10 October, 2011

Aladdin eToken on Ubuntu 11.10 (oneiric ocelot) amd64

Update: In my mad rush to get everything working, I completely missed that 8.1 was released, which adds native 64-bitness. Apart from linking /usr/lib64/libeToken.so to /usr/lib/libeToken.so.8, there are no hacks required anymore! Yay! I've just installed the oneiric release candidate. And I like the changes. And I like that with a little tweaking, my eToken still works! I did a bare-metal install, as I've now upgraded to SSD. So, I've updated my tutorial to match.

  1. Install 11.10 amd64. Now, even though SAC amd64 is supposed to be amd64, they lied, and it ships with i386 binaries that just happen to work on amd64. So you'll need to prep your x86_64 system with i386 goodness, by using sudo apt-get install ia32-libs libhal1 opensc pcscd

    • Note that I said libhal1, in DIRECT CONTRADICTION to SafeNet's user guide. if you don't, you'll see things pop up in /var/log/syslog like: pcscd: dyn_unix.c:37:DYN_LoadLibrary() /usr/lib/pcsc/drivers/aks-ifdh.bundle/Contents/Linux/libAksIfdh.so: libhal.so.1: cannot open shared object file: No such file or directory
  2. You'll need the 32-bit libpcsclite1 and libhal1. Simply run:

wget http://archive.ubuntu.com/ubuntu/pool/main/p/pcsc-lite/libpcsclite1_1.7.2-2ubuntu2_i386.deb
wget http://archive.ubuntu.com/ubuntu/pool/main/h/hal/libhal1_0.5.14-0ubuntu6_i386.deb
dpkg -x libpcsclite1_1.7.2-2ubuntu2_i386.deb libpcsclite1-i386
dpkg -x libhal1_0.5.14-0ubuntu6_i386.deb libhal1-i386
sudo cp libpcsclite1-i386/lib/libpcsclite.so.1.0.0 /lib32
sudo cp libhal1-i386/usr/lib/libhal.so.1.0.0 /usr/lib32
sudo ln -s /usr/lib32/libhal.so.1.0.0 /usr/lib32/libhal.so.1
sudo ln -s /lib32/libpcsclite.so.1.0.0 /lib32/libpcsclite.so.1
  1. Download the SafeNet Authentication Client for Linux 8.0. In theory you should have a support agreement with SafeNet to download this, but you CAN find it on Google, including from SafeNet themselves (hint: try SAC instead of the full spelling). Install it with:
dpkg -i SafenetAuthenticationClient-8.0.5-0_amd64.deb

Note: if you've got this working before, you'll notice that in 11.10 they've moved from /usr/lib being a link of /usr/lib64 to being it's own directory; the result being the new location of /usr/lib64/libeTPkcs11.so for your PKCS11 applications.

So there you go. If you add the /usr/lib64/libeTPkcs11.so to Firefox and Thunderbird, you should see your certificates. If you run PKIMonitor, you should be able to modify your eToken. For a quick verification, run:

pkcs11-tool --module /usr/lib64/libeTPkcs11.so -L

and you should see your eToken.