Operating System - OpenVMS
1829901 Members
3222 Online
109993 Solutions
New Discussion

MS to VMS ftp-sesson runaway

 
SOLVED
Go to solution
Jan van den Ende
Honored Contributor

MS to VMS ftp-sesson runaway

We are occasionally experiencing very annoying ftp behavior.

Config:
4-node cluster, 2x ES40, 2x ES45, OpenVMS 7.3-2, patches up-to-date as of end july.
Citrix servers, Windows2000 SP3, Onnet ftp-client.
Accessing a VMS application from the desktop is implemented by:
User chooses the applic
Script gets the currently defined desktop printer, and formats DCL file to define SYS$PRINT to it.
Create file witch applic name.
FTP both files to users' VMS SYS$LOGIN
Telnet VMS; SYS$SYLOGIN defines printer & starts applic.

Occasionally, it happens that a users' account has to be changed manually (we try to do it all automated, but exceptions have the nasty habit to keep occurring).
Now, if somehow there comes a discrepancy between the users SYSUAF homedir specification and the actual directory (typo, oversight..), then effectively the SYS$LOGIN dir does not exist, and..
in a few minutes we have very unhappy Citrix administrators.
Obviously the FTP client gets in a loop of re-tries, using 100% of CPU, allocating sockets much faster as releasing them, and if not being cured quick enough, getting out of resources.

Anybody seen anything like it, and, more imported, cured it or found a good workaround?
Might be on VMS or on Windows, if it just helps!

Yes, I know, don't make such stupid errors, but for the foreseeable future we probably will remain humans, with human fallibility.

Jan
Don't rust yours pelled jacker to fine doll missed aches.
18 REPLIES 18
Antoniov.
Honored Contributor

Re: MS to VMS ftp-sesson runaway

Jan,
Before at all when you'll see some unhappy Citrix administrator offer him some beer: don't solve but he may be more happy.
I'm joking with my funny english ;-)
Now seriously ..

User chooses the applic
Script gets the currently defined desktop printer, and formats DCL file to define SYS$PRINT to it.
Create file witch applic name.
FTP both files to users' VMS SYS$LOGIN
Telnet VMS; SYS$SYLOGIN defines printer & starts applic.

I understand
User is using a PC with printer connected to it. He has a menu running on Win2K SP3, choice an application; script starts writing a DCL file text then automatically send it to vms server using ftp (I guess user & passwork are stored in some file on PC).
After of this, open telnet emulator and process on vms execute his LOGIN (previous recevived by ftp) and make its job.

Do I understand well?

Antonio Vigliotti

Antonio Maria Vigliotti
Jan van den Ende
Honored Contributor

Re: MS to VMS ftp-sesson runaway

Antonio,

even your solution does not help:
The Citrix administrator does not drink any alcohol!

Your description of the situation show you understood it perfectly!

Jan
Don't rust yours pelled jacker to fine doll missed aches.
Wim Van den Wyngaert
Honored Contributor

Re: MS to VMS ftp-sesson runaway

VMS to VMS and NT to VMS both work as expected.

Wim
Wim
Antoniov.
Honored Contributor

Re: MS to VMS ftp-sesson runaway

Wow,
Citrix administrators lost a good beer.

I guess problem due to different access; 1.st access by ftp find an environment, 2.nd access find changed environment.
I have not enough information to find solution but I can suggest some hint: you could drive me in right way.

First you can make an unique access, avoid ftp only telnet; if you are using an emulator like powerterm you can execute any script (located on PC) to customize session; you could send any file using kermit protocol. This solution means change software on PC (I guess it's not a good idea).

You can check for access environment modifying SYLOGIN on server; you need make only a few update; you can execute any DCL statement during ftp session and interactive telnet session so I guess, perhaps, you could make some check.
I feel update SYLOGIN is your near solution.

Antonio Vigliotti
Antonio Maria Vigliotti
Volker Halle
Honored Contributor

Re: MS to VMS ftp-sesson runaway

Jan,

some suggestions:

- write a little DCL procedure on your OpenVMS system to regularily (often enough) read SYSUAF and check whether the user-dirs exist.

- would a FTP DIR from the PC to the VMS system fail in the same way ? If not, try a DIR access first.

Volker.
Willem Grooters
Honored Contributor

Re: MS to VMS ftp-sesson runaway

Jan,

Hope I got this right:
Clicking the icon means running .BAT file on PC:

get printer
Create DEF_SYS$PRINT.COM
Create .COM
Create a FTP input file containg:

open


ASCII
PUT DEF_SYS$PRINT.COM
PUT .COM
BYE

FTP -s:
TELNET
(end job)

(That would mean your user's account on VMS cannot be captive since FTP would not be possible!
LOGIN.COM (or any LGI_CMD...) would therefore be something like:

$ set noon
$ set no control_y
$ on warning exit ! I wouldn't suggest this, but just for completeness
$ if (some application is to be executed)
$! required since FTP will execute SYS$LOGIN
$ then
$ @def_sys$print
$ @.com
$ exit
$ else
$ (whatever)
$ endif
$exit

Am I right?

Since FTP will actually login (so SYLOGIN.COM and LGI_CMD according SYSUAF (or LOGIN.COM if empty) will run, you might find some clue in accounting.

Be sure the .BAT file exits if there is an error. It is quite possible that your FTP client will NOT return "error". Try it manually and see what happens.

Are you sure FTP hangs, and not TELNET?

Willem
Willem Grooters
OpenVMS Developer & System Manager
Lawrence Czlapinski
Trusted Contributor

Re: MS to VMS ftp-sesson runaway

Jan,
1. If the script is actually hanging in FTP do:
a. The PC script needs to check that the FTP login was successful. On Windows XP, for a successful login, I get "230 User logged in." If FTP fails, it should be giving an error message. If it isn't that's a serious bug.
b. Use a DCL procedure to create PC user's VAX accounts. The procedure should create a directory name that matches the username.

If you still have problems, the problem is probably not with FTP but with the script.

2. We have a 24X7 operation with 2 sites. We have 2 VMS Sys Admins to cover both sites. When one of us is out of the area, we have 1 Sys Admin covering both sites. Your solution would have us sleep deprived. Our solution:
a. At our sites, we have a select printer menu option on the VAX side, the user selects the printer from the printer menu. Selecting a printer creates a DEFINE_PRINTER.COM file. In our solution an initial DEFINE_PRINTER.COM is copied to new customer user accounts. Customers can choose from a list of 38 network printers on the LAN. The printer selection remains the same until the customer changes it.
b. We also control access to the Applications on the VMS side.
Result: We don't have our Citrix Admins calling us.
Lawrence
Jan van den Ende
Honored Contributor

Re: MS to VMS ftp-sesson runaway

Ok all,

Thanks for responses so far.
first I'll try to answer most of your questions.

-the TCPIP suite on Citrix is Onnet, and that will not be changed. (we also would prefer reflexion or KEA or Powerterm or..., but until now and in the forseeable future we have no vote in that)
-Both the Citrix usernames and the VMS usernames are maintained by (the mutations to) the personnel system, in a way that synchronises the usernames. Any 'standard' user has the same username on the desktop and on VMS (and Unix, but that is not within current scope).
There are 10000+ user accounts defined (for legal reasons we are obliged to keep them around till 5 years after leaving!)
-Most users hardly know whether an application is PC, VMS, or Unix.
-There are 750+ network printers to choose from, spread over (at the moment) 58 buildings
-It proved VERY confusing for a lot of users if VMS output did not appear on the printer these chose (on the desktop), so we decided to transfer the PC choice to VMS.
-we have the unhappy inheritance that some VMS applications require different keyboard-mapping then others.
Initially a user wanting a VMS app was logged in to VMS, and got presented a menu.
Quite often users succeeded in specifying on the PC an app that required (and got) one keyboard mapping, and then in the VMS menu selected another app. Sometimes such user worked for more than an hour, and then failed to store his/her work, because THAT function was wrongly mapped.
So we changed that, and now, if a user chooses a VMS app on the desktop, we first use his current printer choice to create DEFINE_SYS$PRINT.COM, then create AUTOSTART_APPLICATION.VMS containing the name of the chosen app, get the current desktop username, and present a screen asking the VMS password. Using the PC username and the supplied password we ftp-copy the two generated files to the application name. DNS is so organised (and maintained) that this equates to (one of) the node(s) where the app is available. Next we telnet to it, again using the known username and password.
SYS$SYLOGIN executes DEFINE_SYS$PRINT if found, and (if in interactive mode) checks for AUTOSTART_APPLICATION.VMS. If found, and sufficiently recent, then the applic is invoked, and upon exit the user is logged out.

The trouble as found so far seems to be limited to the few accounts that are NOT maintainable by the personnel system (collegues from other Regions, related Services etc temporarily stationed with us).
Sometimes it DOES occur that the account and and the therein specified environment don't match, and THEN the PC script starts looping.

Volker, the sheer amount of accounts, and the relative tiny fraction of errors, prevent the continuous scanning of SYSUAF vs directories.

Antonio,
even the try to connect is unsuccessful, so no DCL functionality is available

Volker,
testing for the DIR fails for the same reason Antonio's suggestion does not work.



OOOkayyyy!

While writing these answers, I have also been able to snatch someone with enough knowledge and autorisations on the Citrix environment.
Interactively we were NOT able to get the loop, we get an error 505 - directory not found. Looks consistent.
Now we executed the (compiled version of the) script, on a 2 CPU server (no other users). The moment the script starts asking the password, the system starts using 50 % , or 100% of 1 cpu. Now give the password, system goes to 100% cpu use; full use of both cpu's by 2 processes, the script and FTP. Kill the FTP process, and it comes back immediately (obviously seconf ftp command). Kill FTP again, and NOW we get a nice telnet session! This does its SYS$LOGIN: files processing conditionally if existant, so we have a logged in session without chosen applic. At the first action that NEEDS SYS$LOGIN the session gets (correctly) logged out.
Upon inspection of the script source, we found that the error handling in case of failing FTP is missing!!
A developper with write access to that environment is not in today, but I have good hopes that things will get solved monday or tuesday.

I will then add a (hopefully final) report.

Thanks all for the idea's, also from our Citrix administrators!

Jan
Don't rust yours pelled jacker to fine doll missed aches.
Jan van den Ende
Honored Contributor

Re: MS to VMS ftp-sesson runaway

And I forgot to answer Willem:

Accounting status : 1
Normal successfull completion.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
Antoniov.
Honored Contributor

Re: MS to VMS ftp-sesson runaway

Jan,
if connection failed (so you can't execute any dcl command) you could solve within anonymous account.
Yes, usually, anonymous is disabled but meet exactly your requirements.
PC script can send to server via ftp using anonymous user into common folder a file within filename as username. FTP never fails and never loops on PC.
Then telnet connection can execute any DCL command so you can take a big control over the process with any control you need.

And don't forget a bottle of coke to citrix administrators :-)

Antonio Vigliotti
Antonio Maria Vigliotti
Jan van den Ende
Honored Contributor

Re: MS to VMS ftp-sesson runaway

Antonio:
NO WAY!!!!

In less than a minute I can think of at least 3 ways to misuse it, and 2 more that things might go wrong unintentionally!!

Remember, this IS a site with security issues! (although, the frequent use of M$ stuff makes that hard to believe).

Jan
Don't rust yours pelled jacker to fine doll missed aches.
Antoniov.
Honored Contributor

Re: MS to VMS ftp-sesson runaway

Jan,
sure you need keep high level security!
However it's possible with anonymous too.
I think to some trick as RUN LOGINOUT/USER to check if user exist then blah blah.
So your ftp session always end without error.
I guess, for security reason, you can't post more information, so I can give you only some vague idea.

Antonio Vigliotti
Antonio Maria Vigliotti
Antoniov.
Honored Contributor

Re: MS to VMS ftp-sesson runaway

Jan,
I try to be more precise.
I have an application like yours. External device connect to vms system, then login activate a specific process and after issue logout.
With a simple program, written in C, you can activate always when user is anonymous this process and it wait for some strings (example user and printer); on ftp side you can simply use quote command.
Then process can anser success or fail to ftp client on PC, and then blah blah.

Hope it's more understandable

Antonio Vigliotti
Antonio Maria Vigliotti
Willem Grooters
Honored Contributor
Solution

Re: MS to VMS ftp-sesson runaway

Jan,

Status = 1 - yes, I could have figured that out. FTP = TCPIP = Unix = Interactive, so no error even if there'se something wrong: user should have seen that ;-(((( Batch: Which user?


Upon inspection of the script source, we found that the error handling in case of failing FTP is missing!!


Programmer is still around?
if Yes: Typically MS or X, not knowing co-opeeration... Educate (thouroughly) or get rid of him/her.
if no: Nothing's lost. Hwoever, be aware there may be more troublesome software around....

Willem
Willem Grooters
OpenVMS Developer & System Manager
Bojan Nemec
Honored Contributor

Re: MS to VMS ftp-sesson runaway

Jan,

What about writing a simple network service which tests the user before FTP?

My idea is that you write a simple client for M$ which sends the username to a service on VMS. This service can be a procedure or a program, which tests the user and returns the status to the client. If all is OK you proceed with FTP and telnet. If not stop before FTP.

Bojan
Bojan Nemec
Honored Contributor

Re: MS to VMS ftp-sesson runaway

Jan,

Another "service" idea which is a litle more sophisticated but more clean. I dont know Citrix, so I dont know if it can be applied. On a stand alone PC this will work.

When starting the application on the PC, start a network service on a predefined port and simultaneously start the telnet session.

In the SYS$SYLOGIN find out the IP of the telnet client and connect to the service. Obtain the informations and define the needed logicals. Close the connection to the service (which will stop) and start the VMS application.

With this you get rid of FTP which was designed for file transfer, and (for me) file transfer is not the best solution for computer communications.

Bojan
Willem Grooters
Honored Contributor

Re: MS to VMS ftp-sesson runaway

Another solution (but knowing the environment, talking de deaf ears (like we say in NL):

use DECNet.

Willem
Willem Grooters
OpenVMS Developer & System Manager
Jan van den Ende
Honored Contributor

Re: MS to VMS ftp-sesson runaway

Ok,

status update.

Since we had a decent suspect in the FTP transfer, we ran a lot of other tests we could think of. Any and all reasons for FTP PUT failure had the same result: runaway ftp process.
We have tried to add status checking to the tranfer, but (to my VMS-minded surprise, but our Windows people just shrugged at it) there is no way to react to the status. Obviously the retry loop is entered before the status can be picked up!
The Onnet ftp functions do NOT include a test for directory availability.
FTP GET also reports status; and we tricked that into a (very un-elegant) test.
The way our VMS user-environment is set up, EVERY user has a file with a fixed name in his SYS$LOGIN. Now, from the Citrix script, we do a FTP GET of this file into local scratch. AND.... THIS CAN be tested!!!
We tried various reasons of NOT being able to GET the file, and every test we could think of resulted in a status that we expected, and can REACT to.

So now, we do a ftp get, if successful we continue, and if not successful we generate a meaningful message, to be reported to the helpdesk. (should be very helpfull in correcting the problem).

The only potential problem I can hypothesize that will get through this trap is a valid SYS$LOGIN where the GET of the file succeeds, but where the owner has no write access.
We decided to run that risk.

So, it looks like "Problem Solved"


I still need to reply to the later suggestions.


Antonio:
the way via an anonymous access with username as param to check existence looks rather more complex, there will (at least!) be a lot of struggle to get it accepted by Security, and, biggest drawback, I thing IF the user validates, but errenously has an invalid SYS$LOGIN specification, we are still back at square one. Btw, many applications have the potential to fail at some point if SYS$LOGIN or SYS$SCRATH are not writable, so we'd find out rather sooner than later.

Willem:
Education IS a continuous process, and most of the M$ programmers ARE used to do programming in server ( = multi user ) environments. I have the definite impression that our group scores above average already.

Bojan:
well, essentially the little program you suggest is FTP GET...

Second suggestion:
"Find the FTP of the client and connect.."
but in the Citrix environment multiple sessions from multiple users are coming from the same server = same IP. Not going to work.


Well, thanks again for all suggestions!


Jan
Don't rust yours pelled jacker to fine doll missed aches.