1. October 10, 2011

      Aladdin eToken on Ubuntu 11.10 (oneiric ocelot) amd64

      Update: In my mad rush to get everything working, I completely missed that 8.1 was released, which adds native 64-bitness. Apart from linking /usr/lib64/libeToken.so to /usr/lib/libeToken.so.8, there are no hacks required anymore! Yay!

      I’ve just installed the oneiric release candidate. And I like the changes. And I like that with a little tweaking, my eToken still works!

      I did a bare-metal install, as I’ve now upgraded to SSD. So, I’ve updated my tutorial to match.

      1. Install 11.10 amd64. Now, even though SAC amd64 is supposed to be amd64, they lied, and it ships with i386 binaries that just happen to work on amd64. So you’ll need to prep your x86_64 system with i386 goodness, by using:
        sudo apt-get install ia32-libs libhal1 opensc pcscd

        • Note that I said libhal1, in DIRECT CONTRADICTION to SafeNet’s user guide. if you don’t, you’ll see things pop up in /var/log/syslog like
          pcscd: dyn_unix.c:37:DYN_LoadLibrary() /usr/lib/pcsc/drivers/aks-ifdh.bundle/Contents/Linux/libAksIfdh.so: libhal.so.1: cannot open shared object file: No such file or directory
      2. You’ll need the 32-bit libpcsclite1 and libhal1. Simply run:
        wget http://archive.ubuntu.com/ubuntu/pool/main/p/pcsc-lite/libpcsclite1_1.7.2-2ubuntu2_i386.deb
        wget http://archive.ubuntu.com/ubuntu/pool/main/h/hal/libhal1_0.5.14-0ubuntu6_i386.deb
        dpkg -x libpcsclite1_1.7.2-2ubuntu2_i386.deb libpcsclite1-i386
        dpkg -x libhal1_0.5.14-0ubuntu6_i386.deb libhal1-i386
        sudo cp libpcsclite1-i386/lib/libpcsclite.so.1.0.0 /lib32
        sudo cp libhal1-i386/usr/lib/libhal.so.1.0.0 /usr/lib32
        sudo ln -s /usr/lib32/libhal.so.1.0.0 /usr/lib32/libhal.so.1
        sudo ln -s /lib32/libpcsclite.so.1.0.0 /lib32/libpcsclite.so.1
      3. Download the SafeNet Authentication Client for Linux 8.0. In theory you should have a support agreement with SafeNet to download this, but you CAN find it on Google, including from SafeNet themselves (hint: try SAC instead of the full spelling). Install it with
        dpkg -i SafenetAuthenticationClient-8.0.5-0_amd64.deb

      Note: if you’ve got this working before, you’ll notice that in 11.10 they’ve moved from /usr/lib being a link of /usr/lib64 to being it’s own directory; the result being the new location of /usr/lib64/libeTPkcs11.so for your PKCS11 applications.

      So there you go. If you add the /usr/lib64/libeTPkcs11.so to Firefox and Thunderbird, you should see your certificates. If you run PKIMonitor, you should be able to modify your eToken.

      For a quick verification, run

      pkcs11-tool --module /usr/lib64/libeTPkcs11.so -L

      , and you should see your eToken.

      6 Responses to “Aladdin eToken on Ubuntu 11.10 (oneiric ocelot) amd64”

      1. Ilian says:

        Tried to follow these instructions, but the token still does not work. I think everything installs fine, but in the end I get:
        # pkcs11-tool –module /usr/lib64/libeTPkcs11.so -L
        Available slots:

        Slot 0 (0x0):
        Slot 1 (0x1):
        Slot 2 (0x2):
        Slot 3 (0x3):
        Slot 4 (0x4):
        Slot 5 (0x5):

        Any ideas?

      2. geistteufel says:

        It’s because you can’t access to /dev/bus/usb

        the pcscd has to be run in root, (but eTSrv service run as the current user)
        or we have to change the right for /dev/bus/usb

      3. geistteufel says:

        try this chmod u+s /usr/sbin/pcscd
        it should work

      4. Red says:

        could you tell me how to get SAC 8.1 ? i cant find it.. :(

      5. Cesar says:

        Excellent article! but i have same problem as Ilian.

        and more information…

        # pcscd -f -d

        00000049 hotplug_libudev.c:309:HPAddDevice() Adding USB device: Rainbow iKey 2000
        00000090 readerfactory.c:934:RFInitializeReader() Attempting startup of Rainbow iKey 2000 00 00 using /usr/lib/pcsc/drivers/openct-ifd.bundle/Contents/Linux/openct-ifd.so
        00000330 dyn_unix.c:81:DYN_GetAddress() IFDHCreateChannelByName: /usr/lib/pcsc/drivers/openct-ifd.bundle/Contents/Linux/openct-ifd.so: undefined symbol: IFDHCreateChannelByName
        00000021 readerfactory.c:792:RFBindFunctions() Loading IFD Handler 2.0
        00000152 readerfactory.c:965:RFInitializeReader() Open Port 0x200000 Failed (usb:04b9/1202:libudev:0:/dev/bus/usb/002/013)
        00000016 readerfactory.c:275:RFAddReader() Rainbow iKey 2000 init failed.

      6. geistteufel says:

        Here a short tutorial to make OpenVPN work with this method above,

        so the token will work in browser, with openvpn and everything else.

        Enjoy :

        I have found a way to make it work ! at least token work fine for everything now :

        http://sck.to/X8 (little tutorial).

        Tell me if it’s ok for you.

      Leave a Reply