local interface KRB5JCSIArgBuilder
inherits from SL3TCPIP::TCPIPArgBuilder
The KRB5JCSIArgBuilder builds an argument for the KerberosJCSIArgs
credentials acquisition method. This builder specifies the use of the
Wedgetail JCSI Kerberos implementation.
In addition to the "addKerberosConfig" operation, only one of "addKerberosSession", "addKerberosService", "addKerberosServiceClient", or "addKerberosPassword" can be used.
void addKerberosConfig(in string realm,
in CORBA::StringSeq kdc_addresses);
The addKerberosConfig method adds a parameter that specifies
where to find the realm and KDC information required by
the JCSI.
The realm argument should contain the default realm for these credentials.
The kdc_addresses argument holds a sequence of strings representing the "host[:port]" combinations of internet addresses of the KDCs servicing this realm. Currently, the limit on this sequence is 2 KDC addresses.
These parameters override the default realm and KDC specifications found in the krb5.conf file.
If the realm is an empty string (""), then the default is assumed. The default realm comes from the [libdefaults] section of the krb5.conf file, if it exists. Otherwise, the system property, jcsi.kerberos.realm, must be set.
If the sequence of KDCs is empty, the default is assumed. Defaults come from the krb5.conf file if it exists. Otherwise, the system property, jcsi.kerberos.KDChost, must be set. This system property holds only the hostname and not the port number. Setting the jcsi.kerberos.KDChost property assumes that the KDC's port is 88.
void addKerberosPassword(in string principal,
in string password,
in string lifetime,
in boolean proxiable,
in boolean forwardable,
in string renewablelife);
This operation adds the credentials specification parameter.
It picks the desired principal and creates an internal
credentials store.
void addKerberosService(in string principal,
in string keytab);
The addKerberosService operation specifies that the principal
and its key are to be picked up from a keytab.
It picks the desired principal and key from the specified
keytab file. If the Credentials Usage is Initiate or
InitiateAndAccept, an internal credentials store will be
created for this principal with indefinite default
parameters for lifetime. The initiator will not be forwardable,
proxiable, or renewable.
If the principal is an empty string, the default is assumed, which means the system property, jcsi.kerberos.principal, must be set.
If the keytab argument contains an empty string, the default is assumed, which means the system property, jcsi.kerberos.keytab, must be set.
void addKerberosServiceClient(in string principal,
in string keytab,
in string lifetime,
in boolean proxiable,
in boolean forwardable,
in string renewablelife);
The addKerberosServiceClient operation specifies that the
desired principal and key are taken from the specified
keytab file, and creates an internal credentials store
for client operations. This operation can only be used with
InitiateOnly or InitiateAndAccept.
void addKerberosSession(in string ccache);
The addKerberosSession operation specifies the credentials cache (ccache) to use, together with the default principal in that credentials store. The ccache argument is usually a file URL.
If the ccache argument is an empty string, the Session mode of operation is used with the default credentials cache, which means the system property, jcsi.kerberos.ccache, must be set.
void addKrb5ConfFile(in string url);
The addKrb5ConfFile method adds a parameter that specifies where to find the krb5.conf file, if it is not in the default place. Default places are resolved in the following order:
For java:
${java.security.krb5.conf}
${java.home}/lib/security/krb5.conf
c:\winnt\krb5.ini on Windows from ${os.name}
/etc/krb5/krb5.conf on SunOS from ${os.name}
/etc/krb5.conf on Linux from ${os.name}
If it cannot read the Java system properties, it guesses depending on the File.separator character as follows:
If it is '\', then it tries to load "c:\winnt\krb5.ini". If it is '/', then it tries to load "/etc/krb5.conf".
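The search order above determines which krb5.conf, and therefore which realm and KDC defaults, a process actually picks up. The following Java sketch is an added example, not JCSI code: it lists the default places in the documented order and reports the first one that is a readable file. The class and method names, the prefix match on os.name, and the "first readable file wins" rule are assumptions; the property names and paths are those listed above.

```java
import java.io.File;
import java.util.ArrayList;
import java.util.List;
import java.util.function.UnaryOperator;

/** Added example: reproduces the documented krb5.conf search order. Not JCSI code. */
public class Krb5ConfLocator {

    /** Candidate paths in the documented order; props is the system-property lookup. */
    static List<String> candidates(UnaryOperator<String> props, char separator) {
        List<String> out = new ArrayList<>();
        try {
            String explicit = props.apply("java.security.krb5.conf");
            if (explicit != null && !explicit.isEmpty()) out.add(explicit);
            String home = props.apply("java.home");
            if (home != null)
                out.add(home + separator + "lib" + separator + "security" + separator + "krb5.conf");
            String os = props.apply("os.name");
            if (os != null) {
                // Assumption: os.name is matched by prefix (e.g. "Windows 10").
                if (os.startsWith("Windows")) out.add("c:\\winnt\\krb5.ini");
                else if (os.startsWith("SunOS")) out.add("/etc/krb5/krb5.conf");
                else if (os.startsWith("Linux")) out.add("/etc/krb5.conf");
            }
        } catch (SecurityException e) {
            // Properties unreadable: fall back to the guess based on the separator.
            out.clear();
            out.add(separator == '\\' ? "c:\\winnt\\krb5.ini" : "/etc/krb5.conf");
        }
        return out;
    }

    /** First candidate that is a readable file, or null if none is (assumed rule). */
    static String resolve(List<String> paths) {
        for (String p : paths) {
            File f = new File(p);
            if (f.isFile() && f.canRead()) return p;
        }
        return null;
    }

    public static void main(String[] args) {
        List<String> paths = candidates(System::getProperty, File.separatorChar);
        for (int i = 0; i < paths.size(); i++)
            System.out.println((i + 1) + ". " + paths.get(i));
        String winner = resolve(paths);
        System.out.println(winner == null
            ? "No krb5.conf found in the default places"
            : "Effective krb5.conf: " + winner);
    }
}
```

Running it under the same JVM options and account as the application shows whether a stray java.security.krb5.conf setting or a file under ${java.home} takes precedence over the system-wide configuration.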
void addUseEmbodiedClientCredentials(in TransportSecurity::ClientCredentials creds);
This operation adds embodied client credentials in order to convert them to credentials that we can use for initiating purposes.