To configure smart card redirection on a SLED/SLES virtual machine (VM), install the libraries on which the feature depends and the root Certificate Authority (CA) certificate to support the trusted authentication of smart cards. In addition, you must edit some configuration files to complete the authentication setup.

Some examples in the procedure use placeholder values to represent entities in your network configuration, such as the DNS name of your AD domain. Replace the placeholder values with information specific to your configuration, as described in the following table.

Placeholder Value Description
dns_IP_ADDRESS IP address of your DNS name server
mydomain.com DNS name of your AD domain
MYDOMAIN.COM DNS name of your AD domain, in all capital letters
MYDOMAIN DNS name of the workgroup or NT domain that includes your Samba server, in all capital letters
ads-hostname Host name of your AD server
ads-hostname.mydomain.com Fully qualified domain name (FQDN) of your AD server
mytimeserver.mycompany.com DNS name of your NTP time server
AdminUser User name of the VM administrator

Prerequisites

Complete the steps described in Integrate a SLED/SLES Virtual Machine with Active Directory for Smart Card Redirection.

Procedure

  1. Install the required library packages.
    1. Install the PAM library and other packages.
      zypper install pam_pkcs11 mozilla-nss mozilla-nss-tools 
          pcsc-lite pcsc-ccid opensc coolkey pcsc-tools

      You might need to enable extensions like PackageHub to install all the preceding packages.

    2. To use the installed packages, enable extensions like PackageHub and install the PC/SC tools. For example, you can run the following commands for SLED/SLES 12 SP3.
      SUSEConnect --list-extensions
      SUSEConnect -p PackageHub/12.3/x86_64
      zypper in pcsc-tools
  2. Install a root CA certificate.
    1. Download a root CA certificate and save it to /tmp/certificate.cer on the system. See How to Export Root Certification Authority Certificate.
    2. Locate the root CA certificate that you downloaded, transfer it to a .pem file, and create a hash file.
      openssl x509 -inform der -in /tmp/certificate.cer -out /tmp/certificate.pem
      cp /tmp/certificate.pem /etc/pam_pkcs11/cacerts
      chmod a+r /etc/pam_pkcs11/cacerts/certificate.pem
      cd /etc/pam_pkcs11/cacerts
      pkcs11_make_hash_link
    3. Install trust anchors to the NSS database.
      mkdir /etc/pam_pkcs11/nssdb
      certutil -N -d /etc/pam_pkcs11/nssdb
      certutil -L -d /etc/pam_pkcs11/nssdb
      certutil -A -n rootca -i certificate.pem -t "CT,CT,CT" -d /etc/pam_pkcs11/nssdb
    4. Install the required drivers.
      cp libcmP11.so /usr/lib64/
      modutil -add "piv card 2.0" -libfile /usr/lib64/libcmP11.so -dbdir /etc/pam_pkcs11/nssdb/
  3. Edit the /etc/pam_pkcs11/pam_pkcs11.conf file.
    1. Delete the line use_pkcs11_module = nss. In its place, add the line use_pkcs11_module = mysc.
    2. Add the mysc module, as shown in the following example.
      pkcs11_module mysc {
        module = /usr/lib64/libcmP11.so;
        description = "MY Smartcard";
        slot_num = 0;
        nss_dir = /etc/pam_pkcs11/nssdb;
        cert_policy = ca, ocsp_on, signature, crl_auto;
      }
    3. Update the Common Name mapper configuration, as shown in the following example.
      # Assume common name (CN) to be the login
      mapper cn {
            debug = false;
            module = internal;
            # module = /usr/lib64/pam_pkcs11/cn_mapper.so;
            ignorecase = true;
            mapfile = file:///etc/pam_pkcs11/cn_map;}
    4. Delete the line use_mappers = ms. In its place, add the line use_mappers = cn, null.
  4. Edit the /etc/pam_pkcs11/cn_map configuration file so that it includes the following line.
    ads-hostname -> ads-hostname
  5. Modify the PAM configuration.
    1. To make it possible to configure smart card authentication, first deactivate the pam_config tool.
      find /etc/pam.d/ -type l -iname "common-*" -delete
      for X in /etc/pam.d/common-*-pc; do cp -ivp $X ${X:0:-3}; done
    2. Create a file named common-auth-smartcard under the /etc/pam.d/ directory. Add the following content to the file.
      auth    required        pam_env.so
      auth    sufficient      pam_pkcs11.so
      auth    optional        pam_gnome_keyring.so
      auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass
      auth    required        pam_winbind.so  use_first_pass
    3. Replace the line auth include common-auth with the line auth include common-auth-smartcard in both of these files: /etc/pam.d/gdm and /etc/pam.d/xscreensaver.
  6. To configure the pcscd service to start automatically after the VM restarts, edit the appropriate file for your SLED/SLES version.
    • (SLED/SLES 12.x) Add the line rcpcscd start to /etc/init.d/after.local so that the file resembles the following example.
      #! /bin/sh
      #
      # Copyright (c) 2010 SuSE LINUX Products GmbH, Germany. All rights reserved.
      #
      # Author: Werner Fink, 2010
      #
      # /etc/init.d/after.local
      #
      # script with local commands to be executed from init after all scripts
      # of a runlevel have been executed.
      #
      # Here you should add things, that should happen directly after
      # runlevel has been reached.
      #
      rcpcscd start
    • (SLED/SLES 15.x) Add the line WantedBy=multi-user.target to /usr/lib/systemd/system/pcscd.service so that the file resembles the following example.
      [Unit]
      Description=PC/SC Smart Card Daemon
      Requires=pcscd.socket
      
      [Service]
      ExecStart=/usr/sbin/pcscd --foreground --auto-exit
      ExecReload=/usr/sbin/pcscd --hotplug
      
      [Install]
      Also=pcscd.socket
      WantedBy=multi-user.target
      After editing the pcscd.service file, run the following command.
      systemctl enable pcscd
    Note: If the pcscd service does not start after the VM restarts, the first login through pam_pkcs11 fails.
  7. Turn off the firewall.
    rcSuSEfirewall2 stop
    chkconfig SuSEfirewall2_setup off
    chkconfig SuSEfirewall2_init off
    Note: Smart card redirection sometimes fails when the firewall is enabled.
  8. (SLED/SLES 15.x) To ensure that the smart card greeter functions properly, modify the org.gnome.Shell.desktop file on the VM.
    1. Open the /usr/share/applications/org.gnome.Shell.desktop file.
    2. In the file, find and replace Exec=/usr/bin/gnome-shellwith the following line.
      Exec=sh -c "DISPLAY=:${DISPLAY##*:} exec /usr/bin/gnome-shell"
      
    3. Save and close the file.
  9. To support the smart card single sign-on (SSO) feature, configure the /etc/vmware/viewagent-greeter.conf file. See Setting Options in Configuration Files on a Linux Desktop.
  10. Install the Horizon Agent package, with smart card redirection enabled.
    sudo ./install_viewagent.sh -m yes
    Note: If you get an error message instructing you to install the default PC/SC Lite library, uninstall the custom PC/SC Lite library that is currently present on the machine and install the default PC/SC Lite library using the following command.
    zypper install -f -y pcsc-lite libpcsclite1

    You can then run the Horizon Agent installer.

  11. If you are using a custom PC/SC Lite library, configure the pcscd.maxReaderContext and pcscd.readBody options in the /etc/vmware/config file.
  12. Restart the VM and log back in.