ibm-information-center/dist/eclipse/plugins/i5OS.ic.apis_5.4.0.1/krb5_rd_req.htm

212 lines
6.1 KiB
HTML
Raw Normal View History

2024-04-02 14:02:31 +00:00
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Copyright" content="Copyright (c) 2006 by IBM Corporation">
<title>krb5_rd_req()--Process Kerberos AP_REQ Message</title>
<!-- Begin Header Records -->
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<!-- Change History: -->
<!-- YYMMDD USERID Change description -->
<!-- Created by Kent Hofer for V5R1 -->
<!-- Edited by Kersten Jan 02 -->
<link rel="stylesheet" type="text/css" href="../rzahg/ic.css">
</head>
<body>
<!-- End Header Records -->
<!--Java sync-link-->
<script type="text/javascript" language="Javascript" src="../rzahg/synch.js">
</script>
<a name="Top_Of_Page"></a>
<h2>krb5_rd_req()--Process Kerberos AP_REQ Message</h2>
<div class="box" style="width: 70%;">
<br>
&nbsp;&nbsp;Syntax
<pre>
#include &lt;krb5.h&gt;
krb5_error_code krb5_rd_req(
krb5_context <em>context</em>,
krb5_auth_context * <em>auth_context</em>,
krb5_const krb5_data * <em>in_data</em>,
krb5_const_principal <em>server</em>,
krb5_keytab <em>keytab</em>,
krb5_flags * <em>ap_req_options</em>,
krb5_ticket ** <em>ticket</em>);
</pre>
&nbsp;&nbsp;Service Program Name: QSYS/QKRBGSS<br>
<!-- iddvc RMBR -->
<br>
&nbsp;&nbsp;Default Public Authority: *USE<br>
<!-- iddvc RMBR -->
<br>
&nbsp;&nbsp;Threadsafe: Conditional. See <a href="#usage_notes">Usage
notes</a>.<br>
<!-- iddvc RMBR -->
<br>
</div>
<p>The <strong>krb5_rd_req()</strong> function processes a Kerberos AP_REQ
message generated by the partner application. The authenticator is extracted,
validated, and stored in the authentication context. If the <em>server</em>
parameter is not <strong>NULL</strong> and no replay cache is associated with
the authentication context, the Kerberos protocol runtime creates a replay
cache and stores the cache handle in the authentication context.</p>
<br>
<h3>Parameters</h3>
<dl>
<dt><strong>context</strong>&nbsp;&nbsp;(Input)</dt>
<dd>The Kerberos context.<br>
<br>
</dd>
<dt><strong>auth_context</strong>&nbsp;&nbsp;(Input/Output)</dt>
<dd>The authentication context. A new authentication context is created and
returned in this parameter if the value is <strong>NULL</strong>.<br>
<br>
</dd>
<dt><strong>in_data</strong>&nbsp;&nbsp;(Input)</dt>
<dd>The buffer containing the AP_REQ message.<br>
<br>
</dd>
<dt><strong>server</strong>&nbsp;&nbsp;(Input)</dt>
<dd>The server name. The server principal in the AP_REQ must be the same as the
principal specified by this parameter. Specify <strong>NULL</strong> if any
server principal is acceptable.<br>
<br>
</dd>
<dt><strong>keytab</strong>&nbsp;&nbsp;(Input)</dt>
<dd>The key table that contains the server key. The default key table is used
if <strong>NULL</strong> is specified for this parameter.<br>
<br>
</dd>
<dt><strong>ap_req_options</strong>&nbsp;&nbsp;(Output)</dt>
<dd>The options from the AP_REQ message. Specify <strong>NULL</strong> for this
parameter if the options are not needed.<br>
<br>
</dd>
<dt><strong>ticket</strong>&nbsp;&nbsp;(Output)</dt>
<dd>The ticket from the AP_REQ message. Specify <strong>NULL</strong> for this
parameter if the ticket is not needed. The <strong>krb5_free_ticket()</strong>
routine should be called to release the ticket when it is no longer
needed.</dd>
</dl>
<br>
<h3>Return Value</h3>
<p>If no errors occur, the return value is 0. Otherwise, a Kerberos error code
is returned.</p>
<br>
<h3>Authorities</h3>
<p>No authorities are required.</p>
<br>
<h3>Error Messages</h3>
<table width="100%" cellpadding="5">
<tr>
<th align="left" valign="top">Message ID</th>
<th align="left" valign="top">Error Message Text</th>
</tr>
<tr>
<td width="15%" valign="top">CPE3418 E</td>
<td width="85%" valign="top">Possible APAR condition or hardware failure.</td>
</tr>
</table>
<br>
<br>
<h3><a name="usage_notes">Usage Notes</a></h3>
<ol>
<li>If the authentication context contains a keyblock, it is used to decrypt
the ticket in the AP_REQ message. This is useful for user-to-user
authentication. If the authentication context does not contain a keyblock, the
key table specified on the function call is used to obtain the decryption
key.<br>
<br>
</li>
<li>The client in the authenticator must match the client in the ticket. If the
remote address has been set in the authentication context, the request must
have come from that address. If a replay cache handle is stored in the
authentication context, the new authenticator is stored in the cache after
checking for replay.<br>
<br>
</li>
<li>If no errors are detected, the authenticator, subsession key, and remote
sequence number are stored in the authentication context. If
<strong>AP_OPTS_MUTUAL_REQUIRED</strong> (x'20000000') is specified in the
AP_REQ message, the local sequence number is XORed with the remote sequence
number.<br>
<br>
</li>
<li>The Kerberos protocol runtime provides no concurrency control for the
authentication context. If the application wants to use the same authentication
context in multiple threads, it is the responsibility of the application to
serialize access to the authentication context so that only a single thread is
accessing the authentication context at any time. Because message sequence
numbers are contained in the authentication context, this serialization needs
to be extended to encompass the message exchange between the two applications.
Otherwise, message sequence errors are liable to occur if the messages are
delivered out of sequence.</li>
</ol>
<br>
<hr>
API introduced: V5R1
<hr>
<center>
<table cellpadding="2" cellspacing="2">
<tr align="center">
<td valign="middle" align="center"><a href="#Top_Of_Page">Top</a> | <a href=
"sec.htm">Security APIs</a> <br>
<a href="unix.htm">UNIX-Type APIs</a> | <a href="aplist.htm">APIs by
category</a> </td>
</tr>
</table>
</center>
</body>
</html>