On 05/01/2015 02:01 PM, John Magne wrote:
Bryce:
We would most welcome a chance to try a dummy card.
I think we should copy Bob first to make sure there is not something
obviously wrong on the coolkey end.
I usually insist on a dummy card because we are always making changes to
coolkey and if I have a dummy card, I can test against that card when I
add additional card support.
BTW is this a PIV or CAC card? You mention PIV here, but Jack was
speaking as if this were a CAC card.
bob
----- Original Message -----
> From: "Bryce L Nordgren -FS" <bnordgren(a)fs.fed.us>
> To: "John Magne" <jmagne(a)redhat.com>, rrelyea(a)redhat.com
> Cc: pki-users(a)redhat.com
> Sent: Friday, May 1, 2015 12:26:12 PM
> Subject: RE: [Pki-users] US Government SmartCard question
>
> Jack,
>
> I don't know the process or if it's possible yet, but would it help if I
> could get you guys a dummy LincPass (USDA-issued PIV smart card) with a
> throwaway PIN to debug with? I've often found that eliminating ignorant
> middlemen (me) speeds solutions along.
>
> Ideally, the card would be usable for console logins as well as our public
> facing SAML IdP [1]. Is there an extra step to making the card usable with a
> browser or would a coolkey fix apply to both pam_pkcs11 and the browser?
>
> Thanks,
> Bryce
>
> [1] https://www.eauth.usda.gov/Login/login.aspx
>
>> -----Original Message-----
>> From: John Magne [mailto:jmagne@redhat.com]
>> Sent: Friday, May 01, 2015 12:34 PM
>> To: Nordgren, Bryce L -FS
>> Cc: pki-users(a)redhat.com
>> Subject: Re: [Pki-users] US Government SmartCard question
>>
>> Bryce:
>>
>> Yes, that helps.
>> I can take a look at the code when I get a moment.
>> Also we might bring in Bob Relyea rrelyea(a)redhat.com since he is the
>> coolkey and coolkey/CAC guru.
>>
>>
>> ----- Original Message -----
>> From: "Bryce L Nordgren -FS" <bnordgren(a)fs.fed.us>
>> To: "John Magne" <jmagne(a)redhat.com>
>> Cc: pki-users(a)redhat.com
>> Sent: Friday, May 1, 2015 11:13:01 AM
>> Subject: RE: [Pki-users] US Government SmartCard question
>>
>> Hi Jack,
>>
>> I wasn't quite sure how to capture an insertion event with pkcs11_inspect. It
>> seems to fail right away if nothing's in the reader. So I ran "pkcs11_eventmgr
>> debug nodaemon" in the terminal that had the COOL_KEY_LOG_FILE variable
>> set. I also ran a pkcs11_inspect with a card already inserted. Log files for
>> both runs are attached.
>>
>> It's not super verbose, but the root cause seems to be "CAC Select failed".
>>
>> Does this shed any light on the problem?
>>
>> Thanks,
>> Bryce