HP DCE for OpenVMS Alpha and OpenVMS I64
Installation and Configuration Guide




    You seem to have DECnet/OSI installed on this system. DECnet/OSI
    includes a distributed time synchronization service (DECdts), which
    does not currently support the DCE Distributed Time Service (DCE DTS)
    functionality. The DCE DTS in this release provides full DECdts
    functionality. This installation will stop DECdts and use DCE DTS
    instead. For further clarification, please consult the HP DCE
    for OpenVMS Alpha and OpenVMS I64 Product Guide.

Even though DCE DTS will be used, it is possible to accept time from DECdts servers.

    Should this node accept time from DECdts servers? (YES/NO/?) [N]:

    Do you want this system to be a DTS Server (YES/NO/?) [Y]:

    Do you want this system to be a DTS Global Server (YES/NO/?) [N]:

    Does this cell use multiple LANs? (YES/NO/?) [N]:

Answer the questions appropriately.

  • The configuration utility asks if you want to run the MIT Kerberos 5 services on this machine. A Y answer runs the configuration utility.


    Do you intend to run MIT Kerberos 5 services on this machine? (YES/NO/?)  [N] 
    

  • The configuration utility asks if you want to configure the LDAP name service on this system. A yes answer prompts the question, "Do you want to configure the system as an LDAP client?" and requires that you enter further information regarding LDAP services.


        Do you want to configure the LDAP name service? (YES/NO/?) [N]: 
    

  • The configuration utility asks if you want to configure gdad to use LDAP. (gdad is the daemon for the Global Directory Agent.)


    Do you want to configure gdad to use LDAP? (YES/NO/?) [N]: 
    

  • Next, the screen displays your selections and asks whether to save them as your DCE system configuration. Answer Y.
  • All previous temporary and permanent DCE databases and configuration files are now removed prior to starting the new configuration.
  • The configuration utility asks you to enter some random keystrokes in order to supply a keyseed for the security server.


        *********************************************************************** 
        *  Starting the security server requires that you supply              * 
        *  a `keyseed.'  When asked for a `keyseed,' type some                * 
        *  random, alphanumeric keystrokes, followed by RETURN.               * 
        *  (You won't be required to remember what you type.)                 * 
        *********************************************************************** 
     
        Enter keyseed for initial database master key: 
    

  • The configuration utility asks you to enter the password for the cell_admin account, and asks for confirmation.


    Please type new password for cell_admin (or `?' for help): 
     
    Type again to confirm: 
    

  • The DCE daemons are started and configuration information is set up. After the dts daemon is started, you are prompted to run the DCE Configuration Verification Program (CVP). Press RETURN to start the CVP.
  • To verify that all requested services are configured, choose option 2 (Show DCE configuration and active daemons) from the DCE Setup Main Menu. The screen displays all configured DCE services and active DCE daemons.

    You have completed creating a cell.

    5.3 Configuring Your System as a DCE Client with Run-Time Services

    If you want to add your system to an existing cell, choose option 1 (Configure this system as a DCE Client) from the Configuration Choice Menu. This option configures the run-time services subset on your system.

    Note

    During the initial DCE client configuration, the client software may have problems locating the Cell Directory Service server if the Internet protocol netmask for your client machine is not consistent with the netmask used by other machines operating on the same LAN segment. You might need to consult your network administrator to determine the correct value to use as a netmask on your network.
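
The netmask problem described in this note can be checked before running the client configuration. The following is an added example, not part of the HP guide: it compares the network and broadcast address that each host on a segment derives from its own netmask and reports the host that disagrees with the rest. Host names and addresses are constructed sample values, and `broadcast_reaches` is a simplified model that assumes a broadcast is only usable when sender and receiver derive the same broadcast address.

```python
import ipaddress
from collections import Counter

# Constructed sample data: host names and addresses are illustrative only.
SEGMENT_HOSTS = {
    "cdsmaster": ("10.1.2.5", "255.255.255.0"),
    "peer": ("10.1.2.17", "255.255.255.0"),
    "dcehost": ("10.1.2.30", "255.255.0.0"),  # client with the wrong netmask
}


def segment_view(ip, netmask):
    """Return (network, broadcast address) as a host derives them from its own netmask."""
    network = ipaddress.IPv4Interface(f"{ip}/{netmask}").network
    return network, network.broadcast_address


def broadcast_reaches(sender, receiver):
    """Simplified model (assumption): a broadcast from `sender` is treated as a
    broadcast by `receiver` only if both derive the same broadcast address."""
    return segment_view(*sender)[1] == segment_view(*receiver)[1]


def netmask_outliers(hosts):
    """Return the names of hosts whose derived network differs from the majority view."""
    networks = {name: segment_view(ip, mask)[0] for name, (ip, mask) in hosts.items()}
    majority, _count = Counter(networks.values()).most_common(1)[0]
    return sorted(name for name, net in networks.items() if net != majority)


if __name__ == "__main__":
    for name, (ip, mask) in SEGMENT_HOSTS.items():
        net, bcast = segment_view(ip, mask)
        print(f"{name:10} {ip:12} mask {mask:15} network {net} broadcast {bcast}")
    print("inconsistent netmask on:", netmask_outliers(SEGMENT_HOSTS))
    print("dcehost broadcast reaches cdsmaster:",
          broadcast_reaches(SEGMENT_HOSTS["dcehost"], SEGMENT_HOSTS["cdsmaster"]))
```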

    When you choose option 1, the procedure displays the following messages:


        Starting DCE client configuration . . . 
     
        At each prompt, enter your response.  You may enter RETURN for 
        the default response, displayed in [brackets], or `?' for help. 
        Entering a CONTROL-Z will terminate this configuration request. 
     
        Press RETURN to continue . . . 
     
        Removing temporary local DCE databases and configuration files 
     
        Removing permanent local DCE databases and configuration files 
     
                        Starting client configuration 
     
            Initializing RPC & Security Client Services daemon (DCE$DCED) . . . 
        %RUN-S-PROC-ID, identification of created process is 2380A9A6 
     
            Starting RPC & Security Client Services daemon (DCE$DCED) . . . 
        % RUN-S-PROC-ID, identification of created process is 238110A8 
    

    The configuration utility asks whether to search the LAN for known cells within the broadcast range of your system.


        Would you like to search the LAN for known cells? (YES/NO/?) [Y]: 
    

    If you know the name of your DCE cell, answer N. As prompted, supply the name of your DCE cell, your DCE host name, and the host name of your cell's master CDS server. You also need to specify whether your host can broadcast to the host where the master CDS server is installed.

    Answer Y to see a list of available DCE cells. As prompted, supply your DCE host name. At the next prompt, supply the appropriate DCE cell name from the list.


            Gathering list of currently accessible cells (please wait) 
     
        Please enter your DCE hostname [dcehost]: 
     
        The following cells were discovered within broadcast range of this system: 
     
        Buster-cell 
        Kauai-cell 
        Myhost-cell 
        Tahoe-cell 
     
        Please enter the name of your DCE cell [buster-cell]: 
    

    If you do not know the name of the cell you want to join, consult your network administrator. Do not add the /.../ prefix to the cell name; the procedure automatically adds it.

    The prompt might contain a cell name that is the last configured cell name for this host or the first cell name from the alphabetical list of available cells. If you enter a cell name that is not on the list of cell names, the procedure assumes you are performing a WAN configuration, and asks you whether the CDS server is located on the same LAN or subnet.


        Is the CDS Master Server within broadcast range (YES/NO/?) [N]: 
    

    After you enter your cell name, the procedure continues, displaying information similar to the following, but dependent on your configuration:


        Terminating RPC Services/Dce Security Client daemon (DCE$DCED) . . . 
     
                ***  RPC (DCED) shutdown successful  *** 
     
            Starting RPC & Security Client Services daemon (DCE$DCED) . . . 
        % RUN-S-PROC-ID, identification of created process is 238110B0 
     
            Starting CDS Name Service Advertiser daemon (DCE$CDSADVER) . . . 
        % RUN-S-PROC-ID, identification of created process is 238110B1 
     
            Starting CDS Name Service Client daemon (DCE$CDSCLERK) . . . 
        % RUN-S-PROC-ID, identification of created process is 238110B2 
     
       Could not find security master using dcecp registry show 
     
                    Attempting to locate security server 
                    Found security server 
                    Creating dce$local:[etc.security]pe_site.; file 
                    Checking local system time 
                    Looking for DTS servers in the LAN profile 
                    Looking for Global DTS servers in this cell 
                    Found DTS server 
     
            The local system time is: Wed October 13 12:01:14 1999 
     
        Is this time correct? (y/n): 
    

    Check that the displayed time is correct before you continue with the configuration. If the time is incorrect, answer N, and the procedure exits to the operating system to allow you to reset the system time. After you correct or verify the time, answer Y, and the procedure resumes.

    If DECnet/OSI is installed on your system, the configuration utility displays the following message and then asks several questions about configuring a DCE Distributed Time Service server on your system.


        You seem to have DECnet/OSI installed on this system. DECnet/OSI 
        includes a distributed time synchronization service (DECdts), which 
        does not currently support the DCE Distributed Time Service (DCE DTS) 
        functionality. The DCE DTS in this release provides full DECdts 
        functionality.  This installation will stop DECdts and use DCE DTS 
        instead.  For further clarification, please consult the HP DCE 
        for OpenVMS Alpha and OpenVMS I64 Product Guide. 
    

    Even though DCE DTS will be used, it is possible to accept time from DECdts servers.


        Should this node accept time from DECdts servers? (YES/NO/?) [N]: 
    

    Answer Y to accept time from any DECnet/OSI DECdts server; however, time from this source is unauthenticated. If you answer N, this system accepts time only from DCE time servers.

    If DECnet/OSI is not installed on your system, the configuration utility omits the previous DECdts questions and instead asks:


        Do you need the Distributed Time Service (YES/NO/?) [Y]: 
    

    Answer Y to configure the host as a DTS client.

    The configuration utility asks if you want to run the MIT Kerberos 5 services on this machine. An answer of Y runs the configuration utility.


      Do you intend to run MIT Kerberos 5 services on this machine? (YES/NO/?)  [N]: 
    

    After you respond to the prompt, the procedure stops the CDS advertiser and clerk and asks you to perform a dce_login operation, as follows:


            Terminating CDS Name Service Advertiser daemon (DCE$CDSADVER) . . . 
     
            Terminating CDS Name Service Client daemon (DCE$CDSCLERK) . . . 
     
        Please enter the principal name to be used [cell_admin]: 
        Please enter the password for principal "cell_admin" (or ? for help): 
    

    Obtain the password from your system administrator. After you perform the dce_login operation, the procedure begins configuring the security client software. If this system was previously configured as a DCE client or your cell has another host with the same name, the configuration utility also displays a list of client principals that already exist for this system and asks whether to delete the principals. You must delete these principals to continue with the configuration.


            Configuring security client 
             Creating Dce$Specific:[krb5]krb.conf 
     
        The following principal(s) already exist under /hosts/dcehost/: 
     
        /./buster-cell/hosts/dcehost/self 
     
     
        Do you wish to delete these principals? (YES/NO/?) [Y]: 
     
                Deleting client principals 
     
                Creating ktab entry for client 
     
            Terminating RPC & Security Client Services daemon (DCE$DCED) . . . 
     
            Starting RPC & Security Client Services daemon (DCE$DCED) . . . 
        %RUN-S-PROC-ID, identification of created process is 238110B3 
     
            Starting sec_client service (please wait). 
     
     
            This machine is now a security client. 
     
        Press <RETURN> to continue . . . 
     
            Configuring CDS client 
                Creating the cds.conf file 
     
            Starting CDS Name Service Advertiser daemon (DCE$CDSADVER) . . . 
        %RUN-S-PROC-ID, identification of created process is 238110B4 
     
            Starting CDS Name Service Client daemon (DCE$CDSCLERK) . . . 
        %RUN-S-PROC-ID, identification of created process is 238110B5 
     
        Testing access to CDS server (please wait). 
     
     
        Logging in to DCE using principal "cell_admin" . . . 
        Checking TCP/IP local host database address of "dcehost". Please wait . . . 
        
        Configuring client host objects in cell namespace . . . 
     
                Creating /.:/hosts/dcehost objects in name space 
     
        Checking TCP/IP local host database for address of "dcehost". Please 
        wait . . . 
    

    If your cell uses multiple LANs, you are prompted as follows:


        Please enter the name of your LAN [1.2.3]: 
    

    If your LAN has not been defined in the namespace, you are asked whether you want to define it. The configuration procedure then continues:


            This machine is now a CDS client. 
     
                Stopping sec_client service... 
     
            Starting sec_client service (please wait). 
     
                Modifying acls on /.:/hosts/dcehost/config 
                   secval 
                   xattrschema 
                   srvrexec 
                   keytab 
                   keytab/self 
                   hostdata 
                   hostdata/dce_cf.db 
                   hostdata/cell_name 
                   hostdata/pe_site 
                   hostdata/cds_attributes 
                   hostdata/cds_globalnames 
                   hostdata/host_name 
                   hostdata/cell_aliases 
                   hostdata/post_processors 
                   hostdata/svc_routing 
                   hostdata/cds.conf 
                   hostdata/passwd_override 
                   hostdata/group_override 
                   hostdata/krb.conf 
                   srvrconf 
     
        Logging in to DCE using principal "cell_admin" . . . 
     
            Configuring DTS daemon as client (DCE$DTSD) 
     
            Starting Distributed Time Service daemon (DCE$DTSD) . . . 
        %RUN-S-PROC-ID, identification of created process is 238110B5 
     
    This machine is now a DTS clerk. 
     
     
    Do you want to run the DCE Configuration Verification Program? (YES/NO/?) [Y]: 
    

    The DCE Configuration Verification Program (CVP) exercises the components of DCE that are running in this cell. It requires approximately 1 to 2 minutes to run.

    If you type y to run the CVP at this time, you see the following display:


        Executing DCE for OpenVMS Alpha V3.2 CVP (please wait) 
     
        Copyright (c) Hewlett-Packard Development Company 2005. All Rights Reserved. 
     
        . 
        . 
        . 
        . 
        . 
        . 
        . 
        . 
        . 
        . 
        . 
     
        DCE for OpenVMS Alpha V3.2 CVP completed successfully 
    

    When the procedure is completed, the DCE Setup Main Menu is displayed again.

    5.4 Split Server Configuration (Adding a Master CDS Server)

    This section discusses a split server installation in which a new cell and the master Security Server are created on one system and the master CDS Server is configured on another system. The master CDS Server maintains the master replica of the cell root directory.

    A split server configuration has four phases:

    5.4.1 Creating a New Cell and Master Security Server

    This is the first phase of a split server configuration. Begin this phase by creating the new cell on the machine where the master security server will reside. Choose option 2 (Create a new DCE cell) from the Configuration Choice Menu. Answer the prompts appropriately for the cell name and host name. Then answer N at the following prompt:


    Do you wish to configure myhost as a CDS server? (YES/NO/?) [Y]: N 
    

    Proceed through the rest of the configuration answering the remaining questions as shown in section 5.1, until you get to the following:


    ******************************************************************************* 
    * This system has now been configured as a security server.                   * 
    * Since you chose not to configure this system as a CDS server,               * 
    * you must now configure another system as the Master CDS Server              * 
    * for this cell (Option 1 on the dcesetup Main Menu, Option 3 on              * 
    * the Configuration Choice Menu.)                                             * 
    *                                                                             * 
    * When the Master CDS server has been installed and configured,               * 
    * press the <RETURN> key to continue configuring this system.                 * 
    ******************************************************************************* 
    

    Go to the machine where you will configure the master CDS Server.

    5.4.2 Creating a Master CDS Server on Another System

    This is the second phase of a split server configuration. You must have created a new cell and begun configuring the security server on another machine. Log on to the system on which you want to install the CDS master server, and choose option 3 (Add Master CDS Server) from the Configuration Choice Menu.

    Answer the following prompts:


        Please enter the name of your DCE cell []: 
     
        Please enter your DCE hostname [myhost2]: 
    

    The procedure asks:


        Will there be any DCE pre-R1.1 CDS servers in this cell? (YES/NO/?) [N]: 
    

    If your cell will be running any CDS servers based on OSF DCE Release 1.0.3a or lower, you should answer Y. The configuration utility sets the directory version number to 3.0 for compatibility with pre-R1.1 servers. This disables the use of OSF DCE Release 1.1 features such as alias cells, CDS delegation ACLs, and so on.

    If all CDS servers in your cell will be based on DCE for OpenVMS Version 3.0 or higher (or an equivalent DCE version based on OSF DCE Release 1.1 or higher) answer N. The configuration utility sets the directory version number to 4.0 for compatibility with DCE for OpenVMS (Version 3.0 or OSF DCE Release 1.1 or higher) CDS servers. This enables the use of OSF DCE Release 1.1 features such as alias cells, CDS delegation ACLs, and so on. Once the directory version is set to 4.0, you cannot set it back to 3.0.
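
Two of the answers in this chapter have lasting security consequences: accepting time from DECdts servers (section 5.3, unauthenticated time) and the pre-R1.1 CDS server question above (directory version 3.0 or 4.0). The following is an added example, not part of the HP guide or of the DCE kit: it reads a saved configuration session log, resolves each YES/NO answer against its default, and lists those two decisions for review. It assumes the log echoes the operator's answer after the prompt, as in the `[Y]: N` line shown in section 5.4.1; the sample transcript is constructed.

```python
import re

# Matches prompts such as:
#   Should this node accept time from DECdts servers? (YES/NO/?) [N]: Y
# The colon is optional because the guide shows one prompt without it.
PROMPT_RE = re.compile(
    r"^\s*(?P<question>.+?)\s*\(YES/NO/\?\)\s*"
    r"\[(?P<default>[YN]?)\s*\]:?\s*(?P<answer>\S*)\s*$",
    re.IGNORECASE,
)

# (text found in the prompt, answer that triggers the note, note for the reviewer).
# The consequences are the ones stated in the guide.
REVIEW_RULES = [
    ("accept time from DECdts servers", "Y",
     "node accepts unauthenticated time from DECdts servers"),
    ("pre-R1.1 CDS servers", "Y",
     "directory version 3.0: R1.1 features such as CDS delegation ACLs are disabled"),
    ("pre-R1.1 CDS servers", "N",
     "directory version 4.0: cannot be set back to 3.0"),
]

# Constructed sample session log (not captured from a real system).
SAMPLE_TRANSCRIPT = """\
    Should this node accept time from DECdts servers? (YES/NO/?) [N]: Y
    Do you want this system to be a DTS Server (YES/NO/?) [Y]:
    Will there be any DCE pre-R1.1 CDS servers in this cell? (YES/NO/?) [N]: ?
    Will there be any DCE pre-R1.1 CDS servers in this cell? (YES/NO/?) [N]: yes
    Do you intend to run MIT Kerberos 5 services on this machine? (YES/NO/?)  [N]
    Do you wish to delete these principals? (YES/NO/?) [Y]:
"""


def parse_answers(transcript):
    """Return (line number, question, effective answer 'Y' or 'N') for each prompt."""
    answers = []
    for lineno, line in enumerate(transcript.splitlines(), start=1):
        match = PROMPT_RE.match(line)
        if not match:
            continue
        typed = match.group("answer")
        if typed.startswith("?"):
            continue  # help request: the utility repeats the prompt
        # RETURN on its own selects the default shown in brackets.
        effective = (typed or match.group("default"))[:1].upper()
        if effective in ("Y", "N"):
            answers.append((lineno, match.group("question"), effective))
    return answers


def audit(transcript):
    """Return (line number, answer, note) for answers that deserve a second look."""
    findings = []
    for lineno, question, answer in parse_answers(transcript):
        for needle, trigger, note in REVIEW_RULES:
            if needle.lower() in question.lower() and answer == trigger:
                findings.append((lineno, answer, note))
    return findings


if __name__ == "__main__":
    for lineno, answer, note in audit(SAMPLE_TRANSCRIPT):
        print(f"line {lineno}: answered {answer}: {note}")
```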

    The procedure configures accordingly and prompts you to enter the host name of the security server that you just configured.


        What is the hostname of the Security Server for this cell? []: 
    

    The configuration procedure continues, and requests additional client information as described in section 5.2. The procedure configures the requested services, and then prompts you to complete the configuration of the security server on the other machine before continuing:


      ****************************************************************************** 
      * This system has now been configured as the Master CDS Server.              * 
      *                                                                            * 
      * Before continuing, complete the configuration of the Security              * 
      * Server...                                                                  * 
      ****************************************************************************** 
     
        Press <RETURN> to continue: 
    

    Return to the system on which you configured the security server.

    5.4.3 Completing the Security Server Configuration

    This is the third phase of a split server configuration. You must have created a new cell and begun configuring the Security Server on one machine. Then you created a master CDS Server on another machine. Now you will complete the Security Server configuration on the first machine.

    Return to the system on which you configured the Security Server and press the RETURN key. The following prompt is displayed:


    What is the hostname of the Master CDS Server for this cell [ ]: 
    

    The configuration procedure proceeds as described in the section Overview of New Cell Configuration.

    Once the Security Server configuration is complete, return to the host on which you are configuring the master CDS Server and complete the installation.

    5.4.4 Completing the CDS Master Server Configuration

    This is the fourth and final phase of a split server configuration. You must have created a new cell and begun configuring the security server on one machine. Then you created a master CDS server on another machine. You completed the security server configuration on the first machine. Now you will complete the CDS master server configuration.

    Completion of this phase consists of running the configuration verification program:


    Do you want to run the DCE Configuration Verification Program? (YES/NO/?) [Y]: 
    

    You can run the CVP now by answering Y, or you can run the CVP at a later time by answering N. The procedure completes the configuration and returns to the DCE Setup Main Menu. Choose option 2 (Show DCE configuration and active daemons) from the DCE Setup Main Menu to verify your configuration choices.

    5.5 Migrating Your Cell

    Some DCE cells may be running security or CDS servers on hosts with different versions of DCE. This might happen because a cell has DCE software from multiple vendors, each supplying upgrades at different times. Or perhaps upgrading all the hosts simultaneously is not feasible.

    DCE for OpenVMS Version 3.2 security servers and CDS servers can interoperate with older servers (based on OSF DCE Release 1.0.3a, 1.0.2, and so on). However, new DCE security features associated with OSF DCE Release 1.1 and DCE Release 1.2.2 will generally not be available until all security server replicas in your cell are based on OSF DCE Release 1.1 and 1.2.2. Additionally, new CDS capabilities will not be available until all security servers and some or all CDS servers are based on OSF DCE Release 1.1 and 1.2.2.

    If your cell contains older versions of Security or CDS Servers, you will need to migrate (gradually upgrade) older servers until all of them are running DCE server software based on OSF DCE Release 1.1 and 1.2.2. Once all Security or CDS Servers have been upgraded, you must perform some additional steps so that your servers can provide the new security and CDS capabilities.

    Security Servers and CDS Servers use separate procedures to complete migration. Security Migration provides the instructions for completing Security server migration. CDS migration provides the instructions for completing CDS Server migration.

