OSF DCE Application Development Guide--Core Components

Authentication
   • Ticket
   • EPAC(s)
   • Encrypted time stamp
It sends the GSSAPI token to the initiator, which forwards it to the acceptor.
4. The acceptor calls the gss_accept_sec_context() routine, which separates the ticket, the EPAC(s), and the encrypted time stamp, and sends them to the acceptor's Security Runtime.
5. The acceptor's Security Runtime:
   • Decrypts the ticket to get the fourth conversation key
   • Checks the time encrypted under the fourth conversation key
   • If the time matches, the Security Runtime:
     - Verifies the seal of the initiator's EPAC(s)
     - Creates a success message and encrypts the message under the fourth conversation key
     - Sends the EPAC(s), the message, and the fourth conversation key to the acceptor's GSSAPI
   • If the time doesn't match, it sends a failure message to the acceptor's GSSAPI.
6. The acceptor's GSSAPI holds onto the fourth conversation key and the EPAC(s), and creates a GSSAPI token containing the success message. It passes the token to the acceptor.
7. The acceptor forwards the GSSAPI token to the initiator.
8. The initiator passes the token to its GSSAPI to send to the Security Runtime by calling the gss_init_sec_context() routine again.
9. The Security Runtime tries to decrypt the message. If it can, it returns a success status to the GSSAPI, indicating that the acceptor's identity is authenticated. If not, it returns a failure status to the GSSAPI.
The context acceptor and context initiator can use the fourth conversation key in future communications by calling the gss_sign() and gss_seal() routines. The context acceptor can get the initiator's EPAC(s) in the form of an rpc_authz_cred_handle_t object, so that it can perform a DCE ACL check, by calling the gssdce_extract_creds_from_sec_context() routine. If the context initiator wants to talk to a new context acceptor, it must acquire a ticket to that context acceptor.
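The following is an added model of the exchange in steps 3 through 9, written for this page; it is not code from the OSF DCE guide or the DCE Security Runtime. It replaces the real Kerberos ticket and EPAC formats with JSON, the real ciphers with a labelled toy encrypt-then-MAC construction, and the privilege server's seal with an HMAC under a constructed key; the clock-skew tolerance, key names and message contents are assumptions. What it shows is who holds which key at each step, why the time-stamp check and the EPAC seal check happen on the acceptor's side before any success message is produced, and why the initiator only trusts the acceptor once the reply decrypts under the conversation key carried in the ticket (the page's "fourth conversation key").

```python
import hashlib
import hmac
import json
import os
import time

CLOCK_SKEW = 300  # assumed tolerance (seconds) for the time-stamp check

# Constructed long-term keys for the model. In DCE the acceptor's key is shared with
# the KDC, and the EPAC seal is produced by the privilege server.
ACCEPTOR_KEY = hashlib.sha256(b"model-acceptor-key").digest()
PRIV_SERVER_KEY = hashlib.sha256(b"model-privilege-server-key").digest()


def _keystream(key, nonce, length):
    """Toy keystream (HMAC-SHA256 in counter mode); a model, not a real cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """Encrypt-then-MAC under key; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Inverse of encrypt(); raises ValueError when the tag does not verify."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def issue_epac(principal, groups):
    """Privilege server (modelled): EPAC body plus a seal the acceptor can verify."""
    body = json.dumps({"principal": principal, "groups": groups}, sort_keys=True).encode()
    return {"body": body, "seal": hmac.new(PRIV_SERVER_KEY, body, hashlib.sha256).digest()}


def issue_ticket(client, conv_key):
    """KDC (modelled): ticket carrying the conversation key, under the acceptor's key."""
    return encrypt(ACCEPTOR_KEY, json.dumps({"client": client, "key": conv_key.hex()}).encode())


def initiator_build_token(ticket, epacs, conv_key, now):
    """Step 3, initiator side: ticket, EPAC(s), and a time stamp under the conversation key."""
    return {"ticket": ticket, "epacs": epacs, "timestamp": encrypt(conv_key, str(int(now)).encode())}


def acceptor_accept_token(token, now):
    """Steps 4-5, acceptor's Security Runtime. Returns (reply, (conv_key, epacs)) on
    success, or (failure reply, None) if the ticket, time stamp or an EPAC seal fails."""
    failure = {"status": "failure"}
    try:
        ticket = json.loads(decrypt(ACCEPTOR_KEY, token["ticket"]))
        conv_key = bytes.fromhex(ticket["key"])          # the fourth conversation key
        stamp = int(decrypt(conv_key, token["timestamp"]))
    except ValueError:
        return failure, None
    if abs(int(now) - stamp) > CLOCK_SKEW:               # time does not match
        return failure, None
    for epac in token["epacs"]:                          # verify each EPAC seal
        expected = hmac.new(PRIV_SERVER_KEY, epac["body"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, epac["seal"]):
            return failure, None
    message = encrypt(conv_key, b"success " + str(int(now)).encode())
    return {"status": "success", "message": message}, (conv_key, token["epacs"])


def initiator_verify_reply(reply, conv_key):
    """Steps 8-9, initiator's Security Runtime: the acceptor is authenticated only if
    the success message decrypts under the conversation key it holds."""
    if reply.get("status") != "success":
        return False
    try:
        return decrypt(conv_key, reply["message"]).startswith(b"success")
    except ValueError:
        return False


def run_exchange(initiator_clock_offset=0, tamper_epac=False):
    """Drive one context establishment; returns (acceptor_accepted, initiator_accepted)."""
    conv_key = os.urandom(32)
    epacs = [issue_epac("alice", ["staff"])]             # constructed sample principal
    if tamper_epac:                                      # modified body no longer matches its seal
        epacs[0]["body"] = epacs[0]["body"].replace(b'"staff"', b'"admin"')
    now = time.time()
    token = initiator_build_token(issue_ticket("alice", conv_key), epacs, conv_key,
                                  now + initiator_clock_offset)
    reply, acceptor_state = acceptor_accept_token(token, now)
    return acceptor_state is not None, initiator_verify_reply(reply, conv_key)


if __name__ == "__main__":
    print("normal run:", run_exchange())
    print("stale time stamp:", run_exchange(initiator_clock_offset=3600))
    print("tampered EPAC:", run_exchange(tamper_epac=True))
```

The tuple returned by run_exchange() mirrors the two outcomes the page describes: the first element is the acceptor's verdict on the initiator (steps 4 and 5), the second is the initiator's verdict on the acceptor (step 9). A stale time stamp or an EPAC whose seal no longer verifies stops the exchange at step 5, so no success message is ever produced and both sides report failure; after a successful run, acceptor_state holds exactly what step 6 says the acceptor's GSSAPI keeps, the conversation key and the EPAC(s).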
23.3 Intercell Authentication
While the intercell authentication model is an extension of intracell authentication,
there are certain concepts that are particular to intercell authentication. The following
subsections discuss those concepts.
124245 Tandem Computers Incorporated 2325