Configure Smart Card Redirection on a RHEL 9.x/8.x Virtual Machine

To configure smart card redirection on a RHEL 9.x/8.x virtual machine (VM), install the libraries on which the feature depends and the root Certificate Authority (CA) certificate to support the trusted authentication of smart cards.

Prerequisites

Integrate a RHEL 9.x/8.x Virtual Machine with Active Directory for Smart Card Redirection
To use the smart card single sign-on (SSO) feature in FIPS mode, ensure that you have completed all the steps described in Configure a FIPS-compliant Linux Virtual Machine. You must add the trusted CA certificate for VMwareBlastServer to /etc/vmware/ssl/rui.crt and add the key paired with rui.crt to /etc/vmware/ssl/rui.key.

Procedure

Install the required libraries.

yum install -y opensc pcsc-lite pcsc-lite-libs pcsc-lite-ccid nss-tools

Enable the pcscd service.

systemctl enable pcscd
systemctl start pcscd

Make sure that the /etc/sssd/sssd.conf configuration file contains the following lines, which enable smart card authentication.
```
[pam]
pam_cert_auth = True
```

Copy the required CA certificate to /etc/sssd/pki/sssd_auth_ca_db.pem.

openssl x509 -inform der -in certificate.cer -out certificate.pem
cp certificate.pem /etc/sssd/pki/sssd_auth_ca_db.pem

To verify the status of the smart card, run the following pkcs11-tool commands and confirm that they return the correct output.
```
pkcs11-tool -L

pkcs11-tool --login -O

pkcs11-tool --test --login
```
To support the smart card SSO feature, configure the /etc/vmware/viewagent-greeter.conf file. See Setting Options in Configuration Files on a Linux Desktop.
Install the Horizon Agent package, with smart card redirection enabled.
- If using the .rpm installer:
  1. Run the installer to install Horizon Agent with the default feature options.
```
sudo rpm -ivh VMware-horizonagent-linux-YYMM-y.y.y-xxxxxxx.el8.x86_64.rpm
```
  2. To add the smart card redirection feature, run the ViewSetup.sh script.
```
/usr/lib/vmware/viewagent/bin/ViewSetup.sh -m yes
```
- If using the .tar.gz installer, run the installer with the parameter to enable smart card redirection:
```
sudo ./install_viewagent.sh -m yes
```
Note: If you get an error message instructing you to install the default PC/SC Lite library, uninstall the custom PC/SC Lite library that is currently present on the machine and install the default PC/SC Lite library using the following command.
```
yum reinstall pcsc-lite-libs pcsc-lite
```
You can then run the Horizon Agent installer.
If you are using a custom PC/SC Lite library, configure the pcscd.maxReaderContext and pcscd.readBody options in the /etc/vmware/config file.
See Setting Options in Configuration Files on a Linux Desktop.
Restart the virtual machine and log back in.