Enabling Firefox and Thunderbird to access protected web sites
Firefox and Thunderbird cannot be used with a smart card for secure browsing and e-mail signing because they require a PKCS#11 module and Centrify Management Services for Mac ships with Tokend only, not with PKCS#11. However, Apple provides an open-source module, TokenPKCS11.so, which can act as a shim between Tokend and PKCS#11. Centrify provides group policies that allow you to install the TokenPKCS11.so module to provide the PKCS#11 interface to Firefox and Thunderbird.
The following group policies, located in User Configuration > Policies > User Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy, enable Firefox and Thunderbird to be used with a smart card:
- Allow NSSDB based applications to use smart card allows NSSDB-based applications to use a smart card and adds Firefox and Thunderbird to the list of applications.
- NSSDB based applications allowed to use smart card loads the TokenPKCS11 module to the appropriate location for Firefox and Thunderbird.
To enable smart card use with Firefox and Thunderbird:
- Enable the “Enable smart card support” policy:
  Computer Configuration > Policies > User Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy > Enable smart card support
  Click OK.
- Enable the “Allow NSSDB based applications to use smart card” group policy.
  User Configuration > Policies > User Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy > Allow NSSDB based applications to use smart card
  Click OK.
- Open the “NSSDB based applications allowed to use smart card” group policy.
  This policy loads the TokenPKCS11 module to a specified location. Note that enabling “Allow NSSDB based applications to use smart card” automatically added the appropriate locations for Firefox and Thunderbird.
  Click OK.
- In the Centrify configuration file, set the smartcard.name.mapping parameter to true.
  This parameter allows the use of multi-user smart cards. See Enabling support for multi-user PIV and multi-user smart cards for more information.
- In a Terminal window, run adgpupdate and adreload to apply the group policy and configuration parameter changes.
To verify that Firefox and Thunderbird are configured for smart card users:
- Use a smart card to log in to the computer.
- Open Firefox (and Thunderbird) and click Options > Advanced > Certificates > Security Devices.
  You should see the Centrify PKCS #11 Module.
- Open Firefox (and Thunderbird) and click Options > Advanced > Certificates > View Certificates > Authorities.
  You should see U.S Government.
- Open Firefox and type https://10.100.2.133 in the address bar.
  You are prompted to select the certificate.
- After selecting the certificate, the web page should load successfully.
- Open Thunderbird and configure smart card e-mail.
  You should be able to send encrypted e-mail and decrypt encrypted e-mails from other users.
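A command-line counterpart to the configuration and Security Devices checks above, added here as an example (it is not Centrify's code). It assumes the configuration file uses "name: value" lines and that the application's NSS database is in the SQL format, which keeps its module list in a pkcs11.txt file; the function names, the sample files and the /PLACEHOLDER/ library path are constructed.

```shell
#!/bin/sh
# Added example. Assumptions: "name: value" config lines; SQL-format NSS
# database whose module list is the text file pkcs11.txt.

# conf_is_true FILE PARAM: succeed if the last uncommented PARAM value is "true".
conf_is_true() {
    val=$(awk -v p="$2" '
        /^[ \t]*#/ { next }
        { line = $0; sub(/^[ \t]+/, "", line)
          if (index(line, p) != 1) next
          rest = substr(line, length(p) + 1)
          if (rest !~ /^[ \t]*[:=]/) next      # reject longer names sharing the prefix
          sub(/^[ \t]*[:=][ \t]*/, "", rest); sub(/[ \t]+$/, "", rest)
          v = rest }
        END { print v }' "$1")
    [ "$val" = "true" ]
}

# nss_module_name FILE SUFFIX: print the name of each registered module whose
# library path ends in SUFFIX (empty output means the module is not registered).
nss_module_name() {
    awk -v want="$2" '
        /^library=/ { lib = substr($0, 9); n = length(lib) - length(want) + 1
                      hit = (n >= 1 && substr(lib, n) == want); next }
        /^name=/ && hit { print substr($0, 6); hit = 0 }' "$1"
}

# write_samples DIR: constructed sample inputs (not captured from a real system).
write_samples() {
    printf '%s\n' '# constructed sample' 'smartcard.name.mapping.extra: true' \
        '#smartcard.name.mapping: true' 'smartcard.name.mapping: false' > "$1/off.conf"
    printf '%s\n' 'smartcard.name.mapping: true' > "$1/on.conf"
    printf '%s\n' 'library=' 'name=NSS Internal PKCS #11 Module' '' \
        'library=/PLACEHOLDER/TokenPKCS11.so' 'name=Centrify PKCS #11 Module' \
        > "$1/pkcs11.txt"
}

dir=$(mktemp -d) && write_samples "$dir"
for f in on.conf off.conf; do
    if conf_is_true "$dir/$f" smartcard.name.mapping; then echo "$f: enabled"
    else echo "$f: NOT enabled"; fi
done
echo "module: $(nss_module_name "$dir/pkcs11.txt" TokenPKCS11.so)"
rm -rf "$dir"
```

To use it on a managed Mac, pass the real configuration file and the pkcs11.txt from the user's Firefox or Thunderbird profile in place of the sample files.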