Oct 06

Setting up Safari for CAC login to DOD websites

Apple, DOD

 

Issue: Setting up CAC logon to DOD websites with OS X 10.5.x release.  

Solution: 

1) Quit Safari completely.

2) Insert card and open Keychain Access.

3) Select the CAC keychain.

4) Select “My Certificates” from “Category” on the sidebar.

5) Right-click the certificate you need to authenticate with (usually the Identity or Email Signing cert) and select “New Identity Preference”. You can use the triangle next to the certificate to expand it and view its type.

6) Enter the URL for the site. (** Make sure you add the “/” at the end of the URL.)

NOTES:

Which certificate to select in step 5 above (Identity or Email Signing) may be determined by the website. If the first certificate selected does not work, select the other one and try to access the website again.

The identity preference can be picky about the URL used; a few examples are listed below. If you find a site that has an issue, please notify the AGM Help Desk at agm.support@us.army.mil. We will build a list of sites with known issues as they are reported.

Site – AKO

Certificate – Identity

ID Pref URL - https://akocac.us.army.mil/

Site – JTF-GNO

Certificate – Email signing

ID Pref URL - https://www.jtfgno.mil
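The same binding can be made from Terminal, which helps when several Macs need it. This is an added example, not part of the original post: it assumes the `security` tool on the Mac provides the `set-identity-preference` and `get-identity-preference` subcommands, the helper names `idpref_url` and `set_idpref` are hypothetical, and the certificate common name is a placeholder for the one shown in Keychain Access.

```shell
#!/bin/sh
# Added example: scripted form of steps 5-6 (helper names are hypothetical).

# Apply the step 6 rule: a host-only https:// URL gets a trailing "/";
# a URL that already carries a path is returned unchanged.
idpref_url() {
    case "$1" in
        https://?*) ;;
        *) echo "idpref_url: expected an https:// URL, got '$1'" >&2; return 1 ;;
    esac
    case "${1#https://}" in
        */*) printf '%s\n' "$1" ;;      # already has a path component
        *)   printf '%s/\n' "$1" ;;     # host only: append the slash
    esac
}

# Bind a certificate to a site, then read the preference back to confirm it.
#   $1 = certificate common name as shown in Keychain Access
#   $2 = site URL
# With DRY_RUN=1 the command is only printed, so it can be reviewed first.
set_idpref() {
    cn=$1
    svc=$(idpref_url "$2") || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf "security set-identity-preference -c '%s' -s '%s'\n" "$cn" "$svc"
        return 0
    fi
    command -v security >/dev/null 2>&1 || {
        echo "set_idpref: 'security' not found; run this on the Mac" >&2
        return 1
    }
    security set-identity-preference -c "$cn" -s "$svc" &&
        security get-identity-preference -s "$svc"
}

# Constructed sample: placeholder certificate name, AKO URL from the examples above.
( DRY_RUN=1; set_idpref "LAST.FIRST.MIDDLE.0000000000" "https://akocac.us.army.mil" )
```

Insert the card before running it without DRY_RUN so the CAC certificates are visible to the keychain; if the read-back shows the wrong certificate, repeat with the other certificate's common name as described in the notes.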

 

Apple Knowledge Base Article: HT1679
Last Modified: June 30, 2008

 

written by admin


27 Responses to “Setting up Safari for CAC login to DOD websites”

  1. AppleMacGenius Says:

    For Snow Leopard (10.6) now go in to Keychain Access and just put the following:

    https://*.us.army.mil or https://*.army.mil

  2. disabledarmyvet Says:

    Hopefully someone will help. I followed the instructions as listed above – it still doesn’t work. The CAC reader, a SCR331, just sits there and blinks when the card is inserted. It’s like it is waiting on OS X to do something – help! I am on a MacBook, 13.3″, OS X 10.5.8.

  3. AppleMacGenius Says:

    Did you also try the first comment? I believe in 10.5.8 you can actually do:

    https://*.us.army.mil or https://*.army.mil

    Also make sure you are selecting the correct certification. Also, what DOD website are you trying to make an identity preference for?

  4. disabledarmyvet Says:

    I tried your last suggestion – it didn’t work. The reader’s access light blinks constantly when the card is inserted into the reader. However, the reader works according to all of the Mac’s built-in diagnostics. When I remove the card, the light goes to a steady state and the CAC certificates disappear from the keychain access – I think the reader is ok, just a communication problem between OS X and the reader.

    I have a document that was written at the Naval Postgraduate school, “CAC for Mac”. I have noticed that X509 shows up in there – Go|Utilities|Keychain Access. Then Edit|Keychain list. Click show and switch to Mac OS X (System)

    As for your last question, I am trying the AKO website – as a medically retired US Army vet/ Department of the AF employee I have an account. After I get the AKO working, I need to get on the AF Portal – sister to the AKO. Finally, I am doing an Online Master’s program through the AF’s Air University. They are moving to CAC access in the future. I need to get my Macs working with the Card.

    One last thing, I have a 20″ iMac running OS X 10.4.11. The reader blinks on that Mac as well. I called SCM but since I could flash the reader to 5.25, we agreed there was nothing wrong. He gave me this link.

    Thanks for your help.

  5. disabledarmyvet Says:

    Try this link http://www.army.mil/AKO/info/guides/CACconfig/setup/index.html This says the same thing as CAC for Mac. The thing dealing with X509 certificates shows up close to the bottom of page 2. I think that is my problem.

  6. AppleMacGenius Says:

    10.4 won’t really work. What is the type of card that you have? It should say on the back, for example mine says GEMAL. I know there is an outstanding issue with CAC2 CACs. Also, go to keychain and make sure your cert. on your CAC are Valid, if it doesn’t say valid you might not have the cert installed.

  7. AppleMacGenius Says:

    I also got another type of card reader. I got tired of dealing with the stupid firmware issues… Mine is from GEMPlus. http://bit.ly/aonUg

  8. AppleMacGenius Says:

    I meant GEMP Twin

  9. disabledarmyvet Says:

    The certs are valid, I just had to renew the card in April.

    Mine also says GEMAL. I’m beginning to think that this is the reason why SCR331s are cheap. However, they are the standard at work. The card you linked to – do they do government-issued CAC cards? I did not see that information on the page.

  10. AppleMacGenius Says:

    They do.. I have 2 of these card readers. As long as it follows the CCID standard it will work on a Mac. Actually my friend at Apple that does the Security suggested this reader.

  11. disabledarmyvet Says:

    Great, that’s all I needed to hear. If an Apple employee recommends, then it must be ok. I will order and comment after it comes.

    Thanx!

  12. disabledarmyvet Says:

    Hey Apple MacGenius:

    Where did you get your card reader? I tried USA Smartcards.com but no one is there.

  13. AppleMacGenius Says:

    You can try these places:

    http://www.howardcomputers.com/accessories/detail.cfm?source=googlebase&id=S4872448
    http://cgi.ebay.com/GEM-PC-TWIN-SMART-CARD-READER-USB-%1a-NIB!_W0QQitemZ320427745749QQcmdZViewItem?rvr_id=&itemid=320427745749

    Also try to google search for “GemPC Twin Smart Card Reader”

  14. disabledarmyvet Says:

    AppleMacGenius:

    I received my GEMP Twin card reader a couple weeks ago. When I connected it to my MacBook, it flashed the LED until I put my CAC in then it glowed steady. I couldn’t get it to work. I thought I would wait until I had more time.

    I hooked it up tonight and it flashed as before; however, when I put my CAC in, it still flashed the LED. Additionally for step 3 in the above process I won’t read the CAC.

    Any ideas?

  15. Bucks1 Says:

    I know that my CAC reader is working, however, I can’t access the DoD website (JFCOM). Also, how do you get Safari to work with Outlook Web mail? Thanks

  16. AppleMacGenius Says:

    What type CAC do you have? Look on the back, if it says GEMALTO TOPDLGX4 144, this could be why. These are new CACs that are not yet supported by Apple. They are working on a fix, keep looking at http://smartcardservices.macosforge.org/. Outlook mail or OWA as it’s referred to works, you just need to add the IDPref to your keychain, but you will also have to see if your company has your CAC registered into their system. Are you Military, Contractor, etc… using AKO Mail or BetaMail?

  17. Bucks1 Says:

    The CAC is Oberthur ID one V5.2a Dual. I get the flashing lights and the certificates. I work as a contractor on the DoD JFCOM network…the mail is OWA via PKI. thanks

  18. AppleMacGenius Says:

    This build supports the Gemalto TOPDLGX4 144 cards, but does not yet support the Oberthur ID One 128 v5.5 Dual cards. Subsequent builds will provide support needed for the Oberthur card. If you attempt to access this newer Oberthur card, it will be picked up by the original CAC.tokend and will show no certs/keys within Keychain Access, indicating a lack of support.

    http://smartcardservices.macosforge.org/trac/wiki/installers

  19. AppleMacGenius Says:

    MacOS 10.6.x update to IDPref: WARNING BETA PRODUCT NO APPLECARE SUPPORT

    1. Download **UPDATE** CAC-NG Tokend (BETA v0.91) for Mac OS X 10.6
    link: http://smartcardservices.macosforge.org/post/update-cac-ng-tokend-beta-v091-for-mac-os-x-106/

    2. Add IDPref to Keychain [ *.army.mil ] NO http or https

  20. disabledarmyvet Says:

    Hey AppleMacGenius dude:

    I finally got the CAC card stuff to work – I can access AKO and the AF Portal via my CAC card. I kept saying something was missing – it was the X509 anchors. I couldn’t find them anywhere in my installation of 10.5.8. By chance, my son’s iPhone wasn’t working so we went to the Apple store. I happened to pick up a copy of 10.6.3 to upgrade from 10.5. It had the anchors so I installed them into the keychain, then followed the above directions. It works like a champ!

    Also I am using the SCR 331. The Mac won’t recognize the GEM. I think it is bad – an out of box failure…

  21. cdholt1 Says:

    I have 2 Macs and am having similar issues on each. Both are Intel-based Macs, one running OS 10.5.8, the other running OS 10.6.3. I have a SCR 331 CAC reader with ver 5.18 firmware on it and the newer GEMALTO TOPDLGX4 CAC. I am trying to access the Navy’s OWA using either https://webmail.east.nmci.navy.mil/ or https://*.navy.mil/ with no luck. The first 20 times I attempted to log on, Safari asked me which certificate I wanted to use, I was successful 1 time in logging in using my Mac. The subsequent 50 tries on BOTH computers haven’t even given me a chance to choose a certificate, Safari simply says “The page cannot be displayed…” I successfully added the new Beta token.nd from Shawn Geddis’ website for the Gemalto card. The CAC shows up on Keychain access and I have deleted the login certificate associations and then re-added the “new identity preference” in the keychain.

    Any way anyone can help?

  22. AppleMacGenius Says:

    Try going to http://smartcardservices.macosforge.org/ and get the new CAC-NG driver version v0.95 (10.6.x only)

  23. mjhewlett Says:

    I’m trying to set up a PowerBook G4, running 10.5.8, to recognize a CAC. I’ve successfully upgraded the firmware on the card reader (the SCR331 is now 5.25). After downloading and installing the Beta token.nd, I can use a different computer (an Intel Mac running Snow Leopard) and open the CAC with Keychain Access. However, the Beta token.nd for Leopard is only for Intel Macs. Is there one for PPCs? Where might I find that?

    Thanks,

    Marty Hewlett

  24. AppleMacGenius Says:

    Sorry, Intel only.

  25. mjhewlett Says:

    Thanks for the information. Is there any way of contacting the guys at Mac OS Forge? I have their names (Shawn Geddis, for instance), but I can’t find emails.

    Thanks again,

    Marty Hewlett

  26. muffinmedic Says:

    The url I used in Keychain was “akocac.us.army.mil”. My login worked after that.

    I have a SCR3310, using a GEMALTO ACCESS 64KV2 CAC. I used “CAC-NG (BETA v0.95) Snow Leopard” from http://smartcardservices.macosforge.org/trac/wiki/installers

    I hope this helps everyone.

  27. muffinmedic Says:

    After I got this to work in Safari, I found that it worked in Google Chrome as well.
