I was able to get my government email working from the Air Force portal on the non-gov network today running Ubuntu Jaunty and Firefox 3. I am just hoping to consolidate several previous threads into this one for Jaunty.
(Update) Working on 11.04 - the Natty Narwhal with Firefox 11.0
- The first step was to purchase an SCR331 CAC card reader; they can be found in many places. This seems to be the most widely supported CAC reader.
- The second step was to install the necessary packages. I ran this command from the terminal (Applications -> Accessories -> Terminal) to install all the packages and their dependencies.
Code:
    sudo apt-get install libpcsclite-dev pcscd pcsc-tools libccid coolkey
In case you're wondering what all of those programs do, here's a quick breakdown:
- libpcsclite-dev: Middleware to access a smart card using PC/SC (development files)
- pcscd: Middleware to access a smart card using PC/SC (daemon side)
- pcsc-tools: Some tools to use with smart cards and PC/SC
- libccid: PC/SC driver for USB CCID smart card readers
- coolkey: Smart Card PKCS #11 cryptographic module
- Next I plugged in my CAC card reader with my CAC card inserted and ran pcsc_scan from the terminal
Code:
    pcsc_scan
which gave me the following output
Code:
    livingroom@livingroom-laptop:~$ pcsc_scan
    PC/SC device scanner
    V 1.4.14 (c) 2001-2008, Ludovic Rousseau <ludovic.rousseau@free.fr>
    Compiled with PC/SC lite version: 1.4.99
    Scanning present readers
    0: SCM SCR 331 00 00

    Fri Jul 24 09:39:45 2009
    Reader 0: SCM SCR 331 00 00
      Card state: Card inserted,
      ATR: 3B 7D 96 00 00 80 31 80 65 B0 83 11 13 AC 83 00 90 00

    ATR: 3B 7D 96 00 00 80 31 80 65 B0 83 11 13 AC 83 00 90 00
    + TS = 3B --> Direct Convention
    + T0 = 7D, Y(1): 0111, K: 13 (historical bytes)
      TA(1) = 96 --> Fi=512, Di=32, 16 cycles/ETU (223200 bits/s at 3.57 MHz)
      TB(1) = 00 --> VPP is not electrically connected
      TC(1) = 00 --> Extra guard time: 0
    + Historical bytes: 80 31 80 65 B0 83 11 13 AC 83 00 90 00
      Category indicator byte: 80 (compact TLV data object)
        Tag: 3, len: 1 (card service data byte)
          Card service data byte: 80
            - Application selection: by full DF name
            - EF.DIR and EF.ATR access services: by GET RECORD(s) command
            - Card with MF
        Tag: 6, len: 5 (pre-issuing data)
          Data: B0 83 11 13 AC
        Tag: 8, len: 3 (status indicator)
          LCS (life card cycle): 00 (No information given)
          SW: 9000 (Normal processing.)

    Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
        NONE

    Your card is not present in the database.
    You can get the latest version of the database from
      http://ludovic.rousseau.free.fr/softwares/pcsc-tools/smartcard_list.txt
    or use: wget http://ludovic.rousseau.free.fr/softwares/pcsc-tools/smartcard_list.txt --output-document=/home/livingroom/.smartcard_list.txt

    If your ATR is still not in the latest version then please send a mail
    to <ludovic.rousseau@free.fr> containing:
    - your ATR
    - a card description
As you can see, initially the DOD CAC card's signature is not recognised, so we must update the signatures as instructed in the output. Make sure you copy the command from your own output, because it writes the file into your home directory. For me it was:
Code:
    wget http://ludovic.rousseau.free.fr/softwares/pcsc-tools/smartcard_list.txt --output-document=/home/livingroom/.smartcard_list.txt
Another option here is to visit the author's site and download the file manually; just make sure to save it in your home folder as .smartcard_list.txt
http://ludovic.rousseau.free.fr/soft...tcard_list.txt
Now run pcsc_scan again and it should say the card is recognised.
- Now we need to set up the various DOD root certificates. I had to do this in two steps.
- Go to http://iase.disa.mil/pki-pke/function_pages/tools.html and download the InstallRoot #.## A file. This is a zip file containing the certificates. Extract it to a folder.
- From Firefox Edit-> Preferences -> Advanced -> Encryption
- Click Certificates -> Import, browse to the folder you just extracted the zip to and import, set it to trust all settings.
- Install additional DOD certificates and put a check-mark on all of them. Just click on each one and Firefox will ask you if it's ok; you may get an error saying it's already installed, which is fine.
http://dodpki.c3pki.chamb.disa.mil/rootca.html
- Continuing on, now we will make the CAC available to Firefox. Open Firefox and browse to:
- Edit-> Preferences -> Advanced -> Encryption
- Click on the Security Devices button
- Click the Load button to load a new module. Name it CAC Module and either type in or browse to /usr/lib/pkcs11/libcoolkeypk11.so
- A note here is that if you are running a 64 bit machine the path will be /usr/lib64/pkcs11/libcoolkeypk11.so
- From the devices window, enable FIPS. To do this you will have to click the default Firefox security device and hit "Change Password" (not on the CAC module) to set the initial password; then you should be able to click Enable FIPS
- Restart Firefox
- When you browse to a DOD site it will first ask you for the FIPS password that you set on the default device, then it should ask you for your CAC PIN. All certificates should now be available.
- In order to make your email work you must use specific portal settings. For the Air Force it required going into My Profile and entering the base-specific Outlook email server into the email settings field.
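What pcsc_scan does in the scan step above, as an added Python example (not part of the original post or of pcsc-tools): it decodes the ATR header bytes and then looks the ATR up in a smartcard_list.txt-style file. The list format assumed here (a regex ATR line followed by tab-indented description lines) and both list entries are constructed for illustration.

```python
import re

# Fi/Di tables from ISO/IEC 7816-3 (indices not listed are reserved).
FI = {0: 372, 1: 372, 2: 558, 3: 744, 4: 1116, 5: 1488, 6: 1860,
      9: 512, 10: 768, 11: 1024, 12: 1536, 13: 2048}
DI = {1: 1, 2: 2, 3: 4, 4: 8, 5: 16, 6: 32, 7: 64, 8: 12, 9: 20}

def parse_atr(atr_hex):
    """Split an ATR into convention, interface bytes and historical bytes."""
    b = bytes.fromhex(atr_hex)
    if len(b) < 2 or b[0] not in (0x3B, 0x3F):
        raise ValueError("not an ATR: TS must be 3B or 3F")
    iface, pos, y, i = {}, 2, b[1] >> 4, 1
    while y:                                 # Y(i) bits announce TA/TB/TC/TD(i)
        for bit, name in enumerate("ABCD"):
            if y & (1 << bit):
                if pos >= len(b):
                    raise ValueError("truncated ATR")
                iface[f"T{name}{i}"] = b[pos]
                pos += 1
        y = iface.get(f"TD{i}", 0) >> 4      # only TD(i) chains to a next group
        i += 1
    k = b[1] & 0x0F                          # K = number of historical bytes
    if len(b) < pos + k:
        raise ValueError("truncated historical bytes")
    ta1 = iface.get("TA1", 0x11)             # absent TA1 means Fi=372, Di=1
    return {"convention": "direct" if b[0] == 0x3B else "inverse",
            "interface": iface, "historical": b[pos:pos + k],
            "Fi": FI.get(ta1 >> 4), "Di": DI.get(ta1 & 0x0F)}

def identify(atr_hex, list_text):
    """Return the descriptions whose ATR pattern (a regex) matches atr_hex."""
    hits, matched = [], False
    for line in list_text.splitlines():
        if line.startswith("\t"):            # description of the preceding ATR
            if matched:
                hits.append(line.strip())
        elif line.strip() and not line.startswith("#"):
            matched = re.fullmatch(line.strip(), atr_hex) is not None
    return hits

# Constructed inputs: the ATR from the output above and two made-up entries.
ATR = "3B 7D 96 00 00 80 31 80 65 B0 83 11 13 AC 83 00 90 00"
SAMPLE_LIST = ("# constructed sample, not the real database\n"
               "3B 02 14 50\n\tconstructed entry: some other card\n"
               "3B 7D 96 00 00 80 31 80 65 B0 83 11 .. .. 83 00 90 00\n"
               "\tconstructed entry: card matching the ATR above\n")

if __name__ == "__main__":
    print(parse_atr(ATR))
    print(identify(ATR, SAMPLE_LIST) or "NONE")
```

An empty result from identify corresponds to the NONE line in the output: it means only that the list has no entry for the ATR, not that the reader or card is faulty.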