Accessing Secure DoD Sites with Safari and a CAC

You should log a trouble report directly with Apple. At least a feedback. There's NO guarantee that Apple reads this. I agree that this is a serious problem and Apple should get on with fixing it.

Is it common knowledge that one cannot use a CAC card reader with OS X 10.5.7? I have a document entitled "CAC for a Mac: Using an Intel-Based Apple OS X System to Access NMCI Outlook Web Access" that shows how to set up OS X 10.5.4 or 10.5.5 to use a CAC. I cannot get these instructions to work under 10.5.7, though I appear to be agonizingly close.

Should I give up and wait for an Apple fix or has anyone found 10.5.7 instructions that work? Mac help has an "about common access card viewer" entry but it points to a "CAC setup" document that has apparently been removed from the knowledge base.

Any help anyone can offer will be most welcome ...

I've got everything (with the exception of the pig known as DTS) using an SCR3310 reader and a recently issued Oberthur card. I got some additional info from militarycac.com that helped put the final touches in place. I could see the certificates on the CAC but sites like the AF and JFCOM portals wouldn't let me get on! BTW, it worked under 10.5.6 and everything worked Golden under 10.6 (Snow Leopard).

These steps gave me what I needed:
From militarycac.com:

Step 9: Insert Your CAC Card into the Card Reader. If in the upper left of the Keychain Access window, under "Keychains" your CAC should show up (CAC XXXX-XXXX-XXXX-XXXX-XXXX), select it. In the right hand side you will see the certificates that are on your CAC.
Step 10: Click the "Padlock" icon in the upper left corner of the program window, which will prompt you for your CAC PIN. Enter your PIN to unlock your CAC.
Step 11: Select the desired certificate, which will show DOD CA-XX or DOD EMAIL CA-XX in the upper window. Right Click (Control Click) and select "New Identity Preference"
Step 12: Enter the following URL for for the appropriate website you wish to access, select the appropriate certificate and click “Add”:
Army:
- AKO: https://akocac.us.army.mil/ (DOD CA-XX)
- AKO Webmail: https://wmcac.us.army.mil/ (DOD CA-XX)
- Fort Gordon OWA (Email Access): https://rw3.army.mil/EXCHANGE (EMAIL CA-XX)
- Soldier Survey Site: https://fcportal.forscom.army.mil/ (EMAIL CA-XX)
- Tricare Online: https://www.tricareonline.com/preloginHome.do (DOD CA-XX)
- Tricare (1 of 3): https://cac1.tricareonline.com/ (EMAIL CA-XX)
- Tricare (2 of 3): https://cac2.tricareonline.com/ (EMAIL CA-XX)
- Tricare (2 of 3): https://cac3.tricareonline.com/ (EMAIL CA-XX)
Navy:
- Webmail: https://webmail.nmci.navy.mil (DOD CA-XX)
- Reserve Portal: https://private.navyreserve.navy.mil/ (DOD CA-XX)
- NADSUSEA (Navy East OWA): https://webmail.east.nmci.navy.mil (EMAIL CA-XX)
- NADSUSWE (Navy West OWA): https://webmail.west.nmci.navy.mil (EMAIL CA-XX)
- NADSUSEA NCIS COI (Navy NCIS OWA): https://webmail.ncis.nmci.navy.mil (EMAIL CA-XX)
- NMCI-ISF (Navy ISF OWA): https://webmail.isf.nmci.navy.mil (EMAIL CA-XX)
- PADS (Navy PADS OWA): https://webmail.pacom.mil (EMAIL CA-XX)
- PADS (Navy PACOM SMR Users OWA): https://webmail.exceptions.pacom.mil (EMAIL CA-XX)
- JTF-GNO: https://www.jtfgno.mil (EMAIL CA-XX)
Air Force:
- AF Portal (1 of 3): https://www.my.af.mil (DOD CA-XX)
- AF Portal (2 of 3): https://www.my.af.mil/EAI_JUNCTION/eai/ (DOD CA-XX)
- AF Portal (3 of 3): https://www.my.af.mil/EAI_JUNCTION/eai/auth (DOD CA-XX)
- Air Force Portal Virtual MPF Site: https://w20.afpc.randolph.af.mil/afpcsecurenet20/ (DOD CA-XX)
- Air Force Top Flite Website: https://logon.jag.af.mil (DOD CA-XX)
- Air Force Jag Site: https://aflsa.jag.af.mil/ (DOD CA-XX)


R,
wedge

In a word, no. Just poorly advertised. See my previous post for directions... It took me two years but I found it!

R,
wedge

You mention DTS - do not forget that DTS requires dbsign a windows app to be able to function. At present DTS is looking at a multi platform signing process by the makers of dbsign, but at present you need to be in a windows environment (boot camp or virtual)

Go to militarycac.com and follow the instructions and it works. This is the easiest and quickest. I did it in less than 10 minutes

I've tried all the instructions in this thread and still nothing works. I am running 10.6.1 and a Litronic 215 (all the certs show up when I open Keychain). I've added the URL for USMC (https://webmail.nmci.usmc.mil) to my email cert and still it doesn't work. I echo the frustrations of others in that I was able to do this running 10.4 18 months ago. Then all of a sudden it stopped working. I had hope that upgrading to 10.6 would again grant me access but I still cannot seem to get this right. Any help is appreciated.

I am having the same problems accessing the USMC websites. I have identical hardware (Litronic 215) and it does show up on the keychain as everything works as expected. But Safari, Mail, etc doesn't know how to look at it. I know you have to program which sites are supposed to look up the CAC card, but there is insufficient documentation out there to help us Marines out on that one. If someone knows how to upgrade the certificates on the keychain to reflect these websites it would be greatly appreciated.

Right now if I try to add an instance of a weblink it's like dropping it into a hole, and there are six identical certs when I look to add one. Is this right, or am I supposed to add the weblink to all certs? There must be an easier way!

My latest challenges are: 1) getting Outlook Web Access (OWA) into the e-mail servers for the Joint Staff, and 2) Registering my new CAC with AF Portal, as my new CAC certificates are not registered/recognized.

Setting "New Identity Preference" (from the "File" menu) for your CAC certificates is part of the battle. As other posts have noted, of the three certificates on a DoD CAC, one includes an Identity key, an E-mail Signing Key, and an E-mail Encryption key. My IT contractors at work advise me OWA requires an identity preference mated to the the E-mail signing key.

Another discovery: a previous post correctly noted the need for very accurate URL identification when creating an identity preference. Something I found helpful: creating an identity preference for "*.mil" , that is, making the URL read *.mil/(whatever) . The asterisk in the character string seems to work as you would hope/expect.

In order to get onto my OWA, I created an identity preference for the basic website ( https://owa.js.mil), and then one for the popup address that follows ( https://owa.js.mil/DODwarning). Along with a preference for *.mil, I can get about halfway there - the CAC is accessed, and I am prompted for my CAC password - but I am not sure the website actually responds, as I get an error message after the CAC is accepted:

"Safari can’t open the page “ https://owa.js.mil/DODwarning/” because the server unexpectedly dropped the connection. This sometimes occurs when the server is busy. Wait for a few minutes, and then try again."

The suggested fix is to reset Safari - this has not resolved the issue. Monday, I will ask the IT folks if I have been able to access the server at all thus far, but if anyone knows how to get past the latest Safari warning, I will be grateful.

Regarding 2): AF Portal can be accessed by CAC, only if your CAC has been registered with Portal ahead of time. Although I could get to Portal with a username/password, Gunter Annex could not help register my CAC from within Portal. I will go back to work, register the card again, and see if it works from home.

EDS came out with instructions on doing this with NMCI (Navy CONUS network). I don't have a link and I can't attach the doc (it's long), but instructions are out there. Contact your IA guys. If they're any good, they have instructions. Otherwise, send me your email and I'll see it to you.

I will portly get dinged for this here but Apple Federal and I have been working on this and I have a post on my blog on how to do this. Apple Federal has been directing their clients here so I hope this helps.

How to setup Safari to access DOD sites:
http://www.applemacgeniusville.com/2008/10/06/setting-up-safari-for-cac-login-to -dod-websites/

How to setup Firefox to access DOD Sites:
http://www.applemacgeniusville.com/2008/10/06/cac-enable-firefox/

If you need other help on DOD issues, feel free to contact me. I work with Apple Federal regularly and I am also the Apple Program Lead for the US Army.

- Jonathan