Compaq DCE for OpenVMS VAX and OpenVMS Alpha
Release Notes



14.32 DCE Command Line Programs Fail With SMG Error

If the process has its UIC set to DCE$SERVER and does not have the BYPASS privilege set, DCE command line utilities will fail with the following error:


error creating SMG virtual keyboard. 
%NONAME-E-NOMSG, Message number 00000002 

The resolution to this problem is to either run under a UIC other than DCE$SERVER, or to set the BYPASS privilege on accounts set to the DCE$SERVER UIC.

This problem does not affect the running of the DCE daemons, only user processes.

14.33 Dumping the CDS Cache

The CDSCP and DCECP commands to examine the CDS cache will fail with the following errors if CDSCP or DCECP is run under a process UIC other than [DCE$SERVER]:


$ CDSCP DUMP CLERK CACHE 
Cannot map -1 
- check id and protection 
An error occured calling a CDS API function. (dce / cds) 
 
$ DCECP -C CDSCACHE DUMP 
Cannot map -1 
- check id and protection 
Error: The cache dump failed in an indeterministic mode. 

To work around this restriction, issue the following DCL command before you invoke CDSCP or DCECP:


$ SET UIC [DCE$SERVER] 

Remember to reset your UIC to its original value after you use this command.

14.34 CDS Clerk Failing on UCX Shutdown

If you issue a SYS$STARTUP:UCX$SHUTDOWN command while running DCE, you may get a CDS Clerk failure and an Access Violation. You may then encounter problems restarting the CDS Clerk (and DCE itself) with the DCE$SETUP START command.

The primary problem is that UCX is being shut down while DCE is still active. Because DCE uses UCX, DCE should always be shut down first.

To recover from this problem, you need to shut down DCE first and then restart. Simply trying to restart without first shutting down DCE will not fix the underlying problem. Because temporary files may be left in an indeterminate state, you may also want to perform a DCE$SETUP CLEAN operation before restarting.

14.35 Global Directory Agent Configuration

The Global Directory Agent (GDA) is configured on the OpenVMS node that contains the CDS Master Replica name server. The DNS domain name (for example, zko.dec.com) and the Internet Address of an authoritative DNS Master Bind Server (for example, 16.32.2.11) are required during configuration if you are using DNS Bind style cellnames.

Before access to multiple CDS namespaces is possible, the following are required after the configuration:

  1. The Master Bind Server identified during configuration becomes the repository for information the GDA requires to resolve the Internet addresses and binding information needed by CDS to access foreign cell name spaces. This applies to DNS Bind cellnames only. See the Intercell Naming chapter in the Compaq DCE for OpenVMS VAX and OpenVMS Alpha Product Guide for the binding information content, location, and access.
  2. Authenticated access to foreign (intercell) cell name space requires performing the RGY_EDIT cell command. The information needed for the cell command requires coordination with the foreign cell administrator. For more information, see both the Administering a Multicell Environment chapter in the OSF DCE Administration Guide and the Intercell Naming chapter in the Compaq DCE for OpenVMS VAX and OpenVMS Alpha Product Guide.
  3. Before doing the RGY_EDIT cell command, you must first delete the krbtkt account for the foreign cell if one already exists. Similarly, the administrator for the foreign cell must also delete the krbtkt account in the foreign cell's registry for your cell. For example, if your cell is called first_cell and the foreign cell is called second_cell, then you must run RGY_EDIT on first_cell to delete the account called krbtkt/second_cell, and the administrator on second_cell must delete the registry account called krbtkt/first_cell.
    After the cell command, both cell administrators should rerun DCE_LOGIN before attempting authenticated cross-cell requests.

If you are unsuccessful in configuring intercell communication, check for the following:

14.36 Changes to RPC Shutdown

In DCE for OpenVMS Version 1.5, a change was made to disassociate RPC shutdown from DCE shutdown. This was done to allow RPC-only applications to remain active while DCE changes were being made.

In DCE Version 1.5, DCE$SETUP stop/clean/clobber did not call the RPC shutdown procedure, and gave a warning that RPC would not be shut down. DCE Version 3.0 requires that dced (the new RPC endpoint mapper) be shut down during certain operations. Therefore, the behavior of DCE Version 3.0 has changed, and the RPC shutdown procedure is now called from DCE$SETUP.COM. This requires the system manager to be aware of any RPC-only applications that may be active at the time of DCE configuration operations.

14.37 IDL Error When Installing DCE

When installing DCE over an existing DCE implementation, you may see an IDL error if the DCE Application Developer's Kit was previously installed, but is not being installed for the upgrade.

The installation is attempting to remove the DCL commands that are associated with the developer's kit from DCLTABLES.EXE, and is failing. The following error can be ignored. Answer NO to the question "Do you want to terminate?".


%PCSI-E-MODDELERR, error deleting module IDL_CLD from library 
%PCSI-E-OPFAILED, operation failed 
Terminating is strongly recommended.  Do you want to terminate? 
[YES] n 

14.38 Owner Error When Installing DCE

When installing DCE on OpenVMS VAX Version 6.2, you may see the following errors:


%PCSI-E-ERROWNER, error in owner specification 'DCE$SERVER' 
%PCSI-E-OPFAILED, operation failed 

or


%PCSI-E-PARUDF, the directory [DCELOCAL.ETC] has not been provided 
by a previous Install or Register operation - file ownership and protection 
update skipped 

followed by:


Terminating is strongly recommended.  Do you want to terminate? 
[YES] n 

These errors can be safely ignored - answer NO to the question "Do you want to terminate?".

14.39 Port Error During DCE Configuration

If the error shown below occurs during DCE configuration, your system has the TCP/IP NTP daemon configured. Since DCE also provides an NTP daemon, you must decide which daemon you want to use.

If you use the DCE NTP daemon, you must disable the TCP/IP NTP daemon using your TCP/IP configuration program before you can enable the DCE one.

If you use the TCP/IP NTP daemon, then you can ignore the following error. Answer "Y" to the question about whether you want to proceed.


   *************************** ERROR ******************************** 
 
     Port number 123 is in use by a service other than "ntp". 
     Please check configuration! Service "ntp" must use 
     port number 123. 
 
    ***************************************************************** 
     Press <RETURN> to continue . . . 
 
     Do you want to proceed with this operation  (YES/NO/?) [N]? 

14.40 Exception During DCE Configuration Verification Program

When the DCE Configuration Verification Program (CVP) or the test option from the DCE main menu is run, the following error may occur:


%CMA-F-EXCCOPLOS, exception raised; some information lost 

This error can be ignored.

14.41 Problem Converting DTS Local to DTS Global Server

Modification of the DCE configuration to convert an existing DTS local server to a DTS global server results in the following error:


ERROR- An error occurred attempting to log in to DCE with principal 
       name "cell_admin" 
Sorry. 
Password Validation Failure. - Cannot log in with zero-length password 
(dce/sec) 
Do you wish to try another principal name? 

If you answer yes to this question, and give the cell_admin username and password to the prompts, the conversion to the DTS global server will be successful.

14.42 Problems With Sun Solaris DCE System as CDS Master

There are known problems with Sun Solaris Version 2.6 and Transarc DCE Version 2.1 as the CDS master if you are attempting to configure a split server configuration using DCE on OpenVMS, Tru64 UNIX, or Windows NT. Solaris Version 2.4 and Transarc DCE Version 1.1 work correctly. Contact your DCE vendor for further information.

14.43 Compile Warning in Example Programs

The CXX example programs may produce the following warning on compilation:


IDL_ms.IDL_call_h = (volatile rpc_call_handle_t)IDL_call_h; 
...............^ 
%CXX-W-CASTQUALTYP, type qualifier is meaningless on cast type 
at line number 117 in file USER$1:[DCE12.EXAMPLES.RPC.IDLCXX. 
ACCOUNT]ACCOUNT_SSTUB.CXX;1 

This warning can be safely ignored.

14.44 Missing CXX Library

Some versions of CXX may not include the library SYS$LIBRARY:LIBCXXSTD.OLB. If this is the case, this line may be removed from the options file found in SYS$COMMON:[DCE$LIBRARY]DCE_CXX.OPT.

14.45 Unknown Ethernet Device on Host System

If your system is relatively new, DCE may not know about the Ethernet device on the system. DCE uses the Ethernet device to obtain an Ethernet address which is used in the generation of UUIDs. If you see errors such as the following, your Ethernet device is not known by DCE:


%UUIDGEN-F-RPC_MESSAGE, Received Error Status: "no IEEE 802 
                        hardware address (dce / rpc)" 

You can define one additional Ethernet device in the table used by DCE by defining the logical name DCE$IEEE_802_DEVICE to the name of your Ethernet device as shown in the following example:


DEFINE/SYSTEM DCE$IEEE_802_DEVICE EWA0 

This will allow DCE to operate using the Ethernet device named EWA0 (a device type of DE500).

14.46 Public Key Routines Not Supported on OpenVMS

DCE public key technology is not currently supported on OpenVMS. The pkc_* routines and classes (pkc_add_trusted_key, etc.) are not in DCE$LIB_SHR.EXE, and will generate undefined symbols if an application that uses them attempts to link.

The Open Group has stated their intention to replace the existing public key technology in DCE with a noninteroperable replacement, based on X.509v3, in a future release.

Note

There has been such a high volume of change activity in the IETF relative to Public Key Infrastructure (PKI) and Kerberos that the [RFC 68.3] functionality will not be forward compatible with this Specification. Therefore, current users of DCE 1.2.2-based products with [RFC 68.3] functionality should refrain from deploying the public key based login support [1].

For this reason, Compaq is not supplying the obsolete public key functionality in Compaq DCE for OpenVMS Version 3.0. For information on the status of public key in DCE, see The Open Group's DCE World Wide Web (WWW) address:


http://www.opengroup.org/tech/dce/ 

14.47 Audit Trail Files Require UNIX-Style File Specifications

The command to show the DCE audit trail files requires a UNIX style file specification. For example:


$ dcecp -c audtrail show /dcelocal/var/audit/adm/central_trail 

14.48 Installation Warnings

Some systems may see the following warnings when installing DCE:


The following product will be installed to destination: 
    DEC VAXVMS DCE V3.0 
DISK$MOOSE2_SYS:[VMS$COMMON.] 
 
%PCSI-I-RETAIN, file [SYSEXE]DTSS$SET_TIMEZONE.EXE was not 
replaced because file from kit does not have higher generation 
number 
 
%PCSI-I-RETAIN, file [SYSLIB]DTSS$RUNDOWN.EXE was not replaced 
because file from kit does not have higher generation number 
 
%PCSI-I-RETAIN, file [SYSUPD]DTSS$INSTALL_TIMEZONE_RULE.COM was 
not replaced because file from kit does not have higher 
generation number 
 
%PCSI-I-RETAIN, file [SYSUPD]DTSS$TIMEZONE_RULES.DAT was not 
replaced because file from kit does not have higher generation 
number 

These warnings can be safely ignored. They indicate that certain files that may also be provided by Compaq OpenVMS are newer than the files in the DCE kit.

Note

[1] Draft Technical Standard - DCE 1.2.3 Public Key Certificate Login, Draft 0.8, The Open Group, August 1998

15 New APIs for Authenticated RPC

The following APIs are included in DCE Version 1.5 and above to manipulate the sec_winnt_auth_identity structure. They are supported on OpenVMS Version 7.2-1 and higher.

15.1 RPC_WINNT_SET_AUTH_IDENTITY


NAME 
     rpc_winnt_set_auth_identity - This function is called by the 
     client RPC application to allocate and populate a 
     WINNT auth_identity structure to be used as a parameter to 
     rpc_binding_set_auth_info(). 
     The caller must use the rpc_winnt_free_auth_identity() 
     function to free the WINNT auth_identity. The strings that are 
     passed in may be ASCII or Unicode (UCS-4) strings. The input 
     flag will tell which type of strings they are. 
 
SYNOPSIS 
 
      #include <rpc.h> 
 
      PUBLIC void rpc_winnt_set_auth_identity ( 
                rpc_winnt_auth_string_p_t        Username, 
                rpc_winnt_auth_string_p_t        Password, 
                rpc_winnt_auth_string_p_t        Domain, 
                unsigned __int64                 CharacterSetFlag, 
                rpc_auth_identity_handle_t       *auth_identity, 
                unsigned32                       *stp) 
 
PARAMETERS 
 
      INPUT 
 
                username - Pointer to a null terminated string 
                           containing username. 
                password - Pointer to a null terminated string 
                           containing password. 
                domain   - Pointer to a null terminated string 
                           containing domain. 
 
      CharacterSetFlag 
 
                SEC_WINNT_AUTH_IDENTITY_UNICODE 
                           4 byte Unicode (UCS-4) 
                SEC_WINNT_AUTH_IDENTITY_ANSI 
                           ASCII (ISO8859-1) 
 
       OUTPUT 
                auth_identity - Pointer to a pointer to WINNT 
                                auth_identity structure. 
                stp           - Pointer to returned status. 
         

Note

Be sure to allocate space for three strings (username, password, domain). The string variables will probably be pointers of type unsigned_char_t if the strings are ASCII, or pointers of type wchar_t if the strings are Unicode (UCS-4).

If the domain string is a valid empty string, then the domain of the computer will be used.

15.2 RPC_WINNT_FREE_AUTH_IDENTITY


NAME 
 
     rpc_winnt_free_auth_identity - This function is called by the 
     client RPC application to free a WINNT auth_identity 
     structure that was previously allocated by a call to 
     rpc_winnt_set_auth_identity(). 
 
SYNOPSIS 
 
     #include <rpc.h> 
 
     PUBLIC void rpc_winnt_free_auth_identity ( 
                rpc_auth_identity_handle_t  *auth_identity, 
                unsigned32                        *stp) 
 
PARAMETERS 
 
     INPUT 
                auth_identity - Pointer to a pointer to WINNT 
                                auth_identity structure. 
                                On output auth_identity will be 
                                set to NULL. 
     OUTPUT 
                stp             Pointer to returned status. 

16 New APIs for Impersonation in DCE

The following APIs are included in DCE Version 1.5 and higher to support server impersonation of a client. This means that the server runs with the security credentials of the client, and all of the capabilities of the client belong to the server.

16.1 RPC_IMPERSONATE_CLIENT


NAME 
 
        rpc_impersonate_client - This function is called by the 
        server application to allow the current server thread to 
        run with all of the client privileges. 
 
SYNOPSIS 
 
        #include <rpc.h> 
 
        void rpc_impersonate_client( 
                rpc_binding_handle_t binding_handle, 
                rpc_status_t *status) 
 
PARAMETERS 
 
        INPUT 
                binding_handle - Specifies a server-side call 
                handle for this RPC which represents the client 
                to impersonate. 
               
        OUTPUT 
                status - Specifies a pointer to an unsigned 32 bit 
                integer that holds a status code. 

16.2 RPC_REVERT_TO_SELF


NAME 
 
        rpc_revert_to_self -  This function is called by the 
        server application to revert back to its original 
        security context after impersonating a client. 
 
SYNOPSIS 
 
        #include <rpc.h> 
 
        rpc_revert_to_self(rpc_status_t *status) 
 
PARAMETERS 
 
        INPUT 
                NONE 
        OUTPUT 
                status - Specifies a pointer to an unsigned 32 bit 
                integer that holds a status code. 
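
The impersonation pattern from 16.1 and 16.2, as an added example (not code from these release notes or from Compaq): a wrapper that runs client-scoped work only after the impersonation status has been checked, and reverts afterwards. The typedefs, `STATUS_OK`, the `mock_*` functions, `run_as_client` and `record_identity` are hypothetical stand-ins so the block compiles without the DCE headers.

```c
/* Added example, not DCE or Compaq code. The typedefs and mock_* functions
 * are stand-ins so this compiles without DCE headers; on a DCE system include
 * <rpc.h> and call rpc_impersonate_client()/rpc_revert_to_self() instead. */
#include <stdio.h>
#include <stdlib.h>

typedef void *rpc_binding_handle_t;   /* stand-in for the DCE handle type */
typedef unsigned int rpc_status_t;    /* the page: unsigned 32-bit status */
#define STATUS_OK 0u                  /* assumed success value for the mocks */

static int impersonating = 0;                   /* 1 while "running as client" */
static rpc_status_t next_status = STATUS_OK;    /* lets a caller inject failure */

static void mock_impersonate_client(rpc_binding_handle_t h, rpc_status_t *st) {
    (void)h;
    *st = next_status;
    if (*st == STATUS_OK) impersonating = 1;
}
static void mock_revert_to_self(rpc_status_t *st) {
    impersonating = 0;
    *st = STATUS_OK;
}

typedef int (*client_work_fn)(void *arg);

/* Run work() only while impersonating the caller identified by h.
 * Returns work()'s result, or -1 (work not run) if impersonation failed. */
int run_as_client(rpc_binding_handle_t h, client_work_fn work, void *arg) {
    rpc_status_t st;
    int rc;
    mock_impersonate_client(h, &st);
    if (st != STATUS_OK)
        return -1;      /* fail closed: do not continue with server credentials */
    rc = work(arg);
    mock_revert_to_self(&st);
    if (st != STATUS_OK)
        abort();        /* identity of this thread is unknown; stop serving */
    return rc;
}

/* Sample work item: records whether it ran under the client identity. */
int record_identity(void *arg) { *(int *)arg = impersonating; return 0; }

int main(void) {
    int ran_as = -1;
    int rc = run_as_client(NULL, record_identity, &ran_as);
    printf("ok path:   rc=%d ran_as_client=%d\n", rc, ran_as);
    next_status = 1u;                 /* constructed non-zero failure status */
    ran_as = -1;
    rc = run_as_client(NULL, record_identity, &ran_as);
    printf("fail path: rc=%d work_ran=%d\n", rc, ran_as != -1);
    return 0;
}
```

The check that matters is the early return: if the impersonation status is ignored, the work runs with the server's own credentials rather than the client's.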

16.3 RPC_REVERT_TO_SELF_EX


NAME 
 
    rpc_revert_to_self_ex - This function is called by the server 
    application to revert back to its original security context 
    after impersonating a client.  This acts as a call to 
    rpc_revert_to_self(); 
 
SYNOPSIS 
 
    #include <rpc.h> 
 
    rpc_revert_to_self_ex( 
                rpc_binding_handle_t        binding_handle, 
                rpc_status_t                *status) 
 
PARAMETERS 
 
     INPUT 
                call handle - This parameter is ignored. 
     OUTPUT 
                status - Specifies a pointer to an unsigned 32 bit 
                integer that holds a status code. 

16.4 Enhanced RPC Security APIs

For more information on existing enhanced RPC security APIs, see the Compaq DCE for OpenVMS VAX and OpenVMS Alpha Reference Guide.

17 The Routing File

To use routing file services on OpenVMS, define the following logical name for the process or the system for which logging information is desired (the syntax is exact for the routing file):


$ define/sys DCE_SVC_ROUTING_FILE "dce_local/var/svc/routing." 

This enables DCE applications to find and interpret the routing file, and direct any output to the locations specified in the routing file.

You can also set the number of buffered writes to perform before data is flushed to the file, as follows:


$ define/sys DCE_SVC_FSYNC_FREQ 10 

The example above will flush the buffer every 10 writes.

