Glossary of Terms

The process of reliably determining the identity of a communicating party. Identity can be proven by something you know (such as a password), something you have (such as a private key or token), or something intrinsic about you (such as a fingerprint).

A server, in a trusted organization, which issues digital certificates. The CA manages the issuance of new certificates and revokes certificates that are no longer valid for authentication. A CA may also delegate certificate issuance authority to one or more intermediate CAs creating a chain of trust. The highest level CA certificate is referred to as the trusted root.

A cipher is an encryption algorithm. The cipher you select determines which mathematical algorithm is used to obscure the data being sent after a successful Secure Shell connection has been established.

The default configuration file location is: C:\ProgramData\Micro Focus\RSecureServer\rsshd_config.xml

A digitally signed list of certificates that have been revoked by the Certification Authority. Certificates identified in a CRL are no longer valid.

The default data folder location is: C:\ProgramData\Micro Focus\RSecureServer

The assurance that data has not been changed from its original source. Methods to preserve data integrity are designed to ensure that data has not been accidentally or maliciously modified, altered or destroyed.

An integral part of a PKI (Public Key Infrastructure). Digital certificates (also called X.509 certificates) are issued by a certificate authority (CA), which ensures the validity of the information in the certificate. Each certificate contains identifying information about the certificate owner, a copy of the certificate owner's public key (used for encrypting and decrypting messages and digital signatures), and a digital signature (generated by the CA based on the certificate contents). The digital signature is used by a recipient to verify that the certificate has not been tampered with and can be trusted.

Used to confirm the authenticity and integrity of a transmitted message. Typically, the sender holds the private key of a public/private key pair and the recipient holds the public key. To create the signature, the sender computes a hash from the message, and then encrypts this value with its private key. The recipient decrypts the signature using the sender's public key, and independently computes the hash of the received message. If the decrypted and calculated values match, the recipient trusts that the sender holds the private key, and that the message has not been altered in transit.

Encryption is the process of scrambling data by use of a secret code or cipher so that it is unreadable except by authorized users. Encrypted data is far more secure than unencrypted data.

An application programming interface that provides programs with access to security services.

Also called a message digest, a hash or hash value is a fixed-length number generated from variable-length digital data. The hash is substantially smaller than the original data, and is generated by a formula in such a way that it is statistically unlikely that some other data will produce the same hash value.

A protocol that uses a trusted third party to enable secure communications over a TCP/IP network. The protocol uses encrypted tickets rather than plain-text passwords for secure network authentication.

Used to verify that data is not changed in transit, a MAC is a hash created using an arbitrary-length packet of data and a shared secret key. The sending and receiving party compute the MAC independently for each packet of transferred data using the shared key and an agreed-upon algorithm. If the message has changed in transit, the hash values are different and the packet is rejected.

C:\ProgramData\Micro Focus\RSecureServer\Logs\migration.log

A passphrase is similar to a password, except it can be a phrase with a series of words, punctuation, numbers, white space, or any string of characters. Passphrases improve security by limiting access to secure objects, such as private keys and/or a key agent.

PKCS (Public Key Cryptography Standards) is a set of standards devised and published by RSA laboratories that enable compatibility among public key cryptography implementations. Different PKCS standards identify specifications for particular cryptographic uses. The following standards are supported in Reflection for Secure IT Server for Windows:

PKCS#10 is used for certificate requests to a Certificate Authority (CA). You can use the ssh-certtool utility to create PKCS#10 files.

PKCS#12 is used for storage and transportation of certificates and associated private keys. Files in this format typically use a *.pfx or *.p12 extension. Reflection for Secure IT supports authentication using certificates and keys stored in this format.

\ProgramData\Attachmate\ReflectionPKI\config\pkiconfig

\ProgramData\Attachmate\ReflectionPKI\

\ProgramData\Attachmate\ReflectionPKI\

A way to redirect unsecured traffic through a secure SSH tunnel. Two types of port forwarding are available: local and remote. Local (also called outgoing) port forwarding sends outgoing data sent from a specified local port through the secure channel to a specified remote port. You can configure a client application to exchange data securely with a server by configuring the client to connect to the redirected port instead of directly to the computer running the associated server. Remote (also called incoming) port forwarding sends incoming data from a specified remote port through the secure channel to a specified local port.

Public keys and private keys are pairs of cryptographic keys that are used to encrypt or decrypt data. Data encrypted with the public key can only be decrypted with the private key; and data encrypted with the private key can only be decrypted with the public key.

Often abbreviated as regex, a regular expression is a string of characters that describes one or more matching strings. Within a regular expression, some characters have a predefined meaning that determines what qualifies as a match. For example, the regular expression "t.*t" matches any word that starts and ends in the letter t, while the regular expression "text" matches only itself.

An early implementation of the SCP protocol used by OpenSSH. This protocol does not use the SFTP subsystem; it executes an rcp command through the secure channel.

A file transfer implementation that uses the SFTP subsystem. SCP2 is useful for scripted file transfer.

A protocol for securely logging onto a remote computer and executing commands. It provides a secure alternative to Telnet, FTP, rlogin, or rsh. Secure Shell connections require both server and user authentication, and all communications pass between hosts over an encrypted communication channel. You can also use Secure Shell connections to forward X11 sessions or specified TCP/IP ports through the secure tunnel.

An interactive file transfer client that uses the sftp subsystem. SFTP transfer commands can also be used in batch files for automated transfers.

A certificate that can be used as the final trust point in a certificate chain of trust. Note: PKI Services Manager validates certificates using only those trust anchors that have been explicitly configured for use by PKI Services Manager. You can configure a trust anchor using a root CA certificate, an intermediate CA certificate, or a self-signed certificate (one which can only validate itself).

A high-precision time standard. When describing time zones, UTC refers to the time kept on the Greenwich meridian (longitude zero), also known as Greenwich Mean Time. UTC times are generally given in terms of a 24-hour clock.

The home folder is configurable by the Windows system administrator. When no home folder is configured (the default), the home folder is the same as the User profile. The default User profile is: \Users\username.

The user profile folder is configurable by the Windows system administrator. The default is: \Users\username