Re: Cannot make smart card work with Horizon View ...

Argenet · ‎08-27-2015

Hi All,

I am trying to set up the smart card authentication with Horizon View 3.4 client for Linux using a Gemalto.NET card and two readers:

1) OMNIKey 5321

2) IO Gear GSR202

I cannot get the certificates from my smart card shown (see the log excerpt below).

2015-08-27 10:17:58.951-07:00: vmware-view 20375| Failed to load module "canberra-gtk-module"

2015-08-27 10:17:58.951-07:00: vmware-view 20375| Initializing smartcard modules

2015-08-27 10:17:58.951-07:00: vmware-view 20375| Attempting to load cryptoki module /usr/lib/vmware/view/pkcs11/libcoolkeypk11.so

2015-08-27 10:17:58.952-07:00: vmware-view 20375| Attempting to load cryptoki module /usr/lib/vmware/view/pkcs11/libgtop11dotnet.so

2015-08-27 10:18:00.175-07:00: vmware-view 20375| Attempting to load cryptoki module /usr/lib/vmware/view/pkcs11/libopensc-pkcs11.so

2015-08-27 10:18:00.178-07:00: vmware-view 20375| Loaded 2 modules from /usr/lib/vmware/view/pkcs11

2015-08-27 10:18:00.189-07:00: vmware-view 20375| Failed to load module "atk-bridge"

2015-08-27 10:18:00.192-07:00: vmware-view 20375| Using glib version 2.42.2

2015-08-27 10:18:00.192-07:00: vmware-view 20375| Using gtk+ version 2.24.27

2015-08-27 10:18:00.193-07:00: vmware-view 20375| Using window manager Xfwm4

2015-08-27 10:18:00.195-07:00: vmware-view 20375| Built using OpenSSL 1.0.1m 19 Mar 2015

2015-08-27 10:18:00.195-07:00: vmware-view 20375| Using libcurl/7.42.0 OpenSSL/1.0.2 zlib/1.2.8 c-ares/1.9.1

2015-08-27 10:18:00.195-07:00: vmware-view 20375| Icon cache root dir will be: /home/argenet/.vmware/icon/.

2015-08-27 10:18:00.258-07:00: vmware-view 20375| We cannot use all monitors.

2015-08-27 10:18:00.314-07:00: vmware-view 20375| Empty loginCerts list, FAILURE

2015-08-27 10:18:00.314-07:00: vmware-view 20375| Unable to retrieve smart card certificates

2015-08-27 10:18:00.314-07:00: vmware-view 20375| Closing session for token [.NET #0AE329216DA4F3EE] (Gemalto .NET PKCS11)

2015-08-27 10:18:02.710-07:00: vmware-view 20375| Disconnecting from broker (null)

2015-08-27 10:18:02.710-07:00: vmware-view 20375| CdkUtil_SetLocalAddress: fd -1 < 0, not retrieving local address.

2015-08-27 10:18:02.712-07:00: vmware-view 20375| TaskCombiner: CdkGetLaunchItemsTask(TODO) added, group task num:1, total task num:1.

2015-08-27 10:18:02.712-07:00: vmware-view 20375| TaskCombiner: CdkGetUserGlobalPreferencesTask(TODO) added, group task num:2, total task num:2.

2015-08-27 10:18:02.714-07:00: vmware-view 20375| TaskCombiner: CdkGetTunnelConnectionTask(TODO) added, group task num:3, total task num:3.

2015-08-27 10:18:02.714-07:00: vmware-view 20375| TaskCombiner: Group Tasks(3):CdkGetLaunchItemsTask(TODO),CdkGetUserGlobalPreferencesTask(TODO),CdkGetTunnelConnectionTask(TODO),

2015-08-27 10:18:02.714-07:00: vmware-view 20375| TaskCombiner: CdkGetConfigurationTask(TODO) added, group task num:1, total task num:4.

However, the very same cards works perfectly for me at Windows and Mac with View client 3.4 and same readers.

I also ensured it is recognized properly in the system:

% opensc-tool -a

Using reader with a card: OMNIKEY CardMan (076B:5321) 5321 (OKCM0072507121033223556944721814) 00 00

3b:16:96:41:73:74:72:69:64

Any help is highly appreciated.

grossag · ‎09-01-2015

I asked some coworkers to chime in on this thread. Hopefully you will hear back soon.

On Windows I know we need a minidriver from Windows Update to get Gemalto.NET cards working, but I'm not sure about Linux.

Mangui · ‎09-01-2015

Hi, Argenet.

From your describe and log information, you had install libgtop11donet.so, so seems that now Gemalto card should work well with PKCS#11 interface that view client need. From below information:

2015-08-27 10:18:00.314-07:00: vmware-view 20375| Empty loginCerts list, FAILURE

2015-08-27 10:18:00.314-07:00: vmware-view 20375| Unable to retrieve smart card certificates

It is said that view client try to get the smart card certificates from your card, but get NULL. Because view client will only try to get the certificates list that match with the issuers received from broker, so first you need to make sure that there is certificate in your smart card that match with your broker setttings. If no, you should entitle such user in your broker settings.

And I suggest you to add:

view.defauleLogLevel = "0"

in the file ~/.vmware/view-preference that can increase the log level that we can get more log information.

Mangui · ‎09-01-2015

Sorry, it should be view.defaultLogLevel = "0", no view.defauleLogLevel = "0"

Argenet · ‎09-04-2015

Hi Mangul,

Thank you for chiming in and providing the troubleshooting steps.

First note, I am using the very same Gemalto.NET card and OMNIKey reader for Windows and it works perfectly fine for me when logging in using Horizon View client.

So the certificate stored at this smart card is valid and should work alike for Linux as well.

Do I need to somehow explicitly install it (the user's certificate, not the CA which is already in a trusted store) to the Linux desktop prior to launching View client?

Next, I have turned the additional logs on, publishing the log snippet below

Last (not least) I have updated to the new Horizon Client v3.5 but still experiencing the same issue with it as well.

2015-09-04 16:19:26.437-07:00: vmware-view 28349| [All] cdk_smartcard_auth_dialog_get_certificates:740: Entry

2015-09-04 16:19:26.437-07:00: vmware-view 28349| [All] cdk_wrap_label_notify_cb:1669: Entry

2015-09-04 16:19:26.437-07:00: vmware-view 28349| [All] cdk_wrap_label_notify_cb:1674: Exit