Front cover -- Contents -- Tables -- Figures -- Notices -- Trademarks -- Preface -- The team that wrote this redbook -- Become a published author -- Comments welcome -- Part 1 Description of the DCE replacement strategies -- Chapter 1. DCE review -- 1.1 Defining DCE -- 1.2 Who uses DCE -- 1.3 What DCE does -- 1.3.1 Threads -- 1.3.2 RPC -- 1.3.3 Security core -- 1.3.4 GSS-API -- 1.3.5 Directory -- 1.3.6 Time -- 1.3.7 Cross component -- 1.4 The DCE environment -- 1.5 Application dependencies on DCE -- 1.5.1 Direct dependencies -- 1.5.2 Indirect dependencies -- 1.5.3 No dependencies -- 1.6 Summary of DCE review -- Chapter 2. Replacement technologies -- 2.1 Criteria for selecting the technologies -- 2.1.1 Compliance with industry standards -- 2.1.2 Coverage of predominant DCE services -- 2.1.3 Ease of migration -- 2.1.4 Similarity to DCE services -- 2.1.5 Technologies considered strategic -- 2.1.6 Support of predominant platforms -- 2.1.7 Support of predominant programming languages -- 2.1.8 Availability of IBM implementations -- 2.2 Technologies for C/C++ applications -- 2.2.1 aznAPI -- 2.2.2 CORBA -- 2.2.3 DCE RPC -- 2.2.4 DCE UUID -- 2.2.5 Kerberos -- 2.2.6 LDAP -- 2.2.7 Network Time Protocol -- 2.2.8 Platform auditing -- 2.2.9 Platform logging and messaging -- 2.2.10 POSIX 1003.1c threads -- 2.2.11 Web services -- 2.3 Technologies for Java applications -- 2.3.1 J2EE application environment -- 2.3.2 Standards for the J2EE -- 2.3.3 DCE services that can be replaced by J2EE -- 2.3.4 IBM implementation of J2EE: WebSphere Application Server -- 2.3.5 Additional information on IBM WebSphere Application Server -- 2.4 Summary -- Chapter 3. Replacement strategies -- 3.1 Replacement strategies for C/C++ applications -- 3.1.1 Auditing -- 3.1.2 Authentication -- 3.1.3 Authorization, PAC, and UUID -- 3.1.4 Backing store -- 3.1.5 Configuration.

3.1.6 Delegation, GSS-API, and login -- 3.1.7 Directory -- 3.1.8 Extended Registry Attributes -- 3.1.9 Event management -- 3.1.10 GSS-API -- 3.1.11 Host management -- 3.1.12 Integrated login -- 3.1.13 Login -- 3.1.14 Messaging -- 3.1.15 PAC -- 3.1.16 Password strength -- 3.1.17 Protection -- 3.1.18 Registry -- 3.1.19 RPC services -- 3.1.20 Serviceability -- 3.1.21 Threads -- 3.1.22 Time -- 3.1.23 UUID -- 3.2 Replacement strategy for Java applications -- 3.2.1 Determining a new architecture -- 3.2.2 Revising the application environment for the new architecture -- 3.2.3 Rewriting the DCE applications to the new architecture -- 3.3 Replacement strategies for mixed applications -- 3.3.1 CORBA interoperability -- 3.3.2 Java Native Interface -- 3.3.3 JCA and JNI -- Chapter 4. Using DCE data with IBM Network Authentication Service -- 4.1 Introduction -- 4.2 Migrating DCE data to an LDAP directory -- 4.3 Configuring IBM Network Authentication Service -- 4.4 Managing the data in a shared environment -- 4.5 Removing DCE-specific data -- 4.6 Details about shared data -- 4.7 Details about non-shared data -- Chapter 5. Using DCE objects with IBM Tivoli Access Manager -- 5.1 Introduction -- 5.2 Data representation -- 5.3 Configuration scenarios -- 5.3.1 Scenario 1 -- 5.3.2 Scenario 2 -- 5.3.3 Scenario 3 -- 5.4 Managing objects in a shared environment -- 5.4.1 Creating a user with IBM Tivoli Access Manager -- 5.4.2 Creating a group with IBM Tivoli Access Manager -- 5.4.3 Adding a member to a group using IBM Tivoli Access Manager -- 5.4.4 Deleting a user using IBM Tivoli Access Manager -- 5.4.5 Deleting a group using IBM Tivoli Access Manager -- 5.4.6 Removing a member from an IBM Tivoli Access Manager group -- 5.4.7 Creating a principal with DCE -- 5.4.8 Creating a DCE group -- 5.4.9 Adding a member to a group using DCE -- 5.4.10 Deleting a user using DCE.

5.4.11 Deleting a group using DCE commands -- 5.4.12 Removing a member from a group with DCE commands -- 5.4.13 Sharing policies -- 5.4.14 Attaching a DCE policy -- 5.4.15 Deleting a shared DCE policy -- Chapter 6. Binary structure of DCE ERA data in LDAP -- 6.1 Recap: The DCE to LDAP migration process -- 6.2 Reading binary DCE ERA data in LDAP -- Part 2 Replacement sample scenarios -- Chapter 7. Common replacement considerations -- 7.1 How to read the example scenarios -- 7.2 Common assumptions in the sample scenarios -- 7.3 Simplifications in the sample scenarios -- 7.4 Security considerations -- 7.5 Performance considerations -- 7.6 Using an LDAP directory -- 7.6.1 LDAP security considerations -- 7.6.2 Availability and performance considerations -- 7.7 SSL implementation hints -- 7.7.1 SSL and TLS overview -- 7.7.2 Uses of SSL -- 7.7.3 Using SSL in the replacement scenarios -- 7.7.4 IBM GSKit -- 7.7.5 Authentication with certificates -- 7.7.6 Using self-signed certificates -- 7.7.7 Using certificates from a Certificate Authority (CA) -- 7.7.8 Additional hints and considerations -- Chapter 8. Scenario 1: GSS-API application -- 8.1 Scenario description -- 8.1.1 Initial application with DCE dependencies -- 8.1.2 Revised application without DCE dependencies -- 8.2 DCE application -- 8.2.1 Configuring and running the DCE application -- 8.2.2 Application client -- 8.2.3 Application server -- 8.3 Replacement roadmap -- 8.3.1 Software requirements -- 8.3.2 Migration of DCE security registry to IBM Directory Server -- 8.3.3 Configuring IBM Network Authentication Service -- 8.3.4 Configuring IBM Tivoli Access Manager -- 8.3.5 Configuring the Windows Kerberos client -- 8.3.6 Revising the application -- 8.3.7 Cleaning up the DCE related information in the IBM Directory -- 8.4 Revised application discussion.

8.4.1 Configuring and running the revised application -- 8.4.2 Application client -- 8.4.3 Application server -- 8.5 Administration considerations and interfaces -- 8.5.1 Administration during the migration process -- 8.5.2 Administration after the migration process -- 8.5.3 IBM Network Authentication Service administration interface -- 8.5.4 IBM Tivoli Access Manager administration interface -- 8.6 Discussion and conclusions -- Chapter 9. Scenario 2: Non-secure RPC application -- 9.1 Scenario description -- 9.1.1 Initial application with DCE dependencies -- 9.1.2 Revised application without DCE dependencies -- 9.2 DCE application -- 9.2.1 Configuring and running the DCE application -- 9.2.2 Application client -- 9.2.3 Application server -- 9.3 Replacement roadmap -- 9.3.1 Software requirements -- 9.3.2 Installing and configuring WebSphere Application Server -- 9.3.3 Revising the application -- 9.3.4 Removing DCE -- 9.4 Revised application discussion -- 9.4.1 Building, configuring, and running the revised application -- 9.4.2 CORBA IDL file -- 9.4.3 Application client -- 9.4.4 Application server -- 9.5 Administration considerations and interfaces -- 9.6 Discussion and conclusions -- Chapter 10. Scenario 3: Secure RPC application #1 -- 10.1 Scenario description -- 10.1.1 Initial application with DCE dependencies -- 10.1.2 Revised application without DCE dependencies -- 10.2 DCE application -- 10.2.1 Configuring and running the DCE application -- 10.2.2 Application interface definition -- 10.2.3 Application client -- 10.2.4 Application server -- 10.3 Replacement roadmap -- 10.3.1 Software requirements -- 10.3.2 Installing and configuring IBM WebSphere Application Server -- 10.3.3 Configuring WebSphere Application Server security -- 10.3.4 Configuring the application client -- 10.3.5 Developing the application -- 10.3.6 Configuring IBM Directory Server.

10.3.7 Assembling the scenario application -- 10.3.8 Deploying and starting the application -- 10.3.9 Running the application client -- 10.4 Revised application discussion -- 10.4.1 Enterprise bean wrappers -- 10.4.2 CORBA IDL file -- 10.4.3 Application client -- 10.4.4 Application server -- 10.4.5 Java Native Interface -- 10.4.6 J2EE Connector Architecture -- 10.5 Administration considerations and interfaces -- 10.6 Discussion and conclusions -- Chapter 11. Scenario 4: Secure RPC application #2 -- 11.1 Scenario description -- 11.1.1 Initial application with DCE dependencies -- 11.1.2 Revised application without DCE dependencies -- 11.2 DCE application -- 11.3 Replacement roadmap -- 11.3.1 Software requirements -- 11.3.2 Installing and configuring IBM WebSphere Application Server -- 11.3.3 Configuring WebSphere Application Server security -- 11.3.4 Configuring the application client -- 11.3.5 Developing the application -- 11.3.6 Configuring IBM Directory Server -- 11.3.7 Assembling the scenario application -- 11.3.8 Deploying and starting the application -- 11.3.9 Running the application client -- 11.4 Revised application discussion -- 11.4.1 Application client -- 11.4.2 Application server -- 11.5 Administration considerations and interfaces -- 11.6 Discussion and conclusions -- Part 3 Appendixes -- Appendix A. Scenario 1: Source code listings -- Application with DCE dependencies -- Makefile for application client -- Makefile for application server -- DCE dependent application client -- DCE dependent application server -- Authorization module with DCE dependencies -- Utility source of the DCE dependent application -- Header file for utility source -- Revised application without DCE dependencies -- Makefile for application client -- Makefile for application server -- Revised application client -- Revised application server.

Authorization module using aznAPI.