____________________________________________________

DEC SecurityGate Installation Guide

Version 1.1

Order Number: AA-PHA2B-TE

August 11, 1992

The DEC SecurityGate Installation Guide explains how to install DEC SecurityGate software.

This product represents the current state-of-the-art in security validation at the time of announcement. However, no system can provide complete security by itself. Customers are advised to follow industry-recognized security practices and not rely solely upon a security enhancing product to provide protection from computer misuse, loss of data, or loss of service.

Revision/Update Information: This is Version 1.1 of a new manual. This manual supersedes any previous versions or drafts.

Operating System and Version: VMS Version 5.2 or higher

Software Version: DEC SecurityGate Version 1.1

_________________________________________________________________

First Printing, July 1991

-------------

The information in this document is subject to change without notice and should not be construed as a commitment by Digital Equipment Corporation. Digital Equipment Corporation assumes no responsibility for any errors that may appear in this document.

The software described in this document is furnished under a license and may be used or copied only in accordance with the terms of such license.

No responsibility is assumed for the use or reliability of software or equipment that is not supplied by Digital Equipment Corporation or its affiliated companies.

Restricted Rights: Use, duplication, or disclosure by the U.S. Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013.

-------------

© Digital Equipment Corporation 1992. All rights reserved. Printed in U.S.A.

-------------

The Reader's Comments form at the end of this document requests your critical evaluation to assist in preparing future documentation.

The following are trademarks of Digital Equipment Corporation: DEC SecurityGate, DEC, DECnet, VAX, VAXcluster, VAX/VMS, and the DIGITAL logo.

This document was prepared with VAX DOCUMENT, Version 1.2.

_________________________________________________________________

Contents

Preface

1  Preparing to Install DEC SecurityGate
   1.1  Pre-installation Tasks
   1.2  Installation Considerations
   1.3  Examining the DEC SecurityGate Installation Kit
   1.4  Accessing the Online Release Notes
   1.5  Network Communication Warning
   1.6  Installation Procedure Requirements
   1.7  VMS License Management Facility
   1.8  VAXcluster Configuration
   1.9  Checking and Setting the SCSSYSTEMID System Parameter

2  Installing DEC SecurityGate
   2.1  Stopping the Installation
   2.2  Getting Help During Installation
   2.3  Running the Installation Procedure
   2.4  Post-Installation Procedure

3  Post-Installation Information
   3.1  Configuring Other Nodes with DSG in VAXcluster Installations
   3.2  Process Symbol Table Restoration
   3.3  Running the Installation Verification Procedure

4  Installation Problems
   4.1  General Error Conditions
   4.2  DSG-Specific Error Conditions
        4.2.1  No DECnet License Failure
        4.2.2  No DECnet Routing License Failure
        4.2.3  SCSSYSTEMID System Parameter Not Set
        4.2.4  Incorrect Version of VMS Failure
        4.2.5  Insufficient Disk Space Failure
        4.2.6  IVP Failure
   4.3  Determining and Reporting Problems

5  DEC SecurityGate Files, Directories, and Logical Names
   5.1  Files and Directories
   5.2  DEC SecurityGate Logical Names

6  Sample Installation

Index

_________________________________________________________________

Preface

This manual describes how to install the DEC SecurityGate software.

Intended Audience

This manual assumes that the person installing DEC SecurityGate has experience in basic system management, experience in basic network management, and a working knowledge of VMS installation procedures and practices.

In addition, the installer of DEC SecurityGate software must have:

o  access to the system manager account and full privileges

o  knowledge of the system and network configuration prior to installation of DEC SecurityGate

o  knowledge of how DSG is intended to interact with the system and network configuration

o  understanding of the DSG product and the DSG installation procedure

Structure of This Document

This manual contains the following chapters and an index:

Chapter 1    Discusses the preparations and requirements necessary for installing DEC SecurityGate.

Chapter 2    Contains a step-by-step description of how to install DEC SecurityGate.

Chapter 3    Describes the tasks you need to perform after installing the DEC SecurityGate software, but before you use it.

Chapter 4    Addresses problems that may occur during installation.

Chapter 5    Provides a list of DSG files, directories, and logical names.

Chapter 6    Provides a sample installation.

Related Documents

For further information on topics covered in this manual, refer to the following manuals:

o  The DEC SecurityGate User's Guide describes the configuration, management, and use of DEC SecurityGate.

o  The Guide to DECnet-VAX Networking describes various DECnet-VAX concepts and operations.

o  The VMS Backup Utility Manual describes how to back up your system disk before you install DEC SecurityGate.

o  The Guide to VMS Software Installation describes how to install software using the VMS operating system.

For information about special features and limitations of this release, see the Release Notes located in the file SYS$HELP:NSG$011.RELEASE_NOTES.

Conventions

Convention    Meaning
------------------------------------------------------------
              This symbol indicates that you press a key on
              the terminal.

              The symbol indicates that you must press the
              key labeled Ctrl while you simultaneously press
              another key, usually an alphabetic-character
              key.

.             A vertical series of periods, or ellipsis,
.             indicates that a portion of a code example is
.             not shown because it is not important to the
              topic being discussed.

. . .         A horizontal ellipsis indicates that additional
              parameters, values, or information can be
              entered.

[]            In installation procedure prompts, square
              brackets enclose default values.
------------------------------------------------------------

Maintenance Updates

Digital may periodically issue maintenance updates of DEC SecurityGate. Each update will consist of an installation kit. Install this kit as described in this document or in any documentation that accompanies the maintenance update.

Each time a maintenance update is released, the version number changes. For example, if the current version is 1.0, the version number of the first maintenance update is 1.1.

In addition, the maintenance update usually includes changes to the release notes. The release notes describe the changes that have been made to the DEC SecurityGate since the previous release.

The updated release notes are provided in hardcopy and online forms. You can access the online release notes before you install DEC SecurityGate and at any time after the product is installed. For information about getting the online release notes before DEC SecurityGate is installed, refer to Chapter 1 of this manual.

________________________ Note ________________________

Since installing this product adds another layer of protection to a network, plan on notifying the personnel involved in troubleshooting your network that this product is installed.

______________________________________________________

1
_________________________________________________________________
Preparing to Install DEC SecurityGate

This chapter discusses the preparations and requirements necessary for installing the DEC SecurityGate. Read this section before you begin the installation.

A prerequisite to performing a DSG installation is that you (or someone that you have direct access to) have the following qualifications:

-  a familiarity with VMS installation procedures and practices

-  a working knowledge of basic system and network management

-  an understanding of how to operate the system hardware

1.1 Pre-installation Tasks

This section lists the things you'll need to do before beginning the installation of DEC SecurityGate. Be sure to perform the tasks described in this section. Many of the items listed in this section are explained in detail in the following sections of this chapter.

Before beginning the installation, you must perform the following tasks:

-  Get access to the system manager account.

-  Get full privileges if you do not already have them. (Refer to Section 1.6.)

-  Examine the installation kit. (Refer to Section 1.3.)

-  Read the DEC SecurityGate Cover Letter and DEC SecurityGate Release Notes. (Refer to Section 1.4.)

-  Have the Product Authorization Key (PAK) (shipped with DSG) available.

-  Create a backup of your system disk. (Refer to Section 1.6.)

-  Verify that you are installing DSG on a routing node. (MCR NCP SHOW EXECUTOR CHARACTERISTICS)

-  Get the device name of the device on which you plan to mount the media. (SHOW DEVICE M command shows all magnetic tape devices.)

-  Check the date and time on your system and assure correctness.

-  Be sure that the SCSSYSTEMID is set correctly. (Refer to Section 1.9.)

-  Make sure there is sufficient free disk space on the system. (Refer to Section 1.6.)

1.2 Installation Considerations

This section lists the things you'll need to consider before beginning the installation of DEC SecurityGate. Be sure to read and understand the points made in this section. Many of the items listed in this section are explained in detail in the following sections of this chapter.

Before beginning the installation, you'll need to know the following things:

o  Understand the following topics:

   -  What is your system and network configuration?

   -  What are the basics of the DSG product? (Refer to the DEC SecurityGate User's Guide.)

   -  What is the desired effect on network communication you want to achieve by installing DEC SecurityGate?

   -  How does DEC SecurityGate work in a VAXcluster environment? (Refer to Section 1.8.)

   -  What are the DSG installation procedure requirements and does your system meet them? (Refer to Section 1.6.)

   -  What immediate effects will the DSG installation have upon your system's network communication? (Refer to Section 1.5.)

o  Answer the following installation-specific questions:

   -  Do you have the PAK information, and when will you register the software license? (Refer to Section 1.7.)

   -  Are you installing on a clean system, or one already running DSG?

   -  Is this the only routing node to be configured? (if in a VAXcluster)

   -  What are the network circuits and what will each be designated, "Inside" or "Outside"?

It is recommended that you thoroughly read all of the installation steps in Chapter 2 and be prepared to answer all questions that are asked in these steps before starting the installation procedure.

1.3 Examining the DEC SecurityGate Installation Kit

Examine your DEC SecurityGate installation kit thoroughly to be sure you have received all the parts that are supposed to be in the kit. The DEC SecurityGate installation kit is made up of the following things:

o  DEC SecurityGate media, which includes:

   -  DEC SecurityGate software

   -  DEC SecurityGate online help

   -  DEC SecurityGate online release notes

o  DEC SecurityGate documentation set, which includes:

   -  DEC SecurityGate Cover Letter

   -  DEC SecurityGate Release Notes

   -  DEC SecurityGate Installation Guide

   -  DEC SecurityGate User's Guide

Your Bill of Materials specifies the number and contents of your media and other parts of the kit. Be sure to check the contents of your kit against the Bill of Materials. If your kit is damaged, or if you find that parts of it are missing, call your Digital representative.

1.4 Accessing the Online Release Notes

The DEC SecurityGate kit provides online release notes that you can choose either to display or to print during the installation procedure.

________________________ Note ________________________

The prompt to display or print the release notes appears in the installation procedure only when you invoke VMSINSTAL with the N option.

______________________________________________________

To access the release notes before you install DEC SecurityGate, follow the installation procedure up to Step 4 in Section 2.3, Running the Installation Procedure - at this point you can choose to read or print the release notes. Then, you can discontinue the installation procedure.

Note: Although the release notes file installed by VMSINSTAL has a unique name for each maintenance update, take care not to delete previous versions of that file. You may later want to refer to past versions.

To read the release notes after the installation, display or print the file SYS$HELP:NSG$011.RELEASE_NOTES.

1.5 Network Communication Warning

After successful installation and startup of the DEC SecurityGate software on a routing node, network communication remains open. That is, simply installing DSG does not automatically protect your system; network communication remains the same as it was before you installed DEC SecurityGate.

The installation procedure does install a set of default rules in the DSG database. When you start the DEC SecurityGate Control Program for the first time, these rules are activated. However, these default rules allow all network communication. Refer to the DEC SecurityGate User's Guide for information about default rules.

To use DSG, you must create and load your own access rules which define your security environment. To set your own rules for network communication, refer to the DEC SecurityGate User's Guide.

1.6 Installation Procedure Requirements

Before you can install DEC SecurityGate software, you must have the following privileges and resources:

o  Privileges - You must have either the SETPRV privilege, or CMKRNL, WORLD and SYSPRV privileges. Use the VMS SHOW PROCESS/PRIVILEGE command to determine what privileges you currently possess.

o  Operating system components - VMS Version 5.2 (or later), including SYS.STB

o  Time - The installation takes approximately 10 to 20 minutes, depending on the type of your media and your system configuration.

o  Disk space - Installing DEC SecurityGate requires a certain amount of free storage disk space during and after the installation. You will need a minimum of 1400 free blocks on your system disk. The installation procedure checks your system's free space during the installation; if there is not enough free space, the installation is aborted.

   Prior to installation, you should check to assure that your system has the minimum amount of free space needed to perform the installation. To determine the number of free disk blocks on the current system disk, enter the following command at the DCL prompt:

       $ SHOW DEVICE SYS$SYSDEVICE

o  Backup copy of your system disk - Digital recommends that you back up your system disk before installing any software on the operating system. Use the backup procedures that have been established at your site. For details on performing a system disk backup, see the VMS Backup Utility Manual.

o  DECnet - You must have a valid DECnet-VAX Phase IV ("full function") router license and DECnet must be running. This license must be installed on the same system where you will be installing DSG.

o  VMS Version - You must be running VMS Version 5.2 or higher in order to install DEC SecurityGate. If you are not running a version of VMS that meets this requirement, the DEC SecurityGate installation procedure will abort.

1.7 VMS License Management Facility

The VMS License Management Facility is available with Version 5.0 of the VMS operating system. Since you are installing a DEC SecurityGate layered product on VMS 5.2 or higher, you must register and load your software license.

The license registration information you need is contained in the Product Authorization Key (PAK) that is shipped with the DEC SecurityGate layered product. The PAK is a paper certificate that contains information about the license that authorizes you to run a particular piece of software.

It is best to register and load your DEC SecurityGate layered product license before you perform the installation. You can use the VMSLICENSE command procedure to install and load the PAK.

During the installation, you are asked if you have registered the DEC SecurityGate layered product license and loaded the appropriate authorization key. If you have not already done so, you are able to complete the installation, but you will not be able to run the DEC SecurityGate layered product software. Once you perform the license registration and load an authorization key, you can use the DEC SecurityGate layered product.

1.8 VAXcluster Configuration

The DEC SecurityGate software checks both inbound and outbound DECnet-VAX packets going through the DEC SecurityGate router node and packets addressed to this node. But since it does not check packets originating at the router node, anyone logged into the routing node can communicate uninhibited by the DEC SecurityGate software.

Therefore, the node on which you run the DEC SecurityGate software cannot be a VAXcluster member connected to outside network lines if you filter outbound traffic. In this case, install DEC SecurityGate software only on a nonclustered routing node.

The following figures illustrate how to configure a DEC SecurityGate routing node if you want to restrict outbound network communication on a VAXcluster system. Figure 1-1 shows the DSG router correctly configured outside of the VAXcluster. Figure 1-2 shows the DSG router incorrectly configured within the VAXcluster.

Refer to Section 3.1 for further information about configuring VAXcluster installations.

1.9 Checking and Setting the SCSSYSTEMID System Parameter

DEC SecurityGate will not be able to translate node names in its area if SCSSYSTEMID is not set correctly. Correct operation of DEC SecurityGate requires that this parameter be set to the node's DECnet address.
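
The Section 1.6 and Section 1.9 prerequisites can be checked in one pass before VMSINSTAL is invoked. The following DCL command procedure is an added example, not part of the DEC SecurityGate kit or of the original manual; the file name DSG_PRECHECK.COM and the symbol names are hypothetical, and the version test assumes a single-digit minor version such as V5.2 or V5.4-2.

```dcl
$! DSG_PRECHECK.COM - hypothetical name; added example, not shipped with DSG.
$! Checks the Section 1.6 and 1.9 prerequisites before VMSINSTAL is run.
$ failures = 0
$!
$! Privileges: SETPRV alone, or CMKRNL, WORLD and SYSPRV together.
$ priv_ok = F$PRIVILEGE("SETPRV")
$ IF .NOT. priv_ok THEN priv_ok = F$PRIVILEGE("CMKRNL,WORLD,SYSPRV")
$ IF .NOT. priv_ok
$ THEN
$     WRITE SYS$OUTPUT "FAIL  privileges: need SETPRV, or CMKRNL, WORLD and SYSPRV"
$     failures = failures + 1
$ ENDIF
$!
$! VMS version: V5.2 or higher. F$GETSYI returns a string such as "V5.3".
$ version = F$EDIT(F$GETSYI("VERSION"), "TRIM")
$ dot = F$LOCATE(".", version)
$ major = F$INTEGER(F$EXTRACT(1, dot - 1, version))
$ minor = F$INTEGER(F$EXTRACT(dot + 1, 1, version))
$ IF (major * 10 + minor) .LT. 52
$ THEN
$     WRITE SYS$OUTPUT "FAIL  VMS version is " + version + "; V5.2 or higher is required"
$     failures = failures + 1
$ ENDIF
$!
$! Disk space: at least 1400 free blocks on the system disk.
$ free = F$GETDVI("SYS$SYSDEVICE", "FREEBLOCKS")
$ IF free .LT. 1400
$ THEN
$     WRITE SYS$OUTPUT "FAIL  only " + F$STRING(free) + " free blocks; 1400 are required"
$     failures = failures + 1
$ ENDIF
$!
$! SCSSYSTEMID: the manual's own test is that NODE_AREA must not be zero.
$ IF F$GETSYI("NODE_AREA") .EQ. 0
$ THEN
$     WRITE SYS$OUTPUT "FAIL  SCSSYSTEMID is not set (NODE_AREA is 0)"
$     failures = failures + 1
$ ENDIF
$!
$! Routing node: shown for inspection rather than parsed.
$ WRITE SYS$OUTPUT "Confirm in the display below that this is a routing node:"
$ MCR NCP SHOW EXECUTOR CHARACTERISTICS
$!
$ IF failures .NE. 0
$ THEN
$     WRITE SYS$OUTPUT F$STRING(failures) + " check(s) failed; do not start VMSINSTAL yet."
$     EXIT %X10000002   ! error severity, message display inhibited
$ ENDIF
$ WRITE SYS$OUTPUT "All automated prerequisite checks passed."
$ EXIT 1
```

The license, system disk backup, and system date and time items from Section 1.1 are not covered by this procedure and still have to be confirmed by hand.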

You can determine if this parameter is set by issuing the following DCL command:

    $ WRITE SYS$OUTPUT F$GETSYI("NODE_AREA")

This command will display the system identification number. If the displayed number is zero, the SCSSYSTEMID System Parameter has not been set and you must set it. Refer to the VMS System Generation Utility Manual for information about setting this parameter.

2
_________________________________________________________________
Installing DEC SecurityGate

This section contains a step-by-step description of how to install DEC SecurityGate software. The DEC SecurityGate installation procedure consists of a series of questions and informational messages. The instructions in this section assume that you have read and performed the instructions in Chapter 1.

A complete sample installation dialogue, which shows the flow of the installation procedure without explanatory text, is provided in Chapter 6.

2.1 Stopping the Installation

To abort the installation procedure at any time, press Ctrl/Y. When you press Ctrl/Y, the installation procedure deletes all files it has created up to that point and exits. You can then start the installation again.

2.2 Getting Help During Installation

If you need help during the installation procedure, you can enter a (?) in answer to a question. Additional information about the topic will be displayed.

If the installation procedure fails, or if you have problems during the installation, turn to Chapter 4, Installation Problems for additional information and help.

2.3 Running the Installation Procedure

This section provides a step-by-step explanation of the installation procedure. It contains excerpts from the DEC SecurityGate layered product installation procedure as it appears on the screen, with explanatory text where necessary. A sample installation procedure without explanatory text is provided in Chapter 6.

Step 1 - Log in to the system account.

You must run the installation from a privileged account, such as the SYSTEM account. Log in to the SYSTEM account:

    Username: SYSTEM
    Password:

Step 2 - Invoke VMSINSTAL.

To start the installation procedure, invoke VMSINSTAL. Use the following syntax:

    $ @SYS$UPDATE:VMSINSTAL NSG device-name OPTIONS N

device-name is the name of the device on which you plan to mount the media. For example, MTA0 is the device name for tape drive 0 on controller A.

OPTIONS N is an optional parameter that indicates that you want to be prompted to display or print the release notes. Digital strongly recommends that you include the OPTIONS N parameter and read the release notes before proceeding with the installation.

VMSINSTAL has several other options; for information, see the Guide to VMS Software Installation.

Note that VMSINSTAL presents slightly different messages depending on the version of VMS that you are running.

When you invoke VMSINSTAL, it checks the following:

o  Whether you are logged in to the SYSTEM account

o  Whether you have adequate quotas for installation

o  Whether there are any users logged in to the system

If VMSINSTAL detects any of these conditions, it gives you the opportunity to stop the installation procedure by asking if you want to continue. If you want to stop the installation, press the Return key.

    $ @SYS$UPDATE:VMSINSTAL NSG ddcu: OPTIONS N

    VAX/VMS Software Product Installation Procedure V5.3

    It is dd-mmm-yyyy at hh:mm.
    Enter a question mark (?) at any time for help.

    * Are you satisfied with the backup of your system disk [YES]?

Be sure you have a recent backup of your system disk before continuing.

Step 3: Insert the first installation kit volume.

You must mount distribution media in numerical order. The installation procedure prompts you to mount the volumes.

    Please mount the first volume of the set on ddcu:.
    * Are you ready? Y

    The following products will be processed:

      NSG V1.1

    Beginning installation of NSG V1.1 at hh:ss

    %VMSINSTAL-I-RESTORE, Restoring product saveset A ...

If you need information about mounting the distribution media, refer to the Guide to VMS Software Installation.

Step 4: Select a release notes option.

This step applies only if you specified OPTIONS N in step 2.

    Release notes included with this kit are always copied to SYS$HELP

    Additional Release Notes Options:

        1. Display release notes
        2. Print release notes
        3. Both 1 and 2
        4. None of the above

    * Select option [2]:

o  If you select option 1, VMSINSTAL displays the release notes on your screen immediately.

o  If you select option 2, the default, VMSINSTAL prompts you for a print queue name.

o  If you select option 3, the installation procedure prints and then displays the release notes.

o  If you select option 4, the installation procedure does not display or print the release notes.

    VMI$ROOT:[SYSUPD.NSG011]NSG$011.RELEASE_NOTES;1
    * Queue name [SYS$PRINT]:

Either type a queue name, or press the Return key to indicate the default output print device, SYS$PRINT.

Next, VMSINSTAL displays the following prompt:

    * Do you want to continue the installation [NO]?:Y
    %VMSINSTAL-I-RELMOVED, Product's release notes have been moved to SYS$HELP.

If you type NO or press Return, VMSINSTAL stops the installation. If you typed YES, you see the following information on the screen:

    Copyright (c) Digital Equipment Corporation, 1992
    All Rights Reserved.
    Unpublished rights reserved under the copyright laws of the United States.

    The software contained on this media is proprietary to and embodies the
    confidential technology of Digital Equipment Corporation. Possession, use,
    duplication or dissemination of the software and media is authorized only
    pursuant to a valid written license from Digital Equipment Corporation.

Step 5: Confirm PAK registration.

The installation procedure next asks if the product authorization key is loaded. If the key is not loaded, the IVP will not run.

    LICENSE AND PRODUCT AUTHORIZATON KEY

    If a product license has not been installed on this system, the VMS
    License Management Utility (LICENSE) should be used to register and
    load a Product Authorization Key (PAK).

        Product:      SECURITYGATE
        Producer:     DEC
        Version:      V1.1
        Release Date: 1-June-1992

    * Does this product have an authorization key registered and LOADED? Y

Step 6: Select file purging option.

The files in SYS$SYSTEM and SYS$HELP containing previous releases of DEC SecurityGate are replaced during the installation with the new release, but the old release is not automatically purged. Purging is recommended. In response to the purging prompt, press Return to purge the files, or type NO to keep them.

    * Do you want to purge files replaced by this installation [YES]?

Step 7: Choose whether the IVP will run after installation.

You can decide whether to run the Installation Verification Procedure after the software is installed. Note that you can run the IVP at any time after software installation to confirm that the executable files are in the correct location.

    * Do you want to run the IVP after the installation [YES]?)

Step 8: Define the network circuit locations.

You must define the communication circuits attached to the DEC SecurityGate node on which you are installing the software the first time you install DEC SecurityGate. Define these circuits as being either inside or outside the security domain you are setting up. Circuits must be defined so default access rules that allow network communication are activated when you start DEC SecurityGate software running.

The installation procedure displays the network circuits and then queries you about the location of each.

    CREATING THE PASS ALL FILTER RULES

    You will now be asked to designate the network circuits connected to
    your node as either INSIDE or OUTSIDE your routing domain. It is
    important that you properly designate each circuit so this installation
    procedure can create a default set of "Pass All" access rules which will
    allow message traffic to pass uninhibited through this routing node.
    These "Pass All" access rules will be invoked when this product is first
    started on your system if, as is the normal case, you have not yet had
    the opportunity to invoke the rule making software to create filter
    rules specifically suited to your system.

    * Are you prepared to designate each of the circuits [YES]? Y

    The following circuits are attached to your system

    Known Circuit Volatile Summary as of dd-mmm-yyyy hh:mm:ss

       Circuit          State                   Loopback     Adjacent
                                                  Name     Routing Node

      QNA-0             on
      QNA-1             on

    Is QNA-0 an [I]nside or [O]utside circuit? I
    Is QNA-1 an [I]nside or [O]utside circuit? O

Step 9: Specify NML Server Account UIC

The installation procedure next prompts you for the NML Server Account UIC. DEC SecurityGate depends on the NML object to translate node names to DECnet addresses. To allow NML to access the SYS$SYSTEM:NETNODE_LOCAL.DAT and SYS$SYSTEM:NETNODE_REMOTE.DAT files, DEC SecurityGate grants read access to the NML Server. You must enter the UIC identifier of the NML Server account to allow this access to be granted.

    * Enter NML Server account UIC [[376,371]]:

    No further questions will be asked during this installation procedure.

Step 10: Files Created or Modified During Installation

The installation procedure next lists the files that are installed.

    This installation will add the following files:

        SYS$LOADABLE_IMAGES:NSDRIVER.EXE
        SYS$SYSTEM:NSG$ACP.EXE
        SYS$SYSTEM:NSG$EXE.EXE
        SYS$STARTUP:NSG$STARTUP.COM
        SYS$STARTUP:NSG$REAL_STARTUP.COM
        SYS$STARTUP:NSG$CONFIG.COM
        SYS$HELP:NSG$HELP.HLB
        SYS$HELP:NSG$011.RELEASE_NOTES
        SYS$TEST:NSG$IVP.COM

    %VMSINSTAL-I-MOVEFILES, Files will now be moved to their target directories...

Step 11 - Read post-installation instructions.

The post-installation instructions are now displayed. You will not be able to carry out these instructions until after the installation procedure is completed; however, you can read them now if you wish. Refer to Section 2.4, Post-Installation Procedure for information about performing the tasks described in these instructions.

    POST INSTALLATION INSTRUCTIONS

    After this installation procedure is complete, you must perform several
    manual operations to start the DEC SecurityGate.

    You must edit your system startup procedure
    (SYS$STARTUP:SYSTARTUP_V5.COM) to invoke the DEC SecurityGate startup
    procedure, SYS$STARTUP:NSG$STARTUP.COM. For proper DEC SecurityGate
    operation, NSG$STARTUP.COM must be executed before DECnet has been
    started.

    This node is now configured to run DEC SecurityGate. You must invoke
    SYS$STARTUP:NSG$CONFIG.COM on any other cluster node which will run the
    DEC SecurityGate product **BEFORE** NSG$STARTUP.COM is invoked on that
    node. Refer to the Installation Guide for more details.

    ------------------------------------------------------------------------------
    IMPORTANT: If you are installing on a node which is already running
    DEC SecurityGate, then you MUST reboot the system to begin using the
    new version.
    ------------------------------------------------------------------------------

Step 12: Run the IVP.

The IVP (Installation Verification Procedure) is run automatically at this time if you answered "Yes" to Step 7.

    Beginning the DEC SecurityGate V1.1 Installation Verification Procedure

    The DEC SecurityGate V1.1 Installation Verification Procedure completed successfully

    Installation of NSG V1.1 completed at hh:mm

    VMSINSTAL procedure done at hh:mm

If you answered "No" to Step 7, and you would like to run the IVP, you can now run this procedure. The IVP can be run at any time after the installation. To run the IVP command procedure, enter the following command:

    $ @SYS$TEST:NSG$IVP.COM

The IVP informational messages will be displayed. Refer to Section 3.3 for a full description of the IVP.

Step 13 - Perform Post-Installation Steps

You must now perform the DSG post-installation tasks. These steps are described in Section 2.4. Be sure to perform these steps; the DEC SecurityGate software should not be started or used until post-installation steps are completed.

2.4 Post-Installation Procedure

The DEC SecurityGate installation procedure has now been completed. However, you still need to perform the following post-installation steps before you can run the DEC SecurityGate Control Program and set up your access rules. Perform all steps except for any that explicitly state that they do not apply to your system.

Post-Install Step 1 - Edit system startup procedure

Add the following line to the SYS$STARTUP:SYSTARTUP_V5.COM file, immediately before the line that executes SYS$MANAGER:STARTNET.COM.

    $SPAWN/NOWAIT @SYS$STARTUP:NSG$STARTUP

This command spawns a process that will execute the SYS$STARTUP:NSG$STARTUP.COM file.

Post-Install Step 2 - Run DSG startup procedure (for new installations only)

Skip this step if this is a re-installation of DSG (your node was already running DSG when you installed this version). In this case, go to Step 3.

Run the DSG startup procedure, SYS$STARTUP:NSG$STARTUP.COM.
Enter the following command:

    $@SYS$STARTUP:NSG$STARTUP

Post-Install Step 3 - Reboot the system (for installations already running DSG)

Skip this step if this is a new installation of DSG. (In this case, you
should have already performed Step 2.)

Reboot the system. You must reboot your system in order to begin using
the new version of DEC SecurityGate which you have just installed. This
step applies only to nodes which are already running DSG.

Post-Install Step 4 - Configure other DSG routers (VAXcluster installations only)

Skip this step if you are not installing DSG in a VAXcluster.

If this is a VAXcluster installation with multiple routers in the
cluster, you can configure other routing nodes to serve as DEC
SecurityGate nodes without repeating the installation procedure.
Perform the instructions in Section 3.1, Configuring Other Nodes with
DSG in VAXcluster Installations, to configure each additional DEC
SecurityGate routing node in the cluster. Return to the next step after
you have finished.

Post-Install Step 5 - Read Chapter 3

Now you should turn to Chapter 3, Post-Installation Information, for
further post-installation information. This section contains optional
steps which you may want to perform. Return to this point in the
instructions after you have read Chapter 3.

Post-Install Step 6 - Turn to DEC SecurityGate User's Guide

This is the end of the installation procedure. You must next begin the
procedure to set up and configure the DEC SecurityGate. Turn to
Chapter 2, "Setting Up the DEC SecurityGate Database", in the DEC
SecurityGate User's Guide.

_______________________ Warning _______________________

Although you have reached the end of the installation procedure and DEC
SecurityGate is now installed and running on your system, DEC
SecurityGate is not yet restricting network access to your system.
DEC SecurityGate is installed with a "default database" which allows
all network communications. To restrict access to your system, you
must perform the instructions in Chapter 2, "Setting Up the DEC
SecurityGate Database", in the DEC SecurityGate User's Guide.

______________________________________________________

3
_________________________________________________________________
Post-Installation Information

This chapter contains post-installation information which may be of use
after you have finished installing DEC SecurityGate.

3.1 Configuring Other Nodes with DSG in VAXcluster Installations

Once you have installed the DEC SecurityGate software on a node within
a VAXcluster system, you may configure other routing nodes within the
cluster to serve as DEC SecurityGate nodes without repeating the
installation. Perform the following operations for each of the
additional routing nodes in the cluster:

1. Load the licenses on the nodes that are to run the software. Use the
   following command on each node that is to run DEC SecurityGate:

       $ LICENSE LOAD SECURITYGATE

   For more information about the LICENSE LOAD command, see the VMS
   License Management Utility Manual.

2. Execute NSG$CONFIG.COM on any other nodes you wish to configure as
   DEC SecurityGate nodes. This command procedure copies the startup
   procedure (NSG$REAL_STARTUP.COM) to
   SYS$SPECIFIC:[SYS$STARTUP]NSG$STARTUP.COM. During cluster startup,
   only the nodes that have executed NSG$CONFIG.COM can serve as DEC
   SecurityGate nodes. Note that NSG$CONFIG.COM needs to be executed
   only once on each router node.

3. Edit the system startup procedure. Modify
   SYS$STARTUP:SYSTARTUP_V5.COM to spawn a process that executes the
   file SYS$STARTUP:NSG$STARTUP.COM before DECnet has started. Add the
   following line to the file SYS$STARTUP:SYSTARTUP_V5.COM immediately
   before the line that executes SYS$MANAGER:STARTNET.COM.

       $SPAWN/NOWAIT @SYS$STARTUP:NSG$STARTUP

4. Execute the startup procedure NSG$STARTUP.COM to start DEC
   SecurityGate without rebooting.

3.2 Process Symbol Table Restoration

Note that VMSINSTAL deletes or changes entries in the process symbol
tables during the installation. Therefore, if you are going to continue
using the system account, and you want to restore those symbols, log
out and log in again.

To prevent this problem, before installation you can spawn a process
and invoke VMSINSTAL from this process. Log out of this process after
the installation, so that your symbols are still defined correctly.

3.3 Running the Installation Verification Procedure

DEC SecurityGate provides an Installation Verification Procedure (IVP)
which verifies that the DSG executable files are in the correct
location. You can run the IVP at any time you wish to ensure the
integrity of installed files, for example when system problems occur.
Normally the IVP is run at installation time as a part of the
installation procedure.

To run the IVP command procedure, enter the following command:

    $@SYS$TEST:NSG$IVP.COM

If the Installation Verification Procedure fails for any reason, the
following message is displayed:

    +---------------------------------------------+
    | The DEC SecurityGate V1.1                   |
    | Installation Verification Procedure failed. |
    +---------------------------------------------+

If you receive this message during the IVP, contact your Digital
Customer Service Center for assistance.

4
_________________________________________________________________
Installation Problems

This chapter contains information which may be useful if you have
problems during or after the installation procedure. There is further
help available in the "Troubleshooting" section of the DEC SecurityGate
User's Guide.

4.1 General Error Conditions

If the installation procedure fails for any reason, the following
message is displayed:

    %VMSINSTAL-E-INSTFAIL, The installation of NSG V1.1 has failed.

One or more of the following conditions can cause an error during the
installation:

o  Insufficient system virtual page count parameter
o  Insufficient AST quota
o  Insufficient buffered I/O byte count
o  Insufficient subprocess quota
o  Insufficient open file quota
o  Insufficient process paging file quota
o  Insufficient process working set quota
o  Insufficient system maximum working set

For descriptions of the error messages generated by these conditions
and the proper responses, refer to the VMS System Messages and Recovery
Procedures Reference Manual and the Guide to Setting Up a VMS System.

If any of these conditions exist, take the appropriate action; the
response to an error condition is described in the error message. You
may need to change a system parameter or increase an authorized quota
value.

If the installation has failed, restart the installation procedure
described in Section 2.3, Running the Installation Procedure, beginning
at Step 2.

4.2 DSG-Specific Error Conditions

This section describes the errors that can occur if the installation
procedure fails due to a DSG-specific installation problem. One or more
of the following conditions can cause this type of error during the
installation:

o  No DECnet license (refer to Section 4.2.1)
o  No DECnet routing license (refer to Section 4.2.2)
o  SCSSYSTEMID system parameter not set (refer to Section 4.2.3)
o  Incorrect version of VMS (refer to Section 4.2.4)
o  Insufficient disk space to complete installation (refer to
   Section 4.2.5)
o  IVP Failure (refer to Section 4.2.6)

If any of these conditions exist, take the appropriate action. These
error conditions and responses are described in the following sections
of this chapter, as indicated.

If the installation has failed, restart the installation procedure
described in Section 2.3, Running the Installation Procedure, beginning
at Step 2.

4.2.1 No DECnet License Failure

If you do not have a DECnet license installed on the node where you are
installing DSG, the following error message occurs:

    This node does not have a DECnet license. DEC SecurityGate is ONLY
    supported on a DECnet Routing Node.

    * Do you want to continue with the installation [Yes]:

DEC SecurityGate operation is not supported on a node without a DECnet
license. You must install a DECnet Routing License and configure this
node as a DECnet Routing node before using DEC SecurityGate.

You can either stop the installation and install your DECnet license at
this time, or continue with the installation and install your DECnet
license after completing the installation.

4.2.2 No DECnet Routing License Failure

If you do not have a DECnet routing license installed on the node where
you are installing DSG, the following error message occurs:

    This node has only a DECnet End Node license. DEC SecurityGate is
    ONLY supported on a DECnet Routing Node.

    * Do you want to continue with the installation [Yes]:

DEC SecurityGate operation is not supported on a DECnet End Node. You
must install a DECnet Routing License and configure this node as a
DECnet Routing node before using DEC SecurityGate.

You can either stop the installation and install your DECnet routing
license at this time, or continue with the installation and install
your DECnet routing license after completing the installation.

4.2.3 SCSSYSTEMID System Parameter Not Set

If the SCSSYSTEMID System Parameter has not been set on the node where
you are installing DSG, the following error message is displayed:

    The SCSSYSTEMID System Parameter has not been set on this node.
    DEC SecurityGate will not be able to translate node names in its
    area if SCSSYSTEMID is not set correctly. Correct operation of DEC
    SecurityGate requires that this parameter must be set to the node's
    DECnet address. You may set this parameter after the installation
    has completed. It must be set before starting DEC SecurityGate.

    * Do you want to continue with the installation [Yes]:

You can either stop the installation and set the SCSSYSTEMID System
Parameter at this time, or continue with the installation and set the
SCSSYSTEMID System Parameter after completing the installation.

To correct this error condition, set the SCSSYSTEMID System Parameter
to the DEC SecurityGate node's system identification number. The system
identification number is calculated as follows:

    (DECnet area number * 1024) + DECnet node number

For example, if your system had a DECnet address of 2.42, you would
determine the system identification number as follows:

    (2 * 1024) + 42 = 2090.

If the SCSSYSTEMID parameter is not set correctly, DEC SecurityGate
will not be able to translate node names in its area. You may set this
parameter after the installation has completed. It must be set before
starting DEC SecurityGate.

Refer to the VMS System Generation Utility Manual for complete
information about setting this parameter.

4.2.4 Incorrect Version of VMS Failure

You must be running VMS Version 5.2 or higher in order to install DEC
SecurityGate. If you are not running a version of VMS that meets this
requirement, the DEC SecurityGate installation procedure will abort and
display the following error message:

    This kit requires VMS V5.2 (or later) for correct installation.
    Please install VMS V5.2 (or later) before installing DEC
    SecurityGate.

Before you can continue with the installation of DEC SecurityGate, you
need to install or upgrade your system to the minimum version of VMS.
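
The two conditions this guide sets before DEC SecurityGate is started, the startup ordering from Post-Install Step 1 and the SCSSYSTEMID value from Section 4.2.3, can be checked with a short DCL procedure. This is an added example, not part of the DEC SecurityGate kit; the name NSG_PRECHECK.COM, its labels and the DECnet Phase IV address limits (area 1-63, node 1-1023) are assumptions not stated in this guide.

```dcl
$! NSG_PRECHECK.COM (hypothetical name) - added example, not part of the DSG kit.
$! Usage:  $ @NSG_PRECHECK area.node        for example  $ @NSG_PRECHECK 2.42
$! Checks two conditions the guide sets before DEC SecurityGate is started:
$!   1. SCSSYSTEMID = (DECnet area number * 1024) + DECnet node number
$!   2. SYSTARTUP_V5.COM invokes NSG$STARTUP before STARTNET.COM
$ failures = 0
$ startup = "SYS$STARTUP:SYSTARTUP_V5.COM"
$!
$! ---- Check 1: SCSSYSTEMID against the DECnet address passed as P1 ----
$ area_s = F$ELEMENT(0, ".", P1)
$ node_s = F$ELEMENT(1, ".", P1)
$ extra  = F$ELEMENT(2, ".", P1)        ! a lone period means no third field
$ IF (F$TYPE(area_s) .NES. "INTEGER") .OR. (F$TYPE(node_s) .NES. "INTEGER") -
     .OR. (extra .NES. ".") THEN GOTO BAD_ADDRESS
$ area = F$INTEGER(area_s)
$ node = F$INTEGER(node_s)
$! Assumption: DECnet Phase IV address limits (area 1-63, node 1-1023)
$ IF (area .LT. 1) .OR. (area .GT. 63) THEN GOTO BAD_ADDRESS
$ IF (node .LT. 1) .OR. (node .GT. 1023) THEN GOTO BAD_ADDRESS
$ expected = (area * 1024) + node
$ actual = F$GETSYI("SCSSYSTEMID")
$ IF actual .EQ. expected
$ THEN
$   WRITE SYS$OUTPUT "OK:   SCSSYSTEMID is ''actual' for DECnet address ''P1'"
$ ELSE
$   failures = failures + 1
$   WRITE SYS$OUTPUT "FAIL: SCSSYSTEMID is ''actual', expected ''expected' for ''P1'"
$ ENDIF
$ GOTO CHECK_ORDER
$BAD_ADDRESS:
$ failures = failures + 1
$ WRITE SYS$OUTPUT "FAIL: P1 must be a DECnet address in the form area.node"
$!
$! ---- Check 2: first NSG$STARTUP line must precede first STARTNET line ----
$CHECK_ORDER:
$ nsg_line = 0
$ net_line = 0
$ n = 0
$ OPEN/READ/ERROR=NO_FILE su 'startup'
$READ_LOOP:
$ READ/END_OF_FILE=READ_DONE su rec
$ n = n + 1
$ rec = F$EDIT(rec, "UPCASE,UNCOMMENT")   ! ignore case and commented-out text
$ IF (nsg_line .EQ. 0) .AND. (F$LOCATE("NSG$STARTUP", rec) .LT. F$LENGTH(rec)) -
     THEN nsg_line = n
$ IF (net_line .EQ. 0) .AND. (F$LOCATE("STARTNET", rec) .LT. F$LENGTH(rec)) -
     THEN net_line = n
$ GOTO READ_LOOP
$READ_DONE:
$ CLOSE su
$ IF nsg_line .EQ. 0
$ THEN
$   failures = failures + 1
$   WRITE SYS$OUTPUT "FAIL: ''startup' does not invoke NSG$STARTUP"
$ ENDIF
$ IF net_line .EQ. 0 THEN -
     WRITE SYS$OUTPUT "NOTE: STARTNET not found in ''startup'; check where DECnet is started"
$ IF (nsg_line .NE. 0) .AND. (net_line .NE. 0) .AND. (nsg_line .GT. net_line)
$ THEN
$   failures = failures + 1
$   WRITE SYS$OUTPUT "FAIL: NSG$STARTUP (line ''nsg_line') follows STARTNET (line ''net_line')"
$ ENDIF
$ IF (nsg_line .NE. 0) .AND. (net_line .NE. 0) .AND. (nsg_line .LT. net_line) THEN -
     WRITE SYS$OUTPUT "OK:   NSG$STARTUP (line ''nsg_line') precedes STARTNET (line ''net_line')"
$ GOTO SUMMARY
$NO_FILE:
$ failures = failures + 1
$ WRITE SYS$OUTPUT "FAIL: cannot open ''startup'"
$SUMMARY:
$ WRITE SYS$OUTPUT "''failures' check(s) failed"
$ IF failures .EQ. 0 THEN EXIT 1          ! odd status = success
$ EXIT 2                                  ! even status = failure
```

The procedure only reads the startup file and the system parameter; it changes nothing on the node.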

4.2.5 Insufficient Disk Space Failure

DEC SecurityGate requires a certain amount of free storage disk space
during and after the installation. You need a minimum of 1400 free
blocks on your system disk. The installation procedure checks your
system's free space during the installation; if there is not enough
free space, the installation is aborted and the following error message
is displayed:

    System disk does not contain enough free blocks to install DEC
    SecurityGate.

If this error occurs, you must make enough room on your system to
accommodate the DSG installation. First, check to see how much
additional free space you need to create to perform the installation.
To determine the number of free disk blocks on the current system disk,
enter the following command at the DCL prompt:

    $ SHOW DEVICE SYS$SYSDEVICE

Next, take whatever steps are necessary to create the needed amount of
free disk blocks. Finally, re-enter the above command to ensure that
your system now has the minimum amount of free space required to
perform the installation.

4.2.6 IVP Failure

If you perform the Installation Verification Procedure after the
installation, and the Installation Verification Procedure fails for any
reason, the following message is displayed:

    +---------------------------------------------+
    | The DEC SecurityGate V1.1                   |
    | Installation Verification Procedure failed. |
    +---------------------------------------------+

If you receive this message during the IVP, contact your Digital
Customer Service Center for assistance.

4.3 Determining and Reporting Problems

If an error occurs while you are installing or using DEC SecurityGate,
and you believe that the error is caused by a problem with DEC
SecurityGate, take one of the following actions:

o  If you have a Self-Maintenance Software Agreement, you can submit a
   Software Performance Report (SPR).
o  If you purchased DEC SecurityGate within the last 90 days and this
   is a nonconformance problem, you can submit a Software Performance
   Report (SPR).

If you find an error in the DEC SecurityGate documentation, fill out
and submit a Reader's Comments form which comes with the documentation.
If you report a documentation error, specify the title of the document
and the section and page number where the error was found.

________________________ Note ________________________

If it is necessary to contact Digital's CSC (Customer Support Center)
for support questions about your network, you must advise the CSC that
you have DEC SecurityGate installed on your routing node.

______________________________________________________

5
_________________________________________________________________
DEC SecurityGate Files, Directories, and Logical Names

5.1 Files and Directories

o  Files in SYS$LOADABLE_IMAGES

   NSDRIVER.EXE            - Pseudo-device driver

o  Files in SYS$SYSTEM

   NSG$ACP.EXE             - ACP for driver
   NSG$EXE.EXE             - DSG Control Program

o  Files in SYS$STARTUP

   NSG$STARTUP.COM         - Dummy startup file at installation
   NSG$REAL_STARTUP.COM    - Real startup file
   NSG$CONFIG.COM          - Copies "real" startup file to
                             NSG$STARTUP.COM

o  Files in SYS$MANAGER

   NSG$AUDIT_FILE.DAT      - Audit event file
   NSG$DATABASE.DAT        - Rules database
   NSG$ERROR.LOG           - ACP error output file

o  Files in SYS$HELP

   NSG$HELP.HLB            - DEC SecurityGate online help file
   NSG$011.RELEASE_NOTES   - DEC SecurityGate Release Notes

o  Files in SYS$TEST

   NSG$IVP.COM             - DEC SecurityGate Installation
                             Verification Procedure

5.2 DEC SecurityGate Logical Names

o  "NSG$AUDIT_FILE" translates to "SYS$MANAGER:NSG$AUDIT_FILE.DAT"
o  "NSG$DATABASE" translates to "SYS$MANAGER:NSG$DATABASE.DAT"

6
_________________________________________________________________
Sample Installation

This section contains a sample installation of DEC SecurityGate. Please
note that this is only a sample.
Your installation may differ slightly from the sample that is provided,
depending upon several factors. In addition, sometimes the installation
procedure is modified slightly in maintenance updates of this product.

    Username: SYSTEM
    Password:

    $ @SYS$UPDATE:VMSINSTAL NSG011 ddcu:

    VAX/VMS Software Product Installation Procedure V5.3

    It is dd-mmm-yyyy at hh:mm.
    Enter a question mark (?) at any time for help.

    * Are you satisfied with the backup of your system disk [YES]?

    Please mount the first volume of the set on ddcu:.
    * Are you ready? YES

    The following products will be processed:

      NSG V1.1

    Beginning installation of NSG V1.1 at hh:mm

    %VMSINSTAL-I-RESTORE, Restoring product save set A ...

    Release notes included with this kit are always copied to SYS$HELP.

    Additional Release Notes Options:

        1. Display release notes
        2. Print release notes
        3. Both 1 and 2
        4. None of the above

    * Select option [2]:
    * Queue name [SYS$PRINT]:
    * Do you want to continue the installation [NO]? YES
    %VMSINSTAL-I-RELMOVED, The product's release notes have been
    successfully moved to SYS$HELP.

    Copyright (c) Digital Equipment Corporation, 1992
    All Rights Reserved.
    Unpublished rights reserved under the copyright laws of the
    United States.

    The software contained on this media is proprietary to and embodies
    the confidential technology of Digital Equipment Corporation.
    Possession, use, duplication or dissemination of the software and
    media is authorized only pursuant to a valid written license from
    Digital Equipment Corporation.

    LICENSE AND PRODUCT AUTHORIZATON KEY

    If a product license has not been installed on this system, the VMS
    License Management Utility (LICENSE) should be used to register and
    load a Product Authorization Key (PAK).

        Product:      SECURITYGATE
        Producer:     DEC
        Version:      V1.1
        Release Date: 1-June-1992

    * Does this product have an authorization key registered and loaded? YES
    * Do you want to purge files replaced by this installation [YES]? YES
    * Do you want to run the IVP after the installation [YES]? YES

    CREATING THE PASS ALL FILTER RULES

    You will now be asked to designate the network circuits connected
    to your node as either INSIDE or OUTSIDE your routing domain. It is
    important that you properly designate each circuit so this
    installation procedure can create a default set of "Pass All"
    access rules which will allow message traffic to pass uninhibited
    through this routing node. These "Pass All" access rules will be
    invoked when this product is first started on your system if, as is
    the normal case, you have not yet had the opportunity to invoke the
    rule making software to create filter rules specifically suited to
    your system.

    * Are you prepared to designate each of the circuits [YES]? YES

    The following circuits are attached to your system

    Known Circuit Volatile Summary as of dd-mmm-yyyy hh:mm:ss

       Circuit          State                   Loopback     Adjacent
                                                  Name      Routing Node

      QNA-0             on
      QNA-1             on

    Is QNA-0 an [I]nside or [O]utside circuit? OUTSIDE
    Is QNA-1 an [I]nside or [O]utside circuit? INSIDE

    DEC SecurityGate depends on the NML object to translate node names
    to DECnet addresses. To allow NML to access the
    SYS$SYSTEM:NETNODE_LOCAL.DAT and SYS$SYSTEM:NETNODE_REMOTE.DAT
    files, DEC SecurityGate grants read access to the NML Server. You
    must enter the UIC identifier of the NML Server account to allow
    this access to be granted.

    * Enter NML Server account UIC [[376,371]]:

    No further questions will be asked during this installation
    procedure.

    This installation will add the following files:

        SYS$LOADABLE_IMAGES:NSDRIVER.EXE
        SYS$SYSTEM:NSG$ACP.EXE
        SYS$SYSTEM:NSG$EXE.EXE
        SYS$STARTUP:NSG$STARTUP.COM
        SYS$STARTUP:NSG$REAL_STARTUP.COM
        SYS$STARTUP:NSG$CONFIG.COM
        SYS$HELP:NSG$HELP.HLB
        SYS$HELP:NSG$011.RELEASE_NOTES
        SYS$TEST:NSG$IVP.COM

    %VMSINSTAL-I-MOVEFILES, Files will now be moved to their target directories...

    POST INSTALLATION INSTRUCTIONS

    After this installation procedure is complete, you must perform
    several manual operations to start the DEC SecurityGate.

    You must edit your system startup procedure
    (SYS$STARTUP:SYSTARTUP_V5.COM) to invoke the DEC SecurityGate
    startup procedure, SYS$STARTUP:NSG$STARTUP.COM. For proper DEC
    SecurityGate operation, NSG$STARTUP.COM must be executed before
    DECnet has been started.

    This node is now configured to run DEC SecurityGate. You must
    invoke SYS$STARTUP:NSG$CONFIG.COM on any other cluster node which
    will run the DEC SecurityGate product **BEFORE** NSG$STARTUP.COM
    is invoked on that node. Refer to the Installation Guide for more
    details.

    ------------------------------------------------------------------------------
    IMPORTANT: If you are installing on a node which is already running
    DEC SecurityGate, then you MUST reboot the system to begin using
    the new version.
    ------------------------------------------------------------------------------

    Beginning the DEC SecurityGate V1.1 Installation Verification Procedure

    The DEC SecurityGate V1.1 Installation Verification Procedure
    completed successfully

    Installation of NSG V1.1 completed at hh:mm

    VMSINSTAL procedure done at hh:mm