DCE for DIGITAL UNIX Installation and Configuration Guide

July 1998

Software Version: DCE for DIGITAL UNIX Version 3.0
Operating System and Version: DIGITAL UNIX Version 4.0 or higher

Table of Contents

Preface

Chapter 1: Installing DCE for DIGITAL UNIX
    Overview of License Registration
    Installation Prerequisites
    Hardware Requirements
    Software Requirements
    Disk Space Requirements
    Privileges Required
    Performing a System Backup
    Re-Installing DCE Over an Older Version
    Choosing Subsets to Install
    Installation Steps
    Choices to Make as Loading and Installing Ends
    Error Recovery During Installation

Chapter 2: How to Configure a DCE Cell
    Overview of the DCE Cell
    Creating a Cell
    Joining a Cell
    Defining a Cell Name
    Defining a Hostname
    Intercell Naming
    Using the dcestartup Utility
    Configuring LDAP, NSI, and GDA
    Kerberos 5 Security for telnet, rlogin, rsh
    Kerberized Network Tools Installation
    Modifying the Registry
    Uninstalling the Kerberos Tools
    Creating a Private Key Storage Server

Chapter 3: Configuring DCE
    Overview of New Cell Configuration
    Configuring Your System as a DCE Client with Runtime Services
    Split Server Configuration (Adding a Master CDS Server)
    Creating a New Cell and Master Security Server
    Creating a Master CDS Server on Another System
    Completing the Security Server Configuration
    Completing the CDS Master Server Configuration
    Using SIA Local Security Mechanisms
    Turning On DCE SIA
    Turning Off DCE SIA Security
    Migrating Your Cell
    Security Migration
    CDS Migration
    Running the DCE Configuration Verification Program
    Error Recovery During Configuration

Chapter 4: Modifying Cell Configuration
    Overview of Cell Re-Configuration
    Adding a Replica CDS Server
    Adding a Security Replica
    Adding a DTS Local Server
    Adding a DTS Global Server
    Adding a Null Time Provider
    Adding an NTP Time Provider
    Enabling Auditing
    Configuring the Kerberos 5 Utilities
    Configuring the LDAP Name Service
    Adding LDAP Client Service
    Configuring LDAP Support for the Global Directory Assistant
    Adding a Private Key Storage Server
    Registering a Cell in X.500

Preface

The DCE for DIGITAL UNIX Installation and Configuration Guide provides users of the DIGITAL Distributed Computing Environment (DCE) with supplemental information necessary to use DIGITAL DCE Version 3.0 on DIGITAL UNIX systems. This guide is intended to be used with the documents listed under Associated Documents.

DCE for DIGITAL UNIX Version 3.0 is a layered product on the DIGITAL UNIX Version 4.0 operating system. It is a compatible upgrade of Version 2.1.

This guide describes how to install and configure the Digital Equipment Corporation DCE Version 3.0 on DIGITAL UNIX Version 4.0 systems. The installation procedure creates DIGITAL DCE file directories subordinate to the /usr/opt directory and loads DCE software subsets.

DIGITAL DCE Version 3.0 consists of a full DCE implementation as defined by The Open Group (TOG). This software includes these components:

o Remote Procedure Call (RPC)
o Cell Directory Service (CDS)
o Distributed Time Service (DTS)
o DCE Security
o DCE Distributed File Service (DFS, based on DCE Release 1.1)
o Lightweight Directory Access Protocol (LDAP)

Intended Audience

The audience for this guide includes the following:

o Experienced programmers who want to write client/server applications.
o Experienced programmers who want to port existing applications to DCE.
o System managers who manage the distributed computing environment.
o Users who want to run distributed applications.

Document Structure

This guide is organized into the following chapters:

Chapter 1 describes the preinstallation requirements to consider before starting the installation procedure, which begins with the command setld -l.

Chapter 2 provides a high-level overview of the concepts used in configuring DCE.

Chapter 3 explains the configuration procedure, which begins with the command dcesetup.
Chapter 4 presents ways to change DCE after you have installed it and have decided to alter its installation or configuration.

Associated Documents

The following DCE for DIGITAL UNIX technical documentation is provided for online viewing using a Web browser:

o DCE for DIGITAL UNIX Installation and Configuration Guide -- Describes how to install DCE and configure and manage your DCE cell.
o DCE for DIGITAL UNIX Product Guide -- Provides supplemental documentation for DCE for DIGITAL UNIX value-added features.
o DCE for DIGITAL UNIX Reference Guide -- Provides supplemental reference information for DCE for DIGITAL UNIX value-added features.
o DCE for DIGITAL UNIX DFS Configuration Guide -- Describes how to configure the optional DCE Distributed File Service (DFS).

The following OSF DCE Release 1.2.2 technical documentation is provided for online viewing using a Web browser:

o Introduction to OSF DCE -- Contains a high-level overview of DCE technology including its architecture, components, and potential use.
o OSF DCE Administration Guide - Introduction -- Describes the issues and conventions concerning DCE as a whole system and provides guidance for planning and configuring a DCE system.
o OSF DCE Administration Guide - Core Components -- Provides specific instructions on how core components should be installed and configured.
o OSF DCE Application Development Guide - Introduction and Style Guide -- Serves as a starting point for application developers to learn how to develop DCE applications.
o OSF DCE Application Development Guide - Core Components -- Provides information on how to develop DCE applications using core DCE components such as RPC and security.
o OSF DCE Application Development Guide - Directory Services -- Contains information for developers building applications that use DCE Directory Services.
o OSF DCE Application Development Reference -- Provides reference information for DCE application programming interfaces.
o OSF DCE Command Reference -- Describes commands available to system administrators.

For information on how to order printed documentation, refer to the Read Before Installing DCE for DIGITAL UNIX Version 3.0.

Conventions

The following conventions are used in this guide:

UPPERCASE and lowercase -- The operating system differentiates between lowercase and uppercase characters. Literal strings that appear in text, examples, syntax descriptions, and function definitions must be typed exactly as shown.

Bold -- Boldface type in interactive examples indicates typed user input.

Italics -- Italic type indicates variable values, placeholders, and function argument names.

special type -- Indicates system output in interactive and code examples.

% -- The default user prompt is your system name followed by a right angle bracket (>). In this manual, a percent sign (%) is used to represent this prompt.

# -- A number sign (#) represents the superuser prompt.

Ctrl/x -- This symbol indicates that you hold down the Ctrl key while pressing the key or mouse button that follows the slash.

Return -- Refers to the key on your terminal or workstation that is labeled with Return or Enter.

==========================================
Chapter 1: Installing DCE for DIGITAL UNIX
==========================================

Overview of License Registration

DIGITAL DCE includes support for the DIGITAL UNIX License Management Facility (LMF). You must register a License Product Authorization Key (License PAK) in the License Database (LDB) for some of the subsets you want to install. The License PAK is shipped along with the kit if you ordered the license and media together; otherwise, it is shipped separately to a location specified by your license order.
You need a PAK for each of the following subsets:

o DCE Security Server V3.0 (DCESEC300)
o DCE Cell Directory Service Server V3.0 (DCECDS300)
o DCE Application Developer's Kit V3.0 (DCEADK300)

You do not need to register a License PAK for the DCE Runtime Services (DCERTS300).

If you are installing prerequisite or optional software along with this kit, review the PAK status and install the PAKs for any prerequisite or optional software before you install this kit.

To register a license under the DIGITAL UNIX system, follow these steps:

1. Log in as superuser.

2. Edit the empty PAK template. At the prompt, enter:

   # lmf register

3. On the template, enter the license PAK information.

Note: Using lmf register puts you into the vi editor. For complete information on using the DIGITAL UNIX License Management Facility, see the DIGITAL UNIX Guide to Software Licensing or the lmf(8) reference page.

The installation procedure displays a message warning you if you do not install the correct PAK. For example, the following message informs you that you need to register the PAK for the DCE Cell Directory Service Server V3.0 (DCECDS300):

   DCECDS300 includes support for the License Management Facility.
   A Product Authorization Key (PAK) is necessary for the use of this product.

Installation Prerequisites

Follow this sequence for installing DCE and creating a cell with servers and clients:

1. Install the DCE software.
2. Create a cell.
3. Configure a client after you create your cell.

You can stop the installation procedure at any time by interrupting it. Note that files created up to that point are not deleted; you must delete the created files manually.

Hardware Requirements

To perform the installation, you need the following hardware:

o A DIGITAL Alpha machine with a minimum of 96 MB of memory
o A CD-ROM drive for reading the distribution media

You must know how to load the CD-ROM provided with the software distribution kit on the appropriate drive.
See the Compact Disc User's Guide for more information.

Software Requirements

To perform the installation, you need a system with the DIGITAL UNIX Version 4.0 operating system installed. To determine the version number of your operating system, enter the following command:

   # more /etc/motd

Before installing DCE, you must install the following subsets provided with the operating system:

o Document Preparation Tools (OSFDCMT) -- This subset is a prerequisite for using the DCE reference pages (manpages); it includes text-processing tools and several macro packages.
o Software Development Environment (OSFPGMR) -- This subset is a prerequisite if you want to build DCE applications with the Application Developer's Kit subset; it contains include files required by DCE applications.
o Standard Header Files (OSFINCLUDE) -- This subset is a prerequisite if you want to build DCE applications with the Application Developer's Kit subset; it contains header files required by DCE applications.

Disk Space Requirements

The table below lists the disk storage requirements for the subsets installed with the DCE kit.

Disk Space Requirements for DCE Subsets

   Subset Name              Disk Space (in Megabytes)
   DCERTS300                22
   DCECDS300                 2
   DCESEC300                 7
   DCEADK300                 5
   DCEMAN300                 2
   DCEADKMAN300              5
   DCEDFS300                 5
   DCEDFSBIN300              8
   DCEDFSUTL300              2
   DCEDFSMAN300              3
   DCEDFSNFSSRV200           1
   TOTAL (for all subsets)  62

An initial DCE server configuration (consisting of dced, cdsd, cdsadv, two cdsclerks, secd, and dtsd) consumes 50 MB of swap space. A DCE client configuration (consisting of dced, cdsadv, one cdsclerk, and dtsd) consumes 25 MB of swap space. Large cell configurations may require additional swap and disk space.

Privileges Required

You must have superuser (root) privileges on the system on which you are installing DIGITAL DCE.

Performing a System Backup

DIGITAL recommends that you back up your system disk before installing any software. Use the backup procedures established at your site.
For details on backing up a system disk, see your DIGITAL UNIX documentation. To back up DCE databases from an existing configuration, back up the files in /opt/dcelocal.

Re-Installing DCE Over an Older Version

Before reinstalling either the current version or a new version of the DCE for DIGITAL UNIX software, perform the following steps:

1. If you are installing this software on a system that has previously installed DCE software, you must first remove the existing DCE software's subsets from the system. To determine whether any existing subsets have been installed, enter the following command:

   # setld -i | grep DCE

   If a subset is installed, you see a display similar to the following:

   DCECDS300    installed    DCE CDS Server V3.0

   If the subset has not been installed, the word installed does not appear in the middle column.

2. Delete any existing DCE subsets as follows:

   # setld -d subset-id [subset-id...]

   where subset-id is the subset name and version number. For example, to delete the Runtime Services subset, enter this command, where xxx is the subset version number:

   # setld -d DCERTSxxx

3. Re-execute the setld command to reinstall the DCE kit, where kit_location is the directory containing the DCE subsets:

   # setld -l kit_location

4. If you do not want to delete your current DCE configuration, answer n when the installation procedure displays the following prompt:

   Directory /opt/dcelocal exists. It may contain the DCE databases.
   Do you want to delete the old DCE databases? (y/n/?) [n]:

Choosing Subsets to Install

DIGITAL DCE includes the following installation subsets:

o DCE DFS Base OFS Services V3.0 (DCEDFS300) -- The DCEDFS (runtime) subset has to be installed to use the DCE Distributed File Service.
o DCE DFS Kernel Binaries V3.0 (DCEDFSBIN300) -- The DCEDFSBIN subset must be installed to use DCE/DFS.
o DCE DFS NFS-DFS Secure Gateway Server V3.0 (DCEDFSNFSSRV300) -- The DCEDFSNFSSRV subset must be installed to use the NFS-DFS Secure Gateway Server.
o DCE DFS Utilities and Debugging Tools V3.0 (DCEDFSUTIL300) -- This subset is optional. These are primarily diagnostic programs and are not part of normal use. They do not need to be installed to use DCE/DFS, although they can make it easier to diagnose problems or run DCE/DFS tests.
o DCE Runtime Services V3.0 (DCERTS300) -- This subset consists of the base services required for the runtime execution of DCE applications. These services include the RPC runtime and the DTS clerk and server. The CDS clerk, the security client, the PC Nameserver Proxy Agent (nsid), the XDS runtime, and various administrative utilities are also included in this subset. You must install this subset on all systems on which you want to run DCE applications.
o DCE Security Server V3.0 (DCESEC300) -- This subset provides secure communications and controlled access to resources in a distributed environment. It includes the registry/KDC/Privilege server (secd) and security administration tools (sec_admin).
o DCE CDS Server V3.0 (DCECDS300) -- This subset provides a directory service for naming and locating users, applications, files, and systems within a DCE cell. This subset includes the CDS server and the Global Directory Agent (GDA).
o DCE Application Developer's Kit V3.0 (DCEADK300) -- This subset includes the RPC IDL compiler, the XDS interface to CDS, and other tools required for developing DCE applications.
o DCE Command Manual Pages V3.0 (DCEMAN300) (optional) -- This subset consists of online reference pages (manpages) for managing DCE.
o DCE Application Developer's Kit Manual Pages V3.0 (DCEADKMAN300) (optional) -- This subset consists of online application development reference pages (manpages) for programming reference information.

See the DCE for DIGITAL UNIX Product Guide for more information about the subsets included in this kit.

Installation Steps

Before performing the following instructions, obtain a copy of the DCE software, install the correct Licensed Product Authorization Keys (PAKs), and place the software kit on the system to be configured.

Note: Databases can be saved and reused from V2.0 to V3.0. The installation procedure asks whether you want to delete them or not. To make sure databases are saved, do not use clean or clobber when performing the installation. Also, databases in V1.3 format can be converted to V2.0 format.

If you want to stop the installation at any point, interrupt it; however, you must then delete any subsets that have been created up to that point, using the setld -d command shown in step 3 below.

To install the software, perform the following steps:

1. Log in as superuser (login name root) to the system on which you are installing the DIGITAL DCE software.

   Note: Users can customize the command line prompt.

2. If you are installing this software on a system which contains previously installed DCE software, you must first remove the existing DCE software's subsets from the system. To determine whether any existing subsets have been installed, enter the following command:

   # setld -i | grep DCE | grep installed

   If a subset is installed, you see a display similar to the following:

   DCECDS300    installed    DCE CDS Server V3.0

   If the subset is not installed, the word installed does not appear in the middle column.

3. To remove the existing DCE subsets, use the following syntax:

   # setld -d subset-id [subset-id...]

   where subset-id is the subset name and version number.
   For example, to delete the Runtime Services subset, enter this command, where xxx is the subset version number:

   # setld -d DCERTSxxx

4. After deleting any previous versions of DCE software, load the subsets in the DCE software either by changing directories to where the software is placed and then entering the setld command, or by entering the setld command followed by the location where the software is placed. In the following examples the kit location is /share/project/dce/build/decdce3.0/DCE300_kit:

   # cd /share/project/dce/build/decdce3.0/DCE300_kit
   # setld -l

   OR

   # setld -l /share/project/dce/build/decdce3.0/DCE300_kit

   After several seconds, the installation procedure displays the names of the optional subsets and prompts you to specify the subsets that you want to install.

   The subsets listed below are optional:

   There may be more optional subsets than can be presented on a single
   screen. If this is the case, you can choose subsets screen by screen
   or all at once on the last screen. All of the choices you make will
   be collected for your confirmation before any subsets are installed.

     1) DCE Application Developers Kit V3.0
     2) DCE Application Developers Manual Pages V3.0
     3) DCE Cell Directory Server V3.0
     4) DCE Command Reference Manual Pages V3.0
     5) DCE DFS Base V3.0
     6) DCE DFS Kernel Binaries V3.0
     7) DCE DFS Man Pages V3.0
     8) DCE DFS NFS-DFS Secure Gateway Server V3.0
     9) DCE DFS Utilities/Debug V3.0
    10) DCE Runtime Services V3.0
    11) DCE Security Server V3.0

   Or you may choose one of the following options:

    12) ALL of the above
    13) CANCEL selections and redisplay menus
    14) EXIT without installing any subsets

   Enter your choices or press RETURN to redisplay menus.

   Choices (for example, 1 2 4-6): 12

5. Load the subsets that you want to install.

   Note: For a minimum cell configuration, choose options 3, 10, and 11. If you specify more than one at the prompt, separate each number with a space, not a comma.

   Next, the installation procedure lets you verify your choice.
   For example, if you enter 12 in response to the previous prompt, you see the following display:

   You are installing the following optional subsets:

      DCE Application Developers Kit V3.0
      DCE Application Developers Manual Pages V3.0
      DCE Cell Directory Server V3.0
      DCE Command Reference Manual Pages V3.0
      DCE DFS Base V3.0
      DCE DFS Kernel Binaries V3.0
      DCE DFS Man Pages V3.0
      DCE DFS NFS-DFS Secure Gateway Server V3.0
      DCE DFS Utilities/Debug V3.0
      DCE Runtime Services V3.0
      DCE Security Server V3.0

   Is this correct? (y/n): y

   If the subsets displayed are those you want to install, enter y. The installation procedure then checks the system space.

   Checking file system space required to install selected subsets:

   File system space checked OK.

   11 subset(s) will be installed.

   The installation procedure displays the subsets being installed.

   Loading 1 of 11 subset(s)....
   DCE Runtime Services V3.0
      Copying from (disk)
      Working... Fri Mar 13 07:19:26 EST 1998
      Verifying

   Loading 2 of 11 subset(s)....
   DCE Security Server V3.0
      Copying from (disk)
      Verifying

   Loading 3 of 11 subset(s)....
   DCE Cell Directory Server V3.0
      Copying from (disk)
      Verifying

   Loading 4 of 11 subset(s)....
   DCE Application Developers Kit V3.0
      Copying from (disk)
      Working.... Fri Feb 13 07:19:26 EST 1998
      Verifying

   Loading 5 of 11 subset(s)....
   DCE Command Reference Manual Pages V3.0
      Copying from (disk)
      Verifying

   Loading 6 of 11 subset(s)....
   DCE Application Developers Manual Pages V3.0
      Copying from (disk)
      Working.... Fri Mar 13 07:19:26 EST 1998
      Verifying

   Loading 7 of 11 subset(s)....
   DCE DFS Base V3.0
      Copying from (disk)
      Verifying

   Loading 8 of 11 subset(s)....
   DCE DFS Kernel Binaries V3.0
      Copying from (disk)
      Verifying

   Loading 9 of 11 subset(s)....
   DCE DFS Utilities/Debug V3.0
      Copying from (disk)
      Verifying

   Loading 10 of 11 subset(s)....
   DCE DFS Man Pages V3.0
      Copying from (disk)
      Verifying

   Loading 11 of 11 subset(s)....
   DCE DFS NFS-DFS Secure Gateway Server V3.0
      Copying from (disk)
      Verifying

   11 of 11 subset(s) installed successfully.

   Configuring "DCE Runtime Services V3.0" (DCERTS300)

   Copyright (c) Digital Equipment Corporation, 1993, 1994, 1995, 1996
   All Rights Reserved.
   Unpublished rights reserved under the copyright laws of the United States.
   Possession, use, or copying of the software and media is authorized only
   pursuant to a valid written license from Digital Equipment Corporation.

   RESTRICTED RIGHTS LEGEND
   Use, duplication, or disclosure by the U.S. Government is subject to
   restrictions as set forth in Subparagraph (c)(1)(ii) of DFARS 252.227-7013,
   or in FAR 52.227-19, as applicable.

Choices to Make as Loading and Installing Ends

At the end of the installation procedure, the screen displays the following message and asks, if you have existing DCE databases from a previous configuration, whether you want to delete them:

   =============================================================
   Beginning configuration of DCE Version 3.0.
   You will be asked a few questions before configuration can proceed.
   Online help is available where the prompt contains a "?" choice.
   =============================================================

If DCE was installed previously, the following message displays:

   Directory /opt/dcelocal exists. It may contain the DCE databases.
   Do you want to delete the old DCE databases? (y/n/?) [n]: y

You might have existing DCE local databases. These databases can contain information from your previous DCE configuration. This information includes your cell name, the cell namespace database, security credentials, and the DCE services you used in the previous configuration.

If you type n (the default), you preserve the old DCE configuration. If you type y, you delete the old configuration and the following message and prompt display:

   The existing DCE databases will be removed upon the successful
   completion of installation of DCERTS300.
Also, if you type y, the configuration procedure automatically creates local copies of files in the DCE permanent file system and other files and directories required to run the DCE services. The installation procedure prompts you to choose a directory under which these local files are to be located:

   IMPORTANT: For SECURITY reasons, you may want to make sure that the
   location you will type now is native to this host; i.e., is not NFS
   mounted!

   Please enter the location for new DCE local databases, or press Return
   for the default location [/var]:

You can specify the default or enter another directory name; the directory is created if it does not already exist. The entire directory tree initially requires about 100 KB of disk space; it requires more space as you use the DCE services.

The installation procedure now completes installation of the subsets. There will be no more questions asked for the remainder of the configuration. The installation process takes about 15 minutes. When the installation is completed, the screen displays this message:

   ===================================================================
   Installation of all the requested DCE subsets is completed.

   You have installed the DCE software which requires further action
   to configure and start it. To do so please invoke "/usr/sbin/dcesetup"
   and select option 1 (Configure DCE services) from the main menu.
   ===================================================================

To verify that the subsets you selected have been installed, enter the following command:

   # setld -i | grep DCE | grep installed

Error Recovery During Installation

If errors occur during the installation, the system displays failure messages. Errors can occur during the installation if any of the following conditions exist:

o The prerequisite software version is incorrect.
o The system parameter values (such as disk space) for this system are insufficient for successful installation.
o A previous DCE version is installed on the system.
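The last two conditions in that list, insufficient disk space and a previous DCE version still present, are the ones the pre-installation checks in this chapter exist to catch. The following shell script is an added example, not part of this guide or the DCE kit; it parses the setld -i output format shown earlier, lists the DCE subsets reported as installed, flags those that need a License PAK, totals their disk space from the table in this chapter, and prints the setld -d line to run before reinstalling. The setld -i output embedded in it is constructed for offline use; on a real system you would pipe the command's actual output into the functions instead.

```shell
#!/bin/sh
# Added example, not part of the DCE guide: inspect `setld -i` output for
# DCE subsets already on a system (the guide's pre-reinstallation check)
# and report what the guide's PAK list and disk-space table say about them.
# SAMPLE_SETLD_OUTPUT is constructed for offline use; on a real system the
# functions below would read the output of `setld -i` on stdin instead.

SAMPLE_SETLD_OUTPUT='DCEADK300          installed  DCE Application Developers Kit V3.0
DCECDS300          installed  DCE Cell Directory Server V3.0
DCEDFS300                     DCE DFS Base V3.0
DCERTS300          installed  DCE Runtime Services V3.0
DCESEC300          installed  DCE Security Server V3.0
OSFBASE400         installed  Base System'

# Subset ids whose name starts with DCE and whose middle column reads
# "installed" (the guide's test for an installed subset), one per line.
dce_installed() {
    awk '$1 ~ /^DCE/ && $2 == "installed" { print $1 }'
}

# Of the subset ids on stdin, those the guide says require a License PAK.
needs_pak() {
    awk '$1 == "DCESEC300" || $1 == "DCECDS300" || $1 == "DCEADK300" { print $1 }'
}

# Total disk space in MB for the subset ids on stdin, taken from the
# guide's "Disk Space Requirements for DCE Subsets" table.
disk_mb() {
    awk 'BEGIN {
             mb["DCERTS300"] = 22;   mb["DCECDS300"] = 2;    mb["DCESEC300"] = 7
             mb["DCEADK300"] = 5;    mb["DCEMAN300"] = 2;    mb["DCEADKMAN300"] = 5
             mb["DCEDFS300"] = 5;    mb["DCEDFSBIN300"] = 8; mb["DCEDFSUTL300"] = 2
             mb["DCEDFSMAN300"] = 3; mb["DCEDFSNFSSRV200"] = 1
             total = 0
         }
         ($1 in mb) { total += mb[$1] }
         END { print total }'
}

# The setld -d command the guide says to run before reinstalling, built
# from the subsets found in SAMPLE_SETLD_OUTPUT.
removal_command() {
    ids=$(printf '%s\n' "$SAMPLE_SETLD_OUTPUT" | dce_installed | tr '\n' ' ')
    printf 'setld -d %s\n' "${ids% }"
}

# Human-readable summary of everything above.
report() {
    installed=$(printf '%s\n' "$SAMPLE_SETLD_OUTPUT" | dce_installed)
    echo "Installed DCE subsets:"
    echo "$installed" | sed 's/^/  /'
    echo "Subsets that need a License PAK:"
    echo "$installed" | needs_pak | sed 's/^/  /'
    echo "Disk space per the guide's table: $(echo "$installed" | disk_mb) MB"
    echo "Remove before reinstalling with:"
    echo "  $(removal_command)"
}

report
```

The only test the guide itself applies is the presence of the word installed in the middle column, so the script keys on that field rather than on the description text, which differs between the two displays shown in this chapter.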
If the installation fails because of insufficient disk space, the setld procedure displays an error message similar to the following:

   There is not enough file system space for subset DCERTS300
   DCERTS300 will not be loaded.

If the usr file system is read-only during installation, the procedure displays the following error message:

   Warning: The usr filesystem is not writable. Therefore links from it
   to the permanent filesystem will not be made.

When the DIGITAL UNIX system displays this message, the installation of the shared DCE library fails. In this case, the DCE services cannot be configured or started because they rely on the shared DCE library. You should reinstall with a writable usr file system.

If you encounter errors from the setld utility during the installation, see the Diagnostics section of the setld(8) reference page for an explanation of the error and the appropriate action to take.

If an error occurs while you are using DIGITAL DCE, and you believe the error is caused by a problem with the product, take the appropriate action as follows:

o If you have a basic or DECsupport Software Agreement, call your Customer Support Center (CSC). The CSC provides telephone support for high-level advisory and remedial assistance.
o If you have a Self-Maintenance Software Agreement, you can submit a Software Performance Report (SPR).
o If you purchased DIGITAL DCE within the last 90 days and you think the problem is caused by a software error, you can submit an SPR.

======================================
Chapter 2: How to Configure a DCE Cell
======================================

Overview of the DCE Cell

A cell is the basic DCE unit. It is a group of networked systems and resources that share common DCE services. Usually, the systems in a cell are in the same geographic area, but cell boundaries are not limited by geography. A cell can contain from one to several thousand systems.
The boundaries of a cell are typically determined by its purpose, as well as by security, administrative, and performance considerations. A DCE cell is a group of systems that share a namespace under a common administration.

The configuration procedure allows you to configure your system as a DCE client, create a new DCE cell, add a master Cell Directory Service (CDS) server, add a replica CDS server, and add a Distributed Time Service (DTS) local server. When you create a new cell, you automatically configure a Security server.

You do not need to create a DCE cell if you are using only the DCE Remote Procedure Call (RPC) and if your applications use only explicit RPC string bindings to provide the binding information that connects servers to clients.

If there are other systems in your network already using DCE services, there may be an existing cell that your system can join. If you are not sure, consult with your network administrator to find out which DCE services may already be in use in your network.

At a minimum, a cell configuration includes the DCE Cell Directory Service, the DCE Security Service, and the DCE Distributed Time Service. One system in the cell must provide a DCE Directory Service server to store the cell namespace database. You can choose to install both the Cell Directory server and the Security server on the system from which you invoked the procedure, or you can split the two servers and put them on different systems.

Note: You must run the installation and configuration procedures on the system where you are creating a cell before you install and configure DCE on the systems that are joining that cell.

Creating a Cell

All DCE systems participate in a cell. If you are installing DCE and there is no cell to join, the first system on which you install the software is also the system on which you create the cell. Remember that this system is also the DCE Security server. You can also make this system your Cell Directory server.
When you create a cell, you must name it. The cell name must be unique across your global network. The name is used by all cell members to indicate the cell in which they participate. The configuration procedure provides a default name that is unique and easy to remember. If you choose a name other than the default, the name must be unique. If you want to ensure that separate cells can communicate, the cell name must follow BIND or X.500 naming conventions.

Joining a Cell

Once the first DCE system is installed and configured and a cell is created, you can install and configure the systems that join that cell. During configuration, you need the name of the cell you are joining. Ask your network administrator for the cell name.

Defining a Cell Name

You need to define a name for your DCE cell that is unique in your global network and is the same on all systems that participate in this cell.

The DCE naming environment supports two kinds of names: global names and local names. All entries in the DCE Directory Service have a global name that is universally meaningful and usable from anywhere in the DCE naming environment. All Directory Service entries also have a cell-relative name that is meaningful and usable only from within the cell in which that entry exists.

If you plan to connect this cell to other DCE cells in your network, either now or in the future, it is important that you choose an appropriate name for this cell. You cannot change the name of the cell once the cell has been created. If you are not sure how to choose an appropriate name for your DCE cell, consult the section on global names in the OSF DCE Administration Guide - Introduction.

Before you can register the cell in X.500, you must ensure that the DIGITAL X.500 Base kit and the DEC X.500 API kit are installed on your CDS server. It is also recommended that the X.500 administration subset (DXDADXIM) be installed.
Optionally, you can install the DEC X.500 Administration Facility kit for debugging and general administrative support.

DIGITAL recommends that you use the following convention to create DCE cell names: the Internet name of your host system, followed by the suffix _cell, followed by the Internet address of your organization. For example, if the Internet name of your system is myhost, and the Internet address of your organization is smallco.bigcompany.com, your cell name, in DCE name syntax, would be myhost_cell.smallco.bigcompany.com.

This convention has the following benefits:

o The Internet name of your host is unique in your network, so if this convention is followed by all DCE users in your network, your cell name will also be unique.
o It clearly identifies the system on which the writable copy of the root directory of the cell namespace is located.
o It does not prohibit intercell communication with outside organizations.
o It is easy to remember.

If there is already a cell name defined in a previously existing DCE system configuration, do not change it unless you are removing this system from the cell in which it is currently a member and you are joining a different cell.

When the configuration procedure prompts you for the name of your DCE cell, type the cell name without the /.../ prefix; the prefix is added automatically. For example, if the full global name selected for the cell, in DCE name syntax, is /.../myhost_cell.smallco.bigcompany.com, enter myhost_cell.smallco.bigcompany.com.

Defining a Hostname

You need to define a name for your system that is unique within your DCE cell. You should use the default hostname, which is the Internet hostname (the name specified before the first dot (.)). The following example shows the default hostname derived from the Internet name myhost.mycompany.com.

   Please enter your DCE host name [myhost]:

Intercell Naming

This section provides tips on defining a cell name in the Domain Name System (DNS).
Names in DNS are associated with one or more data structures called resource records. The resource records define cells and are stored in a data file, /etc/namedb/hosts.db. The data file is used by the BIND name daemon (named). To create a cell entry, you must edit the data file and create two resource records for each CDS server that maintains a replica of the cell namespace root.

The following example shows a cell called ruby.axpnio.dec.com. The cell belongs to the BIND domain axpnio.dec.com. Host alo010.axpnio.dec.com is the master CDS server for the ruby.axpnio.dec.com cell. The BIND server must be authoritative for the domains of the cell name. The BIND master server requires the following entries in its /etc/namedb/hosts.db file:

    alo010.axpnio.dec.com.  IN A   25.0.0.149
    ruby.axpnio.dec.com.    IN MX  1 alo010.axpnio.dec.com.
    ruby.axpnio.dec.com.    IN TXT "1 c8f5f807-487c-11cc-b499- \
                            08002b32b0ee Master
                            /.../ruby.axpnio.dec.com/alo010_ch
                            c84946a6-487c-11cc-b499-08002b32b0ee alo010.axpnio.dec.com"

Note: TXT records must span only one line. The third entry above incorrectly occupies four lines, only so that the information included in the TXT record can be shown here. Do whatever is required with your text editor of choice to keep the record on a single line; widening your window helps. You should also ensure that the quotes are placed correctly and that the hostname is at the end of the record.

The information to the right of the TXT column in the Hesiod text entry (that is, 1 c8f5f807-48...) comes directly from the cdscp show cell /.: as dns command. For example, to obtain the information that goes in the ruby.axpnio.dec.com text record (TXT), go to a host in the ruby cell and enter the cdscp show cell /.: as dns command. Then, when the system displays the requested information, cut and paste it into the record. This method ensures that you do not have any typing errors.
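The following script, added here and not part of the DCE guide or of the BIND or cdscp tools, builds the A, MX and TXT records for a cell from the cdscp show cell /.: as dns output and checks a pasted TXT line the way the note above asks (one line, quotes in place, hostname last). It assumes the six-field layout of the example above and uses that example's values as its input.

```python
import re

# Added example; not part of the DCE guide or of BIND/cdscp. It assumes the TXT
# body is the six whitespace-separated fields that `cdscp show cell /.: as dns`
# prints, in the order the guide's example shows: record version, cell UUID,
# replica type, clearinghouse name, clearinghouse UUID, CDS server hostname.

UUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)
OCTET = r"(?:25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])"
IPV4_RE = re.compile(rf"^(?:{OCTET}\.){{3}}{OCTET}$")


def parse_txt_body(body: str, cell: str) -> dict:
    """Split a cdscp DNS line into named fields and check each one.

    Raises ValueError naming the first problem, so a record that was typed
    rather than pasted is rejected before it reaches hosts.db.
    """
    if "\n" in body or "\r" in body:
        raise ValueError("TXT record body must be a single line")
    fields = body.split()
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, found {len(fields)}")
    version, cell_uuid, replica, ch_name, ch_uuid, host = fields
    if version != "1":
        raise ValueError(f"unexpected record version {version!r}")
    for label, uuid in (("cell", cell_uuid), ("clearinghouse", ch_uuid)):
        if not UUID_RE.match(uuid):
            raise ValueError(f"{label} UUID {uuid!r} is malformed")
    if not ch_name.startswith(f"/.../{cell}/"):
        raise ValueError(f"clearinghouse {ch_name!r} is not in cell {cell!r}")
    if "." not in host:
        raise ValueError(f"server name {host!r} must be fully qualified")
    return {"version": version, "cell_uuid": cell_uuid, "replica": replica,
            "clearinghouse": ch_name, "clearinghouse_uuid": ch_uuid, "host": host}


def txt_problem(body: str, cell: str) -> str:
    """Return '' if the body is acceptable, otherwise the reason it is not."""
    try:
        parse_txt_body(body, cell)
    except ValueError as exc:
        return str(exc)
    return ""


def build_cell_records(cell: str, servers: dict, txt_bodies: list) -> list:
    """Return hosts.db lines for a cell: an A record for each CDS server and,
    as the guide requires, an MX and a TXT record per root replica.

    `servers` maps each CDS server FQDN to its IPv4 address. Every hostname
    named in a TXT body must be present, so the record ends with a host the
    name server can answer for.
    """
    parsed = [parse_txt_body(body, cell) for body in txt_bodies]
    lines, done = [], []
    for rec in parsed:
        host = rec["host"]
        if host not in servers:
            raise ValueError(f"no address given for CDS server {host!r}")
        if not IPV4_RE.match(servers[host]):
            raise ValueError(f"bad IPv4 address for {host!r}: {servers[host]!r}")
        if host not in done:
            done.append(host)
            lines.append(f"{host}. IN A {servers[host]}")
    for rec, body in zip(parsed, txt_bodies):
        lines.append(f"{cell}. IN MX 1 {rec['host']}.")
        lines.append(f'{cell}. IN TXT "{body}"')
    return lines


def check_txt_line(line: str, cell: str) -> dict:
    """Validate one hosts.db TXT line the way the guide's note asks: one line,
    the body inside a single pair of quotes, nothing after the closing quote,
    and the hostname as the last field."""
    m = re.match(rf'^{re.escape(cell)}\.\s+IN\s+TXT\s+"([^"]*)"\s*$', line)
    if m is None:
        raise ValueError(f"line is not of the form '{cell}. IN TXT \"...\"'")
    return parse_txt_body(m.group(1), cell)


# The cell from the guide's example, as one line (the guide wraps it for display).
RUBY_CELL = "ruby.axpnio.dec.com"
RUBY_SERVERS = {"alo010.axpnio.dec.com": "25.0.0.149"}
RUBY_TXT = ("1 c8f5f807-487c-11cc-b499-08002b32b0ee Master "
            "/.../ruby.axpnio.dec.com/alo010_ch "
            "c84946a6-487c-11cc-b499-08002b32b0ee alo010.axpnio.dec.com")

if __name__ == "__main__":
    for record in build_cell_records(RUBY_CELL, RUBY_SERVERS, [RUBY_TXT]):
        print(record)
    # A record that an editor wrapped is caught before named loads it.
    print(txt_problem(RUBY_TXT.replace(" Master ", " \\\nMaster "), RUBY_CELL))
```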
To ensure that the records you have entered are valid, issue a kill -1 command, which causes the named daemon to read in the new hosts.db file. Next, execute the following nslookup command to obtain the host address:

    alo001.axpnio.dec.com> nslookup
    Default Server:  localhost
    Address:  127.0.0.1

Using the dcestartup Utility

The dcestartup command begins the configuration program. The default responses to prompts in the configuration procedure are based on your existing configuration, if you have one. Otherwise, defaults appropriate for the most common DCE system configurations are provided. At each prompt, press to take the default displayed in brackets, type a question mark (?) for help, or supply the requested information.

After you install the DCE software, it displays the following message, prompting you to begin the configuration procedure:

    You have installed the DCE software which requires further action to
    configure and start it. To do so please invoke "/usr/sbin/dcesetup"
    and select option 1 (Configure DCE services) from the main menu.

You must be logged in as root to configure your DCE system. When you invoke dcesetup, the DCE Setup Main Menu is displayed.

    # /usr/sbin/dcesetup

    *** DCE Setup Main Menu ***  Version V3.0 (Rev. 635)

    1) Configure   Configure DCE services on this system
    2) Show        Show DCE configuration and active daemons
    3) Stop        Terminate all active DCE daemons
    4) Start       Start all DCE daemons
    5) Restart     Terminate and restart all DCE daemons
    6) Clean       Terminate all active DCE daemons and remove all temporary
                   local DCE databases
    7) Clobber     Terminate all active DCE daemons and remove all permanent
                   local DCE databases
    8) CVP         Run Configuration Verification Program
    9) Version     Show DCE Version number
    X) Exit

    Please enter your selection:

Note: If you will be creating a new cell or adding a CDS server, choose option 3 (Terminate all active DCE daemons) to stop the DCE daemons in a controlled manner.
Be sure to back up your security and CDS databases before proceeding if this has not already been done.

Choose option 1 (Configure DCE services on this system) to view the Configuration Choice Menu.

    *** Configuration Choice Menu ***

    1) Configure this system as a DCE Client
    2) Create a new DCE cell
    3) Add Master CDS Server
    4) Configure DCE Distributed File Service (DFS)
    5) Modify DCE cell configuration
    6) Configure this system for RPC only
    R) Return to previous menu

    Please enter your selection (or '?' for help): 1

For information on how to configure a DCE cell or add a client, see Chapter 3, Configuring the DCE Environment. For information on modifying an existing configuration, see Chapter 4, Modifying Cell Configuration.

Configuring LDAP, NSI, and GDA

The Lightweight Directory Access Protocol (LDAP) provides access to the X.500 directory service without the overhead of the full Directory Access Protocol (DAP). The simplicity of LDAP, along with the powerful capabilities it inherits from DAP, makes it the de facto standard for directory services on the Internet and on TCP/IP networks.

Inside a cell, a directory service is accessed mostly through the name service interface (NSI), implemented as part of the runtime library. Cross-cell directory service is controlled by a global directory agent (GDA), which looks up foreign cell information on behalf of the application in either the Domain Name System (DNS) or an X.500 database. Once that information is obtained, the application contacts the foreign CDS in the same way as the local CDS.

Once LDAP is configured, applications can request directory services from CDS, from LDAP, or from both. LDAP is provided as an optional directory service that is independent of CDS and duplicates CDS functionality. LDAP is for customers looking for an alternative to CDS that offers TCP/IP and Internet support.
With LDAP directory service available, GDA can look up foreign cell information by communicating through LDAP to either an LDAP-aware X.500 directory service or a standalone LDAP directory service, in addition to DNS and DAP.

Note that DCE for DIGITAL UNIX does not automatically install LDAP. Prior to installing DCE, a DCE administrator must obtain LDAP software and install it as an LDAP server in the environment. Next, a DCE administrator must choose LDAP during the DCE installation and configuration procedure and intentionally configure LDAP directory service for a cell.

Kerberos 5 Security for telnet, rlogin, rsh

The DCE authentication service is based on Kerberos 5. The Kerberos Key Distribution Center (KDC) is part of the DCE security server, secd. The authorization information created by the DCE for DIGITAL UNIX privilege server is passed in the Kerberos 5 ticket's authorization field.

Kerberized Network Tools

Communication with remote machines across a network creates risks. A major risk is to the security of passwords. Transmitting a user's password in clear text can compromise an account, because it allows unauthorized individuals to intercept the packets on the network. The Kerberized network tools rsh, telnet, and rlogin are set up to prevent the risk of interception.

Security is achieved through a standard client-server authentication protocol implemented in the telnet and telnetd processes. This protocol is extensively outlined in RFC 1510, with its application to the telnet protocol outlined in RFC 1416. In the following discussion the "client" refers to the telnet executable and the "server" refers to telnetd.

The authentication process proceeds as follows. A user sends a request to the authentication server (AS) requesting "credentials" via the dce_login process. The AS provides these credentials in the form of a login context. The user issues a kinit -f command to mark the "tickets" within the context as forwardable.
During the telnet session, the client and server "negotiate" the authentication mode. When the mode is successfully negotiated, the server requests and the client sends the user's authentication packet. Once the server successfully authenticates the packet issued by the client, the user is granted appropriate rights on the remote machine. At this point the client and server can negotiate an encryption policy so that the network traffic is encrypted with a mutually understood encryption algorithm.

The steps for using the Kerberized tools are:

1. Do a dce_login. (To use the tools, a user must have a DCE account.)

2. Execute kinit -f to mark tickets as forwardable.

3. For telnet, a user must set autologin. This can be done in an initialization file, .telnetrc, with 'set autologin'.

Installation

The loading process places the executables in the /opt/dcelocal/bin directory. When the installation of the tools is confirmed, the setup process modifies the /etc/services file to indicate to the inetd daemon that the Kerberized telnetd and rlogind daemons are located in the /opt/dcelocal/bin directory. Original non-Kerberized executables are not removed from the system. The administrator is responsible for moving or storing them. The administrator is also responsible for placing executables in a location appropriate for users to access. The installation procedure does not automatically move the Kerberized client executables from the /etc/dcelocal/bin directory to a directory that users access.

The installation procedure modifies the /etc/inetd.conf file so that the telnetd, rlogind, and rshd processes use the Kerberos-enabled daemons. The rlogin, rsh, and telnet client executables are not installed, however; their installation is the responsibility of the system administrator. After the installation of the software is complete, the inetd daemon must be restarted for the changes to the configuration file (/etc/inetd.conf) to take effect.
To find out more about the kcfg program, execute two commands. To display individual command switches and their arguments:

    kcfg -?

If that does not work with your shell, try the alternative entry 'kcfg -\?'. The backslash tells the shell to pass a question mark to the executable instead of expanding the '?' character as a pattern.

To display a short description of the command and what it does:

    kcfg -h

This provides information on configuration file management, principal registration, and service configuration.

Note: The dcesetup configuration script sets all tickets as forwardable, the default value. If tickets are not set as forwardable, the Kerberos Key Distribution Center (KDC) server does not provide authentication and authorization information to the telnet process. The command kinit -f marks tickets as forwardable.

Modifying the Registry

All machines within a cell that use the Kerberos-enabled rtools need to check, and possibly modify, the registry and the krb5 configuration with the kcfg executable.

To make sure that Kerberos version 4 interoperates with Kerberos version 5, an administrator can execute 'kcfg -k' to change the /krb5/krb.conf entries into two separate files, /krb5/krb.conf and /krb5/krb.realms. This command needs to be executed on each machine in the cell.

The registry must contain a principal entry that describes the host machine of the KDC server. This principal entry is of the form host/. The principal and the associated keytable entry can be created with 'kcfg -p'. This verifies that the host entry exists; if not, it creates the host entry.

Note: A potential problem that can defeat the installation and operation of the rtools lies in the different ways 'hostname' is determined. The kcfg command uses the function gethostname() to create the host principal entry in the registry. The gethostname() function acquires the hostname as it is configured with the hostname command at startup.
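To catch this mismatch before 'kcfg -p' registers a principal under the wrong name, the following script (added here; not part of the DCE guide or of kcfg) compares the name gethostname() reports with the canonical name the resolver returns for it, which is what telnet obtains through gethostbyname(). It assumes the host/ principal form described above; the comparison itself is a pure function, so it can be checked offline against the guide's mycomputer example.

```python
import socket

# Added diagnostic; not part of the DCE guide or of kcfg. It mirrors the two
# lookups the guide describes: kcfg builds the host principal from the name
# gethostname() returns (the name set with the hostname command at startup),
# while telnet resolves that name with gethostbyname() and uses the canonical
# name found in /etc/hosts or the BIND database.


def host_principal(name: str) -> str:
    """Form the registry principal name for a host, host/<name>, as the guide shows."""
    return f"host/{name}"


def compare_host_principals(configured: str, canonical: str) -> dict:
    """Compare the principal kcfg would create with the one telnet would look for.

    `configured` is the gethostname() result; `canonical` is the name the
    resolver returns for it. Pure function, so it can be checked without a
    network: on the guide's example, 'mycomputer' versus 'mycomputer.here.com',
    it reports a mismatch.
    """
    kcfg_name = host_principal(configured)
    telnet_name = host_principal(canonical)
    return {
        "kcfg_principal": kcfg_name,
        "telnet_principal": telnet_name,
        "agree": kcfg_name == telnet_name,
    }


def check_this_host() -> dict:
    """Run the comparison for the machine this executes on.

    A name that /etc/hosts and BIND cannot resolve at all is reported as its
    own failure mode, since telnet would not find any host principal then.
    """
    configured = socket.gethostname()
    try:
        canonical, _aliases, _addresses = socket.gethostbyname_ex(configured)
    except OSError as exc:  # socket.gaierror and socket.herror both derive from OSError
        return {
            "kcfg_principal": host_principal(configured),
            "telnet_principal": None,
            "agree": False,
            "error": f"{configured!r} does not resolve: {exc}",
        }
    return compare_host_principals(configured, canonical)


if __name__ == "__main__":
    result = check_this_host()
    for key, value in result.items():
        print(f"{key}: {value}")
    if not result["agree"]:
        print("Make the startup hostname and the resolver's canonical name agree "
              "before running kcfg -p, or telnet will look for a principal that "
              "was never registered.")
```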
The telnet process gets 'hostname' using the gethostbyname() function, which gets the hostname from either the /etc/hosts file or the DNS/BIND database. Difficulties arise, for example, if the hostname is configured at startup as 'mycomputer' but is registered in /etc/hosts and the BIND database as 'mycomputer.here.com'. When the telnet process looks for the host server, it looks for 'host/mycomputer.here.com'; when the kcfg process configures the host entry in the registry, it configures 'host/mycomputer'.

Uninstalling the Kerberos Tools

To reverse the installation of the Kerberized tools, go to the Modify Configuration Menu and choose Option 9, Disable Kerberos. Then go to the configuration file /etc/inetd.conf and, if necessary, remove all references to the tools.

Creating a Private Key Storage Server

DCE for DIGITAL UNIX adds the public key security technology provided in OSF DCE Release 1.2.2. It refers to a security model that works by requiring a public and private key pair to lock or unlock information. Private keys are too long to memorize, hence the requirement for secure storage. A private key storage server (PKSS) can be enabled during installation to store users' software-generated private keys.

Private keys are used most often at login. That presents a key management problem if the keys appear where they might be corrupted or stolen. Short of issuing smart cards, enabling the private key storage service provides the best assurance that messages encrypted under one of the key pairs can be decrypted using another pair without being intercepted and read in transit.

===========================
Chapter 3: Configuring DCE
===========================

Overview of New Cell Configuration

The following steps explain how to create a cell and configure the Security server and CDS server on the same system. To begin your initial cell creation and server configuration, log in as root and invoke dcesetup (/usr/sbin/dcesetup).
If you are not logged in as root, the dcesetup utility can perform only the Show and Version choices. The dcesetup utility displays the following menu:

    *** DCE Setup Main Menu ***  Version V3.0 (Rev. 635)

    1) Configure   Configure DCE services on this system
    2) Show        Show DCE configuration and active daemons
    3) Stop        Terminate all active DCE daemons
    4) Start       Start all DCE daemons
    5) Restart     Terminate and restart all DCE daemons
    6) Clean       Terminate all active DCE daemons and remove all temporary
                   local DCE databases
    7) Clobber     Terminate all active DCE daemons and remove all permanent
                   local DCE databases
    8) CVP         Run Configuration Verification Program
    9) Version     Show DCE Version number
    X) Exit

    Please enter your selection:

Note: For troubleshooting during configuration, open an additional window after you invoke dcesetup, and enter the following command:

    # tail -f /opt/dcelocal/dcesetup.log

This window allows you to track the configuration procedure as it executes. The file dcesetup.log captures most configuration errors. If you are not logged in as root, the log file is named /tmp/dcesetup.username.log.

If you are creating a new cell or adding a CDS server, choose option 3 (Terminate all active DCE daemons) to stop the DCE daemons in a controlled manner. Be sure to back up your security and CDS databases before proceeding if this has not been done.

Choose option 1 from the DCE Setup Main Menu to configure DCE services on your system. You must have system privileges to modify the DCE system configuration. The procedure displays the following menu:

    *** Configuration Choice Menu ***

    1) Configure this system as a DCE Client
    2) Create a new DCE cell
    3) Add Master CDS server
    4) Configure DCE Distributed File Service (DFS)
    5) Modify DCE Cell Configuration
    6) Configure this system for RPC only
    R) Return to previous menu

    Please enter your selection (or '?' for help):

Choose option 2 to create a new DCE cell.
At each prompt, you can press to take the default displayed in brackets or enter a question mark (?) for help. When prompted, select a cell name and hostname; the cell name is used again when you configure DCE client systems.

The configuration utility asks if you want to configure the host as a CDS server. Answer yes to configure the CDS and security servers on the same system. Answer no to perform a split server installation, in which you configure the security server on the current host and the CDS server on a different host.

If you answered yes to configure the CDS and security servers on the same system, the utility asks:

    Will there be any DCE pre-R1.1 CDS servers in this cell? (y/n/?) [n]:

If your cell will be running any CDS servers based on OSF DCE Release 1.0.3a or lower (equivalent to DCE for DIGITAL UNIX Version 1.3b or lower), answer yes. The configuration utility sets the directory version number to 3.0 for compatibility with pre-R1.1 servers. This setting disables the use of OSF DCE Release 1.1 features such as cell aliasing, CDS delegation ACLs, and so on.

If all CDS servers in your cell will be based on DCE for DIGITAL UNIX Version 2.0 (or higher) and on OSF DCE Release 1.1 (or higher), answer no. The configuration utility sets the directory version number to 4.0 for compatibility with DCE for DIGITAL UNIX Version 2.0 (or higher) CDS servers (OSF DCE Releases 1.1 and 1.2.2). This enables the use of OSF DCE Release 1.1 features such as cell aliasing, CDS delegation ACLs, and so on, and OSF DCE Release 1.2.2 features. Once the directory version is set to 4.0, you cannot set it back to 3.0. For more information, refer to Chapter 5.

You are prompted to confirm the system time; it is important that you check the current time before you respond.

If DECnet/OSI is installed on your system, the configuration utility displays the following message and then asks several questions about configuring a DCE Distributed Time Service server on your system.
    You seem to have DECnet/OSI installed on this system.
    DECnet/OSI includes a distributed time synchronization service (DECdts),
    which does not currently support the DCE Distributed Time Service
    (DCE DTS) functionality. The DCE DTS in this release provides full
    DECdts functionality. This installation will stop DECdts and use
    DCE DTS instead. For further clarification, please consult the
    DCE for DIGITAL UNIX Product Guide.

    Even though DCE DTS will be used, it is possible to accept time
    from DECdts servers.

    Should this node accept time from DECdts servers? (y/n) [n]:
    Do you want this system to be a DTS Server (y/n/?) [y]:
    Do you want this system to be a DTS Global Server (y/n/?) [n]:
    Does this cell use multiple LANs? (y/n/?) [n]:

Answer the questions appropriately.

The configuration utility asks whether you want to run this system as a PKSS server. Answering yes configures the system to run as a PKSS server.

    Do you want this system to be a PKSS server (y/n/?) [y]

The dcesetup configuration utility asks whether you want to enable DCE SIA (Security Integration Architecture). The default answer is no. Answering yes configures security-sensitive commands such as login, su, telnet, ftp, and so on, to perform DCE authentication in addition to the usual local security operations performed by these commands. For more information about DCE SIA, refer to the DCE for DIGITAL UNIX Product Guide.

    Do you want to enable DCE SIA? (y/n/?) [n]:

The configuration utility asks if you want to run the MIT Kerberos 5 services on this machine. A yes answer runs the configuration utility and (optionally) installs the 'Kerberized' version of telnet, rsh, and rlogin on the system.

    Do you intend to run MIT Kerberos 5 services on this machine? [y]

The configuration utility asks if you want to configure the LDAP name service on this system. A yes answer prompts the question "Do you want to configure the system as an LDAP client?" and requires that you enter further information regarding LDAP services.
    Do you want to configure the LDAP name service? (y/n/?) [n]

The configuration utility asks if you want to configure gdad to use LDAP. (gdad is the daemon for the Global Directory Agent.)

    Do you want to configure gdad to use LDAP? (y/n/?) [n]

Next, the screen displays your selections and asks whether to save them as your DCE system configuration. Answer y.

After the gda daemon is started, you are prompted to run the DCE Configuration Verification Program (CVP). Press to start the CVP. After the procedure runs the CVP, it automatically updates the system startup procedure so the daemons restart automatically whenever the system is rebooted.

To verify that all requested services are configured, choose option 2 (Show DCE configuration and active daemons) from the DCE Setup Main Menu. The screen displays all configured DCE services and active DCE daemons. You have completed creating a cell.

Configuring Your System as a DCE Client with Runtime Services

If you want to add your system to an existing cell, choose option 1 (Configure this system as a DCE Client) from the Configuration Choice Menu. This option configures the runtime services subset on your system.

Note: During initial DCE client configuration, the client software may have problems locating the Cell Directory Service server if the Internet protocol netmask for your client machine is not consistent with the netmask used by other machines operating on the same LAN segment. You might need to consult your network administrator to determine the correct netmask value for your network.

When you choose option 1, the procedure displays the following messages:

    At each prompt, enter to take the default displayed in [braces]
    or enter '?' for help.

    Press to continue:

    Shutting down DCE services
    DCE services stopped
    Removing temporary local DCE databases and configuration files
    Removing permanent local DCE databases and configuration files
    Starting client configuration
    Initializing dced (dced)...
    Starting dced (dced)...

The configuration utility asks whether to search the LAN for known cells within broadcast range of your system.

    Would you like to search the LAN for known cells? (y/n) [y] :

If you know the name of your DCE cell, answer no. As prompted, supply the name of your DCE cell, your DCE hostname, and the hostname of your cell's master CDS server. You also need to specify whether your host can broadcast to the host where the master CDS server is installed.

Answer yes to see a list of available DCE cells. As prompted, supply your DCE hostname. At the next prompt, supply the appropriate DCE cell name from the list.

    Gathering list of currently accessible cells
    Please enter your DCE hostname [dcehost]:

    The following cells were discovered within broadcast range of this system:

        buster_cell
        kauai_cell
        myhost_cell
        tahoe_cell

    Please enter the name of your DCE cell (or '?' for help) [buster_cell]: myhost_cell

If you do not know the name of the cell you wish to join, consult your network administrator. Do not add the /.../ prefix to the cell name; the procedure adds it automatically. The prompt might contain a cell name, which is either the last configured cell name for this host or the first cell name from the alphabetical list of available cells. If you enter a cell name that is not on the list of cell names, the procedure assumes you are performing a WAN configuration and asks you to enter the hostname of the master CDS server for your cell.

After you enter your cell name, the procedure continues, displaying information similar to the following, depending on your configuration:

    Stopping dced...
    Initializing dced (dced)...
    Starting dced (dced)...
    Starting CDS advertiser daemon (cdsadv)...
    Testing access to CDS clerk (please wait).....
    Attempting to locate security server
    Found security server
    Creating /opt/dcelocal/etc/security/pe_site file
    Checking local system time
    Looking for DTS servers in this LAN
    Found DTS server

    The local system time is: Wed Mar 11 12:01:14 1998
    Is this time correct? (y/n):

Make sure you check that the correct time is displayed before you continue with the configuration. If the time is incorrect, specify n, and the procedure exits to the operating system to allow you to reset the system time. After you correct or verify the time, specify y, and the procedure resumes.

If DECnet/OSI is installed on your system, the configuration utility displays the following message and then asks several questions about configuring a DCE Distributed Time Service server on your system.

    You seem to have DECnet/OSI installed on this system.
    DECnet/OSI includes a distributed time synchronization service (DECdts),
    which does not currently support the DCE Distributed Time Service
    (DCE DTS) functionality. The DCE DTS in this release provides full
    DECdts functionality. This installation will stop DECdts and use
    DCE DTS instead. For further clarification, please consult the
    DCE for DIGITAL UNIX Product Guide.

    Even though DCE DTS will be used, it is possible to accept time
    from DECdts servers.

    Should this node accept time from DECdts servers? (y/n) [n]:

Specify y to accept time from any DECnet/OSI DECdts server; however, time from this source is unauthenticated. If you specify n, this system accepts time only from DCE time servers.

If DECnet/OSI is not installed on your system, the configuration utility omits the previous DECdts questions and instead asks:

    Do you need the Distributed Time Service (y/n/?) [y]:

Answer y to configure the host as a DTS client.

If you want to use DCE Security Integration Architecture (SIA), specify "Y" to the following:

    Do you want to enable DCE SIA? (y/n/?)
    [n]:

After you respond to the prompt, the procedure stops the CDS advertiser and asks you to perform a dce_login operation, as follows:

    Stopping dcesetup...

    This operation requires that you be authenticated as a member
    of the sec-admin group. Please login.

    Enter Principal Name: cell_admin
    Password:

Obtain the password from your system administrator.

After you perform the dce_login operation, the procedure begins configuring the security client software. If this system was previously configured as a DCE client, or your cell has another host with the same name, the configuration utility also displays a list of client principals that already exist for this system and asks whether to delete the principals. You must delete these principals to continue with the configuration.

    Configuring security client
    Creating /krb5/krb.conf file
    Adding kerberos5 entry to /etc/services

    The following principal(s) already exist under /hosts/dcehost/:

        hosts/dcehost/self

    Do you wish to delete these principals? (y/n/?) [y]:

    Deleting client principals
    Creating ktab entry for client
    Stopping dced...
    Initializing dced (dced)...
    Starting dced (dced)...
    Starting sec_client service (please wait).
    This machine is now a security client.

If your cell uses multiple LANs, you are prompted with the next question:

    Please enter the name of your LAN (or '?' for help) []:

If your LAN has not been defined in the namespace, you are asked whether you want to define it.

The configuration utility asks whether you want to configure gdad to connect to LDAP.

    Do you want to configure gdad to use LDAP? (y/n/?) [n]:

The procedure configures the requested services, and then prompts you to complete the configuration of the security server on the other machine before continuing:

    Configuring CDS client
    Creating the cds.conf file
    Starting CDS advertiser daemon (cdsadv)...
    Testing access to CDS server (please wait).
    Deleting known hosts/dcehost objects from name space
    Creating hosts/dcehost objects in name space
    This machine is now a CDS client.
    Stopping sec_client service...
    Starting sec_client service (please wait).
    Modifying acls on /.:/hosts/dcehost/config
        secval
        xattrschema
        srvrexec
        keytab
        keytab/self
        hostdata
        hostdata/dce_cf.db
        hostdata/cell_name
        hostdata/pe_site
        hostdata/cds_attributes
        hostdata/cds_globalnames
        hostdata/host_name
        hostdata/cell_aliases
        hostdata/post_processors
        hostdata/svc_routing
        hostdata/cds.conf
        hostdata/passwd_override
        hostdata/group_override
        hostdata/krb.conf
        srvrconf
    Configuring DTS daemon as client (dtsd)
    Starting DTS daemon (dtsd)...
    Waiting for DTS daemon to synchronize (please wait)
    This machine is now a DTS clerk.
    Configuring Kerberos and telnetd.
    Enabling DCE SIA....

    Do you want to run the DCE Configuration Verification Program? (y/n) [y]:

The DCE Configuration Verification Program (CVP) exercises the components of DCE that are running in this cell. It requires approximately 1 to 2 minutes to run. If you type y to run the CVP at this time, you see the following display:

    Executing DIGITAL DCE V3.0 (Rev. 635) for DIGITAL UNIX CVP (please wait)
    Copyright (c) Digital Equipment Corporation. 1998. All Rights Reserved.
    Verifying...........
    DIGITAL DCE V3.0 (Rev. 635) for DIGITAL UNIX CVP completed successfully

    Modifying system startup procedure...

The DCE components that you have configured are added to your system startup procedure so the daemons restart automatically whenever the system is rebooted. When the procedure is completed, the DCE Setup Main Menu is redisplayed.

If the client system and a CDS server are on the same subnet, the client can automatically locate the CDS server. In this case, the client configuration is complete. However, if the client system does not share a subnet with a CDS server, you must manually enter a CDS server's location information into the client's CDS cache. Press X to exit dcesetup.
Then enter the CDS server location information into the client's CDS cache:

    # dcecp -c cdscache create -binding :

where is the simple name of the cached server machine, is a CDS server's protocol sequence, and is the Internet Protocol address of . For example:

    # dcecp -c cdscache create pelican \
        -binding ncacn_ip_tcp:16:20.15.25

Split Server Configuration (Adding a Master CDS Server)

This section discusses a split server installation, in which a new cell and the master security server are created on one system and the master CDS server is configured on another system. The master CDS server maintains the master replica of the cell root directory. A split server configuration has four phases:

1. Begin creating the new cell and master security server on one system.

2. Begin creating the master CDS server on another system.

3. Complete creating the new cell and master security server on the first system.

4. Complete creating the master CDS server on the second system.

Creating a New Cell and Master Security Server

This is the first phase of a split server configuration. Begin this phase by creating the new cell on the machine where the master security server will reside. Choose option 2 (Create a new DCE cell) from the Configuration Choice Menu. Answer the prompts appropriately for the cell name and hostname. Then answer n at the following prompt:

    Do you wish to configure myhost as a CDS server? (y/n/?) [y]: n

Verify the system time at the following message and prompt:

    *********************************************************
    * If the system clocks on the machines running the      *
    * security and CDS servers differ more than one or two  *
    * minutes from other systems in the cell, configuration *
    * anomalies can occur. Since this system's time will be *
    * used as a reference, please make sure that the system *
    * time is correct.                                      *
    *********************************************************

    System time for : Wed Jun 12 13:39:24 EDT 1998
    Is this correct?
    (y/n/?):

Make sure you validate the time before you specify y. If the system time is incorrect, answer n; the configuration procedure exits to the operating system to allow you to correct the system time. You can then reconfigure.

    Do you need the Distributed Time Service? (y/n/?) [y]:

If you will be using any distributed applications that depend on synchronized time, type y or press to participate in the Distributed Time Service (DTS). The DECnet/OSI DECdts daemon (dtssd) and the DCE DTS daemon (dtsd) are incompatible and cannot be used on the same host. If your machine is running DECnet/OSI, the configuration procedure next displays the following message:

    You seem to have DECnet/OSI installed on this system.
    DECnet/OSI includes a distributed time synchronization service (DECdts),
    which does not currently support the DCE Distributed Time Service
    (DCE DTS) functionality. The DCE DTS in this release provides full
    DECdts functionality. This installation will stop DECdts and use
    DCE DTS instead. For further clarification, please consult the
    DCE for DIGITAL UNIX Product Guide.

    Even though DCE DTS will be used, it is possible to accept time
    from DECdts servers.

    Should this node accept time from DECdts servers? (y/n) [n]:

Specify y to accept time from any DECdts server; however, time from this source is unauthenticated. If you specify n, this system accepts time only from DCE time servers.

    Do you want this system to be a DTS Server (y/n/?) [y]:
    Do you want this system to be a DTS Global Server (y/n/?) [n]:

If DECnet/OSI is not installed, this system must be configured as either a DTS clerk or a DTS server. Briefly, there should be three DTS servers per cell.

The configuration utility asks if you want to run this system as a PKSS server. Answering yes configures the system to run as a PKSS server.

    Do you want this system to be a PKSS Server (y/n/?) [y]:

Next, the procedure asks whether to enable DCE Security Integration Architecture (SIA).

    Do you want to enable DCE SIA?
(y/n/?) [n]: Next, the configuration utility asks if you want to to run the MIT Kerberos 5 services on this machine. A yes answer will run the Kerberos config utility and (optionally) install the 'kerberized' version of telnet on the system. Do you intend to run MIT Kerberos 5 services on this machine [y] : The utility asks if you want to configure the LDAP name service on this system. A yes answer prompts a query to ask if you want to configure the system as a LDAP client and ask if you would enter further information regarding the LDAP services you want. Do you want to configure the LDAP name service? (y/n/?) [n]: The configuration utility asks whether you want to configure gdad to use LDAP. Do you want to configure gdad to use LDAP? (y/n/?) [n]: After you respond to the last prompt, the following messages are displayed: DCE Cellname: myhost_cell DCE Hostname: myhost Use myhost as a CDS Server? No Use myhost as the Security Server? Yes Use dhaka as a DTS Local Server? Yes Use myhost as the PKSS Server? Yes Enable Kerberos 5 services? Yes Enable DCE SIA? No Enable LDAP GDA? No Configure myhost as an LDAP client? No Do you want to save this as your DCE system configuration? (y/n/?) [y]: Answer no to change your selections. Answer yes to accept your selections. The procedure configures myhost as a Security server and then prompts you to enter a keyseed value (enter several random keystrokes): ************************************************************* * Starting the security server requires that you supply * * a 'keyseed.' When asked for a 'keyseed,' type some * * random, alphanumeric keystrokes, followed by RETURN. * * (You won't be required to remember what you type.) * ************************************************************* Enter keyseed for initial database master key: You are prompted to enter and then confirm the cell_admin password. Remember this password. Please type new password for cell_admin (or '?' 
for help): Type again to confirm: The procedure configures more services and then pauses for you to configure the master CDS server on another system. ******************************************************************** This system has now been configured as a security server. Since you chose not to configure this system as a CDS server, you must now configure another system as the Master CDS Server for this cell (Option 1 on the dcesetup Main Menu, Option 3 on the Configuration Choice Menu.) When the Master CDS server has been installed and configured, * press the key to continue configuring this system. * ******************************************************************** Go to the machine where you will configure the master CDS server. Creating a Master CDS Server on Another System This is the second phase of a split server configuration. You must have created a new cell and begun configuring the security server on another machine. Log on to the system on which you want to install the CDS master server, and choose option 3 (Add Master CDS Server) from the Configuration Choice Menu. The following messages are displayed: ****************************************************************** * If the system clocks on the machines running the security * * and CDS servers differ more than one or two minutes from * * other systems in the cell, configuration anomalies can occur. * * Since this system's time will be used as a reference, please * * make sure that the system time is correct. * ****************************************************************** System time for cdshost.abc.dec.com: Wed Jun 12 13:52:28 EDT 1998 Is this correct? (y/n/?) Verify the correct time before answering yes. Answer the following prompts: Please enter the name of your DCE cell []: Please enter your DCE hostname [myhost2]: The procedure asks: Will there be any DCE pre-R1.1 CDS servers in this cell? (y/n/?) 
[n]: If your cell will be running any CDS servers based on OSF DCE Release 1.0.3a or lower, you should answer yes. The configuration utility sets the directory version number to 3.0 for compatibility with pre-R1.1 servers. This disables the use of OSF DCE Release 1.1 features such as cell aliasing, CDS delegation ACLs, and so on. If all CDS servers in your cell will be based on DCE for DIGITAL UNIX Version 2.0 or higher (or an equivalent DCE version based on OSF DCE Release 1.1) answer no. The configuration utility sets the directory version number to 4.0 for compatibility with DCE for DIGITAL UNIX (Version 2.0 or higher OSF DCE Release 1.1) CDS servers. This enables the use of OSF DCE Release 1.1 features such as cell aliasing, CDS delegation ACLs, and so on. Once the directory version is set to 4.0, you cannot set it back to 3.0. The procedure configures accordingly and prompts you to enter the hostname of the security server that you just configured. What is the hostname of the Security Server for this cell? []: The procedure continues with the following messages: Creating /opt/dcelocal/etc/security/pe_site file *********************************************************** * Ensure the opt/dcelocal/etc/security/pe_site file * * matches that on the server. * *********************************************************** Note: If the procedure cannot find the IP address for the host, you will be prompted for the address. Usually, when the procedure cannot find the IP address of the host, it indicates that you may have misspelled the name. The procedure displays the following messages and asks you to perform a dce_login operation. Creating /krb5/krb.conf file Adding kerberos5 entry to /etc/services This operation requires that you be authenticated as a member of the sec-admin group. Please login. Enter Principal Name: cell_admin Password: The procedure continues, asking the same questions as when you configured the Security server. 
Do you need the Distributed Time Service? (y/n/?) [y]: If your machine is running DECnet/OSI, the configuration procedure next displays the following message: You seem to have DECnet/OSI installed on this system. DECnet/OSI includes a distributed time synchronization service (DECdts), which does not currently support the DCE Distributed Time Service (DCE DTS) functionality. The DCE DTS in this release provides full DECdts functionality. This installation will stop DECdts and use DCE DTS instead. For further clarification, please consult the DCE for DIGITAL UNIX Product Guide. Even though DCE DTS will be used, it is possible to accept time from DECdts servers. Should this node accept time from DECdts servers? (y/n) [n]: Specify y to accept time from any DECnet/OSI DECdts server; however, time from this source is unauthenticated. If you specify n, this system accepts time only from DCE DTS servers. The procedure next asks whether you want your system to be a DTS local server: Do you want this system to be a DTS Local Server (y/n/?) [y]: If you answer y, this machine becomes a DTS local server; if you answer n, this machine does not become a DTS local server, and you should configure some other system as the DTS server. DIGITAL recommends that you configure three DTS servers per cell. Next, the procedure asks whether your cell uses multiple LANs. Does this cell use multiple LANs? (y/n/?) [n]: If your cell uses multiple LANs, you are prompted with the next question: Please enter the name of your LAN (or '?' for help) []: If your LAN has not been defined in the namespace, you are asked whether you want to define it. The procedure configures the requested services, and then prompts you to complete the configuration of the security server on the other machine before continuing: ******************************************************************** * This system has now been configured as the Master CDS Server. 
* * * * Before continuing, complete the configuration of the Security * * Server... * ******************************************************************** Press to continue: Return to the system on which you configured the security server. Completing the Security Server Configuration This is the third phase of a split server configuration. You must have created a new cell and begun configuring the security server on one machine. Then you created a master CDS server on another machine. Now you will complete the security server configuration on the first machine. Return to the system on which you configured the security server and press the key. The following prompt is displayed: What is the hostname of the Master CDS Server for this cell [ ]: Provide the hostname of the system you just configured as the master CDS server for this cell. After you enter the hostname of the master CDS server, the following prompt is displayed: Can myhost broadcast to cds_master_server? (y/n/?) [y]: If you respond n to this prompt, the procedure asks you to specify the IP address of the CDS server. You can find the IP address either by performing a grep operation for the hostname in the /etc/host file, or by performing an nslookup operation for the hostname. Once it has been determined that myhost can broadcast to cds_master_server, the procedure displays the following messages and asks whether you want to run the configuration verification program. This operation requires that you be authenticated as a member of the sec-admin group. Please login. Enter Principal Name: cell_admin Password: Configuring CDS client Creating the cds.conf file Starting CDS advertiser daemon (cdsadv)... Testing access to CDS server (please wait).... Creating hosts/myhost objects in name space Configuring DTS daemon as server (dtsd) Stopping sec_client service... Starting sec_client service (please wait). Starting DTS daemon (dtsd)... 
Waiting for DTS daemon to synchronize (please wait) If you enabled DCE SIA, the procedure also displays the following message: Enabling DCE SIA The procedure asks whether you want to run the configuration verification program: Do you want to run the DCE Configuration Verification Program? (y/n) [y]: You can run the CVP now by answering y, or you can run the CVP at a later time by answering n. The procedure completes the configuration and returns to the DCE Setup Main Menu. Choose option 2 (Show DCE configuration and active daemons) from the DCE Setup Main Menu to verify your configuration choices. Return to the host on which you are configuring the master CDS server and complete the installation. Completing the CDS Master Server Configuration This is the fourth and final phase of a split server configuration. You must have created a new cell and begun configuring the security server on one machine. Then you created a master CDS server on another machine. You completed the security server configuration on the first machine. Now you will complete the CDS master server configuration. Completion of this phase consists of running the configuration verification program: Do you want to run the DCE Configuration Verification Program? (y/n) [y]: You can run the CVP now by answering y, or you can run the CVP at a later time by answering n. The procedure completes the configuration and returns to the DCE Setup Main Menu. Choose option 2 (Show DCE configuration and active daemons) from the DCE Setup Main Menu to verify your configuration choices. Using SIA An SIA configuration file, /etc/sia/matrix.conf, selects the appropriate configured security mechanism. This configuration file contains entries for a set of siad routines. The operating system is provided with a default matrix.conf file that contains only BSD entries. Layered products that choose to use another security mechanism must modify this configuration file. 
Depending on how matrix.conf is set up on the local system (DIGITAL recommends that you place the DCE entries in front of the BSD entries), the SIA layer calls the corresponding siad routines in each of the configured mechanisms in order. Therefore, the siad_ses_init routine from DCE is called before the routine from BSD if the matrix.conf file includes the following line: siad_ses_init=(DCE,/usr/shlib/libdcesiad.so),(BSD,libc.so) Local Security Mechanisms The DIGITAL UNIX operating system provides two local security mechanisms: Berkeley Standard Distribution (BSD) security and C2 class security. The default DIGITAL UNIX configuration has BSD security enabled. Turning On DCE SIA At the initial installation and configuration, DCE SIA is turned on by default. At another time, turning it on requires an explicit choice. To turn on DCE SIA security, choose option 8 (Enable DCE SIA) from the Modify Configuration Menu. After you choose this option, dcesetup executes the shell script /opt/dcelocal/etc/sec_insert_dce_entries.sh to perform the following operations: Checks whether KRB5CCNAME exists in the /usr/lib/X11/xdm/xdm-config file on the local system. If it does exist, the script continues to step 3. If it does not exist, the script saves the original xdm-config file with the name xdm-config.sav n (where n is the next available number). Note: You are responsible for deleting all the .sav* files created by enabling or disabling DCE SIA. Adds KRB5CCNAME to the /usr/lib/X11/xdm/xdm-config file, so that the console login preserves the credential handle, KRB5CCNAME, after a successful login to DCE. Checks whether DCE entries exist in the matrix.conf file. If DCE entries exist, the script ends; if no entries exist, the script performs steps 4 and 5. Saves the original matrix.conf file with the name matrix.conf.sav n (where n is the next available number) in the /etc/sia directory. Inserts DCE entries for all siad routines in the matrix.conf file. 
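As an added example (not the sec_insert_dce_entries.sh or sec_remove_dce_entries.sh scripts shipped with DCE), the following shell functions carry out the matrix.conf part of steps 3 through 5 above, and the reverse for turning DCE SIA off, on a file path you pass in; the .sav numbering and the DCE-before-BSD ordering follow the description above, and the xdm-config handling is left out.

```shell
#!/bin/sh
# Added example, not part of the DCE for DIGITAL UNIX distribution. Mirrors what
# the guide says the enable/disable scripts do to /etc/sia/matrix.conf, but
# takes the file path as an argument so it can be tried on a copy first.

DCE_ENTRY='(DCE,/usr/shlib/libdcesiad.so)'   # the entry the guide shows being inserted

# next_sav_name FILE: print FILE.sav<n> for the next unused n (the guide's ".sav n").
next_sav_name() {
    n=1
    while [ -e "$1.sav$n" ]; do n=$((n + 1)); done
    printf '%s.sav%s\n' "$1" "$n"
}

# has_dce_entries FILE: succeed if any siad_* routine already lists the DCE mechanism.
has_dce_entries() {
    grep -q "^siad_[a-z0-9_]*=.*(DCE," "$1"
}

# enable_dce_sia FILE: steps 3-5. If DCE entries exist the script ends; otherwise
# back the file up and put the DCE entry in front of every siad_* routine's
# existing mechanisms (DIGITAL recommends DCE before BSD).
enable_dce_sia() {
    f=$1
    if has_dce_entries "$f"; then
        return 0
    fi
    cp "$f" "$(next_sav_name "$f")" || return 1
    sed "s|^\(siad_[a-z0-9_]*\)=|\1=${DCE_ENTRY},|" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# disable_dce_sia FILE: the reverse. A fresh backup is always taken (the guide
# notes other layered products may have edited the file meanwhile), then the
# DCE entry is removed whether it appears first or after another mechanism.
disable_dce_sia() {
    f=$1
    if ! has_dce_entries "$f"; then
        return 0
    fi
    cp "$f" "$(next_sav_name "$f")" || return 1
    sed "s|${DCE_ENTRY},||; s|,${DCE_ENTRY}||" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Stand-alone use:  sh this_script.sh enable|disable /path/to/matrix.conf
case "${1:-}" in
    enable)  enable_dce_sia "$2" ;;
    disable) disable_dce_sia "$2" ;;
esac
```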
Before modification, a matrix.conf entry might look as follows:

    siad_init=(BSD,libc.so)

After modification, the new entry looks as follows:

    siad_init=(DCE,/usr/shlib/libdcesiad.so),(BSD,libc.so)

where libdcesiad.so, installed by DCE, is a shared library containing all the DCE siad routines.

Turning Off DCE SIA Security

To turn off DCE SIA security, choose option 8 (Disable DCE SIA) from the Modify Configuration Menu. After you choose this option, dcesetup executes the /opt/dcelocal/etc/sec_remove_dce_entries.sh shell script to perform the following operations:

1. Checks whether KRB5CCNAME exists in the /usr/lib/X11/xdm/xdm-config file on the local system. If it does not exist, the script continues to step 3. If it does exist, the script saves the original xdm-config file with the name xdm-config.sav n (where n is the next available number).

2. Removes KRB5CCNAME from /usr/lib/X11/xdm/xdm-config.

3. Checks whether DCE entries exist in the matrix.conf file. If they do not, the script ends; if they do exist, the script performs steps 4 and 5.

4. Saves the matrix.conf file with the name matrix.conf.sav n (where n is the next available number) in the /etc/sia directory. (The script saves the existing configuration file instead of reusing the prior one that had DCE SIA turned off, in case other layered products have added their security mechanisms in the interim.)

   Note: You are responsible for deleting all the .sav* files created by enabling or disabling DCE SIA.

5. Removes DCE entries from all siad routines in the matrix.conf file.

For example, before modification, the entry might look as follows:

    siad_init=(DCE,/usr/shlib/libdcesiad.so),(BSD,libc.so)

After modification, the new entry looks as follows:

    siad_init=(BSD,libc.so)

Migrating Your Cell

Some DCE cells may be running security or CDS servers on hosts with different versions of DCE. This might happen because a cell has DCE software from multiple vendors, each supplying upgrades at different times. Or perhaps upgrading all the hosts simultaneously is not feasible.

DCE for DIGITAL UNIX Version 2.0 (or higher) security servers and CDS servers can interoperate with older servers (based on OSF DCE Release 1.0.3a, 1.0.2, and so on). However, new DCE security features associated with OSF DCE Release 1.1 and DCE Release 1.2.2 will generally not be available until all security server replicas in your cell are based on OSF DCE Release 1.1 and 1.2.2. Additionally, new CDS capabilities will not be available until all security servers and some or all CDS servers are based on OSF DCE Release 1.1 and 1.2.2.

If your cell contains older versions of security or CDS servers, you will need to migrate (gradually upgrade) older servers until all of them are running DCE server software based on OSF DCE Release 1.1 and 1.2.2. Once all security or CDS servers have been upgraded, you must perform some additional steps so that your servers can provide the new security and CDS capabilities. Security servers and CDS servers use separate procedures to complete migration. Security Migration provides the instructions for completing Security server migration. CDS Migration provides the instructions for completing CDS server migration.

Security Migration

After you install the new security server version on a host where an older version security replica (master or slave) exists, that replica will operate with the new security server, but with the behavior of the older version server. Note that a server based on OSF DCE 1.1 or higher cannot create a new replica and operate it as an older version replica.

Once OSF DCE Release 1.1 has been installed on all hosts that have security replicas, you must issue a single cell-wide command that simultaneously migrates all the replicas to operate at the level of DCE 1.1. At this point the cell will support new security features such as extended registry attributes.

Note: Once you have migrated the security servers to DCE 1.1 or higher, it is not possible to create a replica on a host running an earlier version.

If all of the Security server replicas in your cell are based on OSF DCE Release 1.1, you can perform the final migration steps in this section. If your cell is still running any security servers based on a DCE release prior to OSF DCE Release 1.1, do not complete the upgrade steps in this section. The upgrade steps will advance some security database attributes. Older servers cannot operate on newer version databases.

Once you have installed and configured DCE for DIGITAL UNIX Version 3.0 Security servers in your cell, perform the following actions as cell administrator:

1. Ensure that at least one security replica can write to the cell profile. Use the following operation to check the cell-profile ACL for user:dce-rgy:rw-t---.

       # dcecp -c acl show -io /.:/cell-profile

2. On all Security servers, set the server version to secd.dce.1.1.

       # dcecp -c registry modify -version secd.dce.1.1

3. Verify that the version has been set to secd.dce.1.1.

       # dcecp -c registry show

Note: If you have not updated all 1.0.3 security replicas to DCE 1.1, any original 1.0.3 replicas will be stopped when you move the registry version forward to DCE 1.1. You may wish to verify that any original 1.0.3 replicas are no longer running.

CDS Migration

If you have installed and configured DCE for DIGITAL UNIX Version 3.0 CDS servers in your cell, you might need to perform additional steps to complete the upgrade process. If you created a new DCE cell and, during the dcesetup process, you set the default directory version information for each CDS server to Version 4.0, you do not need to perform the migration steps in this section.

If your cell is still running any security or CDS servers based on a DCE release prior to OSF DCE Release 1.1, do not complete the upgrade steps in this section. The upgrade steps will advance some security database and CDS directory attributes. Older servers cannot operate on newer version databases or directories.

DCE for DIGITAL UNIX Version 3.0 (or equivalent) features such as hierarchical cells and cell aliasing will be available only when all of your cell's security and CDS servers are running DCE for DIGITAL UNIX Version 2.0 or higher and the upgrade steps have been completed. Refer to the DCE for DIGITAL UNIX Product Guide and to the OSF DCE documentation for descriptions of available features.

Once the necessary DCE servers have been upgraded to DCE software based on OSF DCE Release 1.1 or 1.2.2, you can perform the migration steps in this section. The migration steps will enable the use of hierarchical cells, cell aliasing, and delegation.

Note: Directory version information can only be set forward. If you migrate a CDS server to OSF DCE 1.1 or 1.2.2 behavior, you cannot revert that server to 1.0.3 behavior.

Once you have installed and configured DCE for DIGITAL UNIX Version 3.0 (or equivalent) security servers and CDS servers, perform the following actions as cell administrator:

1. If you have not done so, perform the security migration steps in Security Migration.

2. For all CDS clearinghouses, manually update the CDS_UpgradeTo attribute to 4.0. The following two operations ensure that new directories created in this clearinghouse will receive the correct directory version number:

       # dcecp -c clearinghouse modify chname \
           -add \{CDS_UpgradeTo 4.0 \}
       # dcecp -c clearinghouse verify chname

3. Manually upgrade all older directory version information to 4.0 as follows:

       # dcecp -c directory modify /.: -upgrade -tree

   The -tree option operates recursively on all subdirectories (in this example, it operates on the entire cell). This command does not work unless all CDS servers housing the affected directories are running DCE for DIGITAL UNIX Version 2.0.
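An added example, not part of DCE for DIGITAL UNIX, that runs the Security Migration steps and the CDS Migration steps above in the required order: it refuses to touch the registry unless the cell-profile ACL check passes, verifies the registry version before declaring the security step done, and refuses the CDS steps until that version is in place. It assumes dcecp's brace-list form {version secd.dce.1.1} for registry show output, accepts the cell-profile ACL entry in the colon form quoted above or dcecp's {user dce-rgy rw-t---} form, and lets the DCECP variable point at a wrapper so the run can be rehearsed away from a live cell.

```shell
#!/bin/sh
# Added example, not part of the DCE for DIGITAL UNIX distribution. Sequences the
# Security Migration and CDS Migration steps from this guide with the guards the
# guide describes. DCECP defaults to dcecp; point it at a wrapper to rehearse.

DCECP=${DCECP:-dcecp}
SEC_VERSION=secd.dce.1.1      # target registry version named in the guide
DIR_VERSION=4.0               # target CDS directory version named in the guide

# acl_grants_rgy_write: read ACL entries on stdin; succeed if the dce-rgy user
# entry carries both r and w (the guide's user:dce-rgy:rw-t--- check). Accepts
# the colon form quoted in the guide and, as an assumption, dcecp's brace form.
acl_grants_rgy_write() {
    grep -E '^(\{user dce-rgy |user:dce-rgy:)rw' >/dev/null
}

# registry_version: print the version from `dcecp -c registry show` output on
# stdin, assuming the {version secd.dce.1.1} attribute form.
registry_version() {
    sed -n 's/^{version \([^}]*\)}$/\1/p'
}

# migrate_security: Security Migration steps 1-3. Fails, without modifying the
# registry, if no replica can write to the cell profile or the version did not take.
migrate_security() {
    if ! "$DCECP" -c acl show -io /.:/cell-profile | acl_grants_rgy_write; then
        echo "cell-profile ACL lacks user:dce-rgy:rw; fix it before migrating" >&2
        return 1
    fi
    "$DCECP" -c registry modify -version "$SEC_VERSION" || return 1
    v=$("$DCECP" -c registry show | registry_version)
    if [ "$v" != "$SEC_VERSION" ]; then
        echo "registry version is '$v', expected $SEC_VERSION" >&2
        return 1
    fi
    # The guide warns that any 1.0.3 replica still present is stopped at this point.
    echo "registry at $SEC_VERSION; confirm no 1.0.3 replicas are still running" >&2
}

# migrate_cds CLEARINGHOUSE...: CDS Migration steps 1-3 for the named
# clearinghouses, ending with the recursive directory upgrade of the whole cell.
migrate_cds() {
    # Step 1: security migration must already be complete (versions only move forward).
    v=$("$DCECP" -c registry show | registry_version)
    if [ "$v" != "$SEC_VERSION" ]; then
        echo "security migration not complete (registry version '$v')" >&2
        return 1
    fi
    # Step 2: set CDS_UpgradeTo on each clearinghouse so new directories get 4.0.
    for ch in "$@"; do
        "$DCECP" -c clearinghouse modify "$ch" -add "{CDS_UpgradeTo $DIR_VERSION}" || return 1
        "$DCECP" -c clearinghouse verify "$ch" || return 1
    done
    # Step 3: upgrade existing directories; -tree recurses over the entire cell
    # and can take a long time on a large namespace.
    "$DCECP" -c directory modify /.: -upgrade -tree
}

# Stand-alone use:  sh this_script.sh security
#                   sh this_script.sh cds myhost_ch other_ch ...
case "${1:-}" in
    security) migrate_security ;;
    cds)      shift; migrate_cds "$@" ;;
esac
```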
This command can take a long time to execute depending on the size of the namespace. Running the DCE Configuration Verification Program Once the DCE daemons are started, you can run the DCE Configuration Verification Program (CVP) to ensure that the DCE services are properly installed. The procedure prompts you with the following message: Do you want to run the DCE Configuration Verification Program?(y/n)[y]: If you type y or press , the procedure indicates that the CVP is running. Executing DIGITAL DCE V3.0 (Rev.635) for DIGITAL UNIX CVP (please wait) Copyright (c) Digital Equipment Corporation. 1998. All Rights Reserved. Verifying........... The CVP invokes tests of the 10 DCE RPC interfaces, printing a dot (.) as each test is successful. A completely successful test execution results in 10 dots printed in succession. When the CVP tests are completed successfully, you receive the following message: DIGITAL DCE V3.0 (Rev. 635) for DIGITAL UNIX CVP completed successfully Note: You can repeat the CVP whenever you want by choosing option 8 (Run Configuration Verification Program) from the DCE Setup Main Menu. After you run the CVP, the configuration procedure updates your system startup procedure so that the daemons restart automatically whenever the system is rebooted. Error Recovery During Configuration If the procedure encounters any errors during DCE system configuration, it displays error messages. Some errors are not fatal, and the procedure attempts to continue. Other errors are fatal, and the procedure terminates. If a fatal error is encountered while the procedure is starting the DCE daemons, the procedure attempts to stop any daemons that have already been started. This returns the system to its original state before you began the configuration. 
If you receive an error message at any time while running the DCE System Configuration utility, you can get more detailed information about the cause of the error by examining the associated log file in /opt/dcelocal/dcesetup.log. (If dcesetup is run without root privileges, the log file will be located in tmp/dcesetup.username.log.) This log file contains a record of the operations invoked by the System Configuration utility the last time it was executed, and may help you diagnose the cause of the problem. Sometimes the cause of an error is transitory and may not recur if you repeat the operation. Use the command /usr/sbin/dcesetup restart to retry if errors are encountered during the startup of the DCE daemons. For more information about this command, see the DCE for DIGITAL UNIX Product Guide. ======================================= Chapter 4: Modifying Cell Configuration ======================================= Overview of Cell Re-Configuration Here is the menu you use to change the configuration of your cell. Note: The operations in the following table require superuser (root) privileges. Modify Configuration Menu 1) Add Replica CDS Server / Remove Replica CDS Server Creates or removes a replica of the master CDS server on the current machine. If your machine already has a replica of the master CDS server, the menu option shows "Remove Replica CDS Server." 2) Add Replica Security Server / Remove Replica Security Server Creates or removes a replica of the master security server on the current machine. If the machine already has a replica of the master security server, the menu option shows "Remove Replica Security Server." 3) Add DTS Local Server / Change from DTS Local Server to DTS Clerk Adds a DTS local server to the current machine. If your machine is already configured as a DTS Local Server, this menu option is Change from DTS Local Server to DTS Clerk. If so, you can choose that option to configure the current machine as a DTS Clerk. 
4) Add DTS Global Server / Change from DTS Global Server to DTS Clerk Adds a DTS global server to the current machine. If your machine is already configured as a DTS global Server, this menu option is Change from DTS Global Server to DTS Clerk. If so, you can choose that option to configure the current machine as a DTS Clerk. 5) Add Null Time Provider Sets the time inaccuracy value but prevents DTS from setting the time. Choose this option if you do not want DTS to set the system time. 6) Add NTP Time Provider Directs the current machine to get the time from an NTP server. 7) Enable Auditing/ Disable Auditing Enables or disables DCE security auditing on the system. 8) Enable DCE SIA / Disable DCE SIA Enables or disables DCE security integration architecture (SIA) on the system. 9) Enable Kerberos 5 / Disable Kerberos 5 Enables or disables MIT Kerberos 5 security services for telnet, rlogin, and rsh. 10) Configure LDAP Name Service Configures LDAP (lightweight directory access protocol) name service. 11) Add LDAP Client Services / Remove LDAP Client Services Add or remove the LDAP name service client; that is, to create internally the server, group, and profile entries in the LDAP name space like those entries that are used in CDS during the DCE client configuration. 12) Enable LDAP GDA / Disable LDAP GDA Enables or disables Global Directory Agent (GDA) use of LDAP to find foreign cells. 13) Add PKSS Server / Remove PKSS Server Enables or disables private key storage server (PKSS). Public key security technology includes a private key storage service where private decoding keys can be kept in security while not in use. 14) Register in X.500 Registers a DCE cell in X.500. This X.500 option displays only if X.500 is installed on the current machine. R) Return to previous menu Returns you to the DCE Setup Main Menu. 
Adding a Replica CDS Server If you want to create a replica of the master CDS server on your machine, you can do so on a system that has already been configured as a client, or on a system that has not yet been configured for DCE. The following example assumes no prior configuration. Choose option 1 (Add Replica CDS Server) from the Modify Configuration Menu. The configuration utility asks whether to search the LAN for known cells within broadcast range of your system. Would you like to search the LAN for known cells? (y/n) [y] : If you know the name of your DCE cell, answer no. As prompted, supply the name of your DCE cell, your DCE hostname, and the hostname of your cell's master CDS server. You also need to specify whether your host can broadcast to the host where the master CDS server is installed. Answer yes to view a list of available DCE cells. At the next prompt, supply the appropriate DCE cell name from the list. You are asked to enter your DCE hostname: Please enter your DCE hostname [myhost]: The procedure then displays an alphabetical list of the cells within broadcast range of your system and asks you to enter the name of your DCE cell. After you enter the cell name, the procedure displays the following messages and asks whether the local system time is correct: Gathering list of currently accessible cells The following cells were discovered within broadcast range of this system: buster_cell kauai_cell myhost_cell tahoe_cell Please enter the name of your DCE cell: myhost_cell. Please enter your DCE hostname [myhost] The procedure then displays an alphabetical list of the cells within broadcast range of your system. Stopping dced.. Initializing dced (dced)... Starting dced (dced)... Starting CDS advertiser daemon (cdsadv)... Testing access to CDS server (please wait)... 
Attempting to locate security server Found security server Creating /opt/dcelocal/etc/security/pe_site file Checking local system time Looking for DTS servers in this LAN Found DTS server The local system time is: Wed Jul 12 11:31:52 1998 Is this time correct? (y/n): Please check the time before you respond to this prompt. Be sure that the correct time is displayed before you continue with the configuration. If the time is incorrect, specify n, and the procedure exits to the operating system to allow you to reset the system time. After you correct or verify the time, specify y, and the procedure continues with the following message (if you have DECnet/OSI installed and configured): You seem to have DECnet/OSI installed on this system. DECnet/OSI includes a distributed time synchronization service (DECdts), which does not currently support the DCE Distributed Time Service (DCE DTS) functionality. The DCE DTS in this release provides full DECdts functionality. This installation will stop DECdts and use DCE DTS instead. For further clarification, please consult the DCE for DIGITAL UNIX Product Guide. Even though DCE DTS will be used, it is possible to accept time from DECdts servers. Should this node accept time from DECdts servers? (y/n) [n]: Specify y to accept time from any DECnet/OSI DECdts server; however, time from this source is unauthenticated. If you specify n, this system accepts time only from DCE DTS servers. Do you want this system to be a DTS Local Server (y/n/?) [n]: If DCEnet/OSI is not installed, this system must be configured as either a DTS clerk or a DTS server. For a complete description on the differences between DTS clerks and servers, please consult the section on how DTS works in the OSF DCE Administration Guide. DIGITAL recommends that you configure three DTS servers per cell. Do you want to use DCE Security Integration Architecture (SIA)? 
Answering yes configures security-sensitive commands such as login, su, telnet, ftp, and so on, to perform DCE authentication in addition to usual local security operations performed by these commands. For more information about DCE SIA, refer to the DCE for DIGITAL UNIX Product Guide. Answer y to the following: Do you want to enable DCE SIA? (y/n) [y] : After you respond the procedure stops the CDS advertiser and asks you to perform a dce_login operation. Stopping dcesetup... This operation requires that you be authenticated as a member of the sec-admin group. Please login. You must perform a dce_login operation, as follows: Enter Principal Name: Password: After you log in, the procedure configures the system as a client system and asks for a clearinghouse name: Configuring security client Creating /krb5/krb.conf file Adding kerberos5 entry to /etc/services Creating ktab entry for client Starting sec_client service (please wait). This machine is now a security client. Configuring CDS client Creating the cds.conf file Starting CDS advertiser daemon (cdsadv)... Testing access to CDS server (please wait). Creating hosts/myhost objects in name space Note: You might get a message after the line "Adding kerberos5 entry to /etc/services" that states the principals already exist under hosts/mycell. This message means that either another host exists with the same name or you are reconfiguring the same machine. You are prompted with the following question: Do you wish to delete these principals (y/n/?): [y] Note: You must delete the principals to continue with the configuration. The procedure continues with the following messages and prompts: This machine is now a CDS client. Configuring DTS daemon as client (dtsd) Starting DTS daemon (dtsd)... This machine is now a DTS clerk. Configuring CDS replica server Adding CDS registry entries Creating the cds.conf file Starting CDS advertiser daemon (cdsadv)... cdsadv is already running Starting CDS server daemon (cdsd)... 
When configuring the CDS server, the procedure asks:

    What is the name for this clearinghouse? (Type '?' for help) [myhost_ch]:

Specify a name for this clearinghouse that is unique in this cell. The procedure displays the following messages and asks whether you want to replicate more directories:

    Creating clearinghouse files and replica for root directory...
    Initializing the name space for additional CDS server...
    Modifying acls on /.:/myhost_ch
    Modifying acls on /.:/hosts/myhost/cds-server
    Modifying acls on /.:/hosts/myhost/cds-gda
    Do you wish to replicate more directories? (y/n/?):

The root directory from the CDS master server has just been replicated. To replicate more directories, answer y. You are then prompted for the name of a CDS directory to be replicated:

    Enter the name of a CDS directory to be replicated (or '?' for help):

Enter the name of a CDS directory existing in the master CDS namespace that you want to replicate on this system. Type the directory name without the /.:/ prefix; it is added automatically. When you are done, press only the Return key.

The procedure displays the following messages and asks whether you want to run the CVP:

    Starting Global Directory Agent daemon (gdad)...
    Starting Name Service Interface daemon (nsid)...
    Do you want to run the DCE Configuration Verification Program? (y/n/?) [y]:

If your system is configured as a CDS Replica Server, option 1 on the Modify Configuration Menu shows "Remove Replica CDS Server".

    *** Modify Configuration Menu ***

     1) Remove Replica CDS Server
     2) Add Replica Security Server
     3) Add DTS Local Server
     4) Add DTS Global Server
     5) Add Null Time Provider
     6) Add NTP Time Provider
     7) Enable Auditing
     8) Enable DCE SIA
     9) Enable Kerberos 5
    10) Configure LDAP Name Service
    11) Add LDAP Client Service
    12) Enable LDAP GDA
    13) Add PKSS Server
    14) Register in X.500
     R) Return to previous menu

    Please enter your selection (or '?' for help):

Choose option 1 if you wish to remove a CDS Replica Server from your DCE configuration. Doing so does not affect the rest of your system's DCE configuration.

Adding Security Replica

If you want to add a replica security server to your system, choose option 2 (Add Replica Security Server) from the Modify Configuration Menu. When you choose this option, the procedure displays the following messages:

    At each prompt, press Return to take the default displayed in [braces]
    or enter '?' for help.

    Press Return to continue:

    Shutting down DCE services
    DCE services stopped
    Removing temporary local DCE databases and configuration files
    Removing permanent local DCE databases and configuration files
    Starting client configuration
    Initializing dced (dced)...
    Starting dced (dced)...
    Gathering list of currently accessible cells
    Please enter your DCE hostname [dcehost]:

Note that this option shuts down DCE on the system and removes its existing local DCE databases and configuration files before rerunning the client configuration.

After you enter your DCE hostname, the procedure displays an alphabetical list of cells it has found within broadcast range of your system. In many environments, the list consists of only one name. Choose the name of the DCE cell that you want to join. If you do not know the name of the cell, consult your network administrator. Because this list is gathered from network broadcasts, confirm an unfamiliar cell name with your cell administrator rather than selecting it simply because it appears. Do not add the /.../ prefix to the cell name; the procedure adds it automatically.

    Please enter the name of your DCE cell (or '?' for help) [ ]:

After you enter your cell name, the procedure continues, displaying information similar to the following, depending on your configuration:

    Stopping dced (dced)...
    Initializing dced (dced)...
    Starting dced (dced)...
    Starting CDS advertiser daemon (cdsadv)...
    Testing access to CDS server (please wait)....
    Attempting to locate security server
    Found security server
    Creating /opt/dcelocal/etc/security/pe_site file
    Checking local system time
    Looking for DTS servers in this LAN
    Found DTS server
    Found DTS server
    Looking for DTS servers in this cell
    No DTS servers found in cell
    The local system time is: Wed Jul 12 11:38:14 1998
    Is this time correct? (y/n): y

Make sure the correct time is displayed before you continue with the configuration. If the time is incorrect, specify n, and the procedure exits to the operating system so that you can reset the system time.

After you correct or verify the time, specify y. If you have DECnet/OSI installed and configured, the procedure continues with the following message:

    You seem to have DECnet/OSI installed on this system.
    DECnet/OSI includes a distributed time synchronization service
    (DECdts), which does not currently support the DCE Distributed
    Time Service (DCE DTS) functionality. The DCE DTS in this release
    provides full DECdts functionality. This installation will stop
    DECdts and use DCE DTS instead. For further clarification, please
    consult the DCE for DIGITAL UNIX Product Guide.

    Even though DCE DTS will be used, it is possible to accept time
    from DECdts servers.

    Should this node accept time from DECdts servers? (y/n) [n]:

Specify y to accept time from any DECnet/OSI DECdts server; time from this source is unauthenticated. If you specify n, this system accepts time only from DCE time servers.

If you want to use DCE Security Integration Architecture (SIA), answer y to the following:

    Do you want to enable DCE SIA? (y/n) [y] :

After you respond to the prompt, the procedure stops the CDS advertiser and asks you to perform a dce_login operation:

    Stopping cdsadv...
    This operation requires that you be authenticated as a member
    of the sec-admin group. Please login.

    Enter Principal Name: cell_admin
    Password:

Obtain the password from your cell administrator. After you perform the dce_login operation, the procedure continues with the following messages:

    Configuring security client
    Creating /krb5/krb.conf file
    Adding kerberos5 entry to /etc/services
    Creating ktab entry for client
    Starting sec_client service (please wait).
    This machine is now a security client.

The procedure continues with the following messages and prompts.
    Configuring CDS client
    Creating the cds.conf file
    Starting CDS advertiser daemon (cdsadv)...
    Testing access to CDS server (please wait).
    Deleting known hosts/dcehost objects from name space
    Creating hosts/dcehost objects in name space
    This machine is now a CDS client.
    Configuring DTS daemon as client (dtsd)
    Starting DTS daemon (dtsd)...
    This machine is now a DTS clerk.
    Enabling DCE SIA
    Configuring security replica server

The procedure prompts you to enter the security replica name:

    Enter the security replica name (without subsys/dce/sec) [dcehost]:

After you enter the security replica name, you are prompted for a keyseed. Enter several random characters.

    *************************************************************
    * Starting the security server requires that you supply     *
    * a 'keyseed.' When asked for a 'keyseed,' type some        *
    * random, alphanumeric keystrokes, followed by RETURN.      *
    * (You won't be required to remember what you type.)        *
    *************************************************************

    Enter keyseed for initial database master key:

The keyseed seeds the master key that protects this replica's copy of the registry database, so type a long string of genuinely random characters rather than a word, a pattern on the keyboard, or a password you use elsewhere.

The procedure continues, displaying information similar to the following, depending on your configuration:

    Modifying acls on /.:/sec/replist...
    Modifying acls on /.:/subsys/dce/sec...
    Modifying acls on /.:/sec...
    Modifying acls on /.:...
    Modifying acls on /.:/cell-profile...
    Starting security server daemon (secd)...
    Waiting for registry propagation...
    Do you want to run the DCE Configuration Verification Program? (y/n/?) [y]:

If you type y to run the CVP at this time, you see the following display:

    Executing DIGITAL DCE V3.0 (Rev. 635) for DIGITAL UNIX CVP (please wait)
    Copyright (c) Digital Equipment Corporation. 1998. All Rights Reserved.
    Verifying...........
    DIGITAL DCE V3.0 (Rev. 635) for DIGITAL UNIX CVP completed successfully
    Modifying system startup procedure...
The DCE components that you have configured are added to your system startup procedure so that the daemons restart automatically whenever the system is rebooted. When the procedure completes, it displays the DCE Setup Main Menu.

If your system is configured as a Security Replica Server, option 2 on the Modify Configuration Menu shows "Remove Replica Security Server".

    *** Modify Configuration Menu ***

     1) Add Replica CDS Server
     2) Remove Replica Security Server
     3) Change from DTS Local Server to DTS clerk
     4) Change from DTS Local Server to DTS Global Server
     5) Add Null Time Provider
     6) Add NTP Time Provider
     7) Enable Auditing
     8) Enable DCE SIA
     9) Enable Kerberos 5
    10) Configure LDAP Name Service
    11) Add LDAP Client Service
    12) Enable LDAP GDA
    13) Add PKSS Server
    14) Register in X.500
     R) Return to previous menu

    Please enter your selection (or '?' for help):

Choose option 2 if you wish to remove a Security Replica from your DCE configuration. Its removal does not affect the rest of your system's DCE configuration.

Adding a DTS Local Server

If you want to add a DTS server to your machine, you can do so on a system that has already been configured as a client or on a system that has not yet been configured for DCE. The following example assumes no prior configuration.

Choose option 3 (Add DTS Local Server) from the Modify Configuration Menu. The procedure displays the following messages and asks you to enter your DCE hostname:

    At each prompt, press Return to take the default displayed in [braces]
    or enter '?' for help.

    Press Return to continue:

    Shutting down DCE services
    DCE services stopped
    Removing temporary local DCE databases and configuration files
    Removing permanent local DCE databases and configuration files
    Starting client configuration
    Initializing dced (dced)...
    Starting dced (dced)...
    Gathering list of currently accessible cells
    Please enter your DCE hostname [myhost]:

The procedure next displays an alphabetical list of the cells within broadcast range, then asks you to enter the name of your DCE cell:

    Please enter the name of your DCE cell (or '?' for help) []:

Supply the name of the DCE cell. Type the cell name without the /.../ prefix; it is added automatically. After you provide the cell name, depending on how your cell is configured, the following messages may be displayed:

    Starting CDS advertiser daemon (cdsadv)...
    Testing access to CDS server (please wait)....
    Attempting to locate security server
    Found security server
    Creating /opt/dcelocal/etc/security/pe_site file
    Checking local system time
    Looking for DTS servers in this LAN
    Found DTS server
    The local system time is: Thu Jul 13 10:32:25 1998
    Is this correct? (y/n):

Check the time before you respond to this prompt. If DECnet/OSI is installed on your system, the configuration utility displays the following message and then asks several questions about configuring a DCE Distributed Time Service server on your system.

    You seem to have DECnet/OSI installed on this system.
    DECnet/OSI includes a distributed time synchronization service
    (DECdts), which does not currently support the DCE Distributed
    Time Service (DCE DTS) functionality. The DCE DTS in this release
    provides full DECdts functionality. This installation will stop
    DECdts and use DCE DTS instead. For further clarification, please
    consult the DCE for DIGITAL UNIX Product Guide.

    Even though DCE DTS will be used, it is possible to accept time
    from DECdts servers.

    Should this node accept time from DECdts servers? (y/n) [n]:

If you want to use DCE Security Integration Architecture (SIA), answer y to the following:

    Do you want to enable DCE SIA? (y/n) [y] :

Next, the procedure displays the following messages and asks you to log in. It also asks whether you want to run the CVP.
    This operation requires that you be authenticated as a member
    of the sec-admin group. Please login.

    Enter Principal Name: cell_admin
    Password:

    Configuring security client
    Creating /krb5/krb.conf file
    Adding kerberos5 entry to /etc/services
    Creating ktab entry for client
    Starting sec_client service (please wait).
    This machine is now a security client.
    Configuring CDS client
    Creating the cds.conf file
    Starting CDS advertiser daemon (cdsadv)...
    Testing access to CDS server (please wait).
    Creating hosts/myhost objects in name space
    This machine is now a CDS client.
    Configuring DTS daemon as server (dtsd)
    Stopping sec_client service...
    Starting sec_client service (please wait).
    Starting DTS daemon (dtsd)...
    Waiting for DTS daemon to synchronize (please wait).

If your system is configured as a DTS Local Server, option 3 shows "Change from DTS Local Server to DTS clerk".

    *** Modify Configuration Menu ***

     1) Add Replica CDS Server
     2) Add Replica Security Server
     3) Change from DTS Local Server to DTS clerk
     4) Add DTS Global Server
     5) Add Null Time Provider
     6) Add NTP Time Provider
     7) Enable Auditing
     8) Enable DCE SIA
     9) Enable Kerberos 5
    10) Configure LDAP Name Service
    11) Add LDAP Client Service
    12) Enable LDAP GDA
    13) Add PKSS Server
    14) Register in X.500
     R) Return to previous menu

    Please enter your selection (or '?' for help):

Choose option 3 if you wish to change your configuration from a DTS Local Server to a DTS clerk. This operation does not affect the rest of your system's DCE configuration.

Adding a DTS Global Server

If you want to add a DTS Global Server to your system, choose option 4 (Add DTS Global Server) from the Modify Configuration Menu. The procedure prompts you with the following messages:

    At each prompt, press Return to take the default displayed in [braces]
    or enter '?' for help.
    Press Return to continue:

    Shutting down DCE services
    DCE services stopped
    Removing temporary local DCE databases and configuration files
    Removing permanent local DCE databases and configuration files
    Starting client configuration
    Initializing dced (dced)...
    Starting dced (dced)...
    Gathering list of currently accessible cells
    Please enter your DCE hostname [dcehost]:

After you enter your DCE hostname, the procedure displays an alphabetical list of cells it has found within broadcast range of your system. In many environments, the list consists of only one name. Choose the name of the DCE cell that you want to join. If you do not know the name of the cell, consult your network administrator. Do not add the /.../ prefix to the cell name; the procedure adds it automatically.

    Please enter the name of your DCE cell (or '?' for help) []:

If you enter a cell name that is not on the list, the procedure assumes you are performing a WAN configuration and asks you to enter the hostname of the master CDS server for your cell.

After you enter your cell name, the procedure continues, displaying information similar to the following, depending on your configuration:

    Starting CDS advertiser daemon (cdsadv)...
    Testing access to CDS server (please wait)....
    Attempting to locate security server
    Found security server
    Creating /opt/dcelocal/etc/security/pe_site file
    Checking local system time
    Looking for DTS servers in this LAN
    Found DTS server
    Found DTS server
    Looking for DTS servers in this cell
    No DTS servers found in cell
    The local system time is: Thu Jul 13 10:36:36 1998
    Is this time correct? (y/n):

Make sure the correct time is displayed before you continue with the configuration. If the time is incorrect, specify n, and the procedure exits to the operating system so that you can reset the system time.
After you correct or verify the time, specify y. If you have DECnet/OSI installed and configured, the procedure continues with the following message:

    You seem to have DECnet/OSI installed on this system.
    DECnet/OSI includes a distributed time synchronization service
    (DECdts), which does not currently support the DCE Distributed
    Time Service (DCE DTS) functionality. The DCE DTS in this release
    provides full DECdts functionality. This installation will stop
    DECdts and use DCE DTS instead. For further clarification, please
    consult the DCE for DIGITAL UNIX Product Guide.

    Even though DCE DTS will be used, it is possible to accept time
    from DECdts servers.

    Should this node accept time from DECdts servers? (y/n) [n]:

Specify y to accept time from any DECnet/OSI DECdts server; time from this source is unauthenticated. If you specify n, this system accepts time only from DCE time servers.

    Do you want to enable DCE SIA? (y/n) [y] :

After you respond to the prompt, the procedure stops the CDS advertiser and asks you to perform a dce_login operation:

    This operation requires that you be authenticated as a member
    of the sec-admin group. Please login.

    Enter Principal Name: cell_admin
    Password:

Obtain the password from your cell administrator. After you perform the dce_login operation, the procedure continues with the following messages:

    Configuring security client
    Creating /krb5/krb.conf file
    Adding kerberos5 entry to /etc/services
    Creating ktab entry for client
    Starting sec_client service (please wait).
    This machine is now a security client.
    Configuring CDS client
    Creating the cds.conf file
    Starting CDS advertiser daemon (cdsadv)...
    Testing access to CDS server (please wait).
    Deleting known hosts/dcehost objects from name space
    Creating hosts/dcehost objects in name space
    This machine is now a CDS client.
    Enabling DCE SIA
    Configuring DTS daemon as server (dtsd)
    Stopping sec_client service...
    Starting sec_client service (please wait).
    Starting DTS daemon (dtsd)...
    Waiting for DTS daemon to synchronize (please wait)..........
    Do you want to run the DCE Configuration Verification Program? (y/n/?) [y]:

The DCE Configuration Verification Program (CVP) exercises the components of DCE that are running in this cell. It requires approximately 1 to 2 minutes to run. If you type y to run the CVP at this time, you see the following display:

    Executing DIGITAL DCE V3.0 (Rev. 635) for DIGITAL UNIX CVP (please wait)
    Copyright (c) Digital Equipment Corporation. 1998. All Rights Reserved.
    Verifying...........
    DIGITAL DCE V3.0 (Rev. 635) for DIGITAL UNIX CVP completed successfully
    Modifying system startup procedure...

The DCE components that you have configured are added to your system startup procedure so that the daemons restart automatically whenever the system is rebooted. When the procedure is completed, the DCE Setup Main Menu is redisplayed.

If your system is configured as a DTS Global Server, option 4 shows "Change from DTS Global Server to DTS clerk".

    *** Modify Configuration Menu ***

     1) Add Replica CDS Server
     2) Add Replica Security Server
     3) Add DTS Local Server
     4) Change from DTS Global Server to DTS clerk
     5) Add Null Time Provider
     6) Add NTP Time Provider
     7) Enable Auditing
     8) Enable DCE SIA
     9) Enable Kerberos 5
    10) Configure LDAP Name Service
    11) Add LDAP Client Service
    12) Enable LDAP GDA
    13) Add PKSS Server
    14) Register in X.500
     R) Return to previous menu

    Please enter your selection (or '?' for help):

Choose option 4 if you wish to change your configuration from a DTS Global Server to a DTS clerk. When the procedure is completed, the Modify Configuration Menu redisplays.

Adding a Null Time Provider

The null time provider allows DTS to set the inaccuracy without setting the time or in any way modifying the host system time.
If you want to add a null time provider to your system, choose option 5 (Add Null Time Provider) from the Modify Configuration Menu. The configuration adds and starts the null time provider, displaying the following messages:

    Starting Null Time Provider (dts_null_provider)...
    Press Return to continue:

Press Return. When the procedure is completed, the Modify Configuration Menu redisplays.

Adding an NTP Time Provider

If your site uses Network Time Protocol (NTP) to set system time, you can use those time signals to synchronize DTS. Briefly, one DTS server uses the NTP time provider software to synchronize with NTP. That DTS server synchronizes with other DTS servers using DTS time signals. Refer to the OSF DCE Administration Guide - Core Components volume for further information about getting time from NTP time sources.

If you want to add an NTP time provider to your system, choose option 6 (Add NTP Time Provider) from the Modify Configuration Menu. The configuration adds and starts the NTP time provider, displaying the following messages:

    Starting NTP Time Provider (dts_ntp_provider)...
    Enter the hostname where the NTP server is running: dcedts.lkg.dec.com
    Press Return to continue:

Press Return. When the procedure is completed, the Modify Configuration Menu redisplays. The NTP server you name here becomes the time reference for this DTS server and, through it, for the DTS servers that synchronize with it, so name a server your site controls and trusts.

Enabling Auditing

DCE auditing facilities detect and record critical events in distributed applications. To enable DCE auditing on your machine, choose option 7 (Enable Auditing) from the Modify Configuration Menu. The procedure begins configuring the Audit daemon and prompts you to log in to the cell:

    Configuring Audit daemon (auditd)
    This operation requires that you be authenticated as a member
    of the sec-admin group. Please login.
    Enter Principal Name:
    Password:

After you log in, the procedure creates default filters and completes configuring the Audit daemon:

    Creating default filters for security, dts, and audit
    Successfully configured Audit daemon
    Press Return to continue:

If auditing was previously enabled on your system, option 7 displays as "Disable Auditing". Choose this option if you want to disable auditing on your system. When the procedure is completed, the Modify Configuration Menu redisplays.

Configuring the Kerberos 5 Utilities

DCE for DIGITAL UNIX supports kerberized and non-kerberized rlogin, rsh, and telnet. The kerberized utilities let users and services authenticate to each other with Kerberos 5 credentials issued by the cell's security server, instead of relying on cleartext passwords or host-based trust. Choosing to use the Kerberos 5 utilities means that they are added to your system startup procedure and restart automatically whenever the system is rebooted.

Choose option 9 to modify your configuration to add the Kerberos 5 utilities rlogin, rsh, and telnet.

    *** Modify Configuration Menu ***

     1) Add Replica CDS Server
     2) Add Replica Security Server
     3) Add DTS Local Server
     4) Change from DTS Global Server to DTS clerk
     5) Add Null Time Provider
     6) Add NTP Time Provider
     7) Enable Auditing
     8) Enable DCE SIA
     9) Enable Kerberos 5
    10) Configure LDAP Name Service
    11) Add LDAP Client Service
    12) Enable LDAP GDA
    13) Add PKSS Server
    14) Register in X.500
     R) Return to previous menu

    Please enter your selection (or '?' for help):

When the procedure is completed, the Modify Configuration Menu redisplays.

Configuring the LDAP Name Service

Configuring the LDAP name service involves three steps on the Modify Configuration Menu. The first step defines to the system the extent of the additional capabilities that can be enabled. If fully configured, LDAP provides a second path to the X.500 directory service, requires less overhead than DAP, and runs over TCP/IP.
Choose option 10 to add the LDAP name service to the configuration.

    *** Modify Configuration Menu ***

     1) Add Replica CDS Server
     2) Add Replica Security Server
     3) Add DTS Local Server
     4) Change from DTS Global Server to DTS clerk
     5) Add Null Time Provider
     6) Add NTP Time Provider
     7) Enable Auditing
     8) Enable DCE SIA
     9) Enable Kerberos 5
    10) Configure LDAP Name Service
    11) Add LDAP Client Service
    12) Enable LDAP GDA
    13) Add PKSS Server
    14) Register in X.500
     R) Return to previous menu

    Please enter your selection (or '?' for help):

Next, to configure the LDAP name service, specify the location of the LDAP server and the distinguished name (DN) of your DCE cell as it appears in the LDAP name space. You are prompted for the necessary information in the following dialog. You can enter '?' at any prompt for help.

    Please enter the hostname of the ldap server [localhost]:

The LDAP server must be known to the network by a name.

    Please enter the port number of the ldap server [389]:

If no other port number is specified, press Return to accept the default, port 389.

    Please enter the authentication dn to the ldap server:

Enter the distinguished name that DCE uses to bind to (authenticate to) the LDAP server. Use an identity with no more privilege than the configuration needs: read access for lookups, and write access only to the part of the directory in which the cell and its hosts' entries are created.

    Please enter the password of the authentication dn:
    Type again to confirm:
    Please enter the cell dn in LDAP syntax []:

Enter the distinguished name of the cell.

    Configuring LDAP client services
    Testing LDAP server access...

If the ldapsearch utility is not installed or not on the search path, or if the server information you provided is wrong, the access test fails with messages such as:

    /usr/sbin/dcesetup: ldapsearch: not found
    *** Error contacting the LDAP server
    Please verify the LDAP configuration you provided is correct.
    Press Return to continue:

When the procedure is completed, the Modify Configuration Menu redisplays.
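The following script is an added example and is not part of the DCE for DIGITAL UNIX product or of dcesetup. It runs the same checks ahead of time that the "Testing LDAP server access..." step performs, for the answers asked for here and again under Add LDAP Client Service and Enable LDAP GDA: that ldapsearch is actually on the search path (the "ldapsearch: not found" failure above), that the authentication DN and cell DN are well-formed LDAP DNs, and that the bind DN can read the cell entry. It assumes an OpenLDAP-style ldapsearch (-x simple bind, -H URI, -y password file); the host names and DNs in it are placeholders, not values from this guide. It also avoids passing the bind password on the command line, where ps would show it.

```shell
#!/bin/sh
# Added example, not part of the DCE for DIGITAL UNIX guide or of dcesetup:
# pre-flight checks for the answers to "Configure LDAP Name Service",
# "Add LDAP Client Service" and "Enable LDAP GDA". Assumes an OpenLDAP-style
# ldapsearch (-x simple bind, -H URI, -y password-file). Host names and DNs
# used below are placeholders.

# dcesetup's "/usr/sbin/dcesetup: ldapsearch: not found" means the client
# utility is missing from PATH, not that the answers were wrong. Check it first.
have_ldapsearch() {
    command -v ldapsearch >/dev/null 2>&1
}

# A DN "in LDAP syntax" is a comma-separated list of attr=value pairs, e.g.
# ou=mylocation,o=mycompany,c=mycountry. Returns 0 when every component has
# an attribute type (letters, digits, '-') and a non-empty value.
valid_dn() {
    [ -n "$1" ] || return 1
    old_ifs=$IFS; IFS=','
    set -- $1
    IFS=$old_ifs
    for rdn in "$@"; do
        rdn=$(printf '%s' "$rdn" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case $rdn in
            *=*) ;;
            *)   return 1 ;;                 # no attr=value separator
        esac
        attr=${rdn%%=*}
        value=${rdn#*=}
        case $attr in
            ''|*[!A-Za-z0-9-]*) return 1 ;;   # missing or malformed type
        esac
        [ -n "$value" ] || return 1
    done
    return 0
}

# ldapsearch -w <password> exposes the password in the process list; write it
# to a mode-0600 file and pass that with -y instead. OpenLDAP uses the file's
# exact contents as the password, so no trailing newline is written.
write_pw_file() {          # usage: printf '%s' "$pw" | write_pw_file /path
    ( umask 077; tr -d '\n' > "$1" )
}

# Reproduces the "Testing LDAP server access..." step: bind as the
# authentication DN and read the cell entry itself (base scope). Exit status:
# 0 ok, 3 malformed DN, 2 ldapsearch missing, anything else is ldapsearch's.
ldap_access_check() {
    host=$1 port=$2 bind_dn=$3 pw_file=$4 cell_dn=$5
    valid_dn "$bind_dn" || { echo "malformed authentication dn: $bind_dn" >&2; return 3; }
    valid_dn "$cell_dn" || { echo "malformed cell dn: $cell_dn" >&2; return 3; }
    have_ldapsearch || { echo "ldapsearch not found in PATH" >&2; return 2; }
    ldapsearch -x -H "ldap://$host:$port" -D "$bind_dn" -y "$pw_file" \
        -b "$cell_dn" -s base '(objectClass=*)' dn >/dev/null 2>&1
}

# Usage: sh ldap_preflight.sh <host> <port> <bind-dn> <password-file> <cell-dn>
if [ $# -eq 5 ]; then
    if ldap_access_check "$@"; then
        echo "LDAP server, authentication dn and cell entry are usable"
    else
        echo "LDAP pre-flight check failed; fix this before running dcesetup option 10" >&2
        exit 1
    fi
fi
```

Run it with the same five answers you intend to give dcesetup, for example `sh ldap_preflight.sh ldapserver 389 'cn=dceadmin,o=mycompany,c=mycountry' /etc/dce-ldap.pw 'ou=mylocation,o=mycompany,c=mycountry'` after creating the password file with `write_pw_file`. A base-scope search of the cell DN is used deliberately: it proves both that the bind succeeded and that the superior entry the cell registration depends on already exists.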
Adding LDAP Client Service

The LDAP Client Service option adds or removes host-specific information in the LDAP namespace; that is, it creates server, group, and profile entries in LDAP like those created in CDS during DCE client configuration. Examples of such entries include everything under /.:/hosts/HOST_NAME. Choose option 11 to configure LDAP Client Service.

    *** Modify Configuration Menu ***

     1) Add Replica CDS Server
     2) Add Replica Security Server
     3) Add DTS Local Server
     4) Change from DTS Global Server to DTS clerk
     5) Add Null Time Provider
     6) Add NTP Time Provider
     7) Enable Auditing
     8) Enable DCE SIA
     9) Enable Kerberos 5
    10) Configure LDAP Name Service
    11) Add LDAP Client Service
    12) Enable LDAP GDA
    13) Add PKSS Server
    14) Register in X.500
     R) Return to previous menu

    Please enter your selection (or '?' for help):

When the procedure is completed, the Modify Configuration Menu redisplays.

Configuring LDAP Support for the Global Directory Assistant

After enabling LDAP and adding LDAP Client Service, you must connect LDAP to the global directory agent (GDA). Cross-cell directory service is controlled by a GDA, which looks up foreign cell information on behalf of the application in either the Domain Name System (DNS) or the X.500 database. Applications can request directory services from CDS, from LDAP, or from both. LDAP is provided as an optional directory service that is independent of CDS and duplicates CDS functionality. Choose option 12 to configure communication between LDAP and the GDA.
    *** Modify Configuration Menu ***

     1) Add Replica CDS Server
     2) Add Replica Security Server
     3) Add DTS Local Server
     4) Change from DTS Global Server to DTS clerk
     5) Add Null Time Provider
     6) Add NTP Time Provider
     7) Enable Auditing
     8) Enable DCE SIA
     9) Enable Kerberos 5
    10) Configure LDAP Name Service
    11) Add LDAP Client Service
    12) Enable LDAP GDA
    13) Add PKSS Server
    14) Register in X.500
     R) Return to previous menu

    Please enter your selection (or '?' for help):

To complete the configuration of the LDAP name service, specify the location of the LDAP server and the distinguished name of your DCE cell as it appears in the LDAP name space. You are prompted for the necessary information in the following dialog. You can enter '?' at any prompt for help.

    Please enter the hostname of the ldap server [localhost]: cell
    Please enter the port number of the ldap server [389]:
    Please enter the authentication dn to the ldap server []:
    Please enter the password of the authentication dn:
    Type again to confirm:
    Please enter the cell dn in LDAP syntax []:
    Re-starting Global Directory Agent daemon
    Stopping gdad [ pid: 22372 ] ...
    Starting Global Directory Agent daemon (gdad)...
    LDAP is successfully enabled for gdad

When the procedure is completed, the DCE Setup Main Menu is redisplayed.

Adding a Private Key Storage Server

Setting up a Private Key Storage Server (PKSS) is an important part of an overall security plan. DCE for DIGITAL UNIX provides the public key security technology made available in OSF DCE Release 1.2.2. It is part of a security model in which a public and private key pair is used to lock and unlock information: what is encrypted under a principal's public key can be decrypted only with the matching private key. Private keys are too long to memorize, hence the need for a secure place to store them. Private keys are used most often at login, which presents a key management problem if the keys are kept where they might be corrupted or stolen.
Short of issuing smart cards, the private key storage service provides the best assurance that a principal's private key is not exposed where it could be intercepted or read in transit, and therefore that material encrypted for that principal can be decrypted only by its legitimate holder. Choose option 13 to add a PKSS to your system.

    *** Modify Configuration Menu ***

     1) Add Replica CDS Server
     2) Add Replica Security Server
     3) Add DTS Local Server
     4) Change from DTS Global Server to DTS clerk
     5) Add Null Time Provider
     6) Add NTP Time Provider
     7) Enable Auditing
     8) Enable DCE SIA
     9) Enable Kerberos 5
    10) Configure LDAP Name Service
    11) Add LDAP Client Service
    12) Enable LDAP GDA
    13) Add PKSS Server
    14) Register in X.500
     R) Return to previous menu

    Please enter your selection (or '?' for help):

Note: PKSS cannot be part of a replica.

The messages shown here are from a system on which a PKSS was already configured, so the option removes it rather than adding it; on a system without one, the same option adds the server.

    This operation requires that you be authenticated as a member
    of the sec-admin group. Please login.

    Enter Principal Name:
    Password:

    Removing PKSS server...
    Shutting down pkssd
    Press Return to continue:

When the procedure is completed, the Modify Configuration Menu is redisplayed.

Registering a Cell in X.500

Searching for destinations in other cells requires a connection to a directory service database. All cross-cell directory name searches are controlled by the global directory agent (GDA), which looks up foreign cell information on behalf of an application in either the Domain Name System (DNS) or the X.500 database. Choose option 14 to set up communication between your configured cell and the X.500 directory service.

    *** Modify Configuration Menu ***

     1) Add Replica CDS Server
     2) Add Replica Security Server
     3) Add DTS Local Server
     4) Change from DTS Global Server to DTS clerk
     5) Add Null Time Provider
     6) Add NTP Time Provider
     7) Enable Auditing
     8) Enable DCE SIA
     9) Enable Kerberos 5
    10) Configure LDAP Name Service
    11) Add LDAP Client Service
    12) Enable LDAP GDA
    13) Add PKSS Server
    14) Register in X.500
     R) Return to previous menu

    Please enter your selection (or '?' for help):

If you select the Register in X.500 option, you next see the X.500 menu, which requires you to specify an object class for your cell. Enter the X.500 object class corresponding to the last component of your cell name. For example, if your cell name is /.../c=mycountry/o=mycompany/ou=mylocation, the object class is Organizational Unit.

     1) Organizational Unit
     2) Organization
     3) Organization Role
     4) Country
     5) Locality
     6) Application Entity
     7) Application Process
     8) Group of Names
     9) Device
    10) Person
    11) Return to Main Menu

    Please enter the object class for cell (or '?' for help):

Every entry in X.500 is classified according to the characteristics of the real-world object that it represents. Before the cell entry can be created in the X.500 directory, you must specify the class of the entry. For example, if you choose option 1, the organizational unit class is specified.

The superior entries must exist before the cell entry can be created. In the above example, c=mycountry/o=mycompany must exist before you choose the cell registration option. If the cell entry already exists, you are asked to confirm whether the cell attribute information should be replaced. DIGITAL cell registration, which is compatible with OSF DCE GDS, saves the cell information in the special CDS-Cell and CDS-Replicas attributes.

If the cell registration fails, the following error is displayed:

    *** Error: Unable to register cell information in X.500
    Please refer to the dcesetup log file /opt/dcelocal/dcesetup.log
    for more information.

If the procedure completes successfully, the Modify Configuration Menu is redisplayed.
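The following script is an added example; it is not part of the DCE for DIGITAL UNIX product or of dcesetup. It carries the example above through for an arbitrary cell name: it strips the /.../ global-root prefix, takes the last relative distinguished name, maps its attribute type to the object-class option on the X.500 menu, and prints the superior entry (c=mycountry/o=mycompany in the example) that must already exist before registration. The mapping of ou, o, c and l to Organizational Unit, Organization, Country and Locality is the standard X.500 one; any other attribute type (cn in particular, which Organization Role, Application Entity, Application Process, Group of Names, Device and Person all use) is reported as ambiguous so that you choose from the menu yourself rather than have the script guess.

```shell
#!/bin/sh
# Added example, not part of the DCE for DIGITAL UNIX guide or of dcesetup.
# Given a cell name such as /.../c=mycountry/o=mycompany/ou=mylocation, derive
# the "Register in X.500" object-class menu answer and the superior entry that
# must already exist. Only ou/o/c/l are mapped; other attribute types are
# ambiguous (several menu classes are named by cn) and are rejected.

# Strip the /.../ global-root prefix and print the remaining RDN path.
# Fails when the argument is not a fully qualified cell name.
cell_rdn_path() {
    case $1 in
        /.../*) printf '%s\n' "${1#/.../}" ;;
        *)      return 1 ;;
    esac
}

# Last component of the cell name, e.g. ou=mylocation
cell_leaf_rdn() {
    path=$(cell_rdn_path "$1") || return 1
    printf '%s\n' "${path##*/}"
}

# Everything before the last component, e.g. c=mycountry/o=mycompany.
# Empty when the cell sits directly under the root (a single component).
cell_superior_dn() {
    path=$(cell_rdn_path "$1") || return 1
    case $path in
        */*) printf '%s\n' "${path%/*}" ;;
        *)   printf '\n' ;;
    esac
}

# Map the leaf attribute type to "<menu option> <class name>".
# Returns 1 (with a message on stderr) when the type cannot be mapped.
cell_object_class() {
    leaf=$(cell_leaf_rdn "$1") || return 1
    attr=${leaf%%=*}
    # attribute types are case-insensitive in X.500
    attr=$(printf '%s' "$attr" | tr 'A-Z' 'a-z')
    case $attr in
        ou) echo "1 Organizational Unit" ;;
        o)  echo "2 Organization" ;;
        c)  echo "4 Country" ;;
        l)  echo "5 Locality" ;;
        *)  echo "'$attr' maps to more than one X.500 class; choose from the menu" >&2
            return 1 ;;
    esac
}

# Usage: sh x500cell.sh /.../c=mycountry/o=mycompany/ou=mylocation
if [ $# -eq 1 ]; then
    if cls=$(cell_object_class "$1"); then
        echo "object class option : $cls"
        echo "superior entry      : $(cell_superior_dn "$1") (must already exist)"
    else
        exit 1
    fi
fi
```

Check the printed superior entry against the directory (for an LDAP-fronted directory, a base-scope search of that entry) before choosing option 14; if it is absent, the registration fails with the "Unable to register cell information in X.500" error above and the reason is only in /opt/dcelocal/dcesetup.log.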