226 lines
6.4 KiB
HTML
226 lines
6.4 KiB
HTML
|
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||
|
<html>
|
||
|
<head>
|
||
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
|
||
|
<meta name="Copyright" content="Copyright (c) 2006 by IBM Corporation">
|
||
|
<title>krb5_mk_req()--Create Kerberos AP_REQ Message</title>
|
||
|
<!-- Begin Header Records -->
|
||
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
||
|
<!-- US Government Users Restricted Rights -->
|
||
|
<!-- Use, duplication or disclosure restricted by -->
|
||
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
||
|
<!-- Change History: -->
|
||
|
<!-- YYMMDD USERID Change description -->
|
||
|
<!-- Created by Kent Hofer for V5R1 -->
|
||
|
<!-- Edited by Kersten Jan 02 -->
|
||
|
<link rel="stylesheet" type="text/css" href="../rzahg/ic.css">
|
||
|
</head>
|
||
|
<body>
|
||
|
<!-- End Header Records -->
|
||
|
<!--Java sync-link-->
|
||
|
<script type="text/javascript" language="Javascript" src="../rzahg/synch.js">
|
||
|
</script>
|
||
|
|
||
|
<a name="Top_Of_Page"></a>
|
||
|
|
||
|
<h2>krb5_mk_req()--Create Kerberos AP_REQ Message</h2>
|
||
|
|
||
|
<div class="box" style="width: 70%;">
|
||
|
<br>
|
||
|
Syntax
|
||
|
|
||
|
<pre>
|
||
|
#include <krb5.h>
|
||
|
|
||
|
krb5_error_code krb5_mk_req(
|
||
|
krb5_context <em>context</em>,
|
||
|
krb5_auth_context * <em>auth_context</em>,
|
||
|
krb5_const krb5_flags <em>ap_req_options</em>,
|
||
|
char * <em>service</em>,
|
||
|
char * <em>hostname</em>,
|
||
|
krb5_data * <em>in_data</em>,
|
||
|
krb5_ccache <em>ccache</em>,
|
||
|
krb5_data * <em>out_data</em>);
|
||
|
</pre>
|
||
|
|
||
|
Service Program Name: QSYS/QKRBGSS<br>
|
||
|
<!-- iddvc RMBR -->
|
||
|
<br>
|
||
|
Default Public Authority: *USE<br>
|
||
|
<!-- iddvc RMBR -->
|
||
|
<br>
|
||
|
Threadsafe: Conditional. See <a href="#usage_notes">Usage
|
||
|
notes</a>.<br>
|
||
|
<!-- iddvc RMBR -->
|
||
|
<br>
|
||
|
</div>
|
||
|
|
||
|
|
||
|
<p>The <strong>krb5_mk_req()</strong> function creates a Kerberos AP_REQ
|
||
|
message. The checksum of the input data is included in the authenticator that
|
||
|
is part of the AP_REQ message. This message is then sent to the partner
|
||
|
application, which calls the <strong>krb5_rd_req()</strong> routine to extract
|
||
|
the application data after validating the authenticity of the message. The
|
||
|
checksum method set in the authentication context is used to generate the
|
||
|
checksum.</p>
|
||
|
|
||
|
<br>
|
||
|
<h3>Authorities</h3>
|
||
|
|
||
|
<p>No authorities are required.</p>
|
||
|
|
||
|
<br>
|
||
|
<h3>Parameters</h3>
|
||
|
|
||
|
<dl>
|
||
|
<dt><strong>context</strong> (Input)</dt>
|
||
|
|
||
|
<dd>The Kerberos context.<br>
|
||
|
<br>
|
||
|
</dd>
|
||
|
|
||
|
<dt><strong>auth_context</strong> (Input/Output)</dt>
|
||
|
|
||
|
<dd>The authentication context. A new authentication context is created and
|
||
|
returned in this parameter if the value is <strong>NULL</strong>.<br>
|
||
|
<br>
|
||
|
</dd>
|
||
|
|
||
|
<dt><strong>ap_req_options</strong> (Input)</dt>
|
||
|
|
||
|
<dd>The request options as follows:<br>
|
||
|
<br>
|
||
|
|
||
|
|
||
|
<table cellpadding="5">
|
||
|
<!-- cols="45 55" -->
|
||
|
<tr>
|
||
|
<td align="left" valign="top"><em>AP_OPTS_USE_SESSION_KEY</em>
|
||
|
(x'40000000')</td>
|
||
|
<td align="left" valign="top">Use session key instead of server key. The
|
||
|
credentials must include a ticket that is encrypted in the session key.</td>
|
||
|
</tr>
|
||
|
|
||
|
<tr>
|
||
|
<td align="left" valign="top" nowrap><em>AP_OPTS_MUTUAL_REQUIRED</em>
|
||
|
(x'20000000')</td>
|
||
|
<td align="left" valign="top">Mutual authentication required.</td>
|
||
|
</tr>
|
||
|
|
||
|
<tr>
|
||
|
<td align="left" valign="top"><em>AP_OPTS_USE_SUBKEY</em> (x'00000001')</td>
|
||
|
<td align="left" valign="top">Generate a subsession key from the current
|
||
|
session key obtained from the credentials.</td>
|
||
|
</tr>
|
||
|
</table>
|
||
|
|
||
|
<br>
|
||
|
</dd>
|
||
|
|
||
|
<dt><strong>service</strong> (Input)</dt>
|
||
|
|
||
|
<dd>The name of the service.<br>
|
||
|
<br>
|
||
|
</dd>
|
||
|
|
||
|
<dt><strong>hostname</strong> (Input)</dt>
|
||
|
|
||
|
<dd>The host name that identifies the desired service instance.<br>
|
||
|
<br>
|
||
|
</dd>
|
||
|
|
||
|
<dt><strong>in_data</strong> (Input)</dt>
|
||
|
|
||
|
<dd>The application data's checksum that is to be included in the
|
||
|
authenticator. Specify <strong>NULL</strong> for this parameter if no checksum
|
||
|
is to be included in the authenticator.<br>
|
||
|
<br>
|
||
|
</dd>
|
||
|
|
||
|
<dt><strong>ccache</strong> (Input)</dt>
|
||
|
|
||
|
<dd>The credentials cache that is to be used to obtain credentials to the
|
||
|
desired service.<br>
|
||
|
<br>
|
||
|
</dd>
|
||
|
|
||
|
<dt><strong>out_data</strong> (Output)</dt>
|
||
|
|
||
|
<dd>The AP_REQ message. The <strong>krb5_free_data_contents()</strong> routine
|
||
|
should be called to release the storage pointed to by the <em>data</em> field
|
||
|
of the krb5_data structure when it is no longer needed.</dd>
|
||
|
</dl>
|
||
|
|
||
|
<br>
|
||
|
|
||
|
|
||
|
<h3>Return Value</h3>
|
||
|
|
||
|
<p>If no errors occur, the return value is 0. Otherwise, a Kerberos error code
|
||
|
is returned.</p>
|
||
|
|
||
|
<br>
|
||
|
|
||
|
|
||
|
<h3>Error Messages</h3>
|
||
|
|
||
|
<table width="100%" cellpadding="5">
|
||
|
<!-- cols="15 85" -->
|
||
|
<tr>
|
||
|
<th align="left" valign="top">Message ID</th>
|
||
|
<th align="left" valign="top">Error Message Text</th>
|
||
|
</tr>
|
||
|
|
||
|
<tr>
|
||
|
<td width="15%" valign="top">CPE3418 E</td>
|
||
|
<td width="85%" valign="top">Possible APAR condition or hardware failure.</td>
|
||
|
</tr>
|
||
|
</table>
|
||
|
|
||
|
<br>
|
||
|
<br>
|
||
|
|
||
|
|
||
|
<h3><a name="usage_notes">Usage Notes</a></h3>
|
||
|
|
||
|
<ol>
|
||
|
<li>The <strong>krb5_sname_to_principal()</strong> routine is called to convert
|
||
|
the <em>service</em> and <em>hostname</em> parameters to a Kerberos principal.
|
||
|
The <strong>krb5_get_host_realm()</strong> routine is called to convert the
|
||
|
<em>hostname</em> parameter to a Kerberos realm. If the credentials cache does
|
||
|
not already contain a service ticket for the target server, the Kerberos
|
||
|
protocol runtime issues a default TGS request to obtain the credentials and
|
||
|
store them in the cache.<br>
|
||
|
<br>
|
||
|
</li>
|
||
|
|
||
|
<li>The Kerberos protocol runtime provides no concurrency control for the
|
||
|
authentication context. If the application wants to use the same authentication
|
||
|
context in multiple threads, it is the responsibility of the application to
|
||
|
serialize access to the authentication context so that only a single thread is
|
||
|
accessing the authentication context at any time. Because message sequence
|
||
|
numbers are contained in the authentication context, this serialization needs
|
||
|
to be extended to encompass the message exchange between the two applications.
|
||
|
Otherwise, message sequence errors are liable to occur if the messages are
|
||
|
delivered out of sequence.</li>
|
||
|
</ol>
|
||
|
|
||
|
<br>
|
||
|
<hr>
|
||
|
API introduced: V5R1
|
||
|
|
||
|
<hr>
|
||
|
<center>
|
||
|
<table cellpadding="2" cellspacing="2">
|
||
|
<tr align="center">
|
||
|
<td valign="middle" align="center"><a href="#Top_Of_Page">Top</a> | <a href=
|
||
|
"sec.htm">Security APIs</a> <br>
|
||
|
<a href="unix.htm">UNIX-Type APIs</a> | <a href="aplist.htm">APIs by
|
||
|
category</a> </td>
|
||
|
</tr>
|
||
|
</table>
|
||
|
</center>
|
||
|
</body>
|
||
|
</html>
|
||
|
|