Digital DCE for OpenVMS VAX and OpenVMS Alpha
Installation and Configuration Guide

4.3.10 Configuring

Once you answer YES to saving the service configuration, the actual configuration begins. You receive messages similar to the following:

Establishing security environment for principal "cell_admin" . . . Starting Security Service Client daemon (DCE$SEC_CLIENTD) . . . %RUN-S-PROC_ID, identification of created process is 00000DAE Testing access to the security registry . . . Initializing CDS... Starting CDS Name Service Advertiser daemon (DCE$CDSADV) . . . %RUN-S-PROC_ID, identification of created process is 00000EEF Starting CDS Name Service Client daemon (DCE$CDSCLERK) . . . %RUN-S-PROC_ID, identification of created process is 00000EC2 Configuring client host objects in the cell namespace . . . Setting up required objects in namespace directory "/.:/hosts/excess" . . . Creating namespace directories and objects . . . Configuring required RPC information . . . Modifying ACL's on namespace objects . . . /.:/hosts/excess /.:/hosts/excess/self /.:/hosts/excess/cds-clerk /.:/hosts/excess/profile /.:/lan-27.0.66-profile Starting Distributed Time Service daemon (DCE$DTSD) . . . %RUN-S-PROC_ID, identification of created process is 00000EC3 Press <RETURN> to continue . . .

After you press the Return key, the DCE Configuration Menu is displayed.

4.3.11 Exiting from the Configuration

After the configuration is completed, the initial DCE Configuration Menu is displayed once again. Enter 0 to exit.

DCE Configuration Menu 1) RPC_Only Provide DCE RPC services only 2) Client Configure this host as a DCE client system 3) Server Configure this host as a full DCE server system 4) Custom Define a customized DCE configuration for this host 5) IntLogin Enable or disable DCE integrated login support 6) Rebuild Rebuild DCE on this host using the current configuration 7) Add_SecRep Add a Security Replica to the configuration on this host 8) Add_CdsRep Add a CDS Replica clearinghouse to the configuration on this host 0) Exit Return to previous menu ?) Help Display helpful information Please enter your selection: 0

4.4 DCE System Management Command Procedure

In DCE for OpenVMS Version 1.5, the DCE system management command procedure (DCE$SETUP.COM) has been changed. These changes are described in the following sections.

RPCD can be started with the new startup command procedure described in the next section.
DCE$SETUP no longer directly starts RPCD. Instead, it calls DCE$RPC_STARTUP.
DCE$SETUP no longer performs UCX parameter checking. This is now performed by DCE$RPC_STARTUP.
DCE$SETUP no longer stops RPCD under any circumstances. RPCD can only be stopped by calling DCE$RPC_SHUTDOWN.
DCE$RPC_SHUTDOWN checks whether any DCE components are running before it stops the RPC daemon.
Invoking DCE$SETUP with the CLEAN or CLOBBER option no longer deletes the RPC endpoint database (DCE$LOCAL:[VAR.RPC]RPCDEP.DAT). However, the endpoints for any DCE components are removed. The only way to delete the entire RPC endpoint database is to invoke DCE$RPC_SHUTDOWN with the CLEAN option.

4.4.1 Starting and Stopping the RPC Daemon

The RPC daemon can be started and stopped with the two new command files DCE$RPC_STARTUP.COM and DCE$RPC_SHUTDOWN.COM. These files are located in SYS$COMMON:[SYSMGR].

To start the RPC daemon, execute DCE$RPC_STARTUP.COM. You can specify the following option:

[NO]CONFIRM Turns user prompting on or off. CONFIRM is the default.

To stop the RPC daemon, execute DCE$RPC_SHUTDOWN.COM. You can specify the following options in any order:

[NO]CONFIRM Turns user prompting on or off. CONFIRM is the default.

CLEAN Deletes all entries from the RPC endpoint database.

Note

Do not stop the RPC daemon if any RPC applications are running on the system.

4.4.2 Limiting RPC Transports

The RPC daemon can limit the protocols used by RPC applications. To restrict the protocols that can be used, set a logical name RPC_SUPPORTED_PROTSEQS to contain the valid protocols separated by a colon. Valid protocols are ncadg_ip_udp, ncacn_ip_tcp, and ncacn_dnet_nsp.

For example:

$ DEFINE RPC_SUPPORTED_PROTSEQS "ncacn_ip_tcp:ncacn_dnet_nsp"

This prevents RPC applications from registering endpoints that utilize TCP/UDP.

4.5 Client Configuration Considerations

By default, the client configuration configures the following components:

RPC
Security client
CDS clerk and advertiser
DTS clerk

See Appendix C for an example of a client configuration.

4.6 Server Configuration Considerations

By default, the server configuration configures the following components:

RPC
CDS Master Server
Security Server
DTS Server
PC NSI Agent

See Appendix C for an example of a server configuration.

4.7 Custom Configuration Considerations

Before you begin a custom configuration, make sure you are familiar with all the components of a configuration. Performing a custom configuration is more complex than performing other configurations.

When you choose either the client or the server configurations, defaults are automatically set for you. However, if you do not want all the defaults, or if you want additional DCE components (such as Security Replica or GDA), consider performing a custom configuration.

The custom configuration lets you tailor a client or server system as well as include the following options:

Security
- Master
- Replica
CDS
- Master
- Replica
- GDA
Time services
NSI
The ability to configure a split server (with CDS master server and security registry on different hosts)
If your system time is synchronized with another time service, a custom configuration lets you eliminate DTS from the configuration.
See Appendix C for an example of a custom configuration.

4.7.1 Custom Configuration for a Split Server Cell

The only way you can configure a split server cell (so that the CDS master server is on one host and the security registry is on another) is through a custom configuration.

To configure a split server cell, you need two custom configurations occurring at almost the same time. In brief, the process is as follows:

Start the security registry server configuration.
You are asked some or all of the following questions:
- Do you wish to configure "hostname" as the security master server?
- Do you wish to configure "hostname" as the security replica server? (You receive this question if you answered NO to the previous question.)
- Please enter the principal name to be used [cell_admin]:
- Please enter the password for principal "cell_admin":
- Please enter the password again to confirm it:
Pause the configuration when requested.
Perform the CDS master server configuration.
You are asked some or all of the following questions:
- Will "hostname" be the CDS master server for the cell?
- Do you wish to configure "hostname" as the CDS replica server? (You receive this question if you answered NO to the previous question.)
- Is the CDS master server within broadcast range?
- Do you want to enable the Global Directory Agent? (If you answer YES, you are asked to enter the Domain and Bond Server address.)
Return to the paused security registry server configuration and finish the split server configuration.

The following steps describe in more detail how to configure a split server cell:

Choose Custom from the DCE Configuration Menu.

Start the Security Registry Server by answering the configuration questions in a way similar to the following example:

Please enter the DCE hostname for this system [opra]: Do you wish to search the LAN for known DCE cells (YES/NO/?) [Y]? n Please enter the name for your DCE cell []: leaper_cell.dce.zko.dec.com Hostname: opra Cellname: leaper_cell.dce.zko.dec.com Do you want to save these names for your DCE configuration (YES/NO/?) [Y]? Do you wish to configure opra as the Security Master server (YES/NO/?) [N]? y Please enter the principal name to be used [cell_admin]: Please enter the password for principal "cell_admin" (or ? for help): Please enter the password again to confirm it: Will opra be the CDS Master server for the cell (YES/NO/?) [N]? n Do you wish to configure opra as a CDS Replica server (YES/NO/?) [N]? n Is the CDS Master Server within broadcast range (YES/NO/?) [N]? y Do you want to enable DCE DTS (YES/NO/?) [N]? y Do you want this host to be a DCE DTS Local Server (YES/NO/?) [N]? y Do you want to configure the NSI Agent (YES/NO/?) [N]? y Do you want to enable DCE integrated login support (YES/NO/?) [N]? **************************** WARNING **************************** *** You have selected a split-server configuration. This requires *** that you coordinate the configuration of the two hosts where the *** Security Registry Server and the CDS Master Server will reside. *** You cannot configure one without configuring the other. *** You have chosen to configure this host as the Security Registry *** Server. *** Continue with the configuration and the process will pause and *** prompt you to configure the CDS Master Server. Do you want to proceed with this operation (YES/NO/?) [N]? y Do you want to save this service configuration (YES/NO/?) [Y]

Pause this configuration after you receive the following message:

**************************** INFO ***************************** *** *** This system has now been configured as a security server. Since *** you chose not to configure this system as a CDS server, you must *** now configure another host as the Master CDS Server for this *** cell. Once you have done this, answer YES to the following *** question to complete the configuration of this system. *** ********************************************************************** Has the CDS Master Server been configured (YES?NO/?) ?

Choose Custom from the DCE Configuration Menu.

Start the CDS Master Server by answering the configuration questions in a way similar to the following example (note that the hostnames are different for each configuration but the cell name is the same):

Please enter the DCE hostname for this system [leaper]: Do you wish to search the LAN for known DCE cells (YES/NO/?) [Y]? n Please enter the name for your DCE cell []: leaper_cell.dce.zko.dec.com Hostname: leaper Cellname: leaper_cell.dce.zko.dec.com Do you want to save these names for your DCE configuration (YES/NO/?) [Y]? Do you wish to configure leaper as the Security Master server (YES/NO/?) [N]? Do you wish to configure leaper as a Security Replica server (YES/NO/?) [N]? Please enter the hostname of the DCE security registry []: opra Checking TCP/IP local host database for address of "opra". Please wait . . . Checking BIND servers for address of "opra". Please wait . . . Please enter the principal name to be used [cell_admin]: Please enter the password for principal "cell_admin" (or ? for help): Will leaper be the CDS Master server for the cell (YES/NO/?) [N]? y Do you want to enable the Global Directory Agent (YES/NO/?) [N]? n Does this cell use multiple LANs (YES/NO/?) [N]? Do you want to enable DCE DTS (YES/NO/?) [N]? y Do you want this host to be a DCE DTS Local Server (YES/NO/?) [N]? y Do you want to configure the NSI Agent (YES/NO/?) [N]? y Do you want to enable DCE integrated login support (YES/NO/?) [N]? Do you want to proceed with this operation (YES/NO/?) [N]? y Do you want to save this service configuration (YES/NO/?) [Y]

When you are finished configuring the CDS master server, return to the paused security registry server configuration. Answer YES to the following question:
Has the CDS Master Server been configured (YES?NO/?) [Y]? YES
The configuration for split servers is completed.

4.8 Considerations for Rebuilding Split Servers

If you have a split server configuration, you must rebuild the security server first. When it pauses, rebuild the CDS server configuration. When the CDS server configuration is completed, continue rebuilding the security server.

4.9 Running the Configuration Verification Procedure

You can run the Configuration Verification Procedure (CVP) at the end of a successful configuration by choosing Test (Option 8) on the initial DCE Configuration Menu or by entering the following command:

$ @SYS$MANAGER:DCE$SETUP TEST

The CVP starts and displays the following informational messages:

The CVP invokes tests of the 10 DCE RPC interfaces, displaying a dot (.) as each test is successful. A completely successful test execution results in 10 dots printed in succession.

The CVP test requires CDS and Security. The test procedure does not run correctly if your system has been configured for RPC only.

4.10 Logical Names Created During Configuration

The configuration process creates the following logical names:

Logical Name Description

DCE Defines a search list pointing to directories SYS$COMMON:[DCE$LIBRARY] and SYS$LIBRARY. These directories contain Application Developer's Kit include files and other files for creating DCE applications.

DCE$COMMON Points to the directory SYS$COMMON: [DCELOCAL]. This directory holds DCE-specific files common to all DCE hosts in a cluster.

DCE$LOCAL Points to the directory DCE$SPECIFIC. This directory defines the top of the DCE directory hierarchy.

DCE$SPECIFIC Points to the directory SYS$SPECIFIC: [DCELOCAL]. This directory is for internal use only.

Logical Name	Description
DCE	Defines a search list pointing to directories SYS$COMMON:[DCE$LIBRARY] and SYS$LIBRARY. These directories contain Application Developer's Kit include files and other files for creating DCE applications.
DCE$COMMON	Points to the directory SYS$COMMON: [DCELOCAL]. This directory holds DCE-specific files common to all DCE hosts in a cluster.
DCE$LOCAL	Points to the directory DCE$SPECIFIC. This directory defines the top of the DCE directory hierarchy.
DCE$SPECIFIC	Points to the directory SYS$SPECIFIC: [DCELOCAL]. This directory is for internal use only.

4.11 Configuration Error Recovery

If the system configuration utility encounters problems, error messages are displayed. When the procedure encounters nonfatal errors, it tries to continue. If the procedure encounters a fatal error, it terminates the requested operation.

The following list provides suggestions for dealing with errors encountered during a configuration:

Read SYS$MANAGER:DCE$SETUP.LOG.
If the configuration utility displays an error message, you can get more detailed information about the cause of the error by examining the associated log file, SYS$MANAGER:DCE$SETUP.LOG. This log file contains a record of the operations invoked by the system configuration utility and may help you diagnose the cause of the problem.
Retry the operation.
Because of the inherent nature of distributed computing, some errors are caused by transitory conditions such as the temporary shutdown of a server. The error may not recur if you retry the operation.
If the error occurs during a configure operation, make sure the reported problem has been corrected and then restart the configuration. If an error occurs during a START operation, follow these steps:
1. Stop all active daemons and delete all temporary local DCE databases using the following command:
  $ @SYS$MANAGER:DCE$SETUP.COM CLEAN
2. Re-enter the START command, as follows:
  $ @SYS$MANAGER:DCE$SETUP.COM START

If the previous steps do not work and you have an Alpha system running OpenVMS Version 7.2, follow these steps:

Stop all active daemons and delete all temporary local DCE databases using the followng command:
$ @SYS$MANAGER:DCE$SETUP.COM CLEAN
Stop the RPC deamon and clean out the RPC endpoint database using the following command:
$ @SYS$MANAGER:DCE$RPC_SHUTDOWN CLEAN
Reenter the START command, as follows:
$ @SYS$MANAGER:DCE$SETUP.COM START

4.12 Configuring on a VMScluster

You must configure each node in a VMScluster separately by entering the following command on each node:

$ @SYS$MANAGER:DCE$SETUP.COM CONFIG

4.13 Configuring in a POSIX Environment

If POSIX is already installed and running on your system, then the DCE configuration (DCE$SETUP.COM) performs the DCE setup for POSIX. However, if POSIX is installed after you perform the DCE configuration, then SYS$STARTUP:POSIX$STARTUP.COM performs the DCE setup for POSIX.

4.13.1 When POSIX Is Installed Before the Configuration

If POSIX is already installed and running on your system, the following symbolic links are defined during the DCE configuration:

/usr/dce/examples, which points to SYS$COMMON: [SYSHLP.EXAMPLES.DCE]
This directory is the top-level directory for all OpenVMS DCE examples. Each subdirectory also includes makefiles for POSIX builds.
/usr/dce/bin, which points to SYS$COMMON: [SYSHLP.EXAMPLES.DCE
OSIX]
This directory contains POSIX images for dce_login, kinit, klist, kdestroy, and acl_edit. These images may be called without specifying their full pathname. The pathname is added to the user's PATH environment variable during POSIX shell activation.

After installing and configuring DCE, the system manager should enter the following line at the end of /etc/profile:

. /usr/dce/bin/dce_defs.sh

Note the dot (.) at the beginning of the line. (In a future release of POSIX, it will not be necessary to add this line.)

4.13.2 When POSIX Is Installed After the Configuration

If POSIX is not installed and running until after the DCE configuration, then have the system manager perform the following steps:

Run the command procedure SYS$STARTUP: POSIX$STARTUP.COM.
Add the following line at the end of /etc/profile:
. /usr/dce/bin/dce_defs.sh
Note the dot (.) at the beginning of the line. (In a future release of POSIX, it will not be necessary to add this line.)

Contents

Index

[NO]CONFIRM	Turns user prompting on or off. CONFIRM is the default.
CLEAN	Deletes all entries from the RPC endpoint database.