KB-4139: How to support a 3rd party PKCS#11 module other than the Coolkey module shipped for RedHat

Centrify DirectControl

12 April,16 at 11:07 AM

Applies to: Centrify DirectControl Suite 2013.3 on RHEL5 and RHEL6 with Smart Card Support

 
Question:

How can a 3rd party PKCS#11 module be supported other than the Coolkey module shipped for RedHat?

 Answer:

 Run "sctool -s" to check the status of smart card support.

 The screenshot below shows what happens when required packages are missing.

It is essential to have the RedHat SmartCard package in order to apply the 3rd party PKCS#11 module steps below:


[Screenshot 3409: sctool -s output with required packages missing]


Notes:

  • To enable smart card support, see KB-3415: How to enable Smart Card logon support on Red Hat Environments?

  • The Centrify Coolkey module is hardcoded to be used in the RHSC components.
    This Coolkey module is always configured to be used by the system components when RHSC support is enabled.

  • 3rd party PKCS#11 modules are not included in the Centrify package. They can be installed at any time, either before or after the installation of CDC,
    but they MUST be installed before applying the GPs below to configure the 3rd party module.

  • Only one PKCS#11 module can be active at a given time.

  • If a 3rd party PKCS#11 module has been specified, Centrify's default Coolkey module will not be active.

 

To support 3rd party PKCS#11 modules:

 

  • Option 1:
    Directly edit the parameter in /etc/centrifydc/centrifydc.conf to configure which PKCS#11 module to use.
    The default value is to use the Centrify Coolkey module:

    rhel.smartcard.pkcs11.module: /usr/$LIB/pkcs11/libcentrifypkcs11.so

    After saving the configuration file as root, reload the configuration and restart sctool:

    adreload
    /usr/bin/sctool -d && /usr/bin/sctool -e

    Optionally, GNOME can also be refreshed to reflect the change:

    /usr/sbin/gdm-safe-restart


     
  • Option 2:
    This setting can also be deployed via GP:

    Computer Configuration / Centrify Settings / Linux Settings / Security / "Enable smart card support" > Specify PKCS#11 module


[Screenshots 3409-1 and 3409-2]


After applying the GP, run the following command on the RHEL machine:

adgpupdate

Use Cases:

  1. The admin should ensure that the 3rd party PKCS#11 module has been installed on client machines before proceeding to #2.

  2. Either manually set the parameter or create a new GP to configure which 3rd party PKCS#11 module is to be used. Absolute paths should be used.

     NOTE: Env variables like $LIB are supported.

  3. adreload / adgpupdate is necessary to see the change immediately.
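
A pre-flight check for the steps above, as an added example that is not part of the original article or of Centrify's tooling: it reads rhel.smartcard.pkcs11.module from the configuration file, expands $LIB, and confirms that the module path is absolute, installed, and not writable by group or other. The function names, the value substituted for $LIB, and the owner and permission check are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Centrify code): pre-flight check for a 3rd party PKCS#11 module.
# Assumptions: $LIB stands for "lib64" or "lib"; the module should be owned by
# uid 0 (override with OWNER) and must not be writable by group or other.

# Print the value of the last active rhel.smartcard.pkcs11.module line in file $1.
get_module_path() {
    sed -n 's/^[[:space:]]*rhel\.smartcard\.pkcs11\.module[[:space:]]*:[[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Replace each literal $LIB in path $1 with the library directory name $2.
expand_lib() {
    printf '%s\n' "$1" | sed "s|\\\$LIB|$2|g"
}

# Check the expanded path $1. Returns 0 if usable, 1 if not absolute,
# 2 if the module is not installed, 4 if owner or permissions are unsafe.
check_module() {
    case $1 in
        /*) ;;
        *) echo "not an absolute path: $1"; return 1 ;;
    esac
    [ -f "$1" ] || { echo "module not installed: $1"; return 2; }
    # find prints the path only if it has the wrong owner or is group/other-writable.
    if [ -n "$(find -L "$1" -prune \( ! -user "${OWNER:-0}" -o -perm -020 -o -perm -002 \))" ]; then
        echo "unsafe owner or permissions: $1"; return 4
    fi
    echo "ok: $1"
}

# Full check: config file $1, value to use for $LIB in $2.
# Returns 3 if the parameter is unset (the default Coolkey module then applies).
preflight() {
    raw=$(get_module_path "$1")
    [ -n "$raw" ] || { echo "rhel.smartcard.pkcs11.module not set in $1"; return 3; }
    check_module "$(expand_lib "$raw" "$2")"
}

# Usage, as root, before adreload or adgpupdate:
#   preflight /etc/centrifydc/centrifydc.conf lib64
```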


   Additional Notes:

 

  • 3rd party PKCS#11 modules should work as expected
    • 3rd party PKCS#11 module might not work well with gdm.

  • Certain card event operations, such as Screen Lock upon card removal, would not work in these cases.

  • Centrify will not patch anything to handle this, as it is due to the feature set of either gdm or the module itself.
