Solved problems with DBsign, military CAC issues


Solved problems with DBsign, military CAC issues

Post by Colm »

Despite my own bumbling and technical ineptitude, I have managed to gain full functionality of my military CAC on webmail, AROWS, and DTS, on Linux Mint 17. Relevant and accurate online information was very difficult to find during this years-long process. If you are a Linux CAC user who is having problems with issues such as:

Signing orders in AROWS
Signing DTS documents
Logging in to AF Portal, milconnect, or other CAC login-enabled sites
DBsign configuration
Java-CAC compatibility issues in general

Feel free to contact me. I'm no whiz, but I am happy to share solutions that worked for me. I am sure there are others in this small subset of users, who struggle(d) with these particular issues, and are out there, getting frustrated with google and the lack of good info available.

~Colm
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.

Re: Solved problems with DBsign, military CAC issues

Post by phd21 »

Hi "Colm", & Anyone Else Interested in this,

That's nice of you to offer for people who need it.

Do you have any specific details, instructions, and or web links to share?

Here is what I found below:

The following is a guide to assist in setting up your Linux computer to access CAC-enabled DoD websites from the general to the specific.
https://militarycac.com/linux.htm

Ian's TechBlog - CAC on Firefox using Ubuntu, October 7, 2015
https://cheesehead-techblog.blogspot.co ... -1504.html

Arch Linux regarding CAC, etc... 2017
https://wiki.archlinux.org/index.php/Common_Access_Card

US DoD CAC Setup Instructions for Ubuntu 10.4 LTS (32-bit), 2013
http://zxq9.com/dodcac/U10.4-LTS-32/Ubu ... TS-32.html

Hope this helps ...
Phd21: Mint 20 Cinnamon & KDE Neon 64-bit Awesome OS's, Dell Inspiron I5 7000 (7573, quad core i5-8250U ) 2 in 1 touch screen

Re: Solved problems with DBsign, military CAC issues

Post by Colm »

You've covered the most useful links, I think. They got me up and running with most CAC login websites. But I had to do a little more to get full functionality of DBsign (i.e. for DTS and AROWS).

For that, I will add this link to yours:
http://www.webupd8.org/2012/09/install- ... a-ppa.html

I've managed all of this by following the general directions on those websites, ultimately I have the following packages installed:
coolkey
cackey
pcsc-tools
pcscd
ca-certificates-java
oracle-java8-installer
oracle-java8-set-default

I added the webupd8team/java PPA for the last two packages. I had futzed around with update-alternatives quite a bit, without any apparent efficacy... finally the oracle-java8-set-default did the trick.

Note, I have a 64-bit machine, and I installed both the 32- and 64-bit packages for java and some other things, because for a while some websites only seemed to work with 32-bit software. Not sure if that is still necessary or not... likely not anymore, but if you get stuck you can try that possibility.

I had no problem with the SCR-family CAC readers that were available through my place of work.

Current Firefox (50.1.0) with the DoD certificates manually imported (66 of them). I switch the user agent to an "Internet Explorer 10" or earlier string for AROWS. None of the other websites care which browser I use. Make sure the Firefox java plugin in about:plugins points to the right java package, i.e. Oracle java (and not icedtea, which is probably a dependency of something else you've installed).

Finally, I had to configure Java with .../jre1.8.0_111/bin/ControlPanel as follows:
Security tab -> Exception Site List -> Add these websites:
https://arows.sscno.nmci.navy.mil/
https://dtsproweb.defensetravel.osd.mil
Advanced tab -> Advanced Security Settings ->
Check: Use TLS 1.0
Uncheck: Use TLS 1.1, Use TLS 1.2

All this is from trial and error over several years. I can't take much credit for figuring anything out; it's not due to me making any brilliant decisions. In fact I'm sure I have included some completely unnecessary steps, I just don't know which ones :lol: It's probably mostly due to DoD systems improving their compatibility and 3rd party vendors updating and bugfixing their products, and the general improved evolution of software working together the way it was supposed to in the first place.

But it does now work better on my linux machine than on 80% of the computers at work!

edit to add: If you get certificate problems blocking access to certain pages, don't get discouraged-- just clicking reload several times sometimes just works.

If someone gets stuck using these suggestions feel free to PM me I am happy to try to help, I am a sucker for punishment after all.

I am using Linux Mint 17.2 MATE 64-bit

Re: Solved problems with DBsign, military CAC issues

Post by nsgilmore1 »

Colm,
This is great stuff, and helped me out a ton. Thank You!
So far, I've got everything working except Arows.
Even with a custom user agent string: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0)
Arows still tells me that I'm on an unsupported browser. :(

The other Item I'm still struggling with is digital signatures on PDFs - What PDF editor / reader are you using for DoD work, and how did you end up configuring it?

Thanks in Advance!

Re: Solved problems with DBsign, military CAC issues

Post by Colm »

So glad it helped someone. Here is my user agent string: "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"

I currently use Firefox ESR 52 with the add-on "User Agent Switcher" 0.7.3.1 by "chrispederick".

Hope that helps further. I have not found any solutions to working with PDFs. I have a windows partition I use for that, or I just save it for the office. It will be super nice when secure/signed PDF functionality finally comes to linux.

Re: Solved problems with DBsign, military CAC issues

Post by Colm »

Update:
DBsign stopped working after I upgraded to Java 8 update 181. It actually broke the java plugin for firefox (52 ESR and prior versions), nothing specific to DBsign itself. DBsign is of course required for full AROWS functionality. Despite a web search, I wasn't able to find any other reports of this problem. I put some more detail in a very similar post (viewtopic.php?f=47&t=281669) so I'll try not to duplicate here what isn't relevant to military CAC issues.

Save yourself the trouble, whoever may benefit from my toils. Don't upgrade to u181. If you did, don't worry, not all is lost. Revert to a prior build any way you can. I don't know which is the most recent build that still works, so if you know, please share. I went straight back to build 111 as a known prior, and things are working again for me. Because I am not a wizard with update-alternatives, was over-tired, and ran out of give-a-$h1t, I didn't revert very cleanly and I'm frankly shocked I didn't break anything else that uses other java versions. But if I can do it, so can you.

Please share any similar experiences!
Colm

Re: Solved problems with DBsign, military CAC issues

Post by Colm »

Next update: This should be more helpful to someone who is starting from scratch. I did a fresh install of 19.1 recently.

I had recently broken my CAC & AROWS functionality (and some other useful things) with the latest Java 8 build 201 update, which I accidentally installed in a moment of distraction. It took a lot of trial and error, but I was able to regain full functionality in LM 19.1 on my 64-bit machine (plus full linux encryption alongside a Windows 10 dual boot, as a bonus)

First, I installed java-8-oracle (the normal 64-bit version) by adding the webupd8team repository and installing oracle-java8-installer. Instructions are found many places on the web, but check out https://launchpad.net/~webupd8team/+archive/ubuntu/java and maybe http://tipsonubuntu.com/2016/07/31/inst ... x-mint-18/

Enable 32-bit support. This should do the trick; it's a lot easier than selecting all the packages individually, which many tutorials inexplicably suggest instead:
sudo apt-get install ia32-libs

I installed these libraries:
libpcsc-perl
pcsc-tools
libccid:i386
pcscd:i386
coolkey:i386
libpcsclite1:i386
openjdk-8-jdk:i386 (more on this below, you probably don't need it)

This will automatically pull in various dependencies such as libckyapplet1:i386; I didn't bother writing them all down.

If at some point you want to use 64-bit Chrome with your CAC, you can install
libnss3-tools
But note it won't do you any good for a while because the other libraries you need to run firefox are 32-bit and don't coexist with the 64-bit version of libnss3-tools. See the excellent tutorial at https://cubiclenate.com/linux/applicati ... linuxmint/ (trackback: viewtopic.php?t=266786) for more info on CAC in Chrome.

I had also installed openjdk-8-jdk:i386 just to make sure I wasn't missing any 32-bit dependencies for java; that's maybe not a necessary step though.
Anyway, next, install 32-bit java 1.8.0_201 into /usr/lib/jvm. To make it super simple, I first backed up the old java-8-oracle folder and then emptied the new tar.gz into java-8-oracle, which may not be the best way, but I'm not the best computer user, and it's an easy hack.

If it's not already set by another step (i.e. installing oracle-java8-installer package), it appears widely recommended to set JAVA_HOME=/usr/lib/jvm/java-8-oracle, and export PATH=$PATH:/usr/lib/jvm/java-8-oracle/bin, but it worked for me even before I did this.

Install Firefox 52esr 32-bit somewhere convenient. IMPORTANT: before you run firefox 52esr for the first time, go offline. Then, open up firefox, go to Preferences->Advanced->Update->Select "Never check for updates." If you fail to do this, firefox will update to the latest esr version as soon as you run it and NOT EVEN TELL YOU and you will be wondering why the java plugin never loads. You have to download the old version from the mozilla ftp site (link at bottom), they hide the link more and more with every passing day because normally one shouldn't use outdated software unless you really have no other option and understand the risks.

In Firefox, load all the DOD certs and the coolkey security module (for brevity's sake, see the cubiclenate tutorial link above). There are currently 44 certs to load, which you can download from militarycac.net (link at the end).

On my setup, I find that I need to have the CAC reader with my inserted card plugged in, before I open Firefox, or Firefox won't recognize it. If successful, the green LED on my SCR3310 stays lit up when running Firefox. Test it out by making sure you can login to some CAC-enabled websites.

Create the ~/.mozilla/plugins directory.
You can either create a symlink in the ~/.mozilla/plugins directory to /usr/lib/jvm/java-8-oracle/jre/lib/i386/libnpjp2.so, or just copy the .so file into the plugins directory; either way works.

Run ControlPanel in the terminal (it should be in your $PATH if you've done everything right so far; otherwise it's in /usr/lib/jvm/java-8-oracle/bin or a link in /usr/bin), go to the Security tab, and check the box "Enable Java content for browser and Web Start applications".
Also on the security tab, add any websites you plan to go to ("https://javatester.org","https://arows.sscno.nmci.navy.mil", etc)
Also, make sure the radio button for "High" security is checked (instead of "Very high"). If you don't do these last steps, Java won't load on any of the websites you care about.

Next part was a little tricky to discover, but straightforward to fix, and explains a lot of people's difficulty with AROWS in particular. Install the correct user agent switcher firefox extension. I tried several seemingly functional extensions before finally finding one that had a user agent string that AROWS actually accepted. Analyzing why is left as an exercise for the reader (i.e. I'm too busy). Anyway, I previously used "User Agent Switcher" by "chrispederick", but it's no longer maintained in the official Firefox repository. So here's what I did.
First, go to about:config, find the key "xpinstall.signatures.required" and set it to False.
Find the extension at https://github.com/chrispederick/user-agent-switcher/
Download this source code as a .zip, and unpack it into a temporary folder.
Navigate to about:addons, and click the gear icon, and select "Install Add-on From File..." Using that dialogue, browse to user-agent-switcher.xpi in the temporary folder tree. Firefox will complain and warn you that this is not recommended. Live on the edge, do it anyway. Go ahead, run with scissors, it feels good.

If it ever disappears from github, message me directly, I probably saved the archive.

Now:
Navigate to about:plugins and confirm that the java plugin loaded correctly, if you haven't already.
Test out your ability to use the java plugin on a website like javatester.org or java.com
Select a user agent string from an older IE option, google a user agent checker and make sure it is working too.
You already tested your CAC login. Now, check that AROWS accepts your user agent string and lets you navigate to certifying duty, and you should be in business! Great success.

Some notes and other weird things:
Firefox doesn't render the date selector dialogue in AROWS properly, so you have to hand type in the dates of duty in the following format: YYYY/MM/DD. I struggled with that for a while.
I haven't fully explored the source code to understand why chrispederick's extension is successful with AROWS, yet all the other active extensions in the official repository fail. It may be the specific text of the string, or maybe it tweaks some additional things I'm not fully aware of.
Firefox has some weird bugs: strange pixels in the rendering of web pages, which happened before I installed the user agent extension. And, sometimes you can't hit "enter" to navigate to a URL you just typed in, but you can force it to go there by clicking the arrow icon at the right end of the URL bar. I'm not sure if 52.0.0esr was just buggy, or if it's a result of running a 32-bit program on a 64-bit OS, or what, but it's generally a mere annoyance.
Lastly, (and possibly related) when you are using a fake user agent, expect that many websites will not render exactly correctly. But it's not recommended that you go to any websites besides trusted DOD websites anyway, because you are using a very out-of-date software version of Firefox and there's a reason they disabled NPAPI plugins in the first place (besides wanting to make your life harder, obviously. If you're a Firefox dev, that's a joke. Mostly.)

I can't guarantee this list of steps is 100% complete, because there was a lot of trial & error & cursing going on, so I may have unknowingly accomplished a small, vital step somewhere along the way that isn't listed. But these instructions should get you 99% of the way there, if not fully up and running. Please reply with feedback!!

Incidentally, during the 20-30 sleep-deprived hours it took me to figure this out by trial and error, I was able to get the F5 vpn client plugin working in this firefox install too, which is something I use separately from any DOD websites. But that's for another post. Message me if you have needs with that too.

Lastly, one of the Gradkell dbsign engineers advised me that AROWS-NG is migrating away from using the JAVA plugin, to a Javascript system like DTS uses. Welcome to 2016, AROWS. AROWS-R apparently already made the transition, so reservists, consider yourself lucky not to have to deal with this insanity. When AROWS-NG migration is complete, I plan on reverting back to the 64-bit coolkey libraries and forever deleting Firefox ESR, and will resume using up-to-date firefox (and Chrome!) to access DOD websites.

Helpful websites:
https://militarycac.com/linux.htm
https://github.com/chrispederick/user-agent-switcher/
download the 32-bit Java 8 build 201 JDK (not JRE) package from java.com
download old firefox versions from https://ftp.mozilla.org/pub/firefox/releases/

Unhelpful websites:
every single post on stackexchange where someone asked a reasonable question, and some linux god replied, "why would you want to do THAT?" or just as bad, clearly did not know the answer and/or read the question, but proceeded to give unhelpful advice anyway. Hopefully this answers some questions for people and I will try to answer any followup questions to the best of my limited knowledge! Good luck!

2019-02-20 Update: The AROWS help desk informed me yesterday, that reports of switching to Javascript are premature. "There are discussions about it," but no formal development effort at this time, or anticipated dates.
Last edited by Colm on Wed Feb 20, 2019 4:20 pm, edited 2 times in total.

Re: Solved problems with DBsign, military CAC issues

Post by Colm »

Update on user agent strings:
After some experimenting, it looks like all AROWS cares about is that the user agent string contains the token, "MSIE" somewhere in there. I have pared my entire custom user agent string down to just those 4 characters and it lets me login without giving me that stupid "unsupported browser" redirect.

The chrispederick plugin is still the only extension I know of that seems to actually change the user agent string correctly for these old, old versions of firefox. (Using a modern extension, I go to google or a website such as getright.com/useragent.html and it still displays the default user agent string even if I selected a custom one, i.e. modern extensions that are available in the firefox store just aren't compatible with old firefox versions, so that method will never work.)

BUT there's a better way, no outdated extension required. Just make a custom config string in about:config.

Option A: Works with AROWS and Outlook Webmail:

go to about:config, right click somewhere, and click "New"->"String" and in the dialogue that pops up, enter: "general.useragent.override", hit enter. Next it will ask for "String Value". Enter simply, "MSIE". Confirm this takes effect, by checking a web page that displays your user agent. It should say nothing but "MSIE".

Option B: Works with AROWS, and still relays your user agent more-or-less accurately to other webpages (may help with rendering):
Before you change the user agent string, figure out what your default string is. [ i.e. Mozilla/5.0 (X11; Linux i686 on x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 ]

Then go to about:config, create the new key "general.useragent.override", and for string value enter something like "Mozilla/5.0 (X11; Linux i686 on x86_64; rv:52.0) Gecko/20100101 Firefox/52.0; MSIE" <- see what I did there, just add MSIE to the end of my default string. This makes AROWS happy, and if you go to other websites, it hopefully doesn't confuse them too much.

That should get you into AROWS without relying on any user agent switchers ever again... BUT it will cause problems with the Outlook Webmail because it now complains that ActiveX controls aren't active.

Also if you login to iCloud it will complain that your browser is not supported, but it will let you continue anyway if you just click "ignore" so fear not.
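The two posts above leave a few steps that are easy to get wrong by hand: linking libnpjp2.so into ~/.mozilla/plugins, pinning the 32-bit 52 ESR install so it never updates itself before first launch, and setting or removing the general.useragent.override string (Option A or Option B). The following script is an added example written for this thread, not Colm's own commands or anything from the extensions or sites mentioned. It assumes Firefox 52's "Never check for updates" setting corresponds to the app.update.enabled and app.update.auto prefs in user.js, assumes the AROWS check is exactly what Colm observed (the string merely contains the token MSIE), and uses the plugin path from the post; all paths are placeholders to adjust. It writes prefs into a profile's user.js rather than clicking through about:config, and includes the removal step Colm describes so the legacy browser is not left presenting a spoofed agent to every other site.

```shell
#!/bin/sh
# Added example for this thread (not Colm's commands). Helpers for the Firefox 52 ESR
# + 32-bit Oracle Java setup described above. All paths are placeholders.
set -eu

# Link the NPAPI Java plugin into a plugins dir (normally "$HOME/.mozilla/plugins").
# Idempotent: a correct link is left alone, a stale one is replaced.
link_java_plugin() {
    plugin_so="$1"     # e.g. /usr/lib/jvm/java-8-oracle/jre/lib/i386/libnpjp2.so
    plugins_dir="$2"   # e.g. "$HOME/.mozilla/plugins"
    [ -f "$plugin_so" ] || { echo "plugin not found: $plugin_so" >&2; return 1; }
    mkdir -p "$plugins_dir"
    ln -sfn "$plugin_so" "$plugins_dir/libnpjp2.so"
    [ "$(readlink "$plugins_dir/libnpjp2.so")" = "$plugin_so" ]
}

# Set (or replace) one user_pref line in <profile>/user.js. VALUE is written
# literally, so string values must already carry their double quotes.
set_pref() {
    profile_dir="$1"; name="$2"; value="$3"
    userjs="$profile_dir/user.js"
    mkdir -p "$profile_dir"
    touch "$userjs"
    grep -vF "user_pref(\"$name\"," "$userjs" > "$userjs.tmp" || true
    printf 'user_pref("%s", %s);\n' "$name" "$value" >> "$userjs.tmp"
    mv "$userjs.tmp" "$userjs"
}

# Remove a pref line again (Colm deletes the override after logging out of AROWS).
unset_pref() {
    profile_dir="$1"; name="$2"
    userjs="$profile_dir/user.js"
    [ -f "$userjs" ] || return 0
    grep -vF "user_pref(\"$name\"," "$userjs" > "$userjs.tmp" || true
    mv "$userjs.tmp" "$userjs"
}

# Pin the browser BEFORE its first launch. Assumption: these are the prefs behind
# "Never check for updates" in Firefox 52 ESR; the post says to set it while offline.
pin_updates() {
    set_pref "$1" app.update.enabled false
    set_pref "$1" app.update.auto false
}

# Build the override string: mode "a" = bare token (Option A), mode "b" = your
# default UA with the token appended (Option B), so other sites still see Firefox.
build_ua_override() {
    mode="$1"; default_ua="${2:-}"
    case "$mode" in
        a) printf 'MSIE' ;;
        b) printf '%s; MSIE' "$default_ua" ;;
        *) echo "unknown mode: $mode (use a or b)" >&2; return 1 ;;
    esac
}

# Write general.useragent.override into the profile: set_ua_override PROFILE a|b [DEFAULT_UA]
set_ua_override() {
    ua="$(build_ua_override "$2" "${3:-}")" || return 1
    set_pref "$1" general.useragent.override "\"$ua\""
}

# The check Colm observed AROWS applying: does the string contain "MSIE" anywhere?
ua_has_msie() {
    case "$1" in *MSIE*) return 0 ;; *) return 1 ;; esac
}

# Demo against a throwaway directory: sh thisscript.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp="$(mktemp -d)"
    printf 'placeholder' > "$tmp/libnpjp2.so"      # stand-in for the real .so
    link_java_plugin "$tmp/libnpjp2.so" "$tmp/plugins"
    pin_updates "$tmp/profile"
    set_ua_override "$tmp/profile" b 'Mozilla/5.0 (X11; Linux i686 on x86_64; rv:52.0) Gecko/20100101 Firefox/52.0'
    cat "$tmp/profile/user.js"
    unset_pref "$tmp/profile" general.useragent.override   # revert after the AROWS session
    rm -rf "$tmp"
fi
```

Run it with `demo` to see the generated user.js, or source it and call the functions against a real profile directory (Firefox reads user.js at startup, so close the browser first). Keeping the override in user.js rather than in a live about:config edit makes the revert step a single `unset_pref`, which matters because Option B still breaks Outlook Webmail and Option A misidentifies the browser to every site it visits.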

Re: Solved problems with DBsign, military CAC issues

Post by Colm »

Update:
Some time within the last week, approximately, AROWS updated their website and now I'm not able to log in using my redneck-rigged Firefox 52 ESR setup.

The problem is with selecting the proper certificate to sign in to AROWS. Previously, I had no problem signing in after selecting the ID certificate on the CAC.

AROWS now requires the user to present the "Authentication" certificate to log in, not the ID cert. The problem is, Firefox only recognizes two certs on my CAC: the E-mail signing certificate and the ID certificate. I am not sure how to get it to offer the Auth cert as an option.

If anyone knows how to get Firefox to recognize the Auth Cert, or maybe it's an issue with CoolKey, please advise! I will try to install the i386 builds of OpenSC and CACkey the next time I have time to go down rabbit holes.
Attachments: [screenshot] Certificates offered by Firefox; [screenshot] What AROWS shows when you try to log in using the ID Certificate

Re: Solved problems with DBsign, military CAC issues

Post by Colm »

Update: Quantum leap in functionality for using AROWS from a Linux Mint box.

First of all, AROWS help desk advises anyone without a 16-digit certificate identifier, go to your nearest DEERS office and get a replacement CAC card. If your card is more than ~6 months old this might include you. You will simply not be able to login from home unless you do that.

Second of all, AROWS has also updated to a non-Java implementation of DBsign. So you no longer are married to the 32-bit Java libraries. Huge win.

You can now use the latest version(s) of firefox in any architecture. The website still kicks you out if it detects a non-Internet Explorer user agent, but of course that's a simple workaround. I use the about:config page to add the "general.useragent.override" token with string value "MSIE", then boom, the page works flawlessly. I delete the string after logging out of AROWS. A user agent switcher would probably work just as well.

Happy telecommuting.

Re: Solved problems with DBsign, military CAC issues

Post by Colm »

Hopefully closing this sad, sad saga, of completely unnecessary and avoidable compatibility restraints, wasted hours of life, and tears of frustration... AROWS a few days ago updated their site. Instead of requiring Internet Explorer as they have in the past, they now block it (thanks to the EOL announcement?), and recommend Edge or Chrome instead. Firefox 88.0.1 64-bit on Mint 20.1 finally seems to simply work, without any user agent fudging, version downgrading, or other weird tweaks (though I haven't had to digitally sign anything yet). All you need is to have the DOD PKI certificates properly imported into Firefox and a suitable CAC reader security module loaded.

Hallelujah.