DoD Enterprise Email from Linux


Andrew Dunn

Sep 16, 2012, 11:31:28 AM
to mil...@googlegroups.com
This may not be new news to some people, but it was a really wonderful victory for me this weekend.

I’ve for a long time desired being able to unify communications for both my professional and personal activities to a single platform that I can trust. I use Linux for all of my servers, networking equipment and desktop. My solution was to run a virtual machine of Windows and use a USB smart card sled to access my DoD email. Now this likely sounds like a very first world problem, but it really pains me to have to boot up a VM to get to my email, enough so that I actually shirk the responsibility to check my email more than you would expect.

Disappointingly, on Windows there is a host of issues. The only one I think is worth mentioning here is the continuous ‘timeout’ issue that you have when using OWA via IE. To explain a bit further, whenever you are using OWA via IE you get kicked out of the session after some arbitrarily short amount of time (less than 10 minutes). For an average ‘session’ of email at work for me this may require me to close all instances of IE and re-login somewhere between five and ten times.

Onward: How to use DoD Enterprise Email Outlook Web Access from Linux

Short: You need to use a PKI-enabled browser (Firefox) with software to read your CAC (Coolkey), and the key element is to have the proper Certificate Authorities loaded in your browser.

Long:
I’m doing this on Fedora 17. Fedora has pretty up-to-date packages, which will matter for coolkey since the new CAC cards being issued have some incompatibilities with older versions of coolkey.

1: Install coolkey
sudo yum install coolkey

2: Set Firefox to use coolkey as a security device:
    1: Preferences Menu
    2: Advanced Section
    3: Encryption Tab
    4: Security Devices Button
    5: Load Button
    6: Enter CAC Module as the module name, and browse to
        /lib/pkcs11/libcoolkeypk11.so or
        /lib64/pkcs11/libcoolkeypk11.so

If your reader works at this time you should be able to see your CAC loaded (it will prompt you for your PIN when you click load).

3: Find out what CA your CAC certs are issued from:
    1: Preferences Menu
    2: Advanced Section
    3: Encryption Tab
    4: View Certificates
    5: Double click on each of the certificates (usually 3) and look for the ‘Issued By’ section.
    6: Read the Common Name, should be something like CA-29

4: Load the proper certificate authority from https://crl.chamb.disa.mil/
Instead of steps, just go here and make sure to download the CA and Email CA for whatever issued CA you found in step three above.

5: Load https://web.mail.mil
Make sure, when prompted, that you select the email certificate.


Resources:
http://www.forge.mil/Resources-Firefox.html
https://help.ubuntu.com/community/CommonAccessCard
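
A command-line sketch of steps 2 to 4 from the post above, added here as an example; it is not part of the original post. It loads the coolkey module with modutil and imports a CA file with certutil only after the file's subject CN matches the issuer CN read off the CAC certificates. Assumptions: nss-tools and openssl are installed, the CA file is PEM, the function names are hypothetical, and the "C,C," trust flags (web and email, no code signing) are a chosen default.

```shell
#!/bin/sh
# Added example, not from the original post. Usage (close Firefox first):
#   sh cac-setup.sh <nss-db-dir-of-profile> <issuer CN from step 3> <ca-file.pem>

# Step 2: locate the coolkey PKCS#11 module (paths from the post).
# $1 is an optional root prefix, useful for chroots and for testing.
find_coolkey_module() {
    for p in /lib64/pkcs11/libcoolkeypk11.so /lib/pkcs11/libcoolkeypk11.so; do
        if [ -e "${1:-}$p" ]; then printf '%s\n' "${1:-}$p"; return 0; fi
    done
    return 1
}

# Step 3: extract the Common Name from an `openssl x509 -noout -issuer`
# (or -subject) line on stdin; handles "CN = X" and "/CN=X" layouts.
cert_cn() {
    sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/ *$//'
}

# Step 4 guard: succeed only if the downloaded CA file's subject CN is
# exactly the issuer CN found in step 3. $1 = issuer CN, $2 = subject line.
ca_matches_issuer() {
    [ "$(printf '%s\n' "$2" | cert_cn)" = "$1" ]
}

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# $1 = NSS db dir of the profile, $2 = issuer CN, $3 = CA certificate file
setup_profile() {
    module=$(find_coolkey_module) || { echo "coolkey module not found" >&2; return 1; }
    subject=$(openssl x509 -in "$3" -noout -subject) || return 1
    ca_matches_issuer "$2" "$subject" || { echo "CA file is not $2" >&2; return 1; }
    # Print the fingerprint so it can be compared out of band before trusting.
    openssl x509 -in "$3" -noout -fingerprint -sha256
    run modutil -dbdir "$1" -add "CAC Module" -libfile "$module" -force
    # "C,C," is an assumed trust setting: CA trusted for TLS and S/MIME only.
    run certutil -d "$1" -A -n "$2" -t "C,C," -i "$3"
}

# Act only when called with the three arguments; sourcing defines functions only.
if [ "$#" -eq 3 ]; then setup_profile "$@"; fi
```

Running it with DRY_RUN=1 prints the modutil and certutil commands instead of changing the profile.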


David Dyess

Sep 16, 2012, 6:32:58 PM
to mil...@googlegroups.com
Nice write up. Is there a way around the MIME plugin for using attachments with encryption? That has so far been the show stopper for me.

D. Dyess




--
You received this message because you are subscribed to the "Military Open Source Software" Google Group.
To post to this group, send email to mil...@googlegroups.com
To unsubscribe from this group, send email to mil-oss+u...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/mil-oss?hl=en
 
www.mil-oss.org

Andrew Dunn

Sep 16, 2012, 6:57:01 PM
to mil...@googlegroups.com
From what I gather the implementation for MIME in OWA is ActiveX.

It is a pain that this is unsupported; however, being able to read and respond to emails from Linux is a huge improvement for me.

JCusick

Sep 19, 2012, 7:35:59 AM
to mil...@googlegroups.com
If anyone is interested I've packaged up the complete setup for this in srpm format. It is not 100% automatic; you have to follow up with setting up Firefox and a couple of other minor settings for coolkey, but it works like a charm from about Fedora 13 and newer. All you need to do is set up the rpm dev and build environment, drop in the src rpm and rpmbuild the source. Install the rpm and follow the instructions on your screen.

Essentially it installs all the DoD certs and revocations properly and into their proper locations and adds a short text doc into /usr/local/doc/xxx with instructions for completing the procedure. I rebuild the src rpm about every 6 months or so to account for new certs issued by DoD. Anyone with experience in creating srpm's and rpm's will have no problem maintaining this locally for the occasional upgrade.

Regards,

John C
NAWCWD China Lake RDT&E Sys Admin/HBSS Site Lead.

Wheeler, David A

Sep 19, 2012, 10:22:10 AM
to mil...@googlegroups.com

John C: Have you considered placing this package in the Fedora repository?

It’d be cool to be able to “yum install” it, and have so much done automatically.

--- David A. Wheeler

Andrew Dunn

Sep 19, 2012, 10:25:34 AM
to mil...@googlegroups.com
If you could run your own yum repo, or see if you can get it put in rpmfusion, that would be awesome.

I'm guessing it might be hard to get it in Fedora proper.