I loaded up NetBeans to run that code sample in this thread (scroll down); however, I’m getting some errors. I think this is due to me not putting the card.config thing in right.
Can someone who knows Java walk me through? Not sure how many people know Java on here.
java.security.ProviderException: Error parsing configuration
    at sun.security.pkcs11.Config.getConfig(Config.java:88)
    at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:129)
    at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:103)
    at cacpkcs.Cacpkcs.main(Cacpkcs.java:21)
Caused by: java.io.FileNotFoundException: pkcs11.properties (The system cannot find the file specified)
    at java.io.FileInputStream.open(Native Method)
    at java.io.FileInputStream.<init>(FileInputStream.java:131)
    at java.io.FileInputStream.<init>(FileInputStream.java:87)
    at sun.security.pkcs11.Config.<init>(Config.java:211)
    at sun.security.pkcs11.Config.getConfig(Config.java:84)
    ... 3 more
I also don’t know if I have the PKCS package installed though…dunno. Someone with Java knowledge probably can read more into this than I can.
Yes I do believe this is caused by it being unable to find the package. However I’m unsure how to install this. I’ve googled this and it’s all very confusing.
If you’re using Apache, there are several lines remarked out in one of the config files that will make these available if a CAC is inserted into the reader. There might be the same in IIS, but don’t know. Also, check to make sure that the CAC has exported certificates to the Operating System for use.
(If you are on a Windows desktop, right-click the ActivClient icon and choose OPEN, then click on TOOLS > ADVANCED, and select “Make certificates available to Windows”)
Ultimately the goal here was to get all EDIPI numbers (10-digit number on back of the cards) and loop through all 7000ish results and insert them into Active Directory.
They said they can only release those numbers on court order. Well sh**.
We do have an IIS server but we have no test server of it so I’d be making changes on a live server. That’s extremely no-no so that’s out of the question.
We do have a test Apache server but I’m a lowly junior developer who doesn’t have access…man this whole thing is a PITA. I don’t speak server language / Apache either so I’m reading all these articles and crap and it’s like Chinese to me. This is getting ridiculous.
The current effort I have to make now is to have a web form which lets users fill out their first/last name, and then a script to grab the CAC EDIPI (validated against the PIN) which then inserts into Active Directory. LET IT BE KNOWN that I have to AUTOMATICALLY get the number instead of users entering it in so it’s correct and user-error free.
Just ONE clear and CONCISE tutorial would make this a whole lot easier but all these server folks try to talk smart to impress others. Super annoying. I’m going to go bald before my 24th birthday at this rate…
If I may ask, what server-side language are you scripting? If it’s ColdFusion, and if the web server is set for it, the EDIPI appears in the CGI scope. It will be in the following format:
LAST dot (CADENCE, if any dot) FIRST dot MI dot {10 digit number}
If you do a #ListLast(cgi.CLIENT_S_DN_CN,'.')#, you’ll have the EDIPI.
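The last-dot-field extraction described above, written with strict validation before anything is stored in a directory. This is an added Java example, not code from this thread; the class and method names are hypothetical, the sample DNs are constructed, and it assumes the DN string comes from a client certificate the web server has already verified.

```java
import java.util.Optional;
import java.util.regex.Pattern;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class EdipiFromDn {
    // Exactly ten ASCII digits; anything else is rejected rather than "cleaned up".
    private static final Pattern TEN_DIGITS = Pattern.compile("[0-9]{10}");

    // Hypothetical helper: returns the EDIPI, or empty when the DN does not fit the format.
    static Optional<String> edipi(String subjectDn) {
        LdapName dn;
        try {
            dn = new LdapName(subjectDn);  // real DN parser, copes with escaped commas
        } catch (InvalidNameException e) {
            return Optional.empty();
        }
        String cn = null;
        for (Rdn rdn : dn.getRdns()) {
            if (rdn.size() != 1) return Optional.empty();   // multi-valued RDN: refuse
            if (!"CN".equalsIgnoreCase(rdn.getType())) continue;
            if (cn != null || !(rdn.getValue() instanceof String)) {
                return Optional.empty();                     // two CNs or binary value: refuse
            }
            cn = (String) rdn.getValue();
        }
        if (cn == null) return Optional.empty();
        int lastDot = cn.lastIndexOf('.');
        if (lastDot < 1) return Optional.empty();           // no name part before the number
        String tail = cn.substring(lastDot + 1);
        return TEN_DIGITS.matcher(tail).matches() ? Optional.of(tail) : Optional.empty();
    }

    public static void main(String[] args) {
        String[] constructedSamples = {                      // constructed DNs, not real identities
            "CN=DOE.JOHN.Q.1234567890,OU=Example,C=US",
            "CN=DOE.JR.JOHN.Q.1234567890,OU=Example,C=US",   // extra field after LAST
            "CN=DOE.JOHN.Q.123456789,OU=Example,C=US",       // nine digits
            "CN=DOE.JOHN.Q.12345678901,OU=Example,C=US",     // eleven digits
            "CN=www.example.test,OU=Example,C=US",           // server-style CN, no EDIPI
            "OU=Example,C=US",                               // no CN at all
            "not a distinguished name"
        };
        for (String dn : constructedSamples) {
            System.out.println(edipi(dn).orElse("REJECTED") + "  <-  " + dn);
        }
    }
}
```

The same check applies whichever layer supplies the DN: a value that does not end in exactly ten digits should be refused, not trimmed or padded, before it is written to the directory.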
Once this program is working then I’ll need to somehow include this as a servlet or something (maybe PHP exec()?) and somehow be able to grab whatever number this program grabs.
I’m not SURE, but I think that CGI variables are in the $_ENV superglobal. If you can output that array, you should be able to see if CLIENT_S_DN_CN is present.
Theoretically, given my lack of PHP knowledge/experience, I’d guess yes. If you want to see EVERYTHING, loop the array (or use an arrayOutput, if PHP has one.)
2.1 Requirements
The Sun PKCS#11 provider is supported on Solaris (SPARC and x86) and Linux (x86) in both 32-bit and 64-bit Java processes. It is also supported on 32-bit Windows (x86) but not currently on 64-bit Windows platforms due to the lack of suitable PKCS#11 libraries.
The Sun PKCS#11 provider requires an implementation of PKCS#11 v2.0 or later to be installed on the system. This implementation must take the form of a shared-object library (.so on Solaris and Linux) or dynamic-link library (.dll on Windows). Please consult your vendor documentation to find out if your cryptographic device includes such a PKCS#11 implementation, how to configure it, and what the name of the library file is.
The Sun PKCS#11 provider supports a number of algorithms, provided that the underlying PKCS#11 implementation offers them. The algorithms and their corresponding PKCS#11 mechanisms are listed in the table in Appendix A.