HP HP-UX DCE Setup and Install

Planning and Configuring HP DCE 1.7
First Edition
B3190-90073
E1197
November 1997
Printed in: U.S.A.
© Copyright 1997 Hewlett-Packard Company. All Rights Reserved.
The information contained in this document is subject to change without notice.
HEWLETT-PACKARD MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance or use of this material.
Hewlett-Packard assumes no responsibility for the use or reliability of its software on equipment that is not furnished by Hewlett-Packard.
This document contains proprietary information which is protected by copyright. All rights reserved. No part of this document may be photocopied, reproduced or translated to another language without the prior written consent of Hewlett-Packard Company.
RESTRICTED RIGHTS LEGEND Use, duplication, or disclosure by the U.S. Government is subject to restrictions as set forth in subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013.
Hewlett-Packard Company 3000 Hanover Street Palo Alto, CA 94304 U.S.A.
Rights for non-DOD U.S. Government Departments and Agencies are as set forth in FAR 52.227-19(c)(1,2).
UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company Limited.
Contents
1. About HP DCE/9000 Version 1.7
HP DCE/9000 Core Services Software
OSF DCE Components Included in This Release
HP DCE/9000 Features Added by Hewlett-Packard
Features Added at Previous Releases of HP DCE
Features Added at HP DCE 1.7
Features Removed at HP DCE 1.6 and 1.7
Version Identification
Cell Configuration and Diagnostics
Common Desktop Environment (CDE) and Online Help
DES and DES-Hidden Versions of this Release
Limitations of This Release
Limitations of OSF DCE 1.2.1
HP DCE 1.6 and 1.7 Limitations on OSF DCE 1.2.1 Functionality
System Utilities Not Integrated with DCE Security
Interoperability and Compatibility
Binary Compatibility with Previous HP DCE Releases
Source Code Compatibility with Previous HP DCE Releases
Interoperability with Other Implementations of OSF DCE
Interoperability of the DES and DES-Hidden Versions
Kerberos Authentication Protocol Compatibility
DCE Support for Kerberos Applications and Configuration Notes
Remote Services File
Support for Secure Internet Services
DCE GSS-API Interoperability with MIT and Third-Party Kerberos Implementations
Notes, Cautions and Warnings Regarding This Release
dcecp host Command
Security and Remote Login Utilities
Security and Credential Lifetime
ANSI C Requirement for HP DCE/9000
dce_login -r Option
Removing DCE Credentials
HP-UX Integrated Login Utilities
The DCE Audit Service
Setting LANG and NLSPATH Environment Variables
dcecp in Local Mode
dcecp secval Change
HP DCE/9000 Interoperability with SharedPrint/UX
k5dcelogin Limitation
Features Planned for a Future Release
Future Support for POSIX 1003.1c Threads
HP DCE 1.7 Documentation
Printed Documentation
Online Documentation
Online Release Notes
Man Pages
HP DCE Online Help
Accessing DCE Online Help From CDE
Embedded Online Help for HP DCE Cell Administration Tools
HP DCE Administration Tools
HP DCE Account Manager
HP DCE Account Manager Documentation
Installing the Account Manager
Running the Account Manager
Tips for New Users
Managing Very Large Cells with Account Manager
Account Manager Limitations and Exceptions
HP Password Management Server
Example Sources
Build Process
Administrative Setup
2. Migrating to HP DCE 1.7
Migration Paths
Contents of HP DCE Client and Server
Migration Compatibility
Migrating the Cell Directory Service from HP DCE 1.3.1
Migrating Remote Administration of dced from HP DCE 1.3.1
Migrating from HP DCE 1.2, 1.2.1 or 1.4.2 on HP-UX 9.x to HP DCE 1.7 on HP-UX 11.0
Migrating an HP DCE 1.3.1 or 1.4 Client on HP-UX 10.01 to HP DCE 1.7 on HP-UX 11.0
Migration Procedure
Migrating an HP DCE 1.4.1 Client on HP-UX 10.10 to HP DCE 1.7 on HP-UX 11.0
Migration Procedure
Migrating an HP DCE 1.4 Server on HP-UX 10.01 to HP DCE 1.7 on HP-UX 11.0
Migration Procedures
Migrating a System Without Retaining Cell Configuration
Migrating a System and Preserving Current Cell Configuration
Migrating an HP DCE 1.4.1 Server on HP-UX 10.10 to HP DCE 1.7 on HP-UX 11.0
Migration Procedures
Migrating a System Without Retaining Cell Configuration
Migrating a System and Preserving Current Cell Configuration
Migrating an HP DCE 1.5 Server on HP-UX 10.20 to HP DCE 1.7 on HP-UX 11.0
Migration Procedures
Migrating a System Without Retaining Cell Configuration
Migrating a System and Preserving Current Cell Configuration
Migrating an HP DCE 1.6 Server on HP-UX 10.30 to HP DCE 1.7 on HP-UX 11.0
Migration Procedures
Migrating a System Without Retaining Cell Configuration
Migrating a System and Preserving Current Cell Configuration
3. Before Installing HP DCE/9000 Version 1.7
Overview
Prerequisites
Hardware and Software Requirements
Series 700 and 800 Kernel Parameter Recommendations
Distribution Media
Network Distribution Area
Preinstallation Planning
Determining Cell Boundaries
Intercell Communications
DCE Services
Client Core Services
Security Services
Cell Directory Service Configuration
Time Services
HP DCE Installed Software
4. Installing HP DCE 1.7
Overview
Loading HP DCE Software in a Network Source Area
Software Loading Procedure
Installing Software
Installation Notes
Installation Procedure
5. Configuring HP DCE Cells
Choosing a Cell Configuration Tool
DCM and dce_config
Advantages of DCM
Limitations of DCM
Configuring Cells with DCM
Overview of DCM Functionality
Important Security Warning
Requirements for Running DCM
Running DCM
Online Help for DCM
Printing the DCM Online Help
Configuring Cells Using dce_config
Starting dce_config
Initial Cell Configuration
Configuring Additional CDS Servers
Notes on Configuring Additional CDS Servers
Configuring Client Systems: Security, CDS, and DTS
Configuring GDA Servers
Creating a Security Server Replica
Configuring the DCE Audit Service
Removing Systems from the Cell
Removing and Reconfiguring the DCE Daemons
dce_config Error and Message Logging
Additional Notes About Log Messages
Component Scripts and Environment Variables for dce_config
dce_config Component Scripts
dce_config Environment Variables
Note for Users of NCS-based Software
Integrating DCE Services with MC/ServiceGuard
Background
Planning Considerations
Planning for a DCE-MC/ServiceGuard Installation
Hardware Requirements for a DCE-MC/ServiceGuard Configuration
Implementation Alternatives for a DCE-MC/ServiceGuard Installation
Supported Templates for MC/ServiceGuard Integration with DCE
Planning for the DCE Package
DCE Configuration for Integration with ServiceGuard
Configuring the ServiceGuard Cluster
Configuring DCE
Configuring the Package
Distributing the Package
Starting the ServiceGuard Cluster
Starting the Package on the ServiceGuard Cluster
Summary of DCE-MC/ServiceGuard Installation and Configuration
6. HP-UX Integrated Login
Overview
Deciding Whether to Use HP-UX Integrated Login
Operation of Integrated Login Utilities
Activating HP-UX Integrated Login
Deactivating HP-UX Integrated Login
Inquiring about Authentication Policy
Notes, Cautions, and Warnings
Integrating DCE with HP-UX Integrated Login
Overview of HP-UX Integrated Login Features
Deciding Whether to Integrate DCE with HP-UX Integrated Login
Operation of the HP-UX Integrated Login Utilities
Preparing to Integrate DCE with HP-UX Integrated Login
Configuring HP-UX Integrated Login with DCE
Configuring ux as a Fallback Technology for DCE
Unconfiguring DCE from HP-UX Integrated Login
Notes, Cautions, and Warnings About Using HP-UX Integrated Login with DCE
DCE and Anonymous FTP
AFS and Kerberos Authentication
7. Notes on Cell Administration
Diagnostic Tool — dceping
Enhanced CDS Browser
Features of the HP DCE/9000 CDS Browser
Overview of Enhanced HP DCE CDS Browser Features
Creating and Deleting Entries
Showing CDS Entry Attributes
Editing CDS ACL Entries
Editing DCE Options
Manage Replica Locations
Log in to DCE
User Interface Enhancements
Icons
Default Action on Double Clicking
CDS Browser Documentation
CDS Browser Online Help
CDS Browser Reference Page
Administering CDS
Deleting a Clearinghouse
Skulking Directories
Known CDS Problems
Resource Problems
Clock Reversal Problems
Establishing Intercell Communication
Specifying DNS Servers that GDA Should Query
Choosing DNS Servers for GDA to Query
Creating DNS Resource Records for a DCE Cell
Establishing Peer-to-Peer Trust
Miscellaneous Notes
8. HP DCE Measurement Service
Overview of DMS
DMS Restriction
DMS Prerequisite
Enabling and Disabling DMS
Performance Considerations of DMS
DMS Documentation
Accessing DMS Data
DCE Global Activity Window
DCE Process List Window
DCE Process Activity Window
DCE Interface Window
DCE Operations Window
About this document
This document describes features of HP DCE/9000 Version 1.7 specific to Hewlett-Packard. For features of standard DCE, see the OSF documentation.
This book is organized as follows:
• Chapter 1 provides an overview of HP DCE 1.7; it includes information about new features, limitations, interoperability and compatibility, changes at the next release, and documentation. Chapter 1 also includes information about DCE Account Manager, Cell Monitor, and the Password Management Server.
• Chapter 2 describes how to migrate from HP DCE 1.2, 1.2.1, 1.3.1, 1.4, 1.4.1, 1.4.2, 1.5 or 1.6 to HP DCE 1.7.
• Chapter 3 describes hardware and software prerequisites and preinstallation planning for HP DCE 1.7.
• Chapter 4 describes installing HP DCE, including the products and file sets that make up HP DCE 1.7.
• Chapter 5 describes configuring HP DCE Cells; Chapter 5 also describes how to configure MC/ServiceGuard with HP DCE.
• Chapter 6 describes HP-UX integrated login and how to integrate it with HP DCE.
• Chapter 7 describes diagnostic tools for cell administration, the enhanced CDS browser, administering CDS, establishing intercell communication, and miscellaneous notes about cell administration.
• Chapter 8 describes the HP DCE Measurement Service (DMS).
1 About HP DCE/9000 Version 1.7
HP DCE/9000 Version 1.7 (HP DCE 1.7) makes the functionality of OSF DCE Version 1.2.1 available on HP 9000 Series 700 and Series 800 systems running HP-UX 11. HP DCE 1.7 also includes new functionality and bug fixes.
HP DCE/9000 Core Services Software
HP DCE/9000 Version 1.7 is based on OSF DCE Version 1.2.1 source code, with bug fixes and value-added functionality. This section describes the contents of this release.
OSF DCE Components Included in This Release
This release includes the following OSF DCE components:
• Remote Procedure Call (RPC) Facility, supporting both connection-oriented (TCP/IP) and connectionless (UDP/IP) transport protocols.
• User-space Threads, based on Draft 4 of POSIX 1003.4a, Threads Extension for Portable Operating Systems.
• Cell Directory Service (CDS), including CDS server replication.
• Access to the CDS name space through the X/Open Directory Service (XDS) and X/Open Object Management (XOM) services. The OSF DCE 1.0.3 versions of the XDS, XOM, and dua libraries are a part of libdce, and the necessary XDS and XOM header files are provided.
• Security Service, including security server replication and additional security server replication functionality, and the Audit Service.
• Distributed Time Service (DTS); this release supports ntp, null, and Spectracom DTS time providers; it also supports global time servers and DCE time zones.
• Global Directory Agent (GDA), using the Berkeley Internet Naming Daemon (BIND).
The DCE application library is provided as both a shared library (libdce.sl) and an archive library (libdce.a). If you use the shared library, a DCE application can share a single copy of the library with other DCE applications that are running on the same host. If you use the archive library, each application binary will contain its own copy of DCE routines that it either directly or indirectly calls.
NOTE At HP DCE 1.7, both libdce and libcma were versioned for compatibility reasons. libdce.1 and libcma.1 are the latest patched HP DCE 1.5 libraries. libdce.2 and libcma.2 support HP DCE 1.7 on HP-UX 11.0. Shared applications built on HP DCE 1.6 may have to be recompiled to run on HP DCE 1.7.
Hewlett-Packard strongly recommends the use of shared libraries when building DCE applications. In our opinion, the advantages of shared libraries — smaller executable size, reduced memory requirement, and the ability to make use of forthcoming improvements to libdce without rebuilding or relinking binaries — outweigh the modest performance penalty HP has measured when testing a high-volume transaction processing application linked with DCE shared libraries.
HP DCE/9000 Features Added by Hewlett-Packard
Features Added at Previous Releases of HP DCE
HP DCE 1.7 supports the following features that were added to HP DCE/9000:
• The HP DCE Account Manager (HP DCE 1.4 and later releases) provides a graphical interface for creating and administering the DCE registry. The Account Manager requires a bit-mapped display. There is no ASCII terminal support. Online help is provided for the Account Manager. See “HP DCE Account Manager” later in this chapter for more information on the Account Manager.
• The HP DCE Cell Monitor (HP DCE 1.4 and HP DCE 1.5 only) provides a graphical display of the status of each node in a DCE cell.
• DCM, the DCE Configuration Manager (HP DCE 1.4 and later releases) allows you to configure the nodes in a DCE cell. This tool is accessible via SAM (the HP-UX System Administration Manager) and is documented in online help.
• A set of HP-UX Integrated login utilities that authenticate users via the DCE Security Registry instead of via /etc/passwd and /etc/group. HP DCE/9000 includes improvements to login, dtlogin, su, passwd, telnet, and rlogin, as well as new HP-UX Integrated versions of ftpd and dtsession and enhanced support for CDE/PAM. See Chapter 6 for more information about these utilities.
• The DCE cell diagnostic tool dceping.
• An enhanced version of the OSF CDS browser (cdsbrowser), which has been ported to Release 6 of the X11 Windows system and the Common Desktop Environment (CDE). The browser is accessible through SAM. See the CDS Browser online help (accessible via the CDS Browser Help menu) for details.
• Two sets of tools for developing DCE applications are available as separately priced options to HP DCE/9000. For DCE application development in C, HP DCE/9000 Application Development Tools includes a modified IDL compiler (I2DL), tracing and logging facility, error reporting facility, and sample applications. For DCE application development in C++, HP DCE/9000 Object-Oriented DCE (HP OODCE) includes an IDL++ compiler, tracing and logging facility, C++ class library, sample applications, include files, and modified header files for C++ application development.
• cdsclerk (new at HP DCE 1.5) no longer runs as a separate process. cdsclerk functionality has been merged into the cdsadv process. cdsadv, therefore, is now the only HP DCE CDS client process.
• HP’s dced (new at HP DCE 1.5) supports the new -r option. This option starts dced in remote-update mode, which allows DCE cell administration tasks to be performed by an administrator on a remote machine. In order to help prevent attacks, the dced default behavior is to disallow any remote administration.
• HP has enhanced the dcecp registry connect command with two new options that support intercell login:
-acctvalid Marks the local cell account as a valid account. A valid local cell account allows users from the foreign cell to log in to nodes in the local cell. The default is invalid.
-facctvalid Marks the foreign cell account as a valid account. A valid foreign cell account allows users from the local cell to log in to nodes in the foreign cell. The default is invalid.
See “Establishing Peer-to-peer Trust” in Chapter 7 for more information on these important new options.
• HP has added a new -r option, which refreshes a user’s credentials, to dce_login. Users are encouraged to use dce_login -r rather than kinit to refresh their credentials, since dce_login -r uses the more secure DCE Third-party preauthentication protocol, whereas kinit uses the less secure Kerberos 5 Timestamps protocol.
• HP has changed the default behavior of its configuration tools to automatically enable audit filtering. In addition, the default behavior of secd has been changed to enable audit filtering at start-up, and a new secd option, -noauditfilters, has been added to disable audit filtering. See “Configuring the DCE Audit Service” in Chapter 5, and the online secd man page for more information.
• HP DCE Measurement Service (DMS) to monitor resource utilization and performance of HP DCE 1.6 servers.
• Support for large uids.
• Support for context-switching 64-bit machine registers in DCE threads (libcma and libdce).
• Support for MC/ServiceGuard.
• Support for Secure Remote Utilities (Secure Internet Services) in the InternetSrvcs product.
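As an added example (not part of the HP manual or of HP's tooling), the sh function below checks a `ps -ef`-style process listing for the two non-default daemon options described in the list above: `dced -r`, which permits remote administration, and `secd -noauditfilters`, which turns audit filtering off. The sample listing is constructed, and the check assumes each option appears as its own argument on the daemon's command line.

```shell
#!/bin/sh
# Added example: report DCE daemons started with the non-default options
# described in this chapter. Reads `ps -ef`-style text on standard input.
# On a live host the input would come from: ps -ef | audit_dce_daemons

# Constructed sample listing (not captured from a real host).
SAMPLE_PS='     UID   PID  PPID  C    STIME TTY       TIME COMMAND
    root  1201     1  0 09:14:02 ?         0:03 dced -r
    root  1244     1  0 09:14:09 ?         0:11 secd -noauditfilters
    root  1290     1  0 09:14:15 ?         0:01 cdsadv
    root  1302     1  0   Nov 12 ?         0:00 dced'

audit_dce_daemons() {
    awk '
    {
        # STIME may be one token (09:14:02) or two (Nov 12), so the command
        # column has no fixed index. Find the daemon by basename instead.
        cmd = 0
        for (i = 3; i <= NF; i++) {
            n = split($i, parts, "/")
            base = parts[n]
            if (base == "dced" || base == "secd") { cmd = i; break }
        }
        if (!cmd) next

        # Inspect only the arguments that follow the daemon name.
        # Assumption: each option is a separate argument.
        for (j = cmd + 1; j <= NF; j++) {
            if (base == "dced" && $j == "-r")
                printf "pid=%s dced: remote-update mode enabled (-r)\n", $2
            if (base == "secd" && $j == "-noauditfilters")
                printf "pid=%s secd: audit filtering disabled (-noauditfilters)\n", $2
        }
    }'
}

# Stand-alone run: audit the constructed sample.
printf '%s\n' "$SAMPLE_PS" | audit_dce_daemons
```

A daemon that prints nothing here is running with the defaults the manual describes: remote administration disallowed for dced and audit filtering enabled for secd.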
Features Added at HP DCE 1.7
The following features are new at HP DCE 1.7:
• NSS-DCE: a DCE module for the Name Service Switch (see “Integrating DCE with HP-UX Integrated Login” in Chapter 6 for more information).
• DCE support for Kerberos V5 applications through creation of configuration and keytab files.
• All integrated login utilities, including ftpd, now use the Pluggable Authentication Module (PAM). There are no longer any separate .auth binaries.
In addition, HP DCE 1.7 contains numerous bug fixes.
Features Removed at HP DCE 1.6 and 1.7
The following features were removed at HP DCE 1.6:
• Distributed File Service (see “Installation Notes” in Chapter 4 for information about unconfiguring DFS before installing HP DCE 1.6).
• Global Directory Service.
• HP DCE Cell Monitor.
• The DCE cell diagnostic tool dceval.
The following feature was removed at HP DCE 1.7:
• Network Computing System (NCS) Version 1.5.1 compatibility (see “Note for Users of NCS-based Software” in Chapter 5 for important HP DCE/9000 configuration information).
Version Identification
Version information for individual HP DCE/9000 Version 1.7 components may be obtained via the /opt/dce/bin/dce_version utility. This utility prints the version of the installed DCE and can also retrieve what strings (see what (1)) from HP DCE/9000 programs and libraries. See the dce_version man page for information on how to use dce_version.
Cell Configuration and Diagnostics
HP DCE supplies two configuration tools with this release:
• dce_config is the cell configuration tool provided by OSF, with substantial modifications by Hewlett-Packard.
• DCM, the DCE Configuration Manager, provides a SAM interface to cell management.
• HP’s DCE cell validation and diagnostic tool dceping.
Common Desktop Environment (CDE) and Online Help
As of HP-UX 10.20 and later releases, the default environment is the Common Desktop Environment (CDE). (HP VUE was available with releases of HP-UX earlier than 10.30.) All HP DCE 1.7 online help and context-sensitive help works in CDE. If you print HP DCE 1.7 online help and context-sensitive help from CDE, the text is not formatted as it is on the screen; only text is printed (graphics are not printed).
DES and DES-Hidden Versions of this Release
The DCE Security component uses the Data Encryption Standard (DES) algorithm as its default encryption algorithm. Because the United States State Department restricts the export of DES software, HP supplies three binary versions of the dced daemon and the DCE library (libdce.1, libdce.2, and libdce.a):
• The U.S./Canada version is available only to HP customers in the United States and Canada. The U.S./Canada version of libdce supports use of DES to encrypt RPC argument values, via the “privacy” authentication level, and the use of DES to encrypt gssapi messages, via the gss_seal “confidentiality requested” flag. The U.S./Canada version of dced supports secure remote key table management.
• The Export version is available to all HP customers. The Export version of libdce disables the “privacy” authentication level in RPC, the gss_seal “confidentiality requested” flag, and all program entry points to DES routines. The Export version of dced does not support secure remote key table management.
If an application uses the Export version of the DCE library and specifies the “privacy” level or “confidentiality requested”, the library returns an error at run time. This restriction does not apply to the U.S./Canada version of this release.
See the dced (1M) man page for more information about remote key table management support in the two versions of the daemon.
NOTE Users of the Export version of HP DCE 1.7 should start dced with the -c
option. See the dced man page for more information.
Limitations of This Release
Some of the limitations described in this section reflect limitations of OSF DCE 1.2.1; others are limitations specific to this release.
Limitations of OSF DCE 1.2.1
Following are limitations of OSF DCE 1.2.1:
• The tool passwd_import, which imports user account information from /etc/passwd files to the Registry database, does not import the passwords themselves. Therefore, after you have used passwd_import to create skeletal DCE accounts in the Registry database, you must use the dcecp tool to add passwords to those accounts. This information is particularly important to customers who plan on using the HP-UX Integrated login tools (login, etc.) with DCE.
• Transitive trust path generation and evaluation, as described in sections 33.1.2 and 33.1.4 of the OSF DCE Administration Guide — Core Components, is not supported.
• Cell alias/rename is partially supported: creation of cell aliases (dcecp cellalias create) is supported; renaming of cells (dcecp cellalias set) is not supported. Disregard Sections 21.6.2 and 21.6.3 of the OSF DCE Administration Guide — Core Components.
• Cell alias names are not automatically propagated across cell boundaries. Use of cell aliases across cell boundaries is supported when the cell alias name is manually registered in the security name space.
HP DCE 1.6 and 1.7 Limitations on OSF DCE 1.2.1 Functionality
The following OSF DCE 1.2.1 functionality is not supported in HP DCE 1.6 or 1.7:
• Distributed File Service
• Global Directory Service
System Utilities Not Integrated with DCE Security
The following utilities are not integrated with DCE Security:
cron
at
rexecd
lp
Interoperability and Compatibility
This section describes the interoperability of this release with various implementations of OSF DCE, and its compatibility with previous versions of HP DCE, and with DCE-related technologies.
Binary Compatibility with Previous HP DCE Releases
Applications built on HP-UX 10.30 with HP DCE 1.6 may need to recompile due to the versioning of libdce and libcma in HP-UX 11.0. HP DCE 1.7 supports binary compatibility with HP DCE 1.2.1 and later releases. Applications linked with the archived HP DCE 1.2, 1.2.1, 1.3.1, 1.4, 1.4.1, 1.4.2, and 1.5 libdce are fully compatible with applications built with HP DCE 1.7 libraries. These applications can share login contexts and credentials without loss of data.
Binary compatibility for statically-linked HP DCE 1.2, 1.2.1, 1.3.1, 1.4, 1.4.1, 1.4.2, and 1.5 applications can be disabled, resulting in minor performance gains and slightly smaller credentials files. By default, binary compatibility is enabled when HP DCE 1.7 is installed and configured. You may disable binary compatibility on a per-host basis with the following commands:
#ps -ef|grep dced
#kill <dced PID#>
#/opt/dce/sbin/dced -r
#ps -ef|grep dced
#kill -SIGUSR1 <dced pid#>
#dcecp -local
dcecp> acl mod hostdata -change {user hosts/$HOST/self criI} -local
dcecp> acl mod hostdata -io -change {users hosts/$HOST/self cdprw} -local
dcecp> quit
#kill -SIGUSR1 <dced pid#>
dcecp>
dcecp> hostvar set -secbinarycompat off
To enable binary compatibility after it has been disabled, do the following:
1. Issue the command:
dcecp> hostvar set -secbinarycompat on
2. Stop and restart DCE daemons.
3. If using Integrated Login, log out and log in.
If a statically-linked HP DCE 1.2, 1.2.1, 1.3.1, 1.4, 1.4.1, 1.4.2, or 1.5 application purges a login context (via sec_login_purge_context) which an HP DCE 1.7 application had created or refreshed, one of the credential files will not be deleted from the disk. This file is located in /var/opt/dce/security/creds. The file name will consist of the unique credential cache ID associated with the login context and a “.data.db” suffix. Administrators may remove this file manually if they wish.
For information about the U.S./Canada version of HP DCE, see the HP DCE/9000 Version 1.7 U.S./Canada Version Release Note.
Source Code Compatibility with Previous HP DCE Releases
There are no known source code incompatibilities between HP DCE 1.7 and previous releases.
Interoperability with Other Implementations of OSF DCE
This release has been tested to ensure interoperability with the implementations of OSF DCE on the platforms listed in Table 1-1:
Table 1-1 HP DCE Interoperability With Other Platforms and DCE Implementations

Platform          Operating System                          DCE Implementation           OSF DCE Version
Digital Alpha     Digital UNIX 3.2-2                        Digital DCE V 1.3 (Rev 51)   1.0.3
IBM RS6000        AIX 4.1.4.0                               AIX DCE 2.1                  1.1
Sun SPARCstation  SunOS 5.4 Solaris 2.4                     Transarc DCE 1.1             1.1
Dell 450/ME 486   Microsoft DOS 5.0 Microsoft Windows 3.0   Gradient DCE 1.0.2a, 1.0.3   1.0.2, 1.0.3
Dell 450/ME 486   Digital Windows NT                        Digital DCE V 1.3            1.0.3
Dell 450/ME 486   IBM OS/2 2.1                              IBM DCE 1.1                  1.1

Hewlett-Packard’s DCE configuration tools are not guaranteed to interoperate with other vendors’ DCE implementations. In particular:
• The DCE Configuration Manager, DCM, will configure any other HP DCE/9000 Version 1.4x Series 700/800 system. It will also configure versions 1.6, 1.5, 1.3.1, 1.2, and 1.2.1 of HP DCE/9000, but some operations may not be supported.
• DCM will discover a cell in its entirety, including non-HP systems provided the non-HP systems have been correctly configured in the CDS name space. (DCM cannot configure non-HP systems.)
• DCM may be run from any DCE/9000 Version 1.7 system within the cell.
• HP’s version of dce_config is based on the OSF version, but contains enhancements specific to HP systems.
Interoperability of the DES and DES-Hidden Versions
The DES and DES-hidden versions of this release are interoperable with the following limitation: DES-based application servers or clients that specify the “privacy” RPC data protection level or the gss_seal “confidentiality requested” flag are not interoperable with servers or clients based on the DES-hidden version.
Neither DES nor DES-hidden versions of DCE are interoperable with any DCE version that has been built with the DES code omitted (instead of hidden). Some DCE ports from other vendors were built in this way in order to meet U.S. export requirements. If you are running a DCE port from another vendor, check with that vendor for details.
Kerberos Authentication Protocol Compatibility
The DCE Security authentication service implements Kerberos Version 5. DCE Security does not provide backward compatibility support for Kerberos Version 4.
DCE Support for Kerberos Applications and Configuration Notes
HP DCE 1.7 makes available enhanced configuration features specific to Kerberos Version 5. Configuration with dce_config has been updated to do the following for either a security server or client:
• Create a host principal, account and keytab entry for secure BSD remote utilities.
• Create the file /etc/krb5.conf for use by Kerberos V5 Beta 5-7 and Release 1.0 applications.
• Create the file /krb5/krb.realms for Kerberos V5 B4 applications.
• Add the entries klogin, kshell, ekshell, and eklogin as well as kerberos5 and kerberos-sec to /etc/services.
• Link the /etc/krb5.keytab file, which is the default keytab used by Kerberos V5 Release 1.0 clients, to the /krb5/v5srvtab file, which is the default keytab used by DCE clients. The file /etc/v5srvtab, which is the default keytab file used by Kerberos V5 Beta clients, is also linked to the /krb5/srvtab file.
The host principal uses a fully qualified host name. To construct this name, dce_config appends the Internet domain name to the host name in the format: host_name.domain_name. For example, when the domain name is ch.hp.com, and the host name is fred, the fully qualified host name is fred.ch.hp.com.
When configuring either a security server or client, dce_config checks the file /etc/resolv.conf for the Internet domain name. If the domain name is not found in this file, then the user is prompted to enter a domain name.
Before running dce_config, you can choose to set the environment variable DOMAIN_NAME to provide the domain name during configuration. Other environment variables used by dce_config are described in the section “Component Scripts and Environment Variables for dce_config” in Chapter 5.
An example of a standard domain name is ch.apollo.hp.com. A DCE principal name takes the form:
/.../cellname/host/fully_qualified_hostname
Configuration for secure remote utilities may require the additional step of adding entries to inetd.conf.
Remote Services File
The following describes the service and port settings in /etc/services for the different versions of Kerberos. Kerberos V5 Release 1.0 expects the service "kerberos" to use port 88. However, older versions of Kerberos (V4) expect the "kerberos" service to use port 750. For this reason, dce_config does not set/reset the service "kerberos" in /etc/services. dce_config does set the following in /etc/services:
kerberos5 88 udp kdc for V5 Beta 5-7 applications
kerberos-sec 88 udp kdc for V5 Release 1.0 applications
If a customer has an environment where they are supporting different versions of Kerberos clients, they can set the port number for V5 Release 1.0 clients explicitly in the [realms] section of the /etc/krb5.conf file:
kdc = host:88
For related and more detailed information, see the whitepaper Using HP DCE 9000 Security with Kerberos Applications in /opt/dce/newconfig/RelNotes/krbWhitePaper.ps.
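A check of a services file against the settings described above, as an added example that is not part of the HP manual or its tools. It assumes the usual services syntax (name port/protocol aliases # comment); the function names are hypothetical and the sample entries, including their port numbers, are constructed.

```shell
#!/bin/sh
# Added example: verify the Kerberos-related entries dce_config is described
# as creating, and report which port the untouched "kerberos" entry uses.

# svc_port FILE NAME PROTO
# Print the port of service NAME (primary name or alias). PROTO may be empty
# to accept any protocol. Returns non-zero when there is no such entry.
svc_port() {
    awk -v name="$2" -v proto="$3" '
        { sub(/#.*/, "") }                       # strip trailing comments
        NF < 2 { next }
        {
            split($2, pp, "/")                   # pp[1]=port, pp[2]=protocol
            if (proto != "" && pp[2] != proto) next
            hit = ($1 == name)
            for (i = 3; i <= NF && !hit; i++) hit = ($i == name)
            if (hit) { print pp[1]; found = 1; exit }
        }
        END { exit !found }' "$1"
}

# check_krb_services FILE
# One finding per line; returns non-zero if any expected entry is wrong.
check_krb_services() {
    file=$1; rc=0
    for svc in kerberos5 kerberos-sec; do
        port=$(svc_port "$file" "$svc" udp) || port=missing
        if [ "$port" = 88 ]; then
            echo "OK   $svc 88/udp"
        else
            echo "FAIL $svc expected 88/udp, found $port"; rc=1
        fi
    done
    for svc in klogin kshell ekshell eklogin; do
        if port=$(svc_port "$file" "$svc" ""); then
            echo "OK   $svc present (port $port)"
        else
            echo "FAIL $svc has no entry"; rc=1
        fi
    done
    # dce_config does not set or reset "kerberos"; only report what is there.
    port=$(svc_port "$file" kerberos udp) || port=unset
    case $port in
        88)  echo "INFO kerberos 88/udp: matches what V5 Release 1.0 expects" ;;
        750) echo "INFO kerberos 750/udp: V4 port, V5 Release 1.0 clients need kdc = host:88 in /etc/krb5.conf" ;;
        *)   echo "INFO kerberos udp port: $port" ;;
    esac
    return $rc
}

# Constructed sample: "kerberos" still on the V4 port, ekshell missing.
krb_sample_services() {
    cat <<'EOF'
kerberos      750/udp  kdc       # V4 clients
kerberos5     88/udp   kdc       # V5 Beta 5-7
kerberos-sec  88/udp   kdc       # V5 Release 1.0
klogin        543/tcp
kshell        544/tcp  krcmd
eklogin       2105/tcp
EOF
}

if [ $# -ge 1 ]; then
    check_krb_services "$1"
else
    tmp=$(mktemp) && krb_sample_services > "$tmp"
    check_krb_services "$tmp" || echo "sample file has findings"
    rm -f "$tmp"
fi
```

Pass the path of a services file as the only argument to check it; with no argument the script runs against the constructed sample.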
Support for Secure Internet Services
The DCE KDC is used by the Secure Internet Services, also known as the Secure Remote Utilities, that are shipped as part of the InternetSrvcs product on HP-UX 11.0. The kerberized utilities include rlogin, remshd, rcp, ftp, and telnet services. A new command, k5dcelogin, has been added to DCE in support of these utilities. When ticket forwarding is requested, k5dcelogin promotes a principal's Kerberos V5 credentials to DCE credentials. Refer to documentation on Secure Internet Services for configuration information.
DCE GSS-API Interoperability with MIT and Third-Party Kerberos Implementations
The GSS-API has been updated to conform to the latest Kerberos and GSS-API standards, while other changes accommodate the non-conformance of older DCE and MIT GSS-API implementations.
Notes, Cautions and Warnings Regarding This Release
dcecp host Command
All of the operations of the dcecp host command are implemented. See the host (8dce) man page for syntax and details.
Security and Remote Login Utilities
You can use standard UNIX remote login utilities (remsh, rlogin, telnet) to perform remote DCE cell administration. However, these
utilities expose the cell administrator’s password to network attackers whenever you perform a task on a remote system. If a network attacker
obtains the password, the security of the cell’s DCE services is compromised. The most secure way to perform cell administration is to log in locally to each system you want to administer. The use of Secure Internet Services (SIS) does not provide better security for the purpose of remote DCE cell administration.
Security and Credential Lifetime
DCE credentials consist of Kerberos tickets shared by principals and the security server. The security server encrypts the tickets with a server key. Usually, the credential lifetime for a Kerberos ticket is a defined expiration time.
Hewlett-Packard recommends using Kerberos tickets with a defined expiration time and changing the server keys frequently. Using tickets with an infinite lifetime makes it difficult to automatically change server keys without invalidating the outstanding tickets. It also defeats the automatic key garbage collection, which the sec_key_mgmt_change_key operation performs.
ANSI C Requirement for HP DCE/9000
Hewlett-Packard supports only the ANSI C compiler for building HP DCE applications. Hewlett-Packard cannot provide support for problems with HP DCE applications that were not compiled using the ANSI C compiler.
This restriction also applies to applications on HP-UX 10.x systems built using the HP-UX user-space threads library (libcma).
dce_login -r Option
Starting with HP DCE 1.4, the -r option, which refreshes a user’s credentials, was added to dce_login. Users are encouraged to use
dce_login -r rather than kinit to refresh their credentials, since dce_login -r uses the more secure DCE Third-party preauthentication
protocol, whereas kinit uses the less secure Kerberos 5 Timestamps protocol.
Removing DCE Credentials
A user’s DCE credentials (stored in the directory /var/opt/dce/security/creds) are not automatically removed by exiting a shell or logging out. Unless you plan to leave background processes running that require your DCE credentials, you should manually remove your credentials before logging out by running the kdestroy utility. This will make the system more secure by decreasing the opportunity for someone to maliciously gain access to your network credentials.
The kdestroy command has been modified to allow destruction of credentials older than a specified number of hours. kdestroy -e exp-period may be run manually or regularly as a cron job to purge older credential files. See the kdestroy (1) man page for syntax and usage information.
Credentials are automatically removed at system boot.
HP-UX Integrated Login Utilities
Most systems will require the transfer of account information from /etc/passwd to the DCE Security Registry before the system will be useful.
The script /usr/sbin/auth.adm is supplied to activate the integrated login utilities once your system has been set up with the needed accounts. See Chapter 6 for more information about using the /usr/sbin/auth.adm script.
Do not use the auth.adm script to activate the HP-UX Integrated login utilities until after you have set up the accounts necessary for your site in the DCE security service registry.
The DCE Audit Service
The DCE Audit Service was first released with HP DCE 1.4.x; the DCE Audit Service provides auditing capabilities for DCE Security and Time services.
By default, all audit events are disabled (not logged). As part of the default DCE configuration start-up, the DCEAUDITFILTERON environment variable is set. When set, the DCEAUDITFILTERON environment variable specifies that audit event filtering must be utilized to enable logging the desired set of audit events.
To enable auditing, the auditd server process must be started on any system where auditing is desired. As part of the standard DCE configuration start-up for auditd, a set of audit filters is specified for the Security, DTS and auditd server processes. (You can modify these filters as necessary for your site.)
You will need to do some planning to determine the degree of audit proper for your site, and to allow for disk space overhead for your audit logs. If you want to do some auditing, such as logging and tracking modifications to the security registry database, audit filtering is highly recommended. By using audit filtering, it is possible to change the types of events being audited dynamically, without needing to restart the servers for the changes to take effect.
Administrators should periodically monitor the size of the Security audit logs on the Security server machines. Each audit trail log consists of two files — the actual trail log file and the associated index file. These logs are in:
/var/opt/dce/security/sec_audit_trail
/var/opt/dce/security/sec_audit_trail.md_index
Other older audit logs may also be present. These can be found under the same directory, but have a date and time stamp format inserted into the name. As an example:
sec_audit_trail.1995-08-31-15-19-52
sec_audit_trail.1995-08-31-15-19-52.md_index
For detailed information on the DCE Audit Service, see the OSF DCE Administration Guide and Reference. For Audit Service configuration
information see Chapter 5 of this manual.
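One way to do the periodic size check described above, as an added example that is not part of the HP manual or its tools. The function names and the AUDIT_DIR variable are hypothetical; the file names follow the patterns shown above, and the sample tree (including the 1996 archive) is constructed.

```shell
#!/bin/sh
# Added example: inventory of the DCE Security audit trail files.
# Live pair:     sec_audit_trail, sec_audit_trail.md_index
# Archived pair: sec_audit_trail.YYYY-MM-DD-HH-MM-SS[.md_index]
AUDIT_DIR=${AUDIT_DIR:-/var/opt/dce/security}

# Total bytes held by the live trail, its index and every archived copy.
audit_trail_bytes() {
    total=0
    for f in "$1"/sec_audit_trail*; do
        [ -f "$f" ] || continue
        size=$(wc -c < "$f")
        total=$((total + size))
    done
    echo "$total"
}

# Timestamps of archived trails, oldest first.
audit_trail_archives() {
    for f in "$1"/sec_audit_trail.*; do
        [ -f "$f" ] || continue
        stamp=${f##*/sec_audit_trail.}
        case $stamp in
            *md_index) ;;       # index files are covered through their trail
            [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]-[0-9][0-9]-[0-9][0-9]-[0-9][0-9])
                echo "$stamp" ;;
        esac
    done | sort
}

# Trail or index files whose partner file is missing.
audit_trail_unpaired() {
    for f in "$1"/sec_audit_trail*; do
        [ -f "$f" ] || continue
        case $f in
            *.md_index) [ -f "${f%.md_index}" ] || echo "${f##*/}" ;;
            *)          [ -f "$f.md_index" ]    || echo "${f##*/}" ;;
        esac
    done
}

# Archive timestamps dated before a cutoff day given as YYYY-MM-DD.
# The timestamps are fixed width, so a plain string comparison orders them.
audit_archives_before() {
    audit_trail_archives "$1" | awk -v cutoff="$2" 'substr($0, 1, 10) < cutoff'
}

audit_report() {
    echo "audit trail bytes in $1: $(audit_trail_bytes "$1")"
    echo "archived trails: $(audit_trail_archives "$1" | wc -l)"
    audit_trail_unpaired "$1" | sed 's/^/missing partner for: /'
}

# Constructed sample tree: dummy contents, 25 bytes in total, and one
# archive whose index file is deliberately absent.
audit_sample_dir() {
    d=$(mktemp -d) || return 1
    printf '%s' 0123456789 > "$d/sec_audit_trail"
    printf '%s' 0123       > "$d/sec_audit_trail.md_index"
    printf '%s' 012345     > "$d/sec_audit_trail.1995-08-31-15-19-52"
    printf '%s' 01         > "$d/sec_audit_trail.1995-08-31-15-19-52.md_index"
    printf '%s' 012        > "$d/sec_audit_trail.1996-01-02-03-04-05"
    echo "$d"
}

if [ -d "$AUDIT_DIR" ]; then
    audit_report "$AUDIT_DIR"
else
    demo=$(audit_sample_dir) && audit_report "$demo" && rm -rf "$demo"
fi
```

On a host without the audit directory the script reports on the constructed sample instead, so the output format can be inspected anywhere.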
Setting LANG and NLSPATH Environment Variables
English-language users of HP DCE/9000 should set the NLSPATH environment variable to include /usr/lib/nls/C/%N or should set NLSPATH to include /usr/lib/nls/%L/%N and LANG to C. Users who want to use another language should set the NLSPATH environment variable to include /usr/lib/nls/%L/%N and LANG to their preferred language. See the environ (5) and locale (1) man pages for details on LANG and NLSPATH syntax.
dcecp in Local Mode
When you run dcecp in “local” mode (that is, when you start dcecp with the -local option) on a host with dced in partial-service mode, there is a possibility that a dcecp ‘acl modify -add’ command will not work. The interactive dcecp session may hang or a Bus Error may be returned. One workaround for this condition is to run dcecp in normal mode on a host that is running dced, also in normal mode, and then execute dcecp again. Alternatively, you can quit out of local mode between acl modify -add commands, as follows:
dcecp -local
dcecp> acl modify -local foo1 -add ...
dcecp> quit
dcecp -local
dcecp> acl modify -local foo2 -add ...
dcecp> quit
dcecp secval Change
At HP DCE 1.6, dcecp’s secval activate and secval deactivate commands became asynchronous. They return before the actual change takes place within dced. Therefore, you should use the secval status command to verify the state change. Prior to HP DCE 1.6, secval activate and secval deactivate were synchronous and did not return until the actual state change finished in dced. Although future HP DCE/9000 releases may reimplement synchronous secval activate and deactivate commands, the verification by secval status is still recommended.
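A wrapper that follows the advice above by polling secval status after each change, as an added example that is not part of the HP manual or its tools. It assumes that dcecp -c runs a single command and that secval status prints 1 when the service is active and 0 when it is not; the DCECP variable and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: treat "secval activate" and "secval deactivate" as
# asynchronous and confirm the state change before continuing.
DCECP=${DCECP:-dcecp}

# Print the state reported by dced (assumed: 1 = active, 0 = inactive).
secval_state() {
    "$DCECP" -c secval status 2>/dev/null
}

# wait_secval WANT [TRIES] [INTERVAL_SECS]
# Poll until the reported state equals WANT. Returns 1 if it never does.
wait_secval() {
    want=$1; tries=${2:-30}; interval=${3:-2}
    while [ "$tries" -gt 0 ]; do
        state=$(secval_state) || state=unknown
        if [ "$state" = "$want" ]; then
            return 0
        fi
        tries=$((tries - 1))
        sleep "$interval"
    done
    return 1
}

# secval_change activate|deactivate [TRIES] [INTERVAL_SECS]
# Return codes: 0 state confirmed, 1 not confirmed within the allowed polls,
#               2 bad argument, 3 the dcecp command itself failed.
secval_change() {
    case $1 in
        activate)   want=1 ;;
        deactivate) want=0 ;;
        *)          return 2 ;;
    esac
    "$DCECP" -c secval "$1" || return 3
    wait_secval "$want" "${2:-30}" "${3:-2}"
}

# Run as: this_script activate|deactivate
case ${1:-} in
    activate|deactivate)
        if secval_change "$1"; then
            echo "secval $1 confirmed"
        else
            echo "secval $1 not confirmed" >&2
            exit 1
        fi
        ;;
esac
```

A script that deactivates secval for maintenance should stop if secval_change returns non-zero rather than continue on the assumption that the state changed.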
HP DCE/9000 Interoperability with SharedPrint/UX
SharedPrint/UX 1.3 or earlier will not operate with HP DCE/9000.
k5dcelogin Limitation
There is a limitation in the k5dcelogin command when called by rlogin -f to log in to the local node.
If you already have Kerberos credentials on the local node when using rlogin -f to log in, then when you exit or log out, your local Kerberos credentials will be deleted. This is a limitation in k5dcelogin, where the local credentials are deleted on completion of the process.
The workaround is to use rlogin without the -f option when logging in to the local node. When you use rlogin -f to log in to a remote node, k5dcelogin deletes the credentials on the remote system once you exit the remote system; this is intended behavior.
Features Planned for a Future Release
This section describes OSF DCE and HP DCE features that will be supported in future releases of HP DCE.
• 64-bit libraries to support DCE 64-bit application development
• Kernel-threaded (POSIX 1003.1c) DCE
• LDAP NSI version for 10.20 and 11.0
• Improved scalability, robustness, and availability
• Improved administration and configuration
Future Support for POSIX 1003.1c Threads
CMA applications are likely to migrate from Draft 4 of the POSIX threads standard to the final, ratified 1003.1c standard for kernel threads. This migration will result in source incompatibility, and it is recommended that application developers plan now for this transition. HP plans to preserve binary compatibility. However, developers can prepare for this change as follows:
1. Isolate new threads API usage to macros or wrapper APIs.
2. Minimize the use of signals, and use only POSIX semantics when programming with signals.
For example, we recommend that threaded applications use only the functions sigaction(), sigprocmask(), and sigwait().
HP DCE 1.7 Documentation
Documentation for HP DCE 1.7 consists of printed and online materials. For a complete list of documentation, including part numbers, see the HP DCE/9000 Version 1.7 Release Note.
Printed Documentation
The printed documentation for HP DCE 1.7 consists of HP DCE 1.7 manuals, the OSF DCE documentation set, and two books by O’Reilly and Associates.
The following manuals are written by Hewlett-Packard:
Planning and Configuring HP DCE 1.7 (B3190-90073) describes the HP changes and additions to OSF DCE 1.2.1; it also describes installing and configuring HP DCE 1.7 and how to migrate from previous releases of HP DCE to HP DCE 1.7. This document describes both HP DCE 1.7 clients and servers.
HP DCE/9000 Version 1.7 for HP-UX 11.0 Release Note (B3190-90072) describes the HP DCE 1.7 documentation set, known problems with HP DCE 1.7, limitations of HP DCE 1.7, required patches (if any), and similar information.
HP DCE/9000 Version 1.7 U.S./Canada Software for HP-UX 11.0 Release Note (B3864-90006) describes the US/Canada version of HP DCE 1.7.
HP DCE/9000 Version 1.7 Application Development Tools for HP-UX 11.0 Release Note (B3193-90022) describes two optional products that comprise the HP DCE 1.7 Application Development Tools for HP-UX 11.0. The DCE-C-Tools product assists in the development of HP DCE 1.7 programs written in C. The DCE-OO-Tools product assists in the development of object-oriented programs written in C++.
The OSF DCE documentation set published by Prentice-Hall includes the following manuals:
Introduction to OSF DCE (B3190-90046)
OSF DCE Command Reference (B3190-90063)
OSF DCE Administration Guide Volume 2 — Core Components (B3190-90048)
OSF DCE DFS Administration Guide and Reference (B3190-90049)
The OSF DCE Application Development Reference (B3190-90037)
OSF DCE Application Development Guide Volume 1 — Introduction and Style Guide (B3190-90038)
OSF DCE Application Development Guide Volume 2 — Core Components (B3190-90039)
OSF DCE Application Development Guide Volume 3 — Directory Services (B3190-90040)
The following books are published by O’Reilly & Associates:
Understanding DCE (B3190-90018)
Guide to Writing DCE Applications (B3190-90029)
For general information on installing software on HP-UX 11.0 systems, see Installing HP-UX 11.0 and Updating HP-UX 10.x to 11.0 (B2355-90153).
For general information about programming with CMA threads on HP-UX 11.0, see Programming with Threads on HP-UX (B2355-90060).
Online Documentation
The online documentation for HP DCE 1.7 consists of release notes, man pages, HP DCE online help, and embedded online help for the HP DCE Cell Administration tools.
Online Release Notes
An online version of the U.S./Canada release note (HP DCE/9000 Version 1.7 U.S./Canada Software for HP-UX 11.0 Release Note) is provided in the directory /opt/dce/newconfig/RelNotes. This directory also contains the release note for the HP DCE client software (HP DCE/9000 Version 1.7 Client Software for HP-UX 11.0 Release Note). The client software release note is provided online only.
Man Pages
Reference pages describing DCE commands and calls are available online in the form of man pages.
There are two styles of man page headers:
• “OSF” or “Open Software Foundation” - This header means that the man page originates from OSF and has not been changed by HP.
• “HP DCE” - This header means that the man page either originates from HP or is an OSF man page that HP has changed.
HP DCE man pages are in the following directories:
/opt/dce/share/man
/opt/dce/usr/man
/usr/share/man
To read DCE man pages by using the man command, include the path names listed above in your MANPATH shell environment variable.
NOTE Use the following command to display the dts_update man page:
man dts_update
HP DCE Online Help
HP DCE/9000 offers a DCE Online Help feature that provides information about various aspects of HP DCE. DCE Online Help is integrated into the HP Help System, so you can access it from the CDE Front Panel help icon.
NOTE This feature is supported on X-based displays only; it is not available on ASCII terminals.
This version of HP DCE/9000 Online Help contains the following kinds of help:
• Guide to HP DCE/9000 hardcopy documentation. Provides a list of the manuals available for HP DCE/9000.
• Access to HP DCE/9000 Man Pages.
NOTE The main menu of the Help Manager lists the HP DCE/9000 Application
Development Tools Release Notes and HP DCE Sample Applications. These help topics are available only if the HP DCE/9000 Application Development Tools optional product is installed.
Accessing DCE Online Help From CDE
You can access the DCE Online Help from the Front Panel or from a shell.
To access the DCE Online Help from the Front Panel, follow these steps:
1. Click on the Front Panel help icon (the “?”). A “Welcome to Help Manager” help window appears.
2. In the Help Manager window, click on the “HP DCE/9000, Version 1.7” product-family title. A list of the HP DCE/9000 help volumes appears.
3. To display a help volume, click on its title.
To access the DCE Online Help from a shell prompt, enter this command:
/usr/dt/bin/dthelpview -h DCEwelcome
This displays an introductory help window that has hyperlinks to all of the other help volumes in the HP DCE Online Help system.
Note that you can press the F1 key in any help window to get help on using the help system.
Embedded Online Help for HP DCE Cell Administration Tools
The HP DCE DCM, Account Manager, and CDS Browser tools are provided with online help.
HP DMS also has context-sensitive help as provided by HP GlancePlus.
HP DCE Administration Tools
The administration tools are Account Manager, DCM (the Distributed Configuration Manager), and the HP CDS Browser. The Account Manager provides a graphical interface for creating objects in the DCE registry and for administering the DCE registry. HP’s DCE Configuration Manager provides a graphical interface for configuring a DCE cell; the HP DCE CDS Browser provides a graphical display for browsing and editing the CDS name space.
All of the HP DCE Administration Tools have extensive online help. You can invoke the HP DCE Account Manager and the HP CDS Browser
from SAM by selecting the DCE Cell Management icon.
HP DCE Account Manager
The Account Manager provides a graphical user interface for managing the DCE Registry. With the Account Manager, you can:
• Create and manage users (principals with or without accounts)
• Create and manage groups and organizations
• Manage Registry Policy (Registry IDs, Tickets, Password and Account policy)
• Create and manage Registry Attribute Types (Extended Registry Attributes)
• Manage ACLs (Access Control Lists) on the above
HP DCE Account Manager Documentation
Documentation for the Account Manager is provided as online help. You may also want to view the dcecp man pages. To read the DCE man
pages with the man command, you must include /opt/dce/usr/man in your MANPATH shell environment variable.
Installing the Account Manager
The Account Manager is included in the DCE-ACCT-MGR fileset. You must install this fileset on each system on which you want to run the Account Manager.
NOTE The Account Manager requires a bit-mapped display; it does not run on
ASCII terminals. Also, small bit-mapped displays (such as some PC displays), which may cut off portions of dialog boxes, are unsupported.
Running the Account Manager
If you are running the Account Manager locally, you do not need to set the DISPLAY environment variable ($DISPLAY). If you are running the Account Manager from a remote machine, however, use the following command to set the DISPLAY environment variable to the local machine:
export DISPLAY=localhostname:0.0
If $DISPLAY is not set, the following warning displays:
Warning: You are viewing the Account Manager using a remote X display. Passwords and other confidential information will pass over the network in clear text, and may be seen by network pirates. You may wish to exit the Account Manager and run it from a local X display.
Start the Account Manager with the following command:
/opt/dce/bin/acctmgr
If you want to perform privileged operations (such as registry modifications) with the Account Manager, you must run the Account Manager as the DCE cell_admin principal.
The Account Manager can also be started as follows from SAM:
1. Log in as root.
2. Execute sam from a shell prompt.
3. Select (double click on) DCE Cell Management.
4. Select (double click on) DCE Account Manager.
Tips for New Users
• Log into DCE before starting the Account Manager, or use the Login option from within the Account Manager.
• Establish your preferences in the Options “Preferences” dialog box when you initially start the Account Manager. If you are administering a very large cell, read “Managing Very Large Cells with Account Manager” below.
• It is recommended that you bring up the Assistant from the File menu when you initially start the Account Manager, and iconize it when not in use.
• Where possible, use batch operations and profiles to automate time-consuming repetitive tasks, such as adding multiple users that have similar characteristics.
Managing Very Large Cells with Account Manager
DCE interfaces can be slow to retrieve lists for very large DCE deployments (for example, if the DCE registry is managing many thousands of users). The performance of the Account Manager will be affected in this case. To aid the Account Manager’s performance for very large deployments, take the following steps:
1. In the Options/Preferences dialog, enable the option to “Display -User/Group/Org/Attribute_Type List as Text instead of Icons.” The Account Manager requires major resources to map very large lists into iconic display, and this option is needed to bypass that step.
2. In the Options/Preferences dialog, disable the option to “Display -User/Group/Org/Attribute_Type List at Start Up”. This step should be done if any of the following are true:
• You know the names of the objects you want to manage.
• You will manage only a subset of objects (for example, users in a certain group).
• You will ask the Account Manager to read in the list of objects to manage from a file (see #3 below).
In this step, the first time that you navigate the Account Manager to an object management screen (for example, User Management), the list will be empty.
Then proceed as follows:
• If you know the names of the objects to manage, select the appropriate Action. You will be prompted to enter the object name or names.
• If you wish to read in names from a file, or retrieve a partial listing (such as all users in group XXX), select Options/Specify List.
3. If the retrieval of large lists degrades Account Manager performance, you may wish to assist the Account Manager by retrieving the list during an off-time using the dcecp command and saving the list to a file. This file could be generated automatically (for example, nightly by a cron job).
Here is a sample script to retrieve and sort the DCE users list:
dcecp -c "principal catalog -simplename" | sort > usrlist
Once the list has been retrieved, you can read in the list to the Account Manager display from a file. In this case, you must first do step 2 above to set the Preferences dialog; if you do not set the Preferences dialog, the Account Manager will automatically begin to retrieve all objects when you navigate to an object area. Then you navigate to the object area, for example, User Management. To load the list from the local file, select Options/Specify List. In the Specify Users List dialog, select the option “From File” to read in the list.
Account Manager Limitations and Exceptions
The following are limitations and exceptions to Account Manager at HP DCE 1.6 and 1.7:
• User inputs for defining and attaching Registry Attribute types may cause improper tool operation if the inputs contain the following special characters:
{ left curly brace
} right curly brace
[ left square bracket
] right square bracket
" double quotation mark
\ backslash
For other inputs (for example, defining user names and group names), the quote and backslash may cause problems. An example of an illegitimate name is: \dos\dir.
• The Account Manager is not internationalized.
• Descriptive text for Registry Attribute Types is currently limited to three lines of text. The tool provides no way to view descriptions which occupy more than three lines.
• A profile that is created from a View operation (such as “View User”) does not correctly handle an alias name. As a workaround, create profiles including aliases only from Add operation dialogs.
• Cross-cell administration is not supported.
• Importation of user account information from /etc/passwd is not supported.
• If a profile directs the removal of a group or organization member, the list of members is retrieved prior to removal, even if preferences state that lists should not be automatically retrieved.
HP Password Management Server
A Password Management Server implements policies for password strength. Sites can implement site-specific policies by writing their own Password Management Server, and attaching appropriate Extended Registry Attributes (ERAs) to the principals that are subject to these policies.
A Password Management Server must implement the interface described in dce/rsec_pwd_mgmt.idl.
In order to be configurable by dce_config or DCM, the Password Management Server must conform to the following guidelines:
• There must be only one Password Management Server per cell.
• The Password Management Server must execute on the same machine as the master DCE Security Server.
• The binary must be named pwd_strengthd.
• The binary must be located in /opt/dce/sbin.
• There must be a single option, -v, on the command line.
• The server must log any information it generates to /var/opt/dce/security/pwd_strengthd.log.
• The server must export its interfaces to CDS in /.:/subsys/dce/pwd_mgmt/pwd_strength.
• The server must use keytab file in /krb5/pwd_strength_tab.
• The server must use principal name and CDS entry name of pwd_strength.
• The server must not depend on any other environment variables or files that must be configured.
Example Sources
Password Management Server sources are supplied in /opt/dce/share/hpexam. These are the sources used to build the Password Management Server supplied with the HP DCE release.
Certain files that contain proprietary SecureWare algorithms have been omitted, but stubs are supplied that allow the resulting server to build. Note that certain values of the pwd_SecureWare_chk ERA (specifically, values 1 and 2) are unsupported, and will result in failures to pass strength checking if you attempt to use the example server as described in the documentation. The logfile entry will report that the
pwd_SecureWare_chk level is not supported.
Build Process
The source code directory for pwd_mgmt and the files in it are installed write protected. To build this application, copy the files into a private, writable directory you create. This way the original files will continue to be available for you or others to consult.
cd to the private, writable directory where you copied the source files and type:
make -f Makefile.example
Your system’s /bin/make command should successfully build the client and server programs using the Makefile provided, if modified as above.
Unlike the other sample applications, where you are encouraged to generate a new UUID when you make modifications, you must not make changes to rsec_pwd_mgmt.idl. secd is linked with the client stub for the rsec_pwd_mgmt interface so changing the interface UUID will cause communication problems between secd and your Password Management Server.
Administrative Setup
The dce_config and pwd_config files supplied with this DCE release are set up to configure and start up a Password Management Server that conforms to the guidelines listed above.
In order to have the policies implemented by any Password Management Server apply to a given principal, the administrator must attach instances of the following two Extended Registry Attributes to the principal’s node in the DCE Registry:
pwd_val_type
The pwd_val_type attribute controls the type of password management that applies to a given principal. The values are:
0 — Check passwords entered by this principal using the DCE Registry policy only.
1 — Check passwords entered by this principal using the Password Management Server.
2 — Principal may either choose a password (which is then checked with the Password Management Server), or can use a password that has been generated by the Password Management Server (no additional strength checking is done).
3 — Principal must use a password generated by the Password Management Server.
The HP Account Manager can facilitate the administration of ERAs.
pwd_mgmt_binding attribute
The pwd_mgmt_binding attribute specifies the binding to the Password Management Server that will be used for this principal. In future releases, more than one Password Management Server may be supported, but for now, the value of the pwd_mgmt_binding attribute must always be:
{pwd_mgmt_binding {{dce /.:/pwd_strength pktprivacy secret name} \
{/.:/subsys/dce/sec/pwd_mgmt/pwd_strength}}}
pwd_SecureWare_chk
HP’s default implementation of the Password Management Server uses an additional Extended Registry Attribute to control the level of strength checking algorithm that will be applied to a given principal. The values are:
0 — Use DCE Registry algorithm only (such as, depending on DCE registry policies, check password length, blanks, alphanumeric).
1 — In addition to checking against the DCE Registry algorithm, use a proprietary SecureWare algorithm that verifies the password meets certain tests for non-triviality (not a circular shift of the principal’s name or its reverse, contains at least 2 alphanumeric characters, contains at least one non-alphanumeric character).
2 — In addition to the two previous checks, use a proprietary SecureWare algorithm that verifies the password is not a word (and is not a palindrome, does not contain the same characters as any group or principal name in the DCE Registry, and is not found in the spell program’s dictionary).
If a principal does not have an instance of pwd_SecureWare_chk attached, then the Password Management Server uses the DCE Registry algorithm only.
The example Password Management Server does not support values 1 or 2 for pwd_SecureWare_chk, since these use proprietary SecureWare algorithms. If a principal is configured with a pwd_SecureWare_chk value of 1 or 2, the principal will be unable to change passwords, and the logfile /var/opt/dce/security/pwd_strength.log will report that the pwd_SecureWare_chk level is not supported.
An example of a dcecp command for configuring a principal with these attributes is:
dcecp -c principal modify esmerelda -add { \
    {pwd_val_type 1} \
    {pwd_mgmt_binding { \
        {dce /.:/pwd_strength pktprivacy secret name} \
        {/.:/subsys/dce/sec/pwd_mgmt/pwd_strength} \
        } \
    } \
    {pwd_SecureWare_chk 0} \
}
You must set the minimum length of the password using the DCE Registry policies:
dcecp -c registry modify -change {pwdminlen 6}
Examples of other DCE Registry password policy attributes in dcecp syntax are:
{pwdalpha no}
{pwdspaces no}
{pwdexpdate none}
{pwdlife unlimited effective 5 days}
Only the pwdminlen, pwdalpha, and pwdspaces attributes are checked by the Password Management Server; the DCE Registry checks the remaining attributes itself.
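The registry-policy checks (pwdminlen, pwdalpha, pwdspaces) and the level 1 non-triviality tests described above can be written out as follows; this is an added C example, not HP's pwd_strengthd source and not the proprietary SecureWare algorithm. Assumptions: all type and function names are hypothetical, "no" for pwdalpha and pwdspaces is taken to forbid all-alphanumeric and all-space passwords, the name comparison ignores case, and any level other than 0 or 1 is rejected rather than silently downgraded.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* The three registry policy attributes the page says the server checks.
 * Assumed semantics: false ("no") forbids an all-alphanumeric password
 * (pwdalpha) or an all-space password (pwdspaces). */
struct registry_policy {
    size_t pwdminlen;
    bool pwdalpha;
    bool pwdspaces;
};

enum pwd_result {
    PWD_OK, PWD_TOO_SHORT, PWD_ALL_SPACES, PWD_ALL_ALNUM,
    PWD_NAME_ROTATION, PWD_TOO_FEW_ALNUM, PWD_NO_NON_ALNUM,
    PWD_LEVEL_UNSUPPORTED
};

static size_t count_alnum(const char *s)
{
    size_t n = 0;
    for (; *s; s++)
        if (isalnum((unsigned char)*s))
            n++;
    return n;
}

/* True if pwd is a circular shift of name (reversed == false) or of the
 * reversed name (reversed == true). Case is ignored: a choice made for
 * this example, not something the page specifies. */
static bool is_rotation(const char *pwd, const char *name, bool reversed)
{
    size_t n = strlen(name);
    if (n == 0 || strlen(pwd) != n)
        return false;
    for (size_t k = 0; k < n; k++) {            /* try every shift amount */
        size_t i = 0;
        for (; i < n; i++) {
            size_t j = (i + k) % n;
            unsigned char c =
                (unsigned char)(reversed ? name[n - 1 - j] : name[j]);
            if (tolower((unsigned char)pwd[i]) != tolower(c))
                break;
        }
        if (i == n)
            return true;
    }
    return false;
}

/* Level 0: the DCE Registry policy checks only. */
enum pwd_result check_registry_policy(const char *pwd,
                                      const struct registry_policy *pol)
{
    size_t len = strlen(pwd);
    if (len < pol->pwdminlen)
        return PWD_TOO_SHORT;
    if (!pol->pwdspaces && len > 0 && strspn(pwd, " ") == len)
        return PWD_ALL_SPACES;
    if (!pol->pwdalpha && len > 0 && count_alnum(pwd) == len)
        return PWD_ALL_ALNUM;
    return PWD_OK;
}

/* level is the principal's pwd_SecureWare_chk value. */
enum pwd_result check_password(const char *pwd, const char *principal,
                               const struct registry_policy *pol, int level)
{
    enum pwd_result r = check_registry_policy(pwd, pol);
    if (r != PWD_OK || level == 0)
        return r;
    if (level != 1)
        return PWD_LEVEL_UNSUPPORTED;  /* level 2 needs registry + dictionary */
    if (is_rotation(pwd, principal, false) || is_rotation(pwd, principal, true))
        return PWD_NAME_ROTATION;
    size_t alnum = count_alnum(pwd);
    if (alnum < 2)
        return PWD_TOO_FEW_ALNUM;
    if (alnum == strlen(pwd))
        return PWD_NO_NON_ALNUM;
    return PWD_OK;
}

int main(void)
{
    /* Constructed sample input; policy values follow the dcecp examples. */
    struct registry_policy pol = { 6, false, false };
    const char *samples[] = { "abc", "abcdef1", "a!!!!!!", "ab!cdef" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s -> %d\n", samples[i],
               (int)check_password(samples[i], "esmerelda", &pol, 1));
    return 0;
}
```
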
2 Migrating to HP DCE 1.7
This chapter discusses migration procedures and compatibility issues for migrating to HP DCE 1.7 running on HP-UX 11.0.
Migration Paths
HP DCE 1.7 supports four direct migration paths from HP-UX 10.01, 10.10, 10.20, and 10.30 to HP-UX 11.0. Earlier versions of HP DCE that run on versions of HP-UX before 10.01 can also be migrated to HP DCE 1.7, but not directly. The direct migration paths are listed in Table 2-1.
Table 2-1 Supported Migration Paths to HP DCE Version 1.7
From                                  To
HP DCE Version        Running on      HP DCE Version    Running on
1.3.1 or 1.4 client   HP-UX 10.01     1.7               HP-UX 11.0
1.4 server            HP-UX 10.01     1.7               HP-UX 11.0
1.4.1 server          HP-UX 10.10     1.7               HP-UX 11.0
1.4.1 client          HP-UX 10.10     1.7               HP-UX 11.0
1.5 server            HP-UX 10.20     1.7               HP-UX 11.0
1.5 client            HP-UX 10.20     1.7               HP-UX 11.0
1.6 server            HP-UX 10.30     1.7               HP-UX 11.0
1.6 client            HP-UX 10.30     1.7               HP-UX 11.0
NOTE HP DCE 1.7 does not support direct migration from versions of HP DCE that run on HP-UX 9.x (HP DCE 1.2, 1.2.1, and 1.4.2). However, you can migrate from these versions by first migrating to HP DCE 1.3.1 or 1.4 on HP-UX 10.01 and then migrating that system to HP DCE 1.7 on HP-UX 11.0.
If you have HP DCE/9000 Version 1.3.1, 1.4, 1.4.1, 1.5, or 1.6 installed, you can save your existing cell configuration and databases, install HP DCE/9000 Version 1.7, and then restore your former cell configuration. Or, you can discard your previous cell configuration and database information, update your systems to HP DCE 1.7, and configure a new cell from scratch. Both procedures are detailed in this chapter.
NOTE HP DCE 1.6 and 1.7 do not support the Distributed File Service (DFS).
Therefore, if your earlier version of HP DCE had DFS installed and configured, you will be notified during the HP DCE installation that DFS is no longer supported and has been disabled. Do not migrate to HP DCE
1.6 or 1.7 if you plan to support DFS.
NOTE HP DCE 1.6 and 1.7 do not support the Global Directory Service.
Contents of HP DCE Client and Server
The subsets of HP DCE 1.7 commonly referred to in this document and elsewhere as client and server consist of the following DCE components:
Client      Server
dced        cdsd
cdsadv      secd
dtsd        gdad
NOTE At HP DCE 1.4x, dced replaced rpcd and sec_clientd; and cdsclerk
functionality was incorporated in cdsadv.
Migration Compatibility
This section covers the compatibility of HP DCE 1.2, 1.2.1, 1.3.1, 1.4,
1.4.1, 1.4.2, 1.5, and 1.6 with HP DCE Version 1.7.
• Because HP DCE 1.7 clients and servers are binary compatible with HP DCE 1.5 and previous releases, your systems can be migrated to HP DCE 1.7 in any order over a period of time. However, do not move the Security Registry to “dce1.1” mode before all your security servers have been updated to HP DCE 1.7.
• DCM (SAM DCE Configuration Manager) and the dce_config utility can be used to configure a mixed-version cell.
• Because of minor changes to the dce_config utility at HP DCE 1.4, scripts that were written to use the HP DCE 1.2, 1.2.1, or 1.3.1 dce_config may have to be modified to work with HP DCE 1.4 and later releases of dce_config.
NOTE DFS is not currently available on HP-UX 10.30 (DCE 1.6) or HP-UX 11.0
(DCE 1.7). If you are running DFS in your cell and plan on continuing to run DFS, do not migrate any DFS server or client systems to HP-UX
10.30 (DCE 1.6) or HP-UX 11.0 (DCE 1.7).
Migrating the Cell Directory Service from HP DCE 1.3.1
NOTE This section applies only to migrating from HP DCE 1.3.1 to HP DCE 1.7 (because HP DCE 1.3.1 is based on OSF DCE 1.0.3).
You should be aware of the following CDS considerations when migrating to HP DCE 1.7:
• Installation of HP DCE 1.7 automatically attempts to preserve any CDS defined cached servers from previous configurations of HP DCE. However, if a newly migrated HP DCE 1.7 node returns warnings about being unable to locate a CDS server, it may be necessary to manually specify the server location with a dcecp cdscache create command.
• To make full use of HP DCE 1.7 features, the directory version number of the root directory must be manually advanced to 4.0 after all CDS servers in the cell have been upgraded to HP DCE 1.7. (To determine the current directory version number, use the dcecp
directory show /.: command, and look for the CDS_DirectoryVersion attribute.)
The procedure for doing this is discussed in “Managing CDS Directories - Upgrading the Directory Version on a Directory”, in the OSF DCE Administration Guide — Core Components. This procedure makes use of the following dcecp commands:
dcecp> directory modify /.: -add {CDS_UpgradeTo 4.0}
dcecp> directory synchronize /.:
dcecp> clearinghouse verify /.:/clearinghouse_name
dcecp> directory synchronize /.:
Note that the dcecp clearinghouse verify command must be run for every clearinghouse in the cell, and must be run directly on the CDS server node hosting each clearinghouse. The command will not work from a remote node.
Migrating Remote Administration of dced from HP DCE 1.3.1
When migrating from HP DCE 1.3.1, a cell administrator must create the subsys/dce/dced-admin group before installing HP DCE/9000 1.4.x, 1.5, 1.6, and 1.7. Otherwise, the remote administration of dced will be disabled. To create this group, log in as cell_admin and execute the following dcecp commands:
dcecp> group create subsys/dce/dced-admin
dcecp> group add subsys/dce/dced-admin -member\
cell_admin
dcecp> acl modify /.:/sec/group/subsys/dce/dced-admin\
-add {group acct-admin rctDnfmM}
Migrating from HP DCE 1.2, 1.2.1 or 1.4.2 on HP-UX 9.x to HP DCE 1.7 on HP-UX 11.0
You must perform this migration in two steps, as follows:
1. Migrate to HP DCE 1.3.1 or HP DCE 1.4 on HP-UX 10.01. Step 1 is described in the appropriate version of Planning and
Configuring HP DCE and the related release notes.
2. Migrate the system created in step 1 to HP DCE 1.7 on HP-UX 11.0. Step 2 is described in this chapter.
For information about migrating from HP-UX 9.x to HP-UX 10.x, see Upgrading from HP-UX 9.x to 10.x (B3782-90073).
Migrating an HP DCE 1.3.1 or 1.4 Client on HP-UX 10.01 to HP DCE 1.7 on HP-UX 11.0
This section describes the procedure for migrating an HP DCE 1.3.1 or 1.4 client on HP-UX 10.01 to HP DCE 1.7 on HP-UX 11.0.
See Managing HP-UX Software with SD-UX and the swcopy (1M), swinstall (1M), and swremove (1M) man pages for complete information on all aspects of HP-UX installation.
For information about migrating from HP-UX 10.x to HP-UX 11.0, see Installing HP-UX 11.0 and Updating HP-UX 10.x to 11.0 (B2355-90153).
Migration Procedure
HP highly recommends that you do a system backup before starting to do an update.
To migrate an HP DCE 1.3.1 or 1.4 client-only system to HP DCE 1.7, perform the following steps:
1. Stop DCE on the system using dce_config STOP; DFS will not run on HP DCE 1.6 or 1.7; if DFS is running, ignore any warnings concerning running processes.
2. Upgrade the system from HP-UX 10.01 to HP-UX 11.0.
3. Restart DCE; DCE client software is bundled with HP-UX 10.01 and later releases.
Migrating an HP DCE 1.4.1 Client on HP-UX 10.10 to HP DCE 1.7 on HP-UX 11.0
See Managing HP-UX Software with SD-UX and the swcopy (1M), swinstall (1M) and swremove (1M) for complete information on all aspects of HP-UX installation.
For information about migrating from HP-UX 10.x to HP-UX 11.0, see Installing HP-UX 11.0 and Updating HP-UX 10.x to 11.0 (B2355-90153).
Migration Procedure
HP highly recommends that you do a system backup before starting to do an update.
To migrate an HP DCE 1.4 client-only system to HP DCE 1.7, perform the following steps:
1. Stop DCE on the system using dce_config STOP; DFS will not run on HP DCE 1.6 or 1.7; if DFS is running, ignore any warnings concerning running processes.
2. Upgrade the system from HP-UX 10.10 to HP-UX 11.0.
3. Restart DCE; DCE client software is bundled with HP-UX 10.01 and later releases.
Migrating an HP DCE 1.4 Server on HP-UX 10.01 to HP DCE 1.7 on HP-UX 11.0
This section describes the procedure for migrating an HP DCE 1.4 server on HP-UX 10.01 to HP DCE 1.7 on HP-UX 11.0.
See Managing HP-UX Software with SD-UX and the swcopy (1M), swinstall (1M) and swremove (1M) man pages for complete information on all aspects of HP-UX installation.
For information about migrating from HP-UX 10.x to HP-UX 11.0, see Installing HP-UX 11.0 and Updating HP-UX 10.x to 11.0 (B2355-90153).
Migration Procedures
HP highly recommends that you do a system backup before starting to do an update.
Migrating a System Without Retaining Cell Configuration
If you are migrating an HP DCE 1.4 server on HP-UX 10.01 to HP DCE
1.7 on HP-UX 11.0, but you do not want to preserve your existing cell configuration:
1. Stop the cell using dce_config STOP at each cell member or run DCM from SAM to stop the entire cell.
2. Use dce_config REMOVE or run the DCE Configuration Manager from SAM to remove the cell databases.
3. Upgrade the system from HP-UX 10.01 to HP-UX 11.0.
4. Install HP DCE 1.7 server software as described in Chapter 4, and reconfigure DCE.
Migrating a System and Preserving Current Cell Configuration
If you are migrating an HP DCE 1.4 server on HP-UX 10.01 to HP DCE
1.7 on HP-UX 11.0, and you want to preserve your existing cell
configuration, perform the following steps:
1. If you are migrating a security server system, stop secd using the dcecp -c registry stop replica-name command.
2. Stop DCE on the system, using the dce_config STOP command from the main menu; DFS will not run on HP DCE 1.6 or 1.7; if DFS is running, ignore any warnings concerning running processes.
CAUTION Hewlett-Packard recommends that you create a single network source
area (depot) containing HP-UX 11.0 and HP DCE 1.7 server software, so that you can simultaneously install HP-UX 11.0 and HP DCE 1.7. If you do not install HP-UX 11.0 and HP DCE 1.7 at the same time, your old HP DCE 1.4 servers will be automatically started when your system reboots after HP-UX 11.0 installation completes. This is an unsupported configuration.
3. Prepare the network source area (depot) using swcopy. The depot should contain both HP-UX 11.0 and HP DCE 1.7 software.
4. Upgrade the system from HP-UX 10.01 to HP-UX 11.0. If you installed from a unified network source area as recommended above, installation of HP DCE 1.7 is complete.
NOTE If you did not install from a unified network source area, you must
continue with Steps 5 through 7.
5. Perform this step only if you did not install HP-UX from a unified network source area as recommended above. Stop DCE on the system, using the dce_config STOP command from the main menu.
6. Perform this step only if you did not install HP-UX from a unified network source area as recommended above.
Install HP DCE 1.7 as described in Chapter 4.
7. Perform this step only if you did not install HP-UX from a unified network source area as recommended above.
Restart DCE using the dce_config START command from the dce_config main menu or using DCM.
Migrating an HP DCE 1.4.1 Server on HP-UX 10.10 to HP DCE 1.7 on HP-UX 11.0
See Managing HP-UX Software with SD-UX and the swcopy (1M), swinstall (1M) and swremove (1M) man pages for complete information on all aspects of HP-UX installation.
For information about migrating from HP-UX 10.x to HP-UX 11.0, see Installing HP-UX 11.0 and Updating HP-UX 10.x to 11.0 (B2355-90153).
Migration Procedures
HP highly recommends that you do a system backup before starting to do an update.
Migrating a System Without Retaining Cell Configuration
If you are migrating an HP DCE 1.4.1 server on HP-UX 10.10 to HP DCE
1.7 on HP-UX 11.0, but you do not want to preserve your existing cell configuration:
1. Stop the cell using dce_config STOP at each cell member or run DCM from SAM to stop the entire cell.
2. Use dce_config REMOVE or run the DCM from SAM to remove the cell databases.
3. Upgrade the system from HP-UX 10.10 to HP-UX 11.0.
4. Install HP DCE 1.7 software as described in Chapter 4, and reconfigure DCE.
Migrating a System and Preserving Current Cell Configuration
If you are migrating an HP DCE 1.4.1 server on HP-UX 10.10 to HP DCE
1.7 on HP-UX 11.0, and you want to preserve your existing cell
configuration, perform the following steps:
1. If you are migrating a security server system, stop secd using the dcecp -c registry stop replica-name command.
2. Stop DCE on the system, using the dce_config STOP command from the main menu; DFS will not run on HP DCE 1.6 or 1.7; if DFS is running, ignore any warnings concerning running processes.
CAUTION Hewlett-Packard recommends that you create a single network source
area (depot) containing HP-UX 11.0 and HP DCE 1.7 software, so you can simultaneously install HP-UX 11.0 and HP DCE 1.7. If you do not install HP-UX 11.0 and HP DCE 1.7 at the same time, your old HP DCE
1.4.1 servers will be automatically started when your system reboots
after HP-UX 11.0 installation completes. This is an unsupported configuration.
3. Prepare the network source area (depot) using swcopy. The depot should contain both HP-UX 11.0 and HP DCE 1.7 software.
4. Upgrade the system from HP-UX 10.10 to HP-UX 11.0. If you installed from a unified network source area as recommended above, installation of HP DCE 1.7 is complete.
NOTE If you did not install from a unified network source area, you must
continue with Steps 5 through 7.
5. Perform this step only if you did not install HP-UX from a unified network source area as recommended above.
Stop DCE on the system, using the dce_config STOP command from the main menu.
6. Perform this step only if you did not install HP-UX from a unified network source area as recommended above.
Install HP DCE 1.7 as described in Chapter 4.
7. Perform this step only if you did not install HP-UX from a unified network source area as recommended above.
Restart DCE using the dce_config START command from the dce_config main menu or using DCM.
Migrating an HP DCE 1.5 Server on HP-UX 10.20 to HP DCE 1.7 on HP-UX 11.0
See Managing HP-UX Software with SD-UX and the swcopy (1M), swinstall (1M) and swremove (1M) man pages for complete information on all aspects of HP-UX installation.
For information about migrating from HP-UX 10.x to HP-UX 11.0, see Installing HP-UX 11.0 and Updating HP-UX 10.x to 11.0 (B2355-90153).
Migration Procedures
HP highly recommends that you do a system backup before starting to do an update.
Migrating a System Without Retaining Cell Configuration
If you are migrating an HP DCE 1.5 server on HP-UX 10.20 to HP DCE
1.7 on HP-UX 11.0, but you do not want to preserve your existing cell configuration:
1. Stop the cell using dce_config STOP at each cell member or run DCM from SAM to stop the entire cell.
2. Use dce_config REMOVE or run the DCM from SAM to remove the cell databases.
3. Upgrade the system from HP-UX 10.20 to HP-UX 11.0.
4. Install HP DCE 1.7 software as described in Chapter 4, and reconfigure DCE.
Migrating a System and Preserving Current Cell Configuration
If you are migrating an HP DCE 1.5 server on HP-UX 10.20 to HP DCE
1.7 on HP-UX 11.0, and you want to preserve your existing cell
configuration, perform the following steps:
1. If you are migrating a security server system, stop secd using the dcecp -c registry stop replica-name command.
2. Stop DCE on the system, using the dce_config STOP command from the main menu; DFS will not run on HP DCE 1.6 or 1.7; if DFS is running, ignore any warnings concerning running processes.
CAUTION Hewlett-Packard recommends that you create a single network source
area (depot) containing HP-UX 11.0 and HP DCE 1.7 software, so you can simultaneously install HP-UX 11.0 and HP DCE 1.7. If you do not install HP-UX 11.0 and HP DCE 1.7 at the same time, your old HP DCE
1.5 servers will be automatically started when your system reboots after
HP-UX 11.0 installation completes. This is an unsupported configuration.
3. Prepare the network source area (depot) using swcopy. The depot should contain both HP-UX 11.0 and HP DCE 1.7 software.
4. Upgrade the system from HP-UX 10.20 to HP-UX 11.0. If you installed from a unified network source area as recommended above, installation of HP DCE 1.7 is complete.
NOTE If you did not install from a unified network source area, you must
continue with Steps 5 through 7.
5. Perform this step only if you did not install HP-UX from a unified network source area as recommended above.
Stop DCE on the system, using the dce_config STOP command from the main menu.
6. Perform this step only if you did not install HP-UX from a unified network source area as recommended above.
Install HP DCE 1.7 as described in Chapter 4.
7. Perform this step only if you did not install HP-UX from a unified network source area as recommended above.
Restart DCE using the dce_config START command from the dce_config main menu or using DCM.
Migrating an HP DCE 1.6 Server on HP-UX 10.30 to HP DCE 1.7 on HP-UX 11.0
See Managing HP-UX Software with SD-UX and the swcopy (1M), swinstall (1M) and swremove (1M) man pages for complete information on all aspects of HP-UX installation.
For information about migrating from HP-UX 10.x to HP-UX 11.0, see Installing HP-UX 11.0 and Updating HP-UX 10.x to 11.0 (B2355-90153).
Migration Procedures
HP highly recommends that you do a system backup before starting to do an update.
Migrating a System Without Retaining Cell Configuration
If you are migrating an HP DCE 1.6 server on HP-UX 10.30 to HP DCE
1.7 on HP-UX 11.0, but you do not want to preserve your existing cell configuration:
1. Stop the cell using dce_config STOP at each cell member or run DCM from SAM to stop the entire cell.
2. Use dce_config REMOVE or run the DCM from SAM to remove the cell databases.
3. Upgrade the system from HP-UX 10.30 to HP-UX 11.0.
4. Install HP DCE 1.7 software as described in Chapter 4, and reconfigure DCE.
Migrating a System and Preserving Current Cell Configuration
If you are migrating an HP DCE 1.6 server on HP-UX 10.30 to HP DCE
1.7 on HP-UX 11.0, and you want to preserve your existing cell
configuration, perform the following steps:
1. If you are migrating a security server system, stop secd using the dcecp -c registry stop replica-name command.
2. Stop DCE on the system, using the dce_config STOP command from the main menu; DFS will not run on HP DCE 1.6 or 1.7; if DFS is running, ignore any warnings concerning running processes.
CAUTION Hewlett-Packard recommends that you create a single network source
area (depot) containing HP-UX 11.0 and HP DCE 1.7 software, so you can simultaneously install HP-UX 11.0 and HP DCE 1.7. If you do not install HP-UX 11.0 and HP DCE 1.7 at the same time, your old HP DCE
1.6 servers will be automatically started when your system reboots after
HP-UX 11.0 installation completes. This is an unsupported configuration.
3. Prepare the network source area (depot) using swcopy. The depot should contain both HP-UX 11.0 and HP DCE 1.7 software.
4. Upgrade the system from HP-UX 10.30 to HP-UX 11.0. If you installed from a unified network source area as recommended above, installation of HP DCE 1.7 is complete.
NOTE If you did not install from a unified network source area, you must
continue with Steps 5 through 7.
5. Perform this step only if you did not install HP-UX from a unified network source area as recommended above.
Stop DCE on the system, using the dce_config STOP command from the main menu.
6. Perform this step only if you did not install HP-UX from a unified network source area as recommended above.
Install HP DCE 1.7 as described in Chapter 4.
7. Perform this step only if you did not install HP-UX from a unified network source area as recommended above.
Restart DCE using the dce_config START command from the dce_config main menu or using DCM.
3 Before Installing HP DCE/9000 Version 1.7
This chapter describes prerequisites and preinstallation considerations for installing HP DCE/9000 Version 1.7 (HP DCE 1.7) software.
You should read this chapter before installing HP DCE/9000 Version 1.7 software. After reading this chapter, proceed with the installation instructions in Chapter 4, “Installing HP DCE/9000.”
After completing the installation of HP DCE/9000 Version 1.7 software, you must configure a DCE cell if you have not done so already. Information on HP DCE/9000 cell configuration may be found in Chapter 5, “Configuring HP DCE.”
Overview
The following is a brief overview of the HP DCE installation process:
NOTE If you are performing an upgrade rather than a new installation, see
Chapter 2, “Migrating to HP DCE 1.7”.
• Verify that hardware and software prerequisites are met at your site.
• Plan where you will install various HP DCE filesets.
• Load HP DCE software from media to a network distribution area.
• Install filesets on individual systems.
• If necessary, remove unwanted filesets using swremove.
Prerequisites
Hardware and Software Requirements
Any HP system that you want to make a member of a cell must meet certain hardware and software requirements. The system requirements are:
System Type: HP 9000 Series 700 or Series 800.
Operating System: HP-UX 11.0.
Kernel Configuration: See “Series 700 and 800 Kernel Parameter Recommendations” in this chapter for recommended kernel parameter settings. You can check and, if necessary, change these values via SAM (the HP-UX System Administration Manager).
Memory: A minimum 32 Mb of memory is recommended for client-only systems; 64 Mb for server systems.
Swap Space: A minimum 50 Mb of swap space is recommended for client-only systems; at least 100 Mb is recommended for systems running one or more DCE servers. Device swap is strongly recommended over file system swap.
File System: HP DCE/9000 must be installed on a long-name file system. If you have a short-name file system, you must first run convertfs(1m) to convert your file system to long names.
Series 700 and 800 Kernel Parameter Recommendations
Hewlett-Packard has found that the default kernel parameter values for an 11.0 system installed with Runtime bundles are sufficient for running HP DCE 1.7 clients and servers under normal conditions (small cells with hundreds of users), with the following exceptions:
• maxfiles must be increased to a minimum of 256 for all systems.
• The default value for maxdsize is sufficient except in cases where you have many tens of thousands of users. At this point you should monitor the process size of your secd and cdsd. If the process size approaches the maxdsize value, maxdsize should be increased.
Kernel parameter tuning is highly application dependent. It is expected that you might need to modify your kernel parameters based upon your specific application's needs.
Distribution Media
The HP DCE/9000 Version 1.7 software is shipped on CD-ROM only. The HP DCE/9000 Version 1.7 International Client software is shipped
bundled with HP-UX 11.0. The domestic version of the client is available on the HP-UX 11.0 AR and is codeword-protected. To obtain a codeword, follow the instructions on the codeword certificate that was shipped with the CD-ROM disc.
The HP DCE/9000 Version 1.7 Server software is available on the HP-UX 11.0 AR CD-ROM and is also codeword-protected.
See Managing HP-UX Software With SD-UX for more information on distribution media.
Network Distribution Area
The first part of the installation procedure involves loading software from distribution media to a network distribution area or depot. The drive where the distribution media is loaded must be connected to a system that has sufficient disk space available. To calculate the disk space required, refer to Tables 3-1 and 3-2 at the end of this chapter.
Preinstallation Planning
In general, preinstallation planning involves deciding how many cells to configure at your site, which systems to include in each cell, and where to run DCE services (Security, CDS, DTS, and GDA). This section gives you some guidelines for making decisions prior to installation.
Determining Cell Boundaries
Before installation you should map the boundaries of your cell by listing the systems that will compose your cell. You may find it practical or necessary to divide your site into more than one cell.
Consider the following factors when determining the cell boundaries:
• A major criterion for determining cell boundaries is to include principals that share a common purpose, require access to a common set of shared resources, and can share a common administrative domain.
• Multiple cells require more administrative overhead in setting up and maintenance.
• If you decide to create more than one cell at your site, you must determine appropriate cell names to support intercell communication. See “Intercell Communications” for more information.
Intercell Communications
To implement intercell communications, you must start at least one Global Directory Agent (GDA) daemon per cell. You can start a GDA daemon when you configure your cell, as described in Chapter 5, “Configuring HP DCE”.
In addition, you must name your cells according to Domain Name Service (DNS) convention. When a query cannot be resolved within a cell, GDA passes the query to a DNS server. The following is an example of a cell name using the DNS format:
/.../xyz.abc.com
If your site is connected to the Internet and you want to obtain a unique DNS name, contact the administrator in charge of the domain under which you want to name your cell.
For more information on cell naming, see the OSF DCE Administration Guide — Core Services.
For configuration information, see Chapter 5, “Configuring HP DCE”.
DCE Services
This section outlines some considerations and restrictions on HP DCE/9000 Version 1.7 software that will help you map out the installation of your cell.
Client Core Services
Core Services are contained in the DCE-Core product. This product must be installed on every system in your cell.
Security Services
Security server software is contained in the DCE-SEC-Server product. The system(s) running the security server should be reliably accessible and physically secure. They should also have enough disk space to hold a registry database that could expand significantly over time as the number of users increases. HP has found the following guidelines to be sufficient:
For each principal: 1440 bytes of physical memory
330 bytes of disk space
For each account: 1580 bytes of physical memory
240 bytes of disk space
More information about DCE Security Services may be found in the OSF DCE Administration Guide — Core Services.
Cell Directory Service Configuration
In configuring CDS servers and clients, pay careful attention to the HP DCE/9000 hardware requirements for the DCE product. (See “Hardware and Software Requirements” in this chapter.) Appropriate kernel configuration, memory, disk, and especially swap space are essential to the proper functioning of the CDS subsystem.
Tape backups of the CDS server database are extremely important for recovery from catastrophic problems. HP strongly recommends regular tape backups of all CDS server databases, especially those containing any master replicas. Tape backups and restorations require the CDS server in question to be temporarily shut down.
Most CDS problems, however, do not require resorting to tape backup. Directory replication provides continuous online backup for most failures, with faster recovery and less stale data. This makes directory replication highly desirable for all DCE cells. Every cell should configure at least two CDS servers, and read-only replicas of all directories should be created on the backup server. In this configuration, backup is continuous, and recovery only involves switching the role of the servers.
Multiple CDS servers can be configured for specific purposes in the cell. Multiple CDS servers with read-only replicas of all directories in the name space should always be present for backup and recovery purposes. Performance considerations may also make the configuration of other CDS servers desirable. For instance, administrators of very busy cells or cells with large numbers of nodes should consider adding additional CDS servers to share the name space processing load. Similarly, administrators of cells with groups of nodes separated by WAN links should consider providing a local CDS server for each group to enhance performance. Administrators with very large cells may want to partition the name space among several CDS servers, replicating only the locally used directories, to distribute the storage overhead of the name space.
Each of these CDS configuration strategies is documented in the OSF DCE Administration Guide — Core Services.
Time Services
A minimum of three DTS servers is recommended for any cell with three or more member systems. If you use an external time provider, you can have only one of these running in a cell.
If you are running AFS, be sure to run the AFS daemon (afsd) with the
-nosettime option. Otherwise, afsd periodically resets the system’s time. Also be sure that no other software that sets the time (like ntp or timed) is running on the systems in the cell.
See the OSF DCE Administration Guide — Core Services for more information about DCE Distributed Time Services.
At this release, intercell time synchronization is not supported.
HP DCE Installed Software
The HP DCE/9000 Version 1.7 software is divided into products and filesets. Tables 3-1 and 3-2 show the HP DCE 1.7 filesets, arranged according to product, and give the approximate disk space requirement for each fileset. Table 3-1 includes the products that are bundled with HP-UX; Table 3-2 contains the products distributed on the Applications Release media. Note that the information in Tables 3-1 and 3-2 is also available from swinstall.
Note the following:
• You must install DCE-Core on every system in your cell.
• The swcopy and swinstall tools check for adequate disk space before they install software.
Table 3-1 HP DCE/9000 Version 1.7 Products and Filesets—Core HP-UX

Product           Fileset         Description                                  Dependencies                  Approx. Size (Kb)
DCE-Core          DCE-CORE-DTS    DCE Distributed Time Service                 DCE-Core.DCE-CORE-RUN         847
                  DCE-CORE-HELP   DCE Online Help                              none                          153
                  DCE-CORE-NOTES  DCE release notes                            none                          469
                  DCE-CORE-RUN    DCE Core Client                              DCE-Core.DCE-CORE-SHLIB       13336
                  DCE-CORE-SHLIB  DCE and Threads Shared Libraries             none                          10802
                  DCE-JPN-E-MSG   Japanese localized message catalogs          none                          381
                  DCE-JPN-S-MSG   Japanese localized message catalogs          none                          381
                  DCEC-ENG-A-MAN  DCE Core Man Pages                           DCE-Core.MACR-ENG-A-MAN       869
                  MACR-ENG-A-MAN  DCE Man Page Macros                          none                          23
Integrated Login  AUTH-COMMON     Integrated Login Common Portion              none                          353
                  AUTH-DCE        HP DCE Authentication                        DCE-Core.DCE-CORE-RUN,        253
                                                                               Integrated|Logon.AUTH-COMMON
KRB-Support       KRB-SUPP-MAN    Man Pages for Enhanced Kerberos Support      none                          8
                  KRB-SUPP-NOTES  Kerberos Support white paper                 none                          361
                  KRB-SUPP-RUN    Enhanced Kerberos support commands           DCE-Core.DCE-CORE-RUN         1081
Table 3-2 HP DCE/9000 Version 1.7 Products and Filesets—Applications Release

Product           Fileset         Description                                  Dependencies                  Approx. Size (Kb)
DCE-CoreAdmin     DCE-ACCT-MGR    HP Account Manager                           DCE-Core.DCE-CORE-RUN         1818
                  DCE-CDSBROWSER  CDS Browser Tool                             DCE-Core.DCE-CORE-RUN         1558
                  DCE-CONFIG-MGR  DCE Configuration Manager                    DCE-Core.DCE-CORE-RUN         1094
                  DCE-CORE-DIAG   DCE Diagnostic Tools                         DCE-Core.DCE-CORE-RUN         256
                  DCE-SGUARD (a)  DCE - MC/ServiceGuard Integration Templates  none                          67
DCE-CoreTools     DCE-BPRG        Basic IDL, Includes, & Archive Libraries     DCE-Core.DCE-CORE-RUN         10015
                  DCEP-ENG-A-MAN  DCE Basic Tools Man Pages                    none                          1870
                  THD-ENG-A-MAN   Threads Man Pages                            DCE-Core.MACR-ENG-A-MAN       177
DCE-C-Tools       DCE-C-TOOLS     HP DCE C Application Tools                   none                          2034
                  DCE-TOOLS-LIB   HP DCE Programming Libraries                 DCE-CoreTools.DCE-BPRG        195
DCE-CDS-Server    CDS-SERVER      CDS Server                                   DCE-Core.DCE-CORE-RUN         1468
                  CDSS-ENG-A-MAN  CDS Server Man Pages                         DCE-Core.MACR-ENG-A-MAN       16
DCE-Domestic      DCE-DOM-BPRG    DCE Domestic Programming Libs                DCE-CoreTools.DCE-BPRG        6820
                  DCE-DOM-NOTES   DCE Domestic Release Notes                   none                          12
                  DCE-DOM-RUN     DCE Domestic runtime                         DCE-Domestic.DCE-DOM-SHLIB,   324
                                                                               DCE-Core.DCE-CORE-SHLIB
                  DCE-DOM-SHLIB   DCE Domestic Library                         DCE-Core.DCE-CORE-SHLIB       9491
DCE-OO-Tools      DCE-OO-HELP     HP OODCE Online Help                         none                          1511
                  DCE-OO-TOOLS    HP OODCE Application Tools                   DCE-C-Tools.DCE-TOOLS-LIB     4048
DCE-SEC-Server    SEC-SERVER      Security Server                              DCE-Core.DCE-CORE-RUN         7279
                  SECS-ENG-A-MAN  DCE Security Server Man Pages                DCE-Core.MACR-ENG-A-MAN       197

a. Provided as a customizable set of templates and scripts to integrate DCE services with the MC/ServiceGuard product. See “Integrating DCE Services with MC/ServiceGuard” in Chapter 5 for more information.
4 Installing HP DCE 1.7
This chapter outlines the recommended procedures for installing and deinstalling HP DCE/9000 Version 1.7 software.
If you are performing an upgrade rather than a new installation, see Chapter 2, “Migrating to HP DCE 1.7”.
The procedures outlined in this chapter use the graphical and textual user interface versions of the swcopy, swinstall, and swremove tools. You can also use these tools from a command line.
See the manual Managing HP-UX Software With SD-UX and the swcopy (1M), swinstall (1M) and swremove (1M) man pages for more information on all aspects of installation.
After installing HP DCE/9000 Version 1.7 software, you must configure a DCE cell if you have not done so already. Information on cell configuration is in Chapter 5, “Configuring DCE Cells.”
Overview
Here is a brief overview of the installation steps:
1. Read Chapter 3, “Before Installing HP DCE 1.7”.
2. Load HP DCE software from media to a network source area using swcopy.
3. Install filesets on individual systems using swinstall.
NOTE Although HP DCE/9000 Version 1.7 can be installed on both the HP-UX
11.0 32-bit and the 64-bit OS, HP DCE/9000 Version 1.7 remains a 32-bit
application. HP DCE/9000 Version 1.7 does not support development of 64-bit DCE applications.
Loading HP DCE Software in a Network Source Area
Before installation of HP DCE/9000 Version 1.7 software on a network, the software typically is transferred from the media on which it was shipped to a network source area, or depot. This section tells how to perform this transfer using the swcopy tool.
Before loading HP DCE, you should be aware of the following:
• If you are installing HP DCE/9000 on a single system, and your system has access to a media device, you can choose to install software directly from media. If you want to do this, proceed to “Installing Software” in this chapter.
• If your software was shipped with a codeword certificate, you must obtain a codeword from Hewlett-Packard before you load the software into a depot. To obtain a codeword, follow the instructions on the codeword certificate that was shipped with the CD-ROM disk.
Software Loading Procedure
This section outlines the steps you must follow to load HP DCE 1.7 software into a network source area using the swcopy graphical or textual user interface.
See Managing HP-UX Software With SD-UX, as well as the swcopy (1M) man page, for detailed information on the general process of creating a network source area, and on the swcopy command-line interface. Also, the swcopy graphical user interface has general and context-sensitive help if you need assistance in making selections, or in entering appropriate values.
Perform the following steps to load HP DCE 1.7 software into a network source area:
1. Load media into the drive.
2. Log in as root.
3. Start /usr/sbin/swcopy.
4. Specify the target depot path in the “Select Target Depot Path” popup window.
NOTE If you are performing this install as a step in migrating a server system from a previous version of HP DCE, create a single depot containing the HP DCE 1.7 software and the DCE client software that is bundled with HP-UX 11.0. See Chapter 2 for information on migrating from a previous HP DCE version.
The target depot path is the pathname to the directory where you want the HP DCE software to be loaded. As a general rule, you should accept the HP-UX default /var/spool/sw.
5. Specify the source hostname and source depot path in the “Specify Source” popup window.
The source hostname is the name of the machine on which the media device is mounted; the source depot path is the device pathname.
When you have specified these fields, a list of the products and bundles available in that source depot (i.e., on the media) is displayed in the “Software Selection” window.
6. Select the DCE products to load.
After you select (double-click on) the DCE bundle, a list of the DCE products is displayed. Mark all the listed DCE products for loading.
7. Load the software into the depot.
Select “Copy” from the Actions menu.
If your software media was shipped with a codeword certificate, follow the instructions on the certificate to obtain a codeword before you load the software into the depot. Before you load software that requires a codeword, you must enter a valid codeword and hardware ID. If a codeword is not required for your software, answer “no” to the question “Do you want to enter your authorized codeword to access the protected software?”.
Installing Software
Installation Notes
Once you have loaded HP DCE/9000 Version 1.7 software into a network distribution area, use the swinstall tool to install appropriate filesets on individual systems.
CAUTION HP DCE 1.7 on HP-UX 11.0 does not support DFS. Do not install HP
DCE 1.7 on any machine requiring a DFS server or client. If you plan to install HP DCE 1.7 over DFS, the installation of HP DCE 1.7 will remove DFS from your system and allow the installation to complete without error.
The installation procedure invokes swinstall on each target system in a cell. When installation is complete, you can begin cell configuration, which is described in Chapter 5, “Configuring DCE Cells”.
Before you begin, make sure that you have the following information.
• You must know the root password for each system in your cell.
• If the system is a functioning DCE server or client, stop the DCE software.
• Know the name of your network source system, as well as the source depot path name.
• You must install HP DCE/9000 Version 1.7 on a long-name file system. If you have a short-name file system, use the convertfs(1m) utility to convert it to long names.
• If you plan to do remote installation, you must be able to log in to the remote system using a utility like telnet, rlogin, or remsh. You cannot do a “push” installation to a remote system over a network file system such as NFS or AFS.
Installation Procedure
Perform the following steps to install HP DCE 1.7 software from a network source area:
1. Log in to the target system as root.
2. Run swinstall:
/usr/sbin/swinstall
The swinstall tool has general and context-sensitive help if you need assistance in making selections, or in entering appropriate values. Also, see the swinstall (1M) man page for more information.
3. In the Specify Source window, specify the source host and depot.
4. In the Software Selection window, select the products/bundles you want to install.
If you are doing an upgrade, and you want to match the software currently on the target system, select “Match What Target Has” from the Actions Menu.
5. Select “Install” from the Actions menu.
6. Check the swinstall log file and resolve any problems.
Press the “Logfile” button in the Install Analysis popup window. Look for messages that begin with ERROR, WARNING, or NOTE.
Refer to Managing HP-UX Software with SD-UX for information on resolving install problems.
7. Install the software.
Press the OK button in the Install Analysis popup window to proceed with installation.
After you install the HP DCE/9000 Version 1.7 software on all the systems in your cell that are to be updated, you can begin to configure your cell. See Chapter 5, “Configuring DCE Cells”, for information on cell configuration.
5 Configuring HP DCE Cells
This chapter tells how to choose a DCE cell configuration tool and how to use the tools to configure, destroy (unconfigure), start, and stop cells. Two tools are discussed, the DCE Configuration Manager, DCM, and the dce_config script.
This chapter also discusses how to install DCE login utilities, how to set up intercell communication with DCE GDA, and how to configure MC/ServiceGuard.
To configure HP DCE/9000 software, you must have previously installed HP DCE. See Chapter 3, “Before Installing HP DCE/9000 Version 1.7” for planning information; see Chapter 4, “Installing HP DCE 1.7” for installation information.
NOTE If you are configuring DCE on systems running NCS-based software
(such as NetLS, OmniBack, HP MPower, and Shared Print/UX), first read “Note for Users of NCS-based Software” in this chapter.
Choosing a Cell Configuration Tool
HP DCE/9000 offers two cell configuration tools: a script-based tool, dce_config, and a SAM-based tool, DCM (DCE Configuration Manager). SAM (System Administration Manager) is an HP-UX menu-driven system administration program that includes several other system administration utilities, in addition to the DCE cell configuration component.
DCM and dce_config
DCM is essentially a graphical front-end to dce_config. However, in addition to the ease-of-use that a graphical interface confers, DCM has some important functional differences that offer advantages over running dce_config. Therefore, we recommend that you use DCM, and not dce_config, to configure cells in almost all cases. (See “Limitations of DCM,” the next subsection, for further details.)
Advantages of DCM
Some of the advantages of DCM are:
• DCM has a template mode that allows you to create prototype configurations that can be tested before actually creating them.
• DCM checks systems before performing the configuration.
• DCM prevents you from creating an invalid configuration.
• DCM allows you to configure all HP DCE/9000 Version 1.2, 1.2.1,
1.3.1, 1.4, 1.4.1, 1.4.2, 1.5, 1.6, and 1.7 systems in your cell remotely, from a single administrative node. However, DCM does not configure and may not discover all aspects of other vendors’ system configuration.
• DCM remembers the last successful configuration. This information is used only when the cell is “down” or critical DCE servers are not running.
• DCM includes complete online documentation.
Limitations of DCM
While using DCM is completely compatible with using the dce_config script, there are a few limitations to DCM, as follows.
• When DCM examines the cell, it initiates a “discovery” process to determine the status of the cell. If the cell is down, or critical DCE servers are down, the discovery process may fail and DCM will revert to the last successful configuration.
• DCM does not ask if you want to create a LAN profile.
• DCM does not permit you to enter the name of the clearinghouse when you create a CDS replica. It defaults to hostname.ch. It also, therefore, does not ask if more directories should be replicated.
Configuring Cells with DCM
Overview of DCM Functionality
DCM enables you to perform the following cell configuration tasks:
• In a configured and running cell, if the primary DCE services (Initial CDS and Master Security) are running on HP systems (as opposed to other vendors’ systems), you can configure additional HP DCE 1.2,
1.2.1, 1.3.1, 1.4, 1.4.1, 1.4.2, 1.5, 1.6, or 1.7 clients into the cell from any HP DCE 1.7 cell member system.
• Create a cell of one or more systems. DCM provides a “template” mode that simplifies cell creation.
• User authentication of cell configuration operations.
• Add and remove client systems (systems running DCE client software only) to an existing cell from any system in the cell.
• Add replicated security servers to an existing cell.
• Add additional CDS servers to an existing cell. You can add new systems to the cell as CDS servers, or reconfigure existing cell members as CDS servers.
• Add or modify local or global DTS servers or DTS clients in the cell and modify ntp, spectracom, or null DTS time providers in the cell.
• Add or remove GDA servers on existing cell nodes.
• Stop all DCE daemons on all cell members or selected cell members.
• Restart all DCE daemons on all cell members or selected cell members.
• Destroy (unconfigure) an existing cell.
At the heart of DCM is an object list screen that displays a list of all cell members and their attributes. The attributes include a cell member’s name, and the DCE services (if any) configured on the member. You perform tasks on selected cell members by selecting (highlighting) the desired members in the list and then selecting the appropriate actions from an Actions menu.
By using the List menu, you can switch to a template mode that allows you to create prototype DCE cell configurations that can (and must) be tested for validity before actually being created.
Important Security Warning
CAUTION DCM uses standard UNIX remote login utilities to perform remote
administration. This causes the cell administrator’s password to be sent over the network whenever you perform a task on a remote system. If someone is very closely monitoring the network traffic, they could obtain the password and the security of the cell’s DCE services will be compromised. Note, however, that using DCM is no more or less secure than using standard UNIX remote login utilities directly. (Secure Internet Services (SIS) do not provide better security for the purpose of remote DCE cell administration.)
Requirements for Running DCM
If you choose to configure your cell with DCM, you should verify that the systems in your cell meet the following requirements:
• All systems from which you want to perform cell configuration tasks must have SAM installed.
• All systems must have the host name of each node (the administrative node and cell members) in their .rhosts and /etc/hosts.equiv files. The .rhosts file must be located in the root user’s home directory, usually the / directory. For more information about .rhosts files, see Using ARPA Services (B1014-90006), and the remsh (1) and hosts.equiv (4) man pages.
• All systems that you want to administer via DCM must be running HP DCE/9000 Version 1.2, 1.2.1, 1.3.1, 1.4, 1.4.1, 1.4.2, 1.5, 1.6, or 1.7. DCM does not configure and may not “discover” all aspects of other vendors’ system configuration.
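Because the .rhosts and /etc/hosts.equiv requirement above extends remote trust on every cell member, it is worth confirming that those files name the cell's nodes and nothing broader. The shell functions below are an added example, not HP code or part of this manual: the function names (audit_trust, perms_ok, audit_system, make_sample) and all host names are made up for illustration, lines starting with "#" are assumed to be comments, and host names are compared as written (lowercased), with no short-name to fully-qualified-name resolution.

```shell
#!/bin/sh
# Added example (not HP code): audit the rhosts-style trust files that DCM
# relies on. Host names and sample files below are constructed.

# audit_trust TRUST_FILE MEMBERS_FILE
# MEMBERS_FILE lists the administrative node and cell members, one per line.
# Prints sorted findings:
#   MISSING host      cell member absent from the trust file (DCM needs it)
#   UNEXPECTED host   trusted host that is not in the member list
#   WILDCARD line N   "+" or "+@netgroup" entry, trusting more than the cell
audit_trust() {
    awk '
        FILENAME == ARGV[1] {                   # first file: expected members
            if (NF > 0 && $1 !~ /^#/) want[tolower($1)] = 1
            next
        }
        NF == 0 || $1 ~ /^#/ { next }           # assumption: "#" starts a comment
        {
            host = tolower($1); user = $2
            if (substr(host, 1, 1) == "+" || substr(user, 1, 1) == "+") {
                printf "WILDCARD line %d: %s\n", FNR, $0
                next
            }
            if (substr(host, 1, 1) == "-") next # deny entries grant nothing
            if (host in want) seen[host] = 1
            else if (!(host in extra)) {
                extra[host] = 1
                printf "UNEXPECTED %s\n", host
            }
        }
        END { for (h in want) if (!(h in seen)) printf "MISSING %s\n", h }
    ' "$2" "$1" | LC_ALL=C sort
}

# perms_ok FILE
# Succeeds only for a regular file that group and other cannot write.
perms_ok() {
    mode=$(ls -ld "$1" | awk '{print $1}')
    case $mode in
        -????-??-?*) return 0 ;;   # e.g. -rw------- or -rw-r--r--
        *)           return 1 ;;
    esac
}

# audit_system ROOT MEMBERS_FILE
# ROOT is "/" on a live system and a scratch directory in the demo below.
# Returns 0 when both trust files are clean, 1 otherwise.
audit_system() {
    audit_rc=0
    for f in "$1/.rhosts" "$1/etc/hosts.equiv"; do
        if [ ! -f "$f" ]; then
            echo "$f: NOFILE"; audit_rc=1; continue
        fi
        perms_ok "$f" || {
            echo "$f: writable by group/other, or not a regular file"
            audit_rc=1
        }
        findings=$(audit_trust "$f" "$2")
        if [ -n "$findings" ]; then
            echo "$findings" | while IFS= read -r l; do echo "$f: $l"; done
            audit_rc=1
        fi
    done
    return $audit_rc
}

# make_sample DIR: build constructed trust files under an existing DIR.
make_sample() {
    mkdir "$1/etc" || return 1
    printf '%s\n' admin1 secsrv1 cdssrv1 > "$1/members"
    printf '%s\n' '# cell members' 'admin1 root' 'SECSRV1 root' \
        'oldlab7 root' > "$1/.rhosts"
    printf '%s\n' admin1 secsrv1 cdssrv1 '+' > "$1/etc/hosts.equiv"
    chmod 600 "$1/.rhosts"
    chmod 664 "$1/etc/hosts.equiv"
}

# Demo on the constructed sample.
demo=${TMPDIR:-/tmp}/dcm-trust-demo.$$
mkdir "$demo" && make_sample "$demo" || exit 1
audit_system "$demo" "$demo/members" || echo "trust files need attention"
rm -rf "$demo"
```

On a live system, pass / as ROOT and a file that lists the administrative node and every cell member, one per line.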
Running DCM
To run DCM:
1. Log in as root.
2. Execute sam from a shell prompt.
3. Select (double click on) DCE Cell Management.
4. Select (double click on) DCE Configuration Manager.
In a configured and running cell, if the primary DCE services (Initial CDS and Master Security) are running on HP systems (as opposed to other vendors’ systems), you can configure additional HP DCE 1.2, 1.2.1, 1.3.1, 1.4, 1.4.1, 1.4.2, 1.5, 1.6, or 1.7 clients into the cell from any HP DCE 1.7 cell member system.
Online Help for DCM
Comprehensive, context-sensitive online help is provided for DCM, as it is for all functional areas of SAM. Consult the online help for details about using DCM; detailed information about DCM is not provided here or in a separate manual.
NOTE The DCM online help assumes a basic familiarity with DCE terms and concepts, as described in the manual Introduction to DCE.
To access the DCM online help, select (single click on) the DCE Configuration Manager icon in SAM. Then press F1. Alternatively, open (double click on) DCE Configuration Manager, and then select “Introduction to Cell Configuration.”
For information about using the SAM online help system, use the Help pulldown menu on the SAM screen.
Printing the DCM Online Help
You can print the DCM online help from CDE. The help, however, is not formatted as it is on the screen: only text is printed (graphics are not printed).
You can print individual help topics within DCM online help using the Print button on a help topic screen.
You can use the dthelpprint command at a shell prompt to print the entire help volume. The full pathname of the DCM help volume is:
/opt/dce/lib/dcm/C/help/dceconf.sdl
On ASCII terminals, you can only use the dthelpprint command; the print button is not available. See the dthelpprint (1X) man page for more information.
Configuring Cells Using dce_config
The following procedures explain how to configure server and client systems using the menu-driven dce_config tool. The text shows the complete menu at its first occurrence; thereafter it shows only the menu name and current selection, prompts, and recommended input values (in boldface).
As you perform each step, various status messages are displayed. This document shows only the prompts; it may not show all status messages.
Note that this section assumes a basic familiarity with DCE terms and concepts, as described in the manual Introduction to DCE.
The following sections include complete information on configuring cells using the dce_config script.
Starting dce_config
1. Log in as root on the system you want to configure.
2. Run dce_config. The DCE Main Menu is displayed.
DCE Main Menu (on hostname)
1. CONFIGURE -configure and start DCE daemons
2. START -re-start DCE daemons
3. STOP -stop DCE daemons
4. UNCONFIGURE -remove a host from CDS and SEC data-bases
5. REMOVE -stop DCE daemons and remove data files created by DCE daemons
99. EXIT
selection:
NOTE dce_config is not capable of configuring (but is capable of unconfiguring) systems remotely. System configuration must be done locally on each client/server system. When running dce_config, you must always log in on the system you want to configure.
Initial Cell Configuration
NOTE As of HP DCE 1.6, dce_config sets the DCEAUDITFILTERON environment variable to enable audit filtering, which limits the range of audit event types logged. If you want to disable or change the default settings provided by dce_config, you must do so before starting any server that provides data to the Audit Service. See “Configuring the DCE Audit Service” in this chapter and “The DCE Audit Service” in Chapter 1.
NOTE HP DCE 1.6 and 1.7 do not support DFS. Therefore, you can ignore references to DFS that still appear in configuration menus. If you choose DFS Client from the DCE Configuration Menu, for example, a message displays that the bits are not loaded.
When creating an HP DCE cell, servers must be configured before clients. First configure a Security server, then a CDS server, a Time server, and finally a single Time provider. Then you may configure clients.
When planning a DCE cell, note that you must configure a CDS client on any Security server system that is not running a CDS server. You must also configure a Time client on any system that is not running a Time server. Be sure to configure these clients only after you have configured all servers.
Client configuration is discussed in “Configuring Client Systems: Security, CDS, and DTS” later in this chapter.
1. From the DCE Main Menu, choose CONFIGURE:
DCE Main Menu (on hostname)
selection: 1 (CONFIGURE)
DCE Configuration Menu (on hostname)
1. Initial Cell Configuration
2. Additional Server Configuration
3. DCE Client
4. DFS Client
98. Return to previous menu
99. Exit
selection:
2. From the DCE Configuration Menu, choose Initial Cell Configuration:
DCE Configuration Menu (on hostname)
selection: 1 (Initial Cell Configuration)
S:****** Configuring initial cell.
Initial Cell Configuration (on hostname)
1. Initial Security Server
2. Initial CDS Server
3. Initial DTS Server
98. Return to previous menu
99. Exit
selection:
3. Configure the Security Server:
Initial Cell Configuration
selection: 1 (Security Server)
S:****** Configuring initial Security Server
4. If this is your very first cell configuration, or if you have previously run REMOVE, answer n to the following question. If you are reconfiguring a cell, answer y:
Do you want to first remove all remnants of previous DCE configurations for all components (y/n)? You should do so only if you plan on reconfiguring all existing DCE components now: (n)
5. Enter a cell name:
Enter the name of your cell (without /…), xyz.abc.com
S:****** Stopping rpcd...
S:****** Starting dced...
S:****** Initializing dced...
S:****** Since the glbd daemon was restarted and/or llbd and rpcd were replaced by the endpoint mapper, NCS applications may need to be restarted.
6. At the following prompt, enter any string and press <RETURN>.
Enter keyseed for initial database master key:
7. dce_config prompts you to choose the Cell Administrator’s principal name and password. The default principal name for the Cell Administrator is cell_admin:
Enter desired principal name for the Cell Administrator: (cell_admin)
Enter desired password for the Cell Administrator:
8. dce_config prompts you for the starting point for UNIX user and group IDs that will be generated by the DCE Security Service. This step prevents the DCE Security Service from generating IDs that are already in use by your system. Type <RETURN> to choose the default value, or enter a value of your choice:
S:****** The current highest UNIX ID for persons is N.
Enter the starting point to be used for UNIX IDs that are automatically generated by the Security Service when a principal is added using “rgy_edit”: (N+100) <RETURN>
S:****** The current highest UNIX ID for groups is N.
Enter the starting point to be used for UNIX IDs that are automatically generated by the Security Service when a group is added using “rgy_edit”: (N+100) <RETURN>
dce_config then starts up secd and initializes the registry database.
S:****** Starting secd…
S:****** Checking for active sec_client service...
S:****** Starting sec_client service...
S:****** Initializing the registry database…
This system is now configured as the master Security server. You must now create a CDS server, either on this system or on another system:
• If the CDS server for this cell will be on another system, repeat steps 1 and 2 on that system, and continue with step 10 below.
• If the CDS server is on the same system as the Security server, continue with step 9 below.
CAUTION Do not configure an additional CDS Server or a replica of a CDS Server on the same system as your Security Server. Such a configuration is illegal and unsupported.
9. From the Initial Cell Configuration menu, choose Initial CDS Server:
Initial Cell Configuration (on hostname)
selection: 2 (Initial CDS Server)
This routine starts up cdsadv and cdsd, initializes the name space, and sets ACLs for all new name space entries.
S:****** Configuring initial CDS Server…
S:****** Please wait for user authentication and authorization…
S:****** Checking for active sec_client service...
10. dce_config asks whether it should create a LAN profile for use in dividing clients and servers into profile groups for higher performance in multi-LAN cells. If you choose to have a LAN profile created, dce_config asks for the name of the local LAN. The name you provide is arbitrary, and is used by dce_config to store LAN profile information.
Create LAN profile so clients and servers can be divided into profile groups for higher performance in a multi-lan cell? (n) y
What is the name of the LAN? lan_250
S:****** Starting cdsadv...
S:****** Starting cdsd...
S:****** Creating LAN profile…
S:****** Setting ACLs for all new namespace entries...
This system is now configured as a CDS server. You must now create a DTS server, either on this system or on another system.
Time servers should be configured in any cell of more than one system. A minimum of three Time servers is recommended for any cell with three or more member systems. See the OSF DCE Administration Guide — Core Services for a discussion of the optimum placement of servers in a cell with gateway or WAN links. DTS servers may be configured on any system in the cell.
When dce_config is first run on a system, the HP-UX environment variable TZ is read to determine the HP-UX local time zone. dce_config then automatically selects a matching DCE local time zone and creates the link for /etc/opt/dce/zoneinfo/localtime. A different time zone can be chosen: see the localtime (5) man page for details.
To configure a DTS server on this system, or on another system:
• If the DTS server for this cell will be on another system, repeat steps 1 and 2 on that system, and continue with step 11 below.
• If the DTS server will be on this system, continue with step 11 below.
11. From the Initial Cell Configuration menu, choose Initial DTS Server:
selection: 3
S:****** Configuring initial DTS services
S:****** Please wait for user authentication and authorization...
S:****** Checking for active sec_client service...
DTS Configuration Menu
1. DTS Local Server
2. DTS Global Server (only in multi-LAN cells.)
3. DTS Clerk
4. DTS Time Provider
98. Return to previous menu
99. Exit
selection:
12. For servers on the same LAN, select the DTS Local Server:
selection: 1 (DTS Local Server)
For a discussion about the use of DTS global servers for time servers communicating between LANs, see the OSF DCE Administration Guide. Where appropriate, select the DTS global server:
selection: 2 (DTS Global Server)
Either selection starts the dts daemon (dtsd).
13. Configure a DTS time provider on one of the time servers in a cell. The DTS null time provider configures a system to trust its own clock as an accurate source of time. The DTS ntp provider obtains an accurate source of time from some other system outside the cell. The spectracom time provider uses a local hardware device as a time provider. See the OSF DCE Administration Guide for more information on time providers.
14. Select the DTS Time Provider:
selection: 4 (DTS Time Provider)
The following menu is displayed:
DTS Time Provider Menu
1. Configure a NULL time provider
2. Configure a NTP time provider
3. Configure a Spectracom time provider
98. Return to previous menu
99. Exit
selection:
15. Select NULL, NTP, or SPECTRACOM:
selection: 1 (NULL time provider)
or
selection: 2 (NTP time provider)
or
selection: 3 (spectracom time provider)
If you select the NTP time provider, the following prompt appears:
Enter the host name where the NTP server is running:
If you select the spectracom time provider, the following prompt appears:
Enter the device name where the TP is connected:
You have now completed configuration of the server systems.
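Step 8 above sets where generated UNIX IDs begin, and the text describes the default as protecting IDs already in use on the system being configured. The following added example (not HP's code and not part of dce_config) goes beyond that single-system case and checks a starting point against passwd- or group-format files from several hosts; the function names, the ID_CAP cut-off and the sample accounts are assumptions.

```shell
#!/bin/sh
# Added example, not part of dce_config. Inputs are passwd- or group-format
# files, for instance copies gathered from each host that will join the cell.
# ID_CAP is an assumed cut-off for sentinel accounts such as nobody (65534).
ID_CAP=${ID_CAP:-60000}

# highest_id FILE...   print the highest ordinary numeric ID found in field 3
highest_id() {
    awk -F: -v cap="$ID_CAP" '
        /^[+-]/ || /^#/   { next }    # NIS compat markers and comments
        $3 !~ /^[0-9]+$/  { next }    # negative or malformed IDs
        $3 + 0 >= cap     { next }    # sentinel IDs
        $3 + 0 > max      { max = $3 + 0 }
        END               { print max + 0 }
    ' "$@"
}

# suggest_start FILE...   the N+100 default shown at the step 8 prompts
suggest_start() {
    echo $(( $(highest_id "$@") + 100 ))
}

# ids_at_or_above START FILE...   list name:id entries that START does not
# clear, i.e. existing IDs at or above the chosen starting point
ids_at_or_above() {
    start=$1; shift
    awk -F: -v s="$start" -v cap="$ID_CAP" '
        /^[+-]/ || /^#/ || $3 !~ /^[0-9]+$/ { next }
        $3 + 0 >= s && $3 + 0 < cap { print $1 ":" $3 }
    ' "$@"
}

# Constructed sample passwd files (hypothetical hosts and accounts).
ID_DIR=$(mktemp -d)
trap 'rm -rf "$ID_DIR"' EXIT
cat > "$ID_DIR/passwd.secsrv" <<'EOF'
root:*:0:3::/:/sbin/sh
alice:*:204:20::/home/alice:/usr/bin/sh
nobody:*:-2:-2::/:
EOF
cat > "$ID_DIR/passwd.client1" <<'EOF'
root:*:0:3::/:/sbin/sh
bob:*:1150:20::/home/bob:/usr/bin/sh
nobody:*:65534:65534::/:
EOF

echo "local default:     $(suggest_start "$ID_DIR/passwd.secsrv")"
echo "cell-wide default: $(suggest_start "$ID_DIR"/passwd.*)"
echo "not cleared by the local default:"
ids_at_or_above "$(suggest_start "$ID_DIR/passwd.secsrv")" "$ID_DIR"/passwd.*
```

Any entry the last command lists is an existing account whose ID lies at or above the proposed starting point, so a higher value should be entered at the prompt.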
Configuring Additional CDS Servers
Follow this procedure if you want to configure additional CDS servers:
1. From the DCE Configuration Menu, choose Additional Server Configuration:
DCE Configuration Menu (on hostname)
selection: 2
S:****** Configuring additional server.
S:****** Please wait for user authentication and authorization.
NOTE When configuring a multi-system cell, dce_config checks that system times are within 120 seconds of each other.
2. The Additional Server Configuration menu appears. Choose Additional CDS Server:
Additional Server Configuration Menu
selection: 1 (Additional CDS Server(s))
S:****** Configuring additional CDS server
A CDS server must have already been configured.
3. dce_config prompts for the name of an existing CDS server. If the cell has more than one CDS server, choose one:
What is the name of a CDS server in this cell (if there is more than one, enter the name of the server to be cached if necessary)? cds_server_node
S:****** Checking for active sec_client service...
S:****** Starting cdsadv...
4. dce_config asks whether it should create a LAN profile for use in dividing clients and servers into profile groups for higher performance in multi-LAN cells. If you choose to have a LAN profile created, dce_config asks for the name of the local LAN. The name you provide is arbitrary, and is used by dce_config to store LAN profile information.
Create LAN profile so clients and servers can be divided into profile groups for higher performance in a multi-lan cell? (n) n
S:****** Starting cdsd...
S:****** Waiting for registry propagation...
S:****** Initializing the name space for additional CDS server...
Modifying ACLs on /.:/hosts/hostname/cds-server
5. After starting the CDS client daemon, dce_config prompts for the name of the CDS clearinghouse. Enter a name of your choice.
What is the name for this clearinghouse? hostname_ch
S:****** Modifying ACLs on /.:/host_ch…
6. dce_config asks if more directories should be replicated. If you answer y, dce_config prompts for a list of directories to be replicated:
Should more directories be replicated? (n) y
Enter a list of directories to be replicated, separated by spaces, and terminated by <RETURN>
Notes on Configuring Additional CDS Servers
Immediately after configuring an additional CDS server, you should, while logged in as cell_admin, skulk the root directory using the following command:
dcecp -c directory synchronize /.:
This will initiate the propagation of a consistent copy of the changed root directory information to all the CDS servers, and will prevent problems which might arise from use of inconsistent information before this propagation. The use of several CDS servers may increase the time required to complete the propagation of this information.
Configuring Client Systems: Security, CDS, and DTS
Before configuring clients, first configure your server systems. Then use this procedure to configure client systems.
You must configure a CDS client on any Security server system that is not running a CDS server. To configure a client system, you need to know the name of the system(s) running the Security server and the initial CDS server for the cell.
If you are using DTS as your time synchronization mechanism, you must configure a DTS clerk (client) on any system that is not running a DTS server.
You must have the following information to configure a client:
• The host name of any security server in the cell
• The cell administrator’s principal name and password
• The host name of a CDS server in the cell
1. Start dce_config on the system that you want to configure with DCE client(s).
2. Enter the DCE Configuration Menu:
DCE Main Menu
selection: 1 (CONFIGURE)
3. Run the client configuration routine:
DCE Configuration Menu
selection: 3 (DCE Client)
4. dce_config asks if you want to remove all remnants of previous DCE configurations. If you are configuring this system for the first time or have previously run Remove, answer n. Otherwise, answer y.
5. Enter the host name of your cell’s security server:
What is the name of a Security Server running in the cell you wish to join? sec_server_node
S:****** Starting dced...
S:****** Initializing dced...
6. After starting and initializing the Security client daemon, dce_config asks for the name of a node with which it can synchronize the clock on this node. Enter <RETURN> to get the default (the master security machine in the cell).
Enter a machine to synchronize with: (sec_server_node) <RETURN>
Time on host is within specified tolerance (120 secs) of time on sec_server_node.
S:****** Checking for active sec_client service...
S:****** Starting sec_client service...
S:****** This node is now a security client.
S:****** Starting cdsadv...
7. Enter the name of the cell CDS server. If the cell has more than one CDS server, choose one:
What is the name of a CDS server in this cell (if there is more than one, enter the name of the server to be cached if necessary)? cds_server_host
Create LAN profile so clients and servers can be divided into profile groups for higher performance in a multi-lan cell? (n) n
S:****** This node is now a CDS client.
8. After configuring the CDS client, dce_config asks how the node should be configured for DTS. If you are using DTS as your time synchronization mechanism, you must configure a DTS clerk (client) on any system that is not running a DTS server.
Should this machine be configured as a DTS Clerk, DTS Local Server, or DTS Global Server? (default is DTS Clerk) (clerk, local, global, none) <RETURN>
S:****** Starting dtsd...
S:****** This node is now a DTS clerk
Configuration of the Security, CDS and DTS client system is now complete.