This module uses the data and valuetype definitions of the SecurityLevel3 module, to give a common representation of important security information, such as Principals and Statements about Principals.
In order to let this module stand on its own, many of the primitive data definitions parallel those of the SecurityLevel3 module, such as string types and integer constants. For example, CredentialsType, CredentialsUsage, CredentialsState, CredsDirective, and FeatureDirective all have type names and constant names that parallel their counterparts in the SecurityLevel3 module in both name and value. At least in Java, where the IDL language mapping dereferences types to their most primitive type (such as int), these values can be used interchangeably between modules in your Java code.
The Transport Security Service parallels the SecurityLevel3 module in that it brings forth the security service (for the Transport Layer) with two objects that are returned by the ORB's resolve_initial_references call. These two objects are the TransportSecurity::SecurityManager and TransportSecurity::SecurityCurrent objects.
The Transport Security Service has the same Credentials model we use in SecurityLevel3. This model, which is heavily based on the Principal Calculus, yields an API for accessing principal information. The credentials represent the ORB's credentials, as well as the establishment of security contexts between client and servers.
The Transport Security Service is currently CSIv1 Level 0 and Level 1 compliant, depending on the ORB options.
The CredentialsCurator is an object that is retrievable from the TransportSecurity::SecurityManager. You use this object to acquire transport OwnCredentials. Transport Credentials give you the ability to communicate with other clients and servers with transport security protection. However, plain IIOP (GIOP/TCP/IP) is modeled with the same credentials model. This gives you the ability to extract information from clients and target objects, such as their Internet addresses, which may be useful in your access control and auditing decisions.
You cannot communicate with IIOP ORBs unless you acquire TCPIP credentials.
The CredentialsCurator object is a single object per ORB instance's Transport Security Service.
The SecurityCurrent object holds thread-specific data pertaining to the security service.
typedef sequence<AcceptingContext> AcceptingContextList;

typedef string AcquisitionMethod;
This type specifies a method for acquiring the transport credentials that is specific to the MechanismId. It is the AcquisitionMethod that specifies the arguments needed to acquire the credentials.

typedef sequence<AcquisitionMethod> AcquisitionMethodList;

typedef long AcquisitionStatus;
An acquisition of credentials may fail, and may also be a multistep process. A status defines the current state of an acquisition.

typedef long CSIVersion;
The CSIVersion type has two constants which represent the versions of Common Security Interoperability as defined by the OMG. These constants are used to indicate whether a transport will handle CSIv1 or CSIv2 requests. This is important, since CSIv2 transports handle state retention of the CSIv2 security contexts that are associated with the transports.

typedef string ContextEstablisherId;
typedef sequence<ContextEstablisherId> ContextEstablisherIdList;
typedef sequence<ContextEstablisher> ContextEstablisherList;

typedef string ContextId;
A ContextId is a system-generated unique identifier that identifies a security context to the application. Security contexts may be long lived and are not established on every request; therefore, an identifier is assigned.

typedef sequence<ContextId> ContextIdList;
typedef string CredentialsId;
typedef sequence<CredentialsId> CredentialsIdList;

typedef long CredentialsState;
A Credentials object has a validity state. Some credentials may be time- or use-dependent.

typedef unsigned long CredentialsType;
Credentials come in three types: OwnCredentials, ClientCredentials, and TargetCredentials. OwnCredentials represent the ORB instance's credentials. Each Credentials has initiating and accepting capability. ClientCredentials represent an established security context with a client. TargetCredentials represent an established security context with a target's server.

typedef unsigned long CredentialsUsage;
CredentialsUsage refers to the concept that credentials may be used to initiate security contexts, accept security contexts, or do both. Its values are used in the acquisition of credentials for the purpose of designating the abilities of the credentials acquired.

typedef unsigned long CredsDirective;
A CredsDirective is a directive on an invocation as to the effects the initiated security context will have on the accepting side. Please see ContextEstablishmentPolicy for its use in establishing security contexts.

typedef string ExternalizationType;
The ExternalizationType is a string that is used for requesting the externalization format/type of Transport Security credentials, if it is supported by the particular mechanism.

typedef long FeatureDirective;
A FeatureDirective is a general directive used in policy that stipulates the use of a particular feature. Examples include confidentiality, integrity, client authentication, etc.

typedef sequence<InitiatingContext> InitiatingContextList;

typedef string ListenerId;
This type is used to identify listeners for removal. A listener identity is assigned to a listener when it is attached to a particular object.

typedef string MechanismId;
This type specifies the transport mechanism, such as TCPIP, TLS, or SECIOP-Kerberos.

typedef sequence<MechanismId> MechanismList;
typedef sequence<OwnCredentials> OwnCredentialsList;
const unsigned long ADIRON_VMCID = 168935424;
The Adiron VMCID, which is used in minor error codes, policy tags, etc.

const AcquisitionStatus AQST_Continued = 1;
Acquisition needs more processing.

const AcquisitionStatus AQST_Expired = -1;
Acquisition has expired.

const AcquisitionStatus AQST_Failed = -2;
Acquisition has failed.

const AcquisitionStatus AQST_Initialized = 0;
Acquisition is initialized.

const AcquisitionStatus AQST_Succeeded = 2;
Acquisition has succeeded.

const CredsDirective CD_Default = 0;
The CD_Default CredsDirective is a value that signifies to use the capabilities of the selected credentials.

const CredsDirective CD_EmbodyTarget = 3;
The CD_EmbodyTarget CredsDirective is a value that signifies that the selected credentials, if capable, should attempt to embody the target. In other words, it gives the accepting side the ability to impersonate the initiating side.

const CredsDirective CD_EndorseTarget = 2;
The CD_EndorseTarget CredsDirective is a value that signifies that the selected credentials, if capable, should attempt to endorse the target. In other words, it gives the accepting side the ability to act on behalf of the initiating side.

const CredsDirective CD_InvokeTarget = 1;
The CD_InvokeTarget CredsDirective is a value that signifies that the selected credentials should only be used in a simple invocation fashion. They shall not attempt to endorse or embody the target to act on its behalf.

const CSIVersion CSIv1 = 1;
This constant represents CSIv1, which is the ability to handle security only at the transport layer. When credentials are acquired at the Transport Security Layer they usually support CSIv1 and not CSIv2. CSIv2 may have to be explicitly activated; check the parameters given to the Credentials Acquirer of a particular mechanism.

const CSIVersion CSIv2 = 2;
This constant represents CSIv2, which has the ability to associate and process CSIv2 requests over its transport protection layer. This option is not supported by default unless TransportSecurity Credentials are implicitly acquired by the SecurityLevel3 Credentials Acquirer in support of those CSIv2-enabled Credentials.

const CredentialsState CS_Expired = -2;
Credentials with a CredentialsState of CS_Expired can no longer be used for initiating or accepting establishment of any security contexts.

const CredentialsState CS_Initialized = 0;
Credentials with a CredentialsState of CS_Initialized cannot be used for initiating or accepting establishment of any security contexts. It means that the credentials are in an initial state. This value is for internal use, and there is no reason a SecurityLevel3 user should see credentials in this state.

const CredentialsState CS_Invalid = -3;
Credentials with a CredentialsState of CS_Invalid cannot be used for initiating or accepting establishment of any security contexts.

const CredentialsState CS_PendingRelease = -1;
Credentials with a CredentialsState of CS_PendingRelease can no longer be used for initiating or accepting establishment of any security contexts. It means that "release_credentials" has been called on the credentials.

const CredentialsState CS_Valid = 1;
Credentials with a CredentialsState of CS_Valid can be used for initiating or accepting establishment of security contexts.

const CredentialsType CT_ClientCredentials = 1;
The CT_ClientCredentials CredentialsType signifies that the Credentials can be extended to the ClientCredentials type.

const CredentialsType CT_OwnCredentials = 0;
The CT_OwnCredentials CredentialsType signifies that the Credentials can be extended to the OwnCredentials type.

const CredentialsType CT_TargetCredentials = 2;
The CT_TargetCredentials CredentialsType signifies that the Credentials can be extended to the ClientCredentials type.

const CredentialsUsage CU_AcceptOnly = 3;
The CU_AcceptOnly CredentialsUsage value signifies that the credentials can only be used to accept the establishment of security contexts.

const CredentialsUsage CU_Indefinite = 1;
The CU_Indefinite CredentialsUsage value signifies the default. Depending on other acquisition arguments, the credentials usage may be determined implicitly.

const CredentialsUsage CU_InitiateAndAccept = 5;
The CU_InitiateAndAccept CredentialsUsage value signifies that the credentials can be used to both initiate and accept the establishment of security contexts.

const CredentialsUsage CU_InitiateOnly = 4;
The CU_InitiateOnly CredentialsUsage value signifies that the credentials can only be used to initiate the establishment of security contexts.

const CredentialsUsage CU_None = 2;
The CU_None CredentialsUsage value states that the credentials cannot be used to initiate or accept security contexts. ClientCredentials and TargetCredentials have this credentials usage.

const CORBA::PolicyType ContextEstablishmentPolicyType = 168937425;
The ContextEstablishmentPolicyType constant holds the value used to denote the ContextEstablishmentPolicy.

const FeatureDirective FD_DoNotUse = -2;
The FD_DoNotUse FeatureDirective means definitely not to use the feature.

const FeatureDirective FD_DoNotUseIfPossible = -1;
The FD_DoNotUseIfPossible FeatureDirective means not to use the feature if that is possible. Note that some mechanisms may always use confidentiality.

const FeatureDirective FD_Use = 2;
The FD_Use FeatureDirective means definitely to use the feature.

const FeatureDirective FD_UseDefault = 0;
The FD_UseDefault FeatureDirective means to use or not to use the feature depending on defaults.

const FeatureDirective FD_UseIfPossible = 1;
The FD_UseIfPossible FeatureDirective means to use the feature if it is possible.

const CORBA::PolicyType ObjectCredentialsPolicyType = 168937426;
The ObjectCredentialsPolicyType constant holds the value used to denote the ObjectCredentialsPolicy.
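The following is an added example, not code from the TransportSecurity module, that models the CredentialsState/CredentialsUsage rules and the FeatureDirective semantics described above: which credentials may initiate or accept a context, and how a policy directive resolves against a mechanism that may be unable to provide a feature, or unable to turn it off (the note that some mechanisms always use confidentiality). Constant names and values are the module's; the mechanism capability table and the resolve_feature function are constructed for illustration.

```python
# CredentialsState values (from the TransportSecurity module)
CS_Invalid, CS_Expired, CS_PendingRelease, CS_Initialized, CS_Valid = -3, -2, -1, 0, 1
# CredentialsUsage values (from the TransportSecurity module)
CU_Indefinite, CU_None, CU_AcceptOnly, CU_InitiateOnly, CU_InitiateAndAccept = 1, 2, 3, 4, 5
# FeatureDirective values (from the TransportSecurity module)
FD_DoNotUse, FD_DoNotUseIfPossible, FD_UseDefault, FD_UseIfPossible, FD_Use = -2, -1, 0, 1, 2

# Constructed capability table (illustrative, not the product's real mechanism data):
# supported  = mechanism can provide the feature (here: confidentiality)
# always_on  = mechanism cannot operate without it
# default_on = what the mechanism does under FD_UseDefault
MECHANISMS = {
    "TCPIP": {"supported": False, "always_on": False, "default_on": False},
    "TLS":   {"supported": True,  "always_on": True,  "default_on": True},
}


def can_initiate(state, usage):
    """Only CS_Valid credentials establish contexts; usage must include initiating.
    CU_Indefinite is treated as 'not yet determined', so it grants nothing here."""
    return state == CS_Valid and usage in (CU_InitiateOnly, CU_InitiateAndAccept)


def can_accept(state, usage):
    """Only CS_Valid credentials accept contexts; usage must include accepting."""
    return state == CS_Valid and usage in (CU_AcceptOnly, CU_InitiateAndAccept)


def resolve_feature(directive, supported, always_on, default_on):
    """Decide whether a feature is used on a mechanism with the given capabilities.
    Returns True or False, or None when a hard directive (FD_Use / FD_DoNotUse)
    cannot be honoured, so the caller can refuse to establish the context."""
    if directive == FD_Use:
        return True if supported else None          # required but unavailable
    if directive == FD_DoNotUse:
        return None if always_on else False        # forbidden but mechanism forces it
    if directive == FD_UseIfPossible:
        return supported                           # best effort: use when available
    if directive == FD_DoNotUseIfPossible:
        return always_on                           # only used when it cannot be disabled
    if directive == FD_UseDefault:
        return default_on
    raise ValueError(f"unknown FeatureDirective {directive}")


def confidentiality_for(mechanism, directive):
    """Resolve a confidentiality directive against a named mechanism in the table."""
    return resolve_feature(directive, **MECHANISMS[mechanism])
```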
struct IdentityTokenInfo
{
boolean is_absent;
boolean is_anonymous;
CSI::IdentityToken the_token;
SecurityLevel3::SimplePrincipal the_principal;
SecurityLevel3::IdentityStatement the_statement;
};
The IdentityTokenInfo structure is returned by the IdentityTokenGenerator when it generates a CSI Identity token.