> -----Original Message-----
> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Cal Webster
> Sent: Wednesday, December 03, 2014 17:35
> To: CentOS List
> Subject: [CentOS] Firefox fails to authenticate .mil sites with New DoD CAC
>
> Can anyone help with getting the new DoD CACs (Smart Card) to work in
> CentOS 6.6? I don't use it for console logins, only for email and .mil
> web sites.
>
> I recently had to get a new DoD CAC (Smart Card) when one of the
> buildings I work in upgraded their security system. My old CAC was
> working fine prior to this for signing and encrypting email and for
> authenticating to various DoD (.mil) sites from the Internet using the
> coolkey libraries.
>
> After getting my new CAC I am no longer able to authenticate to any DoD
> sites. I can still sign and encrypt email in Thunderbird via the coolkey
> libraries but .mil sites either simply display blank pages or raise
> various errors in firefox. I am prompted for my PIN, which is
> successfully accepted but I'm not even prompted for which cert to use,
> like I used to be.

Does your system trust CA32? I see

    Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD EMAIL CA-32
    Validity
        Not Before: Nov 24 00:00:00 2014 GMT
        Not After : Jan 30 23:59:59 2015 GMT
    Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, OU=CONTRACTOR, CN=WEBSTER.CALVIN.DALE.1011559383

> I've tried installing and loading the latest "cackey" libraries (see
> below) but when I insert my CAC and attempt to login to the module in
> the Mozilla device manager it completely freezes firefox. Recovery
> requires killing firefox. If I remove the latest and install the next
> previous cackey library it works the same as coolkey - doesn't freeze up
> firefox but never connects to .mil sites.
>
> I tried building the cackey RPMs from the source RPMs too but the result
> is the same.
>
> Latest 64-bit cackey: cackey-0.6.8-3522.x86_64.rpm
> Next previous cackey: cackey-0.6.5-2444.x86_64.rpm
>
> I'm pretty sure it has something to do with the newer PIV CAC internal
> layout. I went through a similar transition when the GEMAL 144 cards
> came out but the cackey libraries did at least work and coolkey
> eventually caught up.
>
> One thing is for sure... the cackey RPM from forge.mil is not a drop-in
> replacement for coolkey. The cackey RPM only installs the libraries
> themselves, nothing else. It doesn't even register them in the nss db; I
> had to do that manually with modutil. I must be missing something...
>
> Without direct access to forge.mil it's difficult to troubleshoot
> cackey. For some silly reason they still require CAC authentication to
> get the CAC software and drivers and access the forums, etc.

Ha. Have you contacted the DOD PKE team for support on that?

    DISA Tinker AFB OPS List PKE_Support <dgisa.tinker.ops.list.pkesupport at mail.mil>

> More relevant information below...
>
> I'd be grateful for any ideas or advice on this. I desperately need to
> retrieve vulnerability reports, patches, and other DoD resources.
> Thanks!
>
> Cal Webster

I have a G&D FIPS 201 SCE 3.2 test CAC from JITC I can attach to a VM for debugging.

> Smart Card Reader:
> SCM Microsystems Inc. SCR3310 USB Smart Card Reader (21120628202509) 00 00-0
>
> Old CAC: GEMAL TO TOPDL GX4 144
> New CAC: G&D FIPS 201 SCE 3.2
>
> [root at inet3 ~]# cat /etc/redhat-release
> CentOS release 6.6 (Final)
> [root at inet3 ~]# uname -a
> Linux inet3 2.6.32-504.1.3.el6.x86_64 #1 SMP Tue Nov 11 17:57:25 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
> [root at inet3 ~]#
>
> Installed Packages
>
> coolkey.i686                       1.1.0-32.el6           @base
> coolkey.x86_64                     1.1.0-32.el6           @base
> firefox.i686                       31.2.0-3.el6.centos    @updates
> firefox.x86_64                     31.2.0-3.el6.centos    @updates
> thunderbird.x86_64                 31.2.0-3.el6.centos    @updates
> pcsc-lite.x86_64                   1.5.2-14.el6           @base
> pcsc-lite-devel.x86_64             1.5.2-14.el6           @base
> pcsc-lite-libs.x86_64              1.5.2-14.el6           @base
> nss.i686                           3.16.1-14.el6          @base
> nss.x86_64                         3.16.1-14.el6          @base
> nss-devel.x86_64                   3.16.1-14.el6          @base
> nss-softokn.i686                   3.14.3-18.el6_6        @updates
> nss-softokn.x86_64                 3.14.3-18.el6_6        @updates
> nss-softokn-devel.x86_64           3.14.3-18.el6_6        @updates
> nss-softokn-freebl.i686            3.14.3-18.el6_6        @updates
> nss-softokn-freebl.x86_64          3.14.3-18.el6_6        @updates
> nss-softokn-freebl-devel.x86_64    3.14.3-18.el6_6        @updates
> nss-sysinit.x86_64                 3.16.1-14.el6          @base
> nss-tools.x86_64                   3.16.1-14.el6          @base
> nss-util.i686                      3.16.1-3.el6           @base
> nss-util.x86_64                    3.16.1-3.el6           @base
> nss-util-devel.x86_64              3.16.1-3.el6           @base
>
> [root at inet3 ~]# modutil -list -dbdir /etc/pki/nssdb
>
> Listing of PKCS #11 Modules
> -----------------------------------------------------------
>   1. NSS Internal PKCS #11 Module
>          slots: 2 slots attached
>         status: loaded
>
>          slot: NSS Internal Cryptographic Services
>         token: NSS Generic Crypto Services
>
>          slot: NSS User Private Key and Certificate Services
>         token: NSS Certificate DB
>
>   2. CoolKey PKCS #11 Module
>   library name: libcoolkeypk11.so
>          slots: 1 slot attached
>         status: loaded
>
>          slot: SCM Microsystems Inc. SCR3310 USB Smart Card Reader (21120628202
>         token: WEBSTER.CALVIN.DALE.9427154028
>
>   3. cackey
>   library name: libcackey.so
>          slots: 2 slots attached
>         status: loaded
>
>          slot: CACKey Slot
>         token: WEBSTER.CALVIN.DALE.9427154028
>
>          slot: CACKey Slot
>         token: DoD Certificates
> -----------------------------------------------------------
> [root at inet3 ~]#

-- 
Jason Pyeron                      PD Inc. http://www.pdinc.us
Principal Consultant              10 West 24th Street #100
+1 (443) 269-1555 x333            Baltimore, Maryland 21218
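Jason's question, whether the system trusts the issuing CA named in the certificate, can be answered with certutil from the nss-tools package listed above. The script below is an added example, not code from either poster: it parses the trust-attribute column of `certutil -L` output and reports whether a given CA nickname is present and carries the C (trusted CA for SSL) flag. The certutil output embedded in it is constructed, and the database paths are assumptions; Firefox 31 keeps its own certificate database in the profile directory rather than in /etc/pki/nssdb.

```shell
#!/bin/sh
# Added example (not from the thread): does an NSS certificate database hold
# the issuing CA named above, and with what trust flags? Uses certutil from
# nss-tools. Firefox reads its own profile database, not /etc/pki/nssdb, so
# point DBDIR at the profile (e.g. ~/.mozilla/firefox/<profile>) for Firefox.

# Constructed `certutil -L` output so the parsing runs offline. Trust column
# is SSL,S/MIME,JAR/XPI; C = trusted CA, T = trusted client-auth CA, u = own
# cert, ",," = present but untrusted.
SAMPLE_CERTUTIL_OUTPUT='Certificate Nickname                        Trust Attributes
                                            SSL,S/MIME,JAR/XPI

DoD Root CA 2                               CT,C,C
DOD EMAIL CA-32                             ,,
WEBSTER.CALVIN.DALE.1011559383              u,u,u'

# ca_trust_flags NICKNAME: read certutil -L output on stdin and print the
# trust-attribute column for that exact nickname (nothing if absent).
ca_trust_flags() {
    awk -v nick="$1" 'NR > 2 && NF >= 2 {
        flags = $NF
        name = $0
        sub(/[[:space:]]+[^[:space:]]*$/, "", name)   # strip trust column
        if (name == nick) { print flags; exit }
    }'
}

# trust_verdict FLAGS: classify a trust string such as "CT,C,C" by its SSL
# column. "T" alone (client-auth CA) does not make https server certs trusted.
trust_verdict() {
    [ -n "$1" ] || { echo missing; return 0; }
    case ${1%%,*} in
        *C*) echo trusted ;;
        *)   echo untrusted ;;
    esac
}

# check_sample NICKNAME: verdict against the constructed sample above.
check_sample() {
    trust_verdict "$(printf '%s\n' "$SAMPLE_CERTUTIL_OUTPUT" | ca_trust_flags "$1")"
}

# check_nssdb NICKNAME DBDIR: live verdict, e.g.
#   check_nssdb 'DOD EMAIL CA-32' sql:/etc/pki/nssdb
check_nssdb() {
    trust_verdict "$(certutil -L -d "$2" | ca_trust_flags "$1")"
}
```

A "missing" verdict for an intermediate such as DOD EMAIL CA-32 is not conclusive on its own, since a chain can still validate through a trusted DoD root; check the root nickname as well.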