
Red Hat Enterprise Linux 6

Managing Single Sign-On and Smart Cards

For Red Hat Enterprise Linux 6

Edition 1

Ella Deon Lackey


Legal Notice

Copyright © 2010 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
All other trademarks are the property of their respective owners.


1801 Varsity Drive
Raleigh, NC 27606-2072 USA
Phone: +1 919 754 3700
Phone: 888 733 4281
Fax: +1 919 754 3701

August 13, 2009
Abstract
This guide is for both users and administrators of Red Hat Enterprise Linux 6.0 who need to manage personal certificates and keys using the Enterprise Security Client. The Enterprise Security Client is a simple GUI that works as a frontend for the Red Hat Certificate System token management system. It allows users of Red Hat Enterprise Linux 6.0 to format and manage smart cards easily as part of a single sign-on solution.

About This Guide
1. Additional Reading
2. Examples and Formatting
2.1. Formatting for Examples and Commands
2.2. Tool Locations
2.3. Guide Formatting
3. Giving Feedback
4. Document History
1. Introduction to the Enterprise Security Client
1.1. Red Hat Enterprise Linux, Single Sign-On, and Authentication
1.2. Red Hat Certificate System and the Enterprise Security Client
2. Using Pluggable Authentication Modules (PAM)
2.1. About PAM
2.2. PAM Configuration Files
2.2.1. PAM Service Files
2.2.2. PAM Configuration File Format
2.2.3. Sample PAM Configuration Files
2.3. Creating PAM Modules
2.4. PAM and Administrative Credential Caching
2.4.1. Removing the Timestamp File
2.4.2. Common pam_timestamp Directives
3. Using Kerberos
3.1. About Kerberos
3.1.1. A General Overview of Kerberos
3.1.2. How Kerberos Works
3.1.3. Additional Resources for Kerberos
3.2. Configuring a Kerberos 5 Server
3.3. Configuring a Kerberos 5 Client
3.4. Domain-to-Realm Mapping
3.5. Setting up Secondary KDCs
3.6. Setting up Cross Realm Authentication
4. Using the Enterprise Security Client
4.1. Launching Enterprise Security Client
4.2. Overview of Enterprise Security Client Configuration
4.2.1. Enterprise Security Client File Locations
4.2.2. About the Preferences Configuration Files
4.2.3. About the XUL and JavaScript Files in the Enterprise Security Client
4.3. Configuring Phone Home
4.3.1. About Phone Home Profiles
4.3.2. Setting Global Phone Home Information
4.3.3. Adding Phone Home Information to a Token Manually
4.3.4. Configuring the TPS to Use Phone Home
4.4. Using Security Officer Mode
4.4.1. Enabling Security Officer Mode
4.4.2. Enrolling a New Security Officer
4.4.3. Using Security Officers to Manage Users
4.5. Configuring SSL Connections with the TPS
4.6. Customizing the Smart Card Enrollment User Interface
4.7. Disabling LDAP Authentication for Token Operations
5. Using Smart Cards with the Enterprise Security Client
5.1. Supported Smart Cards
5.2. Setting up Users to Be Enrolled
5.3. Enrolling a Smart Card Automatically
5.4. Managing Smart Cards
5.4.1. Formatting the Smart Card
5.4.2. Resetting a Smart Card Password
5.4.3. Viewing Certificates
5.4.4. Importing CA Certificates
5.4.5. Adding Exceptions for Servers
5.4.6. Enrolling Smart Cards
5.4.7. Re-Enrolling Tokens
5.5. Diagnosing Problems
5.5.1. Errors
5.5.2. Events
6. Configuring Applications for Single Sign-On
6.1. Configuring Firefox to Use Kerberos for Single Sign-On
6.2. Enabling Smart Card Login on Red Hat Enterprise Linux
6.3. Setting up Browsers to Support SSL for Tokens
6.4. Using the Certificates on Tokens for Mail Clients
Glossary