
Conference pamsrc::objectbroker

Title: ObjectBroker - BEA Systems' CORBA
Notice: See note 3 for kits; note 5 for training; note 1134 for releases
Moderator: TLE::PARODId
Created: Tue Jul 11 1989
Last Modified: Thu Jun 05 1997
Last Successful Update: Fri Jun 06 1997
Number of topics: 1413
Total number of notes: 6391

1372.0. "questions around DCE Based Security" by EMNTAL::STADELMANN (Sepp @ZUO 760-2609) Tue Feb 18 1997 07:30

    I am about to answer questions for a security project in the area of
    SWIFT, SECOM share settlement and SIC systems.
    Can you help me with some of the following questions by today lunchtime
    (your time)?
    
    a) On what platforms is ObjectBroker available, in particular on what
    platforms are the security services available?
    
    ++> platform availability is known to me;
    for security: we have only Digital UNIX and Windows NT! (is this correct?)
    has anything changed recently (i.e. is ?
    what about OpenVMS?
    
    OpenVMS provides OSF DCE SW as well?
    Why is OpenVMS not supported yet?
    
    (At least I did not read about DCE-Based Security for ObjectBroker on
    OpenVMS.) Even in the OpenVMS SPD we talk about DCE Based Security for
    Digital UNIX and Windows NT.
    
    When is Windows 95 supported?
    
    b) How strong is the security provided by the security package?
       Is it subject to US export restrictions? Algorithms, key length etc.
    
    Here I need your help!
    
    f) How are the security services used from a programming point of view?
     ++> transparent via the ObjectBroker API.
    
    ... how is a security context established?
    ++> using dce_login
    
    ... and how are successive function calls referenced to a particular
    security context?
    ++> transparent via ObjectBroker API
    
    h) Is the GSS-API security part of DCE available separately?
    ++> here I need your advice.
    
    Today's Servers run on OpenVMS, and their Clients run on Windows 3.11
    and Windows 95. Today they come in using X.25 public Networks (TELEPAC)
    using TCP/IP based applications: Telnet for interactive login, FTP for
    File Transfer and LPD for Printing.
    
    Their issue is: we would like to improve the security of this system,
    in particular we would like to introduce a strong authentication scheme
    between the client and the server. The questions we have:
    
    a. What would you propose, would DCE be suitable?
    ++> YES
    b. Does DEC TCP/IP support Secure Telnet (Kerberos)?
    ++> Here I need your advice.
    
    Thanks for any help
    
    Sepp,
1372.1. by SEND::SLAVIN Wed Feb 19 1997 14:13 (24 lines)
Here are some answers:
    
>    a) On what platforms is ObjectBroker available, in particular on what
>    platforms are the security services availabl.

In OBB V2.7 DCE security is tested by Digital on NT and Digital Unix. 
Other GSSAPI security implementations may work. GSSAPI interfaces are 
provided on all OBB systems in V2.7. We have not tested them on these 
platforms.
   
>    b) How strong is the security provided by the security package?
>       Is it subject to US export restrictions? Algorithms. key length etc.

OBB is not export restricted. GSSAPI implementations such as DCE are 
optional layered products. They are export restricted. The GSSAPI or
DCE product is a separate purchase from ObjectBroker.    
    
>    h) is the GSS-API security part of DCE available seperately ?

OBB V2.7 includes GSSAPI and DCE security features. These features are 
integrated into a specific version of OBB and are not separate from OBB. 
The DCE or GSSAPI layered products are separate and are optional from
OBB's point of view. If you do not need DCE or GSSAPI security, then
you do not need to buy the products that implement them. 
1372.2. "what to order if Authentication is an issue?" by EMNTAL::STADELMANN (Sepp @ZUO 760-2609) Thu Feb 20 1997 08:25 (112 lines)
    Thank you very much, (>= 1000 times :-) Mary Ann, for these good
    explanations.
    
    I am currently studying the ObjectBroker Documentation Supplement and
    other notes. However, in the absence of some pictures and diagrams
    explaining the pieces and bits and minimal requirements and design
    entities I have more questions.
    
    Assuming I have the following networked systems all running TCP/IP
    
    The following are all said to be Client Computers
    100 PC Windows 3.11
    100 PC Windows NT 4.0 Workstation
    100 PC Windows 95
    100 WS Digital Unix
    100 WS Digital OpenVMS Satellites (25 per Server Cluster)
    
    The following are all said to be Server Computers
      2 PC Windows NT 4.0 Server
      2 SV Digital Unix
      4 Clusters each 4 SV Digital OpenVMS (Acting as Boot Members 
                                            to the 100 OpenVMS WS)
    
    My goal is to install ObjectBroker Implementation Servers on all
    Server Systems, and my further goal is that each Implementation
    Server requests Authentication based on DCE-Kerberos Authentication.
    
    Also my goal is to order, learn, install, setup and maintain as little
    other SW than ObjectBroker as possible. Basically I do not want to
    maintain an NT, a DCE and an ObjectBroker Domain, so keep it as simple
    as possible.
    
    I want 4 Servers (2 Digital Unix, 2 Windows NT Server and 2 OpenVMS)
    to play the role of DCE Security Servers.
    
    a) What do I have to order on DCE Products to make OBB Authentication
    based on DCE Kerberos Authentication work on all Systems given above?
    
    b) What do I need for each Client System to enable a dce_login?
    
    c) Do I have to install DCE SW Kit components first on all systems and
    bring them into an operational Secure DCE Domain before I can go on and
    install ObjectBroker and enable DCE based Authentication on each system?
    
    If yes: what DCE components do I have to install for each client to
    make authentication of OBB work?
    
    If yes: what DCE components do I have to install on Servers
    Microsoft Windows NT Server, 
    Digital UNIX and 
    Digital OpenVMS
    
    OR
    
    d) Are the Client DCE security Components provided with the ObjectBroker
    2.7 Kit sufficient to a degree which allows putting these Clients, after
    OBB 2.7 is installed, into a DCE Domain and allowing the dce_login to
    work?
    
    OR
    
    e) Do I have to order and install DCE Client SW first in order to
    perform a dce_login and then go and install ObjectBroker?
    
    What are the rules of thumb? 
    
    Note: I want to install as little SW as possible other than ObjectBroker;
    also Customers shall not argue that the overhead in SW, maintenance and
    learning is too big, if an operational DCE Domain has to be installed
    and learned first just to get DCE Kerberos based Authentication to work
    with ObjectBroker. Also they shall not argue that they have to maintain
    two Middleware Networks.
    
    (This is not criticism, it is just for my understanding; Authentication
    and Security both have their price.)
    
    e) Can I install the DCE Security Server on any Server Platform (not
    only on Digital UNIX or Windows NT) for which an OSF DCE product is
    available and have Authentication enabled on all Client Systems using
    ObjectBroker [and DCE Client SW]?
    
    In other words, I can have as few/many DCE security Primary/Backup
    Servers as I want. OBB Authentication is shielded (decoupled)
    sufficiently from Clients that they do not take notice of it, and
    all OBB 2.7 equipped Systems are capable of enabling Authentication by
    DCE Kerberos Security Servers, and are able to establish their
    Authentication Security Context.
    
    What I think would be best is to have the OBB sales and learning tool
    help on such subject matters; also have them assist in planning the
    absolute required minimal DCE installation and setup. Also have them
    give a hint in which order this stuff should be installed, set up and
    put into operation.
    
    Also for my understanding from your answers, 
    
    DCE Security based on Kerberos (or as it ships when a European is
    ordering the OSF DCE Kit for Digital UNIX and Windows NT) IS NOT
    subject to U.S. Export Restrictions for Authentication but is subject
    to U.S. Export Restrictions for Message (Data Package) Encryption.
    
    Also the precise questions from the customer were:
    
    1. How long is the key used for authentication?
    (how strong is Authentication)
    
    2. What algorithms are in use for Authentication?
    
    Sepp,
    
    
1372.3. by RECV::SLAVIN Thu Feb 20 1997 12:31 (66 lines)
Some answers:
    
>    a) What do I have to order on DCE Products to make OBB Authentication
>    based on DCE Kerberos Authentication work on all Systems given above?

You need to pick a single provider of GSSAPI security that works on 
ALL of your desired platforms. It must provide clients and servers 
where you need them. ObjectBroker does not federate between 
different GSSAPI security providers. 
    
>    b) What do I need for each Client System to enable a dce_login ?

Whatever the GSSAPI security provider says you need. 
    
>    c) Do I have to install first on all sytems DCE SW Kit components and
>    bring them into an operational Secure DCE Domain before I can goon and
>    install ObjectBroker and enable on each system DCE based Authentication 
>    
>    if yes: what DCE components do I have to install for each client to
>    make authentication of OBB work.
>    
>    if yes: what DCE components do I have to install on Servers 
>    Microsoft Windows NT Server, 
>    Digital UNIX and 
>    Digital OpenVMS

Again see your GSSAPI provider's installation. I think you need to
have the GSSAPI product installed prior to OBB installation. You also
need to follow the OBB administration rules for setting up a security
provider for GSSAPI. 
    
    
>    d) are Client DCE security Components provided with ObjectBroker 2.7
>    Kit sufficently to a degree which allows to put this Clients after OBB
>    2.7 is installed, into a DCE Domain and allow them for the dce_login to
>    work. 

No we provide NO DCE components. You must purchase DCE or some GSSAPI 
provider separately.
    
    
>    e) do I have to order and install DCE Client SW first in order to
>    perform a dce_login and then go and install ObjectBroker.

Yes. We provide no DCE or GSSAPI security implementation, only the 
hooks to it.
    
>    Note: I want to install as less SW as possible other then ObjectBroker;
>    also Customers shall not arg, that the overhead on SW, maintenance and
>    learning is too big, if an operational DCE Domain has to be installed,
>    and learned first just to get DCE Kerberos based Authentication work
>    with Objectbroker. Also they shall not arg that the have to maintain to
>    Middleware Networks. 

You must install the GSSAPI provider as described by its own 
installation and you must be able to administer its domain, as well 
as ObjectBroker and any operating system domains such as NT.

>    e) Can I install the DCE Security Server on any Server Platform (not
>    only on Digital UNIX or Windows NT) for which a OSF DCE product is
>    available and have on all Cleint Systems using ObjectBroker [and DCE
>    Client SW], Authentication enabled?

You need the GSSAPI product on all platforms from which OBB will use it.
    
1372.4. "more help required." by EMNTAL::STADELMANN (Sepp @ZUO 760-2609) Thu Feb 20 1997 16:16 (23 lines)
    Thanks Mary Ann
    
    Who can be a bit more concrete or lead me to a practical example?
    "GSSAPI security provider" is too abstract. What is it? What does it
    propose to order given my system scenario in .-2?
    
    I have to propose to a customer, who is asking me what he has to order
    from Digital in SW required to make DCE based Authentication work for OBB.
    
    I am interested to know the minimal parts of DCE I have to order from
    DEC to make my scenario work. Also, if it does not work using DEC SW
    (missing SW to satisfy my scenario), what do you propose then? Which
    vendor, such as Gradient or CyberSafe, can make my environment work? I.e.
    CyberSafe does not provide for Windows 95 and not for OpenVMS WS/SV;
    also only NT 3.5 is mentioned but not NT 4.0 and not Digital UNIX.
    
    The scenario I mentioned IS an example of OUR INSTALLED BASE CUSTOMERS.
    
    Unfortunately it does not match with CyberSafe and probably not with
    what DEC can provide. So is there a chance to set up this environment
    and make it work?
    
    Sepp,
1372.5. by SEND::SLAVIN Thu Feb 20 1997 19:17 (6 lines)
A GSSAPI security provider is some product like DCE from some vendor,
or Cybersafe, or other product that implements to the OSF GSSAPI
standard. We have been working with Cybersafe, and have not been able
to get it working with ObjectBroker yet. We are working with their
Beta code, so what we have is not on the market yet. I do not know if
any vendor has security that matches your platform requirements. 
1372.6. by LEMAN::DONALDSON (Froggisattva! Froggisattva!) Mon Feb 24 1997 05:40 (9 lines)
Sepp, 

another source of info would be Jean-Paul Gaschen who I know
installed and demonstrated OBB+DCE Security for Swiss PTT.

(He had a tough time, by the way, and if you know
J-P that will tell you something!).

John D.
1372.7. "no details yet ?" by EMNTAL::STADELMANN (Sepp @ZUO 760-2609) Mon Feb 24 1997 07:02 (24 lines)
    John,
    
    Meanwhile, with the same hope, I had several discussions with Jean-Paul
    Gaschen. Most he could tell me was that Telecom had already set up an
    OSF DCE from Gradient before. Unfortunately this did not work with
    OBB 2.6, and as Telecom was unwilling to wait for OBB 2.7, they
    ordered an OSF DCE kit from Digital for Digital UNIX and Windows NT. JP
    could not say what GSSAPI security provider components Telecom had
    installed as a minimum; so I am back at the guessing level (until I
    set up my own OSF DCE Domain first (lots of planning and work))
    or until I go and ask Telecom as my primary support contact / backup, as
    it seems to be impossible to get a clear answer from OBB folks on
    these subject matters. (Also the OBB SPD does not give some details now
    and I am about to propose to a customer what they would have to order.)
    
    All I want to know is:
    
    What are the minimal components to be installed from the Digital OSF DCE
    kit to use OBB and DCE based Authentication, given I have a networked
    platform scenario as stated in my previous note?
    
    Sepp,
    
    
1372.8. by RECV::SLAVIN Mon Feb 24 1997 13:17 (7 lines)
>    What are the minimal componets to be installed from the Digital OSF DCE
>    kit to use OBB and DCE based Authentication, given I have a networked
>    platform scenario as stated in my previous note.
    
The SPD tells you what version of OSF DCE to order. Order that and 
install it.

1372.9. "DCE components required for OBB Authentication" by EMNTAL::STADELMANN (Sepp @ZUO 760-2609) Tue Feb 25 1997 07:15 (44 lines)
    Thank you Mary Ann,

    Meanwhile I found a partner explaining what I need; here is the extract.

    If a DCE Cell is not set up .... then

    Set up a DCE Cell; install on at least one Server Node the following:
    a) DCE Security Server
    b) DCE Cell Directory Server
    c) DCE Run Time Service

    install on each Client Node
    c) DCE Run Time Service

    DCE Run Time Service brings you threads, RPC, CDS-Advertiser and Security
    Client. BTW: this is the minimum one needs for Authentication.

    You can start with ObjectBroker first and then install DCE, or you
    install ObjectBroker into an existing DCE environment and then set up and
    activate DCE based Authentication for ObjectBroker.

    The following Digital OSF DCE products are available per SPDs:
    Digital OSF DCE 2.0.a for Digital UNIX
    Digital OSF DCE 1.1.c for Microsoft Windows NT
    Digital OSF DCE 1.0   for Microsoft Windows 95
    Digital OSF DCE 1.4   for Digital Open VMS AXP & VAX

    based on OSF DCE standard 1.0.3

    Each kit above provides a GSSAPI, but only UNIX and Windows NT were
    tested, and are supported by ObjectBroker Engineering.

    Digital OSF DCE products interoperate to a much better degree than our
    current ORBs. I.e. with Gradient: one can have a DCE Security Master
    Server installed on an IBM and run its Security Server Replica on Digital
    UNIX. This was verified and works.

    If other vendors' DCE Security Clients provide a GSSAPI interface it is
    to be tested whether ObjectBroker Authentication will work.

    (Anything wrong with that?)

    Sepp, 
    
1372.10. by RECV::SLAVIN Tue Feb 25 1997 12:10 (6 lines)
>    If other vendors DCE Security Client provide a GSSAPI interface it is
>    to be tested that ObjectBroker Authentication will work.

I am not sure if this is a question as to whether ObjectBroker is planning 
to do this testing with other DCE Security clients. The answer is NO,
ObjectBroker is not planning to do such testing at this time.
1372.11. "how to conduct GSSAPI verification" by EMNTAL::STADELMANN (Sepp @ZUO 760-2609) Tue Feb 25 1997 13:23 (10 lines)
    To be precise: 
    
    If a third-party vendor's DCE Security Client provides a GSSAPI then
    this is subject to verification and testing. The question is: will
    ObjectBroker Engineering do it? As I understand .-1 the answer is NO.
    
    In this case it would be nice if the field got an idea from OBB
    Engineering about how to conduct such a verification and test.
    
    Sepp,