Document revision date: 15 July 2002

The system uses the systemwide default security values unless you specify a different setting.

The system displays the Application Security submenu.

Figure 6-6 Application Security Submenu

--------------------------------------------------------- Application Security Application name: Inside COM, Chapter 11 Example Current Access permissions: Custom Current Launch permissions: Custom Current Configuration permissions: Default 1 - Use Default Access permission 2 - Edit Custom Access permission 3 - Use Default Launch permission 4 - Edit Custom Launch permission 5 - Use Default Configuration permission 6 - Edit Custom Configuration permission (E to Exit to previous menu) (H for Help) Please enter your choice: ---------------------------------------------------------

The options are as follows:

• 1 - Use Default Access permission
  Sets the system to the default access permission values.
• 2 - Edit Custom Access permission
  Displays the Registry Value Permissions submenu. This submenu allows you to view, add, modify, and delete access permission values for this application. For this set of submenus, see Section 6.3.2.
  The ACL Editor starts with the systemwide default values unless you previously set other values.
• 3 - Use Default Launch permission
  Use the systemwide default launch permission values.
• 4 - Edit Custom Launch permission
  Displays the Registry Value Permissions submenu. This submenu allows you to view, add, modify, and delete launch permission values for this application. For this set of submenus, see Section 6.3.2.
  The ACL Editor starts with the systemwide default values unless you previously set other values.
• 5 - Use Default Configuration permission
  Use the systemwide configuration permission values.
• 6 - Edit Custom Configuration permission
  The system displays the Registry Key Permissions submenu. This submenu allows you to view, add, modify, delete, and configure special access security permissions for this application. For this set of submenus, see Section 6.3.3.

To display this submenu:

1. From the DCOM$CNFG menu, choose option 1.
2. From the Applications List submenu, choose any application.
3. From the Application Properties submenu, choose option 2.
4. From the Application Security submenu, choose option 2 or 4.

Figure 6-7 Registry Value Permissions Submenu

--------------------------------------------------------- Registry Value Permissions Application name: Inside COM, Chapter 11 Example Registry Value: LaunchPermission Owner: Administrator Index Name Type of Access 1 OPENVMS_DCOM\USER1 Deny 2 BUILTIN\Administrators Allow 3 Everyone Allow 4 NT AUTHORITY\SYSTEM Allow 5 OPENVMS_DCOM\USER2 Allow (Index Number to Delete or Modify Access) (A to Add to list) (E to Exit to previous menu) (H for Help) Please enter your choice: ---------------------------------------------------------

The options are as follows:

• Index Number...
  To change or delete an access type, enter the corresponding index number. The system displays Edit Registry Value Permissions submenu. See Figure 6-8.
• A to Add to List
  This option displays the Add Registry Value Permissions submenu. This submenu allows you to add a new entry to the OpenVMS Registry value's Access Control List. See Figure 6-9.

Figure 6-8 Edit Registry Value Permissions Submenu

--------------------------------------------------------- Edit Registry Value Permissions Application name: Inside COM, Chapter 11 Example Registry Value: AccessPermission Owner: Administrator Name: OPENVMS_DCOM\USER1 Type of Access: Deny 1 - Delete entry from list 2 - Change Access (E to Exit to previous menu) (H for Help) Please enter your choice: ---------------------------------------------------------

The options are as follows:

• 1 - Delete entry from list
  Delete the entry from the Access Control List. If you delete all entries, you will deny access and launch permissions to everyone for the selected value.
• 2 - Change Access
  Toggle the access type from Allow to Deny or Deny to Allow.

  Figure 6-9 Add Registry Value Permissions Submenu

  ---

  --------------------------------------------------------- Add Registry Value Permissions Application name: Inside COM, Chapter 11 Example Registry Value: LaunchPermission Owner: ROLLO 1 - Add Specific User or Group 2 - Add Everyone 3 - Add NT AUTHORITY\System 4 - Add BUILTIN\Administrators (E to Exit to previous menu) (H for Help) Please enter your choice: ---------------------------------------------------------

  
  The options are as follows:

  • 1 - Add Specific User or Group
    Prompts for a user/group name and type of access. Specify the user name as domain\username or username if the account exists on the current domain.
  • 2 - Add Everyone
    Allow or Deny Everyone Access/Launch permission to the application.
  • 3 - Add NT AUTHORITY\System
    Allow or Deny System Access/Launch permission to the application.
  • 4 - Add BUILTIN\Administrators
    Allow or Deny Administrator Access/Launch permission to the application.
  
  When a user is part of two or more groups, Deny access takes precedence over Allow access .

To display this submenu:

1. From the DCOM$CNFG menu, choose option 1.
2. From the Applications List submenu, choose any application.
3. From the Application Properties submenu, choose option 2.
4. From the Application Security submenu, choose option 6.

Figure 6-10 Registry Key Permissions Submenu

--------------------------------------------------------- Registry Key Permissions Application name: Inside COM, Chapter 11 Example Registry Key: Inside COM, Chapter 11 Example Owner: Administrator Index Name Type of Access 1 BUILTIN\Administrators Full Control 2 NT AUTHORITY\SYSTEM Full Control 3 CREATOR OWNER Full Control 4 Everyone Special Access 5 OPENVMS_DCOM\USER1 Read (Index Number to Delete or Modify Access) (A to Add to list) (E to Exit to previous menu) (H for Help) Please enter your choice: ---------------------------------------------------------

The options are as follows:

• Index Number...
  To change or delete an access type, enter the corresponding index number. The system displays Edit Registry Key Permissions submenu. See Figure 6-11.
• A to Add to List
  This option displays the Add Registry Key Permissions submenu. This submenu allows you to add a new entry to the OpenVMS Registry key's Access Control List. See Figure 6-13.

Figure 6-11 Edit Registry Key Permissions Submenu

--------------------------------------------------------- Edit Registry Key Permissions Application name: Inside COM, Chapter 11 Example Registry Key: Inside COM, Chapter 11 Example Owner: Administrator Name: BUILTIN\Administrators Type of Access: Full Control 1 - Delete entry from list 2 - Allow Full Control 3 - Allow Read Access 4 - Set/View Special Access (E to Exit to previous menu) (H for Help) Please enter your choice: ---------------------------------------------------------

The options are as follows:

• 1 - Delete entry from list
  Delete the entry from the security permissions list. If you delete all entries, noone can access the key and only the owner can change the permissions.
• 2 - Allow Full Control
  Allow the user to access, to edit, and to take ownership of the key.
• 3 - Allow Read Access
  Allow the user to read the key but not to save any changes to it.
• 4 - Set/View Special Access
  Displays the Special Access Registry Key Permissions submenu. This submenu allows you to set customized permissions for the selected user or groups. See Figure 6-12.

Figure 6-12 Special Access Registry Key Permissions Submenu

--------------------------------------------------------- Special Access Registry Key Permissions Application name: Inside COM, Chapter 11 Example Registry Key: Inside COM, Chapter 11 Example Name: Everyone Type of Access Current Value 0 - Query Value Yes 1 - Set Value Yes 2 - Create Subkey Yes 3 - Enumerate Subkeys Yes 4 - Notify Yes 5 - Create Link No 6 - Delete Yes 7 - Write DACL No 8 - Write Owner No 9 - Read Control Yes (E to Exit to previous menu) (H for Help) Please enter your choice: ---------------------------------------------------------

The options are as follows:

• 0 - Query Value
  Allow the user to read a value from the key.
• 1 - Set Value
  Allow the user to set one or more values for the key.
• 2 - Create Subkey
  Allow the user to create subkeys on the key.
• 3 - Enumerate Subkeys
  Allow the user to identify the subkeys of the key.
• 4 - Notify
  Allow the user to audit notification events from the key.
• 5 - Create Link
  Allow the user to create a symbolic link in the key.
• 6 - Delete
  Allow the user to delete the key.
• 7 - Write DACL
  Allow the user access to the key to write a discretionary ACL to the key.
• 8 - Write Owner
  Allow the user access to the key to take ownership of the key.
• 9 - Read Control
  Allow the user access to the security information on the key.

Figure 6-13 Add Registry Key Permissions Submenu

--------------------------------------------------------- Add Registry Key Permissions Application name: Inside COM, Chapter 11 Example Registry Key: Inside COM, Chapter 11 Example Owner: Administrator 1 - Add Specific User or Group 2 - Add Everyone 3 - Add NT AUTHORITY\System 4 - Add BUILTIN\Administrators (E to Exit to previous menu) (H for Help) Please enter your choice: ---------------------------------------------------------

The options are as follows:

• 1 - Add Specific User or Group
  Prompts for a user/group name and type of access. Specify the user name as domain\username or username if the account exists on the current domain.
• 2 - Add Everyone
  Allow Everyone Full Control or Read Access to the application.
• 3 - Add NT AUTHORITY\System
  Allow System Full Control or Read Access to the application.
• 4 - Add BUILTIN\Administrators
  Allow Administrator Full Control or Read Access to the application.

To display this submenu:

1. From the DCOM$CNFG menu, choose option 1.
2. From the Applications List submenu, choose any application.
3. From the Application Properties submenu, choose option 3.

The system displays the Application Identity submenu.

Figure 6-14 Application Identity Submenu

--------------------------------------------------------- Application Identity Which user account do you want to use to run this application? Application name: Inside COM, Chapter 11 Example Current Identity: NTLM Account OPENVMS_DCOM\USER2 1 - Launching User 2 - NTLM Account 3 - OpenVMS Username 4 - OpenVMS DCOM Guest Account (E to Exit to previous menu) (H for Help) Please enter account you wish to use: ---------------------------------------------------------

The options are as follows:

• 1 - Launching User
  Specifies that the application will run using the security context of the user who started the application. This is the default if NTLM security is available.
• 2 - NTLM Account
  Specifies that the application will run using the security context of the specified NTLM account. If you specify a valid User/Group name, the system prompts you for a password. The system checks that the password matches the password you used to log on (through NTA$LOGON ). If the passwords do not match, you can either continue and write this new password to the OpenVMS Registry or reenter a password that matches your logon password.

  Note If you enter a new password, the system does not synchronize the new password with any other password. You must synchronize the passwords manually. You must have the IMPERSONATE privilege for the password to be validated. You must have system write access (SYSPRV or REG$UPDATE) to the OpenVMS Registry to write the password to the database.

• 3 - OpenVMS Username
  Specifies that the application will run using the security context of the specified OpenVMS account. This option is active only when you are using unauthenticated COM for OpenVMS.
• 4 - OpenVMS DCOM Guest Account
  Specifies that the application will run using the security context of the OpenVMS DCOM Guest account. This option is active only when you are using unauthenticated COM for OpenVMS. If you are using unauthenticated COM for OpenVMS, this option is the default.

To display this submenu, from the DCOM$CNFG Main menu, choose option 2.

The system displays the System-wide Default Properties submenu.

Figure 6-15 System-wide Default Properties Submenu

--------------------------------------------------------- System-wide Default Properties 1 - Enable Distributed COM on this computer (Yes/No) Current value: Yes 2 - Default Authentication Level 3 - Default Impersonation Level (E to Exit to previous menu) (H for Help) Please enter your choice: ---------------------------------------------------------

The options are as follows:

• 1 - Enable Distributed COM on this computer (Yes/No)
  Enables or disables COM on this computer.
• 2 - Default Authentication Level
  Sets packet-level security on communications between applications. This systemwide default applies to all applications installed on this computer.

  Figure 6-16 Default Authentication Level Submenu

  ---

  ------------------------------------------------------------------ Default Authentication Level The Authentication Level specifies security at the packet level. Current value: Connect 1 - Default 2 - None 3 - Connect 4 - Call 5 - Packet 6 - Packet Integrity (E to Exit to previous menu) (H for Help) Please enter your choice: ------------------------------------------------------------------

  
  Enter a number to select the desired Authentication level. When installed, the system default for the Default Authentication Level is Connect .

• 3 - Default Impersonation Level
  Specifies whether applications can determine who is calling them, and whether the application can perform operations using the client's identity.

  Figure 6-17 Default Impersonation Level Submenu

  ---

  ------------------------------------------------------------------ Default Impersonation Level The Impersonation Level specifies whether applications can determine who is calling them, and whether the application can perform operations using the client's identity. Current value: Identify 1 - Anonymous 2 - Identify 3 - Impersonate (E to Exit to previous menu) (H for Help) Please enter your choice: ------------------------------------------------------------------

  
  Enter a number to select the desired Impersonation level. When installed, the system default for the Default Impersonation Level is Identify .

To display this submenu, from the DCOM$CNFG Main Menu, choose option 3.

The system displays the System-wide Default Security submenu.

Figure 6-18 System-wide Default Security Submenu

------------------------------------------------------------------ System-wide Default Security 1 - Access Permissions Default 2 - Launch Permissions Default 3 - Configuration Permissions Default (E to Exit to previous menu) (H for Help) Please enter your choice: ------------------------------------------------------------------

The options are as follows:

• 1 - Access Permissions Default :
  Displays the Registry Value Permissions submenu. This submenu allow you to view, add, modify, and delete Access permission values for the systemwide default for all applications.
• 2 - Launch Permissions Default :
  Displays the Registry Value Permissions submenu. This submenu allows you to view, add, modify, and delete Launch Permission Values for the systemwide default for all applications. You must restart the COM for OpenVMS Service Control Manager for the new setting to take effect.
• 3 - Configuration Permissions Default :
  Displays the security permission values for the HKEY_CLASSES_ROOT Registry key.

When you first install the system, by default only Administrator and System accounts have application launch and access permissions. Compaq recommends that you do not change these default settings. Typically you modify an individual application's launch and access security to grant or deny permissions to Everyone , various Groups , or even specific users. Compaq recommends this technique over adjusting the machinewide default security settings that affect all applications.

6.4 Registering In-Process Servers: DCOM$REGSVR32 Utility

All COM components (implemented as either an out-of-process server or as an in-process server) must be registered in the OpenVMS Registry before you can use them.

Out-of-process servers, which are implemented as executable programs ( .EXE files), usually contain code to register and unregister the components contained within them. The advantage an out-of-process server has over an in-process server is that you can run the executable and automatically create the necessary registry keys.

In-process servers, which are usually implemented as dynamic link libraries ( .DLL files) on Windows NT or as shareable images on OpenVMS, also contain code to register and unregister the components within them automatically. However, these in-process servers cannot be run the same way as an executable image because they do not contain a main entry point. As a result, you must manually register the components contained within a .DLL , or create a command procedure to perform the registration.

Microsoft provides the REGSVR32 utility that you can use to register the components contained within a DLL. REGSVR32 takes as a command line argument the following:

• DLL name
• Switches to register or unregister the components

When registering a DLL's components, REGSVR32 searches the specified DLL for the DllRegisterServer symbol and, if found, calls it. When unregistering a DLL, REGSVR32 calls DllUnregisterServer . This means that all in-process components that you want to register automatically must include these two entry points in their export files.

To facilitate the registration of components contained within shareable images on OpenVMS systems, Compaq created the DCOM$REGSVR32 utility. The DCOM$REGSVR32 utility does the same things that the Microsoft REGSVR32 utility does. Any shareable images that contain components to be registered must also include the DllRegisterServer and DllUnregisterServer universal symbols in their symbol vectors. Both the DCOM$REGSVR32 and the REGSVR32 utilities use the same command line syntax.

During the COM for OpenVMS installation, the system places the DCOM$REGSVR32.EXE file in the SYS$SYSTEM directory.

Before you use the DCOM$REGSVR32 utility, you must define a symbol that allows the utility to accept foreign command lines. For example:

$ regsvr32 :== $DCOM$REGSVR32

Alternatively, you can activate the DCOM$REGSVR32 utility as follows:

$ MCR DCOM$REGSVR32

You can use either method to activate the utility, and register or unregister components contained in shareable images.

To display help for DCOM$REGSVR32, enter the following:

$ regsvr32 -?

Table 6-1 summarizes the DCOM$REGSVR32 command line options.

Table 6-1 DCOM$REGSVR32 Command Line Options

Switch	Use
-?, /?	Display help file (this table).
shareable-image-name	Register the specified shareable image name.
-u or /u image-name	Unregister the specified shareable image name.

Example 6-4 demonstrates how to register an in-process component (contained within a shareable image) using the DCOM$REGSVR32 utility.

Example 6-4 Registering a Component Using the DCOM$REGSVR32 Utility

$ regsvr32 USER$DISK:[SEYMOUR.DISPATCH_SAMPLE1]CMPNT$SHR.EXE Class factory: Create self. DllRegisterServer: Registering Server DLL Creating key CLSID\{0C092C2C-882C-11CF-A6BB-0080C7B2D682} Creating key CLSID\{0C092C2C-882C-11CF-A6BB-0080C7B2D682}\InProcServer32 Creating key CLSID\{0C092C2C-882C-11CF-A6BB-0080C7B2D682}\ProgID Creating key CLSID\{0C092C2C-882C-11CF-A6BB-0080C7B2D682}\VersionIndependentProgID Creating key CLSID\{0C092C2C-882C-11CF-A6BB-0080C7B2D682}\TypeLib Creating key InsideCOM.Chap11 Creating key InsideCOM.Chap11\CLSID Creating key InsideCOM.Chap11\CurVer Creating key InsideCOM.Chap11.1 Creating key InsideCOM.Chap11.1\CLSID Class factory: Destroy self.

Example 6-5 demonstrates how to unregister an in-process component (contained within a shareable image) using the DCOM$REGSVR32 utility.

Example 6-5 Unregistering a Component Using the DCOM$REGSVR32 Utility

$ regsvr32 /u USER$DISK:[SEYMOUR.DISPATCH_SAMPLE1]CMPNT$SHR.EXE Class factory: Create self. DllUnregisterServer: Unregistering Server DLL Deleting key InProcServer32 Deleting key ProgID Deleting key VersionIndependentProgID Deleting key TypeLib Deleting key LocalServer32 Deleting key CLSID\{0C092C2C-882C-11CF-A6BB-0080C7B2D682} Deleting key CLSID Deleting key CurVer Deleting key InsideCOM.Chap11 Deleting key CLSID Deleting key InsideCOM.Chap11.1 Class factory: Destroy self.

	privacy and legal statement
6539PRO_006.HTML