Folks,
Within the last few months, all of you have contacted me directly or made requests via the Apple Federal website email address for help on identifying Smart Card Readers, help in addressing some issues you were facing or just plain help to get Smart Card Services working with your US Federal Smart Card (CAC / GSCIS).
I am currently on travel and have very spotty access to internet and no cell coverage, but am well aware that many of you are working under intense deadlines and lack of support from your normal support organizations. As we work with and through each and every one of you to help drive each agency's improvements in supporting Smart Cards on Mac OS X and the platform in general, we want to help you get relevant information to get things working in time for your deadlines.
As I have stated several times on the Fed-Talk Mailing list, I am working to complete the updated Smart Card Administration and User Guide for Mac OS X 10.4. It is not yet complete, but is targeted for completion in about a month. I hope to be able to provide early access to some who will provide additional feedback on the content and approach prior to its final release. If you would like to review the guide and will commit to providing feedback, please send a message to email@hidden with the subject: [Request] Access to SmartCard Guide. This subject line allows the requests to be handled properly; messages without it will not be processed as review requests.
----
In addition to this message content, all of you should take advantage of the helpful exchange with your Federal colleagues (Staff/Contractors/Integrators/...) on the "Fed-Talk" mailing list. This forum was created for open discussion of all things relevant to Mac OS X systems in use within the Federal Government. There are people from around the world and all areas of support staff, users and administrators. If you are not already subscribed, please do so at your earliest opportunity:
or, via email, send a message with subject or body 'help' to email@hidden
----
Apple also maintains an Enterprise website which is the portal into the Federal content with lots of valuable information. Utilize this website for access to Communication, Customer Profiles, Technology highlights, support/community links, etc. from Apple Enterprise division (which includes the Federal Division).
Feedback or Questions to Apple Federal Team, send an email to: email@hidden
----
Now back to the intent of this message.....
This message will attempt to provide some snippets of guidance relevant to the similar requests and comments you made in your messages. Much of this message may go beyond what you personally need, but it will be relevant to many others on this message's distribution.
----
Previous Mac OS X 10.3 Support:
Smart Card Support on Mac OS X 10.3 was the foundation of Smart Cards on Mac OS X 10.4. That said, there is a significant amount of difference in both the architecture and what you needed to do to take full advantage of your Smart Card within that environment. One key and significant difference is that Mac OS 10.3.x "ONLY" supported access to Smart Cards through the typical PKCS#11 interface. It is the most common interface for accessing Smart Cards, however, it lacks the overall OS integration Apple users demand. For the full User Guide (105 pages) that I developed and released last year for Mac OS X 10.3.x, please grab it from my personal iDisk and follow the instructions documented.
(1) Access via the Finder's "Go" menu by selecting:
Go ---> iDisk ---> Other User's Public Folder...
Enter Member Name: geddis
Path: SmartCards / Admin_Guides / 10.3.x / SmartCardAdmin_v1.0.pdf
(2) Access via WebDAV at the following URL:
----
Smart Card Services on Mac OS X 10.4:
Hopefully, you all have by now officially migrated over to Mac OS X 10.4, so that you can take advantage of all of the advanced Smart Card Services built-in to the OS. That said, there is no need to purchase or install any additional Smart Card middleware to access and use your Smart Card issued according to one of the US Federal Government Smart Card specifications (CAC & GSCIS). The newly formalized PIV spec has only recently been published and when official cards are issued according to this spec, Apple will continue its commitment to supporting the US Federal Government Smart Card support Out-Of-The-Box. In fact, Apple Computer is still the ONLY OS Vendor providing this support "Out-of-the-box" whereas other platforms require you to purchase, install and configure Smart Card support. Many of you know and understand that complex systems like the integration of 2-factor authentication solutions such as Smart Cards across the whole OS require a significant amount of work and involve several different and sometimes interrelated components.
The following should prove to help you understand some of those components and how it might help or hinder your use and/or deployment of Smart Cards on Mac OS X 10.4. Apple's built-in Smart Card Services is quite extensive and extensible and removes the requirement to purchase & install middleware just to access and use Smart Cards that conform to supported standards. Additional Smart Card "type" cards issued by Smart Card Management vendors are/can be supported when you install the required OS X compatible "tokend" component from that vendor.
If you are using supported hardware and you have everything configured properly, all you would need to do is insert your Smart Card and the identification and contents (three certificates & three private keys) will be published and available for viewing in the Keychain Access Application.
I did present Smart Cards on Mac OS X 10.4 at the last DoD PKE Forum in Atlanta, GA and I have posted it on the web for your retrieval. This is in PDF format for you to grab and view as you wish. Due to the distribution restrictions on Apple Presentations, you will be unable to Print or Edit/Copy any contents of the PDF.
Presentation: Smart Cards on Mac OS X 10.4
Given: DoD PKE Forum
November 8, 2005
Atlanta, GA
Retrieve the Presentation (PDF) from the following path:
Functions supported by the built-in Smart Card Services:
* Cryptographic Login
-- Accounts: Local and Network based Accounts -- NetInfo, LDAP, AD, NIS, ...
-- Methods: (a) Attributes from email signing Cert -- (i.e. NT Principal Name, RFC822 Name, Common Name,...)
(b) pubkeyhash -- more secure method that uses and validates the associated Public Key Hash
* Signed and Encrypted Email (S/MIME)
-- OS Security Based: Apple Mail, Entourage 2004 (suggested v11.2.3) & any others leveraging built-in Services
-- PKCS#11 Based: Netscape, Mozilla, Firefox, ...
* Secure Web Access (HTTPS )
-- X.509 based Client-side Authentication
-- X.509 based Server-side Authentication
-- Application(s) Safari & any browser leveraging built-in Certificate Services
* Remote (VPN) Access
-- X.509 based User Authentication
-- Application(s) Internet Connect (User-Auth: L2TP, PPTP, 802.1X/TLS)
* Screen Saver Unlock
-- X.509 based User Authentication
-- System Preference --> Security must have the following checked:
"Require password to wake this computer from sleep or screen saver"
* System Administration
-- X.509 based User Authentication
-- System Preferences All security protected System Preferences
* OCSP & CRL Certificate Validation/Revocation Services
-- Standard CRL - Certification Revocation List - Client-side Services
-- OCSP - Online Certificate Status Protocol - Client-side Services
Server-side OCSP Validators can be obtained from both vendors:
** Note:
Third-Party Applications
Currently, Thin Clients like "Citrix ICA" or MS "Remote Desktop Connector" do not utilize Smart Card Services on Mac OS X 10.4 and therefore will not work with your US Federal Smart Card.
Citrix ICA - does not currently support Smart Card use on Mac OS X 10.4
MS Remote Desktop Connector - does not currently support Smart Card use on Mac OS X 10.4
Federal Website Access
Any standards compliant PKI-based Federal website should work with no problems, unless you attempt to use a site that implements a non-standard or proprietary approach. One such website that many folks have had trouble with is the Defense Travel System - DTS. It currently uses a proprietary implementation that relies exclusively on ActiveX, Windows and IE 6 or higher.
This locks all other platforms out from accessing this site. It is in everyone's interest to vocalize the challenges to your ability to access this site and the non-standard way it has been implemented. There are other Federal websites that have taken the same approach and unless the implementors hear from the masses, things will unfortunately probably not change. Please speak up.
Smart Card Readers Supported:
There are far too many readers that work on Mac OS X 10.4 to list here, but I will begin with those supported "out-of-the-box" and list a few others frequently in use. Keep in mind that there are many readers that are sold under other names / manufacturers, but are actually based on known and supported "mechanism" -- the hardware/firmware used within the reader.
Smart Card Reader Drivers are located at: /usr/libexec/SmartCardServices/drivers/
Built-in Readers and corresponding Drivers:
USB Based Readers
* CCID (USB) Compliant Readers - Several readers are noted as CCID Compliant
CCIDClassDriver.bundle - Apple provided and maintained driver
* Athena IIIe USB Readers - IIIe USB Smart Card Readers
ifd-ASEIIIeUSB.bundle - Apple ships within OS - Athena maintained
PC Card Based Readers
* CRYPTOCard PC Card Reader - CRYPTOCard has two Readers ("P-1" & "CardMan 4040")
CC-PC-Card.bundle - Apple ships within OS - CRYPTOCard maintained
* SCM Microsystems SCR24X Series - SCM Microsystems PC Card Readers (241 & 243) - OEM'd as well
SCR24XHndlr.bundle - Apple ships within OS - SCM Microsystems maintained
* OMNIKey CardMan Readers - OMNIKey PC Card Reader - CardMan 4040 - OEM'd as well
ifdok_cm4040_macos-2.0.0.bundle - Apple ships within OS - OMNIKey maintained
** NOTE: Previous to Mac OS X 10.4.6, there were issues preventing the automatic recognition of PC Card based Smart Card Readers. Two changes were required to utilize these readers even though the drivers were shipped within the OS. Those changes included modifications to securityd.plist and moving aside the CCIDClassDriver to avoid conflicts. Mac OS X 10.4.6 has FIXED these previous issues, so all three of the mentioned PC Card Readers (and readers based on those mechanisms) will work with no modifications required.
Some Additional Smart Card Readers and corresponding Drivers known to work
-- This is not an exhaustive List !!!
USB Based Readers -
(Those updated to be CCID Compliant will then work with built-in CCID Class Driver)
* ActivCard
ActivCard USB v2 - MUST FLASH reader with SCM CCID-Compliant firmware update - see below
* Axalto
Reflex USB v3 - CCID Compliant!
* CRYPTOCard
CRYPTOCard USB - MUST FLASH reader with SCM CCID-Compliant firmware update - see below
* GemPlus
GemPlus PCTwin - CCID Compliant!
GemPlus USB - CCID Compliant!
GemPC43X - GemPC 430, 433, 435 - Requires installation of supported driver
* OMNIKey
CardMan 2020 - Requires installation of supported driver
CardMan 3121 - CCID Compliant!
CardMan 5125 - CCID Compliant! (Contact Reader support only)
* Schlumberger
Reflex USB v2 - Requires installation of supported driver
* SCM Microsystems
SCR 331 / SCR 531 - Must Flash reader with CCID Compliant firmware update - see below
USB-Dongle Based Readers
* Aladdin
eToken Pro - Requires Aladdin Software and REQUIRES PKCS#11 applications
* GemPlus
GemPlus PCKey - CCID Compliant!
* OMNIKey
CardMan 6121 - CCID Compliant!
USB Keyboard-based Readers
* CherryCorp
SmartBoard G83-6702 - Smart card keyboard (USB) compatible with OMNIKey CardMan 2020
- Requires installation of OMNIKey CardMan 2020 driver
Firmware Update for SCM SCR 331 "Mechanism" based Readers: (Requires using Windows)
The Firmware Update Tool/Firmware
Smart Cards Supported:
As previously noted, Apple still is the only OS Vendor providing out-of-the-box support for the US Federal Smart Cards (CAC / GSCIS) with PIV support coming with final release of the PIV specification from NIST. Once official PIV Cards / Test Cards begin to be issued, Apple will be able to complete the PIV support within the OS. Smart Cards being issued right now are either CAC or GSCIS compliant and will work.
Some have questioned whether their newly issued 64K cards would be supported and work with Mac OS X 10.4. The answer is YES! The issue that some were finding was with the use of the legacy utility "Common Access Card Viewer" which previously had issues with buffer sizes in handling the newer cards. That has also been addressed and should not be the case when running the most current version of Mac OS X 10.4.x. The Viewer Utility is located on your Installation DVD at the path--> /System/Installation/Packages/CommonAccessCard.pkg
In addition to the US Federal Smart Cards, Mac OS X 10.4.x has out-of-the-box support for the Smart Cards that conform to the Belgian National ID (BELPIC) as well as the Japanese PKI (JPKI) specifications.
* CAC / GSCIS - US Federal Government issued Smart Cards
* BELPIC - Belgian National ID
* JPKI - Japanese PKI
System Modifications Required:
The following system modifications are required to enable the use of your US Federal Smart Card (CAC/GSCIS). I have provided these directions
* Enable Additional Keychain - Enable the pre-populated X509Certificates Keychain - Federal Intermediate Certs
* Enable CRL / OCSP - Enable CRL & OCSP in Keychain Access Preferences.
* Enable Smart Card Login - Modify /etc/authorization file
* Directory Services - Choose one of the supported methods and configure appropriately:
* Config to use "NT Principal Name" from email Signing Cert (Typical Federal use)
* Bind a pubkeyhash from the Smart Card to Acct in the Directory Service of Choice
All of the login/DS modifications are documented along with a helpful diffs file for the authorization modification and a pre-configured cacloginconfig.plist in the "TigerSmartcardSetup.zip" file located on my iDisk.
Web Access:
** NOTE:
Those needing to use the legacy PKCS#11 approach to access your Smart Card must do the following:
* Run pcsctool in the Terminal to ensure your Smart Card is updated within the token
- select "1" (commonAccessCard.bundle) when prompted.
This will also ensure that some of the newer 64K cards are supported with these apps as well.
Issues with Intel-Based Macs
Smart Card services are fully supported on the new Intel-based Macs (MacBook Pro & iMac), but there are currently some known issues that you should be aware of. These are being addressed, so you should continue to check to see if they have been addressed in subsequent OS updates.
* "sc_auth" - Apple provided shell script for binding a Smart Card to a Directory Service Account using the pubkeyhash method will not currently run on the Intel-based Macs. Since the Federal Government Agencies are typically utilizing the NT Principal Name approach, this is not an issue -- you would be using the .plist config file to configure what is used for user lookup in the corresponding Directory.
file created and used: /etc/cacloginconfig.plist
* ExpressCard/34 - The new MacBook Pro laptops provide a built-in ExpressCard/34 slot rather than the previously provided PCMCIA / PCCard slot. This means that it is only 34mm wide and the Smart Cards are 54mm wide. Currently, there is no Smart Card vendor providing a solution for the ExpressCard/34 slot. Users with these systems would need to utilize a USB based reader on these systems for now.
Some additional questions you all have raised:
(Q1) How can I publish my certificates to my keychain so that I can use them?
(A1) There is NO need to do anything other than 'enable' the pre-populated X509Certificates Keychain. Once the Smart Card is recognized, the Keys/Certs will automatically be available to the OS and all services relying on the OS Certificate/Keychain Services.
(Q2) How can we use CAC for VPN and wireless 802.11 authentication ?
(A2) Apple's included VPN Client "Internet Connect" provides full support for the Smart Cards (as noted earlier). User Authentication can use Certificates from the Smart Card for L2TP, PPTP and 802.1X/TLS.
(Q3) How do I configure Mail.app to digitally sign / encrypt messages ?
(A3) There is no configuration necessary to enable Mail.app to utilize valid certificates with a Smart Card. The key point to note is that as long as the email account (email address) is exactly the same (including case) as the RFC822 Name within the email signing certificate on the Smart Card, Mail.app will automatically display the Sign/Encrypt icons and allow you to digitally sign the message. Ensure that you have the Smart Card inserted in the reader prior to launching Mail.app. When you want to encrypt a message to someone, you need to ensure you have the Public Certificate (for email encryption) that matches exactly (including case) the email address you are sending to. You can also configure "Directory Access" to pull public certificates from a Certificate Server that is LDAP accessible. Configuring an LDAP server in Address Book will not work in retrieving Certs from a public store.
(Q4) Why doesn't the 10.3.x instructions of using "cac_setup" work ?
(A4) Mac OS X 10.4.x is significantly different than 10.3 and no longer utilizes the previously provided scripts for setting up Smart Card Services or card association. Much of the Smart Card Services in Mac OS X 10.4 are automatic and do not require any setup or configuration. The replacement command on Mac OS X 10.4 for associating a Smart Card to an account is "sc_auth". Refer to the DRAFT-SmartCardLogin-Tiger Document for more details prior to the release of the Admin Guide.
(Q5) The CAC Viewer continuously states "please insert a common access card" ?
(A5) This indicates that your Smart Card is not being recognized, most likely because the Reader is not being recognized.
(Q6) OCSPD appears to stall my system and takes 512+ MB of real RAM when my card is used.
(A6) The PKI system in Mac OS X 10.4 will attempt to resolve/validate all Certificates according to the CRL/OCSP Server address(es) embedded in the certificate. It has become apparent, largely within the Army, that the server defined and embedded in the certificate is not available to the user's system (typically overloaded or across a slower WAN connection), which is causing severe delays or in some cases no response whatsoever from the original server. The amount of "effort" is controlled by the Preference Settings within the Keychain Access --> Preferences --> Certificates. The Values for OCSP & CRL are OFF, Best Attempt, Required if Cert Indicates, and Require for All Certs. Best Attempt might indeed be the best practice setting for this, since it will allow for the occasional lapse in access to the CRL/OCSP Server(s).
(Q7) I replaced the Certificates on my Smart Card. Why does Keychain Access show my old Certificates ?
(A7) For performance reasons, Mac OS X 10.4 will cache the Public Certificates from the Smart Card - They are public and hence are accessible without PIN protection. When some folks have gotten their Certificates replaced (under rare situations) the system will be reading from the cached entries - since the Smart Card itself has not changed. If you have had to, or for some reason have gotten, your Certificates replaced on a particular Smart Card, you can do one of the following to effectively force the system to cache the new Public Certs.
(1) Remove caching for All previously seen Smart Cards on this particular host
$ sudo rm -R /private/var/db/TokenCache/tokens
-OR-
(2) Selectively remove JUST the cached Certificate Information
$ sudo -s (This will prompt you for password and give you root privs)
$ cd /private/var/db/TokenCache/tokens (This will change the current directory to the token cache)
Now, IF you have only used one Smart Card on your system the next step will be very easy. IF you have used more than your current Smart Card, look on the back of your Smart Card and take note of the number stamped on the card that looks like the following:
2050-5000-5076-301D-2F63
This number signifies the Card identifier and will be used as part of the Smart Card cache folder.
The token cache folders (directories) have the name constructed as such:
com.apple.tokend.cac - dot notation for the tokend identifier
: - "colon" separator
CAC - Name of the tokend which handles this card
- - "dash" separator
2050-5000-5076-301D-2F63 - 20 digit identifier of the Smart Card
So, the whole directory would look like this:
com.apple.tokend.cac:CAC-2050-5000-5076-301D-2F63
With the complete path now of:
/private/var/db/TokenCache/tokens/com.apple.tokend.cac:CAC-2050-5000-5076-301D-2F63
The contents of this directory are:
drwx------ 3 root user 102 Apr 13 21:17 Cache
-rw-r--r-- 1 root user 14 Apr 13 21:17 PrintName
-rw-r--r-- 1 root user 3 Apr 13 21:17 SSID
drwx------ 2 root user 68 Apr 13 21:17 Work
The "Cache" directory is where the Certificates are stored. It looks like:
-rw-r--r-- 1 root user 1069 Apr 13 21:17 0-Email Encryption Certificate
-rw-r--r-- 1 root user 1144 Apr 13 21:17 0-Email Signing Certificate
-rw-r--r-- 1 root user 1012 Apr 13 21:17 0-Identity Certificate
Now, all you want to do is to remove JUST the cache of certificates:
$ sudo rm -R /private/var/db/TokenCache/tokens/com.apple.tokend.cac:CAC-2050-5000-5076-301D-2F63/Cache
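The same selective clean-up as a small script, added here as an example and not part of the original message or of the OS: it parses the cache directory names using the tokend-id:tokend-name-card-id layout described above, lists the cards cached on the host, and removes only the Cache subdirectory for one card identifier. The TOKEN_CACHE_ROOT override and the function names are my assumptions; run it as root (sudo -s) against the real /private/var/db/TokenCache/tokens.

```shell
#!/bin/sh
# Added example, not from the original message: manage the Mac OS X 10.4
# token cache described above. The directory naming
#   <tokend identifier>:<tokend name>-<card identifier>
# comes from the message; the TOKEN_CACHE_ROOT override and the function
# names are assumptions so the logic can be exercised on a scratch copy.
# Run as root (sudo -s) against the real /private/var/db/TokenCache/tokens.
TOKEN_CACHE_ROOT="${TOKEN_CACHE_ROOT:-/private/var/db/TokenCache/tokens}"

# Build a cache directory name from its three parts, e.g.
#   token_dir_name com.apple.tokend.cac CAC 2050-5000-5076-301D-2F63
# gives com.apple.tokend.cac:CAC-2050-5000-5076-301D-2F63
token_dir_name() {
    printf '%s:%s-%s\n' "$1" "$2" "$3"
}

# Tokend identifier: everything before the ":" separator.
tokend_id_of() {
    printf '%s\n' "${1%%:*}"
}

# Tokend name: between the ":" and the first "-" (assumes no "-" in the name).
tokend_name_of() {
    rest="${1#*:}"
    printf '%s\n' "${rest%%-*}"
}

# Card identifier: everything after the first "-" that follows the ":".
# The identifier itself contains dashes, so only that first one is stripped.
card_id_of() {
    rest="${1#*:}"
    printf '%s\n' "${rest#*-}"
}

# One line per cached card: "<tokend id> <tokend name> <card id>".
list_cached_cards() {
    for d in "$TOKEN_CACHE_ROOT"/*:*-*; do
        [ -d "$d" ] || continue
        base="${d##*/}"
        printf '%s %s %s\n' "$(tokend_id_of "$base")" \
            "$(tokend_name_of "$base")" "$(card_id_of "$base")"
    done
}

# Option (2) from the message: remove only the Cache directory (the cached
# public certificates) for one card identifier, leaving PrintName, SSID and
# Work in place. Returns non-zero if no cache entry for that card exists.
clear_card_cache() {
    card="$1"
    found=0
    for d in "$TOKEN_CACHE_ROOT"/*:*-"$card"; do
        [ -d "$d/Cache" ] || continue
        rm -R "$d/Cache"
        found=1
        printf 'cleared certificate cache for %s\n' "$(card_id_of "${d##*/}")"
    done
    [ "$found" -eq 1 ]
}

# Usage: ./tokencache.sh [card id]  (no argument lists, an argument clears)
if [ "$#" -gt 0 ]; then clear_card_cache "$1"; else list_cached_cards; fi
```

After clearing, re-insert the card so the tokend re-reads and re-caches the current public certificates.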
There are always many more questions, but I will leave this message as it is for now.... I will be back after April 17th, but will of course be further behind with mail than I am now, so please understand that I will try my best to answer your mail as quickly as possible. I have just learned that I cannot invent a 30+ hour day...
I will be finishing up the Smart Card User and Admin Guide, so be sure to subscribe to the Fed-Talk mailing list to know when and where it is available.