1 — PC-DCE Overview

[Previous] [Next] [Contents] [Index]

Entegrity® PC-DCE™ is a Windows implementation of OSF DCE Version 1.2.2, and is fully compliant with the The Open Software Foundation (OSF) DCE standards.

NOTE: Throughout documents related to Entegrity PC-DCE, use of the term Windows refers to all supported Windows operating systems unless noted otherwise.

The purpose of this document is to provide DCE developers and administrators an overview of how PC-DCE is implemented under Windows, special features that are available only with PC-DCE, and technical details regarding the client implementation.

This chapter contains the following sections:

1.1 OSF DCE Overview
1.2 How PC-DCE Implements DCE Under Windows
1.3 Special Features
1.4 PC-DCE Kit Components

1.1 OSF DCE Overview

OSF Distributed Computing Environment provides services and tools that support the creation, use, and maintenance of distributed applications in a heterogeneous computing environment.

By distributed computing we mean computing that involves the cooperation of two or more machines communicating over a network. The machines participating in the system can range from personal computers to supercomputers; the network can connect machines in one building or on different continents.

1.2 How PC-DCE Implements DCE Under Windows

This section discusses how PC-DCE implements specific aspects of OSF DCE in a Windows environment.

1.2.1 Client/Server Architecture

A PC-DCE cell includes client systems and at least one system installed with server components. Each cell member running Windows must have the PC-DCE Client Runtime installed. The runtime component is included in both the Server kit and the Client Runtime kit.

1.2.1.1 Server

The PC-DCE server implementation integrates DCE service daemons directly into the Windows Services subsystem. The primary daemons are:

• Security Service daemon (secd)
  
• Cell Directory Service daemon (cdsd)
  
• Cell Directory Service Advertiser (cdsadv)
  
• DCE daemon (dced)
  
• Distributed Time Service daemon (dtsd)
  
• Global Directory Agent (gdad)
  
• Name Service Interfaces daemon (nsid)
  

NOTE: The nsid can also function as a client.

The implementation of the client components under Windows is treated in detail in Chapter 2.

1.2.2 DCE_Service Process

The dce_service process manages a number of different tasks within your DCE environment. The actual list of services it ultimately offers depends on the type of configuration you choose.

The dce_service process also performs the following housekeeping functions:

• Deletes stale credential files

• Manages the dce_update process

• Starts, stops, and displays individual DCE processes in a server or full client configuration

• Handles the priming mechanism for the optional Endpoint Services Only option

On all supported Windows operating systems except Windows 98, PC-DCE uses the Microsoft endpoint mapper service, rpcss.exe, to provide socket lookup services for applications. Enable Endpoint Service Only on the Options tab of the PC-DCE Configuration Panel to start the DCE endpoint primer, which determines if rpcss.exe is running, and starts it if it is not. See Section 1.2.3 on page 10.

On Windows 98, dced.exe provides endpoint mapping services.

1.2.4 Error Message Handling

On all supported Windows operating systems except Windows 98, all error messages generated by the DCE services are written directly to the Windows NT Event Logger to provide consistent error handling.

On Windows 98, DCE errors are logged to the install_directory\dce32.log file.

1.2.5 Environment

DCE environment information (environment variables, path information, login credentials, and so on.) is incorporated into the Windows Registry and system environment variables. You can modify registry keys and environment variables to fine-tune PC-DCE behavior.

1.2.6 Integrated Login

PC-DCE provides integrated login to Windows and to DCE. When a user logs into Windows, PC-DCE automatically logs the user into DCE. For integrated login to work:

• The user's Windows and DCE user names must be identical
  
• The user's Windows and DCE passwords must be identical
  
• The integrated login feature must be enabled in the local PC-DCE configuration
  

The integrated login feature also detects when the user changes his Windows password and automatically updates the DCE password.

1.2.7 Pthreads

PC-DCE offers the common DCE pthread API, but uses the available Windows kernel threads under that interface. This integration lets developers monitor pthreads using native Windows tools such as the Performance Monitor and the Process Viewer provided with the Win32® Software Developer's Kit and Resource Kit.

1.2.8 PC-DCE Tools

You can manage PC-DCE using a variety of graphical and command-line tools.

1.2.8.1 DCEsetup

DCEsetup, shown in Figure 1-1, is a tool that provides an easy-to-use graphical interface for configuring DCE services on your Windows system. With DCEsetup, you can configure the following DCE components:

• DCE Security Service
  
• DCE Cell Directory Service (CDS), including:
  
  • Name Service Interface Gateway
    
  • Global Directory Agent (GDA)
    
• Distributed Time Service (DTS)
  

DCEsetup can configure these components so that your Windows NT or Windows 2000 system can function as a:

• DCE client system
  
• Full DCE server system
  
• Split server system
  
• CDS read-only replica server
  
• Security read-only replica server
  

When you configure a system as a server, you automatically configure DCE client services on that system as well.

Many of the text entry fields that you will encounter during configuration have default values associated with them. These default values are based on your existing configuration, if you have one. Otherwise, DCEsetup provides values that are appropriate for the most common DCE configurations.

You must be logged in as a member of the Windows Administrators Group to perform a DCE configuration or make changes to a configuration.

For more information on using DCEsetup, refer to the DCEsetup online help system.

1.2.8.2 DCE Director

The DCE Director is a graphical tool for managing DCE cells. The DCE Director (Figure 1-2) makes it easy to perform management tasks, such as creating, deleting, and modifying user accounts, security groups, and CDS directories. In addition, the DCE Director allows you to access the standard DCE control programs (rgy_edit, cdscp, acl_edit, and dtscp), while providing new functions, such as allowing authorized users to preconfigure host machines in a cell and manage user accounts.

The DCE Director includes an enhanced ACL editor, the Visual DCE ACL Editor (see Section 1.2.8.3 on page 14), which allows you to graphically manage ACLs. You can invoke the Visual ACL Editor directly from the DCE Director or you can use it as a stand-alone tool by clicking its icon in the DCE program group.

Figure 1-2: DCE Director

For more information on either the DCE Director or the Visual DCE ACL Editor, refer to their respective online help systems.

If you are not using DCE Director, you can use the DCE command line tools as described in PC-DCE Administrator's Guide to perform the same functions.

1.2.8.3 Visual DCE ACL Editor

The Visual DCE ACL Editor (Figure 1-3) makes it easy for you to set the permissions for all security-relevant objects within DCE, including Registry objects and CDS objects. It allows you to display, add, modify, copy, and remove ACL entries for a specific object in a cell's namespace. You can also go past junctions to application-specific namespaces and set permissions on the ACLs of application-specific objects.

Figure 1-3: Visual DCE ACL Editor

Among the tasks you can perform using the ACL Editor are the following:

• View an object's ACL.

• Create, modify, and remove ACL entries (from your home cell and in other cells).

• Display the permissions implemented for an object's ACL by the object's application server.

• Ask about your access to an object.

• Ask about someone else's access to an object.

• Copy one ACL to another ACL.

• Create, modify, and remove masks used to restrict allowable permissions.

For more information on the Visual DCE ACL Editor, refer to the Visual DCE ACL Editor online help system.

1.2.8.4 PC-DCE Service Panel

All DCE services configured on your system are, by default, started automatically whenever you reboot your system. Sometimes, however, you may need to stop or restart PC-DCE manually.

On all Windows platforms supported, you can use the graphical PC-DCE Service Panel (Figure 1-4) to start, stop, test and review the operational status of individual DCE components.

Figure 1-4: PC-DCE Service Panel

NOTE: On all supported Windows operating systems except Windows 98, you can also use the Windows Services control panel to stop and restart PC-DCE.

1.2.8.5 PC-DCE Configuration Panel

The PC-DCE Configuration panel (Figure 1-5) provides an additional tool for configuring DCE cells, servers, and clients.

Figure 1-5: PC-DCE Configuration Panel

1.2.8.6 DCE Command Line Tools

PC-DCE fully implements dcecp (Distributed Computing Environment Control Program), the primary command-line management interface for managing DCE. dcecp allows you to manage core DCE administrative functions and administer DCE components remotely.

1.3 Special Features

In addition to the standard DCE functionality in The Open Group's DCE, PC-DCE provides some added features.

1.3.1 Lightweight Client

You can choose to configure a lightweight DCE client, which does not configure the dced, dtsd or cdsadv client daemons. This lightweight configuration reduces computing overhead on the client system and eliminates the need for you to specify the cell administrator principal and password during the configuration process. The lightweight client is discussed in detail in Chapter 2.

1.3.2 Per-Thread Login Contexts

Standard DCE allows you to have as many login contexts as you want, since you supply the login context handle when annotating an RPC binding handle with security or when negotiating a GSSAPI session. However, DCE allows only one process-wide default login context to be set via the sec_login_set_context() call.

PC-DCE enhances standard DCE to allow default login contexts on a per-thread basis. Your application calls sec_login_set_thread_context() to set up the thread-specific context. Then, calling sec_login_get_current_context() from that thread returns the per-thread context rather than the process-wide context.

1.3.3 CDS Preferencing

CDS preferencing lets you assign ranks to clearinghouses in a preference file, which PC-DCE reads at startup. In this way, you control a client's preference for CDS clearinghouses. CDS preferencing is useful in situations where multiple clearinghouses exist; if some of the clearinghouses are connected to the client's LAN by a low-performance WAN link, you can assign preference to a local clearinghouse.

1.3.4 Co-Authentication Service

The PC-DCE Co-Authentication Service (CAS) provides developers with the ability to plug alternative authentication methods into PC-DCE. A user logging in through CAS uses an alternative authentication method, for example a biometric device such as a fingerprint scanner, to obtain DCE login credentials.

1.3.5 C++ Support

PC-DCE includes an enhanced IDL compiler that supports C++ based application development. Developers can write client and server programs that access C++ objects transparently, independent of their location. C++ features such as inheritance and object references are supported.

1.3.6 Microsoft Terminal Server

PC-DCE v4.1 provides support for systems running Windows NT Terminal Server and Windows 2000 Terminal Server. This support is only available when you purchase PC-DCE specificlly to run in a Terminal Server Environment. The licence and cofiguration need to account for multiple clients configured with the Terminal Server. Special requirements at installation are explaind in the PC-DCE Installation and Release Notes.

1.3.7 Designating a Local Configuration Administrator

The preconfig.tcl script has been updated to include NetCrusader/Web support.

This script is a TCL/TK script that allows the cell administrator to designate a local administrator who can configure a DCE client on host machines. This allows local administrators to configure a full client into a cell without knowing the cell administrator password.

Designation can be by principal name or group name. If you designate a group, any member of the group can be a local administrator.

This feature is sometimes referred to as a preconfiguration script because the script does some of the configuration ahead of time, before the local administrator finishes the configuration. This feature is also sometimes referred to as a split configuration because the cell administrator uses the script to perform some of the configuration and then splits off the rest of the configuration tasks to a local administrator, who performs further administrator tasks on the remote client host.

NOTE: Other Entegrity products, DCE for Linux and DCE for Tru64 UNIX use a similar term for something different. There, split server configuration is where the CDS and Security master servers are on different hosts in a cell.

Information You Need to Run preconfig.tcl

The preconfig.tcl script asks for the following information:

• A list of fully qualified domain names of the hosts that you want to configure

• An entity name (principal or group name)

• The entity type for the entity name (group or principal)

• Administrator password

The entity (single or group) name must have a valid login in the cell to which the client machine will belong.

What the Script Does

The script creates new groups, accounts, and CDS entries necessary for the client to perform post configuration tasks such as adding the client host to the cell.

Installation steps are in the PC-DCE Administrator's Guide section 2.3.1. See the PC-DCE Configuration Panel help file for information about configuring clients.

1.4 PC-DCE Kit Components

PC-DCE kits are available in domestic and export versions. Due to U.S. federal trade restrictions, encrypted RPC (packet privacy) and encryption via the GSSAPI are disabled in the export kit.

1.4.1 Client Runtime Kit

The PC-DCE Runtime Kit (RTK) includes the PC-DCE client runtime. Once you install the Runtime Kit, you can configure the system as a DCE client in an existing cell. The client runtime runs on all Windows platforms supported.

The Client Runtime Kit includes the PC-DCE runtime software, the message catalogs, sample client/server programs, and basic administration utilities.

1.4.2 Server Kit

PC-DCE Server Kit includes the client runtime, CDS server, and standard security server.

1.4.3 Application Developer's Kit

PC-DCE Application Developer's Kit (ADK) includes the libraries, utilities, and header files that you need to create DCE-compliant applications for the Windows environment.

[Previous] [Next] [Contents] [Index]

To make comments or ask for help, contact support@entegrity.com.

Portions of this document were derived from materials provided by Compaq Computer Corporation. Copyright © 1998-2003 Compaq Computer Corporation.

Copyright © 2003 Entegrity Solutions Corporation & its subsidiaries.

All rights reserved.