UPDATE
The "Smart Card Services Update" installer noted in the original
message has been updated to v1.1.
Background on a Fix:
The "Smart Card Services Update v1.0" installer contained all of
the appropriate components, however, for some customers, the
installer failed to effectively replace the two tokend modules
(CAC.tokend and PIV.tokend). The failure to replace those two
modules resulted in several folks unable to access / still access
their US Federal Smart Cards.
Delivery Vehicle:
After extensive testing with several Federal Mac OS X 10.5.4 Users
affected, I am happy to announce that there is an updated installer
on my iDisk:
http://idisk.mac.com/geddis//Public/SmartCards/Installers/Smart_Card_Services_Update_v1.1.zip
These component updates are also integrated into the Mac OS X
10.5.5 Software Update (beta build right now) for those authorized
with access and able to test.
*Related* Messages I have recently sent to Fed-Talk list:
[Discussion] 10.5.x/Smart Card/Safari Issues
[Discussion] (1) Reader and/or Card not recognized by Mac OS X 10.5*
[Discussion] (2) Card recognized, but I cannot access PKI protected Websites
[Discussion] (3) Enabling Intermediate CA Certificates - SystemCACertificates
[Discussion] (4) Support Smart Card "Types" on Mac OS X 10.5
---- UPDATED Notice ----
(1) Reader and/or Card not recognized by Mac OS X 10.5
Many of you were already working with your Smart Card / Reader on
10.4.11 and then things stopped working after you upgraded to 10.5.x.
Customers Impacted:
Smart Card users who upgraded to Mac OS X 10.5 and had one of a
handful of Readers (SCM SCR 331/531/3310/3311/..) as well as a
newer Smart Card supporting Block Transfer (T=1) and/or a Hybrid
card containing both CAC/PIV applets. Note that this is not a
problem with either the Reader /Smart Card Manufacturers, but with
the compatibility issues of the Mac OS X 10.5.x shipped components
and these devices.
Platform Affected: Mac OS X 10.5.x
Services Affected: Any services requiring an Identity (Cert/Key)
from the Smart Card
User Experience:
Previous:
When inserting a supported smart card, it appears in the
Keychain List within Keychain Access.
After Update:
When inserting a supported smart card, the reader may even blink
but the card never appears in the Keychain List.
Background on a Fix: We are replacing some of the previously
shipped Smart Card Services Components to better support these
specific issues:
• CCID Class Driver: Replaced with a more comprehensive CCID Driver
• PCSC Framework: Updated to support T=1 Card Negotiation
• CAC Tokend: Updated to support T=1 Card Negotiation
• PIV Tokend: Updated to support T=1 Card Negotiation
Delivery Vehicle: Plan to provide these modifications in a
subsequent Mac OS X 10.5 Software Update.
Workaround: Until it has been integrated into the OS, I have
developed an Installer to get each of you the current builds of
those components for your immediate testing and use. The Installer
requires that you have already upgraded to 10.5.4 first - otherwise
it will not install.
**WARNING**: *Disclaimer*
Use at your own risk. Ensure that you test this installer
on test machines prior to larger scale deployment.
If you are using a third-party product related to the use of your
Smart Card, then check with the vendor to ensure they rely on
their own Tokend module or that their software is not negatively
impacted by the SCS component updates.
Installer URL: In the future, there will be a more appropriate
location to pick up Installers/patches/documents, but until then,
grab this one at the following URL. You will note that this is a
digitally signed installer to ensure its authenticity and
origination.
http://idisk.mac.com/geddis//Public/SmartCards/Installers/Smart_Card_Services_Update_v1.1.zip
Installation Welcome Panel:
Smart Card Services Update 1.0
Smart Card Services components
shipped in Mac OS X 10.5.0 - 10.5.4 require specific updates to
support some of the newer Smart Cards issued within the US Federal
Government. These newer cards support a faster transfer protocol
(T=1) and can also be a hybrid card (CAC & PIV applets). They
require a negotiation of which protocol to use (T=0 or T=1). CCID
compliant smart card reader support and protocol negotiation has
been significantly improved in this update.
New Components to be installed:
PCSC Framework
• PCSC.Framework /System/Library/Frameworks/
• pcscd /usr/sbin/
CCID Compliant Smart Card Readers
• ifd-ccid.bundle /usr/libexec/SmartCardServices/drivers/
Smart Cards
• CAC.tokend /System/Library/Security/tokend/ CAC.tokend
• PIV.tokend /System/Library/Security/tokend/ PIV.tokend
Installer Important Information Panel:
This is a digitally signed Mac OS X Installer. You can verify the
integrity of this installer by clicking on the small certificate
icon in the upper right corner of this installer window.
This installer is provided to you by:
Shawn Geddis
Security Consulting Engineer, Apple Enterprise
email@hidden
____________________________________________________
Please contact Shawn Geddis <email@hidden> directly in the
event of any issues with this installer or the results of
installing on your machine(s) and he will make a best effort
attempt to help. Please provide a complete System Profiler report
to assist in the troubleshooting of your installation.
*Disclaimer*
Use at your own risk. Ensure that you test this installer on test
machines prior to larger scale deployment.
Installation Complete Panel:
Smart Card Services Update 1.1
____________________________________________________
During the installation of this update, copies of the older
versions of the replaced components have been placed into a new
folder on your Desktop:
SmartCardServices-Backup-[OS build#]
i.e. SmartCardServices-Backup-[9D37]
If for any reason you wish to retain the previously installed
components, you should put this folder into a safe place.
Components and where they were moved from:
PCSC.Framework /System/Library/Frameworks
pcscd /usr/sbin/
CCIDCLassDriver.bundle /usr/libexec/SmartCardServices/drivers/
CAC.tokend /System/Library/Security/tokend/
PIV.tokend /System/Library/Security/tokend/
- Shawn
_____________________________________________________
Shawn Geddis Security Consulting Engineer Apple
Enterprise
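
Added example, not part of the original message or of the installer: a shell check that compares each installed component with its copy in the Desktop backup folder, to catch the v1.0 failure in which CAC.tokend and PIV.tokend were not actually replaced. It assumes the backup folder holds the old components flat, by name. The function names are hypothetical, and the CCID driver is left out because the backed-up bundle and the new one have different names.

```shell
#!/bin/sh
# Components and install directories as listed in the installer panels.
COMPONENTS='PCSC.Framework|/System/Library/Frameworks
pcscd|/usr/sbin
CAC.tokend|/System/Library/Security/tokend
PIV.tokend|/System/Library/Security/tokend'

# component_status ROOT BACKUP NAME DIR
# Prints one of: missing, no-backup, unchanged, replaced.
# ROOT is "" for the live system, or a test prefix.
# Assumption: the old copy lives at BACKUP/NAME.
component_status() {
    installed="$1$4/$3"
    old="$2/$3"
    if [ ! -e "$installed" ]; then
        echo missing
    elif [ ! -e "$old" ]; then
        echo no-backup
    elif diff -rq "$old" "$installed" >/dev/null 2>&1; then
        echo unchanged      # identical to the backup: not replaced
    else
        echo replaced
    fi
}

# check_update ROOT BACKUP
# Prints "name status" per component; returns 1 unless all are replaced.
check_update() {
    rc=0
    while IFS='|' read -r name dir; do
        status=$(component_status "$1" "$2" "$name" "$dir")
        echo "$name $status"
        [ "$status" = replaced ] || rc=1
    done <<EOF
$COMPONENTS
EOF
    return $rc
}

# Run only when called with arguments, for example:
#   sh check.sh "" "$HOME/Desktop/SmartCardServices-Backup-[9D37]"
if [ $# -ge 2 ]; then
    check_update "$1" "$2"
fi
```

An "unchanged" result for CAC.tokend or PIV.tokend means the installed module is byte-identical to the backed-up copy.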