Certificate Authentication and Reflection for Secure IT UNIX Server 7.1 or Higher

  • 7022084
  • 16-Jul-2009
  • 02-Mar-2018

Environment

Reflection for Secure IT UNIX Server version 7.1 or higher
Reflection for Secure IT UNIX Client version 7.1 or higher
Reflection for Secure IT Windows Client version 7.0 or higher

Situation

You can use digital certificates to establish secure connections with Public Key Infrastructure (PKI). This technical note outlines how to generate a certificate request using the ssh-certtool utility, obtain a signed certificate from a Certificate Authority (CA), import it to the Reflection for Secure IT UNIX server, and properly configure the server to use certificate authentication.

Resolution

Overview of Certificate Authentication for Servers

Rather than using public keys to authenticate your session, you can use certificates that authenticate the server during the Diffie-Hellman key exchange:

  1. The server sends its certificate to the client.
  2. The client verifies the certificate was signed by a valid Certificate Authority (CA).
  3. The client verifies that the certificate has the fully qualified domain name of the server.
  4. The client uses the challenge command to verify the private key of the server.

To have fully enabled certificate authentication, both the server and the client must be configured for it. However, you can opt for server-only or client-only certificate authentication, depending on the needs of your environment. This technical note explains how to configure the server. Note: Some preliminary configuration is also required on the Reflection SSH client.

To configure Client Certificate authentication for Reflection for Secure IT UNIX Client, see KB 7022083; for Reflection for Secure IT Windows Client, see KB 7021987.

Overview of Configuration Steps

Configuring Reflection for Secure IT UNIX Server for certificate authentication is a multi-step process:

  1. Preliminary Steps: Verify the server hostname, generate a certificate request for the server, and send it to a Certificate Authority to be signed.
  2. Configure Reflection for Secure IT UNIX Server 7.1 or higher to use certificate authentication.
  3. Configure Reflection for Secure IT Clients to validate server certificates.

A. Preliminary Steps

Before you obtain the server certificate, you must verify the server's fully qualified domain name (FQDN). Then, generate a certificate request for the server.

Verify the Server Hostname

To verify the host FQDN, at the command line enter the following command:

hostname -f

It should display the FQDN, for example:

myHost.myCo.com

If the hostname command does not display the FQDN, please review your host documentation for further information.

Generate a Certificate Request for the Server and Send it to a Certificate Authority to be Signed

Follow these steps to generate a certificate request and use it to obtain the server certificate from a Certificate Authority:

  1. Change your directory to /etc/ssh2 and enter the following command to generate a certificate request that you can send to your Certificate Authority for signing:
ssh-certtool -n <rsa or dsa> -o <output file name> req CN=<Server's Fully Qualified Domain Name>,O=<Company>,OU=<OrganizationalUnit>,L=<City>,ST=<State>,C=<Country>

For example:

ssh-certtool -n rsa -o myHost req CN=myHost.myCo.com,O=Attachmate,OU=support,L=Seattle,ST=Washington,C=US

If you need to add the Subject Alternative Name, use the following formats:

ssh-certtool -n <rsa or dsa> -o <output file name> -z DNS=<FQDN> req CN=<FQDN>,O=<company>,OU=<OrganizationalUnit>,L=<City>,ST=<State>,C=<Country>

For example:

ssh-certtool -n rsa -o myHost -z DNS=myHost.myCo.com req CN=myHost.myCo.com,O=Attachmate,OU=support,L=Seattle,ST=Washington,C=US
  2. The ssh-certtool will generate two files under the /etc/ssh2 folder:
myHost.ssh2 (the private key)
myHost.pkcs10 (the certificate request)
  3. Send the resulting pkcs10 package (in our example, the myHost.pkcs10 file) to a Certificate Authority for signing. The package is an ASCII file that you can view in a text editor such as Notepad; it is simply a request for a certificate based on the key generated in step 1.

If you choose to submit the request by cutting and pasting the text into the CA’s pkcs10 request form, be certain to copy the entire text including

-----BEGIN CERTIFICATE-----

and

-----END CERTIFICATE-----
  4. You will receive your CA-signed server certificate in a "Base-64 encoded" or ".pem" format depending on the CA. Either format is acceptable. Note: Do not use DER encoded binary format.
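
The following script is an added example, not part of this technical note and not an Attachmate tool. It performs, with the Python standard library only, the checks that step 4 implies before the returned file is installed: it tells PEM/Base-64 from DER (a DER file starts with the ASN.1 SEQUENCE byte 0x30), confirms that both -----BEGIN----- and -----END----- markers were copied intact and that the Base-64 body decodes, catches the common mistake of installing the PKCS#10 request instead of the signed certificate, and can re-wrap DER as PEM if the CA only offers binary. SAMPLE_DER and SAMPLE_PEM are constructed placeholders, not a real certificate; the checks look at encoding and framing, not at the certificate's contents.

```python
"""Checks for the file a CA sends back before it is installed as the host certificate.

Added example, not part of the original technical note and not an Attachmate tool.
Standard library only. SAMPLE_DER / SAMPLE_PEM are constructed placeholders, not a
real certificate.
"""
import base64
import re

# One PEM block: the label on the BEGIN line must be repeated on the END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END ([A-Z0-9 ]+)-----", re.S
)


def detect_encoding(data: bytes) -> str:
    """Classify raw file bytes as 'DER', 'PEM' or 'unknown'.

    A DER-encoded X.509 certificate starts with the ASN.1 SEQUENCE tag 0x30;
    a PEM (Base-64) file starts with a -----BEGIN ...----- line.
    """
    if data[:1] == b"\x30":
        return "DER"
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    return "unknown"


def check_pem_certificate(text: str) -> list:
    """Return the problems found in a PEM certificate; [] means it looks usable."""
    problems = []
    m = PEM_BLOCK.search(text)
    if not m:
        if "-----BEGIN" in text or "-----END" in text:
            problems.append("BEGIN/END markers incomplete or mismatched; copy the whole block")
        else:
            problems.append("no PEM block found (file may be DER-encoded or empty)")
        return problems
    label_begin, body, label_end = m.groups()
    if label_begin != label_end:
        problems.append(f"BEGIN label {label_begin!r} does not match END label {label_end!r}")
    if label_begin == "CERTIFICATE REQUEST":
        problems.append("this is the PKCS#10 request, not the signed certificate")
    elif label_begin != "CERTIFICATE":
        problems.append(f"unexpected PEM label {label_begin!r}")
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        problems.append("Base-64 body does not decode; the text was truncated or altered")
        return problems
    if der[:1] != b"\x30":
        problems.append("decoded body is not an ASN.1 SEQUENCE, so not an X.509 certificate")
    return problems


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap DER bytes as a PEM block (Base-64 in 64-character lines)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed sample: SEQUENCE { INTEGER 1, NULL }, a stand-in for real DER.
SAMPLE_DER = b"\x30\x05\x02\x01\x01\x05\x00"
SAMPLE_PEM = der_to_pem(SAMPLE_DER)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            raw = fh.read()
        kind = detect_encoding(raw)
        print(path, "->", kind)
        if kind == "PEM":
            for p in check_pem_certificate(raw.decode("ascii", "replace")) or ["OK"]:
                print("  " + p)
        elif kind == "DER":
            print("  DER is not accepted by the server; convert with der_to_pem()")
```

Run it with the path of the file the CA returned; an empty problem list means the file is ready to copy to /etc/ssh2. If `detect_encoding` reports DER, `der_to_pem` produces the Base-64 form the note asks for; the certificate content is identical, only the encoding changes.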

B. Configure the Server to Use Certificate Authentication

Follow these steps to configure the Reflection for Secure IT UNIX Server 7.1 or higher to use certificate authentication:

  1. After you receive your CA-signed server certificate, upload it in binary format to the /etc/ssh2 directory.

In this example, the CA-signed server certificate is renamed to myHost.ssh2.crt.

  2. Modify the following lines in the sshd2_config file:
HostCertificateFile=/etc/ssh2/myHost.ssh2.crt
HostKeyFile=/etc/ssh2/myHost.ssh2

  3. Save the sshd2_config file.

C. Configure Reflection for Secure IT Clients to Validate Server Certificates

Follow the steps below to configure the Reflection for Secure IT Client on either Windows or UNIX:

Configuring Reflection for Secure IT UNIX Client 7.1 or Higher

Beginning in Reflection for Secure IT UNIX client version 7.1, the UNIX client uses Reflection PKI Services Manager for X.509 certificate validation.

Note: The PKI Services Manager is available for either the Windows or the UNIX environment. See KB 7021870, “Reflection PKI Services Manager Overview,” for more information and sample configurations.

The steps to configure Reflection for Secure IT UNIX Client depend on whether the Reflection for Secure IT UNIX Client and the PKI Services Manager are installed on different machines or on the same machine.

Different Machines: Follow these steps if Reflection for Secure IT UNIX Client and PKI Services Manager are installed on different machines.

  1. Determine the IP address of the PKI Services Manager.
  2. Download a copy of the PKI Services Manager's public key. The default public key name is pki_key.pub.
  3. Transfer pki_key.pub to /opt/attachmate/pkid/config on the UNIX client.
  4. In ssh2_config, edit the PkidAddress line with the PKI Services Manager's IP address.
  5. Uncomment both the PkidAddress and PkidPublicKey lines.

Example:

### Add PkidAddress and pkiPublickey for testing
##
PkidAddress=10.10.1.216:18081
PkidPublicKey=/opt/attachmate/pkid/config/pki_key.pub
##
##
  6. Save the config file.

Same Machine: Follow these steps to configure Reflection for Secure IT UNIX Client to use the PKI Services Manager validation services.

  1. In the /etc/ssh2/sshd2_config file, uncomment both PkidAddress and PkidPublickey lines, keeping the defaults. For example:
### Add PkidAddress and pkiPublickey for testing
##
PkidAddress=localhost:18081
PkidPublicKey=/opt/attachmate/pkid/config/pki_key.pub
##
##
  2. Save the config file.
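
The following script is an added example, not part of this technical note and not an Attachmate tool: a standard-library Python audit of the directives from sections B and C. It parses sshd2_config/ssh2_config lines (a commented line counts as unset, which catches a missed "uncomment both lines" step), checks that HostCertificateFile and HostKeyFile name existing files with no stray whitespace in the path, and checks that PkidAddress is a host:port pair and that PkidPublicKey names an existing file. The config fragments and the PRESENT set of paths are constructed samples; on a live system pass os.path.exists (the default) instead of the constructed lookup.

```python
"""Audit the configuration lines this note tells you to set, server and client side.

Added example, not part of the original technical note and not an Attachmate tool.
Standard library only. The config fragments and the PRESENT set are constructed
samples; file existence is checked through a callable so the audit can run without
the real files, or with os.path.exists on a live system.
"""
import os
import re

# Directive lines are 'Name=value' (or 'Name value'); '#' starts a comment.
DIRECTIVE_RE = re.compile(r"^([A-Za-z0-9]+)\s*(?:=|\s)\s*(.*?)\s*$")
# PkidAddress must be host:port, e.g. localhost:18081 or 10.10.1.216:18081.
ADDR_RE = re.compile(r"^(?P<host>[^:\s]+):(?P<port>\d{1,5})$")

SERVER_KEYS = ("HostCertificateFile", "HostKeyFile")


def parse_ssh2_config(text: str) -> dict:
    """Return {directive_lowercase: value} for active lines; commented lines are unset."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def _path_problems(name: str, path, exists) -> list:
    """Common checks for a directive that must name an existing file."""
    if not path:
        return [f"{name} is not set (line missing or commented out)"]
    if re.search(r"\s", path):  # e.g. '/etc/ssh2/ myHost.ssh2.crt' from a paste error
        return [f"{name} contains whitespace: {path!r}"]
    if not exists(path):
        return [f"{name} points to a missing file: {path}"]
    return []


def audit_server(cfg: dict, exists=os.path.exists) -> list:
    """Problems with the sshd2_config lines from section B; [] means OK."""
    problems = []
    for name in SERVER_KEYS:
        problems += _path_problems(name, cfg.get(name.lower()), exists)
    return problems


def audit_client(cfg: dict, exists=os.path.exists) -> list:
    """Problems with the ssh2_config Pkid* lines from section C; [] means OK."""
    problems = []
    addr = cfg.get("pkidaddress")
    if not addr:
        problems.append("PkidAddress is not set (line missing or commented out)")
    else:
        m = ADDR_RE.match(addr)
        if not m or not 1 <= int(m.group("port")) <= 65535:
            problems.append(f"PkidAddress is not host:port: {addr!r}")
    problems += _path_problems("PkidPublicKey", cfg.get("pkidpublickey"), exists)
    return problems


# Constructed samples mirroring the fragments in this note.
SERVER_CONFIG = """\
HostCertificateFile=/etc/ssh2/myHost.ssh2.crt
HostKeyFile=/etc/ssh2/myHost.ssh2
"""
CLIENT_CONFIG_COMMENTED = """\
### Add PkidAddress and pkiPublickey for testing
##
#PkidAddress=10.10.1.216:18081
#PkidPublicKey=/opt/attachmate/pkid/config/pki_key.pub
##
"""
CLIENT_CONFIG_ACTIVE = CLIENT_CONFIG_COMMENTED.replace("#Pkid", "Pkid")
# Files assumed present for the sample run (constructed, not read from disk).
PRESENT = {"/etc/ssh2/myHost.ssh2.crt", "/etc/ssh2/myHost.ssh2",
           "/opt/attachmate/pkid/config/pki_key.pub"}

if __name__ == "__main__":
    for title, text, audit in (
        ("server", SERVER_CONFIG, audit_server),
        ("client (commented)", CLIENT_CONFIG_COMMENTED, audit_client),
        ("client (active)", CLIENT_CONFIG_ACTIVE, audit_client),
    ):
        report = audit(parse_ssh2_config(text), PRESENT.__contains__)
        print(f"{title}: " + ("; ".join(report) or "OK"))
```

On a real host, read /etc/ssh2/sshd2_config (server) or ssh2_config (client) into `parse_ssh2_config` and call the matching audit with the default `exists`; the whitespace check exists because a path pasted as `/etc/ssh2/ myHost.ssh2.crt` silently points at a file that does not exist.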

Configuring Reflection for Secure IT Windows Client 7.0 or Higher

For detailed instructions on how to configure Windows clients to validate server certificates, see the “Configuring Reflection for Secure IT Windows Clients 7.0 or Higher” section in KB 7022019.

Additional Information

Legacy KB ID

This article was originally published as Attachmate Technical Note 2450.