Reflection PKI Services Manager is a service that provides certificate validation services for Reflection for Secure IT and Reflection X Advantage (available with Reflection X 2011 and Reflection Suite for X 2011). This technical note outlines the features available in the Reflection PKI Services Manager 1.1 release, as well as product release notes and information about how to obtain and install this service.
Note: For a list of features included in Reflection PKI Services Manager 1.2 Service Pack 2, see KB 7021877.
Reflection PKI Services Manager 1.1 New Features
- SOCKS proxy support
You can configure PKI Services Manager to connect to remote servers via a SOCKS proxy. When a SOCKS proxy is configured, connections made to remote servers for OCSP queries, or to download intermediate certificates or CRLs, are routed through the SOCKS proxy.
- pki-client command line utility
You can use the pki-client command line utility to query PKI Services Manager for information about whether a certificate is valid, and which servers or user clients are allowed to authenticate using the certificate. You can run pki-client on the PKI Services Manager host, or run it from a remote computer. (Java 1.5 or newer is required.)
- Certificates signed with the MD2 RSA hash are no longer allowed by default
A new setting is available if you need to enable use of intermediate certificates signed using this deprecated hash algorithm. From the console, enable "Allow MD2 signed certificates". Or, in the configuration file, set AllowMD2Certificates = yes.
Note: MD2 hashes in X.509 certificates might allow remote attackers to spoof intermediate CA certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. The scope of this issue is currently limited because the amount of computation required is still large. (This is related to CVE-2009-2409.)
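Before enabling AllowMD2Certificates it helps to know which certificates in a chain actually carry an MD2 signature. The following is an added example, not code from the PKI Services Manager product: a minimal DER walker that reads a certificate's outer signatureAlgorithm OID and flags the deprecated MD2 hash (it also flags MD5, going one step beyond the note above). The sample "certificates" at the bottom are constructed skeletons for exercising the parser, not real certificates.

```python
# Signature-algorithm OIDs from PKCS#1 (RFC 3279); MD2 and MD5 are the deprecated hashes.
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}

def read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value_bytes, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Turn DER OID contents into dotted form, e.g. 1.2.840.113549.1.1.2."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm_oid(der_cert):
    """Return the dotted OID of a DER certificate's outer signatureAlgorithm."""
    tag, cert_body, _ = read_tlv(der_cert, 0)  # Certificate ::= SEQUENCE { tbs, alg, sig }
    assert tag == 0x30, "certificate is not a SEQUENCE"
    _, _, after_tbs = read_tlv(cert_body, 0)  # skip tbsCertificate
    tag, alg_id, _ = read_tlv(cert_body, after_tbs)  # AlgorithmIdentifier
    assert tag == 0x30, "AlgorithmIdentifier is not a SEQUENCE"
    tag, oid_bytes, _ = read_tlv(alg_id, 0)
    assert tag == 0x06, "AlgorithmIdentifier does not start with an OID"
    return decode_oid(oid_bytes)

def weak_signature(der_cert):
    """Name of the deprecated hash used to sign der_cert, or None if it is not MD2/MD5."""
    return WEAK_SIGNATURE_OIDS.get(signature_algorithm_oid(der_cert))

# Constructed samples: skeletal DER "certificates" (empty tbsCertificate, empty signature)
# that differ only in their AlgorithmIdentifier. They exercise the parser, nothing more.
def build_skeleton(alg_id_hex):
    body = bytes.fromhex("3000") + bytes.fromhex(alg_id_hex) + bytes.fromhex("030100")
    return bytes([0x30, len(body)]) + body

SAMPLE_MD2_CERT = build_skeleton("300d06092a864886f70d0101020500")     # md2WithRSA
SAMPLE_SHA256_CERT = build_skeleton("300d06092a864886f70d01010b0500")  # sha256WithRSA
```

For a real certificate, pass the bytes of a DER file (decode the base64 body of a PEM file first); a result other than None from weak_signature means the chain depends on a hash that this release rejects by default.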
- Support for HSPD-12
PKI Services Manager now supports the bridge certificate architecture mandated by Homeland Security Presidential Directive 12.
- PKCS#7 support
PKI Services Manager can now use certificates that are stored in PKCS#7 files on the local computer or on an LDAP or HTTP server.
- Support for LDAP servers that respond with more than one certificate
When an LDAP server response includes multiple certificates, PKI Services Manager can now determine the correct certificate to use when building a certificate path.
- Console updates to support trust-specific revocation settings
The console now includes options that enable you to use trust-specific revocation settings that override global values. This functionality was previously available only by modifying the configuration file.
The following issues were resolved in this release:
- The presence of unrecognized OIDs in a certificate's SubjectAltName no longer causes an ASN error.
- The PKI Services Manager now displays a warning message when a map file contains multiple default rules (rules that have no defining condition). The warning message helps clarify that only the first default rule will be applied, and subsequent rules will be ignored.
- This service pack installs Version 6 Update 13 of the Java Runtime Environment (JRE). This JRE update addresses potential security vulnerabilities. For current information about security alerts and advisories that may affect Reflection PKI Services Manager, see Security Alerts - Reflection PKI Services Manager.
Obtaining Your Component Upgrade
The directions for obtaining the Reflection PKI Services Manager add-on vary depending on whether you are a maintained customer, a new customer, or an evaluating customer.
Note: You can install or upgrade the PKI Services Manager component without changing your installed version of Reflection for Secure IT or Reflection X Advantage.
Maintained or New Customers
Maintained customers are eligible to download PKI Services Manager 1.1 from the Attachmate Download Library web site: https://download.attachmate.com/Upgrades/.
New Volume Purchase Account customers can use link(s) in the e-mail message sent to the order "ship to" contact to download PKI Services Manager files.
The PKI Services Manager file downloads for various platforms are listed in the Download Library on your product's download page under the heading "Supplemental File - Utility or Add-On," which appears below the "Current Product Release" and "Service Pack or Patch" headings. You will be prompted to log in and accept the Software License Agreement before you can select and download the PKI Services Manager file. For more information on using the Download Library web site, see KB 7021965.
Evaluating Customers
PKI Services Manager 1.1 is available to evaluate when you request an evaluation copy of the following products from the Attachmate web site (https://www.attachmate.com/Evals/rsit/rsit-eval.htm):
- Reflection for Secure IT UNIX Server
- Reflection for Secure IT Windows Server
- Reflection X 2011 (includes Reflection X Advantage)
- Reflection Suite for X 2011 (includes Reflection X Advantage)
You will be prompted to fill out a form and then will receive e-mail with instructions about downloading the evaluation software.
The PKI Services Manager file downloads are intermixed in the file listing of Reflection for Secure IT or Reflection X Advantage product downloads, which are organized by available platforms under the "Description" heading. The PKI Services Manager file downloads include "PKI Add-On" at the end of the platform description.
If you downloaded the Reflection for Secure IT or Reflection X 2011 (which includes Reflection X Advantage) evaluation software, you must navigate back to the file listing page to obtain the PKI Add-On. Alternatively, you can click the link in the original e-mail to return to the file listing page.
For information about Reflection PKI Services Manager supported platforms, see KB 7021871.
Installing Reflection PKI Services Manager Upgrade
Reflection PKI Services Manager version 1.1 is a full product installation and does not require 1.0 to be installed. Installation instructions vary depending on platform. For detailed installation instructions on a Windows or UNIX platform, see the PKI Services Manager 1.1 User Guide on the documentation page: https://support.microfocus.com/manuals/pki.html.