HP-UX Reference > libgss(4)
HP-UX 11i Version 3: February 2007
NAME
libgss - shared library for GSSAPI (Generic Security Service Application Programming Interface)

DESCRIPTION
libgss is a shared library that contains all the GSSAPI functions specified in RFC 2743, implemented as the C-language interfaces defined in RFC 2744, "Generic Security Service API: C-bindings". GSSAPI provides security services to applications independently of the underlying security mechanisms. The services include authentication, integrity and/or confidentiality.

GSSAPI provides secure communication between two peers by means of a data structure called a security context. The GSSAPI caller is responsible for transferring tokens between the peers; GSSAPI itself is independent of the underlying communication protocol. The application that establishes the secure connection is called the context initiator, or simply the initiator. The application that accepts the secure connection is the context acceptor, or simply the acceptor.

An application developer who uses the GSSAPI C-binding interfaces can link an application with libgss.sl. The underlying security mechanism is specified at runtime in a configuration file, /etc/gss/mech, and the library dynamically loads the corresponding mechanism-specific shared library (for example, libgssapi_krb5.sl in the case of Kerberos) from the path specified in that configuration file. The /etc/gss/mech file has the following format:
The default path of the mechanism file (/etc/gss/mech) can be changed by setting the GSSAPI_MECH_CONF environment variable.

Example /etc/gss/mech file:

    # Mechanism Name    Object Identifier        Shared Library
    #
    krb5_mech           1.2.840.113554.1.2.2     libgssapi_krb5.sl

Besides this configuration file, there are two other configuration files, /etc/gss/qop and /etc/gss/gsscred.conf, which can be used in association with libgss.sl.

The /etc/gss/qop file contains information about the GSSAPI-based quality of protection (QOP) for each underlying security mechanism. The /etc/gss/qop file has the following format:

Example /etc/gss/qop file:

    # QOP string                    QOP Value    Mechanism Name
    #
    GSS_KRB5_INTEG_C_QOP_DES_MD5    0            kerberos_v5

The /etc/gss/gsscred.conf file selects the underlying mechanism used to store the gsscred table. The gsscred table stores the mapping between a security principal and the UNIX uid. The only supported gsscred backend mechanism is flat files; therefore the entry "files" must be specified in /etc/gss/gsscred.conf for the library to operate successfully.

Example /etc/gss/gsscred.conf file:

    # gsscred configuration file
    #
    # Valid gsscred backend mechanisms are:
    #     files
    #
    files

Using the GSSAPI framework
Applications communicating using the GSSAPI framework go through the following main stages:
Credential Manipulation APIs
Credentials are used to prove the identity of an application to another application. The GSSAPIs assume that the credentials of the applications are already in place; the following GSSAPIs are used to inquire about and manipulate them.

gss_acquire_cred: Allows an application to acquire a handle for a pre-existing credential by name.
gss_release_cred: Informs GSSAPI that the specified credential is no longer required by the process. When all processes have released a credential, it is deleted.
gss_inquire_cred: Obtain information about a credential.
gss_inquire_cred_by_mech: Obtain per-mechanism information about a credential.
gss_add_cred: Construct credentials incrementally by adding to them.

Context Manipulation APIs
The following GSSAPIs are used by applications to establish a joint security context and to use it for security services.

gss_init_sec_context: Initiate a security context with a peer application.
gss_accept_sec_context: Accept a security context initiated by a peer application.
gss_delete_sec_context: Discard a security context (release the memory of the context structure).
gss_inquire_context: Obtain information about a security context.
gss_process_context_token: Process a token from a peer application.
gss_export_sec_context: Transfer a security context to another process.
gss_import_sec_context: Import a transferred context.
gss_context_time: Determine how long a context will remain valid.
gss_wrap_size_limit: Determine the token size limit for gss_wrap on a context.

Per Message Operation APIs
The following GSSAPIs perform per-message operations such as the data integrity and data privacy services:

gss_get_mic: Calculate a cryptographic Message Integrity Code (MIC) for a message (integrity service).
gss_verify_mic: Verify the integrity of a message.
gss_wrap: Encrypt a message (confidentiality service).
gss_unwrap: Decrypt a message (confidentiality service).

Name Manipulation APIs
Names identify principals.
Names are represented either in printable form (for presentation to an application) or in an internal (canonical) form that is used by the API and is opaque to applications. The following APIs are used to manipulate names:

gss_import_name: Convert a contiguous string name to internal form.
gss_display_name: Convert an internal-form name to text.
gss_compare_name: Compare two internal-form names.
gss_release_name: Discard an internal-form name.
gss_inquire_names_for_mech: List the name types supported by a specific mechanism.
gss_inquire_mechs_for_name: List the mechanisms that support the specified name type.
gss_canonicalize_name: Convert an internal name to a mechanism-specific Mechanism Name (MN).
gss_export_name: Convert an MN to a flat name representation suitable for bitwise comparison.
gss_duplicate_name: Create a copy of an internal name.

Miscellaneous Operation APIs
Besides the categories of APIs above, there are APIs for miscellaneous operations such as creating and deleting sets of mechanism OIDs, displaying GSSAPI status codes in text form, and releasing buffer memory, as given below:

gss_add_oid_set_member: Add an object identifier to a set of OIDs.
gss_release_oid_set: Release the memory of a set of OIDs.
gss_create_empty_oid_set: Create an OID set with no OIDs.
gss_test_oid_set_member: Determine whether an OID is a member of a set.
gss_release_buffer: Release the memory of a buffer.
gss_release_oid: Release the memory of an OID structure.
gss_release_name: Release the memory of a name type.
gss_display_status: Convert a GSSAPI status code to text.
gss_indicate_mechs: Determine the available underlying security mechanisms.
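The three configuration files described in the DESCRIPTION section above (/etc/gss/mech, /etc/gss/qop and /etc/gss/gsscred.conf) are what decide which shared library libgss loads at runtime and which gsscred backend it uses, so an administrator will want to check their contents before trusting them. The following parser and validator is an added example, not code from libgss or the HP-UX manual page. It takes the column layout and comment syntax from the page's example files; the validation rules (the dotted-decimal OID check, rejecting duplicate mechanisms and library paths containing "..", requiring exactly one "files" entry) and the sample file contents are this example's own assumptions.

```python
"""Parser and validator for the libgss configuration files /etc/gss/mech,
/etc/gss/qop and /etc/gss/gsscred.conf.

Added example, not part of libgss or the HP-UX manual page. Column layout
and '#' comments follow the page's example files; the validation rules are
this example's own.
"""
import os
import re
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_MECH_CONF = "/etc/gss/mech"

# Dotted-decimal object identifier such as 1.2.840.113554.1.2.2 (Kerberos V5).
OID_RE = re.compile(r"^[0-2](\.[0-9]+)+$")


@dataclass
class MechEntry:
    name: str       # mechanism name, e.g. krb5_mech
    oid: str        # mechanism OID in dotted-decimal form
    library: str    # shared library libgss loads for this mechanism


@dataclass
class QopEntry:
    qop_string: str  # symbolic QOP name, e.g. GSS_KRB5_INTEG_C_QOP_DES_MD5
    qop_value: int   # numeric QOP value
    mech_name: str   # mechanism the QOP belongs to


def mech_conf_path(environ=None) -> str:
    """Mechanism file location: GSSAPI_MECH_CONF overrides the default path."""
    env = os.environ if environ is None else environ
    return env.get("GSSAPI_MECH_CONF") or DEFAULT_MECH_CONF


def _records(text: str):
    """Yield (line_number, fields) for every non-blank, non-comment line."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            yield n, line.split()


def parse_mech(text: str) -> List[MechEntry]:
    """Parse /etc/gss/mech: one 'name  OID  shared-library' record per line.

    libgss dynamically loads whatever library this file names, so a malformed
    or duplicated record is reported as an error instead of being skipped.
    """
    entries: List[MechEntry] = []
    names, oids = set(), set()
    for n, f in _records(text):
        if len(f) != 3:
            raise ValueError(f"mech line {n}: expected 3 fields, got {len(f)}")
        name, oid, lib = f
        if not OID_RE.match(oid):
            raise ValueError(f"mech line {n}: malformed OID {oid!r}")
        if ".." in lib.split("/"):
            raise ValueError(f"mech line {n}: library path {lib!r} contains '..'")
        if name in names or oid in oids:
            raise ValueError(f"mech line {n}: duplicate mechanism {name!r} / {oid}")
        names.add(name)
        oids.add(oid)
        entries.append(MechEntry(name, oid, lib))
    return entries


def parse_qop(text: str) -> List[QopEntry]:
    """Parse /etc/gss/qop: one 'QOP-string  QOP-value  mechanism-name' record per line."""
    entries: List[QopEntry] = []
    for n, f in _records(text):
        if len(f) != 3:
            raise ValueError(f"qop line {n}: expected 3 fields, got {len(f)}")
        qop_string, value, mech = f
        if not value.isdigit():
            raise ValueError(f"qop line {n}: QOP value {value!r} is not a non-negative integer")
        entries.append(QopEntry(qop_string, int(value), mech))
    return entries


def parse_gsscred_conf(text: str) -> str:
    """Parse /etc/gss/gsscred.conf; 'files' is the only backend libgss supports."""
    backends = [" ".join(f) for _, f in _records(text)]
    if backends != ["files"]:
        raise ValueError(f"gsscred.conf must contain exactly one 'files' entry, got {backends}")
    return backends[0]


def check(parser, text: str) -> Optional[str]:
    """Run a parser and return its error message, or None when the file is valid."""
    try:
        parser(text)
        return None
    except ValueError as exc:
        return str(exc)


# Constructed sample files, laid out like the page's examples.
SAMPLE_MECH = "# Mechanism Name   Object Identifier       Shared Library\n#\n" \
              "krb5_mech          1.2.840.113554.1.2.2    libgssapi_krb5.sl\n"
SAMPLE_QOP = "# QOP string                   QOP Value   Mechanism Name\n#\n" \
             "GSS_KRB5_INTEG_C_QOP_DES_MD5   0           kerberos_v5\n"
SAMPLE_GSSCRED = "# gsscred configuration file\n#\n# Valid gsscred backend mechanisms are:\n" \
                 "#    files\n#\nfiles\n"

if __name__ == "__main__":
    print("mechanism file:", mech_conf_path())
    for m in parse_mech(SAMPLE_MECH):
        print(f"mechanism {m.name} ({m.oid}) -> {m.library}")
    for q in parse_qop(SAMPLE_QOP):
        print(f"QOP {q.qop_string}={q.qop_value} for {q.mech_name}")
    print("gsscred backend:", parse_gsscred_conf(SAMPLE_GSSCRED))
```

To check the live files on a host, read /etc/gss/mech (or the path named by GSSAPI_MECH_CONF, as mech_conf_path() resolves it), /etc/gss/qop and /etc/gss/gsscred.conf and pass their contents to the three parsers; any ValueError identifies the offending line. The parsers intentionally do not cross-check the mechanism name column of /etc/gss/qop against /etc/gss/mech, because the page's own examples use different names (kerberos_v5 and krb5_mech) for the same mechanism.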