[SmartcardServices-Users] New CAC-NG Installer v.96

Shawn A. Geddis geddis at apple.com
Thu Feb 4 09:52:27 PST 2010


On Feb 4, 2010, at 6:33 AM, Evans, Paul CIV NAVAIR Bldg 1463 wrote:
> Shawn,
> 
> Good news is that the installer places the tokend in the correct location.  Bad news is that I still can't use any of the certs at any CAC enabled websites.  I set up identity preferences as I have in the past, but I end up in an endless loop where Safari tells me that the web server will not accept my certificate, choose another.
> 
> pe 


Paul,

The CAC-NG Tokend is not what is causing you heartburn for accessing PK-enabled websites....

Due to the unfortunate/varying configurations of DoD Web Servers, it requires the Identity Preference (IDPref).  Good news is that as of 10.6.0, you can create ONE Wildcard IDPref for your purposes and be done (for most if not all of your use cases).

Within the IDPref Panel:

	*.navy.mil

This will resolve ANY server request....  say:

SubDomain1.navy.mil
SubDomain1.navy.mil/directory/
SubDomain2.navy.mil
MyServer.SubDomain1.navy.mil


You can also look at the MAN page for 'security' for clarity as well. 

$ man security

....
Starting with 10.6, it is possible to specify identity preferences on a per-domain basis, by using the wild-card character '*' as the leftmost component of the service name. Unlike SSL wildcards, an identity preference wildcard can match more than one subdomain. For example, an identity preference for the name "*.army.mil" will match "server1.subdomain1.army.mil" or "server2.subdomain2.army.mil". Likewise, a preference for "*.mil" will match both "server.army.mil" and "server.navy.mil".


Keep in mind that where a Wildcard may not be appropriate to resolve all of your sites, Mac OS X would of course continue to support multiple URL specific IDPrefs...

Try this and let us know how it goes for you...

-Shawn
__________________________________________________
Shawn Geddis				  			   geddis at mac.com
Security Consulting Engineer				   geddis at apple.com

MacOSForge Project Lead:                           Smart Card Services                                                                 
	Web:	http://smartcardservices.macosforge.org/
	Lists:	http://lists.macosforge.org/mailman/listinfo
__________________________________________________
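
Added example, not part of the original message and not Apple's code: a small Python model of the wildcard rule quoted from the 'security' man page above, set beside SSL-style single-label matching to show where the two differ. The function names, the handling of a bare domain such as "navy.mil", and the exact-match rule for non-wildcard names are assumptions of this sketch; the sample names are the ones used in the message.

```python
from urllib.parse import urlsplit


def _host_labels(service):
    """Lower-cased DNS labels of a host name or URL; port and path are ignored."""
    parts = urlsplit(service if "://" in service else "//" + service)
    return (parts.hostname or "").rstrip(".").split(".")


def idpref_wildcard_match(pattern, service):
    """Model of the man page text: '*' leftmost, any number of subdomain labels."""
    p = pattern.lower().rstrip(".").split(".")
    host = _host_labels(service)
    if p[0] != "*":
        return p == host  # assumption: non-wildcard names compare on the host only
    suffix = p[1:]
    if not suffix:
        return False  # a lone '*' is outside what the man page describes
    # Assumption: '*' stands for at least one label, so "*.navy.mil"
    # does not match the bare domain "navy.mil".
    return len(host) > len(suffix) and host[-len(suffix):] == suffix


def tls_wildcard_match(pattern, service):
    """SSL/TLS-style wildcard for contrast: '*' stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    host = _host_labels(service)
    if p[0] != "*":
        return p == host
    return len(p) > 1 and len(host) == len(p) and host[1:] == p[1:]


# Service names taken from the message and the quoted man page text.
SAMPLES = [
    "SubDomain1.navy.mil",
    "SubDomain1.navy.mil/directory/",
    "MyServer.SubDomain1.navy.mil",
    "server.army.mil",
]


def compare(pattern, services=SAMPLES):
    """Map each service to (identity-preference match, TLS-style match)."""
    return {s: (idpref_wildcard_match(pattern, s), tls_wildcard_match(pattern, s))
            for s in services}


if __name__ == "__main__":
    for name, (idpref, tls) in compare("*.navy.mil").items():
        print(f"{name:34} idpref={idpref!s:5} tls-style={tls}")
```

The broader the pattern, the more servers the preferred identity is preselected for: "*.mil" covers every host under that suffix, which is why URL-specific preferences remain the narrower choice where one wildcard does not fit.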
