- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - OpenVMS
- >
- MS to VMS ftp-sesson runaway
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Forums
Discussions
Discussions
Discussions
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-12-2004 01:19 AM
08-12-2004 01:19 AM
Config:
4-node cluster, 2x ES40, 2x ES45, OpenVMS 7.3-2, patches up-to-date as of end july.
Citrix servers, Windows2000 SP3, Onnet ftp-client.
Accessing a VMS application from the desktop is implemented by:
User chooses the applic
Script gets the currently defined desktop printer, and formats DCL file to define SYS$PRINT to it.
Create file witch applic name.
FTP both files to users' VMS SYS$LOGIN
Telnet VMS; SYS$SYLOGIN defines printer & starts applic.
Occasionally, it happens that a users' account has to be changed manually (we try to do it all automated, but exceptions have the nasty habit to keep occurring).
Now, if somehow there comes a discrepancy between the users SYSUAF homedir specification and the actual directory (typo, oversight..), then effectively the SYS$LOGIN dir does not exist, and..
in a few minutes we have very unhappy Citrix administrators.
Obviously the FTP client gets in a loop of re-tries, using 100% of CPU, allocating sockets much faster as releasing them, and if not being cured quick enough, getting out of resources.
Anybody seen anything like it, and, more imported, cured it or found a good workaround?
Might be on VMS or on Windows, if it just helps!
Yes, I know, don't make such stupid errors, but for the foreseeable future we probably will remain humans, with human fallibility.
Jan
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-12-2004 01:40 AM
08-12-2004 01:40 AM
Re: MS to VMS ftp-sesson runaway
Before at all when you'll see some unhappy Citrix administrator offer him some beer: don't solve but he may be more happy.
I'm joking with my funny english ;-)
Now seriously ..
User chooses the applic
Script gets the currently defined desktop printer, and formats DCL file to define SYS$PRINT to it.
Create file witch applic name.
FTP both files to users' VMS SYS$LOGIN
Telnet VMS; SYS$SYLOGIN defines printer & starts applic.
I understand
User is using a PC with printer connected to it. He has a menu running on Win2K SP3, choice an application; script starts writing a DCL file text then automatically send it to vms server using ftp (I guess user & passwork are stored in some file on PC).
After of this, open telnet emulator and process on vms execute his LOGIN (previous recevived by ftp) and make its job.
Do I understand well?
Antonio Vigliotti
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-12-2004 01:56 AM
08-12-2004 01:56 AM
Re: MS to VMS ftp-sesson runaway
even your solution does not help:
The Citrix administrator does not drink any alcohol!
Your description of the situation show you understood it perfectly!
Jan
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-12-2004 02:07 AM
08-12-2004 02:07 AM
Re: MS to VMS ftp-sesson runaway
Wim
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-12-2004 02:13 AM
08-12-2004 02:13 AM
Re: MS to VMS ftp-sesson runaway
Citrix administrators lost a good beer.
I guess problem due to different access; 1.st access by ftp find an environment, 2.nd access find changed environment.
I have not enough information to find solution but I can suggest some hint: you could drive me in right way.
First you can make an unique access, avoid ftp only telnet; if you are using an emulator like powerterm you can execute any script (located on PC) to customize session; you could send any file using kermit protocol. This solution means change software on PC (I guess it's not a good idea).
You can check for access environment modifying SYLOGIN on server; you need make only a few update; you can execute any DCL statement during ftp session and interactive telnet session so I guess, perhaps, you could make some check.
I feel update SYLOGIN is your near solution.
Antonio Vigliotti
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-12-2004 02:17 AM
08-12-2004 02:17 AM
Re: MS to VMS ftp-sesson runaway
some suggestions:
- write a little DCL procedure on your OpenVMS system to regularily (often enough) read SYSUAF and check whether the user-dirs exist.
- would a FTP DIR from the PC to the VMS system fail in the same way ? If not, try a DIR access first.
Volker.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-12-2004 02:27 AM
08-12-2004 02:27 AM
Re: MS to VMS ftp-sesson runaway
Hope I got this right:
Clicking the icon means running .BAT file on PC:
get printer
Create DEF_SYS$PRINT.COM
Create
Create a FTP input file containg:
open
ASCII
PUT DEF_SYS$PRINT.COM
PUT
BYE
FTP -s:
TELNET
(end job)
(That would mean your user's account on VMS cannot be captive since FTP would not be possible!
LOGIN.COM (or any LGI_CMD...) would therefore be something like:
$ set noon
$ set no control_y
$ on warning exit ! I wouldn't suggest this, but just for completeness
$ if (some application is to be executed)
$! required since FTP will execute SYS$LOGIN
$ then
$ @def_sys$print
$ @
$ exit
$ else
$ (whatever)
$ endif
$exit
Am I right?
Since FTP will actually login (so SYLOGIN.COM and LGI_CMD according SYSUAF (or LOGIN.COM if empty) will run, you might find some clue in accounting.
Be sure the .BAT file exits if there is an error. It is quite possible that your FTP client will NOT return "error". Try it manually and see what happens.
Are you sure FTP hangs, and not TELNET?
Willem
OpenVMS Developer & System Manager
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-12-2004 09:34 AM
08-12-2004 09:34 AM
Re: MS to VMS ftp-sesson runaway
1. If the script is actually hanging in FTP do:
a. The PC script needs to check that the FTP login was successful. On Windows XP, for a successful login, I get "230 User logged in." If FTP fails, it should be giving an error message. If it isn't that's a serious bug.
b. Use a DCL procedure to create PC user's VAX accounts. The procedure should create a directory name that matches the username.
If you still have problems, the problem is probably not with FTP but with the script.
2. We have a 24X7 operation with 2 sites. We have 2 VMS Sys Admins to cover both sites. When one of us is out of the area, we have 1 Sys Admin covering both sites. Your solution would have us sleep deprived. Our solution:
a. At our sites, we have a select printer menu option on the VAX side, the user selects the printer from the printer menu. Selecting a printer creates a DEFINE_PRINTER.COM file. In our solution an initial DEFINE_PRINTER.COM is copied to new customer user accounts. Customers can choose from a list of 38 network printers on the LAN. The printer selection remains the same until the customer changes it.
b. We also control access to the Applications on the VMS side.
Result: We don't have our Citrix Admins calling us.
Lawrence
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-13-2004 12:09 AM
08-13-2004 12:09 AM
Re: MS to VMS ftp-sesson runaway
Thanks for responses so far.
first I'll try to answer most of your questions.
-the TCPIP suite on Citrix is Onnet, and that will not be changed. (we also would prefer reflexion or KEA or Powerterm or..., but until now and in the forseeable future we have no vote in that)
-Both the Citrix usernames and the VMS usernames are maintained by (the mutations to) the personnel system, in a way that synchronises the usernames. Any 'standard' user has the same username on the desktop and on VMS (and Unix, but that is not within current scope).
There are 10000+ user accounts defined (for legal reasons we are obliged to keep them around till 5 years after leaving!)
-Most users hardly know whether an application is PC, VMS, or Unix.
-There are 750+ network printers to choose from, spread over (at the moment) 58 buildings
-It proved VERY confusing for a lot of users if VMS output did not appear on the printer these chose (on the desktop), so we decided to transfer the PC choice to VMS.
-we have the unhappy inheritance that some VMS applications require different keyboard-mapping then others.
Initially a user wanting a VMS app was logged in to VMS, and got presented a menu.
Quite often users succeeded in specifying on the PC an app that required (and got) one keyboard mapping, and then in the VMS menu selected another app. Sometimes such user worked for more than an hour, and then failed to store his/her work, because THAT function was wrongly mapped.
So we changed that, and now, if a user chooses a VMS app on the desktop, we first use his current printer choice to create DEFINE_SYS$PRINT.COM, then create AUTOSTART_APPLICATION.VMS containing the name of the chosen app, get the current desktop username, and present a screen asking the VMS password. Using the PC username and the supplied password we ftp-copy the two generated files to the application name. DNS is so organised (and maintained) that this equates to (one of) the node(s) where the app is available. Next we telnet to it, again using the known username and password.
SYS$SYLOGIN executes DEFINE_SYS$PRINT if found, and (if in interactive mode) checks for AUTOSTART_APPLICATION.VMS. If found, and sufficiently recent, then the applic is invoked, and upon exit the user is logged out.
The trouble as found so far seems to be limited to the few accounts that are NOT maintainable by the personnel system (collegues from other Regions, related Services etc temporarily stationed with us).
Sometimes it DOES occur that the account and and the therein specified environment don't match, and THEN the PC script starts looping.
Volker, the sheer amount of accounts, and the relative tiny fraction of errors, prevent the continuous scanning of SYSUAF vs directories.
Antonio,
even the try to connect is unsuccessful, so no DCL functionality is available
Volker,
testing for the DIR fails for the same reason Antonio's suggestion does not work.
OOOkayyyy!
While writing these answers, I have also been able to snatch someone with enough knowledge and autorisations on the Citrix environment.
Interactively we were NOT able to get the loop, we get an error 505 - directory not found. Looks consistent.
Now we executed the (compiled version of the) script, on a 2 CPU server (no other users). The moment the script starts asking the password, the system starts using 50 % , or 100% of 1 cpu. Now give the password, system goes to 100% cpu use; full use of both cpu's by 2 processes, the script and FTP. Kill the FTP process, and it comes back immediately (obviously seconf ftp command). Kill FTP again, and NOW we get a nice telnet session! This does its SYS$LOGIN: files processing conditionally if existant, so we have a logged in session without chosen applic. At the first action that NEEDS SYS$LOGIN the session gets (correctly) logged out.
Upon inspection of the script source, we found that the error handling in case of failing FTP is missing!!
A developper with write access to that environment is not in today, but I have good hopes that things will get solved monday or tuesday.
I will then add a (hopefully final) report.
Thanks all for the idea's, also from our Citrix administrators!
Jan
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-13-2004 12:16 AM
08-13-2004 12:16 AM
Re: MS to VMS ftp-sesson runaway
Accounting status : 1
Normal successfull completion.
jpe
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-13-2004 02:05 AM
08-13-2004 02:05 AM
Re: MS to VMS ftp-sesson runaway
if connection failed (so you can't execute any dcl command) you could solve within anonymous account.
Yes, usually, anonymous is disabled but meet exactly your requirements.
PC script can send to server via ftp using anonymous user into common folder a file within filename as username. FTP never fails and never loops on PC.
Then telnet connection can execute any DCL command so you can take a big control over the process with any control you need.
And don't forget a bottle of coke to citrix administrators :-)
Antonio Vigliotti
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-13-2004 02:20 AM
08-13-2004 02:20 AM
Re: MS to VMS ftp-sesson runaway
NO WAY!!!!
In less than a minute I can think of at least 3 ways to misuse it, and 2 more that things might go wrong unintentionally!!
Remember, this IS a site with security issues! (although, the frequent use of M$ stuff makes that hard to believe).
Jan
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-13-2004 02:43 AM
08-13-2004 02:43 AM
Re: MS to VMS ftp-sesson runaway
sure you need keep high level security!
However it's possible with anonymous too.
I think to some trick as RUN LOGINOUT/USER to check if user exist then blah blah.
So your ftp session always end without error.
I guess, for security reason, you can't post more information, so I can give you only some vague idea.
Antonio Vigliotti
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-13-2004 03:03 AM
08-13-2004 03:03 AM
Re: MS to VMS ftp-sesson runaway
I try to be more precise.
I have an application like yours. External device connect to vms system, then login activate a specific process and after issue logout.
With a simple program, written in C, you can activate always when user is anonymous this process and it wait for some strings (example user and printer); on ftp side you can simply use quote command.
Then process can anser success or fail to ftp client on PC, and then blah blah.
Hope it's more understandable
Antonio Vigliotti
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-16-2004 01:37 AM
08-16-2004 01:37 AM
SolutionStatus = 1 - yes, I could have figured that out. FTP = TCPIP = Unix = Interactive, so no error even if there'se something wrong: user should have seen that ;-(((( Batch: Which user?
Upon inspection of the script source, we found that the error handling in case of failing FTP is missing!!
Programmer is still around?
if Yes: Typically MS or X, not knowing co-opeeration... Educate (thouroughly) or get rid of him/her.
if no: Nothing's lost. Hwoever, be aware there may be more troublesome software around....
Willem
OpenVMS Developer & System Manager
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-16-2004 02:04 AM
08-16-2004 02:04 AM
Re: MS to VMS ftp-sesson runaway
What about writing a simple network service which tests the user before FTP?
My idea is that you write a simple client for M$ which sends the username to a service on VMS. This service can be a procedure or a program, which tests the user and returns the status to the client. If all is OK you proceed with FTP and telnet. If not stop before FTP.
Bojan
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-16-2004 07:30 PM
08-16-2004 07:30 PM
Re: MS to VMS ftp-sesson runaway
Another "service" idea which is a litle more sophisticated but more clean. I dont know Citrix, so I dont know if it can be applied. On a stand alone PC this will work.
When starting the application on the PC, start a network service on a predefined port and simultaneously start the telnet session.
In the SYS$SYLOGIN find out the IP of the telnet client and connect to the service. Obtain the informations and define the needed logicals. Close the connection to the service (which will stop) and start the VMS application.
With this you get rid of FTP which was designed for file transfer, and (for me) file transfer is not the best solution for computer communications.
Bojan
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-16-2004 07:50 PM
08-16-2004 07:50 PM
Re: MS to VMS ftp-sesson runaway
use DECNet.
Willem
OpenVMS Developer & System Manager
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-16-2004 08:42 PM
08-16-2004 08:42 PM
Re: MS to VMS ftp-sesson runaway
status update.
Since we had a decent suspect in the FTP transfer, we ran a lot of other tests we could think of. Any and all reasons for FTP PUT failure had the same result: runaway ftp process.
We have tried to add status checking to the tranfer, but (to my VMS-minded surprise, but our Windows people just shrugged at it) there is no way to react to the status. Obviously the retry loop is entered before the status can be picked up!
The Onnet ftp functions do NOT include a test for directory availability.
FTP GET also reports status; and we tricked that into a (very un-elegant) test.
The way our VMS user-environment is set up, EVERY user has a file with a fixed name in his SYS$LOGIN. Now, from the Citrix script, we do a FTP GET of this file into local scratch. AND.... THIS CAN be tested!!!
We tried various reasons of NOT being able to GET the file, and every test we could think of resulted in a status that we expected, and can REACT to.
So now, we do a ftp get, if successful we continue, and if not successful we generate a meaningful message, to be reported to the helpdesk. (should be very helpfull in correcting the problem).
The only potential problem I can hypothesize that will get through this trap is a valid SYS$LOGIN where the GET of the file succeeds, but where the owner has no write access.
We decided to run that risk.
So, it looks like "Problem Solved"
I still need to reply to the later suggestions.
Antonio:
the way via an anonymous access with username as param to check existence looks rather more complex, there will (at least!) be a lot of struggle to get it accepted by Security, and, biggest drawback, I thing IF the user validates, but errenously has an invalid SYS$LOGIN specification, we are still back at square one. Btw, many applications have the potential to fail at some point if SYS$LOGIN or SYS$SCRATH are not writable, so we'd find out rather sooner than later.
Willem:
Education IS a continuous process, and most of the M$ programmers ARE used to do programming in server ( = multi user ) environments. I have the definite impression that our group scores above average already.
Bojan:
well, essentially the little program you suggest is FTP GET...
Second suggestion:
"Find the FTP of the client and connect.."
but in the Citrix environment multiple sessions from multiple users are coming from the same server = same IP. Not going to work.
Well, thanks again for all suggestions!
Jan