Planning and Configuring HP-UX DCE 1.9
HP-UX 11i v2 September 2004
Second Edition
Manufacturing Part Number: B3190-90076
E 0505
U.S.A.
© Copyright 1997-2005 Hewlett-Packard Company. All Rights Reserved.
Legal Notices
The information contained in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be held liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material.
1 About this document
This document describes features of HP Distributed Computing Environment (DCE) Version 1.9 specific to Hewlett-Packard. For features of standard DCE, see the Open Software Foundation (OSF) documentation.
• Chapter 1 provides an overview of HP-UX DCE 1.9; it includes information about new features, limitations, interoperability and compatibility, changes at the next release, and documentation. Chapter 1 also includes information about DCE Account Manager, Cell Monitor, and the Password Management Server.
• Chapter 2 describes how to migrate from HP-UX DCE 1.7 to HP-UX DCE 1.9.
• Chapter 3 describes hardware and software prerequisites and pre-installation planning for HP-UX DCE 1.9.
2 About HP-UX DCE Version 1.9
HP-UX DCE Version 1.9 makes the functionality of OSF DCE Version 1.2.1 available on HP systems running HP-UX 11i v2. HP-UX DCE 1.9 also includes new functionality and bug fixes.
HP-UX DCE Core Services Software
HP-UX DCE server Version 1.9 (see “Product Bundle Numbers” on page 8 for product number information) is based on OSF DCE Version 1.2.1 source code, with bug fixes and value-added functionality. HP-UX DCE Client comes with HP-UX core. This section describes the contents of this release of HP-UX DCE Server version 1.9.
High-Level Features of HP-UX DCE 1.9
Following are the high-level features of HP-UX DCE 1.
• The DCE cell diagnostic tool dceping.
• An enhanced version of the OSF CDS browser (cdsbrowser), which has been ported to Release 6 of the X11 Windows system and the Common Desktop Environment (CDE). The browser is accessible through SAM. See the CDS Browser online help (accessible via the CDS Browser Help menu) for details.
• Two sets of tools for developing DCE applications are available as separately priced options.
New Features in HP-UX DCE 1.9
Following are the new features in HP-UX DCE 1.9:
• Support for IPF platform
• Kernel-threaded DCE servers
• Capacity Expansion
Features Removed From HP-UX DCE 1.9
The following features have been removed from HP-UX DCE 1.9:
• Tracing facility
• Support for development with Concert Multi Thread Architecture (CMA) threads
Version Identification
Version information for individual HP-UX DCE Version 1.
Limitations of HP-UX DCE 1.9
Following are limitations of HP-UX DCE 1.9:
• The tool passwd_import, which imports user account information from /etc/passwd files to the Registry database, does not import the passwords themselves. Therefore, after you have used passwd_import to create skeletal DCE accounts in the Registry database, you must use the dcecp tool to add passwords to those accounts.
Interoperability and Compatibility
This section describes the interoperability of this release with various implementations of OSF DCE, and its compatibility with previous versions of HP-UX DCE, and with DCE-related technologies.
Binary Compatibility with Previous HP-UX DCE Releases
HP-UX DCE 1.9 supports binary compatibility with HP-UX DCE 1.2.1 and later releases. Applications linked with the archived HP-UX DCE 1.2, 1.2.1, 1.3.1, 1.4, 1.4.
• DCM can be run from any HP-UX DCE Version 1.9 system within the cell.
• The HP version of dce_config is based on the OSF version, but contains enhancements specific to HP systems.
Kerberos Authentication Protocol Compatibility
The DCE Security authentication service implements Kerberos Version 5. DCE Security does not provide backward compatibility support for Kerberos Version 4.
If a customer has an environment where they are supporting different versions of Kerberos clients, they can set the port number for V5 Release 1.0 clients explicitly in the [realms] section of the /etc/krb5.conf file:
kdc = host:88
Support for Secure Internet Services
The DCE KDC is used by the Secure Internet Services, also known as the Secure Remote Utilities, that are shipped as part of the InternetSrvcs product on HP-UX 11i v2.
Notes, Cautions and Warnings Regarding This Release
Security and Remote Login Utilities
You can use standard UNIX remote login utilities (remsh, rlogin, telnet) to perform remote DCE cell administration. However, these utilities expose the cell administrator's password to network attackers whenever you perform a task on a remote system.
Support for POSIX 1003.1c Threads
CMA applications have to be migrated from Draft 4 of the POSIX threads standard to the final, ratified 1003.1c standard for kernel threads. This migration will result in source incompatibility, and it is recommended that application developers plan for this transition. HP plans to preserve binary compatibility. However, developers can prepare for this change as follows:
1.
Setting LANG and NLSPATH Environment Variables
English-language users of HP-UX DCE 1.9 should set the NLSPATH environment variable to include /usr/lib/nls/C/%N or should set NLSPATH to include /usr/lib/nls/%L/%N and LANG to C. Users who want to use another language should set the NLSPATH environment variable to include /usr/lib/nls/%L/%N and LANG to their preferred language.
Manuals Available for this Version
This chapter describes the documentation for HP-UX DCE Version 1.9 on HP-UX 11i v2.
HP-UX DCE 1.9 Documentation
The following sections list the various documents available for HP-UX DCE 1.9.
• HP-UX DCE Version 1.9 Release Notes (B3190-90077)
• HP-UX DCE Version 1.
NOTE Use the following command to display the dts_update manpage:
man dts_update
HP-UX DCE Online Help
HP-UX DCE 1.9 offers a DCE Online Help feature that provides information about various aspects of HP-UX DCE. DCE Online Help is integrated into the HP Help System, so you can access it from the CDE Front Panel help icon.
NOTE This feature is supported on X-based displays only; it is not available on ASCII terminals.
HP-UX DCE Administration Tools
The administration tools are Account Manager, Distributed Configuration Manager (DCM), and the HP CDS Browser. The Account Manager provides a graphical interface for creating objects in the DCE registry and for administering the DCE registry.
Start the Account Manager with the following command:
/opt/dce/bin/acctmgr
If you want to perform privileged operations (such as registry modifications) with the Account Manager, you must run the Account Manager as the DCE cell_admin principal.
The Account Manager can also be started as follows from SAM:
1. Log in as root.
2. Execute sam from a shell prompt.
3. Select (double click on) DCE Cell Management.
4.
3. If the retrieval of large lists degrades Account Manager performance, you may wish to assist the Account Manager by retrieving the list during an off-time using the dcecp command and saving the list to a file. This file could be generated automatically (for example, nightly by a cron job).
HP Password Management Server
A Password Management Server implements policies for password strength. Sites can implement site-specific policies by writing their own Password Management Server, and attaching appropriate Extended Registry Attributes (ERAs) to the principals that are subject to these policies. A Password Management Server must implement the interface described in dce/rsec_pwd_mgmt.idl.
Unlike the other sample applications, where you are encouraged to generate a new UUID when you make modifications, you must not make changes to rsec_pwd_mgmt.idl. secd is linked with the client stub for the rsec_pwd_mgmt interface, so changing the interface UUID will cause communication problems between secd and your Password Management Server.
The example Password Management Server does not support values 1 or 2 for pwd_SecureWare_chk, since these use proprietary SecureWare algorithms. If a principal is configured with a pwd_SecureWare_chk value of 1 or 2, the principal will be unable to change passwords, and the logfile /var/opt/dce/security/pwd_strength.log will report that the pwd_SecureWare_chk level is not supported.
3 Migrating to HP-UX DCE 1.9
This chapter discusses migration procedures and compatibility issues for migrating to HP-UX DCE 1.9 running on HP-UX 11i v2.
Migration Paths
Users can directly migrate from HP-UX DCE version 1.8 to HP-UX DCE 1.9. Earlier versions of HP-UX DCE need to be migrated to HP-UX DCE 1.8 first, before migrating to HP-UX DCE 1.9. This section provides migration information for HP-UX DCE 1.8. For information on migrating earlier HP-UX DCE versions to HP-UX DCE 1.8, refer to Planning and Configuring HP DCE 1.8 (B3190-90074).
Contents of HP-UX DCE Client and Server
The subsets of HP-UX DCE 1.9 commonly referred to in this document and elsewhere as client and server consist of the following DCE components:
Client    Server
dced      cdsd
cdsadv    secd
dtsd      gdad
NOTE At HP-UX DCE 1.4x, dced replaced rpcd and sec_clientd; and cdsclerk functionality was incorporated in cdsadv.
Migrating an HP-UX DCE 1.8 Server on HP-UX 11i v1 to HP-UX DCE 1.9 on HP-UX 11i v2 September 2004
See Managing HP-UX Software with SD-UX and the swcopy (1M), swinstall (1M) and swremove (1M) manpages for complete information on all aspects of HP-UX installation.
7. Restart DCE using the dce_config START command from the dce_config main menu or using DCM.
Migrating HP-UX DCE 1.9 on HP-UX 11i v2 to HP-UX 11i v2 September 2004
See Managing HP-UX Software with SD-UX and the swcopy (1M), swinstall (1M) and swremove (1M) manpages for complete information on all aspects of HP-UX installation.
Migrating a System Without Retaining Cell Configuration
If you are migrating HP-UX DCE 1.9 to HP-UX DCE 1.
4 Before Installing HP-UX DCE Version 1.9
This chapter describes prerequisites and pre-installation considerations for installing HP-UX DCE Version 1.9 software. You should read this chapter before installing HP-UX DCE Version 1.9 software. After reading this chapter, proceed with the installation instructions in Chapter 5, “Installing HP-UX DCE 1.
Overview
The following is a brief overview of the HP-UX DCE installation process:
NOTE If you are performing an upgrade rather than a new installation, see Chapter 3, “Migrating to HP-UX DCE 1.9,” on page 25.
• Verify that hardware and software prerequisites are met at your site.
• Plan where you will install various HP-UX DCE filesets.
• Load HP-UX DCE software from media to a network distribution area.
• Install filesets on individual systems.
Prerequisites
System Requirements
The following sections discuss the hardware, disk space, operating system, and other requirements that must be considered before installing HP-UX DCE 1.9.
Hardware Requirements
You require an HP Integrity server or HP-UX 9000 server.
Disk Space Requirements
Following are the disk space requirements for installing HP-UX DCE 1.
Kernel parameter tuning is highly application dependent. It is expected that you might need to modify your kernel parameters based upon your specific application's needs.
Distribution Media
The HP-UX DCE Version 1.9 software is shipped on CD-ROM only. Refer to Managing HP-UX Software With SD-UX for more information on distribution media.
Pre-installation Planning
In general, pre-installation planning involves deciding how many cells to configure at your site, which systems to include in each cell, and where to run DCE services (Security, CDS, DTS, and GDA). This section gives you some guidelines for making decisions prior to installation.
Security Services
Security server software is contained in the DCE-SEC-Server product. The system(s) running the security server should be reliably accessible and physically secure. They should also have enough disk space to hold a registry database that could expand significantly over time as the number of users increases.
See the OSF DCE Administration Guide -- Core Services for more information about DCE Distributed Time Services. At this release, intercell time synchronization is not supported.
HP-UX DCE Installed Software
The HP-UX DCE Version 1.9 software is divided into products and filesets. Table 4-1 and Table 4-2 show the HP-UX DCE 1.9 filesets, arranged according to product, and give the approximate disk space requirement for each fileset.
Table 4-1 HP-UX DCE Version 1.9 Products and Filesets—Core HP-UX
Product DCE-Core Tools Integrated Login
Table 4-2 Product DCE-CoreAdmin DCE-C-Tools
Fileset         Description                               Dependencies             Approx. Size (Kb)
DCEC-ENG-A-MAN  DCE Core manpages                         DCE-Core.MACR-ENG-A-MAN  869
MACR-ENG-A-MAN  DCE Manpage Macros                        none                     23
DCE-BPRG        Basic IDL, Includes, & Archive Libraries  DCE-Core.
Table 4-2 HP-UX DCE Version 1.9 Products and Filesets—Applications Release
Product         Fileset         Description                   Dependencies             Approx. Size (Kb)
DCE-CDS-Server  CDS-SERVER      CDS Server                    DCE-Core.DCE-CORE-RUN    1468
DCE-CDS-Server  CDSS-ENG-A-MAN  CDS Server Manpages           DCE-Core.MACR-ENG-A-MAN  16
DCE-SEC-Server  SEC-SERVER      Security Server               DCE-Core.DCE-CORE-RUN    7279
DCE-SEC-Server  SECS-ENG-A-MAN  DCE Security Server Manpages  DCE-Core.MACR-ENG-A-MAN  197
a.
5 Installing HP-UX DCE 1.9
This chapter outlines the recommended procedures for installing and uninstalling HP-UX DCE Version 1.9 software. If you are performing an upgrade rather than a new installation, see Chapter 3, “Migrating to HP-UX DCE 1.9,” on page 25. The procedures outlined in this chapter use the graphical and textual user interface versions of the swcopy, swinstall, and swremove tools. You can also use these tools from a command line.
Overview
Here is a brief overview of the installation steps:
1. Verify that you meet the system requirements for installing HP-UX DCE 1.9. See “System Requirements” on page 33.
2. Decide where you will install HP-UX DCE.
3. Install filesets on individual systems using swinstall.
Loading HP-UX DCE Software in a Network Source Area
Before installation of HP-UX DCE Version 1.9 software on a network, the software typically is transferred from the media on which it was shipped to a network source area, or depot. This section tells how to perform this transfer using the swcopy tool.
Before loading HP-UX DCE, you should be aware of the following:
• If you are installing HP-UX DCE 1.
7. Load the software into the depot. Select Copy from the Actions menu. If your software media was shipped with a codeword certificate, follow the instructions on the certificate to obtain a codeword before you load the software into the depot. Before you load software that requires a codeword, you must enter a valid codeword and hardware ID.
Installing Software
Installation Notes
Once you have loaded HP-UX DCE Version 1.9 software into a network distribution area, use the swinstall tool to install appropriate filesets on individual systems. The installation procedure invokes swinstall on each target system in a cell. When installation is complete, you can begin cell configuration; see Chapter 6, “Configuring HP-UX DCE Cells,” on page 47.
6 Configuring HP-UX DCE Cells
This chapter tells how to choose a DCE cell configuration tool and how to use the tools to configure, destroy (unconfigure), start, and stop cells. Two tools are discussed, the DCE Configuration Manager (DCM) and the dce_config script. This chapter also discusses how to install DCE login utilities, how to set up intercell communication with DCE GDA, and how to configure MC/ServiceGuard. To configure HP-UX DCE 1.
Choosing a Cell Configuration Tool
HP-UX DCE 1.9 offers two cell configuration tools: a script-based tool, dce_config, and a SAM-based tool, DCM (DCE Configuration Manager). SAM (System Administration Manager) is an HP-UX menu-driven system administration program that includes several other system administration utilities, in addition to the DCE cell configuration component.
Configuring Cells with DCM
Overview of DCM Functionality
DCM enables you to perform the following cell configuration tasks:
• In a configured and running cell, if the primary DCE services (Initial CDS and Master Security) are running on HP systems (as opposed to other vendors' systems), you can configure additional HP-UX DCE 1.2, 1.2.1, 1.3.1, 1.4, 1.4.1, 1.4.2, 1.5, 1.6, 1.7, or 1.9 clients into the cell from any HP-UX DCE 1.9 cell member system.
Requirements for Running DCM
If you choose to configure your cell with DCM, you should verify that the systems in your cell meet the following requirements:
• All systems from which you want to perform cell configuration tasks must have SAM installed.
• All systems must have the host name of each node (the administrative node and cell members) in their .rhosts and /etc/hosts.equiv files. The .
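The DCM requirement above places every cell member in .rhosts and /etc/hosts.equiv, which are the trust files consulted by the r-commands. The following shell function is an added example, not part of the HP manual or of DCM: it checks that the required hosts are listed and reports entries that grant more trust than the requirement calls for. The file path and host names are assumptions supplied by the caller, and the sample file at the end is constructed.

```shell
#!/bin/sh
# Added example (not HP code): audit an r-command trust file against the
# list of cell members that DCM needs to find in it.

# listed_hosts FILE: print the host field (lower-cased) of each positive
# entry, skipping blanks, comments, negative (-host) and wildcard (+) entries.
listed_hosts() {
    awk 'NF == 0 || $1 ~ /^#/ || $1 ~ /^[-+]/ { next }
         { print tolower($1) }' "$1"
}

# check_trust_file FILE HOST...
# Prints one finding per line; returns 0 when clean, 1 on any finding.
check_trust_file() {
    file=$1; shift
    rc=0
    if [ ! -f "$file" ]; then
        echo "MISSING_FILE $file"
        return 1
    fi
    wanted=$(printf '%s\n' "$@" | tr 'A-Z' 'a-z')
    present=$(listed_hosts "$file")

    # 1. Every cell member must be listed (the DCM requirement).
    for h in $wanted; do
        printf '%s\n' "$present" | grep -Fqx -- "$h" ||
            { echo "MISSING_HOST $h"; rc=1; }
    done

    # 2. Hosts listed beyond the cell members widen r-command trust.
    for h in $present; do
        printf '%s\n' "$wanted" | grep -Fqx -- "$h" ||
            { echo "EXTRA_HOST $h"; rc=1; }
    done

    # 3. "+" in the host or user field (including +@netgroup) trusts far
    #    more than the named cell members.
    for n in $(awk 'NF && $1 !~ /^#/ && ($1 ~ /^[+]/ || $2 ~ /^[+]/) { print NR }' "$file"); do
        echo "WILDCARD line $n"; rc=1
    done

    # 4. A trust file writable by group or other can be extended by non-owners.
    perms=$(ls -ld "$file" | cut -c1-10)
    case $perms in
        ?????w*|????????w*) echo "WRITABLE $perms"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: one cell member, one stray host and a wildcard entry.
demo=${TMPDIR:-/tmp}/trust_demo.$$
printf '%s\n' '# constructed sample' 'admin1.example.com' \
    'oldbox.example.com' '+ +' > "$demo"
check_trust_file "$demo" admin1.example.com node2.example.com || true
rm -f "$demo"
```

Run it once per trust file on each system, passing the same list of cell member host names each time.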
You can print individual help topics within DCM online help using the Print button on a help topic screen. You can use the dthelpprint command at a shell prompt to print the entire help volume. The full pathname of the DCM help volume is:
/opt/dce/lib/dcm/C/help/dceconf.sdl
On ASCII terminals, you can only use the dthelpprint command; the print button is not available. See the dthelpprint (1X) manpage for more information.
Configuring Cells Using dce_config
The following procedures explain how to configure server and client systems using the menu-driven dce_config tool. The text shows the complete menu at its first occurrence; thereafter it shows only the menu name and current selection, prompts, and recommended input values. As you perform each step, various status messages are displayed. This document shows only the prompts; it may not show all status messages.
When planning a DCE cell, note that you must configure a CDS client on any Security server system that is not running a CDS server. You must also configure a Time client on any system that is not running a Time server. Be sure to configure these clients only after you have configured all servers. Client configuration is discussed in "Configuring Client Systems: Security, CDS, and DTS" later in this chapter.
1.
S:****** The current highest UNIX ID for persons is N.
Enter the starting point to be used for UNIX IDs that are automatically generated by the Security Service when a principal is added using "rgy_edit": (N+100) <RETURN>
S:****** The current highest UNIX ID for groups is N.
When dce_config is first run on a system, the HP-UX environment variable TZ is read to determine the HP-UX local time zone. dce_config then automatically selects a matching DCE local time zone and creates the link for /etc/opt/dce/zoneinfo/localtime. A different time zone can be chosen: see the localtime (5) manpage for details.
selection: 1 (NULL time provider)
or
selection: 2 (NTP time provider)
or
selection: 3 (spectracom time provider)
If you select the NTP time provider, the following prompt appears:
Enter the host name where the NTP server is running:
If you select the spectracom time provider, the following prompt appears:
Enter the device name where the TP is connected:
You have now completed configuration of the server systems.
5. After starting the CDS client daemon, dce_config prompts for the name of the CDS clearinghouse. Enter a name of your choice.
What is the name for this clearinghouse? hostname_ch
S:****** Modifying ACLs on /.:/host_ch...
6. dce_config asks if more directories should be replicated.
What is the name of a Security Server running in the cell you wish to join? sec_server_node
S:****** Starting dced...
S:****** Initializing dced...
6. After starting and initializing the Security client daemon, dce_config asks for the name of a node with which it can synchronize the clock on this node:
Enter <RETURN> to get the default (the master security machine in the cell).
selection: 2 (Additional Server Configuration)
2. From the Additional Server Configuration Menu, choose Replica Security Server:
Additional Server Configuration (on hostname)
selection: 8 (Replica Security Server)
S******:Configuring Security Replication
S:****** starting slave security server (secd)...
The default name for the replica is subsys/dce/sec/$HOSTNAME.
To remove a configured system (except a Master Security Server or Initial CDS Server system) from a cell, use the UNCONFIGURE option on the DCE Main Menu. The UNCONFIGURE operation can be executed on any system in the cell. A prompt will ask for the name of the system to be unconfigured. The UNCONFIGURE option removes the target machine from the cell Security database and the CDS name space.
If you want to remove and reconfigure a client, first unconfigure and remove the client from the cell, then reconfigure the client. You may remove and reconfigure a client without reconfiguring the other members of a cell.
NOTE You cannot use the dce_config UNCONFIGURE option to remove a Master Security Server or Initial Directory Server system from a cell. You must either use the DCM to do this, or reconfigure the entire cell.
Table 6-1 dce_config Message Categories (Continued)
Priority  Format  Content
VERBOSE   V:      Low-level summary of actions being taken, user queries and responses, or actual commands executed that do not affect configuration or node state. Logged to log file unless LOG_THRESHOLD is DETAIL or higher. Not logged to display unless DISPLAY_THRESHOLD is VERBOSE or lower.
• dce_com_env: Sets common DCE environment variables.
• dce_com_utils: Common internal routines used by DCE utilities.
• dce_config_env: Sets common environment variables used by dce_config.
• dce_config_utils: Common internal routines used by dce_config.
• /sbin/init.d/dce [start | stop]: Starts or stops HP-UX DCE daemons. Cannot be run remotely; must be run on DCE client or server node.
• /etc/rc.config.d/dce: Read by /sbin/init.
• DOMAIN_NAME: The name of the host's Internet domain for use in a fully qualified host name. Used as a default when configuring a Kerberos client if /etc/resolv.conf does not already contain a domain name. It is appended to the host name to get the fully qualified name in this format: host_name.domain_name (for example: if DOMAIN_NAME=foo.bar.com and host name=abc, the fully qualified host name will be abc.foo.bar.com).
• SYNC_CLOCKS: Set to y to synchronize client clock with that of the security server; n otherwise. If not set, and clocks are out of sync by more than $TOLERANCE_SEC, user is prompted for whether to synchronize. This variable is irrelevant if CHECK_TIME is set to n.
Note for Users of NCS-based Software
At HP-UX 11.0, NCS has been obsoleted. Users of NCS-based software must take the following precautions when configuring HP-UX DCE 1.9:
1. Before configuring HP-UX DCE 1.9, stop any servers for NCS-based applications.
2. Stop glbd (via drm_admin "stop") if it is running.
3. Stop llbd (via kill(1)).
4. Configure HP-UX DCE 1.9.
5. If DCE is configured, proceed to step 6.
Integrating DCE Services with MC/ServiceGuard
MC/ServiceGuard is a Series 800 product that was introduced at HP-UX 10.0. MC/ServiceGuard provides an environment in which, if a node fails, services (applications) can be up and running again on another node very quickly.
• Normal DCE programming practice assumes that all IP addresses on the host should be used for endpoints for exported services. The DCE runtime determines the available IP addresses on the node during the execution of any of the rpc_server_use_* routines. These routines are used in every DCE server to select the protocols over which the server will provide services.
An alternative configuration is the individual core server failover. In this configuration, the DCE cluster includes a primary host and several smaller hosts. Each of the smaller hosts can perform one or more of the functions normally performed by the primary host.
Planning for the DCE Package
When planning for a DCE-MC/ServiceGuard installation, keep the following considerations in mind:
• Enough disk space to hold the DCE installation, log files, and core files should be allocated in the logical volumes assigned to the package. See Chapter 3 of this manual for recommendations regarding disk space requirements.
Configuring DCE
Perform the following steps to configure DCE on your system if ServiceGuard is running:
1. Create a volume group for the DCE data file (for example: /dev/vgdce).
2. Manually activate the volume group to be accessed from the primary node (for example: vgchange -a e /dev/vgdce).
3. Identify the filesystems and logical volumes for the package filesystem definition. These should reside in the shared disk.
6. Copy the standard DCE configuration file to your package directory. Enter the following command:
cp /etc/rc.config.d/dce /etc/cmcluster/pkg-name/dce
7. Modify the configuration file /etc/cmcluster/pkg-name/dce to restrict the IP address to the package IP address. To do this, set the environment variable RPC_SUPPORTED_NETADDRS.
8. Create the package startup script using dce.start as a sample template.
cmmodpkg -n host pkg-name
Refer to Managing MC/ServiceGuard (B3936-90003) for procedures on using SAM to administer MC/ServiceGuard clusters and packages.
Summary of DCE-MC/ServiceGuard Installation and Configuration
The following steps summarize the process of installing and configuring DCE with MC/ServiceGuard.
1. Install the MC/ServiceGuard cluster.
2. Start the MC/ServiceGuard cluster.
3.
7 HP-UX Integrated Login
This chapter describes the HP-UX Integrated Login product. In addition, this chapter discusses how to use the HP-UX Integrated Login product with UNIX and other authentication technologies.
Overview
HP-UX Integrated Login combines UNIX login with other authentication technologies. It provides a generic interface which login applications can use to interface with various user-authentication technologies.
NOTE Connections initiated via Secure Internet Services (SIS) will not result in DCE credentials on the server.
Deciding Whether to Use HP-UX Integrated Login
Use HP-UX Integrated Login:
• If you want to use an authentication technology other than the traditional UNIX mechanism as the login technology. For this release, this means using DCE Security Services.
• If you want to obtain additional credentials from other authentication technologies after machine access is granted via the login technology.
Operation of Integrated Login Utilities
The Integrated Login utilities are login, dtlogin, dtsession, su, and ftpd. The passwd utility is also integrated to facilitate the manipulation of registries (such as the registries for technologies used by HP-UX Integrated Login). The Secure Internet Services (SIS) version of ftpd is not integrated.
Activating HP-UX Integrated Login
The script /usr/sbin/auth.adm is provided to activate HP-UX Integrated Login and configure a system authentication policy. Until activated, all Integrated Login utilities retain standard HP-UX behavior. auth.adm activates Integrated Login by creating an appropriate /etc/pam.conf file.
/usr/sbin/auth.adm -install -l dce -b ux
Configuration is set to log in the user upon successful password verification by DCE. If DCE is not available, login is effected via /etc/passwd. Note that this strategy works only if the HP-UX and DCE passwords are identical:
/usr/sbin/auth.adm -install -l ux -a dce
Configuration is set to log in the user upon successful password verification by /etc/passwd.
Deactivating HP-UX Integrated Login
To deactivate HP-UX Integrated Login and remove the authentication policy on a system, do the following:
1. Log in as root and issue the following command:
/usr/sbin/auth.adm -u[ninstall]
auth.adm restores the old version of /etc/pam.conf.
2. Inspect the file /var/adm/ilogin/auth.adm.log for ERROR messages. If there are ERROR messages, correct the error conditions and repeat step 1.
Inquiring about Authentication Policy
To inquire about the authentication policy of a system running HP-UX Integrated Login, run the command:
/usr/sbin/auth.adm -q[uery] [-f filename]
The command prints the authentication policy to stdout, or to filename if -f filename is specified. You do not have to be root to run this option of the command.
Notes, Cautions, and Warnings
• When changing passwords using passwd, the password format rules imposed by the login technology restrict the format of newly-entered passwords. A new password that is acceptable to the login technology might be rejected by an additional technology which has more stringent password format rules.
Integrating DCE with HP-UX Integrated Login
HP-UX DCE 1.9 provides support for integrating DCE with HP-UX Integrated Login. The binaries for this functionality are included in the AUTH-DCE file set.
• The passwd utility manipulates the DCE registry. It will fail if the DCE network registry cannot be reached. The passwd command synchronously changes the DCE registry, supporting the password generation and password strength checking features provided by HP-UX DCE Version 1.9 servers. However, if DCE is configured as an additional technology, you cannot use passwd to change a DCE password that is required to be generated.
• If necessary, use the /etc/opt/dce/sys.group and /etc/opt/dce/group_override files to override the entries in /etc/group. Use group_override to override /etc/group entries that have an account in the DCE Registry; use sys.group for those that do not. The default /etc/opt/dce/sys.
• Starts ilogind (the integrated login daemon) and adds it to the startup list. The DCE backend to PAM (PAM-DCE), as well as the DCE backend to NSS (NSS-DCE), communicate with ilogind, which in turn communicates with secd (the DCE Security daemon) to perform security functions. ilogind was introduced at HP-UX DCE 1.6.
• Set up a cron job to export information from the DCE Security Registry to /etc/passwd. You are asked, during the activation process, whether or not to set up such a cron job. With your approval, a passwd_export cron job is set up. If NSS-DCE is activated, this cron job is run once every day. Otherwise, it is run once every hour. You can adjust this frequency by using the crontab(1) command.
Unconfiguring DCE from HP-UX Integrated Login
To unconfigure DCE without deactivating HP-UX Integrated Login, perform the steps in the section "Activating HP-UX Integrated Login", and specify a different authentication policy. To unconfigure DCE and deactivate HP-UX Integrated Login, follow the steps in the section "Deactivating HP-UX Integrated Login.
DCE and Anonymous FTP
If you are using the HP-UX Integrated Login utilities on a system that supports anonymous ftp, be aware of the following:
• An ftp account must exist in the DCE registry. This account need not be password-validated for DCE use, but it must exist.
AFS and Kerberos Authentication
Support for AFS and Kerberos Authentication is not provided in this release of HP-UX Integrated Login.
8 Notes on Cell Administration
This chapter contains an overview of the diagnostic tools and administrative interfaces that are available in HP-UX DCE 1.9. In addition, it contains notes about other topics concerning cell administration.
Diagnostic Tool — dceping
HP-UX DCE 1.9 includes an HP-developed diagnostic tool, dceping. dceping provides information on the status of a client machine within its cell. The following is a brief description of dceping. dceping verifies that a local client can communicate with DCE and other services within a cell.
Enhanced CDS Browser
HP-UX DCE 1.9 supplies an enhanced version of the CDS Browser. The CDS Browser is a tool for viewing and editing the contents of a name space. It runs on workstations with windowing software based on the OSF/Motif user interface. The HP-UX DCE 1.9 CDS Browser provides a superset of the functionality available in the OSF-supplied CDS Browser. Documentation for the product is provided in the form of context-sensitive online help.
Editing CDS ACL Entries
Menu options allow you to control user access to the following CDS components:
• Clearinghouses
• Directories
• Object entries
• Soft links
You can view, edit, or delete CDS permissions on specified components. The CDS permissions are read, write, insert, delete, test, control, and administer.
Default Action on Double Clicking
The HP-UX DCE 1.9 CDS Browser provides additional "default" actions for double clicking on CDS entries. For example, double clicking on group or profile entries causes the group or profile editor to appear; double clicking on an object, rpc_entry, or soft link entry accesses the Attribute List window. Double clicking on a directory entry expands or collapses the directory.
Administering CDS
This section contains information on administering CDS that supplements the information in the OSF DCE Administration Guide - Core Services and OSF DCE Administration Reference.
Deleting a Clearinghouse
Before removing a CDS server clearinghouse, you must move or delete any directories having master replicas in the clearinghouse. If you do not do this, the clearinghouse removal operation fails, thereby preventing unintended loss of data.
Establishing Intercell Communication
The information in this section supplements the information in the OSF DCE Administration Guide - Core Services, and describes how intercell communication should be configured in an HP-UX environment. Communication between DCE cells is facilitated by the gdad daemon, which implements the Global Directory Agent (GDA).
For example, a CDS server for a cell named "cell.cells.xyz.com" could be running on a machine called "machine.xyz.com". If gdad cannot find at least one name server that can answer queries for both "cell.cells.xyz.com" and "machine.xyz.com", it will not be able to obtain a single response containing all needed data.
Where: TXT_data is the TXT data from cdscp show cell (note that this data must be entered on a single line), and hostname.xyz.com is the full domain name of the CDS server system that maintains that clearinghouse. The quotation marks are literal, and the absolute name of the host must be used (in this case) without the trailing dot.
4. In the same text file, create a line for each different hostname.xyz.
Miscellaneous Notes
This section contains miscellaneous information about HP-UX DCE 1.9 cell administration.
• To better integrate HP-UX DCE with existing HP-UX systems, HP has added new functionality to the passwd_export utility. Before exporting groups from the DCE registry to the /etc/group file, HP passwd_export looks for the file /etc/opt/dce/sys.group and prepends any group information from that file to the new /etc/group file.