OSF DCE Application Development Guide--Core Components

RPC and Other DCE Components

14.2.1.1 Cross-Cell Authentication

A client can engage in authenticated RPC with a target server that is in the client’s cell
or in a foreign cell. In the case of cross-cell authentication, DCE security performs the
necessary additional steps on behalf of the client.

To establish authenticated RPC with a foreign server, a client must supply the fully
qualified principal name of the server. A fully qualified name includes the name of the
cell as well as the name of the principal and takes the following form:

    /.../cell_name/principal_name

14.2.1.2 Protection Levels

When a client establishes authenticated RPC, it can specify the level of protection to be
applied to its communications with the server. The protection level determines how
much of the client/server messages is encrypted. As a rule, the more restrictive the
protection level, the greater the impact on performance. Different levels are provided so
that applications can control the tradeoff between protection and performance.

Note that the protection level is entirely a client responsibility. When a server registers
its supported authentication service with the RPC runtime, it does not specify any
protection information for that service. However, the server can include the protection
level used for a particular operation when deciding if the caller is authorized to perform
the operation.
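
The server-side decision described above, sketched as an added example that is not part of the original guide or of DCE itself. It assumes the server has already obtained the caller's principal name and the protection level of the call from the RPC runtime; the trusted-cell list, the operation names, the policy table and the LVL_* mirrors of the levels listed in this section are hypothetical, and the comparison assumes that higher-numbered levels protect more.

```c
#include <string.h>

/* Local mirrors of the levels listed in this section (assumption: same
 * values as the DCE constants; a real server uses the header constants). */
enum { LVL_DEFAULT = 0, LVL_NONE = 1, LVL_CONNECT = 2, LVL_CALL = 3 };

/* Hypothetical policy: cells whose principals this server accepts. */
static const char *const trusted_cells[] = {
    "corp.example.com", "lab.example.org"
};

/* Hypothetical per-operation minimum protection levels. */
struct op_policy { const char *op; unsigned min_level; };
static const struct op_policy policy[] = {
    { "read_status",  LVL_CONNECT },
    { "update_entry", LVL_CALL },
};

/* Return 1 if name has the form /.../cell_name/principal_name for a
 * trusted cell. The '/' after the cell name is checked so that
 * "corp.example.com.evil" cannot pass as "corp.example.com". */
static int caller_in_trusted_cell(const char *name)
{
    static const char root[] = "/.../";
    size_t i, n;
    if (name == NULL || strncmp(name, root, sizeof root - 1) != 0)
        return 0;                        /* not fully qualified */
    name += sizeof root - 1;
    for (i = 0; i < sizeof trusted_cells / sizeof trusted_cells[0]; i++) {
        n = strlen(trusted_cells[i]);
        if (strncmp(name, trusted_cells[i], n) == 0 &&
            name[n] == '/' && name[n + 1] != '\0')
            return 1;
    }
    return 0;
}

/* Authorization decision: 1 = allow, 0 = deny. Unknown operations and
 * calls made with no concrete protection level are denied. */
int authorize_call(const char *op, const char *caller, unsigned level)
{
    size_t i;
    if (op == NULL || !caller_in_trusted_cell(caller))
        return 0;
    if (level == LVL_DEFAULT || level == LVL_NONE)
        return 0;
    for (i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (strcmp(op, policy[i].op) == 0)
            return level >= policy[i].min_level;
    return 0;
}
```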

Authenticated RPC supports the following protection levels:

rpc_c_protect_level_default
    Uses the default protection level for the specified authentication service.

rpc_c_protect_level_none
    There is no protection level.

rpc_c_protect_level_connect
    Performs protection only when the client establishes a relationship with
    the server. This level performs an encrypted handshake when the client
    first communicates with the server. Encryption or decryption is not
    performed on the data sent between the client and server. The fact that
    the handshake succeeds indicates that the client is active on the
    network.

rpc_c_protect_level_call
    Performs protection only at the beginning of each remote procedure call
    when the server receives the request. This level attaches a verifier to
    each client call and server response.

    This level does not apply to remote procedure calls made over a
    connection-based protocol sequence; that is, ncacn_ip_tcp. If this level
    is specified and the binding handle uses a connection-based protocol
124245 Tandem Computers Incorporated 149