On Mon, 2016-10-17 at 11:28 -0400, Sean wrote:
Hi,

Can anyone on the list tell me what the minimum version of NetworkManager-openconnect is that is required to support PKCS#11 URLs in a VPN settings config file? We're running EL7 systems (CentOS, Scientific, and some RHEL) with NetworkManager v1.0.6-31 and NetworkManager-openconnect v0.9.8.6, and when attempting to set up usercert and userkey fields with a PKCS#11 SmartCard URL, as produced from p11tool, NetworkManager's GUI throws an unable to open key/certificate file error.

/etc/NetworkManager/system-connections/VPN looks something like:

[connection]
id=VPN
uuid=43297f31-e438-491e-80c0-3127a13ea176
type=vpn
autoconnect=false
permissions=user:<my username>:;
secondaries=

[vpn]
enable_csd_trojan=no
xmlconfig-flags=0
pem_passphrase_fsid=no
gwcert-flags=2
gateway-flags=2
autoconnect-flags=0
lasthost-flags=0
usercert="pkcs11:model=X;manufacturer=Y;serial=Z;id=%00%02;object-type=cert"
userkey="pkcs11:model=X;manufacturer=Y;serial=Z;id=%00%02;object-type=private"
stoken_source=disabled
certsigs-flags=0
cookie-flags=2
gateway=vpn.example.com
authtype=cert
service-type=org.freedesktop.NetworkManager.openconnect

[ipv4]
dns-search=
method=auto

[ipv6]
dns-search=
method=auto

Also, using openconnect alone from the command prompt does successfully connect to the VPN using the same PKCS#11 URLs.

If I need more recent versions of these, does anyone have any ideas on whether doing so is a manageable process on an EL 7 system? ... and by that I'm really asking: is EL7 just too old to support what we're trying to do from the Gnome NetworkManager interface?

Thanks a bunch for reading and any assistance!

Hi Sean,

AFAIK neither NetworkManager nor the nm-openconnect plugin supports specifying PKCS#11 URLs yet.

It's on the todo list, and obviously important.

Thomas