Coolkey Does Not Support PIV Smart Cards in Red Hat Enterprise Linux 6.3

Solution Unverified - Updated -

Environment

  • Red Hat Enterprise Linux 6.3

Issue

  • RHEL 5.7 64bit - Cannot get ActiveClient to ever read the card reader. The problem looks to be with the version of pcsc included with RHEL 5.
  • RHEL 6.2 64bit - Have ActiveClient software working and can see certificates on card. Issue is cannot integrate with system due to 32bit pkcs11 included with ActiveClient (/usr/local/ActivIdentity/ActivClient/lib/libacpkcs211.so).
  • PIV card: Oberthur CosmopolIC 64K V5.2 Fast ATR
  • CAC card: Oberthur ID-One Cosmo 64 v5.2D Fast ATR with PIV application SDK
  • Problem Statement: "coolkey" (the opensoure smart card reading software) cannot read their CAC smart card. It can read the PIV card, it just can't understand the format of the card. So would require reformatting to be able to use it. ActivIdentity ActivClient can read these smart cards no problem.

Resolution

Root Cause

  • Coolkey did not provide support for these cards

Diagnostic Steps

  • PIV card: Oberthur CosmopolIC 64K V5.2 Fast ATR
  • CAC card: Oberthur ID-One Cosmo 64 v5.2D Fast ATR with PIV application SDK
  • Problem Statement: "coolkey" (the opensoure smart card reading software) cannot read their CAC smart card. It can read the PIV card, it just can't understand the format of the card. So would require reformatting to be able to use it. ActivIdentity ActivClient can read these smart cards no problem.

  • Summary

    • Configure system & install Active Idenity
    • Add to NSS DB
    • Setup pam_pkcs11.conf
    • Install Issuer certificates
    • Setup PAM
    • Setup mapper file
  • Configure system & install Active Identity 32bit
    • Currently this portion only will work with:
      • RHEL 5.2 32bit
      • RHEL 6.2 32bit
      • RHEL 6.2 64bit
    • Disable Selinux
    • Update packages
yum -y update
  * Install Smart Card support (only for RHEL 6 and above)
yum groupinstall "Smart Card Support"
  * Install Dependencies for Active Client
     * For RHEL 5 & above run:
yum install pcsc-lite zlib.i386 pcsc-lite-libs.i386 glib2.i386 libpng.i386 libSM.i386 libXext.i386 libXrender.i386 libX11.i386 libXfixes.i386 freetype.i386 libXcursor.i386 fontconfig.i386 libXrandr.i386 libXcursor.i386 libjpeg.i386 libstdc++.i386
     * For RHEL 6 & above run:
yum install pcsc-lite zlib.i686 pcsc-lite-libs.i686 glib2.i686 libpng.i686 libSM.i686 libXext.i686  libXrender.i686 libX11.i686 libXfixes.i686 freetype.i686 libXcursor.i686 fontconfig.i686 libXrandr.i686 libXcursor.i686 libjpeg.i686 libstdc++.i686 dbus-devel.i686 dbus-glib-devel.i686
  * Remove openct & pcsc-lite-openct if they are installed (only for RHEL 6  and above)
        yum remove openct  pcsc-lite-openct
  * Install Active Client
rpm -ivh ai-activclient-apps-3.0.0-21.i386.rpm ai-activclient-scmw-3.0.0-21.i386.rpm
  * See smart card
     * Plug in smart reader & Smart card then run command:
/usr/local/ActivIdentity/ActivClient/bin/acuserconsole
     * You should now see your card

* Add Active Identity to NSS DB
* THIS STEP IS CURRENTLY NOT SUPPORTED ON RHEL 64 BIT

modutil -add "ActiveIdentity ActiveClient PKCS #11 Module" -libfile /usr/local/ActivIdentity/ActivClient/lib/libacpkcs211.so -dbdir /etc/pki/nssdb
  * To verify it is in the NSS database for use. 
modutil -list -dbdir /etc/pki/nssdb
  • Setup /etc/pam_pkcs11.conf
    • THIS STEP IS CURRENTLY NOT PROPERLY SUPPORTED ON RHEL 64 BIT
    • Modify Line "use_pkcs11_module =" to:
use_pkcs11_module = activeclient;
  * Under this line add the following stanza:

~
pkcs11_module activeclient {
module = /usr/local/ActivIdentity/ActivClient/lib/libacpkcs211.so;
description = "ActiveClient"
slot_num = 0;
ca_dir = /etc/pam_pkcs11/cacerts;
nss_dir = /etc/pki/nssdb;
crl_dir = /etc/pam_pkcs11/crls;
crl_policy = none;
}

   * Install Issuer Certificates
      * You will need to install the entire certificate chain for the certificate issuer.
      * You can get these certificates from your Windows Machines mmc manager):
      * To install these certificates run the following commands:

certutil -A -n 'Corp Trusted Certificate" -t "CT,C,C" -a -d /etc/pki/nssdb -i issuingCA.cer


certutil -A -n "Corp policy Certificate" -t "CT,C,C" -a -d /etc/pki/nssdb -i policy.cer

certutil -A -n "Corp root Certificate" -t "CT,C,C" -a -d /etc/pki/nssdb -i root.cer
~~~

certutil -A -n "Corp other Certificate" -t "CT,C,C" -a -d /etc/pki/nssdb -i ca.cer
  * Run this command to see that the certificates are installed:
certutil -L -d /etc/pki/nssdb
  • Setup PAM
    • In file /etc/pam.d/system-auth under line "auth required pam_env.so" insert line:
auth    sufficient      pam_pkcs11.so
  • Setup mapper file
    • This is the file where you will match the CN name on the certificate with a login name.
    • Create file /etc/pam_pkcs11/cn_map . In this file you will have the following map:
<CN NAME ON SMART CARD CERT> -> <USER LOGIN NAME>
  * For example the file will look like:
JOESMITH -> joesmith
JACKFROST -> jackf
  • You can check if your mappings are correct by running "pkcs11_inspect debug".

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.