DCE 1.1: Authentication and Security Services
Copyright © 1997 The Open Group

NAME

sec_key_mgmt_manage_key - Automatically change a principal's key on a periodic basis.

SYNOPSIS

#include <dce/keymgmt.h>

void sec_key_mgmt_manage_key(
    sec_key_mgmt_authn_service authn_service,
    void *get_key_fn_arg,
    idl_char *principal_name,
    error_status_t *status);

PARAMETERS

Input

authn_service

Identifies the authentication service appropriate for this key.

get_key_fn_arg

Key acquisition routine argument (see <dce/keymgmt.h>).

principal_name

Name of the principal whose key is to be managed.

Output

status

The completion status.

DESCRIPTION

The sec_key_mgmt_manage_key() routine changes (both locally and remotely) the specified principal's key on a periodic basis, as determined by the local cell's policy. It runs indefinitely, never returning during normal operation (and therefore should be invoked only from a dedicated "key management thread").

Conceptually, this routine operates as follows (this description imposes no requirements on implementations). First it queries the login context to determine the password expiration date that applies to the named principal. It then idles until a "short time" (implementation-dependent) before the current key is due to expire, and then calls sec_key_mgmt_gen_rand_key() (or similar functionality), thereby changing both the local key store and the RS datastore to a new random key. This routine may also call sec_key_mgmt_garbage_collect() (or similar functionality) as needed to discard unusable keys from the local key store.
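
The conceptual loop above can be modelled over a simulated clock. This is an added example, not code from the specification or from any DCE implementation. Every name in it is hypothetical, and it assumes a 600-second "short time" and that an "unusable" key is one past its expiration.

```c
#include <stdio.h>
/* Model only: every name here is hypothetical, not DCE API. Times are seconds. */
#define MAX_KEYS 8
#define MARGIN 600 /* assumed "short time" before expiry */

typedef struct { unsigned version; long expires; } key_rec;
typedef struct { key_rec keys[MAX_KEYS]; int count; unsigned next_version; } key_store;

/* Wake time for the next change; a key already inside the margin is changed at once. */
long next_rotation(long now, long expires) {
    long wake = expires - MARGIN;
    return wake > now ? wake : now;
}
/* Stands in for garbage collection: drop keys past expiry, return how many. */
int collect_expired(key_store *ks, long now) {
    int kept = 0, before = ks->count;
    for (int i = 0; i < ks->count; i++)
        if (ks->keys[i].expires > now) ks->keys[kept++] = ks->keys[i];
    ks->count = kept;
    return before - kept;
}
/* Stands in for the random-key change: append a new version (key bytes omitted). */
int rotate(key_store *ks, long now, long lifetime) {
    if (ks->count == MAX_KEYS && collect_expired(ks, now) == 0) return -1; /* store full */
    ks->keys[ks->count].version = ks->next_version++;
    ks->keys[ks->count].expires = now + lifetime;
    ks->count++;
    return 0;
}
/* Simulated management loop from 'now' to 'end'; returns changes made, -1 on bad policy. */
int manage_key_model(key_store *ks, long now, long end, long lifetime) {
    int changes = 0;
    if (lifetime <= MARGIN) return -1; /* would change keys continuously */
    while (ks->count > 0) {
        long wake = next_rotation(now, ks->keys[ks->count - 1].expires);
        if (wake >= end) break;
        now = wake; /* "idle" until shortly before expiry */
        if (rotate(ks, now, lifetime) != 0) break;
        changes++;
        collect_expired(ks, now); /* the old key stays until it expires */
    }
    return changes;
}

int main(void) {
    key_store ks = {{{1, 3600}}, 1, 2}; /* constructed: key v1 expires at t=3600 */
    printf("%d changes\n", manage_key_model(&ks, 0, 10000, 3600));
    return 0;
}
```

In this model the outgoing key overlaps the new one until its own expiration, and a key lifetime no longer than the margin is rejected because the loop would otherwise never idle.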

ERRORS

error_status_ok, sec_rgy_object_not_found, sec_key_mgmt_e_authn_invalid, sec_key_mgmt_e_key_unavailable, sec_key_mgmt_e_key_unsupported, sec_key_mgmt_e_unauthorized, sec_rgy_server_unavailable.

SEE ALSO

Functions: sec_key_mgmt_change_key(), sec_key_mgmt_gen_rand_key(), sec_key_mgmt_garbage_collect().
Please note that the html version of this specification may contain formatting aberrations. The definitive version is available as an electronic publication on CD-ROM from The Open Group.