DOD PKI Information

This section describes how to install, configure, and use Reflection PKI Services Manager to operate within the Department of Defense (DOD) or other Public Key Infrastructure (PKI) environment.

Installing and Removing Trust Points

A trust point is any CA certificate in a chain of trust.

Note: Reflection PKI Services Manager uses only those trust points that you have explicitly configured. Certificates in other stores are not used unless you configure this.

To install and configure a trust anchor

  1. Copy the certificate to the local certificate store. The default store location is:

    Operating System    Default local certificate store
    Windows             common application data folder\Attachmate\ReflectionPKI\local-store
    Unix                /opt/attachmate/pkid/local-store

    Note: You can configure other store locations. In the pki_config configuration file use the LocalStore keyword. Or, from the PKI Services Manager console (Windows only), go to Local Store > Add.

  2. Configure PKI Services Manager to use this certificate:

    Using this            Do this
    Console               Trusted Chain > Trust Anchors > Add > Browse
                          Save and reload your modified configuration.
    Configuration file    Open pki_config and configure the TrustAnchor keyword. For example:

                          TrustAnchor = myTrustedCA.cer

  3. Save and reload your modified configuration.

To remove a trust anchor

  1. Remove the certificate from your list of trust anchors.

    Using this            Do this
    Console               Trusted Chain > Trusted Anchors > Remove
                          Save and reload your modified configuration.
    Configuration file    Open pki_config and remove the TrustAnchor line that specifies this trust anchor, or modify it to use a different certificate.

  2. Save and reload your modified configuration.

Retrieving Intermediate Certificates from an LDAP or HTTP Server

Intermediate CA trust points can be retrieved from an LDAP or HTTP server. The server is identified either by the explicit URIs in the Authority Information Access (AIA) extension of a certificate, or by configuring explicit LDAP or HTTP server access in Reflection PKI Services Manager.

To configure a downloadable certificate server store using the console

  1. Open the Trusted Chain pane.
  2. In the search order list, select Certificate servers.
  3. Under Certificate servers, click Add.
  4. Specify the server using either HTTP or LDAP format. This example specifies an LDAP server:

    ldap://ldapserver.myhost.com:10389

  5. Save and reload your modified configuration.

To configure a downloadable certificate server store using the configuration file

  1. Open the pki_config file.
  2. Include 'certserver' in the CertSearchOrder list. For example:

    CertSearchOrder = local, certserver

  3. Use CertServers to identify your server using either HTTP or LDAP format. This example specifies an LDAP server:

    CertServers = ldap://ldapserver.myhost.com:10389

  4. Save and reload your modified configuration.

Configuring Certificate Revocation Checking

Revocation checking ensures that certificates used for validation have not been revoked by their issuers. Certificate revocation checking must be configured to meet DOD PKI requirements.

To configure certificate revocation checking using the console

  1. Open the Revocation pane.

    To use locally stored CRLs:
      In the search order list, select Local store, then copy the CRLs to the local-store directory.

    To use CRLs stored on an LDAP or HTTP server:
      In the search order list, select CRL servers. Under CRL servers, click Add and then specify the server URI.

    To use an OCSP responder:
      In the search order list, select OCSP. Under OCSP responder URIs, click Add and then specify the responder URI.

      If your OCSP responder uses a certificate that is self-signed, or that is not the same as the intermediate CA certificate, you also need to specify the certificate used to sign the OCSP response. Add this certificate to the OCSP certificates list.

    To use the revocation checking configured in the certificate:
      In the search order list, select CDP extension.

  2. Save and reload your modified configuration.

To configure certificate revocation checking using the configuration file

  1. Open the pki_config file and use the example settings for the option you want:

    To use locally stored CRLs:

      RevocationCheckOrder = local

      With this configuration, you need to copy the CRLs to the local-store directory.

    To use CRLs stored on an LDAP or HTTP server:

      RevocationCheckOrder = certserver
      CRLServers = ldap://ldapserver.com

      -or-

      CRLServers = http://ldapserver.com

    To configure an OCSP responder when no OCSP responder is configured in the certificate's AIA extension:

      RevocationCheckOrder = ocsp
      OCSPResponders = http://ocsp.myhost.com

      If your OCSP responder uses a certificate that is self-signed, or that is not the same as the intermediate CA certificate, you also need to specify the certificate used to sign the OCSP response. Add this certificate to the OCSP certificates list.

    To use an OCSP responder configured in the certificate's AIA extension:

      RevocationCheckOrder = ocsp

      Include 'aia' in the certificate search order. For example:

      CertSearchOrder = local, aia

    To use the revocation checking configured in the certificate:

      RevocationCheckOrder = cdp

  2. Save and reload your modified configuration.

Configuring PKI Services Manager to Meet DOD Requirements

By default, PKI Services Manager allows some configurations that do not meet DOD PKI requirements. To ensure that certificate validation meets DOD requirements, refer to the following procedures.

To configure DOD requirements using the console

  1. Install and configure at least one trust anchor.
  2. From the General pane:
    • Select Enforce DOD PKI Settings.
    • Select FIPS Mode.
    • Clear Allow MD5 signed certificates.
    • Clear Allow version 1 certificates.
  3. From the Trusted Chain pane:
    • Under Search order when building path to trust anchor, ensure that "Windows certificate store" is not selected.
  4. From the Revocation pane:
    • Under Search order to use for revocation, ensure that "None" is not selected.
    • Select and configure at least one option for checking certificate revocation.
  5. Save your settings and restart the service.

To configure DOD requirements using the configuration file

  1. Install and configure at least one trust anchor.
  2. Open the pki_config file.
  3. Configure the following:

    EnforceDODPKI = yes

    FipsMode = yes

    AllowMD5InFipsMode = no

    AllowVers1 = no

  4. Use RevocationCheckOrder to ensure that "none" is not included in the list of options, and configure at least one option for checking certificate revocation.
  5. Ensure that "windows" is not included in the list of options specified for CertSearchOrder.
  6. Save your settings and restart the service.
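As an added example (not part of Reflection PKI Services Manager or its documentation), the following Python script parses a pki_config-style file and reports every setting that contradicts the requirements in the two procedures above: the four yes/no keywords, the absence of "none" from RevocationCheckOrder and of "windows" from CertSearchOrder, at least one trust anchor, and at least one working revocation source (for 'ocsp', either OCSPResponders or 'aia' in CertSearchOrder, as the revocation table describes). The file syntax it assumes (one Keyword = value per line, comma-separated lists, '#' comments, case-insensitive keywords) and both sample configurations are constructed for the demonstration; only the keyword names come from the page.

```python
# Added example: a checker for a pki_config-style file against the DOD
# requirements listed above. Not part of Reflection PKI Services Manager.
# Assumed syntax (not stated by the documentation): one "Keyword = value"
# per line, comma-separated list values, '#' starts a comment, keywords are
# matched case-insensitively. Both sample files below are constructed.

# Constructed sample: deliberately fails several of the requirements.
SAMPLE_NONCOMPLIANT = """\
# constructed pki_config, before hardening
TrustAnchor = myTrustedCA.cer
EnforceDODPKI = no
FipsMode = yes
AllowMD5InFipsMode = yes
AllowVers1 = no
CertSearchOrder = local, windows, certserver
CertServers = ldap://ldapserver.myhost.com:10389
RevocationCheckOrder = none
"""

# Constructed sample: the same file after applying the procedure above.
SAMPLE_COMPLIANT = """\
TrustAnchor = myTrustedCA.cer
EnforceDODPKI = yes
FipsMode = yes
AllowMD5InFipsMode = no
AllowVers1 = no
CertSearchOrder = local, certserver
CertServers = ldap://ldapserver.myhost.com:10389
RevocationCheckOrder = ocsp, certserver
OCSPResponders = http://ocsp.myhost.com
CRLServers = ldap://ldapserver.myhost.com:10389
"""

# The revocation sources the documentation names; "none" disables checking.
REVOCATION_SOURCES = {"local", "certserver", "ocsp", "cdp"}


def parse_pki_config(text):
    """Parse 'Keyword = value' lines into {lowercased keyword: [values]}.
    A keyword given more than once (several TrustAnchor lines, for example)
    keeps every value, in file order."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # assumed comment syntax
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings.setdefault(key.lower(), []).append(value)
    return settings


def as_list(settings, key):
    """Expand a comma-separated value such as 'local, certserver'."""
    items = []
    for value in settings.get(key.lower(), []):
        items.extend(v.strip().lower() for v in value.split(",") if v.strip())
    return items


def last_value(settings, key):
    """Return the last value given for a keyword, lowercased, or None."""
    values = settings.get(key.lower())
    return values[-1].lower() if values else None


def check_dod_requirements(text):
    """Return a list of findings; an empty list means every requirement in
    the configuration-file procedure above is satisfied."""
    s = parse_pki_config(text)
    findings = []
    if not s.get("trustanchor"):
        findings.append("no TrustAnchor configured; at least one is required")
    for key, wanted in (("EnforceDODPKI", "yes"), ("FipsMode", "yes"),
                        ("AllowMD5InFipsMode", "no"), ("AllowVers1", "no")):
        got = last_value(s, key)
        if got != wanted:
            findings.append(f"{key} should be {wanted}, found {got!r}")
    order = as_list(s, "RevocationCheckOrder")
    if "none" in order:
        findings.append("RevocationCheckOrder must not include 'none'")
    if not REVOCATION_SOURCES & set(order):
        findings.append("RevocationCheckOrder must name at least one of "
                        "local, certserver, ocsp, cdp")
    # An 'ocsp' entry needs a responder to query: either a configured one or
    # the ones found through the certificate's AIA extension.
    if "ocsp" in order and not s.get("ocspresponders") \
            and "aia" not in as_list(s, "CertSearchOrder"):
        findings.append("ocsp is enabled but neither OCSPResponders nor "
                        "'aia' in CertSearchOrder is configured")
    if "windows" in as_list(s, "CertSearchOrder"):
        findings.append("CertSearchOrder must not include 'windows'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("non-compliant", SAMPLE_NONCOMPLIANT),
                      ("compliant", SAMPLE_COMPLIANT)):
        problems = check_dod_requirements(cfg)
        print(f"{name}: {'OK' if not problems else 'FINDINGS'}")
        for p in problems:
            print("  -", p)
```

Run it against a copy of your real pki_config by reading the file into a string and passing it to check_dod_requirements; because the checker looks at the last value of a repeated keyword, an override placed later in the file wins, which is the order-sensitivity you want to catch before the service is restarted.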

Configuring Attachmate Products to Use PKI Services Manager for Certificate Authentication

After Reflection PKI Services Manager is correctly configured, you must also configure the Reflection products that use PKI Services Manager for certificate authentication. For details, search on "PKI Services Manager" in the product documentation.

Private Key Safeguards

If a client private key is stolen, a malicious user can gain access to files on any servers accessible to that user. If a server private key is stolen, a malicious user can use this key to accomplish an impersonation attack, in which another server poses as your host. Use the following guidelines to minimize these risks.

Protecting private keys on the client:

  • Each client user should always protect his or her private key with a passphrase. This ensures that only someone who knows the passphrase can authenticate with that key.
  • Users should create and protect passphrases following the specifications for password length and complexity in your organization’s Security Policy.
  • File permissions on the private key should be set so that only the user has access to the key.

Protecting private keys on the server:

  • Attachmate servers enforce permissions on server private keys to ensure that only the server administrator has access to private keys. If key permissions are altered in a way that grants access to anyone else, the server resets the correct permissions and logs a warning. If you see this warning, you should investigate to determine the cause.

Actions to Take if a Key is Compromised

Consider a private key compromised if it has become available to any unauthorized entity, or if you have reason to distrust the actions of any person who has access to the key.

If a private key is compromised, revoke the client certificate.

To replace a compromised key:

  1. Obtain a new private key and certificate.
  2. Replace the compromised key, and update the PKI Services Manager client application to authenticate using the new key.

To remove the compromised key

  1. Remove the key from the local store using a DOD-approved file erasure utility.
  2. If the original file containing the old key and certificate (*.pfx or *.p12) is still on the client computer, use a DOD-approved file erasure utility to delete this file.

Using Uniform Resource Identifiers for DOD PKI Services

PKI Services Manager supports the use of URIs for automatic retrieval of updated CRLs as defined in section 4.2.1.14 of RFC3280.

PKI Services Manager checks for certificate revocation as follows:

  1. Check the crl_cache for valid revocation information. If none is found, continue on to step 2.
  2. If CDP checking is enabled, check the CDP extension in the certificate for HTTP or LDAP URIs and query these in the order specified (first HTTP, then LDAP). If the certificate is found to be revoked, the validation fails. If the certificate is not found in any CRL, continue on to step 3.
  3. If download from a CRL server is enabled, and one or more CRL servers are configured for PKI Services Manager, assemble the Distinguished Name for the CA listed in the Issuer extension of the certificate and query for the CRL file. If the certificate is not found to be revoked in any CRL, continue to the next validation step.

Updates for expired CRLs are handled automatically, and do not require administrator intervention or configuration.

If OCSP checking is enabled, PKI Services Manager always checks all available OCSP responders to ensure that the connection will fail if any of these responders knows that the certificate has been revoked. For the connection to succeed at least one OCSP responder must be available and return a value of 'good' for the certificate status. PKI Services Manager performs these checks as follows.

  1. If AIA extension checking is enabled, check the AIA extension in the certificate for one or more OCSP responders and query each of those responders. If the status of the certificate comes back as 'revoked' from any responder, the validation fails.
  2. Check for one or more user-configured OCSP responders and query each of those responders. If the status of the certificate comes back as 'revoked' from any responder, the validation fails.
  3. If all responders returned 'unknown' the validation fails. If a 'good' response was returned from at least one of the queried OCSP responders continue on to the next validation step.
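As an added illustration (not the product's code), the following Python models the revocation decision rules described in the two numbered procedures above: the CRL steps, each of which ends the check only when the certificate is found in a CRL, and the OCSP rule, which fails closed unless at least one responder answers 'good' and none answers 'revoked'. The CRL downloads and OCSP queries are replaced by in-memory tables; every serial number, URI and timestamp is constructed, and treating a stale crl_cache entry as unusable is this example's reading of "valid revocation information" in step 1.

```python
# Added example: a model of the documented revocation decision, not code from
# Reflection PKI Services Manager. All data below is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Crl:
    """A CRL reduced to what the decision needs: the revoked serial numbers
    and the time after which the list is stale."""
    revoked: frozenset
    next_update: int            # epoch seconds

    def is_current(self, now):
        return now < self.next_update


@dataclass
class RevocationConfig:
    """Which documented sources are enabled (RevocationCheckOrder and the
    'aia' entry of CertSearchOrder, in pki_config terms)."""
    cdp_enabled: bool = True
    crl_servers_enabled: bool = True
    ocsp_enabled: bool = True
    aia_enabled: bool = True


def crl_check(serial, now, cfg, cached_crl, cdp_uris, crl_server_uris, fetch):
    """Steps 1 to 3 of the CRL procedure. fetch(uri) stands in for the HTTP
    or LDAP download and returns a Crl or None. A step ends the check only
    when it finds the serial revoked; otherwise the next step runs."""
    # Step 1: the cached CRL is consulted only while it is still current.
    if cached_crl is not None and cached_crl.is_current(now):
        if serial in cached_crl.revoked:
            return "revoked"
    # Step 2: CDP URIs from the certificate, HTTP before LDAP.
    if cfg.cdp_enabled:
        ordered = sorted(cdp_uris, key=lambda u: 0 if u.startswith("http://") else 1)
        for uri in ordered:
            crl = fetch(uri)
            if crl is not None and serial in crl.revoked:
                return "revoked"
    # Step 3: the CRL servers configured for PKI Services Manager.
    if cfg.crl_servers_enabled:
        for uri in crl_server_uris:
            crl = fetch(uri)
            if crl is not None and serial in crl.revoked:
                return "revoked"
    return "not_revoked"


def ocsp_check(responses):
    """The OCSP rule: every responder is queried; any 'revoked' fails, at
    least one 'good' passes, anything else (all 'unknown', or no responder
    reachable) fails closed. responses maps responder URI to one of
    'good', 'revoked', 'unknown' or None (None = unreachable)."""
    statuses = set(responses.values())
    if "revoked" in statuses:
        return "revoked"
    if "good" in statuses:
        return "good"
    return "no_good_response"


def validate_revocation(serial, now, cfg, *, cached_crl=None, cdp_uris=(),
                        crl_server_uris=(), fetch=lambda uri: None,
                        aia_responders=(), configured_responders=(),
                        query_ocsp=lambda uri: None):
    """Combine both procedures. Returns (passed, reason)."""
    if crl_check(serial, now, cfg, cached_crl, cdp_uris,
                 crl_server_uris, fetch) == "revoked":
        return False, "revoked according to a CRL"
    if cfg.ocsp_enabled:
        responders = list(aia_responders if cfg.aia_enabled else ())
        responders += list(configured_responders)
        verdict = ocsp_check({r: query_ocsp(r) for r in responders})
        if verdict != "good":
            return False, f"OCSP: {verdict}"
    return True, "not revoked"


# --- Constructed demo data: no real CA, serial numbers or hosts -------------
NOW = 1_700_000_000
CRLS = {   # two CDP URIs; serials 1001 and 1002 are revoked
    "http://crl.example.test/ca.crl": Crl(frozenset({"1001"}), NOW + 86400),
    "ldap://ldap.example.test/cn=CA": Crl(frozenset({"1002"}), NOW + 86400),
}
OCSP = {   # responder URI -> {serial: status}; other serials answer 'unknown'
    "http://ocsp-aia.example.test": {"2001": "unknown", "2002": "revoked"},
    "http://ocsp.example.test": {"2001": "good", "2002": "good"},
}


def demo(serial, cfg=RevocationConfig(), **overrides):
    """Validate one constructed serial against the demo tables."""
    return validate_revocation(
        serial, NOW, cfg, cdp_uris=list(CRLS), fetch=CRLS.get,
        aia_responders=["http://ocsp-aia.example.test"],
        configured_responders=["http://ocsp.example.test"],
        query_ocsp=lambda uri: OCSP[uri].get(serial, "unknown"), **overrides)


if __name__ == "__main__":
    for s in ("1001", "2001", "2002", "3001"):
        print(s, demo(s))
```

Serial 2001 passes only because the configured responder answers 'good' while the AIA responder answers 'unknown'; serial 3001, for which every responder answers 'unknown', fails even though no CRL lists it, which is the fail-closed behaviour the text describes.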

Using URIs to Retrieve Intermediate Certificates

As defined in section 4.2.2.1 of RFC3280, PKI Services Manager can use URIs to retrieve intermediate CA certificates as follows:

  1. If the local store is enabled, check the cert_cache file for the required intermediate certificate. If it is not found, continue on to step 2.
  2. If AIA is enabled, and either HTTP or LDAP URIs are defined in the Authority Information Access (AIA) extension of a certificate, attempt to use these (first HTTP, then LDAP) to retrieve intermediate CA certificates.
  3. If download from a certificate server is enabled, one or more servers are configured in the certificate servers list, and the preceding attempts have failed, assemble a Distinguished Name from the issuing certificate's Subject Name and query the defined LDAP or HTTP server for the contents of the CACertificate attribute.