It would seem that your colleagues on the Fed-Talk list are not quite providing the correct information to allow you to quickly move forward here. My repeated statements apparently have not made it clear enough yet to the Fed-Talk list regarding Smart Cards on Mac OS X... I'll try again... :-)
I hope to help you quickly here and use this as an update for the growing Fed-Talk list membership.
All Smart Card Questions, Issues, Comments, ... http://smartcardservices.macosforge.org/
Tokend Releases
(1) CAC-NG (BETA v0.9) Snow Leopard (Mar 3, 2010)
OS Requirement: Mac OS X 10.6.0 - 10.6.x (Snow Leopard)
SHA-1 Hash: c9568c3f76e554b05a72d3ff9868aa62a945ee45
This build supports the Gemalto TOPDLGX4 144 cards, but does not yet support the Oberthur ID One 128 v5.5 Dual cards. Subsequent builds will provide the support needed for the Oberthur card. If you attempt to access this newer Oberthur card, it will be picked up by the original CAC.tokend and will show no certs/keys within Keychain Access, indicating a lack of support.
(2) **UPDATED** CAC-NG (BETA v0.96) Leo (Feb 2, 2010)
OS Requirement: Mac OS X 10.5.6 - 10.5.x (Leopard)
SHA-1 Hash: bfa96cccd380b54fbb81dada44897c5d0ff5fa39
The Smart Card Services Project Team is pleased to provide access to the *BETA* for CAC Next Generation (a.k.a. CAC-NG) Tokend support for Mac OS X 10.5 "Leopard". Support for Snow Leopard is forthcoming, but you can proceed to test with your Mac OS X 10.5.6+ machines with this installation.
Report any anomalies to the SmartCardServices Team via the ticket system:
These beta Tokends support the "GEMALTO TOPDL GX4 144", but do not yet support other newer cards such as "Oberthur ID One 128 v5.5" (128K CAC-NG based Cards). The support for these additional cards will continue to be added and available here prior to integration directly into future commercial releases of Mac OS X / Mac OS X Server 10.6.x.
Note that the Smart Cards appear as keychains within Keychain Access; this is the most common way to quickly ensure the card/reader are working as expected. When you insert your GEMALTO TOPDL GX4 144, the original CAC Tokend picks it up, as is noted by the first characters of the Keychain Name "CAC-......". As you noted, the Certificates / Keys were not displayed in the panel, which indicates the Card is not being recognized correctly. When you have a CAC-NG card (as you do) and it is properly picked up by the CAC-NG Tokend, the Keychain Name will appear as "CACNG-..." and all objects (Certs / Keys) will be properly displayed in the panel to the right.
On Mar 4, 2010, at 4:17 PM, Miller, Timothy J. wrote:
Known bug, reported, beta fix available for Leopard, no fix available for Snow Leopard yet.
Not a bug :-) , since the CAC-NG cards were never issued nor supported prior to 2009. The new CAC-NG cards contain two applets (CACv2 & PIVTrans) on a single card which also deviates from all prior cards as well as from the PIV cards used by the rest of the Federal Government.
To hopefully help clarify things more for folks, Mac OS X has much more extensive Smart Card integration without the need for applications to ever deal with Smart Cards directly (e.g. PKCS#11). However, this approach requires a Tokend for each variation in Card Type (i.e. the various applets such as CAC, CAC-NG, PIV, ...) to provide the lowest-level comms specific to that applet (e.g. APDUs - http://en.wikipedia.org/wiki/APDU).
Mac OS X 10.6.2 also provided PKINIT, which was the final piece in getting full SSO with your Smart Cards (transparently acquiring Kerberos tickets). Mac OS 10.6.3, when released, will include some additional certificate processing on top of the PKINIT support already in 10.6.2. This provides what some folks have been looking for directly from Mac OS X.
Smart Card specific Mailing Lists are located via the project @ MacOSForge
http://smartcardservices.macosforge.org/trac/wiki/MailLists
- Shawn
__________________________________________________
MacOSForge Project Lead: Smart Card Services
__________________________________________________
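Two checks from the announcement above lend themselves to a small script: verifying a downloaded beta Tokend installer against the published SHA-1 before installing it, and reading the keychain name Keychain Access shows for an inserted card to tell whether the legacy CAC Tokend or the CAC-NG Tokend claimed it. The following is an added example, not code from the Smart Card Services project or from anyone on this thread; the SHA-1 values are the ones listed in the announcement, while the function names, the "legacy"/"cacng" labels and the sample keychain names are assumptions made here for illustration.

```python
"""Added example (not part of the Fed-Talk thread or the Smart Card Services
project). Two defender-side checks for rolling out a beta Tokend:

1. Verify a downloaded Tokend installer against the SHA-1 published in the
   announcement before installing it.
2. Classify the keychain name Keychain Access shows for an inserted card, so a
   help desk can tell which Tokend picked the card up.
"""
import hashlib
import os
import sys
import tempfile

# SHA-1 values exactly as published in the announcement for the two beta builds.
PUBLISHED_SHA1 = {
    "CAC-NG BETA v0.9 (Snow Leopard)": "c9568c3f76e554b05a72d3ff9868aa62a945ee45",
    "CAC-NG BETA v0.96 (Leopard)": "bfa96cccd380b54fbb81dada44897c5d0ff5fa39",
}


def sha1_of_bytes(data: bytes) -> str:
    """Hex SHA-1 digest of an in-memory blob."""
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-1 digest of a file, read in chunks so a large .dmg/.pkg never
    has to fit in memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_published(digest: str, expected: str) -> bool:
    """Case-insensitive, whitespace-tolerant comparison of a computed digest
    with the published one (hashes are often pasted with mixed case)."""
    return digest.strip().lower() == expected.strip().lower()


def verify_download(path: str, label: str) -> bool:
    """True only if the file at `path` hashes to the published value for
    `label` (a key of PUBLISHED_SHA1)."""
    return matches_published(sha1_of_file(path), PUBLISHED_SHA1[label])


def classify_keychain(name: str) -> str:
    """Map the keychain name shown in Keychain Access to the Tokend that
    claimed the card, following the naming described in the thread:
      'CACNG-...' -> CAC-NG Tokend (certs/keys should be visible)
      'CAC-...'   -> legacy CAC Tokend (a CAC-NG card shows no certs/keys)
    The trailing '-' matters: testing for the bare prefix 'CAC' would match
    both names and hide exactly the distinction the thread explains."""
    if name.startswith("CACNG-"):
        return "cacng"
    if name.startswith("CAC-"):
        return "legacy"
    return "unknown"


def diagnose(keychain_name: str, visible_cert_count: int) -> str:
    """Turn the two observations a user can report (keychain name, number of
    certs shown in the panel) into the advice the thread gives."""
    tokend = classify_keychain(keychain_name)
    if tokend == "cacng" and visible_cert_count > 0:
        return "CAC-NG card recognised by CAC-NG Tokend; card/reader working"
    if tokend == "legacy" and visible_cert_count == 0:
        return ("card claimed by legacy CAC Tokend with no certs/keys shown: "
                "a CAC-NG card needs the CAC-NG Tokend beta installed")
    if tokend == "unknown":
        return "not a CAC keychain name; check the reader and Tokend install"
    return "unexpected combination; collect details for a ticket"


def selftest() -> str:
    """Write a constructed file and hash it through the same chunked path the
    installer check uses; returns the digest so it can be asserted on."""
    fd, path = tempfile.mkstemp(suffix=".constructed")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(b"abc")  # constructed content, SHA-1 is well known
        return sha1_of_file(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # Usage: python check_tokend.py <installer path> "<label from PUBLISHED_SHA1>"
    if len(sys.argv) == 3:
        ok = verify_download(sys.argv[1], sys.argv[2])
        print("hash matches published value" if ok else "HASH MISMATCH, do not install")
    print(diagnose("CAC-1234 5678 9012 3456 7890", 0))
    print(diagnose("CACNG-1234 5678 9012 3456 7890", 3))
```

Run it with the path of the downloaded installer and the label of the build you fetched; a mismatch means the file is not the one the project published (corrupted download or something else entirely) and should not be installed. The `diagnose` call mirrors the symptom in the original report: a "CAC-..." keychain with an empty certificate panel is the legacy Tokend claiming a card it does not understand.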
On Mar 4, 2010, at 4:17 PM, Miller, Timothy J. wrote:
Known bug, reported, beta fix available for Leopard, no fix available for Snow Leopard yet.
-- Tim
-----Original Message-----
From: fed-talk-bounces+tmiller=email@hidden [mailto:fed-talk-bounces+tmiller=email@hidden] On Behalf Of Adams, Walter CTR CNIC HQ, N61
Sent: Thursday, March 04, 2010 3:14 PM
To: email@hidden
Cc: Adams, Walter CTR CNIC HQ, N61
Subject: [Fed-Talk] New CAC card problems
Folks,
Has anyone had problems with the new GEMALTO CACs that are being issued?
We have a member of our team that renewed his CAC and got a new one (GEMALTO TOPDL GX4 144) that Keychain Access does not read.
Keychain Access can see that a CAC has been inserted, can recognize the 20 digit string (5 groups of 4) that identifies the CAC, but it can not see any of the certificates.
If you try to unlock it you are prompted for the PIN, but it is unable to unlock the CAC and prompts you again.
Note: We know that the CAC is "good" because we have tested it with an NMCI PC and with another PC running Active Client.
Note: Active Client on the second PC was unable to display the manufacturer and model info for this new card but was able to unlock and use the certs.
Thanks,
Walter
Walter Adams
D. Program Manager & Chief Architect PSNet
email@hidden
703-518-5527 (Office)