Open Server applications and DCE security

You can run a custom Open Server application or the Security Guardian server in your DCE cell.

For the server and its clients to communicate over the network, you must perform the normal configuration steps described in Chapter 3, “Basic Configuration for Open Server.” For the server and its clients to use DCE security services, you must perform these additional configuration steps:

  1. Decide which DCE principal the server will run as.

    You can run the server as the DCE root user, /.:/hosts/hostname/self, where hostname is the name of the computer on which the server runs. You can also create a new principal for the server.

    If necessary, use the DCE dcecp tool’s user create command to create a new principal. The command options must specify that the new principal can act as a server.

  2. If you do not run the server as the root principal, you must create a DCE keytab file for the server principal.

    A DCE keytab file is an operating system file that contains a principal’s password in an encrypted form. You create a keytab file with the DCE dcecp utility’s keytab create command. The keytab file must allow read permission for the operating system user who starts the Open Server. In a production environment, you must control access to this file: any user who can read the keytab file can run a server that impersonates your server.

  3. Make sure the DCE security driver is configured in the [SECURITY] section of libtcl.cfg. See “SECURITY section” for details.

  4. When starting the server, specify the server principal name if it is not the same as the server’s network name.

    The Open Server’s network name is its name in the interfaces file or in the DCE directory service. If the principal name does not match the network name, you must specify the principal name separately.

    A custom Open Server application specifies the principal name by setting the SRV_S_SEC_PRINCIPAL Server-Library property.

    Security Guardian users can specify the server’s principal name with the -R command-line option.

  5. When starting the server, specify the location of a DCE keytab file (see step 2 above) if the server is not run as the DCE root user (/.:/hosts/hostname/self).

    A custom Open Server application specifies the location of a keytab file by setting the SRV_S_SEC_KEYTAB Server-Library property.

    Security Guardian users can specify the location of the keytab file with the -K command-line option.
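Step 2 above requires that the keytab be readable by the operating system user who starts the server and by nobody else. The following is an added example, not code from the Open Server documentation or product, of a pre-start check that verifies this on a POSIX system before the path is passed to SRV_S_SEC_KEYTAB or -K; the function names and the constructed placeholder file are assumptions.

```c
#define _XOPEN_SOURCE 700
/* Pre-start permission check for an Open Server principal's DCE keytab
 * (added example, not Sybase code). POSIX only. */
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

enum keytab_status {
    KEYTAB_OK = 0,
    KEYTAB_MISSING,     /* file does not exist or cannot be stat'ed */
    KEYTAB_NOT_REGULAR, /* symlink, directory or device instead of a plain file */
    KEYTAB_WRONG_OWNER, /* not owned by, or not readable by, the server's OS user */
    KEYTAB_TOO_OPEN     /* group or world can read or write it */
};

/* The server's OS user must be able to read the keytab and nobody else
 * should: anyone who can read it can impersonate the server principal. */
enum keytab_status keytab_check(const char *path, uid_t server_uid)
{
    struct stat st;
    if (lstat(path, &st) != 0)                 /* lstat: do not follow symlinks */
        return KEYTAB_MISSING;
    if (!S_ISREG(st.st_mode))
        return KEYTAB_NOT_REGULAR;
    if (st.st_uid != server_uid || !(st.st_mode & S_IRUSR))
        return KEYTAB_WRONG_OWNER;
    if (st.st_mode & (S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH))
        return KEYTAB_TOO_OPEN;
    return KEYTAB_OK;
}

/* Creates a constructed placeholder keytab (no real DCE key material) with
 * the given mode so the check can be exercised. Writes its path to path_out. */
int make_sample_keytab(char *path_out, size_t len, mode_t mode)
{
    char tmpl[] = "/tmp/oskeytabXXXXXX";   /* assumed writable temp dir */
    int fd = mkstemp(tmpl);                 /* created with mode 0600 */
    if (fd < 0) return -1;
    if (write(fd, "placeholder", 11) != 11 || fchmod(fd, mode) != 0) {
        close(fd); unlink(tmpl); return -1;
    }
    close(fd);
    if (strlen(tmpl) >= len) { unlink(tmpl); return -1; }
    strcpy(path_out, tmpl);
    return 0;
}
```

Call keytab_check with the path you intend to pass to the server and getuid() of the account that starts it, and refuse to start unless it returns KEYTAB_OK.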