332 lines
8.9 KiB
HTML
332 lines
8.9 KiB
HTML
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
|
<html>
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
|
|
<meta name="Copyright" content="Copyright (c) 2006 by IBM Corporation">
|
|
<title>gss_acquire_cred()--Acquire GSS Credential</title>
|
|
<!-- Begin Header Records -->
|
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
|
<!-- US Government Users Restricted Rights -->
|
|
<!-- Use, duplication or disclosure restricted by -->
|
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
|
<!-- Change History: -->
|
|
<!-- Edited by Kersten Jan 02 -->
|
|
<!-- Created by Kent Hofer for V5R1 -->
|
|
<link rel="stylesheet" type="text/css" href="../rzahg/ic.css">
|
|
</head>
|
|
<body>
|
|
<!-- End Header Records -->
|
|
<!--Java sync-link-->
|
|
<script type="text/javascript" language="Javascript" src="../rzahg/synch.js">
|
|
</script>
|
|
|
|
<a name="Top_Of_Page"></a>
|
|
|
|
<h2>gss_acquire_cred()--Acquire GSS Credential</h2>
|
|
|
|
<div class="box" style="width: 80%;">
|
|
<br>
|
|
Syntax
|
|
|
|
<pre>
|
|
#include <gssapi.h>
|
|
|
|
OM_uint32 gss_acquire_cred(
|
|
OM_uint32 * <em>minor_status</em>,
|
|
gss_name_t <em>desired_name</em>,
|
|
OM_uint32 <em>time_req</em>,
|
|
gss_OID_set <em>desired_mechs</em>,
|
|
gss_cred_usage_t <em>cred_usage</em>,
|
|
gss_cred_id_t * <em>output_cred_handle</em>,
|
|
gss_OID_set * <em>actual_mechs</em>,
|
|
OM_uint32 * <em>time_rec</em>);
|
|
</pre>
|
|
|
|
Service Program Name: QSYS/QKRBGSS <br>
|
|
<!-- iddvc RMBR -->
|
|
<br>
|
|
Default public authority: *USE <br>
|
|
<!-- iddvc RMBR -->
|
|
<br>
|
|
Threadsafe: Yes<br>
|
|
<!-- iddvc RMBR -->
|
|
<br>
|
|
</div>
|
|
|
|
|
|
|
|
|
|
|
|
<p>The <strong>gss_acquire_cred()</strong> function allows an application to
|
|
acquire a GSS credential. The application can then use the credential with the
|
|
<strong>gss_init_sec_context()</strong> and
|
|
<strong>gss_accept_sec_context()</strong> routines.</p>
|
|
|
|
<br>
|
|
|
|
|
|
<h3>Parameters</h3>
|
|
|
|
<dl>
|
|
<dt><strong>minor_status</strong> (Output)</dt>
|
|
|
|
<dd>A status code from the security mechanism.<br>
|
|
<br>
|
|
</dd>
|
|
|
|
<dt><strong>desired_name</strong> (Input)</dt>
|
|
|
|
<dd>The principal name to be used for the credential. Specify
|
|
<strong>GSS_C_NO_NAME</strong> for this parameter to use the name obtained from
|
|
the default login context.<br>
|
|
<br>
|
|
</dd>
|
|
|
|
<dt><strong>time_req</strong> (Input)</dt>
|
|
|
|
<dd>The number of seconds that the credential remains valid. Specify
|
|
<strong>GSS_C_INDEFINITE</strong> to request the maximum credential lifetime.
|
|
Specify zero for the default lifetime of 2 hours. The actual credential
|
|
lifetime is limited by the lifetime of the underlying ticket-granting ticket
|
|
for <strong>GSS_C_INITIATE</strong> and <strong>GSS_C_BOTH</strong>
|
|
credentials.<br>
|
|
<br>
|
|
</dd>
|
|
|
|
<dt><strong>desired_mechs</strong> (Input)</dt>
|
|
|
|
<dd>The desired security mechanisms for use with the credential. Mechanisms
|
|
that are not available on the local system are ignored. The actual mechanisms
|
|
that can be used with the credential are returned in the <em>actual_mechs</em>
|
|
parameter. Specify <strong>GSS_C_NO_OID_SET</strong> for this parameter to use
|
|
the default mechanism of <strong>gss_mech_krb5</strong>.<br>
|
|
<br>
|
|
|
|
|
|
<p>The following security mechanisms are supported:</p>
|
|
|
|
<table cellpadding="5">
|
|
<!-- cols="15 85" -->
|
|
<tr>
|
|
<td align="left" valign="top"><em>gss_mech_krb5_old</em></td>
|
|
<td align="left" valign="top">Beta Kerberos V5 mechanism</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td align="left" valign="top"><em>gss_mech_krb5</em></td>
|
|
<td align="left" valign="top">Kerberos V5 mechanism</td>
|
|
</tr>
|
|
</table>
|
|
|
|
<br>
|
|
<br>
|
|
</dd>
|
|
|
|
<dt><strong>cred_usage</strong> (Input)</dt>
|
|
|
|
<dd>The desired credential usage as follows:<br>
|
|
<br>
|
|
<table cellpadding="5">
|
|
<!-- cols="15 85" -->
|
|
<tr>
|
|
<td align="left" valign="top"><em>GSS_C_ACCEPT</em></td>
|
|
<td align="left" valign="top">The credential can be used only to accept
|
|
security contexts.</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td align="left" valign="top"><em>GSS_C_BOTH</em></td>
|
|
<td align="left" valign="top">The credential can be used to both initiate and
|
|
accept security contexts.</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td align="left" valign="top"><em>GSS_C_INITIATE</em></td>
|
|
<td align="left" valign="top">The credential can be used only to initiate
|
|
security contexts.</td>
|
|
</tr>
|
|
</table>
|
|
|
|
<br>
|
|
<br>
|
|
</dd>
|
|
|
|
<dt><strong>output_cred_handle</strong> (Output)</dt>
|
|
|
|
<dd>The handle for the GSS credential.<br>
|
|
<br>
|
|
</dd>
|
|
|
|
<dt><strong>actual_mechs</strong> (Output)</dt>
|
|
|
|
<dd>The set of mechanism identifiers for which the credential is valid. If the
|
|
actual mechanisms are not required, specify <strong>NULL</strong> for this
|
|
parameter. The gss_OID_set returned for this parameter should be released by
|
|
calling the <strong>gss_release_oid_set()</strong> routine when it is no longer
|
|
needed.<br>
|
|
<br>
|
|
</dd>
|
|
|
|
<dt><strong>time_rec</strong> (Output)</dt>
|
|
|
|
<dd>The number of seconds for which the credential will remain valid. If the
|
|
time remaining is not required, specify <strong>NULL</strong> for this
|
|
parameter.</dd>
|
|
</dl>
|
|
|
|
<br>
|
|
|
|
|
|
<h3>Return Value</h3>
|
|
|
|
<p>The return value is one of the following status codes:</p>
|
|
|
|
<dl>
|
|
<dt><strong>GSS_S_BAD_MECH</strong></dt>
|
|
|
|
<dd>None of the requested mechanisms are supported by the local system.<br>
|
|
<br>
|
|
</dd>
|
|
|
|
<dt><strong>GSS_S_BAD_NAME</strong></dt>
|
|
|
|
<dd>The name specified for the <em>desired_name</em> parameter is not
|
|
valid.<br>
|
|
<br>
|
|
</dd>
|
|
|
|
<dt><strong>GSS_S_BAD_NAMETYPE</strong></dt>
|
|
|
|
<dd>The name specified for the <em>desired_name</em> parameter is not supported
|
|
by the applicable underlying GSS mechanisms.<br>
|
|
<br>
|
|
</dd>
|
|
|
|
<dt><strong>GSS_S_COMPLETE</strong></dt>
|
|
|
|
<dd>The routine completed successfully.<br>
|
|
<br>
|
|
</dd>
|
|
|
|
<dt><strong>GSS_S_FAILURE</strong></dt>
|
|
|
|
<dd>The routine failed for reasons that are not defined at the GSS level. The
|
|
<em>minor_status</em> return parameter contains a mechanism-dependent error
|
|
code describing the reason for the failure.<br>
|
|
<br>
|
|
</dd>
|
|
|
|
<dt><strong>GSS_S_NO_CRED</strong></dt>
|
|
|
|
<dd>No credentials are available or the credentials are valid for context
|
|
initiation use only.</dd>
|
|
</dl>
|
|
|
|
<br>
|
|
|
|
|
|
<h3>Authorities</h3>
|
|
|
|
<br>
|
|
<table border width="80%">
|
|
<tr>
|
|
<th align="left" valign="bottom">Object Referred to</th>
|
|
<th align="center" valign="bottom">Data Authority Required</th>
|
|
</tr>
|
|
<tr>
|
|
<td align="left" valign="top">Each directory in the path name preceding the
|
|
configuration file</td>
|
|
<td align="center" valign="top">*X</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td align="left" valign="top">Configuration file</td>
|
|
<td align="center" valign="top">*R</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td align="left" valign="top">Each directory preceding the credential cache
|
|
file if <strong>GSS_C_INITIATE</strong> or <strong>GSS_C_BOTH</strong> is
|
|
specified for credential usage</td>
|
|
<td align="center" valign="top">*X</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td align="left" valign="top">Credential cache file</td>
|
|
<td align="center" valign="top">*RW</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td align="left" valign="top">Each directory preceding the keytab file if
|
|
<strong>GSS_C_ACCEPT</strong> or <strong>GSS_C_BOTH</strong> is specified for
|
|
credential usage</td>
|
|
<td align="center" valign="top">*X</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td align="left" valign="top">Keytab file</td>
|
|
<td align="center" valign="top">*R</td>
|
|
</tr>
|
|
</table>
|
|
|
|
<br>
|
|
|
|
|
|
<h3>Error Messages</h3>
|
|
|
|
<table width="100%" cellpadding="5">
|
|
<!-- cols="15 85" -->
|
|
<tr>
|
|
<th align="left" valign="top">Message ID</th>
|
|
<th align="left" valign="top">Error Message Text</th>
|
|
</tr>
|
|
<tr>
|
|
<td width="15%" valign="top">CPE3418 E</td>
|
|
<td width="85%" valign="top">Possible APAR condition or hardware failure.</td>
|
|
</tr>
|
|
</table>
|
|
|
|
<br>
|
|
|
|
|
|
<h3>Usage Notes</h3>
|
|
|
|
<ol>
|
|
<li>If <strong>GSS_C_INITIATE</strong> or <strong>GSS_C_BOTH</strong> is
|
|
specified for the credential usage, the application must have a valid
|
|
ticket-granting ticket in the default credentials cache and the ticket must not
|
|
expire for at least 10 minutes. The <strong>gss_acquire_cred()</strong> routine
|
|
uses this ticket-granting ticket to create the GSS credential. The principal
|
|
specified by the <em>desired_name</em> parameter must match the principal
|
|
obtained from the credentials cache or must be specified as
|
|
<strong>GSS_C_NO_NAME</strong>. The <strong>KRB5CCNAME</strong> environment
|
|
variable is used to identify the credentials cache used by the Kerberos
|
|
security mechanism.<br>
|
|
<br>
|
|
</li>
|
|
|
|
<li>If <strong>GSS_C_ACCEPT</strong> or <strong>GSS_C_BOTH</strong> is
|
|
specified for the credential usage, the principal specified by the
|
|
<em>desired_name</em> parameter must be defined in a key table. The
|
|
<strong>KRB5_KTNAME</strong> environment variable can be used to set the key
|
|
table used by the Kerberos security mechanism.</li>
|
|
</ol>
|
|
|
|
<br>
|
|
<hr>
|
|
API introduced: V5R1
|
|
|
|
<hr>
|
|
<center>
|
|
<table cellpadding="2" cellspacing="2">
|
|
<tr align="center">
|
|
<td valign="middle" align="center"><a href="#Top_Of_Page">Top</a> |
|
|
<a href="sec.htm">Security APIs</a> <br><a href="unix.htm">UNIX-Type APIs</a> |
|
|
<a href="aplist.htm">APIs by category</a> </td>
|
|
</tr>
|
|
</table>
|
|
</center>
|
|
</body>
|
|
</html>
|
|
|