DCE: Past, Present, and Future
What we’ve done
What we want
“The New DCE”
Content
• Why we chose DCE
– What we liked, what we expected
• What we are doing with DCE
– How we extend DCE as infrastructure
– What we’ve built using DCE
• What we see for the future of DCE
– The Securities Industry Middleware Council
– “The New DCE”
Who’s speaking
• Eliot M. Solomon
– Senior Technical Director, Securities Industry Automation Corporation (SIAC)
• 25 years experience in information technologies
– Mission critical computing
– Distributed and global systems
Additional “Hats”
• Securities Industry Middleware Council
– Chair
• The DCE Program of The Open Group
– Chair
What sort of organization is ?
• SIAC provides NYSE and AMEX...
– Facilities management
– System design, development, and operation
– Communications and network operations
• 1400 employees, mainly IT professionals
• Supports key securities industry organizations
– Consolidated “tapes” for all US stock exchanges
– National Securities Clearing Corp. and allied clearing companies
• Center of a network reaching nearly every securities firm in the United States
The New York Stock Exchange in 1997
• Premier equities market in the world
• Listed issues from more than 3,000 companies
• 1,428* members from 467 securities firms
• On an average day, NYSE systems handled:
– 527,000,000 shares (sold)
– 405,000 trades
– 569,300 orders handled electronically by SuperDot
• System capacity > 500 messages/second** (now 600 messages/second)
* 1,366 members own “seats”
** year-end 1997
DCE Past
Why we chose it
How we deployed it
We chose DCE...
• To make UNIX operationally sound
– Consistent, single system image
– The promise of DME
• To help make security automatic
– Implicit inclusion in RPC mechanism
– Single point of administration
• To make “open systems” a business reality
– Making us vendor-neutral, i.e. -independent
We liked DCE….
• For the process more than the product
– The “RFT” mechanism for finding and fitting
• For the future more than the features
– That the process would continue indefinitely
• For the consistency more than the constancy
– That it would facilitate change and evolution while allowing us to achieve operational continuity
Did we get what we hoped?
But we rarely get exactly what we want, so we pushed on...
DCE Present
What we are doing with it
How we are adding to it
Central Services Extends the Infrastructure
• Provide a framework to support the user’s access to a wide variety of services in a unified, cohesive, secure manner, while maintaining adequate user accountability
• Centrally perform administrative functions that would otherwise have to be replicated in multiple applications
Administrative Services
• Entitlement Management System & Shared Configuration Data Base
– High-level view of entire system
  • In terms of users and their services
  • Not technical artifacts or systems
– Single point of administration for all aspects of service entitlement and delivery
  • Reduce transcriptions and steps
  • Help ensure consistent application of rights
Administrator’s View: Entitlement Management
[Diagram labels: EM Workstation running EM Tool; NYSE Bulk Update File; PC running Browser/spreadsheet; SCDB; EM Host; Login Servers; Authentication Servers; User Utilities Servers; Hand Held Login Servers; DFS Servers]
“Dynamic” “Directories”
• User location and activity information
– Captured from the X-servers and Login Servers
• Detailed “device characterizations”
– Allows terminals, printers, etc. to be located by attributes or characteristics
• Operational State Server
– Provides real-time information about the state of systems and business
XAS Components: Closer Look
[Diagram labels: User Events; XAS Collector; XAS Local File; XAS Server; XAS Query; XAS Database; XAS Collector Interface; Object Request Broker; XAS Monitor Interface]
Policy-based, dynamic access control
• Login Servers
• Distributed Authorization Services
• “RFC 68.4” Cross-realm authentication
• “Xhost” control mechanisms
• Role-based policies use “become user” mechanism
[Diagram labels: OPS; DCS; SCDB; Login; Application Hosts; DBK; BBSS; Profiles; Preferences; Directories; Servers; X; NC; NT; XAS; Dynamic Directories]
Distributed Authorization Service
[Diagram labels: Context Servers; DCE Registry; Display Devices; APE “Access Policy Engine”; Authorization Server; Policy Databases; Business Application]
Other Services Based on DCE
• “Emergency Broadcast” Server
• Radio Paging Server
• Wireless Data System Authentication Server
• Network Print Services
• And, of course, DFS
Emergency Broadcast Messaging using XAS
[Diagram labels: Login Server; Brow Server; Web Server; XAS Server; DCE Server; http; dce login; DCE authentication; Set property; dialog]
DCE Future
What we need at SIAC, NYSE and the Securities Industry
The Message of the Securities Industry Middleware Council
• We must improve the quality of "infrastructure" software vendors provide to the Securities Industry
– This is not to say that quality of middleware is bad, only that the quality metrics peculiarly relevant to our industry were not being met with any consistency
We need The New DCE to…
• Deliver Business Value to the User
– Real solutions at appropriate cost
– Preserve and leverage prior investments
• Focus on the need of the Mission-critical enterprise
– Secure the core of IT while enabling it to reach out to the world.
A stable base on which we can build business strategies
• Protection from the inconstancy of technology trends
• Protection from the depredations of the monopolist
• Protection from the risks of immature or incomplete infrastructure
Enhanced integration
• Enterprise directory infrastructure
– Aligning directories with the larger enterprise
• Consistent AuthN/AuthZ over all models
– RPC, Messaging, Objects, Components
• Consistent model of operation
– Replication for throughput and availability
– Security administration
– Monitoring, management
[Diagram labels: DCE; Security; Directory; Remote Invocation; TIME; Technologies to choose among; Wire RPC]
What is DCE? “Our” view.
• An approach to integrating diverse technologies
• A process for innovating while maintaining stability
• A support framework for a business-critical operational profile
• A common substrate of core services
DCE and Security: “Find and Fit” as a Technology Strategy
• Security is DCE’s best success
• DCE selected Kerberos as “best of class”
• The “hardened” DCE version interoperates with “conventional” versions
[Diagram labels: DCE; Kerberos; DCE Security Services]
Migration to LDAP directory technology follows this model
DCE and PKI: DCE RFC 68.4 “Finds and Fits” a Solution
• The goal was to solve a business problem
• A proven solution was selected as the model
• The approach ensures business interoperability, not technology hegemony
[Diagram labels: DCE; Kerberos; DCE Security Services; DCE RFC 68.4]
It’s not “DCE or PKI.” DCE finds the best solutions
Solutions in Layers
• Anything that leverages the infrastructure is DCE
– DCE “flows up” the solution stack
– DCE must allow selective use of its features
• Layered middleware that uses DCE becomes DCE
[Diagram labels: DCE; layered middleware; Business solution]
And so, “The New DCE” must...
• Increase the completeness of the solution
• Reduce total cost of ownership
• Focus on the enterprise
Business Model of “The New DCE”
• The New DCE is loyal to its customers, not its technology
• What preserves and leverages a customer’s investment in mission critical infrastructure is by definition “The New DCE”
• The New DCE ensures that the buyer is never coerced