Configuring PKI in a UNIX Environment - An Example

  • 7021876
  • 01-Sep-2011
  • 01-Apr-2018

Environment

Reflection PKI Services Manager
Reflection for Secure IT UNIX Server version 7.1 or higher

Situation

The example in this technical note provides basic steps to configure PKI in a UNIX environment. Use this information as a starting place to understand how to configure PKI for your environment.

Resolution


Configuring PKI is a multi-step process:

A. Configure PKI Services Manager

The following steps use PKI Services Manager on UNIX with a local store that holds the RootCA (trust anchor) certificate and an Intermediate certificate, and configure certificate revocation list (CRL) checking against that local store.

  1. Log in as root on the server where Reflection PKI Services Manager will be installed.
  2. Install Reflection PKI Services Manager. See the Installing PKI Services Manager topic in the PKI Services Manager User Guide for installation details: https://support.microfocus.com/manuals/pki.html.
  3. Collect and store copies of the RootCA certificate, the IntermediateCA certificate and the CRLs.
    1. The default PKI Services Manager store is in the following location:
       /opt/attachmate/pkid/local-store
    2. Place a copy of the certificate you want to designate as a trust anchor into your local store. If Intermediate Certificates are required by the chain of trust in your certificates, include copies of the Intermediate Certificates under the local store.
    3. By default PKI Services Manager looks for CRLs in the local store. Copy the CRLs to your local store.
  4. Edit the PKI Services Manager map file, which maps a certificate to a user or to a server. The default name and location is:
     /opt/attachmate/pkid/config/pki_mapfile
  5. Map user certificates or server certificates:

Add one or more rules to determine how the contents of a certificate determine which identities can authenticate with a valid certificate, and save your changes to the map file.

For example:

RuleType= user
{ user1 test1 local1 } Subject.CN Contains "user1 one"

RuleType= host
{ 10.10.7.244 rh53.attachmate.com } Subject.CN Equals "rh53.attachmate.com"
{ 10.10.3.247 sol10.attachmate.com } Subject.CN Equals "sol10.attachmate.com"

For more details on rules, see the Sample Mapping Rules topic under Reference in the Reflection PKI Services Manager User Guide: https://support.microfocus.com/manuals/pki.html.

  6. Reload the pki_mapfile:
     /usr/local/sbin/pkid reload
  7. Edit the PKI Services Manager configuration file. Open it in a text editor. The default name and location is:
     /opt/attachmate/pkid/config/pki_config
  8. Use the TrustAnchor keyword to identify your trust anchor, by file name or by distinguished name:
     TrustAnchor = trustedca.crt

     -or-

     TrustAnchor = CN=SecureCA,O=Acme,C=US
  9. Configure certificate revocation checking using the local store. For example:
     RevocationCheckOrder = local
  10. Configure access to Intermediate Certificates:
     CertSearchOrder = local

Example: If a site requires multiple trust anchors, define one TrustAnchor stanza per trust anchor; each stanza carries its own revocation checking and map file settings:

# ------------------------------------------------------------
# Sample of a TrustAnchor stanza
# -------------------------------------------------------------
TrustAnchor = trustedca.crt
RevocationCheckOrder = local
MapFile = pki_map
# ------------------------------------------------------------
# Sample of a second TrustAnchor stanza
# -------------------------------------------------------------
TrustAnchor = trustedca2.crt
RevocationCheckOrder = ocsp
OCSPResponders = http://ocsp.myhost.com:1080
OCSPCertificate = /opt/attachmate/pkid/local-store/ocsp.cer
MapFile = pki_map
  11. Save your changes and restart PKI Services Manager:
     /etc/init.d/pkid restart

or:

/etc/init.d/pkid stop
/etc/init.d/pkid start
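The map file in step 5 decides which identities a validated certificate may authenticate as, so it is worth checking rules before reloading. The following added example (not part of the technical note or the product) parses rules written in the syntax shown above and reports the identities a given Subject CN would map to; it assumes `Equals` is an exact, case-sensitive match and `Contains` a case-sensitive substring match, and handles only the `Subject.CN` attribute.

```python
import re

# Constructed map file using the rule syntax shown in the technical note.
SAMPLE_MAPFILE = """\
RuleType= user
{ user1 test1 local1 } Subject.CN Contains "user1 one"

RuleType= host
{ 10.10.7.244 rh53.attachmate.com } Subject.CN Equals "rh53.attachmate.com"
{ 10.10.3.247 sol10.attachmate.com } Subject.CN Equals "sol10.attachmate.com"
"""

# { identity ... } Subject.CN <Equals|Contains> "value"
RULE_RE = re.compile(
    r'^\{\s*(?P<ids>[^}]*)\}\s*(?P<attr>Subject\.CN)\s+'
    r'(?P<op>Equals|Contains)\s+"(?P<val>[^"]*)"\s*$'
)


def parse_mapfile(text):
    """Return (rule_type, identities, attribute, operator, value) tuples.

    A RuleType line sets the type for the rules that follow it; blank lines
    and '#' comments are skipped; anything else must be a well-formed rule.
    """
    rules = []
    rule_type = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("ruletype"):
            rule_type = line.split("=", 1)[1].strip().lower()
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed map rule: {line!r}")
        rules.append((rule_type, tuple(m["ids"].split()), m["attr"], m["op"], m["val"]))
    return rules


def allowed_identities(rules, rule_type, subject_cn):
    """Identities a certificate with this Subject CN may authenticate as."""
    allowed = []
    for rtype, ids, _attr, op, val in rules:
        if rtype != rule_type:
            continue
        hit = subject_cn == val if op == "Equals" else val in subject_cn
        if hit:
            allowed.extend(i for i in ids if i not in allowed)
    return allowed
```

Running `allowed_identities` over a few candidate CNs shows why `Equals` is the safer operator for host rules: `Contains "user1 one"` also matches any longer CN that embeds that string.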

B. Configure Reflection for Secure IT UNIX Server to use PKI Services Manager validation services

The following steps use Reflection for Secure IT UNIX Server as an example.

Modify the PkidAddress and PkidPublicKey lines in the sshd2_config file. The method you follow depends on where PKI Services Manager is running:

  • If the Reflection for Secure IT server and PKI Services Manager are running on the same UNIX host:

Open the sshd2_config file in a text editor and uncomment the following two lines:

PkidAddress=localhost:18081
PkidPublicKey=/opt/attachmate/pkid/config/pki_key.pub
  • If the Reflection for Secure IT server and PKI Services Manager are running on different UNIX systems:
    1. Copy the pki_key.pub to the system that runs the Reflection for Secure IT server; we recommend the /etc/ssh2 directory.

Tip: Rename the public key to include a reference to the UNIX system that runs the PKI Services Manager, for example, the IP address (see sample below).

    2. Open the sshd2_config file in a text editor, then uncomment and modify the following two lines:
PkidAddress=10.10.7.244:18081
PkidPublicKey=/etc/ssh2/pki_key_10.10.7.244.pub

C. Configure clients to authenticate using certificates

For instructions about configuring the Reflection for Secure IT clients (either Windows or UNIX) to authenticate using certificates, see the appropriate product documentation:

For Reflection for Secure IT Windows Client, see https://support.microfocus.com/manuals/rsit_win_client.html.

For Reflection for Secure IT UNIX Client, see https://support.microfocus.com/manuals/rsit_unix.html.

Additional Information

Reflection PKI Services Manager Documentation:

Reflection for Secure IT Windows Server Documentation:

Reflection for Secure IT Windows Client Documentation:

Reflection for Secure IT UNIX Client and Server Documentation:

Reflection PKI Services Manager Supported Platforms: KB 7021871

Legacy KB ID

This document was originally published as Attachmate Technical Note 2582.