Re: [Fed-Talk] Cac not being read correctly
- Subject: Re: [Fed-Talk] Cac not being read correctly
- From: Paul Nelson <email@hidden>
- Date: Fri, 27 Mar 2009 13:12:33 -0500
- Thread-topic: [Fed-Talk] Cac not being read correctly
/var is a symbolic link to /private/var
In general, you should use the "standard" name /var instead of /private/var
in the unlikely event that it should ever move.
Paul
> From: "Losasso, Jonathan E IT3 CCG, N63" <email@hidden>
> Date: Fri, 27 Mar 2009 10:23:04 -0700
> To: Apple Fed Talk <email@hidden>
> Subject: RE: [Fed-Talk] Cac not being read correctly
>
> Don't forget /private/var/db/TokenCache/tokens/
>
> (are they just links to each other anyway?)
>
> -Jon
>
> -----Original Message-----
> From: fed-talk-bounces+jonathan.losasso=email@hidden
> [mailto:fed-talk-bounces+jonathan.losasso=email@hidden] On
> Behalf Of Paul Nelson
> Sent: Friday, March 27, 2009 10:17
> To: email@hidden; Miller, Timothy J.; 'Joe'
> Cc: Apple Fed Talk
> Subject: Re: [Fed-Talk] Cac not being read correctly
>
> Why not just remove all the caches? It's not that much work for the system
> to rebuild them.
>
> Also, you can't use 'sudo' and a wildcard for the tokens folder since the
> user shell doesn't have permissions to look in there.
>
> sudo /bin/sh -c "rm -rf /var/db/TokenCache/tokens/*"
>
> should do the trick since it starts a new shell to expand a wildcard.
>
> Paul Nelson
> Thursby Software Systems, Inc.
>
>
>> From: Marty Riley <email@hidden>
>> Reply-To: <email@hidden>
>> Date: Fri, 27 Mar 2009 16:50:11 +0000
>> To: "Miller, Timothy J." <email@hidden>, 'Joe'
>> <email@hidden>
>> Cc: Apple Fed Talk <email@hidden>
>> Subject: Re: [Fed-Talk] Cac not being read correctly
>>
>> I've tried to get to the cac-XXXX-XXXX-XXXX-XXXX using the sudo rm -r
>> command through terminal, still can't get there. Any advice?
>>
>>
>> Sent from my Verizon Wireless BlackBerry
>>
>> -----Original Message-----
>> From: "Marty Riley" <email@hidden>
>>
>> Date: Fri, 27 Mar 2009 16:32:57
>> To: Miller, Timothy J.<email@hidden>; 'Joe'<email@hidden>
>> Cc: email@hidden<email@hidden>
>> Subject: Re: [Fed-Talk] Cac not being read correctly
>>
>>
>> Joe; Tim,
>>
>> I apparently am not savvy enough with Mac OS to find the sub folders.
>> I'm looking for the tokens in sudo rm previously mentioned. Can one of
>> you guys walk this 'poser' through the steps to get there? I'm getting
>> a whiff of victory now, I just need a little help to find those tokens.
>>
>> Sent from my Verizon Wireless BlackBerry
>>
>> -----Original Message-----
>> From: "Miller, Timothy J." <email@hidden>
>>
>> Date: Fri, 27 Mar 2009 12:26:34
>> To: 'Joe'<email@hidden>;
>> email@hidden<email@hidden>
>> Cc: email@hidden<email@hidden>
>> Subject: RE: [Fed-Talk] Cac not being read correctly
>>
>>
>> The below is correct and should fix the problem. Also, you may need
>> to get the certs for CAs 19 and 20 as they're not rolled into the
>> System keychain yet.
>>
>> -- Tim
>>
>>> -----Original Message-----
>>> From: fed-talk-bounces+tmiller=email@hidden [mailto:fed-
>>> talk-bounces+tmiller=email@hidden] On Behalf Of Joe
>>> Sent: Friday, March 27, 2009 10:44 AM
>>> To: email@hidden
>>> Cc: email@hidden
>>> Subject: Re: [Fed-Talk] Cac not being read correctly
>>>
>>> Marty,
>>>
>>> I didn't read ALL of your email, but I just had the same issue. I am
>>> getting ready to test this now, and am confident it will work.
>>>
>>> Previously, another Fed-Talk member (Chris Blaine) posted the
>>> following, which worked for him:
>>>
>>> -------
>>> I had the same problem, and finally found a posting in another Apple
>>> forum, Apple-cdsa (
>>> http://lists.apple.com/archives/apple-cdsa/2008/May/msg00003.html)
>>> which gave me the answer.
>>>
>>> The answer comes in the last paragraph...
>>>
>>> Meanwhile, take a look at /var/db/TokenCache/tokens. There is one
>>> directory in there for each card the system remembers having seen
>>> before, named by whatever identifier the Tokend has assigned the card
>>> (the form is token identifier:card identifier). Remove the card and
>>> blow away that directory, and when you re-insert the card you should
>>> get the new contents (because you removed the place where the Tokend
>>> would store its cached data). Note that if you do this, the system
>>> will also think your card is new (never before seen).
>>>
>>> There is a cached copy of my previous tokens. Deleting the
>>> referenced directories, as below, resolved my issue, and allowed the
>>> new certificates to be populated into keychain.
>>>
>>> sudo rm -r com.apple.tokend.cac:CAC-XXXX-XXXX-XXXX-XXXX
>>>
>>> --
>>> Thanks
>>> Chris Blaine
>>> Senior Network Engineer
>>> Network Security Officer
>>> C4I Programs
>>> 700 Robbins St, Bldg 2A
>>> Philadelphia, PA 19111
>>> -------
>>>
>>> Thanks,
>>> Joe O'Toole
>>>
>>>
>>>
>>> On Mar 27, 2009, at 11:39 AM, Marty Riley wrote:
>>>
>>>
>>>
>>> I'm having trouble reading my CAC Card accurately which was recently
>>> updated with a NMCI e-mail address. Prior to accomplishing this, I
>>> had no trouble at all accessing my OWA e-mail via my Macs, and am
>>> wondering if keychain access "caches" smart card info based on a
>>> serial number of a CAC Card.
>>>
>>> System:
>>> iMac and Mac Pro both running Leopard 10.5.6
>>> Cac Card readers SCR331 flashed to 5.25 firmware version
>>> Cac Card GEMALTO ACCESS 64KV2
>>>
>>> Certificates prior to the email update:
>>> ID certificate: CA-16
>>> Encryption: CA-15
>>> E-mail Signature: CA-15
>>>
>>> Certificates after the email update:
>>> ID certificate: CA-16 (no change)
>>> Encryption: CA-19 (changed)
>>> E-mail Signature: CA-19 (changed)
>>>
>>> I am able to access DoD websites that I registered at with the ID
>>> certificate (CA-16) still, as that one didn't change. But no joy on
>>> the OWA access which uses the DOD EMAIL signature, due in part I
>>> think, to the CA changing. Which is unusual I think, because it's the
>>> same station that issued my original CAC card?!
>>>
>>> I have spent four days reading posts, cleared Safari cache, ran Onyx
>>> for cleanups, cleared all the keychains from my list and imported
>>> them again, and spent a whole lot of time with the smiling little
>>> face of 'finder' surfing through the computer and can't seem to find
>>> anything (I think he's taunting me now!). I've tried everything
>>> except starting from scratch with a new CAC card. I'm reluctant to do
>>> that since I have so many DoD sites that I work with along with
>>> legacy e-mail accounts (I know, I know.....)
>>>
>>> When I insert the CAC card, it clearly shows up in my keychain access
>>> list, but when I look at each certificate, they're the ones that were
>>> on the card prior to the e-mail address update (CA-15), complete with
>>> the prior e-mail address. I don't understand. I've even sent e-mails
>>> to my personal e-mail address from work that I digitally signed, and
>>> the certificate for the e-mail address shows up correctly (CA-19) in
>>> my login keychain (verified)- so I don't think it's a CA Root or DOD
>>> Email certificate problem.
>>>
>>> Do I need to just swallow it and get a new CAC card? or can anyone
>>> help me find the elusive cache (or whatever else) that I think is
>>> killing me?
>>> Sent from my Verizon Wireless BlackBerry
>>> _______________________________________________
>>> Do not post admin requests to the list. They will be ignored.
>>> Fed-talk mailing list (email@hidden)
>>> Help/Unsubscribe/Update your Subscription:
>>> talk/email@hidden
>>>
>>> This email sent to email@hidden
>>>
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
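
Added example (not part of the original thread, and not code from any poster): a sketch of the targeted cleanup discussed above, removing only one tokend's cache directories under /var/db/TokenCache/tokens instead of every entry. The function names, the `TOKEN_DIR` override and the `-n` dry-run flag are assumptions for illustration; the functions must run in a root shell so that the shell expanding the wildcard can read the directory.

```shell
#!/bin/sh
# Added example, not from the thread. Function names, TOKEN_DIR and -n are
# illustrative assumptions. Cache entries are named
# "<token identifier>:<card identifier>", e.g.
# com.apple.tokend.cac:CAC-XXXX-XXXX-XXXX-XXXX.
TOKEN_DIR="${TOKEN_DIR:-/var/db/TokenCache/tokens}"

# list_token_cache: print one cached entry name per line.
list_token_cache() {
    # The glob is expanded by *this* shell, so it must already have
    # permission to read TOKEN_DIR (the sudo/wildcard point in the thread).
    for entry in "$TOKEN_DIR"/*; do
        [ -d "$entry" ] || continue       # unmatched glob or stray file
        printf '%s\n' "${entry##*/}"
    done
}

# clear_token_cache TOKEND [-n]: remove cache entries for one tokend only.
# With -n, only report what would be removed.
clear_token_cache() {
    tokend="$1"; dry_run="${2:-}"
    case "$tokend" in
        ''|*/*|.*)
            echo "refusing suspicious tokend name: '$tokend'" >&2
            return 2 ;;
    esac
    removed=0
    for entry in "$TOKEN_DIR"/"$tokend":*; do
        [ -d "$entry" ] || continue       # nothing matched
        [ -L "$entry" ] && continue       # skip symlinked entries
        if [ "$dry_run" = "-n" ]; then
            echo "would remove: $entry"
        else
            rm -rf -- "$entry" && echo "removed: $entry"
        fi
        removed=$((removed + 1))
    done
    [ "$removed" -gt 0 ]                  # non-zero status if nothing matched
}
```

As the thread describes, remove the card from the reader first; `clear_token_cache com.apple.tokend.cac -n` previews the removal before running it without `-n`.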