Protection settings

SOLVED
vmsserbo
Super Advisor

Protection settings

How to reset the protection on the target team07,08,09 drives.

What is the command?
18 REPLIES
Robert Gezelter
Honored Contributor
Solution

Re: Protection settings

Miles,

It is unlikely that you need to set the protections on the drives.

What is more likely is that one or more directories are protected in such a way as to prevent write access from the account that you are using.

As I mentioned in your other posting, what does the output of DIRECTORY/SECURITY say on the directories?

- Bob Gezelter, http://www.rlgsc.com
vmsserbo
Super Advisor

Re: Protection settings

I guess I would have to find out what directories the user is using?
vmsserbo
Super Advisor

Re: Protection settings

Here is what the user is getting. Please give me the command to correct this, Thanks!

We need all directories on all three servers to be able to accept copies from TSTSTG. Examples of some failures are shown below.

Jim

TSTSTG-1 >copy CLAIMS_ANALYSIS.EXE team07::$1$DUA4:[EXE]* /prot=w:rewd
%COPY-E-OPENOUT, error opening TEAM07::$1$DUA4:[EXE]CLAIMS_ANALYSIS.EXE;81 as output
-RMS-E-CRE, ACP file create failed
-SYSTEM-F-INVLOGIN, login information invalid at remote node
%COPY-W-NOTCOPIED, DUA25:[X53.SYSTEST.EXE]CLAIMS_ANALYSIS.EXE;81 not copied

TSTSTG-1 >copy CLAIMS_ANALYSIS.EXE team08::prod_exe /prot=w:rewd
%COPY-E-OPENOUT, error opening TEAM08::[]PROD_EXE.EXE; as output
-RMS-E-CRE, ACP file create failed
-SYSTEM-F-INVLOGIN, login information invalid at remote node
%COPY-W-NOTCOPIED, DUA25:[X53.SYSTEST.EXE]CLAIMS_ANALYSIS.EXE;81 not copied

TSTSTG-1 >copy ready_byrd.com team08::USRDSK1:[BLS]*
%COPY-E-OPENOUT, error opening TEAM08::USRDSK1:[BLS]READY_BYRD.COM;29 as output
-RMS-E-CRE, ACP file create failed
-SYSTEM-F-INVLOGIN, login information invalid at remote node
%COPY-W-NOTCOPIED, USERS$DISK:[X53BYRD]READY_BYRD.COM;29 not copied

TSTSTG-1 >copy ready_byrd.com team08::prod_dcl:* /prot=w:rewd
%COPY-E-OPENOUT, error opening TEAM08::PROD_DCL:[]READY_BYRD.COM;29 as output
-RMS-E-CRE, ACP file create failed
-SYSTEM-F-INVLOGIN, login information invalid at remote node
%COPY-W-NOTCOPIED, USERS$DISK:[X53BYRD]READY_BYRD.COM;29 not copied

TSTSTG-1 >copy ready_byrd.com team08::prod_dcl:*
%COPY-E-OPENOUT, error opening TEAM08::PROD_DCL:[]READY_BYRD.COM;29 as output
-RMS-E-CRE, ACP file create failed
-SYSTEM-F-INVLOGIN, login information invalid at remote node
%COPY-W-NOTCOPIED, USERS$DISK:[X53BYRD]READY_BYRD.COM;29 not copied
TSTSTG-1 >copy ready_byrd.com team08::prod_dcl:*
Barry Alford
Frequent Advisor

Re: Protection settings

Since a username and password are not provided in the remote node specification (before the ::), you should have proxy accounts set up on the other nodes (TEAM07 and TEAM08).

Use AUTHORIZE to review the proxy accounts:
UAF> show/proxy *

If they do not exist, you can add them e.g.:
UAF> add/proxy *::TSTSTG TSTSTG/default
would allow a TSTSTG user on any other node (the *) to log into this node as user TSTSTG

If no proxies have ever been defined, you will need to create the proxy database (only once per node):
UAF> create/proxy
Heinz W Genhart
Honored Contributor

Re: Protection settings

Hi Miles

You could use OPCOM to find the directories with the 'wrong' protection

If not already done:

SET AUDIT/ENABLE=FILE=FAIL/ALARM
or/and
SET AUDIT/ENABLE=FILE=FAIL/AUDIT

Then do a

REPLY/ENABLE

and let the user try.

You will then see OPCOM messages, or you can also find these messages in SYS$MANAGER:OPERATOR.LOG

Such a message looks similar to this one:

%%%%%%%%%%% OPCOM 4-AUG-2006 14:38:28.20 %%%%%%%%%%%
Message from user AUDIT$SERVER on OBELIX
Security alarm (SECURITY) and security audit (SECURITY) on OBELIX, system id: 1027
Auditable event: Object access
Event information: file access request (IO$_ACCESS or IO$_CREATE)
Event time: 4-AUG-2006 14:38:28.20
PID: 202091A6
Process name: GENI
Username: GENI
Process owner: [GENI]
Terminal name: FTA727:
Image name: DSA0:[SYS0.SYSCOMMON.][SYSEXE]TYPE.EXE
Object class name: FILE
Object owner: [1,1]
Object protection: SYSTEM:RWED, OWNER:RWED, GROUP:RE, WORLD:
File name: _DSA0:[VMS$COMMON.SYS$STARTUP]SYSTARTUP_VMS.DAT;52
File ID: (11753,2855,0)
Access requested: READ
Posix UID: -2
Posix GID: -2 (%XFFFFFFFE)
Sequence key: 2B408B73
Status: %SYSTEM-F-NOPRIV, insufficient privilege or object protection violation

I enabled OPCOM (REPL/ENABLE), removed my privileges (SET PROC/PRIV=NOALL) and did a TYPE of a file with a protection which does not allow me to type the file (SYS$STARTUP:SYSTARTUP_VMS.DAT).

In the OPCOM message you can find all the information required to solve your problem. This works the same for directory files.

Hope that helps

Regards

Heinz
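Added example, not part of the post above: Python that pulls failed file-access alarms out of operator-log text in the format shown in that post and lists which protection classes would have granted the requested access. The function names are hypothetical, the sample is an abridged copy of the quoted alarm, and the handling of comma-separated access types is an assumption.

```python
import re

# Abridged copy of the alarm quoted in the post above, used as sample input.
SAMPLE = """\
%%%%%%%%%%% OPCOM 4-AUG-2006 14:38:28.20 %%%%%%%%%%%
Username: GENI
Object class name: FILE
Object protection: SYSTEM:RWED, OWNER:RWED, GROUP:RE, WORLD:
File name: _DSA0:[VMS$COMMON.SYS$STARTUP]SYSTARTUP_VMS.DAT;52
Access requested: READ
Status: %SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
"""

BANNER = re.compile(r"^%{5,} +OPCOM +(.+?) +%{5,}$", re.M)
LETTER = {"READ": "R", "WRITE": "W", "EXECUTE": "E", "DELETE": "D"}

def split_messages(log_text):
    """Split operator-log text into (timestamp, body) pairs, one per banner."""
    parts = BANNER.split(log_text)  # [preamble, ts1, body1, ts2, body2, ...]
    return list(zip(parts[1::2], parts[2::2]))

def parse_fields(body):
    """Collect the 'Label: value' lines of one message, split at the first colon."""
    pairs = (line.partition(":") for line in body.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def parse_protection(mask):
    """'SYSTEM:RWED, ..., WORLD:' -> {'SYSTEM': 'RWED', ..., 'WORLD': ''}"""
    pairs = (item.split(":", 1) for item in mask.split(",") if ":" in item)
    return {cls.strip(): rights.strip() for cls, rights in pairs}

def denied_file_accesses(log_text):
    """Return one record per FILE access that failed with NOPRIV."""
    out = []
    for when, body in split_messages(log_text):
        f = parse_fields(body)
        if f.get("Object class name") != "FILE" or "NOPRIV" not in f.get("Status", ""):
            continue
        # Assumption: several requested access types are comma-separated.
        need = [LETTER[a.strip()] for a in f.get("Access requested", "").split(",")
                if a.strip() in LETTER]
        prot = parse_protection(f.get("Object protection", ""))
        grants = [c for c, r in prot.items() if need and all(x in r for x in need)]
        out.append({"time": when, "user": f.get("Username"), "file": f.get("File name"),
                    "requested": need, "classes_granting": grants})
    return out

print(denied_file_accesses(SAMPLE))
```

For the sample, WORLD is absent from `classes_granting`, which matches the NOPRIV status for a process that had dropped its privileges.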
Ian Miller.
Honored Contributor

Re: Protection settings

I guess team08 etc have (or should have) a DECnet proxy defined for node TESTG. On team08 do
$ SET DEF SYS$SYSTEM
$ MCR AUTHORIZE SHOW/PROX TESTG::*

Which username on team08 does the proxy refer to? Is it ok?

You may find that enabling OPCOM messages on team08 before attempting the file copy will give useful information.

$ REPLY/ENABLE
____________________
Purely Personal Opinion
vmsserbo
Super Advisor

Re: Protection settings

This is what I got??

TEAM08> set def sys$system:
TEAM08> mcr authorize show/prox tststg::*
%SECSRV-E-NOSUCHPROXY, no proxy record matches your specification
vmsserbo
Super Advisor

Re: Protection settings

With destination only...
TSTSTG-1 >copy CLAIMS_ANALYSIS.EXE team08::prod_exe /prot=w:rewd
%COPY-E-OPENOUT, error opening TEAM08::[]PROD_EXE.EXE; as output
-RMS-E-CRE, ACP file create failed
-SYSTEM-F-INVLOGIN, login information invalid at remote node
%COPY-W-NOTCOPIED, DUA25:[X53.SYSTEST.EXE]CLAIMS_ANALYSIS.EXE;81 not copied

With destination + *...
TSTSTG-1 >copy CLAIMS_ANALYSIS.EXE team08::prod_exe:* /prot=w:rewd
%COPY-E-OPENOUT, error opening TEAM08::PROD_EXE:[]CLAIMS_ANALYSIS.EXE;81 as output
-RMS-E-CRE, ACP file create failed
-SYSTEM-F-INVLOGIN, login information invalid at remote node
%COPY-W-NOTCOPIED, DUA25:[X53.SYSTEST.EXE]CLAIMS_ANALYSIS.EXE;81 not copied


How do I look at the operator log, I enabled it and I see nothing?
Barry Alford
Frequent Advisor

Re: Protection settings

Ok, I was confused with your nodenames and usernames.

On TEAM08 and TEAM09:
$ set def sys$system
$ mc authorize
UAF> create/proxy ! just in case
UAF> add TSTSTG:: /default
UAF>exit
$
The usernames on TEAM08/09 must have access to the directories you are copying to -- you may have to create them!

vmsserbo
Super Advisor

Re: Protection settings

I figured it out. It was a proxy I had to set up for the username

Thanks guys!
Chinraj Rajasekaran
Frequent Advisor

Re: Protection settings

Hi Miles,

The login information is invalid in remote nodes team07,08,09.

So you need to grant proxy access on the remote nodes for the user from TSTSTG.
(I assume TSTSTG is the node name)

You need to log in on each node team07,08,09
and run these commands to grant access.

For Example:
login to team07..

First check if proxy exists
$ set defa sys$system
$ mc authorize
UAF> show/proxy *

If no proxy exists already

UAF> add/proxy *::(TSTSTGusername) (team07username) /default

regards
Raj
Barry Alford
Frequent Advisor

Re: Protection settings

The reason the files are not copied is given by the error message:

"SYSTEM-F-INVLOGIN, login information invalid at remote node"

In order to copy files to another node, you need a valid account (username) on that node. You can also set up a proxy on the node to allow a user from one node to access another node as a local user:

e.g.
NODE1 username: user1
NODE2 username: user2

If I set up a proxy on NODE2:
UAF> add/proxy NODE1::user1 user2/default

then I can access files from NODE1/user1
as if I had logged into NODE2 with the username user2.

Have you tried adding the proxies?

Chinraj Rajasekaran
Frequent Advisor

Re: Protection settings

Miles,

One more thing I forgot to mention...

You also need to grant NETWORK access on the remote nodes team07 for which you have set the proxy access for the user from TSTSTG node.


$ mc authorize
UAF> mod (team07username) /network

Same for the other nodes as well.
Otherwise you cannot access via network.

regards
Raj
Barry Alford
Frequent Advisor

Re: Protection settings

Chinraj Rajasekaran:

I think you are mistaken!


UAF> Help modify/net

MODIFY

/NETWORK

/NETWORK[=(range[,...])]

Specifies hours of access for network batch jobs. For a
description of how to specify the range, see the /ACCESS
qualifier. By default, network logins have no access
restrictions.

Jan van den Ende
Honored Contributor

Re: Protection settings

Barry,

that is only half of the truth!

An account with NO ACCESS RESTRICTIONS includes full network access, but otherwise Raj pointed out how to GIVE network access. The default of this would be all days of the week, all hours of the day. The syntax you give can trim that as needed.

Either give an account /ACCESS, meaning no access restrictions, or specify each mode, e.g. /LOCAL /NODIALUP /BATCH ....
Each (including /ACCESS for all modes) can be time-restricted the way Barry specified.

And if you want to specify all but one, first specify /ACCESS[=..], and then specify the deviation with the differing params.

hth

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
John Gillings
Honored Contributor

Re: Protection settings

Miles,

This thread worries me! The issue is an access problem, and your solution seems to be to open up access to the world.

If you're in a heavily secured network, this might be OK, but these days, that's highly unlikely.

Please have a read of "HP OpenVMS Guide to System Security". You need to design a security environment appropriate to your corporate policies and operational requirements.

That's not really something that can be done in a forum like this.

Consider an analogy... the front door on your house is secured with a numeric keypad. Your child has trouble getting in, so you ask a bunch of strangers in a public forum for the commands to tell the keypad to always let your child in.

What is wrong with this picture?

First, do you really trust them(us) to give advice that really is in YOUR best interests? At the very least, everyone reading the forum now knows that A) Your systems are insecure and B) how to access them. You may also have been "trojaned" (though, looking at the recommendations, they look reasonably safe).

OK, so I may be being paranoid, but when it comes to computer security, that's a REQUIREMENT!

;-)
A crucible of informative mistakes
Robert Gezelter
Honored Contributor

Re: Protection settings

Miles,

I agree with John. Security settings, especially as they relate to the installation and maintenance of production applications, are a critical security and integrity audit issue.

Opening up the system, via either protection relaxations or proxies, can be a fatal error.

Extreme caution and prudence is advised.

- Bob Gezelter, http://www.rlgsc.com
Barry Alford
Frequent Advisor

Re: Protection settings

Chinraj, Jan:

My apologies -- without appropriate /NETWORK access settings in the UAF, you do get the same error:

-RMS-E-FND, ACP file or directory lookup failed
-SYSTEM-F-INVLOGIN, login information invalid at remote node

I must learn not to be so hasty!

(0 points for this one!)