Document revision date: 15 July 2002

When you click Customize Windows NT... on the Customize menu of the Application window, the Availability Manager displays a Security page (Figure 7-14).

Figure 7-14 Windows Security Customization Page

To change the default password for the Data Analyzer to use to access Windows Data Collector nodes, enter a password of exactly 8 alphanumeric characters. Note that this password is case sensitive; any time you type it, you must use the original capitalization.

This password must also match the password for the Windows Data Collector node that you want to access. (See Section 7.6.3 for instructions for changing that password.)

When you are satisfied with your password, click OK. Exit and restart the Availability Manager for the password to take effect.

7.6.2 Changing Security Triplets on OpenVMS Data Collector Nodes

To change security triplets on an OpenVMS Data Collector node, you must edit the AMDS$DRIVER_ACCESS.DAT file, which is installed on all Data Collector nodes. The following sections explain what a security triplet is, how the Availability Manager uses it, and how to change it.

7.6.2.1 Understanding OpenVMS Security Triplets

A security triplet determines which nodes can access system data from an OpenVMS Data Collector node. The AMDS$DRIVER_ACCESS.DAT file on OpenVMS Data Collector nodes lists security triplets.

On OpenVMS Data Collector nodes, the AMDS$AM_CONFIG logical translates to the location of the default security file, AMDS$DRIVER_ACCESS.DAT. This file is installed on all OpenVMS Data Collector nodes.

A security triplet is a three-part record whose fields are separated by backslashes (\). A triplet consists of the following fields:

• A network address (hardware address or wildcard character)
• An 8-character alphanumeric password
  The password is not case sensitive (so the passwords "testtest" and "TESTTEST" are considered to be the same).
• A read, write, or control (R, W, or C) access verification code

The exclamation point (!) is a comment delimiter; any characters to the right of the comment delimiter are ignored.

Example

All Data Collector nodes in group FINANCE have the following AMDS$DRIVER_ACCESS.DAT file:

*\FINGROUP\R ! Let anyone with FINGROUP password read ! 2.1\DEVGROUP\W ! Let only DECnet node 2.1 with ! DEVGROUP password perform fixes (writes)

7.6.2.2 How to Change a Security Triplet

On each Data Collector node on which you want to change security, you must edit the AMDS$DRIVER_ACCESS.DAT file. The data in the AMDS$DRIVER_ACCESS.DAT file is set up as follows:

Network address\password\access

Use a backslash character (\) to separate the three fields.

To edit the AMDS$DRIVER_ACCESS.DAT file, follow these steps:

1. Edit the network address.
   The network address can be either of the following:
   • Hardware address
     The hardware address field is the physical hardware address in the LAN adapter chip. It is used if you have multiple LAN adapters or are running the Compaq DECnet-Plus for OpenVMS networking software on the system (not the Compaq DECnet Phase IV for OpenVMS networking software).
     For adapters provided by Compaq, the hardware address is in the form 08-00-2B-xx-xx-xx, where the 08-00-2B portion is Compaq's valid range of LAN addresses as defined by the IEEE 802 standards, and the xx-xx-xx portion is chip specific.
     To determine the value of the hardware address on a node, use the OpenVMS System Dump Analyzer (SDA) as follows:

     $ ANALYZE/SYSTEM SDA> SHOW LAN

     
     These commands display a list of available devices. Choose the template device of the LAN adapter you will be using, and then enter the following command:

     SDA> SHOW LAN/DEVICE=xxA0

   • Wildcard address
     The wildcard character (*) allows any incoming triplet with a matching password field to access the Data Collector node. Use the wildcard character to allow read access and to run the console application from any node in your network.
     Because the Data Analyzer does not use this field, you should use the wildcard character in this field in the AMDS$CONSOLE_ACCESS.DAT file.
     Caution: Use of the wildcard character for write-access security triplets enables any person using that node to perform system-altering fixes.
2. Edit the password field.
   The password field must be an 8-byte alphanumeric field. The Availability Manager forces upper-case on the password, so "aaaaaaaa" and "AAAAAAAA" are essentially the same password to the Data Collector.
   The password field gives you a second level of protection when you want to use the wildcard address denotation to allow multiple modes of access to your monitored system.
3. Enter R, W, or C as an access code:
   • R means READONLY allowance for the Data Analyzer.
   • W means READ/WRITE allowance for the Data Analyzer. (WRITE implies READ.)
   • C means CONTROL allowance for the Data Analyzer. CONTROL allows you to manipulate objects from which data are derived. (CONTROL implies both WRITE and READ.)

The following security triplets are all valid; an explanation follows the exclamation point (!).

*\1decamds\r ! Anyone with password "1decamds" can monitor *\1decamds\w ! Anyone with password "1decamds" can monitor or write 2.1\1decamds\r ! Only node 2.1 with password "1decamds" can monitor 2.1\1decamds\w ! Only node 2.1 with password "1decamds" can monitor and write 08-00-2b-03-23-cd\1decamds\w ! Allows a particular hardware address to write 08-00-2b-03-23-cd\1decamds\r ! Allows a particular hardware address to read node

OpenVMS Data Collector nodes accept more than one password. Therefore, you might have several security triplets in an AMDS$DRIVER_ACCESS.DAT file for one Data Collector node. For example:

*\1DECAMDS\R *\KOINECLS\R *\KOINEFIX\W *\AVAILMAN\C

In this example, Data Analyzer nodes with the passwords 1DECAMDS and KOINECLS would be able to see the Data Collector data, but only the Data Analyzer node with the KOINEFIX password would be able to write or change information, including performing fixes, on the Data Collector node. The Data Analyzer node with the AVAILMAN password would be able to perform switched LAN fixes.

If you want, you can set up your AMDS$DRIVER_ACCESS.DAT file to allow anyone in the world to read from your system but allow only certain nodes to write or change process or device characteristics on your system.

The Availability Manager performs these steps when using security triplets to ensure security among Data Analyzer and Data Collector nodes:

1. A message is broadcast at regular intervals to all nodes within the LAN indicating the availability of a Data Collector node to communicate with a Data Analyzer node.
2. The node running the Data Analyzer receives the availability message and returns a security triplet that identifies it to the Data Collector, and requests system data from the Data Collector.
3. The Data Collector examines the security triplet to determine whether the Data Analyzer is listed in the AMDS$DRIVER_ACCESS.DAT file to permit access to the system.
   • If the AMDS$DRIVER_ACCESS.DAT file lists Data Analyzer access information, then the Data Provider and the Data Analyzer can exchange information.
   • If the Data Analyzer is not listed in the AMDS$DRIVER_ACCESS.DAT file or does not have appropriate access information, then access is denied and a message is logged to OPCOM. The Data Analyzer receives a message stating that access to that node is not permitted.

Table 7-3 describes how the Data Collector node interprets a security triplet match.

Table 7-3 Security Triplet Verification

Security Triplet	Interpretation
08-00-2B-12-34-56\HOMETOWN\W	The Data Analyzer has write access to the node only when the Data Analyzer is run from a node with this hardware address (multiadapter or DECnet-Plus system) and with the password HOMETOWN.
2.1\HOMETOWN\R	The Data Analyzer has read access to the node when run from a node with DECnet for OpenVMS Phase IV address 2.1 and the password HOMETOWN.
*\HOMETOWN\R	Any Data Analyzer with the password HOMETOWN has read access to the node.

7.6.3 Changing a Password on a Windows Data Collector

To change the Data Collector password in the Registry, follow these steps:

1. Click the Windows Start button. First click Programs and then Command Prompt.
2. Type regedit after the angle prompt (>).
   The system displays a screen for the Registry Editor, with a list of entries under My Computer.
3. On the list displayed, click HKEY_LOCAL_MACHINE .
4. Click SYSTEM.
5. Click CurrentControlSet.
6. Click Services.
7. Click damdrvr.
8. Click Parameters.
9. Double-click Read Password. Then type a new 8-character alphanumeric password, and click OK to make the change.
10. To store the new password, click Exit under File on the main menu bar.
11. On the Control Panel, click Services and then Stop for "PerfServ."
12. Again on the Control Panel, click Devices and then Stop for "damdrvr."
13. First restart damdrvr under "Devices" and then restart PerfServ under "Services."
    This step completes the change of your Data Collector password.

The CPU process states shown in the following table are displayed in the OpenVMS CPU Process States page (see Figure 3-7) and in the OpenVMS Process Information page (see Figure 3-19).

Table A-1 CPU Process States

Process State	Description
CEF	Common Event Flag, waiting for a common event flag
COLPG	Collided Page Wait, involuntary wait state; likely to indicate a memory shortage, waiting for hard page faults
COM	Computable; ready to execute
COMO	Computable Outswapped, COM, but swapped out
CUR	Current, currently executing in a CPU
FPW	Free Page Wait, involuntary wait state; most likely indicates a memory shortage
LEF	Local Event Flag, waiting for a Local Event Flag
LEFO	Local Event Flag Outswapped; LEF, but outswapped
HIB	Hibernate, voluntary wait state requested by the process; it is inactive
HIBO	Hibernate Outswapped, hibernating but swapped out
MWAIT	Miscellaneous Resource Wait, involuntary wait state, possibly caused by a shortage of a systemwide resource, such as no page or swap file capacity or no synchronizations for single-threaded code. Types of MWAIT states are shown in the following table: MWAIT State Definition BYTLM Wait Process waiting for buffered I/O byte count quota. JIB Wait Process in either BYTLM Wait or TQELM Wait state. TQELM Wait Process waiting for timer queue entry quota. EXH Kernel thread in exit handler (not currently used). INNER_MODE Kernel thread waiting to acquire inner-mode semaphore. PSXFR Process waiting during a POSIX fork operation. RWAST Process waiting for system or special kernel mode AST. RWMBX Process waiting because mailbox is full. RWNBX Process waiting for nonpaged dynamic memory. RWPFF Process waiting because page file is full. RWPAG Process waiting for paged dynamic memory. RWMPE Process waiting because modified page list is empty. RWMPB Process waiting because modified page writer is busy. RWSCS Process waiting for distributed lock manager. RWCLU Process waiting because OpenVMS Cluster is in transition. RWCAP Process waiting for CPU that has its capability set. RWCSV Kernel thread waiting for request completion by OpenVMS Cluster server process.
PFW	Page Fault Wait, involuntary wait state; possibly indicates a memory shortage, waiting for hard page faults.
RWAST	Resource Wait State, waiting for delivery of an asynchronous system trap (AST) that signals a resource availability; usually an I/O is outstanding or a process quota is exhausted.
RWBRK	Resource Wait for BROADCAST to finish
RWCAP	Resource Wait for CPU Capability
RWCLU	Resource Wait for Cluster Transition
RWCSV	Resource Wait for Cluster Server Process
RWIMG	Resource Wait for Image Activation Lock
RWLCK	Resource Wait for Lock ID data base
RWMBX	Resource Wait on MailBox, either waiting for data in mailbox (to read) or waiting to place data (write) into a full mailbox (some other process has not read from it; mailbox is full so this process cannot write).
RWMPB	Resource Wait for Modified Page writer Busy
RWMPE	Resource Wait for Modified Page list Empty
RWNPG	Resource Wait for Non Paged Pool
RWPAG	Resource Wait for Paged Pool
RWPFF	Resource Wait for Page File Full
RWQUO	Resource Wait for Pooled Quota
RWSCS	Resource Wait for System Communications Services
RWSWP	Resource Wait for Swap File space
SUSP	Suspended, wait state process placed into suspension; it can be resumed at the request of an external process
SUSPO	Suspended Outswapped, suspended but swapped out

	privacy and legal statement
6552PRO_012.HTML