Re: [Fed-Talk] CAC Setup on Intel MACs (additional step)
- Subject: Re: [Fed-Talk] CAC Setup on Intel MACs (additional step)
- From: "Shawn A. Geddis" <email@hidden>
- Date: Mon, 8 Oct 2007 11:27:54 -0400
On Oct 8, 2007, at 10:18 AM, Timothy J. Miller wrote:
Don't launch FF with the card in the reader. After launch, insert
and unlock the card from the NSS dialog.
This is a regression of an old pre-2.0 bug.
-- Tim
Date: Fri, 05 Oct 2007 17:25:56 -0400
From: Michael Smith <email@hidden>
Subject: Re: [Fed-Talk] CAC Setup on Intel MACs
To: "MacLeod, Donald H ERDC-ITL-NH Contractor"
<email@hidden>, Apple Fed Talk
<email@hidden>
Message-ID: <C32C2424.2699F%email@hidden>
Content-Type: text/plain; charset="US-ASCII"
The additional step is, in Firefox, under Advanced, Encryption, Security
Devices, to click the Load button to add a new PKCS #11 module and set the
path to the OS X PKCS security bundle at
/usr/libexec/SmartCardServices/pkcs11/pkcs11.bundle/Contents/MacOS/pkcs11
That will enable FF to use the OS X smart card services. Works very well.
Mike Smith
ERDC-CRREL
Robert et al.,
Using PKCS#11 applications on Mac OS X 10.4.0 and later is no longer
the preferred or integrated abstraction for Smart Cards. Be aware that
in future versions of Mac OS X, PKCS#11 support may not ship on the
product and may not be supported by AppleCare.
If you desire to use Mac OS X 10.4.x AND PKCS#11 applications (i.e.
FF) you would need to ensure the following:
(1) Using a supported Smart Card Reader
    -- CCID Compliant will always work.
    -- Readers supported by drivers at:
       /usr/libexec/SmartCardServices/drivers
    -- You have installed a supported driver from the reader vendor
(2) Your Smart Card is supported by the PKCS#11 bundle
    -- 32K CAC are ---- The ATR value exists in the bundle
       (/usr/libexec/SmartCardServices/services/commonAccessCard.bundle/Contents/Info.plist)
       If the PKCS#11 application crashes when you launch it, remove the
       card and try again.
       (Timothy Miller has pointed this out a few times)
    -- 64K CAC will work fine, but you must ensure they are *recognized*
       by the PKCS#11 bundle
       If the PKCS#11 application crashes when attempting to use the card,
       ensure that the ATR value is added to the commonAccessCard bundle.
       You add the ATR value by running the "pcsctool" command in Terminal
       (ensure you execute with sudo, since this requires additional
       privileges).
# pcsctool
Select the approprate token driver:
-----------------------------------
1. commonAccessCard.bundle
2. GSCISPlugin.bundle
3. mscMuscleCard.bundle
4. slbCryptoflex.bundle
-----------------------------------
Enter the number:
You would enter #1. Ensure the Smart Card is in the reader as well.
Keep in mind that the sometimes painful steps of working with PKCS#11
applications (as noted above) are some of the key reasons that Apple
moved away from that architecture and to one that seamlessly
integrates the Smart Cards into the Mac OS X credential system --
visible to the user as Keychains.
- Shawn
____________________________________________________
Shawn Geddis Security Consulting Engineer Apple Enterprise
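
The check described in item (2) above, whether a card's ATR is listed in the token bundle's Info.plist, as an added example that is not part of the original message or of Apple's tooling. It assumes an XML plist that stores each ATR as a hex string; the key name `ExampleAtrValues` and both ATRs in the sample are constructed, so the search is key-agnostic.

```python
import plistlib
import re

# Constructed sample standing in for a token bundle's Info.plist; the key
# name "ExampleAtrValues" and both ATR values are made up for this example.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleName</key>
  <string>commonAccessCard</string>
  <key>ExampleAtrValues</key>
  <array>
    <string>3B F0 11 22 33 44</string>
    <string>3bf0aabbccdd</string>
  </array>
</dict>
</plist>
"""

def normalize_atr(text):
    """Return an ATR as uppercase hex without separators, or None if not one."""
    compact = re.sub(r"[\s:\-]", "", text).upper()
    if len(compact) < 4 or len(compact) % 2 or re.search(r"[^0-9A-F]", compact):
        return None
    # The first ATR byte (TS) is 0x3B or 0x3F; this filters out other hex-like strings.
    return compact if compact[:2] in ("3B", "3F") else None

def iter_strings(node):
    """Yield every string value nested anywhere in a parsed plist."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from iter_strings(value)
    elif isinstance(node, (list, tuple)):
        for value in node:
            yield from iter_strings(value)

def listed_atrs(plist_bytes):
    """Collect all ATR-shaped strings from the plist, whatever key holds them."""
    found = {normalize_atr(s) for s in iter_strings(plistlib.loads(plist_bytes))}
    return found - {None}

def atr_is_listed(card_atr, plist_bytes):
    """True if the card's ATR appears in the plist, ignoring case and spacing."""
    wanted = normalize_atr(card_atr)
    if wanted is None:
        raise ValueError("not a hex ATR: %r" % card_atr)
    return wanted in listed_atrs(plist_bytes)
```

To check a real bundle, pass the bytes of its Info.plist in place of `SAMPLE_PLIST`; a `False` result for a 64K CAC corresponds to the case where the message says to add the ATR with pcsctool.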