How Smart Card Enrollment Works - Red Hat ENTERPRISE LINUX 5 - DEPLOYMENT Deployment Manual


Chapter 43. Securing Your Network
• Ignore — Removing the smart card has no effect.
6. If you need to enable the Online Certificate Status Protocol (OCSP), open the /etc/pam_pkcs11/pam_pkcs11.conf file, and locate the following line:
       enable_ocsp = false;
   Change this value to true, as follows:
       enable_ocsp = true;
7. Enroll your smart card.
8. If you are using a CAC card, you also need to perform the following steps:
   a. Change to the root account and create a file called /etc/pam_pkcs11/cn_map.
   b. Add the following entry to the cn_map file:
          MY.CAC_CN.123454 -> myloginid
      where MY.CAC_CN.123454 is the Common Name on your CAC and myloginid is your UNIX login ID.
9. Log out.
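
The following Python script is an added example, not part of the Red Hat manual or of pam_pkcs11. It checks the two files edited in steps 6 and 8: it reports whether enable_ocsp is set to true, and it flags cn_map lines that are not in the "Common Name -> login" form, that map to a login the caller does not list as known, or that map one Common Name to two different logins. The function names, the known_logins parameter, the treatment of '#' lines as comments and the sample file contents are assumptions made for the example.

```python
import re

# Matches the setting shown in step 6, e.g. "enable_ocsp = true;"
OCSP_RE = re.compile(r"^\s*enable_ocsp\s*=\s*(true|false)\s*;", re.M)

def ocsp_enabled(conf_text):
    """Return True/False for the last enable_ocsp setting, None if absent."""
    values = OCSP_RE.findall(conf_text)
    return (values[-1] == "true") if values else None

def parse_cn_map(text):
    """Parse 'Common Name -> login' lines; return (entries, problems)."""
    entries, problems = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # assumption: '#' starts a comment
            continue
        cn, sep, login = (p.strip() for p in line.partition(" -> "))
        if not sep or not cn or not login or " " in login:
            problems.append("line %d: not in 'CN -> login' form: %r" % (n, raw))
            continue
        entries.append((n, cn, login))
    return entries, problems

def audit(conf_text, cn_map_text, known_logins):
    """Return a list of findings for the files edited in steps 6 and 8."""
    findings = []
    state = ocsp_enabled(conf_text)
    if state is not True:
        findings.append("OCSP checking is off (enable_ocsp %s)" % ("false" if state is False else "not set"))
    entries, problems = parse_cn_map(cn_map_text)
    findings.extend(problems)
    seen = {}
    for n, cn, login in entries:
        if login not in known_logins:
            findings.append("line %d: %r maps to unknown login %r" % (n, cn, login))
        prev = seen.setdefault(cn, login)      # first login seen for this CN
        if prev != login:
            findings.append("line %d: %r is mapped to both %r and %r" % (n, cn, prev, login))
    return findings

# Constructed sample input, not taken from a real system.
SAMPLE_CONF = "pam_pkcs11 {\n  enable_ocsp = false;\n}\n"
SAMPLE_MAP = ("MY.CAC_CN.123454 -> myloginid\nMY.CAC_CN.123454 -> otheruser\n"
              "BROKEN.LINE.1 myloginid\n")

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF, SAMPLE_MAP, {"myloginid", "otheruser"})))
```

To check a live system, pass the contents of /etc/pam_pkcs11/pam_pkcs11.conf and /etc/pam_pkcs11/cn_map to audit() together with the set of valid login IDs.
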
43.3.2.1. Troubleshooting
If you have trouble getting your smart card to work, try using the following command to locate the source of the problem:
    pklogin_finder debug
If you run the pklogin_finder tool in debug mode while an enrolled smart card is plugged in, it attempts to output information about the validity of the certificates, and whether it succeeded in mapping a login ID from the certificates that are on the card.

43.3.3. How Smart Card Enrollment Works

Smart cards are said to be enrolled when they have received an appropriate certificate signed by a
valid Certificate Authority (CA). This involves several steps, described below:
1. The user inserts their smart card into the smart card reader on their workstation. This event is
recognized by the Enterprise Security Client (ESC).
2. The enrollment page is displayed on the user's desktop. The user completes the required details
and the user's system then connects to the Token Processing System (TPS) and the CA.
3. The TPS enrolls the smart card using a certificate signed by the CA.