Re: [Fed-Talk] Smart Cards: tokens Cache Explained

Shawn,

this looks like something Apple could add to the Keychain Access program, maybe “Preferences->General->Clear Smartcard Cache”

any progress on getting the developers to allow wildcards in the URLs for ID Prefs? Adding multiple URLs for the same base site is really getting irritating and is frustrating our users to no end. Most have switched to Firefox because Apple's native approach is so cumbersome that it's not worth using Safari.

it would be great if you could do the following:


http://*.mysite.mil/sites/*       --  in this example all hosts within that domain and all URLs starting with /sites would automatically be sent whatever the selected certificate is if TLS is enabled.

boyd




On 3/27/09 3:13 PM, "Shawn Geddis" <email@hidden> wrote:

Marty,

As an official followup, I will restate here to avoid some confusion
conveyed in the other responses:

The first time a Smart Card is _seen_ in Mac OS X, we perform the
following:

1) Create and maintain a Cache directory
This directory is solely for the purpose of expediting the processing
of information from a Smart Card.  Since access / retrieving the
certificates from the card via the slow card interface it can take
more time than we all would like, therefore, Mac OS X caches that
information for much faster access.

                The Cache directory is located at the following location:
                /var/db/TokenCache/tokens/com.apple.tokend.<cardtype>:<CARDTYPE>-<CardIdent>

                <cardtype>      Reference to the matching smart card Tokend identifier,
                                i.e.  cac, piv,  ....
                <CARDTYPE>      Reference to the matching smart card spec identifier,
                                i.e.  CAC, PIV,  ....
                <CardIdent>     The Smart Card's 20 character (alpha-numeric) unique identifier
                                Format:   XXXX-XXXX-XXXX-XXXX-XXXX

                Sample complete path would look like:
                /var/db/TokenCache/tokens/com.apple.tokend.cac:CAC-4090-0029-8400-0000-04D3/


                Directories and contents stored inside the directory are as follows:

                "Cache"
                         And files stored are copies of the certificates:
                                0-Email Encryption Certificate
                                0-Email Signing Certificate
                                0-Identity Certificate

                "PrintName"
                        Text file containing the "Name" as it appears in the Keychain List.
                        This defaults to:   <CARDTYPE>-<CardIdent>    (like the dir above)
                        You can change this text if you would like and have sudo privs
       
                "SSID"
                        This is an Index into CDSA (CSSM DL DB)

                "Work"
                        This is a "working" directory :-)


2) Clearing the Cache directory

        So if I were to issue the command:
                sudo rm -r /var/db/TokenCache/tokens/com.apple.tokend.cac:CAC-4090-0029-8400-0000-04D3/

        It would wipe out the cache related to that specific card, but it
        will be automatically re-created when I re-insert the card.
        Just pull the card prior to issuing the above command and then
        re-insert the card afterwards.


        Clearing the complete directory would not cause any harm:

                sudo rm -rf /var/db/TokenCache/tokens/

        The "tokens" directory will be re-created on next card insertion as
well.  This would help you avoid having to use a wild-card style
deletion.

By removing the card directory(ies), it would mean that if you did any
manual modification to say the "PrintName" that you would need to just
repeat the modification.  Some folks have changed the PrintName to
reflect personal naming conventions preferences -- i.e. "Shawn Test
CAC".  Be very careful on length and characters used.

- Shawn
_____________________________________________________
Shawn Geddis  - Security Consulting Engineer  -  Apple Enterprise



 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden
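The cache layout and the per-card clearing procedure in Shawn's message, as an added shell example that is not part of the thread or of Apple's own tooling. It assumes the layout described above (entries named com.apple.tokend.<cardtype>:<CARDTYPE>-<CardIdent> under /var/db/TokenCache/tokens, each with a PrintName file) and reads the root from a TOKEN_CACHE_ROOT variable, which is an assumption of this script rather than an Apple setting, so it can be exercised against a scratch directory. The point of the validation step is that the rm only ever targets one well-formed entry directly under the root: a typo, a path or a stray wildcard is refused instead of turning into a broader deletion, and a customised PrintName that is about to be lost is reported first.

```shell
#!/bin/sh
# Added example: inspect and clear per-card smart card token cache entries.
# Assumes the directory layout from Shawn's message; TOKEN_CACHE_ROOT is this
# script's own override knob (not an Apple setting) so it can run against a
# scratch directory instead of the live cache.
TOKEN_CACHE_ROOT="${TOKEN_CACHE_ROOT:-/var/db/TokenCache/tokens}"

# Validate one entry name. On success prints "cardtype CARDTYPE CardIdent";
# on anything that is not exactly com.apple.tokend.<cardtype>:<CARDTYPE>-<CardIdent>
# with a 20-character XXXX-XXXX-XXXX-XXXX-XXXX identifier it returns 1.
parse_token_dir() {
    name="$1"
    case "$name" in
        */*) return 1 ;;                                      # no paths, only a bare entry name
        com.apple.tokend.*:*-????-????-????-????-????) ;;     # overall shape
        *) return 1 ;;
    esac
    rest="${name#com.apple.tokend.}"
    cardtype="${rest%%:*}"          # e.g. cac
    spec="${rest#*:}"               # e.g. CAC-4090-0029-8400-0000-04D3
    cardtype_upper="${spec%%-*}"    # e.g. CAC
    ident="${spec#*-}"              # e.g. 4090-0029-8400-0000-04D3
    case "$ident" in
        *[!0-9A-Za-z-]*) return 1 ;;                          # alphanumeric groups only
    esac
    [ ${#ident} -eq 24 ] || return 1                          # 20 characters plus 4 dashes
    printf '%s %s %s\n' "$cardtype" "$cardtype_upper" "$ident"
}

# List every cached card as "cardtype CARDTYPE CardIdent <tab> PrintName <tab> dir".
# PrintName is the label shown in the Keychain list; it defaults to CARDTYPE-CardIdent.
list_token_cache() {
    for dir in "$TOKEN_CACHE_ROOT"/com.apple.tokend.*; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        fields=$(parse_token_dir "$name") || {
            printf 'skipping unexpected entry: %s\n' "$name" >&2
            continue
        }
        printname=""
        [ -f "$dir/PrintName" ] && printname=$(cat "$dir/PrintName")
        printf '%s\t%s\t%s\n' "$fields" "${printname:-<no PrintName>}" "$dir"
    done
}

# Remove the cache for exactly one card, given its full entry name.
# The name is validated first so only a well-formed entry directly under the
# cache root can be removed. Pull the card before running this; as the message
# says, the directory is recreated on the next insertion.
clear_token_cache() {
    name="$1"
    parse_token_dir "$name" >/dev/null || {
        printf 'refusing: "%s" is not a token cache entry name\n' "$name" >&2
        return 1
    }
    target="$TOKEN_CACHE_ROOT/$name"
    [ -d "$target" ] || { printf 'no cache directory for %s\n' "$name" >&2; return 2; }
    if [ -f "$target/PrintName" ]; then
        # A hand-edited PrintName is lost with the cache and must be redone afterwards.
        printf 'note: PrintName "%s" will be lost and must be re-applied\n' \
            "$(cat "$target/PrintName")" >&2
    fi
    rm -r "$target"
}

# Usage: tokencache.sh list | clear <entry-name>
case "${1:-}" in
    list)  list_token_cache ;;
    clear) clear_token_cache "${2:-}" ;;
esac
```

Run `sh tokencache.sh list` to see what is cached, and, with the card removed and as root, `sh tokencache.sh clear com.apple.tokend.cac:CAC-4090-0029-8400-0000-04D3` to drop one card's cache; reinserting the card rebuilds the directory as Shawn describes. The per-entry validation is what makes this safer than a hand-typed `rm -r` on a long path: an argument like `../` or a partial identifier fails before anything is touched.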


References:
[Fed-Talk] Smart Cards: tokens Cache Explained (From: "Shawn A. Geddis" <email@hidden>)


