libgss.4 (2010 09)
libgss(4) libgss(4)
NAME
libgss - shared library for GSSAPI (Generic Security Service Application Programming Interface)
SYNOPSIS
#include <gssapi.h>
/usr/lib/libgss.sl
DESCRIPTION
libgss is a shared library that contains all the GSSAPI functions specified in RFC 2743, implemented as the C-language interfaces defined in RFC 2744, Generic Security Service API: C-bindings.
GSSAPI provides security services for applications independent of the underlying security mechanisms. The services include authentication, integrity and/or confidentiality. GSSAPI provides secure communication between two peers by means of a data structure called a security context. The GSSAPI caller is responsible for transferring tokens between the peers; GSSAPI itself is independent of the underlying communication protocol.
The application that establishes the secure connection is called the context initiator or simply initiator.
The application that accepts the secure connection is the context acceptor or simply acceptor.
An application developer who uses the GSSAPI C-binding interfaces can link an application with libgss.sl. The underlying security mechanism is specified at runtime in a configuration file called /etc/gss/mech, and the library dynamically loads the corresponding mechanism-specific shared library (for example, libgssapi_krb5.sl in the case of Kerberos) from the path specified in the configuration file.
The /etc/gss/mech file has the following format:
     The first column contains the name of a backend security mechanism that supports GSSAPI.
     The second column contains its object identifier (OID).
     The third column contains the name of the shared library that implements the backend security mechanism for GSSAPI. (The backend library must be placed in /usr/lib/gss for 32-bit and in /usr/lib/pa20_64/gss for 64-bit versions.)
The default path of the mechanism file (/etc/gss/mech) can be changed with the GSSAPI_MECH_CONF environment variable.
Example /etc/gss/mech file
# Mechanism Name Object Identifier Shared Library
#
krb5_mech 1.2.840.113554.1.2.2 libgssapi_krb5.sl
Besides this configuration file, there are two other configuration files, /etc/gss/qop and /etc/gss/gsscred.conf, which can be used in association with libgss.sl.
The /etc/gss/qop file contains information about the GSSAPI-based quality of protection (QOP) for each underlying security mechanism. The /etc/gss/qop file has the following format:
     The first column specifies the string name of the QOP.
     The second column contains its QOP value (a 32-bit integer).
     The third column contains the name of the security mechanism.
Example /etc/gss/qop file
# QOP string QOP Value Mechanism Name
#
GSS_KRB5_INTEG_C_QOP_DES_MD5 0 kerberos_v5
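The following parser for the /etc/gss/mech and /etc/gss/qop formats described above is an added example and is not part of the libgss(4) manual or of the HP-UX library itself. It reads the three-column layouts, skips '#' comment lines, checks the OID syntax and the 32-bit range of a QOP value, honours the GSSAPI_MECH_CONF override, and resolves a bare library name to the 32-bit or 64-bit backend directory named in the page. The sample file contents are constructed from the examples on this page; the function names (parse_mech, parse_qop, mech_conf_path, resolve_mech_library, lookup_by_oid) and the rule that a library name containing '/' is used as given are assumptions of this example.

```python
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample contents, modelled on the example files in libgss(4).
SAMPLE_MECH = """\
# Mechanism Name        Object Identifier       Shared Library
#
krb5_mech               1.2.840.113554.1.2.2    libgssapi_krb5.sl
"""

SAMPLE_QOP = """\
# QOP string                    QOP Value       Mechanism Name
#
GSS_KRB5_INTEG_C_QOP_DES_MD5    0               kerberos_v5
"""

# Backend library directories given in the man page for each word size.
MECH_LIB_DIRS = {32: "/usr/lib/gss", 64: "/usr/lib/pa20_64/gss"}
DEFAULT_MECH_CONF = "/etc/gss/mech"

# Dotted-decimal object identifier, at least two arcs.
OID_RE = re.compile(r"^[0-9]+(\.[0-9]+)+$")


@dataclass(frozen=True)
class MechEntry:
    name: str
    oid: str
    library: str


@dataclass(frozen=True)
class QopEntry:
    name: str
    value: int
    mechanism: str


def _columns(text: str, expected: int, what: str) -> List[List[str]]:
    """Split whitespace-separated columns, skipping blank and '#' comment lines.
    Raises ValueError for a line that does not have exactly `expected` columns."""
    rows = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cols = line.split()
        if len(cols) != expected:
            raise ValueError(f"{what} line {lineno}: expected {expected} columns, got {len(cols)}")
        rows.append(cols)
    return rows


def parse_mech(text: str) -> Dict[str, MechEntry]:
    """Parse /etc/gss/mech: mechanism name, OID, shared library name."""
    table: Dict[str, MechEntry] = {}
    for name, oid, lib in _columns(text, 3, "mech"):
        if not OID_RE.match(oid):
            raise ValueError(f"mech {name}: malformed OID {oid!r}")
        if name in table:
            raise ValueError(f"mech {name}: duplicate entry")
        table[name] = MechEntry(name, oid, lib)
    return table


def parse_qop(text: str) -> Dict[str, QopEntry]:
    """Parse /etc/gss/qop: QOP string, 32-bit QOP value, mechanism name."""
    table: Dict[str, QopEntry] = {}
    for name, value, mech in _columns(text, 3, "qop"):
        qop = int(value)
        if not 0 <= qop <= 0xFFFFFFFF:
            raise ValueError(f"qop {name}: value {value} does not fit in 32 bits")
        table[name] = QopEntry(name, qop, mech)
    return table


def mech_conf_path(env: Optional[Dict[str, str]] = None) -> str:
    """Location of the mechanism file: GSSAPI_MECH_CONF overrides the default."""
    env = dict(os.environ) if env is None else env
    return env.get("GSSAPI_MECH_CONF", DEFAULT_MECH_CONF)


def resolve_mech_library(entry: MechEntry, bits: int) -> str:
    """Absolute path of the backend library for a 32- or 64-bit process.
    Assumption (not stated on the page): a bare file name in column three lives
    under the per-word-size directory; a name containing '/' is taken as given."""
    if "/" in entry.library:
        return entry.library
    return os.path.join(MECH_LIB_DIRS[bits], entry.library)


def lookup_by_oid(table: Dict[str, MechEntry], oid: str) -> Optional[MechEntry]:
    """Find the mechanism entry whose OID matches the one a peer negotiated."""
    for entry in table.values():
        if entry.oid == oid:
            return entry
    return None


if __name__ == "__main__":
    mechs = parse_mech(SAMPLE_MECH)
    for e in mechs.values():
        print(e.name, e.oid, resolve_mech_library(e, 32), resolve_mech_library(e, 64))
    for q in parse_qop(SAMPLE_QOP).values():
        print(q.name, q.value, q.mechanism)
```

Note that the page's own examples use different mechanism names in the two files (krb5_mech in /etc/gss/mech, kerberos_v5 in /etc/gss/qop), so the parser deliberately does not require the qop mechanism column to match an entry in the mech table.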
/etc/gss/gsscred.conf is a configuration file that selects the underlying mechanism used to store the gsscred table. The gsscred table stores the mapping between a security principal and a UNIX uid. The only supported gsscred backend mechanism is flat files. Therefore, the entry "files" must be specified in /etc/gss/gsscred.conf for the library to operate successfully.
Example /etc/gss/gsscred.conf file
# gsscred configuration file
#
# Valid gsscred backend mechanisms are:
# files
HP-UX 11i Version 3: September 2010          - 1 -          Hewlett-Packard Company