Tuesday, December 10, 2013

Using Ubuntu to access CAC-enabled DoD websites


The Department of Defense (DoD) issues Common Access Cards (CACs), which are smart cards set up in a particular way. You can use these cards for Public Key Infrastructure (PKI) authentication and email. Overwhelmingly, the first thing most users need is PKI authentication. We are going to set this up using Firefox on Ubuntu.

To do this you are going to need a newer CAC reader and a current Common Access Card. Most CACs will look like the one to the right. This is where your PKI authentication is stored. As we said earlier, you need a newer CAC reader. If you have an older square one, those are no longer supported by DoD websites. The newer one is semi-round and looks like the one to the left. In a moment we will use some commands to make sure you have a supported reader.

You need middleware to access a smart card using the SCard API (PC/SC), and a PKCS#11 standard interface for smart cards connected to a PC/SC-compliant reader. US government smart cards may also need support for the Government Smartcard Interoperability Specification (GSC-IS) v2.1 or newer. The pcsclite project provides the middleware layer. Ubuntu splits pcsclite into a few packages. So let's begin our installation.

Install Software Packages

Open a terminal and type the following:
$ sudo apt-get install libpcsclite-dev pcscd pcsc-tools libccid build-essential autoconf

For the packages you just installed to take effect, you will need to restart your computer. Once your computer comes back up, plug in your CAC reader if you haven't done so already. Open a terminal window again and type:
$ pcsc_scan

You should see something like this:
PC/SC device scanner
V 1.4.16 (c) 2001-2009, Ludovic Rousseau <ludovic.rousseau@free.fr>
Compiled with PC/SC lite version: 1.5.3
Scanning present readers...
0: SCM SCR 3310 (21120839GXXXXX) 00 00

Mon Aug 15 11:47:42 2011
 Reader 0: SCM SCR 3310 (21120839GXXXXX) 00 00
  Card state: Card inserted, 
  ATR: 3B 7D 96 00 00 80 XX XX XX XX XX XX XX XX XX XX XX XX

ATR: 3B 7D 96 00 00 80 XX XX XX XX XX XX XX XX XX XX XX XX
+ TS = 3B --> Direct Convention
+ T0 = 7D, Y(1): 0111, K: 13 (historical bytes)
  TA(1) = 96 --> Fi=512, Di=32, 16 cycles/ETU
    250000 bits/s at 4 MHz, fMax for Fi = 5 MHz => 312500 bits/s
  TB(1) = 00 --> VPP is not electrically connected
  TC(1) = 00 --> Extra guard time: 0
+ Historical bytes: 80 31 80 65 B0 XX XX XX XX XX XX XX XX
  Category indicator byte: 80 (compact TLV data object)
    Tag: 3, len: 1 (card service data byte)
      Card service data byte: 80
        - Application selection: by full DF name
        - EF.DIR and EF.ATR access services: by GET RECORD(s) command
        - Card with MF
    Tag: 6, len: 5 (pre-issuing data)
      Data: B0 XX XX XX XX
    Tag: 8, len: 3 (status indicator)
      LCS (life card cycle): 00 (No information given)
      SW: 9000 (Normal processing.)

Possibly identified card (using /home/user_name/.smartcard_list.txt):
3B 7D 96 00 00 80 XX XX XX XX XX XX XX XX XX XX XX XX
        DoD CAC card issued Jan XX, 2010

This means you have a compatible CAC reader. If your window doesn't look like this and you have one that's more like this:

Either you don't have a compatible CAC reader or the system is unable to locate it. You can try unplugging the reader and plugging it back in. If that doesn't work, you'll probably need a new reader.
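To make the ATR lines in the pcsc_scan output above easier to read, here is an added example (not part of the original post and not code from pcsc-tools) that decodes the structural bytes of an ATR the way ISO/IEC 7816-3 lays them out. The names parse_atr and PAGE_ATR are chosen here for illustration; redacted XX bytes are kept as masked values rather than guessed.

```python
# Added example: decode the structure of an ISO/IEC 7816-3 ATR as printed by pcsc_scan.
FI = {0: 372, 1: 372, 2: 558, 3: 744, 4: 1116, 5: 1488, 6: 1860,
      9: 512, 10: 768, 11: 1024, 12: 1536, 13: 2048}   # clock rate conversion factor
DI = {1: 1, 2: 2, 3: 4, 4: 8, 5: 16, 6: 32, 7: 64, 8: 12, 9: 20}  # baud rate divisor

def parse_atr(text):
    """Parse a space-separated hex ATR. 'XX' is kept as None (redacted byte)."""
    data = [None if t.upper() == "XX" else int(t, 16) for t in text.split()]
    if len(data) < 2 or data[0] not in (0x3B, 0x3F) or data[1] is None:
        raise ValueError("need TS (3B or 3F) and an unmasked T0")
    t0 = data[1]
    out = {"convention": "direct" if data[0] == 0x3B else "inverse",
           "interface": {}, "protocols": [], "Fi": None, "Di": None}
    pos, y, i = 2, t0 >> 4, 1
    while y:                                # Y(i) says which of TA/TB/TC/TD follow
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(data):
                    raise ValueError("ATR truncated inside interface bytes")
                out["interface"][f"{name}{i}"] = data[pos]
                pos += 1
        if y & 8:                           # TD(i) carries Y(i+1) and a protocol number
            td = out["interface"][f"TD{i}"]
            if td is None:
                raise ValueError(f"TD{i} is masked; layout cannot be recovered")
            out["protocols"].append(td & 0x0F)
            y = td >> 4
        else:
            y = 0
        i += 1
    k = t0 & 0x0F                           # K = number of historical bytes
    has_tck = any(p != 0 for p in out["protocols"])  # no checksum byte when only T=0
    if len(data) != pos + k + has_tck:
        raise ValueError(f"length {len(data)} != expected {pos + k + has_tck}")
    out["historical"] = data[pos:pos + k]
    ta1 = out["interface"].get("TA1")       # Fi/Di stay None if TA1 is absent or masked
    if ta1 is not None:
        out["Fi"], out["Di"] = FI.get(ta1 >> 4), DI.get(ta1 & 0x0F)
    return out

# The redacted ATR exactly as it appears in the pcsc_scan output above.
PAGE_ATR = "3B 7D 96 00 00 80 XX XX XX XX XX XX XX XX XX XX XX XX"

if __name__ == "__main__":
    info = parse_atr(PAGE_ATR)
    print(info["convention"], info["interface"], len(info["historical"]),
          info["Fi"], info["Di"])
```

For the ATR shown above this gives direct convention, TA(1)=96 with Fi=512 and Di=32, and 13 historical bytes, matching the pcsc_scan analysis.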

The next step is to install the PKCS #11 module and Firefox extension. NOTE: A computer with working CAC authentication is required for the downloads. You'll probably have to download this part at work and email it to yourself. You'll need to go to DISA's Linux development site and download the latest version of CACKEY and the DoD Configuration Extension for Firefox. Try this link for CACKEY https://software.forge.mil/ and this one for the DoD Configuration Extension for Firefox http://www.forge.mil/Resources-Firefox.html

Before installing, open a terminal and do the following:
$ sudo mkdir /usr/lib64

Once this is complete you can install CACKEY. If that installs successfully, you are ready to configure Firefox. Open Firefox and go to the Tools menu. Click on Add-ons. At the top right, next to the search bar that says Search all add-ons, there should be a drop-down menu similar to the one pictured.

You want to click on Install Add-on From File. Navigate to where you saved the DoD Configuration Extension for Firefox. Let it install the plugin and restart; don't worry about all of the errors, just click through them and restart your browser. If you get an error that says it can't install because the add-on cannot be verified, you'll have to type about:config into another tab, search for xpinstall.signatures.required, and set it to false. This preference turns off add-on signature verification for every add-on in that Firefox profile, not only this one. You should now be good to go to use your CAC and CAC reader to access DoD websites. There is a possibility that you might have to install the DoD Class 3 PKI Root Certificate Authorities. If you get an error you can go to Download Root CA Certificate. When they install you'll also get a lot of errors. Just click OK through them and then restart your browser again.


Creative Commons License
Using Ubuntu to access CAC-enabled DoD websites by Randy Rowland is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Based on a work at https://militarycac.com/linux.htm.