HP Technology Forum 2006
Advanced OpenVMS System Management Techniques, Tools, and Tricks
DJE Systems - http://www.djesys.com/
David J. Dachtera - djesys@earthlink.net
GET CONNECTED. People. Training. Technology.
© 2006 DJE Systems, All rights reserved. The information contained herein is subject to change without notice.

This presentation is intended to be displayed or printed in the "Notes View" so it reads like a text book. If you are viewing this as a "Slide View" .PDF (Adobe Acrobat file), download the .PPT (PowerPoint presentation) from: http://www.djesys.com/vms/support/1065.ppt

Agenda - Logical Names
• Logical name tables
  − Logical name table search order
  − Modifying the search order
• Logical name types
  − Single translation
  − Search list
  − "Rooted" (concealed) logical names
• Lexical function caveat: F$TRNLNM() differs from F$LOGICAL()

Agenda - Logical Names, cont'd
• Cluster-wide logical names
  − Caveats
• SYS$COMMON notes
  − Caveats (VMS$COMMON)
• Site-specific paths
  − Organizing local system management code

Agenda - Network Topics
• TCP/IP
  − TCP/IP Services (fka UCX)
  − Multinet
  − TCPware
  − CMU/IP (VAX only)
• DECnet
  − Access control
  − FAL logging
• TCP/IP Services (fka UCX)
  − Access control

Agenda - Network Topics, cont'd
• LAT
• MOP
• Remote access
• Remote procedures
  − Types
  − Security concerns
• Network alerts
  − OPCOM alerts for DECnet network access
  − OPCOM alerts for FTP network access

Agenda - System Startup
• STARTUP phases
• STARTUP parameters
• Site-specific startups
  − Logging SYSTARTUP_VMS.COM
  − Node-specific startups
  − Saving a crash dump at start-up time
  − DEFINE-ing group logicals
  − Soft-coding the number of logins allowed at startup
• SYSMAN and STARTUP
• Conversational boot, minimal startup

Agenda - System Shutdown
• SHUTDOWN parameters
• SHUTDOWN$xxxx logical names
• AUTOGEN shutdowns
  − AGEN$SHUTDOWN_TIME logical name
• Cluster shutdown
  − REMOVE_NODE, CLUSTER_SHUTDOWN

Agenda - AUTOGEN
• MODPARAMS.DAT
• Reports and outputs

Agenda - Useful Tips and Tricks
• An UPTIME command
• Enhanced HELP/PAGE
• Show logins (limit, current)
• A "more" command for VMS
• VMS disk "partitions": logical disks

Agenda - OpenVMS Management Tools
• StorageWorks Command Console (SWCC)
• OpenVMS Management Station
• AMDS: Availability Manager for Distributed Systems
• Availability Manager: similar to AMDS, but a Java application that runs on MS-Windows

Agenda - OpenVMS Security Essentials
• UICs and file/directory protection
• Access Control Lists (ACLs)
  − Access Control Entries (ACEs)
  − Rights identifiers and ACEs
  − Propagating ACEs and default protections
• Closing comments, Q & A
• Sources of freeware for VMS
• Disclaimer

Session 1065 - OpenVMS Logical Names

Logical Names
A form of symbol with limited or system-wide scope.
$ show logical sys$sysroot
   "SYS$SYSROOT" = "DJAS01$DKA300:[SYS0.]" (LNM$SYSTEM_TABLE)
        = "SYS$COMMON:"
1  "SYS$COMMON" = "DJAS01$DKA300:[SYS0.SYSCOMMON.]" (LNM$SYSTEM_TABLE)

Logical Name Tables
• LNM$SYSTEM_DIRECTORY
• LNM$JOB_xxxxxxxx
• LNM$GROUP_xxxxxx
• LNM$SYSTEM_TABLE
• DECW$LOGICAL_NAMES
• LNM$PROCESS_DIRECTORY

Logical Name Tables - Search Order
$ sh log/tab=* lnm$file_dev
   "LNM$FILE_DEV" = "LNM$PROCESS" (LNM$SYSTEM_DIRECTORY)
        = "LNM$JOB"
        = "LNM$GROUP"
        = "LNM$SYSTEM"
        = "DECW$LOGICAL_NAMES"

Logical Name Tables - Modifying the Search Order
$ DEFINE/TABLE=LNM$PROCESS_DIRECTORY LNM$FILE_DEV -
     LNM$PROCESS,LNM_PRIVATE,LNM$GROUP,LNM$SYSTEM,DECW$LOGICAL_NAMES
• Defines a new search list in supervisor mode, in the process directory, so it affects only this process. (Note that this example also drops LNM$JOB from the list; include it if you still want job-wide names found.)
  − Any unprivileged user can do this, which is why software that must not be redirected by its caller will only use "trusted" logical names: those in certain directories, or those DEFINEd in an "inner" (more privileged) mode.

Logical Names - Types
• Single translation:        $ DEFINE lnm value
• Search list:               $ DEFINE lnm value,value[,...]
• Concealed logical names:   $ DEFINE lnm value/TRANS=CONCEAL
• Rooted logical names:      $ DEFINE lnm ddcu:[dir.]/TRANS=CONCEAL

Logical Names - Creating and Deleting
Creating:
$ DEFINE lnm value
$ ASSIGN value lnm
Deleting:
$ DEASSIGN lnm

Logical Names - Access Modes
• User:        DEFINE/USER
• Supervisor:  DEFINE (/SUPERVISOR is the default)
• Executive:   DEFINE/EXECUTIVE, requires CMEXEC privilege
• Kernel:      can only be created by using the $CRELNM system service; requires CMKRNL privilege
Executive and kernel mode logical names are "trusted" since privilege is required to create them.

Logical Names - Single Translation
$ DEFINE lnm value
Examples:
   "LNM$PROCESS" = "LNM$PROCESS_TABLE" (LNM$PROCESS_DIRECTORY)
   "LNM$JOB" = "LNM$JOB_80D27B00" (LNM$PROCESS_DIRECTORY)
   "LNM$GROUP" = "LNM$GROUP_000030" (LNM$PROCESS_DIRECTORY)
   "LNM$SYSTEM" = "LNM$SYSTEM_TABLE" (LNM$SYSTEM_DIRECTORY)
   "SYS$LOGIN" = "DKA0:[DDACHTERA]" (LNM$JOB_80D27B00)

Logical Names - Search Lists
$ DEFINE lnm value,value[,...]
Examples:
$ sh log sys$sysroot
   "SYS$SYSROOT" = "DJAS01$DKA300:[SYS0.]" (LNM$SYSTEM_TABLE)
        = "SYS$COMMON:"
1  "SYS$COMMON" = "DJAS01$DKA300:[SYS0.SYSCOMMON.]" (LNM$SYSTEM_TABLE)
$ sh log user_exe   ! Presenter's environment, not provided by VMS.
   "USER_EXE" = "USER_IMG:" (LNM$JOB_80D27B00)
        = "USER_COM:"
        = "SYS$SPECIFIC:[SYSEXE]"
        = "SYS$COMMON:[SYSEXE]"
1  "USER_IMG" = "USER_ROOT:[EXE.ALPHA]" (LNM$JOB_80D27B00)
1  "USER_COM" = "USER_ROOT:[EXE]" (LNM$JOB_80D27B00)

Logical Names - Concealed Logical Names
$ DEFINE lnm value/TRANS=CONCEAL
Example:
$ sh log sys$sysdevice
   "SYS$SYSDEVICE" = "DJAS01$DKA300:" (LNM$SYSTEM_TABLE)
$ sh log sys$sysdevice/full
   "SYS$SYSDEVICE" [exec] = "DJAS01$DKA300:" [concealed,terminal] (LNM$SYSTEM_TABLE)

Logical Names - "Rooted" Logical Names
$ DEFINE lnm ddcu:[dir.]/TRANS=CONCEAL
Examples:
$ show logical sys$specific,sys$common,user_root
   "SYS$SPECIFIC" = "DJAS01$DKA300:[SYS0.]" (LNM$SYSTEM_TABLE)
   "SYS$COMMON" = "DJAS01$DKA300:[SYS0.SYSCOMMON.]" (LNM$SYSTEM_TABLE)
   "USER_ROOT" = "DKA0:[DDACHTERA.]" (LNM$JOB_80D27B00)

Logical Names - Using Rooted Logical Names
Examples:
$ show logical sys$sysroot,user_root,user_com,user_img
   "SYS$SYSROOT" = "DJAS01$DKA300:[SYS0.]" (LNM$SYSTEM_TABLE)
        = "SYS$COMMON:"
1  "SYS$COMMON" = "DJAS01$DKA300:[SYS0.SYSCOMMON.]" (LNM$SYSTEM_TABLE)
   "USER_ROOT" = "DKA0:[DDACHTERA.]" (LNM$JOB_80D27B00)
   "USER_COM" = "USER_ROOT:[EXE]" (LNM$JOB_80D27B00)
   "USER_IMG" = "USER_ROOT:[EXE.ALPHA]" (LNM$JOB_80D27B00)

Logical Names & Lexicals
Beware: F$LOGICAL() (deprecated) differs from F$TRNLNM().
• F$LOGICAL() uses a hard-coded search list internally: Process, Job, Group, System.
• F$TRNLNM() uses LNM$FILE_DEV (and accepts an explicit table name as its second argument), so it sees any private table you have put into the process's search order; F$LOGICAL() never will.

Cluster-Wide Logical Names
• New in V7.2.
• Defined in table LNM$SYSCLUSTER.
• LNM$SYSTEM is now a search list:
$ show log/tab=* lnm$system
   "LNM$SYSTEM" = "LNM$SYSTEM_TABLE" (LNM$SYSTEM_DIRECTORY)
        = "LNM$SYSCLUSTER"
1  "LNM$SYSCLUSTER" = "LNM$SYSCLUSTER_TABLE" (LNM$SYSTEM_DIRECTORY)

Cluster-Wide Logical Names - Caveat (pre-V8.2)
• There is no /CLUSTER qualifier for DEFINE, ASSIGN or DEASSIGN.
• Use /TABLE=LNM$SYSCLUSTER.

Cluster-Wide Logical Names - Caveat (all versions)
• The LNM$SYSCLUSTER table is synchronized across cluster nodes by a process which may or may not have been started by the time the LNM$SYSCLUSTER table is needed.
  − See the notes in SYLOGICALS.COM.

Logical Names - Notes
• VMS$COMMON is usually not found among the system logical names.
• It IS possible to have a system with a missing or corrupted VMS$COMMON. OpenVMS upgrades will fail. It is difficult to recover from, and running in this condition is not supported.

Logical Names - Leave OpenVMS-Provided Logical Names Alone
• ReDEFINE-ing things like SYS$SYSROOT can jeopardize your support position or system certification (healthcare, etc.).
• If any of these must be reDEFINEd, do it at the /PROCESS level, not system-wide.
• Make sure to leave the SYSTEM account "pristine".
• It is probably okay to do this in a privileged account other than SYSTEM.
• If these are needed at SYSTARTUP_VMS time, invoke a procedure to do the DEFINEs, invoke the procedures that need the local logical names, then clean up using DEASSIGN/PROCESS.

Logical Names - Site-Specific Paths
It is possible to organize your site-specific procedures and keep them separated from the OpenVMS files without reDEFINE-ing any logical names provided by OpenVMS.
• OpenVMS logical names usually contain a "$" (dollar sign).
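As an added example (not part of the presentation), the following DCL procedure combines the points above: a private logical name table, a process-level LNM$FILE_DEV that includes it, and the F$TRNLNM()/F$LOGICAL() difference. It uses the SYS_* naming style this talk recommends for site names; the table name LNM_SITE and the directory [XYZCORP] are assumptions.

```dcl
$! SITE_LNM.COM - added example (not from the presentation): site logical
$! names in a private table, visible to this process only.  The table name
$! LNM_SITE and the directory [XYZCORP] are assumptions.
$ SET NOON
$!
$! 1. Private table in LNM$PROCESS_DIRECTORY; it disappears with the process.
$ CREATE/NAME_TABLE LNM_SITE
$!
$! 2. Rooted, concealed search list: a file not found under the site tree
$!    is then looked for under the OpenVMS system root.
$ DEFINE/TABLE=LNM_SITE/TRANSLATION_ATTRIBUTES=CONCEALED SYS_ROOT -
     SYS$SYSDEVICE:[XYZCORP.],SYS$SYSROOT:
$ DEFINE/TABLE=LNM_SITE SYS_MANAGER  SYS_ROOT:[SYSMGR]
$ DEFINE/TABLE=LNM_SITE SYS_BACKUP   SYS_ROOT:[BACKUP]
$ DEFINE/TABLE=LNM_SITE SYS_OPERATOR SYS_ROOT:[OPERATOR]
$!
$! 3. Put the table into THIS process's search order, right after LNM$PROCESS.
$!    A LNM$FILE_DEV in the process directory overrides the one in
$!    LNM$SYSTEM_DIRECTORY for this process only; nothing system-wide changes.
$ DEFINE/TABLE=LNM$PROCESS_DIRECTORY LNM$FILE_DEV -
     LNM$PROCESS,LNM_SITE,LNM$JOB,LNM$GROUP,LNM$SYSTEM,DECW$LOGICAL_NAMES
$!
$! 4. The lexical caveat: F$TRNLNM() follows LNM$FILE_DEV and finds the name;
$!    F$LOGICAL() searches only process/job/group/system and returns "".
$ WRITE SYS$OUTPUT "F$TRNLNM  -> ", F$TRNLNM("SYS_MANAGER")
$ WRITE SYS$OUTPUT "F$LOGICAL -> ", F$LOGICAL("SYS_MANAGER")
$ SHOW LOGICAL/TABLE=LNM_SITE
$!
$! 5. Clean up, as the slides advise for anything done at process level.
$!    Removing the process-directory LNM$FILE_DEV restores the default order.
$ DEASSIGN/TABLE=LNM$PROCESS_DIRECTORY LNM$FILE_DEV
$ DEASSIGN/TABLE=LNM$PROCESS_DIRECTORY LNM_SITE
$ EXIT
```

Run it with $ @SITE_LNM from an ordinary account: no privilege is needed, which is exactly why privileged software cannot trust names defined this way.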
User (site-specific) logical names: avoid "$", use an underscore instead:
• SYS_MANAGER
• SYS_BACKUP
• SYS_OPERATOR
• SYS_HELP
• SYS_ROOT

Logical Names - Site-Specific Example
$ sho log sys_*
(LNM$PROCESS_TABLE)
(LNM$JOB_80D128C0)
(LNM$GROUP_000030)
(LNM$SYSTEM_TABLE)
   "SYS_BACKUP" = "SYS_ROOT:[BACKUP]"
   "SYS_HELP" = "SYS_ROOT:[SYSHLP]"
   "SYS_MANAGER" = "SYS_ROOT:[SYSMGR]"
   "SYS_OPERATOR" = "SYS_ROOT:[OPERATOR]"
   "SYS_ROOT" = "SYS$SYSDEVICE:[XYZCORP.]"
        = "SYS$SYSROOT:"

Logical Names - Site-Specific Tables
• Site-specific logical names for system management can be organized in their own logical name tables.
• A user logical name table can be added to LNM$FILE_DEV, but don't do that system-wide: DEFINE things /PROCESS. See the earlier example of how to modify the LNM$FILE_DEV search list for a process.
• /PROCESS is the default for DEFINE and ASSIGN if not specified.

Logical Names - Document Your Work
None of us is immortal. Remember to document your customizations THOROUGHLY! If you get hit by a bus today, will someone else be able to come in and understand what you've done?

Session 1065 - OpenVMS Networking

Networking
Network stacks for OpenVMS:
• TCP/IP
• DECnet
  − Phase IV
  − Phase V (DECnet/OSI)
Utilities:
• LANCP (works without DECnet)
• SET HOST/MOP (Phase V - NET$CCR)

Networking - TCP/IP: TCP/IP Services for OpenVMS
• Formerly known as UCX (ULTRIX Connection).
• Developed, sold and supported by HP; shares a code base with Tru64 TCP/IP.
• The management interface is somewhat weak. Some features (like adding a secondary name server and setting up NTP) require editing configuration files manually.
• Access to the non-volatile database is inconsistent: sometimes SET CONFIGURATION, sometimes SET/PERMANENT.
• In V5.4 the "High Performance Kernel" was optional, optimized for SMP. V5.5 uses it exclusively.

Networking - TCP/IP: TCPware
• Native to and developed on OpenVMS (originally on VAX/VMS, ported to Alpha).
• Developed, sold and supported by Process Software, Inc.
• Proprietary management interface, now similar to Multinet in some ways.
Networking - TCP/IP: TCPware, cont'd
• Slightly more functionality than UCX; performs better than Multinet and UCX.

Networking - TCP/IP: Multinet
• Developed from BSD 4.3 code by TGV, Inc. on VAX/VMS, ported to Alpha.
• Now developed, sold and supported by Process Software, Inc.
• Proprietary management interface.
• Functionality similar to TCPware.
• Performance is less than TCPware. Uses direct I/O, which generates a lot of interrupts; by contrast, current UCX uses buffered I/O. Sites with high transaction volumes may need to consider this.

Networking - TCP/IP: CMU/IP
• Freeware, a bit old.
• Originally developed by TEK (Tektronix), released to the Carnegie Mellon University C.S. department, and became freeware.
• VAX only; no known Alpha port.
• IPv4 only.

Networking - DECnet
• Developed by Digital for the PDP-11, migrated to VAX, ported to Alpha and I64.
• Phase IV is in use widely.
• Phase V is used where it is needed. Also known as DECnet-Plus or DECnet/OSI.

Networking - DECnet Phase IV
• Very SysAdmin friendly, but takes some getting used to.
• "Set it and forget it": easily configured, does not issue a lot of OPCOM messages unless there is trouble on the line(s).
• The specification was published and is still publicly available on the web. Google is your friend.
• Permanent database: DEFINE commands in NCP.
• Volatile database: SET commands in NCP.
• Provides the MOP remote console: CONNECT command in NCP.
• Provides MOP downline load and upline dump: LOAD and TRIGGER commands in NCP.
• Provides for remote management of other nodes: SET EXECUTOR NODE command in NCP; requires privilege and the remote node's password.

Networking - DECnet Phase V (DECnet-Plus)
• More complicated to manage; the management paradigm follows the OSI seven-layer model.
• Circuits are built from the bottom up, following the OSI seven-layer model.
• Management is performed using NCL (Network Control Language).
• The non-volatile database is a set of .NCL files; there is no "permanent" database.
Networking - DECnet Phase V (DECnet-Plus), cont'd
• OPCOM messages are more plentiful and more verbose than in Phase IV.
• Allows for diagnosis of trouble in each layer.
• Provides some features not available in Phase IV.
• The complete specification is not published.

Networking - DECnet Access Control (Phase IV)
− Set up proxy records in SYS$SYSTEM:NET$PROXY.DAT using the AUTHORIZE program.
− Enable proxy access in NCP: incoming and outgoing.
• If incoming proxy access is disabled, access defaults to the access control information of the target object instead of the source node/user.
• A proxy grants password-less access on the strength of the remote node::user pair alone, so keep proxies specific: wildcard entries (*::* or node::*) extend that trust to every user on the remote node, and anyone who can impersonate the node name on the LAN inherits it. Review them with SHOW/PROXY *::* in AUTHORIZE.

Networking - DECnet Access Control (Phase V)
− Create the proxy database if it doesn't already exist: in AUTHORIZE, CREATE/PROXY.
− Set up proxy records in AUTHORIZE.
− Enable proxy access in NCL: see the SET SESSION CONTROL statements.

Networking - DECnet FAL Logging
• Two logical names: FAL$LOG and FAL$OUTPUT.
• FAL$LOG, in SYLOGIN or the DECnet object file:
$ DEFINE FAL$LOG "1/disable=8"
  − This is an unsupported feature.
  − "1": log file name and file type access information.
  − "disable=8": disables "Poor Man's Routing", i.e. multi-hop specifications such as
$ dir node1::node2::node3::
  − Produces copious output; use with discretion.
• FAL$OUTPUT can be used to specify the name of the log file to create in place of SYS$OUTPUT:
$ DEFINE FAL$OUTPUT FAL.LOG

Networking - UCX Access Control: Trusted Relationships
• Enable "R" services between nodes without having passwords traverse the network as clear text.
• Should be used between nodes on inside networks only (inside the firewall), and then very judiciously: the trust rests on the client's source address and the user name it claims, neither of which is authenticated, so a spoofed or compromised trusted host gets in without any password. Prefer SSH where it is available.
• No .RHOSTS or HOSTS.EQUIV files. Use the ADD PROXY command in TCPIP$UCP.
• Not well documented: to make new proxies take effect, issue this command to TCPIP$UCP:
$ TCPIP
TCPIP> SET TCP/SIGNAL

Networking - LAT (Local Area Transport)
• Robust, efficient
  − Can package data for multiple sessions at the same MAC address into common packets.
• Not routable
  − No routable information in the network layer.
• DEC-proprietary (licensed)
  − Specification published under license.

Networking - LAT Control Program (LATCP)
• Management interface for LAT.
• Controls the services broadcast by an OpenVMS node.
• Used to create, manage and delete LTA devices on OpenVMS nodes.

Networking - MOP (Maintenance Operation Protocol)
• Not routable
  − No routable information in the network layer.
• DEC-proprietary (licensed)
  − Specification published under license.
• Remote console facility.
• Downline load, upline dump.

Networking - MOP User Interfaces: Remote Console
− NCP (DECnet Phase IV):
   CONNECT NODE name
   CONNECT VIA circuit_id PHYSICAL ADDRESS mac_addr
− LANCP:
   CONNECT NODE name/DEVICE=enet_dev:
− SET HOST/MOP (DECnet Phase V):
   SET HOST/MOP node_name
   SET HOST/MOP/ADDRESS=mac_addr/CIRCUIT=xxxx

Networking - MOP User Interfaces: Downline Load, Upline Dump
− NCP (DECnet Phase IV):
   DEFINE/SET NODE name -
      ADDRESS xx.xxxx -
      HARDWARE ADDRESS xx-xx-xx-xx-xx-xx -
      SERVICE CIRCUIT xxx-n -
      LOAD FILE filespec -
      SECONDARY LOADER filespec -
      DUMP FILE filespec
− LANCP (downline load only; LANCP does not provide for upline dump):
   DEFINE NODE name /ADDRESS=xx-xx-xx-xx-xx-xx/FILE=filespec
   Mostly for use in booting LAVc nodes.

Networking - Remote Access
Types of remote access:
• DECnet
  − SET HOST (CTERM)
  − Remote file access (FAL)
  − NML (NCP SET EXECUTOR NODE)
• LAT
  − Connect (from a terminal server or a PC with LAT)
  − SET HOST/LAT
• TCP/IP
  − TELNET
  − Rshell / Rexec
  − Rlogin
  − RCP
  − SSH, SFTP, etc.
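The following DCL procedure is an added example (not from the presentation) that carries out the access-control steps from the preceding slides for DECnet Phase IV and TCP/IP Services, turns on FAL logging for network jobs, and enables the OPCOM security alarms described on the Network Alerts slides that follow. The names REMNODE, JDOE and remhost.example.com and the FTP hook line are assumptions; the SET TCP/SIGNAL step is the one this presentation recommends and is not otherwise documented.

```dcl
$! NET_ACCESS.COM - added example: proxy access control, FAL logging and
$! OPCOM security alarms for network access.  Run from a privileged account.
$! REMNODE, JDOE and remhost.example.com are assumptions.
$ SET NOON
$!
$! --- DECnet Phase IV: proxy database (SYS$SYSTEM:NET$PROXY.DAT) ---
$! Lines without "$" are read by AUTHORIZE.  CREATE/PROXY reports an error
$! if the database already exists; that is harmless here.
$ RUN SYS$SYSTEM:AUTHORIZE
CREATE/PROXY
ADD/PROXY REMNODE::JDOE JDOE/DEFAULT
SHOW/PROXY *::*
EXIT
$! Review check: any SHOW/PROXY line whose node or user is "*" grants
$! password-less access far more widely than a single node::user pair.
$!
$! Enable proxy use now (SET, volatile) and across reboots (DEFINE, permanent).
$ RUN SYS$SYSTEM:NCP
SET    EXECUTOR INCOMING PROXY ENABLED OUTGOING PROXY ENABLED
DEFINE EXECUTOR INCOMING PROXY ENABLED OUTGOING PROXY ENABLED
SHOW EXECUTOR CHARACTERISTICS
EXIT
$!
$! --- FAL logging (unsupported feature, per the presentation) ---
$! These two lines belong in SYLOGIN.COM; the IF limits them to network
$! jobs.  "1" logs file name/type access, "disable=8" turns off poor
$! man's routing (node1::node2::...).
$ IF F$MODE() .EQS. "NETWORK" THEN DEFINE FAL$LOG "1/disable=8"
$ IF F$MODE() .EQS. "NETWORK" THEN DEFINE FAL$OUTPUT SYS$LOGIN:FAL.LOG
$!
$! --- TCP/IP Services: communication proxy for the R services ---
$ TCPIP
ADD PROXY JDOE /HOST=remhost.example.com /REMOTE_USER=jdoe /COMMUNICATION
SHOW PROXY
SET TCP/SIGNAL
EXIT
$!
$! --- Security alarms: /ALARM goes to OPCOM, /AUDIT to the audit journal ---
$ SET AUDIT/ALARM/AUDIT/ENABLE=CONNECTION
$ SET AUDIT/ALARM/AUDIT/ENABLE=LOGIN=(NETWORK,REMOTE,DIALUP)
$ SET AUDIT/ALARM/AUDIT/ENABLE=LOGFAILURE=ALL
$ SET AUDIT/ALARM/AUDIT/ENABLE=BREAKIN=ALL
$ SHOW AUDIT
$! Alarms are delivered only to terminals enabled as security operators.
$ REPLY/ENABLE=SECURITY
$!
$! --- FTP alert hook (where it goes is stack-specific; see your stack's
$!     documentation).  One line for the FTP service's DCL procedure;
$!     REQUEST/TO=SECURITY needs OPER privilege, which that server has.
$ REQUEST/TO=SECURITY "FTP session started in process ''F$GETJPI("","PRCNAM")'"
$ EXIT
```

Keep the proxy pieces and the audit pieces together in one procedure, as here, so that every password-less path into the node is enabled in the same place where the alarms that watch it are turned on.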
Networking - Remote Procedures
Types of remote procedures:
• DECnet
  − DECnet objects
  − SUBMIT/REMOTE, PRINT/REMOTE
• TCP/IP
  − RPC (Remote Procedure Call)
  − Secure Socket Layer (SSL)

Networking - Remote Procedures: Security Concerns
• DECnet objects like TASK, which run a DCL procedure named by the remote caller in the accessed account.
• Unsecured accounts, by any access method. (This is not a security presentation.)

Network Alerts - OPCOM Alerts for Network Access
• SET AUDIT/ALARM/ENABLE=CONNECTION
  − DECnet (Phase IV)
  − $IPC
  − SYSMAN
• SET AUDIT/ALARM/ENABLE=LOGIN=(...)
  − ALL, BATCH, DETACHED, DIALUP, LOCAL, NETWORK, REMOTE, SUBPROCESS
• /ALARM is what sends the events to OPCOM (terminals enabled with REPLY/ENABLE=SECURITY); add /AUDIT to also record them in the security audit journal.

Network Alerts - Additional OPCOM Alerts for FTP
• Add commands to the DCL procedure associated with the FTP service.
  − Example: MULTINET:FTP_SERVER.COM
• Can be as general or as specific as needed.
• See the documentation and example code for your TCP/IP stack.

Session 1065 - System Startup Procedure

System Startup
Default /STARTUP procedure:
• SYS$SYSTEM:STARTUP.COM
• Set using SYSBOOT, SYSGEN or SYSMAN.

System Startup - STARTUP Phases
• Defined in SYS$STARTUP:VMS$VMS.DAT
  − RMS indexed file.
  − Changes to this area of the startup are *NOT* supported by HP.
System Startup - STARTUP Phases
$ TY SYS$STARTUP:VMS$VMS.DAT
One record per startup component: phase, mode letter as recorded (D = DIRECT), procedure. Listed here grouped by phase, in the order the file holds them:
BASEENVIRON  D  VMS$BASEENVIRON-050_VMS.COM
BASEENVIRON  D  VMS$BASEENVIRON-050_SMISERVER.COM
BASEENVIRON  D  VMS$BASEENVIRON-050_LIB.COM
BASEENVIRON  D  DECDTM$STARTUP.COM
BASEENVIRON  D  LICENSE_CHECK.EXE
CONFIG       D  VMS$CONFIG-050_VMS.COM
CONFIG       D  VMS$CONFIG-050_ERRFMT.COM
CONFIG       D  VMS$CONFIG-050_CACHE_SERVER.COM
CONFIG       D  VMS$CONFIG-050_CSP.COM
CONFIG       D  VMS$CONFIG-050_OPCOM.COM
CONFIG       D  VMS$CONFIG-050_AUDIT_SERVER.COM
CONFIG       D  VMS$CONFIG-050_JOBCTL.COM
CONFIG       D  VMS$CONFIG-050_LMF.COM
CONFIG       D  VMS$CONFIG-050_SHADOW_SERVER.COM
CONFIG       D  VMS$CONFIG-050_SECURITY_SERVER.COM
DEVICES      D  VMS$DEVICE_STARTUP.COM
INITIAL      D  VMS$INITIAL-050_VMS.COM
INITIAL      D  VMS$INITIAL-050_LIB.COM
INITIAL      C  VMS$INITIAL-050_CONFIGURE.COM
LPBEGIN      D  VMS$LPBEGIN-050_STARTUP.COM
PRECONFIG    D  IPC$STARTUP.COM
PRECONFIG    D  VMS$SPIRALOG_STARTUP.COM

System Startup - Phases and Files
Execution order:
   INITIAL
   DEVICES
   SYCONFIG
   SYLOGICALS
   SYPAGSWPFILES
   PRECONFIG
   CONFIG
   SYSECURITY
   BASEENVIRON
   LPBEGIN
   SYSTARTUP_VMS
   LPMAIN
   LPBETA
   END
The site-specific files SYCONFIG, SYLOGICALS, SYPAGSWPFILES and SYSECURITY are always executed, even during a "MIN"-imum boot; SYSTARTUP_VMS is not.

System Startup - Site-Specific STARTUPs
• In the SYS$MANAGER path.
• SYSTARTUP_VMS.COM in V6 and later.
• SYSTARTUP_V5.COM in V5.x.
• SYSTARTUP.COM in V4 and earlier.

System Startup - STARTUP Parameters
• STARTUP_P1
  − blank: normal system startup.
  − "MIN": minimal startup. No SYSTARTUP_VMS, but most of the other SY*.COM procedures will still be run.
• STARTUP_P2
  − blank: normal system startup.
  − "1", "YES" or "TRUE": verify on.
• STARTUP_P3 through STARTUP_P8: reserved for future use.

System Startup - SYSTARTUP_VMS
• The author prefers to keep the procedure modular for easier maintenance, invoking modules from SYSTARTUP_VMS:
$ SET NOON
   . . .
$ @MOUNT_DISKS
$ @DEFINE_GROUP_LOGICALS

System Startup - SYSTARTUP_VMS: Node-Specific Procedures
• Invoke node-specific procedures from SYSTARTUP_VMS:
$ FSP = F$SEARCH( "SYS$MANAGER:SYSTARTUP.COM" )
$ IF FSP .NES. "" THEN @&FSP
  − Avoids redundant, cut-and-paste code.
  − SYS$MANAGER searches SYS$SPECIFIC:[SYSMGR] before SYS$COMMON:[SYSMGR], so a copy placed in the node's own root is the one found.

System Startup - Logging SYSTARTUP_VMS
$ SET NOON
$ DEFINE SYS$OUTPUT SYS$MANAGER:SYSTARTUP_VMS.LOG
   . . .
$ DEASSIGN SYS$OUTPUT
• Caveat: may not work with some application startups.
  − Example: MiSys (Sunquest) FlexiLAB, a MUMPS application that runs in InterSystems' Cache' RDB environment. It expects a response to a prompt and chokes on the log file as SYS$OUTPUT.

System Startup - Saving/Reporting a Crash Dump at Startup Time
$ ANALYZE/CRASH_DUMP SYS$SYSTEM:SYSDUMP.DMP
COPY ddcu:[dir]SAVEDUMP.DMP             ! copy to wherever is convenient
SET OUTPUT SYS$MANAGER:SYSDUMP.LIS       ! set this as you like
READ/EXEC
! READ SYS$SYSTEM:SYSDEF                 ! for VAX
READ SYS$LOADABLE_IMAGES:SYSDEF          ! for Alpha
SHOW CRASH
SHOW STACK /ALL
SHOW SUMMARY
SHOW PROCESS /PCB /PHD /REGISTERS
SHOW SYMBOL /ALL
EXIT
• COPY in SDA only copies the portion of the dump file that was actually written during the last dump. The result is usually much smaller than the actual dump file, unless the dump file is too small.

System Startup - DEFINE-ing Group Logicals at Startup
− Set up a DCL procedure to DEFINE (or ASSIGN) the needed logicals using /GROUP and whatever access mode is appropriate.
− Invoke that procedure as a detached process at system startup time.
• Example:
$ RUN SYS$SYSTEM:LOGINOUT.EXE/UIC=[300,1]/INPUT=GROUP_300_LOGICALS.COM/OUTPUT=GROUP_300_LOGICALS.LOG
  − The UIC specified does not need to exist in the UAF.
• Alternate example:
$ RUN SYS$SYSTEM:LOGINOUT.EXE/UIC=[300,1]/INPUT=NLA0:/OUTPUT=NLA0:
  − The UIC specified does not need to exist in the UAF.
  − The example creates the LNM$GROUP_000300 table.
  − Logical names can then be created in that table by any suitably privileged process.

System Startup - Setting Logins at Startup
• A global DCL symbol (in the STARTUP process) is set up during SYS$STARTUP:VMS$BASEENVIRON-050_VMS.COM:
$ startup$interactive_logins == 64
• It is used in SYS$STARTUP:VMS$LPBEGIN-050_STARTUP.COM:
$ set logins/interactive='startup$interactive_logins
• Change the value of startup$interactive_logins during SYSTARTUP_VMS:
$ startup$interactive_logins == F$GETSYI( "IJOBLIM" )
Notes:
• Set the desired value for IJOBLIM in MODPARAMS and run AUTOGEN, or change the CURRENT value using SYSMAN or SYSGEN. The change takes effect on the next boot.
• IJOBLIM is a dynamic parameter. The SET LOGINS/INTERACTIVE command displays or varies its value. See the HELP.
• SET LOGINS/INTERACTIVE caveat, a largely undocumented and little known fact: until this command is issued for the first time after a reboot, the job controller will not create interactive processes. If used in SYSTARTUP_VMS, it may enable logins before the system is ready for users to log in.
• DO NOT USE THIS COMMAND IN SYSTARTUP_VMS, or in any procedure that it invokes!
• Use the global DCL symbol instead (STARTUP$INTERACTIVE_LOGINS).

System Startup - VMS Files
• Must never be changed unless software documentation or VMS support instructs you to do so.
• May be replaced when VMS or layered products are upgraded.
• May use deprecated lexical functions (like F$LOGICAL()), or may contain misspelled function names (like F$GETSYS(); DCL sees only F$GETS).
• Site-specific startups are usually found in the SYS$MANAGER path.

Session 1065 - SYSMAN and STARTUP

SYSMAN & STARTUP
SYSMAN can be used to modify the "user" portion of the startup database.
• Two database files are used by SYSMAN:
  − STARTUP$STARTUP_VMS: used for the VMS startup. DO NOT MODIFY!
  − STARTUP$STARTUP_LAYERED: when you add an item using SYSMAN, it goes here.
• Not as flexible as the traditional method using SYSTARTUP_VMS.
• Not as widely used. Incoming SysAdmins may be unaware of previous modifications to the startup database made using SYSMAN.
• Allows for specifying that some startup procedures run in BATCH, in-line (DIRECT) or in sub-processes (SPAWN).
• Allows for entering startup items that run after SYSTARTUP_VMS.
  − SYSTARTUP_VMS is invoked during the LPBEGIN phase.
  − Valid phases for SYSMAN STARTUP entries are LPBEGIN, LPMAIN, LPBETA and END.
  − Premature logins are possible if SYSTARTUP_VMS enables logins before startups in later phases (LPMAIN, LPBETA or END) have run.
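The modular, logged SYSTARTUP_VMS described in the startup slides above, as one added example skeleton (not the presenter's actual file): it logs itself, saves and summarizes the last crash dump, creates the group-300 logical name table, runs a node-specific procedure if one exists, and sets the interactive login limit from IJOBLIM through the STARTUP$INTERACTIVE_LOGINS symbol instead of SET LOGINS. The file names MOUNT_DISKS.COM, GROUP_300_LOGICALS.COM and SYSTARTUP_NODE.COM are assumptions.

```dcl
$! SYSTARTUP_VMS.COM - added example skeleton, not the presenter's file.
$! MOUNT_DISKS.COM, GROUP_300_LOGICALS.COM and SYSTARTUP_NODE.COM are
$! assumed site files in SYS$MANAGER / SYS$SPECIFIC:[SYSMGR].
$ SET NOON
$!
$! Log this procedure's output.  Caveat from the slides: application startups
$! that expect an answer to a prompt may not tolerate a file as SYS$OUTPUT.
$ DEFINE SYS$OUTPUT SYS$MANAGER:SYSTARTUP_VMS.LOG
$ WRITE SYS$OUTPUT "SYSTARTUP_VMS begins ''F$TIME()' on node ''F$GETSYI("NODENAME")'"
$!
$! 1. Save and summarize the last crash dump.  SDA's COPY writes only the
$!    part of SYSDUMP.DMP the last crash actually used.  Lines without "$"
$!    are read by SDA; on VAX use READ SYS$SYSTEM:SYSDEF instead.
$ IF F$SEARCH("SYS$SYSTEM:SYSDUMP.DMP") .EQS. "" THEN GOTO NO_DUMP
$ ANALYZE/CRASH_DUMP SYS$SYSTEM:SYSDUMP.DMP
COPY SYS$SPECIFIC:[SYSMGR]SAVEDUMP.DMP
SET OUTPUT SYS$SPECIFIC:[SYSMGR]SYSDUMP.LIS
READ/EXEC
READ SYS$LOADABLE_IMAGES:SYSDEF
SHOW CRASH
SHOW STACK/ALL
SHOW SUMMARY
SHOW PROCESS/PCB/PHD/REGISTERS
SHOW SYMBOL/ALL
EXIT
$ NO_DUMP:
$!
$! 2. Site disks, then group logical names.  The detached LOGINOUT process
$!    creates LNM$GROUP_000300 (UIC [300,1] need not exist in the UAF) and
$!    runs the procedure that issues the DEFINE/GROUP commands.
$ @SYS$MANAGER:MOUNT_DISKS
$ RUN SYS$SYSTEM:LOGINOUT.EXE/UIC=[300,1]/PROCESS_NAME=GRP300_LNM -
     /INPUT=SYS$MANAGER:GROUP_300_LOGICALS.COM -
     /OUTPUT=SYS$MANAGER:GROUP_300_LOGICALS.LOG
$!
$! 3. Node-specific work lives in the node's own root, so the common
$!    SYSTARTUP_VMS carries no per-node cut-and-paste code.
$ FSP = F$SEARCH("SYS$SPECIFIC:[SYSMGR]SYSTARTUP_NODE.COM")
$ IF FSP .NES. "" THEN @'FSP'
$!
$! 4. Login limit.  Set the global symbol that VMS$LPBEGIN-050_STARTUP.COM
$!    hands to SET LOGINS/INTERACTIVE; never issue SET LOGINS here, since
$!    that opens the system to users before later phases have run.
$ STARTUP$INTERACTIVE_LOGINS == F$GETSYI("IJOBLIM")
$!
$ WRITE SYS$OUTPUT "SYSTARTUP_VMS ends ''F$TIME()'"
$ DEASSIGN SYS$OUTPUT
$ EXIT
```

Because SET NOON is in effect, a failure in any step is logged and the procedure carries on to the next one; check SYSTARTUP_VMS.LOG after every boot rather than assuming a clean run.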
Session 1065 - Conversational Boot, Minimum Startup

Conversational Boot
• HP Integrity servers:
   Shell> set vms_flags "x,1"
• Most current Alphas, VAX 7000:
   >>> boot -fl x,1
• VAX 6000:
   >>> BOOT boot_profile/R5=1
   >>> BOOT boot_profile/R5=x0000001
• Older small VAXes:
   >>> B/R5:1   or   B/R5:x0000001
• VAX 8000s: see the manual.
(x is the system root; the low flag bit, value 1, requests the conversational boot.)

Minimum Boot
   >>> b -fl 10,1
   SYSBOOT> SET STARTUP_P1 "MIN"
   SYSBOOT> CONTINUE
• Use SET WRITESYSPARAMS 0 before CONTINUE for a one-time minimum boot, so the change to STARTUP_P1 is not written back to the parameter file.

Session 1065 - System Shutdown Procedure

System Shutdown
$ @SYS$SYSTEM:SHUTDOWN
− Prompts interactively for parameters.
− Parameters can also be specified on the command line that invokes the procedure.
• See the SHUTDOWN and REBOOT symbols in SYS$MANAGER:LOGIN.TEMPLATE.

System Shutdown - SYS$SYSTEM:SHUTDOWN.COM Parameters
P1 = Minutes to final shutdown
P2 = Reason for shutdown
P3 = Spin down disk volumes? (Y/N)
P4 = Invoke SYSHUTDWN.COM? (Y/N)
P5 = When will the system be rebooted?
P6 = Should an automatic reboot be performed? (Y/N)
P7 = Options (SAVE_FEEDBACK, etc.)
• P5 and P6 are in the reverse order of the prompts.

Site-Specific Shutdown Procedure
• SYSHUTDWN.COM, found in the SYS$MANAGER path.

System Shutdown - Logical Names
• SHUTDOWN$MINIMUM_MINUTES: the minimum number of minutes to final shutdown that SHUTDOWN will accept.
• AGEN$SHUTDOWN_TIME: used by AUTOGEN as the minutes to final SHUTDOWN or REBOOT.
• SHUTDOWN$INFORM_NODES: cluster nodes to receive REPLY messages from SHUTDOWN.
• SHUTDOWN$VERIFY: allows SET VERIFY to be in effect during SHUTDOWN.

Shutdown Options
• REBOOT_CHECK
• SAVE_FEEDBACK
• DISABLE_AUTOSTART
• POWER_OFF

Shutdown Options - REBOOT_CHECK
• Performs a basic check for the existence of the files needed to reboot the system.
• Not comprehensive: it cannot detect a damaged boot block, a corrupted bootstrap image, etc.

Shutdown Options - SAVE_FEEDBACK
• Saves some vital statistics about the system that can be used by AUTOGEN after the system comes back up.
• Same as the SAVPARAMS phase of AUTOGEN.
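An unattended shutdown that answers every SHUTDOWN.COM prompt on the command line, as an added example (not from the presentation). It uses the parameter positions and the options from the slides above; the lead time, reason and the SHUTDOWN$MINIMUM_MINUTES value are assumptions, and P3 = "LAST" is an assumed convention of this procedure for the final cluster node.

```dcl
$! SHUT.COM - added example: unattended shutdown with every SHUTDOWN.COM
$! prompt answered on the command line.  P1 = minutes, P2 = reason,
$! P3 = "LAST" on the final node of a cluster.
$ SET NOON
$! Smallest lead time SHUTDOWN will accept (system table, executive mode;
$! needs SYSNAM).  The other SHUTDOWN$ names are defined the same way.
$ DEFINE/SYSTEM/EXECUTIVE SHUTDOWN$MINIMUM_MINUTES 5
$!
$ MINUTES = "10"
$ IF P1 .NES. "" THEN MINUTES = P1
$ REASON = "Scheduled maintenance"
$ IF P2 .NES. "" THEN REASON = P2
$!
$! Always REBOOT_CHECK and SAVE_FEEDBACK.  On a cluster member, leave the
$! cluster gracefully (REMOVE_NODE) unless this is the last node, which
$! dissolves the cluster with CLUSTER_SHUTDOWN instead.
$ OPTIONS = "REBOOT_CHECK,SAVE_FEEDBACK"
$ IF F$GETSYI("CLUSTER_MEMBER")
$ THEN
$    IF P3 .EQS. "LAST" THEN OPTIONS = OPTIONS + ",CLUSTER_SHUTDOWN"
$    IF P3 .NES. "LAST" THEN OPTIONS = OPTIONS + ",REMOVE_NODE"
$ ENDIF
$!
$! P3 spin down disks, P4 run SYSHUTDWN.COM, P5 when rebooted, P6 automatic
$! reboot (P5/P6 are the reverse of the interactive prompt order), P7 options.
$ @SYS$SYSTEM:SHUTDOWN 'MINUTES' "''REASON'" NO YES LATER YES "''OPTIONS'"
$ EXIT
```

The quoted strings keep the reason and the comma-separated option list each as a single parameter; without the quotes DCL would split them.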
Shutdown Options - DISABLE_AUTOSTART
• Disables autostart on this node ahead of the shutdown (the equivalent of DISABLE AUTOSTART/QUEUES), so this node's autostart queues fail over to other cluster nodes in good time and no queues fail over onto the node that is going down.

Shutdown Options - POWER_OFF
• If the system console supports it, request that the machine power itself down once VMS has been shut down.

Shutdown Options - Clusters
• REMOVE_NODE for all but the last node.
  − The node exits the cluster gracefully.
• CLUSTER_SHUTDOWN for the last cluster node to be shut down.
  − If used on all nodes, each node waits for the other nodes to reach the point of exiting the cluster, then proceeds to shut down ("dissolves" the cluster).

Every Shutdown
• The author recommends that you always specify the REBOOT_CHECK option for all nodes.
• It has been helpful in preventing some nasty surprises.

Session 1065 - AUTOGEN

AUTOGEN
SYS$UPDATE:AUTOGEN.COM
• A DCL procedure supplied by OpenVMS as an aid in tuning the OpenVMS system.
• Not a replacement for diligent system management.
• Applies changes to the default system parameters as specified in the file SYS$SYSTEM:MODPARAMS.DAT.
• Is invoked during installs and upgrades, sometimes more than once.
• Can be used to help size the swap and page files.

AUTOGEN - MODPARAMS
SYS$SYSTEM:MODPARAMS.DAT
• This is where changes to the default values are made so they persist from one AUTOGEN run to the next.
• Entries look like this:
   parameter_name = needed_value
   MIN_parameter_name = needed_value
   MAX_parameter_name = needed_value
   ADD_parameter_name = needed_value

AUTOGEN - MODPARAMS: parameter_name = needed_value
• Provides a hard-coded value for the parameter.
   SCSNODE = "ALPHAONE"
   GBLPAGES = 121589
• AUTOGEN calculations do not override hard-coded values.

AUTOGEN - MODPARAMS: MIN_parameter_name = minimum_value
• Provides a minimum value for the parameter.
   MIN_GBLPAGES = 121589
• AUTOGEN may calculate and use a higher value, but will always use the MIN_ value if it calculates a lower one.

AUTOGEN - MODPARAMS: MAX_parameter_name = maximum_value
• Provides a maximum value for the parameter.
   MAX_GBLPAGES = 12158900
• AUTOGEN may calculate and use a lower value, but will always use the MAX_ value if it calculates a higher one.

AUTOGEN - MODPARAMS: ADD_parameter_name = addtl_value
• Provides an addition to the default value for the parameter.
   ADD_GBLPAGES = 81920
• AUTOGEN can use feedback to calculate a new value, then adds the specified value to the calculated value.

AUTOGEN - Phases
• SAVPARAMS  - Collects feedback
• GETDATA    - Collects all other data
• GENPARAMS  - Generates new parameters
• TESTFILES  - Calculates new system file sizes
• GENFILES   - Generates new system files
• SETPARAMS  - Creates new boot parameters
• SHUTDOWN   - Shuts down the system
• REBOOT     - Reboots the system
• HELP       - Displays AUTOGEN information

AUTOGEN - Phases: SAVPARAMS
Saves dynamic feedback from the running system. Same as the SAVE_FEEDBACK option of SHUTDOWN.

AUTOGEN - Phases: GETDATA
Collects all data to be used in AUTOGEN calculations. Includes existing feedback data if it is not over 30 days old. Includes MODPARAMS information.

AUTOGEN - Phases: GENPARAMS
Performs calculations and generates the new system parameters (but does not yet set them into the "current" parameters). Creates the new list of installed images based on the state of the currently running system.

AUTOGEN - Phases: TESTFILES
Calculates new page and swap file sizes, but does not apply any changes.

AUTOGEN - Phases: GENFILES
Generates new swap and page files based on AUTOGEN calculations. Use entries in MODPARAMS to override:
   DUMPFILE = 0
   SWAPFILE = 0
   PAGEFILE = 0

AUTOGEN - Phases: SETPARAMS
Creates the new boot-time ("current") parameters. Changes take effect on the next boot.

AUTOGEN - Phases: SHUTDOWN
Shuts down the system and leaves it ready for a manual boot or other console-level operations.

AUTOGEN - Phases: REBOOT
Reboots the system using the newly generated parameters and/or system files.

AUTOGEN - Phases: HELP
Displays HELP information on how to use AUTOGEN.
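An AUTOGEN cycle that stops for review before anything is applied, built from the phases and the CHECK_FEEDBACK mode described in the AUTOGEN slides, as an added example (not from the presentation). The log file names and the "APPLY" parameter convention are assumptions; the SEARCH strings are a heuristic for picking warnings out of AGEN$PARAMS.REPORT, not a documented format.

```dcl
$! TUNE.COM - added example: run AUTOGEN, review the report, and apply only
$! when invoked as @TUNE APPLY.  Log names and "APPLY" are assumptions.
$ SET NOON
$!
$! 1. Collect feedback from the running system (SHUTDOWN's SAVE_FEEDBACK
$!    option does the same thing).
$ @SYS$UPDATE:AUTOGEN SAVPARAMS SAVPARAMS
$!
$! 2. Calculate using that feedback only if AUTOGEN judges it valid, and stop
$!    at TESTFILES so no parameter or system file changes yet.
$ @SYS$UPDATE:AUTOGEN/OUTPUT=SYS$MANAGER:AGEN_TEST.LOG GETDATA TESTFILES CHECK_FEEDBACK
$!
$! 3. Review.  MODPARAMS errors and proposed changes land in the report;
$!    the SEARCH is a quick filter, the TYPE is the whole thing.
$ SEARCH SYS$SYSTEM:AGEN$PARAMS.REPORT "WARNING","ERROR","MODPARAMS"
$ TYPE SYS$SYSTEM:AGEN$PARAMS.REPORT
$ IF P1 .NES. "APPLY" THEN EXIT
$!
$! 4. Apply for the next boot, again only with valid feedback.  Reboot
$!    separately (e.g. with SHUTDOWN ... REBOOT_CHECK) when convenient.
$ @SYS$UPDATE:AUTOGEN/OUTPUT=SYS$MANAGER:AGEN_SET.LOG GENPARAMS SETPARAMS CHECK_FEEDBACK
$ EXIT
```

Splitting the run at TESTFILES is the point: a MODPARAMS typo or stale feedback shows up in the report while the system is still untouched.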
To write AUTOGEN's HELP text to a file:
$ @SYS$UPDATE:AUTOGEN/OUTPUT=AGEN_HELP.LIS HELP

AUTOGEN - Typical Uses
• See if the current MODPARAMS settings are suitable:
$ @SYS$UPDATE:AUTOGEN SAVPARAMS TESTFILES
• Generate new system parameters for the next boot:
$ @SYS$UPDATE:AUTOGEN SAVPARAMS SETPARAMS
• AUTOGEN using previously saved feedback:
$ @SYS$UPDATE:AUTOGEN GENPARAMS SETPARAMS
• AUTOGEN ignoring feedback:
$ @SYS$UPDATE:AUTOGEN GENPARAMS SETPARAMS NOFEEDBACK
• AUTOGEN using previously saved feedback, if it is valid:
$ @SYS$UPDATE:AUTOGEN GENPARAMS SETPARAMS CHECK_FEEDBACK

AUTOGEN - Report
SYS$SYSTEM:AGEN$PARAMS.REPORT
• Generated on each run of AUTOGEN during the GENPARAMS phase.
• Indicates any MODPARAMS errors detected by AUTOGEN.
• Indicates the results of AUTOGEN calculations and the resulting changes to system parameters.

AUTOGEN - Logging
AUTOGEN issues useful information on SYS$OUTPUT as well. Some SysAdmins find this useful:
$ @SYS$UPDATE:AUTOGEN/OUT=AGEN.LOG start_phase end_phase

Session 1065 - Useful Tips and Tricks

Useful Tips and Tricks - An "uptime" Command
$ SHOW SYSTEM/NOPROCESS
$ UPT*TIME :== SHOW SYSTEM/NOPROCESS

Useful Tips and Tricks - A HELP Enhancement, a la "man | less"
$ HELP/PAGE=SAVE=64
$ MAN :== HELP/PAGE=SAVE=64

Useful Tips and Tricks - A Simple Command to Show Usage
$ SHL :== PIPE SHOW USERS/FULL | (READ SYS$PIPE P9 ; -
     WRITE SYS$OUTPUT P9 ; READ SYS$PIPE P9 ; WRITE SYS$OUTPUT P9 ; -
     SET LOGINS)
(The two READ/WRITE pairs pass through the two header lines of SHOW USERS/FULL; SET LOGINS then reports the limit and the current count.)
$ SHL
   OpenVMS User Processes at 13-JUL-2006 20:22:50.09
   Total number of users = 1, number of processes = 3
%SET-I-INTSET, login interactive limit = 64, current interactive value = 1

Useful Tips and Tricks - A MORE Command
MORE.COM (reads from SYS$PIPE when used in a PIPE, otherwise from the file named in P1 or from SYS$INPUT):
$ ipt := sys$input
$ if f$trnlnm( "sys$pipe" ) .nes. "" then $ ipt := sys$pipe
$ if p1 .eqs. "" then p1 = ipt
$ if f$type( more_pages ) .eqs. "" then $ more_pages = 64
$ type/page=save='more_pages' &p1
$ exit

Useful Tips and Tricks - VMS Disk "Partitions": Logical Disks
• Actual devices which use a container file or a specified range of blocks on a disk to provide logical disk devices.
• Need to install the LD V8 or later kit.
• See HELP LD after installing.
• Available for V7.3-2 and later (Alpha and I64 only).
• Can be useful with disk storage arrays which are not easily reconfigured, for example EMC Symmetrix, DMX, etc.
• Example (small Alpha with direct-attached RZ29B 4.3 GB SCSI disks): each of two disks is split into two 3145728-block (1.5 GB) logical disks, which are then shadowed pairwise across the two physical disks.
$ ld connect dka100:/lbn=(start=0,count=3145728) lda1/allo=1
$ ld connect dka100:/lbn=(start=3145728,count=3145728) lda3
$ ld connect dka200:/lbn=(start=0,count=3145728) lda2
$ ld connect dka200:/lbn=(start=3145728,count=3145728) lda4
$ moun/noassi/syst dsa1/shad=($1$lda1,$1$lda2) shadow1 shadow1
$ moun/noassi/syst dsa2/shad=($1$lda3,$1$lda4) shadow2 shadow2

Session 1065 - OpenVMS System Management Tools

System Management Tools
Supplied as no-charge additional software, licensed with OpenVMS:
• StorageWorks Command Console (SWCC)
• OpenVMS Management Station ("TNT" or "Argus")
• Availability Manager for Distributed Systems (AMDS), Availability Manager

Session 1065 - StorageWorks Command Console

StorageWorks Cmd Console
• Provides an MS-Windows GUI for management of StorageWorks storage array controllers:
  − HSJ (CI)
  − HSZ (SCSI)
  − HSG (FC-SF)
• Uses TCP/IP to communicate with the server agent on OpenVMS.
• Behaves like other "Explorer" software.

StorageWorks Cmd Console - Limitations
• The PC's IP address must back-translate (reverse DNS).
  − DHCP is OK so long as DNS is updated when the address lease is obtained or renewed.
• Does not work over a WAN unless the PC's DNS name is "visible" outside of the firewall and the firewall allows the TCP ports.
• The OpenVMS server agent will only run on one node of a cluster.
StorageWorks Cmd Console Limitations, cont’d: • Unit names and storage-set names are assigned randomly and arbitrarily. − Some names can be changed manually using the CLI. • Can hold onto the virtual console so that other access means are denied: − SET HOST/DUP, SET HOST/SCSI StorageWorks Cmd Console Limitations, cont’d: • Disks falling into the Failed Set are detected and reported as warnings; however, CLI messages are not passed through to the GUI - you must still connect to the CLI to get them. − “Other controller restarted” − Cache battery alerts StorageWorks Cmd Console Limitations, cont’d: • No provisions for running HSx utilities and diagnostics. • No performance data available via the GUI - use the CLI to run VTDPY. StorageWorks Cmd Console Management Considerations • PCs must be authorized to access OpenVMS server agent. Use the SWCC configuration utility supplied with the OpenVMS-side software. • Controllers and/or controller pairs must be set up using the SWCC configuration utility supplied with the OpenVMS-side software. StorageWorks Cmd Console Management Considerations • HSZ and HSG controller pairs present only a single virtual device for remote access - cannot connect to an individual controller by name using the CLI window. • You will still need to access the physical console terminal port from time to time, as when a controller fails out of the pair. 
StorageWorks Cmd Console StorageWorks Cmd Console StorageWorks Cmd Console StorageWorks Cmd Console StorageWorks Cmd Console StorageWorks Cmd Console StorageWorks Cmd Console StorageWorks Cmd Console StorageWorks Cmd Console StorageWorks Cmd Console StorageWorks Cmd Console StorageWorks Cmd Console StorageWorks Cmd Console StorageWorks Cmd Console StorageWorks Cmd Console StorageWorks Cmd Console StorageWorks Cmd Console StorageWorks Cmd Console StorageWorks Cmd Console Session 1065 OpenVMS Management Station OpenVMS Mgt Station Provides an MS/Win GUI for management of some areas of OpenVMS: • User records and identifiers • OpenVMS storage • Printer (but not batch) queues. • Uses TCP/IP to communicate between Windows client and OpenVMS Server. OpenVMS Mgt Station Considerations: • No interfaces for application-specific user setups. • Provides only for “traditional” OpenVMS printer queues - no provisions for TCP/IP considerations. • V3.0 is still available for Alpha/NT. Later versions are Intel only. OpenVMS Mgt Station Considerations: • Runs on W/NT and W2K, W/98, and W/95, but needs Internet Explorer V3.02 or later to provide some support. • V3.2 Server needs OpenVMS V6.2 or later. OpenVMS Mgt Station OpenVMS Mgt Station OpenVMS Mgt Station Set up Wizard OpenVMS Mgt Station Set up Wizard OpenVMS Mgt Station Set up Wizard OpenVMS Mgt Station Set up Wizard OpenVMS Mgt Station Set up Wizard OpenVMS Mgt Station OpenVMS Mgt Station Logon to a managed system OpenVMS Mgt Station Accounts Window OpenVMS Mgt Station Account Detail OpenVMS Mgt Station Printers and other Symbiont Queues OpenVMS Mgt Station Detail of Printers / Symbiont Queues OpenVMS Mgt Station OpenVMS Storage OpenVMS Mgt Station OpenVMS Storage Detail OpenVMS Mgt Station • OpenVMS Server reads OMS configuration when it starts. • Storage configured in OMS and not yet MOUNTed gets MOUNTed (if enabled). • Symbiont queues configured in OMS and not yet STARTed get STARTed. 
OpenVMS Mgt Station • OpenVMS Server builds a DCL procedure that can be used to MOUNT your storage, even if the server cannot be started for whatever reason: TNT$EMERGENCY_MOUNT.COM OpenVMS Mgt Station Can be useful to ease certain system management tasks that would otherwise require the use of command-line utilities, but is not a replacement for those utilities. OpenVMS Mgt Station Download URL: http://www.openvms.compaq.com/openvms/products/argus/download.html (http://h71000.www7.hp.com/openvms/products/argus/download.html) Session 1065 Accessibility Manager for Distributed Systems (AMDS) and Availability Manager AMDS Provides DECwindows interface for system or cluster management, some performance monitoring. • Warnings can be issued when performance metrics go out of spec. - you determine the thresholds for your environment. • Can (maybe) be used to “un-hang” a cluster (force quorum adjustment). AMDS Considerations: • Uses a proprietary, non-routable network protocol. • For optimum availability management, needs to run on a separate OpenVMS workstation (not a cluster member). • AMDS workstation must be on same LAN segment as cluster nodes or protocol must be bridged between segments. AMDS Considerations: • AMDS workstation can be accessed remotely (X on Linux, Solaris or *BSD; Reflection/X or Exceed, etc. on MS Win; DECwindows on OpenVMS). AMDS Licensing: AMDS license is now included in the OpenVMS base license (as of AMDS V7.1). Software Kit: On the OpenVMS binary CD. On the OpenVMS website. Architectures VAX Alpha AMDS Startup Procedure: $ @SYS$STARTUP:AMDS$STARTUP Specify START as the first parameter. AMDS Logical Names: Defined in AMDS$SYSTEM:AMDS$LOGICALS.COM AMDS$GROUP_NAME is the node information display group, default is DECAMDS Define a group name for each cluster AMDS$DEVICE defines the network device to use if multiple LAN connections are present. Availability Mgr Availability Manager • An MS Windows tool (W/NT, W2K. 
W/XP) • Does not require an X-server on the PC. • Uses the same non-routable protocol as AMDS similar restrictions. • Could be accessed remotely using PCAnywhere, or maybe Citrix or remote desktop. Availability Mgr Availability Manager • A Java app. – needs GHz! • A “console PC” running Windows 2003 Server on the same LAN segment as the cluster can be accessed by Terminal Services from Windows/XP Professional. • VMS software is available for I64. AMDS AMDS Screen shots follow. Many display objects can be selected to “drill down” for more information. AMDS AMDS AMDS AMDS AMDS AMDS AMDS Session 1065 OpenVMS Security Elements OpenVMS Security Elements An OpenVMS system is only as secure as the SysAdmin makes it. Understanding and using the elements of OpenVMS Security is the best way to help ensure the security and integrity of an OpenVMS system. OpenVMS Security Elements Points to remember: TELNET and FTP sessions are not encrypted, passwords are sent as clear text. Use Secure Shell and Secure FTP for best security. LAT and DECnet are not encrypted, passwords are sent as clear text. OpenVMS Security Elements User Identification Codes [group,user] Similar to UN*X UIDs, except digits are always octal. Users belong to only one UIC group. Use Rights Identifiers to grant additional access. OpenVMS Security Elements Protection Masks Based on the UIC. Four classes of permission: System Owner Group World UN*X only has Owner, Group, World OpenVMS Security Elements Levels of Permission in each class: Files Read - Open read only Write - Open write only Execute - Run (if it’s a program/proc.) Delete - Delete the file (Requires write access to parent directory.) OpenVMS Security Elements Levels of Permission in each class: Directories Read - List files Write - Create/delete files Execute - Traverse the directory (Look up files) Delete - Delete the directory (Requires Write access to parent). 
OpenVMS Security Elements Levels of Permission in each class: Devices READ WRITE LOGICAL I/O PHYSICAL I/O OpenVMS Security Elements Levels of Permission in each class: Queues READ - Display queue, jobs MODIFY - Modify queue, jobs SUBMIT - SUBMIT/PRINT jobs DELETE - Delete jobs or the queue OpenVMS Security Elements Access Control Lists Specify access control beyond the UIC based protections. Consist of access control entries. OpenVMS Security Elements Access Control Entries Associate access control with UICs or Rights Identifiers Levels of access: READ DELETE WRITE CONTROL EXECUTE Object owner always has CONTROL OpenVMS Security Elements Rights Identifiers Created using AUTHORIZE. Can be associated with a resource (disk file - to control disk quotas). GRANTed to or REVOKEd from users using AUTHORIZE. Can be dynamic – non-privileged users can acquire and release using SET RIGHTS_LIST in DCL. OpenVMS Security Elements Propagating ACEs, Default Protections Set an ACE on a directory with the DEFAULT attribute. Default Protection ACE is set on a directory. Will be applied to new files, or use SET SECURITY/DEFAULT to propagate to existing files. OpenVMS Security Elements Set ACEs in the proper sequence First matching ACE determines access. Enter ACEs from least restrictive to most restrictive. EDIT/ACL can be helpful. ACL takes priority over UIC based protection mask. Session 1065 Closing Comments, Q&A Freeware Sources − The OpenVMS Freeware CDs are online at the OpenVMS website. − The DFWCUG DECUS CD-ROM Archive: ftp://ftp.montagar.com/decus/ Freeware Sources − OpenVMS FAQ http://www.hp.com/go/openvms/faq − DJE Systems OpenVMS Freeware archive: http://www.djesys.com/freeware/vms/ Session 1065 Thanks for coming! Disclaimer: All information is correct to the best of the author’s knowledge. Please fill out the evaluation forms, if available.
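The following DCL procedure is an added worked example for the OpenVMS Security Elements slides (protection masks, ACEs, rights identifiers, DEFAULT and DEFAULT_PROTECTION ACEs, ACE ordering and SET SECURITY/DEFAULT); it is not part of the presentation. Every name in it is assumed for illustration: the disk DKA100:, the directory [PROJECT], the identifiers PROJ_WRITERS and PROJ_READERS, the users SMITH and JONES, and the owner UIC [200,10]. AUTHORIZE and the directory creation must be run from a suitably privileged account.

```dcl
$! Added example, not from the presentation. Names below are hypothetical:
$! DKA100:, [PROJECT], PROJ_WRITERS, PROJ_READERS, SMITH, JONES, [200,10].
$!
$! Step 1: create the rights identifiers and grant them to users.
$!         PROJ_READERS is DYNAMIC, so holders can release it with
$!         SET RIGHTS_LIST when they do not need it (least privilege).
$ RUN SYS$SYSTEM:AUTHORIZE
ADD/IDENTIFIER PROJ_WRITERS
ADD/IDENTIFIER/ATTRIBUTES=DYNAMIC PROJ_READERS
GRANT/IDENTIFIER PROJ_WRITERS SMITH
GRANT/IDENTIFIER PROJ_READERS JONES
EXIT
$!
$! Step 2: UIC-based protection mask on the directory file.
$!         Directory semantics: Read = list, Write = create/delete files,
$!         Execute = look up files. Group may list and traverse, World gets
$!         nothing, and nobody gets Delete on the directory itself.
$ CREATE/DIRECTORY DKA100:[PROJECT] /OWNER_UIC=[200,10] -
      /PROTECTION=(SYSTEM:RWE,OWNER:RWE,GROUP:RE,WORLD)
$!
$! Step 3: ACL on the directory. The least restrictive ACE comes first
$!         because the first matching ACE decides: a user holding both
$!         identifiers gets writer access. The OPTIONS=DEFAULT ACEs are
$!         not evaluated for the directory; they are copied onto files
$!         created inside it, and DEFAULT_PROTECTION supplies the mask
$!         those new files receive (no World access at all).
$ SET SECURITY DKA100:[000000]PROJECT.DIR -
      /ACL=( -
      (IDENTIFIER=PROJ_WRITERS,ACCESS=READ+WRITE+EXECUTE), -
      (IDENTIFIER=PROJ_READERS,ACCESS=READ+EXECUTE), -
      (IDENTIFIER=PROJ_WRITERS,OPTIONS=DEFAULT,ACCESS=READ+WRITE+EXECUTE+DELETE), -
      (IDENTIFIER=PROJ_READERS,OPTIONS=DEFAULT,ACCESS=READ), -
      (DEFAULT_PROTECTION,SYSTEM:RWED,OWNER:RWED,GROUP:R,WORLD))
$!
$! Step 4: files that already existed before the ACL was set do not pick up
$!         the DEFAULT ACEs on their own; regenerate their profiles from
$!         the directory defaults.
$ SET SECURITY/DEFAULT DKA100:[PROJECT]*.*;*
$!
$! Step 5: verify. The ACL is listed after the UIC-based protection mask,
$!         which is the order in which the system consults them.
$ SHOW SECURITY DKA100:[000000]PROJECT.DIR
$ SHOW SECURITY DKA100:[PROJECT]*.*
$!
$! From a non-privileged session as JONES: release the dynamic identifier
$! while it is not needed, and re-acquire it later.
$ SET RIGHTS_LIST/DISABLE PROJ_READERS
$ SET RIGHTS_LIST/ENABLE PROJ_READERS
$ EXIT
```

If the reader ACE were entered before the writer ACE, a user granted both identifiers would match the reader ACE first and lose write access, which is exactly the ordering mistake the slide warns about; SHOW SECURITY on a file created after Step 3 confirms that it carried the DEFAULT ACEs and the DEFAULT_PROTECTION mask rather than the directory's own ACEs.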