SmartCard Services Stopped Working
I am unable to use my Government CAC anymore with the Mac. The CAC is recognized in the System.log but is not accessible in Mail.app or any browser. The following is our log… notice that CAC-5FFF-7F00-62FF-00F0-B5D3 is being inserted and added to the keychain. When I remove the card it is removed from the keychain and when I add it back it is inserted into the keychain. But when I try and use the CAC with Mail or browsing a CAC required site the CAC doesn't work or initialize in the application. See below, it looks like it is trying but getting the deny file-read-data. Help please, I've been trying to get this working since I upgraded to 10.8. I've installed the most recent update (i.e., Smart Card Services Update 2.0b2-ML-signed.pkg).

Oct 17 09:14:35 graphite.local com.apple.SecurityServer[15]: Token reader OmniKey CardMan 3121 00 00 removed from system
Oct 17 09:14:35 graphite.local com.apple.SecurityServer[15]: reader OmniKey CardMan 3121 00 00 removed token "CAC-5FFF-7F00-62FF-00F0-B5D3" (CAC-5FFF-7F00-62FF-00F0-B5D3) subservice 31
Oct 17 09:14:41 graphite.local com.apple.SecurityServer[15]: Token reader OmniKey CardMan 3121 00 00 inserted into system
Oct 17 09:14:45 graphite.local com.apple.SecurityServer[15]: token inserted into reader OmniKey CardMan 3121 00 00
Oct 17 09:14:45 graphite.local com.apple.SecurityServer[15]: reader OmniKey CardMan 3121 00 00 inserted token "CAC-5FFF-7F00-69FF-00F0-0592" (CAC-5FFF-7F00-69FF-00F0-0592) subservice 32 using driver com.apple.tokend.cac
Oct 17 09:15:23 graphite.local com.apple.SecurityServer[15]: Session 100022 created
Oct 17 09:15:23 graphite.local com.apple.security.XPCKeychainSandboxCheck[708]: Can't get dir or base (likely out of memory) for CAC-5FFF-7F00-69FF-00F0-0592
Oct 17 09:16:53 graphite.local sandboxd[725] ([259]): WebProcess(259) deny file-read-data /Library/Preferences/com.apple.security-common.plist

graphite:log rmora$ security list-keychains
    "CAC-5FFF-7F00-69FF-00F0-0592"
    "/Users/rmora/Library/Keychains/login.keychain"
    "/Users/rmora/Library/Keychains/Microsoft_Intermediate_Certificates"
    "/Users/rmora/Library/Application Support/Adobe/AIR/ELS/com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1/PrivateEncryptedDatak"
    "/System/Library/Keychains/SystemCACertificates.keychain"
graphite:log rmora$

When trying to bring up Mail:

Oct 17 09:33:38 graphite.local Mail[864]: Using V2 Layout
Oct 17 09:33:38 graphite.local com.apple.SecurityServer[15]: Session 100027 created
Oct 17 09:33:38 graphite.local com.apple.security.XPCKeychainSandboxCheck[866]: Can't get dir or base (likely out of memory) for CAC-5FFF-7F00-69FF-00F0-A581
Oct 17 09:33:44 graphite.local Mail[864]: *** -[IADomainCache init]: IA domains cache is out of date.
Oct 17 09:33:44 graphite.local SyncServer[868]: [0x7ff56940be40] |DataManager|Warning| Client com.apple.Mail sync alert tool path /System/Library/Frameworks/Message.framework/Resources/MailSync does not exist.

THUS the Mail.app will not initialize the ability to digitally sign my emails.

Then when bringing up Safari…

Oct 17 09:34:47 graphite.local sandboxd[878] ([877]): WebProcess(877) deny file-read-data /Library/Preferences/com.apple.security-common.plist
Oct 17 09:34:47 graphite kernel[0]: Sandbox: sandboxd(878) deny mach-lookup com.apple.coresymbolicationd

And I can't access the customer's CAC enabled site.

Software: OS X 10.8.2 (12C60)

Hardware Overview:
Model Name: MacBook Pro
Model Identifier: MacBookPro10,1
Processor Name: Intel Core i7
Processor Speed: 2.6 GHz
Number of Processors: 1
Total Number of Cores: 4
L2 Cache (per Core): 256 KB
L3 Cache: 6 MB
Memory: 16 GB
Boot ROM Version: MBP101.00EE.B02
SMC Version (system): 2.3f32
Serial Number (system): C02HXBMSDKQ5
Hardware UUID: 0B42596B-3FA9-59DD-814E-AD141081775A
Randall,

When you say it is recognizing your CAC in the System.log I think you are referring to the Token identifier you see as "CAC-5FFF-7F00-69FF-00F0-0592". What I fear is your issue is that the card you are using is not actually properly recognized by the Tokend. Allow me to explain. The identifier "5FFF-7F00-69FF-00F0-0592" *should* match the 20-digit alphanumeric identifier printed at the top of the back of your card.

If the two (printed identifier, Keychain identifier) do not match, then there is an issue with the Tokend in use. If that is the case, please submit a ticket [ http://smartcardservices.macosforge.org/trac/newticket ] with all of the relevant information from your system (i.e. System Profiler) and information about your card (i.e. CAC, CACNG, PIV, PIV-I, manufacturer branding name). Note on the wiki, blog and installer that the CACNG Tokend only supports the Gemalto TOPDLGX4 144 - ONLY at this time. If you have the Oberthur ID One card, it may not work at this time.

-Shawn

On Oct 17, 2012, at 12:54 PM, "Randall P. Mora" <randall@avum.com> wrote:
_______________________________________________
SmartcardServices-Users mailing list
SmartcardServices-Users@lists.macosforge.org
http://lists.macosforge.org/mailman/listinfo/smartcardservices-users
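The check Shawn asks for above, written out as an added example that is not part of this thread and not code from the Smart Card Services project: it pulls every token identifier out of SecurityServer, XPCKeychainSandboxCheck and sandboxd lines like the ones Randall posted (the sample lines below are copied from his message, not constructed), reduces the keychain form "CAC-5FFF-7F00-69FF-00F0-0592" to the bare 20 hex characters so it can be compared with whatever is printed on the back of the card, and also lists the sandbox denials. The printed identifier passed in under `__main__` is a placeholder, and the "one card should present one identifier" flag is an inference from Shawn's rule (if a single card shows up under several identifiers, at most one of them can match the print), not something the thread states.

```python
import re

# Log lines copied from Randall's post in this thread (quoted, not constructed).
SAMPLE_LOG = """\
Oct 17 09:14:35 graphite.local com.apple.SecurityServer[15]: reader OmniKey CardMan 3121 00 00 removed token "CAC-5FFF-7F00-62FF-00F0-B5D3" (CAC-5FFF-7F00-62FF-00F0-B5D3) subservice 31
Oct 17 09:14:45 graphite.local com.apple.SecurityServer[15]: reader OmniKey CardMan 3121 00 00 inserted token "CAC-5FFF-7F00-69FF-00F0-0592" (CAC-5FFF-7F00-69FF-00F0-0592) subservice 32 using driver com.apple.tokend.cac
Oct 17 09:15:23 graphite.local com.apple.security.XPCKeychainSandboxCheck[708]: Can't get dir or base (likely out of memory) for CAC-5FFF-7F00-69FF-00F0-0592
Oct 17 09:16:53 graphite.local sandboxd[725] ([259]): WebProcess(259) deny file-read-data /Library/Preferences/com.apple.security-common.plist
Oct 17 09:33:38 graphite.local com.apple.security.XPCKeychainSandboxCheck[866]: Can't get dir or base (likely out of memory) for CAC-5FFF-7F00-69FF-00F0-A581
Oct 17 09:34:47 graphite kernel[0]: Sandbox: sandboxd(878) deny mach-lookup com.apple.coresymbolicationd
"""

# Keychain token identifier as the CAC tokend names it: "CAC-" plus five hyphenated hex groups.
CAC_ID_RE = re.compile(r"CAC-[0-9A-F]{4}(?:-[0-9A-F]{4}){4}")
# Sandbox denial: "deny <operation> <target>" from sandboxd or the kernel Sandbox line.
SANDBOX_RE = re.compile(r"deny (?P<op>\S+) (?P<target>\S+)")


def token_ids_seen(log: str) -> list:
    """Distinct token identifiers, in first-seen order, from every line that names one."""
    seen = []
    for match in CAC_ID_RE.finditer(log):
        if match.group(0) not in seen:
            seen.append(match.group(0))
    return seen


def normalize_id(identifier: str) -> str:
    """Reduce the keychain form or the printed form to the bare 20 hex characters."""
    value = identifier.strip().upper()
    if value.startswith("CAC-"):
        value = value[4:]
    return value.replace("-", "").replace(" ", "")


def printed_id_matches(token_id: str, printed_id: str) -> bool:
    """Shawn's test: the keychain identifier should equal the identifier printed on the card."""
    return normalize_id(token_id) == normalize_id(printed_id)


def sandbox_denials(log: str) -> list:
    """(operation, target) pairs for every sandbox denial in the log."""
    return [(m.group("op"), m.group("target")) for m in SANDBOX_RE.finditer(log)]


def check_card(log: str, printed_id: str) -> dict:
    """Summarize what the log says about the card against the printed identifier."""
    ids = token_ids_seen(log)
    matching = [i for i in ids if printed_id_matches(i, printed_id)]
    return {
        "token_ids": ids,
        "matching_ids": matching,
        # No identifier in the log matches the print: Shawn's rule says suspect the tokend.
        "tokend_mismatch": not matching,
        # Inference, not from the thread: one physical card presenting several
        # identifiers across insertions cannot match the print more than once.
        "unstable_id": len(ids) > 1,
        "sandbox_denials": sandbox_denials(log),
    }


if __name__ == "__main__":
    # Placeholder for the identifier printed at the top of the back of the card.
    PRINTED_ID_PLACEHOLDER = "5FFF-7F00-69FF-00F0-0592"
    for key, value in check_card(SAMPLE_LOG, PRINTED_ID_PLACEHOLDER).items():
        print(f"{key}: {value}")
```

Run against the posted lines, the report shows three different identifiers for what Randall describes as one card (B5D3, 0592, A581), which is exactly the kind of result Shawn's comparison is meant to surface, along with the WebProcess file-read-data denial on com.apple.security-common.plist that Randall noticed.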
Randall,

Any update or did you submit a ticket?

- Shawn
______________________________________________________
Shawn Geddis geddis@me.com
Enterprise Security Consulting Engineer, Apple geddis@apple.com
MacOSForge: Smart Card Services Project Lead
Web: http://smartcardservices.macosforge.org/
Lists: http://lists.macosforge.org/mailman/listinfo
______________________________________________________

On Oct 18, 2012, at 11:34 AM, Shawn Geddis <geddis@me.com> wrote: