OSF DCE Administration Guide--Core Components

10.3.2 Restricting Endpoints
You can restrict the assignment of endpoints (ports) for DCE servers and clients to a
specific set. This is useful if your environment has applications other than DCE that are
designed to use certain endpoints, and you do not want to be concerned about DCE
servers or clients monopolizing them.
The facility is activated by setting the RPC_RESTRICTED_PORTS environment
variable to the list of endpoints to which dynamic assignment should be restricted,
before starting a client or server application. Because it is read from the environment
of the process being started, it must be present in the environment of whatever starts
the application (a login shell, or the script that starts the cell). RPC_RESTRICTED_PORTS
governs only the dynamic assignment of ports by the RPC runtime. It does not affect
well-known endpoints, which a server binds regardless of the variable.
The following example restricts servers to using TCP/IP endpoints ranging from 5000 to
5110, and 5500 to 5521. It restricts UDP/IP endpoints to the range of 6500 to 7000. The
variable must be exported to the environment (setenv in the C shell, or export in the
Bourne shell; a C shell set creates only a shell variable that the server never sees), and
the value is quoted so that the shell does not treat the brackets as a filename pattern:
% setenv RPC_RESTRICTED_PORTS \
  'ncacn_ip_tcp[5000-5110,5500-5521]:ncadg_ip_udp[6500-7000]'
$ RPC_RESTRICTED_PORTS='ncacn_ip_tcp[5000-5110,5500-5521]:ncadg_ip_udp[6500-7000]'
$ export RPC_RESTRICTED_PORTS
To use RPC_RESTRICTED_PORTS for DCE servers such as CDS, set the
environment variable each time before starting your cell.
Note that this facility does not add any security to RPC and is not intended as a security
feature. It merely makes it practical to configure a network "firewall" that admits incoming
calls to DCE servers on a known set of ports. Nothing enforces the restriction beyond the
runtime's own port selection: a server started without the variable in its environment, or
one listening on a well-known endpoint, is not confined to these ranges, so the firewall,
not the variable, is the control that limits what is reachable.
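As an added example (written for this page, not taken from the guide or from any DCE implementation), the following Python script parses an RPC_RESTRICTED_PORTS value in the syntax shown above, models the port choice the restriction asks of the runtime, checks a list of endpoint-map entries against the permitted ranges, and emits the firewall allow rules the facility is meant to support. The mapping of each protocol sequence to TCP or UDP, the iptables rule syntax, and the sample endpoints are assumptions made here for illustration.

```python
"""Parse, check and act on an RPC_RESTRICTED_PORTS value (illustrative helper)."""
import os
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Inclusive (low, high) port ranges keyed by DCE protocol sequence.
PortRanges = Dict[str, List[Tuple[int, int]]]

# The two protocol sequences named in the guide. The transport each one rides
# on is an assumption used only to label firewall rules.
PROTSEQ_TRANSPORT = {"ncacn_ip_tcp": "tcp", "ncadg_ip_udp": "udp"}

# One entry: protocol sequence followed by a bracketed list of ranges.
_ENTRY_RE = re.compile(r"^([a-z_]+)\[([0-9,\-]+)\]$")


def parse_restricted_ports(value: str) -> PortRanges:
    """Parse e.g. 'ncacn_ip_tcp[5000-5110,5500-5521]:ncadg_ip_udp[6500-7000]'.

    ':' separates protocol sequences, ',' separates ranges, and a range is
    'low-high' or a single port. Malformed input raises ValueError instead of
    being skipped, since a silently dropped entry would widen what a server may pick.
    """
    ranges: PortRanges = {}
    for entry in value.split(":"):
        if not entry:
            continue
        m = _ENTRY_RE.match(entry)
        if m is None:
            raise ValueError("malformed entry: %r" % entry)
        protseq, body = m.group(1), m.group(2)
        if protseq not in PROTSEQ_TRANSPORT:
            raise ValueError("unknown protocol sequence: %s" % protseq)
        for item in body.split(","):
            low_s, dash, high_s = item.partition("-")
            if not low_s.isdigit() or (dash and not high_s.isdigit()):
                raise ValueError("bad port range: %r" % item)
            low = int(low_s)
            high = int(high_s) if dash else low
            if not 1 <= low <= high <= 65535:
                raise ValueError("bad port range: %r" % item)
            ranges.setdefault(protseq, []).append((low, high))
    return ranges


def restriction_error(value: str) -> Optional[str]:
    """Return the parse error for a value, or None if it is acceptable.

    Suitable for a cell startup script that wants to refuse to start with a
    mistyped variable rather than run unrestricted."""
    try:
        parse_restricted_ports(value)
    except ValueError as exc:
        return str(exc)
    return None


def endpoint_permitted(ranges: PortRanges, protseq: str, port: int) -> bool:
    """True if a dynamically assigned endpoint lies inside the permitted set."""
    return any(low <= port <= high for low, high in ranges.get(protseq, []))


def choose_dynamic_port(ranges: PortRanges, protseq: str, in_use: Set[int]) -> Optional[int]:
    """Model the choice the restriction asks of the runtime: the first free port
    inside the permitted ranges for this protocol sequence, or None if none is free."""
    for low, high in ranges.get(protseq, []):
        for port in range(low, high + 1):
            if port not in in_use:
                return port
    return None


def endpoints_outside(ranges: PortRanges, endpoints: Iterable[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Return the (protseq, port) pairs NOT covered by the restriction.

    Feed this the endpoints read from a host's endpoint map to confirm that the
    servers started there honoured the variable. Well-known endpoints are
    expected to appear here, since the restriction does not apply to them."""
    return [(p, port) for p, port in endpoints if not endpoint_permitted(ranges, p, port)]


def firewall_rules(ranges: PortRanges, server_addr: str) -> List[str]:
    """Emit one inbound allow rule per permitted range, in iptables syntax
    (an assumption; the guide names no particular firewall product)."""
    rules = []
    for protseq, spans in ranges.items():
        proto = PROTSEQ_TRANSPORT[protseq]
        for low, high in spans:
            rules.append("iptables -A INPUT -p %s -d %s --dport %d:%d -j ACCEPT"
                         % (proto, server_addr, low, high))
    return rules


if __name__ == "__main__":
    # Constructed input: the guide's example value, plus three endpoint-map
    # entries invented here; 1025 stands for a server that ignored the variable.
    default = "ncacn_ip_tcp[5000-5110,5500-5521]:ncadg_ip_udp[6500-7000]"
    value = os.environ.get("RPC_RESTRICTED_PORTS", default)
    ranges = parse_restricted_ports(value)
    observed = [("ncacn_ip_tcp", 5003), ("ncadg_ip_udp", 6512), ("ncacn_ip_tcp", 1025)]
    print("outside restriction:", endpoints_outside(ranges, observed))
    for rule in firewall_rules(ranges, "192.0.2.10"):
        print(rule)
```

The parser is deliberately strict: an entry it cannot read is an error, not a no-op, because the failure mode of a mistyped value is a server that binds wherever it likes while the firewall still only admits the intended ranges, which presents as an unexplained connection failure rather than as a misconfiguration.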
10.3.3 Viewing Information in the Endpoint Map
For the most part, the endpoint map on each host takes care of itself, purging stale entries
when necessary and discarding all endpoint information each time the host reboots, so
no routine administration of the endpoint map is needed.
However, when client/server communication problems arise, the information stored in
the endpoint map might be useful to administrators, particularly for determining whether
servers are supplying the correct endpoint information to clients. In this case, you can
use the endpoint object to view endpoint map information. Besides its use in
troubleshooting, you can also use the endpoint object for other specialized server
operations such as adding new object UUIDs to existing mappings.
Endpoints are not protected by ACLs. This means anyone who can run dcecp can use an
endpoint show operation on their host to view endpoint information on any other host in
the cell, so the set of servers, interfaces and ports on every host should be regarded as
visible to every principal in the cell. Other endpoint operations, such as creating or deleting
endpoints, can be performed only by users who are logged into the local host. No other
special privileges, such as system administrator or root privileges, are needed for local
access to endpoint information; consequently any account on a host can add, alter or remove
that host's mappings, and local logins on hosts that run DCE servers should be limited to
trusted users.
10 18 Tandem Computers Incorporated 124243