HP OpenVMS Systems Documentation

HP TCP/IP Services for OpenVMS

HP TCP/IP Services for OpenVMS
Management

Contents

Index

15.1.7.2 Connecting to the Kerberos TELNET Server

The Kerberos TELNET server uses port 2323. Specify this port on the TELNET command line. For example:

$ TELNET/AUTHENTICATE terse.mbs.com /PORT=2323

%TELNET-I-TRYING, Trying ... 17.21.205.153
%TELNET-I-SESSION, Session 01, host terse.mbs.com, port 2323
-TELNET-I-ESCAPE, Escape character is ^]

 Welcome to OpenVMS (TM) Alpha Operating System, Version V7.3

Username:

15.1.8 Kerberos Principal Names

Before you use the Kerberos TELNET client, make sure the local host name is fully qualified in the local hosts database. Kerberos realms form principal names using fully-qualified domain names. For example, terse.mbs.com is a fully qualified domain name; terse is a simple host name.

HP TCP/IP Services for OpenVMS is usually configured so that the host name is entered in the hosts database as a simple host name. That is, on host TERSE, the TCP/IP management command SHOW HOST TERSE returns terse , not terse.mbs.com .

To correct a mismatch between the Kerberos realm and the TCP/IP Services configurations, follow these steps from a privileged account at a time when system usage is low:

Find the host's numeric address. For example:

$ TCPIP
TCPIP> SHOW HOST terse

     LOCAL database

Host address    Host name

15.28.311.11   terse

Remove the simple host name. For example:
TCPIP> SET NOHOST terse/CONFIRM
Use the SET HOST command to associate the fully qualified domain name with the IP address, as shown in the following example:
TCPIP> SET host "terse.mbs.com"/ADDRESS=15.28.311.11 - _TCPIP> /ALIAS=("TERSE.MBS.COM", "terse", "TERSE")
Specify the /ALIAS qualifier to ensure that applications can handle host names in uppercase and lowercase.

Confirm that the first name returned is fully qualified.

TCPIP> SHOW HOST terse

     LOCAL database

Host address    Host name

15.28.311.11   terse.mbs.com, TERSE.MBS.COM, terse, TERSE

15.2 Solving TELNET Problems

To improve TELNET performance, try modifying some of the internet parameters. These changes might also decrease the use of system resources.

15.2.1 TELNET Characteristics That Affect Performance

The settings for the TELNET systemwide characteristics might affect TCP/IP Services and TELNET performance. To display the TELNET systemwide characteristics, enter:

TCPIP> SHOW SERVICE TELNET /FULL

The command generates a display similar to the following:


Service: TELNET
  State:  Enabled
 Port: 23  Protocol:  TCP  Address:  0.0.0.0
 Inactivity:  1  User_name: Process:  not defined
 Limit:30  Active: 1  Peak:  4
 File: not defined
 Flags:  Listen Priv Rtty
 Socket Opts:  Keepalive
 Receive: 3000  Send:  3000

 Log Opts:  Actv Dactv Conn Error Logi Logo Mdfy Rjct Addr

 File:  not defined

 Security
 Reject msg:  not defined
 Accept host: 0.0.0.0
 Accept netw: 0.0.0.0

15.2.2 Requests That Cannot Be Satisfied

The TELNET server sends the following error message for a TELNET login request that cannot be satisfied:

SS$_EXQUOTA

This error is due to insufficient local resources, such as:

Too many sessions
To determine whether this is the cause of the problem, check to see whether the maximum number of concurrent sessions has been exceeded. Enter the following TCP/IP management command:
TCPIP> SHOW SERVICE TELNET
If the maximum number of concurrent sessions has been exceeded, the display shows:
PEAK=limit
To increase the number of allowed sessions, enter the following command:
TCPIP> SET SERVICE TELNET /LIMIT=n
Insufficient OpenVMS nonpaged pool
To determine whether this is the cause of the problem, check to see whether the OpenVMS nonpaged pool is insufficient for servicing a new TELNET connection. If so, monitor the server.
To improve any of the parameters, redefine the logical names.
Excessive OpenVMS login sessions
To determine whether this is the cause of the problem, check to see whether the limit for maximum OpenVMS sessions has been exceeded. If the current value is not appropriate, redefine it.

Verify that the CHANNELCNT parameter (in SYSGEN) is larger than the number of simultaneous TELNET and RLOGIN sessions that you plan to support.

Chapter 16
Configuring and Managing FTP

The File Transfer Protocol (FTP) software transfers files between "nontrusted" hosts. Nontrusted hosts require user name and password information for remote logins.

The TCP/IP Services product includes an implementation of the FTP end-user applications.

This chapter describes:

How to manage the FTP service ( Section 16.1)
How to solve FTP problems ( Section 16.2)

For information on using FTP, see the HP TCP/IP Services for OpenVMS User's Guide.

16.1 Managing FTP

Managing FTP consists of the the following tasks:

Enabling and disabling FTP
Starting and Stopping FTP
Configuring anonymous FTP
Defining FTP logical names
Monitoring FTP with FTP log files

16.1.1 Enabling and Disabling FTP

After FTP is configured by TCPIP$CONFIG, the postinstallation configuration procedure, it is started automatically when TCP/IP Services is started.

To stop any new connections without losing existing connections, disable the FTP server interactively using the SET NOSERVICE command. This is useful before shutting down FTP, as described in Section 16.1.2.

To disable FTP when TCP/IP Services starts, use the SET CONFIGURATION NOSERVICE command.

See the HP TCP/IP Services for OpenVMS Management Command Reference for descriptions of the SET SERVICE and SET CONFIGURATION SERVICE commands.

16.1.2 FTP Startup and Shutdown

The FTP service can be shut down and started independently from TCP/IP Services. This is useful when you change parameters or logical names that require the service to be restarted.

The following command procedures are provided:

SYS$STARTUP:TCPIP$FTP_STARTUP.COM allows you to start FTP independently.
SYS$STARTUP:TCPIP$FTP_SHUTDOWN.COM allows you to shut down FTP independently.

To preserve site-specific parameter settings and commands, create the following files. These files are not overwritten when you reinstall TCP/IP Services:

SYS$STARTUP:TCPIP$FTP_SYSTARTUP.COM can be used as a repository for site-specific definitions and parameters to be invoked when FTP is started.
SYS$STARTUP:TCPIP$FTP_SYSHUTDOWN.COM can be used as a repository for site-specific definitions and parameters to be invoked when FTP is shut down.

16.1.3 Configuring Anonymous FTP

Anonymous FTP is an FTP session in which a user logs in to the remote server using the user name ANONYMOUS and, by convention, the user's real user name as the password.

On the local FTP server, local users can access files without password authentication. Remote users do not require an account. File access is controlled by regular OpenVMS access restrictions.

When you use TCPIP$CONFIG to establish an ANONYMOUS account, a new account is created with the UIC [ANONY,ANONYMOUS] (by default, [3376,xx]), user name ANONYMOUS, account ANONY, default directory SYS$SYSDEVICE:[ANONYMOUS], and the following types of login access:

network	full access
batch	no access
local	no access
dialup	no access
local	no access

The usual OpenVMS file protection codes restrict file access for inbound anonymous FTP sessions to this directory, its subdirectories, and files with an owner attribute of [ANONY,ANONYMOUS].

When the ANONYMOUS account has been created, a remote FTP client can:

Copy files to and from GUEST$PUBLIC.
From the ANONYMOUS$USER directory:
- Delete files
- Create directories
- Delete directories
- Rename files
- Rename directories

You can set up guest and public directories for bulletin board or group interest. Make sure the directory protections are set to read-only or read/write, as needed.

In the following example, UNIX user ubird connects to the ANONYMOUS account on OpenVMS host TRAGOPAN. TRAGOPAN asks for ubird 's password, which is not echoed. In response to this request, the user should supply the local system user name for identification purposes.

% ftp tragopan

Connected to tragopan.asian.pheasant.edu.
220 tragopan.asian.pheasant.edu FTP Server (Version 5.1) Ready.

Name (tragopan:wings): ANONYMOUS

331 Guest login ok, send ident as password.
Password: CARIBBEAN

230  Guest login ok, access restrictions apply.

        Welcome to HP TCP/IP Services for OpenVMS
        on internet host TRAGOPAN    Date 24-JUN-2000
FTP>

16.1.3.1 Concealed File Systems

The FTP server processes each command individually as it receives the command and displays a reply based on the command parameters. A reply can include a file specification that displays part of the server file system.

16.1.3.2 Setting Up Anonymous FTP

Complete the following steps to set up anonymous FTP access on your system:

Use the TCPIP$CONFIG procedure to create an account named ANONYMOUS with the password GUEST.
To create the ANONYMOUS user account, select Optional Components from the main menu, then select Setup Anonymous FTP Account and Directories.
Set user account access restrictions NOLOCAL, NOBATCH, NOREMOTE, and NODIALUP.
Optionally, create public directories and assign to them the devices names GUEST$PUBLIC and ANONYMOUS$USER. HP neither creates nor recommends the use of these directories. If you create these directories, be careful to set protections on them to allow read access only (for GUEST$PUBLIC) and use other security measures to protect the ANONYMOUS$USER directory.
Create a welcome banner.
When an anonymous user logs in, FTP informs the user of the account's restrictions. You can use the TCPIP$FTP_ANONYMOUS_WELCOME logical name add more information to the welcome text for anonymous users.
Define this logical using the following format:
$ DEFINE/SYSTEM/EXEC TCPIP$FTP_ANONYMOUS_WELCOME "Anonymous User Account"
Specify the file name and location for the log files generated by FTP sessions.
Use the TCPIP$FTP_ANONYMOUS_LOG logical name. If you do not define TCPIP$FTP_ANONYMOUS_LOG, FTP puts the files in SYS$SYSDEVICE:[TCPIP$FTP]TCPIP$FTP_ANONYMOUS.LOG.
Set this logical when the FTP server is not running. For example, to shut down the FTP server, define the file name and location of the log file, and then restart the server, enter the following commands:
$ @SYS$STARTUP:TCPIP$FTP_SHUTDOWN.COM $ DEFINE/SYSTEM TCPIP$FTP_ANONYMOUS_LOG dev:[directory]filename $ @SYS$STARTUP:TCPIP$FTP_STARTUP.COM
Where dev:[directory]filename is a complete directory and file name specification.
Specify a user name for the anonymous FTP account. Define the logical name TCPIP$FTP_ANONYMOUS_ALIAS. See Table 16-1 for more information.

16.1.4 Managing FTP with Logical Names

Table 16-1 lists the logical names that you can use to manage the FTP server. After you define a logical name, you must stop and start the FTP server for the new setting to take effect.

**Table 16-1 FTP Logical Names**
Logical Name	Description
TCPIP$FTP_ALLOW_ADDR_REDIRECT	Allows active-mode connections from an IP address other than the server's. By default, such connections are not allowed, thereby preventing unauthorized data connections from unknown servers.
TCPIP$FTP_ALLOW_PORT_REDIRECT	Allows passive-mode connections from ports other than port 20. By default, such connections are not allowed, preventing unauthorized data connections from unknown servers.
TCPIP$FTP_ANONYMOUS_ALIAS	Defines an equivalence list (up to 10 entries) of the login names of users with access to the ANONYMOUS account. These users share the same access rights and restrictions. If you do not define this logical name, the default is ANONYMOUS as the only login name. The following command shows how to create an equivalence list with the names THOMAS, JONES, and SMITH. These users can log in to the ANONYMOUS account without a password. $ DEFINE/SYSTEM/EXEC TCPIP$FTP_ANONYMOUS_ALIAS - _$ THOMAS,JONES,SMITH
TCPIP$FTP_ANONYMOUS_DIRECTORY	Defines public directories accessible by the anonymous FTP user.
TCPIP$FTP_ANONYMOUS_LOG	Defines the location of the anonymous log file. The default is SYS$SYSDEVICE:[TCPIP$FTP].
TCPIP$FTP_ANONYMOUS_WELCOME	Allows you to specify text that is displayed to anonymous users at connect time, after the login sequence. For more information, see Section 16.1.3.2.
TCPIP$FTP_CONVERT_FILE	Define this logical name as TRUE or FALSE. If defined as TRUE, the FTP server converts files to variable with fixed-length control (VFC) formatted files before transfer. With the VFC file, users retain the Record Management Services (RMS) formatting information of their files. For more information about RMS, refer to the OpenVMS Record Management Services Reference Manual. If TCPIP$FTP_CONVERT_FILE is defined as FALSE, there is no conversion, and RMS formatting information is lost after the file transfer.
TCPIP$FTPD_ALLOW_ADDR_REDIRECT	Allows passive-mode connections from an IP address other than the client's. By default, such connections are not allowed, thereby preventing unauthorized data connections from unknown clients.
TCPIP$FTPD_ALLOW_PORT_REDIRECT	Allows passive-mode connections from a privileged port. By default, such connections are not allowed, preventing unauthorized data connections from unknown clients.
TCPIP$FTPD_DIR_RECURSIVE	Enables recursive directory listings for the `ls` and `dir` commands.
TCPIP$FTPD_IDLETIMEOUT	Defines the maximum time interval that FTP child processes can remain idle before FTP closes them. TCP/IP Services terminates the FTP process if no control or data connection activity exists for the specified time. The default idle time is 15 minutes. This feature can help to improve system performance. Specify the value as hh:mm:ss.
TCPIP$FTPD_KEEPALIVE	Enables the FTP server to detect idle and broken FTP connections. Define this logical on the server host by entering: TCPIP> DEFINE /SYSTEM/EXEC TCPIP$FTPD_KEEPALIVE 1
TCPIP$FTPD_LOG_CLIENT_ACTIVITY	Activates logging of session-specific information, requests, and responses. The log file created is SYS$LOGIN:TCPIP$FTP_SERVER.LOG.
TCPIP$FTPD_NO_FILESIZE_HINT	If defined, the FTP client does not display the file size hint.
TCPIP$FTP_FILE_ALQ	Specifies the number of blocks to be preallocated by Record Management Services (RMS) to a disk when a file is created.
TCPIP$FTP_FILE_DEQ	Specifies the number of blocks to be added when RMS automatically extends the file.
TCPIP$FTP_HELP	Specifies an alternate HELP file. By default, the command HELP FTP reads the data in SYS$HELP:TCPIP$FTP_HELP.HLB. This logical allows you to specify an alternate HELP file, useful for getting information in a non-English language. For example, to define an alternate HELP library file, enter the following command: $ DEFINE/SYSTEM TCPIP$FTP_HELP dev:[directory]filename.HLB where dev:[directory]filename.HLB specifies the alternate HELP library file.
TCPIP$FTP_KEEPALIVE	Enables the FTP client to detect idle and broken FTP connections. Define this logical name in the system logical name table, as follows: $ DEFINE /SYSTEM/EXEC TCPIP$FTP_KEEPALIVE 1
TCPIP$FTP_NO_VERSION	If defined, FTP does not send file version numbers when you enter the `mget` and the `ls` commands to a host that is not an OpenVMS host. Define this logical name in the system logical name table, as follows: $ DEFINE /SYSTEM/EXEC TCPIP$FTP_NO_VERSION 1
TCPIP$FTP_RAW_BINARY	With this logical name turned on, FTP transfers files in block I/O mode if the server and client are in binary (image) mode. To activate this feature, define the logical name as TRUE. An FTP end-user can override your FALSE definition with the FTP PUT /RAW command.
TCPIP$FTP_SERVER	Defines the name and location of the TCPIP$FTP_SERVER.LOG file. By default, the log file is stored in the directory pointed to by SYS$LOGIN. For example, to specify a different directory, enter the following command:
$ DEFINE /SYSTEM TCPIP$FTP_SERVER dev:[directory]filename.log
TCPIP$FTP_SERVER_ANNOUNCE	Allows you to specify text that is displayed to users when they connect, before the login sequence. The following example shows how to specify a prelogin announcement: $ DEFINE/SYSTEM/EXEC TCPIP$FTP_SERVER_ANNOUNCE "FTP Ready" To activate this change, shut down the FTP server and restart it, as described in Section 16.1.2.
TCPIP$FTP_SERVER_LOG_CLIENT_BY_ADDRESS	Specifies that the FTP server will be using IP addresses instead of host names.
TCPIP$FTP_SERVER_NAME_SERVICE_RETRY	Specifies the number of times the BIND resolver should attempt to contact a BIND server if the first attempt fails. This logical name has no effect if the FTP server is using IP addresses instead of host names (that is, the logical name TCPIP$FTP_SERVER_LOG_CLIENT_BY_ADDRESS is defined).
TCPIP$FTP_SERVER_NAME_SERVICE_TIMEOUT	Specifies the number of seconds for the timeout interval. For more information, refer to the description of the SET NAME_SERVICE/TIMEOUT command in the HP TCP/IP Services for OpenVMS Management Command Reference manual. This logical name has no effect if the FTP server is using IP addresses instead of host names (that is, the logical name TCPIP$FTP_SERVER_LOG_CLIENT_BY_ADDRESS is defined).
TCPIP$FTP_STREAMLF	If defined, the FTP server and client create files as RMS STREAM_LF files. The default is variable-length files.
TCPIP$FTP_SERVER_GENERIC_READY_MESSAGE	If defined, the FTP server will not display specific service information when users connect. For example, when this logical name is not defined: NODE> FTP FTPSERVER/USER=auser/PASS=mypassword 220 ftpserver.node.com FTP Server (Version 5.4) Ready. Connected to ftpserver.mysys.myco.com. 331 Username AUSER requires a Password 230 User logged in. FTP> When this logical name is defined, the following is displayed when users connect: $ FTP FTPSERVER/USER=auser/PASS=mypassword 220 FTP server ready Connected to ftpserver.mysys.myco.com. 331 Username AUSER requires a Password 230 User logged in. FTP> You must restart the FTP service after changing the setting of this logical name.
TCPIP$FTP_WNDSIZ	Sets the size of the TCP send and receive transmission windows. Specify a decimal number for the number of bytes.