Re: Coolkey use problems on Fedora 14 (no token available), please help.

On 02/07/2011 02:33 PM, guy zelck wrote:
On my systems where it doesn't work (Opensuse 11.3 and Fedora 14) I see a
frantically flickering LED on the key. What is it communicating when normally it
should come ask for the PIN? On the Fedora 14 system I kept the stock packages,

Here is what I did, a long time back, to get it working in Fedora:

Setting up CAC card usage on Fedora (32 & 64 bit)

Generic <smartcard> RedHat guide : http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.4/html/Deployment_Guide/sso-sc-config.html
AKO CAC Setup guide <Windows> : https%3A%2F%2Fwww.us.army.mil%2Fsuite%2Ffolder%2F10619395&id=6032445&links=CAC,SETUP&q=%2528%2522CAC%2Bsetup%2522%2529%26SecurityInfo%3DNzZ82harp82RIdTGzjrAUwrQKOLFpi1Ok7YzDnnaZroLCgpzHxrr%2FeQlHsdUEWnfF9hzmXsj%2FJUGMReyAF%2F0YfnoyaTvib5NQOXHclTMIg%3D%3D


<This might be unnecessary; all of these packages came pre-installed on my Fedora. yum install will update these pkgs if already installed, so it can't hurt>

su
# For 64 bit
yum install nss-tools.x86_64 pam_pkcs11.x86_64 coolkey.x86_64 ifd-egate.x86_64 authconfig.x86_64 authconfig-gtk.x86_64  esc.x86_64 ccid.x86_64 gdm.x86_64 fprintd-pam.x86_64 pcsc-lite.x86_64 pcsc-tools.x86_64 pcsc-lite-libs.x86_64


# OR For 32 bit
yum install nss-tools.i586 pam_pkcs11.i586 coolkey.i586 ifd-egate.i586 authconfig.i586 authconfig-gtk.i586  esc.i586 ccid.i586 gdm.i586 fprintd-pam.i586 pcsc-lite.i586 pcsc-tools.i586

# restart the pcscd daemon:
sudo /etc/init.d/pcscd restart

# List the USB devices
lsusb
<snip> 
Bus 002 Device 003: ID 04e6:5116 SCM Microsystems, Inc. SCR331-LC1 SmartCard Reader
<snip>


# Start the openct daemon
/etc/init.d/openct start

# look for card readers 
openct-tool list

# Dump the contents of the card 
openct-tool -r 1 atr

[root@476114-mitll abentley]# openct-tool -r 1 atr
Detected CCID Compatible
Card not present    <THIS IS BAD - Card needs to be initialized>
failed to reset card



Download DoD Root Certs : 
browse to:  https://crl.gds.disa.mil/
Click on DOD CA-24, hit the "submit" button
right click on the "Download" link, save as, and save it somewhere on your local computer, e.g. /home/your_user_name/DoDCACerts

Do the same for DODCA_13.cer through DODCA_24.cer <some CAs have been retired, so some CA certs might not be available; that's OK>

Read :  http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html

Do this to see if a cert Database exists on your machine already
certutil -L -d /etc/pki/nssdb   <Should get created when nss gets installed>

sudo certutil -A -d /etc/pki/nssdb -n "dod root ca2 cert" -t "CT,C,C" -i ./DoDRootCA2.cer
sudo certutil -A -d /etc/pki/nssdb -n "dod ca11 cert" -c "dod root ca2 cert" -t "CT,C,C" -i ./DODCA_11.cer
sudo certutil -A -d /etc/pki/nssdb -n "dod ca12 cert" -c "dod root ca2 cert" -t "CT,C,C" -i ./DODCA_12.cer
sudo certutil -A -d /etc/pki/nssdb -n "dod ca13 cert" -c "dod root ca2 cert" -t "CT,C,C" -i ./DODCA_13.cer
sudo certutil -A -d /etc/pki/nssdb -n "dod ca14 cert" -c "dod root ca2 cert" -t "CT,C,C" -i ./DODCA_14.cer
sudo certutil -A -d /etc/pki/nssdb -n "dod ca15 cert" -c "dod root ca2 cert" -t "CT,C,C" -i ./DODCA_15.cer
sudo certutil -A -d /etc/pki/nssdb -n "dod ca16 cert" -c "dod root ca2 cert" -t "CT,C,C" -i ./DODCA_16.cer
sudo certutil -A -d /etc/pki/nssdb -n "dod ca17 cert" -c "dod root ca2 cert" -t "CT,C,C" -i ./DODCA_17.cer
sudo certutil -A -d /etc/pki/nssdb -n "dod ca18 cert" -c "dod root ca2 cert" -t "CT,C,C" -i ./DODCA_18.cer
sudo certutil -A -d /etc/pki/nssdb -n "dod ca19 cert" -c "dod root ca2 cert" -t "CT,C,C" -i ./DODCA_19.cer
sudo certutil -A -d /etc/pki/nssdb -n "dod ca20 cert" -c "dod root ca2 cert" -t "CT,C,C" -i ./DODCA_20.cer
sudo certutil -A -d /etc/pki/nssdb -n "dod ca21 cert" -c "dod root ca2 cert" -t "CT,C,C" -i ./DODCA_21.cer
sudo certutil -A -d /etc/pki/nssdb -n "dod ca22 cert" -c "dod root ca2 cert" -t "CT,C,C" -i ./DODCA_22.cer
sudo certutil -A -d /etc/pki/nssdb -n "dod ca23 cert" -c "dod root ca2 cert" -t "CT,C,C" -i ./DODCA_23.cer
sudo certutil -A -d /etc/pki/nssdb -n "dod ca24 cert" -c "dod root ca2 cert" -t "CT,C,C" -i ./DODCA_24.cer


#Enable Smart Card Login Support

   1. On the Gnome Title Bar, select System->Administration->Authentication.
   2. Type your machine's root password if necessary.
   3. In the Authentication Configuration dialog, click the Authentication tab.
   4. Select the Enable Smart Card Support check box.
   5. Click the Configure Smart Card... button to display the Smartcard Settings dialog, and specify the required settings:
          * Require smart card for login: Clear this check box. After you have successfully logged in with the smart card you can select this option to prevent users from logging in without a smart card.
          * Card Removal Action: This controls what happens when you remove the smart card after you have logged in. The available options are:
                o Lock: Removing the smart card locks the X screen. <Advisable, but be careful....>
                o Ignore: Removing the smart card has no effect. 



#  If you need to enable the Online Certificate Status Protocol (OCSP), open the /etc/pam_pkcs11/pam_pkcs11.conf file, and locate the following line:
enable_ocsp = false;
Change this value to true, as follows:
enable_ocsp = true;

# Plug your reader into your computer & plug your card into the reader
pcsc_scan

#should list your card reader 
PC/SC device scanner
V 1.4.15 (c) 2001-2009, Ludovic Rousseau <ludovic.rousseau@xxxxxxx>
Compiled with PC/SC lite version: 1.5.2
Scanning present readers...
0: SCM SCR 3310 00 00

Tue Mar 23 09:47:17 2010
 Reader 0: SCM SCR 3310 00 00
  Card state: Card inserted, 
  ATR: HEX Numbers..................

ATR: HEX Numbers..................
+ TS = 3B --> Direct Convention
+ T0 = 7D, Y(1): 0111, K: 13 (historical bytes)
  TA(1) = 96 --> Fi=512, Di=32, 16 cycles/ETU
    250000 bits/s at 4 MHz, fMax for Fi = 5 MHz => 312500 bits/s
  TB(1) = 00 --> VPP is not electrically connected
  TC(1) = 00 --> Extra guard time: 0
+ Historical bytes: HEX Numbers..................
  Category indicator byte: 80 (compact TLV data object)
    Tag: 3, len: 1 (card service data byte)
      Card service data byte: 80
        - Application selection: by full DF name
        - EF.DIR and EF.ATR access services: by GET RECORD(s) command
        - Card with MF
    Tag: 6, len: 5 (pre-issuing data)
      Data: B0 83 11 17 D6
    Tag: 8, len: 3 (status indicator)
      LCS (life card cycle): 00 (No information given)
      SW: 9000 (Normal processing.)


#Determine what device your USB CAC is on
sudo dmesg > ~/dmesg.txt
vi ~/dmesg.txt
/ 


# Mount the USB reader
sudo mkdir /mnt/cac
sudo mount -t usbfs /dev/sr0 /mnt/cac

#Write the following line into /etc/fstab to make it permanent
usbfs /mnt/cac usbfs auto 0 0


#Bring up the CAC manager App - to open the CAC
system_menu->Applications->System Tools->Smart Card Manager
enroll



# Enable Thunderbird to use the CAC Card  
#Add CAC Module to Thunderbird as a Security Device
   0. sudo /opt/dev_tools/thunderbird/thunderbird
   1. Preferences Menu
   2. Advanced Section
   3. Encryption Tab
   4. Security Devices Button
   5. Load Button
   6. Enter CAC Module as the module name, and browse to /usr/lib64/pkcs11/libcoolkeypk11.so for the module filename. 
      <or /usr/lib/pkcs11/libcoolkeypk11.so for 32 bit>



# Enable Firefox to use the CAC Card  https://help.ubuntu.com/community/CommonAccessCard
#Add CAC Module to Firefox as a Security Device
   0. sudo /opt/dev_tools/firefox_3_5_6/firefox 
   1. Preferences Menu
   2. Advanced Section
   3. Encryption Tab
   4. Security Devices Button
   5. Load Button
   6. Enter CAC Module as the module name, and browse to /usr/lib/pkcs11/libcoolkeypk11.so for the module filename. 
      seems to only work with 32 bit libcoolkey

OR go here https://software.forge.mil/sf/projects/community_cac

# Enroll your smart card
# If you are using a CAC card, you also need to perform the following steps:

   1. Change to the root account and create a file called /etc/pam_pkcs11/cn_map.
   2. Add the following entry to the cn_map file:
      MY.CAC_CN.123454 -> myloginid
      where MY.CAC_CN.123454 is the Common Name on your CAC and myloginid is your UNIX login ID. 

# Logout 
sudo umount /mnt/cac
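As an added example (not part of the original post or of the Coolkey project), here is a Python decoder for the Answer To Reset that pcsc_scan prints in the session above. The post elided the raw hex, so SAMPLE_ATR is constructed from the decoded fields shown (TS=3B, T0=7D, TA1=96, TB1=00, TC1=00, a category-80 compact-TLV historical block); the parser reproduces the same Fi/Di, cycles per ETU, bit rates and compact-TLV values, and rejects an ATR whose length does not match its own structure.

```python
# Fi and fmax (MHz) indexed by the high nibble of TA1, Di by the low nibble (ISO 7816-3 tables).
FI = [372, 372, 558, 744, 1116, 1488, 1860, None, None, 512, 768, 1024, 1536, 2048, None, None]
FMAX = [4, 5, 6, 8, 12, 16, 20, None, None, 5, 7.5, 10, 15, 20, None, None]
DI = [None, 1, 2, 4, 8, 16, 32, 64, 12, 20, None, None, None, None, None, None]
# Constructed sample (not the post's raw ATR): TS=3B, T0=7D, TA1=96, TB1=00, TC1=00, then the
# 13 historical bytes pcsc_scan decoded above (category 80; compact TLV tags 3, 6 and 8).
SAMPLE_ATR = bytes.fromhex("3B 7D 96 00 00 80 31 80 65 B0 83 11 17 D6 83 00 90 00")


def parse_historical(hist: bytes) -> dict:
    """Split category-0x80 historical bytes into compact-TLV objects (tag = high nibble, len = low)."""
    if not hist or hist[0] != 0x80:
        raise ValueError("only the compact-TLV category (0x80) is handled here")
    objs, pos = {}, 1
    while pos < len(hist):
        tag, length = hist[pos] >> 4, hist[pos] & 0x0F
        objs[tag] = hist[pos + 1:pos + 1 + length]
        pos += 1 + length
    status = objs.get(8, b"")  # tag 8: life cycle status byte, then SW1 SW2
    return {"service_data": objs.get(3, b"").hex(), "pre_issuing": objs.get(6, b"").hex(),
            "lcs": status[:1].hex(), "sw": status[1:3].hex()}


def parse_atr(atr: bytes) -> dict:
    """Walk TS, T0, every interface-byte group and the historical bytes; reject inconsistent lengths."""
    if atr[0] not in (0x3B, 0x3F):
        raise ValueError("bad TS byte %02X" % atr[0])
    out = {"convention": "direct" if atr[0] == 0x3B else "inverse", "protocols": set()}
    y, k, pos, group = atr[1] >> 4, atr[1] & 0x0F, 2, 1
    while y:  # Y(i) bits 1..4 announce TA(i), TB(i), TC(i), TD(i)
        if y & 1:
            ta, pos = atr[pos], pos + 1
            if group == 1:  # TA1 carries the clock rate (Fi) and baud rate (Di) factors
                fi, di = FI[ta >> 4], DI[ta & 0x0F]
                if fi is None or di is None:
                    raise ValueError("TA1 %02X uses RFU Fi/Di codes" % ta)
                out.update(fi=fi, di=di, cycles_per_etu=fi // di,
                           bps_at_4mhz=4_000_000 * di // fi, fmax_mhz=FMAX[ta >> 4])
        if y & 2:  # TB1: programming voltage, 00 = VPP not connected (setdefault keeps TB1 only)
            out.setdefault("vpp_connected", atr[pos] != 0); pos += 1
        if y & 4:  # TC1: extra guard time
            out.setdefault("extra_guard_time", atr[pos]); pos += 1
        td = atr[pos] if y & 8 else 0  # TD(i): protocol in the low nibble, Y(i+1) in the high nibble
        if y & 8:
            out["protocols"].add(td & 0x0F); pos += 1
        y, group = td >> 4, group + 1
    out["protocols"] = out["protocols"] or {0}  # no TD1 at all means T=0 only
    expected = pos + k + (0 if out["protocols"] == {0} else 1)  # TCK only when a T!=0 is offered
    if len(atr) != expected:
        raise ValueError("ATR has %d bytes but its structure implies %d" % (len(atr), expected))
    out["historical"] = parse_historical(atr[pos:pos + k])
    return out
```

Running parse_atr(SAMPLE_ATR) gives Fi=512, Di=32, 16 cycles/ETU and 250000 bit/s at 4 MHz, matching the pcsc_scan decode line for line.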







_______________________________________________
Coolkey-devel mailing list
Coolkey-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/coolkey-devel
