Akenti Client API
Using these interfaces instead of the direct calls allows the Akenti server to be run independently of a resource gatekeeper. The Akenti server may be run on a different machine than the resource gatekeeper and may handle resource authorization for more than one gatekeeper. If the Akenti server is run on a remote host, it must either be configured to run over SSL or the gatekeeper must verify the signature of the returned capability certificates.
The client interface must be initialized before the first check-access call. The initialization call takes a client configuration file which defines where to find the server and provides whatever credentials are needed for initializing an SSL connection or verifying a capability certificate.
#include <AkEngInf.h>
#include <cap.h>

int akentiClientInit(const char *confFile, char **status);

where:
confFile | the name of a client configuration file
status | returned error message
#include <AkEngInf.h>
#include <cap.h>

int remoteCheckAccess(const char *subjectDN,
                      const char *subjectCA,
                      const char *resource,
                      CapCert* cert,
                      AKMessage* mesg);

int remoteCheckAccessByCertFile(const char *subjectCertFile,
                                const char *resource,
                                CapCert* cert,
                                AKMessage* mesg);

int remoteCheckAccessByCertString(const char *subjectCert,
                                  const char *resource,
                                  CapCert* cert,
                                  AKMessage* mesg);
where:
subjectDN | Distinguished Name of the user requesting access
subjectCA | DN of the CA that issued the subjectDN
subjectCertFile | a file containing a PEM encoded X.509 certificate or certificate chain for the user requesting access
subjectCert | a string containing a PEM encoded X.509 certificate or certificate chain for the user requesting access
resource | name of the resource as requested by the user
cert | returned pointer to a capability certificate containing the resource name, the user's DN, his rights, and any conditions on those rights
mesg | returned pointer to an AKMessage containing a numeric code and a description of the result
Methods for examining CapCert and AKMessage
The CapCert is a certificate signed with the Akenti credentials that contains the name of the resource, validity dates, the name of the user, any unconditional rights granted to the user and any conditional rights. See Capability Certificate. There is a complete set of methods in cap.h to look at each of the pieces of the capability certificate.
AKMessage is a structure containing a numeric error code and a description of the error. Methods to extract the pieces are also in cap.h.
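The gatekeeper, not the Akenti server, is the component that turns the contents of the capability certificate into an allow/deny decision: it grants an action outright when it is in the unconditional list, and otherwise only when it can evaluate the constraint attached to the conditional action. The following is an added example, not code from the Akenti distribution; it builds without the Akenti library by using a constructed `CapCertModel`/`CondActionsModel` pair that mirrors the information the `CapCert_*` and `CondAct_*` accessors in cap.h expose. The constraint language (`hour<N`, `hour>=N`) and the rule that an unevaluable critical constraint causes denial are assumptions made for the example.

```c
/* Added example (not Akenti's own code): a gatekeeper's decision over the
 * pieces of a capability certificate. CapCertModel/CondActionsModel are
 * constructed stand-ins for the CapCert/CondActions accessors in cap.h. */
#include <stdio.h>
#include <string.h>

#define MAX_ACTIONS 8
#define MAX_COND 4

typedef struct {
    int critical;                  /* constraint the gatekeeper must be able to evaluate */
    const char *constraint;        /* constraint text, e.g. "hour<17" (constructed grammar) */
    int num_actions;
    const char *actions[MAX_ACTIONS];
} CondActionsModel;

typedef struct {
    int num_granted;               /* unconditional actions */
    const char *granted[MAX_ACTIONS];
    int num_cond;                  /* conditional action blocks */
    CondActionsModel cond[MAX_COND];
} CapCertModel;

/* Gatekeeper's evaluation of one constraint: 1 true, 0 false,
 * -1 the gatekeeper has no way to evaluate it. */
typedef int (*ConstraintEvaluator)(const char *constraint, void *ctx);

static int list_contains(const char **list, int n, const char *item) {
    for (int i = 0; i < n; i++)
        if (strcmp(list[i], item) == 0) return 1;
    return 0;
}

/* Returns 1 if `action` may be performed, 0 otherwise (fails closed). */
int gatekeeper_allows(const CapCertModel *cap, const char *action,
                      ConstraintEvaluator eval, void *ctx) {
    if (list_contains(cap->granted, cap->num_granted, action))
        return 1;                                   /* unconditional right */
    for (int i = 0; i < cap->num_cond; i++) {
        const CondActionsModel *c = &cap->cond[i];
        if (!list_contains(c->actions, c->num_actions, action))
            continue;
        int r = eval(c->constraint, ctx);
        if (r == 1) return 1;                       /* constraint satisfied */
        if (r == -1 && c->critical) return 0;       /* assumption: unevaluable critical constraint denies */
        /* constraint false, or non-critical and unevaluable: this block grants nothing */
    }
    return 0;
}

typedef struct { int hour; } RequestContext;

/* Constructed toy evaluator: understands only "hour<N" and "hour>=N";
 * anything else is reported as unevaluable (-1). */
static int toy_evaluator(const char *constraint, void *ctx) {
    const RequestContext *rc = ctx;
    int n;
    if (sscanf(constraint, "hour<%d", &n) == 1) return rc->hour < n;
    if (sscanf(constraint, "hour>=%d", &n) == 1) return rc->hour >= n;
    return -1;
}

/* Constructed capability: "read" unconditional, "write" only before 17:00,
 * "delete" only under a critical constraint this gatekeeper cannot evaluate. */
static const CapCertModel sample_cap = {
    1, {"read"},
    2, {
        {0, "hour<17", 1, {"write"}},
        {1, "site-specific-check", 1, {"delete"}},
    }
};

/* Decide `action` for a request arriving at the given hour. */
int decide(const char *action, int hour) {
    RequestContext rc = { hour };
    return gatekeeper_allows(&sample_cap, action, toy_evaluator, &rc);
}

int main(void) {
    printf("read   at 10h -> %d\n", decide("read", 10));
    printf("write  at 10h -> %d\n", decide("write", 10));
    printf("write  at 18h -> %d\n", decide("write", 18));
    printf("delete at 10h -> %d\n", decide("delete", 10));
    return 0;
}
```

In a real gatekeeper the `CapCertModel` fields would be filled from `CapCert_grantedActionAt`, `CapCert_condActionsAt`, `CondAct_isCritical`, `CondAct_getConstraint` and `CondAct_actionAt` on the certificate returned by `remoteCheckAccess`, and the evaluator would implement whatever constraint language the site's use-condition certificates actually employ.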
/**
 * Program to check a user's access to a specified resource
 * Usage: EngInfTest <UserCertificate> <Resource> <config-file>
 * prints out unconditional and conditional actions
 */
#include <stdio.h>
#include <stdlib.h>
#include "AkEngInf.h"
#include "cap.h"

int main (int argc, char *argv[]) {
  char *status = NULL;          /* error message returned by akentiClientInit */
  AKMessage repStatus = NULL;   /* code and description returned by the check */
  CapCert cap = NULL;           /* capability certificate returned on success */
  CondActions cAct;
  int i,j;

  if (argc < 4 ) {
    printf ("Usage is EngInfTest UserCertificate Resource config-file \n");
    exit (-1);
  }

  /* Read the client configuration: server location and SSL/signature credentials */
  akentiClientInit(argv[3],&status);
  if (status != NULL) {
    printf ("%s\n",status);
  }

  /* Ask the Akenti server for a capability certificate for this user and resource */
  if (remoteCheckAccessByCertFile(argv[1], argv[2], &cap,&repStatus) == 0 ) {
    printf ("Status:%d %s\n",AKMsg_getCode(repStatus), AKMsg_getDescription(repStatus));

    /* Unconditional rights */
    printf ("Actions granted are: ");
    for (i=0; i < CapCert_numOfGrantedActions(cap); i++){
      printf ("%s ", CapCert_grantedActionAt(cap,i));
    }
    printf ("\n\n");

    /* Conditional rights: each block carries a constraint and the actions it governs */
    for (i=0;i < CapCert_numOfCondActions(cap); i++){
      printf ("Conditional actions are: \n");
      cAct = CapCert_condActionsAt(cap,i);
      if (CondAct_isCritical(cAct)) {
        printf ("Critical constraint is %s \n",CondAct_getConstraint(cAct));
      } else {
        printf ("Non-critical constraint is %s \n", CondAct_getConstraint(cAct));
      }
      printf ("Actions granted are: ");
      for (j = 0; j < CondAct_numOfActions(cAct); j++) {
        printf ("%s ", CondAct_actionAt(cAct,j));
      }
      printf ("\n");
    }
  } else {
    printf("Call failed: %d %s\n",AKMsg_getCode(repStatus),AKMsg_getDescription(repStatus));
  }

  CapCert_free(cap);
  AKMsg_free(repStatus);
  exit (0);
}