Contents

System Requirements
  Mac OS X 10.5.4 or 10.5.5
  Supported Readers
  Supported Smart Cards

Usage Changes
  Client-side Certificate Authentication & Safari
  Identity Preferences
  Troubleshooting
Mac OS X 10.5.4 or 10.5.5
Mac OS X 10.5.5 was originally going to include important updates to properly handle many CCID readers, along with support for the newer Smart Cards being issued within the US Federal Government. Those Smart Card Services updates will, unfortunately, not appear in the 10.5.5 update; they will continue to be made available through a separate installer.
The original update for Intel-based systems running Mac OS X 10.5.4 is still available via the following link:
http://idisk.mac.com/geddis-Public/SmartCards/Installers/Smart_Card_Services_Update_v1.1.zip
NOTE: You need to apply the Smart Card update prior to updating to Mac OS X 10.5.5.
A Universal update (PPC / INTEL) for systems running Mac OS X 10.5.4 or 10.5.5 will be available soon via the following link:
http://idisk.mac.com/geddis-Public/SmartCards/Installers/Smart_Card_Services_Update_v1.2.zip
NOTE: This Smart Card update will support both PPC & Intel-based systems running Mac OS X 10.5.4 or 10.5.5.
________________________________
Supported Readers
A number of CCID readers are supported by the Smart Card Services Update. For an up-to-date list of supported readers (PIN pad functionality excluded), see:
http://pcsclite.alioth.debian.org/ccid.html
Please note that some readers commonly used within the US Federal Government require updated firmware to work as expected. In particular, OEM derivatives of the SCM SCR 331 product family will require updating if their firmware version is older than v5.25:
ActivCard USB v2
CRYPTOCard USB
SCM SCR 331, SCR 531
The Firmware “Flashing” Utility for the Readers noted above requires either Windows or Linux and can be found at:
http://www.scmmicrosystems.com/support/pcs_downloads.php?lang=en
________________________________
Supported Smart Cards
The Smart Card Services Update brings support for the latest US Federal Government Smart Cards (CAC & PIV). For the “Common Access Card” (CAC), Mac OS X will now support T=1 cards at full speed with many readers. Also, “Personal Identity Verification” (PIV) cards can now be used for authenticated logins. Updates are still being made for full PIV compliance and will be available when complete.
________________________________
Client-side Certificate Authentication & Safari
Mac OS X 10.5.3 changed how Safari handles client-side certificates for authentication. Safari 3 no longer automatically sends the first valid client certificate found; instead, Safari prompts the user to pick a certificate from all certificates currently available to that user, including those stored on smart cards. Please note that Safari will only prompt when a web page requires certificate authentication. For sites that allow certificate authentication as an option rather than requiring it, you will have to create an "identity preference" to map which certificate you'd like to use for a specific URL. Apple's explanation of this change can be found at: http://support.apple.com/kb/HT1679
________________________________
Identity Preferences
A few US Federal Government PKI-protected services (websites, webmail, mail servers, etc.) behave differently after the Mac OS X 10.5.3+ changes and may require the user to create an Identity Preference, a mapping between a specific URL and a specific certificate, for successful authentication.
This preference is remembered in your keychain as an "identity preference” item, and you will not be prompted again when returning to the same site.
Creating an Identity Preference
1. Launch Keychain Access (located in /Applications/Utilities/).
2. Select your Smart Card (keychain). It should always appear as the first keychain in the list.
3. Click “My Certificates” (a “Category” in the list in the lower left corner).
4. Hold down the <Control> key and click the appropriate certificate (the cert for your URL).
5. Select “New Identity Preference...” from the contextual menu to create an Identity Preference.
6. Enter the URL for the server as an FQDN (Fully Qualified Domain Name), in the form "https://Full.Server.Name/":
   6.1 AKO: https://akocac.us.army.mil/ (NOTE: must include the trailing “/”)
   6.2 NMCI Webmail: https://webmail.nmci.navy.mil/Exchange/ (NOTE: must include “Exchange/”)
Most authentication will typically succeed with just the FQDN form used in 6.1 above, but some servers (e.g. NMCI Webmail) currently require the full URL of the service to be entered in the Identity Preference.
Also, some websites/services contain content references that require authentication to multiple servers, which in turn requires that multiple Identity Preferences be created. This will remain the case until a domain-based or wildcard-style Identity Preference is supported.
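The same preference can be recorded from Terminal, which makes the exact service string visible and easy to repeat across machines. The script below is an added example, not part of the original page: it assumes the `security` command-line tool's set-identity-preference and get-identity-preference subcommands (not mentioned on the page) and takes the certificate's common name as its second argument; "DOE.JOHN.1234567890" is a placeholder, not a real name. The helper normalizes the typed service string into the form the AKO and NMCI examples above use (https:// scheme, trailing "/" on a bare host) and otherwise leaves any path such as /Exchange/ exactly as typed, because the lookup is an exact string match.

```shell
#!/bin/sh
# Added example, not from the original page: record an identity preference
# from Terminal instead of Keychain Access. Assumes the `security` tool's
# set-identity-preference / get-identity-preference subcommands (not shown
# on the page). The common name passed as $2 is a placeholder.

# Put a service string into the form the page's examples use: an https://
# scheme when none was typed, and a trailing "/" on a bare host. A path
# such as /Exchange/ is kept exactly as typed, since the preference lookup
# is an exact string match and the path is what makes the NMCI case work.
normalize_service_url() {
    url=$1
    case "$url" in
        https://*|http://*) ;;
        *) url="https://$url" ;;
    esac
    rest=${url#*://}
    host=${rest%%/*}
    path=${rest#"$host"}
    [ -n "$path" ] || path="/"
    printf '%s://%s%s\n' "${url%%://*}" "$host" "$path"
}

# Store the preference, then read it back so the exact stored service
# string and the SHA-1 of the chosen certificate are visible for checking.
set_identity_pref() {
    service=$(normalize_service_url "$1")
    cn=$2
    security set-identity-preference -c "$cn" -s "$service" || return 1
    printf 'Identity preference stored for %s\n' "$service"
    security get-identity-preference -s "$service" -Z
}

# Usage: sh set_idpref.sh https://akocac.us.army.mil/ DOE.JOHN.1234567890
if [ "$#" -ge 2 ]; then
    set_identity_pref "$1" "$2"
fi
```

Run it once per service that needs a preference; for a site like NMCI Webmail pass the full URL including the path, exactly as you would type it in Keychain Access.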
________________________________
Troubleshooting
To give you and Apple a way to troubleshoot why you may still be failing to authenticate to a given server, you can enable a debug flag for identity matching which, when enabled, logs identity preference lookups to the system log (/var/log/system.log). Use the Terminal application for the following commands.
Enable Identity Preference Debug Mode in 10.5.4 and beyond:
defaults write com.apple.security LogIdentityPreferenceLookup -boolean true
You will want to disable this additional logging when you have everything working. To disable, perform the following:
defaults write com.apple.security LogIdentityPreferenceLookup -boolean false
To read the current value of this debug key, perform the following:
defaults read com.apple.security LogIdentityPreferenceLookup
You will see output ending with a line similar to the following, where “0” is false (off) and “1” is true (on):
LogIdentityPreferenceLookup = 0;
When enabled, each identity preference lookup is written as in the following example:
Jul 1 18:12:51 /Applications/Safari.app/Contents/MacOS/Safari[386]: preferred identity: "<User Identity>" found for "<https://Full.Server.Name/>"
These messages help end users correct the host name they entered in the manually configured Identity Preference. If you are still failing, provide these log messages along with your card reader information (from System Profiler). In some cases it also helps to know the specific card you are using; the card name is printed at the top of the back of the card. Another quick way to capture card information is to launch Terminal and, with your reader attached and card inserted, execute the following command:
pcsctest
Select the number (typically "1") which corresponds to the reader you have attached.
Capture the output from this command and include in your correspondence with Apple.
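Because the preference lookup is an exact string match, the most useful thing in those log messages is the service string Safari actually looked up. The script below is an added example, not part of the original page: it extracts that string from each "preferred identity:" message and reports any lookup that does not exactly match one of the service strings you entered in Keychain Access. The sample log lines are constructed in the layout the page shows, not real log data, and the parser assumes that any not-found variant of the message (which the page does not show) also ends with the service string in "<...>".

```shell
#!/bin/sh
# Added example, not from the original page: pull the service strings that
# Safari looked up out of the identity-preference debug messages and compare
# them, as exact strings, with the ones entered in Keychain Access.

# Constructed sample in the message layout the page shows; not a real log.
SAMPLE_LOG='Jul 1 18:12:51 /Applications/Safari.app/Contents/MacOS/Safari[386]: preferred identity: "<User Identity>" found for "<https://akocac.us.army.mil/>"
Jul 1 18:12:52 /Applications/Safari.app/Contents/MacOS/Safari[386]: preferred identity: "<User Identity>" found for "<https://webmail.nmci.navy.mil/>"
Jul 1 18:12:53 /Applications/Safari.app/Contents/MacOS/Safari[386]: preferred identity: "<User Identity>" found for "<https://webmail.nmci.navy.mil/Exchange/>"
Jul 1 18:12:54 kernel[0]: unrelated message'

# Read log lines on stdin; print each distinct service string that appears
# in a "preferred identity:" message, taken from the last "<...>" on the
# line. Assumption: a not-found variant of the message (not shown on the
# page) ends with the service string the same way.
logged_services() {
    sed -n '/preferred identity:/s/.*"<\([^>]*\)>"[^"]*$/\1/p' | sort -u
}

# Arguments: the service strings you entered as identity preferences.
# Prints every logged lookup that matches none of them exactly; those are
# the strings to correct (scheme, host, path and trailing "/" all count).
unmatched_lookups() {
    configured=$(printf '%s\n' "$@")
    logged_services | while IFS= read -r svc; do
        printf '%s\n' "$configured" | grep -qxF -- "$svc" || printf '%s\n' "$svc"
    done
}

# Against the real log:
#   grep 'preferred identity' /var/log/system.log | sh check_idpref.sh \
#       https://akocac.us.army.mil/ https://webmail.nmci.navy.mil/Exchange/
# With no arguments, run the constructed sample instead.
if [ "$#" -ge 1 ]; then
    unmatched_lookups "$@"
else
    printf '%s\n' "$SAMPLE_LOG" | unmatched_lookups \
        https://akocac.us.army.mil/ https://webmail.nmci.navy.mil/Exchange/
fi
```

On the constructed sample the only unmatched lookup is https://webmail.nmci.navy.mil/, which is exactly the case described above: Safari looked up the bare host while the preference was entered with the /Exchange/ path, so a second preference for the bare host (or a corrected one) is needed.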