Planning and Configuring HP DCE 1.7 First Edition B3190-90073 E1197 November 1997 Printed in: U.S.A. © Copyright 1997 Hewlett-Packard Company. All Rights Reserved.
Notice The information contained in this document is subject to change without notice. HEWLETT-PACKARD MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance or use of this material.
Contents
1. About HP DCE/9000 Version 1.7
   HP DCE/9000 Core Services Software
     OSF DCE Components Included in This Release
     HP DCE/9000 Features Added by Hewlett-Packard
       Features Added at Previous Releases of HP DCE
       Features Added at HP DCE 1.7
       Features Removed at HP DCE 1.6 and 1.7
   ...
   Security and Credential Lifetime
   ANSI C Requirement for HP DCE/9000
   dce_login -r Option
   Removing DCE Credentials
   HP-UX Integrated Login Utilities
   The DCE Audit Service
   ...
   HP Password Management Server
     Example Sources
     Build Process
     Administrative Setup
2. Migrating to HP DCE 1.7
   Migration Paths
   ...
   Migrating a System and Preserving Current Cell Configuration
   Migrating an HP DCE 1.5 Server on HP-UX 10.20 to HP DCE 1.7 on HP-UX 11.0
     Migration Procedures
   Migrating a System Without Retaining Cell Configuration
   ...
4. Installing HP DCE 1.7
   Overview
   Loading HP DCE Software in a Network Source Area
     Software Loading Procedure
   Installing Software
     Installation Notes
   ...
   Removing Systems from the Cell
   Removing and Reconfiguring the DCE Daemons
   dce_config Error and Message Logging
   Additional Notes About Log Messages
   Component Scripts and Environment Variables for dce_config
     dce_config Component Scripts
   ...
6. HP-UX Integrated Login
   Overview
   Deciding Whether to Use HP-UX Integrated Login
   Operation of Integrated Login Utilities
   Activating HP-UX Integrated Login
   Deactivating HP-UX Integrated Login
   ...
7. Notes on Cell Administration
   Diagnostic Tool — dceping
   Enhanced CDS Browser
     Features of the HP DCE/9000 CDS Browser
     Overview of Enhanced HP DCE CDS Browser Features
       Creating and Deleting Entries
   ...
8. HP DCE Measurement Service
   Overview of DMS
     DMS Restriction
     DMS Prerequisite
     Enabling and Disabling DMS
     Performance Considerations of DMS
   ...
About this document
This document describes features of HP DCE/9000 Version 1.7 specific to Hewlett-Packard. For features of standard DCE, see the OSF documentation. This book is organized as follows:
• Chapter 1 provides an overview of HP DCE 1.7; it includes information about new features, limitations, interoperability and compatibility, changes at the next release, and documentation. Chapter 1 also includes information about DCE Account Manager, Cell Monitor, and the Password Management Server.
1 About HP DCE/9000 Version 1.7 HP DCE/9000 Version 1.7 (HP DCE 1.7) makes the functionality of OSF DCE Version 1.2.1 available on HP 9000 Series 700 and Series 800 systems running HP-UX 11. HP DCE 1.7 also includes new functionality and bug fixes.
HP DCE/9000 Core Services Software
HP DCE/9000 Version 1.7 is based on OSF DCE Version 1.2.1 source code, with bug fixes and value-added functionality. This section describes the contents of this release.
OSF DCE Components Included in This Release
This release includes the following OSF DCE components:
• Remote Procedure Call (RPC) Facility, supporting both connection-oriented (TCP/IP) and connectionless (UDP/IP) transport protocols.
NOTE At HP DCE 1.7, both libdce and libcma were versioned for compatibility reasons. libdce.1 and libcma.1 are the latest patched HP DCE 1.5 libraries. libdce.2 and libcma.2 support HP DCE 1.7 on HP-UX 11.0. Shared applications built on HP DCE 1.6 may have to be recompiled to run on HP DCE 1.7. Hewlett-Packard strongly recommends the use of shared libraries when building DCE applications.
• The DCE cell diagnostic tool dceping.
• An enhanced version of the OSF CDS browser (cdsbrowser), which has been ported to Release 6 of the X11 Window System and the Common Desktop Environment (CDE). The browser is accessible through SAM. See the CDS Browser online help (accessible via the CDS Browser Help menu) for details.
• Two sets of tools for developing DCE applications are available as separately priced options to HP DCE/9000.
See “Establishing Peer-to-peer Trust” in Chapter 7 for more information on these important new options.
• HP has added a new -r option, which refreshes a user’s credentials, to dce_login. Users are encouraged to use dce_login -r rather than kinit to refresh their credentials, because dce_login -r uses the more secure DCE third-party preauthentication protocol, whereas kinit uses the less secure Kerberos 5 timestamps protocol.
Features Removed at HP DCE 1.6 and 1.7
The following features were removed at HP DCE 1.6:
• Distributed File Service (see “Installation Notes” in Chapter 4 for information about unconfiguring DFS before installing HP DCE 1.6).
• Global Directory Service.
• HP DCE Cell Monitor.
• The DCE cell diagnostic tool dceval.
The following feature was removed at HP DCE 1.7:
• Network Computing System (NCS) Version 1.5.
Common Desktop Environment (CDE) and Online Help
As of HP-UX 10.20 and later releases, the default environment is the Common Desktop Environment (CDE). (HP VUE was available with releases of HP-UX earlier than 10.30.) All HP DCE 1.7 online help and context-sensitive help works in CDE. If you print HP DCE 1.
Limitations of This Release
Some of the limitations described in this section reflect limitations of OSF DCE 1.2.1; others are limitations specific to this release.
Limitations of OSF DCE 1.2.1
Following are limitations of OSF DCE 1.2.1:
• The tool passwd_import, which imports user account information from /etc/passwd files to the Registry database, does not import the passwords themselves.
System Utilities Not Integrated with DCE Security
The following utilities are not integrated with DCE Security:
• cron
• at
• rexecd
• lp
Interoperability and Compatibility
This section describes the interoperability of this release with various implementations of OSF DCE, its compatibility with previous versions of HP DCE, and its compatibility with DCE-related technologies.
Binary Compatibility with Previous HP DCE Releases
Applications built on HP-UX 10.30 with HP DCE 1.6 may need to be recompiled because of the versioning of libdce and libcma in HP-UX 11.0. HP DCE 1.
2. Stop and restart DCE daemons.
3. If using Integrated Login, log out and log in.
If a statically linked HP DCE 1.2, 1.2.1, 1.3.1, 1.4, 1.4.1, 1.4.2, or 1.5 application purges a login context (via sec_login_purge_context) that an HP DCE 1.7 application had created or refreshed, one of the credential files will not be deleted from the disk. This file is located in /var/opt/dce/security/creds.
Platform          Operating System                           DCE Implementation           OSF DCE Version
Dell 450/ME 486   Microsoft DOS 5.0, Microsoft Windows 3.0   Gradient DCE 1.0.2a, 1.0.3   1.0.2, 1.0.3
Dell 450/ME 486   Digital Windows NT                         Digital DCE V 1.3            1.0.3
Dell 450/ME 486   IBM OS/2 2.1                               IBM DCE 1.1                  1.1
Hewlett-Packard’s DCE configuration tools are not guaranteed to interoperate with other vendors’ DCE implementations.
Neither DES nor DES-hidden versions of DCE are interoperable with any DCE version that has been built with the DES code omitted (instead of hidden). Some DCE ports from other vendors were built in this way in order to meet U.S. export requirements. If you are running a DCE port from another vendor, check with that vendor for details.
When configuring either a security server or client, dce_config checks the file /etc/resolv.conf for the Internet domain name. If the domain name is not found in this file, the user is prompted to enter a domain name. Before running dce_config, you can choose to set the environment variable DOMAIN_NAME to provide the domain name during configuration.
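The lookup order just described, written out as an added example rather than taken from HP's dce_config: DOMAIN_NAME in the environment takes precedence, otherwise the resolver file is searched, and if neither yields a name the administrator has to be prompted. The function name find_domain_name, taking the file path as an argument instead of reading /etc/resolv.conf directly, and the fallback to the first entry of a search directive are assumptions of this example; the text only says that dce_config looks in /etc/resolv.conf.

```shell
#!/bin/sh
# Added example, not HP's dce_config: reproduces the documented lookup order
# for the cell's Internet domain name. DOMAIN_NAME in the environment wins;
# otherwise the resolv.conf-style file is consulted; if neither yields a name
# the caller must prompt the administrator. Taking the file path as an
# argument (instead of hard-coding /etc/resolv.conf) is an assumption made
# here so the function can be run against a constructed file.

# find_domain_name RESOLV_CONF
# Prints the domain name and returns 0, or prints nothing and returns 1
# when the administrator has to be prompted.
find_domain_name() {
    resolv_conf=$1
    if [ -n "$DOMAIN_NAME" ]; then
        printf '%s\n' "$DOMAIN_NAME"
        return 0
    fi
    [ -r "$resolv_conf" ] || return 1
    # "domain" directive first; lines beginning with # or ; are comments and
    # never have "domain" as their first field.
    dom=$(awk '$1 == "domain" { print $2; exit }' "$resolv_conf")
    if [ -z "$dom" ]; then
        # Assumption of this example: fall back to the first "search" entry.
        dom=$(awk '$1 == "search" { print $2; exit }' "$resolv_conf")
    fi
    [ -n "$dom" ] || return 1
    printf '%s\n' "$dom"
}

# Constructed sample file (not taken from any real host) so this runs offline.
sample=${TMPDIR:-/tmp}/resolv.example.$$
printf '# constructed sample\nnameserver 10.0.0.1\ndomain cell.example.com\n' > "$sample"
find_domain_name "$sample" || echo 'no domain name found: prompt for one'
rm -f "$sample"
```

Run against a resolver file with no domain or search line, the function returns 1 and prints nothing, which is the case in which dce_config prompts; exporting DOMAIN_NAME before the run is what makes the configuration non-interactive.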
remshd, rcp, ftp, and telnet services. A new command, k5dcelogin, has been added to DCE in support of these utilities. When ticket forwarding is requested, k5dcelogin promotes a principal's Kerberos V5 credentials to DCE credentials. Refer to the documentation on Secure Internet Services for configuration information.
Notes, Cautions and Warnings Regarding This Release
dcecp host Command
All of the operations of the dcecp host command are implemented. See the host (8dce) man page for syntax and details.
Security and Remote Login Utilities
You can use standard UNIX remote login utilities (remsh, rlogin, telnet) to perform remote DCE cell administration.
ANSI C Requirement for HP DCE/9000
Hewlett-Packard supports only the ANSI C compiler for building HP DCE applications. Hewlett-Packard cannot provide support for problems with HP DCE applications that were not compiled using the ANSI C compiler. This restriction also applies to applications on HP-UX 10.x systems built using the HP-UX user-space threads library (libcma).
dce_login -r Option
Starting with HP DCE 1.
HP-UX Integrated Login Utilities
Most systems will require the transfer of account information from /etc/passwd to the DCE Security Registry before the system will be useful. The script /usr/sbin/auth.adm is supplied to activate the integrated login utilities once your system has been set up with the needed accounts. See Chapter 6 for more information about using the /usr/sbin/auth.adm script. Do not use the auth.
Administrators should periodically monitor the size of the Security audit logs on the Security server machines. Each audit trail log consists of two files: the actual trail log file and the associated index file. These logs are in:
/var/opt/dce/security/sec_audit_trail
/var/opt/dce/security/sec_audit_trail.md_index
Other older audit logs may also be present.
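An added check for the periodic monitoring the text asks for (example code, not an HP tool): it reports any sec_audit_trail* file above a size threshold and any trail log whose companion .md_index file is missing. The directory and threshold are parameters so the example can run against a constructed directory; that older audit logs share the sec_audit_trail prefix and that every trail's index is named <trail>.md_index are assumptions made here, not statements of the text.

```shell
#!/bin/sh
# Added example, not an HP tool: a cron-friendly check of the Security audit
# trail files named in the text. DIR and LIMIT are parameters so the check can
# run here against a constructed directory instead of /var/opt/dce/security.
# Assumptions of this example: older audit logs share the sec_audit_trail
# prefix, and a trail's index file is named <trail>.md_index.

# file_kb FILE: size of FILE in whole kilobytes, rounded up.
file_kb() {
    bytes=$(wc -c < "$1")
    echo $(( (bytes + 1023) / 1024 ))
}

# check_audit_trails DIR LIMIT_KB
# Prints "<file> <kb>" for every sec_audit_trail* file in DIR larger than
# LIMIT_KB. Returns 0 when nothing exceeds the limit, 1 otherwise.
check_audit_trails() {
    dir=$1
    limit_kb=$2
    status=0
    for f in "$dir"/sec_audit_trail*; do
        [ -f "$f" ] || continue            # unmatched glob
        kb=$(file_kb "$f")
        if [ "$kb" -gt "$limit_kb" ]; then
            printf '%s %s\n' "$f" "$kb"
            status=1
        fi
    done
    return $status
}

# check_index_pairs DIR
# Every trail log should have its companion .md_index file; prints each trail
# that lacks one. Returns 0 when all pairs are complete, 1 otherwise.
check_index_pairs() {
    dir=$1
    status=0
    for f in "$dir"/sec_audit_trail*; do
        [ -f "$f" ] || continue
        case $f in *.md_index) continue ;; esac
        if [ ! -f "$f.md_index" ]; then
            printf '%s\n' "$f"
            status=1
        fi
    done
    return $status
}

# Constructed directory (not a real server's logs) so the example runs offline.
demo=${TMPDIR:-/tmp}/dce_audit_demo.$$
mkdir -p "$demo"
dd if=/dev/zero of="$demo/sec_audit_trail" bs=1024 count=3 2>/dev/null
: > "$demo/sec_audit_trail.md_index"
check_audit_trails "$demo" 2 || echo "a trail exceeds the limit: archive it"
check_index_pairs "$demo" && echo "every trail has its index file"
rm -rf "$demo"
```

On a Security server the calls would be check_audit_trails /var/opt/dce/security <limit> and check_index_pairs /var/opt/dce/security from cron; a non-zero exit from either is the signal to archive or investigate.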
dcecp secval Change
At HP DCE 1.6, dcecp’s secval activate and secval deactivate commands became asynchronous: they return before the actual change takes place within dced. Therefore, you should use the secval status command to verify the state change. Prior to HP DCE 1.6, secval activate and secval deactivate were synchronous and did not return until the actual state change finished in dced.
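A poll loop for the asynchronous secval commands, as an added example that is not part of the HP documentation: wait_for_state runs a status command until its output matches the expected value, and set_secval issues the dcecp command and then confirms the result with secval status rather than trusting the return of activate or deactivate. That secval status prints 1 when activated and 0 otherwise, and the 30-second timeout, are assumptions of this example.

```shell
#!/bin/sh
# Added example, not HP code: verify an asynchronous dcecp secval change by
# polling secval status instead of trusting the return of activate/deactivate.

# wait_for_state EXPECTED TIMEOUT_SEC COMMAND [ARGS...]
# Runs COMMAND once per second until its standard output equals EXPECTED.
# Returns 0 on a match, 1 once TIMEOUT_SEC seconds have passed without one.
# A timeout of 0 checks exactly once.
wait_for_state() {
    expected=$1
    timeout=$2
    shift 2
    elapsed=0
    while :; do
        actual=$("$@" 2>/dev/null) || actual=
        [ "$actual" = "$expected" ] && return 0
        [ "$elapsed" -ge "$timeout" ] && return 1
        sleep 1
        elapsed=$((elapsed + 1))
    done
}

# set_secval activate|deactivate
# Issues the asynchronous command and then confirms it with secval status.
# Assumption of this example: secval status prints 1 when activated, 0 when not.
set_secval() {
    case $1 in
        activate)   want=1 ;;
        deactivate) want=0 ;;
        *) echo "usage: set_secval activate|deactivate" >&2; return 2 ;;
    esac
    dcecp -c "secval $1" || return 1
    wait_for_state "$want" 30 dcecp -c 'secval status'
}

# Run the real thing only where dcecp exists; elsewhere exercise the loop with echo.
if command -v dcecp >/dev/null 2>&1; then
    set_secval deactivate && echo "secval is now deactivated"
else
    wait_for_state 1 0 echo 1 && echo "wait_for_state: matched"
fi
```

The same wait_for_state loop serves any dcecp operation that returns before its effect is visible: give it the status command and the value you expect, and treat a timeout as a failed change, not a slow one.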
Features Planned for a Future Release
This section describes OSF DCE and HP DCE features that will be supported in future releases of HP DCE.
• 64-bit libraries to support DCE 64-bit application development
• Kernel-threaded (POSIX 1003.1c) DCE
• LDAP NSI version for 10.20 and 11.0
• Improved scalability, robustness, and availability
• Improved administration and configuration
Future Support for POSIX 1003.
HP DCE 1.7 Documentation
Documentation for HP DCE 1.7 consists of printed and online materials. For a complete list of documentation, including part numbers, see the HP DCE/9000 Version 1.7 Release Note.
Printed Documentation
The printed documentation for HP DCE 1.7 consists of HP DCE 1.7 manuals, the OSF DCE documentation set, and two books by O’Reilly and Associates.
Man Pages
Reference pages describing DCE commands and calls are available online in the form of man pages. There are two styles of man page headers:
• “OSF” or “Open Software Foundation”: this header means that the man page originates from OSF and has not been changed by HP.
• “HP DCE”: this header means that the man page either originates from HP or is an OSF man page that HP has changed.
Accessing DCE Online Help From CDE
You can access the DCE Online Help from the Front Panel or from a shell. To access the DCE Online Help from the Front Panel, follow these steps:
1. Click on the Front Panel help icon (the “?”). A “Welcome to Help Manager” help window appears.
2. In the Help Manager window, click on the “HP DCE/9000, Version 1.7” product-family title. A list of the HP DCE/9000 help volumes appears.
3.
HP DCE Administration Tools
The administration tools are Account Manager, DCM (the Distributed Configuration Manager), and the HP CDS Browser. The Account Manager provides a graphical interface for creating objects in the DCE registry and for administering the DCE registry.
NOTE The Account Manager requires a bit-mapped display; it does not run on ASCII terminals. Also, small bit-mapped displays (such as some PC displays), which may cut off portions of dialog boxes, are unsupported.
Running the Account Manager
If you are running the Account Manager locally, you do not need to set the DISPLAY environment variable ($DISPLAY).
Tips for New Users
• Log into DCE before starting the Account Manager, or use the Login option from within the Account Manager.
• Establish your preferences in the Options “Preferences” dialog box when you initially start the Account Manager. If you are administering a very large cell, read “Managing Very Large Cells with Account Manager” below.
Then proceed as follows:
• If you know the names of the objects to manage, select the appropriate Action. You will be prompted to enter the object name or names.
• If you wish to read in names from a file, or retrieve a partial listing (such as all users in group XXX), select Options/Specify List.
3.
] right square bracket
“ double quotation mark
\ backslash
For other inputs (for example, defining user names and group names), the quote and backslash may cause problems. An example of an illegitimate name is: \dos\dir.
• The Account Manager is not internationalized.
• Descriptive text for Registry Attribute Types is currently limited to three lines of text. The tool provides no way to view descriptions that occupy more than three lines.
HP Password Management Server
A Password Management Server implements policies for password strength. Sites can implement site-specific policies by writing their own Password Management Server and attaching appropriate Extended Registry Attributes (ERAs) to the principals that are subject to these policies. A Password Management Server must implement the interface described in dce/rsec_pwd_mgmt.idl.
Certain files that contain proprietary SecureWare algorithms have been omitted, but stubs are supplied that allow the resulting server to build. Note that certain values of the pwd_SecureWare_chk ERA (specifically, values 1 and 2) are unsupported, and will result in failures to pass strength checking if you attempt to use the example server as described in the documentation.
0 — Check passwords entered by this principal using the DCE Registry policy only.
1 — Check passwords entered by this principal using the Password Management Server.
2 — The principal may either choose a password (which is then checked with the Password Management Server) or use a password that has been generated by the Password Management Server (no additional strength checking is done).
If a principal does not have an instance of pwd_SecureWare_chk attached, then the Password Management Server uses the DCE Registry algorithm only. The example Password Management Server does not support values 1 or 2 for pwd_SecureWare_chk, since these use proprietary SecureWare algorithms.
2 Migrating to HP DCE 1.7 This chapter discusses migration procedures and compatibility issues for migrating to HP DCE 1.7 running on HP-UX 11.0.
Migration Paths
HP DCE 1.7 supports four direct migration paths from HP-UX 10.01, 10.10, 10.20, and 10.30 to HP-UX 11.0. Earlier versions of HP DCE that run on versions of HP-UX before 10.01 can also be migrated to HP DCE 1.7, but not directly. The direct migration paths are listed in Table 2-1.
Table 2-1 Supported Migration Paths to HP DCE Version 1.7
Columns: From (HP DCE Version, Running on); NOTE; To (HP DCE Version, Running on)
1.3.1 or 1.4 client, HP-UX 10.01    1.
NOTE HP DCE 1.6 and 1.7 do not support the Distributed File Service (DFS). Therefore, if your earlier version of HP DCE had DFS installed and configured, you will be notified during the HP DCE installation that DFS is no longer supported and has been disabled. Do not migrate to HP DCE 1.6 or 1.7 if you plan to support DFS.
NOTE HP DCE 1.6 and 1.7 do not support the Global Directory Service.
Contents of HP DCE Client and Server
The subsets of HP DCE 1.7 commonly referred to in this document and elsewhere as client and server consist of the following DCE components:
Client: dced, cdsadv, dtsd
Server: cdsd, secd, gdad
NOTE At HP DCE 1.4x, dced replaced rpcd and sec_clientd, and cdsclerk functionality was incorporated in cdsadv.
Migration Compatibility
This section covers the compatibility of HP DCE 1.2, 1.2.1, 1.3.1, 1.4, 1.4.1, 1.4.2, 1.5, and 1.6 with HP DCE Version 1.7.
• Because HP DCE 1.7 clients and servers are binary compatible with HP DCE 1.5 and previous releases, your systems can be migrated to HP DCE 1.7 in any order over a period of time. However, do not move the Security Registry to “dce1.1” mode before all your security servers have been updated to HP DCE 1.7.
Migrating the Cell Directory Service from HP DCE 1.3.1
NOTE This section applies only to migrating from HP DCE 1.3.1 to HP DCE 1.7 (because HP DCE 1.3.1 is based on OSF DCE 1.0.3).
You should be aware of the following CDS considerations when migrating to HP DCE 1.7:
• Installation of HP DCE 1.7 automatically attempts to preserve any CDS cached servers defined in previous configurations of HP DCE.
Migrating Remote Administration of dced from HP DCE 1.3.1
When migrating from HP DCE 1.3.1, a cell administrator must create the subsys/dce/dced-admin group before installing HP DCE/9000 1.4.x, 1.5, 1.6, or 1.7. Otherwise, remote administration of dced will be disabled.
Migrating from HP DCE 1.2, 1.2.1 or 1.4.2 on HP-UX 9.x to HP DCE 1.7 on HP-UX 11.0
You must perform this migration in two steps, as follows:
1. Migrate to HP DCE 1.3.1 or HP DCE 1.4 on HP-UX 10.01. Step 1 is described in the appropriate version of Planning and Configuring HP DCE and the related release notes.
2. Migrate the system created in step 1 to HP DCE 1.7 on HP-UX 11.0.
Migrating an HP DCE 1.3.1 or 1.4 Client on HP-UX 10.01 to HP DCE 1.7 on HP-UX 11.0
This section describes the procedure for migrating an HP DCE 1.3.1 or 1.4 client on HP-UX 10.01 to HP DCE 1.7 on HP-UX 11.0. See Managing HP-UX Software with SD-UX and the swcopy (1M), swinstall (1M), and swremove (1M) man pages for complete information on all aspects of HP-UX installation.
Migrating an HP DCE 1.4.1 Client on HP-UX 10.10 to HP DCE 1.7 on HP-UX 11.0
See Managing HP-UX Software with SD-UX and the swcopy (1M), swinstall (1M) and swremove (1M) man pages for complete information on all aspects of HP-UX installation. For information about migrating from HP-UX 10.x to HP-UX 11.0, see Installing HP-UX 11.0 and Updating HP-UX 10.x to 11.0 (B2355-90153).
Migrating an HP DCE 1.4 Server on HP-UX 10.01 to HP DCE 1.7 on HP-UX 11.0
This section describes the procedure for migrating an HP DCE 1.4 server on HP-UX 10.01 to HP DCE 1.7 on HP-UX 11.0. See Managing HP-UX Software with SD-UX and the swcopy (1M), swinstall (1M) and swremove (1M) man pages for complete information on all aspects of HP-UX installation. For information about migrating from HP-UX 10.
1. If you are migrating a security server system, stop secd using the dcecp -c registry stop replica-name command.
2. Stop DCE on the system, using the dce_config STOP command from the main menu. DFS will not run on HP DCE 1.6 or 1.7; if DFS is running, ignore any warnings concerning running processes.
CAUTION Hewlett-Packard recommends that you create a single network source area (depot) containing HP-UX 11.
Migrating an HP DCE 1.4.1 Server on HP-UX 10.10 to HP DCE 1.7 on HP-UX 11.0
See Managing HP-UX Software with SD-UX and the swcopy (1M), swinstall (1M) and swremove (1M) man pages for complete information on all aspects of HP-UX installation. For information about migrating from HP-UX 10.x to HP-UX 11.0, see Installing HP-UX 11.0 and Updating HP-UX 10.x to 11.0 (B2355-90153).
1. If you are migrating a security server system, stop secd using the dcecp -c registry stop replica-name command.
2. Stop DCE on the system, using the dce_config STOP command from the main menu. DFS will not run on HP DCE 1.6 or 1.7; if DFS is running, ignore any warnings concerning running processes.
Migrating an HP DCE 1.5 Server on HP-UX 10.20 to HP DCE 1.7 on HP-UX 11.0
See Managing HP-UX Software with SD-UX and the swcopy (1M), swinstall (1M) and swremove (1M) man pages for complete information on all aspects of HP-UX installation. For information about migrating from HP-UX 10.x to HP-UX 11.0, see Installing HP-UX 11.0 and Updating HP-UX 10.x to 11.0 (B2355-90153).
1. If you are migrating a security server system, stop secd using the dcecp -c registry stop replica-name command.
2. Stop DCE on the system, using the dce_config STOP command from the main menu. DFS will not run on HP DCE 1.6 or 1.7; if DFS is running, ignore any warnings concerning running processes.
CAUTION Hewlett-Packard recommends that you create a single network source area (depot) containing HP-UX 11.
Migrating an HP DCE 1.6 Server on HP-UX 10.30 to HP DCE 1.7 on HP-UX 11.0
See Managing HP-UX Software with SD-UX and the swcopy (1M), swinstall (1M) and swremove (1M) man pages for complete information on all aspects of HP-UX installation. For information about migrating from HP-UX 10.x to HP-UX 11.0, see Installing HP-UX 11.0 and Updating HP-UX 10.x to 11.0 (B2355-90153).
1. If you are migrating a security server system, stop secd using the dcecp -c registry stop replica-name command.
2. Stop DCE on the system, using the dce_config STOP command from the main menu. DFS will not run on HP DCE 1.6 or 1.7; if DFS is running, ignore any warnings concerning running processes.
CAUTION Hewlett-Packard recommends that you create a single network source area (depot) containing HP-UX 11.
3 Before Installing HP DCE/9000 Version 1.7 This chapter describes prerequisites and preinstallation considerations for installing HP DCE/9000 Version 1.7 (HP DCE 1.7) software. You should read this chapter before installing HP DCE/9000 Version 1.7 software. After reading this chapter, proceed with the installation instructions in Chapter 4, “Installing HP DCE/9000.” After completing the installation of HP DCE/9000 Version 1.7 software, you must configure a DCE cell if you have not done so already.
Overview
The following is a brief overview of the HP DCE installation process:
NOTE If you are performing an upgrade rather than a new installation, see Chapter 2, “Migrating to HP DCE 1.7”.
• Verify that hardware and software prerequisites are met at your site.
• Plan where you will install various HP DCE filesets.
• Load HP DCE software from media to a network distribution area.
• Install filesets on individual systems.
Prerequisites
Hardware and Software Requirements
Any HP system that you want to make a member of a cell must meet certain hardware and software requirements. The system requirements are:
System Type: HP 9000 Series 700 or Series 800.
Operating System: HP-UX 11.0.
Kernel Configuration: See “Series 700 and 800 Kernel Parameter Recommendations” in this chapter for recommended kernel parameter settings.
• maxfiles must be increased to a minimum of 256 for all systems.
• The default value for maxdsize is sufficient except in cases where you have many tens of thousands of users. At that point you should monitor the process size of your secd and cdsd. If the process size approaches the maxdsize value, maxdsize should be increased.
Kernel parameter tuning is highly application dependent.
Preinstallation Planning
In general, preinstallation planning involves deciding how many cells to configure at your site, which systems to include in each cell, and where to run DCE services (Security, CDS, DTS, and GDA). This section gives you some guidelines for making decisions prior to installation.
If your site is connected to the Internet and you want to obtain a unique DNS name, contact the administrator in charge of the domain under which you want to name your cell. For more information on cell naming, see the OSF DCE Administration Guide — Core Services. For configuration information, see Chapter 5, “Configuring HP DCE”.
DCE Services
This section outlines some considerations and restrictions on HP DCE/9000 Version 1.
Cell Directory Service Configuration
In configuring CDS servers and clients, pay careful attention to the HP DCE/9000 hardware requirements for the DCE product. (See “Hardware and Software Requirements” in this chapter.) Appropriate kernel configuration, memory, disk, and especially swap space are essential to the proper functioning of the CDS subsystem.
If you are running AFS, be sure to run the AFS daemon (afsd) with the -nosettime option. Otherwise, afsd periodically resets the system’s time. Also be sure that no other software that sets the time (such as ntp or timed) is running on the systems in the cell. See the OSF DCE Administration Guide — Core Services for more information about DCE Distributed Time Services. At this release, intercell time synchronization is not supported.
Products: Integrated Login, KRB-Support
Fileset           Description                           Dependencies     Approx. Size (Kb)
DCE-CORE-SHLIB    DCE and Threads Shared Libraries      none             10802
DCE-JPN-E-MSG     Japanese localized message catalogs   none             381
DCE-JPN-S-MSG     Japanese localized message catalogs   none             381
DCEC-ENG-A-MAN    DCE Core Man Pages                    DCE-Core.
Table 3-2 HP DCE/9000 Version 1.7 Products and Filesets—Applications Release
Products listed in this table fragment: DCE-CoreAdmin, DCE-CoreTools, DCE-C-Tools, DCE-CDS-Server

Fileset          Description                  Dependencies            Approx. Size (Kb)
DCE-ACCT-MGR     HP Account Manager           DCE-Core.DCECORE-RUN    1818
DCECDSBROWSER    CDS Browser Tool             DCE-Core.DCECORE-RUN    1558
DCE-CONFIG-MGR   DCE Configuration Manager    DCE-Core.DCECORE-RUN    1094
DCE-CORE-DIAG    DCE Diagnostic Tools         DCE-Core.
Products listed in this table fragment: DCE-Domestic, DCE-OO-Tools, DCE-SEC-Server

Fileset          Description                      Dependencies                                         Approx. Size (Kb)
CDSS-ENG-A-MAN   CDS Server Man Pages             DCE-Core.MACRENG-A-MAN                               16
DCE-DOM-BPRG     DCE Domestic Programming Libs    DCE-CoreTools.DCE-BPRG                               6820
DCE-DOM-NOTES    DCE Domestic Release Notes       none                                                 12
DCE-DOM-RUN      DCE Domestic runtime             DCE-Domestic.DCE-DOM-SHLIB, DCE-Core.DCE-CORE-SHLIB  324
DCE-DOM-SHLIB    DCE Domestic Library             DCE-Core.
4 Installing HP DCE 1.7
This chapter outlines the recommended procedures for installing and deinstalling HP DCE/9000 Version 1.7 software. If you are performing an upgrade rather than a new installation, see Chapter 2, “Migrating to HP DCE 1.7”. The procedures outlined in this chapter use the graphical and textual user interface versions of the swcopy, swinstall, and swremove tools. You can also use these tools from a command line.
Overview
Here is a brief overview of the installation steps:
1. Read Chapter 3, “Before Installing HP DCE 1.7”.
2. Load HP DCE software from media to a network source area using swcopy.
3. Install filesets on individual systems using swinstall.
NOTE Although HP DCE/9000 Version 1.7 can be installed on both the HP-UX 11.0 32-bit and the 64-bit OS, HP DCE/9000 Version 1.7 remains a 32-bit application. HP DCE/9000 Version 1.
Loading HP DCE Software in a Network Source Area
Before installation of HP DCE/9000 Version 1.7 software on a network, the software typically is transferred from the media on which it was shipped to a network source area, or depot. This section tells how to perform this transfer using the swcopy tool.
NOTE If you are performing this install as a step in migrating a server system from a previous version of HP DCE, create a single depot containing the HP DCE 1.7 software and the DCE client software that is bundled with HP-UX 11.0. See Chapter 2 for information on migrating from a previous HP DCE version.
The target depot path is the pathname to the directory where you want the HP DCE software to be loaded.
Installing Software
Installation Notes
Once you have loaded HP DCE/9000 Version 1.7 software into a network distribution area, use the swinstall tool to install appropriate filesets on individual systems.
CAUTION HP DCE 1.7 on HP-UX 11.0 does not support DFS. Do not install HP DCE 1.7 on any machine requiring a DFS server or client. If you plan to install HP DCE 1.7 over DFS, the installation of HP DCE 1.
Installation Procedure
Perform the following steps to install HP DCE 1.7 software from a network source area:
1. Log in to the target system as root.
2. Run swinstall:
/usr/sbin/swinstall
The swinstall tool has general and context-sensitive help if you need assistance in making selections or in entering appropriate values. Also, see the swinstall (1M) man page for more information.
3. In the Specify Source window, specify the source host and depot.
4.
5 Configuring HP DCE Cells
This chapter tells how to choose a DCE cell configuration tool and how to use the tools to configure, destroy (unconfigure), start, and stop cells. Two tools are discussed, the DCE Configuration Manager, DCM, and the dce_config script. This chapter also discusses how to install DCE login utilities, how to set up intercell communication with DCE GDA, and how to configure MC/ServiceGuard. To configure HP DCE/9000 software, you must have previously installed HP DCE.
Choosing a Cell Configuration Tool
HP DCE/9000 offers two cell configuration tools: a script-based tool, dce_config, and a SAM-based tool, DCM (DCE Configuration Manager). SAM (System Administration Manager) is an HP-UX menu-driven system administration program that includes several other system administration utilities, in addition to the DCE cell configuration component.
DCM and dce_config
DCM is essentially a graphical front-end to dce_config.
Limitations of DCM
While using DCM is completely compatible with using the dce_config script, there are a few limitations to DCM, as follows.
• When DCM examines the cell, it initiates a “discovery” process to determine the status of the cell. If the cell is down, or critical DCE servers are down, the discovery process may fail and DCM will revert to the last successful configuration.
• DCM does not ask if you want to create a LAN profile.
Configuring Cells with DCM
Overview of DCM Functionality
DCM enables you to perform the following cell configuration tasks:
• In a configured and running cell, if the primary DCE services (Initial CDS and Master Security) are running on HP systems (as opposed to other vendors’ systems), you can configure additional HP DCE 1.2, 1.2.1, 1.3.1, 1.4, 1.4.1, 1.4.2, 1.5, 1.6, or 1.7 clients into the cell from any HP DCE 1.7 cell member system.
By using the List menu, you can switch to a template mode that allows you to create prototype DCE cell configurations that can (and must) be tested for validity before actually being created.
Important Security Warning
CAUTION DCM uses standard UNIX remote login utilities to perform remote administration. This causes the cell administrator’s password to be sent over the network whenever you perform a task on a remote system.
3. Select (double click on) DCE Cell Management.
4. Select (double click on) DCE Configuration Manager.
In a configured and running cell, if the primary DCE services (Initial CDS and Master Security) are running on HP systems (as opposed to other vendors’ systems), you can configure additional HP DCE 1.2, 1.2.1, 1.3.1, 1.4, 1.4.1, 1.4.2, 1.5, 1.6, or 1.7 clients into the cell from any HP DCE 1.7 cell member system.
Configuring Cells Using dce_config
The following procedures explain how to configure server and client systems using the menu-driven dce_config tool. The text shows the complete menu at its first occurrence; thereafter it shows only the menu name and current selection, prompts, and recommended input values (in boldface). As you perform each step, various status messages are displayed.
Initial Cell Configuration
NOTE As of HP DCE 1.6, dce_config sets the DCEAUDITFILTERON environment variable to enable audit filtering, which limits the range of audit event types logged. If you want to disable or change the default settings provided by dce_config, you must do so before starting any server that provides data to the Audit Service. See “Configuring the DCE Audit Service” in this chapter and “The DCE Audit Service” in Chapter 1.
98. Return to previous menu
99. Exit
selection:
2. From the DCE Configuration Menu, choose Initial Cell Configuration:
DCE Configuration Menu (on hostname)
selection: 1 (Initial Cell Configuration)
S:****** Configuring initial cell.
Initial Cell Configuration (on hostname)
1. Initial Security Server
2. Initial CDS Server
3. Initial DTS Server
98. Return to previous menu
99. Exit
selection:
3.
7. dce_config prompts you to choose the Cell Administrator’s principal name and password. The default principal name for the Cell Administrator is cell_admin:
Enter desired principal name for the Cell Administrator:(cell_admin)
Enter desired password for the Cell Administrator:
8. dce_config prompts you for the starting point for UNIX user and group IDs that will be generated by the DCE Security Service.
This routine starts up cdsadv and cdsd, initializes the name space, and sets ACLs for all new name space entries.
S:****** Configuring initial CDS Server…
S:****** Please wait for user authentication and authorization…
S:****** Checking for active sec_client service...
10. dce_config asks whether it should create a LAN profile for use in dividing clients and servers into profile groups for higher performance in multi-LAN cells.
11. From the Initial Cell Configuration menu, choose Initial DTS Server:
selection: 3
S:****** Configuring initial DTS services
S:****** Please wait for user authentication and authorization...
S:****** Checking for active sec_client service...
DTS Configuration Menu
1. DTS Local Server
2. DTS Global Server (only in multi-LAN cells.)
3. DTS Clerk
4. DTS Time Provider
98. Return to previous menu
99. Exit
selection:
12.
15.
What is the name of a CDS server in this cell (if there is more than one, enter the name of the server to be cached if necessary)? cds_server_node
S:****** Checking for active sec_client service...
S:****** Starting cdsadv...
4. dce_config asks whether it should create a LAN profile for use in dividing clients and servers into profile groups for higher performance in multi-LAN cells.
This will initiate the propagation of a consistent copy of the changed root directory information to all the CDS servers, and will prevent problems which might arise from use of inconsistent information before this propagation. The use of several CDS servers may increase the time required to complete the propagation of this information.
5. Enter the host name of your cell’s security server:
What is the name of a Security Server running in the cell you wish to join? sec_server_node
S:****** Starting dced...
S:****** Initializing dced...
6. After starting and initializing the Security client daemon, dce_config asks for the name of a node with which it can synchronize the clock on this node: Enter <RETURN> to get the default (the master security machine in the cell).
Configuring GDA Servers
The DCE Global Directory Agent (GDA) facilitates communication between DCE cells. This section describes how to start the GDA server. Before you start a GDA server, see “Establishing Intercell Communication” in Chapter 7 for information about establishing intercell communication with GDA.
1. Start dce_config on the GDA server system.
2.
3. dce_config prompts for a name for the security replica. Enter whatever name you wish:
Enter the Security Replica name (without subsys/dce/sec): sec_rep_node
S:****** Modifying acls on /.:/sec/replist…
S:****** Modifying acls on /.:/subsys/dce/sec…
S:****** Modifying acls on /.:/sec…
S:****** Modifying acls on /.: …
S:****** Modifying acls on /.:/cell-profile…
4.
Removing Systems from the Cell
NOTE You cannot use the dce_config UNCONFIGURE option to remove a Master Security Server or Initial CDS Server system from a cell. You must either use the DCM to do this, or reconfigure the entire cell. You can use the dce_config UNCONFIGURE option to remove Additional CDS Server or Replica Security Server systems from a cell.
5. Enter the principal name and password of the Cell Administrator for your cell:
Enter Cell Administrator’s principal name: (cell_admin)
Enter password:
dce_config deletes the registry entries and CDS entries for the client, then displays the DCE Main Menu.
6. You must now perform the REMOVE option on the client system. If you ran the UNCONFIGURE operation on a system other than the client, start dce_config on the client system.
1. On the system you want to affect, run dce_config.
2. Select REMOVE from the DCE Main Menu:
DCE Main Menu (on hostname)
selection: 5 (REMOVE)
Attempting to stop all running DCE daemons…
Successfully stopped all running DCE daemons…
Attempting to remove all remnants of previous DCE configurations…
Successfully removed all remnants of previous DCE configurations for all components…
Re-initializing the dce_config environment
3.
Table 5-1 dce_config Message Categories

Priority  Format    Content
ERROR     ERROR:    Result of an operation that was not as expected, and is probably fatal. Always followed by a prompt for user to continue or quit.
WARNING   WARNING:  Information the user should be aware of before proceeding. Always non-fatal. Always logged to display and to log file. Always followed by a prompt for user to continue or quit unless DO_CHECKS="n".
SUMMARY   S:******  High-level summary of action being taken or action completed. Always logged to log file. Also logged to display unless DISPLAY_THRESHOLD is WARNING or ERROR.
VERBOSE   V:        Low-level summary of actions being taken, user queries and responses, or actual commands executed that do not affect configuration or node state. Logged to log file unless LOG_THRESHOLD is DETAIL or higher.
(Also, CHECK_TIME should be set to n and exported when running dce_config from a here-document.) See the ksh (1) man page for more information about here-documents.
VERBOSE messages containing “User query:” or “User entry:” contain a complete record of user entries in executing dce_config. The top of the log files contains a set of VERBOSE messages showing the settings of environment variables.
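The following POSIX shell script is an added example, not part of HP's dce_config or of this manual. It classifies a dce_config log by the Table 5-1 prefixes (ERROR:, WARNING:, S:******, V:), joins the VERBOSE “User query:” and “User entry:” lines into the record of what was answered, and reads the environment-variable settings dumped at the top of the log. The log it runs on is constructed here to match those formats; the message texts after the prefixes are invented for the example and are not real HP messages.

```shell
#!/bin/sh
# Added example, not part of HP's dce_config: classify a dce_config log by the
# Table 5-1 prefixes and pull out the records an administrator reviews after
# an unattended (here-document) run.  POSIX sh plus awk; no DCE software needed.

# Constructed sample log in the Table 5-1 format (not a real HP log; the text
# after each prefix is invented for this example).
sample_log() {
    cat <<'EOF'
V: DO_CHECKS=n
V: CHECK_TIME=n
V: EXIT_ON_ERROR=y
S:****** Configuring initial cell.
V: User query: Enter desired principal name for the Cell Administrator:(cell_admin)
V: User entry: cell_admin
S:****** Configuring initial CDS Server...
WARNING: Clearinghouse already exists, reusing it.
V: User query: Create LAN profile? (y/n)
V: User entry: n
ERROR: Cannot contact dced on hostname.
EOF
}

# count_category NAME  (log on stdin)
# NAME is ERROR, WARNING, SUMMARY or VERBOSE, matched by its Table 5-1 prefix.
count_category() {
    awk -v want="$1" '
        want == "ERROR"   && /^ERROR:/                  { n++ }
        want == "WARNING" && /^WARNING:/                { n++ }
        want == "SUMMARY" && index($0, "S:******") == 1 { n++ }
        want == "VERBOSE" && /^V:/                      { n++ }
        END { print n + 0 }'
}

# user_transcript  (log on stdin)
# Joins each VERBOSE "User query:" line with the "User entry:" that answered
# it, giving the complete record of what was typed or fed by a here-document.
user_transcript() {
    awk '
        /^V: User query:/ { sub(/^V: User query: */, ""); q = $0; next }
        /^V: User entry:/ { sub(/^V: User entry: */, ""); print q " => " $0 }'
}

# env_settings  (log on stdin)
# The VERBOSE NAME=value lines at the top of the log show the environment
# variables dce_config ran with; stop at the first line that is not one.
env_settings() {
    awk '/^V: [A-Z_]+=/ { sub(/^V: /, ""); print; next } { exit }'
}

# log_has_errors  (log on stdin): true when at least one ERROR line is present,
# so a wrapper script can refuse to go on to the next configuration step.
log_has_errors() {
    [ "$(count_category ERROR)" -gt 0 ]
}

# Stand-alone demonstration on the constructed log.
echo "environment:";  sample_log | env_settings
echo "user entries:"; sample_log | user_transcript
printf 'summary=%s warning=%s error=%s verbose=%s\n' \
    "$(sample_log | count_category SUMMARY)" \
    "$(sample_log | count_category WARNING)" \
    "$(sample_log | count_category ERROR)" \
    "$(sample_log | count_category VERBOSE)"
if sample_log | log_has_errors; then
    echo "dce_config reported ERROR messages; review the log before continuing"
fi
```

To use it on a real run, replace sample_log with cat of the dce_config log file; the transcript from user_transcript is the part to compare against the here-document you fed in when an unattended run stops early, since (as the CHECK_TIME note above explains) lost input shows up as answers that are missing or shifted.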
• dce_config_env: Sets common environment variables used by dce_config.
• dce_config_utils: Common internal routines used by dce_config.
• /sbin/init.d/dce [start | stop]: Starts or stops HP DCE daemons. Cannot be run remotely; must be run on DCE client or server node.
• /etc/rc.config.d/dce: Read by /sbin/init.d/dce to determine which daemons to start.
dce_config Environment Variables
dce_config recognizes the following environment variables.
• CHECK_TIME: Set to y to have time checked and possibly synchronized; n otherwise. Default is y. If dce_config is executed with a here-document, CHECK_TIME should be set to n since time checking uses a telnet command that causes input from the here-document to be lost.
• CONFIG_PROTSEQ: Communication protocol used for some dce_config operations.
name. It is appended to the host name to get the fully qualified name in this format: host_name.domain_name (for example: if DOMAIN_NAME=foo.bar.com and host name=abc, the fully qualified host name will be abc.foo.bar.com).
• EXIT_ON_ERROR: Set to y to exit from dce_config if a fatal error is encountered. Default is n. This can prevent a here-document from getting out-of-sync with dce_config.
• REMOVE_PREV_INSTALL: Set to y to remove all remnants of previous DCE installations for all components before installing a security server. Use only in installing the security server software. Default is n.
• REMOVE_PREV_CONFIG: Set to y to remove all remnants of previous DCE configurations for all components before configuring a client or an initial CDS server. Default is n.
• REP_CLEARINGHOUSE: Name for new clearinghouse.
Note for Users of NCS-based Software
At HP-UX 11.0, NCS has been obsoleted. Users of NCS-based software must take the following precautions when configuring HP DCE/9000:
1. Before configuring HP DCE/9000, stop any servers for NCS-based applications.
2. Stop glbd (via drm_admin “stop”) if it is running.
3. Stop llbd (via kill(1)).
4. Configure HP DCE/9000.
5. If DCE is configured, proceed to step 6.
Integrating DCE Services with MC/ServiceGuard
MC/ServiceGuard is a Series 800 product that was introduced at HP-UX 10.0. MC/ServiceGuard provides an environment in which, if a node fails, services (applications) can be up and running again on another node very quickly.
While the replication mechanisms of the Security Service and the Naming Service differ in design and implementation, they share this master-slave approach. Therefore, while both services can be considered highly available for read operations, they do present a single point of failure for write operations. The Time Service, on the other hand, does not present the same level of vulnerability.
exported to the name space, the name space entry will also identify every IP address on the node as providing the service associated with that entry. While it is possible to edit the contents of the binding vector before using it to register endpoints or add entries in the name space, few, if any, DCE server programs actually edit the binding vector.
important is that you read and understand the section in Chapter 4 entitled “Writing Network Applications as HA Services” before beginning the planning process.
Hardware Requirements for a DCE-MC/ServiceGuard Configuration
By their very nature, DCE and DCE applications are distributed, and therefore depend heavily on network resources. Each node in the cluster should have multiple redundant LAN cards connected to multiple LANs.
The DCE-SGUARD template fileset is available on the CD-ROM that ships with the DCE product. See Table 3-2 in Chapter 3 and “Supported Templates for MC/ServiceGuard Integration with DCE” in this chapter for more information about filesets.
Supported Templates for MC/ServiceGuard Integration with DCE
As part of the DCE product, HP DCE 1.
First, the DCE service monitor checks to see if the server is running, and, if it is not, the DCE service monitor starts it. Then, the DCE service monitor goes into a loop and checks to ensure that the server process is running. Finally, the DCE service monitor performs a DCE level ping on the server interface.
rc.dcepkg.
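The monitor sequence just described, written out in POSIX shell as an added example; this is not HP's DCE-SGUARD template, its service monitor or rc.dcepkg. The three checks (is the server running, start it, DCE-level ping) are passed in as commands so the logic can be exercised with a flag file standing in for the daemon; in a real package you would supply a process check for secd or cdsd, the daemon's start command and a DCE-level ping command. The argument order, the return codes (0 healthy, 1 could not start, 2 running but not answering) and the flag-file stand-in are this example's own conventions, not ServiceGuard's.

```shell
#!/bin/sh
# Added example, not HP's DCE-SGUARD monitor: the start / watch / ping pattern
# described in the text, with the checks injected as commands.

# monitor_pass IS_RUNNING_CMD START_CMD PING_CMD
#   returns 0 : server process present and answering the DCE-level ping
#   returns 1 : server not running and START_CMD could not bring it up
#   returns 2 : process present but the ping failed (hung or wedged server)
monitor_pass() {
    is_running=$1; start=$2; ping=$3
    if ! sh -c "$is_running" >/dev/null 2>&1; then
        sh -c "$start" >/dev/null 2>&1 || return 1
        sh -c "$is_running" >/dev/null 2>&1 || return 1
    fi
    sh -c "$ping" >/dev/null 2>&1 || return 2
    return 0
}

# monitor_loop INTERVAL MAX_PASSES IS_RUNNING_CMD START_CMD PING_CMD
# Repeats monitor_pass every INTERVAL seconds for MAX_PASSES passes and returns
# the first non-zero status, which is what lets the package control script
# treat the service as failed (a real monitor would loop until told to stop).
monitor_loop() {
    interval=$1; max=$2; shift 2
    n=0
    while [ "$n" -lt "$max" ]; do
        monitor_pass "$@" || return $?
        n=$((n + 1))
        [ "$n" -lt "$max" ] && sleep "$interval"
    done
    return 0
}

# Stand-alone demonstration with a constructed flag file playing the daemon:
# "test -f FLAG" is the process check, "touch FLAG" the start command.
demo() {
    flag=${TMPDIR:-/tmp}/dce_monitor_demo.$$
    rm -f "$flag"
    r1=0; monitor_pass "test -f $flag" "touch $flag" "test -f $flag" || r1=$?
    r2=0; monitor_pass "test -f $flag" "touch $flag" "false"         || r2=$?
    rm -f "$flag"
    r3=0; monitor_pass "test -f $flag" "false" "true"                || r3=$?
    echo "started:$r1 hung:$r2 unstartable:$r3"
}
demo
```

The distinction between return codes 1 and 2 matters for the package design: a process that is present but fails the DCE-level ping is exactly the case a plain process check misses, and it is why the text has the monitor end with a ping on the server interface rather than stop at the process loop.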
DCE Configuration for Integration with ServiceGuard
DCE configuration for integration with ServiceGuard is performed in the following steps:
1. Configuring the ServiceGuard cluster
2. Configuring DCE
3. Configuring the package
4. Distributing the package
5. Starting the ServiceGuard cluster
6. Starting the package on the ServiceGuard cluster
The following subsections describe these steps in more detail.
Configuring DCE
Perform the following steps to configure DCE on your system if ServiceGuard is running:
1. Create a volume group for the DCE data file (for example: /dev/vgdce).
2. Manually activate the volume group to be accessed from the primary node (for example: vgchange -a e /dev/vgdce).
3. Identify the filesystems and logical volumes for the package filesystem definition. These should reside on the shared disk.
Configuring the Package
Create a package for the DCE services that ServiceGuard can monitor with the following steps:
1. Create a directory for the DCE package name as follows:
mkdir /etc/cmcluster/pkg-name
2. Generate and modify the package configuration script for DCE as follows:
cmmakepkg -p /etc/cmcluster/pkg-name/pkg-name.conf
This command creates a template for pkg-name.
3.
10. Create the DCE daemon restart script using dce.restart as a sample template. Set the environment variable SG_DCE_BASE_DIR to /etc/cmcluster/pkg-name.
Distributing the Package
To distribute the package, follow these steps:
1. Distribute the package configuration and control scripts across the nodes. From the primary node, enter:
rcp -r /etc/cmcluster/pkg-name \
secondary_node:/etc/cmcluster/pkg-name
2.
1. To restart the package on a specified host, enter:
cmrunpkg -n host pkg-name
2. To re-enable package switching after halting the package, enter:
cmmodpkg -e -n host pkg-name
See Managing MC/ServiceGuard for procedures on using SAM to administer MC/ServiceGuard clusters and packages.
6 HP-UX Integrated Login
This chapter describes the HP-UX Integrated Login product, which became available with HP-UX 10.0. In addition, this chapter discusses how to use the HP-UX Integrated Login product with UNIX and other authentication technologies.
Overview
At release 10.0, HP-UX made available a new HP-UX Integrated Login product that differs from the DCE-Integrated Login Utilities provided on HP-UX 9.x systems. Whereas DCE-Integrated Login Utilities are tightly coupled with DCE, HP-UX Integrated Login is designed to modularly combine UNIX login with various authentication technologies, including DCE.
HP-UX Integrated Login combines UNIX login with other authentication technologies.
HP-UX Integrated Login allows system administrators to utilize authentication technologies other than the traditional UNIX scheme (/etc/passwd) to better secure their machines. It also provides flexibility, as system administrators can vary the configurations of machines depending on desired levels of security. As an example, consider a DCE cell.
Deciding Whether to Use HP-UX Integrated Login
Use HP-UX Integrated Login:
• If you want to use an authentication technology other than the traditional UNIX mechanism as the login technology. For this release, this means using DCE Security Services.
• If you want to obtain additional credentials from other authentication technologies after machine access is granted via the login technology.
Operation of Integrated Login Utilities
The Integrated Login utilities are login, dtlogin, dtsession, su, and ftpd. The passwd utility is also integrated to facilitate the manipulation of registries (such as the registries for technologies used by HP-UX Integrated Login). The Secure Internet Services (SIS) version of ftpd is not integrated.
Activating HP-UX Integrated Login
The script /usr/sbin/auth.adm is provided to activate HP-UX Integrated Login and configure a system authentication policy. Until activated, all Integrated Login utilities retain standard HP-UX behavior. auth.adm activates Integrated Login by creating an appropriate /etc/pam.conf file.
-p tech_name:param=value[:param=value]
specifies the values of parameters applicable to an authentication technology being configured. Parameters of different technologies can be specified by repeating the -p[arameter] option. The list of configurable parameters is as follows:
TIMEOUT — Timeout (in seconds) on communications with authentication technology.
3. Inspect the file /var/adm/ilogin/auth.adm.log for ERROR messages. If there are ERROR messages, correct the error conditions and repeat step 2.
4. auth.adm performs the following actions during the activation process:
• Verifies that the policy is an acceptable one.
• Activates the login technology.
• Activates the fallback technology.
• Activates additional technologies.
• Records the configured authentication policy in a policy file, /etc/auth.
Deactivating HP-UX Integrated Login
To deactivate HP-UX Integrated Login and remove the authentication policy on a system, do the following:
1. Log in as root and issue the following command:
/usr/sbin/auth.adm -u[ninstall]
auth.adm restores the old version of /etc/pam.conf.
2. Inspect the file /var/adm/ilogin/auth.adm.log for ERROR messages. If there are ERROR messages, correct the error conditions and repeat step 1.
Inquiring about Authentication Policy
To inquire about the authentication policy of a system running HP-UX Integrated Login, run the command:
/usr/sbin/auth.adm -q[uery] [-f filename]
The command prints the authentication policy to stdout, or to filename if -f filename is specified. You do not have to be root to run this option of the command.
Notes, Cautions, and Warnings
• HP-UX Integrated Login on 10.x is not an upgraded version of DCE-Integrated Login Utilities for 9.x systems. Its activation tool is /usr/sbin/auth.adm. You cannot use dce.login, the 9.x activation tool for DCE-Integrated Login, to activate HP-UX Integrated Login.
• When changing passwords using passwd, the password format rules imposed by the login technology restrict the format of newly-entered passwords.
Synchronization of passwords between DCE and an HP-UX Commercial Security Trusted System cannot be achieved through the passwd_export cron job. Such synchronization can only be achieved by separately modifying a user’s DCE and HP-UX passwords to be the same. DCE passwords are global to a network, whereas the Commercial Security passwords are local to a single system.
Integrating DCE with HP-UX Integrated Login
HP DCE/9000 provides support for integrating DCE with HP-UX Integrated Login. The binaries for this functionality are included in the AUTH-DCE file set.
Deciding Whether to Integrate DCE with HP-UX Integrated Login
If you want to configure DCE as the login technology with HP-UX Integrated Login, consider the following:
• The system environment must be stable. Therefore, DCE must be left configured and the DCE cell must be maintained. The network must remain reliable 24 hours a day.
• All users of a system must have a DCE account, including users who are declared in passwd_override.
• Unlike user root, the cell administrator must provide cell_admin’s password when using the HP-UX Integrated passwd to change other users’ passwords in the DCE Security Registry.
• User passwords are limited to 128 characters for ftp; otherwise, passwords can be up to 512 characters.
• HP-UX Integrated Login utilities take longer to execute and require more system resources than the HP-UX equivalents.
• Decide whether to activate the DCE backend to the Name Service Switch (NSS-DCE) so that getpw* and getgr* calls access the DCE registry for user information. (See the previous section, "Operation of the HP-UX Integrated Login Utilities," for further information.)
• Create entries in /etc/opt/dce/passwd_override for any accounts (such as printing or backup services) that require access to your system, but not to the DCE cell.
When using passwd_import to set up accounts from /etc/passwd, be aware that passwd_import:
• Creates accounts for all entries in /etc/passwd but marks the accounts invalid. After using passwd_import, the cell administrator must use dcecp to assign a password to each account and to mark each account as valid.
• Does not create accounts from NIS information.
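A pre-activation check that follows from the points above, as an added example in POSIX shell (not HP's, OSF's, or passwd_import's code): before DCE becomes the login technology, list the /etc/passwd users who have neither a DCE account nor a passwd_override entry, since those are the users (or service accounts) that will be unable to authenticate once the Integrated Login utilities consult the DCE registry. It assumes that passwd_override uses /etc/passwd-style colon-separated fields with the login name first, and that the list of DCE accounts is one principal name per line (as you could produce from dcecp output). All three inputs are constructed samples embedded in the script; the user names and UIDs are invented.

```shell
#!/bin/sh
# Added example, not HP or OSF code: find /etc/passwd users who would be locked
# out when DCE becomes the login technology, i.e. users with neither a DCE
# account nor a passwd_override entry.  POSIX sh plus awk.

# Constructed sample /etc/passwd (invented users and UIDs).
sample_passwd() {
    cat <<'EOF'
root:*:0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
lp:*:9:7::/var/spool/lp:/sbin/sh
alice:*:101:20::/home/alice:/bin/ksh
bob:*:102:20::/home/bob:/bin/ksh
backup:*:103:20::/home/backup:/bin/ksh
EOF
}

# Constructed list of principals that have accounts in the DCE registry,
# one per line (assumed format; build it from dcecp output in practice).
sample_dce_accounts() {
    printf '%s\n' cell_admin root alice
}

# Constructed /etc/opt/dce/passwd_override: accounts that need the system but
# not the cell (assumed to use /etc/passwd-style fields, login name first).
sample_override() {
    cat <<'EOF'
daemon:*:1:5::/:/sbin/sh
lp:*:9:7::/var/spool/lp:/sbin/sh
EOF
}

# unresolved_users PASSWD_FILE DCE_ACCOUNT_LIST OVERRIDE_FILE
# Prints, in /etc/passwd order, every login name that is in neither of the
# other two sources.  The two lookup files are read first, the passwd file last.
unresolved_users() {
    awk -F: '
        NF == 0             { next }
        FILENAME == ARGV[1] { dce[$1] = 1; next }
        FILENAME == ARGV[2] { ovr[$1] = 1; next }
        !($1 in dce) && !($1 in ovr) { print $1 }' "$2" "$3" "$1"
}

# check_sample: materialise the constructed inputs and run the check.
check_sample() {
    d=${TMPDIR:-/tmp}/ilogin_check.$$
    mkdir -p "$d"
    sample_passwd       > "$d/passwd"
    sample_dce_accounts > "$d/dce_accounts"
    sample_override     > "$d/passwd_override"
    unresolved_users "$d/passwd" "$d/dce_accounts" "$d/passwd_override"
    rm -rf "$d"
}

# Stand-alone demonstration: prints bob and backup, the two entries that need
# either a DCE account (and a valid password after passwd_import) or a
# passwd_override entry before activation.
check_sample
```

On a real system you would run unresolved_users against /etc/passwd, a current principal list and /etc/opt/dce/passwd_override; an empty result is the precondition the first two bullets above describe. Remember that accounts created by passwd_import are still marked invalid until the cell administrator assigns a password and validates them with dcecp, so appearing in the DCE list is necessary but not sufficient.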
• Starts ilogind (the integrated login daemon) and adds it to the startup list. The DCE backend to PAM (PAM-DCE), as well as the DCE backend to NSS (NSS-DCE), communicate with ilogind, which in turn communicates with secd (the DCE Security daemon) to perform security functions. ilogind was introduced at HP DCE 1.6.
Activation terminates with an error message when any of these steps fails.
Configuring ux as a Fallback Technology for DCE
You can configure ux as a fallback technology to allow system access when DCE, as a login technology, is not available (DCE down or network problem).
restrictions, and semantics. Also, be aware that configuring the UNIX backend as a backup technology can cause the following known problems:
• If the DCE registry enforces hidden passwords (which it does by default), an asterisk (*) is placed in /etc/passwd for all entries and the UNIX backup will be unable to process any password.
Password successfully changed in DCE registry
Permission denied.
As shown in the preceding message, the password has been changed in DCE, but not in /etc/passwd. To resynchronize the passwords, the user must log in as root and run the passwd -r files command. This command changes the password in the /etc/passwd file only.
• UNIX allows the root user to su to any other user’s account without prompting root for a password.
• If you have set up a passwd_export cron job to update /etc/passwd with DCE Registry data, any changes you make to /etc/passwd will be lost when the cron job updates /etc/passwd.
WARNPWDEXP and FORCEPWDCHANGE parameters in the section “Activating HP-UX Integrated Login” earlier in this chapter for information on how to manage password expiration.
DCE and Anonymous FTP
If you are using the HP-UX Integrated Login utilities on a system that supports anonymous ftp, be aware of the following:
• An ftp account must exist in the DCE registry. This account need not be password-validated for DCE use, but it must exist.
AFS and Kerberos Authentication
Support for AFS and Kerberos Authentication is not provided in this release of HP-UX Integrated Login.
7 Notes on Cell Administration
This chapter contains an overview of the diagnostic tools and administrative interfaces that are available in HP DCE/9000. In addition, it contains notes about other topics concerning cell administration.
Diagnostic Tool — dceping
HP DCE/9000 includes an HP-developed diagnostic tool, dceping. dceping provides information on the status of a client machine within its cell. The following is a brief description of dceping. dceping verifies that a local client can communicate with DCE and other services within a cell.
Enhanced CDS Browser

HP DCE/9000 supplies an enhanced version of the CDS Browser. The CDS Browser is a tool for viewing and editing the contents of a name space. It runs on workstations with windowing software based on the OSF/Motif user interface. The HP DCE/9000 CDS Browser provides a superset of the functionality available in the OSF-supplied CDS Browser. Documentation for the product is provided in the form of context-sensitive online help.
Overview of Enhanced HP DCE CDS Browser Features

Creating and Deleting Entries

Menu options enable you to create and delete clearinghouse entries, directories, object entries, soft links, RPC entries, RPC group entries, RPC profile entries, and RPC server entries. The menu prompts for appropriate information for creation and deletion tasks and requires confirmation before deletions are performed.
• Communication time-out limit
• Cache data time-out limit

You can also set defaults for these options, and can toggle confirmation of non-destructive dialogs.

Manage Replica Locations

You can create a replica of a directory, change the location of a master replica, display information about a replica, and delete a replica from a clearinghouse.
CDS Browser Documentation

CDS Browser Online Help

Access to the documentation is available through the Help option in the CDS Browser menu bar and Help buttons in the CDS Browser dialog boxes.

CDS Browser Reference Page

HP CDS Browser now supports X resources that permit you to customize or localize the HP CDS Browser. These attributes are described in the cdsbrowser(8) man page.
Administering CDS

This section contains information on administering CDS that supplements the information in the OSF DCE Administration Guide — Core Services and OSF DCE Administration Reference.

Deleting a Clearinghouse

Before removing a CDS server clearinghouse, you must move or delete any directories having master replicas in the clearinghouse. If you do not do this, the clearinghouse removal operation fails, thereby preventing unintended loss of data.
Known CDS Problems

Resource Problems

It is important to configure sufficient resources for DCE according to the instructions in this manual. CDS can fail if a CDS server or client system runs out of system resources such as swap space, disk space, or kernel resources. Symptoms usually include a cdsadv or cdsd crash with one of a variety of error messages (which may not directly indicate the source of the problem).
Establishing Intercell Communication

The information in this section supplements the information in the OSF DCE Administration Guide — Core Services, and describes how intercell communication should be configured in an HP-UX environment. Communication between DCE cells is facilitated by the gdad daemon, which implements the Global Directory Agent (GDA).
1. gdad first reads the file /etc/opt/dce/named.ca, which, if present, should contain one or more NS (NameServer) records and associated A (Address) records. These records specify, in DNS “master” format, the name server(s) that gdad should query. The master format is described in the named(1M) man page.

2. If named.ca is not found or does not contain NS records, then gdad looks for name servers in /etc/resolv.conf. The format of resolv.
In some cases it may be sufficient to point GDA at a name server that serves the zone containing cell names, and obtain hostname A (Address) records from that server’s cache data. If the name server is frequently used to look up hostnames, it is likely that A records for “popular” hosts will be in cache.
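The two-step lookup order described above (named.ca NS/A records first, resolv.conf nameserver lines only as a fallback) modelled as an added example; this is not gdad's code, and the named.ca and resolv.conf contents are constructed for the example. It also reports an NS record whose server has no matching A record, which is the named.ca mistake most worth checking before pointing GDA at a name server.

```python
"""Model of gdad's name-server lookup order (added example, not HP's code):
NS and A records from /etc/opt/dce/named.ca first, 'nameserver' lines from
/etc/resolv.conf only if named.ca has no NS record.  Sample data is constructed."""
import ipaddress


def parse_master_records(text):
    """Collect NS names and A records from DNS master-format text (NAME [TTL]
    [IN] TYPE RDATA); ';' comments are ignored, other record types skipped."""
    ns_names, a_records = [], {}
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()
        pos = [i for i, f in enumerate(fields) if i and f.upper() in ("NS", "A")]
        if not pos or pos[0] + 1 >= len(fields):
            continue
        owner, rtype, rdata = fields[0], fields[pos[0]].upper(), fields[pos[0] + 1]
        if rtype == "NS":
            ns_names.append(rdata.lower())
        else:
            try:
                a_records[owner.lower()] = str(ipaddress.IPv4Address(rdata))
            except ipaddress.AddressValueError:
                pass  # malformed address: never hand gdad a bad server
    return ns_names, a_records


def parse_resolv_conf(text):
    """Return the nameserver addresses from resolv.conf, in file order."""
    lines = (raw.split("#", 1)[0].split() for raw in text.splitlines())
    return [f[1] for f in lines if len(f) >= 2 and f[0] == "nameserver"]


def gda_name_servers(named_ca_text, resolv_conf_text):
    """Return the source gdad would use, the addresses it would query and any
    NS name without an A record (a named.ca misconfiguration to fix)."""
    ns_names, a_records = parse_master_records(named_ca_text)
    if ns_names:
        return {"source": "named.ca",
                "servers": [a_records[n] for n in ns_names if n in a_records],
                "unresolved": [n for n in ns_names if n not in a_records]}
    return {"source": "resolv.conf", "servers": parse_resolv_conf(resolv_conf_text),
            "unresolved": []}


NAMED_CA = """; constructed hint file in master format
.             3600000 IN NS ns1.xyz.com.
.             3600000 IN NS ns2.xyz.com.
ns1.xyz.com.  3600000 IN A  192.0.2.10
ns2.xyz.com.  3600000 IN A  192.0.2.11
"""
RESOLV_CONF = "domain xyz.com\nnameserver 192.0.2.53\n"  # constructed
```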
There may be more than one TXT record for a cell; each clearinghouse in the cell has its own TXT record. Each TXT record appears on a single line (without the slashes that appear in this example). (You can also derive this information, though in a different format, using the dcecp directory show command.)

3. For each TXT record in the output of show cell, create a line in a text file similar to: cell.xyz.com. IN TXT “TXT_data hostname.xyz.
3. Use the dcecp registry connect command:

dcecp> registry connect /.../foreign_cell_name \
    -facct cell_admin \
    -facctpw foreign_cell_admin_pwd \
    -group none \
    -fgroup none \
    -org none \
    -forg none \
    -mypwd local_cell_admin_pwd

NOTE As of HP DCE 1.6, intercell logins by members of trusted cells are disabled by default to protect against insecure intercell logins. (This differs from standard OSF DCE 1.1 behavior.
Miscellaneous Notes

This section contains miscellaneous information about HP DCE/9000 cell administration.

• To better integrate HP DCE with existing HP-UX systems, HP has added new functionality to the passwd_export utility. Before exporting groups from the DCE registry to the /etc/group file, HP passwd_export looks for the file /etc/opt/dce/sys.group and prepends any group information from that file to the new /etc/group file.
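The sys.group prepend described in the preceding note, as an added example rather than HP's passwd_export code: it assembles the new /etc/group contents in the documented order and additionally flags group names or GIDs that appear in both sources, since a plain prepend would export both entries silently. It assumes sys.group uses the name:passwd:gid:members layout of /etc/group; the file contents are constructed for the example.

```python
"""Model of the /etc/group assembly the manual describes for HP passwd_export
(added example, not HP's code): entries from /etc/opt/dce/sys.group are placed
first, then the groups exported from the DCE registry.  Name and GID collisions
between the two sources are reported, which a plain prepend would leave
unnoticed.  Assumption: sys.group uses the name:passwd:gid:members layout of
/etc/group.  Sample contents are constructed for the example."""


def parse_group_lines(text):
    """Yield (name, gid, line) for each well-formed group(4) line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4 or not fields[2].isdigit():
            continue  # skip malformed entries rather than export them
        yield fields[0], int(fields[2]), line


def merge_group_files(sys_group_text, registry_group_text):
    """Return (merged_lines, warnings); sys.group entries come first."""
    merged, warnings = [], []
    by_name, by_gid = {}, {}
    for source, text in (("sys.group", sys_group_text), ("registry", registry_group_text)):
        for name, gid, line in parse_group_lines(text):
            if name in by_name:
                warnings.append("group name %r in %s already defined in %s"
                                % (name, source, by_name[name]))
            if gid in by_gid:
                warnings.append("gid %d of %r in %s already used by %r in %s"
                                % ((gid, name, source) + by_gid[gid]))
            by_name.setdefault(name, source)
            by_gid.setdefault(gid, (name, source))
            merged.append(line)  # both entries are kept, as a prepend would
    return merged, warnings


# Constructed sample inputs: local system groups and a registry export whose
# 'dceusers' group name clashes with a local group of a different GID.
SYS_GROUP = "root::0:root\nsys::3:root,bin\ndceusers::200:alice\n"
REGISTRY_GROUPS = "dceusers::300:alice,bob\nacct-admin::100:cell_admin\nbin::2:root\n"
```

A warning here means the two sources disagree about a group; because the cron job rewrites /etc/group, the fix belongs in sys.group or the registry, not in /etc/group itself.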
8 HP DCE Measurement Service

This chapter describes the HP Distributed Measurement Service, which permits you to monitor resource utilization of HP DCE 1.7 servers that run as root.
Overview of DMS

DMS provides performance instrumentation for DCE servers and for the server side of applications that use DCE Remote Procedure Calls (RPCs). When DMS is enabled, it collects data about RPCs that execute in the target process. The collected data is actually displayed using HP GlancePlus.
DMS Prerequisite

You must install HP GlancePlus on the system where you intend to run DMS.

Enabling and Disabling DMS

DMS operates in three different modes:

• Disabled
• Inactive (the default)
• Active

You disable DMS by setting the environment variable DMS_FORCEOFF to any value and exporting the variable. (The software checks that DMS_FORCEOFF exists, not that the variable has any particular value.
Accessing DMS Data

After you start GlancePlus with the gpm command, you can select screens that display DCE metrics. Five HP GlancePlus screens display DCE metrics:

• DCE Global Activities Window — Provides global status of DCE services on your system.
• DCE Process List Window — Provides a list of all DCE processes on your system running with euid equal to root.
For a definition of any metric, select the metric name by clicking on it using the right mouse button; a pop-up help window appears containing the definition of the metric.

DCE Process List Window

The DCE Process List Window displays a list of all processes running on your system that are DCE servers. For each process displayed, several metrics are available by default.
For a selected interface, you can generate a report on the DCE operations the system is performing with that interface. You generate the DCE Operations report by selecting the “Reports” pull-down in this window and then selecting “DCE Operations”.

DCE Operations Window

The DCE Operations Window displays a list of the DCE operations the system is performing within a selected DCE interface. For each process displayed, several metrics are available by default.