[Pki-users] US Government SmartCard question

John Magne jmagne at redhat.com
Fri May 1 21:01:30 UTC 2015


Bryce:

We would most welcome a chance to try a dummy card.
I think we should copy Bob first to make sure there is not something
obviously wrong on the coolkey end.



----- Original Message -----
> From: "Bryce L Nordgren -FS" <bnordgren at fs.fed.us>
> To: "John Magne" <jmagne at redhat.com>, rrelyea at redhat.com
> Cc: pki-users at redhat.com
> Sent: Friday, May 1, 2015 12:26:12 PM
> Subject: RE: [Pki-users] US Government SmartCard question
> 
> Jack,
> 
> I don't know the process or if it's possible yet, but would it help if I
> could get you guys a dummy LincPass (USDA-issued PIV smart card) with a
> throwaway PIN to debug with? I've often found that eliminating ignorant
> middlemen (me) speeds solutions along.
> 
> Ideally, the card would be usable for console logins as well as our public
> facing SAML IdP [1]. Is there an extra step to making the card usable with a
> browser or would a coolkey fix apply to both pam_pkcs11 and the browser?
> 
> Thanks,
> Bryce
> 
> [1] https://www.eauth.usda.gov/Login/login.aspx
> 
> > -----Original Message-----
> > From: John Magne [mailto:jmagne at redhat.com]
> > Sent: Friday, May 01, 2015 12:34 PM
> > To: Nordgren, Bryce L -FS
> > Cc: pki-users at redhat.com
> > Subject: Re: [Pki-users] US Government SmartCard question
> > 
> > Bryce:
> > 
> > Yes, that helps.
> > I can take a look at the code when I get a moment.
> > Also we might bring in Bob Relyea rrelyea at redhat.com since he is the
> > coolkey and coolkey/CAC guru.
> > 
> > 
> > ----- Original Message -----
> > From: "Bryce L Nordgren -FS" <bnordgren at fs.fed.us>
> > To: "John Magne" <jmagne at redhat.com>
> > Cc: pki-users at redhat.com
> > Sent: Friday, May 1, 2015 11:13:01 AM
> > Subject: RE: [Pki-users] US Government SmartCard question
> > 
> > Hi Jack,
> > 
> > I wasn't quite sure how to capture an insertion event with pkcs11_inspect. It
> > seems to fail right away if nothing's in the reader. So I ran
> > "pkcs11_eventmgr debug nodaemon" in the terminal that had the
> > COOL_KEY_LOG_FILE variable set. I also ran a pkcs11_inspect with a card
> > already inserted. Log files for both runs are attached.
> > 
> > It's not super verbose, but the root cause seems to be "CAC Select failed".
> > 
> > Does this shed any light on the problem?
> > 
> > Thanks,
> > Bryce
> 



