
You can use your CAC with your [Snow Leopard (10.6.X)] Apple computer
Leopard Users, please use the Leopard page
NOTE: MAJ Chuck Wack is providing support to MAC users who are having problems. Please attempt what is on this page, and if you continue to have problems, use the contact at the bottom of this page. He is currently deployed, so a response may take a few days.
You may want to consider using Windows virtually with "Parallels" or the native Boot Camp (You WILL be able to use ApproveIt).
PureEdge is available through Grants.gov (you will need to tweak it to be able to use it on your Intel based Mac, AND you still CANNOT digitally sign forms without ApproveIt).
Article on how to utilize Windows on your MAC from Online Tech Tips.com
How to make a web server think you're using Internet Explorer
How to configure your Firefox on your MAC

If your new CAC [the one you were just issued] does not work, you may have received one of the new PIV II CACs. You can tell if yours is this type by looking on the back at the top for either of these: "Gemalto TOP DL GX4 144K" or "Oberthur ID One 128 v5.5 Dual." A possible fix for you is to download the updated TOKEND from MAC OS FORGE.org: download the CAC-NG (BETA v0.95).
INFORMATION: This build supports the Gemalto TOPDLGX4 144 cards, but does not yet support the Oberthur ID One 128 v5.5 Dual card. Subsequent builds will provide support needed for the Oberthur card. If you attempt to access this newer Oberthur card, it will be picked up by the original CAC.tokend and will show no certs/keys within Keychain Access, indicating a lack of support.

The following information is provided for your situational awareness while setting up the utilization of your CAC on your Mac. It is updated as additional information is available and your input is appreciated for solutions not outlined here. Installation instructions can be found below.
ActiveClient is a middleware program used by the DoD to facilitate the cross talk between Windows computers and your Common Access Card. It was offered for the “Tiger” release (MAC OS X 10.4.9) and is not compatible with Leopard or Snow Leopard (the current release of MAC OS X (10.6.X)). The program is available for purchase through the manufacturer, and is not available for download from DoD. The use of this program is not supported here for Apple operating systems, as it is not required for Leopard or Snow Leopard.
ADmitMac for CAC is another middleware program, created by Thursby Software, in use by the DoD on some NETCOM Apple Baseline images. This software allows easy configuration of systems for CAC only authentication and logon for systems being added to a DoD domain. This software is not required on non-DoD computers. It is available on a trial download basis from the manufacturer and is available for purchase at that location.
PureEdge is currently only available for Windows (except for the one available through Grants.gov). Windows users are now being migrated over to Lotus Forms Viewer.
Windows on your MAC: While you have made a conscious decision to “be a Mac,” the NETCOM Engineers have not, and therefore the easiest solution for some problems, such as ApproveIt and some websites, is to use Windows through a Virtual Machine, such as Parallels, VirtualBox, VMware, or through Apple’s native Boot Camp. This will require you to have a legal copy of Microsoft Windows. With these programs, you can install the ActiveClient, Lotus Forms, and ApproveIt software and also utilize all the DoD tools from your MAC. The benefit of the Virtual machines over Boot Camp is that they allow you to run Windows as an additional program (without restarting your computer) and keep OS X running the entire time.
NOTE: If you are having problems getting your CAC reader to be recognized in your virtual Windows when using VMware, go to the menu bar, select USB. Find your CAC reader and select it.
DTS (Defense Travel System) has been upgraded to a Java applet instead of the proprietary DBSign. This should allow you to use DTS from your MAC. Some 64 bit Snow Leopard users will need this patch. If the patch still does not work, try running your Safari in 32 bit mode. More information can be found on Gradkell's website.
NOTE: If you get a blank page after successfully logging into DTS when trying to navigate to your authorizations or vouchers, click the word Safari, select Security, uncheck the box for Block pop-up windows. Try it again now.
DCO (Defense Connect Online) works with your Snow Leopard MAC. The servers have been updated to work. Make sure you select the check box to Allow all applets from "www.dco.dod.mil" with this signature and select Allow. You "should" now see a Java based screen with logon / password, or CAC PIN. Select the CAC PIN option. I did not have to add this site to my keychain.
CAC Readers: With a variety of CAC readers available today there are also a variety of issues. The SCR series of CAC readers work very well. The SCR-331 reader may need a Firmware Update. See links to purchase CAC readers here. You will see a small note on some of the readers to show you how to make the reader compatible with your MAC.
Outlook Web Access Portals: The use of Outlook Web Access portals (OWA) on MAC currently has a known issue with timeouts. Be aware that when using OWA on your MAC, if you are inactive on the primary window, i.e. the inbox, while replying to an email, your browser may time out. On your Windows machine the client side software [ActiveClient] actively maintains communications with the server side CAC software and re-requests validation of your credentials. On your MAC this is not so: Safari will respond to a direct request for validation of your credentials, but it will not re-request that you verify as the server requires. Be sure to copy your work to the clipboard before selecting the Send button, as you will most likely have to restart Safari and log back in. The issue is being worked at this time and updates will be made available here when complete.
Internet Explorer Emulation: If you visit a website with your MAC that states it can only be accessed via Internet Explorer, or some web pages simply won't work while using your CAC with Safari, please try this: Make sure your MAC is updated (like step 1 & 2 below). Open Safari, click on the word Safari (in the bar at the top), select Preferences..., Advanced, click the Show Develop menu in menu bar box. Close the Advanced screen. Now when you need to emulate IE, click on the word Develop at the top, click User Agent, then select Internet Explorer 7 or 8. This was received from the Air Force IMA JAGs.
Air Force Users look here for some helpful information
Setting up your CAC for use on your Mac:
Step 1: Update your system. (10.6.4 is the latest for Snow Leopard)

Step 2: Plug in your CAC Reader to an available USB Port
Step 3: Click the Apple Icon in the upper left corner of your desktop and select "About This Mac"

Step 4: Click the "More Info" Button within the window that pops up. (This opens System Profiler)
Step 5: Within the "Hardware" Category select "USB." On the right side of the screen the window will display all hardware plugged into the USB ports on your Mac. You should see “Smart Card Reader.” If the Smart Card reader is present, it is installed on your system, and no further hardware changes are required, i.e. additional drivers / Firmware upgrades. You can now Quit System Profiler.

Step 6: From the Finder Menu: Click: Go, Utilities, click the little triangle to open it up, double click Keychain Access
NOTE: If you don't see Go, click the finder icon in your taskbar. It should show up now in the menu bar
Step 7: Insert your CAC into the CAC Reader. In the upper left portion of the Keychain Access window, under "Keychains" your CAC should show up (CAC XXXX-XXXX-XXXX-XXXX-XXXX), click it. In the right side you will see the certificates that are on your CAC. (If your CAC does not appear remove it from the reader and repeat).

Step 8: Double Click the "Padlock" icon in the upper left corner of the program window, which will prompt you for your CAC PIN. Enter your PIN and select OK to unlock your CAC.
NOTE: If your padlock will not unlock, and you have one of the new CACs, read above
Step 9: Select the desired certificate, which will show as: LASTNAME.FIRSTNAME.MIDDLENAME.NUMBERS on the right side of the screen. Right Click your mouse and select "New Identity Preference". If you don't have a two button mouse, hold the <ctrl> key and click your mouse to get the "New Identity Preference" option.
Step 10: Enter the URL / website (from the links below) for the appropriate website you wish to access using your CAC, select the appropriate certificate and click “Add”:
Step 10a: I was unable to save the email certificate for my OWA (it kept defaulting back to the non-email certificate)
Step 10b: I copied the email certificate(s) from the CAC...2-75E4 section.

Step 10c: I first verified it was the email certificate before pasting it into the login section

Step 10d: I pasted the above email certificate(s) into the login screen section of Keychain Access. I had 2 for some reason, so I copied and pasted both of them.

Step 11: Quit Keychain Access (and Applications (if it is still open)), remove your CAC from the reader, and re-insert it. Open Safari and begin navigating to your CAC enabled site.
Examples of URLs to add to your Keychain Access
NOTE: The slash at the end of the URL does make a difference
Army:
- AKO: https://akocac.us.army.mil/ (DOD CA-XX)
- AKO Webmail: https://wmcac.us.army.mil/ (DOD CA-XX)
- Fort Gordon OWA (NASE Email Access): https://rw3.army.mil/EXCHANGE (EMAIL CA-XX)
- Army Reserve OWA (USAR Email Access): https://owa.usar.army.mil (EMAIL CA-XX)
- US Army garrison Hawaii: https://owa.hawaii.army.mil/EXCHANGE (EMAIL CA-XX)
- Center for Army Lessons Learned (CALL): https://call3.leavenworth.army.mil (DOD CA-XX)
- CONUS AMEDD Exchange OWA: https://medmail-conus.amedd.army.mil/Exchange (EMAIL CA-XX)
- National Guard Knowledge Online: https://gkoportal.ngb.army.mil (DOD CA-XX)
- NORAD NORTHCOM CAC Registration Site: https://registration.noradnorthcom.mil/ (DOD CA-XX)
- NORAD NORTHCOM External Access Site: https://operations.noradnorthcom.mil (DOD CA-XX)
- Soldier Survey Site: https://fcportal.forscom.army.mil/ (EMAIL CA-XX)
Navy:
- Navy Knowledge Online (1 of 2): https://cac01.nko.navy.mil (DOD CA-XX)
- Navy Knowledge Online (2 of 2): https://cac01.nko.navy.mil:443/app1/index2.jsp (DOD CA-XX)
- Navy Webmail: https://webmail.nmci.navy.mil (DOD CA-XX)
- Reserve Portal: https://private.navyreserve.navy.mil/ (EMAIL CA-XX)
- NADSUSEA (Navy East OWA): https://webmail.east.nmci.navy.mil (EMAIL CA-XX)
- NADSUSWE (Navy West OWA): https://webmail.west.nmci.navy.mil (EMAIL CA-XX)
- NADSUSEA NCIS COI (Navy NCIS OWA): https://webmail.ncis.nmci.navy.mil (EMAIL CA-XX)
- NMCI-ISF (Navy ISF OWA): https://webmail.isf.nmci.navy.mil (EMAIL CA-XX)
- PADS (Navy PADS OWA): https://webmail.pacom.mil (EMAIL CA-XX)
- PADS (Navy PACOM SMR Users OWA): https://webmail.exceptions.pacom.mil (EMAIL CA-XX)
- IATS NMCI Webmail (1 of 3): https://iats.nmci.navy.mil (EMAIL CA-XX)
- IATS NMCI Webmail (2 of 3): https://iats.nmci.navy.mil/ (EMAIL CA-XX)
- IATS NMCI Webmail (3 of 3): https://iats.nmci.navy.mil/cas (EMAIL CA-XX)
- Marine Corps Webmail: https://webmail.us.nmci.usmc.mil/Exchange (EMAIL CA-XX)
- Navy InfoSec: https://infosec.navy.mil (DOD CA-XX)
- Navy Medical (1 of 3): www.med.navy.mil:80 (DOD CA-XX)
- Navy Medical (2 of 3): https://nmo.med.navy.mil/ (DOD CA-XX)
- Navy Medical (3 of 3): https://nmo.med.navy.mil/pki/default.cfm (DOD CA-XX)
- Navy Medical Outlook Web Access: https://sscc-fe-03.med.navy.mil/EXCHANGE (EMAIL CA-XX)
- JTF-GNO: https://www.jtfgno.mil (EMAIL CA-XX)
- NRRM: https://nrrm.navyreserve.navy.mil/Nrrm.Web/Modules/Shell/Shell.aspx (EMAIL CA-XX)
- BUPERS: https://pki.bol.navy.mil/ (DOD CA-XX)
- NSIPS (1 of 2): https://nsips.nmci.navy.mil (DOD CA-XX)
- NSIPS (2 of 2): https://nsipsweb.nmci.navy.mil/nsipsclo/logon (DOD CA-XX)
- NROWS: https://nrows.sscno.nmci.navy.mil (DOD CA-XX)
- Navy Reserve Portal (1 of 2): https://private.navyreserve.navy.mil/ (DOD CA-XX)
- Navy Reserve Portal (2 of 2): https://private.navyreserve.nayv.mil/pages/default.aspx (DOD CA-XX)
Air Force: (The issues with the AF Portal have been remedied, look here for how to make it work)
- AF Portal (1 of 3): https://www.my.af.mil (DOD CA-XX)
- AF Portal (2 of 3): https://www.my.af.mil/EAI_JUNCTION/eai/ (DOD CA-XX)
- AF Portal (3 of 3): https://www.my.af.mil/EAI_JUNCTION/eai/auth (DOD CA-XX)
- Air Force Portal Virtual MPF Site: https://w20.afpc.randolph.af.mil/afpcsecurenet20/ (DOD CA-XX)
- Air Force Jag WebFLITE (1 of 2): https://logon.jag.af.mil (DOD CA-XX)
- Air Force Jag WebFLITE (2 of 2): https://aflsa.jag.af.mil/ (DOD CA-XX)
- Air Force Education Exchange: https://cacwebmail.afit.edu/Exchange (EMAIL CA-XX)
- AF AMC Exchange Email: https://mail.amc.af.mil/exchange (EMAIL CA-XX)
Coast Guard:
- Coast Guard Email: https://cgwebmail.uscg.mil/ (EMAIL CA-XX)
DoD:
- Defense Manpower Data Center: https://pki.dmdc.osd.mil (DOD CA-XX)
- DOD 411 Directory: https://jeds.gds.disa.mil (EMAIL CA-XX)
- Tricare Online: https://www.tricareonline.com/preloginHome.do (DOD CA-XX)
- Tricare (1 of 3): https://cac1.tricareonline.com/ (EMAIL CA-XX)
- Tricare (2 of 3): https://cac2.tricareonline.com/ (EMAIL CA-XX)
- Tricare (2 of 3): https://cac3.tricareonline.com/ (EMAIL CA-XX)
- Military Health System: https://mhssc.timpo.osd.mil (DOD CA-XX)
Note on URLs: It is important to understand that when entering URLs into an identity preference they must be precise. As you can see in the preceding references some end with a “/”. Not all websites will have this. Every website that attempts to validate your CAC must search a database (usually internal to the site) and the URL you enter is creating the link between that database and your CAC. As there is not a single database that all sites use for this purpose you will encounter sites that do not function properly initially. If you pay attention to the actions of the browser when you click the login button you will usually see where the browser is being pointed and can use that URL in your Identity Preference. For the most part you will not need to reference a specific site, i.e. ending in .html etc, but will instead use the broad address as above.
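The precision rule in this note can be checked mechanically. The following is an added example, not part of the original page: it compares the URL the browser was actually pointed to with saved Identity Preference entries and reports why an entry fails an exact comparison. It assumes, as the note says, that an entry must equal the URL exactly; the names `explain`, `diagnose` and `SAVED` are hypothetical.

```python
from urllib.parse import urlsplit

# Assumption (from the note above): an entry only applies when it equals the
# URL exactly, so every difference reported here is a reason it will not match.
DEFAULT_PORTS = {"https": 443, "http": 80}


def _parts(url):
    """Split a URL into the pieces compared below: scheme, host, port, path."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme), u.path


def explain(saved, observed):
    """Say why a saved Identity Preference URL does or does not equal the observed URL."""
    if saved == observed:
        return "exact match"
    s_scheme, s_host, s_port, s_path = _parts(saved)
    o_scheme, o_host, o_port, o_path = _parts(observed)
    if s_host != o_host:
        return "different host"
    if (s_scheme, s_port) != (o_scheme, o_port):
        return "different scheme or port"
    if s_path == o_path:
        return "same target, written differently (letter case or explicit default port)"
    if s_path.rstrip("/") == o_path.rstrip("/"):
        return "trailing slash differs"
    if o_path.startswith(s_path.rstrip("/") + "/"):
        return "saved entry is a parent of the observed path"
    return "different path"


def diagnose(observed, saved_entries):
    """Map every saved entry to its verdict for one observed login URL."""
    return {saved: explain(saved, observed) for saved in saved_entries}


# Entries copied from the URL list on this page; the observed URLs are constructed.
SAVED = [
    "https://iats.nmci.navy.mil",
    "https://iats.nmci.navy.mil/cas",
    "https://cac01.nko.navy.mil",
]

if __name__ == "__main__":
    for observed in ("https://iats.nmci.navy.mil/",
                     "https://cac01.nko.navy.mil:443/app1/index2.jsp"):
        print(observed)
        for saved, verdict in diagnose(observed, SAVED).items():
            print(f"  {saved:35} {verdict}")
```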
Note on Certificate Selection: When creating Identity Preferences within Keychains it is important to understand the difference between your Certificates. I will not go into great detail as to the differences here; however, I will give you the information you need to know. There are 3 certificates on your CAC:
- DOD CA-XX, used for identification verification, is the top most certificate shown in Keychains. This will be used when logging into AKO. This will show up with a red “x” beside it a majority of the time as “Unsigned”.
- DOD CA-XX EMAIL, used for signatures, is the second in the list of certificates. This certificate is used when you digitally sign an email, or document, and by some websites for verification of your identity, i.e. Outlook Web Access. When logging into a non-AKO site keep in mind that whatever certificate you used when logging on at your work computer will be required on your MAC.
- DOD CA-XX EMAIL, used for encryption, is the third in the list of certificates. This will not be used when accessing websites, and unless you are accustomed to encrypting your email, will not be used at all.
When creating Identity Preferences there will be some trial and error involved in selecting the correct URL/Certificate combination. If you create an Identity Preference and attempt to change the certificate it uses you may see more than 3 certificates when you open the drop down menu as below. They are grouped into their respective classes: the first pair being the DOD CA-XX, second pair EMAIL CA-XX (Signature) and the third pair EMAIL CA-XX (Encryption). Choose either of the first two if you want the DOD CA-XX and so forth. They point to the same certificate.
This should set you up to access sites that are authenticated with your CAC. Please let me know how this works out for you and what issues you have. Once again if you have additional sites you have found solutions for please let me know and I will include them in the list on this page.
Written by CPT Bill Hankins, Revised by CW3 Michael J. Danberry while following the instructions on my own MacBook.

Some other links that may assist you if you are still having problems with the instructions above:
http://www.applemacgeniusville.com/2008/10/06/cac-enable-firefox/
file can be found at next link
http://directory.fedoraproject.org/wiki/BuildCoolKey#Pre_Built_Binary
http://www.applemacgeniusville.com/2008/10/06/setting-up-safari-for-cac-login-to-dod-websites/
http://www.applemacgeniusville.com/2009/09/15/enabling-cac-login-and-creating-filevault-cac-user/
For Firefox users - install this: https://www.forge.mil/Resources-Firefox.html
A user sent this to me: "I followed the instructions at http://www.applemacgeniusville.com/page/21/?wpforumaction=profile&id=1 and it all worked 100%. The Coolkey app is the way to go. It's a little piece of software that has saved me some serious headaches. Load it per the instructions on the site, plug in the reader, insert the card, and you're ready to roll."
Another single file for CAC installation on your MAC. (This one is 9MB)
Set up the AKO "white pages" using your MAC
If you are still having problems, contact Chuck Wack