Georgi Sotirov's Blog

My personal and professional life

2014-07-27

Using InfoNotary certificate on OmniKey CardMan 6121 under Slackware

Abstract

This small article describes the installation and configuration of the OmniKey CardMan 6121 card reader under Slackware, which enables the use of InfoNotary's universal certificates for e-banking.

Getting started

Plug the device into a USB port on your computer. Once the kernel has recognized it, the output of the lsusb command should contain the following line:

Bus 001 Device 028: ID 076b:6622 OmniKey AG CardMan 6121

Installation of device drivers

The manufacturer of the device offers binary drivers for the CardMan 6121 and other readers.

Manual installation

Download the driver archive and unpack it to a temporary directory, then run the install script, for example in Slackware64 14.1:

# cd /tmp
# wget 'http://www.hidglobal.com/sites/hidglobal.com/files/drivers/ifdokccid_linux_x86_64-v4.0.5.4.tar.gz'
# tar -xvf ifdokccid_linux_x86_64-v4.0.5.4.tar.gz
# cd ifdokccid_linux_x86_64-v4.0.5.4
# ./install

Automatic installation

The SlackPack repositories provide a package called pcsc-omnikey for different Slackware versions, so alternatively you could use the slapt-get utility: configure the SlackPack repositories and then just issue the following command:

# slapt-get --install pcsc-omnikey

Installation of necessary software

You need the PC/SC Lite middleware to access the smart card through the SCard API (PC/SC standard); packages can be found in the SlackPack repositories for different Slackware versions. You also need the OpenSC tools and libraries for working with smart cards, which are used by Firefox and Thunderbird. Packages can be found in the same place.

Manual installation

Download the packages into a temporary directory, obtain root privileges and then enter the following commands to install them, for example in Slackware64 14.1:

# installpkg pcsc-lite-1.8.11-x86_64-1gds.txz
# installpkg opensc-0.14.0-x86_64-1gds.txz

Automatic installation

Alternatively, you could use the slapt-get utility: configure the SlackPack repositories and then just issue the following command:

# slapt-get --install pcsc-lite opensc

The PC/SC Lite daemon from the package comes bundled with a startup/shutdown script, so you can start it by just issuing the following command:

# /etc/rc.d/rc.pcscd start

If you want the daemon to start automatically with the system, just add it to the local initialization script like this:

# echo '/etc/rc.d/rc.pcscd start' >> /etc/rc.d/rc.local

Configuration of Firefox

Now that the driver and the necessary software are installed, it only remains to configure Firefox so that it can communicate with the card reader. This is done in the following way:
  1. Open Edit -> Preferences;
  2. In the Firefox Preferences window navigate to Advanced, then to the Certificates tab;
  3. Click on the Security devices button;
  4. In the Device Manager window that opens, click on the Load button on the right;
  5. Enter "OpenSC PKCS#11 Module" in Module Name and select the /usr/lib64/onepin-opensc-pkcs11.so file as Module filename, then click OK.

After the module is loaded, the Device Manager window displays the information about the reader.



See also

Installation of card reader drivers and smart card under Linux (in Bulgarian, translation in English).

2013-10-29

Enable negotiable authentication in Firefox

Well, I've spent some time investigating this, so I decided to share. I have tried to set up NTLM authentication in Firefox by Googling the web, but what was bugging me was that it was not working, while with IE there was no problem at all. Most of the sites suggested setting network.automatic-ntlm-auth.trusted-uris and I've entered the internal sites there. I even tried to enable it for all sites by setting the value "http://,https://", but still no success.

Today, I decided it's about time I found the solution, so I started by refreshing my knowledge from the Internet. Normally, for the authentication the web server sends an HTTP 401 Unauthorized (or Authorization Required) response, so I started investigating the HTTP headers (with the help of the Live HTTP Headers extension) and I noticed that after it Firefox actually sends nothing for the internal host names that I had already set up in network.automatic-ntlm-auth.trusted-uris. Strange? Yes, until at some point I noticed the following:

Authorization: Negotiate ...

So, the web server was actually negotiating the authentication mechanism, instead of asking for NTLM directly, but Firefox wasn't negotiating. This made me think that something was missing and I searched for other keys related to authentication in about:config. Thus, I found network.negotiate-auth.trusted-uris and once I set the internal site host names into this value everything came into place - Firefox was already negotiating the authorization, which turned out to be Kerberos actually.

So whenever you set up automatic authentication for internal sites, consider setting both network.automatic-ntlm-auth.trusted-uris and network.negotiate-auth.trusted-uris, so that it works for you even if the authentication mechanism is negotiable.
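The distinction the post arrives at, as an added example that is not part of the original post: Firefox keeps separate host lists for the Negotiate and NTLM schemes, so the scheme in the server's 401 challenge decides which preference matters, and the first bytes of the token show whether raw NTLM or a GSS-API (SPNEGO/Kerberos) exchange is under way. The function names, the host intranet.example.test and the sample header values are assumptions made for illustration.

```javascript
// Added example; header values and host names below are constructed samples.
const PREF_FOR_SCHEME = new Map([
  ["negotiate", "network.negotiate-auth.trusted-uris"],
  ["ntlm", "network.automatic-ntlm-auth.trusted-uris"],
]);

// Split one WWW-Authenticate/Authorization value into scheme and base64 token.
function parseAuthValue(value) {
  const [scheme, token = ""] = value.trim().split(/\s+/, 2);
  return { scheme: scheme.toLowerCase(), token };
}

// Name the mechanism carried by a base64 token from its leading bytes.
function tokenMechanism(token) {
  if (!token) return "none";
  const raw = Buffer.from(token, "base64");
  if (raw.subarray(0, 8).toString("latin1") === "NTLMSSP\0") return "ntlm";
  // 0x60 opens a GSS-API initial token (the framing SPNEGO and Kerberos use);
  // the mechanism OIDs inside it are not decoded here.
  if (raw[0] === 0x60) return "gssapi";
  return "unknown";
}

// Firefox prefs that control automatic authentication for the offered schemes.
function prefsNeeded(challengeValues) {
  const prefs = new Set();
  for (const value of challengeValues) {
    const pref = PREF_FOR_SCHEME.get(parseAuthValue(value).scheme);
    if (pref) prefs.add(pref);
  }
  return [...prefs];
}

// Render user.js lines that limit automatic authentication to the named hosts.
function userPrefLines(challengeValues, hosts) {
  for (const host of hosts) {
    if (!/^[a-z0-9.-]+$/i.test(host)) throw new Error(`not a host name: ${host}`);
  }
  return prefsNeeded(challengeValues).map(
    (pref) => `user_pref("${pref}", "${hosts.join(",")}");`
  );
}

// Constructed 401 response that offers only Negotiate, the case in the post.
console.log(userPrefLines(["Negotiate"], ["intranet.example.test"]).join("\n"));
```

Listing explicit internal host names keeps the browser from answering such challenges for any other site.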

2011-02-12

Plane over Lyulin motorway

Digging in Google Earth, I accidentally came across this image of a plane over Lyulin motorway, in its section through the mountain just before Malo Buchino. As in a shadow, the image is decomposed into the three main colors, which reminds me of a previous similar image published on the Internet.

2011-02-07

Remove old server certificates in Nokia N900 browser (Firefox)

On my personal web site I'm using self-signed certificates for SSL. These are stored by the browser and everything is fine until the moment they're regenerated. However, when you regenerate them (in the way I do, I'm only changing the validity) you can no longer access the site, because the browser still uses the old certificate. In the desktop version of Firefox, I just remove the old certificate from Tools -> Settings... -> Advanced -> Encryption -> button Certificates -> tab Servers. Unfortunately, Nokia N900 has an interface only for management of certificates of client authorities. Fortunately, the same interface as in desktop Firefox is available in its mobile version. You just have to:
  1. Open the browser;
  2. Type chrome://pippki/content/certManager.xul;
  3. Click on "Servers" under "Your certificates" and delete the certificate of your server.

I haven't found exactly the same information on the Internet, so I'm posting here for everyone with the same "problem" as me :-)

2010-08-13

Wish upon a falling star

This morning I woke up with a wish in my mind. Last night I was not able to watch The Perseids, because I was in Sofia and the possibility to see something from the small piece of sky visible from our apartment was close to zero. Nevertheless, I have two "stars" in my home, one of which is a just born lioness, so I wish the world to be a better place for all of us people around the globe. It depends on all of us to make this happen...

2010-08-04

I became a father (version 2.0)

Today I became a father for the second time. The experience was unique and unforgettable again. Moreover, this time I was on the front line :-) You can look at the first pictures of our little precious in her album.

2007-11-03

To be or not to be...

For some time, I've been questioning myself whether to continue or discontinue writing in this blog. I almost can't find free time to write and I didn't see the meaning of doing it. Yet I'll wait some more before taking the final decision.

2007-03-15

Lot of work...

A few days ago I took a glimpse of my buglist at Bugzilla on my home server and I was literally dumbfounded. "Only" 18 bugs. I cannot understand when they got so many, but lots of work is ongoing. Some of them are pressing and I should finish them by the end of the month, because I'm planning to release a new version of SlackPack. Actually, one big part of what I have to do is on SlackPack... I have so many ideas that I don't have the time to release them and I only report them for later reference. Let's hope I have more spare time until the end of the month, so I can complete what I have planned for 0.3.0, and after this I'm starting the preparations for 0.5.0, where a lot of interesting things should be included. If I just think that I've only started the translations of Bugzilla 3.0, which should be released sometime in April... a great spring is on the horizon :-)

2007-02-23

Translation of Bugzilla 2.22.2

Yesterday I released the updated Bulgarian localization of Bugzilla 2.22.2. Although there was only one new sentence for translation, I had to update the templates to the latest version, so they do not cause problems for those who use the locale.

I don't know why, but again the update was late by almost 3 weeks, because again I found out about the new versions late. Although I keep an eye on the feeds and newsgroups, somehow the news of the new version slipped past me. In one of the newsgroups that I watch there is an announcement, but I can't understand why I've missed it. Maybe it is a good idea for the translators to be notified in time about the new versions, even before their release.

But I did manage to catch the announcement of Bugzilla 3.0rc1 and I'll begin the preparation of the translation just now, so when the new stable version comes out in April I will be ready and will not have to catch up.

As usual you can download the new packages from:

Enjoy using!

2007-02-08

Gabi began walking

A few days ago (I think on January 31st) my daughter Gabriella nicely surprised me by welcoming me home from work walking alone. Thanks to the continuous efforts of her grandmother (my mother) Mariana, who takes care of her currently, she is now touring the whole flat alone and it is very hard to stop her :-)

Some time ago a friend told me "You can sense how fast the time is going by the children...". Yes, it's an absolute truth. As if I took breath only once between the birth of Gabi and the moment she began walking. But as they say "The life doesn't measure with the count of breaths, we took, but with the moments, we stopped breathing".