Certificate Authentication for Users

Using certificates for client authentication solves some of the problems presented by public key authentication. With public key authentication, each client must upload a copy of the public key to every server. Certificate authentication avoids this problem by using a trusted third party, the certification authority (CA), to verify the validity of information coming from the client. With certificates, you can configure authentication using a single trust anchor instead of multiple unique client public keys.

NOTE: Reflection PKI Services Manager supports central management of PKI settings. You can install and configure a single instance of PKI Services Manager to provide certificate validation services for all supported Micro Focus and Attachmate products.

Requirements

Requirement: Reflection PKI Services Manager must be installed and correctly configured.
Function: PKI Services Manager validates the certificate and uses a map file to determine which users can authenticate with a valid certificate. You need to configure at least one trust anchor and one mapping rule for certificate validation to succeed. You may also need to configure access to intermediate certificates and to certificate revocation information.

Requirement: A certificate signed by a CA and the associated private key must be installed on the client.
Function: The client sends this certificate to the server to authenticate the user.

Requirement: The Reflection for Secure IT server must have a copy of the PKI Services Manager public key and be configured to connect to PKI Services Manager.
Function: The server communicates with PKI Services Manager to confirm the validity of the user certificate.

How it Works

  1. The Reflection for Secure IT client presents a certificate to the server for user authentication.

  2. The Reflection for Secure IT server connects to Reflection PKI Services Manager. (Set the server name and port for this connection using the Reflection for Secure IT server PkidAddress keyword.)

  3. Reflection for Secure IT verifies the identity of PKI Services Manager using an installed public key. (Set the key name and location using the Reflection for Secure IT server PkidPublicKey keyword.)

  4. Reflection for Secure IT sends the certificate and user name to PKI Services Manager.

  5. PKI Services Manager determines if the certificate is valid and determines if the user is allowed to authenticate with this certificate based on the rules the PKI Services Manager administrator has configured in the PKI Services Manager map file (/opt/attachmate/pkid/config/pki_mapfile by default). This information is returned to Reflection for Secure IT.

  6. If the certificate is valid and the user presenting it is an allowed identity for this certificate, the Reflection for Secure IT server validates the user's digital signature to prove the client possesses the private key associated with the public key contained in the user's certificate. If the digital signature is verified, the user authentication is successful.
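The six steps above, modelled as an added Python example that is not the product's code and not part of this page: the answer from PKI Services Manager and the client's signature are replaced by constructed stand-ins (a toy hash in place of a real asymmetric signature), so what the example shows is the server's decision order and its failure cases (unreachable validator, invalid certificate, user not mapped, signature not bound to this session).

```python
import hashlib, hmac
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class PkidResult:
    """Constructed stand-in for what PKI Services Manager returns in step 5."""
    valid: bool                                           # chains to a trust anchor, not revoked
    allowed_ids: list[str] = field(default_factory=list)  # identities the map file permits
def authenticate(username: str, cert: dict, session_data: bytes, signature: bytes,
                 ask_pkid: Callable[[dict, str], Optional[PkidResult]],
                 verify_sig: Callable[[bytes, bytes, bytes], bool]) -> tuple[bool, str]:
    # Steps 4 to 6: each branch denies; the signature is checked last, after cert and mapping pass.
    result = ask_pkid(cert, username)
    if result is None:
        return False, "PKI Services Manager unreachable: fail closed"
    if not result.valid:
        return False, "certificate not valid"
    if username not in result.allowed_ids:
        return False, "user is not an allowed identity for this certificate"
    if not verify_sig(cert["pubkey"], session_data, signature):
        return False, "signature does not prove possession of the private key"
    return True, "authenticated"

# Constructed stand-ins for the demo: not real PKI validation or asymmetric signatures.
CN_TO_USERS = {"alice-cert": ["alice"]}      # plays the role of the map file
REVOKED = {"bob-cert"}
DEMO_KEYS = {b"alice-pub": b"alice-secret"}  # toy keypair; the verifier looks the secret up

def demo_pkid(cert: dict, username: str) -> Optional[PkidResult]:
    if cert["cn"] in REVOKED:
        return PkidResult(valid=False)
    return PkidResult(valid=True, allowed_ids=CN_TO_USERS.get(cert["cn"], []))
def demo_sign(secret: bytes, data: bytes) -> bytes:
    return hashlib.sha256(secret + data).digest()
def demo_verify(pubkey: bytes, data: bytes, sig: bytes) -> bool:
    secret = DEMO_KEYS.get(pubkey)
    return secret is not None and hmac.compare_digest(demo_sign(secret, data), sig)
def run_demo() -> dict:
    session = b"session-id-123"              # what the client's signature must be bound to
    alice = {"cn": "alice-cert", "pubkey": b"alice-pub"}
    bob = {"cn": "bob-cert", "pubkey": b"alice-pub"}
    good = demo_sign(DEMO_KEYS[b"alice-pub"], session)
    args = (demo_pkid, demo_verify)
    return {"ok": authenticate("alice", alice, session, good, *args),
            "wrong_user": authenticate("root", alice, session, good, *args),
            "replayed": authenticate("alice", alice, b"other-session", good, *args),
            "revoked": authenticate("bob", bob, session, good, *args),
            "pkid_down": authenticate("alice", alice, session, good, lambda c, u: None, demo_verify)}
```

Every denial reason is distinct so that server-side logs can distinguish a validator outage from a mapping or key-possession failure.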