krb5_rd_req_verify (process a Kerberos AP_REQ message and verify checksum data) z/OS Integrated Security Services Network Authentication Service Programming SC23-6787-00 |
Purpose

Processes a Kerberos AP_REQ message and verifies the application data checksum.

Format

Parameters

Input

Input/Output

Output
Usage

The krb5_rd_req_verify() routine processes an AP_REQ message generated by the partner application and verifies the application data checksum contained in the authenticator. The authenticator is extracted, validated, and stored in the authentication context. If the server parameter is not NULL and no replay cache is associated with the authentication context, the Kerberos runtime creates a replay cache and stores the cache handle in the authentication context.

If the authentication context contains a keyblock, it is used to decrypt the ticket in the AP_REQ message. This is useful for user-to-user authentication. If the authentication context does not contain a keyblock, the key table specified on the function call is used to obtain the decryption key.

The client in the authenticator must match the client in the ticket. If the remote address has been set in the authentication context, the request must have come from that address. If a replay cache handle is stored in the authentication context, the new authenticator is stored in the cache after checking for replay. If no errors are detected, the authenticator, subsession key, and remote sequence number are stored in the authentication context. If AP_OPTS_MUTUAL_REQUIRED is specified in the AP_REQ message, the local sequence number is XORed with the remote sequence number.

The function return value is zero if no errors occurred. Otherwise, it is a Kerberos error code.

If the Kerberos security server is running on the same system as the application, it is not necessary to provide a key table. Instead, the krb5_rd_req_verify() routine uses the local instance of the Kerberos security server to decrypt the ticket. To activate this support, the KRB5_SERVER_KEYTAB environment variable must be set to one of the following values and, depending on the value set, the following requirements must also be met:

Note: If requirement 2a is satisfied but 2b is not, the krb5_rd_req_verify() routine does not fall back to using a keytab file; it fails.

krb5_recvauth
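The following Python model walks through the sequence of checks the Usage text describes for an AP_REQ receiver: choosing the decryption key (keyblock in the authentication context, else the key table), matching the authenticator client against the ticket client, enforcing the remote address, verifying the keyed checksum over the application data, checking and updating the replay cache, storing the authenticator, subkey and remote sequence number, and XORing the sequence numbers when AP_OPTS_MUTUAL_REQUIRED is set. This is an added illustration, not IBM's z/OS Network Authentication Service code and not the real krb5_rd_req_verify() signature (which this page does not reproduce). The Ticket, Authenticator, ApReq and AuthContext classes, the build_request() helper, the sample principal names, keys and addresses are all constructed for the example; the error-code names are the RFC 4120 names used here purely as return values, and HMAC-SHA256 stands in for a Kerberos keyed checksum type.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

AP_OPTS_MUTUAL_REQUIRED = 0x20000000  # AP option bit from RFC 4120


@dataclass
class Ticket:                 # constructed model of a decrypted ticket
    client: str
    session_key: bytes
    enc_key: bytes            # stand-in for the key the ticket is encrypted under


@dataclass
class Authenticator:          # constructed model of the authenticator
    client: str
    ctime: int
    cusec: int
    seq_number: int
    subkey: Optional[bytes]
    checksum: bytes           # keyed checksum over the application data


@dataclass
class ApReq:                  # constructed model of the AP_REQ message
    ap_options: int
    ticket: Ticket
    authenticator: Authenticator
    from_addr: str


@dataclass
class AuthContext:            # constructed model of the authentication context
    keyblock: Optional[bytes] = None
    remote_addr: Optional[str] = None
    replay_cache: Optional[set] = None
    local_seq: int = 0
    remote_seq: Optional[int] = None
    authenticator: Optional[Authenticator] = None
    subkey: Optional[bytes] = None


def app_checksum(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 stands in for a Kerberos keyed checksum type."""
    return hmac.new(key, data, hashlib.sha256).digest()


def rd_req_verify(ctx: AuthContext, req: ApReq, server: Optional[str],
                  keytab: dict, app_data: bytes) -> Optional[str]:
    """Return None on success, or an error-code name on the first failed check."""
    # A replay cache is created when a server name is given and none exists yet.
    if server is not None and ctx.replay_cache is None:
        ctx.replay_cache = set()
    # The keyblock in the context (user-to-user) takes precedence over the key table.
    key = ctx.keyblock if ctx.keyblock is not None else keytab.get(server)
    if key is None:
        return "KRB_AP_ERR_NOKEY"
    ticket = req.ticket
    if not hmac.compare_digest(ticket.enc_key, key):
        return "KRB_AP_ERR_BAD_INTEGRITY"   # ticket does not decrypt under this key
    auth = req.authenticator
    if auth.client != ticket.client:
        return "KRB_AP_ERR_BADMATCH"        # authenticator client must match ticket client
    if ctx.remote_addr is not None and req.from_addr != ctx.remote_addr:
        return "KRB_AP_ERR_BADADDR"
    expected = app_checksum(ticket.session_key, app_data)
    if not hmac.compare_digest(auth.checksum, expected):
        return "KRB_AP_ERR_MODIFIED"        # application data checksum mismatch
    if ctx.replay_cache is not None:
        entry = (auth.client, auth.ctime, auth.cusec)
        if entry in ctx.replay_cache:
            return "KRB_AP_ERR_REPEAT"
        ctx.replay_cache.add(entry)          # store only after the replay check passes
    ctx.authenticator = auth
    ctx.subkey = auth.subkey
    ctx.remote_seq = auth.seq_number
    if req.ap_options & AP_OPTS_MUTUAL_REQUIRED:
        ctx.local_seq ^= auth.seq_number
    return None


def build_request(client: str, session_key: bytes, enc_key: bytes, app_data: bytes,
                  seq: int = 7, opts: int = AP_OPTS_MUTUAL_REQUIRED,
                  from_addr: str = "10.0.0.5") -> ApReq:
    """Constructed helper: a well-formed AP_REQ whose checksum covers app_data."""
    ticket = Ticket(client, session_key, enc_key)
    auth = Authenticator(client, 1000, 1, seq, b"subkey-example",
                         app_checksum(session_key, app_data))
    return ApReq(opts, ticket, auth, from_addr)


if __name__ == "__main__":
    server = "host/server.example.com@EXAMPLE.COM"   # constructed principal
    keytab = {server: b"K" * 32}
    ctx = AuthContext(local_seq=0xAAAA)
    req = build_request("alice@EXAMPLE.COM", b"S" * 32, b"K" * 32, b"payload")
    print(rd_req_verify(ctx, req, server, keytab, b"payload"))   # None: accepted
    print(rd_req_verify(ctx, req, server, keytab, b"payload"))   # KRB_AP_ERR_REPEAT
```

Each check returns as soon as it fails, so a tampered payload is reported as a checksum failure before the replay cache is consulted, and a replayed authenticator is never re-added to the cache.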
Copyright IBM Corporation 1990, 2014