HP-UX 11i June 2004 Release Notes
Security, Chapter 13
Generic Security Services for Developing Secure Applications
new at 11i, original release
The Generic Security Services Application Programming Interface (GSS API) is a newly
introduced product for HP-UX 11i. It contains all the GSS APIs defined in RFC 2743,
implemented as the C programming language interfaces defined in RFC 2744,
“Generic Security Service API: C-bindings.” It provides security services to applications
independently of the underlying security mechanism, and it is also independent of the
communication protocol. The GSS API is available as a separate shared library. The
security services available to an application are authentication, integrity, and
confidentiality.
A set of GSS APIs is already available in the libdce libraries, which are part of the DCE
Core product in this release as well as in previous HP-UX releases. However, those GSS
APIs depend on the DCE security mechanism and cannot be used as general-purpose
APIs.
Because the GSS API is mechanism-independent, an application developer writing secure
applications need only write the code once and need not change it when the underlying
security mechanism changes. This is particularly advantageous at a time when security
technology changes frequently.
An application developer who uses the GSS API C-binding interfaces must include
/usr/include/gssapi.h in the program and link with libgss.sl. The underlying security
mechanism and its library are specified in the configuration file /etc/gss/mech;
libgss.sl then dynamically loads the corresponding mechanism-specific shared library
(for example, libgssapi_krb5.sl in the case of Kerberos). /etc/gss/mech is the default
mechanism configuration file; a different file can be selected with the environment
variable GSSAPI_MECH_CONF.
In addition to this configuration file, there are two other configuration files for
libgss.sl, namely /etc/gss/qop and /etc/gss/gsscred.conf:
• The /etc/gss/qop file contains information about the GSS API-based quality of
protection (QOP) for each underlying security mechanism.
• The /etc/gss/gsscred.conf file selects how the underlying mechanism stores the
gsscred table. The gsscred table stores the mapping between a security principal and
the UNIX uid. In this release, the only supported gsscred backend mechanism is flat
files; therefore, the entry “files” must be specified in /etc/gss/gsscred.conf for the
library to operate successfully.
The 32-bit and 64-bit versions of the libgss.sl library are available in the /usr/lib and
/usr/lib/pa20_64 directories, respectively.
Symbol Clashes
Since the GSS API symbols in the libdce libraries clash with those of libgss.sl,
application programmers who want to use the GSS API and DCE together may need to
resolve the symbol clashes by linking the libgss.sl library first and then the libdce
library.