Gemplus Card Reader Driver



Contents

  1. Basic PKI Authentication
  2. Applications
    1. Firefox
    2. Lock Gnome Screensaver on Card Removal
  3. Special considerations
  4. References

The Department of Defense (DoD) issues Common Access Cards (CACs) which are smart cards set up in a particular way. You can use these cards for Public Key Infrastructure (PKI) authentication and email. Overwhelmingly, the first thing most users need is PKI authentication.

Get a card reader

Obtain a compatible smart card reader. Known compatible readers are:

  • SCM Micro SCR3310 - Stand alone reader
  • O2 Micro OZ776 - Built-in laptop reader
  • Gemplus GemPC Card - PCMCIA card reader

  • ActivCard USB Reader 2.0 - Stand alone reader (outdated)

    • Note: Double check version number on bottom of device. You must flash the reader to the latest firmware. Currently, this must be done from a Windows machine.

Note: If you have trouble with your reader, review device compatibility.

Packages

You need middleware to access a smart card using the SCard API (PC/SC), and a PKCS#11 standard interface for smartcards connected to a PC/SC compliant reader. US government smartcards may also need support for the Government Smartcard Interoperability Specification (GSC-IS) v2.1 or newer. The pcsclite project provides the middleware layer. Ubuntu splits pcsclite into a few packages. As of this writing, the average user needs libpcsclite1 and pcscd. For the PKCS#11 interface, users can choose between coolkey and cackey. US Government users are probably better off with cackey instead of coolkey, so the coolkey package is omitted here. Since you're downloading packages, you may as well download pcsc-tools now too, as you'll want it soon enough, for testing.

Other items

You will need the DoD certificates.

You will almost certainly want the cackey package instead of coolkey. Even if you prefer Chrome for your primary browser, you will probably want the DoD Configuration extension for Firefox, if for no other reason than testing.

Forge.mil hosts both cackey and the DoD Configuration extension, but it presents a chicken and egg problem: you need CAC authentication to get the packages. The easiest thing to do is just download them all at work and figure out how to get them to your Ubuntu machine (thumb drive, Dropbox, etc). Here's your forge.mil shopping list:

  • the latest version of cackey

  • the latest version of the DoD Configuration extension for Firefox

I recommend stashing these two on Dropbox somewhere, just to make sure you have access to them later, when that thumb drive gets lost in your car seat and you want to set this up for your buddy on a Saturday, or something like that. Trust me. Just do it.

pcsc-tools

Yes, grasshopper, we know you want Firefox. We're getting there. First, it's prudent to make sure your card reader is talking to the operating system. The pcsc-tools package provides an especially handy utility, pcsc_scan, which can help verify that your CAC reader really is talking to the OS, regardless of what any application is telling you:

It should output something like this:

If you see this instead:

You probably did not update your firmware properly. See symbolik's instructions to see how to update your firmware.

Firefox

To set up Firefox to authenticate with sites via SSL/PKI, you must:

  • download the DoD Certificates so that you can verify the server, and
  • set up Firefox to read your client certificates from your CAC card.

As of Oneiric, running Firefox 9.0.1, the DoD Configuration extension (version 1.3.6) sets all this up for you, assuming your card reader is interacting with Ubuntu. The following directions are mainly preserved for folks running older versions. YMMV.

DoD Certificates in Firefox

The DoD has created a hierarchy of certificates. The top level certificate signs the intermediate certificate and the intermediate certificate signs the site's certificate in most cases. If you import and trust the top most certificate, it saves you from having to install and trust a significantly higher number of certificates.

The original way to install DoD root certificates, even on Windows XP, was to visit http://dodpki.c3pki.chamb.disa.mil/rootca.html and just click on each one to install.

You may also download the certificates and install each one using the following procedure.

  1. Preferences Menu

  2. Advanced Section

  3. Encryption Tab

  4. View Certificates Button

  5. Authorities Tab

  6. Import Button

Places to download the certificates are:

  • https://crl.chamb.disa.mil/

  • http://dodpki.c3pki.chamb.disa.mil/rootca.html

  • https://eportal.ctnosc.army.mil/ (must have Army Knowledge Online [AKO] account)

Firefox Client Certificate Setup

  1. Insert CAC into reader - the green light should flash.
  2. Add CAC Module to Firefox as a Security Device

    1. Preferences Menu

    2. Advanced Section

    3. Encryption Tab

    4. Security Devices Button

    5. Load Button

    6. Enter CAC Module as the module name, and browse to /usr/lib/pkcs11/libcoolkeypk11.so for the module filename (or /usr/bin/libcackey.so or /usr/lib/libcackey.so if using the CACKey custom PKCS#11 library available from cackey).

NOTE: If you are updating from an existing install, or are having issues getting Firefox to play nice when trying to log in with CAC, you may need to remove all existing libcoolkeypk11.so modules and start from the beginning. For example: $ sudo updatedb, $ locate libcool, and delete all modules found.

Testing Firefox

You can test Firefox by going to https://teamware.dt.navy.mil/ and clicking on New Account at the top. If it works, you should be prompted to enter your PIN and the site should say Your PKI Certificate has been detected.

Google Chrome/Chromium Setup

For SSL certificate management, Google Chrome on Linux uses NSS. No UI is provided to install PKCS11 modules. It is important to complete the initial steps above for the CAC reader and Firefox setup prior to Google Chrome setup.

1. Install NSS tools

Debian/Ubuntu:

2. Add the 'CAC Module' pkcs11 library

2b. Close Chrome

3. Make sure you are in your home directory and your CAC card is inserted. Open a terminal window and enter this:

4. Check if the library was successfully added

5. You should see something like this:

Listing of PKCS #11 Modules

6. Now you can start using your certs in Chrome.
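
One way to carry out steps 1 to 5, as an added example rather than the page's own commands: the script registers a PKCS#11 library in Chrome's NSS database with modutil and then checks, from the modutil -list output, that the module name points at the expected library and not at a stale one. The cackey path is one of those named in the Firefox section; the function names, the --apply switch and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the page's own commands. Assumes modutil from libnss3-tools
# (sudo apt-get install libnss3-tools), Chrome closed, and cackey at the path below.
NSSDB="sql:$HOME/.pki/nssdb"
MODULE_NAME="CAC Module"
MODULE_LIB="/usr/lib/libcackey.so"

# Print "name|library" for each module in `modutil -list` output read from stdin.
list_module_libs() {
    awk '
        /^[ \t]*[0-9]+\. / { name = $0; sub(/^[ \t]*[0-9]+\. /, "", name) }
        /library name:/    { lib = $0; sub(/^.*library name:[ \t]*/, "", lib)
                             print name "|" lib }
    '
}

# Succeed only if module $1 is registered with exactly library path $2.
module_registered() {
    list_module_libs | grep -Fxq "$1|$2"
}

# Constructed sample of `modutil -list` output for exercising the parser offline.
sample_listing() {
    cat <<'EOF'
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
     slots: 2 slots attached
    status: loaded

  2. CAC Module
    library name: /usr/lib/libcackey.so
     slots: 1 slot attached
    status: loaded
EOF
}

# Run for real with: sh add-cac-module.sh --apply
if [ "${1:-}" = "--apply" ]; then
    [ -f "$MODULE_LIB" ] || { echo "missing $MODULE_LIB" >&2; exit 1; }
    modutil -dbdir "$NSSDB" -add "$MODULE_NAME" -libfile "$MODULE_LIB"
    if modutil -dbdir "$NSSDB" -list | module_registered "$MODULE_NAME" "$MODULE_LIB"; then
        echo "registered: $MODULE_NAME -> $MODULE_LIB"
    else
        echo "$MODULE_NAME does not point at $MODULE_LIB in $NSSDB" >&2; exit 1
    fi
fi
```

A PKCS#11 module is native code loaded into the browser process, so the library check matters as much as the module name.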

Evolution

The Evolution email client does not currently have a means to configure the security device (CAC reader) through the GUI as does Firefox or Thunderbird.

However, there is a fairly simple (but obscure) workaround that can be executed from the command line. Mozilla's certificate database can be imported into Evolution by copying three files within a terminal window:

This appears to import all the DoD certificates and security devices (CAC reader) previously configured in Firefox as outlined in the above instructions. Look under the 'U.S. Government' heading to confirm ('Edit/Preferences.../Certificates/Authorities tab'). You'll need to select each individual certificate (i.e. 'DOD CA-11'), click the 'Edit' button, and then select the boxes for both trust to ID sites, and trust to ID email users. Do this for all the certificates under the U.S. Government heading. This step is tedious, but you'll only need to do it once.

Next, select the appropriate certificate for signing and encrypting email. From 'Edit/Preferences', click on 'Mail Accounts', select your previously configured AKO/DKO account (either POP or IMAP), click the 'Edit' button, and then the 'Security' tab. Under the 'Secure MIME (S/MIME)' heading, select both the signing and encryption certificates, and any of the option check boxes desired.

When composing a new message, pull down the 'Security' menu and select 'S/MIME Sign' and/or 'S/MIME Encrypt' as appropriate.

Please note the author of the above section has not yet fully tested this functionality, but initial testing was successful. Nevertheless, implement with caution.

Note: There is currently no way to authenticate to the Exchange server through Evolution with a CAC, and the above instructions are only to use the CAC for signing and encrypting the messages. This has been requested in Bug 253574 and may be implemented in version 2.23.x. The bug tracker has a patch for those wishing to recompile Evolution with untested code.

Machine and Screensaver login with CAC

With a little work you can also use your CAC card to log into Ubuntu or un-screenlock.

Note: If you are using cackey for CAC middleware, it's highly recommended to use cackey with CAC login. Using coolkey for login will most likely result in authentication conflict, resulting in CAC lockout.

Needed libraries:

Needed tools to build pam_pkcs11:

Get the latest version of pam_pkcs11 from https://github.com/OpenSC/pam_pkcs11.git and build pam_pkcs11:

Make sure that the directories /usr/lib/pam_pkcs11 and /usr/share/pam are present and populated.

Although the documentation states that make install should create a directory structure at /etc/pam_pkcs11, it doesn't seem to.

Create said directories:

Edit pam_pkcs11.conf for use with cackey:

Change the line that reads:

to be

Then directly after the aforementioned changed line:

Find and change the line:

to

Save. LDAP or other mappings will most likely be used in the future, but the above will work for now.

Information to unlock your system with your CAC can be obtained via the following:

Run:

Find where it says your name with the syntax LASTNAME.FIRSTNAME.MIDDLENAME.DODID and take note of it.

Open /etc/pam_pkcs11/subject_mapping:

Add the line:

Edit to allow your system to use CAC authentication for unlocking:

Add the line:

to the top of the following files:

If you want to have your system try to use CAC authentication for everything including ssh, su, sudo, etc, add the line to the top of /etc/pam.d/common-auth.

Try rebooting and logging in with your CAC card. At the username prompt I had to just hit enter, then it asked me for my CAC PIN.

One thing to note. If you are using a Windows virtual machine under VMware Player or Server with CAC authentication in the virtual machine - the virtual machine will tie up the reader so Ubuntu can't get access to it. You'll get errors like token unavailable.

Lock Gnome Screensaver on Card Removal

The package pcsc-tools includes the tool pcsc_scan. This command line application will print the insertion and removal of a Smart Card to the stdout. Using this information, a script can be written to recognize this change. The following script requires the package inotify-tools.

After saving this script, you need to update line 13. Run pcsc_scan and look for the line that says 'ATR: XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX'. This number is unique to your card. Update the XX's in the script with your unique line.

Make the script executable:

Add it to your Startup Applications.

This script will only unlock the screensaver if your CAC is inserted. However, if you do not desire the unlock behavior, simply comment out line 17: 'gnome-screensaver-command -d'.
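
The lock-on-removal behaviour described in this section, as an added example in shell (it is not the script the page refers to, so the line numbers above do not apply to it): it reads pcsc_scan output directly instead of using inotify-tools, locks when the card with the expected ATR is removed, and leaves out the unlock step. The function names, the --watch switch, the placeholder ATR and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the script the page refers to. EXPECTED_ATR is a placeholder:
# replace it with the bytes from the "ATR:" line pcsc_scan prints for your card.
EXPECTED_ATR="3B 00 00 00"

# Read pcsc_scan output on stdin and print one word per state change:
#   inserted = card with the expected ATR, foreign = any other card,
#   removed  = the expected card was taken out of the reader.
# An ATR usually identifies a card type rather than one individual card, so
# treat a match as a presence signal only, never as authentication.
classify_events() {
    esc=$(printf '\033')
    want=$(printf '%s' "$1" | tr -d ' ')
    present=0
    while IFS= read -r line; do
        case $line in
            *"ATR:"*)
                # Strip ANSI colour codes and whitespace before comparing.
                atr=$(printf '%s' "${line#*ATR:}" |
                      sed "s/${esc}\[[0-9;]*m//g" | tr -d ' \t\r')
                if [ "$atr" = "$want" ]; then present=1; echo inserted
                else present=0; echo foreign; fi ;;
            *"Card removed"*)
                if [ "$present" -eq 1 ]; then echo removed; fi
                present=0 ;;
        esac
    done
}

# Constructed pcsc_scan excerpt; the reader name and ATR bytes are made up.
sample_scan() {
    printf 'Reader 0: Example Reader 00 00\n'
    printf '  Card state: Card inserted, \n'
    printf '  ATR: \033[35m3B 11 22 33\033[0m\n'
    printf '  Card state: Card removed, \n'
    printf '  Card state: Card inserted, \n'
    printf '  ATR: 3B 99 88 77\n'
    printf '  Card state: Card removed, \n'
}

# Run for real with: sh cac-lock.sh --watch
if [ "${1:-}" = "--watch" ]; then
    # stdbuf asks pcsc_scan to line-buffer so a removal is seen immediately.
    stdbuf -oL pcsc_scan | classify_events "$EXPECTED_ATR" | while read -r ev; do
        if [ "$ev" = removed ]; then gnome-screensaver-command -l; fi
    done
fi
```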

Using CAs and CRLs

Surrender all hope, ye who enter here...

There seems to be a problem with pam_pkcs11 verifying the certificates with valid CAs and CRLs (the project has had little activity in the past few years.) For now, using the cert_policy = signature setting in pam_pkcs11.conf will work to log you in via CAC, but it won't actually be running checks to verify with the locally stored certificates.

If you want to experiment with getting certificates to work, use the CA and CRL instructions below as a starting point, and set cert_policy = ca in pam_pkcs11.conf.

CAs

With CAs, you're mostly on your own. You may be able to find what you need from here. If you get another X.509 format like .pfx, you can use openssl to change it to .pem.

Certificate Revocation Lists

ActivCard USB Reader v2.0

ActivCard USB Reader v2.0 P/N ZFG-9800-AD was flashed using the instructions at http://symbolik.wordpress.com/2007/02/26/scm-scr-331-usb-smartcard-reader-firmware-upgrade/. The rest of this guide was then followed without issue.

Gemplus GemPC Card (PCMCIA)

This card reader uses the ccid driver. Since it uses a serial port connection, you must tell pcscd where it is located. Before you begin, you need to install the software as shown in the next step. Once the apt-get procedure is completed, come back here to configure your reader.

First, determine the serial port on which it has loaded. Insert the card into the PC card slot and run dmesg in a terminal. You should get output similar to the following; note the tty.

Next, edit /etc/reader.conf.d/libccidtwin to add the following lines:

Then run sudo update-reader.conf, followed by sudo service pcscd restart. If everything worked correctly, you may proceed with the next step.

LPS

LPS-Public is a thin Linux LiveCD with a PIV/CAC-enabled Firefox browser that cannot mount the hard drive. It aims to open all DoD websites and OWA (webmail) clients. The developer at SAIC will roll custom versions on request; however, LPS is also very locked down. Experience suggests the typical user is far better off with Ubuntu (circa late 2011, early 2012).

Coolkey

Note that coolkey, a Red Hat project, does not always work on Ubuntu in a US government environment. One bug in coolkey can be tracked here.

You can get coolkey from Fedora's BuildSystem. It's an RPM. Just extract the lib folder and copy to /usr/, overwriting existing files. Follow this procedure:

  1. $ wget http://kojipkgs.fedoraproject.org/packages/coolkey/1.1.0/17.fc15/i686/coolkey-1.1.0-17.fc15.i686.rpm

  2. $ sudo apt-get install rpm2cpio

  3. $ rpm2cpio coolkey-1.1.0-17.fc15.i686.rpm | sudo cpio -idmv

  4. $ sudo rsync -va ./usr/lib/ /usr/lib/

OpenSC

In rare cases, you may be the first to use a new card. In the path to diagnosing that and pushing the information upstream, you may find the OpenSC project helpful.

Big thanks to symbolik and his article Using DoD CAC and smartcard Readers on Linux

Department of Defense PKI Management https://crl.chamb.disa.mil/

Naval Research Laboratory DoD PKI Notes and accompanying PDF

Relevant Discussion Threads

  • http://ubuntuforums.org/showthread.php?t=457084

  • http://ubuntuforums.org/showthread.php?t=294200

  • http://ubuntuforums.org/showthread.php?t=454234

  • http://ubuntuforums.org/showthread.php?t=1221961