=:The OpenVMS Frequently Asked Questions(FAQ)C

The OpenVMS Frequently Asked Questions(FAQ)

r \ ^

5.23 How do I delete (timeout) idle processes?

EThere is no such command integrated within OpenVMS, though there are H(optional) timers available within certain terminal servers and similar Hdevices, and there is an integrated time-of-day mechanism that provides ,control over when a user can access OpenVMS.

CAs for available tools, there are DECUS, freeware, and third-party Ctools known variously as "idle process killers" (IPK) or G"terminal timeout" programs, as well as various other names. 9Examples include: Saiga Systems Hitman, Watchdog, MadGoatDWatcher (via the MadGoat site or the OpenVMS Freeware), Kblock, the CNetworking Dynamics tool known as Assassin, and the Zap tool. Also @available is the XLNperformance system management utility, from XLNsystems.

9A related package (for DECwindows sessions) is xtermlock.

HIf the forgetful users are in an application menu environment, the menu 7can potentially be extended to provide this capability.p

5.24 Do I need a PAK for the DECevent (HP Analyze) tool?

ADECevent and HP (Compaq) Analyze are available to customers with Gsupport contracts. The PAK is required only for the advanced functions Fof DECevent, the basic bits-to-text translation of the error log does Gnot require a license PAK. Ignore the prompt, in other words. (The PAK Fshould be available to you if you have a hardware support contract or Fwarrantee, and the PAK enables the use of the advanced error analysis /and notification capabilities within DECevent.)

;Please see the following website for details and downloads: Analyze)

-http://www.compaq.com/support/svctools/

5.25 INITIALIZE ACCVIO and ANSI tape label support?

CA change was made (back in 1988) to (as it was then known) VAX/VMS DV5.1-1 that added support for the then-new ANSI X3.27-1987 magnetic Etape label standard. Prior to the ANSI X3.27-1987 standard, the date Ffield in the ANSI HDR1 record permits dates only as far as the end of HYear 1999. With ANSI X3.27-1987, dates through Year 1999 and dates from !Years 2000 to 2099 are permitted.

BVersions of INIT.EXE and MTAACP.EXE from VAX/VMS releases prior toHV5.1-1 will potentially have problems properly processing ANSI magnetic tapes when Y2KFand later dates are involved---the DCL INITIALIZE command is known to +encounter access violation (ACCVIO) errors.

DThe available solutions include upgrades, or setting the date back. EDirect initialization of the tape with the new headers (via $qio) is Galso clearly possible, though the limitation within the old MTAACP.EXE 2magtape ACP image is not nearly so easy to bypass.d

5.26 How do I recover from INSVIRMEM errors?

=Prior to OpenVMS Alpha V7.0 and on all OpenVMS VAX releases, GVIRTUALPAGECNT and PGFLQUOTA limit the amount of virtual address space "that is available to each process.

CFurther limiting the amount of address space is the size of system Hspace (S0 and S1 space). On OpenVMS Alpha versions prior to V7.0 and on Dall OpenVMS VAX releases, VIRTUALPAGECNT and MAXPROCESSCNT together Gdetermine the size of the page table data structures that occupy large @tracts of system space. When no system virtual address space is Gavailable for the stuff that needs it---this includes the page tables, Bnon-paged pool, and various other structures---then the values of 5VIRTUALPAGECNT and MAXPROCESSCNT cannot be increased.

EIn OpenVMS Alpha V7.0 and later, the page table data structures have Hbeen moved out of S0 and S1 space and into page table space. In OpenVMS GAlpha V7.2 and later, certain large data structures found in non-paged Bpool (eg: lock management structures) have been moved into 64-bit Espace, thus freeing up room in non-paged pool and in S0 and S1 space F(where non-paged pool resides) while also permitting much larger data structures.~

5.27 How can I prevent a serial terminal line from initiating a login?

(In SYSTARTUP_VMS.COM, issue the command:

"
+$ SET TERMINAL/NOTYPEAHEAD/PERMANENT ddcu:

DThis will prevent any unsolicited terminal input on ddcu:, and this Gunsolicited input is what triggers JOB_CONTROL to start up LOGINOUT on Fthe terminal. Once LOGINOUT starts up on the serial line, you can see Ginteresting behaviour (eg: audits, process creations, etc) as LOGINOUT Ftries to "chat" with whatever device is hooked onto the remote end of the serial terminal line.k

5.28 How does PCSI use the image BUILD_IDENT field?

FThe (undocumented) build ident field in an OpenVMS Alpha image header Eis 16 bytes long, and is used as a counted string of 0-15 characters G(ie, as an .ASCIC string, a string with the character count in byte 0) @and was originally introduced to provide information for use by FVMSINSTAL patch kits to determine whether an image should be replaced or not.

FStarting with OpenVMS Alpha V7.1-2, OpenVMS Engineering uses the PCSI Cutility to package and install ECO kits for OpenVMS. PCSI uses the Hgeneration attribute (a 32-bit unsigned integer) specified for files in Bthe product description file (PDF) of a PCSI kit as the basis for Eperforming file conflict detection and resolution. When a product is Finstalled, PCSI modifies the build ident field of Alpha image headers Hto store an encoded form of the generation number. It also looks at the ?build ident field of previously installed images to obtain the Egeneration information for those files as input to the file conflict ?processing algorithm. (Only images have this field, obviously.)

FPCSI interprets the build ident field of a previously installed image as follows:

if the string length is 15, the 5th character is a hyphen, and the J last ten characters are a ten digit number with leading zeros, then the ? last ten characters are treated as a valid generation number.I
for V7.1-2 through V7.2-1, inclusive, if the above test fails, the 9 information is obtained from the PCSI product database.F
in releases after V7.2-1 and with current PCSI ECO kits, if the J above test fails, an invalid generation number is treated as 0000000000 I so that the ECO kit will simply replace the image rather than assuming the PCSI database is in error.

DSo, what will you see in the image identification displayed via the ANALYZE/IMAGE command?

CFor an image that has been built as part of an OpenVMS Engineering Esystem build, you will generally see a build ID string in the format H"X6TE-SSB-0000"---X6TE is the build number for the OpenVMS Alpha V7.2-1 Erelease. This id format is used within the OpenVMS system build, and Dcan generally only be seen associated with images that have not yet been processed via PCSI.

HDuring the installation of V7.2-1, PCSI will modify the image header to Ghave a build ident string of "X6TE-0050120000". During installation of Gan ECO kit containing this image with a generation number of 50130052, @for example, PCSI would determine that 50130052 is greater than F50120000, and will replace the existing image on the target disk with 1the version of the image included in the ECO kit.u

5.29 How can I tell what software (and version) is installed?

AThere is unfortunately no consistent nor single way to make this ?determination---this is one of the reasons that a move to PCSI installations is underway.

AOn OpenVMS Alpha, you can use VMSINSTAL.HISTORY and PRODUCT SHOW ?PRODUCT to determine what packages have been installed via the 'VMSINSTAL and PCSI tools, respectively.

?To see which OpenVMS Alpha ECO kits have been applied, look in DVMSINSTAL.HISTORY on OpenVMS Alpha prior to V7.1-2, and use PRODUCT 4SHOW PRODUCT/FULL on OpenVMS Alpha V7.1-2 and later.

HOn OpenVMS VAX, you can use PRODUCT SHOW PRODUCT and (for software that Cis installed via VMSINSTAL on V7.3 and later) in VMSINSTAL.HISTORY.

EFor products installed on OpenVMS VAX prior to V7.3 using VMSINSTAL, >there is no reliable way to determine what products have been Finstalled. If the product provides a RELEASE_NOTES file (as many do), 7you can look for the list of these files via DIRECTORY ESYS$HELP:*.RELEASE_NOTES. Again, this approach is NOT reliable: some Ekits do not provide release notes, some system managers will install Honly the release notes, some system managers will delete release notes, 7and release notes for multiple versions can be present.

DOn most packages, you can generally use ANALYZE/IMAGE on one of the Ccore images, looking at the image identification area. Some of the *product-specific mechanisms available are:

DQS DQS$VERSION logical name
C CC/VERSION
C++ CXX/VERSION'
TCP/IP TCPIP SHOW VERSION command

5.30 What file checksum tools are available for OpenVMS?

GThe undocumented DCL command CHECKSUM is the usual means, and provides >a rather simple-minded checksum suitable to detect basic file Hcorruptions. For information and an OpenVMS version of the MD5 checksum tool, see:

Bhttp://www.support.compaq.com/svctools/md5-instructions.html

AThe OpenVMS Alpha ECO (patch) kit checksums available at the ECO @website are determined using the following DCL command sequence:

"
#$ CHECKSUM kitname.pcsi-dcx_axpexe $ SHOW SYMBOL CHECKSUM$CHECKSUM

lSee Section 5.17 for information on acquiring OpenVMS ECO (patch) kits.p

5.31 What (and where) is the OpenVMS Management Station?

DFor information and current kits for the OpenVMS Management Station E(OMS), a PC-based tool that permits you to manage an OpenVMS system, please see:

;http://www.openvms.compaq.com/openvms/products/argus/

5.32 How to determine current disk fragmentation level?

AThe HP OpenVMS Disk File Optimizer (DFO) defragmentation package <provides a fragmentation monitoring tool, and a DFO product Hauthorization key (PAK) is not required for the fragmentation reporting tool:

"
$ DEFRAG SHOW/VOLUME ddcu:

HThe DFU tool available on the OpenVMS Freeware can generate a report on the disk fragmentation:

"
DFU> REPORT ddcu:

u

5.33 SYSBOOT-I-FILENOTLOC, Unable to locate SYS$CPU_ROUTINES?

?A message at the OpenVMS Alpha bootstrap such as the following:

"
B%SYSBOOT-I-FILENOTLOC, Unable to locate SYS$CPU_ROUTINES_1C02.EXE =%SYSBOOT-E-LDFAIL, failed to load execlet, status = 00000910

Eindicates that the particular OpenVMS Alpha release does not contain @support for the target platform. In this case, OpenVMS does not Erecognize Alpha family 1C member 02 as a supported platform. A later Dversion of OpenVMS might support the platform, or there might be no Hsupport on any release. Ensure that you have the most current firmware, =and review the minimum version requirements for the platform.

GThe execlet load failure and other similar bootstrap status values can :often be decoded using either of the following techniques:

"
$ exit %x910 #%SYSTEM-W-NOSUCHFILE, no such file $ $ x = f$message(%x910) $ show symbol x + X = "%SYSTEM-W-NOSUCHFILE, no such file" $

AAlso see Section 14.4.4.1.{

5.34 How can I customize the DCPS device control for a new printer?

HTo customize DCPS for an otherwise unsupported printer, you can try the following sequence:

Extract the most closely-associated setup modules from the existing B device control library, DCPS$DEVCTL.TLB. (For instance, you can G probably extract and use the HP LaserJet 4000 series definitions for J the HP LaserJet 4050 series. Each printer will vary, please consult the 8 printer documentation for specifics and requirements.)<
rename each extracted setup module to a corresponding:
"
LPS$$UNRECOGNIZED_*
I
Insert all of the above-renamed setup modules into a newly-created 5 device control library specific to the new printer:
"
$ LIBRARY/TEXT/CREATE - ) SYS$COMMON:[SYSLIB]HP4050_DEVCTL.TLB LPS$$UNRECOGNIZED*
L
The above assumes the filename HP4050_DEVCTL.TLB, alter as required.C

Set up your DCPS startup procedures to include a search-list logical name such as:

"
-$ DEFINE/SYSTEM/EXECUTIVE DCPS_HP4050_LIB - % SYS$LIBRARY:HP4050_DEVCTL.TLB, - SYS$LIBRARY:DCPS$DEVCTL.TLB

C

Supply DCPS_HP4050_LIB as the library parameter in the queue D startup for this printer, this is the P3 parameter to the command 1 procedure SYS$STARTUP:DCPS$EXECUTION_QUEUE.COM.J
The HP4050_DEVCTL library may/will need to be recreated and modules E re-edited and replaced with each DCPS upgrade, particularly if any E modules are updated in the original library. You will also want to B determine if the upgraded version of DCPS directly supports the particular printer.E
To customize the processing of file extensions within DCPS (to G enable or disable graybar output, for instance), use the information available in:
"
6SYS$LIBRARY:DCPS$FILE_EXTENSION_DATA_TYPE.DAT_DEFAULT

!to create your own site-specific:

"
.SYS$LIBRARY:DCPS$FILE_EXTENSION_DATA_TYPE.DAT

;Also see Section 5.15.y

5.35 Why do $GETDEV MOUNTCNT and SHOW DEVICE mount counts differ?

FMOUNTCNT returns the local mount count, while SHOW DEVICE returns the cluster-wide mount count.m

5.36 What software is needed for Postscript printers?

HThe NorthLake PrintKit (www.nls.com) and DECprint Supervisor (DCPS) are =common choices for support of Postscript printers on OpenVMS.

?You may also require the installation of an IP transport stack.

{Also please see Section 15.2.2 and Section 15.2.3.n

5.37 How do I remove a PCSI-installed patch (ECO) kit?

1You cannot PRODUCT REMOVE a PCSI patch (ECO) kit.

EIn order to remove an ECO kit, PCSI would have to have copies of all Hthe other version of the files from all other patches and products that Fpreviously were installed. This can clearly involve a large number of Afiles and a large archive of old file versions and a substantial ?quantity of disk space. While removal is clearly theoretically *possible, it is not currently implemented.

DThe following is the supported mechanism to remove a PCSI patch kit.

Execute a PRODUCT SHOW PRODUCT product-name. /FULL command. The F "maintenance" column (132 column width) shows the patches 8 that have been installed. Keep a copy of this listing.:
Acquire kits for all of the maintenance kits listed.I
Re-install the prior FULL version of the product. This will remove B all patch kits, setting to product back to "original" condition.G
Re-install all the patches in the list from step 1, except those 4 patches which you have determined you do not want.

8The above information also applies to PCSI PARTIAL kits.u

5.38 SYSINIT-E, error mounting system device, status=0072832C

<This message can arise during an OpenVMS system bootstrap...

"
D%MOUNT-F-DIFVOLMNT, different volume already mounted on this device

9For details and further information, use the DCL command:

"
$ HELP/MESSAGE /STATUS=%X72832C

\

5.39 Resolving License PAK Problems?

HThe PAK release date, the PAK termination date, and the PAK version are Hthe usual culprits when a license product authorization key (PAK) check failure occurs.

FThe PAK termination date is the date when the license PAK will expire.

HThe PAK release date is the date of the most recent release date of the Gsoftware package that will be permitted by the particular license PAK. F(The release date check is analogous to a product version check.) The HPAK version indicates the most recent product version that is permitted by the license.

DHaving multiple license PAKs registered (and active) can also cause Aproblems if an expired PAK gets loaded. You will want to DISABLE ,license PAKs you do not wish to have loaded.

EOther problems include a failure to register each PAK in all license Gdatabases throughout a multiple-system-disk cluster, with a consistent Cset of /INCLUDE lists specified across each of the duplicated PAKs.

AAdditionally, you could have an invalid LMF$LICENSE logical name Bdefined. (If no LMF$LICENSE logical name is defined, the standard @license database named SYS$SYSTEM:LMF$LICENSE.LDB will be used.)

HYou can display license failures by defining the following logical name:

"
1$ DEFINE/SYS/EXEC LMF$DISPLAY_OPCOM_MESSAGE TRUE

CEnable your terminal as a license operator (REPLY/ENABLE=LICENSE), Ddefine the LMF$DISPLAY_OPCOM_MESSAGE logical name, and then try the Cfailing operation again. You should see one or more OPCOM messages displayed.

HIf you have the LMF$DISPLAY_OPCOM_MESSAGE logical name defined, you can D(will?) see spurious license check failures---various products will Dcheck for multiple licenses, and a few products will check for PAKs Ethat either have not yet been or will not be issued. Once you figure Eout which license has failed, you will want to deassign this logical name.

Note

DThat there are no license check failures does not indicate Cthat the particular product or operation or use is permissible per ?applicable licensing agreements. Please consult the applicable Hagreement(s) for licensing-related information and requirements.

HTo register a license PAK on a DECwindows system when DECwindows cannot Bstart (because of an expired license or other licensing problem), kfollow the steps outlined in section Section 5.6 up through the use of Bthe AUTHORIZE command. In place of the AUTHORIZE command, use the econsole to register the license PAKs. Also see Section 12.5 for *licensing and troubleshooting information.

AFor information on licensing and on the numbers of license units Frequired for various products and various platforms, the License Unit *Requirements Table (LURT) is available at:

3http://www.compaq.com/products/software/info/

5.40 Changing the OpenVMS Version Number?

HFool your friends, baffle your enemies, run the OpenVMS version of your choice!

On OpenVMS Alpha systems:

"
#$ SET DEFAULT SYS$COMMON:[SYS$LDR] $ RUN SYSVER REPLACE V9.9 WRITE $ EXIT

On OpenVMS VAX systems:

"
#$ set default SYS$COMMON:[SYS$LDR] &$ copy SYS.EXE SYS.EXE_IN-CASE-I-FAIL $ patch SYS.EXE define sys$gq_version=800044b8 set mode ascii !examine sys$gq_version !examine sys$gq_version+4 "deposit sys$gq_version = "V9.9" "deposit sys$gq_version+4 = " " update exit $ Exit

'Then reboot the system at your leisure.r

5.41 How to prevent users from choosing obvious passwords?

GTo prevent users from selecting obvious passwords on OpenVMS, you will Bwant to use the reserved password (password screening) mechanism. @Effectively, you merge your list of reserved passwords into the Fexisting reserved words database maintained by OpenVMS. (You can also Fthen require all users to reset their passwords---via the pre-expired Fpassword mechanism---thus forcing users to select new passwords.) For Fdetails on the password screening mechanism, of the reserved password Edatabase (VMS$PASSWORD_DICTIONARY.DATA), and details of how to merge Dyour list of prohibited passwords into the database, please see the Fassociated chapter in the OpenVMS security manual. For details of the Cpassword expiration mechanism, see the AUTHORIZE command qualifier /PWDEXPIRED.

@You can also implement a site-specific password filter with the Einformation provided in the back of the OpenVMS Programming Concepts Dmanual. The password filter permits you to establish particular and Hsite-specific password requirements. For details, please see the system parameter LOAD_PWD_POLICY=and the programming concepts manual, and see the examples in ESYS$EXAMPLES:. (Examples and documentation on V7.3 and later reflect Cboth platforms, the examples are found only on OpenVMS VAX kits on Dearlier releases. The capabilities have existed on both the VAX and #Alpha platforms for some time now.)

CTo verify current passwords, you can also use a technique known to Fsystem crackers as the "dictionary attack"---the mechanism that makes Ethis attack somewhat more difficult on OpenVMS is the hashing scheme >used on OpenVMS, and the file protections used for the SYSUAF Hauthorization database. Given a dictionary of words and the unprotected Ccontents of the SYSUAF file, a search for obvious passwords can be =performed. Interestingly, a "dictionary attack" also has the Eunfortunate side-effect of exposing the password to the user---while Hthis is clearly the goal of a system cracker, authorized privileged and Cnon-privileged system users should not know nor have access to the %(cleartext) passwords of other users.

EAccordingly, OpenVMS does not store the cleartest password. Further, HOpenVMS uses a password hashing algorithm, not an encryption algorithm. HThis means that storage of a cleartext password is deliberated avoided, Fand the cleartext value is deliberately very difficult to obtain. The Bhash is based on a Purdy Polynomial, and the hash itself includes Guser-specific values in addition to the password, values that make the 1results of the password hash unique to each user.

FRegardless of the use of a password hashing scheme, if a copy of your Dpassword file should become available to a system cracker, you will 9want to force all users to use new passwords immediately.

EIf you should require a user to verify a password, use the username, Cthe user's salt value (this value is acquired via $getuai) and the Fuser's specified cleartext password, and compare the resulting hashed @value (using a call to $hash_password) against the saved hashed Fpassword value (this value also acquired via $getqui). For reasons of Esecurity, avoid saving a cleartext password value in any data files, Aand do not maintain the cleartext password in memory longer than ;required. (Use of $ACM on V7.3-1 and later is recommended.)

DKerberos authentication (client and server) is available on OpenVMS HV7.3 and later. Integration of Kerberos support into various Compaq and &into third-party products is expected.

GExternal authentication is available in V7.3-1 and later, with support =for user-written external authentication in V7.3-2 and later.

DIf you are simply looking for OpenVMS access and the SYSTEM and all Cother privileged passwords are forgotten or otherwise unavailable, hplease see section Section 5.6 and/or the OpenVMS documentation set.

AAlso please see the C2 guidelines in the OpenVMS security manual.

r Y \ ^

Contents

Index