Skip to content

Configure Reflection for PKI Auto Sign-on

You can configure a Reflection Desktop session to use the PKI Auto Sign-on Add-On Client product, which allows the use of a Common Access Card (CAC) or other smart card for authentication.

To use PKI Auto Sign-on, the PKI Auto Sign-on host module must be installed on your host server. This module can be used to verify that a client is in control of a CAC or other smart card, and to extract the Distinguished Name (DN) from the certificate used for authentication. The DN, or some substring contained in the DN, can then be used to provide service to the authorized user. PKI Auto Sign-on is designed to provide a validated identity even via a shared host login, that is, the identity comes from the smart card itself, not from the host user ID.

When a session is configured to use PKI Auto Sign-on:

  • System administrators can set up an OpenVMS or UNIX session to use a shared log-on that provides the host application with a strongly validated identity directly from a CAC.

  • Host programmers can get the strongly validated DN of a user in control of a CAC. The programmers can then extract information from the DN and use it as an identifier to authorize access (for example, to the CAC-bearer's health records).


  • The Reflection PKI Auto Sign-on host module must be installed on the host server.

  • You can use PKI Auto Sign-on with Reflection Desktop or Reflection 2014 R1 SP1 VT terminals using the SSH protocol. All of the client-side functionality required for PKI Auto Sign-on is included only in these product versions.

To create an SSH-enabled Reflection session that uses PKI Auto Sign-on

  1. Create a new VT session document.

  2. Click Configure additional settings and then click OK.

  3. In the Settings dialog box, under Host Connection, select Set up Connection Security.

  4. On the Reflection Secure Shell Settings dialog box General tab, under User authentication, deselect Public Key.

  5. On the PKI tab, click Reflection Certificate Manager.

  6. On the Reflection Certificate Manager dialog box PKCS #11 tab, click Add.

  7. In the PKCS #11 Provider dialog box, browse to the Provider DLL required to access your CAC.

  8. In the .ssh/config file for this session document, add the appropriate PKIC prompt string configured on the server. The following example shows an entry for a prompt "Starting PKI Validation..."

    PKICPrompt "Starting PKI Validation..."

    When you are done, the file should look like this:

    Host myHostName

    RSAAuthentication no

    PubkeyAuthentication no

    connectionReuse no

    PKICPrompt "Starting PKI Validation..."


  9. To lock down settings, see Control Access to Lock Down Settings and Controls.