Installing ECA Tokens
The purpose of this documentation is to outline the entire process of acquiring an ECA hardware token from IdenTrust and provisioning the token to work with Platform One applications, specifically to access IL-5 resources.
Equipment used:
- MacBook Pro M2
- IOGEAR GSR203 card reader
- LENTION 4-in-1 USB-C hub
Step 1: Acquire ECA
- Hardware tokens are the only credential type authorized for IL-5 access.
- Acquiring an ECA token from IdenTrust must be completed within 30 days of purchase to receive the token. If it is not completed within that time frame, the process must be restarted from the beginning.
1.1 ECA Submission Process
To begin the ECA acquisition process, you need a voucher from your company, or to use your own credit card to purchase an ECA from IdenTrust.com.
- Go to ECA Certificates for DoD Access | IdenTrust
- Click the BUY NOW hyperlink
- Scroll to the bottom of the page, and under “DoD ECA Programs,” check No ECA Agency Affiliation Is Required / Click NEXT
- “I Live in the US.” Click Yes / Click NEXT
- “Select A Certificate” Check ECA Medium Token Assurance | Hardware Storage $185.00 - $445.00 / Click NEXT
- “Please Select The Certificate Validity Period” Check 1 Year - $185.00 / “Please Select The Storage Device For Your Certificate” Check HID Smart Card - $71.00 / Click NEXT
- Note: If a card reader is required, you have three options available:
  - Select "HID Smart card with card reader"
  - Ask your company whether it will provide one to you
  - Purchase one online
  - Note: The card reader provided by IdenTrust has a USB-A interface, so you will need to purchase a USB hub/dongle if your computer only has USB-C ports.
- “Verify Your Selections” Click BUY NOW
- “Retrieve Your Certificate” (Voucher, if you have one) Enter Voucher – Provided by your company
- Scroll down to Program Affiliation Select NO PROGRAM AFFILIATION IS REQUIRED / Click NEXT
- “Headquarters Information” (Organization Name) Enter your company name (Your Email Address) Enter your email address and corporate postal code
- Search Results Select your company name / click SELECT ORGANIZATION / (Confirm Your Organization Information) Pop up / Click Yes
- “Personal Information” Complete all Fields – NOTE: enter your home address or where you want the PKI card sent. Click Next
- Once your account is created you should be asked to download the “DoD ECA Medium Assurance | Software Storage & Medium Token Assurance | Hardware Storage Certificate Forms Packet”
1.2 ECA Authorization Verification
Once you have downloaded and printed the “DoD ECA Medium Assurance | Software Storage & Medium Token Assurance | Hardware Storage Certificate Forms Packet” please read through it carefully. The steps below are extracted from the documentation.
NOTE: This will need to be WET SIGNED and original. Photocopies or scans are not allowed. IdenTrust must receive the inked paper.
At the bottom of Page 2, under Applicant, enter the following information:
- Print the applicant's legal first and last name (do not use a nickname)
- Print Organization name
- Address line 1
- City, State/Province, Country, Postal Code
- Organization Officer's name
- Organization Officer's title
- Organization Officer's telephone number
- Organization Officer's email
Your organization officer will WET sign on "Organization Officer's Signature" and date it on "Date Organization Officer signed".
Page 4 must be completed in the presence of a licensed notary in your county. Do not mark or sign this page at home. All fields need to be filled in in front of the notary, or the notary may choose not to sign it.
You will need to present IDs from 2 of the 3 lists below.
- US Citizens: One from List A and one from list B or C, – or – One from List B and one from List C.
- Non-US Citizens: Valid Passport and one from List B.
If you made more than one citizenship assertion in your certificate request, you must provide a valid passport for each.
List A (photo ID document that establishes identity and citizenship):
- Passport from country of citizenship
- Certificate of U.S. Citizenship issued by USCIS (formerly INS)
- Certificate of Naturalization issued by a court of competent jurisdiction prior to October 1, 1991, or by the USCIS (INS) since that date

List B (photo ID document that establishes identity):
- Military ID w/ photo
- Driver's license or government issued ID card w/ photo
- Permanent or Unexpired Temporary Resident Card issued by the USCIS w/ photo

List C (document that establishes US citizenship):
- Consular Report of Birth from a US Consulate (Form FS-240)
- Certificate of Birth Abroad issued by the US Department of State (Form DS-1350)
- Original or certified copy of birth certificate issued by County, State or government authority bearing an official seal
Once this form is signed by the notary, you will mail it to the address provided on part 2.
Registration Department
IdenTrust Services
5225 W. Wiley Post Way, Ste 450
Salt Lake City, UT 84116-2898
This should be sent in a document mailer with full tracking for best results. IdenTrust may claim not to have received your documents if you do not have a tracking number for them, at which point you need to start over.
NOTE: IdenTrust will physically call the registered phone number for your company. They must speak to the person who signed the form in part 1. If they cannot contact or reach that person, your application will be put on hold. Do not submit this paperwork directly before your security officer's known out-of-office period or vacation, as this will cause the application process to fail and you will need to re-complete it.
1.3 ECA Acquisition
Once your paperwork is complete and has been approved (typically 3-5 business days from IdenTrust receiving the paperwork), you will receive an email with instructions on certificate installation.
DO NOT PROCEED until you physically have your token.
Once you have received your card and card reader, you can continue on to Step 2: Provisioning your ECA Card.
Step 2: Provision your ECA Card
Once you have received your physical token, work through the following steps.
2.1 Install OpenSC
Installing OpenSC is fairly simple: navigate to the OpenSC releases page and download the latest version in dmg format. The dmg contains an installer and an uninstaller. Use the installer to install the software and its libraries on your computer. Alternatively, for the more advanced macOS user, a brew formula is available; no documentation is provided for the brew formula in this guide, but if you're familiar with brew it may be a better alternative for you. Keep in mind, however, that all library paths will differ from those in this guide and you will need to sort that out yourself.
2.2 Reboot Your Computer
While this seems unnecessary on a Mac, I found that a reboot cleanly allowed the card reader to initialize after OpenSC was installed. Please reboot your computer at this point without your smart card in the reader. After rebooting, log back into your computer, and insert your smart card only after you've reached your desktop. Once you insert your card, you should see a notification window showing that the card was detected and asking to pair it with your user account. This pairing process allows you to log in to your computer with the smart card and PIN. It is also a good indicator that your smart card is being read properly and is ready for use.
2.3 (Optional) Testing OpenSC
Once OpenSC is installed, your card reader is plugged in and you've rebooted, you can test your card reader.
Open a terminal on your computer and, with your card in the card reader, run:
```
$ /Library/OpenSC/bin/pkcs11-tool --login --test
```
You should get output that looks very similar to the following:
```
$ /Library/OpenSC/bin/pkcs11-tool --login --test
Using slot 0 with a present token (0x0)
Logging in to "Johnny Example:A0000B0000000...".
Please enter User PIN: ******
C_SeedRandom() and C_GenerateRandom():
  seeding (C_SeedRandom) not supported
  seems to be OK
Digests:
  all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
  RIPEMD160: OK
Signatures (currently only for RSA)
  testing key 0 (CAC Cert 5) -- can't be used for signature, skipping
  testing key 1 (CAC Cert 14)
    all 4 signature functions seem to work
    testing signature mechanisms:
      RSA-X-509: OK
      RSA-PKCS: OK
      SHA1-RSA-PKCS: OK
      MD5-RSA-PKCS: OK
      RIPEMD160-RSA-PKCS: OK
      SHA256-RSA-PKCS: OK
  testing key 1 (CAC Cert 14) with 1 mechanism
    RSA-X-509: OK
Verify (currently only for RSA)
  testing key 0 (CAC Cert 5) -- can't be used to sign/verify, skipping
  testing key 1 (CAC Cert 14) with 1 mechanism
    RSA-X-509: OK
Decryption (currently only for RSA)
  testing key 0 (CAC Cert 5)
    RSA-X-509: OK
    RSA-PKCS: OK
  testing key 1 (CAC Cert 14) -- can't be used to decrypt, skipping
No errors
```
Once you see the "No errors" line, your card is communicating properly with your computer and you can move on to configuring applications to consume your new ECA.
2.4 Retrieve IdenTrust Certificates
Open the email "Your IdenTrust Certificate has been Approved!" sent by Registration@identrust.com and follow the instructions.
- Proceed to URL: www.identrust.com/install
- Enter the activation code and password (the password was set up during your ECA submission process)
- Click "I'M READY - PLEASE CHECK IF MY SYSTEM IS READY"
- Click "YES - I am ready to retrieve"
- Download and open the IdenTrust Retrieval Application and follow the prompts to test functionality.
Step 3: Install Certificates
In order to access sites properly and have your ECA work on websites, you need to trust the certificates used throughout the various DoD websites you'll be accessing. This is done by installing the corresponding DoD CA roots on your computer.
DoD Certificates
First, you need to install the various DoD certificates. Instead of duplicating that information here, the MilitaryCAC.com website is treated as the authoritative source for it. You can view the DoD certificate installation process located here.
These certificates should also be installed in Firefox, so please make sure you follow the steps in the above article fully from beginning to end, with an emphasis on step 5a.
IdenTrust Certificates
You also need to install the IdenTrust ECA certificate, which you can find here. Download and install the certificates exactly as you did for the DoD certificates above.
Step 4: Configure Applications
If configuration was not done automatically, below are some things to try.
When configuring an application that lets you add a PKCS#11 library, the library to use is `/Library/OpenSC/lib/onepin-opensc-pkcs11.so`; this library is what enables SmartCard/PIV in your various applications. If you installed OpenSC via brew, your actual library path will differ. Depending on when you installed brew and what platform you installed it on, the library could be somewhere under `/usr/local` or `/opt`. The documentation past this point assumes you installed OpenSC from the GitHub page and that it is located at the standard location, `/Library/OpenSC`.
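The following script is an added example, not part of the original guide: it locates the PKCS#11 module for the dmg install path above or for a brew install, and then runs the same kind of pkcs11-tool check as section 2.3 against that module before you paste the path into an application. The `/opt/homebrew` and `/usr/local` paths are assumed Homebrew locations, and the `--check` invocation is this script's own convention.

```shell
#!/bin/sh
# Added example, not part of the original guide: locate the OpenSC PKCS#11
# module on macOS and confirm that pkcs11-tool can load it and see the card
# before pointing applications at the path. The /Library/OpenSC paths are the
# ones the guide uses; the /opt/homebrew and /usr/local paths are assumed
# Homebrew install locations and may differ on your machine.

# find_opensc_module [root]: print the first module path that exists, checking
# the dmg-installer location first. "root" is an optional prefix that is only
# used to run the lookup against a fake directory tree.
find_opensc_module() {
    root="${1:-}"
    for candidate in \
        /Library/OpenSC/lib/onepin-opensc-pkcs11.so \
        /opt/homebrew/lib/onepin-opensc-pkcs11.so \
        /usr/local/lib/onepin-opensc-pkcs11.so \
        /opt/homebrew/lib/opensc-pkcs11.so \
        /usr/local/lib/opensc-pkcs11.so; do
        if [ -f "$root$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# check_module MODULE: load the module with the pkcs11-tool installed next to
# it (/Library/OpenSC/bin, or the Homebrew bin directory), list the slots and
# list the certificates on the inserted card. Needs OpenSC, reader and card.
check_module() {
    module="$1"
    tool="$(dirname "$module")/../bin/pkcs11-tool"
    [ -x "$tool" ] || tool="pkcs11-tool"   # fall back to whatever is on PATH
    "$tool" --module "$module" --list-slots || return 1
    "$tool" --module "$module" --list-objects --type cert
}

main() {
    if module="$(find_opensc_module)"; then
        printf 'PKCS#11 module: %s\n' "$module"
        check_module "$module"
    else
        printf 'No OpenSC PKCS#11 module found; install OpenSC first\n' >&2
        return 1
    fi
}

# Run the live check only when invoked as: sh find_opensc.sh --check
if [ "${1:-}" = "--check" ]; then main; fi
```

If the slot list is empty or the certificate list shows nothing, go back to section 2.2 and confirm the card pairs with your account before changing any application settings.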