HP OpenVMS Systems Documentation
Compaq PATHWORKS for OpenVMS
To make sure that the server starts automatically each time you boot your OpenVMS system:
$ START/NETWORK DECNET . . . $ @SYS$STARTUP:PWRK$STARTUP
Before starting the server in an OpenVMS Cluster, the server software must be installed and configured on each cluster member on which the server is to run. If you installed and configured the PATHWORKS Advanced Server on multiple members of the same OpenVMS Cluster, Compaq recommends that you use the SYSMAN utility to start the server manually and simultaneously on all cluster members.
To start the server on all cluster members at the same time, make sure you are logged in to the SYSTEM account on one of the server nodes, then run SYSMAN as indicated in the second column of Table 5-3, Starting the Server in an OpenVMS Cluster, according to the result you want to achieve, as listed in the first column.
|Desired Result||Command to Enter|
|Start the SYSMAN utility||$ RUN SYS$SYSTEM:SYSMAN|
|Define the OpenVMS Cluster members on which to start the server (in this example, SPEEDY, SPIN, and SPAN)||
SYSMAN> SET ENVIRONMENT -
|Start the PATHWORKS Advanced Server on all the nodes you defined in the previous command||SYSMAN> DO @SYS$STARTUP:PWRK$STARTUP|
|Exit the SYSMAN utility||SYSMAN> EXIT|
If you are using the STARTUP feature of the SYSMAN utility to start Advanced Server, you must pass a P1 parameter of " " (null or space). For example:
For more information on using the SYSMAN utility's STARTUP feature, refer to the OpenVMS System Management Utilities Reference Manual.
If the PATHWORKS Advanced Server startup does not complete successfully, check the SYLOGIN.COM procedure. Make sure that only commands that should be executed by detached processes are executed during the PATHWORKS Advanced Server startup.
In SYLOGIN.COM, you can use the DCL lexical function F$MODE or F$GETJPI
to conditionalize DCL commands, such as $SET TERM/INQUIRE, that should
be executed only by nondetached processes, so that they are not
executed during the PATHWORKS Advanced Server startup. Refer to the OpenVMS DCL Dictionary
for more information.
5.4 Stopping the PATHWORKS Advanced Server
The following sections describe when and how to stop the PATHWORKS Advanced Server.
5.4.1 When to Stop the PATHWORKS Advanced Server
You can stop the server at any time for any reason, which can include the following:
To stop the server, enter the following command:
For a cluster server, enter:
$ @SYS$STARTUP:PWRK$SHUTDOWN CLUSTER
Before shutting down the OpenVMS operating system, Compaq recommends
stopping the server.
5.4.3 How to Stop the PATHWORKS Advanced Server on System Shutdown
To stop the server as part of an orderly system shutdown, add the shutdown command to the site-specific system shutdown procedure. In addition, prior to shutting down the server, announce the planned shutdown to connected users by using the ADMINISTER SEND/USERS command, as in the following example, which alerts all users connected to server WOODMAN:
LANDOFOZ\\TINMAN> SEND/USERS/SERVER=WOODMAN "Shutdown @ 1pm today!!!"
Compaq provides numerous command procedures that, for example, provide shortcuts for invoking certain server management commands and procedures. You can see a list of these commands by examining the contents of the file SYS$MANAGER:PWRK$DEFINE_COMMANDS.COM.
You can define these Advanced Server management commands automatically when you log in to the account that you use to manage the Advanced Server. To define Advanced Server commands at login, edit the LOGIN.COM file of the privileged account to add the following line:
The OpenVMS operating system Versions 7.1 and higher provide support for external authentication. PATHWORKS Advanced Server participates with the OpenVMS operating system to allow PATHWORKS Advanced Server domain users to log in to the OpenVMS operating system using their PATHWORKS Advanced Server domain user names and passwords. The PATHWORKS Advanced Server externally authenticates the login request.
External authentication can provide automatic password synchronization between an OpenVMS account and a corresponding Advanced Server domain account. Users who have both OpenVMS and PATHWORKS Advanced Server domain user accounts can avoid maintaining two different passwords. If the domain account password is changed, the OpenVMS LOGINOUT program sets the OpenVMS account password to the domain account password the next time the user logs in to the OpenVMS account. If the user changes the OpenVMS password with the DCL SET PASSWORD command, the the SET PASSWORD command sends the password change to the Advanced Server external authenticator. For synchronization to succeed, an Advanced Server domain controller must be available and the domain account password must meet OpenVMS syntax requirements.
When you start the Advanced Server, external authentication is automatically enabled for user accounts that are flagged for external authentication in the SYSUAF. (To enable external authentication, PWRK$ACME_STARTUP.COM defines bit 0 of the SYS$SINGLE_SIGNON logical to the value 1. You can disable external authentication by changing the default value of this bit. For information on disabling external authentication and about defining the other bits in the SYS$SINGLE_SIGNON logical, see Section 5.6.5, Disabling External Authentication.)
For more information about enabling external authentication on OpenVMS, refer to the OpenVMS Guide to System Security.
No additional configuration is necessary on cluster members running the Advanced Server to enable the Advanced Server to participate in the external authentication process. However, to use external authentication in an Advanced Server cluster, all cluster members should be configured to use external authentication, so that externally authenticated users can log on to the cluster through any node in the cluster. A cluster member that is not running the complete Advanced Server can be configured to authenticate logon requests from network users if it has access to external authentication software on a shared cluster system disk. If it does not have access to external authentication software on a shared cluster system disk, you can enable external authentication on that system by copying only the external authentication images to the system disk, following the steps given in Section 5.6.1, Setting Up External Authentication in OpenVMS Clusters.
To provide external authentication on the system, perform the following steps:
At least one node in the cluster must run the complete Advanced Server software.
$ DEFINE/SYSTEM/EXE SYS$SINGLE_SIGNON 1 $ @SYS$STARTUP:PWRK$ACME_STARTUP.COM
$ DEFINE/SYSTEM/EXE PWRK$ACME_SERVER scsnode1_name[,scsnode2_name,...]
For information about enabling Authentication and Credential Management
(SYS$ACM) for authenticating users and determining the user security
profile for OpenVMS and Windows NT, refer to the OpenVMS Connectivity Developer's Guide
(included in the OpenVMS Documentation CD-ROM).
5.6.1 Setting Up External Authentication in OpenVMS Clusters
If you are running PATHWORKS Advanced Server in an OpenVMS Cluster, Compaq recommends that all cluster members be configured to be able to process OpenVMS logon requests for network users.
As noted in the preceding section, when the Advanced Server is started on a system, external authentication is enabled automatically for user accounts flagged for external authentication in the SYSUAF. A cluster member that is not running the complete Advanced Server can authenticate logon requests from network users if it has access to external authentication software on a shared cluster disk. Note that external authentication is not supported on OpenVMS systems prior to V7.1. Therefore, to ensure that external authentication works properly on the cluster, Compaq recommends that you make sure all systems in the cluster are running OpenVMS V7.1 or later.
If the cluster member does not have access to external authentication software on a shared cluster disk, you can enable external authentication on that system by copying just the external authentication images onto that system.
If the cluster member has a shared system disk, skip step 1 below and perform the remaining steps. If the cluster member does not have a shared system disk, perform all steps.
|File||Destination on VAX Node|
|File||Destination on Alpha V7.1 Node|
$ DEFINE/SYSTEM/EXE SYS$SINGLE_SIGNON 1 $ DEFINE/SYSTEM/EXE PWRK$ACME_SERVER scsnode1_name[,scsnode2_name,...] $ @SYS$STARTUP:ACME_STARTUP.COM
If you specify a subset of the Advanced Server member nodes, in order for external authentication requests to be processed properly, the Advanced Server should be running (available) on at least one of those specified cluster members. Otherwise, even if another Advanced Server member node not specified in the list is currently running, the requests will not be processed.
To allow users to be externally authenticated over DECnet-Plus for
OpenVMS, set the OpenVMS system parameter NET_CALLOUTS to 255. This
enables Advanced Server user ID mapping and authentication for network
5.6.3 Configuring the Server Capacity for External Authentication
By default, the Advanced Server can support up to 10 simultaneous external authentication logon requests (signons). You can modify this maximum to suit the Advanced Server requirements, using the Configuration Manager. To start the Configuration Manager, enter the following command:
The basic server parameters include the number of simultaneous activations for users with external authentication.
For more information about using the Configuration Manager, refer to
the Compaq PATHWORKS for OpenVMS (Advanced Server) Server Administrator's Guide.
5.6.4 Bypassing External Authentication When the Network Is Down
External authentication cannot occur if a network connection is required and the network is down. However, as a temporary solution, privileged users can enter the /LOCAL_PASSWORD qualifier after the OpenVMS user name at the login prompt, to specify local authentication. Be sure to specify the OpenVMS user name and password when using the /LOCAL_PASSWORD qualifier.
Because using the /LOCAL_PASSWORD qualifier effectively overrides the security policy established by the system manager, it is allowed only when the user's account has SYSPRV as an authorized privilege. This allows the system manager to gain access to the system when the network is down. When Bit 1 of the equivalence string is set in the SYS$SINGLE_SIGNON logical name, nonprivileged users who are normally externally authenticated can log in locally (the /LOCAL_PASSWORD qualifier need not be specified).
For more information about the /LOCAL_PASSWORD qualifier for the login
command line, refer to the OpenVMS Guide to System Security. (For OpenVMS Version 7.1
systems, refer to the OpenVMS System Management Utilities Reference Manual in the OpenVMS Version 7.1
5.6.5 Disabling External Authentication
If you want to disable external authentication, then before starting the Advanced Server, define the SYS$SINGLE_SIGNON logical to a value of 0, as in the following example:
$ DEFINE/SYSTEM/EXECUTIVE SYS$SINGLE_SIGNON 0
For more information about SYS$SINGLE_SIGNON and disabling external
authentication on OpenVMS, refer to the OpenVMS Guide to System Security.
5.7 Installing Optional Server Administration Tools
The PATHWORKS Advanced Server provides optional client-based server administration tools that allow you to manage the server from Windows 95, Windows 98, Windows for Workgroups, or Windows NT clients. These tools are available in the PWUTIL share after installing, configuring and starting the server.
The SRVTOOLS directory in the PWUTIL share contains a subdirectory for each type of client computer. Refer to the README.TXT file in the appropriate subdirectory for instructions on installing the software on the client computer.