HP TCP/IP Services for OpenVMS

Previous Contents Index Solving Timeout Problems with SNMP Subagents

If queries from a client to an OpenVMS SNMP server are consistently timing out, consider solutions on either the client or server side. For information about checking the client side, refer to the HP TCP/IP Services for OpenVMS SNMP Programming and Reference guide.

On the server:

Before making extensive modifications to either the client or the server, consider analyzing the network load for congestion problems.

14.6.7 Disabling SNMP OPCOM Messages

To disable OPCOM messages for SNMP, enter the following command sequence:


Be aware that when you disable OPCOM messages, you may be suppressing information that is useful for solving problems.

Part 4
Configuring Network Applications

Part 4 describes how to set up popular networking end-user applications and includes the following chapters:

Chapter 15
Configuring and Managing TELNET

The TCP/IP Services product includes and implementation of the TELNET end-user application.

This chapter describes how to set up your host as a TELNET server.

For information about using TELNET, see the HP TCP/IP Services for OpenVMS User's Guide. For information about using the TELNET print symbiont, see Chapter 25.

This chapter describes:

15.1 Managing TELNET

Managing TELNET includes the following tasks:

15.1.1 TELNET Startup and Shutdown

The TELNET service can be shut down and started independently of TCP/IP Services. This is useful when you change parameters or logical names that require the service to be restarted.

The following files are provided:

To preserve site-specific parameter settings and commands, create the following files. These files are not overwritten when you reinstall TCP/IP Services:

15.1.2 Managing TELNET with Logical Names

Table 15-1 lists the logical names you can use in managing the TELNET service.

Table 15-1 TELNET Logical Names
Logical Name Description
TCPIP$TELNET_NO_REM_ID Disables the intrusion detection mechanism used by DECnet network login logicals SYS$REM_ID, SYS$REM_NODE, SYS$NODE_FULLNAME. When this logical is set to TRUE, the SYS$REM* logicals are not set, thus bypassing intrusion-detection on logins. By default, this logical is not set.
TCPIP$TELNET_TRUST_LOCATION Disables all login attempts from port 8 on this server, regardless of the target user name. The location specified by the client is used to set the SYS$REM* logical names. The result is the TELNET server trusts the client's location string. This setting is not recommended since it allows clients to log in from various locations, avoiding the limit on invalid logins. By default, this logical is not set.
TCPIP$TELNET_VTA Enables TELNET virtual terminals. Set the logical to TRUE to enable virtual terminals on TELNET connections. Set the logical to FALSE to disable them. For example:


15.1.3 Setting Up User Accounts

Hosts typically run a TELNET server with TELNET client software. Users on client hosts need valid accounts on server hosts before using TELNET to establish a remote session.

If your local host is to be a TELNET server, create OpenVMS accounts for remote users. You can create several individual accounts or one account that many remote users will share.

15.1.4 Creating and Deleting Sessions

You can create and delete TELNET sessions from within a command procedure or interactively. Enter the DCL command TELNET with the /CREATE_SESSION or /DELETE_SESSION qualifier. These qualifiers have the same function as the following commands:

TELNET> CREATE_SESSION host port dev-unit


For example:


You can create a TELNET device that times out after a specified idle period then reconnects when data is written to it. Use the /TIMEOUT qualifier to specify the idle time and the reconnection interval, as described in the following table:
Qualifier Description
/TIMEOUT Creates a TELNET device that has the following connection attributes:
  • NOIDLE---The connection is broken when the device is finally deassigned. The device will automatically reconnect when data is written to it.
  • IDLE---Specifies the idle time for the device (in the format hh:mm:ss). Note that the time has a granularity of 1 second. If the device is idle for at least the specified amount of time, then the connection will be broken. "Idle" means that the device has neither received nor sent any data for the idle period.
  • NORECONNECTION---The device does not automatically retry reconnections if they fail.
  • RECONNECTION---When data is written to the device and it is not connected, this value determines the interval between reconnection attempts. For example, if an application writes to a TN with a RECONNECTION value of 0:1:00 and the first connection attempt fails, subsequent connection attempts will be made in 1-minute intervals.
/NOTIMEOUT Creates a TELNET device that breaks the connection when the device is finally deassigned (the last channel assignment is deassigned).

15.1.5 Displaying Login Messages

To display login and logout messages at the operator's console and log file, enter:


15.1.6 TELNET Client (TN3270)

IBM 3270 Information Display System (IDS) terminal emulation (TN3270) lets users make connections to hosts that use IBM 3270 model terminals.

TN3270 has default IBM 3270 IDS function assignments for DIGITAL keyboards. In addition, users can make their own assignments and might ask you for help. TCP/IP Services provides EBCDIC-to-DMCS and DMCS-to-EBCDIC translation tables you can customize. Appendix B describes how to customize and rebuild these translation tables.

For more information about using TN3270, enter the following DCL command:

$ HELP TN3270 

15.1.7 Configuring and Managing the Kerberos TELNET Server

Kerberos is a network authentication protocol designed to provide strong authentication for client/server applications by using secret-key cryptography. Kerberos uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection. The TCP/IP TELNET service uses Kerberos to make sure the identity of any user who requests access to a remote host is authentic.

TCP/IP Services supports Kerberos security for TELNET connections, providing a Kerberos TELNET server and a Kerberos TELNET client.

Before you can use the Kerberos TELNET client, the OpenVMS Security Client software must be configured on the OpenVMS system. For more information about installing and configuring the OpenVMS Security Client software, see the HP Open Source Security for OpenVMS, Volume 3: Kerberos manual.

It is assumed that anyone using the Kerberos security features in TCP/IP has expert knowledge of Kerberos.


Encryption is not supported in this version of TCP/IP Services.

For information about using the Kerberos TELNET client, refer to the HP TCP/IP Services for OpenVMS User's Guide. Configuring the Kerberos TELNET Server

TCP/IP Services supports a separate Kerberos TELNET server, in addition to the standard TCP/IP TELNET server.

You can enable the TELNET server with Kerberos support by selecting the Kerberos TELNET server from the TCPIP$CONFIG.COM command procedure, as described in the HP TCP/IP Services for OpenVMS Installation and Configuration guide. Connecting to the Kerberos TELNET Server

The Kerberos TELNET server uses port 2323. Specify this port on the TELNET command line. For example:

$ TELNET/AUTHENTICATE terse.mbs.com /PORT=2323 
%TELNET-I-TRYING, Trying ... 
%TELNET-I-SESSION, Session 01, host terse.mbs.com, port 2323 
-TELNET-I-ESCAPE, Escape character is ^] 
 Welcome to OpenVMS (TM) Alpha Operating System, Version V7.3 

15.1.8 Kerberos Principal Names

Before you use the Kerberos TELNET client, make sure the local host name is fully qualified in the local hosts database. Kerberos realms form principal names using fully-qualified domain names. For example, terse.mbs.com is a fully qualified domain name; terse is a simple host name.

HP TCP/IP Services for OpenVMS is usually configured so that the host name is entered in the hosts database as a simple host name. That is, on host TERSE, the TCP/IP management command SHOW HOST TERSE returns terse , not terse.mbs.com .

To correct a mismatch between the Kerberos realm and the TCP/IP Services configurations, follow these steps from a privileged account at a time when system usage is low:

  1. Find the host's numeric address. For example:

    $ TCPIP 
    TCPIP> SHOW HOST terse 
         LOCAL database 
    Host address    Host name 
    15.28.311.11   terse 

  2. Remove the simple host name. For example:


  3. Use the SET HOST command to associate the fully qualified domain name with the IP address, as shown in the following example:

    TCPIP> SET host "terse.mbs.com"/ADDRESS=15.28.311.11 - 
    _TCPIP> /ALIAS=("TERSE.MBS.COM", "terse", "TERSE") 

    Specify the /ALIAS qualifier to ensure that applications can handle host names in uppercase and lowercase.

  4. Confirm that the first name returned is fully qualified.

    TCPIP> SHOW HOST terse 
         LOCAL database 
    Host address    Host name 
    15.28.311.11   terse.mbs.com, TERSE.MBS.COM, terse, TERSE 

15.2 Solving TELNET Problems

To improve TELNET performance, try modifying some of the internet parameters. These changes might also decrease the use of system resources.

15.2.1 TELNET Characteristics That Affect Performance

The settings for the TELNET systemwide characteristics might affect TCP/IP Services and TELNET performance. To display the TELNET systemwide characteristics, enter:


The command generates a display similar to the following:

Service: TELNET 
  State:  Enabled 
 Port: 23  Protocol:  TCP  Address: 
 Inactivity:  1  User_name: Process:  not defined 
 Limit:30  Active: 1  Peak:  4 
 File: not defined 
 Flags:  Listen Priv Rtty 
 Socket Opts:  Keepalive 
 Receive: 3000  Send:  3000 
 Log Opts:  Actv Dactv Conn Error Logi Logo Mdfy Rjct Addr 
 File:  not defined 
 Reject msg:  not defined 
 Accept host: 
 Accept netw: 

15.2.2 Requests That Cannot Be Satisfied

The TELNET server sends the following error message for a TELNET login request that cannot be satisfied:


This error is due to insufficient local resources, such as:

Verify that the CHANNELCNT parameter (in SYSGEN) is larger than the number of simultaneous TELNET and RLOGIN sessions that you plan to support.

Chapter 16
Configuring and Managing FTP

The File Transfer Protocol (FTP) software transfers files between "nontrusted" hosts. Nontrusted hosts require user name and password information for remote logins.

The TCP/IP Services product includes an implementation of the FTP end-user applications.

This chapter describes:

For information on using FTP, see the HP TCP/IP Services for OpenVMS User's Guide.

16.1 Managing FTP

Managing FTP consists of the the following tasks:

16.1.1 Enabling and Disabling FTP

After FTP is configured by TCPIP$CONFIG, the postinstallation configuration procedure, it is started automatically when TCP/IP Services is started. To disable FTP when TCP/IP Services starts, use the SET CONFIGURATION NOSERVICE command.

See the HP TCP/IP Services for OpenVMS Management Command Reference for descriptions of the SET SERVICE and SET CONFIGURATION SERVICE commands.

16.1.2 FTP Startup and Shutdown

The FTP service can be shut down and started independently from TCP/IP Services. This is useful when you change parameters or logical names that require the service to be restarted.

The following command procedures are provided:

To preserve site-specific parameter settings and commands, create the following files. These files are not overwritten when you reinstall TCP/IP Services:

16.1.3 Configuring Anonymous FTP

Anonymous FTP is an FTP session in which a user logs in to the remote server using the user name ANONYMOUS and, by convention, the user's real user name as the password.

On the local FTP server, local users can access files without password authentication. Remote users do not require an account. File access is controlled by regular OpenVMS access restrictions.

When you use TCPIP$CONFIG to establish an ANONYMOUS account, a new account is created with the UIC [ANONY,ANONYMOUS] (by default, [3376,xx]), user name ANONYMOUS, account ANONY, default directory SYS$SYSDEVICE:[ANONYMOUS], and the following types of login access:
network full access
batch no access
local no access
dialup no access
local no access

The usual OpenVMS file protection codes restrict file access for inbound anonymous FTP sessions to this directory, its subdirectories, and files with an owner attribute of [ANONY,ANONYMOUS].

When the ANONYMOUS account has been created, a remote FTP client can:

You can set up guest and public directories for bulletin board or group interest. Make sure the directory protections are set to read-only or read/write, as needed.

In the following example, UNIX user ubird connects to the ANONYMOUS account on OpenVMS host TRAGOPAN. TRAGOPAN asks for ubird 's password, which is not echoed. In response to this request, the user should supply the local system user name for identification purposes.

% ftp tragopan 
Connected to tragopan.asian.pheasant.edu. 
220 tragopan.asian.pheasant.edu FTP Server (Version 5.1) Ready. 
Name (tragopan:wings): ANONYMOUS 
331 Guest login ok, send ident as password. 
Password: CARIBBEAN 
230  Guest login ok, access restrictions apply. 
        Welcome to HP TCP/IP Services for OpenVMS  
        on internet host TRAGOPAN    Date 24-JUN-2000 
FTP> Concealed File Systems

The FTP server processes each command individually as it receives the command and displays a reply based on the command parameters. A reply can include a file specification that displays part of the server file system. Setting Up Anonymous FTP

Complete the following steps to set up anonymous FTP access on your system:

  1. Use the TCPIP$CONFIG procedure to create an account named ANONYMOUS with the password GUEST.
    To create the ANONYMOUS user account, select Optional Components from the main menu, then select Setup Anonymous FTP Account and Directories.
  2. Set user account access restrictions NOLOCAL, NOBATCH, NOREMOTE, and NODIALUP.
  3. Optionally, create public directories and assign to them the devices names GUEST$PUBLIC and ANONYMOUS$USER. HP neither creates nor recommends the use of these directories. If you create these directories, be careful to set protections on them to allow read access only (for GUEST$PUBLIC) and use other security measures to protect the ANONYMOUS$USER directory.
  4. Create a welcome banner.
    When an anonymous user logs in, FTP informs the user of the account's restrictions. You can use the TCPIP$FTP_ANONYMOUS_WELCOME logical name add more information to the welcome text for anonymous users.
    Define this logical using the following format:


  5. Specify the file name and location for the log files generated by FTP sessions.
    Set this logical when the FTP server is not running. For example, to shut down the FTP server, define the file name and location of the log file, and then restart the server, enter the following commands:

    $ DEFINE/SYSTEM TCPIP$FTP_ANONYMOUS_LOG dev:[directory]filename

    Where dev:[directory]filename is a complete directory and file name specification.

  6. Specify a user name for the anonymous FTP account. Define the logical name TCPIP$FTP_ANONYMOUS_ALIAS. See Table 16-1 for more information.

Previous Next Contents Index