Configuring and Managing MPE/iX Internet Services
HP e3000 MPE/iX Computer Systems
Edition 6
Manufacturing Part Number: 32650-90906
E0802
U.S.A.

Notice

The information contained in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. Hewlett-Packard shall not be liable for errors contained herein or for direct, indirect, special, incidental or consequential damages in connection with the furnishing or use of this material.
Preface

This manual describes how to configure and operate Internet Services on the HP e3000. It is written for members of the system administration staff who have been assigned system manager (SM) or system supervisor (OP) capability and who are responsible for installing, configuring and managing system and network software. As such, it presumes a good understanding of networking concepts and familiarity with HP e3000 system operations.

1 Introduction to Internet Services

The HP e3000 Internet Services consist of a set of programs that help the HP e3000 computer exchange information with other nodes on the internet. The Internet Services offered on the HP e3000 are a subset of the Internet Services available on the HP 9000, which were previously called the ARPA Services.
Overview of Internet Services

Summary of HP e3000 Internet Services

Table 1-1 Summary of HP e3000 Internet Services

Service   Description
inetd     The Internet daemon inetd is the master server for the group of Internet Services rather than an individual network service. You must install and configure inetd on your system to use the other services as listed below.
• Configure one or more network interface link cards that support TCP/UDP/IP communications protocol.
• Configure the Net Transport communications software which uses the TCP/UDP/IP protocol.

The necessary software and at least one TCP/UDP/IP network interface card is delivered with each PA-RISC HP e3000 system. Internet Services runs on top of the Net Transport software and therefore runs over any type of link supported by Net Transport.
5. Check for any error messages, such as a missing module or a message telling you of a version mismatch, for example:

    Version levels differ in one or more modules. (NMERR 103)
    Internet Services for the HP e3000 overall version = ?.??.
Installed Configuration Files

If you install and configure all of the Internet Services according to the instructions in this manual, you will have the set of files described in Table 1-2.

Table 1-2 Configuration Files

Sample name        MPE name space   HFS name space   Description
SERVSAMP.NET.SYS   SERVICES.NET.
Services File

The services file associates an official service name and alias with the port number and protocol that a service uses. You will edit the services file for each new service that you want to add to your system. The remaining chapters in this book, which describe the configuration of individual services, will assume that you know the following information. And, of course, you can refer back to this section as needed.
2. For the service that you are installing, check the file to see if it has the appropriate entry. (Each chapter in the remainder of this manual has this information.) If not, enter the line in the file using the “Editing Tips” section, next, as a guideline.

NOTE For more information on FTP, refer to Installing and Managing HP ARPA File Transfer Protocol Network Manager’s Guide or HP ARPA File Transfer Protocol User’s Guide.

3.
Protocols File

The protocols file contains a list of protocols known to the system, plus the identification number and one or more aliases for each. It is unlikely that you will need to edit the protocols file, but you may need to install and link it.

Creating and Linking Protocols File

You may already have a protocols file installed on your system.
Viewing Protocols File

Use an MPE text editor to open the file. It is unlikely that you will need to edit the file, but you can look at it now to familiarize yourself with its contents.

    # This file associates protocol numbers with official protocol names and
    # aliases. This allows the user to refer to a protocol by a symbolic
    # name instead of a number.
2 Internet Daemon

The Internet daemon inetd is the master server (sometimes called a “superserver”) for the Internet Services. When it is running, inetd listens for connection requests for the services listed in its configuration file and, in response to such requests, starts the appropriate server. You, as system manager, determine which Internet Services are available to your users by editing the inetd configuration file.
inetd Configuration File

Internal Services Provided by inetd

The Internet daemon provides several internal trivial services which are described here.

Service    Description
echo       Returns a character to the socket that sent it
discard    Discards all input from socket
chargen    Generates characters and sends them to a socket
daytime    Returns the current time in a format readable by people.
The Internet daemon reads its configuration file on three occasions:

• When inetd is started during normal system startup
• When inetd is started following a network shutdown as opposed to a system shutdown
• When you instruct an executing inetd to reread the configuration file after you have made changes to it that you wish to put into effect

Creating and Linking inetd Configuration File

You may already have a configuration file for inetd installed on your sys
Adding New Services to inetd Configuration

There are two steps required to add a new service to the suite of Internet Services offered on your system. First you enter a line of information for the specific service to the inetd configuration file. Then you have inetd reread its configuration file, which is sometimes called reconfiguring the Internet daemon.
Editing Tips

When you are editing the inetd configuration file, keep in mind these points:

• If you find the line, but it has been “commented out” (that is, preceded by a pound sign, #), the service has not yet been enabled. To enable it, simply delete the pound sign and any spaces that precede the service name.
Reading an entry from left to right, these fields are:

Field          Purpose
service name   The name of the service in the services file.
socket type    Either stream if the socket is a stream socket, or dgram if the socket is a datagram socket.
protocol       A valid protocol name, either tcp or udp, as entered in the protocols file.
wait state     One of two states, wait or nowait, that applies only to datagram sockets.
2. Create a symbolic link from /usr/adm/inetd.sec in the POSIX name space to INETDSEC.NET.SYS. Enter:

    :NEWLINK /usr/adm/inetd.sec, INETDSEC.NET.SYS

3. Check the security provisions of the file and change them, if necessary. Hewlett-Packard recommends that only MANAGER.SYS has write access to INETDSEC.NET.SYS, and write and purge access to /usr/adm/inetd.sec.
Updating inetd Security File

Each line in the inetd security file contains a service name, a permission field, and the IP addresses or domain names of the hosts and networks allowed to use that service on your host system. You can open the file to view the current security restraints or to change them. To do so:

1. Open the security file with an MPE text editor.
Using Wildcard Characters

You may use wildcard characters (*) in any of the fields of the address to specify permissions for a group of hosts or networks. This makes it more convenient to specify an entire network, since you will not need to specify each host in that network. The following sample entry, for example, allows all hosts with network addresses starting with a 10, as well as the single host whose address is 192.54.24.5 to use Telnet:

    telnet allow 10.* 192.54.
Using Range Character

You may use the range indicator (-) in any of the fields of the address to specify which hosts or networks in a group are exempted from the permission assignment. This makes it more convenient to allow or deny a service for a subnet within the network you specify. The following sample entry, for example, denies hosts in subnets 3 through 5 of network 10 access to Telnet.
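The allow/deny, wildcard and range rules described above can be checked offline before a changed security file is put into effect. The following Python is an added example, not code from the manual or from Hewlett-Packard. It handles numeric addresses only, and the range entry in the sample, the expansion of a trailing * to all remaining fields, and the rule that the last valid entry for a service applies are assumptions.

```python
"""Evaluate inetd security file entries (added example, numeric addresses only)."""
from typing import NamedTuple, Optional, Tuple


class Entry(NamedTuple):
    service: str
    permission: str            # "allow" or "deny"
    patterns: Tuple[str, ...]  # host or network address patterns


def parse_line(line: str) -> Optional[Entry]:
    """Parse one line; return None for blanks, comments and invalid entries."""
    fields = line.split("#", 1)[0].split()
    if len(fields) < 2:
        return None
    service, permission = fields[0], fields[1].lower()
    if permission not in ("allow", "deny"):
        # The manual states that inetd ignores an entry whose second
        # column is not one of the keywords allow or deny.
        return None
    return Entry(service, permission, tuple(fields[2:]))


def field_matches(spec: str, octet: int) -> bool:
    """Match one address field: '*', a single number, or a 'low-high' range."""
    if spec == "*":
        return True
    low, dash, high = spec.partition("-")
    if not low.isdigit() or (dash and not high.isdigit()):
        return False
    return int(low) <= octet <= int(high) if dash else int(low) == octet


def address_matches(pattern: str, ip: str) -> bool:
    """True when a dotted-decimal address falls under one pattern."""
    parts = ip.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return False
    fields = pattern.split(".")
    # Assumption: a trailing '*' stands for every remaining field,
    # so "10.*" covers all of network 10.
    if fields[-1] == "*" and len(fields) < 4:
        fields += ["*"] * (4 - len(fields))
    if len(fields) != 4:
        return False  # host names and malformed patterns are not handled here
    return all(field_matches(f, int(p)) for f, p in zip(fields, parts))


def check_access(config_text: str, service: str, ip: str) -> bool:
    """Decide whether ip may use service under the given file contents."""
    entry = None
    for line in config_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed.service == service:
            entry = parsed  # assumption: the last valid entry applies
    if entry is None:
        return True  # no valid entry: no security is applied to the service
    listed = any(address_matches(p, ip) for p in entry.patterns)
    return listed if entry.permission == "allow" else not listed


# Constructed samples. The first mirrors the wildcard entry described in the
# text; the second is an assumed spelling of the range case it describes.
SAMPLE_ALLOW = "telnet allow 10.* 192.54.24.5\n"
SAMPLE_DENY = "telnet deny 10.3-5.*\n"

if __name__ == "__main__":
    for cfg, ip in [(SAMPLE_ALLOW, "10.1.2.3"), (SAMPLE_ALLOW, "192.54.24.6"),
                    (SAMPLE_DENY, "10.4.0.9"), (SAMPLE_DENY, "10.6.0.9")]:
        verdict = "allowed" if check_access(cfg, "telnet", ip) else "denied"
        print(f"{cfg.strip():35} {ip:15} {verdict}")
```
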
Starting and Stopping inetd

Passwords on JINETD

When you stream the job file JINETD.NET.SYS, it logs on as MANAGER.SYS. As part of the installation of inetd, you must take care of any password requirements for this job. Two of the ways that you can do this include:

• Add the MANAGER.SYS passwords directly to the job file, then alter the file security afterwards so that only MANAGER.SYS can read it. For example:

    :ALTSEC JINETD.NET.
    JOBNUM STATE IPRI JIN #J6667 SCHED 15 JLIST 10S PP SCHEDULED-INTRO 1/15/96 16:50 JOB NAME CHECKJOB,MANAGER.SYS
    1 SCHEDULED JOB(S)

2. Issue the ABORTJOB command, specifying JINETD’s job number on the command line. For example, if JINETD were logged on as job number “6540”, you would enter:

    :ABORTJOB #J6540

NOTE If you have started inetd interactively, you use the -k option to kill (stop) it. To do so, enter INETD.NET.
Using inetd Message Logging

The syntax of the messages you will see appears here:

    <><><><> <>:<>
Enable and Disable Connection Logging

The same command turns connection logging on or off, depending upon its current state. So, for example, if message logging is currently disabled, enter the following command at the CI prompt to turn it on:

    :INETD.NET.SYS -1’’

Or, from the POSIX shell, enter the following command:

    $/etc/inetd -1

If message logging is enabled, use either the CI or POSIX command shown above to turn it off.
Troubleshooting inetd

Message: /etc/inetd.conf: line number: nnn error

Explanation: There is an error on the line specified by nnn in the inetd configuration file. The Internet daemon skips this line, continues reading the rest of the file, and configures itself accordingly. To solve the problem, open the configuration file, edit the erroneous line, and save the corrected version. Then, tell inetd to reread the new version of INETDCNF by issuing the inetd.net.
Message: service/protocol: Access denied to remote host (address)

Explanation: The remote host failed to pass the security test for the service indicated in the message. If this message appears frequently, it can indicate that someone is trying to repeatedly access your system, and failing.

Message: service/protocol: Connection from remote host (address)

Explanation: When connection logging is enabled, this message indicates a successful connection attempt to the specified service.
Message: /usr/adm/inetd.sec: allow/deny field does not have a valid entry for service.

Explanation: The entry in the second column is not one of the keywords allow or deny. The inetd server ignores the entry and does not implement security for this service unless there is a subsequent entry in the inetd security file for this service that is correct.
3 Telnet Service

With the release of version C.55.00 of MPE/iX, Telnet server functionality is available to HP e3000 customers. The Telnet server allows users on a remote system that supports the TCP/IP and Telnet protocols to log on and run applications on the HP e3000. The Telnet client, which was first made available on version C.50.00 of MPE/iX, gives users on an HP e3000 direct access to other systems that support Telnet and TCP/IP.
Overview of Telnet Service

Telnet service consists of a Telnet client and a Telnet server. The Telnet server uses the standard virtual terminal protocol, originally developed by the Advanced Research Projects Agency (ARPA) to allow users on a remote node that supports the Telnet and TCP/IP protocols to log on and run applications on the host HP e3000.
Verifying Installation of Telnet Files

If you have installed or updated to version C.60.00 of MPE/iX, use the following steps to verify that the Telnet software exists on your system:

1. If necessary, log on the system as MANAGER.SYS.
2. Run NMMAINT to verify that you have successfully installed the Telnet files.

    :NMMAINT,72

You will see information similar to the following.

    NMS Maintenance Utility 32098-20014 B.00.09 (C) Hewlett Packard Co.
Configuring Telnet Server

To configure Telnet, you will edit two files: the services file, which lists the individual services that comprise the suite of Internet Services, and the inetd configuration file, which informs the Internet daemon about running Telnet on this system.

Editing the Services File

The services file associates official service names and aliases with the port number and protocol the services use.
For more detailed information about editing this file, read Chapter 2, “Internet Daemon.
Troubleshooting Telnet

This section explains the kinds of errors that may arise regarding the operation of Telnet. The Telnet client user will, in all but one case, be alerted about the problem directly; an error message will appear on the client’s terminal. You, as system manager of the host system, may receive phone calls from clients asking you to investigate the problem.

Problem: Unknown service

Explanation: This message will be written to $STDLIST for JINETD.NET.
Problem: The Telnet server cannot run an application

Explanation: The Telnet client successfully established a Telnet connection and logged on to the host system. But, when the user runs the application, the software behaves oddly or it produces error messages.
Implementation Differences

The implementation of Telnet on the HP e3000 does not use a separate telnetd server file similar to the tftpd or bootpd server. Instead, Telnet server functionality is provided by code that resides in NL.PUB.SYS on version C.60.00 of MPE/iX. As a result, the last column of the Telnet entry in the inetd configuration file is the word “internal.” For example:

    telnet stream tcp nowait MANAGER.
4 BOOTP Service

The Internet Boot Protocol daemon, or bootpd, is used to boot LAN devices such as routers, printers, X-terminals, and diskless workstations. Nodes on the network use bootpd to get configuration information such as an IP address and a subnet mask and automatically boot the device. This chapter describes:

• How to configure bootpd.
• How to start bootpd once it has been configured.
• Implementation differences between bootpd for MPE/iX and bootpd for HP-UX.
Overview of bootpd

The Bootstrap Protocol BOOTP allows a client system to get boot information such as its own IP address, the address of a BOOTP server, and the name of the file it needs to load into its memory and execute to boot the printer. The bootstrap operation happens in two phases. In the first phase, the BOOTP daemon bootpd determines the address of a BOOTP server and selects a boot file.
Configuring bootpd

    bootpc 68/udp # Bootstrap protocol client

3. If the lines already exist in the file and they are preceded by a pound symbol (#), delete the symbol and any spaces before the service name to enable the service.
4. Save the file and exit the editor program.

Adding BOOTP Server to inetd Configuration

The configuration file for inetd determines which installed Internet Services are available to users.
The bootpd Configuration File

When bootpd is started, it reads a configuration file to find out information about clients and relays, then listens for boot request packets. By default, bootpd uses the configuration file /etc/bootptab, but you may specify another configuration file.
• Name of the client’s system.
• Type of network interface hardware (IEEE 802.3 or Ethernet).
• Client’s hardware address.
• Client’s assigned IP address.
• IP address mask that identifies the network where the client resides.
• Address of the gateway for the client’s local subnet.
• Name of the boot file that the client will retrieve using TFTP.
Tags Used in bootpd Configuration File

You can use any of the following tags to enter client or relay data into the bootpd configuration file.

Tag: ba or ba=address

Description: Tells bootpd to broadcast the boot reply to the client. If you specify no value for ba, bootpd sends the boot reply on the configured broadcast address of each network interface on the server’s system.
Tag: Tnnn=generic-data

Description: A generic tag where nnn is an RFC1048 vendor field tag number. This allows bootpd to immediately take advantage of future extensions to RFC1048. The generic-data data can be represented as either a stream of hexadecimal numbers or as a quoted string of ASCII characters. The length of the generic data is automatically determined and inserted into the proper fields of the RFC1048-style boot reply.
A relay entry can contain relay parameters for an individual system or for a group of systems. If a BOOTP client does not have an individual entry in the bootpd configuration file, bootpd searches the group relay entries and uses the first group relay entry that matches the BOOTP client.
Sample bootpd Configuration Files

The two following examples show sample bootpd configuration files. The first example shows the configuration for a simple network without gateways or subnets.

    #
    #
    # The first entry is the template for options common to all of the printers.
    #
    #global.defaults:\
    # hn:\
    # ht=ether:\
    # vm=rfc1048:\
    #
    # Now the actual entries for the individual printers are listed.
    #
    #printer1:\
    # tc=global.defaults:\
    # ha=08000903212F:\
    # ip=10.13.193.
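A template entry pulled in with tc= makes it easy to miss a client whose hardware or IP address is wrong or duplicated. The following Python is an added example, not code from the manual or from bootpd itself: it expands tc= templates and audits client entries in a constructed file. It assumes Ethernet-style 12-digit hardware addresses, that tags written in an entry override those of its template, and that values contain no colons; relay entries are not covered.

```python
"""Expand tc= templates in bootptab-style text and audit client entries."""
import re

HEX_MAC = re.compile(r"^[0-9A-Fa-f]{12}$")
DOTTED = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def read_entries(text):
    """Return {entry name: [(tag, value), ...]}; a tag without '=' gets True."""
    logical, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line.startswith("#")):
            continue                      # blank line or comment
        if line.endswith("\\"):
            pending += line[:-1]          # entry continues on the next line
            continue
        logical.append(pending + line)
        pending = ""
    if pending:
        logical.append(pending)
    entries = {}
    for item in logical:
        name, *tags = [field.strip() for field in item.split(":")]
        pairs = []
        for tag in filter(None, tags):
            key, eq, value = tag.partition("=")
            pairs.append((key, value if eq else True))
        entries[name] = pairs
    return entries


def resolve(entries, name, _seen=()):
    """Return the effective tags of one entry after following tc= references."""
    if name in _seen:
        raise ValueError("tc loop: " + " -> ".join(_seen + (name,)))
    if name not in entries:
        raise KeyError(f"unknown template {name!r}")
    inherited, own = {}, {}
    for key, value in entries[name]:
        if key == "tc":
            inherited.update(resolve(entries, value, _seen + (name,)))
        else:
            own[key] = value
    # Assumption: tags written in the entry itself override the template's.
    return {**inherited, **own}


def audit(text):
    """List problems in client entries (entries that carry ha or ip)."""
    entries = read_entries(text)
    findings, seen_ha, seen_ip = [], {}, {}
    for name in entries:
        tags = resolve(entries, name)
        if "ha" not in tags and "ip" not in tags:
            continue                      # treated as a template
        ha, ip = tags.get("ha"), tags.get("ip")
        if not (isinstance(ha, str) and HEX_MAC.match(ha)):
            findings.append(f"{name}: missing or malformed ha")
        elif ha.upper() in seen_ha:
            findings.append(f"{name}: ha {ha} duplicates {seen_ha[ha.upper()]}")
        else:
            seen_ha[ha.upper()] = name
        match = isinstance(ip, str) and DOTTED.match(ip)
        if not match or any(int(g) > 255 for g in match.groups()):
            findings.append(f"{name}: missing or malformed ip")
        elif ip in seen_ip:
            findings.append(f"{name}: ip {ip} duplicates {seen_ip[ip]}")
        else:
            seen_ip[ip] = name
    return findings


# Constructed sample in the template-plus-clients layout; all values invented.
SAMPLE = r"""
global.defaults:\
    hn:\
    ht=ether:\
    vm=rfc1048
printer1:\
    tc=global.defaults:\
    ha=080009AAAA01:\
    ip=192.0.2.11
printer2:\
    tc=global.defaults:\
    ha=080009AAAA01:\
    ip=192.0.2.12
printer3:\
    tc=global.defaults:\
    ha=080009AAAA03:\
    ip=192.0.2.300
"""

if __name__ == "__main__":
    print(resolve(read_entries(SAMPLE), "printer1"))
    for finding in audit(SAMPLE):
        print(finding)
```
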
Starting bootpd Under inetd

If you are running bootpd with inetd, make certain that you have edited the inetd configuration file as explained earlier in this chapter. There is no special step required of you to start bootpd: When the Internet daemon is running, it will automatically invoke bootpd when it gets a connection request for that service. To find out how to start inetd, refer to Chapter 2, “Internet Daemon.
Troubleshooting bootpd

The BOOTPQRY program is a diagnostic tool used to check the configuration of bootpd. It uses the supplied parameters to construct a boot request to send to a BOOTP server. It prints the contents of the boot reply, including the client’s Internet address, the name of a boot file, and the name and address of the server that sent the reply. BOOTPQRY formats and prints RFC1048 or CMU-style vendor information included in the reply.
    # bootpquery 0800092175ff
    Received BOOTREPLAY from hpmpe992.cup.hp.com (15.19.134.20)
    hardware Address: 08:00:09:21:75:ff
    Hardware Type ethernet
    IP Address: 15.19.123.53
    Boot file: (None)
    RFC1048 Vendor Information:
    Subnet Mask: 255.255.248.0
    Log Server 15.19.134.
5 TFTP Service

The Trivial File Transfer Protocol (TFTP) is a basic communications protocol used to transmit files between nodes on a network. It is implemented on top of the Internet User Datagram Protocol (UDP), so it can be used across networks that support UDP. On the HP e3000, the TFTP daemon tftpd transfers boot files to or from the host HP e3000 to remote nodes on the network. This permits a network device to get the information it needs to start itself.
Overview of tftpd

TFTP is a simplified version of the File Transfer Protocol (FTP). The primary function of the TFTP daemon tftpd is to support the Bootstrap Protocol BOOTP, which allows network devices to get the information they need to boot, or start, themselves. Network devices commonly use TFTP to transmit boot files because TFTP is simple enough to be implemented in ROM.
Configuring tftpd

4. Save the file and exit the editor program.

There are two options in the tftpd entry, [user] and [path], which are explained in the next two sections. For more detailed information about editing the configuration file, read Chapter 2, “Internet Daemon.”

Specifying the TFTP User

The Internet daemon runs tftpd as the user specified in the [user] parameter of its entry in the inetd configuration file. For example, this entry instructs inetd to run the TFTP server as USER.
Specifying a Search Path

As an option, you can use the [path…] parameter in the inetd configuration file entry to specify the list of files or directories that are available to TFTP clients. For example, if you would like to have the /tmp and /bin directories available to TFTP clients in addition to the home group of the TFTP user, edit the line to look like this:

    tftp dgram udp wait USER.
Troubleshooting tftpd

The following error messages may be generated by TFTP and logged with the syslog facility, if it is enabled.

Message: Unknown option ignored

Explanation: An invalid option was specified in the tftpd arguments. Remove or correct the arguments and restart tftpd.

Message: Invalid total time-out

Explanation: The value given for the -T option was either not a number or was a negative number. Correct the value and restart tftpd.
6 REMSH Service

The remote shell, or remsh, service is used to connect to a specified host and execute a command on that remote host. The remote shell or remsh is available with version C.60.00 of the MPE/iX operating system. This chapter describes:

• How to configure the services file to allow remsh to run.
• How to verify that remsh is available on the system.
• How to run remsh.
• Implementation differences between remsh on MPE/iX and remsh for HP-UX.
Overview of remsh Service

The remote shell, remsh, is the same service as rsh on BSD UNIX systems. The name was changed due to a conflict with the existing command rsh (restricted shell) on System V UNIX systems. Use remsh to connect to the remote system and execute a command on that remote system. Output from the remote command is sent to standard output for remsh, so the user can see the results of the command.
Configuring remsh Client

3. If the line already exists in the file and is preceded by a pound symbol (#), delete the # and any spaces before the service name to enable the service.
4. Save the file and exit the editor program.
UNIX Configuration

The remsh service does not prompt for user ID and passwords. That information is handled via the command line parameters and configuration on the UNIX host. See the “Using remsh” section for details on how the user id is determined and passed to the UNIX host. Password information is bypassed by use of a .rhosts in the remote user’s home directory or by use of the file /etc/hosts.equiv.
Using remsh

version of the userID is USER.ACCOUNT, and the UNIX equivalent is user, it is unlikely that you will find a user on the remote system to match your id. We recommend that you always provide the -l remoteuser argument to remsh.

The remotecommand is the command the user wishes to execute on the remote machine. This command may be a CI command, a program (that meets certain criteria) or a shell script. If remotecommand is not specified, remsh will terminate and provide a usage message.
MPE/iX Examples

To run remsh from MPE/iX prompt, type:

    run remsh.net.sys;info="remotehost -l remoteuser remotecommand"

    jhereg(PUB): run remsh.net.
Troubleshooting remsh

remsh MPE/iX/X version won’t support rlogin or rexec functionality usage: remsh host -l login -n command

    Be sure to provide a command to execute.

remshd Login incorrect.

    Probably invalid entry in remote .rhosts file. Be sure host name and user id are correct. User ID must be in uppercase. Be sure you provided a -l userid parameter or that the remote system has a userid that matches your MPE/iX logon.
Implementation Differences

The HP-UX remsh client also allows rlogin and rexec functionality. Since the MPE/iX implementation was designed to address the needs of users attempting to access UNIX commands/scripts from stream jobs, we chose not to implement any feature needing interactive input with the remote system.
7 Samba for MPE/iX Services

Samba for MPE/iX is a suite of programs which work together to allow clients to access a server’s file space and printers via the Server Message Block (SMB) file server. Samba for MPE/iX runs on MPE/iX shell operating system starting with the MPE/iX 6.0 release. It allows the MPE/iX shell operating system to act as a file and printer server for SMB clients which are, primarily, Windows for Workgroups, Windows 95, Windows NT, and other clients.
Overview of Samba for MPE/iX

Samba for MPE/iX is a suite of programs which allow an HP e3000 running MPE/iX operating system to provide service using a Microsoft networking protocol called Server Message Block (SMB).
A general UNIX program that is part of the Samba suite has also been ported to MPE/iX shell operating system. This program allows MPE users to use an FTP-like interface to access filespace and printers on any other SMB servers. This capability enables these operating systems to act like a LAN server or Windows NT server. See Figure 7-1 for HP e3000 interoperating with the Microsoft platforms.
Major Components of Samba for MPE/iX

Table 7-1 shows the major components of the Samba for MPE/iX suite.

Table 7-1 Major Components

SMBD        The SMB server handles connections from clients, performing all the file, permission, and username authentication.
NMBD        The NetBIOS name server advertises Samba for MPE/iX on the network, and helps clients locate servers.
SMBCLIENT   Client program on MPE/iX host.
SMB.
This file consists of sections and parameters. Each section in the configuration file corresponds to a service. The special sections are [global], [homes] and [printers]. The [global] section is used to set global configuration options that apply to the server as a whole. The [homes] section is designed to grant access to all users’ home directories and the entries in the [printers] section correspond to the print services of the Samba for MPE/iX server.
The SMB messages can be categorized into four types of messages: session control, file, printer, and message. Session control messages start, authenticate, and terminate sessions. File commands control file access and printer commands control printer access. Message commands allow an application to send messages to or receive messages from another host (for example, WinPopup messages).
After the client has logged in, it proceeds to connect to the file tree by sending an SMB Tree Connect command (TconX) to the server, see Figure 7-5. Here TconX stands for tree connect. The client sends a Tcon or SMB TconX specifying the network name of the share to which it wants to connect, and if all is well, the server responds with a TID that the client will use in all future SMBs relating to that share.

Samba for MPE/iX Configuration File Options
Global Configuration Options

The global configuration options can be defined in the [Global] section of the “smb.conf” file.
The syntax of the username map file is simple. Each line consists of an MPE/iX-style name like manager.sys and a list of possible PC-style usernames like webuser, separated by an equal sign. A sample username map in the user.map file is defined as follows.
Example: manager.
Default: debug level = 0

Login/Logout Commands

preexec
The preexec parameter allows you to specify a command to be run whenever the service is connected.
Example: callci /usr/local/samba/lib/tellop tcon %S %u %m %I
Generates the following example output to the console:
9:41 #J36/50/FROM/MGR.SAMBA/tcon on IPC$ by MGR.
print command
The print command parameter defines the shell command which Samba for MPE/iX will use to submit a print job. After Samba for MPE/iX has finished spooling a print job to the disk, it calls this command. After processing the file, this command must remove the spoolfile, unless you don’t mind spool files building up on your system.
Controlling User Access Rights

allow hosts
deny hosts
Default: none
These parameters allow users to define a set of client IP addresses which will be granted access to the service. If an “allow hosts” option is present, only hosts matching the pattern are allowed to access the service. If a “deny hosts” option exists, only hosts not matching the pattern will be granted access.
Example: allow hosts = 192.1.2.
Browser Option

browseable
This parameter controls whether this share is seen in the list of available shares in the browse list.
Example: browseable = yes
Default: browseable = yes

available
This parameter lets you remove a service from availability. If available is no, all attempts to connect to the service will fail. Using this option preserves the service’s settings and is usually more convenient than commenting out the service.
Controlling Read/Write Access

guest ok
If guest ok is true, then guest access will be allowed. The access rights of a client connecting as guest will be those of the username set in the “guest account.”
Example: guest ok = yes
Default: guest ok = no

guest only
If guest only is true, then access of service/share is only granted with the rights of usernames given in the “guest account” parameter.
Configuring the Shares for File Sharing

The PCs can access the server side filespaces using Samba for MPE/iX. Whenever the clients want to connect to the server, the server side validates the username and password, which are sent by the client, and grants access to the requested share if it is appropriate.
Configuring a Printer Section for Printer Sharing

The PCs can access the server side printer using Samba for MPE/iX. With printer sharing the client creates a file on the server directory associated with the printer, and then lets the server process trigger a configurable command to push the file into the MPE spooler.
Add a printer, as shown in Figure 7-6. With printer sharing, the printers are accessible to HP e3000.

Figure 7-6 ADD a Printer

You can connect your server shares using the NT explorer, as shown in Figure 7-7.
The menu tool includes a “map network drive” option, which brings up the small window shown in Figure 7-7. You connect a network drive by typing in a share name with \\servername\sharename syntax in the “path” box.
You can view the contents of the share from NT explorer, as shown in Figure 7-8. Click the share name in the NT explorer window to list the files residing in this share.
Description and Usage of SWAT

Remote Configuration: Samba Web Administration Tool (SWAT).

Before invoking SWAT: Before SWAT can be run, the following lines in the configuration files need to be updated. SWAT is available for guest users only.

In the file SERVICES.NET.SYS, the following line should be added to include SWAT service:
swat 901/tcp #SWAT Tool
In the file INETDCNF.NET.
SWAT can be used to open pages with links to online help and documentation, as shown in Figure 7-9. This is done from a remote location with the aid of a Web browser.
SWAT is used to provide a Web interface to view and configure smb.conf. It provides the flexibility of altering the configuration file to reflect changes with respect to shares. View or configure Global Variables using SWAT as shown in Figure 7-10.
Use SWAT to view the currently configured smb.conf file in abbreviated and full views, as shown in Figure 7-11.
A snapshot of active connections, shares and open files can be provided by SWAT, as shown in Figure 7-12. The Server Status can be actively monitored by SWAT.
How to use SWAT: To use the SWAT interface, just point and click on any of the options on the front page banner. The following are brief descriptions of what each link in the banner stands for:
Home     Samba help and documentation page
Globals  Link to global variable and configuration options
Shares   This link allows you to select the available shares for configuration or lets you create/delete shares from the record.

Starting and Stopping Samba for MPE/iX
Verify Link Configuration

The default assumes that LAN link configuration in NMMGR is SYSLINK. You need to run the following command to get the IP address and subnet mask of your HP e3000 system; you will need this information for future Samba for MPE/iX configuration file updates with the “interfaces” parameter.
1. Logon as manager.sys
2.
The following example is displayed when you run the command netcontrol status; net = lan1.
NETWORK NAME: LAN1
NETWORK IP ADDRESS: $0F0DC750 15.13.188.80
NETWORK SUBNET MASK: $0FF000000 255.0.0.0

Add PM Capability

To access share security modes, both samba and mgr.samba user accounts should have PM capabilities.
1. Logon as manager.sys
2. Add PM capability to samba account
3. Add PM capability to mgr.
Starting Samba for MPE/iX Under the INETD Control

If you choose to run SMBD and NMBD processes under control of INETD, you should have new entries in SERVICES.NET.SYS and INETDCNF.NET.SYS. You will then have to create symbolic links to make SERVICES.NET.SYS link to /etc/services and INETDCNF.NET.SYS link to /etc/inetd.conf, respectively. Perform the following steps:
1. Logon as manager.sys.
2. Copy SERVSAMP.NET.SYS file to SERVICES.
JOBNUM  STATE  JIN  JLIST  JOB
#J30    EXEC   10S  LP     NMBMON,MGR.SAMBA
#J31    EXEC   10S  LP     SMBMON,MGR.SAMBA

2. Use the following two commands to stop Samba for MPE/iX:
:abortjob #smbjobnumber
:abortjob #nmbjobnumber

NOTE Clients connected and writing to files will lose data if an abortjob is done with clients active.

Initial Test With smbclient Utility

The smbclient utility provides access to SMB servers with an FTP-like user interface.
This command should display a list of available shares (services) that matches your configuration file. If NMBD is running, a list of workgroups and related computers that NMBD could find on your network/subnet will be displayed, see Figure 7-13.
shell/iX> smbclient \\\\\\sambadoc -N -c help

This command should connect to the sambadoc share on your HP e3000, using -N to suppress the password prompt and effectively become the guest user, and display the contents of the on-line help screen of smbclient, see Figure 7-14.

Figure 7-14 smbclient for MPE/iX (2)

NOTE All smbclient examples used the -c option to specify the command on the command line.
Initial Test From a PC Client at DOS Prompt

For an initial test from a PC client, open a DOS command window and issue the following command:
C:\> net view \\servername
This command will display a list of available shares for the server, see Figure 7-15.
Samba for MPE/iX Share Level Security Mode

The process of user authentication depends on whether Samba for MPE/iX is running in share level or user level. The “security” parameter in the configuration file is used to specify share level or user level authentication. If the “security” parameter is set to “share,” Samba for MPE/iX will tell clients it is granting access under share mode security.
Samba for MPE/iX Server Security Mode

Some particular issues with Samba for MPE/iX and Windows NT: one of the problems with Windows NT is that NT refuses to connect to a server that is in user level security mode and doesn’t support password encryption unless it first prompts the user for a password. This means that even if you have the same password on the NT box and the Samba for MPE/iX server, you will get prompted for a password.
New Functionalities

New functionalities supported in Samba for MPE/iX 2.0.7.

User-selectable name resolution order: The resolution of NetBIOS names into IP addresses can be done in several different ways (broadcast, lmhosts, DNS lookup, WINS). Samba for MPE/iX version 2.0.7 has a new parameter that allows administrators to select the methods of name resolution and the order in which such methods are applied; see “Global Configuration Options.
7jPC  shows differences between 2.0.7 and PC side
7c7j  shows differences between version 1.9.16p9 and 2.0.7
7j7c  shows differences between version 2.0.7 and 1.9.16p9
7c refers to Samba for MPE/iX version 1.9.16p9.

The resulting output can be used to judge filename conversion need.
Example:
Shell/iX> find /SAMBA/SHR/public | mapdiffs
7c: /SAMBA/SHR/public/New_20_Folder/my_24_file.java
7j: /SAMBA/SHR/public/New_20_Folder/my$file.

Troubleshooting Samba for MPE/iX Server
Troubleshooting Procedures

Follow these tests to diagnose your Samba for MPE/iX server.

TEST 1: In the directory in which you store your smb.conf file, run the command testparm smb.conf. If it reports any errors, your smb.conf configuration file is faulty.

TEST 2: On the client side, open an MS-DOS prompt and run “ping SAMBAIXSERVER” from the PC and “ping CLIENTPC” from the HP e3000 system.
This time try the same as the previous test, but try it via a broadcast to the default broadcast address. A number of NetBIOS/TCPIP hosts on the network should respond, although Samba for MPE/iX may not catch all of the responses in the short time it listens. You should see “got a positive name query response” messages from several hosts.
TEST 10: Some other tests, along with the ones mentioned previously, might be useful. These tests can be done to check the behavior of the Samba for MPE/iX server with these security policies:
1. Configure Samba for MPE/iX in User security mode:
   • Map a PC username to a valid MPE/iX username.
Using Logfiles of Samba for MPE/iX

In case of problems, check the job listings for useful error messages and also look in the Samba for MPE/iX log files /usr/local/samba/var/log.smb and log.nmb for hints. You can control the amount of log messages with the “debug level” directive inside the config file smb.conf. Increasing the log level to 3 or 4 can shed light on the cause of most problems.
8 DNS BIND/iX

BIND (Berkeley Internet Name Domain) is an implementation of the Domain Name System (DNS). It consists of a network of servers which provide a distributed database, including names and addresses of host machines. This information is accessible to client hosts which are running resolver software. This enables them to send queries to and receive replies from the servers. The resolver software runs on MPE/iX versions preceding 6.
Introduction

This section of the Configuring and Managing MPE/iX Internet Services manual assumes that the reader has prior experience with DNS BIND as implemented on other operating systems, or is familiar with the concepts involved. There are a number of good textbooks available on this subject to which the reader is referred; the following is a brief overview of a sophisticated system. The Domain Name System is a distributed and structured directory of information.
• dnsquery: give all the DNS details and Mail exchange records

Explanation of Terms

BIND, which stands for Berkeley Internet Name Domain, is the most commonly used implementation of DNS. DNS is essentially a distributed data base, with control of the different elements of the data base maintained by individuals responsible for the domain served by that DNS server.
Overview of DNS BIND/iX

In this implementation of BIND 8.1.1, the configuration and data files for the DNS server are found under the /BIND/PUB directory of the POSIX name space, though the DNS server is started by running a job from the MPE/iX name space: JNAMED.PUB.BIND, which runs the program NAMED.PUB.BIND.
/BIND/PUB/bin/nslookup           Interactive name server query utility.
/BIND/PUB/bin/dnsquery           DNS server query tool.
/BIND/PUB/bin/host               Host information lookup tool.
/BIND/PUB/bin/addr               Address lookup tool.
/BIND/PUB/bin/named-bootconf.pl  Perl script to assist in converting BIND 4.x named.boot to 8.x named.conf.

Server Configuration File named.conf
A template /BIND/PUB/etc/named.conf has been provided with the installation of DNS BIND/iX. You can use this file, following the commented instructions within it, as a basis for your own /BIND/PUB/etc/named.conf.
Advanced users may need to refer to Appendix B, “BIND 8 Configuration File,” for a complete list of directives that can be configured for BIND 8. The following is the template /BIND/PUB/etc/named.conf file:

options {
    directory "/BIND/PUB/etc";
    // The following is the IP address of the MPE/iX system that is running NAMED.
    // YOU MUST CHANGE THIS TO BE YOUR OWN IP ADDRESS!
    listen-on { nnn.nnn.nnn.
1    IN    PTR    m1.india.hp.com.
2    IN    PTR    m2.india.hp.com.
3    IN    PTR    m3.india.hp.com.
4    IN    PTR    m4.india.hp.com.
5    IN    PTR    m5.india.hp.com.

Configuring Slave Zones

A sample configuration unit for a slave zone is shown here:

zone "41.10.15.IN-ADDR.ARPA" {
    type slave;
    file "zone.15.10.41";
    masters { 15.70.188.45; };
};

The IP address of the server that is primary for that domain is specified in the masters { } section of the configuration.

Data Files
;
; Define localhost
;
localhost  IN  A      127.0.0.1
;
; Set up hosts
;
maxx       IN  A      204.251.17.241
           IN  MX  5  nova.maxx.net.
maxx.net.  IN  MX  5  nova.maxx.net.
;
; All mail for net delivered to nova
;
;*         IN  MX  10 nova.maxx.net.
www        IN  CNAME  nova.maxx.net.
ftp        IN  CNAME  nova.maxx.net.
news       IN  CNAME  nova.maxx.net.
mail       IN  CNAME  nova.maxx.net.
ns         IN  CNAME  nova.maxx.net.
loghost    IN  CNAME  nova.maxx.net.
lucy       IN  A      204.251.17.242
linux      IN  CNAME  lucy.maxx.net.
lucy       IN  MX  10 lucy.maxx.net.
    36000   ; Refresh every 10 hours
    3600    ; Retry after 1 hour
    360000  ; Expire after 100 hours
    36000   ; Minimum TTL is 10 hours
)

The “serial” field was discussed earlier. The remaining four fields specify various time intervals (all values in seconds) used by the secondary name server:

Refresh  The time interval that must elapse between each poll of the primary by the secondary name server (here 36,000 seconds or 10 hours).
The number (10 in this case) in the fourth field represents a preference value. If you define multiple MX records for a host, delivery is attempted to lower-preference value hosts first. The actual value isn’t important, only its relationship to other preference values. On larger LANs it’s a good idea to create backup e-mail servers.
Address-to-Name Mapping

Also called reverse mapping, the zone.ADDR db file allows resolvers to post queries armed with only the IP address of a host. This reverse mapping is used, for example, by Internet server software that prefers to log host names rather than less informative IP addresses. Address-to-name mapping data will be provided for a DNS server by PTR entries in its zone.ADDR files, one for every network served by this DNS server, and its zone.LOCAL file.
G.ROOT-SERVERS.NET  99999999  IN  A  192.112.36.4
H.ROOT-SERVERS.NET  99999999  IN  A  128.63.2.53
I.ROOT-SERVERS.NET  99999999  IN  A  192.36.148.17

Here, the dot (.) refers to the root domain and the 99999999 means a very long time-to-live value. The TTL value is no longer used for caching because the data isn’t discarded if it times out, but administrators generally keep it around because it does no harm.
How to Run The DNS Server

1. Configure and start Syslog/iX; see Appendix E, “Configure and Run Syslog/iX.”
2. Examine /BIND/PUB/etc/named.conf and customize for your own environment.
3. Configure the zone data files referenced in your /BIND/PUB/etc/named.conf.
4. Add your server’s IP address as the first nameserver entry in /etc/resolv.conf for all MPE and HPUX hosts that you wish to use this server for resolution queries. On MPE hosts, make sure that /etc/resolv.
responding. Note that the resolver will only query subsequent name servers if there is no response; if the previous nameserver has already replied that it cannot resolve a query, no further lookup will be attempted.

NOTE It is very important that you omit the leading zeros in the domain name resolver files. If you enter leading zeros here, the resolver routines will interpret the numbers as octal numbers.

sortlist
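The leading-zero note above, worked through as an added example (not from the HP manual): this Python check reads resolver-file text, applies the classic inet_aton-style rule that a component with a leading 0 is octal, and reports each nameserver or sortlist address whose effective value differs from what was typed, since such an entry sends queries to a different server or is rejected outright. The sample file content and the function names are constructed for illustration.

```python
import re

# Constructed sample of a resolver file (/etc/resolv.conf style); not from the manual.
SAMPLE_RESOLV_CONF = """\
domain india.hp.com
nameserver 015.013.188.080
nameserver 15.13.188.80
nameserver 010.1.2.3
sortlist 015.0.0.0/255.0.0.0
"""

ADDRESS = re.compile(r"^\d{1,4}(\.\d{1,4}){3}$")


def classic_octet(text):
    """Value of one component under the classic rule: leading 0 means octal.
    Returns None when the component is invalid (bad octal digit or > 255)."""
    if len(text) > 1 and text.startswith("0"):
        if not re.fullmatch(r"[0-7]+", text):
            return None              # e.g. "080": 8 is not an octal digit
        value = int(text, 8)
    else:
        value = int(text, 10)
    return value if value <= 255 else None


def decimal_octet(text):
    """Value the administrator most likely meant: plain decimal."""
    value = int(text, 10)
    return value if value <= 255 else None


def render(octets):
    """Dotted-quad string, or None if any component failed to parse."""
    return None if None in octets else ".".join(str(o) for o in octets)


def audit_resolver(text):
    """Return one finding per address that contains a leading-zero component."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        # Drop comments, then split into keyword and arguments.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2 or fields[0] not in ("nameserver", "sortlist"):
            continue
        for token in fields[1:]:
            for addr in token.split("/"):   # sortlist allows address/netmask
                if not ADDRESS.match(addr):
                    continue
                parts = addr.split(".")
                if not any(len(p) > 1 and p[0] == "0" for p in parts):
                    continue
                findings.append({
                    "line": line_no,
                    "keyword": fields[0],
                    "written": addr,
                    "intended": render([decimal_octet(p) for p in parts]),
                    "resolver_sees": render([classic_octet(p) for p in parts]),
                })
    return findings


if __name__ == "__main__":
    for f in audit_resolver(SAMPLE_RESOLV_CONF):
        seen = f["resolver_sees"] or "rejected (invalid octal)"
        print("line %d %s: %s meant %s, resolver sees %s"
              % (f["line"], f["keyword"], f["written"], f["intended"], seen))
```
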
List of Utilities

;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 12
;; QUERY SECTION:
;;      ., type = NS, class = IN
;; ANSWER SECTION:
.       2d23h2m52s
.       2d23h2m52s
.       2d23h2m52s
.       2d23h2m52s
.       2d23h2m52s
.       2d23h2m52s
.       2d23h2m52s
.       2d23h2m52s
.       2d23h2m52s
.       2d23h2m52s
.       2d23h2m52s
.       2d23h2m52s
.       2d23h2m52s
;; ADDITIONAL SECTION:
japan.cns.hp.com.       2d23h36s
paloalto.cns.hp.com.    2d23h36s
singapore.cns.hp.com.   2d23h35s
andover.cns.hp.com.     2d23h35s
atlanta.cns.hp.com.     2d23h36s
bbnhs.
DNS and Electronic Mail

hpmdd58.india.hp.com.   1D  IN  A  15.70.168.58
palsmtp.hp.com.         8H  IN  A  156.153.255.242
palsmtp.hp.com.         8H  IN  A  156.153.255.226
atlsmtp.hp.com.         8H  IN  A  156.153.255.210
atlsmtp.hp.com.         8H  IN  A  156.153.255.202
quasar.india.hp.com.    1D  IN  A  15.10.45.114
cauvery.india.hp.com.   1D  IN  A  15.10.40.5
valmiki.india.hp.com.   1D  IN  A  15.17.112.100
sahana.india.hp.com.    1D  IN  A  15.10.43.

NOTE
DNS BIND Troubleshooting Steps

3. Detailed Problem Description: Historical information is very valuable... is this a new DNS BIND installation, or has the site suddenly started to experience problems? No matter what the history, you will need to find out and document the exact symptoms being experienced.

It Used to Work: Find out if the DNS Administrator is aware of any configuration or network topology changes that could be tied to the recent DNS BIND problems.
Look in the /etc/named.conf file; the directory directive will tell you where to look for these. They are prefixed with db or zone, so they may look like these examples: db.cache, db.root, db.127.0.0, db.cup, etc.

6. Configuration Validation: Once the configuration information is gathered, it’s time to sit down and wade through it all, looking for problems. By now you should have a good idea of how this DNS BIND topology fits together.
9 HP WebWise MPE/iX Secure Web Server

HP WebWise MPE/iX Secure Web Server offers secure encrypted communications between browser and server via the SSL and TLS protocols, as well as strong authentication of both the server and the browsers via X.509 digital certificates. The current release of the HP WebWise MPE/iX Secure Web Server is A.03.00 and is composed of:
• Apache 1.3.
System Requirements

The following software requirements must be met prior to installing HP WebWise MPE/iX Secure Web Server A.03.00:
• MPE/iX 7.5 or later.
• HP highly recommends installing the latest NSTxxxxx network transport patch.

Support

HP WebWise MPE/iX Secure Web Server A.03.00 is supported through the HP Response Center as part of MPE/iX FOS support.
Product Overview and Feature Set

HP WebWise MPE/iX Secure Web Server offers secure encrypted communications between browser and server via the SSL and TLS protocols, as well as strong authentication of both the server and the browsers via X.509 digital certificates. HP WebWise MPE/iX Secure Web Server is A.03.00 and is composed of:
• Apache 1.3.22
• Mod_ssl 2.8.5 SSL security add-ons for Apache
• MM 1.1.
Flexible Encryption Cipher Configuration

HP WebWise MPE/iX Secure Web Server permits you to configure a wide variety of encryption ciphers, ranging from high-grade domestic-only algorithms to algorithms suitable for export.

Additional Log Files

Two new log files, ssl_engine_log and ssl_request_log, allow you to log various events associated with secure web requests.
Migrating from Previous Versions of Apache

The /APACHE/PUB/JHTTPD job stream file from previous versions of Apache is not compatible with HP WebWise MPE/iX Secure Web Server. You must manually create a new JHTTPD job stream file by using the WebWise /APACHE/PUB/JHTTPD.sample template. The /APACHE/PUB/conf/httpd.
Migrating from WebWise A.01.00

HP WebWise MPE/iX Secure Web Server version A.03.00 was designed to be a drop-in replacement for Apache, and does not attempt to upgrade or migrate any files from the WebWise A.01.00 /APACHE/SECURE/ directory tree. You must manually use the A.03.00 *.
Bundled Modules

The following modules are statically linked into HP WebWise MPE/iX Secure Web Server (this list can be viewed by running HTTPD with the -l option: /APACHE/CURRENT/HTTPD -l):
• mod_access
• mod_actions
• mod_alias
• mod_asis
• mod_auth
• mod_auth_anon
• mod_autoindex
• mod_cern_meta
• mod_cgi
• mod_define
• mod_digest
• mod_dir
• mod_env
• mod_expires
• mod_headers
• mod_imap
• mod_include
• mod_info
• m
• mod_unique_id
• mod_userdir
• mod_usertrack
• mod_vhost_alias

Version Identification

To view the WebWise version, run the HTTPD program file with the -v option. Each WebWise release has an open source version number (for example, Apache 1.3.22) and an MPE/iX version number (i.e., A.03.00).

shell/iX> ./HTTPD -v
Server version: Apache 1.3.22 (HP MPE/iX WebWise A.03.
Product Installation Architecture

Early versions of Apache for MPE/iX were installed under PUB.APACHE. Starting with Apache 1.3.14 and continuing with WebWise A.03.00, each web server version is installed in its own directory tree under the APACHE account and in a group named by its MPE/iX version. For example, WebWise A.03.00 has an MPE/iX version number of A.03.00 (VUUFF) so it resides in /APACHE/A0300 (/APACHE/VUUFF).
Major Components

HP WebWise MPE/iX Secure Web Server consists of a job stream (JHTTPD) which runs the server program (HTTPD), a set of configuration files, a complete set of online documentation, and miscellaneous utilities and scripts. The full set of WebWise distribution files is contained within the /APACHE/VUUFF directory tree, and customers should not modify any of these files.
htdocs/
This subdirectory contains the content that will be visible to browser users accessing your web server. If a user specifies a URL of http://your.host.name/foo.html, HP WebWise MPE/iX Secure Web Server will return the file called /APACHE/PUB/htdocs/foo.html.
Preparing HP e3000 for Network Access

Before an HP e3000 can act as a web server, it must be available for network access via TCP/IP.
• Configure TCP/IP on the system.
• Have a domain name associated with the system’s IP address.

Apache communicates on the network using the Hypertext Transfer Protocol (HTTP), which in turn uses TCP/IP. NS Transport (the TCP/IP transport subsystem) is configured on the HP e3000 using NMMGR.
• Add one domain line that contains the DNS domain name for the domain to which your web server belongs. This domain name should not include the web server’s hostname (:NMMGR node name).
• The DNS server listed on each nameserver line must contain both a valid “A” record and “PTR” record. The content of these records must agree with the actual hostname of the web server and the actual domain name in RESLVCNF.NET.SYS.
Configuring the Software

Follow these steps to configure the software for WebWise.
1. :HELLO MGR.APACHE,PUB
2. :XEQ SH.HPBIN.SYS -L
3. $ cd /APACHE/PUB
4. $ cp JHTTPD.sample JHTTPD
5. $ cd conf
6. $ cp access.conf.sample access.conf
7. $ cp httpd.conf.sample httpd.conf
8. $ cp magic.sample magic
9. $ cp mime.types.sample mime.types
10. $ cp srm.conf.sample srm.conf
11. Edit the newly created httpd.
Server Keys and Certificates

This is a fairly large and complicated topic. You are STRONGLY ENCOURAGED to read about it in detail in the Mod_ssl Manual, Chapter 2 Introduction and Chapter 6 FAQ List, either at http://www.modssl.org/docs/2.8/ or the copy that comes with your HP WebWise MPE/iX Secure Web Server (/APACHE/CURRENT/htmanual/mod/mod_ssl/ssl_intro.html and ssl_faq.html) and is accessible from http://yourserver.yourdomain.com/manual/.
2. $ openssl genrsa -rand /SYS/PUB/HPSWINFO -des3 -out server.key 1024
unable to load 'random state'
28199 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
................+++++
.................+++++
e is 65537 (0x10001)
Enter PEM pass phrase:********
Verifying password - Enter PEM pass phrase:********
3. $ openssl rsa -noout -text -in server.
4. $ chmod 400 server.key

Create Your Certificate Signing Request (CSR)

Next you need to use your private server key to create a CSR which identifies your company and your web server. This is the same identity that will be presented to your web browser users, so choose carefully.
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: md5WithRSAEncryption
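An added check, not part of the HP manual: the key generated in the steps above is 1024-bit RSA and the CSR dump reports md5WithRSAEncryption, both of which current baselines reject. This Python example reads the text printed by the openssl -noout -text commands and reports those two parameters; the sample text, the 2048-bit threshold and the function name are assumptions made for the example.

```python
import re

# Constructed excerpt in the layout "openssl req -noout -text" prints.
# Hex bodies are shortened placeholders, not real key material.
SAMPLE_CSR_TEXT = """\
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, O=Example Org, CN=www.example.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:aa:bb:cc
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: md5WithRSAEncryption
        00:11:22:33
"""

# Assumed policy for this audit; adjust to your own baseline.
MIN_RSA_BITS = 2048
WEAK_DIGEST = re.compile(r"(md2|md4|md5|sha1)(?!\d)", re.IGNORECASE)

# Matches both the older "RSA Public Key: (1024 bit)" layout and the
# newer "Public-Key: (2048 bit)" layout, but not "Public Key Algorithm:".
KEY_BITS = re.compile(r"Public[- ]Key:\s*\((\d+) bit\)")
SIG_ALG = re.compile(r"Signature Algorithm:\s*(\S+)")


def audit_openssl_text(text):
    """Return a list of (field, value, problem) tuples for weak parameters
    found in the text dump of a key, CSR or certificate."""
    findings = []

    bits = KEY_BITS.search(text)
    if bits is None:
        findings.append(("key size", None, "not found in input"))
    elif int(bits.group(1)) < MIN_RSA_BITS:
        findings.append(("key size", int(bits.group(1)),
                         "below %d-bit minimum" % MIN_RSA_BITS))

    # A certificate dump prints the signature algorithm twice; report it once.
    for alg in sorted(set(SIG_ALG.findall(text))):
        if WEAK_DIGEST.search(alg):
            findings.append(("signature algorithm", alg, "weak digest"))

    return findings


if __name__ == "__main__":
    for field, value, problem in audit_openssl_text(SAMPLE_CSR_TEXT):
        print("%s: %s (%s)" % (field, value, problem))
```
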
Your signed certificate will arrive in raw PEM format, which looks like this:
-----BEGIN CERTIFICATE-----
Organizational Unit Name (eg, section) []:My Company CA
Common Name (eg, YOUR name) []:Certificate Authority
Email Address []:ca@mycompany.com
5. $ openssl x509 -noout -text -in ca.
emailAddress :IA5STRING:'webmaster@www.mycompany.com'
Certificate is to be certified until Apr 13 18:36:41 2001 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: ../ssl.csr/server.crt <- CA cert
../ssl.csr/server.crt: OK
2. $ rm -fR ca.db.*
3. $ cd ..
4. $ mv ssl.csr/server.crt ssl.crt/server.crt
5.
snakeoil-ca-rsa.crt ... e52d41d0.0
snakeoil-dsa.crt ... 5d8360e1.0
snakeoil-rsa.crt ... 82ab5372.0
zzyzx-ca-rsa.crt ... f28a2a0f.0
3. $ chmod 400 /APACHE/PUB/conf/ssl.
Starting the Web Server

Simply :STREAM JHTTPD.PUB.APACHE to start your web server. The server may spend as much as the first 5 minutes or so in a tight CPU loop generating temporary cryptographic keys before it will be ready to respond to browser requests. No records will be written to any of the log files in the logs/ directory during this time.
Using the Web Server

Simply point your web browser to:
• http://www.yourcompanyhere.com/ (for non-secure access; assumes a standard listening port of 80)
• https://www.yourcompanyhere.com/ (for secure access; assumes a standard listening port of 443)

Web server content located under the DocumentRoot of the secure virtual server is automatically secured when viewed with a https:// URL.
Adding Content

There are several ways you can add content to your HP WebWise MPE/iX Secure Web Server:
• Create additional files and directories below the DocumentRoot of /APACHE/PUB/htdocs.
• Use the Alias configuration directive to point to content directories outside of the DocumentRoot.
• Create symbolic links below the DocumentRoot of /APACHE/PUB/htdocs which point to content outside of the DocumentRoot subdirectory.
Troubleshooting

Server Issues

If the HP WebWise MPE/iX Secure Web Server job JHTTPD aborts, first check the $STDLIST spoolfile for any error messages, followed by the error_log, followed by the ssl_engine_log. If the HP WebWise MPE/iX Secure Web Server job appears to be running normally, but browser users are receiving error messages instead of data, check the access_log to see if the server is receiving their request.
Performance

For best performance, files returned to the browser user should be in bytestream format. For example, .html, .htm, .shtml, .shtm, .txt, .gif, .jpeg, and .jpg files should be in bytestream format instead of in MPE-type format. Bytestream files are more compatible with HP WebWise MPE/iX Secure Web Server and with other POSIX applications than are MPE-type files.
Working with Dynamic Shared Objects (DSOs)

DSOs are add-on modules that extend the functionality of Apache. These modules are self-contained code that can provide a wide range of additional Apache capabilities such as custom authentication and authorization, custom logging, or creating new configuration directives. Users can create their own Apache modules or use those written by others.
Creating Apache Modules

DSOs should be written in the C programming language. DSOs written in C must be compiled on MPE/iX. Two ways that Apache modules can be created are:
1. From a template, such as mod_example.c, or from an existing module.
2. With the apxs utility.

A sample module, mod_hw, will be used to illustrate these two methods for creating a DSO module in C. The mod_hw structure is shown in Figure 9-1.
Tools

There are a number of options available when choosing tools to build an Apache module for MPE/iX. Some of these tools are open source tools from the GNU Project, a provider of free software. The GNU tools are used on many operating system platforms for development of open source code, including MPE/iX. Module compilations on MPE/iX can be done with the GNU C compiler, gcc, or with the MPE/iX POSIX compiler, c89.
Module Creation Using a Template

Any existing Apache module can be used as a template for a new module. Mod_example.c is distributed with Apache in /APACHE/PUB/libexec and makes a useful template for a simple module. When compiled and linked as the shared library (NMXL) mod_example.so, this module is a fully working DSO. The module libexec/mod_example.so has already been pre-built.
merge directive is necessary when functions are called across object boundaries such as mod_hw.o calling helloworld() in hw.o. The share option is needed when global data is shared between multiple object files. The share option is not actually needed by the sample code. The compile and link steps can be put in a Makefile to facilitate multiple builds of a module. As an example, refer to the section “Modified APXS Makefile (mod_hw)”.
Module Creation Using the APXS Utility

Modules can also be created using the bin/apxs utility, the “Apache eXtenSion” tool. Details on using apxs are found in the apxs manual page, http://www.apache.org/docs/programs/apxs.html. Apxs is a Perl script and requires a working Perl interpreter on the HP e3000. The Perl interpreter is not distributed or supported as part of FOS but is available as freeware via http://jazz.external.hp.
Linking Libraries into a DSO

When a DSO requires external library functions, as does mod_hw, these can be resolved using either archive libraries or shared libraries. With archive libraries, external calls are resolved at link time and the functions are incorporated into your DSO. With shared libraries, external calls are resolved at run time. At run time, the loader searches the shared libraries for these external functions.
Archive libraries

Archive libraries may be either custom archive libraries (built by others) or system archive libraries. System archive libraries are “.a” files residing in /lib and /usr/lib. The following shows how to build hw.c as an archive library then link it into mod_hw.so:

shell/iX> cd /APACHE/PUB/hw
shell/iX> gcc -c -DMPE -D_POSIX_SOURCE -D_SOCKET_SOURCE -DNO_DBM_REWRITEMAP -DUSE_HSREGEX -DEAPI -DSHARED_MODULE -I/APACHE/PUB/include hw.
Shared libraries

Shared libraries (XLs) can also be used for resolving external function calls from a DSO. One method is to relink the Apache program with an XL list of the required shared libraries and to copy each shared library into MPE/iX namespace. Another method is to link a DSO using dependent libraries (the altxl option to the LinkEditor) and to copy each shared library into MPE/iX namespace.
Here is a POSIX script that shows how libraries might be set up programmatically. It uses hw.o as the archive library, hw.a:

shell/iX> cat xlbuild.sh
#!/bin/sh
#
# set the location of Apache
AP=/APACHE/PUB
#
# remove the old libraries
rm -f ${AP}/XLC ${AP}/XLM ${AP}/XLHW
#
# copy the latest versions
cp /lib/libc.sl ${AP}/XLC
cp /lib/libm.sl ${AP}/XLM
#
# create a custom XL
callci "xeq linkedit.pub.sys 'buildxl xl=${AP}/XLHW'"
callci "xeq linkedit.pub.
Configuring Apache Modules

Once a DSO has been compiled and linked, it needs to be configured. DSOs can be configured manually or they can be configured with apxs. Configuration consists of copying the DSO module to a known location then updating httpd.conf to find and execute the DSO.

Manual Configuration

By convention, DSOs written in C reside in /APACHE/PUB/libexec.
:HELLO MGR.APACHE
:XEQ SH.HPBIN.SYS -L
shell/iX> cd hw
shell/iX> make install
/APACHE/PUB/bin/apxs -i -a -n 'hw' mod_hw.so
cp mod_hw.so /APACHE/PUB/libexec/mod_hw.so
chmod 755 /APACHE/PUB/libexec/mod_hw.so
[activating module `hw' in /APACHE/PUB/conf/httpd.
Testing a DSO

After configuration or at any time after modifying a DSO, restart Apache in order to load the module:

shell/iX> cd /APACHE/PUB/logs
shell/iX> kill -HUP `cat ./httpd.pid`

or

kill -TERM `cat httpd.pid`;callci stream ../JHTTPD

To execute the mod_hw DSO, access the specified in the httpd.conf file. A DSO may be executed in a different way, depending on the DSO’s functionality:

http://yourserver.
Sample Module Code (mod_hw)

This section contains source code for the sample DSO module discussed in the previous sections, mod_hw.so. The module source code consists of two files, mod_hw.c and hw.c. Mod_hw.c contains the module structure and hw.c contains a function called by mod_hw.c.

mod_hw.c

Mod_hw.c is a simple Apache module. It calls pow() (in the math library, /lib/libm) and helloworld() in hw.c.
    NULL,    /* [2] URI-to-filename translation */
    NULL,    /* [5] check/validate user_id */
    NULL,    /* [6] check user_id is valid *here* */
    NULL,    /* [4] check access by host address */
    NULL,    /* [7] MIME type checker/setter */
    NULL,    /* [8] fixups */
    NULL,    /* [9] logger */
    NULL,    /* [3] header parser */
    NULL,    /* process initialization */
    NULL,    /* process exit/cleanup */
    NULL     /* [1] post read_request handling */
};

hw.
APXS Default Makefile (mod_hw)

This is the Makefile auto-generated by apxs -g -n hw.

##
## Makefile -- Build procedure for sample hw Apache module
## Autogenerated via ``apxs -n hw -g''.
##

# the used tools
APXS=apxs
APACHECTL=apachectl

# additional defines, includes and libraries
#DEF=-Dmy_define=my_value
#INC=-Imy/include/dir
#LIB=-Lmy/lib/dir -lmylib

# the default target
all: mod_hw.so

# compile the shared object file
mod_hw.so: mod_hw.
Make sure to use tabs (instead of spaces) when adding callci and gcc to the Makefile.

shell/iX> cat Makefile
##
## Makefile -- Build procedure for sample hw Apache module
## Autogenerated via ``apxs -n hw -g''.
When creating DSOs, you must compile with the -DEAPI option. This will include the necessary EAPI header files. These header files are distributed with Apache 1.3.9 and later and reside in the /APACHE/PUB/include directory. DSOs created without -DEAPI may operate successfully but may generate a warning message in the error_log file.
Stopping the Web Server

Perform the following steps in order to stop your web server in an orderly manner:
1. :HELLO MANAGER.SYS or :HELLO MGR.APACHE,PUB
2. :XEQ SH.HPBIN.SYS "-c 'kill $(cat /APACHE/PUB/logs/httpd.pid)'"

:ABORTJOB should only be used as a last resort for stopping HP WebWise MPE/iX Secure Web Server. See Known Issues.
Known Issues

1. Using :ABORTJOB to stop HP WebWise MPE/iX Secure Web Server will result in leaked SVIPC semaphores. These semaphores are not expensive resources and HP WebWise MPE/iX Secure Web Server only uses a relative handful, but there is a finite number of semaphores allowed on a machine before you run out. The IPCS.HPBIN.SYS CI command file (NOT a shell script!) can be used to display SVIPC resources, and the IPCRM.HPBIN.
Additional Documentation

• http://yourserver.yourdomain.com/manual/ (online documentation included with WebWise)
• http://jazz.external.hp.com/src/webwise/ (HP WebWise)
• http://www.apache.org/ (Apache opensource project)
• http://www.modssl.org/ (Mod_ssl opensource project)
• http://www.engelschall.com/sw/mm/ (a library of shared memory functions)
• http://www.openssl.org/ (OpenSSL opensource project)
• http://www.rsasecurity.
10 Sendmail for MPE/iX

Previously available as unsupported freeware, Sendmail is now bundled into MPE/iX 7.5 FOS as a fully supported product which allows you to send and receive SMTP-based e-mail. The initial A.01.00 release of Sendmail for MPE/iX is based on the 8.12.1 Internet open source version from sendmail.org. The porting changes that were required to get Sendmail 8.12.1 running on MPE/iX have been incorporated into the 8.12.2 source code available from sendmail.org.
System Requirements and Patches

Sendmail has the following prerequisites:
• MPE/iX 7.5
• HP highly recommends installing the latest NSTxxxxx network transport patch.
• Sendmail uses the POSIX time functions in order to timestamp messages, and these functions depend on the TZ environment variable being set properly. The best place to set TZ is in your system logon UDC, i.e., SETVAR TZ "PST8PDT" (Pacific Time Zone example).
Product Overview and Feature Set

The feature set of Sendmail for MPE/iX is quite extensive; the following is only a partial list:
• Send and receive SMTP-based e-mail from sessions and/or batch jobs.
• Deliver local e-mail to mailboxes, files, or programs.
• A vast selection of tunable performance parameters.
• Highly flexible and extremely powerful configuration language.
• Access control for accepting or rejecting incoming e-mail.
DNS Issues

The number one cause of Sendmail installation problems is improper system naming and/or a lack of DNS entries describing your HP e3000. Please verify the following before you attempt to run Sendmail for the first time:
• /bin/uname -n should report your HP e3000 hostname as a single token, i.e., "JAZZ" instead of "JAZZ.EXTERNAL.HP.COM". If you do not see a single token hostname, you must configure a proper hostname by using :NMMGR.
Firewall Issues

The number two cause of Sendmail installation problems is a firewall or other network security device blocking your HP e3000 from being able to send and receive packets on port 53 (DNS) and port 25 (SMTP). Sendmail uses port 53 (DNS) to resolve hostnames into IP addresses and IP addresses into hostnames.
Migration from Sendmail 8.9.1

Many HP e3000 machines have been running the unsupported freeware version of Sendmail 8.9.1 available from http://www.bixby.org/mark/sendmailix.html. The following considerations apply if you are migrating from 8.9.1 to 8.12.1:
• The 8.9.1 daemon job stream file /SENDMAIL/PUB/JDAEMON is not modified during the installation of 8.12.1, and it is not compatible with the 8.12.1 distribution. You must use /SENDMAIL/CURRENT/JDAEMON.
Distribution Highlights

All files reside in the SENDMAIL account in a version-specific group named vuuff (i.e., A0100 at initial release). A symbolic link named CURRENT points to the active version-specific group. If you install a newer version of this distribution on top of an existing installation, a new version-specific group will be created and the CURRENT symbolic link will be adjusted to point to the new group.
• /SENDMAIL/CURRENT/doc/op/op.ps
  Postscript copy of the Sendmail Installation and Operation Guide. READING THIS FILE IS HIGHLY RECOMMENDED!
• /SENDMAIL/CURRENT/etc/profile
  POSIX shell profile used when logged onto the SENDMAIL account.
• /SENDMAIL/CURRENT/etc/mail.
• /usr/sbin/smrsh

All Sendmail runtime configuration files reside in the /etc/mail directory which is populated at installation time from /SENDMAIL/CURRENT/etc/mail.sample for any files that do not already exist. The /etc/mail directory contains the following files which must only be altered by the user SERVER.SENDMAIL:

access
  The ASCII access database map used to accept or reject mail from selected domains.
Configuring Sendmail

The syslog daemon must be configured to log mail events before you attempt to run Sendmail. The FOS syslog daemon configuration file is /SYSLOG/PUB/syslog.conf, and the syslog daemon is started by streaming /SYSLOG/PUB/JSYSLOGD. The default syslog.conf file will log Sendmail messages to /tmp/syslog.log.

Sendmail uses two configuration files: /etc/mail/submit.
In addition to the *.cf configuration files, some Sendmail features require the use of additional configuration files known as database maps. Database maps consist of ASCII key/value pairs that have been compiled into a binary database format. Maps are created by the makemap command, and can be modified by the editmap command. For example:

1. :HELLO SERVER.SENDMAIL
2. :XEQ SH.HPBIN.SYS -L
3. shell/iX> /bin/cat - >/etc/mail/access
   imaspammer.com REJECT
   :EOD
4.
Sending E-mail

The POSIX mailx command can be used to send simple e-mail messages via Sendmail. Mailx reads the file /etc/mailx.rc to determine which mail delivery program to use, and the Sendmail installation script modifies this file to specify that Sendmail shall be used. For more information about mailx, please see “man mailx” or the MPE/iX Shell & Utilities Reference Manual Vol. 1.

To send a message interactively:
1. :XEQ SH.HPBIN.SYS -L
2.
2. shell/iX> /bin/cat - >message.txt
   To: someuser@some.host
   Cc: otheruser@other.host
   Bcc: secretuser@another.host
   Subject: hello world

   Hi, How is everybody doing?
   :EOD
3. shell/iX> /SENDMAIL/CURRENT/SENDMAIL -t
Receiving E-mail

By default, Sendmail delivers to local mailboxes by appending new messages to the file /usr/mail/USER.ACCOUNT. Mailbox files will automatically be created if they do not already exist. Each user has direct filesystem read/write access to their own mailbox file. MPE usernames *must* be specified in uppercase when addressing e-mail.

When the mailx program is run without any parameters, it checks to see if there is any new mail in your local mailbox file.
Message-ID: <3BDDF8C8.15625C@some.host>
Date: Mon, 29 Oct 2001 16:48:08 -0800
From: John Doe
X-Mailer: Mozilla 4.77 [en] (Win98; U)
X-Accept-Language: en,pdf
MIME-Version: 1.0
To: Jane Doe
Subject: test message
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi there!

6. ? delete 1
7.
The Aliases Database Map and .forward Files

The aliases database map /etc/mail/aliases describes user ID aliases used by Sendmail and is formatted as a series of lines of the form

name: addr_1, addr_2, addr_3, . . .

The name is the name to alias, and the addr_n are the aliases for that name. addr_n can be another alias, a local username, a local filename, a command, an include file, or an external e-mail address.
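Because an alias target can be a file, a command, or an include file as well as a user, it is worth reviewing which entries cause Sendmail to write files or run programs. The following script is an added example, not part of the original manual or the Sendmail distribution; the sample entries are constructed, and it assumes the standard Sendmail target prefixes (`|` for a command, `/` for a file, `:include:` for an include file).

```shell
#!/bin/sh
# Added example: classify every target in an aliases-format file and list the
# ones that make Sendmail run a program, append to a file, or read an include.

# Constructed sample input (names and paths are illustrative only).
sample_aliases() {
    cat <<'EOF'
# constructed sample aliases file
postmaster: MGR.SENDMAIL
support: ALICE.SUPPORT, bob@example.com
archive: /SENDMAIL/PUB/archive.txt
tickets: "|/usr/local/bin/ticket-intake --queue support,sales"
staff: :include:/etc/mail/staff.list,
    CAROL.HR
EOF
}

# Read aliases text on stdin; print "name<TAB>kind<TAB>target", one per target.
classify_aliases() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }

    # Decide what kind of delivery a single target asks for.
    function kind(t) {
        if (substr(t, 1, 1) == "|")         return "program"
        if (substr(t, 1, 9) == ":include:") return "include"
        if (substr(t, 1, 1) == "/")         return "file"
        if (index(t, "@") > 0)              return "external"
        return "local"                      # local user or another alias
    }

    function emit(name, t) {
        t = trim(t)
        # Drop one pair of surrounding double quotes, if present.
        if (length(t) >= 2 && substr(t, 1, 1) == "\"" &&
            substr(t, length(t), 1) == "\"")
            t = substr(t, 2, length(t) - 2)
        if (t != "") printf "%s\t%s\t%s\n", name, kind(t), t
    }

    # Split the target list on commas that are not inside double quotes.
    function emit_targets(name, rest,    i, c, inq, cur) {
        inq = 0; cur = ""
        for (i = 1; i <= length(rest); i++) {
            c = substr(rest, i, 1)
            if (c == "\"") inq = !inq
            if (c == "," && !inq) { emit(name, cur); cur = "" }
            else cur = cur c
        }
        emit(name, cur)
    }

    /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
    /^[ \t]/ {                              # continuation of the previous alias
        if (cur_name != "") emit_targets(cur_name, $0)
        next
    }
    {
        colon = index($0, ":")
        if (colon == 0) next
        cur_name = trim(substr($0, 1, colon - 1))
        emit_targets(cur_name, substr($0, colon + 1))
    }'
}

# Keep only the targets that deserve a manual review.
risky_targets() {
    classify_aliases |
        awk -F '\t' '$2 == "program" || $2 == "file" || $2 == "include"'
}

sample_aliases | risky_targets
```

On a live system the same functions can be fed the real file, for example `risky_targets </etc/mail/aliases`.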
This will cause Sendmail to deliver one copy of an email message to the user’s normal mailbox (\USER.ACCOUNT), and another copy of an email message will be piped to the Sendmail vacation autoresponder program.

Access_db Feature

The access database map allows you to accept or reject e-mail based on the message envelope and connecting mail server host name. For example:

1. :HELLO SERVER.SENDMAIL
2. :XEQ SH.HPBIN.SYS -L
3.
For more information about the genericstable feature, please see /SENDMAIL/CURRENT/cf/README.

Mailertable Feature

The mailertable database map is used to override the default mail routing behavior in /etc/mail/sendmail.cf. You might find this useful if you needed to route e-mail for certain domains through specific e-mail relays. For example:

1. :HELLO SERVER.SENDMAIL
2. :XEQ SH.HPBIN.SYS -L
3. shell/iX> /bin/cat - >/etc/mail/mailertable
   .
MPE/iX Implementation Issues

The following Sendmail features have not been implemented on MPE/iX:
• LDAP support
• TLS/SSL encrypted e-mail transport
• SASL secure authentication
• Mail filtering
• Optional chroot()-based security features
• Optional nice()-based dispatching priority adjustments

The following Sendmail features work a bit differently on MPE/iX than they do on other operating systems:
• Sendmail programs that read terminal input b
Troubleshooting

• Always check syslog when you have problems with Sendmail!
• If you don’t see any syslog events being logged:
  — If you are running third-party spooling software with an embedded syslog daemon, you must use that embedded daemon instead of Syslog/iX to capture Sendmail logging events.
  — Verify that the syslog daemon is running.
  — Verify that all files used by the syslog daemon have the correct file ownership and permissions.
  — You must always stop and restart the mail daemon when making *.cf configuration changes.
  — If you changed an ASCII database map file, you must run makemap or editmap to create the corresponding *.db binary database file.
  — If you changed the ASCII /etc/mail/aliases file, you must run newaliases to create the binary /etc/mail/aliases.db database file.
Syslog Message Formats

The following examples illustrate the types of syslog messages that Sendmail generates during normal operation.

The MPE user USER.ACCT on the local HP e3000 with a hostname of myhost.mydomain.com has just submitted a new message with 1 recipient consisting of a message body size of 5 bytes:

Feb 6 12:14:42 localhost sendmail[65622]: g16HEgik065622: from=USER.ACCT, size=5, class=0, nrcpts=1, msgid=<200202061714.g16HEgik065622@myhost.mydomain.
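The from= record shown above carries enough to summarize submission activity per sender, which is useful when reviewing /tmp/syslog.log for an account that suddenly mails many recipients. The following script is an added example, not part of the original manual; the log lines are constructed in the format shown above, the to= line is included only to show that it is skipped, and the recipient threshold is an arbitrary illustration.

```shell
#!/bin/sh
# Added example: summarize Sendmail "from=" syslog records per sender.

# Constructed sample log lines (queue IDs, users and sizes are illustrative).
sample_maillog() {
    cat <<'EOF'
Feb  6 12:14:42 localhost sendmail[65622]: g16HEgik065622: from=USER.ACCT, size=5, class=0, nrcpts=1, msgid=<200202061714.g16HEgik065622@myhost.example.com>
Feb  6 12:14:43 localhost sendmail[65624]: g16HEgik065622: to=someuser@some.host, delay=00:00:01, mailer=esmtp, stat=Sent
Feb  6 12:20:01 localhost sendmail[65700]: g16HK1ik065700: from=BATCH.OPS, size=1200, class=0, nrcpts=40, msgid=<200202061720.g16HK1ik065700@myhost.example.com>
Feb  6 12:21:30 localhost sendmail[65710]: g16HLUik065710: from=BATCH.OPS, size=1300, class=0, nrcpts=45, msgid=<200202061721.g16HLUik065710@myhost.example.com>
Feb  6 12:30:09 localhost sendmail[65800]: g16HU9ik065800: from=USER.ACCT, size=310, class=0, nrcpts=2, msgid=<200202061730.g16HU9ik065800@myhost.example.com>
EOF
}

# Read syslog text on stdin; print "sender messages recipients bytes",
# one line per sender, sorted by sender name.
sender_summary() {
    awk '
    / sendmail\[[0-9]+\]: / {
        # Strip "date host sendmail[pid]: " and then the "queueid: " prefix.
        rest = substr($0, index($0, "]: ") + 3)
        sep = index(rest, ": ")
        if (sep == 0) next
        fields = substr(rest, sep + 2)
        if (index(fields, "from=") != 1) next      # submission records only

        from = ""; size = 0; nrcpts = 0
        n = split(fields, kv, ", ")
        for (i = 1; i <= n; i++) {
            eq = index(kv[i], "=")
            if (eq == 0) continue
            key = substr(kv[i], 1, eq - 1)
            val = substr(kv[i], eq + 1)
            if (key == "from")        from = val
            else if (key == "size")   size = val + 0
            else if (key == "nrcpts") nrcpts = val + 0
        }
        msgs[from]++
        rcpts[from] += nrcpts
        bytes[from] += size
    }
    END {
        for (s in msgs) printf "%s %d %d %d\n", s, msgs[s], rcpts[s], bytes[s]
    }' | sort
}

# Print senders whose total recipient count reaches the limit given as $1.
bulk_senders() {
    sender_summary | awk -v limit="$1" '$3 >= limit + 0 { print $1 }'
}

sample_maillog | sender_summary
```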
For Further Information

• The HP CSY Sendmail web page of http://jazz.external.hp.com/src/sendmail/.
• The official Sendmail web site of http://www.sendmail.org/.
• Information about unsupported freeware versions of Sendmail for MPE/iX can be found at http://www.bixby.org/mark/sendmailix.html.
• Documentation files installed on your local machine with this distribution:
  — /SENDMAIL/CURRENT/doc/op/op.
A Samba for MPE/iX Sample Configuration File

The following is the sample configuration file samp-smb.cnf for Samba for MPE/iX that you can find in the /usr/local/samba/lib directory on the HP e3000 system:

# Sample config file for Samba for MPE/iX 0.7 and later
#
# Copy this file to /usr/local/samba/lib/smb.conf and adjust as needed.
# --------------------------------------------------------------------
# GLOBAL section (general parms and defaults for other sections)

[global]

# you MUST supply IP address and subnet mask of your 3000 here
interfaces = 12.34.56.78/255.0.0.
load printers = yes

# the workgroup that your server belongs to
workgroup = SambaIX

# these can be used e.g.
# --------------------------------------------------------------------
# PRINTERS section (optional but useful)

# This section work in conjunction with the printcap file and allows to
# configure a large number of printer shares without having to add
# separate detailed sections for each of them. The printer names and
# optional aliases are listed in the printcap file and the config parms
# are defined here. Special printers can still be defined explicitly.
# --------------------------------------------------------------------
# HOMES section (optional but sometimes useful)

# This section provides access to user's home directories without
# having to add a separate section for each of them. The share name
# is considered to be a valid user id and the path defaults to that
# user's home directory. The share is created "on the fly" by using
# attributes from this section.
# --------------------------------------------------------------------
# OTHER sections (explicit definitions of file or printer shares)

# The writable shares are placed under an MPE group with space limit

[temp]
# multiple users share one server directory but independent file
# ownership is maintained so that they might be able to "see" other
# users' files but still be unable to get read or write access
comment = Shared temp space for non-guest users
guest ok = n
guest ok = yes
write ok = no
path = /usr/local/samba/docs/htmldocs

[sambaman]
comment = Samba Man pages files (read only but guest allowed)
guest ok = yes
write ok = no
path = /usr/local/samba/man
B BIND 8 Configuration File

The following is a dummy configuration file example. It explains in brief what each configuration directive is useful for and its syntax. Not all of the directives are required for a typical BIND configuration.

/*
 * This is a worthless, nonrunnable example of a named.conf file that has
 * every conceivable syntax element in use. We use it to test the parser.
 * It could also be used as a conceptual template for users of new features.
 * versions of BIND prior to 8.1 generate
 * this format for outbound zone
 * and require it on inbound transfers.
 *
 * many-answers As many RRs as will fit are put into
 * each DNS message. This format is
 * the most efficient, but is only known
 * to work with BIND 8. Patches to
 * BIND 4.9.5 named-xfer that enable it
 * to understand 'many-answers' will be
 * available.
 *
 * If you are going to be doing zone transfers to older servers, you
 * shouldn't use 'many-answers'.
    /*
     * Interval Timers
     */
    clean-interval 60;          // clean the cache of expired RRs
                                // every 'clean-interval' minutes
    interface-interval 60;      // scan for new or deleted interfaces
                                // every 'interface-interval' minutes
    statistics-interval 60;     // log statistics every
                                // 'statistics-interval' minutes
};

zone "master.demo.zone" {
    type master;
    file "master.demo.
    allow-query { can_query; };
    allow-transfer { can_axfr; };
    allow-update { 1.2.3.4; 5.6.7.8;servers. };
};

key sample_key {                    // for TSIG; supported by parser
    algorithm hmac-md5;             // but not yet implemented in the
    secret "your secret here";      // rest of the server
};

key key2 {
    algorithm hmac-md5;
    secret "ereh terces rouy";
};

server 1.2.3.
BIND 8 Configuration File * * * * * * }; * * * * * * * * * * * * */ }; channel null { file “/dev/null” // this is the bit bucket; // any logging to this channel // is discarded. channel default_stderr { file “”; // // // // // // writes to stderr this is illustrative only; there’s currently no way of saying “stderr” in the configuration language. i.e. don’t try this at home. severity info; * }; default_stderr only works before the server daemonizes (i.e.
    channel moderate_debug {
        severity debug 3;           // level 3 debugging to file
        file "foo";                 // foo
        print-time yes;             // timestamp log entries
        print-category yes;         // print category name
        print-severity yes;         // print severity level
        /*
         * Note that debugging must have been turned on either
         * on the command line or with a signal to get debugging
         * output (non-debugging output will still be written to
         * this channel).
C BIND 8.1 Enhanced Features

The following points are explained in this appendix.
1. BIND 8 highlights
2. BIND Configuration File Guide — Logging Statement
3. BIND Configuration File Guide — Zone Statement
4. BIND Configuration File Guide — Option Statement
5. Converting From BIND 4.9.
  }; ]
  [ category category_name {
      channel_name; [ channel_name; ... ]
  }; ]
  ...
};

Definition and Usage

The logging statement configures a wide variety of logging options for the nameserver. Its channel phrase associates output methods, format options and severity levels with a name that can then be used with the category phrase to select how various classes of messages are logged.
If you are using syslog, then the syslog.conf priorities will also determine what eventually passes through. For example, defining a channel facility and severity as daemon and debug but only logging daemon.warning via syslog.conf will cause messages of severity information and notice to be dropped. If the situation were reversed, with named writing messages of only warning or higher, then syslog would print all messages it received from the channel.
category default { default_syslog; default_debug; };

As an example, suppose you want to log security events to a file, but you also want to keep the default logging behavior.
insist
  Internal consistency check failures.
maintenance
  Periodic maintenance events.
load
  Zone loading messages.
response-checks
  Messages arising from response checking, such as “Malformed response ...”, “wrong ans. name ...”, “unrelated additional info ...”, “invalid RR type ...”, and “bad referral ...”.
Definition and Usage (Zone Types)

master
  The master copy of the data in a zone.
slave
  A slave zone is a replica of a master zone. The masters list specifies one or more IP addresses that the slave contacts to update its copy of the zone. If file is specified, then the replica will be written to the file. Use of file is recommended, since it often speeds server startup and eliminates a needless waste of bandwidth.
  [ fake-iquery yes_or_no; ]
  [ fetch-glue yes_or_no; ]
  [ host-statistics yes_or_no; ]
  [ multiple-cnames yes_or_no; ]
  [ notify yes_or_no; ]
  [ recursion yes_or_no; ]
  [ forward ( only | first ); ]
  [ forwarders { [ in_addr ; [ in_addr ; ...
statistics-file
  The pathname of the file the server appends statistics to when it receives a SIGILL signal (ndc stats). If not specified, the default is “named.stats”.

Boolean Options

auth-nxdomain
  If yes, then the AA bit is always set on NXDOMAIN responses, even if the server is not actually authoritative. The default is yes. Do not turn off auth-nxdomain unless you are sure you know what you are doing, as some older software won’t like it.
forward
  This option is only meaningful if the forwarders list is not empty. A value of first, the default, causes the server to query the forwarders first, and if that doesn’t answer the question the server will then look for the answer itself. If only is specified, the server will only query the forwarders.
forwarders
  Specifies the IP addresses to be used for forwarding. The default is the empty list (no forwarding).
Name Checking

The server can check domain names based upon their expected client contexts. For example, a domain name used as a hostname can be checked for compliance with the RFCs defining valid hostnames. Three checking methods are available:

ignore
  No checking is done.
warn
  Names are checked against their expected client contexts. Invalid names are logged, but processing continues normally.
fail
  Names are checked against their expected client contexts.
Query Address

If the server doesn’t know the answer to a question, it will query other nameservers. query-source specifies the address and port used for such queries. If address is * or is omitted, a wildcard IP address (INADDR_ANY) will be used. If port is * or is omitted, a random unprivileged port will be used.
NOTE
  On some operating systems the server cannot set an unlimited value and cannot determine the maximum number of open files the kernel can support. On such systems, choosing unlimited will cause the server to use the larger of the rlim_max for RLIMIT_NOFILE and the value returned by sysconf (_SC_OPEN_MAX). If the actual kernel limit is larger than this value, use limit files to specify the limit explicitly.

stacksize
Periodic Task Intervals

cleaning-interval
  The server will remove expired resource records from the cache every cleaning-interval minutes. The default is 60 minutes. If set to 0, no periodic cleaning will occur.
interface-interval
  The server will scan the network interface list every interface-interval minutes. The default is 60 minutes. If set to 0, interface scanning will only occur when the configuration file is loaded.
D Server Configuration Migration

A number of configuration migration utilities are now available. If you want to convert 4.x named.boot files to 8.x named.conf files, there is a perl script, named-bootconf.pl, available on the system. This perl script file resides in the /BIND/PUB/bin directory.

Explanation of configuration migration utilities:

The named-bootconf.pl is a perl script. Perl is a scripting language; like a shell script, it runs under an interpreter environment on MPE.
E Configure and Run Syslog/iX

How to Run Syslog/iX:
1. Log on as mgr.syslog.
2. Examine syslog.conf and customize for your own environment.
3. :stream JSYSLOGD.PUB.SYSLOG.
4. Stop Syslog/iX by issuing the command :ABORTJOB.

## ## ## :TELL @.@ ## *.emerg *
## ## Write to the :CONSOLE ## *.alert /dev/console
## ## :TELL @.SYSLOG ## *.crit @.SYSLOG
## ## :TELL MANAGER.SYS ## *.err MANAGER.SYS
## ## Forward to syslogd on another host via UDP ## *.warning @some.host.running.syslogd
## ## Write to the :CONSOLE *.
They are classified as follows: debug, info, error, critical, warning, alert, emergency.

These messages can also be sent to a particular user by using the “tell” option followed by the user name. They can also be sent to another machine by using “@machine name”.
Glossary

A

address  An identifier defined and used by a particular protocol and associated software to distinguish one node from another.

address resolution  In NS networks, the mapping of node names to IP addresses and the mapping of IP addresses to subnet addresses.

C

client  A node on the internetwork that asks to use one of the Internet Services on the host. For example, a Telnet client is the process that uses Telnet protocol to establish a virtual terminal on your system.
Network Access software. A DTC/X.25 iX Network Link consists of two software modules: the X.25 iX System Access software (on the host) and the DTC/X.25 Network Access software (on the DTC).

DTC Telnet Access  An HP product providing Telnet connections from HP 9000 and non-HP systems running ARPA standard Telnet services to the HP e3000.

HOSTS.NET.SYS  The host name data base file which associates Internet addresses with official host names and aliases.

I
L

local host  The host system you are currently working from.

local node  Same as host system.

loopback  The routing of messages from a node back to itself.

N

name space  The set of possible names allowed in a given environment. The POSIX name space, which follows hierarchical file system syntax (i.e., \sys\pub\myfile) is distinct from the MPE/iX name space, which follows MPE naming rules (i.e., MYFILE.PUB.SYS).
NSDIR.NET.SYS  The name of the active network directory file. See also network directory.

P

packets  Encapsulated messages transmitted across a network or an internetwork.

RESLVCNF.NET.SYS  An initialization file for the domain name resolver. It contains information needed by the network to determine how to resolve a domain name to an IP address.

RSLVSAMP.NET.SYS  Sample initialization file for the domain name resolver.
T

TAC  Telnet Access Card. A board within a DTC 48 or 72MX.

TCP/IP  Transmission Control Protocol/Internet Protocol. A set of rules that establishes and maintains connections between nodes on an internetwork.

W

WAN  Wide Area Network. A data communications network of unlimited size, used for connecting localities, cities, and countries.