Enabling Firefox and Thunderbird to access protected web sites

By default, Firefox and Thunderbird cannot be used with a smart card for secure browsing and e-mail signing, because they require a PKCS#11 module and Centrify Management Services for Mac ships with Tokend only, not with PKCS#11. However, Apple provides an open-source module, TokenPKCS11.so, which can act as a shim between Tokend and PKCS#11. Centrify provides group policies that install the TokenPKCS11.so module so that Firefox and Thunderbird get the PKCS#11 interface they need.

The following group policies, located in User Configuration > Policies > User Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy, enable Firefox and Thunderbird to be used with a smart card:

  • “Allow NSSDB based applications to use smart card”: allows NSSDB-based applications to use a smart card and adds Firefox and Thunderbird to the list of applications.
  • “NSSDB based applications allowed to use smart card”: loads the TokenPKCS11 module to the appropriate location for Firefox and Thunderbird.

To enable smart card use with Firefox and Thunderbird:

  1. Enable the “Enable smart card support” policy:

    Computer Configuration > Policies > User Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy > Enable smart card support

    Click OK.

  2. Enable the “Allow NSSDB based applications to use smart card” group policy.

    User Configuration > Policies > User Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy > Allow NSSDB based applications to use smart card

    Click OK.

  3. Open the “NSSDB based applications allowed to use smart card” group policy.

    This policy loads the TokenPKCS11 module to a specified location. Note that enabling “Allow NSSDB based applications to use smart card” automatically added the appropriate locations for Firefox and Thunderbird.

    Click OK.

  4. In the Centrify configuration file, set the smartcard.name.mapping parameter to true.

    This parameter allows the use of multi-user smart cards. See Enabling support for multi-user PIV and multi-user smart cards for more information.

  5. In a Terminal window, run adgpupdate and adreload to apply the group policy and configuration parameter changes.
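
Steps 4 and 5 scripted, as an added example that is not part of the original Centrify documentation. The file path /etc/centrifydc/centrifydc.conf and the "name: value" line syntax are assumptions (the page gives neither), and set_param and get_param are helper names made up here.

```shell
#!/bin/sh
# Added example. Assumed: config path and "name: value" syntax (not on this page).
CONF="${CONF:-/etc/centrifydc/centrifydc.conf}"

# Print the active (uncommented) value of parameter $2 in file $1; empty if unset.
get_param() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        {
            line = $0; sub(/^[ \t]*/, "", line)
            rest = substr(line, length(k) + 1)
            if (substr(line, 1, length(k)) == k && rest ~ /^[ \t]*:/) {
                sub(/^[ \t]*:[ \t]*/, "", rest); sub(/[ \t]*$/, "", rest); val = rest
            }
        }
        END { print val }' "$1"
}

# Set parameter $2 to $3 in file $1. The first matching line (active or
# commented out) becomes the setting; later active duplicates are dropped so
# the file holds one unambiguous value. Appends the line when none exists.
set_param() {
    tmp=$(mktemp) || return 1
    awk -v k="$2" -v v="$3" '
        {
            line = $0; commented = (line ~ /^[ \t]*#/)
            sub(/^[ \t]*#?[ \t]*/, "", line)
            rest = substr(line, length(k) + 1)
            if (substr(line, 1, length(k)) == k && rest ~ /^[ \t]*:/) {
                if (!done) { print k ": " v; done = 1 }
                else if (commented) print
                next
            }
            print
        }
        END { if (!done) print k ": " v }' "$1" > "$tmp" &&
    cat "$tmp" > "$1"        # rewrite in place, keeping owner and mode
    rc=$?; rm -f "$tmp"; return $rc
}

# Steps 4 and 5 of the procedure; run as root with --apply.
if [ "${1:-}" = "--apply" ]; then
    set_param "$CONF" smartcard.name.mapping true || exit 1
    echo "smartcard.name.mapping is now: $(get_param "$CONF" smartcard.name.mapping)"
    adgpupdate && adreload
fi
```

Without --apply the script only defines the helpers, so it can be sourced and tried against a copy of the configuration file first.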

To verify that Firefox and Thunderbird are configured for smart card users:

  1. Use a smart card to log in to the computer.
  2. Open Firefox (and Thunderbird) and click Options > Advanced > Certificates > Security Devices.

    You should see the Centrify PKCS #11 Module.

  3. Open Firefox (and Thunderbird) and click Options > Advanced > Certificates > View Certificates > Authorities.

    You should see U.S Government.

  4. Open Firefox and type https://10.100.2.133 in the address bar.

    You are prompted to select the certificate.

  5. After selecting the certificate, the web page should load successfully.

  6. Open Thunderbird and configure smart card e-mail.

    You should be able to send encrypted e-mail and decrypt encrypted e-mails from other users.