Before you can use cac-agent
, you may need to setup your machine to use a CAC (or smart) card.
If you already have your CAC card working with Firefox, then you can skip this section.
These are links from DISA that helped with Firefox:
This is a link from Ubuntu that helped with Chrome:
- Stable in firefox/chrome (unlike OpenSC)
- Works with all government-issued CACs we've tried
- Doesn't work with any retail CACs we've tried (PIVkey, Yubikey, etc)
- Stable in firefox/chrome
- Works with Gemalto and Yubikey.
- For Ubuntu 18, you may need to force it to use
libcrypto.so -> libcrypto.so.1.0.0
instead oflibcrypto.so.1.1.0
- Expected to be the future of CAC support for RHEL
- Available on Windows too
- Unstable in firefox/chrome, but generally stable with command line tools
- Works with all government-issued and retail CACs we've tried
NOTE: You can install both middle-wares and selectively use as desired.
Install "pcsc":
sudo apt-get install pcscd pcsc-tools coolkey
Then install one or both of the middleware libraries:
sudo apt-get install coolkey
sudo apt-get install opensc
You can verify that your CAC read is working by lauching:
pcsc_scan
... and watching for activity as you insert/remove your CAC.
While coolkey used to work without problems (from /usr/lib/pkcs11/libcoolkeypk11.so
), it recently started failing
(same OS--still Ubuntu 16.04). The workaround is to add a symlink from a lib64
path:
sudo ln -s /usr/lib/pkcs11/libcoolkeypk11.so /usr/lib64/pkcs11/libcoolkeypk11.so
No telling how this will change in the future, so you probably want to skip this step and come back if things fail.
To add a smart card device to Firefox:
- Click the main button, then "Preferences"
- Search for "Devices", click "Security Devices..." button
- Click the "Load" button
- Set the "Module Name" (
Coolkey
orOpenSC
works nicely) - Set "Module filename" to...
- (for original coolkey):
/usr/lib/pkcs11/libcoolkeypk11.so
- (for coolkey with 64-bit fix):
/usr/lib64/pkcs11/libcoolkeypk11.so
- (for opensc):
/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
- (for original coolkey):
- Set the "Module Name" (
Chrome uses NSS for security devices. By configuring NSS, we're actually enabling CAC support in other Ubuntu subsystems as well.
Install NSS modules:
sudo apt-get install libnss3-tools
Move to home directory:
cd ~/
Install the middleware library as a security device provider:
- (for original coolkey):
modutil -dbdir sql:.pki/nssdb/ -add "CAC Module" -libfile /usr/lib/pkcs11/libcoolkeypk11.so
- (for coolkey with 64-bit fix):
modutil -dbdir sql:.pki/nssdb/ -add "CAC Module" -libfile /usr/lib64/pkcs11/libcoolkeypk11.so
- (for opensc):
modutil -dbdir sql:.pki/nssdb/ -add "CAC Module" -libfile /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
Verify the module was added:
modutil -dbdir sql:.pki/nssdb/ -list
Some devices may need the slot defined. For example, Yubikey's may need to use slotListIndex=1
library=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
name="Yubikey"
slotListIndex=1
Note that multiple slots are now supported. See Configuring Support for Multiple Slots
in Configure-cac-agent-for-Linux.