Using PKI Services Manager with Reflection X Advantage

Reflection PKI Services Manager is a service that provides X.509 certificate validation services. If you configure Secure Shell connections to X client hosts that authenticate using certificates, you need to download and install this application. It is available at no additional charge from the Reflection X Desktop and Reflection Pro Desktop download pages.

  • Reflection PKI Services Manager is required for Secure Shell connections that use certificates for host authentication. (It is not required for user authentication with certificates.)

  • Reflection PKI Services Manager is required if you configure connections using the Management and Security Server Administrative WebStation that use the Security Proxy. For these connections PKI Services Manager validates the Security Proxy's certificate.

  • Reflection PKI Services Manager is supported on both Windows and UNIX platforms.

  • Reflection PKI Services Manager supports central management of PKI settings. You can install and configure a single instance of PKI Services Manager to provide certificate validation services for all supported Micro Focus products. (Because Reflection X Advantage settings allow only one entry for the PKI Services Manager address and port, this configuration creates a potential single point of failure. If PKI Services Manager is unreachable or the server is not running, all authentication attempts using certificates will fail. In order to provide load balancing and failover, you can define a round-robin DNS entry for the PKI Services Manager host name or place the PKI Services Manager host behind a load balancing server.)

  • You can run Reflection PKI Services Manager on the same host as a Reflection X Advantage domain controller or on a different host.

This user guide provides basic information about installing PKI Services Manager and configuring Reflection X Advantage to use it for certificate validation services. For additional information, refer to the PKI Services Manager documentation at

How it Works

  1. The X client host presents a certificate to Reflection X Advantage for host authentication.

  2. Reflection X Advantage connects to Reflection PKI Services Manager and verifies its identity using an installed public key.

  3. Reflection X Advantage sends the certificate and host name to PKI Services Manager.

  4. PKI Services Manager determines if the certificate is valid and uses mapping rules to determine whether the host is allowed to authenticate with this certificate.

  5. If the certificate is valid and the host presenting it is an allowed identity for this certificate, Reflection X Advantage validates the host's digital signature. If the digital signature is verified, host authentication is successful.