HP DCE for OpenVMS Alpha and OpenVMS I64
Installation and Configuration Guide



5.5.1 Security Migration

After you install the new security server version on a host where an older version security replica (master or slave) exists, that replica will operate with the new Security Server, but with the behavior of the older version server. Note that a server based on OSF DCE 1.1 or higher cannot create a new replica and operate it as an older version replica. Once OSF DCE Release 1.1 has been installed on all hosts that have security replicas, you must issue a single cell-wide command that simultaneously migrates all the replicas to operate at the level of DCE 1.1. At this point the cell will support new security features such as extended registry attributes.

Note

Once you have migrated the security servers to DCE 1.1 or higher, it is not possible to create a replica on a host running an earlier version.

If all of the Security Server replicas in your cell are based on OSF DCE Release 1.1, you can perform the final migration steps in this section.

If your cell is still running any Security Servers based on a DCE release prior to OSF DCE Release 1.1, do not complete the upgrade steps in this section. The upgrade steps will advance some security database attributes. Older servers cannot operate on newer version databases.

Once you have installed and configured DCE for OpenVMS Version 3.2 Security Servers in your cell, perform the following actions as cell administrator:

  1. Ensure that at least one security replica can write to the cell profile. Use the following operation to check that the cell-profile ACL contains the entry user:dce-rgy:rw-t---.


        $ dcecp -c acl show -io /.:/cell-profile 
    

  2. On all Security Servers, set the server version to: secd.dce.1.1.


        $ dcecp -c registry modify -version secd.dce.1.1 
    

  3. Verify that the version has been set to secd.dce.1.1.


        $ dcecp -c registry show 
    

Note

If you have not updated all 1.0.3 security replicas to DCE 1.1, any original 1.0.3 replicas will be stopped when you move the registry version forward to DCE 1.1. You may want to verify that any original 1.0.3 replicas are no longer running.
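
A pre-flight check for steps 1 and 3 above, as an added example that is not part of the HP guide: it reads saved output of the two dcecp commands and reports what still blocks the migration or shows it did not take effect. The brace-list output layout, the function names, and the older-version placeholder are assumptions, and all sample output is constructed.

```python
import re

REQUIRED_RIGHTS = set("rwt")      # rights in the entry that step 1 looks for
TARGET_VERSION = "secd.dce.1.1"   # value set in step 2


def parse_acl(text):
    """Return {(entry_type, key): perms} from saved ACL output.

    Accepts the colon form written in step 1 (user:dce-rgy:rw-t---) and a
    brace form ({user dce-rgy rw-t---}); the brace form is an assumption
    about how dcecp prints entries.
    """
    entries = {}
    for line in text.splitlines():
        fields = [f for f in re.split(r"[:\s{}]+", line) if f]
        if len(fields) == 3:
            entries[(fields[0], fields[1])] = fields[2]
        elif len(fields) == 2:            # keyless entry such as any_other
            entries[(fields[0], None)] = fields[1]
    return entries


def cell_profile_writable(acl_text, principal="dce-rgy"):
    """True if the principal's user entry carries every required right."""
    perms = parse_acl(acl_text).get(("user", principal))
    # A '-' in the permission string only marks a right that is absent.
    return perms is not None and REQUIRED_RIGHTS <= set(perms)


def registry_version(show_text):
    """Extract the value of the version attribute, or None if missing."""
    match = re.search(r"\bversion[\s:]+([^\s{}]+)", show_text)
    return match.group(1) if match else None


def migration_report(acl_text, show_text):
    """List the problems found; an empty list means both checks passed."""
    problems = []
    if not cell_profile_writable(acl_text):
        problems.append("no user:dce-rgy entry with rw-t rights on the cell profile")
    found = registry_version(show_text)
    if found != TARGET_VERSION:
        problems.append(f"registry version is {found!r}, expected {TARGET_VERSION!r}")
    return problems


# Constructed sample output (not captured from a real cell).
ACL_OK = "{unauthenticated r--t---}\n{user cell_admin rwdtcia}\n{user dce-rgy rw-t---}\n"
ACL_READONLY = "{unauthenticated r--t---}\n{user dce-rgy r--t---}\n"
SHOW_DONE = "{mingid 100}\n{version secd.dce.1.1}\n"
SHOW_OLD = "{mingid 100}\n{version older-version-placeholder}\n"

if __name__ == "__main__":
    for name, acl, show in [("ready", ACL_OK, SHOW_DONE), ("not ready", ACL_READONLY, SHOW_OLD)]:
        print(name, "->", migration_report(acl, show) or "all checks passed")
```
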

5.5.2 CDS Migration

If you have installed and configured DCE for OpenVMS Version 3.2 CDS servers in your cell, you might need to perform additional steps to complete the upgrade process.

If you created a new DCE cell and, during the dcesetup process, you set the default directory version information for each CDS server to Version 4.0, you do not need to perform the migration steps in this section.

If your cell is still running any security or CDS servers based on a DCE release prior to OSF DCE Release 1.1, do not complete the upgrade steps in this section. The upgrade steps will advance some security database and CDS directory attributes. Older servers cannot operate on newer version databases or directories.

DCE for OpenVMS Version 3.0 (or equivalent) features, such as hierarchical cells and alias cells, will be available only when all of your cell's security and CDS servers are running DCE for OpenVMS Version 3.0 or higher and the upgrade steps have been completed. Refer to the HP DCE for OpenVMS Alpha and OpenVMS I64 Product Guide and to the OSF DCE documentation for descriptions of available features.

Once the necessary DCE servers have been upgraded to DCE software based on OSF DCE Release 1.1 or 1.2.2, you can perform the migration steps in this section. The migration steps will enable the use of hierarchical cells, alias cells, and delegation.

Note

Directory version information can only be set forward. If you migrate a CDS server to OSF DCE 1.1 or 1.2.2 behavior, you cannot revert that server to 1.0.3 behavior.

Once you have installed and configured DCE for OpenVMS Version 3.2 (or equivalent) security servers and CDS servers, perform the following actions as cell administrator:

  1. If you have not done so, perform the security migration steps in Section 5.5.1, Security Migration.
  2. For all CDS clearinghouses, manually update the CDS_UpgradeTo attribute to 4.0. The following two operations ensure that new directories created in this clearinghouse will receive the correct directory version number:


    $ dcecp -c clearinghouse modify /.:/dummy_ch -add "{CDS_UpgradeTo 4.0}" 
    $ dcecp -c clearinghouse verify chname 
    

  3. Manually upgrade all older directory version information to 4.0 as follows:


    $ dcecp -c directory modify /.: -upgrade -tree 
    

The -tree option operates recursively on all subdirectories (in this example, it operates on the entire cell). This command does not work unless all CDS servers housing the affected directories are running DCE for OpenVMS Version 3.0 or higher. This command can take a long time to execute depending on the size of the namespace.

5.6 Running the DCE Configuration Verification Program

Once the DCE daemons are started, you can run the DCE Configuration Verification Program (CVP) to ensure that the DCE services are properly installed. The procedure prompts you with the following message:


   Do you want to run the DCE Configuration Verification Program? (YES/NO/?)[Y]: 

If you enter Y or press RETURN, the procedure indicates that the CVP is running.


    Executing DCE for OpenVMS Alpha V3.2 CVP (please wait) 
 
    Copyright (c) Hewlett-Packard Development Company 2005. All Rights Reserved. 
 
    Verifying 
    . 
    . 
    . 
    . 
    . 
    . 
    . 
    . 
    . 
    . 
    . 

The CVP invokes tests of the 10 DCE RPC interfaces, printing a dot (.) as each test is successful. A completely successful test execution results in 10 dots printed in succession. When the CVP tests are completed successfully, you receive the following message:


    DCE for OpenVMS V3.2 CVP completed successfully 

Note

You can repeat the CVP whenever you want by choosing option 8 (Run Configuration Verification Program) from the DCE Setup Main Menu.

After you run the CVP, the configuration procedure updates your system startup procedure so that the daemons restart automatically whenever the system is rebooted.

5.7 Error Recovery During Configuration

If the procedure encounters any errors during DCE system configuration, it displays error messages. Some errors are not fatal, and the procedure attempts to continue. Other errors are fatal, and the procedure terminates. If a fatal error is encountered while the procedure is starting the DCE daemons, the procedure attempts to stop any daemons that have already been started. This returns the system to its original state before you began the configuration.

If you receive an error message at any time while running the DCE System Configuration utility, you can get more detailed information about the cause of the error by examining the associated log file in SYS$MANAGER:DCE$SETUP.LOG. This log file contains a record of the operations invoked by the System Configuration utility the last time it was executed, and may help you diagnose the cause of the problem.

Sometimes the cause of an error is transitory and may not recur if you repeat the operation.


Chapter 6
Modifying Cell Configuration

This chapter describes the steps you need to complete to modify a cell configuration.

6.1 Modify Configuration Menu

The Modify Configuration Menu varies slightly depending on which components are currently enabled. If a component is enabled, the menu displays the option to disable it. If the component is disabled, the menu displays the option to enable it. In the following view, all options are disabled.


    *** Modify Configuration Menu ***

    DCE for OpenVMS Alpha V3.2

     1)     Add Replica CDS Server
     2)     Add Replica Security Server
     3)     Change from DTS Global Server to DTS Local Server
     4)     Change from DTS Global Server to DTS clerk
     5)     Add Null Time Provider
     6)     Add NTP Time Provider
     7)     Enable Auditing
     8)     Enable DCE Integrated Login
     9)     Enable Kerberos 5
    10)     Configure LDAP Name Service
    11)     Add LDAP Client Service
    12)     Enable LDAP GDA
    13)     Register in X.500

     0)  Exit        Return to previous menu
     ?)  Help        Display helpful information

    Please enter your selection:

Table 6-1 provides descriptions of the options available on the DCE Modify Configuration Menu.

Table 6-1 Modify Configuration Menu Options

| Option | Description |
|---|---|
| Add Replica CDS Server | Adds a CDS Replica clearinghouse to the configuration on this host. The host must be an existing client or split cell configuration. |
| Add Replica Security Server | Adds a Security Replica to the configuration on this host. The host must be an existing client or split cell. |
| Change from DTS Global Server to DTS Local Server | Downgrades an existing DTS Global Server to a DTS Local Server on this host. |
| Change from DTS Global Server to DTS clerk | Downgrades an existing DTS Global Server to a DTS clerk on this host. |
| Add Null Time Provider | Adds a DTS Null Time Provider to the existing configuration on this host. |
| Add NTP Time Provider | Adds a DTS NTP Time Provider to the existing configuration on this host. |
| Enable Auditing | Enables the DCE auditing daemon to allow the capture and display of DCE audit trails. |
| Enable DCE Integrated Login | Provides support for Integrated Login, which combines the DCE and OpenVMS login procedures. See the HP DCE for OpenVMS Alpha and OpenVMS I64 Product Guide for information about Integrated Login. |
| Enable Kerberos 5 | Enables DCE on this host to coexist with other Kerberos 5 implementations. |
| Configure LDAP Name Service | Configures the LDAP Name Service on this host to allow DCE to utilize LDAP as a transport for Intercell communications and NSID. |
| Add LDAP Client Service | Adds host-specific information in the LDAP namespace; that is, creates server, group, and profile entries for LDAP like those entries that are used for CDS during the DCE client configuration. |
| Enable LDAP GDA | Enables DCE's Global Directory Agent (GDA) to use LDAP to perform cross-cell directory service operations. |
| Register in X.500 | Registers the host DCE information in the X.500 namespace, allowing the cell to use X.500 to perform cross-cell directory service operations. |

6.2 Adding a Replica CDS Server

If you want to create a replica of the master CDS server on your machine, you can do so on a system that has already been configured as a client, or on a system that has not yet been configured for DCE. The following example assumes no prior configuration.

Choose option 1 (Add Replica CDS Server) from the Modify Configuration Menu. The configuration utility asks whether to search the LAN for known cells within broadcast range of your system.


    Would you like to search the LAN for known cells? (YES/NO/?) [Y] : 

If you know the name of your DCE cell, answer N. As prompted, supply the name of your DCE cell, your DCE host name, and the host name of your cell's master CDS server. You also need to specify whether your host can broadcast to the host where the master CDS server is installed.

Answer Y to see a list of available DCE cells. As prompted, supply your DCE host name. At the next prompt, supply the appropriate DCE cell name from the list.

You are asked to enter your DCE host name:


    Please enter your DCE host name [myhost]: 

The procedure then displays a list of the cells within broadcast range of your system and asks you to enter the name of your DCE cell. After you enter the cell name, the procedure displays the following messages and asks whether the local system time is correct:


    Gathering list of currently accessible cells 
 
    The following cells were discovered within broadcast range of this system: 
 
    buster_cell 
    kauai_cell 
    myhost_cell 
    tahoe_cell 
 
    Please enter the name of your DCE cell: myhost_cell. 
 
    Please enter your DCE hostname [myhost] 
 
        Terminating RPC Services/DCE Security Client daemon (DCE$DCED)  . . . 
 
            *** RPC (DCED) shutdown successful  *** 
 
 
        Starting RPC & Security Client Services daemon (DCE$DCED) . . . 
   %RUN-S-PROC-ID, identification of created process is 238110C0 
 
        Starting CDS Name Service Advertiser daemon (DCE$CDSADVER) . . . 
    %RUN-S-PROC-ID, identification of created process is 238110C1 
 
        Starting CDS Name Service Client daemon (DCE$CDSCLERK) . . . 
    %RUN-S-PROC-ID, identification of created process is 238110C2 
 
    Testing access to CDS server (please wait)... 
 
            Attempting to locate security server 
            Found security server 
            Creating dce$local:[etc.security]pe_site.; file 
            Checking local system time 
            Looking for DTS servers in this LAN 
            Found DTS server 
 
        The local system time is: Wed Jul 12 11:31:52 1998 
 
    Is this time correct? (y/n): 

Please check the time before you respond to this prompt.

Make sure you check that the correct time is displayed before you continue with the configuration. If the time is incorrect, answer N, and the procedure exits to the operating system to allow you to reset the system time. After you correct or verify the time, answer Y, and the procedure continues with the following message (if you have DECnet/OSI installed and configured):


    You seem to have DECnet/OSI installed on this system. DECnet/OSI 
    includes a distributed time synchronization service (DECdts), which 
    does not currently support the DCE Distributed Time Service (DCE DTS) 
    functionality. The DCE DTS in this release provides full DECdts 
    functionality. This installation will stop DECdts and use DCE DTS 
    instead. For further clarification, please consult the HP DCE 
    for OpenVMS Alpha and OpenVMS I64 Product Guide. 

Even though DCE DTS will be used, it is possible to accept time from DECdts servers.


    Should this node accept time from DECdts servers? (YES/NO/?) [N]: 

Answer Y to accept time from any DECnet/OSI DECdts server; however, time from this source is unauthenticated. If you answer N, this system accepts time only from DCE DTS servers.


    Do you want this system to be a DTS Local Server (YES/NO/?) [N]: 

If DECnet/OSI is not installed, this system must be configured as either a DTS clerk or a DTS server. For a complete description of the differences between DTS clerks and servers, consult the section on how DTS works in the OSF DCE Administration Guide. HP recommends that you configure three DTS servers per cell.

After you respond, the procedure stops the CDS advertiser and asks you to perform a dce_login operation. After you log in, the procedure configures the system as a client system and asks for a clearinghouse name:


        Starting CDS Name Service Server daemon (DCE$CDSD) . . . 
    %RUN-S-PROC-ID, identification of created process is 238110C3 

When configuring the CDS server, the procedure asks:


    What is the name for this clearinghouse? [myhost_ch]: 

Specify a name for this clearinghouse that is unique in this cell. The procedure displays the following messages and asks whether you want to replicate more directories.


            Initializing the name space for additional CDS server... 
 
            Modifying acls on /.:/myhost_ch 
 
            Modifying acls on /.:/hosts/myhost/cds-server 
 
            Modifying acls on /.:/hosts/myhost/cds-gda 
 
    Do you wish to replicate more directories? (YES/NO/?): 

The root directory from the CDS master server has just been replicated. You can replicate more directories if you want by answering Y. Next, you are prompted for the name of a CDS directory to be replicated.


    Enter the name of a CDS directory to be replicated: 

Enter the name of a CDS directory existing in the master CDS namespace that you want to replicate on this system. Type the directory name without the /.:/ prefix; it is added automatically. When you are finished, press only the RETURN key. The procedure displays the following messages and asks whether you want to run the CVP.

If your system is already configured as a CDS Replica Server, this option will show "Remove Replica CDS Server" on the Modify Configuration Menu.

Choose this option if you want to remove a CDS Replica Server from your DCE configuration. You will not affect the rest of your system's DCE configuration.

6.3 Adding a Security Replica

If you want to add a replica security server to your system, choose option 2 (Add Replica Security Server) from the Modify Configuration Menu. When you choose this option, the procedure will configure the system as a DCE client system if it is not already so configured.

Once the client configuration has neared completion, or if the system is currently a DCE client, the following messages will be displayed:


        Configuring security replica server (DCE$SECD) 

The procedure will prompt you to enter the security replica name.


    Enter the security replica name (without subsys/dce/sec) [dcehost]: 

After you enter your security replica name, you are prompted to enter a keyseed. Enter several random characters.


    ******************************************************************** 
    * Starting the security server requires that you supply            * 
    * a 'keyseed.' When asked for a 'keyseed,' type some               * 
    * random, alphanumeric keystrokes, followed by RETURN.             * 
    * (You won't be required to remember what you type.)               * 
    ******************************************************************** 
 
    Enter keyseed for initial database master key: 

The procedure continues, displaying information similar to the following, but dependent on your configuration:


    Modifying acls on /.:/sec/replist... 
 
    Modifying acls on /.:/subsys/dce/sec... 
 
    Modifying acls on /.:/sec... 
 
    Modifying acls on /.:... 
 
    Modifying acls on /.:/cell-profile... 
 
        Starting Security Service Server daemon (DCE$SECD) . . . 
 
            Waiting for registry propagation... 
 
    Do you want to run the DCE Configuration Verification Program? (y/n/?) [y]: 

If your system is already configured as a Security Replica Server, option 2 on the Modify Configuration Menu shows "Remove Replica Security Server".

Choose option 2 if you want to remove a Security Replica from your DCE configuration. Its removal does not affect the rest of your system's DCE configuration.

When the procedure is completed, the Modify Configuration Menu is displayed again.

6.4 Adding/Removing a DTS Local Server

If you want to add a DTS server to your machine, you can do so on a system that has already been configured as a client, or on a system that has not yet been configured for DCE. Choose option 3 (Add DTS Local Server) from the Modify Configuration Menu.

If the system has not yet been configured for DCE, it will be configured as a DCE client.

Also choose option 3 if you want to modify your configuration from a DTS Local Server to a DTS clerk. This operation does not affect the rest of your system's DCE configuration.

6.5 Adding a DTS Global Server

If you want to add a DTS Global Server to your system, choose option 4 (Add DTS Global Server) from the Modify Configuration Menu.

If your system is already configured as a DTS Global Server, option 4 shows Change from DTS Global Server to DTS Clerk. Choose this option if you want to modify your configuration from a DTS Global Server to a DTS Clerk.

When the procedure is completed, the Modify Configuration Menu is displayed again.

