OSF DCE Administration Guide--Core Components

Overview of DCE Security
(See Chapter 41 for a detailed description of the structure of the registry database and the
types of information it contains.)
The collection of objects controlled by a registry database is an entity known as a cell.
Authenticated communication between cells is possible only if those cells have special
accounts in the registry database of the cell they wish to communicate with. These
special accounts set up cross-cell authentication, which gives principals from one cell
authenticated access to another cell. (See Chapter 33 for information about establishing
accounts for cross-cell authentication.)

27.3 Physical Security of the Database

The DCE Security Service provides safeguards for network security, protecting
information that is transmitted across the network by guaranteeing the identities of
principals who engage in cross-machine communications. The security server and the
database that it serves, however, reside on a local machine. The registry database is only
as secure as the machine on which it resides. In addition to
ensuring that sensitive data can be accessed on the local machine only by root, you need
to provide physical security for the machine on which the security server resides. This
can include situating the machine in a locked room, keeping a log of when and by whom
the machine is accessed, and any other methods that may be appropriate to your needs.
(See the for a more detailed discussion of authentication.)
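
One way to check the "accessible only by root" requirement above, as an added example that is not part of the original guide. The function name, the demo file names and the scratch tree are constructed for illustration; the directory to audit is site-specific and is not given on this page.

```shell
#!/bin/sh
# Added example: confirm that a directory tree can be accessed by one
# owner only (root by default), as section 27.3 requires for sensitive data.

# audit_owner_only DIR [UID]
# Prints every non-symlink entry under DIR that is not owned by UID
# (default 0) or that grants any group/other permission bit.
# Returns 0 when the tree is clean, 1 when findings exist, 2 on bad input.
audit_owner_only() {
    dir=$1
    owner=${2:-0}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # Portable -perm tests: each one matches if that single bit is set.
    findings=$(find "$dir" ! -type l \( \
        ! -user "$owner" \
        -o -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Constructed demonstration on a scratch tree owned by the invoking user,
# so it runs without root. File names here are hypothetical.
demo() {
    tmp=$(mktemp -d) || return 2
    chmod 700 "$tmp"
    : > "$tmp/registry_copy" && chmod 600 "$tmp/registry_copy"
    : > "$tmp/update_log"    && chmod 644 "$tmp/update_log"   # too open
    audit_owner_only "$tmp" "$(id -u)"
    status=$?
    rm -rf "$tmp"
    return $status
}
```

On a real security server, call audit_owner_only with the directory that holds the on-disk registry copy and no second argument, so that ownership is checked against UID 0.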

27.4 How the Registry Database is Stored

Each security server maintains a working copy of the registry database in virtual memory
and a permanent copy on disk. All reads and updates operate on the copy that is in
virtual memory. The servers use the copy that is on disk to initialize the copy in virtual
memory when they start up. An atomic update log is used to guarantee the database state
in the event of server failure.
Figure 27-2 shows the server and the disk and virtual memory copies of the registry
database.
124243 Tandem Computers Incorporated 273