To configure smart card redirection on a RHEL desktop, install the libraries on which the feature depends, the root CA certificate to support the trusted authentication of smart cards, and the required PC/SC Lite library. In addition, you must edit some configuration files to complete the authentication setup.

Use the following procedure to set up smart card redirection for a RHEL desktop.

Some examples in the procedure use placeholder values to represent entities in your network configuration, such as the DNS name of your AD domain. Replace the placeholder values with information specific to your configuration, as described in the following table.

Placeholder Value   Description
dns_IP_ADDRESS      IP address of your DNS name server
mydomain.com        DNS name of your AD domain
MYDOMAIN.COM        DNS name of your AD domain, in all capital letters
MYDOMAIN            DNS name of the workgroup or NT domain that includes your Samba server, in all capital letters
ads-hostname        Host name of your AD server

Note: Smart card redirection is supported on desktops running RHEL 6, or RHEL 7.1 or later.

Procedure

  1. Install the required libraries.
    yum install nss-tools nss-pam-ldapd esc pam_pkcs11 pam_krb5 opensc pcsc-lite-ccid authconfig \
          authconfig-gtk krb5-libs krb5-workstation krb5-pkinit pcsc-lite pcsc-lite-libs
    
  2. Install a Root Certification Authority (CA) certificate.
    1. Download a root CA certificate and save it to /tmp/certificate.cer on your desktop. See How to Export Root Certification Authority Certificate.
    2. Locate the root CA certificate that you downloaded, and transfer it to a .pem file.
      openssl x509 -inform der -in /tmp/certificate.cer -out /tmp/certificate.pem
    3. Use the certutil command to install the root CA certificate to the system database /etc/pki/nssdb.
      certutil -A -d /etc/pki/nssdb -n "root CA cert" -t "CT,C,C" -i /tmp/certificate.pem
    4. Copy the root CA certificate to the /etc/pam_pkcs11/cacerts directory.
      mkdir -p /etc/pam_pkcs11/cacerts
      
      cp /tmp/certificate.pem /etc/pam_pkcs11/cacerts
  3. Navigate to Applications > Sundry > Authentication, select the Enable smart card support check box, and click Apply.
  4. Copy the smart card drivers and add the drivers library to the system database /etc/pki/nssdb.
    cp libcmP11.so /usr/lib64/
    modutil -add "piv card 2.0" -libfile /usr/lib64/libcmP11.so -dbdir /etc/pki/nssdb/
  5. Edit the module setting in the /etc/pam_pkcs11/pam_pkcs11.conf configuration file, as shown in the following example.
    pkcs11_module coolkey {
          module = libcmP11.so;                
          description = "Cool Key";
          slot_num = 0;
          ca_dir = /etc/pam_pkcs11/cacerts; 
          nss_dir = /etc/pki/nssdb;
          cert_policy = ca, signature;
    }
  6. Edit the /etc/pam_pkcs11/cn_map file so that it includes content similar to the following example. For the specific content to include, refer to the user information listed in the smart card certificate.
    user sc -> user-sc
  7. Edit the /etc/krb5.conf configuration file, as shown in the following example.
    [libdefaults]
          dns_lookup_realm = false
          ticket_lifetime = 24h
          renew_lifetime = 7d
          forwardable = true
          rdns = false
          default_realm = MYDOMAIN.COM
          default_ccache_name = KEYRING:persistent:%{uid}
    
    [realms]
          MYDOMAIN.COM = {
                kdc = ads-hostname
                admin_server = ads-hostname
                default_domain = ads-hostname
                pkinit_anchors = FILE:/etc/pki/nssdb/certificate.pem
                pkinit_cert_match = <KU>digitalSignature
                pkinit_kdc_hostname = ads-hostname
          }
    
    [domain_realm]
          .mydomain.com = MYDOMAIN.COM
          mydomain.com = MYDOMAIN.COM
  8. Edit the /etc/pam.d/system-auth configuration file so that it includes the line shown in the following example.
    auth  optional  pam_krb5.so use_first_pass no_subsequent_prompt preauth_options=X509_user_identity=PKCS11:/usr/lib64/libcmP11.so
  9. Restart the PC/SC daemon.
    chkconfig pcscd on
    service pcscd start
  10. Install the required PC/SC Lite version for your RHEL distribution.
    • For RHEL 7.x, install PC/SC Lite, version 1.8.8.
      yum install git flex autoconf automake libtool libudev-devel
      git clone https://salsa.debian.org/rousseau/PCSC.git
      cd PCSC
      git checkout -b 1.8.8 pcsc-1.8.8
      ./bootstrap
      ./configure --build=x86_64-redhat-linux-gnu --host=x86_64-redhat-linux-gnu --program-prefix= \
         --disable-dependency-tracking --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin \
         --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64 \
         --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man \
         --infodir=/usr/share/info --disable-static --enable-usbdropdir=/usr/lib64/pcsc/drivers
      make
      make install
    • For RHEL 6.x, install PC/SC Lite, version 1.7.4.
      yum groupinstall "Development tools"
      yum install libudev-devel
      service pcscd stop
      wget https://alioth.debian.org/frs/download.php/file/3598/pcsc-lite-1.7.4.tar.bz2
      tar -xjvf pcsc-lite-1.7.4.tar.bz2
      cd ./pcsc-lite-1.7.4
      ./configure --prefix=/usr/ --libdir=/usr/lib64/ --enable-usbdropdir=/usr/lib64/pcsc/drivers \
       --enable-confdir=/etc --enable-ipcdir=/var/run --disable-libusb --disable-serial --disable-usb \
       --disable-libudev
      make
      make install
      service pcscd start
  11. Install the Horizon Agent package, with smart card redirection enabled.
    sudo ./install_viewagent.sh -m yes
    Note: For RHEL 6.x, you must install View Agent 6.2.1 or later. For RHEL 7.x, you must install Horizon Agent 7.8 or later.
  12. Reboot your system and log back in.
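The checks below are an added example; they are not part of the procedure and not VMware or Red Hat code. They read the artifacts the steps above produce (the NSS database listing, /etc/krb5.conf, /etc/pam_pkcs11/cn_map) and confirm the settings smart card logon depends on: the CA trust flags from step 2, the PKCS#11 module from step 4, the cn_map entry from step 6, the PKINIT keys from step 7 and the pcscd daemon from step 9. The function names and the SMARTCARD_CHECK_LIVE variable are assumptions of this example; the "root CA cert" nickname, the paths and the MYDOMAIN.COM placeholder are the ones used in the procedure.

```shell
#!/bin/bash
# Post-configuration checks for the smart card redirection setup in the procedure
# above. Added example: not VMware or Red Hat code. Each check takes its input as an
# argument or on stdin, so it can also be run against copies of the files.

# Print the trust flags certutil records for nickname NICK ($1). Input is the output
# of `certutil -L -d <nssdb>` on stdin; entry lines look like "root CA cert   CT,C,C".
nss_trust_flags() {
    awk -v n="$1" '
        NF >= 2 {
            flags = $NF
            line = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", line)   # strip the trailing flags column
            if (line == n) { print flags; exit }
        }'
}

# Step 2 installs the CA with -t "CT,C,C". The first (SSL) field must carry T, the
# certutil flag for "trusted CA to issue client certificates"; a CA imported with
# only "C" or "c" is not trusted to vouch for the user certificate on the card.
ca_trusted_for_client_certs() {
    case "${1%%,*}" in
        *T*) return 0 ;;
        *)   return 1 ;;
    esac
}

# List the PKINIT keys from step 7 that are absent from the [realms] entry for
# REALM ($2) in krb5.conf FILE ($1). Prints the missing key names; returns 1 if any.
krb5_pkinit_keys_missing() {
    local file="$1" realm="$2" key missing=""
    for key in pkinit_anchors pkinit_cert_match pkinit_kdc_hostname; do
        awk -v r="$realm" -v k="$key" '
            /^[ \t]*\[/ { sect = $1 }                       # [libdefaults], [realms], ...
            sect == "[realms]" && $1 == r && $2 == "=" { inrealm = 1; next }
            inrealm && /^[ \t]*}/ { inrealm = 0 }
            inrealm && $1 == k && $2 == "=" { found = 1 }
            END { exit found ? 0 : 1 }
        ' "$file" || missing="$missing $key"
    done
    echo "${missing# }"
    [ -z "$missing" ]
}

# Resolve the local account that pam_pkcs11's cn mapper assigns to a certificate
# CN ($2) through the cn_map file ($1, one "CN -> login" per line as in step 6).
# Prints the login; returns 1 when the CN is unmapped.
cn_map_lookup() {
    awk -v c="$2" -F ' *-> *' '
        /^[ \t]*#/ { next }                                 # comment lines
        $1 == c { sub(/[ \t]+$/, "", $2); print $2; found = 1; exit }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Live checks against this host; set SMARTCARD_CHECK_LIVE=1 to run them (they need
# root for the NSS database and the tools installed in step 1).
if [ "${SMARTCARD_CHECK_LIVE:-0}" = 1 ]; then
    flags=$(certutil -L -d /etc/pki/nssdb | nss_trust_flags "root CA cert")
    if ca_trusted_for_client_certs "$flags"; then
        echo "CA trust flags ok: $flags"
    else
        echo "CA 'root CA cert' lacks the T flag (found: '$flags'); re-run step 2.3"
    fi
    if modutil -list -dbdir /etc/pki/nssdb | grep -q libcmP11.so; then
        echo "PKCS#11 module libcmP11.so registered"
    else
        echo "PKCS#11 module libcmP11.so not registered (step 4)"
    fi
    missing=$(krb5_pkinit_keys_missing /etc/krb5.conf MYDOMAIN.COM) \
        || echo "krb5.conf realm MYDOMAIN.COM lacks: $missing (step 7)"
    pgrep -x pcscd >/dev/null && echo "pcscd running" || echo "pcscd not running (step 9)"
fi
```

Run it as root with SMARTCARD_CHECK_LIVE=1 after step 12; without the variable it only defines the functions, which is convenient for checking staged copies of krb5.conf and cn_map before they are put in place.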