Can anyone help with getting the new DoD CACs (Smart Card) to work in
CentOS 6.6? I don't use it for console logins, only for email and .mil
web sites.

I recently had to get a new DoD CAC (Smart Card) when one of the
buildings I work in upgraded their security system. My old CAC was
working fine prior to this for signing and encrypting email and for
authenticating to various DoD (.mil) sites from the Internet using the
coolkey libraries. 

After getting my new CAC I am no longer able to authenticate to any DoD
sites. I can still sign and encrypt email in Thunderbird via the coolkey
libraries but .mil sites either simply display blank pages or raise
various errors in Firefox. I am prompted for my PIN, which is
successfully accepted, but I'm not even prompted for which cert to use,
like I used to be.

I've tried installing and loading the latest "cackey" libraries (see
below) but when I insert my CAC and attempt to log in to the module in
the Mozilla device manager it completely freezes Firefox. Recovery
requires killing Firefox. If I remove the latest and install the next
previous cackey library it works the same as coolkey - doesn't freeze up
Firefox but never connects to .mil sites.

I tried building the cackey RPMs from the source RPMs too but the result
is the same.

Latest 64-bit cackey: cackey-0.6.8-3522.x86_64.rpm
Next previous cackey: cackey-0.6.5-2444.x86_64.rpm

I'm pretty sure it has something to do with the newer PIV CAC internal
layout. I went through a similar transition when the GEMAL 144 cards
came out but the cackey libraries did at least work and coolkey
eventually caught up.

One thing is for sure... the cackey RPM from forge.mil is not a drop-in
replacement for coolkey. The cackey RPM only installs the libraries
themselves, nothing else. It doesn't even register them in the nss db; I
had to do that manually with modutil. I must be missing something...

Without direct access to forge.mil it's difficult to troubleshoot
cackey. For some silly reason they still require CAC authentication to
get the CAC software and drivers and access the forums, etc.

More relevant information below...

I'd be grateful for any ideas or advice on this. I desperately need to
retrieve vulnerability reports, patches, and other DoD resources.
Thanks!

Cal Webster




Smart Card Reader:
SCM Microsystems Inc. SCR3310 USB Smart Card Reader (21120628202509) 00 00-0

Old CAC:        GEMAL TO TOPDL GX4 144
New CAC:        G&D FIPS 201 SCE 3.2


[root@inet3 ~]# cat /etc/redhat-release
CentOS release 6.6 (Final)
[root@inet3 ~]# uname -a
Linux inet3 2.6.32-504.1.3.el6.x86_64 #1 SMP Tue Nov 11 17:57:25 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
[root@inet3 ~]#

Installed Packages

coolkey.i686                       1.1.0-32.el6                @base
coolkey.x86_64                     1.1.0-32.el6                @base
firefox.i686                       31.2.0-3.el6.centos         @updates
firefox.x86_64                     31.2.0-3.el6.centos         @updates
thunderbird.x86_64                 31.2.0-3.el6.centos         @updates
pcsc-lite.x86_64                   1.5.2-14.el6                @base   
pcsc-lite-devel.x86_64             1.5.2-14.el6                @base   
pcsc-lite-libs.x86_64              1.5.2-14.el6                @base   
nss.i686                           3.16.1-14.el6               @base   
nss.x86_64                         3.16.1-14.el6               @base   
nss-devel.x86_64                   3.16.1-14.el6               @base   
nss-softokn.i686                   3.14.3-18.el6_6             @updates
nss-softokn.x86_64                 3.14.3-18.el6_6             @updates
nss-softokn-devel.x86_64           3.14.3-18.el6_6             @updates
nss-softokn-freebl.i686            3.14.3-18.el6_6             @updates
nss-softokn-freebl.x86_64          3.14.3-18.el6_6             @updates
nss-softokn-freebl-devel.x86_64    3.14.3-18.el6_6             @updates
nss-sysinit.x86_64                 3.16.1-14.el6               @base   
nss-tools.x86_64                   3.16.1-14.el6               @base   
nss-util.i686                      3.16.1-3.el6                @base   
nss-util.x86_64                    3.16.1-3.el6                @base   
nss-util-devel.x86_64              3.16.1-3.el6                @base   


[root@inet3 ~]# modutil -list -dbdir /etc/pki/nssdb

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. CoolKey PKCS #11 Module
        library name: libcoolkeypk11.so
         slots: 1 slot attached
        status: loaded

         slot: SCM Microsystems Inc. SCR3310 USB Smart Card Reader (21120628202
        token: WEBSTER.CALVIN.DALE.9427154028

  3. cackey
        library name: libcackey.so
         slots: 2 slots attached
        status: loaded

         slot: CACKey Slot
        token: WEBSTER.CALVIN.DALE.9427154028

         slot: CACKey Slot
        token: DoD Certificates
-----------------------------------------------------------
[root@inet3 ~]# 


_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
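
A check for the module listing shown in the post above, as an added example that is not part of the original message: it reads `modutil -list` output and reports any token that more than one PKCS #11 module exposes, as the CoolKey and cackey entries do in that listing. The sample listing is constructed and abridged, with a placeholder token and reader name, and `shared_tokens` is a hypothetical function name.

```shell
#!/bin/sh
# Added example: list tokens that more than one PKCS #11 module exposes.
# Real use: modutil -list -dbdir /etc/pki/nssdb | shared_tokens
# Constructed, abridged sample in the layout of `modutil -list` output.
sample_listing() {
cat <<'EOF'
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
        status: loaded

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. CoolKey PKCS #11 Module
        library name: libcoolkeypk11.so
        status: loaded

         slot: Example Reader 00 00
        token: LAST.FIRST.MIDDLE.0000000000

  3. cackey
        library name: libcackey.so
        status: loaded

         slot: CACKey Slot
        token: LAST.FIRST.MIDDLE.0000000000

         slot: CACKey Slot
        token: DoD Certificates
-----------------------------------------------------------
EOF
}

# shared_tokens (hypothetical name): reads a listing on stdin and prints
# "token: module | module" for each token seen under two or more modules.
shared_tokens() {
  awk '
    /^ *[0-9]+\. / { sub(/^ *[0-9]+\. */, ""); sub(/ *$/, ""); module = $0; next }
    /^ *token: /   { sub(/^ *token: */, ""); sub(/ *$/, "")
                     if (($0, module) in seen) next
                     seen[$0, module] = 1; n[$0]++
                     mods[$0] = (n[$0] > 1 ? mods[$0] " | " : "") module }
    END { for (t in n) if (n[t] > 1) print t ": " mods[t] }
  '
}

sample_listing | shared_tokens
```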
