David,
Thank you! I will look into this and see if this can make a difference.
On Tue, May 19, 2015 at 10:34 AM, David Jaša <djasa@xxxxxxxxxx> wrote:
So official builds exist as well but you'd need a Red Hat CertificateOn Út, 2015-05-19 at 15:59 +0200, David Jaša wrote:
> On Út, 2015-05-19 at 09:00 -0400, Thomas Foster wrote:
> > David,
> >
> > While using the spice client have you put your cac into your local
> > reader? If so, we're you able to use it? I ask because if you look
> > at my screenshots from my last email I get the same usb device
> > (usbccid), but I also get an extra device that is a problem.
> >
> > _______________________________________________
> > Spice-devel mailing list
> > Spice-devel@xxxxxxxxxxxxxxxxxxxxx
> > http://lists.freedesktop.org/mailman/listinfo/spice-devel
>
> Hm, I think I start understanding your situation: you're using linux
> client (CentOS 7?), Windows 7 guest and the smart card doesn't work
> for you. When you write "drivers in spice client" you actually mean
> drivers for client OS. That's card-dependent. You need to have a
> "smart card middleware" installed in the system and registered in nss,
> e.g.:
>
> $ modutil -dbdir /etc/pki/nssdb -list
>
> Listing of PKCS #11 Modules
> -----------------------------------------------------------
> 1. NSS Internal PKCS #11 Module
> slots: 2 slots attached
> status: loaded
>
> slot: NSS Internal Cryptographic Services
> token: NSS Generic Crypto Services
>
> slot: NSS User Private Key and Certificate Services
> token: NSS Certificate DB
>
> 2. CoolKey PKCS #11 Module
> library name: libcoolkeypk11.so
> slots: 1 slot attached
> status: loaded
>
> slot: Gemalto PC Twin Reader 00 00
> token: spice qe
>
> 3. p11-kit
> library name: /usr/lib64/pkcs11/p11-kit-trust.so
> slots: 2 slots attached
> status: loaded
>
> slot: /etc/pki/ca-trust/source
> token: System Trust
>
> slot: /usr/share/pki/ca-trust-source
> token: Default Trust
> -----------------------------------------------------------
>
> Module 2. is the one that provides my smartcard, "slot: Gemalto PC
> Twin Reader 00 00" is my physical card reader, . Coolkey is not
> however officially sanctioned in windows (although unofficial builds
> exist)
System subscription in order to access them:
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Managing_Smart_Cards_with_the_Enterprise_Security_Client/install-windows.html
David
> so if you intend to use the card in Windows, you'll need a different
> middleware for it and possibly, you'll need to register it to nss by
> hand:
>
> # modutil -dbdir /etc/pki/nssdb -add "some name for your pkcs#11 module" -libfile /usr/lib64/pkcs11/your_fancy_p11_library.so
>
> once done, the "spice client" will pick up the card automatically and
> it will show up in the working card reader in Windows with no further
> configuration.
> Alternatively, if your card doesn't have linux drivers (or it needs to
> be formatted by some Windows tool to a format specific for that
> tool...), the option for you is to use USB redirection of the whole
> card reader:
>
> Then the card won't be obviously available in the client OS but that's
> kind of irrelevant if it's format need to be incompatible with the
> client OS anyway.
> Please note also that I had to stop and mask pcscd in the client
> system in order to make the reader redirect. Note also that you'll
> need the driver for the physical reader in the guest OS in this
> scenario (the Gemalto driver for my card reader was also available
> through Windows update). The card was not recognized in my case
> beacause it's CoolKey/RHCS-formatted which would need the driver
> linked above in Windows:
>
>
> HTH,
>
> David
> _______________________________________________
> Spice-devel mailing list
> Spice-devel@xxxxxxxxxxxxxxxxxxxxx
> http://lists.freedesktop.org/mailman/listinfo/spice-devel
_______________________________________________ Spice-devel mailing list Spice-devel@xxxxxxxxxxxxxxxxxxxxx http://lists.freedesktop.org/mailman/listinfo/spice-devel