Re: [Fed-Talk] CAC Patch 1.2 help requested
- Subject: Re: [Fed-Talk] CAC Patch 1.2 help requested
- From: Boyd Fletcher <email@hidden>
- Date: Thu, 9 Oct 2008 17:42:50 -0400
- Thread-topic: [Fed-Talk] CAC Patch 1.2 help requested
which mail program? Apple Mail or Entourage 2004/2008?
On 10/9/08 5:01 PM, "Gregory Adair" <email@hidden> wrote:
Ben,
Glad you mentioned this, because I haven't seen it mentioned anywhere else. Several of us here at my command are unable to encrypt messages using our PKI certs. The problem is occurring on machines from 10.5.2 up to those running 10.5.5 with the 1.2 patch installed, and others in between. We are all able to digitally sign, send, and receive messages, but like Ben stated, the padlock is greyed out and unusable. Has anyone else had this problem? Maybe it's just us, or maybe not many folks have been encrypting messages to see the problem, because I haven't seen a lot of chatter on this list about it. All, please take a look and give it a try. I see this as a pretty big thing that needs fixing. Thank you.
-Greg
________________
Gregory Adair
E-mail: email@hidden
On Sep 22, 2008, at 2:35 PM, Ben Dugas wrote:
Shawn,
Thanks for getting back to me, but it was after I had left the Lab on Friday. Prior to 10.5.2 I had never created identity preferences. Since 10.5.2, in OSX my CAC card has become useless. I've been using VMWare Fusion to do my day to day things.
So I have removed all Identity preferences in Keychains. Even if I reboot, don't open Keychain Access and just open Safari, it does not prompt me for a PIN. I have reset Safari using the menu and cleared everything but my usernames and other autofill information. Still a no go.
There are 4 other Macs at the lab that are at 10.5.4 or 10.5.5 and none of them have their CAC card working even after loading the 1.2 version of the patch. Are there any log files you want to see?
Thanks,
Ben
On Sep 19, 2008, at 4:32 PM, Shawn A. Geddis wrote:
On Sep 19, 2008, at 5:32 PM, Ben Dugas wrote:
Shawn,
I have downloaded your 1.2 update but it didn't work; help would be greatly appreciated. OSX 10.5.5 Build 9F33 (No Prior CAC Patch)
Keychain sees the CAC card and typing in the pin there unlocks the CAC card.
I have tried both Identity preferences and certificate preferences for
https://cmproweb1.spawar.navy.mil/
https://infosec.navy.mil
https://ako.army.mil/
Safari doesn't prompt me for the pin.
Different issue.
In Mail I have the star with the X in the middle black (available) but the padlock is grayed out (unavailable).
I just flashed my CAC reader using the firmware from the EDS posting.
My CAC card is GEMALTO Access 64KV2.
Should I delete my keychain? What troubleshooting steps should I take next?
Thanks,
Ben
Ben,
I will hit a few of the easy ones here first and then tackle the others...
Keychain sees the CAC card and typing in the pin there unlocks the CAC card.
We provide the ability to unlock the Smart Card via Keychain Access, but there is no need to. Anytime the OS services need to use your Private Key on the card or display the PIN protected data on the card, you would be prompted for the Smart Card's PIN (It will ask for the Keychain's Password -- and since the Smart Card is a Keychain, the PIN == Password referenced in the Dialog). As long as you do not remove the Smart Card, you will not be prompted again for the PIN. That decision is determined by the ACLs (Access Control Lists) on the objects stored in the card and the CAC does not provide an ACL to require PIN entry on every use --- hence the reason you were not prompted again when using Safari.
I have tried both Identity preferences and certificate preferences for
https://cmproweb1.spawar.navy.mil/
https://infosec.navy.mil
https://ako.army.mil/
You create Identity Preferences to access PK-enabled Services -- only if the site is configured not to require Certificate-based authentication. Otherwise, if it is configured as required, Safari would prompt you for which certificate to use from the card and automatically create the Identity Preference for you.
Adjust the URLs you are referencing in the ID Prefs to match the Real URL of the Server where Authentication is taking place and also note that you should "usually" use a trailing "/" at the end (but recent NMCI changes alter that for those folks).
https://infosec.navy.mil
should be ====> https://infosec.navy.mil/
https://ako.army.mil/
should be ====> https://akocac.us.army.mil/
https://cmproweb1.spawar.navy.mil/
This one appears to be correct, but of course I have no way of verifying without a valid CAC and access.
Maybe someone else within SPAWAR using Mac OS X can verify what URL is correct for this one.
Also, be sure that you are using the correct certificate to authenticate to the web services. Which one to use is determined by the configuration of the site.
Safari doesn't prompt me for the pin.
As noted above, if you have unlocked the Smart Card (keychain), you will not be prompted again unless you remove the Smart Card from the reader or your system screen saver kicks in or system goes to sleep.
- Shawn
________________________________________
Shawn Geddis T (703) 264-5103
Security Consulting Engineer C (703) 623-9329
Apple Enterprise Division email@hidden
11921 Freedom Drive, Suite 600, Reston VA 20190-5634
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden