To configure smart card redirection on a RHEL 8.x desktop, install the libraries on which the feature depends, the root CA certificate to support the trusted authentication of smart cards, and the required PC/SC Lite library.

Prerequisites

Integrate a RHEL 8.x Desktop with Active Directory for Smart Card Redirection

Procedure

  1. Install the required libraries. 
    # yum install -y opensc pcsc-lite pcsc-lite-libs pcsc-lite-ccid nss-tools
  2. Enable the pcscd service. 
    # systemctl enable pcscd
# systemctl start pcscd
  3. Make sure that the /etc/sssd/sssd.conf configuration file contains the following lines, which enable smart card authentication. 
    [pam]
pam_cert_auth = True
  4. Copy the required CA certificate to /etc/sssd/pki/sssd_auth_ca_db.pem. 
    # openssl x509 -inform der -in certificate.cer -out certificate.pem
# cp certificate.pem /etc/sssd/pki/sssd_auth_ca_db.pem
  5. To verify the status of the smart card, run the following pkcs11-tool commands and confirm that they return the correct output. 
    # pkcs11-tool -L

# pkcs11-tool --login -O

# pkcs11-tool --test --login
  6. Set up the PKCS11 module. 
    cp libcmP11.so /usr/lib64/
  7. Create the /usr/share/p11-kit/modules/libcmP11.module file. Add the following content to the file. 
    # This file describes how to load the opensc module
# See: http://p11-glue.freedesktop.org/doc/p11-kit/config.html
 
# This is a relative path, which means it will be loaded from
# the p11-kit default path which is usually $(libdir)/pkcs11.
# Doing it this way allows for packagers to package opensc for
# 32-bit and 64-bit and make them parallel installable
module: /usr/lib64/libcmP11.so
priority: 99
  8. Update PC/SC Lite to version 1.8.8. 
    # yum install -y git flex autoconf automake libtool libudev-devel flex
# git clone https://salsa.debian.org/rousseau/PCSC.git
# cd PCSC
# git checkout -b 1.8.8 pcsc-1.8.8
# ./bootstrap
# ./configure --build=x86_64-redhat-linux-gnu --host=x86_64-redhat-linux-gnu 
     --program-prefix= --disable-dependency-tracking --prefix=/usr --exec-prefix=/usr 
     --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share 
     --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec 
     --localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man 
     --infodir=/usr/share/info --disable-static --enable-usbdropdir=/usr/lib64/pcsc/drivers
# make
# make install
  9. Install the Horizon Agent package, with smart card redirection enabled. 
    # sudo ./install_viewagent.sh -m yes
    Note: To use smart card redirection, you must install the required version of Horizon Agent for your Linux distribution, as described in the following table.
    Linux Distribution Horizon Agent
    RHEL 8.1 Horizon Agent 7.12 or later
    RHEL 8.0 Horizon Agent 7.10 or later
  10. Reboot your system and log back in.