Modutil -fips true -dbdir /etc/pam_pkcs11/nssdb If FIPS mode is returned as disabled, to enable it run this as root:.If it returns that FIPS mode is enabled then proceed to loading in the certificates. Modutil -chkfips true -dbdir /etc/pam_pkcs11/nssdb Check to see if FIPS mode is already enabled as root in the run:.If FIPS mode for NSSdb is required in your environment follow these steps for turning on FIPS mode. If not, then you will see the previously loaded certificates.) (If the NSSdb was created from scratch at this step it should be blank. Verify the database was created by listing certificates.Create the NSSdb using the certutil commands as root:.Create the directory for the NSSdb to exist in as root:.Installing the NSSdb trust anchors Creating an nssdb To create the hash use the following command as root:.Change the permissions on the file to allow for the creation of the hashĬhmod a+r /etc/pam_pkcs11/cacert/rootcert.pem.To create a PKCS11 hash file copy the public certificate from your Certificate Authority to /etc/pam_pkcs11/cacerts as root:Ĭp /location_of_ca_root_cert/rootcert.pem /etc/pam_pkcs11/cacerts.It is necessary to obtain the public root certificate from your Certificate Authority (CA) and sub CAs in. Installing Trust Anchors and Hashes Creating the PKCS11 Hash file As root, issue the following command to check the rvice:.As root, issue the following command to start the rvice:.As root, issue the following command to enable the service to start at boot:.'/etc/pam.d/common-session-pc' -> '/etc/pam.d/common-session'Ĭonfiguring necessary services to be enabled and startedĬonfigure the PC/SC Smart Card Daemon to be enabled and started. '/etc/pam.d/common-password-pc' -> '/etc/pam.d/common-password' '/etc/pam.d/common-account-pc' -> '/etc/pam.d/common-account' Copy the past pam-config generated configuration to the actual files:įor X in /etc/pam.d/common-*-pc do cp -ivp $X $ done.Disable pam-config by removing the symlinks:įind /etc/pam.d/ -type l -iname "common-*" -delete.To disable the pam-config tool proceed with the following directions: See the section in the documentation on disabling the PAM configuration symbolic links. You will have manually create and maintain the required files. To successfully be able to configure smart card authentication in SLES 12 SP2 you will need to disable the pam_config tool. See the pam-config documentation for more details. The pam-config tool helps configure the global PAM configurations files, such as /etc/pam.d/common-*, and some applications configurations. Prerequisite Configuration Removing pam_config tool symbolic links The package can now be installed as usual:.To enable the SUSE Package Hub (example shown for SP2):.To get an overview on the available modules and extensions:.pcsc-tools 1.5.2-2.1-x86_64 (from SUSE Package Hub)Īs of writing, pcsc-tools is available in the SUSE Package Hub.SUSE Enterprise Linux Server 12 SP3 for x86_64.SUSE Enterprise Linux Server 12 SP2 for x86_64.SUSE Enterprise Linux Server 12 SP1 for x86_64. This procedure has been tested on SUSE Linux Enterprise Server 12 SP2 and using the specified packages. When this guide is followed, the system will be able to validate the certificates on the smart cards, authenticate users using their smart card and PIN for login, and lock the session upon smart card removal. The main software elements include pcsc-lite, PAM, pam_pkcs11 and coolkey. The configuration described here includes the Common Access Card (commonly referred to CAC card), as used by the United States Department of Defense (DoD) for civil and military application. Smart Cards are used for user authentication and related cryptography applications. This guide describes the configuration of Smart Card authentication on SUSE Linux Enterprise Server 12.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |