10.2 PKI Auto Sign-on

You can configure VT and UTS terminal sessions to use the PKI Auto Sign-on Add-On Client product, which allows the use of a Common Access Card (CAC) or other smart card for authentication.

To use PKI Auto Sign-on, the PKI Auto Sign-on host module must be installed on your host server. This module can be used to verify that a client is in control of a CAC or other smart card, and to extract the Distinguished Name (DN) from the certificate used for authentication. The DN, or some substring contained in the DN, can then be used to provide service to the authorized user. PKI Auto Sign-on is designed to provide a validated identity even via a shared host login, that is, the identity comes from the smart card itself, not from the host user ID.

When a session is configured to use PKI Auto Sign-on:

  • System administrators can set up sessions to use a shared log-on that provides the host application with a strongly validated identity directly from a CAC.

  • Host programmers can get the strongly validated DN of a user in control of a CAC. The programmers can then extract information from the DN and use it as an identifier to authorize access (for example, to the CAC-bearer's health records).

Prerequisites

  • The PKI Auto Sign-on host module must be installed on the host server.

To create an SSH-enabled VT session that uses PKI Auto Sign-on

  1. Create a new VT session document.

  2. Click Configure additional settings and then click OK.

  3. In the Settings dialog box, under Host Connection, select Set up Connection Security.

  4. On the Reflection Secure Shell Settings dialog box General tab, under User authentication, deselect Public Key.

  5. On the PKI tab, click Reflection Certificate Manager.

  6. On the PKCS #11 tab, click Add.

  7. In the PKCS #11 Provider dialog box, browse to the Provider DLL required to access your CAC.

  8. In the .ssh/config file for this session document, add the PKIC prompt string that is configured on the server. The following example shows an entry for the prompt “Starting PKI Validation...”:

    PKICPrompt "Starting PKI Validation..."

    When you are done, the file should look like this:

    Host myHostName
    RSAAuthentication no
    PubkeyAuthentication no
    connectionReuse no
    PKICPrompt "Starting PKI Validation..."
    #EndHost
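A small check, added here as an example and not part of the product's own tooling, that reads a session's .ssh/config block in the Host ... #EndHost form shown in step 8 and confirms the settings the procedure calls for: Public Key authentication off (step 4) and a PKICPrompt that matches the server's prompt string (step 8). The host name and prompt text are the sample values from the procedure; the one-keyword-per-line block layout is assumed from the file shown above.

```python
"""Verify that a Reflection-style .ssh/config block carries the PKI Auto
Sign-on settings: PubkeyAuthentication no and a matching PKICPrompt."""
import shlex

# Constructed sample: the session file as it should look after step 8.
SAMPLE_CONFIG = """\
Host myHostName
RSAAuthentication no
PubkeyAuthentication no
connectionReuse no
PKICPrompt "Starting PKI Validation..."
#EndHost
"""


def parse_config(text):
    """Return {host: {keyword_lower: value}} for each Host ... #EndHost block."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() == "#endhost":      # block terminator used by the file
            current = None
            continue
        if line.startswith("#"):            # ordinary comment line
            continue
        parts = shlex.split(line)           # keeps the quoted prompt intact
        if len(parts) < 2:
            continue
        keyword, value = parts[0].lower(), " ".join(parts[1:])
        if keyword == "host":
            current = value
            hosts[current] = {}
        elif current is not None:
            hosts[current][keyword] = value
    return hosts


def check_pki_autosignon(settings, expected_prompt):
    """Return a list of problems; an empty list means the block is correct."""
    problems = []
    # OpenSSH-style default is yes, so a missing keyword is also a problem.
    if settings.get("pubkeyauthentication", "yes").lower() != "no":
        problems.append("PubkeyAuthentication must be 'no' (step 4)")
    prompt = settings.get("pkicprompt")
    if prompt is None:
        problems.append("PKICPrompt is missing (step 8)")
    elif prompt != expected_prompt:
        problems.append("PKICPrompt does not match the server's prompt string")
    return problems
```

Run `check_pki_autosignon(parse_config(open(path).read())["myHostName"], "Starting PKI Validation...")` against a session file; an empty list means both settings are in place.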

NOTE: To “lock down” these settings, see “Lock Down” InfoConnect To Restrict Access to Controls.