
Reflection PKI Services Manager Overview
Technical Note 2425
Last Reviewed 09-Nov-2012
Applies To
Reflection for Secure IT UNIX Client version 7.1 or higher
Reflection for Secure IT UNIX Server version 7.1 or higher
Reflection for Secure IT Windows Server version 7.1 or higher
Reflection for Secure IT Web Edition
Reflection X 2011
Reflection Suite for X 2011
Reflection PKI Services Manager
Summary

This technical note provides an overview of Reflection PKI Services Manager, a service that provides certificate validation services for Reflection for Secure IT and Reflection X Advantage (available with Reflection X 2011 and Reflection Suite for X 2011), including how to obtain this component and how it works.

The following topics are covered in this technical note:

  • About PKI Services Manager
  • Obtaining PKI Services Manager
  • How PKI Services Manager Works
  • Support for RFCs, Standards, and Extensions
  • Additional Resources

For information about the latest PKI Services Manager release, see Technical Note 2640.

About PKI Services Manager

Reflection PKI Services Manager uses PKI to validate the authenticity of certificates presented by communicating parties. Using PKI Services Manager you can centrally configure and administer PKI functions, such as the following:

  • Trust anchor certificates and trust chains
  • Local or remote certificate stores
  • Certificate revocation checking using certificate revocation lists (CRLs) or Online Certificate Status Protocol (OCSP)
  • Certificate-to-user-ID mapping
  • Audit logging for multiple servers and clients

PKI Services Manager provides X.509 certificate validation services for the following products:

  • Reflection for Secure IT Windows Server (starting with version 7.1)
  • Reflection for Secure IT UNIX Server (starting with version 7.1)
  • Reflection for Secure IT UNIX Client (starting with version 7.1)

Note: Reflection for Secure IT Windows Client (all versions) does not use the PKI Services Manager for X.509 certificate validation; instead, the client performs its own certificate validation.

After installing and configuring PKI Services Manager, you should configure your installed Reflection for Secure IT product to connect to the PKI Services Manager and use the certificate validation services provided. For details about setting up client or server authentication, see the product user guides available from http://support.attachmate.com/manuals/sshdocs.html. For an example of configuring PKI Services Manager in a Windows environment, see Technical Note 2490.

PKI Services Manager is included as a component of Reflection for Secure IT UNIX Server and Client and Reflection for Secure IT Windows Server, at no additional cost. Note: It is a separate download and a separate installation.

Obtaining PKI Services Manager

The directions for obtaining the Reflection PKI Services Manager add-on vary depending on whether you are a maintained or new customer, or an evaluating customer.

Note: You can install or upgrade the PKI Services Manager component without changing your installed version of Reflection for Secure IT or Reflection X Advantage.

Maintained or New Customers

Maintained customers are eligible to download PKI Services Manager 1.2 Service Pack 1 (1.2+SP1) from the Attachmate Download Library web site: https://download.attachmate.com/Upgrades/.

New Volume Purchase Account customers can use link(s) in the e-mail message sent to the order "ship to" contact to download PKI Services Manager files.

The PKI Services Manager file downloads for various platforms are listed in the Download Library on your product's download page under the heading, "Supplemental File – Utility or Add-On," which appears below the "Current Product Release" and "Service Pack or Patch" headings.

You will be prompted to log in and accept the Software License Agreement before you can select and download the PKI Services Manager file. For more information on using the Download Library web site, see Technical Note 0200.

Evaluating Customers

PKI Services Manager 1.2 Service Pack 1 (1.2+SP1) is available to evaluate when you request an evaluation copy of the following products from the Attachmate web site (http://www.attachmate.com/Evals/rsit/rsit-eval.htm):

  • Reflection for Secure IT UNIX Client
  • Reflection for Secure IT UNIX Server
  • Reflection for Secure IT Windows Server
  • Reflection X 2011 (includes Reflection X Advantage)
  • Reflection Suite for X 2011 (includes Reflection X Advantage)

You will be prompted to fill out a form and then will receive e-mail with instructions about downloading the evaluation software.

The PKI Services Manager file downloads are intermixed in the file listing of Reflection for Secure IT or Reflection X Advantage product downloads, which are organized by available platforms under the "Description" heading. The PKI Services Manager file downloads include "PKI Add-On" at the end of the platform description.

If you downloaded the Reflection for Secure IT or Reflection X 2011 (which includes Reflection X Advantage) evaluation software, you must navigate back to the file listing page to obtain the PKI Add-On. Alternatively, you can click the link in the original e-mail to return to the file listing page.

How PKI Services Manager Works

The following diagrams show how PKI Services Manager validates certificates used for authentication. The first example shows how an SSH Windows or UNIX server uses PKI Services Manager to validate a certificate used for client authentication, and the second example shows how an SSH UNIX client performs the same task during host certificate authentication. Refer to the steps below each diagram for an explanation of the process in each environment.

SSH Windows Client Example – Validate Client Authentication Certificate

Figure 1: Validate client authentication certificate process diagram.

  1. During the process of user authentication, the SSH client sends a certificate packet to the SSH server (which has Reflection for Secure IT Windows Server or UNIX Server installed on it). The Reflection for Secure IT Server includes a PKI Services Manager client.
  2. The PKI Services Manager client contacts the PKI Services Manager (which may be installed on a UNIX or Windows box) using a proprietary protocol.
  3. The PKI Services Manager verifies the chain of trust, checks whether the certificate is revoked, and evaluates the certificate-to-user-ID mapping rules. Revocation checking is done locally, or remotely by retrieving CRL files from LDAP or HTTP servers or by contacting an OCSP Responder.
  4. The PKI Services Manager returns the result of the certificate validation (valid or revoked) together with the user mapping to the SSH server.
  5. The SSH server communicates authentication success or authentication failure to the SSH client.

SSH UNIX Client Example – Validate Host Authentication Certificate

Figure 2: Validate host authentication certificate process diagram.

  1. The SSH client connects to the SSH server to set up an SSH connection.
  2. During the connection setup process, the server identifies itself to the client using a certificate packet.
  3. The PKI Services Manager client contacts the PKI Services Manager (which may be installed on a UNIX or Windows box) using a proprietary protocol.
  4. The PKI Services Manager verifies the chain of trust, checks whether the certificate is revoked, and evaluates the mapping rules. Revocation checking is done locally, or remotely by retrieving CRL files from LDAP or HTTP servers or by contacting an OCSP Responder.
  5. The PKI Services Manager returns the result of the certificate validation (valid or revoked) to the SSH UNIX client. The SSH client then either accepts or rejects the host identity.

Support for RFCs, Standards, and Extensions

Reflection PKI Services Manager supports the following RFCs, standards, and extensions:

  • FIPS 140-2 Level 1 validated for most supported platforms (certificate #1048)
  • RFCs 2253, 2560, and 3280
  • X.509 certificates for server and client authentication (X.509 versions 1-3)
  • Version 2 X.509 CRL
  • PKCS#7 – for packaging of Federal Bridge Certificate Authority (FBCA) bridge certificates (Added in version 1.1)
  • PKCS#10 – for certificate requests to a Certificate Authority (CA) (Added in version 1.1)
  • Support for the following certificate extensions:
      • CDP
      • IDP
      • AIA
      • Policy Constraints
      • Basic Constraints
      • Name Constraints
      • Extended Key Usage

Additional Resources

Reflection PKI Services Manager Documentation:

Reflection for Secure IT Windows Server Documentation:

Reflection for Secure IT Windows Client Documentation:

Reflection for Secure IT UNIX Client and Server Documentation:

Reflection PKI Services Manager Supported Platforms: Technical Note 2427

Related Technical Notes
0200 Using the Attachmate Download Library (FAQ)
2427 Reflection PKI Services Manager Supported Platforms
2486 Features Introduced in Reflection PKI Services Manager 1.1 and Release Notes
2490 Configuring PKI in a Windows Environment - An Example
2582 Configuring PKI in a UNIX Environment - An Example
2640 Reflection PKI Services Manager 1.2 Service Pack 1 New Features and Release Notes
