Compaq DCE for OpenVMS VAX and OpenVMS Alpha
Installation and Configuration Guide

Order Number: AA-PV4CE-TE

July 2000

This guide describes the installation procedure and the system configuration utility for the Compaq Distributed Computing Environment (DCE) for OpenVMS VAX and OpenVMS Alpha.

Revision/Update Information: This guide supersedes the Compaq DCE for OpenVMS VAX and OpenVMS Alpha Installation and Configuration Guide Version 1.5.

Operating System: OpenVMS VAX Version 6.2 or higher
                  OpenVMS Alpha Version 6.2 or higher

Software Version: Compaq DCE for OpenVMS Version 3.0

Compaq Computer Corporation
Houston, Texas
________________________________________________________________

© 2000 Compaq Computer Corporation

Compaq, VAX, VMS, the Compaq logo, and the DIGITAL logo Registered in U.S. Patent and Trademark office.

OpenVMS is a trademark of Compaq Information Technologies Group, L.P.

Microsoft, Windows, and Windows NT are trademarks of Microsoft Corporation.

OSF/1 and UNIX are trademarks of The Open Group.

All other product names mentioned herein may be the trademarks or registered trademarks of their respective companies.

Confidential computer software. Valid license from Compaq required for possession, use, or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Compaq shall not be liable for technical or editorial errors or omissions contained herein. The information in this publication is subject to change without notice and is provided "AS IS" WITHOUT WARRANTY OF ANY KIND. THE ENTIRE RISK ARISING OUT OF THE USE OF THIS INFORMATION REMAINS WITH RECIPIENT.
IN NO EVENT SHALL COMPAQ BE LIABLE FOR ANY DIRECT, CONSEQUENTIAL, INCIDENTAL, SPECIAL, PUNITIVE, OR OTHER DAMAGES WHATSOEVER (INCLUDING WITHOUT LIMITATION, DAMAGES FOR LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, OR LOSS OF BUSINESS INFORMATION), EVEN IF COMPAQ HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE FOREGOING SHALL APPLY REGARDLESS OF THE NEGLIGENCE OR OTHER FAULT OF EITHER PARTY AND REGARDLESS OF WHETHER SUCH LIABILITY SOUNDS IN CONTRACT, NEGLIGENCE, TORT, OR ANY OTHER THEORY OF LEGAL LIABILITY, AND NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY.

The limited warranties for Compaq products are exclusively set forth in the documentation accompanying such products. Nothing herein should be construed as constituting a further or additional warranty.

ZK6531

The OpenVMS documentation set is available on CD-ROM.
_________________________________________________________________

Contents

Preface

1 Preparing for Installation
  1.1 Planning for Installation and Configuration
    1.1.1 What Is a Cell?
    1.1.2 Creating a Cell
    1.1.3 Joining a Cell
  1.2 Inspecting the Distribution Kit
  1.3 Troubleshooting
  1.4 Installation Procedure Requirements
    1.4.1 Required Hardware
    1.4.2 Required Software
      1.4.2.1 On OpenVMS Alpha and VAX Systems
    1.4.3 Time Required for Installation
    1.4.4 Disk Space, Global Pages, and Global Sections Required
    1.4.5 Privileges and Quotas Required
    1.4.6 Completing License Management Facility Requirements
    1.4.7 Performing System Backup
    1.4.8 Installing DCE Version 3.0 Over Previous Versions

2 Installing DCE
  2.1 About the OpenVMS Installation Procedure
  2.2 Starting the Compaq DCE Installation Procedure
  2.3 Continuing the Installation
  2.4 Installing on a VMScluster

3 Postinstallation Procedures
  3.1 Postinstallation Tasks
  3.2 Installation Error Recovery

4 Configuring a DCE Cell
  4.1 Overview of the DCE Cell
    4.1.1 Creating a Cell
    4.1.2 Joining a Cell
    4.1.3 Defining a Cell Name
    4.1.4 Defining a Host Name
    4.1.5 Intercell Naming Using DNS
    4.1.6 Intercell Naming Using LDAP/X.500
  4.2 The DCE System Configuration Utility - DCE$SETUP.COM
    4.2.1 Configuring LDAP, NSI, and GDA
    4.2.2 Kerberos 5 Security
    4.2.3 Starting the System Configuration Utility

5 Configuring DCE
  5.1 DCE System Management Command Procedure
    5.1.1 Starting and Stopping the RPC Daemon
    5.1.2 Limiting RPC Transports
    5.1.3 Logical Names Created During Configuration
    5.1.4 Configuring on a VMScluster
  5.2 Overview of New Cell Configuration
  5.3 Configuring Your System as a DCE Client with Run-Time Services
  5.4 Split Server Configuration (Adding a Master CDS Server)
    5.4.1 Creating a New Cell and Master Security Server
    5.4.2 Creating a Master CDS Server on Another System
    5.4.3 Completing the Security Server Configuration
    5.4.4 Completing the CDS Master Server Configuration
  5.5 Migrating Your Cell
    5.5.1 Security Migration
    5.5.2 CDS Migration
  5.6 Running the DCE Configuration Verification Program
  5.7 Error Recovery During Configuration

6 Modifying Cell Configuration
  6.1 Modify Configuration Menu
  6.2 Adding a Replica CDS Server
  6.3 Adding a Security Replica
  6.4 Adding/Removing a DTS Local Server
  6.5 Adding a DTS Global Server
  6.6 Adding a Null Time Provider
  6.7 Adding an NTP Time Provider
  6.8 Enabling Auditing
  6.9 Enabling DCE Integrated Login
  6.10 Enabling Kerberos 5
  6.11 Configuring the LDAP Name Service
  6.12 Adding LDAP Client Service
  6.13 Configuring LDAP Support for the Global Directory Assistant
  6.14 Registering a Cell in X.500

A Files Created or Used on Your System
  A.1 Installation Files
  A.2 Run-Time Services Kit Files
  A.3 Application Developer's Kit Files
  A.4 Example Application Files

B Sample Installation Logs
  B.1 Installing Compaq DCE on OpenVMS Alpha

C Sample Configuration Logs
  C.1 Initial Client Configuration
  C.2 Initial Server Configuration
  C.3 Showing the DCE System Configuration and the DCE Daemons
  C.4 Modifying Configuration

Index

Tables
  1-1 Disk Space, Global Pages, and Global Sections Requirements
  5-1 Configuration Menu Options
  6-1 Modify Configuration Menu Options

_________________________________________________________________
Preface

This guide describes the installation procedure and the system configuration utility for the Compaq Distributed Computing Environment (DCE) for OpenVMS VAX and OpenVMS Alpha Version 3.0, which consists of the following services:

o Remote Procedure Call (RPC) service provides connectivity between individual procedures in an application across heterogeneous systems in a transparent way.

o Interface Definition Language (IDL) compiler is required for developing distributed DCE applications.

o Threads service provides user-mode control and synchronization of multiple operations. Threads is packaged with the base operating system.

o Cell Directory Service (CDS) provides a location-independent method of identifying resources within a cell. A cell is the smallest group of DCE systems that share a common naming and security domain.

o DCE Security Service provides authentication and authorization within a cell and is based on MIT's Kerberos private key encryption system.

o Distributed Time Service (DTS) provides date and time synchronization within a cell.

Four kits are installed:

o Runtime Services Kit
o Application Developer's Kit
o CDS Server Kit
o Security Server Kit

The Runtime Services Kit contains the following:

o Authenticated CDS Advertiser and Client Support
o CDS Browser
o CDS Control Program (cdscp)
o Authenticated DCE RPC runtime support (supports DECnet, TCP/IP, and UDP)
o Authenticated RPC runtime support (supports DECnet, TCP/IP, and UDP via NTLM security protocol on OpenVMS Alpha Version 7.2-1 and higher.)
o RTI (Remote Task Invocation) RPC for Compaq's ACMSxp TP product
o Security Client Support
o Integrated Login
o A DCE_LOGIN tool for obtaining credentials
o A RGY_EDIT tool for registry maintenance functions
o KINIT, KLIST, and KDESTROY Kerberos tools
o An ACL_EDIT tool for access control lists (ACLs) for DCE objects
o RPC Control Program (rpccp)
o DCE Control Program (dcecp)
o Name Service Interface Daemon (nsid); also known as the PC Nameserver Proxy
o Native Kerberos
o XDS Directory Services
o XDS Object Management

The Application Developer's Kit contains the following:

o The contents of the Runtime Services Kit
o Required DCE application development header files
o Interface Definition Language (IDL) compiler
o Object-Oriented RPC
o Generic Security Service (GSSAPI)
o LSE Templates for IDL
o UUID Generator
o The .H (Include) files and .IDL files for application development
o Sample DCE applications

The CDS Server Kit contains the following:

o CDS server (cdsd)
o Global Directory Agent (GDA)
o PC Name Service Interface Daemon (nsid)

The Security Server Kit contains the following:

o Security server (secd)
o Tool used to create the security database (sec_create_db)
o Security server administrative tool (sec_admin)

Keep this document with your distribution kit. You will need it to install maintenance updates or to reinstall Compaq DCE.

Intended Audience

This guide is intended for managers of distributed computing environments on one or more systems and installers of the Compaq DCE for OpenVMS VAX or OpenVMS Alpha Kit Version 3.0.

Document Structure

This guide is organized as follows:

o Chapter 1 describes the requirements and procedures that you must complete before installing the software.

o Chapter 2 describes the installation process.

o Chapter 3 describes procedures that you must complete after the installation.
o Chapter 4 describes the steps necessary to set up a DCE cell, and the DCE system configuration utility for Compaq DCE for OpenVMS VAX and OpenVMS Alpha.

o Chapter 5 explains how to create a cell and configure the Security server and CDS server on the same system. It also discusses how to configure a client system into an existing DCE cell.

o Chapter 6 describes the steps you need to complete to modify a cell configuration.

o Appendix A lists the directories and files created by the installation procedure and system configuration utility.

o Appendix B contains sample logs of the installation procedure.

o Appendix C contains sample logs of the configuration procedure.

Related Documents

For additional information about OpenVMS products and services, access the following World Wide Web address:

    http://www.compaq.com/

Reader's Comments

Compaq welcomes your comments on this manual. Please send comments to either of the following addresses:

Internet    openvmsdoc@compaq.com

Mail        Compaq Computer Corporation
            OSSG Documentation Group, ZKO3-4/U08
            110 Spit Brook Rd.
            Nashua, NH 03062-2698

How To Order Additional Documentation

Use the following World Wide Web address to order additional documentation:

    http://www.compaq.com/

If you need help deciding which documentation best meets your needs, call 800-282-6672.

Conventions

VMScluster systems are now referred to as OpenVMS Cluster systems. Unless otherwise specified, references in this document to OpenVMS Clusters or clusters are synonymous with VMSclusters.

The following conventions are also used in this guide:

Ctrl/x
    A sequence such as Ctrl/x indicates that you must hold down the key labeled Ctrl while you press another key or a pointing device button.

italic text
    Italic text indicates important information, complete titles of manuals, or variables. Variables include information that varies in system output (Internal error number), in command lines (/PRODUCER=name), and in command parameters in text (where device-name contains up to five alphanumeric characters).

UPPERCASE TEXT
    Uppercase text indicates a command, the name of a routine, the name of a file, or the abbreviation for a system privilege.

Monospace text
    Monospace text indicates code examples and interactive screen displays. In the C programming language, monospace text identifies the following elements: keywords, the names of independently compiled external functions and files, syntax summaries, and references to variables or identifiers introduced in an example.

Case-sensitivity
    OpenVMS operating system commands do not differentiate between uppercase and lowercase. However, many DCE commands do make this distinction. In particular, the system configuration utility interprets names in a case-sensitive manner.

1
_________________________________________________________________
Preparing for Installation

This chapter describes the preparations you must make before you install and configure the Compaq Distributed Computing Environment (DCE) for OpenVMS VAX and OpenVMS Alpha software.

Compaq DCE is an enabling software technology for the development of distributed applications. It provides a variety of common services needed for the development of distributed applications, such as name services and a standard remote procedure call interface.

1.1 Planning for Installation and Configuration

This section helps you plan for the installation and configuration of the Compaq DCE. It presents a brief overview of some concepts that you need to understand before you install and configure Compaq DCE software. This understanding can help you decide how to configure DCE. Refer to Understanding DCE for detailed explanations of DCE concepts.

The installation and configuration procedures set up the DCE environment so that you can use DCE services.
Before you can use Compaq DCE software, you must both install the software and configure DCE on your system.

1.1.1 What Is a Cell?

A cell is the basic DCE unit consisting of a group of nodes that share a directory service namespace and a security service registry under a common administration. Usually, the nodes in a cell are in the same geographic area, but cell boundaries are not limited by geography. Although a cell can contain from one to several thousand nodes, each node can belong only to one cell at a time.

The system configuration utility allows you to join an existing cell. The cell must provide a directory server and a security server. These servers may be resident on the same system or may be running on separate systems.

Note that if you rely on DCE time services for time synchronization, by default, you need a minimum of three time servers to synchronize time in a cell. See the section on the DCE Distributed Time Service in the OSF DCE Administration Guide for more information.

1.1.2 Creating a Cell

See Chapter 4 for cell configuration guidelines.

1.1.3 Joining a Cell

You need the following information to join a DCE cell:

o Full cell name
o Host name of the DCE Security Server
o Security principal name and password authorized to perform cell administration operations
o Location of the cell's CDS server (on or not on the same LAN as you are)

When the client joining the cell is on the same LAN as the CDS directory master server, the CDS advertiser automatically determines the server's location by using IP (Internet Protocol) broadcast packets. If the CDS master server is not on the LAN, then you need to provide the host name where the CDS master server is running.

1.2 Inspecting the Distribution Kit

The Software Bill of Materials (BOM) included with your distribution kit specifies the contents of your distribution kit.
Carefully compare the items you received with the items listed in the BOM. If any components are missing or damaged, contact your Compaq customer service representative before you continue with the installation.

The Read Before Installing letter listed on your BOM provides important information that you should be aware of before you install Compaq DCE. Some of this information may not be included in either this guide or the release notes.

Compaq DCE provides online release notes. Read the release notes before you install the product. They contain information about changes to the product. For example, the release notes contain important information on modifications you should make to TCP/IP parameters before you begin the installation.

1.3 Troubleshooting

The Compaq DCE for OpenVMS VAX and OpenVMS Alpha Product Guide includes a chapter on troubleshooting. Read this chapter if you are having installation or configuration problems. For example, the Troubleshooting chapter discusses problems you may encounter with time and time zones.

1.4 Installation Procedure Requirements

The following sections discuss the requirements for installing Compaq DCE. The length of time the installation takes to complete depends on the type of machine, the load on that machine, and the kit you choose to install.

1.4.1 Required Hardware

To perform the installation, you need the following hardware:

o A processor running OpenVMS VAX or Alpha Version 6.2 or higher.

o A software distribution device, if you are installing the software from media. You need a distribution device that corresponds with the software distribution media.

________________________ Note ________________________

Systems running OpenVMS Alpha should have access to a CD-ROM reader so you can install the software. Please check to see that you have a CD-ROM reader installed.

______________________________________________________

1.4.2 Required Software

This section describes the software that must be installed on an OpenVMS system before you can properly perform the installation, configure the system, or use the software. In cases where the minimum version is not specified, refer to the Software Product Description (SPD) for more information.

1.4.2.1 On OpenVMS Alpha and VAX Systems

Before installing Compaq DCE, you need the following software on your system:

o OpenVMS Version 6.2 or higher

o DECnet Phase IV or DECnet/OSI

  DECnet is required only if you run applications that use DECnet as their transport.

o Compaq TCP/IP Services Version 4.2 or higher

  You must have Compaq TCP/IP Services installed and configured on each host from which you plan to execute DCE applications. See Compaq TCP/IP Services for OpenVMS Installation and Configuration for more information about the UDP/IP and TCP/IP transports.

  If you plan to use MultiNet or TCPware from Process Software or Pathway from Wollongong (instead of Compaq's TCP/IP Services for OpenVMS), please see the release notes for more information.

o If you are installing the Application Developer's Kit and plan on using the LSE templates, LSE and an appropriate license must be installed before you install DCE.

1.4.3 Time Required for Installation

Depending on your configuration, the installation can take from 10 to 30 minutes.

1.4.4 Disk Space, Global Pages, and Global Sections Required

The disk space, global pages, and global sections requirements of Compaq DCE are different for the DCE Runtime Services Kit (RTK) and for the Application Developer's Kit (ADK). These requirements also differ on OpenVMS VAX and on OpenVMS Alpha systems. Table 1-1 lists the requirements before the installation for each kit on each platform.
(Disk space requirements are listed in blocks.) Note that the DCE CDS Server and Security Server images are part of the DCE Kit and are enabled by license PAKs.

Table 1-1 Disk Space, Global Pages, and Global Sections Requirements
___________________________________________________________________
Kit                        Disk Space   Global Pages   Global Sections
___________________________________________________________________
OpenVMS VAX RTK               120,000           3750                40
OpenVMS VAX RTK & ADK         150,000           3750                40
OpenVMS Alpha RTK              48,000           7350                35
OpenVMS Alpha RTK & ADK        58,000           7350                35
___________________________________________________________________

To determine how much free disk space is on your system disk, enter the following command:

    $ SHOW DEVICE SYS$SYSDEVICE

The system responds with a short table; the column labeled Free Blocks shows the amount of storage space remaining on your system disk. If there is not enough disk space to install or to run Compaq DCE, work with your system manager to delete and purge files that are no longer needed.

To determine the number of free global pages and global sections on your system, enter the following commands:

    $ WRITE SYS$OUTPUT F$GETSYI("FREE_GBLPAGES")
    $ WRITE SYS$OUTPUT F$GETSYI("FREE_GBLSECTS")

If the values displayed by the system are greater than the minimum required, your system has adequate free global pages and global sections. If the values are less than the minimum required, use the AUTOGEN command procedure to increase the values, as follows:

    $ EDIT SYS$SYSTEM:MODPARAMS.DAT

For details on using AUTOGEN, see the OpenVMS System Manager's Manual.

1.4.5 Privileges and Quotas Required

To install Compaq DCE for OpenVMS VAX and OpenVMS Alpha, log in to the system manager account. If you are not logged in to the system manager's account during installation, you must have at least the SETPRV privilege.
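The checks in Sections 1.4.4 and 1.4.5 can be combined into one DCL procedure that is run before the installation starts. The following is an added example, not part of the Compaq kit or of the original guide; the file name PREFLIGHT.COM and the P1 value ADK are hypothetical, and the thresholds are the Table 1-1 values and the quota values listed in Section 1.4.5.

```dcl
$! PREFLIGHT.COM (hypothetical name): added example, not part of the DCE kit.
$! Usage:  @PREFLIGHT        checks against the RTK figures in Table 1-1
$!         @PREFLIGHT ADK    checks against the RTK & ADK figures
$!
$ fails = 0
$ kit  = F$EDIT(P1,"UPCASE,TRIM")
$ arch = F$EDIT(F$GETSYI("ARCH_NAME"),"UPCASE")
$!
$! Table 1-1 minimums. The guide covers only Alpha and VAX, so anything
$! that is not Alpha is treated as VAX here.
$ IF arch .EQS. "ALPHA"
$ THEN
$   need_disk  = 48000
$   IF kit .EQS. "ADK" THEN need_disk = 58000
$   need_pages = 7350
$   need_sects = 35
$ ELSE
$   need_disk  = 120000
$   IF kit .EQS. "ADK" THEN need_disk = 150000
$   need_pages = 3750
$   need_sects = 40
$ ENDIF
$!
$! Section 1.4.4: free blocks, free global pages, free global sections
$ label = "SYS$SYSDEVICE free blocks"
$ have  = F$GETDVI("SYS$SYSDEVICE","FREEBLOCKS")
$ need  = need_disk
$ GOSUB check
$ label = "FREE_GBLPAGES"
$ have  = F$GETSYI("FREE_GBLPAGES")
$ need  = need_pages
$ GOSUB check
$ label = "FREE_GBLSECTS"
$ have  = F$GETSYI("FREE_GBLSECTS")
$ need  = need_sects
$ GOSUB check
$!
$! Section 1.4.5: process quotas of the account running this procedure
$ quotas = "ASTLM=24,BIOLM=18,BYTLM=18000,DIOLM=18,ENQLM=30,FILLM=20"
$ i = 0
$ qloop:
$   pair = F$ELEMENT(i,",",quotas)
$   IF pair .EQS. "," THEN GOTO qdone
$   label = F$ELEMENT(0,"=",pair)
$   need  = F$INTEGER(F$ELEMENT(1,"=",pair))
$   have  = F$GETJPI("",label)
$   GOSUB check
$   i = i + 1
$   GOTO qloop
$ qdone:
$!
$! Section 1.4.5: SETPRV is the minimum for a non-system-manager install.
$! F$PRIVILEGE tests the privileges currently enabled for this process.
$ IF .NOT. F$PRIVILEGE("SETPRV")
$ THEN
$   WRITE SYS$OUTPUT "SETPRV is not enabled for this process"
$   fails = fails + 1
$ ENDIF
$! Needed later by the DCE system management utility, so only a notice.
$ IF .NOT. F$PRIVILEGE("WORLD,SYSPRV,CMKRNL")
$ THEN
$   WRITE SYS$OUTPUT "Notice: WORLD, SYSPRV and CMKRNL are not all enabled"
$ ENDIF
$!
$ IF fails .GT. 0
$ THEN
$   WRITE SYS$OUTPUT F$FAO("!UL prerequisite(s) not met", fails)
$   EXIT %X10000002    ! error severity, message display inhibited
$ ENDIF
$ WRITE SYS$OUTPUT "All checked installation prerequisites are met"
$ EXIT 1
$!
$! Subroutine: compare HAVE with NEED, print one line, count shortfalls
$ check:
$   verdict = "ok"
$   IF have .LT. need
$   THEN
$     verdict = "TOO LOW"
$     fails = fails + 1
$   ENDIF
$   WRITE SYS$OUTPUT F$FAO("!28AS !10UL (minimum !UL) !AS", label, have, need, verdict)
$   RETURN
```

The quota check reads the limits of the current process, so run it from the account that will perform the installation.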
To determine the privileges you have, enter the following command:

    $ SHOW PROCESS/PRIVILEGES

If you do not have sufficient privileges to install Compaq DCE, see your system manager.

The DCE system management utility requires WORLD privileges for the SHOW command and WORLD, SYSPRV, and CMKRNL privileges for all other commands.

You should also check to make sure you have adequate quotas for the installation. You need the following quota values:

o ASTLM = 24
o BIOLM = 18
o BYTLM = 18000
o DIOLM = 18
o ENQLM = 30
o FILLM = 20

Use the OpenVMS Authorize Utility if you want to verify and change process quotas for the installation account in the user authorization file (UAF). For example, to change the BYTLM quota for your installation account, enter the following command sequence:

    $ RUN SYS$SYSTEM:AUTHORIZE
    UAF> MODIFY account-name /BYTLM = 18000
    UAF> SHOW account-name
    UAF> EXIT
    $ LOGOUT

After you change the quotas for your installation account, log out of the installation account and log in again for the new quotas to take effect. You can then proceed with the installation.

User account quotas are stored in the file SYSUAF.DAT. For more information on modifying account quotas, see the description of the Authorize Utility in the OpenVMS system management documentation.

1.4.6 Completing License Management Facility Requirements

If you are installing only the Runtime Services Kit of Compaq DCE, you do not need a separate license. The right to use the Compaq DCE Runtime Services Kit is granted with the OpenVMS operating system.

The installation procedure for DCE installs the following kits by default without checking for licences: DCE Runtime Services, CDS Server Kit, and the Security Server Kit. To install the Application Developer's Kit, you must override the installation defaults by answering NO to the following question:

    Do you want the defaults for all options? [YES]

If you are installing the Application Developer's Kit and plan on using LSE templates, LSE and an appropriate license must be installed before you install DCE.

To register a license under OpenVMS, first log in to the system manager's account, SYSTEM. Then use either of two ways to perform the registration:

o Invoke the SYS$UPDATE:VMSLICENSE.COM procedure. When it prompts you for information, respond with data from your License PAK.

o At the DCL prompt, enter the LICENSE REGISTER command with the appropriate qualifiers that correspond to License PAK information.

The license for the Application Developer's Kit is DCE-APP-DEV. The license for the Security Server Kit is DCE-SECURITY. The license for the CDS Server Kit is DCE-CDS.

Although it is necessary to have only one license active for this product, the License Management Facility (LMF) checks for the existence of any valid license. If LMF displays license failures for some of these other licenses, disregard the messages.

If you plan to use Compaq DCE on more than one node in a VMScluster environment, you must register and load a license for each of the other nodes before you configure them.

For complete information about using LMF, see the OpenVMS License Management Utility Manual.

1.4.7 Performing System Backup

Back up your system disk before installing any software. Use the backup procedures established at your site. For details on backing up a system disk, see the OpenVMS Backup Utility Manual.

1.4.8 Installing DCE Version 3.0 Over Previous Versions

________________________ Note ________________________

If you are installing Compaq DCE for OpenVMS VAX or OpenVMS Alpha Version 3.0 over a previous version of DCE, you do not have to reconfigure DCE after the installation. Before the installation, stop the DCE daemons with the following command:

    $ @SYS$MANAGER:DCE$SETUP CLEAN

Then, after the installation, enter the following command:

    $ @SYS$MANAGER:DCE$SETUP START

You must reconfigure if you are installing DCE for the first time or if you are installing a new version over DCE Version 1.0.

______________________________________________________

If you are installing DCE over an existing Compaq DCE for OpenVMS VAX or OpenVMS Alpha, perform the following steps:

1. Stop the DCE daemons with the following commands:

       $ @SYS$MANAGER:DCE$SETUP CLEAN

   If you are installing DCE over an existing Compaq DCE for OpenVMS VAX or OpenVMS Alpha prior to Version 1.5, you do not need to complete the RPC shutdown step. The RPC shutdown is done automatically as part of the CLEAN operation in DCE$SETUP.COM. DCE$RPC_SHUTDOWN should be executed for DCE Version 1.5 only. As in prior versions, DCE$SETUP.COM in DCE Version 3.0 automatically shuts down RPC as part of a CLEAN, STOP, or CONFIG operation.

       $ @SYS$MANAGER:DCE$RPC_SHUTDOWN

2. After the installation, enter the following command:

       $ @SYS$MANAGER:DCE$SETUP START

2
_________________________________________________________________
Installing DCE

This chapter describes the installation procedure for Compaq DCE for OpenVMS VAX and OpenVMS Alpha. You can use different media to install Compaq DCE. The examples in this chapter show the installation procedure using disk files. See Appendix B for logs of sample installations.

2.1 About the OpenVMS Installation Procedure

This section gives a brief overview of the OpenVMS installation procedure for Compaq DCE Version 3.0 called DCE$INSTALL.COM. The OpenVMS installation command has the following format:

    $ @DKA300:[000000]DCE$INSTALL [HELP]

where:

o DKA300: is a device name on which the distribution volumes will be mounted. Remember that all Alpha systems come with CD-ROM readers.

o DCE$INSTALL is the supplied command procedure that drives the installation.

It is not necessary to use the console drive to install DCE. If you do use the console drive, replace any media you remove from the drive.

Include the optional parameter HELP if you want PCSI to display help information.

When you invoke DCE$INSTALL, it checks the following conditions:

o Whether you are logged in to a privileged account. Install software from the system manager's account with your default device and directory set to SYS$UPDATE.

o Whether you have adequate quotas for installation. See Section 1.4.5 for more information on quota values.

You can stop the installation at any time by pressing Ctrl/C or Ctrl/Y. However, files created up to that point are not deleted. You must delete these files manually, using the OpenVMS DELETE command. Appendix A lists the files and directories created during the installation procedure.

2.2 Starting the Compaq DCE Installation Procedure

See Section 1.4.2 for more information about software requirements. Start the installation procedure as follows:

1. Log in to the account from which you are installing the Compaq DCE.

2. If you are installing a kit other than the Runtime Services Kit, make sure you have registered the appropriate LMF PAK.

3. Invoke the following command procedure, substituting the correct name of your media device and directory for DKA300 (used in the example):

       $ @DKA300:[000000]DCE$INSTALL HELP

2.3 Continuing the Installation

This section describes the part of the installation procedure that is specific to DCE.

    $ @DKA300:[000000]dce$install help

    Performing DCE pre-installation tasks...please wait.

Creating a DCE$SERVER Account

If you do not already have a DCE$SERVER account, the installation procedure creates one for you with TMPMBX, NETMBX, DETACH, and SYSPRV privileges.
2-2 Installing DCE Installing DCE 2.3 Continuing the Installation This installation procedure has detected an existing DCE$SERVER account. Correct operation of DCE on this system requires that the DCE$SERVER account have TMPMBX, NETMBX, DETACH and SYSPRV privileges. The installation procedure will modify the DCE$SERVER account to ensure that the prerequisite privileges are present. %UAF-I-MDFYMSG, user record(s) updated The following product has been selected: DEC AXPVMS DCE V3.0 Layered Product [Installed] Do you want to continue? [YES] Configuration phase starting ... You will be asked to choose options, if any, for each selected product and for any products that may be installed to satisfy software dependency requirements. DEC AXPVMS DCE V3.0: DCE V3.0 for OpenVMS Alpha Description of Kits The installation procedure displays information about the four Compaq DCE kits (Runtime Services Kit, Application Developers' Kit, Security Server Kit, and CDS Server Kit). Depending on the kit, the procedure displays specific information about the kit that will be installed. Greetings! This is DCE V3.0 for OpenVMS Alpha. There are four components: the DCE Runtime Services, the DCE Application Development Kit, the DCE Security Server, and the DCE CDS Server. 1. The Runtime Services provides the core services necessary to execute and manage DCE applications. 2. The Application Development Kit provides the services and tools required to develop, execute, and manage DCE applications. The Runtime Services capability is automatically provided with the Application Development Kit. 3. The security server supplies support for a cell wide security database. A cell must have at least one system running a security server. 4. The CDS server supplies support for a cell wide naming database. A cell must have at least one system running a CDS server. Installing DCE 2-3 Installing DCE 2.3 Continuing the Installation © Compaq Computer Corporation. 1995,2000. All Rights Reserved. 
    Unpublished rights reserved under the copyright laws of the
    United States.

    This software is proprietary to and embodies the confidential
    technology of Compaq Computer Corporation. Possession, use, or
    copying of this software and media is authorized only pursuant to a
    valid written license from Compaq or an authorized sublicensor.

    Restricted Rights: Use, duplication, or disclosure by the U.S.
    Government is subject to restrictions as set forth in subparagraph
    (c)(1)(ii) of DFARS 252.227-7013, or in FAR 52.227-19, or in
    FAR 52.227-14 Alt. III, as applicable.

    Compaq Computer Corporation

    The software product is sold by Compaq Computer Corporation.

    This product uses the following PAKS: DCE-SECURITY, DCE-CDS, DCE-APP-DEV

    This product currently has 3 Product Authorization Keys:

    Producer    PAK Name        Version    Release Date
    DEC         DCE-SECURITY    V3.0       01-JUL-2000
    DEC         DCE-CDS         V3.0       01-JUL-2000
    DEC         DCE-APP-DEV     V3.0       01-JUL-2000

    Do you want the defaults for all options? [YES] NO

    The Application Development Kit is optional and enabled with a PAK.
    It provides the services and tools required to develop, execute,
    and manage DCE applications.

    The Application Development Kit installs:

    + Required DCE application development header files
    + Interface Definition Language Compiler (IDL)
    + Language-Sensitive Editor (LSE) Templates for the Interface
      Definition Language
    + Unique User Identifier (UUID) Generator
    + Sample DCE Applications

    The Application Development Kit [NO] YES

    Do you want to review the options? [NO]

    Execution phase starting ...

    The following product will be installed to destination:
        DEC AXPVMS DCE V3.0                    DISK$SYSTEM:[VMS$COMMON.]

    Portion done: 0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...100%

    The following product has been installed:
        DEC AXPVMS DCE V3.0                    Layered Product

    *** DCE Product installation successful...beginning post-installation.
    The rights identifier NET$DECLAREOBJECT will now be granted to
    the DCE$SERVER account. You may IGNORE the message:

    "%UAF-E-GRANTERR, unable to grant identifier NET$DECLAREOBJECT to
    DCE$SERVER-SYSTEM-F-DUPIDENT, duplicate identifier"

    if it should occur.

    Press return to Continue

    %UAF-E-GRANTERR, unable to grant identifier NET$DECLAREOBJECT to DCE$SERVER
    -SYSTEM-F-DUPIDENT, duplicate identifier

Installing Language Sensitive Editor (LSE) Templates for IDL

If you are installing DCE on a cluster on which the Language Sensitive Editor (LSE) is installed, the system or the user must have a license to run LSE in order for DCE to install the LSE templates for the Interface Definition Language (IDL) compiler. Type YES to the following question if you have a license to run LSE.

    Load the Language-Sensitive Editor (LSE) templates for IDL? [Y]: NO

    NOTE: Please add the following to your system's SYS$MANAGER:SYLOGIN.COM.
    These files define foreign commands for using DCE on OpenVMS.

    $ @SYS$MANAGER:DCE$DEFINE_REQUIRED_COMMANDS.COM
    $ @SYS$COMMON:[DCE$LIBRARY]DCE$DEFINE_OPTIONAL_COMMANDS.COM

Selecting a TCP/IP Product

You are now asked to update SYS$STARTUP:SYSTARTUP_VMS.COM and choose a TCP/IP product.

    Please add the following command to SYS$STARTUP:SYSTARTUP_VMS.COM on
    your system. This ensures that DCE$STARTUP.COM is executed at system
    boot. The parameters supplied to DCE$STARTUP.COM depend on the specific
    TCP/IP product you intend to use. You will now be asked to select the
    name of this TCP/IP product, and the installation will supply you with
    the correct command for SYS$STARTUP:SYSTARTUP_VMS.COM.
    TCP/IP product                           Keyword
    Compaq's TCP/IP Services for OpenVMS     UCX
    Multinet from TGV                        MULTINET
    Pathway from Wollongong                  PATHWAY
    TCPware from Process Software            TCPWARE
    No TCP/IP Available at this time         NONE

    Enter one of the keywords from the table above [UCX]:

See the release notes for more information on UCX, MultiNet, Pathway, and TCPware.

    Enter $ @SYS$STARTUP:DCE$STARTUP in your SYS$STARTUP:SYSTARTUP_VMS.COM

    %DCE-W-INSTALL, Please increase the sysgen parameter GBLPAGES to 118171
    %DCE-S-INSTALL, Installation of OpenVMS DCE V3.0 completed

2.4 Installing on a VMScluster

On a VMScluster with a common system disk, you need only install Compaq DCE once. After the initial installation, ensure that a separate license is registered and loaded on each cluster member that you plan to use for DCE services.

If you are installing DCE for OpenVMS over an existing version of DCE on a common system disk in a VMScluster environment, be sure to shut down DCE on all nodes that share the common system disk before the installation.

________________________ Note ________________________
You must configure each node separately.
______________________________________________________

To configure each node separately, enter the following command on each node:

    $ @SYS$MANAGER:DCE$SETUP.COM CONFIG

If you are installing Compaq DCE on a VMScluster that does not have a common system disk, you must install the software on each node and configure each node that you plan to use for DCE services.

3
_________________________________________________________________
Postinstallation Procedures

This chapter describes postinstallation steps that you need to take and lists ways to recover from errors that you encounter during the installation.

3.1 Postinstallation Tasks

After the installation is completed successfully, note the following.

1. DCE Version 3.0 provides support for the RPC runtime environment and RPC applications (which are not dependent on DCE services) to remain active when DCE is shut down. This requires the use of separate startup files: SYS$STARTUP:DCE$RPC_STARTUP.COM and SYS$STARTUP:DCE$STARTUP.COM.

   On OpenVMS VAX and Alpha Version 7.2 and higher, the RPC runtime environment files are shipped with the operating system. When installing DCE Version 3.0 on OpenVMS VAX and Alpha Version 6.2 through 7.1, DCE provides the RPC runtime environment files. On OpenVMS Version 7.2 and higher, the DCE installation may update the RPC files provided by the system if the DCE installation files are more recent.

   If you want all of the configured DCE services to start with the system startup, add the following line to SYS$MANAGER:SYSTARTUP_VMS.COM after the startup commands for the network transports, DECnet, and/or Compaq TCP/IP services:

       $ @SYS$STARTUP:DCE$STARTUP.COM

   If you want only the RPC runtime environment to start with the system startup, add the following line to SYS$MANAGER:SYSTARTUP_VMS.COM:

       $ @SYS$STARTUP:DCE$RPC_STARTUP.COM

   It is not necessary to run both procedures. Invoking DCE$STARTUP.COM will first start the RPC Runtime, then the DCE services. See Chapter 4 for more information about configuring DCE.

2. Depending on your choice for system startup, add the following commands to SYS$MANAGER:SYSHUTDWN.COM before the shutdown commands for the network transports, DECnet, and/or DEC TCP/IP services:

   o  If you have configured DCE services on your system:

          $ @SYS$STARTUP:DCE$SHUTDOWN.COM

   o  If you have the RPC runtime environment only:

          $ @SYS$STARTUP:DCE$RPC_SHUTDOWN.COM NOCONFIRM

   If DCE$SHUTDOWN.COM is added to the system shutdown file, it will prompt you for a password before shutting down DCE. This will delay the shutdown until the password is specified.

3. Configure this node by entering the following command:

       $ @SYS$MANAGER:DCE$SETUP CONFIG

   You must configure the DCE services before you can use them. See Chapter 5 for more information about configuring DCE.

4. If you are running DCE server applications that are listening over the DECnet Phase IV (ncacn_dnet_nsp) protocol or the DECnet/OSI (ncacn_dnet_nsp) protocol, you must grant the NET$DECLAREOBJECT rights identifier to those processes from which the server runs.

5. Define foreign commands. There are two foreign command definition files: one file contains required commands and the other file is optional.

   Add the following line to the file SYS$MANAGER:SYLOGIN.COM:

       $ @SYS$MANAGER:DCE$DEFINE_REQUIRED_COMMANDS.COM

   DCE$DEFINE_REQUIRED_COMMANDS.COM, the required command definition file, defines the following foreign commands:

   o  acl_edit, which invokes the ACL editor (Security)
   o  cdscp, which invokes the CDS control program
   o  chpass, which invokes the DCE change password utility
   o  dce$uaf, which invokes the DCE Integrated Login User Authorization File utility
   o  dtscp, which invokes the DTS control program
   o  dce$export, which invokes the DCE Integrated Login EXPORT utility
   o  dce$import, which invokes the DCE Integrated Login IMPORT utility
   o  dce_config, which invokes the DCE configuration utility
   o  dce_setup, which invokes the DCE configuration utility
   o  dcecp, which invokes the DCE control program
   o  dtscp, which invokes the DCE Time Control program
   o  dce_login, which validates a principal's identity and obtains network credentials (Security)
   o  kdestroy, which destroys a principal's login context (Security)
   o  kinit, which obtains a ticket-granting ticket (Security)
   o  klist, which lists tickets (Security)
   o  rgy_edit, which invokes the registry database editor (Security)
   o  rpccp, which invokes the RPC Control Program
   o  sec_admin, which invokes the DCE Security Administration utility
   If you choose not to execute this command definition file, you cannot use any of the previous programs and commands.

   DCE$DEFINE_OPTIONAL_COMMANDS.COM, the optional command definition file, is installed with the Application Development kit and defines the following foreign commands:

   o  idl, which invokes the IDL compiler
   o  rpclm, which invokes the RPC Log Manager
   o  uuidgen, which invokes the UUID generator utility

   By default, these utilities use DCL-style interfaces. If you execute the optional foreign commands file, you have access to the version of these utilities that uses the universal interface. There are three possible actions that you can take:

   o  Define the universal interface for all users on your system to ensure that the same interface is available to users across operating system platforms. Note that all examples that document these four utilities use the universal interface. Include the following line in the file SYS$MANAGER:SYLOGIN.COM:

          $ @SYS$COMMON:[DCE$LIBRARY]DCE$DEFINE_OPTIONAL_COMMANDS.COM

   o  Give users access to only the DCL-style interface. In this case, you do not need to take any action.

   o  Make the DCL-style interface available to some users, but allow others access to the universal interface. Do not define the optional commands in SYLOGIN.COM. Tell users who want to use the universal interface to include the following line in their account's LOGIN.COM procedure:

          $ @SYS$COMMON:[DCE$LIBRARY]DCE$DEFINE_OPTIONAL_COMMANDS.COM

6. If you are installing DCE on a VMScluster, you must take the following steps:

   a. Ensure that a license is registered and loaded on each node in the cluster from which users plan to use DCE. (If you are installing only the Compaq DCE Runtime Services Kit, you already have a right to use the DCE Runtime Services Kit.
      This right was granted with the OpenVMS operating system license.)

   b. Configure each node in the cluster from which users plan to use DCE by entering the following command:

          $ @SYS$MANAGER:DCE$SETUP CONFIG

3.2 Installation Error Recovery

The following list describes errors that you may encounter during installation and provides suggestions about how to recover from those errors:

o  You try to install the OpenVMS VAX kit on an OpenVMS Alpha system (or vice versa). Reinstall with the correct kit.

o  The system does not have the required version of OpenVMS installed. Upgrade the operating system to at least the minimum required version and restart the installation procedure.

o  You run out of disk space. Either clean up your disk or install less of the kit.

o  If you plan to run DCE applications by IP, you must have UCX Version 4.2 installed. Install the correct version of UCX. The installation procedure checks for the prerequisites.

o  No network transports were found. You must install and configure DECnet, UCX, or both before running any DCE applications.

o  SYS$SYSTEM:RIGHTSLIST.DAT does not exist on this system. RUN AUTHORIZE and then issue the CREATE/RIGHTS command. RIGHTSLIST.DAT is created for you.

o  Invalid UIC. Find and enter the correct UIC in the correct format.

4
_________________________________________________________________
Configuring a DCE Cell

This chapter describes the steps necessary to set up a DCE cell, and the DCE system configuration utility for Compaq DCE for OpenVMS VAX and OpenVMS Alpha. Note that DCE must be configured.

4.1 Overview of the DCE Cell

A cell is the basic DCE unit. It is a group of networked systems and resources that share common DCE services. Usually, the systems in a cell are in the same geographic area, but cell boundaries are not limited by geography. A cell can contain from one to several thousand systems.
The boundaries of a cell are typically determined by its purpose, as well as by security, administrative, and performance considerations. A DCE cell is a group of systems that share a namespace under a common administration.

The configuration procedure allows you to configure your system as a DCE client, create a new DCE cell, add a master Cell Directory Service (CDS) server, add a replica CDS server, and add a Distributed Time Service (DTS) local server. When you create a new cell, you automatically configure a Security server.

You do not need to create a DCE cell if you are using only the DCE Remote Procedure Call (RPC) and if your applications use only explicit RPC string bindings to provide the binding information that connects server to clients.

If there are other systems in your network already using DCE services, it is possible there may be an existing cell that your system can join. If you are not sure, consult your network administrator to find out which DCE services may already be in use in your network.

At a minimum, a cell configuration includes the DCE Cell Directory Service, the DCE Security Service, and the DCE Distributed Time Service. One system in the cell must provide a DCE Directory Service server to store the cell namespace database. You can choose to install both the Cell Directory Server and the Security Server on the system from which you invoked the procedure, or you can split the two servers and put them on different systems.

________________________ Note ________________________
You must run the installation and configuration procedures on the system where you are creating a cell before you install and configure DCE on the systems that are joining the cell.
______________________________________________________

4.1.1 Creating a Cell

All DCE systems participate in a cell.
If you are installing DCE and there is no cell to join, the first system on which you install the software is also the system on which you create the cell. Remember that this system is also the DCE Security Server. You can also make this system your Cell Directory Server.

When you create a cell, you must name it. The cell name must be unique across your global network. The name is used by all cell members to indicate the cell in which they participate. The configuration procedure provides a default name that is unique and is easy to remember. If you choose a name other than the default, the name must be unique. If you want to ensure that separate cells can communicate, the cell name must follow BIND or X.500 naming conventions.

4.1.2 Joining a Cell

Once the first DCE system is installed and configured and a cell is created, you can install and configure the systems that join that cell. During configuration, you need the name of the cell you are joining. Ask your network administrator for the cell name.

4.1.3 Defining a Cell Name

You need to define a name for your DCE cell that is unique in your global network and is the same on all systems that participate in this cell. The DCE naming environment supports two kinds of names: global names and local names. All entries in the DCE Directory Service have a global name that is universally meaningful and usable from anywhere in the DCE naming environment. All Directory Service entries also have a cell-relative name that is meaningful and usable only from within the cell in which that entry exists.

If you plan to connect this cell to other DCE cells in your network either now or in the future, it is important that you choose an appropriate name for this cell. You cannot change the name of the cell once the cell has been created.
If you are not sure how to choose an appropriate name for your DCE cell, consult Chapter 9 of the Compaq DCE for OpenVMS VAX and OpenVMS Alpha Product Guide, or the section on global names in the OSF DCE Administration Guide - Introduction.

Before you can register the cell in X.500, you must ensure that the Compaq X.500 Directory Service kit is installed on your CDS server.

Compaq recommends that you use the following convention to create DCE cell names: the Internet name of your host system followed by the suffix -cell, followed by the Internet address of your organization. For example, if the Internet name of your system is myhost, and the Internet address of your organization is smallco.bigcompany.com, your cell name, in DCE syntax, would be myhost-cell.smallco.bigcompany.com.

This convention has the following benefits:

o  The Internet name of your host is unique in your network, so if all DCE users in your network follow this convention, your cell name will also be unique.

o  It clearly identifies the system on which the writable copy of the root directory of the cell namespace is located.

o  It does not prohibit intercell communication with outside organizations.

o  It is easy to remember.

If there is already a cell name defined in a previously existing DCE system configuration, do not change it unless you are removing this system from the cell in which it is currently a member and you are joining a different cell.

When the configuration procedure prompts you for the name of your DCE cell, type the cell name without the /.../ prefix; the prefix is added automatically. For example, if the full global name selected for the cell, in DCE name syntax, is /.../myhost-cell.smallco.bigcompany.com, enter myhost-cell.smallco.bigcompany.com.

4.1.4 Defining a Host Name

You need to define a name for your system that is unique within your DCE cell.
You should use the default host name, which is the Internet host name (the name specified before the first dot (.)). The following example shows the default host name derived from the Internet name of myhost.mycompany.com.

    Please enter your DCE host name [myhost]:

4.1.5 Intercell Naming Using DNS

This section provides tips on defining a cell name in the Domain Name System (DNS). Names in DNS are associated with one or more data structures called resource records. The resource records define cells and are stored in a data file. For TCP/IP Services for OpenVMS, this file is called SYS$SPECIFIC:[TCPIP$BIND].DB. If you are using a UNIX DNS Bind server, it is called /etc/namedb/hosts.db. To create a cell entry, you must edit the data file and create two resource records for each CDS server that maintains a replica of the cell namespace root.

The following example shows a cell called ruby.axpnio.dec.com. The cell belongs to the BIND domain axpnio.dec.com. Host alo010.axpnio.dec.com is the master CDS server for the ruby.axpnio.dec.com cell. The BIND server must be authoritative for the domains of the cell name. The BIND master server requires the following entries in its data file:

    alo010.axpnio.dec.com   IN  A    25.0.0.149
    ruby.axpnio.dec.com     IN  MX   1 alo010.axpnio.dec.com
    ruby.axpnio.dec.com     IN  TXT  "1 c8f5f807-487c-11cc-b499-08002b32b0ee
    Master /.../ruby.axpnio.dec.com/alo010_ch c84946a6-487c-11cc-b499-08002b32b0ee
    alo010.axpnio.dec.com"

________________________ Note ________________________
TXT records must span only one line. The third entry above incorrectly occupies three lines to show the information included in the TXT record. You need to do whatever is required with your text editor of choice to ensure this. Widening your window helps. You should also ensure that the quotes are placed correctly and that the host name is at the end of the record.
______________________________________________________
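The single-line, quoting and host-name requirements for the cell records can be checked mechanically before the BIND server is restarted. The following is an added example, not part of the Compaq guide or of DCE; the function names are hypothetical, and the six-field TXT layout and the rule that the clearinghouse name sits under /.../<cell>/ are assumptions read off the sample record.

```python
import re

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def parse_records(lines):
    """Split data-file lines into (owner, type, rdata, lineno) tuples.

    Handles only the "owner IN type rdata" layout of the guide's sample.
    A line that does not fit is returned with type None so it can be reported.
    """
    records = []
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[1].upper() == "IN":
            owner = parts[0].rstrip(".").lower()
            records.append((owner, parts[2].upper(), parts[3], lineno))
        else:
            records.append((None, None, line, lineno))
    return records


def check_cell(lines, cell):
    """Return a list of problems with the records for `cell` (empty = OK)."""
    cell = cell.rstrip(".").lower()
    records = parse_records(lines)
    a_owners = {owner for owner, rtype, _, _ in records if rtype == "A"}
    mx_hosts, txt, problems = set(), [], []
    for owner, rtype, rdata, lineno in records:
        if rtype is None:
            problems.append(f"line {lineno}: not a complete record "
                            "(TXT record split across lines?)")
        elif owner == cell and rtype == "MX":
            mx_hosts.add(rdata.split()[-1].rstrip(".").lower())
        elif owner == cell and rtype == "TXT":
            txt.append((rdata, lineno))
    if not txt:
        problems.append(f"no TXT record for {cell}")
    for rdata, lineno in txt:
        quoted = rdata.startswith('"') and rdata.endswith('"')
        if not quoted or rdata.count('"') != 2:
            problems.append(f"line {lineno}: TXT data must be one quoted "
                            "string on a single line")
            continue
        fields = rdata[1:-1].split()
        if len(fields) != 6:          # assumption: field count of the sample
            problems.append(f"line {lineno}: expected 6 fields in TXT data, "
                            f"found {len(fields)}")
            continue
        _ver, first_uuid, _role, ch_name, second_uuid, host = fields
        host = host.rstrip(".").lower()
        for value in (first_uuid, second_uuid):
            if not UUID_RE.match(value):
                problems.append(f"line {lineno}: {value!r} is not a UUID")
        # Assumption: the clearinghouse name lives under the cell's global name.
        if not ch_name.lower().startswith(f"/.../{cell}/"):
            problems.append(f"line {lineno}: clearinghouse name {ch_name} "
                            f"is not under /.../{cell}/")
        if host not in a_owners:      # host name must be last and resolvable
            problems.append(f"line {lineno}: no A record for {host}")
        if host not in mx_hosts:
            problems.append(f"line {lineno}: no MX record for {cell} "
                            f"naming {host}")
    return problems


# Records from the guide's sample, with the TXT data joined onto one line.
A_REC = "alo010.axpnio.dec.com IN A 25.0.0.149"
MX_REC = "ruby.axpnio.dec.com IN MX 1 alo010.axpnio.dec.com"
TXT_BODY = ("1 c8f5f807-487c-11cc-b499-08002b32b0ee Master "
            "/.../ruby.axpnio.dec.com/alo010_ch "
            "c84946a6-487c-11cc-b499-08002b32b0ee alo010.axpnio.dec.com")
GOOD = [A_REC, MX_REC, f'ruby.axpnio.dec.com IN TXT "{TXT_BODY}"']

# Constructed broken variants: the TXT record left on three lines, and a
# mistyped cell name inside the clearinghouse path.
SPLIT = [A_REC, MX_REC,
         'ruby.axpnio.dec.com IN TXT "1 c8f5f807-487c-11cc-b499-08002b32b0ee',
         "Master /.../ruby.axpnio.dec.com/alo010_ch "
         "c84946a6-487c-11cc-b499-08002b32b0ee",
         'alo010.axpnio.dec.com"']
TYPO = [A_REC, MX_REC,
        GOOD[2].replace("/.../ruby.axpnio", "/.../ruby.azpnio")]

if __name__ == "__main__":
    for name, data in (("good", GOOD), ("split", SPLIT), ("typo", TYPO)):
        print(name, check_cell(data, "ruby.axpnio.dec.com") or "OK")
```
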
The information to the right of the TXT column in the Hesiod Text Entry (that is, 1 c8f5f807-48...) comes directly from the cdscp show cell /.: as dns command. For example, to obtain the information that goes in the ruby.axpnio.dec.com text record (TXT), you would go to a host in the ruby cell, and enter the cdscp show cell /.: as dns command. Then, when the system displays the requested information, cut and paste this information into the record. This method ensures that you do not have any typing errors.

To ensure that the records that you have entered are valid, restart the DNS Bind server process.

4.1.6 Intercell Naming Using LDAP/X.500

This section provides tips on defining a cell name in LDAP/X500.

The cells that will communicate using intercell must be part of the same LDAP/X500 namespace. This is true only if they share a common root in the namespace tree. For example, the cells /c=us/o=compaq/ou=laser-cell and /c=us/o=compaq/ou=ruby-cell share the root /c=us/o=compaq, and would be able to participate in intercell communications.

If your cell is part of an X.500 namespace, answer Yes to the question "Do you want to register the DCE cell in X.500?". If your cell is part of an LDAP namespace, answer Yes to the question "Do you want to register the DCE cell in LDAP?".

Additional information about Intercell operations can be found in Chapter 9 of the Compaq DCE for OpenVMS VAX and OpenVMS Alpha Product Guide.

4.2 The DCE System Configuration Utility - DCE$SETUP.COM

The DCE$SETUP command procedure begins the configuration process. Many of the system configuration utility prompts have default values associated with them. The default responses are based on your existing configuration, if you have one. Otherwise, default values for the most common DCE system configurations are provided.
At each prompt, press RETURN to take the default displayed in brackets, type a question mark (?) for help, or supply the requested information.

The system configuration utility sets up the DCE environment on your node so that you can use DCE services. The system configuration utility leads you through the process of creating or joining a cell.

________________________ Note ________________________
If you are installing Compaq DCE for OpenVMS VAX or OpenVMS Alpha Version 3.0 over a previous version of DCE, you do not have to reconfigure DCE after the installation. Before the installation, stop the DCE daemons with the following command:

    $ @SYS$MANAGER:DCE$SETUP CLEAN

Then, after the installation, enter the following command:

    $ @SYS$MANAGER:DCE$SETUP START

You must configure if you are installing DCE for the first time or reconfigure if you are installing a new version over DCE Version 1.0.
______________________________________________________

If you are installing DCE over an existing Compaq DCE for OpenVMS VAX or OpenVMS Alpha, perform the following steps:

1. Stop the DCE daemons with the following command:

       $ @SYS$MANAGER:DCE$SETUP CLEAN

2. If installing DCE over version 1.5 of Compaq DCE for OpenVMS VAX or OpenVMS Alpha, also perform the following step to stop the RPC daemon:

       $ @SYS$MANAGER:DCE$RPC_SHUTDOWN

3. After the installation, enter the following command:

       $ @SYS$MANAGER:DCE$SETUP START

4.2.1 Configuring LDAP, NSI, and GDA

The Lightweight Directory Access Protocol (LDAP) provides access to the X.500 directory services without the overhead of the full Directory Access Protocol (DAP). The simplicity of LDAP, along with the powerful capabilities it inherits from DAP, makes it the de facto standard for Internet directory services and for TCP/IP.
Inside a cell, a directory service is accessed mostly through the name service interface (NSI) implemented as part of the run-time library. Cross-cell directory service is controlled by a global directory agent (GDA), which looks up foreign cell information on behalf of the application in either the Domain Naming Service (DNS) or X.500 database. Once that information is obtained, the application contacts the foreign CDS in the same way as the local CDS.

Once LDAP is configured, applications can request directory services from either CDS or LDAP or both. LDAP is provided as an optional directory service that is independent of CDS and duplicates CDS functionality. LDAP is for customers looking for an alternative to CDS that offers TCP/IP and Internet support.

With LDAP directory service available, GDA can look up foreign cell information by communicating through LDAP to either an LDAP-aware X.500 directory service or a standalone LDAP directory service, in addition to DNS and DAP.

Note that DCE for OpenVMS provides its own client implementation of LDAP.

Prior to installing DCE, a DCE administrator must obtain LDAP server software and install it as an LDAP server in the environment. Next, a DCE administrator must choose LDAP during the DCE installation and configuration procedure and intentionally configure LDAP directory service for a cell.

4.2.2 Kerberos 5 Security

The DCE authentication service is based on Kerberos 5. The Kerberos Key Distribution Center (KDC) is part of the DCE Security Server secd. The authorization information that is created by the DCE for OpenVMS privilege server is passed in the Kerberos 5 ticket's authorization field.

DCE provides a Kerberos configuration program (DCE$KCFG.EXE) to assist in the interoperability between DCE Kerberos and standard Kerberos.
To find out more information about the kcfg program, use the following two commands.

To display individual command switches and their arguments enter:

    kcfg -?

To display a short description of the command and what it does enter:

    kcfg -h

This provides information on the configuration file management, principal registration, and service configuration.

________________________ Note ________________________
The dcesetup configuration script sets all tickets as forwardable, a default value. If tickets are not set as forwardable, the Kerberos Distribution Center (KDC) server does not provide authentication and authorization information to the telnet process. The command, kinit -f, marks tickets as forwardable.
______________________________________________________

All machines within a cell that plan to use Kerberos-enabled tools need to check and possibly modify the registry and the krb5 configuration with the kcfg executable.

To make sure that Kerberos Version 4 interoperates with Kerberos Version 5, an administrator can use the kcfg -k command to change krb.conf entries. This command needs to be entered on each machine in the cell.

The registry must contain a principal entry that describes the host machine of the KDC server. This principal entry is of the form host/. The principal and the associated keytable entry can be created with kcfg -p. This verifies that the host entry exists; if not, it creates the host entry.

4.2.3 Starting the System Configuration Utility

You must be logged in as a privileged user. The SHOW command requires only NETMBX and TMPMBX privileges. All other commands require WORLD, SYSPRV, CMKRNL, and SYSNAM privileges. The CONFIG command requires BYPASS privileges.

You can use the same command to perform an initial configuration or to reconfigure DCE. See the Appendix for several sample configurations.
To start the system configuration utility, at the DCL prompt enter the following command:

    $ @SYS$MANAGER:DCE$SETUP

The DCE System Management Main Menu appears:

              DCE System Management Main Menu
                DCE for OpenVMS Alpha V3.0

     1)  Configure    Configure DCE services on this system
     2)  Show         Show DCE configuration and active daemons
     3)  Stop         Terminate all active DCE daemons
     4)  Start        Start all DCE daemons
     5)  Restart      Terminate and restart all DCE daemons
     6)  Clean        Terminate all active DCE daemons and remove
                      all temporary local DCE databases
     7)  Clobber      Terminate all active DCE daemons and remove
                      all permanent local DCE databases
     8)  Test         Run Configuration Verification Program
     0)  Exit         Exit this procedure
     ?)  Help         Display helpful information

    Please enter your selection:

Enter 1 to view the DCE Configuration Menu.

To skip the previous menu and go directly to the DCE Configuration Menu, enter the following command:

    $ @SYS$MANAGER:DCE$SETUP CONFIG

For information on how to configure a DCE cell or how to add a client, see Chapter 5. For information on modifying an existing configuration, see Chapter 6.

5
_________________________________________________________________
Configuring DCE

This chapter explains how to create a cell and configure the Security server and CDS server on the same system. It also discusses how to configure a client system into an existing DCE cell.

5.1 DCE System Management Command Procedure

In DCE for OpenVMS Version 3.0, the DCE system management command procedure SYS$MANAGER:DCE$SETUP.COM has been changed. These changes are described in the following sections.

An RPC only configuration can be started with the startup command procedure described in the next section.

DCE$SETUP stops RPCD during configuration. In DCE for OpenVMS Version 1.5, DCE$SETUP was modified not to stop RPCD.
Changes in the DCE daemons required reverting to the previous behavior. DCE$SETUP.COM has been rewritten to add the new functionality for DCE R1.2.2, and to more closely match the configuration program for DCE for Tru64 UNIX. 5.1.1 Starting and Stopping the RPC Daemon The RPC daemon can be started and stopped with the command files DCE$RPC_STARTUP.COM and DCE$RPC_SHUTDOWN.COM. These files are located in SYS$COMMON:[SYSMGR]. To start the RPC daemon, execute DCE$RPC_STARTUP.COM. You can specify the following option: [NO]CONFIRM Turns user prompting on or off. CONFIRM is the default. To stop the RPC daemon, execute DCE$RPC_SHUTDOWN.COM. You can specify the following options in any order: Configuring DCE 5-1 Configuring DCE 5.1 DCE System Management Command Procedure [NO]CONFIRM Turns user prompting on or off. CONFIRM is the default. CLEAN Deletes all entries from the RPC endpoint database. ________________________ Note ________________________ Do not stop the RPC daemons if any RPC applications are running on the system. ______________________________________________________ 5.1.2 Limiting RPC Transports The RPC daemon can limit the protocols used by RPC applications. To restrict the protocols that can be used, set a logical name RPC_SUPPORTED_PROTSEQS to contain the valid protocols separated by a colon. Valid protocols are ncadg_ip_udp, ncacn_ip_tcp, and ncacn_dnet_nsp. For example: $ DEFINE RPC_SUPPORTED_PROTSEQS "ncadg_ip_udp:ncacn_ip_tcp" This prevents applications and servers from registering endpoints that utilize DECnet. 5.1.3 Logical Names Created During Configuration The configuration process creates the following logical names: ___________________________________________________________ Logical_Name__________Description__________________________ DCE Defines a search list pointing to directories SYS$COMMON:[DCE$LIBRARY] and SYS$LIBRARY. These directories contain the Application Developer's Kit include files and other files for creating DCE applications. 
DCE$COMMON,           Points to the directory
DCE_COMMON            SYS$COMMON:[DCELOCAL]. This directory
                      holds DCE-specific files common to all
                      DCE hosts in a cluster.
DCE$LOCAL,            Points to the directory DCE$SPECIFIC:.
DCE_LOCAL             This directory defines the top of the DCE
                      directory hierarchy.
DCE$SPECIFIC          Points to the directory
                      SYS$SPECIFIC:[DCELOCAL]. This directory
                      is for internal use only.
DCE$SYSROOT           Points to the directories DCE$SPECIFIC:,
                      DCE$COMMON:. This logical is used to find
                      DCE files that may be in either
                      system-specific or cluster-general trees.
TCL_LIBRARY           Points to the directory DCE_COMMON/TCL
                      (UNIX file syntax). This directory holds
                      files that allow the TCL interface to the
                      DCE command line programs to function.
___________________________________________________________

The logical names with a dollar sign in them define VMS style directory syntax. The logical names with underscores in them define UNIX style directory syntax (for use by various DCE internal applications).

5.1.4 Configuring on a VMScluster

You must configure each node in a VMScluster separately by entering the following command on each node:

    $ @SYS$MANAGER:DCE$SETUP CONFIG

5.2 Overview of New Cell Configuration

To configure a new cell, you must complete the following steps:

1. To begin your initial cell creation and server configuration, invoke the DCE configuration utility.

2. If you are creating a new cell or adding a CDS server, choose option 6 (Terminate all active DCE daemons and remove all temporary local DCE databases) to stop the DCE daemons in a controlled manner. Be sure to back up your security and CDS databases before proceeding if this has not been done.

3. Choose option 1 from the DCE Setup Main Menu to configure DCE services on your system.
   You must have system privileges to modify the DCE system configuration. The procedure displays the following menu:

                    DCE Configuration Menu
                  DCE for OpenVMS Alpha V3.0

     1)  Client       Configure this system as a DCE client
     2)  New Cell     Create a new DCE cell
     3)  CDS Server   Add Master CDS Server
     4)  Modify       Modify DCE cell configuration
     5)  RPC_Only     Configure this system for RPC only
     0)  Exit         Exit this procedure
     ?)  Help         Display helpful information

    Please enter your selection:

   Table 5-1 provides descriptions of the options available on the DCE Configuration Menu.

Table 5-1 Configuration Menu Options
___________________________________________________________
Option      Description
___________________________________________________________
Client      Provides full DCE RPC services, client services
            for CDS and Security, and optional time
            services. A DCE client system must join an
            existing DCE cell with a security registry and
            a CDS master server available on other systems
            in the cell.
New Cell    Provides full DCE RPC services, a security
            registry server for the cell, a CDS master
            server, a DTS server, and the NSI agent for
            name service independent access to directory
            services from PC client systems. There can be
            only one security registry and CDS master
            server in a cell, although they need not reside
            on the same host.
CDS Server  Provides a DCE client system with a CDS master
            server added. This option is used if a split
            server configuration is desired, and the new
            cell (on another system) was configured without
            a CDS master server.
Modify      Provides a submenu of additional configuration
            options that are available after the initial
            configuration has completed.
RPC_Only    Provides a subset of the DCE RPC services.
            If DCE Version 3.0 is installed on an OpenVMS
            Alpha system running Version 7.2-1 or higher,
            NTLM security may be utilized for authenticated
            RPC requests. With an RPC only configuration,
            there are no RPC name service interface
            routines available. This configuration will,
            however, allow applications to communicate if
            full string bindings are supplied by the RPC
            client, or if the client requests the port
            number to complete the partial string binding
            from the end point mapper (DCED daemon).
___________________________________________________________

4. Choose option 2 to create a new DCE cell.

5. At each prompt, you can press RETURN to take the default displayed in brackets or enter a question mark (?) for help. When prompted, select a cell name and a host name; the name is used again when you configure DCE client systems.

6. The configuration utility asks if you want to configure the host as a CDS server. Answer Y to configure the CDS and security servers on the same system. Answer N to perform a split server installation in which you configure the security server on the current host and the CDS server on a different host.

7. If you answered Y to configure the CDS and security servers on the same system, the utility asks:

       Will there be any DCE pre-R1.1 CDS servers in this cell? (YES/NO/?) [N]:

   If your cell will be running any CDS servers based on OSF DCE Release 1.0.3a or lower (equivalent to Compaq DCE for OpenVMS Version 1.5 or lower), you should answer Y. The configuration utility sets the directory version number to 3.0 for compatibility with pre-R1.1 servers. This setting disables the use of OSF DCE Release 1.1 features such as alias cells, CDS delegation ACLs, and so on.

   If all CDS servers in your cell will be based on Compaq DCE for OpenVMS Version 3.0 (or higher) and based on OSF DCE Release 1.1 (or higher), answer N.
   The configuration utility sets the directory version number to 4.0 for compatibility with Compaq DCE for OpenVMS Version 3.0 CDS servers (OSF DCE Release 1.2.2). This enables the use of OSF DCE Release 1.1 features such as alias cells, CDS delegation ACLs, and so on, and OSF DCE Release 1.2.2 features. Once the directory version is set to 4.0, you cannot set it back to 3.0.

8. You are prompted to confirm the system time; it is important that you check the current time before you respond.

9. The configuration utility will prompt for the Domain Name and DNS server address.

10. If DECnet/OSI is installed on your system, the configuration utility displays the following message and then asks several questions about configuring a DCE Distributed Time Service server on your system.

        You seem to have DECnet/OSI installed on this system. DECnet/OSI
        includes a distributed time synchronization service (DECdts),
        which does not currently support the DCE Distributed Time Service
        (DCE DTS) functionality. The DCE DTS in this release provides full
        DECdts functionality. This installation will stop DECdts and use
        DCE DTS instead. For further clarification, please consult the
        Compaq DCE for OpenVMS VAX and OpenVMS Alpha Product Guide.

        Even though DCE DTS will be used, it is possible to accept time
        from DECdts servers.

        Should this node accept time from DECdts servers? (YES/NO/?) [N]:

        Do you want this system to be a DTS Server (YES/NO/?) [Y]:

        Do you want this system to be a DTS Global Server (YES/NO/?) [N]:

        Does this cell use multiple LANs? (YES/NO/?) [N]:

    Answer the questions appropriately.

11. The configuration utility asks if you want to run the MIT Kerberos 5 services on this machine. A Y answer runs the configuration utility.

        Do you intend to run MIT Kerberos 5 services on this machine? (YES/NO/?) [N]

12. The configuration utility asks if you want to configure the LDAP name service on this system.
    A yes answer prompts the question, "Do you want to configure the system as an LDAP client?" and requires that you enter further information regarding LDAP services.

        Do you want to configure the LDAP name service? (YES/NO/?) [N]:

13. The configuration utility asks if you want to configure gdad to use LDAP. (gdad is the daemon for Global Directory Agent.)

        Do you want to configure gdad to use LDAP? (YES/NO/?) [N]:

14. Next, the screen displays your selections and asks whether to save them as your DCE system configuration. Answer Y.

15. All previous temporary and permanent DCE databases and configuration files are now removed prior to starting the new configuration.

16. The configuration utility asks you to enter some random keystrokes in order to supply a keyseed for the security server.

        **************************************************************
        * Starting the security server requires that you supply      *
        * a `keyseed.' When asked for a `keyseed,' type some         *
        * random, alphanumeric keystrokes, followed by RETURN.       *
        * (You won't be required to remember what you type.)         *
        **************************************************************

        Enter keyseed for initial database master key:

17. The configuration utility asks you to enter the password for the cell_admin account, and asks for confirmation.

        Please type new password for cell_admin (or `?' for help):
        Type again to confirm:

18. The DCE daemons are started and configuration information is set up. After the dts daemon is started, you are prompted to run the DCE Configuration Verification Program (CVP). Press RETURN to start the CVP.

19. To verify that all requested services are configured, choose option 2 (Show DCE configuration and active daemons) from the DCE Setup Main Menu. The screen displays all configured DCE services and active DCE daemons.

You have completed creating a cell.
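
The transport restriction from section 5.1.2 only holds if the value of RPC_SUPPORTED_PROTSEQS is well formed, and section 5.1.4 notes that every VMScluster node is configured separately. The following Python check is an added example, not part of the Compaq guide or of DCE; it audits the translations recorded from each node. The node names, sample values, the approved-transport policy, and the treatment of an undefined logical name as "unrestricted" are assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence

# Protocol sequences the guide lists as valid for RPC_SUPPORTED_PROTSEQS.
VALID_PROTSEQS = ("ncadg_ip_udp", "ncacn_ip_tcp", "ncacn_dnet_nsp")
# Assumed site policy: the two IP transports from the guide's DEFINE example,
# which leaves the DECnet transport (ncacn_dnet_nsp) disabled.
APPROVED = ("ncadg_ip_udp", "ncacn_ip_tcp")


@dataclass
class NodeAudit:
    node: str
    defined: bool
    allowed: List[str] = field(default_factory=list)   # transports RPC may use
    blocked: List[str] = field(default_factory=list)   # valid transports left out
    invalid: List[str] = field(default_factory=list)   # tokens that match nothing
    findings: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def audit_value(node: str, value: Optional[str],
                approved: Sequence[str] = APPROVED) -> NodeAudit:
    """Audit one node's translation of the logical name (None = not defined)."""
    audit = NodeAudit(node, defined=value is not None)
    if value is None:
        # Assumption of this example: no definition means no restriction.
        audit.allowed = list(VALID_PROTSEQS)
        audit.findings.append("logical name not defined, transports unrestricted")
    else:
        for token in value.split(":"):
            if token in VALID_PROTSEQS:
                if token in audit.allowed:
                    audit.findings.append(f"duplicate entry {token!r}")
                else:
                    audit.allowed.append(token)
                continue
            # Anything not spelled exactly as in the guide is reported for review.
            audit.invalid.append(token)
            if token.strip().lower() in VALID_PROTSEQS:
                hint = " (differs from a valid name only in case or spacing)"
            elif any(sep in token for sep in ", ;"):
                hint = " (entries must be separated by a colon)"
            else:
                hint = ""
            audit.findings.append(f"unrecognized entry {token!r}{hint}")
    audit.blocked = [p for p in VALID_PROTSEQS if p not in audit.allowed]
    for p in audit.allowed:
        if p not in approved:
            audit.findings.append(f"{p} is permitted but not approved")
    for p in approved:
        if p not in audit.allowed:
            audit.findings.append(f"{p} is approved but not enabled")
    return audit


def nodes_needing_action(values: Dict[str, Optional[str]]) -> List[str]:
    """Return the nodes whose value needs correcting, in name order."""
    return sorted(n for n, v in values.items() if not audit_value(n, v).ok)


# Constructed sample: one translation per cluster node, as an operator might
# record it from SHOW LOGICAL on each node. Node names are invented.
SAMPLE_VALUES = {
    "NODEA": "ncadg_ip_udp:ncacn_ip_tcp",                  # matches the guide
    "NODEB": "ncacn_ip_tcp:ncadg_ip_udp",                  # same set, other order
    "NODEC": "ncadg_ip_udp:ncacn_ip_tcp:ncacn_dnet_nsp",   # DECnet left enabled
    "NODED": "ncadg_ip_udp,ncacn_ip_tcp",                  # comma instead of colon
    "NODEE": None,                                         # never defined
}

if __name__ == "__main__":
    for name, raw in SAMPLE_VALUES.items():
        result = audit_value(name, raw)
        status = "OK" if result.ok else "REVIEW"
        print(f"{name}: {status} allowed={result.allowed} blocked={result.blocked}")
        for finding in result.findings:
            print(f"    - {finding}")
```
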
5.3 Configuring Your System as a DCE Client with Run-Time Services

If you want to add your system to an existing cell, choose option 1 (Configure this system as a DCE Client) from the Configuration Choice Menu. This option configures the run-time services subset on your system.

________________________ Note ________________________

During the initial DCE client configuration, the client software may have problems locating the Cell Directory Service server if the Internet protocol netmask for your client machine is not consistent with the netmask used by other machines operating on the same LAN segment. You might need to consult your network administrator to determine the correct value to use as a netmask on your network.

______________________________________________________

When you choose option 1, the procedure displays the following messages:

    Starting DCE client configuration . . .

    At each prompt, enter your response. You may enter RETURN for
    the default response, displayed in [brackets], or `?' for help.
    Entering a CONTROL-Z will terminate this configuration request.

    Press RETURN to continue . . .

    Removing temporary local DCE databases and configuration files
    Removing permanent local DCE databases and configuration files

    Starting client configuration

    Initializing RPC & Security Client Services daemon (DCE$DCED) . . .
    %RUN-S-PROC-ID, identification of created process is 2380A9A6
    Starting RPC & Security Client Services daemon (DCE$DCED) . . .
    %RUN-S-PROC-ID, identification of created process is 238110A8

The configuration utility asks whether to search the LAN for known cells within the broadcast range of your system.

    Would you like to search the LAN for known cells? (YES/NO/?) [Y]:

If you know the name of your DCE cell, answer N. As prompted, supply the name of your DCE cell, your DCE host name, and the host name of your cell's master CDS server.
You also need to specify whether your host can broadcast to the host where the master CDS server is installed.

Answer Y to see a list of available DCE cells. As prompted, supply your DCE host name. At the next prompt, supply the appropriate DCE cell name from the list.

    Gathering list of currently accessible cells (please wait)

    Please enter your DCE hostname [dcehost]:

    The following cells were discovered within broadcast range of this system:

    Buster-cell
    Kauai-cell
    Myhost-cell
    Tahoe-cell

    Please enter the name of your DCE cell [buster-cell]:

If you do not know the name of the cell you want to join, consult your network administrator. Do not add the /.../ prefix to the cell name; the procedure automatically adds it.

The prompt might contain a cell name that is the last configured cell name for this host or the first cell name from the alphabetical list of available cells.

If you enter a cell name that is not on the list of cell names, the procedure assumes you are performing a WAN configuration, and asks you whether the CDS server is located on the same LAN or subnet.

    Is the CDS Master Server within broadcast range (YES/NO/?) [N]:

After you enter your cell name, the procedure continues, displaying information similar to the following, but dependent on your configuration:

    Terminating RPC Services/Dce Security Client daemon (DCE$DCED) . . .
    *** RPC (DCED) shutdown successful ***
    Starting RPC & Security Client Services daemon (DCE$DCED) . . .
    %RUN-S-PROC-ID, identification of created process is 238110B0
    Starting CDS Name Service Advertiser daemon (DCE$CDSADVER) . . .
    %RUN-S-PROC-ID, identification of created process is 238110B1
    Starting CDS Name Service Client daemon (DCE$CDSCLERK) . . .
    %RUN-S-PROC-ID, identification of created process is 238110B2

    Could not find security master using dcecp registry show
    Attempting to locate security server
    Found security server
    Creating dce$local:[etc.security]pe_site.; file
    Checking local system time
    Looking for DTS servers in the LAN profile
    Looking for Global DTS servers in this cell
    Found DTS server

    The local system time is: Wed October 13 12:01:14 1999

    Is this time correct? (y/n):

Make sure you check that the correct time is displayed before you continue with the configuration. If the time is incorrect, answer N, and the procedure exits to the operating system to allow you to reset the system time. After you correct or verify the time, answer Y, and the procedure resumes.

If DECnet/OSI is installed on your system, the configuration utility displays the following message and then asks several questions about configuring a DCE Distributed Time Service server on your system.

    You seem to have DECnet/OSI installed on this system. DECnet/OSI
    includes a distributed time synchronization service (DECdts),
    which does not currently support the DCE Distributed Time Service
    (DCE DTS) functionality. The DCE DTS in this release provides full
    DECdts functionality. This installation will stop DECdts and use
    DCE DTS instead. For further clarification, please consult the
    Compaq DCE for OpenVMS VAX and OpenVMS Alpha Product Guide.

    Even though DCE DTS will be used, it is possible to accept time
    from DECdts servers.

    Should this node accept time from DECdts servers? (YES/NO/?) [N]:

Answer Y to accept time from any DECnet/OSI DECdts server; however, time from this source is unauthenticated. If you answer N, this system accepts time only from DCE time servers.
If DECnet/OSI is not installed on your system, the configuration utility omits the previous DECdts questions and instead asks:

    Do you need the Distributed Time Service (YES/NO/?) [Y]:

Answer Y to configure the host as a DTS client.

The configuration utility asks if you want to run the MIT Kerberos 5 services on this machine. An answer of Y runs the configuration utility.

    Do you intend to run MIT Kerberos 5 services on this machine? (YES/NO/?) [N]:

After you respond to the prompt, the procedure stops the CDS advertiser and clerk and asks you to perform a dce_login operation, as follows:

    Terminating CDS Name Service Advertiser daemon (DCE$CDSADVER) . . .
    Terminating CDS Name Service Client daemon (DCE$CDSCLERK) . . .

    Please enter the principal name to be used [cell_admin]:
    Please enter the password for principal "cell_admin" (or ? for help):

Obtain the password from your system administrator.

After you perform the dce_login operation, the procedure begins configuring the security client software. If this system was previously configured as a DCE client or your cell has another host with the same name, the configuration utility also displays a list of client principals that already exist for this system and asks whether to delete the principals. You must delete these principals to continue with the configuration.

    Configuring security client
    Creating Dce$Specific:[krb5]krb.conf

    The following principal(s) already exist under /hosts/dcehost/:
    /./buster-cell/hosts/dcehost/self

    Do you wish to delete these principals? (YES/NO/?) [Y]:

    Deleting client principals
    Creating ktab entry for client

    Terminating RPC & Security Client Services daemon (DCE$DCED) . . .
    Starting RPC & Security Client Services daemon (DCE$DCED) . . .
    %RUN-S-PROC-ID, identification of created process is 238110B3
    Starting sec_client service (please wait).
    This machine is now a security client.
    Press to continue . . .

    Configuring CDS client
    Creating the cds.conf file
    Starting CDS Name Service Advertiser daemon (DCE$CDSADVER) . . .
    %RUN-S-PROC-ID, identification of created process is 238110B4
    Starting CDS Name Service Client daemon (DCE$CDSCLERK) . . .
    %RUN-S-PROC-ID, identification of created process is 238110B5
    Testing access to CDS server (please wait).
    Logging in to DCE using principal "cell_admin" . . .
    Checking TCP/IP local host database address of "dcehost". Please wait . . .
    Configuring client host objects in cell namespace . . .
    Creating /.:/hosts/dcehost objects in name space
    Checking TCP/IP local host database for address of "dcehost". Please wait . . .

If your cell uses multiple LANs, you are prompted as follows:

    Please enter the name of your LAN [1.2.3]:

If your LAN has not been defined in the namespace, you are asked whether you want to define it. The configuration procedure then continues:

    This machine is now a CDS client.
    Stopping sec_client service...
    Starting sec_client service (please wait).
    Modifying acls on /.:/hosts/dcehost/config
        secval
        xattrschema
        srvrexec
        keytab
        keytab/self
        hostdata
        hostdata/dce_cf.db
        hostdata/cell_name
        hostdata/pe_site
        hostdata/cds_attributes
        hostdata/cds_globalnames
        hostdata/host_name
        hostdata/cell_aliases
        hostdata/post_processors
        hostdata/svc_routing
        hostdata/cds.conf
        hostdata/passwd_override
        hostdata/group_override
        hostdata/krb.conf
        srvrconf
    Logging in to DCE using principal "cell_admin" . . .

    Configuring DTS daemon as client (DCE$DTSD)
    Starting Distributed Time Service daemon (DCE$DTSD) . . .
    %RUN-S-PROC-ID, identification of created process is 238110B5
    This machine is now a DTS clerk.

    Do you want to run the DCE Configuration Verification Program? (YES/NO/?)
    [Y]:

The DCE Configuration Verification Program (CVP) exercises the components of DCE that are running in this cell. It requires approximately 1 to 2 minutes to run.

If you type y to run the CVP at this time, you see the following display:

    Executing DCE for OpenVMS Alpha V3.0 CVP (please wait)
    Copyright (c) Compaq Computer Corporation. 1999. All Rights Reserved.
    . . . . . . . . . . .
    DCE for OpenVMS Alpha V3.0 CVP completed successfully

When the procedure is completed, the DCE Setup Main Menu is displayed again.

5.4 Split Server Configuration (Adding a Master CDS Server)

This section discusses a split server installation in which a new cell and the master Security Server are created on one system and the master CDS Server is configured on another system. The master CDS Server maintains the master replica of the cell root directory.

A split server configuration has four phases:

   o Begin creating the new cell and master Security Server on one system.
   o Begin creating the master CDS Server on another system.
   o Complete creating the new cell and master Security Server on the first system.
   o Complete creating the master CDS Server on the second system.

5.4.1 Creating a New Cell and Master Security Server

This is the first phase of a split server configuration. Begin this phase by creating the new cell on the machine where the master security server will reside.

Choose option 2 (Create a new DCE cell) from the Configuration Choice Menu. Answer the prompts appropriately for the cell name and host name. Then answer N at the following prompt:

    Do you wish to configure myhost as a CDS server? (YES/NO/?)
    [Y]: N

Proceed through the rest of the configuration answering the remaining questions as shown in section 5.1, until you get to the following:

    *********************************************************************
    * This system has now been configured as a security server.         *
    * Since you chose not to configure this system as a CDS server,     *
    * you must now configure another system as the Master CDS Server    *
    * for this cell (Option 1 on the dcesetup Main Menu, Option 3 on    *
    * the Configuration Choice Menu.)                                   *
    *                                                                   *
    * When the Master CDS server has been installed and configured,     *
    * press the key to continue configuring this system.                *
    *********************************************************************

Go to the machine where you will configure the master CDS Server.

5.4.2 Creating a Master CDS Server on Another System

This is the second phase of a split server configuration. You must have created a new cell and begun configuring the security server on another machine.

Log on to the system on which you want to install the CDS master server, and choose option 3 (Add Master CDS Server) from the Configuration Choice Menu. Answer the following prompts:

    Please enter the name of your DCE cell []:
    Please enter your DCE hostname [myhost2]:

The procedure asks:

    Will there be any DCE pre-R1.1 CDS servers in this cell? (YES/NO/?) [N]:

If your cell will be running any CDS servers based on OSF DCE Release 1.0.3a or lower, you should answer Y. The configuration utility sets the directory version number to 3.0 for compatibility with pre-R1.1 servers. This disables the use of OSF DCE Release 1.1 features such as alias cells, CDS delegation ACLs, and so on.

If all CDS servers in your cell will be based on DCE for OpenVMS Version 3.0 or higher (or an equivalent DCE version based on OSF DCE Release 1.1 or higher) answer N.
The configuration utility sets the directory version number to 4.0 for compatibility with DCE for OpenVMS (Version 3.0 or OSF DCE Release 1.1 or higher) CDS servers. This enables the use of OSF DCE Release 1.1 features such as alias cells, CDS delegation ACLs, and so on. Once the directory version is set to 4.0, you cannot set it back to 3.0.

The procedure configures accordingly and prompts you to enter the host name of the security server that you just configured.

    What is the hostname of the Security Server for this cell? []:

The configuration procedure continues, and requests additional client information as described in section 5.2. The procedure configures the requested services, and then prompts you to complete the configuration of the security server on the other machine before continuing:

    *****************************************************************
    * This system has now been configured as the Master CDS Server. *
    *                                                               *
    * Before continuing, complete the configuration of the          *
    * Security Server...                                            *
    *****************************************************************

    Press to continue:

Return to the system on which you configured the security server.

5.4.3 Completing the Security Server Configuration

This is the third phase of a split server configuration. You must have created a new cell and begun configuring the Security Server on one machine. Then you created a master CDS Server on another machine. Now you will complete the Security Server configuration on the first machine.

Return to the system on which you configured the Security Server and press the RETURN key. The following prompt is displayed:

    What is the hostname of the Master CDS Server for this cell [ ]:

The configuration procedure proceeds as described in the section Overview of New Cell Configuration.
Once the Security Server configuration is complete, return to the host on which you are configuring the master CDS Server and complete the installation.

5.4.4 Completing the CDS Master Server Configuration

This is the fourth and final phase of a split server configuration. You must have created a new cell and begun configuring the security server on one machine. Then you created a master CDS server on another machine. You completed the security server configuration on the first machine. Now you will complete the CDS master server configuration.

Completion of this phase consists of running the configuration verification program:

    Do you want to run the DCE Configuration Verification Program? (YES/NO/?) [Y]:

You can run the CVP now by answering Y, or you can run the CVP at a later time by answering N. The procedure completes the configuration and returns to the DCE Setup Main Menu. Choose option 2 (Show DCE configuration and active daemons) from the DCE Setup Main Menu to verify your configuration choices.

5.5 Migrating Your Cell

Some DCE cells may be running security or CDS servers on hosts with different versions of DCE. This might happen because a cell has DCE software from multiple vendors, each supplying upgrades at different times. Or perhaps upgrading all the hosts simultaneously is not feasible.

DCE for OpenVMS Version 3.0 security servers and CDS servers can interoperate with older servers (based on OSF DCE Release 1.0.3a, 1.0.2, and so on). However, new DCE security features associated with OSF DCE Release 1.1 and DCE Release 1.2.2 will generally not be available until all security server replicas in your cell are based on OSF DCE Release 1.1 and 1.2.2. Additionally, new CDS capabilities will not be available until all security servers and some or all CDS servers are based on OSF DCE Release 1.1 and 1.2.2.
If your cell contains older versions of Security or CDS Servers, you will need to migrate (gradually upgrade) older servers until all of them are running DCE server software based on OSF DCE Release 1.1 and 1.2.2. Once all Security or CDS Servers have been upgraded, you must perform some additional steps so that your servers can provide the new security and CDS capabilities.

Security Servers and CDS Servers use separate procedures to complete migration. Security Migration provides the instructions for completing Security server migration. CDS migration provides the instructions for completing CDS Server migration.

5.5.1 Security Migration

After you install the new security server version on a host where an older version security replica (master or slave) exists, that replica will operate with the new Security Server, but with the behavior of the older version server. Note that a server based on OSF DCE 1.1 or higher cannot create a new replica and operate it as an older version replica.

Once OSF DCE Release 1.1 has been installed on all hosts that have security replicas, you must issue a single cell-wide command that simultaneously migrates all the replicas to operate at the level of DCE 1.1. At this point the cell will support new security features such as extended registry attributes.

________________________ Note ________________________

Once you have migrated the security servers to DCE 1.1 or higher, it is not possible to create a replica on a host running an earlier version.

______________________________________________________

If all of the Security Server replicas in your cell are based on OSF DCE Release 1.1, you can perform the final migration steps in this section.

If your cell is still running any Security Servers based on a DCE release prior to OSF DCE Release 1.1, do not complete the upgrade steps in this section. The upgrade steps will advance some security database attributes.
Older servers cannot operate on newer version databases.

Once you have installed and configured DCE for OpenVMS Version 3.0 Security Servers in your cell, perform the following actions as cell administrator:

1. Ensure that at least one security replica can write to the cell profile. Use the following operation to check the cell-profile ACL for the entry user:dce-rgy:rw-t---.

       $ dcecp -c acl show -io /.:/cell_profile

2. On all Security Servers, set the server version to secd.dce.1.1.

       $ dcecp -c registry modify -version secd.dce.1.1

3. Verify that the version has been set to secd.dce.1.1.

       $ dcecp -c registry show

________________________ Note ________________________

If you have not updated all 1.0.3 security replicas to DCE 1.1, any original 1.0.3 replicas will be stopped when you move the registry version forward to DCE 1.1. You may want to verify that any original 1.0.3 replicas are no longer running.

______________________________________________________

5.5.2 CDS Migration

If you have installed and configured DCE for OpenVMS Version 3.0 CDS servers in your cell, you might need to perform additional steps to complete the upgrade process.

If you created a new DCE cell and, during the dcesetup process, you set the default directory version information for each CDS server to Version 4.0, you do not need to perform the migration steps in this section.

If your cell is still running any security or CDS servers based on a DCE release prior to OSF DCE Re