DCE Security Programming

Curious hospital staff peeking at medical records of famous people. Snoopers grabbing passwords and tunneling through a private network. Practical jokers changing documents under their authors' noses.

Network security affects all of us. Here lies one of the greatest strengths of the Distributed Computing Environment (DCE) from the Open Software Foundation (OSF). DCE offers the most complete, flexible, and well-integrated network security package in the industry.

The heart of DCE Security lies in access control lists (ACLs). But before you start to play with these, you have to do some design work. For instance, ACLs need to be stored on disk so that they can last between runs of the applications.

This book helps you plan your application and lay the groundwork for ACLs, as well as use the calls that come with the DCE Security interfaces. It covers the purpose of DCE Security, how the whole system fits together, what is required of the programmer, and how to figure out what needs protection. Using a sample application, increasingly sophisticated types of security are discussed:

• Authenticating and authorization
• Using ACLs for authorization
• The notorious, dreaded ACL manager

This book focuses on version 1.0 of DCE. However, issues in version 1.1 are also discussed so that you can migrate to that interface.

1. Security and the Distributed Computing Environment
• The Role of Security in Distributed Computing
• DCE Security Framework
• Components of DCE Security
• Fundamental Techniques
• Kerberos Authentication Service
• Single Logins
• Summary
2. What Does a DCE Security Server Do?
• The Security API and the Network Interface
• DCE Security Services
• Authentication Service
• Privilege Service
• Registry Service
• Management Interface
• Differences Between DCE AS and Standard Kerberos
3. Overview of the DCE Security Application Programming Interface
• Overview of the DCE Security API
• Tasks in Security Programming
• managing Server Secret Keys
• Setting Up and Maintaining a Login Context
• Authenticated RPC Setup
• Using the Security Registry
• Mapping Between UUIDs and names
• Managing ACLs
4. How to Write an Application That Uses Security
• Employee Database Application
• Using Authentication and Name-Based Authorization
• Using PAC-based Authorization
• Making the Server Standalone
• Summary
5. A Programmer's View of Access Control Lists
• What Is an Access Control List?
• The DCE ACL Data Structure
• Compatibility ACL Entry Types
• ACL Entry Permissions
• ACL Manager Overview
• ACL Manager APIs
• ACL Storage
• Summary
6. Writing an Application That Uses ACLs
• Using ACLs in the Employee Database Applicatrion
• Writing an ACL Storage Library
• Writing the Employee Database Manager Code
• Writing a Reference Monitor That Uses ACLs
• Implementing sec_acl_mgr_is_authorized
• Running the Application
• Summary
7. Writing the Remote ACL Management Interface
• Implementing the rdaclif Manager Code
• Registering the Interface
• ACL Manager Configuration
• Using acl_edit to Manager Our ACLs
• Summary
8. DCE 1.1 Security Enhancements
• Delegation
• Generic Security Service API (GSSAPI)
• ACL Library
• Audit API
• Enhanced Administration

1. Unauthenticated Version of the Employee Database Application
2. Employee Database Application: Authorization by Name
3. Employee Database Application: PAC-based Authorization
4. Employee Database Application: ACL-based Authorization

Covers mostly DCE 1.0 even though 1.1 is mentioned. It's OK.