OpenVMS Connectivity Developer Guide



4.8.1 COM for OpenVMS Service Control Manager (SCM)

The COM for OpenVMS Service Control Manager enables COM for OpenVMS.

Process name: DCOM$RPCSS

Requires: OpenVMS Registry, OpenVMS (RPC and SSPI/NTLM layers)

Required by: COM applications

Configured by: DCOM$SETUP. See Section 6.2.

Started by: DCOM$SETUP, option 4. See Section 6.2.

Shutdown procedure: DCOM$SETUP, option 5. See Section 6.2.

4.8.2 OpenVMS Registry Server

The OpenVMS Registry server manages the OpenVMS Registry database.

Process name: REGISTRY_SERVER

Requires: None.

Required by: COM for OpenVMS, Advanced Server for OpenVMS

Configured by: REG$CONFIG. See Section 11.2.

Started by: REG$STARTUP. See Section 11.3.1.

Shutdown procedure: SET SERVER REGISTRY_SERVER/EXIT. For more information, see Section 11.4.

4.8.3 Advanced Server for OpenVMS Server

The Advanced Server for OpenVMS server provides Windows NT and OpenVMS connectivity.

Process names:

NETBIOS
PWRK$ADMIN_0
PWRK$KNBDAEMON
PWRK$LICENSE_R
PWRK$LMBROWSER
PWRK$LMDMN
PWRK$LMMCP
PWRK$LMSRV
PWRK$MASTER
PWRK$MONITOR
PWRK$NBDAEMON

The ACME server requires the PWRK$LMSRV process specifically.

Requires: OpenVMS Registry

Required by: ACME server

Configured by: PWRK$CONFIG

Started by: PWRK$STARTUP

Shutdown procedure: PWRK$SHUTDOWN

For more information, see the DIGITAL PATHWORKS for OpenVMS (Advanced Server) Server Migration Guide.

4.8.4 ACME Server

The ACME server controls the granting of credentials.

Process name: ACME_SERVER

Requires: Advanced Server for OpenVMS

Required by: OpenVMS (RPC and SSPI/NTLM layers) and OpenVMS Events

Started:

Shutdown procedure:


$ SET SERVER ACME {/EXIT | /ABORT}

For more information, see Section 8.3.2.

4.8.5 RPC Endpoint Mapper

The RPC endpoint mapper controls authentication and security.

Process name: DCE$RPCD

Requires: RPC image

Required by: COM for OpenVMS Service Control Manager, RPC image

Started by: OpenVMS

Shutdown procedure: Use the following command procedure:


  $ @SYS$STARTUP:DCE$RPC_SHUTDOWN.COM 

For more information, see the DIGITAL DCE for OpenVMS VAX and OpenVMS Alpha manual.

4.8.6 RPC and SSPI/NTLM Layers

The RPC and SSPI/NTLM layers provide remote procedure call and Windows NT-style authentication on OpenVMS.

Process name: n/a (part of OpenVMS operating system)

Requires: OpenVMS, ACME server

Required by: COM for OpenVMS

Started by: OpenVMS

Shutdown procedure: n/a

4.8.7 OpenVMS Events

The Events layer provides Windows NT-style event logging on OpenVMS.

Process name: n/a (part of OpenVMS operating system)

Requires: ACME server

Required by: COM for OpenVMS

Started by: OpenVMS

Shutdown procedure: n/a

For more information, see Chapter 14.

4.9 Installing COM for OpenVMS

The COM for OpenVMS installation kit contains a single POLYCENTER Software Installation file. The name of the kit is DEC-AXPVMS-DCOM-V0101-B-1.PCSI. You must install the COM for OpenVMS files on an OpenVMS Alpha Version 7.2-1 system. Check the prerequisites before installing the kit. See Section 4.2.

To install COM for OpenVMS, invoke the POLYCENTER Software Installation utility using the following command:


 $ PRODUCT INSTALL /SOURCE=device:[user] DCOM 

For device:[user], specify the device name and directory location of the kit, respectively.

MIDL compiler license no longer required

The COM for OpenVMS MIDL compiler no longer requires the DCOM-MIDL license.

Example 4-1 shows a sample installation.

Example 4-1 Sample COM for OpenVMS Installation

$ product install dcom/source=disk:[directory] 
 
The following product has been selected: 
    CPQ AXPVMS DCOM V1.1-B                 Layered Product 
 
Do you want to continue? [YES] 
 
Configuration phase starting ... 
 
You will be asked to choose options, if any, for each selected product 
and for any products that may be installed to satisfy software dependency 
requirements. 
 
CPQ AXPVMS DCOM V1.1-B 
 
    Copyright Compaq Computer Corporation 2000. All rights reserved. 
 
Do you want the defaults for all options? [YES] 
 
    The following software is required to run COM for OpenVMS
 
      - OpenVMS Alpha V7.2-1 or later 
        - Includes DCE RPC and OpenVMS Registry 
      - TCP/IP Services for OpenVMS V5.0 or later (or equivalent product) 
      - Advanced Server for OpenVMS V7.2A or later 
 
 
    Do you want to continue? [YES] 
 
Do you want to review the options? [NO] 
 
Execution phase starting ... 
 
The following product will be installed to destination: 
    CPQ AXPVMS DCOM V1.1-B                 
DISK$AXP_72PLUS:[VMS$COMMON.] 
 
Portion done: 
0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...100% 
 
The following product has been installed: 
    CPQ AXPVMS DCOM V1.1-B                 Layered Product 
 
$ 

4.10 COM for OpenVMS Postinstallation Procedures

After you install the COM for OpenVMS kit, do the following:

  1. Verify that the OpenVMS Registry is running. (See Chapter 11.)
  2. Verify that the Advanced Server for OpenVMS is running. (See Section 4.8.3 for the Advanced Server for OpenVMS process names.)
  3. Verify that the ACME server is running. (See Section 4.8.4 for the name of this process.)
  4. Verify that the RPC daemon is running. (See Section 4.8.5 for the name of the process.)
  5. Populate the OpenVMS Registry with the required COM for OpenVMS keys and values using the DCOM$SETUP utility, option 3. (See Section 6.2.) You must do this only once on an OpenVMS cluster.
  6. Configure the DCOM$RPCSS account using the DCOM$SETUP utility, option 8. (See Section 6.2.1.) You must do this only once on an OpenVMS cluster.
  7. Start COM for OpenVMS using the DCOM$SETUP utility, option 4. (See Section 6.2.) You must do this on every node in an OpenVMS cluster.
  8. If you want COM for OpenVMS to start automatically when the system reboots, modify the DEFINE DCOM$TO_BE_STARTED line in the SYLOGICALS.COM file. (See Section 4.11.1.) You must do this on every node in an OpenVMS cluster.
  9. Configure COM for OpenVMS security. See Chapter 5.
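Steps 1 through 4 and step 7 follow from the Requires lines in Sections 4.8.1 through 4.8.7. The following Python sketch is an added example, not part of the guide or of COM for OpenVMS; it derives the start order from those lines and reports which component blocks DCOM$RPCSS for a given set of running process names. The component labels, the `startup_order` and `readiness` functions and the sample process sets are constructed for illustration, and it assumes that "COM for OpenVMS" in the Required by lines means the Service Control Manager.

```python
"""Readiness check derived from the Requires lines of Sections 4.8.1-4.8.7 (added example)."""

# Component -> components it requires, transcribed from the page.
# The OpenVMS Events and RPC endpoint mapper entries under "COM SCM" come from
# those sections' "Required by" lines (assumption: "COM for OpenVMS" there means
# the Service Control Manager). "OpenVMS" and the "RPC image" are part of the
# operating system and are left out.
REQUIRES = {
    "OpenVMS Registry": [],
    "Advanced Server": ["OpenVMS Registry"],
    "ACME server": ["Advanced Server"],
    "RPC and SSPI/NTLM layers": ["ACME server"],
    "OpenVMS Events": ["ACME server"],
    "RPC endpoint mapper": [],
    "COM SCM": ["OpenVMS Registry", "RPC and SSPI/NTLM layers",
                "OpenVMS Events", "RPC endpoint mapper"],
}

# Process to look for. Components with no entry are part of OpenVMS itself.
# PWRK$LMSRV is the Advanced Server process the ACME server requires (Section 4.8.3).
PROCESS = {
    "OpenVMS Registry": "REGISTRY_SERVER",
    "Advanced Server": "PWRK$LMSRV",
    "ACME server": "ACME_SERVER",
    "RPC endpoint mapper": "DCE$RPCD",
    "COM SCM": "DCOM$RPCSS",
}


def startup_order(target, requires=REQUIRES):
    """Return target's transitive requirements, each listed after what it requires."""
    order, done, in_progress = [], set(), set()

    def visit(name):
        if name in done:
            return
        if name in in_progress:
            raise ValueError(f"dependency cycle through {name}")
        in_progress.add(name)
        for dep in requires[name]:
            visit(dep)
        in_progress.discard(name)
        done.add(name)
        order.append(name)

    visit(target)
    return order


def readiness(running, target="COM SCM"):
    """Map each component to 'ok', '<process> not running' or 'blocked by <component>'."""
    status = {}
    for name in startup_order(target):
        unmet = [dep for dep in REQUIRES[name] if status[dep] != "ok"]
        proc = PROCESS.get(name)
        if unmet:
            status[name] = f"blocked by {unmet[0]}"
        elif proc and proc not in running:
            status[name] = f"{proc} not running"
        else:
            status[name] = "ok"
    return status


if __name__ == "__main__":
    # Constructed sample: the ACME server has not been started yet.
    sample = {"REGISTRY_SERVER", "PWRK$LMSRV", "DCE$RPCD"}
    for component, state in readiness(sample).items():
        print(f"{component:26} {state}")
```
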

4.11 Starting COM for OpenVMS (COM for OpenVMS Service Control Manager)

Use the following command to start COM for OpenVMS:


  $ @SYS$STARTUP:DCOM$STARTUP 

Alternatively, you can run DCOM$SETUP and choose option 4. (See Section 6.2.)

The COM for OpenVMS Service Control Manager can be in one of the following states: initializing/running or not started. Depending on the COM for OpenVMS Service Control Manager state, you will see one of the following messages:

4.11.1 Starting COM for OpenVMS Automatically after a Reboot

Compaq recommends that you modify the SYS$MANAGER:SYLOGICALS.COM command file to control COM for OpenVMS startup.

OpenVMS includes a revised SYLOGICALS.TEMPLATE file that includes new startup commands for COM for OpenVMS and related components. Review the "Coordinated Startup" section of this template file and add the appropriate information to your existing startup files.

To have COM for OpenVMS start automatically when the system boots, copy the following line to your SYLOGICALS.COM file, uncomment the line, and make sure it is set to TRUE:


$ DEFINE DCOM$TO_BE_STARTED TRUE 

If you do not set COM for OpenVMS to start automatically when the system boots, you can start COM for OpenVMS using the DCOM$SETUP OpenVMS COM Tools menu, option 4 (see Section 6.2).

4.12 Shutting Down COM for OpenVMS (COM for OpenVMS Service Control Manager)

Use the following command to shut down COM for OpenVMS:


  $ @SYS$STARTUP:DCOM$SHUTDOWN 

Alternatively, you can run DCOM$SETUP and choose option 5. (See Section 6.2.)

The COM for OpenVMS Service Control Manager can be in one of the following states: stopped, running, or initializing. Depending on the COM for OpenVMS Service Control Manager state, you will see one of the following messages:

4.12.1 Suppressing the DCOM$SHUTDOWN Confirmation Request

You can suppress the DCOM$SHUTDOWN command confirmation request by specifying the NOCONFIRM parameter. Use the following command:


   $ @SYS$STARTUP:DCOM$SHUTDOWN NOCONFIRM 

The system displays the following shutdown messages without prompting you to confirm the shutdown:


        ***  DCOM system shutdown procedure  *** 
 
   Terminating DCOM Service Control Manager daemon (DCOM$RPCSS) . . . 
 
        ***  DCOM shutdown successful  *** 
 
     ***  DCOM Shutdown Procedure Complete  *** 


Chapter 5
COM for OpenVMS Security

COM Version 1.1-A for OpenVMS and COM Version 1.1-B for OpenVMS support NTLM (NT LAN Manager) authentication for controlling access to COM objects.

Processes that execute client and server applications must obtain Windows NT credentials in order to be authenticated. Processes created automatically by DCOM$RPCSS to execute server applications obtain Windows NT credentials based on the Registry settings for the server being launched. Interactive processes that are used to execute client and server applications must obtain Windows NT credentials by running the NTA$LOGON utility (see Section 8.2).

This chapter applies to COM for OpenVMS in authenticated mode. See Appendix E for information about running COM for OpenVMS in an unauthenticated environment.

This chapter discusses the following topics:

5.1 System Configuration

NTLM authentication on OpenVMS is implemented in three major components of the operating system (see Section 4.8).

The ACME server, RPC, and SSPI are installed as part of the OpenVMS operating system and require no special configuration. Advanced Server for OpenVMS must be installed as a layered product and must be configured to support NTLM authentication for COM applications (see Section 4.4).

After installing Advanced Server for OpenVMS, you must create network accounts that will be used to execute COM applications. You must also map the network accounts to OpenVMS accounts.

The Advanced Server ADMINISTER utility is used to create network accounts. For example, to create the network account NTUSER1, use the following command:


$ ADMINISTER ADD USER NTUSER1 /PASSWORD="pppppp" /FLAG=NOPWDEXPIRED 

The password is case sensitive, so it is enclosed in quotation marks in order to maintain case. A password without quotation marks is converted to uppercase. By default, network accounts are created with the password pre-expired, thus forcing the user to change the password at the first login. The NOPWDEXPIRED flag overrides this default.

A hostmap entry defines the association between a Windows NT user account and a local OpenVMS user account. When OpenVMS authenticates a Windows NT user, OpenVMS uses the hostmap entry to map the OpenVMS user account to the Windows NT user account and build the local OpenVMS user profile and the Windows NT user profile. If no hostmap entry exists, OpenVMS uses the Windows NT user account name as the local OpenVMS user account name.

Use the Advanced Server for OpenVMS ADMINISTER utility to define hostmap information. For example, to map the network account NTUSER1 to the OpenVMS account VMSUSER1, use the following command:


$ ADMINISTER ADD HOSTMAP NTUSER1 VMSUSER1 

If the OpenVMS account does not already exist, you must create the account using the OpenVMS Authorize utility (AUTHORIZE). The OpenVMS account must have the EXTAUTH flag set, or the IGNORE_EXTAUTH flag (bit 11, %X0800) must be set in the SECURITY_POLICY SYSGEN parameter (see Section 5.1). This policy allows the OpenVMS system manager to control which OpenVMS user accounts can be used with Windows NT authentication. For example, to set the EXTAUTH flag for an OpenVMS account VMSUSER1, use the following command:


$ MCR AUTHORIZE MODIFY VMSUSER1 /FLAG=EXTAUTH 

5.1.1 LOGINOUT.EXE Use of External Authentication

The EXTAUTH flag also directs LOGINOUT.EXE to use external authentication to authenticate an OpenVMS user during the login process (that is, local, dialup, remote, interactive, and network logins). When you set the EXTAUTH flag, LOGINOUT.EXE uses external authentication, not the password in the SYSUAF.DAT record, to verify the OpenVMS user name and password.

LOGINOUT external authentication always requires that you set the EXTAUTH flag in the SYSUAF account record. Unlike NTA$LOGON and authenticated RPC, you cannot override this requirement using the IGNORE_EXTAUTH flag.
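The mapping and flag rules of Sections 5.1 and 5.1.1, modelled as an added Python audit that is not part of the guide or of OpenVMS: it resolves each network account to its OpenVMS account and reports configurations an administrator would want to review. The account names other than NTUSER1 and VMSUSER1, the `resolve` and `audit` functions and the input dictionaries are constructed for illustration; the hostmap and SYSUAF data are assumed to have been exported by hand.

```python
"""Audit model of the hostmap and EXTAUTH rules in Sections 5.1 and 5.1.1 (added example)."""
from typing import NamedTuple

IGNORE_EXTAUTH = 0x0800  # bit 11 of the SECURITY_POLICY SYSGEN parameter (Section 5.1)


class Resolution(NamedTuple):
    nt_user: str
    vms_account: str
    via_hostmap: bool        # False: fell back to the same-named OpenVMS account
    account_exists: bool     # a SYSUAF record exists for vms_account
    ntlm_usable: bool        # account may be used with Windows NT authentication
    loginout_external: bool  # LOGINOUT.EXE authenticates this account externally


def resolve(nt_user, hostmap, uaf_flags, security_policy):
    """Apply the page's rules to one network account."""
    # No hostmap entry: the network account name is used as the OpenVMS name.
    vms = hostmap.get(nt_user, nt_user)
    exists = vms in uaf_flags
    extauth = exists and "EXTAUTH" in uaf_flags[vms]
    ignore = bool(security_policy & IGNORE_EXTAUTH)
    # NTA$LOGON and authenticated RPC accept EXTAUTH or IGNORE_EXTAUTH;
    # LOGINOUT always needs EXTAUTH on the account itself (Section 5.1.1).
    return Resolution(nt_user, vms, nt_user in hostmap, exists,
                      exists and (extauth or ignore), extauth)


def audit(nt_users, hostmap, uaf_flags, security_policy):
    """Return review findings for the given configuration."""
    findings = []
    if security_policy & IGNORE_EXTAUTH:
        findings.append("SECURITY_POLICY: IGNORE_EXTAUTH is set, so the EXTAUTH flag "
                        "no longer limits which accounts accept NT authentication")
    for user in nt_users:
        r = resolve(user, hostmap, uaf_flags, security_policy)
        if not r.account_exists:
            findings.append(f"{user}: resolves to {r.vms_account}, "
                            "which has no SYSUAF record")
            continue
        if not r.via_hostmap:
            findings.append(f"{user}: no hostmap entry, falls back to the "
                            f"same-named OpenVMS account {r.vms_account}")
        if not r.ntlm_usable:
            findings.append(f"{user}: {r.vms_account} lacks EXTAUTH and "
                            "IGNORE_EXTAUTH is clear")
    return findings


# Constructed sample configuration (NTUSER1 -> VMSUSER1 is the page's own example).
NT_USERS = ["NTUSER1", "NTUSER2", "OPERATOR", "NTUSER3"]
HOSTMAP = {"NTUSER1": "VMSUSER1", "NTUSER2": "VMSUSER2", "NTUSER3": "VMSUSER3"}
UAF_FLAGS = {"VMSUSER1": {"EXTAUTH"}, "VMSUSER2": set(), "OPERATOR": set()}

if __name__ == "__main__":
    for policy in (0x0000, IGNORE_EXTAUTH):
        print(f"SECURITY_POLICY = %X{policy:04X}")
        for line in audit(NT_USERS, HOSTMAP, UAF_FLAGS, policy):
            print("  " + line)
```
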

5.1.2 DCE Integrated Login Restriction

A site cannot use both external authentication and the older LGI-callout feature on the same system. If you have an LGI-callout image installed, external authentication is disabled for login purposes. Because DCE integrated login uses the LGI-callout mechanism, OpenVMS does not allow logins using Windows NT-based external authentication if DCE integrated login is enabled.

5.2 Cross-Domain Configuration

You can run a COM application on a system in one domain and have the application authenticated by a system in a second domain.

To configure authentication across Windows NT domains, you must do the following:

  1. Set up trust relationships between domains.
    For more information, see the Advanced Server for OpenVMS Server Administrator's Guide.
  2. Set up the HostMapDomains parameter on Advanced Server for OpenVMS domains (see Example 5-1).
    For more information, see the Advanced Server for OpenVMS Server Administrator's Guide.
  3. Set up account hostmap entries between the Windows NT user account and a local OpenVMS user account.

Example 5-1 shows how you can set up the HostMapDomains parameter. In this example, there are two domains: DOMAIN_1 and DOMAIN_2. Domain DOMAIN_2 is running Advanced Server for OpenVMS; domain DOMAIN_1 is a Windows NT domain. The commands in Example 5-1 introduce DOMAIN_2 to DOMAIN_1.

Example 5-1 Sample: Setting Up HostMapDomains

SYSJANE$ show sym regutl 
  REGUTL == "$SYS$SYSTEM:PWRK$REGUTL.EXE" 
SYSJANE$ regutl 
REGUTL> SET PARAM /CREATE VMSSERVER HOSTMAPDOMAINS DOMAIN_1 
REGUTL> SHOW VALUE * HOSTMAPDOMAINS 
Key: SYSTEM\CurrentControlSet\Services\AdvancedServer\UserServiceParameters 
Value: HostmapDomains 
Type: String 
Current Data: DOMAIN_1 

5.3 Acquiring Windows NT Credentials

After the network account and the OpenVMS account have been set up as described in Section 5.1, you can log in to the OpenVMS account using the usual OpenVMS login procedures. You can then acquire Windows NT credentials using the NTA$LOGON utility. For example:


$ MCR NTA$LOGON NTUSER1 "pppppp" 

In this format, pppppp is the password you specified when you created the network account. The password is enclosed in quotation marks to preserve case. A password without quotation marks is converted to lowercase. If the user name or password is not specified on the command line, the program prompts the user for the required input (see Section 8.2).

To acquire Windows NT credentials for a network account using NTA$LOGON, you must be logged in to the OpenVMS account that is mapped to the network account. Alternatively, if you are logged in to a different OpenVMS account, you must have the IMPERSONATE privilege and use the /OVERRIDE_MAPPING switch. For example:


$ MCR NTA$LOGON /OVERRIDE_MAPPING NTUSER2 "pppppp" 

To determine whether a process has Windows NT credentials, use the NTA$LOGON utility with the /LIST switch. For example:


$ MCR NTA$LOGON /LIST 

5.4 Application Security

The COM security model allows the creation of secure distributed applications. COM security can be enabled by using settings in the OpenVMS Registry and by using COM security APIs and interfaces. There are two primary areas of security that can be applied to COM applications: launch security and activation security.

Launch security and activation security have system default settings; application-specific settings override these defaults. The settings are stored in the Registry and are maintained by using the DCOMCNFG utility on Windows NT and by using the DCOMCNFG option of DCOM$SETUP.COM on OpenVMS. The COM API CoInitializeSecurityEx can be used from within an application to enhance or override the Registry settings.

5.4.1 Launch Security

Launch security determines which network accounts can be used to create, or "launch", server processes. The launch security settings are referenced when a COM request is received on a system that will result in the launching of a server process to satisfy the request. These settings can explicitly or implicitly allow or disallow a user request to launch a server. The DCOM$RPCSS process authenticates the incoming request to determine the identity of the client. If DCOM$RPCSS determines that it needs to launch a server process to satisfy the request, DCOM$RPCSS allows or disallows the launching of the server based on the identity of the client and the launch security settings.

5.4.2 Activation Security

Activation security determines which network accounts can be used to execute method calls in server applications. The activation security settings are referenced when a COM request is received on a system for a method call in an existing server process. The server process authenticates the incoming request to determine the identity of the client. The server process allows or disallows the execution of the method call based on the identity of the client and the activation security settings.

5.4.3 Server Process Identity

A server process created by DCOM$RPCSS on OpenVMS is a detached process that has an OpenVMS identity and follows all the OpenVMS security rules for a detached process. In addition, it has a network identity that is used to enforce the COM security model (see Section 5.5).

COM servers create separate server threads to execute each client request. These server threads have their own OpenVMS identity and network identity, based on the identity of the client. When a server thread is executing a request on behalf of a client, it is the thread's identities, not the process' identities, that are used to enforce security.

5.4.4 Domain Issues

Two systems running COM client and server applications can exist in one of three possible domain configurations:

The ability of servers and DCOM$RPCSS to authenticate client requests is affected by the domain configurations. When both systems are in the same domain, or when the systems are in separate but trusted domains, there is no problem authenticating. The trusted domain configuration is a bit more complex and requires that the trusts and mappings be configured correctly, but once configured, there is no trouble authenticating (see Section 5.2).

Systems in separate, nontrusted domains or systems not in any domain cannot be authenticated using the normal mechanisms. To run authenticated COM applications between such systems, you must pass authentication information (user name and password) from the client to the server. COM provides this capability in the CoCreateInstanceEx API. The pServerInfo parameter of the CoCreateInstanceEx API allows you to specify a user name and password to be used for authentication on the remote server system. The user name and password are part of the COAUTHIDENTITY structure, within the COAUTHINFO structure within the COSERVERINFO structure, that is passed as the pServerInfo parameter to CoCreateInstanceEx.

Section C.3 shows how you can authenticate a remote client that is neither in the server's domain nor in a domain that has a trust with the server's domain.

The current NTLM security implementation on OpenVMS does not support this feature for COM client applications on OpenVMS. This feature is supported for COM clients on Windows NT that communicate with COM servers on OpenVMS. To run COM client applications on OpenVMS where the server is not in the same domain or in a trusted domain, you must disable authentication for the application, as described in Section 5.4.5.

5.4.5 Disabling Authentication

Under certain conditions, you may want to disable authentication between client and server applications. This feature disables many of the security features of COM and of the operating system and should not be used in an environment where security is required. There are two ways to disable authentication for COM applications:

The server must be configured to run with a specific NTLM account identity. Since the client will not be authenticated, there is no way for the server to run with a client's identity. To configure a server to run with a specific NTLM identity, use DCOMCNFG and change the application properties to select the NTLM account.

5.4.6 Access Denied Problems (80070005)

The most common security error a COM application will encounter is access denied (error status value 80070005). The following is a list of the most common causes of this error:

5.5 Server Run-Time Environment

When DCOM$RPCSS launches a server in response to a client request for a COM object, DCOM$RPCSS creates a detached process and executes either the server image or server command file in the context of the detached process. The image or command file that is executed is determined by the value of the Registry key HKEY_CLASSES_ROOT\CLSID\{iid}\LocalServer32, where iid is the unique identifier of the COM object.

The run-time environment of the detached process is as follows:


Chapter 6
COM for OpenVMS Utilities for Application Development and Deployment

This chapter describes how to configure your OpenVMS system (and, optionally, your Windows NT system) to develop and deploy COM applications. It describes the following COM for OpenVMS utilities:

This chapter also includes information about configuring OpenVMS and Windows NT systems to interoperate.

Before you begin

Before you configure COM for OpenVMS on your OpenVMS system, you must install and configure required components and install COM for OpenVMS. See Chapter 4 for information about these steps.

6.1 DCOM$SETUP Utility

DCOM$SETUP is a collection of tools to help a system manager configure the COM for OpenVMS system environment.

DCOM$SETUP Conventions and Requirements

6.2 Running DCOM$SETUP

To run DCOM$SETUP, enter @SYS$STARTUP:DCOM$SETUP at the OpenVMS system prompt.

The system displays the OpenVMS COM Tools menu.

Figure 6-1 DCOM$SETUP OpenVMS COM Tools Menu



--------------------------------------------------------- 
                         OpenVMS COM Tools 
 
           1) DCOMCNFG, COM Configuration Properties 
           2) GUIDGEN, Globally Unique Identifier Generator 
           3) Populate the Registry database for COM 
           4) Start the COM server 
           5) Stop the COM server 
           6) Register a COM application 
           7) Create the DCOM$GUEST account and directory 
           8) Configure the DCOM$RPCSS accounts 
 
           H) Help 
           E) Exit 
 
Please enter your choice: 
--------------------------------------------------------- 

To choose an option, enter the option number. The options are as follows:

6.2.1 Creating and Configuring DCOM$RPCSS Accounts

To display these functions, choose option 8 from the OpenVMS COM Tools menu. The system displays the following:


--------------------------------------------------------- 
Configure the COM for OpenVMS Service Control Manager (DCOM$RPCSS) accounts 
 
   1) Create the DCOM$RPCSS account in both the SYSUAF database and the 
      Advanced Server for OpenVMS SAM database. The password you specify 
      for the new DCOM$RPCSS user is stored in a protected file. 
 
   2) Update the DCOM$RPCSS user password in the COM for OpenVMS Service 
      Control Manager password file. 
 
   E) Exit 
 
Please enter your choice: 
--------------------------------------------------------- 

Enter one of the following:

6.2.2 Starting and Stopping the COM Server (DCOM$RPCSS Process)

COM for OpenVMS requires that the COM server process (DCOM$RPCSS) always be running. The DCOM$RPCSS process on OpenVMS provides the same functions for the COM run-time environment that the RPCSS process provides on Microsoft Windows NT, including the following:

To start DCOM$RPCSS, either use DCOM$SETUP option 4 ("Start") (see Section 6.2) or call the COM for OpenVMS startup procedure directly from SYS$STARTUP:DCOM$STARTUP. See Section 4.11 for information on starting COM for OpenVMS.

To stop DCOM$RPCSS on your system, either use the DCOM$SETUP option 5 ("Stop") (see Section 6.2) or call the COM for OpenVMS shutdown procedure directly from SYS$STARTUP:DCOM$SHUTDOWN. See Section 4.12 for information on shutting down COM for OpenVMS.

6.2.3 Registering an Application

The following example shows how to register the COM for OpenVMS "Simple" application included on the COM for OpenVMS kit. You can use the resulting Windows NT file to register the server on a Windows NT system as long as the application is available on your Windows NT system.

To build the "Simple" application on a Windows NT system, see and execute the instructions in the README-SIMPLE.TXT file in DCOM$EXAMPLES:[SIMPLE].

Note

You must build and compile the application before you can register it. For complete details, see the step-by-step example in DCOM$EXAMPLES:[SIMPLE] included in the COM for OpenVMS kit.

Use the following procedure:

  1. From the DCOM$SETUP menu, enter 6 or REGISTER.
  2. Answer the questions as follows:

    Note

    The "Simple" application already has a CLSID.

    Example 6-1 Sample "Simple" Application Registration on OpenVMS

    Enter server type (1. In-Proc  2. Out-Proc): 2 [Return] 
    Enter Local Path (device:[directory]filename.ext): DKA0:[SMITH]SSERVER.EXE [Return] 
    Enter Application Name (<RETURN> to assign default): COM Simple Server [Return] 
    Does the server have a CLSid {GUID} (Yes/No) [N]: Y [Return] 
    Enter the CLSid (i.e. {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}: 
       {5e9ddec7-5767-11cf-beab-00aa006c3606} [Return] 
     
    Verify Application Information: 
     
             Application Name: COM SIMPLE SERVER 
             Local Path: DKA0:[SMITH]SSERVER.EXE 
             Application ID: {5E9DDEC7-5767-11CF-BEAB-00AA006C3606} 
     
    Is the information correct (Yes/No) [Y]: [Return] 
    Register application (Yes/No)? [Y]: [Return] 
     
    SETUP-I-NEWFILES, The following files have been created: 
     
          DKA0:[SMITH]SSERVER.REG_NT 
          DKA0:[SMITH]SSERVER.REG_VMS 
     
    SETUP-I-SRVIN, Server has been registered 
    Press RETURN to continue: [Return] 
    

To register the "Simple" application on a Windows NT system, use the following procedure:

  1. Copy all the files in the DCOM$EXAMPLES:[SIMPLE] directory to your Windows NT system.
  2. Rename SSERVER.REG_NT to SSERVER.REG.
  3. Edit the file to point to the local server path.
    For example, replace DEVICE:\SSERVER with C:\SSERVER.
  4. Run the Install.bat program to add the necessary keys to the Windows NT registry.

Example 6-2 shows the contents of SSERVER.REG_NT .

Example 6-2 Contents of SSERVER.REG_NT

REGEDIT 
HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}\ = DCOM server application SSERVER 
HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}\LaunchPermission = Y 
HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}\LocalServer32 = DEVICE:\SSERVER 

To reregister the "Simple" application on an OpenVMS system, enter the following command at the system prompt:


$ @SSERVER.REG_VMS

Example 6-3 shows the contents of the SSERVER.REG_VMS command procedure:

Example 6-3 Contents of SSERVER.REG_VMS

$ Set noon 
$ regcp :=  $regcp 
$ crekey := $regcp create key 
$ creval := $regcp create value 
$ modval := $regcp modify value 
$ lisval := $regcp list value 
$ crekey HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606} 
$ creval HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606} - 
              /data="DCOM server application SSERVER" /type=sz 
$ creval HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}/name="AppID" - 
              /data="{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}" /type=sz 
$ crekey HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}\LaunchPermission 
$ creval HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}\LaunchPermission - 
              /data="Y" /type=sz 
$ crekey HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}\LocalServer32 
$ creval HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}\LocalServer32 - 
              /data="DKA0:[SMITH]SSERVER.EXE" /type=sz 
$ 

6.3 Running DCOM$CNFG

DCOM$CNFG is a utility to help COM developers configure and manage COM for OpenVMS applications on OpenVMS. Use the DCOM$CNFG utility to query information and manipulate properties of COM for OpenVMS applications.

To use the DCOM$CNFG utility, choose option 1 from the DCOM$SETUP menu.

Note

Before running the DCOM$CNFG utility, you must:
  • Have OpenVMS Registry Read access to read application properties, and Write access to modify application properties.
  • Ensure that the ACME server is running on the current system. The ACME server must be running to view and change application security properties. For more information, see Table 4-1.
  • Acquire Windows NT security credentials before you can change an application identity. For more information, see Section 8.2.

The system displays the DCOM$CNFG Main menu.

Figure 6-2 DCOM$CNFG Main Menu



--------------------------------------------------------- 
                DCOM$CNFG Main 
 
   1 - Applications List 
   2 - System-wide Default Properties 
   3 - System-wide Default Security 
 
   (E to Exit) 
   (H for Help) 
 
   Enter <CTRL-Z> or 'E' to return to the previous menu at any time 
 
   Please enter your choice: 
--------------------------------------------------------- 

The options are as follows:

6.3.1 The DCOM$CNFG Application List Submenu

To display this submenu, from the DCOM$CNFG Main menu, choose option 1.

The system displays the Applications List submenu.

Figure 6-3 Applications List Submenu



--------------------------------------------------------- 
                Applications List 
 
   Index    Name 
    1      Inside COM, Chapter 11 Example 
    2      application 2
    3      application 3
    .      ... 
    .      ... 
    .      ... 
 
  (E to Exit to previous menu) 
  (H for Help) 
 
  Please enter Index number to select an Application: 
--------------------------------------------------------- 

Enter a number to select an application. You can then view or configure its properties.

This option displays the Application Properties submenu.

Note

The system stores the Application Properties (Location, Security, and Identity) (see Figure 6-4) in a special key in the OpenVMS Registry that is associated with each application. You cannot change the Application Properties until you create this special key using the DCOM$CNFG utility. The DCOM$CNFG utility creates this special key when the utility discovers a newly registered application. In this case, the DCOM$CNFG user must have acquired Windows NT security credentials for an account that is a member of the Administrator group. Otherwise, the key will not be created. For more information about acquiring Windows NT credentials, see Section 8.2.

Use the following procedure to manage the Application Properties:

  1. Register the application.
  2. Do either of the following:
    • Acquire Windows NT security credentials for an account that is a member of the Administrator group and then run DCOM$CNFG.
    • Have a system administrator with the appropriate credentials run DCOM$CNFG.
  3. Run DCOM$CNFG from your own account to manage the properties.

Figure 6-4 Application Properties Submenu



------------------------------------------------------------------ 
               Application Properties 
 
   General Properties of this DCOM Application 
 
   Application name:  Inside COM, Chapter 11 Example 
   Application id:    {0C092C2C-882C-11CF-A6BB-0080C7B2D682} 
   Application type:  local server 
   Local path:        DISK1:[SMITH.DISPATCH_SAMPLE1]CMPNT.EXE 
   Type Library:      {D3011EE1-B997-11CF-A6BB-0080C7B2D682} 
   version: 1.0  DISK1:[SMITH.DISPATCH_SAMPLE1]Server.tlb 
 
   1 - Location    Machine to run application 
   2 - Security    Security permissions for application 
   3 - Identity    User account to use to run application 
 
   (E to Exit to previous menu) 
   (H for Help) 
 
   Please enter Application Property you wish to change: 
------------------------------------------------------------------ 

If the system cannot find the type library file or if the type library is inaccessible, the system displays an error message next to the type library file name.

The options are as follows:

The system uses the systemwide default security values unless you specify a different setting.

The system displays the Application Security submenu.

Figure 6-6 Application Security Submenu



--------------------------------------------------------- 
                Application Security 
 
   Application name:  Inside COM, Chapter 11 Example 
   Current Access permissions:  Custom 
   Current Launch permissions:  Custom 
   Current Configuration permissions:  Default 
 
   1 - Use Default Access permission 
   2 - Edit Custom Access permission 
   3 - Use Default Launch permission 
   4 - Edit Custom Launch permission 
   5 - Use Default Configuration permission 
   6 - Edit Custom Configuration permission 
 
   (E to Exit to previous menu) 
   (H for Help) 
 
   Please enter your choice: 
--------------------------------------------------------- 

The options are as follows:

6.3.2 Registry Value Permissions Submenus

To display this submenu:

  1. From the DCOM$CNFG menu, choose option 1.
  2. From the Applications List submenu, choose any application.
  3. From the Application Properties submenu, choose option 2.
  4. From the Application Security submenu, choose option 2 or 4.

Figure 6-7 Registry Value Permissions Submenu



--------------------------------------------------------- 
                Registry Value Permissions 
 
   Application name: Inside COM, Chapter 11 Example 
   Registry Value: LaunchPermission 
   Owner: Administrator 
 
   Index    Name                           Type of Access 
     1      OPENVMS_DCOM\USER1                Deny 
     2      BUILTIN\Administrators            Allow 
     3      Everyone                          Allow 
     4      NT AUTHORITY\SYSTEM               Allow 
     5      OPENVMS_DCOM\USER2                Allow 
 
        (Index Number to Delete or Modify Access) 
        (A to Add to list) 
 
        (E to Exit to previous menu) 
        (H for Help) 
 
        Please enter your choice: 
--------------------------------------------------------- 

The options are as follows:

Figure 6-8 Edit Registry Value Permissions Submenu



--------------------------------------------------------- 
                Edit Registry Value Permissions 
 
        Application name: Inside COM, Chapter 11 Example 
        Registry Value: AccessPermission 
        Owner: Administrator 
 
        Name: OPENVMS_DCOM\USER1 
        Type of Access: Deny 
 
        1 - Delete entry from list 
        2 - Change Access 
 
        (E to Exit to previous menu) 
        (H for Help) 
 
        Please enter your choice: 
--------------------------------------------------------- 

The options are as follows:

6.3.3 Registry Key Permissions Submenus

To display this submenu:

  1. From the DCOM$CNFG menu, choose option 1.
  2. From the Applications List submenu, choose any application.
  3. From the Application Properties submenu, choose option 2.
  4. From the Application Security submenu, choose option 6.

Figure 6-10 Registry Key Permissions Submenu



--------------------------------------------------------- 
                Registry Key Permissions 
 
   Application name: Inside COM, Chapter 11 Example 
   Registry Key: Inside COM, Chapter 11 Example 
   Owner: Administrator 
 
   Index    Name                     Type of Access 
 
   1     BUILTIN\Administrators      Full Control 
   2     NT AUTHORITY\SYSTEM         Full Control 
   3     CREATOR OWNER               Full Control 
   4     Everyone                    Special Access 
   5     OPENVMS_DCOM\USER1          Read 
 
   (Index Number to Delete or Modify Access) 
   (A to Add to list) 
 
   (E to Exit to previous menu) 
   (H for Help) 
 
   Please enter your choice: 
--------------------------------------------------------- 

The options are as follows:

Figure 6-11 Edit Registry Key Permissions Submenu



--------------------------------------------------------- 
                Edit Registry Key Permissions 
 
   Application name: Inside COM, Chapter 11 Example 
   Registry Key: Inside COM, Chapter 11 Example 
   Owner: Administrator 
 
   Name: BUILTIN\Administrators 
   Type of Access: Full Control 
 
   1 - Delete entry from list 
   2 - Allow Full Control 
   3 - Allow Read Access 
   4 - Set/View Special Access 
 
   (E to Exit to previous menu) 
   (H for Help) 
 
   Please enter your choice: 
--------------------------------------------------------- 

The options are as follows:

Figure 6-12 Special Access Registry Key Permissions Submenu



--------------------------------------------------------- 
                Special Access Registry Key Permissions 
 
   Application name: Inside COM, Chapter 11 Example 
   Registry Key: Inside COM, Chapter 11 Example 
 
   Name: Everyone 
 
   Type of Access                          Current Value 
 
   0 - Query Value                           Yes 
   1 - Set Value                             Yes 
   2 - Create Subkey                         Yes 
   3 - Enumerate Subkeys                     Yes 
   4 - Notify                                Yes 
   5 - Create Link                           No 
   6 - Delete                                Yes 
   7 - Write DACL                            No 
   8 - Write Owner                           No 
   9 - Read Control                          Yes 
 
   (E to Exit to previous menu) 
   (H for Help) 
 
   Please enter your choice: 
--------------------------------------------------------- 

The options are as follows:

Figure 6-13 Add Registry Key Permissions Submenu



--------------------------------------------------------- 
                Add Registry Key Permissions 
 
   Application name: Inside COM, Chapter 11 Example 
   Registry Key: Inside COM, Chapter 11 Example 
   Owner: Administrator 
 
   1 - Add Specific User or Group 
   2 - Add Everyone 
   3 - Add NT AUTHORITY\System 
   4 - Add BUILTIN\Administrators 
 
   (E to Exit to previous menu) 
   (H for Help) 
 
   Please enter your choice: 
--------------------------------------------------------- 

The options are as follows:

6.3.4 Application Identity Submenu

To display this submenu:

  1. From the DCOM$CNFG menu, choose option 1.
  2. From the Applications List submenu, choose any application.
  3. From the Application Properties submenu, choose option 3.

The system displays the Application Identity submenu.

Figure 6-14 Application Identity Submenu



--------------------------------------------------------- 
                Application Identity 
 
   Which user account do you want to use to run this application? 
 
   Application name:  Inside COM, Chapter 11 Example 
   Current Identity:  NTLM Account OPENVMS_DCOM\USER2 
 
   1 - Launching User 
   2 - NTLM Account 
   3 - OpenVMS Username 
   4 - OpenVMS DCOM Guest Account 
 
   (E to Exit to previous menu) 
   (H for Help) 
 
   Please enter account you wish to use: 
--------------------------------------------------------- 

The options are as follows:

6.3.5 The DCOM$CNFG System-wide Default Properties Submenu

To display this submenu, from the DCOM$CNFG Main menu, choose option 2.

The system displays the System-wide Default Properties submenu.

Figure 6-15 System-wide Default Properties Submenu



--------------------------------------------------------- 
            System-wide Default Properties 
 
   1 - Enable Distributed COM on this computer (Yes/No) 
              Current value: Yes 
   2 - Default Authentication Level 
   3 - Default Impersonation Level 
 
 
   (E to Exit to previous menu) 
   (H for Help) 
 
   Please enter your choice: 
--------------------------------------------------------- 

The options are as follows:

6.3.6 System-wide Default Security Submenu

To display this submenu, from the DCOM$CNFG Main Menu, choose option 3.

The system displays the System-wide Default Security submenu.

Figure 6-18 System-wide Default Security Submenu



------------------------------------------------------------------ 
                System-wide Default Security 
 
        1 - Access Permissions Default 
        2 - Launch Permissions Default 
        3 - Configuration Permissions Default 
 
        (E to Exit to previous menu) 
        (H for Help) 
 
        Please enter your choice: 
------------------------------------------------------------------ 

The options are as follows:

When you first install the system, by default only Administrator and System accounts have application launch and access permissions. Compaq recommends that you do not change these default settings. Typically you modify an individual application's launch and access security to grant or deny permissions to Everyone, various Groups, or even specific users. Compaq recommends this technique over adjusting the machinewide default security settings that affect all applications.
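The following added example (not part of the original guide or of DCOM$CNFG) parses a captured Registry Value Permissions screen, using the text of Figure 6-7, and lists the entries that grant access beyond the install-time Administrator and System defaults described above. It assumes those defaults appear in the list as BUILTIN\Administrators and NT AUTHORITY\SYSTEM; the function names are illustrative.

```python
import re

# Accounts the guide says hold launch and access permissions after installation.
# Mapping them to these two list names is an assumption based on the menu entries.
BASELINE = {r"BUILTIN\ADMINISTRATORS", r"NT AUTHORITY\SYSTEM"}

# Screen text as shown in Figure 6-7 (Registry Value Permissions submenu).
FIGURE_6_7 = r"""
   Application name: Inside COM, Chapter 11 Example
   Registry Value: LaunchPermission
   Owner: Administrator

   Index    Name                           Type of Access
     1      OPENVMS_DCOM\USER1                Deny
     2      BUILTIN\Administrators            Allow
     3      Everyone                          Allow
     4      NT AUTHORITY\SYSTEM               Allow
     5      OPENVMS_DCOM\USER2                Allow

        (Index Number to Delete or Modify Access)
"""

# Columns are separated by two or more spaces; names may contain single spaces.
ROW = re.compile(r"^\s*(\d+)\s{2,}(\S.*?)\s{2,}(\S.*?)\s*$")

def parse_permissions(screen):
    """Return (registry_value, [(index, name, access), ...]) from a captured screen."""
    value = None
    entries = []
    for line in screen.splitlines():
        header = re.match(r"\s*Registry (?:Value|Key):\s*(.+?)\s*$", line)
        if header:
            value = header.group(1)
            continue
        row = ROW.match(line)
        if row:
            entries.append((int(row.group(1)), row.group(2), row.group(3)))
    return value, entries

def beyond_baseline(entries):
    """Entries that grant access to a principal outside the install-time baseline."""
    return [e for e in entries
            if e[2].lower() != "deny" and e[1].upper() not in BASELINE]

if __name__ == "__main__":
    value, entries = parse_permissions(FIGURE_6_7)
    for index, name, access in beyond_baseline(entries):
        scope = "all users" if name.lower() == "everyone" else "one account or group"
        print(f"{value}: entry {index} grants {access} to {name} ({scope})")
```

The same parser reads the Registry Key Permissions list in Figure 6-10, where the access column holds values such as Full Control or Special Access.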

