Open dba02996tt opened 8 years ago
@dba02996tt, there is a more detailed log found in the Mac GSA Signing Tool Application. Will you please post it so we can take a look at what is happening?
Please follow the steps below to navigate to the log file --- FYI, no confidential info should be present in the log file --- feel free to scan it first if you'd like to verify.
Also, do you have any other card readers you can test with? So far we are only aware of the Dell keyboard/smart card reader combo that doesn't seem to work with the GSA Signing Tool.
Thanks - will get this information tomorrow (client is not in the office today) and send along. I have tested on 3 different HID Omnikey card readers but they are all model 3021.
@dba02996tt just following up to see if you were able to get the log file or try a different reader?
Hi Jordan,
Finally was able to see the user, and the log file is attached. It was the only log file present from 2016, the next most recent log file was for 5-4-2015 (I didn’t work here then). I pasted the log text below:
Jun 22, 2016 11:50:45 AM pkcs7.signing.tool.Gui main
INFO: Launching the PKCS#7 Signing Tool Application...
Jun 22, 2016 11:51:31 AM pkcs7.signing.tool.SigningTool
@dba02996tt Hmm... I am thinking it may be a driver issue as there are no errors showing in the log you pasted above. The tool relies on an open source driver called OpenSC for communicating to the reader. It is possible the OpenSC driver doesn't support this version of the HID reader. I will see if I can get my hands on the same reader and troubleshoot from there. In the meantime, if you also get your hands on a different reader model, it would be good to test and see if it has the same issues.
Hi Jordan,
We may have 1 other card reader around – I will check. The potential problem is that Mac users now must use their PIV cards to log in to their computers, and having more than one card reader/driver set up on the machine caused problems during testing. We had to uninstall the ActivClient driver in order for the HID Omnikey reader to work properly. I could ask the client if he would be ok using a different card reader but then he would be in a 1-off situation that might cause help desk delays if he has an issue.
David
@dba02996tt Have you tested this on a Mac as well as a PC? Just curious if the results are the same on a Mac. I'm still getting my hands on a HID reader to test.
Hi Jordan – no issues on PC – just Macs.
Hi Jordan,
Would it be worth a shot to replace the ActivClient tokend file back on his system? That should not cause any conflicts with our Mac PIV implementation. We had to uninstall the ActivClient driver due to Mac PIV mandate which also removed the tokend file.
David
@dba02996tt
Yes, I would try adding the tokend file back to the original location and see if that helps, as long as you're not conflicting with any policy : ) I assume the HID reader probably won't even register you added the tokend file back and still use the HID driver. It's worth a shot though.
Can you please send me the name of the tokend file as I know there are various versions of the tokend file on Macs.
FYI, for a similar issue we had with the Dell Keyboard/Smart Card Reader combo device that wasn't working with the GSA Signing Tool on PCs, we had to remove the Dell driver from the system and select the reader to use the Windows default driver for smart cards.
Just tested…adding the ActivClient tokend file back to my Mac fixed it, now need to go to the user’s Mac and confirm it also fixes it there.
The tokend file is ac.ac4mac.tokend and when I added it back to root/Library/Security/tokend the signing tool started to work on my laptop.
David
Great news!
A few questions, just out of curiosity: is the HID reader driver in the same location "root/Library/Security/tokend"? I believe you also use the HID reader for logging into your system. Now that you've added the ac.ac4mac.tokend file back, are you able to login to your Mac successfully? Lastly, did you need to delete the ac.ac4mac.tokend file, previously, due to the Mandate you mentioned earlier or was it causing issues having both the tokend and HID driver installed?
Hi Jordan:
Is the HID reader driver in the same location "root/Library/Security/tokend"? -No, it installs at the root of volume
Now that you've added the ac.ac4mac.tokend file back, are you able to login to your Mac successfully? -Yes, what I had to do was 1) temporarily install the ActivClient card reader driver, 2) grab the “ac.ac4mac.tokend” file and copy it to Desktop, 3) uninstall ActivClient driver, 4) replace the “ac.ac4mac.tokend” in root/Library/Security/tokend or root/System/Library/Security/tokend (depending on version of Mac OS).
Did you need to delete the ac.ac4mac.tokend file, previously, due to the Mandate you mentioned earlier or was it causing issues having both the tokend and HID driver installed? -This file was automatically removed during ActivClient uninstall process that we had to do as part of Mac PIV mandate and switching over to the HID Omnikey card readers – we utilized the uninstaller included in the ActivClient software.
David
We had an org-wide mandate to enable our Macs to use smart cards for logging in and application authentication. The mandate required us to change card readers, and remove the ActivClient driver and install HID OmniKey 3021 driver. The GSA signing tool stopped working when we made this change. The log displayed by GUI hangs at 40% complete while showing the card reader make/model. See screen shot. IMG_5188.pdf