Re: [Fed-Talk] Smart Cards: tokens Cache Explained
- Subject: Re: [Fed-Talk] Smart Cards: tokens Cache Explained
- From: Boyd Fletcher <email@hidden>
- Date: Sun, 29 Mar 2009 23:15:09 -0400
- Thread-topic: [Fed-Talk] Smart Cards: tokens Cache Explained
Shawn,
this looks like something Apple could add to the Keychain Access program, maybe “Preferences->General->Clear Smartcard Cache”
any progress on getting the developers to allow wildcards in the URLs for ID Prefs? Adding multiple URLs for the same base site is really getting irritating and is frustrating our users to no end. Most have switched to Firefox because Apple's native approach is so cumbersome that it's not worth using Safari.
it would be great if you could do the following:
http://*.mysite.mil/sites/* -- in this example all hosts within that domain and all URLs starting with /sites would automatically be sent whatever the selected certificate is if TLS is enabled.
boyd
On 3/27/09 3:13 PM, "Shawn Geddis" <email@hidden> wrote:
Marty,
As an official followup, I will restate here to avoid some confusion
conveyed in the other responses:
The first time a Smart Card is _seen_ in Mac OS X, we perform the
following:
1) Create and maintain a Cache directory
This directory is solely for the purpose of expediting the processing
of information from a Smart Card. Since accessing / retrieving the
certificates from the card via the slow card interface can take
more time than we all would like, Mac OS X caches that
information for much faster access.
The Cache directory is located at the following location:
/var/db/TokenCache/tokens/com.apple.tokend.<cardtype>:<CARDTYPE>-<CardIdent>
<cardtype> Reference to the matching smart card Tokend
identifier i.e. cac, piv, ....
<CARDTYPE> Reference to the matching smart card spec
identifier i.e. CAC, PIV, ....
<CardIdent> The Smart Card's 20 character (alpha-numeric)
unique identifier
Format: XXXX-XXXX-XXXX-XXXX-XXXX
Sample complete path would look like:
/var/db/TokenCache/tokens/com.apple.tokend.cac:CAC-4090-0029-8400-0000-04D3/
Directories and contents stored inside the directory are as follows:
"Cache"
And files stored are copies of the certificates:
0-Email Encryption Certificate
0-Email Signing Certificate
0-Identity Certificate
"PrintName"
Text file containing the "Name" as it appears in the Keychain List.
This defaults to: <CARDTYPE>-<CardIdent> (like the dir above)
You can change this text if you would like and have sudo privs
"SSID"
This is an Index into CDSA (CSSM DL DB)
"Work"
This is a "working" directory :-)
2) Clearing the Cache directory
So if I were to issue the command:
sudo rm -r /var/db/TokenCache/tokens/com.apple.tokend.cac:CAC-4090-0029-8400-0000-04D3/
It would wipe out the cache related to that specific card, but it
will be automatically re-created when I re-insert the card.
Just pull the card prior to issuing the above command and then re-insert
the card afterwards.
Clearing the complete directory would not cause any harm:
sudo rm -rf /var/db/TokenCache/tokens/
The "tokens" directory will be re-created on next card insertion as
well. This would help you avoid having to use a wild-card style
deletion.
Removing the card directory(ies) means that if you made any manual
modification, say to the "PrintName", you would need to repeat
the modification. Some folks have changed the PrintName to
reflect personal naming conventions preferences -- i.e. "Shawn Test
CAC". Be very careful on length and characters used.
- Shawn
_____________________________________________________
Shawn Geddis - Security Consulting Engineer - Apple Enterprise
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
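The cache layout and the per-card vs. whole-directory clearing that Shawn describes, worked into a small POSIX shell script. This is an added example, not code from the list post or from Apple: it parses the com.apple.tokend.<cardtype>:<CARDTYPE>-<CardIdent> directory name, inventories each cached card's PrintName and certificate copies, and removes only the directory of one CardIdent. TOKEN_ROOT is an assumed override so the script can be exercised against a constructed directory tree instead of /var/db/TokenCache/tokens.

```shell
#!/bin/sh
# Added example (not from the post). TOKEN_ROOT is an assumed override; it
# defaults to the real token cache path described in the thread.
TOKEN_ROOT="${TOKEN_ROOT:-/var/db/TokenCache/tokens}"

# Parse com.apple.tokend.<cardtype>:<CARDTYPE>-<CardIdent> and print
# "cardtype CARDTYPE CardIdent". Returns 1 for names not in that form.
parse_token_dir() {
    name=$(basename "$1")
    case "$name" in
        com.apple.tokend.*:*-????-????-????-????-????) ;;
        *) return 1 ;;
    esac
    rest="${name#com.apple.tokend.}"   # cac:CAC-4090-0029-8400-0000-04D3
    cardtype="${rest%%:*}"             # cac  (Tokend identifier)
    rest="${rest#*:}"                  # CAC-4090-0029-8400-0000-04D3
    spec="${rest%%-*}"                 # CAC  (card spec identifier)
    ident="${rest#*-}"                 # 4090-0029-8400-0000-04D3
    printf '%s %s %s\n' "$cardtype" "$spec" "$ident"
}

# One line per cached card: parsed fields, the PrintName shown in the
# Keychain list, and how many certificate copies sit in its Cache dir.
list_token_cache() {
    for d in "$TOKEN_ROOT"/com.apple.tokend.*; do
        [ -d "$d" ] || continue
        fields=$(parse_token_dir "$d") || continue
        printname=$(cat "$d/PrintName" 2>/dev/null || echo '?')
        ncerts=$(ls "$d/Cache" 2>/dev/null | wc -l | tr -d ' ')
        printf '%s printname=%s certs=%s\n' "$fields" "$printname" "$ncerts"
    done
}

# Remove the cache of one card, selected by CardIdent, leaving every other
# card's directory alone (the per-card rm from the post, without a wildcard
# over the whole tokens directory). Pull the card first; Mac OS X rebuilds
# the directory on the next insertion. Returns 1 if nothing matched.
clear_card_cache() {
    ident="$1"
    removed=0
    for d in "$TOKEN_ROOT"/com.apple.tokend.*:*-"$ident"; do
        [ -d "$d" ] || continue
        rm -r "$d" && removed=$((removed + 1))
    done
    [ "$removed" -gt 0 ]
}
```

Run `list_token_cache` (as root against the real path) to see which cards have cached certificates before deciding whether a targeted `clear_card_cache <CardIdent>` or the full `rm -rf` from the post is appropriate.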