In either case, a handle to the resulting persona will be returned as specified by item code ACME$_PERSONA_HANDLE_OUT.
When a new persona is created, the ISS$_PRIMARY_EXTENSION designator indicates which persona extension representing the domain of interpretation was responsible for authenticating the user.
On a subsequent call, $ACM uses that designator to guide processing of the ACME$M_DEFAULT_PRINCIPAL function modifier, for instance on an ACME$_FC_CHANGE_PASSWORD request.
This function requires the ACME$_NEW_PASSWORD_FLAGS item code.
To determine what event processing might be available, see the documentation provided by the vendors of the supporting ACME agents.
To determine what query processing might be available, see the documentation provided by the vendors of the supporting ACME agents.
Table SYS-11 indicates which Function Modifiers are applicable to the various Function Codes:
| Function Modifiers | Authenticate Principal | Change Password | Event | Free Context | Query | Release Credentials |
|---|---|---|---|---|---|---|
| ACME$M_ACQUIRE_CREDENTIALS | IP | | | | | |
| ACME$M_COPY_PERSONA | <> | | | | | |
| ACME$M_DEFAULT_PRINCIPAL | <> | <> | | | | |
| ACME$M_FOREIGN_POLICY_HINTS | SR | | | | | |
| ACME$M_MERGE_PERSONA | <> | | | | | |
| ACME$M_NOAUDIT | SR | | | | | |
| ACME$M_NOAUTHORIZATION | SR | | | | | |
| ACME$M_OVERRIDE_MAPPING | IR | | | | | |
| ACME$M_TIMEOUT | | | | | | |
| ACME$M_UCS2_4 | <> | <> | <> | <> | <> | |
<> ---Permitted
IP---IMPERSONATE Privilege Required for the MAPPED_VMS_USERNAME to differ from the one current when the initial call to $ACM is made
IR---IMPERSONATE Privilege Required to override default values
SR---SECURITY Privilege Required
ACME$M_ACQUIRE_CREDENTIALS
The ACME$M_ACQUIRE_CREDENTIALS function modifier requests that credentials be acquired during a successful authentication.
ACME$M_COPY_PERSONA
The ACME$M_COPY_PERSONA function modifier requests that acquired credentials be attached to a copy of the persona specified with item code ACME$_PERSONA_HANDLE_IN.
ACME$M_DEFAULT_PRINCIPAL
The ACME$M_DEFAULT_PRINCIPAL function modifier specifies that the principal name and target domain of interpretation should be taken from the input persona, for example when changing the password of the logged-in user or reauthenticating the logged-in user.
ACME$M_FOREIGN_POLICY_HINTS
The ACME$M_FOREIGN_POLICY_HINTS function modifier indicates that ACME agents should honor the ACME$M_NOAUDIT and ACME$M_NOAUTHORIZATION function modifiers for non-VMS domains of interpretation.
ACME$M_MERGE_PERSONA
The ACME$M_MERGE_PERSONA function modifier requests that acquired credentials be attached to the persona specified with item code ACME$_PERSONA_HANDLE_IN.
ACME$M_NOAUDIT
The ACME$M_NOAUDIT function modifier indicates that auditing actions should not be performed. Unless the ACME$M_FOREIGN_POLICY_HINTS function modifier is also specified, this modifier applies only to the VMS domain of interpretation.
ACME$M_NOAUTHORIZATION
The ACME$M_NOAUTHORIZATION function modifier indicates that authorization restrictions, such as the enforcement of modal constraints, should not apply. This provides a mechanism for performing pure authentication operations. Unless the ACME$M_FOREIGN_POLICY_HINTS function modifier is also specified, this modifier applies only to the VMS domain of interpretation.
ACME$M_OVERRIDE_MAPPING
The ACME$M_OVERRIDE_MAPPING function modifier allows for the acquisition of non-VMS credentials during a persona merge or copy operation. This occurs when an externally authorized principal name maps to an OpenVMS user name that differs from the user name associated with the native (VMS) credentials. By default, mixing credentials is prohibited.
ACME$M_TIMEOUT
The ACME$M_TIMEOUT modifier indicates that the caller requests timeout processing. The timeout interval is specified by the ACME$_TIMEOUT_INTERVAL item code. Timeout processing is always enforced for non-privileged callers. Privileged callers (those running in exec mode or kernel mode, or possessing SECURITY privilege) must explicitly specify ACME$M_TIMEOUT for timeout processing to be enforced.
ACME$M_UCS2_4
The ACME$M_UCS2_4 function modifier indicates that item codes that specify string values use a 4-byte UCS-2 (Unicode) representation rather than 8-bit ASCII.
Item codes are 16-bit unsigned values and are encoded as follows:
The item codes can be categorized in three different ways and are described as follows:
See the Item Codes section for a description of the common item codes and their data formats.
Documentation of ACME-specific codes in general comes in the documentation from the vendor of each ACME agent.
For documentation of ACME-specific codes for the VMS ACME, see the VMS ACME-specific Item Codes section of this description.
Common Item Codes
This section describes the common item codes for the function codes supported by the $ACM service.
The item code space is partitioned into common items and ACME-specific items. ACME-specific items are used to request information that is unique to a particular domain of interpretation. The item codes described in this section fall into the common item code space.
Table SYS-12 indicates which Common Item Codes are applicable to the various Function Codes:
| Item Codes | Authenticate Principal | Change Password | Event | Free Context | Query | Release Credentials |
|---|---|---|---|---|---|---|
| ACME$_ACCESS_MODE | <> | | | | | |
| ACME$_ACCESS_PORT (U) | IR | IR | | | | |
| ACME$_AUTH_MECHANISM | <> | | | | | |
| ACME$_AUTHENTICATING_DOI_ID (O) | <> | <> | | | | |
| ACME$_AUTHENTICATING_DOI_NAME (U,O) | <> | <> | | | | |
| ACME$_CHAIN | <> | <> | <> | <> | <> | |
| ACME$_CHALLENGE_DATA | IR | | | | | |
| ACME$_CONTEXT_ACME_ID (U) | <> | <> | | | | |
| ACME$_CONTEXT_ACME_NAME | <> | <> | | | | |
| ACME$_CREDENTIALS_NAME (U) | <>++ | | | | | |
| ACME$_CREDENTIALS_TYPE | <>++ | | | | | |
| ACME$_DIALOGUE_SUPPORT | <> | <> | | | | |
| ACME$_EVENT_DATA_IN | <> | | | | | |
| ACME$_EVENT_DATA_OUT (O) | <> | | | | | |
| ACME$_EVENT_TYPE | <> | | | | | |
| ACME$_LOCALE (U) | <> | <> | | | | |
| ACME$_LOGON_INFORMATION (O) | <> | | | | | |
| ACME$_LOGON_TYPE | <> | | | | | |
| ACME$_MAPPED_VMS_USERNAME (U,O) | <> | <> | | | | |
| ACME$_MAPPING_ACME_ID (O) | <> | <> | | | | |
| ACME$_MAPPING_ACME_NAME (U,O) | <> | <> | | | | |
| ACME$_NEW_PASSWORD_1 (U) | <> | <> | | | | |
| ACME$_NEW_PASSWORD_2 (U) | <> | <> | | | | |
| ACME$_NEW_PASSWORD_FLAGS | <> | <> | | | | |
| ACME$_NEW_PASSWORD_SYSTEM (U) | SR | SR | | | | |
| ACME$_NULL | <> | <> | <> | <> | <> | |
| ACME$_PASSWORD_1 (U) | <> | <> | | | | |
| ACME$_PASSWORD_2 (U) | <> | <> | | | | |
| ACME$_PASSWORD_SYSTEM (U) | <> | <> | | | | |
| ACME$_PERSONA_HANDLE_IN | <> | | | | | |
| ACME$_PERSONA_HANDLE_OUT (O) | <> | | | | | |
| ACME$_PHASE_TRANSITION (O) | | | | | | |
| ACME$_PRINCIPAL_NAME_IN (U) | <> | <> | | | | |
| ACME$_PRINCIPAL_NAME_OUT (U,O) | <> | <> | | | | |
| ACME$_QUERY_DATA (O) | <>+ | | | | | |
| ACME$_QUERY_KEY_TYPE | <>+ | | | | | |
| ACME$_QUERY_KEY_VALUE | <>+ | | | | | |
| ACME$_QUERY_TYPE | <>+ | | | | | |
| ACME$_REMOTE_HOST_ADDRESS | IR | IR | | | | |
| ACME$_REMOTE_HOST_ADDRESS_TYPE | IR | IR | | | | |
| ACME$_REMOTE_HOST_FULLNAME (U) | IR | IR | | | | |
| ACME$_REMOTE_HOST_NAME (U) | IR | IR | | | | |
| ACME$_REMOTE_USERNAME (U) | IR | IR | | | | |
| ACME$_RESPONSE_DATA | <> | | | | | |
| ACME$_SERVER_NAME_IN (U) | <> | | | | | |
| ACME$_SERVER_NAME_OUT (U,O) | <> | | | | | |
| ACME$_SERVICE_NAME (U) | IR | IR | IR | IR | IR | IR |
| ACME$_TARGET_DOI_ID | <> | <> | <>++ | <>++ | | |
| ACME$_TARGET_DOI_NAME (U) | <> | <> | <>++ | <>++ | | |
| ACME$_TIMEOUT_INTERVAL | | | | | | |
<> ---Permitted
IR---IMPERSONATE Privilege Required to override default values
SR---SECURITY Privilege Required
O---Output item code
U---Subject to Unicode Conversion
ACME$_ACCESS_MODE
The ACME$_ACCESS_MODE item code is an input item code. It specifies the access mode at which a new persona, resulting from credential acquisition processing, is to be created. The buffer must contain a longword value specifying the access mode. The $PSLDEF macro defines the following symbols for the four access modes:
PSL$C_KERNEL
PSL$C_EXEC
PSL$C_SUPER
PSL$C_USER
The most privileged access mode used is the access mode of the caller. The specified access mode and the access mode of the caller are compared, and the less privileged of the two becomes the access mode at which the persona is created.
ACME$_ACCESS_PORT
The ACME$_ACCESS_PORT item code is an input item code. It specifies the name of the local device (for example, a terminal) applicable to an authentication request. The buffer must contain a case-insensitive name string. If not specified, $ACM passes the name string contained in the PCB$T_TERMINAL field of the process control block for the process, or, if that is empty, for the nearest ancestor process (if any) whose PCB$T_TERMINAL field is not empty.
ACME$_AUTH_MECHANISM
The ACME$_AUTH_MECHANISM item code is an input item code. It specifies the authentication mechanism applicable to an authentication request. The buffer must contain a longword value specifying the desired mechanism code. If not specified, the authenticating domain of interpretation applies its default mechanism. The $ACMEDEF macro defines the following symbols for the standard mechanism types:
ACMEMECH$K_CHALLENGE_RESPONSE
ACMEMECH$K_PASSWORD
Individual ACME agents may define their own authentication mechanisms specific to their domain of interpretation.
ACME$_AUTHENTICATING_DOI_ID
The ACME$_AUTHENTICATING_DOI_ID item code is an output item code. It specifies the buffer to receive the agent ID of the domain of interpretation that successfully authenticated the principal.
ACME$_AUTHENTICATING_DOI_NAME
The ACME$_AUTHENTICATING_DOI_NAME item code is an output item code. It specifies the buffer to receive the name of the domain of interpretation that successfully authenticated the principal. The maximum data returned for this item code is the number of characters represented by the symbol ACME$K_MAXCHAR_DOI_NAME, so a caller's buffer should be at least that long, with the number of bytes allocated dependent on whether the ACME$M_UCS2_4 function code modifier was specified on the call to $ACM[W].
ACME$_CHAIN
The ACME$_CHAIN item code is an input item code. It specifies the address of the next item list segment to process immediately after processing the current list segment. The buffer address field in the item descriptor specifies the address of the next item list segment to be processed. The ACME$_CHAIN item code must be last in the item list segment; $ACM treats this as the logical end of the current item list segment. Any item list entries following the ACME$_CHAIN item code are ignored.
On Alpha and Integrity server platforms, both 32- and 64-bit item lists can be chained together.
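As an added example (not code from the OpenVMS manual), the following C program walks a 32-bit item list the way the text describes ACME$_CHAIN handling: the chain entry is the logical end of its segment, anything after it is ignored, and processing continues at the segment its buffer address names. The item code numbers ITM_CHAIN and ITM_DATA are placeholders for values the $ACMEDEF macro defines, and the struct mirrors the item_list_3 layout with host pointers.

```c
#include <stddef.h>
#include <stdint.h>
/* Placeholder item codes: the real numbers come from the $ACMEDEF macro. */
#define ITM_CHAIN 1   /* stands in for ACME$_CHAIN */
#define ITM_DATA  2   /* stands in for any ordinary input item */
/* 32-bit item_list_3 entry (native pointers here; OpenVMS uses 32-bit addresses). */
typedef struct {
    uint16_t  buflen;   /* buffer length in bytes */
    uint16_t  itmcod;   /* item code; 0 terminates the segment */
    void     *bufadr;   /* buffer address, or next segment for ITM_CHAIN */
    uint32_t *retlen;   /* return-length address, unused here */
} ile3_t;
/* Count the entries a $ACM-style walk processes: ACME$_CHAIN ends the current segment
 * (later entries are skipped) and the walk resumes at the segment its buffer address
 * names. max_segments guards against a chain that loops back on itself. */
int count_processed_items(const ile3_t *seg, int max_segments)
{
    int n = 0;
    while (seg != NULL && max_segments-- > 0) {
        const ile3_t *next = NULL;
        for (const ile3_t *p = seg; p->itmcod != 0; p++) {
            if (p->itmcod == ITM_CHAIN) {
                next = (const ile3_t *)p->bufadr;
                break;                     /* entries after ACME$_CHAIN are ignored */
            }
            n++;
        }
        seg = next;
    }
    return n;
}
/* Constructed sample: segment 1 holds one item, a chain to segment 2, and a stray item after the chain. */
int example_walk(void)
{
    static uint32_t buf[4];
    static ile3_t seg2[] = {
        { 4, ITM_DATA, &buf[0], NULL },
        { 4, ITM_DATA, &buf[1], NULL },
        { 0, 0, NULL, NULL }
    };
    static ile3_t seg1[] = {
        { 4, ITM_DATA,  &buf[2], NULL },
        { 0, ITM_CHAIN, seg2,    NULL },
        { 4, ITM_DATA,  &buf[3], NULL },   /* never reached: follows the chain entry */
        { 0, 0, NULL, NULL }
    };
    return count_processed_items(seg1, 8);   /* returns 3 */
}
```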
ACME$_CHALLENGE_DATA
The ACME$_CHALLENGE_DATA item code is an input item code. It specifies the challenge data that was used as the basis for generating the response data specified by the ACME$_RESPONSE_DATA item code. The meaning of this data is specific to the domain of interpretation for which it is used.