Install and Configure PKI Services Manager

Reflection PKI Services Manager is a service that provides certificate validation services. If your client users will authenticate using X.509 certificates, you need to install and configure this service. It is available at no additional charge from the Reflection for Secure IT download page.

You can install PKI Services Manager on Windows or UNIX. The following procedure provides an overview of configuration steps on Windows. For more detailed information about using PKI Services Manager, including procedures on UNIX, see the PKI Services Manager User Guide, which is available from http://support.attachmate.com/manuals/pki.html and from the PKI Services Manager console's Help menu.

To install and configure PKI Services Manager

  1. Download and install PKI Services Manager.

    PKI Services Manager can run on both Windows and UNIX systems. You can install it on the same system as Reflection for Secure IT or on another system in your network.

  2. Create a certificate store (or locate an existing store on your system) that contains the CA certificates that are required to validate your user certificates. You can create a private certificate store or use the Windows certificate store. See "Certificate Storage" in the PKI Services Manager User Guide for details.

  3. Start the PKI Services Manager console.

  4. From the Trusted Chain pane, specify one or more certificates to act as trust anchors; and specify where PKI Services Manager should search for intermediate certificates when building a path to your trust anchors.

  5. From the Revocation pane, configure how PKI Services Manager should handle certificate revocation checking.

  6. From the Identity Mapper pane, configure one or more certificate identity mapping rules. After PKI Services Manager has validated a user certificate, it will use the mapping rules you configure to determine if the client user can authenticate with this certificate.

    NOTE: After a certificate is determined to be valid, rules are processed in order (based on rule type, then sequence). If the certificate meets the requirements defined in the conditional expression (or if the rule has no condition), the allowed identities specified in that rule are allowed to authenticate. No additional rules are applied after the first match.

  7. Save all settings changes (File > Save) and restart the PKI Services Manager server (Server > Stop, Server > Start).

  8. Use the test utility (Utility > Test Certificate) to test your configuration by testing user certificates.

    NOTE: The certificate validation test applies only to end-entity certificates, not CA certificates. Valid CA-signed root and intermediate certificates will not pass the validation test.

Mapping rules for authenticating to the Reflection for Secure IT server

To determine if a client user can authenticate with a certificate, PKI Services Manager compares the user name sent by the Reflection for Secure IT server to the allowed values configured in the identity map. For domain users, the Reflection for Secure IT server sends the user name as entered by the client user and also one or more equivalent formats.

To create mapping rules for domain users, you can use any of the following:

  • The name as entered by the client user.

  • Any of the following equivalent domain formats that apply to your domain and user certificates:

    • domain\user (for example, acme\joe)
    • user@domain (for example, joe@acme)
    • full.domain\user (for example, acme.com\joe)
    • user@full.domain (for example, joe@acme.com)

In some environments, a user can log in using an alternative account identifier. For example, the user joe who is a member of the acme.com domain can log in as ID123@altdomain. In this case, the server will look up the domain account using this identifier and will send the four formats above in addition to ID123@altdomain.

To map local users:

  • Specify the user name only (for example, joe). Local users with a system name added (for example, computername\joe) are not accepted as allowed identities.

The following table shows samples of how mapping rules are handled for validation requests coming from the Reflection for Secure IT server. Additional sample mapping rules are provided in the PKI Services Manager User Guide.

Client login     Domain                      Rule                        What happens
---------------  --------------------------  --------------------------  -------------------------------------------------------------------------
joe              acme.com                    { %UPN.user% }              Allowed if the user name part of the UPN field in the certificate is "joe".
joe              local user                  { %UPN.user% }              Allowed if the user name part of the UPN field in the certificate is "joe".
acme\joe         acme.com                    { %UPN.user% }              Not allowed for any certificate.
acme\joe         acme.com                    { %UPN.user%@acme.com }     Allowed if the user name part of the UPN field in the certificate is "joe".
joe              local user                  { %UPN.user%@acme.com }     Not allowed for any certificate.
mycomputer\joe   local user on 'mycomputer'  { mycomputer\%UPN.user% }   Not allowed for any certificate.
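The following Python script is an added illustration, not code from PKI Services Manager or Reflection for Secure IT. It models the comparison described in this section (the server sends the login name as entered plus its equivalent domain formats; the %UPN.user% token in a rule is filled from the certificate's UPN; the result is allowed only if the expanded rule matches one of the names sent) and replays the six sample rows of the table above. The sample logins, domains and the UPN joe@acme.com are constructed values. It assumes the UPN has the form user@domain, that the short domain name is the first label of the full domain, that matching is an exact string comparison, and that an allowed identity of the form system\user is rejected when system is not a known domain, which is how the statement that local users with a system name are not accepted is represented here. Conditional expressions and rule ordering are not modelled.

```python
"""Added simulation of PKI Services Manager identity-map matching.

Not the product's own code. It follows the description in the text:
the server sends the name as entered plus equivalent domain formats,
and a rule's %UPN.user% token is filled from the certificate's UPN.
"""
import re
from typing import List, Optional

# Domains this simulated server belongs to (constructed sample values).
KNOWN_DOMAINS = {"acme", "acme.com"}

VARIABLE = re.compile(r"%([A-Za-z.]+)%")


def bare_user(login: str) -> str:
    """Strip a domain\\ prefix or @domain suffix from a login name."""
    if "\\" in login:
        return login.split("\\", 1)[1]
    if "@" in login:
        return login.split("@", 1)[0]
    return login


def server_identities(login: str, domain: Optional[str] = None,
                      account_user: Optional[str] = None) -> List[str]:
    """User names the server sends to PKI Services Manager for one login.

    domain is the account's full DNS domain for domain users, or None
    for local users (who get only the name as entered). account_user
    is the account name the server resolved when the client logged in
    with an alternative identifier (the ID123@altdomain case).
    """
    if domain is None:
        return [login]
    if account_user is None:
        account_user = bare_user(login)
    short = domain.split(".", 1)[0]  # assumption: first label is the short domain name
    equivalents = [
        f"{short}\\{account_user}",
        f"{account_user}@{short}",
        f"{domain}\\{account_user}",
        f"{account_user}@{domain}",
    ]
    return [login] + [e for e in equivalents if e != login]


def expand_rule(rule: str, upn: str) -> str:
    """Turn a rule such as '{ %UPN.user%@acme.com }' into an allowed identity."""
    body = rule.strip()
    if body.startswith("{") and body.endswith("}"):
        body = body[1:-1].strip()
    upn_user, _, _upn_domain = upn.partition("@")  # assumption: UPN is user@domain
    values = {"UPN.user": upn_user}

    def substitute(match: re.Match) -> str:
        name = match.group(1)
        if name not in values:
            raise ValueError(f"variable %{name}% is not modelled in this simulation")
        return values[name]

    return VARIABLE.sub(substitute, body)


def is_allowed(identities: List[str], rule: str, upn: str) -> bool:
    """True if the rule's allowed identity matches a name the server sent."""
    allowed = expand_rule(rule, upn)
    # Local users with a system name prefix are not accepted as allowed
    # identities; represented here as a prefix that is not a known domain.
    if "\\" in allowed and allowed.split("\\", 1)[0] not in KNOWN_DOMAINS:
        return False
    return allowed in identities


# The six sample rows from the table (login, domain or None for local, rule).
SAMPLE_ROWS = [
    ("joe", "acme.com", "{ %UPN.user% }"),
    ("joe", None, "{ %UPN.user% }"),
    ("acme\\joe", "acme.com", "{ %UPN.user% }"),
    ("acme\\joe", "acme.com", "{ %UPN.user%@acme.com }"),
    ("joe", None, "{ %UPN.user%@acme.com }"),
    ("mycomputer\\joe", None, "{ mycomputer\\%UPN.user% }"),
]


def evaluate_samples(upn: str = "joe@acme.com") -> List[bool]:
    """Replay the table for a certificate whose UPN is `upn`."""
    return [is_allowed(server_identities(login, domain), rule, upn)
            for login, domain, rule in SAMPLE_ROWS]


if __name__ == "__main__":
    for (login, domain, rule), ok in zip(SAMPLE_ROWS, evaluate_samples()):
        status = "allowed" if ok else "not allowed"
        print(f"{login:16} {domain or 'local user':12} {rule:28} {status}")
```

Running the script prints one line per table row; the third row shows why a login entered as acme\joe does not match a rule that expands to the bare name joe, while the fourth row shows that adding @acme.com to the rule matches one of the equivalent formats the server sends. Changing the UPN to one whose user part is not joe makes every row fail, which is what "allowed if the user name part of the UPN field in the certificate is 'joe'" means in practice.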