[SmartcardServices-Users] Can MacOSX work with Oberthur ID-One PIV (type A) cards and ID Prime .Net from Gemalto?

Hoit, Daniel S. hoit2 at llnl.gov
Fri Apr 8 11:28:49 PDT 2016


Uri,
I’ve got it on my to-do list to look at the OpenSC stuff again. If it does a good job supporting PIV, it might be something we could use.
As for why someone would use the .Net cards, I can answer that pretty easily. They work with Microsoft’s Forefront Identity Manager, and are already in use in some places.
We haven’t had any luck getting FIM to provision PIV cards. I don’t know that it’s not possible… but Microsoft has been less than helpful on providing the needed details, and it certainly seems like it’s simply not supported.
We’ve been using the .Net cards for years, they are tied into our identity provisioning workflow, and so with mandates looming, it made sense to take what we already had working and adapt it for the new need.
Were we starting from scratch, looking to support smart cards across three platforms, I don’t think we would go down that route.

—DH


On Apr 8, 2016, at 11:17 AM, Uri Blumenthal <uri at mit.edu> wrote:

I know PIV is served well by OpenSC.tokend. If it would work with .Net cards (and I’ve no clue what those are, or why one would bother, when PIV and OpenPGP tokens are both available and reliable), going OpenSC route could be a good direct solution that doesn’t require contortions to get various .tokend compiled (as you know, I tried to use PKCS11.tokend, and failed).

P.S. This email is signed by a PIV token in Gemalto Proxy-DU reader, using OpenSC.tokend.


On Apr 8, 2016, at 14:07 , Hoit, Daniel S. <hoit2 at llnl.gov> wrote:
Glenn,
We are using both at LLNL, although we are looking into replacing the .Net cards since it causes issues switching libraries on the Linux boxes.
The .Net cards use the PKCS11.tokend module that Ludovic Rousseau wrote, along with a Framework and some libraries to provide the pkcs11 support.
Unfortunately, the version that Gemalto is currently providing will only look in /usr/lib/pkcs11, and since that location is restricted on SIP enabled systems, it breaks.
Luckily, the source for PKCS11.tokend is on the smartcard services web site, and Ludovic has an updated version there that will look in /usr/local/lib/pkcs11.
Hopefully Gemalto updates their installer to use that version in the future, but in the meantime I simply pulled down the newer tokend code, built it, and packaged it with the existing libraries set to be put in SIP compliant locations.
They do use different pkcs11 modules, so if that’s part of your deployment, you may have issues.
I can use the tokendpkcs11.so for generating a key off the .Net cards, but trying to use it with SSH it relays a signing error, and fails. Considering it’s doing the gemalto PKCS11 -> PKCS11.tokend -> tokendPKCS11.so, it’s not really surprising that it’s flaky. Most tools allow you to point to a separate library at the command line though, so you could always have an aliased SSH for the .NET card that uses -I /usr/local/lib/pkcs11/<whichever gemalto pkcs11.so you are using>
The biggest issue with using a “civ” card alongside the PIV is user mapping. Once we solved that, everything else has been pretty straightforward.
I’d be happy to discuss the details of our implementation if you’d like. You know how to get ahold of me. :)

—DH


On Apr 8, 2016, at 10:32 AM, Machin, Glenn D <GMachin at sandia.gov> wrote:


We have a situation where we will have users using a PIV (Oberthur ID-One PIV (type A)) and the ID Prime .Net from Gemalto.

We want to make sure MacOSX can support both cards. Out of the box on MacOSX ID Prime .Net from Gemalto does not work and we want to make sure we don’t break the PIV to get the .Net card to work.

We have found that on Linux (Red Hat) only one pkcs11 module will work at a time for either pam_pkcs11 or pam_krb5, and each card needs its own pkcs11 module, therefore only one card can be configured at a time. We don’t want to fall into the same trap with MacOSX.


Appreciate any help.



Glenn

_______________________________________________
SmartcardServices-Users mailing list
SmartcardServices-Users at lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/smartcardservices-users

Daniel Hoit
hoit2 at llnl.gov
925.424.5256





--
Uri the Great
uri at mit.edu





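As an added example (not from any poster in this thread), the following script captures two points from Daniel's reply: a PKCS#11 module installed under /usr/lib/pkcs11 is blocked on a SIP-enabled Mac, so it must live under /usr/local/lib/pkcs11, and a per-card ssh invocation can load that module explicitly with `-I`. The module file names below are constructed placeholders, and the SIP-protected roots are the ones Apple documents (/System, /usr, /bin, /sbin, /var, with /usr/local exempt).

```shell
#!/bin/sh
# Added example, not code from the thread or from any vendor.
# Classify a PKCS#11 module path by whether macOS System Integrity
# Protection (SIP) restricts it, and build an explicit ssh -I invocation.

# Returns 0 when PATH is under a SIP-protected root, 1 otherwise.
# /usr/local is checked first because it is the documented exemption.
sip_protected() {
    case "$1" in
        /usr/local/*) return 1 ;;
        /System/*|/usr/*|/bin/*|/sbin/*|/var/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the ssh command line that loads MODULE for key operations, or
# print nothing and fail when MODULE sits where SIP will block it.
ssh_with_module() {
    module="$1"; shift
    if sip_protected "$module"; then
        echo "refusing $module: SIP-protected path, install under /usr/local/lib/pkcs11" >&2
        return 1
    fi
    printf 'ssh -I %s %s\n' "$module" "$*"
}

# Constructed sample paths (hypothetical file names, not a real vendor module).
ssh_with_module /usr/local/lib/pkcs11/example-gemalto-pkcs11.so user@host
ssh_with_module /usr/lib/pkcs11/example-gemalto-pkcs11.so user@host || echo "blocked as expected"
```

Wrapping `ssh_with_module` in a shell alias per card type is the aliased-SSH approach Daniel describes, with the SIP check added so a misplaced module fails loudly instead of with a vague signing error.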



