On May 9th, 1996 the DCE Users Group of Michigan met at the University of Michigan's Center for Information Technology Integration (CITI). The meeting was sponsored by the "Client/Server Exchange", A joint partnership of IBM and the University of Michigan promoting open, client/server computing.

Hosting the meeting was Janani Janakiraman of UofM/CITI. Bob Brandt of the Ford Motor Company kept the minutes.

The agenda of the meeting was as follows:

Al Johnson, Chrysler was one of the attendees of the DCE User and Developer Conference held in San Jose in April, here are the minutes he took.

DUGM Minutes dugm-request@umich.edu

Next Meeting: July 11th
Need to find somebody to represent the "Introduction to Java" talk.
- "Introduction to Java"
- "DCE, Java, and Transarc's Web Strategy"

Secure Single-Signon with DCE"
Mike Crane
DCE Brand Mgmt.
- NetSP product handled logging into MVS through 3270. They have
migrated to supporting a DCE product.

Distributed Security issues
- cross platform security model needed
- inconsistent incompatible security providers
- users require multiple IDs and PWs
- no centralized security registry/repository
- multiple administrators

Ideal security structure
secure single signon (auth)
- single point of admin
- applications and OS's use common auth mech
- integrates/interoperates with existing systems
frameworks for easy extension/ customization
- works across priv/pub network
- provide audit capabilities

DCE and the Open BluePrint

What is secured Single SignOn (SSO)?
- integration of various mechanisms which provides authentication of
userids and paswords
- provides SSO for desktop client workstations

SSO Approaches
- standardize on single security mech
- federate security mech with

DCE+ security applications from IBM

DCE+RACF interoperability
- functions: identity mapping, single authentication, security database
cross-linking utilities
- LANserver 4.0a w/ DCE dir & sec - uses DCE Regisry ERAs
- Can use ERAs but doesn't require them
- Application support for CICS & IMS

Identity mapping:
- Computer Associates has recently announced a similar product
- Requires Open Edition MVS 5.2

Why not integrate DCE into MVS?
Because corporations may want to retain control of RACF abilities. DCE
Security server is available if you don't need RACF integration.

Single Authentication:
if RACF auth'd: performs dce_login if the need for credentials occurs
if DCE auth'd: will perform the RACF login for the user

Registry Relationships
principals rgy entry
- Uses an MVS User's User Profile
- DCE Segment: dce, principal, cell's uuid, principals uuid, principals
- DCE UUIDS Profile
-dce's uuid

Tool to sync passwords between RACF and DCE?
- manual commands

Does the security server have to be on IBM?
- Can be anywhere as long as it's DCE 1.1

DB2 announced support for GSSPAI, CICS has plans to support
single GUI login to do a single login that will do necessary logins
under the covers

3270 session will be DCE rpc?
- pass ticket technology relies on HLLAPI interface (screen scraping)

Does the future hold integrated technology instead of screen
scraping (telnet ftp rsh 3270)?
- Yes

1. User does network login, has icons representing apps that are
available. This does a dce login.
2. Client speaks with a DCE-based login server, this gets ERAs from DCE
server, then gives LAN and host info to client.
3. Login server communicates with target machines
#The technology logs you into all hosts that you are able to when you
get network credentials. Issue of having 2-user license for host and
how 100 users would impact that.
Speaker will investigate.
- Uses DCE group membership to determine access.

Authentication Coordinator
login program - authentication framework (uses PAM)
Utilities (PSM) : Authentication Mgr
Gives ability to plug other modules such as DCE client, public key,
other public key including smart card
The auth mgr does this and then talks with the logon coordinator.

This module may have the ability to provide for multiple modules for
authent. Both DCE and smart card.

IBM can now resell Open Horizon products.
Looking at year-end target for this solution. DCE services group will
consult to provide SSO today.
Platforms - looking at supporting windows 95 and NT and OS/2, AIX-
client. targets - MVS, ACF2 (passticket) netware 3.x/4.x, lanserver
3.x/4.x, AIX (looking at Notes integration through publickey)

Does DB2 integrate with DCE?
- Possibly some future, DRDA access support

Tivoli for admin explanation?
- IBM had a product called DSM on MVS that create users, modify
registries, RACF IDs, etc. That functionality will be rolled into the
TME framework.

Platforms other then IBM?
- First release will be Windows/OS/2 (client). Requests for other unix
may come in the future.

DCE registry is focal signon piece, passwd strength?
- Will see shortly

Any plans to be more intelligent about logging into all hosts?
- Will allow users to define what hosts to login to in future.

Will password synchronization be supported?
- Probably in future but not right away.

Use of ERAs breaks cell-to-cell. How does this get addressed in the
- Will look into.

Craig Demeris
Open Horizons

The clients, servers, and DBs are constantly changing. C/S use to mean
database access. Now it is more requestor to service.

Missing Benefits of Mainframe
-reason that 90% of corporate data is on mainframe is because the
mainframes can provide these services. As these are available
elsewhere, the data will move off.

Connection: Benefits of Both
They are middleware as a product
View the network as one logical computer. Once logged into an use any

DCE Users Group of Michigan (DUGM)
Janani Janakiraman
Revised: 08/29/96
URL: http://www.citi.umich.edu/dugm