HP-UX Reference (11i v3 07/02) - 4 File Formats (vol 8)

libgss(4) libgss(4)
NAME
libgss - shared library for GSSAPI (Generic Security Service Application Programming Interface)
SYNOPSIS
#include <gssapi.h>
/usr/lib/libgss.sl
DESCRIPTION
libgss is a shared library which contains all the GSSAPIs as per RFC 2743, implemented as C-language interfaces as defined in RFC 2744, Generic Security Service API: C-bindings.
GSSAPI provides security services for applications independent of the various underlying security mechanisms. The services include authentication, integrity and/or confidentiality services. GSSAPI provides secure communication between two peers with a data structure called a security context. A GSSAPI caller is responsible for the transfer of tokens between peers. GSSAPI is independent of the underlying communication protocols.
The application that establishes the secure connection is called the context initiator or simply initiator. The
application that accepts the secure connection is the context acceptor or simply acceptor.
An application developer who uses GSSAPI C-binding interfaces can link an application with libgss.sl. The underlying security mechanism can be specified at runtime in a configuration file called /etc/gss/mech, and the library will dynamically load the corresponding mechanism-specific shared library (for example, libgssapi_krb5.sl in the case of Kerberos) from the path specified in the configuration file.
The /etc/gss/mech file has the following format:
first column contains the name of the backend security mechanism which supports GSSAPI.
second column contains the object identifier (OID).
third column contains the name of the shared library which implements the backend security mechanism for GSSAPI. (The backend library has to be placed in /usr/lib/gss for 32-bit and /usr/lib/pa20_64/gss for 64-bit versions.)
The default path of the mechanism file (/etc/gss/mech) can be changed by the GSSAPI_MECH_CONF environment variable.
Example /etc/gss/mech file
# Mechanism Name Object Identifier Shared Library
#
krb5_mech 1.2.840.113554.1.2.2 libgssapi_krb5.sl
Besides this configuration file, there are two other configuration files, /etc/gss/qop and /etc/gss/gsscred.conf, which can be used in association with libgss.sl.
The /etc/gss/qop file contains information about the GSSAPI-based quality of protection (QOP) for each underlying security mechanism. The /etc/gss/qop file has the following format:
first column specifies the string name of the QOP.
second column contains its QOP value (32-bit integer).
third column contains the name of the security mechanism.
Example /etc/gss/qop file
# QOP string QOP Value Mechanism Name
#
GSS_KRB5_INTEG_C_QOP_DES_MD5 0 kerberos_v5
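As an added example (not code from the HP-UX manual or from libgss itself), the following Python script parses the /etc/gss/mech and /etc/gss/qop formats described above and applies the checks an administrator would want before trusting them: each OID is dotted-decimal, each library name resolves inside the documented backend directory for the architecture, each QOP value fits in 32 bits, and the mech file and the libraries it names are root-owned and not writable by others. The sample file contents are constructed from the manual's own example entries; treating a path component in the third column as a finding, and the permission rules, are this example's assumptions.

```python
"""Parse and sanity-check HP-UX libgss configuration files (added example).

Formats follow libgss(4):  mech: <mechanism name> <OID> <shared library>
                           qop:  <QOP string> <32-bit QOP value> <mechanism name>
'#' starts a comment. Backend-directory and permission rules are assumptions.
"""
import os
import re
import stat
from collections import namedtuple

DEFAULT_MECH_CONF = "/etc/gss/mech"
MECH_ENV_VAR = "GSSAPI_MECH_CONF"            # documented override of the mech file path
MECH_LIB_DIRS = {"32": "/usr/lib/gss", "64": "/usr/lib/pa20_64/gss"}
OID_RE = re.compile(r"^[0-9]+(\.[0-9]+)+$")  # dotted-decimal object identifier

# Constructed sample inputs, copied from the example entries in libgss(4).
SAMPLE_MECH = """# Mechanism Name Object Identifier Shared Library
#
krb5_mech 1.2.840.113554.1.2.2 libgssapi_krb5.sl
"""
SAMPLE_QOP = """# QOP string QOP Value Mechanism Name
#
GSS_KRB5_INTEG_C_QOP_DES_MD5 0 kerberos_v5
"""

MechEntry = namedtuple("MechEntry", "name oid library")
QopEntry = namedtuple("QopEntry", "name value mechanism")


def _records(text):
    """Yield (line number, whitespace-separated fields) for non-blank, non-comment lines."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if body:
            yield lineno, body.split()


def parse_mech(text):
    entries = []
    for lineno, f in _records(text):
        if len(f) != 3:
            raise ValueError(f"mech line {lineno}: expected 3 fields, got {len(f)}")
        entries.append(MechEntry(*f))
    return entries


def parse_qop(text):
    entries = []
    for lineno, f in _records(text):
        if len(f) != 3:
            raise ValueError(f"qop line {lineno}: expected 3 fields, got {len(f)}")
        try:
            value = int(f[1], 0)
        except ValueError:
            raise ValueError(f"qop line {lineno}: QOP value {f[1]!r} is not an integer") from None
        if not 0 <= value <= 0xFFFFFFFF:
            raise ValueError(f"qop line {lineno}: QOP value {value} does not fit in 32 bits")
        entries.append(QopEntry(f[0], value, f[2]))
    return entries


def mech_conf_path(env):
    """The file libgss will actually read: GSSAPI_MECH_CONF if set, else /etc/gss/mech."""
    return env.get(MECH_ENV_VAR, DEFAULT_MECH_CONF)


def resolve_library(entry, bits="32"):
    """Resolve column 3 under the backend directory; None if it would escape that directory."""
    base = MECH_LIB_DIRS[bits]
    full = os.path.normpath(os.path.join(base, entry.library))
    return full if os.path.dirname(full) == base else None


def audit_mech(entries, bits="32"):
    findings = []
    for e in entries:
        if not OID_RE.match(e.oid):
            findings.append(f"{e.name}: OID {e.oid!r} is not dotted-decimal")
        if resolve_library(e, bits) is None:
            findings.append(f"{e.name}: library {e.library!r} resolves outside {MECH_LIB_DIRS[bits]}")
    return findings


def permission_findings(st_mode, st_uid):
    """A file libgss reads config or loads code from should be root-owned and root-writable only."""
    findings = []
    if st_uid != 0:
        findings.append("not owned by root")
    if st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    if st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings


def audit_system(env=os.environ, bits="32"):
    """Audit the live mech file and every backend library it names; returns {path: findings}."""
    conf = mech_conf_path(env)
    st = os.stat(conf)
    with open(conf) as fh:
        entries = parse_mech(fh.read())
    report = {conf: permission_findings(st.st_mode, st.st_uid) + audit_mech(entries, bits)}
    for lib in filter(None, (resolve_library(e, bits) for e in entries)):
        try:
            st = os.stat(lib)
            report[lib] = permission_findings(st.st_mode, st.st_uid)
        except FileNotFoundError:
            report[lib] = ["missing"]
    return report
```

audit_system() reads the same file libgss would, honouring GSSAPI_MECH_CONF, so an audit of a process environment that overrides the variable covers the file that will really be consulted rather than only /etc/gss/mech.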
/etc/gss/gsscred.conf is a configuration file that selects the underlying mechanism used to store the gsscred table. The gsscred table is used to store the mapping between a security principal and the UNIX uid. The only supported gsscred backend mechanism is flat files. Therefore, the entry "files" must be specified in /etc/gss/gsscred.conf for the successful operation of the library.
Example /etc/gss/gsscred.conf file
# gsscred configuration file
#
# Valid gsscred backend mechanisms are:
HP-UX 11i Version 3: February 2007 1 Hewlett-Packard Company 213