Bug 590689

Summary: Smart card authentication with ocsp validation.
Product: Red Hat Enterprise Linux 6 Reporter: Asha Akkiangady <aakkiang>
Component: doc-Managing_Smart_Cards Assignee: Deon Ballard <dlackey>
Status: CLOSED CURRENTRELEASE QA Contact: ecs-bugs
Severity: medium Docs Contact:
Priority: low    
Version: 6.0 CC: ckannan, dlackey, jmagne, mhideo, rrelyea, shaines
Target Milestone: rc Keywords: Documentation
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-11-11 15:35:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Asha Akkiangady 2010-05-10 13:51:03 UTC
Description of problem:
Smart card authentication with OCSP validation requires document edits in the RHEL 6 deployment guide. Reference bug: https://bugzilla.redhat.com/show_bug.cgi?id=583109.

RHEL 5 doc "http://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/Deployment_Guide-en-US/sso-sc-config.html":

----------  Change --------------

6. If you need to enable the Online Certificate Status Protocol (OCSP), open
the /etc/pam_pkcs11/pam_pkcs11.conf file, and locate the following line:

  enable_ocsp = false;

  Change this value to true, as follows:

  enable_ocsp = true;

------------- to ----------------

6. If you need to enable the Online Certificate Status Protocol (OCSP), open
the /etc/pam_pkcs11/pam_pkcs11.conf file, and locate all the lines with:

   cert_policy=ca, signature;

  Change them all by adding ocsp_on, as follows:

   cert_policy=ca, ocsp_on, signature;

Comment 2 RHEL Product and Program Management 2010-05-10 15:40:49 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for

Comment 8 Michael Hideo 2010-07-28 22:15:19 UTC
August 11 is target.

Comment 11 Andrew Ross 2010-08-20 01:45:06 UTC

# Open the pam_pkcs11.conf file.

vim /etc/pam_pkcs11/pam_pkcs11.conf

# Change every cert_policy line so that it contains the ocsp_on option.

cert_policy =ca, ocsp_on, signature;

And a note on the space between cert_policy and =ca

Comment 12 releng-rhel@redhat.com 2010-11-11 15:35:23 UTC
Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.
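
Added example (not part of this bug report or of the Red Hat guide): a shell check for the edit requested above, listing every active cert_policy line in a pam_pkcs11.conf that has no ocsp_on token, so a missed line is caught before OCSP validation is assumed to be on. The function names, the sample configuration and the module names in it are constructed for illustration; passing `-` makes awk read standard input.

```shell
#!/bin/sh
# Constructed sample: two module blocks, only one of them already edited,
# plus a commented-out cert_policy line that must be ignored.
sample_conf() {
    cat <<'EOF'
pam_pkcs11 {
  pkcs11_module coolkey {
    cert_policy = ca, signature;
  }
  pkcs11_module opensc {
    cert_policy =ca, ocsp_on, signature;
  }
  # cert_policy = ca, signature;
}
EOF
}

# Print "lineno: text" for each active cert_policy line whose comma-separated
# value list has no ocsp_on token.
# Exit status: 0 = every line has it, 1 = at least one line is missing it,
#              2 = no active cert_policy line was found at all.
audit_cert_policy() {
    awk '
    {
        line = $0
        sub(/[#].*/, "", line)                      # ignore comments
        if (line !~ /^[ \t]*cert_policy[ \t]*=/) next
        seen++
        val = line
        sub(/^[ \t]*cert_policy[ \t]*=/, "", val)   # keep only the value list
        sub(/;.*/, "", val)
        n = split(val, tok, ",")
        ok = 0
        for (i = 1; i <= n; i++) {
            gsub(/[ \t]/, "", tok[i])               # tolerate any spacing
            if (tok[i] == "ocsp_on") ok = 1         # whole-token match only
        }
        if (!ok) { printf "%d: %s\n", NR, $0; bad++ }
    }
    END { if (!seen) exit 2; exit (bad ? 1 : 0) }
    ' "$1"
}

# Demo on the constructed sample; on a real host pass the file path instead:
#   audit_cert_policy /etc/pam_pkcs11/pam_pkcs11.conf
sample_conf | audit_cert_policy - || echo "audit status: $?"
```
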