Managing Keys and Certificates
Use these procedures to manage keys and certificates in the Reflection Key Agent.
Add Keys to the Key Agent
You can add keys to the Key Agent by generating keys using the Key Agent, or by importing keys that you have created using your Micro Focus application or other applications. Keys you create using the Key Agent are stored by the agent in encrypted form and can only be accessed by using the Key Agent. Keys you create using the Reflection Secure Shell Settings dialog box are stored in your personal-documents-folder\Micro Focus\product-name\.ssh folder. When you import a key into the Key Agent, the imported key is stored within the agent in encrypted form, and the original key also remains available unless you delete it.
To generate a new key pair using the Key Agent
- Start and unlock the Key Agent.
- Select Generate Key.
- Specify a key name, key type, and key length, and select OK.
To generate a new key pair using your Micro Focus application
- Open the Reflection Secure Shell Settings dialog box.
- From the side menu, select User Keys, and then select the generate icon.
- Specify a key name, key type, and key length. (Use the Browse button to specify a non-default name or location for the key.)
- Either specify a passphrase, or select No passphrase.
- Select Create.
To import a private key into the Key Agent
- Start and unlock the Key Agent.
- From the File menu, select Import Private Key.
- Select the key you want to add. The default location for keys you create using your Micro Focus application is personal_documents_folder\Micro Focus\product-name\.ssh, for example C:\users\joe\documents\Micro Focus\product-name\.ssh. The Agent opens this folder by default when you select Import Private Key. Each key pair consists of two files: one with a *.pub extension (the public key) and one with no file extension (the private key).
- If the key is protected by a passphrase, you must enter the phrase correctly before you can import the key.
After you import the key, it is protected by the Key Agent passphrase. The original key and passphrase are not changed.
Upload Keys to the Server
Secure Shell key authentication uses a public/private key pair. The public key must be added to the authorized keys on a host before you can authenticate to that host using the key pair. You can use the Key Agent to make the upload process easy. The agent automatically determines what kind of Secure Shell server is running on the host you specify, exports your public key using the correct key type for that host, and installs it (using SFTP) to the correct location for the user you specify.
The public key is transferred using the secure SFTP protocol. You will need the ability to use password authentication in order to upload the public key.
To upload the public key to the server
- Start and unlock the Key Agent.
- Select the key you want to use for authentication to the server, and click Upload.
- Enter the name of the host to which you are uploading the key. (In most cases you can leave SSH config scheme blank. The Key Agent makes a Secure Shell connection to the host in order to upload the key; the SSH configuration scheme you specify determines which SSH settings are used for this connection.) Select OK.
- When prompted, enter the name and password of the user who will authenticate to the host using the key.
After the secure connection to the host has been established, a dialog box appears displaying information about where on the host your Micro Focus application will upload this key. In most cases you do not need to change these settings. See the notes below for more information.
note
- Upload is not available if the Key Agent is locked.
- The Upload Public Key dialog box displays information about the transfer. Click OK to close this dialog box.
- Keys uploaded to hosts running Reflection for Secure IT, F-Secure, and SSH Communications (SSH Tectia) servers are exported to SECSH format. By default these are installed to the user's .ssh2 directory and an appropriate KEY entry is made in the authorization file. If this file did not previously exist, it is created and given appropriate file permissions.
- Keys uploaded to hosts running OpenSSH servers are exported using OPENSSH format. By default they are added to the authorized_keys file located in the user's .ssh2 directory. If this file did not previously exist, it is created and given appropriate file permissions.
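The OpenSSH case in the note above (add the key to authorized_keys, creating the file with appropriate permissions) as an added Python example; this is not the Key Agent's own code. It assumes a POSIX host, a home directory path and an OpenSSH-format public key line, and additionally refuses to add a key that is already present so repeated uploads do not accumulate duplicate entries; the sample key line in demo() is constructed, not a real key.

```python
import os
import stat
import tempfile
def install_authorized_key(home, pub_line):
    # Append one OpenSSH-format public key line to <home>/.ssh/authorized_keys,
    # creating the directory and file with the modes sshd's StrictModes expects
    # (0700 / 0600). A key already present (same type and blob, whatever its
    # comment) is not added again. Returns True if the key was added.
    ssh_dir = os.path.join(home, ".ssh")
    path = os.path.join(ssh_dir, "authorized_keys")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)  # makedirs' mode is subject to umask; force it
    key_id = tuple(pub_line.split()[:2])
    data = ""
    if os.path.exists(path):
        with open(path) as f:
            data = f.read()
    for line in data.splitlines():
        if line.strip() and not line.startswith("#") and tuple(line.split()[:2]) == key_id:
            return False
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "a") as f:
        if data and not data.endswith("\n"):
            f.write("\n")  # keep the new entry on its own line
        f.write(pub_line.strip() + "\n")
    os.chmod(path, 0o600)
    return True

def strict_modes_problems(home):
    # Report what sshd StrictModes refuses: a group/world-writable .ssh or authorized_keys.
    problems = []
    ssh_dir = os.path.join(home, ".ssh")
    for p in (ssh_dir, os.path.join(ssh_dir, "authorized_keys")):
        if os.path.exists(p):
            mode = stat.S_IMODE(os.stat(p).st_mode)
            if mode & 0o022:
                problems.append(f"{p}: mode {oct(mode)} is group/world-writable")
    return problems

def demo():
    # Exercise both helpers in a throwaway home; the key line is constructed, not real.
    home = tempfile.mkdtemp()
    key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleBlob joe@example"
    first = install_authorized_key(home, key)
    again = install_authorized_key(home, key + " renamed")  # same key, new comment
    path = os.path.join(home, ".ssh", "authorized_keys")
    with open(path) as f:
        content = f.read()
    clean = strict_modes_problems(home)
    os.chmod(path, 0o666)  # simulate a sloppy manual edit
    return first, again, content == key + "\n", clean, strict_modes_problems(home)
```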
Import Keys to the Key Agent
- Choose File > Import Private Key.
note
Import Private Key is not available if the Key Agent is locked.
After the import, the original key remains in its original location. A copy is added in encrypted form to the agent. If the imported key is encrypted with a passphrase, you are prompted to enter it.
Import Certificates to the Key Agent
- Start and unlock the Key Agent.
- From the File menu, select Import Certificate from and choose the certificate store. All certificates currently available in the certificate store you selected are displayed.
- Select the certificate you want to import, and then select OK.
Export Public Keys
You can export plain text public keys from keys stored in the Reflection Key Agent.
To export a plain text public key
- Select the public key that you want to export.
- Choose File > Export Public Key.
The agent exports the public key for the currently selected key.
note
The Key Agent exports keys using your Micro Focus application's native format by default.
- (Optional) Select Save in OpenSSH format to save to the format used by OpenSSH servers.
note
- If you want to upload a public key to a Secure Shell server, you can use the Upload button to do this in a single step; you do not need to export the public key first. The upload utility automatically determines the correct key format for the server you specify.
- Export Public Key is not available if the Key Agent is locked.
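The two export formats named on this page (the OPENSSH format of the Save in OpenSSH format option, and the SECSH format the uploader uses for Reflection for Secure IT and SSH Tectia hosts) differ only in how the same public-key blob is wrapped. This added Python example, not part of the product, converts between the two and checks that the key type embedded in the blob matches the leading type token; the 32-byte ed25519 point is a constructed placeholder, not a real key.

```python
import base64
import struct
# Constructed 32-byte "point" so the sample key is well-formed; it is NOT a real key.
FAKE_POINT = bytes(range(32))

def _ssh_string(b):
    # SSH wire-format string: 4-byte big-endian length, then the bytes.
    return struct.pack(">I", len(b)) + b

def make_openssh_line(key_type, point, comment):
    blob = _ssh_string(key_type.encode()) + _ssh_string(point)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"

def parse_openssh(line):
    # Split "<type> <base64> <comment>" and verify the type inside the blob matches the token.
    parts = line.split(None, 2)
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != key_type:
        raise ValueError("key type token does not match blob")
    return key_type, blob, comment

def openssh_to_secsh(line):
    # RFC 4716 (SECSH) public key file: same blob, base64 wrapped at 72 columns.
    _, blob, comment = parse_openssh(line)
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 72] for i in range(0, len(b64), 72))
    header = f'Comment: "{comment}"\n' if comment else ""
    return "---- BEGIN SSH2 PUBLIC KEY ----\n" + header + body + "\n---- END SSH2 PUBLIC KEY ----\n"

def secsh_to_openssh(text):
    # Parse RFC 4716 text back into a one-line OpenSSH entry.
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines[0] != "---- BEGIN SSH2 PUBLIC KEY ----" or lines[-1] != "---- END SSH2 PUBLIC KEY ----":
        raise ValueError("not an RFC 4716 public key")
    comment, b64 = "", ""
    for ln in lines[1:-1]:
        if ":" in ln:  # header line (base64 never contains ':')
            name, _, value = ln.partition(":")
            if name.strip().lower() == "comment":
                comment = value.strip().strip('"')
        else:
            b64 += ln
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    return f"{blob[4:4 + n].decode()} {b64} {comment}".rstrip()
```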
Allow Adding Keys Remotely
You can configure your Micro Focus application to add keys to the Reflection Key Agent automatically when you add them to a remote host.
To enable this feature
- From the Key Agent Options menu, select Allow Adding Keys Remotely.
- Open the Secure Shell Settings dialog box.
- From the side menu, select User Keys, and then select Allow agent forwarding.
note
Agent forwarding must also be enabled on the host.
Allow Deleting Keys Remotely
You can configure your Micro Focus application to remove keys from the Reflection Key Agent automatically when you delete them from a remote host.
To enable this feature
- From the Key Agent Options menu, select Allow Deleting Keys Remotely.
- Open the Secure Shell Settings dialog box.
- From the side menu, select User Keys, and then select Allow agent forwarding.
note
Agent forwarding must also be enabled on the host.
Confirm Remote Private Key Operations
You can configure whether to have the Key Agent confirm whenever a connection is made using a key in the agent.
To configure remote private key operations
- From the Key Agent Options menu, select or clear Confirm Remote Private Key Operations.
When this option is selected, the Key Agent displays a confirmation dialog box whenever a connection is made using a key in the agent; when it is cleared, the key exchange occurs in the background and connections are made without prompting.
Limiting RSA Signatures to SHA1
For compatibility with older servers, you can configure the agent to include only RSA signatures that use SHA1 when responding to the Agent Identities Request.
note
Agent forwarding to some servers may not be supported when this option is unchecked, because the reply to the identities list request becomes too long for those servers.
Generate Key Dialog Box
Getting there
- Start the Key Agent.
- Select Generate Key.
Secure Shell key authentication uses a public/private key pair. From this dialog box, you can create a new key pair and add it to the Key Agent. When you generate keys using the Key Agent, the private key is always kept in encrypted form for use by the Reflection Key Agent only.
The options are:
Option | Description
--- | ---
Name | Enter a name to identify this key.
Type | Specifies the algorithm used for key generation.
Length | Specifies the key size. Up to a point, a larger key size improves security. Increasing key size slows down the initial connection, but has no effect on the speed of encryption or decryption of the data stream after a successful connection has been made. The length of key you should use depends on many factors, including: the key type, the lifetime of the key, the value of the data being protected, the resources available to a potential attacker, and the size of the symmetric key you use in conjunction with this asymmetric key. To ensure the best choice for your needs, we recommend that you contact your security officer.
note
Only public keys can be exported from the agent.