HP OpenVMS Systems Documentation

HP TCP/IP Services for OpenVMS
Release Notes



# ssh user@vmssystem directory 'SYS$SYSDEVICE:[user]'
  • The translation of the system logical name SYS$ANNOUNCE is displayed after authentication is complete. In this version of SSH, no automated mechanism exists for displaying this text as a prelogin banner.
    To provide a prelogin banner from a text file, create the file SSH_BANNER_MESSAGE. containing the text to be displayed before login.
    To enter multiple lines in the banner text, make sure each line ends with an explicit carriage-return character except the last line.
    Save the banner message file in the TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2] directory, with privileges that allow it to be read by the user account [TCPIP$SSH].
    If you do not use the default file name and location for the message banner file, define them using the BannerMessageFile option in the TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]SSHD2_CONFIG. file. Specify the location and file name of your banner message file as the argument to the option using one of the following formats:


    BannerMessageFile   TCPIP$SSH_DEVICE:[TCPIP$SSH]BANNER1.TXT
    BannerMessageFile   /TCPIP$SSH_DEVICE/TCPIP$SSH/BANNER2.TXT
    BannerMessageFile   /etc/banner3.txt
    

    Note that the argument may be in either OpenVMS or UNIX format and is not case sensitive. (If multiple definitions for the same option are included in the configuration file, the last one listed will take effect.)
    The UNIX path /etc is interpreted by the OpenVMS SSH server as TCPIP$SSH_DEVICE:[TCPIP$SSH].
  • After you execute an SSH remote command, you might need to press the [Return] key to get back to the DCL prompt.
  • When you log out, the message "Connection to hostname closed." may overwrite the last line of the logout message, as in the following example from an SSH session established with host tst1:


    $ LOGOUT
    Connection to tst1 closed.at  7-AUG-2003 14:37:15.01
    
  • You cannot shut down an OpenVMS system from an SSH session, such as by executing the command:


    $ @SYS$SYSTEM:SHUTDOWN.COM
    

    In this version of SSH, the phase of shutdown that stops user processes disconnects the SSH session.
  • SSH access from a non-OpenVMS client to a user with an expired password on an OpenVMS server is controlled by the value of the AllowNonvmsLoginWithExpiredPw option in the SSHD2_CONFIG file. For more information about this option, refer to the HP TCP/IP Services for OpenVMS Guide to SSH.
  • SSH escape sequences are not fully supported. For example, you may have to enter the Escape . exit sequence twice for it to take effect. On exit, the terminal is left in NOECHO and PASTHRU mode.
  • Any OpenVMS command that refreshes the display can have unexpected results when executed as a remote SSH command. For example, the following command exhibits this behavior:


    $ MONITOR PROCESS/TOPCPU
    

    Executed locally, this command displays a bar chart that is continuously updated. When executed as a remote command, it displays each update sequentially. In addition, you cannot terminate the command using Ctrl/C.

    3.5.2 SSH File Copy Restrictions

    • On OpenVMS, setting the ForcePTTYAllocation keyword to YES in the SSH2_CONFIG. file can result in failures when performing file copy operations. (In other implementations of SSH, setting the keyword ForcePTTYAllocation to YES in the SSH2_CONFIG. file has the same effect as using the -t option to the SSH command.)
    • Using the scp and sftp commands from an OpenVMS SSH client to a UNIX server running OpenSSH is not fully supported because certain operations cause the OpenVMS client to hang. The hang cannot be terminated by entering Ctrl/C and Ctrl/Y.
    • File transfer is limited to OpenVMS files with the following record formats (as displayed by the DIRECTORY/FULL command):
      • STREAM_LF
      • Fixed-length 512-byte records
    • Not all variants of UNIX path names are supported when referring to files on OpenVMS clients and servers.
    • Using the SCP and SFTP commands from a non-OpenVMS client may have unpredictable results, depending on how the client formats the target file name and whether the client is SSH2 compatible.

    3.5.3 SSH_ADD Utility Restrictions

    If you do not specify the key file in the SSH_ADD command, and SSH_ADD finds no IDENTIFICATION. file, it adds only the first private key it finds in the [username.SSH2] directory.

    3.6 LPD Restrictions

    The LPD$SPOOL logical name has been removed from the software.

    3.7 IMAP Dependencies

    The IMAP server is limited in the number of connections an IMAP server process can handle before it forces the kernel to create a new IMAP server process. This value is set in the TCPIP$IMAP.CONF file to 25. For example:


    Max-Connections:25
    

    3.8 NSLOOKUP Over a TELNET Connection Fails Under OpenVMS V7.3-1

    If you use TELNET to connect to a system where the subsystem attribute maxbuf is set to greater than 32767 and execute a C program that uses a C runtime call (such as getc or gets) to read data from the terminal, the C program may return a generic user IO error message rather than the specific errors returned by RMS.

    To solve this problem:

    • Set the subsystem attribute maxbuf to 32767. This is a dynamic parameter, so no reboot is required.
    • Install the OpenVMS patch VMS731_RMS-V0100.
    • Reset the maxbuf attribute to the desired value.

    3.9 FTP Restrictions

    The FTP server does not allow you to specify an IP address other than that of the connected client, or the specification of a privileged port, in the PORT, LPRT, or EPRT commands. Any such commands are rejected with the following error:


    500 Illegal {PORT|LPRT|EPRT} command.
    

    The FTP server and client prevent data connection "theft" by a third party. For the FTP server, this applies to passive-mode connections from an IP address other than the client's, or from a privileged port. For the FTP client, this applies to active-mode connections from an IP address other than the server's, or from a port other than port 20.

    You can restore the original behavior by defining the following logical names:

    Server                            Client
    TCPIP$FTPD_ALLOW_ADDR_REDIRECT    TCPIP$FTP_ALLOW_ADDR_REDIRECT
    TCPIP$FTPD_ALLOW_PORT_REDIRECT    TCPIP$FTP_ALLOW_PORT_REDIRECT

    These logical names allow you to relax the IP address and port checks independently in the FTP server and the FTP client.
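
The server-side check described in this section can be sketched as follows. This is an added example, not code from TCP/IP Services: the function names, the 200 reply text and the sample addresses are constructed, and the two flags stand in for the TCPIP$FTPD_ALLOW_ADDR_REDIRECT and TCPIP$FTPD_ALLOW_PORT_REDIRECT logical names.

```python
import ipaddress

PRIVILEGED_LIMIT = 1024  # ports below this value are privileged


def parse_data_endpoint(line):
    """Return (verb, ip, port) named by a PORT, LPRT or EPRT command line."""
    verb, _, arg = line.strip().partition(" ")
    verb, arg = verb.upper(), arg.strip()
    if verb == "PORT":    # RFC 959: h1,h2,h3,h4,p1,p2
        n = [int(x) for x in arg.split(",")]
        if len(n) != 6:
            raise ValueError("PORT needs six numbers")
        # bytes() raises ValueError for any number outside 0..255
        return verb, ipaddress.ip_address(bytes(n[:4])), int.from_bytes(bytes(n[4:]), "big")
    if verb == "LPRT":    # RFC 1639: af,hal,h1..hn,pal,p1..pn
        n = [int(x) for x in arg.split(",")]
        if len(n) < 2 or (n[0], n[1]) not in ((4, 4), (6, 16)):
            raise ValueError("unsupported LPRT address family or length")
        hal = n[1]
        if len(n) != hal + 5 or n[2 + hal] != 2:
            raise ValueError("LPRT needs a two-byte port")
        host, port = bytes(n[2:2 + hal]), bytes(n[3 + hal:])
        return verb, ipaddress.ip_address(host), int.from_bytes(port, "big")
    if verb == "EPRT":    # RFC 2428: <d>af<d>addr<d>port<d>, af 1 = IPv4, 2 = IPv6
        parts = arg.split(arg[0]) if arg else []
        if len(parts) != 5 or parts[0] or parts[4]:
            raise ValueError("malformed EPRT argument")
        ip = ipaddress.ip_address(parts[2])
        if {"1": 4, "2": 6}.get(parts[1]) != ip.version:
            raise ValueError("EPRT family does not match address")
        return verb, ip, int(parts[3])
    raise ValueError("not a data-port command")


def check_data_command(line, client_ip, allow_addr_redirect=False,
                       allow_port_redirect=False):
    """Apply the address and port checks; return the server's reply line.

    The two flags model TCPIP$FTPD_ALLOW_ADDR_REDIRECT and
    TCPIP$FTPD_ALLOW_PORT_REDIRECT, which relax each check independently.
    """
    verb = line.strip().partition(" ")[0].upper()
    try:
        verb, ip, port = parse_data_endpoint(line)
    except ValueError:
        return f"500 Illegal {verb} command."
    addr_ok = allow_addr_redirect or ip == ipaddress.ip_address(client_ip)
    port_ok = allow_port_redirect or port >= PRIVILEGED_LIMIT
    if not 0 < port <= 65535 or not (addr_ok and port_ok):
        return f"500 Illegal {verb} command."
    # Success text is constructed for this example, not quoted from the page.
    return f"200 {verb} command successful."


if __name__ == "__main__":
    client = "192.0.2.10"  # constructed control-connection peer address
    for cmd in ("PORT 192,0,2,10,195,80",        # own address, port 50000
                "PORT 192,0,2,99,195,80",        # third-party address
                "EPRT |1|192.0.2.10|22|",        # privileged port
                "LPRT 4,4,192,0,2,10,2,195,80"):  # long form of the first case
        print(f"{cmd:32} -> {check_data_command(cmd, client)}")
```
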

    3.10 Determining the TCP/IP Device Name from a Channel Assignment

    OpenVMS provides several ways to determine the name of a device on a channel assignment. Using the SYS$GETDVI/SYS$GETDVIW system services, the DVI$_DEVNAM, DVI$_FULLDEVNAM, and DVI$_UNIT items all return information about the device. While the first two items provide the full device name, the DVI$_UNIT item returns only the unit number of the device. To form the complete device name, a program must prefix the unit number (as a string) with the device name and controller information. In the case of the TCP/IP device name, the programmer could add the string BG or BGA. For example, BG + 1234 would produce the device name BG1234:.

    The TCP/IP device name may be altered in a future release. It is good programming practice to use the DVI$_DEVNAM or DVI$_FULLDEVNAM items to obtain the full device-name string. Such programs are not based on the assumption that the TCP/IP device name is BGnnnn or BGAnnnn, and would not be affected by any change in the TCP/IP device name strategy.

    3.11 RCP Full Transparent Copy Operations

    The following sections describe limitations of RCP on OpenVMS.

    3.11.1 Using RCP to Transfer STREAM_LF Files

    RCP on OpenVMS is best used for transferring text files. Under previous versions of TCP/IP Services, RCP converts any type of OpenVMS file that is not STREAM_LF to STREAM_LF format using the standard OpenVMS $CONVERT utility by specifying the files in the following way:


    FILE;ORGA SEQU;RECO;CARR CARR;FORM STREAM_LF;SIZE 0;BLOCK YES
    

    RCP sends the converted file using block-mode RMS file I/O (SYS$READ()) and writes the data using block-mode (SYS$WRITE()).

    This behavior has been changed so that RCP does not convert FIXED or UNDEFINED format files (in addition to STREAM_LF files). You can restore the old behavior using the following logical name:


    TCPIP$RCP_SEND_FIX_FORMAT_AS_ASCII
    
    

    If this logical name is set, the original behavior of converting FIXED and UNDEFINED files is restored. If this logical name is set to a number other than 1, the default behavior is enabled. Files with a fixed-length record size that exactly matches the value of the logical name are not converted.

    For example, if you set this logical name to 512, all FIXED and UNDEFINED files are converted except for files with a fixed-length record size of 512 (such as OpenVMS executable image files).

    The receiving peer, if OpenVMS, always creates a file of type STREAM_LF. The RCP protocol provides no method of transferring file type information between sender and receiver. Therefore, the receiving peer has no way of knowing anything about file structure.

    In an OpenVMS-to-OpenVMS transfer, if the original file was FIXED or UNDEFINED and was not converted, use the DCL command SET FILE/ATTRIBUTES to change the attributes on the resulting STREAM_LF file to correspond to the format of the original file.

    For example, after transferring an OpenVMS executable image file (FIXED format with a record-length of 512 bytes), enter the following command to make it an executable image again:


    $ SET FILE/ATTR=(RFM:FIX,LRL:512) RCP-COPIED-FILE.EXE
    

    3.11.2 RCP File Size Limitations

    The RCP protocol requires that the length of the file be sent as part of the protocol. The length is interpreted as a signed 32-bit integer. On OpenVMS, the file's length is determined using an RTL call to fstat(). Therefore, files transferred using RCP must be less than 2 GB minus 1 byte (2147483647 bytes).

    In comparison, FTP does not have any of these limitations. However, FTP uses a different security model.

    3.12 NFS Problems and Restrictions

    The following sections describe problems and restrictions with NFS.

    3.12.1 NFS Server Problems and Restrictions

    • Using the ls command from a Solaris Version 9 client may hang the OpenVMS server with no error message on either client or server. To avoid this problem, set the nfs subsystem attribute ovms_xqp_plus_enabled to 7. Refer to the HP TCP/IP Services for OpenVMS Management guide for more information about this attribute.
    • Directories in a container file system cannot be deleted, either by the TCP/IP management command REMOVE DIRECTORY or by clients. The following error message is displayed:


      no such file
      
    • Under TCP/IP Services Version 5.3, the NFS client command "mkdir dirname.dir" used on an ODS-5 volume with the TYPELESS_DIRECTORIES export option produces a directory with the OpenVMS name "dirname.DIR;1", which is displayed back to the NFS client as simply "dirname."
      This problem has been fixed in TCP/IP Services Version 5.4. The directory is now created with the OpenVMS file specification "dirname.dir.DIR;1", which is displayed back to the client as "dirname.dir," as expected.
      Therefore, non-OpenVMS clients using an ODS-5 volume should always refer to directories according to whether or not the TYPELESS_DIRECTORIES option is in use.
      • With the TYPELESS_DIRECTORIES option, the file "dirname.DIR;1" must be referred to as "dirname".
      • Without the TYPELESS_DIRECTORIES option, the file "dirname.DIR;1" must be referred to as "dirname.dir".

      Note that you may need to change some export records, either to include the ".dir" at each directory level, or to add the TYPELESS_DIRECTORIES option.
      Client MOUNT commands must also conform to this convention.
    • When performing a mount operation or starting the NFS server with OPCOM enabled, the TCP/IP Services MOUNT server can erroneously display the following message:


      %TCPIP-E-NFS_BFSCAL, operation MOUNT_POINT failed on file /dev/dir
      

      This message appears even when the MOUNT or NFS startup has successfully completed. In the case of a mount operation, if it has actually succeeded, the following message will also be displayed:


      %TCPIP-S-NFS_MNTSUC, mounted file system /dev/dir
      
    • If the NFS server and the NFS client are in different domains and unqualified host names are used in requests, the lock server (LOCKD) fails to honor the request and leaves the file unlocked.
      When the server attempts to look up a host using its unqualified host name (for example, johnws) instead of the fully qualified host name (for example, johnws.abc.com), and the host is not in the same domain as the server, the request fails.
      To solve this type of problem, you can do one of the following:
      • When you configure the NFS client, specify the fully qualified host name, including the domain name. This ensures that translation will succeed.
      • Add an entry to the NFS server's hosts database for the client's unqualified host name. Only that NFS server will be able to translate this host name. This solution will not work if the client obtains its address dynamically from DHCP.

    3.12.2 NFS Client Problems and Restrictions

    • To get proper timestamps, when the system time is changed for daylight savings time (DST), dismount all DNFS devices. (The TCP/IP management command SHOW MOUNT should show zero mounted devices.) Then remount the devices.
    • The NFS client should properly handle file names with the semicolon character on ODS-5 disk volumes. (For example, a^;b.dat;5 is a valid file name.)
      The current version does not handle these types of file names properly; they are truncated at the semicolon.
    • The NFS client included with TCP/IP Services uses the NFS Version 2 protocol only.
    • With the NFS Version 2 protocol, the value of the file size is limited to 32 bits.
    • The ISO Latin-1 character set is supported. The UCS-2 characters are not supported.
    • File names, including file extensions, can be no more than 236 characters long.
    • Files containing characters not accepted by ODS-5 on the active OpenVMS version or whose name and extension exceed 236 characters are truncated to zero length. This makes them invisible to OpenVMS and is consistent with prior OpenVMS NFS client behavior.

    3.13 IPv6 Restrictions

    The following sections describe restrictions in the use of IPv6.

    3.13.1 Mobile IPv6 Restrictions

    The implementation of mobile IPv6 in this version of TCP/IP Services does not support binding update authentication as specified in draft-ietf-mobileip-ipv6-15.TXT, Section 4.4, including the authentication data sub-option defined in Section 5.6. You should limit the use of this version to testing environments that are not subject to attack, because system integrity can be compromised by accepting unauthenticated bindings.

    3.13.2 6to4 Configuration is Not Supported

    TCP/IP Services contains the TCPIP$IP6_SETUP.COM command procedure for configuring IPv6 on a node. The use of this procedure to configure the 6to4 tunnel mechanism is not supported in this release. Attempts to configure 6to4 with the procedure will not succeed.

    3.13.3 IPv6 Requires the BIND Resolver

    If you are using IPv6, you must enable the BIND resolver. To enable the BIND resolver, use the TCPIP$CONFIG.COM command procedure. From the Core menu, select BIND Resolver.

    You must specify the BIND server to enable the BIND resolver. If you do not have access to a BIND server, specify the node address 127.0.0.0 as your BIND server.

    3.14 TCP/IP Management Command Restrictions

    The following restrictions apply to the TCP/IP management commands:

    • TCP/IP Services version 5.4 introduces failSAFE IP, which obsoletes the IP cluster alias address. Consequently, the following TCP/IP management commands are no longer supported:
      • TCPIP SET INTERFACE /NOCLUSTER
      • TCPIP SHOW INTERFACE /CLUSTER

      To show interface addresses, including IP cluster alias addresses, you must use the following sequence of DCL commands:


      $ @SYS$MANAGER:TCPIP$DEFINE_COMMANDS.COM
      $ ifconfig -a
      

      To delete a cluster alias address from the active system, use a DCL command similar to the following:


      $ ifconfig ie0 -alias 10.10.10.1
      

      For backward compatibility, the following TCP/IP management commands continue to be supported:
      • SET CONFIGURATION INTERFACE /CLUSTER
      • SET CONFIGURATION INTERFACE /NOCLUSTER
      • SHOW CONFIGURATION INTERFACE /CLUSTER
    • SET NAME_SERVICE /PATH
      This command requires the SYSNAM privilege. If you enter the command without the appropriate privilege at the process level, the command does not work and you are not notified. If you enter the command at the SYSTEM level, the command does not work and you receive an error message.
    • SET SERVICE command
      When you modify parameters to a service, disable and reenable the service for the modifications to take effect.

    3.15 NTP Problems and Restrictions

    • NTP uses a slew mechanism to synchronize the system clock. The method that NTP uses to obtain a maximum slew value (the maximum amount that NTP will adjust the clock in one attempt) changes when you upgrade from NTP Version 3 to NTP Version 4. As a result of this change, it may take longer for clocks to come into synchronization under NTPv4 than it did under NTPv3.
    • The NTP server has a stratum limit of 15. The server does not synchronize to any time server that reports a stratum of 15 or greater. This may cause problems if you try to synchronize to a server running the UCX NTP server, if that server has been designated as "free running" (with the local-master command). For proper operation, the local-master designation must be specified with a stratum no greater than 14.
    • When running on certain high-performance Alpha systems, NTP may be unable to adjust the system clock; therefore, NTP will not be able to provide accurate timekeeping. When this happens, the following error message appears in the NTP log file:


      %SYSTEM-F-BADLOGIC, internal logic error detected
      VMS timekeeping is not working as expected - can't proceed
      

    3.16 SNMP Problems

    This section describes restrictions to the SNMP component for this release. For more information about using SNMP, refer to the Compaq TCP/IP Services for OpenVMS SNMP Programming and Reference manual.

    3.16.1 Incomplete Restart

    When the SNMP master agent and subagents fail or are stopped, TCP/IP Services is often able to restart all processes automatically. However, under certain conditions, subagent processes may not restart. When this happens, the display from the DCL command SHOW SYSTEM does not include TCPIP$OS_MIBS and TCPIP$HR_MIB. If this situation occurs, restart SNMP by entering the following commands:


    $ @SYS$STARTUP:TCPIP$SNMP_SHUTDOWN.COM
    
    $ @SYS$STARTUP:TCPIP$SNMP_STARTUP.COM
    

    3.16.2 SNMP IVP Error

    On slow systems, the SNMP Installation Verification Procedure can fail because a subagent does not respond to the test query. The error messages look like this:


       .
       .
       .
    Shutting down the SNMP service... done.
    
    
    Creating temporary read/write community SNMPIVP_153.
    
    Enabling SET operations.
    
    Starting the SNMP service... done.
    
    SNMPIVP: unexpected text in response to SNMP request:
    "- no such name - returned for variable 1"
    See file SYS$SYSDEVICE:[TCPIP$SNMP]TCPIP$SNMP_REQUEST.DAT for more
    details.
    sysContact could not be retrieved.  Status = 0
    The SNMP IVP has NOT completed successfully.
    SNMP IVP request completed.
    Press Return to continue ...
    

    You can ignore these types of messages in the IVP.

    3.16.3 Using Existing MIB Subagent Modules

    If an existing subagent does not execute properly, you may need to relink it against the current version of TCP/IP Services to produce a working image. Some subagents (such as those for OpenVMS support of Compaq Insight Manager) also require a minimum version of OpenVMS and a minimum version of TCP/IP Services.

    The following restrictions apply:

    • In general, only executable images linked against the following versions of the eSNMP shareable image are upward compatible with the current version of TCP/IP Services:
      • UCX$ESNMP_SHR.EXE from TCP/IP Services Version 4.2 ECO 4
      • TCPIP$ESNMP_SHR.EXE from TCP/IP Services Version 5.0A ECO 1

      Images built under versions other than these can be relinked with one of the shareable images, or with TCPIP$ESNMP_SHR.EXE in the current version of TCP/IP Services.
    • The underlying eSNMP API changed from DPI in Version 5.0 to AgentX in the current version of TCP/IP Services. Therefore, executable images linked against older object library versions of the API (*$ESNMP.OLB) must be relinked against either the new object library or the new shareable image. Linking against the shareable image ensures future upward compatibility and results in smaller image sizes.

      Note

      Although images may run without being relinked, backward compatibility is not guaranteed. These images can result in inaccurate data or run-time problems.
    • This version of TCP/IP Services provides an updated version of the UCX$ESNMP_SHR.EXE shareable image to provide compatibility with subagents linked under TCP/IP Services Version 4.2 ECO 4. Do not delete this file.
    • The SNMP server responds correctly to SNMP requests directed to a cluster alias. Note, however, that an unexpected host may be reached when querying from a TCP/IP Services Version 4.x system that is a member of a cluster group but is not the current impersonator.
    • The SNMP master agent and subagents do not start if the value of logical name TCPIP$INET_HOST does not yield the IP address of a functional interface on the host when used in a DNS query. This problem does not occur if the server host is configured correctly with a permanent network connection (for example, Ethernet or FDDI). The problem can occur when a host is connected through PPP and the IP address used for the PPP connection does not match the IP address of the TCPIP$INET_HOST logical name.
    • Under certain conditions observed primarily on OpenVMS VAX systems, the master agent or subagent exits with an error from an internal select() socket call. In most circumstances, looping does not occur. You can control the number of iterations if looping occurs by defining the TCPIP$SNMP_SELECT_ERROR_LIMIT logical name.
    • The MIB browser provided with TCP/IP Services (TCPIP$SNMP_REQUEST.EXE) supports getnext processing of OIDs that include the 32-bit OpenVMS process ID as a component. However, other MIB browsers may not provide this support.
      For example, the following OIDs and values are supported on OpenVMS:


      1.3.6.1.2.1.25.4.2.1.1.1321206828 = 1321206828
      1.3.6.1.2.1.25.4.2.1.1.1321206829 = 1321206829
      1.3.6.1.2.1.25.4.2.1.1.1321206830 = 1321206830
      
      

      These examples are from hrSWRunTable; the hrSWRunPerfTable may be affected as well.
    • You can ignore the following warning that appears in the log file if a null OID value (0.0) is retrieved in response to a Get, GetNext, or GetBulk request:


      o_oid; Null oid or oid->elements, or oid->nelem == 0
      

