Planning and Configuring HP DCE 1.8 Second Edition Manufacturing Part Number: B3190-90074 E0301 United States © Copyright 1983-2000 Hewlett-Packard Company.
Legal Notices The information in this document is subject to change without notice. HEWLETT-PACKARD MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MANUAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be held liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material. Warranty.
©copyright 1980, 1984, 1986 Novell, Inc. ©copyright 1986-1992 Sun Microsystems, Inc. ©copyright 1985-86, 1988 Massachusetts Institute of Technology. ©copyright 1989-93 The Open Software Foundation, Inc. ©copyright 1986 Digital Equipment Corporation. ©copyright 1990 Motorola, Inc. ©copyright 1990, 1991, 1992 Cornell University ©copyright 1989-1991 The University of Maryland ©copyright 1988 Carnegie Mellon University ©copyright 1991-2000 Mentat Inc. ©copyright 1996 Morning Star Technologies, Inc.
Contents

1. About HP DCE/9000 Version 1.8
HP DCE/9000 Core Services Software  14
OSF DCE Components Included in This Release  14
HP DCE/9000 Features Added by Hewlett-Packard  15
Features Removed at HP DCE 1.8  20
Version Identification
HP-UX Integrated Login Utilities
The DCE Audit Service
Setting LANG and NLSPATH Environment Variables
dcecp in Local Mode
dcecp secval Change
HP DCE/9000 Interoperability with SharedPrint/UX
Migrating an HP DCE 1.7 Server on HP-UX 11.0 to HP DCE 1.8 on HP-UX 11i  57
Migration Procedures  57
3. Before Installing HP DCE/9000 Version 1.8
Overview  60
Prerequisites
Limitations of DCM  76
Configuring Cells with DCM
Overview of DCM Functionality
Important Security Warning
Requirements for Running DCM
Running DCM
Supported Templates for MC/ServiceGuard Integration with DCE  109
Planning for the DCE Package  110
DCE Configuration for Integration with ServiceGuard  110
Summary of DCE-MC/ServiceGuard Installation and Configuration  115
6.
Diagnostic Tool — dceping  142
Enhanced CDS Browser
Features of the HP DCE/9000 CDS Browser
Overview of Enhanced HP DCE CDS Browser Features
User Interface Enhancements
CDS Browser Documentation
About this document
This document describes features of HP DCE/9000 Version 1.8 specific to Hewlett-Packard. For features of standard DCE, see the OSF documentation. This book is organized as follows:
• Chapter 1 provides an overview of HP DCE 1.8; it includes information about new features, limitations, interoperability and compatibility, changes at the next release, and documentation. Chapter 1 also includes information about DCE Account Manager, Cell Monitor, and the Password Management Server.
1 About HP DCE/9000 Version 1.8
HP DCE/9000 Version 1.8 (HP DCE 1.8) makes the functionality of OSF DCE Version 1.2.1 available on HP 9000 Series 700 and Series 800 systems running HP-UX 11i. HP DCE 1.8 also includes new functionality and bug fixes.
HP DCE/9000 Core Services Software
HP DCE/9000 Version 1.8 is based on OSF DCE Version 1.2.1 source code, with bug fixes and value-added functionality. This section describes the contents of this release.
OSF DCE Components Included in This Release
This release includes the following OSF DCE components:
• Remote Procedure Call (RPC) Facility, supporting both connection-oriented (TCP/IP) and connectionless (UDP/IP) transport protocols.
NOTE At HP DCE 1.8, both libdce and libcma are versioned for compatibility reasons. libdce.1 and libcma.1 are the latest patched HP DCE 1.5 libraries. libdce.2 and libcma.2 support HP DCE 1.8 on HP-UX 11i. Shared applications built on HP DCE 1.6 may have to be recompiled to run on HP DCE 1.7 or any later release.
NOTE HP DCE will not support archive (statically linked) libraries for applications in any future release.
provides a graphical display of the status of each node in a DCE cell.
• DCM, the DCE Configuration Manager (HP DCE 1.4 and later releases), allows you to configure the nodes in a DCE cell. This tool is accessible via SAM (the HP-UX System Administration Manager) and is documented in online help.
• A set of HP-UX Integrated Login utilities that authenticate users via the DCE Security Registry instead of via /etc/passwd and /etc/group.
new options that support intercell login:
-acctvalid    Marks the local cell account as a valid account. A valid local cell account allows users from the foreign cell to log in to nodes in the local cell. The default is invalid.
-facctvalid   Marks the foreign cell account as a valid account. A valid foreign cell account allows users from the local cell to log in to nodes in the foreign cell. The default is invalid.
Authentication Module (PAM). There are no longer any separate .auth binaries.
Features Added at HP DCE 1.8
The following features have been added at HP DCE 1.8:
• 32-bit and 64-bit DCE application development with kernel threads. HP DCE Version 1.8 core services ships 32-bit and 64-bit DCE kernel-threaded libraries to support application development with kernel threads. To use HP-UX kernel threads, DCE applications must either define the preprocessor symbol _POSIX_D10_THREADS or define _POSIX_C_SOURCE=199506L.
restricted to US/Canada is now available to all customers. Hence, there will be no separate DCE-Domestic product in the DCE 1.8 version.
• Libraries shipped in DCE-KT-Tools: the DCE-KT-SHLIB fileset and DCE-KT-Domestic. DCE-KT-SHLIB is not part of the DCE core.
• DCE-KT-Tools: the DCE-KT-BPRG fileset of HP DCE 1.7.1 will be part of the DCE-CoreTools product. The DCE-KT-Tools product will not be available for HP DCE 1.
DCE-Domestic is no longer required. Systems that do not have the US/Canada version are automatically upgraded to support 56-bit DES encryption on upgrading to HP-UX 11i. Systems that have the US/Canada version installed continue to support DCE 56-bit DES encryption on upgrading to HP-UX 11i.
• This release also includes many major bug fixes.
Version Identification
Version information for individual HP DCE/9000 Version 1.
algorithm as its default encryption algorithm.
NOTE International customers who previously received the DES-hidden version because of export restrictions can now obtain the DES version of DCE. The DES-hidden version has been removed starting with HP-UX 11i, since the United States State Department no longer imposes an export restriction.
Limitations of This Release
Some of the limitations described in this section reflect limitations of OSF DCE 1.2.1; others are limitations specific to this release.
Limitations of OSF DCE 1.2.1
Following are limitations of OSF DCE 1.2.1:
• The tool passwd_import, which imports user account information from /etc/passwd files to the Registry database, does not import the passwords themselves.
Interoperability and Compatibility
This section describes the interoperability of this release with various implementations of OSF DCE, and its compatibility with previous versions of HP DCE and with DCE-related technologies.
Binary Compatibility with Previous HP DCE Releases
Applications built on HP-UX 10.30 with HP DCE 1.6 may need to be recompiled due to the versioning of libdce and libcma in HP-UX 11i. HP DCE 1.
3. If using Integrated Login, log out and log in.
If a statically linked HP DCE 1.7 application purges a login context (via sec_login_purge_context) that an HP DCE 1.8 application had created or refreshed, one of the credential files will not be deleted from the disk. This file is located in the /var/opt/dce/security/creds directory. The file name consists of the unique credential cache ID associated with the login context and a ".data.
remote utilities.
• Create the file /etc/krb5.conf for use by Kerberos V5 Beta 5-7 and Release 1.0 applications.
• Create the file /krb5/krb.realms for Kerberos V5 B4 applications.
• Add the entries klogin, kshell, ekshell, and eklogin, as well as kerberos5 and kerberos-sec, to /etc/services.
• Link the /etc/krb5.keytab file, which is the default keytab used by Kerberos V5 Release 1.
dce_config does not set or reset the service "kerberos" in /etc/services. However, dce_config does set the following in /etc/services:

kerberos5      88/udp    kdc    # for V5 Beta 5-7 applications
kerberos-sec   88/udp    kdc    # for V5 Release 1.0 applications

If a customer has an environment where they are supporting different versions of Kerberos clients, they can set the port number for V5 Release 1.
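The following script is added here as an illustration for this edition; it is not part of dce_config or any HP tool. It parses text in /etc/services format and reports which of the Kerberos entries named above are missing, or are bound to a port other than 88/udp. The SAMPLE_SERVICES content is constructed for the example (two of the hand-added entries are deliberately absent); to check a real system, pass the contents of /etc/services to check_services().

```python
"""Check an /etc/services file for the Kerberos entries described above.

Added illustration for this edition; it is not part of dce_config or any HP
tool. SAMPLE_SERVICES is a constructed stand-in for a real /etc/services.
"""

# Entries the text says dce_config writes: name -> (port, protocol).
REQUIRED_PORTS = {
    'kerberos5': ('88', 'udp'),
    'kerberos-sec': ('88', 'udp'),
}

# Entries you add by hand; their port numbers are site-dependent, so only
# presence is checked.
REQUIRED_NAMES = ('klogin', 'kshell', 'ekshell', 'eklogin')

# Constructed sample: ekshell and eklogin are deliberately missing.
SAMPLE_SERVICES = """\
# constructed sample of /etc/services
telnet         23/tcp
kerberos5      88/udp    kdc    # for V5 Beta 5-7 applications
kerberos-sec   88/udp    kdc    # for V5 Release 1.0 applications
klogin        543/tcp
kshell        544/tcp
"""


def parse_services(text):
    """Map each service name or alias to the set of (port, proto) pairs it has."""
    table = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or '/' not in fields[1]:
            continue                              # not a "name port/proto" line
        port, proto = fields[1].split('/', 1)
        for name in [fields[0]] + fields[2:]:     # aliases (e.g. kdc) count too
            table.setdefault(name, set()).add((port, proto))
    return table


def check_services(text):
    """Return a sorted list of problems; an empty list means every entry is present."""
    table = parse_services(text)
    problems = []
    for name, (port, proto) in REQUIRED_PORTS.items():
        if name not in table:
            problems.append('missing %s' % name)
        elif (port, proto) not in table[name]:
            problems.append('%s is not %s/%s' % (name, port, proto))
    for name in REQUIRED_NAMES:
        if name not in table:
            problems.append('missing %s' % name)
    return sorted(problems)


if __name__ == '__main__':
    # On a real system: check_services(open('/etc/services').read())
    for problem in check_services(SAMPLE_SERVICES):
        print(problem)
```

Aliases are indexed as well as primary names, so a site that lists "kdc" as an alias rather than a primary name still passes the port check.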
Notes, Cautions and Warnings Regarding This Release
dcecp host Command
All of the operations of the dcecp host command are implemented. See the host (8dce) man page for syntax and details.
Security and Remote Login Utilities
You can use standard UNIX remote login utilities (remsh, rlogin, telnet) to perform remote DCE cell administration.
compiler. This restriction also applies to applications on HP-UX 10.x systems built using the HP-UX user-space threads library (libcma).
dce_login -r Option
Starting with HP DCE 1.4, the -r option, which refreshes a user's credentials, was added to dce_login.
Do not use the auth.adm script to activate the HP-UX Integrated Login utilities until after you have set up the accounts necessary for your site in the DCE Security Service registry.
The DCE Audit Service
The DCE Audit Service was first released with HP DCE 1.4.x; it provides auditing capabilities for the DCE Security and Time services. By default, all audit events are disabled (not logged).
Administration Guide and Reference. For Audit Service configuration information see Chapter 5 of this manual.
Setting LANG and NLSPATH Environment Variables
English-language users of HP DCE/9000 should set the NLSPATH environment variable to include /usr/lib/nls/C/%N, or should set NLSPATH to include /usr/lib/nls/%L/%N and LANG to C.
HP DCE/9000 Interoperability with SharedPrint/UX
SharedPrint/UX 1.3 or earlier will not operate with HP DCE/9000.
k5dcelogin Limitation
There is a limitation in the k5dcelogin command when it is called by rlogin -f to log in to the local node. If you already have Kerberos credentials on the local node when you use rlogin -f to log in, your local Kerberos credentials are deleted when you exit or log out.
Features Planned for a Future Release
This section describes OSF DCE and HP DCE features that will be supported in future releases of HP DCE.
• Improved scalability, robustness, and availability
• Improved administration and configuration
• RPC support on IA64
Future Support for POSIX 1003.1c Threads
CMA applications are likely to migrate from Draft 4 of the POSIX threads standard to the final, ratified 1003.
HP DCE 1.8 Documentation
Documentation for HP DCE 1.8 consists of printed and online materials. For a complete list of documentation, including part numbers, see the HP DCE/9000 Version 1.8 Release Note (B3193-90023).
Printed Documentation
The printed documentation for HP DCE 1.8 consists of HP DCE 1.8 manuals, the OSF DCE documentation set, and two books by O'Reilly and Associates.
• OSF DCE Application Development Guide Volume 2 - Core Components (B3190-90039)
• OSF DCE Application Development Guide Volume 3 - Directory Services (B3190-90040)
The following books are published by O'Reilly & Associates:
• Understanding DCE (B3190-90018)
• Guide to Writing DCE Applications (B3190-90029)
For general information on installing software on HP-UX 11i systems, see Installing HP-UX 11i and Updating HP-UX 11.
• /opt/dce/share/man
• /opt/dce/usr/man
• /usr/share/man
To read DCE man pages by using the man command, include the path names listed above in your MANPATH shell environment variable.
NOTE Use the following command to display the dts_update man page: man dts_update
HP DCE Online Help
HP DCE/9000 offers a DCE Online Help feature that provides information about various aspects of HP DCE.
shell. To access the DCE Online Help from the Front Panel, follow these steps:
1. Click on the Front Panel help icon (the "?"). A "Welcome to Help Manager" help window appears.
2. In the Help Manager window, click on the "HP DCE/9000, Version 1.8" product-family title. A list of the HP DCE/9000 help volumes appears.
3. To display a help volume, click on its title.
HP DCE Administration Tools
The administration tools are Account Manager, DCM (the DCE Configuration Manager), and the HP CDS Browser. The Account Manager provides a graphical interface for creating objects in the DCE registry and for administering the DCE registry.
NOTE The Account Manager requires a bit-mapped display; it does not run on ASCII terminals. Also, small bit-mapped displays (such as some PC displays), which may cut off portions of dialog boxes, are unsupported.
Running the Account Manager
If you are running the Account Manager locally, you do not need to set the DISPLAY environment variable ($DISPLAY).
when you initially start the Account Manager. If you are administering a very large cell, read "Managing Very Large Cells with Account Manager" below.
• It is recommended that you bring up the Assistant from the File menu when you initially start the Account Manager, and iconize it when not in use.
• If you wish to read in names from a file, or retrieve a partial listing (such as all users in group XXX), select Options/Specify List.
3. If the retrieval of large lists degrades Account Manager performance, you can assist the Account Manager by retrieving the list during an off-peak time using the dcecp command and saving the list to a file. This file could be generated automatically (for example, nightly by a cron job).
which occupy more than three lines.
• A profile that is created from a View operation (such as "View User") does not correctly handle an alias name. As a workaround, create profiles that include aliases only from Add operation dialogs.
• Cross-cell administration is not supported.
• Importation of user account information from /etc/passwd is not supported.
HP Password Management Server
A Password Management Server implements policies for password strength. Sites can implement site-specific policies by writing their own Password Management Server and attaching appropriate Extended Registry Attributes (ERAs) to the principals that are subject to these policies. A Password Management Server must implement the interface described in dce/rsec_pwd_mgmt.idl.
omitted, but stubs are supplied that allow the resulting server to build. Note that certain values of the pwd_SecureWare_chk ERA (specifically, values 1 and 2) are unsupported, and will result in failures to pass strength checking if you attempt to use the example server as described in the documentation. The logfile entry will report that the pwd_SecureWare_chk level is not supported.
policy only.
1 — Check passwords entered by this principal using the Password Management Server.
2 — Principal may either choose a password (which is then checked with the Password Management Server), or can use a password that has been generated by the Password Management Server (no additional strength checking is done).
3 — Principal must use a password generated by the Password Management Server.
attached, then the Password Management Server uses the DCE Registry algorithm only. The example Password Management Server does not support values 1 or 2 for pwd_SecureWare_chk, since these use proprietary SecureWare algorithms. If a principal is configured with a pwd_SecureWare_chk value of 1 or 2, the principal will be unable to change passwords, and the logfile /var/opt/dce/security/pwd_strength.
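To make the ERA semantics above concrete, here is a small model of the decision a Password Management Server makes for each value 0 to 3 and for the unsupported pwd_SecureWare_chk levels 1 and 2. It is added for this edition and is not HP's example server or its IDL interface. The values 0 to 3 and the unsupported SecureWare levels come from the text (in OSF DCE 1.2.1 the per-principal ERA carrying the 0 to 3 value is pwd_val_type; this excerpt does not name it). The strength rule (minimum length, letters plus digits), the generated-password length and the log wording are assumptions standing in for site policy.

```python
"""Model of the per-principal password-policy dispatch described above.

Added illustration, not HP's example Password Management Server. The
strength rule, generated-password length and log wording are assumptions;
the ERA values and the unsupported SecureWare levels come from the text.
"""
import secrets
import string

MIN_LEN = 8  # assumed site rule, not from the manual

# Values of the per-principal ERA (pwd_val_type in OSF DCE 1.2.1):
REGISTRY_ONLY = 0        # registry policy only; the server is not consulted
CHECK_CHOSEN = 1         # server checks the password the principal chose
CHOOSE_OR_GENERATE = 2   # principal may choose (checked) or take a generated one
GENERATED_ONLY = 3       # principal must use a server-generated password


def strength_ok(pw):
    """Assumed site-specific strength rule, standing in for the real check."""
    return (len(pw) >= MIN_LEN
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw))


def generate_password(length=12):
    """Generate a password that satisfies strength_ok() using a CSPRNG."""
    alphabet = string.ascii_letters + string.digits
    while True:
        pw = ''.join(secrets.choice(alphabet) for _ in range(length))
        if strength_ok(pw):
            return pw


def evaluate(pwd_val_type, secureware_chk, chosen, log):
    """Decide a password change for one principal.

    chosen is the password the principal typed, or None to ask for a generated
    one.  log receives entries in the spirit of the pwd_strength logfile.
    Returns (status, password) with status 'accepted', 'rejected' or 'generated'.
    """
    if pwd_val_type == REGISTRY_ONLY:
        return ('accepted', chosen)          # registry's own algorithm applies
    if secureware_chk in (1, 2):
        # The example server does not implement the proprietary SecureWare levels,
        # so such a principal cannot change its password at all.
        log.append('pwd_SecureWare_chk level %d is not supported' % secureware_chk)
        return ('rejected', None)
    if pwd_val_type == GENERATED_ONLY:
        if chosen is not None:
            log.append('principal must use a generated password')
            return ('rejected', None)
        return ('generated', generate_password())
    if pwd_val_type == CHOOSE_OR_GENERATE and chosen is None:
        return ('generated', generate_password())   # no further strength check
    if pwd_val_type in (CHECK_CHOSEN, CHOOSE_OR_GENERATE):
        if chosen is None:
            log.append('no password supplied')
            return ('rejected', None)
        if strength_ok(chosen):
            return ('accepted', chosen)
        log.append('password failed strength check')
        return ('rejected', None)
    log.append('unknown pwd_val_type %r' % (pwd_val_type,))
    return ('rejected', None)


if __name__ == '__main__':
    entries = []
    print(evaluate(CHECK_CHOSEN, 0, 'short', entries))        # rejected
    print(evaluate(CHOOSE_OR_GENERATE, 0, None, entries))      # generated
    print(evaluate(CHECK_CHOSEN, 1, 'longenough1', entries))   # rejected, SecureWare
    print(entries)
```

The SecureWare check sits before the value-specific branches because the text says a principal with level 1 or 2 cannot change its password at all, whatever else is attached; only value 0 bypasses the server entirely.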
2 Migrating to HP DCE 1.8
This chapter discusses migration procedures and compatibility issues for migrating to HP DCE 1.8 running on HP-UX 11i.
Migration Paths
HP DCE 1.8 supports two direct migration paths, from HP-UX 10.20 and from HP-UX 11.0, to HP-UX 11i. Earlier versions of HP DCE that run on versions of HP-UX before 10.20 can also be migrated to HP DCE 1.8, but not directly. The direct migration paths are listed in Table 2-1.

Table 2-1 Supported Migration Paths to HP DCE Version 1.8

From                                    To
HP DCE Version    Running on            HP DCE Version    Running on
1.5 client        HP-UX 10.
1.5 server
1.7 client
1.7 server

NOTE HP DCE 1.6, 1.7 and 1.8 do not support the Global Directory Service.
Contents of HP DCE Client and Server
The subsets of HP DCE 1.8 commonly referred to in this document and elsewhere as client and server consist of the following DCE components:

Client    Server
dced      cdsd
cdsadv    secd
dtsd      gdad

NOTE At HP DCE 1.4x, dced replaced rpcd and sec_clientd, and cdsclerk functionality was incorporated in cdsadv.
Migration Compatibility
This section covers the compatibility of HP DCE 1.2, 1.2.1, 1.3.1, 1.4, 1.4.1, 1.4.2, 1.5, and 1.6 with HP DCE Version 1.8.
• Because HP DCE 1.8 clients and servers are binary compatible with HP DCE 1.7, your systems can be migrated to HP DCE 1.8 in any order over a period of time. However, do not move the Security Registry to "dce1.1" mode before all your security servers have been updated to HP DCE 1.8.
Migrating from HP DCE 1.2, 1.2.1 or 1.4.2 on HP-UX 9.x to HP DCE 1.8 on HP-UX 11i
You must perform this migration in three steps, as follows:
1. Migrate to HP DCE 1.3.1 or HP DCE 1.4 on HP-UX 10.01. For information about migrating from HP-UX 9.x to HP-UX 10.x, see Upgrading from HP-UX 9.x to 10.x (B3782-90073).
Migrating an HP DCE 1.5 Server on HP-UX 10.20 to HP DCE 1.8 on HP-UX 11i
See Managing HP-UX Software with SD-UX and the swcopy (1M), swinstall (1M) and swremove (1M) man pages for complete information on all aspects of HP-UX installation. For information about migrating from HP-UX 10.x to HP-UX 11.0, see Installing HP-UX 11.0 and Updating HP-UX 10.x to 11.0 (B2355-90153).
CAUTION Hewlett-Packard recommends that you create a single network source area (depot) containing HP-UX 11i and HP DCE 1.8 software, so you can simultaneously install HP-UX 11i and HP DCE 1.8. If you do not install HP-UX 11i and HP DCE 1.8 at the same time, your old HP DCE 1.5 servers will be automatically started when your system reboots after HP-UX 11i installation completes.
Migrating an HP DCE 1.7 Server on HP-UX 11.0 to HP DCE 1.8 on HP-UX 11i
See Managing HP-UX Software with SD-UX and the swcopy (1M), swinstall (1M) and swremove (1M) man pages for complete information on all aspects of HP-UX installation. For information about migrating from HP-UX 11.0 to HP-UX 11i, see Installing HP-UX 11i and Updating HP-UX 11.0 to 11i (B2355-90153).
CAUTION Hewlett-Packard recommends that you create a single network source area (depot) containing HP-UX 11i and HP DCE 1.8 software, so you can simultaneously install HP-UX 11i and HP DCE 1.8. If you do not install HP-UX 11i and HP DCE 1.8 at the same time, your old HP DCE 1.7 servers will be automatically started when your system reboots after HP-UX 11i installation completes.
3 Before Installing HP DCE/9000 Version 1.8
This chapter describes prerequisites and preinstallation considerations for installing HP DCE/9000 Version 1.8 (HP DCE 1.8) software. You should read this chapter before installing HP DCE/9000 Version 1.8 software. After reading this chapter, proceed with the installation instructions in Chapter 4, "Installing HP DCE/9000." After completing the installation of HP DCE/9000 Version 1.
Overview
The following is a brief overview of the HP DCE installation process:
NOTE If you are performing an upgrade rather than a new installation, see Chapter 2, "Migrating to HP DCE 1.8".
• Verify that hardware and software prerequisites are met at your site.
• Plan where you will install various HP DCE filesets.
• Load HP DCE software from media to a network distribution area.
• Install filesets on individual systems.
Prerequisites
Hardware and Software Requirements
Any HP system that you want to make a member of a cell must meet certain hardware and software requirements. The system requirements are:
System Type            HP 9000 Series 700 or Series 800.
Operating System       HP-UX 11i.
Kernel Configuration   See "Series 700 and 800 Kernel Parameter Recommendations" in this chapter for recommended kernel parameter settings.
• maxfiles must be increased to a minimum of 256 for all systems. However, it is recommended that maxfiles be increased to a minimum of 1024 for all systems.
• The default value for maxdsize is sufficient except in cases where you have many tens of thousands of users. At that point you should monitor the process size of your secd and cdsd. If the process size approaches the maxdsize value, maxdsize should be increased.
Preinstallation Planning
In general, preinstallation planning involves deciding how many cells to configure at your site, which systems to include in each cell, and where to run DCE services (Security, CDS, DTS, and GDA). This section gives you some guidelines for making decisions prior to installation.
DNS name, contact the administrator in charge of the domain under which you want to name your cell. For more information on cell naming, see the OSF DCE Administration Guide - Core Services. For configuration information, see Chapter 5, "Configuring HP DCE".
DCE Services
This section outlines some considerations and restrictions on HP DCE/9000 Version 1.8 software that will help you map out the installation of your cell.
recovery from catastrophic problems. HP strongly recommends regular tape backups of all CDS server databases, especially those containing any master replicas. Tape backups and restorations require the CDS server in question to be temporarily shut down. Most CDS problems, however, do not require resorting to tape backup. Directory replication provides continuous online backup for most failures, with faster recovery and less stale data.
HP DCE Installed Software
The HP DCE/9000 Version 1.8 software is divided into products and filesets. Tables 3-1 and 3-2 show the HP DCE 1.8 filesets, arranged according to product, and give the approximate disk space requirement for each fileset. Table 3-1 includes the products that are bundled with HP-UX; Table 3-2 contains the products distributed on the Applications Release media.
Product         Fileset          Description                               Dependencies              Approx. Size (Kb)
KRB-Support     KRB-SUPP-MAN     Man Pages for Enhanced Kerberos Support   none                      8
                KRB-SUPP-NOTES   Kerberos Support white paper              none                      361
                KRB-SUPP-RUN     Enhanced Kerberos support commands        DCE-Core.DCE-CORE-RUN     1081

Product         Fileset          Description                               Dependencies              Approx. Size (Kb)
DCE-CoreAdmin   DCE-ACCT-MGR     HP Account Manager                        DCE-Core.DCE-CORE-RUN     1818
                                 CDS Browser Tool                          DCE-Core.DCE-CORE-RUN     1582
                                 DCE Configuration                         DCE-Core.

Product         Fileset          Description                               Dependencies              Approx. Size (Kb) (a)
                CDSS-ENG-A-MAN   CDS Server Man Pages                      DCE-Core.MACR-ENG-A-MAN   16
DCE-SEC-Server  SEC-SERVER       Security Server                           DCE-Core.DCE-CORE-RUN     7801
                SECS-ENG-A-MAN   DCE Security Server Man Pages             DCE-Core.MACR-ENG-A-MAN   19
                DCE-SEC-NOTES    DCE Security Server Notes                 None                      54
                DCE-ENG-A-MAN    DCE SEC Server Man Pages                  None                      16
                DCE-CDS-NOTES    DCE CDS Notes                             None                      54
4 Installing HP DCE 1.8
This chapter outlines the recommended procedures for installing and deinstalling HP DCE/9000 Version 1.8 software. If you are performing an upgrade rather than a new installation, see Chapter 2, "Migrating to HP DCE 1.8". The procedures outlined in this chapter use the graphical and textual user interface versions of the swcopy, swinstall, and swremove tools. You can also use these tools from a command line.
Overview
Here is a brief overview of the installation steps:
1. Read Chapter 3, "Before Installing HP DCE 1.8".
2. Load HP DCE software from media to a network source area using swcopy.
3. Install filesets on individual systems using swinstall.
NOTE Although HP DCE/9000 Version 1.8 can be installed on both the HP-UX 11i 32-bit and 64-bit OS, HP DCE/9000 Version 1.8 (server) remains a 32-bit application. HP DCE/9000 Version 1.
Loading HP DCE Software in a Network Source Area
Before installation of HP DCE/9000 Version 1.8 software on a network, the software typically is transferred from the media on which it was shipped to a network source area, or depot. This section tells how to perform this transfer using the swcopy tool.
NOTE If you are performing this install as a step in migrating a server system from a previous version of HP DCE, create a single depot containing the HP DCE 1.8 software and the DCE client software that is bundled with HP-UX 11i. See Chapter 2 for information on migrating from a previous HP DCE version. The target depot path is the pathname to the directory where you want the HP DCE software to be loaded.
Installing Software
Installation Notes
Once you have loaded HP DCE/9000 Version 1.8 software into a network distribution area, use the swinstall tool to install appropriate filesets on individual systems.
CAUTION HP DCE 1.8 on HP-UX 11i does not support DFS. Do not install HP DCE 1.8 on any machine requiring a DFS server or client. If you plan to install HP DCE 1.8 over DFS, the installation of HP DCE 1.
1. Log in to the target system as root.
2. Run swinstall: /usr/sbin/swinstall
The swinstall tool has general and context-sensitive help if you need assistance on making selections, or on entering appropriate values. Also, see the swinstall (1M) man page for more information.
3. In the Specify Source window, specify the source host and depot.
4. In the Software Selection window, select the products/bundles you want to install.
Configuring HP DCE Cells 5 Configuring HP DCE Cells This chapter describes how to choose a DCE cell configuration tool and how to use the tools to configure, destroy (unconfigure), start, and stop cells. Two tools are discussed, the DCE Configuration Manager, DCM, and the dce_config script. This chapter also discusses how to install DCE login utilities, how to set up intercell communication with DCE GDA, and how to configure MC/ServiceGuard.
Configuring HP DCE Cells Choosing a Cell Configuration Tool Choosing a Cell Configuration Tool HP DCE/9000 offers two cell configuration tools: a script-based tool, dce_config, and a SAM-based tool, DCM (DCE Configuration Manager). SAM (System Administration Manager) is an HP-UX menu-driven system administration program that includes several other system administration utilities, in addition to the DCE cell configuration component. DCM and dce_config DCM is essentially a graphical front-end to dce_config.
Configuring HP DCE Cells Choosing a Cell Configuration Tool • When DCM examines the cell, it initiates a "discovery" process to determine the status of the cell. If the cell is down, or critical DCE servers are down, the discovery process may fail and DCM will revert to the last successful configuration. • DCM does not ask if you want to create a LAN profile. • DCM does not permit you to enter the name of the clearinghouse when you create a CDS replica. It defaults to hostname.ch.
Configuring Cells with DCM
Overview of DCM Functionality
DCM enables you to perform the following cell configuration tasks:
• In a configured and running cell, if the primary DCE services (Initial CDS and Master Security) are running on HP systems (as opposed to other vendors' systems), you can configure additional HP DCE 1.5, 1.7, or 1.8 clients into the cell from any HP DCE 1.8 cell member system.
• Create a cell of one or more systems.
you to create prototype DCE cell configurations that can (and must) be tested for validity before actually being created.
Important Security Warning
CAUTION: DCM uses standard UNIX remote login utilities to perform remote administration. This causes the cell administrator's password to be sent over the network whenever you perform a task on a remote system.
3. Select (double click on) DCE Cell Management.
4. Select (double click on) DCE Configuration Manager.
In a configured and running cell, if the primary DCE services (Initial CDS and Master Security) are running on HP systems (as opposed to other vendors' systems), you can configure additional HP DCE 1.5, 1.7, or 1.8 clients into the cell from any HP DCE 1.8 cell member system.
print button is not available. See the dthelpprint (1X) man page for more information.
Configuring Cells Using dce_config
The following procedures explain how to configure server and client systems using the menu-driven dce_config tool. The text shows the complete menu at its first occurrence; thereafter it shows only the menu name and current selection, prompts, and recommended input values (in boldface). As you perform each step, various status messages are displayed.
on the system you want to configure.
Initial Cell Configuration
NOTE: As of HP DCE 1.6, dce_config sets the DCEAUDITFILTERON environment variable to enable audit filtering, which limits the range of audit event types logged. If you want to disable or change the default settings provided by dce_config, you must do so before starting any server that provides data to the Audit Service.
1. Initial Cell Configuration
2. Additional Server Configuration
3. DCE Client
4. DFS Client
98. Return to previous menu
99. Exit
selection:
2. From the DCE Configuration Menu, choose Initial Cell Configuration:
DCE Configuration Menu (on hostname)
selection: 1 (Initial Cell Configuration)
S:****** Configuring initial cell.
Initial Cell Configuration (on hostname)
1. Initial Security Server
2. Initial CDS Server
3. Initial DTS Server
98.
S:****** Starting dced...
S:****** Initializing dced...
S:****** Since the glbd daemon was restarted and/or llbd and rpcd were replaced by the endpoint mapper, NCS applications may need to be restarted.
6. At the following prompt, enter any string and press <RETURN>.
Enter keyseed for initial database master key:
7. dce_config prompts you to choose the Cell Administrator's principal name and password.
steps 1 and 2 on that system, and continue with step 10 below.
• If the CDS server is on the same system as the Security server, continue with step 9 below.
CAUTION: Do not configure an additional CDS Server or a replica of a CDS Server on the same system as your Security Server. Such a configuration is illegal and unsupported.
9.
Time servers should be configured in any cell of more than one system. A minimum of three Time servers is recommended for any cell with three or more member systems. See the OSF DCE Administration Guide - Core Services for a discussion of the optimum placement of servers in a cell with gateway or WAN links. DTS servers may be configured on any system in the cell.
For a discussion about the use of DTS global servers for time servers communicating between LANs, see the OSF DCE Administration Guide. Where appropriate, select the DTS global server:
selection: 2 (DTS Global Server)
Either selection starts the dts daemon (dtsd).
13. Configure a DTS time provider on one of the time servers in a cell. The DTS null time provider configures a system to trust its own clock as an accurate source of time.
appears:
Enter the device name where the TP is connected:
You have now completed configuration of the server systems.
Configuring Additional CDS Servers
Follow this procedure if you want to configure additional CDS servers:
1. From the DCE Configuration Menu, choose Additional Server Configuration:
DCE Configuration Menu (on hostname)
selection: 2
S:****** Configuring additional server.
performance in multi-LAN cells. If you choose to have a LAN profile created, dce_config asks for the name of the local LAN. The name you provide is arbitrary, and is used by dce_config to store LAN profile information.
Create LAN profile so clients and servers can be divided into profile groups for higher performance in a multi-lan cell? (n) n
S:****** Starting cdsd...
S:****** Waiting for registry propagation...
Configuring Client Systems: Security, CDS, and DTS
Before configuring clients, first configure your server systems. Then use this procedure to configure client systems. You must configure a CDS client on any Security server system that is not running a CDS server. To configure a client system, you need to know the name of the system(s) running the Security server and the initial CDS server for the cell.
dce_config asks for the name of a node with which it can synchronize the clock on this node. Enter <RETURN> to get the default (the master security machine in the cell).
Enter a machine to synchronize with: (sec_server_node)
Time on host is within specified tolerance (120 secs) of time on sec_server_node.
S:****** Checking for active sec_client service...
S:****** Starting sec_client service...
S:****** This node is now a security client.
intercell communication with GDA.
1. Start dce_config on the GDA server system.
2. From the DCE Configuration Menu, choose Additional Server Configuration:
selection: 2 (Additional Server Configuration)
3. Choose GDA Server:
selection: 7 (GDA Server)
The system configures the GDA server and starts the GDA server daemon, gdad.
sec_rep_node
S:****** Modifying acls on /.:/sec/replist...
S:****** Modifying acls on /.:/subsys/dce/sec...
S:****** Modifying acls on /.:/sec...
S:****** Modifying acls on /.: ...
S:****** Modifying acls on /.:/cell-profile...
4. dce_config prompts for a key seed; enter any sequence of characters:
Enter keyseed for initial database master key:
Configuring the DCE Audit Service
At HP DCE 1.4.
can use the dce_config UNCONFIGURE option to remove Additional CDS Server or Replica Security Server systems from a cell. To remove a configured system (except a Master Security Server or Initial CDS Server system) from a cell, use the UNCONFIGURE option on the DCE Main Menu. The UNCONFIGURE operation can be executed on any system in the cell. A prompt will ask for the name of the system to be unconfigured.
dce_config deletes the registry entries and CDS entries for the client, then displays the DCE Main Menu.
6. You must now perform the REMOVE option on the client system. If you ran the UNCONFIGURE operation on a system other than the client, start dce_config on the client system. On the client system, select REMOVE from the DCE Main Menu:
selection: 5 (REMOVE)
7.
Attempting to stop all running DCE daemons...
Successfully stopped all running DCE daemons...
Attempting to remove all remnants of previous DCE configurations...
Successfully removed all remnants of previous DCE configurations for all components...
Re-initializing the dce_config environment
3. If you are unconfiguring an entire cell, repeat steps 1 and 2 on each cell member.
4.
Table 5-1 dce_config Message Categories
Priority | Format   | Content
SUMMARY  | S:****** | High-level summary of action being taken or action completed. Always logged to log file. Also logged to display unless DISPLAY_THRESHOLD is WARNING or ERROR.
VERBOSE  | V:       | Low-level summary of actions being taken, user queries and responses, or actual commands executed that do not affect configuration or node state.
DEBUG    | DEBUG:   |
execution of dce_config. Only ERROR: or WARNING: messages indicate actual occurrence of a problem.
Component Scripts and Environment Variables for dce_config
This section contains information useful for those who want to run dce_config from custom scripts.
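Table 5-1 and the threshold variables give enough to triage /var/opt/dce/config/dce_config.log mechanically. The following Python is an added example, not HP code: it classifies constructed sample log lines by the prefixes shown on the page (S:******, V:, DEBUG:, ERROR:, WARNING:), applies a threshold in the documented priority order, and pulls out the ERROR:/WARNING: lines that indicate an actual problem. The DETAIL prefix is not shown on the page, so the example assigns it no prefix; unprefixed lines are treated as unclassified and kept only at the DEBUG threshold, which is an assumption.

```python
"""Triage helper for dce_config.log based on the Table 5-1 message prefixes.

Added example, not part of HP DCE. The priority order and the prefixes come
from the text: ERROR, WARNING, SUMMARY, DETAIL, VERBOSE, DEBUG; formats
S:****** (SUMMARY), V: (VERBOSE), DEBUG: (DEBUG), plus ERROR: and WARNING:.
DETAIL keeps its place in the order but gets no prefix (not shown on the page).
"""
from collections import Counter

# Highest priority first, as listed for LOG_THRESHOLD / DISPLAY_THRESHOLD.
PRIORITY_ORDER = ["ERROR", "WARNING", "SUMMARY", "DETAIL", "VERBOSE", "DEBUG"]
RANK = {name: i for i, name in enumerate(PRIORITY_ORDER)}

# Line prefix -> priority, in the order they are tested.
PREFIXES = [
    ("ERROR:", "ERROR"),
    ("WARNING:", "WARNING"),
    ("S:******", "SUMMARY"),
    ("V:", "VERBOSE"),
    ("DEBUG:", "DEBUG"),
]


def classify(line):
    """Return (priority, message) for one log line.

    Lines without a recognised prefix (dce_config also prints bare status
    lines such as 'Attempting to stop all running DCE daemons...') come back
    with priority None.
    """
    stripped = line.strip()
    for prefix, prio in PREFIXES:
        if stripped.startswith(prefix):
            return prio, stripped[len(prefix):].strip()
    return None, stripped


def passes_threshold(priority, threshold):
    """True if a message of this priority is at or above the threshold.

    Unclassified lines (priority None) are kept only at the DEBUG threshold;
    that choice is an assumption, not documented behaviour.
    """
    if threshold not in RANK:
        raise ValueError(f"unknown threshold {threshold!r}")
    if priority is None:
        return threshold == "DEBUG"
    return RANK[priority] <= RANK[threshold]


def filter_log(lines, threshold="DEBUG"):
    """Return the (priority, message) pairs that survive the threshold."""
    kept = []
    for line in lines:
        prio, msg = classify(line)
        if passes_threshold(prio, threshold):
            kept.append((prio, msg))
    return kept


def problem_report(lines):
    """Count messages per priority and collect the ERROR/WARNING messages,
    since only those indicate that a problem actually occurred."""
    counts = Counter()
    problems = []
    for line in lines:
        prio, msg = classify(line)
        counts[prio or "UNCLASSIFIED"] += 1
        if prio in ("ERROR", "WARNING"):
            problems.append((prio, msg))
    return {"counts": dict(counts), "problems": problems}


# Constructed sample log, modelled on the status lines quoted in this chapter.
SAMPLE_LOG = """\
S:****** Configuring initial cell.
S:****** Starting dced...
V: Checking for active sec_client service...
DEBUG: entering sec_client configuration step (constructed line)
WARNING: Time on host is not within specified tolerance (120 secs) of time on sec_server_node.
S:****** Waiting for registry propagation...
ERROR: Unable to contact sec_server_node (constructed line)
Attempting to stop all running DCE daemons...
""".splitlines()

if __name__ == "__main__":
    for prio, msg in filter_log(SAMPLE_LOG, threshold="SUMMARY"):
        print(f"{prio:8} {msg}")
    print(problem_report(SAMPLE_LOG))
```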
dce_config Environment Variables
dce_config recognizes the following environment variables. If these environment variables are set and exported before dce_config is run in interactive mode, any corresponding prompts for that information are skipped.
• REMOTE_ADMIN: If you set the variable REMOTE_ADMIN to y (using a command such as "export REMOTE_ADMIN=y") before you run dce_config or dcm on an HP DCE 1.
values, in priority order: ERROR, WARNING, SUMMARY, DETAIL, VERBOSE, DEBUG.
• LOG_THRESHOLD: Minimum priority of log messages from dce_config that are written to /var/opt/dce/config/dce_config.log. Default: DEBUG (all messages). ERROR, WARNING, and SUMMARY messages are always logged. Possible values, in priority order: ERROR, WARNING, SUMMARY, DETAIL, VERBOSE, DEBUG.
• DEFAULT_MAX_ID: Maximum Unix ID value supported by the DCE Security Registry.
• HPDCE_DEBUG: Set to 1 to start daemons in the foreground.
• KEYSEED: Key seed for the initial database master key.
• LAN_NAME: Internal name of the LAN (in the LAN profile) when using multiple LANs. Use when configuring a CDS server.
• LOW_GID: Value at which the Registry Service will start assigning automatically-generated GIDs. Default is the value of the highest currently used GID plus $GID_GAP.
• TOLERANCE_SEC: Number of seconds the client node system clock is allowed to differ from the security server system clock before dce_config warns that the clocks are not in sync and allows input to synchronize them. Default is 120 seconds. Note: Security and Cell Directory services require less than a 5 minute difference between any two nodes in the cell.
Note for Users of NCS-based Software
At HP-UX 11i, NCS has been obsoleted. Users of NCS-based software must take the following precautions when configuring HP DCE/9000:
1. Before configuring HP DCE/9000, stop any servers for NCS-based applications.
2. Stop glbd (via drm_admin "stop") if it is running.
3. Stop llbd (via kill(1)).
4. Configure HP DCE/9000.
5. If DCE is configured, proceed to step 6. If DCE is not configured, the script /sbin/init.
Integrating DCE Services with MC/ServiceGuard
MC/ServiceGuard is a Series 800 product that was introduced at HP-UX 10.0. MC/ServiceGuard provides an environment in which, if a node fails, services (applications) can be up and running again on another node very quickly.
highly available for read operations, they do present a single point of failure for write operations. The Time Service, on the other hand, does not present the same level of vulnerability. Most mission-critical installations will configure more than the minimum necessary time servers with multiple time providers. This being the case, the loss of a single time server is usually not critical.
While it is possible to edit the contents of the binding vector before using it to register endpoints or add entries in the name space, few, if any, DCE server programs actually edit the binding vector. In addition, the DCE runtime does not re-determine the list of available IP addresses during the course of server execution, and, again, DCE servers do not, as a general rule, go through their initialization sequence a second time.
Hardware Requirements for a DCE-MC/ServiceGuard Configuration
By their very nature, DCE and DCE applications are distributed, and therefore depend heavily on network resources. Each node in the cluster should have multiple redundant LAN cards connected to multiple LANs. Also, all the normal hardware configuration guidelines outlined in Managing MC/ServiceGuard should be followed when planning your hardware configuration.
Supported Templates for MC/ServiceGuard Integration with DCE
As part of the DCE product, HP DCE 1.8 provides a fileset (DCE-SGUARD) that contains a set of customizable ServiceGuard templates and scripts to integrate MC/ServiceGuard with DCE services. This set of templates includes the DCE processes dced, cdsadv, secd, and cdsd within a single package.
rc.dcepkg.log — a log file that is created in the package directory during DCE package startup through MC/ServiceGuard, individual DCE service restarts upon failure, and package failover.
5. Starting the ServiceGuard cluster
6. Starting the package on the ServiceGuard cluster
The following subsections describe these steps in more detail.
Configuring the ServiceGuard Cluster
Before configuring DCE for integration with ServiceGuard, you must install ServiceGuard. Then, install the DCE software on the primary and secondary nodes separately.
1.
For most installations, HP recommends that the three directory trees /krb5, /var/opt/dce, and /etc/opt/dce be set up as logical volumes after the DCE software has been installed, but before DCE has been configured on the ServiceGuard cluster. Before running the DCE initial configuration program, manually mount these logical volumes on shared disk to be accessed from the primary node.
4.
4. Create a control script for the package as follows:
cmmakepkg -s /etc/cmcluster/pkg-name/rc.pkg-name
chmod 755 /etc/cmcluster/pkg-name/rc.pkg-name
Each package has a control script that starts and stops services for the package.
5. Modify the DCE Package information in the control script (rc.pkg-name) to include the logical volume name, IP address, service name, and service and monitoring script names (for example: dce.start and dce.
cmcheckconf -C /etc/cmcluster/cmclconfig.ascii \
    -P /etc/cmcluster/pkg-name/pkg-name.conf
NOTE: This command fails if the ServiceGuard daemons are running.
3. Apply the configuration on the cluster. From the primary node, enter:
cmapplyconf -v -f -C /etc/cmcluster/cmclconfig.ascii \
    -P /etc/cmcluster/pkg-name/pkg-name.conf
NOTE: This command fails if the ServiceGuard daemons are running.
Summary of DCE-MC/ServiceGuard Installation and Configuration
The following steps summarize the process of installing and configuring DCE with MC/ServiceGuard.
1. Install the MC/ServiceGuard cluster.
2. Start the MC/ServiceGuard cluster.
3. Identify and mount the shared volumes manually from the primary node.
4. Identify the hostname and IP address to be dedicated to the DCE package.
5.
6 HP-UX Integrated Login
This chapter describes the HP-UX Integrated Login product, which became available with HP-UX 10.0 and later releases. In addition, this chapter discusses how to use the HP-UX Integrated Login product with UNIX and other authentication technologies.
Overview
At release 10.20, HP-UX made available a new HP-UX Integrated Login product that differs from the DCE-Integrated Login Utilities provided on HP-UX 9.x systems. Whereas the DCE-Integrated Login Utilities are tightly coupled with DCE, HP-UX Integrated Login is designed to modularly combine UNIX login with various authentication technologies, including DCE. HP-UX Integrated Login combines UNIX login with other authentication technologies.
(/etc/passwd) to enhance the security of their machines. It also provides flexibility, as system administrators can vary the configurations of machines depending on the desired level of security. As an example, consider a DCE cell. One system in the cell might be configured to grant system access using the traditional UNIX mechanism, and then obtain DCE credentials as an additional technology.
Deciding Whether to Use HP-UX Integrated Login
Use HP-UX Integrated Login:
• If you want to use an authentication technology other than the traditional UNIX mechanism as the login technology using the DCE Security Services.
• If you want to obtain additional credentials from other authentication technologies after machine access is granted via the login technology.
Operation of Integrated Login Utilities
The Integrated Login utilities are login, dtlogin, dtsession, su, rcp, remsh, and ftp. The passwd utility is also integrated to facilitate the manipulation of registries (such as the registries for technologies used by HP-UX Integrated Login). The Secure Internet Services (SIS) version of ftp is not integrated.
Activating HP-UX Integrated Login
The script /usr/sbin/auth.adm is provided to activate HP-UX Integrated Login and configure a system authentication policy. Until activated, all Integrated Login utilities retain standard HP-UX behavior. auth.adm activates Integrated Login by creating an appropriate /etc/pam.conf file.
configured. Parameters of different technologies can be specified by repeating the -p[arameter] option. The list of configurable parameters is as follows:
TIMEOUT — Timeout (in seconds) on communications with the authentication technology. Default values are: u: 120 seconds; dce: 120 seconds.
WARNPWDEXP — Password expiration warning period (in days).
and repeat step 2.
4. auth.adm performs the following actions during the activation process:
• Verifies that the policy is an acceptable one.
• Activates the login technology.
• Activates the fallback technology.
• Activates additional technologies.
• Records the configured authentication policy in a policy file, /etc/auth.conf. This file triggers the Integrated Login utilities to enforce the authentication policy.
Deactivating HP-UX Integrated Login
To deactivate HP-UX Integrated Login and remove the authentication policy on a system, do the following:
1. Log in as root and issue the following command:
/usr/sbin/auth.adm -u[ninstall]
auth.adm restores the old version of /etc/pam.conf.
2. Inspect the file /var/adm/ilogin/auth.adm.log for ERROR messages. If there are ERROR messages, correct the error conditions and repeat step 1.
Inquiring about Authentication Policy
To inquire about the authentication policy of a system running HP-UX Integrated Login, run the command:
/usr/sbin/auth.adm -q[uery] [-f filename]
The command prints the authentication policy to stdout, or to filename if -f filename is specified. You do not have to be root to run this option of the command.
Notes, Cautions, and Warnings
• HP-UX Integrated Login on 10.x is not an upgraded version of the DCE-Integrated Login Utilities for 9.x systems. Its activation tool is /usr/sbin/auth.adm. You cannot use dce.login, the 9.x activation tool for DCE-Integrated Login, to activate HP-UX Integrated Login.
• When changing passwords using passwd, the password format rules imposed by the login technology restrict the format of newly-entered passwords.
passwd_export cron job. Such synchronization can only be achieved by separately modifying a user's DCE and HP-UX passwords to be the same. DCE passwords are global to a network, whereas Commercial Security passwords are local to a single system. To change a password when using DCE with Commercial Security, first change it for HP-UX and DCE on one system.
Integrating DCE with HP-UX Integrated Login
HP DCE/9000 provides support for integrating DCE with HP-UX Integrated Login. The binaries for this functionality are included in the AUTH-DCE fileset.
Integrated Login, consider the following:
• The system environment must be stable. Therefore, DCE must be left configured and the DCE cell must be maintained. The network must remain reliable 24 hours a day.
• All users of a system must have a DCE account, including users who are declared in passwd_override.
• All account administration must be done through the DCE registry.
• NIS access is disabled for password and group mapping.
passwords can be up to 512 characters.
• HP-UX Integrated Login utilities take longer to execute and require more system resources than the HP-UX equivalents.
• For operations that do not require the user to enter a password, no DCE credentials are obtained. Examples include:
- su when executed by root
- rlogin when an .
/etc/passwd or in the repository based on the NSS configuration and appended to /etc/opt/dce/passwd_override. The activation process will automatically create an override entry for root; however, you must create override entries for any root aliases.
• The passwd_override file can also be used to disable access to the local system for selected users or groups. See the passwd_override man page for details.
• Does not create accounts from NIS information. However, you can run passwd_import on the source file used to generate the NIS map to import NIS information into DCE. You still have to mark each imported account valid and assign it a password.
to run passwd_export in case the DCE registry is unavailable. If NSS-DCE is activated, auth.adm saves the current version of /etc/nsswitch.conf and creates a new version, which has the same semantics as the configuration policy. For example, if you are configuring integrated login with DCE as the primary login and UNIX as the fallback, then /etc/nsswitch.
• Make sure the DCE Security Registry is not set up to hide exported passwords. When exported passwords are hidden, passwd_export does not export the encrypted passwords from the DCE Security Registry to /etc/passwd. You can verify this property of the DCE Security Registry by running dcecp and issuing the command registry show at the prompt. You can disable hidden passwords by issuing the command registry modify -hidepwd no at the prompt.
• The UNIX backend will fail for any username longer than 64 characters, which is the maximum length for a UNIX username. Specifically, this means that:
✓ If the primary login technology fails (for example, if secd is down), the UNIX backup technology will deny system access to users with long usernames.
✓ If secd is down, the UNIX backup technology will not allow users to use the su command to access accounts that have long usernames.
Unconfiguring DCE from HP-UX Integrated Login
To unconfigure DCE without deactivating HP-UX Integrated Login, perform the steps in the section "Activating HP-UX Integrated Login", and specify a different authentication policy. To unconfigure DCE and deactivate HP-UX Integrated Login, follow the steps in the section "Deactivating HP-UX Integrated Login."
use the passwd command to change your password.
• The HP-UX Integrated Login utilities may not work when the system disk is full or disk quotas are exceeded. DCE requires disk space for the creation of temporary files.
• DCE credentials are not automatically removed when the user logs out. The administrator can set up a cron job to remove credentials when users log out, as described in "Removing DCE Credentials" in Chapter 1.
• DCE accounts are global to a DCE cell. If anonymous ftp is supported anywhere in the cell, the ftp account is known throughout the cell. If you want to explicitly disable anonymous ftp to a local machine, place an override entry in the passwd_override file for the ftp user. (Typically, an entry in passwd_override is created by cutting and pasting the ftp entry from /etc/passwd into the passwd_override file.
AFS and Kerberos Authentication
Support for AFS and Kerberos authentication is not provided in this release of HP-UX Integrated Login.
7 Notes on Cell Administration
This chapter contains an overview of the diagnostic tools and administrative interfaces that are available in HP DCE/9000. In addition, it contains notes about other topics concerning cell administration.
Diagnostic Tool — dceping
HP DCE/9000 includes an HP-developed diagnostic tool, dceping. dceping provides information on the status of a client machine within its cell. The following is a brief description of dceping. dceping verifies that a local client can communicate with DCE and other services within a cell.
Enhanced CDS Browser
HP DCE/9000 supplies an enhanced version of the CDS Browser. The CDS Browser is a tool for viewing and editing the contents of a name space. It runs on workstations with windowing software based on the OSF/Motif user interface. The HP DCE/9000 CDS Browser provides a superset of the functionality available in the OSF-supplied CDS Browser. Documentation for the product is provided in the form of context-sensitive online help.
• Log in to DCE
Overview of Enhanced HP DCE CDS Browser Features
Creating and Deleting Entries
Menu options enable you to create and delete clearinghouse entries, directories, object entries, soft links, RPC entries, RPC group entries, RPC profile entries, and RPC server entries. The menu prompts for appropriate information for creation and deletion tasks and requires confirmation before deletions are performed.
• Communication time-out limit
• Cache data time-out limit
You can also set defaults for these options, and can toggle confirmation of non-destructive dialogs.
Manage Replica Locations
You can create a replica of a directory, change the location of a master replica, display information about a replica, and delete a replica from a clearinghouse.
CDS Browser Documentation
CDS Browser Online Help
Access to the documentation is available through the Help option in the CDS Browser menu bar and the Help buttons in the CDS Browser dialog boxes.
CDS Browser Reference Page
HP CDS Browser now supports X resources that permit you to customize or localize the HP CDS Browser. These attributes are described in the cdsbrowser (8) man page.
Notes on Cell Administration Administering CDS Administering CDS This section contains information on administering CDS that supplements the information in the OSF DCE Administration Guide -Core Services and OSF DCE Administration Reference. Deleting a Clearinghouse Before removing a CDS server clearinghouse, you must move or delete any directories having master replicas in the clearinghouse. If you do not do this, the clearinghouse removal operation fails, thereby preventing unintended loss of data.
Notes on Cell Administration Administering CDS resources. Symptoms usually include a cdsadv or cdsd crash with one of a variety of error messages (which may not directly indicate the source of the problem.) If a CDS problem is linked to a shortage of resources, stop DCE, free or configure more resources, and then restart DCE to bring the node back on-line in the cell. Clock Reversal Problems CAUTION Timestamps are used in the CDS database to establish the order of events in changes to the name space.
Notes on Cell Administration Establishing Intercell Communication Establishing Intercell Communication The information in this section supplements the information in the OSF DCE Administration Guide - Core Services, and describes how intercell communication should be configured in an HP-UX environment. Communication between DCE cells is facilitated by the gdad daemon, which implements the Global Directory Agent (GDA).
Notes on Cell Administration Establishing Intercell Communication should contain one or more NS (NameServer) records and associated A (Address) records. These records specify, in DNS "master" format, the name server(s) that gdad should query. The master format is described in the named (1M) man page. 2. If named.ca is not found or does not contain NS records, then gdad looks for name servers in /etc/resolv.conf. The format of resolv.conf is described in the resolver (4) man page. 3.
Notes on Cell Administration Establishing Intercell Communication records from that server's cache data. If the name server is frequently used to look up hostnames, it is likely that A records for "popular" hosts will be in cache. However, it is generally unwise to rely on a particular resource record being found in cache — this is not a recommended or supported configuration.
Notes on Cell Administration Establishing Intercell Communication There may be more than one TXT record for a cell; each clearinghouse in the cell has its own TXT record. Each TXT record appears on a single line (without the slashes that appear in this example). (You can also derive this information, though in a different format, using the dcecp directory show command.) 3. For each TXT record in the output of show cell, create a line in a text file similar to: cell.xyz.com. IN TXT "TXT_data hostname.xyz.
-mypwd local_cell_admin_pwd
NOTE: As of HP DCE 1.6, intercell logins by members of trusted cells are disabled by default to protect against insecure intercell logins. (This differs from standard OSF DCE 1.1 behavior.) If you want to permit intercell logins, specify one or both of the following options to the dcecp registry connect command:
-acctvalid — Marks the local cell account as a valid account.
Miscellaneous Notes
This section contains miscellaneous information about HP DCE/9000 cell administration.
• To better integrate HP DCE with existing HP-UX systems, HP has added new functionality to the passwd_export utility. Before exporting groups from the DCE registry to the /etc/group file, HP passwd_export looks for the file /etc/opt/dce/sys.group and prepends any group information from that file to the new /etc/group file.
8 HP DCE Measurement Service
This chapter describes the HP Distributed Measurement Service, which permits you to monitor resource utilization of HP DCE 1.8 servers that run as root.
Overview of DMS
DMS provides performance instrumentation for DCE servers and for the server side of applications that use DCE Remote Procedure Calls (RPCs). When DMS is enabled, it collects data about RPCs that execute in the target process. The collected data is displayed using HP GlancePlus.
DMS Prerequisite
You must install HP GlancePlus on the system where you intend to run DMS.
Enabling and Disabling DMS
DMS operates in three different modes:
• Disabled
• Inactive (the default)
• Active
You disable DMS by setting the environment variable DMS_FORCEOFF to any value and exporting the variable. (The software checks that DMS_FORCEOFF exists, not that the variable has any particular value.)
Accessing DMS Data
After you start GlancePlus with the gpm command, you can select screens that display DCE metrics. Five HP GlancePlus screens display DCE metrics:
• DCE Global Activities Window — Provides global status of DCE services on your system.
• DCE Process List Window — Provides a list of all DCE processes on your system running with euid equal to root.
For a definition of any metric, select the metric name by clicking on it with the right mouse button; a pop-up help window appears containing the definition of the metric.
DCE Process List Window
The DCE Process List Window displays a list of all processes running on your system that are DCE servers. For each process displayed, several metrics are available by default.
the system is performing with that interface. You generate the DCE Operations report by selecting the "Reports" pull-down menu in this window and then selecting "DCE Operations".
DCE Operations Window
The DCE Operations Window displays a list of the DCE operations the system is performing within a selected DCE interface. For each process displayed, several metrics are available by default.