gss_add_cred()--Add Credential Element to Existing GSS Credential
Syntax
    #include <gssapi.h>

    OM_uint32 gss_add_cred(
        OM_uint32 *        minor_status,
        gss_cred_id_t      input_cred_handle,
        gss_name_t         desired_name,
        gss_OID            mech_type,
        gss_cred_usage_t   cred_usage,
        OM_uint32          init_time_req,
        OM_uint32          accept_time_req,
        gss_cred_id_t *    output_cred_handle,
        gss_OID_set *      actual_mechs,
        OM_uint32 *        init_time_rec,
        OM_uint32 *        accept_time_rec);

Service Program Name: QSYS/QKRBGSS
Default public authority: *USE
Threadsafe: Yes
The gss_add_cred() function adds a credential element to an existing GSS credential. The credential must not already contain an element for the mechanism. A GSS credential must contain an element for each mechanism that will be used for contexts that are initiated or accepted using the credential.
Parameters
- minor_status (Output)
- A status code from the security mechanism.
- input_cred_handle (Input)
- The GSS credential that is to be modified. Specify
GSS_C_NO_CREDENTIAL to modify the default GSS credential.
- desired_name (Input)
- The principal name to be used for the credential.
- mech_type (Input)
- The mechanism element to be added to the credential. The credential must
not already contain an element for this mechanism.
The following security mechanisms are supported:
Mechanism | Description |
---|---|
gss_mech_krb5_old | Beta Kerberos V5 mechanism |
gss_mech_krb5 | Kerberos V5 mechanism |
- cred_usage (Input)
- The desired credential usage as follows:
Value | Meaning |
---|---|
GSS_C_ACCEPT | The credential can be used only to accept security contexts. |
GSS_C_BOTH | The credential can be used to both initiate and accept security contexts. |
GSS_C_INITIATE | The credential can be used only to initiate security contexts. |
- init_time_req (Input)
- The number of seconds the credential remains valid for initiating contexts.
The IBM® i implementation of GSS does not support separate initiate and accept
expiration times. The actual expiration time will be the smaller of the
initiate and accept times. Specify zero to request the default lifetime of 2
hours. Specify GSS_C_INDEFINITE to request the maximum
lifetime.
- accept_time_req (Input)
- The number of seconds the credential remains valid for accepting contexts.
The IBM i implementation of GSS does not support separate initiate and accept
expiration times. The actual expiration time will be the smaller of the
initiate and accept times. Specify zero to request the default lifetime of 2
hours. Specify GSS_C_INDEFINITE to request the maximum
lifetime.
- output_cred_handle (Output)
- The credential handle for the updated credential. If NULL
is specified for this parameter, the new credential element is added to the
input credential. Otherwise, a new credential is created from the input
credential and contains all of the credential elements of the input credential
plus the new credential element. NULL may not be specified for
this parameter if GSS_C_NO_CREDENTIAL is specified for the
input credential.
- actual_mechs (Output)
- The total set of mechanisms supported by the GSS credential. Specify
NULL for this parameter if the actual mechanisms are not
required. The gss_OID_set returned for this parameter should be released by
calling the gss_release_oid_set() routine when it is no longer
needed.
- init_time_rec (Output)
- The initiate expiration time in seconds. Specify NULL for
this parameter if the initiate time is not required.
- accept_time_rec (Output)
- The accept expiration time in seconds. Specify NULL for this parameter if the accept time is not required.
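The lifetime and output_cred_handle rules above, modelled as a pre-call check. This is an added example, not IBM's code; it does not call the API. All EX_/ex_ names and the policy_max ceiling are hypothetical, and it assumes a zero request is resolved to the 2-hour default before the smaller of the two times is taken.

```c
#include <stdint.h>

/* Stand-ins so the sketch builds without <gssapi.h>; real code uses the
 * header's GSS_C_INDEFINITE. All EX_/ex_ names are hypothetical. */
#define EX_INDEFINITE   0xffffffffu  /* value of GSS_C_INDEFINITE in RFC 2744 */
#define EX_DEFAULT_SECS 7200u        /* page: zero requests the 2-hour default */

enum {
    EX_NEED_OUTPUT = 1, /* default input credential with NULL output handle */
    EX_SHORTENED   = 2, /* one request is longer than what will be granted */
    EX_OVER_POLICY = 4  /* effective lifetime above the local ceiling */
};

/* Assumption: zero is resolved to the default before the two are compared. */
static uint32_t ex_resolve(uint32_t req)
{
    return req == 0 ? EX_DEFAULT_SECS : req;
}

/* Page: the actual expiration is the smaller of the initiate and accept
 * times. EX_INDEFINITE is the largest value, so it survives only when both
 * requests ask for the maximum lifetime. */
uint32_t ex_effective_lifetime(uint32_t init_req, uint32_t accept_req)
{
    uint32_t i = ex_resolve(init_req), a = ex_resolve(accept_req);
    return i < a ? i : a;
}

/* Returns a bitmask of EX_* findings; *effective receives the lifetime. */
int ex_check_request(int input_is_default, int output_is_null,
                     uint32_t init_req, uint32_t accept_req,
                     uint32_t policy_max, uint32_t *effective)
{
    int findings = 0;
    uint32_t eff = ex_effective_lifetime(init_req, accept_req);

    /* Page: NULL output handle is not allowed with GSS_C_NO_CREDENTIAL. */
    if (input_is_default && output_is_null)
        findings |= EX_NEED_OUTPUT;
    if (ex_resolve(init_req) != eff || ex_resolve(accept_req) != eff)
        findings |= EX_SHORTENED;
    if (eff > policy_max)
        findings |= EX_OVER_POLICY;
    if (effective)
        *effective = eff;
    return findings;
}
```

After a real call, compare init_time_rec and accept_time_rec against the value computed here to confirm what was actually granted.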
Return Value
The return value is one of the following status codes:
- GSS_S_BAD_MECH
- The specified mechanism is not supported.
- GSS_S_BAD_NAME
- The name specified for the desired_name parameter is not
valid.
- GSS_S_BAD_NAMETYPE
- The name specified for the desired_name parameter is not supported
by the applicable underlying GSS mechanisms.
- GSS_S_COMPLETE
- The routine completed successfully.
- GSS_S_DUPLICATE_ELEMENT
- The credential already contains an element for the specified mechanism.
- GSS_S_FAILURE
- The routine failed for reasons that are not defined at the GSS level. The
minor_status return parameter contains a mechanism-dependent error
code describing the reason for the failure.
- GSS_S_NO_CRED
- The referenced credential does not exist.
Authorities
Object Referred to | Data Authority Required |
---|---|
Each directory in the path name preceding the configuration file | *X |
Configuration file | *R |
Error Messages
Message ID | Error Message Text |
---|---|
CPE3418 E | Possible APAR condition or hardware failure. |
Usage Notes
- The gss_add_cred() routine performs the same function as the gss_acquire_cred() routine for a single mechanism.
API introduced: V5R1