HP OpenVMS Systems

HP Advanced Server for OpenVMS
Server Installation and Configuration Guide


5.6 Special Advanced Server Management Commands

HP provides numerous command procedures that, for example, provide shortcuts for invoking certain server management commands and procedures. You can see a list of these commands by examining the contents of the file SYS$MANAGER:PWRK$DEFINE_COMMANDS.COM.

You can define these Advanced Server management commands automatically when you log in to the account that you use to manage the Advanced Server. To define Advanced Server commands at login, edit the LOGIN.COM file of the privileged account to add the following line:


$ @SYS$MANAGER:PWRK$DEFINE_COMMANDS

5.7 Setting Up External Authentication

The OpenVMS operating system Versions 7.1 and higher provide support for external authentication. Advanced Server participates with the operating system to allow Advanced Server domain users to log in to the OpenVMS operating system using their Advanced Server domain user names and passwords. The Advanced Server externally authenticates the login request.

External authentication can provide automatic password synchronization between an OpenVMS account and a corresponding Advanced Server domain account. Users who have both OpenVMS and Advanced Server domain user accounts can avoid maintaining two different passwords. If the domain account password is changed, the OpenVMS LOGINOUT program sets the OpenVMS account password to the domain account password the next time the user logs in to the OpenVMS account. If the user changes the OpenVMS password with the DCL SET PASSWORD command, the SET PASSWORD command sends the password change to the Advanced Server external authenticator. For synchronization to succeed, an Advanced Server domain controller must be available and the domain account password must meet OpenVMS syntax requirements.

When you start the Advanced Server, external authentication is automatically enabled for user accounts tagged for external authentication in the SYSUAF. (To enable external authentication, PWRK$ACME_STARTUP.COM defines bit 0 of the SYS$SINGLE_SIGNON logical in SYSTARTUP_VMS.COM to the value 1. You can disable external authentication by changing the default value of this bit. For information on disabling external authentication and on defining the other bits in the SYS$SINGLE_SIGNON logical, see Section 5.7.5, Disabling External Authentication.)

For more information about enabling external authentication on OpenVMS systems, refer to the OpenVMS Guide to System Security.

No additional configuration is necessary on cluster members running the Advanced Server to enable the Advanced Server to participate in the external authentication process. However, to use external authentication in an Advanced Server cluster, all cluster members should be configured to be able to process OpenVMS logon requests for network users, so that externally authenticated users can log on to the cluster through any node in the cluster. A cluster member that is not running the complete Advanced Server can be configured to authenticate logon requests from network users if it has access to external authentication software on a shared cluster system disk. If it does not have access to external authentication software on a shared cluster system disk, you can enable external authentication on that system by copying only the external authentication images to the system disk, following the steps given in Section 5.7.1, Setting Up External Authentication in OpenVMS Clusters.

To provide external authentication on the Advanced Server system, perform the following steps:

  1. Install one of the following:
    • The Advanced Server
    • The standalone external authentication software

    Note

    At least one node in the cluster must run the complete Advanced Server software.

    For more information, see Chapter 2, Installing Advanced Server for OpenVMS Software.
  2. Set the appropriate OpenVMS user accounts to allow external authentication (in SYSUAF). For more information, refer to the OpenVMS Guide to System Security.
  3. If the complete Advanced Server software is installed, start the server and external authentication will be enabled for all user accounts allowing external authentication.
    If the standalone Advanced Server external authentication software is installed, perform the following:
    1. Add the following lines to your SYSTARTUP_VMS.COM file:


      $ DEFINE/SYSTEM/EXE SYS$SINGLE_SIGNON 1
      $ @SYS$STARTUP:PWRK$ACME_STARTUP.COM
      

      In a cluster, add the preceding two lines plus the following line to a node-specific system startup file (not a clusterwide one). If you use a shared system startup file such as SYS$COMMON:[SYSMGR]SYLOGICALS.COM, make the DEFINE command conditional on the node name (that is, by using the lexical function F$GETSYI).


      $ DEFINE/SYSTEM/EXE PWRK$ACME_SERVER scsnode1_name[,scsnode2_name,...]
      

      Each scsnodex_name is an equivalence name, which is the SCSNODE name of a cluster member running an Advanced Server that can be used to process external authentication requests. You can include all, or a subset of, the names of the Advanced Server member nodes. This allows you to specify the order in which the requesting host contacts the hosts running the complete Advanced Server software for an authentication request. If the first node in the list does not respond, the requesting host asks the next host, and so forth.

    For more information, refer to the OpenVMS Guide to System Security and Section 5.7.1.
  4. Establish host mapping between Advanced Server domain user accounts and the corresponding OpenVMS user accounts, if necessary. For more information, refer to the HP Advanced Server for OpenVMS Server Administrator's Guide.
  5. If your Advanced Server is participating in an OpenVMS Cluster, set up external authentication on all cluster members. For more information, see Section 5.7.1, Setting Up External Authentication in OpenVMS Clusters.
  6. If you want to change the default domain used for external authentication, set the system logical PWRK$ACME_DEFAULT_DOMAIN accordingly. (The local server's domain is the default domain for users when external authentication is established: if a user does not specify a domain name at login, the system uses the default domain for authentication.) For more information, refer to the HP Advanced Server for OpenVMS Server Administrator's Guide.
  7. If establishing external authentication for users in trusted domains, add the name of the trusted domain(s) to the OpenVMS Registry value HOSTMAPDOMAINS. For more information, refer to the HP Advanced Server for OpenVMS Server Administrator's Guide.

For information about enabling Authentication and Credential Management (SYS$ACM) for authenticating users and determining the user security profile for OpenVMS and Windows NT, refer to the COM, Registry, and Events for OpenVMS Developer's Guide (included in the OpenVMS Documentation CD-ROM).

5.7.1 Setting Up External Authentication in OpenVMS Clusters

If external authentication is being used in an OpenVMS Cluster, make sure the OpenVMS Registry is started somewhere in the cluster. In addition, HP recommends that all cluster members be configured to be able to process OpenVMS logon requests for network users.

As noted in the preceding section, when the Advanced Server is started on a system, external authentication is enabled automatically for user accounts tagged for external authentication in the SYSUAF. A cluster member that is not running the complete Advanced Server can authenticate logon requests from network users if it has access to external authentication software on a shared cluster disk. Note that external authentication is not supported on OpenVMS systems prior to V7.1. Therefore, to ensure that external authentication works properly on the cluster, HP recommends that you make sure all systems in the cluster that are not running the Advanced Server are running OpenVMS V7.1 or later.

If the cluster member does not have access to external authentication software on a shared cluster disk, you can enable external authentication on that system by copying just the external authentication images onto that system.

If the cluster member has a shared system disk, skip step 1 below and perform the remaining steps. If the cluster member does not have a shared system disk, perform all steps.

  1. If the cluster member is a VAX node, copy the following external authentication files from any system disk where the complete Advanced Server for OpenVMS is installed to the location indicated on the VAX node:
    File                                     Destination on VAX Node
    SYS$LIBRARY:PWRK$ACME_MODULE_VAX.EXE     SYS$COMMON:[SYSLIB]
    SYS$STARTUP:PWRK$ACME_STARTUP.COM        SYS$COMMON:[SYS$STARTUP]

    If the cluster member is an OpenVMS Alpha node, Version 7.3-2 or later, run the POLYCENTER Software Installation utility on the system, using the PRODUCT INSTALL ADVANCEDSERVER command, as explained in Section 2.1.2, Installing the Server. Select the External Authentication Images only option to install the External Authentication images without the Advanced Server.
    If the Alpha system is Version 7.1, then copy the following external authentication files from any system disk where the complete Advanced Server for OpenVMS is installed to the location indicated on the Alpha node:
    File                                     Destination on Alpha V7.1 Node
    SYS$LIBRARY:PWRK$ACME_MODULE_ALPHA.EXE   SYS$COMMON:[SYSLIB]
    SYS$STARTUP:PWRK$ACME_STARTUP.COM        SYS$COMMON:[SYS$STARTUP]

  2. Define the following logical names in a node-specific system startup file (not clusterwide), or if using a shared system startup file such as SYS$COMMON:[SYSMGR]SYLOGICALS.COM, ensure that you conditionalize the DEFINE command based on the node name (that is, using the lexical function F$GETSYI).


    $ DEFINE/SYSTEM/EXE SYS$SINGLE_SIGNON 1
    $ DEFINE/SYSTEM/EXE PWRK$ACME_SERVER scsnode1_name[,scsnode2_name,...]
    

    In the second line, each scsnodex_name is an equivalence name, which is the SCSNODE name of a cluster member running an Advanced Server that can be used to process external authentication requests. You can include all, or a subset of, the names of the Advanced Server member nodes. This allows you to specify the order in which the requesting host contacts the hosts running the complete Advanced Server software for an authentication request. If the first node in the list does not respond, the requesting host asks the next host, and so forth.

    Note

    If you specify a subset of the Advanced Server member nodes, in order for external authentication requests to be processed properly, the Advanced Server should be running (available) on at least one of those specified cluster members. Otherwise, even if another Advanced Server member node not specified in the list is currently running, the requests will not be processed.
  3. Invoke the SYS$STARTUP:PWRK$ACME_STARTUP command procedure during system startup.
  4. Set the appropriate OpenVMS user accounts on all cluster members to allow external authentication, and if necessary, set up host mapping between the OpenVMS user accounts and the Advanced Server user accounts. For more information about enabling OpenVMS user accounts for external authentication, refer to the OpenVMS Guide to System Security. For more information about setting up host mapping, refer to the HP Advanced Server for OpenVMS Server Administrator's Guide.
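
The node-conditional definition that step 2 calls for, as an added example that is not part of the HP guide: a fragment for a shared SYS$COMMON:[SYSMGR]SYLOGICALS.COM. NODEA through NODED are placeholder SCSNODE names, and the split between full-server and authentication-only members is an assumption.

```dcl
$! Fragment for a shared SYS$COMMON:[SYSMGR]SYLOGICALS.COM (added example).
$! Placeholder SCSNODE names, not from the guide:
$!   NODEA, NODEB  run the complete Advanced Server
$!   NODEC, NODED  have only the external authentication images
$ node = F$EDIT(F$GETSYI("NODENAME"), "TRIM,UPCASE")
$ auth_only = ",NODEC,NODED,"
$!
$! Only authentication-only members get these definitions; on NODEA and
$! NODEB external authentication is enabled when the server starts.
$ IF F$LOCATE("," + node + ",", auth_only) .LT. F$LENGTH(auth_only)
$ THEN
$     DEFINE/SYSTEM/EXECUTIVE SYS$SINGLE_SIGNON 1
$!    The first node listed is contacted first; the next one is tried only
$!    if it does not respond. The server must be running on at least one.
$     IF node .EQS. "NODEC" THEN DEFINE/SYSTEM/EXECUTIVE PWRK$ACME_SERVER NODEA,NODEB
$     IF node .EQS. "NODED" THEN DEFINE/SYSTEM/EXECUTIVE PWRK$ACME_SERVER NODEB,NODEA
$!    Display the resulting definitions so they can be reviewed.
$     SHOW LOGICAL/SYSTEM/FULL SYS$SINGLE_SIGNON
$     SHOW LOGICAL/SYSTEM/FULL PWRK$ACME_SERVER
$ ENDIF
```

On the authentication-only members, SYS$STARTUP:PWRK$ACME_STARTUP.COM must still be invoked later in system startup, as step 3 requires.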

5.7.2 Requirement for External Authentication Over DECnet-Plus

To allow users to be externally authenticated over DECnet-Plus for OpenVMS, set the OpenVMS system parameter NET_CALLOUTS to 255. This enables Advanced Server user ID mapping and authentication for network logins.

5.7.3 Configuring the Server Capacity for External Authentication

By default, the Advanced Server can support up to 10 simultaneous external authentication logon requests (signons). You can modify this maximum to suit the Advanced Server requirements, using the Configuration Manager. To start the Configuration Manager, enter the following command:


$ ADMINISTER/CONFIGURATION

The basic server parameters include the number of simultaneous activations for users with external authentication.

For more information about using the Configuration Manager, refer to the HP Advanced Server for OpenVMS Server Administrator's Guide.

5.7.4 Bypassing External Authentication When the Network Is Down

External authentication cannot occur if a network connection is required and the network is down. However, as a temporary solution, privileged users can enter the /LOCAL_PASSWORD qualifier after the OpenVMS user name at the login prompt, to specify local authentication. Be sure to specify the OpenVMS user name and password when using the /LOCAL_PASSWORD qualifier.

Because using the /LOCAL_PASSWORD qualifier effectively overrides the security policy established by the system manager, it is allowed only when the user's account has SYSPRV as an authorized privilege. This allows the system manager to gain access to the system when the network is down. When Bit 1 of the equivalence string is set in the SYS$SINGLE_SIGNON logical name, nonprivileged users who are normally externally authenticated can log in locally (the /LOCAL_PASSWORD qualifier need not be specified).

For more information about the /LOCAL_PASSWORD qualifier for the login command line, refer to the OpenVMS Guide to System Security.

5.7.5 Disabling External Authentication

If you want to disable external authentication, then before starting the Advanced Server, define the SYS$SINGLE_SIGNON logical to a value of 0, as in the following example:


$ DEFINE/SYSTEM/EXECUTIVE SYS$SINGLE_SIGNON 0

For more information about SYS$SINGLE_SIGNON and disabling external authentication on OpenVMS, refer to the OpenVMS Guide to System Security.

5.8 Converting Encoded File Names from ODS-2 to ODS-5

Existing Advanced Server shares may be converted from ODS-2 to ODS-5 to take advantage of the OpenVMS support of extended file specifications. The Advanced Server for OpenVMS software provides a conversion utility for converting ODS-2 encoded file names on ODS-5 devices that have been converted from ODS-2. The conversion utility removes escape-encoded characters in file names, changing the file names to ISO Latin-1 characters. For example, if a file name is created on an ODS-2 disk containing the character-encoding sequence __E4, to represent the lowercase a-umlaut (ä), the conversion utility removes the encoding and replaces it with the ä character.

You can convert ODS-2 file names to ODS-5 file names after:

  • The Advanced Server for OpenVMS has been installed and configured.
  • The disk device containing escape-encoded file names has been converted from ODS-2 to ODS-5. Refer to the OpenVMS Guide to Extended File Specifications for information about converting disk devices to ODS-5.

Note

If you plan to configure a language other than the default (English (USA)), and your disk device includes ODS-2 file names (names including escape-encoded characters in the format __XX), you must convert all the file names before configuring the new language.

5.8.1 Using the File Name Conversion Utility

The file name conversion utility that converts file names from the encoding used on ODS-2 file systems to ISO Latin-1 file names is:


SYS$SYSTEM:PWRK$CNVTOHFS.EXE

When the Advanced Server commands have been defined, you can use the PWCONVERT system management command to invoke the file name conversion utility. For information about defining Advanced Server system management commands, see Section 5.6, Special Advanced Server Management Commands. For example, to define the PWCONVERT command, enter the following DCL command:


$ PWCONVERT :== $SYS$SYSTEM:PWRK$CNVTOHFS.EXE

The format of the PWCONVERT command is:


$ PWCONVERT /qualifiers file-spec

Where:

  • Qualifiers are optional. They are described in Table 5-2, PWCONVERT Qualifiers. The default setting is used if you omit the qualifier.
  • The file-spec argument is required, and may include the device name, directory name, and file name.
    • If you specify only a disk device, the conversion utility scans the entire device for file names that are encoded, and converts them if necessary.
    • If you specify a disk device and a directory, all the files in the specified directory are scanned and converted if necessary. You may include wildcard characters in directory names and file names.
    • If you specify a disk device, directory, and a single file name, only that file is converted.
    • If you enter the PWCONVERT command with no file specification, it prompts you for a file specification. For example:


      $ PWCONVERT
      FILENAME:
      

      In response to this prompt, you must supply a device name, and optionally a directory and file name to convert. You may include qualifiers.

Table 5-2 PWCONVERT Qualifiers

/CODE_PAGE=n
    Description: The code page used to translate encoded characters, where n is the code page. For more information about code pages, refer to the OpenVMS User's Manual.
    Default: None

/DISABLE=keyword
    Description: Disables the function of the conversion utility specified by the keyword. The keywords are:
      • ACE, which specifies that the conversion utility will not check for "PATHWORKS" ACEs on the files.
      • STRUCTURE_LEVEL, which specifies that the conversion utility will not check the file system type (ODS-2 or ODS-5).
    Default: /NODISABLE

/LOG=log-file-specification
    Description: Creates a log file containing the file names converted. You can specify the location and name of the log file using this qualifier.
    Default: /NOLOG. Information is displayed and no log file is created.

/VERBOSE
    Description: Displays all the file names scanned during the conversion operation.
    Default: /NOVERBOSE

/NOLIST
    Description: Suppresses the display of all the file names that are converted. Only error messages are displayed.
    Default: /LIST

5.8.2 Example of Converting an Encoded File Name

In this example, the file named A FILE.TXT has been created by a Windows 95 client on DISKA, and has been encoded as A__20FILE.TXT. The device DISKA has been converted from ODS-2 to ODS-5. As viewed from OpenVMS, the file appears as follows:


$ DIRECTORY DISKA:[FILES]
Directory DISKA:[FILES]
   .
   .
   .
A__20FILE.TXT
$

Use the PWCONVERT command to convert this file name, as follows:


$ PWCONVERT/VERBOSE DISKA:[FILES]A__20FILE.TXT

Scanning file - DISKA:[FILES]A__20FILE.TXT;1
Renamed A__20FILE.TXT to A FILE.TXT

Convert Utility Complete

$

5.8.3 Example of Converting All Encoded File Names

To convert all the encoded file names on a disk device and directory, enter the PWCONVERT command, specifying the disk device and directory without a file name. For example, to convert all the encoded file names stored on device DISK$USER1, enter the following:


$ PWCONVERT
FILENAME: DISK$USER1:

Renamed A__20FILE.TXT to A FILE.TXT
   .
   .
   .
Convert Utility Complete

5.9 Installing Optional Server Administration Tools

The Advanced Server provides optional client-based server administration tools that allow you to manage the server from Windows NT, Windows 2000, or Windows XP clients. These tools are available in the PWUTIL share.

If you chose not to install the Windows client utilities during Advanced Server configuration, the PWUTIL share was not created. If needed, you can install the Windows client utilities and the PWUTIL share at any time by executing the following command procedure:


$ @SYS$UPDATE:PWRK$PWUTIL.COM

For more information, refer to the note under Section 3.3.3, Do You Want this Server to Share the Client-Based License Software?

The SRVTOOLS directory in the PWUTIL share contains a subdirectory for each type of client computer. Refer to the README.TXT file in the appropriate subdirectory for instructions on installing the software on the client computer.

Refer to the Windows NT Server documentation or use online Help for more information about how to use Windows NT server administration tools.

