Configure PKI Services Manager on Linux

To configure client host authentication using certificates, you need to install and configure Reflection PKI Services Manager. Use the following procedure to get started. Many variations are possible. For more information about each of the steps below, see the Reflection PKI Services Manager User Guide, which is available from the PKI Services Manager console, and from http://support.attachmate.com/manuals/pki.html.

Before you begin

  • Install PKI Services Manager.

  • Obtain the trusted CA certificate and any intermediate certificates that are needed to validate the certificate that will be presented by the host you are connecting to.

  • Determine how certificate revocation checking should be handled for the host certificate. You can configure PKI Services Manager to use CRLs, OCSP responders, or the CRL distribution point specified within the certificate.

To configure Reflection PKI Services Manager

  1. Log in as root on the Reflection PKI Services Manager server.

  2. Install Reflection PKI Services Manager.

  3. Put a copy of the certificate (or certificates) you want to designate as a trust anchor into your certificate store. The default PKI Services Manager store is in the following location:

    /opt/microfocus/pkid/local-store

  4. Open the PKI Services Manager configuration file in a text editor. The default name and location is:

    /opt/attachmate/pkid/config/pki_config

  5. Use the TrustAnchor keyword to identify your trust anchor. For example:

    TrustAnchor = trustedca.crt

    -or-

    TrustAnchor = CN=SecureCA,O=Acme,C=US

    Note: To configure multiple trust anchors, add additional TrustAnchor lines.

  6. Configure certificate revocation checking. For example:

    To                                   Sample Configuration
    Use CRLs stored on an LDAP server.   RevocationCheckOrder = crlserver
                                         CRLServers=ldap://crlserver
    Use an OCSP responder.               RevocationCheckOrder = ocsp
                                         OCSPResponders = http://ocspresponder

    Note: By default PKI Services Manager looks for CRLs in the local store. If you use this configuration, you need to copy the CRLs to your local store.

  7. If intermediate certificates are required by the chain of trust in your certificates, configure access to these certificates. For example:

    To                                                               Sample Configuration
    Use intermediate certificates you have added to your local store.   CertSearchOrder=local
    Use certificates stored on an LDAP server.                       CertSearchOrder=certserver
                                                                     CertServers=ldap://ldapserver

  8. Save your changes to the configuration file.

  9. Open the PKI Services Manager map file in a text editor. The default name and location is:

    /opt/attachmate/pkid/config/pki_mapfile

  10. Add one or more rules to determine which client hosts can authenticate with a valid certificate. For example, to allow client hosts to connect if the host name is specified in the Common Name value of the certificate's Subject field:

    RuleType = host

    {acme.com}

  11. Test for valid PKI Services Manager configuration:

    /usr/local/sbin/pkid -k

    When the configuration is valid, the command reports:

    No errors. Configuration is valid:

  12. Restart Reflection PKI Services Manager.

    /usr/local/sbin/pkid restart
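The following pre-flight script ties steps 3 through 11 together: before you hand the file to pkid -k, it checks that every file-based TrustAnchor actually exists in the local store, that each RevocationCheckOrder method has the server keyword it depends on (CRLServers for crlserver, OCSPResponders for ocsp), and that CertSearchOrder=certserver is accompanied by CertServers. This is an added example written for this page, not a script shipped with Reflection PKI Services Manager; it assumes the "Keyword = value" line format shown above, treats "local" and "cdp" as additional RevocationCheckOrder values (an assumption, not taken from this page), and builds its sample store and pki_config in a temporary directory with a constructed placeholder file standing in for the CA certificate.

```shell
#!/bin/sh
# Pre-flight checks for a Reflection PKI Services Manager pki_config.
# Added example, not product code. Assumes "Keyword = value" lines;
# "local" and "cdp" as RevocationCheckOrder values are assumed keywords.

# Print the value of the first "Keyword = value" line for keyword $2 in file $1.
cfg_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# check_pki_config STORE_DIR CONFIG_FILE
# Returns 0 when every check passes, 1 otherwise; each problem goes to stderr.
check_pki_config() {
    store="$1"; cfg="$2"; errors=0

    # 1. Every file-based TrustAnchor must exist in the local store.
    #    A value containing '=' is a DN (CN=...,O=...) resolved by name from
    #    the store, so there is no file to check for it.
    anchors=$(mktemp)
    sed -n 's/^[[:space:]]*TrustAnchor[[:space:]]*=[[:space:]]*//p' "$cfg" |
        sed 's/[[:space:]]*$//' > "$anchors"
    [ -s "$anchors" ] || { echo "no TrustAnchor configured" >&2; errors=$((errors + 1)); }
    while IFS= read -r anchor; do
        case "$anchor" in
            *=*) ;;
            *) [ -f "$store/$anchor" ] ||
                   { echo "TrustAnchor file not in store: $store/$anchor" >&2; errors=$((errors + 1)); } ;;
        esac
    done < "$anchors"
    rm -f "$anchors"

    # 2. Each revocation method must have the server list it needs.
    for method in $(cfg_value "$cfg" RevocationCheckOrder | tr ',' ' '); do
        case "$method" in
            crlserver) [ -n "$(cfg_value "$cfg" CRLServers)" ] ||
                { echo "RevocationCheckOrder crlserver needs CRLServers" >&2; errors=$((errors + 1)); } ;;
            ocsp) [ -n "$(cfg_value "$cfg" OCSPResponders)" ] ||
                { echo "RevocationCheckOrder ocsp needs OCSPResponders" >&2; errors=$((errors + 1)); } ;;
            local|cdp) ;;   # assumed keywords: local store / distribution point in the certificate
            *) echo "unknown RevocationCheckOrder value: $method" >&2; errors=$((errors + 1)) ;;
        esac
    done

    # 3. Intermediate certificates fetched from LDAP need a CertServers entry.
    for source in $(cfg_value "$cfg" CertSearchOrder | tr ',' ' '); do
        case "$source" in
            certserver) [ -n "$(cfg_value "$cfg" CertServers)" ] ||
                { echo "CertSearchOrder certserver needs CertServers" >&2; errors=$((errors + 1)); } ;;
            local) ;;
            *) echo "unknown CertSearchOrder value: $source" >&2; errors=$((errors + 1)) ;;
        esac
    done

    if [ "$errors" -eq 0 ]; then return 0; else return 1; fi
}

# Demonstration on a constructed store and config in a temporary directory.
demo() {
    work=$(mktemp -d)
    mkdir "$work/local-store"
    printf 'placeholder, not a real certificate\n' > "$work/local-store/trustedca.crt"
    cat > "$work/pki_config" <<'EOF'
TrustAnchor = trustedca.crt
TrustAnchor = CN=SecureCA,O=Acme,C=US
RevocationCheckOrder = ocsp
OCSPResponders = http://ocspresponder
CertSearchOrder=certserver
CertServers=ldap://ldapserver
EOF
    if check_pki_config "$work/local-store" "$work/pki_config"; then
        echo "pre-flight checks passed; run /usr/local/sbin/pkid -k next"
    else
        echo "fix the problems above before running pkid -k"
    fi
    rm -rf "$work"
}
demo
```

Point check_pki_config at your real store (/opt/microfocus/pkid/local-store by default) and config file to run it against a live installation; it only reads files and never modifies them. It is deliberately written in POSIX sh without "local" or arrays so that it runs under dash as well as bash, and it complements rather than replaces pkid -k, which validates the full syntax the daemon accepts.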

More information