SCR CAC reader for Leopard

For those of you in the Department of Defense...

I have acquired an SCR 331 CAC reader from work, in order to log in to OWA with my CAC card, but I can't get Leopard to recognize it. I plug it in, a solid light comes on, but no joy. I can't see my CAC in Keychain Access. Is there a driver out there or some other trick so I can get my Mac to recognize the card reader?

iMac G5, iBook G4, Mac mini G4, 4G iPod, 5G iPod, iPhone 8GB, Mac OS X (10.5)

Posted on Jan 16, 2008 10:15 PM


Aug 12, 2008 7:09 AM in response to Steve Kostoff

Hi everyone, I am pulling my hair out trying to enable my MacBook to read my NMCI e-mail. I have read the entire chain of posts below and am still having problems. If anyone can offer suggestions I will be grateful.

1. I don't think my certificates are properly installed in keychain, and there are no 509 Anchor Files. This MacBook is relatively new and I simply migrated from my iMac. How can I remove and reinstall? The keychain is seeing my CAC Card and Reader.

2. Once the certificates are installed do I only have to establish identities as indicated below? I did that, got to the OWA login screen, attempted to login and received the message "Your certificates are not installed...."

3. Should I use Firefox? If so how should I enable it?

Thanks for the help.

Aug 12, 2008 6:38 PM in response to monolith1

With the help of this thread got things working.

Background Information:
System: Macbook Pro 2.2 GHz
OS: OS X 10.5.4 (Just completed a clean install, i.e., wiped my drive.)
CAC equipment: Athena Smartcard ASEDrive IIIe USB v2
CAC Software: None required.

Key Steps:
1. Had to install the X509Anchors keychain. I found this in 10.5.4 in /System/Library/Keychains [Some of the other posts list the wrong path.]

2. I tried creating the new identity for only 1 of the certificates as mentioned in another post. That DID NOT work. Did the same thing for all three and things started working.

Thanks monolith1 and all others that provided good information on this subject.

Aug 12, 2008 7:10 PM in response to jmcarter9t

Thanks for the reply. How did you install the X509 Anchors? I tried to install using File/New Keychain and went to the location you described but got an error message that it already exists. It's not there, only what looks like a piece of paper saying X509Certificates, which is empty.

If you wouldn't mind, can you give me a blow-by-blow description? I would appreciate it.

Aug 12, 2008 7:18 PM in response to Steppenwolf323

Steppenwolf323,

In order to install the X509 anchors in Keychain access:

File->Add Keychain...

Then navigate (from Macintosh HD icon in Finder) to:
/System/Library/Keychains/X509Anchors

On my Macbook, running 10.5.4, this file is 280k in size

After loading the X509Anchors, be sure to then go to:
Edit->Keychain List

And check the box to share X509Anchors.


Hope this helps,

Jeff

Aug 14, 2008 8:51 AM in response to Steve Kostoff

Hello, and thanks to everyone for your help!! I'm having a bit of trouble...

1) macbook pro 10.5.4, scr331, downloaded libusb, (suggested on some list)
2) found this discussion, and tried to add x 509...successful
3) saw my cac certificates on keychain access, though not on the left side...I think they were with all certs
3) tried to unlock x 509, no luck (incorrect password, found this had happened to others)
4) reset keychains in keychain access, still no luck and can't find cac certs anymore.

hmmm. any ideas?

Chaplain Mike Moreno....(somewhere, I think even God is scratching his head on this one...)

Aug 15, 2008 4:50 PM in response to Michael Moreno

Chaplain Moreno,

The X509 keychain should not need to be unlocked in order to function. From what I understand, as long as the permissions for the X509 are set up (see my earlier post in this thread), it should work. There is no need to download any third-party drivers for SCR331 to operate. This is assuming you are running a version of the firmware on the reader which makes it CCID compliant (see the Apple Federal web site at http://www.apple.com/itpro/federal/ for a summary of this).

As per an email exchange I had with SCM Systems support earlier this year, newer SCR331 readers are CCID compliant, and therefore should be plug-and-play ready for the Mac.

Please ensure you're doing the following to eliminate possible CAC headaches, based on my experience with CAC and Macs. I have found this works for me, and several people I work with.. I do not work for Apple, nor have I seen much in the way of official documentation to address using CACs on Macs....

1. Remove any third-party drivers you may have installed for the CAC. Reboot Mac.
2. Ensure you're running the latest OS X updates (from Apple menu "Software Update..." function)
3. Close down Safari if currently running.
4. Start Keychain Access if it's not already running
5. Run First Aid on your Keychain, if you have not done so recently -- this can fix a lot of Keychain problems. To do so, in Keychain Access: menu Keychain Access->Keychain First Aid. Enter your account's password where prompted, and click Verify radio button, then click START

If any errors are indicated, click on the Repair button several times in a row until no more errors are indicated, then run Verify one more time.

6. Quit, and Re-start Keychain access so that changes you just made are saved to the hard drive.


7. Insert SCR331 CAC reader USB cable in to USB port on Mac without your CAC in it.
8. Wait a moment, THEN insert your CAC. The Green LED should start blinking, and remain blinking. Observe the CAC should become visible on the left-hand column in Keychain access

9. Click once on your CAC, you should see your 3 certificates on the right-hand side.

10. For each of the 3 certificates on the right-hand side, you will be binding the NMCI webmail address. This is a work-around for a bug in OS X/Safari which Apple is well aware of.. I opened a trouble ticket via AppleCare some time ago, and received confirmation this is being addressed.

To bind a web site to a certificate (so that Safari knows which certs to use for Webmail)....

Right-click on the cert, select "New Identity Preference...", enter the full HTTPS address for Webmail https://webmail.xxx..xxx.mil, and select the corresponding certificate in the pull-down menu. Yes, this is redundant as you had previously selected the certificate you wanted to bind the web address to.

Repeat this process for the second and third CAC certificate, ensuring you select the second and third certificate within the New Identity Preference dialog box.

11. Close Keychain Access to save changes to your hard drive.

12. Start Safari, and BE SURE to reset (clear) Safari.. check the options to clear Cache and cookies. (Do this going forward if the Webmail login screen doesn't come up)

13. Surf over to the Webmail .mil site... you should be prompted for the CAC PIN.. upon proper entry, you'll see the NMCI login screen.

Please advise if you have further questions and/or if this works.

v/r

Jeff
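The post above says the reader is plug-and-play only when its firmware is CCID compliant. A CCID reader declares USB interface class 0x0B (Smart Card) and a 54-byte CCID class descriptor, so this can be checked from the USB configuration descriptor. The sketch below is an added example, not part of the original thread; the two sample descriptors are constructed, not read from a real SCR331.

```python
import struct

USB_DT_INTERFACE = 0x04
USB_CLASS_SMART_CARD = 0x0B  # USB-IF class code used by CCID readers
CCID_FUNCTIONAL_DT = 0x21    # CCID class-specific descriptor type
CCID_FUNCTIONAL_LEN = 0x36   # fixed length (54 bytes) of that descriptor

def walk_descriptors(blob):
    """Yield (type, raw bytes) for each descriptor in a configuration blob."""
    if len(blob) < 9 or struct.unpack_from("<H", blob, 2)[0] != len(blob):
        raise ValueError("wTotalLength does not match the data supplied")
    offset = 0
    while offset < len(blob):
        if offset + 2 > len(blob):
            raise ValueError("truncated descriptor header at %d" % offset)
        length, dtype = blob[offset], blob[offset + 1]
        if length < 2 or offset + length > len(blob):
            raise ValueError("malformed descriptor at offset %d" % offset)
        yield dtype, blob[offset:offset + length]
        offset += length

def ccid_interfaces(blob):
    """Interface numbers that are smart card class and carry a CCID descriptor."""
    found, current = [], None
    for dtype, desc in walk_descriptors(blob):
        if dtype == USB_DT_INTERFACE:
            if len(desc) < 9:
                raise ValueError("short interface descriptor")
            current = desc[2] if desc[5] == USB_CLASS_SMART_CARD else None
        elif (dtype == CCID_FUNCTIONAL_DT and current is not None
              and len(desc) == CCID_FUNCTIONAL_LEN and current not in found):
            found.append(current)
    return found

# --- constructed sample descriptors (not captured from a real reader) ---
def make_config(*descriptors):
    body = b"".join(descriptors)
    return struct.pack("<BBHBBBBB", 9, 0x02, 9 + len(body), 1, 1, 0, 0x80, 50) + body

def make_interface(cls, endpoints):
    return bytes([9, USB_DT_INTERFACE, 0, 0, endpoints, cls, 0, 0, 0])

BULK_IN, BULK_OUT = bytes([7, 5, 0x82, 2, 64, 0, 0]), bytes([7, 5, 0x01, 2, 64, 0, 0])
CCID_READER = make_config(make_interface(USB_CLASS_SMART_CARD, 2),
                          bytes([CCID_FUNCTIONAL_LEN, CCID_FUNCTIONAL_DT]) + bytes(52),
                          BULK_IN, BULK_OUT)
VENDOR_READER = make_config(make_interface(0xFF, 2), BULK_IN, BULK_OUT)  # vendor-specific class

if __name__ == "__main__":
    for name, blob in (("CCID_READER", CCID_READER), ("VENDOR_READER", VENDOR_READER)):
        print(name, "CCID interfaces:", ccid_interfaces(blob))
```

A reader that reports only a vendor-specific interface (class 0xFF in the constructed sample) needs its vendor's driver, which is the case the firmware update mentioned in the thread is meant to remove.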

Aug 16, 2008 9:52 AM in response to Jeff in SD

I've tried all of the suggestions in this post and still can't get my CAC to show up in Keychain Access. I have flashed my reader to be CCID compliant, updated all software via Software Update, added X509Anchors to Keychain Access, run First Aid (no problems), restarted everything and still can't see my CAC. I'm running a vanilla 2 day old MacBook Pro (10.5.4). Is there something I'm missing?

Thanks.

Aug 16, 2008 9:57 AM in response to spek06

When you insert your CAC in to the reader, does the LED start (and remain) flashing? I've found that unless the LED is flashing, it will not be visible in Keychain. (Ensure you're not running VMware or anything else at that moment that may be trying to use the USB ports...) You may also have to re-insert the CAC firmly in to the reader, making sure its gold contact.

Jeff

Aug 16, 2008 10:51 AM in response to Jeff in SD

Yep, light continues to flash after I put the CAC in the reader. I've tried a few flashed readers too, same result. I don't have any other software or hardware installed that should be interfering. Is libusb required? Also, to confirm, where in keychain access should I see the CAC? I don't see it in the left and when I click on X509 Anchors, I see tons of certs but none that start with CAC as mentioned in this post?...

Thanks.

Aug 16, 2008 5:09 PM in response to spek06

I do not have the libusb file installed on my system.. just did find for it.. MAC OS X apparently has the drivers it needs without it.

The CAC appears in Keychain Access on the left-most column ("Keychains"), at the top of the list of keychains, as an entry like:

CAC-2050-5001-1234-2211-6779

Until the keychain appears there, I do not believe it will be usable by Safari, at least not using the Apple-supplied drivers.

The manufacturer of the SCR331, SCM Microsystems, is responsive to emails you send to tech support. I recommend checking out their web site:
http://www.scmmicro.com/security/viewproducten.php?PID=2

And click on "Support" link, then click on PC Security (link appears a few lines down from the blue horizontal bar), and then click on link "In case you want to send us a support request via E-mail, please use our support form."

In the event you do not get a timely response, I found the North American point of contact is Tatiana Andrade, email: Tatiana.Andrade@scmmicro.com .. she is not Tech Support, but can get their attention should you not get a response within 24 hours.

~ Jeff

Aug 17, 2008 10:54 AM in response to bajadaddy

This solution is how I got it working, although I have done it without adding the x509Anchors. And, it is still stubborn.

However, the part about not using the email certificate is questionable. The AFMC webmail server likes the email cert, not the plain one. If we connect via webmail from a Government PC, on an AFMC network, it still wants the email cert. I think it depends on how the particular server was set up.

I just reset everything on my home PowerMac because I got new certs, and I set the identity of each one to the webmail server. I initially had issues and found that I had some old certs copied to my login and system keychain. I got rid of all of them. Once that was clean, I logged in and it told me that the server rejected my cert and asked me to choose from the others. When I chose the email cert, I connected fine.
