Compaq DCE for OpenVMS VAX and OpenVMS Alpha

Document revision date: 5 July 2000

Compaq DCE for OpenVMS VAX and OpenVMS Alpha
Installation and Configuration Guide

Contents

Index

Chapter 5
Configuring DCE

This chapter explains how to create a cell and configure the Security server and CDS server on the same system. It also discusses how to configure a client system into an existing DCE cell.

5.1 DCE System Management Command Procedure

In DCE for OpenVMS Version 3.0, the DCE system management command procedure SYS$MANAGER:DCE$SETUP.COM has been changed. These changes are described in the following sections.

An RPC only configuration can be started with the startup command procedure described in the next section. DCE$SETUP stops RPCD during configuration. In DCE for OpenVMS Version 1.5, DCE$SETUP was modified not to stop RPCD. Changes in the DCE daemons required reverting to the previous behavior. DCE$SETUP.COM has been rewritten to add the new functionality for DCE R1.2.2, and to more closely match the configuration program for DCE for Tru64 UNIX.

5.1.1 Starting and Stopping the RPC Daemon

The RPC daemon can be started and stopped with the command files DCE$RPC_STARTUP.COM and DCE$RPC_SHUTDOWN.COM. These files are located in SYS$COMMON:[SYSMGR].

To start the RPC daemon, execute DCE$RPC_STARTUP.COM. You can specify the following option:

[NO]CONFIRM Turns user prompting on or off. CONFIRM is the default.

To stop the RPC daemon, execute DCE$RPC_SHUTDOWN.COM. You can specify the following options in any order:

[NO]CONFIRM Turns user prompting on or off. CONFIRM is the default. CLEAN Deletes all entries from the RPC endpoint database.

Note

Do not stop the RPC daemons if any RPC applications are running on the system.

5.1.2 Limiting RPC Transports

The RPC daemon can limit the protocols used by RPC applications. To restrict the protocols that can be used, set a logical name RPC_SUPPORTED_PROTSEQS to contain the valid protocols separated by a colon. Valid protocols are ncadg_ip_udp , ncacn_ip_tcp , and ncacn_dnet_nsp . For example:

$ DEFINE RPC_SUPPORTED_PROTSEQS "ncadg_ip_udp:ncacn_ip_tcp"

This prevents applications and servers from registering endpoints that utilize DECnet.

5.1.3 Logical Names Created During Configuration

The configuration process creates the following logical names:

Logical Name Description

DCE Defines a search list pointing to directories SYS$COMMON:[DCE$LIBRARY] and SYS$LIBRARY. These directories contain the Application Developer's Kit include files and other files for creating DCE applications.

DCE$COMMON,DCE_COMMON Points to the directory SYS$COMMON:[DCELOCAL]. This directory holds DCE-specific files common to all DCE hosts in a cluster.

DCE$LOCAL,DCE_LOCAL Points to the directory DCE$SPECIFIC:. This directory defines the top of the DCE directory hierarchy.

DCE$SPECIFIC Points to the directory SYS$SPECIFIC:[DCELOCAL]. This directory is for internal use only.

DCE$SYSROOT Points to the directories DCE$SPECIFIC:, DCE$COMMON:. This logical is used to find DCE files that may be in either system-specific or cluster-general trees.

TCL_LIBRARY Points to the directory DCE_COMMON/TCL (UNIX file syntax). This directory holds files that allow the TCL interface to the DCE command line programs to function.

Logical Name	Description
DCE	Defines a search list pointing to directories SYS$COMMON:[DCE$LIBRARY] and SYS$LIBRARY. These directories contain the Application Developer's Kit include files and other files for creating DCE applications.
DCE$COMMON,DCE_COMMON	Points to the directory SYS$COMMON:[DCELOCAL]. This directory holds DCE-specific files common to all DCE hosts in a cluster.
DCE$LOCAL,DCE_LOCAL	Points to the directory DCE$SPECIFIC:. This directory defines the top of the DCE directory hierarchy.
DCE$SPECIFIC	Points to the directory SYS$SPECIFIC:[DCELOCAL]. This directory is for internal use only.
DCE$SYSROOT	Points to the directories DCE$SPECIFIC:, DCE$COMMON:. This logical is used to find DCE files that may be in either system-specific or cluster-general trees.
TCL_LIBRARY	Points to the directory DCE_COMMON/TCL (UNIX file syntax). This directory holds files that allow the TCL interface to the DCE command line programs to function.

The logical names with a dollar sign in them define VMS style directory syntax. The logical names with underscores in them define UNIX style directory syntax (for use by various DCE internal applications).

5.1.4 Configuring on a VMScluster

You must configure each node in a VMScluster separately by entering the following command on each node:

$ @SYS$MANAGER:DCE$SETUP CONFIG

5.2 Overview of New Cell Configuration

To configure a new cell, you must complete the following steps:

To begin your initial cell creation and server configuration, invoke the DCE configuration utility.
If you are creating a new cell or adding a CDS server, choose option 6 (Terminate all active DCE daemons and remove all temporary local DCE databases) to stop the DCE daemons in a controlled manner. Be sure to back up your security and CDS databases before proceeding if this has not been done.

Choose option 1 from the DCE Setup Main Menu to configure DCE services on your system. You must have system privileges to modify the DCE system configuration.
The procedure displays the following menu:

DCE Configuration Menu DCE for OpenVMS Alpha V3.0 1) Client Configure this system as a DCE client 2) New Cell Create a new DCE cell 3) CDS Server Add Master CDS Server 4) Modify Modify DCE cell configuration 5) RPC_Only Configure this system for RPC only 0) Exit Exit this procedure ?) Help Display helpful information Please enter your selection:

Table 5-1 provides descriptions of the options available on the DCE Configuration Menu.

Table 5-1 Configuration Menu Options
Option Description

Client Provides full DCE RPC services, client services for CDS and Security, and optional time services. A DCE client system must join an existing DCE cell with a security registry and a CDS master server available on other systems in the cell.

New Cell Provides full DCE RPC services, a security registry server for the cell, a CDS master server, a DTS server, and the NSI agent for name service independent access to directory services from PC client systems. There can be only one security registry and CDS master server in a cell, although they need not reside on the same host.

CDS Server Provides a DCE client system with a CDS master server added. This option is used if a split server configuration is desired, and the new cell (on another system) was configured without a CDS master server.

Modify Provides a submenu of additional configuration options that are available after the initial configuration has completed.

RPC_Only Provides a subset of the DCE RPC services. If DCE Version 3.0 is installed on an OpenVMS Alpha system running Version 7.2-1 or higher, NTLM security may be utilized for authenticated RPC requests. With an RPC only configuration, there are no RPC name service interface routines available. This configuration will, however, allow applications to communicate if full string bindings are supplied by the RPC client, or if the client requests the port number to complete the partial string binding from the end point mapper (DCED daemon).

Choose option 2 to create a new DCE cell.
At each prompt, you can press RETURN to take the default displayed in brackets or enter a question mark (?) for help. When prompted, select a cell name and a host name; the name is used again when you configure DCE client systems.
The configuration utility asks if you want to configure the host as a CDS server. Answer Y to configure the CDS and security servers on the same system. Answer N to perform a split server installation in which you configure the security server on the current host and the CDS server on a different host.
If you answered Y to configure the CDS and security servers on the same system, the utility asks:
Will there be any DCE pre-R1.1 CDS servers in this cell? (YES/NO/?) [N]:
If your cell will be running any CDS servers based on OSF DCE Release 1.0.3a or lower (equivalent to Compaq DCE for OpenVMS Version 1.5 or lower), you should answer Y. The configuration utility sets the directory version number to 3.0 for compatibility with pre-R1.1 servers. This setting disables the use of OSF DCE Release 1.1 features such as alias cells, CDS delegation ACLs, and so on.
If all CDS servers in your cell will be based on Compaq DCE for OpenVMS Version 3.0 (or higher) and based on OSF DCE Release 1.1 (or higher), answer N.
The configuration utility sets the directory version number to 4.0 for compatibility with Compaq DCE for OpenVMS Version 3.0 CDS servers (OSF DCE Releases 1.2.2). This enables the use of OSF DCE Release 1.1 features such as alias cells, CDS delegation ACLs, and so on, and OSF DCE Release 1.2.2 features. Once the directory version is set to 4.0, you cannot set it back to 3.0.
You are prompted to confirm the system time; it is important that you check the current time before you respond.
The configuration utility will prompt for the Domain Name and DNS server address.

**Table 5-1 Configuration Menu Options**
Option	Description
Client	Provides full DCE RPC services, client services for CDS and Security, and optional time services. A DCE client system must join an existing DCE cell with a security registry and a CDS master server available on other systems in the cell.
New Cell	Provides full DCE RPC services, a security registry server for the cell, a CDS master server, a DTS server, and the NSI agent for name service independent access to directory services from PC client systems. There can be only one security registry and CDS master server in a cell, although they need not reside on the same host.
CDS Server	Provides a DCE client system with a CDS master server added. This option is used if a split server configuration is desired, and the new cell (on another system) was configured without a CDS master server.
Modify	Provides a submenu of additional configuration options that are available after the initial configuration has completed.
RPC_Only	Provides a subset of the DCE RPC services. If DCE Version 3.0 is installed on an OpenVMS Alpha system running Version 7.2-1 or higher, NTLM security may be utilized for authenticated RPC requests. With an RPC only configuration, there are no RPC name service interface routines available. This configuration will, however, allow applications to communicate if full string bindings are supplied by the RPC client, or if the client requests the port number to complete the partial string binding from the end point mapper (DCED daemon).

If DECnet/OSI is installed on your system, the configuration utility displays the following message and then asks several questions about configuring a DCE Distributed Time Service server on your system.

You seem to have DECnet/OSI installed on this system. DECnet/OSI includes a distributed time synchronization service (DECdts), which does not currently support the DCE Distributed Time Service (DCE DTS) functionality. The DCE DTS in this release provides full DECdts functionality. This installation will stop DECdts and use DCE DTS instead. For further clarification, please consult the Compaq DCE for OpenVMS VAX and OpenVMS Alpha Product Guide.

Even though DCE DTS will be used, it is possible to accept time from DECdts servers.

Should this node accept time from DECdts servers? (YES/NO/?) [N]: Do you want this system to be a DTS Server (YES/NO/?) [Y]: Do you want this system to be a DTS Global Server (YES/NO/?) [N]: Does this cell use multiple LANs? (YES/NO/?) [N]:

Answer the questions appropriately.

The configuration utility asks if you want to run the MIT Kerberos 5 services on this machine. A Y answer runs the configuration utility.
Do you intend to run MIT Kerberos 5 services on this machine? (YES/NO/?) [N]
The configuration utility asks if you want to configure the LDAP name service on this system. A yes answer prompts the question, "Do you want to configure the system as an LDAP client?" and requires that you enter further information regarding LDAP services.
Do you want to configure the LDAP name service? (YES/NO/?) [N]:
The configuration utility asks if you want to configure gdad to use LDAP. ( gdad is the daemon for Global Directory Agent.)
Do you want to configure gdad to use LDAP? (YES/NO/?) [N]:
Next, the screen displays your selections and asks whether to save them as your DCE system configuration. Answer Y.
All previous temporary and permanent DCE databases and configuration files are now removed prior to starting the new configuration.

The configuration utility asks you to enter some random keystrokes in order to supply a keyseed for the security server.

*********************************************************************** * Starting the security server requires that you supply * * a `keyseed.' When asked for a `keyseed,' type some * * random, alphanumeric keystrokes, followed by RETURN. * * (You won't be required to remember what you type.) * *********************************************************************** Enter keyseed for initial database master key:

The configuration utility asks you to enter the password for the cell_admin account, and asks for confirmation.
Please type new password for cell_admin (or `?' for help): Type again to confirm:
The DCE daemons are started and configuration information is set up. After the dts daemon is started, you are prompted to run the DCE Configuration Verification Program (CVP). Press RETURN to start the CVP.
To verify that all requested services are configured, choose option 2 (Show DCE configuration and active daemons) from the DCE Setup Main Menu. The screen displays all configured DCE services and active DCE daemons.

You have completed creating a cell.

5.3 Configuring Your System as a DCE Client with Run-Time Services

If you want to add your system to an existing cell, choose option 1 (Configure this system as a DCE Client) from the Configuration Choice Menu. This option configures the run-time services subset on your system.

Note

During the initial DCE client configuration, the client software may have problems locating the Cell Directory Service server if the Internet protocol netmask for your client machine is not consistent with the netmask used by other machines operating on the same LAN segment. You might need to consult your network administrator to determine the correct value to use as a netmask on your network.

When you choose option 1, the procedure displays the following messages:

Starting DCE client configuration . . . At each prompt, enter your response. You may enter RETURN for the default response, displayed in [brackets], or `?' for help. Entering a CONTROL-Z will terminate this configuration request. Press RETURN to continue . . . Removing temporary local DCE databases and configuration files Removing permanent local DCE databases and configuration files Starting client configuration Initializing RPC & Security Client Services daemon (DCE$DCED) . . . %RUN-S-PROC-ID, identification of created process is 2380A9A6 Starting RPC & Security Client Services daemon (DCE$DCED) . . . % RUN-S-PROC-ID, identification of created process is 238110A8

The configuration utility asks whether to search the LAN for known cells within the broadcast range of your system.

Would you like to search the LAN for known cells? (YES/NO/?) [Y]:

If you know the name of your DCE cell, answer N. As prompted, supply the name of your DCE cell, your DCE host name, and the host name of your cell's master CDS server. You also need to specify whether your host can broadcast to the host where the master CDS server is installed.

Answer Y to see a list of available DCE cells. As prompted, supply your DCE host name. At the next prompt, supply the appropriate DCE cell name from the list.

Gathering list of currently accessible cells (please wait) Please enter your DCE hostname [dcehost]: The following cells were discovered within broadcast range of this system: Buster-cell Kauai-cell Myhost-cell Tahoe-cell Please enter the name of your DCE cell [buster-cell]:

If you do not know the name of the cell you want to join, consult your network administrator. Do not add the /.../ prefix to the cell name; the procedure automatically adds it.

The prompt might contain a cell name that is the last configured cell name for this host or the first cell name from the alphabetical list of available cells. If you enter a cell name that is not on the list of cell names, the procedure assumes you are performing a WAN configuration, and asks you whether the CDS server is located on the same LAN or subnet.

Is the CDS Master Server within broadcast range (YES/NO/?) [N]:

After you enter your cell name, the procedure continues, displaying information similar to the following, but dependent on your configuration:

Terminating RPC Services/Dce Security Client daemon (DCE$DCED) . . . *** RPC (DCED) shutdown successful *** Starting RPC & Security Client Services daemon (DCE$DCED) . . . % RUN-S-PROC-ID, identification of created process is 238110B0 Starting CDS Name Service Advertiser daemon (DCE$CDSADVER) . . . % RUN-S-PROC-ID, identification of created process is 238110B1 Starting CDS Name Service Client daemon (DCE$CDSCLERK) . . . % RUN-S-PROC-ID, identification of created process is 238110B2 Could not find security master using dcecp registry show Attempting to locate security server Found security server Creating dce$local:[etc.security]pe_site.; file Checking local system time Looking for DTS servers in the LAN profile Looking for Global DTS servers in this cell Found DTS server The local system time is: Wed October 13 12:01:14 1999 Is this time correct? (y/n):

Make sure you check that the correct time is displayed before you continue with the configuration. If the time is incorrect, answer N, and the procedure exits to the operating system to allow you to reset the system time. After you correct or verify the time, answer Y, and the procedure resumes.

Even though DCE DTS will be used, it is possible to accept time from DECdts servers.

Should this node accept time from DECdts servers? (YES/NO/?) [N]:

Answer Y to accept time from any DECnet/OSI DECdts server; however, time from this source is unauthenticated. If you answer N, this system accepts time only from DCE time servers.

If DECnet/OSI is not installed on your system, the configuration utility omits the previous DECdts questions and instead, asks:

Do you need the Distributed Time Service (YES/NO/?) [Y]:

Answer Y to configure the host as a DTS client.

The configuration utility asks if you want to run the MIT Kerberos 5 services on this machine. An answer of Y runs the configuration utility.

Do you intend to run MIT Kerberos 5 services on this machine? (YES/NO/?) [N]:

After you respond to the prompt, the procedure stops the CDS advertiser and clerk and asks you to perform a dce_login operation, as follows:

Terminating CDS Name Service Advertiser daemon (DCE$CDSADVER) . . . Terminating CDS Name Service Client daemon (DCE$CDSCLERK) . . . Please enter the principal name to be used [cell_admin]: Please enter the password for principal "cell_admin" (or ? for help):

Obtain the password from your system administrator. After you perform the dce_login operation, the procedure begins configuring the security client software. If this system was previously configured as a DCE client or your cell has another host with the same name, the configuration utility also displays a list of client principals that already exist for this system and asks whether to delete the principals. You must delete these principals to continue with the configuration.

Configuring security client Creating Dce$Specific:[krb5]krb.conf The following principal(s) already exist under /hosts/dcehost/: /./buster-cell/hosts/dcehost/self Do you wish to delete these principals? (YES/NO/?) [Y]: Deleting client principals Creating ktab entry for client Terminating RPC & Security Client Services daemon (DCE$DCED) . . . Starting RPC & Security Client Services daemon (DCE$DCED) . . . %RUN-S-PROC-ID, identification of created process is 238110B3 Starting sec_client service (please wait). This machine is now a security client. Press <RETURN> to continue . . . Configuring CDS client Creating the cds.conf file Starting CDS Name Service Advertiser daemon (DCE$CDSADVER) . . . %RUN-S-PROC-ID, identification of created process is 238110B4 Starting CDS Name Service Client daemon (DCE$CDSCLERK) . . . %RUN-S-PROC-ID, identification of created process is 238110B5 Testing access to CDS server (please wait). Logging in to DCE using principal "cell_admin" . . . Checking TCP/IP local host database address of "dcehost". Please wait . . . Configuring client host objects in cell namespace . . . Creating /.:/hosts/dcehost objects in name space Checking TCP/IP local host database for address of "dcehost". Please wait . . .

If your cell uses multiple LANs, you are prompted as follows:

Please enter the name of your LAN [1.2.3]:

If your LAN has not been defined in the namespace, you are asked whether you want to define it. The configuration procedure then continues:

This machine is now a CDS client. Stopping sec_client service... Starting sec_client service (please wait). Modifying acls on /.:/hosts/dcehost/config secval xattrschema srvrexec keytab keytab/self hostdata hostdata/dce_cf.db hostdata/cell_name hostdata/pe_site hostdata/cds_attributes hostdata/cds_globalnames hostdata/host_name hostdata/cell_aliases hostdata/post_processors hostdata/svc_routing hostdata/cds.conf hostdata/passwd_override hostdata/group_override hostdata/krb.conf srvrconf Logging in to DCE using principal "cell_admin" . . . Configuring DTS daemon as client (DCE$DTSD) Starting Distributed Time Service daemon (DCE$DTSD) . . . %RUN-S-PROC-ID, identification of created process is 238110B5 This machine is now a DTS clerk. Do you want to run the DCE Configuration Verification Program? (YES/NO/?) [Y]:

The DCE Configuration Verification Program (CVP) exercises the components of DCE that are running in this cell. It requires approximately 1 to 2 minutes to run.

If you type y to run the CVP at this time, you see the following display:

When the procedure is completed, the DCE Setup Main Menu is displayed again.