Configuring Reflection for PKI Auto Sign-on

  • 7021428
  • 12-Nov-2014
  • 02-Mar-2018


Reflection 2014 R1 SP1
Reflection Pro 2014 R1 SP1
Reflection X 2014 R1 SP1
Reflection for UNIX and OpenVMS 2014 R1 SP1
Reflection PKI Auto Sign-on Add-On Client version 1.0


This technical note shows how to configure a Reflection 2014 session to use the PKI Auto Sign-on Add-On Client product, which allows the use of a Common Access Card (CAC) or other smart card for authentication.



To use PKI Auto Sign-on, the PKI Auto Sign-on host module must be installed on your host server. This module can be used to verify that a client is in control of a CAC or other smart card, and to extract the Distinguished Name (DN) from the certificate used for authentication. The DN, or some substring contained in the DN, can then be used to provide service to the authorized user. PKI Auto Sign-on is designed to provide a validated identity even via a shared host login, that is, the identity comes from the smart card itself, not from the host user ID.

When a session is configured to use PKI Auto Sign-on:

  • System administrators can set up an OpenVMS or UNIX session to use a shared log-on that provides the host application with a strongly validated identity directly from a CAC.
  • Host programmers can get the strongly validated DN of a user in control of a CAC. The programmers can then extract information from the DN and use it as an identifier to authorize access (for example, to the CAC-bearer's health records).


  • The Reflection PKI Auto Sign-on host module must be installed on the host server.
  • You can use PKI Auto Sign-on with Reflection 2014 R1 SP1 (or higher) VT terminals using the SSH protocol. All of the client-side functionality required for PKI Auto Sign-on is included only in Reflection 2014 version R1 SP1 or higher.


Use the following procedure to create an SSH-enabled Reflection session that uses PKI Auto Sign-on:

  1. Create a new VT session document.
  2. In the Document Settings dialog box, under Connection, select Secure Shell and then enter the Host name and User name.
  3. Click Configure additional settings and then click OK.
  4. In the Settings dialog box, under Host Connection, select Set up Connection Security.
  5. On the Reflection Secure Shell Settings dialog box General tab, under User authentication, deselect Public Key.
  6. On the PKI tab, click Reflection Certificate Manager.
  7. On the Reflection Certificate Manager dialog box PKCS #11 tab, click Add.

Note: If ActivClient 7.0.2 and later is installed, please use MSCAPI as the provider.

As of Reflection 2014, UNIX and OpenVMS 2014, MSCAPI can be used as a provider. If MSCAPI is used then a token provider is not used, and step 8 of section is skipped. Instead the two check boxes “Use System Certificate Store for SSH connections” and “Use System Certificate Store for SSL/TLS connections” under ‘Reflection Certificate Manager/Trusted Certificate Authorities” need to be checked.

  1. In the PKCS #11 Provider dialog box, browse to the Provider DLL required to access your CAC.
  2. In the .ssh/config file for this session document, add the appropriate PKIC prompt string configured on the server. The following example shows an entry for a prompt “Starting PKI Validation...”
PKICPrompt "Starting PKI Validation..."

When you are done, the file should look like this:

Host myHostName
RSAAuthentication no
PubkeyAuthentication no
connectionReuse no
PKICPrompt "Starting PKI Validation..."

Additional Information

Legacy KB ID

This document was originally published as Attachmate Technical Note 2757.