Re: [Fed-Talk] [Discussion] (2) Card recognized, but I cannot access PKI protected Websites
- Subject: Re: [Fed-Talk] [Discussion] (2) Card recognized, but I cannot access PKI protected Websites
- From: Boyd Fletcher <email@hidden>
- Date: Wed, 02 Jul 2008 18:52:46 -0400
- Thread-topic: [Fed-Talk] [Discussion] (2) Card recognized, but I cannot access PKI protected Websites
Thanks Shawn.
Any chance we can get Apple to allow the use of wildcards in the URL for a site when setting the ID Pref Cert?
for example:
https://*.us.army.mil
Also, I think it would help a lot if Safari had a GUI hook that would let you set the ID Pref Cert for the current site.
thanks,
boyd
On 7/2/08 4:15 PM, "Shawn Geddis" <email@hidden> wrote:
(Stepping away from vacation long enough to send some critical email)
(2) Card recognized, but I cannot access PKI protected Websites
Many of you were already working with your Smart Cards on Mac OS X 10.5.0 - 10.5.2, but after you upgraded to 10.5.3, Client-side authentication to those sites failed for you.
Customers Impacted: Smart Card users who upgraded to Mac OS X 10.5.3
Required Client Authentication to various PKI protected Web portals
Issued Smart card supports the newer Block Transfer (T=1) type.
If you possibly have a Hybrid card (both CAC and PIV applets), you may still experience issues even when applying the installer from Shawn Geddis.
Platform Affected: Mac OS X 10.5.3 - released 05/28/08
Services Affected: Safari 3.1.1
-- Web Access using Smart Cards to PKI protected US Federal Government websites
(** All other services are NOT affected **)
Delivery Vehicle: Specific fixes have been released as part of Mac OS X 10.5.4
*** Upgrade your system to Mac OS X 10.5.4
• Safari 3.1.2
• Keychain Access 4.0.2
Several issues were addressed related to correcting the network layer's use of the Identity Preference as well as previous crashing of Keychain Access when the Identity Preference was accessed.
Previous User Experience:
Previous to upgrading to Mac OS X 10.5.3, users were able to successfully access PKI protected Government websites using their US Federal Government Smart Cards (i.e. DoD -> CAC). In some cases, the user would need to manually configure an association between which Certificate to use for the specific URL they were accessing.
Related Change in 10.5.3 Safari:
• Fundamental changes within Mac OS X on how Client-side Certificates are handled
Safari, Mac OS X 10.5.3: Changes in client certificate authentication
http://support.apple.com/kb/HT1679
User Experience:
Mac OS X 10.5.2 (and earlier) / Safari:
Safari 3 automatically sends the first available client certificate in your keychain
Mac OS X 10.5.3 (and later) / Safari:
You will be prompted to select a client certificate when server requests it.
An Identity Preference is then created for the associated URL and Cert.
Server Side Configuration Caveat:
Safari may not prompt you to select a client certificate if the server you are attempting to authenticate to is configured to *optionally* accept (rather than require) client authentication. Many of the US Federal Government web servers are configured for *optional* rather than *required*, since there is still a transition from User/Pass over to Smart Cards.
System will auto create Identity Preference *IF* Server configured for *required*
As noted in the KBase article referenced above, when accessing a website configured as *required*, Safari will prompt the user for the appropriate certificate to use for client authentication, but ONLY if it is configured as *required*.
Manually Creating Identity Preferences -- Server configured for *optional*
In this case you can force a particular client certificate to be sent by manually creating an identity preference item for the desired server authentication. Note that it is important to know the correct URL for the actual authentication process which may significantly differ from the standard login URL.
For example, if you are authenticating to AKO:
The website URL is: https://www.us.army.mil/
The CAC Login URL is: https://akocac.us.army.mil/
NOTE:
It is best to not try and fully qualify the complete URL, but rather just include the FQDN - Fully Qualified Domain Name for the server you are authenticating to. Also, be careful and ensure you have terminated the URL with the "/" to complete the proper host specification. For example, do not just enter the above URL as https://akocac.us.army.mil without the trailing "/", because it will fail for you.
Also, make sure that you are selecting the *proper* Certificate from the card. *Proper* means the certificate expected / required by the Server for user authentication. It may require you to check with your local Admin or help desk to determine which certificate is required for that site.
Since you are manually creating the Identity Preference, you need to ensure that you are selecting the right one. The Certificate selected is easily changed by opening up the "Identity Preference" within your default keychain using Keychain Access and selecting an alternative Certificate.
Troubleshooting:
To provide you and Apple with the ability to troubleshoot why you may still be failing to authenticate to a given server, Apple enabled a debug flag which, when enabled, will log identity preference information to the System log (/var/log/system.log).
Enable Identity Preference Debug Mode in 10.5.4 and beyond:
% defaults write com.apple.security LogIdentityPreferenceLookup -boolean true
When enabled, each identity preference lookup is written as in the following example:
Jul 1 18:12:51 /Applications/Safari.app/Contents/MacOS/Safari[386]: preferred identity: "User" found for "https://Full.Server.Name/"
These messages might allow some to correct the host name they entered in the manually configured Identity Preference.
If you are still failing, provide these log messages along with your Reader and Card information. Quickest way to capture this info is to launch Terminal and execute the following command while you have your reader attached and card inserted:
% pcsctest
Select the number (typically "1") which corresponds to the reader with the card inserted,
...capture the output from this command and include in your message directly to me.
- Shawn
_____________________________________________________
Shawn Geddis Security Consulting Engineer Apple Enterprise
Contents of the mentioned Kbase Article mentioned in this post:
Safari, Mac OS X 10.5.3: Changes in client certificate authentication
http://support.apple.com/kb/HT1679
Summary
Safari 3's handling of client certificate <http://docs.info.apple.com/article.html?path=Mac/10.5/en/8843.html> authentication changes in Mac OS X 10.5.3 and later.
This improves the security and reliability of client certificate-authenticated connections to servers.
- Mac OS X 10.5.2 and earlier behavior: Safari 3 automatically sends the first available client certificate in your keychain to the website.
- Mac OS X 10.5.3 and later behavior: No client certificate is sent until you have the opportunity to select the appropriate one to use for that site. You will be prompted by Safari 3 to select a client certificate at the point where the server requests client authentication. After selecting a client certificate, the decision is remembered in your keychain as an "identity preference item", and you will not be prompted again when returning to the same site.
Note: Safari may not prompt you to select a client certificate if a server is configured to optionally accept (rather than require) client authentication. In this case you can force a particular client certificate to be sent by creating an identity preference item for that server.
To manually specify a client certificate be used for a particular website:
- Open Keychain Access (in Applications/Utilities) and find your client certificate. Click the "My Certificates" category to easily see available client certificates.
- Control-click the certificate, then choose "New Identity Preference..." from the contextual menu.
- A sheet appears in the dialog. Type (or paste) the URL of the page that requires the certificate, exactly as it appears in Safari's location field (for example, "https://www.apache-ssl.org/cgi/cert-export").
- Note: With Mac OS X 10.5.4 or later, you may specify a partial URL to match any page on a server (for example, "https://www.apache-ssl.org/").
- Choose the certificate from the pop-up menu, then click Add to create the identity preference. (You may need to click the "All Items" category to view the newly created item.)
To change your decision about which client certificate to use for a particular website:
- Open Keychain Access (in Applications/Utilities) and find the identity preference item for the website in question. Tip: Click the "All Items" category and enter the website name in the search field in the upper right corner.
- Open the item and select a different certificate from the pop-up menu.
- As an alternative to step 2, you can delete the identity preference item from the keychain. The next time you visit the site with Safari 3 you will be prompted to select your client certificate.
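The two pitfalls Shawn's message calls out (entering a full page URL instead of just the FQDN, and leaving off the trailing "/") are easy to check against what Safari actually looks up once the LogIdentityPreferenceLookup flag is on. The following POSIX shell helpers are an added example for this thread, not code from Apple or from anyone on the list: idpref_url() reduces any URL to the "https://host/" form the message recommends, idpref_lookup_urls() extracts the "found for" URLs from system.log lines in the format of the example line above, and idpref_check() reports whether the preference you configured is one of them. The log text used here is constructed for the example; whether Keychain matches host names case-insensitively is not stated in the thread, so the comparison is an exact string match.

```shell
#!/bin/sh
# Added example for the Fed-Talk thread above (not Apple's or the poster's code).
# Helpers for checking a manually created Safari Identity Preference against
# the lookups written to /var/log/system.log by the debug flag.

# Turn on the debug flag from the message (10.5.4 and later). Defined only;
# it is never called here because it changes user defaults on the machine.
idpref_debug_on() {
    defaults write com.apple.security LogIdentityPreferenceLookup -boolean true
}

# Reduce a URL to "https://host/": drop the scheme, cut at the first "/",
# "?" or ":" (path, query or port), then put the scheme and trailing "/" back.
# This is the FQDN-plus-slash form the message says to enter.
idpref_url() {
    printf '%s\n' "$1" | sed -E \
        -e 's#^[Hh][Tt][Tt][Pp][Ss]?://##' \
        -e 's#[/?:].*$##' \
        -e 's#.*#https://&/#'
}

# Read log lines on stdin and print the URL from each line of the form
#   ... preferred identity: "User" found for "https://Full.Server.Name/"
# (format taken from the sample line in the message). Other lines are ignored.
idpref_lookup_urls() {
    sed -n -E 's/.*preferred identity: "[^"]*" found for "([^"]*)".*/\1/p'
}

# idpref_check CONFIGURED_URL < logfile
# Exit 0 if Safari looked up exactly the normalized form of CONFIGURED_URL;
# otherwise print the URLs it did look up (so the host name can be corrected)
# and exit 1. Comparison is an exact string match (assumption: see lead-in).
idpref_check() {
    configured=$(idpref_url "$1")
    looked_up=$(idpref_lookup_urls)
    for u in $looked_up; do
        [ "$u" = "$configured" ] && return 0
    done
    printf 'no lookup matched %s; Safari looked up:\n%s\n' \
        "$configured" "${looked_up:-(nothing)}" >&2
    return 1
}

# Constructed sample log text (not a real capture) in the format of the
# example line from the message, plus an unrelated line that must be ignored.
SAMPLE_LOG='Jul 1 18:12:51 /Applications/Safari.app/Contents/MacOS/Safari[386]: preferred identity: "User" found for "https://akocac.us.army.mil/"
Jul 1 18:12:52 /Applications/Safari.app/Contents/MacOS/Safari[386]: some unrelated message'

# Usage: the configured preference "https://akocac.us.army.mil" (no slash)
# normalizes to the logged URL and passes; the site's front-page URL
# "https://www.us.army.mil/" is not what Safari looked up and fails.
printf '%s\n' "$SAMPLE_LOG" | idpref_check 'https://akocac.us.army.mil' \
    && echo "preference matches Safari's lookup"
printf '%s\n' "$SAMPLE_LOG" | idpref_check 'https://www.us.army.mil/' \
    || echo "preference does not match; fix the host name"
```

On a real machine, replace the constructed text with `idpref_check 'https://your.server/' < /var/log/system.log` after reproducing the failed login once with the flag enabled; the mismatch output tells you which host Safari actually asked for, which is the same diagnosis the message suggests doing by eye.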
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden