action.skip

Using PKI Services Manager with Reflection X

Reflection PKI Services Manager is a service that provides X.509 certificate validation services. If you configure Secure Shell connections to X client hosts that authenticate using certificates, you need to download and install this application. It is available at no additional charge from the Reflection X and Reflection Desktop for X download pages.

  • Reflection PKI Services Manager is required for Secure Shell connections that use certificates for host authentication. (It is not required for user authentication with certificates.)

  • Reflection PKI Services Manager is required if you configure connections using the Management and Security Server Administrative Console that use the Security Proxy. For these connections PKI Services Manager validates the Security Proxy's certificate.

  • Reflection PKI Services Manager is supported on both Windows and Linux platforms.

  • Reflection PKI Services Manager supports central management of PKI settings. You can install and configure a single instance of PKI Services Manager to provide certificate validation services for all supported Micro Focus products. (Because Reflection X settings allow only one entry for the PKI Services Manager address and port, this configuration creates a potential single point of failure. If PKI Services Manager is unreachable or the server is not running, all authentication attempts using certificates will fail. In order to provide load balancing and failover, you can define a round-robin DNS entry for the PKI Services Manager host name or place the PKI Services Manager host behind a load balancing server.)

  • You can run Reflection PKI Services Manager on the same host as a Reflection X domain controller or on a different host.

This user guide provides basic information about installing PKI Services Manager and configuring Reflection X to use it for certificate validation services. For additional information, refer to the Reflection PKI Services Manager - Documentation.

How it Works

  1. The X client host presents a certificate to Reflection X for host authentication.

  2. Reflection X connects to Reflection PKI Services Manager and verifies its identity using an installed public key.

  3. Reflection X sends the certificate and host name to PKI Services Manager.

  4. PKI Services Manager determines if the certificate is valid and uses mapping rules to determine whether the host is allowed to authenticate with this certificate.

  5. If the certificate is valid and the host presenting it is an allowed identity for this certificate, Reflection X validates the host's digital signature. If the digital signature is verified, host authentication is successful.

More information