HP OpenVMS Systems Documentation


Compaq Availability Manager User's Guide



7.6.1.2 Changing a Data Analyzer Password for a Windows Data Collector Node

When you click Customize Windows NT... on the Customize menu of the Application window, the Availability Manager displays a Security page (Figure 7-14).

Figure 7-14 Windows Security Customization Page


To change the default password that the Data Analyzer uses to access Windows Data Collector nodes, enter a password of exactly 8 alphanumeric characters. This password is case sensitive; whenever you type it, you must use the original capitalization.

This password must also match the password for the Windows Data Collector node that you want to access. (See Section 7.6.3 for instructions for changing that password.)

When you are satisfied with your password, click OK. Exit and restart the Availability Manager for the password to take effect.

7.6.2 Changing Security Triplets on OpenVMS Data Collector Nodes

To change security triplets on an OpenVMS Data Collector node, you must edit the AMDS$DRIVER_ACCESS.DAT file, which is installed on all Data Collector nodes. The following sections explain what a security triplet is, how the Availability Manager uses it, and how to change it.

7.6.2.1 Understanding OpenVMS Security Triplets

A security triplet determines which nodes can access system data from an OpenVMS Data Collector node. The AMDS$DRIVER_ACCESS.DAT file on OpenVMS Data Collector nodes lists security triplets.

On OpenVMS Data Collector nodes, the AMDS$AM_CONFIG logical translates to the location of the default security file, AMDS$DRIVER_ACCESS.DAT. This file is installed on all OpenVMS Data Collector nodes.

A security triplet is a three-part record whose fields are separated by backslashes (\). A triplet consists of the following fields:

  • A network address (hardware address or wildcard character)
  • An 8-character alphanumeric password
    The password is not case sensitive (so the passwords "testtest" and "TESTTEST" are considered to be the same).
  • A read, write, or control (R, W, or C) access verification code

The exclamation point (!) is a comment delimiter; any characters to the right of the comment delimiter are ignored.

Example

All Data Collector nodes in group FINANCE have the following AMDS$DRIVER_ACCESS.DAT file:


*\FINGROUP\R   ! Let anyone with FINGROUP password read
               !
2.1\DEVGROUP\W ! Let only DECnet node 2.1 with
               ! DEVGROUP password perform fixes (writes)

7.6.2.2 How to Change a Security Triplet

Note

The configuration files for DECamds and the Availability Manager are separate; only one set is used, depending on which startup command procedure you use to start the driver.

See Installing the Availability Manager on OpenVMS Alpha Systems and Running DECamds and the Availability Manager Concurrently for a further explanation of the configuration file setup for both DECamds and the Availability Manager.

On each Data Collector node on which you want to change security, you must edit the AMDS$DRIVER_ACCESS.DAT file. The data in the AMDS$DRIVER_ACCESS.DAT file is set up as follows:


      Network address\password\access

Use a backslash character (\) to separate the three fields.

To edit the AMDS$DRIVER_ACCESS.DAT file, follow these steps:

  1. Edit the network address.
    The network address can be either of the following:
    • Hardware address
      The hardware address field is the physical hardware address in the LAN adapter chip. It is used if you have multiple LAN adapters or are running the Compaq DECnet-Plus for OpenVMS networking software on the system (not the Compaq DECnet Phase IV for OpenVMS networking software).
      For adapters provided by Compaq, the hardware address is in the form 08-00-2B-xx-xx-xx, where the 08-00-2B portion is Compaq's valid range of LAN addresses as defined by the IEEE 802 standards, and the xx-xx-xx portion is chip specific.
      To determine the value of the hardware address on a node, use the OpenVMS System Dump Analyzer (SDA) as follows:


      $ ANALYZE/SYSTEM
      SDA> SHOW LAN
      

      These commands display a list of available devices. Choose the template device of the LAN adapter you will be using, and then enter the following command:


      SDA> SHOW LAN/DEVICE=xxA0
      
    • Wildcard address
      The wildcard character (*) allows any incoming triplet with a matching password field to access the Data Collector node. Use the wildcard character to allow read access and to run the console application from any node in your network.
      Because the Data Analyzer does not use this field, you should use the wildcard character in this field in the AMDS$CONSOLE_ACCESS.DAT file.
      Caution: Use of the wildcard character for write-access security triplets enables any person using that node to perform system-altering fixes.
  2. Edit the password field.
    The password field must be an 8-byte alphanumeric field. The Availability Manager forces upper-case on the password, so "aaaaaaaa" and "AAAAAAAA" are essentially the same password to the Data Collector.
    The password field gives you a second level of protection when you want to use the wildcard address denotation to allow multiple modes of access to your monitored system.
  3. Enter R, W, or C as an access code:
    • R means READONLY allowance for the Data Analyzer.
    • W means READ/WRITE allowance for the Data Analyzer. (WRITE implies READ.)
    • C means CONTROL allowance for the Data Analyzer. CONTROL allows you to manipulate objects from which data are derived. (CONTROL implies both WRITE and READ.)

The following security triplets are all valid; an explanation follows the exclamation point (!).


*\1decamds\r   ! Anyone with password "1decamds" can monitor
*\1decamds\w   ! Anyone with password "1decamds" can monitor or write
2.1\1decamds\r ! Only node 2.1 with password "1decamds" can monitor
2.1\1decamds\w ! Only node 2.1 with password "1decamds" can monitor and write
08-00-2b-03-23-cd\1decamds\w ! Allows a particular hardware address to write
08-00-2b-03-23-cd\1decamds\r ! Allows a particular hardware address to read node

OpenVMS Data Collector nodes accept more than one password. Therefore, you might have several security triplets in an AMDS$DRIVER_ACCESS.DAT file for one Data Collector node. For example:


*\1DECAMDS\R
*\KOINECLS\R
*\KOINEFIX\W
*\AVAILMAN\C

In this example, Data Analyzer nodes with the passwords 1DECAMDS and KOINECLS would be able to see the Data Collector data, but only the Data Analyzer node with the KOINEFIX password would be able to write or change information, including performing fixes, on the Data Collector node. The Data Analyzer node with the AVAILMAN password would be able to perform switched LAN fixes.

If you want, you can set up your AMDS$DRIVER_ACCESS.DAT file to allow anyone in the world to read from your system but allow only certain nodes to write or change process or device characteristics on your system.

Note

After editing the AMDS$DRIVER_ACCESS.DAT file, you must stop and then restart the Data Collector. This action loads the new data into the driver.

7.6.2.3 How the Availability Manager Ensures Security

The Availability Manager performs these steps when using security triplets to ensure security among Data Analyzer and Data Collector nodes:

  1. A message is broadcast at regular intervals to all nodes within the LAN indicating the availability of a Data Collector node to communicate with a Data Analyzer node.
  2. The node running the Data Analyzer receives the availability message and returns a security triplet that identifies it to the Data Collector, and requests system data from the Data Collector.
  3. The Data Collector examines the security triplet to determine whether the Data Analyzer is listed in the AMDS$DRIVER_ACCESS.DAT file to permit access to the system.
    • If the AMDS$DRIVER_ACCESS.DAT file lists Data Analyzer access information, then the Data Provider and the Data Analyzer can exchange information.
    • If the Data Analyzer is not listed in the AMDS$DRIVER_ACCESS.DAT file or does not have appropriate access information, then access is denied and a message is logged to OPCOM. The Data Analyzer receives a message stating that access to that node is not permitted.

Table 7-3 describes how the Data Collector node interprets a security triplet match.

Table 7-3 Security Triplet Verification
| Security Triplet | Interpretation |
| --- | --- |
| 08-00-2B-12-34-56\HOMETOWN\W | The Data Analyzer has write access to the node only when the Data Analyzer is run from a node with this hardware address (multiadapter or DECnet-Plus system) and with the password HOMETOWN. |
| 2.1\HOMETOWN\R | The Data Analyzer has read access to the node when run from a node with DECnet for OpenVMS Phase IV address 2.1 and the password HOMETOWN. |
| *\HOMETOWN\R | Any Data Analyzer with the password HOMETOWN has read access to the node. |
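
The triplet format and matching rules from Sections 7.6.2.1 through 7.6.2.3, as an added Python example (not code from the Availability Manager or this guide): it parses AMDS$DRIVER_ACCESS.DAT text, reports the access a given address and password would receive, and lists the wildcard write or control triplets that the Caution in Section 7.6.2.2 warns about. The function names, the sample file contents, the case normalisation of the address field, and the rule that the highest matching access code wins when several triplets match are assumptions made for this example.

```python
import re

# Access codes ranked by privilege: C implies W, and W implies R.
RANK = {"R": 1, "W": 2, "C": 3}

def parse_triplets(text):
    """Parse AMDS$DRIVER_ACCESS.DAT text into (address, password, access) tuples."""
    triplets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("!", 1)[0].strip()        # '!' starts a comment
        if not line:
            continue
        # Normalise case; the page's valid examples mix upper and lower case.
        fields = [f.strip().upper() for f in line.split("\\")]
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected address\\password\\access")
        addr, pwd, acc = fields
        if not re.fullmatch(r"[A-Z0-9]{8}", pwd):
            raise ValueError(f"line {lineno}: password must be 8 alphanumeric characters")
        if acc not in RANK:
            raise ValueError(f"line {lineno}: access code must be R, W, or C")
        triplets.append((addr, pwd, acc))
    return triplets

def granted_access(triplets, address, password):
    """Return the highest access code granted to this address and password, or None.
    Assumption for this example: when several triplets match, the highest one wins."""
    matches = [acc for addr, pwd, acc in triplets
               if addr in ("*", address.upper()) and pwd == password.upper()]
    return max(matches, key=RANK.get, default=None)

def wildcard_write_triplets(triplets):
    """Triplets that give W or C access to any address (see the Caution in 7.6.2.2)."""
    return [t for t in triplets if t[0] == "*" and RANK[t[2]] >= RANK["W"]]

# Constructed sample file, assembled from triplets shown on this page.
SAMPLE = r"""*\1decamds\r                  ! anyone with the password can monitor
08-00-2b-03-23-cd\1decamds\w  ! one hardware address may also write
*\KOINEFIX\W                  ! wildcard write
*\AVAILMAN\C                  ! wildcard control
"""

if __name__ == "__main__":
    rules = parse_triplets(SAMPLE)
    for addr, pwd, acc in wildcard_write_triplets(rules):
        print(f"review: {addr}\\{pwd}\\{acc} gives {acc} access to any address")
    print(granted_access(rules, "08-00-2B-03-23-CD", "1decamds"))
```
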

7.6.3 Changing a Password on a Windows Data Collector

To change the Data Collector password in the Registry, follow these steps:

  1. Click the Windows Start button. First click Programs and then Command Prompt.
  2. Type regedit after the angle prompt (>).
    The system displays a screen for the Registry Editor, with a list of entries under My Computer.
  3. On the list displayed, click HKEY_LOCAL_MACHINE.
  4. Click SYSTEM.
  5. Click CurrentControlSet.
  6. Click Services.
  7. Click damdrvr.
  8. Click Parameters.
  9. Double-click Read Password. Then type a new 8-character alphanumeric password, and click OK to make the change.
  10. To store the new password, click Exit under File on the main menu bar.
  11. On the Control Panel, click Services and then Stop for "PerfServ."
  12. Again on the Control Panel, click Devices and then Stop for "damdrvr."
  13. First restart damdrvr under "Devices" and then restart PerfServ under "Services."
    This step completes the change of your Data Collector password.


Appendix A
CPU Process States

The CPU process states shown in the following table are displayed in the OpenVMS CPU Process States page (see Figure 3-7) and in the OpenVMS Process Information page (see Figure 3-19).

Table A-1 CPU Process States
| Process State | Description |
| --- | --- |
| CEF | Common Event Flag, waiting for a common event flag |
| COLPG | Collided Page Wait, involuntary wait state; likely to indicate a memory shortage, waiting for hard page faults |
| COM | Computable; ready to execute |
| COMO | Computable Outswapped, COM, but swapped out |
| CUR | Current, currently executing in a CPU |
| FPW | Free Page Wait, involuntary wait state; most likely indicates a memory shortage |
| LEF | Local Event Flag, waiting for a Local Event Flag |
| LEFO | Local Event Flag Outswapped; LEF, but outswapped |
| HIB | Hibernate, voluntary wait state requested by the process; it is inactive |
| HIBO | Hibernate Outswapped, hibernating but swapped out |
| MWAIT | Miscellaneous Resource Wait, involuntary wait state, possibly caused by a shortage of a systemwide resource, such as no page or swap file capacity or no synchronizations for single-threaded code. |

Types of MWAIT states are shown in the following table:

| MWAIT State | Definition |
| --- | --- |
| BYTLM Wait | Process waiting for buffered I/O byte count quota. |
| JIB Wait | Process in either BYTLM Wait or TQELM Wait state. |
| TQELM Wait | Process waiting for timer queue entry quota. |
| EXH | Kernel thread in exit handler (not currently used). |
| INNER_MODE | Kernel thread waiting to acquire inner-mode semaphore. |
| PSXFR | Process waiting during a POSIX fork operation. |
| RWAST | Process waiting for system or special kernel mode AST. |
| RWMBX | Process waiting because mailbox is full. |
| RWNBX | Process waiting for nonpaged dynamic memory. |
| RWPFF | Process waiting because page file is full. |
| RWPAG | Process waiting for paged dynamic memory. |
| RWMPE | Process waiting because modified page list is empty. |
| RWMPB | Process waiting because modified page writer is busy. |
| RWSCS | Process waiting for distributed lock manager. |
| RWCLU | Process waiting because OpenVMS Cluster is in transition. |
| RWCAP | Process waiting for CPU that has its capability set. |
| RWCSV | Kernel thread waiting for request completion by OpenVMS Cluster server process. |

| Process State | Description |
| --- | --- |
| PFW | Page Fault Wait, involuntary wait state; possibly indicates a memory shortage, waiting for hard page faults. |
| RWAST | Resource Wait State, waiting for delivery of an asynchronous system trap (AST) that signals a resource availability; usually an I/O is outstanding or a process quota is exhausted. |
| RWBRK | Resource Wait for BROADCAST to finish |
| RWCAP | Resource Wait for CPU Capability |
| RWCLU | Resource Wait for Cluster Transition |
| RWCSV | Resource Wait for Cluster Server Process |
| RWIMG | Resource Wait for Image Activation Lock |
| RWLCK | Resource Wait for Lock ID data base |
| RWMBX | Resource Wait on MailBox, either waiting for data in mailbox (to read) or waiting to place data (write) into a full mailbox (some other process has not read from it; mailbox is full so this process cannot write). |
| RWMPB | Resource Wait for Modified Page writer Busy |
| RWMPE | Resource Wait for Modified Page list Empty |
| RWNPG | Resource Wait for Non Paged Pool |
| RWPAG | Resource Wait for Paged Pool |
| RWPFF | Resource Wait for Page File Full |
| RWQUO | Resource Wait for Pooled Quota |
| RWSCS | Resource Wait for System Communications Services |
| RWSWP | Resource Wait for Swap File space |
| SUSP | Suspended, wait state process placed into suspension; it can be resumed at the request of an external process |
| SUSPO | Suspended Outswapped, suspended but swapped out |

