E1197: Planning and Configuring HP DCE 1.7, Chapter 1: About HP DCE/9000 Version 1.7. Notes, Cautions and Warnings Regarding This Release
All of the operations of the dcecp host command are implemented. See the host (8dce) man page for syntax and details.

You can use standard UNIX remote login utilities (remsh, rlogin, telnet) to perform remote DCE cell administration. However, these utilities expose the cell administrator's password to network attackers whenever you perform a task on a remote system. If a network attacker obtains the password, the security of the cell's DCE services is compromised. The most secure way to perform cell administration is to log in locally to each system you want to administer. The use of Secure Internet Services (SIS) does not provide better security for the purpose of remote DCE cell administration.

DCE credentials consist of Kerberos tickets shared by principals and the security server. The security server encrypts the tickets with a server key. Usually, the credential lifetime for a Kerberos ticket is a defined expiration time. Hewlett-Packard recommends using Kerberos tickets with a defined expiration time and changing the server keys frequently. Using tickets with an infinite lifetime makes it difficult to automatically change server keys without invalidating the outstanding tickets. It also defeats the automatic key garbage collection, which the sec_key_mgmt_change_key operation performs.

Hewlett-Packard supports only the ANSI C compiler for building HP DCE applications. Hewlett-Packard cannot provide support for problems with HP DCE applications that were not compiled using the ANSI C compiler. This restriction also applies to applications on HP-UX 10.x systems built using the HP-UX user-space threads library (libcma).

Starting with HP DCE 1.4, the -r option, which refreshes a user's credentials, was added to dce_login. Users are encouraged to use dce_login -r rather than kinit to refresh their credentials, since dce_login -r uses the more secure DCE Third-party preauthentication protocol, whereas kinit uses the less secure Kerberos 5 Timestamps protocol.
A user's DCE credentials (stored in the directory /var/opt/dce/security/creds) are not automatically removed by exiting a shell or logging out. Unless you plan to leave background processes running that require your DCE credentials, you should manually remove your credentials before logging out by running the kdestroy utility. This makes the system more secure by reducing the opportunity for someone to maliciously gain access to your network credentials. The kdestroy command has been modified to allow destruction of credentials older than a specified number of hours:

kdestroy -e

Credentials are automatically removed at system boot.

Most systems will require the transfer of account information from /etc/passwd to the DCE Security Registry before the system will be useful. The script /usr/sbin/auth.adm is supplied to activate the integrated login utilities once your system has been set up with the needed accounts. See Chapter 6 for more information about using the /usr/sbin/auth.adm script. Do not use the auth.adm script to activate the HP-UX Integrated login utilities until after you have set up the accounts necessary for your site in the DCE security service registry.

The DCE Audit Service was first released with HP DCE 1.4.x; it provides auditing capabilities for the DCE Security and Time services. By default, all audit events are disabled (not logged). As part of the default DCE configuration start-up, the DCEAUDITFILTERON environment variable is set. When set, the DCEAUDITFILTERON environment variable specifies that audit event filtering must be used to enable logging of the desired set of audit events. To enable auditing, the auditd server process must be started on any system where auditing is desired. As part of the standard DCE configuration start-up for auditd, a set of audit filters is specified for the Security, DTS and auditd server processes. (You can modify these filters as necessary for your site.) You will need to do some planning to determine the degree of auditing proper for your site, and to allow for the disk space overhead of your audit logs. If you want to do some auditing, such as logging and tracking modifications to the security registry database, audit filtering is highly recommended. By using audit filtering, it is possible to change the types of events being audited dynamically, without needing to restart the servers for the changes to take effect. Administrators should periodically monitor the size of the Security audit logs on the Security server machines.
Each audit trail log consists of two files — the actual trail log file and the associated index file. These logs are in:
Other older audit logs may also be present. These can be found under the same directory, but have a date and time stamp format inserted into the name. As an example:
For detailed information on the DCE Audit Service, see the OSF DCE Administration Guide and Reference. For Audit Service configuration information, see Chapter 5 of this manual.

English-language users of HP DCE/9000 should set the NLSPATH environment variable to include /usr/lib/nls/C/%N, or should set NLSPATH to include /usr/lib/nls/%L/%N and LANG to C. Users who want to use another language should set the NLSPATH environment variable to include /usr/lib/nls/%L/%N and LANG to their preferred language. See the environ (5) and locale (1) man pages for details on LANG and NLSPATH syntax.

When you run dcecp in "local" mode (that is, when you start dcecp with the local option) on a host with dced in partial-service mode, there is a possibility that a dcecp "acl modify -add" command will not work. The interactive dcecp session may hang, or a Bus Error may be returned. One workaround for this condition is to run dcecp in normal mode on a host that is running dced, also in normal mode, and then execute dcecp again. Alternatively, you can quit out of local mode between acl modify -add commands, as follows:
At HP DCE 1.6, dcecp's secval activate and secval deactivate commands became asynchronous. They return before the actual change takes place within dced. Therefore, you should use the secval status command to verify the state change. Prior to HP DCE 1.6, secval activate and secval deactivate were synchronous and did not return until the actual state change finished in dced.
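Scripts written against the pre-1.6 synchronous behaviour can silently act on a state change that has not yet happened in dced. The POSIX shell wrapper below is an added example, not code from the HP manual; it assumes dcecp accepts -c "command" and that secval status prints 1 when the security validation service is active and 0 when it is not (assumed output format; check the dcecp secval man page for your release).

```shell
#!/bin/sh
# Added example, not from the HP DCE manual. Wraps the asynchronous
# "secval activate" / "secval deactivate" commands and polls
# "secval status" until dced reports the requested state.
# Assumed: dcecp accepts -c "<command>", and "secval status" prints
# 1 when the security validation service is active, 0 when it is not.

# Poll "secval status" up to $2 times (default 10), one second apart,
# until it prints the expected value $1. Returns 0 on success, 1 on timeout.
wait_for_secval() {
    expected="$1"
    attempts="${2:-10}"
    i=0
    while [ "$i" -lt "$attempts" ]; do
        current=$(dcecp -c "secval status" 2>/dev/null)
        if [ "$current" = "$expected" ]; then
            return 0
        fi
        i=$((i + 1))
        sleep 1
    done
    return 1
}

# Request the state change, then confirm it inside dced instead of assuming
# (as pre-1.6 scripts could) that the command returned only once it was done.
set_secval() {
    case "$1" in
        activate)   want=1 ;;
        deactivate) want=0 ;;
        *) echo "usage: set_secval activate|deactivate" >&2; return 2 ;;
    esac
    dcecp -c "secval $1" || return 1
    if wait_for_secval "$want" 10; then
        echo "secval $1: confirmed by secval status"
        return 0
    fi
    echo "secval $1: dced did not report state $want in time" >&2
    return 1
}
```

Call set_secval activate (or deactivate) from a script as the cell administrator; a non-zero exit means the state change was never confirmed by secval status.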
SharedPrint/UX 1.3 or earlier will not operate with HP DCE/9000.

There is a limitation in the k5dcelogin command when called by rlogin -f to log in to the local node. If you already have Kerberos credentials on the local node when using rlogin -f to log in, then when you exit or log out, your local Kerberos credentials will be deleted. This is a limitation in k5dcelogin, where the local credentials are deleted on completion of the process. The workaround is to use rlogin without the -f option when logging in to the local node. When you use rlogin -f to log in to a remote node, k5dcelogin deletes the credentials on the remote system once you exit the remote system; this is intended behavior.