Previous | Contents | Index |
The Security extension (SECURITY), along with the MIT-MAGIC-COOKIE-1 and MIT-KERBEROS-5 protocols, provides additional means for defining which clients are authorized to connect to the X server and what operations they can perform once connected. Use the new parameters in this section to specify the location of the files used with these mechanisms (security policy, X authority, access allowed, and access trusted files).
See Section 2.6 for details on defining and implementing an authentication scheme for the DECwindows X11 Display Server. For a brief description of the SECURITY extension, see Section 3.5.1.6.
When using SECURITY, this parameter specifies the name of the security policy file. By default, no file is specified.
The following parameter specifies the security policy file SYS$MANAGER:DECW$SECURITY_POLICY.DAT:
Example
$ DECW$SECURITY_POLICY == "SYS$MANAGER:DECW$SECURITY_POLICY.DAT" |
See Section 2.6.5.2 for a description of the security policy file.
This parameter specifies the name of the server X authority file. This file provides records used to authorize client connections to the server. By default, no file is specified. This allows access to the X server from the local SYSTEM account (via DECnet or the Local transport) without requiring additional authentication from the client.
Note that the settings in the X authority file specified by DECW$SERVER_XAUTHORITY apply to server connections made before a user logs into the DECwindows desktop. Once a user logs into the desktop, the user's X authority settings are applied.
If a file is specified, the values from this file are loaded into the server and can be used by all client connections. To allow a normal login process to occur, trusted access must be explicitly granted using the DECW$SERVER_ACCESS_TRUSTED.DAT file.
The following parameter specifies the X authority file SYS$MANAGER:DECW$XAUTH.DAT:
Example
$ DECW$SERVER_XAUTHORITY == "SYS$MANAGER:DECW$XAUTH.DAT" |
See Section 1.2.2.1 for a description of the X authority file.
This parameter specifies the name of the trusted access file. This file lists those clients who maintain trusted access to the server. The default file is SYS$MANAGER:DECW$SERVER_ACCESS_TRUSTED.DAT.
Note that the settings in the trusted access file specified by DECW$SERVER_ACCESS_TRUSTED apply to server connections made before a user logs into the DECwindows desktop. Once a user logs into the desktop, the user's access settings are applied.
The following parameter changes the trusted access file specification:
Example
$ DECW$SERVER_ACCESS_TRUSTED == "SYS$MANAGER:DECW$SERVER1_ACCESS_TRUSTED.DAT" |
This parameter specifies the name of the access allowed file. This file lists those clients who are granted automatic access to the server without requiring additional authentication. The default file is SYS$MANAGER:DECW$SERVER_ACCESS_ALLOWED.DAT.
Note that the settings in the allowed access file specified by DECW$SERVER_ACCESS_ALLOWED apply to server connections made before a user logs into the DECwindows desktop. Once a user logs into the desktop, the user's access settings are applied.
The following parameter changes the allowed access file specification:
Example
$ DECW$SERVER_ACCESS_ALLOWED == "SYS$MANAGER:DECW$SERVER1_ACCESS_ALLOWED.DAT" |
2.1.5 Error Reporting
The following new parameter replaces the symbol DECW$SERVER_CONNECT_LOG
and provides additional options for controlling the content of the X
server audit logs.
This parameter controls whether normal client connect/disconnect messages are logged in the error log file for the server. Valid values for this parameter are:
The default value is 0.
The following parameter definition enables minimal audit logging:
Example
$ DECW$SERVER_AUDIT_LEVEL == "1" |
Since some combinations of X server extensions present a function or resource conflict if enabled concurrently, two new parameters (DECW$SERVER_EXTENSIONS and DECW$SERVER_DISABLE_TEST) have been added to the server startup file. These parameters allows you to control which groups of extensions are loaded and enabled on one or more servers. Each dynamically loadable extension specified by these symbols is converted to a shareable image, which is run at server startup.
To load and enable a set of extensions, modify the parameter definitions in the DECW$PRIVATE_SERVER_SETUP.COM file, and restart the server. For example, to enable XIE and XINERAMA, add the following line to the file:
$ DECW$SERVER_EXTENSIONS == "XIE,XINERAMA" |
See Section 2.1.1 for a detailed description of the valid values for
these parameters. For the current list of unsupported combinations of X
server extensions, see the hp DECwindows Motif for hp OpenVMS Alpha Release Notes.
2.3 Support for Multihead Systems Using XINERAMA
The XINERAMA extension enables you to connect multiple monitors to a single Alpha system running HP DECwindows Motif for HP OpenVMS Alpha Version 1.3 to create a unified virtual display. In contrast to the traditional way of configuring multiheaded Alpha systems, described in Managing DECwindows Motif for OpenVMS Systems, XINERAMA provides more control over the arrangement of the screens and desktop. Under a multiheaded display that uses XINERAMA, you can customize the number, order, and configuration of each screen in the display, and drag windows and text from screen to screen on the desktop.
The following sections describe how to configure a multiheaded Alpha
system using XINERAMA.
2.3.1 Hardware and Configuration Requirements
XINERAMA is supported only in a homogeneous graphics environment. Each multiheaded configuration must consist of common video cards, bit depths, visual classes, screen resolutions, and monitors of a similar size.
See the hp DECwindows Motif for hp OpenVMS Alpha Software Product Description for a list of the currently supported video graphics cards; see Managing DECwindows Motif for OpenVMS Systems for a description of the logicals you can use to change the default values for these graphics settings.
The X server supports up to 16 monitors in a multiheaded configuration.
Note that the actual number of monitors you can use may be further
limited by the number of available option card slots.
2.3.2 Setting Up a Multiheaded Alpha System
Configuring a multiheaded system using XINERAMA involves the following steps:
The following sections describe this process.
Step 1: Disable VGA Services
Some video cards can dynamically disable or enable VGA services as necessary, but others require that you manually disable VGA via a jumper setting on the video card. Refer to the documentation for your video cards to determine if this change is required. If so, make this change prior to installing the cards in your Alpha system.
If you install multiple video cards on a system without disabling VGA services on all but one of the cards, all of the cards will compete for control of the video subsystem at boot time, resulting in possible system damage. |
Step 2: Install the Video Cards
Shut down the OpenVMS Alpha system and install the video cards, as instructed by the hardware documentation.
Turn the power back on and reboot the operating system. During startup, the OpenVMS Alpha operating system will verify that the video cards were installed correctly.
Step 3: Enable XINERAMA
Although this extension is part of the X server, it is not enabled by default. To enable XINERAMA:
$ DECW$SERVER_EXTENSIONS == "DEC-XTRAP,XINERAMA" |
Step 4: Arrange the Monitors
By default, the system uses the physical location of the video cards on the system bus to assign the device names (such as, GYA0, GYB0, etc.) and subsequently number the screens. For example in a four-monitor multihead configuration, if you have connected the cables to the video cards in the proper order and placed the monitors placed side-by-side, the screens could be numbered in either ascending (0, 1, 2, 3) or descending (3, 2, 1, 0) order.
If the screens are not in the desired order, you can do one of the following depending on your screen configuration:
Once the screens are in the appropriate order, you can further customize the virtual display using the following edge attachment parameters in DECW$PRIVATE_SERVER_SETUP.COM:
These parameters, described in Section 2.1.2, control where each edge of the virtual display is attached.
When the setup process is complete, all the monitors should be active and organized in the proper arrangement. Once you restart DECwindows Motif, the login dialog box for the session is displayed at the center of the virtual display, and you should be able to open application windows and drag them from screen to screen.
2.4 Support for Euro Currency Symbol
HP DECwindows Motif for HP OpenVMS Alpha Version 1.3 includes support for the euro currency symbol. Support
for the euro symbol was formerly provided via a separate DECwindows Motif
remedial kit (ALP_DWEURO_V0101). This support is now offered as an
option during installation of the DECwindows Motif software. Once
installed, you can enter and display the euro symbol on all
HP DECwindows Motif for HP OpenVMS Alpha Version 1.3 or greater systems.
2.4.1 Enabling Euro Support
Support for the euro symbol is enabled through a DECwindows Motif installation option. This option installs the appropriate fonts in the DECW$SYSCOMMON:[SYSFONT.DECW] subdirectory tree and adds references to the euro font directories to the search list defined by the DECW$FONT logical.
No further configuration is required. Note however, that if installed on an OpenVMS Alpha cluster system, you must restart DECwindows on all other systems in the cluster in order for them to recognize the symbol.
Support for the euro locale by the OpenVMS C Run-Time Library is not required for base DECwindows Motif euro support. However, if you want to run Motif applications in a euro locale, you must install Euro locale support, which is included in the OpenVMS Alpha Version 7.3--1 kit.
Once euro support is enabled, the character code 0xA4 may be displayed. This results from the euro sign and the key sequence to enter the euro sign always being in effect, regardless of the locale and codeset of the process. |
Once euro support is enabled on your system, you can display the euro sign with any ISO8859-1 bitmap font on your workstation, with no additional setup. DECwindows Motif applications that use standard ISO Latin-1 fonts to display text will automatically display the euro sign for character 0xA4. The character set portion of the XLFD name for these fonts is ISO8859-1.
To display the euro sign in a DECterm window, be sure the following two items are selected in the DECterm General Options dialog box:
2.4.3 Using the Keyboard to Manually Enter the Euro Symbol
Once euro support is enabled, you can manually enter the symbol using
one of the following key sequences, depending on the type of keyboard
attached to your system:
Keyboard Type | Keymap | Key Sequence |
---|---|---|
LK-style | *LK201* keymap |
Use the same key sequence you use for the universal currency symbol.
For example:
Compose+Space o x or Compose+Space O X |
LK-style | *LK401* keymap 1 | LeftCompose + E |
PC-style 2 | *LK44* keymap | RightAlt + E |
To display and edit the euro symbol in the DECTPU DECwindows interface, specify the ISO Latin-1 character set as follows:
$ EDIT/TPU/INTERFACE=DECWINDOWS/CHARACTER_SET=ISO_LATIN1 |
The X Keyboard keymap files are the standard X Window System alternative to the proprietary keymaps currently provided with DECwindows Motif. They are intended to supplement, rather than replace, the DECwindows Motif keymap files, which will continue to be provided with the DECwindows Motif software.
You can compile X Keyboard layout files to create loadable keymaps using the X Keyboard Compiler utility (xkbcomp), as described in the following section, or the server will compile the files as needed.
Also, since the X Keyboard keymap format (.XKM) is the accepted,
vendor-independent standard for loadable keyboards, you can choose to
load .XKM files from other X11R6-based systems and X Window System
software providers.
2.5.1 Creating a Modified Keymap File
To create a modified keymap file, do the following:
. . . 19 key <AE09> { [ 9, parenleft ] }; 20 key <AE10> { [ 0, parenright ] }; . . . |
$ xkbcomp -RDECW$SYSCOMMON:[SYS$KEYMAP.XKB] -xkm -m lk401 - _$ DECW$SYSCOMMON:[SYS$KEYMAP.XKB.KEYMAP.DIGITAL]us - _$ -o SYS$COMMON:[SYS$KEYMAP.XKB.COMPILED]digital_us_lk401.xkm |
You can then load the modified, compiled keymap file as described in
Section 2.5.2.
2.5.2 Loading a Compiled Keymap File
To load a compiled X Keyboard keymap file, do the following:
$ DECW$SERVER_EXTENSIONS == "XKB,XINERAMA" |
$ DECW$SERVER_XKEYBOARD_LOAD_MAP=="1" |
Some custom keyboard options are not available when using XKB and the X Keyboard keymaps. See the hp DECwindows Motif for hp OpenVMS Alpha Release Notes for a complete listing of X Keyboard keymap restrictions. |
To enable the AccessX key features described in Section 1.2.1, do the following:
You can then further configure the AccessX features using the accessx utility described in Section 1.2.1, or use the slow and sticky key functions, as follows:
To... | Perform This Action... |
---|---|
Toggle slow keys | Hold Shift key by itself for eight seconds |
Toggle sticky keys | Press and release the left or right Shift key five times in a row, without any intervening key events and with less than 30 seconds delay between consecutive presses |
Turn off sticky keys | Simultaneously press two or more modifier keys. |
HP DECwindows Motif for HP OpenVMS Alpha Version 1.3 offers support for additional security mechanisms that provide greater control over access to the server by remote applications. Both the DECwindows Motif client software and the DECwindows X11 Display Server have been modified to support the following:
The following sections describe the available access control schemes
and how to use them to manage access to the DECwindows X11 Display Server.
2.6.1 User-Based Access Control
User-based access control, as described in Chapter 12 of Using DECwindows Motif for OpenVMS, authorizes access to the X server based on the triplet of host, transport, and user name (such as, DECNET ZEPHYR JONES). The user name, node name, and transport information you provide acts as a filter to screen out all except a selected class of users.
User-based access control can be implemented one of two ways depending on your DECwindows Motif system environment:
User-based access control is always available, as long as there are
entries in either the Authorized Users or access allowed list. Due to
lack of encryption and the inability to specify usernames in the TCP/IP
environment, this form of access control is the least secure and is
recommended for authorizing access in the local or DECnet environment
only.
2.6.2 Token-Based Access Control
Token-based access control authorizes access to the X server based on the presentation of a valid password or token by a client application during a connection request. The level to which the client is authenticated and the method of authentication varies depending on the protocol in use, which is specified in a user's X authority file (described in Section 1.2.2.1).
In general, each time a client application attempts to connect to an X server protected with token-based access control, it references the current X authority file to determine the appropriate protocol to apply and authentication method to follow in order to grant the connection.
Not only do token-based protocols offer greater protection for DECwindows X11 Display Server systems, but they also provide more control over the operations that can be performed over an open X server connection. For example, a token could be used to grant or deny trust privileges. Untrusted connections to an X server significantly restrict the operations that can be performed over the connection.
The token-based access control protocols supported by DECwindows Motif are Magic Cookie (MIT-MAGIC-COOKIE-1) and Kerberos (MIT-KERBEROS-5).
MIT-MAGIC-COOKIE-1 and MIT-KERBEROS-5 are standard X Window System protocols. Third-party client applications can use these protocols to connect to protected DECwindows X display servers and DECwindows Motif clients can use them to connect to protected third-party X display servers. Additional X Window System protocols, such as XDM-AUTHORIZATION-1 and SUN-DES-1, are not currently supported. Any third-party client applications using these protocols to access a DECwindows X display server will default to user-based access control. |
Previous | Next | Contents | Index |