[Fed-Talk] PIV login using CAC
- Subject: [Fed-Talk] PIV login using CAC
- From: "Losasso, Jonathan E ITSR CCG, N63" <email@hidden>
- Date: Thu, 11 Sep 2008 08:03:14 -0700
- Thread-topic: PIV login using CAC
Shawn,
First, thank you for updating us on the upcoming changes to how 10.5.5 will handle our CAC. Quickly, one note to add is that the new NMCI webmail servers do now require a trailing /; ex. 'https://webmail.west.nmci.navy.mil' works just fine as an identity preference, it's what I am using now.
Anyways, some background about us: we utilize around fifty MacBook Pros, 10 iMacs, and around 10 Mac Pros all connected to an internal network run by three Mac servers; everything is Intel, everything is 10.5.4. We already require a password that goes above and beyond the DoD standard; however, we would really like to move over to a CAC logon. As you can see we have a large number of Mac systems that we would like to implement a better login procedure on. An ideal solution would be PIV utilizing our CAC that would pull a network profile from our server. Is this currently possible given the correct hardware, or would we have to wait on some more software updates to come out to implement this login procedure? If you have any questions feel free to ask.
v/r
-----Original Message-----
From: fed-talk-bounces+jonathan.losasso=email@hidden [mailto:fed-talk-bounces+jonathan.losasso=email@hidden] On Behalf Of Shawn A. Geddis
Sent: Thursday, September 11, 2008 6:23
To: Fed Talk
Subject: [Fed-Talk] [NOTICE] Mac OS X 10.5.5 will still require installation of "Smart Card Services Update"
Mac OS X 10.5 Smart Card Users,
The planned integration of the Smart Card Services Update into the Mac OS X 10.5.5 update release unfortunately had to be removed late in the process. It is indeed unfortunate, and an example of why we do not pre-announce fixes/patches coming in software updates. My intent was to keep you all abreast of the hard work we were doing to not only address the identified Smart Card issues on Mac OS X 10.5.x, but to help IT Staff and individual Users know that the work would be integrated into a future update. Integration of those updates will take place, but I wanted to be sure that all of you were aware of my premature (and now inaccurate) indication of them coming in 10.5.5.
I have written up a very brief document to highlight the steps IT Staff and Individuals can take to address them and ensure they successfully authenticate to Smart Card protected services using Mac OS X 10.5.4 / 10.5.5. Since far too many agency servers strip or prevent attachments, I have included the text of that document below for your immediate consumption.
To be absolutely clear, *IF* you....
* Previously installed the Smart Card Services Update v1.1 on an Intel-based Mac with 10.5.4:
You can upgrade to 10.5.5 with no changes relating to Smart Cards.
* Upgrade your system to 10.5.5 and have not previously installed the Smart Card update:
You will need to install the Smart Card Services Update v1.2.
* Are running on a PPC-based Mac (G4 / G5) with Mac OS X 10.5.4 / 10.5.5:
You will need to install the Smart Card Services Update v1.2.
As always, we are interested in your feedback and are working hard to ensure Smart Cards "Just Work" on Mac OS X.
- Shawn
_____________________________________________________
Shawn Geddis Security Consulting Engineer Apple Enterprise
US Federal Smart Cards On Mac OS X 10.5
Contents:
System Requirements
* Mac OS X 10.5.4 or 10.5.5
* Supported Readers
* Supported Smart Cards
Usage Changes
* Client-side Certificate Authentication & Safari
* Identity Preferences
* Troubleshooting Identity Preference(s)
Mac OS X 10.5.4 or 10.5.5
Mac OS X 10.5.5 was originally to include important updates to properly handle many CCID Readers along with support for the newer Smart Cards being issued within the US Federal Government. Those Smart Card Services related updates will, unfortunately, not appear in the 10.5.5 update, but will continue to be made available through a separate installer.
The original update for Intel-based systems running Mac OS X 10.5.4 is still available via the following link:
http://idisk.mac.com/geddis-Public/SmartCards/Installers/Smart_Card_Services_Update_v1.1.zip
NOTE: You would need to apply the Smart Card update prior to updating to Mac OS X 10.5.5.
A Universal update (PPC / INTEL) for systems running Mac OS X 10.5.4 or 10.5.5 will be available soon via the following link:
http://idisk.mac.com/geddis-Public/SmartCards/Installers/Smart_Card_Services_Update_v1.2.zip
NOTE: This Smart Card update will support both PPC & Intel-based systems running Mac OS X 10.5.4 or 10.5.5.
________________________________
Supported Readers
There are a number of CCID readers supported by the Smart Card Services Update. For an up-to-date list of those readers that are supported (excluding PIN Pad functionality), you can check:
http://pcsclite.alioth.debian.org/ccid.html
Please note that some readers commonly used within the US Federal Government require updated firmware to work as expected. In particular, OEM derivatives of the SCM SCR 331 product family will require updating if they have firmware versions prior to v5.25:
ActivCard USB v2
CRYPTOCard USB
SCM SCR 331, SCR 531
The Firmware “Flashing” Utility for the Readers noted above requires either Windows or Linux and can be found at:
http://www.scmmicrosystems.com/support/pcs_downloads.php?lang=en
________________________________
Supported Smart Cards
The Smart Card Services Update brings support for the latest US Federal Government Smart Cards (CAC & PIV). For the “Common Access Card” (CAC), Mac OS X will now support T=1 cards at full speed with many readers. Also, “Personal Identity Verification” (PIV) cards can now be used for authenticated logins. Updates are still being made for full PIV compliance and will be available when complete.
________________________________
Client-side Certificate Authentication & Safari
Mac OS X 10.5.3 brought changes to how Safari handles client-side certificates for authentication. Safari 3 no longer automatically sends the first valid client certificate found; instead, Safari will prompt the user to pick a certificate from all certificates currently available to that user. This includes those stored on smart cards. Please note that Safari will only prompt when a web page requires certificate authentication. For sites that allow certificate authentication as an option, and do not require it, you will have to create an "identity preference" to map which certificate you'd like to use for a specific URL. The explanation of this change can be found at: http://support.apple.com/kb/HT1679
________________________________
Identity Preferences
There are a few US Federal Government PKI protected services (Websites, Webmail, Mail Servers, etc.) which now interact differently with the changes to Mac OS X 10.5.3+ and may require the user to create an Identity Preference, a mapping between a specific URL and a specific certificate, for successful authentication.
This preference is remembered in your keychain as an "identity preference" item, and you will not be prompted again when returning to the same site.
Creating an Identity Preference
1. Launch Keychain Access (located in /Applications/Utilities/).
2. Select your Smart Card (keychain). It should always appear as the first keychain in the list.
3. Click on "My Certificates" (a "Category" in the list in the lower left corner).
4. Hold down the <Control> key and click on the appropriate certificate (the cert for your URL).
5. Select "New Identity Preference..." from the contextual menu to create an Identity Preference.
6. Enter the URL for the server as a FQDN (Fully Qualified Domain Name), e.g. "https://Full.Server.Name/". Examples:
   AKO: https://akocac.us.army.mil/ (NOTE: must include the trailing "/")
   NMCI Webmail: https://webmail.nmci.navy.mil/Exchange/ (NOTE: must include "Exchange/")
Most authentication would "typically" succeed using just the FQDN form in step 6 above, but there are servers (i.e. NMCI Webmail) that currently require the full URL to the service to be entered in the Identity Preference.
Also, some Web Sites/Services may contain content references which require authentication to multiple servers, which would require multiple Identity Preferences to be created. This will remain the case until a domain-based or wild-card style Identity Preference is supported.
________________________________
Troubleshooting
To provide you and Apple with the ability to troubleshoot why you may still be failing to authenticate to a given server, you can enable a debug flag for Identity matching which, when enabled, will log identity preference information to the System log (/var/log/system.log). Launch and use the Terminal application for the following commands.
Enable Identity Preference Debug Mode in 10.5.4 and beyond:
defaults write com.apple.security LogIdentityPreferenceLookup -boolean true
You will want to disable this additional logging when you have everything working. To disable, perform the following:
defaults write com.apple.security LogIdentityPreferenceLookup -boolean false
To read the current value of this debug key, perform the following:
defaults read com.apple.security LogIdentityPreferenceLookup
You will see output at the end similar to the following, where “0” is false (off) and “1” is true (on)
LogIdentityPreferenceLookup = 0;
When enabled, each identity preference lookup is written as in the following example:
Jul 1 18:12:51 /Applications/Safari.app/Contents/MacOS/Safari[386]: preferred identity: "<User Identity" found for "<https://Full.Server.Name/>"
These messages can help end users correct the host name they entered in the manually configured Identity Preference. If you are still failing, provide these log messages along with your card reader information (from System Profiler). It is also valuable, in some cases, to know the specific card you are using and the name is noted on the top back of the card. Another quick way to capture card info is to launch Terminal and execute the following command while you have your reader attached and card inserted:
pcsctest
Select the number (typically "1") which corresponds to the reader you have attached.
Capture the output from this command and include in your correspondence with Apple.
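As an added example (not part of Shawn's notice and not an Apple tool), the following POSIX shell script ties the Identity Preferences and Troubleshooting sections together: it reads the "preferred identity" lines that the LogIdentityPreferenceLookup flag writes to system.log, pulls out the URL of each lookup, and prints the Identity Preference strings worth trying for that URL, most specific first: the full URL up to the service directory (the form NMCI Webmail needs, e.g. ".../Exchange/") and then the bare FQDN form with trailing "/". The log lines in SAMPLE_LOG are constructed from the message format shown above, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: suggest Identity Preference URLs from identity-lookup log lines.
# Assumes the "preferred identity: ... found for "<URL>"" format shown in the
# Troubleshooting section. The lines below are constructed sample data.
SAMPLE_LOG='Jul  1 18:12:51 mac Safari[386]: preferred identity: "<User Identity>" found for "<https://webmail.nmci.navy.mil/Exchange/>"
Jul  1 18:12:52 mac Safari[386]: preferred identity: "<User Identity>" found for "<https://akocac.us.army.mil/>"
Jul  1 18:12:53 mac kernel[0]: unrelated line that must be ignored'

# lookup_urls: read log lines on stdin, print the URL of each identity lookup.
lookup_urls() {
  sed -n 's/.*preferred identity: .* for "<\([^>]*\)>".*/\1/p'
}

# pref_candidates URL: print the Identity Preference strings to try, most
# specific first (service directory form, then the bare FQDN form).
pref_candidates() {
  base=${1%%\?*}                       # drop query string
  base=${base%%#*}                     # drop fragment
  scheme_host=$(printf '%s\n' "$base" | sed -n 's|^\(https\{0,1\}://[^/]*\).*|\1|p')
  [ -n "$scheme_host" ] || return 1    # not an http(s) URL
  path=${base#"$scheme_host"}
  case $path in
    ''|/) dir=$scheme_host/ ;;         # no path: FQDN form only
    *)    dir=${base%/*}/ ;;           # directory part, keeps trailing "/"
  esac
  printf '%s\n' "$dir"
  [ "$dir" = "$scheme_host/" ] || printf '%s/\n' "$scheme_host"
}

# suggest_from_log: read a log on stdin and print candidates for each lookup URL.
suggest_from_log() {
  lookup_urls | sort -u | while IFS= read -r url; do
    echo "lookup for: $url"
    pref_candidates "$url" | sed 's/^/  try: /'
  done
}

# Run against the constructed sample; on a real system use:
#   suggest_from_log < /var/log/system.log
printf '%s\n' "$SAMPLE_LOG" | suggest_from_log
```

Enable the debug flag first, reproduce the failing login in Safari, then run suggest_from_log against /var/log/system.log; create the preference for the most specific candidate that the server in question requires, and disable the flag once authentication works.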