To configure smart card redirection on a SLED/SLES desktop, install the libraries the feature depends on and the root CA certificate that anchors the certificates on your smart cards, so that the PAM module can validate a card certificate before accepting it for login. In addition, you must edit several configuration files to complete the authentication setup.

Some examples in the procedure use placeholder values to represent entities in your network configuration, such as the DNS name of your AD domain. Replace the placeholder values with information specific to your configuration, as described in the following table.

Placeholder Value           Description
dns_IP_ADDRESS              IP address of your DNS name server
mydomain.com                DNS name of your AD domain
MYDOMAIN.COM                DNS name of your AD domain, in all capital letters
MYDOMAIN                    DNS name of the workgroup or NT domain that includes your Samba server, in all capital letters
ads-hostname                Host name of your AD server
ads-hostname.mydomain.com   Fully qualified domain name (FQDN) of your AD server
mytimeserver.mycompany.com  DNS name of your NTP time server
AdminUser                   User name of the Linux desktop administrator

Procedure

  1. Install the required library packages.
    1. Install the PAM library and other packages.
      # zypper install pam_pkcs11 mozilla-nss mozilla-nss-tools \
          pcsc-lite pcsc-ccid opensc coolkey pcsc-tools
    2. Perform the appropriate steps to install the PC/SC tools.
  2. Install a Root Certification Authority (CA) certificate.
    1. Download a root CA certificate and save it to /tmp/certificate.cer on your desktop. See How to Export Root Certification Authority Certificate. Any card certificate that chains to this CA will be accepted for login, so confirm the file's fingerprint against the value your CA administrator publishes before you install it.
    2. Locate the root CA certificate that you downloaded, convert it to PEM format, copy it to the pam_pkcs11 CA directory, and create the hash link that pam_pkcs11 uses to look the certificate up. The openssl command below assumes the certificate was exported in DER (binary) format; if you exported it as Base64, it is already PEM and you can omit -inform der.
      # openssl x509 -inform der -in /tmp/certificate.cer -out /tmp/certificate.pem
      # cp /tmp/certificate.pem /etc/pam_pkcs11/cacerts
      # chmod a+r /etc/pam_pkcs11/cacerts/certificate.pem
      # cd /etc/pam_pkcs11/cacerts
      # pkcs11_make_hash_link
    3. Install the trust anchor in the NSS database. Run these commands from /etc/pam_pkcs11/cacerts so that certificate.pem resolves; certutil -L lists the database contents and should show nothing before the import and the rootca entry if you run it again afterwards. The trust flags CT,CT,CT mark the certificate as a trusted CA, including for client authentication.
      # mkdir /etc/pam_pkcs11/nssdb
      # certutil -N -d /etc/pam_pkcs11/nssdb
      # certutil -L -d /etc/pam_pkcs11/nssdb
      # certutil -A -n rootca -i certificate.pem -t "CT,CT,CT" -d /etc/pam_pkcs11/nssdb
    4. Install the PKCS#11 driver for your card (libcmP11.so, obtained from the card vendor, in this example) and register it in the NSS database.
      # cp libcmP11.so /usr/lib64/
      # modutil -add "piv card 2.0" -libfile /usr/lib64/libcmP11.so -dbdir /etc/pam_pkcs11/nssdb/
  3. Edit the /etc/pam_pkcs11/pam_pkcs11.conf file.
    1. Delete the line use_pkcs11_module = nss. In its place, add the line use_pkcs11_module = mysc.
    2. Add the mysc module, as shown in the following example. The cert_policy values ocsp_on and crl_auto make pam_pkcs11 check revocation over the network, so the desktop must be able to reach the OCSP responder and CRL distribution points named in the card certificates; test with the same network policy that production desktops will have.
      pkcs11_module mysc {
        module = /usr/lib64/libcmP11.so;
        description = "MY Smartcard";
        slot_num = 0;
        nss_dir = /etc/pam_pkcs11/nssdb;
        cert_policy = ca, ocsp_on, signature, crl_auto;
      }
    3. Update the Common Name mapper configuration, as shown in the following example.
      # Assume common name (CN) to be the login
      mapper cn {
            debug = false;
            module = internal;
            # module = /usr/lib64/pam_pkcs11/cn_mapper.so;
            ignorecase = true;
            mapfile = file:///etc/pam_pkcs11/cn_map;
      }
    4. Delete the line use_mappers = ms. In its place, add the line use_mappers = cn, null.
  4. Edit the /etc/pam_pkcs11/cn_map configuration file so that it includes the following line. Each line of this file maps a certificate Common Name to a login name, in the form CN -> login.
    ads-hostname -> ads-hostname
  5. Modify the PAM configuration.
    1. To make it possible to configure smart card authentication, first stop pam-config from managing the PAM stack: delete the common-* symlinks it maintains and replace them with plain copies of the generated common-*-pc files, so that your edits are not overwritten. (${X%-pc} strips the -pc suffix and works in any sh; the original ${X:0:-3} form requires bash 4.2 or later.)
      # find /etc/pam.d/ -type l -iname "common-*" -delete
      # for X in /etc/pam.d/common-*-pc; do cp -ivp "$X" "${X%-pc}"; done
    2. Create a file named common-auth-smartcard under the /etc/pam.d/ directory. Add the following content to the file.
      auth    required        pam_env.so
      auth    sufficient      pam_pkcs11.so
      auth    optional        pam_gnome_keyring.so
      auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass
      auth    required        pam_winbind.so  use_first_pass
    3. For SLED/SLES 12 SP3, replace the line auth include common-auth with the line auth include common-auth-smartcard in both of these files: /etc/pam.d/gdm and /etc/pam.d/xscreensaver.
    4. For SLED 11 SP4, replace the line auth include common-auth with the line auth include common-auth-smartcard in both of these files: /etc/pam.d/gdm and /etc/pam.d/gnome-screensaver.
  6. Disable the firewall.
    # rcSuSEfirewall2 stop
    # chkconfig SuSEfirewall2_setup off
    # chkconfig SuSEfirewall2_init off
    Note: Smart card redirection sometimes fails when the firewall is enabled. Disabling the host firewall removes a network control from the desktop; if your policy does not allow that, keep it enabled, permit only the traffic Horizon Agent needs (this procedure does not enumerate those ports), and verify that redirection still works.
  7. Install the library packages required for smart card redirection.
    1. For SLED/SLES 12 SP3 and SLED 11 SP4, run the following installation commands.
      # SUSEConnect -p sle-sdk/12.3/x86_64
      # zypper in git autoconf automake libtool flex libudev-devel gcc
    2. For SLES 12 SP3, install systemd-devel.
      # zypper in systemd-devel
    3. For SLED 11 SP4, install the following packages:
      • perl-Error, autoconf, automake, flex rpm
      • git, gcc
      • libtool
  8. Install the Horizon Agent package, with smart card redirection enabled.
    # sudo ./install_viewagent.sh -m yes
    Note: You must install Horizon Agent 7.9 or later.
  9. Reboot your system and log back in.
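The procedure above edits four files by hand, and a mistake in any of them surfaces only at the next login. The following pre-flight script is an added example, not part of the Horizon or SUSE documentation: it reads pam_pkcs11.conf, cn_map and common-auth-smartcard at the paths the procedure uses and reports the errors most likely to lock you out (no active module declared, the declared module .so not installed, the cn mapper not enabled, an empty cn_map, pam_unix.so placed ahead of pam_pkcs11.so). The --check flag and the optional staging prefix are this script's own convention.

```shell
#!/bin/sh
# Pre-flight check for the pam_pkcs11 smart card setup (added example, not
# part of the Horizon or SUSE documentation). A prefix argument lets you
# check a staging tree instead of the live host.

# conf_value FILE KEY: value of the first "KEY = value;" line (the ';' is optional).
conf_value() {
    awk -v k="$2" '
        $1 == k && $2 == "=" {
            v = $3; for (i = 4; i <= NF; i++) v = v " " $i
            sub(/;.*$/, "", v); print v; exit
        }' "$1" 2>/dev/null
}

# module_path FILE NAME: the "module = ..." path inside "pkcs11_module NAME { ... }".
module_path() {
    awk -v n="$2" '
        $1 == "pkcs11_module" && $2 == n      { inblk = 1; next }
        inblk && $1 == "}"                    { exit }
        inblk && $1 == "module" && $2 == "="  { sub(/;.*$/, "", $3); print $3; exit }
    ' "$1" 2>/dev/null
}

# check_pkcs11_conf CONF [PREFIX]: active module declared, its .so present, cn mapper on.
check_pkcs11_conf() {
    conf=$1; prefix=${2:-}
    mod=$(conf_value "$conf" use_pkcs11_module)
    [ -n "$mod" ] || { echo "FAIL: $conf has no use_pkcs11_module line"; return 1; }
    so=$(module_path "$conf" "$mod")
    [ -n "$so" ] || { echo "FAIL: no pkcs11_module $mod { module = ...; } block in $conf"; return 1; }
    [ -f "$prefix$so" ] || { echo "FAIL: $so is not installed under ${prefix:-/}"; return 1; }
    case " $(conf_value "$conf" use_mappers | tr ',' ' ') " in
        *" cn "*) ;;
        *) echo "FAIL: use_mappers does not enable the cn mapper"; return 1 ;;
    esac
    echo "OK: module $mod -> $so, cn mapper enabled"
}

# check_cn_map MAPFILE: at least one "CN -> login" entry.
check_cn_map() {
    n=$(grep -c -- '->' "$1" 2>/dev/null) || n=0
    [ "${n:-0}" -gt 0 ] || { echo "FAIL: $1 has no 'CN -> login' entries"; return 1; }
    echo "OK: $n mapping(s) in $1"
}

# check_pam_stack PAMFILE: an uncommented pam_pkcs11.so auth line that precedes pam_unix.so.
check_pam_stack() {
    pk=$(grep -n '^[[:space:]]*auth[[:space:]].*pam_pkcs11\.so' "$1" 2>/dev/null | head -n 1 | cut -d: -f1)
    ux=$(grep -n '^[[:space:]]*auth[[:space:]].*pam_unix\.so' "$1" 2>/dev/null | head -n 1 | cut -d: -f1)
    [ -n "$pk" ] || { echo "FAIL: no active pam_pkcs11.so auth line in $1"; return 1; }
    if [ -n "$ux" ] && [ "$ux" -lt "$pk" ]; then
        echo "FAIL: pam_unix.so (line $ux) runs before pam_pkcs11.so (line $pk) in $1"
        return 1
    fi
    echo "OK: pam_pkcs11.so at line $pk precedes pam_unix.so in $1"
}

# preflight [PREFIX]: run every check; exit status 0 only if all pass.
preflight() {
    p=${1:-}; rc=0
    check_pkcs11_conf "$p/etc/pam_pkcs11/pam_pkcs11.conf" "$p" || rc=1
    check_cn_map "$p/etc/pam_pkcs11/cn_map" || rc=1
    check_pam_stack "$p/etc/pam.d/common-auth-smartcard" || rc=1
    return $rc
}

# Usage: sh preflight.sh --check              (live host)
#        sh preflight.sh --check /srv/stage   (staging tree with the same layout)
if [ "${1:-}" = "--check" ]; then preflight "${2:-}"; fi
```

Run it as root before the reboot in step 9; a non-zero exit means at least one FAIL line was printed and the next login is likely to fall through to password or winbind authentication, or to fail outright. The checks are deliberately textual (awk and grep over the config files) so that they work on SLED 11 as well as SLES 12 and do not depend on a card being inserted.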