Red Hat Bugzilla – Bug 1305985
[RFE] - Document client setup for smart card sharing
Last modified: 2017-01-11 00:57:41 EST
Description of problem:
Enabling smartcard in VM console properties is not enough to make smart cards work. The rest of the steps are not currently documented, which causes a lot of confusion.
Version-Release number of selected component (if applicable):
RHEV up to 3.6 RC
The docs could probably look as follows:
== Client system configuration for smart card sharing ==
Smart cards may require various libraries to access their certificates. This section will show how to make them visible to the NSS library, which spice-gtk utilizes to provide the smartcard to the guest. NSS expects the libraries to provide a PKCS #11 interface.
The module architecture has to match the spice-gtk/remote-viewer architecture, so if you have only a 32b PKCS #11 library available, you'll have to install a 32b build of virt-viewer as well.
=== RHEL clients with CoolKey smart card middleware ===
CoolKey smart card middleware is a part of the RHEL distribution. As such, it's enough to install the <code>Smart Card Support</code> yum group, and when enabled, any smart card should be redirected to the guest.
=== RHEL clients with other smart card middleware ===
The library needs to be registered in the system NSS database. To achieve that, you can run (as root):
modutil -dbdir /etc/pki/nssdb -add "module name" -libfile /path/to/library.so
=== Windows clients ===
On Windows, Red Hat doesn't provide any PKCS #11 library to access the smart card, so the library has to be obtained from a third party. To register the library, perform (as a user with elevated privileges):
certutil -d %PROGRAMDATA%\pki\nssdb -N
modutil -dbdir %PROGRAMDATA%\pki\nssdb -add "module name" -libfice C:\Path\to\module.dll
The certutil and modutil commands are available as a part of the virt-viewer installation, in the <code>C:\Program Files[ (x86)]\VirtViewer[version]\bin\</code> directory.
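The architecture rule and the RHEL registration step described above can be combined into a pre-flight check. This is an added example, not part of the bug report or of Red Hat's documentation; the function names and the ELF-header comparison are assumptions made here, and it covers Linux clients only.

```shell
#!/bin/sh
# Added example: refuse to register a PKCS #11 library whose word size
# differs from the remote-viewer binary that will load it through NSS.

# elf_class FILE -> prints 32 or 64; fails if FILE is not an ELF file.
elf_class() {
    # Bytes 0-3 are the ELF magic (7f 'E' 'L' 'F'); byte 4 (EI_CLASS)
    # is 1 for 32-bit objects and 2 for 64-bit objects.
    hdr=$(od -An -tx1 -N5 "$1" 2>/dev/null | tr -d ' \n')
    case "$hdr" in
        7f454c4601) echo 32 ;;
        7f454c4602) echo 64 ;;
        *) return 1 ;;
    esac
}

# same_arch LIB VIEWER -> 0 if both are ELF with the same class,
# 1 on a mismatch, 2 if either file is not ELF.
same_arch() {
    lib_class=$(elf_class "$1") || { echo "not an ELF file: $1" >&2; return 2; }
    app_class=$(elf_class "$2") || { echo "not an ELF file: $2" >&2; return 2; }
    [ "$lib_class" = "$app_class" ] && return 0
    echo "mismatch: $1 is ${lib_class}-bit, $2 is ${app_class}-bit" >&2
    return 1
}

# register_module NAME LIB [VIEWER] -> check, register, then list the
# modules in the system NSS database so the result can be confirmed.
register_module() {
    viewer=${3:-$(command -v remote-viewer)}
    same_arch "$2" "$viewer" || return 1
    modutil -dbdir /etc/pki/nssdb -add "$1" -libfile "$2" &&
        modutil -list -dbdir /etc/pki/nssdb
}

# Runs only when arguments are given (as root):
#   ./register-pkcs11.sh "module name" /path/to/library.so
if [ "$#" -ge 2 ]; then
    register_module "$@"
fi
```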
Then we will have to work on a kcs for this, if we cannot make it in documentation until 4.0.
Myself or Frank will work with you on this.
oVirt 4.0 Alpha has been released, moving to oVirt 4.0 Beta target.
(In reply to David Jaša from comment #0)
Found a typo below:
> === Windows clients ===
> modutil -dbdir %PROGRAMDATA%\pki\nssdb -add "module name" -libfice
modutil -dbdir %PROGRAMDATA%\pki\nssdb -add "module name" -libfile C:\Path\to\module.dll
Should we also mention what's required on guests?
I found out on Linux that nss has multiarch automagic built-in: when you use just "-libfile library.so", nss will use appropriate binary for the given architecture. Maybe the same will work on Windows as well? We should verify however before writing it down into official docs...
Smartcard VM authentication is a Virt team feature, moving to Tomas.