I need to use both a CAC and a company issued smart card (PIV). I’m using OS 10.9 and find that if I have both the CAC.tokend and the PIV.tokend installed, only the first card used is supported and the next is not recognized. I end up having to remove one of the tokends for the other to work. Is there a tokend that supports both CAC and PIV, or some way to allow both to be used such that the correct tokend is selected based on the card inserted?

R/ Ed Rogers
SWFTS SE&I Technical Director
LM Manassas
(703) 367-1620
CACs *are* PIVs (they have a PIV interface); PIV.tokend can drive both. The DoD Identity certificate is not available through the PIV interface, so if you need that certificate you'll have a problem with applications that need it (e.g., for MyPay/MyBenefits).

There is third party software that will manage both on OS X, but it's not appropriate to stump for a vendor here, so I'll leave you to your Googling. :)

-- T

From: smartcardservices-users-bounces@lists.macosforge.org on behalf of Rogers, Ed [ed.rogers@lmco.com]
Sent: Wednesday, November 20, 2013 07:24
To: smartcardservices-users@lists.macosforge.org
Subject: [SmartcardServices-Users] use multiple tokend
On Nov 25, 2013, at 8:52 AM, Miller, Timothy J. <tmiller@mitre.org> wrote:
Tim,

After sending a response to Ed just now on his message, I saw and realized that you had provided a response on Nov 25. Unfortunately, with respect to Smart Card Services on OS X your information is not correct.

With respect to the OS X Tokend modules (originally included in OS X and now provided via the SmartCardServices Project):

- CAC - Original Common Access Cards with a single CAC Applet
- CACNG - CACNG Cards with both CACv2 and PIV Applets (some refer to this as Dual-Persona)
- PIV - Cards with only the PIV Applet

Each one of these Card Profiles is supported by the corresponding Tokend module provided: CAC.tokend, CACNG.tokend, and PIV.tokend.

Cards recognized on OS X as having the CACNG profile will have objects from both Applets appear and be usable from one single Dynamic Keychain. Its default Keychain Name will begin with “CACNG-…..” You can use and select ANY of the certificates from either the CACv2 or the PIV side of the CACNG Card at all times on OS X.

If you or anyone who has an issued CACNG is having troubles with this, I would love to get more information on the actual/perceived failures.

- Shawn

Shawn Geddis geddis@{Mac | Me | iCloud}.com
Enterprise Security Consulting Engineer, Apple geddis@apple.com
Smart Card Services Project/Dev Lead:
Project Wiki: [SmartCardServices.MacOSFforge.Org]
Mailing Lists: [Lists.MacOSForge.Org/mailman/listinfo]
SCS Contact: [scs-cotact@macosforge.org]
SCS Admin: [scs-admin@macosforge.org]
Did you finally update CACNG to manage the full list of active CAC/PIV I and II cards? Last time I checked, I still couldn't get it to handle at least one cardstock in active issuance.

Also, how does CACNG resolve the PIN-Always rule conflict on the Digital Signature key?

For those who care: The PIV data model applies a PIN-Always ACL on the (optional) digital signature key; PIN-Once is used for the PIV authentication key, and the PIV middleware specification requires collecting the PIN from the user for every action using a key with a PIN-Always ACL. This means that when using the DoD-Signature certificate for, e.g., website authN, a PIV-compliant middleware (like PIV.tokend) will ask for the PIN for every private key operation--a real nuisance, I assure you. :) The CAC data model and DoD Middleware Specification have no such rule, which meant it was effectively PIN-Once. Much more usable.

This is a clear problem for middleware that claims compliance with PIV and CAC specifications. You can't do both at the same time. :)

I believe NIST is considering more explicit guidance re: middleware and PIN-Always; e.g., allowing an acknowledgement vs. PIN collection, but AFAIK this hasn't made it into the SPs yet.

-- T

From: Shawn Geddis [geddis@icloud.com]
Sent: Thursday, January 16, 2014 17:22
To: Miller, Timothy J.
Cc: Mr. Ed Rogers; SmartCard Services-Users
Subject: Re: [SmartcardServices-Users] use multiple tokend
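A small Python model of the PIN-prompting rule Tim describes above, added here as an illustration (it is not code from the thread or from the SmartCardServices project): it counts how many PIN prompts a sequence of private-key operations costs under a PIV-compliant middleware versus a CAC-style PIN-Once middleware. The key references 9A and 9C are an assumption borrowed from NIST SP 800-73 naming; the post itself names only the PIV Authentication and Digital Signature keys.

```python
from dataclasses import dataclass
from enum import Enum


class PinPolicy(Enum):
    ALWAYS = "PIN-Always"  # PIN must be collected before every use of the key
    ONCE = "PIN-Once"      # one PIN verification per card session is enough


# ACLs as Tim's post describes them. The key references are an assumption added here:
# 9A (PIV Authentication key) and 9C (Digital Signature key) follow NIST SP 800-73 naming.
PIV_ACL = {"9A": PinPolicy.ONCE, "9C": PinPolicy.ALWAYS}


@dataclass
class MiddlewareSession:
    """Constructed model of one card session as seen by middleware (no real APDUs)."""
    piv_compliant: bool      # True: follow the PIV middleware rule; False: CAC-style PIN-Once
    verified: bool = False   # has the user's PIN been presented in this session?
    prompts: int = 0         # how many times the user was asked for the PIN

    def private_key_op(self, key_ref: str) -> bool:
        """Perform one private-key operation; return True if the user was prompted."""
        policy = PIV_ACL[key_ref]
        must_prompt = (not self.verified) or (self.piv_compliant and policy is PinPolicy.ALWAYS)
        if must_prompt:
            self.prompts += 1
            self.verified = True  # card security status now satisfied for this session
        return must_prompt


def prompt_count(ops, piv_compliant):
    """Number of PIN prompts a sequence of key operations costs under a given middleware rule."""
    session = MiddlewareSession(piv_compliant=piv_compliant)
    for key_ref in ops:
        session.private_key_op(key_ref)
    return session.prompts


if __name__ == "__main__":
    # Three TLS client-auth handshakes signed with the Digital Signature key (9C):
    # PIV-compliant middleware prompts every time, CAC-style middleware only once.
    signing = ["9C", "9C", "9C"]
    print("PIV-compliant:", prompt_count(signing, True))   # 3
    print("CAC-style    :", prompt_count(signing, False))  # 1
```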
On Nov 20, 2013, at 8:24 PM, Rogers, Ed <ed.rogers@lmco.com> wrote:
Ed,

Looks like you never got a response to your above question from back on Nov 20…..

CAC, CACNG, and PIV are all separate Card Profiles where each would be supported by the corresponding Tokend module. There would not be a case where you should have to move / remove a Tokend module to allow for another Tokend to be used. They are all independent and will each be used to probe and support the cards inserted into each of your attached and supported readers.

In your case, when you insert the first card (say your CAC), the CAC.tokend should remain and support comms to that card. When you add a second reader / insert your second card, the corresponding PIV.tokend would remain and support comms to that card. If you look at the running processes via Terminal you should see both CAC and PIV in the list.

When you say:
that only the first card used is supported and the next is not recognized.
Can you explain further about what you mean when you say “only the first card used is supported”? If you are attempting to authenticate, say for accounts and system config changes (i.e. System Preferences), then yes, the first Token is assumed to be your Primary Authentication token. However, that is not the case for any other Service / Application on OS X - for example, HTTPS, S/MIME, EAP-TLS, etc.

If you explain more I can help further.

- Shawn
participants (3)
- Miller, Timothy J.
- Rogers, Ed
- Shawn Geddis