Date: | Wed, 11 Apr 2012 01:39:43 +0900 |
Content-Type: | Text/Plain |
On Tuesday 10 April 2012 23:19:37 Novick, Jeffrey L CTR (US) wrote:
> Hi,
>
> I am having some issues getting my CAC to work in my Dell E6500 with SL 6.2
> 64 bit. I followed the instructions at
> http://zxq9.com/dodcac/F13-32/Fedora13.html The only difference was that
> yum install dogtag* did not work, yum search dogtag returned a bunch of
> pki packages. I installed each and every one of them and set up
> certificates and coolkey in Firefox. The card didn't seem to be
> recognized, so I ran the smart card manager (Applications->System
> Tools->Smart Card Manager) and got nothing. I ran "esc" from the command
> line and got "Could not find compatible GRE between version 1.9 and 1.99"
> xulrunner --gre-version returns 10.0.3
> Googled for a while, only came up with some reinstallation stuff and
> changing the version in /usr/lib64/application.ini. Even tried an external
> reader with no luck. This machine dual boots between Win 7 and SL 6.2, so
> I know the hardware works. Nothing worked and I'm at a loss now. What can
> I try next? Thanks!

I did some digging since I'm the author of the outdated instructional that
failed on you.

I found three issues.

1)
SELinux expects a few rules to be in place that are missing from at least
my SL6 system for an SCR-331 to be recognized when pcscd tries any of
getattr/read/open on the USB device when hotplugged. This might not be a
problem if yours is in the keyboard or on the mainboard already if it's a
notebook, but it was on my USB reader. That runs into an AVC denial and driver
loading fails which made my reader seem dead and esc not even try to look for
anything. It also made pcscd -H look like it worked but not find anything.
So some audit2allow magic can fix that without disabling SELinux.

2)
The problem with esc not liking the version numbers was filed as a bug in
Fedora 15 just a few days ago here:
https://bugzilla.redhat.com/show_bug.cgi?id=688361
and patched here:
https://admin.fedoraproject.org/updates/esc-1.1.0-14.fc15
I'm assuming this will find its way into TUV's sources, but that's sometimes
not a sound assumption to make. Building it is easy, though. If you aren't
familiar with that contact me off-list and I can get you something that works
and should get safely overwritten when the real patch comes down.

3)
There have been a few issues with coolkey not being as cool as it once
was depending on how new your card's chip is. Instead of using the pkcs11-
coolkey-blahblah.so module you might have better luck with OpenSC. The steps
to get pkcs11-tool and/or Firefox to talk to the module are the same as for
coolkey, just point them at "/usr/lib64/pkcs11/opensc-pkcs11.so" instead of
the module in the Fedora13 instructional.

All of this information should be fairly accurate, but please note that I am
not in the Army anymore and haven't really kept up with these projects since I
stopped needing CAC login for every silly admin task imaginable. So there is a
point beyond which I won't be able to verify operability because I don't have
an active card.
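
Added example, not part of the original message: before building a local policy module with audit2allow for the pcscd denials described in issue 1, it helps to list exactly which permissions would be granted and to scope the input to pcscd only. The sample log lines, the `usb_device_t` target type and the module name `pcscd_local` are constructed assumptions.

```bash
#!/bin/bash
# Constructed sample audit-log lines (not taken from the thread). The
# usb_device_t target type and all numeric values are assumptions.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1334075983.101:411): avc:  denied  { getattr } for  pid=2101 comm="pcscd" path="/dev/bus/usb/002/003" dev=devtmpfs ino=9001 scontext=system_u:system_r:pcscd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
type=AVC msg=audit(1334075983.102:412): avc:  denied  { read open } for  pid=2101 comm="pcscd" name="003" dev=devtmpfs ino=9001 scontext=system_u:system_r:pcscd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
type=AVC msg=audit(1334075990.007:420): avc:  denied  { read } for  pid=2101 comm="pcscd" name="003" dev=devtmpfs ino=9001 scontext=system_u:system_r:pcscd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
type=AVC msg=audit(1334076001.300:431): avc:  denied  { write } for  pid=3050 comm="httpd" name="upload" dev=dm-0 ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
EOF
}

# Read audit-log text on stdin and print one line per unique
# "permission tclass target-type" denied to the process named in $1.
avc_summary() {
    awk -v want="comm=\"$1\"" '
        /avc: +denied/ && index($0, want) {
            perms = ""; tclass = ""; ttype = ""
            # The denied permissions sit between the braces.
            if (match($0, /[{][^}]*[}]/))
                perms = substr($0, RSTART + 1, RLENGTH - 2)
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^tclass=/) tclass = substr($i, 8)
                if ($i ~ /^tcontext=/) {
                    # user:role:type:level -> keep the type
                    split(substr($i, 10), c, ":")
                    ttype = c[3]
                }
            }
            n = split(perms, p, " ")
            for (j = 1; j <= n; j++) print p[j], tclass, ttype
        }' | sort -u
}

# Review what a module would allow; the httpd denial is excluded.
sample_audit_log | avc_summary pcscd

# On the affected machine (as root), the same scoping applied to real events:
#   ausearch -m avc -c pcscd --raw | avc_summary pcscd
#   ausearch -m avc -c pcscd --raw | audit2allow -M pcscd_local
#   semodule -i pcscd_local.pp
```

Feeding audit2allow only the pcscd events keeps unrelated denials in the same log from being allowed by the generated module.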