EDS cooks up fix for NMCI's Mac users

Lonely are the Navy and Marine Corps personnel who use Apple
Macintosh computers to do their jobs. The Navy Department's
official internal network, the Navy Marine Corps Intranet (NMCI),
doesn't support Macs.


However, the chief technology officer at EDS, which manages
NMCI, recently posted a set of procedures so Mac users can access NMCI's
public-facing Web services, such as the e-mail and calendar
functions. With some minor adjustments, the fix could also work
with other Defense Department networks.


"Anybody who can follow directions can follow the four or five
steps they need to do to install this software and get it squared
away," said Dennis Hayes, EDS' CTO for NMCI.


Although NMCI mandates use of Microsoft Windows-based desktop
and laptop computers, EDS officials recognized that some personnel
still need to use Macs, largely for creative or design work.


"We were aware of these clusters of [Mac] users," Hayes
said.


Theoretically, such users could access some of NMCI's services via
the Internet. But the network's Web-based services have been
more difficult to access in recent years because of security
measures.


Since 2006, logging onto NMCI services requires a DOD-signed
digital certificate on a Common Access Card or USB key drive.
However, Mac users with such certificates have found it difficult
to access NMCI services, especially if their computers run the
Tiger (OS X 10.4) or Leopard (OS X 10.5) operating systems.


The trouble largely occurred because Apple changed the internal
support structure for passing digital certificates from a
peripheral device to a Web service for the Tiger release, Hayes
said.


"They re-architected the support for certificates, and that
ended up breaking a few key capabilities, most notably support for
certificates on the keychain," Hayes said. He added that the Apple
OS X developers had no direct access to CACs and could only
estimate the correct support needed.


Mac OS X had a few other hidden issues. For example, the Safari
browser might not automatically seek the correct service to approve
users' credentials. That feature could be reset, though users
might not have known how to do so. Also, Apple updated the
credential-checking routine to only work with a particular version
of USB reader firmware, which would require users to upgrade older
readers.


Hayes said many Navy and Marine Mac users expressed their
frustration with that state of affairs. A few even engineered
fixes, though most of them only worked under limited
circumstances.


"One guy would get his problem fixed by some unique combination
of firmware and some fixes Apple would put together, and his
problem was fixed," Hayes said. "But a different guy would
pop up somewhere else with a different reader and URL."


To solve the problem, Hayes and other members of the EDS team
worked with Apple's federal office to create a standard
process for certifying NMCI users. EDS and Apple spent about two
months creating, documenting and testing the procedure, Hayes
said.


He then posted the procedure and alerted users on the Apple
Fed-Talk mailing list.


The fix requires upgrading the USB drive's firmware, if
needed; applying a few updates to the operating system; and
configuring the Web browser to seek the correct source for
validation.


Hayes said the fixes come with no warranty or support from EDS,
but they should work for NMCI patrons.


They should also work for Mac users with appropriate credentials
who want to access Web-based DOD services that use a public-key
infrastructure. They would simply need to substitute the Web
addresses for their own certificate authorities, Hayes said.


The Navy Department is not the only service that has developed a
workaround to give Macs access to the internal networks. The
Defense Knowledge Online portal (formerly the Army Knowledge Online
portal) offers a list of instructions on how to make Macs
work with CAC readers.


Although the NMCI workaround allows Web access to NMCI services,
Navy and Marine personnel still cannot directly connect their Macs
to NMCI because the network would not recognize the machines and
therefore would refuse access, Hayes said.


He added that EDS has thus far taken a wait-and-see attitude
about using Apple Macs on the NMCI network, given that the
computers have not traditionally been deployed in large
enterprises. However, the recent collaboration with the company
served as a positive, if tentative, first step toward considering
future support for Apple machines, he said.


Reader Comments

Tue, Jan 11, 2011 AJ Port Hueneme Ca

How can I get the software for my CAC card working on my MAC?

Tue, Apr 7, 2009

Thanks to EDS for all the work in doing this - but geeeeeezzz - 47 pages of instructions just to get a CAC reader working???? I don't think I need to read email at home that much
