OSF DCE Application Development Guide--Core Components

The Key Management API
principal. (The key version specified in this routine must not be 0 [zero].) The
replicas should notify the master when they have completed setting their local
stores to the new key.
4. Cause the master to call sec_key_mgmt_change_key() (here again, the key
version must not be 0) after all replicas have set the new key locally, thereby
updating both the master's local storage and the registry database entry.
Of course, if the master and each replica have their own principal identities, each server
may call sec_key_mgmt_change_key() without coordinating this activity with any of the others.
30.3 Automatic Key Management
It is sometimes convenient for a principal to be able to change its key on a schedule
determined by the password expiration policy for that principal, rather than to rely on a
network administrator to decide when this should be done. In this case, the application
may call sec_key_mgmt_manage_key(). This function invokes sec_key_mgmt_gen_rand_key()
shortly before the current key is due to expire, updates both the local key
storage and the registry database entry with the new key, and then calls
sec_key_mgmt_garbage_collect() to discard any obsolete keys. This function runs
indefinitely; it will never return during normal operation and so should be invoked from
a thread dedicated to key management. It is not intended for use by server principals
that share the same key.
30.4 Deleting Expired Keys
In order to prevent service interruptions, the key management API does not immediately
discard keys that have been replaced; instead, it maintains the keys, with a version
number and key-type identifier, in the local key storage. However, after a key has been
out of use for longer than the maximum life of a ticket to the principal, it is no longer
possible that any client of that principal has a valid ticket encoded with that key. At this
time, the key storage may have its "garbage" collected.
The sec_key_mgmt_garbage_collect() routine collects garbage in the local key storage
by deleting all keys older than the maximum ticket lifetime for the cell. The
garbage_collect_time argument, which is returned by sec_key_mgmt_change_key(),
specifies when key-storage garbage is to be collected.
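The following is an added, self-contained C model of the version and garbage-collection rules described in sections 30.2 through 30.4; it is illustrative code written for this guide's reader, not DCE code and not the sec_key_mgmt API itself. MAX_TICKET_LIFETIME, the structure names and the function names are assumptions; the versioned entries, the rejection of version 0, and the rule that a retired key is deleted only after one maximum ticket lifetime follow the text.

```c
#include <stdio.h>
#include <time.h>

#define MAX_KEYS 16
#define MAX_TICKET_LIFETIME 36000L  /* cell's maximum ticket life in seconds (assumed value) */

/* One entry in the principal's local key storage. retired_at == 0 marks the
 * current key; otherwise it is the time a newer version replaced this one. */
typedef struct { unsigned version; time_t retired_at; } key_entry_t;
typedef struct { key_entry_t keys[MAX_KEYS]; int count; } key_store_t;

/* Model of sec_key_mgmt_change_key(): install a new version, retire the old current
 * key, return the earliest safe GC time; 0 if version is 0, duplicated, or store full. */
time_t change_key(key_store_t *ks, unsigned version, time_t now)
{
    int i;
    if (version == 0 || ks->count >= MAX_KEYS) return 0;
    for (i = 0; i < ks->count; i++)
        if (ks->keys[i].version == version) return 0;
    for (i = 0; i < ks->count; i++)
        if (ks->keys[i].retired_at == 0) ks->keys[i].retired_at = now;
    ks->keys[ks->count].version = version;
    ks->keys[ks->count].retired_at = 0;
    ks->count++;
    return now + MAX_TICKET_LIFETIME;
}

/* Model of sec_key_mgmt_garbage_collect(): drop every retired key that has been out of
 * use for a full ticket lifetime, so no client still holds a ticket under it. */
int garbage_collect(key_store_t *ks, time_t now)
{
    int i, kept = 0, removed = 0;
    for (i = 0; i < ks->count; i++) {
        time_t r = ks->keys[i].retired_at;
        if (r != 0 && r + MAX_TICKET_LIFETIME <= now) { removed++; continue; }
        ks->keys[kept++] = ks->keys[i];
    }
    ks->count = kept;
    return removed;
}

int main(void)
{
    key_store_t ks = {{{0}}, 0};
    time_t now = time(NULL);
    change_key(&ks, 1, now);
    time_t gc_at = change_key(&ks, 2, now + 60);  /* key 1 retired at now + 60 */
    printf("removed %d key(s) at the returned GC time\n", garbage_collect(&ks, gc_at));
    return 0;
}
```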
30.5 Deleting a Compromised Key
When a principal’s key has been compromised, it should be deleted as soon as the
damage has been discovered in order to prevent another party from masquerading as that
124245 Tandem Computers Incorporated 303