
Summary of DCE Security Services and Facilities

The DCE Security Service consists of services and facilities. The security services are

· The registry service, which maintains a database of principals, groups, organizations, accounts, and administrative policies.

· The authentication service, which verifies the identity of a principal and issues tickets that the principal uses to access remote services. (A ticket is data about a principal that is presented to the entity providing the service.)

· The privilege service, which certifies a principal's privilege attributes (that is, its name and group memberships, which are represented as UUIDs).

The three security services are implemented in a single daemon, the security server.

The DCE Security Service facilities are

· The login facility, which enables a principal to establish its network identity.

· The extended registry attribute (ERA) facility, which extends the registry database to maintain attribute types and instances.

· The extended privilege attribute (EPA) facility, which provides access to the information in extended privilege attribute certificates (EPACs).

· The ACL facility, which enables a principal's access to an object to be determined by a comparison of the principal's privilege attributes to the object's permissions.

· The key management facility, which enables noninteractive principals (most frequently, servers) to manage their secret keys.

· The ID map facility, which maps cell-relative principal names to global principal names, and global principal names to cell-relative principal names. This facility is used in connection with the transmission of information about principals that are members of different DCE cells.

· The password management facility, which enables principals' passwords to be generated and to be subjected to strength checks beyond those defined in DCE standard policy.

For UNIX system compatibility with DCE, the DCE Security Service also provides implementations of UNIX system C library interfaces to the /etc/passwd and /etc/group files.

More:

Interfaces to the Security Server

Interfaces to the Login Facility

Interfaces to the Extended Registry Attribute Facility

Interfaces to the Extended Privilege Attribute Facility

Interfaces to the Key Management Facility

Interfaces to the ID Map Facility

Interfaces to the Access Control List Facility

DCE Implementations of UNIX System Program Interfaces

Interfaces to the Password Management Facility