HP DCE/9000 Core Services Software

HP DCE/9000 Version 1.7 is based on OSF DCE Version 1.2.1 source code, with bug fixes and value-added functionality. This section describes the contents of this release.

OSF DCE Components Included in This Release

This release includes the following OSF DCE components:

Remote Procedure Call (RPC) Facility, supporting both connection-oriented (TCP/IP) and connectionless (UDP/IP) transport protocols.
User-space Threads, based on Draft 4 of POSIX 1003.4a, Threads Extension for Portable Operating Systems.
Cell Directory Service (CDS), including CDS server replication.
Access to the CDS name space through the X/Open Directory Service (XDS) and X/Open Object Management (XOM) services. The OSF DCE 1.0.3 versions of the XDS, XOM, and dua libraries are a part of libdce, and the necessary XDS and XOM header files are provided.
Security Service, including security server replication and additional security server replication functionality, and the Audit Service.
Distributed Time Service (DTS); this release supports ntp, null, and Spectracom DTS time providers; it also supports global time servers and DCE time zones.
Global Directory Agent (GDA), using the Berkeley Internet Naming Daemon (BIND).

The DCE application library is provided as both a shared library (libdce.sl) and an archive library (libdce.a). If you use the shared library, a DCE application can share a single copy of the library with other DCE applications that are running on the same host. If you use the archive library, each application binary will contain its own copy of DCE routines that it either directly or indirectly calls.




	NOTE: At HP DCE 1.7, both libdce and libcma were versioned for compatibility reasons. libdce.1 and libcma.1 are the latest patched HP DCE 1.5 libraries. libdce.2 and libcma.2 support HP DCE 1.7 on HP-UX 11.0. Shared applications built on HP DCE 1.6 may have to recompile to run on HP DCE 1.7.

Hewlett-Packard strongly recommends the use of shared libraries when building DCE applications. In our opinion, the advantages of shared libraries — smaller executable size, reduced memory requirement, and the ability to make use of forthcoming improvements to libdce without rebuilding or relinking binaries — outweigh the modest performance penalty HP has measured when testing a high-volume transaction processing application linked with DCE shared libraries.

HP DCE/9000 Features Added by Hewlett-Packard

Features Added at Previous Releases of HP DCE

HP DCE 1.7 supports the following features that were added to
HP DCE/ 9000:

The HP DCE Account Manager (HP DCE 1.4 and later releases) provides a graphical interface for creating and administering the DCE registry. The Account Manager requires a bit-mapped display. There is no ASCII terminal support. Online help is provided for the Account Manager. See “HP DCE Account Manager” later in this chapter for more information on the Account Manager.
The HP DCE Cell Monitor (HP DCE 1.4 and HP DCE1.5 only) provides a graphical display of the status of each node in a DCE cell.
DCM, the DCE Configuration Manager (HP DCE 1.4 and later releases) allows you to configure the nodes in a DCE cell. This tool is accessible via SAM (the HP-UX System Administration Manager) and is documented in online help.
A set of HP-UX Integrated login utilities that authenticate users via the DCE Security Registry instead of via /etc/passwd and
/etc/group. HP DCE/9000 includes improvements to login, dtlogin, su, passwd, telnet, and rlogin, as well as new HP-UX Integrated versions of ftpd and dtsession and enhanced support for CDE/PAM. See Chapter 6 for more information about these utilities.
The DCE cell diagnostic tool dceping.
An enhanced version of the OSF CDS browser (cdsbrowser), which has been ported to Release 6 of the X11 Windows system and the Common Desktop Environment (CDE). The browser is accessible through SAM. See the CDS Browser online help (accessible via the CDS Browser Help menu) for details.
Two sets of tools for developing DCE applications are available as separately priced options to HP DCE/9000. For DCE application development in C, HP DCE/9000 Application Development Tools includes a modified IDL compiler (I2DL), tracing and logging facility, error reporting facility, and sample applications. For DCE application development in C++, HP DCE/9000 Object-Oriented DCE (HP OODCE) includes an IDL++ compiler, tracing and logging facility, C++ class library, sample applications, include files, and modified header files for C++ application development.
cdsclerk (new at HP DCE 1.5) no longer runs as separate processes. cdsclerk functionality has been merged into the cdsadv process. cdsadv, therefore, is now the only HP DCE CDS client process.
HP's dced (new at HP DCE 1.5) supports the new -r option. This option starts dced in remote-update mode, which allows DCE cell administration tasks to be performed by an administrator on a remote machine. In order to help prevent attacks, the dced default behavior is to disallow any remote administration.

HP has enhanced the dcecp registry connect command with two new options that support intercell login:

-acctvalid	Marks the local cell account as a valid account. A valid local cell account allows users from the foreign cell to login to nodes in the local cell. The default is invalid.
-facctvalid	Marks the foreign cell account as a valid account. A valid foreign cell account allows users from the local cell to login to nodes in the foreign cell. The default is invalid.

See "Establishing Peer-to-peer Trust" in Chapter 7 for more information on these important new options.

HP has added a new -r option, which refreshes a user's credentials, to dce_login. Users are encouraged to use dce_login -r rather than kinit to refresh their credentials, since dce_login -r uses the more secure DCE Third-party preauthentication protocol, whereas kinit uses the less secure Kerberos 5 Timestamps protocol.
HP has changed the default behavior of its configuration tools to automatically enable audit filtering. In addition, the default behavior of secd has been changed to enable audit filtering at start-up, and a new secd option, -noauditfilters, had been added to disable audit filtering. See "Configuring the DCE Audit Service" in Chapter 5, and the online secd man page for more information.
HP DCE Measurement Service (DMS) to monitor resource utilization and performance of HP DCE 1.6 servers.
Support for large uids.
Support for context-switching 64-bit machine registers in DCE threads ( libcma and libdce).
Support for MC/ServiceGuard.
Support for Secure Remote Utilities (Secure Internet Services) in the InternetSrvcs product.

Features Added at HP DCE 1.7

The following features are new at HP DCE 1.7:

NSS-DCE: a DCE module for the Name Service Switch (see "Integrating DCE with HP-UX Integrated Login" in Chapter 6 for more information).
DCE support for Kerberos V5 applications through creation of configuration and keytab files.
All integrated login utilities, including ftpd, now use the Pluggable Authentication Module (PAM). There are no longer any separate .auth binaries.

In addition, HP DCE 1.7 contains numerous bug fixes.

Features Removed at HP DCE 1.6 and 1.7

The following features were removed at HP DCE 1.6:

Distributed File Service (see "Installation Notes" in Chapter 4 for information about unconfiguring DFS before installing HP DCE 1.6).
Global Directory Service.
HP DCE Cell Monitor.
The DCE cell diagnostic tool dceval.

The following feature was removed at HP DCE 1.7:

Network Computing System (NCS) Version 1.5.1 compatibility (see "Note for Users of NCS-based Software" in Chapter 5 for important HP DCE/9000 configuration information).

Version Identification

Version information for individual HP DCE/9000 Version 1.7 components may be obtained via the /opt/dce/bin/dce_version utility. This utility prints the version of the installed DCE and can also retrieve what strings (see what (1)) from HP DCE/9000 programs and libraries. See the dce_version man page for information on how to use dce_version.

Cell Configuration and Diagnostics

HP DCE supplies two configuration tools with this release:

dce_config is the cell configuration tool provided by OSF, with substantial modifications by Hewlett-Packard.
DCM, the DCE Configuration Manager, provides a SAM interface to cell management.
HP's DCE cell validation and diagnostic tool dceping.

Common Desktop Environment (CDE) and Online Help

As of HP-UX 10.20 and later releases, the default environment is the Common Desktop Environment (CDE). (HP VUE was available with releases of HP-UX earlier than 10.30.) All HP DCE 1.7 online help and context-sensitive help works in CDE. If you print HP DCE 1.7 online help and context-sensitive help from CDE, the text is not formatted as it is on the screen; only text is printed (graphics are not printed).

DES and DES-Hidden Versions of this Release

The DCE Security component uses the Data Encryption Standard (DES) algorithm as its default encryption algorithm. Because the United States State Department restricts the export of DES software, HP supplies three binary versions of the dced daemon and the DCE library (libdce.1, libdce.2, and libdce.a):

The U.S./Canada version is available only to HP customers in the United States and Canada. The U.S./Canada version of libdce supports use of DES to encrypt RPC argument values, via the "privacy" authentication level, and the use of DES to encrypt gssapi messages, via the gss_seal "confidentiality requested" flag. The
U.S./Canada version of dced supports secure remote key table management.
The Export version is available to all HP customers. The Export version of libdce disables the "privacy" authentication level in RPC, the gss_seal "confidentiality requested" flag, and all program entry points to DES routines. The Export version of dced does not support secure remote key table management.

If an application uses the Export version of the DCE library and specifies the "privacy" level or "confidentiality requested", the library returns an error at run time. This restriction does not apply to the U.S./Canada version of this release.

See the dced (1M) man page for more information about remote key table management support in the two versions of the daemon.




	NOTE: Users of the Export version of HP DCE 1.7 should start dced with the -c option. See the dced man page for more information.