DIGITAL Software Product Description ___________________________________________________________________ PRODUCT NAME: Digital X.500 Directory Service SPD 40.77.08 DESCRIPTION Introduction The Digital[TM] X.500 Directory Service products may be used to im- plement a distributed network directory service following the CCITT X.500 Recommendations. These Recommendations split the functions of the directory between one of more Directory System Agents (DSA), where all information is held, and one or more Directory User Agents (DUA), from which all inquiries and other directory actions are made. Using the X.500 model, departments and organizations may adopt an incremen- tal independent approach to the establishment of a directory service using conforming products from multiple vendors. These separate im- plementations may then be connected together to provide a single log- ical directory service which spans the department, the organization, the region or the world, as appropriate. The Directory may contain in- formation on anything of interest, typically people, systems, network resources and databases and may be accessed both by individual users and applications. The Digital X.500 Directory Service product set includes: o Digital X.500 Directory Server - a Directory System Agent o Digital X.500 Administration Facility - a Directory User Agent March 1997 AE-PX3PJ-TE Other Digital messaging and networking products, such as ALL-IN-1, Mail- Works for Digital UNIX and the InfoBroker Server, also provide the di- rectory user agent function in order to access information in the Dig- ital X.500 Directory Server. The Digital X.500 Directory Service products are based on the 1993 edi- tion of ISO/IEC 9594 and the CCITT X.500 series of Recommendations. Version Numbers and Operating Systems The current Digital X.500 Directory Service product version numbers and supported operating systems are: ___________________________________________________________________ Operating_System______X.500_Product_Version________________________ Digital UNIX[R] 3.1 OpenVMS[TM] Alpha 3.1 OpenVMS_VAX[TM]_______3.1__________________________________________ Abstract Services The Digital X.500 Directory Service components provide and support all of the X.500 Abstract Services, including: Read Read attributes from a named entry Compare Test an attribute value without reading it Abandon Abandon an outstanding operation List List names of subordinate entries Search Find entries matching a search expression Add Create a new entry Remove Delete an entry Modify Add or remove attributes or values Entry Modify RDN Rename an entry 2 Schema The Digital X.500 Directory Service uses a configurable schema allow- ing customer definition of attributes, object classes, structure rules, and name forms. The schema is installed individually at each DSA. A default schema that implements the schema in X.520 and X.521 (1993 edi- tion) as well as other useful definitions is included. Security The Digital X.500 Directory Service supports a subset of the Simpli- fied Access Control scheme from the 1993 edition of the standard. This allows administrators to define policies that control access rights (such as read, browse, modify, remove) to entries and individual at- tributes within a particular part of the directory (naming context). The Digital X.500 Directory Service allows for the authentication of users by name and password. It also allows access to be restricted based on network address, and, for chained operations, originating DSA. Distributed Operations The DSA supports standard X.500 distributed operations including chain- ing and referrals. Knowledge management of superior and subordinate references allows a Digital X.500 DSA to participate as a first-level DSA or a subordinate DSA in a multi-vendor distributed Directory In- formation Base (DIB). Replication The Digital X.500 Directory Service supports shadowing of data between DSAs, allowing data to be replicated in the network for availability and performance. Shadowing also allows replication of knowledge in- formation for distributed operation, access control policies and au- thentication information, thus reducing the amount of management re- quired. 3 Shadowed information is represented using the DSA Information Model defined in the 1993 edition of the standard. Digital X.500 Directory Service supports the shadowing service defined in X.525, including supplier- initiated and consumer-initiated agreements, both scheduled and on- change replication providing full or incremental updates. 4 Protocols The Directory Service is based on the client-server model. The DSA server supports the directorySystemAC application context (DSP protocol) to communicate with other DSAs. Communications between server DSAs and client DUAs are supported by the directoryAccessAC application con- text (DAP protocol). DAP enables DUAs in other X.500 implementations to access the Digital X.500 Directory Service DSA and vice-versa. DSP enables full interworking with DSAs in other implementations. For shadowing, of the DSA supports shadowSupplierInitiatedAC and shad- owConsumerInitiatedAC application contexts in both the synchronous and asynchronous variants (DISP protocol) and the directoryOperational- BindingManagementAC application context (DOP protocol). The Digital X.500 Directory Service runs on the Digital UNIX, Open- VMS Alpha and OpenVMS VAX operating systems. It provides integrated, multi-protocol support allowing concurrent DAP and DSP access over OSI (using transport classes TP0, TP2, TP4) and RFC1006 over TCP/IP. In conjunction with the InfoBroker Server (see SPD 53.32.xx) access to the directory service may be obtained using LDAP (Lightweight Di- rectory Access Protocol). For the Digital UNIX environment, the un- limited system use license for the X.500 Directory Server includes the right to install and use the InfoBroker Server on the same system as the DSA. Where the InfoBroker Server is to be installed and run on a system separate from the DSA, or with a concurrent use DSA license, a separate InfoBroker Server license is required. Database The Digital X.500 Directory Service provides a Directory Information Base based on the 1993 edition of Extended Information Models. This indexed database supports high-performance searching and sophisticated matching including approximate (Soundex) match. The database is held in main memory to ensure optimal response times. 5 Service Management The Digital X.500 Directory Service provides DSA management conform- ing to Digital's Enterprise Management Architecture (EMA), integrated with DECnet/OSI[TM]. This provides remote management facilities to con- figure and control DSAs, and to log significant events. Programming Interface Application access to the Digital X.500 Directory Service is provided through the X/Open[TM] Company Limited's OSI-Abstract-Data Manipula- tion API and API to Directory Services, also known as the XDS/XOM Ap- plication Program Interface. Documentation, useful libraries and sup- porting files for the API are included with the X.500 Directory Server. The Digital X.500 Directory Service includes a base component that con- tains the DUA libraries and other supporting files necessary to sup- port applications written to the directory API. This base component, therefore, provides run-time client access to the API libraries; it is distributed with the Digital X.500 Directory Server product. The license for the Digital X.500 Directory Server includes the right to install this base component on any system having an application need- ing access to that properly licensed Digital X.500 Directory Server. It is not required to load a license into the License Management Fa- cility in order for the base kit to function. Directory User Agents The Digital X.500 Administration Facility provides a Directory User Agent. The Information Management Utility (DXIM) allows users to search and browse the directory and to maintain the data stored in it. Op- erations include the addition, modification, and deletion of entries. DXIM supports both DECwindows[TM] Motif[R] and command line interfaces. It can be used on a DSA node or remotely from any other node in the network. DXIM is configurable, based on the schema definitions, to support customer- defined attributes and classes. 6 Access to the Digital X.500 Directory Service may also be obtained through other Digital software products which contain the Directory User Agent function. For example, MailWorks for Digital UNIX will allow users of TeamLinks clients access to information in the X.500 Directory. STANDARDS SUPPORTED The Digital X.500 Directory Service products are implemented accord- ing to the the 1993 edition of ISO/IEC 9594 and the CCITT X.500 se- ries of Recommendations. The products have successfully completed test- ing to the Open Systems Testing Consortium (OSTC) 1988 X.500 confor- mance tests. The conformance testing was carried out by the United King- dom National Computer Centre, an accredited OSTC testing center, who produced OSTC test reports valid in all European Community states. The products have been registered by the U.S. National Institute of Stan- dards and Technology (NIST) as conformant to U.S. GOSIP. The products are designed and implemented to conform, with some mi- nor exceptions, to the following European and US profiles: o NIST OIW Stable Implementor's Agreements - Version 5 edition 1 o ENV 41210 o ENV 41212 o ENV 41215 o ENV 41512 The products also support, where applicable, the following Internet standards: o RFC 1006 o RFC 1274 o RFC 1277 (as it applies to TCP/IP networks) o RFC 1278 7 HARDWARE REQUIREMENTS Processors Supported For Digital UNIX: Digital X.500 Directory Service is supported on all valid Digital UNIX Alpha configurations. Refer to the configuration charts listed in the Digital UNIX Operating System Software Product Description (SPD 41.61.xx) for further information on supported hardware configurations. For OpenVMS Alpha: Digital X.500 Directory Service is supported on all valid OpenVMS Al- pha configurations supported by DECnet/OSI. Refer to the DECnet/OSI for OpenVMS Alpha Software Product Description (SPD 50.45.xx) for fur- ther information on supported hardware configurations. For OpenVMS VAX: Digital X.500 Directory Service is supported on all valid OpenVMS VAX configurations supported by DECnet/OSI, with the exception of those listed below. Refer to the DECnet/OSI for OpenVMS VAX Software Prod- uct Description (SPD 25.03.xx) for further information on supported hardware configurations. Processors Not Supported MicroVAX I, VAXstation I, VAX-11/725, VAX-11/782, VAXstation 8000 Disk Space Requirements The counts below refer to the disk space required on the system disk or specified file systems. The sizes are approximate; actual sizes may vary depending on the user's system environment, configuration, and software options selected. 8 The counts below refer to the space required to install the X.500 Server, Administration, and Application Programming components. The Base com- ponent is a mandatory component for all installations. Permanent disk space requirements for the components are cumulative. Directory data files are not included and will require additional space which can be on a non-system disk. 9 For Digital UNIX Systems: Disk space required for installation and for use (permanent): ___________________________________________________________________ Component File System (Kbytes): ______________________________/usr_______/var______________________ Base: 3000 500 Server: 4000 50 Administration: 4300 600 Application 7800 Programming: Look-up client: 8300 Reference Pages: 300 Release_Notes:_________________300_________________________________ Directory data files are stored in the /var file system. For OpenVMS Alpha Systems (Block Cluster Size = 1): Disk space required for installation: ___________________________________________________________________ Component_____________________Blocks_____Kbytes____________________ All:__________________________40000______20480_____________________ Disk space required for use (permanent): ___________________________________________________________________ Component_____________________Blocks_____Kbytes____________________ Base: 6000 3072 Server: 18000 9216 Administration: 7000 3584 Application 1000 512 Programming: Look-up_client:________________5000______2560______________________ 10 For OpenVMS VAX Systems (Block Cluster Size = 1): Disk space required for installation: ___________________________________________________________________ Component_____________________Blocks_____Kbytes____________________ All:__________________________40000______20480_____________________ Disk space required for use (permanent): ___________________________________________________________________ Component_____________________Blocks_____Kbytes____________________ Base: 6000 3072 Server: 18000 9216 Administration: 7000 3584 Application 1000 512 Programming: Look-up_client:________________5000______2560______________________ Memory Requirements The performance of this product is dependent on the amount of system memory. The memory size suggested for most typical hardware config- urations is at least 64 Mbytes for Digital UNIX or at least 32 Mbytes for OpenVMS, for systems running the Directory Server. On these server systems, memory usage increases in proportion to the amount of data stored in the database. CLUSTER ENVIRONMENT This layered product is fully supported when installed on any valid and licensed VMScluster[TM]* configuration without restrictions. Only one Directory System Agent (DSA) can be active on a single node or VM- Scluster at any one time. The HARDWARE REQUIREMENTS section of this document details any special hardware required by this product. 11 * VMScluster configurations are fully described in the VMScluster Soft- ware Product Description (29.78.xx) and include CI, Ethernet, and Mixed Interconnect configurations. SOFTWARE REQUIREMENTS For Digital UNIX Systems: For All Systems: o Digital UNIX Operating System V4.0D or later. Digital UNIX Oper- ating System V4.0A may be used provided patch 123.00 (OSF405-400151) is applied. Digital UNIX Operating System V4.0B may be used pro- vided patch 44.00 (OSF410-400151) is applied. At the time of writ- ing, no patch is available for Digital UNIX V4.0C. o DECnet/OSI for Digital UNIX V4.0A or later For OpenVMS Alpha Systems: For Systems Using Terminals: o OpenVMS Alpha Operating System V6.1 or later o DECnet/OSI V6.2 for OpenVMS Alpha or later For OpenVMS VAX Systems: For Systems Using Terminals (No DECwindows Interface): o OpenVMS VAX Operating System V6.1 o DECnet/OSI V6.2 for OpenVMS VAX For All OpenVMS Systems: This product may run in either of the following ways: o Standalone Execution - Running the X11 display server and the client application on the same machine. 12 o Remote Execution - Running the X11 display server and the client application on different machines. VMS DECwindows is part of the OpenVMS VAX operating system but must be installed separately. Installation of VMS DECwindows gives you the option to install any or all of the following three components: o VMS DECwindows Compute Server (Base kit; includes runtime support) o VMS DECwindows Device Support o VMS DECwindows Programming Support For stand-alone execution, the following DECwindows components must be installed on the machine: o VMS DECwindows Compute Server o VMS DECwindows Device Support For remote execution, the following DECwindows components must be in- stalled on the machine: Server Machine o VMS DECwindows Compute Server o VMS DECwindows Device Support Client Machine o VMS DECwindows Compute Server o VMS DECwindows Device Support OpenVMS Tailoring: The following OpenVMS classes are required for full functionality of this layered product: o OpenVMS Required Saveset o Network Support o Programming Support 13 o VMS Workstation Support GROWTH CONSIDERATIONS The minimum hardware/software requirements for any future version of this product may be different from the requirements for the current version. DISTRIBUTION MEDIA This product is available on the Digital UNIX, OpenVMS Alpha and Open- VMS VAX Layered Products CD-ROM distributions. The documentation for this product is available on the Digital UNIX, OpenVMS Alpha and OpenVMS VAX Online Documentation CD-ROM distribu- tions. A printed documentation kit is available that covers all platforms. ORDERING INFORMATION In this section, an asterisk (*) denotes variant fields. For additional information on available licenses, services, and media, refer to the appropriate price book. Digital X.500 Directory Server: o Software Licenses: For Digital UNIX QL-2FYA*-** systems: For OpenVMS Alpha Systems: - Unlimited system QL-2NZA*-** use: 14 - Concurrent use: QL-0P4A*-** For OpenVMS VAX QL-0P4A*-** Systems: o Software Product Services: For Digital UNIX QT-2FYA*-** systems: For OpenVMS Alpha QT-2NZA*-** Systems: For OpenVMS VAX QT-0P4A*-** Systems: Digital X.500 Administration Facility: o Software Licenses: For Digital UNIX QL-2FZA*-** systems: For OpenVMS Alpha QL-2P0A*-** Systems: For OpenVMS VAX QL-0P5A*-** Systems: o Software Product Services: For Digital UNIX QT-2FZA*-** systems: For OpenVMS Alpha QT-2P0A*-** Systems: For OpenVMS VAX QT-0P5A*-** Systems: 15 Media for all products: o Software Media: For Digital UNIX QA-054AA-H8 systems (CD-ROM): For OpenVMS Alpha QA-03XAA-H8 Systems (CD-ROM): For OpenVMS VAX QA-VWJ8A-A8 Systems (CD-ROM): For OpenVMS VAX QA-0P4A*-** Systems (tapes): Documentation for all products: o Printed Documentation: For Digital UNIX QA-0P4AA-GZ systems: For OpenVMS Alpha QA-0P4AA-GZ Systems: For OpenVMS VAX QA-0P4AA-GZ Systems: SOFTWARE LICENSING This software is furnished under the licensing provisions of Digital Equipment Corporation's Standard Terms and Conditions. For more in- formation about Digital's licensing terms and policies, contact your local Digital office. License Management Facility Support This layered product supports the Digital UNIX and OpenVMS License Man- agement Facilities (LMF). License units for the Digital X.500 Directory Server are allocated on an Unlimited System Use and Concurrent Use basis. 16 Each Server Concurrent Use license allows a specified number of en- tries to be added to the local directory database, according to the number of units in the license. The number of entries counted includes all sub-entries (access control, shadowing agreement and other sub- entries), intermediate entries in the naming hierarchy, a small num- ber of overhead entries used for internal DSA management purposes, all shadowed entries from other DSAs as well as normal entries such as those used by human users or used by other dependent software, for example MAILbus 400 MTA routing and gateway entries. In a messaging environ- ment with mail user agents, a MAILbus 400 MTA and gateways, a 5000 en- try DSA may only be sufficient to support a user population of 1000 people. For further details of this mechanism, consult the product doc- umentation. The Server Unlimited System Use license imposes no fixed limits on di- rectory size. The Digital X.500 Directory Service includes a base component that con- tains the DUA libraries and other supporting files necessary to sup- port applications written to the directory API. This base component, therefore, provides run-time client access to the API libraries; it is distributed with the Digital X.500 Directory Server product. The license for the Digital X.500 Directory Server includes the right to install this base component on any system having an application need- ing access to that properly licensed Digital X.500 Directory Server. It is not required to load a license into the License Management Fa- cility in order for the base kit to function. The Unlimited System Use license for the Digital X.500 Directory Server for Digital UNIX allows the installation and use of the InfoBroker Server for Digital UNIX on the same Digital UNIX system as the Digital X.500 Directory Server. This does not apply to the Concurrent Use license for the Digital X.500 Directory Server for Digital UNIX; in this case an additional InfoBroker Server license is required. License units for the Digital X.500 Administration Facility are al- located on a Unlimited System Use and Concurrent Use basis. Each Con- current Use license allows any one individual at a time to use the lay- ered product. 17 For more information on the Digital UNIX or the OpenVMS License Man- agement Facilities, refer to the appropriate Software Product Descrip- tion or documentation. SOFTWARE PRODUCT SERVICES A variety of service options are available from Digital. For more in- formation, contact your local Digital office. SOFTWARE WARRANTY Warranty for this software product is provided by Digital with the pur- chase of a license for the product as defined in the Software Warranty Addendum of this SPD. [R] Motif, OSF, OSF/Motif and OSF/1 are registered trademarks of Open Software Foundation, Inc. UNIX is a registered trademark in the United States of America and other countries, licensed exclusively by X/Open Company Limited. [TM]X/Open is a trademark of X/Open Company Limited. [TM]The DIGITAL Logo, ALL-IN-1, CI, DEC, DECnet, DECstation, DEC- system, DECwindows, DECthreads, Digital, MicroVAX, OpenVMS, TK, VAX, VMScluster, VAXft, VAXserver, VAXstation, and VMS are trademarks of Digital Equipment Corporation. © Digital Equipment Corporation. 1993, 1997. All rights reserved. Digital Equipment Corporation makes no representation that the use of its products in the manner described in this publication will not in- fringe on existing or future patent rights, nor do the descriptions contained in this publication imply the granting of licenses to make, use, or sell equipment or software in accordance with the description. 18 Possession, use, or copying of the software described in this publi- cation is authorized only pursuant to a valid written license from Dig- ital or an authorized sublicensor. 19