Difference between revisions of "Common Access Card"

From ArchWiki
This revision replaces the previous "Software Installation" section, which built cackey from source, with the "Installation", "Enable pcscd" and "Configure browser" sections of the rendered revision below. The replaced section read as follows.

Software Installation

  * Install pcsclite and ccid from [community] and install cackey.
  * Enable pcscd:

$ sudo systemctl enable pcscd

  * Reboot, or type the following in a terminal, to enable the smart card reader:

$ sudo systemctl start pcscd

  * Download the latest version of cackey (https://software.forge.mil/sf/go/projects.community_cac/frs.cackey).
  * Extract the cackey zip archive:

$ 7z x 0.6.8.zip

  * Untar the source tarball:

$ tar xzf cackey-0.6.8.tar.gz

  * Change directory into the cackey folder:

$ cd cackey-0.6.8

  * Build and install cackey from source (the default install prefix puts libcackey.so under /usr/local/lib, the path used in "Configuring Firefox" below):

$ ./configure
$ make
$ sudo make install

  * Install the latest version of the DoD Configuration extension for Firefox (http://www.forge.mil/Resources-Firefox.html).
  * Plug in the card reader without a card inserted. The SCR331's light should turn on (not flashing).
  * Put a CAC into the reader and make sure (at least on the SCR331) that the light starts flashing. If it does, it is set up correctly.

NOTE: You must log in using a CAC to access the cackey file. This may require you to download it on a separate computer and transfer the file.

Revision as of 10:35, 5 September 2013

This page explains how to set up Arch to use a US Department of Defense Common Access Card (CAC). It was tested with an SCR331 USB card reader, which is a very common one. Other readers may or may not work.

Installation

The following packages should be installed from [community]:

  * pcsclite
  * ccid
  * opensc

Enable pcscd

$ sudo systemctl enable pcscd
$ sudo systemctl start pcscd

Configure browser

Firefox

Navigate to Edit -> Preferences -> Advanced -> Certificates -> Security Devices, click Load and enter /usr/lib/opensc-pkcs11.so as the module filename. pcscd must be running and the reader plugged in for the module to show a slot for the card.

Configuring Firefox

This section uses cackey's PKCS#11 module (/usr/local/lib/libcackey.so, the default install location of the cackey source build) instead of OpenSC's /usr/lib/opensc-pkcs11.so. Both expose the card through the same PKCS#11 interface, so load only one of them into Firefox.

Enabling Firefox to use the CAC Reader

Insert the CAC into the reader; the green light should flash on the SCR331.

Add CAC Reader to Firefox as a Security Device

  1. Go to Edit -> Preferences on the toolbar.
  2. Click on Advanced.
  3. Click on the Encryption tab (called Certificates in newer versions).
  4. Click on the Security Devices button.
  5. Click on the Load button.
  6. Enter CAC Reader as the module name, browse to /usr/local/lib/libcackey.so, then click Open.

Importing the DoD Certificates

If you have installed the DoD Configuration extension for Firefox, you can use it to import the appropriate certificates:

Tools > Addons > Extensions > DoD Configuration > Preferences

If you are using a branded version of Firefox, you should be able to go to http://dodpki.c3pki.chamb.disa.mil/rootca.html, click on the high-level certificates to install them, and be done.

If you are using Namoroka (the unbranded Firefox 3.6 build), this site will not recognize it as Firefox and simply clicking on the link above will not get you into the site. You can work around this problem (which affects some other websites too) by changing Namoroka's user agent:

  1. Open a new tab in Namoroka.
  2. Type about:config in the address bar and press Enter.
  3. Type useragent in the search box.
  4. Double-click on the value where you see "Namoroka".
  5. Change "Namoroka" to "Firefox".
  6. Close the tab.

Once you get into the site, you can download the certificates by following the directions on the page.

The primary root certificate used has a CN of "DoD Root CA 2". It can be extracted from the DoD CA bundle and converted to PEM format for use in other browsers:

  1. Download the CA bundle, which includes approximately 36 certificates:

$ curl -O http://dodpki.c3pki.chamb.disa.mil/rel3_dodroot_2048.p7b

  2. Extract the root certificate into a PEM-formatted file. The sed range starts at the subject line whose CN is DoD Root CA 2 and stops at the first blank line, which openssl prints after each certificate:

$ openssl pkcs7 -inform DER -in rel3_dodroot_2048.p7b -print_certs | sed -n '/subject=.*CN=DoD Root CA 2/,${/^$/q;P;D}' > DoD_Root_CA_2.pem

The bundle is fetched over plain HTTP, so before trusting the extracted root compare its SHA-256 fingerprint with a value obtained out of band. The sed expression assumes the OpenSSL 1.0 output format: OpenSSL 1.1 and later print the subject as "CN = DoD Root CA 2" (with spaces), which the pattern does not match, and OpenSSL 1.1 also prints a blank line directly after the subject line, which ends the range before the certificate. Keying on the BEGIN/END CERTIFICATE markers instead is more robust.
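The following script is an added example, not part of the ArchWiki page. It generalizes the extraction step above: instead of picking one certificate with sed, it splits every certificate in a DER PKCS#7 bundle into its own PEM file named after the subject CN, tolerating both the OpenSSL 1.0 and the 1.1/3.x print_certs formats, and prints SHA-256 fingerprints for out-of-band comparison. So that it runs offline, make_test_bundle builds a constructed two-certificate bundle with self-signed test certificates; the "Example Root CA 2" and "Example Sub CA" names are assumptions, not DoD certificates.

```shell
#!/bin/sh
# Added example (not from the ArchWiki page): split a DER PKCS#7 CA bundle
# such as rel3_dodroot_2048.p7b into one PEM file per certificate, named by
# subject CN, and report SHA-256 fingerprints to compare out of band.
# Demonstrated on a constructed bundle with self-signed test certificates.
set -eu

# extract_certs BUNDLE.p7b OUTDIR
# Writes OUTDIR/<subject CN>.pem for every certificate in the bundle. Keys on
# the BEGIN/END CERTIFICATE markers rather than blank lines, and accepts both
# "subject=/C=US/.../CN=x" (OpenSSL 1.0) and "subject=C = US, ..., CN = x"
# (OpenSSL 1.1 and 3.x) subject lines. A repeated CN overwrites the earlier file.
extract_certs() {
  bundle=$1; outdir=$2
  mkdir -p "$outdir"
  openssl pkcs7 -inform DER -in "$bundle" -print_certs |
    awk -v outdir="$outdir" '
      /^subject=/ {
        cn = $0
        sub(/.*CN ?= ?/, "", cn)          # keep the text after the CN attribute
        sub(/[,\/].*/, "", cn)            # drop any attributes that follow it
        gsub(/[^A-Za-z0-9._-]/, "_", cn)  # turn the CN into a safe file name
      }
      /^-----BEGIN CERTIFICATE-----/ { out = outdir "/" cn ".pem"; inpem = 1 }
      inpem { print > out }
      /^-----END CERTIFICATE-----/   { inpem = 0; close(out) }
    '
}

# cert_subject_cn FILE.pem : the CN of the certificate's subject
cert_subject_cn() {
  openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//; s/[,\/].*//'
}

# cert_fingerprint FILE.pem : colon-separated SHA-256 fingerprint of the DER cert
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# make_test_bundle DIR : constructed bundle of two self-signed test certificates
# (assumed names, not real DoD CAs); prints the path of the DER PKCS#7 file
make_test_bundle() {
  dir=$1
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/root.key" -out "$dir/root.pem" \
    -subj "/C=US/O=Example/CN=Example Root CA 2" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/sub.key" -out "$dir/sub.pem" \
    -subj "/C=US/O=Example/CN=Example Sub CA" 2>/dev/null
  openssl crl2pkcs7 -nocrl -certfile "$dir/root.pem" -certfile "$dir/sub.pem" \
    -outform DER -out "$dir/bundle.p7b"
  echo "$dir/bundle.p7b"
}

# Demo: build the constructed bundle, split it, list fingerprints per file.
main() {
  work=$(mktemp -d)
  bundle=$(make_test_bundle "$work")
  extract_certs "$bundle" "$work/certs"
  for pem in "$work"/certs/*.pem; do
    printf '%s  %s  %s\n' "$(cert_fingerprint "$pem")" "$(cert_subject_cn "$pem")" "${pem##*/}"
  done
  rm -rf "$work"
}
main
```

To use it on the real bundle, call extract_certs rel3_dodroot_2048.p7b certs and then compare the fingerprint of certs/DoD_Root_CA_2.pem with one obtained through a channel you trust before importing it anywhere; the fingerprint, not the file name, is what identifies the certificate.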

Testing

Visit your favorite CAC-secured web page. Firefox should prompt for the password of the CAC security device, which is the card's PIN; enter it and, if you get in, you know it is working. Type the PIN carefully: a CAC locks itself after a small number of consecutive wrong attempts.