Credential Store - Reflection for the Web

The credential store is a database of usernames and passwords that have been used to log on to a host. Reflection for the Web uses these credentials in conjunction with login macros to automatically log on to host sessions. The Credential Store requires Windows on the client machine.

Enable credential store

Check Enable credential store to save new credentials or to read existing ones.

Select form of identity

By default, users are represented in the credential store depending on how they authenticate, such as with a Windows domain and username.

Check Use LDAP distinguished name to represent users by their LDAP Distinguished Name. This option requires LDAP authorization to be enabled in Configure Authentication.

Regenerate encryption key

When you enable the credential store, you should back up the key used to encrypt usernames and passwords in the credential store.

To back up the key

  1. First, shell into an application instance (pod) in Kubernetes:

    a. Log in to the Kubernetes Dashboard. See the MSS Deployment Guide for instructions to use the Kubernetes dashboard.

    b. Under Workloads, click Pods.

    c. Use the Name column to locate the pod named mss-mss-server. Use the dashboard's Filter button to narrow the list of pods with that name.

    d. Click the vertical ellipsis and choose Exec, which opens a shell with access to the pod's file system.

  2. After you have shelled into the mss pod, run this command to back up PropertyDS.xml:

    cp /mssdata/PropertyDS.xml /mssdata/PropertyDS.bak

  3. Exit the shell, and exit the Kubernetes Dashboard.

When you click REGENERATE KEY:

A new key is generated either to replace an existing key or to add a key when the credential store is empty. When replacing an existing key, the stored data is decrypted using the old key and re-encrypted using the new key. All subsequent encryption uses the new key.

Note

Re-encrypting the credential store with a new key can take a considerable amount of time. During the re-encryption, nothing can be written to or read from the credential store.

You cannot regenerate a key if the existing key is corrupted or maliciously altered. You must first recover the old key from a backup or delete all credentials before generating a new key.

Recovering an encryption key

To recover the old encryption key from the backup, edit PropertyDS.xml (requires administrator privileges):

  1. Open the current PropertyDS.xml file and the backup copy in an editor.

  2. Copy the values for the following properties from the backup to the current version of PropertyDS.xml:

    CS.EncKey

    CS.EncAlgorithm

    CS.EncKeyLength

    CS.EncIV

  3. Save PropertyDS.xml.

  4. Restart the Management and Security Server.
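The backup step above (copying PropertyDS.xml) and the recovery steps (copying the four CS.Enc* properties from the backup into the current file) can both be carried out and checked with a short script. The following Python is an added example, not part of Reflection for the Web or the Management and Security Server; it assumes PropertyDS.xml is a flat XML file of `<property name="...">value</property>` elements under a single root, which is an assumption to verify against the real /mssdata/PropertyDS.xml before use. Because the backup holds the key that protects every stored password, the script keeps the original file's permission bits on the copy and verifies the copy by digest; when restoring, it refuses to write unless all four properties are present in the backup, and it backs up the current file first so the edit can be undone. The sample XML and key values in `demo()` are constructed placeholders.

```python
"""Back up PropertyDS.xml and restore the CS.Enc* key properties from a backup.

Added example, not product code. ASSUMPTION: PropertyDS.xml is a flat XML file of
<property name="...">value</property> elements under one root. Compare with the real
/mssdata/PropertyDS.xml before using this against a live server.
"""
import hashlib
import shutil
import tempfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from pathlib import Path

# The four properties the recovery procedure copies from the backup.
KEY_PROPERTIES = ("CS.EncKey", "CS.EncAlgorithm", "CS.EncKeyLength", "CS.EncIV")

# Constructed sample in the assumed layout; algorithm and length are placeholders.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<properties>
  <property name="CS.EncKey">{key}</property>
  <property name="CS.EncAlgorithm">AES</property>
  <property name="CS.EncKeyLength">256</property>
  <property name="CS.EncIV">{iv}</property>
  <property name="Other.Setting">unchanged</property>
</properties>
"""


def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def backup_property_file(path, suffix=None):
    """Copy the file to a timestamped .bak beside it and verify the copy by digest.

    A fresh name per run means a later backup never overwrites an earlier one.
    """
    src = Path(path)
    stamp = suffix or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    dst = src.with_name(f"{src.stem}.{stamp}.bak")
    shutil.copy2(src, dst)  # copy2 keeps the mode bits, so the key file stays as restricted
    if sha256_of(src) != sha256_of(dst):
        dst.unlink()
        raise RuntimeError(f"backup of {src} did not verify")
    return dst


def _property_map(root):
    """Map property name -> element for each <property name=...> in the tree."""
    return {el.get("name"): el for el in root.iter("property") if el.get("name")}


def read_key_properties(path, names=KEY_PROPERTIES):
    props = _property_map(ET.parse(path).getroot())
    return {n: (props[n].text or "") for n in names if n in props}


def restore_key_properties(current_path, backup_path, names=KEY_PROPERTIES):
    """Copy the CS.Enc* values from backup_path into current_path (recovery steps 1-3).

    Refuses to write if the backup lacks any property, so a partial key set is never
    written; the current file is backed up first so the edit can be undone.
    """
    backup_props = _property_map(ET.parse(backup_path).getroot())
    missing = [n for n in names if n not in backup_props]
    if missing:
        raise ValueError(f"backup is missing properties: {missing}")

    backup_property_file(current_path, suffix="pre-restore")
    tree = ET.parse(current_path)
    root = tree.getroot()
    current_props = _property_map(root)
    restored = {}
    for name in names:
        value = backup_props[name].text or ""
        el = current_props.get(name)
        if el is None:  # property absent from the current file: add it under the root
            el = ET.SubElement(root, "property", name=name)
        el.text = value
        restored[name] = value
    tree.write(current_path, encoding="utf-8", xml_declaration=True)
    return restored


def demo():
    """Run backup, simulated corruption and recovery on constructed files."""
    with tempfile.TemporaryDirectory() as d:
        current = Path(d) / "PropertyDS.xml"
        current.write_text(SAMPLE_XML.format(key="GOOD-KEY-constructed", iv="GOOD-IV-constructed"))
        bak = backup_property_file(current, suffix="demo")  # backup procedure, step 2
        current.write_text(SAMPLE_XML.format(key="BAD-KEY-constructed", iv="BAD-IV-constructed"))
        restored = restore_key_properties(current, bak)  # recovery steps 1-3
        other = _property_map(ET.parse(current).getroot())["Other.Setting"].text
        return {"backup_name": bak.name, "restored": restored,
                "after": read_key_properties(current), "other": other}


if __name__ == "__main__":
    print(demo())
```

Inside the pod, `backup_property_file("/mssdata/PropertyDS.xml")` is the equivalent of the `cp` in step 2, with a verified, non-overwriting copy; `restore_key_properties("/mssdata/PropertyDS.xml", "/mssdata/PropertyDS.bak")` performs recovery steps 1 to 3, after which step 4 (restarting the Management and Security Server) still applies.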

Delete selected credentials

When the credential store is enabled, new credentials are added when users run sessions configured with single sign-on macros. As time goes by, you may wish to remove older credentials. Use this option to delete stored user credentials based on the last-used date.

Note

Once credentials are deleted, they cannot be recovered.

To delete credentials:

  1. Select one or more USERS.

  2. Sort by CREDENTIAL LAST USED.

  3. Check the credentials you want to delete, and click DELETE.