Configuration Guide for Kerberos Client Products on HP-UX

Introduction to the Kerberos Products and GSS-API
Generic Security Service Application Programming Interface (GSS-API)
Chapter 2, page 72
gss_context_time: Indicate validity time remaining in context
Authentication Services
Two sets of per-message calls provide security to the context. The
gss_get_mic() and gss_verify_mic() function calls provide data
origin authentication and data integrity services. The gss_wrap() and
gss_unwrap() function calls support caller-requested confidentiality. For
more information, see Confidentiality Service on page 72.
The gss_get_mic() function call generates a token. The peer that
receives the application data along with the message token verifies the
communication using gss_verify_mic().
Each deployment can select its own configurable Quality of Protection
(QOP) options.
In summary, per-message calls that authenticate messages are:
gss_get_mic: Apply integrity check, receive as token separate from message
gss_verify_mic: Validate integrity check token along with message
Confidentiality Service
GSS-API provides confidentiality with the gss_wrap() and
gss_unwrap() functions. The output of gss_wrap() is passed to the
remote peer: the data is encapsulated, and optionally encrypted, within
the associated token. This token is the input to gss_unwrap() at the
target, where it is decapsulated and, if needed, decrypted.
In summary, the APIs for confidentiality service include the following:
gss_wrap: Sign, optionally encrypt, encapsulate
gss_unwrap: Decapsulate, decrypt if needed, validate integrity check
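The two per-message services described above, as an added Python model that is not part of the original guide and does not call GSS-API: get_mic/verify_mic produce and check a token that travels apart from the message, while wrap/unwrap carry the message inside the token and report whether encryption was actually applied. HMAC-SHA256, the toy keystream cipher, the token layout, CONTEXT_KEY and unwrap_confidential are assumptions made for illustration; a real mechanism uses keys from the established context and defines its own token format.

```python
import hashlib
import hmac
import os

CONTEXT_KEY = b"constructed-demo-context-key"  # constructed stand-in for a context's session key
MIC_LEN = 32  # HMAC-SHA256 digest size

def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def _keystream_xor(key, nonce, data):  # toy cipher, a stand-in for the mechanism's own
    out = bytearray()
    for i in range(0, len(data), 32):
        block = _mac(key, b"enc" + nonce + i.to_bytes(8, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def get_mic(key, message):
    """Model of gss_get_mic: the token is separate from the message."""
    return _mac(key, b"mic" + message)

def verify_mic(key, message, token):
    """Model of gss_verify_mic: validate the token along with the message."""
    return hmac.compare_digest(get_mic(key, message), token)

def wrap(key, message, conf_req):
    """Model of gss_wrap: sign, optionally encrypt, encapsulate in one token."""
    nonce = os.urandom(16)
    body = _keystream_xor(key, nonce, message) if conf_req else message
    header = (b"\x01" if conf_req else b"\x00") + nonce
    return header + body + _mac(key, b"wrap" + header + body)

def unwrap(key, token):
    """Model of gss_unwrap: returns (message, conf_state); raises on tampering."""
    if len(token) < 17 + MIC_LEN:
        raise ValueError("defective token")
    header, body, mic = token[:17], token[17:-MIC_LEN], token[-MIC_LEN:]
    if not hmac.compare_digest(_mac(key, b"wrap" + header + body), mic):
        raise ValueError("integrity check failed")
    conf_state = header[0] == 1
    message = _keystream_xor(key, header[1:], body) if conf_state else body
    return message, conf_state

def unwrap_confidential(key, token):
    """Receiver policy: reject integrity-only tokens where encryption is required."""
    message, conf_state = unwrap(key, token)
    if not conf_state:
        raise ValueError("confidentiality was not applied")
    return message
```

In the real API, gss_wrap() and gss_unwrap() likewise return a conf_state flag; a receiver that requires encryption should check it rather than assume the sender requested it.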
Support Services
GSS-API support services include the following APIs:
gss_display_status: Translate status codes into printable format
gss_indicate_mechs: Indicate supported mech_type on local system