48.3.2. Getting Started with your new Smart Card
- Log in with your Kerberos name and password
- Make sure you have the
- Download and install your corporate-specific root certificates. Use the following command to install the root CA certificate:
certutil -A -d /etc/pki/nssdb -n "root ca cert" -t "CT,C,C" \
- Verify that you have the following RPMs installed on your system: esc, pam_pkcs11, coolkey, ifd-egate, ccid, gdm, authconfig, and authconfig-gtk.
- Enable Smart Card Login Support
- On the Gnome Title Bar, select System->Administration->Authentication.
- Type your machine's root password if necessary.
- In the Authentication Configuration dialog, click the Authentication tab.
- Select the Enable Smart Card Support check box.
- Click thebutton to display the Smartcard Settings dialog, and specify the required settings:
- Require smart card for login — Clear this check box. After you have successfully logged in with the smart card you can select this option to prevent users from logging in without a smart card.
- Card Removal Action — This controls what happens when you remove the smart card after you have logged in. The available options are:
- Lock — Removing the smart card locks the X screen.
- Ignore — Removing the smart card has no effect.
- If you need to enable the Online Certificate Status Protocol (OCSP), open the
/etc/pam_pkcs11/pam_pkcs11.conffile, and locate the following line:
enable_ocsp = false;Change this value to true, as follows:
enable_ocsp = true;
- Enroll your smart card
- If you are using a CAC card, you also need to perform the following steps:
- Change to the root account and create a file called
- Add the following entry to the
cn_mapfile:MY.CAC_CN.123454 -> myloginidwhere MY.CAC_CN.123454 is the Common Name on your CAC and myloginid is your UNIX login ID.
pklogin_findertool in debug mode while an enrolled smart card is plugged in, it attempts to output information about the validity of certificates, and if it is successful in attempting to map a login ID from the certificates that are on the card.