Re: [Fed-Talk] [Smart Cards] Tiger Login - DRAFT
Re: [Fed-Talk] [Smart Cards] Tiger Login - DRAFT
- Subject: Re: [Fed-Talk] [Smart Cards] Tiger Login - DRAFT
- From: Michael Chute <email@hidden>
- Date: Tue, 24 May 2005 12:15:40 -0400
My CAC is working fine on my 10.4 installs. I have run into one
issue where the X509 Certs were not in the keychain access I just
copied them in to solve that problem. You said the only thing you
tried is the keychain stuff that shawn gave instructions for. I have
not done that alone. I also do the easy modifications to turn on the
cryptographic login (changing the authorization file and such) its
not hard and maybe you need to do this to get full functionality. My
CAC shows up in the keychains window of keychain access as Smart Card
#2. I wonder given the "access restricted" message if this is due to
you not altering the authorization file as explained in the enabling
steps that shawn stated. The only thing I noted is that the path to
the dif file is wrong as written, i just wrote the command up to that
point then dragged the file in to get the correct path and it
worked. In order to see the keychains in keychain access you need to
click the "show keychains button on the bottom left of the keychain
access window. Your CAC should then show up in the keychain panel.
I too have the library keychain which is shared and the X509 anchors
which is not. I think that is the normal set. I am not using a
flashed activ card reader I am using the activcard reader with he
activcard v2 driver. I am having no issues with it.
On May 24, 2005, at 10:57 AM, Michael Kluskens wrote:
I'm having some issues with CAC and 10.4
I've done testing on OS X 10.4.1 on a standard journaled file
system and on a case-sensitive, journaled file system, with no
apparent difference between them.
The only configuration setup I attempted is in Keychain Access and
that configuration step refuses to "stick" on my machine. (I also
tried sc_auth accept but I get "Access Restricted" and I don't know
what that means).
OS X Mail works with encryption, decryption, and signing with no
additional configuration.
Safari responds with "The client certificate has been revoked" when
I visit a local PKI enabled site (it's optional for this site
hopefully that is not the cause of the problem). Mozilla also can
not access that site under 10.4 if the CAC is in.
My CAC card reader is a ActivCard reader that was flashed to work
with 10.3 and I have to assume it is working fine since OS X Mail
is fully operational in CAC functions. sc_hash gives the hashes
for all three keys on the CAC.
On May 9, 2005, at 2:45 PM, Shawn Geddis wrote:
Smart Cards in "Tiger" - 10.4.x
=====================
Smart Cards (CAC, GSCIS, PIV, JPKI, BELPIC, ....) are all
abstracted as keychains
Can the Smart Card keychain be seen in the "Keychain Access"
application and where? On my machine, the sections labeled "keys"
and "My certificates" are empty.
** Address Book
Now also displays the "signing" check symbol just left of email
addresses that the user has corresponding Public Cert in their
keychain. The Cert is NOT stored in the keychain, but represents
a relationship with one in one of the currently active keychains.
This works, but I think there is a wording error here, the Cert is
stored in the keychain, it is NOT stored in the Address Book.
"Common Access Card Viewer" functionality is largely now available
since the Smart Cards appear as dynamic keychains. You can view
the Certificate and Key information as well as change the PIN on
the card by selecting the "Change Password for Keychain ...".
This does not work at all for me, the only keychain I have is my
regular software keychain, I see no evidence of the CAC card in
Keychain Access.
2) The DoD Intermediate CAs are not available to the Keychain List
by default
-- Federal Customers within DoD will need to add the
"X509Certificates" to the list
a) Launch Keychain Access
b) Select "Edit -> Keychain List"
c) Select "Show: Mac OS X (System)"
d) Check "Shared" checkbox next to
"X509Certificates" (/System/Library/Keychains)
e) X509Certificates will now appear in the Keychains
List and will be available for
Intermediates for the whole trust path
validation.
This is what totally fails on my system. First off the check mark
is not there if I immediately or any time afterwards go back into
this menu. Also, I note that I also have System /Library/Keychains
which is shared and X509Anchors /System/Library/Keychains which is
not shared (and not shareable just like X509Certificates). Under
User I also have System /Library/Keychains which is shared.
I created a brand new account and the problems existed there as well.
Michael
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden