Let me try to take your scenario step by step to help explain what was happening, what went wrong and what you should/can do...
On Sep 22, 2005, at 9:50 AM, Dalton Hamilton wrote:
> 1. Upgraded the firmware on the CAC Reader to V5.18. This allowed my system to see the CAC Reader and read the card. When I connect the CAC Reader, the pcscd process starts.
Flashing the firmware on the reader is a good step for everyone. Many may recall that I have stated that the SCM SCR331 is a 'family' of readers and not a single model (different firmware and versions). The best thing is for everyone to flash the firmware (currently v5.18), which makes the reader fully CCID compliant. It is then fully supported by the CCID Class Driver in Mac OS X 10.4.x rather than the problematic SCR331 (pseudo-CCID) driver that was pre-installed in Mac OS X 10.3.x.
Let me restate: Mac OS X 10.4.x does NOT install the SCR331 driver that was pre-installed in 10.3.x, so if you have one of these readers, it is best that you flash the unit for optimal user experience.
> 2. I've also installed the Common Access Card Viewer (CACV) application off the 10.4 Install DVD.
This application is NOT necessary for any normal use of the Smart Cards. The Common Access Card Viewer is a legacy App that 'still' exists and is known to have some issues on Tiger with newer cards. This App is capable of also displaying the Demographic / Protected data from the card. Since it is attempting to display protected data, it requires the entry of the PIN associated with the card.
> 3. I then started the Keychain Access application and did Edit->Keychain List and clicked on the "Shared" checkbox for X509Certificates.
This is necessary for all DoD users, since the DoD Intermediate Certs are pre-installed in that keychain. This makes the experience simple enough for DoD users, but does not confuse or generate questions for non-DoD users of Smart Cards (yes, there is a growing list of Non-US Federal Smart Card Users - with different Smart Cards).
> 3. Next I inserted my CAC ID and started the Common Access Card Viewer and it said it was loading the CAC info and then prompted me for my Keychain Password.
Whether it is the Common Access Card Viewer, Keychain Access or any other Application, the Password/PIN to enter is the PIN for the Card. We are aware that some dialogs indicate "password" when they mean "PIN" for a card, but that is an outstanding issue relating to abstracting Smart Cards as keychains which have to date always used passwords.
> At that time, I didn't realize the CAC Card itself was treated as a KeyChain -- even though I had made the above modifications to the Keychain Access application and could see the card show up as a keychain.
The appearance of the Smart Card as a Keychain is new to Mac OS X 10.4.x - Tiger. Smart Cards become dynamic in nature and appear in the Keychain list when they are inserted and disappear when they are removed. The modifications you made to 'enable' X509Certificates are separate from the Smart Card.
> I typed in my user password and it prompted me again for a password, I again typed my user password, and it prompted me again for a password and I realized it must be talking about the CAC ID PIN number. I then typed the PIN number. Still no luck. I had locked the card already. I drove over to the DEERS/RAPIDS group and they unlocked my card and let me put in another PIN (which I chose the same PIN number).
Yes! Unfortunately you learned that 'after' locking your card, but now you and many others realize what is happening. Any time it asks you within the CAC Viewer or in relation to a keychain named "smart card #..." you need to enter the PIN. UI improvements as well as dialog wording improvements are in the works.
> 4. Once I was back at my system, I put the CAC ID in the reader and no luck at all -- the system would not detect the ID. I unplugged the CAC reader and plugged it back in and the system wouldn't detect the reader. I restarted the system and then the system would see the reader.
Tiger starts Smart Card Services when you initially connect the reader. It will shut down 2 minutes after the card is removed for lack of Smart Card activity. The system 'should' restart the services when you insert the card again, but issues relating to the shutdown of services as well as a system going to sleep (which I am not sure was true in your case or not) are being addressed and will be available in a future software release.
> I started Keychain Access and inserted my card and could see it show up as a keychain. I then inserted my CAC ID and started the CAC Viewer. It prompted for a keychain password and I very carefully typed the correct numbers. No luck, it prompted again.
There is no real User need to use the CAC Viewer and, as I stated previously, there are some issues with it that are being addressed. The functionality of identifying and viewing the Certs, Keys and locking/unlocking the card can all be done from within Keychain Access now. Is there an additional function that you are attempting to use CAC Viewer for, or an assumption that you must use it for Smart Card Services? CAC Viewer was created for the initial release of the previously separate software package known as "FSCP" (Federal Smart Card Package). That software was only needed for 10.2.3 - 10.2.8. It was integrated into 10.3.0 and was no longer needed from that point on. Please do not install the FSCP onto any Mac OS X system that is not 10.2.3 - 10.2.8 or it will force you to perform an Archive Install of the OS to correct the problem and still save your personal data!
> This tells me that the CAC Viewer can't communicate with the CAC ID properly.
CAC Viewer is not part of the standard install and is currently still provided for legacy support. What you are seeing is indeed tied to the fact that it has not been modified to work with the larger capacity (64K) cards that are now being distributed. To help us better understand your needs, what additional functionality are you personally looking for from CAC Viewer that is not already provided in Keychain Access? CAC Viewer was designed when there was no "Smart Card as Keychain" capability within Mac OS X. Its value has all but been eliminated with the Tiger integration.
> 5. I then moved on to Entourage. I set up Entourage's security settings for the Signing Certificate and Encryption Certificate. I then sent a digitally signed email to another user. He sent me a signed email. I added his certificate/public-key to the contact and then sent him a signed and encrypted email. He responded with an encrypted email which my Entourage application could not decrypt. The error is "There was an error trying to decrypt the message or locating your encryption certificate."
Have you applied the recent MS Office SP2 yet? You should if you have not.
The typical issue for this kind of problem is that the sender encrypted the message with a former (still valid) Public Cert. This can happen if you have replaced your certs and they still have your previous and still valid public cert. Were you re-issued new Certs (a new card), or do you by chance have multiple certs (including Soft Certs) for the corresponding email address?
> The attachment folder has a smime.p7m file in it. I double-clicked the smime.p7m and it prompted me to add the embedded or enclosed (or something like that) certificate to a keychain and gave me a pulldown list of keychains to add it to. Hmm, it didn't make sense but I tried it anyway, more out of frustration than logical sense. I added it to the Login keychain and the CAC Card keychain. Still nothing.
The attachment "smime.p7m" is the original encrypted message. Since you indicated your system was unable to decrypt the message, it remains in an encrypted form as an attachment. There is no way for you to add anything to the "CAC Card" Keychain. Please note what Certificate was added to your keychain when/if it was successfully added?
> 5. At the current moment, when I try to send a Digitally Signed email, I get an Entourage error reading "Could not save this message. An unknown error (1) occurred." and all I can do is hit ok. I can see all the certificates and private keys on the CAC card from the keychain access application.
There is a current issue identified that requires the Smart Card be in the reader prior to launching Entourage - Even though the Smart Card/Keys/Certs all appear in the Keychain, there is an access issue to the card that is blocking Entourage from seeing that a new keychain (Smart Card) has been added to the system if Entourage is already running. This also happens, as previously noted, when there is greater than 2 minutes where the system does not recognize that you have a card inserted -- or when your system goes to sleep. Quit Entourage, remove the card, insert the card, ensure that it appears in the keychain and relaunch Entourage. You should be able to continue now. The error you are seeing is when the card is no longer accessible by Entourage. This issue is being addressed.
> 6. Then sometimes I insert my card and it does not show up in the Keychain Access list.
Issues with the restarting of Smart Card Services after being shutdown or when a system goes to sleep are causing your system to no longer recognize that there is a Smart Card inserted. For those who care, securityd is not relaunching each of the tokend items (CAC, BELPIC, JPKI) and hence the card and reference to its contents are not being propagated up the chain.
> Since I didn't take chronological notes on all this, I'm sure some of the above is a bit twisted; however, the point is, I'm really looking to get this working. I need this to work as it is a requirement to send Digitally Signed and Encrypted email for certain information. I want these systems to be successful and if I don't get it working, nobody else is. If anyone is monitoring this thread that can help, I'd be glad to give you a call or work offline via my military email address.
As I have mentioned off-line, you can call me to help you get this resolved.
The following are responses to comments/questions brought up by others on this thread:
======================================================================================
Most of the "flaky" behavior you and others have experienced can be attributed to issues we have found with Smart Card drivers and the corresponding firmware. As previously mentioned about the SCR331 Reader, everyone should update the reader with the most recent firmware, v5.18.