Using kx509 certificates from Perl

Perl support for KX509 is provided through the DICE::KX509 module, part of the perl-perl-authutils RPM. This module implements a kx509 client directly in Perl, so it can obtain a kx509 certificate using existing Kerberos credentials.

For processes that need to maintain longer-lived Kerberos credentials, the DICE::AuthCache::Kerberos and DICE::AuthCache::KX509 modules provide a means of gaining Kerberos credentials from a keytab and obtaining KX509 credentials from this keytab. They then provide a means of keeping these credentials valid over the lifetime of the process, without requiring a connection to the KDC or KCA with every request.

Example code

This code gets Kerberos credentials based on the hostclient/_hostname_ key stored in the machine's keytab, and then uses those credentials to access a kx509-protected web service.


use LWP;
use LWP::UserAgent;
use DICE::AuthCache::Kerberos;
use DICE::AuthCache::KX509;
use Sys::Hostname;
use File::Temp;

# Get our Kerberos credentials from a keytab
my $krbcache=new DICE::AuthCache::Kerberos("hostclient/".hostname(),

# Now use these to get our KX509 credentials
my $kx5cache=new DICE::AuthCache::KX509($krbcache);

# Now, try with a certificate

$ENV{HTTPS_CERT_FILE} = $kx5cache->file;
$ENV{HTTPS_KEY_FILE} = $kx5cache->file;

my $ua = LWP::UserAgent->new;
$ua->agent("Test/0.1 ");

my $req = HTTP::Request->new(GET => "");

my $res = $ua->request($req);

if ($res->is_success) {
  print $res->content;
} else {
  print "Bad luck\n";
  print $res->message;
  print $res->content;
  print $res->code;
}

-- SimonWilkinson - 03 Apr 2005
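
An added example, not part of the original page or of the DICE modules: the code above passes the same file as both certificate and key, so that file holds the private key. This example checks the file's ownership and permissions before use and attaches the credential to a single agent through ssl_opts instead of process-wide environment variables. It assumes LWP 6 with IO::Socket::SSL; check_cred_file and kx509_agent are hypothetical helper names, and the PEM text is a constructed stand-in for the file returned by $kx5cache->file.

```perl
use strict;
use warnings;
use Fcntl ':mode';
use File::Temp qw(tempfile);
use LWP::UserAgent;

# Hypothetical helper: list problems with a combined cert+key PEM file.
# An empty list means the file is acceptable.
sub check_cred_file {
    my ($path) = @_;
    my @st = lstat($path) or return ("cannot stat $path: $!");
    my @problems;
    push @problems, "not a regular file" unless S_ISREG($st[2]);
    push @problems, "not owned by the current user" unless $st[4] == $>;
    push @problems, sprintf("mode %04o allows group/other access", $st[2] & 07777)
        if $st[2] & 0077;
    open(my $fh, '<', $path) or return (@problems, "cannot read $path: $!");
    my $pem = do { local $/; <$fh> } // '';
    close($fh);
    push @problems, "no certificate block"
        unless $pem =~ /^-----BEGIN CERTIFICATE-----/m;
    push @problems, "no private key block"
        unless $pem =~ /^-----BEGIN (?:RSA |EC )?PRIVATE KEY-----/m;
    return @problems;
}

# Hypothetical helper: build an agent that presents the credential itself,
# rather than exporting the file path to every HTTPS client via %ENV.
sub kx509_agent {
    my ($path) = @_;
    my @problems = check_cred_file($path);
    die "refusing $path: " . join('; ', @problems) . "\n" if @problems;
    return LWP::UserAgent->new(
        ssl_opts => { SSL_cert_file   => $path,
                      SSL_key_file    => $path,
                      verify_hostname => 1 },
    );
}

# Constructed stand-in for the file returned by $kx5cache->file.
my ($fh, $demo) = tempfile(UNLINK => 1);
print {$fh} "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n",
    "-----BEGIN RSA PRIVATE KEY-----\n(constructed)\n-----END RSA PRIVATE KEY-----\n";
close($fh);

chmod 0644, $demo;                      # too permissive: reported as a problem
print "0644: ", join('; ', check_cred_file($demo)), "\n";
chmod 0600, $demo;                      # owner-only: accepted
my $ua = kx509_agent($demo);
print "0600: accepted, agent created\n";
```

In a real process the path passed to kx509_agent would be $kx5cache->file; the certificate and key are only read by IO::Socket::SSL when the agent makes its first HTTPS connection.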

Topic revision: r1 - 03 Apr 2005 - 14:21:00 - SimonWilkinson