Configure Certificate User Authentication
By default, Transfer Site user authentication is done using a user name and password. You can also configure authentication using X.509 certificates, for example using a smart card.
Before you begin
-
PKI Services Manager must be installed, configured, and running, with mapping rules that return a single allowed user for any valid certificate. See Set Up PKI Services Manager.
You can install and configure PKI Services Manager on multiple systems to ensure availability of certificate authentication services. When you add multiple servers to the PKI Servers list, Gateway Administrator contacts the first available server on the list. The reply from this PKI Server (valid or not valid) is used, and no other servers on the list are contacted. All PKI servers must have identical trust anchors, configuration settings, and mapping files to ensure that each of your PKI Services Manager servers returns the same validation for all certificates.
-
You must know the host name or IP address of the PKI server, and the listening port used by this server (18081 is the default).
Configure Gateway Administrator to contact your PKI Services Manager
-
Log on to Gateway Administrator using an account in the Administrators group (or any account that has the System setup role enabled).
-
On the System tab, click PKI Servers.
-
Click New.
-
For PKI Server, specify the name or IP address of the system running PKI Services Manager.
-
Click Retrieve Public Key.
If the server is running and available, Gateway Administrator retrieves the public key and displays it. (This key should match the key displayed in the PKI Services Manager console when you go to Utility > View Public Key.)
-
Click Test Connection. If Gateway Administrator can successfully contact PKI Services Manager, you will see a message saying the connection is successful.
-
Click Save. This step is required; verifying the connection does not save the configuration.
You will be returned to the PKI Servers tab with your added server visible in the list.
Configure the SFTP client system
After you have completed the procedures above, subsequent user logins will not display a user name and password prompt. Login will succeed only if the SFTP client you are using is configured to present user certificates.
- When users connect from an SFTP client, the client needs to be configured for certificate authentication. For example, in the Reflection for Secure IT Client for Windows, you can configure certificate authentication for SFTP connections using the Reflection Certificate Manager and the Secure Shell Settings dialog box.
If a user certificate is available on the client system, Gateway Administrator sends the certificate to PKI Services Manager for validation. If the certificate is valid, PKI Services Manager uses the preconfigured identity mapping to return the name of the user who is authorized to authenticate with the presented certificate.
Related Topics