4 — Deploying CAS Applications




This chapter provides information on deploying CAS applications, and contains the following sections:

4.1 Full PC-DCE Client Requirement
4.2 ERAs Supporting CAS
4.3 Specifying Authentication Methods Using ERAs
4.4 Installing Co-Authentication DLLs
4.5 Setting up the cass_handlers File
4.6 Using the Windows Event Log to Verify CAS Operation

4.1 Full PC-DCE Client Requirement

For this release of PC-DCE, the CAS client functions require the full PC-DCE client. You configure the full PC-DCE client by selecting the Configure Client Daemons setting in the PC-DCE configuration panel.

4.2 ERAs Supporting CAS

The ERAs that support CAS are CASAUTHSVCS and pre_auth_req.

4.2.1 CASAUTHSVCS ERA

CASAUTHSVCS is a multipart ERA that allows you to specify authentication methods on a per-principal basis. Refer to Chapter 2 on page 11 for a discussion of how the security server uses this ERA to select the authentication method to be used for a principal.

4.2.1.1 Creating the CASAUTHSVCS ERA Schema

The CASAUTHSVCS ERA schema is normally created by the PC-DCE configuration program when you configure PC-DCE on your system. If you do not wish to reconfigure PC-DCE (for example, if you are installing PC-DCE as an upgrade), you can create the schema using dcecp as follows:

dcecp> xattrschema create /.:/sec/xattrschema/CASAUTHSVCS \
       -encoding stringarray \
       -aclmgr {principal {query r} {update m} {test r} {delete m}} \
       -multivalued yes

4.2.2 pre_auth_req ERA

You can use the pre_auth_req ERA (with a value of 11) to specify that the principal must log in using a CAS method; no fallback to a straight DCE name/password login is allowed.

4.3 Specifying Authentication Methods Using ERAs

To associate a principal with one or more authentication methods, use dcecp to attach the CASAUTHSVCS ERA to the principal. This ERA is a prioritized list of DLLs: if more than one method is supported by both the security server and the client, the security server selects the first that appears in the ERA.

In addition, you can use the pre_auth_req ERA to specify that the principal must log in using a CAS method; no fallback to a straight DCE name/password login is allowed.

The following example adds two methods (DLLs) to principal groucho:

dcecp> principal modify groucho -add {CASAUTHSVCS {securidcass.dll} {examplecass.dll}}

In this list, SecurID authentication is the highest priority.

The following example adds the pre_auth_req ERA:

dcecp> principal modify groucho -add {pre_auth_req 11}

To verify that the ERA was added correctly, use the dcecp principal show command:

dcecp> principal show groucho -all
{fullname {}}
{uid 105}
{uuid 00000069-e706-259c-b400-00802964ff95}
{alias no}
{quota unlimited}
{groups none}
{CASAUTHSVCS securidcass.dll examplecass.dll}
{pre_auth_req 11}

4.4 Installing Co-Authentication DLLs

Install co-authentication DLLs in the install_directory\bin directory (for example: pcdce32\bin).

4.5 Setting up the cass_handlers File

The cass_handlers file is a text file that the Gradient Security Server reads to identify installed co-authentication DLLs. The full path is install_directory\opt\dcelocal\var\security\cass\cass_handlers.

The file is a list of DLL names, each terminated by a carriage return. Comments begin with a semicolon and blank lines are ignored. The following is an example cass_handlers file:

; Security Dynamics DLL
securidcass.dll
; Example Co-authentication DLL
examplecass.dll
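The following added example (not part of the PC-DCE product or this manual) models the two rules described in sections 4.3 and 4.5: it reads a cass_handlers file in the format above to learn which co-authentication DLLs the Security Server has installed, then walks a principal's CASAUTHSVCS list in priority order and picks the first DLL that both the server and the client support, refusing any fallback to a plain DCE password login when pre_auth_req is 11. The sample file and the client method lists are constructed for the example; treating "installed in cass_handlers" as "supported by the server" and comparing DLL names case-insensitively are assumptions.

```python
# Constructed cass_handlers content in the format the Security Server reads:
# one DLL name per line, ';' begins a comment, blank lines are ignored.
CASS_HANDLERS = """; Security Dynamics DLL
securidcass.dll

; Example Co-authentication DLL
examplecass.dll
"""

# Value of the pre_auth_req ERA that forbids fallback to a name/password login.
PRE_AUTH_REQ_CAS_ONLY = 11


def parse_cass_handlers(text):
    """Return the DLL names listed in a cass_handlers file, in file order."""
    handlers = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # comment or blank line
        handlers.append(line.lower())  # assumption: DLL names compare case-insensitively
    return handlers


def select_method(casauthsvcs, server_handlers, client_methods, pre_auth_req=None):
    """Choose the authentication method for one login attempt.

    casauthsvcs   -- the principal's CASAUTHSVCS ERA, highest priority first
    server_handlers -- DLLs the server has loaded (assumed: the cass_handlers list)
    client_methods  -- DLLs the client advertises
    Returns the chosen DLL name, "dce_password" for a straight DCE login,
    or None when pre_auth_req is 11 and no CAS method is usable.
    """
    loaded = {h.lower() for h in server_handlers}
    supported = {c.lower() for c in client_methods}
    for dll in casauthsvcs:
        name = dll.lower()
        if name in loaded and name in supported:
            return name  # first entry supported by both sides wins
    if pre_auth_req == PRE_AUTH_REQ_CAS_ONLY:
        return None  # CAS required; no fallback permitted
    return "dce_password"


if __name__ == "__main__":
    era = ["securidcass.dll", "examplecass.dll"]  # groucho's ERA from the manual
    print(select_method(era, parse_cass_handlers(CASS_HANDLERS), ["examplecass.dll"]))
```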

4.6 Using the Windows Event Log to Verify CAS Operation

To verify that a particular CAS authentication service has been loaded by the Security Server, use the Windows Event Viewer. Each successfully-loaded authentication service adds a trace to the log with a Source label of Entegrity DCE. When you click the trace entry, an event detail dialog box appears with information similar to the following:

[CAS] securidcass.dll auth. service loaded.
uuid:00389c30-4341-13de-91b9-00802969679f   

Each successfully-loaded authentication service adds an entry.

NOTE: The Gradient Security Server loads authentication services after the first login. Therefore a user may need to perform an initial login, CAS or normal, before the CAS traces appear in the log.




To make comments or ask for help, contact support@entegrity.com.

Copyright © 1997-2003 Entegrity Solutions Corporation & its subsidiaries