If the process has its UIC set to DCE$SERVER, and does not have the BYPASS privilege set, DCE command line utilities will fail with the following error:
error creating SMG virtual keyboard.
%NONAME-E-NOMSG, Message number 00000002
The resolution to this problem is to either run under a UIC other than DCE$SERVER, or to set the BYPASS privilege on accounts set to the DCE$SERVER UIC.
This problem does not affect the running of the DCE daemons, only user
processes.
16.28 Dumping the CDS Cache
The CDSCP and DCECP commands to examine the CDS cache will fail if CDSCP or DCECP is run under a Process UIC other than [DCE$SERVER].
$ cdscp dump clerk cache
Cannot map -1 - check id and protection
An error occurred calling a CDS API function. (dce / cds)
$ dcecp -c cdscache dump
Cannot map -1 - check id and protection
Error: The cache dump failed in an indeterministic mode.
To work around this restriction, issue the following DCL command before you invoke CDSCP or DCECP:
$ SET UIC [DCE$SERVER]
Remember to reset your UIC to its original value after you use this command.
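The workaround above, written as a DCL command procedure that restores the original UIC even if the dump fails or is interrupted. This is an added example, not part of the HP documentation; it assumes the process is privileged to issue SET UIC and that cdscp is available as a command as in the transcript above. The symbol names saved_uic and dump_status and the label restore are illustrative.

```dcl
$! Added example: dump the CDS clerk cache under [DCE$SERVER] and
$! always return the process to the UIC it started with.
$!
$ saved_uic = F$GETJPI("", "UIC")     ! UIC of the current process, before the change
$!
$! Route both command errors and Ctrl/Y through the restore step, so the
$! session is never left running as [DCE$SERVER] by accident.
$ ON CONTROL_Y THEN GOTO restore
$ ON ERROR THEN GOTO restore
$!
$ SET UIC [DCE$SERVER]
$ cdscp dump clerk cache
$!
$restore:
$ dump_status = $STATUS               ! status of the last command before the restore
$ SET NOON                            ! a failing SET UIC must not skip the check below
$ SET UIC 'saved_uic'
$!
$! Verify the restore instead of assuming it worked.
$ IF F$GETJPI("", "UIC") .NES. saved_uic THEN -
     WRITE SYS$OUTPUT "UIC not restored, process is still ", F$GETJPI("", "UIC")
$ EXIT 'dump_status'
```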
16.29 CDS Clerk Failing on UCX Shutdown
If you issue a SYS$STARTUP:UCX$SHUTDOWN command while running DCE, you may get a CDS Clerk failure and an Access Violation. You may then encounter problems restarting the CDS Clerk (and DCE itself) with the DCE$SETUP START command.
The primary problem is that UCX is being shut down while DCE is still active. Since DCE uses UCX, DCE should always be shut down first.
To recover from this problem, you need to shut down DCE first and then
restart. Simply trying to restart without first shutting DCE down will
not fix the underlying problem. Because temporary files may be left in an
indeterminate state, you may also want to perform a DCE$SETUP CLEAN
operation before restarting.
16.30 Global Directory Agent Configuration
The Global Directory Agent (GDA) is configured on the OpenVMS node that contains the CDS Master Replica name server. The DNS domain name (for example, zko.dec.com) and the Internet Address of an authoritative DNS Master Bind Server (for example, 16.32.2.11) are required during configuration if you are using DNS Bind style cellnames.
Before access to multiple CDS namespaces is possible, the following are required after the configuration:
After the cell command, both cell administrators should rerun DCE_LOGIN before attempting authenticated cross-cell requests.
If you are unsuccessful in configuring intercell communication, check for the following:
$ STOP/ID=xxxxxxxx
$ @sys$manager:dce$setup start
In DCE for OpenVMS Version 1.5, a change was made to disassociate RPC shutdown from DCE shutdown. This was done to allow RPC-only applications to remain active while DCE changes were being made.
In DCE Version 1.5, DCE$SETUP stop/clean/clobber did not call the RPC
shutdown procedure, and merely gave a warning that RPC would not be
shut down. DCE 3.1 requires that dced (the new RPC endpoint mapper) be
shut down during certain operations. Therefore, the behavior was changed
in DCE Version 3.0, and the RPC shutdown procedure is now called from
DCE$SETUP.COM. The same is applicable for DCE Version 3.1 as well. This
requires the system manager to be aware of any RPC-only applications that
may be active at the time of DCE configuration operations.
16.32 IDL Error When Installing DCE
If installing DCE over an existing implementation, you may see an IDL error if the DCE Application Developer’s Kit was previously installed, but is not being installed for the upgrade.
The installation is attempting to remove the DCL commands which are associated with the developer’s kit from DCLTABLES.EXE, and failing. This error can safely be ignored - answer NO to the question "Do you want to terminate?".
%PCSI-E-MODDELERR, error deleting module IDL_CLD from library
%PCSI-E-OPFAILED, operation failed
Terminating is strongly recommended. Do you want to terminate? [YES] n
If the error shown below occurs during DCE configuration, your system has the TCP/IP NTP daemon configured. Since DCE also provides an NTP daemon, you must decide which one you intend to use.
If you choose to use the DCE NTP daemon, then you must disable the TCP/IP NTP daemon via your TCP/IP configuration program before you can enable the DCE one.
If you choose to use the TCP/IP NTP daemon, then you can ignore the following error, and answer "Y" to the question about whether you want to proceed.
*************************** ERROR ********************************
Port number 123 is in use by a service other than "ntp".
Please check configuration!
Service "ntp" must use port number 123.
******************************************************************
Press
There are known problems with Sun Solaris Version 2.6 and Transarc DCE
Version 2.1 as the CDS master if you are attempting to configure a split server
configuration using DCE on OpenVMS, Tru64 UNIX or Windows NT. Solaris
Version 2.4 and Transarc DCE Version 1.1 work correctly. Contact your DCE
vendor for further information.
16.35 Compile Warning in Example Programs
The CXX example programs may produce the following warning on compilation:
IDL_ms.IDL_call_h = (volatile rpc_call_handle_t)IDL_call_h;
...............^
%CXX-W-CASTQUALTYP, type qualifier is meaningless on cast type
at line number 117 in file USER$1:[DCE12.EXAMPLES.RPC.IDLCXX.ACCOUNT]ACCOUNT_SSTUB.CXX;1
Some versions of CXX may not include the library SYS$LIBRARY:LIBCXXSTD.OLB.
If this is the case, this line may be removed from the options file found in
SYS$COMMON:[DCE$LIBRARY]DCE_CXX.OPT.
16.37 Unknown Ethernet Device on Host System
If your system is using a new type of Ethernet device, then it is possible that DCE might not know about the Ethernet device on the system. DCE uses the Ethernet device to obtain an Ethernet address which is used in the generation of UUIDs. If you see errors such as the following:
%UUIDGEN-F-RPC_MESSAGE, Received Error Status: "no IEEE 802 hardware address (dce / rpc)"
then your Ethernet device is not known by DCE.
You can define one additional Ethernet device in the table used by DCE by defining the logical name DCE$IEEE_802_DEVICE to the name of your Ethernet device as shown in the following example:
$ DEFINE/SYSTEM DCE$IEEE_802_DEVICE EWA0
This will allow DCE to operate using the Ethernet device named EWA0 (a
device type of DE500).
16.38 Public Key Routines Not Supported on OpenVMS
DCE public key technology is not currently supported on OpenVMS. The pkc_* routines and classes (pkc_add_trusted_key, etc.) are not in DCE$LIB_SHR.EXE, and will generate undefined symbols if an application that uses them attempts to link.
The Open Group has stated their intention to replace the existing public key technology in DCE with a non-interoperable replacement, based on X.509v3, in a future release.
"Note that there has been such a high volume of change activity in the IETF relative to Public Key Infrastructure (PKI) and Kerberos that the [RFC 68.3] functionality will not be forward compatible with this Specification. Therefore, current users of DCE 1.2.2-based products with [RFC 68.3] functionality should refrain from deploying the public key based login support."¹
For this reason, HP is not supplying the obsolete public key functionality in DCE for OpenVMS Version 3.0. For additional information on the status of public key in DCE, see the Open Group’s DCE website at:
http://www.opengroup.org/tech/dce/
¹ Draft Technical Standard - DCE 1.2.3 Public Key Certificate Login, Draft 0.8, The Open Group, August 1998
16.39 Audit Trail Files Require UNIX-Style File Specifications
The command to show the DCE audit trail files requires a UNIX style file specification. For example:
$ dcecp -c audtrail show /dcelocal/var/audit/adm/central_trail
Some systems may see warnings during DCE installation, as shown below:
The following product will be installed to destination:
These warnings can be safely ignored. They indicate that certain files which
may also be provided by OpenVMS are newer than the files in the DCE kit.
17 New APIs for Authenticated RPC
The following APIs are included in DCE Version 1.5 and above to manipulate
the sec_winnt_auth_identity structure. They are supported on OpenVMS
V7.2-1 onwards.
17.1 RPC_WINNT_SET_AUTH_IDENTITY
NAME
    rpc_winnt_set_auth_identity - This function is called by the client RPC
    application to allocate and populate a WINNT auth_identity structure to be
    used as a parameter to rpc_binding_set_auth_info(). The caller must use the
    rpc_winnt_free_auth_identity() function to free the WINNT auth_identity.
    The strings that are passed in may be ASCII or Unicode (UCS-4) strings.
    The input flag will tell which type of strings they are.

SYNOPSIS
    #include <dce/rpc.h>

    PUBLIC void rpc_winnt_set_auth_identity (
        rpc_winnt_auth_string_p_t Username,
        rpc_winnt_auth_string_p_t Password,
        rpc_winnt_auth_string_p_t Domain,
        unsigned __int64 CharacterSetFlag,
        rpc_auth_identity_handle_t *auth_identity,
        unsigned32 *stp)

PARAMETERS
    INPUT
        username - Pointer to a null terminated string containing username.
        password - Pointer to a null terminated string containing password.
        domain - Pointer to a null terminated string containing domain.
        CharacterSetFlag
            SEC_WINNT_AUTH_IDENTITY_UNICODE    4 byte Unicode (UCS-4)
            SEC_WINNT_AUTH_IDENTITY_ANSI       ASCII (ISO8859-1)
    OUTPUT
        auth_identity - Pointer to a pointer to WINNT auth_identity structure.
        stp - Pointer to returned status.
Be sure to allocate space for three strings (username, password, domain). The string variables will probably be pointers of type unsigned_char_t if the strings are ASCII or pointers of type wchar_t if the strings are Unicode (UCS-4). If the domain string is a valid empty string, then the domain of the computer will be used.
NAME
    rpc_winnt_free_auth_identity - This function is called by the client RPC
    application to free a WINNT auth_identity structure that was previously
    allocated by a call to rpc_winnt_set_auth_identity().

SYNOPSIS
    #include <dce/rpc.h>

    PUBLIC void rpc_winnt_free_auth_identity (
        rpc_auth_identity_handle_t *auth_identity,
        unsigned32 *stp)

PARAMETERS
    INPUT
        auth_identity - Pointer to a pointer to WINNT auth_identity structure.
                        On output auth_identity will be set to NULL.
    OUTPUT
        stp - Pointer to returned status.
The following APIs are included in DCE Version 1.5 and above to support
server impersonation of a client. This means that the server runs with the
security credentials of the client, and all of the capabilities of the client belong
to the server.
18.1 RPC_IMPERSONATE_CLIENT
NAME
    rpc_impersonate_client - This function is called by the server application
    to allow the current server thread to run with all of the client
    privileges.

SYNOPSIS
    #include <dce/rpc.h>

    void rpc_impersonate_client(
        rpc_binding_handle_t binding_handle,
        rpc_status_t *status)

PARAMETERS
    INPUT
        binding_handle - Specifies a server-side call handle for this RPC
                         which represents the client to impersonate.
    OUTPUT
        status - Specifies a pointer to an unsigned 32 bit integer that holds
                 a status code.
NAME
    rpc_revert_to_self - This function is called by the server application to
    revert back to its original security context after impersonating a client.

SYNOPSIS
    #include <dce/rpc.h>

    rpc_revert_to_self(*status)

PARAMETERS
    INPUT
        NONE
    OUTPUT
        status - Specifies a pointer to an unsigned 32 bit integer that holds
                 a status code.
NAME
    rpc_revert_to_self_ex - This function is called by the server application
    to revert back to its original security context after impersonating a
    client. This acts as a call to rpc_revert_to_self();

SYNOPSIS
    #include <dce/rpc.h>

    rpc_revert_to_self_ex(
        rpc_binding_handle_t binding_handle,
        rpc_status_t *status)

PARAMETERS
    INPUT
        call handle - This parameter is ignored.
    OUTPUT
        status - Specifies a pointer to an unsigned 32 bit integer that holds
                 a status code.
For more information on existing enhanced RPC security APIs, see the
Compaq DCE for OpenVMS VAX and OpenVMS Alpha Reference Guide.
19 The Routing File
To use routing file services on OpenVMS, you will need to define the following logical name for the process or the system for which logging information is desired (the syntax is exact for the routing file):
$ DEFINE/SYS DCE_SVC_ROUTING_FILE "DCE_LOCAL/VAR/SVC/ROUTING."
This will enable DCE applications to find and interpret the routing file and direct any output to the locations specified in the routing file.
You can also set the number of buffered writes to perform before data is flushed to the file, as shown below:
$ DEFINE/SYS DCE_SVC_FSYNC_FREQ 10
The example above will flush the buffer every 10 writes.
19.1 Specifying Filenames in the Routing File
The OpenVMS routing file uses UNIX style filenames when specifying output
log files. You can see examples of this in the current routing file that is found
in the directory dce$common:[var.svc]routing. The DCE code that reads the
routing file uses colons and forward slashes to parse the routing file data lines
for output files.
19.2 Using the Routing File
The routing file contains examples of how to set up logging for various components. See the routing file itself for additional information. The routing file can be found in DCE$COMMON:[VAR.SVC]ROUTING.