System Management Information $ RUN SYS$SYSTEM:AUTHORIZE UAF> rename/ident oldgroupid newgroupid UAF> rename/ident olduserid newuserid If you should find yourself missing an identifier for a particular user, you can add one for the user's UIC using a command such as: UAF> add/ident/value=uic=[group,user] newuserid The UIC user identifier text is assigned when the username is created, and is the text of the username. The UIC group group identifier is assigned when the first username is created in the UIC group, and the text is based on the account name specified for the first user created in the group. The value of this identifier is [groupnumber, 177777]. To add a missing group identifier, use an asterisk as follows: UAF> add/ident/value=uic=[group,*] newgroupid You may find cases where an identifier is missing from time to time, as there are cases where the creation of a UIC group name identifier might conflict with an existing username, or a user identifier might conflict with an existing group identifier. When these conflicts arise, the AUTHORIZE utility will not create the conflicting group and/or user identifier when the username is created. You can can add and remove user-specified identifiers, but you should avoid changing the numeric values associated with any existing identifiers. You should also avoid reusing UICs or identifiers when you add new users, as any existing identifiers that might be present on objects in the system from the old user will grant the same access to the new user. Please see the security manual for details. __________________________________________________________ 5.10 What are the OpenVMS version upgrade paths? 5-15 System Management Information _____________________________ 5.10.1 OpenVMS Alpha Upgrade (or Update) Paths From V1.0, you can upgrade to V1.5. From V1.5, or V1.5-1H1, you can upgrade to V6.1. From V6.1, you can upgrade to V6.2. From V6.1, or V6.2, you can upgrade to V7.0. From V6.1, V6.2, V6.2-1H(1,2,3), or V7.0, you can upgrade to V7.1. From V6.2, you can update to V6.2-1H1, V6.2-1H2, or V6.2-1H3. From V6.2, V6.2-1H(1,2,3), V7.1, V7.1-1H(1,2), or V7.2, to V7.2-1. From V6.2, ... or V7.2, to V7.2-1H1, to 7.3. From V7.1, you can update to V7.1-1H(1,2), ... to V7.2-1H1, to 7.3. From V7.3, V7.2-2, V7.2-1H1, V7.2-1, and V7.1-2, you can upgrade to V7.3-1 or to V7.3-2. From V7.3-1, you can upgrade to V7.3-2 or to V8.2. From V7.3-2, you can upgrade to V8.2. Some typical OpenVMS Alpha upgrade (or update) paths are: 5-16 System Management Information V1.0 -> V1.5 -> V6.1 -> (V6.2, V7.0, V7.1, V7.2, V7.3) V1.5-1H1 -> V6.1 -> (V6.2, V7.0, V7.1, V7.2, V7.3) V6.2 -> V6.2-1H3 V6.2 -> V7.2-1 V6.2 -> V7.3 V6.2-1H(1,2,3) -> V7.1 V6.2-1H(1,2,3) -> V7.2-1 V7.1 -> V7.1-2 V7.1 -> V7.2-1 V7.1-1H(1,2) -> V7.1-2 V7.1-1H(1,2) -> V7.2-1 V7.1-2 -> V7.3-1 V7.2 -> V7.2-1H1 V7.2 -> V7.3 -> V7.3-1 V7.2-1 -> (V7.3, V7.3-1) V7.2-2 -> (V7.3, V7.3-1, V7.3-2) V7.3 -> (V7.3-1, V7.3-2) V7.3-1 -> (V7.3-2, V8.2) V7.3-2 -> V8.2 Note that OpenVMS Alpha V7.0 does not include support for hardware and/or configurations first supported in OpenVMS Alpha V6.2-1H1, V6.2-1H2, or V6.2-1H3; one must upgrade to OpenVMS VAX V7.1, or later. One cannot update directly to a V6.2-1Hx Limited Hardware Release (LHR) from any release prior to the baseline V6.2 release. The same prohibition holds for performing updates directly to V7.1-1Hx from any release prior to V7.1-this is not supported, and does not produce the expected results. The LHR kits can, however, be directly booted and can be directly installed, without regard to any operating system that might be present on the target disk. OpenVMS Alpha updates for LHRs (through V7.1-1Hx) require the use of VMSINSTAL for the update. These LHR releases use PCSI for the installation, but not for the update. Non-LHR releases use PCSI for installs and upgrades. 5-17 System Management Information OpenVMS Alpha V7.1-2 and later use PCSI for LHRs and for OpenVMS upgrades and for all OpenVMS ECO kit installations; V7.1-2 and later use upgrades and not updates. VMSINSTAL OpenVMS ECO kits (updates) are not used on OpenVMS Alpha V7.1-2 and later; prior to V7.1-2, VMSINSTAL-based ECO (update) kits are used for OpenVMS. _____________________________ 5.10.2 OpenVMS I64 Upgrade Paths OpenVMS I64 V8.2 is the first production release. OpenVMS I64 V8.0 and V8.1 were intended for early adopters of OpenVMS on Integrity servers, and are not considered to be production releases. To utilize OpenVMS I64 V8.2, you must perform a full installation of V8.2. No supported upgrade path (to V8.2) is available from previous releases; there is no upgrade from OpenVMS I64 E8.2, nor from the earlier V8.1 or V8.0 releases. Future OpenVMS I64 releases are expected to provide a traditional PCSI-based upgrade path from specified previous releases of OpenVMS I64, analogous to the long-standing tradition of OpenVMS Alpha upgrades. _____________________________ 5.10.3 OpenVMS VAX Release Upgrade Paths From V5.0 through V5.4- 3 inclusive, one can upgrade to V5.5. From V5.5, V5.5-1, or V5.5- 2HW, one can upgrade to V5.5-2. From V5.5, V5.5-1, or V5.5-2, one can upgrade to V6.0. From V5.5-2, V5.5- 2H4, or V6.0, one can upgrade to V6.1. From V6.0, or V6.1, one can upgrade to V6.2. From V6.1, or V6.2, one can upgrade to V7.0. From V6.1, V6.2, or V7.0, one can upgrade to V7.1. From V6.1, one can upgrade to V7.3 (with VAXBACK ECO for V6.1). 5-18 System Management Information Some typical OpenVMS VAX upgrade paths are: V5.x -> V5.5 -> V6.0 -> V6.2 -> (V7.1, V7.2, V7.3) V5.5-2HW -> V5.5-2 V5.5-2, or V5.5-2H4 -> V6.1 -> (V6.2, V7.0, or V7.1) V6.1 -> V6.1 with VAXBACK ECO -> (V7.2, V7.3) V6.2 -> V7.2 V6.2 -> V7.3 Note that OpenVMS VAX V6.0 does not include support for hardware and/or configurations first added in OpenVMS VAX V5.5-2H4, one must upgrade to OpenVMS VAX V6.1. Note that OpenVMS VAX V5.5-2HW is a pre-release version of V5.5-2. Any system running it should be upgraded to V5.5-2, or later. If you attempt a direct upgrade from OpenVMS VAX V6.1 to V7.2 or later without having first applied the VAXBACK ECO kit to your V6.1 system, you will receive an error message: %BACKUP-E-INVRECTYP, invalid record type in save set and the upgrade will fail. Acquire and apply the VAXBACK ECO kit for OpenVMS VAX V6.1. OpenVMS VAX V6.2 and later do not require an application of an ECO for an upgrade to V7.2 and later. _____________________________ 5.10.4 OpenVMS Cluster Rolling Upgrade Paths Rolling Upgrades require multiple system disks. Rolling upgrades permit the OpenVMS Cluster to remain available while individual systems are being upgraded to a new OpenVMS release. OpenVMS Cluster rolling upgrades for both OpenVMS VAX and OpenVMS Alpha may (will) have different, or additional upgrade requirements, and have requirements around which versions of OpenVMS can coexist in a OpenVMS Cluster than what is listed here. See the OpenVMS Upgrade and Installation Manual for the particular release, and the OpenVMS Software Product Descriptions for OpenVMS and for OpenVMS Cluster software: 5-19 System Management Information o http://h18000.www1.hp.com/info/spd/ OpenVMS typically uses SPD 25.01.xx, SPD 41.87.xx, and SPD 82.35.xx. for further details on the rolling upgrade, and for support information. The documentation for older releases of OpenVMS VAX includes various platform- specific manuals, manuals that include instructions that are specific to installing and upgrading on the platform. _____________________________ 5.10.5 OpenVMS Product Version and Support Information For information on Prior Version Support (PVS) and Mature Product Support (including information on support end dates for OpenVMS and various layered products), please see: o http://www.hp.com/hps/os/os_pvs.html o http://www.hp.com/hps/os/os_ovms.html o http://www.hp.com/go/openvms/ For information on the supported and required versions of layered products, and the minimum required layered product versions for various configurations, please see the Software Rollout Report (SWROLL), available at: o http://h71000.www7.hp.com/openvms/os/swroll/ For additional related information, see Section 2.6.1. For information on the release history of OpenVMS, including information on the code names of various releases and the major features: o http://www.openvms.compaq.com/openvms/os/openvms- release-history.html Additional release history information, as well as a variety of other trivia, is available in the VAX 20th anniversary book: o http://www.openvms.compaq.com/openvms/20th/vmsbook.pdf 5-20 System Management Information _____________________________ 5.10.6 OpenVMS Alpha and I64 Upgrade Terminology OpenVMS Alpha and OpenVMS I64 use the POLYCENTER Software Product Install Utility, occasionly refered to as SPIU and rather more commonly known as PCSI. PCSI is a component of the OpenVMS operating system, and is available on OpenVMS VAX, OpenVMS Alpha, and OpenVMS I64. The following terms apply to OpenVMS Alpha and to OpenVMS I64 Upgrades and Installations using PCSI: o Update Typically used for Limited Hardware Releases (LHR) releases. Performed via VMSINSTAL. Applies only to the OpenVMS release that the LHR is based on, or to an intermediate LHR. (eg: V7.1-1H2 applies only to V7.1-1H1 and to V7.1, not to any other releases.) LHRs within a series are cumulative, containing all files and features of previous LHRs in the same series. VMSINSTAL-based Updates and VMSINSTAL-based ECO kits are not generally used to upgrade OpenVMS on releases of OpenVMS Alpha V7.1-2 and later, nor are thse used on OpenVMS I64; only PCSI-based Upgrades and Installs are used. VMSINSTAL remains available for other uses and other products; for upgrades and installations of products other than OpenVMS itself. o Upgrade Performed via PCSI. Upgrades can typically be applied directly to a release-specific range of earlier OpenVMS releases. The product release documentation specifies the prior OpenVMS releases; if your release is not one of the specified releases, you will have to perform one or more additional upgrades (through intermediate OpenVMS releases) to reach one of the prerequisite releases. o Install Performed via PCSI. With an installation, no existing version of the operating system is assumed present, nor are any files from any copy of the operating system might be present preserved, and the 5-21 System Management Information entire contents of the target disk are destroyed via a disk initialization. o Preserve Performed via PCSI. Otherwise similar to an installation, this option skips the disk reinitialization. User files on the target disk are preserved. Any existing operating system files on the target disk are clobbered. o LHR Limited Hardware Release. LHRs are specific to and are targeted at new hardware configurations, and are not shipped to customers with support contracts. At least one LHR kit must be specifically acquired when purchasing new hardware, new hardware that is not (yet) supported by any mainline (non-LHR) release. LHRs have an "H" in the OpenVMS version string, indicating a "Hardware" release. You will not generally want to continue using an LHR once a subsequent OpenVMS release is available; you will want to upgrade off the LHR at your earliest convenience. For minimum OpenVMS versions for various platforms, see Section 2.12. __________________________________________________________ 5.11 Why do I have a negative number in the pagefile reservable pages? Seeing a negative number in the reservable pages portion of the SHOW MEMORY/FULL command can be normal and expected, and is (even) documented behaviour. A pagefile with a negative number of reservable pages is overcommitted, which is generally goodness assuming that every process with reserved pages does not try to occupy all of the reserved pagefile space at the same time. To understand how the pagefile reservation process works, think about how a traditional bank operates when accepting customer deposits and making loans. It's the same idea with the pagefile space. There is less money in the bank vault than the total deposits, because much 5-22 System Management Information of the money has been loaned out to other customers of the bank. And the behaviour parallels that of the pagefile down to the problems that a "run on the bank" can cause for banking customers. (Though there is no deposit insurance available for pagefile users.) If all of the running applications try to use the reserved space, the system manager will need to enlarge the pagefile or add one or more additional pagefules. To determine if the pagefile is excessively overcommitted, watch for "double overcommitment"- when the reservable space approaches the negatation of the available total space-and watch that the total amount of free space available in the pagefile remains adequate. If either of these situations arises, additional pagefile storage is required. Additional pagefile information: Additional pagefiles can typically be created and connected on a running OpenVMS system. New processes and new applications will tend to use the new pagefile, and existing applications can be restarted to migrate out of the more congested pagefiles. Pagefiles are generally named PAGEFILE.SYS, and multiple pagefiles are generally configured on separate disk spindles to spread the paging I/O load across the available disk storage. When multiple pagefiles are present on recent OpenVMS versions, each pagefile file should be configured to be approximately the same total size as the other pagefiles. For additional information on pagefile operations and related commands, see the system management and performance management manuals in the OpenVMS documentation set. With OpenVMS V7.3 and later, the displays have been changed and these negative values are no longer visible. 5-23 System Management Information __________________________________________________________ 5.12 Do I have to update layered products when updating OpenVMS? The Software Public Rollout Reports for OpenVMS list the current and future availability of HP software products shipping on the OpenVMS Software Products Library kits (CDROM consolidations) for OpenVMS Alpha and/or OpenVMS VAX. Specifically, the required minimum versions for product support are listed. Comprehensive Public Rollout Information, listing previous product versions as well as currently shipping versions, has been compiled into a separate set of reports. The product information is grouped to show Operating System support. You may or may not be able to use older versions of local applications, third-party products, and various HP OpenVMS layered products with more recent versions of OpenVMS. User-mode code is expected to be upward compatible. Code executing in a privileged processor mode-typically either executive or kernel mode-may or may not be compatible with more recent OpenVMS versions. These Software Rollout (SWROLL) Reports are updated regularly. Please see: o http://h71000.www7.hp.com/openvms/os/swroll/ For related information, see Section 2.6.1. __________________________________________________________ 5.13 How do I change the volume label of a disk? Dismount the disk, and mount it privately. If the disk is mounted by more than one node in an OpenVMS Cluster, dismount it from all other nodes. If this disk is an OpenVMS system disk, shut down all other nodes that are bootstrapped from this disk. Issue the SET VOLUME/LABEL command, specifying the new label. 5-24 System Management Information On OpenVMS V6.0 and later, issue the following PCSI command to reset the label information stored within the PCSI database to reflect the new disk volume label: $ PRODUCT REGISTER VOLUME old-label device Locate any references in the system startup (typically including the disk MOUNT commands) and any DISK$label references in application files, and change the references appropriately. If this is a system disk (for the host or for a satellite), also check the DECnet MOP or LANCP boot database, as well as any references to the disk created by CLUSTER_CONFIG*.COM. If Compaq Analyze is in use, check the system startup procedures for the Compaq Analyze tool. Certain versions of Compaq Analyze will record specific disk volume labels within the startup procedures. Remount the disk appropriately. __________________________________________________________ 5.14 How can I set up a shared directory? To set up a shared directory-where all files created in the directory are accessible to the members of specified group of users-you can use an access control list (ACL) and an identifier. The following also shows how to set up a resource identifier, which further allows the disk resources to be charged to the specified identifier rather than each individual user. (If you don't want this, then omit the attributes option on the identifier creation and omit the entry added in the disk quota database. Add an identifier using the AUTHORIZE utility: ADD/IDENTIFER/ATTRIBUTES=RESOURCE groupidentifier Grant the identifier to each user in the group using AUTHORIZE: GRANT/IDENTIFIER groupidentifier username 5-25 System Management Information If disk quotas are in use, add an entry via SYSMAN for each disk: DISKQUOTA ADD groupidentifier/PERMQUOTA=pq/OVERDRAFT=od/DEVICE=ddcu: Set the shared directory to have an ACL similar to the following using the SET SECURITY (V6.0 and later) or SET ACL (versions prior to V6.0) command: (DEFAULT_PROTECTION,S:RWED,O:RWED,G,W) (IDENTIFIER=groupidentifier,OPTIONS=DEFAULT,ACCESS=READ+WRITE+EXECUTE+DELETE) (IDENTIFIER=groupidentifier,ACCESS=READ+WRITE+EXECUTE+DELETE) (CREATOR,ACCESS=READ+WRITE+ACCESS+DELETE) If there are files already resident in the directory, set their protections similarly. (The OPTIONS=DEFAULT, DEFAULT_PROTECTION, and CREATOR ACEs apply to directories.) The default protection mask is used to establish the default file protection mask, this mask does not prevent the users holding the specified groupidentifier from accessing the file(s), as they can access the file via the explicit identifier granting access that is present in the ACL. For further information, see the OpenVMS Guide to System Security Manual, specifically the sections on ACLs and identifiers, and resource identifiers. __________________________________________________________ 5.15 Why do I get extra blank pages on my HP Printer? For information on configuring telnet print symbiont, on device control libraries such as SYSDEVCTL.TLB, and for ways of dealing with the extra blank pages that can arise on various HP printers, please see the OpenVMS Ask The Wizard area, starting particularly with topic (1020): o http://www.hp.com/go/openvms/wizard/ For additional information on the OpenVMS Ask The Wizard (ATW) area and for a pointer to the available ATW Wizard.zip archive, please see Section 3.9. 5-26 System Management Information There are a variety of discussions of this and of related printing topics in the Ask The Wizard area, in addition to topic (1020). Also see Section 5.34. __________________________________________________________ 5.16 Drivers and Configuration of New Graphics Controllers? This section contains information on various graphics controllers supported by OpenVMS Alpha, and specifically information on where and how to obtain device drivers for specific early OpenVMS releases- device drivers for controllers are integrated into and shipped with OpenVMS Alpha, but versions of these device drivers are sometimes made available for specific earlier OpenVMS releases. _____________________________ 5.16.1 The ELSA GLoria Synergy On OpenVMS Alpha V7.1-2, V7.2, and V7.2-1, acquire the appropriate GRAPHICS PCSI kit, and all prerequisite OpenVMS ECO kits: o VMS712_GRAPHICS-V0300 or later o VMS72_GRAPHICS-V0100 or later o VMS712_GRAPHICS-V0300 or later The ELSA GLoria Synergy is the PBXGK-BB; the PowerStorm 3D10T. Please ensure you have the most current ECOs for this and other graphics controllers installed; check for and install the current GRAPHICS kit. (See Section 4.2.2 for some unexpectedly related details.) On OpenVMS Alpha V7.2-1, the files necessary for this graphics controller are located in the distribution CD-ROM directory: DISK$ALPHA0721:[ELSA.KIT] Also check for any available (later) ECO kits. 5-27 System Management Information An earlier kit (ALP4D20T01_071) (for V7.1, V7.1- 1H1, and V7.1-1H2) was once available, but has been superceded and is not recommended. Use of V7.1-2 or later (and use of one the above GRAPHICS kits as required) is typically the best approach. OpenVMS V7.2-2 and later mainline releases directly support the controller. Additional information is available in topics (3419) and (5448) in the Ask The Wizard area: o http://www.hp.com/go/openvms/wizard/ For additional information on the OpenVMS Ask The Wizard (ATW) area and for a pointer to the available ATW Wizard.zip archive, please see Section 3.9. Support for the ELSA GLoria Synergy is integrated into all current OpenVMS Alpha releases. _____________________________ 5.16.2 PowerStorm 300, PowerStorm 350 The PowerStorm 300 is the PBXGD-AC, while the PowerStorm 350 is the PBXGD-AE. For support of the PowerStorm 300 and PowerStorm 350 graphics controllers, acquire and install the following available ECO kits: For OpenVMS Alpha V7.1-2: o DEC-AXPVMS-VMS712_P350-V0100-4 or later o DEC-AXPVMS-VMS712_GRAPHICS-V0300-4 or later For OpenVMS Alpha V7.2-1: o DEC-AXPVMS-VMS721_P350-V0100-4 or later o DEC-AXPVMS-VMS721_GRAPHICS-V0300-4 or later Support for the PowerStorm 300 and PowerStorm 350 series graphics controllers is integrated into current OpenVMS Alpha releases. 5-28 System Management Information _____________________________ 5.16.3 PowerStorm 3D30, PowerStorm 4D20 PowerStorm 3D30 (PBXGB-AA), PowerStorm 4D20 (PBXGB- CA) information is available in Ask The Wizard topics including topic (2041): o http://www.hp.com/go/openvms/wizard/ For additional information on the OpenVMS Ask The Wizard (ATW) area and for a pointer to the available ATW Wizard.zip archive, please see Section 3.9. _____________________________ 5.16.4 Radeon 7500 Install the current GRAPHICS ECO kit for OpenVMS Alpha V7.2-2 or V7.3-1 for support of the Radeon 7500 series PCI and AGP graphics controllers. Support for this controller (without an ECO kit) is first integrated into and available in OpenVMS Alpha V7.3-2. (Please do always install the most current GRAPHICS ECO kit whenever one is available, however.) __________________________________________________________ 5.17 How can I acquire OpenVMS patches, fixes, and ECOs? You can acquire and download kits containing OpenVMS fixes (ECOs) for various releases, as well as related support information, via: o http://www.itrc.hp.com/ o ftp://ftp.itrc.hp.com/openvms_patches/ Some systems with Internet firewalls may/will have to use passive mode FTP to access the above sites. Assuming recent/current versions of the TCP/IP Services package, the DCL FTP command necessary is: $ DIRECTORY/FTP/ANONYMOUS/PASSIVE ftp.itrc.hp.com:: You can subscribe to an email notification list at the ITRC site. 5-29 System Management Information For a list of OpenVMS ECO kits recently released, you can use: o http://Eisner.DECUS.org/conferences/OpenVMS-patches_ new_1.HTML You can also sign up for ECO kit email notifications (Digest or individual notifications) directly from HP at: o http://www1.service.digital.com/patches/mailing- list.html Examples and ECO kit installation instructions are included in the cover letter. For available ECO kits, cover letters and other associated documentation, look in: o http://www.itrc.hp.com/ o ftp://ftp.itrc.hp.com/openvms_patches/ For additional information, please see Section 5.17. Do NOT attempt to install a VMSINSTAL-based OpenVMS ECO kit on OpenVMS Alpha V7.1-2 and later. While VMSINSTAL itself remains available, it is not used for OpenVMS Alpha ECO kits starting in OpenVMS Alpha V7.1-2. OpenVMS Alpha V7.1-2 and later use PCSI for OpenVMS ECO kits. See Section 5.30 for information on ECO kit checksums. __________________________________________________________ 5.18 How do I move the queue manager database? To move the location of the queue database, the SYS$QUEUE_MANAGER.QMAN$QUEUES and SYS$QUEUE_ MANAGER.QMAN$JOURNAL files, to a disk that is fast(er), has plenty of free space, and that is not heavily used. If the queue database is on a (busy) OpenVMS system disk, you can and probably should move it off the system disk to another disk spindle. 5-30 System Management Information To move the queue database: 1 Checkpoint the journal file. This reduces the file size to the in-memory database size. This will cause the noted delay. $ RUN SYS$SYSTEM:JBC$COMMAND JBC$COMMAND> DIAG 0 7 2 Stop the queue manager $ STOP/QUEUE/MANAGER/CLUSTER 3 Backup the .QMAN$QUEUES and .QMAN$JOURNAL files from the present location for safety. $ backup SYS$COMMON:[SYSEXE]SYS$QUEUE_MANAGER.QMAN$* DISK:[DIR] 4 Create a new directory for the queue database. Insure that this disk is accessible to all nodes that can run the queue manager. If the /ON list for the queue manager is "/ON=(*)", the disk must be available to all nodes in the cluster $ CREATE/DIR fast_disk:[qman] 5 Copy the .QMAN$QUEUES and .QMAN$JOURNAL files to the new directory $ copy SYS$COMMON:[SYSEXE]SYS$QUEUE_MANAGER.QMAN$* fast_disk:[qman] 6 Delete the old queue database. $ DELETE SYS$COMMON:[SYSEXE]SYS$QUEUE_MANAGER.QMAN$*;* 7 Restart the queue manager pointing to the new location $ START/QUEUE/MANAGER fast_disk:[qman] __________________________________________________________ 5.19 How do I delete an undeletable/unstoppable (RWAST) process? "Undeleteable" jobs are usually "undeleteable" for a reason-this can track back to insufficient process quotas, to a kernel-mode error in OpenVMS or a third- party device driver, or to other odd problems. 5-31 System Management Information These undeletable jobs typically become of interest because they are holding onto a particular resource (eg: tape drive, disk drive, communications widget) that you need to use... If the particular device supports firmware, ensure that the device firmware is current - TQK50 controllers are known for this when working with old firmware. (That, and the infamous "MUA4224" firmware bug.) If this device has a driver ECO kit available, acquire and apply it... If the particular relevant host component has an ECO, acquire and apply it. Useful tools include SDA (to see what might be going on) and DECamds (which increase and thus potentially fix quota-related problems). (nb: Applications with quota leaks will obviously not stay fixed.) If the stuck application is BACKUP, ensure you have the current BACKUP ECO and are directly following the V7.1 or (better) V7.2 or later process quota recommendations for operator BACKUP accounts. Quota details are in the OpenVMS System Manager's Manual. If the firmware and ECO levels are current, the best approach is to take a system crashdump, and pass a copy of the dump file along to whomever is maintaining the device driver for the particular device/widget/driver involved, with any details on how you got into this situation. (The reboot involved with taking the crashdump will obviously clear the problem.) There was some kernel-mode code (typically for OpenVMS VAX) that can reset the device ownership field, but that is rather obviously only an interim solution- the real fix is avoiding the loss of the IRP, the process quota leak, or whatever else is "jamming up" this particular process... 5-32 System Management Information __________________________________________________________ 5.20 How do I reset the error count(s)? The system reboot is the only supported approach, but it is obviously undesirable in various situations-there is presently no supported mechanism to reset error counts once the error(s) have been logged. As for an unsupported approach-and be aware of the potential for causing a system crash... To reset the error count, one needs to determine the system address of the error count field. For a device, this is at an offset within the device's UCB structure. On VAX, the field is at an offset symbolically defined as UCB$W_ERRCNT. On Alpha, this field's offset is symbolically defined as UCB$L_ERRCNT. The former is a word in size; the latter is a longword. (Could it be that Alpha devices are more error prone? ;) You now need to locate the system address of the UCB$%_ ERRCNT field of the device you wish to reset. Enter SDA. In the following, you will see designations in {} separated by a /. The first item in braces is to be used on the VAX and the second item should be used on an Alpha. (ie. {VAX/Alpha}) $ ANALYZE/SYSTEM SDA> READ SYS${SYSTEM/LOADABLE_IMAGES}:SYSDEF.STB SDA> SHOW DEVICE ! device designation of device with error SDA> EVALUATE UCB+UCB${W/L}_ERRCNT Hex = hhhhhhhh Decimal = -dddddddddd UCB+offset Record the hexadecimal value 'hhhhhhhh' returned. You can now exit from SDA and $ RUN SYS$SHARE:DELTA or do what I prefer to do, issue the following: SDA> SPAWN RUN SYS$SHARE:DELTA On both VAX and Alpha, the DELTA debugger will be invoked and will ident- ify itself. On Alpha, there will be an Alpha instruction decoded. For those unfamiliar with DELTA, it does not have a prompt and only one error message-Eh? (Well, for sake of argument, there might be another error produced on the console if you're not careful-aka. a system crash!) 5-33 System Management Information If you are on a VAX, enter the command: [W If you are on Alpha, enter the command: [L These set the prevailing mode to word and longword respectively. Remem- ber the UCB${W/L)_ERRCNT differences? Now issue the command 1;M DELTA will respond with 00000001 You are now poised to ZAP the error count field. To do so you need to en- ter the system address and view its contents. The format of the command to do this is of the form: IPID:hhhhhhhh/ For an IPID, use the IPID of the SWAPPER process. It is always: 00010001 Thus, to ZAP the error count, you would enter: 00010001:hhhhhhhh/ When you enter the / SDA will return the content of the address hhhhhhhh. This should be the error count (in hexadecimal) of the device in question. If it is not, you did something wrong and I'd suggest you type a carriage return and then enter the command EXIT to get out of DELTA. Regroup and see where your session went awry. If you entered your address correctly and the error count was returned as in the following example, you can proceed. 00010001:80D9C6C8/0001 ! output on VAX 1 error 00010001:80D9C6C8/00000001 ! output on Alpha 1 error You can now ZAP the error count by entering a zero and typing a carriage return. For example: 00010001:80D9C6C8/0001 0 ! output on VAX 1 error 00010001:80D9C6C8/00000001 0 ! output on Alpha 1 error Now type the command EXIT and a carriage return. Alternatively, reboot the system. 5-34 System Management Information __________________________________________________________ 5.21 How do I find out if the tape drive supports compression? For various SCSI-based MK-class magnetic tape devices: $ Devdepend2 = F$GETDVI("$n$MKcxxx:","DEVDEPEND2") $ Comp_sup = %X00200000 $ Comp_ena = %X00400000 $ IF (Devdepend2.AND.Comp_sup).EQ.Comp_sup THEN - WRITE SYS$OUTPUT "Compression supported" $ IF (Devdepend2.AND.Comp_ena).EQ.Comp_ena THEN - WRITE SYS$OUTPUT "Compression enabled" __________________________________________________________ 5.22 Can I copy SYSUAF to another version? To VAX? To Alpha? The format of the SYSUAF.DAT, RIGHTSLIST, and associated files are upward-compatible, and compatible across OpenVMS VAX and OpenVMS Alpha systems. (This compatibility is a a basic requirement of mixed- version OpenVMS Cluster configurations and OpenVMS upgrades-for specific support information, please see the OpenVMS Cluster rolling upgrade and mixed-version requirements.) That said, it's the contents of the SYSUAF and RIGHTSLIST files that will make this more interesting. The same basic steps necessary for moving RIGHTSLIST and SYSUAF files to another node are rather similar to the steps involved in merging these files in an OpenVMS Cluster-see the appendix of the OpenVMS Cluster documentation for details of merging files. (You might not be merging the contents of two (or more) files, but you are effectively merging the contents of the files into the target system environment.) Considerations: o applications often hold SYSUAF or RIGHTSLIST open, meaning a system reboot is often the best way to activate new files. o the meanings of the RESTRICTED and CAPTIVE flags settings on the UAF entries have changed over time. 5-35 System Management Information o the new NET$PROXY.DAT file that is initially created based on the contents of the NETPROXY.DAT during the OpenVMS VAX V6.1 upgrade and during the OpenVMS Alpha V6.2 upgrade. This file is maintained in parallel with NETPROXY.DAT. o the RIGHTSLIST identifier values and UIC values that end up scattered around the target system must be rationalized with the contents of the new RIGHTSLIST and SYSUAF files. The lattermost case-resolving the identifier values- is often the most interesting and difficult part. If you find that an identifier value (or identifier name) from the source RIGHTSLIST collides with that of an identifier existing on the target system, you must first determine if the two identifiers perform the same function. In most cases, they will not. As such, you will have to find and chance all references to the identifier value(s) (or name(s)) to resolve the "collision". If you encounter a collision, changing both of the identifier binary values (or names) involved in the collision to new and unique values can prevent security problems if you should miss a couple of identifiers embedded somewhere on the target system during the whole conversion process-rather than the wrong alphanumeric value for the identifier being displayed, you'll simply see the binary format for the identifier displayed, and no particular access will be granted. And any DCL commands or such that reference the old alphanumeric name will fail, rather than silently (and potentially erroneously) succeeding. Similar requirements exist for UIC values, as these too tend to be scattered all over the system environment. Like the binary identifier values, you will find UIC values associated with disks, ACLs, queues, and various other structures. 5-36 System Management Information For a list of the various files shared in an OpenVMS Cluster and that can be involved when relocating an environment from one node to another (or merging environments into an OpenVMS Cluster), please see the SYLOGICALS.TEMPLATE file included in OpenVMS V7.2 and later releases. Procedures to extract the contents of a (potentially corrupt) queue database are provided on the OpenVMS Freeware (V5) and can be used to combine two queue databases together while shuffling files between OpenVMS Cluster hosts. For related discussions of splitting a cluster into two or for removing a node from cluster (political divorce, etc), see topics (203), (767), (915) and others in the Ask The Wizard area: o http://www.hp.com/go/openvms/wizard/ For additional information on the OpenVMS Ask The Wizard (ATW) area and for a pointer to the available ATW Wizard.zip archive, please see Section 3.9. __________________________________________________________ 5.23 How do I delete (timeout) idle processes? There is no such command integrated within OpenVMS, though there are (optional) timers available within certain terminal servers and similar devices, and there is an integrated time-of-day mechanism that provides control over when a user can access OpenVMS. As for available tools, there are DECUS, freeware, and third-party tools known variously as "idle process killers" (IPK) or "terminal timeout" programs, as well as various other names. Examples include: Saiga Systems Hitman, Watchdog, MadGoat Watcher (via the MadGoat site or the OpenVMS Freeware), Kblock, the Networking Dynamics tool known as Assassin, and the Zap tool. Also available is the XLNperformance system management utility, from XLNsystems. A related package (for DECwindows sessions) is xtermlock. 5-37 System Management Information If the forgetful users are in an application menu environment, the menu can potentially be extended to provide this capability. __________________________________________________________ 5.24 Do I need a PAK for the DECevent (HP Analyze) tool? DECevent and HP (Compaq) Analyze are available to customers with support contracts. The PAK is required only for the advanced functions of DECevent, the basic bits-to-text translation of the error log does not require a license PAK. Ignore the prompt, in other words. (The PAK should be available to you if you have a hardware support contract or warrantee, and the PAK enables the use of the advanced error analysis and notification capabilities within DECevent.) Please see the following website for details and downloads: Analyze) o http://www.compaq.com/support/svctools/ __________________________________________________________ 5.25 INITIALIZE ACCVIO and ANSI tape label support? A change was made (back in 1988) to (as it was then known) VAX/VMS V5.1-1 that added support for the then- new ANSI X3.27-1987 magnetic tape label standard. Prior to the ANSI X3.27-1987 standard, the date field in the ANSI HDR1 record permits dates only as far as the end of Year 1999. With ANSI X3.27-1987, dates through Year 1999 and dates from Years 2000 to 2099 are permitted. Versions of INIT.EXE and MTAACP.EXE from VAX/VMS releases prior to V5.1-1 will potentially have problems properly processing ANSI magnetic tapes when Y2K and later dates are involved-the DCL INITIALIZE command is known to encounter access violation (ACCVIO) errors. The available solutions include upgrades, or setting the date back. Direct initialization of the tape with the new headers (via $qio) is also clearly possible, though the limitation within the old MTAACP.EXE magtape ACP image is not nearly so easy to bypass. 5-38 System Management Information __________________________________________________________ 5.26 How do I recover from INSVIRMEM errors? Prior to OpenVMS Alpha V7.0 and on all OpenVMS VAX releases, VIRTUALPAGECNT and PGFLQUOTA limit the amount of virtual address space that is available to each process. Further limiting the amount of address space is the size of system space (S0 and S1 space). On OpenVMS Alpha versions prior to V7.0 and on all OpenVMS VAX releases, VIRTUALPAGECNT and MAXPROCESSCNT together determine the size of the page table data structures that occupy large tracts of system space. When no system virtual address space is available for the stuff that needs it-this includes the page tables, non-paged pool, and various other structures-then the values of VIRTUALPAGECNT and MAXPROCESSCNT cannot be increased. In OpenVMS Alpha V7.0 and later, the page table data structures have been moved out of S0 and S1 space and into page table space. In OpenVMS Alpha V7.2 and later, certain large data structures found in non-paged pool (eg: lock management structures) have been moved into 64-bit space, thus freeing up room in non-paged pool and in S0 and S1 space (where non-paged pool resides) while also permitting much larger data structures. __________________________________________________________ 5.27 How can I prevent a serial terminal line from initiating a login? In SYSTARTUP_VMS.COM, issue the command: $ SET TERMINAL/NOTYPEAHEAD/PERMANENT ddcu: This will prevent any unsolicited terminal input on ddcu:, and this unsolicited input is what triggers JOB_CONTROL to start up LOGINOUT on the terminal. Once LOGINOUT starts up on the serial line, you can see interesting behaviour (eg: audits, process creations, etc) as LOGINOUT tries to "chat" with whatever device is hooked onto the remote end of the serial terminal line. 5-39 System Management Information __________________________________________________________ 5.28 How does PCSI use the image BUILD_IDENT field? The (undocumented) build ident field in an OpenVMS Alpha image header is 16 bytes long, and is used as a counted string of 0-15 characters (ie, as an .ASCIC string, a string with the character count in byte 0) and was originally introduced to provide information for use by VMSINSTAL patch kits to determine whether an image should be replaced or not. Starting with OpenVMS Alpha V7.1-2, OpenVMS Engineering uses the PCSI utility to package and install ECO kits for OpenVMS. PCSI uses the generation attribute (a 32-bit unsigned integer) specified for files in the product description file (PDF) of a PCSI kit as the basis for performing file conflict detection and resolution. When a product is installed, PCSI modifies the build ident field of Alpha image headers to store an encoded form of the generation number. It also looks at the build ident field of previously installed images to obtain the generation information for those files as input to the file conflict processing algorithm. (Only images have this field, obviously.) PCSI interprets the build ident field of a previously installed image as follows: o if the string length is 15, the 5th character is a hyphen, and the last ten characters are a ten digit number with leading zeros, then the last ten characters are treated as a valid generation number. o for V7.1-2 through V7.2-1, inclusive, if the above test fails, the information is obtained from the PCSI product database. o in releases after V7.2-1 and with current PCSI ECO kits, if the above test fails, an invalid generation number is treated as 0000000000 so that the ECO kit will simply replace the image rather than assuming the PCSI database is in error. So, what will you see in the image identification displayed via the ANALYZE/IMAGE command? 5-40 System Management Information For an image that has been built as part of an OpenVMS Engineering system build, you will generally see a build ID string in the format "X6TE-SSB-0000"-X6TE is the build number for the OpenVMS Alpha V7.2-1 release. This id format is used within the OpenVMS system build, and can generally only be seen associated with images that have not yet been processed via PCSI. During the installation of V7.2-1, PCSI will modify the image header to have a build ident string of "X6TE-0050120000". During installation of an ECO kit containing this image with a generation number of 50130052, for example, PCSI would determine that 50130052 is greater than 50120000, and will replace the existing image on the target disk with the version of the image included in the ECO kit. __________________________________________________________ 5.29 How can I tell what software (and version) is installed? There is unfortunately no consistent nor single way to make this determination-this is one of the reasons that a move to PCSI installations is underway. On OpenVMS Alpha, you can use VMSINSTAL.HISTORY and PRODUCT SHOW PRODUCT to determine what packages have been installed via the VMSINSTAL and PCSI tools, respectively. To see which OpenVMS Alpha ECO kits have been applied, look in VMSINSTAL.HISTORY on OpenVMS Alpha prior to V7.1-2, and use PRODUCT SHOW PRODUCT/FULL on OpenVMS Alpha V7.1-2 and later. On OpenVMS VAX, you can use PRODUCT SHOW PRODUCT and (for software that is installed via VMSINSTAL on V7.3 and later) in VMSINSTAL.HISTORY. For products installed on OpenVMS VAX prior to V7.3 using VMSINSTAL, there is no reliable way to determine what products have been installed. If the product provides a RELEASE_NOTES file (as many do), you can look for the list of these files via DIRECTORY SYS$HELP:*.RELEASE_NOTES. Again, this approach is NOT reliable: some kits do not provide release notes, some system managers will install only the release notes, 5-41 System Management Information some system managers will delete release notes, and release notes for multiple versions can be present. On most packages, you can generally use ANALYZE/IMAGE on one of the core images, looking at the image identification area. Some of the product-specific mechanisms available are: o DQS DQS$VERSION logical name o C CC/VERSION o C++ CXX/VERSION o TCP/IP TCPIP SHOW VERSION command __________________________________________________________ 5.30 What file checksum tools are available for OpenVMS? The undocumented DCL command CHECKSUM is the usual means, and provides a rather simple-minded checksum suitable to detect basic file corruptions. For information and an OpenVMS version of the MD5 checksum tool, see: o http://www.support.compaq.com/svctools/md5- instructions.html The OpenVMS Alpha ECO (patch) kit checksums available at the ECO website are determined using the following DCL command sequence: $ CHECKSUM kitname.pcsi-dcx_axpexe $ SHOW SYMBOL CHECKSUM$CHECKSUM See Section 5.17 for information on acquiring OpenVMS ECO (patch) kits. __________________________________________________________ 5.31 What (and where) is the OpenVMS Management Station? For information and current kits for the OpenVMS Management Station (OMS), a PC-based tool that permits you to manage an OpenVMS system, please see: o http://www.openvms.compaq.com/openvms/products/argus/ 5-42 System Management Information __________________________________________________________ 5.32 How to determine current disk fragmentation level? The HP OpenVMS Disk File Optimizer (DFO) defragmentation package provides a fragmentation monitoring tool, and a DFO product authorization key (PAK) is not required for the fragmentation reporting tool: $ DEFRAG SHOW/VOLUME ddcu: The DFU tool available on the OpenVMS Freeware can generate a report on the disk fragmentation: DFU> REPORT ddcu: __________________________________________________________ 5.33 SYSBOOT-I-FILENOTLOC, Unable to locate SYS$CPU_ROUTINES? A message at the OpenVMS Alpha bootstrap such as the following: %SYSBOOT-I-FILENOTLOC, Unable to locate SYS$CPU_ROUTINES_1C02.EXE %SYSBOOT-E-LDFAIL, failed to load execlet, status = 00000910 indicates that the particular OpenVMS Alpha release does not contain support for the target platform. In this case, OpenVMS does not recognize Alpha family 1C member 02 as a supported platform. A later version of OpenVMS might support the platform, or there might be no support on any release. Ensure that you have the most current firmware, and review the minimum version requirements for the platform. The execlet load failure and other similar bootstrap status values can often be decoded using either of the following techniques: $ exit %x910 %SYSTEM-W-NOSUCHFILE, no such file $ $ x = f$message(%x910) $ show symbol x X = "%SYSTEM-W-NOSUCHFILE, no such file" $ Also see Section 14.4.4.1. 5-43 System Management Information __________________________________________________________ 5.34 How can I customize the DCPS device control for a new printer? To customize DCPS for an otherwise unsupported printer, you can try the following sequence: o Extract the most closely-associated setup modules from the existing device control library, DCPS$DEVCTL.TLB. (For instance, you can probably extract and use the HP LaserJet 4000 series definitions for the HP LaserJet 4050 series. Each printer will vary, please consult the printer documentation for specifics and requirements.) o rename each extracted setup module to a corresponding: LPS$$UNRECOGNIZED_* o Insert all of the above-renamed setup modules into a newly-created device control library specific to the new printer: $ LIBRARY/TEXT/CREATE - SYS$COMMON:[SYSLIB]HP4050_DEVCTL.TLB LPS$$UNRECOGNIZED* The above assumes the filename HP4050_DEVCTL.TLB, alter as required. o Set up your DCPS startup procedures to include a search-list logical name such as: $ DEFINE/SYSTEM/EXECUTIVE DCPS_HP4050_LIB - SYS$LIBRARY:HP4050_DEVCTL.TLB, - SYS$LIBRARY:DCPS$DEVCTL.TLB o Supply DCPS_HP4050_LIB as the library parameter in the queue startup for this printer, this is the P3 parameter to the command procedure SYS$STARTUP:DCPS$EXECUTION_QUEUE.COM. o The HP4050_DEVCTL library may/will need to be recreated and modules re-edited and replaced with each DCPS upgrade, particularly if any modules are updated in the original library. You will also want to determine if the upgraded version of DCPS directly supports the particular printer. 5-44 System Management Information o To customize the processing of file extensions within DCPS (to enable or disable graybar output, for instance), use the information available in: SYS$LIBRARY:DCPS$FILE_EXTENSION_DATA_TYPE.DAT_DEFAULT to create your own site-specific: SYS$LIBRARY:DCPS$FILE_EXTENSION_DATA_TYPE.DAT Also see Section 5.15. __________________________________________________________ 5.35 Why do $GETDEV MOUNTCNT and SHOW DEVICE mount counts differ? MOUNTCNT returns the local mount count, while SHOW DEVICE returns the cluster-wide mount count. __________________________________________________________ 5.36 What software is needed for Postscript printers? The NorthLake PrintKit (www.nls.com) and DECprint Supervisor (DCPS) are common choices for support of Postscript printers on OpenVMS. o http://www.nls.com/ o http://www.openvms.compaq.com/openvms/Print/print_ sw_prods.html You may also require the installation of an IP transport stack. Also please see Section 15.2.2 and Section 15.2.3. __________________________________________________________ 5.37 How do I remove a PCSI-installed patch (ECO) kit? You cannot PRODUCT REMOVE a PCSI patch (ECO) kit. In order to remove an ECO kit, PCSI would have to have copies of all the other version of the files from all other patches and products that previously were installed. This can clearly involve a large number of files and a large archive of old file versions and a substantial quantity of disk space. While removal is clearly theoretically possible, it is not currently implemented. 5-45 System Management Information The following is the supported mechanism to remove a PCSI patch kit. 1 Execute a PRODUCT SHOW PRODUCT product-name. /FULL command. The "maintenance" column (132 column width) shows the patches that have been installed. Keep a copy of this listing. 2 Acquire kits for all of the maintenance kits listed. 3 Re-install the prior FULL version of the product. This will remove all patch kits, setting to product back to "original" condition. 4 Re-install all the patches in the list from step 1, except those patches which you have determined you do not want. The above information also applies to PCSI PARTIAL kits. __________________________________________________________ 5.38 SYSINIT-E, error mounting system device, status=0072832C This message can arise during an OpenVMS system bootstrap... %MOUNT-F-DIFVOLMNT, different volume already mounted on this device For details and further information, use the DCL command: $ HELP/MESSAGE /STATUS=%X72832C __________________________________________________________ 5.39 Resolving License PAK Problems? The PAK release date, the PAK termination date, and the PAK version are the usual culprits when a license product authorization key (PAK) check failure occurs. The PAK termination date is the date when the license PAK will expire. The PAK release date is the date of the most recent release date of the software package that will be permitted by the particular license PAK. (The release date check is analogous to a product version check.) 5-46 System Management Information The PAK version indicates the most recent product version that is permitted by the license. Having multiple license PAKs registered (and active) can also cause problems if an expired PAK gets loaded. You will want to DISABLE license PAKs you do not wish to have loaded. Other problems include a failure to register each PAK in all license databases throughout a multiple-system- disk cluster, with a consistent set of /INCLUDE lists specified across each of the duplicated PAKs. Additionally, you could have an invalid LMF$LICENSE logical name defined. (If no LMF$LICENSE logical name is defined, the standard license database named SYS$SYSTEM:LMF$LICENSE.LDB will be used.) You can display license failures by defining the following logical name: $ DEFINE/SYS/EXEC LMF$DISPLAY_OPCOM_MESSAGE TRUE Enable your terminal as a license operator (REPLY/ENABLE=LICENSE), define the LMF$DISPLAY_ OPCOM_MESSAGE logical name, and then try the failing operation again. You should see one or more OPCOM messages displayed. If you have the LMF$DISPLAY_OPCOM_MESSAGE logical name defined, you can (will?) see spurious license check failures-various products will check for multiple licenses, and a few products will check for PAKs that either have not yet been or will not be issued. Once you figure out which license has failed, you will want to deassign this logical name. Note That there are no license check failures does not indicate that the particular product or operation or use is permissible per applicable licensing agreements. Please consult the applicable agreement(s) for licensing-related information and requirements. 5-47 System Management Information To register a license PAK on a DECwindows system when DECwindows cannot start (because of an expired license or other licensing problem), follow the steps outlined in section Section 5.6 up through the use of the AUTHORIZE command. In place of the AUTHORIZE command, use the console to register the license PAKs. Also see Section 12.5 for licensing and troubleshooting information. For information on licensing and on the numbers of license units required for various products and various platforms, the License Unit Requirements Table (LURT) is available at: o http://www.compaq.com/products/software/info/ __________________________________________________________ 5.40 Changing the OpenVMS Version Number? Fool your friends, baffle your enemies, run the OpenVMS version of your choice! On OpenVMS Alpha systems: $ SET DEFAULT SYS$COMMON:[SYS$LDR] $ RUN SYSVER REPLACE V9.9 WRITE $ EXIT On OpenVMS VAX systems: $ set default SYS$COMMON:[SYS$LDR] $ copy SYS.EXE SYS.EXE_IN-CASE-I-FAIL $ patch SYS.EXE define sys$gq_version=800044b8 set mode ascii !examine sys$gq_version !examine sys$gq_version+4 deposit sys$gq_version = "V9.9" deposit sys$gq_version+4 = " " update exit $ Exit Then reboot the system at your leisure. 5-48 System Management Information __________________________________________________________ 5.41 How to prevent users from choosing obvious passwords? To prevent users from selecting obvious passwords on OpenVMS, you will want to use the reserved password (password screening) mechanism. Effectively, you merge your list of reserved passwords into the existing reserved words database maintained by OpenVMS. (You can also then require all users to reset their passwords- via the pre-expired password mechanism-thus forcing users to select new passwords.) For details on the password screening mechanism, of the reserved password database (VMS$PASSWORD_DICTIONARY.DATA), and details of how to merge your list of prohibited passwords into the database, please see the associated chapter in the OpenVMS security manual. For details of the password expiration mechanism, see the AUTHORIZE command qualifier /PWDEXPIRED. You can also implement a site-specific password filter with the information provided in the back of the OpenVMS Programming Concepts manual. The password filter permits you to establish particular and site- specific password requirements. For details, please see the system parameter LOAD_PWD_POLICY and the programming concepts manual, and see the examples in SYS$EXAMPLES:. (Examples and documentation on V7.3 and later reflect both platforms, the examples are found only on OpenVMS VAX kits on earlier releases. The capabilities have existed on both the VAX and Alpha platforms for some time now.) To verify current passwords, you can also use a technique known to system crackers as the "dictionary attack"-the mechanism that makes this attack somewhat more difficult on OpenVMS is the hashing scheme used on OpenVMS, and the file protections used for the SYSUAF authorization database. Given a dictionary of words and the unprotected contents of the SYSUAF file, a search for obvious passwords can be performed. Interestingly, a "dictionary attack" also has the unfortunate side- effect of exposing the password to the user-while this is clearly the goal of a system cracker, authorized privileged and non-privileged system users should not 5-49 System Management Information know nor have access to the (cleartext) passwords of other users. Accordingly, OpenVMS does not store the cleartest password. Further, OpenVMS uses a password hashing algorithm, not an encryption algorithm. This means that storage of a cleartext password is deliberated avoided, and the cleartext value is deliberately very difficult to obtain. The hash is based on a Purdy Polynomial, and the hash itself includes user-specific values in addition to the password, values that make the results of the password hash unique to each user. Regardless of the use of a password hashing scheme, if a copy of your password file should become available to a system cracker, you will want to force all users to use new passwords immediately. If you should require a user to verify a password, use the username, the user's salt value (this value is acquired via $getuai) and the user's specified cleartext password, and compare the resulting hashed value (using a call to $hash_password) against the saved hashed password value (this value also acquired via $getqui). For reasons of security, avoid saving a cleartext password value in any data files, and do not maintain the cleartext password in memory longer than required. (Use of $ACM on V7.3-1 and later is recommended.) Kerberos authentication (client and server) is available on OpenVMS V7.3 and later. Integration of Kerberos support into various Compaq and into third- party products is expected. External authentication is available in V7.3-1 and later, with support for user-written external authentication in V7.3-2 and later. If you are simply looking for OpenVMS access and the SYSTEM and all other privileged passwords are forgotten or otherwise unavailable, please see section Section 5.6 and/or the OpenVMS documentation set. Also please see the C2 guidelines in the OpenVMS security manual. 5-50 System Management Information __________________________________________________________ 5.42__Please_help_me_with_the OpenVMS BACKUP utility? 5.42.1 Why isn't BACKUP/SINCE=BACKUP working? If you are seeing more files backed up than previously, you are seeing the result of a change that was made to ensure BACKUP can perform an incrementation restoration of the files. In particular, if a directory file modification date changes, all files underneath it are included in the BACKUP, in order to permit incremental restoration should a directory file get renamed. _____________________________ 5.42.1.1 Why has OpenVMS gone through the agony of this change? When a directory is renamed, the modified date is changed. When the restoration needs to restore the directory and its contents, and the restoration should not result in the restoration of the older directory name when a series of incremental BACKUPs are restored. Thus an incremental BACKUP operation needs to pick up all of the changes. Consider performing an incremental restoration, to test the procedures. This testing was how OpenVMS Engineering found out about the problem that was latent with the old BACKUP selection scheme-the old incremental BACKUP scheme would have missed restoring any files under a renamed directory. Hence the change to the selection mechanisms mentioned in Section 5.42.1. _____________________________ 5.42.1.2 Can you get the old BACKUP behaviour back? Yes, please see the /NOINCREMENTAL qualifier available on recent OpenVMS versions (and ECO kits). Use of this qualifier informs BACKUP that you are aware of the limitations of the old BACKUP behaviour around incremental disk restorations. 5-51 System Management Information _____________________________ 5.42.2 What can I do to improve BACKUP performance? Use the documented commands in the manual for performing incremental BACKUPs. Use the documented incremental procedures. Don't try to use incremental commands in a non-incremental context. Also consider understanding and then using /NOALIAS, which will likely be a bigger win than will anything to do with the incremental BACKUPs, particularly on system disks and any other disks with directory aliases. See the OpenVMS V6.2 release notes for additional details. _____________________________ 5.42.3 Why is BACKUP not working as expected? First, PLEASE READ THE BACKUP MANUAL. Second, PLEASE GET THE CURRENT BACKUP ECO KIT. Third, PLEASE SET THE PROCESS QUOTAS PER THE DOCUMENTATION. BACKUP has a very complex interface, and there are numerous command examples and extensive user documentation available. For a simpler user interface for BACKUP, please see the documentation for the BACKUP$MANAGER tool. As for recent BACKUP changes, oddities, bugs, etc: o A change made in OpenVMS V6.2 WILL cause more files to be included into a file-based BACKUP saveset using /SINCE=BACKUP as all files underneath any directory with a sufficiently recent (selected) date will be included in the saveset. This change was deliberate and intentional, and was mandated by the need to provide a functional incremental restoration. Without the inclusion of these apparently-extra files, an incremental saveset can NOT be reliably restored. 5-52 System Management Information o As part of the OpenVMS V6.2 change, the /SINCE command-without the specification of the =BACKUP keyword-selected more files than it should have. This is a bug. This bug has been remedied in the OpenVMS BACKUP source code and in some of (all of?) the BACKUP ECO kits. When working with BACKUP, you will want to: o Ensure you have your process quotas set per the recommendations in the OpenVMS System Management documentation. Deviation from these values can and will lead to access violation (ACCVIO) and other untoward behaviour. o Get the current BACKUP ECO kit and install it BEFORE you attempt to troubleshoot any problems. o Learn about the /NOINCREMENTAL (new) and /NOALIAS (V6.2 and later) command qualifiers. The former qualifier returns to the pre-V6.2 behaviour of the /SINCE file selection mechanism, while the latter (specified with /IMAGE) reduces the replication of files on system disks and other disks with file alias and directory alias entries. Both of these can reduce the numbers of files that will be selected and thus included into the saveset. Learn what /IGNORE=INTERLOCK means. This command probably does not provide what you think it does- those file system interlocks that this command is ignoring were implemented for a reason, after all. Ignoring these interlocks can lead to missed data and potentially to corruptions to individual files stored within the output saveset, corruptions that may or may not be reported. For details on this BACKUP command qualifier, please see the Ask The Wizard topic (2467). When working with the BACKUP callable API: o Build your applications with the most current BACKUP API available. Changes made to the V7.1-2 and V7.2 API were incompatible with the V7.1 and V7.2-1 and later APIs, and this incompatibility was repaired via a BACKUP ECO kit. Do NOT build your application 5-53 System Management Information with the versions of the BACKUP API that shipped with V7.1-2 and V7.2, as these are incompatible with the BACKUP API constants that were used on other versions. _____________________________ 5.42.4 How do I fix a corrupt BACKUP saveset? BACKUP savesets can be corrupted by FTP file transfers and by tools such as zip (particularly when the zip tool has not been asked to save and restore OpenVMS file attributes or when it does not support OpenVMS file attributes), as well as via other means of corruptions. If you have problems with the BACKUP savesets after unzipping them or after an FTP file transfer, you can try restoring the appropriate saveset attributes using the tool: $ @RESET_BACKUP_SAVESET_FILE_ATTRIBUTES.COM This tool is available on the OpenVMS Freeware (in the [000TOOLS] directory). The Freeware is available at various sites-see the Freeware location listings elsewhere in the FAQ-and other similar tools are also available from various sources. In various cases, a SET FILE/ATTRIBUTES command can also be used. As the parameters of this command must be varied as the target BACKUP saveset attributes vary, this approach is not recommended. Also see the "SITE VMS", /FDL, and various other file- attributes options available in various FTP tools. (Not all available FTP tools support any or all of these options.) Browser downloads (via FTP) and incorrect (binary or ascii FTP transfer modes) are notorious for causing RMS file corruptions and particularly BACKUP saveset corruptions. You can sometimes help encourage the browser to select the correct FTP transfer type code (via RFC1738): o ftp://host/urlname.ext;type=i ! request ftp image/binary transfer 5-54