 libgss(4)                                                         libgss(4)

 NAME
      libgss - shared library for GSSAPI (Generic Security Service
      Application Programming Interface)

 SYNOPSIS


 DESCRIPTION
      libgss is a shared library that contains all the GSSAPI routines
      defined in RFC 2743, implemented as the C-language interfaces
      defined in RFC 2744, Generic Security Service API Version 2 :
      C-bindings.

      GSSAPI provides security services to applications independently of
      the underlying security mechanism.  The services include
      authentication, integrity and/or confidentiality.  GSSAPI represents
      a secure association between two peers with a data structure called
      a security context.  The tokens that build and use a context are
      opaque to the caller, and the caller is responsible for transferring
      them between the peers; GSSAPI itself is independent of the
      underlying communication protocol.

      The application that establishes the secure connection is called the
      context initiator or simply initiator.  The application that accepts
      the secure connection is the context acceptor or simply acceptor.

      An application developer who uses the GSSAPI C-binding interfaces
      links the application with libgss.sl.  The underlying security
      mechanism is specified at runtime in a configuration file called
      /etc/gss/mech, and the library dynamically loads the corresponding
      mechanism-specific shared library (for example, libgssapi_krb5.sl in
      the case of Kerberos) from the path specified in the configuration
      file.

      The /etc/gss/mech file has the following format (one mechanism per
      line, three whitespace-separated columns):

      first column   contains the name of the backend security mechanism
                     that supports GSSAPI.

      second column  contains the mechanism's object identifier (OID) in
                     dotted-decimal form.

      third column   contains the file name of the shared library that
                     implements the backend security mechanism for GSSAPI.
                     (The backend library has to be placed in the
                     /usr/lib/gss directory for 32-bit applications and in
                     /usr/lib/pa20_64/gss for 64-bit applications.)

      The default path of the mechanism file (/etc/gss/mech) can be changed
      with the GSSAPI_MECH_CONF environment variable.  Because this file
      names the code that libgss.sl loads into every calling process, the
      file and the mechanism library directories should be writable only
      by root, and a program that runs with privilege should not accept a
      GSSAPI_MECH_CONF value inherited from an untrusted environment.

      Example /etc/gss/mech file
       # Mechanism Name      Object Identifier      Shared Library
       krb5_mech             1.2.840.113554.1.2.2   libgssapi_krb5.sl

 Hewlett-Packard Company            - 1 -   HP-UX 11i Version 2: August 2003

      Besides this configuration file, there are two other configuration
      files /etc/gss/qop and /etc/gss/gsscred.conf, which can be used in
      association with libgss.sl.

      The /etc/gss/qop file contains information about the GSSAPI quality
      of protection (QOP) values for each underlying security mechanism.
      The /etc/gss/qop file has the following format:

      first column   specifies the string name of the QOP.

      second column  contains its QOP value (a 32-bit integer).

      third column   contains the name of the security mechanism.

      Example /etc/gss/qop file
       # QOP string                 QOP Value       Mechanism Name
       GSS_KRB5_INTEG_C_QOP_DES_MD5 0               kerberos_v5
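      A strict reader for the /etc/gss/mech and /etc/gss/qop formats
      described above, as an added example (it is not part of libgss or of
      this man page).  It accepts exactly the three-column, '#'-commented
      layout of the two sample files.  The mech_entry and qop_entry
      structures, the field size limits and the rule that the library
      column must be a bare *.sl file name (libgss loads it from its fixed
      mechanism directory, so a path component there is a misconfiguration
      worth refusing) are this example's own choices; the lines in main are
      constructed for the demonstration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct mech_entry { char name[64]; char oid[128]; char lib[128]; };
struct qop_entry  { char name[64]; uint32_t value; char mech[64]; };

/* Strip a '#' comment and split on whitespace into at most three fields.
 * Returns the field count (0 for a blank or comment-only line), -1 if more. */
static int split3(char *line, char *f[3])
{
    char *hash = strchr(line, '#');
    int n = 0;
    if (hash) *hash = '\0';
    for (char *p = strtok(line, " \t\r\n"); p; p = strtok(NULL, " \t\r\n")) {
        if (n == 3) return -1;
        f[n++] = p;
    }
    return n;
}

/* Dotted-decimal OID: digit runs separated by single dots, two or more arcs. */
int valid_oid(const char *s)
{
    int arcs = 0, digits = 0;
    for (; *s; s++) {
        if (isdigit((unsigned char)*s)) digits++;
        else if (*s == '.' && digits) { arcs++; digits = 0; }
        else return 0;
    }
    return digits > 0 && arcs >= 1;
}

/* The library column is a bare file name that libgss resolves under its
 * mechanism directory; a path component means someone is steering the
 * loader elsewhere, so it is rejected outright (example policy). */
int valid_libname(const char *s)
{
    size_t n = strlen(s);
    if (n < 4 || strchr(s, '/') || strstr(s, "..")) return 0;
    return strcmp(s + n - 3, ".sl") == 0;
}

static int copy_field(char *dst, size_t cap, const char *src)
{
    if (strlen(src) >= cap) return -1;     /* never truncate a config value silently */
    strcpy(dst, src);
    return 0;
}

/* 1 = entry filled, 0 = nothing on this line, -1 = malformed (reject the file). */
int parse_mech_line(const char *text, struct mech_entry *e)
{
    char buf[512], *f[3];
    if (copy_field(buf, sizeof buf, text)) return -1;
    int n = split3(buf, f);
    if (n == 0) return 0;
    if (n != 3 || !valid_oid(f[1]) || !valid_libname(f[2])) return -1;
    if (copy_field(e->name, sizeof e->name, f[0]) || copy_field(e->oid, sizeof e->oid, f[1]) ||
        copy_field(e->lib, sizeof e->lib, f[2])) return -1;
    return 1;
}

/* Same contract; the QOP value must be a non-negative integer that fits in 32 bits. */
int parse_qop_line(const char *text, struct qop_entry *e)
{
    char buf[512], *f[3], *end;
    if (copy_field(buf, sizeof buf, text)) return -1;
    int n = split3(buf, f);
    if (n == 0) return 0;
    if (n != 3 || !isdigit((unsigned char)f[1][0])) return -1;   /* also rejects "-1" */
    errno = 0;
    unsigned long v = strtoul(f[1], &end, 0);
    if (errno || *end || v > UINT32_MAX) return -1;
    if (copy_field(e->name, sizeof e->name, f[0]) || copy_field(e->mech, sizeof e->mech, f[2])) return -1;
    e->value = (uint32_t)v;
    return 1;
}

/* Wrappers that report a line's fate without a caller-supplied struct:
 * mech status as above; qop value, or -1 malformed, -2 blank/comment. */
int mech_line_status(const char *text) { struct mech_entry e; return parse_mech_line(text, &e); }
long long qop_line_value(const char *text)
{
    struct qop_entry e;
    int r = parse_qop_line(text, &e);
    return r == 1 ? (long long)e.value : (r == 0 ? -2 : -1);
}

int main(void)
{
    /* Constructed sample, not a real /etc/gss/mech; the last line is the
     * kind of entry that must never survive review. */
    const char *sample[] = {
        "# Mechanism Name      Object Identifier      Shared Library",
        "krb5_mech             1.2.840.113554.1.2.2   libgssapi_krb5.sl",
        "bad_mech              1.2.3                  ../../tmp/evil.sl",
    };
    struct mech_entry e;
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++) {
        int r = parse_mech_line(sample[i], &e);
        if (r < 0) printf("rejected: %s\n", sample[i]);
        else if (r > 0) printf("mech %s  oid %s  lib %s\n", e.name, e.oid, e.lib);
    }
    return 0;
}
```

      A malformed line returns -1 rather than being skipped, so a caller
      can refuse the whole file: a mechanism table that is half-readable is
      not one you want a privileged process to act on.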

      The /etc/gss/gsscred.conf file selects the backend used to store the
      gsscred table, which holds the mapping between a security principal
      and a UNIX uid.  The only supported gsscred backend is flat files, so
      the entry "files" must be present in /etc/gss/gsscred.conf for the
      library to operate correctly.

      Example /etc/gss/gsscred.conf file
       # gsscred configuration file
       # Valid gsscred backend mechanisms are:
       #    files

    Using the GSSAPI framework
      Applications communicating using the GSSAPI framework go through the
      following main stages:

      1.   The communicating applications acquire a set of credentials to
           prove their identity to other applications. The applications'
           credentials vouch for their global identities.

      2.   The applications establish a joint security context using their
           credentials. This information is used to provide per message
           security services like integrity and confidentiality.

           Establishing the security context is done as follows.  One
           application (the client) initiates the context setup; the other
           application (the server) accepts it after zero or more further
           tokens have been exchanged.  The number of exchanges depends on
           the underlying security mechanism.

      3.   Per-message services apply confidentiality and integrity.  An
           application transmitting a message that it wishes to protect
           calls the appropriate GSSAPI routine (gss_get_mic or gss_wrap)
           to apply protection, specifying the security context to use,
           and sends the result to the receiving application.  The
           receiver passes the data to the corresponding decoding routine
           (gss_verify_mic or gss_unwrap) to respectively remove the
           protection and validate the
      4.   At the completion of a communication session, the peer
           applications call GSSAPI routines to delete the security context.

           The names of the APIs implemented in the libgss.sl library and a
           very brief description for each of them are given below. For
           details about using these APIs, refer to the respective man

    Credential Manipulation APIs
      Credentials are used to prove the identity of an application to
      another application.  GSSAPI assumes that the applications'
      credentials are already in place; the following routines are used to
      inquire about and manipulate them.

      gss_acquire_cred: Allows an application to acquire a handle for a
      pre-existing credential by name.

      gss_release_cred: Informs GSSAPI that the specified credential is no
      longer required by the process.  When all the processes have released
      a credential, it will be deleted.

      gss_inquire_cred: Obtain information about a credential.

      gss_inquire_cred_by_mech: Obtain per mechanism information about a

      gss_add_cred: Construct credentials by adding incrementally.

    Context Manipulation APIs
      For applications to establish a joint security context and use it
      for security services, the following GSSAPIs are required.

      gss_init_sec_context: Initiate a security context with a peer

      gss_accept_sec_context: Accept a security context initiated by a peer

      gss_delete_sec_context: Discard a security context (release the memory
      of the context structure).

      gss_inquire_context: Obtain information about a security context.

      gss_process_context_token: Process a token from a peer application.

      gss_export_sec_context: Transfer a security context to another

      gss_import_sec_context: Import a transferred context.

      gss_context_time: Determine for how long a context will remain valid.

      gss_wrap_size_limit: Determine token size limit for gss_wrap on a

    Per Message Operation APIs
      To perform per message operations like data integrity and data privacy
      services the following GSSAPIs could be used:

      gss_get_mic: To calculate a cryptographic  Message Integrity Code
      (MIC) for a message (Integrity Service).

      gss_verify_mic: To verify message integrity.

      gss_wrap: To attach a MIC to a message and, when confidentiality is
      requested (conf_req_flag set) and the mechanism supports it, encrypt
      it (Confidentiality Service).  The returned conf_state tells the
      caller whether encryption was actually applied.

      gss_unwrap: To verify and, if it was encrypted, decrypt a wrapped
      message (Confidentiality Service).

    Name Manipulation APIs
      Names identify principals.  A name is represented either in printable
      form (for presentation to an application) or in internal form (the
      canonical form), which is used by the API and is opaque to
      applications.  The following APIs are used to manipulate names:

      gss_import_name: Convert a contiguous string name to internal form.

      gss_display_name: Convert an internal-form name to text.

      gss_compare_name: Compare two internal form names.

      gss_release_name: Discard an internal form name.

      gss_inquire_names_for_mech: List the name types supported by a
      specific mechanism.

      gss_inquire_mechs_for_name: List mechanisms that support the specified
      name type.

      gss_canonicalize_name: Convert an internal name to a mechanism
      specific Mechanism Name (MN).

      gss_export_name: Convert an MN to flat name representation suitable
      for bitwise comparison.

      gss_duplicate_name: Create a copy of an internal name.

    Miscellaneous Operation APIs
      Besides the above categories, there are APIs for miscellaneous
      operations such as creating and deleting lists of mechanism OIDs,
      displaying GSSAPI status codes in text form, and releasing buffer
      memory, as given below:

      gss_add_oid_set_member: Add object identifier to a set of OIDs.

      gss_release_oid_set: Release the memory of a set of OID's.

      gss_create_empty_oid_set: Create an OID set with no OID's.

      gss_test_oid_set_member: Determine whether an OID is a member of a

      gss_release_buffer: Release the memory of a buffer.

      gss_release_oid: Release the memory of an OID structure.

      gss_release_name: Release the memory of an internal-form name (also
      listed under Name Manipulation APIs above).

      gss_display_status: Convert GSSAPI status code to text.

      gss_indicate_mechs: Determine available underlying security

 AUTHOR
      libgss.sl was developed by Sun Microsystems, Inc.

 SEE ALSO

      The manpages for DCE-GSSAPI are included with the DCE-CoreTools
      product.  To see those manpages add /opt/dce/share/man to MANPATH.
