Russ’ Personal Glossary

A glossary of frequently used terms and acronyms. Not super well maintained.

A   B   C   D   E   F   G   H   I   J   K   L   M   N   O   P   Q   R   S   T   U   V   W   X   Y   Z

 
ACE access control entry.
ACL access control list.
Active Directory Microsoft's directory service for Windows networks: an LDAP-accessible, Kerberos-authenticated database of users, groups, computers and policy, replicated among the domain controllers of a domain.
ADAM Active Directory Application Mode, a Windows 2003 service in which LDAP runs as a user service rather than as a system service. ADAM addresses requirements of directory-enabled applications that don't need to store their data in AD but could still benefit from the security and authentication AD can offer. For example, an application might have to store a large amount of information that other applications don't need or that doesn't need to be replicated to every domain controller (DC). ADAM uses a separate database that has many of AD's features (e.g., schema, replication, management) but is totally separate from AD. This separate database means that you can have a separate schema for each ADAM instance—a feature that can be useful for testing.
ADFS Active Directory Federation Services is a solution to enable organizations to share a user's identity information securely across organizational boundaries and to connect processes that are using different technologies, identity storage, security approaches and programming models. This technology belongs to Windows 2003 R2 and beyond.
ADM Administrative Template, a file (.adm) that defines registry-based group policy settings and the interface the Group Policy editor presents for them. Settings chosen from a template are written into the GPO's Registry.pol file (the "PReg" format) and applied to the client's Windows registry. Replaced by ADMX/ADML templates from Windows Vista/Server 2008 on.
ADSI Active Directory Service Interfaces, a set of COM interfaces for querying and modifying directory services (Active Directory, generic LDAP, the NT SAM) from scripts and programs; ADSI Edit is the MMC snap-in that uses them to browse and edit raw directory objects.
ADUC Active Directory Users and Computers, the MMC snap-in (dsa.msc) for administering users, groups, computers and organizational units in a domain. The name is also used loosely for the two kinds of object it most often manages: users and the computer hosts on which they consume services through Active Directory.
affinity with respect to a directory, the organization of the accounts relies on properties they have in common. This similarity may be due to departmental structure or geographical location of the people that use the accounts.
Amazon S3 Amazon Simple Storage Service, is a web service that offers to store and retrieve any amount of data at any time anywhere from the Internet. It is designed to make web-scale computing easier for developers.
ARC4 See RC4 below.
ARCFOUR See RC4 below.
ARS ActiveRoles Server, a product from Quest Software, Inc., is installed on a Windows server and uses SQL Server for configuration data and publishing itself as a connection point object within Active Directory. ARS is a cross-platform, roles-based provisioning system and allows additional attributes to be stored for an object. For example, ARS can put a newly hired engineer into all the appropriate groups on all platforms relevant to his or her job description.
ASN Abstract Syntax Notation One (ASN.1) is an international standard (ITU-T X.680 series) whose main purpose is the specification of data structures used in communication protocols between heterogeneous systems; companion encoding rules (BER, DER) define the bytes on the wire. X.509 certificates, Kerberos messages and LDAP protocol messages are all defined in ASN.1. See http://asn1.elibel.tm.fr.
authoritative
   source
in migrating identities from disparate NIS domains, identities from the first source repository are migrated without any changes to their internal identity (ID) and the first repository becomes the authoritative source. In case of ID conflict or mismatch, IDs in all remaining sources are changed to match those in the first source.
CAC Common Access Card, a smartcard issued by the United States Department of Defense (DoD) for active-duty military, civilian employees and contractors.
CAL Client Access License, Microsoft's licensing term for the right of a user or device to access a server product such as Exchange or Windows Server; it is a licensing construct, not an access-control mechanism. VAS does not refer to or use this terminology.
canonical
     name
the distinguished name written in reverse, with the DC components collapsed into a DNS-style domain and the containers that follow separated by slashes; generally a software-internal or display representation, e.g. acme.com/engineering/jim for CN=jim,OU=engineering,DC=acme,DC=com.
Catalina is Tomcat's servlet container and follows Sun Microsystems' specifications for servlets and JSPs.
CIFS Common Internet File System, Microsoft's name for its dialect of SMB (what is now called SMB1). In practice it is another name for SMB.
clock skew In Kerberos, the clocks of the client, the KDC and the application server must agree within a configured tolerance, five minutes by default, or authentication fails with KRB_AP_ERR_SKEW; the limit bounds the window in which a captured authenticator could be replayed. Network Time Protocol (NTP) on all hosts keeps the clocks synchronized.
CN Common Name, a component of a distinguished name (DN).
COM Component Object Model, a Microsoft technology that enables components to communicate, used by developers to create reusable software components, link components together to build applications and take advantage of Windows services like Active Directory.
credential a proof of identity presented and verified during an authentication transaction (a password, certificate or ticket), attached to a user or session. In Kerberos parlance, a credential is a ticket together with the session key that goes with it, kept in a credential cache; the user's long-term key is used only to decrypt the KDC's reply and is never sent over the network. See ticket.
CRUD Create, Read, Update and Delete.
DC usually domain controller, but in distinguished names (DN), DC is the attribute type "domain component", one DNS label per RDN, e.g.: CN=jim,OU=engineering,DC=acme,DC=com for the domain acme.com.
DDL Data Definition Language, a language for defining data structures. SQL is one such language when the programmer uses the CREATE TABLE, ALTER TABLE and CREATE SEQUENCE commands.
DML Data Manipulation Language, a language for retrieving, inserting, deleting and updating data in a database. SQL is such a language when using the SELECT, INSERT, DELETE and UPDATE commands.
DES Data Encryption Standard is a block cipher selected as an official Federal Information Processing Standard (FIPS 46) for the United States in 1976. Its 56-bit key is short enough to be brute-forced with modest hardware (publicly demonstrated in 1998); the standard was withdrawn in 2005 and DES should not be used in new deployments, triple DES and then AES having replaced it. The single-DES Kerberos encryption types are likewise deprecated.
disconnected
   authentication
provisional authentication that stores a password hash from an earlier successful login and uses it to authenticate the user when the network or the domain controllers are unreachable. How long a stored hash remains usable is configurable.
distinguished
   name (DN)
the path string via which each object in Active Directory (or any LDAP directory) is uniquely identified: a comma-separated sequence of relative distinguished names (RDNs) read from the object up to the root, e.g.: CN=jim,OU=engineering,DC=acme,DC=com. The number of components depends on how deeply the object is nested. Not the same thing as an FQDN (see that entry).
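A worked example for the canonical name, DC and DN entries above, added here and not part of the glossary: it splits a DN into RDNs, honouring RFC 4514 backslash escapes so that a comma inside a value does not break the name, and builds the canonical-name form from the result. The function and sample names are this example's own.

```python
# Added example, not from the glossary: parse an LDAP distinguished name into
# its RDNs and derive the Active Directory canonical name from it.  Handles
# RFC 4514 backslash escaping, so a comma inside a value (CN=Smith\, John)
# does not split the name.  Multi-valued RDNs (a=x+b=y) are not handled.

def split_dn(dn):
    """Return [(attribute, value), ...] for a DN, leaf (leftmost RDN) first.

    Attribute types are upper-cased; values keep their case.  Raises
    ValueError on a dangling backslash or an RDN with no '='.
    """
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:                 # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":             # unescaped comma ends the current RDN
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError("dangling backslash in DN")
    parts.append("".join(buf))

    rdns = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((attr.strip().upper(), value))
    return rdns


def canonical_name(dn):
    """Canonical name: the DC components joined with dots form the domain, then
    the remaining RDNs follow root-first, separated by '/'.
    CN=jim,OU=engineering,DC=acme,DC=com -> acme.com/engineering/jim
    """
    rdns = split_dn(dn)
    domain = [v for a, v in rdns if a == "DC"]
    if not domain:
        raise ValueError("DN has no DC components: %r" % dn)
    path = [v for a, v in rdns if a != "DC"]
    return "/".join([".".join(domain)] + path[::-1])


def parent_dn(dn):
    """The container an object lives in: the DN minus its leaf RDN, with
    commas in values re-escaped."""
    rdns = split_dn(dn)[1:]
    return ",".join("%s=%s" % (a, v.replace(",", "\\,")) for a, v in rdns)
```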
DNS Domain Name System, the distributed look-up database that maps domain names to IP addresses and other records; Active Directory clients also rely on its SRV records to locate domain controllers and KDCs.
domain in Active Directory, a centrally-managed group of computers.
domain
   controller (DC)
the server that responds to security authentication requests in the Active Directory domain. See also primary domain controller.
DSE DSA-Specific Entry, in LDAP. The root DSE is the entry with the empty DN that describes the server itself (naming contexts, supported LDAP versions, controls and SASL mechanisms) and can usually be read without binding.
DTD document type definition, is a set of mark-up declarations that define a document type for XML documents. It declares which elements and references may appear in a document of the particular type being created.
ERP Enterprise Resource Planning, a software system that integrates all data and processes of an organization into one making use of plural software components or modules. Central to the software is a single database for keeping data about the various system components.
Facelets is an open-source web template system augmenting JavaServer Faces (JSF). Such a system also guarantees that files consuming it "remain" HTML files and therefore are editable using traditional web designer tools. It can allow one to employ <span />, <input />, etc. tags instead of <h: ... /> tags.
FIPS Federal Information Processing Standards, publicly announced standards developed by the United States Federal government for use by non-military agencies and government contractors. Many of these standards are modified versions of those in use by wider communities like ANSI, IEEE, ISO, etc. Some standards include the two-letter country and other geographic codes, also, requirements for cryptography modules, personal identity verification for U.S. Federal employees and contractors.
firewall a piece of hardware and/or software that sets rules about what network traffic can cross it. These rules typically key on the protocol, the source and destination addresses and the ports in use. VAS, for instance, requires a set of ports by which it reaches the services it depends on, and those must not be blocked; if a host already has the access to Active Directory and its domain controllers that a Windows member needs, the ports VAS needs are open. For VAS specifically, this means 88 (TCP/UDP for Kerberos ticket services), 389 (TCP for LDAP queries, UDP for the CLDAP ping), 464 (TCP/UDP for Kerberos password changes) and 3268 (TCP for Global Catalog access); optionally, 53 (UDP for DNS SRV records) and 123 (UDP for time synchronization with Active Directory). For VGP, port 445 (TCP for Microsoft-DS, i.e. SMB, over which group policy files are read from SYSVOL).
first normal form 1NF is used in database normalization, assuring that a table is a faithful representation of a relation and is free of repeating groups, i.e.: every column holds a single atomic value per row, and there are no repeated "column1, column2, ..." groups of the same kind.

For example, neither of the two following tables is in first normal form: the first because the cars column holds several values in one cell (not atomic), the second because car1, car2 and car3 are a repeating group of the same category (and impose an arbitrary limit of three). Table 2 is therefore not a normalization of table 1, just the same problem in another shape.

Table 1:
  id  name   cars
  5   Russ   Ford Aerostar, Mitsubishi Galant
  9   Jim    Corvette Stingray
  2   Chuck  Chrysler 300, VW Beetle, Ford Aerostar

Table 2:
  id  name   car1               car2               car3
  5   Russ   Ford Aerostar      Mitsubishi Galant
  9   Jim    Corvette Stingray
  2   Chuck  Chrysler 300       VW Beetle          Ford Aerostar

Normalization necessarily involves the creation of one or more additional tables, here a person table and a car table whose name_id refers back to the person's id, one row per car:

  id  name
  5   Russ
  9   Jim
  2   Chuck

  name_id  car
  5        Ford Aerostar
  5        Mitsubishi Galant
  9        Corvette Stingray
  2        Chrysler 300
  2        VW Beetle
  2        Ford Aerostar
forest the collection of all objects and their attributes and rules in Active Directory. It is named "forest" because it holds one or more trust-linked trees, allowing users in one domain to access resources in another domain.
FQDN Fully Qualified Domain Name, a DNS host name written out to the root, such as unix1.engineering.acme.com, as opposed to the bare host name unix1. Not to be confused with a distinguished name (DN), which is the LDAP path form CN=jim,OU=engineering,DC=acme,DC=com.
FSMO Flexible Single Master Operations. A multimaster-enabled database such as Active Directory provides the flexibility of allowing changes at any domain controller in the enterprise, but also gives rise to the possibility of conflicts and the need to resolve them, especially for certain tasks. Collectively, the FSMO roles cover the operations for which last-writer-wins multimaster replication is ill adapted, to wit: schema update and modification (schema master), domain naming (addition or removal of domains in the forest; domain naming master), relative ID assignment (the RID master hands each DC the pool from which it builds new SIDs), infrastructure maintenance (the infrastructure master keeps cross-domain references, i.e. the GUID, SID and DN of objects referenced from other domains, up to date), and primary domain controller (PDC) emulation. Each role is held by exactly one DC at a time; the first two are forest-wide, the other three per domain. This is the single-master model retained inside Windows 2000/2003 Active Directory.
GC Global Catalog.
GDM GNOME Display Manager, an alternate display manager for the X Window System.
GECOS (also in lower case), a field in the Unix /etc/passwd file that contains general information about the user including things like full name, telephone number, etc., depending completely on the host implementation.
GID group identifier, broad term referring to the underlying number that identifies a group of users or other objects in a directory service.
gid group identifier as the standard C library sees it, represented by the gid_t type, identifying a Unix group.
GPMC Group Policy Management Console, a Microsoft tool for creating GPOs in the Microsoft Management Console.
GPO Group Policy Object, the unit in which group policy settings are stored: a directory object (the group policy container, under CN=Policies,CN=System in the domain) paired with a folder of files (the group policy template) in the domain's SYSVOL share, both named by the GPO's GUID. The GPO is a collection of settings that define what a system looks like and how it behaves for the users and computers it applies to. A GPO is created with the Group Policy Management Console (see above) and linked to a container such as a site, domain or organizational unit (OU); the objects in that container inherit it. GPOs are very powerful and can be used even to distribute software and updates à la Tivoli (IBM). See also group policy.
group policy a Microsoft technology that reduces the cost of supporting Windows users by providing centralized management of computers and users in Active Directory. Group policy controls various aspects of a computer or user session, including security policy, software installation, logon scripts, folder redirection and registry-based software settings. Such policies are stored in group policy objects (GPOs).
GSS Generic Security Service, an API (GSS-API) offering authentication, integrity and confidentiality services atop interchangeable underlying mechanisms such as Kerberos. Per RFC 1508/1509 (now RFC 2743/2744), the GSS-API allows a caller application to authenticate a principal identity associated with a peer application, to delegate rights to a peer, and to apply security services such as confidentiality and integrity on a per-message basis.
GUID Globally unique Identifier a number, address or other cookie used to represent an object uniquely in a directory service, file system, etc. In Active Directory, the GUID is a unique, unchanging 128-bit string used for search and replication.
IKE Internet Key Exchange is the protocol used to set up a security association in the IPsec protocol suite.
IPsec IP Security, a set of protocols developed by the Internet Engineering Task Force (IETF), an open international community of researchers, designers, vendors and operators concerned with the evolution and smooth operation of the Internet, to authenticate and encrypt packets at the IP layer (the AH and ESP protocols). Before traffic can flow, the two endpoints must establish a security association with shared symmetric keys; this is done with IKE (running over ISAKMP), which authenticates the peers by a pre-shared key or by digital certificates and derives the session keys through a Diffie-Hellman exchange. The peers do not need to "share a public key": each proves its own identity, and the traffic keys are negotiated.
IWA Integrated Windows Authentication, Microsoft's name (in IIS and Internet Explorer) for authenticating an HTTP client with its Windows logon credentials instead of a form or Basic authentication, using NTLM or, through SPNEGO ("Negotiate"), Kerberos. Formerly labelled NT LAN Manager (NTLM) authentication (not the LAN Manager network product). NTLM itself is a weak challenge-response scheme. VAS does not support it.
Jasper the JSP engine in Tomcat that compiles JavaServer Pages (JSP) into Java servlet code which Catalina can execute.
JDBC Java database connectivity is an API for accessing databases from Java, oriented toward relational databases.
JNDI Java naming and directory interface is an API for a directory service allowing Java software clients to discover and look up data and objects via a name.
joining describes the action of a Unix or Linux workstation being incorporated into an Active Directory domain via the vastool join command.
JSF JavaServer Faces is a Java-based web-application framework intended to simplify web-based user interfaces, particularly, as an enhancement over Struts and over JSP. JSP caused Java code to be strewn throughout the public-facing web page sometimes exposing business logic. Struts suffered from an awkward "action" servlet. JSF introduces the concept of managed beans, also called backing beans or page beans, that implement what might have been done in-page in JSP. This system is also seen as advanced beyond how Struts does it.
JTA Java transaction API is a JEE API for implementing distributed transactions across multiple resources in Java.
KDC Key Distribution Center, in Kerberos, part of a cryptosystem to reduce the intrinsic risk of exchanging keys, basically consisting of the authentication server (AS) and the ticket-granting server (TGS). Communication to the KDC is done in UDP and TCP via port 88.
KDM KDE Display Manager, a graphical interface that is the K desktop environment replacement for the default X Window System display manager.
Kerberos a computer network authentication protocol that lets parties prove their identities to one another over an insecure network like a LAN or the Internet, using tickets issued by a trusted third party, the KDC. Guards against eavesdropping and replay attacks (long-term keys never travel; authenticators carry timestamps). There are different Kerberos encryption types including DES and ARC4 (RC4-HMAC), the latter being the stronger of those two as well as the default in VAS since release 2.6 SP4; the AES types (RFC 3962) are preferred where both sides support them.
keytab a file holding one or more principals' long-term keys (each with its kvno and encryption type), used by services and scripts to authenticate to the KDC without a password being typed. Because a keytab is equivalent to the password it replaces, it must be readable only by the account that needs it.
kvno In Kerberos, the Key Version Number, incremented each time a principal's key is changed. A service ticket is encrypted under a specific version of the service's key and carries that kvno; the key stored in the service's keytab must have the same version or the ticket cannot be decrypted (a stale keytab after a password change is the usual cause).
LAM Loadable Authentication Module, IBM's precursor to PAM on the AIX (Unix) operating system. VAS provides a LAM-based implementation on AIX. LAMs are configured in /usr/lib/security/methods.cfg.
LDAP Lightweight Directory Access Protocol, a networking protocol for reading and writing a directory service over TCP/IP (port 389, or 636 for LDAP over TLS). Its data model is derived from X.500: a tree of entries, each with a distinguished name and a set of attributes with values, constrained by a schema. Simple deployments name the tree after a DNS domain (DC=acme,DC=com at the top); full-scale directories add a hierarchy of organizational units and hold everything from printers and documents to people, groups and company divisions. See RFC 2251 and RFC 3377 (since superseded by RFC 4510 and its companions).
LVD Local Virtual Directory.
MAC Media Access Control address (MAC address) or Ethernet Hardware Address (EHA), hardware address, adapter address or physical address is a quasi-unique identifier assigned to most network adapters or network interface cards (NICs) by the manufacturer for identification. If assigned by the manufacturer, a MAC address usually encodes the manufacturer's registered identification number.
Mapped User feature allowing users on the local host to authenticate against Active Directory while taking their identity and Unix attributes from local files like /etc/passwd, /etc/group, etc. It is implemented by replacing the 'x' placeholder in those files with the user principal name (UPN) or by creating a local-to-AD user map file and specifying the location of that file in /etc/opt/quest/vas/vas.conf. This feature was formerly known as Personality Service Switch (PSS).
MIIS Microsoft Identity Integration Server, a server that manages the flow of data between all connected data sources and automates the process of updating identity information (e.g.: of employees, etc.) in the implementing environment.
MIME Multipurpose Internet Mail Extensions, an Internet standard that extends the format of e-mail to support:
  • Text in character sets other than ASCII
  • Non-text attachments
  • Message bodies with multiple parts
  • Header information in non-ASCII character sets
MIME has since outgrown mere e-mail content: its media types (text/html, application/json, etc.) describe Internet content types in general, in HTTP for example.
MMC Microsoft Management Console, for which Vintela has a snap-in whose effect is visible when browsing users or groups and getting their properties. For example, the MMC allows the creation of GPOs that define registry-based policies, security options, and software installation and maintenance options. A GPO is created via the Group Policy Management Console (GPMC), an MMC plug-in.
MOM Microsoft Operations Manager, an event and performance management element of Microsoft's Windows Server System. MOM monitors servers and workstations interconnected by a network; applications such as Active Directory, SQL Server, Exchange Server and even MOM itself can be monitored by it. Sort of a network-wide syslog facility with alerting.
_msdcs the DNS subdomain (zone) under an Active Directory domain name, e.g. _msdcs.acme.com, in which domain controllers register Microsoft-specific SRV and CNAME records, such as _ldap._tcp.dc._msdcs.acme.com and the per-DC GUID records used by replication. Active Directory relies on DNS and LDAP like many others, and this zone is how its services fit into the larger, standard picture. To log into a Windows domain you need a Windows domain controller, which uses LDAP to query Active Directory for the account at login; by querying _msdcs, Windows clients get a Windows DC and not a foreign LDAP server such as one on Linux, which would not be listed in this special zone.
multihomed (or, multi-homed) describes a host with more than one network address, whether two addresses on one network interface card (NIC) or several NICs attached to one or more networks. Variants include redundant addresses across NICs for fail-over, and the details depend heavily on the address family (IPv4, IPv6). Multihomed hosts complicate DNS registration (which name and address a client resolves) and therefore host-name-based authentication such as Kerberos host principals. See the Wikipedia article.
NAS network-attached storage, file-level data storage connected, often remote, but not appearing as a local volume/disk. This is in opposition to storage area network (SAN).
nscd Name Service Caching Daemon, provides a cache for the most common name service requests on Linux and Unix from the passwd, group and hosts databases through standard C library interfaces including getpwnam, getpwuid, getgrnam, getgrgid, gethostbyname and others. Its configuration file is at /etc/nscd.conf.
"native mode" Native Active Directory mode (Windows 2000 terminology; Windows 2003 generalized it into domain and forest functional levels) means every domain controller in the domain runs Active Directory, with no Windows NT 4.0 backup domain controllers left to replicate to. Each higher level (Windows 2000 native, Windows Server 2003) unlocks features that older domain controllers cannot support, such as universal groups, nested group membership and SID history, so a domain that still contains older DCs is limited to the common subset. Not being in native mode has ramifications for various components, e.g.: domain local groups are not added to the PAC of the Kerberos ticket, so that group membership is not available.
NIS Network Information Service, a Unix client-server directory service protocol, originally Sun Microsystems' "Yellow Pages" (hence the yp* command names), that provides centralized distribution of many types of network objects including users, groups, hosts and netgroups. NIS arose as a solution to each Unix host having its own /etc/passwd and /etc/group files as the resident authority on users and groups when these notions needed to be extended over a network. NIS domains are flat (no hierarchy), the protocol has no authentication (any host that can reach the server can dump the maps, password hashes included), and individual NIS map entries are limited to 1024 bytes.
NIS+ Beyond Network Information Service (see the entry above), with new features and changed conventions. In NIS+, dots (the period character '.') are prohibited in machine names and in all usernames. Domains are hierarchical. In a nod to the Windows world, names and commands are not case sensitive. DES-based (Secure RPC) authentication is used. There is no maximum size for records in NIS+ tables. The client chooses the information source from among NIS, NIS+, DNS or the local /etc files. NIS+ is not supported by VAS.
NSS Name Service Switch; the interface, configured in /etc/nsswitch.conf, that controls how look-ups are done for users (/etc/passwd), groups (/etc/group), hosts (/etc/hosts), etc. For example, getpwnam goes through NSS, which is extensible and configurable (just as PAM is), to reach in turn local files, vasd, NIS or LDAP, in the order the configuration file lists them.
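A worked example for the NSS, GECOS and Mapped User entries, added here and not taken from the glossary or from VAS: it parses an nsswitch.conf fragment to show the lookup order NSS will follow, parses passwd(5) lines including the GECOS subfields, and flags the users whose password field carries a UPN rather than 'x', which the Mapped User entry describes as the marker for local users authenticated against Active Directory. Treating any password field containing '@' as such a UPN, the source name "vas" in the sample configuration, and all sample lines are this example's own assumptions.

```python
# Added example, not from the glossary or from VAS: nsswitch.conf lookup order,
# passwd/GECOS parsing, and detection of users mapped to Active Directory.
import pwd

NSSWITCH_SAMPLE = """\
# constructed /etc/nsswitch.conf fragment; "vas" is a placeholder module name
passwd:   files vas nis
group:    files vas nis
hosts:    files dns [NOTFOUND=return] nis
"""

PASSWD_SAMPLE = """\
# constructed /etc/passwd fragment
root:x:0:0:root:/root:/bin/bash
jim:x:1001:1001:Jim Jones,Bldg 4 Rm 12,555-1234,555-9876:/home/jim:/bin/bash
russ:russ@ACME.COM:1002:1002:Russ Bateman:/home/russ:/bin/zsh
"""


def parse_nsswitch(text):
    """Return {database: [source, ...]} in the order NSS will try them.
    Action specifiers such as [NOTFOUND=return] stay in the list as written,
    since they change how the order behaves and a reader should see them."""
    order = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        db, sep, sources = line.partition(":")
        if not sep:
            raise ValueError("no ':' in nsswitch line: %r" % line)
        order[db.strip()] = sources.split()
    return order


def parse_passwd(text):
    """Parse passwd lines into dicts, splitting GECOS into its conventional
    comma-separated subfields (full name, office, office phone, home phone)."""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("expected 7 colon-separated fields: %r" % line)
        name, pw, uid, gid, gecos, home, shell = fields
        sub = (gecos.split(",") + [""] * 4)[:4]
        mapped = "@" in pw                 # assumption: a UPN in the password slot
        users.append({"name": name, "uid": int(uid), "gid": int(gid),
                      "full_name": sub[0], "office": sub[1],
                      "office_phone": sub[2], "home_phone": sub[3],
                      "home": home, "shell": shell,
                      "ad_mapped": mapped, "upn": pw if mapped else None})
    return users


def mapped_users(text):
    """Names of users whose authentication is mapped to Active Directory."""
    return [u["name"] for u in parse_passwd(text) if u["ad_mapped"]]


def live_lookup(name):
    """The real thing: getpwnam() goes through NSS in the configured order, so
    one call serves files, vasd, NIS or LDAP alike.  Returns None if unknown."""
    try:
        return pwd.getpwnam(name)
    except KeyError:
        return None
```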
NTLM NT LAN Manager, see Integrated Windows Authentication (IWA). This is not to be confused with the LAN Manager product that briefly rivaled Novell NetWare in the early 1990s.
NTP Network Time Protocol, the protocol by which hosts synchronize their clocks to a time server (and servers to each other) so that all keep the same notion of time; in an Active Directory domain the PDC emulator is the default time source for the domain.
OU Organizational Unit, a component of the distinguished name (DN) in X.500 parlance. Objects held in a domain are grouped into containers called organizational units (OU) that give a domain hierarchy, ease administration and can mirror the structure of a company's organization and/or geography. An OU can hold other, nested OUs. The OU is the common level at which group policy is applied, called Group Policy Objects in Active Directory (although policies can be applied at the domain and site level).
ORM Object-relational Mapping, is a programming technique for converting data between incompatible type systems in relational databases and object-oriented programming languages like Java.
PAC Privilege Attribute Certificate, a Microsoft extension to Kerberos carried in the authorization-data field of a ticket; it lists the user's SID, group SIDs and related logon data so that Kerberized services can make access-control decisions without a further directory lookup.
PAM Pluggable Authentication Module; an architecture and shared libraries created by Sun Microsystems for the Solaris operating system that permits intervention into and specialization of the authentication process. PAMs are configured in /etc/pam.conf or in individual files off /etc/pam.d/.
PDC Primary Domain Controller, an NT concept, emulated on Windows 2000/2003, that performs a number of crucial tasks in an enterprise including time synchronization, password replication, recording of password failures, account lock-out and modification or creation of group policy objects (GPOs). The PDC is the most heavily used of all flexible single master operation (FSMO) roles and has the widest range of functions.
personality
   container
an Active Directory Organizational Unit (OU) designated to contain Unix user and group personalities. Unix clients specify a Unix personality container (vastool join -p) in order to join the domain in Unix Personality Management (UPM) mode.
personality
   scope
the set of containers consisting of the personality container and all shared containers referenced by the personality container.
PKI public key infrastructure; the arrangement of certification authorities, registration, issuance and revocation by which a trusted third party vouches for the binding between an identity and a public key, normally by placing the key in an X.509 certificate. The certificate format and path validation are standardized (X.509, RFC 5280), but PKI deployments and products vary widely.
POJO or "plain old Java object". A class that doesn't follow any special convention, model or framework, but is just written in Java. While it could (and does) mean just any piece of Java code that doesn't make use of special features or APIs outside a subset of primitive Java library functionality, nowadays, POJO is most frequently applied to simple beans and other code consumed from frameworks such as JSF, Hibernate and Spring, but which, in contrast, does not do anything framework-related itself. A managed bean in JSF is a POJO; the bean that defines the row in a database table is a POJO.

POJO was created more or less in opposition to Enterprise JavaBean (EJB), which is a specialized, server-side component within the EJB architecture.
principal or "principal name". In Kerberos, the name of an entity (user, host or service) that can authenticate, written name@REALM or service/host@REALM. Basically a simple account: the KDC's database holds, for each principal, its long-term key (derived from the password for users) and related attributes, with the stored keys encrypted under the KDC's master key.
PSS Personality Service Switch. This term is obsolete: see Mapped User.
RACF Resource Access Control Facility, IBM software that provides access control by identifying and verifying users to the system, authorizing access to protected resources, logging detected, unauthorized attempts to enter the system and detected, unauthorized attempts to access protected resources. RACF is available as a separate program for the IBM MVS and VM operating environments.
RC4 (pronounced /arcfour/) a stream cipher, at one time the most widely used, found in protocols such as secure sockets layer (SSL)/TLS, WEP and Microsoft's Kerberos RC4-HMAC encryption type. RC4 expands a key into a pseudorandom stream of bytes that is XOR'd with the plaintext; decryption is the same XOR. A keystream must never be reused (same key, no per-message nonce), since the XOR of two such ciphertexts is the XOR of the plaintexts. In Kerberos, RC4-HMAC is stronger than single DES, but RC4 itself has known statistical biases and is prohibited in TLS (RFC 7465); AES should be preferred where available.
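A worked example for the RC4 entry, added here and not part of the glossary: the key-scheduling and keystream-generation steps, the XOR that makes encryption and decryption the same operation, and the keystream-reuse failure, shown as a known-plaintext recovery of a second message. The function names are this example's own; the test vectors are the published ones for "Key"/"Plaintext", "Wiki"/"pedia" and "Secret"/"Attack at dawn".

```python
# Added example, not from the glossary: RC4 KSA + PRGA, the XOR step, and a
# demonstration of what keystream reuse leaks.  RC4 is shown for understanding;
# it is not a cipher to deploy today.

def rc4_keystream(key):
    """Generator yielding RC4 keystream bytes for `key` (bytes, 1..256 long)."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 keys are 1..256 bytes")
    # Key-scheduling algorithm (KSA): permute 0..255 under the key.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA): keep swapping and output.
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key, data):
    """Encrypt or decrypt (same operation): XOR data with the keystream."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def keystream_reuse_leak(key, p1, p2):
    """Two messages under the same key share the keystream, so c1 XOR c2 equals
    p1 XOR p2 with the key cancelled out.  Given p2 (known plaintext) this
    recovers p1 from the ciphertexts alone; returns the recovered p1."""
    c1, c2 = rc4(key, p1), rc4(key, p2)
    n = min(len(c1), len(c2))
    xored = bytes(a ^ b for a, b in zip(c1[:n], c2[:n]))   # = p1 XOR p2
    return bytes(a ^ b for a, b in zip(xored, p2[:n]))
```

Note that keystream_reuse_leak never touches the key after producing the ciphertexts: that is the whole point, and why protocols using RC4 (WEP most famously) had to bolt per-message nonces onto the key.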
realm a Kerberos term that usually maps to an Active Directory domain, not because they are the same thing, but because for implementation, it is a natural alignment.
RFC 1509 specifies the Generic Security Service API C Bindings.
RFC 1630 specifies universal resource identifiers (URI) in the World-wide Web.
RFC 1738 specification for uniform resource locators (URL), including the mailto scheme.
RFC 2222 specifies the SASL Internet-standard protocol; now obsoleted by RFC 4422.
RFC 2251 entitled, Lightweight Directory Access Protocol (LDAP), with RFC 3377, specifies this Internet-standard protocol.
RFC 2254 entitled, The String Representation of LDAP Search Filters, specifies the syntax of search filters for use with an LDAP server in human-readable (string) form. The vastool search command takes an argument of this format. The following are examples of search filters; more can be found in the RFC:
	(cn=Matt Peterson)
	(|(objectclass=container)(objectclass=organizationalunit))
	(o=univ*of*mich*)
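A worked example for the RFC 2254 entry, added here and not taken from the glossary or from any LDAP library: a small parser for the string filter form and a matcher that evaluates the parsed filter against in-memory entries, run over the three filters quoted above. It covers and/or/not, equality, presence (attr=*), substring patterns and the >= / <= orderings; escape sequences (\2a), approximate match (~=) and extensible match are left out, and the ordering comparisons are plain string comparisons where a real server would apply the attribute's ordering rule. The sample entries are constructed and not from a real domain.

```python
import re

# Added example, not from the glossary: RFC 2254 filter parser and matcher.
# Attribute names and values compare case-insensitively, as LDAP does for the
# common string syntaxes.

_ITEM = re.compile(r"([A-Za-z][\w.;-]*)(>=|<=|=)(.*)", re.S)


def parse_filter(text):
    """Parse a filter string into a tuple tree, e.g.
    (&(objectclass=user)(cn=j*)) ->
    ('&', [('eq', 'objectclass', 'user'), ('substr', 'cn', ['j', ''])])"""
    s = text.strip()
    node, pos = _parse(s, 0)
    if pos != len(s):
        raise ValueError("trailing text after filter: %r" % s[pos:])
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i >= len(s):
        raise ValueError("unterminated filter")
    op = s[i]
    if op in "&|":                       # n-ary and / or
        kids, i = [], i + 1
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        return (op, kids), _close(s, i)
    if op == "!":
        kid, i = _parse(s, i + 1)
        return ("!", kid), _close(s, i)
    j = s.find(")", i)                   # simple item: attr op value
    if j < 0:
        raise ValueError("missing ')' in filter item")
    m = _ITEM.match(s[i:j])
    if not m:
        raise ValueError("malformed filter item: %r" % s[i:j])
    attr, cmp_, value = m.group(1).lower(), m.group(2), m.group(3).lower()
    if cmp_ != "=":
        return (cmp_, attr, value), j + 1
    if value == "*":
        return ("present", attr), j + 1
    if "*" in value:
        return ("substr", attr, value.split("*")), j + 1
    return ("eq", attr, value), j + 1


def _close(s, i):
    if i >= len(s) or s[i] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return i + 1


def _substr_match(parts, value):
    """parts is the pattern split on '*': a leading piece, middle pieces that
    must appear in order, and a trailing piece (either may be empty)."""
    head, tail, mids = parts[0], parts[-1], parts[1:-1]
    if len(value) < len(head) + len(tail):
        return False
    if not value.startswith(head) or not value.endswith(tail):
        return False
    pos, end = len(head), len(value) - len(tail)
    for mid in mids:
        k = value.find(mid, pos, end)
        if k < 0:
            return False
        pos = k + len(mid)
    return True


def matches(node, entry):
    """Evaluate a parsed filter against one entry ({attribute: [values]})."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    attr = node[1]
    values = [str(v).lower() for k, vs in entry.items()
              if k != "dn" and k.lower() == attr for v in vs]
    if kind == "present":
        return bool(values)
    if kind == "eq":
        return node[2] in values
    if kind == "substr":
        return any(_substr_match(node[2], v) for v in values)
    if kind == ">=":
        return any(v >= node[2] for v in values)
    return any(v <= node[2] for v in values)     # "<="


def search(entries, filter_text):
    """Return the DNs of the entries matching the filter, in input order."""
    node = parse_filter(filter_text)
    return [e["dn"] for e in entries if matches(node, e)]


SAMPLE_ENTRIES = [   # constructed directory data, not a real domain
    {"dn": "CN=Matt Peterson,OU=engineering,DC=acme,DC=com",
     "objectClass": ["top", "person", "user"], "cn": ["Matt Peterson"],
     "o": ["University of Michigan"], "uidNumber": ["1001"]},
    {"dn": "OU=engineering,DC=acme,DC=com",
     "objectClass": ["top", "organizationalUnit"], "ou": ["engineering"]},
    {"dn": "CN=Users,DC=acme,DC=com",
     "objectClass": ["top", "container"], "cn": ["Users"]},
]
```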
RFC 2307 entitled, An Approach for Using LDAP as a Network Information Service (NIS), defines a protocol for the Internet for mapping TCP/IP and UNIX entities into X.500 entries in order for them to be resolved using LDAP.
RFC 2396 specifies the generic syntax of uniform resource identifiers (URI).
RFC 2478 The Simple and Protected GSS-API Negotiation Mechanism (SPNEGO); since obsoleted by RFC 4178.
RFC 3244 protocols for changing and setting Kerberos passwords on Windows 2000 and later platforms.
RFC 3377 the technical specification for LDAP.
RFC 4120 specifies the Kerberos network authentication service.
RFC 4422 now specifies the SASL Internet-standard protocol obsoleting RFC 2222.
RPC Remote Procedure Call, a protocol that permits one computer to cause execution of code on another, physically separate computer. Sun Microsystem's Secure RPC is an implementation whose goal is to make this process safe by using a combination of public and secret key cryptography.
Samba a free software implementation of Microsoft's networking protocol (see SMB) that runs on Unix and Linux systems and is capable of integrating with an Active Directory (Windows) domain as either a primary domain controller or as a domain member.
SAM Security Account Manager, the local account database of a Windows system (and, on NT-era domain controllers, the domain's), holding user names, SIDs and password hashes; roughly the Windows equivalent of the Unix /etc/passwd and /etc/shadow files. Domain accounts moved out of the SAM into Active Directory with Windows 2000.
SAN Storage area network, an architecture for attaching remote storage devices (disk arrays, tape libraries, optical jukeboxes, etc.) to servers in such a way that to the operating system these appear as locally attached. This is in opposition to network-attached storage (NAS) where it is clear that the storage is remote.
SAP Systems, Applications and Products in Data Processing (SAP) is German corporation with a branch in the United States. Its R/3 integrated suite of applications and ABAP/4 Development Workbench became popular starting around 1993. In documents, SAP refers to the software product of the company by the same name.
SASL Simple Authentication and Security Layer, a framework for authentication and data security in connection-oriented Internet protocols (LDAP, IMAP, SMTP and others), created by John Myers at Carnegie Mellon University. See RFC 2222, now obsoleted by RFC 4422 (a Proposed Standard).
schema in a directory or database, the plan and relationship of the pieces of information to be held as useful to the implementation. For instance, a user in a directory may be required to have associated information such as a telephone number, password and preferred login shell. A printer may have a network address or description.
SFU Microsoft Services for UNIX, an interoperability toolkit that enables Windows and UNIX clients and servers to share network resources, integrate account management, simplify cross-platform management and full UNIX scripting and application execution environments running natively on Windows.
shared
   container
a Unix personality container may refer to other organizational units (OUs) or containers, called "shared containers". Multiple personality containers may refer to the same shared container. Any Unix-enabled users, groups or personality objects in secondary containers are considered valid for any Unix computers joined to a Unix personality container in Active Directory.
SID Security Identifier, the variable-length value (written S-1-5-21-...-RID) that uniquely identifies a user, group or computer in Windows; the trailing relative identifier (RID) comes from a pool allocated to the issuing DC by the domain's RID master.
smartcard any pocket-sized card with embedded circuits containing memory or microprocessor and tamper-resistant properties to provide security services.
SMB Server Message Block, the network protocol used by DOS and Windows for sharing files, directories, printers and other devices, and also the transport (via named pipes) for the RPC traffic behind domain trust and logon operations. It originally ran over NetBIOS and, since Windows 2000, runs directly over TCP port 445. CIFS (Common Internet File System) is a synonym for SMB. Samba is an implementation of SMB.
SOAP Simple Object Access Protocol, a platform-independent protocol based on XML for exchanging structured information in the implementation of web services.
SOX Sarbanes-Oxley Act, reference to legislation enacted, in response to recent and spectacular financial scandals, to protect shareholders and the general public from accounting errors and fraudulent practices. The act is administered by the Securities and Exchange Commission, which sets deadlines for compliance and publishes rules on requirements. SOX defines which records are to be stored and for how long. It also affects IT departments whose job it is to store electronic records.
SPML Service Provisioning Markup Language, an XML-based framework developed by OASIS (Organization for the Advancement of Structured Information Standards) for exchanging user, resource and service provisioning information between cooperating organizations. Service provisioning refers to the preliminary preparations held ready by an IT organization to carry out a specific activity like user startup, maintenance or termination (setting up and revoking passwords, access to services and applications, etc.) and any other organizational activity.
SPN Service Principal Name, the principal name of a network service (as different from a user or group).
SQL Structured Query Language, a database language designed for the retrieval and management of data in relational database management systems (RDBMS). See Data Definition Language (DDL) and Data Manipulation Language (DML).
SPNEGO Simple and Protected GSS-API Negotiation, a mechanism for peers to determine which GSS-API mechanisms they share, select one and then establish a security context with it. See RFC 2478. Sometimes pronounced /spengo/.
SSH Secure SHell, a network protocol that exchanges data over a secure channel. ssh is typically used to work between remote hosts. By default, an SSH server listens on TCP port 22.
SSO Single Sign-on, specialized form of software that facilitates a user logging in only once while subsequently accessing software resources that normally each require separate authentication. Also termed more formally enterprise reduced sign-on with the admission that absent a truly unified or homogeneous IT infrastructure, every last instance of re-authentication cannot be eliminated.
Struts Apache Struts sought to overcome some of the awkwardness of JavaServer Pages (JSP), which exposed business logic and was very unhelpful in maintaining model-view-controller separation. Struts had an awkward sort of "action" servlet approach in its search to remove Java code intermingled with HTML (as done in JSP). Technologically, Struts is superseded by JavaServer Faces (JSF) and Spring MVC.
TAM Tivoli Access Manager, a product of IBM, audits application and platform activity to guard against malicious or fraudulent behavior. Combines a firewall with user tracking.
tenured generation is a reference to garbage collection in Java which is divided between "young" and "tenured." See young generation.
TGS Ticket-granting Server, part of a key-distribution server (KDC).
TGT Ticket-granting Ticket, the initial ticket given by the Kerberos authentication server permitting the TGS to be contacted.
ticket a voucher that isn't easily forged and proves that the bearer has properly applied for authentication to a service. In Kerberos parlance, a message containing a random key, the same one that was passed in the credential, plus the user's name, the whole being encrypted using the service's long-term key. Tickets obviate the inconvenience of using a password in that they can be supplied to different services rather than performing separate authentication of the password with each service. See credential.
Tomcat or Apache Tomcat or Jakarta Tomcat is a servlet container from the Apache Software Foundation that provides a "pure" Java web server container that can execute Java code. Tomcat is often run in concert with Apache's httpd web server written in C.
transient a Java keyword indicating a variable (member field, local, etc.) that must not be serialized; its value is not written out, so it always holds the default value after deserialization.
tree holds one or more domains linked in a trust hierarchy. The root of every tree has a two-way trust with the root domain of the forest in which it lives.
UDDI Universal Description, Discovery and Integration, a platform-independent XML-based registry for businesses worldwide to list themselves on the Internet. A registration consists of white pages (address or contact), yellow pages (industrial categorization), and green pages (information about a business' offered services).
UDT User-defined Type, an SQL term.
UID User Identity, broad term referring to the underlying number that identifies a user in a directory.
uid User Identity, standard C library object, represented by uid_t, identifying a single user.
UNC Universal (or Uniform) Naming Convention, originally a Microsoft notion, specifies a common syntax for describing the location of a resource be it file, directory, printer, etc. On Windows, this takes the form of \\computer-name\shared-folder\resource-name. However, Unix and Linux break this because of the long-standing practice of folding two slashes into one (that predates DOS and certainly Windows). Therefore, Unix uses computer-name:/shared-folder/resource-name. A common example is the location argument to the scp application:
    # scp local-file user@computer.domain.com:/home/user
UNIX the UNIX operating system definition; UNIX® is a trademark owned by the Open Group (originally belonging to UNIX System Laboratories, a division of Bell Laboratories, Inc., owned by American Telephone and Telegraph, Inc.), a system fully conformant to the Open Group's Single UNIX Specification.
Unix generic reference to UNIX or a UNIX-like operating system which may or may not be fully conformant to the Single UNIX Specification.
UPM Unix Personality Management, the capability of VAS to allow for the definition of alternative personalities for Unix and Linux systems, groups or users associated with specific organizational units (OUs). It allows users of VAS to benefit from Active Directory (AD) authentication and password policies without requiring a re-permission of conflicting system resources. This is a key capability as organizations migrate to AD-based authentication, but are unable to reconcile UID/GID conflicts between Unix systems.
UPN User Principal Name, or user login name, e.g., jim@acme.com.
URI Universal Resource Identifier, broad term referring to a syntax by which names and addresses of objects on the Internet are specified. Includes both URLs and URNs as two types of URIs. See RFC 1630 and 2396.
URL Universal Resource Locator, see RFC 1738.
URN Universal Resource Name.
VSJ Vintela single sign-on to Active Directory product for J2EE.
VAS Vintela Authentication Services product, now dubbed Quest Authentication Services or QAS.
Vintela a company owned by Quest Software, Inc.
VMX Vintela SMS Management Server product.
volatile a Java keyword indicating a variable (member field, local, etc.) that will be accessed (read and modified) by multiple threads. It will never be cached thread-locally, and acts as if enclosed in a synchronized block (there is even a barrier lock used beginning in Java 5).
web service an application converted to be of general or specific service to users on the Internet or a LAN. The conversion consists of mounting the application in a framework defined by WSDL using SOAP and, perhaps, UDDI so that users can access it.
WebDAV Web-based Distributed Authoring and Versioning, a set of extensions to HTTP allowing users to edit and manage files collaboratively on the World Wide Web. Documenting this effort is RFC 2291.
WSDL Web Services Description Language, an XML-based language that provides a model for describing web services.
-Xmn specifies how much (virtual) space the "young generation" is allowed to consume on the (ordinary) heap. Properly tuning this can reduce the overhead of garbage collection, improving response time and throughput. The proper setting is approximately 25% of the total heap size. Sample setting:
    -Xmn256m
-Xms specifies the original (starting, virtual) size for the ordinary heap in Java, the heap that holds application objects. Sample setting:
    -Xms256m
-Xmx specifies the maximum (virtual) size for the ordinary heap in Java, the heap that holds application objects. This must never exceed the actual total of physical memory on the computer host. Sample setting:
    -Xmx1024m
-XX:MaxPermSize specifies the maximum virtual size for the permanent generation heap, the heap that holds classes including methods. (It's the ordinary heap in Java that holds application objects.) When encountering excessive garbage-collection times, increasing this might solve the issue. Because it's a maximum, increasing this value is safe even if it is not known that an application will actually need that much.

Note that when debugging, permanent memory behaves differently: the JDK may fail to collect permanent memory in some cases, such as when some code introspects a class with a primitive array (like byte[]). This can cause permanent space to run out. Sample setting:
    -XX:MaxPermSize=512m
-XX:PermSize specifies the initial virtual size for the permanent generation heap, the heap that holds classes including methods. (It's the ordinary heap in Java that holds application objects.) Sample setting:
    -XX:PermSize=128m
young generation is a reference to garbage collection in Java, which is divided between "young" and "tenured." Most of an application's allocations are made in the young generation, which is optimized for objects that have a short lifetime relative to the interval between collections. Objects that survive several collections in the young generation are promoted to "tenured." The young generation is typically smaller and collected more often.