Document revision date: 15 October 2001

To make sure that the server starts automatically each time you boot your OpenVMS system:

1. Edit the system startup file, SYS$STARTUP:SYSTARTUP_VMS.COM.
2. Add the @SYS$STARTUP:PWRK$STARTUP command to the file below all lines that start network transports. For example:

   $ START/NETWORK DECNET . . . $ @SYS$STARTUP:PWRK$STARTUP

Before starting the server in an OpenVMS Cluster, the server software must be installed and configured on each cluster member on which the server is to run. If you installed and configured the PATHWORKS Advanced Server on multiple members of the same OpenVMS Cluster, Compaq recommends that you use the SYSMAN utility to start the server manually and simultaneously on all cluster members.

To start the server on all cluster members at the same time, make sure you are logged in to the SYSTEM account on one of the server nodes, then run SYSMAN as indicated in the second column of Table 5-3, Starting the Server in an OpenVMS Cluster, according to the result you want to achieve, as listed in the first column.

Table 5-3 Starting the Server in an OpenVMS Cluster

Desired Result	Command to Enter
Start the SYSMAN utility	$ RUN SYS$SYSTEM:SYSMAN
Define the OpenVMS Cluster members on which to start the server (in this example, SPEEDY, SPIN, and SPAN)	SYSMAN> SET ENVIRONMENT - _SYSMAN> NODE=(SPEEDY,SPIN,SPAN)
Start the PATHWORKS Advanced Server on all the nodes you defined in the previous command	SYSMAN> DO @SYS$STARTUP:PWRK$STARTUP
Exit the SYSMAN utility	SYSMAN> EXIT

PATHWORKS Advanced Server processes are detached processes. During startup, all detached processes must execute the site-specific system login procedure (by default, SYS$MANAGER:SYLOGIN.COM).

If the PATHWORKS Advanced Server startup does not complete successfully, check the SYLOGIN.COM procedure. Make sure that only commands that should be executed by detached processes are executed during the PATHWORKS Advanced Server startup.

In SYLOGIN.COM, you can use the DCL lexical function F$MODE or F$GETJPI to conditionalize DCL commands, such as $SET TERM/INQUIRE, that should be executed only by nondetached processes, so that they are not executed during the PATHWORKS Advanced Server startup. Refer to the OpenVMS DCL Dictionary for more information.

5.4 Stopping the PATHWORKS Advanced Server

The following sections describe when and how to stop the PATHWORKS Advanced Server.

5.4.1 When to Stop the PATHWORKS Advanced Server

You can stop the server at any time for any reason, which can include the following:

• When you want to change server parameters
• As part of an orderly system shutdown
• As needed to troubleshoot server problems

To stop the server, enter the following command:

$ @SYS$STARTUP:PWRK$SHUTDOWN

For a cluster server, enter:

$ @SYS$STARTUP:PWRK$SHUTDOWN CLUSTER

Before shutting down the OpenVMS operating system, Compaq recommends stopping the server.

5.4.3 How to Stop the PATHWORKS Advanced Server on System Shutdown

To stop the server as part of an orderly system shutdown, add the shutdown command to the site-specific system shutdown procedure. In addition, prior to shutting down the server, announce the planned shutdown to connected users by using the ADMINISTER SEND/USERS command, as in the following example, which alerts all users connected to server WOODMAN:

LANDOFOZ\\TINMAN> SEND/USERS/SERVER=WOODMAN "Shutdown @ 1pm today!!!"

5.5 How to Define PATHWORKS Advanced Server Commands When You Log In

Compaq provides numerous command procedures that, for example, provide shortcuts for invoking certain server management commands and procedures. You can see a list of these commands by examining the contents of the file SYS$MANAGER:PWRK$DEFINE_COMMANDS.COM.

You can define these Advanced Server management commands automatically when you log in to the account that you use to manage the Advanced Server. To define Advanced Server commands at login, edit the LOGIN.COM file of the privileged account to add the following line:

$ @SYS$MANAGER:PWRK$DEFINE_COMMANDS

5.6 Setting Up External Authentication

The OpenVMS operating system Versions 7.1 and higher provide support for external authentication. PATHWORKS Advanced Server participates with the OpenVMS operating system to allow PATHWORKS Advanced Server domain users to log in to the OpenVMS operating system using their PATHWORKS Advanced Server domain user names and passwords. The PATHWORKS Advanced Server externally authenticates the login request.

External authentication can provide automatic password synchronization between an OpenVMS account and a corresponding Advanced Server domain account. Users who have both OpenVMS and PATHWORKS Advanced Server domain user accounts can avoid maintaining two different passwords. If the domain account password is changed, the OpenVMS LOGINOUT program sets the OpenVMS account password to the domain account password the next time the user logs in to the OpenVMS account. If the user changes the OpenVMS password with the DCL SET PASSWORD command, the the SET PASSWORD command sends the password change to the Advanced Server external authenticator. For synchronization to succeed, an Advanced Server domain controller must be available and the domain account password must meet OpenVMS syntax requirements.

When you start the Advanced Server, external authentication is automatically enabled for user accounts that are flagged for external authentication in the SYSUAF. (To enable external authentication, PWRK$ACME_STARTUP.COM defines bit 0 of the SYS$SINGLE_SIGNON logical to the value 1. You can disable external authentication by changing the default value of this bit. For information on disabling external authentication and about defining the other bits in the SYS$SINGLE_SIGNON logical, see Section 5.6.5, Disabling External Authentication.)

For more information about enabling external authentication on OpenVMS, refer to the OpenVMS Guide to System Security.

No additional configuration is necessary on cluster members running the Advanced Server to enable the Advanced Server to participate in the external authentication process. However, to use external authentication in an Advanced Server cluster, all cluster members should be configured to use external authentication, so that externally authenticated users can log on to the cluster through any node in the cluster. A cluster member that is not running the complete Advanced Server can be configured to authenticate logon requests from network users if it has access to external authentication software on a shared cluster system disk. If it does not have access to external authentication software on a shared cluster system disk, you can enable external authentication on that system by copying only the external authentication images to the system disk, following the steps given in Section 5.6.1, Setting Up External Authentication in OpenVMS Clusters.

To provide external authentication on the system, perform the following steps:

1. Install one of the following:
   • The PATHWORKS Advanced Server
   • The standalone PATHWORKS external authentication software

   Note At least one node in the cluster must run the complete Advanced Server software.

   
   For more information, see Chapter 2, Installing the PATHWORKS Advanced Server.
2. Set the appropriate OpenVMS user accounts to allow external authentication (in SYSUAF). For more information, refer to the OpenVMS Guide to System Security.
3. If the PATHWORKS Advanced Server is installed, start the server and external authentication will be enabled for all user accounts allowing external authentication.
   If the standalone PATHWORKS external authentication software is installed, perform the following:
   1. Add the following lines to your SYSTARTUP_VMS.COM file:

      $ DEFINE/SYSTEM/EXE SYS$SINGLE_SIGNON 1 $ @SYS$STARTUP:PWRK$ACME_STARTUP.COM

      
      In a cluster, add these preceding two lines plus the following in a node-specific system startup file (not clusterwide), or if using a shared system startup file such as SYS$COMMON:[SYSMGR]SYLOGICALS.COM, ensure that you conditionalize the DEFINE command based on the node name (that is, using the lexical function F$GETSYI).

      $ DEFINE/SYSTEM/EXE PWRK$ACME_SERVER scsnode1_name[,scsnode2_name,...]

      
      Each scsnodex_name is an equivalence name, which is the SCSNODE name of a cluster member running an Advanced Server that can be used to process external authentication requests. You can include all, or a subset of, the names of the Advanced Server member nodes. This allows you to specify the order in which the requesting host contacts the hosts running the complete Advanced Server software for an authentication request. If the first node in the list does not respond, the requesting host asks the next host, and so forth.

   
   For more information, refer to the OpenVMS Guide to System Security and Section 5.6.1.
4. Establish host mapping between PATHWORKS Advanced Server domain user accounts and the corresponding OpenVMS user accounts, if necessary. For more information, refer to the Compaq PATHWORKS for OpenVMS (Advanced Server) Server Administrator's Guide.
5. If your Advanced Server is participating in an OpenVMS Cluster, set up external authentication on all cluster members. For more information, see Section 5.6.1, Setting Up External Authentication in OpenVMS Clusters.
6. If you want to change the default domain used for external authentication, set the system logical PWRK$ACME_DEFAULT_DOMAIN accordingly. (The local server's domain is the default domain for users when external authentication is established: if a user does not specify a domain name at login, the system uses the default domain for authentication.) For more information, refer to the Compaq PATHWORKS for OpenVMS (Advanced Server) Server Administrator's Guide.
7. If establishing external authentication for users in trusted domains, add the name of the trusted domain(s) to the LANMAN.INI parameter HostMapDomains. For more information, refer to the Compaq PATHWORKS for OpenVMS (Advanced Server) Server Administrator's Guide.

For information about enabling Authentication and Credential Management (SYS$ACM) for authenticating users and determining the user security profile for OpenVMS and Windows NT, refer to the OpenVMS Connectivity Developer's Guide (included in the OpenVMS Documentation CD-ROM).

5.6.1 Setting Up External Authentication in OpenVMS Clusters

If you are running PATHWORKS Advanced Server in an OpenVMS Cluster, Compaq recommends that all cluster members be configured to be able to process OpenVMS logon requests for network users.

As noted in the preceding section, when the Advanced Server is started on a system, external authentication is enabled automatically for user accounts flagged for external authentication in the SYSUAF. A cluster member that is not running the complete Advanced Server can authenticate logon requests from network users if it has access to external authentication software on a shared cluster disk. Note that external authentication is not supported on OpenVMS systems prior to V7.1. Therefore, to ensure that external authentication works properly on the cluster, Compaq recommends that you make sure all systems in the cluster are running OpenVMS V7.1 or later.

If the cluster member does not have access to external authentication software on a shared cluster disk, you can enable external authentication on that system by copying just the external authentication images onto that system.

If the cluster member has a shared system disk, skip step 1 below and perform the remaining steps. If the cluster member does not have a shared system disk, perform all steps.

1. If the member node that is not running the PATHWORKS Advanced Server is running OpenVMS Alpha Version 7.2-1 or later or OpenVMS VAX V7.2 or later, install the standalone PATHWORKS external authentication software on that member node from the PATHWORKS for OpenVMS (Advanced Server) software kit, as described in Chapter 2, Installing the PATHWORKS Advanced Server.
   If the member node that is not running the PATHWORKS Advanced Server is running OpenVMS VAX Version 7.1, copy the following external authentication files from any system disk where the complete PATHWORKS Advanced Server is installed to the location indicated on the VAX node:

   File	Destination on VAX Node
   SYS$LIBRARY:PWRK$ACME_MODULE_VAX.EXE	SYS$COMMON:[SYSLIB]
   SYS$STARTUP:PWRK$ACME_STARTUP.COM	SYS$COMMON:[SYS$STARTUP]

   
   If the member node that is not running the PATHWORKS Advanced Server is running OpenVMS Alpha Version 7.1, then copy the following external authentication files from any system disk where the complete PATHWORKS Advanced Server is installed to the location indicated on the Alpha node:

   File	Destination on Alpha V7.1 Node
   SYS$LIBRARY:PWRK$ACME_MODULE_ALPHA.EXE	SYS$COMMON:[SYSLIB]
   SYS$STARTUP:PWRK$ACME_STARTUP.COM	SYS$COMMON:[SYS$STARTUP]

2. Add the following lines in a node-specific system startup file (not clusterwide), or if using a shared system startup file such as SYS$COMMON:[SYSMGR]SYLOGICALS.COM, ensure that you conditionalize the DEFINE command based on the node name (that is, using the lexical function F$GETSYI).

   $ DEFINE/SYSTEM/EXE SYS$SINGLE_SIGNON 1 $ DEFINE/SYSTEM/EXE PWRK$ACME_SERVER scsnode1_name[,scsnode2_name,...] $ @SYS$STARTUP:ACME_STARTUP.COM

   
   In the second line, each scsnodex_name is an equivalence name, which is the SCSNODE name of a cluster member running an Advanced Server that can be used to process external authentication requests. You can include all, or a subset of, the names of the Advanced Server member nodes. This allows you to specify the order in which the requesting host contacts the hosts running the complete Advanced Server software for an authentication request. If the first node in the list does not respond, the requesting host asks the next host, and so forth.

   Note If you specify a subset of the Advanced Server member nodes, in order for external authentication requests to be processed properly, the Advanced Server should be running (available) on at least one of those specified cluster members. Otherwise, even if another Advanced Server member node not specified in the list is currently running, the requests will not be processed.

3. Invoke the SYS$STARTUP:PWRK$ACME_STARTUP command procedure during system startup.
4. Set appropriate OpenVMS user accounts on all cluster members to allow external authentication, and if necessary, set up host mapping between the OpenVMS user accounts and the Advanced Server user accounts. For more information about enabling OpenVMS user accounts for external authentication, refer to the OpenVMS Guide to System Security. For more information about setting up host mapping, refer to the Compaq PATHWORKS for OpenVMS (Advanced Server) Server Administrator's Guide. (For OpenVMS V7.1 systems, refer to the OpenVMS V7.1 New Featuers Manual.)

To allow users to be externally authenticated over DECnet-Plus for OpenVMS, set the OpenVMS system parameter NET_CALLOUTS to 255. This enables Advanced Server user ID mapping and authentication for network logins.

5.6.3 Configuring the Server Capacity for External Authentication

By default, the Advanced Server can support up to 10 simultaneous external authentication logon requests (signons). You can modify this maximum to suit the Advanced Server requirements, using the Configuration Manager. To start the Configuration Manager, enter the following command:

$ ADMINISTER/CONFIGURATION

The basic server parameters include the number of simultaneous activations for users with external authentication.

For more information about using the Configuration Manager, refer to the Compaq PATHWORKS for OpenVMS (Advanced Server) Server Administrator's Guide.

5.6.4 Bypassing External Authentication When the Network Is Down

External authentication cannot occur if a network connection is required and the network is down. However, as a temporary solution, privileged users can enter the /LOCAL_PASSWORD qualifier after the OpenVMS user name at the login prompt, to specify local authentication. Be sure to specify the OpenVMS user name and password when using the /LOCAL_PASSWORD qualifier.

Because using the /LOCAL_PASSWORD qualifier effectively overrides the security policy established by the system manager, it is allowed only when the user's account has SYSPRV as an authorized privilege. This allows the system manager to gain access to the system when the network is down. When Bit 1 of the equivalence string is set in the SYS$SINGLE_SIGNON logical name, nonprivileged users who are normally externally authenticated can log in locally (the /LOCAL_PASSWORD qualifier need not be specified).

For more information about the /LOCAL_PASSWORD qualifier for the login command line, refer to the OpenVMS Guide to System Security. (For OpenVMS Version 7.1 systems, refer to the OpenVMS System Management Utilities Reference Manual in the OpenVMS Version 7.1 documentation.

5.6.5 Disabling External Authentication

If you want to disable external authentication, then before starting the Advanced Server, define the SYS$SINGLE_SIGNON logical to a value of 0, as in the following example:

$ DEFINE/SYSTEM/EXECUTIVE SYS$SINGLE_SIGNON 0

For more information about SYS$SINGLE_SIGNON and disabling external authentication on OpenVMS, refer to the OpenVMS Guide to System Security.

5.7 Installing Optional Server Administration Tools

The PATHWORKS Advanced Server provides optional client-based server administration tools that allow you to manage the server from Windows 95, Windows 98, Windows for Workgroups, or Windows NT clients. These tools are available in the PWUTIL share after installing, configuring and starting the server.

The SRVTOOLS directory in the PWUTIL share contains a subdirectory for each type of client computer. Refer to the README.TXT file in the appropriate subdirectory for instructions on installing the software on the client computer.

Refer to the Windows NT Server documentation or use online Help for more information about how to use Windows NT Server administration tools.

	privacy and legal statement
6555PRO_007.HTML