Buscar

48.3.2. Getting Started with your new Smart Card

download PDF
Before you can use your smart card to log in to your system and take advantage of the increased security options this technology provides, you need to perform some basic installation and configuration steps. These are described below.

Note

This section provides a high-level view of getting started with your smart card. More detailed information is available in the Red Hat Certificate System Enterprise Security Client Guide.
  1. Log in with your Kerberos name and password
  2. Make sure you have the nss-tools package loaded.
  3. Download and install your corporate-specific root certificates. Use the following command to install the root CA certificate:
    certutil -A -d /etc/pki/nssdb -n "root ca cert" -t "CT,C,C" \
    	-i ./ca_cert_in_base64_format.crt
  4. Verify that you have the following RPMs installed on your system: esc, pam_pkcs11, coolkey, ifd-egate, ccid, gdm, authconfig, and authconfig-gtk.
  5. Enable Smart Card Login Support
    1. On the Gnome Title Bar, select System->Administration->Authentication.
    2. Type your machine's root password if necessary.
    3. In the Authentication Configuration dialog, click the Authentication tab.
    4. Select the Enable Smart Card Support check box.
    5. Click the Configure Smart Card... button to display the Smartcard Settings dialog, and specify the required settings:
      • Require smart card for login — Clear this check box. After you have successfully logged in with the smart card you can select this option to prevent users from logging in without a smart card.
      • Card Removal Action — This controls what happens when you remove the smart card after you have logged in. The available options are:
        • Lock — Removing the smart card locks the X screen.
        • Ignore — Removing the smart card has no effect.
  6. If you need to enable the Online Certificate Status Protocol (OCSP), open the /etc/pam_pkcs11/pam_pkcs11.conf file, and locate the following line:
    enable_ocsp = false;
    Change this value to true, as follows:
    enable_ocsp = true;
  7. Enroll your smart card
  8. If you are using a CAC card, you also need to perform the following steps:
    1. Change to the root account and create a file called /etc/pam_pkcs11/cn_map.
    2. Add the following entry to the cn_map file:
      MY.CAC_CN.123454 -> myloginid
      where MY.CAC_CN.123454 is the Common Name on your CAC and myloginid is your UNIX login ID.
  9. Logout

48.3.2.1. Troubleshooting

If you have trouble getting your smart card to work, try using the following command to locate the source of the problem:
pklogin_finder debug
If you run the pklogin_finder tool in debug mode while an enrolled smart card is plugged in, it attempts to output information about the validity of certificates, and if it is successful in attempting to map a login ID from the certificates that are on the card.
Red Hat logoGithubRedditYoutubeTwitter

Aprender

Pruebe, compre y venda

Comunidades

Acerca de la documentación de Red Hat

Ayudamos a los usuarios de Red Hat a innovar y alcanzar sus objetivos con nuestros productos y servicios con contenido en el que pueden confiar.

Hacer que el código abierto sea más inclusivo

Red Hat se compromete a reemplazar el lenguaje problemático en nuestro código, documentación y propiedades web. Para más detalles, consulte el Blog de Red Hat.

Acerca de Red Hat

Ofrecemos soluciones reforzadas que facilitan a las empresas trabajar en plataformas y entornos, desde el centro de datos central hasta el perímetro de la red.

© 2024 Red Hat, Inc.