Installation on "unsupported" systems

  • The install script Install.pm checks the distribution against /etc/issue. It fails if the distribution is not suse, enterprise, or fedora. That is a feature, since you don't want to run the installer anyway.
  • The most common source of problems is hotplug/udev/devfs confusion.
  • We have not found a current distribution of Linux where the middleware does not work.

Aladdin eToken Pro 64k Notes

  • With RTE 3.60, pcsc_scan and etckdump do not see the token.
  • OpenSC cardos-info
    $ cardos-info
    Info : CardOS V4.2B (C) Siemens AG 1994-2005
    Chip type: 124
    Serial number: 26 04 f6 0f 12 1d
    Full prom dump:
    33 66 00 22 9A 9A 9A 9A 7C FF 26 04 F6 0F 12 1D 3f."....|.&.....
    00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
    OS Version: 200.9 (unknown Version)
    Current life cycle: 32 (administration)
    Security Status of current DF:
    Free memory : 1024
    ATR Status: 0x0 ROM-ATR
    Packages installed:
    Ram size: 4, Eeprom size: 64, cpu type: 66, chip config: 63
    Free eeprom memory: 37007
    System keys: PackageLoadKey (version 0xfe, retries 10)
    System keys: StartKey (version 0xff, retries 10)
    Path to current DF:
    
  • Aladdin RTE 3.65.3 for Linux says it is the first version to work with CardOS 4.20B.

Manual install of etoken-3-65.3-linux-Fedora-i386 on Mandriva 2007.1 (Spring)

  • Follow the manual procedure below.
  • perl-pcsc-perl-1.4.2-1mdv2007.0
  • pcsc-lite-1.4.0-1mdv2007.1
  • libpcsclite1-1.4.0-1mdv2007.1
  • pcsc-tools-1.4.7-1mdv2007.1
  • libpcsclite1-devel-1.4.0-1mdv2007.1
  • Note: Firefox did not display the reader AKS after the PKCS#11 module was installed. I ended up removing and re-installing mozilla-firefox-2.0.0.4-1mdv2007.1. After that, insertion and removal worked fine.

Manual install of 3-60.14-RHE4 on Mandriva 2006

Pre-Install Checks

  • Install pcsc-lite (pcscd)
  • Install pcsc-tools (pcsc_scan) (optional, but recommended)
  • Stop pcscd if it is running
  • Back up /etc/reader.conf
  • Back up /etc/init.d/pcscd, if it exists

Manual Installation

The Aladdin install script petoken requires some modification to work on unsupported Linux systems. It also has a few quirks: if it fails, you have to clean up manually before running it again. Here's how to do the install manually. The following install also uses opt_depot. Adjust file paths as required for your system.
The following commands are run from the distribution directory.

  • pcsc
    • mv /etc/init.d/pcscd /etc/init.d/pcscd.backup
    • cp -p pcscd.startup.script /etc/init.d/pcscd
  • mkdir -p /usr/local/depot/etoken-3.60.19/lib
  • aksifdh
    • cp aksifdh.so.3-60.19 /usr/local/depot/etoken-3.60.19/lib/
    • pushd /usr/local/depot/etoken-3.60.19/lib; ln -s aksifdh.so.3-60.19 aksifdh.so; popd
  • etokend
    • mkdir -p /usr/local/depot/etoken-3.60.19/sbin
    • cp -p etokend /usr/local/depot/etoken-3.60.19/sbin
    • cp -p etokend.startup.script /etc/init.d/etokend
    • mkdir -p /etc/hotplug.d/usb; cp -p etoken /etc/hotplug.d/usb/etoken.hotplug
  • libetokendll
    • cp -p libetokendll.so.3-60.19 /usr/local/depot/etoken-3.60.19/lib/
    • pushd /usr/local/depot/etoken-3.60.19/lib; ln -s libetokendll.so.3-60.19 libetokendll.so; popd
  • etpkcs11
    • cp -p libetpkcs11.so.3-60.19 /usr/local/depot/etoken-3.60.19/lib/
    • pushd /usr/local/depot/etoken-3.60.19/lib; ln -s libetpkcs11.so.3-60.19 libetpkcs11.so; popd
    • cp -p etsrvd /usr/local/depot/etoken-3.60.19/sbin/
    • cp -p etsrvd.startup.script /etc/init.d/etsrvd
    • Make sure libpcsclite is linked as /usr/lib/libpcsclite.so.0
  • Install utilities
    • mkdir -p /usr/local/depot/etoken-3.60.19/bin
    • cp -p etckdump /usr/local/depot/etoken-3.60.19/bin
    • cp -p etckinit /usr/local/depot/etoken-3.60.19/bin
  • Add config file in /usr/local/etc/reader.conf.d

Post Installation

  • Shared libraries
    • Make sure /etc/ld.so.conf contains /usr/local/lib.
    • Run ldconfig.
  • Create/modify startup scripts
    • Start in this order: etokend, pcscd, etsrvd. Stop them in the opposite order.
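
One way to enforce the start and stop order above, as an added example that is not Aladdin's startup script or part of the original page. The names etoken_ctl, INIT_DIR, ETOKEND_SOCK and WAIT_SECS are assumptions, and waiting for /var/tmp/.etokend before starting pcscd is an assumed readiness check.

```shell
#!/bin/sh
# Added example, not Aladdin's startup script. INIT_DIR, ETOKEND_SOCK and
# WAIT_SECS are assumed names; the defaults are the paths used on this page.
INIT_DIR="${INIT_DIR:-/etc/init.d}"
ETOKEND_SOCK="${ETOKEND_SOCK:-/var/tmp/.etokend}"
WAIT_SECS="${WAIT_SECS:-5}"

# Service order for an action; stop is the reverse of start.
etoken_order() {
    case "$1" in
        start) echo "etokend pcscd etsrvd" ;;
        stop)  echo "etsrvd pcscd etokend" ;;
        *)     return 2 ;;
    esac
}

# Assumed readiness check: wait for etokend's socket before pcscd is started.
wait_for_etokend() {
    waited=0
    while [ ! -e "$ETOKEND_SOCK" ]; do
        if [ "$waited" -ge "$WAIT_SECS" ]; then return 1; fi
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# Run the init scripts in order. A failed start aborts; a failed stop is
# reported and the remaining daemons are still stopped.
etoken_ctl() {
    action="$1"
    order=$(etoken_order "$action") || { echo "usage: etoken_ctl start|stop" >&2; return 2; }
    for svc in $order; do
        if ! "$INIT_DIR/$svc" "$action"; then
            echo "etoken_ctl: $svc $action failed" >&2
            if [ "$action" = start ]; then return 1; fi
        fi
        if [ "$action" = start ] && [ "$svc" = etokend ] && ! wait_for_etokend; then
            echo "etoken_ctl: $ETOKEND_SOCK did not appear" >&2
            return 1
        fi
    done
    return 0
}
```

Source the file and call `etoken_ctl start` or `etoken_ctl stop` as root.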

Testing/Troubleshooting

  • etokend
    • must be running
    • /var/tmp/.etokend socket should exist.
    • does do some syslogging
    • must start before pcscd
    • If etokend exits without any error messages, make sure usbfs is mounted on /proc/bus/usb.
    • waits in a select() on /var/tmp/.etokend
    • Clones itself with clone() when a token is added, and opens /proc/bus/usb/<dev>.
  • pcscd
    • must be running
    • If it failed to start with Aladdin's script, restore /etc/init.d/pcscd.
  • etsrvd
    • must be running
    • /var/tmp/.etsrvd should exist.
    • must start after pcscd
    • doesn't syslog
    • Opens /var/run/pcscd.pub. (Use lsof.)
  • /etc/hotplug.d/usb/etoken.hotplug
    • Expects environment variables DEVICE and ACTION to be set.
    • Connects to /var/tmp/.etokend
    • Writes a message for add or remove token and the DEVICE environment variable.
  • Normal Startup syslog

    Sep 25 15:48:50 analon pcscd: readerfactory.c:1093:RFInitializeReader() Attempting startup of AKS ifdh 00 00 using /usr/local/lib/aksifdh.so
    Sep 25 15:48:50 analon pcscd: readerfactory.c:930:RFBindFunctions() Loading IFD Handler 2.0
    Sep 25 15:48:50 analon pcscd: pcscdaemon.c:464:main() pcsc-lite 1.3.2 daemon ready.
    Sep 25 15:48:50 analon pcscd: hotplug_libusb.c:105:HPReadBundleValues() Cannot open PC/SC drivers directory: /usr/local/pcsc/drivers
    Sep 25 15:48:50 analon pcscd: hotplug_libusb.c:106:HPReadBundleValues() Disabling USB support for pcscd.

    • The message about USB being disabled is OK. etoken.hotplug takes care of things when a token is inserted.
    • You must see the startup messages for AKS ifdh
  • Token insertion

    Sep 25 15:52:50 analon kernel: usb 4-2: new low speed USB device using uhci_hcd and address 9
    Sep 25 15:52:50 analon etoken.hotplug[5431]: Starting.
    Sep 25 15:52:50 analon etoken.hotplug[5431]: Called without ACTION or DEVICE environment variables.
    Sep 25 15:52:50 analon etoken.hotplug[5439]: Starting.
    Sep 25 15:52:50 analon etoken.hotplug[5439]: device=/proc/bus/usb/004/009 action=add
    Sep 25 15:52:50 analon etoken.hotplug[5439]: Connecting to /var/tmp/.etokend.
    Sep 25 15:52:50 analon etoken.hotplug[5439]: Normal exit. device=/proc/bus/usb/004/009 action=add
    Sep 25 15:52:52 analon etokend: Power up succeed from 1 attempt
    Sep 25 15:52:52 analon etokend: connection closed by client on fd = 3, (connection=3)
    Sep 25 15:52:52 analon etokend: PowerICC - no more than 33 bytes of answer are expected
    Sep 25 15:52:53 analon etokend: Power up succeed
    Sep 25 15:52:53 analon pcscd: eventhandler.c:419:EHStatusHandlerThread() Card inserted into AKS ifdh 00 00
    Sep 25 15:52:53 analon pcscd: Card ATR: 3B E2 00 FF C1 10 31 FE 55 C8 02 9C

    • The syslog messages from etoken.hotplug are a mod by Phil. You may not see them.
    • The last two lines are probably the most important.
  • etsrvd message with missing library

    /usr/local/sbin/etsrvd: error while loading shared libraries: libpcsclite.so.0: cannot open shared object file: No such file or directory

  • etckdump
    etckdump without login

    $ etckdump --slot=0
    Dumping token "phil-prod " in slot #0
    Free public memory = 6517
    Free private memory = 6517
    Skipping C_Login (use etckdump --pin | --pinhex | -h)
    Found 2 Objects
    etckdump complete

    etckdump with login

    $ etckdump --slot=0 --pin=XXXXXXXXXX
    Dumping token "Phillip E Benchoff " in slot #0
    Free public memory = 3896
    Free private memory = 3896
    login successful
    Found 3 Objects
    etckdump complete

    etckdump verbose with login

    analon:/etc/dynamic/user-scripts (2)
    $ etckdump --slot=0 --pin=xxxxxxxx -v1
    Dumping token "phil-prod " in slot #0
    The token's serial number is: 31 30 62 31 32 35 31 34 10b12514
    30 63 30 65 20 20 20 20 0c0e
    Free public memory = 6517
    Free private memory = 6517
    login successful
    Found 3 Objects

    Object #0:
    -----------
    CKA_CLASS size:4, 01 00 00 00 CKO_CERTIFICATE
    CKA_TOKEN size:1, 01 .
    CKA_PRIVATE size:1, 00 .
    CKA_LABEL size:61, 28 65 54 43 41 50 49 29 (eTCAPI)
    20 50 68 69 6c 6c 69 70 Phillip
    20 45 20 42 65 6e 63 68 E Bench
    6f 66 66 27 73 20 54 68 off's Th
    61 77 74 65 20 43 6f 6e awte Con
    73 75 6c 74 69 6e 67 20 sulting
    28 50 74 79 29 20 4c 74 (Pty) Lt
    64 2e 20 49 44 d. ID
    CKA_VALUE size:622, 30 82 02 6a 30 82 01 d3 0..j0...
    CKA_CERTIFICATE_TYPE size:4, 00 00 00 00 ....
    CKA_ISSUER size:100, 30 62 31 0b 30 09 06 03 0b1.0...
    55 04 06 13 02 5a 41 31 U....ZA1
    25 30 23 06 03 55 04 0a %0#..U..
    13 1c 54 68 61 77 74 65 ..Thawte
    20 43 6f 6e 73 75 6c 74 Consult
    69 6e 67 20 28 50 74 79 ing (Pty
    29 20 4c 74 64 2e 31 2c ) Ltd.1,
    30 2a 06 03 55 04 03 13 0*..U...
    23 54 68 61 77 74 65 20 #Thawte
    50 65 72 73 6f 6e 61 6c Personal
    20 46 72 65 65 6d 61 69 Freemai
    6c 20 49 73 73 75 69 6e l Issuin
    67 20 43 41 g CA
    CKA_SERIAL_NUMBER size:3, 0f 21 01 .!.
    CKA_SUBJECT size:102, 30 64 31 11 30 0f 06 03 0d1.0...
    55 04 04 13 08 42 65 6e U....Ben
    63 68 6f 66 66 31 12 30 choff1.0
    10 06 03 55 04 2a 13 09 ...U.*..
    50 68 69 6c 6c 69 70 20 Phillip
    45 31 1b 30 19 06 03 55 E1.0...U
    04 03 13 12 50 68 69 6c ....Phil
    6c 69 70 20 45 20 42 65 lip E Be
    6e 63 68 6f 66 66 31 1e nchoff1.
    30 1c 06 09 2a 86 48 86 0...*.H.
    f7 0d 01 09 01 16 0f 62 .......b
    65 6e 63 68 6f 66 66 40 enchoff@
    76 74 2e 65 64 75 vt.edu
    CKA_ID size:38, 39 45 39 45 37 33 35 31 9E9E7351
    2d 33 35 45 44 2d 34 30 -35ED-40
    31 61 2d 38 46 37 30 2d 1a-8F70-
    32 38 46 36 36 39 30 36 28F66906
    36 30 42 30 3a 30 60B0:0
    CKA_MODIFIABLE size:1, 00 .
    -----------
    Object #1:
    -----------
    CKA_CLASS size:4, 02 00 00 00 CKO_PUBLIC_KEY
    CKA_TOKEN size:1, 01 .
    CKA_PRIVATE size:1, 00 .
    CKA_LABEL size:17, 65 54 43 41 50 49 20 70 eTCAPI p
    75 62 6c 69 63 20 6b 65 ublic ke
    79 y
    CKA_KEY_TYPE size:4, 00 00 00 00 CKK_RSA
    CKA_SUBJECT size:0, NULL
    CKA_ID size:38, 39 45 39 45 37 33 35 31 9E9E7351
    2d 33 35 45 44 2d 34 30 -35ED-40
    31 61 2d 38 46 37 30 2d 1a-8F70-
    32 38 46 36 36 39 30 36 28F66906
    36 30 42 30 3a 30 60B0:0
    CKA_ENCRYPT size:1, 01 .
    CKA_WRAP size:1, 01 .
    CKA_VERIFY size:1, 01 .
    CKA_VERIFY_RECOVER size:1, 01 .
    CKA_DERIVE size:1, 00 .
    CKA_START_DATE size:8, 00 00 00 00 00 00 00 00 ........
    CKA_END_DATE size:8, 00 00 00 00 00 00 00 00 ........
    CKA_MODULUS size:128, xx xx xx xx xx xx xx xx ........

    CKA_MODULUS_BITS size:4, 00 04 00 00 ....
    CKA_PUBLIC_EXPONENT size:3, 01 00 01 ...
    CKA_LOCAL size:1, 00 .
    CKA_MODIFIABLE size:1, 00 .
    -----------
    Object #2:
    -----------
    CKA_CLASS size:4, 03 00 00 00 CKO_PRIVATE_KEY
    CKA_TOKEN size:1, 01 .
    CKA_PRIVATE size:1, 01 .
    CKA_LABEL size:18, 65 54 43 41 50 49 20 70 eTCAPI p
    72 69 76 61 74 65 20 6b rivate k
    65 79 ey
    CKA_KEY_TYPE size:4, 00 00 00 00 CKK_RSA
    CKA_SUBJECT size:0, NULL
    CKA_ID size:38, 39 45 39 45 37 33 35 31 9E9E7351
    2d 33 35 45 44 2d 34 30 -35ED-40
    31 61 2d 38 46 37 30 2d 1a-8F70-
    32 38 46 36 36 39 30 36 28F66906
    36 30 42 30 3a 30 60B0:0
    CKA_SENSITIVE size:1, 01 .
    CKA_DECRYPT size:1, 01 .
    CKA_UNWRAP size:1, 01 .
    CKA_SIGN size:1, 01 .
    CKA_SIGN_RECOVER size:1, 01 .
    CKA_DERIVE size:1, 00 .
    CKA_START_DATE size:8, 00 00 00 00 00 00 00 00 ........
    CKA_END_DATE size:8, 00 00 00 00 00 00 00 00 ........
    CKA_MODULUS size:128, xx xx xx xx xx xx xx xx ........

    CKA_PUBLIC_EXPONENT size:3, 01 00 01 ...
    CKA_EXTRACTABLE size:1, 00 .
    CKA_LOCAL size:1, 00 .
    CKA_MODIFIABLE size:1, 00 .
    -----------
    etckdump complete
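
The startup and token-insertion logs above can be checked mechanically. The following is an added example, not part of the Aladdin distribution or the original page; the function names and the KEY=value output are assumptions, and the sample lines are copied from the logs on this page.

```shell
#!/bin/sh
# Added example (not part of the Aladdin distribution): triage a syslog file
# for the pcscd/etokend messages quoted on this page.

# _seen FILE REGEX -> prints yes or no
_seen() { grep -Eq "$2" "$1" && echo yes || echo no; }

# Prints KEY=value lines. Returns 0 if a card was seen with an ATR,
# 1 if the AKS driver loaded but no card was seen, 2 if the driver never loaded.
etoken_log_triage() {
    log="$1"
    ifdh=$(_seen "$log" 'pcscd: .*Attempting startup of AKS ifdh')
    inserted=$(_seen "$log" 'pcscd: .*Card inserted into AKS ifdh')
    nolib=$(_seen "$log" 'error while loading shared libraries: libpcsclite\.so\.0')
    # Last ATR reported by pcscd, empty if none.
    atr=$(sed -n 's/^.*pcscd: Card ATR: //p' "$log" | tail -n 1)
    echo "aks_ifdh_started=$ifdh"
    echo "card_inserted=$inserted"
    echo "atr=$atr"
    echo "libpcsclite_so0_missing=$nolib"
    # "Disabling USB support for pcscd" and the first etoken.hotplug run
    # "Called without ACTION or DEVICE" both appear in the page's normal logs,
    # so neither is treated as a failure here.
    if [ "$ifdh" = no ]; then return 2; fi
    if [ "$inserted" = no ] || [ -z "$atr" ]; then return 1; fi
    return 0
}

# Sample input: lines copied from the logs on this page.
sample_log() {
cat <<'EOF'
Sep 25 15:48:50 analon pcscd: readerfactory.c:1093:RFInitializeReader() Attempting startup of AKS ifdh 00 00 using /usr/local/lib/aksifdh.so
Sep 25 15:48:50 analon pcscd: hotplug_libusb.c:106:HPReadBundleValues() Disabling USB support for pcscd.
Sep 25 15:52:50 analon etoken.hotplug[5431]: Called without ACTION or DEVICE environment variables.
Sep 25 15:52:53 analon pcscd: eventhandler.c:419:EHStatusHandlerThread() Card inserted into AKS ifdh 00 00
Sep 25 15:52:53 analon pcscd: Card ATR: 3B E2 00 FF C1 10 31 FE 55 C8 02 9C
EOF
}

# Run against a real log when a path is given, e.g. /var/log/messages.
if [ $# -gt 0 ]; then etoken_log_triage "$1"; fi
```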

Udev configuration
Fedora Core 6 with:

These packages:

  • pcsc-lite version 1.3.X
  • etoken-3-60.14-linux-Fedora4-i386.tar.gz

These soft links:

    # ln -s /usr/lib/libpcsclite.so.1 /usr/lib/libpcsclite.so.0
    # ln -s /usr/sbin/pcscd /usr/local/sbin/pcscd

Create this udev rules file: /etc/udev/rules.d/01-etoken.rules

Add the text below to this file:

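######start text ############

# Dispatch on the event type; any other action skips the eToken rules.
ACTION=="add",           GOTO="Insert_eToken"
ACTION=="remove",        GOTO="Remove_eToken"

GOTO="hotplug_end"

# Token inserted: create the /dev/eTokenPro symlink and run the hotplug script.
LABEL="Insert_eToken"
BUS=="usb", SYSFS{product}=="eToken Pro [0-9][0-9][0-9][0-9]", SYSFS{manufacturer}=="AKS", SYMLINK="eTokenPro", ENV{DEVICE}="eTokenPro", RUN="/etc/hotplug.d/usb/etoken.hotplug add /dev/eTokenPro"
# Without this jump, an add event falls through to the remove rule, whose RUN= replaces the one above.
GOTO="hotplug_end"

# Token removed: run the hotplug script with the remove action.
LABEL="Remove_eToken"
BUS=="usb", SYSFS{product}=="eToken Pro [0-9][0-9][0-9][0-9]", SYSFS{manufacturer}=="AKS", SYMLINK="eTokenPro", ENV{DEVICE}="eTokenPro", RUN="/etc/hotplug.d/usb/etoken.hotplug remove /dev/eTokenPro"

LABEL="hotplug_end"
##############end text ####################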
