HP OpenVMS Systems Documentation
Compaq ACMS for OpenVMS
If the ACMS$MGMT_HMMO process crashes, the following files will contain any error information that was available: SYS$SPECIFIC:[WBEM]ACMS$MGMT_HMMO.LOG;* SYS$SPECIFIC:[WBEM]ACMS$MGMT_HMMO.ERR;*.
If there are any new dump files you may want to examine the file to locate the problem source. SYS$SPECIFIC:[WBEM]*.DMP;*
If the problem is with WBEM$SERVER process, send the dump file to your Compaq support representative. If the problem is with the ACMS HMMO process, please have the following files ready for analysis in addition to a procedure that reproduces the situation:
This chapter describes how to manage the ACMS Remote Manager.
The ACMS Remote Manager runs on the same node as the ACMS run-time system but runs independently of it. The Remote Manager may be started and stopped at any time without affecting the ACMS run-time system. Similarly, the ACMS system can be started and stopped at any time without affecting the Remote Manager process. Remote management can be performed only on nodes where the Remote Manager has been started.
ACMS system managers configure the Remote Manager process (for example, which interfaces are enabled, what alarms to send) using a combination of the ACMSCFG utility (which provides initial configuration settings at process startup) and the ACMSMGR utility (to change settings once the process has started). Management consoles that support SNMP can also be used to configure and manage the Remote Manager.
Before the Remote Manager process can communicate with external
entities, either SNMP or RPC must be configured and running on the
appropriate nodes. See the Compaq ACMS for OpenVMS Version 4.4 Installation Guide for information about
configuring and starting SNMP and RPC.
4.2 Configuring Remote Manager Startup
Before the Remote Manager is started, the configuration file should contain the appropriate settings. Both the ACMS run-time system and the Remote Manager read the configuration file during startup. If the ACMS Central Controller (ACC) process cannot read the configuration file when starting up, it uses default values. If the Remote Manager cannot read the configuration file when starting up, it logs an error and exits.
By default, the configuration file is stored in SYS$SPECIFIC:ACMS$MGMT_CONFIG.ACM. This location can be changed using the systemwide logical ACMS$MGMT_CONFIG. Use the ACMSCFG utility to change values in this file. The ACMSCFG utility allows ACMS system managers to set:
The configuration file is created during postinstallation with a set of default values. ACMS system managers should review these settings prior to starting the Remote Manager to determine whether the settings are appropriate for the node on which the process will run. Use the ACMSCFG SHOW commands as follows to display the settings:
$ ACMSCFG SHOW INTERFACE $ ACMSCFG SHOW COLLECTION $ ACMSCFG SHOW PARAMETER $ ACMSCFG SHOW TRAP
Changes made to the ACMSCFG file are not automatically reflected in the running system. The ACMSCFG file is read during Remote Manager and ACMS system startup only. The Remote Manager process must be restarted in order for configuration file changes to the Parameter, Interface, and Trap tables to become active. The ACMS run-time system must be restarted in order for configuration file changes to the Collection table to become active. After the Remote Manager process has been started, you can use the ACMSMGR utility to make dynamic changes to the active system.
The ACMSCFG utility is a DCL command line tool that is invoked using a foreign command. The ACMSCFG utility accepts a number of command line arguments that determine what operations it should perform. The basic syntax for running the ACMSCFG utility is as follows:
ACMSCFG verb object qualifier
For example, to display the current data collection settings, you would use the following command:
$ ACMSCFG SHOW COLLECTION
You can get help on the available ACMSCFG commands and their syntax using the following command:
$ ACMSCFG HELP
You can define your own foreign command by using the following DCL command:
$ MYCOMMAND :== $SYS$SYSTEM:ACMS$MGMT_CONFIG_CMD
If you do this, you would substitute MYCOMMAND for ACMSCFG in the preceding examples.
When the ACMSCFG utility is started, it attempts to locate the
ACMS$MGMT_CONFIG.ACM file by translating the logical name
ACMS$MGMT_CONFIG. If that attempt fails, it looks in the default
location, SYS$SYSTEM:ACMS$MGMT_CONFIG. If that lookup fails, ACMSCFG
asks the user whether to create a new file. New files are created with
default values in the directory that the logical name ACMS$MGMT_CONFIG
translates to. If the logical name is not defined or does not include a
directory specification, the default directory location is the current
4.2.2 Displaying Current Values
Current ACMSCFG values can be displayed using the SHOW command, as follows:
ACMSCFG SHOW object
Valid SHOW objects are:
The values for each object type correspond directly to fields in management configuration tables. These tables are discussed in Chapter 9.
The following is an example SHOW command and its output:
SPARKS> ACMSCFG SHOW COLLECTION Entity Collect Collect Storage Storage Type Entity Name Class State Storage Location State Interval ------- ------------- ------- --------- ------------------ -------- --------- * * id enabled acms$mgmt_snapshot enabled 3600 * * config enabled acms$mgmt_snapshot disabled 3600 * * error enabled acms$mgmt_snapshot disabled 300
ACMSCFG values can be changed using one of three verbs:
$ ACMSCFG ADD COLLECTION/ENTITY=*/NAME=*/CLASS=RUNTIME
$ ACMSCFG DELETE COLLECTION/ENTITY=*/NAME=*/CLASS=RUNTIME
$ ACMSCFG SET COLLECTION/ENTITY=*/NAME=*/CLASS=RUNTIME/COLL_STATE=ENABLED
Each object has unique qualifiers that determine which values are to
change. Qualifiers are either mandatory or
optional. Mandatory qualifiers have
no default and must be specified by the user. Optional
qualifiers have default values and do not have to be specified. See
Chapter 10 for a complete description of the syntax for each command
and the qualifiers they support.
4.3 Starting and Stopping the Remote Manager
The following information discusses starting and stopping the ACMS
4.3.1 Remote Manager Startup
The Remote Manager is started as a detached process using the command procedure SYS$STARTUP:ACMS$MGMT_STARTUP, as follows:
You should run this file from the SYSTEM account during system startup. You can run the file either before or after the ACMS run-time system has been started. Alternatively, you can run it at any time from a privileged account.
During process startup, the Remote Manager reads the ACMSCFG file (located in SYS$SYSTEM:ACMS$MGMT_CONFIG.ACM or wherever the ACMS$MGMT_CONFIG logical points). If the file cannot be found and opened, the Remote Manager will not start.
The Remote Manager writes errors to the ACMS$MGMT_LOG file. This is a binary file that can be displayed using the ACMSMGR utility, as follows:
$ ACMSMGR SHOW LOG
The ACMSMGR utility generally performs operations on remote nodes. If the Remote Manager fails to start, it will not be accessible remotely. You will need to log in to the node on which it failed to start, and issue the following command:
$ ACMSMGR SHOW LOG/LOCAL
This command instructs the ACMSMGR utility to read the log file directly, bypassing the Remote Manager. See Chapter 11 for a complete description of the ACMSMGR utility, commands, and command syntax.
In addition to writing messages to the ACMS$MGMT_LOG file, the Remote Manager writes messages to SYS$OUTPUT if it cannot access the log file. You can have all messages written to SYS$OUTPUT by invoking the startup procedure with the LOG_TO_SYSOUT parameter, as follows:
$ @SYS$STARTUP:ACMS$MGMT_STARTUP LOG_TO_SYSOUT
The ACMS$MGMT_STARTUP procedure redirects SYS$OUTPUT for the Remote
Manager to a file called ACMS$MGMT_SERVER.OUT in the SYS$ERRORLOG
4.3.2 Remote Manager Shutdown
The Remote Manager is stopped using the ACMSMGR STOP MANAGER command, which has the following syntax:
ACMSMGR STOP MANAGER /NODE=node-name
The /NODE qualifier can be omitted if the ACMS$MGMT_SERVER_NODE logical is defined. If the /NODE qualifier is provided, it overrides the ACMS$MGMT_SERVER_NODE logical.
The Remote Manager can be stopped independently of the ACMS run-time system. Stopping the Remote Manager has no effect on the running ACMS system. Note, however, that simply stopping the Remote Manager does not stop any active data collections. Data collections can be stopped only by using ACMSMGR commands or from an SNMP management console that has access to the Remote Manager.
Note also that prior to issuing this command, the user must either have logged in to the Remote Manager, or the user must have a valid proxy (and proxy access must have been enabled). Regardless of how access is gained, the user must hold the ACMS$MGMT_OPER rights identifier on the node the Remote Manager is running in order to stop it. See Section 4.4 for a description of how to log in to the Remote Manager.
The ACMSMGR STOP MANAGER command executes asynchronously of the actual shutdown. That is, the command will complete (control will return to the user) before the shutdown has completed.
If the Remote Manager fails to shut down, it can be stopped by using the DCL command STOP/ID, which has the following syntax:
Determine the PID of the Remote Manager using the DCL command SHOW
SYSTEM, and then look for the process named ACMS$MGMT_SVR.
4.4 Logging In to the Remote Manager
The Remote Manager requires that each client is authenticated and that
each access attempt is authorized.
Authentication can be performed in one of two ways: either through an explicit login (using a valid OpenVMS user name and password) or through a valid ACMS proxy account.
The exception to this rule is SNMP access, which is controlled by the presence of the ACMS$SNMP account in the local rights database. Authentication for external entities that communicate with the Remote Manager through the SNMP protocol is allowed only when a valid OpenVMS account exists for the user ACMS$SNMP. If this account exists and has the appropriate rights identifier, the user ACMS$SNMP is considered to be an authenticated SNMP user. Authorization for SNMP users is treated the same as for any other user --- by OpenVMS rights identifier. See Section 4.4.2 for more information about authorization.
All access for an interface can be disabled by disabling the interface itself, either through the ACMSCFG utility prior to management startup, or through the ACMSMGR utility after Remote Manager startup.
The total number of users that can be simultaneously logged in to the Remote Manager (regardless of authentication mechanism) is controlled by the Remote Manager parameter MAX_LOGINS, which can be modified by the Remote Manager. (This parameter is not the same as the MAX_LOGINS ACMS system parameter in ACMSGEN.) When the number of users currently logged in is equal to the value of this parameter, new logins are rejected until some users have logged out, or until their credentials have expired. You can set the initial value of MAX_LOGINS with the ACMSCFG utility. You can change the value of MAX_LOGINS dynamically (but nondurably) with the ACMSMGR utility.
Attempts to log in to the Remote Manager are recorded in the Remote Manager log file if the SECURITY_AUDIT_LEVEL parameter is set for informational level logging (any odd value, up to and including F). By default, informational messages are not logged. See Section 4.7.1 for more information.
Use the SHOW USER command of the ACMSMGR utility to display a list of users currently logged in to the Remote Manager:
$ ACMSMGR SHOW USER
You must be authenticated in order to issue the SHOW USER command.
Login is performed using the ACMSMGR LOGIN command, which has the following syntax:
ACMSMGR LOGIN /USER=user-name /PASSWORD=password /NODE=node-name
The /USER qualifier can be omitted if the ACMS$MGMT_USER logical is defined. If the qualifier is provided, it overrides the ACMS$MGMT_USER logical. If neither the logical nor the qualifier is present, the ACMSMGR utility prompts the user for the user name.
If the /PASSWORD qualifier is not present, the ACMSMGR utility prompts the user for the password. There is no logical name for the password.
The /NODE qualifier can be omitted if the ACMS$MGMT_SERVER_NODE logical is defined. If it is provided, it overrides the ACMS$MGMT_SERVER_NODE logical. If neither the qualifier nor the logical name is provided, no login is attempted.
For each node to which a user logs in, a credentials file is created, either in the current directory or in the directory pointed to by the logical name ACMS$MGMT_CREDS_DIR. The credentials file contains encrypted security information (password is not stored in the file) and can be used by subsequent executions of the ACMSMGR utility. Credentials are specific to the process that created them and cannot be used by other processes. Prior to creating a new credentials file, any old credential files for the process are deleted.
Once a user has logged in to the Remote Manager, the user's credentials are valid for the duration of the credentials lifetime period, as specified by the parameter LOGIN_CREDS_LIFETIME. You can set the initial value of LOGIN_CREDS_LIFETIME with the ACMSCFG utility. You can change the value of LOGIN_CREDS_LIFETIME dynamically (but nondurably) with the ACMSMGR utility.
Once a user's credentials have expired, the user must log in to the
220.127.116.11 Proxy Accounts
Proxy access to the management server is supported if the logical name ACMS$MGMT_ALLOW_PROXY_ACCESS is defined on the Remote Manager node. The valid values for this logical name are: 1, T, t, Y, y, TRUE, and true. If the name is defined to be any other value or if the logical name is not defined, proxy access is disabled.
When proxy access is allowed, users do not need to explicitly log in to the Remote Manager with a user name and password, and no credentials file is created. See Section 18.104.22.168 for a description of how to log in with user name and password.
In order for a user to be granted proxy access, there must be an entry in the ACMSPROXY.DAT for the combination of node and user attempting access. See Compaq ACMS for OpenVMS Managing Applications for more information. The first time a user attempts to access a management function without having first logged in using user name and password, the Remote Manager looks for a valid ACMS proxy. If one is found, the OpenVMS account specified by the proxy is used for authorization.
The Remote Manager maintains a cache of users who have been logged in
by proxy. Records remain in the cache for the duration of the proxy
credentials' lifetime, as specified by the PROXY_CREDS_LIFETIME
parameter. You can set the initial value of PROXY_CREDS_LIFETIME with
the ACMSCFG utility. You can change the value of PROXY_CREDS_LIFETIME
dynamically (but nondurably) with the ACMSMGR utility. Proxy
credentials are automatically refreshed when they expire.
Authorization consists of ensuring that the user attempting access
holds the appropriate rights identifier on the node they are attempting
to access. There are four levels of access, each with its own
identifier, as described in the following sections.
22.214.171.124 Read Access (ACMS$MGMT_READ)
Read access allows users to perform the following functions:
Operate access allows users to issue the following commands:
Write access allows users to issue the following commands:
Needed in addition to operate access, update access allows users to update specific OpenVMS system parameters by issuing the following command:
You can control which interfaces are started or stopped by using either the ACMSCFG utility prior to Remote Manager startup or the ACMSMGR utility after Remote Manager startup. The Remote Manager supports two interfaces:
Either the RPC or SNMP interface should always be enabled. If both are disabled, there is no way to communicate with the Remote Manager.
For a more complete discussion of the available interfaces and their
attributes, see Section 9.7.
4.5.1 Using ACMSCFG to Enable or Disable Interfaces
Use the ACMSCFG utility to configure which interfaces should be enabled or disabled when the Remote Manager starts up.
Use the ACMSCFG SET INTERFACE command to enable or disable an interface. This command has the following syntax:
ACMSCFG SET INTERFACE /INTERFACE=interface-name /STATE=state
In this format:
Use the ACMSCFG SHOW INTERFACE command to determine the state of an interface in the configuration file:
$ ACMSCFG SHOW INTERFACE
Use the ACMSMGR utility to dynamically enable or disable an interface after the Remote Manager has already been started. Changes made with the ACMSMGR interface are not stored in the ACMSCFG file and are lost when the Remote Manager is stopped. Use the ACMSCFG utility to save changes to the ACMSCFG file.
An interface cannot disable itself. Since the ACMSMGR utility uses the RPC interface, it cannot be used to disable the RPC interface. To disable the RPC interface, either use the ACMSCFG utility and restart the Remote Manager, or use the SNMP interface.
ACMSMGR SET INTERFACE /INTERFACE=interface-name /STATE=state
In this format:
Use the ACMSMGR SHOW INTERFACE command to determine the state of an interface:
$ ACMSMGR SHOW INTERFACE