[CentOS] Firefox fails to authenticate .mil sites with New DoD CAC

Cal Webster cwebster at ec.rr.com
Thu Dec 4 16:53:59 UTC 2014


On Thu, 2014-12-04 at 11:22 -0500, Jason Ricles wrote:
> I thought DoD used RHEL and not CentOS, or did CentOS get approved in
> DADMS recently?

DoD does use RHEL for the critical infrastructure hosts and in our case
for training simulators. The issue here was with a separate non-DoD
asset used to retrieve security updates and to conduct research to
support engineering efforts on isolated, stand-alone networks. The
isolated networks are not allowed to touch the Internet. CentOS 6 (and
recently 7) has been approved for engineering labs and certain R&D
facilities too, BTW; you'll see it if you do a search in DADMS. We do
use CentOS for local general purpose servers and workstations.

> On Wed, Dec 3, 2014 at 5:34 PM, Cal Webster <cwebster at ec.rr.com> wrote:
> > Can anyone help with getting the new DoD CACs (Smart Card) to work in
> > CentOS 6.6? I don't use it for console logins, only for email and .mil
> > web sites.
> >
> > I recently had to get a new DoD CAC (Smart Card) when one of the
> > buildings I work in upgraded their security system. My old CAC was
> > working fine prior to this for signing and encrypting email and for
> > authenticating to various DoD (.mil) sites from the Internet using the
> > coolkey libraries.
> >
> > After getting my new CAC I am no longer able to authenticate to any DoD
> > sites. I can still sign and encrypt email in Thunderbird via the coolkey
> > libraries but .mil sites either simply display blank pages or raise
> > various errors in firefox. I am prompted for my PIN, which is
> > successfully accepted but I'm not even prompted for which cert to use,
> > like I used to be.
> >
> > I've tried installing and loading the latest "cackey" libraries (see
> > below) but when I insert my CAC and attempt to login to the module in
> > the Mozilla device manager it completely freezes firefox. Recovery
> > requires killing firefox. If I remove the latest and install the next
> > previous cackey library it works the same as coolkey - doesn't freeze up
> > firefox but never connects to .mil sites.
> >
> > I tried building the cackey RPMs from the source RPMs too but the result
> > is the same.
> >
> > Latest 64-bit cackey: cackey-0.6.8-3522.x86_64.rpm
> > Next previous cackey: cackey-0.6.5-2444.x86_64.rpm
> >
> > I'm pretty sure it has something to do with the newer PIV CAC internal
> > layout. I went through a similar transition when the GEMAL 144 cards
> > came out but the cackey libraries did at least work and coolkey
> > eventually caught up.
> >
> > One thing is for sure... the cackey RPM from forge.mil is not a drop-in
> > replacement for coolkey. The cackey RPM only installs the libraries
> > themselves, nothing else. It doesn't even register them in the nss db. I
> > had to do that manually with modutil. I must be missing something...
> >
> > Without direct access to forge.mil it's difficult to troubleshoot
> > cackey. For some silly reason they still require CAC authentication to
> > get the CAC software and drivers and access the forums, etc.
> >
> > More relevant information below...
> >
> > I'd be grateful for any ideas or advice on this. I desperately need to
> > retrieve vulnerability reports, patches, and other DoD resources.
> > Thanks!
> >
> > Cal Webster
> >
> >
> >
> >
> > Smart Card Reader:
> > SCM Microsystems Inc. SCR3310 USB Smart Card Reader (21120628202509) 00 00-0
> >
> > Old CAC:        GEMAL TO TOPDL GX4 144
> > New CAC:        G&D FIPS 201 SCE 3.2
> >
> >
> > [root at inet3 ~]# cat /etc/redhat-release
> > CentOS release 6.6 (Final)
> > [root at inet3 ~]# uname -a
> > Linux inet3 2.6.32-504.1.3.el6.x86_64 #1 SMP Tue Nov 11 17:57:25 UTC
> > 2014 x86_64 x86_64 x86_64 GNU/Linux
> > [root at inet3 ~]#
> >
> > Installed Packages
> >
> > coolkey.i686                       1.1.0-32.el6                @base
> > coolkey.x86_64                     1.1.0-32.el6                @base
> > firefox.i686                       31.2.0-3.el6.centos         @updates
> > firefox.x86_64                     31.2.0-3.el6.centos         @updates
> > thunderbird.x86_64                 31.2.0-3.el6.centos         @updates
> > pcsc-lite.x86_64                   1.5.2-14.el6                @base
> > pcsc-lite-devel.x86_64             1.5.2-14.el6                @base
> > pcsc-lite-libs.x86_64              1.5.2-14.el6                @base
> > nss.i686                           3.16.1-14.el6               @base
> > nss.x86_64                         3.16.1-14.el6               @base
> > nss-devel.x86_64                   3.16.1-14.el6               @base
> > nss-softokn.i686                   3.14.3-18.el6_6             @updates
> > nss-softokn.x86_64                 3.14.3-18.el6_6             @updates
> > nss-softokn-devel.x86_64           3.14.3-18.el6_6             @updates
> > nss-softokn-freebl.i686            3.14.3-18.el6_6             @updates
> > nss-softokn-freebl.x86_64          3.14.3-18.el6_6             @updates
> > nss-softokn-freebl-devel.x86_64    3.14.3-18.el6_6             @updates
> > nss-sysinit.x86_64                 3.16.1-14.el6               @base
> > nss-tools.x86_64                   3.16.1-14.el6               @base
> > nss-util.i686                      3.16.1-3.el6                @base
> > nss-util.x86_64                    3.16.1-3.el6                @base
> > nss-util-devel.x86_64              3.16.1-3.el6                @base
> >
> >
> > [root at inet3 ~]# modutil -list -dbdir /etc/pki/nssdb
> >
> > Listing of PKCS #11 Modules
> > -----------------------------------------------------------
> >   1. NSS Internal PKCS #11 Module
> >          slots: 2 slots attached
> >         status: loaded
> >
> >          slot: NSS Internal Cryptographic Services
> >         token: NSS Generic Crypto Services
> >
> >          slot: NSS User Private Key and Certificate Services
> >         token: NSS Certificate DB
> >
> >   2. CoolKey PKCS #11 Module
> >         library name: libcoolkeypk11.so
> >          slots: 1 slot attached
> >         status: loaded
> >
> >          slot: SCM Microsystems Inc. SCR3310 USB Smart Card Reader (21120628202
> >         token: WEBSTER.CALVIN.DALE.9427154028
> >
> >   3. cackey
> >         library name: libcackey.so
> >          slots: 2 slots attached
> >         status: loaded
> >
> >          slot: CACKey Slot
> >         token: WEBSTER.CALVIN.DALE.9427154028
> >
> >          slot: CACKey Slot
> >         token: DoD Certificates
> > -----------------------------------------------------------
> > [root at inet3 ~]#
> >
> >
> > _______________________________________________
> > CentOS mailing list
> > CentOS at centos.org
> > http://lists.centos.org/mailman/listinfo/centos
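One thing the `modutil -list` output in the quoted post makes visible is that the card's token (WEBSTER.CALVIN.DALE.9427154028) is exposed by two PKCS #11 modules at once, CoolKey and cackey. The script below is an added example for this thread, not code from the poster or from the coolkey/cackey projects: it parses the text that `modutil -list -dbdir <dir>` prints (the listing from the post is embedded as a constructed sample), records which library backs each module and which tokens it exposes, and flags any token claimed by more than one module. The `live_listing` helper assumes `modutil` from nss-tools is on the PATH and is the only part that touches a real NSS database.

```python
"""Sanity check for PKCS #11 module registration in an NSS database.

Parses `modutil -list` output and reports tokens that are exposed by more
than one module, which is worth knowing before blaming the card or the
browser when client-certificate selection misbehaves.
"""
import re
import subprocess
from collections import defaultdict

# Constructed sample: a copy of the listing from the mailing-list post above.
SAMPLE_LISTING = """\
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. CoolKey PKCS #11 Module
        library name: libcoolkeypk11.so
         slots: 1 slot attached
        status: loaded

         slot: SCM Microsystems Inc. SCR3310 USB Smart Card Reader (21120628202
        token: WEBSTER.CALVIN.DALE.9427154028

  3. cackey
        library name: libcackey.so
         slots: 2 slots attached
        status: loaded

         slot: CACKey Slot
        token: WEBSTER.CALVIN.DALE.9427154028

         slot: CACKey Slot
        token: DoD Certificates
-----------------------------------------------------------
"""

# A module header looks like "  2. CoolKey PKCS #11 Module".
MODULE_RE = re.compile(r"^\s*\d+\.\s+(.+?)\s*$")


def parse_modutil_listing(text):
    """Return {module_name: {"library": str or None, "tokens": [names...]}}."""
    modules = {}
    current = None
    for line in text.splitlines():
        m = MODULE_RE.match(line)
        if m:
            current = m.group(1)
            modules[current] = {"library": None, "tokens": []}
            continue
        if current is None:
            continue  # preamble before the first module entry
        stripped = line.strip()
        if stripped.startswith("library name:"):
            modules[current]["library"] = stripped.split(":", 1)[1].strip()
        elif stripped.startswith("token:"):
            modules[current]["tokens"].append(stripped.split(":", 1)[1].strip())
    return modules


def shared_tokens(modules):
    """Map token name -> list of modules exposing it, for tokens seen under
    more than one module (insertion order of the listing is preserved)."""
    owners = defaultdict(list)
    for name, info in modules.items():
        for token in info["tokens"]:
            if name not in owners[token]:
                owners[token].append(name)
    return {tok: mods for tok, mods in owners.items() if len(mods) > 1}


def live_listing(dbdir="/etc/pki/nssdb"):
    """Fetch the listing from a real database (needs modutil from nss-tools)."""
    result = subprocess.run(["modutil", "-list", "-dbdir", dbdir],
                            check=True, capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    mods = parse_modutil_listing(SAMPLE_LISTING)
    for name, info in mods.items():
        print(f"{name}: library={info['library']} tokens={info['tokens']}")
    for token, mods_for in shared_tokens(mods).items():
        print(f"WARNING: token {token!r} is exposed by {len(mods_for)} modules: "
              f"{', '.join(mods_for)}")
```

To check a Firefox profile rather than the system database, pass the profile directory (for example `sql:` + the profile path) as `dbdir` to `live_listing` and feed its output to `parse_modutil_listing`; Firefox keeps its own module list, so the system-wide `/etc/pki/nssdb` listing does not necessarily reflect what the browser loads.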