0Current as of: 24 October 2009
If you have questions or problems pertaining to using your CAC on your MAC computer (after you read information below), please contact Bill Hankins by visiting the Apple contact page(Please know that he is currently in Iraq, so there will be a delay in a return email). Therefore, please attempt to follow the instructions below BEFORE emailing him).
The following information is provided for your situational awareness while setting up the utilization of your CAC on your Mac. It is updated as additional information is available and your input is appreciated for solutions not outlined here.
ActiveClient is a middleware program used by the DoD to facilitate the cross talk between Windows computers (prior to Windows 7) and your Common Access Card. It was offered for the “Tiger” release (MAC OS X 10.4.9) and is not compatiblewith Leopard or Snow Leopard (the current release of MAC OS X (10.6.1)).The program is available for purchase through the manufacturer, and is not available for download from DoD. The use of this program is not supported here for Apple operating systems, as it is not required for Tiger, Leopard or Snow Leopard.
ADmitMac for CAC is another middleware program,created by Thursby Software, in use by the DoD on someNETCOM Apple Baseline images. This software allows easy configuration of systems for CAC only authentication and logon for systems being added to a DoD domain.This software is not required on non-DoD computers. It is available on a trial download basis from the manufacturer and is available for purchase at that location;it does not support Snow Leopard at the time of this publication.
PureEdge is currently only available for Windows, and although there is a Citrix based version floating around the internet it only functions on older Mac systems, and not very well. The Citrix based version does not support signatures and has been problematic since it’s inception. There is another program available on windows, Lotus Form Viewer, though, this too, is only available on Windows.
Windows on your MAC:While you have made a conscious decision to “be a Mac”, the NETCOM Engineers have not, and therefore the easiest solution for some problems, such as PureEdge, ApproveIt, and some websites, is to use Windows through a Virtual Machine, such as Parallels or VMWare, or through Apple’s native Boot Camp. This will require you to have a legal copy of Windows. With this you can install the ActiveClient, PureEdge, and ApproveIt software and utilize all the DoDtools from your MAC. The benefit of the Virtual machines over Boot Camp is that is will allow you to run Windows as an additional program (without restarting your computer) and keep OS X running the entire time.
DBSign: In order to access some sites, such as DTS (Defense Travel System), a digital signature is needed. This is currently being executed through a program called DBSign installed on an end users computer in coordination with the website. This software is not currently available for MAC, and is in the process of being replaced by a Java applet installed on the site server to alleviate the need for additional software on the end users system. This site will be updated with a notification of this update when complete.Here is the current information.
CAC Readers: With a variety of CAC readers available today there are also a variety of issues. Currently there is a known issue with the SCR-3310 Card Reader with Firmware version 5.22 with the Snow Leopard (10.6.1) release of OS X. The issue consists of the reader appearing in System Profiler, though not recognizing ID Cards. This appears to be an issue with driver compatibility with the 64-bit kernel Snow Leopard utilizes. The SCR-331 functions fully with all releases of OS X and is recommended.
Apple updates:OS X Update 10.5.6 repairs a variety of problems associated with previously identified CAC issues. The Smart Card Services software available through various websites is for 10.5.4 and 10.5.5 only. It has not been tested on 10.5.6 as it is not required. If you have 10.5.5 and install it, you can update to 10.5.6 with no issues.
Firefox Web Browser: The commonly used web browser, Firefox, offered my Mozilla, offers CAC support only onWindows computers at this time. The program has support for such systems imbedded, however the files required to utilize a CAC are non-functioning at this time. The steps outlined below are for use with the Safari browser, as it is native to the OS and functions by using the Keychains Access program.
Outlook Web Access Portals: The use of Outlook Web Access portals (OWA) on MAC current has known issue with time outs. Beware that when using OWAon your MAC that if you are inactive on the primary window, i.e. the inbox, while replying to an email, your browser may time out. On your Windows machine the client side software, [ActiveClient]actively maintains communications with the server side CAC software and re-requests validation of your credentials. On your MAC this is not so, Safari will respond to a direct request for validation of your credentials, however it will not re-request that you verify as the server requires. Be sure that prior to selecting the Send button that you copy your work to the clipboard as you will most likely have to restart Safari and log back in. The issue is being worked at this time and updates will be made available here when complete.
Setting up your CAC for use on your Macintosh (Visually):
Step 1: Update your system. (10.5.6 is the minimum required for Leopard, though 10.5.8 is currently available for Leopard, and 10.6.1 is available for Snow Leopard)
Step 2: Plug in your CAC Reader to an available USB Port
Step 3: Click the Apple Icon in the upper left corner of your desktop and select "About This Mac"
Step 4: Click the "More Info" Button within the window that pops up. (This opens System Profiler)
Step 5: Within the "Hardware" Category select "USB."On the right hand side of the screen the window will display all hardware plugged into the USB ports on your Mac. You should see “Smart Card Reader.”If the Smart Card reader is present, it is installed on your system, and no further hardware changes are required, i.e. additional drivers / Firmware upgrades. Unplug the CAC Reader from your system and Quit System Profiler.
Step 6:Click: Go, Applications, Keychain Access, thenclick "Edit" in the menu bar, and select "Keychain List"
Step 6a: Click the "+" button in the lower left of the window opened
Step 6b: Click on the local hard drive (under Devices on the left), thenSystem / Library / Keychains, and double click X509Anchors.
Step 6c:Check the Box on the left of the X509Anchors in the Shared column as well as the System Box. Click "Ok".
Step 7:Plug in your CAC Reader, allow approx. 5 seconds for the reader to initialize and insert your CAC into the CAC Reader. In the upper left of the Keychain Access window, under "Keychains" your CAC should show up (CAC XXXX-XXXX-XXXX-XXXX-XXXX), click it. In the right hand side you will see the certificates that are on your CAC.(If your CAC does not appear remove it from the reader, unplug the CAC Reader, quit, and re-open Keychains Access, plug in the Card Reader, and insert your CAC)
Step 8: Click the "Padlock" icon in the upper left corner of the program window, which will prompt you for your CAC PIN. Enter your PIN to unlock your CAC.
Step 9: Select the desired certificate, which will show DOD CA-XX or DOD EMAIL CA-XX in the upper window. Right Click (Control Click) and select "New Identity Preference"
Step 10: Enter the URL / website (choose from the below links) for the appropriate website you wish to access using your CAC, select the appropriate certificate and click “Add”:
Step 11:Quit Keychain Access (and Applications (if it is still open)), remove your CAC from the reader, and re-insert it. Open Safari and begin navigating to your CAC enabled site.
Examples of URLs to add to your Keychain Access
Army:
- AKO: (DOD CA-XX)
- AKO Webmail: (DOD CA-XX)
- Fort Gordon OWA (NASE Email Access): (EMAIL CA-XX)
- Army Reserve OWA (USAR Email Access): (EMAIL CA-XX)
- Center for Army Lessons Learned (CALL): (DOD CA-XX)
- CONUS AMEDD Exchange OWA: (EMAIL CA-XX)
- National Guard Knowledge Online: (DOD CA-XX)
- NORAD NORTHCOM CAC Registration Site: (DOD CA-XX)
- NORAD NORTHCOM External Access Site: (DOD CA_XX)
- Soldier Survey Site: (EMAIL CA-XX)
Navy:
-Navy Knowledge Online (1 of 2): (DOD CA-XX)
-Navy Knowledge Online (2 of 2): (DOD CA-XX)
- Navy Webmail: (DOD CA-XX)
- Reserve Portal: (DOD CA-XX)
- NADSUSEA (Navy East OWA): (EMAIL CA-XX)
- NADSUSWE (Navy West OWA): (EMAIL CA-XX)
- NADSUSEA NCIS COI (Navy NCIS OWA): (EMAIL CA-XX)
- NMCI-ISF (Navy ISF OWA): (EMAIL CA-XX)
- PADS (Navy PADS OWA): (EMAIL CA-XX)
- PADS (Navy PACOM SMR Users OWA): (EMAIL CA-XX)
- IATS NMCI Webmail (1 of 3): (EMAIL CA-XX)
- IATS NMCI Webmail (2 of 3): (EMAIL CA-XX)
- IATS NMCI Webmail (3 of 3): (EMAIL CA-XX)
- Marine Corps Webmail: (EMAIL CA-XX)
- Navy E-learning: (DOD CA-XX)
- Navy Forces Online: (EMAIL CA-XX)
- Navy Homeport (NMCI Default Homepage): (EMAIL CA-XX)
- Navy InfoSec: (DOD CA-XX)
- Navy Medical (1 of 3): (DOD CA-XX)
- Navy Medical (2 of 3): (DOD CA-XX)
- Navy Medical (3 of 3): (DOD CA-XX)
- Navy Medical Outlook Web Access: (EMAIL CA-XX)
- JTF-GNO: (EMAIL CA-XX)
- BUPERS: (DOD CA-XX)
- NSIPS (1 of 2); (DOD CA-XX)
- NSIPS (2 of 2): (DOD CA-XX)
- NROWS: (DOD CA-XX)
- Navy Reserve Portal (1 of 2): (DOD CA-XX)
- Navy Reserve Portal (2 of 2): (DOD CA-XX)
Air Force: (There are currently issues with the AF Portal, the issues are being addressed and updates will be posted here when available)
- AF Portal (1 of 3): (DOD CA-XX)
- AF Portal (2 of 3): (DOD CA-XX)
- AF Portal (3 of 3): (DOD CA-XX)
- Air Force Portal Virtual MPF Site: (DOD CA-XX)
- Air Force Top Flite Website: (DOD CA-XX)
- Air Force Jag Site: (DOD CA-XX)
- Air Force Education Exchange: (EMAIL CA-XX)
- AF AMC Exchange Email: (EMAIL CA-XX)
Coast Guard:
- Coast Guard Email: (DOD CA-XX)
DoD:
- Defense Manpower Data Center: (DOD CA-XX)
- DOD 411 Directory: (EMAIL CA-XX)
-Tricare Online: (DOD CA-XX)
-Tricare (1 of 3): (EMAIL CA-XX)
-Tricare (2 of 3): (EMAIL CA-XX)
-Tricare (2 of 3): (EMAIL CA-XX)
- Military Health System: (DOD CA-XX)
Note on URL’s: It is important to understand that when entering URL’s into an identity preference they must be precise. As you can see in the preceding references some end with a “/”.Not all websites will have this. Every website that attempts to validate your CAC must search a database (Usually internal to the site) and the URL you enter is creating the link between that database and your CAC. As there is not a single database that all sites use for this purpose you will encounter sites that do not function properly initially. If you pay attention to the actions of the browser when you click the login button you will usually see where the browser is being pointed and can use that URL in your Identity Preference. For the most part you will not need to reference a specific site, i.e. ending in .html etc, but instead the will use the broad address as above.
Note on Certificate Selection: When creating Identity Preferences within Keychains it is important to understand the difference between your Certificates. I will not go into great detail as to the differences here however I will give you the information you need to know. There are 3 certificates on your CAC:
- DOD CA-XX, used for identification verification, is the top most certificate shown in Keychains. This will be used when logging into AKO. This will show up with a red “x” beside it a majority of the time as “Unsigned”.
- DOD CA-XX EMAIL, used for signatures, is the second in the list of certificates in the list. This certificate is used when you digitally sign an email, or document, and by some websites for verification of your identity, i.e. Outlook Web Access. When logging into a non-AKO site keep in mind that whatever certificate you used when logging on at your work computer will be required on your MAC.
- DOD CA-XX EMAIL, used for encryption, is the third in the list of certificates. This will not be used when accessing websites, and unless you are accustomed to encrypting your email, will not be used at all.
When creating Identity Preferences there will be some trial and error involved in selecting the correct URL/Certificate combination.If you create an Identity Preference and attempt to change the certificate it uses you may see more than 3 certificates when you open the drop down menu as below, they are grouped into their respective classes, the first pair being the DOD CA-XX, second pair EMAIL CA-XX (Signature) and the third pair EMAIL CA-XX (Encryption). Choose either of the first two if you want the DOD CA-XX and so forth. They point to the same certificate.
This should set you up to access sites that are authenticated with your CAC. Please let me know how this works out for you and what issues you have. Once again if you have additional sites you have found solutions for please let me know and I will include them in the list on this page. If you still have questions, feel free to contact me. (Please know thatI am currently heading to Iraq, so there will be a delay in a return email). Therefore, please attempt to follow the instructions above BEFORE emailing me).
Current as of: 24 October 2009
Written by CPT Bill Hankins, Revised by CW3 Michael J. Danberry while following the instructions on my own iBook G4.