This chapter describes the ACCESS-CONFIG commands you can use to examine, modify, and save configuration files for MultiNet Secure/IP.
To invoke the ACCESS-CONFIG utility:
$ MULTINET CONFIGURE /ACCESS
At any ACCESS-CONFIG prompt, type ? to list the available commands.
Online help for each ACCESS-CONFIG command is available through the HELP command. For details on configuring MultiNet Secure/IP, refer to Chapter 4 of the MultiNet for OpenVMS Installation and Administrator's Guide.
Table 8-1 lists the commands you can use at the ACCESS-CONFIG prompt.
Table 8-1 ACCESS-CONFIG Command Summary

Command      Description
ADD          Allows multiple address parameters to be added as a comma-separated list.
ATTACH       Detaches the terminal from the calling process and reattaches it to another process.
EXIT         Saves the current configuration, if it has been modified, then quits.
GET          Reads in a configuration file. (Functionally equivalent to USE.)
HELP         Displays help information.
NETCONTROL   Transfers control to a configuration manager subsystem that contacts the NETCONTROL server on local or remote hosts.
PUSH         Starts a DCL subprocess.
QUIT         Exits and prompts to save the changes if you changed the configuration.
RELOAD       Reloads MultiNet Secure/IP from the MULTINET:START_ACCESS.COM configuration file.
REMOVE       Allows multiple address parameters to be removed.
SAVE         Writes the current configuration file. (Functionally equivalent to WRITE.)
SET          Sets MultiNet Secure/IP global parameters.
SHOW         Displays the current configuration of the local MultiNet Secure/IP software. If only the MultiNet Secure/IP Client is running, the Secure/IP Server information is suppressed.
SPAWN        Executes a single DCL command, or, if entered without options, starts a subprocess with the same effect as PUSH.
STATUS       Displays the version and whether the configuration has been modified.
USE          Reads in a configuration file. (Functionally equivalent to GET.)
VERSION      Displays the version number.
WRITE        Writes the current configuration to a file. (Functionally equivalent to SAVE.)
Most configuration changes rely on the SET command. After setting or changing parameters, ACCESS-CONFIG displays directions for the utilities that must be run as it exits. These directions are summarized in the following table.
If you change this parameter:   Do the following:
DECNET-LOGIN                    Restart the Client with @MULTINET:START_ACCESS.
DECTERM-LOGIN                   Restart the Client with @MULTINET:START_ACCESS.
DEFAULT-METHOD                  Reload the Server with MULTINET NETCONTROL ACCESS RELOAD.
FTP-ENABLED                     Restart the Client with @MULTINET:START_ACCESS.
LOCAL-DEVICES                   Restart the Client with @MULTINET:START_ACCESS.
LOCAL-NETWORKS                  Reload the Server with MULTINET NETCONTROL ACCESS RELOAD.
LOCAL-PASSWORDS                 Reload the Server with MULTINET NETCONTROL ACCESS RELOAD.
MULTINET-LOGIN                  Restart the Client with @MULTINET:START_ACCESS.
MUTUAL-AUTHENTICATION           Restart the Client with @MULTINET:START_ACCESS.
NETWORK-LOGIN                   Restart the Client with @MULTINET:START_ACCESS.
SERVER-ADDRESS                  Restart the Client and Server with @MULTINET:START_ACCESS and @MULTINET:START_SERVER.
SERVER-PORT                     Restart the Client and Server with @MULTINET:START_ACCESS and @MULTINET:START_SERVER.
TELNET-ENABLED                  Restart the Client with @MULTINET:START_ACCESS.
TICKET-LIFETIME                 Restart the Client with @MULTINET:START_ACCESS.
USER-SKEY                       Reload the Server with MULTINET NETCONTROL ACCESS RELOAD.
Note! After you make changes with ACCESS-CONFIG, you are prompted as to what to do to make the changes take effect.
ADD
Allows multiple address parameters to be added as a comma-separated list. Network parameters require a subnet mask, so use the format IP-NETWORK/NETWORK-MASK. You can use the keyword DEFAULT as the network mask; the mask will then be derived from the given ip-network.
FORMAT
ADD [ local-networks ]
[ untrusted-hosts ]
[ server-addresses ]
PARAMETERS
local-networks
Specifies the address of the local network you want to add.
untrusted-hosts
Specifies the address of the untrusted hosts you want to add.
server-address
Specifies the address of the server you want to add.
EXAMPLE
$ MULTINET CONFIGURE /ACCESS
MultiNet Access Configuration Utility 5.3(n)
[Reading in configuration from MULTINET:START_ACCESS.COM]
ACCESS-CONFIG>ADD LOCAL-NETWORKS 161.44.72.0/255.255.255.0
ACCESS-CONFIG>ADD UNTRUSTED-HOSTS 161.44.72.3,161.44.72.4
ACCESS-CONFIG>ADD SERVER-ADDRESS 161.44.72.1
[Writing configuration to MULTINET:START_ACCESS.COM]
ACCESS-CONFIG>
ATTACH
Detaches the terminal from the calling process and reattaches it to another process. Use the SPAWN SHOW PROCESS /SUBPROCESSES command to list the names of the subprocesses. Use the DCL LOGOUT command to return to the original process. If the MULTINET_DISABLE_SPAWN logical is defined, ATTACH does not work.
FORMAT
ATTACH process-name
PARAMETER
process-name
Specifies the name of a process to which you want your terminal attached. Not all subprocesses can be attached; some testing may be required.
EXAMPLE
$ MULTINET CONFIGURE /ACCESS
MultiNet Access Configuration Utility 5.3(n)
[Reading in configuration from MULTINET:START_ACCESS.COM]
ACCESS-CONFIG>SPAWN
$ MM
MM>SPAWN SHOW PROCESS /SUBPROCESSES
. . .
There are 3 processes in this job:
_TWA42:
PROC_1
PROC_2 (*)
MM>ATTACH _TWA42:
ACCESS-CONFIG>ATTACH PROC_1
MM>EXIT
$ LOGOUT
ACCESS-CONFIG>
This example shows how to create and exit attached subprocesses. The SPAWN command creates a subprocess. Then MM is invoked from that subprocess. Next, the SPAWN SHOW PROCESS /SUBPROCESSES command lists all the active subprocesses: _TWA42: is ACCESS-CONFIG, PROC_1 is MM, and PROC_2 is SHOW PROCESS /SUBPROCESSES.
The ATTACH _TWA42: command hands control to ACCESS-CONFIG. The ATTACH PROC_1 command hands control to MM. When MM is exited, control returns to the first subprocess. Then LOGOUT returns control to ACCESS-CONFIG.
EXIT
Saves the current configuration, if it has been modified, then quits.
FORMAT
EXIT
EXAMPLE
This example shows that when the configuration has not been changed, a message indicates that the configuration file has not been updated.
$ MULTINET CONFIGURE /ACCESS
MultiNet Access Configuration Utility 5.3(n)
[Reading in configuration from MULTINET:START_ACCESS.COM]
ACCESS-CONFIG>EXIT
[Configuration not modified, so no update needed]
$
This example shows that when the configuration has been changed, a message indicates that the configuration file has been updated.
$ MULTINET CONFIGURE /ACCESS
MultiNet Access Configuration Utility 5.3(n)
[Reading in configuration from MULTINET:START_ACCESS.COM]
ACCESS-CONFIG>command
ACCESS-CONFIG>EXIT
[Writing configuration to MULTINET:START_ACCESS.COM]
$
GET
Reads in a configuration file. (Functionally equivalent to USE.) After using GET, you can use other ACCESS-CONFIG commands to display the new configuration.
FORMAT
GET config_file
PARAMETER
config_file
Specifies the name of an input configuration file.
EXAMPLE
This example reads in the MULTINET:NEW_CONFIG.CFG file.
$ MULTINET CONFIGURE /ACCESS
MultiNet Access Configuration Utility 5.3(n)
[Reading in configuration from MULTINET:START_ACCESS.COM]
ACCESS-CONFIG>GET MULTINET:NEW_CONFIG.CFG
[Reading in configuration from MULTINET:NEW_CONFIG.CFG;1]
ACCESS-CONFIG>EXIT
HELP
Displays help information.
FORMAT
HELP [topics]
PARAMETER
topics
Specifies a space-delimited list of words beginning with a topic, which may be followed by subtopics. The default topic is HELP.
EXAMPLE
ACCESS-CONFIG>HELP
HELP
Invokes command help.
Format
HELP [topics]
Additional information available:
ATTACH Command_Summary EXIT GET HELP
NETCONTROL PUSH QUIT RELOAD SAVE SET
SHOW SPAWN STATUS USE VERSION WRITE
Topic?
NETCONTROL
Transfers control to a configuration manager subsystem that contacts the NETCONTROL server on local or remote hosts. Use NETCONTROL RELOAD to reload the MultiNet Secure/IP Server. After invoking NETCONTROL, issue commands to the NETCONTROL server to affect MULTINET_SERVER operations at the site.
FORMAT
NETCONTROL [host]
PARAMETERS
host
Specifies a host name. It defaults to the local host if no host is specified.
RESTRICTIONS
The NETCONTROL server is normally protected from unauthorized access by a restriction list.
EXAMPLE
$ MULTINET CONFIGURE /ACCESS
MultiNet Access Configuration Utility 5.3(n)
[Reading in configuration from MULTINET:START_ACCESS.COM]
ACCESS-CONFIG>NETCONTROL
Connected to NETCONTROL server on "127.0.0.1"
< FLOWERS.COM Network Control 5.3 (nnn) at Mon 18-August-2003 7:42am-PDT
ACCESS>?
NETCONTROL command, one of the following:
ATTACH PUSH QUIT QUOTE SELECT SPAWN VERBOSE
or Command, one of the following:
DEBUG NOOP RELOAD VERSION
ACCESS>RELOAD
< ACCESS database reload done
ACCESS>QUIT
ACCESS-CONFIG>
This example reloads the ACCESS server. You can run MULTINET NETCONTROL from the DCL command line also:
$ MULTINET NETCONTROL
NETCONTROL>SELECT ACCESS
ACCESS>RELOAD
ACCESS>QUIT
PUSH
Starts a DCL subprocess. To return control to ACCESS-CONFIG from the DCL command line, use the LOGOUT command. PUSH does not function if the MULTINET_DISABLE_SPAWN logical is defined.
FORMAT
PUSH
EXAMPLE
In this example, PUSH is used to go to the DCL command line to disable broadcasts. The LOGOUT command returns control to ACCESS-CONFIG.
$ MULTINET CONFIGURE /ACCESS
MultiNet Access Configuration Utility 5.3(n)
[Reading in configuration from MULTINET:START_ACCESS.COM]
ACCESS-CONFIG>PUSH
$ SET TERMINAL /NOBROADCAST
$ LOGOUT
ACCESS-CONFIG>
QUIT
Exits and prompts to save the changes if the configuration has been modified.
FORMAT
QUIT
EXAMPLE
$ MULTINET CONFIGURE /ACCESS
MultiNet Access Configuration Utility 5.3(n)
[Reading in configuration from MULTINET:START_ACCESS.COM]
ACCESS-CONFIG>QUIT
Configuration modified, do you want to save it ? [NO]NO
$
RELOAD
Reloads MultiNet Secure/IP from the MULTINET:START_ACCESS.COM configuration file.
FORMAT
RELOAD
EXAMPLE
$ MULTINET CONFIGURE /ACCESS
MultiNet Access Configuration Utility 5.3(n)
[Reading in configuration from MULTINET:START_ACCESS.COM]
ACCESS-CONFIG>RELOAD
Connected to NETCONTROL server on "127.0.0.1"
< FNORD.IRIS.COM Network Control 5.3(nnn) at Mon 7-July-2003 7:42am-PDT
< ACCESS database reload done
ACCESS-CONFIG>
REMOVE
Allows removal of multiple address entries from a comma-separated list. Network parameters require a subnet mask, so use the format IP-NETWORK/NETWORK-MASK. You can use the keyword DEFAULT as the network mask; the mask will then be derived from the given ip-network.
FORMAT
REMOVE [ local-networks ]
[ untrusted-hosts ]
[ server-addresses ]
PARAMETERS
local-networks
Specifies the address of the local network you want to remove.
untrusted-hosts
Specifies the address of the untrusted hosts you want to remove.
server-address
Specifies the address of the server you want to remove.
EXAMPLE
$ MULTINET CONFIGURE /ACCESS
MultiNet Access Configuration Utility 5.3(n)
[Reading in configuration from MULTINET:START_ACCESS.COM]
ACCESS-CONFIG>REMOVE LOCAL-NETWORKS 161.44.72.0/255.255.255.0
ACCESS-CONFIG>REMOVE UNTRUSTED-HOSTS 161.44.72.3,161.44.72.4
ACCESS-CONFIG>REMOVE SERVER-ADDRESS 161.44.72.1
[Writing configuration to MULTINET:START_ACCESS.COM]
ACCESS-CONFIG>
SAVE
Writes the current configuration file. (Functionally equivalent to WRITE.)
FORMAT
SAVE [config_file]
PARAMETER
config_file
Specifies the name of the output configuration file. The default is the same file from which the configuration was read.
EXAMPLE
$ MULTINET CONFIGURE /ACCESS
MultiNet Access Configuration Utility 5.3(n)
[Reading in configuration from MULTINET:START_ACCESS.COM]
ACCESS-CONFIG>SAVE
[Writing configuration to MULTINET:START_ACCESS.COM]
ACCESS-CONFIG>
SET
Sets MultiNet Secure/IP global parameters.
FORMAT
SET [ decnet-login]
[ decterm-login]
[ default-method]
[ ftp-enabled]
[ kerberos-principal]
[ local-devices]
[ local-networks]
[ local-passwords]
[ multinet-login]
[ mutual-authentication]
[ network-login]
[ server-address]
[ server-port]
[ telnet-enabled]
[ ticket-lifetime]
[ untrusted-host]
[ user-skey]
PARAMETERS
decnet-login
When DECNET-LOGIN is TRUE, plain text passwords (OpenVMS or Kerberos) are allowed when logging in via DECnet SET HOST. When DECNET-LOGIN is FALSE (the default), users must authenticate using their default authentication methods. A DECnet login occurs when a user gets a Username: prompt on an RTcu: device.
decterm-login
When DECTERM-LOGIN is TRUE (the default), plain text passwords are allowed when logging in on pseudo-terminals created with the CREATE /TERMINAL /DETACH /NOLOGGED_IN command. When DECTERM-LOGIN is FALSE, the system forces users to authenticate using their default authentication methods.
default-method
Specifies the default authentication method for non-local logins. This is a system-wide default that can be overridden on a per-user basis by the system manager.
Accepted values are:
CRYPTOCARD Assigns CRYPTOCard as the default for non-local logins.
HP-PATHWAYS-SECURENET Assigns HP Pathways SecureNet Key as the default for non-local logins.
PLAINTEXT-PASSWORDS Assigns plain text passwords as the default for non-local logins. You can then selectively enable alternate methods for each user who needs stronger authentication.
SECURITY-DYNAMICS-SECURID Assigns Security Dynamics SecurID Card as the default for non-local logins.
BELLCORE-SKEY Assigns S/KEY as the default for non-local users.
ftp-enabled
Controls whether the MultiNet FTP server should use MultiNet Secure/IP to authenticate FTP connections that originate outside the trusted local network. By default, the MultiNet FTP server uses MultiNet Secure/IP for all offsite connections. FTP-ENABLED is TRUE when you install MultiNet Secure/IP.
kerberos-principal
Specifies which service name is used as a principal for Kerberos authentication. The default is rcmd (which is also used by the TELNET and RLOGIN services).
local-devices
Specifies a set of OpenVMS device mnemonics (ddcu) that are directly connected to the host computer system and considered part of the trusted local network (TLN). Local device designations are a full set or a subset of OpenVMS device specifications (for example, FNORD$TXA1 or TT). You may list more than one device. If the device designation contains a node name, this device is only considered local on the specified node. If you do not set LOCAL-DEVICES, directly connected devices use the default authentication method for the associated user. Also, if LOCAL-PASSWORDS is disabled, LOCAL-DEVICES is ignored.
local-networks
Specifies which networks are considered part of the TLN. Identify networks by IP address. When specifying more than one address, separate each address with a comma. For example, 161.44.224.0, 161.44.225.0. By default, all networks on all known interfaces are considered local. If LOCAL-NETWORKS is defined, then only those networks explicitly listed are considered local. This parameter works with LOCAL-PASSWORDS. If LOCAL-PASSWORDS is disabled, the LOCAL-NETWORKS parameter is ignored.
CAUTION! If you define trusted local networks with the SET LOCAL-NETWORKS command, you must explicitly add the loopback network, 127.0.0/255.0.0. It is not implicitly included in your TLN.
local-passwords
When LOCAL-PASSWORDS is TRUE (the default), plain text passwords are allowed when logging in from a local network or local device. This parameter acts as a global switch that determines whether a trusted local network is in effect (SET LOCAL-PASSWORDS TRUE) or not (SET LOCAL-PASSWORDS FALSE).
multinet-login
Specifies a command procedure that will run before any others immediately after users authenticate themselves. The specified command procedure runs before SYSLOGIN and LOGIN.COM.
mutual-authentication
When MUTUAL-AUTHENTICATION is TRUE, the MultiNet Secure/IP Client requires Kerberos authentication with the MultiNet Secure/IP Server. Enable this parameter only if Kerberos is configured on the MultiNet Secure/IP Client and Server. Mutual authentication requires that both the client and server systems be properly configured for Kerberos, and that the client system have a valid MULTINET:KERBEROS.SRVTAB file with a host rcmd service key.
Because versions of MultiNet Secure/IP prior to V2.0 do not support mutual authentication, the MultiNet Secure/IP Client V2.0 does not use mutual authentication when it communicates with earlier versions of the Secure/IP Server, even if MUTUAL-AUTHENTICATION is TRUE. The default is FALSE.
network-login
When NETWORK-LOGIN is TRUE (the default), users are granted Kerberos ticket-granting tickets when they log in to the MultiNet Secure/IP Client using Kerberos passwords within the TLN.
server-address
Specifies the IP address(es) of the host(s) running the authentication server; that is, the nodes with the ACCESS service enabled. You can specify more than one IP address for redundancy. Separate multiple addresses with commas. For example, 161.44.224.70, 161.44.224.23. By default, the authentication server address is the loopback IP address 127.0.0.1. It directs each host to use itself when authenticating.
server-port
Specifies the privileged port number on which the authentication server listens. The default is port 702. The port number must be less than 1024.
telnet-enabled
Controls whether the MultiNet TELNET server should use MultiNet Secure/IP to authenticate TELNET connections that originate outside the trusted local network. By default, the TELNET server uses MultiNet Secure/IP for all offsite connections. TELNET-ENABLED is TRUE when you install MultiNet Secure/IP.
ticket-lifetime
Specifies the duration, in minutes, that a Kerberos ticket remains active for a user. This parameter overrides the ticket lifetime defined with the MULTINET KERBEROS DATABASE EDIT command (see the MultiNet for OpenVMS Administrator's Reference). The parameter range is 1 to 1275 minutes (21.25 hours). The default duration is eight hours (480 minutes).
untrusted-host
Specifies the IP address of a host to be excluded from the trusted local network. For example, if there is a modem server connected within your trusted local network, you can exclude it with the UNTRUSTED-HOST parameter to force dial-in users to authenticate themselves via MultiNet Secure/IP.
user-skey
When USER-SKEY is TRUE (the default), users can use S/KEY without a system manager's intervention. You can enable S/KEY by initializing a private S/KEY sequence using the MULTINET SKEY/INITIALIZE command. If disabled, an S/KEY sequence can only be used if a system manager creates a sequence for the user or modifies the user's default method to "SKEY."
EXAMPLE
$ MULTINET CONFIGURE /ACCESS
MultiNet Access Configuration Utility 5.3(n)
[Reading in configuration from MULTINET:START_ACCESS.COM]
ACCESS-CONFIG>SET DEFAULT-METHOD BELLCORE-SKEY
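The ADD and REMOVE syntax (IP-NETWORK/NETWORK-MASK, the DEFAULT mask keyword, comma-separated lists) and the SET parameters above define a single policy question: may a given login offer a plain-text password, or must the user's default authentication method be used? The following Python model is an added example, not MultiNet code. It applies the rules as this chapter states them (LOCAL-PASSWORDS as the global switch, UNTRUSTED-HOSTS excluded first, LOCAL-NETWORKS replacing the "all known interfaces" default once set, and the loopback network no longer implicit). Two things are assumptions: that DEFAULT means the classful mask of the address, and that the `interface_networks` list stands in for the networks on the host's own interfaces.

```python
import ipaddress
from dataclasses import dataclass, field

# Added example (not MultiNet code): a model of the ADD/REMOVE address syntax
# and of the LOCAL-PASSWORDS / LOCAL-NETWORKS / UNTRUSTED-HOSTS / LOCAL-DEVICES
# rules this chapter describes.


def default_mask(network: str) -> str:
    """Mask substituted for the DEFAULT keyword.

    Assumption: the chapter only says the mask is derived from the address;
    here the classful mask is used (A: /8, B: /16, C: /24)."""
    first_octet = int(network.split(".")[0])
    if first_octet < 128:
        return "255.0.0.0"
    if first_octet < 192:
        return "255.255.0.0"
    return "255.255.255.0"


def parse_network(spec: str) -> ipaddress.IPv4Network:
    """Parse one IP-NETWORK/NETWORK-MASK item; DEFAULT is accepted as the mask."""
    parts = spec.strip().split("/")
    if len(parts) != 2:
        raise ValueError(f"network entries need a mask: {spec!r}")
    net, mask = parts
    if mask.upper() == "DEFAULT":
        mask = default_mask(net)
    return ipaddress.IPv4Network((net, mask), strict=False)


def parse_list(arg: str) -> list:
    """Split a comma-separated ADD/REMOVE argument into its items."""
    return [item.strip() for item in arg.split(",") if item.strip()]


@dataclass
class AccessPolicy:
    local_passwords: bool = True                          # SET LOCAL-PASSWORDS (default TRUE)
    local_networks: list = field(default_factory=list)    # empty means <default>
    untrusted_hosts: set = field(default_factory=set)
    local_devices: set = field(default_factory=set)
    # Assumed stand-in for the networks of the host's own interfaces, which the
    # chapter says are all treated as local while LOCAL-NETWORKS is not set.
    interface_networks: list = field(default_factory=list)

    def add_local_networks(self, arg: str) -> None:
        self.local_networks.extend(parse_network(s) for s in parse_list(arg))

    def remove_local_networks(self, arg: str) -> None:
        drop = {parse_network(s) for s in parse_list(arg)}
        self.local_networks = [n for n in self.local_networks if n not in drop]

    def add_untrusted_hosts(self, arg: str) -> None:
        self.untrusted_hosts.update(ipaddress.IPv4Address(h) for h in parse_list(arg))

    def remove_untrusted_hosts(self, arg: str) -> None:
        self.untrusted_hosts.difference_update(ipaddress.IPv4Address(h) for h in parse_list(arg))

    def plaintext_allowed(self, source: str = None, device: str = None) -> bool:
        """True if a plain-text password may be accepted for this login;
        False means the user's default authentication method applies."""
        if not self.local_passwords:
            return False          # global switch off: the other settings are ignored
        if device is not None:    # directly connected terminal: must be listed in LOCAL-DEVICES
            return device.upper() in {d.upper() for d in self.local_devices}
        addr = ipaddress.IPv4Address(source)
        if addr in self.untrusted_hosts:
            return False
        trusted = self.local_networks or self.interface_networks
        # Once LOCAL-NETWORKS is set, 127.0.0.0/8 is trusted only if listed.
        return any(addr in net for net in trusted)


def demo() -> dict:
    """Replay the chapter's own ADD values and return the resulting decisions."""
    policy = AccessPolicy(interface_networks=[ipaddress.IPv4Network("161.44.72.0/24"),
                                              ipaddress.IPv4Network("127.0.0.0/8")])
    results = {"default_loopback": policy.plaintext_allowed("127.0.0.1")}
    policy.add_local_networks("161.44.72.0/255.255.255.0")
    policy.add_untrusted_hosts("161.44.72.3,161.44.72.4")
    results["listed_loopback"] = policy.plaintext_allowed("127.0.0.1")   # loopback no longer implicit
    results["lan_host"] = policy.plaintext_allowed("161.44.72.5")
    results["untrusted_host"] = policy.plaintext_allowed("161.44.72.3")
    policy.add_local_networks("127.0.0.0/DEFAULT")                       # DEFAULT -> 255.0.0.0
    results["loopback_added"] = policy.plaintext_allowed("127.0.0.1")
    policy.local_passwords = False                                       # SET LOCAL-PASSWORDS FALSE
    results["switch_off"] = policy.plaintext_allowed("161.44.72.5")
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:16} plain-text password {'allowed' if allowed else 'NOT allowed'}")
```

The `listed_loopback` step is the CAUTION from the LOCAL-NETWORKS description made concrete: the moment a network list is given, a login from 127.0.0.1 falls back to the user's default method until the loopback network is added explicitly.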
SHOW
Displays the current configuration of the local MultiNet Secure/IP software. If only the MultiNet Secure/IP Client is running, the MultiNet Secure/IP Server information is suppressed.
FORMAT
SHOW
EXAMPLE
$ MULTINET CONFIGURE /ACCESS
MultiNet Access Configuration Utility 5.3(n)
[Reading in configuration from MULTINET:START_ACCESS.COM]
ACCESS-CONFIG>SHOW
Secure/IP Server Parameters
---------------------------
Default Method: HP Pathways SecureNet Key
Allow Local Passwords: TRUE
Local Network(s): <default>
Untrusted Host(s): <none>
Allow user control of S/KEY TRUE
Allow key display (/SHOW): TRUE
Secure/IP Client Parameters
---------------------------
Telnet Enabled: FALSE
FTP Enabled: TRUE
Server Address(es): 127.0.0.1
Server Port: 702
LOGINOUT Parameters
-------------------
Require mutual authentication: FALSE
Local Device(s): <none>
Allow plaintext passwords, on:
Remote DECnet terminals (RT): FALSE
Pseudo-terminal devices (FT): TRUE
Attempt Network (Kerberos) Login: TRUE
Kerberos ticket lifetime (minutes): 480
MultiNet Login command procedure: MULTINET:MULTINET-LOGIN.COM
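SHOW output is the natural input for a configuration review. The script below is an added example (not MultiNet code) that parses that output into settings and flags the values this chapter describes as relaxing or disabling Secure/IP checks: a default trusted local network with local passwords allowed, TELNET or FTP offsite authentication switched off, mutual authentication off, plain-text passwords on pseudo-terminals, and SERVER-PORT or TICKET-LIFETIME outside their documented ranges. The embedded sample is the SHOW output printed above; the finding codes and messages are the example's own.

```python
# Added example (not MultiNet code): parse ACCESS-CONFIG SHOW output and report
# settings this chapter describes as weakening Secure/IP checks.

SAMPLE_SHOW = """\
Secure/IP Server Parameters
---------------------------
Default Method: HP Pathways SecureNet Key
Allow Local Passwords: TRUE
Local Network(s): <default>
Untrusted Host(s): <none>
Allow user control of S/KEY TRUE
Allow key display (/SHOW): TRUE
Secure/IP Client Parameters
---------------------------
Telnet Enabled: FALSE
FTP Enabled: TRUE
Server Address(es): 127.0.0.1
Server Port: 702
LOGINOUT Parameters
-------------------
Require mutual authentication: FALSE
Local Device(s): <none>
Allow plaintext passwords, on:
Remote DECnet terminals (RT): FALSE
Pseudo-terminal devices (FT): TRUE
Attempt Network (Kerberos) Login: TRUE
Kerberos ticket lifetime (minutes): 480
MultiNet Login command procedure: MULTINET:MULTINET-LOGIN.COM
"""


def parse_show(text: str) -> dict:
    """Turn SHOW output into {setting: value}; headings, rules and lead lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"} or line.endswith("Parameters") or line.endswith(":"):
            continue
        if ": " in line:
            key, _, value = line.partition(": ")   # first ': ' keeps MULTINET:X.COM values whole
        else:
            key, _, value = line.rpartition(" ")   # 'Allow user control of S/KEY TRUE' has no colon
        settings[key.strip()] = value.strip()
    return settings


def audit(settings: dict) -> list:
    """Return (code, message) findings derived from the SET parameter descriptions."""
    get = lambda k: settings.get(k, "")
    findings = []
    if get("Allow Local Passwords") == "TRUE" and get("Local Network(s)") == "<default>":
        findings.append(("DEFAULT-TLN", "LOCAL-NETWORKS not set: every network on every known "
                         "interface accepts plain-text passwords; list the trusted networks "
                         "explicitly, and then add the loopback network yourself."))
    if get("Allow Local Passwords") == "FALSE":
        findings.append(("NO-TLN", "LOCAL-PASSWORDS is FALSE: no trusted local network is in "
                         "effect; LOCAL-NETWORKS and LOCAL-DEVICES are ignored."))
    if "plain" in get("Default Method").lower():
        findings.append(("PLAINTEXT-DEFAULT", "DEFAULT-METHOD is plain-text passwords: non-local "
                         "logins get no stronger method unless one is enabled per user."))
    for key, param, service in (("Telnet Enabled", "TELNET-ENABLED", "TELNET"),
                                ("FTP Enabled", "FTP-ENABLED", "FTP")):
        if get(key) == "FALSE":
            findings.append((f"{service}-OFFSITE", f"{param} is FALSE: {service} connections from "
                             "outside the trusted local network are not authenticated through Secure/IP."))
    if get("Require mutual authentication") == "FALSE":
        findings.append(("NO-MUTUAL-AUTH", "MUTUAL-AUTHENTICATION is FALSE: the Client does not "
                         "require Kerberos authentication of the Server."))
    if get("Pseudo-terminal devices (FT)") == "TRUE":
        findings.append(("DECTERM-PLAINTEXT", "DECTERM-LOGIN is TRUE (the default): plain-text "
                         "passwords are accepted on pseudo-terminals."))
    port = get("Server Port")
    if port.isdigit() and int(port) >= 1024:
        findings.append(("PORT-RANGE", f"SERVER-PORT {port} is not below 1024 as required."))
    life = get("Kerberos ticket lifetime (minutes)")
    if life.isdigit() and not 1 <= int(life) <= 1275:
        findings.append(("TICKET-RANGE", f"TICKET-LIFETIME {life} is outside the 1-1275 minute range."))
    return findings


if __name__ == "__main__":
    for code, message in audit(parse_show(SAMPLE_SHOW)):
        print(f"[{code}] {message}")
```

On the sample above the report lists DEFAULT-TLN, TELNET-OFFSITE, NO-MUTUAL-AUTH and DECTERM-PLAINTEXT; the TELNET finding is the one most worth acting on, since with TELNET-ENABLED FALSE an offsite TELNET session never reaches the Secure/IP authentication the rest of the configuration is built around.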
SPAWN
Executes a single DCL command, or, if entered without options, starts a subprocess with the same effect as PUSH. To return from DCL, use the LOGOUT command. SPAWN does not work if the MULTINET_DISABLE_SPAWN logical is defined.
FORMAT
SPAWN [command]
PARAMETER
command
Specifies a command to execute. If you omit the command, a DCL command line subprocess is created.
QUALIFIERS
/INPUT=file
Specifies an input file for the process you SPAWN.
/LOGICAL_NAMES
/NOLOGICAL_NAMES
Specifies whether logical names and logical name tables are copied to the subprocess; /NOLOGICAL_NAMES suppresses the copy.
/SYMBOLS
/NOSYMBOLS
Specifies whether global and local symbols are passed to the subprocess; /NOSYMBOLS suppresses this.
/WAIT
/NOWAIT
/NOWAIT specifies that control of the terminal is returned without waiting for the command to complete. Do not use this qualifier with commands that have prompts or screen displays.
/OUTPUT=file
Specifies a file for the output of the command invoked with SPAWN. This qualifier only works when you enter a single command without creating a DCL subprocess.
EXAMPLES
This example displays terminal information, captures the output in a file, and displays the information with the TYPE command.
$ MULTINET CONFIGURE /ACCESS
MultiNet Access Configuration Utility 5.3(n)
[Reading in configuration from MULTINET:START_ACCESS.COM]
ACCESS-CONFIG>SPAWN/OUTPUT=FOO. SHOW TERM
ACCESS-CONFIG>SPAWN TYPE FOO.
This example invokes a command procedure.
ACCESS-CONFIG>SPAWN @COMPROC
This example displays help information about ACCESS-CONFIG. Use the LOGOUT command to return control to ACCESS-CONFIG.
ACCESS-CONFIG>SPAWN
$ HELP MULTINET CONFIGURE /ACCESS
. . .
$ LOGOUT
ACCESS-CONFIG>
STATUS
Displays the version and whether the configuration has been modified.
FORMAT
STATUS
EXAMPLE
$ MULTINET CONFIGURE /ACCESS
MultiNet Access Configuration Utility 5.3(n)
[Reading in configuration from MULTINET:START_ACCESS.COM]
ACCESS-CONFIG>STATUS
This is the MultiNet Access configuration program Version 5.3(n)
The configuration file MULTINET:START_ACCESS.COM has not been modified.
ACCESS-CONFIG>
USE
Reads in a configuration file. (Functionally equivalent to GET.) After using USE, you can use other ACCESS-CONFIG commands to display the new configuration.
FORMAT
USE config_file
PARAMETER
config_file
Specifies the name of the configuration file to read in.
EXAMPLE
This example reads in the MULTINET:NEW_CONFIG.CFG file.
$ MULTINET CONFIGURE /ACCESS
MultiNet Access Configuration Utility 5.3(n)
[Reading in configuration from MULTINET:START_ACCESS.COM]
ACCESS-CONFIG>USE MULTINET:NEW_CONFIG.CFG
[Reading in configuration from MULTINET:NEW_CONFIG.CFG;1]
ACCESS-CONFIG>EXIT
VERSION
Displays the version number.
FORMAT
VERSION
EXAMPLE
$ MULTINET CONFIGURE /ACCESS
MultiNet Access Configuration Utility 5.3(n)
[Reading in configuration from MULTINET:START_ACCESS.COM]
ACCESS-CONFIG>VERSION
This is the MultiNet Access configuration program Version 5.3(n)
WRITE
Writes the current configuration to a file. (Functionally equivalent to SAVE.)
FORMAT
WRITE [config_file]
PARAMETER
config_file
Specifies a configuration file name. The default is the same file from which the configuration was read.
EXAMPLE
$ MULTINET CONFIGURE /ACCESS
MultiNet Access Configuration Utility 5.3(n)
[Reading in configuration from MULTINET:START_ACCESS.COM]
ACCESS-CONFIG>WRITE
[Writing configuration to MULTINET:START_ACCESS.COM]
ACCESS-CONFIG>