71 lines
5.2 KiB
HTML
71 lines
5.2 KiB
HTML
|
<?xml version="1.0" encoding="UTF-8"?>
|
||
|
<!DOCTYPE html
|
||
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
||
|
<html lang="en-us" xml:lang="en-us">
|
||
|
<head>
|
||
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
||
|
<meta name="security" content="public" />
|
||
|
<meta name="Robots" content="index,follow" />
|
||
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
||
|
<meta name="DC.Type" content="concept" />
|
||
|
<meta name="DC.Title" content="Principals and credentials" />
|
||
|
<meta name="abstract" content="The identity under which an application engages in JGSS secure communication with a peer is called a principal. A principal may be a real user or an unattended service. A principal acquires security mechanism-specific credentials as proof of identity under that mechanism." />
|
||
|
<meta name="description" content="The identity under which an application engages in JGSS secure communication with a peer is called a principal. A principal may be a real user or an unattended service. A principal acquires security mechanism-specific credentials as proof of identity under that mechanism." />
|
||
|
<meta name="DC.Relation" scheme="URI" content="rzahajgssconcept.htm" />
|
||
|
<meta name="DC.Relation" scheme="URI" content="rzahajgssklst.htm" />
|
||
|
<meta name="DC.Relation" scheme="URI" content="rzahajgssknit.htm" />
|
||
|
<meta name="DC.Relation" scheme="URI" content="rzahajgssktab.htm" />
|
||
|
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
|
||
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
|
||
|
<meta name="DC.Format" content="XHTML" />
|
||
|
<meta name="DC.Identifier" content="rzahajgssconcept10" />
|
||
|
<meta name="DC.Language" content="en-us" />
|
||
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
||
|
<!-- US Government Users Restricted Rights -->
|
||
|
<!-- Use, duplication or disclosure restricted by -->
|
||
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
||
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
||
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
||
|
<title>Principals and credentials</title>
|
||
|
</head>
|
||
|
<body id="rzahajgssconcept10"><a name="rzahajgssconcept10"><!-- --></a>
|
||
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
||
|
<h1 class="topictitle1">Principals and credentials</h1>
|
||
|
<div><p>The identity under which an application engages in JGSS secure
|
||
|
communication with a peer is called a principal. A principal may be a real
|
||
|
user or an unattended service. A principal acquires security mechanism-specific
|
||
|
credentials as proof of identity under that mechanism.</p>
|
||
|
<p>For example, when using the Kerberos mechanism, a principal's credential
|
||
|
is in the form of a ticket-granting ticket (TGT) issued by a Kerberos key
|
||
|
distribution center (KDC). In a multi-mechanism environment, a GSS-API credential
|
||
|
can contain multiple credential elements, each element representing an underlying
|
||
|
mechanism credential. </p>
|
||
|
<p> The GSS-API standard does not prescribe how a principal acquires credentials,
|
||
|
and GSS-API implementations typically do not provide a means for credential
|
||
|
acquisition. A principal obtains credentials before using GSS-API; GSS-API
|
||
|
merely queries the security mechanism for credentials on behalf of the principal. </p>
|
||
|
<p> IBM<sup>®</sup> JGSS
|
||
|
includes Java™ versions of Kerberos credential management tools <a href="rzahajgssknit.htm#rzahajgssknit">com.ibm.security.krb5.internal.tools Class Kinit</a>, <a href="rzahajgssktab.htm#rzahajgssktab">com.ibm.security.krb5.internal.tools Class Ktab</a>, and <a href="rzahajgssklst.htm#klsttest">com.ibm.security.krb5.internal.tools Class Klist</a>. Additionally, IBM JGSS enhances the standard GSS-API by
|
||
|
providing an optional Kerberos login interface that uses JAAS. The pure Java JGSS
|
||
|
provider supports the optional login interface; the native iSeries™ provider
|
||
|
does not. For more information, see the following topics:</p>
|
||
|
<ul><li><a href="rzahajgssusejaas.htm">Obtaining Kerberos credentials</a></li>
|
||
|
<li><a href="rzahajgsscfg15.htm">JGSS providers</a></li>
|
||
|
</ul>
|
||
|
</div>
|
||
|
<div>
|
||
|
<ul class="ullinks">
|
||
|
<li class="ulchildlink"><strong><a href="rzahajgssklst.htm">com.ibm.security.krb5.internal.tools Class Klist</a></strong><br />
|
||
|
This class can execute as a command-line tool to list entries in credential cache and key tab.</li>
|
||
|
<li class="ulchildlink"><strong><a href="rzahajgssknit.htm">com.ibm.security.krb5.internal.tools Class Kinit</a></strong><br />
|
||
|
Kinit tool for obtaining Kerberos v5 tickets.</li>
|
||
|
<li class="ulchildlink"><strong><a href="rzahajgssktab.htm">com.ibm.security.krb5.internal.tools Class Ktab</a></strong><br />
|
||
|
This class can execute as a command-line tool to help the user manage entires in the key table. Available functions include list/add/update/delete service key(s).</li>
|
||
|
</ul>
|
||
|
|
||
|
<div class="familylinks">
|
||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzahajgssconcept.htm" title="JGSS operations consist of four distinct stages, as standardized by the Generic Security Service Application Programming Interface (GSS-API).">JGSS concepts</a></div>
|
||
|
</div>
|
||
|
</div>
|
||
|
</body>
|
||
|
</html>
|