Configure Certificate Authentication for Users
Use the following steps to configure user authentication using certificates:
Step 1: Install and configure PKI Services Manager.
Step 2: Configure the Reflection for Secure IT server.
Step 3: Configure the client.
Note: For more complete information about configuring Reflection PKI Services Manager, refer to the Reflection PKI Services Manager User Guide, which is available from http://support.attachmate.com/manuals/pki.html.
You can configure PKI Services Manager using the console, or by editing the PKI Services Manager configuration files directly. These instructions use the console.
Step 1: Install and configure PKI Services Manager
- Install Reflection PKI Services Manager.
- Start the PKI Services Manager console:
Programs > Attachmate Reflection > Utilities > PKI Manager
- Put a copy of the certificate you want to designate as a trust anchor into your local store. The default PKI Services Manager store is in the following location:
(This step is not required if you are using certificates in the Windows store or you have a copy of the trust anchor available somewhere else on your system.)
- From the Trusted Chain pane, add your trust anchor (or anchors) to the list of trust anchors.
To use this store
Your local certificate store or a certificate file on your system
Click Add. Select either Local store certificate or Certificate file, click Browse and select the certificate for your trust anchor.
The Windows certificate store
Under Search order to use when building path to trust anchor, select "Windows certificate store."
From the Add Trust Anchor dialog box, select Windows certificate then click Browse to select an available certificate.
Note: PKI Services Manager uses only those certificates that are installed for use by the local computer (not certificates installed for the current user) and are in either the trusted root certification authorities list or the trusted intermediate authorities list. To view and manage the local computer certificates, use the Microsoft Management Console. Add the Certificates Snap-in and configure it to manage certificates for the computer account.
- From the Revocation pane, configure certificate revocation checking.
Note: By default PKI Services Manager looks for CRLs in the local store. If you use this configuration, you need to copy the CRLs to your local store.
- From the Identity Mapper pane, add rules to determine which identities can authenticate with a valid certificate.
After a certificate is determined to be valid, rules are processed in order (based on rule type then sequence). If the certificate meets the requirements defined in the conditional expression (or if the rule has no condition), the allowed identities specified in that rule are allowed to authenticate. No additional rules are applied after the first match.
Note: When you create rules for authentication of Windows domain users, you need to include both the domain and user name in this format:
- Click File > Save.
- Start the PKI Services Manager service if it isn't already running. If the service is already running, reload your settings (Server > Reload).
Step 2: Configure the Reflection for Secure IT server
- Start the Reflection for Secure IT console.
- From the Public Key pane, ensure that Public key authentication is set to Allow or Require. (Allow is the default.)
- Open the Certificates pane (Configuration > Authentication > Certificates) and use the steps that follow to configure connections to one or more running instances of PKI Services Manager.
Note: If PKI Services Manager is running on the same computer as Reflection for Secure IT, you can use the default localhost entry. If PKI Services Manager is running on a different computer, delete the localhost entry and use the following steps to add one or more PKI servers to the list.
- Click Add to open the PKI Configuration dialog box.
- For PKI server, specify the name or IP address of the computer running PKI Services Manager. In the Port field, the default port used by PKI Services Manager is already configured. Edit this if you use a non-default port.
- Click Retrieve public key. You'll see a dialog box that displays the fingerprint of the PKI Services Manager public key. (From PKI Services Manager you can use Utility > View Public Key to view the actual key fingerprint. This enables you to confirm that the key you are importing is the correct key.) Click Yes to confirm the key fingerprint.
You'll have an opportunity to confirm the name and location for this key. When you click OK, the full path to the key file is entered automatically in PKI server public key.
Note: The Retrieve public key option is supported by PKI Services Manager 1.2 and later. If you are running an earlier version, you can manually copy the PKI Services Manager public key to the computer running Reflection for Secure IT, then manually enter the key name and location in the Public key file field.
- Click OK to close the PKI Configuration dialog box.
- (Optional) Add additional PKI servers to your list. If you configure connections to more than one PKI server, Reflection for Secure IT uses a round robin method to determine which PKI server to contact. If a PKI server is not available, Reflection for Secure IT contacts the next server on the list.
Note: To ensure that each PKI server returns the same validation for all certificates, make sure that all your instances of PKI Services Manager have identical trust anchors, configuration settings, and mapping files.
- Save your settings (File > Save Settings).
Step 3: Configure the client
You will need to perform the following basic steps on your Secure Shell client computer. (Details for configuring Reflection for Secure IT Windows clients are included in parentheses. For other clients, refer to the client documentation.)
- Install the user certificate and associated private key on the client computer.
(For connections from the Reflection for Secure IT Windows client, you can import certificates using PKCS#12 files (typically *.pfx or *.p12) that contain a certificate and its associated private key. You can import these to either the Windows certificate store or the Reflection certificate store. Access to both stores is available from the Reflection Secure Shell Settings dialog box using buttons on the PKI tab.)
- Configure the client to authenticate using the certificate.
(In the Reflection for Secure IT Windows client, open Reflection Secure Shell Settings dialog box, and select the User Keys tab. Certificates you have imported into the Windows and Reflection stores are automatically included in the list of available keys. Select the certificate(s) you want to use for authentication.)
- Confirm that the client supports public key authentication.
(All Reflection clients support public key authentication by default. To confirm authentication settings from the Reflection Secure Shell Settings dialog box, go to the General tab.)