HOWTO_DoD_CAC
The U.S. Department of Defense has widely deployed the Common Access Card (CAC), which is primarily used to access email. Setting up a Gentoo machine to use the CAC is a fairly simple procedure. If you're trying to set up a server that uses CAC authentication, try here.
This HOWTO assumes that you will be using the ActivCard USB Reader v2.0.
Installing the Software
First make sure that you have the required software:
emerge -av libusb pcsc-lite ccid coolkey
Coolkey and ccid are (as of this writing) both marked testing, so you'll need to do the following before doing the emerge:
echo "app-crypt/coolkey ~x86" >> /etc/portage/package.keywords
echo "app-crypt/ccid ~x86" >> /etc/portage/package.keywords
If you're not on x86 obviously use your own architecture, but as of this writing coolkey on Gentoo has only been tested on x86, ppc, and ppc64. If you are able to test it on another architecture and it works, please file a bug in Gentoo Bugzilla to have it keyworded for that architecture. Note that Fedora has a binary RPM for amd64, so at minimum it should also work on that architecture.
Post-Install configuration
The ActivCard USB Reader v2.0 is not correctly identified by ccid. To fix this, edit /usr/lib/readers/usb/ifd-ccid.bundle/Contents/Info.plist so that it contains:
| File: /usr/lib/readers/usb/ifd-ccid.bundle/Contents/Info.plist |
<key>ifdDriverOptions</key>
<string>0x0004</string>
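The same edit done from a script, with the value read back afterwards so you can confirm the driver bundle was changed. This is an added example, not part of the original HOWTO: it assumes the plist has the usual layout of a `<key>` line followed by its `<string>` line, and it uses the file path given above (override it with `PLIST`). In the comments of ccid's own Info.plist, bit 0x0004 is documented as DRIVER_OPTION_USE_BOGUS_FIRMWARE, the workaround for readers whose firmware misbehaves, which is why it is needed for the ActivCard reader.

```shell
#!/bin/sh
# Added example (not from the original HOWTO): set ifdDriverOptions in the ccid
# driver's Info.plist from a script and read the value back to check the edit.
# Assumes the <key> line is immediately followed by its <string> line, as in
# the plist shipped with ccid.

PLIST=${PLIST:-/usr/lib/readers/usb/ifd-ccid.bundle/Contents/Info.plist}

# Print the <string> value that follows <key>ifdDriverOptions</key>.
get_ifd_driver_options() {
    sed -n '/<key>ifdDriverOptions<\/key>/{n;s/.*<string>\([^<]*\)<\/string>.*/\1/p;}' "$1"
}

# Replace that value with $2 (for example 0x0004). A backup is kept as
# Info.plist.orig and the edit goes through a temporary file, so a failed sed
# never leaves a truncated plist behind. Returns non-zero if the value did not
# end up in the file.
set_ifd_driver_options() {
    file=$1
    value=$2
    [ -f "$file" ] || { echo "no such plist: $file" >&2; return 1; }
    [ -f "$file.orig" ] || cp "$file" "$file.orig"
    sed "/<key>ifdDriverOptions<\/key>/{n;s/<string>[^<]*<\/string>/<string>$value<\/string>/;}" \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    [ "$(get_ifd_driver_options "$file")" = "$value" ]
}

# Usage (as root; restart pcscd afterwards so the driver re-reads the bundle):
#   set_ifd_driver_options "$PLIST" 0x0004 && /etc/init.d/pcscd restart
```

Run it once as root; the backup copy lets you revert if a later ccid upgrade changes the option bits.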
Start up the pcsc daemon:
sudo /etc/init.d/pcscd start
sudo rc-update add pcscd default
Configure Your Browser
First the DoD certificates must be installed. They can be downloaded from [1]. Be sure to grab them all.
| Code: Configure Firefox |
- Edit->Preferences menu
- Advanced section
- Encryption tab
- View Certificates button
- Import button
Unfortunately, certificates can only be imported one at a time.
Firefox must also be able to communicate with the CAC using libcoolkey.
| Code: Configure Firefox |
- Edit->Preferences menu
- Advanced section
- Encryption tab
- Security Devices button
- Load button
- under Module Name type CAC Module
- under Module Filename type /usr/lib/pkcs11/libcoolkeypk11.so
- click Ok button
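Both Firefox steps above (importing the DoD certificates one by one, then loading libcoolkey as a security device) can be done against the profile's NSS database from the command line with certutil and modutil, which avoids clicking through the Import dialog once per certificate. This is an added example, not part of the original HOWTO: it assumes the NSS tools are installed (dev-libs/nss on Gentoo), that the profile directory and the directory holding the downloaded certificates are passed as arguments, and that the certificates are DER (.cer/.crt/.der) or PEM (.pem) files. Setting `DRY_RUN=1` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original HOWTO): configure a Firefox profile for
# the CAC with the NSS command-line tools instead of the preferences dialogs.
# Assumptions: certutil and modutil are installed, $profile is the Firefox
# profile directory (the one containing cert8.db), and the DoD CA certificates
# were unpacked into a directory. DRY_RUN=1 prints commands instead of running.

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Import every certificate file in $1 into the NSS database in $2, one certutil
# call per file (the dialog only takes one at a time, but a loop does not care).
# The nickname is the file name without its extension; trust "CT,C,C" marks the
# certificate as a trusted CA for SSL, e-mail and object signing. Other files
# in the directory (README, checksums) are skipped.
import_ca_certs() {
    certdir=$1
    profile=$2
    for f in "$certdir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        case "$f" in
            *.pem) fmt="-a" ;;              # PEM input needs certutil's ASCII flag
            *.cer|*.crt|*.der) fmt="" ;;    # DER is certutil's default input
            *) continue ;;
        esac
        run certutil -A -d "$profile" -n "${name%.*}" -t "CT,C,C" $fmt -i "$f"
    done
}

# Register libcoolkey as a PKCS#11 security device, the equivalent of the
# Security Devices -> Load dialog. -force skips modutil's interactive prompt;
# Firefox must not be running while the profile's secmod.db is modified.
load_cac_module() {
    profile=$1
    module=${2:-/usr/lib/pkcs11/libcoolkeypk11.so}
    run modutil -dbdir "$profile" -add "CAC Module" -libfile "$module" -force
}

# Usage (Firefox closed):
#   import_ca_certs ~/dod-certs ~/.mozilla/firefox/xxxxxxxx.default
#   load_cac_module ~/.mozilla/firefox/xxxxxxxx.default
```

After running it, the certificates appear under Authorities in View Certificates and "CAC Module" under Security Devices, exactly as if they had been added through the dialogs.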
You can test Firefox by visiting [2]. If you get in, then it probably works.
Caveats
Recently, it has been discovered that some of DoD's Outlook Web Access servers have a problem with packets sent at too large an MTU. Lowering the MTU on the interface you use to reach them works around it:
bash$ sudo ifconfig eth0 mtu 1420
You might also want to add the line `mtu_eth0="1420"` to your /etc/conf.d/net.
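An added example (not from the original HOWTO) of checking that a smaller MTU actually reaches the host before changing the interface, and of writing the `mtu_eth0` line into /etc/conf.d/net without ending up with a duplicate on a second run. It assumes Linux iputils ping, whose `-M do` option sets the don't-fragment bit; the host name, interface and MTU are arguments and the `owa.example.com` name in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original HOWTO): probe whether a given MTU is
# usable towards a host, then persist the interface MTU in /etc/conf.d/net.
# Assumes Linux iputils ping (-M do = don't fragment). IPv4 overhead is 20
# bytes of IP header plus 8 bytes of ICMP header, so a probe for MTU N sends
# an ICMP payload of N-28 bytes.

# ICMP echo payload size that yields an IP packet of exactly $1 bytes.
probe_payload() {
    echo $(($1 - 28))
}

# Return 0 if a don't-fragment packet filling MTU $2 gets an answer from $1.
probe_mtu() {
    ping -c 1 -W 2 -M do -s "$(probe_payload "$2")" "$1" >/dev/null 2>&1
}

# Set mtu_<iface>="<mtu>" in $3 (default /etc/conf.d/net): replace an existing
# line if there is one, otherwise append, so repeated runs leave a single line.
persist_mtu() {
    iface=$1
    mtu=$2
    conf=${3:-/etc/conf.d/net}
    line="mtu_${iface}=\"${mtu}\""
    if grep -q "^mtu_${iface}=" "$conf" 2>/dev/null; then
        sed "s/^mtu_${iface}=.*/${line}/" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf '%s\n' "$line" >> "$conf"
    fi
}

# Usage (as root; owa.example.com is a placeholder for the OWA host):
#   probe_mtu owa.example.com 1420 && ifconfig eth0 mtu 1420 && persist_mtu eth0 1420
```

If the probe at 1420 fails too, try smaller values; the setting in /etc/conf.d/net takes effect the next time the interface is brought up.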
References
- Kenneth Van Alstyne's paper Procedure for Setting up United States Department of Defense Common Access Cards on a Linux System using PC/SC and CoolKey
- Wikipedia article on Common Access Card
