The COM for OpenVMS Service Control Manager enables COM for OpenVMS.
Process name: DCOM$RPCSS
Requires: OpenVMS Registry, OpenVMS (RPC and SSPI/NTLM layers)
Required by: COM applications
Configured by: DCOM$SETUP. See Section 6.2.
Started by: DCOM$SETUP, option 4. See Section 6.2.
Shutdown procedure: DCOM$SETUP, option 5. See Section 6.2.
4.8.2 OpenVMS Registry Server
The OpenVMS Registry server manages the OpenVMS Registry database.
Process name: REGISTRY_SERVER
Requires: None.
Required by: COM for OpenVMS, Advanced Server for OpenVMS
Configured by: REG$CONFIG. See Section 11.2.
Started by: REG$STARTUP. See Section 11.3.1.
Shutdown procedure: SET SERVER REGISTRY_SERVER/EXIT.
For more information, see Section 11.4.
4.8.3 Advanced Server for OpenVMS Server
The Advanced Server for OpenVMS server provides Windows NT and OpenVMS connectivity.
Process names:
NETBIOS
PWRK$ADMIN_0
PWRK$KNBDAEMON
PWRK$LICENSE_R
PWRK$LMBROWSER
PWRK$LMDMN
PWRK$LMMCP
PWRK$LMSRV
PWRK$MASTER
PWRK$MONITOR
PWRK$NBDAEMON
The ACME server requires the PWRK$LMSRV process specifically.
Requires: OpenVMS Registry
Required by: ACME server
Configured by: PWRK$CONFIG
Started by: PWRK$STARTUP
Shutdown procedure: PWRK$SHUTDOWN
For more information, see the DIGITAL PATHWORKS for OpenVMS
(Advanced Server) Server Migration Guide.
4.8.4 ACME Server
The ACME server controls the granting of credentials.
Process name: ACME_SERVER
Requires: Advanced Server for OpenVMS
Required by: OpenVMS (RPC and SSPI/NTLM layers) and OpenVMS Events
Started:
$ @SYS$STARTUP:NTA$STARTUP_NT_ACME
Shutdown procedure:
$ SET SERVER ACME {/EXIT | /ABORT}
For more information, see Section 8.3.2.
4.8.5 RPC Endpoint Mapper
The RPC endpoint mapper controls authentication and security.
Process name: DCE$RPCD
Requires: RPC image
Required by: COM for OpenVMS Service Control Manager, RPC image
Started by: OpenVMS
Shutdown procedure: Use the following command procedure:
$ @SYS$STARTUP:DCE$RPC_SHUTDOWN.COM
For more information, see the DIGITAL DCE for OpenVMS VAX and
OpenVMS Alpha manual.
4.8.6 RPC and SSPI/NTLM Layers
The RPC and SSPI/NTLM layers provide remote procedure call and Windows NT-style authentication on OpenVMS.
Process name: n/a (part of OpenVMS operating system)
Requires: OpenVMS, ACME server
Required by: COM for OpenVMS
Started by: OpenVMS
Shutdown procedure: n/a
4.8.7 OpenVMS Events
The Events layer provides Windows NT-style event logging on OpenVMS.
Process name: n/a (part of OpenVMS operating system)
Requires: ACME server
Required by: COM for OpenVMS
Started by: OpenVMS
Shutdown procedure: n/a
For more information, see Chapter 14.
4.9 Installing COM for OpenVMS
The COM for OpenVMS installation kit contains a single POLYCENTER Software Installation file. The name of the kit is DEC-AXPVMS-DCOM-V0101-B-1.PCSI. You must install the COM for OpenVMS files on an OpenVMS Alpha Version 7.2-1 system. Please check the prerequisites before installing the kit. See Section 4.2.
To install COM for OpenVMS, invoke the POLYCENTER Software Installation utility using the following command:
$ PRODUCT INSTALL /SOURCE=device:[user] DCOM
For device:[user], specify the device name and directory location of the kit, respectively.
The COM for OpenVMS MIDL compiler no longer requires the DCOM-MIDL license.
Example 4-1 shows a sample installation.
Example 4-1 Sample COM for OpenVMS Installation

$ product install dcom/source=disk:[directory]

The following product has been selected:
    CPQ AXPVMS DCOM V1.1-B                 Layered Product

Do you want to continue? [YES]

Configuration phase starting ...

You will be asked to choose options, if any, for each selected product and for
any products that may be installed to satisfy software dependency requirements.

CPQ AXPVMS DCOM V1.1-B

    Copyright Compaq Computer Corporation 2000. All rights reserved.

Do you want the defaults for all options? [YES]

    The following software is required to run COM for OpenVMS
     - OpenVMS Alpha V7.2-1 or later
       - Includes DCE RPC and OpenVMS Registry
     - TCP/IP Services for OpenVMS V5.0 or later (or equivalent product)
     - Advanced Server for OpenVMS V7.2A or later

Do you want to continue? [YES]

Do you want to review the options? [NO]

Execution phase starting ...

The following product will be installed to destination:
    CPQ AXPVMS DCOM V1.1-B                 DISK$AXP_72PLUS:[VMS$COMMON.]

Portion done: 0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...100%

The following product has been installed:
    CPQ AXPVMS DCOM V1.1-B                 Layered Product
$
After you install the COM for OpenVMS kit, do the following:
Use the following command to start COM for OpenVMS:
$ @SYS$STARTUP:DCOM$STARTUP
Alternately, you can run DCOM$SETUP and choose option 4. (See Section 6.2.)
The COM for OpenVMS Service Control Manager can be in one of the following states: initializing/running or not started. Depending on the COM for OpenVMS Service Control Manager state, you will see one of the following messages:
DCOM Service Control Manager daemon (DCOM$RPCSS) is active [pid=xxxxxxxx]

DCOM Service Control Manager daemon (DCOM$STARTUP-**) is active [pid=xxxxxxxx]

The OpenVMS Registry server is already started on this node.

        *** DCOM system startup procedure ***

Starting DCOM Service Control Manager daemon ( "DCOM$STARTUP-**" ) . . .
After initialization, the daemon will use process name "DCOM$RPCSS" . . .
%RUN-S-PROC_ID, identification of created process is xxxxxxxx

        *** DCOM startup successful ***

        *** DCOM Startup Procedure Complete ***
Compaq recommends that you modify the SYS$MANAGER:SYLOGICALS.COM command file to control COM for OpenVMS startup.
OpenVMS includes a revised SYLOGICALS.TEMPLATE file that includes new startup commands for COM for OpenVMS and related components. Review the "Coordinated Startup" section of this template file and add the appropriate information to your existing startup files.
To have COM for OpenVMS start automatically when the system boots, copy the following line to your SYLOGICALS.COM file, uncomment the line, and make sure it is set to TRUE:
$ DEFINE DCOM$TO_BE_STARTED TRUE
If you do not set COM for OpenVMS to start automatically when
the system boots, you can start COM for OpenVMS using the
DCOM$SETUP OpenVMS COM Tools menu, option 4 (see Section 6.2).
4.12 Shutting Down COM for OpenVMS (COM for OpenVMS Service Control Manager)
Use the following command to shut down COM for OpenVMS:
$ @SYS$STARTUP:DCOM$SHUTDOWN
Alternately, you can run DCOM$SETUP and choose option 5. (See Section 6.2.)
The COM for OpenVMS Service Control Manager can be in one of the following states: stopped, running, or initializing. Depending on the COM for OpenVMS Service Control Manager state, you will see one of the following messages:
        *** DCOM system shutdown procedure ***

There is no active DCOM$RPCSS daemon on this system.

        *** DCOM Shutdown Procedure Complete ***

        *** DCOM system shutdown procedure ***

*************************** Warning ********************************
*** Stopping the DCOM Service Control Manager daemon (DCOM$RPCSS)
*** Active DCOM applications will no longer be operational.

Do you want to proceed with this operation (YES/NO/?) [N]?

For information about suppressing this confirmation step, see Section 4.12.1.

Terminating DCOM Service Control Manager daemon (DCOM$RPCSS) . . .

        *** DCOM shutdown successful ***

        *** DCOM Shutdown Procedure Complete ***

        *** DCOM system shutdown procedure ***

*************************** Warning ********************************
*** Stopping the DCOM Service Control Manager daemon (DCOM$RPCSS)
*** Active DCOM applications will no longer be operational.

Do you want to proceed with this operation (YES/NO/?) [N]?

Terminating DCOM Service Control Manager daemon (DCOM$STARTUP-**) . . .

        *** DCOM shutdown successful ***

        *** DCOM Shutdown Procedure Complete ***
You can suppress the DCOM$SHUTDOWN command confirmation request by specifying the NOCONFIRM parameter. Use the following command:
$ @SYS$STARTUP:DCOM$SHUTDOWN NOCONFIRM
The system displays the following shutdown messages without prompting you to confirm the shutdown:
        *** DCOM system shutdown procedure ***

Terminating DCOM Service Control Manager daemon (DCOM$RPCSS) . . .

        *** DCOM shutdown successful ***

        *** DCOM Shutdown Procedure Complete ***
COM Version 1.1-A for OpenVMS and COM Version 1.1-B for OpenVMS support NTLM (NT LAN Manager) authentication for controlling access to COM objects.
Processes that execute client and server applications must obtain Windows NT credentials in order to be authenticated. Processes created automatically by DCOM$RPCSS to execute server applications obtain Windows NT credentials based on the Registry settings for the server being launched. Interactive processes that are used to execute client and server applications must obtain Windows NT credentials by running the NTA$LOGON utility (see Section 8.2).
This chapter applies to COM for OpenVMS in authenticated mode. See Appendix E for information about running COM for OpenVMS in an unauthenticated environment.
This chapter discusses the following topics:
NTLM authentication on OpenVMS is implemented in three major components of the operating system (see Section 4.8).
The ACME server, RPC, and SSPI are installed as part of the OpenVMS operating system and require no special configuration. Advanced Server for OpenVMS must be installed as a layered product and must be configured to support NTLM authentication for COM applications (see Section 4.4).
After installing Advanced Server for OpenVMS, you must create network accounts that will be used to execute COM applications. You must also map the network accounts to OpenVMS accounts.
The Advanced Server ADMINISTER utility is used to create network accounts. For example, to create the network account NTUSER1, use the following command:
$ ADMINISTER ADD USER NTUSER1 /PASSWORD="pppppp" /FLAG=NOPWDEXPIRED
The password is case sensitive, so it is enclosed in quotation marks in order to maintain case. A password without quotation marks is converted to uppercase. By default, network accounts are created with the password pre-expired, thus forcing the user to change the password at the first login. The NOPWDEXPIRED flag overrides this default.
A hostmap entry defines the association between a Windows NT user account and a local OpenVMS user account. When OpenVMS authenticates a Windows NT user, OpenVMS uses the hostmap entry to map the OpenVMS user account to the Windows NT user account and build the local OpenVMS user profile and the Windows NT user profile. If no hostmap entry exists, OpenVMS uses the Windows NT user account name as the local OpenVMS user account name.
Use the Advanced Server for OpenVMS ADMINISTER utility to define hostmap information. For example, to map the network account NTUSER1 to the OpenVMS account VMSUSER1, use the following command:
$ ADMINISTER ADD HOSTMAP NTUSER1 VMSUSER1
If the OpenVMS account does not already exist, you must create the account using the OpenVMS Authorize utility (AUTHORIZE). The OpenVMS account must have the EXTAUTH flag set, or the IGNORE_EXTAUTH flag (bit 11, %X0800) must be set in the SECURITY_POLICY SYSGEN parameter (see Section 5.1). This policy allows the OpenVMS system manager to control which OpenVMS user accounts can be used with Windows NT authentication. For example, to set the EXTAUTH flag for the OpenVMS account VMSUSER1, use the following command:
$ MCR AUTHORIZE MODIFY VMSUSER1 /FLAG=EXTAUTH
The EXTAUTH flag also directs LOGINOUT.EXE to use external authentication to authenticate an OpenVMS user during the login process (that is, local, dialup, remote, interactive, and network logins). When you set the EXTAUTH flag, LOGINOUT.EXE uses external authentication, not the password in the SYSUAF.DAT record, to verify the OpenVMS user name and password.
LOGINOUT external authentication always requires that you set the
EXTAUTH flag in the SYSUAF account record. Unlike NTA$LOGON and
authenticated RPC, you cannot override this requirement using the
IGNORE_EXTAUTH flag.
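The hostmap fallback and the EXTAUTH / IGNORE_EXTAUTH rules described above can be modelled to audit which network accounts end up with which OpenVMS identity. This Python model is an added example, not part of the COM for OpenVMS kit; the Decision type, the function names, the upper-casing of names, and every account other than NTUSER1 and VMSUSER1 are assumptions constructed for illustration.

```python
from dataclasses import dataclass

IGNORE_EXTAUTH = 0x0800  # bit 11 of SECURITY_POLICY (%X0800 in the text)


@dataclass(frozen=True)
class Decision:
    nt_user: str
    vms_user: str
    via_hostmap: bool   # False: no hostmap entry, NT name reused as VMS name
    nta_logon_ok: bool  # usable by NTA$LOGON and authenticated RPC
    loginout_ext: bool  # LOGINOUT authenticates this account externally


def resolve(nt_user, hostmap, uaf_flags, security_policy):
    """Apply the mapping rules to one network account.

    hostmap:   {network account: OpenVMS account}
    uaf_flags: {OpenVMS account: set of UAF flag names}
    Names are upper-cased before comparison (an assumption of this model).
    Returns None when the mapped OpenVMS account does not exist.
    """
    key = nt_user.upper()
    mapped = {k.upper(): v.upper() for k, v in hostmap.items()}
    vms_user = mapped.get(key, key)  # no entry: the same name is used
    flags = {k.upper(): v for k, v in uaf_flags.items()}.get(vms_user)
    if flags is None:
        return None
    extauth = "EXTAUTH" in flags
    ignore = bool(security_policy & IGNORE_EXTAUTH)
    return Decision(
        nt_user=key,
        vms_user=vms_user,
        via_hostmap=key in mapped,
        nta_logon_ok=extauth or ignore,
        loginout_ext=extauth,  # IGNORE_EXTAUTH never applies to LOGINOUT
    )


def audit(nt_users, hostmap, uaf_flags, security_policy):
    """Return (nt_user, vms_user, reason) rows a system manager should review."""
    findings = []
    for user in nt_users:
        d = resolve(user, hostmap, uaf_flags, security_policy)
        if d is None or not d.nta_logon_ok:
            continue
        if not d.via_hostmap:
            findings.append((d.nt_user, d.vms_user, "implicit same-name mapping"))
        if not d.loginout_ext:
            findings.append((d.nt_user, d.vms_user, "allowed only by IGNORE_EXTAUTH"))
    return findings


# Constructed sample data: only NTUSER1 -> VMSUSER1 comes from the text.
HOSTMAP = {"NTUSER1": "VMSUSER1"}
UAF = {"VMSUSER1": {"EXTAUTH"}, "NTUSER2": {"EXTAUTH"}, "OPER1": set()}
NT_USERS = ["NTUSER1", "NTUSER2", "OPER1", "GHOST"]

if __name__ == "__main__":
    for policy in (0x0000, IGNORE_EXTAUTH):
        print(f"SECURITY_POLICY = %X{policy:04X}")
        for row in audit(NT_USERS, HOSTMAP, UAF, policy):
            print("  ", *row)
```

With IGNORE_EXTAUTH set, the constructed OPER1 account becomes usable for NTA$LOGON even though it has no hostmap entry and no EXTAUTH flag, which is the case the audit is meant to surface.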
5.1.2 DCE Integrated Login Restriction
A site cannot use both external authentication and the older
LGI-callout feature on the same system. If you have an LGI-callout
image installed, external authentication is disabled for login
purposes. Because DCE integrated login uses the LGI-callout mechanism,
OpenVMS does not allow logins using Windows NT-based external
authentication if DCE integrated login is enabled.
5.2 Cross-Domain Configuration
You can run a COM application on a system in one domain and have the application authenticated by a system in a second domain.
To configure authentication across Windows NT domains, you must do the following:
Example 5-1 shows how you can set up the HostMapDomains parameter. In this example, there are two domains: DOMAIN_1 and DOMAIN_2. Domain DOMAIN_2 is running Advanced Server for OpenVMS; domain DOMAIN_1 is a Windows NT domain. The commands in Example 5-1 introduce DOMAIN_2 to DOMAIN_1.
Example 5-1 Sample: Setting Up HostMapDomains

SYSJANE$ show sym regutl
  REGUTL == "$SYS$SYSTEM:PWRK$REGUTL.EXE"
SYSJANE$ regutl
REGUTL> SET PARAM /CREATE VMSSERVER HOSTMAPDOMAINS DOMAIN_1
REGUTL> SHOW VALUE * HOSTMAPDOMAINS
Key: SYSTEM\CurrentControlSet\Services\AdvancedServer\UserServiceParameters
Value: HostmapDomains
Type: String
Current Data: DOMAIN_1
After the network account and the OpenVMS account have been set up as described in Section 5.1, you can log in to the OpenVMS account using the usual OpenVMS login procedures. You can then acquire Windows NT credentials using the NTA$LOGON utility. For example:
$ MCR NTA$LOGON NTUSER1 "pppppp"
In this format, pppppp is the password you specified when you created the network account. The password is enclosed in quotation marks to preserve case. A password without quotation marks is converted to lowercase. If the user name or password is not specified on the command line, the program prompts the user for the required input (see Section 8.2).
To acquire Windows NT credentials for a network account using NTA$LOGON, you must be logged in to the OpenVMS account that is mapped to the network account. Alternatively, if you are logged in to a different OpenVMS account, you must have the IMPERSONATE privilege and use the /OVERRIDE_MAPPING switch. For example:
$ MCR NTA$LOGON /OVERRIDE_MAPPING NTUSER2 "pppppp"
To determine whether a process has Windows NT credentials, use the NTA$LOGON utility with the /LIST switch. For example:
$ MCR NTA$LOGON /LIST
The COM security model allows the creation of secure distributed applications. COM security can be enabled by using settings in the OpenVMS Registry and by using COM security APIs and interfaces. There are two primary areas of security that can be applied to COM applications: launch security and activation security.
Launch security and activation security have system default settings;
application-specific settings override these defaults. The settings are
stored in the Registry and are maintained by using the DCOMCNFG utility
on Windows NT and by using the DCOMCNFG option of DCOM$SETUP.COM on
OpenVMS. The COM API CoInitializeSecurityEx can be used from within
an application to enhance or override the Registry settings.
5.4.1 Launch Security
Launch security determines which network accounts can be used to
create, or "launch" server processes. The launch security
settings are referenced when a COM request is received on a system that
will result in the launching of a server process to satisfy the
request. These settings can explicitly or implicitly allow or disallow
a user request to launch a server. The DCOM$RPCSS process authenticates
the incoming request to determine the identity of the client. If
DCOM$RPCSS determines that it needs to launch a server process to
satisfy the request, DCOM$RPCSS allows or disallows the launching of
the server based on the identity of the client and the launch security
settings.
5.4.2 Activation Security
Activation security determines which network accounts can be used to
execute method calls in server applications. The activation security
settings are referenced when a COM request is received on a system for
a method call in an existing server process. The server process
authenticates the incoming request to determine the identity of the
client. The server process allows or disallows the execution of the
method call based on the identity of the client and the activation
security settings.
5.4.3 Server Process Identity
A server process created by DCOM$RPCSS on OpenVMS is a detached process that has an OpenVMS identity and follows all the OpenVMS security rules for a detached process. In addition, it has a network identity that is used to enforce the COM security model (see Section 5.5).
COM servers create separate server threads to execute each client
request. These server threads have their own OpenVMS identity and
network identity, based on the identity of the client. When a server
thread is executing a request on behalf of a client, it is the thread's
identities, not the process' identities, that are used to enforce
security.
5.4.4 Domain Issues
Two systems running COM client and server applications can exist in one of three possible domain configurations:
The ability of servers and DCOM$RPCSS to authenticate client requests is affected by the domain configuration. When both systems are in the same domain or when the systems are in separate but trusted domains, there is no problem authenticating. The trusted domain configuration is a bit more complex and requires that the trusts and mappings be configured correctly, but once configured, there is no trouble authenticating (see Section 5.2).
Systems in separate, nontrusted domains or systems not in any domain cannot be authenticated using the normal mechanisms. To run authenticated COM applications between such systems, you must pass authentication information (user name and password) from the client to the server. COM provides this capability in the CoCreateInstanceEx API. The pServerInfo parameter of the CoCreateInstanceEx API allows you to specify a user name and password to be used for authentication on the remote server system. The user name and password are part of the COAUTHIDENTITY structure, within the COAUTHINFO structure within the COSERVERINFO structure, that is passed as the pServerInfo parameter to CoCreateInstanceEx.
Section C.3 shows how you can authenticate a remote client that is neither in the server's domain nor in a domain that has a trust with the server's domain.
The current NTLM security implementation on OpenVMS does not support
this feature for COM client applications on OpenVMS. This feature is
supported for COM clients on Windows NT that communicate with COM
servers on OpenVMS. To run COM client applications on OpenVMS where the
server is not in the same domain or in a trusted domain, you must
disable authentication for the application, as described in
Section 5.4.5.
5.4.5 Disabling Authentication
Under certain conditions, you may want to disable authentication between a client and server applications. This feature disables many of the security features of COM and of the operating system and should not be used in an environment where security is required. There are two ways to disable authentication for COM applications:
The server must be configured to run with a specific NTLM account
identity. Since the client will not be authenticated, there is no way
for the server to run with a client's identity. To configure a server
to run with a specific NTLM identity, use DCOMCNFG and change the
application properties to select the NTLM account.
5.4.6 Access Denied Problems (80070005)
The most common security error a COM application will encounter is access denied (error status value 80070005). The following is a list of the most common causes of this error:
$ ADMINISTER SHOW HOSTMAP
$ ADMINISTER SHOW TRUST
When DCOM$RPCSS launches a server in response to a client request for a COM object, DCOM$RPCSS creates a detached process and executes either the server image or server command file in the context of the detached process. The image or command file that is executed is determined by the value of the Registry key HKEY_CLASSES_ROOT\CLSID\{iid}\LocalServer32, where iid is the unique identifier of the COM object.
The run-time environment of the detached process is as follows:
$! RUN_CMPNT.COM
$! Command file to run SAMPLE1
$ set default DKA0:[SAMPLE1]
$ define sys$output DKA0:[SAMPLE1]SAMPLE1.LOG
$ ! Other definitions as needed
$ RUN CMPNT.EXE
$ exit
This chapter describes how to configure your OpenVMS system (and, optionally, your Windows NT system) to develop and deploy COM applications. It describes the following COM for OpenVMS utilities:
This chapter also includes information about configuring OpenVMS and Windows NT systems to interoperate.
Before you configure COM for OpenVMS on your OpenVMS system, you must install and configure required components and install COM for OpenVMS. See Chapter 4 for information about these steps.
DCOM$SETUP is a collection of tools to help a system manager configure the COM for OpenVMS system environment.
DCOM$SETUP Conventions and Requirements
To run DCOM$SETUP, enter @SYS$STARTUP:DCOM$SETUP at the OpenVMS system prompt.
The system displays the OpenVMS COM Tools menu.
Figure 6-1 DCOM$SETUP OpenVMS COM Tools Menu
---------------------------------------------------------
              OpenVMS COM Tools

    1)  DCOMCNFG, COM Configuration Properties
    2)  GUIDGEN, Globally Unique Identifier Generator
    3)  Populate the Registry database for COM
    4)  Start the COM server
    5)  Stop the COM server
    6)  Register a COM application
    7)  Create the DCOM$GUEST account and directory
    8)  Configure the DCOM$RPCSS accounts

    H)  Help
    E)  Exit

    Please enter your choice:
---------------------------------------------------------
To choose an option, enter the option number. The options are as follows:
To display these functions, choose option 8 from the OpenVMS COM Tools menu. The system displays the following:
---------------------------------------------------------
Configure the COM for OpenVMS Service Control Manager (DCOM$RPCSS) accounts

    1)  Create the DCOM$RPCSS account in both the SYSUAF database
        and the Advanced Server for OpenVMS SAM database. The password
        you specify for the new DCOM$RPCSS user is stored in a
        protected file.

    2)  Update the DCOM$RPCSS user password in the COM for OpenVMS
        Service Control Manager password file.

    E)  Exit

    Please enter your choice:
---------------------------------------------------------
Enter one of the following:
The system creates this account in the Advanced Server for OpenVMS database with a password that will not expire. To change this behavior (that is, modify the account so that the password expires according to the Advanced Server for OpenVMS User Policy), use the following procedure:
To determine the maximum password age in the Advanced Server for OpenVMS User Policy, enter the following ADMIN command:
If you change the Advanced Server for OpenVMS password of the DCOM$RPCSS account, you must update the password in the COM for OpenVMS Service Control Manager password file. (See option 2 [Update the DCOM$RPCSS user password].)

To create a new account, you must be logged on to an existing
Advanced Server for OpenVMS account that is capable of adding new users.
Enter Y[ES] to log on to this account:

Enter username: JOSEPHM
Password:
Confirm password:

Enter the new DCOM$RPCSS password.
Enter password:
Confirm password:

%PWRK-S-USERADD, user "DCOM$RPCSS" added to domain "DCOM1_DOMAIN"

Username: DCOM$RPCSS                       Owner:  COM
Account:                                   UIC:    [37776,1] ([DCOM$RPCSS])
CLI:      DCL                              Tables: DCLTABLES
Default:  SYS$SYSDEVICE:[DCOM$RPCSS]
LGICMD:
Flags:  ExtAuth
Primary days:   Mon Tue Wed Thu Fri
Secondary days:                     Sat Sun
No access restrictions
Expiration:            (none)    Pwdminimum:  6   Login Fails:     0
Pwdlifetime:           (none)    Pwdchange:      (pre-expired)
Last Login:            (none) (interactive),            (none) (non-interactive)
Maxjobs:         0  Fillm:       100  Bytlm:        64000
Maxacctjobs:     0  Shrfillm:      0  Pbytlm:           0
Maxdetach:       0  BIOlm:       150  JTquota:       4096
Prclm:           8  DIOlm:       150  WSdef:         1024
Prio:            4  ASTlm:       250  WSquo:         4000
Queprio:         4  TQElm:        10  WSextent:      8000
CPU:        (none)  Enqlm:      2000  Pgflquo:     130000
Authorized Privileges:
  NETMBX       TMPMBX
Default Privileges:
  NETMBX       TMPMBX

%PWRK-S-HOSTMAPADD, user "DCOM$RPCSS" mapped to host user "DCOM$RPCSS"

Press RETURN to continue:

Enter the new DCOM$RPCSS password.
Enter password:
Confirm password:
COM for OpenVMS requires that the COM server process (DCOM$RPCSS) always be running. The DCOM$RPCSS process on OpenVMS provides the same functions for the COM run-time environment that the RPCSS process provides on Microsoft Windows NT, including the following:
To start DCOM$RPCSS, either use DCOM$SETUP option 4 ("Start") (see Section 6.2) or call the COM for OpenVMS startup procedure directly from SYS$STARTUP:DCOM$STARTUP. See Section 4.11 for information on starting COM for OpenVMS.
To stop DCOM$RPCSS on your system, either use the DCOM$SETUP option 5 ("Stop") (see Section 6.2) or call the COM for OpenVMS shutdown procedure directly from SYS$STARTUP:DCOM$SHUTDOWN. See Section 4.12 for information on shutting down COM for OpenVMS.
6.2.3 Registering an Application
The following example shows how to register the COM for OpenVMS "Simple" application included on the COM for OpenVMS kit. You can use the resulting Windows NT file to register the server on a Windows NT system as long as the application is available on your Windows NT system.
To build the "Simple" application on a Windows NT system, see and execute the instructions in the README-SIMPLE.TXT file in DCOM$EXAMPLES:[SIMPLE].
You must build and compile the application before you can register it. For complete details, see the step-by-step example in DCOM$EXAMPLES:[SIMPLE] included in the COM for OpenVMS kit.
Use the following procedure:
The "Simple" application already has a CLSID.
Example 6-1 Sample "Simple" Application Registration on OpenVMS

Enter server type (1. In-Proc 2. Out-Proc): 2 [Return]
Enter Local Path (device:[directory]filename.ext): DKA0:[SMITH]SSERVER.EXE [Return]
Enter Application Name (<RETURN> to assign default): COM Simple Server [Return]
Does the server have a CLSid {GUID} (Yes/No) [N]: Y [Return]
Enter the CLSid (i.e. {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}: {5e9ddec7-5767-11cf-beab-00aa006c3606} [Return]

Verify Application Information:
    Application Name: COM SIMPLE SERVER
    Local Path: DKA0:[SMITH]SSERVER.EXE
    Application ID: {5E9DDEC7-5767-11CF-BEAB-00AA006C3606}

Is the information correct (Yes/No) [Y]: [Return]
Register application (Yes/No)? [Y]: [Return]

SETUP-I-NEWFILES, The following files have been created:
    DKA0:[SMITH]SSERVER.REG_NT
    DKA0:[SMITH]SSERVER.REG_VMS

SETUP-I-SRVIN, Server has been registered

Press RETURN to continue: [Return]
To register the "Simple" application on a Windows NT system, use the following procedure:
Example 6-2 shows the contents of SSERVER.REG_NT.
Example 6-2 Contents of SSERVER.REG_NT

REGEDIT
HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}\ = DCOM server application SSERVER
HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}\LaunchPermission = Y
HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}\LocalServer32 = DEVICE:\SSERVER
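Because the LocalServer32 value names the image or command file that is run when the object is launched (as described for DCOM$RPCSS earlier on this page), a registration file is worth reviewing before it is imported. The following Python is an added example, not code from the COM for OpenVMS kit: it parses the REGEDIT layout shown in Example 6-2 and reports CLSIDs whose LocalServer32 is not on an approved list. The function names, the approved list, and the second sample entry are assumptions constructed for illustration.

```python
import re

# One "key = value" line under HKEY_CLASSES_ROOT\CLSID\{guid}\[subkey]
ENTRY = re.compile(
    r"HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\(\w*)\s*=\s*(.*)"
)

# Constructed sample: the first CLSID is the one from Example 6-2, the second
# is a made-up entry whose server image is not on the approved list.
SAMPLE_REG = r"""REGEDIT
HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}\ = DCOM server application SSERVER
HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}\LaunchPermission = Y
HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}\LocalServer32 = DEVICE:\SSERVER
HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-00000000ABCD}\ = constructed test entry
HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-00000000ABCD}\LocalServer32 = DEVICE:\SCRATCH\TOOL
"""


def parse_reg(text):
    """Return ({CLSID: {subkey: value}}, [lines that did not parse]).

    The unnamed value of the CLSID key is stored under "(default)".
    Unparsed lines are returned rather than dropped so that a reviewer
    sees everything the file would change.
    """
    entries, skipped = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT":
            continue
        match = ENTRY.fullmatch(line)
        if match is None:
            skipped.append(line)
            continue
        clsid = match.group(1).upper()
        subkey = match.group(2) or "(default)"
        entries.setdefault(clsid, {})[subkey] = match.group(3).strip()
    return entries, skipped


def review(entries, approved_images):
    """List (clsid, image, reason) for server images not on the approved list."""
    approved = {path.upper() for path in approved_images}
    findings = []
    for clsid in sorted(entries):
        image = entries[clsid].get("LocalServer32")
        if image is None:
            continue  # no out-of-process server registered under this CLSID
        if image.upper() not in approved:
            findings.append((clsid, image, "unapproved server image"))
    return findings


if __name__ == "__main__":
    parsed, unparsed = parse_reg(SAMPLE_REG)
    for finding in review(parsed, {r"DEVICE:\SSERVER"}):
        print(*finding)
    for line in unparsed:
        print("not parsed:", line)
```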
To reregister the "Simple" application on an OpenVMS system, enter the following command at the system prompt:
$ @SSERVER.REG_VMS
Example 6-3 shows the contents of the SSERVER.REG_VMS command procedure:
Example 6-3 Contents of SSERVER.REG_VMS

$ Set noon
$ regcp := $regcp
$ crekey := $regcp create key
$ creval := $regcp create value
$ modval := $regcp modify value
$ lisval := $regcp list value
$ crekey HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}
$ creval HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606} -
         /data="DCOM server application SSERVER" /type=sz
$ creval HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}/name="AppID" -
         /data="{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}" /type=sz
$ crekey HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}\LaunchPermission
$ creval HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}\LaunchPermission -
         /data="Y" /type=sz
$ crekey HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}\LocalServer32
$ creval HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}\LocalServer32 -
         /data="DKA0::[SMITH]SSERVER.EXE" /type=sz
$
DCOM$CNFG is a utility to help COM developers configure and manage COM for OpenVMS applications on OpenVMS. Use the DCOM$CNFG utility to query information and manipulate properties of COM for OpenVMS applications.
To use the DCOM$CNFG utility, choose option 1 from the DCOM$SETUP menu.
Before running the DCOM$CNFG utility, you must:
The system displays the DCOM$CNFG Main menu.
Figure 6-2 DCOM$CNFG Main Menu
---------------------------------------------------------
              DCOM$CNFG Main

    1 - Applications List
    2 - System-wide Default Properties
    3 - System-wide Default Security

    (E to Exit) (H for Help)

    Enter <CTRL-Z> or 'E' to return to the previous menu at any time

    Please enter your choice:
---------------------------------------------------------
To display this submenu, from the DCOM$CNFG Main menu, choose option 1.
The system displays the Applications List submenu.
Figure 6-3 Applications List Submenu
---------------------------------------------------------
              Applications List

Index   Name
  1     Inside COM, Chapter 11 Example
  2     application 2
  3     application 3
  .     ...
  .     ...
  .     ...

(E to Exit to previous menu) (H for Help)
Please enter Index number to select an Application:
---------------------------------------------------------
Enter a number to select an application. You can then view or configure its properties.
This option displays the Application Properties submenu.
The system stores the Application Properties (Location, Security, and Identity) (see Figure 6-4) in a special key in the OpenVMS Registry that is associated with each application. You cannot change the Application Properties until you create this special key using the DCOM$CNFG utility. The DCOM$CNFG utility creates this special key when the utility discovers a newly registered application. In this case, the DCOM$CNFG user must have acquired Windows NT security credentials for an account that is a member of the Administrator group. Otherwise, the key will not be created. For more information about acquiring Windows NT credentials, see Section 8.2. Use the following procedure to manage the Application Properties:
Figure 6-4 Application Properties Submenu
------------------------------------------------------------------
              Application Properties

General Properties of this DCOM Application

Application name: Inside COM, Chapter 11 Example
Application id:   {0C092C2C-882C-11CF-A6BB-0080C7B2D682}
Application type: local server
Local path:       DISK1:[SMITH.DISPATCH_SAMPLE1]CMPNT.EXE
Type Library:     {D3011EE1-B997-11CF-A6BB-0080C7B2D682}
     version: 1.0  DISK1:[SMITH.DISPATCH_SAMPLE1]Server.tlb

1 - Location     Machine to run application
2 - Security     Security permissions for application
3 - Identity     User account to use to run application

(E to Exit to previous menu) (H for Help)
Please enter Application Property you wish to change:
------------------------------------------------------------------
If the system cannot find the type library file or if the type library is inaccessible, the system displays an error message next to the type library file name.
Figure 6-5 Application Location Submenu
---------------------------------------------------------
              Application Location

The following settings allow DCOM to locate the correct computer
for this application. If more than one machine is selected then
DCOM uses the first available one. Client applications may
override these selections.

Application name: Inside COM, Chapter 11 Example

1 - Run application on this computer (Yes/No)
    Current value: Yes
2 - Run application on another computer
    Current value: Currently Disabled

(E to Exit to previous menu) (H for Help)
Please enter your choice:
---------------------------------------------------------
The system uses the systemwide default security values unless you specify a different setting.
The system displays the Application Security submenu.
Figure 6-6 Application Security Submenu
---------------------------------------------------------
Application Security
Application name: Inside COM, Chapter 11 Example
Current Access permissions:        Custom
Current Launch permissions:        Custom
Current Configuration permissions: Default
1 - Use Default Access permission
2 - Edit Custom Access permission
3 - Use Default Launch permission
4 - Edit Custom Launch permission
5 - Use Default Configuration permission
6 - Edit Custom Configuration permission
(E to Exit to previous menu)
(H for Help)
Please enter your choice:
---------------------------------------------------------
The options are as follows:
To display this submenu:
Figure 6-7 Registry Value Permissions Submenu
---------------------------------------------------------
Registry Value Permissions
Application name: Inside COM, Chapter 11 Example
Registry Value: LaunchPermission
Owner: Administrator
Index   Name                        Type of Access
1       OPENVMS_DCOM\USER1          Deny
2       BUILTIN\Administrators      Allow
3       Everyone                    Allow
4       NT AUTHORITY\SYSTEM         Allow
5       OPENVMS_DCOM\USER2          Allow
(Index Number to Delete or Modify Access)
(A to Add to list)
(E to Exit to previous menu)
(H for Help)
Please enter your choice:
---------------------------------------------------------
The options are as follows:
Figure 6-8 Edit Registry Value Permissions Submenu
---------------------------------------------------------
Edit Registry Value Permissions
Application name: Inside COM, Chapter 11 Example
Registry Value: AccessPermission
Owner: Administrator
Name: OPENVMS_DCOM\USER1
Type of Access: Deny
1 - Delete entry from list
2 - Change Access
(E to Exit to previous menu)
(H for Help)
Please enter your choice:
---------------------------------------------------------
The options are as follows:
Figure 6-9 Add Registry Value Permissions Submenu
---------------------------------------------------------
Add Registry Value Permissions
Application name: Inside COM, Chapter 11 Example
Registry Value: LaunchPermission
Owner: ROLLO
1 - Add Specific User or Group
2 - Add Everyone
3 - Add NT AUTHORITY\System
4 - Add BUILTIN\Administrators
(E to Exit to previous menu)
(H for Help)
Please enter your choice:
---------------------------------------------------------
To display this submenu:
Figure 6-10 Registry Key Permissions Submenu
---------------------------------------------------------
Registry Key Permissions
Application name: Inside COM, Chapter 11 Example
Registry Key: Inside COM, Chapter 11 Example
Owner: Administrator
Index   Name                        Type of Access
1       BUILTIN\Administrators      Full Control
2       NT AUTHORITY\SYSTEM         Full Control
3       CREATOR OWNER               Full Control
4       Everyone                    Special Access
5       OPENVMS_DCOM\USER1          Read
(Index Number to Delete or Modify Access)
(A to Add to list)
(E to Exit to previous menu)
(H for Help)
Please enter your choice:
---------------------------------------------------------
The options are as follows:
Figure 6-11 Edit Registry Key Permissions Submenu
---------------------------------------------------------
Edit Registry Key Permissions
Application name: Inside COM, Chapter 11 Example
Registry Key: Inside COM, Chapter 11 Example
Owner: Administrator
Name: BUILTIN\Administrators
Type of Access: Full Control
1 - Delete entry from list
2 - Allow Full Control
3 - Allow Read Access
4 - Set/View Special Access
(E to Exit to previous menu)
(H for Help)
Please enter your choice:
---------------------------------------------------------
The options are as follows:
Figure 6-12 Special Access Registry Key Permissions Submenu
---------------------------------------------------------
Special Access Registry Key Permissions
Application name: Inside COM, Chapter 11 Example
Registry Key: Inside COM, Chapter 11 Example
Name: Everyone
Type of Access              Current Value
0 - Query Value             Yes
1 - Set Value               Yes
2 - Create Subkey           Yes
3 - Enumerate Subkeys       Yes
4 - Notify                  Yes
5 - Create Link             No
6 - Delete                  Yes
7 - Write DACL              No
8 - Write Owner             No
9 - Read Control            Yes
(E to Exit to previous menu)
(H for Help)
Please enter your choice:
---------------------------------------------------------
The options are as follows:
Figure 6-13 Add Registry Key Permissions Submenu
---------------------------------------------------------
Add Registry Key Permissions
Application name: Inside COM, Chapter 11 Example
Registry Key: Inside COM, Chapter 11 Example
Owner: Administrator
1 - Add Specific User or Group
2 - Add Everyone
3 - Add NT AUTHORITY\System
4 - Add BUILTIN\Administrators
(E to Exit to previous menu)
(H for Help)
Please enter your choice:
---------------------------------------------------------
The options are as follows:
To display this submenu:
The system displays the Application Identity submenu.
Figure 6-14 Application Identity Submenu
---------------------------------------------------------
Application Identity
Which user account do you want to use to run this application?
Application name: Inside COM, Chapter 11 Example
Current Identity: NTLM Account OPENVMS_DCOM\USER2
1 - Launching User
2 - NTLM Account
3 - OpenVMS Username
4 - OpenVMS DCOM Guest Account
(E to Exit to previous menu)
(H for Help)
Please enter account you wish to use:
---------------------------------------------------------
If you enter a new password, the system does not synchronize the new password with any other password. You must synchronize the passwords manually. You must have the IMPERSONATE privilege for the password to be validated. You must have system write access (SYSPRV or REG$UPDATE) to the OpenVMS Registry to write the password to the database.
To display this submenu, from the DCOM$CNFG Main menu, choose option 2.
The system displays the System-wide Default Properties submenu.
Figure 6-15 System-wide Default Properties Submenu
---------------------------------------------------------
System-wide Default Properties
1 - Enable Distributed COM on this computer (Yes/No)
    Current value: Yes
2 - Default Authentication Level
3 - Default Impersonation Level
(E to Exit to previous menu)
(H for Help)
Please enter your choice:
---------------------------------------------------------
Figure 6-16 Default Authentication Level Submenu
------------------------------------------------------------------
Default Authentication Level
The Authentication Level specifies security at the packet level.
Current value: Connect
1 - Default
2 - None
3 - Connect
4 - Call
5 - Packet
6 - Packet Integrity
(E to Exit to previous menu)
(H for Help)
Please enter your choice:
------------------------------------------------------------------
Figure 6-17 Default Impersonation Level Submenu
------------------------------------------------------------------
Default Impersonation Level
The Impersonation Level specifies whether applications can determine who is calling them, and whether the application can perform operations using the client's identity.
Current value: Identify
1 - Anonymous
2 - Identify
3 - Impersonate
(E to Exit to previous menu)
(H for Help)
Please enter your choice:
------------------------------------------------------------------
To display this submenu, from the DCOM$CNFG Main Menu, choose option 3.
The system displays the System-wide Default Security submenu.
Figure 6-18 System-wide Default Security Submenu
------------------------------------------------------------------
System-wide Default Security
1 - Access Permissions Default
2 - Launch Permissions Default
3 - Configuration Permissions Default
(E to Exit to previous menu)
(H for Help)
Please enter your choice:
------------------------------------------------------------------
The options are as follows:
When you first install the system, by default only Administrator and System accounts have application launch and access permissions. Compaq recommends that you do not change these default settings. Typically you modify an individual application's launch and access security to grant or deny permissions to Everyone, various Groups, or even specific users. Compaq recommends this technique over adjusting the machinewide default security settings that affect all applications.
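An added example, not part of the original manual or of the DCOM$CNFG utility: a Python check that applies the recommendation above to a saved text capture of a Registry Value Permissions screen (Figure 6-7 layout) and lists the Allow entries that go beyond the install-time defaults. The sample capture, the two baseline account names, and the severity labels are assumptions of this example.

```python
import re

# Constructed capture in the layout of Figure 6-7 (not from a real system).
SAMPLE = r"""
Registry Value Permissions
Application name: Inside COM, Chapter 11 Example
Registry Value: LaunchPermission
Owner: Administrator
Index  Name                     Type of Access
1      OPENVMS_DCOM\USER1       Deny
2      BUILTIN\Administrators   Allow
3      Everyone                 Allow
4      NT AUTHORITY\SYSTEM      Allow
5      OPENVMS_DCOM\USER2       Allow
"""

# Assumption: the install-time "Administrator and System" defaults appear
# under these two names; severity labels below are this example's own.
BASELINE = {"BUILTIN\\ADMINISTRATORS", "NT AUTHORITY\\SYSTEM"}
ENTRY = re.compile(r"^\s*(\d+)\s+(.+?)\s+(Allow|Deny)\s*$")
FIELD = re.compile(r"^\s*(Application name|Registry Value|Owner):\s*(.+?)\s*$")

def parse_screen(text):
    """Return (header fields, [(index, principal, access), ...])."""
    fields, entries = {}, []
    for line in text.splitlines():
        if (m := FIELD.match(line)):
            fields[m.group(1)] = m.group(2)
        elif (m := ENTRY.match(line)):
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return fields, entries

def audit(text, system_wide=False):
    """List Allow entries that go beyond the install-time baseline."""
    fields, entries = parse_screen(text)
    findings = []
    for index, name, access in entries:
        if access != "Allow" or name.upper() in BASELINE:
            continue  # Deny entries and baseline accounts are expected
        if system_wide:
            severity = "high"    # machine-wide default: all applications
        elif name.upper() == "EVERYONE":
            severity = "review"  # any caller, but only this application
        else:
            severity = "info"    # named user or group, this application
        findings.append((severity, fields.get("Registry Value"), index, name))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Pass `system_wide=True` when the capture comes from the System-wide Default Security menu, so that any addition to the machinewide defaults is reported at the highest severity.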