To configure smart card redirection on a RHEL 7.x virtual machine (VM), install the libraries on which the feature depends, the root CA certificate required for authentication, and the required PC/SC Lite library. In addition, you must edit some configuration files to complete the authentication setup.

Use the following procedure to set up smart card redirection on a RHEL 7.x VM.

Some examples in the procedure use placeholder values to represent entities in your network configuration, such as the DNS name of your AD domain. Replace the placeholder values with information specific to your configuration, as described in the following table.

Placeholder Value Description
dns_IP_ADDRESS IP address of your DNS name server
mydomain.com DNS name of your AD domain
MYDOMAIN.COM DNS name of your AD domain, in all capital letters
MYDOMAIN DNS name of the workgroup or NT domain that includes your Samba server, in all capital letters
ads-hostname Host name of your AD server
Smart card redirection is supported on desktops running RHEL 7.2 or later.
Note: If you use the vSphere console to log in to a RHEL 7.x. VM that has Horizon Agent installed and smart card redirection enabled, you might experience a delayed logout time of two minutes or longer. This delayed logout only occurs from the vSphere console. The RHEL 7.x logout experience from Horizon Client is not affected.

Prerequisites

Integrate a RHEL 7.x Virtual Machine with Active Directory for Smart Card Redirection

Procedure

  1. Install the required libraries.
    yum install nss-tools nss-pam-ldapd esc pam_pkcs11 pam_krb5 opensc pcsc-lite-ccid authconfig 
          authconfig-gtk krb5-libs krb5-workstation krb5-pkinit pcsc-lite pcsc-lite-libs
    
  2. Install a Root Certification Authority (CA) certificate.
    1. Download a root CA certificate and save it to /tmp/certificate.cer on your desktop. See How to Export Root Certification Authority Certificate.
    2. Locate the root CA certificate that you downloaded, and transfer it to a .pem file.
      openssl x509 -inform der -in /tmp/certificate.cer -out /tmp/certificate.pem
    3. Use the certutil command to install the root CA certificate to the system database /etc/pki/nssdb.
      certutil -A -d /etc/pki/nssdb -n "root CA cert" -t "CT,C,C" -i /tmp/certificate.pem
    4. Copy the root CA certificate to the /etc/pam_pkcs11/cacerts directory.
      mkdir -p /etc/pam_pkcs11/cacerts
      
      cp /tmp/certificate.pem /etc/pam_pkcs11/cacerts
  3. Navigate to Applications > Sundry > Authentication, select the Enable smart card support check box, and click Apply.
  4. Copy the smart card drivers and add the drivers library to the system database /etc/pki/nssdb.
    cp libcmP11.so /usr/lib64/
    modutil -add "piv card 2.0" -libfile /usr/lib64/libcmP11.so -dbdir /etc/pki/nssdb/
    Note: To get the libcmP11.so driver, refer to your smart card provider.
  5. Edit the module setting in the /etc/pam_pkcs11/pam_pkcs11.conf configuration file, as shown in the following example.
    pkcs11_module coolkey {
          module = libcmP11.so;                
          description = "Cool Key";
          slot_num = 0;
          ca_dir = /etc/pam_pkcs11/cacerts; 
          nss_dir = /etc/pki/nssdb;
          cert_policy = ca, signature;
    }
  6. Edit the /etc/pam_pkcs11/cn_map file so that it includes content similar to the following example. For the specific content to include, refer to the user information listed in the smart card certificate.
    user sc -> user-sc
  7. Edit the /etc/krb5.conf/ configuration file, as shown in the following example.
    [libdefaults]
          dns_lookup_realm = false
          ticket_lifetime = 24h
          renew_lifetime = 7d
          forwardable = true
          rdns = false
          default_realm = MYDOMAIN.COM
          default_ccache_name = KEYRING:persistent:%{uid}
    
    [realms]
          MYDOMAIN.COM = {
                kdc = ads-hostname
                admin_server = ads-hostname
                default_domain = ads-hostname
                pkinit_anchors = FILE:/etc/pki/nssdb/certificate.pem
                pkinit_cert_match = <KU>digitalSignature
                pkinit_kdc_hostname = ads-hostname
          }
    
    [domain_realm]
          .mydomain.com = MYDOMAIN.COM
          mydomain.com = MYDOMAIN.COM
  8. Edit the /etc/pam.d/system-auth configuration file so that it includes the line shown in the following example. Ensure that the contents appear in a single line without a carriage return.
    auth  optional  pam_krb5.so use_first_pass no_subsequent_prompt preauth_options=X509_user_identity=PKCS11:/usr/lib64/libcmP11.so
  9. Restart the PC/SC daemon.
    chkconfig pcscd on
    service pcscd start
  10. Install PC/SC Lite, version 1.8.8.
    yum install git flex autoconf automake libtool libudev-devel flex
    git clone https://salsa.debian.org/rousseau/PCSC.git
    cd PCSC
    git checkout -b pcsc-1.8.8 1.8.8
    ./bootstrap
    ./configure --build=x86_64-redhat-linux-gnu --host=x86_64-redhat-linux-gnu --program-prefix= 
       --disable-dependency-tracking --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin
       --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64 
       --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man 
       --infodir=/usr/share/info --disable-static --enable-usbdropdir=/usr/lib64/pcsc/drivers
    make
    make install
  11. Install the Horizon Agent package, with smart card redirection enabled.
    sudo ./install_viewagent.sh -m yes
  12. Restart the RHEL 7.x VM and log back in.