20 years ago, when the Lisa evolved into
the 68000 Mac, my assessment was - for 90% of the users, the Mac could do their
job wildly easier and better than anything from Microsoft. The problem was for
that other 10%, there was nothing anyone could do to make it work. Seems like
nothing has changed.
Spending my life in that 10% category.
(25 years as an embedded systems
developer)
Bill Frame (CTR)
Joint Program Executive Office for
Chemical and Biological Defense
Software Support Activity, San
Diego, CA
Senior Systems Engineer
Desk: 619.553.0799 Fax: 619.553.6902
Cell: 619.992.8983
email@hidden
From: John B. Niles [mailto:email@hidden]
Sent: Friday, July 11, 2008 3:44 AM
To: Bill Frame
Subject: Re: [Fed-Talk] How to setup CAC authentication in Safari
Bill,
At our location, the few of us still using Macs are fully aware that
Leopard broke CAC use on Macs. Unless you are a Unix expert, I doubt you
will get the process to work. I spend far too much time on this issue,
checking the FedTalk emails, getting responses from several well meaning list
members, and trying the posted guidance.
However, the process is simply broken in Leopard, and we have not been
able to get it to work. The current references either assume you are a
Unix expert, are obsolete (such as "CAC on Mac"), or just don't work.
It has been simply an achievement (in 10.5.4) to get the card reader to
work with the CAC. Now I can actually send digitally signed messages (but
not encrypted ones). Currently, even a routine process such as binding my
card to my AKO account must once again be done on a Windows PC. Agh!!!!
I have asked for help from the list on this several times and read all of the
recommendations from list messages. Some very well meaning responses have
been received but none work.
I am still trying a few variations, but my guess is that it will take at least
one more system upgrade (maybe more) before Apple gets this one right. If
we have some luck and do work it out, I'll send the list a message and maybe
title it "CAC for Dummies" (non-experts).
I am very disappointed that Apple took a major step backward with Leopard on CAC.
Oh well.
Regards,
John
On Jul 11, 2008, at 12:12 AM, Bill Frame wrote:
The CAC shows at the top left corner
of the Keychain.
I installed Shawn Geddis’ patch.
I set up the ID preference for the correct cert to the https://akocac.us.army.mil/.
No change. Still doesn’t do anything the web site recognizes as a CAC.
Bill Frame (CTR)
Joint Program Executive Office for
Chemical and Biological Defense
Software Support Activity, San
Diego, CA
Senior Systems Engineer
Desk: 619.553.0799 Cell: 619.992.8983
email@hidden
From: Paul Nelson <email@hidden>
Date: Wed, 09 Jul 2008 15:15:34 -0500
To: Bill Frame <email@hidden>, Apple Fed Talk <email@hidden>
Conversation: [Fed-Talk] How to setup CAC authentication in Safari
Subject: Re: [Fed-Talk] How to setup CAC authentication in Safari
Bill,
I think you would be helped out a lot if you had the Army golden master for
your Mac. It should take care of making sure your CAC works properly.
You would still have the various problems connecting to web sites
however.
Here are some simple steps to see if the CAC is working with the card reader.
- Remove the CAC from the reader
- Launch the Keychain Access utility (in
Applications / Utilities)
- In the extreme lower left corner of the
window, you will see a button with a triangle in it. Click this
button so the triangle points UP. This will change your window so it
displays a list of keychains
- With the list of keychains showing on the left
side of the window, insert your CAC and wait a few seconds. You
should see a new item appear at the top of the list. The new item
will have a name starting with the letters CAC.
If NO item appears in the window, follow these troubleshooting steps:
- Unplug the smartcard reader, remove the CAC
from the reader
- Reboot the Mac
- Launch the Console utility (in Applications /
Utilities).
- Make sure the Console window says “All
Messages” at the top. If it does NOT say “All
Messages”, then choose “Open Quickly” then “LOG DATABASE
QUERIES” then “All Messages” from the File menu.
- Watch the Console window (it should say
“All Messages” at the top) and connect your card reader.
You should see messages identifying the card reader. If you
don’t, your card reader may not be working, or may need to be
flashed with newer firmware. Check the manufacturer’s site for
information about firmware.
- If the card reader messages appear in the
console window, insert your CAC into the reader. You should see
messages indicating that a card was inserted. You may see some error
messages too.
- Launch the Activity Monitor utility (in
Applications / Utilities). Choose “Activity Monitor”
from the Window menu.
- In the Activity Monitor window, click on the
Process ID column until you see a triangle pointing down. You want
to see process ids sorted with the largest number first.
- You should see a process named CAC in the
list. If not, your card reader and CAC combination is not supported
by the OS. You may have to try a different kind of card reader.
If you have Thursby’s AFC product installed, you will see a
process named AMSmartCard appear instead of “CAC”.
- If you do not see the CAC process, look at the
Console window (All Messages). If you see an error message with
“Protocol type of card (T=1) not supported by this driver for this type of reader (TPDU)”
you are experiencing a known problem with
Leopard. Shawn Geddis posted a link to an installer that may fix
this particular issue.
From: Bill Frame <email@hidden>
Date: Wed, 9 Jul 2008 10:59:10 -0700
To: Apple Fed Talk <email@hidden>
Subject: Re: [Fed-Talk] How to setup CAC authentication in Safari
Unfortunately, there seems to be a problem with participants of this
list operating at the extremes of competence on the OS X system administration.
I’ve owned a Mac for nearly 3 months, so I’m obviously at the
bottom end.
Since I didn’t try to use the CAC until June, I started with 10.5.3, so
10.5.3’s changes didn’t apply to my situation. 10.5.4 did solve
some issues that it wasn’t supposed to, but the CAC recognition problem
is still there.
Some people are talking about how the CAC is recognized by the machine, but not
by the target web site. How do they know? Someone mentioned the CAC certs
showing in the Keychain, but mine show there when the CAC is not attached. When
I go to AKO or the Navy PKI site, they obviously do not see the CAC.
Another thing was setting the system log to record website URLs:
http://lists.apple.com/archives/Fed-talk/2008/Jul/msg00024.html
The “troubleshooting” section probably has some incredibly useful
information, but it leaves out most of the steps involved. The commands to do
this don’t help a lot if you’re not familiar with how to do command
line in OS X. I haven’t done Unix command line since the early 90s, so
I’m not up on what is safe and what isn’t, or whether there are
intermediate steps after bringing up the Terminal.
http://www.apple.com/itpro/federal/
has a lot of marketing stuff, but I’m not finding anything that says
“this is what you need to do, and look here if it doesn’t
work”.
I would love to walk away from Windows. The reason I have the Mac is because I
spent 3 days fixing a .net framework issue on XP. I can set up an XP box
to access the sites requiring a CAC in less than 15 minutes. After one
walk-through by the Navy support guy, I’ve set up 5 machines on my own.
I’ve been trying to get the Mac running since early June, so far
unsuccessfully. So far, every person I talked to at work that uses a Mac,
either it worked when they plugged in the reader, or it never has worked and
nobody can figure out why.
I know how frustrating it can be doing detailed instructions for newbies, but
that’s where some of us are. Anybody up to the challenge?
Bill Frame (CTR)
Joint Program Executive Office for
Chemical and Biological Defense
Software Support Activity, San
Diego, CA
Senior Systems Engineer
Desk: 619.553.0799 Fax: 619.553.6902
Cell: 619.992.8983
email@hidden
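
The process and Console checks in Paul Nelson's troubleshooting list can also be run from Terminal. The script below is an added example, not part of any message in this thread: it uses the error text and the process names (CAC, AMSmartCard) quoted there, while the function names, diagnosis words and sample data are constructed here, and the live-use comment assumes the system log is at /var/log/system.log.

```shell
#!/bin/sh
# Added example: command-line form of the Activity Monitor and Console checks.
# The error text and process names come from the thread; function names,
# diagnosis words and sample data are constructed for illustration.

T1_ERR='Protocol type of card (T=1) not supported by this driver for this type of reader (TPDU)'

# has_proc NAME PROCLIST
# Succeeds if NAME is exactly the basename of a process in PROCLIST
# (one process per line, with or without a leading path).
has_proc() {
    printf '%s\n' "$2" | sed 's|.*/||' | grep -qx -- "$1"
}

# cac_triage PROCLIST LOGTEXT
# Prints one diagnosis word, checking in the order the steps are given:
# token process first, then the known Leopard driver error in the log.
cac_triage() {
    if has_proc CAC "$1"; then
        echo cac-process-running
    elif has_proc AMSmartCard "$1"; then
        echo amsmartcard-process-running
    elif printf '%s\n' "$2" | grep -qF -- "$T1_ERR"; then
        echo t1-tpdu-driver-error
    else
        echo no-cac-process
    fi
}

# Constructed sample input (not captured from a real machine).
SAMPLE_PROCS='/sbin/launchd
/usr/sbin/exampled
/Applications/Safari.app/Contents/MacOS/Safari'
SAMPLE_LOG="Jul  9 15:02:11 mac exampled[210]: $T1_ERR"

cac_triage "$SAMPLE_PROCS" "$SAMPLE_LOG"

# On a live system (assumed log location):
#   cac_triage "$(ps -A -o comm=)" "$(tail -n 500 /var/log/system.log)"
```

A result of `t1-tpdu-driver-error` corresponds to the known Leopard problem named in the last step; `no-cac-process` corresponds to the unsupported reader and card case.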