Document revision date: 5 July 2000 | |
Previous | Contents | Index |
This section discusses a split server installation in which a new cell and the master Security Server are created on one system and the master CDS Server is configured on another system. The master CDS Server maintains the master replica of the cell root directory.
A split server configuration has four phases:
This is the first phase of a split server configuration. Begin this phase by creating the new cell on the machine where the master security server will reside. Choose option 2 (Create a new DCE cell) from the Configuration Choice Menu. Answer the prompts appropriately for the cell name and host name. Then answer N at the following prompt:
Do you wish to configure myhost as a CDS server? (YES/NO/?) [Y]: N |
Proceed through the rest of the configuration answering the remaining questions as shown in section 5.1, until you get to the following:
******************************************************************************* * This system has now been configured as a security server. * * Since you chose not to configure this system as a CDS server, * * you must now configure another system as the Master CDS Server * * for this cell (Option 1 on the dcesetup Main Menu, Option 3 on * * the Configuration Choice Menu.) * * * * When the Master CDS server has been installed and configured, * * press the <RETURN> key to continue configuring this system. * ******************************************************************************* |
Go to the machine where you will configure the master CDS Server.
5.4.2 Creating a Master CDS Server on Another System
This is the second phase of a split server configuration. You must have created a new cell and begun configuring the security server on another machine. Log on to the system on which you want to install the CDS master server, and choose option 3 (Add Master CDS Server) from the Configuration Choice Menu.
Answer the following prompts:
Please enter the name of your DCE cell []: Please enter your DCE hostname [myhost2]: |
The procedure asks:
Will there be any DCE pre-R1.1 CDS servers in this cell? (YES/NO/?) [N]: |
If your cell will be running any CDS servers based on OSF DCE Release 1.0.3a or lower, you should answer Y. The configuration utility sets the directory version number to 3.0 for compatibility with pre-R1.1 servers. This disables the use of OSF DCE Release 1.1 features such as alias cells, CDS delegation ACLs, and so on.
If all CDS servers in your cell will be based on DCE for OpenVMS Version 3.0 or higher (or an equivalent DCE version based on OSF DCE Release 1.1 or higher) answer N. The configuration utility sets the directory version number to 4.0 for compatibility with DCE for OpenVMS (Version 3.0 or OSF DCE Release 1.1 or higher) CDS servers. This enables the use of OSF DCE Release 1.1 features such as alias cells, CDS delegation ACLs, and so on. Once the directory version is set to 4.0, you cannot set it back to 3.0.
The procedure configures accordingly and prompts you to enter the host name of the security server that you just configured.
What is the hostname of the Security Server for this cell? []: |
The configuration procedure continues, and requests additional client information as described in section 5.2. The procedure configures the requested services, and then prompts you to complete the configuration of the security server on the other machine before continuing:
****************************************************************************** * This system has now been configured as the Master CDS Server. * * * * Before continuing, complete the configuration of the Security * * Server... * ****************************************************************************** Press <RETURN> to continue: |
Return to the system on which you configured the security server.
5.4.3 Completing the Security Server Configuration
This is the third phase of a split server configuration. You must have created a new cell and begun configuring the Security Server on one machine. Then you created a master CDS Server on another machine. Now you will complete the Security Server configuration on the first machine.
Return to the system on which you configured the Security Server and press the RETURN key. The following prompt is displayed:
What is the hostname of the Master CDS Server for this cell [ ]: |
The configuration procedure proceeds as described in the section Overview of New Cell Configuration.
Once the Security Server configuration is complete, return to the host
on which you are configuring the master CDS Server and complete the
installation.
5.4.4 Completing the CDS Master Server Configuration
This is the fourth and final phase of a split server configuration. You must have created a new cell and begun configuring the security server on one machine. Then you created a master CDS server on another machine. You completed the security server configuration on the first machine. Now you will complete the CDS master server configuration.
Completion of this phase consists of running the configuration verification program:
Do you want to run the DCE Configuration Verification Program? (YES/NO/?) [Y]: |
You can run the CVP now by answering Y, or you can run the CVP at a
later time by answering N. The procedure completes the configuration
and returns to the DCE Setup Main Menu. Choose option 2 (Show DCE
configuration and active daemons) from the DCE Setup Main Menu to
verify your configuration choices.
5.5 Migrating Your Cell
Some DCE cells may be running security or CDS servers on hosts with different versions of DCE. This might happen because a cell has DCE software from multiple vendors, each supplying upgrades at different times. Or perhaps upgrading all the hosts simultaneously is not feasible.
DCE for OpenVMS Version 3.0 security servers and CDS servers can interoperate with older servers (based on OSF DCE Release 1.0.3a, 1.0.2, and so on). However, new DCE security features associated with OSF DCE Release 1.1 and DCE Release 1.2.2 will generally not be available until all security server replicas in your cell are based on OSF DCE Release 1.1 and 1.2.2. Additionally, new CDS capabilities will not be available until all security servers and some or all CDS servers are based on OSF DCE Release 1.1 and 1.2.2.
If your cell contains older versions of Security or CDS Servers, you will need to migrate (gradually upgrade) older servers until all of them are running DCE server software based on OSF DCE Release 1.1 and 1.2.2. Once all Security or CDS Servers have been upgraded, you must perform some additional steps so that your servers can provide the new security and CDS capabilities.
Security Servers and CDS Servers use separate procedures to complete
migration. Security Migration provides the instructions for completing
Security server migration. CDS migration provides the instructions for
completing CDS Server migration.
5.5.1 Security Migration
After you install the new security server version on a host where an older version security replica (master or slave) exists, that replica will operate with the new Security Server, but with the behavior of the older version server. Note that a server based on OSF DCE 1.1 or higher cannot create a new replica and operate it as an older version replica. Once OSF DCE Release 1.1 has been installed on all hosts that have security replicas, you must issue a single cell-wide command that simultaneously migrates all the replicas to operate at the level of DCE 1.1. At this point the cell will support new security features such as extended registry attributes.
Once you have migrated the security servers to DCE 1.1 or higher, it is not possible to create a replica on a host running an earlier version. |
If all of the Security Server replicas in your cell are based on OSF DCE Release 1.1, you can perform the final migration steps in this section.
If your cell is still running any Security Servers based on a DCE release prior to OSF DCE Release 1.1, do not complete the upgrade steps in this section. The upgrade steps will advance some security database attributes. Older servers cannot operate on newer version databases.
Once you have installed and configured DCE for OpenVMS Version 3.0 Security Servers in your cell, perform the following actions as cell administrator:
$ dcecp -c acl show -io /.:/cell_profile |
$ dcecp -c registry modify -version secd.dce.1.1 |
$ dcecp -c registry show |
If you have not updated all 1.0.3 security replicas to DCE 1.1, any original 1.0.3 replicas will be stopped when you move the registry version forward to DCE 1.1. You may want to verify that any original 1.0.3 replicas are no longer running. |
If you have installed and configured DCE for OpenVMS Version 3.0 CDS servers in your cell, you might need to perform additional steps to complete the upgrade process.
If you created a new DCE cell and, during the dcesetup process, you set the default directory version information for each CDS server to Version 4.0, you do not need to perform the migration steps in this section.
If your cell is still running any security or CDS servers based on a DCE release prior to OSF DCE Release 1.1, do not complete the upgrade steps in this section. The upgrade steps will advance some security database and CDS directory attributes. Older servers cannot operate on newer version databases or directories.
DCE for OpenVMS Version 3.0 (or equivalent) features, such as hierarchical cells and alias cells, will be available only when all of your cell's security and CDS servers are running DCE for OpenVMS Version 3.0 or higher and the upgrade steps have been completed. Refer to the DCE for OpenVMS Product Guide and to the OSF DCE documentation for descriptions of available features.
Once the necessary DCE servers have been upgraded to DCE software based on OSF DCE Release 1.1 or 1.2.2, you can perform the migration steps in this section. The migration steps will enable the use of hierarchical cells, alias cells, and delegation.
Directory version information can only be set forward. If you migrate a CDS server to OSF DCE 1.1 or 1.2.2 behavior, you cannot revert that server to 1.0.3 behavior. |
Once you have installed and configured DCE for OpenVMS Version 3.0 (or equivalent) security servers and CDS servers, perform the following actions as cell administrator:
$ dcecp -c clearinghouse modify chname -add \{CDS_UpgradeTo 4.0 \} $ dcecp -c clearinghouse verify chname |
$ dcecp -c directory modify /.: -upgrade -tree |
The
-tree
option operates recursively on all subdirectories (in this example, it
operates on the entire cell). This command does not work unless all CDS
servers housing the affected directories are running DCE for OpenVMS
Version 3.0. This command can take a long time to execute depending on
the size of the namespace.
5.6 Running the DCE Configuration Verification Program
Once the DCE daemons are started, you can run the DCE Configuration Verification Program (CVP) to ensure that the DCE services are properly installed. The procedure prompts you with the following message:
Do you want to run the DCE Configuration Verification Program? (YES/NO/?)[Y]: |
If you enter Y or press RETURN, the procedure indicates that the CVP is running.
Executing DCE for OpenVMS Alpha V3.0 CVP (please wait) Copyright (c) Compaq Computer Corporation. 1999. All Rights Reserved. Verifying . . . . . . . . . . . |
The CVP invokes tests of the 10 DCE RPC interfaces, printing a dot (.) as each test is successful. A completely successful test execution results in 10 dots printed in succession. When the CVP tests are completed successfully, you receive the following message:
DCE for OpenVMS V3.0 CVP completed successfully |
You can repeat the CVP whenever you want by choosing option 8 (Run Configuration Verification Program) from the DCE Setup Main Menu. |
After you run the CVP, the configuration procedure updates your system
startup procedure so that the daemons restart automatically whenever
the system is rebooted.
5.7 Error Recovery During Configuration
If the procedure encounters any errors during DCE system configuration, it displays error messages. Some errors are not fatal, and the procedure attempts to continue. Other errors are fatal, and the procedure terminates. If a fatal error is encountered while the procedure is starting the DCE daemons, the procedure attempts to stop any daemons that have already been started. This returns the system to its original state before you began the configuration.
If you receive an error message at any time while running the DCE System Configuration utility, you can get more detailed information about the cause of the error by examining the associated log file in SYS$MANAGER:DCE$SETUP.LOG. This log file contains a record of the operations invoked by the System Configuration utility the last time it was executed, and may help you diagnose the cause of the problem.
Sometimes the cause of an error is transitory and may not recur if you repeat the operation.
This chapter describes the steps you need to complete to modify a cell
configuration.
6.1 Modify Configuration Menu
The Modify Configuration Menu varies slightly depending on which components are currently enabled. If a component is enabled, the menu displays the option to disable it. If the component is disabled, the menu displays the option to enable it. In the following view, all options are disabled.
*** Modify Configuration Menu *** DCE for OpenVMS Alpha V3.0 1) Add Replica CDS Server 2) Add Replica Security Server 3) Change from DTS Global Server to DTS Local Server 4) Change from DTS Global Server to DTS clerk 5) Add Null Time Provider 6) Add NTP Time Provider 7) Enable Auditing 8) Enable DCE Integrated Login 9) Enable Kerberos 5 10) Configure LDAP Name Service 11) Add LDAP Client Service 12) Enable LDAP GDA 13) Register in X.500 0) Exit Return to previous menu ?) Help Display helpful information Please enter your selection: |
Table 6-1 provides descriptions of the options available on the DCE Modify Configuration Menu.
Option | Description |
---|---|
Add Replica CDS Server | Adds a CDS Replica clearinghouse to the configuration on this host. The host must be an existing client or split cell configuration. |
Add Replica Security Server | Adds a Security Replica to the configuration on this host. The host must be an existing client or split cell. |
Change from DTS Global Server to DTS Local Server | Downgrades an existing DTS Global Server to a DTS Local Server on this host. |
Change from DTS Global Server to DTS clerk | Downgrades an existing DTS Global Server to a DTS clerk on this host. |
Add Null Time Provider | Adds a DTS Null Time Provider to the existing configuration on this host. |
Add NTP Time Provider | Adds a DTS NTP Time Provider to the existing configuration on this host. |
Enable Auditing | Enables the DCE auditing daemon to allow the capture and display of DCE audit trails. |
Enable DCE Integrated Login | Provides support for Integrated Login, which combines the DCE and OpenVMS login procedures. See the Compaq DCE for OpenVMS VAX and OpenVMS Alpha Product Guide for information about Integrated Login. |
Enable Kerberos 5 | Enable DCE on this host to coexist with other Kerberos 5 implementations. |
Configure LDAP Name Service | Configure the LDAP Name Service on this host to allow DCE to utilize LDAP as a transport for Intercell communications and NSID. |
Add LDAP Client Service | Adds host-specific information in the LDAP namespace; that is, creates server, group, and profile entries for LDAP like those entries that are used for CDS during the DCE client configuration. |
Enable LDAP GDA | Enables DCE's Global Directory Agent (GDA) to use LDAP to perform cross-cell directory service operations. |
Register in X.500 | Registers the host DCE information in the X.500 namespace, allowing the cell to use X.500 to perform cross-cell directory service operations. |
If you want to create a replica of the master CDS server on your machine, you can do so on a system that has already been configured as a client, or on a system that has not yet been configured for DCE. The following example assumes no prior configuration.
Choose option 1 (Add Replica CDS Server) from the Modify Configuration Menu. The configuration utility asks whether to search the LAN for known cells within broadcast range of your system.
Would you like to search the LAN for known cells? (YES/NO/?) [Y] : |
If you know the name of your DCE cell, answer N. As prompted, supply the name of your DCE cell, your DCE host name, and the host name of your cell's master CDS server. You also need to specify whether your host can broadcast to the host where the master CDS server is installed.
Answer Y to see a list of available DCE cells. As prompted, supply your DCE host name. At the next prompt, supply the appropriate DCE cell name from the list.
You are asked to enter your DCE host name:
Please enter your DCE host name [myhost]: |
The procedure then displays a list of the cells within broadcast range of your system and asks you to enter the name of your DCE cell. After you enter the cell name, the procedure displays the following messages and asks whether the local system time is correct:
Gathering list of currently accessible cells The following cells were discovered within broadcast range of this system: buster_cell kauai_cell myhost_cell tahoe_cell Please enter the name of your DCE cell: myhost_cell. Please enter your DCE hostname [myhost] Terminating RPC Services/DCE Security Client daemon (DCE$DCED) . . . *** RPC (DCED) shutdown successful *** Starting RPC & Security Client Services daemon (DCE$DCED) . . . %RUN-S-PROC-ID, identification of created process is 238110C0 Starting CDS Name Service Advertiser daemon (DCE$CDSADVER) . . . %RUN-S-PROC-ID, identification of created process is 238110C1 Starting CDS Name Service Client daemon (DCE$CDSCLERK) . . . %RUN-S-PROC-ID, identification of created process is 238110C2 Testing access to CDS server (please wait)... Attempting to locate security server Found security server Creating dce$local:[etc.security]pe_site.; file Checking local system time Looking for DTS servers in this LAN Found DTS server The local system time is: Wed Jul 12 11:31:52 1998 Is this time correct? (y/n): |
Please check the time before you respond to this prompt.
Make sure you check that the correct time is displayed before you continue with the configuration. If the time is incorrect, answer N, and the procedure exits to the operating system to allow you to reset the system time. After you correct or verify the time, answer Y, and the procedure continues with the following message (if you have DECnet/OSI installed and configured):
You seem to have DECnet/OSI installed on this system. DECnet/OSI includes a distributed time synchronization service (DECdts), which does not currently support the DCE Distributed Time Service (DCE DTS) functionality. The DCE DTS in this release provides full DECdts functionality. This installation will stop DECdts and use DCE DTS instead. For further clarification, please consult the Compaq DCE for OpenVMS VAX and OpenVMS Alpha Product Guide. |
Even though DCE DTS will be used, it is possible to accept time from DECdts servers.
Should this node accept time from DECdts servers? (YES/NO/?) [N]: |
Answer Y to accept time from any DECnet/OSI DECdts server; however, time from this source is unauthenticated. If you answer N, this system accepts time only from DCE DTS servers.
Do you want this system to be a DTS Local Server (YES/NO/?) [N]: |
If DECnet/OSI is not installed, this system must be configured as either a DTS clerk or a DTS server. For a complete description on the differences between DTS clerks and servers, please consult the section on how DTS works in the OSF DCE Administration Guide. Compaq recommends that you configure three DTS servers per cell.
After you respond, the procedure stops the CDS advertiser and asks you to perform a dce_login operation. After you log in, the procedure configures the system as a client system and asks for a clearinghouse name:
Starting CDS Name Service Server daemon (DCE$CDSD) . . . %RUN-S-PROC-ID, identification of created process is 238110C3 |
When configuring the CDS server, the procedure asks:
What is the name for this clearinghouse? [myhost_ch]: |
Specify a name for this clearinghouse that is unique in this cell. The procedure displays the following messages and asks whether you want to replicate more directories.
Initializing the name space for additional CDS server... Modifying acls on /.:/myhost_ch Modifying acls on /.:/hosts/myhost/cds-server Modifying acls on /.:/hosts/myhost/cds-gda Do you wish to replicate more directories? (YES/NO/?): |
The root directory from the CDS master server has just been replicated. You can replicate more directories if you want by answering Y. Next, you are prompted for the name of a CDS directory to be replicated.
Enter the name of a CDS directory to be replicated: |
Enter the name of a CDS directory existing in the master CDS namespace that you want to replicate on this system. Type the directory name without the /.:/ prefix; it is added automatically. When you are finished, press only the RETURN key. The procedure displays the following messages and asks whether you want to run the CVP.
If your system is already configured as a CDS Replica Server, this option will show "Remove Replica CDS Server" on the Modify Configuration Menu.
Previous | Next | Contents | Index |
privacy and legal statement | ||
6531_DCE_IG_PRO_004.HTML |