By default, Transfer Site user authentication is done using a user name and password. You can also configure authentication using X.509 certificates, for example using a smart card.
Before you begin
PKI Services Manager must be installed, configured, and running, with mapping rules that return a single allowed user for any valid certificate. See Set Up PKI Services Manager.
You can install and configure PKI Services Manager on multiple systems to ensure availability of certificate authentication services. When you add multiple servers to the PKI Servers list, Gateway Administrator contacts the first available server on the list. The reply from this PKI Server (valid or not valid) is used, and no other servers on the list are contacted. All PKI servers must have identical trust anchors, configuration settings, and mapping files to ensure that each of your PKI Services Manager servers returns the same validation for all certificates.
You must know the host name or IP address of the PKI server, and the listening port used by this server (18081 is the default).
Configure Gateway Administrator to contact your PKI Services Manager
Log on to Gateway Administrator using an account in the Administrators group (or any account that has the
role enabled).On the
tab, click .Click
.For PKI Services Manager.
, specify the name or IP address of the system runningClick
.If the server is running and available, Gateway Administrator retrieves the public key and displays it. (This key should match the key displayed in the PKI Services Manager console when you go to
> .)Click
. If Gateway Administrator can successfully contact PKI Services Manager, you will see a message saying the connection is successful.Click
. This step is required; verifying the connection does not save the configuration.You will be returned to the PKI Servers tab with your added server visible in the list.
Enable Certificate authentication for Transfer Client users
This procedure is required if users will connect using the Reflection Transfer Client.
From the Gateway Administrator
tab, click .Select
.Click
.NOTE:When Client X.509 certificate authentication is selected, certificate authentication is required for all Reflection Transfer Client users. This setting does not affect connections from alternate clients.
Configure the SFTP client system
After you have completed the procedures above, subsequent user logins will not display a user name and password prompt. Login will succeed only if the SFTP client you are using is configured to present user certificates.
If users connect using the Reflection Transfer Client, the browser needs to be configured to present the user certificate. For example, you might have users connect from a laptop with a built-in smart card reader that adds smart card certificates to the browser or system certificate store. Other options include installing a PKCS#11 client, such as ActivClient, onto user systems or importing user certificates manually into the browser or system certificate store.
If users connect from an alternate SFTP client, the alternate client needs to be configured for certificate authentication. For example, in the Reflection for Secure IT Client for Windows, you can configure certificate authentication for SFTP connections using the Reflection Certificate Manager and the Secure Shell Settings dialog box.
If a user certificate is available on the client system, Gateway Administrator sends the certificate to PKI Services Manager for validation. If the certificate is valid, PKI Services Manager uses the preconfigured identity mapping to return the name of the user who is authorized to authenticate with the presented certificate.