[Spice-devel] Cac redirection through spice client

Thomas Foster thomas.foster80 at gmail.com
Tue May 19 08:15:19 PDT 2015


David,

Thank you! I will look into this and see if this can make a difference.

On Tue, May 19, 2015 at 10:34 AM, David Jaša <djasa at redhat.com> wrote:

> On Tue, 2015-05-19 at 15:59 +0200, David Jaša wrote:
> > On Tue, 2015-05-19 at 09:00 -0400, Thomas Foster wrote:
> > > David,
> > >
> > > While using the spice client have you put your cac into your local
> > > reader?  If so, were you able to use it?  I ask because if you look
> > > at my screenshots from my last email I get the same usb device
> > > (usbccid), but I also get an extra device that is a problem.
> > >
> >
> > Hm, I think I start understanding your situation: you're using linux
> > client (CentOS 7?), Windows 7 guest and the smart card doesn't work
> > for you. When you write "drivers in spice client" you actually mean
> > drivers for client OS. That's card-dependent. You need to have a
> > "smart card middleware" installed in the system and registered in nss,
> > e.g.:
> >
> > $ modutil -dbdir /etc/pki/nssdb -list
> >
> > Listing of PKCS #11 Modules
> > -----------------------------------------------------------
> >   1. NSS Internal PKCS #11 Module
> >        slots: 2 slots attached
> >       status: loaded
> >
> >        slot: NSS Internal Cryptographic Services
> >       token: NSS Generic Crypto Services
> >
> >        slot: NSS User Private Key and Certificate Services
> >       token: NSS Certificate DB
> >
> >   2. CoolKey PKCS #11 Module
> >       library name: libcoolkeypk11.so
> >        slots: 1 slot attached
> >       status: loaded
> >
> >        slot: Gemalto PC Twin Reader 00 00
> >       token: spice qe
> >
> >   3. p11-kit
> >       library name: /usr/lib64/pkcs11/p11-kit-trust.so
> >        slots: 2 slots attached
> >       status: loaded
> >
> >        slot: /etc/pki/ca-trust/source
> >       token: System Trust
> >
> >        slot: /usr/share/pki/ca-trust-source
> >       token: Default Trust
> > -----------------------------------------------------------
> >
> > Module 2. is the one that provides my smartcard, "slot: Gemalto PC
> > Twin Reader 00 00" is my physical card reader. Coolkey is not
> > however officially sanctioned in Windows (although unofficial builds
> > exist)
>
> So official builds exist as well but you'd need a Red Hat Certificate
> System subscription in order to access them:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Managing_Smart_Cards_with_the_Enterprise_Security_Client/install-windows.html
>
> David
>
> > so if you intend to use the card in Windows, you'll need a different
> > middleware for it and possibly, you'll need to register it to nss by
> > hand:
> >
> > # modutil -dbdir /etc/pki/nssdb -add "some name for your pkcs#11 module" -libfile /usr/lib64/pkcs11/your_fancy_p11_library.so
> >
> > once done, the "spice client" will pick up the card automatically and
> > it will show up in the working card reader in Windows with no further
> > configuration.
> > Alternatively, if your card doesn't have linux drivers (or it needs to
> > be formatted by some Windows tool to a format specific for that
> > tool...), the option for you is to use USB redirection of the whole
> > card reader:
> >
> > Then the card won't be obviously available in the client OS but that's
> > kind of irrelevant if its format needs to be incompatible with the
> > client OS anyway.
> > Please note also that I had to stop and mask pcscd in the client
> > system in order to make the reader redirect. Note also that you'll
> > need the driver for the physical reader in the guest OS in this
> > scenario (the Gemalto driver for my card reader was also available
> > through Windows update). The card was not recognized in my case
> > because it's CoolKey/RHCS-formatted which would need the driver
> > linked above in Windows:
> >
> >
> > HTH,
> >
> > David
>
>
>
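
An added example, not part of the original messages: a shell function that reads `modutil -list` output and reports whether a given PKCS#11 library is registered in the NSS database and exposes a token, which is the client-side check described in the quoted reply. The function name `card_status`, its exit codes and the abridged sample listing are constructed for illustration.

```shell
#!/usr/bin/env bash
# Check an NSS database listing for a PKCS#11 middleware module and its token.

# Constructed sample input: abridged copy of the listing quoted in the thread.
sample_listing() {
cat <<'EOF'
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
       slots: 2 slots attached
      status: loaded

       slot: NSS User Private Key and Certificate Services
      token: NSS Certificate DB

  2. CoolKey PKCS #11 Module
      library name: libcoolkeypk11.so
       slots: 1 slot attached
      status: loaded

       slot: Gemalto PC Twin Reader 00 00
      token: spice qe
-----------------------------------------------------------
EOF
}

# card_status LIB: reads `modutil -list` output on stdin (hypothetical helper).
# Prints "slot|token" for each token of the module whose library name contains LIB.
# Exit 0: token found; 1: module registered but no token listed; 2: not registered.
card_status() {
  awk -v want="$1" '
    { sub(/[ \t\r]+$/, "") }                        # drop trailing whitespace
    /^ *[0-9]+\. /      { lib = ""; hit = 0; next } # start of a new module entry
    /^ *library name: / { sub(/^ *library name: /, ""); lib = $0
                          if (index(lib, want)) { hit = 1; registered = 1 }
                          next }
    /^ *slot: /         { sub(/^ *slot: /, ""); slot = $0; next }
    /^ *token: /        { sub(/^ *token: /, "")
                          if (hit && $0 != "") { print slot "|" $0; found = 1 } }
    END { if (found) exit 0; exit (registered ? 1 : 2) }
  '
}

# Live use (assumes the database path used in the thread):
#   modutil -dbdir /etc/pki/nssdb -list | card_status libcoolkeypk11.so
```

Exit code 2 points at the missing `modutil -add` registration step; exit code 1 means the middleware is registered but no slot with a token was listed for it.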

