Have you been using my CAC?

For the record, if you say "CAC Card" in my presence you will be "SOL Luck" talking again soon.

If you are running Linux or Mac there is a good chance you haven’t been touching my CAC, otherwise known as Common Access Card. George Bush signed HSPD-12 way back in 2004 to mandate the usage of CAC and multifactor authentication on federal networks. The DoD giggled as it was already deploying limited installs at choice commands and was way ahead of the curve. The rest of the government and corporate entities are starting to roll out the installs, and a common theme I see is lack of heterogeneous OS support. In this day and age your CIO/CTO/CISO must think beyond what the Microsoft sales lead tells them and think of the user base. Here is a big hint to save you from looking silly – you can’t say iOS/Android development is important to your divisions and then mandate they use Windows computers to comply with your SmartCard policy. I only mention that having sat in the room when the mobile development PM had to make his leadership aware they were basically shutting his group down.

The great thing about the OSS community is they recognize the shortfall in SmartCard support and have risen to the challenge. OpenSC has made great strides in supporting the technology for authentication and SSO-type installs. I can personally vouch that the instructions below will allow you to use your SmartCard on the world’s second-largest IT network with no trouble. There are commercial packages that will provide a nice GUI and support plans, but if your enterprise just has a few geeks in the basement needing support, the ROI may not be worth it. A few gotchas to be aware of:

  • While the site states Linux/Mac support, Linux is really the only full-featured platform
  • Snow Leopard requires the beta builds. Apple changed the crypto mechanism from 10.5 to 10.6 and Safari is no longer supported. If you are using your SmartCard for web-based applications you must use Firefox
  • Ensure your card reader is supported. If you are a Dell house then the Cherry Keyboards with built-in SmartCard reader work great. Here is a full list.
  • If you are scared of the Command Line I recommend you skip this and look at a commercial package instead

Instructions for Install on Snow Leopard:

  1. Download http://www.opensc-project.org/files/sca/experimental/sca-0.3.0-pre3.dmg
  2. Mount the .dmg
  3. Run the installer.
  4. Launch Firefox.
  5. In Firefox, select “Firefox -> Preferences”, click on the “Advanced” tab, then click on “Encryption” tab, then click on “Security Devices”…
  6. Click on “Load” button, then type in Module Name of “OpenSC PKCS#11 Module”
  7. I found I had to type the path to the library in manually; it is “/Library/OpenSC/lib/opensc-pkcs11.so”
  8. Click OK, then quit and relaunch Firefox.
  9. Connect to a website that requires SmartCard access using Firefox, select to use “SecureBadge”. It will ask for your PIN, then will authenticate you.

Instructions for Debian-based distros, e.g. Ubuntu:

  1. As root or with sudo: apt-get install opensc mozilla-opensc libp11
  2. Launch Firefox.
  3. In Firefox, select “Firefox -> Preferences”, click on the “Advanced” tab, then click on “Encryption” tab, then click on “Security Devices”…
  4. Click on “Load” button, then type in Module Name of “OpenSC PKCS#11 Module”
  5. I found I had to type the path to the library in manually; it is “/usr/lib/onepin-opensc-pkcs11.so”
  6. Click OK, then quit and relaunch Firefox.
  7. Connect to a website that requires SmartCard access using Firefox, select to use “SecureBadge”. It will ask for your PIN, then will authenticate you.
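The Firefox "Security Devices -> Load" steps in both the Snow Leopard and the Ubuntu procedures above can be scripted, which matters once you have more than a handful of workstations to configure. The script below is an added example, not code from the original post or from the OpenSC project. It locates the OpenSC PKCS#11 library, registers it in a Firefox profile's NSS database with NSS's own modutil (package libnss3-tools on Debian/Ubuntu) under the same module name used in the steps above, and then checks that OpenSC actually sees a reader and a card. Assumptions: the candidate library paths beyond the two named in the post, that modutil, opensc-tool and pkcs11-tool are on the PATH, and that the Firefox profile directory is passed as the first argument.

```shell
#!/bin/sh
# Added example (not from the original post): scripts the Firefox "Security Devices -> Load"
# step for the OpenSC PKCS#11 module and verifies the reader and card with OpenSC's tools.

# The module name Firefox shows under Security Devices; same string as in the post.
MODULE_NAME="OpenSC PKCS#11 Module"

# NSS database flavour. Current Firefox profiles use the sql (cert9.db/pkcs11.txt) format;
# for the legacy secmod.db profiles of Firefox versions from the Snow Leopard era, run with
# NSS_DB_PREFIX="" so modutil edits the dbm database Firefox actually reads.
NSS_DB_PREFIX="${NSS_DB_PREFIX-sql:}"

# Print the first readable library from the candidate paths given as arguments.
find_pkcs11_module() {
    for candidate in "$@"; do
        if [ -r "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Candidate paths: the two from the post, plus the multiarch path that current Debian/Ubuntu
# opensc packages install to (assumption: adjust for your distribution and architecture).
default_candidates() {
    printf '%s\n' \
        /Library/OpenSC/lib/opensc-pkcs11.so \
        /usr/lib/onepin-opensc-pkcs11.so \
        /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so \
        /usr/lib/opensc-pkcs11.so
}

# Report whether a module with our name is already loaded in the profile's NSS database.
# Usage: module_registered PROFILE_DIR
module_registered() {
    modutil -dbdir "${NSS_DB_PREFIX}$1" -list 2>/dev/null | grep -q "$MODULE_NAME"
}

# Register the library in the profile. Firefox must be closed while this runs: it holds a
# lock on its database. -force answers modutil's confirmation prompt so this runs unattended.
# Usage: register_module LIB_PATH PROFILE_DIR
register_module() {
    lib="$1"; profile="$2"
    if module_registered "$profile"; then
        echo "$MODULE_NAME already registered in $profile"
        return 0
    fi
    modutil -dbdir "${NSS_DB_PREFIX}$profile" -add "$MODULE_NAME" -libfile "$lib" -force
}

# Confirm OpenSC sees a reader and that the library exposes a slot before trying a website.
# opensc-tool -l lists readers; pkcs11-tool -L lists PKCS#11 slots through the library.
verify_card() {
    opensc-tool -l
    pkcs11-tool --module "$1" -L
}

main() {
    profile="$1"
    # Word-splitting the candidate list is safe: none of the paths contain whitespace.
    lib=$(find_pkcs11_module $(default_candidates)) || {
        echo "no OpenSC PKCS#11 library found; install opensc (or the Mac .dmg) first" >&2
        return 1
    }
    echo "using $lib"
    register_module "$lib" "$profile"
    verify_card "$lib"
}

# Run only when a Firefox profile directory is supplied, e.g.
#   sh opensc-firefox.sh ~/.mozilla/firefox/abcd1234.default
if [ -n "${1:-}" ]; then
    main "$1"
fi
```

After the script runs, relaunch Firefox and the module appears under Security Devices exactly as if you had clicked Load; the PIN prompt on the first SmartCard site works the same way. If verify_card lists no reader, sort out the reader support (see the gotchas above) before blaming Firefox.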

These are really the first few steps to getting SmartCards working. If you can access the websites using your card then you are just a few steps away from loading the required PAM modules and integrating your systems into Active Directory. That blog post is more likely to be part of a book than online as it is VERY extensive. Feel free to drop me any questions you might have!