The connection server

The connection server is a standing process or daemon that runs on all client machines. It is used to establish connections for all network services that communicate over TLI connection-oriented and dialup connections. The connection server is started automatically during initialization when the system goes to multi-user mode. It receives requests for network services from client machine applications, establishes connections to the server-machine ports associated with the requested services, and passes the connections back to the application. Before passing a connection to an application, the connection server may invoke an authentication scheme.

Connection server components

The following are the components an application programmer will be concerned with:

• An application interface to the standing server. The interface consists of library routines that make the connection over connection-oriented networks or using dialup connections, and an error reporting routine. These routines are described here and on the cs_connect(3N) and dials(3N) manual pages.

• An /etc/iaf/serve.allow file, maintained on the client machine. /etc/iaf/serve.allow contains a list of network services that client applications expect to use and the acceptable authentication scheme or schemes for each service. This file is optional if client applications do not authenticate server identities, that is, if client applications will accept any authentication scheme imposed by server machines. /etc/iaf/serve.allow is described in ``Administering the connection server''.

• An optional file, /etc/iaf/serve.alias, also maintained on the client machine. /etc/iaf/serve.alias contains a list of network service names and their aliases. The serve.alias file is described in ``Administering the connection server''.

• A non-standing network service, reportscheme, that tells client machine applications what authentication scheme to use for a requested network service. The reportscheme service must exist on each port monitor that offers network services if the server is to enforce authentication scheme invocation. reportscheme is described in ``Administering the connection server'' and on the reportscheme(1Mbnu) manual page.

• If Enhanced Security is installed, a LIDAUTH.map file. LIDAUTH.map is an attribute mapping file created by the client system administrator to control the levels at which a local process can communicate with a remote system. When a local process attempts to connect to a remote system, the connection server reads the LIDAUTH.map file to determine whether the connection is authorized at the level of the running process. If LIDAUTH.map contains a line that authorizes the connection, the connection server sends the request to the server. If LIDAUTH.map does not authorize a connection at the security level of the local process, the connection server does not pass the connection request to the server. If a system is running Enhanced Security and a LIDAUTH.map file does not exist, the connection server fails all outgoing connection requests. LIDAUTH.map is described in ``Administering the connection server''.

• A connection server log file in /var/adm/log/cs.log.

The Service Access Facility's administrative command pmadm is used to install, remove, or change authentication schemes on the server machine. The command is described on the pmadm(1M) manual page and in ``Administering port services''.

Details of connection server administration that are not covered in this topic can be found in ``Administering the connection server''.