Products • TrustBroker™
If you have a Kerberos-enabled application and need a robust, multi-platform, supported runtime library implementing the GSS-API v2 standard so that the application can use the Kerberos mechanism, you need the TrustBroker™ Application Security Runtime Library described below. Commercially available applications that use GSS-API for security and are certified to work with the CyberSafe TrustBroker Application Security Runtime Library include Sybase, Oracle and SAP® R/3.

Overview

The TrustBroker™ Application Security Runtime Library is the runtime component used by applications that were developed with the TrustBroker™ Application Security SDK, or by applications written to the GSS-API v2 standard that need a GSS-API implementation at execution time.

The Runtime Library is provided as a .DLL on Windows and as a shared library on UNIX and Linux platforms. An installation program checks that the prerequisites are installed and configured correctly. The installation package can also be run silently (with no user interaction) to aid software distribution.

A complementary Runtime Library package is available for Java applications. The TrustBroker™ Application Security Java Runtime Library is implemented using JNI (Java Native Interface) and therefore includes the necessary native files from this package.

Application Interfaces

The diagram below shows the interfaces for both non-Java and Java based applications. A single GSS-API implementation and Kerberos protocol library, with a shared set of configuration settings, is used behind both application interfaces, giving a consistent solution that aids interoperability and usability.

Operating Systems

The following operating systems are supported by the Runtime Library:

  • Microsoft® Windows® 2000, XP & 2003 on x86 (32-bit)
  • SUN Solaris™ Versions 8, 9 & 10 on Sparc (32-bit & 64-bit)
  • SUN Solaris™ Version 10 on x86 (32-bit)
  • SUN Solaris™ Version 10 on x86_64 (AMD64) (32-bit & 64-bit)
  • Compaq Tru64™ Versions 4.0D, 5.0, 5.1, 5.1A & 5.1B (64-bit)
  • IBM AIX™ Versions 5.1, 5.2 & 5.3 on PowerPC (32-bit & 64-bit)
  • i5/OS v5r3 or later on IBM Series i (32-bit & 64-bit)
  • Hewlett Packard HP/UX™ Versions 11 & 11i v1 or v2 on PA-RISC (32-bit & 64-bit)
  • Hewlett Packard HP/UX™ Version 11i v2 on Itanium (IA-64) (32-bit & 64-bit)
  • Red Hat Linux Version 7.2 or later on x86 (32-bit)
  • Red Hat Enterprise Linux (RHEL) Version 3 on x86 (32-bit)
  • Red Hat Enterprise Linux (RHEL) Version 4 on x86_64 (AMD64 / EM64T) (32-bit & 64-bit)
  • Red Hat Enterprise Linux (RHEL) Version 4 on PowerPC (e.g. IBM iSeries / pSeries) (32-bit & 64-bit)
  • SuSE Linux Enterprise Server (SLES) Version 8 on x86 (32-bit)
  • SuSE Linux Enterprise Server (SLES) Version 9 on x86_64 (AMD64 / EM64T) (32-bit & 64-bit)
  • SuSE Linux Enterprise Server (SLES) Version 9 on PowerPC (e.g. IBM iSeries / pSeries) (32-bit & 64-bit)

Initiator / Acceptor and Token Formats

Version 2.0.0 Runtime Library (included with TrustBroker v2.0, v2.1 and Devpack 1):

With this version of the GSS-API Runtime a GSS initiator creates initial context tokens using the Pre-RFC1964 mechanism OID {1 3 5 1 5 2} by default. If the environment variable CSF_GSS_VERSION is set to V2, the RFC1964 mechanism OID {1 2 840 113554 1 2 2} is used for token creation instead.

A GSS acceptor using this GSS-API Runtime will accept GSS tokens in either Pre-RFC1964 or RFC1964 format, regardless of which mechanism was selected via the API. When the acceptor generates tokens, it generates Pre-RFC1964 tokens by default; RFC1964 tokens can be generated instead by setting the environment variable CSF_GSS_VERSION to V2.

A GSS acceptor has to generate tokens on context acceptance when mutual authentication is requested, and again whenever it sends a signed (MIC) or sealed (wrapped) message to the initiator. Because the 2.0.0 acceptor chooses its output format from the environment variable rather than from the initiator's token, an initiator that does not support Pre-RFC1964 tokens will most likely report an error when it receives the Pre-RFC1964 tokens the acceptor sends back, even though the acceptor itself accepted the initiator's RFC1964 token. To fix this, either set CSF_GSS_VERSION to V2 on the acceptor so that it creates RFC1964 format tokens, or upgrade the Runtime Library to 2.0.1 or later (see below).

Version 2.0.1 Runtime Library (included with ActiveTRUST v3.0 and v4.0):

As in 2.0.0, a GSS initiator using this GSS-API Runtime creates initial context tokens using the Pre-RFC1964 mechanism OID {1 3 5 1 5 2} by default, and setting the environment variable CSF_GSS_VERSION to V2 switches token creation to the RFC1964 mechanism OID {1 2 840 113554 1 2 2}.

A GSS acceptor using this GSS-API Runtime will accept GSS tokens in either Pre-RFC1964 or RFC1964 format, regardless of which mechanism was selected via the API. When the acceptor generates tokens, it now uses the same format as the initiator chose, so the mismatch described for 2.0.0 no longer occurs.

Version 3.1.0 Runtime Library:

With this version of the GSS-API Runtime the CSF_GSS_VERSION environment variable has been deprecated, and the default has changed: a GSS initiator now uses the RFC1964 mechanism OID {1 2 840 113554 1 2 2} by default, and GSS tokens are created using this OID. If the API is used to select a different OID, such as the Pre-RFC1964 OID, the GSS tokens are created using the selected OID. If the environment variable CSF_GSS_DEFAULT_MECH is set to "Pre-RFC1964", the Pre-RFC1964 mechanism OID {1 3 5 1 5 2} becomes the default instead of the RFC1964 OID, but this only takes effect when the API has not been used to select a mechanism explicitly: an explicit API selection of either OID always wins, and CSF_GSS_DEFAULT_MECH cannot override it in either direction.

A GSS acceptor using this GSS-API Runtime will accept GSS tokens in either Pre-RFC1964 or RFC1964 format, regardless of which mechanism was selected via the API. When the acceptor generates tokens, it uses the same format as the initiator chose.
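The three version descriptions above amount to a small decision table: which mechanism OID the initiator puts in its first token, and which format the acceptor answers with. The following added example (written for this page, not CyberSafe's code) makes that table executable and shows how an acceptor can tell the two formats apart in the first place: both are RFC 2743 initial context tokens whose thisMech OID is either {1 3 5 1 5 2} or {1 2 840 113554 1 2 2}. Only the two OIDs and the environment-variable rules come from the page; the function names, the version strings used as keys, and the sample inner token are assumptions made here.

```python
"""Added example (not CyberSafe code): inspect RFC 2743 initial context tokens and
apply the page's per-version rules for which Kerberos mechanism OID each side emits."""
from typing import Dict, Optional, Set, Tuple

Oid = Tuple[int, ...]

# The two mechanism OIDs named on the page.
PRE_RFC1964_OID: Oid = (1, 3, 5, 1, 5, 2)            # {1 3 5 1 5 2}
RFC1964_OID: Oid = (1, 2, 840, 113554, 1, 2, 2)       # {1 2 840 113554 1 2 2}
MECH_NAMES: Dict[Oid, str] = {PRE_RFC1964_OID: "Pre-RFC1964", RFC1964_OID: "RFC1964"}


def _base128(n: int) -> bytes:
    """One OID arc as big-endian base-128 with continuation bits (X.690 8.19)."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def encode_oid(arcs: Oid) -> bytes:
    """DER OBJECT IDENTIFIER TLV; the first two arcs are packed as 40*a + b."""
    body = _base128(40 * arcs[0] + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    return bytes([0x06, len(body)]) + body


def decode_oid(tlv: bytes) -> Oid:
    """Inverse of encode_oid; rejects truncated or mislabelled TLVs."""
    if len(tlv) < 3 or tlv[0] != 0x06 or tlv[1] != len(tlv) - 2 or tlv[-1] & 0x80:
        raise ValueError("not a well-formed OID TLV")
    arcs, value = [], 0
    for byte in tlv[2:]:
        value = (value << 7) | (byte & 0x7F)
        if byte & 0x80:            # continuation bit: arc not finished yet
            continue
        if not arcs:               # first subidentifier carries two arcs
            arcs.extend((value // 40, value % 40) if value < 80 else (2, value - 80))
        else:
            arcs.append(value)
        value = 0
    return tuple(arcs)


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _read_der_len(buf: bytes, pos: int) -> Tuple[int, int]:
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def wrap_initial_token(mech: Oid, inner: bytes) -> bytes:
    """RFC 2743 3.1 framing: [APPLICATION 0] { thisMech OID, innerContextToken }."""
    oid = encode_oid(mech)
    return b"\x60" + _der_len(len(oid) + len(inner)) + oid + inner


def peek_mechanism(token: bytes) -> Oid:
    """Return thisMech from an initial context token: this is how an acceptor can
    tell Pre-RFC1964 from RFC1964 before handing the token to the mechanism."""
    if len(token) < 2 or token[0] != 0x60:
        raise ValueError("not an RFC 2743 initial context token")
    total, pos = _read_der_len(token, 1)
    if total < 2 or pos + total != len(token) or token[pos] != 0x06:
        raise ValueError("bad outer length or missing thisMech OID")
    return decode_oid(token[pos:pos + 2 + token[pos + 1]])


def initiator_mech(version: str, env: Dict[str, str], api_mech: Optional[Oid] = None) -> Oid:
    """Mechanism OID the initiator's first token will carry, per the page's rules."""
    if version in ("2.0.0", "2.0.1"):
        return RFC1964_OID if env.get("CSF_GSS_VERSION") == "V2" else PRE_RFC1964_OID
    if version == "3.1.0":
        if api_mech is not None:                      # explicit API choice always wins
            return api_mech
        if env.get("CSF_GSS_DEFAULT_MECH") == "Pre-RFC1964":
            return PRE_RFC1964_OID
        return RFC1964_OID
    raise ValueError(f"no rule for runtime version {version}")


def acceptor_reply_mech(version: str, env: Dict[str, str], received: bytes) -> Oid:
    """Format of the tokens the acceptor sends back (mutual-auth reply, MIC, wrap)."""
    initiator = peek_mechanism(received)
    if initiator not in MECH_NAMES:
        raise ValueError(f"unsupported mechanism {initiator}")
    if version == "2.0.0":                            # 2.0.0 ignores the initiator's format
        return RFC1964_OID if env.get("CSF_GSS_VERSION") == "V2" else PRE_RFC1964_OID
    return initiator                                  # 2.0.1 and 3.1.0 mirror it


def reply_acceptable(version: str, env: Dict[str, str], received: bytes,
                     initiator_supports: Set[Oid]) -> bool:
    # False exactly in the 2.0.0 interop failure described above.
    return acceptor_reply_mech(version, env, received) in initiator_supports


if __name__ == "__main__":
    # Constructed stand-in for the inner token (TOK_ID 01 00 followed by the AP-REQ).
    tok = wrap_initial_token(RFC1964_OID, b"\x01\x00" + b"<AP-REQ>")
    for ver in ("2.0.0", "2.0.1", "3.1.0"):
        print(ver, MECH_NAMES[acceptor_reply_mech(ver, {}, tok)],
              reply_acceptable(ver, {}, tok, {RFC1964_OID}))
```

Run against a token captured from a failing initiator (for example the first AP-REQ carrier in a trace), `peek_mechanism` tells you which OID the initiator actually sent, and `acceptor_reply_mech` tells you what a given runtime version will answer with; when the two differ on a 2.0.0 acceptor, set CSF_GSS_VERSION=V2 there or upgrade, exactly as the 2.0.0 notes say.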