General Pane

NOTE: You need to restart the server for some changes on this pane to take effect. For details, see the Notes section below.

The options are:

Private key location

The path to the private key used to verify the identity of Reflection PKI Services Manager. If this doesn't point to a valid key, the service won't start.

PKI server address

The address on which PKI Services Manager listens for validation requests. The default is 0.0.0.0, which configures the server to listen on all available network adapters.

To specify a particular IP address, use the drop-down list. Available IPv4 addresses for your system are shown by default. Click "Show IPv6 addresses" to see available IPv6 addresses also.

PKI server port

The port on which PKI Services Manager listens for validation requests. The default is 18081.

Enforce DOD PKI settings

Enforces settings that meet United States Department of Defense PKI requirements.

When this option is selected, the service will not start unless the following conditions are met:

  • On the General pane:
      • FIPS mode is selected
      • Allow MD5 signed certificates is not selected
      • Allow version 1 certificates is not selected
  • On the Trusted Chain pane:
      • Search order to use when building path to trust anchor does not include "Windows certificate store"
  • On the Revocation pane:
      • Search order to use for revocation has at least one option selected and does not include "None"
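
Because the service refuses to start when these conditions are not met, it is worth checking them before a restart. The following pre-flight check is added example code, not part of Reflection PKI Services Manager; the dictionary keys are assumed names for the pane settings, and the two sample configurations are constructed.

```python
# Example pre-flight check for the "Enforce DOD PKI settings" preconditions.
# Not part of Reflection PKI Services Manager; the dict keys are assumed names
# standing in for the pane settings described above.

WINDOWS_STORE = "Windows certificate store"
REVOCATION_NONE = "None"


def dod_violations(settings):
    """Return the conditions that would block service startup when
    'Enforce DOD PKI settings' is selected. An empty list means compliant."""
    problems = []
    if not settings.get("enforce_dod_pki", False):
        return problems  # nothing is enforced, so nothing can block startup
    # General pane
    if not settings.get("fips_mode", False):
        problems.append("General: FIPS mode must be selected")
    if settings.get("allow_md5_signed_certificates", False):
        problems.append("General: Allow MD5 signed certificates must not be selected")
    if settings.get("allow_version_1_certificates", False):
        problems.append("General: Allow version 1 certificates must not be selected")
    # Trusted Chain pane
    if WINDOWS_STORE in settings.get("trust_anchor_search_order", []):
        problems.append('Trusted Chain: search order must not include "%s"' % WINDOWS_STORE)
    # Revocation pane: at least one method selected, and "None" is not one of them
    revocation = settings.get("revocation_search_order", [])
    if not revocation:
        problems.append("Revocation: at least one search-order option must be selected")
    elif REVOCATION_NONE in revocation:
        problems.append('Revocation: search order must not include "%s"' % REVOCATION_NONE)
    return problems


# Constructed sample configurations (not taken from a real installation).
COMPLIANT_EXAMPLE = {
    "enforce_dod_pki": True, "fips_mode": True,
    "allow_md5_signed_certificates": False, "allow_version_1_certificates": False,
    "trust_anchor_search_order": ["Local store"],
    "revocation_search_order": ["OCSP", "CRL"],
}
NONCOMPLIANT_EXAMPLE = {
    "enforce_dod_pki": True, "fips_mode": False,
    "allow_md5_signed_certificates": True, "allow_version_1_certificates": True,
    "trust_anchor_search_order": ["Local store", WINDOWS_STORE],
    "revocation_search_order": ["None", "OCSP"],
}

if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT_EXAMPLE), ("noncompliant", NONCOMPLIANT_EXAMPLE)):
        print(name, dod_violations(cfg) or "OK")
```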

FIPS mode

Enforces security protocols and algorithms that meet FIPS 140-2 standards.

Allow MD5 signed certificates

Allow certificates signed using the MD5 hash even when FIPS mode is enabled.

Allow version 1 certificates

Allow X.509 version 1 certificates to be used as trust anchors.

Note: Intermediate certificates must be version 3 regardless of the value of this setting.

Client debugging

Specifies whether or not debug messages are sent to the application that is requesting certificate validation.

Log output to file

Log files are created daily and saved to a directory called logs located in the PKI Services Manager data directory. The user data directory is configurable. The default is:

UNIX: /opt/attachmate/pkid

Windows: \ProgramData\Attachmate\ReflectionPKI\

Maximum log files

Specifies the maximum number of log files to create. A new log file is automatically created daily. When the maximum is reached, the oldest log is removed.

Log level

Specifies the amount of information sent to the log. The log can contain both auditing messages (labeled "[audit]") and debug messages (labeled "[debug]"). Auditing messages provide information about both successful and unsuccessful validation attempts. Debug messages are designed to help in troubleshooting.

The default log level is "Error". At this level, auditing messages are sent to the log, but debug messages are sent only if a PKI Services Manager error occurs, generally because PKI Services Manager is not correctly configured. The other options include audit messages plus increasing levels of detail in the debug messages.

Select None to turn off logging.

NOTE: