Using DoD CAC and SmartCard Readers on Linux


I was recently able to get my DoD CAC (Common Access Card) working on Linux, following a discovery on AKO (Army Knowledge Online) that others had also done so, and had posted their instructions and results. I did not install from Mandriva packages, but from the tarballs as instructed, for better control over the entire process.

Update: This also works on Kubuntu 7.10 (Gutsy Gibbon). Here is a forum link with more info.

Another update, with another forum link: How To: Set up and use a DOD Common Access Card (CAC) for Army Knowledge Online (AKO)

Here is a summary of the steps to take:

  1. Download the following tarball files and extract them (tar xvfz filename.tar.gz):
  2. Make the install directories, along with a critical build-time directory – “mkdir -p /usr/cac/lib/pkgconfig”
  3. Set the build variable – “declare -x PKG_CONFIG_PATH=/usr/cac/lib/pkgconfig” – this is only needed for building, not later using these tools.
  4. Change to the respective directories and configure/make/make install:
    • cd libusb-0.1.12 && ./configure --prefix=/usr/cac && make && make install, then cd up one directory
    • cd pcsc-lite-1.4.0 && ./configure --prefix=/usr/cac && make && make install, then cd up one directory
    • cd pcsc-tools-1.4.8 && edit “Makefile” – change “DESTDIR” to “/usr/cac” && make && make install, then cd up one directory
    • cd ccid-1.2.1 && ./configure --prefix=/usr/cac && make && make install, then cd up one directory
    • cd coolkey-1.1.0 && ./configure --prefix=/usr/cac && make && make install, then cd up one directory
    • If you have an ActiveCard Gold 2.0 USB device, edit “/usr/cac/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist” around line 38 and change “<string>0x0000</string>” to “<string>0x0004</string>”
  5. Plug in the reader – the green light should come on (I am using an SCM SCR-331 USB smartcard reader).
  6. Run “/usr/cac/sbin/pcscd” – later, add to /etc/rc.local or use whatever means to ensure it starts at system boot
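
The Info.plist change at the end of step 4 can be made by key instead of by line number, with a backup of the shipped file and a read-back check. This is an added example, not part of the original write-up: it assumes the value being changed is the one stored under the CCID driver's ifdDriverOptions key, and the function names are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumption: the <string> the post
# changes by hand is the value of the ifdDriverOptions key in the CCID bundle.

PLIST="/usr/cac/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist"  # path from the post

# Print the <string> value that follows <key>NAME</key>; print nothing if absent.
plist_get() {   # $1 = plist file, $2 = key name
    awk -v key="$2" '
        found && /<string>/ {
            sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit
        }
        index($0, "<key>" key "</key>") { found = 1 }
    ' "$1"
}

# Set the value under one key only, keeping the shipped file as FILE.orig.
# Returns non-zero if the file or key is missing or the read-back differs.
plist_set() {   # $1 = plist file, $2 = key name, $3 = new value
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 1; }
    old=$(plist_get "$1" "$2")
    [ -n "$old" ] || { echo "key $2 not found in $1" >&2; return 1; }
    if [ "$old" = "$3" ]; then return 0; fi     # already set, nothing to do
    [ -f "$1.orig" ] || cp -p "$1" "$1.orig" || return 1
    awk -v key="$2" -v val="$3" '
        found && /<string>/ {
            sub(/<string>[^<]*<\/string>/, "<string>" val "</string>")
            found = 0
        }
        index($0, "<key>" key "</key>") { found = 1 }
        { print }
    ' "$1" > "$1.new" || return 1
    # Overwrite in place so the file keeps its owner and mode.
    cat "$1.new" > "$1" && rm -f "$1.new" || return 1
    [ "$(plist_get "$1" "$2")" = "$3" ]
}

# Demo on a constructed plist (not the real driver file): prints old and new value.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/Info.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>ifdLogLevel</key>
    <string>0x0003</string>
    <key>ifdDriverOptions</key>
    <string>0x0000</string>
</dict>
</plist>
EOF
    before=$(plist_get "$d/Info.plist" ifdDriverOptions)
    plist_set "$d/Info.plist" ifdDriverOptions 0x0004 || { rm -rf "$d"; return 1; }
    after=$(plist_get "$d/Info.plist" ifdDriverOptions)
    log=$(plist_get "$d/Info.plist" ifdLogLevel)
    rm -rf "$d"
    echo "$before -> $after (ifdLogLevel still $log)"
}

# --apply [file] edits the real plist (run as root); --demo runs on the sample.
case "${1:-}" in
    --apply) plist_set "${2:-$PLIST}" ifdDriverOptions 0x0004 &&
             echo "updated; restart pcscd so the driver re-reads it" ;;
    --demo)  demo ;;
esac
```

Restoring Info.plist.orig over Info.plist undoes the change.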

Now, set up Firefox (I do not use Thunderbird, but similar steps can be taken – instructions can likely be Googled):

  1. Import the certs into Firefox, one at a time:
    • “Preferences”
    • “Advanced”
    • “Encryption” tab
    • “View Certificates” button
    • “Authorities” tab
    • “Import” button.
    • Root certs may have to be exported from Explorer first, other certs can be found at “https://crl.chamb.disa.mil/”.
  2. Insert CAC into reader – the green light should flash.
  3. Add “CAC Module” to Firefox as a Security Device
    • “Preferences”
    • “Advanced”
    • “Encryption” tab
    • “Security Devices” button
    • “Load” button
    • Enter “CAC Module” as the module name, and browse to “/usr/cac/lib/pkcs11/libcoolkeypk11.so” for the module filename.

Now, go to a CAC protected site, like www.us.army.mil, choose to login with the CAC, and enter PIN when prompted for “Master Password”. To ensure access for some sites that require you to choose a certificate, select “Ask me every time” on the Firefox Preferences-Advanced-Encryption page (“When a web site requires a certificate:”).
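
Step 3 makes Firefox load libcoolkeypk11.so into its own process, so the module has to be the same ELF class (32- or 64-bit) as the browser binary, and its location differs between a source build and distribution packages. The check below is an added example, not part of the original write-up: the function names are made up, and the browser path passed to it must be the real binary, since `firefox` on the PATH may be a launcher script.

```shell
#!/bin/sh
# Added example, not from the original post.

# Module locations mentioned on this page: the /usr/cac source build, and the
# packaged paths readers report for Ubuntu and 64-bit Fedora.
MODULE_CANDIDATES="/usr/cac/lib/pkcs11/libcoolkeypk11.so
/usr/lib/pkcs11/libcoolkeypk11.so
/usr/lib64/pkcs11/libcoolkeypk11.so"

# Echo 32 or 64 from the ELF header: bytes 0-3 are 0x7f 'E' 'L' 'F' and
# byte 4 (EI_CLASS) is 1 for 32-bit objects, 2 for 64-bit objects.
elf_class() {   # $1 = file
    [ -r "$1" ] || { echo "unreadable"; return 1; }
    hdr=$(od -An -tx1 -N5 "$1" | tr -d ' \n')
    case "$hdr" in
        7f454c4601) echo 32 ;;
        7f454c4602) echo 64 ;;
        *)          echo "not-elf"; return 1 ;;
    esac
}

# List the candidate modules that exist (one path per line).
find_modules() {   # $1 = optional newline-separated list, defaults to the above
    printf '%s\n' "${1:-$MODULE_CANDIDATES}" | while IFS= read -r p; do
        if [ -f "$p" ]; then echo "$p"; fi
    done
}

# Compare a module with the program that will load it.
# Returns 0 on match, 1 on mismatch, 2 if either file cannot be classified.
check_pair() {   # $1 = PKCS#11 module, $2 = browser binary
    m=$(elf_class "$1") || { echo "module $1: $m"; return 2; }
    b=$(elf_class "$2") || {
        echo "browser $2: $b (launcher script? pass the real binary)"
        return 2
    }
    if [ "$m" = "$b" ]; then
        echo "ok: both ${m}-bit"
        return 0
    fi
    echo "mismatch: module is ${m}-bit, browser is ${b}-bit"
    return 1
}

# Usage: sh check-module.sh --check /path/to/real/firefox/binary
if [ "${1:-}" = "--check" ] && [ -n "${2:-}" ]; then
    find_modules | while IFS= read -r mod; do
        printf '%s: ' "$mod"
        check_pair "$mod" "$2" || true
    done
fi
```

A mismatch means rebuilding the stack for the browser's architecture or switching to a browser build that matches the module.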

Be aware – ccid will squawk about your SCR firmware version if it is 4.13 or lower (calls it “bogus”), and instruct you to either upgrade the firmware or get a newer card reader. There is *NO* visible difference between the right and wrong versions of the readers – both say SCR331 on the dataplate on the bottom of the reader. However, I noticed that the part number of the good reader is 904622, while the PN of the unusable reader is 904054.

Lotsa trial and error went into getting these steps worked out, and as soon as I figure out how to upgrade the firmware (it is apparently devilishly hard to do, as the available instructions are sparse and do not work for me), I’ll post it as a new article.

Huge credits go to Jerome Brock and Kenneth L. Van Alstyne, Jr. – Mr. Brock wrote this up on AKO, and Mr. Van Alstyne wrote up the original white paper that Mr. Brock found and followed.

71 Responses

  1. Hi,

    I am currently – like right now – working with the DISA PKI/PKE team to get the process and procedures in place for Linux CAC support. I will be building RHEL5 RPMs for installing the certs for NIPR, SIPR, JITC_OandM, and Other. You will then be able to download these RPMs right next to the windows InstallRoot application and I will work with PKI to keep these updated until the work to add linux support to InstallRoot is completed.

    As a side note, work has already begun to add linux support to the actual InstallRoot application. However, developer time was cut a bit short and there is also an open bug in the Java NSS API which doesn’t allow us to properly code the database registration of the certs at the moment. This too is being worked.

    I will also have directions for updating the firmware of a SCR331 USB CCID reader and the links for the firmware and the drivers. The most current firmware for the SCR331 USB CCID reader is 5.22. The version usually found on the DISA SCR331 reader is 5.1x which isn’t fully CCID 1.0 compliant which gives the ccid package in RH fits.

    Also, if you are using FC6, FC7 or RHEL5, you don’t need to recompile PCSC-Lite, CCID, etc. Those packages are there and will work just fine.

    Please keep an eye on http://ossg.disa.mil/projects/linuxcac/ for updates.

    Yours,

    Aaron

    OSSG Technical and Project Lead

    • Aaron,

      Recently, I had to get a replacement CAC. Prior to the replacement my CAC worked beautifully in Ubuntu 9.10 AND 10.04. I have read there is a bug when using Coolkey. Is OSSG working closely with the Coolkey team to resolve this? If not, do you know of any other CAC Management Packages for Ubuntu/Debian? Thank you for your time.

      Jonathan

      • I get the “403: Access Forbidden” error on AKO since I got a new card. It works perfectly in Windows though, so I’m not sure where the disconnect is. Firefox shows “Not present” for status of the reader (SCR331) in the Device Manager. Everything shows up when I run pcsc_scan though, so the computer reads the card fine.

  2. Aaron, that is great news – very cool. I do not use RHEL, but I know plenty of folks do.

    Much appreciated!

  3. Symbolik,

    Your procedure works for Ubuntu 7.04. Thank you so much! This made my day.

    Notes for linux newbies like me:
    “Make the install directories” means execute the following commands:
    sudo mkdir -p /usr/cac/libusb-0.1.12
    sudo mkdir /usr/cac/pcsc-lite-1.4.3
    sudo mkdir /usr/cac/pcsc-tools-1.4.9
    sudo mkdir /usr/cac/ccid-1.3.0
    sudo mkdir /usr/cac/coolkey-1.1.0

    Maybe I should not have included the version numbers on the end, but this is how I got it working.

    I had to install these additional libraries:
    libc6-dev
    zlib1g
    zlib1g-dev
    zlibc

    and these programs:
    gcc
    g++

    Gnome-apt was useful for figuring out what I had installed and installing zlib.

    Also, Firefox has a DOD add-on that will get all the certificates for you. To get it, go here: https://addons.mozilla.org/en-US/firefox/addon/3182

    Lastly, in instruction 6 the command to start pcscd requires superuser privileges:
    sudo /usr/cac/sbin/pcscd

    I will be looking for comments as to whether the install directories made sense to Linux professionals.

    Ben

  4. Thanks for posting this… I think this is going to help out a lot, considering I travel all the time, hate windows, and currently have no way to check my work email on the road.

    I am having a problem… when I configure coolkey and get an error after it runs for awhile:

    #checking for a BSD-compatible install… /usr/bin/install -c
    #checking whether ln -s works… yes
    #checking for uncompress in -lz… no
    #configure: error: could not locate libz compression library

    I wasn’t sure if this affected anything. When I try to “make”, I get:

    jason@jason-laptop:~/coolkey-1.1.0$ make
    make: *** No targets specified and no makefile found. Stop.

    This is true, there is no makefile. I tried the automake command, but this did not work.

    Any ideas where I’m messing up? Thanks,
    Jason

  5. jason, you need to run ./configure to create the Makefile.

  6. Slightly off base here, but you are clearly experts: what is the format of a CAC file (e.g. the files that are used to distribute the root certificates of DoD certificate authorities? I can import them into (e.g.) Firefox and display them so there are no secrets, but I want to use my own software to import them and/or convert them to other format(s).

  7. Of course, http://ossg.disa.mil/projects/linuxcac/ gets a ‘403 Forbidden’ error, so it’s either a .mil-only site or the project has been shut down 😦 I recently flashed my CAC reader in an attempt to use it with my wife’s iMac, so I’m interested to see if I can get it working on Ubuntu as well. Now all I need is some open-source way to edit XML IMTs and I can buy that Macbook pro I want instead of a Windows laptop…

    jason: see Ben’s earlier post about having to install additional libraries. The “error: could not locate libz compression library” is significant because it kept a makefile from being built. Try installing zlibc to see if you can finish the ./configure.

  8. Wow – lotta comments here! Sorry I am just getting to this – I have been on vacation.

    TJ – you are correct about it being a .mil only web site.

    Jason – TJ’s tip is what I would start with – be sure zlibc is installed, then move on to “./configure”, “make”, etc.

    As far as the format of the certs – I really do not know much about that. I saved all of the certs manually through IE as .cer files, then moved them to my Linux box and imported them into Firefox. I do not remember all the details, other than I had to try saving in different formats before Firefox on Windows would take one. Sorry I can’t be more specific.

  9. And Ben – thanks for your input for Ubuntu distros. I am very glad you found the article useful.

  10. On fedora 7, it was extremely easy…the software was already installed for me. But if not for you (as root)

    yum -y install coolkey pcsc-lite pcsc-tools ccid libusb firefox

    Will install the required software.

    Then in firefox, click each of these links in order found at

    http://dodpki.c3pki.chamb.disa.mil/rootca.html

    http://dodpki.c3pki.chamb.disa.mil/rel3_dodroot_1024.cac
    http://dodpki.c3pki.chamb.disa.mil/rel3_dodroot_2048.cac
    http://dodpki.c3pki.chamb.disa.mil/dodeca.cac

    checking all three of the radio buttons.

    Then in firefox I had to go to
    Edit -> Preferences -> Advanced -> Encryption -> Security Devices -> Load

    and then put: /usr/lib64/pkcs11/libcoolkeypk11.so

    for the module filename. Yours may not need the 64.

    That was it.

  11. I posted directions for fedora 7 here a couple days ago and now they are gone? Will repost if there is assurance it won’t be deleted again.

  12. Cry – sorry if it looks like that, but I actually have not ever deleted a comment (other than spam). In fact, I have not even been back on the blog for a couple of weeks now. Not really sure what happened, but whatever useful comments and instructions you have to offer, I will graciously accept. Please try again. Thanks!

    Update – Cry, for some reason, your comment was in my Awaiting Moderation queue, so I approved it. Congrats – yours was the first to be moderated!

    I guess I need to check this a little more often, huh?

  13. Thanks for the help… it was the zlibc that I needed for the steps to work right. Ben said so from the start, but I wasn’t paying attention. Always learning!

  14. Thanks for approving my moderated email! No problems. It was just very confusing when the message was showing up when the system knew who I was and wasn’t when it didn’t.

    Has anyone reviewed the code for the addon mentioned above:

    https://addons.mozilla.org/en-US/firefox/addon/3182

    I took a quick look in it and it seems more intrusive than needed. Also, it makes one machine I tested it on ask for my CAC password when logging in to normal sites.

  15. No problem, Cry. Speaking of that addon, I have not checked into it, but now I do remember having this occur a few times as well.

  16. Procedure worked great . I got it to work on Ubuntu 7.04 on 64 bit intel core 2 duo.
    But :{

    The 64 bit firefox has plugin issues(flash,java) so I went back to the 32 bit firefox . Now the cac software no longer works . (32 bit firefox vs 64 bit cac I assume)

    Any thoughts ?

  17. I need some help here is the error I keep getting

    ../../libtool: line 1036: g++: command not found
    make[3]: *** [libcoolkeypk11_la-coolkey.lo] Error 1
    make[3]: Leaving directory `/home/kiwi/Desktop/coolkey-1.1.0/src/coolkey’
    make[2]: *** [all-recursive] Error 1
    make[2]: Leaving directory `/home/kiwi/Desktop/coolkey-1.1.0/src/coolkey’
    make[1]: *** [all-recursive] Error 1
    make[1]: Leaving directory `/home/kiwi/Desktop/coolkey-1.1.0′
    make: *** [all] Error 2

  18. John, I don’t use 64-bit, but I would think you need to rebuild the software specifically compiled for 32-bit. I do not know how to do this myself, but I’ll bet Google does. ^_________^

    If you get it working and want to post it, let me know. Good luck!

  19. higherclaws, make sure g++ is installed (try which g++, or whereis g++). Googling your error briefly seemed to point to this as an easy first step. If it is, I dunno – I would keep Googling (it is how I learn).

  20. got it to work with

    CXXFLAGS=-m32;export CXXFLAGS
    CFLAGS=-m32;export CFLAGS
    GNUTARGET=elf32-i386;export GNUTARGET
    declare -x PKG_CONFIG_PATH=/usr/cac/lib/pkgconfig
    cd /usr/local/cac-src-32
    cd libusb-0.1.12;./configure --prefix=/usr/cac;make;make install
    cd ../pcsc-lite-1.4.2;./configure --prefix=/usr/cac;make;make install
    cd ../pcsc-tools-1.4.8;vi ./Makefile;make;make install
    cd ../ccid-1.3.0;./configure --prefix=/usr/cac;make;make install
    cd ../coolkey-1.1.0;./configure --prefix=/usr/cac;make;make install

  21. The coolkey-devel and muscle lists are at http://www.redhat.com/mailman/listinfo/coolkey-devel and http://musclecard.com/list.html respectively. There are people from at least DISA, the Navy and the Air Force on those lists, who are quite sharp.

    rdesktop, which speaks RDP with Windows terminal servers, has smart card support in its CVS HEAD using the --enable-smartcard option to the configure script. This support is not in the 1.5.0 release. It also doesn’t work on Macs at the moment.

  22. Cry, symbolik: it appears that comments with links in them await moderation.

  23. i am having a problem getting pcsc-tools compiled and working. every time i use make i get this error.

    bh@bh-mobile:/usr/cac/pcsc-tools-1.4.10$ make
    cc -Wall -O2 -g -DVERSION=\”`echo \`pwd\` | sed s/.*tools-//`\” `pkg-config libpcsclite –cflags` -c -o pcsc_scan.o pcsc_scan.c
    Package libpcsclite was not found in the pkg-config search path.
    Perhaps you should add the directory containing `libpcsclite.pc’
    to the PKG_CONFIG_PATH environment variable
    No package ‘libpcsclite’ found
    pcsc_scan.c:32:22: error: winscard.h: No such file or directory
    pcsc_scan.c: In function ‘main’:
    pcsc_scan.c:56: error: ‘LONG’ undeclared (first use in this function)
    pcsc_scan.c:56: error: (Each undeclared identifier is reported only once
    pcsc_scan.c:56: error: for each function it appears in.)
    pcsc_scan.c:56: error: expected ‘;’ before ‘rv’
    pcsc_scan.c:57: error: ‘SCARDCONTEXT’ undeclared (first use in this function)
    pcsc_scan.c:57: error: expected ‘;’ before ‘hContext’
    pcsc_scan.c:58: error: ‘SCARD_READERSTATE_A’ undeclared (first use in this function)
    pcsc_scan.c:58: error: ‘rgReaderStates_t’ undeclared (first use in this function)
    pcsc_scan.c:59: error: ‘DWORD’ undeclared (first use in this function)
    pcsc_scan.c:59: error: expected ‘;’ before ‘dwReaders’
    pcsc_scan.c:60: error: ‘LPSTR’ undeclared (first use in this function)
    pcsc_scan.c:60: error: expected ‘;’ before ‘mszReaders’
    pcsc_scan.c:63: error: ‘MAX_ATR_SIZE’ undeclared (first use in this function)
    pcsc_scan.c:74: error: expected ‘)’ before ‘PCSCLITE_VERSION_NUMBER’
    pcsc_scan.c:130: error: ‘rv’ undeclared (first use in this function)
    pcsc_scan.c:130: warning: implicit declaration of function ‘SCardEstablishContext’
    pcsc_scan.c:130: error: ‘SCARD_SCOPE_SYSTEM’ undeclared (first use in this function)
    pcsc_scan.c:130: error: ‘hContext’ undeclared (first use in this function)
    pcsc_scan.c:131: error: ‘SCARD_S_SUCCESS’ undeclared (first use in this function)
    pcsc_scan.c:133: warning: implicit declaration of function ‘pcsc_stringify_error’
    pcsc_scan.c:133: warning: format ‘%s’ expects type ‘char *’, but argument 2 has type ‘int’
    pcsc_scan.c:158: warning: implicit declaration of function ‘SCardListReaders’
    pcsc_scan.c:158: error: ‘dwReaders’ undeclared (first use in this function)
    pcsc_scan.c:161: warning: format ‘%s’ expects type ‘char *’, but argument 2 has type ‘int’
    pcsc_scan.c:164: error: ‘dwReadersOld’ undeclared (first use in this function)
    pcsc_scan.c:167: error: ‘mszReaders’ undeclared (first use in this function)
    pcsc_scan.c:183: warning: format ‘%s’ expects type ‘char *’, but argument 2 has type ‘int’
    pcsc_scan.c:240: error: ‘SCARD_STATE_UNAWARE’ undeclared (first use in this function)
    pcsc_scan.c:246: warning: implicit declaration of function ‘SCardGetStatusChange’
    pcsc_scan.c:247: error: ‘SCARD_E_TIMEOUT’ undeclared (first use in this function)
    pcsc_scan.c:261: error: ‘SCARD_STATE_CHANGED’ undeclared (first use in this function)
    pcsc_scan.c:289: error: ‘SCARD_STATE_IGNORE’ undeclared (first use in this function)
    pcsc_scan.c:293: error: ‘SCARD_STATE_UNKNOWN’ undeclared (first use in this function)
    pcsc_scan.c:300: error: ‘SCARD_STATE_UNAVAILABLE’ undeclared (first use in this function)
    pcsc_scan.c:304: error: ‘SCARD_STATE_EMPTY’ undeclared (first use in this function)
    pcsc_scan.c:308: error: ‘SCARD_STATE_PRESENT’ undeclared (first use in this function)
    pcsc_scan.c:312: error: ‘SCARD_STATE_ATRMATCH’ undeclared (first use in this function)
    pcsc_scan.c:316: error: ‘SCARD_STATE_EXCLUSIVE’ undeclared (first use in this function)
    pcsc_scan.c:320: error: ‘SCARD_STATE_INUSE’ undeclared (first use in this function)
    pcsc_scan.c:324: error: ‘SCARD_STATE_MUTE’ undeclared (first use in this function)
    pcsc_scan.c:367: warning: format ‘%s’ expects type ‘char *’, but argument 2 has type ‘int’
    pcsc_scan.c:370: warning: implicit declaration of function ‘SCardReleaseContext’
    pcsc_scan.c:373: warning: format ‘%s’ expects type ‘char *’, but argument 2 has type ‘int’
    pcsc_scan.c:64: warning: unused variable ‘atr_command’
    pcsc_scan.c:63: warning: unused variable ‘atr’
    make: *** [pcsc_scan.o] Error 1

    any ideas?

    • Brandon H,

      Did you ever resolve your list of errors? I seem to be having the same difficulty.

      • Steve, brandon (sorry for the really late answer) – is pcsc-lite installed first? Also, what is your distro? For Ubuntu variants, and probably for Debian, you can install from the package repositories without having to compile and make anything. Unless you are running something different that does not have similar package support, or want/need functions available from a custom-rolled version or a later version than is packaged…
        In such case, I would see if pcsc-lite is first installed. I googled, but only found stuff two and three years old, so, YMMV. Maybe a different search engine will give better results….

  24. Does anyone know how to get around the errors with this for webmail.nmci.navy.mil? Nearly every link you click on within, it prompts for user/pass again, and it’s blank every time.

  25. Sorry, John, I have no idea. I suppose it could be as a result of how the OWA server is configured, in which case you are out of luck. Probably best to try it on multiple different computers to see if it is common to all of them, if you still cannot find any answers for a client-side fix.

  26. Have a problem with coolkey also after i enter
    ./configure -prefix=/usr/cac
    the last part reads
    checking for a BSD-compatible install… /usr/bin/install -c
    checking whether ln -s works… yes
    checking for uncompress in -lz… no
    configure: error: could not locate libz compression library
    any ideas? thanks

  27. Scott – I think I saw this when I setup CAC on Kubuntu 7.10. I ran Adept and searched the repositories for libz. I found the missing libraries that way. As soon as they were installed, I was able to complete the CAC install.

  28. well got coolkey installed, I think I got everything else installed,
    When I run pcscd everything seems good stops and restarts
    pcsc_scan recognizes the card reader as a SCR331 but thats it, no card info at all!
    What the heck am I missing?

  29. guess I forgot I am running Suse 10.3 shouldn’t really matter. I hope!

  30. Scott, does the card actually work? Can you use it to get into CAC-enabled websites? If not, have you checked if the firmware on the reader is the right version? If not, you will need to update it (need Windows for that – there is an article on this site for the procedure). Other than that, check your logs for error messages and start Googling, I guess. I see no reason why this should not work on Suse.

  31. Card works fine under windows the reader is a SCR 331 P/N 904622. the reader recognizes shows that the card is installed thats it!
    Stopping PC/SC smart card daemon done
    Starting PC/SC smart card daemon done
    Scott@linux-gg8s:~> pcsc_scan
    PC/SC device scanner
    V 1.4.12 (c) 2001-2008, Ludovic Rousseau
    Compiled with PC/SC lite version: 1.4.99
    Scanning present readers
    0: SCM SCR 331 (21120732230669) 00 00

    Wed Feb 20 16:50:11 2008
    Reader 0: SCM SCR 331 (21120732230669) 00 00
    Card state: Card inserted,

    The light on the card reader blinks just no card info. from what I understand I need it to recognize the card so Firefox can use the info. am I just way off base here?

  32. Scott, I am using pcsc_scan 1.4.11, compiled with PC/SC Lite 1.4.4. My card scans fine. Have you tried just seeing if Firefox works with the card, to eliminate the possibility of a problem only with the pcsc_scan package? If it does not work, I am at a loss, other than using Google and your logs to troubleshoot.

    It is possible you may need to remove and reinstall the CAC software (sorry for the Microsoft answer)….

    Wish I could be more helpful here.

  33. Thanks symbolik. after fixing the short between the chair and the keyboard I got it to work. had to find right Coolkeypk11.so. I had installed everything without putting it into the /usr/cac, made it a little harder to find the damn pk11. was in /usr/lib/
    Not sure if it will help anyone but keep trying you’ll get it. if I can do it anyone can!

  34. Glad you got it to work, Scott!

  35. I have been able to compile all of the required packages but when I try to load into Firefox it says unable to add module. Does anyone know what steps I need to take to get my card reader accessing cards? It seems it doesn’t read any further than the first line of the card….
    Here is my system log.
    Feb 4 10:32:20 linux-dm228 pcscd: eventhandler.c:418:EHStatusHandlerThread() Card inserted into SCR331 USB Smart Card Reader 00 00
    Feb 4 10:32:20 linux-dm228 pcscd: Card ATR: 3B DB 96 00 80 1F 03 00 31 C0 64 77 E3 03 00 82 90 00 C1
    Feb 4 10:34:35 linux-dm228 pcscd: eventhandler.c:349:EHStatusHandlerThread() Card Removed From SCR331 USB Smart Card Reader 00 00
    Feb 4 10:34:37 linux-dm228 pcscd: eventhandler.c:418:EHStatusHandlerThread() Card inserted into SCR331 USB Smart Card Reader 00 00
    Feb 4 10:34:37 linux-dm228 pcscd: Card ATR: 3B DB 96 00 80 1F 03 00 31 C0 64 77 E3 03 00 82 90 00 C1

  36. On a windows box we use ActivCard Gold. Are you saying i will not need this on a Ubuntu box and that I just need the drivers?

  37. Rybran: Sorry, no idea.

    Brian: ActiveCard gold is for Windows only (AFAIK). Not needed on Linux.

  38. when i run make for the pcsc-lite i get this:
    *** no targets specified and no make file found.

    Please help

  39. Brian, I seem to remember having the same problem. I brained my way out of it, but apparently wasn’t smart enough to jot down my solution.

    If you are using *buntu, try these links:

    https://help.ubuntu.com/community/CommonAccessCard
    http://ubuntuforums.org/showthread.php?t=457084

  40. For any one interested, I’ve made this work on openSuSE 11.0 by using packages available in default repositories:

    pcsc-lite
    ccid
    coolkey

    all installed from the Software Manager. Started pcscd and worked like a charm with the O2 based CAC reader in my Dell D630 laptop. I then followed the steps for Firefox with one exception, I use the DOD Certs addon. Just search for DOD in the addons.

    My USB reader at home though is “Bogus”

  41. Speaking of Dell D630 O2 based CAC reader. RHEL 5.3 now supports it native as well… Ensure the packages are installed like stated by Scott.

  42. Has anyone since fedora 4 had success importing their certs via a citrix portal. In the past I could digitally sign and encrypt however, now I get a ActivClient error complaining about not having a smartcard.

  43. I need help getting OWA to work. I’m running Firefox version 3.0.8 I’m unable to use the DoD add on.

    • Justin: Outlook Web Access? Hmmm… The DoD plugin should install the certs needed for DoD web sites that use CAC authentication, like AKO. I do not have much experience using OWA with Firefox. I thought it needed Explorer to fully leverage its capabilities…. Sorry I can’t be of more help.

  44. i’ve been using this for a while now under fedora 9. when i set mine up, it was similar to this way. i am air force and i am able to log into everything from home. a standard fedora distro comes with everything you need, fyi….

  45. josh: Very cool, ain’t it? Wish more military relied on Linux – maybe we could start pushing Microsoft out of DoD.

    Dare to dream….

  46. I’m a newbie, attempting to get an SCM SCR111 serial smart card reader to work on Xubuntu 9.0.4 (Jaunty) and Firefox 3.0.10. I have partial success. I’m using the Linux version of the SCR110 driver, along with the currently more simplified
    “sudo apt-get install coolkey pcscd pcsc-tools”. I realize that the USB SCR331 reader works but I like a challenge.

    “pcsc_scan” works, detecting the card reader and an inserted CAC card. I’ve loaded all the DOD certificates onto Firefox under Edit-Preferences-Advance-Encryption. While I have assigned the CAC Module to “/usr/lib/pkcs11/libcoolkeypk11.so”, Firefox returns the Status of “Not Present” for the actual card reader. That’s my only hiccup so far. Any suggestions welcomed.

    • Joat: I have never tried with a serial card. Everything sounds as if you are done. What do you do to get Firefox to give you a “Not Present” status? Is this when you are attempting to log into a CAC-protected DoD website? Do you get this with a USB reader as well? If USB works, then Firefox is not communicating with the serial port your reader is attached to and the solution may be as simple as a symbolic link somewhere.
      I leave you to your challenge – please let me know what your solution is. ^____^
      Good luck!

      • symbolik: In Firefox, when I assign the CAC Module to “/usr/lib/pkcs11/libcoolkeypk11.so”, Firefox does not recognize the reader (or the CAC card) as “Ready”. It won’t display any content of the CAC card either.

        In terminal, “pcsc_scan” will display my CAC card type, compared against the list created by Ludovic Rousseau.

        I haven’t tried using a USB Smart Card reader. I suspect that I would have better success with the SCR 331 model readers that others have reported.

        Yeah, I will continue my challenge to find where the missing link is between the serial (COM) port and Firefox. I don’t know if it matters that I’m using the serial SCR 111 model with the Linux SCR110 driver from M.U.S.C.L.E. Thanks for your input.

    • I’m having the exact same problem Joat. I’m using a SCR3310 reader. I was wondering if you ever got it to work? If so, what did you need to do?

      Thanks.

    • I’m having the same problem with the SCR331 USB reader. Firefox says “Not present” but pcsc_scan reads it fine. Not sure where the disconnect is.

      • carl, under Firefox Preferences, Advanced, Security Devices, make sure you have a security device loaded in Device Manager pointing to libcoolkeypk11.so (mine is in /usr/lib/pkcs11/). You can duplicate this in Thunderbird as well, for using your CAC with AKO, and with Adobe Acrobat Reader (the acroread package from the Ubuntu Partner repository) for signing PDF documents.
        This assumes the latest Firefox and Ubuntu, but should not differ much, if at all, for earlier versions.

  47. symbolik, I’ve done that already. That’s where Firefox says “Not present” for the CAC reader. I think this has to do with my card because my last CAC worked fine.

  48. carl, if pcsc_scan sees it, do other apps like Thunderbird and acroread see it as well? Is Firefox the only app that is not seeing the card? If so, try running Firefox from a shell so you can see possible error outputs when you try to use your card.

    Also, try hiding your current profile in the ~/.mozilla/Firefox folder (rename it to profile.old or something) and let Firefox create a new profile. If it works, then it would point to a problem with your old profile.

  56. These instructions are great, and i can log into all the DoD websites i need to except the mail.mil owa. I was blessed with a dual persona email acct and need to be able to log into my owa acct with my PIV cert instead of the typical email cert. Linux/Firefox sees that there is a PIV II cert there but after i select that cert i get a “Secure Connection Failed”. Am i just SOL on this or is there something i can do to prevent this from happening?
