Standard Agent for Linux Administrators' Guide
This release is in Beta. Beta software is not fully supported, and may be incomplete or unstable. It is not intended for use in production systems. We welcome your feedback on this release! Send feedback to anyware-beta-feedback@hp.com.

Enabling Smart Card Authentication Using Linux Clients

Smart card authentication is supported for Linux Clients running on Ubuntu 22.04 connecting to Linux agents. The following section contains information on system requirements, limitations, agent setup, and client setup.

Info

Only in-session use of smart cards is supported. This means that smart cards are used for authentication after users have connected to the host machine and are actively using applications on it.

General Requirements

Component                                                   Version
Client: Anyware Linux Client installed on Ubuntu 22.04      25.03+
Agent:                                                      25.03+
  • Graphics Agent for Linux
  • Standard Agent for Linux
Infrastructure (Required for brokered connections only):
  • Connection Manager & Security Gateway                   20.07+
  • Leostream broker
ActivClient Middleware                                      Tested using 7.4.3.13. Other versions are expected to work, but have not been tested.

Smart Card Certificate Requirements

The smart card certificate prerequisites are as follows:

  • Key usage is set to digital signature

  • The Subject common name and subject alternative name (other name) are defined

  • Enhanced key usage must include client authentication and/or smart card logon

  • Key length does not exceed 2048 bit
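
The prerequisites above can be checked against a certificate before the card is put into use. The following is an added example, not part of the HP guide: a shell function that reads the output of openssl x509 -noout -text and reports each unmet prerequisite, including the RSA-only restriction listed under Known Limitations. The function names and the sample certificate text are constructed for illustration.

```sh
#!/bin/sh
# Added example, not HP code. Reads the output of
#   openssl x509 -noout -text
# on stdin, prints one FAIL line per unmet prerequisite, returns non-zero on any.
check_sc_cert_text() {
    text=$(cat)
    rc=0
    fail() { printf 'FAIL: %s\n' "$1"; rc=1; }
    # Value line printed directly under an extension header.
    ext() { printf '%s\n' "$text" | grep -A1 "X509v3 $1:" | tail -n 1; }

    # ECC certificates are listed as unsupported, so require an RSA key.
    printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption' ||
        fail 'public key is not RSA'
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    [ -n "$bits" ] && [ "$bits" -le 2048 ] ||
        fail "key length is ${bits:-unreadable}; it must not exceed 2048 bit"
    ext 'Key Usage' | grep -q 'Digital Signature' ||
        fail 'key usage does not include digital signature'
    # The smart card logon label differs between OpenSSL versions: match loosely.
    ext 'Extended Key Usage' |
        grep -Eiq 'Client Authentication|Smartcard ?Login' ||
        fail 'EKU includes neither client authentication nor smart card logon'
    printf '%s\n' "$text" | grep -Eq '^ *Subject:.*CN ?= ?[^, ]' ||
        fail 'subject common name is not defined'
    ext 'Subject Alternative Name' | grep -iq 'othername' ||
        fail 'subject alternative name (other name) is not defined'
    return $rc
}

# Wrapper for a PEM file, e.g. a certificate exported from the card.
check_sc_cert() { openssl x509 -in "$1" -noout -text | check_sc_cert_text; }

# Constructed sample: trimmed openssl text output, not a real certificate.
SAMPLE_OK='        Subject: DC = net, DC = domain, CN = jdoe
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, Microsoft Smartcard Login
            X509v3 Subject Alternative Name:
                othername: UPN::jdoe@my.ad.domain.net'
printf '%s\n' "$SAMPLE_OK" | check_sc_cert_text && echo 'sample: all prerequisites met'
```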

Tested Smart Card Readers

The following smart card readers have been tested:

  • Belkin USB Smart Card Reader (F1DN008U)

  • Identiv SCR3310 USB Contact Smart Card Reader

Tested Smart Card Models

The following smart card models have been tested:

Product Name                                             Type of Card      Notes
Gemalto TOP DL V2.1 144K FIPS                            CAC
IDEMIA Cosmo v8.0                                        Alternate token
IDEMIA ID-one 125 V8.0D                                  CAC
G+D Sm@rtCafe Expert v7.0                                CAC
G+D Sm@rtCafe Expert v7.0 144K DI                        CAC
PIVkey C910                                              PIV
PIVkey C980                                              PIV
PIVkey C990                                              PIV
Yubikey 5C                                                                 Using PIV interface.
Yubikey 5NFC                                                               Using PIV interface.
Smart card verified and tested in customer environment   CoolKey applet    For accessing SIPRNet

Note: Testing Smart Card Solutions

Solutions must be validated in user environments first, as environmental differences including network conditions or other components may impact support.

Notes

  • Smart card authentication is enabled by modifying the pcoip.enable_smart_card directive, as described in Enabling Smartcard Authentication.

  • At present, only one smart card and one reader can be configured at the same time.

  • While in a PCoIP session, the remote desktop's Device Manager will show two identical smart cards. This is expected and does not affect the session.

  • Smartcard authentication is only supported on Ubuntu 22.04 clients connecting to Linux agents. It is not supported while connecting from Trusted Zero Clients to Linux agents.

  • If available, configure the Linux Desktop Environment to use smartcards for lock screen authentication.

Known Limitations

  • The Interactive logon: Smart card removal behavior is not supported during sessions authenticated using smart cards.

  • Elliptic Curve Cryptography (ECC) Certificates are not supported.

  • When authenticated using smart cards, Anyware Clients cannot recognize HP Digital Badges.

  • Concurrent users cannot log on to agent machines using the same smart card for authentication.

  • Smart cards having multiple certificates allow only one user to log on at a time. Other users must wait until the current user logs off before attempting to log on.

  • Single sign-on is not supported. Users must authenticate twice: once on the client and again on the host machine's lock screen.

  • Session locking upon smartcard removal might not work as expected.

  • Session disconnection on smartcard removal might not work as expected.

  • If PCoIP sessions on RHEL agent machines fail, disable SELinux and re-establish a PCoIP session. If this does not work, contact the HP Support team.

  • If PIN prompts do not work on Linux Desktop Environments of RHEL agent machines, use the password to unlock the desktop. Smartcards will be remoted and available to be used in session.

Agent Setup

Note

Some card readers might require their drivers to be installed on the agent machine. Consult the reader manual to determine whether you need to install the required drivers.

Prerequisites

  • The host machine is domain-joined.
  • If this is a brokered connection, make sure that you installed Leostream broker and Connection Manager.
  • The CA certificates that are used for authenticating smartcards are available.

Step I: Prepare the Linux Machine

  1. Connect the machine directly to AD using SSSD. For more information, consult the following topics:

  2. Enable smart card authentication on the Linux machine and configure smart card for lock screen. For more information, consult the following topics:

  3. Install the Leostream agent on the Linux machine. For more information, see the Leostream® Platform Installation Guide.

    Info

    For common errors encountered during Leostream agent configuration, see the Leostream Install Errors article.

Step II: Install and Configure Anyware Agent

  1. Make sure that you downloaded Anyware Agent 25.03 or later to the remote machine.

  2. Install the agent following the instructions in "Installing the agent".

  3. Enable smart card authentication on the agent:

    1. Navigate to /etc/pcoip/.

    2. Open the pcoip-agent.conf file.

    3. Locate the pcoip.enable_smart_card directive.

    4. Set its value to "1".

    5. Save your changes.

    6. Add the root CA certificate and the intermediate CA certificates to the agent's trusted certificate store.

      For example:

      cp hp_root_CA.pem /etc/ssl/certs/
      cp hp_int_CA.pem /etc/ssl/certs/
      
    7. Add the following setting to the domain section in the sssd.conf file, available at the following location: /etc/sssd/

      For example:

      [domain/my.ad.domain.net]
      ad_gpo_map_permit = +pcoip-session
      
    8. Restart the PCoIP Agent service by running the following command:

      systemctl restart pcoip
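
A way to confirm that the directive and the SSSD mapping from the sub-steps above are in place, as an added example that is not part of the HP guide. It assumes the directive is written as pcoip.enable_smart_card = 1 in pcoip-agent.conf; the function name and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example, not HP code: confirm the agent-side settings from Step II.
# Usage: audit_sc_agent [pcoip-agent.conf] [sssd.conf]
audit_sc_agent() {
    conf=${1:-/etc/pcoip/pcoip-agent.conf}
    sssd=${2:-/etc/sssd/sssd.conf}
    rc=0

    # Assumed syntax: pcoip.enable_smart_card = 1. Commented-out lines are
    # skipped and the last active assignment is the one evaluated.
    val=$(awk -F= '/^[ \t]*pcoip\.enable_smart_card[ \t]*=/ {
              v = $2; gsub(/[ \t"]/, "", v); last = v }
          END { print last }' "$conf" 2>/dev/null)
    if [ "$val" = 1 ]; then echo "OK:   pcoip.enable_smart_card = 1"
    else echo "FAIL: pcoip.enable_smart_card is '${val:-unset}', expected 1"; rc=1; fi

    # The mapping only counts inside a [domain/NAME] section. A header with
    # whitespace inside the brackets is not treated as a domain section.
    if awk '
        /^[ \t]*\[/ { dom = ($0 ~ /^[ \t]*\[domain\/[^ \t]+\][ \t]*$/) }
        dom && /^[ \t]*ad_gpo_map_permit[ \t]*=.*\+pcoip-session/ { ok = 1 }
        END { exit !ok }' "$sssd" 2>/dev/null
    then echo "OK:   ad_gpo_map_permit includes +pcoip-session"
    else echo "FAIL: no [domain/NAME] section permits +pcoip-session"; rc=1; fi
    return $rc
}

# Constructed sample files so the check can be tried without touching /etc.
demo=$(mktemp -d)
printf 'pcoip.enable_smart_card = 1\n' > "$demo/pcoip-agent.conf"
cat > "$demo/sssd.conf" <<'EOF'
[sssd]
domains = my.ad.domain.net

[domain/my.ad.domain.net]
id_provider = ad
ad_gpo_map_permit = +pcoip-session
EOF
audit_sc_agent "$demo/pcoip-agent.conf" "$demo/sssd.conf"
rm -rf "$demo"
```

On the agent machine, run audit_sc_agent with no arguments as root to check the live files.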
      

Client Setup

  1. Make sure that you downloaded Anyware Linux Client version 25.03 or later on the Ubuntu 22.04 client machine.

  2. Configure the client machine to connect to the agent machine. Follow the instructions in the topic "Connecting to an Agent Machine" in the Anyware Linux Client guide.

  3. Plug the smart card reader into the client machine.

  4. Use your smartcard to authenticate the session. For a full set of instructions on using smartcards to authenticate PCoIP sessions, consult "Using Smart Card Authentication to Connect to a Session" in the Anyware Linux Client guide.

Disabling Smartcard Authentication

  1. On the agent machine, navigate to /etc/pcoip/.

  2. Open the pcoip-agent.conf file.

  3. Set the pcoip.enable_smart_card directive to "0".

  4. Save your changes.

  5. Reboot the agent machine.


Last updated: Tuesday, February 18, 2025