1

The company where I work is upgrading the certificates for VPN access from A1 to A3, but I am having trouble getting the new A3 Token to work in Ubuntu.

By following a bunch of instructions from around the web and from coworkers, here is what I have done so far:

  1. I have downloaded and installed the driver from the address below.

        $ wget https://www.globalsign.com/en/safenet-drivers/USB/10.7/Safenet_Linux_Installer_DEB_x64.zip

  2. At that point, the token was still not being recognized. It did not appear as a result of the command p11tool --list-tokens. So I was told to create the file /etc/gnutls/pkcs11.conf and add the following line to it:

        load=/usr/lib/libeTPkcs11.so

  3. That made the token be recognized, but its Module was not being displayed. Here's how it appeared. URL and serial have been purposely removed.

        $ p11tool --list-tokens
        Token 1:
            URL: ###########
            Type: Hardware token
            Flags: RNG, Requires login
            Manufacturer: SafeNet, Inc.
            Model: eToken
            Serial: ###########
            Module:

  4. To solve that, I was told to access the folder /usr/lib/x86_64-linux-gnu/pkcs11, delete or rename the file opensc-pkcs11.so, and recreate it as a symbolic link to the driver's file. That's what I did via the command below.

        $ sudo ln -s /usr/lib/libeToken.so.10.7.77 /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so

This is pretty much where I stand. Doing step 4 made the token recognize its driver. The Module now appears when I list it.

    $ p11tool --list-tokens
    Token 1:
        URL: ###########
        Type: Hardware token
        Flags: RNG, Requires login
        Manufacturer: SafeNet, Inc.
        Model: eToken
        Serial: ###########
        Module: opensc-pkcs11.so

But when I try to get the URL of the token's certificate, which I need to access the VPN, this is what I get. Does anyone know how I can fix this?

    $ p11tool --list-all-certs "[token-url]"
    No matching objects found

1 Answer

2

Long time ago...

  1. First you need to type the command below and get a similar response (token serial is masked):

        $ p11tool --list-all-certs
        warning: no token URL was provided for this operation; the available tokens are:

        pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
        pkcs11:model=eToken;manufacturer=SafeNet%2C%20Inc.;serial=0a2a4a6a;token=Soluti

  2. Then, you can replace [token-url] with the last line shown (in my case) in your $ p11tool --list-all-certs "[token-url]".

For example, this is my way to get VPN connection:

    $ sudo openconnect \
        --authgroup=MY_AUTH_GROUP \
        --protocol=gp \
        MY_VPN_HOSTNAME \
        --cafile certificates.pem \
        -u MY_USERNAME \
        -c "$(p11tool --provider=/usr/lib/libeToken.so --list-all-certs --only-urls | tail -1)"

See the last line: I added --only-urls and filtered to get the last line ( | tail -1).

And I needed to specify my provider library (--provider=/usr/lib/libeToken.so) because p11tool does not automagically locate it.

Important: The PC/SC Smart Card Daemon needs to be active:

    $ sudo systemctl start pcscd

Best regards!
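The answer's one-liner picks the certificate with tail -1, which silently hands openconnect the wrong URL as soon as the token order changes or the System Trust store also lists certificates. The script below is an added example (not part of the answer, not SafeNet's or openconnect's own code) that does the same steps in a checkable way: it selects the certificate URL by the token's PKCS#11 model attribute, refuses to continue when no match is found, and checks the answer's two prerequisites (pcscd running, provider library present) before calling openconnect. The provider path /usr/lib/libeToken.so and the openconnect flags are taken from the answer; MY_VPN_HOSTNAME, MY_AUTH_GROUP, MY_USERNAME and certificates.pem are placeholders you replace with your own values.

```shell
#!/bin/sh
# Added example: locate the VPN certificate on a SafeNet eToken by its PKCS#11
# attributes and connect with openconnect. Not code from the answer above.
# Assumptions: provider library path and openconnect flags come from the answer;
# the hostname, auth group, user and CA file are placeholders.

PROVIDER=/usr/lib/libeToken.so   # from the answer; adjust if your driver lives elsewhere
TOKEN_MODEL=eToken               # the "Model:" line shown by p11tool --list-tokens

# select_cert_url MODEL
#   Reads "p11tool --list-all-certs --only-urls" output on stdin and prints the
#   first certificate URL whose model attribute equals MODEL. Warning lines and
#   URLs of other tokens (e.g. the p11-kit System Trust store) are skipped.
#   Exits 1 when nothing matches, so no guessed URL ever reaches openconnect.
select_cert_url() {
    awk -v model="$1" '
        /^pkcs11:/ && index($0, "model=" model ";") && index($0, "type=cert") {
            print; found = 1; exit
        }
        END { exit found ? 0 : 1 }
    '
}

# check_prereqs: the two requirements named in the answer, verified up front
# so the failure message says what is missing instead of "No matching objects".
check_prereqs() {
    if [ ! -r "$PROVIDER" ]; then
        echo "provider library $PROVIDER not found" >&2
        return 1
    fi
    if command -v systemctl >/dev/null 2>&1 && ! systemctl is-active --quiet pcscd; then
        echo "pcscd is not running: sudo systemctl start pcscd" >&2
        return 1
    fi
}

# connect_vpn: resolve the certificate URL, then run the answer's openconnect command.
connect_vpn() {
    check_prereqs || return 1
    cert_url=$(p11tool --provider="$PROVIDER" --list-all-certs --only-urls \
               | select_cert_url "$TOKEN_MODEL") || {
        echo "no certificate with model=$TOKEN_MODEL found on the token" >&2
        return 1
    }
    echo "using certificate: $cert_url" >&2
    sudo openconnect \
        --authgroup=MY_AUTH_GROUP \
        --protocol=gp \
        MY_VPN_HOSTNAME \
        --cafile certificates.pem \
        -u MY_USERNAME \
        -c "$cert_url"
}

# Usage: ./vpn-etoken.sh connect   (sourcing the file without "connect" only defines the functions)
if [ "${1:-}" = "connect" ]; then
    connect_vpn
fi
```

Matching on model=eToken;...;type=cert rather than on line position means the script keeps working when the System Trust store happens to be listed after the token, and the explicit failure when nothing matches is the check the original question was missing: the "No matching objects found" message in the question is exactly what an unfiltered or wrong URL produces.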

  • For anyone trying to get access to smart cards on WSL2, the "systemctl start pcscd" tip is golden, start on WSL2 with "pcscd". – Bart De Boeck Oct 15 '23 at 11:41