<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Copyright" content="Copyright (c) 2006 by IBM Corporation">
<title>krb5_get_credentials()--Get Service Ticket</title>
<!-- Begin Header Records -->
<!-- Created by Kent Hofer for V5R1 -->
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<!-- Change History: -->
<!-- YYMMDD USERID Change description -->
<link rel="stylesheet" type="text/css" href="../rzahg/ic.css">
</head>
<body>
<!-- End Header Records --><!-- Edited by Kersten Jan 02 -->
<!--Java sync-link-->
<script type="text/javascript" language="Javascript" src="../rzahg/synch.js">
</script>
<a name="Top_Of_Page"></a>
<h2>krb5_get_credentials()--Get Service Ticket</h2>
<div class="box" style="width: 60%;">
<br>
&nbsp;&nbsp;Syntax
<pre>
#include &lt;krb5.h&gt;

krb5_error_code krb5_get_credentials(
    krb5_context           <em>context</em>,
    krb5_const krb5_flags  <em>options</em>,
    krb5_ccache            <em>ccache</em>,
    krb5_creds *           <em>in_cred</em>,
    krb5_creds **          <em>out_cred</em>);
</pre>
&nbsp;&nbsp;Service Program Name: QSYS/QKRBGSS<br>
<!-- iddvc RMBR -->
<br>
&nbsp;&nbsp;Default Public Authority: *USE<br>
<!-- iddvc RMBR -->
<br>
&nbsp;&nbsp;Threadsafe: Yes<br>
<!-- iddvc RMBR -->
<br>
</div>
<p>The <strong>krb5_get_credentials()</strong> function obtains a service
ticket for the requested server. This routine is the normal way for an
application to obtain a service ticket. If the service ticket is already in the
credentials cache, the <strong>krb5_get_credentials()</strong> routine returns
the cached ticket. Otherwise, the <strong>krb5_get_credentials()</strong>
routine calls the <strong>krb5_get_cred_from_kdc()</strong> routine to obtain a
service ticket from the Kerberos server.</p>
<p>The <strong>krb5_get_credentials()</strong> routine stores any tickets
obtained during its processing in the credentials cache. This includes the
requested service ticket, as well as any ticket-granting tickets required to
obtain the service ticket.</p>
<br>
<h3>Authorities</h3>
<table border cellpadding="5">
<!-- width="80" -->
<!-- cols="30 70" -->
<tr>
<th align="left" valign="bottom">Object Referred to</th>
<th align="center" valign="bottom">Data Authority Required</th>
</tr>
<tr>
<td align="left" valign="top">Each directory in the path name preceding the
credentials cache file</td>
<td align="center" valign="top">*X</td>
</tr>
<tr>
<td align="left" valign="top">Credentials cache file</td>
<td align="center" valign="top">*RW</td>
</tr>
</table>
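<p>The authorities in the table above can be verified before the call is made. The following C function is an added example, not part of the IBM documentation: it assumes the credentials cache is a file in a POSIX-style file system and uses <code>access()</code> as a stand-in for the *X and *RW data authorities. The names <code>check_ccache_authority</code>, <code>cc_check</code> and <code>CC_PATH_MAX</code> are hypothetical.</p>

```c
/* Added example, not IBM code. POSIX access() stands in for the *X and *RW
 * data authorities (an assumption); it tests the real, not effective, user ID. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define CC_PATH_MAX 1024   /* hypothetical path limit for this example */

enum cc_check { CC_OK, CC_DIR_NO_X, CC_FILE_NO_RW, CC_BAD_PATH };

/* Tests search (*X) permission on every directory preceding the cache file,
 * then read and write (*RW) on the file itself. On failure, copies the
 * offending path into failed (CC_PATH_MAX bytes) and errno into *err. */
enum cc_check check_ccache_authority(const char *path, char *failed, int *err)
{
    char buf[CC_PATH_MAX];
    size_t len = strlen(path);
    if (len == 0 || len >= sizeof buf)
        return CC_BAD_PATH;
    memcpy(buf, path, len + 1);
    for (size_t i = 1; i < len; i++) {
        if (buf[i] != '/')
            continue;
        buf[i] = '\0';                 /* cut the path at this directory */
        if (access(buf, X_OK) != 0) {
            *err = errno;
            strcpy(failed, buf);
            return CC_DIR_NO_X;
        }
        buf[i] = '/';                  /* restore and move to the next one */
    }
    if (access(buf, R_OK | W_OK) != 0) {
        *err = errno;
        strcpy(failed, buf);
        return CC_FILE_NO_RW;
    }
    return CC_OK;
}

int main(int argc, char **argv)
{
    char failed[CC_PATH_MAX] = "";
    int err = 0;
    enum cc_check rc = check_ccache_authority(argc > 1 ? argv[1] : "/dev/null", failed, &err);
    if (rc != CC_OK)
        fprintf(stderr, "authority check failed at %s: %s\n", failed, strerror(err));
    return rc;
}
```

<p>The <code>err</code> value separates a missing object (<code>ENOENT</code>) from a permission failure (<code>EACCES</code>), which point to different fixes.</p>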
<br>
<br>
<h3>Parameters</h3>
<dl>
<dt><strong>context</strong>&nbsp;&nbsp;(Input)</dt>
<dd>The Kerberos context.<br>
<br>
</dd>
<dt><strong>options</strong>&nbsp;&nbsp;(Input)</dt>
<dd>The option flags as follows:<br>
<br>
<table cellpadding="5">
<!-- cols="35 65" -->
<tr>
<td align="left" valign="top"><em>KRB5_GC_USER_USER</em> (x'00000001')</td>
<td align="left" valign="top">Obtain a user-to-user ticket.</td>
</tr>
<tr>
<td align="left" valign="top"><em>KRB5_GC_CACHED</em> (x'00000002')</td>
<td align="left" valign="top">Do not obtain a service ticket if one is not
found in the credentials cache.</td>
</tr>
</table>
<br>
<br>
</dd>
<dt><strong>ccache</strong>&nbsp;&nbsp;(Input)</dt>
<dd>The credentials cache to be used. The initial ticket-granting ticket must
already be in the cache.<br>
<br>
</dd>
<dt><strong>in_cred</strong>&nbsp;&nbsp;(Input)</dt>
<dd>The request credentials. The <em>client</em> and <em>server</em> fields
must be set to the desired values for the service ticket. The
<em>second_ticket</em> field must be set if the service ticket is to be
encrypted in a session key. The ticket expiration time can be set to override
the default expiration time. The key encryption type can be set to override the
default ticket encryption type.<br>
<br>
</dd>
<dt><strong>out_cred</strong>&nbsp;&nbsp;(Output)</dt>
<dd>The service ticket. The <strong>krb5_free_creds()</strong> routine should
be called to release the credentials when they are no longer needed.<br>
<br>
</dd>
</dl>
<br>
<h3>Return Value</h3>
<p>If no errors occur, the return value is 0. Otherwise, a Kerberos error code
is returned.</p>
<br>
<h3>Error Messages</h3>
<table width="100%" cellpadding="5">
<!-- cols="15 85" -->
<tr>
<th align="left" valign="top">Message ID</th>
<th align="left" valign="top">Error Message Text</th>
</tr>
<tr>
<td width="15%" valign="top">CPE3418 E</td>
<td width="85%" valign="top">Possible APAR condition or hardware failure.</td>
</tr>
</table>
<br>
<br>
<h3>Usage Notes</h3>
<ol>
<li>If <strong>KRB5_GC_CACHED</strong> is specified, the
<strong>krb5_get_credentials()</strong> routine searches only the credentials
cache for a service ticket.<br>
<br>
</li>
<li>If <strong>KRB5_GC_USER_USER</strong> is specified, the
<strong>krb5_get_credentials()</strong> routine gets credentials for
user-to-user authentication. In user-to-user authentication, the secret key for
the server is the session key from the server's ticket-granting ticket. The
ticket-granting ticket is passed from the server to the client over the
network. (This is safe since the ticket-granting ticket is encrypted in a key
known only by the Kerberos server.) The client must then pass this
ticket-granting ticket to <strong>krb5_get_credentials()</strong> as the second
ticket in the request credentials. The Kerberos server uses this
ticket-granting ticket to construct a user-to-user ticket that can be verified
by the server using the session key from its ticket-granting ticket.</li>
</ol>
<br>
<hr>
API introduced: V5R1
<hr>
</body>
</html>