On a cluster, all elements of the user authorization
data should exist in a common database. These authorization elements
include the system user authorization files (SYSUAF.DAT and its backup
SYSUAFALT.DAT), the rights database (RIGHTSLIST.DAT), the network
authorization file (NETPROXY.DAT) and its object database file (NETOBJECTS.DAT),
which are present on all OpenVMS systems, and optionally, the autologin
file, SYSALF.DAT.

A secure cluster requires that the authorization
data be synchronized across all nodes. If you choose to maintain
multiple versions of these files, you must synchronize the data.
Each user should have the same UIC, group number, and set of identifiers
defined on every node. Coordination of privileges and access rights
is also critical. A shared disk is only as well protected as its least
protected node. If you maintain separate authorization files on each
node in the cluster, ensure that user privileges are common across
all copies of the system user authorization file (SYSUAF.DAT).
Table 12-4, “Fields in SYSUAF.DAT Requiring Synchronization,” lists the fields
of SYSUAF.DAT that must be identical on each node.

Table 12-4 Fields in SYSUAF.DAT Requiring Synchronization

Internal Name | $SETUAI Item Code |
---|---|
UAF$R_DEF_CLASS | UAI$_DEF_CLASS |
UAF$Q_DEF_PRIV | UAI$_DEF_PRIV |
UAF$B_DIALUP_ACCESS_P | UAI$_DIALUP_ACCESS_P |
UAF$B_DIALUP_ACCESS_S | UAI$_DIALUP_ACCESS_S |
UAF$B_ENCRYPT | UAI$_ENCRYPT |
UAF$B_ENCRYPT2 | UAI$_ENCRYPT2 |
UAF$Q_EXPIRATION | UAI$_EXPIRATION |
UAF$L_FLAGS | UAI$_FLAGS |
UAF$B_LOCAL_ACCESS_P | UAI$_LOCAL_ACCESS_P |
UAF$B_LOCAL_ACCESS_S | UAI$_LOCAL_ACCESS_S |
UAF$B_NETWORK_ACCESS_P | UAI$_NETWORK_ACCESS_P |
UAF$B_NETWORK_ACCESS_S | UAI$_NETWORK_ACCESS_S |
UAF$B_PRIME_DAYS | UAI$_PRIMEDAYS |
UAF$Q_PRIV | UAI$_PRIV |
UAF$Q_PWD | UAI$_PWD |
UAF$Q_PWD2 | UAI$_PWD2 |
UAF$Q_PWD_DATE | UAI$_PWD_DATE |
UAF$Q_PWD2_DATE | UAI$_PWD2_DATE |
UAF$B_PWD_LENGTH | UAI$_PWD_LENGTH |
UAF$Q_PWD_LIFETIME | UAI$_PWD_LIFETIME |
UAF$B_REMOTE_ACCESS_P | UAI$_REMOTE_ACCESS_P |
UAF$B_REMOTE_ACCESS_S | UAI$_REMOTE_ACCESS_S |
UAF$R_MAX_CLASS | UAI$_MAX_CLASS |
UAF$R_MIN_CLASS | UAI$_MIN_CLASS |
UAF$W_SALT | UAI$_SALT |
UAF$L_UIC | Not applicable |
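
One way to audit the requirement in Table 12-4 when each node keeps its own SYSUAF.DAT, as an added example that is not part of the original manual. It assumes the field values have already been exported from every node into per-node dictionaries keyed by the table's item-code names; the export step, the node BIRCH, and the user records are constructed for illustration.

```python
# Added example: drift check over the Table 12-4 fields.
# Assumption: each node's SYSUAF.DAT values were exported into dicts like
# NODE_RECORDS below; the export step is site-specific and not shown.

SYNC_FIELDS = (
    "UAF$L_UIC",  # no $SETUAI item code, so keyed by internal name
    "UAI$_DEF_CLASS", "UAI$_DEF_PRIV", "UAI$_DIALUP_ACCESS_P",
    "UAI$_DIALUP_ACCESS_S", "UAI$_ENCRYPT", "UAI$_ENCRYPT2",
    "UAI$_EXPIRATION", "UAI$_FLAGS", "UAI$_LOCAL_ACCESS_P",
    "UAI$_LOCAL_ACCESS_S", "UAI$_NETWORK_ACCESS_P", "UAI$_NETWORK_ACCESS_S",
    "UAI$_PRIMEDAYS", "UAI$_PRIV", "UAI$_PWD", "UAI$_PWD2", "UAI$_PWD_DATE",
    "UAI$_PWD2_DATE", "UAI$_PWD_LENGTH", "UAI$_PWD_LIFETIME",
    "UAI$_REMOTE_ACCESS_P", "UAI$_REMOTE_ACCESS_S", "UAI$_MAX_CLASS",
    "UAI$_MIN_CLASS", "UAI$_SALT",
)
MISSING = "<absent>"  # marks a user or field that a node does not have


def find_drift(node_records):
    """Return [(username, field, {node: value})] for every mismatch."""
    users = sorted({u for recs in node_records.values() for u in recs})
    findings = []
    for user in users:
        absent = [n for n, recs in node_records.items() if user not in recs]
        if absent:
            # A user defined on only some nodes is itself a finding.
            findings.append((user, "<record>", {n: MISSING for n in absent}))
        present = {n: r[user] for n, r in node_records.items() if user in r}
        for field in SYNC_FIELDS:
            values = {n: rec.get(field, MISSING) for n, rec in present.items()}
            if len(set(values.values())) > 1:
                findings.append((user, field, values))
    return findings


# Constructed sample data: WILLOW is the page's node name; BIRCH and the
# users are invented. Privilege masks are shown as sets of privilege names.
BASE = frozenset({"TMPMBX", "NETMBX"})
NODE_RECORDS = {
    "WILLOW": {"JONES": {"UAF$L_UIC": "[200,10]", "UAI$_PRIV": BASE},
               "SMITH": {"UAF$L_UIC": "[200,11]", "UAI$_PRIV": BASE}},
    "BIRCH": {"JONES": {"UAF$L_UIC": "[200,10]",
                        "UAI$_PRIV": BASE | {"SYSPRV"}}},
}

if __name__ == "__main__":
    for user, field, values in find_drift(NODE_RECORDS):
        print(f"{user:8} {field:22} {values}")
```

On the sample data the check reports that JONES holds an extra privilege on BIRCH and that SMITH has no record there, the two kinds of mismatch that leave a shared disk only as protected as the weaker node.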

Use SYSMAN if you choose to create an autologin
file, and maintain the file in the common authorization database with
your authorization files and rights database. On clustered systems,
the autologin file must include the cluster node name as a prefix
to the terminal name. For example, the terminal TTA0 on node WILLOW
would be represented as WILLOW$TTA0. See “Using the System Management Utility” for an overview of SYSMAN.