Document revision date: 5 July 2000

Compaq DCE for OpenVMS VAX and OpenVMS Alpha
Installation and Configuration Guide




Chapter 5
Configuring DCE

This chapter explains how to create a cell and configure the Security server and CDS server on the same system. It also discusses how to configure a client system into an existing DCE cell.

5.1 DCE System Management Command Procedure

In DCE for OpenVMS Version 3.0, the DCE system management command procedure SYS$MANAGER:DCE$SETUP.COM has been changed. These changes are described in the following sections.

An RPC only configuration can be started with the startup command procedure described in the next section. DCE$SETUP stops RPCD during configuration. In DCE for OpenVMS Version 1.5, DCE$SETUP was modified not to stop RPCD. Changes in the DCE daemons required reverting to the previous behavior. DCE$SETUP.COM has been rewritten to add the new functionality for DCE R1.2.2, and to more closely match the configuration program for DCE for Tru64 UNIX.

5.1.1 Starting and Stopping the RPC Daemon

The RPC daemon can be started and stopped with the command files DCE$RPC_STARTUP.COM and DCE$RPC_SHUTDOWN.COM. These files are located in SYS$COMMON:[SYSMGR].

To start the RPC daemon, execute DCE$RPC_STARTUP.COM. You can specify the following option:


[NO]CONFIRM          Turns user prompting on or off.  CONFIRM is the default. 

To stop the RPC daemon, execute DCE$RPC_SHUTDOWN.COM. You can specify the following options in any order:


[NO]CONFIRM          Turns user prompting on or off.  CONFIRM is the default. 
CLEAN                Deletes all entries from the RPC endpoint database. 

Note

Do not stop the RPC daemons if any RPC applications are running on the system.

5.1.2 Limiting RPC Transports

The RPC daemon can limit the protocols used by RPC applications. To restrict the protocols that can be used, define the logical name RPC_SUPPORTED_PROTSEQS to contain the valid protocols, separated by colons. Valid protocols are ncadg_ip_udp, ncacn_ip_tcp, and ncacn_dnet_nsp. For example:


$ DEFINE RPC_SUPPORTED_PROTSEQS "ncadg_ip_udp:ncacn_ip_tcp" 

Because ncacn_dnet_nsp is omitted from the list, this prevents applications and servers from registering endpoints that use DECnet.
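
One way to check the setting before relying on it, as an added DCL example that is not part of the Compaq documentation: it translates RPC_SUPPORTED_PROTSEQS as seen by the current process, compares each entry with the three protocol sequences listed above, and reports whether the DECnet sequence is present. The procedure name, symbol names, and message texts are assumptions.

```dcl
$! CHECK_PROTSEQS.COM  (hypothetical procedure name; added example)
$! Reports how RPC_SUPPORTED_PROTSEQS translates for the current process
$! and flags entries that are not one of the three protocol sequences
$! named in section 5.1.2. The comparison is exact, using the spellings
$! given there.
$!
$ valid = ":ncadg_ip_udp:ncacn_ip_tcp:ncacn_dnet_nsp:"
$ value = F$TRNLNM("RPC_SUPPORTED_PROTSEQS")
$ IF value .EQS. ""
$ THEN
$   WRITE SYS$OUTPUT "RPC_SUPPORTED_PROTSEQS is not defined for this process"
$   EXIT
$ ENDIF
$ WRITE SYS$OUTPUT "RPC_SUPPORTED_PROTSEQS = ", value
$ bad = 0
$ decnet = "not listed"
$ i = 0
$NEXT:
$ item = F$ELEMENT(i, ":", value)      ! returns ":" past the last element
$ IF item .EQS. ":" THEN GOTO REPORT
$ i = i + 1
$ IF item .EQS. "" THEN GOTO NEXT      ! skip empty fields such as "a::b"
$ IF F$LOCATE(":" + item + ":", valid) .EQ. F$LENGTH(valid)
$ THEN
$   WRITE SYS$OUTPUT "  unrecognized protocol sequence: ", item
$   bad = bad + 1
$ ELSE
$   WRITE SYS$OUTPUT "  allowed: ", item
$   IF item .EQS. "ncacn_dnet_nsp" THEN decnet = "listed"
$ ENDIF
$ GOTO NEXT
$REPORT:
$ WRITE SYS$OUTPUT "DECnet transport (ncacn_dnet_nsp): ", decnet
$ IF bad .GT. 0 THEN WRITE SYS$OUTPUT "Unrecognized entries: ", F$STRING(bad)
$ EXIT
```

The result reflects only the logical name tables that the invoking process searches.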

5.1.3 Logical Names Created During Configuration

The configuration process creates the following logical names:
Logical Name            Description
DCE                     Defines a search list pointing to directories SYS$COMMON:[DCE$LIBRARY] and SYS$LIBRARY. These directories contain the Application Developer's Kit include files and other files for creating DCE applications.
DCE$COMMON, DCE_COMMON  Points to the directory SYS$COMMON:[DCELOCAL]. This directory holds DCE-specific files common to all DCE hosts in a cluster.
DCE$LOCAL, DCE_LOCAL    Points to the directory DCE$SPECIFIC:. This directory defines the top of the DCE directory hierarchy.
DCE$SPECIFIC            Points to the directory SYS$SPECIFIC:[DCELOCAL]. This directory is for internal use only.
DCE$SYSROOT             Points to the directories DCE$SPECIFIC:, DCE$COMMON:. This logical is used to find DCE files that may be in either system-specific or cluster-general trees.
TCL_LIBRARY             Points to the directory DCE_COMMON/TCL (UNIX file syntax). This directory holds files that allow the TCL interface to the DCE command line programs to function.

The logical names that contain a dollar sign use VMS-style directory syntax. The logical names that contain underscores use UNIX-style directory syntax (for use by various DCE internal applications).

5.1.4 Configuring on a VMScluster

You must configure each node in a VMScluster separately by entering the following command on each node:


    $ @SYS$MANAGER:DCE$SETUP CONFIG 

5.2 Overview of New Cell Configuration

To configure a new cell, you must complete the following steps:

  1. To begin your initial cell creation and server configuration, invoke the DCE configuration utility.
  2. If you are creating a new cell or adding a CDS server, choose option 6 (Terminate all active DCE daemons and remove all temporary local DCE databases) to stop the DCE daemons in a controlled manner. Be sure to back up your security and CDS databases before proceeding if this has not been done.
  3. Choose option 1 from the DCE Setup Main Menu to configure DCE services on your system. You must have system privileges to modify the DCE system configuration.
    The procedure displays the following menu:


                DCE Configuration Menu 
                DCE for OpenVMS Alpha V3.0 
     
        1)  Client           Configure this system as a DCE client 
        2)  New Cell         Create a new DCE cell 
        3)  CDS Server       Add Master CDS Server 
        4)  Modify           Modify DCE cell configuration 
        5)  RPC_Only         Configure this system for RPC only 
     
        0)  Exit             Exit this procedure 
        ?)  Help             Display helpful information 
     
    Please enter your selection: 
    

    Table 5-1 provides descriptions of the options available on the DCE Configuration Menu.

    Table 5-1 Configuration Menu Options
    Option       Description
    Client       Provides full DCE RPC services, client services for CDS and Security, and optional time services. A DCE client system must join an existing DCE cell with a security registry and a CDS master server available on other systems in the cell.
    New Cell     Provides full DCE RPC services, a security registry server for the cell, a CDS master server, a DTS server, and the NSI agent for name service independent access to directory services from PC client systems. There can be only one security registry and CDS master server in a cell, although they need not reside on the same host.
    CDS Server   Provides a DCE client system with a CDS master server added. This option is used if a split server configuration is desired, and the new cell (on another system) was configured without a CDS master server.
    Modify       Provides a submenu of additional configuration options that are available after the initial configuration has completed.
    RPC_Only     Provides a subset of the DCE RPC services. If DCE Version 3.0 is installed on an OpenVMS Alpha system running Version 7.2-1 or higher, NTLM security may be utilized for authenticated RPC requests. With an RPC only configuration, there are no RPC name service interface routines available. This configuration will, however, allow applications to communicate if full string bindings are supplied by the RPC client, or if the client requests the port number to complete the partial string binding from the end point mapper (DCED daemon).

  4. Choose option 2 to create a new DCE cell.
  5. At each prompt, you can press RETURN to take the default displayed in brackets or enter a question mark (?) for help. When prompted, select a cell name and a host name; the name is used again when you configure DCE client systems.
  6. The configuration utility asks if you want to configure the host as a CDS server. Answer Y to configure the CDS and security servers on the same system. Answer N to perform a split server installation in which you configure the security server on the current host and the CDS server on a different host.
  7. If you answered Y to configure the CDS and security servers on the same system, the utility asks:


    Will there be any DCE pre-R1.1 CDS servers in this cell? (YES/NO/?) [N]: 
    

    If your cell will be running any CDS servers based on OSF DCE Release 1.0.3a or lower (equivalent to Compaq DCE for OpenVMS Version 1.5 or lower), you should answer Y. The configuration utility sets the directory version number to 3.0 for compatibility with pre-R1.1 servers. This setting disables the use of OSF DCE Release 1.1 features such as alias cells, CDS delegation ACLs, and so on.
    If all CDS servers in your cell will be based on Compaq DCE for OpenVMS Version 3.0 (or higher) and based on OSF DCE Release 1.1 (or higher), answer N.
    The configuration utility sets the directory version number to 4.0 for compatibility with Compaq DCE for OpenVMS Version 3.0 CDS servers (OSF DCE Release 1.2.2). This enables the use of OSF DCE Release 1.1 features such as alias cells, CDS delegation ACLs, and so on, and OSF DCE Release 1.2.2 features. Once the directory version is set to 4.0, you cannot set it back to 3.0.

  8. You are prompted to confirm the system time; it is important that you check the current time before you respond.
  9. The configuration utility will prompt for the Domain Name and DNS server address.
  10. If DECnet/OSI is installed on your system, the configuration utility displays the following message and then asks several questions about configuring a DCE Distributed Time Service server on your system.


    You seem to have DECnet/OSI installed on this system. DECnet/OSI 
    includes a distributed time synchronization service (DECdts), which 
    does not currently support the DCE Distributed Time Service (DCE DTS) 
    functionality. The DCE DTS in this release provides full DECdts 
    functionality. This installation will stop DECdts and use DCE DTS 
    instead. For further clarification, please consult the Compaq DCE 
    for OpenVMS VAX and OpenVMS Alpha Product Guide. 
    

    Even though DCE DTS will be used, it is possible to accept time from DECdts servers.


    Should this node accept time from DECdts servers? (YES/NO/?) [N]: 
     
    Do you want this system to be a DTS Server (YES/NO/?) [Y]: 
     
    Do you want this system to be a DTS Global Server (YES/NO/?) [N]: 
     
    Does this cell use multiple LANs? (YES/NO/?) [N]: 
    

    Answer the questions appropriately.

  11. The configuration utility asks if you want to run the MIT Kerberos 5 services on this machine. A Y answer runs the configuration utility.


    Do you intend to run MIT Kerberos 5 services on this machine? (YES/NO/?)  [N] 
    

  12. The configuration utility asks if you want to configure the LDAP name service on this system. A yes answer prompts the question, "Do you want to configure the system as an LDAP client?" and requires that you enter further information regarding LDAP services.


        Do you want to configure the LDAP name service? (YES/NO/?) [N]: 
    

  13. The configuration utility asks if you want to configure gdad to use LDAP. (gdad is the daemon for the Global Directory Agent.)


    Do you want to configure gdad to use LDAP? (YES/NO/?) [N]: 
    

  14. Next, the screen displays your selections and asks whether to save them as your DCE system configuration. Answer Y.
  15. All previous temporary and permanent DCE databases and configuration files are now removed prior to starting the new configuration.
  16. The configuration utility asks you to enter some random keystrokes in order to supply a keyseed for the security server.


        *********************************************************************** 
        *  Starting the security server requires that you supply              * 
        *  a `keyseed.'  When asked for a `keyseed,' type some                * 
        *  random, alphanumeric keystrokes, followed by RETURN.               * 
        *  (You won't be required to remember what you type.)                 * 
        *********************************************************************** 
     
        Enter keyseed for initial database master key: 
    

  17. The configuration utility asks you to enter the password for the cell_admin account, and asks for confirmation.


    Please type new password for cell_admin (or `?' for help): 
     
    Type again to confirm: 
    

  18. The DCE daemons are started and configuration information is set up. After the dts daemon is started, you are prompted to run the DCE Configuration Verification Program (CVP). Press RETURN to start the CVP.
  19. To verify that all requested services are configured, choose option 2 (Show DCE configuration and active daemons) from the DCE Setup Main Menu. The screen displays all configured DCE services and active DCE daemons.

You have completed creating a cell.

5.3 Configuring Your System as a DCE Client with Run-Time Services

If you want to add your system to an existing cell, choose option 1 (Configure this system as a DCE Client) from the Configuration Choice Menu. This option configures the run-time services subset on your system.

Note

During the initial DCE client configuration, the client software may have problems locating the Cell Directory Service server if the Internet protocol netmask for your client machine is not consistent with the netmask used by other machines operating on the same LAN segment. You might need to consult your network administrator to determine the correct value to use as a netmask on your network.

When you choose option 1, the procedure displays the following messages:


    Starting DCE client configuration . . . 
 
    At each prompt, enter your response.  You may enter RETURN for 
    the default response, displayed in [brackets], or `?' for help. 
    Entering a CONTROL-Z will terminate this configuration request. 
 
    Press RETURN to continue . . . 
 
    Removing temporary local DCE databases and configuration files 
 
    Removing permanent local DCE databases and configuration files 
 
                    Starting client configuration 
 
        Initializing RPC & Security Client Services daemon (DCE$DCED) . . . 
    %RUN-S-PROC-ID, identification of created process is 2380A9A6 
 
        Starting RPC & Security Client Services daemon (DCE$DCED) . . . 
    % RUN-S-PROC-ID, identification of created process is 238110A8 

The configuration utility asks whether to search the LAN for known cells within the broadcast range of your system.


    Would you like to search the LAN for known cells? (YES/NO/?) [Y]: 

If you know the name of your DCE cell, answer N. As prompted, supply the name of your DCE cell, your DCE host name, and the host name of your cell's master CDS server. You also need to specify whether your host can broadcast to the host where the master CDS server is installed.

Answer Y to see a list of available DCE cells. As prompted, supply your DCE host name. At the next prompt, supply the appropriate DCE cell name from the list.


        Gathering list of currently accessible cells (please wait) 
 
    Please enter your DCE hostname [dcehost]: 
 
    The following cells were discovered within broadcast range of this system: 
 
    Buster-cell 
    Kauai-cell 
    Myhost-cell 
    Tahoe-cell 
 
    Please enter the name of your DCE cell [buster-cell]: 

If you do not know the name of the cell you want to join, consult your network administrator. Do not add the /.../ prefix to the cell name; the procedure automatically adds it.

The prompt might contain a cell name that is the last configured cell name for this host or the first cell name from the alphabetical list of available cells. If you enter a cell name that is not on the list of cell names, the procedure assumes you are performing a WAN configuration, and asks you whether the CDS server is located on the same LAN or subnet.


    Is the CDS Master Server within broadcast range (YES/NO/?) [N]: 

After you enter your cell name, the procedure continues, displaying information similar to the following, but dependent on your configuration:


    Terminating RPC Services/Dce Security Client daemon (DCE$DCED) . . . 
 
            ***  RPC (DCED) shutdown successful  *** 
 
        Starting RPC & Security Client Services daemon (DCE$DCED) . . . 
    % RUN-S-PROC-ID, identification of created process is 238110B0 
 
        Starting CDS Name Service Advertiser daemon (DCE$CDSADVER) . . . 
    % RUN-S-PROC-ID, identification of created process is 238110B1 
 
        Starting CDS Name Service Client daemon (DCE$CDSCLERK) . . . 
    % RUN-S-PROC-ID, identification of created process is 238110B2 
 
   Could not find security master using dcecp registry show 
 
                Attempting to locate security server 
                Found security server 
                Creating dce$local:[etc.security]pe_site.; file 
                Checking local system time 
                Looking for DTS servers in the LAN profile 
                Looking for Global DTS servers in this cell 
                Found DTS server 
 
        The local system time is: Wed October 13 12:01:14 1999 
 
    Is this time correct? (y/n): 

Make sure you check that the correct time is displayed before you continue with the configuration. If the time is incorrect, answer N, and the procedure exits to the operating system to allow you to reset the system time. After you correct or verify the time, answer Y, and the procedure resumes.

If DECnet/OSI is installed on your system, the configuration utility displays the following message and then asks several questions about configuring a DCE Distributed Time Service server on your system.


    You seem to have DECnet/OSI installed on this system. DECnet/OSI 
    includes a distributed time synchronization service (DECdts), which 
    does not currently support the DCE Distributed Time Service (DCE DTS) 
    functionality. The DCE DTS in this release provides full DECdts 
    functionality.  This installation will stop DECdts and use DCE DTS 
    instead.  For further clarification, please consult the Compaq DCE 
    for OpenVMS VAX and OpenVMS Alpha Product Guide. 

Even though DCE DTS will be used, it is possible to accept time from DECdts servers.


    Should this node accept time from DECdts servers? (YES/NO/?) [N]: 

Answer Y to accept time from any DECnet/OSI DECdts server; however, time from this source is unauthenticated. If you answer N, this system accepts time only from DCE time servers.

If DECnet/OSI is not installed on your system, the configuration utility omits the previous DECdts questions and instead asks:


    Do you need the Distributed Time Service (YES/NO/?) [Y]: 

Answer Y to configure the host as a DTS client.

The configuration utility asks if you want to run the MIT Kerberos 5 services on this machine. An answer of Y runs the configuration utility.


  Do you intend to run MIT Kerberos 5 services on this machine? (YES/NO/?)  [N]: 

After you respond to the prompt, the procedure stops the CDS advertiser and clerk and asks you to perform a dce_login operation, as follows:


        Terminating CDS Name Service Advertiser daemon (DCE$CDSADVER) . . . 
 
        Terminating CDS Name Service Client daemon (DCE$CDSCLERK) . . . 
 
    Please enter the principal name to be used [cell_admin]: 
    Please enter the password for principal "cell_admin" (or ? for help): 

Obtain the password from your system administrator. After you perform the dce_login operation, the procedure begins configuring the security client software. If this system was previously configured as a DCE client or your cell has another host with the same name, the configuration utility also displays a list of client principals that already exist for this system and asks whether to delete the principals. You must delete these principals to continue with the configuration.


        Configuring security client 
         Creating Dce$Specific:[krb5]krb.conf 
 
    The following principal(s) already exist under /hosts/dcehost/: 
 
    /./buster-cell/hosts/dcehost/self 
 
 
    Do you wish to delete these principals? (YES/NO/?) [Y]: 
 
            Deleting client principals 
 
            Creating ktab entry for client 
 
        Terminating RPC & Security Client Services daemon (DCE$DCED) . . . 
 
        Starting RPC & Security Client Services daemon (DCE$DCED) . . . 
    %RUN-S-PROC-ID, identification of created process is 238110B3 
 
        Starting sec_client service (please wait). 
 
 
        This machine is now a security client. 
 
    Press <RETURN> to continue . . . 
 
        Configuring CDS client 
            Creating the cds.conf file 
 
        Starting CDS Name Service Advertiser daemon (DCE$CDSADVER) . . . 
    %RUN-S-PROC-ID, identification of created process is 238110B4 
 
        Starting CDS Name Service Client daemon (DCE$CDSCLERK) . . . 
    %RUN-S-PROC-ID, identification of created process is 238110B5 
 
    Testing access to CDS server (please wait). 
 
 
    Logging in to DCE using principal "cell_admin" . . . 
    Checking TCP/IP local host database address of "dcehost". Please wait . . . 
    
    Configuring client host objects in cell namespace . . . 
 
            Creating /.:/hosts/dcehost objects in name space 
 
    Checking TCP/IP local host database for address of "dcehost". Please 
    wait . . . 

If your cell uses multiple LANs, you are prompted as follows:


    Please enter the name of your LAN [1.2.3]: 

If your LAN has not been defined in the namespace, you are asked whether you want to define it. The configuration procedure then continues:


        This machine is now a CDS client. 
 
            Stopping sec_client service... 
 
        Starting sec_client service (please wait). 
 
            Modifying acls on /.:/hosts/dcehost/config 
               secval 
               xattrschema 
               srvrexec 
               keytab 
               keytab/self 
               hostdata 
               hostdata/dce_cf.db 
               hostdata/cell_name 
               hostdata/pe_site 
               hostdata/cds_attributes 
               hostdata/cds_globalnames 
               hostdata/host_name 
               hostdata/cell_aliases 
               hostdata/post_processors 
               hostdata/svc_routing 
               hostdata/cds.conf 
               hostdata/passwd_override 
               hostdata/group_override 
               hostdata/krb.conf 
               srvrconf 
 
    Logging in to DCE using principal "cell_admin" . . . 
 
        Configuring DTS daemon as client (DCE$DTSD) 
 
        Starting Distributed Time Service daemon (DCE$DTSD) . . . 
    %RUN-S-PROC-ID, identification of created process is 238110B5 
 
    This machine is now a DTS clerk. 
 
 
    Do you want to run the DCE Configuration Verification Program? (YES/NO/?) [Y]: 

The DCE Configuration Verification Program (CVP) exercises the components of DCE that are running in this cell. It requires approximately 1 to 2 minutes to run.

If you type y to run the CVP at this time, you see the following display:


    Executing DCE for OpenVMS Alpha V3.0 CVP (please wait) 
 
    Copyright (c) Compaq Computer Corporation. 1999. All Rights Reserved. 
 
    . 
    . 
    . 
 
    DCE for OpenVMS Alpha V3.0 CVP completed successfully 

When the procedure is completed, the DCE Setup Main Menu is displayed again.

