On Thu, 2014-12-04 at 11:22 -0500, Jason Ricles wrote: > I thought DoD used RHEL and not Centos, or did Centos did approved > DADEMS recently? DoD does use RHEL for the critical infrastructure hosts and in our case for training simulators. The issue here was with a separate non-DoD asset used to retrieve security updates and to conduct research to support engineering efforts on isolated, stand-alone networks. The isolated networks are not allowed to touch the Internet. CentOS 6 (and recently 7) has been approved for engineering labs and certain R&D facilities too, BTW - You'll see it if you do a search in DADMS. We do use CentOS for local general purpose servers and workstations. > On Wed, Dec 3, 2014 at 5:34 PM, Cal Webster <cwebster at ec.rr.com> wrote: > > Can anyone help with getting the new DoD CACs (Smart Card) to work in > > CentOS 6.6? I don't use it for console logins, only for email and .mil > > web sites. > > > > I recently had to get a new DoD CAC (Smart Card) when one of the > > buildings I work in upgraded their security system. My old CAC was > > working fine prior to this for signing and encrypting email and for > > authenticating to various DoD (.mil) sites from the Internet using the > > coolkey libraries. > > > > After getting my new CAC I am no longer able to authenticate to any DoD > > sites. I can still sign and encrypt email in Thunderbird via the coolkey > > libraries but .mil sites either simply display blank pages or raise > > various errors in firefox. I am prompted for my PIN, which is > > successfully accepted but I'm not even prompted for which cert to use, > > like I used to be. > > > > I've tried installing and loading the latest "cackey" libraries (see > > below) but when I insert my CAC and attempt to login to the module in > > the Mozilla device manager it completely freezes firefox. Recovery > > requires killing firefox. If I remove the latest and install the next > > previous cackey library it works the same as coolkey - doesn't freeze up > > firefox but never connects to .mil sites. > > > > I tried building the cackey RPMs from the source RPMs too but the result > > is the same. > > > > Latest 64-bit cackey: cackey-0.6.8-3522.x86_64.rpm > > Next previous cackey: cackey-0.6.5-2444.x86_64.rpm > > > > I'm pretty sure it has something to do with the newer PIV CAC internal > > layout. I went through a similar transition when the GEMAL 144 cards > > came out but the cackey libraries did at least work and coolkey > > eventually caught up. > > > > One thing is for sure... the cackey RPM from forge.mil is not a drop-in > > replacement for coolkey. The cackey RPM only installs the libraries > > themselves, nothing else. It doesn't even register them in the nss db I > > had to do that manually with modutil. I must be missing something... > >The > > Without direct access to forge.mil it's difficult to troubleshoot > > cackey. For some silly reason they still require CAC authentication to > > get the CAC software and drivers and access the forums, etc. > > > > More relevant information below... > > > > I'd be grateful for any ideas or advice on this. I desperately need to > > retrieve vulnerability reports, patches, and other DoD resources. > > Thanks! > > > > Cal Webster > > > > > > > > > > Smart Card Reader: > > SCM Microsystems Inc. SCR3310 USB Smart Card Reader (21120628202509) 00 > > 00-0 > > > > Old CAC: GEMAL TO TOPDL GX4 144 > > New CAC: G&D FIPS 201 SCE 3.2 > > > > > > [root at inet3 ~]# cat /etc/redhat-release > > CentOS release 6.6 (Final) > > [root at inet3 ~]# uname -a > > Linux inet3 2.6.32-504.1.3.el6.x86_64 #1 SMP Tue Nov 11 17:57:25 UTC > > 2014 x86_64 x86_64 x86_64 GNU/Linux > > [root at inet3 ~]# > > > > Installed Packages > > > > coolkey.i686 1.1.0-32.el6 @base > > coolkey.x86_64 1.1.0-32.el6 @base > > firefox.i686 31.2.0-3.el6.centos @updates > > firefox.x86_64 31.2.0-3.el6.centos @updates > > thunderbird.x86_64 31.2.0-3.el6.centos @updates > > pcsc-lite.x86_64 1.5.2-14.el6 @base > > pcsc-lite-devel.x86_64 1.5.2-14.el6 @base > > pcsc-lite-libs.x86_64 1.5.2-14.el6 @base > > nss.i686 3.16.1-14.el6 @base > > nss.x86_64 3.16.1-14.el6 @base > > nss-devel.x86_64 3.16.1-14.el6 @base > > nss-softokn.i686 3.14.3-18.el6_6 @updates > > nss-softokn.x86_64 3.14.3-18.el6_6 @updates > > nss-softokn-devel.x86_64 3.14.3-18.el6_6 @updates > > nss-softokn-freebl.i686 3.14.3-18.el6_6 @updates > > nss-softokn-freebl.x86_64 3.14.3-18.el6_6 @updates > > nss-softokn-freebl-devel.x86_64 3.14.3-18.el6_6 @updates > > nss-sysinit.x86_64 3.16.1-14.el6 @base > > nss-tools.x86_64 3.16.1-14.el6 @base > > nss-util.i686 3.16.1-3.el6 @base > > nss-util.x86_64 3.16.1-3.el6 @base > > nss-util-devel.x86_64 3.16.1-3.el6 @base > > > > > > [root at inet3 ~]# modutil -list -dbdir /etc/pki/nssdb > > > > Listing of PKCS #11 Modules > > ----------------------------------------------------------- > > 1. NSS Internal PKCS #11 Module > > slots: 2 slots attached > > status: loaded > > > > slot: NSS Internal Cryptographic Services > > token: NSS Generic Crypto Services > > > > slot: NSS User Private Key and Certificate Services > > token: NSS Certificate DB > > > > 2. CoolKey PKCS #11 Module > > library name: libcoolkeypk11.so > > slots: 1 slot attached > > status: loaded > > > > slot: SCM Microsystems Inc. SCR3310 USB Smart Card Reader (21120628202 > > token: WEBSTER.CALVIN.DALE.9427154028 > > > > 3. cackey > > library name: libcackey.so > > slots: 2 slots attached > > status: loaded > > > > slot: CACKey Slot > > token: WEBSTER.CALVIN.DALE.9427154028 > > > > slot: CACKey Slot > > token: DoD Certificates > > ----------------------------------------------------------- > > [root at inet3 ~]# > > > > > > _______________________________________________ > > CentOS mailing list > > CentOS at centos.org > > http://lists.centos.org/mailman/listinfo/centos > _______________________________________________ > CentOS mailing list > CentOS at centos.org > http://lists.centos.org/mailman/listinfo/centos