But DCE uses an RPC call for client-server communication. The CORBA standard is based on connection-oriented calls or TCP calls. Does this mean that OrbixSecurity is not CORBA compliant? Can somebody please clarify the authentication process used in OrbixSecurity?
Ludwig Brinckmann (June, 1998):
GSSAPI as such does not actually define how to log on to a system, but how to
exchange secure messages between authenticated principals. For this a principal
has to present its credentials to the GSSAPI routines. To obtain these
credentials, a DCE login is used. This actually requires a DCE installation
on the client machine and the protocol used for this is DCE RPC. Once the DCE
login context has been established, it is passed to the gssdce_login_context_to_cred
routine to obtain the GSSAPI credential. (The DCE implementation of GSSAPI provides
a few routines prefixed with gssdce that bridge between DCE and GSSAPI.)
The credential is then used in GSSAPI routines for a handshake between client
and server and then to routines like gss_sign to encrypt the messages
between peers. Technically the Orbix/DCE security implementation is hybrid:
it uses DCE to establish the authentication of client and server and the Tickets
obtained are then used to encrypt IIOP traffic. This is good, because it provides
the best implementation of authentication available for the mass market and
bad, because you will need a separate DCE installation (with all the maintenance
and licensing costs).
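
The flow described in the answer above (log in to obtain a credential, establish a context with the server, then protect each message), as an added Python model that is not part of the original thread and is not Orbix, DCE or GSSAPI code. The function names, the key and the ticket format are assumptions, and HMAC-SHA256 stands in for the real ticket and per-message cryptography.

```python
# Added illustration: a toy model, NOT DCE, Kerberos or GSSAPI code.
# All names and keys are constructed; HMAC-SHA256 stands in for the real crypto.
import hashlib
import hmac
import os

# Constructed long-term key known only to the security service and the server.
SERVER_KEY = b"constructed-long-term-key-of-server"


def _mac(key, *parts):
    # Length-prefix each part so field boundaries cannot be shifted.
    data = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).digest()


def login(client):
    """Phase 1 (stands in for the login step): returns (ticket, session_key)."""
    body = client.encode() + b"|" + os.urandom(16).hex().encode()
    ticket = body + b"|" + _mac(SERVER_KEY, b"ticket", body).hex().encode()
    return ticket, _mac(SERVER_KEY, b"session", body)


def accept_context(ticket):
    """Phase 2, server side: validate the ticket, recover principal and key."""
    body, _, tag = ticket.rpartition(b"|")
    expected = _mac(SERVER_KEY, b"ticket", body).hex().encode()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("ticket not issued by the security service")
    return body.rsplit(b"|", 1)[0].decode(), _mac(SERVER_KEY, b"session", body)


class Channel:
    """Phase 3: per-message protection bound to the established context."""

    def __init__(self, key):
        self.key, self.send_seq, self.recv_seq = key, 0, 0

    def sign(self, msg):
        seq, self.send_seq = self.send_seq, self.send_seq + 1
        return seq, _mac(self.key, seq.to_bytes(8, "big"), msg)

    def verify(self, msg, token):
        seq, tag = token
        ok = seq == self.recv_seq and hmac.compare_digest(
            tag, _mac(self.key, seq.to_bytes(8, "big"), msg))
        if ok:
            self.recv_seq += 1  # a replayed or reordered token now fails
        return ok
```

The server never sees the client's password: it trusts the ticket because only the security service could have produced it, and it rejects any message whose token does not match the session key and the expected sequence number.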