<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Copyright" content="Copyright (c) 2006 by IBM Corporation">
<title>krb5_mk_req()--Create Kerberos AP_REQ Message</title>
<!-- Begin Header Records -->
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<!-- Change History: -->
<!-- YYMMDD USERID Change description -->
<!-- Created by Kent Hofer for V5R1 -->
<!-- Edited by Kersten Jan 02 -->
<link rel="stylesheet" type="text/css" href="../rzahg/ic.css">
</head>
<body>
<!-- End Header Records -->
<!--Java sync-link-->
<script type="text/javascript" language="Javascript" src="../rzahg/synch.js">
</script>
<a name="Top_Of_Page"></a>
<h2>krb5_mk_req()--Create Kerberos AP_REQ Message</h2>
<div class="box" style="width: 70%;">
<br>
&nbsp;&nbsp;Syntax
<pre>
#include &lt;krb5.h&gt;
krb5_error_code krb5_mk_req(
krb5_context <em>context</em>,
krb5_auth_context * <em>auth_context</em>,
krb5_const krb5_flags <em>ap_req_options</em>,
char * <em>service</em>,
char * <em>hostname</em>,
krb5_data * <em>in_data</em>,
krb5_ccache <em>ccache</em>,
krb5_data * <em>out_data</em>);
</pre>
&nbsp;&nbsp;Service Program Name: QSYS/QKRBGSS<br>
<!-- iddvc RMBR -->
<br>
&nbsp;&nbsp;Default Public Authority: *USE<br>
<!-- iddvc RMBR -->
<br>
&nbsp;&nbsp;Threadsafe: Conditional. See <a href="#usage_notes">Usage
notes</a>.<br>
<!-- iddvc RMBR -->
<br>
</div>
<p>The <strong>krb5_mk_req()</strong> function creates a Kerberos AP_REQ
message. The checksum of the input data is included in the authenticator that
is part of the AP_REQ message. This message is then sent to the partner
application, which calls the <strong>krb5_rd_req()</strong> routine to extract
the application data after validating the authenticity of the message. The
checksum method set in the authentication context is used to generate the
checksum.</p>
<br>
<h3>Authorities</h3>
<p>No authorities are required.</p>
<br>
<h3>Parameters</h3>
<dl>
<dt><strong>context</strong>&nbsp;&nbsp;(Input)</dt>
<dd>The Kerberos context.<br>
<br>
</dd>
<dt><strong>auth_context</strong>&nbsp;&nbsp;(Input/Output)</dt>
<dd>The authentication context. A new authentication context is created and
returned in this parameter if the value is <strong>NULL</strong>.<br>
<br>
</dd>
<dt><strong>ap_req_options</strong>&nbsp;&nbsp;(Input)</dt>
<dd>The request options as follows:<br>
<br>
<table cellpadding="5">
<!-- cols="45 55" -->
<tr>
<td align="left" valign="top"><em>AP_OPTS_USE_SESSION_KEY</em>
(x'40000000')</td>
<td align="left" valign="top">Use session key instead of server key. The
credentials must include a ticket that is encrypted in the session key.</td>
</tr>
<tr>
<td align="left" valign="top" nowrap><em>AP_OPTS_MUTUAL_REQUIRED</em>
(x'20000000')</td>
<td align="left" valign="top">Mutual authentication required.</td>
</tr>
<tr>
<td align="left" valign="top"><em>AP_OPTS_USE_SUBKEY</em> (x'00000001')</td>
<td align="left" valign="top">Generate a subsession key from the current
session key obtained from the credentials.</td>
</tr>
</table>
<br>
</dd>
<dt><strong>service</strong>&nbsp;&nbsp;(Input)</dt>
<dd>The name of the service.<br>
<br>
</dd>
<dt><strong>hostname</strong>&nbsp;&nbsp;(Input)</dt>
<dd>The host name that identifies the desired service instance.<br>
<br>
</dd>
<dt><strong>in_data</strong>&nbsp;&nbsp;(Input)</dt>
<dd>The application data whose checksum is to be included in the
authenticator. Specify <strong>NULL</strong> for this parameter if no checksum
is to be included in the authenticator.<br>
<br>
</dd>
<dt><strong>ccache</strong>&nbsp;&nbsp;(Input)</dt>
<dd>The credentials cache that is to be used to obtain credentials to the
desired service.<br>
<br>
</dd>
<dt><strong>out_data</strong>&nbsp;&nbsp;(Output)</dt>
<dd>The AP_REQ message. The <strong>krb5_free_data_contents()</strong> routine
should be called to release the storage pointed to by the <em>data</em> field
of the krb5_data structure when it is no longer needed.</dd>
</dl>
<br>
<h3>Return Value</h3>
<p>If no errors occur, the return value is 0. Otherwise, a Kerberos error code
is returned.</p>
<br>
<h3>Error Messages</h3>
<table width="100%" cellpadding="5">
<!-- cols="15 85" -->
<tr>
<th align="left" valign="top">Message ID</th>
<th align="left" valign="top">Error Message Text</th>
</tr>
<tr>
<td width="15%" valign="top">CPE3418 E</td>
<td width="85%" valign="top">Possible APAR condition or hardware failure.</td>
</tr>
</table>
<br>
<br>
<h3><a name="usage_notes">Usage Notes</a></h3>
<ol>
<li>The <strong>krb5_sname_to_principal()</strong> routine is called to convert
the <em>service</em> and <em>hostname</em> parameters to a Kerberos principal.
The <strong>krb5_get_host_realm()</strong> routine is called to convert the
<em>hostname</em> parameter to a Kerberos realm. If the credentials cache does
not already contain a service ticket for the target server, the Kerberos
protocol runtime issues a default TGS request to obtain the credentials and
store them in the cache.<br>
<br>
</li>
<li>The Kerberos protocol runtime provides no concurrency control for the
authentication context. If the application wants to use the same authentication
context in multiple threads, it is the responsibility of the application to
serialize access to the authentication context so that only a single thread is
accessing the authentication context at any time. Because message sequence
numbers are contained in the authentication context, this serialization needs
to be extended to encompass the message exchange between the two applications.
Otherwise, message sequence errors are liable to occur if the messages are
delivered out of sequence.</li>
</ol>
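<p>The serialization described in usage note 2, as an added example that is not IBM's code and does not call the Kerberos runtime. The <code>demo_channel</code> structure and all function names are hypothetical stand-ins: a counter represents the sequence number held in the authentication context, and a second counter represents the partner application's expected sequence number.</p>

```c
#include <pthread.h>

/* Hypothetical stand-in for one shared auth context and its partner. */
struct demo_channel {
    pthread_mutex_t lock;                  /* owned by the application */
    unsigned int local_seq, peer_expected; /* context counter; partner's next */
    unsigned int out_of_order, received, per_thread;
};

/* The lock spans building the message and delivering it, so no thread can
 * take a later sequence number and reach the partner first. */
static void send_serialized(struct demo_channel *ch)
{
    pthread_mutex_lock(&ch->lock);
    unsigned int seq = ch->local_seq++;   /* stands in for the krb5 call */
    if (seq != ch->peer_expected)         /* stands in for send + receive */
        ch->out_of_order++;
    ch->peer_expected = seq + 1;
    ch->received++;
    pthread_mutex_unlock(&ch->lock);
}

static void *worker(void *arg)
{
    struct demo_channel *ch = arg;
    for (unsigned int i = 0; i < ch->per_thread; i++)
        send_serialized(ch);
    return NULL;
}

/* Returns the number of out-of-sequence deliveries, or -1 on thread failure. */
int run_exchange(unsigned int nthreads, unsigned int per_thread)
{
    struct demo_channel ch = { .per_thread = per_thread };
    pthread_t tid[16];
    unsigned int started = 0;
    pthread_mutex_init(&ch.lock, NULL);
    while (started < nthreads && started < 16 &&
           pthread_create(&tid[started], NULL, worker, &ch) == 0)
        started++;
    for (unsigned int i = 0; i < started; i++)
        pthread_join(tid[i], NULL);
    pthread_mutex_destroy(&ch.lock);
    if (ch.received != nthreads * per_thread)
        return -1;                        /* not every thread ran */
    return (int)ch.out_of_order;
}
int main(void) { return run_exchange(4, 1000) != 0; }
```

<p>If the lock were released between taking the sequence number and delivering the message, two threads could deliver in the opposite order from the one in which they took their numbers, which is the sequence error the usage note describes.</p>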
<br>
<hr>
API introduced: V5R1
<hr>
</body>
</html>