5.6 Credential Store (Reflection for the Web)

The credential store is a database of usernames and passwords that have been used to log on to a host. Reflection for the Web uses these credentials in conjunction with login macros to automatically log on to host sessions. The Credential Store requires Windows on the client machine.

5.6.1 Enable credential store

Check Enable credential store to save new credentials or read existing ones.

5.6.2 Select form of identity

By default, users are represented in the credential store depending on how they authenticate, such as with a Windows domain and username.

Check Use LDAP distinguished name to represent users by their LDAP Distinguished Name. This option requires LDAP authorization to be enabled in Configure Authentication.

5.6.3 Regenerate encryption key

When you enable the credential store, you should back up the key used to encrypt usernames and passwords in the credential store.

To back up the key, copy [MSSData]/PropertyDS.xml to a secure location. Make a new backup of PropertyDS.xml whenever you change settings in the Administrative Console so that these settings will not be overwritten when you restore the file. Note: You need administrator privileges to open or edit PropertyDS.xml.

When you click REGENERAT KEY:

A new key is generated to either replace an existing key or to add a key when the credential store is empty. When replacing an existing key, the data is decrypted using the old key and re-encrypted using the new key. Subsequent encryption uses the new key.

NOTE:Re-encrypting the credential store with a new key could take quite a bit of time. During the re-encryption, nothing can be written to or read from the credential store.

You cannot regenerate a key if the existing key is corrupted or maliciously altered. You must first recover the old key from a backup or delete all credentials before generating a new key.

Recovering an encryption key

To recover the old encryption key from the backup, edit PropertyDS.xml (requires administrator privileges):

  1. Open the current PropertyDS.xml file and the backup copy in an editor.

  2. Copy the values for the following properties from the backup to the current version of PropertyDS.xml:

    • CS.EncKey
    • CS.EncAlgorithm
    • CS.EncKeyLength
    • CS.EncIV
  3. Save PropertyDS.xml.

  4. Restart the Management and Security Server.

5.6.4 Delete selected credentials

When the credential store is enabled, new credentials are added when users run sessions configured with single sign-on macros. As time goes by, you may wish to remove older credentials. Use this option to delete stored user credentials based on the last-used date.

Note: Once credentials are deleted, they cannot be recovered.

To delete credentials:

  1. Select one or more USERS.

  2. Sort by CREDENTIAL LAST USED.

  3. Check the credentials you want to delete, and click DELETE.