=====================================================
README ADDENDA FOR DCE 3.1 FOR AIX

(C) COPYRIGHT International Business Machines Corp. 1999
All Rights Reserved
Licensed Materials - Property of IBM
US Government Users Restricted Rights - Use, duplication or disclosure
restricted by GSA ADP Schedule Contract with IBM Corp.

This file contains additional changes and updates to the README file
shipped with Distributed Computing Environment (DCE) Version 3.1 for AIX.
=====================================================

Contents

A.1 Installation, Uninstallation, Migration, and Configuration
    A.1.1  Uninstalling "ldap" or "dce.web"
    A.1.2  DCE WebSecure/Admin and Migration from AIX DCE 2.2
    A.1.3  AIX Cached Servers Migration
    A.1.4  Uninstall Fails because dceweb Servers are Configured
    A.1.5  dceweb Migration and Invalid /opt/dcelocal/web/etc/servers File Entries
    A.1.6  Migrating DCE WebSecure/Admin in DCE 2.1 to DCE 3.1
    A.1.7  dceweb Configuration Same Server Name Limitation
    A.1.8  Maximum Cellname Limitation
    A.1.9  Duplicate and Obsolete Filesets Listed on SMIT Installation Menus
    A.1.10 Problem Configuring an idms Server on a Newly Configured Machine
A.2 Security
    A.2.1  Setting "maxtktrenew" and "maxtktlife" Attributes
    A.2.2  Intercell and Password Strength Server
    A.2.3  Password Strength Server "mindiff", "histexpire", and "histsize" Rules
    A.2.4  New DCE Audit Actions with the Event Management Service
    A.2.5  Enhanced Password Strength Server Command Line Options
A.3 I18N Considerations for Web Administration and Web Secure
    A.3.1  Running DCE Web Admin in code page 850 with Netscape
    A.3.2  Starting Web Secure from the Command Line
    A.3.3  Changing the Active Locale for DCE Web Administration
    A.3.4  "asciiview" Command is English Only

=====================================================
A.1 Installation, Uninstallation, Migration, and Configuration
=====================================================

A.1.1 Uninstalling "ldap" or "dce.web"

If the LPPs "ldap" and "dce.web" are both installed on the same system, a
sysck: 3001-036 WARNING may be displayed. The installs are still good;
however, message problems can arise if either LPP is uninstalled while the
other remains installed.

It is recommended that if the LPPs "ldap" and "dce.web" are installed on
the same AIX system, neither of them be removed. If removing either LPP is
necessary, force install the message fileset for the remaining LPP after
the uninstall of the other LPP has completed. This restores the needed
message file /usr/lib/nls/msg/en_US/dcehtml.cat. The message filesets to
force install are ldap.msg.<lang> (ldap) or dce.msg.<lang>.web.admin.rte
(dce.web), where <lang> is the language (locale) setting for your system.

For example, if on a US English system both ldap and dce.web are
installed, they share the message file /usr/lib/nls/msg/en_US/dcehtml.cat.
If the LPP package dce.web is then removed, the
/usr/lib/nls/msg/en_US/dcehtml.cat file is also removed, leaving ldap
without this needed message file. To avoid ldap message problems, force
install the fileset ldap.msg.en_US. This restores the message file and its
ownership to ldap.

In the other case, ldap is removed and dce.web remains. The dce.web LPP
package is left without /usr/lib/nls/msg/en_US/dcehtml.cat. Restore the
file and its ownership by force installing dce.msg.en_US.web.admin.rte.

=====================================================
A.1.2 DCE WebSecure/Admin and Migration from AIX DCE 2.2

If you had DCE WebSecure/Admin Netscape (dceweb) servers configured in
AIX DCE 2.2, your dceweb servers must be migrated to the current release
before they will be functional.

An attempt will be made to migrate the dceweb configuration information
when any of the following commands are run:

    * migrate.dceweb
    * start.dce
    * stop.dce
    * config.dce
    * unconfig.dce

Also, if the specific dceweb server you are trying to configure or
unconfigure has not been successfully migrated, an attempt will be made
to migrate the dceweb configuration information when either of the
following commands is run:

    * mkdceweb
    * rmdceweb

In order for a specific previously configured DCE WebSecure/Admin Netscape
server to be functional, the following conditions must be met:

    * The Netscape server in question must be running.
    * DCE must be running.
    * The DCE WebSecure/Admin configuration data for the server must be
      migrated.
    * The Netscape server in question must have been stopped and
      re-started after the configuration data was migrated.

The migrate.dceweb process will stop and re-start any DCE WebSecure/Admin
Netscape server that it was able to successfully migrate. It is
recommended that you run migrate.dceweb and resolve any problems that are
encountered before attempting to start DCE.

=====================================================
A.1.3 AIX Cached Servers Migration

When migrating an AIX DCE system which has an intercell connection
established by use of "cdscp define cached server", the config.dce command
must be used after installing the new level of DCE and before using
start.dce in order to preserve knowledge of the cached server. The
-cds_replica_list option should be used to specify the cds servers. This
is a quoted list that can contain multiple servers separated by spaces;
either the hostname or the IP address can be used in this list. For
example:

    config.dce -cds_replica_list "server1 server2"

By running this command, the list of cds servers is preserved outside of
the cds cache. This information is used to update the cds cache each time
DCE is restarted. The -cds_replica_list option can be used at any time to
update the list of cds servers. The config.dce command will do a "define
cached server" for each new cds server. When servers are removed, the
cache is not updated until the cache is cleaned up.

If this step isn't done, the intercell connection can be reinstated by
repeating the original "cdscp define cached server" command.

=====================================================
A.1.4 Uninstall Fails because dceweb Servers are Configured

If during AIX DCE 3.1 uninstall you get a message stating that it won't
uninstall because you have dceweb servers configured, but you don't think
that you have any dceweb servers configured, do the following:

    1. Look in the file /opt/dcelocal/web/etc/servers for the dceweb
       server entries. A dceweb server entry should look like:

           my_server admin Enterprise 3.62 /usr/netscape/suitespot

    2. If there are proper server entries in the file, use "rmdceweb" to
       unconfigure each server that is shown.
    3. If there are entries in the file that don't look like they should
       (for example, not enough fields in the line), remove them.
    4. If there are no entries left in the file, erase it.

After doing these steps, you should be able to uninstall AIX DCE 3.1.

=====================================================
A.1.5 dceweb Migration and Invalid /opt/dcelocal/web/etc/servers File Entries

If the dceweb 2.2 configuration program put an "invalid" entry in the
servers file for a server (meaning there was a "/n" in the Netscape
version field), and that server was then unconfigured with the dceweb 2.2
configuration program, "bad" data that migrate.dceweb can't process is
left in the file. Because of this, even though all of the dceweb servers
that are configured have been migrated, the migration program will
continue to run every time DCE is started or stopped. To fix this problem,
either remove the offending line from the servers file, or erase
/opt/dcelocal/web/etc/mig.loc.
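A read-only check for the servers file situations in A.1.4 and A.1.5, as an added example (not part of this README or of the DCE product): it classifies each entry of /opt/dcelocal/web/etc/servers against the five-field layout shown above and prints the A.1.4 step that applies, without touching the file. It assumes the type values admin/secure and Enterprise/FastTrack, and the sample file it builds is constructed.

```shell
#!/bin/sh
# Added example, not part of the DCE 3.1 README or of DCE itself: a read-only
# check of the dceweb servers file for the cases in A.1.4 (uninstall refuses
# because servers look configured) and A.1.5 (a leftover bad entry keeps
# migrate.dceweb running at every start/stop). It never edits the file.
# Assumed: a well-formed entry has exactly five fields, as in the README's
# "my_server admin Enterprise 3.62 /usr/netscape/suitespot".

SERVERS_FILE=${SERVERS_FILE:-/opt/dcelocal/web/etc/servers}

# One report line per entry: "OK name type nstype version home" for a
# five-field entry with a known type and Netscape server type and a numeric
# version; "BAD <line>" otherwise (too few fields, or "/n" in the version
# field as described in A.1.5). Blank lines are skipped.
dceweb_check_servers() {
    file=${1:-$SERVERS_FILE}
    [ -r "$file" ] || { echo "NOFILE $file"; return 2; }
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line                     # split the entry into its fields
        [ $# -eq 0 ] && continue
        ok=0
        if [ $# -eq 5 ]; then
            case "$2/$3" in
                admin/Enterprise|admin/FastTrack|secure/Enterprise|secure/FastTrack)
                    case "$4" in ''|*[!0-9.]*|.*|*.) ;; *) ok=1 ;; esac ;;
            esac
        fi
        if [ "$ok" -eq 1 ]; then echo "OK $1 $2 $3 $4 $5"; else echo "BAD $line"; fi
    done < "$file"
}

# Count the report lines carrying a given tag (OK or BAD).
dceweb_count() { dceweb_check_servers "$2" | grep -c "^$1 " || true; }

# Print the report, a summary, and the A.1.4 step that applies to each
# entry (rmdceweb for real servers, removal of bad lines, erase the file
# when nothing is left) without performing any of them.
dceweb_advise() {
    file=${1:-$SERVERS_FILE}
    report=$(dceweb_check_servers "$file") || { echo "$report"; return 2; }
    printf '%s\n' "$report"
    ok=$(printf '%s\n' "$report" | grep -c '^OK ' || true)
    bad=$(printf '%s\n' "$report" | grep -c '^BAD ' || true)
    echo "SUMMARY ok=$ok bad=$bad"
    printf '%s\n' "$report" | while read -r tag name rest; do
        case "$tag" in
            OK)  echo "STEP2 run: rmdceweb $name" ;;
            BAD) echo "STEP3 malformed entry, remove the line: $name $rest" ;;
        esac
    done
    if [ "$ok" -eq 0 ] && [ "$bad" -eq 0 ]; then echo "STEP4 no entries left: erase $file"; fi
}

# Constructed sample servers file (not real data) so the script runs offline.
dceweb_sample_file() {
    f=$(mktemp) || return 1
    printf '%s\n' 'my_server admin Enterprise 3.62 /usr/netscape/suitespot' \
        'web2 secure FastTrack 3.01 /netscape/suitespot' \
        'broken admin Enterprise' '' \
        'oddver secure FastTrack /n /netscape/suitespot' > "$f"
    echo "$f"
}

# Stand-alone run: check the file named on the command line, else the sample.
sample=$(dceweb_sample_file)
dceweb_advise "${1:-$sample}"
rm -f "$sample"
```

Run it as `sh check_servers.sh /opt/dcelocal/web/etc/servers` on the real file; with no argument it reports on the constructed sample.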
=====================================================
A.1.6 Migrating DCE WebSecure/Admin in DCE 2.1 to DCE 3.1

There is a situation where a DCE WebSecure/Admin server can be configured
and working, but not all of the information pertaining to the server was
stored in the /opt/dcelocal/web/etc/servers file. Because of this, some
previously configured DCE WebSecure/Admin servers may not be migrated up
to the DCE 3.1 level.

Check the /opt/dcelocal/web/etc/servers file to see if all of your
configured servers are listed. An entry in the servers file should look
like:

    my_server admin Enterprise 3.62 /netscape/suitespot

The first field is the server name. The second is the DCE WebSecure/Admin
type (secure for secure only, admin for admin/secure). The third field is
the Netscape server type (Enterprise or FastTrack). The fourth field is
the Netscape version number. The last field is the server's Netscape home
directory.

If you are looking at this file before migration has been performed, some
of these lines may be split. DO NOT ATTEMPT TO FIX THESE SPLIT LINES! The
servers file should only be modified by DCE programs (unless otherwise
directed by DCE documentation).

If any of your previously configured DCE WebSecure/Admin servers are not
listed, do the following:

    1. For each missing dceweb server, run the following as root:

           add_dceweb_entry

       For example:

           add_dceweb_entry my_server admin /netscape/suitespot

    2. After all entries have been successfully added to the servers
       file, run the DCE WebSecure/Admin migration program,
       migrate.dceweb.

The add_dceweb_entry program will do the following:

    * If the server entry already exists in the
      /opt/dcelocal/web/etc/servers file, the entry will be displayed.
    * If the server entry was successfully added to the servers file, the
      new entry will be displayed.
    * If an error occurred, the program will display the data that is
      causing the problem along with three question marks (???).

The add_dceweb_entry program is only intended to add entries to the
servers file. It will not update entries that are already there.

=====================================================
A.1.7 dceweb Configuration Same Server Name Limitation

When two or more Netscape versions are installed (for example, Enterprise
and FastTrack) and the same server name is used with more than one
Netscape version (for example, server1), DCE can only configure one of the
servers.

=====================================================
A.1.8 Maximum Cellname Limitation

The maximum cellname that can be used when configuring a DCE cell is
calculated from the maximum filename size of 255. The largest filename
that is created by DCE is #_ch.checkpoint<10 digit number>. Due to this
limitation, the cellname size is calculated as (229 - ). This limit is
enforced when the Security Master server, or an Initial or Additional CDS
Server, is configured. The maximum cellname size of 255 is enforced when
configuring a client, or any other servers, into an existing cell.

=====================================================
A.1.9 Duplicate and Obsolete Filesets Listed on SMIT Installation Menus

Several DCE filesets were renamed in the 3.1 release. When an upgrade
installation is done, filesets are installed based on what is currently
installed. Since the filesets were renamed, filesets with the new names
are not found on the system. To allow upgrades, "dummy" filesets with the
old names were created. These filesets simply corequisite the filesets
with the new names. They do not install any files.

When installing through SMIT using the install latest or install all
menus, you will see two of the same fileset listed. One of these is the
real fileset with a new fileset name, the other is the "dummy" fileset.
The "dummy" fileset will have "FOR UPGRADES" in the fileset description.

For example, dce.client.core.rte has been renamed to dce.client.rte.
There is a "dummy" fileset named dce.client.core.rte. The description that
you will see for the dce.client package is shown below. (Notice that there
are two entries for "DCE Client Services". One contains "- FOR UPGRADES".
This is the "dummy" fileset.)

    dce.client
      + 3.1.0.0 DCE Client Administrative Tools
      + 3.1.0.0 DCE Client CDS Tools
      + 3.1.0.0 DCE Client Configuration Tools
      + 3.1.0.0 DCE Client RPC Tools
      + 3.1.0.0 DCE Client Security Tools
      + 3.1.0.0 DCE Client Services
      + 3.1.0.0 DCE Client Services - FOR UPGRADES
      + 3.1.0.0 DCE Client Time Tools
      + 3.1.0.0 DCE Client Time Zones
      + 3.1.0.0 DCE SMIT Client Tools
      + 3.1.0.0 DCE Threads Compatibility Library
      + 3.1.0.0 DCE Web Secure

The "dummy" fileset options do not have to be selected. They are there for
use by the update all menu. Once DCE is installed, the "dummy" filesets do
not need to be on the system. Most of them will be removed by other
filesets. Sometimes, a few might be left on the system, depending on the
order in which they are installed. They can be left on the system or
removed; it is up to you.

This is the list of "dummy" filesets. These filesets existed in previous
DCE releases. They have either been renamed or merged with other filesets
in the DCE 3.1 release.

    dce.client.core.rte
    dce.compat.cds.smit
    dce.compat.client.core.smit
    dce.compat.security.smit
    dce.compat.sysmgmt.ems.smit
    dce.compat.sysmgmt.snmpagt.smit
    dce.compat.web.admin.smit
    dce.msg.Es_ES.client.core.rte
    dce.msg.Es_ES.compat.cds.smit
    dce.msg.Es_ES.compat.client.core.smit
    dce.msg.Es_ES.compat.security.smit
    dce.msg.Es_ES.compat.sysmgmt.ems.smit
    dce.msg.Es_ES.compat.sysmgmt.snmpagt.smit
    dce.msg.Es_ES.pthreads.rte
    dce.msg.Es_ES.web.admin.rte
    dce.msg.Es_ES.web.secure.rte
    dce.msg.Ja_JP.client.core.rte
    dce.msg.Ja_JP.compat.cds.smit
    dce.msg.Ja_JP.compat.client.core.smit
    dce.msg.Ja_JP.compat.security.smit
    dce.msg.Ja_JP.compat.sysmgmt.ems.smit
    dce.msg.Ja_JP.compat.sysmgmt.snmpagt.smit
    dce.msg.Ja_JP.pthreads.rte
    dce.msg.Ja_JP.web.admin.rte
    dce.msg.Ja_JP.web.secure.rte
    dce.msg.Zh_TW.client.core.rte
    dce.msg.Zh_TW.compat.cds.smit
    dce.msg.Zh_TW.compat.client.core.smit
    dce.msg.Zh_TW.compat.security.smit
    dce.msg.Zh_TW.compat.sysmgmt.ems.smit
    dce.msg.Zh_TW.compat.sysmgmt.snmpagt.smit
    dce.msg.Zh_TW.pthreads.rte
    dce.msg.Zh_TW.web.admin.rte
    dce.msg.Zh_TW.web.secure.rte
    dce.msg.en_US.client.core.rte
    dce.msg.en_US.compat.cds.smit
    dce.msg.en_US.compat.client.core.smit
    dce.msg.en_US.compat.security.smit
    dce.msg.en_US.compat.sysmgmt.ems.smit
    dce.msg.en_US.compat.sysmgmt.snmpagt.smit
    dce.msg.en_US.pthreads.rte
    dce.msg.en_US.web.admin.rte
    dce.msg.en_US.web.secure.rte
    dce.msg.es_ES.client.core.rte
    dce.msg.es_ES.compat.cds.smit
    dce.msg.es_ES.compat.client.core.smit
    dce.msg.es_ES.compat.security.smit
    dce.msg.es_ES.compat.sysmgmt.ems.smit
    dce.msg.es_ES.compat.sysmgmt.snmpagt.smit
    dce.msg.es_ES.pthreads.rte
    dce.msg.es_ES.web.admin.rte
    dce.msg.es_ES.web.secure.rte
    dce.msg.ja_JP.client.core.rte
    dce.msg.ja_JP.compat.cds.smit
    dce.msg.ja_JP.compat.client.core.smit
    dce.msg.ja_JP.compat.security.smit
    dce.msg.ja_JP.compat.sysmgmt.ems.smit
    dce.msg.ja_JP.compat.sysmgmt.snmpagt.smit
    dce.msg.ja_JP.pthreads.rte
    dce.msg.ja_JP.web.admin.rte
    dce.msg.ja_JP.web.secure.rte
    dce.msg.ko_KR.client.core.rte
    dce.msg.ko_KR.compat.cds.smit
    dce.msg.ko_KR.compat.client.core.smit
    dce.msg.ko_KR.compat.security.smit
    dce.msg.ko_KR.compat.sysmgmt.ems.smit
    dce.msg.ko_KR.compat.sysmgmt.snmpagt.smit
    dce.msg.ko_KR.pthreads.rte
    dce.msg.ko_KR.web.admin.rte
    dce.msg.ko_KR.web.secure.rte
    dce.msg.zh_TW.client.core.rte
    dce.msg.zh_TW.compat.cds.smit
    dce.msg.zh_TW.compat.client.core.smit
    dce.msg.zh_TW.compat.security.smit
    dce.msg.zh_TW.compat.sysmgmt.ems.smit
    dce.msg.zh_TW.compat.sysmgmt.snmpagt.smit
    dce.msg.zh_TW.pthreads.rte
    dce.msg.zh_TW.web.admin.rte
    dce.msg.zh_TW.web.secure.rte
    dce.web.admin.rte
    dce.web.secure.rte

=====================================================
A.1.10 Problem Configuring an idms Server on a Newly Configured Machine

Occasionally the configuration of an idms server fails to create an idmsd
keytab. The keytable entry can not be created until dced has completed its
initialization. One of the following can be done:

    * After configuring rpc, sec_cl, sec_srv (or sec_rep), and cds_cl,
      wait a few minutes before configuring idms. (You should only need
      to wait 1-5 minutes.)
    * Edit /opt/dcelocal/etc/usrstime.tcl and modify the time that
      config.dce will wait for the keytable create to complete
      successfully. Change the value of wait_for_keytab_to_work from 90
      to some larger amount of time in seconds.
    * If config.dce fails during the configuration of idms, run
      "unconfig.dce idms", wait for a few moments, and rerun the
      "config.dce idms" command. (You should only need to wait 1-5
      minutes.)

=====================================================
A.2 Security
=====================================================

A.2.1 Setting "maxtktrenew" and "maxtktlife" Attributes

When you use the dcecp "account modify" command to set the value of the
"maxtktrenew" or "maxtktlife" attribute of a user's account, you may
receive the error "msgID=0x17122084 Invalid data record". This may occur
if you are setting either of these two account attributes for the first
time, even when you specify valid values for these attributes.

To set the "maxtktrenew" or "maxtktlife" attribute on an account for the
first time, you must specify both attributes on the dcecp "account modify"
command. Once both attributes have been set for the account, you can then
use dcecp to modify either of them individually.

=====================================================
A.2.2 Intercell and Password Strength Server

To use intercell and password generation, the full canonical binding and
the foreign cell name need to be specified in the pwd_mgmt_binding ERA for
users with a pwd_val_type ERA of 2 or 3. For example, in the local cell
you can specify:

    dcecp -c principal modify -add {pwd_mgmt_binding {{ dce /...//pwd_strengthd pktprivacy secret name} /...//subsys/dce/pwd_mgmt/pwd_strengthd}}

This command directs password generation to the foreign cell instead of
the default local cell whenever password generation is requested. For more
information on intercell connections or Password Strength Server
requirements, consult the IBM DCE 3.1 for AIX and Solaris: Administration
Guide - Core Components.

=====================================================
A.2.3 Password Strength Server "mindiff", "histexpire", and "histsize" Rules

The "mindiff", "histexpire", and "histsize" rules compare the new password
against the current password, and they require that one password change
through the password strength server must already have occurred before
the rules can succeed. The checking routines retrieve the current password
from the password strength history database. If the current password was
not changed using the password strength server, it does not exist in the
history database. In this case, the new password is compared to a blank
password and the operation may not be successful.

=====================================================
A.2.4 New DCE Audit Actions with the Event Management Service

When modifying and creating audit filters for the audit service, a new
action, "ems", can be specified in filter guides. If "ems" is specified as
an action in a filter guide, the audit event will be sent to the event
management service.

=====================================================
A.2.5 Enhanced Password Strength Server Command Line Options

This version of DCE provides a new enhanced Password Strength Server.
Several command line options that were available on the Password Strength
Server in previous DCE versions are now obsolete. These options are:

    +/-all_spaces
    +/-alpha_num
    -min_len

Although these options continue to work on the enhanced server for
compatibility purposes, you should avoid using them. Instead, the enhanced
server can read similar password rules from the registry and use them to
check user passwords. This can be done by setting registry-wide or
organization-specific password policies, using the dcecp commands
"registry modify" and "organization modify". To set the password minimum
length, set the "minlen" value in the IBM_pwd_comp_rules ERA.

For more information and examples on how to set password rules for users
with the enhanced Password Strength Server, consult the IBM DCE 3.1 for
AIX and Solaris: Administration Guide - Core Components documentation.

=====================================================
A.3 I18N Considerations for Web Administration and Web Secure
=====================================================

A.3.1 Running DCE Web Admin in code page 850 with Netscape

Perform the following steps to change the Netscape browser font to code
page 850:

    - From Edit, Preferences, Appearance, Fonts, select User-Defined for
      the Encoding and ibm-850 for the fonts.
    - From View, Character Set, select User-Defined.

=====================================================
A.3.2 Starting Web Secure from the Command Line

For some Asian locales, you can not start a Netscape Web server, such as
DCE Web Secure, from the command line in an aixterm. If you plan to
configure or start DCE Web Secure from the command line, use a dtterm, not
an aixterm. Alternatively, use the Netscape Server Administration page,
rather than the command line, to manage DCE Web Secure.

=====================================================
A.3.3 Changing the Active Locale for DCE Web Administration

First stop Web Secure, change its locale, and restart it. For example,
from the command line, you might use commands similar to these:

    > /usr/netscape/suitespot/httpd-/stop
    > export LC_ALL=
    > /usr/netscape/suitespot/httpd-/start

Next, stop and start the Netscape Browser and access DCE Web
Administration.

=====================================================
A.3.4 "asciiview" Command is English Only

The "asciiview" command does not work for languages other than English.
To view a 3270-format document in another language:

    - change to the appropriate directory, /usr/lpp/dcedoc/3270/
    - using an editor such as vi, browse booklist to identify the correct
      document,
    - view the selected document using any plain text editor, such as vi.

=====================================================