Configure PKI Services Manager on UNIX
Installing the server on UNIX automatically initializes the server and starts the service. However, before Reflection PKI Services Manager can validate certificates, you need to customize the default configuration and map files. Use the following procedures to get started; many additional variations are possible. For more information, see PKI Services Manager Configuration File Reference and PKI Services Manager Map File Reference.
To set up your configuration and map files
- Log in as root on the Reflection PKI Services Manager server.
- Install Reflection PKI Services Manager.
- Put a copy of the certificate you want to designate as a trust anchor into your local store. The default PKI Services Manager store is in the following location:
/opt/attachmate/pkid/local-store
- Open the PKI Services Manager configuration file in a text editor. The default name and location is:
/opt/attachmate/pkid/config/pki_config
- Use the TrustAnchor keyword to identify your trust anchor. For example:
TrustAnchor = trustedca.crt
-or-
TrustAnchor = CN=SecureCA,O=Acme,C=US
Note: To configure multiple trust anchors, add additional TrustAnchor lines.
- Configure certificate revocation checking. For example:
To use CRLs stored on an LDAP server:
    RevocationCheckOrder = crlserver
    CRLServers=ldap://crlserver
To use an OCSP responder:
    RevocationCheckOrder = ocsp
    OCSPResponders = http://ocspresponder
Note: By default, PKI Services Manager looks for CRLs in the local store. If you keep the default configuration, you need to copy the CRLs to your local store.
- If intermediate certificates are required by the chain of trust in your certificates, configure access to these certificates. For example:
To use intermediate certificates you have added to your local store:
    CertSearchOrder=local
To use certificates stored on an LDAP server:
    CertSearchOrder=certserver
    CertServers=ldap://ldapserver
- Save your changes to the configuration file.
- Open the PKI Services Manager map file in a text editor. The default name and location is:
/opt/attachmate/pkid/config/pki_mapfile
- Add one or more rules that map the contents of a valid certificate to the identities that are allowed to authenticate with it, and save your changes to the map file. For example:
RuleType = user
{root joe fred susan} UPN.host Equals "acme.com"
RuleType = host
{acme.com} Subject.CN Contains "acme"
For more sample rules, see Sample PKI Services Manager Mapping Rules.
Note: After a certificate is determined to be valid, rules are processed in order (based on rule type then sequence). If the certificate meets the requirements defined in the conditional expression (or if the rule has no condition), the allowed identities specified in that rule are allowed to authenticate. No additional rules are applied after the first match.
- Test that the PKI Services Manager configuration is valid:
/usr/local/sbin/pkid -k
If the configuration is valid, the command reports:
No errors. Configuration is valid:
- Restart Reflection PKI Services Manager.
/usr/local/sbin/pkid restart
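As an added example (not part of the product documentation or the product's own code), the following Python script models the map-file processing described in the note above: it parses a small constructed pki_mapfile, then applies the rules of the requested type in file order and stops at the first match, including a rule with no condition. The operator semantics are simplified assumptions (case-sensitive Equals and Contains, rules grouped per RuleType, user rules assumed until a RuleType line is seen); consult the Map File Reference for the product's exact behaviour.

```python
import re

# Constructed sample map file, modelled on the two rules on this page plus an
# unconditional fallback rule; it is not the product's own file.
SAMPLE_MAPFILE = """
RuleType = user
{root joe fred susan} UPN.host Equals "acme.com"
{guest}
RuleType = host
{acme.com} Subject.CN Contains "acme"
"""

# {identities} [attribute Equals|Contains "value"]  (the condition is optional)
RULE_RE = re.compile(r'^\{([^}]*)\}\s*(?:(\S+)\s+(Equals|Contains)\s+"([^"]*)")?$')

def parse_mapfile(text):
    """Return (rule_type, identities, attr, op, value) tuples in file order."""
    rules, rule_type = [], "user"        # assumption: user rules until RuleType seen
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'^RuleType\s*=\s*(\w+)$', line, re.IGNORECASE)
        if m:
            rule_type = m.group(1).lower()
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable map rule: {line}")
        rules.append((rule_type, m.group(1).split(), m.group(2), m.group(3), m.group(4)))
    return rules

def condition_holds(cert, attr, op, value):
    """Evaluate one rule condition against a dict of certificate fields."""
    if attr is None:                     # a rule with no condition always matches
        return True
    actual = cert.get(attr)
    if actual is None:
        return False
    return actual == value if op == "Equals" else value in actual

def allowed_identities(rules, cert, rule_type):
    """First matching rule of the requested type wins; later rules are ignored."""
    for rtype, ids, attr, op, value in rules:
        if rtype == rule_type and condition_holds(cert, attr, op, value):
            return ids
    return []                            # no rule matched: nothing may authenticate
```

Because the first match decides, an unconditional rule placed before the conditional ones would grant its identities to every valid certificate, so order the fallback last.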