HP-UX 11i December 2004 Release Notes

ManualsBrandsHP ManualsSoftwareHP-UX 11i v1.6 Technical Computing (TCOE) LTU

281

282

283

284

285

286

287

288

289

290

Table Of Contents

Security

Generic Security Services for Developing Secure Applications

Chapter 13

282

Generic Security Services for Developing Secure

Applications

new at 11i

original release

The Generic Security Services Application Programming Interface (GSS API) is a newly

introduced product for HP-UX 11i. It contains all the GSS APIs as per RFC 2743 and is

implemented as C programming language interfaces as defined in the RFC 2744,

“Generic Security Service API: C-bindings.” It provides security services for applications

independent of various underlying security mechanisms. GSS API is also independent of

communication protocols. The GSS API is available as a separate shared library. The

security services available to an application include authentication, integrity, and

confidentiality services.

A set of GSS APIs is already available in libdce libraries, which are a part of the DCE

Core product in this release, as well as in previous HP-UX releases. However, these GSS

APIs are dependent on the DCE security mechanism and cannot be used as general

purpose APIs.

Because of GSS API independence, an application developer writing secure applications

need only write the code once and need not change it whenever the underlying security

mechanism changes. This will prove to be quite advantageous during this period where

security technology changes are rather frequent.

An application developer who uses the GSS API C-binding interfaces will need to include

/usr/include/gssapi.h in the program and will need to link with libgss.sl. The

underlying security mechanism and its library can be specified in a configuration file

called /etc/gss/mech. The library will then dynamically load the corresponding

mechanism-specific shared library (for example, libgssapi_krb5.sl in the case of

Kerberos). The default mechanism configuration file is /etc/gss/mech, which can be

altered with the environment variable called GSSAPI_MECH_CONF.

In addition to this configuration file, there are two other configuration files, namely

/etc/gss/qop and /etc/gss/gsscred.conf for libgss.sl:

•The /etc/gss/qop file contains information about the GSS API-based quality of

protection (QOP) for each underlying security mechanism.

•The /etc/gss/gsscred.conf is a configuration file that selects how the underlying

mechanism stores the gsscred table. The gsscred table is used to store the mapping

between a security principal and the UNIX uid. In this release, the supported

gsscred backend mechanism is only flat files. Therefore, the entry “files” must be

specified in /etc/gss/gsscred.conf for the successful operation of the library.

The 32-bit and 64-bit versions of libgss.sl library is available at the /usr/lib and

/usr/lib/pa20_64 directories respectively.

Symbol Clashes

Since the symbols of GSS APIs in the libdce libraries clash with the symbols of

libgss.sl, application programmers who want to use GSS API and DCE together may

need to resolve the symbol clashes by linking the libgss.sl library first and then the

libdce library.