Principals and Credentials

The identity under which an application engages in JGSS secure communication with a peer is called the principal. A principal can be a real user or an unattended service. A principal acquires security mechanism-specific credentials as proof of identity under that mechanism. For example, when using the Kerberos mechanism, a principal's credential takes the form of a ticket-granting ticket (TGT) issued by a Kerberos key distribution center (KDC). In a multi-mechanism environment, a GSSAPI credential can contain multiple credential elements, each element representing the credential of one underlying mechanism.

The GSSAPI standard does not prescribe how a principal acquires credentials, and GSSAPI implementations typically do not provide a means of credential acquisition. A principal obtains credentials before using GSSAPI; GSSAPI merely queries the security mechanism for those credentials on behalf of the principal.

IBM JGSS provides Java™ versions of the traditional Kerberos credential management tools kinit, ktab and klist. Moreover, using JAAS, IBM JGSS extends standard GSSAPI with an optional Kerberos login interface. This interface is one of the JAAS features provided by IBM JGSS.
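The sequence described above, credentials acquired before GSSAPI is used and then merely queried by GSSAPI, as an added example that is not part of the IBM JGSS documentation: a JAAS login obtains the Kerberos TGT, and JGSS, running as the logged-in subject, wraps it as a GSSCredential whose mechanism elements are then listed. The JAAS entry name "JGSSClient" and the KDC reachable from the host are assumptions; the login module and its options in that entry depend on the JGSS provider in use.

```java
// Added example, not IBM JGSS product code. Assumes a JAAS configuration entry
// named "JGSSClient" (selected with -Djava.security.auth.login.config=<file>)
// that names the provider's Kerberos login module, and a reachable KDC.
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

public class AcquireKerberosCredential {

    public static void main(String[] args) throws Exception {
        // Kerberos V5 mechanism OID (RFC 1964).
        final Oid krb5Mech = new Oid("1.2.840.113554.1.2.2");

        // Step 1: the principal obtains its TGT outside GSSAPI, here via the
        // JAAS login interface. Nothing GSS-related has happened yet.
        LoginContext lc = new LoginContext("JGSSClient");
        lc.login();
        Subject subject = lc.getSubject();

        // Step 2: run GSSAPI as that subject. createCredential does not log in;
        // it only asks the Kerberos mechanism for credentials the subject holds.
        GSSCredential cred = Subject.doAs(subject,
            (PrivilegedExceptionAction<GSSCredential>) () -> {
                GSSManager manager = GSSManager.getInstance();
                // A null name selects the subject's default Kerberos principal.
                return manager.createCredential(null,
                        GSSCredential.DEFAULT_LIFETIME, krb5Mech,
                        GSSCredential.INITIATE_ONLY);
            });

        // Step 3: inspect the credential elements. In a multi-mechanism
        // credential getMechs() returns one OID per underlying element.
        System.out.println("Principal: " + cred.getName());
        for (Oid mech : cred.getMechs()) {
            System.out.println("Mechanism element " + mech
                    + ", usable to initiate for (s): "
                    + cred.getRemainingInitLifetime(mech));
        }

        // Release the GSS credential and end the JAAS login session.
        cred.dispose();
        lc.logout();
    }
}
```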