HP_DCE_for_OpenVMS_Alpha_and_OpenVMS_I64____________ Installation and Configuration Guide Order Number: BA361-90001 January 2005 This guide describes the installation procedure and the system configuration utility for the HP Distributed Computing Environment (DCE) for OpenVMS Alpha and OpenVMS I64. Revision/Update Information: This guide supersedes the Compaq DCE for OpenVMS VAX and OpenVMS Alpha Installation and Configuration Guide Version 3.0. Operating System: OpenVMS Alpha Version 7.3-2 or higher OpenVMS I64 Version 8.2 Software Version: HP DCE for OpenVMS Version 3.2 Hewlett-Packard Company Palo Alto, California ________________________________________________________________ © Copyright 2005 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. Intel and Itanium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. All Java and Java-based marks are trademarks or registered trademarks of Sun Microsystems, Inc., in the U.S. and other countries. Oracle is a US registered trademark of Oracle Corporation, Redwood City, California. OSF and Motif are trademarks of The Open Group in the US and other countries. UNIX is a registered trademark of The Open Group. Microsoft, Windows, Windows NT, and MS Windows are US registered trademarks of Microsoft Corporation. X/Open is a registered trademark, and the X device is a trademark of X/Open Company Ltd. in the UK and other countries. Printed in the US ZK6531 The HP OpenVMS documentation set is available on CD-ROM. _________________________________________________________________ Preface This guide describes the installation procedure and the system configuration utility for the HP Distributed Computing Environment (DCE) for OpenVMS Alpha and OpenVMS Industry Standard 64 (I64) Version 3.2, which consists of the following services: o Remote Procedure Call (RPC) service provides connectivity between individual procedures in an application across heterogeneous systems in a transparent way. o Interface Definition Language (IDL) compiler is required for developing distributed DCE applications. o Threads service provides user-mode control and synchronization of multiple operations. Threads is packaged with the base operating system. o Cell Directory Service (CDS) provides a location- independent method of identifying resources within a cell. A cell is the smallest group of DCE systems that share a common naming and security domain. o DCE Security Service provides authentication and authorization within a cell and is based on MIT's Kerberos private key encryption system. o Distributed Time Service (DTS) provides date and time synchronization within a cell. Four kits are installed: Runtime Services Kit Application Developer's Kit CDS Server Kit Security Server Kit vii The Runtime Services Kit contains the following: o Authenticated CDS Advertiser and Client Support o CDS Browser o CDS Control Program (cdscp) o Authenticated DCE RPC runtime support (supports DECnet, TCP/IP, and UDP) o Authenticated RPC runtime support (supports DECnet, TCP /IP, and UDP via NTLM security protocol on OpenVMS Alpha Version 7.2-1 and higher.) o RTI (Remote Task Invocation) RPC for HPs ACMSxp TP product on OpenVMS Alpha systems o Security Client Support o Integrated Login o A DCE_LOGIN tool for obtaining credentials o A RGY_EDIT tool for registry maintenance functions o KINIT, KLIST, and KDESTROY Kerberos tools o An ACL_EDIT tool for access control lists (ACLs) for DCE objects o RPC Control Program (rpccp) o DCE Control Program (dcecp) o Name Service Interface Daemon (nsid); also known as the PC Nameserver Proxy o Native Kerberos o XDS Directory Services o XDS Object Management The Application Developer's Kit contains the following: o The contents of the Runtime Services Kit o Required DCE application development header files o Interface Definition Language (IDL) compiler o Object-Oriented RPC o Generic Security Service (GSSAPI) viii o LSE Templates for IDL o UUID Generator o The .H (Include) files and .IDL files for application development o Sample DCE applications The CDS Server Kit contains the following: o CDS server (cdsd) o Global Directory Agent (GDA) o PC Name Service Interface Daemon (nsid) The Security Server Kit contains the following: o Security server (secd) o Tool used to create the security database (sec_create_ db) o Security server administrative tool (sec_admin) Keep this document with your distribution kit. You will need it to install maintenance updates or to reinstall HP DCE. Intended Audience This guide is intended for managers of distributed computing environments on one or more systems and installers of the HP DCE for OpenVMS Alpha or OpenVMS I64 Version 3.2. Document Structure This guide is organized as follows: o Chapter 1 describes the requirements and procedures that you must complete before installing the software. o Chapter 2 describes the installation process. o Chapter 3 describes procedures that you must complete after the installation. o Chapter 4 describes the steps necessary to set up a DCE cell, and the DCE system configuration utility for HP DCE for OpenVMS Alpha and OpenVMS I64. ix o Chapter 5 explains how to create a cell and configure the Security server and CDS server on the same system. It also discusses how to configure a client system into an existing DCE cell. o Chapter 6 describes the steps you need to complete to modify a cell configuration. o Appendix A lists the directories and files created by the installation procedure and system configuration utility. o Appendix B contains sample logs of the installation procedure. o Appendix C contains sample logs of the configuration procedure. Related Documents For additional information about HP OpenVMS products and services, visit the following World Wide Web address: http://www.hp.com/go/openvms Reader's Comments HP welcomes your comments on this manual. Please send comments to either of the following addresses: Internet openvmsdoc@hp.com Postal Hewlett-Packard Company Mail OSSG Documentation Group, ZKO3-4/U08 110 Spit Brook Rd. Nashua, NH 03062-2698 How To Order Additional Documentation For information about how to order additional documentation, visit the following World Wide Web address: http://www.hp.com/go/openvms/doc/order x Conventions VMScluster systems are now referred to as OpenVMS Cluster systems. Unless otherwise specified, references in this document to OpenVMS Clusters or clusters are synonymous with VMSclusters. The following conventions are used in this guide: Ctrl/x A sequence such as Ctrl/x indicates that you must hold down the key labeled Ctrl while you press another key or a pointing device button. italic text Italic text indicates important information, complete titles of manuals, or variables. Variables include information that varies in system output (Internal error number), in command lines (/PRODUCER=name), and in command parameters in text (where device- name contains up to five alphanumeric characters). UPPERCASE TEXT Uppercase text indicates a command, the name of a routine, the name of a file, or the abbreviation for a system privilege. Monospace text Monospace text indicates code examples and interactive screen displays. In the C programming language, monospace text identifies the following elements: keywords, the names of independently compiled external functions and files, syntax summaries, and references to variables or identifiers introduced in an example. Case- OpenVMS operating system commands do sensitivity not differentiate between uppercase and lowercase. However, many DCE commands do make this distinction. In particular, the system configuration utility interprets names in a case-sensitive manner. xi 1 _________________________________________________________________ Preparing for Installation This chapter describes the preparations you must make before you install and configure the HP Distributed Computing Environment (DCE) for OpenVMS Alpha and OpenVMS I64 software. HP DCE is an enabling software technology for the development of distributed applications. It provides a variety of common services needed for the development of distributed applications, such as name services and a standard remote procedure call interface. 1.1 Planning for Installation and Configuration This section helps you plan for the installation and configuration of the HP DCE. It presents a brief overview of some concepts that you need to understand before you install and configure HP DCE software. This understanding can help you decide how to configure DCE. Refer to Understanding DCE for detailed explanations of DCE concepts. The installation and configuration procedures set up the DCE environment so that you can use DCE services. Before you can use HP DCE software, you must both install the software and configure DCE on your system. 1.1.1 What Is a Cell? A cell is the basic DCE unit consisting of a group of nodes that share a directory service namespace and a security service registry under a common administration. Usually, the nodes in a cell are in the same geographic area, but cell boundaries are not limited by geography. Although a cell can contain from one to several thousand nodes, each node can belong only to one cell at a time. Preparing for Installation 1-1 Preparing for Installation 1.1 Planning for Installation and Configuration The system configuration utility allows you to join an existing cell. The cell must provide a directory server and a security server. These servers may be resident on the same system or may be running on separate systems. Note that if you rely on DCE time services for time synchronization, by default, you need a minimum of three time servers to synchronize time in a cell. See the section on the DCE Distributed Time Service in the OSF DCE Administration Guide for more information. 1.1.2 Creating a Cell See Chapter 4 for cell configuration guidelines. 1.1.3 Joining a Cell You need the following information to join a DCE cell: o Full cell name o Host name of the DCE Security Server o Security principal name and password authorized to perform cell administration operations o Location of the cell's CDS server (on or not on the same LAN as you are) When the client joining the cell is on the same LAN as the CDS directory master server, the CDS advertiser automatically determines the server's location by using IP (Internet Protocol) broadcast packets. If the CDS master server is not on the LAN, then you need to provide the host name where the CDS master server is running. 1.2 Inspecting the Distribution Kit The Software Bill of Materials (BOM) included with your distribution kit specifies the contents of your distribution kit. Carefully compare the items you received with the items listed in the BOM. If any components are missing or damaged, contact your HP customer service representative before you continue with the installation. The Read Before Installing letter listed on your BOM provides important information that you should be aware of before you install HP DCE. Some of this information may not be included in either this guide or the release notes. 1-2 Preparing for Installation Preparing for Installation 1.2 Inspecting the Distribution Kit HP DCE provides online release notes. Read the release notes before you install the product. They contain information about changes to the product. 1.3 Troubleshooting The HP DCE for OpenVMS Alpha and OpenVMS I64 Product Guide includes a chapter on troubleshooting. Read this chapter if you are having installation or configuration problems. For example, the Troubleshooting chapter discusses problems you may encounter with time and time zones. 1.4 Installation Procedure Requirements The following sections discuss the requirements for installing HP DCE. The length of time the installation takes to complete depends on the type of machine, the load on that machine, and the kit you choose to install. 1.4.1 Required Hardware To perform the installation, you need the following hardware: o A processor running OpenVMS I64 Version 8.2 or OpenVMS Alpha Version 7.3-2 or higher. o A software distribution device, if you are installing the software from media. You need a distribution device that corresponds with the software distribution media. ________________________ Note ________________________ Systems running OpenVMS Alpha should have access to a CD-ROM reader so you can install the software. Please check to see that you have a CD-ROM reader installed. ______________________________________________________ Preparing for Installation 1-3 Preparing for Installation 1.4 Installation Procedure Requirements 1.4.2 Required Software This section describes the software that must be installed on an OpenVMS system before you can properly perform the installation, configure the system, or use the software. In cases where the minimum version is not specified, refer to the Software Product Description (SPD) for more information. 1.4.2.1 On OpenVMS Alpha and I64 Systems Before installing HP DCE, you need the following software on your system: o OpenVMS I64 Version 8.2 or OpenVMS Alpha Version 7.3-2 or higher. o DECnet Phase IV or DECnet/OSI DECnet is required only if you run applications that use DECnet as their transport. o HP TCP/IP Services Version 5.0 or higher You must have HP TCP/IP Services installed and configured on each host from which you plan to execute DCE applications. See HP TCP/IP Services for OpenVMS Installation and Configuration for more information about the UDP/IP and TCP/IP transports. If you plan to use MultiNet or TCPware from Process Software (instead of HP's TCP/IP Services for OpenVMS), please see the release notes for more information. o If you are installing the Application Developer's Kit and plan on using the LSE templates, LSE and an appropriate license must be installed before you install DCE. 1.4.3 Time Required for Installation Depending on your configuration, the installation can take from 10 to 30 minutes. 1-4 Preparing for Installation Preparing for Installation 1.4 Installation Procedure Requirements 1.4.4 Disk Space, Global Pages, and Global Sections Required The disk space, global pages, and global sections requirements of HP DCE are different for the DCE Runtime Services Kit (RTK) and for the Application Developer's Kit (ADK). These requirements also differ on OpenVMS Alpha and on OpenVMS I64 systems. Table 1-1 lists the requirements before the installation for each kit on each platform. (Disk space requirements are listed in blocks.) Note that the DCE CDS Server and Security Server images are part of the DCE Kit and are enabled by license PAKs. Table 1-1 Disk Space, Global Pages, and Global Sections __________Requirements_____________________________________ Global Global Kit___________________Disk_Space__Pages_______Sections_____ OpenVMS Alpha RTK 48,000 7350 35 OpenVMS Alpha RTK & 58,000 7350 35 ADK OpenVMS I64 RTK 101,000 17,500 90 OpenVMS I64 RTK & 113,000 17,500 90 ADK________________________________________________________ To determine how much free disk space is on your system disk, enter the following command: $ SHOW DEVICE SYS$SYSDEVICE The system responds with a short table; the column labeled Free Blocks shows the amount of storage space remaining on your system disk. If there is not enough disk space to install or to run HP DCE, work with your system manager to delete and purge files that are no longer needed. To determine the number of free global pages and global sections on your system, enter the following commands: $ WRITE SYS$OUTPUT F$GETSYI("FREE_GBLPAGES") $ WRITE SYS$OUTPUT F$GETSYI("FREE_GBLSECTS") Preparing for Installation 1-5 Preparing for Installation 1.4 Installation Procedure Requirements If the values displayed by the system are greater than the minimum required, your system has adequate free global pages and global sections. If the values are less than the minimum required, use the AUTOGEN command procedure to increase the values, as follows: $ EDIT SYS$SYSTEM:MODPARAMS.DAT For details on using AUTOGEN, see the HP OpenVMS System Manager's Manual. 1.4.5 Privileges and Quotas Required To install HP DCE for OpenVMS Alpha and OpenVMS I64, log in to the system manager account. If you are not logged in to the system manager's account during installation, you must have at least the SETPRV privilege. To determine the privileges you have, enter the following command: $ SHOW PROCESS/PRIVILEGES If you do not have sufficient privileges to install HP DCE, see your system manager. The DCE system management utility requires WORLD privileges for the SHOW command and WORLD, SYSPRV, and CMKRNL privileges for all other commands. You should also check to make sure you have adequate quotas for the installation. You need the following quota values: o ASTLM = 24 o BIOLM = 18 o BYTLM = 18000 o DIOLM = 18 o ENQLM = 30 o FILLM = 20 Use the OpenVMS Authorize Utility if you want to verify and change process quotas for the installation account in the user authorization file (UAF). For example, to change the BYTLM quota for your installation account, enter the following command sequence: 1-6 Preparing for Installation Preparing for Installation 1.4 Installation Procedure Requirements $ RUN SYS$SYSTEM:AUTHORIZE UAF> MODIFY account-name /BYTLM = 18000 UAF> SHOW account-name UAF> EXIT $ LOGOUT After you change the quotas for your installation account, log out of the installation account and log in again for the new quotas to take effect. You can then proceed with the installation. User account quotas are stored in the file SYSUAF.DAT. For more information on modifying account quotas, see the description of the Authorize Utility in the OpenVMS system management documentation. 1.4.6 Completing License Management Facility Requirements If you are installing only the Runtime Services Kit of HP DCE, you do not need a separate license. The right to use the HP DCE Runtime Services Kit is granted with the OpenVMS operating system. The installation procedure for DCE installs the following kits by default without checking for licenses: DCE Runtime Services, CDS Server Kit, and the Security Server Kit. To install the Application Developer's Kit, you must override the installation defaults by answering NO to the following question: Do you want the defaults for all options? [YES] If you are installing the Application Developer's Kit and plan on using LSE templates, LSE and an appropriate license must be installed before you install DCE. To register a license under OpenVMS, first log in to the system manager's account, SYSTEM. Then use either of two ways to perform the registration: o Invoke the SYS$UPDATE:VMSLICENSE.COM procedure. When it prompts you for information, respond with data from your License PAK. o At the DCL prompt, enter the LICENSE REGISTER command with the appropriate qualifiers that correspond to License PAK information. Preparing for Installation 1-7 Preparing for Installation 1.4 Installation Procedure Requirements The license for the Application Developer's Kit is DCE- APP-DEV. The license for the Security Server Kit is DCE- SECURITY. The license for the CDS Server Kit is DCE-CDS. Although it is necessary to have only one license active for this product, the License Management Facility (LMF) checks for the existence of any valid license. If LMF displays license failures for some of these other licenses, disregard the messages. If you plan to use HP DCE on more than one node in a VMScluster environment, you must register and load a license for each of the other nodes before you configure them. For complete information about using LMF, see the HP OpenVMS License Management Utility Manual. 1.4.7 Performing System Backup Back up your system disk before installing any software. Use the backup procedures established at your site. For details on backing up a system disk, see the OpenVMS Backup Utility Manual. 1.4.8 Installing DCE Version 3.2 Over Previous Versions If you are installing HP DCE for OpenVMS Alpha Version 3.2 over a previous version of DCE - V3.0 or V3.1 for OpenVMS Alpha, you do not have to reconfigure DCE after the installation. Before the installation, stop the DCE daemons with the following command: $ @SYS$MANAGER:DCE$SETUP CLEAN Then, after the installation, enter the following command: $ @SYS$MANAGER:DCE$SETUP START 1-8 Preparing for Installation 2 _________________________________________________________________ Installing DCE This chapter describes the installation procedure for HP DCE for OpenVMS Alpha and OpenVMS I64. You can use different media to install HP DCE. The examples in this chapter show the installation procedure using disk files. See Appendix B for logs of sample installations. 2.1 About the OpenVMS Installation Procedure This section gives a brief overview of the OpenVMS installation procedure for HP DCE Version 3.2 called DCE$INSTALL.COM. The OpenVMS installation command has the following format: $ @DKA300:[000000]DCE$INSTALL [HELP] where: o DKA300: is a device name on which the distribution volumes will be mounted. Remember that all Alpha systems come with CD-ROM readers. o DCE$INSTALL is the supplied command procedure that drives the installation. It is not necessary to use the console drive to install DCE. If you do use the console drive, replace any media you remove from the drive. Include the optional parameter HELP if you want PCSI to display help information. When you invoke DCE$INSTALL, it checks the following conditions: o Whether you are logged in to a privileged account. Install software from the system manager's account with your default device and directory set to SYS$UPDATE. Installing DCE 2-1 Installing DCE 2.1 About the OpenVMS Installation Procedure o Whether you have adequate quotas for installation. See Section 1.4.5 for more information on quota values. You can stop the installation at any time by pressing Ctrl /C or Ctrl/Y. However, files created up to that point are not deleted. You must delete these files manually, using the OpenVMS DELETE command. Appendix A lists the files and directories created during the installation procedure. 2.2 Starting the HP DCE Installation Procedure See Section 1.4.2 for more information about software requirements. Start the installation procedure as follows: 1. Log in to the account from which you are installing the HP DCE. 2. If you are installing a kit other than the Runtime Services Kit, make sure you have registered the appropriate LMF PAK. 3. Invoke the following command procedure, substituting the correct name of your media device and directory for DKA300 (used in the example): $ @DKA300:[000000]DCE$INSTALL HELP 2.3 Continuing the Installation This section describes the part of the installation procedure that is specific to DCE. $ @DKA300:[000000]dce$install help Performing DCE pre-installation tasks...please wait. Creating a DCE$SERVER Account If you do not already have a DCE$SERVER account, the installation procedure creates one for you with TMPMBX, NETMBX, DETACH, and SYSPRV privileges. This installation procedure has detected an existing DCE$SERVER account. Correct operation of DCE on this system requires that the DCE$SERVER account have TMPMBX, NETMBX, DETACH and SYSPRV privileges. The installation procedure will modify the DCE$SERVER account to ensure that the prerequisite privileges are present. 2-2 Installing DCE Installing DCE 2.3 Continuing the Installation %UAF-I-MDFYMSG, user record(s) updated The following product has been selected: DEC AXPVMS DCE V3.2 Layered Product [Installed] Do you want to continue? [YES] Configuration phase starting ... You will be asked to choose options, if any, for each selected product and for any products that may be installed to satisfy software dependency requirements. DEC AXPVMS DCE V3.2: DCE V3.2 for OpenVMS Alpha Description of Kits The installation procedure displays information about the four HP DCE kits (Runtime Services Kit, Application Developers' Kit, Security Server Kit, and CDS Server Kit). Depending on the kit, the procedure displays specific information about the kit that will be installed. Greetings! This is DCE V3.2 for OpenVMS Alpha. There are four components: the DCE Runtime Services, the DCE Application Development Kit, the DCE Security Server, and the DCE CDS Server. 1. The Runtime Services provides the core services necessary to execute and manage DCE applications. 2. The Application Development Kit provides the services and tools required to develop, execute, and manage DCE applications. The Runtime Services capability is automatically provided with the Application Development Kit. 3. The security server supplies support for a cell wide security database. A cell must have at least one system running a security server. 4. The CDS server supplies support for a cell wide naming database. A cell must have at least one system running a CDS server. (C) Copyright 2005 Hewlett-Packard Development Company, LP. Installing DCE 2-3 Installing DCE 2.3 Continuing the Installation Confidential computer software. Valid license from HP and/or its subsidiaries required for possession, use, or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation and Technical Data for Commercial use. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing here in should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. This product uses the following PAKS: DCE-SECURITY, DCE-CDS, DCE-APP-DEV Do you want the defaults for all options? [YES] NO The Application Development Kit is optional and enabled with a PAK. It provides the services and tools required to develop, execute, and manage DCE applications. The Application Development Kit installs: + Required DCE application development header files + Interface Definition Language Compiler (IDL) + Language-Sensitive Editor (LSE) Templates for the Interface Definition Language + Unique User Identifier (UUID) Generator + Sample DCE Applications The Application Development Kit [NO] YES Do you want to review the options? [NO] Execution phase starting ... The following product will be installed to destination: DEC AXPVMS DCE V3.2 DISK$SYSTEM:[VMS$COMMON.] Portion done: 0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...100% The following product has been installed: DEC AXPVMS DCE V3.2 Layered Product *** DCE Product installation successful...beginning post-installation. The rights identifier NET$DECLAREOBJECT will now be granted to the DCE$SERVER account. You may IGNORE the message: 2-4 Installing DCE Installing DCE 2.3 Continuing the Installation "%UAF-E-GRANTERR, unable to grant identifier NET$DECLAREOBJECT to DCE$SERVER-SYSTEM-F-DUPIDENT, duplicate identifier" if it should occur. Press return to Continue %UAF-E-GRANTERR, unable to grant identifier NET$DECLAREOBJECT to DCE$SERVER-SYSTEM-F-DUPIDENT, duplicate identifier Installing Language Sensitive Editor (LSE) Templates for IDL If you are installing DCE on a cluster on which the Language Sensitive Editor (LSE) is installed, the system or the user must have a license to run LSE in order for DCE to install the LSE templates for the Interface Definition Language (IDL) compiler. Type YES to the following question if you have a license to run LSE. Load the Language-Sensitive Editor (LSE) templates for IDL? [Y]: NO NOTE: Please add the following to your system's SYS$MANAGER:SYLOGIN.COM. These files define foreign commands for using DCE on OpenVMS. $ @SYS$MANAGER:DCE$DEFINE_REQUIRED_COMMANDS.COM $ @SYS$COMMON:[DCE$LIBRARY]DCE$DEFINE_OPTIONAL_COMMANDS.COM Selecting a TCP/IP Product You are now asked to update SYS$STARTUP:SYSTARTUP_VMS.COM and choose a TCP/IP product. Please add the following command to SYS$STARTUP:SYSTARTUP_VMS.COM on your system. This ensures that DCE$STARTUP.COM is executed at system boot. The parameters supplied to DCE$STARTUP.COM depend on the specific TCP/IP product you intend to use. You will now be asked to select the name of this TCP/IP product, and the installation will supply you with the correct command for SYS$STARTUP:SYSTARTUP_VMS.COM. TCP/IP product Keyword HP's TCP/IP Services for OpenVMS UCX Multinet from TGV MULTINET TCPware from Process Software TCPWARE No TCP/IP Available at this time NONE Enter one of the keywords from the table above [UCX]: Installing DCE 2-5 Installing DCE 2.3 Continuing the Installation See the release notes for more information on UCX, MultiNet and TCPware. Enter $ @SYS$STARTUP:DCE$STARTUP in your SYS$STARTUP:SYSTARTUP_VMS.COM %DCE-S-INSTALL, Installation of OpenVMS DCE V3.2 completed 2.4 Installing on a VMScluster On a VMScluster with a common system disk, you need only install HP DCE once. After the initial installation, ensure that a separate license is registered and loaded on each cluster member that you plan to use for DCE services. If you are installing DCE for OpenVMS over an existing version of DCE on a common system disk in a VMScluster environment, be sure to shut down DCE on all nodes that share the common system disk before the installation. ________________________ Note ________________________ You must configure each node separately. ______________________________________________________ To configure each node separately, enter the following command on each node: $ @SYS$MANAGER:DCE$SETUP.COM CONFIG If you are installing HP DCE on a VMScluster that does not have a common system disk, you must install the software on each node and configure each node that you plan to use for DCE services. 2-6 Installing DCE 3 _________________________________________________________________ Postinstallation Procedures This chapter describes postinstallation steps that you need to take and lists ways to recover from errors that you encounter during the installation. 3.1 Postinstallation Tasks After the installation is completed successfully, note the following. 1. DCE Version 3.2 provides support for the RPC runtime environment and RPC applications (which are not dependent on DCE services) to remain active when DCE is shut down. This requires the use of separate startup files: SYS$STARTUP:DCE$RPC_STARTUP.COM and SYS$STARTUP:DCE$STARTUP.COM. On OpenVMS Alpha Version 7.2 and higher and on OpenVMS I64 Version 8.2, the RPC runtime environment files are shipped with the operating system. When installing DCE Version 3.2 on OpenVMS Alpha Version 7.3-2, you MUST install the latest RPC Kit for 3.2 or an Operating System Update Kit that contains the 3.2 RPC Runtime files. If you want all of the configured DCE services to start with the system startup, add the following line to SYS$MANAGER:SYSTARTUP_VMS.COM after the startup commands for the network transports, DECnet, and/or HP TCP/IP services: $ @SYS$STARTUP:DCE$STARTUP.COM If you want only the RPC runtime environment to start with the system startup, add the following line to SYS$MANAGER:SYSTARTUP_VMS.COM: $ @SYS$STARTUP:DCE$RPC_STARTUP.COM Postinstallation Procedures 3-1 Postinstallation Procedures 3.1 Postinstallation Tasks It is not necessary to run both procedures. Invoking DCE$STARTUP.COM will first start the RPC Runtime, then the DCE services. See Chapter 4 for more information about configuring DCE. 2. Depending on your choice for system startup, add the following commands to SYS$MANAGER:SYSHUTDOWN.COM before the shutdown commands for the network transports, DECnet, and/or HP TCP/IP services: o If you have configured DCE services on your system: $ @SYS$STARTUP:DCE$SHUTDOWN.COM o If you have the RPC runtime environment only: $ @SYS$STARTUP:DCE$RPC_SHUTDOWN.COM NOCONFIRM If DCE$SHUTDOWN.COM is added to the system shutdown file, it will prompt you for a password before shutting down DCE. This will delay the shutdown until the password is specified. 3. Configure this node by entering the following command: $ @SYS$MANAGER:DCE$SETUP CONFIG You must configure the DCE services before you can use them. See Chapter 5 for more information about configuring DCE. 4. If you are running DCE server applications that are listening over the DECnet Phase IV (ncacn_dnet_nsp) protocol or the DECnet/OSI (ncacn_osi_dna) protocol, you must grant the NET$DECLAREOBJECT rights identifier to those processes from which the server runs. 5. Define foreign commands. There are two foreign command definition files: one file contains required commands and the other file is optional. Add the following line to the file SYS$MANAGER:SYLOGIN.COM: $ @SYS$MANAGER:DCE$DEFINE_REQUIRED_COMMANDS.COM DCE$DEFINE_REQUIRED_COMMANDS.COM, the required command definition file, defines the following foreign commands: o acl_edit, which invokes the ACL editor (Security) 3-2 Postinstallation Procedures Postinstallation Procedures 3.1 Postinstallation Tasks o cdscp, which invokes the CDS control program o chpass, which invokes the DCE change password utility o dce$uaf, which invokes the DCE Integrated Login User Authorization File utility o dtscp, which invokes the DTS control program o dce$export, which invokes the DCE Integrated Login EXPORT utility o dce$import, which invokes the DCE Integrated Login IMPORT utility o dce_config, which invokes the DCE configuration utility o dce_setup, which invokes the DCE configuration utility o dcecp, which invokes the DCE control program o dtscp, which invokes the DCE Time Control program o dce_login, which validates a principal's identity and obtains network credentials (Security) o kdestroy, which destroys a principal's login context (Security) o kinit, which obtains a ticket-granting ticket (Security) o klist, which lists tickets (Security) o rgy_edit, which invokes the registry database editor (Security) o rpccp, which invokes the RPC Control Program o sec_admin, which invokes the DCE Security Administration utility If you choose not to execute this command definition file, you cannot use any of the previous programs and commands. DCE$DEFINE_OPTIONAL_COMMANDS.COM, the optional command definition file, is installed with the Application Development kit and defines the following foreign commands: Postinstallation Procedures 3-3 Postinstallation Procedures 3.1 Postinstallation Tasks o idl, which invokes the IDL compiler o rpclm, which invokes the RPC Log Manager o uuidgen, which invokes the UUID generator utility By default, these utilities use DCL-style interfaces. If you execute the optional foreign commands file, you have access to the version of these utilities that uses the universal interface. There are three possible actions that you can take: o Define the universal interface for all users on your system to ensure that the same interface is available to users across operating system platforms. Note that all examples that document these four utilities use the universal interface. Include the following line in the file SYS$MANAGER:SYLOGIN.COM: $ @SYS$COMMON:[DCE$LIBRARY]DCE$DEFINE_OPTIONAL_COMMANDS.COM o Give users access to only the DCL-style interface. In this case, you do not need to take any action. o Make the DCL-style interface available to some users, but allow others access to the universal interface. Do not define the optional commands in SYLOGIN.COM. Tell users who want to use the universal interface to include the following line in their account's LOGIN.COM procedure: $ @SYS$COMMON:[DCE$LIBRARY]DCE$DEFINE_OPTIONAL_COMMANDS.COM 6. If you are installing DCE on a VMScluster, you must take the following steps: a. Ensure that a license is registered and loaded on each node in the cluster from which users plan to use DCE. (If you are installing only the HP DCE Runtime Services Kit, you already have a right to use the DCE Runtime Services Kit. This right was granted with the OpenVMS operating system license.) b. Configure each node in the cluster from which users plan to use DCE by entering the following command: $ @SYS$MANAGER:DCE$SETUP CONFIG 3-4 Postinstallation Procedures Postinstallation Procedures 3.2 Installation Error Recovery 3.2 Installation Error Recovery The following list describes errors that you may encounter during installation and provides suggestions about how to recover from those errors: o You try to install the OpenVMS I64 kit on an OpenVMS Alpha system (or vice versa). Reinstall with the correct kit. o The system does not have the required version of OpenVMS installed. Upgrade the operating system to at least the minimum required version and restart the installation procedure. o You run out of disk space. Either clean up your disk or install less of the kit. o If you plan to run DCE applications by IP, you must have TCP/IP Version 5.0 installed. Install the correct version of UCX. The installation procedure checks for the prerequisites. o No network transports were found. You must install and configure DECnet, UCX, or both before running any DCE applications. o SYS$SYSTEM:RIGHTSLIST.DAT does not exist on this system. RUN AUTHORIZE and then issue the CREATE/RIGHTS command. RIGHTSLIST.DAT is created for you. o Invalid UIC. Find and enter the correct UIC in the correct format. Postinstallation Procedures 3-5 4 _________________________________________________________________ Configuring a DCE Cell This chapter describes the steps necessary to set up a DCE cell, and the DCE system configuration utility for HP DCE for OpenVMS Alpha and OpenVMS I64. Note that DCE must be configured. 4.1 Overview of the DCE Cell A cell is the basic DCE unit. It is a group of networked systems and resources that share common DCE services. Usually, the systems in a cell are in the same geographic area, but cell boundaries are not limited by geography. A cell can contain from one to several thousand systems. The boundaries of a cell are typically determined by its purpose, as well as by security, administrative, and performance considerations. A DCE cell is a group of systems that share a namespace under a common administration. The configuration procedure allows you to configure your system as a DCE client, create a new DCE cell, add a master Cell Directory Service (CDS) server, add a replica CDS server, and add a Distributed Time Service (DTS) local server. When you create a new cell, you automatically configure a Security server. You do not need to create a DCE cell if you are using only the DCE Remote Procedure Call (RPC) and if your applications use only explicit RPC string bindings to provide the binding information that connects server to clients. If there are other systems in your network already using DCE services, it is possible there may be an existing cell that your system can join. If you are not sure, consult your network administrator to find out which DCE services may already be in use in your network. Configuring a DCE Cell 4-1 Configuring a DCE Cell 4.1 Overview of the DCE Cell At a minimum, a cell configuration includes the DCE Cell Directory Service, the DCE Security Service, and the DCE Distributed Time Service. One system in the cell must provide a DCE Directory Service server to store the cell namespace database. You can choose to install both the Cell Directory Server and the Security Server on the system from which you invoked the procedure, or you can split the two servers and put them on different systems. ________________________ Note ________________________ You must run the installation and configuration procedures on the system where you are creating a cell before you install and configure DCE on the systems that are joining the cell. ______________________________________________________ 4.1.1 Creating a Cell All DCE systems participate in a cell. If you are installing DCE and there is no cell to join, the first system on which you install the software is also the system on which you create the cell. Remember that this system is also the DCE Security Server. You can also make this system your Cell Directory Server. When you create a cell, you must name it. The cell name must be unique across your global network. The name is used by all cell members to indicate the cell in which they participate. The configuration procedure provides a default name that is unique and is easy to remember. If you choose a name other than the default, the name must be unique. If you want to ensure that separate cells can communicate, the cell name must follow BIND or X.500 naming conventions. 4.1.2 Joining a Cell Once the first DCE system is installed and configured and a cell is created, you can install and configure the systems that join that cell. During configuration, you need the name of the cell you are joining. Ask your network administrator for the cell name. 4-2 Configuring a DCE Cell Configuring a DCE Cell 4.1 Overview of the DCE Cell 4.1.3 Defining a Cell Name You need to define a name for your DCE cell that is unique in your global network and is the same on all systems that participate in this cell. The DCE naming environment supports two kinds of names: global names and local names. All entries in the DCE Directory Service have a global name that is universally meaningful and usable from anywhere in the DCE naming environment. All Directory Service entries also have a cell-relative name that is meaningful and usable only from within the cell in which that entry exists. If you plan to connect this cell to other DCE cells in your network either now or in the future, it is important that you choose an appropriate name for this cell. You cannot change the name of the cell once the cell has been created. If you are not sure how to choose an appropriate name for your DCE cell, consult Chapter 9 of the HP DCE for OpenVMS Alpha and OpenVMS I64 Product Guide, or the section on global names in the OSF DCE Administration Guide - Introduction. Before you can register the cell in X.500, you must ensure that the HP X.500 Directory Service kit is installed on your CDS server. HP recommends that you use the following convention to create DCE cell names: the Internet name of your host system followed by the suffix - cell, followed by the Internet address of your organization. For example, if the Internet name of your system is myhost, and the Internet address of your organization is smallco.bigcompany.com, your cell name, in DCE syntax, would be myhost- cell.smallco.bigcompany.com. This convention has the following benefits: o The Internet name of your host is unique in your network, so if all DCE users in your network follow this convention, your cell name will also be unique. o It clearly identifies the system on which the writable copy of the root directory of the cell namespace is located. o It does not prohibit intercell communication with outside organizations. o It is easy to remember. Configuring a DCE Cell 4-3 Configuring a DCE Cell 4.1 Overview of the DCE Cell If there is already a cell name defined in a previously existing DCE system configuration, do not change it unless you are removing this system from the cell in which it is currently a member and you are joining a different cell. When the configuration procedure prompts you for the name of your DCE cell, type the cell name without the /.../ prefix; the prefix is added automatically. For example, if the full global name selected for the cell, in DCE name syntax, is /.../myhost-cell.smallco.bigcompany.com, enter myhost-cell.smallco.bigcompany.com. 4.1.4 Defining a Host Name You need to define a name for your system that is unique within your DCE cell. You should use the default host name, which is the Internet host name (the name specified before the first dot(.)). The following example shows the default host name derived from the Internet name of myhost.mycompany.com. Please enter your DCE host name [myhost]: 4.1.5 Intercell Naming Using DNS This section provides tips on defining a cell name in the Domain Name System (DNS). Names in DNS are associated with one or more data structures called resource records. The resource records define cells and are stored in a data file. For TCP/IP Services for OpenVMS, this file is called SYS$SPECIFIC:[TCPIP$BIND].DB. If you are using a UNIX DNS Bind server, it is called /etc/namedb/hosts.db. To create a cell entry, you must edit the data file and create two resource records for each CDS server that maintains a replica of the cell namespace root. The following example shows a cell called ruby.axpnio.dec.com. The cell belongs to the BIND domain axpnio.dec.com. Host alo010.axpnio.dec.com is the master CDS server for the ruby.axpnio.dec.com cell. The BIND server must be authoritative for the domains of the cell name. The BIND master server requires the following entries in its data file: 4-4 Configuring a DCE Cell Configuring a DCE Cell 4.1 Overview of the DCE Cell alo010.axpnio.dec.com I A 25.0.0.149 ruby.axpnio.dec.com IN MX 1 alo010.axpnio.dec.com ruby.axpnio.dec.com IN TXT "1 c8f5f807-487c-11cc-b499-08002b32b0ee Master /.../ruby.azpnio.dec.com/alo010_ch c84946a6-487c-11cc-b499-08002b32b0ee alo010.axpnio.dec.com" ________________________ Note ________________________ TXT records must span only one line. The third entry above incorrectly occupies three lines to show the information included in the TXT record. You need to do whatever is required with your text editor of choice to ensure this. Widening your window helps. You should also ensure that the quotes are placed correctly and that the host name is at the end of the record. ______________________________________________________ The information to the right of the TXT column in the Hesiod Text Entry (that is, 1 c8f5f807-48...) comes directly from the cdscp show cell /.: as dns command. For example, to obtain the information that goes in the ruby.axpnio.dec.com text record (TXT), you would go to a host in the ruby cell, and enter the cdscp show cell /.: as dns command. Then, when the system displays the requested information, cut and paste this information into the record. This method ensures that you do not have any typing errors. To ensure that the records that you have entered are valid, restart the DNS Bind server process. 4.1.6 Intercell Naming Using LDAP/X.500 This section provides tips on defining a cell name in LDAP /X500. The cells that will communicate using intercell must be part of the same LDAP/X500 namespace. This is true only if they share a common root in the namespace tree. For example, the cells /c=us/o=hp/ou=laser-cell and /c=us/o=hp /ou=ruby-cell share the root /c=us/o=hp, and would be able to participate in intercell communications. Configuring a DCE Cell 4-5 Configuring a DCE Cell 4.1 Overview of the DCE Cell If your cell is part of an X.500 namespace, answer Yes to the question "Do you want to register the DCE cell in X.500?". If your cell is part of an LDAP namespace, answer Yes to the question "Do you want to register the DCE cell in LDAP?". Additional information about Intercell operations can be found in Chapter 9 of the HP DCE for OpenVMS Alpha and OpenVMS I64 Product Guide. 4.2 The DCE System Configuration Utility - DCE$SETUP.COM The DCE$SETUP command procedure begins the configuration process. Many of the system configuration utility prompts have default values associated with them. The default responses are based on your existing configuration, if you have one. Otherwise, default values for the most common DCE system configurations are provided. At each prompt, press RETURN to take the default displayed in brackets, type a question mark (?) for help, or supply the requested information. The system configuration utility sets up the DCE environment on your node so that you can use DCE services. The system configuration utility leads you through the process of creating or joining a cell. ________________________ Note ________________________ If you are installing HP DCE for OpenVMS Alpha Version 3.2 over a previous version of DCE - V3.0 or V3.1 for OpenVMS Alpha, you do not have to reconfigure DCE after the installation. Before the installation, stop the DCE daemons with the following command: $ @SYS$MANAGER:DCE$SETUP CLEAN Then, after the installation, enter the following command: $ @SYS$MANAGER:DCE$SETUP START You must configure if you are installing DCE for the first time. ______________________________________________________ 4-6 Configuring a DCE Cell Configuring a DCE Cell 4.2 The DCE System Configuration Utility - DCE$SETUP.COM 4.2.1 Configuring LDAP, NSI, and GDA The Lightweight Directory Access Protocol (LDAP) provides access to the X.500 directory services without the overhead of the full Directory Access Protocol (DAP). The simplicity of LDAP, along with the powerful capabilities it inherits from DAP, makes it the defacto standard for Internet directory services and for TCP/IP. Inside a cell, a directory service is accessed mostly through the name service interface (NSI) implemented as part of the run-time library. Cross-cell directory service is controlled by a global directory agent (GDA), which looks up foreign cell information on behalf of the application in either the Domain Naming Service (DNS) or X.500 database. Once that information is obtained, the application contacts the foreign CDS in the same way as the local CDS. Once LDAP is configured, applications can request directory services from either CDS or LDAP or both. LDAP is provided as an optional directory service that is independent of CDS and duplicates CDS functionality. LDAP is for customers looking for an alternative to CDS that offers TCP/IP and Internet support. With LDAP directory service available, GDA can look up foreign cell information by communicating through LDAP to either an LDAP-aware X.500 directory service or a standalone LDAP directory service, in addition to DNS and DAP. Note that DCE for OpenVMS provides it's own client implementation of LDAP. Prior to installing DCE, a DCE administrator must obtain LDAP server software and install it as an LDAP server in the environment. Next, a DCE administrator must choose LDAP during the DCE installation and configuration procedure and intentionally configure LDAP directory service for a cell. Configuring a DCE Cell 4-7 Configuring a DCE Cell 4.2 The DCE System Configuration Utility - DCE$SETUP.COM 4.2.2 Kerberos 5 Security The DCE authentication service is based on Kerberos 5. The Kerberos Key Distribution Center (KDC) is part of the DCE Security Server secd. The authorization information that is created by the DCE for OpenVMS privilege server is passed in the Kerberos 5 ticket's authorization field. DCE provides a Kerberos configuration program (DCE$KCFG.EXE) to assist in the interoperability between DCE Kerberos and standard Kerberos. To find out more information about the kcfg program, use the following two commands. To display individual command switches and their arguments enter: kcfg -? To display a short description of the command and what it does enter: kcfg -h This provides information on the configuration file management, principal registration, and service configuration. ________________________ Note ________________________ The dcesetup configuration script sets all tickets as forwardable, a default value. If tickets are not set as forwardable, the Kerberos Distribution Center (KDC) server does not provide authentication and authorization information to the telnet process. The command, kinit -f, marks tickets as forwardable. ______________________________________________________ All machines within a cell that plan to use Kerberos- enabled tools need to check and possibly modify the registry and the krb5 configuration with the kcfg executable. To make sure that Kerberos Version 4 interoperates with Kerberos Version 5, an administrator can use the kcfg -k command to change krb.conf entries. This command needs to be entered on each machine in the cell. 4-8 Configuring a DCE Cell Configuring a DCE Cell 4.2 The DCE System Configuration Utility - DCE$SETUP.COM The registry must contain a principal entry that describes the host machine of the KDC server. This principal entry is of the form host/. The principal and the associated keytable entry can be created with kcfg -p. This verifies that the host entry exists; if not, it creates the host entry. 4.2.3 Starting the System Configuration Utility You must be logged in as a privileged user. The SHOW command requires only NETMBX and TMPMBX privileges. All other commands require WORLD, SYSPRV, CMKRNL, and SYSNAM privileges. The CONFIG command requires BYPASS privileges. You can use the same command to perform an initial configuration or to reconfigure DCE. See the Appendix for several sample configurations. To start the system configuration utility, at the DCL prompt enter the following command: $ @SYS$MANAGER:DCE$SETUP The DCE System Management Main Menu appears: DCE System Management Main Menu DCE for OpenVMS Alpha V3.2 1) Configure Configure DCE services on this system 2) Show Show DCE configuration and active daemons 3) Stop Terminate all active DCE daemons 4) Start Start all DCE daemons 5) Restart Terminate and restart all DCE daemons 6) Clean Terminate all active DCE daemons and remove all temporary local DCE databases 7) Clobber Terminate all active DCE daemons and remove all permanent local DCE databases 8) Test Run Configuration Verification Program 0) Exit Exit this procedure ?) Help Display helpful information Please enter your selection: Enter 1 to view the DCE Configuration Menu. To skip the previous menu and go directly to the DCE Configuration Menu, enter the following command: $ @SYS$MANAGER:DCE$SETUP CONFIG Configuring a DCE Cell 4-9 Configuring a DCE Cell 4.2 The DCE System Configuration Utility - DCE$SETUP.COM For information on how to configure a DCE cell or how to add a client, see Chapter 5. For information on modifying an existing configuration, see Chapter 6. 4-10 Configuring a DCE Cell 5 _________________________________________________________________ Configuring DCE This chapter explains how to create a cell and configure the Security server and CDS server on the same system. It also discusses how to configure a client system into an existing DCE cell. 5.1 DCE System Management Command Procedure Starting from DCE Version 3.0 onwards, the DCE system management command procedure SYS$MANAGER:DCE$SETUP.COM has been changed. These changes are described in the following sections. An RPC only configuration can be started with the startup command procedure described in the next section. DCE$SETUP stops RPCD during configuration. In DCE for OpenVMS Version 1.5, DCE$SETUP was modified not to stop RPCD. Changes in the DCE daemons required reverting to the previous behavior. DCE$SETUP.COM has been rewritten to add the new functionality for DCE R1.2.2, and to more closely match the configuration program for DCE for Tru64 UNIX. 5.1.1 Starting and Stopping the RPC Daemon The RPC daemon can be started and stopped with the command files DCE$RPC_STARTUP.COM and DCE$RPC_SHUTDOWN.COM. These files are located in SYS$COMMON:[SYSMGR]. To start the RPC daemon, execute DCE$RPC_STARTUP.COM. You can specify the following option: [NO]CONFIRM Turns user prompting on or off. CONFIRM is the default. To stop the RPC daemon, execute DCE$RPC_SHUTDOWN.COM. You can specify the following options in any order: Configuring DCE 5-1 Configuring DCE 5.1 DCE System Management Command Procedure [NO]CONFIRM Turns user prompting on or off. CONFIRM is the default. CLEAN Deletes all entries from the RPC endpoint database. ________________________ Note ________________________ Do not stop the RPC daemons if any RPC applications are running on the system. ______________________________________________________ 5.1.2 Limiting RPC Transports The RPC daemon can limit the protocols used by RPC applications. To restrict the protocols that can be used, set a logical name RPC_SUPPORTED_PROTSEQS to contain the valid protocols separated by a colon. Valid protocols are ncadg_ip_udp, ncacn_ip_tcp, and ncacn_dnet_nsp. For example: $ DEFINE RPC_SUPPORTED_PROTSEQS "ncadg_ip_udp:ncacn_ip_tcp" This prevents applications and servers from registering endpoints that utilize DECnet. 5.1.3 Logical Names Created During Configuration The configuration process creates the following logical names: ___________________________________________________________ Logical_Name__________Description__________________________ DCE Defines a search list pointing to directories SYS$COMMON:[DCE$LIBRARY] and SYS$LIBRARY. These directories contain the Application Developer's Kit include files and other files for creating DCE applications. DCE$COMMON,DCE_ Points to the directory COMMON SYS$COMMON:[DCELOCAL]. This directory holds DCE-specific files common to all DCE hosts in a cluster. DCE$LOCAL,DCE_LOCAL Points to the directory DCE$SPECIFIC:. This directory defines the top of the DCE directory hierarchy. 5-2 Configuring DCE Configuring DCE 5.1 DCE System Management Command Procedure ___________________________________________________________ Logical_Name__________Description__________________________ DCE$SPECIFIC Points to the directory SYS$SPECIFIC:[DCELOCAL]. This directory is for internal use only. DCE$SYSROOT Points to the directories DCE$SPECIFIC:, DCE$COMMON:. This logical is used to find DCE files that may be in either system-specific or cluster-general trees. TCL_LIBRARY Points to the directory DCE_COMMON /TCL (UNIX file syntax). This directory holds files that allow the TCL interface to the DCE command ______________________line_programs_to_function.___________ The logical names with a dollar sign in them define VMS style directory syntax. The logical names with underscores in them define UNIX style directory syntax (for use by various DCE internal applications). 5.1.4 Configuring on a VMScluster You must configure each node in a VMScluster separately by entering the following command on each node: $ @SYS$MANAGER:DCE$SETUP CONFIG 5.2 Overview of New Cell Configuration To configure a new cell, you must complete the following steps: 1. To begin your initial cell creation and server configuration, invoke the DCE configuration utility. 2. If you are creating a new cell or adding a CDS server, choose option 6 (Terminate all active DCE daemons and remove all temporary local DCE databases) to stop the DCE daemons in a controlled manner. Be sure to back up your security and CDS databases before proceeding if this has not been done. Configuring DCE 5-3 Configuring DCE 5.2 Overview of New Cell Configuration 3. Choose option 1 from the DCE Setup Main Menu to configure DCE services on your system. You must have system privileges to modify the DCE system configuration. The procedure displays the following menu: DCE Configuration Menu DCE for OpenVMS Alpha V3.2 1) Client Configure this system as a DCE client 2) New Cell Create a new DCE cell 3) CDS Server Add Master CDS Server 4) Modify Modify DCE cell configuration 5) RPC_Only Configure this system for RPC only 0) Exit Exit this procedure ?) Help Display helpful information Please enter your selection: Table 5-1 provides descriptions of the options available on the DCE Configuration Menu. Table_5-1_Configuration_Menu_Options_______________________ Option______Description____________________________________ Client Provides full DCE RPC services, client services for CDS and Security, and optional time services. A DCE client system must join an existing DCE cell with a security registry and a CDS master server available on other systems in the cell. New Cell Provides full DCE RPC services, a security registry server for the cell, a CDS master server, a DTS server, and the NSI agent for name service independent access to directory services from PC client systems. There can be only one security registry and CDS master server in a cell, although they need not reside on the same host. (continued on next page) 5-4 Configuring DCE Configuring DCE 5.2 Overview of New Cell Configuration Table_5-1_(Cont.)_Configuration_Menu_Options_______________ Option______Description____________________________________ CDS Server Provides a DCE client system with a CDS master server added. This option is used if a split server configuration is desired, and the new cell (on another system) was configured without a CDS master server. Modify Provides a submenu of additional configuration options that are available after the initial configuration has completed. RPC_Only Provides a subset of the DCE RPC services. If DCE is installed on an OpenVMS Alpha system running Version 7.2-1 or higher, NTLM security may be utilized for authenticated RPC requests. With an RPC only configuration, there are no RPC name service interface routines available. This configuration will, however, allow applications to communicate if full string bindings are supplied by the RPC client, or if the client requests the port number to complete the partial string binding from the end point ____________mapper_(DCED_daemon).__________________________ 4. Choose option 2 to create a new DCE cell. 5. At each prompt, you can press RETURN to take the default displayed in brackets or enter a question mark (?) for help. When prompted, select a cell name and a host name; the name is used again when you configure DCE client systems. 6. The configuration utility asks if you want to configure the host as a CDS server. Answer Y to configure the CDS and security servers on the same system. Answer N to perform a split server installation in which you configure the security server on the current host and the CDS server on a different host. 7. If you answered Y to configure the CDS and security servers on the same system, the utility asks: Will there be any DCE pre-R1.1 CDS servers in this cell? (YES/NO/?) [N]: Configuring DCE 5-5 Configuring DCE 5.2 Overview of New Cell Configuration If your cell will be running any CDS servers based on OSF DCE Release 1.0.3a or lower (equivalent to HP DCE for OpenVMS Version 1.5 or lower), you should answer Y. The configuration utility sets the directory version number to 3.0 for compatibility with pre-R1.1 servers. This setting disables the use of OSF DCE Release 1.1 features such as alias cells, CDS delegation ACLs, and so on. If all CDS servers in your cell will be based on HP DCE for OpenVMS Version 3.0 (or higher) and based on OSF DCE Release 1.1 (or higher), answer N. The configuration utility sets the directory version number to 4.0 for compatibility with HP DCE for OpenVMS Version 3.0 CDS servers (OSF DCE Releases 1.2.2). This enables the use of OSF DCE Release 1.1 features such as alias cells, CDS delegation ACLs, and so on, and OSF DCE Release 1.2.2 features. Once the directory version is set to 4.0, you cannot set it back to 3.0. 8. You are prompted to confirm the system time; it is important that you check the current time before you respond. 9. The configuration utility will prompt for the Domain Name and DNS server address. 10.If DECnet/OSI is installed on your system, the configuration utility displays the following message and then asks several questions about configuring a DCE Distributed Time Service server on your system. You seem to have DECnet/OSI installed on this system. DECnet/OSI includes a distributed time synchronization service (DECdts), which does not currently support the DCE Distributed Time Service (DCE DTS) functionality. The DCE DTS in this release provides full DECdts functionality. This installation will stop DECdts and use DCE DTS instead. For further clarification, please consult the HP DCE for OpenVMS Alpha and OpenVMS I64 Product Guide. Even though DCE DTS will be used, it is possible to accept time from DECdts servers. 5-6 Configuring DCE Configuring DCE 5.2 Overview of New Cell Configuration Should this node accept time from DECdts servers? (YES/NO/?) [N]: Do you want this system to be a DTS Server (YES/NO/?) [Y]: Do you want this system to be a DTS Global Server (YES/NO/?) [N]: Does this cell use multiple LANs? (YES/NO/?) [N]: Answer the questions appropriately. 11.The configuration utility asks if you want to run the MIT Kerberos 5 services on this machine. A Y answer runs the configuration utility. Do you intend to run MIT Kerberos 5 services on this machine? (YES/NO/?) [N] 12.The configuration utility asks if you want to configure the LDAP name service on this system. A yes answer prompts the question, "Do you want to configure the system as an LDAP client?" and requires that you enter further information regarding LDAP services. Do you want to configure the LDAP name service? (YES/NO/?) [N]: 13.The configuration utility asks if you want to configure gdad to use LDAP. (gdad is the daemon for Global Directory Agent.) Do you want to configure gdad to use LDAP? (YES/NO/?) [N]: 14.Next, the screen displays your selections and asks whether to save them as your DCE system configuration. Answer Y. 15.All previous temporary and permanent DCE databases and configuration files are now removed prior to starting the new configuration. 16.The configuration utility asks you to enter some random keystrokes in order to supply a keyseed for the security server. *********************************************************************** * Starting the security server requires that you supply * * a `keyseed.' When asked for a `keyseed,' type some * * random, alphanumeric keystrokes, followed by RETURN. * * (You won't be required to remember what you type.) * *********************************************************************** Enter keyseed for initial database master key: Configuring DCE 5-7 Configuring DCE 5.2 Overview of New Cell Configuration 17.The configuration utility asks you to enter the password for the cell_admin account, and asks for confirmation. Please type new password for cell_admin (or `?' for help): Type again to confirm: 18.The DCE daemons are started and configuration information is set up. After the dts daemon is started, you are prompted to run the DCE Configuration Verification Program (CVP). Press RETURN to start the CVP. 19.To verify that all requested services are configured, choose option 2 (Show DCE configuration and active daemons) from the DCE Setup Main Menu. The screen displays all configured DCE services and active DCE daemons. You have completed creating a cell. 5.3 Configuring Your System as a DCE Client with Run-Time Services If you want to add your system to an existing cell, choose option 1 (Configure this system as a DCE Client) from the Configuration Choice Menu. This option configures the run- time services subset on your system. ________________________ Note ________________________ During the initial DCE client configuration, the client software may have problems locating the Cell Directory Service server if the Internet protocol netmask for your client machine is not consistent with the netmask used by other machines operating on the same LAN segment. You might need to consult your network administrator to determine the correct value to use as a netmask on your network. ______________________________________________________ When you choose option 1, the procedure displays the following messages: 5-8 Configuring DCE Configuring DCE 5.3 Configuring Your System as a DCE Client with Run-Time Services Starting DCE client configuration . . . At each prompt, enter your response. You may enter RETURN for the default response, displayed in [brackets], or `?' for help. Entering a CONTROL-Z will terminate this configuration request. Press RETURN to continue . . . Removing temporary local DCE databases and configuration files Removing permanent local DCE databases and configuration files Starting client configuration Initializing RPC & Security Client Services daemon (DCE$DCED) . . . %RUN-S-PROC-ID, identification of created process is 2380A9A6 Starting RPC & Security Client Services daemon (DCE$DCED) . . . % RUN-S-PROC-ID, identification of created process is 238110A8 The configuration utility asks whether to search the LAN for known cells within the broadcast range of your system. Would you like to search the LAN for known cells? (YES/NO/?) [Y]: If you know the name of your DCE cell, answer N. As prompted, supply the name of your DCE cell, your DCE host name, and the host name of your cell's master CDS server. You also need to specify whether your host can broadcast to the host where the master CDS server is installed. Answer Y to see a list of available DCE cells. As prompted, supply your DCE host name. At the next prompt, supply the appropriate DCE cell name from the list. Gathering list of currently accessible cells (please wait) Please enter your DCE hostname [dcehost]: The following cells were discovered within broadcast range of this system: Buster-cell Kauai-cell Myhost-cell Tahoe-cell Please enter the name of your DCE cell [buster-cell]: If you do not know the name of the cell you want to join, consult your network administrator. Do not add the /.../ prefix to the cell name; the procedure automatically adds it. Configuring DCE 5-9 Configuring DCE 5.3 Configuring Your System as a DCE Client with Run-Time Services The prompt might contain a cell name that is the last configured cell name for this host or the first cell name from the alphabetical list of available cells. If you enter a cell name that is not on the list of cell names, the procedure assumes you are performing a WAN configuration, and asks you whether the CDS server is located on the same LAN or subnet. Is the CDS Master Server within broadcast range (YES/NO/?) [N]: After you enter your cell name, the procedure continues, displaying information similar to the following, but dependent on your configuration: Terminating RPC Services/Dce Security Client daemon (DCE$DCED) . . . *** RPC (DCED) shutdown successful *** Starting RPC & Security Client Services daemon (DCE$DCED) . . . % RUN-S-PROC-ID, identification of created process is 238110B0 Starting CDS Name Service Advertiser daemon (DCE$CDSADVER) . . . % RUN-S-PROC-ID, identification of created process is 238110B1 Starting CDS Name Service Client daemon (DCE$CDSCLERK) . . . % RUN-S-PROC-ID, identification of created process is 238110B2 Could not find security master using dcecp registry show Attempting to locate security server Found security server Creating dce$local:[etc.security]pe_site.; file Checking local system time Looking for DTS servers in the LAN profile Looking for Global DTS servers in this cell Found DTS server The local system time is: Wed October 13 12:01:14 1999 Is this time correct? (y/n): Make sure you check that the correct time is displayed before you continue with the configuration. If the time is incorrect, answer N, and the procedure exits to the operating system to allow you to reset the system time. After you correct or verify the time, answer Y, and the procedure resumes. 5-10 Configuring DCE Configuring DCE 5.3 Configuring Your System as a DCE Client with Run-Time Services If DECnet/OSI is installed on your system, the configuration utility displays the following message and then asks several questions about configuring a DCE Distributed Time Service server on your system. You seem to have DECnet/OSI installed on this system. DECnet/OSI includes a distributed time synchronization service (DECdts), which does not currently support the DCE Distributed Time Service (DCE DTS) functionality. The DCE DTS in this release provides full DECdts functionality. This installation will stop DECdts and use DCE DTS instead. For further clarification, please consult the HP DCE for OpenVMS Alpha and OpenVMS I64 Product Guide. Even though DCE DTS will be used, it is possible to accept time from DECdts servers. Should this node accept time from DECdts servers? (YES/NO/?) [N]: Answer Y to accept time from any DECnet/OSI DECdts server; however, time from this source is unauthenticated. If you answer N, this system accepts time only from DCE time servers. If DECnet/OSI is not installed on your system, the configuration utility omits the previous DECdts questions and instead, asks: Do you need the Distributed Time Service (YES/NO/?) [Y]: Answer Y to configure the host as a DTS client. The configuration utility asks if you want to run the MIT Kerberos 5 services on this machine. An answer of Y runs the configuration utility. Do you intend to run MIT Kerberos 5 services on this machine? (YES/NO/?) [N]: After you respond to the prompt, the procedure stops the CDS advertiser and clerk and asks you to perform a dce_ login operation, as follows: Terminating CDS Name Service Advertiser daemon (DCE$CDSADVER) . . . Terminating CDS Name Service Client daemon (DCE$CDSCLERK) . . . Please enter the principal name to be used [cell_admin]: Please enter the password for principal "cell_admin" (or ? for help): Configuring DCE 5-11 Configuring DCE 5.3 Configuring Your System as a DCE Client with Run-Time Services Obtain the password from your system administrator. After you perform the dce_login operation, the procedure begins configuring the security client software. If this system was previously configured as a DCE client or your cell has another host with the same name, the configuration utility also displays a list of client principals that already exist for this system and asks whether to delete the principals. You must delete these principals to continue with the configuration. Configuring security client Creating Dce$Specific:[krb5]krb.conf The following principal(s) already exist under /hosts/dcehost/: /./buster-cell/hosts/dcehost/self Do you wish to delete these principals? (YES/NO/?) [Y]: Deleting client principals Creating ktab entry for client Terminating RPC & Security Client Services daemon (DCE$DCED) . . . Starting RPC & Security Client Services daemon (DCE$DCED) . . . %RUN-S-PROC-ID, identification of created process is 238110B3 Starting sec_client service (please wait). This machine is now a security client. Press to continue . . . Configuring CDS client Creating the cds.conf file Starting CDS Name Service Advertiser daemon (DCE$CDSADVER) . . . %RUN-S-PROC-ID, identification of created process is 238110B4 Starting CDS Name Service Client daemon (DCE$CDSCLERK) . . . %RUN-S-PROC-ID, identification of created process is 238110B5 Testing access to CDS server (please wait). Logging in to DCE using principal "cell_admin" . . . Checking TCP/IP local host database address of "dcehost". Please wait . . . Configuring client host objects in cell namespace . . . Creating /.:/hosts/dcehost objects in name space 5-12 Configuring DCE Configuring DCE 5.3 Configuring Your System as a DCE Client with Run-Time Services Checking TCP/IP local host database for address of "dcehost". Please wait . . . If your cell uses multiple LANs, you are prompted as follows: Please enter the name of your LAN [1.2.3]: If your LAN has not been defined in the namespace, you are asked whether you want to define it. The configuration procedure then continues: This machine is now a CDS client. Stopping sec_client service... Starting sec_client service (please wait). Modifying acls on /.:/hosts/dcehost/config secval xattrschema srvrexec keytab keytab/self hostdata hostdata/dce_cf.db hostdata/cell_name hostdata/pe_site hostdata/cds_attributes hostdata/cds_globalnames hostdata/host_name hostdata/cell_aliases hostdata/post_processors hostdata/svc_routing hostdata/cds.conf hostdata/passwd_override hostdata/group_override hostdata/krb.conf srvrconf Logging in to DCE using principal "cell_admin" . . . Configuring DTS daemon as client (DCE$DTSD) Starting Distributed Time Service daemon (DCE$DTSD) . . . %RUN-S-PROC-ID, identification of created process is 238110B5 This machine is now a DTS clerk. Configuring DCE 5-13 Configuring DCE 5.3 Configuring Your System as a DCE Client with Run-Time Services Do you want to run the DCE Configuration Verification Program? (YES/NO/?) [Y]: The DCE Configuration Verification Program (CVP) exercises the components of DCE that are running in this cell. It requires approximately 1 to 2 minutes to run. If you type y to run the CVP at this time, you see the following display: Executing DCE for OpenVMS Alpha V3.2 CVP (please wait) Copyright (c) Hewlett-Packard Development Company 2005. All Rights Reserved. . . . . . . . . . . . DCE for OpenVMS Alpha V3.2 CVP completed successfully When the procedure is completed, the DCE Setup Main Menu is displayed again. 5.4 Split Server Configuration (Adding a Master CDS Server) This section discusses a split server installation in which a new cell and the master Security Server are created on one system and the master CDS Server is configured on another system. The master CDS Server maintains the master replica of the cell root directory. A split server configuration has four phases: o Begin creating the new cell and master Security Server on one system. o Begin creating the master CDS Server on another system. o Complete creating the new cell and master Security on the first system. 5-14 Configuring DCE Configuring DCE 5.4 Split Server Configuration (Adding a Master CDS Server) o Complete creating the master CDS Server on the second system. 5.4.1 Creating a New Cell and Master Security Server This is the first phase of a split server configuration. Begin this phase by creating the new cell on the machine where the master security server will reside. Choose option 2 (Create a new DCE cell) from the Configuration Choice Menu. Answer the prompts appropriately for the cell name and host name. Then answer N at the following prompt: Do you wish to configure myhost as a CDS server? (YES/NO/?) [Y]: N Proceed through the rest of the configuration answering the remaining questions as shown in section 5.1, until you get to the following: ******************************************************************************* * This system has now been configured as a security server. * * Since you chose not to configure this system as a CDS server, * * you must now configure another system as the Master CDS Server * * for this cell (Option 1 on the dcesetup Main Menu, Option 3 on * * the Configuration Choice Menu.) * * * * When the Master CDS server has been installed and configured, * * press the key to continue configuring this system. * ******************************************************************************* Go to the machine where you will configure the master CDS Server. 5.4.2 Creating a Master CDS Server on Another System This is the second phase of a split server configuration. You must have created a new cell and begun configuring the security server on another machine. Log on to the system on which you want to install the CDS master server, and choose option 3 (Add Master CDS Server) from the Configuration Choice Menu. Answer the following prompts: Please enter the name of your DCE cell []: Please enter your DCE hostname [myhost2]: The procedure asks: Will there be any DCE pre-R1.1 CDS servers in this cell? (YES/NO/?) [N]: Configuring DCE 5-15 Configuring DCE 5.4 Split Server Configuration (Adding a Master CDS Server) If your cell will be running any CDS servers based on OSF DCE Release 1.0.3a or lower, you should answer Y. The configuration utility sets the directory version number to 3.0 for compatibility with pre-R1.1 servers. This disables the use of OSF DCE Release 1.1 features such as alias cells, CDS delegation ACLs, and so on. If all CDS servers in your cell will be based on DCE for OpenVMS Version 3.0 or higher (or an equivalent DCE version based on OSF DCE Release 1.1 or higher) answer N. The configuration utility sets the directory version number to 4.0 for compatibility with DCE for OpenVMS (Version 3.0 or OSF DCE Release 1.1 or higher) CDS servers. This enables the use of OSF DCE Release 1.1 features such as alias cells, CDS delegation ACLs, and so on. Once the directory version is set to 4.0, you cannot set it back to 3.0. The procedure configures accordingly and prompts you to enter the host name of the security server that you just configured. What is the hostname of the Security Server for this cell? []: The configuration procedure continues, and requests additional client information as described in section 5.2. The procedure configures the requested services, and then prompts you to complete the configuration of the security server on the other machine before continuing: ****************************************************************************** * This system has now been configured as the Master CDS Server. * * * * Before continuing, complete the configuration of the Security * * Server... * ****************************************************************************** Press to continue: Return to the system on which you configured the security server. 5-16 Configuring DCE Configuring DCE 5.4 Split Server Configuration (Adding a Master CDS Server) 5.4.3 Completing the Security Server Configuration This is the third phase of a split server configuration. You must have created a new cell and begun configuring the Security Server on one machine. Then you created a master CDS Server on another machine. Now you will complete the Security Server configuration on the first machine. Return to the system on which you configured the Security Server and press the RETURN key. The following prompt is displayed: What is the hostname of the Master CDS Server for this cell [ ]: The configuration procedure proceeds as described in the section Overview of New Cell Configuration. Once the Security Server configuration is complete, return to the host on which you are configuring the master CDS Server and complete the installation. 5.4.4 Completing the CDS Master Server Configuration This is the fourth and final phase of a split server configuration. You must have created a new cell and begun configuring the security server on one machine. Then you created a master CDS server on another machine. You completed the security server configuration on the first machine. Now you will complete the CDS master server configuration. Completion of this phase consists of running the configuration verification program: Do you want to run the DCE Configuration Verification Program? (YES/NO/?) [Y]: You can run the CVP now by answering Y, or you can run the CVP at a later time by answering N. The procedure completes the configuration and returns to the DCE Setup Main Menu. Choose option 2 (Show DCE configuration and active daemons) from the DCE Setup Main Menu to verify your configuration choices. Configuring DCE 5-17 Configuring DCE 5.5 Migrating Your Cell 5.5 Migrating Your Cell Some DCE cells may be running security or CDS servers on hosts with different versions of DCE. This might happen because a cell has DCE software from multiple vendors, each supplying upgrades at different times. Or perhaps upgrading all the hosts simultaneously is not feasible. DCE for OpenVMS Version 3.2 security servers and CDS servers can interoperate with older servers (based on OSF DCE Release 1.0.3a, 1.0.2, and so on). However, new DCE security features associated with OSF DCE Release 1.1 and DCE Release 1.2.2 will generally not be available until all security server replicas in your cell are based on OSF DCE Release 1.1 and 1.2.2. Additionally, new CDS capabilities will not be available until all security servers and some or all CDS servers are based on OSF DCE Release 1.1 and 1.2.2. If your cell contains older versions of Security or CDS Servers, you will need to migrate (gradually upgrade) older servers until all of them are running DCE server software based on OSF DCE Release 1.1 and 1.2.2. Once all Security or CDS Servers have been upgraded, you must perform some additional steps so that your servers can provide the new security and CDS capabilities. Security Servers and CDS Servers use separate procedures to complete migration. Security Migration provides the instructions for completing Security server migration. CDS migration provides the instructions for completing CDS Server migration. 5.5.1 Security Migration After you install the new security server version on a host where an older version security replica (master or slave) exists, that replica will operate with the new Security Server, but with the behavior of the older version server. Note that a server based on OSF DCE 1.1 or higher cannot create a new replica and operate it as an older version replica. Once OSF DCE Release 1.1 has been installed on all hosts that have security replicas, you must issue a single cell-wide command that simultaneously migrates all the replicas to operate at the level of DCE 1.1. At this 5-18 Configuring DCE Configuring DCE 5.5 Migrating Your Cell point the cell will support new security features such as extended registry attributes. ________________________ Note ________________________ Once you have migrated the security servers to DCE 1.1 or higher, it is not possible to create a replica on a host running an earlier version. ______________________________________________________ If all of the Security Server replicas in your cell are based on OSF DCE Release 1.1, you can perform the final migration steps in this section. If your cell is still running any Security Servers based on a DCE release prior to OSF DCE Release 1.1, do not complete the upgrade steps in this section. The upgrade steps will advance some security database attributes. Older servers cannot operate on newer version databases. Once you have installed and configured DCE for OpenVMS Version 3.2 Security Servers in your cell, perform the following actions as cell administrator: 1. Ensure that at lease one security replica can write to the cell profile. Use the following operation to check the cell-profile ACL for: user:dce-rgy:rw-t---. $ dcecp -c acl show -io /.:/cell_profile 2. On all Security Servers, set the server version to: secd.dce.1.1. $ dcecp -c registry modify -version secd.dce.1.1 3. Verify that the version has been set to secd.dce.1.1. $ dcecp -c registry show ________________________ Note ________________________ If you have not updated all 1.0.3 security replicas to DCE 1.1, any original 1.0.3 replicas will be stopped when you move the registry version forward to DCE 1.1. You may want to verify that any original 1.0.3 replicas are no longer running. ______________________________________________________ Configuring DCE 5-19 Configuring DCE 5.5 Migrating Your Cell 5.5.2 CDS Migration If you have installed and configured DCE for OpenVMS Version 3.2 CDS servers in your cell, you might need to perform additional steps to complete the upgrade process. If you created a new DCE cell and, during the dcesetup process, you set the default directory version information for each CDS server to Version 4.0, you do not need to perform the migration steps in this section. If your cell is still running any security or CDS servers based on a DCE release prior to OSF DCE Release 1.1, do not complete the upgrade steps in this section. The upgrade steps will advance some security database and CDS directory attributes. Older servers cannot operate on newer version databases or directories. DCE for OpenVMS Version 3.0 (or equivalent) features, such as hierarchical cells and alias cells, will be available only when all of your cell's security and CDS servers are running DCE for OpenVMS Version 3.0 or higher and the upgrade steps have been completed. Refer to the HP DCE for OpenVMS Alpha and OpenVMS I64 Product Guide and to the OSF DCE documentation for descriptions of available features. Once the necessary DCE servers have been upgraded to DCE software based on OSF DCE Release 1.1 or 1.2.2, you can perform the migration steps in this section. The migration steps will enable the use of hierarchical cells, alias cells, and delegation. ________________________ Note ________________________ Directory version information can only be set forward. If you migrate a CDS server to OSF DCE 1.1 or 1.2.2 behavior, you cannot revert that server to 1.0.3 behavior. ______________________________________________________ Once you have installed and configured DCE for OpenVMS Version 3.2 (or equivalent) security servers and CDS servers, perform the following actions as cell administrator: 1. If you have not done so, perform the security migration steps in Security Migration. 5-20 Configuring DCE Configuring DCE 5.5 Migrating Your Cell 2. For all CDS clearinghouses, manually update the CDS_UpgradeTo attribute to 4.0. The following two operations ensure that new directories created in this clearinghouse will receive the correct directory version number: $ dcecp -c clearinghouse modify/.:/dummy_ch -add "{CDS_UpgradeTo 4.0}" $ dcecp -c clearinghouse verify chname 3. Manually upgrade all older directory version information to 4.0 as follows: $ dcecp -c directory modify /.: -upgrade -tree The -tree option operates recursively on all subdirectories (in this example, it operates on the entire cell). This command does not work unless all CDS servers housing the affected directories are running DCE for OpenVMS Version 3.0 or higher. This command can take a long time to execute depending on the size of the namespace. 5.6 Running the DCE Configuration Verification Program Once the DCE daemons are started, you can run the DCE Configuration Verification Program (CVP) to ensure that the DCE services are properly installed. The procedure prompts you with the following message: Do you want to run the DCE Configuration Verification Program? (YES/NO/?)[Y]: If you enter Y or press RETURN, the procedure indicates that the CVP is running. Executing DCE for OpenVMS Alpha V3.2 CVP (please wait) Copyright (c) Hewlett-Packard Development Company 2005. All Rights Reserved. Configuring DCE 5-21 Configuring DCE 5.6 Running the DCE Configuration Verification Program Verifying . . . . . . . . . . . The CVP invokes tests of the 10 DCE RPC interfaces, printing a dot (.) as each test is successful. A completely successful test execution results in 10 dots printed in succession. When the CVP tests are completed successfully, you receive the following message: DCE for OpenVMS V3.2 CVP completed successfully ________________________ Note ________________________ You can repeat the CVP whenever you want by choosing option 8 (Run Configuration Verification Program) from the DCE Setup Main Menu. ______________________________________________________ After you run the CVP, the configuration procedure updates your system startup procedure so that the daemons restart automatically whenever the system is rebooted. 5.7 Error Recovery During Configuration If the procedure encounters any errors during DCE system configuration, it displays error messages. Some errors are not fatal, and the procedure attempts to continue. Other errors are fatal, and the procedure terminates. If a fatal error is encountered while the procedure is starting the DCE daemons, the procedure attempts to stop any daemons that have already been started. This returns the system to its original state before you began the configuration. 5-22 Configuring DCE Configuring DCE 5.7 Error Recovery During Configuration If you receive an error message at any time while running the DCE System Configuration utility, you can get more detailed information about the cause of the error by examining the associated log file in SYS$MANAGER:DCE$SETUP.LOG. This log file contains a record of the operations invoked by the System Configuration utility the last time it was executed, and may help you diagnose the cause of the problem. Sometimes the cause of an error is transitory and may not recur if you repeat the operation. Configuring DCE 5-23 6 _________________________________________________________________ Modifying Cell Configuration This chapter describes the steps you need to complete to modify a cell configuration. 6.1 Modify Configuration Menu The Modify Configuration Menu varies slightly depending on which components are currently enabled. If a component is enabled, the menu displays the option to disable it. If the component is disabled, the menu displays the option to enable it. In the following view, all options are disabled. *** Modify Configuration Menu *** DCE for OpenVMS Alpha V3.2 1) Add Replica CDS Server 2) Add Replica Security Server 3) Change from DTS Global Server to DTS Local Server 4) Change from DTS Global Server to DTS clerk 5) Add Null Time Provider 6) Add NTP Time Provider 7) Enable Auditing 8) Enable DCE Integrated Login 9) Enable Kerberos 5 10) Configure LDAP Name Service 11) Add LDAP Client Service 12) Enable LDAP GDA 13) Register in X.500 0) Exit Return to previous menu ?) Help Display helpful information Please enter your selection: Modifying Cell Configuration 6-1 Modifying Cell Configuration 6.1 Modify Configuration Menu Table 6-1 provides descriptions of the options available on the DCE Modify Configuration Menu. Table_6-1_Modify_Configuration_Menu_Options________________ Option________________Description__________________________ Add Replica CDS Adds a CDS Replica clearinghouse to Server the configuration on this host. The host must be an existing client or split cell configuration. Add Replica Security Adds a Security Replica to the Server configuration on this host. The host must be an existing client or split cell. Change from DTS Downgrades an existing DTS Global Global Server to DTS Server to a DTS Local Server on this Local Server host. Change from DTS Downgrades an existing DTS Global Global Server to DTS Server to a DTS clerk on this host. clerk Add Null Time Adds a DTS Null Time Provider to the Provider existing configuration on this host. Add NTP Time Adds a DTS NTP Time Provider to the Provider existing configuration on this host. Enable Auditing Enables the DCE auditing daemon to allow the capture and display of DCE audit trails. Enable DCE Provides support for Integrated Integrated Login Login, which combines the DCE and OpenVMS login procedures. See the HP DCE for OpenVMS Alpha and OpenVMS I64 Product Guide for information about Integrated Login. Enable Kerberos 5 Enable DCE on this host to coexist with other Kerberos 5 implementations. (continued on next page) 6-2 Modifying Cell Configuration Modifying Cell Configuration 6.1 Modify Configuration Menu Table_6-1_(Cont.)_Modify_Configuration_Menu_Options________