Mailing Lists: Apple Mailing Lists


Re: [Fed-Talk] [NOTICE] Mac OS X 10.5.5 will still require installation of "Smart Card Services Update"



Shawn,

I'm getting asked for a Username and password to access your iDisk. Please advise.

 
-greg
________________
 Gregory Adair
 Work: (619) 553-4072
 Fax:  (619) 553-4063
 E-mail:  email@hidden




On Sep 11, 2008, at 6:22 AM, Shawn A. Geddis wrote:

Mac OS X 10.5 Smart Card Users,

The planned integration of the Smart Card Services Update into the Mac OS X 10.5.5 update release, unfortunately had to be removed late in the process.  It is indeed unfortunate and an example of why we do not pre-announce fixes/patches coming in software updates.  My intent was to keep you all abreast of the hard work we were doing to not only address the identified Smart Card issues on Mac OS X 10.5.x, but to help IT Staff and individual Users know that the work would be integrated into a future update.  Integration of those updates will take place, but I wanted to be sure that all of you were aware of my premature (and now inaccurate) indication of them coming in 10.5.5.

I have written up a very brief document to highlight the steps IT Staff and Individuals can take to address them and ensure they successfully authenticate to Smart Card protected services using Mac OS X 10.5.4 / 10.5.5.  Since far too many agency servers strip or prevent attachments, I have included the text of that document below for your immediate consumption.

To be absolutely clear, *IF* you....
* Previously installed the Smart Card Services Update v1.1 on an Intel-based Mac with 10.5.4:
  You can upgrade to 10.5.5 with no changes relating to Smart Cards.
* Upgrade your system to 10.5.5 and have not previously installed the Smart Card update:
  You will need to install the Smart Card Services Update v1.2.
* Are running on a PPC-based Mac (G4 / G5) with Mac OS X 10.5.4 / 10.5.5:
  You will need to install the Smart Card Services Update v1.2.

As always, we are interested in your feedback and are working hard to ensure Smart Cards "Just Work" on Mac OS X.  

- Shawn
_____________________________________________________
Shawn Geddis    Security Consulting Engineer    Apple Enterprise



US Federal Smart Cards On Mac OS X 10.5

System Requirements
  Mac OS X 10.5.4 or 10.5.5
  Supported Readers
  Supported Smart Cards

Usage Changes
  Client-side Certificate Authentication & Safari
  Identity Preferences
  Troubleshooting


Mac OS X 10.5.4 or 10.5.5

Mac OS X 10.5.5 was originally to include important updates to properly handle many CCID Readers along with support for the newer Smart Cards being issued within the US Federal Government.  Those Smart Card Services related updates will, unfortunately, not appear in the 10.5.5 update, but will continue to be made available through a separate installer.

The original update for Intel-based systems running Mac OS X 10.5.4 is still available via the following link:

http://idisk.mac.com/geddis-Public/SmartCards/Installers/Smart_Card_Services_Update_v1.1.zip

NOTE: You would need to apply the Smart Card update prior to updating to Mac OS X 10.5.5.

A Universal update (PPC / INTEL) for systems running Mac OS X 10.5.4 or 10.5.5 will be available soon via the following link:

http://idisk.mac.com/geddis-Public/SmartCards/Installers/Smart_Card_Services_Update_v1.2.zip

NOTE:  This Smart Card update will support both PPC & Intel-based systems running Mac OS X 10.5.4 or 10.5.5.

________________________________


Supported Readers

There are a number of CCID readers supported by the Smart Card Services Update.  For an up-to-date list of those readers that are supported (excluding PIN Pad functionality), you can check:

http://pcsclite.alioth.debian.org/ccid.html

Please note that some readers commonly used within the US Federal Government require updated firmware to work as expected.  In particular, OEM derivatives of the SCM SCR 331 product family will require updating if they have a firmware version prior to v5.25:

ActivCard USB v2
CRYPTOCard USB
SCM SCR 331, SCR 531

The Firmware “Flashing” Utility for the Readers noted above requires either Windows or Linux and can be found at:

http://www.scmmicrosystems.com/support/pcs_downloads.php?lang=en


________________________________


Supported Smart Cards


The Smart Card Services Update brings support for the latest US Federal Government Smart Cards (CAC & PIV).  For the “Common Access Card” (CAC), Mac OS X will now support T=1 cards at full speed with many readers. Also, “Personal Identity Verification” (PIV) cards can now be used for authenticated logins. Updates are still being made for full PIV compliance and will be available when complete.


________________________________


Client-side Certificate Authentication & Safari


Mac OS X 10.5.3 brought changes to how Safari handles client-side certificates for authentication. Safari 3 no longer automatically sends the first valid client certificate found; instead, Safari will prompt the user to pick a certificate from all certificates currently available to a user. This includes those stored on smart cards. Please note that Safari will only prompt when a web page requires certificate authentication. For sites that allow certificate authentication as an option, and not required, you will have to create an "identity preference" to map which certificate you'd like to use for a specific URL. The explanation of this change can be found at:  http://support.apple.com/kb/HT1679


________________________________

Identity Preferences

There are a few US Federal Government PKI protected services (Websites, Webmail, Mail Servers, etc.) which now interact differently with the changes to Mac OS X 10.5.3+ and may require the user to create an Identity Preference, a mapping between a specific URL and a  specific certificate, for successful authentication.

This preference is remembered in your keychain as an "identity preference" item, and you will not be prompted again when returning to the same site.

Creating an Identity Preference

  1. Launch Keychain Access (located in /Applications/Utilities/)
  2. "Select" your Smart Card (keychain) (should always appear as the first keychain in the list)
  3. Click on "My Certificates" (this is a "Category" list in the lower left corner)
  4. Hold down the <Control> key and click on the appropriate Certificate (cert for your URL)
  5. Select "New Identity Preference..." (contextual menu to create an Identity Preference)
     5.1. Enter URL for Server (as FQDN) (Fully Qualified Domain Name - "https://Full.Server.Name/")
     5.2. AKO: https://akocac.us.army.mil/ (NOTE: Must include trailing "/")
     5.3. NMCI Webmail: https://webmail.nmci.navy.mil/Exchange/ (NOTE: Must include "Exchange/")

Most authentication would "typically" succeed with just using the FQDN as used in 5.1 above, but there are servers (i.e. NMCI Webmail) that currently require the full URL to the service be entered in the Identity Preference.

Also, some Web Sites/Services may contain content references which require authentication to multiple servers which would require multiple Identity Preferences be created.  This is until a domain-based or wild-card style Identity Preference is supported.


________________________________

Troubleshooting

To provide you and Apple with the ability to troubleshoot why you may still be failing to authenticate to a given server, you can enable a debug flag for Identity matching which, when enabled, will log identity preference information to the System log (/var/log/system.log).  Launch and use the Terminal application for the following commands.


Enable Identity Preference Debug Mode in 10.5.4 and beyond: 

defaults write com.apple.security LogIdentityPreferenceLookup -boolean true

You will want to disable this additional logging when you have everything working.  To disable, perform the following:

defaults write com.apple.security LogIdentityPreferenceLookup -boolean false

To read the current value of this debug key, perform the following:

defaults read com.apple.security LogIdentityPreferenceLookup

You will see output at the end similar to the following, where "0" is false (off) and "1" is true (on):

LogIdentityPreferenceLookup = 0;

When enabled, each identity preference lookup is written as in the following example:

Jul  1 18:12:51 /Applications/Safari.app/Contents/MacOS/Safari[386]: preferred identity: "<User Identity" found for "<https://Full.Server.Name/>"

These messages can help end users correct the host name they entered in the manually configured Identity Preference.  If you are still failing, provide these log messages along with your card reader information (from System Profiler).  It is also valuable, in some cases, to know the specific card you are using and the name is noted on the top back of the card.  Another quick way to capture card info is to launch Terminal and execute the following command while you have your reader attached and card inserted:

pcsctest

Select the number (typically "1") which corresponds to the reader you have attached.
Capture the output from this command and include it in your correspondence with Apple.
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/fed-talk/email@hidden

This email sent to email@hidden
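As an added example (not part of Shawn's post or any Apple tool), the following Python script works through the troubleshooting steps above: it reads the `defaults read` output, parses the `preferred identity ... found for` lines that LogIdentityPreferenceLookup writes to system.log, checks an Identity Preference URL against the rules given in the post (https, FQDN, trailing "/"), and reports whether the URL a user configured is the one Safari actually looked up. The log lines are constructed samples in the format shown above.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of /var/log/system.log lines (not from the original post) in the
# format shown when LogIdentityPreferenceLookup is enabled; one line is unrelated noise.
SAMPLE_LOG = """\
Jul  1 18:12:51 /Applications/Safari.app/Contents/MacOS/Safari[386]: preferred identity: "<User Identity" found for "<https://Full.Server.Name/>"
Jul  1 18:12:53 /Applications/Safari.app/Contents/MacOS/Safari[386]: preferred identity: "<User Identity" found for "<https://webmail.nmci.navy.mil/Exchange/>"
Jul  1 18:13:02 /Applications/Safari.app/Contents/MacOS/Safari[386]: unrelated message
"""

LOOKUP_RE = re.compile(r'preferred identity: "<(?P<identity>[^"]*)" found for "<(?P<url>[^>"]*)>"')


def debug_logging_enabled(defaults_output):
    """Interpret 'defaults read' output: 'LogIdentityPreferenceLookup = 1;' means logging is on."""
    m = re.search(r"LogIdentityPreferenceLookup\s*=\s*(\d+);", defaults_output)
    return m is not None and m.group(1) == "1"


def parse_lookups(log_text):
    """Return (identity, url) for every identity-preference lookup line in the log."""
    found = []
    for line in log_text.splitlines():
        m = LOOKUP_RE.search(line)
        if m:
            found.append((m.group("identity"), m.group("url")))
    return found


def check_preference_url(url):
    """Check a URL against the rules the post gives for an Identity Preference entry."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "https":
        problems.append("must start with https://")
    if "." not in parts.netloc:
        problems.append("server must be entered as a fully qualified domain name")
    if not url.endswith("/"):
        problems.append("must include trailing '/'")
    return problems


def compare_with_log(configured_urls, log_text):
    """For each configured preference URL, say whether Safari's logged lookup matched it exactly."""
    looked_up = {url for _, url in parse_lookups(log_text)}
    return {url: url in looked_up for url in configured_urls}


if __name__ == "__main__":
    # A bare-FQDN preference for NMCI Webmail does not match the "/Exchange/" URL Safari looked up.
    print(compare_with_log(["https://webmail.nmci.navy.mil/"], SAMPLE_LOG))
```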
