Red_Hat_Enterprise_Linux-6-Managing_Smart_Cards-en-US.pdf

Red Hat Enterprise Linux 6
Managing Single Sign-On and Smart Cards
For Red Hat Enterprise Linux 6
Edition 6.2
Author: Ella Deon Lackey
Publication date: August 13, 2009, revised December 6, 2011
Copyright © 2010, 2011 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons
Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available
at http://creativecommons.org/licenses/by-sa/3.0/ . In accordance with CC-BY-SA, if you distribute this
document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert,
Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity
Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux ® is the registered trademark of Linus Torvalds in the United States and other countries.
Java ® is a registered trademark of Oracle and/or its affiliates.
XFS ® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States
and/or other countries.
MySQL ® is a registered trademark of MySQL AB in the United States, the European Union and other
countries.
All other trademarks are the property of their respective owners.
1801 Varsity Drive
Raleigh, NC 27606-2072 USA
Phone: +1 919 754 3700
Phone: 888 733 4281
Fax: +1 919 754 3701
This guide is for both users and administrators of Red Hat Enterprise Linux 6 and explains how to manage
personal certificates and keys using the Enterprise Security Client. The Enterprise Security Client is a
simple GUI that works as a frontend for the Red Hat Certificate System token management system. It
allows users of Red Hat Enterprise Linux 6 to format and manage smart cards easily as part of a single
sign-on solution.
1. Additional Reading .......................................................................................................... v
2. Examples and Formatting ............................................................................................... vi
2.1. Formatting for Examples and Commands .............................................................. vi
2.2. Tool Locations ..................................................................................................... vi
2.3. Guide Formatting ................................................................................................. vi
3. Giving Feedback ............................................................................................................ vii
4. Document History .......................................................................................................... vii
2.1. About PAM .................................................................................................................. 5
2.2. PAM Configuration Files ............................................................................................... 5
2.2.1. PAM Service Files ............................................................................................. 5
2.2.2. PAM Configuration File Format ........................................................................... 6
2.2.3. Sample PAM Configuration Files ........................................................................ 8
2.3. Creating PAM Modules ................................................................................................. 9
2.4. PAM and Administrative Credential Caching ................................................................. 10
2.4.1. Removing the Timestamp File .......................................................................... 10
2.4.2. Common pam_timestamp Directives ................................................................. 11
3.1. About Kerberos .......................................................................................................... 13
3.1.1. How Kerberos Works ....................................................................................... 13
3.1.2. Considerations for Deploying Kerberos ............................................................. 15
3.1.3. Additional Resources for Kerberos .................................................................... 15
3.2. Installing Kerberos ...................................................................................................... 17
3.3. Configuring a Kerberos 5 Server ................................................................................. 17
3.3.1. Configuring the Master KDC Server .................................................................. 17
3.3.2. Setting up Secondary KDCs ............................................................................. 19
3.4. Configuring a Kerberos 5 Client .................................................................................. 21
3.5. Domain-to-Realm Mapping .......................................................................................... 23
3.6. Setting up Cross Realm Authentication ........................................................................ 23
3.6.1. Setting up Basic Trust Relationships ................................................................. 23
3.6.2. Setting up Complex Trust Relationships ............................................................ 24
4.1. Installing the Smart Card Package Group .................................................................... 27
4.2. Launching the Smart Card Manager UI ........................................................................ 27
4.3. Overview of Enterprise Security Client Configuration .................................................... 28
4.3.1. Enterprise Security Client File Locations ........................................................... 29
4.3.2. About the Preferences Configuration Files ......................................................... 29
4.4. Configuring Phone Home ............................................................................................ 33
4.4.1. About Phone Home Profiles ............................................................................. 34
4.4.2. Setting Global Phone Home Information ............................................................ 35
4.4.3. Adding Phone Home Information to a Token Manually ........................................ 36
4.4.4. Configuring the TPS to Use Phone Home ......................................................... 36
4.5. Using Security Officer Mode ....................................................................................... 37
4.5.1. Enabling Security Officer Mode ........................................................................ 38
4.5.2. Enrolling a New Security Officer ....................................................................... 41
4.5.3. Using Security Officers to Manage Users .......................................................... 43
4.6. Configuring SSL Connections with the TPS ................................................................. 51
4.7. Customizing the Smart Card Enrollment User Interface ................................................. 54
4.8. Disabling LDAP Authentication for Token Operations .................................................... 57
5.1. Supported Smart Cards .............................................................................................. 59
5.2. Setting up Users to Be Enrolled .................................................................................. 59
5.3. Enrolling a Smart Card Automatically .......................................................................... 60
5.4. Managing Smart Cards ............................................................................................... 63
5.4.1. Formatting the Smart Card ............................................................................... 64
5.4.2. Resetting a Smart Card Password .................................................................... 65
5.4.3. Viewing Certificates ......................................................................................... 67
5.4.4. Importing CA Certificates ................................................................................. 69
5.4.5. Adding Exceptions for Servers ......................................................................... 71
5.4.6. Enrolling Smart Cards ...................................................................................... 74
5.5. Diagnosing Problems .................................................................................................. 75
5.5.1. Errors .............................................................................................................. 78
5.5.2. Events ............................................................................................................. 79
6.1. Configuring Firefox to Use Kerberos for Single Sign-On ................................................ 81
6.2. Enabling Smart Card Login ......................................................................................... 83
6.3. Setting up Browsers to Support SSL for Tokens ........................................................... 85
6.4. Using the Certificates on Tokens for Mail Clients .......................................................... 87
About This Guide
The Enterprise Security Client is a simple user interface which formats and manages smart cards.
This guide is intended for everyday users of Certificate System, who use the Enterprise Security
Client to manage their smart cards. Certificate System agents should read the Certificate System
Agent's Guide for information on how to perform agent tasks, such as handling certificate requests and
revoking certificates.
Before reading this guide, be familiar with the following concepts:
• Public-key cryptography and the Secure Sockets Layer (SSL) protocol
• Intranet, extranet, Internet security, and the role of digital certificates in a secure enterprise
• LDAP and Red Hat Directory Server
1. Additional Reading
This guide covers managing smart cards and the security and single sign-on related services in
Red Hat Enterprise Linux, namely PAM and Kerberos.
To understand the complete range of security concepts inherent in Red Hat Enterprise Linux 6,
including using SELinux, refer to these guides in the Red Hat Enterprise Linux documentation set:
Red Hat Enterprise Linux Deployment Guide covers a comprehensive selection of security and
configuration topics, including access controls, network configuration, SELinux, and single sign-on,
along with other deployment and management considerations.
Red Hat Enterprise Linux Security Guide provides an overview of security concepts, such as server
security and potential network threats, and describes how to configure Red Hat Enterprise Linux 6
servers and workstations, virtual private networks, and firewalls for effective security. It also covers
how to assess vulnerabilities in the system and to detect and respond to intrusions.
Red Hat Enterprise Linux SELinux Guide gives an overview of SELinux concepts and details how to
configure and use SELinux effectively on a Red Hat Enterprise Linux system.
Red Hat Enterprise Linux Installation Guide provides procedures and options for installing Red Hat
Enterprise Linux 6.
Some very basic information on using other end user web services for the Certificate System CA and
RA systems is covered in Using End User Services [1]. For basic certificate management, that is all
many users need to know. Managing Smart Cards with the Enterprise Security Client and the End
User's Guide, together, are both for end users of Red Hat Certificate System.
For more information on the basic concepts of certificates, public key infrastructure, and Certificate
More detailed information about the concepts behind public key cryptography, as well as a more
detailed overview of the Certificate System subsystems and how Certificate System manages
certificates and smart cards, is available in the Certificate System Administrator's Guide [3]. This is also