Plug-in Types

The types of plug-ins that are currently supported by Network Identity Manager are :

Credential Provider

A credential provider plug-in essentially acts as an interface between Network Identity Manager and some entity which defines the credentials for the purpose of managing those credentials.

There can be more than one credential provider in a module.


Communication between Network Identity Manager and a credential provider occurs through a message processor. When registering a credential provider, the module initialization code in init_module() specifies KHM_PITYPE_CRED as the type member and sets msg_proc member to a valid message processor in the khm_plugin record.


Once init_module() has completed, the module manager sends a <KMSG_SYSTEM,KMSG_SYSTEM_INIT> message to the message processor.

For credential provider plug-ins, <KMSG_SYSTEM,KMSG_SYSTEM_INIT> is guaranteed to be the first message it receives.

The callback function should return KHM_ERROR_SUCCESS if it initializes properly or some other value otherwise. If the return value signals an error, then the plug-in is assumed to have failed initialization and is immediately unloaded.

The message processor is automatically subscribed to the following message types:

Although a plug-in can use the <KMSG_SYSTEM,KMSG_SYSTEM_INIT> message enumerate existing credentials in the system, it should not obtain new credentials. This is because other plug-ins that may depend on the new credential messages may not be loaded at this time. See the section on Handling credentials provider messages for more information.


When the plug-in is to be removed, the module manager sends a <KMSG_SYSTEM,KMSG_SYSTEM_EXIT> to the message processor. The plug-in must perform any necessary shutdown operations, free up resources and unsubscribe from any messages that it has subscribed to.

This message is guaranteed to be the last message received by a credentials manager plug-in if the plug-in unsubsribes from all additional message classes that it subsribed to.

The message types that the message processor is automatically subscribed to (See Initialization) do not have to be unsubscribed from as they are automatically removed.

Other Notes

Since credential managers may receive privileged information, the signature requirements for credential managers are specially strict.
Generated on Fri Aug 3 08:27:13 2007 for Network Identity Manager by Doxygen 1.5.2
© 2004-2007 Massachusetts Institute of Technology.
© 2005-2007 Secure Endpoints Inc.