Reflection PKI Services Manager Overview
Technical Note 2425
Last Reviewed 24-Oct-2014
Applies To
Reflection PKI Services Manager
Summary

This technical note provides an overview of Reflection PKI Services Manager, a service that provides certificate validation services for many Attachmate products. Information about how to obtain this component and how it works is also included.

Note:

  • For a list of products that include Reflection PKI Services Manager, see Technical Note 2716.
  • For information about platforms Reflection PKI Services Manager is supported on, see Technical Note 2427.

For information about the latest PKI Services Manager release, see Technical Note 2688.

About PKI Services Manager

Reflection PKI Services Manager uses PKI to validate the authenticity of certificates presented by communicating parties. Using PKI Manager you can centrally configure and administer PKI functions, such as the following:

  • Trust anchor certificates and trust chains
  • Local or remote certificate stores
  • Certificate revocation checking using certificate revocation lists (CRLs) or Online Certificate Status Protocol (OCSP)
  • Certificate-to-user-ID mapping
  • Audit logging for multiple servers and clients

PKI Services Manager provides X.509 certificate validation services for the products listed in Technical Note 2716.

Note: Reflection for Secure IT Client for Windows (all versions) does not use the PKI Services Manager for X.509 certificate validation; instead, the client performs its own certificate validation.

After installing and configuring PKI Services Manager, you should configure your installed Attachmate product to connect to the PKI Services Manager and use the certificate validation services provided. For details about setting up client or server authentication, see the product user guides available from http://support.attachmate.com/manuals/. For an example of configuring PKI Services Manager in a Windows environment, see Technical Note 2490.

PKI Services Manager is included as a component of the products listed in Technical Note 2716 at no additional cost. Note: PKI Services Manager is a separate download and installation.

Obtaining PKI Services Manager

The directions for obtaining the Reflection PKI Services Manager add-on vary depending on the type of customer: maintained or new customers, or evaluating customers.

Note: You can install or upgrade the PKI Services Manager component without changing your installed version of Reflection for Secure IT or Reflection X Advantage.

Maintained or New Customers

Maintained customers are eligible to download the latest release from the Attachmate Downloads web site: https://download.attachmate.com/Upgrades/.

New Volume Purchase Account customers can use link(s) in the e-mail message sent to the order "ship to" contact to download PKI Services Manager files.

The PKI Services Manager file downloads for various platforms are listed in the Download Library on your product's download page under the heading, "Supplemental File – Utility or Add-On," which appears below the "Current Product Release" and "Service Pack or Patch" headings.

You will be prompted to log in and accept the Software License Agreement before you can select and download the PKI Services Manager file. For more information on using the Download Library web site, see Technical Note 0200.

Evaluating Customers

The latest product release is available to evaluate when you request an evaluation copy of the products listed in Technical Note 2716 from the Attachmate web site (https://www.attachmate.com/products/).

You will be prompted to fill out a form and then will receive an e-mail with instructions about downloading the evaluation software.

The PKI Services Manager file downloads are intermixed in the file listing of Attachmate product downloads, which are organized by available platforms under the "Description" heading. The PKI Services Manager file downloads include "PKI Services Manager Add-On" in the description.

After downloading the product evaluation software, you must navigate back to the file listing page to obtain the PKI Services Manager Add-On. Alternatively, you can click the link in the original e-mail to return to the file listing page.

How PKI Services Manager Works

The following diagrams show how PKI Services Manager validates certificates used for authentication. The first example shows how an SSH Windows or UNIX server uses PKI Services Manager to validate a certificate used for client authentication, and the second example shows how an SSH UNIX client performs the same task during host certificate authentication. Refer to the steps below each diagram for an explanation of the process in each environment.

SSH Windows Client Example – Validate Client Authentication Certificate

Figure 1: Validate client authentication certificate process diagram.

  1. During the process of user authentication, the SSH client sends a certificate packet to the SSH server (which has Reflection for Secure IT Server for Windows or Server for UNIX installed on it). The Reflection for Secure IT Server includes a PKI Services Manager client.
  2. The PKI Services Manager client contacts the PKI Services Manager (which may be installed on a UNIX or Windows box) using a proprietary protocol.
  3. The PKI Services Manager verifies the chain of trust, checks to see if the certificate is revoked, and evaluates the mapped rules. Revocation checking is done locally or is done remotely by retrieving CRL files from LDAP or HTTP servers or by contacting an OCSP Responder.
  4. The PKI Services Manager returns the result to the SSH server: whether the certificate validated or is revoked, together with the user mapping.
  5. The SSH server communicates authentication success or authentication failure to the SSH client.

SSH UNIX Client Example – Validate Host Authentication Certificate

Figure 2: Validate host authentication certificate process diagram.

  1. The SSH client connects to the SSH server to set up an SSH connection.
  2. During the connection setup process, the server identifies itself to the client using a certificate packet.
  3. The PKI Services Manager client contacts the PKI Services Manager (which may be installed on a UNIX or Windows box) using a proprietary protocol.
  4. The PKI Services Manager verifies the chain of trust, checks to see if the certificate is revoked, and evaluates the mapped rules. Revocation checking is done locally or is done remotely by retrieving CRL files from LDAP or HTTP servers or by contacting an OCSP server.
  5. The certificate validation or revocation is communicated from the PKI Services Manager to the SSH UNIX client. The SSH client either accepts or rejects the host identity.
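Both flows above come down to the same three checks, chain of trust, revocation status, and (for client certificates) the mapping rules, which are also the functions listed under About PKI Services Manager. The Go program below is an added illustration written for this note; it is not code from Reflection PKI Services Manager or Attachmate, and it models the checks generically with Go's standard crypto/x509 package. It builds a throwaway test PKI in memory (a root trust anchor, an issuing CA carrying basic constraints and name constraints, client and host certificates, and the issuing CA's CRL), then validates a client certificate the way the server in Figure 1 asks for, and a host certificate the way the client in Figure 2 does. The proprietary client-to-service protocol is not modelled, OCSP is left out (only CRL checking is shown), and the mapping rules are reduced to a lookup from subject common name to a local user ID; those are this example's simplifications, and the names alice, bob, carol, example.test and other.test are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI is a constructed in-memory test PKI (not the product's data): trust anchor, issuing CA, leaves, CRL, mapping rules.
type PKI struct {
	Root, Inter                                *x509.Certificate
	Client, Revoked, Unmapped, Server, Outside *x509.Certificate
	CRL                                        []byte            // DER CRL, as if fetched from the issuer's CDP
	UserMap                                    map[string]string // mapping rules: subject CN -> local user ID
	Now                                        time.Time         // evaluation time for every check
}

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// issue gives tmpl a fresh P-256 key and has parent sign it (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil { parent, parentKey = tmpl, key }
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// BuildPKI generates every key, certificate and the CRL in memory; all names below are constructed.
func BuildPKI() *PKI {
	now := time.Now()
	tmpl := func(serial int64, cn string, ca bool) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: ca,
			BasicConstraintsValid: true, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	}
	rootT := tmpl(1, "Example Root CA", true)
	rootT.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	root, rootKey := issue(rootT, nil, nil)
	// Issuing CA: pathlen 0 (basic constraints) and DNS names only under example.test (name constraints).
	interT := tmpl(2, "Example Issuing CA", true)
	interT.KeyUsage, interT.MaxPathLenZero = rootT.KeyUsage, true
	interT.PermittedDNSDomains, interT.PermittedDNSDomainsCritical = []string{".example.test"}, true
	inter, interKey := issue(interT, root, rootKey)
	leaf := func(serial int64, cn string, eku x509.ExtKeyUsage, dns ...string) *x509.Certificate {
		t := tmpl(serial, cn, false)
		t.KeyUsage, t.ExtKeyUsage, t.DNSNames = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{eku}, dns
		c, _ := issue(t, inter, interKey); return c
	}
	p := &PKI{Root: root, Inter: inter, Now: now, UserMap: map[string]string{"alice": "alice", "bob": "bob"},
		Client:   leaf(10, "alice", x509.ExtKeyUsageClientAuth),
		Revoked:  leaf(11, "bob", x509.ExtKeyUsageClientAuth),
		Unmapped: leaf(12, "carol", x509.ExtKeyUsageClientAuth),
		Server:   leaf(13, "ssh1.example.test", x509.ExtKeyUsageServerAuth, "ssh1.example.test"),
		Outside:  leaf(14, "ssh.other.test", x509.ExtKeyUsageServerAuth, "ssh.other.test"),
	}
	// The issuing CA publishes a CRL that lists bob's certificate.
	p.CRL = must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour), RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: p.Revoked.SerialNumber, RevocationTime: now.Add(-time.Minute)}}}, inter, interKey))
	return p
}

// validate runs the three checks (chain of trust, revocation, mapping rules) and returns the mapped
// user ID (client certificates only) or the reason for rejection.
func (p *PKI) validate(leaf *x509.Certificate, eku x509.ExtKeyUsage, host string) (string, error) {
	// 1. Chain of trust. Verify also enforces validity period, basic and name constraints, EKU and host name.
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.Root); inters.AddCert(p.Inter)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host, KeyUsages: []x509.ExtKeyUsage{eku}, CurrentTime: p.Now}
	if _, err := leaf.Verify(opts); err != nil { return "", fmt.Errorf("chain validation failed: %w", err) }
	// 2. Revocation. The CRL must be issuer-signed and current; a stale CRL means "unknown", never "not revoked".
	crl, err := x509.ParseRevocationList(p.CRL)
	if err == nil { err = crl.CheckSignatureFrom(p.Inter) }
	if err == nil && p.Now.After(crl.NextUpdate) { err = fmt.Errorf("CRL expired at %s", crl.NextUpdate) }
	if err != nil { return "", fmt.Errorf("CRL rejected: %w", err) }
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 { return "", fmt.Errorf("certificate is revoked") }
	}
	// 3. Mapping rules (client certificates only). A valid certificate with no matching rule is still rejected.
	if eku != x509.ExtKeyUsageClientAuth { return "", nil }
	if user, ok := p.UserMap[leaf.Subject.CommonName]; ok { return user, nil }
	return "", fmt.Errorf("no mapping rule matches %s", leaf.Subject)
}

// ValidateClientCert is the Figure 1 flow (server validates a client certificate); ValidateHostCert is Figure 2.
func (p *PKI) ValidateClientCert(c *x509.Certificate) (string, error) { return p.validate(c, x509.ExtKeyUsageClientAuth, "") }
func (p *PKI) ValidateHostCert(c *x509.Certificate, host string) error { _, err := p.validate(c, x509.ExtKeyUsageServerAuth, host); return err }

func main() {
	p := BuildPKI()
	fmt.Println(p.ValidateClientCert(p.Client))
	fmt.Println(p.ValidateClientCert(p.Revoked))
	fmt.Println(p.ValidateHostCert(p.Server, "ssh1.example.test"))
}
```

Two design points are worth noting. The revocation step refuses to answer when the CRL is past its NextUpdate, so an administrator who lets CRL retrieval lapse gets authentication failures rather than a silent pass; and the mapping step runs only after the certificate has been found valid and unrevoked, so a perfectly good certificate that no rule maps to a local account is still rejected, which matches the order of steps 3 and 4 under Figure 1. The same code also exercises basic constraints, name constraints and extended key usage, three of the extensions listed under Support for RFCs, Standards, and Extensions below.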

Support for RFCs, Standards, and Extensions

Reflection PKI Services Manager supports the following RFCs, standards, and extensions:

  • FIPS 140-2 Level 1 validated for most supported platforms (Certificate in Process - Coordination)
  • JITC DoD PKI certification for Reflection PKI Services Manager 1.3 is in process.
  • RFCs 2253, 2560, and 3280
  • X.509 certificates for server and client authentication (X.509 versions 1-3)
  • Version 2 X.509 CRL
  • PKCS#7 – for packaging of Federal Bridge Certificate Authority (FBCA) bridge certificates (Added in version 1.1)
  • PKCS#10 – for certificate requests to a Certificate Authority (CA) (Added in version 1.1)
  • Support for the following certificate extensions:
      • CDP (CRL Distribution Points)
      • IDP (Issuing Distribution Point)
      • AIA (Authority Information Access)
      • Policy Constraints
      • Basic Constraints
      • Name Constraints
      • Extended Key Usage

Additional Resources

Reflection PKI Services Manager Technical Resources:

Reflection PKI Services Manager Supported Platforms: Technical Note 2427

Related Technical Notes
0200 Using the Attachmate Downloads Web Site (FAQ)
2427 Reflection PKI Services Manager Supported Platforms
2490 Configuring PKI in a Windows Environment - An Example
2582 Configuring PKI in a UNIX Environment - An Example
2640 Reflection PKI Services Manager 1.2 Service Pack 2 New Features and Release Notes
2688 Reflection PKI Services Manager 1.3 New Features and Release Notes
2716 Which Products Include Reflection PKI Services Manager?
