After some tinkering I finally got a [SafeNet eToken 5110 Token-Based Authentication](https://cpl.thalesgroup.com/access-management/authenticators/pki-usb-authentication/etoken-5110-usb-token) token working for connecting to a Cisco VPN. My case is a preconfigured, PIN-protected hardware token which is needed to connect to a private VPN. If you want to create or modify such a token, you are in the wrong place here.

## Problems

- The latest SafeNet software and an old hardware token did not work together. I was only able to use an older SafeNet software version with the 5110 hardware token.
- [Existing ebuilds](https://gpo.zugaina.org/app-crypt/etoken-sac) did not work well. But I ended up doing most of the stuff [this ebuild](https://data.gpo.zugaina.org/vayerx/app-crypt/etoken-sac/) does.

## Hardware

[SafeNet eToken 5110 Token-Based Authentication](https://cpl.thalesgroup.com/access-management/authenticators/pki-usb-authentication/etoken-5110-usb-token)

lsusb output:

```
Bus 001 Device 009: ID 0529:0620 Aladdin Knowledge Systems Token JC
```

## Software

- Gentoo with kernel version `5.4.38-gentoo`, no-multilib
- [SafeNetAuthenticationClient-9.0.43-0_amd64.deb](https://support.comodo.com/index.php?/Knowledgebase/Article/View/1211/0/safenet-download-for-ev-codesigning-certificates)

The following packages, each with the latest stable version available as of this writing:

```
net-libs/gnutls USE="cxx idn nls openssl pkcs11 seccomp tls-heartbeat tools"
sys-apps/pcsc-lite USE="policykit udev"
sys-apps/pcsc-tools
net-vpn/openconnect USE="gnutls nls"
dev-libs/opensc USE="pcsc-lite readline ssl zlib"
```

## Setup

Since I do not use an ebuild, I write down the files I've copied to make an uninstall easier.

After installing the required packages, create an empty folder in which you store all the SafeNet and VPN stuff. Download the .deb package and place it in this new folder. Unpack the deb file with `ar x filename.deb`. You only need the `data.tar.gz` file. Unpack it with `tar -xvf data.tar.gz`.
Change into `lib` and create symlinks so that the directory looks like this:

```
lrwxrwxrwx libcardosTokenEngine.so -> libcardosTokenEngine.so.9.0.43
lrwxrwxrwx libcardosTokenEngine.so.9 -> libcardosTokenEngine.so.9.0.43
lrwxrwxrwx libcardosTokenEngine.so.9.0 -> libcardosTokenEngine.so.9.0.43
-rwxr-xr-x libcardosTokenEngine.so.9.0.43
lrwxrwxrwx libeTokenHID.so -> libeTokenHID.so.9.0.43
lrwxrwxrwx libeTokenHID.so.9 -> libeTokenHID.so.9.0.43
lrwxrwxrwx libeTokenHID.so.9.0 -> libeTokenHID.so.9.0.43
-rwxr-xr-x libeTokenHID.so.9.0.43
lrwxrwxrwx libeToken.so -> libeToken.so.9.0.43
lrwxrwxrwx libeToken.so.9 -> libeToken.so.9.0.43
lrwxrwxrwx libeToken.so.9.0 -> libeToken.so.9.0.43
-rwxr-xr-x libeToken.so.9.0.43
lrwxrwxrwx libeTPkcs11.so -> libeToken.so.9.0.43
lrwxrwxrwx libetvTokenEngine.so -> libetvTokenEngine.so.9.0.43
lrwxrwxrwx libetvTokenEngine.so.9 -> libetvTokenEngine.so.9.0.43
lrwxrwxrwx libetvTokenEngine.so.9.0 -> libetvTokenEngine.so.9.0.43
-rwxr-xr-x libetvTokenEngine.so.9.0.43
lrwxrwxrwx libiKeyTokenEngine.so -> libiKeyTokenEngine.so.9.0.43
lrwxrwxrwx libiKeyTokenEngine.so.9 -> libiKeyTokenEngine.so.9.0.43
lrwxrwxrwx libiKeyTokenEngine.so.9.0 -> libiKeyTokenEngine.so.9.0.43
-rwxr-xr-x libiKeyTokenEngine.so.9.0.43
lrwxrwxrwx libSACLog.so -> libSACLog.so.9.0.43
lrwxrwxrwx libSACLog.so.9 -> libSACLog.so.9.0.43
lrwxrwxrwx libSACLog.so.9.0 -> libSACLog.so.9.0.43
-rwxr-xr-x libSACLog.so.9.0.43
lrwxrwxrwx libSACUI.so -> libSACUI.so.9.0.43
lrwxrwxrwx libSACUI.so.9 -> libSACUI.so.9.0.43
lrwxrwxrwx libSACUI.so.9.0 -> libSACUI.so.9.0.43
-rwxr-xr-x libSACUI.so.9.0.43
```

Now you can copy those files and symlinks to `/usr/lib64/` with `cp -av`. Only the lib files are needed. Copy the binaries from `usr/bin/` to `/usr/bin/`. Create the folder with `mkdir -p /usr/lib64/readers/usb/` and copy `usr/share/eToken/drivers/aks-ifdh.bundle` into it with `cp -avR`.
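The symlink layout above follows one pattern per library (`libX.so`, `libX.so.9` and `libX.so.9.0` all pointing at `libX.so.9.0.43`, plus the `libeTPkcs11.so` alias for `libeToken.so.9.0.43`). The following script, an added example and not part of the original post or the SafeNet package, recreates that layout for every versioned library in a directory and checks afterwards that no link is dangling; it assumes SAC version 9.0.43 as used in this post.

```shell
#!/bin/sh
# Added example (not from the original post): recreate the SafeNet
# library symlink layout and verify it. Assumes SAC version 9.0.43.
set -eu

SAC_VERSION="9.0.43"

# link_sac_libs DIR: for each libX.so.9.0.43 in DIR create
#   libX.so, libX.so.9 and libX.so.9.0 -> libX.so.9.0.43
# plus the PKCS#11 alias libeTPkcs11.so -> libeToken.so.9.0.43.
# Existing links are replaced; the real files are made executable.
link_sac_libs() {
    dir="$1"
    major="${SAC_VERSION%%.*}"     # 9
    minor="${SAC_VERSION%.*}"      # 9.0
    for full in "$dir"/lib*.so."$SAC_VERSION"; do
        [ -e "$full" ] || continue
        base="${full%.so.$SAC_VERSION}"   # path without the .so.9.0.43 part
        for suffix in "" ".$major" ".$minor"; do
            ln -sf "$(basename "$full")" "$base.so$suffix"
        done
        chmod 0755 "$full"
    done
    if [ -e "$dir/libeToken.so.$SAC_VERSION" ]; then
        ln -sf "libeToken.so.$SAC_VERSION" "$dir/libeTPkcs11.so"
    fi
}

# check_sac_links DIR: report every symlink in DIR that does not resolve.
# Returns 1 if any broken link was found, 0 otherwise.
check_sac_links() {
    dir="$1"
    rc=0
    for link in "$dir"/*.so "$dir"/*.so.[0-9]*; do
        [ -L "$link" ] || continue
        if [ ! -e "$link" ]; then
            echo "broken symlink: $link" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage from the unpacked package:  link_sac_libs lib && check_sac_links lib
```

Run it inside the unpacked `data.tar.gz` tree before copying to `/usr/lib64/`, so a typo in a link shows up as a broken-link report rather than as a PKCS#11 module that fails to load.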
Change into `/usr/lib64/readers/usb/aks-ifdh.bundle/Contents/Linux/` and make sure the files look like this:

```
lrwxrwxrwx libAksIfdh.so -> libAksIfdh.so.9.0
lrwxrwxrwx libAksIfdh.so.9 -> libAksIfdh.so.9.0
-rwxr-xr-x libAksIfdh.so.9.0
```

Now make sure the binaries can be executed and all the files have the correct ownership.

Create the file `eToken.module` in `/etc/pkcs11/modules/` and place the following content in it:

```
module: /usr/lib64/libeTPkcs11.so
```

Create or use this [init script](https://data.gpo.zugaina.org/vayerx/app-crypt/etoken-sac/files/) in `/etc/init.d/` for starting `/usr/bin/SACSrv`. Now start the needed daemons, in this order:

```
/etc/init.d/pcscd start
/etc/init.d/SACSrc start
```

After that a `pcsc_scan` should show your token (output modified). The command keeps running until you stop it:

```
Scanning present readers...
0: AKS ifdh [eToken 5110 SC] 00 00

Reader 0: AKS ifdh [eToken 5110 SC] 00 00
  Event number: 0
  Card state: Card inserted, Shared Mode,
  ATR: 3B D5 18 00 81 31 FE 7D 80 73 C8 21 10 F4

ATR: 3B D5 18 00 81 31 FE 7D 80 73 C8 21 10 F4
+ TS = 3B --> Direct Convention
+ T0 = D5, Y(1): 1101, K: 5 (historical bytes)
```

Now comes the fun part: finding the [right value for openconnect](https://www.infradead.org/openconnect/pkcs11.html). Run `p11tool --list-tokens` to get the URL for your token. It should look like this:

```
Token 1:
	URL: pkcs11:model=eToken;manufacturer=SafeNet%2C%20Inc.;serial=0000000;token=some-label
	Label: some-label
	Type: Hardware token
	Flags: RNG, Requires login
	Manufacturer: SafeNet, Inc.
	Model: eToken
	Serial: 0000000
	Module: /usr/lib64/libeTPkcs11.so
```

Use the above URL with the next command: `p11tool --login --list-all-certs 'pkcs11:model=eToken;manufacturer=SafeNet%2C%20Inc.;serial=0000000;token=some-label'`. It should list all the available certs and prompt you for the PIN.
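The two lookups above (token URL from `p11tool --list-tokens`, then the certificate URL from `p11tool --login --list-all-certs`) can be scripted so that only an object with `type=cert` is ever handed to `openconnect -c`. The functions below are an added example, not part of the original post or of p11tool; the sample outputs are constructed in the shape p11tool prints (serial and label are placeholders), and the `p11-kit-trust` entry stands in for other tokens on the same machine.

```shell
#!/bin/sh
# Added example (not from the original post): pick the pkcs11: URLs
# that the post looks up by hand. Sample outputs below are constructed.

# token_url_for_model MODEL: read `p11tool --list-tokens` output on stdin
# and print the URL of every token whose "Model:" line equals MODEL.
token_url_for_model() {
    awk -v want="$1" '
        /^Token [0-9]+:/ { url = "" }
        /^[ \t]*URL:/   { sub(/^[ \t]*URL:[ \t]*/, ""); url = $0 }
        /^[ \t]*Model:/ { sub(/^[ \t]*Model:[ \t]*/, "")
                          if ($0 == want && url != "") print url }'
}

# cert_urls: read `p11tool --list-all-certs` (or --list-all) output on stdin
# and print only certificate object URLs (type=cert), so a private- or
# public-key object sharing the same id is never picked by mistake.
cert_urls() {
    sed -n 's/^[[:space:]]*URL:[[:space:]]*\(pkcs11:.*;type=cert\)[[:space:]]*$/\1/p'
}

# first_cert_url: exactly one URL, or a non-zero exit when the token
# holds no certificate at all (openconnect -c would otherwise get nothing).
first_cert_url() {
    url=$(cert_urls | head -n 1)
    [ -n "$url" ] || { echo "no certificate object on token" >&2; return 1; }
    printf '%s\n' "$url"
}

# Constructed sample of `p11tool --list-tokens` (two tokens present).
TOKENS_SAMPLE='Token 0:
    URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
    Label: System Trust
    Model: p11-kit-trust
Token 1:
    URL: pkcs11:model=eToken;manufacturer=SafeNet%2C%20Inc.;serial=0000000;token=some-label
    Label: some-label
    Model: eToken
    Module: /usr/lib64/libeTPkcs11.so'

# Constructed sample of `p11tool --login --list-all`: key first, then cert.
CERTS_SAMPLE='Object 0:
    URL: pkcs11:model=eToken;manufacturer=SafeNet%2C%20Inc.;serial=0000000;token=some-label;id=%25%43%64%32%F7%B1%AE%C7;object=%7B7e206816-cdce-4360-ae64-ea65c3277523%7D;type=private
    Type: Private key (RSA-1024)
Object 1:
    URL: pkcs11:model=eToken;manufacturer=SafeNet%2C%20Inc.;serial=0000000;token=some-label;id=%25%43%64%32%F7%B1%AE%C7;object=%7B7e206816-cdce-4360-ae64-ea65c3277523%7D;type=cert
    Type: X.509 Certificate (RSA-1024)'
```

On a real system the pipelines are `p11tool --list-tokens | token_url_for_model eToken` and `p11tool --login --list-all-certs "$token_url" | first_cert_url`; the second one prompts for the PIN exactly as the manual command does.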
In my case there is only one:

```
Object 0:
	URL: pkcs11:model=eToken;manufacturer=SafeNet%2C%20Inc.;serial=0000000;token=some-label;id=%25%43%64%32%F7%B1%AE%C7;object=%7B7e206816-cdce-4360-ae64-ea65c3277523%7D;type=cert
	Type: X.509 Certificate (RSA-1024)
	Expires: Mon May 29 09:43:02 2023
	Label: {7e206816-cdce-4360-ae64-ea65c3277523}
	ID: 25:43:64:32:f7:b1:ae:c7
```

The URL of this object is the one needed for the openconnect command:

```
openconnect -c 'pkcs11:model=eToken;manufacturer=SafeNet%2C%20Inc.;serial=0000000;token=some-label;id=%25%43%64%32%F7%B1%AE%C7;object=%7B7e206816-cdce-4360-ae64-ea65c3277523%7D;type=cert' https://endpoint.url
```

This should trigger the PIN input and then ask for your username and password:

```
POST https://endpoint.url
Connected to 1.1.1.1:443
PIN required for some-label
Enter PIN:
Using client certificate 'some-label'
SSL negotiation with endpoint.url
Connected to HTTPS on endpoint.url with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)
POST https://endpoint.url
SSL negotiation with endpoint.url
Connected to HTTPS on endpoint.url with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)
XML POST enabled
Please enter your username and password.
Username:
Password:
POST https://endpoint.url
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 30, Keepalive 20
Connected as 1.1.1.225, using SSL, with DTLS in progress
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS1.2)-(ECDHE-RSA)-(AES-256-GCM).
```

Done. You are now connected. To end the connection simply press `Ctrl+C` and make sure no openconnect process is still running.

Jun 14 2020 © https://www.bananas-playground.net 2000 - 2025