IBM Hub/Switch 2.8.4 Security Policy, 2.8.4.1 Client API, 2.8.4.2 Non-DCE Client API

Chapter 2 HPSS Planning

HPSS Installation Guide September 2002 87

Release 4.5, Revision 2

Ifa user has their default account index encoded in a string of the form AA=<default-acct-idx> in

theirDCE account's gecos field or in their DCE principal's HPSS.gecos extended registry attribute

(ERA),then Site-style accounting will be used for them. Otherwise it will be assumed that they are

using UNIX-style accounting.

To keep the accounting information consistent, it is important for this reason to set up all users in

theDCE registry with the same style of accounting (i.e. they should all have the AA= string in their

HPSSsoftware uses these services to determine the caller identity and credentials. Server security

configuration is discussed more in Section 6.5: Basic Server Configuration (page 262).

Once the identity and credential information of a client has been obtained, HPSS servers enforce

access to their interfaces based on permissions granted by the access control list attached to a

Security object in the server's Cell Directory Service (CDS) directory. Access to interfaces that

change a server's metadata generally requires control permission. Because of the reliance on DCE

security features, HPSS security is only as good as the security employed in the HPSS DCE cell.

HPSS client interface authentication and authorization security features for end users depend on

the interface, and are discussed in the following subsections.

then encrypted and sent to the Non-DCE Gateway. The gateway will then try to use this

combinationto acquire DCE credentials. The encryption is performed using either the DES

algorithm or a simple hashing function (for sites where DES restrictions apply).