Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

48.3.2. Getting Started with your new Smart Card

Before you can use your smart card to log in to your system and take advantage of the increased security options this technology provides, you need to perform some basic installation and configuration steps. These are described below.


This section provides a high-level view of getting started with your smart card. More detailed information is available in the Red Hat Certificate System Enterprise Security Client Guide.
  1. Log in with your Kerberos name and password
  2. Make sure you have the nss-tools package loaded.
  3. Download and install your corporate-specific root certificates. Use the following command to install the root CA certificate:
    certutil -A -d /etc/pki/nssdb -n "root ca cert" -t "CT,C,C" \
    	-i ./ca_cert_in_base64_format.crt
  4. Verify that you have the following RPMs installed on your system: esc, pam_pkcs11, coolkey, ifd-egate, ccid, gdm, authconfig, and authconfig-gtk.
  5. Enable Smart Card Login Support
    1. On the Gnome Title Bar, select System->Administration->Authentication.
    2. Type your machine's root password if necessary.
    3. In the Authentication Configuration dialog, click the Authentication tab.
    4. Select the Enable Smart Card Support check box.
    5. Click the Configure Smart Card... button to display the Smartcard Settings dialog, and specify the required settings:
      • Require smart card for login — Clear this check box. After you have successfully logged in with the smart card you can select this option to prevent users from logging in without a smart card.
      • Card Removal Action — This controls what happens when you remove the smart card after you have logged in. The available options are:
        • Lock — Removing the smart card locks the X screen.
        • Ignore — Removing the smart card has no effect.
  6. If you need to enable the Online Certificate Status Protocol (OCSP), open the /etc/pam_pkcs11/pam_pkcs11.conf file, and locate the following line:
    enable_ocsp = false;
    Change this value to true, as follows:
    enable_ocsp = true;
  7. Enroll your smart card
  8. If you are using a CAC card, you also need to perform the following steps:
    1. Change to the root account and create a file called /etc/pam_pkcs11/cn_map.
    2. Add the following entry to the cn_map file:
      MY.CAC_CN.123454 -> myloginid
      where MY.CAC_CN.123454 is the Common Name on your CAC and myloginid is your UNIX login ID.
  9. Logout Troubleshooting

If you have trouble getting your smart card to work, try using the following command to locate the source of the problem:
pklogin_finder debug
If you run the pklogin_finder tool in debug mode while an enrolled smart card is plugged in, it attempts to output information about the validity of certificates, and if it is successful in attempting to map a login ID from the certificates that are on the card.