Install Aladdin eToken on Ubuntu 12.04 LTS

Today I did a new install on my workstation at work, going from Ubuntu 10.04 LTS to Ubuntu 12.04 LTS. I am using an Aladdin eToken, which comes with proprietary software. Because the previous version of the software was outdated and the documentation stated that it does not work on newer kernels, I needed to install the latest SafeNet Client Authentication package to support this eToken.

Install dependencies:

$ sudo apt-get install pcscd libccid libhal1 opensc

Install the eToken software:

$ sudo dpkg -i SafenetAuthenticationClient-8.1.0-4_i386.deb
Selecting previously unselected package safenetauthenticationclient.
(Reading database ... 143516 files and directories currently installed.)
Unpacking safenetauthenticationclient (from SafenetAuthenticationClient-8.1.0-4_i386.deb) ...
Setting up safenetauthenticationclient (8.1.0-4) ...
Adding Token security provider....done
Please reboot to run Token PKI service.
SafeNet Authentication Client installation completed.
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place

Because ‘/etc/ld.so.conf.d/wwwwetoken-ld.conf’ was empty, the PKIMonitor program in the Ubuntu startup applications did not start at boot. I needed to add ‘/usr/lib/eToken’ to it.

The new startup method for pcscd did not work for me. It is described on the author’s page. I commented out the exit 0 on line 43 of ‘/etc/init.d/pcscd’.

eToken, Personal certificate and the Mozilla suite

I recently got a personal certificate, also known as a Digital ID, on a smart card (Aladdin eToken) to access a secure web service. While installing the certificate I noticed that the same certificate can also be used to digitally sign and encrypt email, so I fired up Thunderbird and added the PKCS#11 security device to configure signing using S/MIME. See the steps below.

“PKCS#11 is one of the family of standards called Public-Key Cryptography Standards (PKCS), published by RSA Laboratories. It defines a platform-independent API to cryptographic tokens, such as Hardware Security Modules (HSM) and smart cards.” (Source: http://en.wikipedia.org/wiki/PKCS11)

I assume you have already installed the eToken software. In case you haven’t, take a look at this article I wrote earlier.

Open Thunderbird and go to Preferences -> Advanced -> Encryption -> Security Devices

Click on “Load” and enter a module name, or choose the default like I did, which is “New PKCS#11 Module”, and browse for the ‘libeTPkcs11.so’ library. This file probably sits in ‘/usr/lib’ or ‘/usr/lib64’. Be sure to pick the right one, because you need the 64bit version if you’re using 64bit Firefox.

Open Account Settings -> Security

Select the certificate on your smart card that you would like to use.

Thunderbird and Firefox are not bundled with the CAs needed to support GlobalSign PersonalSign Class 2 out of the box. You have to import the GlobalSign Primary Class 2 CA (http://secure.globalsign.net/cacert/PrimClass2.crt) and the GlobalSign PersonalSign Class 2 CA (http://secure.globalsign.net/cacert/PersonalSignClass2.crt) to make it work in Thunderbird; otherwise you’ll notice you’re not able to send digitally signed email.

eToken and Linux

To make the eToken PKI 5.0 client work on my 64bit Fedora 11 workstation with the 32bit version of the Aladdin eToken middleware, I had to install the following packages: hal-libs.i586, libusb.i586, openct.i586, pcsc-lite-openct.i586, pcsc-lite-libs.i586, pcsc-lite.i586 and dependencies.

[code lang="text"]
# rpm -ivh pkiclient-5.00.28-0.i386.rpm
Preparing... ########################################### [100%]
1:pkiclient ########################################### [100%]
Adding eToken security provider....done.
Starting PC/SC smart card daemon (pcscd): [ OK ]
PKI Client installation completed.
#
[/code]

If you don’t install the 32bit version of the packages, the installation of the pkiclient software will result in an error. The pkiclient software needs one of the following bundle dirs, ‘/usr/lib/readers’ or ‘/usr/lib/pcsc/drivers’, or else it will exit with the error message below.

[code lang="text"]
# rpm -ivh pkiclient-5.00.28-0.i386.rpm
Preparing... ########################################### [100%]
Error: cannot find pcsc-lite bundles directory.
error: %pre(pkiclient-5.00.28-0.i386) scriptlet failed, exit status 11
error: install: %pre scriptlet failed (2), skipping pkiclient-5.00.28-0
#
[/code]

Do not try to add the eToken as a security device in Firefox or Thunderbird, as you’re probably running the 64bit version of the applications. The 64bit applications refuse to load the 32bit ‘libeTPkcs11.so’; you’ll be prompted with the message “Unable to add module”.
I have requested the 64bit version of the middleware, which should make things easier.
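
Both the "pick the right one" step in the Thunderbird setup and the "Unable to add module" failure above come down to the ELF class of ‘libeTPkcs11.so’ not matching the application that loads it. The following is an added example, not part of the original posts or of the vendor software: it reads the EI_CLASS byte of the ELF header to compare a module with an application binary. The function names and the application path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not from the eToken/SafeNet package).

# elf_class FILE: print 32 or 64 from EI_CLASS (byte 5 of the ELF header);
# fail if FILE is missing or is not an ELF file (e.g. a launcher script).
elf_class() {
    magic=$(dd if="$1" bs=1 count=4 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || return 1
    class=$(dd if="$1" bs=1 skip=4 count=1 2>/dev/null | od -An -tu1 | tr -d ' \n')
    case "$class" in
        1) echo 32 ;;
        2) echo 64 ;;
        *) return 1 ;;
    esac
}

# module_matches_app MODULE APP: 0 = same class, 1 = mismatch, 2 = not ELF.
module_matches_app() {
    m=$(elf_class "$1") || { echo "not an ELF file: $1" >&2; return 2; }
    a=$(elf_class "$2") || { echo "not an ELF file: $2" >&2; return 2; }
    if [ "$m" = "$a" ]; then
        echo "OK: $1 and $2 are both ${m}-bit"
    else
        echo "MISMATCH: $1 is ${m}-bit, $2 is ${a}-bit" >&2
        return 1
    fi
}

# pick_module APP DIR...: print the first DIR/libeTPkcs11.so whose class
# matches APP; fail if none of the directories holds a loadable module.
pick_module() {
    app=$1; shift
    for dir in "$@"; do
        lib="$dir/libeTPkcs11.so"
        [ -f "$lib" ] || continue
        if module_matches_app "$lib" "$app" >/dev/null 2>&1; then
            echo "$lib"; return 0
        fi
    done
    return 1
}

# Usage (application path is an assumption; adjust to your install):
#   pick_module /usr/lib/thunderbird/thunderbird /usr/lib /usr/lib64
```

The launcher in ‘/usr/bin’ is often a wrapper script rather than the ELF binary, in which case the check reports "not an ELF file"; pass the real executable instead.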