Set Up PKI Services Manager

Reflection PKI Services Manager is a service that provides certificate validation services. If your client users will authenticate using X.509 certificates, you need to install and configure this service. It is available at no additional charge from the Reflection for Secure IT Web Edition download page. Reflection for Secure IT Web Edition requires version 1.2 SP2 or later.

If you installed PKI Services Manager on Windows, you can configure required settings using the PKI Services Manager Console (Start > All Programs > Attachmate Reflection > Utilities). Or, on both Windows and UNIX, you can configure these settings by editing the PKI Services Manager configuration files (pki_config and pki_mapfile). For detailed configuration information, see the PKI Services Manager User Guide, which is available from http://support.attachmate.com/manuals/pki.html.

PKI Services Manager Configuration

  1. Download and install PKI Services Manager.

    PKI Services Manager can run on both Windows and UNIX systems. You can install it on the same system as User Manager or on another system in your network.

  2. Create a certificate store that contains the CA certificates that are required to validate your user certificates. On Windows you can create a private certificate store or use the Windows certificate store. On UNIX, you need to create a private store (or use an existing store on your system).
  3. Specify one or more certificates to act as trust anchors, and specify where PKI Services Manager should search for intermediate certificates when building a path to your trust anchors.

    In the console, use the Trusted Chain pane. In pki_config use the TrustAnchor and CertSearchOrder keywords.

  4. Configure how PKI Services Manager should handle certificate revocation checking.

    In the console, use the Revocation pane. In pki_config use RevocationCheckOrder, and (depending on your configuration) OCSPResponders, OCSPCertificate, and CRLServers.

  5. Configure how certificates presented by users will map to allowed users. After PKI Services Manager has validated a user certificate, it will use the mapping you configure to return the user name that will be used to log on with this certificate.

    In the console, use the Identity Mapper pane. Or, add map rules manually to pki_mapfile.

    Note: For Web Edition, your mapping configuration must return a single allowed user for each certificate. Some sample mapping configurations are shown below.

  6. Save all settings changes and restart the PKI Services Manager server.

Sample Mapping Rules for Transfer Client Authentication

When users log in to the Transfer Client using certificates, they present the certificate (for example using a CAC card) without entering a user name. The mapping system you devise must use the presented certificate to identify a user who can log in to the Transfer Client. The mapping rule must return exactly one user ID. If multiple user ID values are returned, the login will fail.

Note: From the console, you can test mapping rules using Utility > Test Certificate. On UNIX, you can use the pki-client command line utility.

The following examples use a single map rule to return the name of an allowed user based on the contents of the certificate that user presents:

{ %Subject.CN% }

The allowed user name is equal to the value of the Subject Common Name field.

{ acme\%UPN.User% }

The allowed user name is constructed by combining the domain "acme\" with the value found in the userID portion of the UPN field.

{ %subst% } Subject.CN Regex [a-zA-Z\.]*([0-9]+)

The allowed user name is equal to the first numerical string within the common name portion of the Subject field. For example, if the CN is "joe.smith.12345", the allowed identity is set to "12345".

It is also possible to configure multiple map rules. PKI Services Manager processes each rule in order until it finds a condition that matches the validated certificate. For example:

RuleType user

{ acme\dgreen } Subject.Email Equals donald.green@acme.com

{ acme\jblue } Subject.Email Equals joseph.blue@acme.com

Rules that return multiple names for the same certificate are not supported for authentication to the Web Edition Transfer Client. The following example returns two valid user names for the same certificate. In this case, a logon attempt using the certificate will always fail.

{ root dgreen } Subject.Email Equals donald.green@acme.com

Note: Rules that configure multiple allowed identities for a single certificate are valid for SSH connections. For example, you can use a rule like the one above if you are configuring PKI Services Manager to validate certificates for users logging directly into the Reflection for Secure IT Server. In this case the user has already provided a username and the mapping rule establishes a set of one or more permitted names. Authentication is successful if the presented username is included within that set. In the case of an SSL connection (such as the connection to the Transfer Client), the user presents a certificate without a username and the mapping rules must return the username for exactly one user who can authenticate with this certificate.
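The sample rules above, worked through as an added example that is not part of PKI Services Manager or its documentation: a small Python re-implementation of the sample map-rule syntax (names in braces, an optional Field Condition Value clause with Equals or Regex, %Field% substitution, and %subst% taking the regex's first capture group are all assumptions about the product's real parser), run against a constructed certificate to check whether a rule set yields the single user name the Transfer Client requires.

```python
import re

# Constructed sample certificate fields standing in for a validated user
# certificate (not taken from any real certificate).
SAMPLE_CERT = {
    "Subject.CN": "joe.smith.12345",
    "Subject.Email": "donald.green@acme.com",
    "UPN.User": "jsmith",
}

def evaluate_rule(rule, cert):
    """Evaluate one simplified map rule, '{ name [name ...] } [Field Op Value]',
    and return the list of names it yields (empty when its condition fails).
    Hypothetical re-implementation of the sample syntax, not the product's
    parser; Equals and Regex are the only conditions handled."""
    m = re.match(r"\{\s*(.*?)\s*\}\s*(.*)$", rule)
    if not m:
        raise ValueError(f"unparseable rule: {rule}")
    names, condition = m.group(1).split(), m.group(2).strip()
    if condition:
        field, op, value = condition.split(None, 2)
        actual = cert.get(field, "")
        if op == "Equals":
            if actual != value:
                return []
        elif op == "Regex":
            match = re.search(value, actual)
            if not match:
                return []
            # Assumption: %subst% stands for the regex's first capture group
            names = [match.group(1) if n == "%subst%" else n for n in names]
        else:
            raise ValueError(f"unsupported condition: {op}")
    # Expand %Field% placeholders such as %Subject.CN% or %UPN.User%
    return [re.sub(r"%([\w.]+)%", lambda p: cert.get(p.group(1), ""), n)
            for n in names]

def map_identity(rules, cert):
    """Process rules in order; the first rule whose condition matches decides.
    Return the single allowed user, or None when that rule yields zero or
    several names, which the Web Edition Transfer Client rejects."""
    for rule in rules:
        if not rule.lstrip().startswith("{"):  # skip RuleType and similar lines
            continue
        names = evaluate_rule(rule, cert)
        if names:
            return names[0] if len(names) == 1 else None
    return None

if __name__ == "__main__":
    print(map_identity([r"{ %subst% } Subject.CN Regex [a-zA-Z\.]*([0-9]+)"], SAMPLE_CERT))
    print(map_identity([r"{ root dgreen } Subject.Email Equals donald.green@acme.com"], SAMPLE_CERT))
```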