Previous | Contents |
If the process has its UIC set to DCD$SERVER, and does not have the BYPASS privilege set, DCE command line utilities will fail with the following error:
error creating SMG virtual keyboard. %NONAME-E-NOMSG, Message number 00000002 |
The resolution to this problem is to either run under a UIC other than DCE$SERVER, or to set the BYPASS privilege on accounts set to the DCE$SERVER UIC.
This problem does not affect the running of the DCE daemons, only user
processes.
14.33 Dumping the CDS Cache
The CDSCP and DCEDP commands to examine the CDS cache will fail with the following errors if CDSCP or DCECP is run under a Process UIC other than [DCE$SERVER]:
$ CDSCP DUMP CLERK CACHE Cannot map -1 - check id and protection An error occured calling a CDS API function. (dce / cds) $ DCECP -C CDSCACHE DUMP Cannot map -1 - check id and protection Error: The cache dump failed in an indeterministic mode. |
To work around this restriction, issue the following DCL command before you invoke CDSCP or DCECP:
$ SET UIC [DCE$SERVER] |
Remember to reset your UIC to its original value after you use this
command.
14.34 CDS Clerk Failing on UCX Shutdown
If you issue a SYS$STARTUP:UCX$SHUTDOWN command while running DCE, you may get a CDS Clerk failure and an Access Violation. You may then encounter problems restarting the CDS Clerk (and DCE itself) with the DCE$SETUP START command.
The primary problem is that UCX is being shut down while DCE is still active. Because DCE uses UCX, DCE should always be shut down first.
To recover from this problem, you need to shut down DCE first and then
restart. Simply trying to restart without first shutting down DCE will
not fix the underlying problem. Because temporary files may be left in
an indeterminate state, you may also want to perform a DCE$SETUP CLEAN
operation before restarting.
14.35 Global Directory Agent Configuration
The Global Directory Agent (GDA) is configured on the OpenVMS node that contains the CDS Master Replica name server. The DNS domain name (for example, zko.dec.com) and the Internet Address of an authoritative DNS Master Bind Server (for example, 16.32.2.11) are required during configuration if you are using DNS Bind style cellnames.
Before access to multiple CDS namespaces is possible, the following are required after the configuration:
If you are unsuccessful in configuring intercell communication, check for the following:
$ STOP/ID=xxxxxxxx $ @sys$manager:dce$setup start |
In DCE for OpenVMS Version 1.5, a change was made to disassociate RPC shutdown from DCE shutdown. This was done to allow RPC only applications to remain active while DCE changes were being made.
In DCE Version 1.5, DCE$SETUP stop/clean/clobber did not call the RPC
shutdown procedure, and gave a warning that RPC would not be shut down.
DCE Version 3.0 requires that dced (the new RPC endpoint mapper) be
shut down during certain operations. Therefore, the behavior of DCE
Version 3.0 has changed, and the RPC shutdown procedure is now called
from DCE$SETUP.COM. This requires the system manager to be aware of any
RPC-only applications that may be active at the time of DCE
configuration operations.
14.37 IDL Error When Installing DCE
When installing DCE over an existing DCE implementation, you may see an IDL error if the DCE Application Developer's Kit was previously installed, but is not being installed for the upgrade.
The installation is attempting to remove the DCL commands that are associated with the developer's kit from DCLTABLES.EXE, and is failing. The following error can be ignored. Answer NO to the question "Do you want to terminate?".
%PCSI-E-MODDELERR, error deleting module IDL_CLD from library %PCSI-E-OPFAILED, operation failed Terminating is strongly recommended. Do you want to terminate? [YES] n |
When installing DCE on OpenVMS VAX Version 6.2, you may see the following errors:
%PCSI-E-ERROWNER, error in owner specification 'DCE$SERVER' %PCSI-E-OPFAILED, operation failed |
or
%PCSI-E-PARUDF, the directory [DCELOCAL.ETC] has not been provided by a previous Install or Register operation - file ownership and protection update skipped |
followed by:
Terminating is strongly recommended. Do you want to terminate? [YES] n |
These errors can be safely ignored - answer NO to the question "Do you
want to terminate?".
14.39 Port Error During DCE Configuration
If the error shown below occurs during DCE configuration, your system has the TCP/IP NTP daemon configured. Since DCE also provides an NTP daemon, you must decide which daemon you want to use.
If you use the DCE NTP daemon, you must disable the TCP/IP NTP daemon using your TCP/IP configuration program before you can enable the DCE one.
If you use the TCP/IP NTP daemon, then you can ignore the following error. Answer "Y" to the question about whether you want to proceed.
*************************** ERROR ******************************** Port number 123 is in use by a service other than "ntp". Please check configuration! Service "ntp" must use port number 123. ***************************************************************** Press <RETURN> to continue . . . Do you want to proceed with this operation (YES/NO/?) [N]? |
When the DCE Configuration Verification Program (CVP) or the test option from the DCE main menu is run, the following error may occur:
%CMA-F-EXCCOPLOS, exception raised; some information lost |
This error can be ignored.
14.41 Problem Converting DTS Local to DTS Global Server
Modification of the DCE configuration to convert an existing DTS local server to a DTS global server results in the following error:
ERROR- An error occurred attempting to log in to DCE with principal name "cell_admin" Sorry. Password Validation Failure. - Cannot log in with zero-length password (dce/sec) Do you wish to try another principal name? |
If you answer yes to this question, and give the cell_admin username
and password to the prompts, the conversion to the DTS global server
will be successful.
14.42 Problems With Sun Solaris DCE System as CDS Master
There are known problems with Sun Solaris Version 2.6 and Transarc DCE
Version 2.1 as the CDS master if you are attempting to configure a
split server configuration using DCE on OpenVMS, Tru64 UNIX, or Windows
NT. Solaris Version 2.4 and Transarc DCE Version 1.1 work correctly.
Contact your DCE vendor for further information.
14.43 Compile Warning in Example Programs
The CXX example programs may produce the following warning on compilation:
IDL_ms.IDL_call_h = (volatile rpc_call_handle_t)IDL_call_h; ...............^ %CXX-W-CASTQUALTYP, type qualifier is meaningless on cast type at line number 117 in file USER$1:[DCE12.EXAMPLES.RPC.IDLCXX. ACCOUNT]ACCOUNT_SSTUB.CXX;1 |
This warning can be safely ignored.
14.44 Missing CXX Library
Some versions of CXX may not include the library
SYS$LIBRARY:LIBCXXSTD.OLB. If this is the case, this line may be
removed from the options file found in
SYS$COMMON:[DCE$LIBRARY]DCE_CXX.OPT.
14.45 Unknown Ethernet Device on Host System
If your system is relatively new, DCE may not know about the Ethernet device on the system. DCE uses the Ethernet device to obtain an Ethernet address which is used in the generation of UUIDs. If you see errors such as the following, your Ethernet device is not known by DCE:
%UUIDGEN-F-RPC_MESSAGE, Received Error Status: "no IEEE 802 hardware address (dce / rpc)" |
You can define one additonal Ethernet device in the table used by DCE by defining the logical name DCE$IEEE_802_DEVICE to the name of your Ethernet device as shown in the following example:
DEFINE/SYSTEM DCE$IEEE_802_DEVICE EWA0 |
This will allow DCE to operate using the Ethernet device named EWA0 (a
device type of DE500).
14.46 Public Key Routines Not Supported on OpenVMS
DCE public key technology is not currently supported on OpenVMS. The pkc_* routines and classes ( pkc_add_trusted_key , etc.) are not in DCE$LIB_SHR.EXE, and will generate undefined symbols if an application that uses them attempts to link.
The Open Group has stated their intention to replace the existing public key technology in DCE with a noninteroperable replacement, based on X.509v3, in a future release.
There has been such a high volume of change activity in the IETF relative to Public Key Infrastructure (PKI) and Kerberos that the [RFC 68.3] functionality will not be forward compatible with this Specification. Therefore, current users of DCE 1.2.2-based products with [RFC 68.3] functionality should refrain from deploying the public key based login support1. |
For this reason, Compaq is not supplying the obsolete public key functionality in Compaq DCE for OpenVMS Version 3.0. For information on the status of public key in DCE, see The Open Group's DCE World Wide Web (WWW) address:
http://www.opengroup.org/tech/dce/ |
The command to show the DCE audit trail files requires a UNIX style file specification. For example:
$ dcecp -c audtrail show /dcelocal/var/audit/adm/central_trail |
Some systems may see the following warnings when installing DCE:
The following product will be installed to destination: DEC VAXVMS DCE V3.0 DISK$MOOSE2_SYS:[VMS$COMMON.] %PCSI-I-RETAIN, file [SYSEXE]DTSS$SET_TIMEZONE.EXE was not replaced because file from kit does not have higher generation number %PCSI-I-RETAIN, file [SYSLIB]DTSS$RUNDOWN.EXE was not replaced because file from kit does not have higher generation number %PCSI-I-RETAIN, file [SYSUPD]DTSS$INSTALL_TIMEZONE_RULE.COM was not replaced because file from kit does not have higher generation number %PCSI-I-RETAIN, file [SYSUPD]DTSS$TIMEZONE_RULES.DAT was not replaced because file from kit does not have higher generation number |
These warnings can be safely ignored. They indicate that certain files that may also be provided by Compaq OpenVMS are newer than the files in the DCE kit.
1 Draft Technical Standard - DCE 1.2.3 Public Key Certificate Login, Draft 0.8, The Open Group, August 1998 |
15 New APIs for Authenticated RPC
The following APIs are included in DCE Version 1.5 and above to
manipulate the sec_winnt_auth_identity structure. They are supported on
OpenVMS Version 7.2-1 and higher.
15.1 RPC_WINNT_SET_AUTH_IDENTITY
NAME rpc_winnt_set_auth_identity - This function is called by the client RPC application to allocate and populate a WINNT auth_identity structure to be used as a parameter to rpc_binding_set_auth_info(). The caller must use the rpc_winnt_free_auth_identity() function to free the WINNT auth_idenity. The strings that are passed in may be ASCI or Unicode (UCS-4) strings. The input flag will tell which type of strings they are. SYNOPSIS #include <rpc.h> PUBLIC void rpc_winnt_set_auth_identity ( rpc_winnt_auth_string_p_t Username; rpc_winnt_auth_string_p_t Password; rpc_winnt_auth_string_p_t Domain; unsigned __int64 CharacterSetFlag; rpc_auth_identity_handle_t *auth_identity; unsigned32 *stp) PARAMETERS INPUT username - Pointer to a null terminated string containing username. password - Pointer to a null terminated string containing password. domain - Pointer to a null terminated string containing domain. CharacterSetFlag SEC_WINNT_AUTH_IDENTITY_UNICODE 4 byte Unicode (UCS-4) SEC_WINNT_AUTH_IDENTITY_ANSI ASCII (ISO8859-1) OUTPUT auth_identity - Pointer to a pointer to WINNT auth_identity structure. stp - Pointer to returned status. |
Be sure to allocate space for three strings (username, password, domain). The string variables will probably be pointers of type unsigned_char_t if the strings are ASCII, or pointers of type wchar_t if the strings are Unicode (UCS-4). If the domain string is a valid empty string, then the domain of the computer will be used. |
NAME rpc_winnt_free_auth_identity - This function is called by the client RPC application to free a a WINNT auth_identity structure that was previously allocated by a call to rpc_winnt_set_auth_identity(). SYNOPSIS #include <rpc.h> PUBLIC void rpc_winnt_free_auth_identity ( rpc_auth_identity_handle_t *auth_identity, unsigned32 *stp) PARAMETERS INPUT auth_identity - Pointer to a pointer to WINNT auth_identity structure. On output auth_identity will be set to NULL. OUTPUT stp Pointer to returned status. |
The following APIs are included in DCE Version 1.5 and higher to
support server impersonation of a client. This means that the server
runs with the security credentials of the client, and all of the
capabilities of the client belong to the server.
16.1 RPC_IMPERSONATE_CLIENT
NAME rpc_impersonate_client - This function is called by the server application to allow the current server thread to run with all of the client privileges. SYNOPSIS #include <rpc.h> void rpc_impersonate_client( rpc_binding_handle_t binding_handle, rpc_status_t *status) PARAMETERS INPUT binding_handle - Specifies a server-side call handle for this RPC which represents the client to impersonate. OUTPUT status - Specifies a pointer to an unsigned 32 bit integer that holds a status code. |
NAME rpc_revert_to_self - This function is called by the server application to revert back to its original security context after impersonating a client. SYNOPSIS #include <rpc.h> rpc_revert_to_self(*status) PARAMETERS INPUT NONE OUTPUT status - Specifies a pointer to an unsigned 32 bit integer that holds a status code. |
NAME rpc_revert_to_self_ex - This function is called by the server application to revert back to its original security context after impersonating a client. This acts as a call to rpc_revert_to_self(); SYNOPSIS #include <rpc.h> rpc_revert_to_self_ex( rpc_binding_handle_t binding_handle, rpc_status_t *status) PARAMETERS INPUT call handle - This parameter is ignored. OUTPUT status - Specifies a pointer to an unsigned 32 bit integer that holds a status code. |
For more information on existing enhanced RPC security APIs, see the
Compaq DCE for OpenVMS VAX and OpenVMS Alpha Reference Guide.
17 The Routing File
To use routing file services on OpenVMS, define the following logical name for the process or the system for which logging information is desired: (syntax is exact for the routing file):
$ define/sys DCE_SVC_ROUTING_FILE "dce_local/var/svc/routing." |
This enables DCE applications to find and interpret the routing file, and direct any output to the locations specified in the routing file.
You can also set the number of buffered writes to perform before data is flushed to the file, as follows:
$ define/sys DCE_SVC_FSYNC_FREQ 10 |
The example above will flush the buffer every 10 writes.
Previous | Next | Contents |