To configure smart card redirection on a RHEL 9.x/8.x virtual machine (VM), install the libraries that the feature depends on and the root Certificate Authority (CA) certificate that anchors trust for smart card authentication.
Procedure
- Install the required libraries.
yum install -y opensc pcsc-lite pcsc-lite-libs pcsc-lite-ccid nss-tools
- Enable the pcscd service.
systemctl enable pcscd
systemctl start pcscd
- Make sure that the /etc/sssd/sssd.conf configuration file contains the following lines, which enable smart card authentication.
[pam]
pam_cert_auth = True
- Copy the required CA certificate to /etc/sssd/pki/sssd_auth_ca_db.pem. The file must be PEM-encoded; if your CA certificate is DER-encoded (typically a .cer file), convert it first. If the card certificates chain through an intermediate CA, append that CA's PEM certificate to the same file.
openssl x509 -inform der -in certificate.cer -out certificate.pem
cp certificate.pem /etc/sssd/pki/sssd_auth_ca_db.pem
- To verify that the smart card is reachable through PKCS#11, insert the card and run the following pkcs11-tool commands. The first lists the available slots and should show your reader with a token present; the second, after prompting for the PIN, lists the objects (certificates and keys) stored on the card; the third runs the built-in token tests and should complete without errors.
pkcs11-tool -L
pkcs11-tool --login -O
pkcs11-tool --test --login
- Copy the required driver and add the necessary library files to the nssdb directory.
- Run commands similar to the following example. These commands add libcmP11.so, the driver file for the Gemalto PIV 2.0 card, to the nssdb directory. In place of libcmP11.so, substitute the driver file for your smart card.
cp libcmP11.so /usr/lib64/
mkdir -p /etc/pki/nssdb
certutil -N -d /etc/pki/nssdb
certutil -A -n rootca -i certificate.pem -t "CT,CT,CT" -d /etc/pki/nssdb
modutil -dbdir /etc/pki/nssdb/ -add "piv card 2.0" -libfile /usr/lib64/libcmP11.so
- Verify that the expected certificate is loaded successfully by running the following command.
certutil -L -d /etc/pki/nssdb
Verify that the command returns output similar to the following example.
Certificate Nickname
rootca
- Verify that the expected libraries are added successfully by running the following command.
modutil -dbdir /etc/pki/nssdb -list
Verify that the command returns output similar to the following example.
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded
         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services
         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
  2. piv card 2.0
  library name: /usr/lib64/libcmP11.so
         slots: There are no slots attached to this module
        status: loaded
-----------------------------------------------------------
- Create the /usr/share/p11-kit/modules/libcmP11.module file. Add the following content to the file. The layout follows the opensc.module file that ships with opensc, but the module path here is absolute, so p11-kit loads the driver from /usr/lib64 rather than from its default module directory.
# This file tells p11-kit how to load the smart card's PKCS#11 driver.
# See: http://p11-glue.freedesktop.org/doc/p11-kit/config.html
# The module path is absolute, so p11-kit loads the driver from /usr/lib64
# rather than from its default module directory (usually $(libdir)/pkcs11).
# Substitute the driver file for your smart card if it is not libcmP11.so.
module: /usr/lib64/libcmP11.so
priority: 99
Note: (RHEL 9.x) You must also remove the /usr/share/p11-kit/modules/p11-kit-trust.module file from the system. In addition, if you are not using opensc, you must remove the /usr/share/p11-kit/modules/opensc.module file.
- To support the smart card SSO feature, configure the /etc/vmware/viewagent-greeter.conf file. See Setting Options in Configuration Files on a Linux Desktop.
- Install the Horizon Agent package, with smart card redirection enabled.
Note: If you get an error message instructing you to install the default PC/SC Lite library, uninstall the custom PC/SC Lite library that is currently present on the machine and install the default PC/SC Lite library using the following command.
yum reinstall pcsc-lite-libs pcsc-lite
You can then run the Horizon Agent installer.
- If you are using a custom PC/SC Lite library, configure the pcscd.maxReaderContext and pcscd.readBody options in the /etc/vmware/config file.
- Restart the virtual machine and log back in.
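After the VM comes back up, the following script is an added example, not part of this documentation or of the Horizon Agent, that checks the configuration produced by the steps above: that pam_cert_auth = True sits in the [pam] section of sssd.conf rather than in some other section, that the SSSD CA database is PEM rather than a DER file copied as-is, that pcscd is active, that the PKCS#11 module registered with modutil is loaded from /usr/lib64, that the p11-kit module file points at a library that exists, and, on RHEL 9.x, that p11-kit-trust.module has been removed. The function names, the constructed sample modutil listing and the module name "piv card 2.0" are this example's own assumptions; run it as root on the configured VM with the argument run.

```bash
#!/bin/sh
# Added example, not part of the original Horizon documentation: post-configuration
# checks for the smart card redirection procedure above. The function names, the
# constructed sample listing and MODULE_NAME are this example's own assumptions.
# Usage on the configured VM, as root:  sh sc-check.sh run

MODULE_NAME="piv card 2.0"          # the name passed to modutil -add in the procedure
P11_KIT_DIR=/usr/share/p11-kit/modules

# 1. pam_cert_auth = True must sit inside the [pam] section of sssd.conf; the same
#    key in another section (for example [domain/...]) does not enable it for PAM.
sssd_pam_cert_auth_enabled() {
    awk '
        /^[[:space:]]*\[/ { in_pam = ($0 ~ /^[[:space:]]*\[pam\][[:space:]]*$/); next }
        in_pam && /^[[:space:]]*pam_cert_auth[[:space:]]*=[[:space:]]*[Tt]rue[[:space:]]*$/ { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# 2. The CA database SSSD reads must be PEM; a DER .cer copied straight to
#    /etc/sssd/pki/sssd_auth_ca_db.pem carries no BEGIN CERTIFICATE marker.
ca_db_is_pem() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# 3. Parse `modutil -dbdir /etc/pki/nssdb -list` output (read from stdin) and confirm
#    that the named module is loaded from a library under /usr/lib64/, which is where
#    the cp and modutil -add steps of the procedure put the driver.
modutil_module_ok() {
    awk -v name="$1" '
        /^[[:space:]]*[0-9]+\. / { sub(/^[[:space:]]*[0-9]+\. /, ""); cur = $0; next }
        cur == name && /library name:/ { lib = $NF }
        cur == name && /status:/       { status = $NF }
        END { exit ((lib ~ /^\/usr\/lib64\// && status == "loaded") ? 0 : 1) }
    '
}

# 4. The p11-kit module file must name a "module:" library that exists on disk.
p11_kit_module_ok() {
    [ -f "$1" ] || return 1
    lib=$(sed -n 's/^module:[[:space:]]*//p' "$1" | head -n 1)
    [ -n "$lib" ] && [ -f "$lib" ]
}

# 5. On RHEL 9.x the procedure requires p11-kit-trust.module to be removed.
p11_kit_trust_removed() {
    ! [ -e "$1/p11-kit-trust.module" ]
}

# Constructed listing in the shape of the modutil output shown in the procedure,
# used to exercise modutil_module_ok without a card or an NSS database.
SAMPLE_MODUTIL_LISTING='Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded
  2. piv card 2.0
  library name: /usr/lib64/libcmP11.so
         slots: There are no slots attached to this module
        status: loaded
-----------------------------------------------------------'

# Live checks against the paths used in the procedure (run as root on the VM).
report() {                          # report <label> <command...>
    label=$1; shift
    if "$@"; then echo "PASS: $label"; else echo "FAIL: $label"; rc=1; fi
}
nss_module_loaded() {
    modutil -dbdir /etc/pki/nssdb -list | modutil_module_ok "$MODULE_NAME"
}
run_checks() {
    rc=0
    report "pam_cert_auth = True in [pam]"       sssd_pam_cert_auth_enabled /etc/sssd/sssd.conf
    report "sssd_auth_ca_db.pem is PEM"          ca_db_is_pem /etc/sssd/pki/sssd_auth_ca_db.pem
    report "pcscd is active"                     systemctl -q is-active pcscd
    report "$MODULE_NAME loaded from /usr/lib64" nss_module_loaded
    report "p11-kit module file resolves"        p11_kit_module_ok "$P11_KIT_DIR/libcmP11.module"
    if grep -q 'release 9' /etc/redhat-release 2>/dev/null; then
        report "p11-kit-trust.module removed (RHEL 9.x)" p11_kit_trust_removed "$P11_KIT_DIR"
    fi
    return "$rc"
}

if [ "${1:-}" = run ]; then
    run_checks
fi
```

The parsing functions accept input from files or stdin, so they can be exercised against the constructed listing without a card or an NSS database; the run argument performs the live checks against the system paths used in the procedure and prints one PASS or FAIL line per check.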