Authenticate with Certificates in the Reflection X Advantage Store

Use this procedure to configure Reflection X Advantage Secure Shell sessions to authenticate users with certificates stored in the Reflection X Advantage store.

NOTE:The Secure Shell server administrator must configure the server to accept and validate user certificates. The procedure depends on the server. Refer to the Secure Shell server documentation for details.

Before you begin:

Obtain a personal certificate from a certificate-granting authority and copy it to a secure location on the computer running X Manager. Private keys and PKCS#12 packages should be placed in a folder that is readable only by the owner.

You can use:

  • A certificate file and its associated private key. The two files must be in the same location and the certificate must have the same name as the key with a *.cer or *.crt file extension.

    -or-

  • A PKCS#12 PKCS (Public Key Cryptography Standards) is a set of standards devised and published by RSA laboratories that enable compatibility among public key cryptography implementations. Different PKCS standards identify specifications for particular cryptographic uses. Reflection X Advantage uses the following PKCS standards: PKCS#5 is used to provide password-based encryption for private keys stored in the Reflection X Advantage database. PKCS#11 provides support for authentication using hardware devices, such as smart cards or USB tokens. PKCS#12 is used for storage and transportation of certificates and associated private keys. Files in this format typically use a *.pfx or *.p12 extension. package file (*.p12, or *.pfx) that contains both the certificate and its associated private key.

You will also need to know the passphrase that has been used to protect the private key or certificate package file.

To authenticate with a certificate in the Reflection X Advantage store

  1. Launch X Manager or X Manager for Domains.

  2. From the Tools menu, select Secure Shell User Keys.

  3. Click Import.

  4. Browse to locate the private key file or certificate.

  5. For File passphrase enter the passphrase that currently protects the file. This is required to decrypt the file and import the key.

  6. For Key name enter a name for this certificate. This name shows up in the list of user keys and also appears in the prompt a user sees when this certificate is used to make a connection.

  7. Enter a value for Key passphrase. This can be the same as the original file passphrase or different.

    CAUTION:To help ensure security, you should always specify a passphrase when you import a certificate. This passphrase protects the private key associated with the certificate. If you don't specify a passphrase, the private key is stored in unencrypted form in the Reflection X database, and anyone who gains access to the private key can authenticate using it. In standalone mode keys are stored on the same computer as X Manager. In domain mode all user keys are stored in the database on the domain controller and the administrator of that computer will be able to read these keys.

  8. Click Import.

The imported certificate is added to the User Keys list. As long as you leave Reflection X Advantage Store in the list under User Key Sources, Reflection X Advantage attempts to use certificates in this list when it connects to a host that supports certificate authentication.