Entegrity DCE and DFS for HP Tru64 UNIX
Installation and Configuration Guide

Software Version 4.3.1

4 — Modifying Cell Configuration




4.1 Overview of Cell Re-Configuration

Here is the menu you use to change the configuration of your cell.

NOTE: The operations in the following table require superuser (root) privileges.

Table 4-1: Modify Configuration Menu

Menu Option Description
1) Add Replica CDS Server / Remove Replica CDS Server

Creates or removes a replica of the master CDS server on the current machine. If your machine already has a replica of the master CDS server, the menu option shows "Remove Replica CDS Server."

2) Add Replica Security Server / Remove Replica Security Server

Creates or removes a replica of the master security server on the current machine. If the machine already has a replica of the master security server, the menu option shows "Remove Replica Security Server."

3) Add DTS Local Server / Change from DTS Local Server to DTS Clerk

Adds a DTS local server to the current machine. If your machine is already configured as a DTS Local Server, this menu option reads "Change from DTS Local Server to DTS Clerk"; choose it to reconfigure the current machine as a DTS clerk.

4) Add DTS Global Server / Change from DTS Global Server to DTS Clerk

Adds a DTS global server to the current machine. If your machine is already configured as a DTS Global Server, this menu option reads "Change from DTS Global Server to DTS Clerk"; choose it to reconfigure the current machine as a DTS clerk.

5) Add Null Time Provider

Sets the time inaccuracy value but prevents DTS from setting the time. Choose this option if you do not want DTS to set the system time.

6) Add NTP Time Provider

Directs the current machine to get the time from an NTP server.

7) Enable Auditing / Disable Auditing

Enables or disables DCE security auditing on the system.

8) Enable DCE SIA / Disable DCE SIA

Enables or disables DCE security integration architecture (SIA) on the system.

9) Enable Kerberos 5 / Disable Kerberos 5

Enables or disables MIT Kerberos 5 security services for telnet, rlogin, and rsh.

10) Configure LDAP Name Service

Configures LDAP (lightweight directory access protocol) name service.

11) Add LDAP Client Services / Remove LDAP Client Services

Adds or removes the LDAP name service client; that is, creates (or removes) in the LDAP name space the server, group, and profile entries that correspond to the entries created in CDS during DCE client configuration.

12) Enable LDAP GDA / Disable LDAP GDA

Enables or disables Global Directory Agent (GDA) use of LDAP to find foreign cells.

13) Add PKSS Server / Remove PKSS Server

Adds or removes a private key storage server (PKSS). DCE public key security includes a private key storage service, which keeps users' private keys protected on the server while they are not in use.

14) Register in X.500

Registers a DCE cell in X.500. This X.500 option displays only if X.500 is installed on the current machine.

R) Return to previous menu

Returns you to the DCE Setup Main Menu.

4.2 Adding a Replica CDS Server

If you want to create a replica of the master CDS server on your machine, you can do so on a system that has already been configured as a client, or on a system that has not yet been configured for DCE. The following example assumes no prior configuration.

Choose option 1 (Add Replica CDS Server) from the Modify Configuration Menu. The configuration utility asks whether to search the LAN for known cells within broadcast range of your system.

Would you like to search the LAN for known cells? (y/n) [y] :

If you know the name of your DCE cell, answer n. As prompted, supply the name of your DCE cell, your DCE hostname, and the hostname of your cell's master CDS server; you are also asked whether your host can broadcast to the host where the master CDS server is installed.

Answer y to view a list of the cells within broadcast range and to pick your cell from that list. The rest of this example follows the y path.

You are asked to enter your DCE hostname:

Please enter your DCE hostname [myhost]:

The procedure then displays an alphabetical list of the cells within broadcast range of your system and asks you to enter the name of your DCE cell. After you enter the cell name, the procedure displays the following messages and asks whether the local system time is correct:

Gathering list of currently accessible cells

The following cells were discovered within broadcast range of this system:


buster_cell

kauai_cell

myhost_cell

tahoe_cell


Please enter the name of your DCE cell: myhost_cell.


        Stopping dced.

        Initializing dced (dced)...

        Starting dced (dced)...

        Starting CDS advertiser daemon (cdsadv)...

        Testing access to CDS server (please wait)...


        Attempting to locate security server

        Found security server

        Creating /opt/dcelocal/etc/security/pe_site file

        Checking local system time

        Looking for DTS servers in this LAN

        Found DTS server


    The local system time is: Wed Jul 12 11:31:52 1998


        Is this time correct?  (y/n):

Check the time carefully before you respond to this prompt. DCE authentication is Kerberos-based: a host whose clock differs from the security server's by more than the cell's permitted skew has its tickets rejected, so a wrong answer here shows up later as dce_login failures. If the time is incorrect, specify n; the procedure exits to the operating system so that you can reset the system time. After you correct or verify the time, specify y, and the procedure continues with the following message (if you have DECnet/OSI installed and configured):
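The following is an added example, not part of the dcesetup procedure or of the Entegrity product: a small check you can run against the time line the procedure prints here (and at the same prompt in Sections 4.3, 4.4, and 4.5) before answering. It parses the timestamp in the format shown above, compares it with a reference time obtained out of band (for example from a trusted NTP or DTS server, read in the same time zone), and reports whether the difference is within 300 seconds, the MIT Kerberos 5 default clock skew, which this example assumes the cell has not changed. The timestamps are constructed sample values.

```python
"""Clock sanity check for the "Is this time correct?" prompt.

Added example, not part of the Entegrity/Gradient DCE setup procedure.
Assumes the timestamp format the setup script prints
("Wed Jul 12 11:31:52 1998") and a reference time obtained out of band
from a trusted time source, expressed in the same time zone.
"""
from datetime import datetime

# MIT Kerberos 5 default maximum clock skew, in seconds.  Assumption: the
# cell runs with the default; check the security server configuration if
# your site has changed it.
MAX_SKEW_SECONDS = 300

# Format of the line "The local system time is: ..." printed by dcesetup.
SETUP_TIME_FORMAT = "%a %b %d %H:%M:%S %Y"


def parse_setup_time(text):
    """Parse the local time line printed by dcesetup into a naive datetime."""
    return datetime.strptime(text.strip(), SETUP_TIME_FORMAT)


def clock_skew_seconds(local, reference):
    """Signed skew: positive when the local clock is ahead of the reference."""
    return (local - reference).total_seconds()


def time_is_acceptable(local_text, reference_text, max_skew=MAX_SKEW_SECONDS):
    """Return (ok, skew).  ok is False when the skew would break Kerberos
    authentication, i.e. the moment to answer 'n' and fix the clock before
    the procedure attempts dce_login."""
    skew = clock_skew_seconds(parse_setup_time(local_text),
                              parse_setup_time(reference_text))
    return abs(skew) <= max_skew, skew


# Constructed sample input: the local time as dcesetup would print it, and
# two reference readings from a trusted time source.
LOCAL_TIME = "Sun Jul 12 11:31:52 1998"
REFERENCE_OK = "Sun Jul 12 11:30:10 1998"    # local clock 102 s ahead: acceptable
REFERENCE_BAD = "Sun Jul 12 11:20:00 1998"   # local clock 712 s ahead: answer 'n'

if __name__ == "__main__":
    for ref in (REFERENCE_OK, REFERENCE_BAD):
        ok, skew = time_is_acceptable(LOCAL_TIME, ref)
        verdict = "answer y" if ok else "answer n and reset the clock"
        print(f"reference {ref}: skew {skew:+.0f}s -> {verdict}")
```

The decision is deliberately symmetric: a clock that is behind the reference is as harmful as one that is ahead, and the tolerance should be compared against the security server's clock, not against whatever the DECdts or NTP source on the LAN happens to say.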

You seem to have DECnet/OSI installed on this system.  DECnet/OSI includes a 
distributed time synchronization service (DECdts), which does not currently 
support the DCE Distributed Time Service (DCE DTS) functionality.  The DCE 
DTS in this release provides full DECdts functionality.  This installation 
will stop DECdts and use DCE DTS instead.  For further clarification, please 
consult the Gradient DCE for Tru64 UNIX Product Guide. 


Even though DCE DTS will be used, it is possible to accept time from DECdts 
servers.


Should this node accept time from DECdts servers? (y/n) [n]:

Specify y to accept time from any DECnet/OSI DECdts server; however, time from this source is unauthenticated, so any host able to send DECdts time to this system can shift its clock, and DCE authentication depends on clocks across the cell agreeing. Unless you need DECdts interoperability, specify n; this system then accepts time only from DCE DTS servers.

Do you want this system to be a DTS Local Server (y/n/?) [n]:

If DECnet/OSI is not installed, this system must be configured as either a DTS clerk or a DTS server. For a complete description of the differences between DTS clerks and servers, consult the section on how DTS works in the OSF DCE Administration Guide. Entegrity recommends that you configure three DTS servers per cell.

The procedure then asks whether to use DCE Security Integration Architecture (SIA). Answering y configures security-sensitive commands such as login, su, telnet, and ftp to perform DCE authentication in addition to the usual local security checks those commands perform. For more information about DCE SIA, refer to the Entegrity DCE for Tru64 UNIX Product Guide. If you want SIA enabled, answer y to the following:

Do you want to enable DCE SIA? (y/n) [n] :

After you respond the procedure stops the CDS advertiser and asks you to perform a dce_login operation.

        Stopping cdsadv...


This operation requires that you be authenticated as a member of the 
sec-admin group.  Please login.

You must perform a dce_login operation, as follows:

    Enter Principal Name:

    Password:

After you log in, the procedure configures the system as a client system and asks for a clearinghouse name:

    Configuring security client

      Creating /krb5/krb.conf file

      Adding kerberos5 entry to /etc/services

      Creating ktab entry for client

      Starting sec_client service (please wait).


    This machine is now a security client.


    Configuring CDS client

      Creating the cds.conf file

      Starting CDS advertiser daemon (cdsadv)...

      Testing access to CDS server (please wait).

      Creating hosts/myhost objects in name space

NOTE: After the line "Adding kerberos5 entry to /etc/services" you might see a message stating that the principals already exist under hosts/myhost. This means either that another host with the same name already exists in the cell or that you are reconfiguring the same machine. You are prompted with the following question:

Do you wish to delete these principals (y/n/?): [y]

NOTE: You must delete the principals to continue with the configuration. Before you answer y, confirm that the name really belongs to this machine: deleting the principals of another, live host removes that host's identity from the registry, and it can no longer authenticate to the cell.

The procedure continues with the following messages and prompts:

    This machine is now a CDS client.


    Configuring DTS daemon as client (dtsd)

        Starting DTS daemon (dtsd)...


    This machine is now a DTS clerk.

    Configuring CDS replica server

      Adding CDS registry entries

      Creating the cds.conf file

      Starting CDS advertiser daemon (cdsadv)...

         cdsadv is already running

      Starting CDS server daemon (cdsd)...

When configuring the CDS server, the procedure asks:

What is the name for this clearinghouse? (Type '?' for help) [myhost_ch]:

Specify a name for this clearinghouse that is unique in this cell. The procedure displays the following messages and asks whether you want to replicate more directories.

    Creating clearinghouse files and replica for root directory...

    Initializing the name space for additional CDS server...

    Modifying acls on /.:/myhost_ch

    Modifying acls on /.:/hosts/myhost/cds-server

    Modifying acls on /.:/hosts/myhost/cds-gda


Do you wish to replicate more directories? (y/n/?):

The root directory from the CDS master server has just been replicated. You can replicate more directories if you want by answering y. Next, you are prompted for the name of a CDS directory to be replicated.

Enter the name of a CDS directory to be replicated (or '?' for help):

Enter the name of a CDS directory that exists in the master CDS namespace and that you want to replicate on this system. Type the directory name without the /.:/ prefix; it is added automatically. When you are done, press only the <Return> key. The procedure displays the following messages and asks whether you want to run the CVP.

        Starting Global Directory Agent daemon (gdad)...

        Starting Name Service Interface daemon (nsid)...


Do you want to run the DCE Configuration Verification Program? 

(y/n/?) [y]:

If your system is configured as a CDS Replica Server, this option will show "Remove Replica CDS Server" on the Modify Configuration Menu.

                  ***  Modify Configuration Menu  ***


        1) Remove Replica CDS Server

        2) Add Replica Security Server

        3) Add DTS Local Server

        4) Add DTS Global Server

        5) Add Null Time Provider

        6) Add NTP Time Provider

        7) Enable Auditing

        8) Enable DCE SIA

        9) Enable Kerberos 5

       10) Configure LDAP Name Service

       11) Add LDAP Client Service

       12) Enable LDAP GDA

       13) Add PKSS Server

       14) Register in X.500

        R) Return to previous menu


Please enter your selection (or '?' for help):

Choose this option if you wish to remove a CDS Replica Server from your DCE configuration. You will not affect the rest of your system's DCE configuration.

4.3 Adding a Replica Security Server

If you want to add a replica security server to your system, choose option 2 (Add Replica Security Server) from the Modify Configuration Menu. When you choose this option, the procedure displays the following messages:

At each prompt, enter  <RETURN>  to take the default displayed in [braces] or 
enter '?' for help.


Press  <RETURN>  to continue:


Shutting down DCE services


DCE services stopped


Removing temporary local DCE databases and configuration files


Removing permanent local DCE databases and configuration files


    Starting client configuration

        Initializing dced (dced)...

        Starting dced (dced)...

        Gathering list of currently accessible cells


Please enter your DCE hostname [dcehost]:

After you enter your DCE hostname, the procedure displays an alphabetical list of cells it has found within broadcast range of your system. In many environments, the list will consist of only one name. Choose the name of the DCE cell that you want to join. If you do not know the name of the cell, consult your network administrator. Do not add the /.../ prefix to the cell name; the procedure automatically adds it.

Please enter the name of your DCE cell (or '?' for help) [ ]:

After you enter your cell name, the procedure continues, displaying information similar to the following, but dependent upon your configuration:

        Stopping dced (dced)...

        Initializing dced (dced)...

        Starting dced (dced)...

        Starting CDS advertiser daemon (cdsadv)...

        Testing access to CDS server (please wait)....


        Attempting to locate security server

        Found security server

        Creating /opt/dcelocal/etc/security/pe_site file

        Checking local system time

        Looking for DTS servers in this LAN

        Found DTS server

        Found DTS server

        Looking for DTS servers in this cell

        No DTS servers found in cell


    The local system time is: Wed Jul 12 11:38:14 1998


Is this time correct?  (y/n): y

Make sure you check that the correct time is displayed before you continue with the configuration. If the time is incorrect, specify n, and the procedure exits to the operating system to allow you to reset the system time. After you correct or verify the time, specify y, and the procedure continues with the following message (if you have DECnet/OSI installed and configured):

You seem to have DECnet/OSI installed on this system. DECnet/OSI includes a 
distributed time synchronization service (DECdts), which does not currently 
support the DCE Distributed Time Service (DCE DTS) functionality.  The DCE 
DTS in this release provides full DECdts functionality.  This installation 
will stop DECdts and use DCE DTS instead.  For further clarification, please 
consult the Gradient DCE for Tru64 UNIX Product Guide.


Even though DCE DTS will be used, it is possible to accept time from DECdts 
servers.


Should this node accept time from DECdts servers? (y/n) [n]:

Specify y to accept time from any DECnet/OSI DECdts server; however, time from this source is unauthenticated, so any host able to send DECdts time to this system can shift its clock. If you specify n, this system accepts time only from DCE DTS servers. If you want to use DCE Security Integration Architecture (SIA), answer y to the following:

Do you want to enable DCE SIA? (y/n) [n] :

After you respond to the prompt, the procedure stops the CDS advertiser and asks you to perform a dce_login operation, as follows:

        Stopping cdsadv...


This operation requires that you be authenticated as a member of the 
sec-admin group.  Please login.


    Enter Principal Name: cell_admin

    Password:

Obtain the password from your cell administrator. After you perform the dce_login operation, the procedure continues with the following messages:

    Configuring security client

        Creating /krb5/krb.conf file

        Adding kerberos5 entry to /etc/services

        Creating ktab entry for client

        Starting sec_client service (please wait).


    This machine is now a security client.

The procedure continues with the following messages and prompts.

    Configuring CDS client

        Creating the cds.conf file

        Starting CDS advertiser daemon (cdsadv)...

        Testing access to CDS server (please wait).

        Deleting known hosts/dcehost objects from name space

        Creating hosts/dcehost objects in name space


    This machine is now a CDS client.


    Configuring DTS daemon as client (dtsd)

        Starting DTS daemon (dtsd)...


    This machine is now a DTS clerk.


Enabling DCE SIA


 Configuring security replica server

The procedure will prompt you to enter the security replica name.

Enter the security replica name (without subsys/dce/sec) [dcehost]:

After you enter the security replica name, you are prompted for a keyseed. Type a run of random alphanumeric characters at the keyboard. The seed goes into deriving the master key for the replica's registry database, so do not reuse a password, type a predictable sequence, or feed the value from a script; you will not need to remember it.

*************************************************************

*   Starting the security server requires that you supply   *

*   a 'keyseed.'  When asked for a 'keyseed,' type some     *

*   random, alphanumeric keystrokes, followed by RETURN.    *

*   (You won't be required to remember what you type.)      *

*************************************************************


Enter keyseed for initial database master key:
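The procedure accepts whatever you type as the keyseed. The following is an added example, not code from the product: a check that models what an administrator should refuse to type at this prompt. Its thresholds (16 characters, three character classes, 40 bits of estimated entropy) and its short list of keyboard walks are assumptions chosen for the example, and the sample seeds are constructed.

```python
"""Keyseed quality check for "Enter keyseed for initial database master key".

Added example, not part of the DCE setup utility.  The setup script only
asks for "random, alphanumeric keystrokes"; this check rejects the seeds a
careful administrator would refuse: short ones, ones drawn from a tiny
alphabet, and keyboard walks.  All thresholds below are this example's
assumptions, not values taken from the product.
"""
import math
import string
from collections import Counter

MIN_LENGTH = 16            # assumption
MIN_CLASSES = 3            # assumption: of lower/upper/digit/punctuation
MIN_ENTROPY_BITS = 40.0    # assumption

# Constructed list of keyboard walks a hurried operator tends to type.
KEYBOARD_WALKS = ("qwerty", "asdf", "zxcv", "1234", "abcd", "qazwsx")


def character_classes(seed):
    """Count how many of lower/upper/digit/punctuation classes appear."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(1 for cls in classes if any(ch in cls for ch in seed))


def estimated_entropy_bits(seed):
    """Shannon entropy of the seed's character distribution times its
    length.  This is a crude upper bound (it cannot see structure such as
    dictionary words), so it is only used to reject obviously poor seeds."""
    if not seed:
        return 0.0
    counts = Counter(seed)
    per_char = -sum((n / len(seed)) * math.log2(n / len(seed))
                    for n in counts.values())
    return per_char * len(seed)


def contains_keyboard_walk(seed):
    """True if any known keyboard walk appears in the seed (case-insensitive)."""
    lowered = seed.lower()
    return any(walk in lowered for walk in KEYBOARD_WALKS)


def keyseed_problems(seed):
    """Return the reasons this seed should be rejected; empty if acceptable."""
    problems = []
    if len(seed) < MIN_LENGTH:
        problems.append("too short (%d < %d)" % (len(seed), MIN_LENGTH))
    if character_classes(seed) < MIN_CLASSES:
        problems.append("too few character classes")
    if estimated_entropy_bits(seed) < MIN_ENTROPY_BITS:
        problems.append("estimated entropy below threshold")
    if contains_keyboard_walk(seed):
        problems.append("contains a keyboard walk")
    return problems


def keyseed_is_acceptable(seed):
    return not keyseed_problems(seed)


# Constructed sample seeds.
WEAK_SEEDS = ("aaaaaaaaaaaaaaaa", "asdfasdfasdfasdf", "Password1!")
STRONG_SEED = "g7#Rw2qL!vZ9pX4m@Kt6"

if __name__ == "__main__":
    for seed in WEAK_SEEDS + (STRONG_SEED,):
        print("%r: %s" % (seed, keyseed_problems(seed) or "acceptable"))
```

The entropy estimate is intentionally a filter for obviously bad input, not a measure of the resulting master key's strength; the point is that a seed drawn from a few repeated keys gives the key derivation far less than it was designed to receive.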

The procedure continues, displaying information similar to the following, but dependent on your configuration:

        Modifying acls on /.:/sec/replist...

        Modifying acls on /.:/subsys/dce/sec...

        Modifying acls on /.:/sec...

        Modifying acls on /.:...

        Modifying acls on /.:/cell-profile...


        Starting security server daemon (secd)...


        Waiting for registry propagation...


Do you want to run the DCE Configuration Verification Program? (y/n/?) [y]:

If you type y to run the CVP at this time, you see the following display:

 Executing DIGITAL DCE V3.1 (Rev. 635) for Compaq Tru64 UNIX CVP (please wait)

 copyright (c) Digital Equipment Corporation. 1998. All Rights Reserved.


 Verifying...........


DIGITAL DCE V3.1 (Rev. 635) for Compaq Tru64 UNIX CVP completed successfully


Modifying system startup procedure...

The DCE components that you have configured are added to your system startup procedure so the daemons restart automatically whenever the system is rebooted. When the procedure completes it displays the DCE Setup Main Menu.

If your system is configured as a Security Replica Server, option 2 on the Modify Configuration Menu shows "Remove Replica Security Server."

                  ***  Modify Configuration Menu  ***


        1) Add Replica CDS Server

        2) Remove Replica Security Server

        3) Add DTS Local Server

        4) Add DTS Global Server

        5) Add Null Time Provider

        6) Add NTP Time Provider

        7) Enable Auditing

        8) Enable DCE SIA

        9) Enable Kerberos 5

       10) Configure LDAP Name Service

       11) Add LDAP Client Service

       12) Enable LDAP GDA

       13) Add PKSS Server

       14) Register in X.500

        R) Return to previous menu


Please enter your selection (or '?' for help):

Choose option 2 if you wish to remove a Security Replica from your DCE configuration. Its removal does not affect the rest of your system's DCE configuration.

4.4 Adding a DTS Local Server

If you want to add a DTS server to your machine, you can do so on a system that has already been configured as a client, or on a system that has not yet been configured for DCE. The following example assumes no prior configuration.

Choose option 3 (Add DTS Local Server) from the Modify Configuration Menu. The procedure displays the following messages and asks you to enter your DCE hostname.

At each prompt, enter  <RETURN>  to take the default displayed in [braces] or 
enter '?' for help.


Press  <RETURN>  to continue:


 Shutting down DCE services


 DCE services stopped


 Removing temporary local DCE databases and configuration files


 Removing permanent local DCE databases and configuration files


    Starting client configuration

        Initializing dced (dced)...

        Starting dced (dced)...

        Gathering list of currently accessible cells


Please enter your DCE hostname [myhost]:

The procedure next displays an alphabetical list of the cells within broadcast range, then asks you to enter the name of your DCE cell.

Please enter the name of your DCE cell (or '?' for help) []:

Supply the name of the DCE cell. Type the cell name without the /.../ prefix; it is added automatically.

After you provide the cell name, depending on how your cell is configured, the following messages may be displayed:

        Starting CDS advertiser daemon (cdsadv)...

        Testing access to CDS server (please wait)....


        Attempting to locate security server

        Found security server

        Creating /opt/dcelocal/etc/security/pe_site file

        Checking local system time

        Looking for DTS servers in this LAN

        Found DTS server


    The local system time is: Thu Jul 13 10:32:25 1998


Is this correct?  (y/n):

Please check the time before you respond to this prompt.

If DECnet/OSI is installed on your system, the configuration utility displays the following message and then asks several questions about configuring a DCE Distributed Time Service server on your system.

You seem to have DECnet/OSI installed on this system. DECnet/OSI includes a 
distributed time synchronization service (DECdts), which does not currently 
support the DCE Distributed Time Service (DCE DTS) functionality. The DCE DTS 
in this release provides full DECdts functionality.  This installation will 
stop DECdts and use DCE DTS instead.  For further clarification, please 
consult the Gradient DCE for Tru64 UNIX Product Guide.


Even though DCE DTS will be used, it is possible to accept time from DECdts 
servers.


Should this node accept time from DECdts servers? (y/n) [n]:

If you want to use DCE Security Integration Architecture (SIA), answer y to the following:

Do you want to enable DCE SIA? (y/n) [n] :

Next, the procedure asks you to log in, then configures the system as a security client, a CDS client, and a DTS server, displaying messages like the following. It ends by asking whether you want to run the CVP.

This operation requires that you be authenticated as a member of the 
sec-admin group.  Please login.


    Enter Principal Name: cell_admin

    Password:


    Configuring security client

        Creating /krb5/krb.conf file

        Adding kerberos5 entry to /etc/services

        Creating ktab entry for client

        Starting sec_client service (please wait).


    This machine is now a security client.


    Configuring CDS client

        Creating the cds.conf file

        Starting CDS advertiser daemon (cdsadv)...

        Testing access to CDS server (please wait).

        Creating hosts/myhost objects in name space

    This machine is now a CDS client.


    Configuring DTS daemon as server (dtsd)

        Stopping sec_client service...

        Starting sec_client service (please wait).

        Starting DTS daemon (dtsd)...

        Waiting for DTS daemon to synchronize (please wait).

If your system is configured as a DTS Local Server, option 3 shows "Change from DTS Local Server to DTS clerk."

        ***  Modify Configuration Menu  ***


        1) Add Replica CDS Server

        2) Add Replica Security Server

        3) Change from DTS Local Server to DTS clerk

        4) Add DTS Global Server

        5) Add Null Time Provider

        6) Add NTP Time Provider

        7) Enable Auditing

        8) Enable DCE SIA

        9) Enable Kerberos 5

       10) Configure LDAP Name Service

       11) Add LDAP Client Service

       12) Enable LDAP GDA

       13) Add PKSS Server

       14) Register in X.500

        R) Return to previous menu


Please enter your selection (or '?' for help):

Choose option 3 if you wish to modify your configuration from a DTS Local Server to a DTS clerk. This operation does not affect the rest of your system's DCE configuration.

4.5 Adding a DTS Global Server

If you want to add a DTS Global Server to your system, choose option 4 (Add DTS Global Server) from the Modify Configuration Menu.

The configuration prompts you with the following messages:

At each prompt, enter  <RETURN>  to take the default displayed in [braces] or 
enter '?' for help.


Press  <RETURN>  to continue:


    Shutting down DCE services


    DCE services stopped


    Removing temporary local DCE databases and configuration files


    Removing permanent local DCE databases and configuration files


    Starting client configuration

        Initializing dced (dced)...

        Starting dced (dced)...

        Gathering list of currently accessible cells


Please enter your DCE hostname [dcehost]:

After you enter your DCE hostname, the procedure displays an alphabetical list of cells it has found within broadcast range of your system. In many environments, the list consists of only one name. Choose the name of the DCE cell that you want to join. If you do not know the name of the cell, consult your network administrator. Do not add the /.../ prefix to the cell name; the procedure automatically adds it.

Please enter the name of your DCE cell (or '?' for help) []:

If you enter a cell name that is not on the list of cell names, the procedure assumes you are performing a WAN configuration, and asks you to enter the hostname of the master CDS server for your cell.

After you enter your cell name, the procedure continues, displaying information similar to the following, but dependent upon your configuration:

        Starting CDS advertiser daemon (cdsadv)...

        Testing access to CDS server (please wait)....

        Attempting to locate security server

        Found security server

        Creating /opt/dcelocal/etc/security/pe_site file

        Checking local system time

        Looking for DTS servers in this LAN

        Found DTS server

        Found DTS server

        Looking for DTS servers in this cell

        No DTS servers found in cell


    The local system time is: Thu Jul 13 10:36:36 1998


Is this time correct?  (y/n):

Make sure you check that the correct time is displayed before you continue with the configuration. If the time is incorrect, specify n, and the procedure exits to the operating system to allow you to reset the system time. After you correct or verify the time, specify y, and the procedure continues with the following message (if you have DECnet/OSI installed and configured):

You seem to have DECnet/OSI installed on this system. DECnet/OSI includes a 
distributed time synchronization service (DECdts), which does not currently 
support the DCE Distributed Time Service (DCE DTS) functionality.  The DCE 
DTS in this release provides full DECdts functionality.  This installation 
will stop DECdts and use DCE DTS instead.  For further clarification, please 
consult the Gradient DCE for Tru64 UNIX Product Guide.


Even though DCE DTS will be used, it is possible to accept time from DECdts 
servers.


Should this node accept time from DECdts servers? (y/n) [n]:

Specify y to accept time from any DECnet/OSI DECdts server; however, time from this source is unauthenticated, so any host able to send DECdts time to this system can shift its clock. If you specify n, this system accepts time only from DCE DTS servers. If you want to use DCE Security Integration Architecture (SIA), answer y to the following:

Do you want to enable DCE SIA? (y/n) [n] :

After you respond to the prompt, the procedure stops the CDS advertiser and asks you to perform a dce_login operation, as follows:

This operation requires that you be authenticated as a member

of the sec-admin group.  Please login.


    Enter Principal Name: cell_admin

    Password:

Obtain the password from your cell administrator.

After you perform the dce_login operation, the procedure continues with the following messages:

    Configuring security client

        Creating /krb5/krb.conf file

        Adding kerberos5 entry to /etc/services

        Creating ktab entry for client

        Starting sec_client service (please wait).


    This machine is now a security client.


    Configuring CDS client

        Creating the cds.conf file

        Starting CDS advertiser daemon (cdsadv)...

        Testing access to CDS server (please wait).

        Deleting known hosts/dcehost objects from name space


      Creating hosts/dcehost objects in name space


    This machine is now a CDS client.


      Enabling DCE SIA


    Configuring DTS daemon as server (dtsd)

        Stopping sec_client service...

        Starting sec_client service (please wait).

        Starting DTS daemon (dtsd)...

        Waiting for DTS daemon to synchronize (please wait)..........



Do you want to run the DCE Configuration Verification Program? (y/n/?) [y]:

The DCE Configuration Verification Program (CVP) exercises the components of DCE that are running in this cell. It requires approximately 1 to 2 minutes to run.

If you type y to run the CVP at this time, you see the following display:

 Executing DIGITAL DCE V3.1 (Rev. 635) for Compaq Tru64 UNIX CVP (please wait)

 Copyright (c) Digital Equipment Corporation. 1998. All Rights Reserved.


 Verifying...........


 DIGITAL DCE V3.1 (Rev. 635) for Compaq Tru64 UNIX CVP completed successfully


Modifying system startup procedure...

The DCE components that you have configured are added to your system startup procedure so the daemons restart automatically whenever the system is rebooted. When the procedure is completed, the DCE Setup Main Menu is redisplayed.

If your system is configured as a DTS Global Server, option 4 shows "Change from DTS Global Server to DTS clerk."

        ***  Modify Configuration Menu  ***


        1) Add Replica CDS Server

        2) Add Replica Security Server

        3) Add DTS Local Server

        4) Change from DTS Global Server to DTS clerk

        5) Add Null Time Provider

        6) Add NTP Time Provider

        7) Enable Auditing

        8) Enable DCE SIA

        9) Enable Kerberos 5

       10) Configure LDAP Name Service

       11) Add LDAP Client Service

       12) Enable LDAP GDA

       13) Add PKSS Server

       14) Register in X.500

        R) Return to previous menu


Please enter your selection (or '?' for help):

Choose option 4 if you wish to change your configuration from a DTS Global Server to a DTS clerk. This operation does not affect the rest of your system's DCE configuration.

When the procedure is completed, the Modify Configuration Menu redisplays.

4.6 Adding a Null Time Provider

The null time provider lets DTS set the inaccuracy value without setting, or in any way modifying, the host system time. Refer to the OSF DCE Administration Guide — Core Components volume for further information about time providers.

If you want to add a null time provider to your system, choose option 5 (Add Null Time Provider) from the Modify Configuration Menu.

The configuration adds and starts the null time provider, displaying the following messages:

        Starting Null Time Provider (dts_null_provider)...


Press  <RETURN>  to continue:


Press <Return>. When the procedure is completed, the Modify Configuration Menu redisplays.

4.7 Adding an NTP Time Provider

If your site uses Network Time Protocol (NTP) to set system time, you can use those time signals to synchronize DTS. Briefly, one DTS server uses the NTP time provider software to synchronize with NTP. That DTS server synchronizes with other DTS servers using DTS time signals. Refer to the OSF DCE Administration Guide — Core Components volume for further information about getting time from NTP time sources.

If you want to add an NTP time provider to your system, choose option 6 (Add NTP Time Provider) from the Modify Configuration Menu. Note that plain NTP carries no authentication unless NTP authentication keys are configured on both ends, so the NTP server you name here should be one you trust and reach over a network you control; a host that can impersonate it can move this DTS server's clock and, through DTS, the cell's.

The configuration adds and starts the NTP time provider and asks for the hostname of the NTP server, displaying the following messages:

    Starting NTP Time Provider (dts_ntp_provider)...


    Enter the hostname where the NTP server is running: dcedts.mylocation.mycompany.com


Press  <RETURN>  to continue:

Press <Return>. When the procedure is completed, the Modify Configuration Menu redisplays.

4.8 Enabling Auditing

DCE auditing facilities detect and record critical events in distributed applications. To enable DCE auditing facilities on your machine, choose option 7 (Enable Auditing) from the Modify Configuration Menu.

The procedure begins configuring the Audit daemon and prompts you to log in to the cell.

    Configuring Audit daemon (auditd)


    This operation requires that you be authenticated as a member
    of the sec-admin group.  Please login.


    Enter Principal Name:

    Password:

After you log in, the procedure creates default filters and completes configuring the Audit daemon.

        Creating default filters for security, dts, and audit


    Successfully configured Audit daemon


Press  <RETURN>  to continue:

If auditing was previously enabled on your system, option 7 displays as "Disable Auditing." Choose this option if you want to disable auditing on your system.

When the procedure is completed, the Modify Configuration Menu redisplays.

4.9 Configuring the Kerberos 5 Utilities

Entegrity DCE for Tru64 UNIX supports Kerberized and non-Kerberized ftp, rlogin, rsh, and telnet. Those utilities allow users and services to authenticate themselves to each other and thereby prevent intrusion into the system. The utilities check authentication by reference to a secure Kerberos server.

Choosing to use the Kerberos 5 utilities means that they are added to your system startup procedure to restart automatically whenever the system is rebooted.

Choose option 9 to modify your configuration to add the Kerberos 5 utilities ftp, rlogin, rsh, and telnet.

        ***  Modify Configuration Menu  ***


        1) Add Replica CDS Server

        2) Add Replica Security Server

        3) Add DTS Local Server

        4) Change from DTS Global Server to DTS clerk

        5) Add Null Time Provider

        6) Add NTP Time Provider

        7) Enable Auditing

        8) Enable DCE SIA

        9) Enable Kerberos 5

       10) Configure LDAP Name Service

       11) Add LDAP Client Service

       12) Enable LDAP GDA

       13) Add PKSS Server

       14) Register in X.500

        R) Return to previous menu


Please enter your selection (or '?' for help):

When the procedure is completed, the Modify Configuration Menu redisplays.

4.10 Configuring the LDAP Name Service

Configuring the LDAP name service involves three steps on the Modify Configuration Menu. This first step tells the system the extent of the additional capabilities that can be configured. If fully configured, LDAP provides a second path to access the X.500 directory service, requires less overhead than DAP, and provides support for the TCP/IP protocol.

Choose option 10 to add the LDAP name service to the configuration.

        ***  Modify Configuration Menu  ***


        1) Add Replica CDS Server

        2) Add Replica Security Server

        3) Add DTS Local Server

        4) Change from DTS Global Server to DTS clerk

        5) Add Null Time Provider

        6) Add NTP Time Provider

        7) Enable Auditing

        8) Enable DCE SIA

        9) Enable Kerberos 5

       10) Configure LDAP Name Service

       11) Add LDAP Client Service

       12) Enable LDAP GDA

       13) Add PKSS Server

       14) Register in X.500

        R) Return to previous menu


Please enter your selection (or '?' for help):

Next, to configure the LDAP name service, specify the location of the LDAP server and the distinguished name (DN) of your DCE cell as it shows in the LDAP name space.

You are prompted for necessary information in the following script. You can press "?" at the prompt for help.

Please enter the hostname of the ldap server [localhost]:

The LDAP server must be known to the network by a name.

Please enter the port number of the ldap server [389]:

If no other port number is specified, press <RETURN> to specify the default value, port 389.

Please enter the authentication dn to the ldap server:

Enter the distinguished name associated with the LDAP server to authenticate the LDAP server to DCE.

Please enter the password of the authentication dn:

Type again to confirm:

Please enter the cell dn in LDAP syntax []:

Enter the distinguished name of the cell.

Configuring LDAP client services

        Testing LDAP server access...


If you provide the wrong information, you see this message:

/usr/sbin/dcesetup: ldapsearch: not found


*** Error contacting the LDAP server


Please verify the LDAP configuration you provided is correct.


Press <RETURN> to continue:

When the procedure is completed, the Modify Configuration Menu redisplays.

4.11 Adding LDAP Client Service

The LDAP Client Service option adds or removes host-specific information in the LDAP namespace; that is, it creates server, group, and profile entries in LDAP like those created in CDS during DCE client configuration. Examples of such entries include everything under /.:/hosts/HOST_NAME.

Choose option 11 to configure LDAP Client Service.

        ***  Modify Configuration Menu  ***


        1) Add Replica CDS Server

        2) Add Replica Security Server

        3) Add DTS Local Server

        4) Change from DTS Global Server to DTS clerk

        5) Add Null Time Provider

        6) Add NTP Time Provider

        7) Enable Auditing

        8) Enable DCE SIA

        9) Enable Kerberos 5

       10) Configure LDAP Name Service

       11) Add LDAP Client Service

       12) Enable LDAP GDA

       13) Add PKSS Server

       14) Register in X.500

        R) Return to previous menu


Please enter your selection (or '?' for help):

When the procedure is completed, the Modify Configuration Menu redisplays.

4.12 Configuring LDAP Support for the Global Directory Assistant

After enabling LDAP and adding LDAP Client Service, it is necessary to connect LDAP to the global directory agent (GDA). Cross-cell directory service is controlled by a GDA, which looks up foreign cell information on behalf of the application in either the Domain Naming Service (DNS) or X.500 database. Applications can request directory services from either CDS or LDAP or both. LDAP is provided as an optional directory service that is independent of CDS and duplicates CDS functionality.

Choose option 12 to configure communication between LDAP and the GDA.

        ***  Modify Configuration Menu  ***


        1) Add Replica CDS Server

        2) Add Replica Security Server

        3) Add DTS Local Server

        4) Change from DTS Global Server to DTS clerk

        5) Add Null Time Provider

        6) Add NTP Time Provider

        7) Enable Auditing

        8) Enable DCE SIA

        9) Enable Kerberos 5

       10) Configure LDAP Name Service

       11) Add LDAP Client Service

       12) Enable LDAP GDA

       13) Add PKSS Server

       14) Register in X.500

        R) Return to previous menu


Please enter your selection (or '?' for help):

To complete the configuration of the LDAP name service, you need to specify the location of the LDAP server, and the distinguished name of your DCE cell as it displays in the LDAP name space. You are prompted for necessary information in the following dialog. You can always press "?" at the prompt for help.

Please enter the hostname of the ldap server [localhost]: cell

Please enter the port number of the ldap server [389]:

Please enter the authentication dn to the ldap server []:

Please enter the password of the authentication dn:

Type again to confirm:


Please enter the cell dn in LDAP syntax []:

Re-starting Global Directory Agent daemon

        Stopping gdad [ pid: 22372 ] ...

        Starting Global Directory Agent daemon (gdad)...


LDAP is successfully enabled for gdad

When the procedure is completed, the DCE Setup Main Menu is redisplayed.

4.13 Adding a Private Key Storage Server

Setting up a Private Key Storage Server is an important part of an overall security plan. Entegrity DCE for Tru64 UNIX provides public key security technology as made available in OSF DCE Release 1.2.2. It is part of a security model that requires a public and a private key pair to lock or unlock information. The private keys are too long for memorization, hence the need for a secure place to store them.

Private keys are used most often at login. That presents a key management problem if the keys appear where they might be corrupted or stolen. Short of issuing smart cards, enabling the private key storage service provides the best assurance that messages encrypted under one of the key pairs can be decrypted using another pair without being intercepted and read in transit.

Choose option 13 to add a PKSS to your system.

        ***  Modify Configuration Menu  ***


        1) Add Replica CDS Server

        2) Add Replica Security Server

        3) Add DTS Local Server

        4) Change from DTS Global Server to DTS clerk

        5) Add Null Time Provider

        6) Add NTP Time Provider

        7) Enable Auditing

        8) Enable DCE SIA

        9) Enable Kerberos 5

       10) Configure LDAP Name Service

       11) Add LDAP Client Service

       12) Enable LDAP GDA

       13) Add PKSS Server

       14) Register in X.500

        R) Return to previous menu


Please enter your selection (or '?' for help):

NOTE: PKSS cannot be part of a replica.

    This operation requires that you be authenticated as a member
    of the sec-admin group.  Please login.


Enter Principal Name: 

Password:


        Configuring PKSS server...

          Starting pkssd


Press <RETURN> to continue:

When the procedure is completed, the Modify Configuration Menu is redisplayed.

4.14 Registering a Cell in X.500

Searching for destinations in other cells requires a connection to a directory service database. All cross-cell directory name searches are controlled by the global directory agent (GDA), which looks up foreign cell information on behalf of an application in either the Domain Naming Service (DNS) or X.500 database.

Choose option 14 to set up communications between your configured cell and the X.500 directory service.

        ***  Modify Configuration Menu  ***


        1) Add Replica CDS Server

        2) Add Replica Security Server

        3) Add DTS Local Server

        4) Change from DTS Global Server to DTS clerk

        5) Add Null Time Provider

        6) Add NTP Time Provider

        7) Enable Auditing

        8) Enable DCE SIA

        9) Enable Kerberos 5

       10) Configure LDAP Name Service

       11) Add LDAP Client Service

       12) Enable LDAP GDA

       13) Add PKSS Server

       14) Register in X.500

        R) Return to previous menu


Please enter your selection (or '?' for help):

If you select the Register in X.500 option, you next see the X.500 menu. It requires you to specify an object class for your cell.

Enter the X.500 object class corresponding to your cell name. For example, if your cell name is /.../c=mycountry/o=mycompany/ou=mylocation, the object class is Organizational Unit.

                1) Organizational Unit

                2) Organization

                3) Organization Role

                4) Country

                5) Locality

                6) Application Entity

                7) Application Process

                8) Group of Names

                9) Device

               10) Person

               11) Return to Main Menu


Please enter the object class for cell (or '?' for help):

Every entry in X.500 is classified according to the characteristics of the real world object that it represents. Before the cell entry can be created in the X.500 directory, you must specify the class of the entry.

For example, if you choose option 1, the organizational unit class is specified.

The superior entries must exist before the cell entry can be created. In the above example, c=mycountry/o=mycompany must exist prior to choosing the cell registration option.
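The cell DN in LDAP syntax asked for by the LDAP configuration dialog, the X.500 object class of the cell entry, and the superior entries that must already exist can all be derived from the global cell name. The following script is an added example, not part of this guide or of dcesetup; it assumes the standard X.500 attribute-type abbreviations (c, o, ou, l) and leaves ambiguous types such as cn for the administrator to classify by hand.

```python
"""Derive the LDAP DN, the X.500 object class and the required superior
entries from a DCE global cell name such as
/.../c=mycountry/o=mycompany/ou=mylocation (example, not dcesetup code)."""
import re

# Standard X.500 abbreviations for the classes offered by the X.500 menu.
# cn is ambiguous (Person, Device, Group of Names, ...) so it is omitted.
# Assumption for this example: the guide itself only shows the ou case.
OBJECT_CLASS_FOR_TYPE = {
    "c": "Country",
    "o": "Organization",
    "ou": "Organizational Unit",
    "l": "Locality",
}

_RDN = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)=(.+)$")


def parse_cell_name(cell_name):
    """Split '/.../c=x/o=y/ou=z' into [(type, value), ...], root first.
    Raises ValueError on a name that is not a well-formed global cell name."""
    if not cell_name.startswith("/.../"):
        raise ValueError("global cell name must start with /.../")
    rdns = []
    for part in cell_name[len("/.../"):].split("/"):
        m = _RDN.match(part.strip())
        if not m:
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((m.group(1).lower(), m.group(2).strip()))
    if not rdns:
        raise ValueError("cell name has no RDNs")
    return rdns


def cell_dn(cell_name):
    """Value for the 'cell dn in LDAP syntax' prompt: leaf RDN first."""
    return ",".join("%s=%s" % rdn for rdn in reversed(parse_cell_name(cell_name)))


def object_class(cell_name):
    """X.500 object class of the cell entry, or None if it must be chosen manually."""
    leaf_type = parse_cell_name(cell_name)[-1][0]
    return OBJECT_CLASS_FOR_TYPE.get(leaf_type)


def superior_entries(cell_name):
    """DNs (LDAP syntax) that must exist before the cell entry can be created,
    ordered root first."""
    rdns = parse_cell_name(cell_name)
    return [",".join("%s=%s" % r for r in reversed(rdns[:i]))
            for i in range(1, len(rdns))]
```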

If the cell entry already exists, you are asked to confirm whether the cell attribute information should be replaced.

Entegrity cell registration, which is compatible with OSF DCE GDS, saves the cell information in special CDS-Cell and CDS-Replicas attributes.

If the cell registration fails, the following error is displayed:

 *** Error: Unable to register cell information in X.500

Please refer to the dcesetup log file /opt/dcelocal/dcesetup.log for more information.

If the procedure is completed successfully, the Modify Configuration Menu is redisplayed.




To make comments or ask for help, contact support@entegrity.com.

Copyright © 1997-2004 Entegrity Solutions Corporation & its subsidiaries