=:The OpenVMS Frequently Asked Questions(FAQ)C

The OpenVMS Frequently Asked Questions(FAQ)

r \ ^

4.5 Setting time on AlphaServer ES47, ES80, GS1280 console?

HTo set the time on an AlphaServer ES47, AlphaServer ES80 or AlphaServer GGS1280 series system, you must access the platform management utility. DIn particular, this is how OpenVMS obtains its system time on these systems.

"
)MBM - (PMU, Platform Management Utility) ) From SRM P00> enter {Esc} {Esc} MBM 6 CTRL/[ CTRL/[ MBM (MBM must be uppercase) 2 MBM> connect (to exit to SRM)

EThe serial PMU is a command line interface for a serial communicationG(MBM) port or to the telnet session. Commands entered on this line are Gforwarded to the PMU server, and the serial PMU is responsible for the following tasks:

Show the system configuration and provide the basic debugging capabilityD
Initiate the firmware update or load the test firmware version=
Power on or off, halt, or reset the system or partition3
The system partitioning and cabling functionsE
Displays of the health of hardware environment, including such G constructs as fans, power supplies and environmental and temperature values.$
Remote server management tasks/
The connection to the virtual SRM console

DUse an escape key sequence to enter the PMU. You can access the PMU Dthrough a modem or from a terminal emulator connected to the server management LAN.w

4.6 UTC vs GMT vs vs UT1/UT1/UT2 TDF? What are these acronyms?

FThe results of an international compromise---though some would say an Cinternational attempt to increase confusion---UTC is refered to as F"Coordinated Universal Time" (though not as CUT) in English Hand as "Temps Universel Coordinné" (though not as TUC) Din French. (No particular information exists to explain why UTC was Achosen over the equally nonsensical TCU, according to Ulysses T. =Clockmeister, one of the diplomats that helped establish the international compromise.)

DUniversal Time UT0 is solar time, UT1 is solar time corrected for a Cwobble in the Earth's orbit, and UT2 is UT1 corrected for seasonal Arotational variations in rotation due to the Earth's solar orbit.

HGMT---Greenwich Mean Time---is UT1. GMT is the time at the classic site @of the since-disbanded Royal Greenwich Observatory; at the most 6widely-known tourist attraction of Greenwich, England.

FUTC is based on an average across multiple atomic clocks, and is kept Awithin 0.9 seconds of GMT, through the insertion (or removal) of Aseconds. In other words, UTC matches GMT plus or minus up to 0.9 seconds, but UTC is not GMT.

FTDF is the Timezone Differential Factor, the interval of time between Cthe local time and UTC. Areas that celebrate daylight savings time G(DST) will see periodic changes to the TDF value, when the switch-over Hbetween daylight savings time and standard time occurs. The switch-over Eitself is entirely left to local governmental folks, and can and has Hvaried by political entity and politics, and the switch-over has varied )over the years even at the same location.

FIf your local OpenVMS system time is off by one hour (or whatever the Elocal DST change) for some or all applications, you probably need to @reset your local TDF. (For related details, please see sections kSection 4.3 and Section 10.22.1.)

BFurther discussions of history and politics, the Royal Observers' Eoutbuildings, and the compromise that left the English with the Time CStandard (the Prime Meridian) and the French with the standards forHDistance and Weight (the Metric System) are left to other sources. Some 2of these other sources include the following URLs:

Chapter 5
System Management Information

5.1 What is an installed image?

CThe term "install" has two distinct meanings in OpenVMS. The first Arelates to "installing a product", which is done with either the FSYS$UPDATE:VMSINSTAL.COM command procedure or the POLYCENTER Software BInstallation (PCSI) utility (PRODUCT command). The second meaning Erelates to the use of the INSTALL utility, which is what concerns us here.

FThe INSTALL utility is used to identify to OpenVMS a specific copy of Han image, either executable or shareable, which is to be given some set Eof enhanced properties. For example, when you issue the SET PASSWORD Dcommand, the image SYS$SYSTEM:SETP0.EXE is run. That image needs to 1have elevated privileges to perform its function.

DThe other important attribute is /SHARED. This means that shareable Gparts of the image (typically read-only code and data) are loaded into Hmemory only once and are shared among all users on a system. Executable Eimages can be installed /SHARED as well as shareable library images. G(The term "shareable" has dual meanings here, too. See the OpenVMS 6Programming Concepts Manual for further details.)

DIt's important to note that there is no such thing as "installing a Fshareable image with privileges". The INSTALL utility will let you do Git, but the privileges you specify will be ignored. To have a callable Croutine run with enhanced privileges that are not available to its Acaller, you must construct your routines as "user-written system Gservices" and install the shareable image with the /PROTECT qualifier. >See the OpenVMS Programming Concepts Manual for more Dinformation on user-written system services. Note also that in many Hcases the need to grant privileges to an image can be replaced with the ?use of the "Protected Subsystems" feature that grants a rights <identifier to an image. See the OpenVMS Guide to System 6Security for information on Protected Subsystems.c

5.2 Are there any known viruses for OpenVMS?

?Viruses and worms are common on personal computers because the Foperating systems involved, such as the Microsoft MS-DOS, Windows 95, DWindows 98 and Windows ME variants, do not particularly protect the Hoperating system or the file system against hostile action by programs. ?Microsoft Windows NT, Windows 2000 and Windows XP do implement @protections for specific configurations and do implement memory Eprotection models, but many users of these systems choose to operate Ewith full adminstrator access and thus the available protections are Fentirely defeated and entirely not relevent, and any program that can Gactivate itself or can cause the user to activate the code can subvert Dthe operating system and take over the hardware, at which point the Gmalicious code can do most anything it wishes, including hiding copies Bof itself in other programs or in the file system, redistributing Hitself via mail, IM, or network connections, or can be used as a zombie $in staging attacks on other systems.

CThis is less likely with multi-user systems such as OpenVMS, Unix, ?Linux, MVS and other platforms for various reasons. First, the Goperating system runs in a privileged mode in memory that is protected Hagainst modification by normal user programs. Any program cannot simply Gtake over the hardware as it can on operating systems without security Gand particularly without memory page protections. Secondly, multi-user Dsystems can be set up so that non-privileged programs cannot modify ?system programs and files on disk, and this is normal for most Finstallations. Both of these protection schemes mean that traditional Gviral infections don't work on these OSes. Third, typical applications Aand configurations tend to prevent the uncontrolled execution of Guntrusted code as part of received mail messages or web access; one of Gthe central vulnerabilities of the Microsoft Windows platform involves Bits intentionally easy ability to dynamically (and transparently) Dactivate code and macros that are embedded within mail messages and within data files.

BIt is possible for OpenVMS and other multi-user systems to become Ginfected by viruses or worms, but to do so, the program containing the Hvirus must be run from a user account that has amplified privileges. So >long as the system administrator is careful that only trusted Capplications are run from such accounts (and this is generally the Hcase) and so long as there are no OpenVMS system security breaches (due Ato malicious operator activity, OpenVMS errors, or errors within Ftrusted and privileged product packages) there is no of modifications Gto the operating system or other protected files from the virus or the worm.

FThe FAQ maintainer is aware of a few (and very old) DECnet worms that Ehave affected OpenVMS systems on DECnet networks, but is aware of no ,OpenVMS viruses that are loose in the field.

HTo protect against viruses and other attempts at system interference or Fmisuse, please follow the security recommendations in the OpenVMS HGuide to System Security. Additionally, you will want to keep your GOpenVMS ECOs current and you will want to apply all mandatory ECO kits and any security MUPsH for OpenVMS and OpenVMS products, and you will want to keep to OpenVMS C releases with Prior Version Support (PVS) or with Current Version : Support. (This is obviously a general system maintenance = recommendation, in addition to being a good system security I recommendation---new security features and capabilities are implemented F in more recent OpenVMS releases, for instance.) You may also want to G consider optional software products which can monitor your system for : intrusion or infection attempts. Computer Associates (CA):offers various products in this area, as to other vendors.

HRocksoft offers the Veracity data integrity tool (for info, send mail to demo@rocksoft.com). MD5 tools are also available.

HTools to scan OpenVMS file systems for Microsoft Windows infections are ;also available, including a commercial package from Sophos.GThese scanning tools are particularly useful for systems running Samba Gor Advanced Server (PATHWORKS), as these servers tend to have a higher Fpopulation of files intended for Microsoft Windows systems users, and Gas common virus and worm attacks can find and infect files on the file 'shares that these products can provide.BThese infections do not target OpenVMS itself, though the OpenVMS Gserver (and any other platform and any other server capable of storing Efiles for Windows systems) can silently host files containing common Microsoft Windows infections.j

5.3 Sources of OpenVMS security information?

7Where can I get information on OpenVMS system security?

5.4 How do I mount an ISO-9660 CD on OpenVMS?

5ISO-9660 support was added in the following releases:

OpenVMS VAX V6.0
OpenVMS AXP V1.5

HAn add-on ISO-9660 kit was also available for OpenVMS VAX V5.5, V5.5-1, FV5.5-2, and V5.5-2H4. This requires the installation of the F11CD kit Hfrom the InfoServer CD, from the Consolidated Distribution CD under the EInfoServer area, Customer Support Center kit CSCPAT #1071012, or the CF11CD ECO kit. (Upgrades to V6 and later are strongly recommended.)

BBy default, OpenVMS senses the specific type of media. If you are Dworking with dual-format media---media that uses both the ODS-2 and GISO-9660 formats on the same CD-ROM---then MOUNT will first detect and Cthen default to the ODS-2 format. If you wish to override this and ;explicitly mount the media using ISO-9660, use the command:

"
:$ MOUNT/MEDIA_FORMAT=CDROM device-name[:] [volume-label]

FIn most circumstances, you will not need nor will you want to include Ban explicit /MEDIA_FORMAT specification. For further information, Hplease refer to the OpenVMS MOUNT Utility Manual. Particularly note the Einformation on the MOUNT /MEDIA_FORMAT and /UNDEFINED_FAT qualifiers.

CThe MOUNT /UNDEFINED_FAT qualifier is of interest because ISO-9660 Gmedia can be mastered on a wide variety of operating system platforms, Hand these platforms do not necessarily support the semantics needed for Ffiles containing predefined record formats. The /UNDEFINED_FAT allows Fyou to specify the default attributes for files accessed from volumes using the ISO-9660 format.

+An example which works for most CD-ROMs is:

"
D$ MOUNT/MEDIA_FORMAT=CDROM/UNDEFINED_FAT=STREAM:2048 DUA0: FREEWARE

FThis particular MOUNT command forces access to the CD-ROM media using Gthe ISO-9660 volume structure, and the use of the MOUNT /UNDEFINED_FAT Fqualifier causes any file whose file attributes are "undefined" to be Dreturned with "stream" attributes with a maximum record length 2048.

EOn OpenVMS, the ISO-9660 format is (internally) considered to be the GODS-3 file structure, while the High Sierra extensions to the standard >are considered to be the ODS-4 file structure. The Rock Ridge 2extensions are not currently available on OpenVMS.

FFor details on ODS-1 and ODS-2 file specifications, see Kirby McCoy's GVMS File System Internals Manual (published by Digital Press, 'but potentially out of print), and see:

2http://pdp-11.trailing-edge.com/www/ods1.txt e
Look for the Freeware V5.0 directory ODS2 at ,http://www.hp.com/go/openvms/freeware/

5.5 How do I extract the contents of a PCSI kit?

@A growing number of OpenVMS products are being provided in PCSI F(POLYCENTER Software Installation) kits which are installed using the FPRODUCT INSTALL command. These are alternatives to or replacement for DVMSINSTAL kits which were BACKUP savesets. PCSI kits are not BACKUP <savesets and are structured differently from VMSINSTAL kits.

?If you want to extract product files from a PCSI kit, create a Fdirectory into which the kit should be expanded and use the following command:

"
5$ PRODUCT COPY prodname /SOURCE=[where-the-kit-is] - 4 /DEST=[destination-directory] /FORMAT=REFERENCE

?A PCSI kit file has a file specification of the following form:

"
$DEC-VAXVMS-FORTRAN-V0603-141-1.PCSI

GIn this example, "FORTRAN" is the "prodname". PCSI will expand the kit Hfiles into the directory you specify and subdirectories beneath such as G[SYSEXE], [SYSLIB], etc., reflecting the eventual destination of files Hfound there. Most of the actual product files (images, etc.) will be in Gthe subdirectories. In the top-level directory will be a file with the Efile type PCSI$DESCRIPTION that specifies where various files should Cgo. For more details, see the POLYCENTER Software Installation FDeveloper's Guide for OpenVMS, which can be found in the OpenVMS >documentation on the Consolidated Online Documentation CD-ROM.e

5.6 Emergency (Conversational) System Startup?

BIf you need to perform system management operations on an OpenVMS Hsystem and cannot access the system through normal means---the password Gon the SYSTEM username was forgetten and no other privileged usernames Dare available, or one or more core system product authorization key C(PAK) software licenses are unavailable or expired---then you must /perform a conversational (emergency) bootstrap.

Here are the steps:

Halt the system. Exactly how this is done depends on the specific F system model: Depending on the model, this can involve pressing the I [HALT] button, entering [CTRL/P] on the console, 8 or pressing the [BREAK] key on the console.C
At the console prompt, use a console command to boot into theBSYSBOOT utility. (SYSBOOT allows conversational changes to system Bparameters.) (The console syntax for the conversational bootstrap Cvaries by system model and by system architecture---this typically pinvolves specifying a flag with the lowest bit set. See Section 14.3.5 Hfor related details.) For example:
On VAX, use one of the following Hthree commands depending on the particular model of VAX system involved:
"
B/R5:1 B/1 @GENBOO
On Alpha:
"
b -flags 0,1
L
If your system has a non-zero system root (such as root SYSE, shown I here), you will have to use a console command such as the following:
On VAX:
"
B/E0000001 B/R5:E0000001 4@<console media procedure name varies widely>
On Alpha:
"
b -flags e,1
F
On IA-64, you can establish a boot alias for a conversational n bootstrap, as discussed in Section 14.3.5.1.
If your system has a H hardware password (various systems support a password that prevents E unauthorized access to the console), you will need to know theis F password and will need to enter it using the LOGIN command at the ? console. If you get an "Inv Cmd" error trying to perform a G conversational bootstrap, and you do not have the hardware console J password for the console LOGIN command, you are stuck---you will need H to call for hardware service in order to reset the hardware console H password. The syntax used for the console password mechanism varies.G
Once at the SYSBOOT prompt, request that OpenVMS read the system E startup commands directly from the system console, that the window D system (if any) not be started, and that OpenVMS not record these = particular parameter changes for subsequent system reboots:
"
SET/STARTUP OPA0: SET WINDOW_SYSTEM 0 SET WRITESYSPARAMS 0 CONTINUE
I
At the $ prompt, the system will now be accepting startup commands A directly from the console. Type the following two DCL commands:
"
$ SPAWN $ @SYS$SYSTEM:STARTUP
I
You should now see the dollar ($) prompt of DCL.
The result of H these two commands will be the normal system startup, but you will be B left logged in on the console, running under a fully privileged J username. Without the use of the SPAWN command, you would be logged out H when the startup completes.
Perform the task(s) required, such as @ resetting the password on the SYSTEM username as described in n Section 5.6.1 or registering one or more license product authorization Q keys (PAKs) as described in Section 5.6.2.E
Once you log out of this session, the system will complete the I startup and can be used normally. You can choose to reboot the system, but that is not necessary.

BSome system managers will suggest a method using the UAFALTERNATE Asystem parameter rather than the SET/STARTUP OPA0: command shown.GThis approach is not always available and is accordingly less commonly Drecommended, as there can easily be an alternate user authorization Edatabase (SYS$SYSTEM:SYSUAFALT.DAT) configured on the system. With a Hsystem manager that has configured an alternate SYSUAFALT.DAT file, the CUAFALTERNATE method will fail---well, assuming you do not know the Bpassword of a privileged username stored within SYSUAFALT.DAT, of course.

GThe UAFALTERNATE system parameter is used to trigger what is sometimes known as the console backdoor.EThe OPA0: system console is critical to system operations and system Esecurity, and will allow access when the SYSUAF system authorization Edatabase is unavailable or corrupted, when core product license PAKs ;are not registered, expired or disabled (NOLICENSE errors),. or in various other cases of system failures.EAll this is in addition to the role of the console in the display of Hcertain system-critical event messages. Access to the OPA0: console Chas a security exposure that is equivalent to direct access to the system hardware.

BWhen LOGINOUT detects an error (such as a SYSUAF corruption, by a Emissing SYSUAF, missing product licenses, or other trigger), it will Cprevent access to the OpenVMS system from all terminals except the system console.CThe OPA0: system console will be allowed access, and the resulting Dprocess will be fully privileged. Resetting the UAFALTERNATE system Gparameter---in the absence of an alternate SYSUAF system authorization Gdatabase---will cause the console backdoor to be opened simply because LOGINOUT cannot locateDSYS$SYSTEM:SYSUAFALT.DAT. When the authorization database cannot be 6located, access will be granted from the console only.

FFor further information on emergency startup and shutdown, as well as Cfor the official OpenVMS documentation on how to change the SYSTEM Fpassword from the console in an emergency, please see the OpenVMS >System Manager's Manual in the OpenVMS documentation set.

AFor information and recommendations on setting up OpenVMS system 6security, please see the NCSC Class C2 appendix of the=Guide to OpenVMS System Security manual, also in the OpenVMS documentation set.

FYou can also use the conversational bootstrap technique shown earlier E(the steps until SET/STARTUP) to alter various system parameters, as well. At the SYSBOOT,prompt, you can enter new parameters values:

"
SHOW MAXPROCESSCNT SET . 64 CONTINUE

EThe "." is a shorthand notation used for the last parameter examined within SYSGEN and SYSBOOT.

r Y \ ^

Contents

Index