6.3.1 Configure Certificate Authentication for Users

Before you begin, review the requirements described in the Certificate Authentication for Users topic.

To configure user authentication using certificates, you need to install and configure Reflection PKI Services Manager and configure your server and client. Use the following procedures to get started. Many additional variations are possible. For more information, see the Reflection PKI Services Manager User Guide, which is available from http://support.attachmate.com/manuals/pki.html.

You can install and configure a single instance of PKI Services Manager to support certificate authentication requests from multiple Reflection for Secure IT clients and/or servers. However, because Reflection for Secure IT settings allow only one entry for the PKI Services Manager address and port, this configuration creates a potential single point of failure. If PKI Services Manager is unreachable or the server is not running, all authentication attempts using certificates will fail. To provide load balancing and failover, you can define a round-robin DNS entry for the PKI Services Manager host name or place the PKI Services Manager host behind a load balancing server. You can also configure PKI Services Manager to run in a Microsoft cluster environment.

NOTE:Paths shown here are based on the default installation options.

To install and configure PKI Services Manager

  1. Log in as root on the Reflection PKI Services Manager server.

  2. Install Reflection PKI Services Manager.

  3. Put a copy of the certificate (or certificates) you want to designate as a trust anchor into your certificate store. The default PKI Services Manager store is in the following location:

    /opt/attachmate/pkid/ local-store

  4. Open the PKI Services Manager configuration file in a text editor. The default name and location is:

    /opt/attachmate/pkid/ config/pki_config

  5. Use the TrustAnchor keyword to identify your trust anchor. For example:

    TrustAnchor = trustedca.crt

    -or-

    TrustAnchor = CN=SecureCA,O=Acme,C=US

    NOTE:To configure multiple trust anchors, add additional TrustAnchor lines.

  6. Configure certificate revocation checking. For example:

    To

    Sample Configuration

    Use CRLs stored on an LDAP server.

    RevocationCheckOrder = crlserver CRLServers=ldap://crlserver

    Use an OCSP responder.

    RevocationCheckOrder = ocsp OCSPResponders = http://ocspresponder

    NOTE:By default PKI Services Manager looks for CRLs in the local store. If you use this configuration, you need to copy the CRLs to your local store.

  7. If intermediate certificates are required by the chain of trust in your certificates, configure access to these certificates. For example:

    To

    Sample Configuration

    Use intermediate certificates you have added to your local store.

    CertSearchOrder=local

    Use certificates stored on an LDAP server.

    CertSearchOrder=certserver CertServers=ldap://ldapserver

  8. Save your changes to the configuration file.

  9. Open the PKI Services Manager map file in a text editor. The default name and location is:

    /opt/attachmate/pkid/ config/pki_mapfile

  10. Create a user RuleType stanza and add one or more rules that define which users can authenticate with a valid certificate. For example:

    • RuleType = user
    •   { %UPN.user% } UPN.host Equals "acme.com"
    •   { fred root } Subject.CN Contains "Fred"

    For more sample rules, see Sample PKI Services Manager Mapping Rules.

    NOTE:After a certificate is determined to be valid, rules are processed in order (based on rule type then sequence). If the certificate meets the requirements defined in the conditional expression (or if the rule has no condition), the allowed identities specified in that rule are allowed to authenticate. No additional rules are applied after the first match.

  11. Test for valid PKI Services Manager configuration:

    /usr/local/sbin/pkid -k

    No errors. Configuration is valid:
  12. Restart Reflection PKI Services Manager.

    /usr/local/sbin/pkid restart

To configure the Reflection for Secure IT server

  1. If PKI Services Manager is not installed on the same host as the Reflection for Secure IT server, copy the PKI Services Manager public key to the Reflection for Secure IT server.

    The key location on PKI Services Manager is:

    /opt/attachmate/pkid/config/pki_key.pub

    Copy this to any location on the Reflection for Secure IT host. For example:

    /etc/ssh2/pki_key.pub

    NOTE:This key file should be owned by root and not be writable by any user but root.

  2. Open the server configuration file (/etc/ssh2/sshd2_config) in a text editor.

  3. Edit PkidPublicKey to specify the location in which you placed the PKI Services Manager public key. For example:

    PkidPublicKey= /etc/ssh2/ pki_key.pub

  4. Edit PkidAddress to specify the PKI Services Manager host and port. For example:

    PkidAddress=pkiserver.acme.com:18081

    NOTE:If you specify a host and omit the port, the default PKI Services Manager port (18081) is used.

  5. Configure AllowedAuthentications or RequiredAuthentications to allow or require public key authentication. The defaults shown below allow public key authentication, but don't require it:

    AllowedAuthentications=gssapi-with-mic,publickey,keyboard-interactive,password
    RequiredAuthentications=

To configure the Reflection for Secure IT client

  1. Obtain a user certificate and associated private key.

  2. Install the certificate and private key. For example:

    ~/.ssh2/userkey
    ~/.ssh2/userkey.crt

    NOTE:The certificate must be in the same directory as the private key and use the same base name with a .crt file extension.

  3. Set permissions on the user key for user-only read-only access:

    chmod 400 userkey
  4. Create (or edit) the client identification file. (The default is ~/.ssh2/identification.) Configure this file for user-only write access:

    chmod 600 identification
  5. Add a line to the client identification file that identifies the private key. Use the CertKey keyword. (Path information is optional if the key is in the ~/.ssh2/ directory.) For example:

    CertKey userkey
  6. Open the client configuration file (/etc/ssh2/ssh2_config) in a text editor.

  7. Check your configuration of the following client settings. AllowedAuthentications must include publickey. IdentificationFile must specify the file you configured in step 3. The defaults are shown here:

    AllowedAuthentications=gssapi-with-mic,publickey,keyboard-interactive,password
    IdentificationFile=~/.ssh2/identification