[SmartcardServices-Users] Enable Debug for IDentity Pref Troubleshooting

Evans, Paul CIV NAVAIR Bldg 1463 paul.evans1 at navy.mil
Fri Feb 5 07:33:41 PST 2010


Shawn,

I turned on the debug.  There were no syslog messages for ID preference lookups.  There were however these security related entries.

Feb  5 10:11:42 macbook-pro com.apple.SecurityServer[33]: securityd(33,0xb0081000) malloc: *** error for object 0x1249000: pointer being freed was not allocated

Feb  5 10:11:42 macbook-pro com.apple.SecurityServer[33]: *** set a breakpoint in malloc_error_break to debug

Feb  5 10:11:42 macbook-pro securityd[33]: securityd(33,0xb0081000) malloc: *** error for object 0x1235000: pointer being freed was not allocated\n*** set a breakpoint in malloc_error_break to debug

Feb  5 10:11:42 macbook-pro securityd[33]: securityd(33,0xb0081000) malloc: *** error for object 0x123f000: pointer being freed was not allocated\n*** set a breakpoint in malloc_error_break to debug

Feb  5 10:11:42 macbook-pro securityd[33]: securityd(33,0xb0081000) malloc: *** error for object 0x1249000: pointer being freed was not allocated\n*** set a breakpoint in malloc_error_break to debug

Are these messages saying the debug command didn't work or is it something unrelated?

Thanks,

pe

-----Original Message-----
From: Shawn A. Geddis [mailto:geddis at apple.com] 
Sent: Thursday, February 04, 2010 15:45
To: Evans, Paul CIV NAVAIR Bldg 1463
Cc: SmartCardServices-Users
Subject: Enable Debug for IDentity Pref Troubleshooting

Paul,

Here is a better way to troubleshoot any Identity related issue.

Keep in mind that the single wildcard IDPref approach *may* be more appropriate for you within NMCI services.  Also note the nuance between how you configure a "Per Server" URL and a "Per-Domain" Wildcard URL within the IDPref.

"Per Server" URL IDPref: https://TheServer.navy.mil/ (Make sure you use "https" as well as the trailing slash)

"Per-Domain" Wildcard URL IDPref: *.navy.mil (Note there is NO protocol defined - no "https")

It is hard to determine what Identity Prefs settings you have right now, so let's do some troubleshooting.



Troubleshooting:
To provide the ability to troubleshoot why you may still be failing to authenticate to a given server, Apple enabled a debug flag which, when enabled, will log identity preference information to the System log (/var/log/system.log).

Enable Identity Preference Debug Mode in 10.5.4+:

$ defaults write com.apple.security LogIdentityPreferenceLookup -boolean true


When enabled, each identity preference lookup is written as in the following example:

Jul  1 18:12:51 /Applications/Safari.app/Contents/MacOS/Safari[386]: preferred identity: "User" found for "https://Full.Server.Name/"



Enable the debug as noted and then send the 

-Shawn
__________________________________________________
Shawn Geddis       geddis at mac.com
Security Consulting Engineer    geddis at apple.com

MacOSForge Project Lead:                           Smart Card Services                                                                 
Web: http://smartcardservices.macosforge.org/
Lists: http://lists.macosforge.org/mailman/listinfo
__________________________________________________





	Shawn,
	
	If the identity preferences are the issues, shouldn't the old identity preferences that I had in the keychain still have been correct for the websites in question, other than, of course, there being an expired cert listed?  In other words, if I edited my identity preference for a particular website and chose the appropriate certificate from my new CAC, shouldn't that have worked?  I've edited/removed/recreated ID preferences for the CAC enabled websites, trying every cert available with no luck.  I always get the following message from Safari.  
	
	"The website 'insert CAC-enabled website url here' did not accept the certificate 'insert your EDIPI here'".
	
	It then gives me a list of other certs available to choose from, but no matter which one I choose I end up in the same endless loop.  I've captured the traffic exchange via Wireshark and it appears that things fail in the key exchange portion of TLS.
	
	I'm certainly looking forward to upgrading to 10.6, but for the moment I'm still running 10.5.8.  And even if I did upgrade, from a previous post you said there's no guarantee that the out-of-the-box tokend on 10.6 will work with the new cards.
	
	Anyway, I appreciate your help with this.  If anything I'm saying doesn't make sense, please let me know.
	
	pe



	-----Original Message-----
	From: Shawn A. Geddis [mailto:geddis at apple.com] 
	Sent: Thursday, February 04, 2010 12:52
	To: Evans, Paul CIV NAVAIR Bldg 1463
	Cc: SmartcardServices-Users SmartCardServices-Users
	Subject: Re: [SmartcardServices-Users] New CAC-NG Installer v.96
	
	On Feb 4, 2010, at 6:33 AM, Evans, Paul CIV NAVAIR Bldg 1463 wrote:
	
	Shawn,
	
	Good news is that the installer places the tokend in the correct location.  Bad news is that I still can't use any of the certs at any CAC enabled websites.  I set up identity preferences as I have in the past, but I end up in an endless loop where Safari tells me that the web server will not accept my certificate, choose another.
	
	pe 
	
	
	
	Paul,
	
	The CAC-NG Tokend is not what is causing you heartburn for accessing PK-enabled websites....
	
	Due to the unfortunate/varying configurations of DoD Web Servers, it requires the Identity Preference (IDPref).  Good news is that as of 10.6.0, you can create ONE Wildcard IDPref for your purposes and be done (for most if not all of your use cases).
	
	Within the IDPref Panel:
	
	*.navy.mil
	
	
	This will resolve ANY server request....  say:
	
	
	SubDomain1.navy.mil
	
	SubDomain1.navy.mil/directory/
	
	SubDomain2.navy.mil
	
	MyServer.SubDomain1.navy.mil
	
	
	
	You can also look at the MAN page for 'security' for clarity as well. 
	
	$ man security
	
	....
	Starting with 10.6, it is possible to specify identity preferences on a per-domain basis, by using the wild-card character '*' as the leftmost component of the service name. Unlike SSL wildcards, an identity preference wildcard can match more than one subdomain. For example, an identity preference for the name "*.army.mil" will match "server1.subdomain1.army.mil" or "server2.subdomain2.army.mil". Likewise, a preference for "*.mil" will match both "server.army.mil" and "server.navy.mil".
	
	
	Keep in mind that where a Wildcard may not be appropriate to resolve all of your sites, Mac OS X would of course continue to support multiple URL specific IDPrefs...
	
	Try this and let us know how it goes for you...
	
	-Shawn
	
	__________________________________________________
	Shawn Geddis       geddis at mac.com
	Security Consulting Engineer    geddis at apple.com
	
	MacOSForge Project Lead:                           Smart Card Services                                                                 
	Web: http://smartcardservices.macosforge.org/
	Lists: http://lists.macosforge.org/mailman/listinfo
	__________________________________________________
	
	
	_______________________________________________
	SmartcardServices-Users mailing list
	SmartcardServices-Users at lists.macosforge.org
	http://lists.macosforge.org/mailman/listinfo.cgi/smartcardservices-users
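An added example (an editor's illustration, not Apple's Security framework code and not anything posted in the thread) that ties together the two IDPref name forms Shawn describes above and the LogIdentityPreferenceLookup line format he quotes. It models the per-server URL preference ("https://TheServer.navy.mil/") and the per-domain wildcard ("*.navy.mil") from the quoted `security` man page text, contrasts the latter with a one-label TLS certificate wildcard, and parses constructed syslog lines in the format shown on this page while skipping the securityd malloc noise. The precedence rule (per-server pref before wildcard, longest wildcard suffix wins) and comparing per-server prefs on scheme and host only, ignoring the path, are assumptions made for the example, not documented behaviour; the preference names and identity labels are made up.

```python
"""Model of Identity Preference (IDPref) matching and of the
LogIdentityPreferenceLookup syslog line format discussed on this page.
Editor's example: not Apple's Security framework code. Matching rules
are reconstructed from the thread and the quoted `security` man page
text; precedence and path handling are stated assumptions."""
import re
from urllib.parse import urlsplit

# Constructed syslog excerpt: one IDPref lookup line in the format the page
# shows, surrounded by two securityd malloc complaints the parser must ignore.
SAMPLE_LOG = """\
Feb  5 10:11:42 macbook-pro securityd[33]: securityd(33,0xb0081000) malloc: *** error for object 0x1249000: pointer being freed was not allocated
Jul  1 18:12:51 /Applications/Safari.app/Contents/MacOS/Safari[386]: preferred identity: "User" found for "https://Full.Server.Name/"
Feb  5 10:11:42 macbook-pro com.apple.SecurityServer[33]: *** set a breakpoint in malloc_error_break to debug
"""

# Hypothetical preference table: IDPref name -> identity label shown in Keychain.
EXAMPLE_PREFS = {
    "*.navy.mil": "CAC Authentication",
    "https://TheServer.navy.mil/": "CAC Signature",
}

IDPREF_LOG_RE = re.compile(
    r'preferred identity: "(?P<identity>[^"]*)" found for "(?P<url>[^"]*)"'
)


def parse_idpref_log(text):
    """Return (identity, url) pairs from LogIdentityPreferenceLookup output.
    Lines that are not lookup records (e.g. malloc diagnostics) are skipped."""
    found = []
    for line in text.splitlines():
        m = IDPREF_LOG_RE.search(line)
        if m:
            found.append((m.group("identity"), m.group("url")))
    return found


def _scheme_host(url):
    """(scheme, host) of a URL, lower-cased; host is '' if there is none."""
    parts = urlsplit(url)
    return parts.scheme.lower(), (parts.hostname or "").lower()


def idpref_matches(pref_name, url):
    """Does the IDPref named pref_name apply to url?

    Two forms from the thread:
      * per-domain wildcard, e.g. "*.navy.mil" (no scheme). Per the man page
        text the '*' may span several labels, so any host that ends in
        ".navy.mil" matches, however many subdomains deep.
      * per-server URL, e.g. "https://TheServer.navy.mil/". Assumption:
        compared on scheme and host, case-insensitively; path is ignored.
    """
    scheme, host = _scheme_host(url)
    if not host:
        return False
    if pref_name.startswith("*."):
        suffix = pref_name[1:].lower()          # "*.navy.mil" -> ".navy.mil"
        return host.endswith(suffix) and len(host) > len(suffix)
    pscheme, phost = _scheme_host(pref_name)
    return bool(phost) and (pscheme, phost) == (scheme, host)


def tls_wildcard_matches(pattern, host):
    """Certificate-style wildcard (RFC 6125 flavour, whole-label only):
    '*' stands for exactly one DNS label. Included to show the difference
    the man page calls out between SSL wildcards and IDPref wildcards."""
    pl, hl = pattern.lower().split("."), host.lower().split(".")
    if len(pl) != len(hl):
        return False
    return all(p == "*" or p == h for p, h in zip(pl, hl))


def lookup_identity(prefs, url):
    """Pick the identity label for url from a {pref_name: label} dict.
    Assumption (not stated on the page): a per-server URL pref wins over a
    wildcard, and among matching wildcards the longest suffix wins."""
    exact = [lbl for name, lbl in prefs.items()
             if not name.startswith("*.") and idpref_matches(name, url)]
    if exact:
        return exact[0]
    wild = [(name, lbl) for name, lbl in prefs.items()
            if name.startswith("*.") and idpref_matches(name, url)]
    if not wild:
        return None
    return max(wild, key=lambda nl: len(nl[0]))[1]


if __name__ == "__main__":
    for u in ("https://SubDomain1.navy.mil/directory/",
              "https://MyServer.SubDomain1.navy.mil/",
              "https://TheServer.navy.mil/",
              "https://server.army.mil/"):
        print(u, "->", lookup_identity(EXAMPLE_PREFS, u))
    print(parse_idpref_log(SAMPLE_LOG))
```

Run it as-is to see which hypothetical preference each of Shawn's sample hostnames resolves to, and feed `parse_idpref_log` the output of `grep 'preferred identity' /var/log/system.log` once the debug flag is on; if no lookup lines appear at all, the malloc messages from securityd are not evidence either way, since they are not produced by the lookup logging.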
	




