In an ongoing effort to help everyone on this list with Smart Card related questions, I will try to address your questions and statements below.....
On Oct 22, 2008, at 11:29 AM, Burdge, Eric C Maj USAF AETC 81 MSGS/SGCQ wrote:
Consultant:
I understand that Mac OS X supports military CAC. I am having trouble using my CAC and a SCR331 USB card reader (which has been flashed to the most current FW of 5.25—should I reflash it down to 5.18?) from home. Please advise and assist.
No, you do not need to go backwards. An SCM SCR 331 reader with firmware v5.25 is quite appropriate, but unfortunately only one of the initial steps to take. This requirement was due to the varying versions of non-CCID compliant and somewhat problematic versions of firmware prior to that on that particular family of readers -- I say family, since it does not refer to a *specific* reader.
I use a PowerBook (Pismo) with a G4 processor (550 MHz) running Mac OS 10.4.11 with all the latest updates. BTW, I also installed some SCM drivers downloaded from the SCM site…how do I uninstall them (or delete them) if I need to do that? I understand that OS 10.4.+ was supposed to already have some CCID compliant drivers and I wonder if the SCM drivers deleted them while installing their own…?! At any rate, below is the info on what I have tried thus far…
Mac OS X 10.4.11 had a CCIDClass Driver that worked with the cards and other Smart Card related OS components included in 10.4.11. If you installed any specific drivers from the vendor (i.e. SCM) then they would *normally* be installed at the following location. I say *normally*, because some Smart Card vendors have unfortunately continued to install their drivers and unnecessary config files in other locations on the drive.
The Apple Smart Card Driver directory is:
/usr/libexec/SmartCardServices/drivers/
Where you would see the following CCID Class Driver from Apple to work with the SCR SCM 331 reader....
CCIDClassDriver.bundle
If you have any other specific driver for the reader (i.e. driver name begins with "SCR") then I would suggest you remove it by deleting the driver from that directory and unplugging/re-plugging your reader to your system.
When I query the system profiler, it correctly reveals that the SCR331 card reader is attached to one of the two USB ports. The green light on the card reader remains green. When I insert my CAC card, it still remains green and does NOT blink…
System Profiler is a valuable tool, but has only very limited help for you in the case of Smart Cards. System Profiler is giving you what the OS sees for Hardware, but does not indicate if it is able to communicate with the reader (with the appropriate driver) or with the Smart Card (the CAC applet on the card). The lack of blinking indicates that it does not recognize one or both in this case.... Start with the Driver issue discussed above and then move to the card.
Troubleshooting:
1) Launch "Terminal" from the /Applications/Utilities Folder
2) Execute the following command: "top" (without the quotes)
3) Watch the activity at the top of the Process list as you connect the reader and insert the card
- When a reader is attached, the "pcscd" process will automatically launch
- When a card is inserted, multiple Processes (tokend modules) will launch with each probing the card to determine if it is a card it knows how to talk to. In your case with a Common Access Card, the CAC process should win and will remain in the process list.
I know that the card reader works because if I take it over to my PC, it reads my CAC just fine and I can read my USAF email, etc., etc., but no such love from the Mac?! A colleague mentioned that they had to install OS X 10.4, plug in the card reader and configure, and then install the updates to 10.4.11?! Do I really need to do this?!?!?
No need for any configuring with the Card on 10.4.x, unless you are also using it for Login to your account. The Smart Card Setup Guide (for setting up Login) that was posted specifically for 10.4 can be found at:
With Mac OS X 10.5.x, all of the noted changes for setting up /etc/authorization for Login are not needed -- already integrated into 10.5.0+. If you want to Login with 10.5 then you could use the guide for associating your card to an account with either the PubKeyHash method or the Attribute Matching Method.
Here is what I have done. I have a SCM Microsystems SCR331 USB Smart Card Reader flashed with the latest firmware (5.25) downloaded from SCM Microsystems. I have also installed their drivers which are purportedly both MacOS X 10.4 and 10.5 compliant:
The same driver would not work for both 10.4 and 10.5, due to changes with the Smart Card Services components and the OS Changes between 10.4 and 10.5. You are better off addressing the reader driver issue with the steps I noted earlier in this message.
I have followed the instructions, below, all to no avail:
Add the DOD Intermediate CAs to the Keychain
These steps are performed on a Mac with OS X 10.4.3 or better.
a) Logon to the Mac with your normal user ID.
b) Launch Keychain Access (Go | Utilities | Keychain Access).
c) Select Edit | Keychain List.
d) Under Show, select: Mac OS X (System).
e) Check "Shared" checkbox for X509Certificates
(/System/Library/Keychains)
f) Click OK.
g) Close Keychain Access.
This keychain contains the DoD Intermediate Certificates which have been pre-populated by Apple. As you note, the keychain just needs to be enabled for use by you as a user. The "Shared" checkbox just allows all users on that box to have access to the keychain without manually adding it for each account.
Delete old Keychain Certificates and CAC cache (Optional):
If your CAC card has changed in any way (new email address, name change, etc) from the time you first used it on a specific system, you may have to clear out the cached CAC credentials and certificates.
Step 1: Remove Cached CAC credentials
a) Open a Terminal Session (Go | Utilities | Terminal)
b) Type: cd /private/var/db/TokenCache and press <Enter>.
c) Type: sudo mv tokens tokens-old and press <Enter>.
d) Type: sudo mkdir tokens and press <Enter>.
e) Type: sudo chmod 711 tokens and press <Enter>.
DoD apparently had an unusually high number of cards "re-issued" with new certs for various reasons. For performance reasons, Mac OS X caches the Certificates (public content) from the card into the directory you noted above:
/var/db/TokenCache/tokens/
Moving the whole directory aside and re-creating it seems a bit harsh of an approach. If you really want to blow away all cached information, you could execute the following and have a one line clean solution:
sudo rm -R /var/db/TokenCache/tokens/com.apple.tokend.*
Reducing four commands down to one and reducing possible errors.
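The two checks from this reply, the driver-directory inspection and the one-line cache cleanup, as an added shell example that is not part of the original message. Both functions take the directory as a parameter so they can be rehearsed against a scratch copy before being run as root against the real paths named above; the defaults are assumptions mirroring those paths.

```shell
# Added example: rehearse the driver check and the TokenCache cleanup described above.
# Default paths are the ones the message names; override them to test on a scratch copy.
DRIVER_DIR="${DRIVER_DIR:-/usr/libexec/SmartCardServices/drivers}"
TOKEN_DIR="${TOKEN_DIR:-/var/db/TokenCache/tokens}"

# Inspect the driver directory ($1).
# Returns 0 if only Apple's CCIDClassDriver.bundle is present,
#         1 if a vendor "SCR*" bundle is also installed (the case the reply says to remove),
#         2 if Apple's CCID class driver is missing altogether.
check_drivers() {
    dir="$1"
    if [ ! -d "$dir/CCIDClassDriver.bundle" ]; then
        echo "missing: $dir/CCIDClassDriver.bundle"
        return 2
    fi
    rc=0
    for b in "$dir"/SCR*.bundle; do
        [ -e "$b" ] || continue        # glob matched nothing; keep rc=0
        echo "vendor driver present, remove it and re-plug the reader: $b"
        rc=1
    done
    return $rc
}

# Remove only the cached tokend entries under $1, keeping the tokens directory
# itself (and its mode) intact. Prints how many entries remain afterwards.
clear_token_cache() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "no such cache directory: $dir"
        return 1
    fi
    for t in "$dir"/com.apple.tokend.*; do
        [ -e "$t" ] || continue
        rm -R "$t"
    done
    ls -A "$dir" | wc -l | tr -d ' '
}
```

On a live 10.4.11 system run `check_drivers "$DRIVER_DIR"` as yourself and `clear_token_cache "$TOKEN_DIR"` under sudo, since the cache directory is root-owned.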
Step 2: Remove old Certificates
a) Launch Keychain Access (Go | Utilities | Keychain Access)
b) Click on Certificates.
c) Use Edit | Delete to remove certificates with your name (Last.First.MI.xxx)
d) Close Keychain Access.
Technical Report NPS-CS-06-009
The Center for Information Systems Security Studies and Research
Any chance to get a glimpse at this document to help folks correct possible errors?
Copy new Certificates from CAC to Login Keychain:
You must copy your CAC credentials from the CAC card to the login (default) keychain.
a) Insert your USB CAC reader into the system
b) Launch Keychain Access (Go | Utilities | Keychain Access)
c) Click on Show Keychains.
d) Insert your CAC into the reader.
I will avoid my typical rant on this specific guidance....
I am unable to complete the remainder of the instructions, below, because my CAC card does NOT show up in the key chain:
Note that a new entry appears (smart card #x).
e) Click on the smart card #x keychain.
f) Select the certificates with your name (Last.First.MI.xxxxxxx) and click on Edit | Copy.
g) Click on the login (default) keychain and click on Edit | Paste.
h) Close Keychain Access.
Late in the 10.4.x builds, the naming convention was updated to include the card identifier rather than the generic naming convention you see in step "e)" above. It would appear in the form "CAC-4090-0029-8400-0000-04D4" with the 20-char identifier being specific to your card.
If the card does not appear in the Keychain, then the Reader / Card is not properly being seen...
Troubleshooting:
1) Launch "Terminal" from the /Applications/Utilities Folder
2) Execute the following command: "pcsctest" (without the quotes)
3) The following will occur if a reader is inserted and recognized:
MUSCLE PC/SC Lite Test Program
Testing SCardEstablishContext : Command successful.
Testing SCardGetStatusChange
Once a reader is inserted and recognized the following will occur:
MUSCLE PC/SC Lite Test Program
Testing SCardEstablishContext : Command successful.
Testing SCardGetStatusChange
Please insert a working reader : Command successful.
Testing SCardListReaders : Command successful.
Reader 01: SCM SCR-331 CCID 0 0
Enter the reader number : 1
Waiting for card insertion
: Command successful.
Testing SCardConnect : Command successful.
Testing SCardStatus : Command successful.
Current Reader Name : CCID USB Reader 0 0
Current Reader State : 34
Current Reader Protocol : 0
Current Reader ATR Size : 9
Current Reader ATR Value : 3B E2 00 00 04 03 00
Testing SCardDisconnect : Command successful.
Testing SCardReleaseContext : Command successful.
PC/SC Test Completed Successfully !
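To make the pcsctest transcripts above quicker to read in a support thread, here is an added awk-based check, not part of the original message, that takes pcsctest output on stdin and reports the reader name and ATR, or a non-zero status when the run never got past SCardGetStatusChange. The two sample transcripts are constructed from the lines quoted above.

```shell
# Added example: summarise pcsctest output. Exit 0 with "OK reader=... atr=..."
# when the full test completed, 1 when no reader was ever recognised,
# 2 when a reader was listed but the card test did not complete.
pcsctest_summary() {
    awk '
        /Please insert a working reader : Command successful/ { reader_ok = 1 }
        /^Reader [0-9]+:/          { sub(/^Reader [0-9]+: /, ""); name = $0 }
        /Current Reader ATR Value/ { sub(/.*: /, ""); atr = $0 }
        /PC\/SC Test Completed Successfully/ { done = 1 }
        END {
            if (!reader_ok) { print "NO READER: stuck at SCardGetStatusChange"; exit 1 }
            if (!done)      { print "READER " name " seen, but card test did not complete"; exit 2 }
            print "OK reader=" name " atr=" atr
        }'
}

# Constructed sample: no reader attached, pcsctest stops at SCardGetStatusChange.
sample_no_reader() {
    printf '%s\n' "MUSCLE PC/SC Lite Test Program" \
        "Testing SCardEstablishContext : Command successful." \
        "Testing SCardGetStatusChange"
}

# Constructed sample: reader and card both recognised, as in the reply.
sample_ok() {
    printf '%s\n' "MUSCLE PC/SC Lite Test Program" \
        "Testing SCardEstablishContext : Command successful." \
        "Testing SCardGetStatusChange" \
        "Please insert a working reader : Command successful." \
        "Testing SCardListReaders : Command successful." \
        "Reader 01: SCM SCR-331 CCID 0 0" \
        "Enter the reader number : 1" \
        "Waiting for card insertion" \
        ": Command successful." \
        "Testing SCardConnect : Command successful." \
        "Testing SCardStatus : Command successful." \
        "Current Reader Name : CCID USB Reader 0 0" \
        "Current Reader ATR Size : 9" \
        "Current Reader ATR Value : 3B E2 00 00 04 03 00" \
        "Testing SCardDisconnect : Command successful." \
        "Testing SCardReleaseContext : Command successful." \
        "PC/SC Test Completed Successfully !"
}
```

On a real machine, pipe the tool directly: `pcsctest | pcsctest_summary`.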