Sphinx Page 1 Tuesday, January 14, 2003 12:53 PM

Apple Federal Smart Card Package
Installation and Setup Guide

About the Federal Smart Card Package

The Apple Federal Smart Card Package (FSCP) is software you install on a Macintosh computer that lets users gain access to the computer using a Department of Defense Common Access Card.
Installing the Federal Smart Card Package

To install the Apple Federal Smart Card Package:

1. Log in as an administrator for your computer and insert the FSCP installation disc. The user you created when you set up Mac OS X is an administrator.
2. Double-click the “FederalSmartCardPackage.pkg” icon on the CD. A message asks you to enter your password and restart the computer.
3. Follow the onscreen instructions to install the software.
Setting Login Options

Mac OS X is set up to log in automatically as the user you created when you set up Mac OS X. Before using a Common Access Card to log in to your computer, you need to turn off automatic login. To reduce the possibility of someone circumventing the security of your computer, you can also hide the Restart and Shut Down buttons that appear in the login window.

To change login options:

1. Open System Preferences and click Accounts.
Starting Authentication With the Common Access Card

To start using the Common Access Card to authenticate access to the computer, execute this command in Terminal (as root):

    cac_setup

To stop authentication using the card and restore the standard Mac OS X authentication, execute this command (also as root):

    cac_setup -off

Authenticating With the Common Access Card

You can now use the Common Access Card to gain access to the computer.
Making Sure FSCP Is Running

For the smart card reader to work, an FSCP system daemon named “pcscd” must be running.
Restarting the FSCP Daemon

To restart the FSCP “pcscd” daemon, execute this in Terminal as root:

    /System/Library/StartupItems/SmartCardServices/SmartCardServices restart

You can also use stop and start instead of restart.

Adding a Smart Card to SmartCardServices

The FSCP software contains the ATR values for the Common Access Cards currently available.
The contents of the file look like this:

    allowPasswordLogon 1
    verboseMessages 1
    crlVerificationOptional 1

A value of 1 for the allowPasswordLogon key lets users log in using a user name and password instead of the card. Set the value to 0 (zero) to prevent password login. The value of the verboseMessages key sets whether diagnostic information is on (1) or off (0).
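The following is an added example, not code from the FSCP package: a small parser and audit for a file in the key/value format shown above, reporting the settings that weaken card-only login as the guide describes them. The sample file contents are constructed; the file's path on disk is not given on this page, so the functions take the text rather than a path. The meaning of crlVerificationOptional is not described here, so the audit only reports its value.

```python
"""Parse and audit an FSCP-style key/value configuration file.

Added example, not part of the Apple FSCP package. Models the three keys the
guide shows (allowPasswordLogon, verboseMessages, crlVerificationOptional).
The sample text is constructed; no on-disk path is assumed.
"""

# Constructed sample matching the guide: one "key value" pair per line.
# Blank lines and '#' comments are tolerated by the parser (an assumption;
# the guide shows neither).
SAMPLE_CONFIG = """\
allowPasswordLogon 1
verboseMessages 1
crlVerificationOptional 1
"""

# The same file with password login disabled and diagnostics turned off.
HARDENED_CONFIG = """\
allowPasswordLogon 0
verboseMessages 0
crlVerificationOptional 1
"""


def parse_fscp_config(text):
    """Return {key: int_value} for every 'key value' line.

    Raises ValueError on a line that is not exactly two tokens or whose value
    is not an integer, so a malformed file fails loudly rather than silently
    falling back to whatever default the daemon applies.
    """
    config = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'key value', got {raw!r}")
        key, value = parts
        try:
            config[key] = int(value)
        except ValueError:
            raise ValueError(f"line {lineno}: value for {key} is not an integer") from None
    return config


def audit_fscp_config(config):
    """Return human-readable findings based on the key meanings the guide gives."""
    findings = []

    # allowPasswordLogon 1 lets a user bypass the card with a password.
    password_logon = config.get("allowPasswordLogon")
    if password_logon is None:
        findings.append("allowPasswordLogon is not set: the default is not "
                        "documented here, so set it explicitly")
    elif password_logon == 1:
        findings.append("allowPasswordLogon is 1: user name/password login is "
                        "still accepted; set it to 0 to require the card")

    # verboseMessages 1 emits diagnostics; useful during setup, noisy afterwards.
    if config.get("verboseMessages") == 1:
        findings.append("verboseMessages is 1: diagnostic output is enabled")

    # crlVerificationOptional appears in the file but its semantics are not
    # described on this page, so it is reported rather than judged.
    if "crlVerificationOptional" in config:
        findings.append(f"crlVerificationOptional is {config['crlVerificationOptional']}: "
                        "confirm the intended CRL behaviour against the FSCP documentation")
    return findings


if __name__ == "__main__":
    for name, text in (("as installed", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"--- {name} ---")
        for finding in audit_fscp_config(parse_fscp_config(text)):
            print(" *", finding)
```

Run it against the real file by reading its contents into parse_fscp_config; the audit treats a missing allowPasswordLogon as a finding because the guide does not state what the daemon does when the key is absent.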
Setting Up Mozilla to Work With Your Smart Card

You can use the Mozilla application for Mac OS X to send and receive signed and encrypted email messages using S/MIME with certificates stored on your Common Access Card.

Note: Mozilla is not included with Mac OS X and is not supported by Apple. To download Mozilla for Mac OS X, visit the Mozilla website at www.mozilla.org and download version 1.2.1 or later.
Setting Up Mozilla to Sign and Encrypt Messages

To set up Mozilla to use your Common Access Card to sign and encrypt email messages:

1. Choose Mail & Newsgroups from the Window menu. You may need to set up your email account information before you continue.
2. Insert the Common Access Card in the reader, if necessary.
3. Choose Mail & Newsgroups Account Settings from the Edit menu, then click Security.
5. Make sure the “Import the CA certificate chain into your browser” button is selected and click Submit. A message appears asking for which purposes you trust the new Certificate Authority.
6. If you are installing an email certificate, select the “Trust this CA to identify email users” checkbox. If you are installing an ID certificate, do not select any of the checkboxes. Selecting only the purpose you need keeps the new CA from being trusted for anything else.

Note: If you want to see the certificate you are accepting, click View.
Setting Up FSCP to Use Other Directories

To authenticate a user at login, FSCP gets information from the Common Access Card and sends it to Open Directory. Open Directory uses this information to look up the user record in the local NetInfo directory service and returns it to FSCP, which then passes the record to Mac OS X to finish the login process.
Format of the userLookupConfig.plist file

When it’s installed, the userLookupConfig.plist file looks like this.
You can change the lookup configuration based on your existing directory service. For example, if your directory service specifies user records by using the “NT Principal Name” from the signing certificate and the name of the key in the directory schema is “KeyName,” the userLookupConfig.
If the value of the type key is DemographicData, the array entry has two additional keys:

- The value of the tag key specifies the demographic data to get from the card. For example, specifying 23 for the tag value returns the EDI Identifier number. You must specify the tag as a decimal number.
- The value of the value key is a placeholder. It is replaced by the information returned by the card. For example, the EDI Identifier might be “1603987654”.
The formatString Key

The value of the formatString key specifies the format of the search string. You can specify which items in the values array to use in the search string, their order, and any literal string elements needed to search your directory service for the user record. To include an item from the values array in the search string, use a $ followed by the index of that item in the values array.
Examples of Searching User Records

This section provides additional examples for changing the userLookupConfig.plist file.

A Simple Change

This example gets the EDI Identifier from the Common Access Card.
Searching Using Certificate Data

This example searches for the user record using two search values from the certificate data on the Common Access Card.
Searching Using a Combination of Data

This example searches using both demographic data and certificate data.
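As an added illustration of the lookup the preceding sections describe (this is not the FSCP package's own code, and not its actual plist), the block below builds the directory search string from a values array and a formatString, combining demographic and certificate data as in the combination case, and converts a DMDC hex tag to the decimal form the plist requires. The page names the keys (type, tag, value, formatString) without reproducing the plist, so the configuration is modelled as a Python dict. Everything not on the page is an assumption: $ indexes are taken as 0-based and read greedily; certificate items use a hypothetical type "CertificateData" with a "field" key; the card is simulated by an in-memory dict; and the directory is assumed to take an LDAP-style filter, so card-supplied values are escaped per RFC 4515 before substitution.

```python
"""Derive a directory search string from Common Access Card data.

Added example, not the FSCP package's own code. The userLookupConfig.plist
schema is modelled as a Python dict using the keys the guide names: a values
array whose items have a type key, DemographicData items with tag (decimal)
and value (placeholder) keys, and a formatString with $-index placeholders.
Assumptions: $ indexes are 0-based and greedy ($10 is item 10); certificate
items use a hypothetical type "CertificateData" with a "field" key; the card
is an in-memory dict; the directory takes an LDAP-style filter (RFC 4515).
"""
import re

# Constructed sample card (not real CAC data): demographic values keyed by
# decimal tag, plus a couple of certificate fields.
SAMPLE_CARD = {
    "demographic": {23: "1603987654", 36: "A", 52: "V"},
    "certificate": {"NT Principal Name": "1603987654@mil",
                    "Common Name": "DOE.JOHN.1603987654"},
}

# Constructed lookup config combining demographic and certificate data.
SAMPLE_CONFIG = {
    "values": [
        {"type": "DemographicData", "tag": 23, "value": ""},        # EDI Identifier
        {"type": "CertificateData", "field": "NT Principal Name"},  # hypothetical type
    ],
    "formatString": "(&(KeyName=$1)(ediNumber=$0))",
}

PLACEHOLDER = re.compile(r"\$(\d+)")
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def hex_tag_to_decimal(hex_tag):
    """Convert a DMDC API tag given in hex (e.g. 'D0') to the decimal form
    userLookupConfig.plist requires (208)."""
    if not re.fullmatch(r"[0-9A-Fa-f]{1,2}", hex_tag):
        raise ValueError(f"not a one-byte hex tag: {hex_tag!r}")
    return int(hex_tag, 16)


def escape_filter_value(value):
    """RFC 4515 escaping so text read from the card cannot change the
    structure of the filter it is substituted into (LDAP-style assumption)."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def resolve_values(config, card):
    """Replace each values-array item with the data read from the card.
    The value key of a DemographicData item is a placeholder and is
    overwritten, as the guide describes."""
    resolved = []
    for item in config["values"]:
        kind = item.get("type")
        if kind == "DemographicData":
            tag = item["tag"]
            if not isinstance(tag, int):
                raise TypeError(f"tag must be a decimal integer, got {tag!r}")
            resolved.append(card["demographic"][tag])
        elif kind == "CertificateData":          # hypothetical type name
            resolved.append(card["certificate"][item["field"]])
        else:
            raise ValueError(f"unsupported values item type: {kind!r}")
    return resolved


def build_search_string(config, card):
    """Fill the formatString's $N placeholders with the resolved values."""
    values = resolve_values(config, card)

    def substitute(match):
        index = int(match.group(1))
        if index >= len(values):
            raise IndexError(f"formatString refers to ${index} but only "
                             f"{len(values)} values exist")
        return escape_filter_value(values[index])

    return PLACEHOLDER.sub(substitute, config["formatString"])


if __name__ == "__main__":
    print(build_search_string(SAMPLE_CONFIG, SAMPLE_CARD))
```

The escaping step is the part worth keeping whatever the real plist looks like: the search string is assembled from data the card presents, so a directory that interprets metacharacters must see them neutralised, and an index in formatString that points past the values array should fail rather than leave a literal "$N" in the query.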
Demographic Tag Values

The “Defense Manpower Data Center Common Access Card Application Programming Interface” specifies demographic tags in hexadecimal. You specify the tag value in the userLookupConfig.plist file using the decimal equivalent. This table lists the demographic tags with their hexadecimal and decimal values.
Demographic tag                              Decimal  Hexadecimal
Civilian Health Care Entitlement Type Code   208      D0
Direct Care Benefit Type Code                209      D1
Civilian Health Care End Date                210      D2
Meal Plan Type Code                          26       1A
DoD Contractor Function Code                 25       19
US Government Agency/Subagency Code          32       20
Branch of Service Code                       36       24
Pay Grade Code                               37       25
Rank Code                                    38       26
Personnel Category Code                      52       34
Non-US Government Agency/Subagency Code      53       35
Pay Plan Code                                54       3