On May 9th, 1996 the DCE Users Group of Michigan met at the University of Michigan's Center for Information Technology Integration (CITI). The meeting was sponsored by the "Client/Server Exchange", a joint partnership of IBM and the University of Michigan promoting open, client/server computing.
Hosting the meeting was Janani Janakiraman of UofM/CITI. Bob Brandt of the Ford Motor Company kept the minutes.
The agenda of the meeting was as follows:
Al Johnson of Chrysler was one of the attendees of the DCE User and Developer Conference held in San Jose in April; here are the minutes he took.
DUGM Minutes dugm-request@umich.edu
--------------------------------------------------------------
Next Meeting: July 11th
Need to find somebody to represent the "Introduction to
Java" talk.
- "Introduction to Java"
- "DCE, Java, and Transarc's Web Strategy"
"Secure Single-Signon with DCE"
Mike Crane
DCE Brand Mgmt.
m_crane@vnet.ibm.com
- NetSP product handled logging into MVS through 3270. They have
migrated to supporting a DCE product.
Distributed Security issues
- cross platform security model needed
- inconsistent incompatible security providers
- users require multiple IDs and PWs
- no centralized security registry/repository
- multiple administrators
Ideal security structure
- secure single signon (auth)
- single point of admin
- applications and OS's use common auth mech
- integrates/interoperates with existing systems
- frameworks for easy extension/customization
- works across priv/pub network
- provide audit capabilities
DCE and the Open BluePrint
What is secured Single SignOn (SSO)?
- integration of various mechanisms which provides authentication of userids and passwords
- provides SSO for desktop client workstations
SSO Approaches
- standardize on single security mech
- federate security mech with
DCE+ security applications from IBM
DCE+RACF interoperability
- functions: identity mapping, single authentication, security database cross-linking utilities
- LANserver 4.0a w/ DCE dir & sec - uses DCE Registry ERAs
- Can use ERAs but doesn't require them
- Application support for CICS & IMS
Identity mapping:
- Computer Associates has recently announced a similar product
- Requires Open Edition MVS 5.2
Why not integrate DCE into MVS?
Because corporations may want to retain control of RACF abilities. DCE Security server is available if you don't need RACF integration.
Single Authentication:
if RACF auth'd: performs dce_login if the need for credentials occurs
if DCE auth'd: will perform the RACF login for the user
Registry Relationships
principals rgy entry
- Uses an MVS User's User Profile
- DCE Segment: dce, principal, cell's uuid, principal's uuid, principal's password
- DCE UUIDS Profile
- dce's uuid
Tool to sync passwords between RACF and DCE?
- manual commands
Does the security server have to be on IBM?
- Can be anywhere as long as it's DCE 1.1
DB2 announced support for GSSAPI, CICS has plans to support single GUI login to do a single login that will do necessary logins under the covers
3270 session will be DCE rpc?
- pass ticket technology relies on HLLAPI interface (screen scraping)
Does the future hold integrated technology instead of screen
scraping (telnet ftp rsh 3270)?
- Yes
Overview:
1. User does network login, has icons representing apps that are
available. This does a dce login.
2. Client speaks with a DCE-based login server, this gets ERAs from DCE server, then gives LAN and host info to client.
3. Login server communicates with target machines
The technology logs you into all hosts that you are able to when you get network credentials. Issue of having 2-user license for host and how 100 users would impact that. Speaker will investigate.
- Uses DCE group membership to determine access.
Authentication Coordinator
login program - authentication framework (uses PAM)
Utilities (PSM) : Authentication Mgr
Gives ability to plug other modules such as DCE client, public key, other public key including smart card
The auth mgr does this and then talks with the logon coordinator.
This module may have the ability to provide for multiple modules for authent. Both DCE and smart card.
IBM can now resell Open Horizon products.
Looking at year-end target for this solution. DCE services group will consult to provide SSO today.
Platforms - looking at supporting Windows 95 and NT and OS/2, AIX-client. Targets - MVS, ACF2 (passticket), netware 3.x/4.x, lanserver 3.x/4.x, AIX (looking at Notes integration through publickey)
Does DB2 integrate with DCE?
- Possibly some future, DRDA access support
Tivoli for admin explanation?
- IBM had a product called DSM on MVS that creates users, modifies registries, RACF IDs, etc. That functionality will be rolled into the TME framework.
Platforms other than IBM?
- First release will be Windows/OS/2 (client). Requests for other unix may come in the future.
DCE registry is focal signon piece, passwd strength?
- Will see shortly
Any plans to be more intelligent about logging into all hosts?
- Will allow users to define what hosts to login to in future.
Will password synchronization be supported?
- Probably in future but not right away.
Use of ERAs breaks cell-to-cell. How does this get addressed in the future?
- Will look into.
Craig Demeris
Open Horizons
(teleconference)
Client/Server:
The clients, servers, and DBs are constantly changing. C/S used to mean database access. Now it is more requestor to service.
Missing Benefits of Mainframe
- reason that 90% of corporate data is on mainframe is because the
mainframes can provide these services. As these are available
elsewhere, the data will move off.
Connection: Benefits of Both
They are middleware as a product
View the network as one logical computer. Once logged in, can use any services.
DCE Users Group of Michigan (DUGM)
Author: Janani Janakiraman
Revised: 08/29/96
URL: http://www.citi.umich.edu/dugm