Developer's Guide to Oracle Solaris 11 Security (Oracle Solaris 11.1 Information Library)
GSSAPI Client Example: main() Function
The sample client-side program gss-client creates a security context with a server, establishes the security parameters for that context, and sends a message string to the server. The program uses a simple TCP-based socket connection to communicate with the server.
The following sections provide a step-by-step description of how gss-client works. Because gss-client is a sample program designed to demonstrate GSS-API functionality, only the relevant parts of the program are discussed in detail. The complete source code for both sample applications, client and server, appears in the appendix and can be downloaded from the Oracle download center. See http://www.oracle.com/technetwork/indexes/downloads/sdlc-decommission-333274.html.
The gss-client application performs the following steps:
1. Parses the command line.
2. Creates an object ID (OID) for a mechanism, if a mechanism is specified. Otherwise, the default mechanism is used, which is most commonly the case.
3. Creates a connection to the server.
4. Establishes a security context.
5. Wraps and sends the message.
6. Verifies that the message has been “signed” correctly by the server.
7. Deletes the security context.
The gss-client example takes this form on the command line:
gss-client [-port port] [-d] [-mech mech] host service-name [-f] msg
-port port – The port number for making the connection to the remote machine that is specified by host.
-d – Causes security credentials to be delegated to the server. Specifically, the deleg-flag variable is set to the GSS-API value GSS_C_DELEG_FLAG. Otherwise, deleg-flag is set to zero.
-mech mech – The name of the security mechanism to be used, such as Kerberos v5. If no mechanism is specified, the GSS-API uses a default mechanism.
host – The name of the server.
service-name – The name of the network service requested by the client. Some typical examples are the telnet, ftp, and login services.
msg – The string to send to the server as protected data. If the -f option is specified, then msg is the name of a file from which to read the string.
A typical command line for the client application program might look like the following example:
% gss-client -port 8080 -d -mech kerberos_v5 erebos.eng nfs "ls"
The following example does not specify a mechanism, port, or delegation:
% gss-client erebos.eng nfs "ls"
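The first step listed above, parsing the command line, is the only one that can be exercised without a GSS-API library and a Kerberos realm, so the following added example (written for this page, not code from the Oracle sample) implements a parser for exactly the syntax shown: leading -port, -d and -mech options in any order, then host, service-name, an optional -f, and msg. The struct and function names (client_opts, parse_client_args), the assumed default port of 4444, and the rule that options must precede the positional arguments are this example's own choices; the page does not state the sample's default port. GSS_C_DELEG_FLAG is normally supplied by <gssapi/gssapi.h>; its RFC 2744 value of 1 is repeated here only so the example builds without that header. Both command lines shown above parse as the page describes: the first yields port 8080, delegation on and mechanism kerberos_v5, the second falls back to the default port, no delegation and the default mechanism.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* In the real sample this flag comes from <gssapi/gssapi.h>; RFC 2744 fixes its
 * value at 1, repeated here so the example builds without the GSS-API header. */
#ifndef GSS_C_DELEG_FLAG
#define GSS_C_DELEG_FLAG 1
#endif

/* Assumed default for this example: the page does not state the sample's default port. */
#define DEFAULT_PORT 4444

/* Everything the rest of a gss-client-style program needs from the command line. */
struct client_opts {
    int          port;          /* -port port                                    */
    unsigned int deleg_flag;    /* GSS_C_DELEG_FLAG if -d was given, else 0       */
    const char  *mech_name;     /* -mech mech, or NULL for the default mechanism  */
    const char  *host;          /* server to connect to                           */
    const char  *service_name;  /* e.g. "nfs", "ftp", "login"                     */
    int          msg_is_file;   /* 1 if -f was given: msg names a file            */
    const char  *msg;           /* string to protect, or file name if -f          */
};

static const char usage_line[] =
    "gss-client [-port port] [-d] [-mech mech] host service-name [-f] msg";

/* Returns 0 on success, -1 on a usage error; *o is only meaningful on success. */
int parse_client_args(int argc, char **argv, struct client_opts *o)
{
    int i = 1;

    memset(o, 0, sizeof *o);
    o->port = DEFAULT_PORT;

    /* Options may appear in any order but must precede the positional arguments. */
    while (i < argc && argv[i][0] == '-') {
        if (strcmp(argv[i], "-port") == 0) {
            char *end;
            long p;
            if (i + 1 >= argc)
                return -1;                       /* -port with no value */
            p = strtol(argv[i + 1], &end, 10);
            if (*argv[i + 1] == '\0' || *end != '\0' || p < 1 || p > 65535)
                return -1;                       /* reject "", "80x", 0, >65535 */
            o->port = (int)p;
            i += 2;
        } else if (strcmp(argv[i], "-d") == 0) {
            o->deleg_flag = GSS_C_DELEG_FLAG;    /* request credential delegation */
            i += 1;
        } else if (strcmp(argv[i], "-mech") == 0) {
            if (i + 1 >= argc)
                return -1;                       /* -mech with no value */
            o->mech_name = argv[i + 1];
            i += 2;
        } else {
            return -1;                           /* unknown option */
        }
    }

    /* Positional part: host service-name [-f] msg */
    if (argc - i < 3)
        return -1;
    o->host = argv[i++];
    o->service_name = argv[i++];
    if (strcmp(argv[i], "-f") == 0) {
        o->msg_is_file = 1;
        i++;
        if (i >= argc)
            return -1;                           /* -f with no file name */
    }
    o->msg = argv[i++];
    return (i == argc) ? 0 : -1;                 /* leftover arguments are an error */
}

int main(int argc, char **argv)
{
    struct client_opts o;

    if (parse_client_args(argc, argv, &o) != 0) {
        fprintf(stderr, "usage: %s\n", usage_line);
        return 1;
    }
    printf("host=%s service=%s port=%d mech=%s delegate=%s msg=%s%s\n",
           o.host, o.service_name, o.port,
           o.mech_name ? o.mech_name : "(default)",
           (o.deleg_flag & GSS_C_DELEG_FLAG) ? "yes" : "no",
           o.msg_is_file ? "@file " : "", o.msg);
    return 0;
}
```

Rejecting a malformed or out-of-range port and a trailing -f with no file name up front keeps the later steps (connecting, importing the service name, establishing the context) from running with half-initialised parameters, which is where a sample program's parser is usually loosest.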