[SmartcardServices-Users] Enable Debug for IDentity Pref Troubleshooting

Evans, Paul CIV NAVAIR Bldg 1463 paul.evans1 at navy.mil
Mon Feb 8 06:35:17 PST 2010


Shawn,

I tried again this morning and get the same results.  When I attempted to access https://infosec.navy.mil I get prompted for my CAC PIN, then get in an endless loop of being told that the website will not accept my certificate and being asked to choose a new one.  It doesn't matter which one I choose.  The only entries that show up in the log are the memory allocation errors.  I had a colleague try it on his account on the same machine.  He does not have the CACNG and when he tries to access a CAC-enabled site the following error shows up in the log.

/System/Library/Security/tokend/PIV.tokend/Contents/MacOS/PIV[137]: error writing cache file /0-CCC: Permission denied.

This is followed by the same set of memory allocation errors that show up when I try to access the site.

Don't know if this sheds any more light on the issue or not.  I'll continue to see what I can dig up on this end.

Thanks again for your help.

pe

-----Original Message-----
From: Shawn A. Geddis [mailto:geddis at apple.com] 
Sent: Friday, February 05, 2010 16:43
To: Evans, Paul CIV NAVAIR Bldg 1463
Cc: SmartCardServices-Users
Subject: Re: [SmartcardServices-Users] Enable Debug for IDentity Pref Troubleshooting

Paul,

The log entries below are not related and unfortunately not helpful for this.

The logging of IDPref usage takes place only when, for example, you are attempting to connect to PK-enabled websites.  You would need to have enabled the logging as previously noted and then attempted to access sites.  Please try again and get the contents of /var/log/system.log.

-Shawn
__________________________________________________
Shawn Geddis                  geddis at mac.com
Security Consulting Engineer  geddis at apple.com

MacOSForge Project Lead:      Smart Card Services
    Web:   http://smartcardservices.macosforge.org/
    Lists: http://lists.macosforge.org/mailman/listinfo
__________________________________________________

On Feb 5, 2010, at 10:33 AM, Evans, Paul CIV NAVAIR Bldg 1463 wrote:

> Shawn,
> 
> I turned on the debug.  There were no syslog messages for ID preference lookups.  There were however these security related entries.
> 
> Feb  5 10:11:42 macbook-pro com.apple.SecurityServer[33]: 
> securityd(33,0xb0081000) malloc: *** error for object 0x1249000: 
> pointer being freed was not allocated
> 
> Feb  5 10:11:42 macbook-pro com.apple.SecurityServer[33]: *** set a 
> breakpoint in malloc_error_break to debug
> 
> Feb  5 10:11:42 macbook-pro securityd[33]: securityd(33,0xb0081000) 
> malloc: *** error for object 0x1235000: pointer being freed was not 
> allocated\n*** set a breakpoint in malloc_error_break to debug
> 
> Feb  5 10:11:42 macbook-pro securityd[33]: securityd(33,0xb0081000) 
> malloc: *** error for object 0x123f000: pointer being freed was not 
> allocated\n*** set a breakpoint in malloc_error_break to debug
> 
> Feb  5 10:11:42 macbook-pro securityd[33]: securityd(33,0xb0081000) 
> malloc: *** error for object 0x1249000: pointer being freed was not 
> allocated\n*** set a breakpoint in malloc_error_break to debug
> 
> Are these messages saying the debug command didn't work or is it something unrelated?
> 
> Thanks,
> 
> pe
> 
> -----Original Message-----
> From: Shawn A. Geddis [mailto:geddis at apple.com]
> Sent: Thursday, February 04, 2010 15:45
> To: Evans, Paul CIV NAVAIR Bldg 1463
> Cc: SmartCardServices-Users
> Subject: Enable Debug for IDentity Pref Troubleshooting
> 
> Paul,
> 
> Here is a better way to troubleshoot any Identity related issue.
> 
> Keep in mind that the single wildcard IDPref approach *may* be more appropriate for you within NMCI services.  Also note the nuance between how you configure a "Per Server" URL and a "Per-Domain" Wildcard URL within the IDPref.
> 
> "Per Server" URL IDPref: https://TheServer.navy.mil/ (Make sure you use "https" as well as the trailing slash)
> 
> "Per-Domain" Wildcard URL IDPref: *.navy.mil (Note there is NO protocol defined - no "https")
> 
> It is hard to determine what Identity Prefs settings you have right now, so let's do some troubleshooting.
> 
> 
> 
> Troubleshooting:
> To provide the ability to troubleshoot why you may still be failing to authenticate to a given server, Apple enabled a debug flag which, when enabled, will log identity preference information to the System log (/var/log/system.log).
> 
> Enable Identity Preference Debug Mode in 10.5.4+:
> 
> $ defaults write com.apple.security LogIdentityPreferenceLookup -boolean true
> 
> 
> When enabled, each identity preference lookup is written as in the following example:
> 
> Jul  1 18:12:51 /Applications/Safari.app/Contents/MacOS/Safari[386]: preferred identity: "User" found for "https://Full.Server.Name/"
> 
> 
> 
> Enable the debug as noted and then send the
> 
> -Shawn
> __________________________________________________
> Shawn Geddis                  geddis at mac.com
> Security Consulting Engineer  geddis at apple.com
> 
> MacOSForge Project Lead:      Smart Card Services
>     Web:   http://smartcardservices.macosforge.org/
>     Lists: http://lists.macosforge.org/mailman/listinfo
> __________________________________________________
> 
> 
> 
> 
> 
> 	Shawn,
> 	
> 	If the identity preferences are the issue, shouldn't the old identity preferences that I had in the keychain still have been correct for the websites in question, other than, of course, there being an expired cert listed?  In other words, if I edited my identity preference for a particular website and chose the appropriate certificate from my new CAC, shouldn't that have worked?  I've edited/removed/recreated ID preferences for the CAC enabled websites, trying every cert available with no luck.  I always get the following message from Safari.  
> 	
> 	"The website 'insert CAC-enabled website url here' did not accept the certificate 'insert your EDIPI here'".
> 	
> 	It then gives me a list of other certs available to choose from, but no matter which one I choose I end up in the same endless loop.  I've captured the traffic exchange via Wireshark and it appears that things fail in the key exchange portion of TLS.
> 	
> 	I'm certainly looking forward to upgrading to 10.6, but for the moment I'm still running 10.5.8.  And even if I did upgrade, from a previous post you said there's no guarantee that the out of the box tokend on 10.6 will work with the new cards.
> 	
> 	Anyway, I appreciate your help with this.  If anything I'm saying doesn't make sense, please let me know.
> 	
> 	pe
> 
> 
> 
> 	-----Original Message-----
> 	From: Shawn A. Geddis [mailto:geddis at apple.com] 
> 	Sent: Thursday, February 04, 2010 12:52
> 	To: Evans, Paul CIV NAVAIR Bldg 1463
> 	Cc: SmartcardServices-Users SmartCardServices-Users
> 	Subject: Re: [SmartcardServices-Users] New CAC-NG Installer v.96
> 	
> 	On Feb 4, 2010, at 6:33 AM, Evans, Paul CIV NAVAIR Bldg 1463 wrote:
> 	
> 	Shawn,
> 	
> 	Good news is that the installer places the tokend in the correct location.  Bad news is that I still can't use any of the certs at any CAC enabled websites.  I set up identity preferences as I have in the past, but I end up in an endless loop where Safari tells me that the web server will not accept my certificate, choose another.
> 	
> 	pe
> 	
> 	
> 	
> 	Paul,
> 	
> 	The CAC-NG Tokend is not what is causing you heartburn for accessing PK-enabled websites....
> 	
> 	Due to the unfortunate/varying configurations of DoD Web Servers, it requires the Identity Preference (IDPref).  Good news is that as of 10.6.0, you can create ONE Wildcard IDPref for your purposes and be done (for most if not all of your use cases).
> 	
> 	Within the IDPref Panel:
> 	
> 	*.navy.mil
> 	
> 	
> 	This will resolve ANY server request....  say:
> 	
> 	
> 	SubDomain1.navy.mil
> 	
> 	SubDomain1.navy.mil/directory/
> 	
> 	SubDomain2.navy.mil
> 	
> 	MyServer.SubDomain1.navy.mil
> 	
> 	
> 	
> 	You can also look at the MAN page for 'security' for clarity as well. 
> 	
> 	$ man security
> 	
> 	....
> 	Starting with 10.6, it is possible to specify identity preferences on a per-domain basis, by using the wild-card character '*' as the leftmost component of the service name. Unlike SSL wildcards, an identity preference wildcard can match more than one subdomain. For example, an identity preference for the name "*.army.mil" will match "server1.subdomain1.army.mil" or "server2.subdomain2.army.mil". Likewise, a preference for "*.mil" will match both "server.army.mil" and "server.navy.mil".
> 	
> 	
> 	keep in mind that where a Wildcard may not be appropriate to resolve all of your sites, Mac OS X would of course continue to support multiple URL specific IDPrefs...
> 	
> 	Try this and let us know how it goes for you...
> 	
> 	-Shawn
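The thread above contrasts a "Per Server" IDPref (https scheme plus trailing slash required) with a "Per-Domain" wildcard (no scheme, '*' as the leftmost component, matching more than one subdomain unlike an SSL wildcard). The following is an added model of those lookup rules written for this page; it is not Apple's implementation and not code from the list. It assumes that an exact per-server entry is consulted before wildcards, that the wildcard with the most labels wins when several match, and that "*.navy.mil" does not match the bare "navy.mil".

```python
"""Model of Mac OS X Identity Preference (IDPref) lookup as described on the list."""
from urllib.parse import urlsplit

# Constructed sample IDPref table: preference name -> label of the preferred identity.
SAMPLE_IDPREFS = {
    "https://TheServer.navy.mil/": "CAC Email Signature",  # "Per Server": https + trailing slash
    "*.navy.mil": "CAC ID Certificate",                    # "Per-Domain" wildcard: no protocol
    "*.mil": "CAC PIV Auth",                               # broader wildcard, lower precedence
}


def server_key(url):
    """Normalize a request to the 'https://host/' form a per-server IDPref is keyed on.
    Returns None for non-https URLs, which is why a 'http://' entry never matches."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None
    return "https://%s/" % parts.hostname.lower()


def wildcard_matches(pattern, host):
    """'*' as the leftmost component matches one OR MORE labels (unlike SSL wildcards),
    so '*.navy.mil' matches 'myserver.subdomain1.navy.mil'.
    Assumption: the bare domain itself ('navy.mil') is not matched."""
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:].lower()          # "*.navy.mil" -> ".navy.mil"
    return host.endswith(suffix) and len(host) > len(suffix)


def lookup_identity(url, idprefs):
    """Return the identity label an IDPref table would resolve for url, or None."""
    key = server_key(url)
    if key is None:
        return None
    host = key[len("https://"):-1]
    # 1. Per-server entries must equal "https://host/" exactly (case-insensitive host);
    #    an entry missing the trailing slash or the https scheme silently fails to match.
    for name, identity in idprefs.items():
        if not name.startswith("*") and name.lower() == key:
            return identity
    # 2. Per-domain wildcards; the most specific (most labels) wins.
    best = None
    for name, identity in idprefs.items():
        if wildcard_matches(name, host):
            if best is None or name.count(".") > best[0].count("."):
                best = (name, identity)
    return best[1] if best else None
```

Running the last assertion-style cases shows the practical caveat from the thread: a per-server entry typed without the trailing slash resolves nothing, while a single "*.navy.mil" wildcard covers every navy.mil subdomain.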

