Description of problem:
We have detected various detection issues with coolkey and the Gemalto 64K tokens based on OS platform and actual token type.

How reproducible: Always

Steps to Reproduce:
1. Log into a machine
2. Put in a Gemalto 64K token

Actual results: Based on Platform:
1. OS X. Everything is fine.
2. Windows. The Smart Card sized token works fine, the USB token is only recognized once per application session.
3. Linux. The initial detection can be inconsistent.

Expected results: The tokens should be recognized easily in all cases.

Additional info:
The main cause for this issue is the fact that these Gemalto cards now use CCID compliant readers instead of the built-in egate reader in the previous card. The smart card sized tokens work better since the reader is usually plugged in first (e.g. SCR 331) and then the card is placed in the reader. For the case of the USB token, the reader and the card are essentially being inserted at the same time.

We have a patch in hand that resolves the Windows issue that fixes the smart card detection event code specific to Windows. The Linux issue has also been addressed by code that makes a few extra attempts to connect to the token.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
devel_ack+
Resolved in build coolkey-1.1.0-6.el5
How to test:
1. Obtain an uninitialized Gemalto 64K token, USB form factor. If a smart card form factor is used, obtain an SCR 331 smart card reader.
2. Make sure ESC is running.
3. Insert the uninitialized token into the computer.
4. Fill in the phone home information for the test TPS system.
5. Make sure the token can be formatted.
6. Make sure the token can be enrolled.
7. Make sure the PIN can be reset on the token.
8. Bring up Firefox and make sure the enrolled token and its contents are visible in the PSM or security manager UI.
Here's the new card spec that works: Cyberflex Access 64K v2 Standard with DER SHA1 value configured as in PKCS1 v2.1
With the above card, I can do:
(1) smartcard format, enroll, password reset operations.
(2) smartcard login with Heimdal kerberos kdc for pkinit
(3) firefox webpage smartcard detection when the module is loaded.

I tried to play with card detection. After approximately 15 insertions/removals, the apps become unresponsive. Jack tells me that this is a pcscd slot availability issue. So, ignoring that for now. This card seems to work ok. Marking bug verified.
RHEL 5.2 now supports this new card type and we need it added to the Release Notes (and the single-sign-on chapter of the Deployment Guide). Info needed within bug, but will work with ChandraK and KevinU to assist with verbiage as required.
Thanks Scott, adding to RHEL5.2 release notes under "Resolved Issues":

<quote>
Gemalto 64K smart cards now use readers compliant with Chip/Smart Card Interface Devices (CCID). Previously, this smart card used the built-in e-gate reader, which essentially meant that the card and reader were being inserted at the same time. As a result, coolkey did not consistently recognize Gemalto 64K smart cards. In this update, coolkey now works correctly with Gemalto 64k smart cards.
</quote>

Please advise if any further revisions are required to the release notes. I'll track the Deployment Guide revisions through the RT ticket mhideo wrote on your behalf.
Hi,

The RHEL5.2 release notes will be dropped to translation on April 15, 2008, at which point no further additions or revisions will be entertained.

A mockup of the RHEL5.2 release notes can be viewed at the following link:
http://intranet.corp.redhat.com/ic/intranet/RHEL5u2relnotesmockup.html

Please use the aforementioned link to verify if your bugzilla is already in the release notes (if it needs to be). Each item in the release notes contains a link to its original bug; as such, you can search through the release notes by bug number.

Cheers,
Don
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2008-0344.html