E1197: Planning and Configuring HP DCE 1.7 > Chapter 1 About HP DCE/9000 Version 1.7

Interoperability and Compatibility

This section describes the interoperability of this release with various implementations of OSF DCE, and its compatibility with previous versions of HP DCE, and with DCE-related technologies.

Applications built on HP-UX 10.30 with HP DCE 1.6 may need to recompile due to the versioning of libdce and libcma in HP-UX 11.0.

HP DCE 1.7 supports binary compatibility with HP DCE 1.2.1 and later releases. Applications linked with the archived HP DCE 1.2, 1.2.1, 1.3.1, 1.4, 1.4.1, 1.4.2, and 1.5 libdce are fully compatible with applications built with HP DCE 1.7 libraries. These applications can share login contexts and credentials without loss of data.

Binary compatibility for statically-linked HP DCE 1.2, 1.2.1, 1.3.1, 1.4, 1.4.1, 1.4.2, and 1.5 applications can be disabled, resulting in minor performance gains and slightly smaller credentials files. By default, binary compatibility is enabled when HP DCE 1.7 is installed and configured. You may disable binary compatibility on a per-host basis with the following commands:

To enable binary compatibility after it has been disabled, do the following:

For information about the U.S./Canada version of HP DCE, see the

There are no known source code incompatibilities between HP DCE 1.7 and previous releases.

This release has been tested to ensure interoperability with the implementations of OSF DCE on the platforms listed in Table 1-1 “HP DCE Interoperability With Other Platforms and DCE Implementations”.

Table 1-1 HP DCE Interoperability With Other Platforms and DCE Implementations

Hewlett-Packard's DCE configuration tools are not guaranteed to interoperate with other vendors' DCE implementations. In particular:

The DES and DES-hidden versions of this release are interoperable with the following limitation: DES-based application servers or clients that specify the "privacy" RPC data protection level or the gss_seal "confidentiality requested" flag are not interoperable with servers or clients based on the DES-hidden version.

Neither DES nor DES-hidden versions of DCE are interoperable with any DCE version that has been built with the DES code omitted (instead of hidden). Some DCE ports from other vendors were built in this way in order to meet U.S. export requirements. If you are running a DCE port from another vendor, check with that vendor for details.

The DCE Security authentication service implements Kerberos Version 5. DCE Security does not provide backward compatibility support for Kerberos Version 4.

HP DCE 1.7 makes available enhanced configuration features specific to Kerberos Version 5. Configuration with dce_config has been updated to do the following for either a security server or client:

The host principal uses a fully qualified host name. To construct this name, dce_config appends the Internet domain name to the host name in the format: host_name.domain_name. For example, when the domain name is ch.hp.com, and the host name is fred, the fully qualified host name is fred.ch.hp.com.

When configuring either a security server or client, dce_config checks the file /etc/resolv.conf for the Internet domain name. If the domain name is not found in this file, then the user is prompted to enter a domain name. Before running dce_config, you can choose to set the environment variable DOMAIN_NAME to provide the domain name during configuration. Other environment variables used by dce_config are described in the section "Component Scripts and Environment Variables for dce_config" in Chapter 5.

An example of a standard domain name is ch.apollo.hp.com. A DCE principal name takes the form:

/.../cellname/host/fully_qualified_hostname

Configuration for secure remote utilities may require the additional step of adding entries to inetd.conf.

The following describes the service and port settings in /etc/services for the different versions of Kerberos. Kerberos V5 Release 1.0 expects the service "kerberos" to use port 88. However, older versions of Kerberos (V4) expect the "kerberos" service to use port 750. For this reason, dce_config does not set/reset the service "kerberos" in /etc/services. dce_config does set the following in /etc/services:

If a customer has an environment where they are supporting different versions of Kerberos clients, they can set the port number for V5 Release 1.0 clients explicitly in the [realms] section of the /etc/krb5.conf file:

kdc = host:88

For related and more detailed information, see the whitepaper Using HP DCE 9000 Security with Kerberos Applications in /opt/dce/newconfig/RelNotes/krbWhitePaper.ps.

The DCE KDC is used by the Secure Internet Services, also known as the Secure Remote Utilities, that are shipped as part of the InternetSrvcs product on HP-UX 11.0. The kerberized utilities include rlogin, remshd, rcp, ftp, and telnet services. A new command, k5dcelogin, has been added to DCE in support of these utilities. When ticket forwarding is requested, k5dcelogin promotes a principal's Kerberos V5 credentials to DCE credentials. Refer to documentation on Secure Internet Services for configuration information.
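
A pre-flight check for the mixed Kerberos V4/V5 port situation described above, as an added example that is not part of the HP documentation: it reads a services file and a krb5.conf and flags kdc entries with no explicit port when the "kerberos" service is mapped to something other than 88. The function names, the realm EXAMPLE.REALM and the KDC host names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not HP code). File paths are arguments so copies can be audited.

# Port(s) a services file assigns to the service named "kerberos".
kerberos_service_ports() {
    awk '{ sub(/#.*/, "") }
         $1 == "kerberos" { split($2, p, "/"); print p[1] }' "$1" | sort -u
}

# Value of every "kdc =" entry under [realms] that lacks an explicit :port.
kdc_without_port() {
    awk '/^[ \t]*\[/ { in_realms = ($0 ~ /\[realms\]/); next }
         in_realms && /^[ \t]*kdc[ \t]*=/ {
             v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
             if (v !~ /:[0-9]+$/) print v
         }' "$1"
}

# Returns 1 when "kerberos" is mapped away from 88 and a kdc entry has no port.
check_kerberos_ports() {
    ports=$(kerberos_service_ports "$1")
    bare=$(kdc_without_port "$2")
    case "$ports" in
        88) echo "OK: kerberos service is on port 88"; return 0 ;;
        "") echo "INFO: no kerberos entry in $1"; return 0 ;;
    esac
    if [ -n "$bare" ]; then
        echo "WARN: kerberos service on port(s):" $ports
        echo "      kdc entries without an explicit port:" $bare
        return 1
    fi
    echo "OK: every kdc entry names its port explicitly"
}

# Constructed sample files: a V4-style services entry and two KDC entries.
make_samples() {
    printf '%s\n' 'kerberos   750/udp  kdc   # V4 clients' \
                  'kerberos   750/tcp  kdc' > "$1/services"
    printf '%s\n' '[libdefaults]' '    default_realm = EXAMPLE.REALM' \
                  '[realms]' '    EXAMPLE.REALM = {' \
                  '        kdc = kdc1.example.com:88' \
                  '        kdc = kdc2.example.com' '    }' > "$1/krb5.conf"
}

dir=${TMPDIR:-/tmp}/krbports.$$
mkdir -p "$dir" && make_samples "$dir"
check_kerberos_ports "$dir/services" "$dir/krb5.conf" || true
rm -rf "$dir"
```

On a live host the call would be `check_kerberos_ports /etc/services /etc/krb5.conf`; a non-zero status means at least one KDC entry still depends on the services lookup.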