To configure smart card redirection on a RHEL 7.x virtual machine (VM), install the libraries on which the feature depends and the root Certificate Authority (CA) certificate required for authentication. In addition, you must edit some configuration files to complete the authentication setup.
To set up smart card redirection on a RHEL 7.x VM, use the following procedure.
Some examples in the procedure use placeholder values to represent entities in your network configuration, such as the DNS name of your AD domain. Replace the placeholder values with information specific to your configuration, as described in the following table.
| Placeholder Value | Description |
|---|---|
| dns_IP_ADDRESS | IP address of your DNS name server |
| mydomain.com | DNS name of your AD domain |
| MYDOMAIN.COM | DNS name of your AD domain, in all capital letters |
| MYDOMAIN | DNS name of the workgroup or NT domain that includes your Samba server, in all capital letters |
| ads-hostname | Host name of your AD server |
Note: If you use the vSphere console to log in to a RHEL 7.x VM that has Horizon Agent installed and smart card redirection enabled, you might experience a delayed logout time of two minutes or longer. This delayed logout occurs only from the vSphere console. The RHEL 7.x logout experience from Horizon Client is not affected.
Procedure
- Install the required libraries.
yum install nss-tools nss-pam-ldapd esc pam_pkcs11 pam_krb5 opensc pcsc-lite-ccid authconfig authconfig-gtk krb5-libs krb5-workstation krb5-pkinit pcsc-lite pcsc-lite-libs
- Install a root CA certificate.
- Download a root CA certificate and save it to /tmp/certificate.cer on your desktop. See How to Export Root Certification Authority Certificate.
- Locate the root CA certificate that you downloaded and convert it from DER format to a .pem file.
openssl x509 -inform der -in /tmp/certificate.cer -out /tmp/certificate.pem
- Use the certutil command to install the root CA certificate to the system database /etc/pki/nssdb.
Replace "root CA cert" in the following example command with the nickname to assign to the root CA certificate in the system database.
certutil -A -d /etc/pki/nssdb -n "root CA cert" -t "CT,C,C" -i /tmp/certificate.pem
- Copy the root CA certificate to the /etc/pam_pkcs11/cacerts directory.
mkdir -p /etc/pam_pkcs11/cacerts
cp /tmp/certificate.pem /etc/pam_pkcs11/cacerts
- Navigate to , select the Enable smart card support check box, and click Apply.
- Copy the smart card driver library to the system and register it in the system database /etc/pki/nssdb.
cp libcmP11.so /usr/lib64/
modutil -add "piv card 2.0" -libfile /usr/lib64/libcmP11.so -dbdir /etc/pki/nssdb/
Note: To get the libcmP11.so driver, refer to your smart card provider.
- Edit the module setting in the /etc/pam_pkcs11/pam_pkcs11.conf configuration file, as shown in the following example.
pkcs11_module coolkey {
module = libcmP11.so;
description = "Cool Key";
slot_num = 0;
ca_dir = /etc/pam_pkcs11/cacerts;
nss_dir = /etc/pki/nssdb;
cert_policy = ca, signature;
}
- Edit the /etc/pam_pkcs11/cn_map file so that it includes content similar to the following example. For the specific content to include, refer to the user information listed in the smart card certificate.
- Edit the /etc/krb5.conf configuration file, as shown in the following example.
[libdefaults]
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    default_realm = MYDOMAIN.COM
    default_ccache_name = KEYRING:persistent:%{uid}
[realms]
    MYDOMAIN.COM = {
        kdc = ads-hostname
        admin_server = ads-hostname
        default_domain = ads-hostname
        pkinit_anchors = FILE:/etc/pki/nssdb/certificate.pem
        pkinit_cert_match = <KU>digitalSignature
        pkinit_kdc_hostname = ads-hostname
    }
[domain_realm]
    .mydomain.com = MYDOMAIN.COM
    mydomain.com = MYDOMAIN.COM
- Edit the /etc/pam.d/system-auth configuration file so that it includes the line shown in the following example. Ensure that the entry is on a single line, with no line break.
auth optional pam_krb5.so use_first_pass no_subsequent_prompt preauth_options=X509_user_identity=PKCS11:/usr/lib64/libcmP11.so
- Edit the /etc/pam.d/smartcard-auth configuration file so that it includes the line shown in the following example. Ensure that the entry is on a single line, with no line break.
auth optional pam_krb5.so use_first_pass no_subsequent_prompt preauth_options=X509_user_identity=PKCS11:/usr/lib64/libcmP11.so
- To support the smart card single sign-on (SSO) feature, configure the /etc/vmware/viewagent-greeter.conf file. See Setting Options in Configuration Files on a Linux Desktop.
- Restart the PC/SC daemon.
chkconfig pcscd on
service pcscd start
- Install the Horizon Agent package, with smart card redirection enabled.
sudo ./install_viewagent.sh -m yes
Note: If you get an error message instructing you to install the default PC/SC Lite library, uninstall the custom PC/SC Lite library that is currently present on the machine and install the default PC/SC Lite library using the following command.
yum reinstall pcsc-lite-libs pcsc-lite
You can then run the Horizon Agent installer.
- If you are using a custom PC/SC Lite library, configure the pcscd.maxReaderContext and pcscd.readBody options in the /etc/vmware/config file.
- Restart the RHEL 7.x VM and log back in.
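Before restarting, a quick sanity check of what the procedure wrote catches the most common slips (a missing CA file, a pkinit_anchors path that does not exist, a PAM entry that was wrapped onto two lines). The following script is an added example, not part of VMware's or Red Hat's documentation; the function names are ours, and the paths are the ones used in the steps above. It can be pointed at / on the VM or at a staged copy of the filesystem.

```shell
#!/bin/sh
# Post-configuration sanity check for the smart card redirection steps above.
# Added example (not VMware's or Red Hat's code). It inspects files under a root
# directory (default /) so it can also be pointed at a staged copy of the VM.
# It only verifies what the procedure writes; it does not talk to the card.

check_cacerts() {          # root CA .pem was copied into pam_pkcs11's cacerts dir
    dir="$1/etc/pam_pkcs11/cacerts"
    ls "$dir"/*.pem >/dev/null 2>&1 || { echo "FAIL: no .pem in $dir"; return 1; }
    echo "ok: CA certificate present in $dir"
}

check_pkcs11_conf() {      # pam_pkcs11.conf points at cacerts and the NSS db
    f="$1/etc/pam_pkcs11/pam_pkcs11.conf"
    grep -Eq '^[[:space:]]*ca_dir[[:space:]]*=[[:space:]]*/etc/pam_pkcs11/cacerts' "$f" 2>/dev/null &&
    grep -Eq '^[[:space:]]*nss_dir[[:space:]]*=[[:space:]]*/etc/pki/nssdb' "$f" 2>/dev/null ||
        { echo "FAIL: ca_dir/nss_dir not set in $f"; return 1; }
    echo "ok: $f references cacerts and nssdb"
}

check_krb5() {             # krb5.conf names a pkinit_anchors file that exists
    f="$1/etc/krb5.conf"
    anchor=$(sed -n 's/^[[:space:]]*pkinit_anchors[[:space:]]*=[[:space:]]*FILE:\(.*\)$/\1/p' "$f" 2>/dev/null | head -n 1)
    [ -n "$anchor" ] || { echo "FAIL: no pkinit_anchors in $f"; return 1; }
    [ -f "$1$anchor" ] || { echo "FAIL: pkinit_anchors file $anchor is missing"; return 1; }
    echo "ok: pkinit_anchors -> $anchor"
}

check_pam_line() {         # the pam_krb5 PKINIT entry is present and on ONE line
    f="$1/etc/pam.d/$2"
    grep -Eq '^auth[[:space:]]+optional[[:space:]]+pam_krb5\.so[[:space:]].*preauth_options=X509_user_identity=PKCS11:' "$f" 2>/dev/null ||
        { echo "FAIL: pam_krb5 PKINIT line missing or split in $f"; return 1; }
    echo "ok: $f has the pam_krb5 PKINIT line"
}

smartcard_check() {        # run every check; return 1 if any of them failed
    root="${1-}"; rc=0
    check_cacerts "$root"                 || rc=1
    check_pkcs11_conf "$root"             || rc=1
    check_krb5 "$root"                    || rc=1
    check_pam_line "$root" system-auth    || rc=1
    check_pam_line "$root" smartcard-auth || rc=1
    return $rc
}

# Usage: sh smartcard_check.sh /      (or the path of a staged root)
if [ "$#" -gt 0 ]; then smartcard_check "$1"; fi
```

Note that the example krb5.conf above points pkinit_anchors at /etc/pki/nssdb/certificate.pem, so that file must exist at that path for the check (and for PKINIT) to succeed.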