Mailing Lists: Apple Mailing Lists


Re: [Fed-Talk] GEMPLUS 64K CAC with Firefox? (UNCLASSIFIED)



On Mar 29, 2007, at 5:12 PM, Timothy J. Miller wrote:
Yokel-Contractor, Grant wrote:
I have been testing CAC authentication with OWA on my MacBook Pro (10.4.9) for the past couple of months now and have proven successful except with one card... You guessed it, the GEMPLUS 64k CAC. All other cards I've tested (Oberthur, Axalto, Schlumberger) have worked flawlessly. The GEMPLUS is recognized in Keychain Access, displays the certs, and will unlock if directed to do so. However, when I pull up Firefox with DOD Configuration 0.6.1 and go into the Certificate Manager, the certs won't pull up. If you put in any other CAC, you're immediately prompted for your PIN upon clicking the "view certificates" tab, and the certs will display, thus you know you will be prompted for a choice of what cert to use when you attempt OWA. When you attempt with a GEMPLUS on OWA, it immediately brings you to a 401 error. I'm using a SCR331 flashed with 5.22 firmware. I've also tried with Safari, Camino, and BonEcho. The first time I attempted to use a GEMPLUS with Firefox I actually rendered the browser to a non-operational state, and was forced to troubleshoot and eventually re-install. Has anyone seen any success with a GEMPLUS 64K?

I have a GEMPLUS 64K card with no problems. Try this:

Put your card in the reader.
Open Terminal.
Run "sudo pcsctool"
Enter your password when prompted.
Select "commonAccessCard.bundle" from the list.

Then try FF again.

-- Tim

Grant & Fed-Talk,

Tim's comment/instructions above are spot on, but I wanted to remind folks why this is the case, so that they better understand the cause.


*** Thanks to Tim Miller, by the way, for frequently providing you all with good follow up explanations.



Mac OS X 10.4.x
=============
First, note that in Mac OS X 10.4.x and any Applications leveraging the built-in Smart Card Services there is no issue with what physical card is used or even the capacity (i.e. 32K v. 64K or even if it is Oberthur, Axalto, Schlumberger, etc). The key component is whether the card "interface" is supported via any included "Tokend" on the system. DoD customers do not even need to care, since the CAC/GSC-IS compliant applet-based cards are already supported by the "CAC.Tokend" shipped with Mac OS X 10.4.x. Any card supported by a "Tokend" will appear in the Keychain list within "Keychain Access".


PKCS#11
========
Prior to Mac OS X 10.4.x, initial Smart Card Services were provided via a typical PKCS#11 library. The PKCS#11 libraries still exist, but that architecture proved to be insufficient for what Apple needed. One specific drawback of the PKCS#11 approach which is highlighted in Grant's problem here is that PKCS#11 differentiates between cards via the ATR values. Since several folks (such as Grant) are now receiving Smart Cards with ATR values that were not available back when the PKCS#11 support was last modified (i.e. Mac OS X 10.3.9), there is a need to have the ATR value added to the ATR list in the appropriate bundle -- this correctly directs the PKCS#11 environment to know which bundle to use to handle the inserted card.


Tim's short list of instructions is actually walking you through the insertion of the ATR value from the currently inserted card into the ATR list for the corresponding CAC bundle for any PKCS#11 based application -- which, of course, includes Netscape/Mozilla/Firefox/Thunderbird/... among others.

There is NO integration between PKCS#11 and Tokend (and hence the integrated PKI/Cryptography) on Mac OS X. This is exactly why you are forced to "manually manage" the Certs / Trust within the PKCS#11 applications like FireFox.


As to the flashing of firmware on the readers, the SCM SCR 331 (which is also rebranded under several other vendor names / monikers such as ActivCard and CRYPTOCard) has been seen amongst the DoD Community with a wide array of firmware versions that are unsupported by and in many cases incompatible with the standards-based CCID Class driver provided in Mac OS X 10.4.x. This is precisely why I have suggested folks flash their reader to the recent CCID Compliant firmware from SCM. Otherwise, unexplained and unpredictable problems can and will ensue.




DoD Intermediate and Root CA Certificates
=================================
As of the 10.4.9 update, the third DoD Root CA is now also added, as well as all of the remaining 18 Intermediates. So, install OS Updates all the way to 10.4.9 and you will have all the certificates now.



X509Anchors:

   * DoD Class 3 Root CA
   * DoD PKI Med Root CA
   * DoD Root CA 2                    ** NEW **

X509Certificates: (you just enable this by adding the existing keychain to your keychain list)

   * DOD CLASS 3 CA-XX                (where X is '1' thru '10')
   * DOD CLASS 3 EMAIL CA-XX          (where X is '1' thru '10')

   * DOD EMAIL CA-XX                  (where X is '11' thru '18')    ** NEW **
   * DOD CA-XX                        (where X is '11' thru '18')    ** NEW **


Additional Info:

Periodically, I also forward my standard email response to folks looking for additional information related to Smart Card Support on Mac OS X. That message follows....

=================================
Folks,

Within the last few months, all of you have contacted me directly or made requests via the Apple Federal website email address for help on identifying Smart Card Readers, help in addressing some issues you were facing or just plain help to get Smart Card Services working with your US Federal Smart Card (CAC / GSCIS). I have tried to cover the content that everyone asked about in their email messages. If for some reason I have still not addressed your question, please follow up and indicate what remaining item still eludes you.

As we work with and through each and every one of you to help drive each agency's improvements in supporting Smart Cards on Mac OS X and the platform in general, we want to help you get relevant information to get things working in time for your deadlines.

As I have stated several times on the Fed-Talk Mailing list, I am working to complete the updated Smart Card Administration and User Guide for Mac OS X 10.4. It is not yet complete, but is targeted for completion in about a month - or so.

----

In addition to this message content, all of you should take advantage of the helpful exchange with your Federal colleagues (Staff/ Contractors/Integrators/...) on the "Fed-Talk" mailing list. This forum was created for open discussion of all things relevant to Mac OS X systems in use within the Federal Government. There are people from around the world and all areas of support staff, users and administrators. If you are not already subscribed, please do so at your earliest opportunity:

    To subscribe or unsubscribe via the World Wide Web, visit    http://lists.apple.com/mailman/listinfo/fed-talk

    or, via email, send a message with subject or body 'help' to    email@hidden

    You can reach the person managing the list at    email@hidden

----

Apple also maintains an Enterprise website which is the portal into the Federal content with lots of valuable information. Utilize this website for access to Communication, Customer Profiles, Technology highlights, support/community links, etc. from Apple Enterprise division (which includes the Federal Division).

    Apple Enterprise Portal:    http://www.apple.com/itpro/

Apple Federal Website: http://www.apple.com/itpro/federal/ -or- http://www.apple.com/federal/ (will be redirected)


Feedback or Questions to Apple Federal Team, send an email to: email@hidden

----

Now back to the intent of this message.....

This message will attempt to provide some snippet guidance for all of you relevant to the similar requests and comments you made in your messages. It may be that much of this message goes beyond what you may personally need, but it will be relevant to many others on this message.

----

Previous Mac OS X 10.3 Support:
Smart Card Support on Mac OS X 10.3 was the foundation of Smart Cards on Mac OS X 10.4. That said, there is a significant amount of difference in both the architecture and what you needed to do to take full advantage of your Smart Card within that environment. One key and significant difference is that Mac OS 10.3.x "ONLY" supported access to Smart Cards through the typical PKCS#11 interface. It is the most common interface access to Smart Cards; however, it lacks the overall OS integration Apple users demand. For a full User Guide (105 pages) I developed and released last year for Mac OS X 10.3.x, please grab it from my personal iDisk and follow the instructions documented.


    (1) Access via the Finder's "Go" menu by selecting:
            Go ---> iDisk ---> Other User's Public Folder...

            Enter Member Name:  geddis

            Path:  SmartCards / Admin_Guides / 10.3.x / SmartCardAdmin_v1.0.pdf

    (2) Access via WebDAV at the following URL:

            <http://homepage.mac.com/geddis/.Public/SmartCards/Admin_Guides/10.3.x/SmartCardAdmin_v1.0.pdf>


----

Smart Card Services on Mac OS X 10.4:
Hopefully, you all have by now officially migrated over to Mac OS X 10.4, so that you can take advantage of all of the advanced Smart Card Services built-in to the OS. That said, there is no need to purchase or install any additional Smart Card middleware to access and use your Smart Card issued according to one of the US Federal Government Smart Card specifications (CAC & GSCIS). The newly formalized PIV spec has been published and when official cards are issued according to this spec, Apple will continue its commitment to supporting the US Federal Government Smart Card support Out-Of-The-Box. In fact, Apple Computer is still the ONLY OS Vendor providing this support "Out-of-the-box" whereas other platforms require you to purchase, install and configure Smart Card support. Many of you know and understand that complex systems, like the integration of various 2-factor authentication solutions such as Smart Cards across the whole OS, require a significant amount of work and include several different and sometimes interrelated components.


The following should prove to help you understand some of those components and how it might help or hinder your use and/or deployment of Smart Cards on Mac OS X 10.4. Apple's built-in Smart Card Services is quite extensive and extensible and removes the requirement to purchase & install middleware just to access and use Smart Cards that conform to supported standards. Additional Smart Card "type" cards issued by Smart Card Management vendors are/can be supported when you install the required OS X compatible "tokend" component from that vendor.

If you are using supported hardware and you have everything configured properly, all you would need to do is insert your Smart Card and the identification and contents (three certificates & three private keys) will be published and available for viewing in the Keychain Access Application.

I did present Smart Cards on Mac OS X 10.4 at the last DoD PKE Forum in Atlanta, GA and I have posted it on the web for your retrieval. This is in PDF format for you to grab and view as you wish. Due to the distribution restrictions on Apple Presentations, you will be unable to Print or Edit/Copy any contents of the PDF.

    Presentation:  Smart Cards on Mac OS X 10.4
    Given:         DoD PKE Forum
                   November 8, 2005
                   Atlanta, GA

Retrieve several Presentations (PDF) from the following paths:

    <http://homepage.mac.com/geddis/.Public/SmartCards/Presos/10.4.x/2006.02.18-SmartCards_on_MacOSX.pdf>
    <http://homepage.mac.com/geddis/.Public/SmartCards/Presos/10.4.x/2006.06.07-PIV_Without_Middleware.pdf>
    <http://homepage.mac.com/geddis/.Public/SmartCards/Presos/10.4.x/2006.08.11-Smart%20Cards%20and%20Other%20Two-Factor%20Authentication%20Solutions.pdf>




Functions supported by the built-in Smart Card Services:

* Cryptographic Login
  -- Accounts: Local and Network based Accounts -- NetInfo, LDAP, AD, NIS, ...
  -- Methods: (a) Attributes from email signing Cert (i.e. NT Principal Name, RFC822 Name, Common Name, ...)
              (b) pubkeyhash -- more secure method utilizing the validation of the associated Public Key Hash

* Signed and Encrypted Email (S/MIME)
  -- OS Security Based: Apple Mail, Entourage 2004 (suggested v11.2.3) & any others leveraging built-in Services
  -- PKCS#11 Based: Netscape, Mozilla, Firefox, ...

* Secure Web Access (HTTPS)
  -- X.509 based Client-side Authentication
  -- X.509 based Server-side Authentication
  -- Application(s): Safari & any browser leveraging built-in Certificate Services

* Remote (VPN) Access
  -- X.509 based User Authentication
  -- Application(s): Internet Connect (User-Auth: L2TP, PPTP, 802.1X/TLS)

* Screen Saver Unlock
  -- X.509 based User Authentication
  -- System Preferences --> Security must have the following checked:
     "Require password to wake this computer from sleep or screen saver"

* System Administration
  -- X.509 based User Authentication
  -- System Preferences: all security protected System Preferences

* OCSP & CRL Certificate Validation/Revocation Services
  -- Standard CRL (Certificate Revocation List) Client-side Services
  -- OCSP (Online Certificate Status Protocol) Client-side Services

  Server-side OCSP Validators can be obtained from both vendors:

      CoreStreet  - http://www.corestreet.com/
      Tumbleweed  - http://www.tumbleweed.com/


** Note:

Third-Party Applications
Currently, Thin Clients like "Citrix ICA" or MS "Remote Desktop Connector" do not utilize Smart Card Services on Mac OS X 10.4 and therefore will not work with your US Federal Smart Card.

    Citrix ICA                  - does not currently support Smart Card use on Mac OS X 10.4
    MS Remote Desktop Connector - does not currently support Smart Card use on Mac OS X 10.4



Federal Website Access
Any standards compliant PKI-based Federal website should work with no problems, unless you attempt to use a site that implements a non-standard or proprietary solution. One such website that many folks have had trouble with is the Defense Travel System - DTS. It currently implements a proprietary implementation that relies exclusively on ActiveX, Windows and IE 6 or higher.

    http://www.defensetravel.osd.mil/

This locks all other platforms out from accessing this site. It is in everyone's interest to vocalize the challenges to your ability to access this site and the non-standard way it has been implemented. There are other Federal websites that have taken the same approach and unless the implementors hear from the masses, things will unfortunately probably not change. Please speak up.





Smart Card Readers Supported:
There are far too many readers that work on Mac OS X 10.4 to list here, but I will begin with those supported "out-of-the-box" and list a few others frequently in use. Keep in mind that there are many readers that are sold under other names / manufacturers, but are actually based on a known and supported "mechanism" -- the hardware/firmware used within the reader.

Smart Card Reader Drivers are located at: /usr/libexec/SmartCardServices/drivers/

Built-in Readers and corresponding Drivers:

USB Based Readers
* CCID (USB) Compliant Readers - Several readers are noted as CCID Compliant
    CCIDClassDriver.bundle - Apple provided and maintained driver

* Athena IIIe USB Readers - IIIe USB Smart Card Readers
    ifd-ASEIIIeUSB.bundle - Apple ships within OS - Athena maintained

PC Card Based Readers
* CRYPTOCard PC Card Reader - CRYPTOCard has two Readers ("P-1" & "CardMan 4040")
    CC-PC-Card.bundle - Apple ships within OS - CRYPTOCard maintained

* SCM Microsystems SCR24X Series - SCM Microsystems PC Card Readers (241 & 243) - OEM'd as well
    SCR24XHndlr.bundle - Apple ships within OS - SCM Microsystems maintained

* OMNIKey CardMan Readers - OMNIKey PC Card Reader - CardMan 4040 - OEM'd as well
    ifdok_cm4040_macos-2.0.0.bundle - Apple ships within OS - OMNIKey maintained

** NOTE: Previous to Mac OS X 10.4.6, there were issues preventing the automatic recognition of PC Card based Smart Card Readers. Two changes were required to utilize these readers even though the drivers were shipped within the OS. Those changes included modifications to securityd.plist and moving aside the CCIDClassDriver to avoid conflicts. Mac OS X 10.4.6 has FIXED these previous issues, so all three of the mentioned PC Card Readers (and readers based on those mechanisms) will work with no modifications required.



Some Additional Smart Card Readers and corresponding Drivers known to work
-- This is not an exhaustive List !!!

USB Based Readers -
(Those updated to be CCID Compliant will then work with built-in CCID Class Driver)

* ActivCard http://www.actividentity.com/ (Changed Company Name)
    ActivCard USB v2 - MUST FLASH reader with SCM CCID-Compliant firmware update - see below
    ActivCard USB v3 - CCID Compliant!
* Athena http://www.athena-scs.com/
    ASEDrive IIIe - CCID Compliant!
* Axalto http://www.axalto.com/ (merged with GemPlus)
    Reflex USB v3 - CCID Compliant!
* Cherry Corp http://www.cherrycorp.com/
    ST-1000U - Compatible with OMNIKey CardMan 2020 - requires driver
    ST-1044U - CCID Compliant!
* CRYPTOCard http://www.cryptocard.com/
    CRYPTOCard USB - MUST FLASH reader with SCM CCID-Compliant firmware update - see below
* GemPlus http://www.gemplus.com/ (merged with Axalto)
    GemPlus PCTwin - CCID Compliant!
    GemPlus USB-SL - CCID Compliant!
    GemPC 43X - GemPC 430, 433, 435 - Requires installation of supported driver
* OMNIKey http://www.omnikey.com/
    CardMan 2020 - Requires installation of supported driver
    CardMan 3021 - CCID Compliant!
    CardMan 3121 - CCID Compliant!
    CardMan 5125 - CCID Compliant! (Contact Reader support only)
* Schlumberger http://www.schlumberger.com/
    Reflex USB v2 - Requires installation of supported driver
    Reflex USB v3 - CCID Compliant!
* SCM Microsystems http://www.scmmicro.com/
    SCR 331 / SCR 531 - MUST FLASH reader with SCM CCID-Compliant firmware update - see below
    SCR 335 - CCID Compliant!
    SCR 3310 - CCID Compliant!
    SCR 3311 - CCID Compliant!



USB-Dongle Based Readers

* Aladdin http://www.aladdin.com/
    eToken Pro - Requires Aladdin Software and REQUIRES PKCS#11 applications at this time.
* GemPlus http://www.gemplus.com
    GemPlus PCKey - CCID Compliant!
* OMNIKey http://www.omnikey.com/
    CardMan 6121 - CCID Compliant!

USB Keyboard-based Readers

* CherryCorp http://www.cherrycorp.com/
    SmartBoard G83-6702 - Smart card keyboard (USB) compatible with OMNIKey CardMan 2020
    - Requires installation of OMNIKey CardMan 2020 driver



Firmware Update for SCM SCR 331 "Mechanism" based Readers: (Requires using Windows)

    SCM Microsystems    ftp://ftp.scmmicrosystems.com/

    The Firmware Update Tool/Firmware
        ftp://ftp.scmmicrosystems.com/security/Firmware/SCRx31CCID_FW_V5.18.zip



Smart Cards Supported:
As previously noted, Apple still is the only OS Vendor providing out-of-the-box support for the US Federal Smart Cards (CAC / GSCIS) with PIV support coming with the final release of the PIV specification from NIST. Once official PIV Cards / Test Cards begin to be issued, Apple will be able to complete the PIV support within the OS. Smart Cards being issued right now are either CAC or GSCIS compliant and will work.


Some have questioned whether their newly issued 64K cards would be supported and work with Mac OS X 10.4. The answer is YES! The issue that some were finding was with the use of the legacy utility "Common Access Card Viewer" which previously had issues with buffer sizes in handling the newer cards. That has also been addressed and should not be the case when running the most current version of Mac OS X 10.4.x. The Viewer Utility is located on your Installation DVD at the path --> /System/Installation/Packages/CommonAccessCard.pkg

In addition to the US Federal Smart Cards, Mac OS X 10.4.x has out-of-the-box support for the Smart Cards that conform to the Belgian National ID (BELPIC) as well as the Japanese PKI (JPKI) specifications.

* CAC / GSCIS - US Federal Government issued Smart Cards
* BELPIC - Belgian National ID
* JPKI - Japanese PKI



System Modifications Required:
The following system modifications are required to enable the use of your US Federal Smart Card (CAC/GSCIS). I have provided these directions


* Enable Additional Keychain - Enable the pre-populated X509Certificates Keychain - Federal Intermediate Certs
* Enable CRL / OCSP - Enable CRL & OCSP in Keychain Access Preferences.
* Enable Smart Card Login - Modify /etc/authorization file
* Directory Services - Choose one of the supported methods and configure appropriately:
    * Config to use "NT Principal Name" from email Signing Cert (Typical Federal use)
    * Bind a pubkeyhash from the Smart Card to Acct in the Directory Service of Choice


All of the login/DS modifications are documented along with a helpful diffs file for the authorization modification and a pre-configured cacloginconfig.plist in the "TigerSmartcardSetup.zip" file located on my iDisk as well as included here for those who do not have troubles receiving .zip files.

    Web Access:
        http://homepage.mac.com/geddis/.Public/SmartCards/
    File included here:
        <TigerSmartcardSetup.zip>




** NOTE:
Those needing to use the legacy PKCS#11 approach to access your Smart Card must do the following:
* Run pcsctool in the Terminal to ensure your Smart Card is updated within the token
- select "1" (commonAccessCard.bundle) when prompted.


This will also ensure that some of the newer 64K cards are supported with these apps as well.



Issues with Intel-Based Macs
Smart Card services are fully supported on the new Intel-based Macs (MacBook Pro & iMac), but there are currently some known issues that you should be aware of. These are being addressed, so you should continue to check to see if they have been addressed in subsequent OS updates.


* "sc_auth" - Apple provided shell script for binding a Smart Card to a Directory Service Account using the pubkeyhash method will not currently run on the Intel-based Macs. Since the Federal Government Agencies are typically utilizing the NT Principal Name approach, this is not an issue -- you would be using the .plist config file to configure what is used for user lookup in the corresponding Directory.
    file created and used: /etc/cacloginconfig.plist

* ExpressCard/34 - The new MacBook Pro laptops provide a built-in ExpressCard/34 slot rather than the previously provided PCMCIA / PCCard slot. This means that it is only 34mm wide and the Smart Cards are 54mm wide. Currently, there is no Smart Card vendor providing a solution for the ExpressCard/34 slot. Users with these systems would need to utilize a USB based reader on these systems for now.





Some additional questions you all have raised:

(Q1) How can I publish my certificates to my keychain so that I can use them?

(A1) There is NO need to do anything. Once the Smart Card is recognized, the Keys/Certs will automatically be available to the OS and all services relying on the OS Certificate/Keychain Services.

(Q2) My Certificates indicate that they are signed by an untrusted authority. What do I do ?

(A2) Make sure that you have enabled the pre-populated X509Certificates keychain which has all of the DoD Intermediates up to CA 10. There have been several more CAs as well as a second DoD Trusted Root come out since this, with the corresponding CA Certificates appearing in a future OS update. Until then you need to import the Intermediates into the X509Certificates and the additional Trusted Root into the X509Anchors keychain. This keychain is located at: /System/Library/Keychains/X509Certificates

If you are not part of DoD and your certificates have been issued relatively recently, then you need to import your agency's Trusted Root CA into the X509Anchors and any corresponding Intermediates into the X509Certificates for your certificates to function properly.


(Q3) How can we use CAC for VPN and wireless 802.11 authentication ?

(A3) Apple's included VPN Client "Internet Connect" provides full support for the Smart Cards (as noted earlier). User Authentication can use Certificates from the Smart Card for L2TP, PPTP and 802.1X/TLS.

(Q4) How do I configure Mail.app to digitally sign / encrypt messages ?

(A4) There is no configuration necessary to enable Mail.app to utilize valid certificates with a Smart Card. The key point to note is that as long as the email account (email address) is exactly the same (including case) as the RFC822 Name within the email signing certificate on the Smart Card, Mail.app will automatically display the Sign/Encrypt icons and allow you to digitally sign the message. Ensure that you have the Smart Card inserted in the reader prior to launching Mail.app. When you want to encrypt a message to someone, you need to ensure you have the Public Certificate (for email encryption) that matches exactly (including case) of the email address you are sending to. You can also configure "Directory Access" to pull public certificates from a Certificate Server that is LDAP accessible. Configuring an LDAP server in Address Book will not work in retrieving Certs from a public store.

    email@hidden    does NOT equal    email@hidden



(Q5) Why don't the 10.3.x instructions of using "cac_setup" work?

(A5) Mac OS X 10.4.x is significantly different than 10.3 and no longer utilizes the previously provided scripts for setting up Smart Card Services or card association. Much of the Smart Card Services in Mac OS X 10.4 are automatic and do not require any setup or configuration. The replacement command on Mac OS X 10.4 for associating a Smart Card to an account is "sc_auth". Refer to the DRAFT-SmartCardLogin-Tiger Document for more details prior to the release of the Admin Guide.


(Q6) CAC viewer continuously states, "please insert a common access card"?

(A6) This indicates that your Smart Card is not being recognized, most likely due to the Reader not being recognized.


(Q7) OCSPD appears to stall my system and takes 512+ MB of real RAM when my card is used.


(A7) The PKI system in Mac OS X 10.4 will attempt to resolve/validate all Certificates according to the CRL/OCSP Server address(es) embedded in the certificate. It has become apparent, largely within the Army, that the server defined and embedded in the certificate is not available to the user's system (typically overloaded or across a slower WAN connection), which is causing severe delays or in some cases no response whatsoever from the original server. The amount of "effort" is controlled by the Preference Settings within Keychain Access --> Preferences --> Certificates. The Values for OCSP & CRL are OFF, Best Attempt, Required if Cert Indicates, and Require for All Certs. Best Attempt might indeed be the best practice setting for this, since it will allow the occasional lapse in access to the CRL/OCSP Server(s).


(Q8) I replaced the Certificates on my Smart Card. Why does Keychain Access show my old Certificates ?


(A8) For performance reasons, Mac OS X 10.4 will cache the Public Certificates from the Smart Card - they are public and hence are accessible without PIN protection. When some folks have gotten their Certificates replaced (under rare situations) the system will be reading from the cached entries - since the Smart Card itself has not changed. If you have had to or just for some reason gotten your Certificates replaced on a particular Smart Card, you can do one of the following to effectively force the system to cache the new Public Certs.


(1) Remove caching for All previously seen Smart Cards on this particular host

    $ sudo rm -R /private/var/db/TokenCache/tokens

-OR-

(2) Selectively remove JUST the cached Certificate Information

    $ sudo -s                                   (This will prompt you for your password and give you root privs)
    $ cd /private/var/db/TokenCache/tokens      (This will change the current directory to the token cache)

Now, IF you have only used one Smart Card on your system the next step will be very easy. IF you have used more than your current Smart Card, look on the back of your Smart Card and take note of the number stamped on the card that looks like the following:

    2050-5000-5076-301D-2F63

This number signifies the Card identifier and will be used as part of the Smart Card cache folder.

The token cache folders (directories) have the name constructed as such:

    com.apple.tokend.cac        - dot notation for the tokend identifier
    :                           - "colon" separator
    CAC                         - Name of the tokend which handles this card
    -                           - "dash" separator
    2050-5000-5076-301D-2F63    - 20 digit identifier of the Smart Card

So, the whole directory would look like this:

    com.apple.tokend.cac:CAC-2050-5000-5076-301D-2F63

With the complete path now of:

    /private/var/db/TokenCache/tokens/com.apple.tokend.cac:CAC-2050-5000-5076-301D-2F63

The contents of this directory are:

    drwx------    3 root  user  102 Apr 13 21:17 Cache
    -rw-r--r--    1 root  user   14 Apr 13 21:17 PrintName
    -rw-r--r--    1 root  user    3 Apr 13 21:17 SSID
    drwx------    2 root  user   68 Apr 13 21:17 Work

The "Cache" directory is where the Certificates are stored. It looks like:

    -rw-r--r--    1 root  user 1069 Apr 13 21:17 0-Email Encryption Certificate
    -rw-r--r--    1 root  user 1144 Apr 13 21:17 0-Email Signing Certificate
    -rw-r--r--    1 root  user 1012 Apr 13 21:17 0-Identity Certificate

Now, all you want to do is to remove JUST the cache of certificates:

    $ sudo rm -R /private/var/db/TokenCache/tokens/com.apple.tokend.cac:CAC-2050-5000-5076-301D-2F63/Cache

=================================




- Shawn
___________________________________________
Shawn Geddis
Security Consulting Engineer
Apple Enterprise Division (Public & Private Sector)
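The selective cache removal from (A8) above, as an added shell example that is not part of the original message or of Apple's tooling. It builds the cache directory name from the tokend identifier, tokend name and card identifier exactly as the message describes, and removes only the "Cache" subdirectory, leaving PrintName, SSID and Work alone. The identifier check (five groups of four upper-case hex digits) is an assumption inferred from the one sample value in the message, and the TOKEN_CACHE_BASE variable, which defaults to the real path, is a constructed knob so the script can be exercised against a scratch directory before it is run with root privileges.

```shell
#!/bin/sh
# Added example: clear the cached public certificates for ONE smart card.
# Not code from the original message. Run as root for the real cache path;
# point TOKEN_CACHE_BASE at a scratch directory to rehearse it first.

# Real location from the message; overridable for testing (constructed knob).
TOKEN_CACHE_BASE="${TOKEN_CACHE_BASE:-/private/var/db/TokenCache/tokens}"

# Assumed identifier format, inferred from the sample 2050-5000-5076-301D-2F63:
# five groups of four upper-case hex digits. Returns 0 if valid, 1 otherwise.
valid_card_id() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-F]{4}-){4}[0-9A-F]{4}$'
}

# Cache directory name: <tokend id>:<tokend name>-<card id>, per the message.
cac_cache_dir() {
    printf '%s/com.apple.tokend.cac:CAC-%s\n' "$TOKEN_CACHE_BASE" "$1"
}

# Print the cached certificate file names for a card, one per line.
# Returns 1 if the card has no Cache directory under TOKEN_CACHE_BASE.
list_cached_certs() {
    dir="$(cac_cache_dir "$1")/Cache"
    [ -d "$dir" ] || return 1
    ls "$dir"
}

# Remove JUST the Cache subdirectory for one card (the selective option (2)).
# Returns 2 on a malformed identifier, 1 if no cache exists, 0 on success.
clear_cac_cert_cache() {
    valid_card_id "$1" || { echo "bad card id: $1" >&2; return 2; }
    dir="$(cac_cache_dir "$1")"
    [ -d "$dir" ] || { echo "no token cache for $1 under $TOKEN_CACHE_BASE" >&2; return 1; }
    rm -R "$dir/Cache"
}

# Stand-alone use: sh clear_cac_cache.sh 2050-5000-5076-301D-2F63
if [ "$#" -gt 0 ]; then
    clear_cac_cert_cache "$1"
fi
```

Because the script refuses identifiers that do not match the expected pattern and only ever removes a path ending in "/Cache" beneath the token cache base, a typo in the card number cannot turn into the whole-cache removal of option (1).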



References:
  [Fed-Talk] GEMPLUS 64K CAC with Firefox? (UNCLASSIFIED) (From: "Yokel-Contractor, Grant" <email@hidden>)
  Re: [Fed-Talk] GEMPLUS 64K CAC with Firefox? (UNCLASSIFIED) (From: "Timothy J. Miller" <email@hidden>)


