In case there are any DoD Solaris users lurking out there, I updated the
below steps to get DoD CAC support in the Solaris 11 11/11 release
(snv_175):
PCSC (pcsc-lite-1.6.1):
env LIBUSB_CFLAGS="-I/usr/include" LIBUSB_LIBS="-L/usr/lib -lusb" \
    ./configure CCC=/opt/sunstudio12.1/bin/CC CC=/opt/sunstudio12.1/bin/cc \
    --prefix=/usr/local --enable-debugatr --enable-libusb --disable-libhal
make
su
make install
CCID (ccid-1.3.13):
env PCSC_CFLAGS=-I/usr/local/include/PCSC \
    PCSC_LIBS="-L/usr/local/lib -lpcsclite" \
    ./configure LIBUSB_CFLAGS=-I/usr/include LIBUSB_LIBS="-L/usr/lib -lusb" \
    CCC=/opt/sunstudio12.1/bin/CC CC=/opt/sunstudio12.1/bin/cc \
    --prefix=/usr/local --enable-usbdropdir=/usr/local/pcsc/drivers
make
su
make install
OpenSC (opensc-0.12.2):
env PCSC_CFLAGS=-I/usr/local/include/PCSC \
    PCSC_LIBS="-L/usr/local/lib -lpcsclite" \
    ./configure --prefix=/usr/local --sysconfdir=/etc --enable-pcsc \
    CCC=/opt/sunstudio12.1/bin/CC CC=/opt/sunstudio12.1/bin/cc
make
su
make install
pfexec vi /usr/local/etc/opensc.conf
Look for these lines:
# PKCS#15 initialization / personalization
# profiles directory for pkcs15-init.
# Default: /usr/local/share/opensc
#
# profile_dir = /usr/local/share/opensc;
# What reader drivers to load at start-up
#
# A special value of 'internal' will load all
# statically linked drivers. If an unknown (ie. not
# internal) driver is supplied, a separate configuration
# configuration block has to be written for the driver.
# Default: internal
# NOTE: if "internal" keyword is used, must be the
# last entry in reader_drivers list
#
# reader_drivers = openct, ctapi;
And change the reader_drivers line to:
reader_drivers = pcsc;
Then look for these lines:
# Use specific pcsc provider.
# Default: /usr/lib/libpcsclite.so
# provider_library = /usr/lib/libpcsclite.so
And change the last line to:
provider_library = /usr/local/lib/libpcsclite.so.1.0.0
Save changes.
In a second terminal:
su
ln -s /usr/local/etc/opensc.conf /etc/opensc.conf
/usr/local/sbin/pcscd -d -f
Now to run OpenSC back in our first terminal:
pfexec /usr/local/bin/opensc-tool -l
# Detected readers (pcsc)
Nr. Card Features Name
0 Yes SCM SCR 331 (21120727G00110) 00 00
To use a DoD CAC with Firefox:
Edit > Preferences
Go to the 'Advanced' icon/option up top, then to the 'Encryption' tab
Click the 'Security Devices' button
Click the 'Load' button, type in an appropriate module name such as
"OpenSC DoD CAC" and select the path to the following:
/usr/local/lib/pkcs11/opensc-pkcs11.so
Restart Firefox and enjoy CAC support in Solaris 11 (11/11). :)
On 01/20/11 02:53 PM, Kevin Reinholz wrote:
It's been a while, but as I finally solved this issue, sharing what I did so
other DoD CAC holders can get more joy out of Solaris.
I did this on Solaris 11 Express snv_151a, and I have a PIV-compliant GEMALTO
TOPDLGX4 144 Common Access Card (CAC).
Here are the compiling/configuration options I used to get CAC support in
Solaris 11:
Download pcsc-lite-1.6.1, ccid-1.3.13, and opensc-0.12.0. (I had to use older
versions of pcsc-lite and ccid because as of ccid-1.4.0 support for libusb-0.1
has been dropped in favor of libusb-1.0, and Oracle is still packaging
libusb-0.1 with Solaris snv_151a).
PCSC-LITE-1.6.1:
Download and extract, then:
env LIBUSB_CFLAGS="-I/usr/include" LIBUSB_LIBS="-L/usr/lib -lusb" \
    ./configure CCC=/opt/sunstudio12.1/bin/CC CC=/opt/sunstudio12.1/bin/cc \
    --prefix=/usr/local --enable-debugatr --enable-libusb --disable-libhal
make
pfexec make install
CCID-1.3.13:
Download and extract, then:
env PCSC_CFLAGS=-I/usr/local/include/PCSC \
    PCSC_LIBS="-L/usr/local/lib -lpcsclite" \
    ./configure LIBUSB_CFLAGS=-I/usr/include LIBUSB_LIBS="-L/usr/lib -lusb" \
    CCC=/opt/sunstudio12.1/bin/CC CC=/opt/sunstudio12.1/bin/cc \
    --prefix=/usr/local --enable-usbdropdir=/usr/local/pcsc/drivers
make
pfexec make install
OPENSC-0.12.0:
Download and extract, then:
env PCSC_CFLAGS=-I/usr/local/include/PCSC \
    PCSC_LIBS="-L/usr/local/lib -lpcsclite" \
    ./configure --prefix=/usr/local --sysconfdir=/etc --enable-pcsc \
    CCC=/opt/sunstudio12.1/bin/CC CC=/opt/sunstudio12.1/bin/cc
make
pfexec make install
pfexec vi /usr/local/etc/opensc.conf
Look for these lines:
# PKCS#15 initialization / personalization
# profiles directory for pkcs15-init.
# Default: /usr/local/share/opensc
#
# profile_dir = /usr/local/share/opensc;
# What reader drivers to load at start-up
#
# A special value of 'internal' will load all
# statically linked drivers. If an unknown (ie. not
# internal) driver is supplied, a separate configuration
# configuration block has to be written for the driver.
# Default: internal
# NOTE: if "internal" keyword is used, must be the
# last entry in reader_drivers list
#
# reader_drivers = openct, ctapi;
And change the reader_drivers line to:
reader_drivers = pcsc;
Then look for these lines:
# Use specific pcsc provider.
# Default: /usr/lib/libpcsclite.so
# provider_library = /usr/lib/libpcsclite.so
And change the last line to:
provider_library = /usr/local/lib/libpcsclite.so.1.0.0
Save changes and exit.
In a second terminal:
pfexec /usr/local/sbin/pcscd -d -f
Now to verify that OpenSC can "see" my smart card reader via pcsc-lite back in
my first terminal:
pfexec /usr/local/bin/opensc-tool -l
# Detected readers (pcsc)
Nr. Card Features Name
0 Yes SCM SCR 331 (21120727G00110) 00 00
To use a DoD CAC with Firefox:
Edit > Preferences
Go to the 'Advanced' icon/option up top, then to the 'Encryption' tab
Click the 'Security Devices' button
Click the 'Load' button, type in an appropriate module name such as "OpenSC DoD
CAC" and select the path to the following:
/usr/local/lib/pkcs11/opensc-pkcs11.so
Login from the security modules section of Firefox (and Thunderbird) works with
the CAC PIN, and I successfully tested this with Air Force Portal, a
CAC-restricted site.
_______________________________________________
crypto-discuss mailing list
crypto-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/crypto-discuss
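
The two opensc.conf edits described in the posts above can be checked with a short script before starting pcscd or loading the PKCS#11 module. This is an added example, not part of the original posts: the function names are hypothetical, the sample config is constructed, and the permission check on the provider library is an added assumption about what a sound install under /usr/local looks like.

```shell
#!/bin/sh
# Added example, not from the original posts: verify the opensc.conf edits.

# Print the value of the last uncommented "key = value" line for key $2 in file $1.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^;#]*\).*/\1/p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Succeed if $1 is a regular file (symlinks followed) that is not writable
# by group or others; pcscd and the browser both load code from it.
lib_is_safe() {
    [ -f "$1" ] || return 1
    case $(ls -ldL "$1" | cut -c1-10) in
        ?????w????|????????w?) return 1 ;;
    esac
    return 0
}

# Return 0 if the config matches the posts, 1 if reader_drivers is not pcsc,
# 2 if provider_library is unset, 3 if the library is missing or writable.
check_opensc_conf() {
    [ "$(conf_value "$1" reader_drivers)" = "pcsc" ] || return 1
    lib=$(conf_value "$1" provider_library)
    [ -n "$lib" ] || return 2
    lib_is_safe "$lib" || return 3
    return 0
}

# Constructed sample: stock commented lines plus the two edits.
# $1 is the file to write, $2 the provider library path to record.
write_sample_conf() {
    cat > "$1" <<EOF
# reader_drivers = openct, ctapi;
reader_drivers = pcsc;
# provider_library = /usr/lib/libpcsclite.so
provider_library = $2
EOF
}

# Usage: sh check_opensc.sh /etc/opensc.conf
if [ $# -gt 0 ]; then
    check_opensc_conf "$1"; rc=$?
    echo "check_opensc_conf $1 -> $rc"
    exit "$rc"
fi
```

A result of 1 or 2 usually means the edited line is still commented out; a result of 3 means the library path in the config does not match what `make install` actually placed under /usr/local/lib, or its permissions are too loose.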