When I plug in my ActivIdentity smartcard reader, I see the following error in the console: 12/7/09 2:35:45 PM com.apple.securityd[25] /SourceCache/SmartcardCCID/SmartcardCCID-35253/ccid/ccid/src/ccid_usb.c:746:ccid_check_firmware() Firmware (2.02) is bogus! Upgrade the reader firmware or get a new reader. This very likely explains why I my CAC certs are not showing up in the keychain. Can anyone confirm functionality with an ActivIdentity USB 2.0 Smartcard Reader (P/N: ZFG-9800GAE) on Mac OS X 10.6.2? Will this reader work, and if so, what is the correct version of firmware? Thanks, -- -- Fabrizio
On Dec 7, 2009, at 5:38 PM, Fabrizio Rizzo wrote:
When I plug in my ActivIdentity smartcard reader, I see the following error in the console:
12/7/09 2:35:45 PM com.apple.securityd[25] /SourceCache/SmartcardCCID/SmartcardCCID-35253/ccid/ccid/src/ccid_usb.c:746:ccid_check_firmware() Firmware (2.02) is bogus! Upgrade the reader firmware or get a new reader.
This very likely explains why I my CAC certs are not showing up in the keychain.
Can anyone confirm functionality with an ActivIdentity USB 2.0 Smartcard Reader (P/N: ZFG-9800GAE) on Mac OS X 10.6.2? Will this reader work, and if so, what is the correct version of firmware?
Thanks, -- -- Fabrizio
Fabrizi, The ActivIdentity USB v2.0 Smart Card Reader with its current Firmware version (v2.02) is indeed your issue. That physical reader is actually an SCM SCR331 reader and you need to flash it with SCM Microsystems Firmware Update v5.25 and it will work just fine then. Go to: http://www.scmmicro.com/support/pc-security-support/downloads.html Select the following: Smartcard reader: SCR331/SCR531 CCID USB Operating System: <Your version of Windows> (ie. WIndows XP 32-bit) Select the Firmware to download and update your reader. Note: SCM requires you use Windows to update the firmware, since the Updater only runs under Windows and not Mac OS X. __________________________________________________ Shawn Geddis geddis@mac.com Apple, Security Consulting Engineer MacOSForge Project Lead: Smart Card Services Web: http://smartcardservices.macosforge.org/ Lists: http://lists.macosforge.org/mailman/listinfo __________________________________________________
That did the trick. Thank you. -- Frank On Jan 3, 2010, at 10:27 PM, Shawn A. Geddis wrote:
On Dec 7, 2009, at 5:38 PM, Fabrizio Rizzo wrote:
When I plug in my ActivIdentity smartcard reader, I see the following error in the console:
12/7/09 2:35:45 PM com.apple.securityd[25] /SourceCache/SmartcardCCID/SmartcardCCID-35253/ccid/ccid/src/ccid_usb.c:746:ccid_check_firmware() Firmware (2.02) is bogus! Upgrade the reader firmware or get a new reader.
This very likely explains why I my CAC certs are not showing up in the keychain.
Can anyone confirm functionality with an ActivIdentity USB 2.0 Smartcard Reader (P/N: ZFG-9800GAE) on Mac OS X 10.6.2? Will this reader work, and if so, what is the correct version of firmware?
Thanks, -- -- Fabrizio
Fabrizi,
The ActivIdentity USB v2.0 Smart Card Reader with its current Firmware version (v2.02) is indeed your issue. That physical reader is actually an SCM SCR331 reader and you need to flash it with SCM Microsystems Firmware Update v5.25 and it will work just fine then.
Go to: http://www.scmmicro.com/support/pc-security-support/downloads.html
Select the following:
Smartcard reader: SCR331/SCR531 CCID USB Operating System: <Your version of Windows> (ie. WIndows XP 32-bit)
Select the Firmware to download and update your reader.
Note: SCM requires you use Windows to update the firmware, since the Updater only runs under Windows and not Mac OS X.
__________________________________________________ Shawn Geddis geddis@mac.com Apple, Security Consulting Engineer
MacOSForge Project Lead: Smart Card Services Web: http://smartcardservices.macosforge.org/ Lists: http://lists.macosforge.org/mailman/listinfo __________________________________________________
Hi ALL, I can specify a different OCSP URL other than the one on my Smart Card with Windows client? Is there a way I can do the same on OS X? Thanks for the help. PSK
On Jan 4, 2010, at 2:19 PM, Paul Kwan wrote:
Hi ALL,
I can specify a different OCSP URL other than the one on my Smart Card with Windows client? Is there a way I can do the same on OS X? Thanks for the help.
PSK _______________________________________________ SmartcardServices-Users mailing list SmartcardServices-Users@lists.macosforge.org http://lists.macosforge.org/mailman/listinfo.cgi/smartcardservices-users
Paul, No. Mac OS X enforces what is in the certificate, because that is what can be absolutely validated. There are third-party products which have incorporated additional services to rewrite/process the Cert Revocation URI found in the Cert to a *configurable* URI -- allowing you to go from CRLDistribution Points to AIA Extensions (for OCSP). __________________________________________________ Shawn Geddis geddis@mac.com Security Consulting Engineer MacOSForge Project Lead: Smart Card Services Web: http://smartcardservices.macosforge.org/ Lists: http://lists.macosforge.org/mailman/listinfo __________________________________________________
Hi Shawn, Thanks for the quick response as always. Can you please tell me what are the 3rd party products you refer to? Thanks again. PSK On 1/4/10 12:37 PM, "Shawn A. Geddis" <geddis@apple.com> wrote:
On Jan 4, 2010, at 2:19 PM, Paul Kwan wrote:
Hi ALL,
I can specify a different OCSP URL other than the one on my Smart Card with Windows client? Is there a way I can do the same on OS X? Thanks for the help.
PSK _______________________________________________ SmartcardServices-Users mailing list SmartcardServices-Users@lists.macosforge.org http://lists.macosforge.org/mailman/listinfo.cgi/smartcardservices-users
Paul,
No. Mac OS X enforces what is in the certificate, because that is what can be absolutely validated.
There are third-party products which have incorporated additional services to rewrite/process the Cert Revocation URI found in the Cert to a *configurable* URI -- allowing you to go from CRLDistribution Points to AIA Extensions (for OCSP).
__________________________________________________ Shawn Geddis geddis@mac.com Security Consulting Engineer
MacOSForge Project Lead: Smart Card Services Web: http://smartcardservices.macosforge.org/ Lists: http://lists.macosforge.org/mailman/listinfo __________________________________________________
Paul, One of the products was previously available from Tumbleweed and is now from Axway http://www.axway.com/products-solutions/email-identity-security/identity-sec... -Shawn On Jan 4, 2010, at 5:59 PM, Paul Kwan wrote:
Hi Shawn,
Thanks for the quick response as always. Can you please tell me what are the 3rd party products you refer to? Thanks again.
PSK
On 1/4/10 12:37 PM, "Shawn A. Geddis" <geddis@apple.com> wrote:
On Jan 4, 2010, at 2:19 PM, Paul Kwan wrote:
Hi ALL,
I can specify a different OCSP URL other than the one on my Smart Card with Windows client? Is there a way I can do the same on OS X? Thanks for the help.
PSK _______________________________________________ SmartcardServices-Users mailing list SmartcardServices-Users@lists.macosforge.org http://lists.macosforge.org/mailman/listinfo.cgi/smartcardservices-users
Paul,
No. Mac OS X enforces what is in the certificate, because that is what can be absolutely validated.
There are third-party products which have incorporated additional services to rewrite/process the Cert Revocation URI found in the Cert to a *configurable* URI -- allowing you to go from CRLDistribution Points to AIA Extensions (for OCSP).
__________________________________________________ Shawn Geddis geddis@mac.com Security Consulting Engineer
MacOSForge Project Lead: Smart Card Services Web: http://smartcardservices.macosforge.org/ Lists: http://lists.macosforge.org/mailman/listinfo __________________________________________________
_______________________________________________ SmartcardServices-Users mailing list SmartcardServices-Users@lists.macosforge.org http://lists.macosforge.org/mailman/listinfo.cgi/smartcardservices-users
- Shawn ________________________________________ Shawn Geddis T (703) 264-5103 Security Consulting Engineer C (703) 623-9329 Apple Enterprise Division geddis@apple.com 11921 Freedom Drive, Suite 600, Reston VA 20190-5634
participants (3)
-
Fabrizio Rizzo
-
Paul Kwan
-
Shawn A. Geddis