Prepare Ubuntu 18.04 for Desktop Anywhere

This one was a little tricky to get set up. I am happy to say that after you follow this procedure, you will be able to access AFRC Desktop Anywhere from Ubuntu 18.04!

As always, I like to provide transparency. I am a traditional reservist in the Air Force Reserve and I also work for VMware. Anything provided here is from me and only me. Nothing here represents official notification from the USAF or VMware. Follow at your own risk. Your system and setup are most likely not identical to mine. I am using a VMware virtual machine for this guide, but that should not matter.

With that boring stuff out of the way…

Make sure your system is up-to-date.

Download Software and Packages

  • Open Terminal and type in the following:
sudo apt install opensc opensc-pkcs11 pcsc-tools

Install the DoD Certificates into Firefox Certificate Manager

Open Firefox and select the three lines at the top-right of the window, then click on Preferences. In the Find in Preferences search box, type in Certificates. Click on the View Certificates… button.

In Certificate Manager, make sure you are on the Authorities tab and click the Import… button.

Navigate to where you downloaded and extracted the DoD certificates from earlier. Select the Certificates_PKCS7_v5.6_DoD.der.p7b file. Check the two boxes to trust the certificate. You will need to do this for each certificate you need to use. I recommend starting with DoD Root CA 2, DoD Root CA 3, DoD Root CA 4, and DoD Root CA 5. The certificates will be added under the U.S. Government heading.

Add DoD Certificates to the Ubuntu Certificate Trust

While you are here, be sure to choose the DoD Root CA 3 certificate, and then press the Export… button. Make sure the X.509 Certificate (PEM) is selected at the bottom of the window. Also do this for the DOD SW CA-53 certificate necessary for Desktop Anywhere. When you are done exporting the certificates, you can close the Certificate Manager window.

Open Terminal and copy the two files to /usr/share/ca-certificates. Use the following image if you are unsure how to accomplish this.

Now we want to reconfigure the certificate store by typing in sudo dpkg-reconfigure ca-certificates. This will open the ca-certificates configuration window. Choose Ask, then press tab to select <OK>.

Press the Space bar on each of the top two DoD certificates, then press tab to select <OK>.

When you select <OK>, the Terminal will display the operation of adding the chosen certificates to the certificate store. Make sure the number of certificates added matches the number you selected. In this case, there should be two.
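The copy step and the final count check, as an added shell example that is not part of the original post. The file names DoD_Root_CA_3.crt and DOD_SW_CA-53.crt are hypothetical names for the two exported PEM files, and the directory and config paths are arguments so the functions can be tried against scratch copies first. It assumes that ca-certificates only offers files ending in .crt and that a leading ! in /etc/ca-certificates.conf marks a deselected entry.

```shell
#!/bin/sh
# Added example, not from the original post. File names are hypothetical.

# stage_ca_cert SRC DESTDIR
# Copy one exported PEM certificate into DESTDIR (on a real system
# /usr/share/ca-certificates, as root) under a .crt name, mode 0644.
# Prints the name that ca-certificates will list for it.
stage_ca_cert() {
    src=$1; destdir=$2
    # Structural check only: a PEM export starts with this marker,
    # a DER export does not. It does not validate the certificate.
    if ! head -n 1 "$src" | grep -q '^-----BEGIN CERTIFICATE-----'; then
        echo "not a PEM certificate: $src" >&2
        return 1
    fi
    name=$(basename "$src")
    name="${name%.*}.crt"    # ca-certificates only offers *.crt files
    cp "$src" "$destdir/$name" && chmod 644 "$destdir/$name" || return 1
    echo "$name"
}

# ca_cert_enabled CONF NAME
# Succeed only if NAME appears in CONF (/etc/ca-certificates.conf) as an
# exact line. A deselected entry is written as "!NAME" and does not match.
ca_cert_enabled() {
    grep -Fxq -- "$2" "$1"
}

# count_enabled CONF NAME...
# Print how many of the given names are enabled; the page expects two.
count_enabled() {
    conf=$1; shift
    n=0
    for name in "$@"; do
        if ca_cert_enabled "$conf" "$name"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Usage after "sudo dpkg-reconfigure ca-certificates":
#   count_enabled /etc/ca-certificates.conf DoD_Root_CA_3.crt DOD_SW_CA-53.crt
```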

Verify the Smart Card Reader is Accessible to the System

On the Terminal, type pcsc_scan. For the purposes of demonstration in this guide, I am going to post an image from before I connected my Smart Card reader so you can see the difference.

And then, here is an image after I connected my Smart Card reader.

Installing VMware Horizon Client for Linux

On the Terminal, navigate to your downloaded file. Add the execution bit to the bundle by typing sudo chmod u+x <filename>. See the image below for a visual.

Type sudo ./VMware-Horizon and press tab. The rest of the filename should have auto-completed. Press Enter to continue to installation. Read and accept the EULA.

Customize the installation as needed. I am going to accept the defaults.

Verify all the product install files are ready, and click the Install button.

Check the box to Register and start…, and click the Scan button.

I had a few failed results, but this should not affect my use at this time.

Go ahead and close the installer.

Configure the Smart Card Module to be Accessible for Horizon Client

Ref: https://docs.vmware.com/en/VMware-Horizon-Client-for-Linux/5.4/horizon-client-linux-installation/GUID-6CB5F6EE-E7DC-4BF7-8E2A-4542E4A78182.html

On the Terminal, create the directory /usr/lib/vmware/view/pkcs11.

Now we are going to create a symbolic link to the OpenSC module. The VMware article helps with the syntax, but points to the incorrect location of the module. As long as you have been following along up to this point, you should not have any errors.

sudo ln -s /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so /usr/lib/vmware/view/pkcs11/libopenscpkcs11.so

Follow the image below for the syntax.
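The directory and symbolic link steps above, as an added shell example that is not from the original post or from VMware's documentation. It refuses to create a dangling link if the OpenSC module is not at the expected path, then audits the result. Treating any extra entry or a group/world-writable directory as a failure is this example's own policy, chosen because the client log reports how many modules it loaded from this directory.

```shell
#!/bin/sh
# Added example, not from the original post or VMware's documentation.

# link_opensc_module MODULE DIR
# Create DIR and link MODULE into it as libopenscpkcs11.so. Refuses to
# create a dangling link when MODULE is not where it was expected.
link_opensc_module() {
    module=$1; dir=$2
    if [ ! -f "$module" ]; then
        echo "module not found: $module" >&2
        return 1
    fi
    mkdir -p "$dir" && chmod 755 "$dir" || return 1
    ln -sfn "$module" "$dir/libopenscpkcs11.so"
}

# audit_pkcs11_dir MODULE DIR
# Succeed only if DIR is not writable by group or others and holds
# exactly one entry, a link that resolves to the existing MODULE.
audit_pkcs11_dir() {
    module=$1; dir=$2
    mode=$(ls -ld "$dir") || return 1
    case $mode in
        ?????w*|????????w*)
            echo "writable by group or others: $dir" >&2
            return 1 ;;
    esac
    entries=$(ls -A "$dir" | wc -l)
    if [ "$entries" -ne 1 ]; then
        echo "expected 1 entry in $dir, found $entries" >&2
        return 1
    fi
    # -f follows the link, so a dangling link fails here.
    [ -f "$dir/libopenscpkcs11.so" ] || return 1
    actual=$(readlink -f "$dir/libopenscpkcs11.so") || return 1
    expected=$(readlink -f "$module") || return 1
    [ "$actual" = "$expected" ]
}

# Usage on the system from this guide (as root):
#   link_opensc_module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so /usr/lib/vmware/view/pkcs11
#   audit_pkcs11_dir   /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so /usr/lib/vmware/view/pkcs11
```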

Verify Horizon Client for Linux can use your Smart Card

Hopefully you ran the steps above to verify that Ubuntu could see and access your Smart Card reader. This step will check the log and verify that it is working for the Horizon Client.

Open up the VMware Horizon Client and wait for it to show up. Then, on the Terminal, type less /tmp/vmware-<username>/<log-file-name>. For instance I typed:

less /tmp/vmware-arombaut/vmware-horizon-client-15386.log

Look through the log until you find Initializing smartcard modules. You should see it Loaded 1 modules from /usr/lib/vmware/view/pkcs11 and see one or more certificates presented to you. The certificates that have populated UPNs are what is going to be presented to you in the Horizon UI. This information is also seen from the line, certsList has 1 certificates.

You can close the log and the Terminal.
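The log check described above, as an added shell example that is not part of the original post. It looks only for the three phrases quoted in this guide; the timestamps and prefixes in the sample log are constructed, so a real log line will look different around those phrases.

```shell
#!/bin/sh
# Added example, not from the original post.

# check_smartcard_log LOG
# Succeed only if LOG shows smart card initialisation, at least one
# loaded PKCS#11 module and at least one certificate in certsList.
check_smartcard_log() {
    log=$1
    if ! grep -q 'Initializing smartcard modules' "$log"; then
        echo "no smart card initialisation found in $log" >&2
        return 1
    fi
    # Take the last occurrence so a later attempt overrides older lines.
    mods=$(sed -n 's/.*Loaded \([0-9][0-9]*\) modules from .*/\1/p' "$log" | tail -n 1)
    certs=$(sed -n 's/.*certsList has \([0-9][0-9]*\) certificates.*/\1/p' "$log" | tail -n 1)
    echo "modules=${mods:-0} certificates=${certs:-0}"
    [ "${mods:-0}" -ge 1 ] && [ "${certs:-0}" -ge 1 ]
}

# write_sample_log FILE
# Constructed sample: only the quoted phrases come from this guide,
# the timestamps and log levels are invented for the example.
write_sample_log() {
    cat > "$1" <<'EOF'
2020-01-01T00:00:00 INFO Initializing smartcard modules
2020-01-01T00:00:00 INFO Loaded 1 modules from /usr/lib/vmware/view/pkcs11
2020-01-01T00:00:01 INFO certsList has 1 certificates
EOF
}

# Usage against a real client log:
#   check_smartcard_log /tmp/vmware-<username>/<log-file-name>
```

A result of modules=0 points back at the symbolic link step, while modules=1 with certificates=0 points at the reader or the card itself.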

This actually completes the setup of VMware Horizon Client for Linux. From here you can add a Server and select the appropriate CAC certificate to authenticate.

Due to customer-sensitive information, I am not able to provide further information beyond this point here. I can help you individually if you need more assistance from here though.

9 responses to “Prepare Ubuntu 18.04 for Desktop Anywhere”

  1. Michael

    You, sir, are a blessing. Where on Earth did you find the bit about linking the smartcard module to the Horizon client?

  2. Jeremy

    Thank you so much!
    I had everything else in place and was getting stuck on the root certs showing up as untrusted. Running Debian and now I understand how certificates are trusted outside of Firefox (at least on Debian derivatives). I am sure this bit of information will come in handy on other projects in the future. Again, you are a lifesaver!

  3. Clint

    OUTSTANDING GOOD SIR!!!! Working in Buntu 20.0.4.1 LTS after following your tutorial. It didn't see my card readers initially (Dell E6430 external and built-in card reader) but after a restart all was well Sir!!!

  4. Mack109

    Thanks Aaron! This worked great on Linux Mint Tessa.

  5. ed

    VMware over Windows is extremely slow. In you guys' experience, how fast is it over Linux (Ubuntu)?

  6. ray

    One thing I would add is ensure you are using a Smartcard Reader that is compatible with the CCID (Chip/Smart Card Interface Devices) and ICCD (Integrated Circuit(s) Card Devices) driver.

    Supported CCID readers/ICCD tokens: https://ccid.apdu.fr/ccid/supported.html

    Here are some Smart Card Readers that were intermittently working in Linux:
    [ray@ThinkPad ~]$ lsusb
    Bus 005 Device 021: ID 0bda:0165 Realtek Semiconductor Corp. Smart Card Reader Interface
    Bus 003 Device 003: ID 058f:9540 Alcor Micro Corp. AU9540 Smartcard Reader

    The Realtek Semiconductor Corp. Smart Card Reader Interface (0bda:0165) is actually a Stanley Global SGT111 Smart Card Reader.
    The Alcor Micro Corp. AU9540 Smartcard Reader (058f:9540) is a smart card reader that I added when I bought my Lenovo ThinkPad T14 (not knowing that it had compatibility issues with Linux).

    After running pcsc_scan, I could see both of the above card readers fluctuate between:
    Card state: Card removed AND Card state: Card inserted. This would cause my VMware Horizon Client to randomly disconnect from Desktop Anywhere (very annoying).

    Here are the Smart Card Readers that I ended up buying on Amazon and eBay because they are fully supported by the CCID driver:

    SCM Microsystems Inc. SCR 3310 USB Smart Card Reader: https://ccid.apdu.fr/ccid/supported.html#0x04E60x5116
    CHERRY SmartTerminal ST-1144: https://ccid.apdu.fr/ccid/supported.html#0x046A0x002D
    (Features: “One-hand operation” possible due to heavy weight and stable base.)

    [ray@ThinkPad ~]$ lsusb
    Bus 005 Device 020: ID 04e6:5116 SCM Microsystems, Inc. SCR331-LC1 / SCR3310 SmartCard Reader
    Bus 005 Device 022: ID 046a:002d Cherry GmbH SmartTerminal XX44

    I haven’t had any issues using the above supported Card Readers. I use the CHERRY SmartTerminal ST-1144 when I’m at my desk, and the Identiv SCR3310v2.0 USB Smart Card Reader when I have to travel for work.

  7. Stephen

    Great guide Aaron! I’m just getting stuck on the last part when trying to actually use the smart card. I’ve created the symbolic link for opensc-pkcs11.so, but then when I try to launch VMware, my smart card reader flashes a few times like it’s reading, but then it stops flashing and the VMware client never opens. When I remove the symbolic link, VMware does open fine – but obviously without the smart card capabilities. I’ve done a pcsc_scan in the terminal also, and it does appear Linux is seeing the card. Any ideas why VMware crashes on startup? Thanks.

  8. Eric

    Went to run the installer and no luck, T&C wouldn’t display, only a red exclamation point

  9. Kendall

    Aaron,
    Thanks for this. It works in Ubuntu 22.04.3 LTS, although, on my Dell Latitude 5480 with NVIDIA Corporation GM108M [GeForce 930MX] / Mesa Intel® HD Graphics 520 (SKL GT2), and the X11 windowing system — I guess the laptop screen is the Intel driver, and the NVIDIA is the external HDMI conx, but I get this window output of fuzzed black and white pixels, like old-school TV with no reception, after authenticating to the desktop anywhere server, on the laptop screen – I don’t have an external monitor to test the HDMI, but this is my travel laptop, so wouldn’t have that anyway.

    I know this set-up works – I have the same build on my other laptop, Dell Inspiron 5559, 2014 Model, and the desktop anywhere works.
