0Current as of

advertisement
0Current as of: 24 October 2009
If you have questions or problems pertaining to using your CAC on your MAC
computer (after you read information below), please contact Bill Hankins by
visiting the Apple contact page (Please know that he is currently in Iraq, so there
will be a delay in a return email). Therefore, please attempt to follow the
instructions below BEFORE emailing him).
The following information is provided for your situational awareness while setting
up the utilization of your CAC on your Mac. It is updated as additional
information is available and your input is appreciated for solutions not outlined
here.
ActiveClient is a middleware program used by the DoD to facilitate the cross talk
between Windows computers (prior to Windows 7) and your Common Access Card. It
was offered for the “Tiger” release (MAC OS X 10.4.9) and is not compatible with
Leopard or Snow Leopard (the current release of MAC OS X (10.6.1)). The program
is available for purchase through the manufacturer, and is not available for download
from DoD. The use of this program is not supported here for Apple operating systems,
as it is not required for Tiger, Leopard or Snow Leopard.
ADmitMac for CAC is another middleware program, created by Thursby Software, in
use by the DoD on some NETCOM Apple Baseline images. This software allows easy
configuration of systems for CAC only authentication and logon for systems being
added to a DoD domain. This software is not required on non-DoD computers. It is
available on a trial download basis from the manufacturer and is available for purchase
at that location; it does not support Snow Leopard at the time of this publication.
PureEdge is currently only available for Windows, and although there is a Citrix based
version floating around the internet it only functions on older Mac systems, and not very
well. The Citrix based version does not support signatures and has been problematic
since it’s inception. There is another program available on windows, Lotus Form
Viewer, though, this too, is only available on Windows.
Windows on your MAC: While you have made a conscious decision to “be a Mac”, the
NETCOM Engineers have not, and therefore the easiest solution for some problems,
such as PureEdge, ApproveIt, and some websites, is to use Windows through a Virtual
Machine, such as Parallels or VMWare, or through Apple’s native Boot Camp. This will
require you to have a legal copy of Windows. With this you can install the ActiveClient,
PureEdge, and ApproveIt software and utilize all the DoD tools from your MAC. The
benefit of the Virtual machines over Boot Camp is that is will allow you to run Windows
as an additional program (without restarting your computer) and keep OS X running the
entire time.
DBSign: In order to access some sites, such as DTS (Defense Travel System), a digital
signature is needed. This is currently being executed through a program called DBSign
installed on an end users computer in coordination with the website. This software is
not currently available for MAC, and is in the process of being replaced by a Java applet
installed on the site server to alleviate the need for additional software on the end users
system. This site will be updated with a notification of this update when complete. Here
is the current information.
CAC Readers: With a variety of CAC readers available today there are also a variety
of issues. Currently there is a known issue with the SCR-3310 Card Reader with
Firmware version 5.22 with the Snow Leopard (10.6.1) release of OS X. The issue
consists of the reader appearing in System Profiler, though not recognizing ID Cards.
This appears to be an issue with driver compatibility with the 64-bit kernel Snow
Leopard utilizes. The SCR-331 functions fully with all releases of OS X and is
recommended.
Apple updates: OS X Update 10.5.6 repairs a variety of problems associated with
previously identified CAC issues. The Smart Card Services software available through
various websites is for 10.5.4 and 10.5.5 only. It has not been tested on 10.5.6 as it is
not required. If you have 10.5.5 and install it, you can update to 10.5.6 with no issues.
Firefox Web Browser: The commonly used web browser, Firefox, offered my Mozilla,
offers CAC support only on Windows computers at this time. The program has support
for such systems imbedded, however the files required to utilize a CAC are nonfunctioning at this time. The steps outlined below are for use with the Safari browser, as
it is native to the OS and functions by using the Keychains Access program.
Outlook Web Access Portals: The use of Outlook Web Access portals (OWA) on
MAC current has known issue with time outs. Beware that when using OWA on your
MAC that if you are inactive on the primary window, i.e. the inbox, while replying to an
email, your browser may time out. On your Windows machine the client side software,
[ActiveClient] actively maintains communications with the server side CAC software and
re-requests validation of your credentials. On your MAC this is not so, Safari will
respond to a direct request for validation of your credentials, however it will not rerequest that you verify as the server requires. Be sure that prior to selecting the Send
button that you copy your work to the clipboard as you will most likely have to restart
Safari and log back in. The issue is being worked at this time and updates will be made
available here when complete.
Setting up your CAC for use on your Macintosh (Visually):
Step 1: Update your system. (10.5.6 is the minimum required for Leopard, though
10.5.8 is currently available for Leopard, and 10.6.1 is available for Snow Leopard)
Step 2: Plug in your CAC Reader to an available USB Port
Step 3: Click the Apple Icon in the upper left corner of your desktop and select "About
This Mac"
Step 4: Click the "More Info" Button within the window that pops up. (This opens
System Profiler)
Step 5: Within the "Hardware" Category select "USB." On the right hand side of the
screen the window will display all hardware plugged into the USB ports on your Mac.
You should see “Smart Card Reader.” If the Smart Card reader is present, it is installed
on your system, and no further hardware changes are required, i.e. additional drivers /
Firmware upgrades. Unplug the CAC Reader from your system and Quit System
Profiler.
Step 6: Click: Go, Applications, Keychain Access, then click "Edit" in the menu bar, and
select "Keychain List"
Step 6a: Click the "+" button in the lower left of the window opened
Step 6b: Click on the local hard drive (under Devices on the left), then System / Library
/ Keychains, and double click X509Anchors.
Step 6c: Check the Box on the left of the X509Anchors in the Shared column as well as
the System Box. Click "Ok".
Step 7: Plug in your CAC Reader, allow approx. 5 seconds for the reader to initialize
and insert your CAC into the CAC Reader. In the upper left of the Keychain Access
window, under "Keychains" your CAC should show up (CAC XXXX-XXXX-XXXX-XXXXXXXX), click it. In the right hand side you will see the certificates that are on your CAC.
(If your CAC does not appear remove it from the reader, unplug the CAC Reader, quit,
and re-open Keychains Access, plug in the Card Reader, and insert your CAC)
Step 8: Click the "Padlock" icon in the upper left corner of the program window, which
will prompt you for your CAC PIN. Enter your PIN to unlock your CAC.
Step 9: Select the desired certificate, which will show DOD CA-XX or DOD EMAIL CAXX in the upper window. Right Click (Control Click) and select "New Identity
Preference"
Step 10: Enter the URL / website (choose from the below links) for the appropriate
website you wish to access using your CAC, select the appropriate certificate and click
“Add”:
Step 11: Quit Keychain Access (and Applications (if it is still open)), remove your CAC
from the reader, and re-insert it. Open Safari and begin navigating to your CAC
enabled site.
Examples of URLs to add to your Keychain Access
Army:
- AKO: https://akocac.us.army.mil/ (DOD CA-XX)
- AKO Webmail: https://wmcac.us.army.mil/ (DOD CA-XX)
- Fort Gordon OWA (NASE Email Access): https://rw3.army.mil/EXCHANGE (EMAIL
CA-XX)
- Army Reserve OWA (USAR Email Access): https://owa.usar.army.mil/ (EMAIL CAXX)
- Center for Army Lessons Learned (CALL): https://call3.leavenworth.army.mil (DOD
CA-XX)
- CONUS AMEDD Exchange OWA: https://medmail-conus.amedd.army.mil/Exchange
(EMAIL CA-XX)
- National Guard Knowledge Online: https://gkoportal.ngb.army.mil (DOD CA-XX)
- NORAD NORTHCOM CAC Registration Site: https://registration.noradnorthcom.mil/
(DOD CA-XX)
- NORAD NORTHCOM External Access Site: https://operations.noradnorthcom.mil
(DOD CA_XX)
- Soldier Survey Site: https://fcportal.forscom.army.mil/ (EMAIL CA-XX)
Navy:
- Navy Knowledge Online (1 of 2): https://cac01.nko.navy.mil (DOD CA-XX)
- Navy Knowledge Online (2 of 2): https://cac01.nko.navy.mil:443/app1/index2.jsp
(DOD CA-XX)
- Navy Webmail: https://webmail.nmci.navy.mil (DOD CA-XX)
- Reserve Portal: https://private.navyreserve.navy.mil/ (DOD CA-XX)
- NADSUSEA (Navy East OWA): https://webmail.east.nmci.navy.mil (EMAIL CA-XX)
- NADSUSWE (Navy West OWA): https://webmail.west.nmci.navy.mil (EMAIL CA-XX)
- NADSUSEA NCIS COI (Navy NCIS OWA): https://webmail.ncis.nmci.navy.mil (EMAIL
CA-XX)
- NMCI-ISF (Navy ISF OWA): https://webmail.isf.nmci.navy.mil (EMAIL CA-XX)
- PADS (Navy PADS OWA): https://webmail.pacom.mil (EMAIL CA-XX)
- PADS (Navy PACOM SMR Users OWA): https://webmail.exceptions.pacom.mil
(EMAIL CA-XX)
- IATS NMCI Webmail (1 of 3): https://iats.nmci.navy.mil (EMAIL CA-XX)
- IATS NMCI Webmail (2 of 3): https://iats.nmci.navy.mil/ (EMAIL CA-XX)
- IATS NMCI Webmail (3 of 3): https://iats.nmci.navy.mil/cas (EMAIL CA-XX)
- Marine Corps Webmail: https://webmail.us.nmci.usmc.mil/Exchange (EMAIL CA-XX)
- Navy E-learning: https://www.sas.cnet.navy.mil/ (DOD CA-XX)
- Navy Forces Online: https://www.portal.navy.mil/ (EMAIL CA-XX)
- Navy Homeport (NMCI Default Homepage): https://homeport.nmci.navy.mil/ (EMAIL
CA-XX)
- Navy InfoSec: https://infosec.navy.mil (DOD CA-XX)
- Navy Medical (1 of 3): www.med.navy.mil:80 (DOD CA-XX)
- Navy Medical (2 of 3): https://nmo.med.navy.mil/ (DOD CA-XX)
- Navy Medical (3 of 3): https://nmo.med.navy.mil/pki/default.cfm (DOD CA-XX)
- Navy Medical Outlook Web Access: https://sscc-fe-03.med.navy.mil/EXCHANGE
(EMAIL CA-XX)
- JTF-GNO: https://www.jtfgno.mil (EMAIL CA-XX)
- BUPERS: https://pki.bol.navy.mil/ (DOD CA-XX)
- NSIPS (1 of 2); https://nsips.nmci.navy.mil (DOD CA-XX)
- NSIPS (2 of 2): https://nsipsweb.nmci.navy.mil/nsipsclo/logon (DOD CA-XX)
- NROWS: https://nrows.sscno.nmci.navy.mil (DOD CA-XX)
- Navy Reserve Portal (1 of 2): https://private.navyreserve.nay.mil/ (DOD CA-XX)
- Navy Reserve Portal (2 of 2): https://private.navyreserve.nay.mil/pages/default.aspx
(DOD CA-XX)
Air Force: (There are currently issues with the AF Portal, the issues are being
addressed and updates will be posted here when available)
- AF Portal (1 of 3): https://www.my.af.mil (DOD CA-XX)
- AF Portal (2 of 3): https://www.my.af.mil/EAI_JUNCTION/eai/ (DOD CA-XX)
- AF Portal (3 of 3): https://www.my.af.mil/EAI_JUNCTION/eai/auth (DOD CA-XX)
- Air Force Portal Virtual MPF Site: https://w20.afpc.randolph.af.mil/afpcsecurenet20/
(DOD CA-XX)
- Air Force Top Flite Website: https://logon.jag.af.mil (DOD CA-XX)
- Air Force Jag Site: https://aflsa.jag.af.mil/ (DOD CA-XX)
- Air Force Education Exchange: https://cacwebmail.afit.edu/Exchange (EMAIL CA-XX)
- AF AMC Exchange Email: https://mail.amc.af.mil/exchange (EMAIL CA-XX)
Coast Guard:
- Coast Guard Email: http://cgwebmail.uscg.mil/ (DOD CA-XX)
DoD:
- Defense Manpower Data Center: https://pki.dmdc.osd.mil (DOD CA-XX)
- DOD 411 Directory: https://jeds.gds.disa.mil (EMAIL CA-XX)
- Tricare Online: https://www.tricareonline.com/preloginHome.do (DOD CA-XX)
- Tricare (1 of 3): https://cac1.tricareonline.com/ (EMAIL CA-XX)
- Tricare (2 of 3): https://cac2.tricareonline.com/ (EMAIL CA-XX)
- Tricare (2 of 3): https://cac3.tricareonline.com/ (EMAIL CA-XX)
- Military Health System: https://mhssc.timpo.osd.mil (DOD CA-XX)
Note on URL’s: It is important to understand that when entering URL’s into an identity
preference they must be precise. As you can see in the preceding references some
end with a “/”. Not all websites will have this. Every website that attempts to validate
your CAC must search a database (Usually internal to the site) and the URL you enter
is creating the link between that database and your CAC. As there is not a single
database that all sites use for this purpose you will encounter sites that do not function
properly initially. If you pay attention to the actions of the browser when you click the
login button you will usually see where the browser is being pointed and can use that
URL in your Identity Preference. For the most part you will not need to reference a
specific site, i.e. ending in .html etc, but instead the will use the broad address as
above.
Note on Certificate Selection: When creating Identity Preferences within Keychains it
is important to understand the difference between your Certificates. I will not go into
great detail as to the differences here however I will give you the information you need
to know. There are 3 certificates on your CAC:
- DOD CA-XX, used for identification verification, is the top most certificate shown in
Keychains. This will be used when logging into AKO. This will show up with a red “x”
beside it a majority of the time as “Unsigned”.
- DOD CA-XX EMAIL, used for signatures, is the second in the list of certificates in the
list. This certificate is used when you digitally sign an email, or document, and by some
websites for verification of your identity, i.e. Outlook Web Access. When logging into a
non-AKO site keep in mind that whatever certificate you used when logging on at your
work computer will be required on your MAC.
- DOD CA-XX EMAIL, used for encryption, is the third in the list of certificates. This will
not be used when accessing websites, and unless you are accustomed to encrypting
your email, will not be used at all.
When creating Identity Preferences there will be some trial and error involved in
selecting the correct URL/Certificate combination. If you create an Identity Preference
and attempt to change the certificate it uses you may see more than 3 certificates when
you open the drop down menu as below, they are grouped into their respective classes,
the first pair being the DOD CA-XX, second pair EMAIL CA-XX (Signature) and the third
pair EMAIL CA-XX (Encryption). Choose either of the first two if you want the DOD CAXX and so forth. They point to the same certificate.
This should set you up to access sites that are authenticated with your CAC. Please let
me know how this works out for you and what issues you have. Once again if you have
additional sites you have found solutions for please let me know and I will include them
in the list on this page. If you still have questions, feel free to contact me. (Please
know that I am currently heading to Iraq, so there will be a delay in a return
email). Therefore, please attempt to follow the instructions above BEFORE
emailing me).
Current as of: 24 October 2009
Written by CPT Bill Hankins, Revised by CW3 Michael J. Danberry while following the instructions on my
own iBook G4.
Download