OSF DCE Application Development Guide: Core Components
On the application level, a server makes itself available for authenticated
communications by registering its principal name and the authentication service that it
supports with the RPC runtime. The server principal name is the name used to identify
the server as a principal to the registry service provided by the security service. In
practice, this name is usually the same as the name that the server uses to register itself
with the DCE Directory Service.
A client must establish the authentication service, protection level, and authorization
service that it wishes to use in its communications with a server. The client identifies the
intended server by means of the principal name that the server has registered with the
RPC runtime. Once the required authentication, protection, and authorization
parameters have been established for the server binding handle, the client issues remote
procedure calls to the server as it normally does.
The security service, in conjunction with the RPC runtime, assumes responsibility for the
following:
• Authenticating the client and server in accordance with the requested authentication
service
• Applying the requested level of protection to communications between the client and
server
• Providing client authorization data to the server in a form determined by the
requested authorization service
Note: For a detailed discussion of authentication within the context of DCE
security, refer to Chapter 23 of this guide.
14.2.1 Authentication
When a client establishes authenticated RPC, it must indicate the authentication service
that it wants to use. The possible values are the following:
rpc_c_authn_none No authentication
rpc_c_authn_dce_secret DCE shared-secret key authentication
rpc_c_authn_dce_public DCE public key authentication
rpc_c_authn_default DCE default authentication service
The value rpc_c_authn_none is used to turn off authentication already established for a
binding handle. The default authentication is DCE shared-secret (also known as private
key) authentication.
Before a client and server can engage in authenticated RPC, they must "agree" on
which authentication service to use. Specifically, the server must register the "agreed
on" authentication service with the RPC runtime, along with the server's principal
name. For its part, the client must select the same service for the server's binding
handle. The client indicates the appropriate server by supplying the server's principal
name. If the client does not know the server's name, it can use the
rpc_mgmt_inq_server_princ_name() routine to determine the name.
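The server-side registration, the client-side binding setup, and the "agreement" rule that ties them together can be traced in a small model of what the RPC runtime records. The following C program is an added example written for this section; it is not code from the guide or from the DCE libraries. It mirrors the roles of rpc_server_register_auth_info(), rpc_binding_set_auth_info() and rpc_mgmt_inq_server_princ_name() with local functions of the same shape, so it compiles without DCE headers. The numeric values given to the rpc_c_authn_*, rpc_c_protect_level_* and rpc_c_authz_* symbols are assumed to match dce/rpcbase.h, the principal names are constructed, and the behaviour on mismatch (the runtime refuses to authenticate the call) is this model's reading of the text.

```c
#include <stdio.h>
#include <string.h>

/* Authentication service identifiers named in the text. The numeric values are
 * an assumption (taken to match dce/rpcbase.h); the symbolic names are the guide's. */
#define rpc_c_authn_none        0u
#define rpc_c_authn_dce_secret  1u
#define rpc_c_authn_dce_public  2u
#define rpc_c_authn_default     0xffffffffu

/* Protection level and authorization service used by the client below; values
 * are likewise assumed from dce/rpcbase.h. */
#define rpc_c_protect_level_pkt_integrity 5u
#define rpc_c_authz_dce                   2u

/* What the (model) RPC runtime remembers after the server registers:
 * one principal name per authentication service. */
struct auth_registration {
    unsigned int authn_svc;
    char princ_name[64];
};

/* What a client binding handle carries after the client sets its auth info. */
struct binding_auth {
    unsigned int authn_svc;
    unsigned int protect_level;
    unsigned int authz_svc;
    char server_princ_name[64];
};

static struct auth_registration registry[4];
static int registry_count = 0;

/* Forget all registrations (lets the model be run several times). */
void registry_reset(void) { registry_count = 0; }

/* rpc_c_authn_default stands for DCE shared-secret key authentication. */
static unsigned int resolve_authn(unsigned int svc) {
    return svc == rpc_c_authn_default ? rpc_c_authn_dce_secret : svc;
}

/* Server side, in the role of rpc_server_register_auth_info(): record the
 * principal name together with the service the server supports.
 * Returns 0 on success, -1 if the model registry is full. */
int server_register_auth_info(const char *princ_name, unsigned int authn_svc) {
    if (registry_count >= (int)(sizeof registry / sizeof registry[0])) return -1;
    registry[registry_count].authn_svc = resolve_authn(authn_svc);
    snprintf(registry[registry_count].princ_name,
             sizeof registry[registry_count].princ_name, "%s", princ_name);
    registry_count++;
    return 0;
}

/* In the role of rpc_mgmt_inq_server_princ_name(): a client that does not know
 * the server's name asks which name is registered for a given service.
 * Returns NULL when the server registered nothing for that service. */
const char *inq_server_princ_name(unsigned int authn_svc) {
    unsigned int svc = resolve_authn(authn_svc);
    for (int i = 0; i < registry_count; i++)
        if (registry[i].authn_svc == svc) return registry[i].princ_name;
    return NULL;
}

/* Client side, in the role of rpc_binding_set_auth_info(): select service,
 * protection level, authorization service and the server's principal name.
 * rpc_c_authn_none turns off authentication already set on the handle. */
void binding_set_auth_info(struct binding_auth *b, const char *server_princ_name,
                           unsigned int protect_level, unsigned int authn_svc,
                           unsigned int authz_svc) {
    b->authn_svc = resolve_authn(authn_svc);
    b->protect_level = protect_level;
    b->authz_svc = authz_svc;
    if (b->authn_svc == rpc_c_authn_none)
        b->server_princ_name[0] = '\0';
    else
        snprintf(b->server_princ_name, sizeof b->server_princ_name, "%s", server_princ_name);
}

/* The agreement the text requires: the call is authenticated only if the
 * service on the binding is one the server registered under that same
 * principal name. Returns 1 (authenticated), 0 (authentication turned off),
 * or -1 (no agreement: in this model the runtime refuses the call). */
int runtime_check_agreement(const struct binding_auth *b) {
    if (b->authn_svc == rpc_c_authn_none) return 0;
    for (int i = 0; i < registry_count; i++)
        if (registry[i].authn_svc == b->authn_svc &&
            strcmp(registry[i].princ_name, b->server_princ_name) == 0)
            return 1;
    return -1;
}

int main(void) {
    struct binding_auth b;
    const char *name;
    registry_reset();
    /* Server: constructed principal name, default (shared-secret) service. */
    server_register_auth_info("/.:/hosts/node1/bank_server", rpc_c_authn_default);
    /* Client: does not know the name, asks the runtime, then sets up the handle. */
    name = inq_server_princ_name(rpc_c_authn_dce_secret);
    binding_set_auth_info(&b, name, rpc_c_protect_level_pkt_integrity,
                          rpc_c_authn_dce_secret, rpc_c_authz_dce);
    printf("secret key, same name: %d\n", runtime_check_agreement(&b));
    binding_set_auth_info(&b, name, rpc_c_protect_level_pkt_integrity,
                          rpc_c_authn_dce_public, rpc_c_authz_dce);
    printf("public key, not registered: %d\n", runtime_check_agreement(&b));
    return 0;
}
```

The model keeps the check deliberately narrow: agreement is on (service, principal name) only, while protection level and authorization service ride along on the binding untouched, which matches the text's division of labour between the client's choices and the service the server registered.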
14 − 8 Tandem Computers Incorporated 124245