
Thread: How To: Setup DOD Common Access Card (CAC) for service portals

#1 (Join Date: May 2007, Beans: 14)

    How To: Setup DOD Common Access Card (CAC) for service portals

    I was able to get my government email working from the Air Force portal on the non-gov network today running Ubuntu Jaunty and Firefox 3. I am just hoping to consolidate several previous threads into this one for Jaunty.

    (Update) Working on 11.04 - the Natty Narwhal with Firefox 11.0

    1. The first step was to purchase an SCR331 CAC card reader; they can be found in many places. This seems to be the most widely supported CAC reader.
    2. The second step was to install the necessary packages. I ran this command from the terminal (Applications -> Accessories -> Terminal) to install all the packages and their dependencies.

      Code:
      sudo apt-get install libpcsclite-dev pcscd pcsc-tools libccid coolkey
      In case you're wondering what all of those programs do, here's a quick breakdown:
      • libpcsclite-dev: Middleware to access a smart card using PC/SC (development files)
      • pcscd: Middleware to access a smart card using PC/SC (daemon side)
      • pcsc-tools: Some tools to use with smart cards and PC/SC
      • libccid: PC/SC driver for USB CCID smart card readers
      • coolkey: Smart Card PKCS #11 cryptographic module

    3. Next I plugged in my CAC card reader with my CAC card inserted and ran pcsc_scan from the terminal:
      Code:
      pcsc_scan
      which gave me the following output
      Code:
      livingroom@livingroom-laptop:~$ pcsc_scan
      PC/SC device scanner
      V 1.4.14 (c) 2001-2008, Ludovic Rousseau <ludovic.rousseau@free.fr>
      Compiled with PC/SC lite version: 1.4.99
      Scanning present readers
      0: SCM SCR 331 00 00
      
      Fri Jul 24 09:39:45 2009
       Reader 0: SCM SCR 331 00 00
        Card state: Card inserted, 
        ATR: 3B 7D 96 00 00 80 31 80 65 B0 83 11 13 AC 83 00 90 00
      
      ATR: 3B 7D 96 00 00 80 31 80 65 B0 83 11 13 AC 83 00 90 00
      + TS = 3B --> Direct Convention
      + T0 = 7D, Y(1): 0111, K: 13 (historical bytes)
        TA(1) = 96 --> Fi=512, Di=32, 16 cycles/ETU (223200 bits/s at 3.57 MHz)
        TB(1) = 00 --> VPP is not electrically connected
        TC(1) = 00 --> Extra guard time: 0
      + Historical bytes: 80 31 80 65 B0 83 11 13 AC 83 00 90 00
        Category indicator byte: 80 (compact TLV data object)
          Tag: 3, len: 1 (card service data byte)
            Card service data byte: 80
              - Application selection: by full DF name
              - EF.DIR and EF.ATR access services: by GET RECORD(s) command
              - Card with MF
          Tag: 6, len: 5 (pre-issuing data)
            Data: B0 83 11 13 AC
          Tag: 8, len: 3 (status indicator)
            LCS (life card cycle): 00 (No information given)
            SW: 9000 (Normal processing.)
      
      Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
      	NONE
      
      Your card is not present in the database.
      You can get the latest version of the database from
        http://ludovic.rousseau.free.fr/softwares/pcsc-tools/smartcard_list.txt
      or use: wget http://ludovic.rousseau.free.fr/softwares/pcsc-tools/smartcard_list.txt --output-document=/home/livingroom/.smartcard_list.txt
      
      If your ATR is still not in the latest version then please send a mail
      to <ludovic.rousseau@free.fr> containing:
      - your ATR
      - a card description
      As you can see, initially the DOD CAC card's signature is not recognised, so we must update the signatures as instructed by the output. Make sure you copy the command from your own output, because it writes the file into your home directory. For me it was:
      Code:
      wget http://ludovic.rousseau.free.fr/softwares/pcsc-tools/smartcard_list.txt --output-document=/home/livingroom/.smartcard_list.txt
      Another option here is to visit the author's site and download the file manually; just make sure to save it in your home folder as .smartcard_list.txt
      http://ludovic.rousseau.free.fr/soft...tcard_list.txt

      Now run pcsc_scan again and it should say the card is recognised.

    4. Now we need to set up the various DOD root certificates. I had to do this in two steps.
      1. Go to http://iase.disa.mil/pki-pke/function_pages/tools.html and download the InstallRoot #.## A file. This is a zip file containing the certificates. Extract it to a folder.
      2. From Firefox, Edit -> Preferences -> Advanced -> Encryption
      3. Click Certificates -> Import, browse to the folder you just extracted the zip to and import; set it to trust all settings.
      4. Install the additional DOD certificates and put a check-mark on all of them. Just click on each one and Firefox will ask you if it's ok; you may get an error saying it's already installed, which is fine.
        http://dodpki.c3pki.chamb.disa.mil/rootca.html

    5. Continuing on, now we will make the CAC available to Firefox. Open Firefox and browse to:

      1. Edit-> Preferences -> Advanced -> Encryption
      2. Click on the Security Devices button
      3. Click the Load button to load a new module. Name it CAC Module and either type in or browse to /usr/lib/pkcs11/libcoolkeypk11.so
      4. A note here: if you are running a 64-bit machine, the path will be /usr/lib64/pkcs11/libcoolkeypk11.so
      5. From the devices window, enable FIPS. To do this you will have to click the default Firefox security device and hit "Change Password" (not on the CAC module) to set the initial password; then you should be able to click Enable FIPS.
      6. Restart Firefox

    6. When you browse to a DOD site it will first ask you for the FIPS password that you set on the default device, then it should ask you for your CAC PIN; all certificates should now be available.
    7. In order to make your email work you must use specific portal settings. For the Air Force it required going into My Profile and entering the base-specific Outlook email server into the email settings field.
    Last edited by mole84; March 29th, 2012 at 08:27 AM. Reason: update for 64 bit systems and FIPS
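    Added example, not code from the original post or from pcsc-tools: a Python decoder for the ATR that pcsc_scan printed in step 3 (TS, T0, the TA1/TB1/TC1 interface bytes, the compact-TLV historical bytes and, for cards that have one, the TCK checksum), plus a lookup against a smartcard_list.txt-style database so you can see why the stock database answered NONE and check that the copy you fetched really contains your card's ATR. The CAC ATR is the one from the output above; the database text and the second, T=1 ATR are constructed samples that follow the real file's layout (one regex line per card, with "." matching any hex digit, followed by tab-indented descriptions); the Fi/Di tables are the ISO 7816-3 values, and 3.57 MHz is the reference clock pcsc_scan uses for its bits/s figure.

```python
import re

# ISO 7816-3 tables indexed by the high/low nibble of TA1 (None = reserved code).
FI_TABLE = [372, 372, 558, 744, 1116, 1488, 1860, None, None, 512, 768, 1024, 1536, 2048, None, None]
DI_TABLE = [None, 1, 2, 4, 8, 16, 32, 64, 12, 20, None, None, None, None, None, None]
CARD_CLOCK_HZ = 3_571_200  # 3.57 MHz reference clock used for the bits/s figure

CAC_ATR = "3B 7D 96 00 00 80 31 80 65 B0 83 11 13 AC 83 00 90 00"  # from the pcsc_scan output above
T1_ATR = "3B DD 18 00 81 31 FE 45 80 F9 A0 00 00 00 77 01 08 00 07 90 00 FE"  # constructed T=1 card (has TCK)

SAMPLE_DB = (  # constructed stand-in for ~/.smartcard_list.txt, same layout as the real file
    "# ATR regex line, then tab-indented descriptions\n"
    "3B 7D 96 00 00 80 31 80 65 B0 83 11 13 AC 83 00 90 00\n"
    "\tDoD Common Access Card (constructed sample entry)\n"
    "3B 7. 96 00 00 80 31 80 65 B0 83 .. .. AC 83 00 90 00\n"
    "\tDoD CAC, wildcard entry (constructed sample entry)\n"
    "3B DD 18 00 81 31 FE 45 80 F9 A0 00 00 00 77 01 08 00 07 90 00 FE\n"
    "\tConstructed T=1 card (constructed sample entry)\n"
)


def normalize_atr(atr):
    """Canonical upper-case, space-separated form, as pcsc_scan prints it."""
    return " ".join(f"{x:02X}" for x in bytes.fromhex(atr.replace(" ", "")))


def parse_atr(atr):
    """Split an ATR into TS/T0, interface bytes, protocols, historical bytes and TCK check."""
    b = bytes.fromhex(atr.replace(" ", ""))
    if len(b) < 2 or b[0] not in (0x3B, 0x3F):
        raise ValueError("TS must be 3B (direct) or 3F (inverse convention)")
    k, y = b[1] & 0x0F, b[1] >> 4          # K historical bytes; Y(1) says which of TA1..TD1 follow
    iface, protocols, pos, i = {}, set(), 2, 1
    while y:
        for name, bit in (("TA", 1), ("TB", 2), ("TC", 4), ("TD", 8)):
            if y & bit:
                if pos >= len(b):
                    raise ValueError("ATR truncated inside the interface bytes")
                iface[f"{name}{i}"] = b[pos]
                pos += 1
        td = iface.get(f"TD{i}")
        if td is None:
            break                           # no TDi: no further interface bytes
        protocols.add(td & 0x0F)            # low nibble of TDi names a protocol (T=0, T=1, ...)
        y, i = td >> 4, i + 1               # high nibble is Y(i+1)
    if not protocols:
        protocols.add(0)                    # no TD1 at all means T=0 is implied
    hist = b[pos:pos + k]
    if len(hist) != k:
        raise ValueError("ATR truncated inside the historical bytes")
    pos += k
    tck_ok = None                           # TCK exists only when something other than T=0 is offered
    if protocols != {0}:
        if len(b) != pos + 1:
            raise ValueError("TCK byte expected for a non-T=0 card")
        xor = 0
        for x in b[1:]:                     # T0 through TCK inclusive must XOR to zero
            xor ^= x
        tck_ok = xor == 0
    elif len(b) != pos:
        raise ValueError("unexpected bytes after the historical bytes")
    return {"convention": "direct" if b[0] == 0x3B else "inverse", "K": k,
            "interface_bytes": iface, "protocols": protocols, "historical": bytes(hist), "tck_ok": tck_ok}


def decode_ta1(ta1):
    """Fi/Di from TA1, cycles per ETU and the resulting bit rate at the reference clock."""
    fi, di = FI_TABLE[ta1 >> 4], DI_TABLE[ta1 & 0x0F]
    if fi is None or di is None:
        raise ValueError("reserved Fi or Di code in TA1")
    return {"Fi": fi, "Di": di, "cycles_per_etu": fi / di, "bits_per_s": CARD_CLOCK_HZ * di // fi}


def decode_card_service(csd):
    """ISO 7816-4 card service data byte (compact-TLV tag 3)."""
    access = {0b100: "READ BINARY", 0b000: "GET RECORD(s)", 0b010: "GET DATA"}
    return {"app_selection_full_df_name": bool(csd & 0x80), "app_selection_partial_df_name": bool(csd & 0x40),
            "ber_tlv_in_ef_dir": bool(csd & 0x20), "ber_tlv_in_ef_atr": bool(csd & 0x10),
            "ef_dir_ef_atr_access": access.get((csd >> 1) & 0x07, "reserved"), "has_mf": not (csd & 0x01)}


def parse_historical(hist):
    """Decode category-80 historical bytes: a run of compact-TLV objects (tag and length share one byte)."""
    out = {"category": hist[0] if hist else None, "objects": []}
    if out["category"] != 0x80:
        return out                          # other categories are left undecoded here
    pos = 1
    while pos < len(hist):
        tag, length = hist[pos] >> 4, hist[pos] & 0x0F
        value = bytes(hist[pos + 1:pos + 1 + length])
        if len(value) != length:
            raise ValueError("truncated compact-TLV object in historical bytes")
        out["objects"].append((tag, value))
        if tag == 3 and length == 1:
            out["card_service"] = decode_card_service(value[0])
        elif tag == 6:
            out["pre_issuing"] = value
        elif tag == 8 and length in (1, 2, 3):   # status indicator: LCS, SW1 SW2, or LCS SW1 SW2
            if length != 2:
                out["lcs"] = value[0]
            if length != 1:
                out["sw"] = (value[-2] << 8) | value[-1]
        pos += 1 + length
    return out


def load_db(text):
    """Parse smartcard_list.txt layout into (regex, [descriptions]) entries."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line.startswith("\t"):
            if entries:
                entries[-1][1].append(line.strip())
        else:
            entries.append((line.strip(), []))
    return entries


def lookup_atr(atr, db_text):
    """Every database entry whose regex fully matches the ATR, as pcsc_scan reports them."""
    atr = normalize_atr(atr)
    return [(pat, desc) for pat, desc in load_db(db_text) if re.fullmatch(pat, atr, re.IGNORECASE)]


if __name__ == "__main__":
    info = parse_atr(CAC_ATR)
    print(info["convention"], info["interface_bytes"], decode_ta1(info["interface_bytes"]["TA1"]))
    print(parse_historical(info["historical"]))
    print(lookup_atr(CAC_ATR, SAMPLE_DB) or "NONE")
```

    To check a freshly downloaded database, pass its contents to lookup_atr in place of SAMPLE_DB with the ATR your own pcsc_scan printed; an empty result means the file you saved still does not know the card, which is the same situation as the "NONE" in the output above.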

#2 (Join Date: Mar 2008, Location: The Golden State, Beans: 248, Distro: Kubuntu 9.10 Karmic Koala)

    Re: How To: Setup DOD Common Access Card (CAC) for service portals

    Thank you for this tutorial, it was very helpful. I had a few more hoops to go through to get it working though. I had to flash the BIOS on my reader to the newest version, which was supposed to be possible in a virtual machine, but I could not get Linux to give up control of it and so had to do it on a friend's XP machine. After I did that, I was able to follow your instructions and get it working properly. AKO allows access now. I'm still working on getting access to my other work email.

#3 (Join Date: Aug 2009, Location: Tampa, FL, Beans: 27, Distro: Ubuntu 12.04 Precise Pangolin)

    Re: How To: Setup DOD Common Access Card (CAC) for service portals

    Wow! Thanks so much. Now that I can log in using CAC, I can get rid of my Windows partition altogether; the CAC was the only reason that I was ever having to keep Windows around.
    "A good plan, violently executed now, is better than a perfect plan executed next week." -- Gen. Patton

    "I like peanut butter." -- Me

#4 (Join Date: Aug 2009, Beans: 4)

    Re: How To: Setup DOD Common Access Card (CAC) for service portals

    I cannot get Step 3 to work: pcsc-scan. I think it's because I have Windows XP and Jaunty dual-booting on my computer. I'm guessing that Jaunty is unable to find my newly installed pcsc program/library.

    The error I am getting is:

    bash: pcsc-scan: command not found.

    I appreciate any advice out there to help. It fails to load on multiple computers with Win and Ubuntu. Thanks

    Kermie

#5 (Join Date: May 2007, Beans: 14)

    Re: How To: Setup DOD Common Access Card (CAC) for service portals

    Quote Originally Posted by dkermitb View Post
    I cannot get Step 3 to work: pcsc-scan. I think it's because I have Windows XP and Jaunty dual-booting on my computer. I'm guessing that Jaunty is unable to find my newly installed pcsc program/library.

    The error I am getting is:

    bash: pcsc-scan: command not found.

    I appreciate any advice out there to help. It fails to load on multiple computers with Win and Ubuntu. Thanks

    Kermie
    Kermie,

    Make sure that you are using pcsc_scan. There is an underscore there rather than a dash between the two words. One neat way to check your commands is to use the tab auto-complete feature in bash. All that takes is to type in the first few letters of a command, so pcsc, and then hit Tab a few times; it will display all the programs installed on your machine that start with those letters, and then you can select the proper command. If pcsc_scan is not auto-completing, that means you don't have it installed, so try going back and re-installing it.

#6 (Join Date: Aug 2009, Beans: 4)

    Re: How To: Setup DOD Common Access Card (CAC) for service portals

    Mole,

    Nice job with the forum!! I was able to get my CAC card working with your help, I really appreciate it. However, I need help with the webmail now.

    First of all, how do you view your webmail with Jaunty? On my XP computer, I viewed webmail on Internet Explorer using ActiveX. Since Ubuntu doesn't have these, how does Ubuntu webmail work? I can get to the Portal, but I can't get my webmail to work even after I enter my PIN. I appreciate any advice you have. I couldn't find anything under "My Profile" to help configure my webmail. Thanks again for all the help!

    v/r,

    Kermie

#7 (Join Date: May 2007, Beans: 14)

    Re: How To: Setup DOD Common Access Card (CAC) for service portals

    Quote Originally Posted by dkermitb View Post
    Mole,

    Nice job with the forum!! I was able to get my CAC card working with your help, I really appreciate it. However, I need help with the webmail now.

    First of all, how do you view your webmail with Jaunty? On my XP computer, I viewed webmail on Internet Explorer using ActiveX. Since Ubuntu doesn't have these, how does Ubuntu webmail work? I can get to the Portal, but I can't get my webmail to work even after I enter my PIN. I appreciate any advice you have. I couldn't find anything under "My Profile" to help configure my webmail. Thanks again for all the help!

    v/r,

    Kermie
    Kermie,

    Well, the good news is that if you were able to go to your portal, enter your master PIN, and select your certificate, you've won most of the battle. Webmail in and of itself is only a function of a web browser, so I am just able to open up my webmail link through Firefox. I am not sure which service portal you are using (I only have experience with the Air Force portal), but for me there is a separate link from the portal to webmail once I use my CAC / PIN to enter the portal. The note about the "My Profile" setting was that in the Air Force, at least, all of our bases have individual (and disjoint) webmail servers, so you have to put the link to your base's server in your settings on the portal in order for it to direct you to the right place and carry your credentials.

#8 (Join Date: Sep 2009, Beans: 1)

    Re: How To: Setup DOD Common Access Card (CAC) for service portals

    Has anyone successfully gotten this to work with Ubuntu Jaunty 64-bit?

    I've installed the required packages--no problem there. And pcsc_scan says everything's fine.

    But when I try to load the security module libcoolkeypk11.so, Firefox "freezes" and stops responding. If I insert and remove the CAC a few times it will come back to life.

    But then if I try to access an https:// site, things don't work. It will attempt to connect to the site for a minute or two, then (sometimes) eventually ask for my master password, but entering the pin has yet to actually get me into a site.

    I get the same basic result with both Firefox 3.0 and Firefox 3.5.

    My card reader is an SCR3310 v2.0.

    Any ideas?

#9 (Join Date: Aug 2009, Beans: 4)

    Re: How To: Setup DOD Common Access Card (CAC) for service portals

    Mole,

    I'm tracking with you referencing the "My Profile". I have tried to check my email from the AF Portal and using the separate website. Both of them ask for the passwords and certificates. However, they don't load; instead I get:

    Error Code: 401 Unauthorized. The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator. (12209)

    I am using Firefox from Jaunty as well. I think there is something wrong with my Firefox setting. Got any more tricks on your end about how I should fix this? Thanks...

    Kermie

#10 (Join Date: Aug 2009, Beans: 4)

    Re: How To: Setup DOD Common Access Card (CAC) for service portals

    Mole,

    Good news, I got the webmail working. I had to use another website than what you had posted to get my certificates. After playing around with that, everything works. Thanks for the nice job on here!!

    Kermie
