Bryce:
We would most welcome a chance to try a dummy card.
I think we should copy Bob first to make sure there is not something
obviously wrong on the coolkey end.
----- Original Message -----
From: "Bryce L Nordgren -FS" <bnordgren(a)fs.fed.us>
To: "John Magne" <jmagne(a)redhat.com>, rrelyea(a)redhat.com
Cc: pki-users(a)redhat.com
Sent: Friday, May 1, 2015 12:26:12 PM
Subject: RE: [Pki-users] US Government SmartCard question
Jack,
I don't know the process or if it's possible yet, but would it help if I
could get you guys a dummy LincPass (USDA-issued PIV smart card) with a
throwaway PIN to debug with? I've often found that eliminating ignorant
middlemen (me) speeds solutions along.
Ideally, the card would be usable for console logins as well as our
public-facing SAML IdP [1]. Is there an extra step to making the card usable with a
browser or would a coolkey fix apply to both pam_pkcs11 and the browser?
Thanks,
Bryce
[1] https://www.eauth.usda.gov/Login/login.aspx
> -----Original Message-----
> From: John Magne [mailto:jmagne@redhat.com]
> Sent: Friday, May 01, 2015 12:34 PM
> To: Nordgren, Bryce L -FS
> Cc: pki-users(a)redhat.com
> Subject: Re: [Pki-users] US Government SmartCard question
>
> Bryce:
>
> Yes, that helps.
> I can take a look at the code when I get a moment.
> Also we might bring in Bob Relyea rrelyea(a)redhat.com since he is the
> coolkey and coolkey/CAC guru.
>
>
> ----- Original Message -----
> From: "Bryce L Nordgren -FS" <bnordgren(a)fs.fed.us>
> To: "John Magne" <jmagne(a)redhat.com>
> Cc: pki-users(a)redhat.com
> Sent: Friday, May 1, 2015 11:13:01 AM
> Subject: RE: [Pki-users] US Government SmartCard question
>
> Hi Jack,
>
> I wasn't quite sure how to capture an insertion event with pkcs11_inspect. It
> seems to fail right away if nothing's in the reader. So I ran "pkcs11_eventmgr
> debug nodaemon" in the terminal that had the COOL_KEY_LOG_FILE variable
> set. I also ran a pkcs11_inspect with a card already inserted. Log files for
> both runs are attached.
>
> It's not super verbose, but the root cause seems to be "CAC Select failed".
>
> Does this shed any light on the problem?
>
> Thanks,
> Bryce