CAC modules

David Woodhouse dwmw2 at infradead.org
Thu Jul 5 04:13:55 EDT 2012


On Thu, 2012-07-05 at 01:03 -0400, Mcclelland, Michael B Mr CTR USN USA wrote:
> Hopefully I'm not stepping out of bounds of the intended subject matter for
> this list.
> 
> I am using Ubuntu 12.04 and I need to authenticate to a Cisco ASA which
> requires DOD CAC certificates.  Is it possible to use a CAC module with
> OpenConnect such as the libcoolkeypk11.so or libcackey.so as I do with
> Firefox?  

Yes, this is possible with the latest release of OpenConnect, although
not the version that was in Ubuntu 12.04. You'll need to upgrade.

It uses GnuTLS (and hence p11-kit) to access PKCS#11 modules, so you
refer to your cert with a PKCS#11 URL, for example:
openconnect -c 'pkcs11:object=Remote%20Access' https://vpn.mycompany.com/

You need to have your own PKCS#11 module configured so that GnuTLS will
find it and consider its contents to match the URL you provided. So a
~/.pkcs11/pkcs11.conf file containing the line
 module: /usr/lib64/libcoolkeypk11.so
is probably sufficient. See
http://p11-glue.freedesktop.org/doc/p11-kit/config-example.html

When you have GnuTLS/p11-kit set up right, your token should appear when
you run 'p11tool --list-tokens'. And your cert should appear when you
run 'p11tool --list-all'. Or at least 'p11tool --list-all --login'.

This is all fairly new, but it should work. Please let me know if you
have problems.

Note that the NetworkManager integration package will also need to be
updated to allow it to use PKCS#11, because the library API has changed
a little. It also doesn't allow you to use the GUI to *choose* your
cert, but you can edit the NM configuration file manually and *then* it
does work to do your normal connect/disconnect through the GUI.

But get it working from the command line first, and we can talk you
through updating the NetworkManager plugin next.

-- 
dwmw2
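As an added example (not part of David's mail or of the OpenConnect or p11-kit projects), a small POSIX shell script that performs the steps above: it writes the ~/.pkcs11/pkcs11.conf module line, percent-encodes the certificate's object label into a PKCS#11 URL, and runs the p11tool checks before printing the openconnect invocation. The module path, object label and VPN host are taken from the mail and are assumptions for your system.

```shell
#!/bin/sh
# Added example: register a CAC PKCS#11 module with p11-kit for GnuTLS/OpenConnect.
# Paths and labels are assumptions; adjust to the module and token you actually have.

# Percent-encode an object/token label for use in a PKCS#11 URL (RFC 7512).
# Unreserved ASCII (A-Z a-z 0-9 - . _ ~) is left alone; everything else becomes %XX.
pkcs11_encode() {
    hexstr=$(printf '%s' "$1" | od -An -tx1 -v | tr -d ' \n')
    out=
    while [ -n "$hexstr" ]; do
        hex=${hexstr%"${hexstr#??}"}     # first byte as two hex digits
        hexstr=${hexstr#??}
        case "$hex" in
            3[0-9]|4[1-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a]|2d|2e|5f|7e)
                out="$out$(printf "\\$(printf '%03o' "$((0x$hex))")")" ;;
            *)  out="$out%$(printf '%s' "$hex" | tr a-f A-F)" ;;
        esac
    done
    printf '%s\n' "$out"
}

# Write the single-line user config the mail suggests.
# $1 = config directory (normally $HOME/.pkcs11), $2 = PKCS#11 module path.
write_pkcs11_conf() {
    mkdir -p "$1"
    printf 'module: %s\n' "$2" > "$1/pkcs11.conf"
    # The module must be readable by the user running openconnect.
    [ -r "$2" ] || echo "warning: module $2 is not readable from here" >&2
}

# Verify p11-kit sees the token and the certificate, as the mail describes.
check_token() {
    command -v p11tool >/dev/null 2>&1 || { echo "p11tool not installed" >&2; return 1; }
    p11tool --list-tokens || return 1
    p11tool --list-all --login              # --login needed for private objects
}

# Build the openconnect command for a certificate label and VPN URL.
openconnect_cmd() {
    printf "openconnect -c 'pkcs11:object=%s' %s\n" "$(pkcs11_encode "$1")" "$2"
}

# Demo with the values from the mail (assumed). To apply for real, run:
#   write_pkcs11_conf "$HOME/.pkcs11" /usr/lib64/libcoolkeypk11.so && check_token
openconnect_cmd 'Remote Access' https://vpn.mycompany.com/
```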