Principals and credentials

The identity under which an application engages in JGSS secure communication with a peer is called a principal. A principal may be a real user or an unattended service. A principal acquires security mechanism-specific credentials as proof of identity under that mechanism.

For example, when using the Kerberos mechanism, a principal's credential is in the form of a ticket-granting ticket (TGT) issued by a Kerberos key distribution center (KDC). In a multi-mechanism environment, a GSS-API credential can contain multiple credential elements, each element representing an underlying mechanism credential.

The GSS-API standard does not prescribe how a principal acquires credentials, and GSS-API implementations typically do not provide a means for credential acquisition. A principal obtains credentials before using GSS-API; GSS-API merely queries the security mechanism for credentials on behalf of the principal.

IBM® JGSS includes Java™ versions of the Kerberos credential management tools Kinit, Ktab, and Klist (the classes Kinit, Ktab, and Klist in the com.ibm.security.krb5.internal.tools package). Additionally, IBM JGSS enhances the standard GSS-API by providing an optional Kerberos login interface that uses JAAS. The pure Java JGSS provider supports the optional login interface; the native iSeries™ provider does not. For more information, see the following topics:
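The sequence described above, as an added example that is not part of the IBM documentation: the principal first obtains its Kerberos TGT outside GSS-API (here through the optional JAAS Kerberos login interface), and only then does JGSS query the Kerberos mechanism for that credential on the principal's behalf. The JAAS entry name `JGSSClient`, its login module class, and the principal name are assumptions for this example.

```java
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

public class AcquireKerberosCredential {
    // Assumed JAAS login configuration entry (supplied via -Djava.security.auth.login.config):
    //   JGSSClient {
    //       com.ibm.security.auth.module.Krb5LoginModule required useDefaultCcache=true;
    //   };
    // The entry name and module class are assumptions for this example.
    private static final String JAAS_ENTRY = "JGSSClient";

    // Kerberos V5 mechanism OID (RFC 1964).
    private static final String KRB5_MECH_OID = "1.2.840.113554.1.2.2";

    public static void main(String[] args) throws Exception {
        // Step 1: credential acquisition happens before GSS-API is used.
        // The JAAS login obtains the principal's TGT and places it in the Subject.
        LoginContext lc = new LoginContext(JAAS_ENTRY);
        lc.login();
        Subject subject = lc.getSubject();

        // Step 2: GSS-API does not acquire credentials; it queries the mechanism for the
        // credentials the principal already holds, so run under the logged-in Subject.
        // A null name means "the default principal", i.e. the one that just logged in.
        GSSCredential cred = Subject.doAs(subject, (PrivilegedExceptionAction<GSSCredential>) () -> {
            GSSManager manager = GSSManager.getInstance();
            Oid krb5 = new Oid(KRB5_MECH_OID);
            return manager.createCredential(null, GSSCredential.DEFAULT_LIFETIME,
                    krb5, GSSCredential.INITIATE_ONLY);
        });

        // Step 3: a GSS-API credential holds one element per underlying mechanism;
        // list them with their remaining lifetimes so an operator can spot a TGT
        // that is about to expire before a context is ever initiated.
        System.out.println("principal: " + cred.getName());
        for (Oid mech : cred.getMechs()) {
            System.out.println("  mechanism " + mech
                    + ", remaining initiator lifetime (s): " + cred.getRemainingInitLifetime(mech));
        }

        // Release the credential handle and the JAAS session when done.
        cred.dispose();
        lc.logout();
    }
}
```

With the native iSeries provider the JAAS login step is not available, so the TGT must already be present in the credential cache (for example via the Kinit tool) before `createCredential` is called.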