Red Hat Bugzilla – Bug 385181
Gemalto 64K token detection issues
Last modified: 2008-05-21 10:30:00 EDT
Description of problem:
We have detected various detection issues with coolkey and the Gemalto 64K
tokens based on OS platform and actual token type.
Steps to Reproduce:
1. Log into a machine
2. Put in a Gemalto 64K token
Based on Platform:
1. OS X everything is fine.
2. Windows. The Smart Card sized token works fine, the USB token is only
recognized once per application session.
3. Linux. The initial detection can be inconsistent.
The tokens should be recognized easily in all cases.
The main cause for this issue is the fact that these Gemalto cards now use CCID
compliant readers instead of the built in egate reader in the previous card. The
smart card sized tokens work better since the reader is usually plugged in first
(ex SCR 331) and then the card is placed in the reader. For the case of the USB
token, the reader and the card are essentially being inserted at the same time.
We have a patch in hand that resolves the Windows issue that fixes the smart
card detection event code specific to Windows. The Linux issue has also been
addressed by code that makes a few extra attempts to connect to the token.
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release. Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products. This request is not yet committed for inclusion in an Update
Resolved in build coolkey-1.1.0-6.el5
How to test:
1. Obtain an uninitialized Gemalto 64K token, USB form factor. If a smart card
form factor is used, obtain an SCR 331 smart card reader.
2. Make sure ESC is running.
3. Insert the uninitialized token into the computer.
4. Fill in the phone home information for the test TPS system.
5. Make sure the token can be formatted.
6. Make sure the token can be enrolled.
7. Make sure the pin can be reset on the token.
8. Bring up Firefox and make sure the enrolled token and its contents are visible
in the PSM or security manager UI.
Here's the new card spec that works.
Cyberflex Access 64K v2 Standard with DER SHA1 value configured as in PKCS1 v2
With the above card, I can do:
(1) smartcard format, enroll, password reset operations.
(2) smartcard login with Heimdal Kerberos KDC for pkinit
(3) Firefox webpage smartcard detection when the module is loaded.
I tried to play with card detection. Approx after about 15 insertions/removals,
the apps become unresponsive. Jack tells me that this is a pcscd slot
availability issue. So, ignoring that for now.
This card seems to work ok.
marking bug verified.
RHEL 5.2 now supports this new card type and we need it added to the Release
Notes (and the single-sign-on chapter of the Deployment Guide). Info needed
within bug, but will work with ChandraK and KevinU to assist with verbiage as
thanks Scott, adding to RHEL5.2 release notes under "Resolved Issues":
Gemalto 64K smart cards now use readers compliant with Chip/Smart Card Interface
Devices (CCID). Previously, this smart card used the built-in e-gate reader,
which essentially meant that the card and reader were being inserted at the same
time. As a result, coolkey did not consistently recognize Gemalto 64K smart cards.
In this update, coolkey now works correctly with Gemalto 64k smart cards.
please advise if any further revisions are required to the release notes. i'll
track the Deployment Guide revisions through the RT ticket mhideo wrote on your
the RHEL5.2 release notes will be dropped to translation on April 15, 2008, at
which point no further additions or revisions will be entertained.
a mockup of the RHEL5.2 release notes can be viewed at the following link:
please use the aforementioned link to verify if your bugzilla is already in the
release notes (if it needs to be). each item in the release notes contains a
link to its original bug; as such, you can search through the release notes by
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.