Before you begin, review the requirements described in the Certificate Authentication for Users topic.
To configure user authentication using certificates, you need to install and configure Reflection PKI Services Manager and configure your server and client. Use the following procedures to get started. Many additional variations are possible. For more information, see the Reflection PKI Services Manager User Guide, which is available from http://support.attachmate.com/manuals/pki.html.
You can install and configure a single instance of PKI Services Manager to support certificate authentication requests from multiple Reflection for Secure IT clients and/or servers. However, because Reflection for Secure IT settings allow only one entry for the PKI Services Manager address and port, this configuration creates a potential single point of failure. If PKI Services Manager is unreachable or the server is not running, all authentication attempts using certificates will fail. To provide load balancing and failover, you can define a round-robin DNS entry for the PKI Services Manager host name or place the PKI Services Manager host behind a load balancing server. You can also configure PKI Services Manager to run in a Microsoft cluster environment.
NOTE: Paths shown here are based on the default installation options.
To install and configure PKI Services Manager
Log in as root on the Reflection PKI Services Manager server.
Put a copy of the certificate (or certificates) you want to designate as a trust anchor into your certificate store. The default PKI Services Manager store is in the following location:
/opt/attachmate/pkid/local-store
Open the PKI Services Manager configuration file in a text editor. The default name and location is:
/opt/attachmate/pkid/config/pki_config
Use the TrustAnchor keyword to identify your trust anchor. For example:
TrustAnchor = trustedca.crt
-or-
TrustAnchor = CN=SecureCA,O=Acme,C=US
NOTE: To configure multiple trust anchors, add additional TrustAnchor lines.
Configure certificate revocation checking. For example:
To | Sample Configuration
---|---
Use CRLs stored on an LDAP server. | RevocationCheckOrder = crlserver<br>CRLServers=ldap://crlserver
Use an OCSP responder. | RevocationCheckOrder = ocsp<br>OCSPResponders = http://ocspresponder
NOTE: By default, PKI Services Manager looks for CRLs in the local store. If you keep this default, you need to copy the CRLs to your local store.
If intermediate certificates are required by the chain of trust in your certificates, configure access to these certificates. For example:
To | Sample Configuration
---|---
Use intermediate certificates you have added to your local store. | CertSearchOrder=local
Use certificates stored on an LDAP server. | CertSearchOrder=certserver<br>CertServers=ldap://ldapserver
Save your changes to the configuration file.
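Before moving on to the map file, it is worth cross-checking that the keywords set in the steps above agree with each other and with the contents of the local store: a TrustAnchor given as a file name must actually be present in the store, and each revocation or certificate source named in RevocationCheckOrder or CertSearchOrder needs its matching server list. The following shell script is an added example, not part of Reflection PKI Services Manager or its documentation. It assumes that "#" starts a comment in pki_config, that spaces around "=" are optional, that list values may be comma or space separated, and that a TrustAnchor value containing no "=" is a file name relative to the store; the functions, the sample store and the two sample configurations are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of Reflection PKI Services Manager: cross-checks a
# pki_config against the local store before restarting pkid. Only keywords from
# the procedure above are inspected: TrustAnchor, RevocationCheckOrder,
# CRLServers, OCSPResponders, CertSearchOrder, CertServers.
# Assumptions (not taken from the product documentation): "#" starts a comment,
# spaces around "=" are optional, list values may be comma or space separated,
# and a TrustAnchor value without "=" is a file name relative to the store
# (a value containing "=" is treated as a distinguished name).

# cfg_values FILE KEYWORD -> every value set for KEYWORD, one per line
cfg_values() {
    sed -n -e 's/[[:space:]]*#.*//' \
           -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//'
}

# check_pki_config CONFIG STOREDIR -> 0 when every check passes, 1 otherwise
check_pki_config() {
    cfg=$1; store=$2; rc=0

    # 1. At least one trust anchor; file-name anchors must exist in the store.
    n=0
    while IFS= read -r anchor; do
        [ -n "$anchor" ] || continue
        n=$((n + 1))
        case $anchor in
            *=*) echo "ok: trust anchor by DN: $anchor" ;;
            *)   if [ -f "$store/$anchor" ]; then
                     echo "ok: trust anchor file $store/$anchor"
                 else
                     echo "FAIL: trust anchor file $store/$anchor not found"; rc=1
                 fi ;;
        esac
    done <<EOF
$(cfg_values "$cfg" TrustAnchor)
EOF
    [ "$n" -gt 0 ] || { echo "FAIL: no TrustAnchor configured"; rc=1; }

    # 2. Each revocation source named in RevocationCheckOrder needs its server
    #    list; with no RevocationCheckOrder, CRLs are expected in the store.
    order=$(cfg_values "$cfg" RevocationCheckOrder | tail -n 1 | tr ',' ' ')
    [ -n "$order" ] || echo "note: RevocationCheckOrder unset; CRLs are read from $store"
    case " $order " in *" crlserver "*)
        [ -n "$(cfg_values "$cfg" CRLServers)" ] ||
            { echo "FAIL: crlserver listed but CRLServers not set"; rc=1; } ;;
    esac
    case " $order " in *" ocsp "*)
        [ -n "$(cfg_values "$cfg" OCSPResponders)" ] ||
            { echo "FAIL: ocsp listed but OCSPResponders not set"; rc=1; } ;;
    esac

    # 3. Intermediate certificates fetched from LDAP need CertServers.
    search=$(cfg_values "$cfg" CertSearchOrder | tail -n 1 | tr ',' ' ')
    case " $search " in *" certserver "*)
        [ -n "$(cfg_values "$cfg" CertServers)" ] ||
            { echo "FAIL: certserver listed but CertServers not set"; rc=1; } ;;
    esac
    return $rc
}

# make_demo DIR -> constructed store and two sample configurations under DIR
make_demo() {
    mkdir -p "$1/local-store"
    : > "$1/local-store/trustedca.crt"      # placeholder, not a real certificate
    cat > "$1/pki_config" <<'EOF'
# constructed sample configuration
TrustAnchor = trustedca.crt
TrustAnchor = CN=SecureCA,O=Acme,C=US
RevocationCheckOrder = ocsp
OCSPResponders = http://ocspresponder
CertSearchOrder=local
EOF
    cat > "$1/bad_config" <<'EOF'
TrustAnchor = missing.crt
RevocationCheckOrder = crlserver
EOF
}

demo=$(mktemp -d); make_demo "$demo"
check_pki_config "$demo/pki_config" "$demo/local-store" && echo "pki_config: PASS"
check_pki_config "$demo/bad_config" "$demo/local-store" || echo "bad_config: FAIL (as expected)"
rm -rf "$demo"
```

Run it on the real files as root with `check_pki_config /opt/attachmate/pkid/config/pki_config /opt/attachmate/pkid/local-store`; a non-zero exit points at a missing anchor file or an incomplete revocation setup that `pkid -k` would otherwise be the first to report.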
Open the PKI Services Manager map file in a text editor. The default name and location is:
/opt/attachmate/pkid/config/pki_mapfile
Create a user RuleType stanza and add one or more rules that define which users can authenticate with a valid certificate. For example:
For more sample rules, see Sample PKI Services Manager Mapping Rules.
NOTE: After a certificate is determined to be valid, rules are processed in order (based on rule type, then sequence). If the certificate meets the requirements defined in the conditional expression (or if the rule has no condition), the allowed identities specified in that rule are allowed to authenticate. No additional rules are applied after the first match.
Test for a valid PKI Services Manager configuration:
/usr/local/sbin/pkid -k
The following message confirms that the configuration is valid:
No errors. Configuration is valid.
Restart Reflection PKI Services Manager.
/usr/local/sbin/pkid restart
To configure the Reflection for Secure IT server
If PKI Services Manager is not installed on the same host as the Reflection for Secure IT server, copy the PKI Services Manager public key to the Reflection for Secure IT server.
The key location on PKI Services Manager is:
/opt/attachmate/pkid/config/pki_key.pub
Copy this to any location on the Reflection for Secure IT host. For example:
/etc/ssh2/pki_key.pub
NOTE: This key file should be owned by root and not be writable by any user other than root.
Open the server configuration file (/etc/ssh2/sshd2_config) in a text editor.
Edit PkidPublicKey to specify the location in which you placed the PKI Services Manager public key. For example:
PkidPublicKey=/etc/ssh2/pki_key.pub
Edit PkidAddress to specify the PKI Services Manager host and port. For example:
PkidAddress=pkiserver.acme.com:18081
NOTE: If you specify a host and omit the port, the default PKI Services Manager port (18081) is used.
Configure AllowedAuthentications or RequiredAuthentications to allow or require public key authentication. The defaults shown below allow public key authentication but do not require it:
AllowedAuthentications=gssapi-with-mic,publickey,keyboard-interactive,password
RequiredAuthentications=
To configure the Reflection for Secure IT client
Install the certificate and private key. For example:
~/.ssh2/userkey
~/.ssh2/userkey.crt
NOTE: The certificate must be in the same directory as the private key and use the same base name with a .crt file extension.
Set permissions on the user key for user-only read-only access:
chmod 400 userkey
Create (or edit) the client identification file. (The default is ~/.ssh2/identification.) Configure this file for user-only write access:
chmod 600 identification
Add a line to the client identification file that identifies the private key. Use the CertKey keyword. (Path information is optional if the key is in the ~/.ssh2/ directory.) For example:
CertKey userkey
Open the client configuration file (/etc/ssh2/ssh2_config) in a text editor.
Check your configuration of the following client settings. AllowedAuthentications must include publickey. IdentificationFile must specify the file you configured in step 3. The defaults are shown here:
AllowedAuthentications=gssapi-with-mic,publickey,keyboard-interactive,password
IdentificationFile=~/.ssh2/identification
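The server and client procedures above each end with file and setting requirements that are easy to get slightly wrong: the copied PKI Services Manager public key must be owned by root and not writable by anyone else, PkidAddress may or may not carry a port, publickey must remain in AllowedAuthentications, the identification file must be mode 600, each CertKey private key must be mode 400, and its certificate must sit beside it as <basename>.crt. The following shell script is an added example serving both procedures; it is not part of Reflection for Secure IT or its documentation. It assumes that "#" starts a comment in sshd2_config and the identification file, that spaces around "=" are optional, and that an unset AllowedAuthentications means the default list shown above; the function names and the sample directory layout are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of Reflection for Secure IT: checks a server host and
# a client host against the file and setting requirements in the two procedures
# above (PkidPublicKey owned by root and not writable by others, PkidAddress
# host[:port], publickey in AllowedAuthentications; identification file mode
# 600, private key mode 400, certificate beside the key as <basename>.crt).
# Assumptions not taken from the product documentation: "#" starts a comment,
# spaces around "=" are optional, and the constructed sample layout below.

# cfg_value FILE KEYWORD -> last value set for KEYWORD (empty if unset)
cfg_value() {
    sed -n -e 's/[[:space:]]*#.*//' \
           -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}
# perm_string FILE -> the nine permission characters, e.g. rw-------
perm_string() { ls -ld "$1" | cut -c2-10; }
# owner_of FILE -> owning user name
owner_of() { ls -ld "$1" | awk '{print $3}'; }

# check_server SSHD2_CONFIG [EXPECTED_OWNER]  (owner defaults to root)
check_server() {
    s_cfg=$1; s_owner=${2:-root}; s_rc=0
    s_key=$(cfg_value "$s_cfg" PkidPublicKey)
    if [ ! -f "$s_key" ]; then
        echo "FAIL: PkidPublicKey '$s_key' not found"; s_rc=1
    else
        [ "$(owner_of "$s_key")" = "$s_owner" ] ||
            { echo "FAIL: $s_key is not owned by $s_owner"; s_rc=1; }
        case $(perm_string "$s_key") in        # 5th/8th char = group/other write
            ????w*|???????w*) echo "FAIL: $s_key is writable by group or others"; s_rc=1 ;;
        esac
    fi
    s_addr=$(cfg_value "$s_cfg" PkidAddress)
    case $s_addr in
        "")  echo "FAIL: PkidAddress not set"; s_rc=1 ;;
        *:*) echo "ok: PKI Services Manager at ${s_addr%:*}, port ${s_addr##*:}" ;;
        *)   echo "ok: PKI Services Manager at $s_addr, default port 18081" ;;
    esac
    # An unset AllowedAuthentications means the default list shown above.
    s_auth=$(cfg_value "$s_cfg" AllowedAuthentications)
    [ -n "$s_auth" ] || s_auth=gssapi-with-mic,publickey,keyboard-interactive,password
    case ",$s_auth," in
        *,publickey,*) ;;
        *) echo "FAIL: AllowedAuthentications omits publickey"; s_rc=1 ;;
    esac
    return $s_rc
}

# check_client IDENT_FILE [KEYDIR]  (relative CertKey names resolve in KEYDIR,
# default ~/.ssh2)
check_client() {
    c_id=$1; c_dir=${2:-$HOME/.ssh2}; c_rc=0; c_n=0
    [ "$(perm_string "$c_id")" = "rw-------" ] ||
        { echo "FAIL: $c_id should be mode 600"; c_rc=1; }
    while read -r c_kw c_key; do
        [ "$c_kw" = "CertKey" ] || continue
        c_n=$((c_n + 1))
        case $c_key in /*) ;; *) c_key=$c_dir/$c_key ;; esac
        if [ ! -f "$c_key" ]; then
            echo "FAIL: CertKey $c_key not found"; c_rc=1; continue
        fi
        [ "$(perm_string "$c_key")" = "r--------" ] ||
            { echo "FAIL: $c_key should be mode 400"; c_rc=1; }
        [ -f "$c_key.crt" ] ||
            { echo "FAIL: $c_key.crt missing beside the private key"; c_rc=1; }
    done < "$c_id"
    [ "$c_n" -gt 0 ] || { echo "FAIL: no CertKey line in $c_id"; c_rc=1; }
    return $c_rc
}

# make_demo DIR -> constructed server and client layout under DIR
make_demo() {
    mkdir -p "$1/etc/ssh2" "$1/home/.ssh2"
    : > "$1/etc/ssh2/pki_key.pub"; chmod 644 "$1/etc/ssh2/pki_key.pub"   # placeholder key
    printf 'PkidPublicKey=%s\nPkidAddress=pkiserver.acme.com\n' \
        "$1/etc/ssh2/pki_key.pub" > "$1/etc/ssh2/sshd2_config"
    : > "$1/home/.ssh2/userkey";     chmod 400 "$1/home/.ssh2/userkey"
    : > "$1/home/.ssh2/userkey.crt"  # placeholder certificate
    printf '# constructed\nCertKey userkey\n' > "$1/home/.ssh2/identification"
    chmod 600 "$1/home/.ssh2/identification"
}

demo=$(mktemp -d); make_demo "$demo"
check_server "$demo/etc/ssh2/sshd2_config" "$(id -un)" && echo "server: PASS"
check_client "$demo/home/.ssh2/identification" "$demo/home/.ssh2" && echo "client: PASS"
rm -rf "$demo"
```

On a real host, run `check_server /etc/ssh2/sshd2_config` as root (the owner check then defaults to root) and `check_client ~/.ssh2/identification` as the user who will authenticate. The permission checks read the mode string from `ls -ld` rather than `stat` so that the same script runs unchanged on the UNIX and Linux platforms the server supports.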