RE: [Fed-Talk] Cac not being read correctly
- Subject: RE: [Fed-Talk] Cac not being read correctly
- From: "Miller, Timothy J." <email@hidden>
- Date: Fri, 27 Mar 2009 12:26:34 -0400
- Acceptlanguage: en-US
- Thread-topic: [Fed-Talk] Cac not being read correctly
The below is correct and should fix the problem. Also, you may need to get
the certs for CAs 19 and 20 as they're not rolled into the System keychain
yet.
-- Tim
>-----Original Message-----
>From: fed-talk-bounces+tmiller=email@hidden [mailto:fed-
>talk-bounces+tmiller=email@hidden] On Behalf Of Joe
>Sent: Friday, March 27, 2009 10:44 AM
>To: email@hidden
>Cc: email@hidden
>Subject: Re: [Fed-Talk] Cac not being read correctly
>
>Marty,
>
>I didn't read ALL of your email, but I just had the same issue. I am
>getting ready to test this now, and am confident it will work.
>
>Previously, another Fed-Talk member (Chris Blaine) posted the following,
>which worked for him:
>
>-------
>I had the same problem, and finally found a posting in another Apple
>forum, Apple-cdsa
>(http://lists.apple.com/archives/apple-cdsa/2008/May/msg00003.html)
>which gave me the answer.
>
>The answer comes in the last paragraph...
>
>Meanwhile, take a look at /var/db/TokenCache/tokens. There is one
>directory in there for each card the system remembers having seen
>before, named by whatever identifier the Tokend has assigned the card
>(the form is token identifier:card identifier). Remove the card and blow
>away that directory, and when you re-insert the card you should get the
>new contents (because you removed the place where the Tokend would store
>its cached data). Note that if you do this, the system will also think
>your card is new (never before seen).
>
>There is a cached copy of my previous tokens. Deleting the referenced
>directories, as below, resolved my issue and allowed the new
>certificates to be populated into keychain.
>
>sudo rm -r com.apple.tokend.cac:CAC-XXXX-XXXX-XXXX-XXXX
>
>--
>Thanks
>Chris Blaine
>Senior Network Engineer
>Network Security Officer
>C4I Programs
>700 Robbins St, Bldg 2A
>Philadelphia, PA 19111
>-------
>
>Thanks,
>Joe O'Toole
>
>
>
>On Mar 27, 2009, at 11:39 AM, Marty Riley wrote:
>
> I'm having trouble reading my CAC Card accurately which was recently
> updated with a NMCI e-mail address. Prior to accomplishing this, I had
> no trouble at all accessing my OWA e-mail via my Macs, and am
> wondering if keychain access "caches" smart card info based on a
> serial number of a CAC Card.
>
> System:
> iMac and Mac Pro both running Leopard 10.5.6
> Cac Card readers SCR331 flashed to 5.25 firmware version
> Cac Card GEMALTO ACCESS 64KV2
>
> Certificates prior to the email update:
> ID certificate: CA-16
> Encryption: CA-15
> E-mail Signature: CA-15
>
> Certificates after the email update:
> ID certificate: CA-16 (no change)
> Encryption: CA-19 (changed)
> E-mail Signature: CA-19 (changed)
>
> I am able to access DoD websites that I registered at with the ID
> certificate (CA-16) still, as that one didn't change. But no joy on
> the OWA access which uses the DOD EMAIL signature, due in part I
> think, to the CA changing. Which is unusual I think, because it's the
> same station that issued my original CAC card?!
>
> I have spent four days reading posts, cleared Safari cache, ran Onyx
> for cleanups, cleared all the keychains from my list and imported them
> again, and spent a whole lot of time with the smiling little face of
> 'finder' surfing through the computer and can't seem to find anything
> (I think he's taunting me now!). I've tried everything except starting
> from scratch with a new CAC card. I'm reluctant to do that since I
> have so many DoD sites that I work with along with legacy e-mail
> accounts (I know, I know.....)
>
> When I insert the CAC card, it clearly shows up in my keychain access
> list, but when I look at each certificate, they're the ones that were
> on the card prior to the e-mail address update (CA-15), complete with
> the prior e-mail address. I don't understand. I've even sent e-mails
> to my personal e-mail address from work that I digitally signed, and
> the certificate for the e-mail address shows up correctly (CA-19) in
> my login keychain (verified) - so I don't think it's a CA Root or DOD
> Email certificate problem.
>
> Do I need to just swallow it and get a new CAC card? or can anyone
> help me find the elusive cache (or whatever else) that I think is
> killing me?
> Sent from my Verizon Wireless BlackBerry
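As an added example (not code from this thread or from Apple), a POSIX shell helper around the /var/db/TokenCache/tokens layout Chris describes: it lists the cached cards by tokend identifier and card identifier, and removes one card's directory only after checking that the name is a plain tokend:card entry, with a dry-run mode so the exact path is shown before anything is deleted. TOKEN_CACHE_ROOT and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): inspect and purge a Tokend cache
# directory under /var/db/TokenCache/tokens without risking a stray rm -r.
# TOKEN_CACHE_ROOT can be pointed at a scratch directory for testing.
TOKEN_CACHE_ROOT="${TOKEN_CACHE_ROOT:-/var/db/TokenCache/tokens}"

# Print "tokend<TAB>card" for every cached card; directory names have the
# form "<tokend identifier>:<card identifier>", e.g. com.apple.tokend.cac:CAC-...
list_cached_cards() {
    root="${1:-$TOKEN_CACHE_ROOT}"
    [ -d "$root" ] || return 1
    for d in "$root"/*:*; do
        [ -d "$d" ] || continue
        name=${d##*/}
        printf '%s\t%s\n' "${name%%:*}" "${name#*:}"
    done
}

# Remove the cache for one card. Refuses anything that is not a plain
# "tokend:card" name (no slashes, no "..") so a typo cannot escape the root.
# Second argument "dry-run" only reports what would be deleted.
purge_cached_card() {
    name=$1; mode=${2:-delete}; root="${3:-$TOKEN_CACHE_ROOT}"
    case "$name" in
        */*|*..*|"") echo "refusing unsafe name: $name" >&2; return 2 ;;
        *:*) ;;
        *) echo "not a tokend:card name: $name" >&2; return 2 ;;
    esac
    target="$root/$name"
    [ -d "$target" ] || { echo "no cache for $name" >&2; return 1; }
    if [ "$mode" = dry-run ]; then
        echo "would remove $target"
    else
        rm -r "$target"
        echo "removed $target"
    fi
}
```

On a real Mac this runs under sudo with the card removed, and after re-insertion the system treats the card as never seen before, as Chris notes.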
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)