ibm-information-center/dist/eclipse/plugins/i5OS.ic.apis_5.4.0.1/gss_acquire_cred.htm

332 lines
8.9 KiB
HTML
Raw Normal View History

2024-04-02 14:02:31 +00:00
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Copyright" content="Copyright (c) 2006 by IBM Corporation">
<title>gss_acquire_cred()--Acquire GSS Credential</title>
<!-- Begin Header Records -->
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<!-- Change History: -->
<!-- Edited by Kersten Jan 02 -->
<!-- Created by Kent Hofer for V5R1 -->
<link rel="stylesheet" type="text/css" href="../rzahg/ic.css">
</head>
<body>
<!-- End Header Records -->
<!--Java sync-link-->
<script type="text/javascript" language="Javascript" src="../rzahg/synch.js">
</script>
<a name="Top_Of_Page"></a>
<h2>gss_acquire_cred()--Acquire GSS Credential</h2>
<div class="box" style="width: 80%;">
<br>
&nbsp;&nbsp;Syntax
<pre>
#include &lt;gssapi.h&gt;
OM_uint32 gss_acquire_cred(
OM_uint32 * <em>minor_status</em>,
gss_name_t <em>desired_name</em>,
OM_uint32 <em>time_req</em>,
gss_OID_set <em>desired_mechs</em>,
gss_cred_usage_t <em>cred_usage</em>,
gss_cred_id_t * <em>output_cred_handle</em>,
gss_OID_set * <em>actual_mechs</em>,
OM_uint32 * <em>time_rec</em>);
</pre>
&nbsp;&nbsp;Service Program Name: QSYS/QKRBGSS <br>
<!-- iddvc RMBR -->
<br>
&nbsp;&nbsp;Default public authority: *USE <br>
<!-- iddvc RMBR -->
<br>
&nbsp;&nbsp;Threadsafe: Yes<br>
<!-- iddvc RMBR -->
<br>
</div>
<p>The <strong>gss_acquire_cred()</strong> function allows an application to
acquire a GSS credential. The application can then use the credential with the
<strong>gss_init_sec_context()</strong> and
<strong>gss_accept_sec_context()</strong> routines.</p>
<br>
<h3>Parameters</h3>
<dl>
<dt><strong>minor_status</strong>&nbsp;&nbsp;(Output)</dt>
<dd>A status code from the security mechanism.<br>
<br>
</dd>
<dt><strong>desired_name</strong>&nbsp;&nbsp;(Input)</dt>
<dd>The principal name to be used for the credential. Specify
<strong>GSS_C_NO_NAME</strong> for this parameter to use the name obtained from
the default login context.<br>
<br>
</dd>
<dt><strong>time_req</strong>&nbsp;&nbsp;(Input)</dt>
<dd>The number of seconds that the credential remains valid. Specify
<strong>GSS_C_INDEFINITE</strong> to request the maximum credential lifetime.
Specify zero for the default lifetime of 2 hours. The actual credential
lifetime is limited by the lifetime of the underlying ticket-granting ticket
for <strong>GSS_C_INITIATE</strong> and <strong>GSS_C_BOTH</strong>
credentials.<br>
<br>
</dd>
<dt><strong>desired_mechs</strong>&nbsp;&nbsp;(Input)</dt>
<dd>The desired security mechanisms for use with the credential. Mechanisms
that are not available on the local system are ignored. The actual mechanisms
that can be used with the credential are returned in the <em>actual_mechs</em>
parameter. Specify <strong>GSS_C_NO_OID_SET</strong> for this parameter to use
the default mechanism of <strong>gss_mech_krb5</strong>.<br>
<br>
<p>The following security mechanisms are supported:</p>
<table cellpadding="5">
<!-- cols="15 85" -->
<tr>
<td align="left" valign="top"><em>gss_mech_krb5_old</em></td>
<td align="left" valign="top">Beta Kerberos V5 mechanism</td>
</tr>
<tr>
<td align="left" valign="top"><em>gss_mech_krb5</em></td>
<td align="left" valign="top">Kerberos V5 mechanism</td>
</tr>
</table>
<br>
<br>
</dd>
<dt><strong>cred_usage</strong>&nbsp;&nbsp;(Input)</dt>
<dd>The desired credential usage as follows:<br>
<br>
<table cellpadding="5">
<!-- cols="15 85" -->
<tr>
<td align="left" valign="top"><em>GSS_C_ACCEPT</em></td>
<td align="left" valign="top">The credential can be used only to accept
security contexts.</td>
</tr>
<tr>
<td align="left" valign="top"><em>GSS_C_BOTH</em></td>
<td align="left" valign="top">The credential can be used to both initiate and
accept security contexts.</td>
</tr>
<tr>
<td align="left" valign="top"><em>GSS_C_INITIATE</em></td>
<td align="left" valign="top">The credential can be used only to initiate
security contexts.</td>
</tr>
</table>
<br>
<br>
</dd>
<dt><strong>output_cred_handle</strong>&nbsp;&nbsp;(Output)</dt>
<dd>The handle for the GSS credential.<br>
<br>
</dd>
<dt><strong>actual_mechs</strong>&nbsp;&nbsp;(Output)</dt>
<dd>The set of mechanism identifiers for which the credential is valid. If the
actual mechanisms are not required, specify <strong>NULL</strong> for this
parameter. The gss_OID_set returned for this parameter should be released by
calling the <strong>gss_release_oid_set()</strong> routine when it is no longer
needed.<br>
<br>
</dd>
<dt><strong>time_rec</strong>&nbsp;&nbsp;(Output)</dt>
<dd>The number of seconds for which the credential will remain valid. If the
time remaining is not required, specify <strong>NULL</strong> for this
parameter.</dd>
</dl>
<br>
<h3>Return Value</h3>
<p>The return value is one of the following status codes:</p>
<dl>
<dt><strong>GSS_S_BAD_MECH</strong></dt>
<dd>None of the requested mechanisms are supported by the local system.<br>
<br>
</dd>
<dt><strong>GSS_S_BAD_NAME</strong></dt>
<dd>The name specified for the <em>desired_name</em> parameter is not
valid.<br>
<br>
</dd>
<dt><strong>GSS_S_BAD_NAMETYPE</strong></dt>
<dd>The name specified for the <em>desired_name</em> parameter is not supported
by the applicable underlying GSS mechanisms.<br>
<br>
</dd>
<dt><strong>GSS_S_COMPLETE</strong></dt>
<dd>The routine completed successfully.<br>
<br>
</dd>
<dt><strong>GSS_S_FAILURE</strong></dt>
<dd>The routine failed for reasons that are not defined at the GSS level. The
<em>minor_status</em> return parameter contains a mechanism-dependent error
code describing the reason for the failure.<br>
<br>
</dd>
<dt><strong>GSS_S_NO_CRED</strong></dt>
<dd>No credentials are available or the credentials are valid for context
initiation use only.</dd>
</dl>
<br>
<h3>Authorities</h3>
<br>
<table border width="80%">
<tr>
<th align="left" valign="bottom">Object Referred to</th>
<th align="center" valign="bottom">Data Authority Required</th>
</tr>
<tr>
<td align="left" valign="top">Each directory in the path name preceding the
configuration file</td>
<td align="center" valign="top">*X</td>
</tr>
<tr>
<td align="left" valign="top">Configuration file</td>
<td align="center" valign="top">*R</td>
</tr>
<tr>
<td align="left" valign="top">Each directory preceding the credential cache
file if <strong>GSS_C_INITIATE</strong> or <strong>GSS_C_BOTH</strong> is
specified for credential usage</td>
<td align="center" valign="top">*X</td>
</tr>
<tr>
<td align="left" valign="top">Credential cache file</td>
<td align="center" valign="top">*RW</td>
</tr>
<tr>
<td align="left" valign="top">Each directory preceding the keytab file if
<strong>GSS_C_ACCEPT</strong> or <strong>GSS_C_BOTH</strong> is specified for
credential usage</td>
<td align="center" valign="top">*X</td>
</tr>
<tr>
<td align="left" valign="top">Keytab file</td>
<td align="center" valign="top">*R</td>
</tr>
</table>
<br>
<h3>Error Messages</h3>
<table width="100%" cellpadding="5">
<!-- cols="15 85" -->
<tr>
<th align="left" valign="top">Message ID</th>
<th align="left" valign="top">Error Message Text</th>
</tr>
<tr>
<td width="15%" valign="top">CPE3418 E</td>
<td width="85%" valign="top">Possible APAR condition or hardware failure.</td>
</tr>
</table>
<br>
<h3>Usage Notes</h3>
<ol>
<li>If <strong>GSS_C_INITIATE</strong> or <strong>GSS_C_BOTH</strong> is
specified for the credential usage, the application must have a valid
ticket-granting ticket in the default credentials cache and the ticket must not
expire for at least 10 minutes. The <strong>gss_acquire_cred()</strong> routine
uses this ticket-granting ticket to create the GSS credential. The principal
specified by the <em>desired_name</em> parameter must match the principal
obtained from the credentials cache or must be specified as
<strong>GSS_C_NO_NAME</strong>. The <strong>KRB5CCNAME</strong> environment
variable is used to identify the credentials cache used by the Kerberos
security mechanism.<br>
<br>
</li>
<li>If <strong>GSS_C_ACCEPT</strong> or <strong>GSS_C_BOTH</strong> is
specified for the credential usage, the principal specified by the
<em>desired_name</em> parameter must be defined in a key table. The
<strong>KRB5_KTNAME</strong> environment variable can be used to set the key
table used by the Kerberos security mechanism.</li>
</ol>
<br>
<hr>
API introduced: V5R1
<hr>
<center>
<table cellpadding="2" cellspacing="2">
<tr align="center">
<td valign="middle" align="center"><a href="#Top_Of_Page">Top</a> |
<a href="sec.htm">Security APIs</a> <br><a href="unix.htm">UNIX-Type APIs</a> |
<a href="aplist.htm">APIs by category</a> </td>
</tr>
</table>
</center>
</body>
</html>