Document revision date: 5 July 2000

Compaq recommends that you change only your DCE password. After changing your DCE password, the next time you log in to the OpenVMS system specifying your new DCE password at the OpenVMS password prompt, your OpenVMS password is changed to match your DCE password. There is no need to separately change your OpenVMS password.

To change your DCE password, invoke the CHPASS utility with an optional DCE principal name. For example, entering any of the following invokes the CHPASS utility:

$ chpass $ chpass smith $ mcr dce$chpass $ mcr dce$chpass smith

If you do not specify a DCE principal name on the command line, the CHPASS utility obtains the DCE principal name from the current credentials. For example:

$ chpass Old password: New password: Verification:

If the process does not have a default login context, you are prompted for your principal name. For example:

$ kdestroy $ chpass Please enter the principal name: smith Old password: New password: Verification:

As you enter the old and new passwords, the terminal does not echo the input. Because echoing is turned off, the user is asked to enter the new password twice to verify the input.

SYS$COMMON:[SYSMGR]DCE$DEFINE_REQUIRED_COMMANDS.COM defines the DCE symbol CHPASS, which is used to invoke DCE$CHPASS. If this symbol is not defined in your environment, you can define the symbol as follows:

$ CHPASS :== $SYS$SYSTEM:DCE$CHPASS.EXE

8.5 Enabling/Disabling Integrated Login on Your OpenVMS System

By default, Integrated Login is not enabled on your system. To enable Integrated Login, go to the Configuration Modify menu, and select the following:

8) Enable DCE Integrated Login

If Integrated Login is already enabled, the menu will display the following:

8) Disable DCE Integrated Login

Select this option to turn off Integrated Login capabilities on your system.

Each user on the OpenVMS system who wants to use Integrated Login must have an entry in the DCE$UAF file. DCE$UAF entries are created by using the DCE UAF utility (see Section 8.6) or by using the DCE IMPORT utility (see Section 8.7).

The DCE login required feature allows you to disable a user's account on all systems in the cell by simply removing that user's name from the DCE registry.

To enable the DCE login required flag, define the logical name DCE$IL_DCE_LOGIN_REQUIRED as follows:

$ DEFINE/SYSTEM/EXEC DCE$IL_DCE_LOGIN_REQUIRED TRUE

To disable the flag, enter the following command:

$ DEASSIGN/SYSTEM/EXEC DCE$IL_DCE_LOGIN_REQUIRED

8.5.1 Disabling a System Account for Integrated Login

When DCE is unavailable and Integrated Login is enabled with the DCE login required flag set, you are also prevented from logging in to OpenVMS. Compaq recommends that you do not include an entry for at least one system account in DCE$UAF. This disables that system account for Integrated Login, which ensures that you can log in to OpenVMS from that account even if DCE is unavailable.

8.5.2 Password Expiration Dates on User Accounts

This section contains information for system administrators who set up users' DCE and OpenVMS accounts.

If you use the password expiration date feature on accounts on your OpenVMS system, set the password expiration for the users' DCE and OpenVMS accounts to the same date (or set the OpenVMS expiration date to a slightly later date). In this case, if a user changes his DCE password when it expires, the next time the user logs in to OpenVMS, his OpenVMS password is updated.

If the DCE expiration date occurs first, or if the user does not update his DCE password when it expires, the user receives a message when he logs in stating that his OpenVMS password has expired. The user is forced to enter a new OpenVMS password if the DISFORCE_PWD_CHANGE flag is not set on the user's OpenVMS account. (By default, this flag is not set.) This is inconvenient and confusing for the user because the new OpenVMS password is not propagated back into the DCE registry. The next time the user logs in with the new OpenVMS password, he will be logged in to OpenVMS only, without DCE credentials.

8.5.3 Potential Integrated Login and SYSGEN Problems

The Integrated Login component of DCE uses the SYSGEN parameter LGI_CALLOUTS. LGI_CALLOUTS must be set to 1 only in the ACTIVE SYSGEN parameter set when DCE is running with Integrated Login enabled. LGI_CALLOUTS must never be set to 1 in the CURRENT SYSGEN parameter set --- this would prevent all logins from occurring on a subsequent reboot of the system. The following paragraphs discuss the reasons for this restriction. See the Troubleshooting chapter for information on how to solve this problem if it occurs.

If Integrated Login is enabled on your system, the DCE startup and configuration procedure, DCE$SETUP.COM, sets the SYSGEN parameter LGI_CALLOUTS to 1 in the ACTIVE SYSGEN parameter set when DCE is started and resets the parameter when DCE is shut down. LGI_CALLOUTS must never be set to 1 in the CURRENT SYSGEN parameter set because, in that case, the next time the system is booted the LGI_CALLOUTS parameter is set in the ACTIVE SYSGEN parameter set before DCE is started. This prevents logins from occurring.

If the ACTIVE value of LGI_CALLOUTS is set to 1 when DCE and Integrated Login are not running, the following error is displayed when LOGINOUT attempts to run (for example, for interactive or batch logins):

No logical name match

Consequently, all users are prevented from logging in to the system.

This problem can occur if, for example, a SYSGEN parameter is modified in the following way while Integrated Login is enabled. This prevents logins because it causes LGI_CALLOUTS to be set to 1 the next time the system is booted.

$ RUN SYS$SYSTEM:SYSGEN SYSGEN> SET param value SYSGEN> WRITE CURRENT SYSGEN> EXIT $

The correct way to modify a SYSGEN parameter is to make the change in MODPARAMS.DAT and then run AUTOGEN. If it is essential to modify a SYSGEN parameter without using MODPARAMS.DAT and AUTOGEN, you must ensure that if you use ACTIVE, you write the parameters into ACTIVE only; and if you use CURRENT, you write the parameters into CURRENT only. Do not copy the ACTIVE parameters into CURRENT.

Following are two examples of acceptable ways to modify a SYSGEN parameter:

$ RUN SYS$SYSTEM:SYSGEN SYSGEN> USE CURRENT SYSGEN> SET param value SYSGEN> WRITE CURRENT SYSGEN> EXIT $ $ RUN SYS$SYSTEM:SYSGEN SYSGEN> USE ACTIVE ! optional, default is ACTIVE SYSGEN> SET param value SYSGEN> WRITE ACTIVE SYSGEN> EXIT $

8.6 DCE User Authorization File (DCE$UAF)

The DCE User Authorization File (DCE$UAF) contains DCE account information about users who have an OpenVMS account on the local system and who want to use Integrated Login. DCE$UAF maps an OpenVMS account name to a DCE principal name, and is a logical extension to the OpenVMS System User Authorization File (SYSUAF).

8.6.1 DCE$UAF File Information

The DCE UAF utility is shipped as an OpenVMS executable image named DCE$UAF.EXE. The image resides in the SYS$SYSTEM directory.

The DCE$UAF database is an OpenVMS file that by default is named DCE$UAF.DAT and resides in SYS$SYSTEM. You can change the name or location, or both, of this file by defining the logical name DCE$UAF to point to the new filename and location.

8.6.2 Running the DCE$UAF Utility

Integrated Login includes a command line interface to the DCE$UAF utility that allows system administrators to create, edit, and display DCE$UAF records. See the Compaq DCE for OpenVMS VAX and OpenVMS Alpha Reference Guide for detailed descriptions of the DCE$UAF commands.

Integrated Login provides two methods of running the DCE$UAF utility, as follows:

• By invoking the DCE$UAF utility using a predefined symbol.

  $ DCE$UAF DCEUAF>

  
  You can also specify a single DCE$UAF command on the command line. Control returns to DCL after the command is executed.

  $ DCE$UAF command $

  
  SYS$COMMON:[SYSMGR]DCE$DEFINE_REQUIRED_COMMANDS.COM defines the DCE symbol DCE$UAF, which is used to invoke the DCE$UAF utility. If this symbol is not defined in your environment, you can define the symbol as follows:

  $ DCE$UAF :== $SYS$SYSTEM:DCE$UAF

• By issuing the RUN command.

  $ RUN SYS$SYSTEM:DCE$UAF DCEUAF>

The DCE IMPORT utility allows you to create principal and account entries in a DCE registry based on accounts in an existing OpenVMS authorization file. It is used for the following purposes:

• To populate the DCE registry when a new DCE cell is first established
• To add entries to an existing DCE registry when a new OpenVMS system joins an existing DCE cell
• To add entries to an existing DCE registry when new users have joined an OpenVMS system that is already part of an existing DCE cell

The DCE IMPORT utility also creates and maintains an exclude list. The exclude list contains the OpenVMS usernames of users who do not have, and do not require, a DCE account. This feature allows DCE IMPORT to skip over these users during import operations.

Passwords cannot be imported. Instead, the automatic synchronization feature that occurs during integrated login is used to import user passwords.

8.7.1 DCE IMPORT File Information

The DCE IMPORT utility is shipped as an OpenVMS executable image named DCE$IMPORT.EXE. The image resides in the SYS$SYSTEM directory.

The DCE IMPORT exclude file is named by default DCE$IMPORT_EXCLUDE.DAT and also resides in SYS$SYSTEM. You can change the name or location, or both, of this file by defining the logical name DCE$IMPORT_EXCLUDE to point to the new filename and location.

8.7.2 Running DCE IMPORT

The DCE IMPORT utility allows system administrators to create principal and account entries in a DCE registry based on accounts in SYSUAF.

Integrated Login provides two methods of running the DCE IMPORT utility, as follows:

• By invoking the DCE IMPORT utility using a predefined symbol.

  $ DCE$IMPORT IMPORT>

  
  You can also specify a single DCE IMPORT command on the command line. Control returns to DCL after the command is executed.

  $ DCE IMPORT command $

  
  SYS$COMMON:[SYSMGR]DCE$DEFINE_REQUIRED_COMMANDS.COM defines the DCE symbol DCE$IMPORT, which is used to invoke the DCE IMPORT utility. If this symbol is not defined in your environment, you can define the symbol as follows:

  $ DCE$IMPORT :== $SYS$SYSTEM:DCE$IMPORT

• By issuing the RUN command.

  $ RUN SYS$SYSTEM:DCE$IMPORT IMPORT>

See the Compaq DCE for OpenVMS VAX and OpenVMS Alpha Reference Guide for detailed descriptions of the DCE IMPORT commands.

8.8 DCE Registry Export

The DCE EXPORT utility allows you to create entries in an OpenVMS authorization file from an existing DCE registry.

Using the DCE EXPORT utility, you convert DCE registry entries (or a subset of the registry entries) into records in the OpenVMS SYSUAF file and rights database. Conversions are essentially a reversal of those made with the DCE IMPORT function.

Passwords cannot be exported. Instead, the automatic synchronization feature that occurs during integrated login is used to export user passwords.

The DCE EXPORT utility also creates and maintains an exclude list. The exclude list contains the DCE names of users who do not have, and do not require, an OpenVMS account. This feature allows DCE EXPORT to skip over these users during export operations.

The DCE EXPORT utility is shipped as an OpenVMS executable image named DCE$EXPORT.EXE. The image resides in the SYS$SYSTEM directory.

The DCE EXPORT exclude file is named by default DCE$EXPORT_EXCLUDE.DAT and also resides in SYS$SYSTEM. You can change the name or location, or both, of this file by defining the logical name DCE$EXPORT_EXCLUDE to point to the new filename and location.

8.8.2 Running DCE EXPORT

The DCE EXPORT utility allows system administrators to create an OpenVMS authorization file from an existing DCE registry.

Integrated Login provides two methods of running the DCE EXPORT utility, as follows:

• By invoking the DCE EXPORT utility using a predefined symbol.

  $ DCE$EXPORT EXPORT>

  
  You can also specify a single DCE EXPORT command on the command line. Control returns to DCL after the command is executed.

  $ DCE EXPORT command $

  
  SYS$COMMON:[SYSMGR]DCE$DEFINE_REQUIRED_COMMANDS.COM defines the DCE symbol DCE$EXPORT, which is used to invoke the DCE EXPORT utility. If this symbol is not defined in your environment, you can define the symbol as follows:

  $ DCE$EXPORT :== $SYS$SYSTEM:DCE$EXPORT

• By issuing the RUN command.

  $ RUN SYS$SYSTEM:DCE$EXPORT EXPORT>

See the Compaq DCE for OpenVMS VAX and OpenVMS Alpha Reference Guide for detailed descriptions of the DCE EXPORT commands.

8.9 Frequently Asked Questions for Users

Q: What exactly does Integrated Login do for me?
A: It performs a DCE_LOGIN on your behalf when you interactively log in to an OpenVMS system. (You will see an informational message stating that the login was successful if the DCE_LOGIN occurs.)

Q: Are there any other benefits to using Integrated Login?
A: Yes. It allows you to use a single username and password across multiple systems and/or OpenVMS clusters. With Integrated Login, you can use the same account information to log in to your OpenVMS systems as you do to log in to your non OpenVMS systems.

Q: At the OpenVMS username prompt, do I enter my OpenVMS username or my DCE account (principal) name?
A: Either the username or principal name is valid.

Q: Which password should I use to log in to the OpenVMS system (my DCE password or my OpenVMS password)?
A: Your OpenVMS and DCE passwords are normally the same because OpenVMS attempts to synchronize your passwords. If your passwords are not the same, you should log in using your DCE password. This will cause your OpenVMS password to be set to the same value as your DCE password. You can log in with your OpenVMS password, but if you do so, your passwords will not be synchronized and you will not obtain DCE credentials.

Q: If I enter my OpenVMS username, can I then enter my DCE password (and vice versa)?
A: Yes. But remember that you will only get DCE credentials if you enter your DCE password.

Q: Is the input at the OpenVMS username case-sensitive?
A: Yes. And since this input is parsed by the standard DCL parsing routines, all text not enclosed in quotation marks is converted to uppercase. Therefore, if you want to enter a principal name of "Smith" you must enclose the text in quotation marks.

Q: My DCE password contains lowercase characters. Do I need to enclose my password in quotes?
A: No. The password is not parsed by the DCE parsing routines, so quotes are not needed.

Q: How do I keep my DCE and OpenVMS passwords in sync?
A: OpenVMS does this for you. Your password is automatically propagated from the DCE registry to the OpenVMS System User Authorization file (SYSUAF) when you log in to the OpenVMS system using your valid DCE password.

Q: Do OpenVMS passwords get copied to the DCE registry?
A: No. This is why Integrated Login users should always use their DCE password when logging in to an OpenVMS system. This way DCE and OpenVMS passwords will stay synchronized.

Q: How should I change my password?
A: You should use the CHPASS utility on any node in the cell. This will change your password in the DCE registry, and the next time you log in to an OpenVMS system (using the new password) your local OpenVMS password will be automatically updated.

Q: What if I update my password using the OpenVMS command SET PASSWORD?
A: Your password will only be changed on that OpenVMS system; it will not be updated in the DCE registry. The next time you log in to that system, if you use the new OpenVMS password you will receive an "OpenVMS only" login. If you use your old DCE password you will receive an Integrated Login and your password on the OpenVMS system will be resynchronized to your old DCE password.

Q: Will account passwords on the OpenVMS system stay synchronized through the password synchronization mechanism when the password is changed on a UNIX system?
A: Yes. A password is automatically propagated from the DCE registry to the OpenVMS System User Authorization file (SYSUAF) when a user logs in to the OpenVMS system. Note that this assumes that the UNIX system updates the user's password in the DCE registry, and not just on the local UNIX system.

Q: Can I use Integrated Login when I start a DECwindows session?
A: Yes.

Q: Which password do I enter to unpause my workstation?
A: You must always enter your current OpenVMS password to resume a paused DECwindows session (this is usually your DCE password since OpenVMS attempts to keep them synchronized).

8.10 Frequently Asked Questions for System Administrators

Q: How do I enable Integrated Login on my system?
A: Use the DCE setup utility. (See the Compaq DCE for OpenVMS VAX and OpenVMS Alpha Installation and Configuration Guide for more information.)

Q: Is Integrated Login enabled by default?
A: No. After you install Compaq DCE for OpenVMS VAX and OpenVMS Alpha Version 3.0, Integrated Login is initially disabled.

Q: I've enabled Integrated Login on my system by using the DCE setup utility, but it still does not work. Why not?
A: Integrated Login is only available to users who have an entry in the DCE Integrated Login authorization file (DCE$UAF). You must populate the DCE$UAF file before Integrated Login can be used. If a user does not have an entry in the DCE$UAF file, then he or she cannot use Integrated Login.

Q: What is the purpose of the DCE$UAF file?
A: Entries in this file associate OpenVMS account names with DCE account names.

Q: How do I populate the DCE$UAF file?
A: The Compaq DCE for OpenVMS VAX and OpenVMS Alpha Reference Guide provides full details. Essentially, you issue ADD commands similar to the following to get entries into the DCE$UAF file:

$ dce$uaf DCEUAF> ADD SMITH "john"

This creates an entry for the OpenVMS account name "SMITH" and associates it with the DCE account name "john".

Q: All of my users have DCE account names that are similar to their OpenVMS account names (for example, "SMITH" on OpenVMS and "smith" on DCE). Do I need to enter the principal name in this case?
A: No. To make adding these entries easier, the ADD command defaults the principal name to the lowercase equivalent of the OpenVMS username if you do not specify the principal name. If your OpenVMS account name is "JONES" and your DCE account name is "jones" you can simply enter:

DCEUAF> ADD JONES

Q: Is there an easier way to populate the DCE$UAF file without typing each name?
A: If all or most of your account names are the same on DCE as they are on OpenVMS (except for the case), you can use the ADD/ALL command. This will create an entry in the DCE$UAF file for every record in the SYSUAF file, as follows:

DCEUAF> ADD/ALL

Q: Should every account be set up for Integrated Login?
A: Compaq does not recommend that you enable the SYSTEM account for Integrated Login. If you have problems with your DCE configuration, you should have an account that you can log in to where an integrated login is not attempted. Operator and field service accounts are other accounts that you might want to omit from Integrated Login.

Q: Will existing users who already have DCE accounts, but do not have OpenVMS accounts, be able to log in to the OpenVMS system?
A: No. For a user to be able to log in to an OpenVMS system, he must have an OpenVMS account in the SYSUAF file.

Q: What happens when a user who doesn't have an entry in the DCE$UAF file tries to log in to the OpenVMS system?
A: If the user specifies a valid OpenVMS username and password, then he will be logged in as usual (as if Integrated Login was not installed or enabled). If the user specifies a DCE account name, the login will fail.

Q: How can I create accounts in the DCE registry based on the contents of my existing system user authorization file (SYSUAF)?
A: The DCE IMPORT utility performs this task. See the Compaq DCE for OpenVMS VAX and OpenVMS Alpha Reference Guide for more information.

Q: How can I create accounts in the OpenVMS authorization file (SYSUAF) based on the contents of the existing DCE registry?
A: The DCE EXPORT utility performs this task. See the Compaq DCE for OpenVMS VAX and OpenVMS Alpha Reference Guide for more information.

	privacy and legal statement
6532_DCE_PG_PRO_004.HTML