To configure smart card redirection on a RHEL 7.x virtual machine (VM), install the libraries on which the feature depends and the root Certificate Authority (CA) certificate required for authentication. In addition, you must edit some configuration files to complete the authentication setup.

To set up smart card redirection on a RHEL 7.x VM, use the following procedure.

Some examples in the procedure use placeholder values to represent entities in your network configuration, such as the DNS name of your AD domain. Replace the placeholder values with information specific to your configuration, as described in the following table.

Placeholder Value Description
dns_IP_ADDRESS IP address of your DNS name server
mydomain.com DNS name of your AD domain
MYDOMAIN.COM DNS name of your AD domain, in all capital letters
MYDOMAIN DNS name of the workgroup or NT domain that includes your Samba server, in all capital letters
ads-hostname Host name of your AD server
Note: If you use the vSphere console to log in to a RHEL 7.x. VM that has Horizon Agent installed and smart card redirection enabled, you might experience a delayed logout time of two minutes or longer. This delayed logout only occurs from the vSphere console. The RHEL 7.x logout experience from Horizon Client is not affected.

Prerequisites

Integrate a RHEL 7.x Virtual Machine with Active Directory for Smart Card Redirection

Procedure

  1. Install the required libraries.
    yum install nss-tools nss-pam-ldapd esc pam_pkcs11 pam_krb5 opensc pcsc-lite-ccid authconfig 
          authconfig-gtk krb5-libs krb5-workstation krb5-pkinit pcsc-lite pcsc-lite-libs
    
  2. Install a root CA certificate.
    1. Download a root CA certificate and save it to /tmp/certificate.cer on your desktop. See How to Export Root Certification Authority Certificate.
    2. Locate the root CA certificate that you downloaded, and transfer it to a .pem file.
      openssl x509 -inform der -in /tmp/certificate.cer -out /tmp/certificate.pem
    3. Use the certutil command to install the root CA certificate to the system database /etc/pki/nssdb.
      Replace "root CA cert" in the following example command with the name of the root CA certificate in the system database.
      certutil -A -d /etc/pki/nssdb -n "root CA cert" -t "CT,C,C" -i /tmp/certificate.pem
    4. Copy the root CA certificate to the /etc/pam_pkcs11/cacerts directory.
      mkdir -p /etc/pam_pkcs11/cacerts
      
      cp /tmp/certificate.pem /etc/pam_pkcs11/cacerts
  3. Navigate to Applications > Sundry > Authentication, select the Enable smart card support check box, and click Apply.
  4. Copy the smart card drivers and add the drivers library to the system database /etc/pki/nssdb.
    cp libcmP11.so /usr/lib64/
    modutil -add "piv card 2.0" -libfile /usr/lib64/libcmP11.so -dbdir /etc/pki/nssdb/
    Note: To get the libcmP11.so driver, refer to your smart card provider.
  5. Edit the module setting in the /etc/pam_pkcs11/pam_pkcs11.conf configuration file, as shown in the following example.
    pkcs11_module coolkey {
          module = libcmP11.so;                
          description = "Cool Key";
          slot_num = 0;
          ca_dir = /etc/pam_pkcs11/cacerts; 
          nss_dir = /etc/pki/nssdb;
          cert_policy = ca, signature;
    }
  6. Edit the /etc/pam_pkcs11/cn_map file so that it includes content similar to the following example. For the specific content to include, refer to the user information listed in the smart card certificate.
    user sc -> user-sc
  7. Edit the /etc/krb5.conf/ configuration file, as shown in the following example.
    [libdefaults]
          dns_lookup_realm = false
          ticket_lifetime = 24h
          renew_lifetime = 7d
          forwardable = true
          rdns = false
          default_realm = MYDOMAIN.COM
          default_ccache_name = KEYRING:persistent:%{uid}
    
    [realms]
          MYDOMAIN.COM = {
                kdc = ads-hostname
                admin_server = ads-hostname
                default_domain = ads-hostname
                pkinit_anchors = FILE:/etc/pki/nssdb/certificate.pem
                pkinit_cert_match = <KU>digitalSignature
                pkinit_kdc_hostname = ads-hostname
          }
    
    [domain_realm]
          .mydomain.com = MYDOMAIN.COM
          mydomain.com = MYDOMAIN.COM
  8. Edit the /etc/pam.d/system-auth configuration file so that it includes the line shown in the following example. Ensure that the contents appear in a single line without a carriage return.
    auth  optional  pam_krb5.so use_first_pass no_subsequent_prompt preauth_options=X509_user_identity=PKCS11:/usr/lib64/libcmP11.so
  9. Edit the /etc/pam.d/smartcard-auth configuration file so that it includes the line shown in the following example. Ensure that the contents appear in a single line without a carriage return.
    auth  optional  pam_krb5.so use_first_pass no_subsequent_prompt preauth_options=X509_user_identity=PKCS11:/usr/lib64/libcmP11.so
  10. To support the smart card single sign-on (SSO) feature, configure the /etc/vmware/viewagent-greeter.conf file. See Setting Options in Configuration Files on a Linux Desktop.
  11. Restart the PC/SC daemon.
    chkconfig pcscd on
    service pcscd start
  12. Install the Horizon Agent package, with smart card redirection enabled.
    sudo ./install_viewagent.sh -m yes
    Note: If you get an error message instructing you to install the default PC/SC Lite library, uninstall the custom PC/SC Lite library that is currently present on the machine and install the default PC/SC Lite library using the following command.
    yum reinstall pcsc-lite-libs pcsc-lite

    You can then run the Horizon Agent installer.

  13. If you are using a custom PC/SC Lite library, configure the pcscd.maxReaderContext and pcscd.readBody options in the /etc/vmware/config file.
  14. Restart the RHEL 7.x VM and log back in.