HP OpenVMS Systems Documentation


Compaq TCP/IP Services for OpenVMS
Management



1.2 Enabling PATHWORKS/Advanced Server and DECnet-over-TCP/IP Support

TCP/IP Services software includes the PATHWORKS Internet Protocol (PWIP) driver and the PWIP ancillary control process (PWIP_ACP).

The PWIP driver allows OpenVMS systems that are running both the Compaq PATHWORKS/Advanced Server and the TCP/IP Services software to communicate with personal computers running PATHWORKS client software. It also enables the DECnet-over-TCP/IP feature, which is included with the DECnet-Plus for OpenVMS Version 6.0 and later software. For more information about DECnet over TCP/IP, see the DECnet-Plus for OpenVMS documentation.

1.2.1 Starting and Stopping the PWIP Driver

The PWIP driver can be shut down and started independently. The following files are provided:

  • SYS$STARTUP:TCPIP$PWIP_DRIVER_STARTUP.COM allows you to start up the PWIP driver.
  • SYS$STARTUP:TCPIP$PWIP_DRIVER_SHUTDOWN.COM allows you to shut down the PWIP driver.

To preserve site-specific parameter settings and commands, create the following files. These files are not overwritten when you reinstall TCP/IP Services.

  • SYS$STARTUP:TCPIP$PWIP_DRIVER_SYSTARTUP.COM can be used as a repository for site-specific definitions and parameters to be invoked when the PWIP driver is started.
  • SYS$STARTUP:TCPIP$PWIP_DRIVER_SYSHUTDOWN.COM can be used as a repository for site-specific definitions and parameters to be invoked when the PWIP driver is shut down.

To start the PWIP driver, run TCPIP$CONFIG or enter the following command:


$ @SYS$STARTUP:TCPIP$PWIP_DRIVER_STARTUP.COM

To shut down the connection to the PWIP driver, enter the following command:


$ @SYS$STARTUP:TCPIP$PWIP_DRIVER_SHUTDOWN.COM

1.3 Setting Up User Accounts and Proxy Identities

You will need to set up accounts for local users, coordinate the establishment of corresponding accounts on remote systems, and create accounts for remote users who will be accessing server components on the local host.

When creating accounts for remote users, you can create one account for all remote users, an account for groups of remote users, or accounts for individual users. The strategy you use depends on your organization, system resources, and security needs.

Certain product components (for example, LPD, RSH, RLOGIN, and NFS) act as servers for remote clients. You control access to your system and to these services by giving remote users proxy identities. A proxy identity maps a user account on one host to an account on another host. The information you provide with each entry, along with the privileges you set for the account, lets you specifically grant or deny access to your system.

The configuration procedure TCPIP$CONFIG creates a proxy database file called TCPIP$PROXY. You add proxies to this database with the ADD PROXY command. The TCP/IP Services product allows two types of proxies:

  • Communication proxy
    A communication proxy provides an identity for remote users of RSH, RLOGIN, RMT/RCD, and LPD. For each host, be sure to define the host name and any aliases. Proxy entries are case sensitive. Be sure to use the appropriate case when adding entries for remote users. Enter the ADD PROXY command as follows:


    TCPIP> ADD PROXY user /HOST=host /REMOTE_USER=user
    

    You can use wildcards when adding proxy entries for users on remote systems. For example, the following command provides the identity STAFF to any user on the remote host STAR:


    TCPIP> ADD PROXY STAFF  /HOST=STAR /REMOTE_USER=*
    
  • NFS proxy
    NFS proxies provide identities for users of NFS client, NFS server, and PC-NFS. In addition to host and user information, NFS proxies provide UNIX identities with UID/GID pairs. NFS proxies can specify access to the NFS client or the NFS server, or both.
    For example, the following command provides the OpenVMS identity CHESTER for a local NFS client user with the UID/GID pair 23/34.


    TCPIP> ADD PROXY CHESTER /NFS=OUTGOING /UID=23 /GID=34 /HOST="orbit"
    

    This user can access remote files from the NFS server orbit.

See the Compaq TCP/IP Services for OpenVMS Management Command Reference manual for a complete description of the ADD PROXY command. For a more complete discussion about UNIX style identities and how the NFS server and client use the proxy database, see Chapter 20.
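
The wildcard entry shown above maps every account on STAR to the STAFF identity. As an added example (not from the manual), the session below replaces that entry with explicit, case-preserving entries for the host name and an alias; the alias star.example.com and the remote users alice and bob are constructed, and SHOW PROXY and REMOVE PROXY are the companion commands to ADD PROXY.

```dcl
$! Added example, not from the manual. STAR and STAFF come from the text
$! above; star.example.com, alice and bob are constructed sample values.
$!
$! 1. List the current entries to see which ones use a wildcard.
$! 2. Drop the wildcard mapping for STAR first.
$! 3. Add one entry per remote user, for the host name and for its alias.
$!    Quotation marks preserve the lowercase spelling, which matters
$!    because proxy entries are case sensitive.
$! 4. List the entries again to confirm the result.
$ TCPIP
TCPIP> SHOW PROXY
TCPIP> REMOVE PROXY STAFF /HOST=STAR /REMOTE_USER=*
TCPIP> ADD PROXY STAFF /HOST=STAR /REMOTE_USER="alice"
TCPIP> ADD PROXY STAFF /HOST="star.example.com" /REMOTE_USER="alice"
TCPIP> ADD PROXY STAFF /HOST=STAR /REMOTE_USER="bob"
TCPIP> ADD PROXY STAFF /HOST="star.example.com" /REMOTE_USER="bob"
TCPIP> SHOW PROXY
TCPIP> EXIT
```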

1.4 Configuring a TCP/IP Cluster

If your host is part of an OpenVMS Cluster, you can use a cluster alias to represent the entire cluster or selected host members. In this case, the network sees the cluster as a single system with one name. Alternatively, you can configure clustering using a DNS alias, as described in Chapter 5.

Incoming requests are switched among the cluster hosts at the end of each cluster time interval (specified with the SET COMMUNICATION command).

Note

The cluster name is not switched from a host if there are any active TCP connections to the cluster interface on that host.

A remote host can use the cluster alias to address the cluster as a single host or the host name of the cluster member to address a cluster member individually.

All of the TCP/IP services support automatic failover and can be run on multiple nodes in an OpenVMS Cluster. For example, if more than one host in the cluster is running the NFS server, the cluster can appear to the NFS client as a single host. For more information about configuring a specific service for cluster failover, refer to the chapter in this manual that discusses the particular service.

1.4.1 Setting Up an ARP-Based Cluster

Compaq strongly recommends using the configuration procedure TCPIP$CONFIG to configure a TCP/IP cluster. If you cannot run TCPIP$CONFIG, configure a TCP/IP cluster by completing the following steps:

  1. Create the interfaces for all cluster members.
  2. Interactively specify an ARP-based cluster alias (for example, ALLOFUS). Enter:


    TCPIP> SET INTERFACE QE0 /CLUSTER=ALLOFUS  /C_NETWORK=255.255.0.0 -
    _TCPIP> /C_BROADCAST=128.44.55.0
    
  3. Make these settings permanent in the configuration database. Enter:


    TCPIP> SET CONFIGURATION INTERFACE QE0 /CLUSTER=ALLOFUS -
    _TCPIP> /C_NETWORK=255.255.0.0 /C_BROADCAST=128.44.55.0
    

    The interface changes take effect the next time the product starts up.
  4. Add the cluster host name or the cluster IP address to the database of the host. Enter the same information you use with the SET INTERFACE command.
  5. Change the interface parameters (specified with the SET INTERFACE command) only after deleting and re-creating an interface.
  6. Set the cluster timer with the SET COMMUNICATION or SET CONFIGURATION COMMUNICATION command. For example, enter:


    TCPIP> SET COMMUNICATION /CLUSTER_TIMER=30
    
  7. Optionally, direct traffic to a specific host by entering the following command:


    TCPIP> SET COMMUNICATION /CLUSTER_TIMER=0
    

    The host owns the cluster alias as long as there are active TCP connections using the alias until you either bring down the system or delete the network interface.

1.5 Auxiliary Server

The auxiliary server is the TCP/IP Services implementation of the UNIX internet daemon (inetd). In addition to standard inetd functions, the auxiliary server provides access control and event logging.

The auxiliary server listens continuously for incoming requests and acts as a master server for programs specified in its configuration file. The auxiliary server reduces the load on the system by invoking services only as they are needed.

1.5.1 How the Auxiliary Server Works

The auxiliary server listens for connections on the internet addresses of the services that its configuration file (TCPIP$SERVICE.DAT) specifies. When a connection is found, it invokes the server daemon for the service requested. Once a server is finished, the auxiliary server continues to listen on the socket.

When it receives a request, the auxiliary server dynamically creates a network process, obtaining user account information from one or all of the following sources:

  • TCP/IP Services proxy account
  • Services database
  • Remote client
  • Local OpenVMS user authorization file (UAF)

In addition, users requesting services at the client can include their user account information as part of the command line.

Once a process is created, the auxiliary server starts the requested service. All services except RLOGIN and TELNET must have access to their default device and directories and to the command procedures within them.

1.5.1.1 Rejecting Client Requests

The auxiliary server rejects client requests for the following reasons:

  • The maximum number of simultaneous processes for the requested service has been reached.
  • The request is from a host that is marked for rejection.
  • There is a problem with the target account or directory.

1.5.1.2 Configuring the Auxiliary Server

The postinstallation configuration procedure, TCPIP$CONFIG, creates an entry in the services database (TCPIP$SERVICE.DAT) for each service you configure. If you need to modify your initial configuration, run TCPIP$CONFIG or use the SET SERVICE command.

The configuration file TCPIP$SERVICE.DAT includes information about the service name, the socket and protocol type associated with the service, the user name under which the service should run, and any special options for the service program.

Before you activate a service manually, configure the auxiliary server as follows:

  1. Use the OpenVMS Authorize utility to create a restricted user account for the process. Use the following qualifiers when creating the account:
    • /NOINTERACTIVE
    • /NOBATCH
    • /NOREMOTE
    • /FLAGS=(RESTRICTED,NODISUSER,NOCAPTIVE)

    For more information about creating restricted accounts, see the OpenVMS system security documentation.
  2. Provide user account information that can be used when the network process is created. Plan your requirements carefully before setting privileges, quotas, and priorities to user accounts.
  3. Provide the network process name.
    The auxiliary server builds the network process name from the character string in the services database. Enter this string with the SET SERVICE command:


    TCPIP> SET SERVICE service /PROCESS_NAME=process
    

    Note

    For TELNET and RLOGIN, the process name is set by either the system or users.
  4. Set the maximum number of server processes that can run simultaneously. This number should not exceed the maximum number of sockets allowed on the system. To set the maximum number of processes that can connect to a service at the same time, enter the following TCP/IP management command:


    TCPIP> SET SERVICE service-name /LIMIT=n
    

    In this command, service-name is the name of the service to which the connections will be limited, and n is the number of connections that will be accepted by the service at one time.
    To activate the change, disable the service using the DISABLE SERVICE command, and then enable it using the ENABLE SERVICE command.
  5. Make sure that the protections in the systemwide SYLOGIN.COM file are set appropriately. If they are not, enter the following DCL command:


    $ SET PROTECTION=(W:RE) SYS$MANAGER:SYLOGIN.COM
    
  6. To ensure that the services database has an entry for each service offered, enter the SHOW SERVICE command.
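
The six steps above, carried through for one user-defined service, as an added example that is not taken from the manual. The name MYSVC (used for the account, the service and the process), the UIC [370,10], port 5001, the directory and MYSVC_RUN.COM are assumed, site-chosen values, and the password is a placeholder.

```dcl
$! Added example, not from the manual. MYSVC, UIC [370,10], port 5001, the
$! directory and MYSVC_RUN.COM are assumed values; replace the password
$! placeholder with a site-generated value.
$!
$! Steps 1-2: restricted account with the qualifiers listed in step 1.
$! TMPMBX and NETMBX are an assumed minimum privilege set; add only what
$! the server program requires.
$ SET DEFAULT SYS$SYSTEM
$ RUN AUTHORIZE
UAF> ADD MYSVC /UIC=[370,10] /PASSWORD=REPLACE_WITH_RANDOM_VALUE -
_UAF> /DEVICE=SYS$SYSDEVICE /DIRECTORY=[MYSVC] -
_UAF> /NOINTERACTIVE /NOBATCH /NOREMOTE -
_UAF> /FLAGS=(RESTRICTED,NODISUSER,NOCAPTIVE) -
_UAF> /PRIVILEGES=(TMPMBX,NETMBX) /DEFPRIVILEGES=(TMPMBX,NETMBX)
UAF> SHOW MYSVC
UAF> EXIT
$!
$! The service needs access to its default directory and the command
$! procedure in it; a problem there is one of the rejection reasons.
$ CREATE/DIRECTORY/OWNER_UIC=[370,10] SYS$SYSDEVICE:[MYSVC]
$!
$! Steps 3-4: user name, process name and connection limit, with event
$! logging turned on for the new service.
$ TCPIP
TCPIP> SET SERVICE MYSVC /PORT=5001 /PROTOCOL=TCP /USER_NAME=MYSVC -
_TCPIP> /PROCESS_NAME=MYSVC /FILE=SYS$SYSDEVICE:[MYSVC]MYSVC_RUN.COM -
_TCPIP> /LIMIT=4 /LOG_OPTIONS=ALL
TCPIP> EXIT
$!
$! Step 5: display the protection of SYLOGIN.COM, then set world access
$! with the command given in the manual if it is not already W:RE.
$ DIRECTORY/PROTECTION SYS$MANAGER:SYLOGIN.COM
$ SET PROTECTION=(W:RE) SYS$MANAGER:SYLOGIN.COM
$!
$! Step 6: confirm the database entry, then enable the service on the
$! running system and for the next TCP/IP Services startup.
$ TCPIP
TCPIP> SHOW SERVICE MYSVC /FULL
TCPIP> ENABLE SERVICE MYSVC
TCPIP> SET CONFIGURATION ENABLE SERVICE MYSVC
TCPIP> EXIT
```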

1.6 Enabling Services

The services you configured are enabled during the TCP/IP Services startup procedure. Afterwards, to initialize (enable) a service, enter the following command:


TCPIP> ENABLE SERVICE

The ENABLE SERVICE command immediately changes the running system. The SET CONFIGURATION ENABLE SERVICE command causes the services to be enabled the next time TCP/IP Services starts up.

To specify the type of socket, include the /PROTOCOL qualifier on the SET SERVICE command line. For example, to specify stream sockets, enter /PROTOCOL=TCP. To specify datagram sockets, enter /PROTOCOL=UDP.

The auxiliary server can set socket options for a requested service either before or during data communications. Some available options are:

  • KEEPALIVE (for TCP communications)
  • BROADCAST (for UDP communications)

To set the socket options, include the /SOCKET_OPTIONS qualifier on the SET SERVICE command.

1.6.1 Setting Up Event Logging

Event logging can help you manage the software. By default, user-defined services do not log events, but you can enable event logging for all or selected configured services. You can configure the product to log events to the operator's console, a log file, or both. To set up event logging, enter the following command:


TCPIP> SET SERVICE service-name /LOG_OPTIONS=ALL

For a list of all the logging options, see the SET SERVICE command description in the Compaq TCP/IP Services for OpenVMS Management Command Reference manual.

Some product components provide additional event logging capabilities. See individual component chapters for more information.


Chapter 2
Configuring Interfaces

OpenVMS systems running TCP/IP Services communicate with other internet hosts over a variety of physical media. Because TCP/IP is independent of the underlying physical network, IP addresses are implemented in the network software, not the network hardware. (See the Compaq TCP/IP Services for OpenVMS Software Product Description for a complete list of supported media.)

This chapter reviews key concepts and describes:

2.1 Key Concepts

A network controller is the hardware connection between a computer system and a physical network. Controllers perform the packet channeling to and from the physical medium of your network, usually a cable.

The network interface is a logical network controller: a software component that communicates with your network software and the network controller.

For each interface, you can enable or disable the interface, set the subnet mask, and assign IP and broadcast addresses.

2.2 Configuring Network Controllers

TCP/IP Services automatically recognizes network controllers at startup. If you need to change the configuration (remove, modify, or add new network controllers to your system) after installing and configuring the product, follow the installation and configuration instructions that come with your hardware; then run TCPIP$CONFIG again. The TCP/IP Services software will recognize the new controller immediately, and will create new interfaces the next time the software starts up.

Note

Hardware installation and configuration instructions are specific for the various network controllers. Be sure to read the instructions provided with your new hardware before installing.

2.3 Configuring Network Interfaces

The TCP/IP Services product supports one local software interface for loopbacks and one or more physical network interfaces for each physical network controller.

The configuration procedure initially configures your network interfaces. Use the following commands if you need to redefine an interface or configure serial lines. See Chapter 3 for more information about configuring serial lines.

  • SET INTERFACE
  • SET NOINTERFACE
  • SET CONFIGURATION INTERFACE
  • SET CONFIGURATION NOINTERFACE

To display information, use the SHOW INTERFACE command; to disable an interface, use the SET NOINTERFACE command.

Note

If you are redefining an existing interface, enter the SET NOINTERFACE command before you enter the SET INTERFACE command.

2.3.1 Specifying the Interface

Interface names include the following information:

  • One letter indicating the interface type
    Interface types indicate the type of controller. The following table shows the letters you can use to indicate each type of controller:

    For this controller    Use this interface type
    ATM                    I, L
    Ethernet               B, C, D, F, I, N, O, Q, R, S, W, X, Z
    FDDI                   A, C, F, Q, R, W
    Token Ring             C, R
    PPP/SLIP               S
    Local (loopback)       L

  • One letter indicating the interface class

    For this controller    Use this interface class
    ATM                    F
    Ethernet               E
    FDDI                   F
    Token Ring             T
    PPP                    P
    Serial                 L
    X25                    X
    Local (loopback)       O

  • An integer indicating the controller number. Controller numbers are decimal numbers in the range of 0 through 25, corresponding to OpenVMS hardware controller letters A through Z. The default is 0.

Primary interfaces for Ethernet controllers have names in the range SE, SE0, SE1, SE2, ...SE24, SE25.

Interfaces for PPP controllers have names in the range PP, PP0, PP1, ...PP998, PP999.

Interfaces for local (loopback) controllers have names in the range LO, LO0, LO1, ...LO8, LO9.

Note

OpenVMS network devices are always template devices and are enumerated as FWA0, FWB0, FWC0, ...FWY0, FWZ0.

2.3.2 Specifying the Network Mask

An IP address consists of a network number and a host number. The network mask is the part of the host field of the IP address that identifies the network. Every host on the same network must have the same network mask. To specify the network mask, use the /NETWORK_MASK qualifier.

TCP/IP Services calculates the default by setting:

  • The bits representing the network fields to 1
  • The bits representing the host field to 0

You can also divide the host field into a site-specific network and host field.

2.3.3 Specifying Additional IP Addresses

To establish an additional IP address for an interface, define a network alias. This can be useful when changing network numbers and you want to continue to accept packets addressed to the old interface, or for setting up a host with a single interface to act as a router between subnets. Network aliases can be added in two functionally identical ways:

  • Associate multiple addresses with an existing interface.
    You can use the ifconfig utility to associate multiple addresses with an existing interface. There is no limit to the number of aliases that can be created, and ranges of network addresses can be easily created. You should include the ifconfig command in SYS$STARTUP:TCPIP$SYSTARTUP.COM to ensure the network aliases are re-created whenever TCP/IP Services is restarted.
    For example, assume interface WF0 exists with a network address of 10.10.1.100 and a 24-bit subnet mask. To add an alias with an address of 10.10.2.100 with a 24-bit subnet mask, follow these steps:
    1. Define foreign commands:


      $ @SYS$MANAGER:TCPIP$DEFINE_COMMANDS.COM
      
    2. Display the current interfaces. Use quotation marks to preserve case. For example:


      $ netstat -n "-I" wf0
      Name  Mtu   Network     Address               Ipkts Ierrs    Opkts Oerrs  Coll
      WF0   4470  <Link>      0:0:f8:bd:bc:22     3049700     0  2976912   0     0
      WF0   4470  10.10.1     10.10.1.100         3049700     0  2976912   0     0
      
    3. Add the network alias:


      $ ifconfig wf0 alias 10.10.2.100/24
      
    4. Display the current interfaces. For example:


      $ netstat -n "-I" wf0
      Name  Mtu   Network     Address               Ipkts Ierrs    Opkts Oerrs  Coll
      WF0   4470  <Link>      0:0:f8:bd:bc:22     3049700     0  2976912   0     0
      WF0   4470  10.10.1     10.10.1.100         3049700     0  2976912   0     0
      WF0   4470  10.10.2     10.10.2.100         3049700     0  2976912   0     0
      

    A range of network addresses can be associated with an interface by using the aliaslist parameter to the ifconfig command. For more information, enter the following command:


    TCPIP> HELP IFCONFIG PARAMETERS
    
  • Configure a pseudo-interface.
    You can also create a pseudo-interface to associate another network address with the same physical interface. Use the SET INTERFACE TCP/IP Services management command to create a pseudo-interface. See Section 4.4.3 for more information.

