HP Visualize B132L Workstation - Interoperable Security for HP-UX - Page 6
Integration of Windows NT Security into the UNIX Environment

Security paradigms need to be consistent between Windows NT and UNIX to help keep the total cost of ownership down. However, this requires a centralized approach to security administration that is pervasive across many systems. There are two fundamental security building blocks that are available (or soon will be) on UNIX and Windows NT. These building blocks are DCE and Kerberos.

Today, the DCE implementation on Windows NT does not allow a DCE client to use security when making a request to a Microsoft RPC server. If DCE encrypts part of the RPC, the Windows NT server cannot decrypt the RPC information. Therefore, for this scenario to work, the client side must not use DCE security. On the other hand, a Microsoft RPC client can effectively communicate with a secure UNIX DCE server. Using minimal security, the objects are accessible through the DCE server from a Microsoft RPC client. The Microsoft RPC calls do not contain identification information, however, so the DCE server must treat them as unauthenticated requests. These requests can be handled with the use of DCE's Cell Directory Service (CDS) and the use of ACLs within the CDS.

The Kerberos method of authentication utilizes a central database of information about users. When a user logs on, a security ticket is requested from a local server (the ticket-granting server of the realm). Realms (administrative domains) in Kerberos can register with other realms, so a user can be authenticated by a remote security server using the Kerberos protocol. The Kerberos protocols on Windows NT and UNIX servers should then be able to authenticate each other's users. However, Kerberos does not authorize users to use system resources. The system must still provide an authorization scheme, such as an ACL or a SID (Security IDentifier), to allow access to resources.
For example, a UNIX user could be authorized to log onto a Windows NT domain, or vice versa. The user's authorization level, however, would be that of a "Guest". This means that user access levels would still need to be maintained separately on Windows NT and UNIX.

02/04/00 HP VISUALIZE WORKSTATIONS 5
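The authentication/authorization split described above, modelled as a small ACL evaluator. This is an added illustrative example, not HP's or DCE's code: it borrows the DCE ACL entry vocabulary (user, group, foreign_user, foreign_other, any_other, unauthenticated) and simplifies the real DCE matching rules; the cell names and principals are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Optional, FrozenSet, Dict

# Canonical permission order used when combining group entries.
PERM_ORDER = "rwc"  # read, write, control


@dataclass(frozen=True)
class Principal:
    """Identity as established (or not) by DCE/Kerberos authentication."""
    name: Optional[str]            # None for a request with no identity (e.g. plain MS RPC)
    cell: Optional[str] = None     # realm/cell that authenticated the user, if any
    groups: FrozenSet[str] = frozenset()


@dataclass
class Acl:
    """Simplified DCE-style ACL on one CDS object (assumed model, not the real library)."""
    cell: str                                        # cell that owns the object
    user: Dict[str, str] = field(default_factory=dict)          # local user -> perms
    group: Dict[str, str] = field(default_factory=dict)         # local group -> perms
    foreign_user: Dict[str, str] = field(default_factory=dict)  # "cell/user" -> perms
    foreign_other: str = ""    # any authenticated user from another cell (the "Guest" level)
    any_other: str = ""        # any authenticated user not matched above
    unauthenticated: str = ""  # mask ANDed with what an unauthenticated request would get


def effective_perms(acl: Acl, p: Principal) -> str:
    """Return the permissions the principal holds on the object guarded by acl."""
    if p.name is None:
        # Authentication produced no identity: the server treats the request as
        # unauthenticated and grants only what the unauthenticated mask allows.
        return "".join(c for c in acl.any_other if c in acl.unauthenticated)
    if p.cell == acl.cell:
        # Local principal: explicit user entry first, then the union of group entries.
        if p.name in acl.user:
            return acl.user[p.name]
        granted = set()
        for g in p.groups:
            granted.update(acl.group.get(g, ""))
        if granted:
            return "".join(c for c in PERM_ORDER if c in granted)
        return acl.any_other
    # Authenticated by another realm/cell: Kerberos vouches for the identity, but
    # authorization is decided here, normally at a guest-style level.
    key = f"{p.cell}/{p.name}"
    if key in acl.foreign_user:
        return acl.foreign_user[key]
    return acl.foreign_other or acl.any_other
```

The cross-realm user is authenticated but still lands on the foreign_other entry, which is the "Guest" situation the text describes; an ACL without an unauthenticated entry grants an unauthenticated MS RPC request nothing at all.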