SCM SCR-331 USB Smartcard Reader – Firmware Upgrade

Previously, I had trouble getting some of these readers to work under Linux – the ccid software would complain that the reader firmware was “bogus” and needed to be upgraded. To repeat a previous post, there is *NO* visible difference between the right and wrong versions of the readers – both say SCR331 on the dataplate on the bottom of the reader. However, I noticed that the part number of the good reader is 904622, while the PN of the unusable reader is 904054. Digging around got me to the SCM site, with different choices of driver and firmware ZIP files to download. After much trial-and-error, here is the process I found to work ( you must do this on Windows – either a physical or virtual machine):

  1. UPDATED (their site has changed):  Download two files from http://www.scmmicro.com/support/pc-security-support/downloads.html (there appears to be a Linux utility now, but I have not tried it):
    • SCR331 SCR531 CCID (USB) row x Firmware column – v5.22, filename = SCRx31CCID_fw5.22.zip
    • SCR331 SCR531 CCID (USB) row x Windows PC/SC CT-API Installer column – v8.18, filename = SCR3xxx_installer_V8.18.zip
    • Try the 331/531 USB or serial files, as you need, and click on Utilities and Diagnostic Tools to get the FWupdate file.  There is also one for Linux, which sounds very interesting.
    • YMMV – I have not tried these, and I am very tired, so good luck.  If you get good results or even some pain and suffering and want to provide feedback that might help others, please do so.
    • Consider the rest of this post stale – I have no idea what else may have changed, so maybe it still works, maybe it doesn’t.  Sorry.  I’ll get to it later.
  2. Unzip each to the local machine, and turn off any software that uses the card reader (such as the Active Card Gold program that was running in the system tray of the computer I did this on). If you do not, when you run through this process, it will fail with an error message about the card reader being busy. Of course, make sure your reader is plugged into a USB port.
  3. Run the “Setup.exe” file from the SCR3xxx_installer_V8.18 folder, and accept the defaults. Reboot if you like, but I did not have to do so. On Windows XP and Windows 2000, Plug-and-Play recognized the card reader. If you do not do this step, you may get an error from the upgrader that no USB card could be found.
  4. Run the “FwUpdate.exe” file from the SCRx31CCID_fw5.22 folder, which also contains the 5.22 .bin firmware file. Click through the process until you get to a dialog with a black window/green text display of the current version (probably 4.13 or something else less than 5.22) and the upgrade version (5.22). Click the Continue button and let it run. It takes only a short time, but do not interrupt it, or you might wreck the reader.
  5. Test it – it should still work on Windows as before, but plugging it into a Linux PC with the CAC software loaded should show you happy things in /var/log/messages. As an aside, I use the Ryolog 1.3 SuperKaramba theme, which shows me my log in realtime (and color-coded), so I can easily watch events as they happen. Try logging into a CAC-restricted site with your card – it should work fine now.

Troubleshooting:

  • On a VMWare Windows Guest, you may not see the reader in Linux unless you uncheck the reader listed under the VM menu, RemovableDevices, USB Devices. Ryolog will show the logged events, something along the lines of the reader being busy, unable to initialize the device.
  • In Windows, FwUpdate closes with an error that it found no SCM USB reader – try loading the v8.18 drivers first. Reboot if it still does not work.
  • FwUpdate gets to the black and green display dialog, but does not allow you to continue, stating that the USB reader is busy, and to try again later. Make sure all software that could possibly be using the reader is turned off, and try again.

Hope this helps!

Theme Change…

I changed themes, to improve layout and readability.  I tried several, and this is what I have settled on for now, but I am not terribly attached to it.

So, if ya don’t like it, want the old one back, or want to recommend a different theme, lemme know…

Smartcards, DoD CAC and RDP with RDesktop 1.5.x

In continuing to integrate CAC into Linux, I went to the RDesktop SourceForge CVS website, followed the cvs download directions (using “rdesktop” as the modulename), and downloaded the latest version of rdesktop, which is supposed to have smartcard reader support. This piggybacks off of the installation of the CAC reader software in the previous post.

Once downloaded, cd to the rdesktop directory and do the following:

  1. Run the command “declare -x PKG_CONFIG_PATH=/usr/cac/lib/pkgconfig”
  2. “./configure --prefix=/usr/cac --enable-smartcard” – look for the line, “checking for PCSCLITE:” – it should say “yes” (thanks to the previous “declare” command)
  3. make && make install
  4. Run with “rdesktop -r scard <remote IP>:<remote port>”

I was able to RDP over a VPN tunnel I established to a Windows machine I could test with, and confirmed that ActiveCard Gold utilities on the remote computer read and accepted my card certs from my local computer. Next, I was able to pass the certs to my (remote computer’s) Outlook e-mail client in order to send signed and encrypted messages.

Using DoD CAC and SmartCard Readers on Linux

I was recently able to get my DoD CAC (Common Access Card) working on Linux, following a discovery on AKO (Army Knowledge Online) that others had also done so, and had posted their instructions and results. I did not install from Mandriva packages, but from the tarballs as instructed, for better control over the entire process.

Update: This also works on Kubuntu 7.10 (Gutsy Gibbon). Here is a forum link with more info.

Another update, with another forum link: How To: Set up and use a DOD Common Access Card (CAC) for Army Knowledge Online (AKO)

Here is a summary of the steps to take:

  1. Download the following tarball files and extract them (tar xvfz filename.tar.gz):
  2. Make the install directories, along with a critical build-time directory – “mkdir -p /usr/cac/lib/pkgconfig”
  3. Set the build variable – “declare -x PKG_CONFIG_PATH=/usr/cac/lib/pkgconfig” – this is only needed for building, not later using these tools.
  4. Change to the respective directories and configure/make/make install:
    • cd libusb-0.1.12 && ./configure --prefix=/usr/cac && make && make install, then cd up one directory
    • cd pcsc-lite-1.4.0 && ./configure --prefix=/usr/cac && make && make install, then cd up one directory
    • cd pcsc-tools-1.4.8 && edit “Makefile” – change “DESTDIR” to “/usr/cac” && make && make install, then cd up one directory
    • cd ccid-1.2.1 && ./configure --prefix=/usr/cac && make && make install, then cd up one directory
    • cd coolkey-1.1.0 && ./configure --prefix=/usr/cac && make && make install, then cd up one directory
    • If you have an ActiveCard Gold 2.0 USB device, edit “/usr/cac/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist” around line 38 and change “<string>0x0000</string>” to “<string>0x0004</string>”
  5. Plug in the reader – the green light should come on (I am using an SCM SCR-331 USB smartcard reader).
  6. Run “/usr/cac/sbin/pcscd” – later, add to /etc/rc.local or use whatever means to ensure it starts at system boot
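The build steps above, collected into one script as an added example (this is not from the original post or from any of the projects named): it exports PKG_CONFIG_PATH, builds the five tarballs into /usr/cac in the order given, and applies the Info.plist edit for the ActiveCard Gold 2.0 reader only after confirming that the target line really holds 0x0000, keeping a backup of the original file. The function names and the CAC_BUILD environment variable are this example's own; the prefix, tarball directory names and the line number 38 come from the post.

```shell
#!/bin/sh
# Added example: build the CAC stack into /usr/cac as described in the post.
# Helper names and the CAC_BUILD variable are invented for this example.
set -eu

PREFIX=${PREFIX:-/usr/cac}
# Needed at build time only so that ./configure finds the pkg-config files
# installed by the earlier steps (libusb, pcsc-lite).
export PKG_CONFIG_PATH="$PREFIX/lib/pkgconfig"

# configure/make/make install one autotools tarball directory; the subshell
# returns us to the parent directory afterwards ("cd up one directory").
build_autotools() {
    ( cd "$1" && ./configure --prefix="$PREFIX" && make && make install )
}

# pcsc-tools has no configure script: the post edits DESTDIR in its Makefile.
build_pcsc_tools() {
    ( cd "$1" \
      && sed "s|^DESTDIR.*|DESTDIR=$PREFIX|" Makefile > Makefile.cac \
      && mv Makefile.cac Makefile \
      && make && make install )
}

build_all() {
    mkdir -p "$PREFIX/lib/pkgconfig"
    build_autotools libusb-0.1.12
    build_autotools pcsc-lite-1.4.0
    build_pcsc_tools pcsc-tools-1.4.8
    build_autotools ccid-1.2.1
    build_autotools coolkey-1.1.0
}

# Change <string>0x0000</string> to <string>0x0004</string> on one line of a
# CCID Info.plist (line 38 by default, per the post). Refuses to touch the
# file if that line does not contain the expected value, so a shifted line
# number cannot silently edit some other product-ID entry. Keeps "$1.orig".
patch_ccid_plist() {
    plist=$1
    line=${2:-38}
    if ! sed -n "${line}p" "$plist" | grep -q '<string>0x0000</string>'; then
        echo "line $line of $plist does not contain <string>0x0000</string>; not editing" >&2
        return 1
    fi
    cp "$plist" "$plist.orig"
    sed "${line}s|<string>0x0000</string>|<string>0x0004</string>|" "$plist.orig" > "$plist"
}

# Run the full build only when explicitly asked, e.g. CAC_BUILD=1 sh cac-build.sh
if [ "${CAC_BUILD:-0}" = 1 ]; then
    build_all
    patch_ccid_plist "$PREFIX/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist" 38
fi
```

Run it from the directory holding the extracted tarballs with CAC_BUILD=1 set; without it, sourcing the file only defines the functions, so patch_ccid_plist can be applied by hand to a plist whose vendor/product entry sits on a different line.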

Now, set up Firefox (I do not use Thunderbird, but similar steps can be taken – instructions can likely be Googled):

  1. Import the certs into Firefox, one at a time:
    • “Preferences”
    • “Advanced”
    • “Encryption” tab
    • “View Certificates” button
    • “Authorities” tab
    • “Import” button.
    • Root certs may have to be exported from Explorer first, other certs can be found at “https://crl.chamb.disa.mil/”.
  2. Insert CAC into reader – the green light should flash.
  3. Add “CAC Module” to Firefox as a Security Device
    • “Preferences”
    • “Advanced”
    • “Encryption” tab
    • “Security Devices” button
    • “Load” button
    • Enter “CAC Module” as the module name, and browse to “/usr/cac/lib/pkcs11/libcoolkeypk11.so” for the module filename.

Now, go to a CAC protected site, like www.us.army.mil, choose to login with the CAC, and enter PIN when prompted for “Master Password”. To ensure access for some sites that require you to choose a certificate, select “Ask me every time” on the Firefox Preferences-Advanced-Encryption page (“When a web site requires a certificate:”).

Be aware – ccid will squawk about your SCR firmware version if it is 4.13 or lower (calls it “bogus”), and instruct you to either upgrade the firmware or get a newer card reader. There is *NO* visible difference between the right and wrong versions of the readers – both say SCR331 on the dataplate on the bottom of the reader. However, I noticed that the part number of the good reader is 904622, while the PN of the unusable reader is 904054.

Lotsa trial and error went into getting these steps worked out, and as soon as I figure out how to upgrade the firmware (it is apparently devilishly hard to do, as the available instructions are sparse and do not work for me), I’ll post it as a new article.

Huge credits go to Jerome Brock and Kenneth L. Van Alstyne, Jr. – Mr. Brock wrote this up on AKO, and Mr. Van Alstyne wrote up the original white paper that Mr. Brock found and followed.

Mandriva Cooker Update

Well, I ran urpmi yesterday – partly to see what would come down the pipe, and partly out of hope to fix both a nagging problem with being unable to boot new kernels and a new problem induced since the last update that prevented USB devices from working after about a minute.

Of course, I only discovered the new one after I desperately needed to copy some stuff over to a USB thumbdrive… (Figures.)

So I updated in run-level 3, and was nonplussed when I was unable to go to any other run-level after the update completed. Additionally, at some point during the update, the network interface was nuked, and I had to run “service network restart” in order to get eth0 visible again – running “ifconfig eth0 up” would fail, squawking that no such device could be found. Once networking was working again, I reran the urpmi command and finished updating with only minor drama. Until I finished, reinstalled my nvidia kernel driver (ver. 9764), and typed “init 5” in order to bring up the desktop. At this point all I got was a cryptic message that there were no init processes left, or words to that effect.

So, I rebooted, cuz it wasn’t yet enough drama and I was bored.

So, it failed to boot past a new message to enter the init level desired, instead always responding that there were no init processes left (or words to that effect).

So, I booted off my trusty RIP (Rescue Is Possible) liveCD, mounted my boot partition, copied over a working mdadm.conf to /etc/mdadm/mdadm.conf, followed instructions I left myself in the file, and soon had my RAID and LVM volumes up and mounted. I checked the mounted /etc/inittab, and it had next to nothing it it. Luckily, a backup existed, called inittab.rpmsave, which I copied back over the impaired inittab file. I also confirmed that the update had wiped all of the files from /etc/rc0.d through rc6.d directories. I unmounted the volumes and rebooted to see if the system would come up anyway.

It did, in the default run-level 3, but init # would not work. So I ran gdm to start the desktop and it works fine. I am guessing that Mandriva Cooker has been changed to move away from the current initscript process to a different one (sysV to BSD-style, maybe?). I understand that Slackware uses BSD-style initscripts, so maybe this is what is going on. Unfortunately, I am not even remotely familiar with this, so I will start studying.

Good news is, I got KDE 3.5.6, the USB problem is fixed, and the kernel boot problem I have had for a very long time (never found a cure, but am sure it was a Cooker-related problem) is gone. As soon as kernel 2.6.20.1 comes out (the git-6 changelog seems to indicate a lot of SATA and IDE changes), I will throw that on and see how it works. Beryl also got updated, and some quirks with the old version are gone. Nice.
