If you already have a Kerberos infrastructure (for example, Microsoft Active Directory) and want to Kerberos-enable your C/C++ applications with a commercially supported toolkit, this is the SDK you need. If you also have Java applications, consider the TrustBroker™ Application Security Java SDK instead. If you do not have a Kerberos infrastructure, additional CyberSafe TrustBroker products can be provided for development, testing and deployment purposes.

Overview

The TrustBroker™ Application Security SDK is a software development kit for C/C++ application security development. An enhanced version, the TrustBroker™ Application Security Java SDK, is also available and adds support for Java application security development.

The toolkit is based on the industry-standard GSS-API v2 interface specification.

A complementary CyberSafe product known as the TrustBroker™ Application Security Runtime Library is also available to allow applications developed using the SDK or using the GSS-API v2 standard to be easily deployed on multiple operating systems.

Operating Systems

The following operating systems are supported by the SDK.

  • Microsoft® Windows® 2000, XP & 2003 on x86 (32-bit)
  • SUN Solaris™ Versions 8, 9 & 10 on Sparc (32-bit & 64-bit)
  • SUN Solaris™ Version 10 on x86 (32-bit)
  • SUN Solaris™ Version 10 on x86_64 (AMD64) (32-bit & 64-bit)
  • Compaq Tru64™ Versions 4.0D, 5.0, 5.1, 5.1A & 5.1B (64-bit)
  • IBM AIX™ Versions 5.1, 5.2 & 5.3 on PowerPC (32-bit & 64-bit)
  • i5/OS v5r3 or later on IBM Series i (32-bit & 64-bit)
  • Hewlett Packard HP/UX™ Versions 11 & 11i v1 or v2 on PA-RISC (32-bit & 64-bit)
  • Hewlett Packard HP/UX™ Version 11i v2 on Itanium (IA-64) (32-bit & 64-bit)
  • Red Hat Linux Version 7.2 or later on x86 (32-bit)
  • Red Hat Enterprise Linux (RHEL) Version 3 on x86 (32-bit)
  • Red Hat Enterprise Linux (RHEL) Version 4 on x86_64 (AMD64 / EM64T) (32-bit & 64-bit)
  • Red Hat Enterprise Linux (RHEL) Version 4 on PowerPC (e.g. IBM iSeries / pSeries) (32-bit & 64-bit)
  • SuSE Linux Enterprise Server (SLES) Version 8 on x86 (32-bit)
  • SuSE Linux Enterprise Server (SLES) Version 9 on x86_64 (AMD64 / EM64T) (32-bit & 64-bit)
  • SuSE Linux Enterprise Server (SLES) Version 9 on PowerPC (e.g. IBM iSeries / pSeries) (32-bit & 64-bit)

Versions

The versions of the Application Security SDK are listed below, along with details of the available and supported Runtime Libraries.

  • Application Security SDK, Version 2.0. This SDK was included with the CyberSafe product known as Devpack 1 as well as a Version 2.0.0 Runtime Library for Windows & UNIX platforms. The version 2.0.0 Runtime Library was also included with the TrustBroker v2.0 and 2.1 Secure Client and a maintenance release (Version 2.0.1) was included with the ActiveTRUST v3.0 and v4.0 SSO distribution.
  • Application Security SDK, Version 2.1. This release includes a Version 2.1.0 Runtime Library for 64-bit UNIX platforms only.
  • Application Security SDK, Version 3.1. This SDK includes a Version 3.1.0 Runtime Library for Windows, Linux & 32-bit / 64-bit UNIX.

An application developed using the 2.0, 2.1 or 3.1 SDK will work with either 2.0.0, 2.0.1, 2.1.0 or 3.1.0 Runtime Libraries.

Summary of Features & Benefits

The following list summarises the features and benefits of this SDK:

  • Based on the Version 2, Release 1 Generic Security Services API defined in RFC2743.
  • The GSS-API Library functions are based on the Kerberos 5 Bindings for GSS-API v2 documented in RFC1964.
  • The GSS-API Mechanism OIDs for Kerberos 5 RFC1964 {1 2 840 113554 1 2 2} and Pre-RFC1964 {1 3 5 1 5 2} are both supported.
  • The RFC1964 OID is the default OID used with version 3.1.0 or later of the Runtime Library. The Pre-RFC1964 OID is used by default for earlier Runtime Library versions.
  • The SDK is provided with C/C++ bindings based on RFC2744.
  • The Library is fully interoperable with Microsoft's SSPI, MIT GSS-API, Sun's JGSS, Wedgetail JCSI Kerberos and many other implementations of RFC1964.
  • The Application Security development toolkit is designed and tested to be robust and stable, and CyberSafe can provide this SDK along with an appropriate infrastructure and a support/consulting service to allow you to secure your applications.
  • Unlike some other RFC1964 GSS-API Libraries, the CyberSafe Library functions for initialising and accepting a security context are designed to be thread-safe.
  • On Microsoft Windows 2000 and XP, the credential cache supplied by the operating system is used as the default credential store instead of a separate memory or file cache.
  • Applications can be developed to authenticate a user under a user name that differs from the account they are logged on to the operating system as. This allows workstations to be easily shared by application users, which is not possible with some RFC1964-based implementations.
  • There is no need to manage per-host configuration files to determine the address of a KDC for a specific REALM, or to determine the REALM for a specific host/service. Instead, this information is stored in the DNS server in the format defined by IETF draft-ietf-krb-wg-krb-dns-locate and can therefore be managed centrally. If you are using Microsoft Active Directory, your DNS servers should already be configured with the appropriate information for your Active Directory REALM.
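The two mechanism OIDs in the list above are what an application sees in the `actual_mech_type` output of `gss_init_sec_context`/`gss_accept_sec_context`, and the same OID opens every context token on the wire in the RFC 2743 InitialContextToken framing (`0x60 <len> 0x06 <oidlen> <oid> ...`). The C program below is an added example, not CyberSafe's code: it encodes the dotted arcs quoted on the page into the content octets a `gss_OID` carries, names a mechanism from those octets, and parses a token header to report which Kerberos 5 OID a peer selected. It avoids `gssapi.h` on purpose so it builds stand-alone; the sample token is constructed and carries only the header, and the mirrored `gss_OID` layout (length plus raw DER content octets) is stated as an assumption.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* GSS-API carries a mechanism OID as the DER content octets of an OBJECT
 * IDENTIFIER (no 0x06 tag, no length byte) inside gss_OID_desc; the layout
 * is mirrored here by assumption to avoid depending on gssapi.h. These are
 * the content octets for the two OIDs named on the page:
 * {1 2 840 113554 1 2 2} (RFC 1964) and {1 3 5 1 5 2} (pre-RFC 1964). */
static const unsigned char KRB5_MECH_RFC1964[]     = {0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02};
static const unsigned char KRB5_MECH_PRE_RFC1964[] = {0x2b,0x05,0x01,0x05,0x02};

/* Encode dotted arcs as DER content octets (base-128, high bit = more follows).
 * Returns the number of bytes written, or 0 on malformed input or overflow. */
size_t oid_encode(const uint32_t *arcs, size_t n, unsigned char *out, size_t cap)
{
    if (n < 2 || arcs[0] > 2 || (arcs[0] < 2 && arcs[1] > 39)) return 0;
    size_t pos = 0;
    for (size_t i = 1; i < n; i++) {
        /* the first two arcs share one subidentifier: 40*arc0 + arc1 */
        uint32_t v = (i == 1) ? arcs[0] * 40 + arcs[1] : arcs[i];
        unsigned char tmp[5];
        int k = 0;
        do { tmp[k++] = (unsigned char)(v & 0x7f); v >>= 7; } while (v);
        if (pos + (size_t)k > cap) return 0;
        while (k--) out[pos++] = tmp[k] | (k ? 0x80 : 0);   /* most significant group first */
    }
    return pos;
}

int oid_equal(const unsigned char *a, size_t alen, const unsigned char *b, size_t blen)
{
    return alen == blen && memcmp(a, b, alen) == 0;
}

const char *mech_name(const unsigned char *oid, size_t len)
{
    if (oid_equal(oid, len, KRB5_MECH_RFC1964, sizeof KRB5_MECH_RFC1964)) return "krb5 (RFC 1964)";
    if (oid_equal(oid, len, KRB5_MECH_PRE_RFC1964, sizeof KRB5_MECH_PRE_RFC1964)) return "krb5 (pre-RFC 1964)";
    return "unknown";
}

/* Parse the RFC 2743 InitialContextToken framing 0x60 <len> 0x06 <oidlen> <oid>
 * and point at the mechanism OID. Returns 1 on success, 0 if malformed/truncated. */
int token_mech(const unsigned char *tok, size_t len, const unsigned char **oid, size_t *oidlen)
{
    size_t pos = 0, inner;
    if (len < 2 || tok[pos++] != 0x60) return 0;
    /* DER length: short form below 0x80, else 0x8n followed by n big-endian bytes */
    if (tok[pos] < 0x80) {
        inner = tok[pos++];
    } else {
        int nb = tok[pos++] & 0x7f;
        if (nb == 0 || nb > 4 || pos + (size_t)nb > len) return 0;
        inner = 0;
        while (nb--) inner = (inner << 8) | tok[pos++];
    }
    if (inner > len - pos) return 0;                 /* declared length exceeds the buffer */
    if (inner < 2 || tok[pos++] != 0x06) return 0;   /* OBJECT IDENTIFIER tag must follow */
    *oidlen = tok[pos++];
    if (*oidlen == 0 || *oidlen >= 0x80 || *oidlen > inner - 2) return 0;
    *oid = tok + pos;
    return 1;
}

/* Convenience wrapper: mechanism name for a token, or "malformed". */
const char *token_mech_name(const unsigned char *tok, size_t len)
{
    const unsigned char *oid; size_t oidlen;
    return token_mech(tok, len, &oid, &oidlen) ? mech_name(oid, oidlen) : "malformed";
}

/* Checks that encoding the page's dotted OIDs reproduces the constants above. */
int selfcheck_encoding(void)
{
    const uint32_t rfc[] = {1, 2, 840, 113554, 1, 2, 2};
    const uint32_t pre[] = {1, 3, 5, 1, 5, 2};
    unsigned char buf[16];
    size_t n = oid_encode(rfc, 7, buf, sizeof buf);
    if (!oid_equal(buf, n, KRB5_MECH_RFC1964, sizeof KRB5_MECH_RFC1964)) return 0;
    n = oid_encode(pre, 6, buf, sizeof buf);
    return oid_equal(buf, n, KRB5_MECH_PRE_RFC1964, sizeof KRB5_MECH_PRE_RFC1964);
}

/* Constructed header of an RFC 1964 context token (inner token omitted). */
static const unsigned char SAMPLE_TOKEN[] =
    {0x60,0x0b,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02};

int main(void)
{
    printf("encoding self-check: %s\n", selfcheck_encoding() ? "ok" : "FAILED");
    printf("sample token mechanism: %s\n", token_mech_name(SAMPLE_TOKEN, sizeof SAMPLE_TOKEN));
    printf("truncated token: %s\n", token_mech_name(SAMPLE_TOKEN, 5));
    return 0;
}
```

The token check is useful for interoperability debugging because, as the list states, Runtime Library 3.1.0 defaults to the RFC 1964 OID while earlier versions default to the pre-RFC 1964 one; a peer that rejects a context can be diagnosed by reading which OID each side actually put in its token.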

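The last feature in the list above replaces per-host realm and KDC configuration with DNS records in the layout of draft-ietf-krb-wg-krb-dns-locate (later carried into RFC 4120, section 7.2.3): SRV records named `_kerberos._udp.REALM` and `_kerberos._tcp.REALM` (and `_kpasswd._udp.REALM` for password changes) list the KDCs with RFC 2782 priority and weight, and TXT records named `_kerberos.hostname` map a host to its realm. The C program below is an added example, not part of the SDK: it builds those query names for a realm and host, orders a constructed SRV answer set the way a client should (ascending priority, then weight), and reports which KDC is tried first and which only as a last resort. It performs no real DNS lookup, and it replaces RFC 2782's weighted random pick among equal priorities with a deterministic descending-weight order; both are assumptions made so the program runs offline.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One SRV resource record as answered for _kerberos._udp.<REALM> or
 * _kerberos._tcp.<REALM>. The sample set further down is constructed. */
typedef struct {
    unsigned priority;   /* lower is preferred */
    unsigned weight;     /* relative share among equal priorities */
    unsigned port;       /* 88 for a KDC, 464 for kpasswd */
    const char *target;  /* KDC host name */
} srv_rr;

/* Build the SRV owner name for a realm and transport, e.g.
 * "_kerberos._udp.EXAMPLE.COM". Realm names are case-sensitive, so the
 * realm is copied unchanged. Returns 1 on success, 0 if out is too small. */
int kdc_srv_name(const char *realm, const char *proto, char *out, size_t cap)
{
    int n = snprintf(out, cap, "_kerberos._%s.%s", proto, realm);
    return n > 0 && (size_t)n < cap;
}

/* Build the TXT owner name used for host-to-realm mapping,
 * e.g. "_kerberos.db1.example.com". */
int host_realm_txt_name(const char *host, char *out, size_t cap)
{
    int n = snprintf(out, cap, "_kerberos.%s", host);
    return n > 0 && (size_t)n < cap;
}

/* RFC 2782 ordering: ascending priority; among equal priorities the weighted
 * random pick is replaced by a deterministic descending-weight order
 * (assumption) so the result is reproducible. Ties fall back to the name. */
static int srv_cmp(const void *pa, const void *pb)
{
    const srv_rr *a = pa, *b = pb;
    if (a->priority != b->priority) return a->priority < b->priority ? -1 : 1;
    if (a->weight != b->weight) return a->weight > b->weight ? -1 : 1;
    return strcmp(a->target, b->target);
}

void srv_order(srv_rr *rrs, size_t n) { qsort(rrs, n, sizeof *rrs, srv_cmp); }

/* Constructed answer set for _kerberos._udp.EXAMPLE.COM: two primaries that
 * share priority 10 with different weights, and one backup at priority 20. */
static srv_rr sample_kdcs[] = {
    { 10, 20, 88, "kdc2.example.com" },
    { 20,  0, 88, "kdc-backup.example.com" },
    { 10, 80, 88, "kdc1.example.com" },
};
#define N_SAMPLE (sizeof sample_kdcs / sizeof sample_kdcs[0])

/* KDC a client following RFC 2782 order contacts first. */
const char *preferred_kdc(void)
{
    srv_order(sample_kdcs, N_SAMPLE);
    return sample_kdcs[0].target;
}

/* KDC contacted only after every lower-priority host has failed. */
const char *last_resort_kdc(void)
{
    srv_order(sample_kdcs, N_SAMPLE);
    return sample_kdcs[N_SAMPLE - 1].target;
}

int main(void)
{
    char name[128];
    if (kdc_srv_name("EXAMPLE.COM", "udp", name, sizeof name))
        printf("SRV query: %s\n", name);
    if (host_realm_txt_name("db1.example.com", name, sizeof name))
        printf("TXT query: %s\n", name);
    srv_order(sample_kdcs, N_SAMPLE);
    for (size_t i = 0; i < N_SAMPLE; i++)
        printf("  prio %u weight %u -> %s:%u\n", sample_kdcs[i].priority,
               sample_kdcs[i].weight, sample_kdcs[i].target, sample_kdcs[i].port);
    return 0;
}
```

Because these records are ordinary DNS answers rather than authenticated configuration, the centrally managed `_kerberos` entries belong under the same change control and monitoring as the KDC hosts themselves; a stale or wrong record shows up as clients failing over to the next priority or failing to authenticate, so the SRV order is the first thing to compare against the answer actually served.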
Additional benefits and extended functions in the SDK, for improved usability and functionality compared to what is normally provided in an RFC1964 GSS-API v2 implementation, include:

  • Addition of the PKINIT standard, which allows public-key credentials to be used for initial authentication to Kerberos 5 PKINIT capable security servers. This links the two different security mechanisms in a secure Kerberos environment during the initial authentication step. It provides a synergy that would otherwise not be possible using the GSS-API standard.
  • Recognition of smart cards for storage of public-key credentials used with the PKINIT option. The CyberSafe extensions can recognize both hardware and virtual smart cards that use the PKCS#11 standard.
  • Complete support for Triple DES (DES3), including encryption of authentication tokens and user data. CyberSafe recommends that all data be encrypted using DES3, which provides significantly increased security in comparison to DES encryption.
  • Programmatic support for acquiring the initial credentials needed before the initiator application can establish a security context. Using the CyberSafe extension function eliminates the need to use kinit or TrustBroker Secure Client to obtain these initial credentials. This functionality is ideally suited to situations where you require the application itself to obtain the initial credentials, rather than having them obtained during the operating system logon.
  • Recognition of hardware authentication devices, such as token cards. This adds an extra level of security at the client level during authentication requests.
  • Ability to renew Kerberos 5 credentials. This prolongs the lifetime of an existing valid credential, improves overall security and reduces the number of times the user is required to provide their username and password.
  • Support for Kerberos 5 principals to change their password from within an application created using the Application Security SDK.
  • Support for Web applications where it might be desirable to store credential related information inside encrypted browser cookies.
  • Functions are provided for backwards compatibility with applications based on GSS-API Version 1 standard interfaces.