Apple Federal Smart Card Package User Manual

Apple Federal Smart Card Package
Installation and Setup Guide
About the Federal Smart Card Package
Users can use a Common Access Card to verify their permission to:
• Log in to the computer
• Access the computer when the screen saver is on
• Make changes to some System Preferences panes
• Install software
To use FSCP, you need the following:
• A Macintosh computer with Mac OS X v10.2.3 installed
• A Department of Defense Common Access Card issued since 2001
• An SCM Microsystems SCR331 USB High Speed EMV Reader
You can also use one of these smart card readers, but you must download and install driver software from the manufacturer’s website:
• Gemplus GemPC430 USB Smart Card Reader
• OMNIKEY CardMan Desktop USB 2020
• Schlumberger Sema Reflex USB v.2 Reader or Reflex USB Lite Reader
If you are using your own directory service for user accounts, you need to be connected to your network.
Users should also be connected to the network the first time they log in using the Common Access Card, so that FSCP can access any Certificate Revocation Lists (CRLs) needed to verify the card’s certificates.

Installing the Federal Smart Card Package

To install the Apple Federal Smart Card Package:
1 Log in as an administrator for your computer and insert the FSCP installation disc. The user you created when you set up Mac OS X is an administrator.
2 Double-click the “FederalSmartCardPackage.pkg” icon on the CD. A message asks you to enter your password and restart the computer.
3 Follow the onscreen instructions to install the software. FSCP installs the software necessary to use your smart card reader. It also installs the ReadCAC application in the Smartcard folder in Applications/Utilities.

Setting Up the Federal Smart Card Package

After you install the FSCP software, you need to set up your computer and the software. This includes setting up user accounts, setting login options, adding the EDI Identifier for each smart card to the FSCP software, and setting up the FSCP software.

Setting Up User Accounts

Each person using a smart card to log in to a computer needs a user account. You can use existing user accounts on the computer or create new accounts. You can also use user accounts in an existing directory service, such as LDAP or Active Directory. To learn more about doing this, see “Setting Up FSCP to Use Other Directories” later in this document.
To create a user account on the computer:
1 Open System Preferences and click Accounts, then click New User. To create a user, you need to log in as an administrator of the computer or click the lock icon in the Accounts preferences pane and enter an administrator name and password.
2 Type a name and short name for the user that is different from other user accounts.
3 Type a password for the user account. Users can change their password later using the My Account preferences pane.
4 If you want, select the “Allow user to administer this computer” checkbox.
5 Click Save.
6 If automatic login is turned on, a message asks if you want to turn it off. You should turn it off.

Setting Login Options

Mac OS X is set up to log in automatically as the user you create when you set up Mac OS X. Before using a Common Access Card to log in to your computer, you need to turn off automatic login. To reduce the possibility of someone circumventing the security of your computer, you can hide the Restart and Shut Down buttons that appear in the login window.
To change login options:
1 Open System Preferences and click Accounts.
2 Make sure you have deselected the “Log in automatically” checkbox.
3 To hide the Restart and Shut Down buttons in the login window, click Login Options and select the checkbox.

Getting the Identifier for a Common Access Card

For a user to authenticate using a Common Access Card, you must associate the user’s account with the card by adding the card’s Electronic Data Interchange (EDI) Identifier to the user account. The identifier is a ten-digit number stored on the card. You get this number using the ReadCAC application.
To get the EDI Identifier:
1 Open the ReadCAC application in the Smartcard folder (in Utilities).
2 Insert the smart card in the reader and enter the PIN for the card. The identifier appears with the label “DoD EDI Identifier” in the ReadCAC window.
FSCP saves the EDI Identifier for each card used with the computer in a file named CACRecords.txt, which is in your Documents folder.

Adding the EDI Identifier to a Mac OS X User Account

If you use Mac OS X user accounts for smart card authentication, you can use the cac_addid command in Terminal to add the EDI Identifier to the user account. If you are using a different directory service, you do not need to do this step.
Open Terminal (in Utilities) and execute this command (as root):
cac_addid username ID
The username is the short name for the user account and ID is the identifier.
Note: If you’re familiar with NetInfo Manager (in Utilities), you can use it to add the identifier to the user account. Open the application and in the columns at the top of the window, select “users” and then select the user account name. Choose New Property from the Directory menu. In the Property column, type “_DoD_EDI_Identifier”. In the Value(s) column, type the identifier for the card. Choose Save Changes from the Domain menu.

Starting Authentication With the Common Access Card

To start using the Common Access Card to authenticate access to the computer, execute this command in Terminal (as root):
cac_setup
To stop authentication using the card and restore the standard Mac OS X authentication, execute this command:
cac_setup -off

Authenticating With the Common Access Card

You can now use the Common Access Card to gain access to the computer.
To log in to the computer the first time using the card:
1 Users should be connected to the network so that FSCP can access any Certificate Revocation Lists (CRLs) needed to verify certificates. To see where the CRLs are located, check the URI field in the Certificates pane of ReadCAC for a certificate.
2 Insert the card and type the PIN in the dialog. An “X” appears below the PIN text box for each time you type an incorrect PIN since the Common Access Card was inserted. If you exceed the maximum number of times you can enter an incorrect PIN (3), your card is locked. See your administrator if your card is locked.
Note: If you need to log in using your password instead of a smart card, click the Other button in the login window and type your user name and password.
To authenticate access to the computer using the Common Access Card later: When a message asks you to authenticate (for example, when you’re changing a setting in System Preferences), insert your card and type the PIN for the card. Because it takes place on the smart card, authentication takes longer than when you use a password.

Making Sure FSCP Is Running

For the smart card reader to work, an FSCP system daemon named “pcscd” must be running. To make sure the daemon is running and that it recognizes your reader, execute this command in Terminal:
pcsctest
You should see messages similar to these in the Terminal window:
MUSCLE PC/SC Lite Test Program
Testing SCardEstablishContext : Command successful.
Testing SCardGetStatusChange
Please insert a working reader : Command successful.
Testing SCardListReaders : Command successful.
Reader 01: SCM SCR-331 CCID 0 0
Enter the reader number :
Type the number 1. If the Common Access Card is not inserted, you will see this message:
Waiting for card insertion
If so, insert the card. You will then see messages similar to these:
: Command successful.
Testing SCardConnect : Command successful.
Testing SCardStatus : Command successful.
Current Reader Name : SCM SCR-331 CCID 0 0
Current Reader State : 34
Current Reader Protocol : 0
Current Reader ATR Size : 9
Current Reader ATR Value : 3B 65 00 00 9C 02 02 07 02
Testing SCardDisconnect : Command successful.
Testing SCardReleaseContext : Command successful.
If you do not see messages similar to these, you may need to restart the “pcscd” daemon.
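As an added check (example code, not part of Apple's package), this Python script parses a pcsctest transcript like the one above and reports the problems an administrator would act on: a failed PC/SC call, no reader listed, no card, or an ATR that FSCP does not know. The sample transcript is constructed from the output shown in this guide, and the set of known ATRs is an assumption holding only the value the guide prints.

```python
import re
# Constructed sample: the pcsctest transcript from this guide, one message per line.
SAMPLE_OUTPUT = """\
MUSCLE PC/SC Lite Test Program
Testing SCardEstablishContext : Command successful.
Testing SCardGetStatusChange
Please insert a working reader : Command successful.
Testing SCardListReaders : Command successful.
Reader 01: SCM SCR-331 CCID 0 0
Testing SCardStatus : Command successful.
Current Reader ATR Size : 9
Current Reader ATR Value : 3B 65 00 00 9C 02 02 07 02
"""
KNOWN_CAC_ATRS = {"3B 65 00 00 9C 02 02 07 02"}  # only ATR the guide shows; extend per site (assumption)
TEST_RE = re.compile(r"^Testing (\w+)(?:\s*:\s*(.*))?$")
READER_RE = re.compile(r"^Reader \d+: (.+)$")
FIELD_RE = re.compile(r"^Current Reader ([A-Za-z ]+?)\s*:\s*(.*)$")

def parse_pcsctest(output):
    """Collect per-call results, reader names and card fields from a transcript."""
    tests, readers, fields, pending = {}, [], {}, None
    for line in output.splitlines():
        if m := TEST_RE.match(line):
            if m.group(2):  # result printed on the same line
                tests[m.group(1)] = m.group(2).strip() == "Command successful."
            else:           # SCardGetStatusChange prints its result on a later line
                pending = m.group(1)
        elif pending and "Command successful." in line:
            tests[pending], pending = True, None
        elif m := READER_RE.match(line):
            readers.append(m.group(1).strip())
        elif m := FIELD_RE.match(line):
            fields[m.group(1)] = m.group(2).strip()
    return {"tests": tests, "readers": readers, "fields": fields}

def check_smartcard_services(output):
    """Return the problems an administrator should act on (empty list means healthy)."""
    r = parse_pcsctest(output)
    problems = [name + " failed" for name, ok in r["tests"].items() if not ok]
    if not r["readers"]:
        problems.append("no reader listed: restart pcscd and check the USB reader")
    atr = r["fields"].get("ATR Value")
    if atr is None:
        problems.append("no ATR reported: card not inserted or SCardStatus failed")
    else:
        if len(atr.split()) != int(r["fields"].get("ATR Size", "0")):
            problems.append("ATR Size field disagrees with the ATR bytes")
        if atr not in KNOWN_CAC_ATRS:
            problems.append("unrecognized ATR: add it to the bundle with pcsctool")
    return problems
```

Feed it a saved transcript from the real command; an empty list means the daemon, reader and card were all recognized.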

Restarting the FSCP Daemon

To restart the FSCP “pcscd” daemon, execute this in Terminal as root:
/System/Library/StartupItems/SmartCardServices/SmartCardServices restart
You can also use stop and start instead of restart.

Adding a Smart Card to SmartCardServices

The FSCP software contains the ATR values for the Common Access Cards currently available. If you are issued a new card that is not recognized by FSCP, you may be able to use the pcsctool command to add the card’s ATR value to FSCP.
To add a card to FSCP:
1 Execute this command in Terminal as root:
pcsctool
You should see several options. Enter 1 for the Common Access Card bundle.
2 When a message asks, insert your smart card.
3 If the SmartCardServices daemon doesn’t recognize the ATR value of the card, it adds the value to the bundle.

Changing other configuration options

Several options are defined in a file named configuration.plist, which is in the SCLoginPlugin.bundle installed by FSCP. The SCLoginPlugin.bundle is located here:
/System/Library/CoreServices/SecurityAgentPlugins/
Here is the full pathname for the file:
/System/Library/CoreServices/SecurityAgentPlugins/SCLoginPlugin.bundle/Contents/Resources/configuration.plist
Note:
To see the contents of SCLoginPlugin.bundle, hold down the Control key and click the SCLoginPlugin.bundle icon, then choose Show Package Contents from the menu. In the window that opens, double-click the Contents folder, then the Resources folder.
The configuration.plist file defines the options as XML key and value pairs. You can change the file using any XML editor. Because the file is located in the Mac OS X System folder, you need to log in as root to change it.