Configuring PKI in a Windows Environment - An Example

  • 7021873
  • 04-Mar-2010
  • 01-Apr-2018

Environment

Reflection PKI Services Manager version 1.2 or higher
Reflection for Secure IT Windows Server version 7.2 or higher
Reflection for Secure IT Web Edition version 8.1 or higher

Situation

The example in this technical note provides basic steps to configure PKI in a Windows environment. Use this information as a starting place to understand how to configure PKI for your environment.

Resolution

Configuring PKI is a multi-step process:

Note: The example in this technical note provides basic steps to configure PKI on Windows Server 2008. Use this information as a starting place to understand how to configure PKI for your environment.

A. Configure the PKI Services Manager

The following steps use a Windows PKI Services Manager and a Local Store for the CA Certificate Trust Anchor and CRL checking. When configuring the PKI Services Manager, you must be logged in as an administrator.

  1. Launch the Reflection PKI Services Manager console (Start > All Programs > Attachmate Reflection > PKI Services Manager).

Note: On Windows, starting the console or the service for the first time initializes PKI Services Manager. This creates the required data folders and default settings files.

  2. On the Server menu, click Start to start the PKI Services Manager server. (The PKI Services Manager service also starts automatically when you restart Windows.)
  3. Download a CA certificate (*.cer) to the server running the PKI Services Manager and copy that certificate to the Reflection PKI local store, which is typically located in the following location:
C:\ProgramData\Attachmate\ReflectionPKI\local-store
  4. Download the CRL file(s) (*.crl) to the same local store folder. URL paths for the CRL Distribution Points are normally listed on the Details tab of the certificate:
Figure 1 - Identifying URL Paths for the CRL Distribution Points

  5. In the PKI Services Manager Console, click the Local Store pane. The contents of the default local store are listed by default. You should see the certificates and CRLs you placed in this store.
Figure 2 - Sample Path to Local Store
  6. Click the Trusted Chain pane. Under Trust Anchors, click Add. Leave "Local store certificate" selected and click Browse. Select the CA certificate you want to use as the Trust Anchor. Click OK twice. At this point, settings can be saved since a Trust Anchor has been established.
  7. Click the Revocation pane and ensure that the Local Store is selected, since the Certificate Revocation List (CRL file) resides here (see step 4 above).
  8. Click the Identity Mapper pane, which is used to define rules that map certificates to identities. There are separate procedures for mapping user certificates and for mapping server certificates.

Mapping User Certificates:

    1. Click Add. From the first drop-down list, select "User Certificate (identifies a user to a server)".

Select the "Apply this rule only to this server" check box and enter the server name, for example, winserv1. (Do not use the server's DNS host name.)

Note: This step is required if you are using Windows local accounts. You may skip this step if you are using Windows domain accounts.

    2. Specify one or more identities for the mapped certificate using a comma-separated list in the field provided, for example:
<domain name1>\<username1>,<domain name1>\<username2>
    3. Specify how the contents of the certificate affect authentication:

- Enable "Allow authentication if the following condition is met."

- Select "Subject Common Name" from the first drop-down list.

- Select "Contains" from the second drop-down list.

- In the third field, enter a value found for Subject when viewing details of the client certificate.

- Click OK. The rule will display as follows:

User-address=winserv1
{<domain name1>\<username1>,<domain name1>\<username2>}Subject Contains <Value>.

Note: The status bar will display the rule as you build it.

Figure 3 - Sample Mapped User Certificate

Mapping Server Certificates:

    1. Click Add. Select “Host Certificate (identifies a server to a user)”.
    2. Specify one or more identities for the mapped certificate using a comma-separated list in the field provided, for example:
ServerIPAddress, ServerName
    3. Specify how the contents of the certificate affect authentication:

- Enable "Allow authentication if the following condition is met."

- Select "Subject Common Name" from the first drop-down list.

- Select "Contains" from the second drop-down list.

- In the third field, enter a value found for Subject when viewing details of the server certificate.

- Click OK. The rule will display as follows:

host
{<ServerIPAddress>, <ServerName>} Subject.CN Equals <Value>.
Figure 4 - Sample Mapped Server Certificate
  9. Click File > Save. This updates the configuration files.
  10. Click Server > Reload. This ensures that the server is using the current settings.
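As an added example, not part of this technical note or of the Reflection product, the following PowerShell script performs steps 3 and 4 of section A without reading URLs off the Details tab by hand: it copies the CA certificate into the local store, reads the CRL Distribution Points extension from that certificate, downloads each HTTP-reachable CRL into the same folder, and lists what the Local Store pane should then show. The certificate path is supplied by you; the default local-store path is the one this note gives, and the certutil call only displays each CRL's issuer so you can compare it with the CA subject before trusting it for revocation checking.

```powershell
# Added example (not from the Attachmate/Micro Focus note): stage a CA certificate and its CRLs
# in the PKI Services Manager local store. Assumes the .cer path you pass in and the default
# local-store location quoted in the note; adjust -LocalStore if your installation differs.
param(
    [Parameter(Mandatory = $true)]
    [string] $CertificatePath,                                   # CA certificate (*.cer) downloaded earlier
    [string] $LocalStore = 'C:\ProgramData\Attachmate\ReflectionPKI\local-store'
)

$ErrorActionPreference = 'Stop'

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertificatePath
Write-Host ("Trust anchor candidate: {0} (thumbprint {1})" -f $cert.Subject, $cert.Thumbprint)

# Step 3: the CA certificate itself goes into the local store.
Copy-Item -Path $CertificatePath -Destination $LocalStore

# Step 4: OID 2.5.29.31 is the CRL Distribution Points extension. Format($true) renders it as the
# same text the Details tab shows, one "URL=..." entry per distribution point.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) {
    throw "Certificate has no CRL Distribution Points extension; obtain the CRL from the CA directly."
}
$urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }

$web = New-Object System.Net.WebClient
foreach ($url in $urls) {
    if ($url -notmatch '^https?://') {
        Write-Warning "Skipping non-HTTP distribution point: $url"   # e.g. ldap:// entries
        continue
    }
    $dest = Join-Path $LocalStore ([System.IO.Path]::GetFileName(([uri]$url).AbsolutePath))
    $web.DownloadFile($url, $dest)

    # The CRL is only useful if this CA issued it; certutil -dump prints the Issuer: block, which is
    # shown here for manual comparison with the certificate subject printed above.
    $issuer = (certutil -dump $dest | Select-String '^\s*Issuer:' -Context 0, 1).Context.PostContext
    Write-Host ("Saved {0} (CRL issuer: {1})" -f $dest, (($issuer -join ' ').Trim()))
}

# Step 5 check: what the Local Store pane should now list.
Get-ChildItem -Path "$LocalStore\*" -Include *.cer, *.crl | Select-Object Name, Length, LastWriteTime
```

Run it as an administrator on the PKI Services Manager host (for example `.\Stage-LocalStore.ps1 -CertificatePath C:\temp\ca.cer`), then click Server > Reload so the server picks up the new store contents.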

B. Configure the server (or clients) to use the PKI Services Manager validation services

To use PKI Services Manager for validation, you must configure the application to connect to your configured PKI Services Manager. The following steps use the Reflection for Secure IT Server for Windows Server as an example.

  1. Launch the Reflection for Secure IT console (Start > All Programs > Attachmate Reflection > Reflection SSH Server Configuration).
  2. Click the Configuration tab and go to Authentication > Public Key > Certificates.
  3. The server is configured by default to connect to a PKI Services Manager on the local host. Click Edit. For PKI server, specify your PKI Services Manager host name or IP address.
  4. Click Retrieve public key. A dialog box displays with the PKI Services Manager key fingerprint. (You can confirm this fingerprint from the PKI Services Manager console by clicking Utility > Public Key.) Click Yes to accept this key, then save the key to the default location.
  5. Click OK to close the PKI Configuration dialog box.
Figure 5 - Sample PKI Server Configuration
  6. Click the Save button or click File > Save Settings to save the PKI settings.

For information about configuring Reflection for Secure IT Web Edition, see the Administrator's Guide, which is available from https://support.microfocus.com/manuals/rsit-web-edition.html. In the User Manager Administration chapter, find the section titled "Configure Certificate Authentication."

For information about configuring Reflection for Secure IT for UNIX, see the Users Guide, which is available from https://support.microfocus.com/manuals/rsit_unix.html. Find the sections titled "Configure Certificate Authentication for Users" and "Configure Server Certificate Authentication."

C. Configure the clients (or server) to authenticate using certificates

For instructions about configuring the Reflection for Secure IT clients and servers to authenticate using certificates, see the appropriate product documentation:

For Reflection for Secure IT Client for Windows documentation, see https://support.microfocus.com/manuals/rsit_win_client.html.

For Reflection for Secure IT Server for Windows documentation, see https://support.microfocus.com/manuals/rsit_win_server.html.

For Reflection for Secure IT Client or Server for UNIX documentation, see https://support.microfocus.com/manuals/rsit_unix.html.

Additional Information

Reflection PKI Services Manager Supported Platforms: KB 7021871

Legacy KB ID

This document was originally published as Attachmate Technical Note 2490.