Server Reference Guide : Configuring the OpenROAD Server : DCOM Security
 
Share this page          
DCOM Security
Note:  DCOM is available only on Windows versions of OpenROAD.
The OpenROAD Server is built on top of DCOM and can be configured to use DCOM security features.
DCOM supports a hierarchy of authentication levels, from NONE, to CONNECT, to PACKET, PACKET INTEGRITY, and PACKET PRIVACY. At the CONNECT level, authentication is performed at initial connection, but the message traffic is not signed or encrypted. At the PACKET PRIVACY level, all message headers and payloads are encrypted. The levels in between provide varying degrees of protection against message tampering.
Each process can declare its desired authentication level when it initializes COM, or it can allow COM to make that setting based on what was configured in the orserver.json configuration file. The DCOM client and DCOM server use the highest minimum security specified:
The DCOM authentication level of the client process determines the minimum level of authentication that the client is willing to accept.
The DCOM authentication level of the server process determines the minimum level of authentication that the server is willing to accept.
DCOM always uses whichever is the higher of those two levels.
Unauthenticated communication requires that both the client and server set their authentication levels to NONE.
The authentication level for the ASO and SPO is controlled by JSON configuration file entries specifically associated with those servers. Those settings can be configured with the DCOMCNFG utility (described in DCOM Configuration).
The client authentication level depends on the client program. A client program can explicitly set any desired authentication level when it initializes COM. If it does not explicitly specify a value, COM uses the machine-wide default that is contained in the orserver.json configuration file. This is the Default Authentication Level value found on the Default Properties tab of DCOMCNFG. OpenROAD clients use this machine-wide default setting. Other clients, such as IIS, do not.
DCOM servers, such as the ASO and SPO, are also configured with an Access Control List (ACL) to limit which users are allowed to access the server.