Configuring PKI in a UNIX Environment - An Example

  • 7021876
  • 01-Sep-2011
  • 01-Apr-2018

Environment

Reflection PKI Services Manager
Reflection for Secure IT UNIX Server version 7.1 or higher

Situation

The example in this technical note provides basic steps to configure PKI in a UNIX environment. Use this information as a starting place to understand how to configure PKI for your environment.

Resolution

Configuring PKI in a UNIX Environment – An Example

Configuring PKI is a multi-step process:

A. Configure PKI Services Manager

The following steps use UNIX PKI Services Manager, a Local Store for the RootCA (Trust Anchor) Certificate, an Intermediate Certificate, and configure for certificate revocation (CRL) checking.

  1. Log in as root on the server where Reflection PKI Services Manager will be installed.
  2. Install Reflection PKI Services Manager. See the Installing PKI Services Manager topic in the PKI Services Manager User Guide for installation details: https://support.microfocus.com/manuals/pki.html.
  3. Collect and store copies of RootCA certificate, IntermediateCA Certificate and CRLs.
    1. The default PKI Services Manager store is in the following location:
/opt/attachmate/pkid/local-store
    1. Place a copy of the certificate you want to designate as a trust anchor into your local store. If Intermediate Certificates are required by the chain of trust in your certificates, include copies of the Intermediate Certificates under the local store.
    2. By default PKI Services Manager looks for CRLs in the local store. Copy the CRLs to your local store.
  1. Edit the PKI Services Manager map file to identify a user to a server or server to a user. The default name and location is:
/opt/attachmate/pkid/config/pki_mapfile
  1. Map user certificates or server certificates:

Add one or more rules to determine how the contents of a certificate determine which identities can authenticate with a valid certificate, and save your changes to the map file.

For example:

RuleType= user
{ user1 test1 local1 } Subject.CN Contains “user1 one”

RuleType= host
{ 10.10.7.244 rh53.attachmate.com } Subject.CN Equals “rh53.attachmate.com”
{ 10.10.3.247 sol10.attachmate.com } Subject.CN Equals “sol10.attachmate.com”

For more details on rules, see the Sample Mapping Rules topic under Reference in the Reflection PKI Services Manager User Guide: https://support.microfocus.com/manuals/pki.html.

  1. Reload the pki_mapfile:
/usr/local/sbin/pkid reload
  1. Edit the PKI Services Manager configuration file. Open the PKI Services Manager configuration file in a text editor. The default name and location is
/opt/attachmate/pkid/config/pki_config
  1. Use the TrustAnchor keyword to identify your trust anchor.
TrustAnchor = trustedca.crt

-or-

TrustAnchor = CN=SecureCA,O=Acme,C=US
  1. Configure certificate revocation checking using local store. For example:
RevocationCheckOrder = local
  1. Configure access to Intermediate Certificates.
CertSearchOrder = local

Example: If a site requires multiple TrustAnchors, you can use a TrustAnchor stanza:

# ------------------------------------------------------------
# Sample of a TrustAnchor stanza
# -------------------------------------------------------------
TrustAnchor = trustedca.crt
RevocationCheckOrder = local
MapFile = pki_map
# ------------------------------------------------------------
# Sample of a second TrustAnchor stanza
# -------------------------------------------------------------
TrustAnchor = trustedca2.crt
RevocationCheckOrder = ocsp
OCSPResponders = http://ocsp.myhost.com:1080
OCSPCertificate = /opt/attachmate/pkid/local-store/ocsp.cer
MapFile = pki_map
  1. Save your changes and restart PKI Services Manager:
/etc/init.d/pkid restart

or:

/etc/init.d/pkid/stop
/etc/init.d/pkid/start

B. Configure Reflection for Secure IT UNIX Server to use PKI Services Manager validation services

The following steps use Reflection for Secure IT UNIX Server as an example.

Modify the PkidAddress and PkidPublicKey lines in the sshd2_config file. The method you follow depends on where PKI Services Manager is running:

  • If the Reflection for Secure IT server and PKI Services Manager are running on the same UNIX host:

Open the sshd2_config file in a text editor and uncomment the following two lines:

PkidAddress=localhost:18081
PkidPublicKey=/opt/attachmate/pkid/config/pki_key.pub
  • If the Reflection for Secure IT server and PKI Services Manager are running on different UNIX systems:
    1. Copy the pki_key.pub to the system that runs the Reflection for Secure IT server; we recommend the /etc/ssh2 directory.

Tip: Rename the public key to include a reference to the UNIX system that runs the PKI Services Manager, for example, the IP address (see sample below).

    1. Open the sshd2_config file in a text editor, then uncomment and modify the following two lines:
PkidAddress=10.10.7.244:18081
PkidPublicKey=/etc/ssh2/pki_key_10.10.7.244.pub

C. Configure clients to authenticate using certificates

For instructions about configuring the Reflection for Secure IT clients (either Windows or UNIX) to authenticate using certificates, see the appropriate product documentation:

For Reflection for Secure IT Windows Client, see https://support.microfocus.com/manuals/rsit_win_client.html.

For Reflection for Secure IT UNIX Client, see https://support.microfocus.com/manuals/rsit_unix.html.

Additional Information

Reflection PKI Services Manager Documentation:

Reflection for Secure IT Windows Server Documentation:

Reflection for Secure IT Windows Client Documentation:

Reflection for Secure IT UNIX Client and Server Documentation:

Reflection PKI Services Manager Supported Platforms: KB 7021871

Legacy KB ID

This document was originally published as Attachmate Technical Note 2582.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.