gss_add_cred()--Add Credential Element to Existing GSS Credential


  Syntax
 #include <gssapi.h>

 OM_uint32 gss_add_cred(
     OM_uint32 *         minor_status,
     gss_cred_id_t       input_cred_handle,
     gss_name_t          desired_name,
     gss_OID             mech_type,
     gss_cred_usage_t    cred_usage,
     OM_uint32           init_time_req,
     OM_uint32           accept_time_req,
     gss_cred_id_t *     output_cred_handle,
     gss_OID_set *       actual_mechs,
     OM_uint32 *         init_time_rec,
     OM_uint32 *         accept_time_rec);

  Service Program Name: QSYS/QKRBGSS

  Default public authority: *USE

  Threadsafe: Yes

The gss_add_cred() function adds a credential element to an existing GSS credential. The credential must not already contain an element for the mechanism. A GSS credential must contain an element for each mechanism that will be used for contexts that are initiated or accepted using the credential.


Parameters

minor_status  (Output)
A status code from the security mechanism.

input_cred_handle  (Input)
The GSS credential that is to be modified. Specify GSS_C_NO_CREDENTIAL to modify the default GSS credential.

desired_name  (Input)
The principal name to be used for the credential.

mech_type  (Input)
The mechanism element to be added to the credential. The credential must not already contain an element for this mechanism.

The following security mechanisms are supported:

gss_mech_krb5_old    Beta Kerberos V5 mechanism
gss_mech_krb5        Kerberos V5 mechanism


cred_usage  (Input)
The desired credential usage as follows:

GSS_C_ACCEPT      The credential can be used only to accept security contexts.
GSS_C_BOTH        The credential can be used to both initiate and accept security contexts.
GSS_C_INITIATE    The credential can be used only to initiate security contexts.


init_time_req  (Input)
The number of seconds the credential remains valid for initiating contexts. The IBM® i implementation of GSS does not support separate initiate and accept expiration times. The actual expiration time will be the smaller of the initiate and accept times. Specify zero to request the default lifetime of 2 hours. Specify GSS_C_INDEFINITE to request the maximum lifetime.

accept_time_req  (Input)
The number of seconds the credential remains valid for accepting contexts. The IBM i implementation of GSS does not support separate initiate and accept expiration times. The actual expiration time will be the smaller of the initiate and accept times. Specify zero to request the default lifetime of 2 hours. Specify GSS_C_INDEFINITE to request the maximum lifetime.

output_cred_handle  (Output)
The credential handle for the updated credential. If NULL is specified for this parameter, the new credential element is added to the input credential. Otherwise, a new credential is created from the input credential and contains all of the credential elements of the input credential plus the new credential element. NULL may not be specified for this parameter if GSS_C_NO_CREDENTIAL is specified for the input credential.

actual_mechs  (Output)
The total set of mechanisms supported by the GSS credential. Specify NULL for this parameter if the actual mechanisms are not required. The gss_OID_set returned for this parameter should be released by calling the gss_release_oid_set() routine when it is no longer needed.

init_time_rec  (Output)
The initiate expiration time in seconds. Specify NULL for this parameter if the initiate time is not required.

accept_time_rec  (Output)
The accept expiration time in seconds. Specify NULL for this parameter if the accept time is not required.

Return Value

The return value is one of the following status codes:

GSS_S_BAD_MECH
The specified mechanism is not supported.

GSS_S_BAD_NAME
The name specified for the desired_name parameter is not valid.

GSS_S_BAD_NAMETYPE
The name specified for the desired_name parameter is not supported by the applicable underlying GSS mechanisms.

GSS_S_COMPLETE
The routine completed successfully.

GSS_S_DUPLICATE_ELEMENT
The credential already contains an element for the specified mechanism.

GSS_S_FAILURE
The routine failed for reasons that are not defined at the GSS level. The minor_status return parameter contains a mechanism-dependent error code describing the reason for the failure.

GSS_S_NO_CRED
The referenced credential does not exist.


Authorities

Object Referred to                                                  Data Authority Required
Each directory in the path name preceding the configuration file    *X
Configuration file                                                  *R


Error Messages

Message ID    Error Message Text
CPE3418 E     Possible APAR condition or hardware failure.


Usage Notes

  1. The gss_add_cred() routine performs the same function as the gss_acquire_cred() routine for a single mechanism.
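
The handle and lifetime rules described under Parameters, as an added stand-alone C model: it is not IBM's code and does not call QKRBGSS. All M_ and m_ names are hypothetical, M_BAD_ARGS is a model-only status because the page names none for that case, and resolving a zero request to 7200 seconds before taking the smaller value is an assumption.

```c
#include <stdint.h>
#include <stdio.h>

/* Model-only names (hypothetical); nothing here comes from <gssapi.h>. */
enum { M_KRB5_OLD = 1u, M_KRB5 = 2u };      /* the two supported mechanisms */
typedef enum { M_COMPLETE, M_BAD_MECH, M_DUPLICATE_ELEMENT, M_BAD_ARGS } m_status;
typedef struct { unsigned mechs; } m_cred;  /* bitmask of elements present */

#define M_INDEFINITE   0xffffffffu  /* GSS_C_INDEFINITE as defined in RFC 2744 */
#define M_DEFAULT_LIFE 7200u        /* "default lifetime of 2 hours" */

/* One expiration is kept: the smaller of the two requests.
 * Assumption: a zero request resolves to the default before comparing. */
static uint32_t m_lifetime(uint32_t init_req, uint32_t accept_req)
{
    uint32_t i = init_req ? init_req : M_DEFAULT_LIFE;
    uint32_t a = accept_req ? accept_req : M_DEFAULT_LIFE;
    return i < a ? i : a;
}

/* in == NULL models GSS_C_NO_CREDENTIAL (use *dflt); out == NULL models a
 * NULL output_cred_handle, i.e. update the input credential in place. */
static m_status m_add_cred(m_cred *in, const m_cred *dflt, unsigned mech,
                           uint32_t init_req, uint32_t accept_req,
                           m_cred *out, uint32_t *init_rec, uint32_t *accept_rec)
{
    const m_cred *src = in ? in : dflt;
    if (mech != M_KRB5_OLD && mech != M_KRB5) return M_BAD_MECH;
    if (!in && !out) return M_BAD_ARGS;  /* page names no status for this case */
    if (src->mechs & mech) return M_DUPLICATE_ELEMENT;

    m_cred updated = { src->mechs | mech };
    if (out) *out = updated;             /* new credential, input untouched */
    else     *in  = updated;             /* element added to the input */
    uint32_t life = m_lifetime(init_req, accept_req);
    if (init_rec)   *init_rec = life;    /* both outputs report the same */
    if (accept_rec) *accept_rec = life;  /* single expiration time */
    return M_COMPLETE;
}

int main(void)
{
    m_cred dflt = { 0 }, base = { M_KRB5_OLD }, copy = { 0 };
    uint32_t i = 0, a = 0;
    m_status s = m_add_cred(&base, &dflt, M_KRB5, 0, 3600, &copy, &i, &a);
    printf("status=%d base=%u copy=%u init=%u accept=%u\n",
           (int)s, base.mechs, copy.mechs, (unsigned)i, (unsigned)a);
    return s == M_COMPLETE ? 0 : 1;
}
```

In the model, as in the parameter descriptions, asking for a long initiate lifetime has no effect when the accept request is shorter, so callers should size both requests together.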


API introduced: V5R1
