Set Up Smart Card Redirection on a RHEL 7.x Virtual Machine

To configure smart card redirection on a RHEL 7.x virtual machine (VM), install the libraries on which the feature depends and the root Certificate Authority (CA) certificate required for authentication. In addition, you must edit some configuration files to complete the authentication setup.

To set up smart card redirection on a RHEL 7.x VM, use the following procedure.

Some examples in the procedure use placeholder values to represent entities in your network configuration, such as the DNS name of your AD domain. Replace the placeholder values with information specific to your configuration, as described in the following table.


Placeholder Value	Description
dns_IP_ADDRESS	IP address of your DNS name server
mydomain.com	DNS name of your AD domain
MYDOMAIN.COM	DNS name of your AD domain, in all capital letters
MYDOMAIN	DNS name of the workgroup or NT domain that includes your Samba server, in all capital letters
ads-hostname	Host name of your AD server

Note: If you use the vSphere console to log in to a RHEL 7.x. VM that has Horizon Agent installed and smart card redirection enabled, you might experience a delayed logout time of two minutes or longer. This delayed logout only occurs from the vSphere console. The RHEL 7.x logout experience from Horizon Client is not affected.

Prerequisites

Integrate a RHEL 7.x Virtual Machine with Active Directory for Smart Card Redirection

Procedure

Install the required libraries.

yum install nss-tools nss-pam-ldapd esc pam_pkcs11 pam_krb5 opensc pcsc-lite-ccid authconfig 
      authconfig-gtk krb5-libs krb5-workstation krb5-pkinit pcsc-lite pcsc-lite-libs

Install a root CA certificate.
1. Download a root CA certificate and save it to /tmp/certificate.cer on your desktop. See How to Export Root Certification Authority Certificate.
2. Locate the root CA certificate that you downloaded, and transfer it to a .pem file.
```
openssl x509 -inform der -in /tmp/certificate.cer -out /tmp/certificate.pem
```
3. Use the certutil command to install the root CA certificate to the system database /etc/pki/nssdb.
  Replace "root CA cert" in the following example command with the name of the root CA certificate in the system database.
```
certutil -A -d /etc/pki/nssdb -n "root CA cert" -t "CT,C,C" -i /tmp/certificate.pem
```
4. Copy the root CA certificate to the /etc/pam_pkcs11/cacerts directory.
```
mkdir -p /etc/pam_pkcs11/cacerts

cp /tmp/certificate.pem /etc/pam_pkcs11/cacerts
```
Navigate to Applications > Sundry > Authentication, select the Enable smart card support check box, and click Apply.
Copy the smart card drivers and add the drivers library to the system database /etc/pki/nssdb.
```
cp libcmP11.so /usr/lib64/
modutil -add "piv card 2.0" -libfile /usr/lib64/libcmP11.so -dbdir /etc/pki/nssdb/
```
Note: To get the libcmP11.so driver, refer to your smart card provider.

Edit the module setting in the /etc/pam_pkcs11/pam_pkcs11.conf configuration file, as shown in the following example.

pkcs11_module coolkey {
      module = libcmP11.so;                
      description = "Cool Key";
      slot_num = 0;
      ca_dir = /etc/pam_pkcs11/cacerts; 
      nss_dir = /etc/pki/nssdb;
      cert_policy = ca, signature;
}

Edit the /etc/pam_pkcs11/cn_map file so that it includes content similar to the following example. For the specific content to include, refer to the user information listed in the smart card certificate.
```
user sc -> user-sc
```

Edit the /etc/krb5.conf/ configuration file, as shown in the following example.

[libdefaults]
      dns_lookup_realm = false
      ticket_lifetime = 24h
      renew_lifetime = 7d
      forwardable = true
      rdns = false
      default_realm = MYDOMAIN.COM
      default_ccache_name = KEYRING:persistent:%{uid}

[realms]
      MYDOMAIN.COM = {
            kdc = ads-hostname
            admin_server = ads-hostname
            default_domain = ads-hostname
            pkinit_anchors = FILE:/etc/pki/nssdb/certificate.pem
            pkinit_cert_match = <KU>digitalSignature
            pkinit_kdc_hostname = ads-hostname
      }

[domain_realm]
      .mydomain.com = MYDOMAIN.COM
      mydomain.com = MYDOMAIN.COM

Edit the /etc/pam.d/system-auth configuration file so that it includes the line shown in the following example. Ensure that the contents appear in a single line without a carriage return.
```
auth  optional  pam_krb5.so use_first_pass no_subsequent_prompt preauth_options=X509_user_identity=PKCS11:/usr/lib64/libcmP11.so
```
Edit the /etc/pam.d/smartcard-auth configuration file so that it includes the line shown in the following example. Ensure that the contents appear in a single line without a carriage return.
```
auth  optional  pam_krb5.so use_first_pass no_subsequent_prompt preauth_options=X509_user_identity=PKCS11:/usr/lib64/libcmP11.so
```
To support the smart card single sign-on (SSO) feature, configure the /etc/vmware/viewagent-greeter.conf file. See Setting Options in Configuration Files on a Linux Desktop.
Restart the PC/SC daemon.
```
chkconfig pcscd on
service pcscd start
```
Install the Horizon Agent package, with smart card redirection enabled.
```
sudo ./install_viewagent.sh -m yes
```
Note: If you get an error message instructing you to install the default PC/SC Lite library, uninstall the custom PC/SC Lite library that is currently present on the machine and install the default PC/SC Lite library using the following command.
```
yum reinstall pcsc-lite-libs pcsc-lite
```
You can then run the Horizon Agent installer.
If you are using a custom PC/SC Lite library, configure the pcscd.maxReaderContext and pcscd.readBody options in the /etc/vmware/config file.
See Setting Options in Configuration Files on a Linux Desktop.
Restart the RHEL 7.x VM and log back in.