HP OpenVMS Systems Documentation
HP TCP/IP Services for OpenVMS
With profiling enabled, you can compare performance data of when PPE is enabled and disabled. Assuming that you have a test that sufficiently saturates the TCP/IP CPU, complete the following steps to produce data sets that can be easily compared:
$ SYSCONFIG -r INET PROFILING=1
$ SYSCONFIG -r INET PPE_ENABLE=0
$ MONITOR MODES/CPU=xx ! xx = TCP/IP CPU
$ TCPMON /CSV=PPE_COMPARISON.CSV /DISPLAY [/SHOW=INET]
$ SYSCONFIG -r INET PPE_ENABLE=1
$ SYSCONFIG -r INET PROFILING=0
FTP Anonymous Light can be used for restricting user access to a particular set of directories. A system administrator who wants to restrict an OpenVMS user's FTP access to a particular set of directories must set the TCPIP$FTP_ANONYMOUS_LIGHT parameter for that user.
Setting this parameter restricts the FTP operations for the user to a set of directories indicted by TCPIP$FTP_ANONYMOUS_DIRECTORIES. The TCPIP$FTP_ANONYMOUS_LIGHT can be defined in LOGIN.COM.
To restrict the FTP access for all users, the parameter must be defined using a system-wide logical. FTP Anonymous Light users must specify the correct password to log in. By default, when an anonymous user is prompted for the identity, any password is accepted. Optionally, the system administrator can also set TCPIP$FTP_ANONYMOUS_WELCOME to display a message upon successful login.
The following example illustrates how FTP Anonymous Light works:
"TCPIP$FTP_ANONYMOUS_DIRECTORY" = "TCPIP$ENETINFO1:[UCX]" = "TCPIP$ENETINFO1:[UCX_AXP]" = "TCPIP$ECO:" = "TCPIP$PATCH:" = "COMMON_SYSDISK:[FAL$SERVER]" = "TCPIP$INTERNAL:" "TCPIP$FTP_ANONYMOUS_LIGHT" = "1" "TCPIP$FTP_ANONYMOUS_LOG" = "SYS$LOGIN:TCPIP$FTP_ANONYMOUS.LOG" "TCPIP$FTP_ANONYMOUS_WELCOME" = "FTP Anonymous Light demo" ftp plane.tcpip.zko.hp.com 220 plane.tcpip.zko.hp.com FTP Server (Version 5.6) Ready. Connected to plane.zko.hp.com. Name (plane.zko.hp.com:test): 331 Username test requires a Password Password: 230-FTP Anonymous Light demo 230 Guest login OK, access restrictions apply. FTP> cd sys$system 550 insufficient privilege or file protection violation (1) FTP> cd tcpip$eco 250-CWD command successful. 250 New default directory is TCPIP$ENETINFO1:[TCPIP$ENGINEERING_CHANGE_ORDERS](2) FTP> cd sys$login 250-CWD command successful. 250 New default directory is WORK4$:[TEST] FTP> bye 221 Goodbye.
|(1)||This directory is not included in TCPIP$FTP_ANONYMOUS_DIRECTORY, so access is restricted|
|(2)||This directory is included in TCPIP$FTP_ANONYMOUS_DIRECTORY, so access is allowed|
An output similar to the following is saved in the log file:
20-JUN-2008 05:21:45.64 Anonymous Light User:test from Host:22.214.171.124 20-JUN-2008 05:22:39.61 Anonymous Light User:test status:00010001 CWD dir:TCPIP$ENETINFO1:[TCPIP$ENGINEERING_CHANGE_ORDERS] 20-JUN-2008 05:23:13.49 Anonymous Light User:test status:00010001 CWD dir:WORK4$:[TEST] 20-JUN-2008 05:23:19.15 Anonymous Light User:test status:00000000 RETR file:WORK4$:[TEST]A.TXT;30 20-JUN-2008 05:23:26.07 Anonymous Light User:test logged out
Although the system administrator does not specify the directory, SYS$LOGIN is always added to TCPIP$FTP_ANONYMOUS_DIRECTORY. As a result, the Anonymous Light users will always have access to their SYS$LOGIN.
At some instances, the system administrator may not want the user to
access their SYS$LOGIN. To prevent the user from accessing the
SYS$LOGIN, the system administrator must define
TCPIP$FTP_ANONYMOUS_NOSYSLOGIN for that particular user. This parameter
is useful when a user has changed the directory in LOGIN.COM and when
the system administrator does not want to grant access to SYS$LOGIN.
126.96.36.199 Access restrictions for FTP operations
The FTP Anonymous Light feature restricts user access to a particular set of directories. To increase the system administrator's flexibility, a new set of parameters can be defined to restrict user operations.
The FTP server checks for the existence of the following four parameters:
If the parameter is defined, the FTP server will reject all.
These new access restrictions are applicable in addition to any restrictions implied by the protections of the underlying files, directories, volumes, and devices.
If TCPIP$FTPD_NOLIST is defined, the usage of wildcards is not allowed in FTP operations. This is necessary to prevent FTP users from obtaining a list of the files in the directory by attempting to retrieve or delete all the files. Table 1-2 lists the FTP restriction logicals that are used to control their operation:
|Client command||FTP Logical|
For example, if the System Administrator does not want a user to delete files through FTP, set TCPIP$FTPD_NODELETE for that user.
The following example illustrates how to set the TCPIP$FTPD_NODELETE and TCPIP$FTPD_NOLIST:
"TCPIP$FTPD_NODELETE" = "1" "TCPIP$FTPD_NOLIST" = "1" $ ftp plane.tcpip.zko.hp.com 220 plane.tcpip.zko.hp.com FTP Server (Version 5.6) Ready. Connected to plane.zko.hp.com. Name (plane.zko.hp.com:test): test 331 Username test requires a Password Password: 230-FTP Anonymous Light demo 230 Guest login OK, access restrictions apply. FTP> directory * 200 PORT command successful. 550 Cannot execute LIST command, Access denied. (1) %TCPIP-E-FTP_NOSUCHFILE, no such file * FTP> delete a.txt 550 Cannot execute DEL command, Access denied.(2) FTP> bye 221 Goodbye.
|(1)||The DIRECTORY command is not allowed because a wildcard present in the command and TCPIP$FTPD_NOLIST is defined.|
|(2)||The DELETE command is not allowed because the TCPIP$FTPD_NODELETE logical is set.|
FTP restriction logicals can be used in conjunction with FTP Anonymous Light to restrict user access through FTP, helping to mitigate a risk to the system that has been problematic for system administrators.
|TCPIP$CONFIG||1.2.1||Interface Configuration Menu is enhanced.|
|LPD configurable port||1.2.2||LPR/LPD port can be configured.|
|FTP over SSL||1.2.3||FTP software is enhanced to use the security features provided by SSL.|
|SMTP cluster ability||1.2.4||SMTP is made cluster aware.|
|SMTP ASCII file configuration||1.2.5||Supports the SMTP configurable fields.|
|SMTP Persistent receiver||1.2.6||The SMTP receiver process is made persistent.|
|POP ASCII file configuration||1.2.7||Supports the POP configurable fields.|
|POP server support for external authentication||1.2.8||Supports the POP server for external authentication.|
With support for IP as the cluster interconnect (IPCI), Interface Configuration Menu now supports the following:
Assuming that the cluster members share the same TCPIP$CONFIGURATION database, each cluster member can be configured from the same console. This only affects the TCPIP$CONFIGURATON database; it is not possible to manage the active addresses on a remote cluster member.
An output similar to the following is displayed for the TCPIP$CONFIG Interface * Address Configuration menu from one of the node in a cluster:
HP TCP/IP Services for OpenVMS Interface & Address Configuration Menu Hostname Details: Configured=kirra-g0, Active=kirra-g0 Configuration options: 0 - Set The Target Node (Current Node: KIRRA) 1 - IE0 Menu (EIA0: TwistedPair 1000mbps) 2 - 188.8.131.52/23 kirra-g0 Configured,Active 3 - 184.108.40.206/23 kirra-g1 Configured,Active-Standby 4 - 220.127.116.11/23 hogwarts-nfs Configured,Active-Standby 5 - 18.104.22.168/23 ns1 Configured,Active-Standby 6 - IE1 Menu (EIB0: TwistedPair 1000mbps) 7 - 22.214.171.124/23 kirra-g1 Configured,Active 8 - 126.96.36.199/23 kirra-g0 Configured,Active-Standby 9 - 188.8.131.52/23 hogwarts-nfs Configured,Active-Standby 10 - 184.108.40.206/23 ns1 Configured,Active-Standby I - Information about your configuration [E] - Exit menu Enter configuration option: 0 (1) Enter name of node to manage [KIRRA]: GRYFFI (2) Enter system device for GRYFFI [$1$DGA62:]: (3) Enter system root for GRYFFI [SYS0]: (4) HP TCP/IP Services for OpenVMS Interface & Address Configuration Menu Hostname Details: Configured=gryffindor-e0 Configuration options: 0 - Set The Target Node (Current Node: GRYFFI - $1$DGA62:[SYS0.]) 1 - IE0 Menu (EIA0: TwistedPair 100mbps) 2 - 220.127.116.11/23 gryffindor-e0 Configured 3 - 18.104.22.168/23 gryffindor-e1 Configured 4 - 22.214.171.124/23 hogwarts-nfs Configured 5 - 126.96.36.199/23 ns1 Configured 6 - IE1 Menu (EIB0: TwistedPair 100mbps) 7 - 188.8.131.52/23 gryffindor-e1 Configured 8 - 184.108.40.206/23 gryffindor-e0 Configured 9 - 220.127.116.11/23 hogwarts-nfs Configured 10 - 18.104.22.168/23 ns1 Configured I - Information about your configuration [E] - Exit menu Enter configuration option:
|(1)||If node GRYFFI is another cluster member that shares the same TCPIP$CONFIGURATION database, to manage the interfaces and addresses on node GRYFFI, select option "0".|
|(2)||Enter the SCSNODE name of the other node in the cluster to manage. In this case, it is GRYFFI.|
|(3)||To support the management of IPCI, it is necessary to confirm the system root on the remote node. The remote cluster member's system device is determined using SYSMAN.|
|(4)||The remote clusters member's system root is determined using SYSMAN. The new TCPIP$CONFIG window now displays the configuration on node GRYFFI. Changes to this screen will affect node GRYFFI's permanent TCP/IP configuration only.|
LPR/LPD provided by TCP/IP services for OpenVMS 5.6 and prior versions
connects directly to port 515 on a remote server and sends the data as
specified in the RFC 1179. With TCP/IP services for OpenVMS 5.7, this
remote port is made configurable. A system manager can choose any
22.214.171.124 Configuring the remote port
In the printcap file, TCPIP$PRINTCAP.DAT, for each printer entry, a new field, rt is added, which can be used to configure remote port.
LOOP_BOGUS_P_1|loop_bogus_p_1:\ :lf=/TCPIP$LPD_ROOT/000000/LOOP_BOGUS_P_1.LOG:\ :lp=LOOP_BOGUS_P_1:\ :rm=qtvtcp.digitalindiasw.net:\ :rp=bogus_p_1:\ :rt#2333:\ :sd=/TCPIP$LPD_ROOT/LOOP_BOGUS_P_1:
field in the printer entry in TCPIP$PRINTCAP.DAT, the LPD jobs is sent
over an SSH encrypted tunnel. You can configure SSH port forwarding to
establish a tunnel from port (rt) on a system to an LPD receiver port
(default is 515 or any other port on which LPD service is configured
manually) on another system where the LPD receiver is listening. For
sample LPD/LPR configurations, see Appendix A.
1.2.3 FTP over SSL
The Transport Layer Security/Secure Socket Layer (TLS/SSL) feature
enables the FTP software to use the security features provided by SSL.
When this feature is enabled, FTP provides a secured FTP session and a
secure file transfer. FTP over SSL is compliant with RFC 4217 and RFC
126.96.36.199 Configuring an FTP server for SSL
To configure an FTP server and to allow the FTP server to handle incoming client connections which are over SSL, the certificates and keys must be copied at the following location:
Certificate file : SSL$CERTS:SERVER.CRT Key file: SSL$KEYS:SERVER.KEY
The key and certificate file of the server must be placed in this
directory and must be named as SERVER.CRT and SERVER.KEY. During the
FTP server startup, if it does not find either the key or the
certificate file in the required location, the FTP server will not
188.8.131.52 Using FTP client in an SSL environment
You can use FTP over SSL to connect to the server by invoking the client using the following commands:
$FTP /SSL <server>
$FTP FTP> CONNECT /SSL <server>
If you connect to the server using the /SSL qualifier, both the control and data connection use SSL by default. By default, the PROT P command is sent by the client to the server indicating that the data connection will use SSL.
If you want the data connection communication to happen in clear text, you can issue the PROT C command on the FTP client CLI.
ftp> PROT C
The OpenVMS FTP client and server also supports the Clear Command Channel (CCC) mode of operation. The CCC mode can be used in NAT environments that need a clear command channel to setup NAT for FTP/SSL. An FTP Client issues the CCC command to indicate to the server that the command channel must not be encrypted. Note that the data channel will remain encrypted. As a result, the file transfer will continue to be secured by SSL.
For example, if you want the control connection to not be encrypted, execute the CCC command at the FTP client CLI:
The CCC command can be issued only after logging into the FTP server with a valid username and password.
If you want to use the copy operation in FTP, COPY/FTP , the syntax is as follows:
copy /ftp/ssl=(data,ccc) <src system> <dst system>
If you do not want the data connection to be encrypted, specify NODATA in the preceding command instead of DATA.
If you want
(by default), specify
, else specify
184.108.40.206 Considerations during configuration
AUTH command will fail, session will continue in plain text.
SMTP provided by TCP/IP Services for OpenVMS is cluster aware. It
exploits the high availability and load balancing features of a
cluster. The name of the generic queue is now TCPIP$SMTP, without the
node name as the suffix. This is a common SMTP generic queue for all
nodes in the cluster.
The following configurable parameters can be found in the TCPIP$SMTP.CONF file:
The SMTP configuration files, the SMTP home directory and the MAIL box must be placed in a disk that is visible to all nodes in the cluster.
TCPIP$SMTP.CONF can also be used to configure the trace and debug parameters, but the precedence will be changed.
The existing configuration based on logical names and TCPIP> SET CONFIGURATION SMTP is obsolete. The SMTP rollover tool, TCPIP$SMTP_V57_ROLLOVER.EXE, can be used to upgrade the TCP/IP software to Version 5.7. Up on upgrade, the SMTP startup procedure will automatically change over to new ASCII file based configuration method. It creates the TCPIP$SMTP.CONF file in the TCPIP$SMTP_COMMON directory. Up on successful rollover, SYS$MANAGER:TCPIP$SMTP_V57_ROLLOVER.FLG is created.
Include the appropriate SMTP parameters in this file. The configuration template file, TCPIP$SMTP.CONF_TEMPLATE, contains the description of all SMTP configurable parameters and its usage.
Only the debug and tracing logicals will take higher precedence, and the other logical will be ignored.