Search:  
Gentoo Wiki

HOWTO_DoD_CAC

The U.S. Department of Defense has widely deployed the Common Access Card which is primarily used to access email. Setting up a Gentoo machine to use the CAC is a pretty simple procedure. If you're trying to setup a server that uses CAC authentication try here

This HOWTO assumes that you will be using the ActivCard USB Reader v2.0.

Contents

Installing the Software

First make sure that you have the required software:

emerge -av libusb pcsc-lite ccid coolkey

Coolkey and ccid are (as of this writing) both marked testing, so you'll need to do the following before doing the emerge:

echo "app-crypt/coolkey ~x86" >> /etc/portage/package.keywords
echo "app-crypt/ccid ~x86" >> /etc/portage/package.keywords

If you're not on x86 obviously use your own architecture, but as of this writing coolkey on Gentoo has only been tested on x86, ppc, and ppc64. If you are able to test it on another architecture and it works, please file a bug in Gentoo Bugzilla to have it keyworded for that architecture. Note that Fedora has a binary RPM for amd64, so at minimum it should also work on that architecture.

Post-Install configuration

The ActivCard USB Reader v2.0 is not correctly identified by ccid. To fix this edit /usr/lib/readers/usb/ifd-ccid.bundle/Contents/Info.plist so that it contains:

File: /usr/lib/readers/usb/ifd-ccid.bundle/Contents/Info.plist
<key>ifdDriverOptions</key>
<string>0x0004</string>

Start up the pcsc daemon:

sudo /etc/init.d/pcscd start
sudo rc-update add pcscd default

Configure Your Browser

First the DoD certificates must be installed. They can be downloaded from [1]. Be sure to grab them all.

Code: Configure Firefox
Edit->Preferences menu
Advanced section
Encryption tab
View Certificates button
Import button

Unfortunately, certificates can only be imported one at a time.

Firefox must also be able to communicate with the CAC using libcoolkey.

Code: Configure Firefox
Edit->Preferences menu
Advanced section
Encryption tab
Security Devices button
Load button
under Module Name type CAC Module
under Module Filename type /usr/lib/pkcs11/libcoolkeypk11.so
click Ok button

You can test Firefox by visiting [2]. If you get in, then it probably works.

Caveats

Recently, It has been discovered that some of DoD's Outlook Web Access Servers have a problem with packets that have too large an mtu size.

bash$ sudo ifconfig eth0 mtu 1420

You might also want to add the line `mtu_eth0="1420"` to your /etc/conf.d/net.

References

Retrieved from "http://www.gentoo-wiki.info/HOWTO_DoD_CAC"

Last modified: Fri, 05 Sep 2008 22:25:00 +0000 Hits: 8,176