<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
Glenn,
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>We are using both at LLNL, although we are looking into replacing the .Net cards since it causes issues switching libraries on the linux boxes.</div>
<div class="">The .Net cards use the PKCS11.tokend module that Ludovic Rousseau wrote, along with a Framework and some libraries to provide the pkcs11 support.</div>
<div class="">Unfortunately, the version that Gemalto is currently providing will only look in /usr/lib/pkcs11, and since that location is restricted on SIP enabled systems, it breaks.</div>
<div class="">Luckily, the source for PKCS11.tokend is on the smartcard services web site, and Ludovic has an updated version there that will look in /usr/local/lib/pkcs11.</div>
<div class="">Hopefully Gemalto updates their installer to use that version in the future, but in the meantime I simply pulled down the newer tokend code, built it, and packaged it with the existing libraries set to be put in SIP compliant locations.</div>
<div class="">They do use different pkcs11 modules, so if thats part of your deployment, you may have issues.</div>
<div class="">I can use the tokendpkcs11.so for generating a key off the .Net cards, but trying to use it with SSH it relays a signing error, and fails. Considering its doing the gemalto PKCS11 -> PKCS11.tokend -> tokendPKCS11.so, its not really surprising
that its flakey. Most tools allow you to point to a separate library at the command line though, so you could always have an aliased SSH for the .NET card that uses -I /usr/local/lib/pkcs11/<whichever gemalto pkcs11.so you are using></div>
<div class="">The biggest issue with using a “civ” card along side the PIV is user mapping. Once we solved that, everything else has been pretty straight forward.</div>
<div class="">I’d be happy to discuss the details of our implementation if you’d like. You know how to get ahold of me. :)</div>
<div class=""><br class="">
</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>—DH</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
<div>
<blockquote type="cite" class="">
<div class="">On Apr 8, 2016, at 10:32 AM, Machin, Glenn D <<a href="mailto:GMachin@sandia.gov" class="">GMachin@sandia.gov</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; font-size: 14px; font-family: Calibri, sans-serif;" class="">
<div class=""><br class="">
</div>
<div class="">We have a situation where will have users using a PIV (Oberthur ID-One PIV (type A)) and the ID Prime .Net from Gemalto.</div>
<div class=""><br class="">
</div>
<div class="">We want to make sure MacOSX can support both cards. Out of the box on MacOSX ID Prime .Net from Gemalto does not work and we want to make sure we don’t break the PIV to get the .Net card to work.</div>
<div class=""><br class="">
</div>
<div class="">We have found that on Linux (red hat) only one pkcs11 module will work at a time for either pam_pkcs11 or pam_krb5, and each card needs its own pkcs11 module, therefore only one card can be configured at a time. We don’t want to fall into the
same trap with MacOSX.</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">Appreciate any help.</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">Glenn</div>
<div class=""><br class="">
</div>
</div>
_______________________________________________<br class="">
SmartcardServices-Users mailing list<br class="">
<a href="mailto:SmartcardServices-Users@lists.macosforge.org" class="">SmartcardServices-Users@lists.macosforge.org</a><br class="">
https://lists.macosforge.org/mailman/listinfo/smartcardservices-users<br class="">
</div>
</blockquote>
</div>
<br class="">
<div apple-content-edited="true" class=""><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; ">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; " class="">
<div class="">Daniel Hoit</div>
<div class=""><a href="mailto:hoit2@llnl.gov" class="">hoit2@llnl.gov</a></div>
<div class="">925.424.5256</div>
<div class=""><br class="">
</div>
</div>
</span><br class="Apple-interchange-newline">
</span><br class="Apple-interchange-newline">
</div>
<br class="">
</div>
</body>
</html>