Managing Keys and Certificates

Use these procedures to manage keys and certificates in the Reflection Key Agent.


Add Keys to the Key Agent

You can add keys to the Key Agent by generating keys using the Key Agent, or by importing keys that you have created using your Rocket Software application or other applications. Keys you create using the Key Agent are stored by the agent in encrypted form and can only be accessed by using the Key Agent. Keys you create using the Reflection Secure Shell Settings dialog box are stored in your personal-documents-folder\Micro Focus\product-name\.ssh folder. When you import a key into the Key Agent, the imported key is stored within the agent in encrypted form, and the original key also remains available unless you delete it.

To generate a new key pair using the Key Agent

  1. Start and unlock the Key Agent.

  2. Select Generate Key.

  3. Specify a key name, key type, and key length, and select OK.

To generate a new key pair using your Rocket Software application

  1. Open the Reflection Secure Shell Settings dialog box.

  2. From the side menu, select User Keys. Select the generate icon.

  3. Specify a key name, key type, and key length. (Use the Browse button to specify a non-default name or location for the key.)

  4. Either specify a passphrase, or select No passphrase.

  5. Select Create.

To import a private key into the Key Agent

  1. Start and unlock the Key Agent.

  2. From the File menu, select Import Private Key.

  3. Select the key you want to add. The default location for keys you create using your Rocket Software application is:

    personal_documents_folder\Micro Focus\product-name\.ssh

    For example:

    C:\users\joe\documents\Micro Focus\product-name\.ssh

    The Agent opens this folder by default when you select Import Private Key. Each key pair consists of two files: one with a *.pub extension, and one with no file extension. The private key is the file with no extension.

  4. If the key is protected by a passphrase, you must enter the phrase correctly before you can import the key.

    After you import the key, it is protected by the Key Agent passphrase. The original key and passphrase are not changed.


Upload Keys to the Server

Secure Shell key authentication uses a public/private key pair. The public key must be added to the authorized keys on a host before you can authenticate to that host using the key pair. You can use the Key Agent to make the upload process easy. The agent automatically determines what kind of Secure Shell server is running on the host you specify, exports your public key using the correct key type for that host, and installs it (using SFTP) to the correct location for the user you specify.

The public key is transferred using the secure SFTP protocol. You will need the ability to use password authentication in order to upload the public key.

To upload the public key to the server

  1. Start and unlock the Key Agent.

  2. Select the key you want to use for authentication to the server, and click Upload.

  3. Enter the name of the host to which you are uploading the key. (In most cases you can leave SSH config scheme blank. The Key Agent makes a Secure Shell connection to the host in order to upload the key. The SSH configuration scheme you specify determines which SSH settings are used for this connection.) Select OK.

  4. When prompted, enter the name and password of the user who will authenticate to the host using the key.

    After the secure connection to the host has been established, a dialog box appears displaying information about where on the host your Rocket Software application will upload this key. In most cases you do not need to change these settings. See the notes below for more information.

note

  • Upload is not available if the Key Agent is locked.
  • The Upload Public Key dialog box displays information about the transfer. Click OK to close this dialog box.
  • Keys uploaded to hosts running Reflection for Secure IT, F-Secure, and SSH Communications (SSH Tectia) servers are exported to SECSH format. By default these are installed to the user's .ssh2 directory and an appropriate KEY entry is made in the authorization file. If this file did not previously exist, it is created and given appropriate file permissions.
  • Keys uploaded to hosts running OpenSSH servers are exported using OPENSSH format. By default they are added to the authorized_keys file located in the user's .ssh2 directory. If this file did not previously exist, it is created and given appropriate file permissions.

Import Keys to the Key Agent

  • Choose File > Import Private Key.

note

Import Private Key is not available if the Key Agent is locked.

After the import, the original key remains in its original location. A copy is added in encrypted form to the agent. If the imported key is encrypted with a passphrase, you are prompted to enter it.


Import Certificates to the Key Agent

  1. Start and unlock the Key Agent.

  2. From the File menu, select Import Certificate from .

    All certificates currently available in the certificate store you selected are displayed.

  3. Select the certificate you want to import, and then select OK.


Export Public Keys

You can export plain text public keys from keys stored in the Reflection Key Agent.

To export a plain text public key

  1. Select the public key that you want to export.

  2. Choose File > Export Public Key.

    The agent exports the public key for the currently selected key.

    Note

    By default, the Key Agent exports keys in your Rocket Software application's native format.

  3. (Optional) Select Save in OpenSSH format to save to the format used by OpenSSH servers.

note

  • If you want to upload a public key to a Secure Shell server, you can use the Upload button to do this in a single step; you do not need to export the public key first. The upload utility automatically determines the correct key format for the server you specify.
  • Export Public Key is not available if the Key Agent is locked.
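The two export formats named in the upload notes and in the Export Public Key step (SECSH for Reflection for Secure IT, F-Secure and Tectia hosts; OPENSSH for OpenSSH hosts) carry the same key material in different framing. The Python below is an added example, not Key Agent code: it converts a one-line OpenSSH public key to a SECSH (RFC 4716) block and back, and checks that the key type printed in front of the base64 matches the type encoded inside the blob. The sample key is constructed (an all-zero ed25519 blob, format-only) and the comment "joe@example" is made up.

```python
import base64
import struct

# Constructed sample (format-only): a 32-byte all-zero ed25519 key and a made-up comment.
SAMPLE_BLOB = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
SAMPLE_OPENSSH = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " joe@example"

def parse_openssh(line):
    """Split '<type> <base64> [comment]'; verify the declared type matches the blob."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])  # first wire field: uint32 length + type string
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("declared key type does not match encoded blob")
    return key_type, b64, comment

def to_secsh(line):
    """OpenSSH one-line key -> SECSH (RFC 4716) block, the form installed under ~/.ssh2."""
    _, b64, comment = parse_openssh(line)
    out = ["---- BEGIN SSH2 PUBLIC KEY ----"]
    if comment:
        out.append('Comment: "%s"' % comment)
    out += [b64[i:i + 70] for i in range(0, len(b64), 70)]  # RFC 4716: body lines <= 72 bytes
    out.append("---- END SSH2 PUBLIC KEY ----")
    return "\n".join(out) + "\n"

def from_secsh(text):
    """SECSH block -> OpenSSH one-line form, which is what authorized_keys expects."""
    comment, body = "", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue  # BEGIN/END markers
        if ":" in line:  # header line; base64 never contains ':'
            name, _, value = line.partition(":")
            if name.strip().lower() == "comment":
                comment = value.strip().strip('"')
            continue
        body.append(line)
    b64 = "".join(body)
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode() + " " + b64 + (" " + comment if comment else "")
```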

Allow Adding Keys Remotely

You can configure your Rocket Software application to add keys to the Reflection Key Agent automatically when you add them to a remote host.

To enable this feature

  1. From the Key Agent Options menu, select Allow Adding Keys Remotely.

  2. Open the Secure Shell Settings dialog box.

  3. From the side menu, select User Keys, and then select Allow agent forwarding.

note

Agent forwarding must also be enabled on the host.


Allow Deleting Keys Remotely

You can configure your Rocket Software application to remove keys from the Reflection Key Agent automatically when you delete them from a remote host.

To enable this feature

  1. From the Key Agent Options menu, select Allow Deleting Keys Remotely.

  2. Open the Secure Shell Settings dialog box.

  3. From the side menu, select User Keys, and then select Allow agent forwarding.

note

Agent forwarding must also be enabled on the host.


Confirm Remote Private Key Operations

You can configure whether to have the Key Agent confirm whenever a connection is made using a key in the agent.

To configure remote private key operations

  • From the Key Agent Options menu, select or clear Confirm Remote Private Key Operations.

    When selected, the Key Agent displays a confirmation dialog box whenever a connection is made using a key in the agent; when cleared, the key exchange occurs in the background and connections are made with no prompting.


Limiting RSA Signatures to SHA1

For compatibility with older servers, you can configure the agent to include only RSA signatures that use SHA1 when responding to the Agent Identities Request.

note

Agent forwarding to some servers may not be supported when this option is unchecked because of the length of the reply to the list request.


Generate Key Dialog Box

Getting there
  1. Start the Key Agent.
  2. Select Generate Key.

Secure Shell key authentication uses a public/private key pair. From this dialog box, you can create a new key pair and add it to the Key Agent. When you generate keys using the Key Agent, the private key is always kept in encrypted form for use by the Reflection Key Agent only.

The options are:

Name
  Enter a name to identify this key.

Type
  Specifies the algorithm used for key generation.

Length
  Specifies the key size. Up to a point, a larger key size improves security. Increasing key size slows down the initial connection, but has no effect on the speed of encryption or decryption of the data stream after a successful connection has been made. The length of key you should use depends on many factors, including the key type, the lifetime of the key, the value of the data being protected, the resources available to a potential attacker, and the size of the symmetric key you use in conjunction with this asymmetric key. To ensure the best choice for your needs, we recommend that you contact your security officer.

note

Only public keys can be exported from the agent.