Smart Card Setup Guide
Apple Computer, Inc.
© 2006 Apple Computer, Inc. All rights reserved. Under the copyright laws, this manual may not be copied, in whole or in part, without the written consent of Apple. The Apple logo is a trademark of Apple Computer, Inc., registered in the U.S. and other countries. Use of the “keyboard” Apple logo (Option-Shift-K) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and unfair competition in violation of federal and state laws.
Contents

Chapter 1  About Using Smart Cards with Mac OS X
    Setting Up Your Computer
    Updating Your Computer’s System Software
    Compatible Smart Card Readers
    Compatible Smart Cards

Chapter 2  Setting Up Your Smart Card
    Enabling Smart Card Login
    Setting Up an Account for Smart Card Access
    Setting Account Preferences
    Securing Your Idle Computer
    Using Keychain Access
    Setting Up Directory Services for Smart Cards
    Using the Public Key Hash Method
    Using the Attribute Lookup Me
Chapter 1  About Using Smart Cards with Mac OS X

The security architecture in Mac OS X v10.4 Tiger and later includes improvements in smart card services and integration. Follow the instructions in this guide to configure your system to use smart cards. A smart card is a plastic card, similar in size to a credit card, that has memory and a microprocessor embedded in it. Smart cards can store passwords, certificates, and keys.
Updating Your Computer’s System Software

Make sure you are using Mac OS X Tiger or later to take advantage of the latest smart card features. To identify which version you are using, choose Apple menu > About This Mac. You should update your system software regularly to be sure you have the most reliable and up-to-date software.

To update your system software:
1 Choose Apple menu > Software Update.
2 If an update for Mac OS X appears in the list, select its checkbox.
Chapter 2  Setting Up Your Smart Card

Follow the instructions in this chapter to learn how to enable smart card services and configure your computer to use smart cards. Smart card services are preinstalled with Mac OS X v10.4 Tiger or later, but smart card login and system administration are not enabled. You can enable smart card login on any system with or without a smart card reader attached. When the smart card services are enabled, your computer checks whether a smart card reader is attached.
5 To back up the original authorization file and create a separate file to modify, enter:
    cp authorization authorization.orig
    cp authorization /tmp/authorization.mod
6 Open the authorization.mod file you just created in a text editor or property list editor. The file is located in the tmp folder on your startup drive: /tmp/authorization.mod
7 The authorization.mod file is made up of a list of properties arranged in a hierarchy of dictionaries.
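Before copying a modified authorization file back into place, it is worth confirming exactly which rights' mechanism lists differ between authorization.orig and authorization.mod. The script below is an added example, not part of Apple's guide: it parses both property lists with the standard plistlib module and reports every right whose mechanisms changed. The right name and mechanism strings in the embedded sample are constructed, and the "rights"/"mechanisms" dictionary layout is assumed from the property-list hierarchy the guide describes.

```python
import plistlib

# Constructed sample of an authorization property list: a top-level "rights"
# dictionary whose entries may carry an ordered "mechanisms" array.
ORIGINAL = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>rights</key><dict>
    <key>example.login</key><dict>
      <key>class</key><string>evaluate-mechanisms</string>
      <key>mechanisms</key><array>
        <string>builtin:example-one</string>
        <string>builtin:example-two</string>
      </array>
    </dict>
    <key>example.untouched</key><dict>
      <key>class</key><string>allow</string>
    </dict>
  </dict>
</dict></plist>"""

# The same file after an administrator inserted one extra mechanism (constructed).
MODIFIED = ORIGINAL.replace(
    b"<string>builtin:example-two</string>",
    b"<string>builtin:example-added</string>\n        <string>builtin:example-two</string>")


def mechanisms(plist_bytes):
    """Map each right that lists mechanisms to its ordered mechanism list."""
    rights = plistlib.loads(plist_bytes).get("rights", {})
    return {name: list(spec["mechanisms"])
            for name, spec in rights.items() if "mechanisms" in spec}


def diff_mechanisms(orig_bytes, mod_bytes):
    """Return (right, before, after) for every right whose mechanism list differs.

    Lists are compared in order: mechanisms are evaluated in sequence, so a
    reordering is reported as a change, not only an insertion or removal.
    """
    before, after = mechanisms(orig_bytes), mechanisms(mod_bytes)
    return [(name, before.get(name), after.get(name))
            for name in sorted(set(before) | set(after))
            if before.get(name) != after.get(name)]


if __name__ == "__main__":
    # Review the change before replacing the live authorization file.
    for right, old, new in diff_mechanisms(ORIGINAL, MODIFIED):
        print(f"{right}: {old} -> {new}")
```

To review a real edit, read /etc/authorization.orig and /tmp/authorization.mod as bytes and pass them to diff_mechanisms in place of the constructed samples.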
Setting Up an Account for Smart Card Access

You must have a user account to bind to the smart card, and then configure that account to work properly with the smart card. Follow these instructions to set up a user account for a smart card.

Setting Account Preferences

Use the Accounts preferences pane in System Preferences to create or configure the user account that will be bound to the smart card.
Using Keychain Access

You must set up Keychain Access to work with your organization’s policy. There are two common methods for verifying the validity of a certificate: Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL). Information about the status of certificates is stored on a revocation server. The Mac OS X security system can check with the revocation server to validate the certificate.
Setting Up Directory Services for Smart Cards

Smart card login does a lookup for the expected user in a directory service to authenticate the user’s identification. It uses one of two methods:
• The public key hash method: Adds the public key hash (pubkeyhash) to the user's directory record. This method uses Open Directory, and the default directory schema is NetInfo.
• The attribute lookup method: Performs a search for a value based on a key from the email signing certificate on the smart card.
5 You bind the card to the user’s local directory domain by using the sc_auth accept command.
Modifying the Configuration File for Attribute Lookup

In most directory services you will use a configuration file that contains a search key for an Open Directory search. A configuration file is an array of dictionaries. Each dictionary in this array contains one search key in an Open Directory search. The default configuration file is /etc/cacloginconfig.
Here is an example of CAC keys that can appear as fields in the configuration file:

Key                    String Example
Country                U.S.
Organization           U.S. Government
Organizational Unit:1  DoD
Organizational Unit:2  PKI
Organizational Unit:3  USN
Common Name            SURNAME.GIVEN.MI.1160048910
RFC 822 Name           gsurname@navy.
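The attribute lookup method matches a field of the card's email signing certificate against the directory record, so it helps to see how the certificate's subject fields map onto the key strings in the table, in particular how repeated Organizational Unit values are numbered. The following is an added example, not Apple's code: it parses a constructed subject name (modelled on the table, not a real certificate) into the table's key names and returns the value a given configured search key would use. The attribute-type-to-key mapping and the simple comma-separated name syntax are assumptions.

```python
# Constructed subject name and RFC 822 name, laid out like the table above.
SUBJECT_DN = "C=US, O=U.S. Government, OU=DoD, OU=PKI, OU=USN, CN=SURNAME.GIVEN.MI.1160048910"
RFC822_NAME = "gsurname@example.invalid"

# Assumed mapping from X.500 attribute types to the key strings in the table.
# OU is handled separately because it repeats and is numbered.
KEY_NAMES = {"C": "Country", "O": "Organization", "CN": "Common Name"}


def parse_dn(dn):
    """Split 'TYPE=value, TYPE=value' into ordered (type, value) pairs.

    Assumes values contain no commas; a real parser must honour RFC 4514 escaping.
    """
    pairs = []
    for part in dn.split(", "):
        attr_type, sep, value = part.partition("=")
        if not sep or not value.strip():
            raise ValueError(f"malformed relative distinguished name: {part!r}")
        pairs.append((attr_type.strip(), value.strip()))
    return pairs


def certificate_keys(subject_dn, rfc822_name=None):
    """Return {key string: value}, numbering OUs as Organizational Unit:1, :2, ..."""
    keys, ou_count = {}, 0
    for attr_type, value in parse_dn(subject_dn):
        if attr_type == "OU":
            ou_count += 1
            keys[f"Organizational Unit:{ou_count}"] = value
        elif attr_type in KEY_NAMES:
            keys[KEY_NAMES[attr_type]] = value
    if rfc822_name:
        # The RFC 822 name comes from the certificate's subject alternative name.
        keys["RFC 822 Name"] = rfc822_name
    return keys


def lookup_value(subject_dn, rfc822_name, search_key):
    """Value the directory search would use for one configured search key, or None."""
    return certificate_keys(subject_dn, rfc822_name).get(search_key)


if __name__ == "__main__":
    for key, value in certificate_keys(SUBJECT_DN, RFC822_NAME).items():
        print(f"{key:22} {value}")
```

A search key that is unique per user (here the Common Name or the RFC 822 Name) is what you want configured; Country or Organization alone would match every record in the directory.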
Chapter 3  Using Smart Cards

Follow the instructions in this chapter to learn how to use smart cards in Mac OS X v10.4 Tiger or later and how to manage authorization.
Viewing Smart Card Information in Keychain Access

Smart cards are displayed in Keychain Access as keychains in the Keychain list. With Keychain Access you can view and manage authorization information related to your smart card.

To view smart card information:
1 Open Keychain Access, located in the Utilities folder in the Applications folder.
2 Select the smart card keychain in the Keychains list (click Show Keychains if the list is not open).
For more information about security configurations, visit these websites:
• NSA security configuration guides at www.nsa.gov/snac/
• NIST Security Configuration Checklists Repository at checklists.nist.gov/repository/category