To configure client host authentication using certificates, you need to install and configure Reflection PKI Services Manager. Use the following procedure to get started. Many variations are possible. For more information about each of the steps below, see the Reflection PKI Services Manager User Guide, which is available from the PKI Services Manager console, and from http://support.attachmate.com/manuals/pki.html.
Before you begin
Determine which trusted CA certificate and intermediate certificates are needed to validate the certificate that will be presented by the host you are connecting to. PKI Services Manager can use certificate files that you copy to your system, or trusted root certificates installed to the Windows certificate store for use by the local computer.
Determine how certificate revocation checking should be handled for the host certificate. You can configure PKI Services Manager to use CRL lists, OCSP responders, or to contact a CRL distribution point specified within the certificate.
To configure PKI Services Manager
Log in as an administrator on the computer running PKI Services Manager.
Start the PKI Services Manager console:
Programs > Attachmate Reflection > Utilities > PKI Services Manager
Put a copy of the certificate (or certificates) you want to designate as a trust anchor into your certificate store. For example:
C:\ProgramData\Attachmate\ReflectionPKI\local-store
(This step is not required if you are using certificates in the Windows store or you have a copy of the trust anchor available somewhere else on your system.)
From the Trusted Chain pane, add your trust anchor (or anchors) to the list of trust anchors.
|
To use this store |
Do this |
|---|---|
|
Your local certificate store or a certificate file on your system |
Click Add. Select either Local store certificate or Certificate file,click Browse and select the certificate for your trust anchor. |
|
The Windows certificate store |
Under Search order to use when building path to trust anchor, select "Windows certificate store." Click Add. From the Add Trust Anchor dialog box, select Windows certificate then click Browse to select an available certificate. NOTE:PKI Services Manager uses only those certificates that are installed for use by the local computer (not certificates installed for the current user) and are in either the trusted root certification authorities list or the trusted intermediate authorities list. To view and manage the local computer certificates, use the Microsoft Management Console. Add the Certificates Snap-in and configure it to manage certificates for the computer account. |
From the Revocation pane, configure certificate revocation checking.
NOTE:By default PKI Services Manager looks for CRLs in the local store. If you use this configuration, you need to copy the CRLs to your local store.
From the Identity Mapper pane, click Add to determine which client hosts can authenticate with a valid certificate.
For example, to allow client hosts to connect if the host name is specified in the Common Name value of the certificate's Subject field:
Set Select type of certificate that is to be mapped to Host Certificate
Click the drop-down arrow for Choose certificate identity to insert and select Subject Common Name.
Refer to the PKI Services Manager documentation for additional information about mapping rules.
Click File > Save.
Start the PKI Services Manager service if it isn't already running. If the service is already running, reload your settings (Server >Reload).