To configure smart card redirection on a RHEL 9.x/8.x virtual machine (VM), install the libraries on which the feature depends and the root Certificate Authority (CA) certificate to support the trusted authentication of smart cards.

Prerequisites

Procedure

  1. Install the required libraries.
    yum install -y opensc pcsc-lite pcsc-lite-libs pcsc-lite-ccid nss-tools
  2. Enable the pcscd service.
    systemctl enable pcscd
    systemctl start pcscd
  3. Make sure that the /etc/sssd/sssd.conf configuration file contains the following lines, which enable smart card authentication.
    [pam]
    pam_cert_auth = True
  4. Copy the required CA certificate to /etc/sssd/pki/sssd_auth_ca_db.pem.
    openssl x509 -inform der -in certificate.cer -out certificate.pem
    cp certificate.pem /etc/sssd/pki/sssd_auth_ca_db.pem
  5. To verify the status of the smart card, run the following pkcs11-tool commands and confirm that they return the correct output.
    pkcs11-tool -L
    
    pkcs11-tool --login -O
    
    pkcs11-tool --test --login
  6. Copy the required drivers and add the necessary library files to the nssdb directory.
    1. Run commands similar to the following example.
      These example commands show how to add libcmP11.so, the driver file for the Gemalto PIV 2.0 card, to the nssdb directory. In place of libcmP11.so, you can substitute the driver file for your smart card.
      cp libcmP11.so /usr/lib64/
      mkdir -p /etc/pki/nssdb
      certutil -N -d /etc/pki/nssdb
      certutil -A -n rootca -i certificate.pem -t "CT,CT,CT" -d /etc/pki/nssdb
      modutil -dbdir /etc/pki/nssdb/  -add "piv card 2.0" -libfile /usr/lib64/libcmP11.so
    2. Verify that the expected certificate is loaded successfully by running the following command.
      certutil -L -d /etc/pki/nssdb
      Verify that the command returns output similar to the following example.
      Certificate Nickname
      rootca
    3. Verify that the expected libraries are added successfully by running the following command.
      modutil -dbdir /etc/pki/nssdb -list
      Verify that the command returns output similar to the following example.
      Listing of PKCS #11 Modules
      ------------------------------------------------------------
        1. NSS Internal PKCS #11 Module
               slots: 2 slots attached
              status: loaded
      
               slot: NSS Internal Cryptographic Services
              token: NSS Generic Crypto Services
      
               slot: NSS User Private Key and Certificate Services
              token: NSS Certificate DB
      
        2. piv card 2.0
              library name: /usr/lib/libcmP11.so
               slots: There are no slots attached to this module
              status: loaded
      ------------------------------------------------------------
  7. Create the /usr/share/p11-kit/modules/libcmP11.module file. Add the following content to the file.
    # This file describes how to load the smart card driver module
    # (libcmP11.so in this example).
    # See: http://p11-glue.freedesktop.org/doc/p11-kit/config.html

    # This is an absolute path, so p11-kit loads the library from exactly
    # this location instead of resolving it against the p11-kit default
    # path, which is usually $(libdir)/pkcs11.
    module: /usr/lib64/libcmP11.so
    priority: 99
    Note: (RHEL 9.x) You must also remove the /usr/share/p11-kit/modules/p11-kit-trust.module file from the system. In addition, if you are not using opensc, you must remove the /usr/share/p11-kit/modules/opensc.module file.
  8. To support the smart card SSO feature, configure the /etc/vmware/viewagent-greeter.conf file. See Setting Options in Configuration Files on a Linux Desktop.
  9. Install the Horizon Agent package, with smart card redirection enabled.
    • If using the .rpm installer:
      1. Run the installer to install Horizon Agent with the default feature options.
        sudo rpm -ivh VMware-horizonagent-linux-YYMM-y.y.y-xxxxxxx.el8.x86_64.rpm
      2. To add the smart card redirection feature, run the ViewSetup.sh script.
        /usr/lib/vmware/viewagent/bin/ViewSetup.sh -m yes
    • If using the .tar.gz installer, run the installer with the parameter to enable smart card redirection:
      sudo ./install_viewagent.sh -m yes
    Note: If you get an error message instructing you to install the default PC/SC Lite library, uninstall the custom PC/SC Lite library that is currently present on the machine and install the default PC/SC Lite library using the following command.
    yum reinstall pcsc-lite-libs pcsc-lite

    You can then run the Horizon Agent installer.

  10. If you are using a custom PC/SC Lite library, configure the pcscd.maxReaderContext and pcscd.readBody options in the /etc/vmware/config file.
  11. Restart the virtual machine and log back in.
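
The following preflight checks are an added example, not part of the original procedure or of any vendor tooling: they confirm the results of steps 3, 4 and 7 before the restart in step 11. The function names and the `run` argument are hypothetical; the default paths are the ones used in the procedure above.

```shell
#!/usr/bin/env bash
# Added example: preflight checks for steps 3, 4 and 7. Function names are
# hypothetical; the default paths in preflight() are the ones on this page.

# Step 3: succeed only if pam_cert_auth is True inside the [pam] section.
# A plain grep would also accept a commented-out line or the key under [sssd].
has_pam_cert_auth() {
    awk '
        /^[ \t]*[#;]/ { next }                        # skip comment lines
        /^[ \t]*\[/   { sec = tolower($0); gsub(/[ \t]/, "", sec); next }
        sec == "[pam]" {
            split($0, kv, "=")
            gsub(/[ \t]/, "", kv[1]); gsub(/[ \t]/, "", kv[2])
            if (kv[1] == "pam_cert_auth") ok = (tolower(kv[2]) == "true")
        }
        END { exit !ok }
    ' "$1"
}

# Step 4: succeed only if the CA file is PEM text. Copying the DER .cer file
# without the openssl conversion leaves a binary file with no PEM markers.
is_pem_cert() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" &&
        grep -q -e '-----END CERTIFICATE-----' "$1"
}

# Step 7: succeed only if the absolute "module:" path in a p11-kit .module
# file exists, which catches a /usr/lib versus /usr/lib64 mismatch.
p11_module_exists() {
    local lib
    lib=$(awk '/^module:/ { sub(/^module:[ \t]*/, ""); print; exit }' "$1") ||
        return 1
    [ -n "$lib" ] && [ -e "$lib" ]
}

# Run all three checks; arguments override the default paths.
preflight() {
    local rc=0
    has_pam_cert_auth "${1:-/etc/sssd/sssd.conf}" ||
        { echo "FAIL: pam_cert_auth is not True under [pam]"; rc=1; }
    is_pem_cert "${2:-/etc/sssd/pki/sssd_auth_ca_db.pem}" ||
        { echo "FAIL: CA file is not PEM encoded"; rc=1; }
    p11_module_exists "${3:-/usr/share/p11-kit/modules/libcmP11.module}" ||
        { echo "FAIL: library named in the p11-kit module file is missing"; rc=1; }
    return "$rc"
}

# Check the real paths only when asked, for example: ./preflight.sh run
if [ "${1:-}" = "run" ]; then shift; preflight "$@"; fi
```

The PEM check only looks for the encoding markers; it does not validate the certificate chain or confirm that the file holds the intended root CA.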