DCE: Past, Present, and Future What we’ve done What we want “The New DCE”

DCE: Past, Present, and Future

What we’ve done

What we want

“The New DCE”

Content

• Why we chose DCE
  – What we liked, what we expected

• What we are doing with DCE
  – How we extend DCE as infrastructure
  – What we’ve built using DCE

• What we see for the future of DCE
  – The Securities Industry Middleware Council
  – “The New DCE”

Who’s speaking

• Eliot M. Solomon
  – Senior Technical Director, Securities Industry Automation Corporation (SIAC)

• 25 years’ experience in information technologies
  – Mission critical computing
  – Distributed and global systems

Additional “Hats”

• Securities Industry Middleware Council
  – Chair

• The DCE Program of The Open Group
  – Chair

What sort of organization is ?

• SIAC provides NYSE and AMEX...
  – Facilities management
  – System design, development, and operation
  – Communications and network operations

• 1400 employees, mainly IT professionals

• Supports key securities industry organizations
  – Consolidated “tapes” for all US stock exchanges
  – National Securities Clearing Corp. and allied clearing companies

• Center of a network reaching nearly every securities firm in the United States

The New York Stock Exchange in 1997

• Premier equities market in the world

• Listed issues from more than 3,000 companies

• 1,428* members from 467 securities firms

• On an average day, NYSE systems handled:
  – 527,000,000 shares (sold)
  – 405,000 trades
  – 569,300 orders handled electronically by SuperDot

• System capacity > 500 messages/second** (now 600 messages/second)

* 1,366 members own “seats”
** year-end 1997

DCE Past

Why we chose it

How we deployed it

We chose DCE...

• To make UNIX operationally sound
  – Consistent, single system image
  – The promise of DME

• To help make security automatic
  – Implicit inclusion in RPC mechanism
  – Single point of administration

• To make “open systems” a business reality
  – Making us vendor-neutral, i.e. -independent

We liked DCE….

• For the process more than the product
  – The “RFT” mechanism for finding and fitting

• For the future more than the features
  – That the process would continue indefinitely

• For the consistency more than the constancy
  – That it would facilitate change and evolution while allowing us to achieve operational continuity

Did we get what we hoped?

But we rarely get exactly what we want, so we pushed on...

DCE Present

What we are doing with it

How we are adding to it

Central Services Extends the Infrastructure

• Provide a framework to support the user’s access to a wide variety of services in a unified, cohesive, secure manner, while maintaining adequate user accountability

• Centrally perform administrative functions that would otherwise have to be replicated in multiple applications

Administrative Services

• Entitlement Management System & Shared Configuration Data Base
  – High-level view of entire system
    • In terms of users and their services
    • Not technical artifacts or systems
  – Single point of administration for all aspects of service entitlement and delivery
    • Reduce transcriptions and steps
    • Help ensure consistent application of rights

Administrator’s View: Entitlement Management

[Diagram labels: EM Workstation running EM Tool; NYSE Bulk Update File; PC running Browser/spreadsheet; SCDB; EM Host; Login Servers; Authentication Servers; User Utilities Servers; Hand Held Login Servers; DFS Servers]

“Dynamic” “Directories”

• User location and activity information
  – Captured from the X-servers and Login Servers

• Detailed “device characterizations”
  – Allows terminals, printers, etc. to be located by attributes or characteristics

• Operational State Server
  – Provides real-time information about the state of systems and business

XAS Components: Closer Look

[Diagram labels: User Events; XAS Collector; XAS Local File; XAS Server; XAS Query; XAS Database; XAS Collector Interface; Object Request Broker; XAS Monitor Interface]

Policy-based, dynamic access control

• Login Servers

• Distributed Authorization Services

• “RFC 68.4” Cross-realm authentication

• “Xhost” control mechanisms

• Role-based policies use “become user” mechanism

[Diagram labels: OPS; DCS; SCDB; Login; Application Hosts; DBK; BBSS; Profiles; Preferences; Directories; Servers; X; NC; NT; XAS; Dynamic Directories]

Distributed Authorization Service

[Diagram labels: Context Servers; DCE Registry; Display Devices; APE (“Access Policy Engine”); Authorization Server; Policy Databases; Business Application]

Other Services Based on DCE

• “Emergency Broadcast” Server

• Radio Paging Server

• Wireless Data System Authentication Server

• Network Print Services

• And, of course, DFS

Emergency Broadcast Messaging using XAS

[Diagram labels: Login Server; Brow Server; Web Server; XAS Server; DCE Server; http; dce login; DCE authentication; Set property; dialog]

DCE Future

What we need at SIAC, NYSE and the Securities Industry

The Message of the Securities Industry Middleware Council

• We must improve the quality of "infrastructure" software vendors provide to the Securities Industry
  – This is not to say that quality of middleware is bad, only that the quality metrics peculiarly relevant to our industry were not being met with any consistency

We need The New DCE to…

• Deliver Business Value to the User
  – Real solutions at appropriate cost
  – Preserve and leverage prior investments

• Focus on the need of the Mission-critical enterprise
  – Secure the core of IT while enabling it to reach out to the world.

A stable base on which we can build business strategies

• Protection from the inconstancy of technology trends

• Protection from the depredations of the monopolist

• Protection from the risks of immature or incomplete infrastructure

Enhanced integration

• Enterprise directory infrastructure
  – Aligning directories with the larger enterprise

• Consistent AuthN/AuthZ over all models
  – RPC, Messaging, Objects, Components

• Consistent model of operation
  – Replication for throughput and availability
  – Security administration
  – Monitoring, management

[Diagram labels: DCE; Security; Directory; Remote Invocation; TIME; Technologies to choose among; Wire RPC]

What is DCE? “Our” view.

• An approach to integrating diverse technologies

• A process for innovating while maintaining stability

• A support framework for a business-critical operational profile

• A common substrate of core services

DCE and Security: “Find and Fit” as a Technology Strategy

• Security is DCE’s best success

• DCE selected Kerberos as “best of class”

• The “hardened” DCE version interoperates with “conventional” versions

[Diagram labels: DCE; Kerberos; DCE Security Services]

Migration to LDAP directory technology follows this model

DCE and PKI: DCE RFC 68.4 “Finds and Fits” a Solution

• The goal was to solve a business problem

• A proven solution was selected as the model

• The approach ensures business interoperability, not technology hegemony

[Diagram labels: DCE; Kerberos; DCE Security Services; DCE RFC 68.4]

It’s not “DCE or PKI.” DCE finds the best solutions

Solutions in Layers

• Anything that leverages the infrastructure is DCE

– DCE “flows up” the solution stack

– DCE must allow selective use of its features

• Layered middleware that uses DCE becomes DCE

[Diagram labels: DCE; layered middleware; Business solution]

And so, “The New DCE” must...

• Increase the completeness of the solution

• Reduce total cost of ownership

• Focus on the enterprise

Business Model of “The New DCE”

• The New DCE is loyal to its customers, not its technology

• What preserves and leverages a customer’s investment in mission critical infrastructure is by definition “The New DCE”

• The New DCE ensures that the buyer is never coerced
