Akenti Client API

Client library interfaces

These interfaces can be called from either C or C++. They send a message to an Akenti server asking it to check access for a user, and they return a pointer to a capability certificate for that user. Functions are provided that extract the components of the capability certificate from that pointer. The interface must be initialized from an Akenti client configuration file before the first checkAccess call.

Using these interfaces instead of the direct calls allows the Akenti server to be run independently of a resource gatekeeper. The Akenti server may run on a different machine from the resource gatekeeper and may handle resource authorization for more than one gatekeeper. If the Akenti server is run on a remote host, the connection must either be configured to run over SSL or the gatekeeper must verify the signature of each returned capability certificate; without one of the two, a capability received over the network is an unauthenticated claim that anything on the path could have forged or altered.

The client interface must be initialized before the first check-access call. The initialization function takes a client configuration file, which defines where to find the server and provides whatever credentials are needed to initialize an SSL connection or to verify a capability certificate.


#include <AkEngInf.h>
#include <cap.h>

int akentiClientInit(const char *confFile, char**status);

where:
confFile the name of a client configuration file
status returned error message


#include <AkEngInf.h>
#include <cap.h>

int remoteCheckAccess(const char *subjectDN,
                      const char *subjectCA,
                      const char *resource,
                      CapCert* cert,
                      AKMessage* mesg);

int remoteCheckAccessByCertFile(const char *subjectCertFile,
                                const char *resource,
                                CapCert* cert,
                                AKMessage* mesg);

int remoteCheckAccessByCertString(const char *subjectCert,
                                  const char *resource,
                                  CapCert* cert,
                                  AKMessage* mesg);


where:
subjectDN Distinguished Name of the user requesting access
subjectCA DN of the CA that issued the user's certificate (the subjectDN)
subjectCertFile a file containing a PEM encoded X.509 certificate or certificate chain for the user requesting access
subjectCert a string containing a PEM encoded X.509 certificate for the user requesting access
resource name of the resource as requested by the user
cert returned pointer to a capability certificate containing the resource name, the user's DN, the user's rights and any conditions on those rights
mesg returned AKMessage holding a numeric status code and a description of the result

Methods for examining CapCert and AKMessage

The CapCert is a certificate signed with the Akenti credentials that contains the name of the resource, validity dates, the name of the user, any unconditional rights granted to the user, and any conditional rights together with the constraint that must hold before each may be used. See Capability Certificate. There is a complete set of methods in cap.h to look at each of the pieces of the capability certificate.

AKMessage is a structure containing a numeric error code and a description of the error. Methods to extract the pieces are also in cap.h.
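The gatekeeper's side of the exchange, as an added example that is not Akenti code: it models the decision a gatekeeper makes from the pieces of a returned capability certificate (resource name, user DN, validity dates, unconditional actions, and conditional actions with their critical flag) and enforces the points above. A capability is honoured only for the resource and subject it names and only within its validity dates; an unconditional action is allowed outright; a conditional action is allowed only when its constraint evaluates true; and a critical constraint the gatekeeper cannot evaluate denies the action. The CapModel and CondModel structs, the "hour<N" constraint syntax, the sample capability, and the rule that an unevaluable non-critical constraint is ignored are assumptions of this example; a real gatekeeper reads the same fields through the CapCert_* and CondAct_* accessors in cap.h, after the library has verified the certificate's signature or received it over SSL as required above.

```c
/* Added example, not part of Akenti: a gatekeeper's decision from a
 * capability certificate. CapModel/CondModel stand in for CapCert and
 * CondActions; a real gatekeeper reads these values via the cap.h accessors. */
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MAX_ACTIONS 8
#define SAMPLE_RESOURCE "https://example.org/data"     /* constructed */
#define SAMPLE_DN       "/C=US/O=Example/CN=Alice"     /* constructed */

typedef struct {
    int critical;                      /* cf. CondAct_isCritical */
    const char *constraint;            /* cf. CondAct_getConstraint */
    int numActions;                    /* cf. CondAct_numOfActions */
    const char *actions[MAX_ACTIONS];  /* cf. CondAct_actionAt */
} CondModel;

typedef struct {
    const char *resource;              /* resource name in the certificate */
    const char *subjectDN;             /* user's DN in the certificate */
    time_t notBefore, notAfter;        /* validity dates */
    int numGranted;                    /* cf. CapCert_numOfGrantedActions */
    const char *granted[MAX_ACTIONS];  /* cf. CapCert_grantedActionAt */
    int numCond;                       /* cf. CapCert_numOfCondActions */
    CondModel cond[4];                 /* cf. CapCert_condActionsAt */
} CapModel;

/* Constraint evaluator supplied by the gatekeeper: 1 if the constraint
 * holds, 0 if it fails, -1 if the gatekeeper cannot evaluate it at all. */
typedef int (*ConstraintEval)(const char *constraint, void *ctx);

typedef enum { DENY = 0, ALLOW = 1 } Decision;

static int listHas(const char *const *list, int n, const char *action) {
    for (int i = 0; i < n; i++)
        if (strcmp(list[i], action) == 0) return 1;
    return 0;
}

/* Decide whether subjectDN may perform action on resource at time now. */
Decision gatekeeperDecide(const CapModel *cap, const char *resource,
                          const char *subjectDN, const char *action,
                          time_t now, ConstraintEval eval, void *ctx) {
    /* A capability speaks only for the resource and user it names, and only
     * while valid: a mismatch is denied regardless of the rights inside. */
    if (strcmp(cap->resource, resource) != 0) return DENY;
    if (strcmp(cap->subjectDN, subjectDN) != 0) return DENY;
    if (now < cap->notBefore || now > cap->notAfter) return DENY;

    /* Unconditional rights are granted outright. */
    if (listHas(cap->granted, cap->numGranted, action)) return ALLOW;

    /* Conditional rights are usable only once their constraint is evaluated. */
    for (int i = 0; i < cap->numCond; i++) {
        const CondModel *c = &cap->cond[i];
        if (!listHas(c->actions, c->numActions, action)) continue;
        int r = eval(c->constraint, ctx);
        if (r == 1) return ALLOW;                    /* constraint holds */
        if (r == -1 && !c->critical) return ALLOW;   /* assumed policy: unevaluable non-critical constraint is ignored */
        /* r == 0, or an unevaluable critical constraint: this entry grants nothing */
    }
    return DENY;
}

/* Constructed evaluator: understands only constraints of the form "hour<N"
 * (ctx points to the gatekeeper's current hour); anything else is unknown. */
int hourEval(const char *constraint, void *ctx) {
    int limit, hour = *(int *)ctx;
    if (sscanf(constraint, "hour<%d", &limit) == 1) return hour < limit;
    return -1;
}

/* Constructed sample capability: "read" unconditionally; "write" before 17:00
 * (critical); "execute" under a non-critical constraint this gatekeeper does
 * not understand; "admin" under a critical constraint it does not understand. */
CapModel sampleCap(void) {
    CapModel cap = {
        .resource = SAMPLE_RESOURCE, .subjectDN = SAMPLE_DN,
        .notBefore = 1000, .notAfter = 2000,
        .numGranted = 1, .granted = { "read" },
        .numCond = 3,
        .cond = {
            { .critical = 1, .constraint = "hour<17",      .numActions = 1, .actions = { "write" } },
            { .critical = 0, .constraint = "group=staff",  .numActions = 1, .actions = { "execute" } },
            { .critical = 1, .constraint = "site=trusted", .numActions = 1, .actions = { "admin" } },
        },
    };
    return cap;
}

/* Decide action against the sample capability at time now, with the
 * gatekeeper's clock reading hour. Returns ALLOW (1) or DENY (0). */
int decideSample(const char *resource, const char *subjectDN,
                 const char *action, long now, int hour) {
    CapModel cap = sampleCap();
    return gatekeeperDecide(&cap, resource, subjectDN, action, (time_t)now, hourEval, &hour);
}

int main(void) {
    const char *actions[] = { "read", "write", "execute", "admin", "delete" };
    for (int h = 9; h <= 18; h += 9)
        for (size_t i = 0; i < sizeof actions / sizeof actions[0]; i++)
            printf("%-7s at %2d:00 -> %s\n", actions[i], h,
                   decideSample(SAMPLE_RESOURCE, SAMPLE_DN, actions[i], 1500, h) ? "ALLOW" : "DENY");
    return 0;
}
```

The two checks that matter most are the ones the page's own example program does not show: the capability is matched against the request (resource, subject, time) before any right in it is read, and an entry whose critical constraint the gatekeeper does not understand grants nothing, so "admin" is denied even though the certificate lists it.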

Example C program to check access from a standalone Akenti Server


/**
  * Program to check a user's access to a specified resource
  *   Usage: EngInfTest <UserCertificate> <Resource> <config-file>
  *        prints out unconditional and conditional actions
  */
#include <stdio.h>
#include <stdlib.h>      /* exit */
#include "AkEngInf.h"
#include "cap.h"

int main (int argc, char *argv[]) {
  char *status = NULL;
  AKMessage repStatus = NULL;
  CapCert cap = NULL;
  CondActions cAct;
  int i,j;

  if (argc < 4 ) {
    printf ("Usage is EngInfTest UserCertificate Resource config-file \n");
    exit (-1);
  }

  /* Initialize from the client configuration file before the first check.
     A nonzero return is treated as failure, the convention remoteCheckAccess uses. */
  if (akentiClientInit(argv[3],&status) != 0) {
    printf ("Initialization failed: %s\n", status ? status : "(no message)");
    exit (-1);
  }
  if (status != NULL) printf ("%s\n",status);

  if (remoteCheckAccessByCertFile(argv[1], argv[2], &cap,&repStatus) == 0 ) {
     printf ("Status:%d %s\n",AKMsg_getCode(repStatus), AKMsg_getDescription(repStatus));
     /* Unconditional actions: granted outright */
     printf ("Actions granted are: ");
     for (i=0; i < CapCert_numOfGrantedActions(cap); i++){
        printf ("%s ", CapCert_grantedActionAt(cap,i));
     }
     printf ("\n\n");
     /* Conditional actions: each is usable only after the gatekeeper evaluates
        its constraint; a critical constraint must be evaluated, not skipped */
     printf ("Conditional actions are: \n");
     for (i=0;i < CapCert_numOfCondActions(cap); i++){
        cAct = CapCert_condActionsAt(cap,i);
        if (CondAct_isCritical(cAct)) {
           printf ("Critical constraint is %s \n",CondAct_getConstraint(cAct));
        } else {
           printf ("Non-critical constraint is %s \n", CondAct_getConstraint(cAct));
        }
        printf ("Actions granted are: ");
        for (j = 0; j < CondAct_numOfActions(cAct); j++) {
           printf ("%s ", CondAct_actionAt(cAct,j));
        }
        printf ("\n");
     }
  } else {
    printf("Call failed: %d %s\n",AKMsg_getCode(repStatus),AKMsg_getDescription(repStatus));
  }
  CapCert_free(cap);
  AKMsg_free(repStatus);
  return 0;
}


Last modified: Mon Dec 9 15:56:16 PST 2002