To configure client host authentication using certificates, you need to install and configure Reflection PKI Services Manager. Use the following procedure to get started. Many variations are possible. For more information about each of the steps below, see the Reflection PKI Services Manager User Guide, which is available from the PKI Services Manager console, and from http://support.attachmate.com/manuals/pki.html.
Before you begin
Obtain the trusted CA certificate and any intermediate certificates that are needed to validate the certificate that will be presented by the host you are connecting to.
Determine how certificate revocation checking should be handled for the host certificate. You can configure PKI Services Manager to use CRLs, OCSP responders, or a CRL distribution point specified within the certificate.
To configure PKI Services Manager
Log in as root on the Reflection PKI Services Manager server.
Install Reflection PKI Services Manager.
Put a copy of the certificate (or certificates) you want to designate as a trust anchor into your certificate store. The default PKI Services Manager store is in the following location:
/opt/microfocus/pkid/local-store
Open the PKI Services Manager configuration file in a text editor. The default name and location is:
/opt/attachmate/pkid/config/pki_config
Use the TrustAnchor keyword to identify your trust anchor. For example:
TrustAnchor = trustedca.crt
-or-
TrustAnchor = CN=SecureCA,O=Acme,C=US
NOTE: To configure multiple trust anchors, add additional TrustAnchor lines.
Configure certificate revocation checking. For example:
To | Sample Configuration
---|---
Use CRLs stored on an LDAP server. | `RevocationCheckOrder = crlserver` and `CRLServers = ldap://crlserver`
Use an OCSP responder. | `RevocationCheckOrder = ocsp` and `OCSPResponders = http://ocspresponder`
NOTE: By default, PKI Services Manager looks for CRLs in the local store. If you use this configuration, you need to copy the CRLs to your local store.
If intermediate certificates are required by the chain of trust in your certificates, configure access to these certificates. For example:
To | Sample Configuration
---|---
Use intermediate certificates you have added to your local store. | `CertSearchOrder = local`
Use certificates stored on an LDAP server. | `CertSearchOrder = certserver` and `CertServers = ldap://ldapserver`
Save your changes to the configuration file.
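Before running the real check with `pkid -k`, it can help to catch the dependencies between the keywords above (a revocation or certificate source that names a server list which was never set, or a file with no TrustAnchor at all). The following is an added example, not part of Reflection PKI Services Manager: a small pre-flight linter for the pki_config keywords this page uses. It assumes `#` starts a comment and that RevocationCheckOrder and CertSearchOrder take a whitespace-separated list of sources; the sample configuration is constructed.

```python
# Added example: pre-flight check for the pki_config keywords shown on this page.
# Not part of Reflection PKI Services Manager; `pkid -k` remains the authoritative test.
import re
from typing import Dict, List

# Keyword = value, with spaces around '=' optional (the page shows both spellings).
# A value may itself contain '=' (e.g. a DN such as CN=SecureCA,O=Acme,C=US).
LINE_RE = re.compile(r"^\s*([A-Za-z]+)\s*=\s*(.+?)\s*$")

# A source named in an *Order keyword needs its matching server-list keyword.
REQUIRES = {
    ("RevocationCheckOrder", "crlserver"): "CRLServers",
    ("RevocationCheckOrder", "ocsp"): "OCSPResponders",
    ("CertSearchOrder", "certserver"): "CertServers",
}

def parse_pki_config(text: str) -> Dict[str, List[str]]:
    """Collect values per keyword; repeated keywords (TrustAnchor) accumulate."""
    settings: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # assumption: '#' begins a comment
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {raw!r}")
        settings.setdefault(m.group(1), []).append(m.group(2))
    return settings

def check_pki_config(text: str) -> List[str]:
    """Return findings a reviewer would raise before restarting pkid."""
    s = parse_pki_config(text)
    findings: List[str] = []
    if "TrustAnchor" not in s:
        findings.append("no TrustAnchor configured")
    for (order_kw, source), server_kw in REQUIRES.items():
        sources = " ".join(s.get(order_kw, [])).split()   # assumed list syntax
        if source in sources and server_kw not in s:
            findings.append(f"{order_kw} uses {source} but {server_kw} is not set")
    if "RevocationCheckOrder" not in s:
        # Per the page's note: with no explicit order, CRLs come from the local store.
        findings.append("no RevocationCheckOrder: CRLs will be read from the local store")
    return findings

# Constructed sample that mirrors the page's examples but omits both server lists.
SAMPLE = """
TrustAnchor = trustedca.crt
TrustAnchor = CN=SecureCA,O=Acme,C=US   # second anchor, as the NOTE above allows
RevocationCheckOrder = ocsp
CertSearchOrder=certserver
"""
```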
Open the PKI Services Manager map file in a text editor. The default name and location is:
/opt/attachmate/pkid/config/pki_mapfile
Add one or more rules to determine which client hosts can authenticate with a valid certificate. For example, to allow client hosts to connect if the host name is specified in the Common Name value of the certificate's Subject field:
RuleType = host {acme.com}
Test for a valid PKI Services Manager configuration:
/usr/local/sbin/pkid -k
If the configuration is valid, the command reports: No errors. Configuration is valid.
Restart Reflection PKI Services Manager.
/usr/local/sbin/pkid restart