Before you begin, review the requirements described in the Server Certificate Authentication Overview topic.
To configure server authentication using certificates, you need to install and configure Reflection PKI Services Manager and configure your server and client. Use the following procedures to get started. Many additional variations are possible. For more information, see the Reflection PKI Services Manager User Guide, which is available from http://support.attachmate.com/manuals/pki.html.
You can install and configure a single instance of PKI Services Manager to support certificate authentication requests from multiple Reflection for Secure IT clients and/or servers. However, because Reflection for Secure IT settings allow only one entry for the PKI Services Manager address and port, this configuration creates a potential single point of failure. If PKI Services Manager is unreachable or the server is not running, all authentication attempts using certificates will fail. To provide load balancing and failover, you can define a round-robin DNS entry for the PKI Services Manager host name or place the PKI Services Manager host behind a load balancing server. You can also configure PKI Services Manager to run in a Microsoft cluster environment.
NOTE: Paths shown here are based on the default installation options.
To install and configure PKI Services Manager
Log in as root on the Reflection PKI Services Manager server.
Put a copy of the certificate (or certificates) you want to designate as a trust anchor into your certificate store. The default PKI Services Manager store is in the following location in the installation folder:
.../pkid/local-store
Open the PKI Services Manager configuration file in a text editor:
.../pkid/config/pki_config
Use the TrustAnchor keyword to identify your trust anchor. For example:
TrustAnchor = trustedca.crt
-or-
TrustAnchor = CN=SecureCA,O=Acme,C=US
NOTE: To configure multiple trust anchors, add additional TrustAnchor lines.
Configure certificate revocation checking. For example:
To | Sample Configuration
---|---
Use CRLs stored on an LDAP server. | RevocationCheckOrder = crlserver<br>CRLServers=ldap://crlserver
Use an OCSP responder. | RevocationCheckOrder = ocsp<br>OCSPResponders = http://ocspresponder
NOTE: By default, PKI Services Manager looks for CRLs in the local store. If you rely on this default, you need to copy the CRLs to your local store.
If intermediate certificates are required by the chain of trust in your certificates, configure access to these certificates. For example:
To | Sample Configuration
---|---
Use intermediate certificates you have added to your local store. | CertSearchOrder=local
Use certificates stored on an LDAP server. | CertSearchOrder=certserver<br>CertServers=ldap://ldapserver
Save your changes to the configuration file.
Open the PKI Services Manager map file in a text editor:
.../pkid/config/pki_mapfile
Create a host RuleType stanza and add one or more rules that define which hosts can authenticate with a valid certificate. For example:
RuleType = host
{myhost.com} Subject Contains "myhost"
For more sample rules, see Sample PKI Services Manager Mapping Rules.
NOTE: After a certificate is determined to be valid, rules are processed in order (based on rule type, then sequence). If the certificate meets the requirements defined in the conditional expression (or if the rule has no condition), the allowed identities specified in that rule are allowed to authenticate. No additional rules are applied after the first match. This means that if you create a rule with no conditions, all allowed identities must be included in that rule.
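The first-match behaviour described in this note, as an added example that is not part of the Reflection documentation: it parses a constructed host stanza (supporting only the Subject Contains condition form shown on this page), evaluates a host identity against a certificate subject, and flags rules that an earlier unconditional rule makes unreachable.

```python
import re
# Constructed pki_mapfile stanza (not from the page); the third rule has no
# condition, so it matches every certificate already found valid.
SAMPLE_MAPFILE = """
RuleType = host
{myhost.com} Subject Contains "myhost"
{backup.acme.com} Subject Contains "backup"
{legacy.acme.com}
"""

RULE_RE = re.compile(r'^\{([^}]*)\}\s*(.*)$')
COND_RE = re.compile(r'^Subject\s+Contains\s+"([^"]*)"$', re.I)  # page's condition form

def parse_host_rules(text):
    """Rules of the 'RuleType = host' stanza, in file order, as
    (allowed_identities, subject_substring_or_None) tuples."""
    rules, in_host = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.lower().startswith('ruletype'):
            in_host = line.split('=', 1)[1].strip().lower() == 'host'
            continue
        m = RULE_RE.match(line)
        if not (in_host and m):
            continue
        idents = m.group(1).replace(',', ' ').split()
        cond = m.group(2).strip()
        cm = COND_RE.match(cond) if cond else None
        if cond and not cm:
            raise ValueError(f'unsupported condition: {cond}')
        rules.append((idents, cm.group(1) if cm else None))
    return rules

def host_allowed(rules, subject, host):
    """First match wins: the first rule whose condition holds (or that has
    no condition) decides; later rules are never consulted."""
    for idents, needle in rules:
        if needle is None or needle in subject:
            return host in idents
    return False

def unreachable_rules(rules):
    """Indices of rules after an unconditional rule: they can never match."""
    for i, (_, needle) in enumerate(rules):
        if needle is None:
            return list(range(i + 1, len(rules)))
    return []
```

Moving the unconditional `{legacy.acme.com}` rule to the top of the stanza makes `unreachable_rules` report the two conditional rules, and `myhost.com` can no longer authenticate even with a matching subject.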
Test for valid PKI Services Manager configuration:
/usr/local/sbin/pkid -k
No errors. Configuration is valid:
Restart Reflection PKI Services Manager.
/usr/local/sbin/pkid restart
To configure the Reflection for Secure IT server
Install the server certificate and associated private key. For example:
/etc/ssh2/server.key
/etc/ssh2/server.crt
Set permissions on the server key for user-only read-only access:
chmod 400 server.key
Open the server configuration file (/etc/ssh2/sshd2_config) in a text editor.
Configure the following keywords:
HostCertificateFile=/etc/ssh2/server.crt
HostKeyFile=/etc/ssh2/server.key
To configure the Reflection for Secure IT client
If PKI Services Manager is not installed on the same host as the Reflection for Secure IT client, copy the PKI Services Manager public key to the Reflection for Secure IT client. The key location on PKI Services Manager is in the config directory in the PKI Services Manager installation directory:
.../pkid/config/pki_key.pub
Copy this to any location on the Reflection for Secure IT client. For example:
/etc/ssh2/pki_key.pub
Open the client configuration file (/etc/ssh2/ssh2_config) in a text editor.
Edit PkidPublicKey to specify the location in which you placed the PKI Services Manager public key. For example:
PkidPublicKey=/etc/ssh2/pki_key.pub
Edit PkidAddress to specify the PKI Services Manager host and port. For example:
PkidAddress=pkiserver.acme.com:18081
NOTE: If you specify a host and omit the port, the default PKI Services Manager port (18081) is used.
Confirm that HostKeyAlgorithms is configured to prefer X.509 certificates over host keys. This is the default.
x509v3-rsa2048-sha256,x509v3-sign-rsa,x509v3-sign-dss,ssh-rsa-sha2-256@attachmate.com,ssh-rsa,ssh-dss
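A check of the client keywords above, as an added example that is not part of the Reflection documentation: it parses a constructed ssh2_config fragment, applies the 18081 default when PkidAddress omits the port, and confirms that HostKeyAlgorithms lists every x509v3 algorithm before any plain host-key algorithm.

```python
DEFAULT_PKID_PORT = 18081  # default port stated in the note above

# Constructed ssh2_config fragment (not from the page); PkidAddress omits the port.
SAMPLE_SSH2_CONFIG = """
PkidPublicKey=/etc/ssh2/pki_key.pub
PkidAddress=pkiserver.acme.com
HostKeyAlgorithms=x509v3-rsa2048-sha256,x509v3-sign-rsa,x509v3-sign-dss,ssh-rsa-sha2-256@attachmate.com,ssh-rsa,ssh-dss
"""

REQUIRED = ('pkidpublickey', 'pkidaddress')

def parse_config(text):
    """Keyword=value pairs, keys lower-cased; whitespace around '=' is tolerated."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#') or '=' not in line:
            continue
        key, value = (part.strip() for part in line.split('=', 1))
        conf[key.lower()] = value
    return conf

def missing_keywords(conf):
    """Keywords the client needs for certificate host authentication but lacks."""
    return [k for k in REQUIRED if k not in conf]

def pkid_endpoint(conf):
    """(host, port) from PkidAddress, applying the 18081 default when no port is given."""
    host, sep, port = conf['pkidaddress'].rpartition(':')
    if not sep:
        return conf['pkidaddress'], DEFAULT_PKID_PORT
    return host, int(port)

def certificates_preferred(conf):
    """True when every x509v3-* entry in HostKeyAlgorithms precedes every
    plain host-key entry, i.e. certificates are tried first."""
    algs = [a.strip() for a in conf['hostkeyalgorithms'].split(',') if a.strip()]
    is_cert = [a.startswith('x509v3-') for a in algs]
    first_plain = is_cert.index(False) if False in is_cert else len(algs)
    return bool(algs) and all(is_cert[:first_plain]) and not any(is_cert[first_plain:])
```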