DCE?

Short for Distributed Computing Environment, a suite of technology services developed by The Open Group for creating distributed applications that run on different platforms. DCE services include:

  • Remote Procedure Calls (RPC)
  • Security Service
  • Directory Service
  • Time Service
  • Threads Service
  • Distributed File Service

DCE is a popular choice for very large systems that require robust security and fault tolerance.


    The OSF Distributed Computing Environment (DCE) is a key technology in three of today's most important areas of computing: security, the World Wide Web, and distributed objects. It is the only suite of integrated services from a vendor-neutral source that enables organizations to develop, use, and maintain distributed applications across heterogeneous networks.

    DCE comprises services that reside on top of the operating system, forming middleware that allows organizations to distribute processing and data across the enterprise. Middleware such as DCE insulates developers from the complexities of the underlying network and its transport mechanisms, and provides an environment that allows key services (such as security and naming) to be integrated into distributed applications.

    Because DCE is independent of the operating system and network, it enables interaction between clients and servers in virtually any type of environment an organization may have in place.

    DCE Release 1.2.2 builds on the Release 1.2.1 improvements in ease of programming, integration with other computing environments, distributed file system (DFS), and administration.

    The primary goal for DCE Release 1.2.2 is to enhance DCE's widely acclaimed security services and to provide improvements in manageability, fault-tolerance, performance, and scalability for DFS and other services.

    DCE is available for virtually all major computer platforms, including UNIX, MVS, Windows, Windows NT, VMS, OS/2, and Macintosh.

    Security

    Public Key Support

    • DCE 1.2.2 allows public key technology (such as that from RSA, or smart cards) to be used to support login. With this technology, the security server need not store the long-term key (or password) for a principal (a user, server, printer, or other network object which can communicate securely with another such object). The key, therefore, will remain undisclosed should the security server be compromised.
    • Administrators have the flexibility to specify that some principals may use the pre-DCE 1.2.2 mechanisms, while others have access to the public key mechanism. DCE 1.2.2 will retain full interoperability with previous DCE releases.
    • In DCE 1.2.2, a new pre-authentication protocol is used. At login, public key users will receive credentials that allow them to use the current Kerberos-based DCE authentication mechanism. The login client need not determine whether a given user is public-key-capable prior to requesting credentials. To facilitate transition, a new "keystore server" stores private keys for users or sites without access to hardware-based cryptographic tokens, secure filesystem storage, and so on.
    • A new certification API also is provided. This facility handles the mapping of a principal name to a public key, allowing programmers to hide the details of their own certificate authority access methods and trust model. By letting developers "plug in" their own policy and storage modules, this facility continues the DCE practice of providing a widespread foundation without dictating a single-use model.

    Kerberos Version 5 Support

    The authentication portion of the DCE Security Service is based on Version 5 (V5) of the Massachusetts Institute of Technology (MIT) Kerberos authentication and key distribution service. With previous releases of DCE, Kerberos V5 applications running either on DCE or non-DCE platforms have been able to use the DCE Security Service as a Kerberos server. DCE Release 1.2.2 adds testing and official support for this capability.

    In addition, DCE Release 1.2.2 includes implementations of the network utilities rlogin and rsh, which use the DCE Kerberos facilities to avoid exposing passwords on a network.

    User-to-User Authentication

    In DCE Release 1.2.2, the user-to-user authentication facility provides an alternate Ticket Granting Service (TGS) protocol as defined in Internet Engineering Task Force (IETF) RFC 1510 (Kerberos V5). It offers server applications the same sort of insulation from a principal's long-term key that is available for client applications. In particular, it is possible to direct a protected remote procedure call (RPC) to a program that has only a login context, and no key table (file) or other access to a long-term key.
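
    The user-to-user exchange described above, as an added Python sketch that is not DCE code: the service ticket is sealed under the session key of the server's own ticket-granting ticket, so the server program never needs a long-term key. The seal/unseal helpers are a toy construction standing in for Kerberos encryption, and the KDC class, principal names and keys are assumptions made for the illustration.

```python
# Added illustration of the RFC 1510 user-to-user (ENC-TKT-IN-SKEY) flow; not DCE code.
# seal/unseal are a toy SHA-256 keystream + HMAC, standing in for Kerberos encryption.
# Principal names and keys are constructed; pre-authentication and authenticators omitted.
import hashlib, hmac, json, os

def _stream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

class KDC:
    def __init__(self):
        self.tgs_key = os.urandom(32)  # ticket-granting key, known only to the KDC

    def issue_tgt(self, principal):
        # Login: returns (TGT sealed under tgs_key, TGT session key for the principal).
        skey = os.urandom(32)
        return seal(self.tgs_key, {"principal": principal, "skey": skey.hex()}), skey

    def u2u_ticket(self, client_tgt, server_tgt):
        # Alternate TGS request: the service ticket is sealed under the session key
        # found inside the server's TGT, not under any long-term server key.
        client, server = unseal(self.tgs_key, client_tgt), unseal(self.tgs_key, server_tgt)
        svc_key = os.urandom(32).hex()
        ticket = seal(bytes.fromhex(server["skey"]),
                      {"client": client["principal"], "skey": svc_key})
        return ticket, seal(bytes.fromhex(client["skey"]), {"skey": svc_key})

def run_exchange():
    kdc = KDC()
    alice_tgt, alice_skey = kdc.issue_tgt("alice")
    # The server program holds only a login context (TGT + session key), no key table.
    bob_tgt, bob_skey = kdc.issue_tgt("bob")
    # alice obtains bob's TGT from bob's program, then sends both TGTs to the TGS.
    ticket, reply = kdc.u2u_ticket(alice_tgt, bob_tgt)
    seen = unseal(bob_skey, ticket)  # bob opens the ticket with his TGT session key
    return seen["client"], seen["skey"] == unseal(alice_skey, reply)["skey"]
```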

    Global Groups

    DCE 1.2.2 will allow principals from a foreign cell to be added to groups in the local cell. For example, suppose a user in a DCE cell (the foreign cell) needs to cooperate with a group of users in a different cell (at the same or a different location). The user in the foreign cell can have his or her identity added to the group in the other cell, automatically allowing the user to assume the same access privileges as the group members with whom the user is working. This new feature should ease enterprise-wide security administration, cell reconfiguration, and other management tasks.

    Scalability Improvements

    Changes made to the DCE Security Server deliver considerable performance improvements when servicing large cells (those with more than 50,000 principals). These changes include documenting the configurable checkpoint interval and partitioning internal datasets so that the amount of data written to disk during a checkpoint is proportional to the amount of data modified.

    In addition, DCE 1.2.2 has addressed bottlenecks and areas of excess resource consumption.

    Distributed File System (DFS)

    Use of protected RPC

    New administrative controls allow administrators to distinguish same-cell communication from inter-cell communication. As a result, a DFS Cache Manager can implement one set of RPC protection rules for intra-cell use (presumably protected behind a network firewall), while using another set for data-sharing outside the cell. Command line arguments and management clients enable administrators to achieve the right balance between protection and computational overhead. All architectural uses of unauthenticated RPCs have been eliminated.

    DFS Server Multi-Home Support

    DCE 1.2.2 has enhanced the DFS services to perform better on hosts connected through multiple interfaces to multiple networks ("multi-homed" hosts). This enhancement enables the DFS server to route its responses more efficiently when running on such machines. The DCE 1.2.2 version of DFS also gains fault-tolerance by handling network failures as transparently as possible on a multi-homed host.

    64-Bit Filesystem Support

    DCE DFS 1.2.2 now supports 64-bit files and filesystems while maintaining interoperability with 32-bit machines and systems.

    Ease of Programming

    Thread-Free RPC

    Developers often use third-party packages that are not thread-aware, resulting in applications that cannot take advantage of DCE threads. A thread-free version of DCE RPC increases software reuse by making it substantially easier for non-threaded applications to be adapted to DCE.

    Documentation

    SGML Documentation

    SGML is an industry standard for representing documentation that is intended to be viewed in a variety of formats, encompassing printed matter and on-line "hypertext" viewing. In DCE 1.2.2 all documentation is available as SGML source, using the DocBook Document Type Definition.

    DCE Release 1.2.1 New Features

    Ease of Programming

    Interface Definition Language (IDL) Support for C++ -- enables C++ developers to write client and server programs that utilize DCE RPC in a highly transparent manner using natural C++ constructs. The IDL has been extended to support C++ features such as inheritance and object references.

    Integration with Other Computing Environments

    ONC Co-existence -- enhances the secure NFS protocol gateway of DCE Release 1.1 with support for the DFS host-specific (@HOST) and architecture-specific (@SYS) file naming features. With DCE 1.2.1, NFS inherits the DFS benefits of machine-independent file names, making scripts and configuration files more portable.

    Netware Co-existence -- provides file sharing services and administrative aids that allow Netware 3.X users to have a single identity and access to the DCE file system, DFS.

    Improved Distributed File System (DFS)

    Optimized Token Manager -- decreases the memory requirements and improves the performance and reliability of DFS.

    DFS Server Preferences -- enables administrators to identify server preferences on a per-fileset basis. Default preferences are based on IP subnet numbers. DFS clients now can make intelligent choices about which servers to use for different filesets, enhancing the performance and scalability of DFS in a wide area network (WAN).

    Vnode/VM Management -- enables DFS to perform significantly better as the system is subjected to higher levels of stress.

    Replication Enhancements -- improve the DFS replication implementation to achieve greater reliability and better performance.

    Bulk Status RPC -- supports more efficient directory browsing by fetching the status of up to 32 files in one RPC, as opposed to fetching the status one file per RPC.

    Enhanced Backup Utility -- supports unattended backup of large DFS file systems using stackers and jukeboxes.

    DCE Administration Enhancements

    DCECP (Distributed Computing Environment Control Program) Enhancements -- build on the Release 1.1 dcecp by completing administrative functions and adding useful extensions.

    Reference Platforms

    The OSF-supported reference platform for DCE Release 1.2.2 is the IBM RS/6000 running AIX 3.2.5. Release 1.2.2 development also was performed on Hewlett Packard HP-UX, Digital UNIX, Sun Solaris, and Hitachi Flora (PC compatible with Netware 3.12) platforms.

    © 1996 The Open Group.
    All rights reserved.
    OSF/1, OSF/Motif and Motif are registered trademarks, and OSF and the OSF logo are trademarks of The Open Group, Inc. All other trademarks and registered trademarks mentioned herein are the property of their respective owners.

    Permission is granted to reproduce any portion of the text or graphic images of this document provided that you prominently display both the copyright notice listed above and the following acknowledgment: Portions of this document have been reproduced with the permission of the copyright owner The Open Group