The Open Group's latest release of the Distributed Computing Environment includes significant enhancements to security.
By Kathryn DeNitto
The ongoing development of the OSF Distributed Computing Environment (DCE) is being managed by The Open Group through its pre-structured technology (PST) process. In a PST, companies with a common interest in developing a given software technology pool resources to share development costs and shorten time to market; The Open Group acts as the project manager. This approach toward collaborative development permits industry support and participation, and furthers The Open Group's efforts to accelerate the deployment of open systems.
The DCE 1.2.2 PST is sponsored by Digital Equipment Corp., Hewlett-Packard, Hitachi and IBM. The result of The Open Group's second PST, DCE 1.2.2 was released in December 1996. This release builds on capabilities provided in the previous one, DCE 1.2.1, providing enhancements to DCE's security services and improvements in manageability, fault tolerance, performance and scalability for the Distributed File System and other services. It is designed to ease programming, improve integration with other computing environments and make administration more flexible.
DCE enables organizations to develop, use and maintain distributed applications across heterogeneous networks. It has applicability in three of today's most important areas of computing: security, the World Wide Web and distributed objects.
DCE comprises services that reside on top of the operating system, forming middleware that allows organizations to distribute processing and data across the enterprise. Because DCE is independent of the operating system and network, it enables interaction between clients and servers. DCE is available for major computer operating systems, including Unix, MVS, VMS, Windows, Windows NT, OS/2 and Macintosh. Here are the new features that users will find in products based on DCE 1.2.2 technology.
Public key support. DCE 1.2.2 allows public key technology (such as from RSA or smart cards) to be used to support login. With this technology, the security server need not store the long-term key (or password) for a principal (that is, a user, server, printer or other network object that can communicate securely with another such object). The key, therefore, will remain undisclosed should the security server be compromised. Administrators can specify that some principals may use the pre-DCE 1.2.2 mechanisms, while others have access to the public key mechanism. DCE 1.2.2 retains interoperability with previous DCE releases.
In DCE 1.2.2, a new pre-authentication protocol is used. At login, public key users receive credentials that allow them to use the current Kerberos-based DCE authentication mechanism. The login client need not determine whether a given user is public key-capable prior to requesting credentials. To facilitate transition, a new "keystore server" stores private keys for users or sites without access to hardware-based cryptographic tokens, secure file system storage and so on.
A new certification application programming interface (API) also is provided. This facility handles the mapping of a principal name to a public key, so programmers may hide the details of their own certificate authority access methods and trust model. By letting developers "plug in" their own policy and storage modules, this facility continues the DCE practice of providing a foundation without dictating a single-use model.
Kerberos version 5 support. The authentication portion of the DCE security service is based on version 5 (V5) of the Massachusetts Institute of Technology (MIT) Kerberos authentication and key distribution service. With previous releases of DCE, Kerberos V5 applications have been able to use the DCE security service as a Kerberos server. Release 1.2.2 adds testing and official support for this capability. In addition, DCE 1.2.2 includes implementations of the network utilities rlogin and rsh, which use the DCE Kerberos facilities to avoid exposing passwords on a network.
User-to-user authentication. In DCE release 1.2.2, the user-to-user authentication facility provides an alternate ticket granting service (TGS) protocol as defined in the Internet Engineering Task Force (IETF) RFC 1510 (Kerberos V5). It offers server applications the same sort of insulation from a principal's long-term key that is available for client applications. In particular, it is possible to direct a protected remote procedure call (RPC) to a program that has only a login context, and no key table (file) or other access to a long-term key.
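The user-to-user exchange described above, as an added illustration that is not DCE code: a Python model of the RFC 1510 ENC-TKT-IN-SKEY option, in which the KDC seals the service ticket under the session key of the server's own TGT instead of a long-term key. The cipher is a toy stand-in, the AS exchange is simplified, and the principal names are constructed.

```python
import hashlib, hmac, json, os

def _ks(key, nonce, n):  # SHA-256 counter keystream (toy stand-in for a Kerberos etype)
    out = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                   for i in range(n // 32 + 1))
    return out[:n]

def seal(key, obj):
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct)))))

class KDC:
    def __init__(self):
        self.tgs_key = os.urandom(32)  # known only to the KDC
        self.long_term = {}            # principal -> long-term key (key-table servers)

    def login(self, principal):
        """Simplified AS exchange: return (TGT, TGT session key) for a login context."""
        sk = os.urandom(32)
        return seal(self.tgs_key, {"client": principal, "key": sk.hex()}), sk

    def tgs(self, client_tgt, server, server_tgt=None):
        """Issue a service ticket; server_tgt models ENC-TKT-IN-SKEY (user-to-user)."""
        client = unseal(self.tgs_key, client_tgt)["client"]
        if server_tgt is None:
            key = self.long_term[server]        # conventional: server's long-term key
        else:
            s = unseal(self.tgs_key, server_tgt)
            if s["client"] != server:           # TGT must belong to the target server
                raise ValueError("additional ticket is not the server's TGT")
            key = bytes.fromhex(s["key"])       # user-to-user: server's TGT session key
        svc_key = os.urandom(32)
        ticket = seal(key, {"client": client, "server": server, "key": svc_key.hex()})
        return ticket, svc_key

def demo():
    kdc = KDC()                                  # constructed principals below
    alice_tgt, _ = kdc.login("alice")
    app_tgt, app_sk = kdc.login("bob_app")       # login context only, no key table
    ticket, svc_key = kdc.tgs(alice_tgt, "bob_app", server_tgt=app_tgt)
    seen = unseal(app_sk, ticket)                # opened with the TGT session key
    return seen["client"], bytes.fromhex(seen["key"]) == svc_key
```

The conventional path fails for `bob_app` because the KDC holds no long-term key for it, which is the case the user-to-user option exists to serve.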
Global groups. DCE 1.2.2 allows principals from a foreign cell to be added to groups in the local cell. For example, suppose a user in a DCE cell (the foreign cell) needs to cooperate with a group of users in a different cell (at the same or a different location). The user in the foreign cell can have his or her identity added to the group in the other cell, automatically allowing the user to assume the same access privileges as the group members with whom the user is working. This feature should ease enterprise-wide security administration, cell reconfiguration and other management tasks.
Scalability improvements. Changes made to the DCE security server deliver considerable performance improvements when servicing large cells (those with more than 50,000 principals). These changes include documenting the configurable checkpoint interval and partitioning internal data sets so that the amount of data written to disk during a checkpoint is proportional to the amount of data modified. In addition, DCE 1.2.2 addresses bottlenecks and areas of excess resource consumption.
Use of protected RPC. New administrative controls allow administrators to distinguish same-cell communication from intercell communication. As a result, a DFS cache manager can implement one set of RPC protection rules for intracell use (presumably protected behind a network firewall), while using another set for data sharing outside the cell. Command line arguments and management clients enable administrators to achieve the right balance between protection and computational overhead. All architectural uses of unauthenticated RPCs have been eliminated.
DFS server multi-home support. DCE 1.2.2 has enhanced the DFS services to perform better on hosts connected through multiple interfaces to multiple networks ("multi-homed" hosts). This enhancement enables the DFS server to route its responses more efficiently when running on such machines. The DCE 1.2.2 version of DFS also gains fault tolerance by handling network failures as transparently as possible on a multi-homed host.
64-bit file system support. DCE DFS 1.2.2 supports 64-bit files and file systems while maintaining interoperability with 32-bit machines and systems.
Developers often use third-party packages that are not thread-aware, resulting in applications that cannot take advantage of DCE threads. A thread-free version of DCE RPC increases software reuse by making it substantially easier for nonthreaded applications to be adapted to DCE.
Standard Generalized Markup Language (SGML) is an industry standard for representing documentation that is intended to be viewed in a variety of formats, encompassing printed matter and online "hypertext" viewing. In DCE 1.2.2, all documentation is available as SGML source, using the DocBook document type definition.
Today DCE is provided by more vendors and has been ported to more platforms than any other distributed computing product suite on the market. Work is under way at The Open Group to make DCE an even more robust technology.
Kathryn DeNitto is DCE business area manager for The Open Group. She can be reached at email@example.com.