Planning and Configuring HP-UX DCE 2.0 HP-UX 11i v3 Third Edition Manufacturing Part Number: 5991-7712 February 2007 U.S.A. © Copyright 1997-2007 Hewlett-Packard Company. All Rights Reserved.
Legal Notices Copyright 2007 Hewlett-Packard Company, L.P. Confidential Computer Software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.11 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s standard commercial license. The information contained herein is subject to change without notice.
1 About this document

This document describes features of HP Distributed Computing Environment (DCE) Version 2.0 specific to Hewlett-Packard. For features of standard DCE, see the Open Software Foundation (OSF) documentation.

This book is organized as follows:
• Chapter 1 provides an overview of HP-UX DCE 2.0; it includes information about new features, limitations, interoperability and compatibility, changes at the next release, and documentation.
• Chapter 2 describes how to migrate from HP-UX DCE 1.9 to HP-UX DCE 2.0.
• Chapter 3 describes hardware and software prerequisites and pre-installation planning for HP-UX DCE 2.0.
2 About HP-UX DCE Version 2.0

HP-UX DCE Version 2.0 makes the functionality of OSF DCE Version 1.2.1 available on HP systems running HP-UX 11i v3. HP-UX DCE 2.0 also includes new functionality and bug fixes.

IMPORTANT: HP-UX DCE Server is not available on HP-UX 11i v3. This product will still be supported on HP-UX 11i v1 and 11i v2.
HP-UX DCE Core Services Software

HP-UX DCE Server Version 2.0 is based on OSF DCE Version 1.2.1 source code, with bug fixes and value-added functionality. HP-UX DCE Client comes with the HP-UX core. This section describes the contents of this release of HP-UX DCE Server version 2.0.

High-Level Features of HP-UX DCE 2.0

Following are the high-level features of HP-UX DCE 2.
Table 2-1
• A set of HP-UX Integrated Login utilities that authenticate users using the DCE Security Registry instead of /etc/passwd and /etc/group. HP-UX DCE 2.0 includes improvements to login, dtlogin, su, passwd, telnet, and rlogin, as well as new HP-UX Integrated versions of ftpd and dtsession and enhanced support for CDE/PAM. See Chapter 6, “Configuring HP-UX DCE Cells,” on page 47 for more information about these utilities.
• Support for large UIDs.
• Support for context-switching 64-bit machine registers in DCE threads (libcma and libdcekt).
• Support for HP Serviceguard.

DCE Features Not Supported by OSF DCE 1.2.1

Cell renaming is documented but not supported by OSF DCE 1.2.1 (or by HP-UX DCE 2.0). Transitive trust between hierarchical cells is documented but not supported by OSF DCE 1.2.1 (or by HP-UX DCE 2.0).

New Features in HP-UX DCE 2.
• The following new filesets are available on HP-UX 11i v3 operating systems running on Itanium:
  — DCE-Core:
    ❏ DCE-Core.DCE-IA64-SHLIB
  — DCE-Core Tools:
    ❏ DCE-CoreTools.DCE-TLS-NOTES
    ❏ DCE-CoreTools.DCE-BPRG
    ❏ DCE-CoreTools.DCEP-ENG-A-MAN

NOTE: HP now ships ELF-32 IA binaries on IA systems. Earlier, PA-RISC PA binaries were shipped on IA systems.

Products and Filesets Removed From HP-UX DCE 2.
Cell Configuration and Diagnostics

HP-UX DCE supplies the dce_config cell configuration tool provided by OSF, with substantial modifications by Hewlett-Packard.

Common Desktop Environment (CDE) and Online Help

The default environment is the Common Desktop Environment (CDE). All HP-UX DCE 2.0 online help and context-sensitive help works in CDE. If you print HP-UX DCE 2.
Limitations of HP-UX DCE 2.0

Following are limitations of HP-UX DCE 2.0:
• The tool passwd_import, which imports user account information from /etc/passwd files to the Registry database, does not import the passwords themselves. Therefore, after you have used passwd_import to create skeletal DCE accounts in the Registry database, you must use the dcecp tool to add passwords to those accounts.
Interoperability and Compatibility

This section describes the interoperability of this release with various implementations of OSF DCE, and its compatibility with previous versions of HP-UX DCE and with DCE-related technologies.

Binary Compatibility with Previous HP-UX DCE Releases

HP-UX DCE 2.0 supports binary compatibility with HP-UX DCE 1.2.1 and later releases. Applications linked with the archived HP-UX DCE 1.2, 1.2.1, 1.3.1, 1.4, 1.4.
If a statically-linked HP-UX DCE 1.2, 1.2.1, 1.3.1, 1.4, 1.4.1, 1.4.2, 1.5, 1.6, or 1.7 application purges a login context (using sec_login_purge_context) which an HP-UX DCE 2.0 application has created or refreshed, one of the credential files will not be deleted from the disk. This file is located in /var/opt/dce/security/creds. The file name consists of the unique credential cache ID associated with the login context and a .data.db suffix.
NOTE: DCE Client and KRB5 Client files are not compatible with each other.

The host principal uses a fully qualified host name. To construct this name, dce_config appends the Internet domain name to the host name in the format host_name.domain_name. For example, when the domain name is ch.hp.com and the host name is fred, the fully qualified host name is fred.ch.hp.com.
kdc = host:88

Support for Secure Internet Services

The DCE KDC is used by the Secure Internet Services, also known as the Secure Remote Utilities, that are shipped as part of the InternetSrvcs product on HP-UX 11i v2. The kerberized utilities include the rlogin, remshd, rcp, ftp, and telnet services. A new command, k5dcelogin, has been added to DCE in support of these utilities.
Notes, Cautions and Warnings Regarding This Release

Security and Remote Login Utilities

You can use standard UNIX remote login utilities (remsh, rlogin, telnet) to perform remote DCE cell administration. However, these utilities expose the cell administrator's password to network attackers whenever you perform a task on a remote system.
dce_login -r Option

Starting with HP-UX DCE 1.4, the -r option, which refreshes a user's credentials, was added to dce_login. Users are encouraged to use dce_login -r rather than kinit to refresh their credentials, since dce_login -r uses the more secure DCE third-party pre-authentication protocol, whereas kinit uses the less secure Kerberos 5 timestamps protocol.
HP-UX Integrated Login Utilities

Most systems require the transfer of account information from /etc/passwd to the DCE Security Registry before the system can be useful. The /usr/sbin/auth.adm script is supplied to activate the integrated login utilities once your system has been set up with the needed accounts. See Chapter 6, “Configuring HP-UX DCE Cells,” on page 47 for more information about using the /usr/sbin/auth.
• /var/opt/dce/security/sec_audit_trail
• /var/opt/dce/security/sec_audit_trail.md_index

Other, older audit logs may also be present. These can be found under the same directory, but have a date and time stamp inserted into the name, for example: sec_audit_trail.1995-08-31-15-19-52
dcecp secval Change

At HP-UX DCE 1.6, dcecp's secval activate and secval deactivate commands became asynchronous. They return before the actual change takes place within dced. Therefore, you should use the secval status command to verify the state change. Prior to HP-UX DCE 1.6, secval activate and secval deactivate were synchronous and did not return until the actual state change finished in dced. HP-UX DCE 2.
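The following wrapper is an added example, not code from the HP manual: it shows how an administration script should treat the asynchronous secval commands, issuing the change and then polling secval status until dced confirms it instead of assuming the return of secval activate means the service is active. It assumes that DCECP names the dcecp binary (overridable so the logic can be exercised without a cell), that "dcecp -c secval status" prints 1 when the validation service is active and 0 when it is not, and SECVAL_POLL_INTERVAL is a knob introduced here.

```shell
#!/bin/sh
# Added example (not from the HP manual): because secval activate and
# secval deactivate return before dced has applied the change, this wrapper
# issues the command and then polls "secval status" until the expected state
# is reported. Assumptions: DCECP names the dcecp binary (overridable for
# testing); "dcecp -c secval status" prints 1 when the validation service is
# active and 0 when it is not; SECVAL_POLL_INTERVAL is a knob added here.

: "${DCECP:=dcecp}"
: "${SECVAL_POLL_INTERVAL:=1}"

# secval_status: print the state dced reports for the security validation service
secval_status() {
    "$DCECP" -c secval status
}

# secval_set activate|deactivate [MAX_POLLS]
# Return 0 once secval status confirms the requested state, 1 if the command
# failed, the argument was wrong, or the state was not confirmed in time.
secval_set() {
    action=$1
    max=${2:-10}
    case "$action" in
        activate)   want=1 ;;
        deactivate) want=0 ;;
        *) echo "usage: secval_set activate|deactivate [max_polls]" >&2; return 1 ;;
    esac
    "$DCECP" -c secval "$action" || return 1
    i=0
    while [ "$i" -lt "$max" ]; do
        if [ "$(secval_status)" = "$want" ]; then
            return 0
        fi
        i=$((i + 1))
        sleep "$SECVAL_POLL_INTERVAL"
    done
    echo "secval $action issued but not confirmed after $max polls" >&2
    return 1
}
```

A non-zero exit from secval_set is the signal a calling script should act on; on HP-UX DCE 1.6 and later the exit status of secval activate alone says nothing about whether dced has switched state yet.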
Manuals Available for this Version

This chapter describes the documentation for HP-UX DCE Version 2.0 on HP-UX 11i v3.

HP-UX DCE 2.0 Documentation

The following sections list the various documents available for HP-UX DCE 2.0.
• HP-UX DCE Version 2.0 Release Notes (5991-7713)
• HP-UX DCE Version 2.
To read DCE manpages by using the man command, include the path names listed above in your MANPATH shell environment variable.

NOTE: Use the following command to display the dts_update manpage:
man dts_update

HP-UX DCE Online Help

HP-UX DCE 2.0 offers a DCE Online Help feature that provides information about various aspects of HP-UX DCE.

NOTE: This feature is supported on X-based displays only; it is not available on ASCII terminals.
2. In the Help Manager window, click on the "HP-UX DCE/9000, Version 1.6" product-family title. A list of the HP-UX DCE help volumes appears.

NOTE: The HP-UX DCE help volumes have not been updated since HP-UX DCE version 1.6.

3. To display a help volume, click on its title. An introductory help window opens, which has hyperlinks to all of the other help volumes in the HP-UX DCE Online Help system.
3 Migrating to HP-UX DCE 2.0

This chapter discusses migration procedures and compatibility issues for migrating to HP-UX DCE 2.0 running on HP-UX 11i v3.
Migration Paths

Users can migrate directly from HP-UX DCE version 1.9 to HP-UX DCE 2.0. Earlier versions of HP-UX DCE must be migrated to HP-UX DCE 1.9 first, before migrating to HP-UX DCE 2.0.
Contents of HP-UX DCE Client and Server

Following are the components included in HP-UX DCE 2.0:
• dced
• cdsadv
• dtsd

NOTE: At HP-UX DCE 1.4x, dced replaced rpcd and sec_clientd, and cdsclerk functionality was incorporated in cdsadv.
Migrating HP-UX DCE 1.9 on HP-UX 11i v2 to HP-UX DCE 2.0 on HP-UX 11i v3

See Managing HP-UX Software with SD-UX and the swcopy (1M), swinstall (1M) and swremove (1M) manpages for complete information on all aspects of HP-UX installation.

Migrating a System Without Retaining Cell Configuration

If you are migrating HP-UX DCE 1.9 to HP-UX DCE 2.
3. Prepare the network source area (depot) using swcopy. The depot should contain both the HP-UX 11i v3 and the HP-UX DCE 2.0 software.
4. Upgrade the system from HP-UX 11i v2 to HP-UX 11i v3. If you installed from a unified network source area as recommended above, installation of HP-UX DCE 2.0 is complete.
4 Before Installing HP-UX DCE Version 2.0

This chapter describes prerequisites and pre-installation considerations for installing HP-UX DCE Version 2.0 software. You should read this chapter before installing HP-UX DCE Version 2.0 software. After reading this chapter, proceed with the installation instructions in Chapter 5, “Installing HP-UX DCE 2.
Overview

The following is a brief overview of the HP-UX DCE installation process:

NOTE: If you are performing an upgrade rather than a new installation, see Chapter 3, “Migrating to HP-UX DCE 2.0,” on page 25.

• Verify that hardware and software prerequisites are met at your site.
• Plan where you will install the various HP-UX DCE filesets.
• Load HP-UX DCE software from media to a network distribution area.
Prerequisites

System Requirements

The following sections discuss the hardware, disk space, operating system, and other requirements that must be considered before installing HP-UX DCE 2.0.

Hardware Requirements

You require an HP Integrity server or HP-UX 9000 server.

Disk Space Requirements

Following are the disk space requirements for installing HP-UX DCE 2.
You can check and, if necessary, change the kernel parameters, the swap space, or both, using HP SMH (the HP System Management Homepage). See “Kernel Parameter Recommendations” on page 34.

NOTE:
• HP-UX DCE 2.0 must be installed on a long-name file system. If you have a short-name file system, you must first run convertfs(1m) to convert your file system to long names.
Pre-installation Planning

In general, pre-installation planning involves deciding how many cells to configure at your site, which systems to include in each cell, and where to run the DCE services (Security, CDS, DTS, and GDA). This section gives you some guidelines for making these decisions prior to installation.
If you are running AFS, be sure to run the AFS daemon (afsd) with the -nosettime option. Otherwise, afsd periodically resets the system's time. Also be sure that no other software that sets the time (such as ntp or timed) is running on the systems in the cell. See the OSF DCE Administration Guide -- Core Services for more information about DCE Distributed Time Services. At this release, intercell time synchronization is not supported.
Table 4-1 HP-UX DCE 2.0 Filesets on a PA-RISC System - Core HP-UX

Product: DCE-Core
  Fileset: DCE-Core.DCE-CORE-SHLIB
    Description: PA libdce* (CMA version) and libcma* libraries. It also contains 32-bit PA libdcekt.1
    Dependencies: none
  Fileset: DCE-Core.DCE-JPN-E-MSG
    Description: Japanese localized message catalogs
    Dependencies: none
  Fileset: DCE-Core.DCE-JPN-S-MSG
    Description: Japanese localized message catalogs
    Dependencies: none
  Fileset: DCE-Core.
Table 4-1 (continued)
Product: Integrated Login
  Fileset: IntegratedLogin.ILOGINPA-DCE
    Description: Contains ilogind
    Dependencies: none

Table 4-2 HP-UX DCE Version 2.0 Products and Filesets on an Integrity System - Core HP-UX

Product: DCE-Core
  Fileset: DCE-Core.DCE-COR-64SLIB
    Description: 64-bit PA libraries (libdcekt.1) on IA machines
    Dependencies: none
  Fileset: DCE-Core.DCE-CORE-DTS
    Description: DCE Core Time Services
    Dependencies: DCE-Core.
Table 4-2 (continued)
  Fileset: DCE-Core.DCE-IA64-SHLIB
    Description: IA version of libdcekt.so.1 (both 32- and 64-bit)
    Dependencies: none
  Fileset: DCE-Core.DCE-JPN-EMSG
    Description: Japanese localized message catalogs
    Dependencies: none
  Fileset: DCE-Core.DCE-JPN-SMSG
    Description: Japanese localized message catalogs
    Dependencies: none
  Fileset: DCE-Core.
Table 4-2 (continued)
Product: Integrated Login
  Fileset: IntegratedLogin.ILOGIN-IA-DCE
    Description: Contains the IA version of the libpam_dce and libnss_dce libraries
    Dependencies:
      • DCE-Core.DCE-CORE-RUN
      • DCE-Core.DCE-IA64-SHLIB
      • IntegratedLogin.
5 Installing HP-UX DCE 2.0

This chapter outlines the recommended procedures for installing and uninstalling HP-UX DCE Version 2.0 software. If you are performing an upgrade rather than a new installation, see Chapter 3, “Migrating to HP-UX DCE 2.0,” on page 25. The procedures outlined in this chapter use the graphical and textual user interface versions of the swcopy, swinstall, and swremove tools. You can also use these tools from the command line.
Overview

Here is a brief overview of the installation steps:
1. Verify that you meet the system requirements for installing HP-UX DCE 2.0. See “System Requirements” on page 33.
2. Decide where you will install HP-UX DCE.
3. Install filesets on individual systems using swinstall.
Loading HP-UX DCE Software in a Network Source Area

Before installation of HP-UX DCE Version 2.0 software on a network, the software typically is transferred from the media on which it was shipped to a network source area, or depot. This section tells how to perform this transfer using the swcopy tool. Before loading HP-UX DCE, you should be aware of the following:
• If you are installing HP-UX DCE 2.
NOTE: If you are performing this install as a step in migrating a server system from a previous version of HP-UX DCE, create a single depot containing the HP-UX DCE 2.0 software and the DCE client software that is bundled with HP-UX 11i v3. See Chapter 3, “Migrating to HP-UX DCE 2.0,” on page 25 for information on migrating from a previous HP-UX DCE version.
Installing Software

Installation Notes

Once you have loaded HP-UX DCE Version 2.0 software into a network distribution area, use the swinstall tool to install the appropriate filesets on individual systems. The installation procedure invokes swinstall on each target system in a cell. When installation is complete, you can begin cell configuration; see Chapter 6, “Configuring HP-UX DCE Cells,” on page 47.
If you are doing an upgrade and you want to match the software currently on the target system, select Match What Target Has from the Actions menu.
5. Select Install from the Actions menu.
6. Check the swinstall log file and resolve any problems. Press the Logfile button in the Install Analysis popup window. Look for messages that begin with ERROR, WARNING, or NOTE. Refer to Managing HP-UX Software with SD-UX for information on resolving install problems.
7.
6 Configuring HP-UX DCE Cells

This chapter tells how to use the dce_config script to configure, destroy (unconfigure), start, and stop cells. To configure HP-UX DCE 2.0 software, you must have previously installed HP-UX DCE. See Chapter 4, “Before Installing HP-UX DCE Version 2.0,” on page 31 for planning information; see Chapter 5, “Installing HP-UX DCE 2.0,” on page 41 for installation information.
Choosing a Cell Configuration Tool

HP-UX DCE 2.0 offers two cell configuration tools: a script-based tool, dce_config, and an SMH-based tool, DCM (DCE Configuration Manager). HP SMH (System Management Homepage) is an HP-UX menu-driven system administration program that includes several other system administration utilities in addition to the DCE cell configuration component.
Configuring Cells Using dce_config

The following procedures explain how to configure server and client systems using the menu-driven dce_config tool. The text shows the complete menu at its first occurrence; thereafter it shows only the menu name and current selection, prompts, and recommended input values. As you perform each step, various status messages are displayed. This document shows only the prompts; it may not show all status messages.
Initial Cell Configuration

NOTE: From HP-UX DCE 1.6 onwards, dce_config sets the DCEAUDITFILTERON environment variable to enable audit filtering, which limits the range of audit event types logged. If you want to disable or change the default settings provided by dce_config, you must do so before starting any server that provides data to the Audit Service.
DCE Configuration Menu (on hostname)
 1. Initial Cell Configuration
 2. Additional Server Configuration
 3. DCE Client
 4. DFS Client
98. Return to previous menu
99. Exit
selection:

2. From the DCE Configuration Menu, choose Initial Cell Configuration:
DCE Configuration Menu (on hostname)
selection: 1 (Initial Cell Configuration)
S:****** Configuring initial cell.
Initial Cell Configuration (on hostname)
 1. Initial Security Server
 2.
Enter keyseed for initial database master key:

7. dce_config prompts you to choose the Cell Administrator's principal name and password. The default principal name for the Cell Administrator is cell_admin:
Enter desired principal name for the Cell Administrator: (cell_admin)
Enter desired password for the Cell Administrator:

8.
CAUTION: Do not configure an additional CDS Server or a replica of a CDS Server on the same system as your Security Server. Such a configuration is illegal and unsupported.

9. From the Initial Cell Configuration menu, choose Initial CDS Server:
Initial Cell Configuration (on hostname)
selection: 2 (Initial CDS Server)
This routine starts up cdsadv and cdsd, initializes the name space, and sets ACLs for all new name space entries.
When dce_config is first run on a system, the HP-UX environment variable TZ is read to determine the HP-UX local time zone. dce_config then automatically selects a matching DCE local time zone and creates the link /etc/opt/dce/zoneinfo/localtime. A different time zone can be chosen; see the localtime (5) manpage for details.
The DTS null time provider configures a system to trust its own clock as an accurate source of time. The DTS ntp provider obtains an accurate source of time from some other system outside the cell. The spectracom time provider uses a local hardware device as a time provider. See the OSF DCE Administration Guide for more information on time providers.

14.
You must configure a CDS client on any Security server system that is not running a CDS server. To configure a client system, you need to know the name of the system(s) running the Security server and the initial CDS server for the cell. If you are using DTS as your time synchronization mechanism, you must configure a DTS clerk (client) on any system that is not running a DTS server.
Time on host is within specified tolerance (120 secs) of time on sec_server_node.
S:****** Checking for active sec_client service...
S:****** Starting sec_client service...
S:****** This node is now a security client.
S:****** Starting cdsadv...

7. Enter the name of the cell CDS server.
NOTE: If you want to enable auditing, you must explicitly start the audit daemon by selecting 9 (Auditing) from the dce_config "Additional Server Configuration" menu. Not starting the audit daemon is functionally equivalent to setting DCEAUDITOFF, effectively disabling auditing.
2. Select UNCONFIGURE from the DCE Main Menu:
DCE Main Menu (on hostname)
selection: 4 (UNCONFIGURE)
S:****** Attempting to unconfigure a node from the cell name space...

3. Enter the host name of the client:
Enter hostname of node to be unconfigured: hostname

4. The system explains that unconfiguring a node will remove the node's ability to operate in a cell, and asks if you want to continue:
Do you wish to continue (y/n)? y

5.
If you want to remove and reconfigure a client, first unconfigure and remove the client from the cell, then reconfigure the client. You may remove and reconfigure a client without reconfiguring the other members of a cell.

NOTE: You cannot use the dce_config UNCONFIGURE option to remove a Master Security Server or Initial Directory Server system from a cell. You must either use the DCM to do this, or reconfigure the entire cell.
Log messages have different priorities, based on content, which determine both where the messages are logged and how they are formatted. Table 6-1 describes the log message types (in priority order from highest to lowest), their format, and their content.

Table 6-1 dce_config Message Categories

Priority: ERROR
  Format: ERROR:
  Content: Result of an operation that was not as expected, and is probably fatal.
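The script below is an added example, not part of the HP manual, covering both the swinstall log check (look for lines beginning ERROR, WARNING, or NOTE) and the dce_config message categories in Table 6-1. It classifies log lines by their leading token, counts each class, and exposes an exit status that a scripted installation can use as a gate. The sample log is constructed for illustration and does not come from a real dce_config run.

```shell
#!/bin/sh
# Added example (not from the HP manual): scan an swinstall or dce_config log
# for the message classes the manual tells you to look for (ERROR, WARNING,
# NOTE) and for dce_config "S:******" status lines. The sample log below is
# constructed for illustration; real logs will differ.

# write_sample_log FILE: writes a constructed log resembling dce_config output
write_sample_log() {
    cat > "$1" <<'EOF'
S:****** Configuring initial cell.
S:****** Starting sec_client service...
WARNING: Time on host differs from sec_server_node by 90 secs
NOTE:    Using default protocol sequence
S:****** This node is now a security client.
ERROR:   Unable to contact CDS server cdshost
EOF
}

# count_class FILE CLASS: number of lines whose first token is CLASS (e.g. ERROR:)
count_class() {
    awk -v cls="$2" '$1 == cls { n++ } END { print n + 0 }' "$1"
}

# summarize_log FILE: prints "ERROR=<n> WARNING=<n> NOTE=<n> STATUS=<n>"
summarize_log() {
    e=$(count_class "$1" "ERROR:")
    w=$(count_class "$1" "WARNING:")
    n=$(count_class "$1" "NOTE:")
    s=$(count_class "$1" "S:******")
    echo "ERROR=$e WARNING=$w NOTE=$n STATUS=$s"
}

# log_has_errors FILE: exit 0 if at least one ERROR line is present, 1 otherwise;
# suitable as a gate in a scripted install or here-document run of dce_config
log_has_errors() {
    [ "$(count_class "$1" "ERROR:")" -gt 0 ]
}

# error_lines FILE: prints only the ERROR lines, the highest-priority category
error_lines() {
    awk '$1 == "ERROR:"' "$1"
}
```

Because ERROR is the highest-priority category and "probably fatal", a scripted run should stop on log_has_errors rather than continue to the next configuration step on a half-configured node.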
Additional Notes About Log Messages

ERROR messages: if dce_config is being run using a here-document (dce_config << input_file) or when using dce_config -e config.env -c config.cmd, the environment variable EXIT_ON_ERROR should be set to y and exported to prevent errors from causing the here-document to get out of sync with dce_config. (Also, CHECK_TIME should be set to n and exported when running dce_config from a here-document.
• dce.unconfig hostname: Removes the DCE client on hostname from the Security and Directory service databases. Should be run before reconfiguring DCE on a client system.
• dce_com_env: Sets common DCE environment variables.
• dce_com_utils: Common internal routines used by DCE utilities.
• dce_config_env: Sets common environment variables used by dce_config.
• dce_config_utils: Common internal routines used by dce_config.
• /sbin/init.
• CHECK_TIME: Set to y to have time checked and possibly synchronized; n otherwise. Default is y. If dce_config is executed with a here-document, CHECK_TIME should be set to n, since time checking uses a telnet command that causes input from the here-document to be lost.
• CONFIG_PROTSEQ: Communication protocol used for some dce_config operations.
• DTS_TZ: Determines the time zone rule (details are system dependent). For example, the user selects the time zone by using and setting DTS_TZ.
• EXIT_ON_ERROR: Set to y to exit from dce_config if a fatal error is encountered. Default is n. This can prevent a here-document from getting out of sync with dce_config.
is updated to include DCED_SWITCHES= -r. You can also set REMOTE_ADMIN in the config.env file if you run dce_config noninteractively.
• REMOVE_PREV_INSTALL: Set to y to remove all remnants of previous DCE installations for all components before installing a security server. Use only when installing the security server software. Default is n.
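As an added example (not code from the HP manual), the functions below drive dce_config noninteractively in both forms the manual mentions, the config.env/config.cmd pair and the here-document, while enforcing the two settings the manual requires for scripted runs: EXIT_ON_ERROR=y, so a fatal error stops dce_config instead of leaving the scripted input out of sync, and CHECK_TIME=n, because the time check's telnet would consume the here-document. The DCE_CONFIG path and the refusal check are assumptions introduced here; the menu selections fed to the here-document are constructed.

```shell
#!/bin/sh
# Added example (not part of the HP manual): drive dce_config noninteractively
# with EXIT_ON_ERROR=y and CHECK_TIME=n set and exported, as the manual
# requires for here-document and "-e config.env -c config.cmd" runs.
# DCE_CONFIG (overridable for testing) and its default path are assumptions.

: "${DCE_CONFIG:=/opt/dce/sbin/dce_config}"

# write_config_env FILE [NAME=VALUE ...]
# Writes a config.env that always pins the two batch-safety settings and then
# appends any caller-supplied settings (e.g. CONFIG_PROTSEQ=ncacn_ip_tcp).
write_config_env() {
    file=$1; shift
    {
        echo "EXIT_ON_ERROR=y"
        echo "CHECK_TIME=n"
        for kv in "$@"; do
            echo "$kv"
        done
    } > "$file"
}

# batch_env_ok FILE: 0 only if FILE sets both safety variables as required
batch_env_ok() {
    grep -q '^EXIT_ON_ERROR=y$' "$1" && grep -q '^CHECK_TIME=n$' "$1"
}

# run_dce_config_batch ENVFILE CMDFILE: the -e/-c form. Refuses an env file
# that lacks the safety settings, exports them into the process environment
# as well, and detaches stdin so nothing is read from the terminal.
run_dce_config_batch() {
    envfile=$1; cmdfile=$2
    batch_env_ok "$envfile" || {
        echo "refusing: $envfile must set EXIT_ON_ERROR=y and CHECK_TIME=n" >&2
        return 1
    }
    export EXIT_ON_ERROR=y CHECK_TIME=n
    "$DCE_CONFIG" -e "$envfile" -c "$cmdfile" </dev/null
}

# run_dce_config_heredoc SELECTION...: the here-document form; each argument
# is one menu selection or prompt answer, fed in order on stdin.
run_dce_config_heredoc() {
    export EXIT_ON_ERROR=y CHECK_TIME=n
    "$DCE_CONFIG" <<EOF
$(printf '%s\n' "$@")
EOF
}
```

With EXIT_ON_ERROR left at its default of n, an early failure would leave dce_config waiting at a different prompt than the scripted input expects, and the remaining answers (including any password entered at the Cell Administrator prompt) would be consumed by the wrong questions; refusing to run without the setting is cheaper than untangling that afterwards.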
Integrating DCE Services with HP Serviceguard

HP Serviceguard provides an environment in which, if a node fails, services (applications) can be up and running again on another node very quickly. This section provides background information on HP Serviceguard, and explains the detailed planning and configuration steps necessary to use HP Serviceguard to increase the availability of the DCE core services.
The Security and Naming services replicate only their read operations. That is, while a client can choose between any of the replicas to obtain information, it must go to a specific replica — the master replica — to perform a write operation. The master replica is then responsible for informing the other (read-only) replicas of the change.
the server will provide services. A side effect of this call is that the list of IP addresses supported by the node is established for use later when determining the binding vector. When this vector is obtained by a server main routine and registered in the endpoint map, the endpoint map will contain entries for every IP address identified earlier during the rpc_server_use_* call.
Planning for a DCE-HP Serviceguard Installation

Planning for a package that includes one or more DCE servers is primarily a process of identifying the disk and network resources necessary for the operation of the server.

Hardware Requirements for a DCE-HP Serviceguard Configuration

By their very nature, DCE and DCE applications are distributed, and therefore depend heavily on network resources.
Supported Templates for HP Serviceguard Integration with DCE

As part of the DCE product, HP-UX DCE 2.0 provides a fileset (DCE-SGUARD) that contains a set of customizable Serviceguard templates and scripts to integrate HP Serviceguard with DCE services. This set of templates includes the DCE processes dced, cdsadv, secd, and cdsd within a single package.
dce.monitor: DCE service monitor, which Serviceguard launches to monitor DCE daemons. First, the DCE service monitor checks to see if the server is running and, if it is not, starts it. Then, the DCE service monitor goes into a loop and checks to ensure that the server process is running. Finally, the DCE service monitor performs a DCE-level ping on the server interface.

rc.dcepkg.
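The following is an added example and not HP's dce.monitor script: a minimal monitor that follows the three stages described above (start the daemon if it is not running, loop on a process check, then a DCE-level ping) and reports each kind of failure with a distinct exit code. The three probes are supplied as commands in variables so the control flow can be tested without a cell; the default probe names and the placeholder start/ping commands are assumptions, not the manual's.

```shell
#!/bin/sh
# Added example (not HP's dce.monitor): a minimal service monitor following the
# three stages the manual describes: start the daemon if it is not running,
# verify repeatedly that the process is alive, then perform a DCE-level ping
# on the server interface. The probes are commands held in variables so the
# logic can run without a DCE cell; the defaults are assumptions.

: "${IS_RUNNING:=dce_is_running}"   # usage: $IS_RUNNING daemon  -> 0 if alive
: "${START_DAEMON:=dce_start}"      # usage: $START_DAEMON daemon
: "${DCE_PING:=dce_ping}"           # usage: $DCE_PING daemon     -> 0 if it answers

# Default process check: look for the daemon name in the process table
# (assumed adequate for dced/cdsadv/secd/cdsd; adjust for real deployments).
dce_is_running() { pgrep -x "$1" >/dev/null 2>&1; }
dce_start()      { echo "would start $1 here" >&2; return 1; }   # placeholder
dce_ping()       { echo "would ping $1 here" >&2; return 1; }    # placeholder

# monitor_once DAEMON: one pass. Return codes: 0 healthy, 2 start failed,
# 3 process not alive after start, 4 alive but not answering a DCE ping.
monitor_once() {
    d=$1
    if ! "$IS_RUNNING" "$d"; then
        "$START_DAEMON" "$d" || return 2
    fi
    "$IS_RUNNING" "$d" || return 3
    "$DCE_PING" "$d" || return 4
    return 0
}

# monitor_loop DAEMON PASSES INTERVAL: run monitor_once PASSES times, sleeping
# INTERVAL seconds between passes; stop at the first failure and return its
# code (a monitor exiting non-zero is what tells Serviceguard the service failed).
monitor_loop() {
    d=$1; passes=$2; interval=$3
    i=0
    while [ "$i" -lt "$passes" ]; do
        rc=0
        monitor_once "$d" || rc=$?
        [ "$rc" -eq 0 ] || return "$rc"
        i=$((i + 1))
        [ "$i" -lt "$passes" ] && sleep "$interval"
    done
    return 0
}
```

Distinguishing "process gone" (3) from "process alive but not answering RPC" (4) matters operationally: the second case is the hung-daemon situation a plain process check never catches, and it is why the manual's monitor ends with a DCE-level ping rather than stopping at the process table.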
DCE Configuration for Integration with Serviceguard

Following are the steps to integrate DCE configuration with Serviceguard:
1. Configure the Serviceguard cluster
2. Configure DCE
3. Configure the package
4. Distribute the package
5. Start the Serviceguard cluster
6. Start the package on the Serviceguard cluster

The following subsections describe these steps in more detail.
Configuring DCE

Perform the following steps to configure DCE on your system if Serviceguard is running:
1. Create a volume group for the DCE data files (for example: /dev/vgdce).
2. Manually activate the volume group to be accessed from the primary node (for example: vgchange -a e /dev/vgdce).
3. Identify the filesystems and logical volumes for the package filesystem definition. These should reside on the shared disk.
1. Create a directory for the DCE package name as follows:
mkdir /etc/cmcluster/pkg-name
2. Generate and modify the package configuration script for DCE as follows:
cmmakepkg -p /etc/cmcluster/pkg-name/pkg-name.conf
This command creates a template for pkg-name.
3. Edit this template for the DCE package by supplying the necessary information (for example: PACKAGE_NAME, NODE_NAME). Use the sample file dcepkg.conf for reference.
Distributing the Package

To distribute the package, follow these steps:
1. Distribute the package configuration and control scripts across the nodes. From the primary node, enter:
rcp -r /etc/cmcluster/pkg-name secondary_node:/etc/cmcluster/pkg-name
2. Verify that the configuration scripts are correct. From the primary node, enter:
cmcheckconf -C /etc/cmcluster/cmclconfig.ascii -P /etc/cmcluster/pkg-name/pkg-name.
Starting the Package on the Serviceguard Cluster
Configured packages are started automatically on their primary nodes when the Serviceguard cluster is started. Packages on the Serviceguard cluster can be halted manually. To restart a package, use SMH or follow these steps.
1. To restart the package on a specified host, enter:
cmrunpkg -n host pkg-name
2.
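The package steps above (create the directory and template, edit it, distribute it, check it, start it) as one script. This is an added example written for this page, not HP's dcepkg.conf sample or any HP tool. cmmakepkg -p, cmcheckconf -C/-P, rcp and cmrunpkg -n are the commands the page shows; cmmakepkg -s for the control script template and cmapplyconf for committing the checked configuration are assumptions (the page's distribution step is cut off before that point), as are the "KEY value" template lines that the edit helpers rely on and the constructed template excerpt in the demo function.

```shell
#!/bin/sh
# Added example for the Serviceguard package procedure; not HP code.
# Assumptions: cmmakepkg -p writes "KEY<whitespace>value" lines with "#"
# comments, cmmakepkg -s writes the control script template, and
# cmapplyconf commits what cmcheckconf verified.

# Set the first non-comment "KEY value" line in a template, or append it.
set_pkg_param() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    awk -v k="$key" -v v="$value" '
        !done && $1 == k { print k "\t" v; done = 1; next }
        { print }
        END { if (!done) print k "\t" v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Append a repeatable parameter (NODE_NAME appears once per failover node).
add_pkg_param() {
    printf '%s\t%s\n' "$2" "$3" >> "$1"
}

# Read back the first value of a parameter, to verify an edit before cmcheckconf.
pkg_param() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Steps 3 to 6 of the integration procedure, run as root on the primary node.
configure_dce_package() {
    pkg=$1; primary=$2; secondary=$3; vg=$4
    pkgdir=/etc/cmcluster/$pkg
    conf=$pkgdir/$pkg.conf
    cntl=$pkgdir/$pkg.cntl

    vgchange -a e "/dev/$vg"                 # exclusive activation on the primary node
    mkdir -p "$pkgdir"
    cmmakepkg -p "$conf"                     # package configuration template (documented)
    cmmakepkg -s "$cntl"                     # control script template (assumption)

    set_pkg_param "$conf" PACKAGE_NAME "$pkg"
    set_pkg_param "$conf" NODE_NAME "$primary"
    add_pkg_param "$conf" NODE_NAME "$secondary"
    set_pkg_param "$conf" RUN_SCRIPT "$cntl"
    set_pkg_param "$conf" HALT_SCRIPT "$cntl"
    # $cntl still needs the VG/LV/FS definitions and the dce.monitor service by hand.

    rcp -r "$pkgdir" "$secondary:/etc/cmcluster/$pkg"
    cmcheckconf -C /etc/cmcluster/cmclconfig.ascii -P "$conf"
    cmapplyconf -C /etc/cmcluster/cmclconfig.ascii -P "$conf"   # assumption, see above
    cmrunpkg -n "$primary" "$pkg"
}

# Constructed excerpt of a cmmakepkg -p template, edited the way the
# procedure describes; prints "dcepkg node1 2 dce_monitor".
demo_edit_template() {
    conf=$(mktemp)
    printf '# Package configuration template (constructed)\nPACKAGE_NAME\t\t\n' > "$conf"
    printf 'PACKAGE_TYPE\t\tFAILOVER\nNODE_NAME\t\t*\nRUN_SCRIPT\t\t\n' >> "$conf"
    set_pkg_param "$conf" PACKAGE_NAME dcepkg
    set_pkg_param "$conf" NODE_NAME node1
    add_pkg_param "$conf" NODE_NAME node2
    set_pkg_param "$conf" SERVICE_NAME dce_monitor
    printf '%s %s %s %s\n' "$(pkg_param "$conf" PACKAGE_NAME)" \
        "$(pkg_param "$conf" NODE_NAME)" "$(grep -c '^NODE_NAME' "$conf")" \
        "$(pkg_param "$conf" SERVICE_NAME)"
    rm -f "$conf"
}

# Usage as root on the primary node: sh dce_sgpkg.sh deploy dcepkg node1 node2 vgdce
if [ "${1:-}" = deploy ]; then
    configure_dce_package "$2" "$3" "$4" "$5"
else
    demo_edit_template
fi
```

Two points worth keeping in mind when running this for real: rcp depends on .rhosts or hosts.equiv trust and copies the package files in the clear, so on any network you do not fully control use an authenticated copy instead, and the control script is executed by Serviceguard as root on every node, so keep its ownership and mode as tight as the sample allows and run cmcheckconf against the copy that was actually distributed.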
7 HP-UX Integrated Login
This chapter describes the HP-UX Integrated Login product. In addition, this chapter discusses how to use the HP-UX Integrated Login product with UNIX and other authentication technologies.
NOTE This chapter includes information about the HP-UX DCE server. However, DCE Server is not available on HP-UX 11i v3. Use the information in this section to integrate DCE 2.
Overview
HP-UX Integrated Login combines UNIX login with other authentication technologies. It provides a generic interface that login applications can use to interface with various user-authentication technologies.
NOTE Connections initiated via Secure Internet Services (SIS) do not result in DCE credentials on the server.
DCE credentials as an additional technology. Another system might, for greater security, have DCE configured as the login technology, using UNIX login only as a fallback technology. Use of HP-UX Integrated Login is optional. All integrated utilities retain standard HP-UX behavior until HP-UX Integrated Login is activated. If you wish to use HP-UX Integrated Login, carefully read and follow the instructions in this chapter.
Deciding Whether to Use HP-UX Integrated Login
Use HP-UX Integrated Login:
• If you want to use an authentication technology other than the traditional UNIX mechanism as the login technology. For this release, this means using DCE Security Services.
• If you want to obtain additional credentials from other authentication technologies after machine access is granted via the login technology.
Operation of Integrated Login Utilities
The Integrated Login utilities are login, dtlogin, dtsession, su, and ftpd. The passwd utility is also integrated to facilitate the manipulation of registries (such as the registries for the technologies used by HP-UX Integrated Login). The Secure Internet Services (SIS) version of ftpd is not integrated.
Activating HP-UX Integrated Login
The script /usr/sbin/auth.adm is provided to activate HP-UX Integrated Login and configure a system authentication policy. Until activated, all Integrated Login utilities retain standard HP-UX behavior. auth.adm activates Integrated Login by creating an appropriate /etc/pam.conf file.
-p tech_name:param=value[:param=value] specifies the values of parameters applicable to an authentication technology being configured. Parameters of different technologies can be specified by repeating the -p[arameter] option. The list of configurable parameters is as follows:
TIMEOUT — Time-out (in seconds) on communications with the authentication technology.
3. Inspect the file /var/adm/ilogin/auth.adm.log for ERROR messages. If there are ERROR messages, correct the error conditions and repeat step 2.
4. auth.adm performs the following actions during the activation process:
• Verifies that the policy is an acceptable one.
• Activates the login technology.
• Activates the fallback technology.
• Activates additional technologies.
Deactivating HP-UX Integrated Login
To deactivate HP-UX Integrated Login and remove the authentication policy on a system, do the following:
1. Log in as root and issue the following command:
/usr/sbin/auth.adm -u[ninstall]
auth.adm restores the previous version of /etc/pam.conf.
2. Inspect the file /var/adm/ilogin/auth.adm.log for ERROR messages. If there are ERROR messages, correct the error conditions and repeat step 1.
Inquiring about Authentication Policy
To inquire about the authentication policy of a system running HP-UX Integrated Login, run the command:
/usr/sbin/auth.adm -q[uery] [-f filename]
The command prints the authentication policy to stdout, or to filename if -f filename is specified. You do not have to be root to run this option of the command.
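The activate, inspect-the-log, repeat-or-roll-back cycle from the three sections above as a script. This is an added example written for this page, not part of the HP manual or the auth.adm tool. Only options the page documents are used directly (-p tech:PARAM=value, -q, -u) together with the log path /var/adm/ilogin/auth.adm.log; the policy-selection options are passed through from the caller because the page does not show them, so check auth.adm(1M) for those. The log excerpt in the demo function and the ERROR line texts are constructed.

```shell
#!/bin/sh
# Added example for activating an Integrated Login policy; not HP code.
# Documented on the page: auth.adm -p tech:PARAM=value, -q, -u, and the
# log file. Whatever selects the login/fallback technologies is passed in
# by the caller (see auth.adm(1M)); nothing here guesses those options.

AUTH_ADM=/usr/sbin/auth.adm
AUTH_LOG=/var/adm/ilogin/auth.adm.log

# Number of ERROR records in the log (0 when the file does not exist yet).
auth_log_error_count() {
    if [ -f "$1" ]; then
        grep -c 'ERROR' "$1" || true
    else
        echo 0
    fi
}

# The ERROR lines themselves, so the operator can fix the condition and rerun.
auth_log_errors() {
    [ -f "$1" ] && grep 'ERROR' "$1"
    return 0
}

# True when the log gained ERROR records since the count in $1 was taken.
# The log is appended to, so errors from an earlier attempt must not be
# mistaken for a failure of the current step.
step_added_errors() {            # $1 = count before the step, $2 = log file
    [ "$(auth_log_error_count "$2")" -gt "$1" ]
}

# Run auth.adm with the given policy options, then apply the page's check:
# inspect the log for ERROR messages and, on failure, restore the previous
# /etc/pam.conf with auth.adm -u before returning non-zero.
activate_policy() {
    before=$(auth_log_error_count "$AUTH_LOG")
    cp -p /etc/pam.conf "/etc/pam.conf.pre-ilogin.$$"   # own copy, independent of auth.adm's
    "$AUTH_ADM" "$@"
    if step_added_errors "$before" "$AUTH_LOG"; then
        auth_log_errors "$AUTH_LOG"
        "$AUTH_ADM" -u                                  # restores the previous /etc/pam.conf
        return 1
    fi
    "$AUTH_ADM" -q                                      # print the policy now in force
}

# Constructed log excerpt: a failed first attempt followed by a clean retry.
# Prints "clean" because the retry added no ERROR records.
demo_log_check() {
    log=$(mktemp)
    printf 'INFO policy verified\nERROR cannot contact secd\n' > "$log"
    before=$(auth_log_error_count "$log")
    printf 'INFO policy verified\nINFO login technology dce activated\n' >> "$log"
    if step_added_errors "$before" "$log"; then echo failed; else echo clean; fi
    rm -f "$log"
}

# Usage as root: sh ilogin_activate.sh <auth.adm policy options> -p dce:TIMEOUT=30
if [ $# -gt 0 ]; then
    activate_policy "$@"
else
    demo_log_check
fi
```

The extra copy of /etc/pam.conf is deliberate: auth.adm -u restores the file it saved, but if activation is attempted twice the saved copy may already be the half-configured one, and a PAM configuration that fails to parse can lock root out of every integrated utility at once, so keep a console session open until auth.adm -q shows the policy you intended.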
Notes, Cautions, and Warnings
• When changing passwords using passwd, the password format rules imposed by the login technology restrict the format of newly entered passwords. A new password that is acceptable to the login technology might be rejected by an additional technology that has more stringent password format rules.
DCE passwords are global to a network, whereas Commercial Security passwords are local to a single system. To change a password when using DCE with Commercial Security, first change it for HP-UX and DCE on one system. This can be done in one step with the passwd command, provided the new password chosen is acceptable to both HP-UX and DCE.
Integrating DCE with HP-UX Integrated Login
HP-UX DCE 2.0 provides support for integrating DCE with HP-UX Integrated Login. The binaries for this functionality are included in the AUTH-DCE fileset.
Deciding Whether to Integrate DCE with HP-UX Integrated Login
If you want to configure DCE as the login technology with HP-UX Integrated Login, consider the following:
• The system environment must be stable. Therefore, DCE must be left configured and the DCE cell must be maintained. The network must remain reliable 24 hours a day.
• All users of a system must have a DCE account, including users who are declared in passwd_override.
• Unlike user root, the cell administrator must provide cell_admin's password when using the HP-UX Integrated passwd to change other users' passwords in the DCE Security Registry.
• User passwords are limited to 128 characters for ftp; otherwise, passwords can be up to 512 characters.
• HP-UX Integrated Login utilities take longer to execute and require more system resources than the HP-UX equivalents.
• Decide whether to activate the DCE backend to the Name Service Switch (NSS-DCE) so that getpw* and getgr* calls access the DCE registry for user information. (See the previous section, "Operation of Integrated Login Utilities," for further information.)
• Create entries in /etc/opt/dce/passwd_override for any accounts (such as printing or backup services) that require access to your system but not to the DCE cell.
When using passwd_import to set up accounts from /etc/passwd, be aware that passwd_import:
• Creates accounts for all entries in /etc/passwd but marks the accounts invalid. After using passwd_import, the cell administrator must use dcecp to assign a password to each account and to mark each account valid.
• Does not create accounts from NIS information.
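A pre-flight check for the points above before DCE becomes the login technology: every local account must have a DCE registry account, or a passwd_override entry if it is a service account that needs the system but not the cell, or it is locked out as soon as ux is no longer the login technology. This is an added example written for this page, not an HP tool. It assumes the registry account list was saved with dcecp -c account catalog (one fully qualified name such as /.../cell/name per line) and that passwd_override entries use the OSF DCE layout principal:password:uid:gid:gecos:home:shell, the same field order as /etc/passwd; the cell name acme_cell and all sample accounts in the demo function are constructed.

```shell
#!/bin/sh
# Added example, not an HP tool: find local accounts that have neither a
# DCE registry account nor a passwd_override entry, and build override
# entries for local-only service accounts.
# Assumptions: the catalog file holds `dcecp -c account catalog` output
# (/.../cell/name per line); passwd_override lines are
# principal:password:uid:gid:gecos:home:shell, as in OSF DCE.

# Simple principal names from a saved account catalog listing.
dce_account_names() {
    sed 's#.*/##' "$1" | sort -u
}

# Principal names that already have a passwd_override entry.
override_names() {
    awk -F: '!/^#/ && $1 != "" { print $1 }' "$1" | sort -u
}

# Local passwd users (NIS "+" markers and comments skipped) that have
# neither a DCE account nor an override entry, one name per line.
missing_dce_accounts() {          # $1 passwd file, $2 catalog file, $3 override file
    local_list=$(mktemp); known_list=$(mktemp)
    awk -F: '!/^[+#]/ && $1 != "" { print $1 }' "$1" | sort -u > "$local_list"
    { dce_account_names "$2"; override_names "$3"; } | sort -u > "$known_list"
    comm -23 "$local_list" "$known_list"
    rm -f "$local_list" "$known_list"
}

# passwd_override entry for a local-only service account: its /etc/passwd
# line already carries the seven fields in the order the override file uses.
override_entry() {                # $1 passwd file, $2 account name
    awk -F: -v u="$2" '$1 == u { print; exit }' "$1"
}

# Constructed sample data: a small passwd file, a catalog for cell
# "acme_cell", and an override file that covers the lp account.
# Prints "bob", the only user with neither a DCE account nor an override.
demo_missing_accounts() {
    d=$(mktemp -d)
    printf 'root:*:0:3::/:/sbin/sh\nlp:*:9:7::/var/spool/lp:/sbin/sh\n' > "$d/passwd"
    printf 'alice:x:501:20:Alice:/home/alice:/usr/bin/sh\n' >> "$d/passwd"
    printf 'bob:x:502:20:Bob:/home/bob:/usr/bin/sh\n+::0:0:::\n' >> "$d/passwd"
    printf '/.../acme_cell/cell_admin\n/.../acme_cell/alice\n/.../acme_cell/root\n' > "$d/catalog"
    printf '# local-only accounts\n' > "$d/passwd_override"
    override_entry "$d/passwd" lp >> "$d/passwd_override"
    missing_dce_accounts "$d/passwd" "$d/catalog" "$d/passwd_override"
    rm -rf "$d"
}

demo_missing_accounts
```

Against a real system run it as missing_dce_accounts /etc/passwd catalog.txt /etc/opt/dce/passwd_override after saving the dcecp listing to catalog.txt; an empty result is the precondition for switching the policy. Note that passwd_import cannot fill the gap for NIS users, and that any account it does create stays invalid until cell_admin sets a password and validates it with dcecp.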
in turn communicates with secd (the DCE Security daemon) to perform security functions. ilogind was introduced in HP-UX DCE 1.6. During this process, you are asked whether you want to activate the DCE backend to the Name Service Switch (NSS-DCE) so that getpw* and getgr* calls access the DCE registry for user information.
Activation terminates with an error message when any of these steps fails.
Configuring ux as a Fallback Technology for DCE
You can configure ux as a fallback technology to allow system access when DCE, as the login technology, is not available (DCE is down or there is a network problem).
Users who configure DCE as the primary login technology and UNIX as the backup technology should be aware that the UNIX backend is useful as a backup only for names and passwords that meet UNIX requirements, restrictions, and semantics.
• DCE allows cell_admin to change the password of any other principal. However, UNIX does not allow this behavior. Therefore, if a user logs in as cell_admin and tries to change another user's password, the following messages are displayed:
Password successfully changed in DCE registry
Permission denied.
As the messages show, the password has been changed in DCE, but not in /etc/passwd.
• If the passwd_export cron job has been set up and DCE becomes unavailable, the cron job fails and generates an e-mail error message. To stop these error messages, remove the cron job by unconfiguring DCE from HP-UX Integrated Login after you stop or remove DCE.
• By default, the HP-UX DCE 1.9 Security Server disables logins for principals whose passwords have expired, and intervention by cell_admin is required before the principal can log in. If you want to allow a principal to log in with an expired password, attach an instance of the passwd_override ERA to that principal.
AFS and Kerberos Authentication
Support for AFS and Kerberos authentication is not provided in this release of HP-UX Integrated Login.
Miscellaneous Notes
This section contains miscellaneous information about HP-UX DCE 2.0 cell administration.
• To better integrate HP-UX DCE with existing HP-UX systems, HP has added new functionality to the passwd_export utility. Before exporting groups from the DCE registry to the /etc/group file, HP passwd_export looks for the file /etc/opt/dce/sys.group and prepends any group information from that file to the new /etc/group file.