On Nov 30, 2009, at 9:39 PM, Rocky Favorito wrote:
I got my new CAC a few weeks ago and noticed the Air Force is now putting our “Email for Life” (email@hidden) address on our Certs vs. our Base Specific Email Address (email@hidden). As a result, I could not sign or encrypt emails via OWA (mac or windows).
I went to a DoD site to change my email back to “email@hidden” on my CAC Certs, which fixed my problem on Windows OWA. However, I noticed that my CAC Keychain RFC-822 field still displays “email@hidden” in the Mac OS, even though it shows a value of “email@hidden” on my Windows client. (note: I even recreated all of my ID preferences and still no love). Why the mismatch?
IMPACT: I can no longer access OWA on my Mac via Safari.
Appreciate any insights.
Rocky
Rocky et al.,
As a reminder, all Smart Card related questions, assistance and guidance have moved to the SmartCardServices project at Mac OS Forge [1].
The answer in short is that, since you got the certs replaced on the same card, you need to remove the cached directory corresponding to your Smart Card.
> However, I noticed that my CAC Keychain RFC-822 field still displays “email@hidden” in the Mac OS, even though it shows a value of “email@hidden” on my Windows client. (note: I even recreated all of my ID preferences and still no love). Why the mismatch?
You will need to perform the step noted in "2) Clearing the Cache directory" at the end of this message.
- Shawn
P.S. Intentionally not signing this message so that DIGEST recipients can read this message.
_____________________________________________________
Shawn Geddis - Security Consulting Engineer - Apple Enterprise
______________
The first time a Smart Card is _seen_ in Mac OS X, we perform the following:
1) Create and maintain a Cache directory

This directory is solely for the purpose of expediting the processing of information from a Smart Card. Since accessing / retrieving the certificates from the card via the slow card interface can take more time than we all would like, Mac OS X caches that information for much faster access.

The Cache directory is located at the following location:

    /var/db/TokenCache/tokens/com.apple.tokend.<cardtype>:<CARDTYPE>-<CardIdent>

    <cardtype>   Reference to the matching smart card Tokend identifier, i.e. cac, piv, ...
    <CARDTYPE>   Reference to the matching smart card spec identifier, i.e. CAC, PIV, ...
    <CardIdent>  The Smart Card's 20 character (alpha-numeric) unique identifier
                 Format: XXXX-XXXX-XXXX-XXXX-XXXX

Sample complete path would look like:

    /var/db/TokenCache/tokens/com.apple.tokend.cac:CAC-4090-0029-8400-0000-04D3/
Directories and contents stored inside the directory are as follows:

    "Cache"      Files stored are copies of the certificates:
                   0-Email Encryption Certificate
                   0-Email Signing Certificate
                   0-Identity Certificate
    "PrintName"  Text file containing the "Name" as it appears in the Keychain List.
                 This defaults to: <CARDTYPE>-<CardIdent> (like the dir above)
                 You can change this text if you would like and have sudo privs
    "SSID"       This is an Index into CDSA (CSSM DL DB)
    "Work"       This is a "working" directory :-)
2) Clearing the Cache directory

So if I were to issue the command:

    sudo rm -r /var/db/TokenCache/tokens/com.apple.tokend.cac:CAC-4090-0029-8400-0000-04D3/
It would wipe out the cache related to that specific card, but it will be automatically re-created when I re-insert the card. Just pull the card prior to issuing the above command and then re-insert the card afterwards.
Clearing the complete directory would not cause any harm:

    sudo rm -rf /var/db/TokenCache/tokens/
The "tokens" directory will be re-created on next card insertion as well. This would help you avoid having to use a wild-card style deletion.
By removing the card directory(ies), it would mean that if you did any manual modification to say the "PrintName" that you would need to just repeat the modification. Some folks have changed the PrintName to reflect personal naming conventions preferences -- i.e. "Shawn Test CAC". Be very careful on length and characters used.
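The following is an added example, not part of Shawn's message or of the SmartCardServices project, that turns the cache layout described in section 1) and the clearing procedure in section 2) into a small POSIX sh script. It parses each cached card's directory name into its Tokend identifier, card type and CardIdent (validating the XXXX-XXXX-XXXX-XXXX-XXXX form), lists the cached cards with their PrintName, and removes the cache for one CardIdent only, rather than the whole tokens directory. The default root path and the directory naming scheme are taken from the message above; the function names, the TOKEN_ROOT override and the "all tokends for one ident" matching are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original message): inspect and clear the
# per-card Smart Card cache directories under /var/db/TokenCache/tokens.
# TOKEN_ROOT defaults to the path given in the message; override it
# (e.g. to a temp dir) to exercise the functions without touching /var.
TOKEN_ROOT="${TOKEN_ROOT:-/var/db/TokenCache/tokens}"

# Validate a <CardIdent>: five groups of four alphanumerics joined by "-"
# (20 alphanumeric characters in total, as described in the message).
valid_ident() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9]{4}(-[A-Za-z0-9]{4}){4}$'
}

# Split a cache directory name such as
#   com.apple.tokend.cac:CAC-4090-0029-8400-0000-04D3
# into "tokend cardtype ident" on stdout; return 1 if it is malformed.
parse_token_dir() {
    name=$(basename "$1")
    tokend=${name%%:*}       # com.apple.tokend.cac
    rest=${name#*:}          # CAC-4090-0029-8400-0000-04D3
    cardtype=${rest%%-*}     # CAC
    ident=${rest#*-}         # 4090-0029-8400-0000-04D3
    case "$tokend" in com.apple.tokend.*) ;; *) return 1 ;; esac
    valid_ident "$ident" || return 1
    printf '%s %s %s\n' "$tokend" "$cardtype" "$ident"
}

# List cached cards, one per line: "<CARDTYPE> <CardIdent> <PrintName>".
# PrintName is read from the text file of that name inside the directory.
list_tokens() {
    for d in "$TOKEN_ROOT"/com.apple.tokend.*; do
        [ -d "$d" ] || continue
        parsed=$(parse_token_dir "$d") || continue
        set -- $parsed
        pn=""
        [ -f "$d/PrintName" ] && pn=$(cat "$d/PrintName")
        printf '%s %s %s\n' "$2" "$3" "$pn"
    done
}

# Remove the cache directory (for every tokend) belonging to one CardIdent,
# so it is rebuilt on the next insertion of that card. Returns 0 if at least
# one directory was removed, 1 if nothing matched, 2 for a malformed ident.
clear_token() {
    ident=$1
    valid_ident "$ident" || { echo "bad CardIdent: $ident" >&2; return 2; }
    found=1
    for d in "$TOKEN_ROOT"/com.apple.tokend.*:*-"$ident"; do
        [ -d "$d" ] || continue
        rm -r "$d" && found=0
    done
    return $found
}
```

On a real system run it as root (the directories are owned by root, hence the sudo in the message), pull the card before calling clear_token, and re-insert it afterwards; any PrintName you had customised will need to be set again, exactly as the message notes.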