Can anyone help with getting the new DoD CACs (Smart Card) to work in CentOS 6.6? I don't use it for console logins, only for email and .mil web sites.
I recently had to get a new DoD CAC (Smart Card) when one of the buildings I work in upgraded their security system. My old CAC was working fine prior to this for signing and encrypting email and for authenticating to various DoD (.mil) sites from the Internet using the coolkey libraries.
After getting my new CAC I am no longer able to authenticate to any DoD sites. I can still sign and encrypt email in Thunderbird via the coolkey libraries but .mil sites either simply display blank pages or raise various errors in firefox. I am prompted for my PIN, which is successfully accepted but I'm not even prompted for which cert to use, like I used to be.
I've tried installing and loading the latest "cackey" libraries (see below) but when I insert my CAC and attempt to login to the module in the Mozilla device manager it completely freezes firefox. Recovery requires killing firefox. If I remove the latest and install the next previous cackey library it works the same as coolkey - doesn't freeze up firefox but never connects to .mil sites.
I tried building the cackey RPMs from the source RPMs too but the result is the same.
Latest 64-bit cackey: cackey-0.6.8-3522.x86_64.rpm
Next previous cackey: cackey-0.6.5-2444.x86_64.rpm
I'm pretty sure it has something to do with the newer PIV CAC internal layout. I went through a similar transition when the GEMAL 144 cards came out but the cackey libraries did at least work and coolkey eventually caught up.
One thing is for sure... the cackey RPM from forge.mil is not a drop-in replacement for coolkey. The cackey RPM only installs the libraries themselves, nothing else. It doesn't even register them in the NSS db; I had to do that manually with modutil. I must be missing something...
Without direct access to forge.mil it's difficult to troubleshoot cackey. For some silly reason they still require CAC authentication to get the CAC software and drivers and access the forums, etc.
More relevant information below...
I'd be grateful for any ideas or advice on this. I desperately need to retrieve vulnerability reports, patches, and other DoD resources. Thanks!
Cal Webster
Smart Card Reader: SCM Microsystems Inc. SCR3310 USB Smart Card Reader (21120628202509) 00 00-0
Old CAC: GEMAL TO TOPDL GX4 144
New CAC: G&D FIPS 201 SCE 3.2
[root@inet3 ~]# cat /etc/redhat-release
CentOS release 6.6 (Final)
[root@inet3 ~]# uname -a
Linux inet3 2.6.32-504.1.3.el6.x86_64 #1 SMP Tue Nov 11 17:57:25 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
[root@inet3 ~]#
Installed Packages
coolkey.i686                      1.1.0-32.el6          @base
coolkey.x86_64                    1.1.0-32.el6          @base
firefox.i686                      31.2.0-3.el6.centos   @updates
firefox.x86_64                    31.2.0-3.el6.centos   @updates
thunderbird.x86_64                31.2.0-3.el6.centos   @updates
pcsc-lite.x86_64                  1.5.2-14.el6          @base
pcsc-lite-devel.x86_64            1.5.2-14.el6          @base
pcsc-lite-libs.x86_64             1.5.2-14.el6          @base
nss.i686                          3.16.1-14.el6         @base
nss.x86_64                        3.16.1-14.el6         @base
nss-devel.x86_64                  3.16.1-14.el6         @base
nss-softokn.i686                  3.14.3-18.el6_6       @updates
nss-softokn.x86_64                3.14.3-18.el6_6       @updates
nss-softokn-devel.x86_64          3.14.3-18.el6_6       @updates
nss-softokn-freebl.i686           3.14.3-18.el6_6       @updates
nss-softokn-freebl.x86_64         3.14.3-18.el6_6       @updates
nss-softokn-freebl-devel.x86_64   3.14.3-18.el6_6       @updates
nss-sysinit.x86_64                3.16.1-14.el6         @base
nss-tools.x86_64                  3.16.1-14.el6         @base
nss-util.i686                     3.16.1-3.el6          @base
nss-util.x86_64                   3.16.1-3.el6          @base
nss-util-devel.x86_64             3.16.1-3.el6          @base
[root@inet3 ~]# modutil -list -dbdir /etc/pki/nssdb
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. CoolKey PKCS #11 Module
        library name: libcoolkeypk11.so
         slots: 1 slot attached
        status: loaded

         slot: SCM Microsystems Inc. SCR3310 USB Smart Card Reader (21120628202
        token: WEBSTER.CALVIN.DALE.9427154028

  3. cackey
        library name: libcackey.so
         slots: 2 slots attached
        status: loaded

         slot: CACKey Slot
        token: WEBSTER.CALVIN.DALE.9427154028

         slot: CACKey Slot
        token: DoD Certificates
-----------------------------------------------------------
[root@inet3 ~]#
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Cal Webster
Sent: Wednesday, December 03, 2014 17:35
To: CentOS List
Subject: [CentOS] Firefox fails to authenticate .mil sites with New DoD CAC
After getting my new CAC I am no longer able to authenticate to any DoD sites. I can still sign and encrypt email in Thunderbird via the coolkey libraries but .mil sites either simply display blank pages or raise various errors in firefox. I am prompted for my PIN, which is successfully accepted but I'm not even prompted for which cert to use, like I used to be.
Does your system trust CA32?
I see:

Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD EMAIL CA-32
Validity
    Not Before: Nov 24 00:00:00 2014 GMT
    Not After : Jan 30 23:59:59 2015 GMT
Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, OU=CONTRACTOR, CN=WEBSTER.CALVIN.DALE.1011559383
Without direct access to forge.mil it's difficult to troubleshoot cackey. For some silly reason they still require CAC authentication to get the CAC software and drivers and access the forums, etc.
Ha. Have you contacted the DOD PKE team for support on that?
DISA Tinker AFB OPS List PKE_Support
dgisa.tinker.ops.list.pkesupport@mail.mil
I have a G&D FIPS 201 SCE 3.2 test CAC from JITC I can attach to a VM for debugging.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
- Jason Pyeron                 PD Inc. http://www.pdinc.us      -
- Principal Consultant         10 West 24th Street #100         -
- +1 (443) 269-1555 x333       Baltimore, Maryland 21218        -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.
On Wed, 2014-12-03 at 18:20 -0500, Jason Pyeron wrote:
Does your system trust CA32?
I see:

Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD EMAIL CA-32
Validity
    Not Before: Nov 24 00:00:00 2014 GMT
    Not After : Jan 30 23:59:59 2015 GMT
Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, OU=CONTRACTOR, CN=WEBSTER.CALVIN.DALE.1011559383
That's a very good point, Jason. I could not locate that CA in the certs being stored for Firefox. It is, however, listed in the CA store in Thunderbird, which I've had no trouble using with coolkey libs. The trust settings there are all un-checked, though.
I had also installed the latest dod_configuration-1.3.7.xpi extension, which automatically downloads the latest DoD certs on installation. I assumed it was a complete set. After reading your message I went ahead and clicked the [Update DoD Certs...] button in the add-on preferences too. Still not listed. Apparently this cert is missed during this process.
I went ahead and exported the cert from Thunderbird, then imported it into firefox. Now I'm up and running again.
It's often the simple things we overlook, which is why it's nice to have a community to bounce things off of.
Thanks for the help Jason.
Ha. Have you contacted the DOD PKE team for support on that? DISA Tinker AFB OPS List PKE_Support dgisa.tinker.ops.list.pkesupport@mail.mil
No, but thank you for the contact info. Even though I've got my issue resolved, I'd be happy to help iron out the cackey package issues if someone wants.
I have a G&D FIPS 201 SCE 3.2 test CAC from JITC I can attach to a VM for debugging.
Thanks but that won't be necessary now unless someone else needs the help.
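The check behind Jason's question and Cal's fix, written out as an added example (this is not code from the thread, from cackey or from the DoD PKE team). The symptom in the thread, PIN accepted but no certificate prompt, is what you get when NSS cannot walk from the card certificate's Issuer up to a self-signed root using the CA certificates in the profile's database: a certificate with no complete chain is never offered to the server. The script below parses certificates in the text form printed by `openssl x509 -noout -text` (the format Jason quoted) and walks that chain. In practice you would feed it the card certificate and the output of `certutil -d sql:<profile dir> -L -n "<nickname>" -a | openssl x509 -noout -text` for each CA in the store. Everything in the sample data is constructed: the leaf's issuer DN mirrors the thread, but the root CA entry, the dates, the subject CN and the certutil-style trust flags are assumptions, and matching chain links on exact DN strings is a simplification of RFC 5280 name matching.

```python
"""Chain-building check for a CAC client certificate against the CA
certificates held in an NSS profile database.

Added example, not code from the thread. Reads certificates in the text
form printed by `openssl x509 -noout -text`. All sample certificates
below are constructed: the leaf's issuer DN mirrors the thread, while the
root entry, dates, subject CN and trust flags are assumptions.
"""
import re
from datetime import datetime, timezone

DATE_FMT = "%b %d %H:%M:%S %Y GMT"


def parse_x509_text(text):
    """Extract Subject, Issuer and validity window from `openssl x509 -text` output."""
    def field(label):
        # Anchored at line start, so "Subject:" cannot match "Subject Public Key Info:".
        m = re.search(r"^\s*" + re.escape(label) + r"\s*:\s*(.+?)\s*$", text, re.M)
        if not m:
            raise ValueError("missing field: " + label)
        return m.group(1)

    def when(s):
        # openssl pads single-digit days with a space ("Jan  5"); collapse it first.
        return datetime.strptime(" ".join(s.split()), DATE_FMT).replace(tzinfo=timezone.utc)

    return {"subject": field("Subject"), "issuer": field("Issuer"),
            "not_before": when(field("Not Before")), "not_after": when(field("Not After"))}


def common_name(dn):
    m = re.search(r"CN=([^,]+)", dn)
    return m.group(1) if m else dn


def diagnose(leaf_text, store, now):
    """Return (status, detail) for a leaf against a CA store.

    `store` is a list of (cert_text, trust_flags); trust_flags is the certutil -L
    column "SSL,S/MIME,JAR/XPI", e.g. "CT,C,C" for a trusted root or ",," for none.
    Chain links are matched on exact DN strings (a simplification of RFC 5280).
    """
    leaf = parse_x509_text(leaf_text)
    parsed = [(parse_x509_text(t), f) for t, f in store]
    by_subject = {c["subject"]: (c, f) for c, f in parsed}

    chain, cur, seen = [leaf], leaf, set()
    while cur["subject"] != cur["issuer"]:
        if cur["issuer"] in seen:
            return "loop", common_name(cur["issuer"])
        seen.add(cur["subject"])
        if cur["issuer"] not in by_subject:
            # The failure mode in the thread: the intermediate CA is absent, NSS
            # cannot complete the chain, the certificate is never offered to the
            # server, and the browser therefore shows no certificate prompt.
            return "missing-issuer", common_name(cur["issuer"])
        cur = by_subject[cur["issuer"]][0]
        chain.append(cur)

    for cert in chain:
        if not cert["not_before"] <= now <= cert["not_after"]:
            return "not-valid-now", common_name(cert["subject"])

    # Only the self-signed root needs a trust bit ("C" in the SSL column);
    # an intermediate can sit in the store with ",," and still complete the chain.
    root_flags = by_subject.get(cur["subject"], (None, ",,"))[1]
    if "C" not in root_flags.split(",")[0]:
        return "untrusted-root", common_name(cur["subject"])
    return "ok", [common_name(c["subject"]) for c in chain]


# Constructed sample certificates (not real DoD certificate data).
LEAF = """\
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD EMAIL CA-32
        Validity
            Not Before: Nov 24 00:00:00 2014 GMT
            Not After : Jan 30 23:59:59 2015 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, OU=CONTRACTOR, CN=SAMPLE.USER.0000000000
"""
CA32 = """\
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD Root CA 2
        Validity
            Not Before: Jan  1 00:00:00 2014 GMT
            Not After : Dec 31 23:59:59 2020 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD EMAIL CA-32
"""
ROOT = """\
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD Root CA 2
        Validity
            Not Before: Jan  1 00:00:00 2004 GMT
            Not After : Dec 31 23:59:59 2029 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD Root CA 2
"""
STORE_WITHOUT_CA32 = [(ROOT, "CT,C,C")]               # root only: the broken Firefox profile
STORE_WITH_CA32 = [(ROOT, "CT,C,C"), (CA32, ",,")]   # root plus untrusted intermediate: works
NOW = datetime(2014, 12, 4, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2015, 2, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(diagnose(LEAF, STORE_WITHOUT_CA32, NOW))
    print(diagnose(LEAF, STORE_WITH_CA32, NOW))
```

The second store reproduces what Cal saw in Thunderbird: the intermediate is present with every trust box unchecked and the chain still completes, because trust is only evaluated at the root. The first store reproduces the Firefox profile before the import, and the result names the CA that has to be added.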
I thought DoD used RHEL and not CentOS, or did CentOS get approved in DADEMS recently?
-----Original Message-----
From: Jason Ricles
Sent: Thursday, December 04, 2014 11:23
To: CentOS mailing list
Subject: Re: [CentOS] Firefox fails to authenticate .mil sites with New DoDCAC
I thought DoD used RHEL and not Centos, or did Centos did approved DADEMS recently?
DADMS is a Navy system, but yes, CentOS is approved for use by DISA. You would STIG it just like RHEL.
-Jason
Gotcha, I also work with DoD for Navy systems and was surprised by that. So you mean if we don't want to pay RHEL licensing fees, we can use CentOS? We are paying about $100 per RHEL license.
On Thu, 2014-12-04 at 11:41 -0500, Jason Ricles wrote:
Gotcha, I also work with DoD for Navy systems and was surprised by that. So you mean if we don't want to pay RHEL licensing fees, we can use Centos? Since we are paying about $100 per RHEL license.
I would recommend RHEL for critical systems or those that must be certified for a particular purpose, such as CA servers. We've been using CentOS for years now on our internal networks for software development, local site mail service (SMTP/POP/IMAP), file services (FTP/NFS/SMB/CIFS), DNS, local web servers, etc. It works very well for this, especially for software development where multiple people can get a GUI login through Stunnel->VNC->GDM and/or shell through ssh.
We're also using CentOS for software maintenance of RHEL hosts on our aircraft simulators. Many of our software developers prefer a CentOS workstation because of its versatility. On those we install MS Windoze as a KVM guest for those applications that require it. My internal workstation is set up this way for network/systems admin and analysis, software development, as well as normal office tasks.
That is true; we are using ours for critical things. I guess RHEL will be the way to go until CentOS is maybe approved for critical systems as well.
On Thu, 2014-12-04 at 13:09 -0500, Jason Ricles wrote:
That is true, which we are using ours for critical things. Guess RHEL will be the way to go till Centos is maybe approved for critical systems as well.
That's really up to the program manager for the program in which the machine would be used. He would make a determination whether it's supportable and maintainable, based on in-house expertise and/or outside contract support. RHEL subscriptions give you instant support and patches if necessary. Otherwise, unless another RHEL subscriber has the same issue, you'd have to wait for the community to fix something, then get it integrated into RHEL before filtering down to CentOS. If this is acceptable then CentOS is an option.
-----Original Message-----
From: Cal Webster
Sent: Thursday, December 04, 2014 13:31
That's really up to the program manager in which the machine would be used.

More correctly, the DAA [designated approving authority], not the PM.
On Thu, Dec 4, 2014 at 12:29 PM, Cal Webster
cwebster@ec.rr.com wrote:
On Thu, 2014-12-04 at 11:41 -0500, Jason Ricles wrote:
Gotcha, I also work with DoD for Navy systems and was
surprised by
that. So you mean if we don't want to pay RHEL licensing
fees, we can
use Centos? Since we are paying about $100 per RHEL license.
I would recommend RHEL for critical systems or those that must be certified for a particular purpose, such as CA servers.
We've been using
CentOS for years now on our internal networks for
software development,
local site mail service (SMTP/POP/IMAP), file services (FTP/NFS/SMB/CIFS), DNS, local web servers, etc. It works
very well for
this, especially for software development where multiple
people can get
a GUI login through Stunnel->VNC->GDM and/or shell through ssh.
We're also using CentOS for software maintenance of RHEL hosts on our aircraft simulators. Many of our software developers prefer a CentOS workstation because of its versatility. On those we install MS Windoze as a KVM guest for those applications that require it. My internal workstation is set up this way for network/systems admin and analysis, software development, as well as normal office tasks.
On Thu, Dec 4, 2014 at 11:36 AM, Jason Pyeron jpyeron@pdinc.us wrote:
-----Original Message----- From: Jason Ricles Sent: Thursday, December 04, 2014 11:23 To: CentOS mailing list Subject: Re: [CentOS] Firefox fails to authenticate .mil sites with New DoDCAC
I thought DoD used RHEL and not Centos, or did Centos get approved in DADEMS recently?
DADMS is a Navy system, but yes Centos is approved for use by DISA. You would STIG it just like RHEL.
-Jason
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
- Jason Pyeron                      PD Inc. http://www.pdinc.us -
- Principal Consultant              10 West 24th Street #100    -
- +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.
-----Original Message----- From: Jason Ricles Sent: Thursday, December 04, 2014 11:42
Gotcha, I also work with DoD for Navy systems and was surprised by that. So you mean if we don't want to pay RHEL licensing fees, we can use Centos? Since we are paying about $100 per RHEL license.
But you will still need a (self?) support plan to be STIG compliant.
Do you mean as in terms of updates? I forget some of the STIGs and don't deal with that part of our projects.
On Thu, Dec 4, 2014 at 1:14 PM, Jason Pyeron jpyeron@pdinc.us wrote:
On Thu, 2014-12-04 at 11:22 -0500, Jason Ricles wrote:
I thought DoD used RHEL and not Centos, or did Centos get approved in DADEMS recently?
DoD does use RHEL for the critical infrastructure hosts and in our case for training simulators. The issue here was with a separate non-DoD asset used to retrieve security updates and to conduct research to support engineering efforts on isolated, stand-alone networks. The isolated networks are not allowed to touch the Internet. CentOS 6 (and recently 7) has been approved for engineering labs and certain R&D facilities too, BTW - You'll see it if you do a search in DADMS. We do use CentOS for local general purpose servers and workstations.
On Wed, Dec 3, 2014 at 5:34 PM, Cal Webster cwebster@ec.rr.com wrote:
More relevant information below...
I'd be grateful for any ideas or advice on this. I desperately need to retrieve vulnerability reports, patches, and other DoD resources. Thanks!
Cal Webster
Smart Card Reader: SCM Microsystems Inc. SCR3310 USB Smart Card Reader (21120628202509) 00 00-0
Old CAC: GEMAL TO TOPDL GX4 144
New CAC: G&D FIPS 201 SCE 3.2
[root@inet3 ~]# cat /etc/redhat-release
CentOS release 6.6 (Final)
[root@inet3 ~]# uname -a
Linux inet3 2.6.32-504.1.3.el6.x86_64 #1 SMP Tue Nov 11 17:57:25 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
[root@inet3 ~]#
Installed Packages
coolkey.i686                     1.1.0-32.el6           @base
coolkey.x86_64                   1.1.0-32.el6           @base
firefox.i686                     31.2.0-3.el6.centos    @updates
firefox.x86_64                   31.2.0-3.el6.centos    @updates
thunderbird.x86_64               31.2.0-3.el6.centos    @updates
pcsc-lite.x86_64                 1.5.2-14.el6           @base
pcsc-lite-devel.x86_64           1.5.2-14.el6           @base
pcsc-lite-libs.x86_64            1.5.2-14.el6           @base
nss.i686                         3.16.1-14.el6          @base
nss.x86_64                       3.16.1-14.el6          @base
nss-devel.x86_64                 3.16.1-14.el6          @base
nss-softokn.i686                 3.14.3-18.el6_6        @updates
nss-softokn.x86_64               3.14.3-18.el6_6        @updates
nss-softokn-devel.x86_64         3.14.3-18.el6_6        @updates
nss-softokn-freebl.i686          3.14.3-18.el6_6        @updates
nss-softokn-freebl.x86_64        3.14.3-18.el6_6        @updates
nss-softokn-freebl-devel.x86_64  3.14.3-18.el6_6        @updates
nss-sysinit.x86_64               3.16.1-14.el6          @base
nss-tools.x86_64                 3.16.1-14.el6          @base
nss-util.i686                    3.16.1-3.el6           @base
nss-util.x86_64                  3.16.1-3.el6           @base
nss-util-devel.x86_64            3.16.1-3.el6           @base
[root@inet3 ~]# modutil -list -dbdir /etc/pki/nssdb
Listing of PKCS #11 Modules
NSS Internal PKCS #11 Module
     slots: 2 slots attached
    status: loaded

     slot: NSS Internal Cryptographic Services
    token: NSS Generic Crypto Services

     slot: NSS User Private Key and Certificate Services
    token: NSS Certificate DB

CoolKey PKCS #11 Module
    library name: libcoolkeypk11.so
     slots: 1 slot attached
    status: loaded

     slot: SCM Microsystems Inc. SCR3310 USB Smart Card Reader (21120628202
    token: WEBSTER.CALVIN.DALE.9427154028

cackey
    library name: libcackey.so
     slots: 2 slots attached
    status: loaded

     slot: CACKey Slot
    token: WEBSTER.CALVIN.DALE.9427154028

     slot: CACKey Slot
    token: DoD Certificates
[root@inet3 ~]#
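The post's observation that the cackey RPM installs only the library and leaves NSS registration to the admin is a check worth scripting. The following is an added example, not code from this thread or from the cackey or coolkey projects: it parses the output of modutil -list (a listing like the one above) to report whether a named PKCS#11 module is registered and loaded, and registers a module only when it is absent. The sample listing embedded in the script is constructed in modutil's numbered layout with placeholder token names; the module name, library path and database directory passed to ensure_nss_module are the caller's assumptions, and that function needs the nss-tools package on a real host.

```shell
#!/bin/sh
# Added example (not from the thread, nor from cackey/coolkey): check whether a
# PKCS#11 module is registered and loaded in an NSS database by parsing the
# output of `modutil -list`, and register it only when it is absent.

# Constructed sample of `modutil -list` output in modutil's own numbered layout,
# mirroring the post's listing. Token names are placeholders, not real values.
SAMPLE_LISTING='Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
     slots: 2 slots attached
    status: loaded

     slot: NSS Internal Cryptographic Services
    token: NSS Generic Crypto Services

     slot: NSS User Private Key and Certificate Services
    token: NSS Certificate DB

  2. CoolKey PKCS #11 Module
    library name: libcoolkeypk11.so
     slots: 1 slot attached
    status: loaded

     slot: SCM Microsystems Inc. SCR3310 USB Smart Card Reader (21120628202
    token: LASTNAME.FIRST.MIDDLE.0000000000

  3. cackey
    library name: libcackey.so
     slots: 2 slots attached
    status: loaded

     slot: CACKey Slot
    token: LASTNAME.FIRST.MIDDLE.0000000000

     slot: CACKey Slot
    token: DoD Certificates
-----------------------------------------------------------'

# nss_module_status NAME   (modutil listing on stdin)
# Prints one line; returns 0 = loaded, 1 = registered but not loaded, 2 = absent.
nss_module_status() {
    awk -v name="$1" '
        # "  N. Module Name" opens a module entry; remember which entry we are in
        /^[[:space:]]*[0-9]+\. / {
            sub(/^[[:space:]]*[0-9]+\. /, "")
            gsub(/[[:space:]]+$/, "")
            cur = $0
            if (cur == name) found = 1
            next
        }
        cur == name && /library name:/ { sub(/.*library name:[[:space:]]*/, ""); lib = $0 }
        cur == name && /slots:/        { sub(/.*slots:[[:space:]]*/, ""); split($0, f, " "); nslots = f[1] }
        cur == name && /status:/       { sub(/.*status:[[:space:]]*/, ""); gsub(/[[:space:]]+$/, ""); st = $0 }
        END {
            if (!found)         { print "absent"; exit 2 }
            if (st != "loaded") { print "registered status=" st; exit 1 }
            print "loaded " (lib == "" ? "builtin" : lib) " " nslots
        }'
}

# sample_status NAME: run the parser over the constructed listing above.
sample_status() {
    printf '%s\n' "$SAMPLE_LISTING" | nss_module_status "$1"
}

# ensure_nss_module NAME LIBFILE [DBDIR]: register NAME from LIBFILE in DBDIR
# (default /etc/pki/nssdb, as in the post) only if modutil does not list it.
# Needs modutil from nss-tools; not exercised by the offline demo below.
ensure_nss_module() {
    name=$1; lib=$2; dbdir=${3:-/etc/pki/nssdb}
    modutil -list -dbdir "$dbdir" | nss_module_status "$name"
    case $? in
        0) return 0 ;;
        1) echo "$name is registered in $dbdir but not loaded; check $lib and pcscd" >&2; return 1 ;;
        2) # -force skips modutil's interactive confirmation prompt
           modutil -force -dbdir "$dbdir" -add "$name" -libfile "$lib" &&
           modutil -list -dbdir "$dbdir" | nss_module_status "$name" ;;
    esac
}

# Stand-alone demonstration against the constructed listing.
for m in cackey 'CoolKey PKCS #11 Module' opensc-pkcs11; do
    printf '%-26s -> ' "$m"; sample_status "$m" || true
done
```

Pass ensure_nss_module the directory of the NSS database the application actually reads: the system database at /etc/pki/nssdb as in the post, or a Firefox profile directory when the browser keeps its own module list. Registering a module in one database does not make it visible to a program reading another, which is one reason a card can work in Thunderbird while Firefox shows nothing.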