Bug 1305985

Summary: [RFE] - Document client setup for smart card sharing
Product: Red Hat Enterprise Virtualization Manager Reporter: David Jaša <djasa>
Component: Documentation Assignee: Zac Dover <zdover>
Status: CLOSED CURRENTRELEASE QA Contact: Tahlia Richardson <trichard>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 3.6.0 CC: djasa, fdelorey, gklein, lbopf, lsurette, mkalinin, rbalakri, srevivo, tjelinek, trichard, uril, ylavi, zdover
Target Milestone: ovirt-4.0.5 Keywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-01-11 05:57:41 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Docs RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 902971    

Description David Jaša 2016-02-09 17:48:53 UTC
Description of problem:
Enabling smartcard in VM console properties is not enough to make smart cards work. The rest of the steps are not currently documented, which causes a lot of confusion.

Version-Release number of selected component (if applicable):
RHEV up to 3.6 RC

The docs could probably look as follows:

== Client system configuration for smart card sharing ==

Smart cards may require various libraries to access their certificates. This section will show how to make them visible to the NSS library, which spice-gtk utilizes to provide the smartcard to the guest. NSS expects the libraries to provide a PKCS #11 interface.

The module architecture has to match the spice-gtk/remote-viewer architecture, so if you have only a 32b PKCS #11 library available, you'll have to install a 32b build of virt-viewer as well.

=== RHEL clients with CoolKey smart card middleware ===

CoolKey smart card middleware is a part of the RHEL distribution. As such, it's enough to install the <code>Smart Card Support</code> yum group and, when enabled, any smart card should be redirected to the guest.

=== RHEL clients with other smart card middleware ===

The library needs to be registered in the system NSS database. To achieve that, you can run (as root):
<pre>
modutil -dbdir /etc/pki/nssdb -add "module name" -libfile /path/to/library.so
</pre>

=== Windows clients ===

On Windows, Red Hat doesn't provide any PKCS #11 library to access the smart card, so the library has to be obtained from a third party. To register the library, perform (as an elevated-privileges user):
<pre>
mkdir %PROGRAMDATA%\pki\nssdb
certutil -d %PROGRAMDATA%\pki\nssdb -N
modutil -dbdir %PROGRAMDATA%\pki\nssdb -add "module name" -libfice C:\Path\to\module.dll
</pre>

The certutil and modutil commands are available as a part of the virt-viewer installation, in the <code>C:\Program Files[ (x86)]\VirtViewer[version]\bin\</code> directory.
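
The architecture-match requirement and the RHEL registration step from the description above, combined into one pre-flight script. This is an added example, not part of the bug report or of Red Hat's documentation. It assumes a Linux client where both the PKCS #11 library and remote-viewer are ELF files; the function names `elf_class`, `same_arch` and `register_module` are hypothetical.

```shell
#!/bin/sh
# Added example: verify that a PKCS #11 module matches the remote-viewer
# architecture before registering it in the NSS database, then confirm
# the registration. Function names are hypothetical, not from any package.

# Print 32 or 64 for an ELF file, based on the EI_CLASS byte at offset 4.
# Returns non-zero if the file is not an ELF object.
elf_class() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || return 1
    case $(od -An -tu1 -j4 -N1 "$1" | tr -d ' \n') in
        1) echo 32 ;;
        2) echo 64 ;;
        *) return 1 ;;
    esac
}

# Succeed only when both files are ELF objects of the same word size.
# Returns 2 when either file is not ELF, 1 on a 32b/64b mismatch.
same_arch() {
    a=$(elf_class "$1") || return 2
    b=$(elf_class "$2") || return 2
    [ "$a" = "$b" ]
}

# usage: register_module NAME LIBFILE [DBDIR] [VIEWER_BINARY]
# Runs the modutil command from the description (as root), then lists the
# module so the operator can see that NSS loaded it and found its slots.
register_module() {
    name=$1
    lib=$2
    db=${3:-/etc/pki/nssdb}
    viewer=${4:-$(command -v remote-viewer)}
    if ! same_arch "$lib" "$viewer"; then
        echo "architecture mismatch or non-ELF file: $lib vs $viewer" >&2
        return 1
    fi
    modutil -dbdir "$db" -add "$name" -libfile "$lib" || return 1
    modutil -dbdir "$db" -list "$name"
}

# Only act when called with arguments, e.g.:
#   ./register.sh "module name" /path/to/library.so
if [ "$#" -ge 2 ]; then
    register_module "$@"
fi
```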

Comment 1 Marina Kalinin 2016-02-16 14:28:02 UTC
David, 
Then we will have to work on a kcs for this, if we cannot make it in documentation until 4.0.

Myself or Frank will work with you on this.

Thank you,
Marina.

Comment 2 Yaniv Lavi 2016-05-09 11:00:02 UTC
oVirt 4.0 Alpha has been released, moving to oVirt 4.0 Beta target.

Comment 4 Uri Lublin 2016-05-23 08:13:42 UTC
(In reply to David Jaša from comment #0)

David, thanks.

Found a typo below:

> === Windows clients ===
> 
> modutil -dbdir %PROGRAMDATA%\pki\nssdb -add "module name" -libfice
> C:\Path\to\module.dll

modutil -dbdir %PROGRAMDATA%\pki\nssdb -add "module name" -libfile C:\Path\to\module.dll


Should we also mention what's required on guests?

Comment 5 David Jaša 2016-05-23 13:33:25 UTC
I found out on Linux that nss has multiarch automagic built-in: when you use just "-libfile library.so", nss will use appropriate binary for the given architecture. Maybe the same will work on Windows as well? We should verify however before writing it down into official docs...

Comment 11 Martin Perina 2016-11-15 13:29:57 UTC
Smartcard VM authentication is a Virt team feature, moving to Tomas.