Wednesday, March 21, 2018

Linux + Smart Cards: A Rare Technical Breakthrough

Do you hate Windows and/or prefer Linux? Does Firefox annoy you? Are you still holding on to that crappy laptop just to be able to check your Army/Navy/Air Force/Marine e-mail? This entry is for you.

This article builds on/modifies the instructions in the following two articles:
http://www.militarycac.com/linux.htm
https://help.ubuntu.com/community/CommonAccessCard

My thanks to both for putting the data out there. Now I don't have to scream at my old laptop once a month.

First off, here are my system specs:

Computer:

Card Reader: SCM Micro SCR331 (PN: 904622)
Browser Version: Google Chrome Version 65.0.3325.162 (Official Build) (64-bit)

First, I opened a Terminal and installed the middleware as follows:

sudo apt-get install libpcsclite1 pcscd pcsc-tools

I then plugged in the CAC reader and inserted my CAC. Then I ran the PCSC diagnostic tool to check the reader status:

pcsc_scan

Next, following the instructions from MilitaryCAC.com, I downloaded the DoD certificates and installed them in Chrome:

Settings --> Advanced --> Manage Certificates --> Authorities --> Import

Note: You have to check all THREE permissions boxes for EACH certificate when you install it.

After that, I utilized Synaptic Package Manager to install Coolkey and all its relevant components.

Note: I had tried a few different things to get Cackey to work (e.g. using the App for Chrome) but AKO still didn't recognize that my card was inserted.

Following the directions from the Ubuntu help site, I installed NSS (which Linux apparently uses to manage SSL certificates) as follows:

WARNING: Close out Chrome before you do this! If you don't, it might corrupt it.

CAUTION: DO NOT use sudo to add the CAC Module! It will lock the pkcs11.txt file that allows your web browser to recognize that the CAC is inserted into the reader.

modutil -dbdir sql:.pki/nssdb/ -add "CAC Module" -libfile /usr/lib/pkcs11/libcoolkeypk11.so

Note: Your library file location might be different. Utilize a search to look for the Coolkey library file.

After that, I checked to see if the reader recognized my card:

modutil -dbdir sql:.pki/nssdb/ -list

You should see something like this:

1. NSS Internal PKCS #11 Module
     slots: 2 slots attached
     status: loaded

     slot: NSS Internal Cryptographic Services
     token: NSS Generic Crypto Services

     slot: NSS User Private Key and Certificate Services
     token: NSS Certificate DB

2. CAC Module
     library name: /usr/lib/libcackey.so
     slots: 1 slot attached
     status: loaded

     slot: CACKey Slot
     token: LASTNAME.FIRSTNAME.NMN.123456789

If not, MilitaryCAC suggests that you probably were not in your home directory during install. That is a must.
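The registration and verification steps above, combined into one guarded script. This is an added example, not part of the original instructions: the function names and the searched directories (/usr/lib, /usr/lib64) are assumptions, and the parser assumes modutil prints the layout shown above.

```sh
#!/bin/sh
# Added example (not from the original post): guarded Coolkey registration in the user's NSS DB.
NSSDB="sql:$HOME/.pki/nssdb"   # absolute path, so the current directory does not matter

# Print the first libcoolkeypk11.so found under the given directories.
find_coolkey_lib() {
    find "$@" -name 'libcoolkeypk11.so' 2>/dev/null | head -n 1
}

# Succeed only for a non-root UID (defaults to the caller's UID).
check_not_root() {
    [ "${1:-$(id -u)}" -ne 0 ]
}

# Read `modutil -list` output on stdin; succeed only if module "$1" is loaded
# and one of its slots reports a non-empty token (card inserted and readable).
module_has_token() {
    awk -v name="$1" '
        /^[ \t]*[0-9]+\.[ \t]/ {
            line = $0
            sub(/^[ \t]*[0-9]+\.[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line)
            inmod = (line == name); next
        }
        inmod && /status:[ \t]*loaded/ { loaded = 1 }
        inmod && /token:[ \t]*[^ \t\r]/ { token = 1 }
        END { exit !(loaded && token) }'
}

register_cac_module() {
    check_not_root || { echo "run as your normal user, not with sudo" >&2; return 1; }
    if pgrep -u "$(id -u)" 'chrome|chromium' >/dev/null; then
        echo "close Chrome/Chromium first" >&2; return 1
    fi
    lib=$(find_coolkey_lib /usr/lib /usr/lib64)
    [ -n "$lib" ] || { echo "libcoolkeypk11.so not found" >&2; return 1; }
    modutil -dbdir "$NSSDB" -add "CAC Module" -libfile "$lib" || return 1
    modutil -dbdir "$NSSDB" -list | module_has_token "CAC Module"
}

# Constructed sample in the layout shown in the post, for trying the parser offline.
SAMPLE_LIST='1. NSS Internal PKCS #11 Module
     status: loaded
     token: NSS Certificate DB
2. CAC Module
     library name: /usr/lib/libcoolkeypk11.so
     status: loaded
     slot: CACKey Slot
     token: LASTNAME.FIRSTNAME.NMN.123456789'

if [ "${1:-}" = "--register" ]; then register_cac_module; fi
```

Run it with --register to perform the registration; a non-zero exit after the add step means the module is listed but no card token was reported.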

That was literally it. I was able to log onto AKO, MyPay, and my Enterprise E-mail.

NOTE: If the CAC reader light does not come on when the reader is plugged in or when the card is inserted, running pcsc_scan should reinitialize communications.

UPDATE [5-7-2018]: Have successfully installed the CAC reader on Zorin OS 12.3 and utilized it to access AKO. Changes to previous system specs as follows:

OS: Zorin OS 12.3 (64-bit)
Browser: Chromium Version 64.0.3282.167 (Official Build) Built on Ubuntu, running on Zorin 12 (64-bit)
System: 

UPDATE [6-1-2018]: Successfully accessed the Evaluation Entry System and signed an OER.

2 comments:

  1. Great write-up for getting the CAC working on your Ubuntu system. It's nice to see no PPA is required to get all the required packages installed.

    1. Thanks Nathan! I'll keep updating as I try more systems and browsers.
