HP-UX Reference (11i v2 03/08) - 4 File Formats (vol 8)

libgss(4) libgss(4)
Using the GSSAPI framework
Applications communicating through the GSSAPI framework go through the following main stages:
1. The communicating applications acquire a set of credentials to prove their identity to other applications. The applications' credentials vouch for their global identities.
2. The applications establish a joint security context using their credentials. This context is then used to provide per-message security services such as integrity and confidentiality.
Establishing the security context is done as follows: one application (the client) initiates the context setup, and the other application (the server) accepts it after zero or more tokens have been exchanged. The number of exchanges depends on the underlying security mechanism.
3. Per-message services apply confidentiality and integrity. An application transmitting a message that it wishes to protect calls the appropriate GSSAPI routine (gss_get_mic or gss_wrap) to apply protection. The transmitting application specifies the security context to use and sends the protected output to the receiving application. The receiver passes the data to the corresponding decoding routine, gss_verify_mic to validate the data or gss_unwrap to remove the protection.
4. At the completion of a communication session, the peer applications call GSSAPI routines to delete
the security context.
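The stage-2 exchange as an added example, not code from this man page or from libgss.sl: a C program that runs the initiator and acceptor loops in one process against a constructed stand-in mechanism (init_ctx, accept_ctx, establish, token_t and ctx_t are assumed names, not libgss routines), parameterised by how many client tokens the mechanism needs; only the status values and the GSS_ERROR test follow the real GSSAPI headers. It shows what a correct driver loop must do: send a non-empty output token even when the call already returned GSS_S_COMPLETE, keep calling while GSS_S_CONTINUE_NEEDED is set, and abort on a truncated exchange.

```c
/* Added example (not from libgss(4) or libgss.sl): the stage-2 token exchange
 * between initiator and acceptor, run in one process against a constructed
 * stand-in mechanism. Status values and GSS_ERROR match the GSSAPI headers. */
#include <stdio.h>
#include <string.h>

#define GSS_S_COMPLETE        0u
#define GSS_S_CONTINUE_NEEDED 1u
#define GSS_S_FAILURE         (13u << 16)
#define GSS_ERROR(x)          ((x) & 0xFFFF0000u)   /* calling or routine error set */

typedef struct { size_t length; char value[8]; } token_t;  /* like gss_buffer_desc */
typedef struct { int calls, rounds, established; } ctx_t;  /* stand-in context */

/* Initiator stand-in for gss_init_sec_context: emits client token k on call k;
 * after consuming the acceptor's final token it completes with no output. */
static unsigned init_ctx(ctx_t *c, const token_t *in, token_t *out) {
    if (c->calls > 0 && in->length == 0) return GSS_S_FAILURE; /* peer token missing */
    c->calls++;
    out->length = 0;
    if (c->calls > c->rounds) { c->established = 1; return GSS_S_COMPLETE; }
    out->length = (size_t)snprintf(out->value, sizeof out->value, "C%d", c->calls);
    return GSS_S_CONTINUE_NEEDED;
}
/* Acceptor stand-in for gss_accept_sec_context: answers every client token and
 * returns GSS_S_COMPLETE together with its last token (mutual authentication). */
static unsigned accept_ctx(ctx_t *c, const token_t *in, token_t *out) {
    if (in->length == 0) return GSS_S_FAILURE;
    c->calls++;
    out->length = (size_t)snprintf(out->value, sizeof out->value, "S%d", c->calls);
    if (c->calls < c->rounds) return GSS_S_CONTINUE_NEEDED;
    c->established = 1;
    return GSS_S_COMPLETE;
}
/* The loop each side of a real application runs, with "send to peer" replaced
 * by handing the token straight across. Returns 1 when both contexts are up. */
int establish(int rounds, ctx_t *cli, ctx_t *srv) {
    token_t c2s = {0}, s2c = {0};
    unsigned mc;
    memset(cli, 0, sizeof *cli); memset(srv, 0, sizeof *srv);
    cli->rounds = srv->rounds = rounds;
    do {
        mc = init_ctx(cli, &s2c, &c2s);            /* s2c is empty on the first call */
        if (GSS_ERROR(mc)) return 0;               /* caller would delete the context */
        if (c2s.length == 0) break;                /* nothing more to send */
        if (GSS_ERROR(accept_ctx(srv, &c2s, &s2c))) return 0; /* sent even if mc is COMPLETE */
    } while (mc & GSS_S_CONTINUE_NEEDED);          /* otherwise wait for the peer's reply */
    return cli->established && srv->established;
}
```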
The names of the APIs implemented in the libgss.sl library, with a very brief description of each, are given below. For details about using these APIs, refer to the respective man pages.
Credential Manipulation APIs
Credentials are used to prove the identity of an application to another application. The GSSAPIs assume that the applications' credentials are already in place. The following GSSAPIs are used to inquire about and manipulate them.
gss_acquire_cred: Allows an application to acquire a handle for a pre-existing credential by name.
gss_release_cred: Informs GSSAPI that the specified credential is no longer required by the process. When all the processes have released a credential, it will be deleted.
gss_inquire_cred: Obtain information about a credential.
gss_inquire_cred_by_mech: Obtain per-mechanism information about a credential.
gss_add_cred: Construct credentials by adding incrementally.
Context Manipulation APIs
For the applications to establish a joint security context and use it for security services, the following GSSAPIs are required.
gss_init_sec_context: Initiate a security context with a peer application.
gss_accept_sec_context: Accept a security context initiated by a peer application.
gss_delete_sec_context: Discard a security context (release the memory of the context structure).
gss_inquire_context: Obtain information about a security context.
gss_process_context_token: Process a token from a peer application.
gss_export_sec_context: Transfer a security context to another process.
gss_import_sec_context: Import a transferred context.
gss_context_time: Determine for how long a context will remain valid.
gss_wrap_size_limit: Determine token size limit for gss_wrap on a context.
Per Message Operation APIs
To perform per-message operations such as data integrity and data privacy services, the following GSSAPIs can be used:
gss_get_mic: To calculate a cryptographic Message Integrity Code (MIC) for a message (Integrity Service).
gss_verify_mic: To verify message integrity.
Section 4-158    Hewlett-Packard Company    - 2 -    HP-UX 11i Version 2: August 2003