SSL/TLS and Secure Shell connections can be configured to authenticate hosts using digital certificates An integral part of a PKI (Public Key Infrastructure). Digital certificates (also called X.509 certificates) are issued by a certificate authority (CA), which ensures the validity of the information in the certificate. Each certificate contains identifying information about the certificate owner, a copy of the certificate owner's public key (used for encrypting and decrypting messages and digital signatures), and a digital signature (generated by the CA based on the certificate contents). The digital signature is used by a recipient to verify that the certificate has not been tampered with and can be trusted. . Depending on how you have configured the Reflection Certificate Manager, InfoConnect may use certificates in just the Reflection Certificate Manager store or in both the Windows store and the Reflection Certificate Manager stores. The Windows store holds intermediate as well as trusted root certificates. The Reflection Certificate Manager store holds trusted root certificates only. Reflection can also be configured to locate intermediate certificates from an LDAP server.
To configure InfoConnect to locate intermediate certificates stored in an LDAP directory, use the tab of the Reflection Certificate Manager to identify the LDAP server (or servers).
Configuring the LDAP server
InfoConnect can locate a certificate in the LDAP directory only if the LDAP distinguished name (DN) exactly matches the contents of the Subject field in the certificate. For example, if the Subject field of the certificate displays the following objects:
CN = Some CA
O = Acme
C = US
The DN of the entry in the LDAP directory must be exactly: "CN = Some CA, O=Acme, C = US".
The attributes of the LDAP entry identified by this DN must include one of the following. (InfoConnect looks for these attributes in order from top to bottom.)
Attribute |
OID (Object Identifier) |
---|---|
userCertificate;binary |
2.5.4.36 |
cACertificate;binary |
2.5.4.37 |
userCertificate |
2.5.4.36 |
cACertificate |
2.5.4.37 |
mosaicKMandSigCertificate |
2.16.840.1.101.2.1.5.5 |
sdnsKMandSigCertificate |
2.16.840.1.101.2.1.5.3 |
fortezzaKMandSigCertificate |
2.16.840.1.101.2.1.5.5 |
crossCertificatePair;binary |
2.5.4.40 |
crossCertificatePair |
2.5.4.40 |