5.7 Configure Server Certificate Authentication

Before you begin, review the requirements described in the Server Certificate Authentication Overview topic.

To configure server authentication using certificates, you need to install and configure Reflection PKI Services Manager and configure your server and client. Use the following procedures to get started. Many additional variations are possible. For more information, see the Reflection PKI Services Manager User Guide, which is available from http://support.attachmate.com/manuals/pki.html.

You can install and configure a single instance of PKI Services Manager to support certificate authentication requests from multiple Reflection for Secure IT clients and/or servers. However, because Reflection for Secure IT settings allow only one entry for the PKI Services Manager address and port, this configuration creates a potential single point of failure. If PKI Services Manager is unreachable or the server is not running, all authentication attempts using certificates will fail. To provide load balancing and failover, you can define a round-robin DNS entry for the PKI Services Manager host name or place the PKI Services Manager host behind a load balancing server. You can also configure PKI Services Manager to run in a Microsoft cluster environment.

NOTE: Paths shown here are based on the default installation options.

To install and configure PKI Services Manager

  1. Log in as root on the Reflection PKI Services Manager server.

  2. Install Reflection PKI Services Manager.

  3. Put a copy of the certificate (or certificates) you want to designate as a trust anchor into your certificate store. The default PKI Services Manager store is in the following location in the installation folder:

    .../pkid/local-store

  4. Open the PKI Services Manager configuration file in a text editor:

    .../pkid/config/pki_config

  5. Use the TrustAnchor keyword to identify your trust anchor. For example:

    TrustAnchor = trustedca.crt

    -or-

    TrustAnchor = CN=SecureCA,O=Acme,C=US

    NOTE: To configure multiple trust anchors, add additional TrustAnchor lines.

  6. Configure certificate revocation checking. For example:

    To use CRLs stored on an LDAP server:

      RevocationCheckOrder = crlserver
      CRLServers = ldap://crlserver

    To use an OCSP responder:

      RevocationCheckOrder = ocsp
      OCSPResponders = http://ocspresponder

    NOTE: By default PKI Services Manager looks for CRLs in the local store. If you use this configuration, you need to copy the CRLs to your local store.

  7. If intermediate certificates are required by the chain of trust in your certificates, configure access to these certificates. For example:

    To use intermediate certificates you have added to your local store:

      CertSearchOrder = local

    To use certificates stored on an LDAP server:

      CertSearchOrder = certserver
      CertServers = ldap://ldapserver

  8. Save your changes to the configuration file.

  9. Open the PKI Services Manager map file in a text editor:

    .../pkid/config/pki_mapfile

  10. Create a host RuleType stanza and add one or more rules that define which hosts can authenticate with a valid certificate. For example:

    RuleType = host
      {myhost.com} Subject Contains "myhost"

    For more sample rules, see Sample PKI Services Manager Mapping Rules.

    NOTE: After a certificate is determined to be valid, rules are processed in order (based on rule type then sequence). If the certificate meets the requirements defined in the conditional expression (or if the rule has no condition), the allowed identities specified in that rule are allowed to authenticate. No additional rules are applied after the first match. This means that if you create a rule with no conditions, all allowed identities must be included in that rule.

  11. Test for valid PKI Services Manager configuration:

    /usr/local/sbin/pkid -k

    Expected output when the configuration is valid:

    No errors. Configuration is valid:

  12. Restart Reflection PKI Services Manager.

    /usr/local/sbin/pkid restart
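The first-match behaviour described in the mapping-rule note above, as an added illustration that is not PKI Services Manager code: a small evaluator for host rules of the `{allowed-identities} Subject Contains "text"` form shown in step 10. It assumes that a line with only a brace list is a rule with no condition and that `Contains` is a plain substring match; both are assumptions for illustration, and the map-file text is constructed.

```python
import re

# Assumed rule grammar for this illustration (not the product's full syntax):
# '{host1 host2} Subject Contains "text"' or a bare '{host1 host2}' with no condition.
RULE_RE = re.compile(r'^\{([^}]*)\}\s*(?:Subject\s+Contains\s+"([^"]*)")?\s*$')

def parse_host_rules(mapfile_text):
    """Return [(allowed_identities, substring_or_None), ...] from the 'RuleType = host' stanza."""
    rules, in_host = [], False
    for raw in mapfile_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"RuleType\s*=\s*(\w+)", line)
        if m:
            in_host = m.group(1).lower() == "host"
            continue
        if not in_host:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported rule: " + line)
        rules.append((m.group(1).split(), m.group(2)))
    return rules

def allowed_identities(rules, subject):
    """Apply rules in order; the first rule whose condition holds (or that has
    no condition) decides. Returns its identities, or [] when nothing matches."""
    for identities, needle in rules:
        if needle is None or needle in subject:
            return identities
    return []

# Constructed map-file text: the page's example rule followed by an unconditional one.
SAMPLE_MAPFILE = """
RuleType = host
  {myhost.com} Subject Contains "myhost"
  {fallback.example.com}
"""

# Same rules with the unconditional rule first: it now shadows every later rule,
# which is why such a rule must list all allowed identities itself.
SHADOWING_MAPFILE = """
RuleType = host
  {fallback.example.com}
  {myhost.com} Subject Contains "myhost"
"""
```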

To configure the Reflection for Secure IT server

  1. Install the server certificate and associated private key. For example:

    /etc/ssh2/server.key
    /etc/ssh2/server.crt

  2. Set permissions on the server key for user-only read-only access:

    chmod 400 server.key

  3. Open the server configuration file (/etc/ssh2/sshd2_config) in a text editor.

  4. Configure the following keywords:

    HostCertificateFile=/etc/ssh2/server.crt
    HostKeyFile=/etc/ssh2/server.key

  5. Restart the server.

To configure the Reflection for Secure IT client

  1. If PKI Services Manager is not installed on the same host as the Reflection for Secure IT client, copy the PKI Services Manager public key to the Reflection for Secure IT client. The key location on PKI Services Manager is in the config directory in the PKI Services Manager installation directory:

    .../pkid/config/pki_key.pub

    Copy this to any location on the Reflection for Secure IT client. For example:

    /etc/ssh2/pki_key.pub

  2. Open the client configuration file (/etc/ssh2/ssh2_config) in a text editor.

  3. Edit PkidPublicKey to specify the location in which you placed the PKI Services Manager public key. For example:

    PkidPublicKey=/etc/ssh2/pki_key.pub

  4. Edit PkidAddress to specify the PKI Services Manager host and port. For example:

    PkidAddress=pkiserver.acme.com:18081

    NOTE: If you specify a host and omit the port, the default PKI Services Manager port (18081) is used.

  5. Confirm that HostKeyAlgorithms is configured to prefer X.509 certificates over host keys. This is the default:

    x509v3-rsa2048-sha256,x509v3-sign-rsa,x509v3-sign-dss,ssh-rsa-sha2-256@attachmate.com,ssh-rsa,ssh-dss