Configuring applications for smart card access

Many applications that require smart card access to sensitive sites or data, including Firefox and Thunderbird, create their own NSS database for the user. To give these applications access to the certificates and certificate revocation lists (CRLs) that the agent uses for logon, enable the group policy “Specify applications to import system NSSDB”, which synchronizes the system NSSDB file on a computer with each application’s NSSDB file.

Each application, such as Firefox, creates a profile file (profiles.ini) that specifies the location for its certificates and CRLs. With the “Specify applications to import system NSSDB” policy, you specify the location of the profile file for an application. A Centrify mapper file parses the profile file to determine the location of the application’s certificates and CRLs and copies certificates and CRLs to this location.

Steps

If the computers you manage use applications such as Firefox that require smart card access to sensitive sites or data, configure NSS database synchronization to ensure that these applications have access to current certificates and certificate revocation lists.

To configure NSS database synchronization

  1. On a Windows computer, open Group Policy Management and select the Group Policy object where you enabled smart card support for Red Hat Linux computers; right-click the Group Policy object, then select Edit.
  2. In the Group Policy Management Editor, expand User Configuration > Policies > Centrify Settings > Linux Settings, click Security, then double-click Specify applications to import system NSSDB.
  3. Select Enabled, then click Add.
  4. In Application, specify the application directory in which to import the system NSS database.

    For each application, enter the location of its profiles.ini file. Specify the entry in relation to the home directory of the user by starting the path with ~/. For example, the following entry specifies the default location of the Firefox profiles.ini file:

    ~/.mozilla/firefox
  5. Click Add to add as many application directories as necessary, then click OK to save the settings.

    Note: User policies are turned off by default on Linux systems but can be turned on with a group policy setting. To ensure that the “Specify applications to import system NSSDB” policy takes effect, verify that the following computer policy is enabled:

  6. Expand Computer Configuration > Centrify Settings > DirectControl Settings, click Group Policy Settings, then double-click Enable user group policy.
  7. Verify that Enabled is selected, and if not, select it, then click OK.
  8. To apply the group policy immediately to any computer, restart the computer or run the adgpupdate command on it.

    Otherwise, all affected computers will be updated automatically at the next group policy update interval. After computers are restarted or receive the policy update, the screen is locked if a smart card is removed.
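To confirm on a Linux computer that each application profile has an NSS certificate database after the policy is applied, the following script resolves the profile directories named in profiles.ini and reports what it finds in each. It is an added example, not Centrify code or the Centrify mapper; it assumes the Firefox profiles.ini layout ([ProfileN] sections with Path= and IsRelative=) and the standard NSS file names cert9.db and cert8.db, and the sample profile names are constructed.

```shell
#!/bin/sh
# Added example, not Centrify code. Assumes the Firefox profiles.ini layout.

# Print the directory of every [ProfileN] section in APP_DIR/profiles.ini.
# Path= is relative to APP_DIR when IsRelative=1, otherwise used as given.
nss_profile_dirs() {
    [ -r "$1/profiles.ini" ] || { echo "cannot read $1/profiles.ini" >&2; return 1; }
    awk -v base="$1" '
        function emit() {
            out = (rel == "1") ? base "/" path : path
            if (inprof && path != "") print out
            path = ""; rel = ""
        }
        { sub(/\r$/, "") }                      # tolerate CRLF files
        /^\[/ { emit(); inprof = ($0 ~ /^\[Profile[0-9]+\]$/); next }
        inprof && /^Path=/       { path = substr($0, 6) }
        inprof && /^IsRelative=/ { rel = substr($0, 12) }
        END { emit() }
    ' "$1/profiles.ini"
}

# For each profile print "<dir><TAB><status>": sql (cert9.db present),
# dbm (only legacy cert8.db) or missing (no NSS certificate database).
nss_db_status() {
    dirs=$(nss_profile_dirs "$1") || return 1
    [ -n "$dirs" ] || return 0
    printf '%s\n' "$dirs" | while IFS= read -r dir; do
        if   [ -f "$dir/cert9.db" ]; then status=sql
        elif [ -f "$dir/cert8.db" ]; then status=dbm
        else status=missing
        fi
        printf '%s\t%s\n' "$dir" "$status"
    done
}

# Constructed sample tree: one profile with a database, one without.
make_sample() {
    d=$(mktemp -d) && mkdir -p "$d/abcd1234.default" "$d/efgh5678.work" &&
    : > "$d/abcd1234.default/cert9.db" &&
    printf '%s\n' '[General]' 'StartWithLastProfile=1' '' \
        '[Profile0]' 'Name=default' 'IsRelative=1' 'Path=abcd1234.default' '' \
        '[Profile1]' 'Name=work' 'IsRelative=1' 'Path=efgh5678.work' \
        > "$d/profiles.ini" && echo "$d"
}

# With no argument, run against the constructed sample.
if [ "$#" -gt 0 ]; then nss_db_status "$1"
else sample=$(make_sample) && nss_db_status "$sample"; rm -rf "$sample"
fi
```

Run it as the affected user with ~/.mozilla/firefox as the argument. For a profile reported as sql, `certutil -L -d sql:<profile directory>` lists the certificates the database holds.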