Configure PKI Services Manager on Windows
Before Reflection PKI Services Manager can validate certificates, you need to customize the default configuration file and map file. Use the following procedure to get started; many additional variations are possible.
Note: Reflection PKI Services Manager supports central management of PKI settings. You can install and configure a single instance of PKI Services Manager to provide certificate validation services for all supported Attachmate products.
To set up your configuration and map files
- Log in as an administrator on the PKI Services Manager server.
- Start the PKI Services Manager console:
Programs > Attachmate Reflection > Utilities > PKI Manager
Note: On Windows, starting the console or the service for the first time initializes PKI Services Manager. This creates the required data folders and default settings files. If these folders already exist, they are not changed; PKI Services Manager uses your existing data files and folders. (On UNIX the install script automatically initializes PKI Services Manager if required, and starts the service.)
- Put a copy of the certificate you want to designate as a trust anchor into your local store. Every certificate that chains to this anchor will be treated as trusted, so confirm the anchor's fingerprint through a channel independent of the one you obtained the file from before you add it. The default PKI Services Manager store is in the following location:
\Attachmate\ReflectionPKI\local-store
- From the Trusted Chain pane, add your trust anchor to the list of trust anchors. After you click Add, you can browse to select your certificate from your local store, the Windows store, or from a file anywhere on your system. If intermediate certificates are required by the chain of trust in your certificates, configure access to these certificates.
- From the Revocation pane, configure certificate revocation checking.
Note: By default, PKI Services Manager looks for CRLs in the local store. If you use this configuration, you need to copy the CRLs to your local store yourself and replace them when the CA publishes updated ones.
- From the Identity Mapper pane, add rules to determine which identities can authenticate with a valid certificate.
After a certificate is determined to be valid, rules are processed in order (first by rule type, then by sequence within that type). If the certificate meets the requirements defined in the rule's conditional expression (or if the rule has no condition), the allowed identities specified in that rule are allowed to authenticate. No additional rules are applied after the first match.
Note: When you create rules for authentication of Windows domain users, you need to include both the domain and user name in this format: domain\user.
- Click File > Save.
- Start the PKI Services Manager service if it isn't already running.
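As an added example (not from the Reflection documentation or the product itself), the following PowerShell script does the file-handling parts of the procedure above from the command line: it checks the trust anchor (self-issued, marked as a CA, inside its validity period), verifies with X509Chain that each intermediate certificate really chains to that anchor and to nothing else, confirms each CRL parses and reports its NextUpdate, copies the files into the local store, and starts the service. The file paths, the -LocalStore value, the choice to provide intermediates and CRLs by copying them into the local store, and the Get-Service display-name pattern are all assumptions; the Trusted Chain, Revocation and Identity Mapper pane settings still have to be made in the console.

```powershell
<#
  Added example; not from the Reflection PKI Services Manager documentation or product.
  Checks the files the console steps above ask for (trust anchor, intermediates, CRLs)
  before they are copied into the local store, then starts the service.
  Assumptions, not product facts: every file path, that you provide intermediates and
  CRLs by copying them into the local store, and the Get-Service display-name pattern.
#>
param(
    [Parameter(Mandatory)] [string]$AnchorPath,            # root CA .cer you will designate as trust anchor
    [string[]]$IntermediatePaths = @(),                    # issuing CA certs needed to complete chains
    [string[]]$CrlPaths = @(),                             # CRL files for the CAs above
    [Parameter(Mandatory)] [string]$LocalStore,            # the local-store folder shown in the console
    [string]$ServiceDisplayName = '*PKI Services Manager*' # assumed wildcard; confirm in services.msc
)
$ErrorActionPreference = 'Stop'

function Get-Cert([string]$Path) {
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (Resolve-Path $Path).Path
}

# A trust anchor is accepted without further checking, so inspect it before installing it.
function Test-TrustAnchor([string]$Path) {
    $cert = Get-Cert $Path
    $problems = @()
    if ($cert.Subject -ne $cert.Issuer) { $problems += "not self-issued (issuer: $($cert.Issuer))" }
    $bc = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not $bc -or -not $bc.CertificateAuthority) { $problems += 'BasicConstraints does not mark it as a CA' }
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { $problems += "outside validity period ($($cert.NotBefore) to $($cert.NotAfter))" }
    [pscustomobject]@{ Path = $Path; Subject = $cert.Subject; Thumbprint = $cert.Thumbprint; Problems = $problems }
}

# Build a real signature chain from an intermediate up to the anchor, using only the anchor
# as a root, so a wrong or tampered intermediate is caught before it reaches the store.
function Test-ChainsToAnchor([string]$CertPath, [System.Security.Cryptography.X509Certificates.X509Certificate2]$Anchor) {
    $cert  = Get-Cert $CertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null  = $chain.ChainPolicy.ExtraStore.Add($Anchor)
    $chain.ChainPolicy.RevocationMode    = 'NoCheck'                          # revocation is PKI Services Manager's job
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority' # anchor need not be in the Windows root store
    $null  = $chain.Build($cert)
    $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    # UntrustedRoot is expected (we allowed it); anything else (bad signature, partial chain, expiry) is a failure.
    $errors = @($chain.ChainStatus | Where-Object { $_.Status -ne 'UntrustedRoot' } | ForEach-Object { $_.StatusInformation.Trim() })
    [pscustomobject]@{ Path = $CertPath; Subject = $cert.Subject
                       TerminatesAtAnchor = ($root.Thumbprint -eq $Anchor.Thumbprint); Errors = $errors }
}

$report = Test-TrustAnchor $AnchorPath
$report | Format-List
if (@($report.Problems).Count) { throw "Refusing to install trust anchor: $($report.Problems -join '; ')" }
$anchor = Get-Cert $AnchorPath

foreach ($p in $IntermediatePaths) {
    $r = Test-ChainsToAnchor -CertPath $p -Anchor $anchor
    if (-not $r.TerminatesAtAnchor -or $r.Errors.Count) {
        throw "Intermediate $p does not chain cleanly to the anchor: $($r.Errors -join '; ')"
    }
}

foreach ($c in $CrlPaths) {
    $dump = & certutil.exe -dump $c        # exit code 0 only if the CRL parses
    if ($LASTEXITCODE -ne 0) { throw "certutil could not parse CRL $c" }
    $next = $dump | Select-String 'NextUpdate' | Select-Object -First 1
    if ($next) { Write-Host "$c -> $($next.Line.Trim())  (refresh the file before this date)" }
}

# Only after every check passes do the files go into the store the console reads from.
New-Item -ItemType Directory -Path $LocalStore -Force | Out-Null
Copy-Item -Path (@($AnchorPath) + $IntermediatePaths + $CrlPaths) -Destination $LocalStore
Write-Host "Trust anchor installed; record its thumbprint out of band: $($anchor.Thumbprint)"

$svc = Get-Service -DisplayName $ServiceDisplayName | Select-Object -First 1
if ($svc.Status -ne 'Running') { Start-Service -Name $svc.Name }
Get-Service -Name $svc.Name | Select-Object Name, DisplayName, Status
```

Run it from an elevated prompt on the PKI Services Manager server, for example `.\Prepare-PkiStore.ps1 -AnchorPath C:\certs\root.cer -IntermediatePaths C:\certs\issuing.cer -CrlPaths C:\certs\root.crl -LocalStore <your local-store folder>`, then add the anchor from the Trusted Chain pane and configure revocation and identity mapping as described above. The chain check deliberately allows only an untrusted-root status: it proves the intermediate's signature under your anchor without first having to install the anchor in the Windows root store.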