|
HP OpenVMS Systems |
|
COM, Registry, and Events for
|
| Previous | Contents | Index |
COM V1.1-A and higher for OpenVMS supports NTLM (NT LAN Manager) authentication for controlling access to COM objects.
Processes that execute client and server applications must obtain Windows credentials in order to be authenticated. Processes created automatically by DCOM$RPCSS to execute server applications obtain Windows credentials based on the Registry settings for the server being launched. Interactive processes that are used to execute client and server applications must obtain Windows credentials by running the NTA$LOGON utility (see Section 8.2).
This chapter applies to COM for OpenVMS in authenticated mode. See Appendix E for information about running COM for OpenVMS in an unauthenticated environment.
This chapter discusses the following topics:
NTLM authentication on OpenVMS is implemented in three major components of the operating system (see Section 4.10).
The ACME server, RPC, and SSPI are installed as part of the OpenVMS operating system and require no special configuration. Advanced Server for OpenVMS must be installed as a layered product and must be configured to support NTLM authentication for COM applications (see Section 4.4).
After installing Advanced Server for OpenVMS, you must create Windows domain accounts that will be used to execute COM applications. You must also map the Windows domain accounts to OpenVMS accounts.
The Advanced Server ADMINISTER utility is used to create Windows domain accounts. For example, to create the Windows domain account NTUSER1, use the following command:
$ ADMINISTER ADD USER NTUSER1 /PASSWORD="pppppp" /FLAG=NOPWDEXPIRED |
The password is case sensitive, so it is enclosed in quotation marks in order to maintain case. A password without quotation marks is converted to uppercase. By default, Windows domain accounts are created with the password pre-expired, thus forcing the user to change the password at the first login. The NOPWDEXPIRED flag overrides this default.
A hostmap entry defines the association between a Windows user account and a local OpenVMS user account. When OpenVMS authenticates a Windows user, OpenVMS uses the hostmap entry to map the OpenVMS user account to the Windows user account and build the local OpenVMS user profile and the Windows NT user profile. If no hostmap entry exists, OpenVMS uses the Windows user account name as the local OpenVMS user account name.
Use the HP Advanced Server for OpenVMS ADMINISTER utility to define hostmap information. For example, to map the Windows domain account NTUSER1 to the OpenVMS account VMSUSER1, use the following command:
$ ADMINISTER ADD HOSTMAP NTUSER1 VMSUSER1 |
If the OpenVMS account does not already exist, you must create the account using the OpenVMS Authorize utility (AUTHORIZE). The OpenVMS account must have the EXTAUTH flag set, or the IGNORE_EXTAUTH flag (bit 11, %X0800) must be set in the SECURITY_POLICY SYSGEN parameter (see Section 5.1). This policy allows the OpenVMS system manager to control which OpenVMS user accounts can be used with Windows authentication. For example, to set the EXTAUTH flag for an OpenVMS account VMSUSER1, use the following command. For example:
$ AUTHORIZE == "$AUTHORIZE" $ AUTHORIZE MODIFY VMSUSER1 /FLAG=EXTAUTH |
The EXTAUTH flag also directs LOGINOUT.EXE to use external authentication to authenticate an OpenVMS user during the login process (that is, local, dialup, remote, interactive, and network logins). When you set the EXTAUTH flag, LOGINOUT.EXE uses external authentication, not the OpenVMS SYSUAF.DAT record, to verify the user name and password.
LOGINOUT external authentication always requires that you set the
EXTAUTH flag in the SYSUAF account record. Unlike
NTA$LOGON
and authenticated RPC, you cannot override this requirement using the
IGNORE_EXTAUTH flag.
5.1.2 DCE Integrated Login Restriction
A site cannot use both external authentication and the older
LGI-callout feature on the same system. If you have an LGI-callout
image installed, external authentication is disabled for login
purposes. Because DCE integrated login uses the LGI-callout mechanism,
OpenVMS does not allow logins using Windows-based external
authentication if DCE integrated login is enabled.
5.2 Cross-Domain Configuration
You can run a COM application on a system in one domain and have the application authenticated by a system in a second domain.
To configure authentication across Windows domains, you must do the following:
Example 5-1 shows how you can set up the HostMapDomains parameter. In this example, there are two domains: DOMAIN_1 and DOMAIN_2 . Domain DOMAIN_2 is running HP Advanced Server for OpenVMS; domain DOMAIN_1 is a Windows domain. The commands in Example 5-1 introduce DOMAIN_2 to DOMAIN_1 .
| Example 5-1 Sample: Setting Up HostMapDomains |
|---|
SYSJANE$ show sym regutl REGUTL == "$SYS$SYSTEM:PWRK$REGUTL.EXE" SYSJANE$ regutl REGUTL> SET PARAM /CREATE VMSSERVER HOSTMAPDOMAINS DOMAIN_1 REGUTL> SHOW VALUE * HOSTMAPDOMAINS Key: SYSTEM\CurrentControlSet\Services\AdvancedServer\UserServiceParameters Value: HostmapDomains Type: String Current Data: DOMAIN_1 |
After the Windows domain account and the OpenVMS account have been set up as described in Section 5.1, you can log in to the OpenVMS account using the usual OpenVMS login procedures. You can then acquire Windows credentials using the NTA$LOGON utility. For example:
$ NTA$LOGON == "$NTA$LOGON" $ NTA$LOGON NTUSER1 "pppppp" |
In this format, pppppp is the password you specified when you created the Windows domain account. The password is enclosed in quotation marks to preserve case. A password without quotation marks is converted to lowercase. If the user name or password is not specified on the command line, the program prompts the user for the required input (see Section 8.2).
To acquire Windows credentials using NTA$LOGON , you must be logged in to the OpenVMS account to which the Advanced Server account is hostmapped. If not are not logged in, you must have the IMPERSONATE privilege and use the NTA$LOGON /OVERRIDE_MAPPING option. For example:
$ NTA$LOGON == "$NTA$LOGON" $ NTA$LOGON /OVERRIDE_MAPPING NTUSER2 "pppppp" |
To determine whether a process has Windows credentials, use the NTA$LOGON utility with the /LIST switch. For example:
$ NTA$LOGON == "$NTA$LOGON" $ NTA$LOGON /LIST |
The COM security model allows the creation of secure distributed applications. COM security can be enabled by using settings in the OpenVMS Registry and by using COM security APIs and interfaces. There are two primary areas of security that can be applied to COM applications: launch security and activation security.
Launch security and activation security have system default settings;
application-specific settings override these defaults. The settings are
stored in the Registry and are maintained by using the
DCOMCNFG
utility on Windows and by using the
DCOMCNFG
option of
DCOM$SETUP.COM
on OpenVMS. The COM API CoInitializeSecurityEx can be used from within
an application to enhance or override the Registry settings.
5.4.1 Launch Security
Launch security determines which Windows domain accounts can be used to
create, or "launch" server processes. The launch security
settings are referenced when a COM request is received on a system that
will result in the launching of a server process to satisfy the
request. These settings can explicitly or implicitly allow or disallow
a user request to launch a server. The
DCOM$RPCSS
process authenticates the incoming request to determine the identity of
the client. If
DCOM$RPCSS
determines that it needs to launch a server process to satisfy the
request,
DCOM$RPCSS
allows or disallows the launching of the server based on the identity
of the client and the launch security settings.
5.4.2 Activation Security
Activation security determines which Windows domain accounts can be
used to execute method calls in server applications. The activation
security settings are referenced when a COM request is received on a
system for a method call in an existing server process. The server
process authenticates the incoming request to determine the identity of
the client. The server process allows or disallows the execution of the
method call based on the identity of the client and the activation
security settings.
5.4.3 Server Process Identity
A server process created by DCOM$RPCSS on OpenVMS is a detached process that has an OpenVMS identity and follows all the OpenVMS security rules for a detached process. In addition, it has a network identity that is used to enforce the COM security model (see Section 5.5).
COM servers create separate server threads to execute each client
request. These server threads have their own OpenVMS identity and
network identity, based on the identity of the client. When a server
thread is executing a request on behalf of a client, it is the thread's
identities, not the process' identities, that are used to enforce
security.
5.4.4 Domain Issues
Two systems running COM client and server applications can exist in one of three possible domain configurations:
The ability for servers and DCOM$RPCSS to authenticate client requests are affected by the domain configurations. When both systems are in the same domain or when the systems are in separate but trusted domains there is no problem authenticating. The trusted domain configuration is a bit more complex and requires that the trusts and mappings be configured correctly but once configured, there is no trouble authenticating (see Section 5.2).
Systems in separate, nontrusted domains or systems not in any domain cannot be authenticated using the normal mechanisms. To run authenticated COM applications between such systems, you must pass authentication information (user name and password) from the client to the server. COM provides this capability in the CoCreateInstanceEx API. The pServerInfo parameter of the CoCreateInstanceEx API allows you to specify a user name and password to be used for authentication on the remote server system. The user name and password are part of the COAUTHIDENTITY structure, within the COAUTHINFO structure within the COSERVERINFO structure, that is passed as the pServerInfo parameter to CoCreateInstanceEx.
Section C.3 shows how you can authenticate a remote client that is neither in the server's domain nor in a domain that has a trust with the server's domain.
The current NTLM security implementation on OpenVMS does not support
this feature for COM client applications on OpenVMS. This feature is
supported for COM clients on Windows that communicate with COM servers
on OpenVMS. To run COM client applications on OpenVMS where the server
is not in the same domain or in a trusted domain, you must disable
authentication for the application, as described in Section 5.4.5.
5.4.5 Disabling Authentication
Under certain conditions, you may want to disable authentication between a client and server applications. This feature disables many of the security features of COM and of the operating system and should not be used in an environment where security is required. There are two ways to disable authentication for COM applications:
The server must be configured to run with a specific NTLM account
identity. Since the client will not be authenticated, there is no way
for the server to run with a client's identity. To configure a server
to run with a specific NTLM identity, use
DCOMCNFG
and change the application properties to select the NTLM account.
5.4.6 Access Denied Problems (80070005)
The most common security error a COM application will encounter is access denied (error status value 80070005). The following is a list of the most common causes of this error:
$ ADMINISTER SHOW HOSTMAP |
$ ADMINISTER SHOW TRUST |
When DCOM$RPCSS launches a server in response to a client request for a COM object, DCOM$RPCSS creates a detached process and executes either the server image or server command file in the context of the detached process. The image or command file that is executed is determined by the value of the Registry key HKEY_CLASSES_ROOT\CLSID\{iid}\LocalServer32, where iid is the unique identifier of the COM object.
The run-time environment of the detached process is as follows:
$! RUN_CMPNT.COM $! Command file to run SAMPLE1 $ set default DKA0:[SAMPLE1] $ define sys$output DKA0:[SAMPLE1]SAMPLE1.LOG $ ! Other definitions as needed $ RUN CMPNT.EXE $ exit |
This chapter describes how to configure your OpenVMS system (and, optionally, your Windows system) to develop and deploy COM applications. It describes the following COM for OpenVMS utilities:
This chapter also includes information about configuring OpenVMS and Windows systems to interoperate.
Before you configure COM for OpenVMS on your OpenVMS system, you must install and configure required components and install COM for OpenVMS. See Chapter 4 for information about these steps. |
DCOM$SETUP is a collection of tools to help a system manager configure the COM for OpenVMS system environment.
DCOM$SETUP Conventions and Requirements
To run DCOM$SETUP , enter @SYS$STARTUP:DCOM$SETUP at the OpenVMS system prompt.
The system displays the OpenVMS COM Tools menu.
Figure 6-1 DCOM$SETUP OpenVMS COM Tools Menu
---------------------------------------------------------
OpenVMS COM Tools
1) DCOMCNFG, COM Configuration Properties
2) GUIDGEN, Globally Unique Identifier Generator
3) Populate the Registry database for COM
4) Start the COM server
5) Stop the COM server
6) Register a COM application
7) Create the DCOM$GUEST account and directory
8) Configure the DCOM$RPCSS accounts
H) Help
E) Exit
Please enter your choice:
---------------------------------------------------------
|
To choose an option, enter the option number. The options are as follows:
To display these functions, choose option 8 from the OpenVMS COM Tools menu. The system displays the following:
---------------------------------------------------------
Configure the COM for OpenVMS Service Control Manager (DCOM$RPCSS) accounts
1) Create the DCOM$RPCSS account in both the SYSUAF database and the
Advanced Server for OpenVMS SAM database. The password you specify
for the new DCOM$RPCSS user is stored in a protected file.
2) Update the DCOM$RPCSS user password in the COM for OpenVMS Service
Control Manager password file.
E) Exit
Please enter your choice:
---------------------------------------------------------
|
Enter one of the following:
The system creates this account in the HP Advanced Server for OpenVMS database with a password that will not expire. To change this behavior (that is, modify the account so that the password expires according to the HP Advanced Server for OpenVMS User Policy), use the following procedure:
To determine the maximum password age in the HP Advanced Server for OpenVMS User Policy, enter the following ADMIN command:
If you change the HP Advanced Server for OpenVMS password of the DCOM$RPCSS account, you must update the password in the COM for OpenVMS Service Control Manager password file. (See option 2 [Update the DCOM$RPCSS user password].) |
To create a new account, you must be logged on to an existing
Advanced Server for OpenVMS account that is capable of adding
new users.
Enter Y[ES] to log on to this account:
|
Enter username: JOSEPHM Password: Confirm password: |
Enter the new DCOM$RPCSS password.
Enter password:
Confirm password:
|
%PWRK-S-USERADD, user "DCOM$RPCSS" added to domain "DCOM1_DOMAIN" Username: DCOM$RPCSS Owner: COM Account: UIC: [37776,1] ([DCOM$RPCSS]) CLI: DCL Tables: DCLTABLES Default: SYS$SYSDEVICE:[DCOM$RPCSS] LGICMD: Flags: ExtAuth Primary days: Mon Tue Wed Thu Fri Secondary days: Sat Sun No access restrictions Expiration: (none) Pwdminimum: 6 Login Fails: 0 Pwdlifetime: (none) Pwdchange: (pre-expired) Last Login: (none) (interactive), (none) (non-interactive) Maxjobs: 0 Fillm: 100 Bytlm: 64000 Maxacctjobs: 0 Shrfillm: 0 Pbytlm: 0 Maxdetach: 0 BIOlm: 150 JTquota: 4096 Prclm: 8 DIOlm: 150 WSdef: 1024 Prio: 4 ASTlm: 250 WSquo: 4000 Queprio: 4 TQElm: 10 WSextent: 8000 CPU: (none) Enqlm: 2000 Pgflquo: 130000 Authorized Privileges: NETMBX TMPMBX Default Privileges: NETMBX TMPMBX %PWRK-S-HOSTMAPADD, user "DCOM$RPCSS" mapped to host user "DCOM$RPCSS" Press RETURN to continue: |
Enter the new DCOM$RPCSS password.
Enter password:
Confirm password:
|
COM for OpenVMS requires that the COM server process ( DCOM$RPCSS ) always be running. The DCOM$RPCSS process on OpenVMS provides the same functions for the COM run-time environment that the RPCSS process provides on Microsoft Windows, including the following:
To start DCOM$RPCSS , either use DCOM$SETUP option 4 ("Start") (see Section 6.2) or call the COM for OpenVMS startup procedure directly from SYS$STARTUP:DCOM$STARTUP . See Section 4.13 for information on starting COM for OpenVMS.
To stop
DCOM$RPCSS
on your system, either use the
DCOM$SETUP
option 5 ("Stop") (see Section 6.2) or call the COM for
OpenVMS shutdown procedure directly from
SYS$STARTUP:DCOM$SHUTDOWN
. See Section 4.14 for information on shutting down COM for OpenVMS.
6.2.3 Registering an Application
The following example shows how to register the COM for OpenVMS "Simple" application included on the COM for OpenVMS kit. You can use the resulting Windows file to register the server on a Windows system as long as the application is available on your Windows system.
To build the "Simple" application on a Windows system, see and execute the instructions in the README-SIMPLE.TXT file in DCOM$EXAMPLES:[SIMPLE] .
You must build and compile the application before you can register it. For complete details, see the step-by-step example in DCOM$EXAMPLES:[SIMPLE] included in the COM for OpenVMS kit. |
Use the following procedure:
The "Simple" application already has a CLSID. |
| Example 6-1 Sample" Simple" Application Registration on OpenVMS |
|---|
Enter server type (1. In-Proc 2. Out-Proc): 2 [Return]
Enter Local Path (device:[directory]filename.ext): DKA0:[SMITH]SSERVER.EXE [Return]
Enter Application Name (<RETURN> to assign default): COM Simple Server [Return]
Does the server have a CLSid {GUID} (Yes/No) [N]: Y [Return]
Enter the CLSid (i.e. {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}:
{5e9ddec7-5767-11cf-beab-00aa006c3606} [Return]
Verify Application Information:
Application Name: COM SIMPLE SERVER
Local Path: DKA0:[SMITH]SSERVER.EXE
Application ID: {5E9DDEC7-5767-11CF-BEAB-00AA006C3606}
Is the information correct (Yes/No) [Y]: [Return]
Register application (Yes/No)? [Y]: [Return]
SETUP-I-NEWFILES, The following files have been created:
DKA0:[SMITH]SSERVER.REG_NT
DKA0:[SMITH]SSERVER.REG_VMS
SETUP-I-SRVIN, Server has been registered
Press RETURN to continue: [Return]
|
To register the "Simple" application on a Windows system, use the following procedure:
Example 6-2 shows the contents of SSERVER.REG_NT .
| Example 6-2 Contents of SSERVER.REG_NT |
|---|
REGEDIT
HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}\ = DCOM server application SSERVER
HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}\LaunchPermission = Y
HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}\LocalServer32 = DEVICE:\SSERVER
|
To reregister the "Simple" application on an OpenVMS system, enter the following command at the system prompt:
$ @SSERVER.REG_VMS |
Example 6-3 shows the contents of the SSERVER.REG_VMS command procedure:
| Example 6-3 Contents of SSERVER.REG_VMS |
|---|
$ Set noon
$ regcp := $regcp
$ crekey := $regcp create key
$ creval := $regcp create value
$ modval := $regcp modify value
$ lisval := $regcp list value
$ crekey HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}
$ creval HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606} -
/data="DCOM server application SSERVER" /type=sz
$ creval HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}/name="AppID" -
/data="{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}" /type=sz
$ crekey HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}\LaunchPermission
$ creval HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}\LaunchPermission -
/data="Y" /type=sz
$ crekey HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}\LocalServer32
$ creval HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}\LocalServer32 -
/data="DKA0::[SMITH]SSERVER.EXE" /type=sz
$
|
DCOM$CNFG is a utility to help COM developers configure and manage COM for OpenVMS applications on OpenVMS. Use the DCOM$CNFG utility to query information and manipulate properties of COM for OpenVMS applications.
To use the DCOM$CNFG utility, choose option 1 from the DCOM$SETUP menu.
Before running the DCOM$CNFG utility, you must:
|
The system displays the DCOM$CNFG Main menu.
Figure 6-2 DCOM$CNFG Main Menu
---------------------------------------------------------
DCOM$CNFG Main
1 - Applications List
2 - System-wide Default Properties
3 - System-wide Default Security
(E to Exit)
(H for Help)
Enter <CTRL-Z> or 'E' to return to the previous menu at any time
Please enter your choice:
---------------------------------------------------------
|
To display this submenu, from the DCOM$CNFG Main menu, choose option 1.
The system displays the Applications List submenu.
Figure 6-3 Applications List Submenu
---------------------------------------------------------
Applications List
Index Name
1 Inside COM, Chapter 11 Example
2 application 2
3 application 3
. ...
. ...
. ...
(E to Exit to previous menu)
(H for Help)
Please enter Index number to select an Application:
---------------------------------------------------------
|
Enter a number to select an application. You can then view or configure its properties.
This option displays the Application Properties submenu.
The system stores the Application Properties (Location, Security, and Identity) (see Figure 6-4) in a special key in the OpenVMS Registry that is associated with each application. You cannot change the Application Properties until you create this special key using the DCOM$CNFG utility. The DCOM$CNFG utility creates this special key when the utility discovers a newly registered application. In this case, the DCOM$CNFG user must have acquired Windows security credentials for an account that is a member of the Administrator group. Otherwise, the key will not be created. For more information about acquiring Windows credentials, see Section 8.2). Use the following procedure to manage the Application Properties:
|
Figure 6-4 Application Properties Submenu
------------------------------------------------------------------
Application Properties
General Properties of this DCOM Application
Application name: Inside COM, Chapter 11 Example
Application id: {0C092C2C-882C-11CF-A6BB-0080C7B2D682}
Application type: local server
Local path: DISK1:[SMITH.DISPATCH_SAMPLE1]CMPNT.EXE
Type Library: {D3011EE1-B997-11CF-A6BB-0080C7B2D682}
version: 1.0 DISK1:[SMITH.DISPATCH_SAMPLE1]Server.tlb
1 - Location Machine to run application
2 - Security Security permissions for application
3 - Identity User account to use to run application
(E to Exit to previous menu)
(H for Help)
Please enter Application Property you wish to change:
------------------------------------------------------------------
|
If the system cannot find the type library file or if the type library is unaccessible, the system displays an error message next to the type library file name.
Figure 6-5 Application Location Submenu
---------------------------------------------------------
Application Location
The following settings allow DCOM to locate the correct computer
for this application. If more than one machine is selected then
DCOM uses the first available one. Client applications may override
these selections.
Application name: Inside COM, Chapter 11 Example
1 - Run application on this computer (Yes/No)
Current value: Yes
2 - Run application on another computer
Current value: Currently Disabled
(E to Exit to previous menu)
(H for Help)
Please enter your choice:
---------------------------------------------------------
|
The system uses the systemwide default security values unless you specify a different setting.
The system displays the Application Security submenu.
Figure 6-6 Application Security Submenu
---------------------------------------------------------
Application Security
Application name: Inside COM, Chapter 11 Example
Current Access permissions: Custom
Current Launch permissions: Custom
Current Configuration permissions: Default
1 - Use Default Access permission
2 - Edit Custom Access permission
3 - Use Default Launch permission
4 - Edit Custom Launch permission
5 - Use Default Configuration permission
6 - Edit Custom Configuration permission
(E to Exit to previous menu)
(H for Help)
Please enter your choice:
---------------------------------------------------------
|
The options are as follows:
To display this submenu:
Figure 6-7 Registry Value Permissions Submenu
---------------------------------------------------------
Registry Value Permissions
Application name: Inside COM, Chapter 11 Example
Registry Value: LaunchPermission
Owner: Administrator
Index Name Type of Access
1 OPENVMS_DCOM\USER1 Deny
2 BUILTIN\Administrators Allow
3 Everyone Allow
4 NT AUTHORITY\SYSTEM Allow
5 OPENVMS_DCOM\USER2 Allow
(Index Number to Delete or Modify Access)
(A to Add to list)
(E to Exit to previous menu)
(H for Help)
Please enter your choice:
---------------------------------------------------------
|
The options are as follows:
Figure 6-8 Edit Registry Value Permissions Submenu
---------------------------------------------------------
Edit Registry Value Permissions
Application name: Inside COM, Chapter 11 Example
Registry Value: AccessPermission
Owner: Administrator
Name: OPENVMS_DCOM\USER1
Type of Access: Deny
1 - Delete entry from list
2 - Change Access
(E to Exit to previous menu)
(H for Help)
Please enter your choice:
---------------------------------------------------------
|
The options are as follows:
Figure 6-9 Add Registry Value Permissions Submenu
---------------------------------------------------------
Add Registry Value Permissions
Application name: Inside COM, Chapter 11 Example
Registry Value: LaunchPermission
Owner: ROLLO
1 - Add Specific User or Group
2 - Add Everyone
3 - Add NT AUTHORITY\System
4 - Add BUILTIN\Administrators
(E to Exit to previous menu)
(H for Help)
Please enter your choice:
---------------------------------------------------------
|
To display this submenu:
Figure 6-10 Registry Key Permissions Submenu
---------------------------------------------------------
Registry Key Permissions
Application name: Inside COM, Chapter 11 Example
Registry Key: Inside COM, Chapter 11 Example
Owner: Administrator
Index Name Type of Access
1 BUILTIN\Administrators Full Control
2 NT AUTHORITY\SYSTEM Full Control
3 CREATOR OWNER Full Control
4 Everyone Special Access
5 OPENVMS_DCOM\USER1 Read
(Index Number to Delete or Modify Access)
(A to Add to list)
(E to Exit to previous menu)
(H for Help)
Please enter your choice:
---------------------------------------------------------
|
The options are as follows:
Figure 6-11 Edit Registry Key Permissions Submenu
---------------------------------------------------------
Edit Registry Key Permissions
Application name: Inside COM, Chapter 11 Example
Registry Key: Inside COM, Chapter 11 Example
Owner: Administrator
Name: BUILTIN\Administrators
Type of Access: Full Control
1 - Delete entry from list
2 - Allow Full Control
3 - Allow Read Access
4 - Set/View Special Access
(E to Exit to previous menu)
(H for Help)
Please enter your choice:
---------------------------------------------------------
|
The options are as follows:
Figure 6-12 Special Access Registry Key Permissions Submenu
---------------------------------------------------------
Special Access Registry Key Permissions
Application name: Inside COM, Chapter 11 Example
Registry Key: Inside COM, Chapter 11 Example
Name: Everyone
Type of Access Current Value
0 - Query Value Yes
1 - Set Value Yes
2 - Create Subkey Yes
3 - Enumerate Subkeys Yes
4 - Notify Yes
5 - Create Link No
6 - Delete Yes
7 - Write DACL No
8 - Write Owner No
9 - Read Control Yes
(E to Exit to previous menu)
(H for Help)
Please enter your choice:
---------------------------------------------------------
|
The options are as follows:
Figure 6-13 Add Registry Key Permissions Submenu
---------------------------------------------------------
Add Registry Key Permissions
Application name: Inside COM, Chapter 11 Example
Registry Key: Inside COM, Chapter 11 Example
Owner: Administrator
1 - Add Specific User or Group
2 - Add Everyone
3 - Add NT AUTHORITY\System
4 - Add BUILTIN\Administrators
(E to Exit to previous menu)
(H for Help)
Please enter your choice:
---------------------------------------------------------
|
The options are as follows:
To display this submenu:
The system displays the Application Identity submenu.
Figure 6-14 Application Identity Submenu
---------------------------------------------------------
Application Identity
Which user account do you want to use to run this application?
Application name: Inside COM, Chapter 11 Example
Current Identity: NTLM Account OPENVMS_DCOM\USER2
1 - Launching User
2 - NTLM Account
3 - OpenVMS Username
4 - OpenVMS DCOM Guest Account
(E to Exit to previous menu)
(H for Help)
Please enter account you wish to use:
---------------------------------------------------------
|
If you enter a new password, the system does not synchronize the new password with any other password. You must synchronize the passwords manually. You must have the IMPERSONATE privilege for the password to be validated. You must have system write access (SYSPRV or REG$UPDATE) to the OpenVMS Registry to write the password to the database. |
To display this submenu, from the DCOM$CNFG Main menu, choose option 2.
The system displays the System-wide Default Properties submenu.
Figure 6-15 System-wide Default Properties Submenu
---------------------------------------------------------
System-wide Default Properties
1 - Enable Distributed COM on this computer (Yes/No)
Current value: Yes
2 - Default Authentication Level
3 - Default Impersonation Level
(E to Exit to previous menu)
(H for Help)
Please enter your choice:
---------------------------------------------------------
|
Figure 6-16 Default Authentication Level Submenu
------------------------------------------------------------------
Default Authentication Level
The Authentication Level specifies security at the packet level.
Current value: Connect
1 - Default
2 - None
3 - Connect
4 - Call
5 - Packet
6 - Packet Integrity
(E to Exit to previous menu)
(H for Help)
Please enter your choice:
------------------------------------------------------------------
|
Figure 6-17 Default Impersonation Level Submenu
------------------------------------------------------------------
Default Impersonation Level
The Impersonation Level specifies whether applications can determine
who is calling them, and whether the application can perform
operations using the client's identity.
Current value: Identify
1 - Anonymous
2 - Identify
3 - Impersonate
(E to Exit to previous menu)
(H for Help)
Please enter your choice:
------------------------------------------------------------------
|
To display this submenu, from the DCOM$CNFG Main Menu, choose option 3.
The system displays the System-wide Default Security submenu.
Figure 6-18 System-wide Default Security Submenu
------------------------------------------------------------------
System-wide Default Security
1 - Access Permissions Default
2 - Launch Permissions Default
3 - Configuration Permissions Default
(E to Exit to previous menu)
(H for Help)
Please enter your choice:
------------------------------------------------------------------
|
The options are as follows:
When you first install the system, by default only
Administrator
and
System
accounts have application launch and access permissions. HP recommends
that you do not change these default settings. Typically you modify an
individual application's launch and access security to grant or deny
permissions to
Everyone
, various
Groups
, or even specific users. HP recommends this technique over adjusting
the machinewide default security settings that affect all applications.
6.4 Registering In-Process Servers: DCOM$REGSVR32 Utility
All COM components (implemented as either an out-of-process server or as an in-process server) must be registered in the OpenVMS Registry before you can use them.
Out-of-process servers, which are implemented as executable programs ( .EXE files), usually contain code to register and unregister the components contained within them. The advantage an out-of-process server has over an in-process server is that you can run the executable and automatically create the necessary registry keys.
In-process servers, which are usually implemented as dynamic link libraries ( .DLL files) on Windows or as shareable images on OpenVMS, also contain code to register and unregister the components within them automatically. However, these in-process servers cannot be run the same way as an executable image because they do not contain a main entry point. As a result, you must manually register the components contained within a .DLL , or create a command procedure to perform the registration.
Microsoft provides the REGSVR32 utility that you can use to register the components contained within a DLL. REGSVR32 takes as a command line argument the following:
When registering a DLL's components, REGSVR32 searches the specified DLL for the DllRegisterServer symbol and, if found, calls it. When unregistering a DLL, REGSVR32 calls DllUnregisterServer . This means that all in-process components that you want to register automatically must include these two entry points in their export files.
To facilitate the registration of components contained within shareable images on OpenVMS systems, HP created the DCOM$REGSVR32 utility. The DCOM$REGSVR32 utility does the same things that the Microsoft REGSVR32 utility does. Any shareable images that contain components to be registered must also include the DllRegisterServer and DllUnregisterServer universal symbols in their symbol vectors. Both the DCOM$REGSVR32 and the REGSVR32 utilities use the same command line syntax.
During the COM for OpenVMS installation, the system places the DCOM$REGSVR32.EXE file in the SYS$SYSTEM directory.
Before you use the DCOM$REGSVR32 utility, you must define a symbol that allows the utility to accept foreign command lines. For example:
$ regsvr32 :== $DCOM$REGSVR32 |
You can use either method to activate the utility, and register or unregister components contained in shareable images.
To display help for DCOM$REGSVR32, enter the following:
$ regsvr32 -? |
Table 6-1 summarizes the DCOM$REGSVR32 command line options.
| Switch | Use |
|---|---|
| -?, /? | Display help file (this table). |
| shareable-image-name | Register the specified shareable image name. |
| -u or /u image-name | Unregister the specified shareable image name. |
The DCOM$REGSVR32 utility requires that the shareable image name contain a full directory specification. |
Example 6-4 demonstrates how to register an in-process component (contained within a shareable image) using the DCOM$REGSVR32 utility.
| Example 6-4 Registering a Component Using the DCOM$REGSVR32 Utility |
|---|
$ regsvr32 USER$DISK:[SEYMOUR.DISPATCH_SAMPLE1]CMPNT$SHR.EXE
Class factory: Create self.
DllRegisterServer: Registering Server DLL
Creating key CLSID\{0C092C2C-882C-11CF-A6BB-0080C7B2D682}
Creating key CLSID\{0C092C2C-882C-11CF-A6BB-0080C7B2D682}\InProcServer32
Creating key CLSID\{0C092C2C-882C-11CF-A6BB-0080C7B2D682}\ProgID
Creating key CLSID\{0C092C2C-882C-11CF-A6BB-0080C7B2D682}\VersionIndependentProgID
Creating key CLSID\{0C092C2C-882C-11CF-A6BB-0080C7B2D682}\TypeLib
Creating key InsideCOM.Chap11
Creating key InsideCOM.Chap11\CLSID
Creating key InsideCOM.Chap11\CurVer
Creating key InsideCOM.Chap11.1
Creating key InsideCOM.Chap11.1\CLSID
Class factory: Destroy self.
|
Example 6-5 demonstrates how to unregister an in-process component (contained within a shareable image) using the DCOM$REGSVR32 utility.
| Example 6-5 Unregistering a Component Using the DCOM$REGSVR32 Utility |
|---|
$ regsvr32 /u USER$DISK:[SEYMOUR.DISPATCH_SAMPLE1]CMPNT$SHR.EXE
Class factory: Create self.
DllUnregisterServer: Unregistering Server DLL
Deleting key InProcServer32
Deleting key ProgID
Deleting key VersionIndependentProgID
Deleting key TypeLib
Deleting key LocalServer32
Deleting key CLSID\{0C092C2C-882C-11CF-A6BB-0080C7B2D682}
Deleting key CLSID
Deleting key CurVer
Deleting key InsideCOM.Chap11
Deleting key CLSID
Deleting key InsideCOM.Chap11.1
Class factory: Destroy self.
|
| Previous | Next | Contents | Index |