This technical note provides an overview of Reflection PKI Services Manager, a service that provides certificate validation services for many Attachmate products. Information about how to obtain this component and how it works is also included.
For a list of the products that include Reflection PKI Services Manager, see Technical Note 2716.
The following topics are covered in this technical note:
For information about the latest PKI Services Manager release, see Technical Note 2688.
Reflection PKI Services Manager uses PKI to validate the authenticity of certificates presented by communicating parties. Using PKI Manager, you can centrally configure and administer PKI functions, such as the following:
PKI Services Manager provides X.509 certificate validation services for the following products:
Note: Reflection for Secure IT Client for Windows (all versions) does not use the PKI Services Manager for X.509 certificate validation; instead, the client performs its own certificate validation.
After installing and configuring PKI Services Manager, you should configure your installed Reflection for Secure IT product to connect to the PKI Services Manager and use the certificate validation services provided. For details about setting up client or server authentication, see the product user guides available from http://support.attachmate.com/manuals/sshdocs.html. For an example of configuring PKI Services Manager in a Windows environment, see Technical Note 2490.
PKI Services Manager is included as a component of Reflection for Secure IT Server and Client for UNIX, Reflection for Secure IT Server for Windows, Reflection for Secure IT Web Edition, Reflection X 2011, Reflection Suite for X 2011, Reflection for the Web 2014, and Reflection Security Gateway 2014 at no additional cost. Note: PKI Services Manager is a separate download and installation.
The directions for obtaining the Reflection PKI Services Manager add-on vary depending on the type of customer: maintained or new customers, or evaluating customers.
Note: You can install or upgrade the PKI Services Manager component without changing your installed version of Reflection for Secure IT or Reflection X Advantage.
Maintained customers are eligible to download the latest release from the Attachmate Downloads web site: https://download.attachmate.com/Upgrades/.
New Volume Purchase Account customers can use link(s) in the e-mail message sent to the order "ship to" contact to download PKI Services Manager files.
The PKI Services Manager file downloads for various platforms are listed in the Download Library on your product's download page under the heading, "Supplemental File Utility or Add-On," which appears below the "Current Product Release" and "Service Pack or Patch" headings.
You will be prompted to log in and accept the Software License Agreement before you can select and download the PKI Services Manager file. For more information on using the Download Library web site, see Technical Note 0200.
The latest product release is available to evaluate when you request an evaluation copy of the following products from the Attachmate web site (http://www.attachmate.com/Evals/rsit/rsit-eval.htm):
You will be prompted to fill out a form and will then receive an e-mail with instructions about downloading the evaluation software.
The PKI Services Manager file downloads are intermixed in the file listing of Reflection for Secure IT or Reflection X Advantage product downloads, which are organized by available platforms under the "Description" heading. The PKI Services Manager file downloads include "PKI Add-On" at the end of the platform description.
If you downloaded the Reflection for Secure IT, Reflection X 2011 (which includes Reflection X Advantage), Reflection for the Web 2014, or Reflection Security Gateway 2014 evaluation software, you must navigate back to the file listing page to obtain the PKI Add-On. Alternatively, you can click the link in the original e-mail to return to the file listing page.
The following diagrams show how PKI Services Manager validates certificates used for authentication. The first example shows how an SSH Windows or UNIX server uses PKI Services Manager to validate a certificate used for client authentication, and the second example shows how an SSH UNIX client performs the same task during host certificate authentication. Refer to the steps below each diagram for an explanation of the process in each environment.
Figure 1: Validate client authentication certificate process diagram.
Figure 2: Validate host authentication certificate process diagram.
Reflection PKI Services Manager supports the following RFCs, standards, and extensions:
Reflection PKI Services Manager Technical Resources:
Reflection PKI Services Manager Supported Platforms: Technical Note 2427