Bug 1305985 - [RFE] - Document client setup for smart card sharing
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: Documentation
Version: 3.6.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ovirt-4.0.5
Target Release: ---
Assigned To: Zac Dover
QA Contact: Tahlia Richardson
Keywords: FutureFeature
Depends On:
Blocks: 902971
Reported: 2016-02-09 12:48 EST by David Jaša
Modified: 2017-01-11 00:57 EST (History)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-01-11 00:57:41 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Docs
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---



External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 1258423 None None None 2016-02-09 12:59 EST

Description David Jaša 2016-02-09 12:48:53 EST
Description of problem:
Enabling smartcard in VM console properties is not enough to make smart cards work. The rest of the steps are not currently documented, which causes a lot of confusion.

Version-Release number of selected component (if applicable):
RHEV up to 3.6 RC

The docs could probably look as follows:

== Client system configuration for smart card sharing ==

Smart cards may require various libraries to access their certificates. This section will show how to make them visible to the NSS library, which spice-gtk utilizes to provide the smartcard to the guest. NSS expects the libraries to provide a PKCS #11 interface.

The module architecture has to match the spice-gtk/remote-viewer architecture, so if you have only a 32b PKCS #11 library available, you'll have to install a 32b build of virt-viewer as well.

=== RHEL clients with CoolKey smart card middleware ===

CoolKey smart card middleware is a part of RHEL distribution. As such, it's enough to install <code>Smart Card Support</code> yum group and when enabled, any smart card should be redirected to the guest.

=== RHEL clients with other smart card middleware ===

The library needs to be registered in the system NSS database. To achieve that, you can run (as root):
<pre>
modutil -dbdir /etc/pki/nssdb -add "module name" -libfile /path/to/library.so
</pre>

=== Windows clients ===

On Windows, Red Hat doesn't provide any PKCS #11 library to access the smart card, so the library has to be obtained from a third party. To register the library, perform (as an elevated-privileges user):
<pre>
mkdir %PROGRAMDATA%\pki\nssdb
certutil -d %PROGRAMDATA%\pki\nssdb -N
modutil -dbdir %PROGRAMDATA%\pki\nssdb -add "module name" -libfice C:\Path\to\module.dll
</pre>

The certutil and modutil commands are available as a part of the virt-viewer installation, in the <code>C:\Program Files[ (x86)]\VirtViewer[version]\bin\</code> directory.
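A client-side helper for the Linux procedure above, added here as an example (it is not part of the bug report or of the RHEV documentation): it checks the 32b/64b architecture caveat from the description by comparing the ELF class of the PKCS #11 library with that of the remote-viewer binary, registers the module with modutil, and verifies the registration with modutil -list. modutil's -force option and the "library name:" line in its listing are real; the paths and the module name are placeholders.

```shell
#!/bin/sh
# Added example, not code from the bug report. Assumes modutil (nss-tools)
# is installed and that library/viewer paths are supplied by the caller.

# Print the ELF class of a binary: 32, 64, or "unknown" (non-zero status).
elf_class() {
    # Bytes 0-3 are the ELF magic; byte 4 is EI_CLASS (1 = 32-bit, 2 = 64-bit).
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { echo unknown; return 1; }
    cls=$(od -An -tu1 -j4 -N1 "$1" | tr -d ' \n')
    case "$cls" in
        1) echo 32 ;;
        2) echo 64 ;;
        *) echo unknown; return 1 ;;
    esac
}

# Succeed only when the library and the viewer share an ELF class,
# which is the requirement stated in the description.
arch_matches() {
    lib_cls=$(elf_class "$1") || return 1
    viewer_cls=$(elf_class "$2") || return 1
    [ "$lib_cls" = "$viewer_cls" ]
}

# Register a PKCS #11 module in the system NSS database and verify it.
# Usage: register_pkcs11_module "module name" /path/to/library.so [viewer] [dbdir]
register_pkcs11_module() {
    name=$1
    lib=$2
    viewer=${3:-$(command -v remote-viewer)}
    dbdir=${4:-/etc/pki/nssdb}
    if ! arch_matches "$lib" "$viewer"; then
        echo "architecture mismatch: $lib vs $viewer" >&2
        return 2
    fi
    # -force suppresses modutil's interactive confirmation prompt.
    modutil -dbdir "$dbdir" -add "$name" -libfile "$lib" -force || return 3
    # The listing shows each registered module with its library path.
    modutil -dbdir "$dbdir" -list | grep -q "library name: $lib" || return 4
}
```

Run it as root; a non-zero return of 2 means the architecture check failed before anything was written to the database.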
Comment 1 Marina 2016-02-16 09:28:02 EST
David, 
Then we will have to work on a kcs for this, if we cannot make it in documentation until 4.0.

Myself or Frank will work with you on this.

Thank you,
Marina.
Comment 2 Yaniv Lavi 2016-05-09 07:00:02 EDT
oVirt 4.0 Alpha has been released, moving to oVirt 4.0 Beta target.
Comment 4 Uri Lublin 2016-05-23 04:13:42 EDT
(In reply to David Jaša from comment #0)

David, thanks.

Found a typo below:

> === Windows clients ===
> 
> modutil -dbdir %PROGRAMDATA%\pki\nssdb -add "module name" -libfice
> C:\Path\to\module.dll

modutil -dbdir %PROGRAMDATA%\pki\nssdb -add "module name" -libfile C:\Path\to\module.dll


Should we also mention what's required on guests?
Comment 5 David Jaša 2016-05-23 09:33:25 EDT
I found out on Linux that nss has multiarch automagic built-in: when you use just "-libfile library.so", nss will use the appropriate binary for the given architecture. Maybe the same will work on Windows as well? We should verify, however, before writing it down into the official docs...
Comment 11 Martin Perina 2016-11-15 08:29:57 EST
Smartcard VM authentication is a Virt team feature, moving to Tomas
