HP OpenVMS Systems Documentation

Content starts here

HP OpenVMS System Services Reference Manual


Previous Contents Index

On a given OpenVMS system, multiple authentication policies may be applicable. The system may be configured to augment the native (local OpenVMS) policy with alternatives pertaining to external environments, such as LAN Manager. Each policy, together with the operating environment to which it pertains, constitutes a domain of interpretation. Within a given domain, any entity, such as a user, that is subject to the applicable authentication policy, is referred to as a principal.

The $ACM service can be used to authenticate a principal, initiate a password change request on behalf of a principal, query information about a particular domain, or report event data within a particular domain.

The $ACM service completes asynchronously; that is, it returns to the caller after queuing the request, without waiting for the operation to complete.

To synchronize completion of an operation, use the Authentication and Credential Management and Wait ($ACMW) service. The $ACMW service is identical to $ACM in every way except that $ACMW returns to the caller after the operation has completed.

Modes of Operation

The typical authentication policy employs the traditional reusable password; however, various alternative mechanisms exist for forming stronger policies. Some of these mechanisms, such as challenge-response, require interaction. The $ACM service is designed to accommodate these mechanisms.

The authentication and change_password functions are capable of operating in a dialogue (iterative) mode to support different types of interactive authentication mechanisms. The query, event, and free_context functions only support the nondialogue (noniterative) mode of operation.

Nondialogue (Noniterative) Mode

The default nature of the $ACM service is to operate in a noniterative mode. All information needed to complete the request must be provided in a single call; otherwise, the request ultimately fails. This requires the caller to know beforehand what information is required to complete the request.

The following list summarizes the control flow for a typical nondialogue mode authentication request. For simplicity, the scenario assumes a single domain of interpretation with a traditional user name and password policy. Also, error processing is ignored.

  1. The caller of $ACM prompts the user for the principal name and password, builds an item list specifying the principal name and password, and then calls $ACM specifying the authenticate principal function, the item list with the principal name and password, and a zero address for the context argument.
  2. $ACM processes the request and ultimately returns control to the caller with the final status for the operation.

Dialogue (Iterative) Mode

The caller can use the interactive capabilities of the $ACM service for authentication and password change operations by specifying the ACME$_DIALOGUE_SUPPORT item code and a valid context argument. In this mode, ACME agents can request additional information from the caller to complete the request. In effect, the $ACM service is called in an iterative fashion until all information required to complete the request has been provided. The sequence of calls are linked together by passing the context argument returned in one call back in the next call.

In this scenario, when an ACME agent requires additional information, it builds an item set that describes the nature of the information. The item set is passed back to the caller in the communications buffer (see the description for the context argument regarding the format of the communications buffer) and the service returns with the ACME$_OPINCOMPL status. The caller processes each item set entry, gathers the requested information, and then passes it back to the ACME agent using the itmlst argument in the next call. The sequence continues until the call returns with a status code other than ACME$_OPINCOMPL.

The following list summarizes the control flow for a typical dialogue-mode authentication sequence. For simplicity, the scenario assumes a single domain of interpretation with a traditional user name and password policy. Also, error processing is ignored.

  1. Make an initial call to $ACM specifying the authenticate principal function code, an item list that merely contains the ACME$_DIALOGUE_SUPPORT item code, and a context argument that has been initialized to -1.
  2. $ACM builds a communications buffer containing an item set in the buffer requesting the principal name (user name), sets the context argument to reference the buffer, and returns control to the caller with a status code of ACME$_OPINCOMPL.
  3. The caller processes the item set, prompts for the principal name, builds an item list specifying the principal name, and then calls $ACM again specifying the authenticate principal function as before, the item list with the principal name, and a context argument that contains the buffer address returned in the previous call.
  4. $ACM validates the context argument, processes the username then builds another communications buffer to contain an item set list requesting the password, sets the context argument to reference the buffer, and returns control to the caller again with a status code of ACME$_OPINCOMPL.
  5. The caller processes the item set, prompts for the password, builds an item list specifying the password, and then calls $ACM again specifying the authenticate principal functions as before, the item list with the password, and a context argument that contains the buffer address returned in the previous call.
  6. $ACM validates the context argument again, clears it, and then completes the processing of the request, now that it has all the necessary information, and ultimately returns control to the caller with the final status for the operation.

Unprivileged callers (those running in user mode and not possessing SECURITY privilege) are limited by the number of iterative requests they can make in a dialogue sequence of calls. The default is set at 26 dialogue requests. The default can be overridden by defining the exec mode logical name ACME$DIALOGUE_ITERATIVE_LIMIT in the LNM$SYSTEM_TABLE logical name table. Valid values are 1 through 100.

Determining an ACME Name Based on an ACME ID

The identity of the ACME that supplied the ACME$L_ACME_STATUS contents is indicated in the ACMEID$V_ACME_NUM subfield of the ACMESB$L_ACME_ID field. This value is consistent for the duration of one boot of the system, but may have a different value on the next boot. The name of a particular ACME agent can be determined from the ACME ID by calling $ACM with function code ACME$_FC_QUERY and the following item list entries:

  • Special ACM Dispatch query---ID value zero:
    ITMCOD = ACME$_TARGET_DOI_ID
    BUFSIZ = 4
    BUFADR = Address of longword containing 0
  • Query ACME name based on ACME ID:
    ITMCOD = ACME$_QUERY_KEY_TYPE
    BUFSIZ = 4
    BUFADR = Address of longword containing ACME$K_QUERY_ACME_ID
  • Specify ACME ID value:
    ITMCOD = ACME$_QUERY_KEY_VALUE
    BUFSIZ = 4
    BUFADR = Address of longword containing the ACME_ID
  • Specify ACME name for the return value:
    ITMCOD = ACME$_QUERY_TYPE
    BUFSIZ = 4
    BUFADR = Address of longword containing ACME$K_QUERY_ACME_NAME
  • Specify the output buffer:
    ITMCOD = ACME$_QUERY_DATA
    BUFSIZ = ACME$K_MAXCHAR_DOI_NAME or (ACME$K_MAXCHAR_DOI_NAME*4) depending on whether function modifier ACME$M_UCS2_4 has been specified
    BUFADR = Address of buffer large enough to hold ACME$K_MAXCHAR_DOI_NAME bytes or (ACME$K_MAXCHAR_DOI_NAME*4) depending on whether function modifier ACME$M_UCS2_4 has been specified

Privileges and Restrictions

The $ACM service constitutes a trusted interface. It restricts operations that override the security policy applicable to a given domain of interpretation to those callers who are suitably privileged. The status returned in the ACMESB$L_STATUS field of the ACM Status Block for a failed authentication operation is typically nonspecific, so as not to reveal sensitive information to untrusted callers.

If the caller has the SECURITY privilege, the ACMESB$L_SECONDARY_STATUS field of the ACM Status Block may contain a detailed status that more accurately reflects the actual nature of the failure.

To specify the following function modifiers, the caller must have the SECURITY privilege:

ACME$M_NOAUDIT
ACME$M_NOAUTHORIZATION
ACME$M_FOREIGN_POLICY_HINTS

To specify the following function modifier, the caller must have the IMPERSONATE privilege:

ACME$M_OVERRIDE_MAPPING

To specify the following item code, the caller must have the SECURITY privilege:

ACME$_NEW_PASSWORD_SYSTEM

To specify the following item codes, the caller must have the IMPERSONATE privilege:

ACME$_ACCESS_PORT
ACME$_CHALLENGE_DATA
ACME$_REMOTE_HOST_ADDRESS
ACME$_REMOTE_HOST_ADDRESS_TYPE
ACME$_REMOTE_HOST_FULLNAME
ACME$_REMOTE_HOST_NAME
ACME$_REMOTE_USERNAME
ACME$_SERVICE_NAME

Condition Values Returned

SS$_NORMAL The service completed successfully.
SS$_ACCVIO The item list or an input buffer cannot be read in the access mode of the caller; or an output buffer, a return length buffer, or the I/O status block cannot be written in the access mode of the caller.
SS$_ARG_GTR_32_BITS A 64-bit address was passed in a context requiring a 32-bit address.
SS$_BADBUFADR The buffer address associated with an entry in the item list is inappropriate in the context of the call. The address may be invalid (for example, 0).
SS$_BADBUFLEN The buffer length associated with an entry in the item list is inappropriate in the context of the call. The length may be invalid (for example, 0) or outside the range of acceptable values.
SS$_BADCHAIN A chained item list is inaccessible, or the chain is circular.
SS$_BADCONTEXT The context argument does not specify a valid context buffer.
SS$_BADITMCOD A specified item code is invalid or out-of-range.
SS$_BADPARAM The item list contains an invalid item code.
SS$_BADRETLEN The return length address associated with an entry in the item list is inappropriate in the context of the call. The address may be invalid (for example, 0).
SS$_EXASTLM The astadr argument was specified and the process has exceeded its ASTLM quota.
SS$_EXQUOTA A process quota was exceeded.
SS$_ILLEFC The efn argument specifies an illegal event flag number.
SS$_ILLMODIFIER The func argument specifies function modifiers that are inappropriate in the context of the call.
SS$_INSFMEM Insufficient space exists for completing the request.
SS$_IVTIME An invalid value was specified for the ACME$_TIMEOUT_INTERVAL item code.
SS$_NOEXTAUTH External authentication is not available.
SS$_NOPRIV The caller does not have the necessary privileges to complete the requested operation.
SS$_TOOMUCHDATA The request size exceeds $ACM messaging constraints.
SS$_UNASEFC The efn argument specifies an unassociated event flag cluster.
SS$_UNSUPPORTED The func argument specifies an unsupported function.

Condition Values Returned in the ACM Status Block

ACME$_NORMAL The service completed successfully.
ACME$_ACCOUNTLOCK The account associated with specified principal name is disabled.
ACME$_AUTHFAILURE Authorization failed.
ACME$_BUFFEROVF An output item returned by the service is larger than the user buffer provided to receive the item; the item is truncated.
ACME$_DOIUNAVAILABLE The specified domain of interpretation is not processing requests.
ACME$_INCONSTATE The ACME server detected an internal consistency error.
ACME$_INSFDIALSUPPORT Caller dialogue capabilities specified with the ACME$DIALOGUE_SUPPORT item code are inadequate to meet the needs of one or more ACME agents.
ACME$_INTRUDER A record matching the request was found in the intrusion database.
ACME$_INVALIDCTX The context argument is not consistent with the itmlst argument.
ACME$_INVALIDPWD The specified password is invalid.
ACME$_INVITMSEQ The service encountered a query type or query key item code without a corresponding query data or query key value item code.
ACME$_INVMAPPING The OpenVMS user name to which the principal name was mapped is invalid.
ACME$_INVNEWPWD The new password provided during a change password request does not pass qualification checks.
ACME$_INVPERSONA The persona handle specified by the itmlst argument is invalid.
ACME$_INVREQUEST A parameter is invalid in the context of the request. This error code is returned when the caller either defaults or specifies ACME$_BATCH or the value zero (0) for ACME$_LOGON_TYPE.
ACME$_MAPCONFLICT An attempt was made to merge credentials for a principal name, which maps to an OpenVMS user name that differs from the one associated with existing credentials.
ACME$_NOACMECTX The service encountered an ACME-specific item code when no ACME context had been established.
ACME$_NOCREDENTIALS The ACME agent did not issue any credentials.
ACME$_NOEXTAUTH The specified principal name cannot be authenticated externally.
ACME$_NOPRIV The caller does not have the necessary privileges to complete the requested operation.
ACME$_NOSUCHDOI The specified domain of interpretation does not exist.
ACME$_NOSUCHUSER The specified principal name does not exist.
ACME$_NOTARGETCRED The persona does not contain credentials for the specified domain of interpretation.
ACME$_NOTAUTHORIZED Authorization failed due to account restrictions.
ACME$_OPINCOMPL Interaction is required to complete the request. The context buffer contains information describing how to proceed.
ACME$_PWDEXPIRED The password provided during an authentication request has expired and a new password is required to complete the request.
ACME$_TIMEOUT The server did not respond within the designated time-out interval.
ACME$_UNSUPPORTED The requested operation or an item code is not supported with the selected domain of interpretation.
Status Codes and Function Codes Table

Table SYS-13 lists status codes and their function codes:

Table SYS-13 Status Codes and Function Codes
  Function Codes
Status Codes Authenticate Principal Change Password Event Free Context Query Release Credentials
ACME$_ACCOUNTLOCK <> <>        
ACME$_AUTHFAILURE <> <>        
ACME$_BUFFEROVR <> <>        
ACME$_DOIUNAVAILABLE <> <> <> <>    
ACME$_INCONSTATE <> <> <> <> <> <>
ACME$_INSFDIALSUPPORT <> <>        
ACME$_INTRUDER <>          
ACME$_INVALIDCTX <> <> <>      
ACME$_INVALIDPWD <> <>        
ACME$_INVITMSEQ         <>  
ACME$_INVMAPPING <> <>        
ACME$_INVNEWPWD <> <>        
ACME$_INVPERSONA <>         <>
ACME$_INVREQUEST <> <> <> <>    
ACME$_MAPCONFLICT <> <>        
ACME$_NOACMECTX <> <> <> <> <> <>
ACME$_NOCREDENTIALS <>          
ACME$_NOEXTAUTH <> <>        
ACME$_NOPRIV <> <> <> <>   <>
ACME$_NORMAL <> <> <> <> <> <>
ACME$_NOSUCHDOI <> <> <> <>    
ACME$_NOSUCHUSER <> <>        
ACME$_NOTARGETCRED           <>
ACME$_NOTAUTHORIZED <>          
ACME$_OPINCOMPL <> <>        
ACME$_PWDEXPIRED <>          
ACME$_TIMEOUT <> <> <>   <>  
ACME$_UNSUPPORTED <> <> <>   <>  

+Required
++Either ID or Name Required

Key to Codes
<> ---Permitted

VMS ACME Use of Function Codes The VMS ACME use of the Event function is reserved to HP.

The VMS ACME does not support the Query function. VMS ACME-Specific Item Codes This section describes the $ACM item codes that are ACME-specific for the VMS ACME.

Table SYS-14 indicates which VMS ACME-specific Item Codes are applicable to the various Function Codes:

Table SYS-14 Function Codes and VMS Specific Item Codes
  Function Codes
Item Codes Authenticate Principal Change Password Event Free Context Query Release Credentials
ACMEVMS$_AUTOLOGIN_ALLOWED_FLAG <>          
ACMEVMS$_CLASS_DAYS (O) <>          
ACMEVMS$_CLASS_FLAGS (O) <>          
ACMEVMS$_CLASS_NUMBER (O) <>          
ACMEVMS$_CLASS_PRIMEDAY_LIMIT (O) <>          
ACMEVMS$_CLASS_SECONDARY_LIMIT (O) <>          
ACMEVMS$_CLASS_NAME (U,O) <>          
ACMEVMS$_CONFIRM_PASSWORD_1 (U) <> <>        
ACMEVMS$_CONFIRM_PASSWORD_2 (U) <> <>        
ACMEVMS$_CONFIRM_PASSWORD_SYS (U) <> <>        
ACMEVMS$_CREPRC_BASPRI (O) <>          
ACMEVMS$_CREPRC_IMAGE (O) <>          
ACMEVMS$_CREPRC_PRCNAM (O) <>          
ACMEVMS$_CREPRC_PRVADR (O) <>          
ACMEVMS$_CREPRC_QUOTA (O) <>          
ACMEVMS$_CREPRC_UIC (O) <>          
ACMEVMS$_GENPWD_COUNT <> <>        
ACMEVMS$_GENPWD_MANDATORY_FLAG <> <>        
ACMEVMS$_GENPWD_MAXLENGTH <> <>        
ACMEVMS$_GENPWD_MINLENGTH <> <>        
ACMEVMS$_OLD_CONNECTION_FLAG BC          
ACMEVMS$_OLD_DECWINDOWS_FLAG BC          
ACMEVMS$_OLD_HASHED_PASSWORD_1 BC          
ACMEVMS$_OLD_HASHED_PASSWORD_2 BC          
ACMEVMS$_OLD_LGI_PHASE BC          
ACMEVMS$_OLD_LGI_STATUS BC          
ACMEVMS$_OLD_PROCESS_NAME BC          
ACMEVMS$_UAI_* (O) <>          
ACMEVMS$_LOGINOUT_CLI_FLAG BC          
ACMEVMS$_LOGINOUT_CREPRC_FLAGS BC          
ACMEVMS$_NET_PROXY BC          
ACMEVMS$_PREAUTHENTICATION_FLAG IR          
ACMEVMS$_REQUESTOR_PID IR IR        
ACMEVMS$_REQUESTOR_UIC IR IR        
ACMEVMS$_REQUESTOR_USERNAME (U) IR IR        
ACMEVMS$_USES_SYSTEM_PASSWORD SR          

+Required
++Either ID or Name Required

Key to Codes
<> ---Permitted
IR---IMPERSONATE Privilege Required to override default values
SR---SECURITY Privilege Required
O---Output item code
U---Subject to Unicode Conversion
BC---Backward Compatibility---Reserved for HP support of historical interface


Previous Next Contents Index