Secure Sockets Layer (SSL) is the open standard security protocol for the secure transfer of sensitive information over the Internet. HP SSL Version 1.3 is based on OpenSSL 0.9.7e. (The previous version of HP SSL was based on OpenSSL 0.9.7d.)

Support for HP SSL is provided on OpenVMS I64, OpenVMS Alpha, and OpenVMS VAX.

HP SSL Version 1.3 is now included in the OpenVMS operating system as a SIP (system integrated product) instead of as a layered product. Version 1.3 also includes the bug fixes included in OpenSSL 0.9.7e. These features are described in the following list:

• SSL as SIP (System Integrated Product)
  SSL for OpenVMS is now installed automatically when you install or upgrade to OpenVMS Version 8.3. You no longer need to install the PCSI file separately.
• Bug Fixes in OpenSSL 0.9.7e
  The major changes between OpenSSL 0.9.7d and OpenSSL 0.9.7e are as follows:
  • Fixed race condition when CRLs are checked in a multithreaded environment.
  • Added Delta CRL to extension code.
  • Fixed s3_pkt.c so alerts are sent properly.
  • Reduced chances of duplicate issuer name and serial numbers (in violation of RFC3280) using the OpenSSL certificate creation utilities.

HP SSL addresses these three fundamental security concerns about communication over the Internet and other TCP/IP networks:

• SSL server authentication --- Allows a user to confirm a server's identity. SSL-enabled client software can use standard techniques of public-key cryptography to check whether a server's certificate and public ID are valid and have been issued by a Certificate Authority (CA) listed in the client's list of trusted CAs. Server authentication is used, for example, when a PC user is sending a credit card number to make a purchase on the web and wants to check the receiving server's identity.
• SSL client authentication --- Allows a server to confirm a user's identity. Using the same techniques as those used for server authentication, SSL-enabled server software can check whether a client's certificate and public ID are valid and have been issued by a Certificate Authority (CA) listed in the server's list of trusted CAs. Client authentication is used, for example, when a bank is sending confidential financial information to a customer and wants to check the recipient's identity.
• An encrypted SSL connection --- Requires all information sent between a client and a server to be encrypted by the sending software and decrypted by the receiving software, thereby providing a high degree of confidentiality. Confidentiality is important for both parties to any private transaction. In addition, all data sent over an encrypted SSL connection is protected with a mechanism that automatically detects whether data has been altered in transit.

For more detailed information, refer to HP Open Source Security for OpenVMS, Volume 2: HP SSL for OpenVMS.

For information about downloading the latest version of HP SSL for OpenVMS, see the following Web site:

For additional information about OpenSSL, see the OpenSSL Web site at the following location:

New item codes have been added for several system services. More information about some item codes has been added as well. These topics are discussed in the following sections.

5.11.1 $GETDVI: New Item Codes and Item Code Information

OpenVMS Version 8.3 contains the new item codes and item code information described in the following sections.

5.11.1.1 New $GETDVI Item Codes

New $GETDVI item codes are the following:

DVI$_DEVICE_MAX_IO_SIZE DVI$_FC_HBA_FIRMWARE_REV DVI$_LAN_ALL_MULTICAST_MODE DVI$_LAN_AUTONEG_ENABLED DVI$_LAN_DEFAULT_MAC_ADDRESS DVI$_LAN_FULL_DUPLEX DVI$_LAN_JUMBO_FRAMES_ENABLED DVI$_LAN_LINK_STATE_VALID DVI$_LAN_LINK_UP DVI$_LAN_MAC_ADDRESS DVI$_LAN_PROMISCUOUS_MODE DVI$_LAN_PROTOCOL_NAME DVI$_LAN_PROTOCOL_TYPE DVI$_LAN_SPEED DVI$_MAILBOX_BUFFER_QUOTA DVI$_MAILBOX_INITIAL_QUOTA DVI$_PREFERRED_CPU_BITMAP DVI$_VOLUME_PENDING_WRITE_ERR DVI$_VOLUME_RETAIN_MAX DVI$_VOLUME_RETAIN_MIN DVI$_VOLUME_SPOOLED_DEV_CNT DVI$_VOLUME_WINDOW

5.11.1.2 $GETDVI Item Code Information

For item codes that return a string data type, failure to pass in a buffer that is large enough to hold the returned data results in silent data truncation. When $GETDVI completes, HP recommends that you check the returned length field of an item list descriptor for each item code that can return a string.

If the returned length is equal to the size of the buffer allocated to hold the returned data, the data might have been truncated. In that case, call $GETDVI iteratively with a larger buffer until the length of the returned data is less than the size of the buffer allocated.

Unless the description of an item code specifies otherwise, HP recommends that you use a buffer of 32 bytes to hold the returned string. $GETDVI pads the unused portion of the buffer with null characters.

5.11.2 $GETJPI New Item Code

The $GETJPI system service contains the new JPI$_DEADLOCK_WAIT item code.

5.11.3 $GETSYI New Item Codes

The $GETSYI system service contains the following new item codes:

SYS$_ACTIVE_CPU_BITMAP SYI$_AVAIL_CPU_MASk SYI$_BOOT_DEVICE SYI$_IO_PRCPU_BITMAP SYI$_POWERED_CPU_BITMAP

5.11.4 $GETDVI, $GETJPI, $GETLKI, $GETQUI, and $GETSYI Service Information

HP strongly recommends the use of the EFN$C_ENF "no event flag" value as the event flag if you are not using an event flag to externally synchronize with the completion of this system service call. The $EFNDEF macro defines EFN$C_ENF. For more information, see the HP OpenVMS Programming Concepts Manual.

5.11.5 $GETUAI New Item Codes

The $GETUAI system service contains the following new item codes:

UAI$V_DISPWDSYNCH UAI$V_VMSAUTH

5.11.6 Additional Changes to System Services

Entries have been added or changed in $IO_FASTPATH and $PROCESS_AFFINITY related to the new CPU namespace project. Other additions and changes have been made to $SET_PROCESS_PROPERTIESW related to system service logging.

For more detailed information, see the HP OpenVMS System Services Reference Manual.

5.12 Traceback Facility

A callable interface that symbolizes program locations now exists on both OpenVMS Alpha and OpenVMS for Integrity servers. Previously, this interface was only available on OpenVMS for Integrity servers.

On Alpha systems, the new interface is called TBK$ALPHA_SYMBOLIZE, which is similar to the TBK$I64_SYMBOLIZE routine on Integrity server systems.

The Integrity server routine interface (TBK$I64_SYMBOLIZE) has changed from the previous release to match the Alpha routine interface (TBK$ALPHA_SYMBOLIZE) available in this release. This change is backwards-compatible; that is, the former interface is no longer documented but is supported for programs that currently use it.

Both interfaces support callers in USER, SUPER and EXEC mode. Previously on OpenVMS for Integrity servers, only USER mode callers were supported.

For complete information on the Traceback symbolize routines for Integrity servers and Alpha, see the HP OpenVMS Utility Routines Manual.

This chapter provides a description of the InfoServer utility feature now supported on OpenVMS Alpha as well as OpenVMS for Integrity servers. This chapter includes a comparison between the InfoServer hardware and InfoServer application and a reference for the InfoServer utility commands.

6.1 InfoServer Utility Overview

The InfoServer application allows you to create a service for a virtual disk device on the local area network.

Virtual disk devices include the following:

• DVD drives
• Certain disk drives: SCSI and Fibre Channel
• CD drives
• Partitions (the equivalent of container files)

Comparison of InfoServer Hardware and the InfoServer Application

The new InfoServer application on OpenVMS differs from previous InfoServer hardware in a number of important ways. Some of the most notable are the following:

• The use of DCL-style command syntax
• The requirement that a device must be mounted before you can create a service for it
• Support for creating services for DVD drives
• No support for tape devices
• No support for CD-R (CD-recordable) drives.
• No automount support

You can use the InfoServer utility commands to do the following:

• Create and delete services for virtual disk devices on a local area network
• Save a list of active InfoServer services
• Modify the attributes of existing services
• Display information about servers and the nodes connected to services
• Display service-specific information about one or more services
• Start the LASTport/disk server and set various server and cache characteristics.

You can invoke the InfoServer in the following ways:

• Use the RUN command
  To invoke the InfoServer using the RUN command, enter the following at the DCL command prompt:

  $ RUN SYS$SYSTEM:ESS$INFOSERVER

  
  The system responds by displaying the InfoServer utility prompt. You can then enter an InfoServer command. For example:

  InfoServer> SHOW SERVER

  
  After the InfoServer executes the command, the system continues to display the InfoServer> prompt until you exit the utility.

• Define the InfoServer as a foreign command
  You can define the InfoServer as a foreign command by entering the following at the DCL prompt or in a startup or login command file:

  $ InfoServer :== $ESS$INFOSERVER

  
  After you execute the login command file, you can enter the INFOSERVER command at the DCL prompt to invoke the utility:

  $ INFOSERVER

  
  Note the following:

  • If you use InfoServer as a foreign command and also enter an InfoServer command, the utility terminates after it executes the command and returns you to the DCL command prompt. For example:

    $ InfoServer SHOW SERVER $

  • If you use InfoServer as a foreign command without specifying an InfoServer command, the utility displays the InfoServer> prompt, at which point you can enter commands. For example:

    $ InfoServer InfoServer> SHOW SERVER

To exit the InfoServer utility, enter the EXIT command at the InfoServer> prompt or press Ctrl/Z.

For information about the InfoServer utility, enter the HELP command at the InfoServer> prompt.

6.1.2 InfoServer Commands

The following sections describe and provide examples of InfoServer commands.

CREATE SERVICE

Creates a service for a specified device or partition.

Usage rules:

• All devices must be mounted systemwide to prevent them from being dismounted when a process logs out.
• A device that has read/write service must be mounted /FOREIGN so that it is not visible to OpenVMS.
• A device that has read-only service must be mounted with either the /NOWRITE qualifier or the /FOREIGN qualifier so that no one can change it locally.
• A partition can be served off a disk that is mounted for either read-only or read/write access to OpenVMS.
• Support for partitions is limited in this release.

Format

CREATE SERVICE serviceName device-or-partitionName

Parameter

serviceName

The name by which the service is known to the local area network. The service name can consist of alphanumeric characters and dollar signs ($). It can be 255 characters or fewer in length.

device-or-partitionName

The device or partition name is the name of the OpenVMS disk device or partition as it is to be known to the local area network. The name of the device or partition that you enter must have been created previously.

Explanations of device and partition names follow.

• Device names
  Devices served to the local area network are OpenVMS disk devices; use OpenVMS device names when you specify an InfoServer device name. Note that the device name must either match exactly the name that the SHOW SERVICES command displays or must contain wildcards.
  In the InfoServer utility, wildcards, where supported, are the same as those used in OpenVMS. The percent (%) character matches exactly one character. The asterisk (*) character matches zero or more characters.
  A disk specification must end with a colon.
• Partition names
  Partitions are container files that are served to the network. As such, they have OpenVMS file names with a default file type of .ESS$PARTITION. Partition names, including the device, directory, and file name, can be no more than 242 characters in length.
  Support for partitions is limited in this version. HP strongly suggests that you use LD devices to support partitioned hard drives. See the DCL command LD HELP for more information.

Qualifiers

/CLASS=className

Specifies a subset of the complete LASTport Disk (LAD) name space.

The purpose of class names is to subdivide name spaces so that clients see only those names that are meaningful to them. The use of class names also allows two services to have the same name and not conflict with one another.

For example, you can use different class names for different on-disk structures that several client systems use. You might use SERVICEA/CLASS=ODS-2 for some client systems and SERVICEA/CLASS=ISO_9660 for other client systems. The service has the same name (SERVICEA), but the class names are different.

The class name you use depends on the client systems that will connect to the service being created. The default class name is ODS_2. For example, OpenVMS systems use the ODS_2 name space when attempting to mount an InfoServer device. Note that OpenVMS clients can solicit only those services that are in the ODS_2 service class.

Valid class names are the following:

V2.0 Names understood by PCSA MS-DOS Clients Unformatted Virtual disk has no format MSDOS MSDOS virtual disks ODS_2 VMS virtual disks UNIX UNIX virtual disks ISO_9660 ISO 9660 CD format HIGH_SIERRA MS-DOS CD format APPLE Macintosh HFS format SUN Sun format

/ENCODED_PASSWORD=hexstring

The SAVE command creates this qualifier. Because passwords are not stored in plain text, the hashed password value is written out as part of the SAVE operation so that the service can be recreated without revealing the password.

Note that if you edit the command procedure that the SAVE command creates and change the service name, the encoded password value is no longer valid. You need to set another password on the service using the /PASSWORD qualifier.

/PASSWORD=passwordString

/NOPASSWORD (default)

Specifies an optional service access control password. The client system must specify the password to access the service.

The password string can be up to 39 alphanumeric ASCII characters in length. If no password is specified, the client system is not required to provide a password to access the service.

The text password is hashed and stored in encrypted form in memory with the other service information.

/RATING=DYNAMIC

/RATING=STATIC=value

Clients use the service rating to select a service in the case of multiple matching services. The service with the highest service rating is selected.

The system adjusts the dynamic service rating based on load. You can also set a static rating between 0 and 65535. The system does not adjust static ratings.

One use of static ratings is to migrate clients from one copy of a service to another. If you set a static rating of 0 on services you want to migrate clients away from, no new clients will connect to a 0-rated service; instead, they will connect to higher-rated services. When all current clients have disconnected from a service, you can safely delete it.

/READAHEAD (default)

/NOREADAHEAD

When a disk read is required to fill a cache block, the /READAHEAD qualifier specifies that the read is to be from the first block requested to the end of the bucket boundary. Readahead can speed up sequential operations by preloading disk blocks that are needed into the cache.

If you specify both the /READAHEAD and the /READBEHIND qualifiers, any block requested within a cache bucket causes the entire bucket range of blocks to be read into the cache.

/READBEHIND

/NOREADBEHIND (default)

When a disk read is required to fill a cache block, the /READBEHIND qualifier specifies that the read is to include all blocks from the beginning of the cache bucket boundary up to and including the requested blocks.

If you specify both the /READAHEAD and the /READBEHIND qualifiers, any block requested within a cache bucket causes the entire bucket range of blocks to be read into the cache.

/READERS=number (default is READERS=1000)

/NOREADERS

Specifies the maximum number of simultaneous client connections allowed for read access. The default is 1000 readers. A value of 0 indicates write-only access.

If a client requests read-only or read/write access to a service, the system counts this as one reader.

/WRITERS

/NOWRITERS (default)

Specifies that the service is to allow access to a single writer.

Examples

$ SHOW DEVICE MOVMAN$DQA0:/full
 
Disk MOVMAN$DQA0:, device type Compaq  CRD-8322B, is online, file-oriented 
    device, shareable, served to cluster via MSCP Server, error logging is 
    enabled. 
 
 Error count                 0    Operations completed 
 Owner process              ""    Owner UIC                  [SYSTEM] 
 Owner process ID     00000000    Dev Prot        S:RWPL,O:RWPL,G:R,W 
 Reference count             0    Default buffer size             512 
 Total blocks         16515072    Sectors per track                63 
 Total cylinders         16384    Tracks per cylinder              16
 

 
$ MOUNT/SYSTEM dqa0 OVMSIPS11
Volume is write locked
OVMSIPS11 mounted on _MOVMAN$DQA0:
 
$ InfoServer
InfoServer> CREATE SERVICE VMS_SIPS_V11 _MOVMAN$DQA0:
%INFOSRVR-I-CRESERV, service VMS_SIPS_V11 [ODS-2] created for
_MOVMAN$DQA0:.
 
 
      

This example shows how to create a service for a CD device:

• The SHOW DEVICE.../FULL command displays a complete list of information about the _MOVMAN$DQA0 CD.
• The MOUNT/SYSTEM command mounts the OVMSIPS11 volume on the _MOVMAN$DQA0: CD.
• The InfoServer CREATE SERVICE command creates the VMS_SIPS_V11 service on the _MOVMAN$DQA0 CD.

$ LD CREATE KIT1/SIZE-100000
$ DIRECTORY KIT1
Directory DKB0:[DISKS] 
 
KIT1.DSK;1       100000/100008   29-APR-2005 14:14:43.49 
 
Total of 1 file, 100000/100008 blocks.
$ LD CONNECT KIT1
%LD-I-UNIT, Allocated device is MOVMAN$LDA1:
 $ CREATE SERVICE TEST_KIT_1 MOVMAN$LDA1:
%INFOSRVR-I-CRESERV, service TEST_KIT_1 [ODS-2] created for 
 _MOVMAN$LDA1:
 
 
      

This example shows how to create a service for a logical disk (LD) device:

• The LD CREATE KIT1 command creates a contiguous file, KIT1, that can be used as a logical disk.
• The DIRECTORY KIT1 command provides information about KIT1.
• The LD CONNECT KIT1 connects the logical disk file, KIT1, to the logical disk device MOVMAN$LDA1:.
• The INITIALIZE command formats the MOVMAN$LDA1: LD device.
• The MOUNT command makes the LD device available for processing.
• The CREATE SERVICE command creates the TEST_KIT_1 service on the _MOVMAN$LDA1 LD device.

DELETE SERVICE

Deletes one or more services.

Format

DELETE SERVICE serviceName [device-or-partitionName]

Parameters

serviceName

The name by which the service is known to the local area network. The service name can consists of alphanumeric characters and dollar signs ($). It can be up to and include 255 characters. Wildcards are permitted.

In the InfoServer utility, wildcards, where supported, are those used in OpenVMS. The percent (%) character matches exactly one character. The asterisk (*) character matches zero or more characters.

device-or-partitionName

The device or partition name is the name of the OpenVMS disk device or partition as it is to be known to the local area network. The name of the device or partition that you enter must have been created previously.

Explanations of device and partition names follow.

• Device names
  Devices served to the local area network are OpenVMS disk devices; use OpenVMS device names when you specify an InfoServer device name. Note that the device name must either match exactly the name that the SHOW SERVICES command displays or must contain wildcards.
  In the InfoServer utility, wildcards, where supported, are those used in OpenVMS. The percent (%) character matches exactly one character. The asterisk (*) character matches zero or more characters.
  A disk specification must end with a colon.
• Partition names
  Partitions are container files that are served to the network. As such, they have OpenVMS file names with a default file type of .ESS$PARTITION. Partition names, including the device, directory, and file name, can be no more than 242 characters in length.
  The partition name can be used to further identify the specific service selected.
  Support for partitions is limited in this version. HP strongly suggests that you use LD devices to support partitioned hard drives. See the DCL command LD HELP for more information.

Qualifiers

/CLASS=className

Specifies a subset of the complete LASTport Disk (LAD) name space.

The purpose of class names is to subdivide name spaces so that clients see only those names that are meaningful to them. The use of class names also allows two services to have the same name and not conflict with one another.

For example, you can use different class names for different on-disk structures that several client systems use. You might use SERVICEA/CLASS=ODS-2 for some client systems and SERVICEA/CLASS=ISO_9660 for other client systems. The service has the same name, SERVICEA, but the class names are different.

The class name you use depends upon the client systems that will connect to the service being created. The default class name is ODS_2. For example, OpenVMS systems use the ODS_2 name space when attempting to mount an InfoServer device. Note that OpenVMS clients can solicit only those services that are in the ODS_2 service class.

Valid class names are the following:

V2.0 Names understood by PCSA MS-DOS Clients Unformatted Virtual disk has no format MSDOS MSDOS virtual disks ODS_2 VMS virtual disks UNIX UNIX virtual disks ISO_9660 ISO 9660 CD format HIGH_SIERRA MS-DOS CD format APPLE Macintosh HFS format SUN Sun format

/CONFIRM (default)

/NOCONFIRM

Confirm the deletion of a service. If there are any connections, even though /NOCONFIRM has been entered, the system forces a confirmation.

Controls whether a request is issued before each delete operation to confirm that the operation should be performed on that service. The following responses are valid:

YES NO QUIT TRUE FALSE Ctrl/Z 1 0 ALL Return (key)

Usage notes:

• You can use any combination of uppercase and lowercase letters for word responses. Word responses can be abbreviated to one or more letters (for example, T, TR, or TRU for TRUE); however, these abbreviations must be unique.
• Affirmative answers are YES, TRUE, and 1. Negative answers include NO, FALSE, 0, and pressing Return.
• Entering QUIT or pressing Ctrl/Z indicates that you want to stop processing the command at that point.
• When you respond by entering ALL, the command continues to process, but no further prompts are displayed.

/DISCONNECT

/NODISCONNECT (default)

Overrides the default prompting for confirmation if you attempt to delete a service that has sessions connected to it. If a service has connected sessions and the /DISCONNECT qualifier is not supplied, you are prompted to confirm service deletion.

To delete services without being prompted at all, specify both the /NOCONFIRM and /DISCONNECT qualifiers.

Example

$ SHOW SERVICES
Service Name         [Service Class] Device or File 
-------------------- --------------- -------------------------- 
HUDSON               [ODS-2]         _MOVERS$LDA1: [ 1 Connection] 
BAFFIN               [ODS-2]         _MOVERS$LDA1: 
FUNDY                [ODS-2]         _MOVERS$LDA1: 
3 services found.
 
$ DELETE SERVICE HUDSON
Service HUDSON has 1 session connected! 
Delete service HUDSON [ODS-2] for _MOVERS$LDA1:? [N]:
 
 
      

The first command displays three services, including one session connection. The second command deletes the HUDSON service. It displays messages indicating that HUDSON had one session connected and that this service has been deleted.