Reflection PKI Services Manager Overview

  • 7021870
  • 02-Apr-2009
  • 01-Apr-2018

Environment

Reflection PKI Services Manager

Situation

This technical note provides an overview of Reflection PKI Services Manager, a service that provides certificate validation services for many Micro Focus products. Information about how to obtain this component and how it works is also included.

Resolution

Note:

For information about PKI Services Manager 1.3 SP2 (released November 2017), see the Release Notes at https://www.attachmate.com/documentation/pki-1-3sp2/pki-1.3sp2-release-notes/data/pki-1.3sp2-release-notes.html.

About PKI Services Manager

Reflection PKI Services Manager uses PKI to validate the authenticity of certificates presented by communicating parties. Using PKI Services Manager you can centrally configure and administer PKI functions, such as:

  • Trust anchor certificates and trust chains
  • Local or remote certificate stores
  • Certificate revocation checking using certificate revocation lists (CRLs) or Online Certificate Status Protocol (OCSP)
  • Certificate-to-user-ID mapping
  • Audit logging for multiple servers and clients

PKI Services Manager provides X.509 certificate validation services for the products listed in KB 7021880.

Note: Reflection for Secure IT Client for Windows (all versions) does not use the PKI Services Manager for X.509 certificate validation; instead, the client performs its own certificate validation.

Obtaining and Using PKI Services Manager

PKI Services Manager is included as a component of the products listed in KB 7021880 at no additional cost.

On the Downloads website, PKI Services Manager is provided as a separate download file and installation. These files may be listed under “Supplemental File – Utility or Add-On.”

For more information about the Downloads website, see KB 7021965.

Note: You can install or upgrade the PKI Services Manager component without changing your installed Micro Focus product version.

After installing and configuring PKI Services Manager, you should configure your installed Micro Focus product to connect to the PKI Services Manager and use the certificate validation services provided. For details about setting up client or server authentication, see the product user guides available from https://support.microfocus.com/manuals/reflection.html?prod=PKID. For an example of configuring PKI Services Manager in a Windows environment, see KB 7021873.

How PKI Services Manager Works

The following diagrams show how PKI Services Manager validates certificates used for authentication. The first example shows how an SSH Windows or UNIX server uses PKI Services Manager to validate a certificate used for client authentication. The second example shows how an SSH UNIX client performs the same task during host certificate authentication. Refer to the steps below each diagram for an explanation of the process in each environment.

Note: For a list of supported RFCs, standards, and extensions, see KB 7021879.

SSH Windows Client Example – Validate Client Authentication Certificate


Figure 1: Validate client authentication certificate process diagram.

  1. During the process of user authentication, the SSH client sends a certificate packet to the SSH server (which has Reflection for Secure IT Server for Windows or Server for UNIX installed on it). The Reflection for Secure IT Server includes a PKI Services Manager client.
  2. The PKI Services Manager client contacts the PKI Services Manager (which may be installed on a UNIX or Windows box) using a proprietary protocol.
  3. The PKI Services Manager verifies the chain of trust, checks whether the certificate is revoked, and evaluates the mapping rules. Revocation checking is done locally, or remotely by retrieving CRL files from LDAP or HTTP servers or by contacting an OCSP Responder.
  4. The PKI Services Manager returns the result (certificate valid or revoked) together with the mapped user ID to the SSH server.
  5. The SSH server communicates authentication success or authentication failure to the SSH client.

SSH UNIX Client Example – Validate Host Authentication Certificate


Figure 2: Validate host authentication certificate process diagram.

  1. The SSH client connects to the SSH server to set up an SSH connection.
  2. During the connection setup process, the server identifies itself to the client using a certificate packet.
  3. The PKI Services Manager client contacts the PKI Services Manager (which may be installed on a UNIX or Windows box) using a proprietary protocol.
  4. The PKI Services Manager verifies the chain of trust, checks whether the certificate is revoked, and evaluates the mapping rules. Revocation checking is done locally, or remotely by retrieving CRL files from LDAP or HTTP servers or by contacting an OCSP server.
  5. The PKI Services Manager returns the result (certificate valid or revoked) to the SSH UNIX client, which then accepts or rejects the host identity.

Additional Information

Legacy KB ID

This document was originally published as Attachmate Technical Note 2425.