Customer Success Story: SIAC
New York City, NY
Challenges

  • Provide secure log-in for employees on the trading floor of the NY Stock Exchange
  • Requirements include efficient throughput and highly available systems in a distributed environment
  • Ability to manage user access privileges

Solution

  • DCE Integrated log-in used with X-terminals, obtaining DCE credentials for authentication of traders logging in
  • DCE Version 1.5 Security Server running on 2 HP 9000 servers used for obtaining credentials
  • Six replica HP 9000 servers used for high availability
  • Entitlement Management System for configuration of the users' accounts and entitlements.

Result

  • Controlled access by authorized personnel to valuable information through DCE authentication, authorization and audit capabilities
  • Continuous up-time through DCE replication
  • An infrastructure that SIAC can grow with, incorporating future applications

The Securities Industry Automation Corporation (SIAC) operates the computer and communications systems behind the New York and American Stock Exchanges. They provide system design, development and operation, and are also responsible for communications and network operations. They are at the center of a network that reaches nearly every securities firm in the U.S. Managing such a far-reaching environment requires accurate configurations, global administration, fault-tolerant implementations, and real-time monitoring and management capabilities.

One of their major challenges is ensuring that only authorized users have access to information and transactions on their systems. This requires authentication of the user (are you who you say you are?), a mechanism for ensuring that users have access only to the information their responsibilities and granted privileges allow, and auditing of user actions. To provide these core security capabilities, and to meet their other security requirements for a standards-based, highly available and extensible solution, SIAC chose DCE/9000 as their foundation technology.

SIAC tested several configurations of memory and CPU to determine which gave the best performance and consistent behavior, and settled on the following configuration. The main cell in SIAC's NYSE operations is the "floor users' cell." This cell includes in its registry all the users who work on the trading floor. The main systems in this cell are the HP 9000 login servers, which control the X-terminals and authenticate the users. At this time there are 28 login servers in the cell, each capable of supporting 100 X-terminals in normal operations, and as many as 200 in emergency situations. The login process can be extended to provide two-factor authentication through the use of SecurID tokens from Security Dynamics. Eight DCE servers running HP-UX version 10.20 are included in the cell: two primary servers running DCE Security Server and CDS, and six for replication. This replication provides redundancy to create a highly available environment and also provides more efficient throughput.

The Entitlement Management System, which is also included in the cell, is the system through which administrators configure the users' accounts and entitlements. It provides a single point of control for all aspects of a user's privileges and ensures consistent administration of all systems. It allows for run-time configuration and access control and enables the auditing of user access to applications such as Network Print Services and the NYSE Wireless Data System (access to Exchange order handling systems).

DCE provides secure access to "floor" and "administrative" users today and positions SIAC well for future projects. In addition to SecurID login, other methods of authentication such as smartcards or biometrics can be incorporated down the road. One of the key success factors in SIAC's implementation was HP services. Involvement from HP's Professional Services Organization and Advanced Technology Center for Distributed Computing helped SIAC architect, configure, and implement DCE/9000 and integrate SecurID with the DCE login subsystem.