Show Contents / Index / Search

Glossary of Terms


The process of reliably determining the identity of a communicating party. Identity can be proven by something you know (such as a password), something you have (such as a private key or token), or something intrinsic about you (such as a fingerprint).

authentication server (AS)

A service of the KDC (Key Distribution Center) that issues authentication credentials for a principal. When a user requests a service that requires Kerberos authentication, the AS consults the Principals database for valid principals and passwords, then issues a set of authentication credentials, which includes a TGT (ticket-granting ticket).

CA (certification authority)

A server, in a trusted organization, which issues digital certificates. The CA manages the issuance of new certificates and revokes certificates that are no longer valid for authentication. A CA may also delegate certificate issuance authority to one or more intermediate CAs creating a chain of trust. The highest level CA certificate is referred to as the trusted root.


A cipher is an encryption algorithm. The cipher you select determines which mathematical algorithm is used to obscure the data being sent after a successful Secure Shell connection has been established.

credentials cache

The location of stored credentials. Credentials consist of session keys, TGTs, and service tickets issued to a client by the KDC. The client uses its credentials to authenticate itself when it requests a service.

credentials file

This file is used by a client to authenticate itself when it requests a service. The credentials file stores the session keys, TGTs, and service tickets issued to the client by the KDC.

If your system administrator has installed a configuration file, Reflection Kerberos Manager automatically sets a default credentials filename and location the first time you start. If not, specify a credentials filename and location in the Initial Configuration dialog box, or use the suggested default (your Windows personal documents folder). You can modify the credential storage location for each principal profile using Kerberos Manager.

CRL (Certificate Revocation List)

A digitally signed list of certificates that have been revoked by the Certification Authority. Certificates identified in a CRL are no longer valid.

digital certificate

An integral part of a PKI (Public Key Infrastructure). Digital certificates are issued by a certification authority (CA), which ensures the validity of the information in the certificate. Each certificate contains identifying information about the certificate owner, a copy of the certificate owner's public key (used for encrypting and decrypting messages and digital signatures), and a digital signature (generated by the CA based on the certificate contents). The digital signature is used by a recipient to verify that the certificate has not been tampered with and can be trusted.


Encryption is the process of scrambling data by use of a secret code or cipher so it is unreadable except by authorized users. Encrypted data is far more secure than unencrypted data.


Also called a message digest, a hash or hash value is a fixed-length number generated from variable-length digital data. The hash is substantially smaller than the original data, and is generated by a formula in such a way that it is statistically unlikely that some other data will produce the same hash value.

hosts file

A list that maps recognizable host names to Internet addresses, similar to a domain name system. You can use a hosts file whether there is a domain name server on your network.


Hotspots are specific areas or text that are associated with host functions, macros, or commands. When enabled, hotspots appear in the terminal area of a display session.

KDC (Key Distribution Center)

The security server that maintains the database of principal information, uses the information in the database to authenticate users, and controls access to kerberized services in a realm.


A host, server, or client application that has been modified to use Kerberos for authentication and encryption.


A protocol that uses a trusted third party to enable secure communications over a TCP/IP network. The protocol uses encrypted tickets rather than plain-text passwords for secure network authentication.


A layout is a settings file that you can create to restore your workspace and all open documents. It also restores the workspace position and tab properties of open documents.

LDAP (Lightweight Directory Access Protocol)

A standard protocol that can be used to store information in a central location and distribute that information to users.

OCSP (Online Certificate Status Protocol)

A protocol (using the HTTP transport) that can be used as an alternative to CRL checking to confirm whether a certificate is valid. An OCSP responder responds to certificate status requests with one of three digitally signed responses: "good", "revoked", and "unknown". Using OCSP removes the need for servers and/or clients to retrieve and sort through large CRLs.

Office Tools

The Office Tools feature allows you to integrate host data with Microsoft Office applications, if those applications are installed on your computer. You can create Word documents and PowerPoint presentations, send e-mail, schedule appointments, add notes and tasks, and create new contacts.


A passphrase is similar to a password, except it can be a phrase with a series of words, punctuation, numbers, white space, or any string of characters. Passphrases improve security by limiting access to secure objects, such as private keys and/or a key agent.


PKCS (Public Key Cryptography Standards) is a set of standards devised and published by RSA laboratories that enable compatibility among public key cryptography implementations.

Different PKCS standards identify specifications for particular cryptographic uses, for example:

  • PKCS#7 can be used to sign and/or encrypt messages. It can also be used to store certificates and to disseminate certificates (for instance as a response to a PKCS#10 message).
  • PKCS#10 is a certification request syntax.
  • PKCS#11 is a programming interface used for cryptographic hardware tokens.
  • PKCS#12 defines the personal information exchange syntax used for storage and transportation of certificates and associated private keys. Files in this format typically use a *.pfx or *.p12 extension.
port forwarding

A way to redirect unsecured traffic through a secure SSH tunnel. Two types of port forwarding are available: local and remote. Local (also called outgoing) port forwarding sends outgoing data sent from a specified local port through the secure channel to a specified remote port. You can configure a client application to exchange data securely with a server by configuring the client to connect to the redirected port instead of directly to the computer running the associated server. Remote (also called incoming) port forwarding sends incoming data from a specified remote port through the secure channel to a specified local port.


Any user, client, network service, application, or host system that is recognized by the Kerberos server. Each principal has a unique name within a realm. The format of a full principal name is:

<principal name>@<realm name>

If the realm name is omitted, the default realm is assumed.

principal profile

A collection of information that defines who you are (your principal and realm names) and which settings you want to use (requested ticket lifetime, how your credentials should be stored, and the name of your profile).

principals database

A database containing valid principals and passwords for a particular realm. Each realm has its own credentials database. This database is part of the KDC (Key Distribution Center).

Privacy Filters

This feature provides a way to filter out sensitive data (for example, Social Security or account numbers), and refrain from displaying it in productivity features, such as Office Tools integration, Screen History, Recent Typing, and Auto Complete, and to obscure data from the Print Screen and Cut/Copy/Paste commands.

product installation folder

The default is \Program Files\Attachmate\Reflection2011.

Public Key Infrastructure (PKI)

PKI is a framework of policies, services, and encryption software used for authentication and encryption of sensitive information. The PKI framework depends on trusted third parties called certification authorities (CAs), which issue digital certificates.

public key/private key

Public keys and private keys are pairs of cryptographic keys that are used to encrypt or decrypt data. Data encrypted with the public key can only be decrypted with the private key; and data encrypted with the private key can only be decrypted with the public key.


The name applied to a group of Kerberos principals on a network. All principals in a Kerberos realm are governed by the same Kerberos policies. The realm name is often similar to, or the same as, the domain name. The realm name is case sensitive — typically uppercase in a Kerberos environment.

Recent Typing

Using the Recent Typing gallery or task pane, you can quickly view and select from a list of recently typed items, and send the selected string to the active document. This eliminates the need to manually re-enter information, saving time, and reducing errors when entering commonly-typed commands or field data.

Scratch Pad

Use the Scratch Pad to keep notes associated with a session. From the task pane you can print or save the Scratch Pad notes as .RTF or .TXT files.

Screen History

Screen History creates recordings of IBM 3270 and 5250 host screens as you navigate to them. VT screens can be recorded using manual capture. You can view and/or verify the information from those screens, and send multiple host screens to Microsoft Word, PowerPoint, and Outlook (Email Message and Note only), if they are installed on your computer.

secret key cryptography

In this form of cryptography, which is sometimes referred to as symmetric cryptography, data is encrypted and decrypted using the same key or shared secret quantity.

Secure Shell

A protocol for securely logging onto a remote computer and executing commands. It provides a secure alternative to Telnet, FTP, rlogin, or rsh. Secure Shell connections require both server and user authentication, and all communications pass between hosts over an encrypted communication channel. You can also use Secure Shell connections to forward X11 sessions or specified TCP/IP ports through the secure tunnel.

service ticket

To gain access to a service that requires Kerberos authentication, the client application must present a valid service ticket. The KDC issues the service ticket when Reflection Kerberos sends a valid TGT and requests a ticket to the service.

A service ticket typically remains valid for the life of the TGT. A new service ticket is required to log into a different host, or to use a different service on the same host.

services provider

A kerberized server that processes the requests of its clients. Services providers are often running as server daemons, such as telnetd or ftpd, on host machines.


SOCKS is a software protocol used in conjunction with a firewall host system to provide secure, controlled access to internal and external networks. When you request a network connection from a SOCKS-enabled application, the SOCKS Client software communicates with the SOCKS server software to determine if the connection is allowed. If it is, the connection is established. If it is not, the SOCKS server rejects the connection request.


The Secure Sockets Layer protocol (SSL) and its compatible successor, the Transport Layer Security protocol (TLS), enable a client and server to established a secure, encrypted connection over a public network. When you connect using SSL/TLS, the client authenticates the server before making a connection, and all data passed between Reflection and the server is encrypted.


A template includes all of the settings specific to documents. When you create a new document based on this template, it is configured identically, except that it prompts the user for a new name.

TGT request

A request for a ticket-granting ticket sent by the Reflection Kerberos client application to the KDC (Key Distribution Center).

ticket lifetime

Refers to the the period of time for which a ticket-granting ticket is valid. The user can request a ticket lifetime value when requesting a ticket-granting ticket. The server determines the maximum ticket lifetime. The default is eight hours (8h).

ticket-granting server (TGS)

The component of the KDC (Key Distribution Center) that issues service tickets to clients requesting services from a kerberized application. The Reflection Kerberos client sends a request to the TGS containing the identity of the principal. If the TGS verifies that the principal and realm are valid, it sends a TGT and a session key (encrypted using a key derived from the principal's password which is stored on the KDC) to the Reflection Kerberos client.

ticket-granting ticket (TGT)

The KDC generates a ticket-granting ticket (TGT) when a user requests access to a service that requires Kerberos authentication.

The Reflection Kerberos client uses the TGT to obtain service tickets each time the user requests access to a kerberized application. The user does not have to authenticate again until the ticket-granting ticket expires.

trusted host

A trusted host is one for which you hold the public key.

URI (Uniform Resource Identifier)

A string of characters that represents the location or address of a resource. URIs can be used to locate resources on the Internet or on an LDAP server.

Windows common application data folder

Note: The application data folder is hidden by default.

The default is:

  • Windows 7, Windows Vista, Windows Server 2008:
  • Windows XP, Windows Server 2003:
    \Documents and Settings\all users\Application Data\
Windows personal application data folder

Note: The personal application data folder is hidden by default.

The default personal roaming application data folder is:

  • Windows 7, Windows Vista, Windows Server 2008:
  • Windows XP, Windows Server 2003:
    \Documents and Settings\username\Application Data\
Windows personal documents folder

The default is:

  • Windows 7, Windows Vista, Windows Server 2008:
  • Windows XP, Windows Server 2003:
    \Documents and Settings\username\My Documents\
Workspace Menu

The Workspace menu contains layout options, application and document settings, and a list of recent documents. It is accessed by clicking the Reflection button The Reflection button (when using the Office 2007 look and feel) or the File menu (when using the Office 2010 look and feel).