Configure Certificate Authentication for Users
Before you begin, review the requirements described in the Certificate Authentication for Users topic.
To configure user authentication using certificates, you need to install and configure Reflection PKI Services Manager, and configure your server and client. Use the following procedures to get started. Many additional variations are possible. For more information, see the Reflection PKI Services Manager User Guide, which is available from http://support.attachmate.com/manuals/pki.html.
You can install and configure a single instance of PKI Services Manager to support user certificate authentication for multiple Reflection for Secure IT servers. However, because Reflection for Secure IT settings allow only one entry for the PKI Services Manager address and port, this configuration creates a potential single point of failure. If PKI Services Manager is unreachable or the server is not running, all authentication attempts using certificates will fail. In order to provide load balancing and failover, you can define a round-robin DNS entry for the PKI Services Manager host name or place the PKI Services Manager host behind a load balancing server.
To install and configure PKI Services Manager
Note: You can configure PKI Services Manager using the console, or by editing the configuration files directly. Default settings and map files are created in the the first time you run the console and are updated when you make and save changes using the console. These instructions use the console.
- Install Reflection PKI Services Manager.
- Start the PKI Services Manager console:
Programs > Attachmate Reflection > Utilities > PKI Manager
- Put a copy of the certificate you want to designate as a trust anchor into your local store. The default PKI Services Manager store is in the following location:
(This step is not required if you are using certificates in the Windows store or you have a copy of the trust anchor available somewhere else on your system.)
- From the Trusted Chain pane, add your trust anchor (or anchors) to the list of trust anchors.
To use this store
Your local certificate store or a certificate file on your system
Click Add. Select either Local store certificate or Certificate file, click Browse and select the certificate for your trust anchor.
The Windows certificate store
Under Search order to use when building path to trust anchor, select "Windows certificate store."
From the Add Trust Anchor dialog box, select Windows certificate then click Browse to select an available certificate.
Note: PKI Services Manager uses only those certificates that are installed for use by the local computer (not certificates installed for the current user) and are in either the trusted root certification authorities list or the trusted intermediate authorities list. To view and manage the local computer certificates, use the Microsoft Management Console. Add the Certificates Snap-in and configure it to manage certificates for the computer account.
- From the Revocation pane, configure certificate revocation checking.
Note: By default PKI Services Manager looks for CRLs in the local store. If you use this configuration, you need to copy the CRLs to your local store.
- From the Identity Mapper pane, add rules to determine which identities can authenticate with a valid certificate.
After a certificate is determined to be valid, rules are processed in order (based on rule type then sequence). If the certificate meets the requirements defined in the conditional expression (or if the rule has no condition), the allowed identities specified in that rule are allowed to authenticate. No additional rules are applied after the first match.
Note: When you create rules for authentication of Windows domain users, you need to include both the domain and user name in this format:
- Click File > Save.
- Start the PKI Services Manager service if it isn't already running. If the service is already running, reload your settings (Server > Reload).
To configure the Reflection for Secure IT server
- If PKI Services Manager is not installed on the same host as the Reflection for Secure IT server, copy the PKI Services Manager public key to the Reflection for Secure IT server. The key location on PKI Services Manager is:
Copy this to any location on the Reflection for Secure IT host. For example:
C:\Documents and Settings\All Users\Application Data\Attachmate\RSecureServer\pki_key.pub
- Start the Reflection for Secure IT console.
- From the Public Key pane, ensure that Public key authentication is set to Allow or Require. (Allow is the default.)
- From the Certificates pane, edit PKI server and Port to match the PKI server address values configured in the PKI Services Manager console.
- For Public key file, specify the location to which you copied the key in step 1.
- Save your settings (File > Save Settings).
To configure the client
You will need to perform the following basic steps on your Secure Shell client computer. Reflection for Secure IT Windows client procedures are included here. For other clients, refer to the client documentation.
- Install the user certificate and associated private key on the client computer.
For connections from the Reflection for Secure IT Windows client, you can import certificates using PKCS#12 files (typically *.pfx or *.p12) that contain a certificate and its associated private key. You can import these to either the Windows certificate store or the Reflection certificate store. Access to both stores is available from the Reflection Secure Shell Settings dialog box using buttons on the PKI tab.
- Configure the client to authenticate using the certificate.
In the Reflection for Secure IT Windows client, open Reflection Secure Shell Settings dialog box, and select the User Keys tab. Certificates you have imported into the Windows and Reflection stores are automatically included in the list of available keys. Select the certificate(s) you want to use for authentication.
- Confirm that the client supports public key authentication.
All Reflection clients support public key authentication by default. To confirm authentication settings from the Reflection Secure Shell Settings dialog box, go to the General tab.