SSH Tectia

Defining User Authentication

Under User Authentication, you can configure settings related to public-key and certificate authentication. See Managing Keys and Certificates and Managing Key Providers.

To enable or disable public-key authentication, see Defining Default Settings and Defining Authentication.

Managing Keys and Certificates

On the Keys and Certificates page, you can add key and certificate files used in user authentication, generate a new key, upload a key to a server, or change the passphrase for a key.

Defining keys and certificates

Figure 4.24. Defining keys and certificates

Default keys

The default location of user keys.

Default certificates

The default location of user certificates.

Directories

Use the Add... button to add a directory of keys, Delete to remove.

Files

Select a key from the list and click Change passphrase... to change the passphrase.

Click Upload... to upload the key to a server. See Uploading the Public Key Automatically (Windows).

Click New key... to start the key generation wizard. See Key Generation Wizard.

Use the Add... button to add single keys and certificates, Delete to remove.

[Note]Note

The user-specific Application Data directory is hidden by default. To view hidden directories, change the setting in Windows Explorer. For example, on Windows XP, select Tools → Folder Options on the menu, click the View tab, and select Show hidden files and folders.

Managing Key Providers

On the Key Providers page you can define the settings of external key providers used in user authentication. Available key providers are MSCAPI, Entrust, and PKCS#11.

Defining key providers

Figure 4.25. Defining key providers

Microsoft Crypto API

SSH Tectia Client and Connector can access keys via Microsoft Crypto API (MSCAPI). MSCAPI is a standard cryptographic interface used in Microsoft Windows systems.

Microsoft Crypto API (MSCAPI) providers can be enabled by selecting the Enable Microsoft Crypto API check box. If you enable the MSCAPI providers, you can use software keys and certificates created by Microsoft applications.

You can also select the polling interval (in milliseconds) for MSCAPI. If 0 (zero) is selected, the Connection Broker will not poll MSCAPI, but will wait for system notifications instead.

Entrust

Select the Enable Entrust check box to enable using Entrust.

Enter the Initialization file (*.ini) and Profile file (*.epf).

By using the Entrust provider, SSH Tectia Client and Connector can utilize keys and certificates stored in an Entrust profile file (.epf). The initialization file includes the basic Entrust PKI configuration (for example the CA address).

When the provider is enabled for the first time, Entrust Entelligence will prompt for your Entrust password. As long as the Entrust provider is enabled, the password is asked each time SSH Tectia Client/Connector is started.

PKCS#11

By using the PKCS#11 provider, SSH Tectia Client and Connector can use keys and certificates stored in PKCS#11 tokens (for example, smart cards or USB tokens).

Click Add... to define a PKCS#11 provider.

Defining a PKCS#11 provider, Aladdin eToken DLL path shown as an example

Figure 4.26. Defining a PKCS#11 provider, Aladdin eToken DLL path shown as an example

Use the Dynamic library to define a dynamic library containing the PKCS#11 driver.

Use the Slots to define slots. A slot is a logical reader that potentially contains a token. Slots are manufacturer- specific. They are defined with an integer. Examples: "0,1", "0-3, !2", "2".