HP OpenVMS Systems Documentation

HP TCP/IP Services for OpenVMS
Release Notes


1.5.2 IPv6 API Updates

The IPv6 programming APIs have been updated. New programming examples are provided with this release. The following is a list of the specific changes to the IPv6 APIs:

  • IPv6 Changes:
    • The flag value AI_DEFAULT, which could previously be specified in the ai_flags parameter for a call to the getaddrinfo function, has been deprecated. It will be removed from the NETDB.H file in a future release. To achieve the behavior defined by this flag, specify the logical OR of the flag values AI_V4MAPPED and AI_ADDRCONFIG.
    • The BIND resolver has been updated as described in the following RFC draft:


      draft-ietf-ipngwg-scoping-arch-04.txt
      

      This change allows the specification of an IPv6 nonglobal address without ambiguity by also specifying an intended scope zone. The format is as follows:


      address%zone_id
      

      The format of the nonglobal address includes the following:
      • address is a literal IPv6 address
      • zone_id is a string to identify the zone of the address
      • % is a delimiter character to distinguish between the address and zone identifier.

      For example, the following specifies a nonglobal address on interface WE0:


      fe80::1234%WE0
      
  • The IPv4 TCP and UDP client and server C socket programming example programs that reside in SYS$COMMON:[SYSHLP.EXAMPLES.TCPIP] have been ported to IPv6. The IPv6 versions of these example programs are located in SYS$COMMON:[SYSHLP.EXAMPLES.TCPIP.IPV6].
  • The IPv6 example database and configuration files in SYS$COMMON:[SYSHLP.EXAMPLES.TCPIP.IPV6.BIND] have been updated to reflect current practice.

For more information about using the IPv6 APIs, refer to the HP TCP/IP Services for OpenVMS Guide to IPv6.
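
The address%zone_id notation described above, shown as an added example (not one of the programs shipped in the HP example directories): a C routine that splits a scoped literal and rejects malformed or ambiguous input before it is handed to getaddrinfo. The names parse_scoped, scoped_addr and ZONE_MAX, and the alphanumeric zone_id policy, are assumptions made for illustration.

```c
/* Added example: validate and split the "address%zone_id" notation. */
#include <arpa/inet.h>
#include <ctype.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#define ZONE_MAX 32 /* assumed limit on zone_id length, not from the release notes */

enum scoped_status {
    SCOPED_OK = 0,
    SCOPED_BAD_ADDRESS,  /* part before '%' is not a literal IPv6 address */
    SCOPED_BAD_ZONE,     /* '%' present but zone_id empty, too long or malformed */
    SCOPED_ZONE_REQUIRED /* nonglobal address given without a zone: ambiguous */
};

struct scoped_addr {
    struct in6_addr addr;
    char zone[ZONE_MAX + 1]; /* empty string when no zone_id was supplied */
};

/* fe80::/10 (link-local) and fec0::/10 (site-local) unicast are nonglobal. */
static int is_nonglobal(const struct in6_addr *a)
{
    return a->s6_addr[0] == 0xfe && (a->s6_addr[1] & 0x80) != 0;
}

enum scoped_status parse_scoped(const char *text, struct scoped_addr *out)
{
    char addr_part[INET6_ADDRSTRLEN];
    const char *pct = strchr(text, '%'); /* first '%' is the delimiter */
    size_t addr_len = pct ? (size_t)(pct - text) : strlen(text);
    size_t zone_len, i;

    memset(out, 0, sizeof *out);
    if (addr_len == 0 || addr_len >= sizeof addr_part)
        return SCOPED_BAD_ADDRESS;
    memcpy(addr_part, text, addr_len);
    addr_part[addr_len] = '\0';
    /* inet_pton accepts only literals, so host names are rejected here. */
    if (inet_pton(AF_INET6, addr_part, &out->addr) != 1)
        return SCOPED_BAD_ADDRESS;

    if (pct == NULL)
        return is_nonglobal(&out->addr) ? SCOPED_ZONE_REQUIRED : SCOPED_OK;

    zone_len = strlen(pct + 1);
    if (zone_len == 0 || zone_len > ZONE_MAX)
        return SCOPED_BAD_ZONE;
    for (i = 0; i < zone_len; i++) /* assumed policy: alphanumeric zone names */
        if (!isalnum((unsigned char)pct[1 + i]))
            return SCOPED_BAD_ZONE;
    memcpy(out->zone, pct + 1, zone_len + 1);
    return SCOPED_OK;
}

int main(void)
{
    /* Constructed inputs; only fe80::1234%WE0 comes from the release notes. */
    const char *samples[] = { "fe80::1234%WE0", "fe80::1234", "fe80::1234%",
                              "2001:db8::1", "lassie%WE0" };
    struct scoped_addr s;
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s status=%d zone=\"%s\"\n", samples[i],
               (int)parse_scoped(samples[i], &s), s.zone);
    return 0;
}
```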

1.6 BIND Version 9.2.1

The BIND server has been updated from Version 9.2.0 to Version 9.2.1. This update provides corrections to problems in the previous version of the software.

1.7 Performance Enhancements to the INET Driver

For Alpha systems only, the INETDRIVER now uses the faster internal interface to the TCP/IP networking kernel. The impact on nonpaged pool consumption and process quotas is now greatly reduced.

1.8 Performance Enhancements to the NFS Server

The NFS server now caches the contents of directory files, in addition to the content of other files. The server must access the directory files to cache them.

For information about managing the NFS directory cache, see the HP TCP/IP Services for OpenVMS Management guide.

1.9 Performance Enhancements to the TELNET Server

The TELNET/RLOGIN server (TNDRIVER) has been improved as follows:

  • The amount of CPU overhead required for maintaining the TN devices has been reduced.
  • IOLOCK8 spinlocks are no longer used.
  • Concurrent operation of TN devices has been added.

1.10 Support for More Than 10,000 BG Devices

This feature allows a system, such as a web server, to have more than 10,000 devices. To enable this feature, set the following net subsystem attribute to a value from 9999 to 32767:


ovms_unit_maximum

This subsystem attribute must be defined in the SYSCONFIGTAB.DAT file. For more information about modifying the SYSCONFIGTAB.DAT file, see the HP TCP/IP Services for OpenVMS Tuning and Troubleshooting guide.

1.11 Support for Fast BG Device Creation and Deletion

To support systems where large numbers of BG devices are continuously being created and deleted, as well as systems where the number of BG devices has been increased above the default 10,000 device unit limit, a new subsystem attribute enables fast creation and deletion of BG devices:


ovms_unit_fast_credel

The default setting for this attribute is 0, or OFF. This attribute must be defined in the SYSCONFIGTAB.DAT file. For more information about modifying the SYSCONFIGTAB.DAT file, see the HP TCP/IP Services for OpenVMS Tuning and Troubleshooting guide.

1.12 Updated TCP/IP Kernel

The TCP/IP Services kernel has been updated to Tru64 UNIX 5.1B.

1.13 tcpdump Support

This version of TCP/IP Services includes the tcpdump utility. The tcpdump utility provides dump analysis and packet capturing. Specifically:

  • Native packet tracing and file-based tracing
  • Native tracing in copy-all mode (no promiscuous support)
  • Filter expression (boolean-based). For example:


    $ tcpdump ip host lassie and (port 21 or port 20)
    

For information about using the tcpdump utility, see the HP TCP/IP Services for OpenVMS Tuning and Troubleshooting guide.


Chapter 2
Installation, Configuration, and Startup Notes

Use this chapter in conjunction with the HP TCP/IP Services for OpenVMS Installation and Configuration manual.

2.1 Installing Over V5.3 Early Adopter's Kits (EAKs)

If you have installed one or more of the following V5.3 EAKs, you must use the PCSI REMOVE command to remove the EAKs before you install TCP/IP Services V5.4:

  • SSH for OpenVMS EAK
  • failSAFE IP EAK

Note

If you install the current TCP/IP Services version after removing the failSAFE IP EAK, you must run TCPIP$CONFIG.COM to reestablish your target and home interfaces.

2.2 Installation Changes

The TCPIP$VMS_FILES.DOC file is no longer included in the installation of the TCP/IP Services software kit.

2.3 Configuring IPv6

The following sections describe procedures specific to systems where IPv6 is to be enabled.

2.3.1 Information for Users of the IPv6 Early Adopter's Kit

If you are running any version of the TCP/IP Services V5.0 IPv6 EAK, remove the EAK and then install the current version of the TCP/IP Services software. You must then run the TCPIP$IP6_SETUP.COM command procedure. For more information, refer to the HP TCP/IP Services for OpenVMS Guide to IPv6.

The definition of a sockaddr structure has been changed. This change breaks binary compatibility for IPv6 applications that were compiled using the TCP/IP Services Version 5.0 EAK. You must recompile and relink your applications after you install the current version of TCP/IP Services.

2.3.2 Warning Message in TCPIP$CONFIG.COM

If you have run the TCPIP$IP6_SETUP.COM procedure to enable IPv6, and then you run the TCPIP$CONFIG.COM command procedure, TCPIP$CONFIG.COM displays the following warning message when you select the Core environment option:


                           WARNING

This node has been configured for IPv6.  If you make any additional
changes to the configuration of the interfaces, you must run
TCPIP$IP6_SETUP again and update your host name information in
BIND/DNS for the changes to take effect.

2.4 Startup Problems and Restrictions

The following list describes the restrictions on starting TCP/IP Services:

  • Booting OpenVMS with MIN, INST, or UPGRADE is not supported. The product configuration and startup command procedures (TCPIP$CONFIG.COM and TCPIP$STARTUP.COM) fail if you perform any kind of boot other than a full boot.
  • The TCPIP$CONFIG.COM command procedure fails on systems that do not have a SYSUAF database and a RIGHTSLIST database. These OpenVMS files must be created before you configure TCP/IP Services.

2.5 Upgrading from TCP/IP Services Version 4.x

The following sections describe how to preserve the behavior of the software when you upgrade from an older version of TCP/IP Services (UCX) to the current version.

2.5.1 Upgrading LPD

  • When you merge edits into the system startup command procedure, do not include the commands to start and stop the queue UCX$LPD_QUEUE. This queue has been replaced with TCPIP$LPD_QUEUE. The commands for starting and stopping TCPIP$LPD_QUEUE are in the LPD startup and shutdown command procedure files.
  • After you merge the edits, modify the value of the /PROCESSOR qualifier in the LPD client queue startup commands that you have just appended, replacing UCX$LPD_SMB with TCPIP$LPD_SMB. For example, enter the following command:


    LSE Command> SUBSTITUTE/ALL "ucx$lpd_smb" "tcpip$lpd_smb"
    

2.5.2 Saving Mail Messages When You Upgrade

The new version of SMTP includes control files that are different from previous versions. Before upgrading to the current version of TCP/IP Services, use the TCP/IP management command ANALYZE MAIL to pick up any dead letters (SMTP control files that have not been submitted to a print queue). For example:


$ TCPIP ANALYZE MAIL/REPAIR

2.5.3 Preserving SNMP Startup and Shutdown Behavior

After you upgrade to the current version of TCP/IP Services, you must perform one of the following actions to ensure correct SNMP startup:

  • If SNMP was configured under an old TCP/IP Services installation (UCX) and you want to retain the previous configuration, run the SYS$MANAGER:TCPIP$CONFIG.COM command procedure and select the option to automatically convert UCX configuration files.
  • After you upgrade to the current version of TCP/IP Services, run the SYS$MANAGER:TCPIP$CONFIG.COM command procedure. If SNMP is still enabled, disable SNMP then enable it again. This is necessary for the proper operation of this component.

If you have customized versions of the UCX$SNMP_STARTUP.COM and UCX$SNMP_SHUTDOWN.COM command procedures (used to start and stop extension subagents), save your customized files to a different directory before upgrading to the new version of TCP/IP Services. If you do not perform this step, your customized changes will be lost.

Check for versions of these files in the following locations:

  • SYS$MANAGER
  • SYS$STARTUP
  • SYS$SYSDEVICE:[UCX$SNMP]

After you install TCP/IP Services, manually enter commands into the TCPIP$SNMP_SYSTARTUP.COM and TCPIP$SNMP_SYSHUTDOWN.COM command procedures, as described in the HP TCP/IP Services for OpenVMS Management guide.

2.5.4 Customizing SNMP Startup and Shutdown

Enabling SNMP using the TCPIP$CONFIG.COM command procedure no longer creates the following files:

  • TCPIP$SNMP_SYSTARTUP.COM
  • TCPIP$SNMP_SYSHUTDOWN.COM

These command procedures are used for starting and stopping custom SNMP subagents. They will not be affected by installing future versions of TCP/IP Services.

2.5.5 SNMP Messages When You Install TCP/IP Services

For sites where the same version of TCP/IP Services is installed multiple times, informational messages similar to the following may appear in the installation dialog:



Do you want to review the options? [NO]

Execution phase starting ...

The following product will be installed to destination:
    DEC AXPVMS TCPIP T5.3-9I               DISK$AXPVMSSYS:[VMS$COMMON.]
The following product will be removed from destination:
    DEC AXPVMS TCPIP T5.3-9H               DISK$AXPVMSSYS:[VMS$COMMON.]
%PCSI-I-RETAIN, file [SYSEXE]TCPIP$ESNMP_SERVER.EXE was not replaced because
file from kit does not have higher generation number
%PCSI-I-RETAIN, file [SYSEXE]TCPIP$HR_MIB.EXE was not replaced because file
from kit does not have higher generation number
%PCSI-I-RETAIN, file [SYSEXE]TCPIP$OS_MIBS.EXE was not replaced because file
from kit does not have higher generation number
%PCSI-I-RETAIN, file [SYSLIB]TCPIP$ESNMP_SHR.EXE was not replaced because file
from kit does not have higher generation number
%PCSI-I-RETAIN, file [SYSLIB]UCX$ESNMP_SHR.EXE was not replaced because file
from kit does not have higher generation number

You can ignore these messages.

2.5.6 SNMP Subagent Startup Messages

The SNMP startup procedure can produce the following error messages in subagent log files:


25-JUL-2001 14:13:32.47 **ERROR ESNMP_INIT.C line 3777: Could not
connect to master: connection refused
25-JUL-2001 14:13:32.94 WARNING OS_MIBS.C line 942: Master agent
cannot be reached.  Waiting to attempt reconnect.

These messages are the result of a timing problem and can be ignored.

2.6 Troubleshooting SMTP and LPD Shutdown Problems

If SMTP or LPD shutdown generates errors indicating that the queue manager is not running, check your site-specific shutdown command procedure (VMS_SYSHUTDOWN.COM). If this procedure contains the command to stop the queue manager (STOP/QUEUE/MANAGER), make sure this command is after the command that runs the TCPIP$SHUTDOWN.COM command procedure.

Note

You do not have to stop the queue manager explicitly. The queue manager is automatically stopped and started when you restart the system.


Chapter 3
Problems and Restrictions

This chapter provides information about problems and restrictions in the current version of TCP/IP Services.

3.1 Advanced Programming Environment Restrictions and Guidelines

If you use the TCP/IP advanced programming features, you should keep the following in mind:

  • The header files provided in TCPIP$EXAMPLES are provided as part of our advanced TCP/IP programming environment. The following list describes restrictions and guidelines for using them:
    • Use of the functions and data structures described in TCPIP$EXAMPLES:RESOLV.H is limited to 32-bit pointers. The underlying implementation will only handle 32-bit pointers. Previously, 64-bit pointers were wrongly accepted, resulting in undefined behavior for the underlying implementation.
    • IP.H and IP6.H are header files that are incomplete in the OpenVMS environment. They contain include directives for header files that are not provided in this version of TCP/IP Services.
    • NAMESER.H and RESOLV.H contain transliterations that intercept calls made to nameserver and resolver API routines and redirect them to TCPIP$LIB.OLB. If you wish to use an implementation of these routines other than the one provided by TCP/IP Services, define the following symbols:
      __TCPIP_NO_NS_TRANSLITERATIONS for the nameserver API routines.

      __TCPIP_NO_RES_TRANSLITERATIONS for the resolver API routines.
  • Problems with the basic socket API
    The routines getaddrinfo, getnameinfo, and freeaddrinfo, which are described as part of the Basic Socket Interface Extensions for IPv6 (RFC 2553bis), are not thread-safe.

3.2 failSAFE IP Restrictions

After an interface failure has occurred, the TCP/IP management command SHOW INTERFACE will not display pseudo interface addresses. Users of failSAFE IP must use the ifconfig utility to view IP addresses. For more information about using failSAFE IP, refer to the HP TCP/IP Services for OpenVMS Management guide.

3.3 BIND/DNS Restrictions

BIND Version 9 has the following restrictions when using DNSSEC:

  • Certain BIND server implementations do not support AAAA (IPv6 address) records. When queried for a AAAA (IPv6) record type by the BIND resolver, these name servers will return an NXDOMAIN status, even if an A (IPv4) record exists for the same domain name. These name servers should be returning NOERROR as the status for such a query. This problem can result in delays during host name resolution.
    BIND Version 9.2.1, which is supported with this version of TCP/IP Services, does not exhibit this problem.
  • Serving secure zones
    When acting as an authoritative name server, BIND Version 9 includes KEY, SIG, and NXT records in responses as specified in RFC 2535 when the request has the DO flag set in the query.
    Response generation for wildcard records in secure zones is not fully supported. Responses indicating the nonexistence of a name include a NXT record proving the nonexistence of the name itself, but do not include any NXT records to prove the nonexistence of a matching wildcard record. Positive responses resulting from wildcard expansion do not include the NXT records to prove the nonexistence of a non-wildcard match or a more specific wildcard match.
  • Secure resolution
    Basic support for validation of DNSSEC signatures in responses has been implemented but should be considered experimental.
    When acting as a caching name server, BIND Version 9 is capable of performing basic DNSSEC validation of positive as well as nonexistence responses. This functionality is enabled by including a trusted-keys clause containing the top-level zone key of the DNSSEC tree in the configuration file.
    Validation of wildcard responses is not currently supported. In particular, a "name does not exist" response will validate successfully even if the server does not contain the NXT records to prove the nonexistence of a matching wildcard.
    Proof of insecure status for insecure zones delegated from secure zones works when the zones are completely insecure. Privately secured zones delegated from secure zones will not work in all cases, such as when the privately secured zone is served by the same server as an ancestor (but not parent) zone.
    Handling of the CD bit in queries is now fully implemented. Validation is not attempted for recursive queries if CD is set.
  • Secure dynamic update
    Dynamic updating of secure zones has been partially implemented. Affected NXT and SIG records are updated by the server when an update occurs. Use the update-policy statement in the zone definition for advanced access control.
  • Secure zone transfers
    BIND Version 9 does not implement the zone transfer security mechanisms of RFC 2535 because they are considered inferior to the use of TSIG or SIG(0) to ensure the integrity of zone transfers.

3.4 tcpdump Restrictions

In many ways, tcpdump works the same way on OpenVMS as it does on UNIX systems, with the following restrictions:

  • On UNIX systems, tcpdump sets the NIC into promiscuous mode and everything in the transmission is sent to tcpdump.
    On OpenVMS systems, tcpdump only sees the packets destined for and sent from the local host. Therefore, tcpdump works in copy-all mode. Because it only sees a copy of the packets that are processed by the TCP/IP kernel, tcpdump can only trace natively IP, IPv6, and ARP protocols on Ethernet.
    tcpdump can format or filter packets that have been traced from another platform running tcpdump in promiscuous mode. In this case it will process other protocols, like DECnet.
  • Ethernet is the only supported type of NIC. Other types of NICs (such as ATM, FDDI, Token Ring, SLIP, and PPP) are not supported.
  • The -i option is not supported. On UNIX systems, this option specifies the interface that tcpdump is attached to.
    On OpenVMS systems, tcpdump obtains packets from the TCP/IP kernel.
  • The -p option is not supported.
    On UNIX systems, this option specifies that tcpdump stops working in promiscuous mode.
    On OpenVMS, tcpdump does not work in promiscuous mode. Therefore, this option is set by default.
  • If you are using the Ethereal software to dump IPv6 network traffic, use the following command format to write the data in the correct format:


    $ tcpdump -w filename
    
  • Only one process at a time can issue traces. This is a common restriction for both TCPTRACE and tcpdump.

3.5 SSH Restrictions

This section contains the following information:

3.5.1 General SSH Restrictions

This section describes restrictions not specific to a particular SSH application.

  • If hostbased authentication does not work, the SSH server may have failed to match the host name sent by the client with the one it finds in DNS. You can check whether this problem exists by comparing the output of the following commands (ignoring differences in case of the output text):
    • On the server host:


      $ TCPIP
      TCPIP> SHOW HOST client-ip-address
      
    • On the client host:


      $ write sys$output -
      $_ "''f$trnlnm("TCPIP$INET_HOST")'.''f$trnlnm("TCPIP$INET_DOMAIN")'"
      

      If the two strings do not match, you should check the host name and domain configuration on the client host. It may be necessary to reconfigure and restart TCP/IP Services on the client host.
  • In this release, an SSH client user can copy its own version of the public key from an SSH server not previously contacted. To force users to use only the systemwide version of the server public key, you can perform the following steps.

    Note

    Steps 2 and 3 involve modification of system files. Therefore, it may be necessary to repeat them after a future update of TCP/IP Services.
    1. Edit TCPIP$SSH_DEVICE:[TCPIP$SSH]SSH2_CONFIG. to include the following line:


      StrictHostKeyChecking  yes
      
    2. Restrict user access to TCPIP$SSH_DEVICE:[TCPIP$SSH]SSH2_CONFIG. For example:


      $ SET SECURITY/PROTECTION=(G,W) TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]SSH2_CONFIG.;
      
    3. Edit the SYS$STARTUP:TCPIP$SSH_CLIENT_STARTUP.COM command procedure to install the SSH server image with the READALL privilege on startup. In the following example, change the existing line to the replacement line, as indicated:


      ...
      $     image = f$edit("sys$system:tcpip$ssh_ssh2.exe","upcase")
      $!    call install_image 'image' ""          <== existing line
      $     call install_image 'image' "readall"   <== replacement
      ...
      
    4. Enable the SSH client, as described in the HP TCP/IP Services for OpenVMS Guide to SSH.
  • When you execute remote commands on the OpenVMS SSH server, the log file TCPIP$SSH_RCMD.LOG is created in the directory defined by the logical name SYS$LOGIN for your user account. This log file must be purged manually.
  • When you execute remote commands on an OpenVMS SSH client connected to a non-OpenVMS SSH server:
    • Output may not display correctly. For example, sequential lines might be offset as if missing a linefeed, as in the following example:


      $ ssh user@unixhost ls -a
        user's password:
        Authentication successful.
        .
         ..
           .TTauthority
                       .Xauthority
                                  .cshrc
                                        .dt
                                           .dtprofile
      

      To get the output to display correctly, use the following format:


      $ ssh -t [options] user@unixhost [command]
      
    • Commands that automatically refresh the display, such as the MONITOR utility, may not display correctly.
  • The server configuration parameter PermitRootLogin is not supported.
  • The client configuration parameter EnforceSecureRutils is not supported.
  • There is no automatic mapping from the UNIX ROOT account to the OpenVMS SYSTEM account.
  • The SSH1 protocol suite is not supported for terminal sessions, remote command execution, and file transfer operations. Parameters related to SSH1 in the server and client configuration files are ignored.
  • Starting SSH sessions recursively (for example, starting one SSH session from within an existing SSH session) creates a layer of sessions. Logging out of the innermost session may return to a layer other than the one from which the session was started.
  • Some SSH informational, warning, and error message codes are truncated in the display. For example:


    %TCPIP-E-SSH_FC_ERR_NO_S, file doesn't exist
    
  • Cutting and pasting from SSH terminal sessions on an OpenVMS server can cause data truncation. When this happens, the following error message is displayed:


    -SYSTEM-W-DATAOVERUN, data overrun
    
  • Some SSH log and trace output messages, and informational, warning, and error messages display file specifications as UNIX path names.
  • From a UNIX client, if you use OpenVMS syntax for names (such as device names), enclose the names in single quotation marks to prevent UNIX-style interpretation of certain characters.
    For example, in the following command, UNIX interprets the dollar sign ($) in the device name SYS$SYSDEVICE:[user] as SYS:[user].


    # ssh user@vmssystem directory SYS$SYSDEVICE:[user]
    

    To avoid this problem, enter the command using the following format:

