Most if not all US Government employees are now issued a CAC (Common Access Card). This includes active members of the Armed Services and civilian government employees. Many government contractors may also be issued a CAC.
The CAC serves as an identification card that humans can read and includes a picture, expiration date, and ID number. The CAC is also a Smart Card that can be read to access government-signed certificates stored on the CAC. Reading the CAC requires entry of a Personal Identification Number (PIN). The combination of the CAC (something you have) and the PIN (something you know) for authentication is a form of two-factor authentication, which is a requirement to access many U.S. Government (USG) Information Systems (IS) and the preferred way for many more.
Getting a US Government CAC to work on a 64-bit RHEL 6.4 machine or a 64-bit CentOS 6.4 machine running the x86_64 version of Firefox is a lot easier than getting a CAC to work on Linux was in the past. The US Government mostly uses MS Windows workstations and offers little or no official support for using a CAC on another platform.
This procedure has been used on Red Hat Enterprise Linux (RHEL) 6.4 machines and CentOS 6.4 machines and should also work on Scientific Linux (SL) 6.4 machines.
Install esc (Enterprise Security Client Smart Card Client), which will cause the ccid, coolkey, pcsc-lite, and pcsc-lite-libs dependencies to be installed.
yum -y install esc
Update xulrunner which updates firefox.
yum -y update xulrunner
Reboot
At this point the "Smart Card Manager" can see information on the CAC card.
In Firefox, select "Preferences" from the "Edit" menu. Click on the "Advanced" icon and then select the "Encryption" tab.
Click on the "Security Devices" button and then the "Load" button in the window that appears. Under "Module Name" put a name you will recognize such as "CAC Reader".
Click the browse button and navigate to /usr/lib64/pkcs11/libcoolkeypk11.so and select that, or, alternatively, enter "/usr/lib64/pkcs11/libcoolkeypk11.so" in the "Module Filename" field.
The "CAC Reader" module will now appear in the previous window, and, if you have a CAC Reader plugged into the computer with a CAC inserted, your personal information will appear as well.
Once you are at this point you can now visit DoD CAC enabled sites.
You could install DoD root certificates but then you would have to keep updating them anyway.
Expired certificates that have been added by exception may have to be deleted before you can add a new certificate for the same site.
These appear in Firefox -> Edit -> Preferences -> Advanced -> Encryption -> View Certificates -> Servers
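A post-install check for the steps above, as an added example that is not part of the original page. It assumes Firefox profiles live under ~/.mozilla/firefox, that each profile contains prefs.js, and that the NSS module database (secmod.db or pkcs11.txt) stores the library path as plain text; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify the CAC setup described on this page.
# Package names and the module path are the ones the page names.
CAC_PKGS="esc ccid coolkey pcsc-lite pcsc-lite-libs"
COOLKEY_LIB="${COOLKEY_LIB:-/usr/lib64/pkcs11/libcoolkeypk11.so}"

# Print each package from CAC_PKGS that rpm does not report as installed.
missing_packages() {
    for pkg in $CAC_PKGS; do
        rpm -q "$pkg" >/dev/null 2>&1 || echo "$pkg"
    done
}

# Succeed if the profile's NSS module database references the library path.
# Assumption: the path is stored as plain text in secmod.db or pkcs11.txt.
profile_has_module() {
    for db in "$1/secmod.db" "$1/pkcs11.txt"; do
        if [ -f "$db" ] && grep -qF -- "$2" "$db"; then
            return 0
        fi
    done
    return 1
}

# Check every profile (directory holding prefs.js) under a Firefox directory.
# Prints one status line per profile; returns non-zero if any lacks the module.
check_profiles() {
    rc=0
    for profile in "$1"/*/; do
        profile=${profile%/}
        [ -f "$profile/prefs.js" ] || continue
        if profile_has_module "$profile" "$2"; then
            echo "OK       $profile"
        else
            echo "MISSING  $profile"
            rc=1
        fi
    done
    return $rc
}

# Run the full check only when asked, e.g.: sh cac-check.sh --check
if [ "${1:-}" = "--check" ]; then
    missing=$(missing_packages)
    [ -z "$missing" ] || echo "Not installed:" $missing
    [ -r "$COOLKEY_LIB" ] || echo "Module file not readable: $COOLKEY_LIB"
    pgrep -x pcscd >/dev/null || echo "pcscd is not running"
    check_profiles "$HOME/.mozilla/firefox" "$COOLKEY_LIB"
fi
```

A profile reported as MISSING has not had the "Load" step applied; the module is registered per Firefox profile, not system-wide.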
Retrieved from "https://intrawiki.arsc.edu/index.php/Card_reader" - Saturday, May 18, 2013 @ 7:06:12 PM (Alaska Time)