HP OpenVMS Guide to System Security > Chapter 12 Security in a Network Environment

Specifying Routing Initialization Passwords

Point-to-point connections are connections over synchronous and asynchronous lines. For point-to-point connections, especially over dialup lines, you can use routing initialization passwords to verify that the initiating node is authorized to form a connection with your node. Each end of a point-to-point circuit can establish a verifier to transmit to the other node and specify a verifier expected from the other node. Before the link is established, each node verifies that it received the expected verifier from the other node.

Passwords are usually optional for point-to-point connections but are required for dynamic asynchronous connections. To provide increased security when a remote node requests a dynamic asynchronous connection (which is normally maintained only for the duration of a telephone call), the node requesting the dynamic connection supplies a password, but the node receiving the login request is prevented from revealing a password to the requesting node. The network address, node name, and password of the requesting node have to match the local system's routing authorization data.

Establishing a Dynamic Asynchronous Connection

A dynamic asynchronous DECnet connection is a temporary connection between two nodes, normally over a telephone line through the use of modems. The line at each end of the connection can be switched from a terminal line to a dynamic asynchronous DECnet line. Configuration of dynamic asynchronous lines is performed automatically by DECnet during establishment of a dynamic connection. A dynamic asynchronous connection is normally maintained only for the duration of a telephone call.

NOTE: A dynamic asynchronous connection to an OpenVMS node can be initiated from any node that supports the DECnet asynchronous DDCMP protocol.

On an OpenVMS node, you can perform steps 1 and 2 of the dynamic asynchronous connection process before you turn on the network at your node (step 3). The later steps of the process (starting with step 4) must occur when the line is being switched to DECnet.

Follow the steps outlined below to establish a dynamic asynchronous DECnet connection. This procedure assumes the local OpenVMS node is originating the connection and switching the terminal line on for DECnet use. The connection must be to an OpenVMS node on which you have an account with NETMBX privilege. The steps also indicate the actions that the system manager at the remote OpenVMS node must perform in order for the dynamic asynchronous DECnet link to be established successfully.

  1. Log in to the SYSTEM account and enter the following commands interactively (or include them in the SYS$MANAGER:SYSTARTUP_VMS.COM command procedure before you boot the system). These commands load the asynchronous driver NODRIVER (NOA0) and install DYNSWITCH software on your system.

    $ RUN SYS$SYSTEM:SYSGEN
    SYSGEN> CONNECT NOA0/NOADAPTER
    SYSGEN> EXIT
    $ INSTALL:=$SYS$SYSTEM:INSTALL
    $ INSTALL/COMMAND
    INSTALL> CREATE SYS$LIBRARY:DYNSWITCH/SHARE -
    _ /PROTECT/HEADER/OPEN
    INSTALL> EXIT

    The system manager of the remote OpenVMS node must also enter these commands.

    Additionally, the system manager at the remote OpenVMS node must enter the commands given below. These commands enable the use of virtual terminals for the terminal line that is to be switched, and set the DISCONNECT characteristic for the terminal line. (The virtual terminal capability permits the process to continue running if the physical terminal you are using becomes disconnected.)

    $ RUN SYS$SYSTEM:SYSGEN
    SYSGEN> CONNECT VTA0/NOADAPTER/DRIVER=TTDRIVER
    SYSGEN> EXIT
    $ SET TERMINAL/EIGHT_BIT/PERMANENT/MODEM/DIALUP -
    _$ /DISCONNECT device-name:

    Device-name is the name of the terminal port to which the dynamic asynchronous connection is made.

  2. Establish the required transmit password at the originating end of the dynamic asynchronous dialup link. The transmit password is the password sent to the remote node during connection startup. Use NCP to enter a command to define the transmit password for the remote node. The password can contain one to eight alphanumeric characters and should not contain any spaces. Specify the following commands:

    $ RUN SYS$SYSTEM:NCP
    NCP> DEFINE NODE node-id TRANSMIT PASSWORD password
    NCP> EXIT

    Node-id is the name of the remote node with which your node is forming a connection.

    In the following example, the node name of your local node is LOCALA, the transmit password is PASSA, and the remote node with which you are creating a dynamic asynchronous dialup link is REMOTC:

    $ RUN SYS$SYSTEM:NCP
    NCP> DEFINE NODE REMOTC TRANSMIT PASSWORD PASSA
    NCP> EXIT

    For each remote node with which you will create a dynamic asynchronous DECnet dialup link, you must define a transmit password in a separate command.

    The system manager for the node at the other end of the connection must define that same password as a receive password for your node (the password expected to be received from your node). The remote system manager should also specify the parameter INBOUND ROUTER or INBOUND ENDNODE, to indicate the type of node (router or end node) that is expected to initiate the dynamic connection. These are the commands the remote manager should enter:

    $ RUN SYS$SYSTEM:NCP
    NCP> DEFINE NODE node-id -
    _ RECEIVE PASSWORD password INBOUND node-type
    NCP> EXIT

    For example, if your node LOCALA is an end node and your transmit password is PASSA, the manager at REMOTC should issue the following command:

    $ RUN SYS$SYSTEM:NCP
    NCP> DEFINE NODE LOCALA RECEIVE PASSWORD PASSA INBOUND ENDNODE
    NCP> EXIT

  3. Ensure that DECnet is running on both nodes for the remaining steps. If you have not already done so, turn on the network by entering the following command (and request that the remote system manager also do so):

    $ @SYS$MANAGER:STARTNET

    If the network was already running before you began the dynamic asynchronous connection procedure, enter these commands to cause the permanent database entry to be entered in the volatile database:

    $ RUN SYS$SYSTEM:NCP
    NCP> SET NODE node-id ALL
    NCP> EXIT

  4. The remaining steps can be performed by any OpenVMS user with NETMBX privilege. Log in to your local OpenVMS system, and enter the following DCL command on your terminal to cause your process to function as a terminal emulator (which makes the remote terminal appear to be a local terminal connection):

    SET HOST/DTE device-name:

    Device-name is the name of your local terminal port that is connected to the modem. If both systems use modems with autodial capabilities, you can optionally include the /DIAL qualifier on the SET HOST/DTE command to cause automatic dialing of the modem on the remote node, as follows:

    SET HOST/DTE/DIAL=number device-name:

  5. If you are not using automatic dialing, dial in to the remote node manually.

  6. Once the dialup connection is made and you receive the remote OpenVMS system welcome message, log in to your account on the remote node.

  7. While logged in to your account on the remote node, enter the following command to cause the line to be switched to a DECnet line automatically:

    $ SET TERMINAL/PROTOCOL=DDCMP/SWITCH=DECNET

    The following message indicates that the DECnet link is being established:

    %REM-S-END - control returned to local-nodename::
    $

    To check whether the communications link has come up, specify the following command on the local system:

    $ RUN SYS$SYSTEM:NCP
    NCP> SHOW KNOWN CIRCUITS
    NCP> EXIT

    The resulting display should list a circuit identified by the mnemonic TT or TX, depending on the asynchronous device installed on the line, and indicate that it is in the ON state.

    When the DCL prompt appears on your terminal screen, you can begin to communicate with the remote node over the asynchronous DECnet connection.

  8. As an alternative to switching the terminal line to a DECnet line automatically (as described in step 7), you can switch the line manually. If you originate a dynamic connection to an OpenVMS node from a node that is not running OpenVMS software, manual switching is required; from an OpenVMS system, it is optional. If you are originating the connection from a node that is not running OpenVMS software, follow system-specific procedures to log in to the remote OpenVMS node by means of terminal emulation.

    Once you are logged in to the remote node, two steps are required to perform manual switching:

    1. Using your account on the remote OpenVMS node, specify the SET TERMINAL command described in step 7, but add the /MANUAL qualifier:

      $ SET TERMINAL/PROTOCOL=DDCMP/SWITCH=DECNET/MANUAL

      You receive the following message from the remote node indicating the remote system is switching its line to DECnet use:

      %SET-I-SWINPRG The line you are currently logged over is becoming
      a DECnet line

    2. You should exit from the terminal emulator and switch your line manually to a DECnet line. The procedure depends on the specific operating system on which you are logged in.

      The following example shows how an OpenVMS user originating a dynamic connection would perform this procedure:

      • Exit from the terminal emulator by pressing the backslash (\) key and the Ctrl key simultaneously on your OpenVMS system.

      • Enter the following command to switch your terminal line to a DECnet line manually:

        $ SET TERMINAL/PROTOCOL=DDCMP TTA0:

        TTA0 is the name of the terminal port on the local node.

      • Enter NCP commands to turn on the line and circuit connected to your terminal port TTA0 manually, as in the following example:

        $ RUN SYS$SYSTEM:NCP
        NCP> SET LINE TT-0-0 RECEIVE BUFFERS 4 -
        _ LINE SPEED 2400 STATE ON
        NCP> EXIT

        Asynchronous DECnet is then started on the local OpenVMS node.

  9. You can terminate the dynamic asynchronous link in one of two ways:

    • Break the telephone connection.

    • Run NCP and turn off either the asynchronous line or circuit. The two commands you can use are as follows:

      $ RUN SYS$SYSTEM:NCP
      NCP> SET LINE dev-c-u STATE OFF
      NCP> SET CIRCUIT dev-c-u STATE OFF
      NCP> EXIT

      If either of the above NCP commands is entered at the remote node, the line returns to terminal mode immediately. If the command is entered at the local (originating) OpenVMS node, the remote line and circuit remain on for approximately four minutes and then the line returns to terminal mode.
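The following Python model is an added example and is not code from the HP OpenVMS manual or from DECnet itself. It illustrates the routing initialization password check described at the start of this section and the TRANSMIT PASSWORD / RECEIVE PASSWORD / INBOUND entries defined in step 2: the originating node presents the transmit password it holds for the remote node, and the remote node accepts the link only if the presented node name, node type and password all match its own routing authorization data, replying with accept or reject and never with a password of its own. For a static point-to-point circuit the check runs in both directions. The class and function names, REMOTC's node type, and the failure cases are assumptions made for this illustration; LOCALA, REMOTC and PASSA are the manual's own example values.

```python
# Added example (not from the HP OpenVMS manual): models the NCP node database
# entries and the verifier exchange described in the text. Names are assumptions.
import re
from dataclasses import dataclass, field
from typing import Optional

# Manual: a password has one to eight alphanumeric characters and no spaces.
PASSWORD_RE = re.compile(r"^[A-Za-z0-9]{1,8}$")


def valid_password(pw: str) -> bool:
    """True if pw satisfies the stated NCP password format."""
    return bool(PASSWORD_RE.match(pw))


@dataclass
class NodeEntry:
    """Routing authorization data held for one remote node."""
    transmit: Optional[str] = None  # password we send to that node at link startup
    receive: Optional[str] = None   # password we expect to receive from it
    inbound: Optional[str] = None   # "ROUTER" or "ENDNODE" expected to initiate


@dataclass
class Node:
    """A DECnet node and its node database, keyed by remote node id."""
    name: str
    node_type: str  # "ROUTER" or "ENDNODE"
    database: dict = field(default_factory=dict)

    def define_node(self, node_id, transmit=None, receive=None, inbound=None):
        """Like NCP> DEFINE NODE node-id TRANSMIT/RECEIVE PASSWORD ... INBOUND ...;
        parameters left as None keep their previous value."""
        for pw in (transmit, receive):
            if pw is not None and not valid_password(pw):
                raise ValueError(f"invalid password for {node_id}: {pw!r}")
        if inbound not in (None, "ROUTER", "ENDNODE"):
            raise ValueError(f"invalid INBOUND value: {inbound!r}")
        entry = self.database.setdefault(node_id, NodeEntry())
        if transmit is not None:
            entry.transmit = transmit
        if receive is not None:
            entry.receive = receive
        if inbound is not None:
            entry.inbound = inbound

    def verifier_for(self, peer):
        """Transmit password sent when this node starts a link to peer."""
        entry = self.database.get(peer)
        return entry.transmit if entry else None

    def accept_inbound(self, peer, peer_type, verifier):
        """Accept the link only if the initiating node's name, type and presented
        password all match our database; the answer reveals none of our passwords."""
        entry = self.database.get(peer)
        if entry is None or entry.receive is None:
            return False
        if entry.inbound is not None and entry.inbound != peer_type:
            return False
        return verifier == entry.receive


def dynamic_async_link(originator, responder):
    """Dynamic asynchronous connection: the originator supplies its transmit
    password and the responder verifies it; no password flows the other way."""
    presented = originator.verifier_for(responder.name)
    return responder.accept_inbound(originator.name, originator.node_type, presented)


def point_to_point_link(a, b):
    """Point-to-point circuit with verifiers at both ends: each node checks the
    verifier it receives, and the link comes up only if both checks pass."""
    a_ok = a.accept_inbound(b.name, b.node_type, b.verifier_for(a.name))
    b_ok = b.accept_inbound(a.name, a.node_type, a.verifier_for(b.name))
    return a_ok and b_ok


def demo():
    """Replay the manual's LOCALA/REMOTC example plus constructed failure cases."""
    locala = Node("LOCALA", "ENDNODE")
    remotc = Node("REMOTC", "ROUTER")  # REMOTC's node type is an assumption
    locala.define_node("REMOTC", transmit="PASSA")
    remotc.define_node("LOCALA", receive="PASSA", inbound="ENDNODE")
    results = {"correct": dynamic_async_link(locala, remotc)}
    locala.define_node("REMOTC", transmit="PASSB")  # wrong password
    results["wrong_password"] = dynamic_async_link(locala, remotc)
    locala.define_node("REMOTC", transmit="PASSA")
    as_router = Node("LOCALA", "ROUTER", locala.database)  # right password, wrong type
    results["wrong_type"] = dynamic_async_link(as_router, remotc)
    stranger = Node("OTHER", "ENDNODE", locala.database)  # no entry at REMOTC
    results["unknown_node"] = dynamic_async_link(stranger, remotc)
    # Static point-to-point circuit: both ends hold transmit and receive passwords.
    locala.define_node("REMOTC", receive="PASSC")
    remotc.define_node("LOCALA", transmit="PASSC")
    results["p2p_both_ok"] = point_to_point_link(locala, remotc)
    remotc.define_node("LOCALA", transmit="WRONG")  # one side presents a bad verifier
    results["p2p_one_side_bad"] = point_to_point_link(locala, remotc)
    return results


if __name__ == "__main__":
    for case, up in demo().items():
        print(f"{case:18s} link {'ON' if up else 'OFF'}")
```

Running the module prints which of the constructed cases bring the link up; only the correct password with the expected node type, and the point-to-point case where both verifiers match, do. The responder's `accept_inbound` returns only a boolean, mirroring the rule that the node receiving the request never reveals a password to the requester.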

Figure 12-2 “A Typical Dynamic Asynchronous Connection” shows the establishment of a dynamic asynchronous connection. The commands that must be entered at each end of the connection are shown in Example 12-3 “Sample Commands for a Dynamic Asynchronous Connection”.

Figure 12-2 A Typical Dynamic Asynchronous Connection

Example 12-3 Sample Commands for a Dynamic Asynchronous Connection

Commands issued at both the local OpenVMS node (LOCALA)
and the remote OpenVMS node (REMOTC):
$ RUN SYS$SYSTEM:SYSGEN
SYSGEN> CONNECT NOA0/NOADAPTER
SYSGEN> EXIT
$ INSTALL:=$SYS$SYSTEM:INSTALL
$ INSTALL/COMMAND
INSTALL> CREATE SYS$LIBRARY:DYNSWITCH/SHARE/PROTECT/HEADER/OPEN
INSTALL> EXIT
Commands issued at the remote node (REMOTC):
$ RUN SYS$SYSTEM:SYSGEN
SYSGEN> CONNECT VTA0/NOADAPTER/DRIVER=TTDRIVER
SYSGEN> EXIT
$ SET TERMINAL/EIGHT_BIT/PERMANENT/MODEM/DIALUP/DISCONNECT TTB0:
$ RUN SYS$SYSTEM:NCP
NCP> DEFINE NODE LOCALA RECEIVE PASSWORD PASSA INBOUND ENDNODE
NCP> SET NODE LOCALA ALL
NCP> EXIT
Commands issued at the local node (LOCALA):
$ RUN SYS$SYSTEM:NCP
NCP> DEFINE NODE REMOTC TRANSMIT PASSWORD PASSA
NCP> SET NODE REMOTC ALL
NCP> EXIT
$ SET HOST/DTE/DIAL=8556543 TTA0:
! After dialing in automatically to REMOTC,
! log in to your account on REMOTC.
$ SET TERMINAL/PROTOCOL=DDCMP/SWITCH=DECNET
%REM-S-END - control returned to LOCALA::
$