[an error occurred while processing this directive]

HP OpenVMS Systems

Content starts here COM, Registry, and Events for HP OpenVMS Developer's Guide

COM, Registry, and Events for
HP OpenVMS Developer's Guide


Previous Contents Index


Chapter 5
COM for OpenVMS Security

COM V1.1-A and higher for OpenVMS supports NTLM (NT LAN Manager) authentication for controlling access to COM objects.

Processes that execute client and server applications must obtain Windows credentials in order to be authenticated. Processes created automatically by DCOM$RPCSS to execute server applications obtain Windows credentials based on the Registry settings for the server being launched. Interactive processes that are used to execute client and server applications must obtain Windows credentials by running the NTA$LOGON utility (see Section 8.2).

This chapter applies to COM for OpenVMS in authenticated mode. See Appendix E for information about running COM for OpenVMS in an unauthenticated environment.

This chapter discusses the following topics:

  • How to configure an OpenVMS system for NTLM authentication
  • How to acquire Windows credentials
  • The way security affects COM applications
  • The way your domain configuration affects COM applications
  • The Application Server run-time environment

5.1 System Configuration

NTLM authentication on OpenVMS is implemented in three major components of the operating system (see Section 4.10).

  • ACME server --- controls the granting of credentials
  • RPC and SSPI --- provide remote procedure calls and Windows-style authentication
  • Advanced Server for OpenVMS --- maintains Windows accounts and provides mapping of Windows accounts to OpenVMS accounts

The ACME server, RPC, and SSPI are installed as part of the OpenVMS operating system and require no special configuration. Advanced Server for OpenVMS must be installed as a layered product and must be configured to support NTLM authentication for COM applications (see Section 4.4).

After installing Advanced Server for OpenVMS, you must create Windows domain accounts that will be used to execute COM applications. You must also map the Windows domain accounts to OpenVMS accounts.

The Advanced Server ADMINISTER utility is used to create Windows domain accounts. For example, to create the Windows domain account NTUSER1, use the following command:


$ ADMINISTER ADD USER NTUSER1 /PASSWORD="pppppp" /FLAG=NOPWDEXPIRED

The password is case sensitive, so it is enclosed in quotation marks in order to maintain case. A password without quotation marks is converted to uppercase. By default, Windows domain accounts are created with the password pre-expired, thus forcing the user to change the password at the first login. The NOPWDEXPIRED flag overrides this default.

A hostmap entry defines the association between a Windows user account and a local OpenVMS user account. When OpenVMS authenticates a Windows user, OpenVMS uses the hostmap entry to map the OpenVMS user account to the Windows user account and build the local OpenVMS user profile and the Windows NT user profile. If no hostmap entry exists, OpenVMS uses the Windows user account name as the local OpenVMS user account name.

Use the HP Advanced Server for OpenVMS ADMINISTER utility to define hostmap information. For example, to map the Windows domain account NTUSER1 to the OpenVMS account VMSUSER1, use the following command:


$ ADMINISTER ADD HOSTMAP NTUSER1 VMSUSER1

If the OpenVMS account does not already exist, you must create the account using the OpenVMS Authorize utility (AUTHORIZE). The OpenVMS account must have the EXTAUTH flag set, or the IGNORE_EXTAUTH flag (bit 11, %X0800) must be set in the SECURITY_POLICY SYSGEN parameter (see Section 5.1). This policy allows the OpenVMS system manager to control which OpenVMS user accounts can be used with Windows authentication. For example, to set the EXTAUTH flag for an OpenVMS account VMSUSER1, use the following command. For example:


$ AUTHORIZE == "$AUTHORIZE"
$ AUTHORIZE MODIFY VMSUSER1 /FLAG=EXTAUTH

5.1.1 LOGINOUT.EXE Use of External Authentication

The EXTAUTH flag also directs LOGINOUT.EXE to use external authentication to authenticate an OpenVMS user during the login process (that is, local, dialup, remote, interactive, and network logins). When you set the EXTAUTH flag, LOGINOUT.EXE uses external authentication, not the OpenVMS SYSUAF.DAT record, to verify the user name and password.

LOGINOUT external authentication always requires that you set the EXTAUTH flag in the SYSUAF account record. Unlike NTA$LOGON and authenticated RPC, you cannot override this requirement using the IGNORE_EXTAUTH flag.

5.1.2 DCE Integrated Login Restriction

A site cannot use both external authentication and the older LGI-callout feature on the same system. If you have an LGI-callout image installed, external authentication is disabled for login purposes. Because DCE integrated login uses the LGI-callout mechanism, OpenVMS does not allow logins using Windows-based external authentication if DCE integrated login is enabled.

5.2 Cross-Domain Configuration

You can run a COM application on a system in one domain and have the application authenticated by a system in a second domain.

To configure authentication across Windows domains, you must do the following:

  1. Set up trust relationships between domains.
    For more information, see the HP Advanced Server for OpenVMS Server Administrator's Guide.
  2. Set up the HostMapDomains parameter on HP Advanced Server for OpenVMS domains (see Example 5-1).
    For more information, see the HP Advanced Server for OpenVMS Server Administrator's Guide.
  3. Set up account hostmap entries between the Windows user account and a local OpenVMS user account.

Example 5-1 shows how you can set up the HostMapDomains parameter. In this example, there are two domains: DOMAIN_1 and DOMAIN_2 . Domain DOMAIN_2 is running HP Advanced Server for OpenVMS; domain DOMAIN_1 is a Windows domain. The commands in Example 5-1 introduce DOMAIN_2 to DOMAIN_1 .

Example 5-1 Sample: Setting Up HostMapDomains

SYSJANE$ show sym regutl
  REGUTL == "$SYS$SYSTEM:PWRK$REGUTL.EXE"
SYSJANE$ regutl
REGUTL> SET PARAM /CREATE VMSSERVER HOSTMAPDOMAINS DOMAIN_1
REGUTL> SHOW VALUE * HOSTMAPDOMAINS
Key: SYSTEM\CurrentControlSet\Services\AdvancedServer\UserServiceParameters
Value: HostmapDomains
Type: String
Current Data: DOMAIN_1

5.3 Acquiring Windows Credentials

After the Windows domain account and the OpenVMS account have been set up as described in Section 5.1, you can log in to the OpenVMS account using the usual OpenVMS login procedures. You can then acquire Windows credentials using the NTA$LOGON utility. For example:


$ NTA$LOGON == "$NTA$LOGON"
$ NTA$LOGON NTUSER1 "pppppp"

In this format, pppppp is the password you specified when you created the Windows domain account. The password is enclosed in quotation marks to preserve case. A password without quotation marks is converted to lowercase. If the user name or password is not specified on the command line, the program prompts the user for the required input (see Section 8.2).

To acquire Windows credentials using NTA$LOGON , you must be logged in to the OpenVMS account to which the Advanced Server account is hostmapped. If not are not logged in, you must have the IMPERSONATE privilege and use the NTA$LOGON /OVERRIDE_MAPPING option. For example:


$ NTA$LOGON == "$NTA$LOGON"
$ NTA$LOGON /OVERRIDE_MAPPING NTUSER2 "pppppp"

To determine whether a process has Windows credentials, use the NTA$LOGON utility with the /LIST switch. For example:


$ NTA$LOGON == "$NTA$LOGON"
$ NTA$LOGON /LIST

5.4 Application Security

The COM security model allows the creation of secure distributed applications. COM security can be enabled by using settings in the OpenVMS Registry and by using COM security APIs and interfaces. There are two primary areas of security that can be applied to COM applications: launch security and activation security.

Launch security and activation security have system default settings; application-specific settings override these defaults. The settings are stored in the Registry and are maintained by using the DCOMCNFG utility on Windows and by using the DCOMCNFG option of DCOM$SETUP.COM on OpenVMS. The COM API CoInitializeSecurityEx can be used from within an application to enhance or override the Registry settings.

5.4.1 Launch Security

Launch security determines which Windows domain accounts can be used to create, or "launch" server processes. The launch security settings are referenced when a COM request is received on a system that will result in the launching of a server process to satisfy the request. These settings can explicitly or implicitly allow or disallow a user request to launch a server. The DCOM$RPCSS process authenticates the incoming request to determine the identity of the client. If DCOM$RPCSS determines that it needs to launch a server process to satisfy the request, DCOM$RPCSS allows or disallows the launching of the server based on the identity of the client and the launch security settings.

5.4.2 Activation Security

Activation security determines which Windows domain accounts can be used to execute method calls in server applications. The activation security settings are referenced when a COM request is received on a system for a method call in an existing server process. The server process authenticates the incoming request to determine the identity of the client. The server process allows or disallows the execution of the method call based on the identity of the client and the activation security settings.

5.4.3 Server Process Identity

A server process created by DCOM$RPCSS on OpenVMS is a detached process that has an OpenVMS identity and follows all the OpenVMS security rules for a detached process. In addition, it has a network identity that is used to enforce the COM security model (see Section 5.5).

COM servers create separate server threads to execute each client request. These server threads have their own OpenVMS identity and network identity, based on the identity of the client. When a server thread is executing a request on behalf of a client, it is the thread's identities, not the process' identities, that are used to enforce security.

5.4.4 Domain Issues

Two systems running COM client and server applications can exist in one of three possible domain configurations:

  • Systems are in the same domain
  • Systems are in separate domains with trusts established between the two domains
  • Systems are in separate domains without trusts, or systems are not in a domain

The ability for servers and DCOM$RPCSS to authenticate client requests are affected by the domain configurations. When both systems are in the same domain or when the systems are in separate but trusted domains there is no problem authenticating. The trusted domain configuration is a bit more complex and requires that the trusts and mappings be configured correctly but once configured, there is no trouble authenticating (see Section 5.2).

Systems in separate, nontrusted domains or systems not in any domain cannot be authenticated using the normal mechanisms. To run authenticated COM applications between such systems, you must pass authentication information (user name and password) from the client to the server. COM provides this capability in the CoCreateInstanceEx API. The pServerInfo parameter of the CoCreateInstanceEx API allows you to specify a user name and password to be used for authentication on the remote server system. The user name and password are part of the COAUTHIDENTITY structure, within the COAUTHINFO structure within the COSERVERINFO structure, that is passed as the pServerInfo parameter to CoCreateInstanceEx.

Section C.3 shows how you can authenticate a remote client that is neither in the server's domain nor in a domain that has a trust with the server's domain.

The current NTLM security implementation on OpenVMS does not support this feature for COM client applications on OpenVMS. This feature is supported for COM clients on Windows that communicate with COM servers on OpenVMS. To run COM client applications on OpenVMS where the server is not in the same domain or in a trusted domain, you must disable authentication for the application, as described in Section 5.4.5.

5.4.5 Disabling Authentication

Under certain conditions, you may want to disable authentication between a client and server applications. This feature disables many of the security features of COM and of the operating system and should not be used in an environment where security is required. There are two ways to disable authentication for COM applications:

  • Use DCOMCNFG to change the default authentication level to None on both systems.
  • Add a call to CoInitializeSecurity in both the client and server applications and set the dwAuthnLevel parameter to RPC_C_AUTHN_LEVEL_NONE.

The server must be configured to run with a specific NTLM account identity. Since the client will not be authenticated, there is no way for the server to run with a client's identity. To configure a server to run with a specific NTLM identity, use DCOMCNFG and change the application properties to select the NTLM account.

5.4.6 Access Denied Problems (80070005)

The most common security error a COM application will encounter is access denied (error status value 80070005). The following is a list of the most common causes of this error:

  • Client process on OpenVMS does not have Windows credentials. Run NTA$LOGON to acquire Windows credentials.
  • Application-specific launch or access permissions do not allow access. Check the application settings using DCOMCNFG (see Section 6.3.1).
  • System default launch or access permissions do not allow access. Check the system defaults using DCOMCNFG (see Section 6.3.6).
  • CoInitializeSecurityEx API call is incorrect. Verify that the client and server security calls are valid.
  • Server process or thread does not have permission to perform a particular operation. Verify that the OpenVMS identity being used to execute a client request has the necessary privileges to perform the operation.
  • Server process does not have access to the server images. Verify that the OpenVMS identity used to launch a server process has read and execute permissions for the server image and any dynamically loaded images (.EXE files).
  • Advanced Server hostmap entry problems. In order for NTLM authentication to work correctly, Windows domain accounts must be mapped to OpenVMS accounts (see Section 5.1). To verify the mapping of Windows domain accounts to OpenVMS accounts, use the ADMINISTER command:


    $ ADMINISTER SHOW HOSTMAP
    

    In a multiple-domain environment with trusts established between domains, cross-domain mappings must be created (see Section 5.2). Under certain conditions, the Advanced Server is unable to verify a user account associated with a hostmap entry. Any attempt to display the hostmap entry of a user name that can not be verified will result in the user name being displayed using its eight-digit hexadecimal internal representation (for example, "DOMAINNAME\000003fd"). If this happens, verify that the Advanced Server is running on each machine. You should also verify the trusts between domains using the following ADMINISTER command:


    $ ADMINISTER SHOW TRUST
    

    If the trusts are valid and the hostmap entries are still displayed with the numeric format, you should shut down and restart the Advanced Server.

5.5 Server Run-Time Environment

When DCOM$RPCSS launches a server in response to a client request for a COM object, DCOM$RPCSS creates a detached process and executes either the server image or server command file in the context of the detached process. The image or command file that is executed is determined by the value of the Registry key HKEY_CLASSES_ROOT\CLSID\{iid}\LocalServer32, where iid is the unique identifier of the COM object.

The run-time environment of the detached process is as follows:

  • Default directory
    The default directory of the detached process is the same as the default directory of DCOM$RPCSS . This is determined by the default directory of the process that executed the DCOM$STARTUP command file. If DCOM$STARTUP is executed by the system startup procedure, then the default directory will be SYS$SYSTEM .
  • Windows identity
    Depends on the application identity setting. This setting is made using DCOMCNFG .
    If the application identity is set to "launching user" (the default), then the Windows identity of the detached process is the same as the Windows identity of the client.
    If the application identity is set to a specific NTLM account then the Windows identity of the detached process is that of the NTLM account.
  • OpenVMS user name
    The OpenVMS user name of the detached process is the user name that is mapped to the Windows identity of the detached process. The mapping of OpenVMS user name to Windows identity is established using the Advanced Server ADMINISTER utility (see Section 5.1).
  • OpenVMS privileges
    Depends on the application identity setting. This setting is made using DCOMCNFG .
    If the application identity is set to "launching user" (the default), then the privileges depend on the location of the client. If the client is running on the same system as the server, then the privileges of the detached process will match the privileges of the client. If the client is running on a different system from the server, then the privileges of the detached process will be the default privileges of the OpenVMS user name account.
    If the application identity is set to a specific NTLM account then the privileges of the detached process will be the default privileges of the OpenVMS user name account.
  • Process logicals
    SYS$INPUT and SYS$OUTPUT are defined to the disk device where the server image or command file is located. For example, if the server image is DKA0:[TEST]CMPNT.EXE , then SYS$INPUT and SYS$OUTPUT are defined to DKA0: . SYS$SCRATCH is not defined.
    If these environment settings are not sufficient for the successful execution of your server, then you should explicitly define the environment settings you need. One way to easily set up an environment for your server is to create a command file to run your server, and register the command file, instead of the executable image, as the file to be executed when the server is launched. You can define the environment in the command file prior to executing the server image. For example, if you build SAMPLE1 in the directory DKA0:[SAMPLE1] and register it using the BUILD_SAMPLE1 command file, then the server image will be named DKA0:[SAMPLE1]CMPNT.EXE . The Registry key HKEY_CLASSES_ROOT\CLSID\{0C092C21-882C-A6BB-0080C7B2D682}\LocalServer32 will have a value of DKAO:[SAMPLE1]CMPNT.EXE . You can change the value of that key to DKA0:[SAMPLE1]RUN_CMPNT.COM and create the command file, as follows:


    $! RUN_CMPNT.COM
    $! Command file to run SAMPLE1
    $ set default DKA0:[SAMPLE1]
    $ define sys$output DKA0:[SAMPLE1]SAMPLE1.LOG
    $ ! Other definitions as needed
    $  RUN CMPNT.EXE
    $ exit
    

    When DCOM$RPCSS receives a request for SAMPLE1 and launches a server, the server executes this command file in the detached process.


Chapter 6
COM for OpenVMS Utilities for Application Development and Deployment

This chapter describes how to configure your OpenVMS system (and, optionally, your Windows system) to develop and deploy COM applications. It describes the following COM for OpenVMS utilities:

  • The DCOM$SETUP utility, which helps a system manager configure the COM for OpenVMS system environment.
  • The DCOM$CNFG utility, which helps an application developer configure and examine COM applications.
  • The DCOM$REGSVR32 utility, which allows an application developer to register and unregister in-process server applications.

This chapter also includes information about configuring OpenVMS and Windows systems to interoperate.

Before you begin

Before you configure COM for OpenVMS on your OpenVMS system, you must install and configure required components and install COM for OpenVMS. See Chapter 4 for information about these steps.

6.1 DCOM$SETUP Utility

DCOM$SETUP is a collection of tools to help a system manager configure the COM for OpenVMS system environment.

DCOM$SETUP Conventions and Requirements

  • For Yes/No questions, you can enter any one of the following:
    • YES or NO
    • Y or N
    • [Return] (to accept the default value)
  • Some DCOM$SETUP options require system manager privileges and OpenVMS Registry access.

6.2 Running DCOM$SETUP

To run DCOM$SETUP , enter @SYS$STARTUP:DCOM$SETUP at the OpenVMS system prompt.

The system displays the OpenVMS COM Tools menu.

Figure 6-1 DCOM$SETUP OpenVMS COM Tools Menu



---------------------------------------------------------
                         OpenVMS COM Tools

           1) DCOMCNFG, COM Configuration Properties
           2) GUIDGEN, Globally Unique Identifier Generator
           3) Populate the Registry database for COM
           4) Start the COM server
           5) Stop the COM server
           6) Register a COM application
           7) Create the DCOM$GUEST account and directory
           8) Configure the DCOM$RPCSS accounts

           H) Help
           E) Exit

Please enter your choice:
---------------------------------------------------------

To choose an option, enter the option number. The options are as follows:

  • 1) DCOMCNFG, COM Configuration Properties
    Use to query information and manipulate properties of COM for OpenVMS applications. For more information, see Section 6.3.
  • 2) GUIDGEN, Globally Unique Identifier Generator
    Generate CLSIDs (class IDs) (or GUIDs [globally unique identifiers]) in various formats (for example, the OpenVMS Registry or Windows Registry format). The CLSID tags each application with a unique identifier.
    This version of DCOM$SETUP generates GUIDs in OpenVMS Registry and Windows Registry formats only. For a discussion of other formats, see Section 7.1.
  • 3) Populate the Registry database for COM
    Set up the OpenVMS Registry database. COM for OpenVMS requires that specific keys and values be added to the OpenVMS Registry database. You must have both write access to the OpenVMS Registry and Windows Administrator privileges.
  • 4) Start the COM server
    Start the COM for OpenVMS Server Control Manager server ( DCOM$RPCSS ). DCOM$SETUP calls the SYS$STARTUP:DCOM$STARTUP procedure to start the server. For more information, see Section 6.2.2.
  • 5) Stop the COM server
    Shut down the COM for OpenVMS Service Control Manager server ( DCOM$RPCSS ). DCOM$SETUP calls the SYS$STARTUP:DCOM$SHUTDOWN procedure to stop the server. For more information, see Section 6.2.2.
  • 6) Register a COM application
    Register a COM for OpenVMS server application. You can register the following types of servers:
    • In-process server
      When you register an in-process server, the system prompts you for the server's location.
    • Local server or out-of-process server
      When you register a local server or out-of-process server, the system prompts you for the following information:
      • Full path information (location of the server)
        This is a required value. Use the following syntax: device::[directory]file-name.ext
      • Application title
        This is an optional value. If you do not supply a title, the system uses a default title.
      • CLSID (GUID)
        This is a required value. If the server does not have a CLSID, the system generates one automatically. For more information about CLSIDs and LocalServer32, see Section 7.5.1.

      After you complete the registration process, the system generates the following files:
      1. A Windows Registry file ( server-name.REG_NT ) that you can use to register the application on a Windows system.
      2. An OpenVMS command procedure ( server-name.REG_VMS ) that you can use to register the server on an OpenVMS system.

      When you use these files on other systems, you must modify the path statement to point to the server's current location. For more information, see Section 6.2.3.
  • 7) Create the DCOM$GUEST account and directory
    You must create the DCOM$GUEST account before you can use COM for OpenVMS without NTLM authentication.
  • 8) Configure the DCOM$RPCSS accounts
    Configure and create the DCOM$RPCSS HP Advanced Server for OpenVMS user and SYSUAF accounts. The COM for OpenVMS Service Control Manager ( DCOM$RPCSS ) requires these accounts for authentication. For more information, see Section 6.2.1.
  • H) Help
    Display help about each menu option.
  • E) Exit
    Exit the menu.

6.2.1 Creating and Configuring DCOM$RPCSS Accounts

To display these functions, choose option 8 from the OpenVMS COM Tools menu. The system displays the following:


---------------------------------------------------------
Configure the COM for OpenVMS Service Control Manager (DCOM$RPCSS) accounts

   1) Create the DCOM$RPCSS account in both the SYSUAF database and the
      Advanced Server for OpenVMS SAM database. The password you specify
      for the new DCOM$RPCSS user is stored in a protected file.

   2) Update the DCOM$RPCSS user password in the COM for OpenVMS Service
      Control Manager password file.

   E) Exit

Please enter your choice:
---------------------------------------------------------

Enter one of the following:

  • 1) Create the DCOM$RPCSS account . . .
    This option creates the DCOM$RPCSS account in both the SYSUAF database and the HP Advanced Server for OpenVMS SAM database.
    The password you specify for the DCOM$RPCSS user is stored in a protected file that the COM for OpenVMS Service Control Manager uses to log into the NTLM network and obtain a Windows identity.

    Note

    The system creates this account in the HP Advanced Server for OpenVMS database with a password that will not expire. To change this behavior (that is, modify the account so that the password expires according to the HP Advanced Server for OpenVMS User Policy), use the following procedure:
    1. Run the HP Advanced Server for OpenVMS ADMIN utility.
    2. Log into the Administrator account.
    3. Issue the following ADMIN command:


        ADMIN> MODIFY USER DCOM$RPCSS/FLAG=NODISPWDEXP
      

    To determine the maximum password age in the HP Advanced Server for OpenVMS User Policy, enter the following ADMIN command:


    ADMIN> SHOW ACCOUNT POLICY
    

    If you change the HP Advanced Server for OpenVMS password of the DCOM$RPCSS account, you must update the password in the COM for OpenVMS Service Control Manager password file. (See option 2 [Update the DCOM$RPCSS user password].)

    Use the following procedure:
    1. Enter 1 .
      The system displays the following:


              To create a new account, you must be logged on to an existing
              Advanced Server for OpenVMS account that is capable of adding
              new users.
      
      Enter Y[ES] to log on to this account:
      

      You must belong to the PATHWORKS administrator group to create this account.
    2. Enter Y .
      The system prompts you to log on. The password is not displayed as you enter it.


       Enter username: JOSEPHM
       Password:
       Confirm password:
      

      The system prompts you to enter a new password, and then asks you to confirm the password. The password is not displayed as you enter it.


              Enter the new DCOM$RPCSS password.
      
      Enter password:
      Confirm password:
      

      The system uses this password for both the SYSUAF account (DCOM$RPCSS) and the PATHWORKS user account (DCOM$RPCSS). The system stores this password in the COM for OpenVMS Service Control Manager password file.
      The system displays the following account creation information:


      %PWRK-S-USERADD, user "DCOM$RPCSS" added to domain "DCOM1_DOMAIN"
      
      Username: DCOM$RPCSS                       Owner:  COM
      Account:                                   UIC:    [37776,1] ([DCOM$RPCSS])
      CLI:      DCL                              Tables: DCLTABLES
      Default:  SYS$SYSDEVICE:[DCOM$RPCSS]
      LGICMD:
      Flags:  ExtAuth
      Primary days:   Mon Tue Wed Thu Fri
      Secondary days:                     Sat Sun
      No access restrictions
      Expiration:            (none)    Pwdminimum:  6   Login Fails:     0
      Pwdlifetime:           (none)    Pwdchange:      (pre-expired)
      Last Login:            (none) (interactive),            (none) (non-interactive)
      Maxjobs:         0  Fillm:       100  Bytlm:        64000
      Maxacctjobs:     0  Shrfillm:      0  Pbytlm:           0
      Maxdetach:       0  BIOlm:       150  JTquota:       4096
      Prclm:           8  DIOlm:       150  WSdef:         1024
      Prio:            4  ASTlm:       250  WSquo:         4000
      Queprio:         4  TQElm:        10  WSextent:      8000
      CPU:        (none)  Enqlm:      2000  Pgflquo:     130000
      Authorized Privileges:
        NETMBX       TMPMBX
      Default Privileges:
        NETMBX       TMPMBX
      %PWRK-S-HOSTMAPADD, user "DCOM$RPCSS" mapped to host user "DCOM$RPCSS"
      
      Press RETURN to continue:
      
  • 2) Update the DCOM$RPCSS user password . . .
    If you change the DCOM$RPCSS user password in the HP Advanced Server for OpenVMS SAM database, you must also update the password in the COM for OpenVMS Service Control Manager password file.
    Use the following procedure:
    1. Enter 2 .
      The system displays the following:


              Enter the new DCOM$RPCSS password.
      
      Enter password:
      Confirm password:
      
    2. Enter the new password and confirm the password.
  • E) Exit
    Exit the menu.

6.2.2 Starting and Stopping the COM Server (DCOM$RPCSS Process)

COM for OpenVMS requires that the COM server process ( DCOM$RPCSS ) always be running. The DCOM$RPCSS process on OpenVMS provides the same functions for the COM run-time environment that the RPCSS process provides on Microsoft Windows, including the following:

  • Build and maintain the list of server objects running on the system.
  • Build and maintain a cache of known applications as defined in the registry. This cache improves COM performance.
  • Start a server as a detached process whenever a client requests a connection to a server object that is not currently running.
  • Communicate with the RPCSS process on remote Windows systems or the DCOM$RPCSS process on OpenVMS systems to locate or start remote server objects.

To start DCOM$RPCSS , either use DCOM$SETUP option 4 ("Start") (see Section 6.2) or call the COM for OpenVMS startup procedure directly from SYS$STARTUP:DCOM$STARTUP . See Section 4.13 for information on starting COM for OpenVMS.

To stop DCOM$RPCSS on your system, either use the DCOM$SETUP option 5 ("Stop") (see Section 6.2) or call the COM for OpenVMS shutdown procedure directly from SYS$STARTUP:DCOM$SHUTDOWN . See Section 4.14 for information on shutting down COM for OpenVMS.

6.2.3 Registering an Application

The following example shows how to register the COM for OpenVMS "Simple" application included on the COM for OpenVMS kit. You can use the resulting Windows file to register the server on a Windows system as long as the application is available on your Windows system.

To build the "Simple" application on a Windows system, see and execute the instructions in the README-SIMPLE.TXT file in DCOM$EXAMPLES:[SIMPLE] .

Note

You must build and compile the application before you can register it. For complete details, see the step-by-step example in DCOM$EXAMPLES:[SIMPLE] included in the COM for OpenVMS kit.

Use the following procedure:

  1. From the DCOM$SETUP menu, enter 6 or REGISTER .
  2. Answer the questions as follows:

    Note

    The "Simple" application already has a CLSID.

    Example 6-1 Sample" Simple" Application Registration on OpenVMS

    Enter server type (1. In-Proc  2. Out-Proc): 2 [Return]
    Enter Local Path (device:[directory]filename.ext): DKA0:[SMITH]SSERVER.EXE [Return]
    Enter Application Name (<RETURN> to assign default): COM Simple Server [Return]
    Does the server have a CLSid {GUID} (Yes/No) [N]: Y [Return]
    Enter the CLSid (i.e. {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}:
       {5e9ddec7-5767-11cf-beab-00aa006c3606} [Return]
    
    Verify Application Information:
    
             Application Name: COM SIMPLE SERVER
             Local Path: DKA0:[SMITH]SSERVER.EXE
             Application ID: {5E9DDEC7-5767-11CF-BEAB-00AA006C3606}
    
    Is the information correct (Yes/No) [Y]: [Return]
    Register application (Yes/No)? [Y]: [Return]
    
    SETUP-I-NEWFILES, The following files have been created:
    
          DKA0:[SMITH]SSERVER.REG_NT
          DKA0:[SMITH]SSERVER.REG_VMS
    
    SETUP-I-SRVIN, Server has been registered
    Press RETURN to continue: [Return]
    

To register the "Simple" application on a Windows system, use the following procedure:

  1. Copy all the files in the DCOM$EXAMPLES:[SIMPLE] directory to your Windows system.
  2. Rename SSERVER.REG_NT to SSERVER.REG .
  3. Edit the file to point to the local server path.
    For example, replace DEVICE:\SSERVER with C:\SSERVER .
  4. Run the Install.bat program to add the necessary keys to the Windows registry.

Example 6-2 shows the contents of SSERVER.REG_NT .

Example 6-2 Contents of SSERVER.REG_NT

REGEDIT
HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}\ = DCOM server application SSERVER
HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}\LaunchPermission = Y
HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}\LocalServer32 = DEVICE:\SSERVER

To reregister the "Simple" application on an OpenVMS system, enter the following command at the system prompt:


$ @SSERVER.REG_VMS

Example 6-3 shows the contents of the SSERVER.REG_VMS command procedure:

Example 6-3 Contents of SSERVER.REG_VMS

$ Set noon
$ regcp :=  $regcp
$ crekey := $regcp create key
$ creval := $regcp create value
$ modval := $regcp modify value
$ lisval := $regcp list value
$ crekey HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}
$ creval HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606} -
              /data="DCOM server application SSERVER" /type=sz
$ creval HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}/name="AppID" -
              /data="{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}" /type=sz
$ crekey HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}\LaunchPermission
$ creval HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}\LaunchPermission -
              /data="Y" /type=sz
$ crekey HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}\LocalServer32
$ creval HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}\LocalServer32 -
              /data="DKA0::[SMITH]SSERVER.EXE" /type=sz
$

6.3 Running DCOM$CNFG

DCOM$CNFG is a utility to help COM developers configure and manage COM for OpenVMS applications on OpenVMS. Use the DCOM$CNFG utility to query information and manipulate properties of COM for OpenVMS applications.

To use the DCOM$CNFG utility, choose option 1 from the DCOM$SETUP menu.

Note

Before running the DCOM$CNFG utility, you must:
  • Have OpenVMS Registry Read access to read application properties, and Write access to modify application properties.
  • Ensure that the ACME server is running on the current system. The ACME server must be running to view and change application security properties. For more information, see Table 4-1.
  • Acquire Windows security credentials before you can change an application identity. For more information, see Section 8.2.

The system displays the DCOM$CNFG Main menu.

Figure 6-2 DCOM$CNFG Main Menu



---------------------------------------------------------
                DCOM$CNFG Main

   1 - Applications List
   2 - System-wide Default Properties
   3 - System-wide Default Security

   (E to Exit)
   (H for Help)

   Enter <CTRL-Z> or 'E' to return to the previous menu at any time

   Please enter your choice:
---------------------------------------------------------

The options are as follows:

  • 1 - Applications List
    Lists all applications registered on this machine. For more information about this option, see Section 6.3.1.
  • 2 - System-wide Default Properties
    Allows you to set systemwide machine properties. For more information about this option, see Section 6.3.5.
  • 3 - System-wide Default Security
    Allows you to set systemwide security parameters. For more information about this option, see Section 6.3.6.

6.3.1 The DCOM$CNFG Application List Submenu

To display this submenu, from the DCOM$CNFG Main menu, choose option 1.

The system displays the Applications List submenu.

Figure 6-3 Applications List Submenu



---------------------------------------------------------
                Applications List

   Index    Name
    1      Inside COM, Chapter 11 Example
    2      application 2
    3      application 3
    .      ...
    .      ...
    .      ...

  (E to Exit to previous menu)
  (H for Help)

  Please enter Index number to select an Application:
---------------------------------------------------------

Enter a number to select an application. You can then view or configure its properties.

This option displays the Application Properties submenu.

Note

The system stores the Application Properties (Location, Security, and Identity) (see Figure 6-4) in a special key in the OpenVMS Registry that is associated with each application. You cannot change the Application Properties until you create this special key using the DCOM$CNFG utility. The DCOM$CNFG utility creates this special key when the utility discovers a newly registered application. In this case, the DCOM$CNFG user must have acquired Windows security credentials for an account that is a member of the Administrator group. Otherwise, the key will not be created. For more information about acquiring Windows credentials, see Section 8.2).

Use the following procedure to manage the Application Properties:

  1. Register the application.
  2. Do either of the following:
    • Acquire Windows security credentials for an account that is a member of the Administrator group and then run DCOM$CNFG.
    • Have a system administrator with the appropriate credentials run DCOM$CNFG.
  3. Run DCOM$CNFG from your own account to manage the properties.

Figure 6-4 Application Properties Submenu



------------------------------------------------------------------
               Application Properties

   General Properties of this DCOM Application

   Application name:  Inside COM, Chapter 11 Example
   Application id:    {0C092C2C-882C-11CF-A6BB-0080C7B2D682}
   Application type:  local server
   Local path:        DISK1:[SMITH.DISPATCH_SAMPLE1]CMPNT.EXE
   Type Library:      {D3011EE1-B997-11CF-A6BB-0080C7B2D682}
   version: 1.0  DISK1:[SMITH.DISPATCH_SAMPLE1]Server.tlb

   1 - Location    Machine to run application
   2 - Security    Security permissions for application
   3 - Identity    User account to use to run application

   (E to Exit to previous menu)
   (H for Help)

   Please enter Application Property you wish to change:
------------------------------------------------------------------

If the system cannot find the type library file or if the type library is unaccessible, the system displays an error message next to the type library file name.

The options are as follows:

  • 1 - Location: Machine to run application
    This option allows you to set or change the machine on which the COM application will run.
    The system displays the Application Location submenu.

    Figure 6-5 Application Location Submenu



    ---------------------------------------------------------
                    Application Location
    
       The following settings allow DCOM to locate the correct computer
       for this application. If more than one machine is selected then
       DCOM uses the first available one. Client applications may override
       these selections.
    
       Application name:  Inside COM, Chapter 11 Example
    
       1 - Run application on this computer (Yes/No)
               Current value: Yes
    
       2 - Run application on another computer
               Current value: Currently Disabled
    
       (E to Exit to previous menu)
       (H for Help)
    
       Please enter your choice:
    ---------------------------------------------------------
    

    The options are as follows:
    • 1 - Run application on this computer
      Indicates whether the application will be run on the local computer. Select the option to change the current value.
    • 2 - Run application on another computer
      Indicates that the application will be run on the specified computer. Select the option and enter one of the following:
      • A valid system name to change the current value.
      • A hyphen (-) to disable the value. This sets the field to "Currently Disabled."
  • 2 - Security: Security permissions for application
    This option allows you to set the following security properties:
    • Access permission: allow or deny access to users or groups to access this application.
    • Launch permission: allow or deny access to users or groups to run this application.
    • Configuration permission: identify users or groups who have read, write, or special access to the OpenVMS Registry area that contains information about the application.
  • 3 - Identity: User account to use to run application
    This option allows you to run the application server using the security context of the specified user account.
    The system displays the Application Identity submenu. See Section 6.3.4.

The system uses the systemwide default security values unless you specify a different setting.

The system displays the Application Security submenu.

Figure 6-6 Application Security Submenu



---------------------------------------------------------
                Application Security

   Application name:  Inside COM, Chapter 11 Example
   Current Access permissions:  Custom
   Current Launch permissions:  Custom
   Current Configuration permissions:  Default

   1 - Use Default Access permission
   2 - Edit Custom Access permission
   3 - Use Default Launch permission
   4 - Edit Custom Launch permission
   5 - Use Default Configuration permission
   6 - Edit Custom Configuration permission

   (E to Exit to previous menu)
   (H for Help)

   Please enter your choice:
---------------------------------------------------------

The options are as follows:

  • 1 - Use Default Access permission
    Sets the system to the default access permission values.
  • 2 - Edit Custom Access permission
    Displays the Registry Value Permissions submenu. This submenu allows you to view, add, modify, and delete access permission values for this application. For this set of submenus, see Section 6.3.2.
    The ACL Editor starts with the systemwide default values unless you previously set other values.
  • 3 - Use Default Launch permission
    Use the systemwide default launch permission values.
  • 4 - Edit Custom Launch permission
    Displays the Registry Value Permissions submenu. This submenu allows you to view, add, modify, and delete launch permission values for this application. For this set of submenus, see Section 6.3.2.
    The ACL Editor starts with the systemwide default values unless you previously set other values.
  • 5 - Use Default Configuration permission
    Use the systemwide configuration permission values.
  • 6 - Edit Custom Configuration permission
    The system displays the Registry Key Permissions submenu. This submenu allows you to view, add, modify, delete, and configure special access security permissions for this application. For this set of submenus, see Section 6.3.3.

6.3.2 Registry Value Permissions Submenus

To display this submenu:

  1. From the DCOM$CNFG menu, choose option 1.
  2. From the Applications List submenu, choose any application.
  3. From the Application Properties submenu, choose option 2.
  4. From the Application Security submenu, choose option 2 or 4.

Figure 6-7 Registry Value Permissions Submenu



---------------------------------------------------------
                Registry Value Permissions

   Application name: Inside COM, Chapter 11 Example
   Registry Value: LaunchPermission
   Owner: Administrator

   Index    Name                           Type of Access
     1      OPENVMS_DCOM\USER1                Deny
     2      BUILTIN\Administrators            Allow
     3      Everyone                          Allow
     4      NT AUTHORITY\SYSTEM               Allow
     5      OPENVMS_DCOM\USER2                Allow

        (Index Number to Delete or Modify Access)
        (A to Add to list)

        (E to Exit to previous menu)
        (H for Help)

        Please enter your choice:
---------------------------------------------------------

The options are as follows:

  • Index Number...
    To change or delete an access type, enter the corresponding index number. The system displays Edit Registry Value Permissions submenu. See Figure 6-8.
  • A to Add to List
    This option displays the Add Registry Value Permissions submenu. This submenu allows you to add a new entry to the OpenVMS Registry value's Access Control List. See Figure 6-9.

Figure 6-8 Edit Registry Value Permissions Submenu



---------------------------------------------------------
                Edit Registry Value Permissions

        Application name: Inside COM, Chapter 11 Example
        Registry Value: AccessPermission
        Owner: Administrator

        Name: OPENVMS_DCOM\USER1
        Type of Access: Deny

        1 - Delete entry from list
        2 - Change Access

        (E to Exit to previous menu)
        (H for Help)

        Please enter your choice:
---------------------------------------------------------

The options are as follows:

  • 1 - Delete entry from list
    Delete the entry from the Access Control List. If you delete all entries, you will deny access and launch permissions to everyone for the selected value.
  • 2 - Change Access
    Toggle the access type from Allow to Deny or Deny to Allow.

    Figure 6-9 Add Registry Value Permissions Submenu



    ---------------------------------------------------------
                  Add Registry Value Permissions
    
       Application name: Inside COM, Chapter 11 Example
       Registry Value: LaunchPermission
       Owner: ROLLO
    
       1 - Add Specific User or Group
       2 - Add Everyone
       3 - Add NT AUTHORITY\System
       4 - Add BUILTIN\Administrators
    
       (E to Exit to previous menu)
       (H for Help)
    
       Please enter your choice:
    ---------------------------------------------------------
    

    The options are as follows:
    • 1 - Add Specific User or Group
      Prompts for a user/group name and type of access. Specify the user name as domain\username or username if the account exists on the current domain.
    • 2 - Add Everyone
      Allow or Deny Everyone Access/Launch permission to the application.
    • 3 - Add NT AUTHORITY\System
      Allow or Deny System Access/Launch permission to the application.
    • 4 - Add BUILTIN\Administrators
      Allow or Deny Administrator Access/Launch permission to the application.

    When a user is part of two or more groups, Deny access takes precedence over Allow access .

6.3.3 Registry Key Permissions Submenus

To display this submenu:

  1. From the DCOM$CNFG menu, choose option 1.
  2. From the Applications List submenu, choose any application.
  3. From the Application Properties submenu, choose option 2.
  4. From the Application Security submenu, choose option 6.

Figure 6-10 Registry Key Permissions Submenu



---------------------------------------------------------
                Registry Key Permissions

   Application name: Inside COM, Chapter 11 Example
   Registry Key: Inside COM, Chapter 11 Example
   Owner: Administrator

   Index    Name                     Type of Access

   1     BUILTIN\Administrators      Full Control
   2     NT AUTHORITY\SYSTEM         Full Control
   3     CREATOR OWNER               Full Control
   4     Everyone                    Special Access
   5     OPENVMS_DCOM\USER1          Read

   (Index Number to Delete or Modify Access)
   (A to Add to list)

   (E to Exit to previous menu)
   (H for Help)

   Please enter your choice:
---------------------------------------------------------

The options are as follows:

  • Index Number...
    To change or delete an access type, enter the corresponding index number. The system displays Edit Registry Key Permissions submenu. See Figure 6-11.
  • A to Add to List
    This option displays the Add Registry Key Permissions submenu. This submenu allows you to add a new entry to the OpenVMS Registry key's Access Control List. See Figure 6-13.

Figure 6-11 Edit Registry Key Permissions Submenu



---------------------------------------------------------
                Edit Registry Key Permissions

   Application name: Inside COM, Chapter 11 Example
   Registry Key: Inside COM, Chapter 11 Example
   Owner: Administrator

   Name: BUILTIN\Administrators
   Type of Access: Full Control

   1 - Delete entry from list
   2 - Allow Full Control
   3 - Allow Read Access
   4 - Set/View Special Access

   (E to Exit to previous menu)
   (H for Help)

   Please enter your choice:
---------------------------------------------------------

The options are as follows:

  • 1 - Delete entry from list
    Delete the entry from the security permissions list. If you delete all entries, noone can access the key and only the owner can change the permissions.
  • 2 - Allow Full Control
    Allow the user to access, to edit, and to take ownership of the key.
  • 3 - Allow Read Access
    Allow the user to read the key but not to save any changes to it.
  • 4 - Set/View Special Access
    Displays the Special Access Registry Key Permissions submenu. This submenu allows you to set customized permissions for the selected user or groups. See Figure 6-12.

Figure 6-12 Special Access Registry Key Permissions Submenu



---------------------------------------------------------
                Special Access Registry Key Permissions

   Application name: Inside COM, Chapter 11 Example
   Registry Key: Inside COM, Chapter 11 Example

   Name: Everyone

   Type of Access                          Current Value

   0 - Query Value                           Yes
   1 - Set Value                             Yes
   2 - Create Subkey                         Yes
   3 - Enumerate Subkeys                     Yes
   4 - Notify                                Yes
   5 - Create Link                           No
   6 - Delete                                Yes
   7 - Write DACL                            No
   8 - Write Owner                           No
   9 - Read Control                          Yes

   (E to Exit to previous menu)
   (H for Help)

   Please enter your choice:
---------------------------------------------------------

The options are as follows:

  • 0 - Query Value
    Allow the user to read a value from the key.
  • 1 - Set Value
    Allow the user to set one or more values for the key.
  • 2 - Create Subkey
    Allow the user to create subkeys on the key.
  • 3 - Enumerate Subkeys
    Allow the user to identify the subkeys of the key.
  • 4 - Notify
    Allow the user to audit notification events from the key.
  • 5 - Create Link
    Allow the user to create a symbolic link in the key.
  • 6 - Delete
    Allow the user to delete the key.
  • 7 - Write DACL
    Allow the user access to the key to write a discretionary ACL to the key.
  • 8 - Write Owner
    Allow the user access to the key to take ownership of the key.
  • 9 - Read Control
    Allow the user access to the security information on the key.

Figure 6-13 Add Registry Key Permissions Submenu



---------------------------------------------------------
                Add Registry Key Permissions

   Application name: Inside COM, Chapter 11 Example
   Registry Key: Inside COM, Chapter 11 Example
   Owner: Administrator

   1 - Add Specific User or Group
   2 - Add Everyone
   3 - Add NT AUTHORITY\System
   4 - Add BUILTIN\Administrators

   (E to Exit to previous menu)
   (H for Help)

   Please enter your choice:
---------------------------------------------------------

The options are as follows:

  • 1 - Add Specific User or Group
    Prompts for a user/group name and type of access. Specify the user name as domain\username or username if the account exists on the current domain.
  • 2 - Add Everyone
    Allow Everyone Full Control or Read Access to the application.
  • 3 - Add NT AUTHORITY\System
    Allow System Full Control or Read Access to the application.
  • 4 - Add BUILTIN\Administrators
    Allow Administrator Full Control or Read Access to the application.

6.3.4 Application Identity Submenu

To display this submenu:

  1. From the DCOM$CNFG menu, choose option 1.
  2. From the Applications List submenu, choose any application.
  3. From the Application Properties submenu, choose option 3.

The system displays the Application Identity submenu.

Figure 6-14 Application Identity Submenu



---------------------------------------------------------
                Application Identity

   Which user account do you want to use to run this application?

   Application name:  Inside COM, Chapter 11 Example
   Current Identity:  NTLM Account OPENVMS_DCOM\USER2

   1 - Launching User
   2 - NTLM Account
   3 - OpenVMS Username
   4 - OpenVMS DCOM Guest Account

   (E to Exit to previous menu)
   (H for Help)

   Please enter account you wish to use:
---------------------------------------------------------

The options are as follows:

  • 1 - Launching User
    Specifies that the application will run using the security context of the user who started the application. This is the default if NTLM security is available.
  • 2 - NTLM Account
    Specifies that the application will run using the security context of the specified NTLM account. If you specify a valid User/Group name, the system prompts you for a password. The system checks that the password matches the password you used to log on (through NTA$LOGON ). If the passwords do not match, you can either continue and write this new password to the OpenVMS Registry or reenter a password that matches your logon password.

    Note

    If you enter a new password, the system does not synchronize the new password with any other password. You must synchronize the passwords manually.
    You must have the IMPERSONATE privilege for the password to be validated.
    You must have system write access (SYSPRV or REG$UPDATE) to the OpenVMS Registry to write the password to the database.
  • 3 - OpenVMS Username
    Specifies that the application will run using the security context of the specified OpenVMS account. This option is active only when you are using unauthenticated COM for OpenVMS.
  • 4 - OpenVMS DCOM Guest Account
    Specifies that the application will run using the security context of the OpenVMS DCOM Guest account. This option is active only when you are using unauthenticated COM for OpenVMS. If you are using unauthenticated COM for OpenVMS, this option is the default.

6.3.5 The DCOM$CNFG System-wide Default Properties Submenu

To display this submenu, from the DCOM$CNFG Main menu, choose option 2.

The system displays the System-wide Default Properties submenu.

Figure 6-15 System-wide Default Properties Submenu



---------------------------------------------------------
            System-wide Default Properties

   1 - Enable Distributed COM on this computer (Yes/No)
              Current value: Yes
   2 - Default Authentication Level
   3 - Default Impersonation Level


   (E to Exit to previous menu)
   (H for Help)

   Please enter your choice:
---------------------------------------------------------

The options are as follows:

  • 1 - Enable Distributed COM on this computer (Yes/No)
    Enables or disables COM on this computer.
  • 2 - Default Authentication Level
    Sets packet-level security on communications between applications. This systemwide default applies to all applications installed on this computer.

    Figure 6-16 Default Authentication Level Submenu



    ------------------------------------------------------------------
                    Default Authentication Level
    
       The Authentication Level specifies security at the packet level.
    
       Current value: Connect
    
          1 - Default
          2 - None
          3 - Connect
          4 - Call
          5 - Packet
          6 - Packet Integrity
    
          (E to Exit to previous menu)
          (H for Help)
    
        Please enter your choice:
    ------------------------------------------------------------------
    

    Enter a number to select the desired Authentication level. When installed, the system default for the Default Authentication Level is Connect .
  • 3 - Default Impersonation Level
    Specifies whether applications can determine who is calling them, and whether the application can perform operations using the client's identity.

    Figure 6-17 Default Impersonation Level Submenu



    ------------------------------------------------------------------
                    Default Impersonation Level
    
       The Impersonation Level specifies whether applications can determine
       who is calling them, and whether the application can perform
       operations using the client's identity.
    
       Current value: Identify
    
          1 - Anonymous
          2 - Identify
          3 - Impersonate
    
          (E to Exit to previous menu)
          (H for Help)
    
       Please enter your choice:
    ------------------------------------------------------------------
    

    Enter a number to select the desired Impersonation level. When installed, the system default for the Default Impersonation Level is Identify .

6.3.6 System-wide Default Security Submenu

To display this submenu, from the DCOM$CNFG Main Menu, choose option 3.

The system displays the System-wide Default Security submenu.

Figure 6-18 System-wide Default Security Submenu



------------------------------------------------------------------
                System-wide Default Security

        1 - Access Permissions Default
        2 - Launch Permissions Default
        3 - Configuration Permissions Default

        (E to Exit to previous menu)
        (H for Help)

        Please enter your choice:
------------------------------------------------------------------

The options are as follows:

  • 1 - Access Permissions Default :
    Displays the Registry Value Permissions submenu. This submenu allow you to view, add, modify, and delete Access permission values for the systemwide default for all applications.
  • 2 - Launch Permissions Default :
    Displays the Registry Value Permissions submenu. This submenu allows you to view, add, modify, and delete Launch Permission Values for the systemwide default for all applications. You must restart the COM for OpenVMS Service Control Manager for the new setting to take effect.
  • 3 - Configuration Permissions Default :
    Displays the security permission values for the HKEY_CLASSES_ROOT Registry key.

When you first install the system, by default only Administrator and System accounts have application launch and access permissions. HP recommends that you do not change these default settings. Typically you modify an individual application's launch and access security to grant or deny permissions to Everyone , various Groups , or even specific users. HP recommends this technique over adjusting the machinewide default security settings that affect all applications.

6.4 Registering In-Process Servers: DCOM$REGSVR32 Utility

All COM components (implemented as either an out-of-process server or as an in-process server) must be registered in the OpenVMS Registry before you can use them.

Out-of-process servers, which are implemented as executable programs ( .EXE files), usually contain code to register and unregister the components contained within them. The advantage an out-of-process server has over an in-process server is that you can run the executable and automatically create the necessary registry keys.

In-process servers, which are usually implemented as dynamic link libraries ( .DLL files) on Windows or as shareable images on OpenVMS, also contain code to register and unregister the components within them automatically. However, these in-process servers cannot be run the same way as an executable image because they do not contain a main entry point. As a result, you must manually register the components contained within a .DLL , or create a command procedure to perform the registration.

Microsoft provides the REGSVR32 utility that you can use to register the components contained within a DLL. REGSVR32 takes as a command line argument the following:

  • DLL name
  • Switches to register or unregister the components

When registering a DLL's components, REGSVR32 searches the specified DLL for the DllRegisterServer symbol and, if found, calls it. When unregistering a DLL, REGSVR32 calls DllUnregisterServer . This means that all in-process components that you want to register automatically must include these two entry points in their export files.

To facilitate the registration of components contained within shareable images on OpenVMS systems, HP created the DCOM$REGSVR32 utility. The DCOM$REGSVR32 utility does the same things that the Microsoft REGSVR32 utility does. Any shareable images that contain components to be registered must also include the DllRegisterServer and DllUnregisterServer universal symbols in their symbol vectors. Both the DCOM$REGSVR32 and the REGSVR32 utilities use the same command line syntax.

During the COM for OpenVMS installation, the system places the DCOM$REGSVR32.EXE file in the SYS$SYSTEM directory.

Before you use the DCOM$REGSVR32 utility, you must define a symbol that allows the utility to accept foreign command lines. For example:


$ regsvr32 :== $DCOM$REGSVR32

You can use either method to activate the utility, and register or unregister components contained in shareable images.

To display help for DCOM$REGSVR32, enter the following:


$ regsvr32 -?

Table 6-1 summarizes the DCOM$REGSVR32 command line options.

Table 6-1 DCOM$REGSVR32 Command Line Options
Switch Use
-?, /? Display help file (this table).
shareable-image-name Register the specified shareable image name.
-u or /u image-name Unregister the specified shareable image name.

Note

The DCOM$REGSVR32 utility requires that the shareable image name contain a full directory specification.

Example 6-4 demonstrates how to register an in-process component (contained within a shareable image) using the DCOM$REGSVR32 utility.

Example 6-4 Registering a Component Using the DCOM$REGSVR32 Utility

$ regsvr32 USER$DISK:[SEYMOUR.DISPATCH_SAMPLE1]CMPNT$SHR.EXE
Class factory:          Create self.
DllRegisterServer:      Registering Server DLL
Creating key CLSID\{0C092C2C-882C-11CF-A6BB-0080C7B2D682}
Creating key CLSID\{0C092C2C-882C-11CF-A6BB-0080C7B2D682}\InProcServer32
Creating key CLSID\{0C092C2C-882C-11CF-A6BB-0080C7B2D682}\ProgID
Creating key CLSID\{0C092C2C-882C-11CF-A6BB-0080C7B2D682}\VersionIndependentProgID
Creating key CLSID\{0C092C2C-882C-11CF-A6BB-0080C7B2D682}\TypeLib
Creating key InsideCOM.Chap11
Creating key InsideCOM.Chap11\CLSID
Creating key InsideCOM.Chap11\CurVer

Creating key InsideCOM.Chap11.1
Creating key InsideCOM.Chap11.1\CLSID
Class factory:          Destroy self.

Example 6-5 demonstrates how to unregister an in-process component (contained within a shareable image) using the DCOM$REGSVR32 utility.

Example 6-5 Unregistering a Component Using the DCOM$REGSVR32 Utility

$ regsvr32 /u USER$DISK:[SEYMOUR.DISPATCH_SAMPLE1]CMPNT$SHR.EXE

Class factory:          Create self.
DllUnregisterServer:    Unregistering Server DLL
Deleting key InProcServer32
Deleting key ProgID
Deleting key VersionIndependentProgID
Deleting key TypeLib
Deleting key LocalServer32
Deleting key CLSID\{0C092C2C-882C-11CF-A6BB-0080C7B2D682}
Deleting key CLSID
Deleting key CurVer
Deleting key InsideCOM.Chap11
Deleting key CLSID
Deleting key InsideCOM.Chap11.1
Class factory:          Destroy self.


Previous Next Contents Index