HP TCP/IP Services for OpenVMS
Management

14.6.6.1 Solving Timeout Problems with SNMP Subagents

If queries from a client to an OpenVMS SNMP server are consistently timing out, consider solutions on either the client or server side. For information about checking the client side, refer to the HP TCP/IP Services for OpenVMS SNMP Programming and Reference guide.

On the server:

Adjust the default timeout value for master agent/subagent communication by redefining the system logical TCPIP$ESNMP_DEFAULT_TIMEOUT, as described in Table 14-5.
Analyze the performance of slow areas of subagent code to improve the speed of those areas.
Split up one subagent into multiple subagents, each handling a subset of the original OID tree.
Adjust the timeout for individual subagents using esnmp_init() , as described in the HP TCP/IP Services for OpenVMS SNMP Programming and Reference guide.

Before making extensive modifications to either the client or the server, consider analyzing the network load for congestion problems.

14.6.7 Disabling SNMP OPCOM Messages

To disable OPCOM messages for SNMP, enter the following command sequence:

TCPIP> SET SERVICE SNMP /LOG=NOALL TCPIP> DISABLE SERVICE SNMP TCPIP> ENABLE SERVICE SNMP

Be aware that when you disable OPCOM messages, you may be suppressing information that is useful for solving problems.

Part 4
Configuring Network Applications

Part 4 describes how to set up popular networking end-user applications and includes the following chapters:

Chapter 15, Configuring and Managing TELNET, describes how to set your host as a TELNET server, allowing users on remote hosts to establish login sessions.
Chapter 16, Configuring and Managing FTP, describes how to set up your host as a FTP server, allowing users on remote hosts to transfer files.
Chapter 17, Remote (R) Commands, describes how to set up the server implementations of the popular Berkeley Remote (R) commands that enable remote file copying (RCP), remote logins (RLOGIN), remote command execution (RSH and REXEC), and remote management of magnetic tape and CD-ROM (RMT/RCD) drives.
Chapter 18, Configuring and Managing SMTP, Chapter 19, Configuring and Managing the POP Server, and Chapter 20, Configuring and Managing the IMAP Server, describe how to configure and manage the components that allow users to send and receive internet electronic mail.
Chapter 21, Configuring XDMCP-Compatible X Displays, describes how to configure an XDMCP-compatible X display using the TCP/IP Services XDM server.

Chapter 15
Configuring and Managing TELNET

The TCP/IP Services product includes and implementation of the TELNET end-user application.

This chapter describes how to set up your host as a TELNET server.

For information about using TELNET, see the HP TCP/IP Services for OpenVMS User's Guide. For information about using the TELNET print symbiont, see Chapter 25.

This chapter describes:

How to manage the TELNET service ( Section 15.1)
How to solve TELNET problems ( Section 15.2)

15.1 Managing TELNET

Managing TELNET includes the following tasks:

Setting up user accounts
Creating and deleting sessions
Displaying login messages

15.1.1 TELNET Startup and Shutdown

The TELNET service can be shut down and started independently of TCP/IP Services. This is useful when you change parameters or logical names that require the service to be restarted.

The following files are provided:

SYS$STARTUP:TCPIP$TELNET_STARTUP.COM allows you to start up TELNET independently.
SYS$STARTUP:TCPIP$TELNET_SHUTDOWN.COM allows you to shut down TELNET independently.

To preserve site-specific parameter settings and commands, create the following files. These files are not overwritten when you reinstall TCP/IP Services:

SYS$STARTUP:TCPIP$TELNET_SYSTARTUP.COM can be used as a repository for site-specific definitions and parameters to be invoked when TELNET is started.
SYS$STARTUP:TCPIP$TELNET_SYSHUTDOWN.COM can be used as a repository for site-specific definitions and parameters to be invoked when TELNET is shut down.

15.1.2 Managing TELNET with Logical Names

Table 15-1 lists the logical names you can use in managing the TELNET service.

Table 15-1 TELNET Logical Names
Logical Name Description

TCPIP$TELNET_NO_REM_ID Disables the intrusion detection mechanism used by DECnet network login logicals SYS$REM_ID, SYS$REM_NODE, SYS$NODE_FULLNAME. When this logical is set to TRUE, the SYS$REM* logicals are not set, thus bypassing intrusion-detection on logins. By default, this logical is not set.

TCPIP$TELNET_TRUST_LOCATION Disables all login attempts from port 8 on this server, regardless of the target user name. The location specified by the client is used to set the SYS$REM* logical names. The result is the TELNET server trusts the client's location string. This setting is not recommended since it allows clients to log in from various locations, avoiding the limit on invalid logins. By default, this logical is not set.

TCPIP$TELNET_VTA Enables TELNET virtual terminals. Set the logical to TRUE to enable virtual terminals on TELNET connections. Set the logical to FALSE to disable them. For example:
$ DEFINE/SYSTEM/EXEC
TCPIP$TELNET_VTA "TRUE"

**Table 15-1 TELNET Logical Names**
Logical Name	Description
TCPIP$TELNET_NO_REM_ID	Disables the intrusion detection mechanism used by DECnet network login logicals SYS$REM_ID, SYS$REM_NODE, SYS$NODE_FULLNAME. When this logical is set to TRUE, the SYS$REM* logicals are not set, thus bypassing intrusion-detection on logins. By default, this logical is not set.
TCPIP$TELNET_TRUST_LOCATION	Disables all login attempts from port 8 on this server, regardless of the target user name. The location specified by the client is used to set the SYS$REM* logical names. The result is the TELNET server trusts the client's location string. This setting is not recommended since it allows clients to log in from various locations, avoiding the limit on invalid logins. By default, this logical is not set.
TCPIP$TELNET_VTA	Enables TELNET virtual terminals. Set the logical to TRUE to enable virtual terminals on TELNET connections. Set the logical to FALSE to disable them. For example: $ DEFINE/SYSTEM/EXEC TCPIP$TELNET_VTA "TRUE"

15.1.3 Setting Up User Accounts

Hosts typically run a TELNET server with TELNET client software. Users on client hosts need valid accounts on server hosts before using TELNET to establish a remote session.

If your local host is to be a TELNET server, create OpenVMS accounts for remote users. You can create several individual accounts or one account that many remote users will share.

15.1.4 Creating and Deleting Sessions

You can create and delete TELNET sessions from within a command procedure or interactively. Enter the DCL command TELNET with the /CREATE_SESSION or /DELETE_SESSION qualifier. These qualifiers have the same function as the following commands:

TELNET> CREATE_SESSION host port dev-unit

TELNET> DELETE_SESSION dev-unit

For example:

$ TELNET /CREATE_SESSION TS405 2002 902

You can create a TELNET device that times out after a specified idle period then reconnects when data is written to it. Use the /TIMEOUT qualifier to specify the idle time and the reconnection interval, as described in the following table:

Qualifier Description

/TIMEOUT Creates a TELNET device that has the following connection attributes:

NOIDLE---The connection is broken when the device is finally deassigned. The device will automatically reconnect when data is written to it.
IDLE---Specifies the idle time for the device (in the format hh:mm:ss). Note that the time has a granularity of 1 second. If the device is idle for at least the specified amount of time, then the connection will be broken. "Idle" means that the device has neither received nor sent any data for the idle period.
NORECONNECTION---The device does not automatically retry reconnections if they fail.
RECONNECTION---When data is written to the device and it is not connected, this value determines the interval between reconnection attempts. For example, if an application writes to a TN with a RECONNECTION value of 0:1:00 and the first connection attempt fails, subsequent connection attempts will be made in 1-minute intervals.

/NOTIMEOUT Creates a TELNET device that breaks the connection when the device is finally deassigned (the last channel assignment is deassigned).

Qualifier	Description
/TIMEOUT	Creates a TELNET device that has the following connection attributes: NOIDLE---The connection is broken when the device is finally deassigned. The device will automatically reconnect when data is written to it. IDLE---Specifies the idle time for the device (in the format hh:mm:ss). Note that the time has a granularity of 1 second. If the device is idle for at least the specified amount of time, then the connection will be broken. "Idle" means that the device has neither received nor sent any data for the idle period. NORECONNECTION---The device does not automatically retry reconnections if they fail. RECONNECTION---When data is written to the device and it is not connected, this value determines the interval between reconnection attempts. For example, if an application writes to a TN with a RECONNECTION value of 0:1:00 and the first connection attempt fails, subsequent connection attempts will be made in 1-minute intervals.
/NOTIMEOUT	Creates a TELNET device that breaks the connection when the device is finally deassigned (the last channel assignment is deassigned).

15.1.5 Displaying Login Messages

To display login and logout messages at the operator's console and log file, enter:

TCPIP> SET SERVICE TELNET /LOG=(LOGIN,LOGOUT)

15.1.6 TELNET Client (TN3270)

IBM 3270 Information Display System (IDS) terminal emulation (TN3270) lets users make connections to hosts that use IBM 3270 model terminals.

TN3270 has default IBM 3270 IDS function assignments for DIGITAL keyboards. In addition, users can make their own assignments and might ask you for help. TCP/IP Services provides EBCDIC-to-DMCS and DMCS-to-EBCDIC translation tables you can customize. Appendix B describes how to customize and rebuild these translation tables.

For more information about using TN3270, enter the following DCL command:

$ HELP TN3270

15.1.7 Configuring and Managing the Kerberos TELNET Server

Kerberos is a network authentication protocol designed to provide strong authentication for client/server applications by using secret-key cryptography. Kerberos uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection. The TCP/IP TELNET service uses Kerberos to make sure the identity of any user who requests access to a remote host is authentic.

TCP/IP Services supports Kerberos security for TELNET connections, providing a Kerberos TELNET server and a Kerberos TELNET client.

Before you can use the Kerberos TELNET client, the OpenVMS Security Client software must be configured on the OpenVMS system. For more information about installing and configuring the OpenVMS Security Client software, see the HP Open Source Security for OpenVMS, Volume 3: Kerberos manual.

It is assumed that anyone using the Kerberos security features in TCP/IP has expert knowledge of Kerberos.

Note

Encryption is not supported in this version of TCP/IP Services.

For information about using the Kerberos TELNET client, refer to the HP TCP/IP Services for OpenVMS User's Guide.

15.1.7.1 Configuring the Kerberos TELNET Server

TCP/IP Services supports a separate Kerberos TELNET server, in addition to the standard TCP/IP TELNET server.

You can enable the TELNET server with Kerberos support by selecting the Kerberos TELNET server from the TCPIP$CONFIG.COM command procedure, as described in the HP TCP/IP Services for OpenVMS Installation and Configuration guide.

15.1.7.2 Connecting to the Kerberos TELNET Server

The Kerberos TELNET server uses port 2323. Specify this port on the TELNET command line. For example:

$ TELNET/AUTHENTICATE terse.mbs.com /PORT=2323 %TELNET-I-TRYING, Trying ... 17.21.205.153 %TELNET-I-SESSION, Session 01, host terse.mbs.com, port 2323 -TELNET-I-ESCAPE, Escape character is ^] Welcome to OpenVMS (TM) Alpha Operating System, Version V7.3 Username:

15.1.8 Kerberos Principal Names

Before you use the Kerberos TELNET client, make sure the local host name is fully qualified in the local hosts database. Kerberos realms form principal names using fully-qualified domain names. For example, terse.mbs.com is a fully qualified domain name; terse is a simple host name.

HP TCP/IP Services for OpenVMS is usually configured so that the host name is entered in the hosts database as a simple host name. That is, on host TERSE, the TCP/IP management command SHOW HOST TERSE returns terse , not terse.mbs.com .

To correct a mismatch between the Kerberos realm and the TCP/IP Services configurations, follow these steps from a privileged account at a time when system usage is low:

Find the host's numeric address. For example:

$ TCPIP TCPIP> SHOW HOST terse LOCAL database Host address Host name 15.28.311.11 terse

Remove the simple host name. For example:
TCPIP> SET NOHOST terse/CONFIRM
Use the SET HOST command to associate the fully qualified domain name with the IP address, as shown in the following example:
TCPIP> SET host "terse.mbs.com"/ADDRESS=15.28.311.11 - _TCPIP> /ALIAS=("TERSE.MBS.COM", "terse", "TERSE")
Specify the /ALIAS qualifier to ensure that applications can handle host names in uppercase and lowercase.

Confirm that the first name returned is fully qualified.

TCPIP> SHOW HOST terse LOCAL database Host address Host name 15.28.311.11 terse.mbs.com, TERSE.MBS.COM, terse, TERSE

15.2 Solving TELNET Problems

To improve TELNET performance, try modifying some of the internet parameters. These changes might also decrease the use of system resources.

15.2.1 TELNET Characteristics That Affect Performance

The settings for the TELNET systemwide characteristics might affect TCP/IP Services and TELNET performance. To display the TELNET systemwide characteristics, enter:

TCPIP> SHOW SERVICE TELNET /FULL

The command generates a display similar to the following:

Service: TELNET State: Enabled Port: 23 Protocol: TCP Address: 0.0.0.0 Inactivity: 1 User_name: Process: not defined Limit:30 Active: 1 Peak: 4 File: not defined Flags: Listen Priv Rtty Socket Opts: Keepalive Receive: 3000 Send: 3000 Log Opts: Actv Dactv Conn Error Logi Logo Mdfy Rjct Addr File: not defined Security Reject msg: not defined Accept host: 0.0.0.0 Accept netw: 0.0.0.0

15.2.2 Requests That Cannot Be Satisfied

The TELNET server sends the following error message for a TELNET login request that cannot be satisfied:

SS$_EXQUOTA

This error is due to insufficient local resources, such as:

Too many sessions
To determine whether this is the cause of the problem, check to see whether the maximum number of concurrent sessions has been exceeded. Enter the following TCP/IP management command:
TCPIP> SHOW SERVICE TELNET
If the maximum number of concurrent sessions has been exceeded, the display shows:
PEAK=limit
To increase the number of allowed sessions, enter the following command:
TCPIP> SET SERVICE TELNET /LIMIT=n
Insufficient OpenVMS nonpaged pool
To determine whether this is the cause of the problem, check to see whether the OpenVMS nonpaged pool is insufficient for servicing a new TELNET connection. If so, monitor the server.
To improve any of the parameters, redefine the logical names.
Excessive OpenVMS login sessions
To determine whether this is the cause of the problem, check to see whether the limit for maximum OpenVMS sessions has been exceeded. If the current value is not appropriate, redefine it.

Verify that the CHANNELCNT parameter (in SYSGEN) is larger than the number of simultaneous TELNET and RLOGIN sessions that you plan to support.

Chapter 16
Configuring and Managing FTP

The File Transfer Protocol (FTP) software transfers files between "nontrusted" hosts. Nontrusted hosts require user name and password information for remote logins.

The TCP/IP Services product includes an implementation of the FTP end-user applications.

This chapter describes:

How to manage the FTP service ( Section 16.1)
How to solve FTP problems ( Section 16.2)

For information on using FTP, see the HP TCP/IP Services for OpenVMS User's Guide.

16.1 Managing FTP

Managing FTP consists of the the following tasks:

Enabling and disabling FTP
Starting and Stopping FTP
Configuring anonymous FTP
Defining FTP logical names
Monitoring FTP with FTP log files

16.1.1 Enabling and Disabling FTP

After FTP is configured by TCPIP$CONFIG, the postinstallation configuration procedure, it is started automatically when TCP/IP Services is started. To disable FTP when TCP/IP Services starts, use the SET CONFIGURATION NOSERVICE command.

See the HP TCP/IP Services for OpenVMS Management Command Reference for descriptions of the SET SERVICE and SET CONFIGURATION SERVICE commands.

16.1.2 FTP Startup and Shutdown

The FTP service can be shut down and started independently from TCP/IP Services. This is useful when you change parameters or logical names that require the service to be restarted.

The following command procedures are provided:

SYS$STARTUP:TCPIP$FTP_STARTUP.COM allows you to start FTP independently.
SYS$STARTUP:TCPIP$FTP_SHUTDOWN.COM allows you to shut down FTP independently.

To preserve site-specific parameter settings and commands, create the following files. These files are not overwritten when you reinstall TCP/IP Services:

SYS$STARTUP:TCPIP$FTP_SYSTARTUP.COM can be used as a repository for site-specific definitions and parameters to be invoked when FTP is started.
SYS$STARTUP:TCPIP$FTP_SYSHUTDOWN.COM can be used as a repository for site-specific definitions and parameters to be invoked when FTP is shut down.

16.1.3 Configuring Anonymous FTP

Anonymous FTP is an FTP session in which a user logs in to the remote server using the user name ANONYMOUS and, by convention, the user's real user name as the password.

On the local FTP server, local users can access files without password authentication. Remote users do not require an account. File access is controlled by regular OpenVMS access restrictions.

When you use TCPIP$CONFIG to establish an ANONYMOUS account, a new account is created with the UIC [ANONY,ANONYMOUS] (by default, [3376,xx]), user name ANONYMOUS, account ANONY, default directory SYS$SYSDEVICE:[ANONYMOUS], and the following types of login access:

network full access

batch no access

local no access

dialup no access

local no access

The usual OpenVMS file protection codes restrict file access for inbound anonymous FTP sessions to this directory, its subdirectories, and files with an owner attribute of [ANONY,ANONYMOUS].

When the ANONYMOUS account has been created, a remote FTP client can:

Copy files to and from GUEST$PUBLIC.
From the ANONYMOUS$USER directory:
- Delete files
- Create directories
- Delete directories
- Rename files
- Rename directories

You can set up guest and public directories for bulletin board or group interest. Make sure the directory protections are set to read-only or read/write, as needed.

In the following example, UNIX user ubird connects to the ANONYMOUS account on OpenVMS host TRAGOPAN. TRAGOPAN asks for ubird 's password, which is not echoed. In response to this request, the user should supply the local system user name for identification purposes.

% ftp tragopan Connected to tragopan.asian.pheasant.edu. 220 tragopan.asian.pheasant.edu FTP Server (Version 5.1) Ready. Name (tragopan:wings): ANONYMOUS 331 Guest login ok, send ident as password. Password: CARIBBEAN 230 Guest login ok, access restrictions apply. Welcome to HP TCP/IP Services for OpenVMS on internet host TRAGOPAN Date 24-JUN-2000 FTP>

16.1.3.1 Concealed File Systems

The FTP server processes each command individually as it receives the command and displays a reply based on the command parameters. A reply can include a file specification that displays part of the server file system.

16.1.3.2 Setting Up Anonymous FTP

Complete the following steps to set up anonymous FTP access on your system:

Use the TCPIP$CONFIG procedure to create an account named ANONYMOUS with the password GUEST.
To create the ANONYMOUS user account, select Optional Components from the main menu, then select Setup Anonymous FTP Account and Directories.
Set user account access restrictions NOLOCAL, NOBATCH, NOREMOTE, and NODIALUP.
Optionally, create public directories and assign to them the devices names GUEST$PUBLIC and ANONYMOUS$USER. HP neither creates nor recommends the use of these directories. If you create these directories, be careful to set protections on them to allow read access only (for GUEST$PUBLIC) and use other security measures to protect the ANONYMOUS$USER directory.
Create a welcome banner.
When an anonymous user logs in, FTP informs the user of the account's restrictions. You can use the TCPIP$FTP_ANONYMOUS_WELCOME logical name add more information to the welcome text for anonymous users.
Define this logical using the following format:
$ DEFINE/SYSTEM/EXEC TCPIP$FTP_ANONYMOUS_WELCOME "Anonymous User Account"
Specify the file name and location for the log files generated by FTP sessions.
Use the TCPIP$FTP_ANONYMOUS_LOG logical name. If you do not define TCPIP$FTP_ANONYMOUS_LOG, FTP puts the files in SYS$SYSDEVICE:[TCPIP$FTP]TCPIP$FTP_ANONYMOUS.LOG.
Set this logical when the FTP server is not running. For example, to shut down the FTP server, define the file name and location of the log file, and then restart the server, enter the following commands:
$ @SYS$STARTUP:TCPIP$FTP_SHUTDOWN.COM $ DEFINE/SYSTEM TCPIP$FTP_ANONYMOUS_LOG dev:[directory]filename $ @SYS$STARTUP:TCPIP$FTP_STARTUP.COM
Where dev:[directory]filename is a complete directory and file name specification.
Specify a user name for the anonymous FTP account. Define the logical name TCPIP$FTP_ANONYMOUS_ALIAS. See Table 16-1 for more information.

Contents

Index

network	full access
batch	no access
local	no access
dialup	no access
local	no access

HP TCP/IP Services for OpenVMSManagement