Centrify Express Smart Card

ActivClient for Mac | CACKey | Centrify Express | CSSI | High Sierra built in Smart Card ability | Mojave built in Smart Card ability | OpenSC | PKard | Sierra built in Smart Card ability | Smart Card Services / Files to manually remove | How to Unpair your smart card

Click the word GO at the top of your main desktop, select Computer

Card

STANLEY GLOBAL SGT118X. The SGT118X Smart Badge combines a rugged wearable ID Badge Holder with an integrated CAC Smart Card Reader. It is TAA compliant and FIPS 201-2 approved. The smart looking badge holder includes a basic OSHA compliant lanyard or use your own lanyard or fastener. Perfect for corporate users, government workers, health care. Centrify Express Quick Start. Smart card support. For Mac OS X and Red Hat users, the ability to use PIV or CAC smart cards for authentication and single sign-on.

If you don't see the word GO, click Finder (2 little faces) in the bottom left corner of screen

Go to:

Hard disk / Library /

Delete 'CACKey' folder

Also follow this section to remove .tokend files

Run in Terminal.app:

sudo /usr/local/bin/opensc-uninstall

or

Go to:

Card

Hard disk / Library /

Delete 'OpenSC' folder

Go to: Hard disk / Library / LaunchAgents /

Delete 'opensc-notify.plist'

Also follow this section to remove .tokend files

Go to:

Hard disk / Library / Application Support /

Delete 'CSSi' folder

Also follow this section to remove .tokend files

Go to:

Hard disk / Library / Application Support / PKard

Run the PKard Uninstall program, select 'Uninstall PKard'

Click 'Uninstall'

You also need to modify a system file that Thursby changed. This does not happen automatically when running the Uninstall option listed above.

1. Remove your CAC from the reader

2. Open Terminal, by typing Terminal in the spotlight search

3. Copy the entire command below [starting with sudo, and ending with ~/] and paste it into the terminal window (or manually retype it)

sudo mv /Library/Preferences/com.apple.security.smartcard.plist ~/.Trash/

4. When prompted for your computer password, know that the cursor will not move, type it in, and hit enter to process.

5. Logout of Terminal,

6. Restart computer

Information provided from: https://www.thursby.com/forum/viewtopic.php?t=3394

Also follow this section to remove .tokend files

.

Go to:

Hard disk / Applications / Utilities / Centrify /

Double click: SmartCardTool or SmartCardAssist

Select 'Uninstall' from the Centrify Express for Smart Card window

Also follow this section to remove .tokend files

.

How to Remove ActivClient for Mac

Go to:

Hard disk / Applications / Utilities

Double click: ActivID ActivClient for Mac Uninstaller

Select 'Uninstall' from the ActivID ActivClient for Mac Uninstaller screen

ActivClient for Mac users must also remove the 'acpkcs220.dylib' file

Mac OS X 10.5.x - Mac OS X 10.10.x, 10.11.x - 11.x.x users look below

Go to:

Hard disk / System / Library / Security / tokend /

Delete 'BELPIC.tokend', 'CAC.tokend', 'CACNG.tokend', 'CSSI.tokend', 'OpenSC.tokend', 'JPKI.tokend', 'ac.ac4mac.token', 'PIV.tokend', and / or 'PKCS11.tokend' files

Sometimes a few other files need to be removed, they are found in:

Hard disk / System / Library / Security / tokend /uiplugins /

Delete 'BELPICViewerPlugin.bundle', 'CACViewerPlugin.bundle', and / or 'PIVViewerPlugin.bundle' files

NOTE: If you can't delete them, skip them and follow next step.

Mac OS X 10.11.x through 11.x.x systems

Go to:

Hard disk / Library / Security / tokend /

Delete 'BELPIC.tokend', 'CAC.tokend', 'CACNG.tokend', 'CSSI.tokend', 'OpenSC.tokend', 'JPKI.tokend', 'PIV.tokend', and / or 'PKCS11.tokend' files

Go to:

Hard disk / Library / Frameworks / ac.ac4mac.pkcs11.framework / Versions / Current / Libraries/

Delete 'acpkcs220.dylib'

DO NOT DISABLE on 10.15.x or 11.x.x, there is NO alternative

NOTE: Mojave, High Sierra, and Sierra have a 'built in Smart Card ability' that works for 'some' people 'some' of the time. To use your CAC 'more consistently' I recommend you install a 3rd party CAC enabler, such as CACKey or PKard. This section shows you how to disable the built in smart card ability found on Mojave, High Sierra, and Sierra.


NOTE2: Doing this will remove the ability to login to your computer with your CAC, and will require you to install a 3rd party CAC enabler such as CACKey or PKard.

1. Remove your CAC from the reader

2. Open Terminal, by typing Terminal in the spotlight search

3. Copy the command below [starting with sudo, and ending with pivtoken] and paste it into the terminal window (or manually retype it)

sudo defaults write /Library/Preferences/com.apple.security.smartcard DisabledTokens -array com.apple.CryptoTokenKit.pivtoken

3a. I recommend you run this command twice.

4. When prompted for your computer password, know that the cursor will not move, type it in, and hit enter to process.

5. After that it should be disabled. Logout of Terminal, restart computer, and try again

NOTE3: If you have recently updated to Mac OS Catalina (10.15.x) or Mac OS Big Sur (11.00.x), you need to re-enable the built in Smart Card ability after removing all installed enablers listed above:

1. Remove your CAC from the reader

2. Open Terminal, by typing Terminal in the spotlight search

3. Copy the entire command below [starting with sudo, and ending with pivtoken] and paste it into the terminal window (or manually retype it)

sudo defaults write /Library/Preferences/com.apple.security.smartcard DisabledTokens -array && sudo defaults write /Library/Preferences/com.apple.security.smartcard EnabledTokens -array com.apple.CryptoTokenKit.pivtoken

3a. I recommend you run this command twice.

4. When prompted for your computer password, know that the cursor will not move, type it in, and hit enter to process.

5. After performing these steps, the built in smart card ability should be enabled.

6. Logout of Terminal,

7. Restart computer

8. When prompted to Pair your Smart Card with your computer, you can select Pair, or Cancel. If you elect to pair, you will have an additional option to utilize your CAC and PIN to access your computer [when the CAC is in the reader]. If the CAC is not in the reader, you can still use your fingerprint, or username/password option.

How to UNPAIR your smart card

1. Remove your CAC from the reader

2. Open Terminal, by typing Terminal in the spotlight search.

3. Type: sc_auth list

4. Copy the hash, which will be 40 characters comprising of numbers and letters, paste it in place of the [hash] in the command below

5. Type: sc_auth unpair -h [hash]

Instructions found at: https://support.yubico.com/support/solutions/articles/15000006468-using-your-yubikey-as-a-smart-card-in-macos

20 Oct 2014 Using PIV smart cards with Mac OS X 10.10 Yosemite

Posted at 16:06h in Employee Posts, Tech Notes11 Comments

Using PIV smart cards for HHS VPN login with Mac OS X 10.10 Yosemite

Note: This entire post is basically google search bait designed to (hopefully) allow others struggling with the same issues to save a bit of time. Hope it helps!


October 30, 2014 Update

There is an active Citrix support thread on the “no valid certificates found” issue. If this is bothering or interesting you, you may want to monitor this URL: http://discussions.citrix.com/topic/357156-no-certificate-found-at-windows-logon-screen-for-smartcard-authentication/

October 24, 2014 Update

The bulk of this post concerns the $29 Pkard product from Thursby which is the first I found with explicit OS X 10.10 support. I just had a chance to test the new Yosemite 10.10 compatible free SmartCard utility from Centrfy mentioned here: http://www.centrify.com/mac/smartcard/free-smart-card-for-federal-military-cac-piv.asp
. Long story short: It works to get past the VPN gateway but throws the same “no valid certificates found” error when trying to login to the Windows desktop via a Citrix Receiver client. Still no idea why this is happening – on other versions of OS X my smart card credentials transparently passed onto the OS. Still – consider the Centrify software if you don’t want to spend $29.

Short Summary

I need to use a HHS PIV card to remotely access computer systems from a brand new Macbook air running OS X 10.10 Yosemite. As of the time I wrote this article, the state of freely available open source software for PIV smart card support on Yosemite is pretty lacking. This will change but if you are in a hurry (as I was) the best thing you can do in the short term is pay $29.95 for the Thursby PKard software from http://www.thursby.com/products/pkard-mac — it installed seamlessly and allowed me to login via VPN although for some reason my certificates were not passed on to the Windows remote desktop system, hopefully I don’t need the $179 “ADmitMac” product for that.

I expect the state of open source smart card and tokend implementations to get better and more easily usable on Yosemite so I may only be using the Thursday product for a short time. It did, however work fast and got me successfully logged onto the remote VPN server.

Current status: Thursby PKard software works well on Yosemite for VPN access but the Windows desktop I get sent to via a Citrix client reports “no valid certificates” and I’m forced to use my standard user login name and password to complete the final authentication. This was not something I needed to do on OS X 10.7 or 10.7 with the open source smart card software stack.

Background

I do some subcontracting work for a few US Government agencies, one of which requires me to be able to connect remotely to US.GOV networks and infrastructure. The way I connect is via a federal standard PIV Card which is a very cool physical badge that doubles as a holder of biometric and personal crypto certificate information. When I’m trying to physically enter a building the PIV card is my secure photo ID badge (with backup biometrics and fingerprints stored o it) — when I try to enter a US Government network “virtually” the same PIV card doubles as VPN access device because it contains a personal set of crypto keys that uniquely identify me. Two-factor authentication is achieved by having to punch in a PIN code when my certs are presented to the remote system. It’s a very slick and interesting system.

From what I can tell, PIV cards are very similar to the CAC cards carried by military members that are often required for secure web browsing and access to military resources In fact, when searching the internet for PIV assistance you will find that some of the best help resources are coming from the military CAC-user community. A perfect example of this is https://militarycac.com/macnotes.htm and https://militarycac.com/cacenablers.htm – the site that I turned to first when looking for OS X Yosemite PIV/smartcard status info.

My Gear

  • SCM SCR3500 Smart Card Reader – Amazon Link: http://amzn.com/B00434WQVU
  • Belkin flexible USB adapter – Amazon Link: http://amzn.com/B000BK107G
  • Macbook Air running OS X 10.10 Yosemite

Getting the PIV card to work on 10.10 Yosemite

Verify your reader works

Attach your reader, use the OS X “About this Mac” -> “System Report” function to verify that your computer and OS actually see and recognize a smart card device:

Buy and install the PKard software


Launch OS X Keychain Assistant

What you want to see is the certificates and credentials that are stored on the smart card. If your USB reader and the PKard software are working, Yosemite 10.10 can now “see” the crypto info stored on the PIV card

Fix the Trust Chain (If your PIV certificate is not trusted)

This may not be an issue for an upgraded system but on my brand new laptop my host OS was missing the intermediate certificate trust chain. Keychain Assistant helpfully throws up the red text saying: “This certificate was signed by an unknown authority

OS X Yosemite does not “trust” the Certificate Authorities that signed my PIV card certificates.

The solution is to go out and install the intermediate certificates necessary to build the full lenght trust chain.

The source of trust chain certificates almost certainly depends on what agency you work for or are trying to access. In my case I needed the US GOV Health and Human Services (HHS) intermediate certificates and the best online resource I found for HHS certificates needed for PIV cards is actually over on a NIH hosted site:

Centrify Express For Smart Card

I downloaded and installed the “HHS Entrust FPKI Certificate Chain” from the above website:


Installing the certificates results in a chain of trust that culminates with your personal PIV certificates being recognizes as trusted:

Now Test

At this point you have a recognized USB card reader, your personal PIV certificates are visible to Mac OS X and the trust chain is complete. This should be all you need to access or login to PIV-enabled websites.

Express

I removed screenshots showing the portal site I was logging into out of paranoia so I can’t show examples of successful logins. I’ll just show this OS X window which is the system prompt you get when your certificate is being used and the host OS wants to verify your PIN code as part of the two-factor authentication process.

If you see this, this is your PIN entry prompt and it means that stuff is generally working:

Remember that this is where your PIN goes, ignore the system text about “keychain password” …

Minor Issue

Using the steps outlined above I can successfully authenticate to the remote access environment I need to use on a daily basis. However, on my older laptop my PIV card credentials were transparently passed onto the Windows OS as well and I was not prompted for a second login.

That is not the case now. After getting past the VPN, the remote desktop session can’t see my PIV certificate and I have to fallback to using standard AD username and password. Not optimal but it works for my purposes.

Centrify Express For Smart Card

Longer term I want this issue to go away. I’m not sure if it’s a Citrix Receiver issue or perhaps this is a designed-in behavior of the Thursday software designed to upsell software that offers more functionality. I was willing to pay $29.99 for the functionality I needed and the software and documentation is great but I’m not going to shell out $179 for SSO access to a Windows Desktop.

I’m going to keep researching this and will keep an eye on the state of open source / free smart card services for Yosemite 10.10. Will update this post as needed.

ExpressRelated Posts
One of the most important capabilities in a scientific data ecosystem is a workflow management system. The tools in

16

16

2020-01-23 08:08:45
Centrify

Centrify Express For Smart Card

16

16

2011-04-19 15:47:43

Centrify Express For Mac Smart Card

16