Apple Federal Smart Card Package
Installation and Setup Guide
About the Federal Smart Card Package
The Apple Federal Smart Card Package (FSCP) is software you install on a Macintosh computer that lets users gain access to the computer using a Department of Defense Common Access Card.
Users can use a Common Access Card to verify their permission to
• Log in to the computer
• Access the computer when the screen saver is on
• Make changes to some System Preferences panes
• Install software
To use FSCP, you need the following:
• A Macintosh computer with Mac OS X v10.2.3 installed
• A Department of Defense Common Access Card issued since 2001
• An SCM Microsystems SCR331 USB High Speed EMV Reader
You can also use one of these smart card readers, but you must download and install driver software from the manufacturer’s website:
• Gemplus GemPC430 USB Smart Card Reader
• OMNIKEY CardMan Desktop USB 2020
• Schlumberger Sema Reflex USB v.2 Reader or Reflex USB Lite Reader
If you are using your own directory service for user accounts, you need to be connected to your network.
Users should also be connected to the network the first time they log in using the Common Access Card, so that FSCP can access any Certificate Revocation Lists (CRLs) needed to verify certificates.
To install the Apple Federal Smart Card Package:
1. Log in as an administrator for your computer and insert the FSCP installation disc.
The user you created when you set up Mac OS X is an administrator.
2. Double-click the “FederalSmartCardPackage.pkg” icon on the CD.
A message asks you to enter your password and restart the computer.
3. Follow the onscreen instructions to install the software.
FSCP installs the software necessary to use your smart card reader. It also installs the ReadCAC application in the Smartcard folder in Applications/Utilities.
After you install the FSCP software, you need to set up your computer and the software. This includes setting up user accounts, setting login options, adding the EDI Identifier for each smart card to the FSCP software, and setting up the FSCP software.
Each person using a smart card to log in to a computer needs a user account. You can use existing user accounts on the computer or create new accounts. You can also use user accounts in an existing directory service, such as LDAP or Active Directory. To learn more about doing this, see “Setting Up FSCP to Use Other Directories” later in this document.
To create a user account on the computer:
1. Open System Preferences and click Accounts, then click New User.
To create a user, you need to log in as an administrator of the computer or click the lock icon in the Accounts preferences pane and enter an administrator name and password.
2. Type a name and short name for the user that is different from other user accounts.
3. Type a password for the user account. Users can change their password later using the My Account preferences pane.
4. If you want, select the “Allow user to administer this computer” checkbox.
5. Click Save.
6. If automatic login is turned on, a message asks if you want to turn it off. You should turn it off.
FSCP Installation and Setup Guide
Mac OS X is set up to log in automatically as the user you create when you set up Mac OS X. Before using a Common Access Card to log in to your computer, you need to turn off automatic login. To reduce the possibility of someone circumventing the security of your computer, you can hide the Restart and Shut Down buttons that appear in the login window.
To change login options:
1. Open System Preferences and click Accounts.
2. Make sure you have deselected the “Log in automatically” checkbox.
3. To hide the Restart and Shut Down buttons in the login window, click Login Options and select the checkbox.
For a user to authenticate using a Common Access Card, you must associate the user’s account with the card by adding the card’s Electronic Data Interchange (EDI) Identifier to the user account. The identifier is a ten-digit number stored on the card. You get this number using the ReadCAC application.
To get the EDI Identifier:
Open the ReadCAC application in the Smartcard folder (in Utilities), then insert the smart card in the reader and enter the PIN for the card.
The identifier appears with the label “DoD EDI Identifier” in the ReadCAC window.
FSCP saves the EDI Identifier for each card used with the computer in a file named CACRecords.txt, which is in your Documents folder.
If you use Mac OS X user accounts for smart card authentication, you can use the cac_addid command in Terminal to add the EDI Identifier to the user account.
Note: If you are using a different directory service, you do not need to do this step.
Open Terminal (in Utilities) and execute this command (as root):
cac_addid username ID
The username is the short name for the user account and ID is the identifier.
If you’re familiar with NetInfo Manager (in Utilities), you can use it to add the identifier to the user account. Open the application and in the columns at the top of the window, select “users” and then select the user account name. Choose New Property from the Directory menu. In the Property column, type “_DoD_EDI_Identifier”. In the Value(s) column, type the identifier for the card. Choose Save Changes from the Domain menu.
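The cac_addid step above binds a ten-digit EDI Identifier to one account under the _DoD_EDI_Identifier property, and the login plug-in later has to find the account from the identifier read off the card. The following is an added example, not code from the guide or from the FSCP software: it models that binding and lookup against a constructed in-memory account table, validates the identifier format the guide describes, refuses to bind one identifier to two accounts (an extra check assumed here, not stated by the guide), and returns the equivalent cac_addid command line without touching the system. SAMPLE_USERS and all function names are assumptions.

```python
import re
from typing import Dict, Optional

# Property name the guide says holds the card's EDI Identifier.
EDI_PROPERTY = "_DoD_EDI_Identifier"

# Constructed sample accounts (short name -> properties); this is an
# in-memory model, not the NetInfo database or the SCLoginPlugin's own logic.
SAMPLE_USERS: Dict[str, Dict[str, str]] = {
    "jsmith": {"name": "Jane Smith"},
    "rlee": {"name": "Robert Lee", EDI_PROPERTY: "1000000002"},
}


def is_valid_edi(edi: str) -> bool:
    """The guide describes the identifier as a ten-digit number."""
    return re.fullmatch(r"[0-9]{10}", edi) is not None


def bind_edi_identifier(users: Dict[str, Dict[str, str]],
                        username: str, edi: str) -> str:
    """Attach an EDI Identifier to an account and return the equivalent
    cac_addid command line (a dry run: nothing is written to the system)."""
    if username not in users:
        raise KeyError(f"no account with short name {username!r}")
    if not is_valid_edi(edi):
        raise ValueError(f"EDI Identifier must be exactly ten digits: {edi!r}")
    # Assumed policy: one card unlocks one account. Refuse to reuse an
    # identifier already bound elsewhere so a single card cannot log in as
    # two different users.
    for other, props in users.items():
        if other != username and props.get(EDI_PROPERTY) == edi:
            raise ValueError(f"identifier {edi} is already bound to {other!r}")
    users[username][EDI_PROPERTY] = edi
    return f"cac_addid {username} {edi}"


def account_for_card(users: Dict[str, Dict[str, str]],
                     edi: str) -> Optional[str]:
    """Login-time lookup: the single account owning this identifier, or None
    if no account (or, defensively, more than one) carries it."""
    matches = [u for u, p in users.items() if p.get(EDI_PROPERTY) == edi]
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    users = {u: dict(p) for u, p in SAMPLE_USERS.items()}
    print(bind_edi_identifier(users, "jsmith", "1000000001"))
    print(account_for_card(users, "1000000001"))
```

The uniqueness check is the part worth keeping when scripting account setup in bulk: cac_addid itself takes whatever identifier it is given, so a typo that repeats another user's number would otherwise go unnoticed until two accounts answer to the same card.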
To start using the Common Access Card to authenticate access to the computer, execute this command in Terminal (as root):
cac_setup
To stop authentication using the card and restore the standard Mac OS X authentication, execute this command:
cac_setup -off
You can now use the Common Access Card to gain access to the computer.
To log in to the computer the first time using the card:
1. Users should be connected to the network so that FSCP can access any Certificate Revocation Lists (CRLs) needed to verify certificates.
To see where the CRLs are located, check the URI field in the Certificates pane of ReadCAC for a certificate.
2. Insert the card and type the PIN in the dialog.
An “X” appears below the PIN text box for each incorrect PIN you have typed since the Common Access Card was inserted. If you exceed the maximum number of incorrect PIN entries (3), your card is locked. See your administrator if your card is locked.
Note: If you need to log in using your password instead of a smart card, click the Other button in the login window and type your user name and password.
To authenticate access to the computer using the Common Access Card later:
When a message asks you to authenticate (for example, when you’re changing a setting in System Preferences), insert your card and type the PIN for the card.
Because it takes place on the smart card, authentication takes longer than when you use a password.
For the smart card reader to work, an FSCP system daemon named “pcscd” must be running. To make sure the daemon is running and that it recognizes your reader, execute this command in Terminal:
pcsctest
You should see messages similar to these in the Terminal window:
MUSCLE PC/SC Lite Test Program

Testing SCardEstablishContext    : Command successful.
Testing SCardGetStatusChange
Please insert a working reader   : Command successful.
Testing SCardListReaders         : Command successful.
Reader 01: SCM SCR-331 CCID 0 0

Enter the reader number          :
Type the number 1.
If the Common Access Card is not inserted, you will see this message:
Waiting for card insertion
If so, insert the card. You will then see messages similar to these:
                                 : Command successful.
Testing SCardConnect             : Command successful.
Testing SCardStatus              : Command successful.
Current Reader Name              : SCM SCR-331 CCID 0 0
Current Reader State             : 34
Current Reader Protocol          : 0
Current Reader ATR Size          : 9
Current Reader ATR Value         : 3B 65 00 00 9C 02 02 07 02
Testing SCardDisconnect          : Command successful.
Testing SCardReleaseContext      : Command successful.
If you do not see messages similar to these, you may need to restart the “pcscd” daemon.
To restart the FSCP “pcscd” daemon, execute this in Terminal as root:
/System/Library/StartupItems/SmartCardServices/SmartCardServices restart
You can also use stop and start instead of restart.
The FSCP software contains the ATR values for the Common Access Cards currently available. If you are issued a new card that is not recognized by FSCP, you may be able to use the pcsctool command to add the card’s ATR value to FSCP.
To add a card to FSCP:
1. Execute this command in Terminal as root:
pcsctool
You should see several options.
2. Enter 1 for the Common Access Card bundle.
3. When a message asks, insert your smart card.
If the SmartCardServices daemon doesn’t recognize the ATR value of the card, it adds the value to the bundle.
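Both checks described above, that pcsctest sees the reader and the card, and that the card's ATR is one FSCP's bundle recognizes, can be scripted. The following is an added example, not code from the guide or from the FSCP software: it parses a pcsctest transcript (a constructed sample in the shape shown earlier is embedded), decodes the ATR's ISO 7816-3 structure (TS, T0, interface bytes, historical bytes, optional TCK check byte) to confirm the reported ATR size is consistent with the value, and compares the value against a constructed stand-in for the ATR bundle. The sample transcript, the KNOWN_ATRS table (its one entry is simply the ATR shown in the guide's sample output) and all function names are assumptions.

```python
import re
from dataclasses import dataclass
from functools import reduce
from typing import Dict, List, Optional, Tuple

# Constructed pcsctest transcript in the shape the guide shows; not captured
# from a real session.
SAMPLE_PCSCTEST = """\
MUSCLE PC/SC Lite Test Program
Testing SCardEstablishContext    : Command successful.
Testing SCardListReaders         : Command successful.
Reader 01: SCM SCR-331 CCID 0 0
Enter the reader number          : 1
Testing SCardConnect             : Command successful.
Testing SCardStatus              : Command successful.
Current Reader Name              : SCM SCR-331 CCID 0 0
Current Reader State             : 34
Current Reader Protocol          : 0
Current Reader ATR Size          : 9
Current Reader ATR Value         : 3B 65 00 00 9C 02 02 07 02
Testing SCardDisconnect          : Command successful.
"""

# Constructed stand-in for the ATR bundle FSCP ships; not an authoritative list.
KNOWN_ATRS = {"3B6500009C02020702": "CAC (ATR shown in the guide)"}


def parse_pcsctest(text: str) -> Tuple[List[str], Dict[str, str]]:
    """Return the readers pcsctest listed and the 'Current Reader ...' fields."""
    readers, fields = [], {}
    for line in text.splitlines():
        m = re.match(r"Reader \d+: (.+?)\s*$", line)
        if m:
            readers.append(m.group(1))
            continue
        m = re.match(r"Current Reader ([A-Za-z ]+?)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1).lower().replace(" ", "_")] = m.group(2)
    return readers, fields


@dataclass
class ATR:
    ts: int                      # 0x3B direct or 0x3F inverse convention
    interface: Dict[str, int]    # e.g. {"TB1": 0x00, "TC1": 0x00}
    protocols: List[int]         # T values named by TD bytes; [] means T=0 only
    historical: bytes
    tck: Optional[int]           # check byte, present unless only T=0 is offered
    consumed: int                # bytes the structure accounts for


def decode_atr(atr: bytes) -> ATR:
    """Walk an ISO 7816-3 Answer To Reset and check it is self-consistent."""
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("not an ISO 7816-3 ATR (bad TS or too short)")
    y, k = atr[1] >> 4, atr[1] & 0x0F        # T0: Y1 bitmask, historical count
    i, n, interface, protocols = 2, 1, {}, []
    while True:                               # interface bytes TA_n..TD_n
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if i >= len(atr):
                    raise ValueError(f"ATR ends inside {name}{n}")
                interface[f"{name}{n}"], i = atr[i], i + 1
        td = interface.get(f"TD{n}")
        if td is None:
            break
        protocols.append(td & 0x0F)           # low nibble: protocol T
        y, n = td >> 4, n + 1                 # high nibble: which bytes follow
    historical, i = atr[i:i + k], i + k
    if len(historical) != k:
        raise ValueError("ATR ends inside the historical bytes")
    tck = None
    if any(p != 0 for p in protocols):        # TCK absent only when T=0 alone
        if i >= len(atr):
            raise ValueError("TCK check byte missing")
        tck, i = atr[i], i + 1
        if reduce(lambda a, b: a ^ b, atr[1:i], 0) != 0:
            raise ValueError("TCK check failed")
    if i != len(atr):
        raise ValueError(f"{len(atr) - i} unexpected trailing byte(s)")
    return ATR(atr[0], interface, protocols, historical, tck, i)


def check_transcript(text: str, known=KNOWN_ATRS) -> str:
    """Classify a transcript: no-reader, no-card, size-mismatch, recognized,
    or needs-pcsctool (a well-formed ATR that is not in the bundle)."""
    readers, fields = parse_pcsctest(text)
    if not readers:
        return "no-reader"
    if "atr_value" not in fields:
        return "no-card"
    atr = bytes.fromhex(fields["atr_value"].replace(" ", ""))
    decoded = decode_atr(atr)
    if int(fields.get("atr_size", "0")) != decoded.consumed:
        return "size-mismatch"
    return "recognized" if atr.hex().upper() in known else "needs-pcsctool"
```

For the guide's sample value, T0 = 0x65 announces TB1 and TC1 plus five historical bytes, which with TS and T0 accounts for exactly the nine bytes pcsctest reports; a "needs-pcsctool" result on a new card is the case where adding its ATR to the bundle, as described above, is the fix, while "size-mismatch" or a decode error points at a reader or transport problem rather than an unknown card.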
Several options are defined in a file named configuration.plist, which is in the SCLoginPlugin.bundle installed by FSCP. The SCLoginPlugin.bundle is located here:
/System/Library/CoreServices/SecurityAgentPlugins/
Here is the full pathname for the file:
/System/Library/CoreServices/SecurityAgentPlugins/SCLoginPlugin.bundle/Contents/Resources/configuration.plist
Note: To see the contents of SCLoginPlugin.bundle, hold down the Control key and click the SCLoginPlugin.bundle icon, then choose Show Package Contents from the menu. In the window that opens, double-click the Contents folder, then the Resources folder.
The configuration.plist file defines the options as XML key and value pairs. You can change the file using any XML editor. Because the file is located in the Mac OS X System folder, you need to log in as root to change it.