This document describes the new features and changes introduced with Version 5.6 of the HP TCP/IP Services for OpenVMS software product.
Revision/Update Information: This is a new document.
Software Version: HP TCP/IP Services for OpenVMS Version 5.6
Operating Systems: OpenVMS I64 Version 8.3; OpenVMS I64 Version 8.2.1; OpenVMS Alpha Version 8.3; OpenVMS Alpha Version 8.2
Hewlett-Packard Company Palo Alto, California
© Copyright 2006 Hewlett-Packard Development Company, L.P.
Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.
The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Intel and Itanium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
UNIX is a registered trademark of The Open Group.
Printed in the US
The HP TCP/IP Services for OpenVMS documentation is available on CD-ROM.
The HP TCP/IP Services for OpenVMS product is the HP implementation of the TCP/IP protocol suite and Internet services for OpenVMS Alpha and OpenVMS Industry Standard 64 for Integrity Servers (I64) systems. This document describes the latest release of the HP TCP/IP Services for OpenVMS product.
TCP/IP Services provides a comprehensive suite of functions and applications that support industry-standard protocols for heterogeneous network communications and resource sharing.
For installation instructions, see the HP TCP/IP Services for OpenVMS Installation and Configuration manual.
The release notes provide version-specific information that supersedes the information in the documentation set. The features, restrictions, and corrections in this version of the software are described in the release notes. Always read the release notes before installing the software.
These release notes are intended for experienced OpenVMS and UNIX® system managers and assume a working knowledge of OpenVMS system management, TCP/IP networking, TCP/IP terminology, and some familiarity with the TCP/IP Services product.
These release notes are organized into the following chapters:
Table 1 lists the documents available with this version of TCP/IP Services.
Manual | Contents |
---|---|
HP TCP/IP Services for OpenVMS Concepts and Planning | This manual provides conceptual information about TCP/IP networking on OpenVMS systems, including general planning issues to consider before configuring your system to use the TCP/IP Services software. This manual also describes the other manuals in the TCP/IP Services documentation set and provides a glossary of terms and acronyms for the TCP/IP Services software product. |
HP TCP/IP Services for OpenVMS Release Notes | The release notes provide version-specific information that supersedes the information in the documentation set. The features, restrictions, and corrections in this version of the software are described in the release notes. Always read the release notes before installing the software. |
HP TCP/IP Services for OpenVMS Installation and Configuration | This manual explains how to install and configure the TCP/IP Services product. |
HP TCP/IP Services for OpenVMS User's Guide | This manual describes how to use the applications available with TCP/IP Services such as remote file operations, e-mail, TELNET, TN3270, and network printing. |
HP TCP/IP Services for OpenVMS Management | This manual describes how to configure and manage the TCP/IP Services product. |
HP TCP/IP Services for OpenVMS Management Command Reference | This manual describes the TCP/IP Services management commands. |
HP TCP/IP Services for OpenVMS Management Command Quick Reference Card | This reference card lists the TCP/IP management commands by component and describes the purpose of each command. |
HP TCP/IP Services for OpenVMS UNIX Command Equivalents Reference Card | This reference card contains information about commonly performed network management tasks and their corresponding TCP/IP management and UNIX command formats. |
HP TCP/IP Services for OpenVMS ONC RPC Programming | This manual presents an overview of high-level programming using open network computing remote procedure calls (ONC RPC). This manual also describes the RPC programming interface and how to use the RPCGEN protocol compiler to create applications. |
HP TCP/IP Services for OpenVMS Guide to SSH | This manual describes how to configure, set up, use, and manage the SSH for OpenVMS software. |
HP TCP/IP Services for OpenVMS Sockets API and System Services Programming | This manual describes how to use the Berkeley Sockets API and OpenVMS system services to develop network applications. |
HP TCP/IP Services for OpenVMS SNMP Programming and Reference | This manual describes the Simple Network Management Protocol (SNMP) and the SNMP application programming interface (eSNMP). It describes the subagents provided with TCP/IP Services, utilities provided for managing subagents, and how to build your own subagents. |
HP TCP/IP Services for OpenVMS Tuning and Troubleshooting | This manual provides information about how to isolate the causes of network problems and how to tune the TCP/IP Services software for the best performance. It also provides information about using UNIX network management utilities on OpenVMS. |
HP TCP/IP Services for OpenVMS Guide to IPv6 | This manual describes the IPv6 environment, the roles of systems in this environment, the types and function of the different IPv6 addresses, and how to configure TCP/IP Services to access the IPv6 network. |
For additional information about HP OpenVMS products and services, visit the following World Wide Web address:
http://www.hp.com/go/openvms
For a comprehensive overview of the TCP/IP protocol suite, refer to the book Internetworking with TCP/IP: Principles, Protocols, and Architecture, by Douglas Comer.
HP welcomes your comments on this manual. Please send comments to either of the following addresses:
Internet | openvmsdoc@hp.com |
Postal Mail | Hewlett-Packard Company, OSSG Documentation Group, ZKO3-4/U08, 110 Spit Brook Rd., Nashua, NH 03062-2698 |
For information about how to order additional documentation, visit the following World Wide Web address:
http://www.hp.com/go/openvms/doc/order
In the product documentation, the name TCP/IP Services means any of the following:
In addition, please note that all IP addresses are fictitious.
The following conventions are used in the documentation.
Ctrl/ x | A sequence such as Ctrl/ x indicates that you must hold down the key labeled Ctrl while you press another key or a pointing device button. |
PF1 x | A sequence such as PF1 x indicates that you must first press and release the key labeled PF1 and then press and release another key or a pointing device button. |
[Return] | In examples, a key name enclosed in a box indicates that you press a key on the keyboard. (In text, a key name is not enclosed in a box.) In the HTML version of this document, this convention appears as brackets, rather than a box. |
... | A horizontal ellipsis in examples indicates one of the following possibilities: |
. . . | A vertical ellipsis indicates the omission of items from a code example or command format; the items are omitted because they are not important to the topic being discussed. |
( ) | In command format descriptions, parentheses indicate that you must enclose choices in parentheses if you specify more than one. |
[ ] | In command format descriptions, brackets indicate optional choices. You can choose one or more items or no items. Do not type the brackets on the command line. However, you must include the brackets in the syntax for OpenVMS directory specifications and for a substring specification in an assignment statement. |
| | In command format descriptions, vertical bars separate choices within brackets or braces. Within brackets, the choices are optional; within braces, at least one choice is required. Do not type the vertical bars on the command line. |
{ } | In command format descriptions, braces indicate required choices; you must choose at least one of the items listed. Do not type the braces on the command line. |
bold type | Bold type represents the introduction of a new term. It also represents the name of an argument, an attribute, or a reason. |
italic type | Italic type indicates important information, complete titles of manuals, or variables. Variables include information that varies in system output (Internal error number), in command lines (/PRODUCER= name), and in command parameters in text (where dd represents the predefined code for the device type). |
UPPERCASE TYPE | Uppercase type indicates a command, the name of a routine, the name of a file, or the abbreviation for a system privilege. |
Example | This typeface indicates code examples, command examples, and interactive screen displays. In text, this type also identifies URLs, UNIX commands and pathnames, PC-based commands and folders, and certain elements of the C programming language. |
- | A hyphen at the end of a command format description, command line, or code line indicates that the command or statement continues on the following line. |
numbers | All numbers in text are assumed to be decimal unless otherwise noted. Nondecimal radixes (binary, octal, or hexadecimal) are explicitly indicated. |
This chapter describes new features of TCP/IP Services Version 5.6 as well as behavioral enhancements.
TCP/IP Services Version 5.6 is supported on OpenVMS Alpha and OpenVMS Industry Standard 64 for Integrity Servers (I64) systems only. On VAX systems, use TCP/IP Services Version 5.3. To use TCP/IP Services Version 5.6, you must upgrade to OpenVMS Version 8.2 or higher.
For information about installing and configuring TCP/IP Services, see the HP TCP/IP Services for OpenVMS Installation and Configuration guide.
Table 1-1 lists the new features of TCP/IP Services Version 5.6 and the sections that describe them.
Feature | Section | Description |
---|---|---|
BIND 9 Resolver | 1.1 | This release includes a new version of the BIND resolver. |
DNS/BIND V9.3 Server | 1.2 | This release includes an updated BIND server codebase. |
Integrate Tru64 BL26 Updates | 1.3 | This release incorporates several critical bug fixes in the Tru64 UNIX-based kernel and management utilities. |
NFS Client TCP Support | 1.4 | The NFS client joins the server in offering the ability to run over TCP. |
NFS Server Support for Integrity | 1.5 | The NFS server is now operational and supported on the OpenVMS I64 platform. |
NFS Symbolic Link Support | 1.6 | The NFS server now recognizes symbolic links and can create them as necessary. |
NTP Security Update (SSL) | 1.7 | New NTP features offer cryptographic security. |
SMTP Multiple Domains in a Zone | 1.8 | SMTP now recognizes more than one domain name for direct local delivery. |
SSH Upgrade with Kerberos Support | 1.9 | Several improvements have been made to SSH. |
TELNET Upgrade with Kerberos Support | 1.10 | The TELNET server and client are now supported with the upgraded Kerberos version that ships with OpenVMS V8.3. |
TELNET Server Device Limit | 1.11 | The TELNET server is no longer limited to 9999 sessions for TN devices. |
IPv6 Support for LPD and TELNETSYM | 1.12 | Both LPD and TELNETSYM printing software now allow you to print via the IPv6 transport. |
FTP Performance Enhancements for VMS Plus Mode | 1.13 | The FTP service has been streamlined. |
Improved Interface Configuration in TCPIP$CONFIG | 1.14 | The menu-driven process of defining local interfaces and IP addresses has been significantly reworked to provide better support for failSAFE IP. |
Added TSIG-based Authentication Support to the Load Broker | 1.15 | Added TSIG-based authentication support to the Load Broker. |
1.1 BIND 9 Resolver
This release includes a new version of the BIND resolver that brings
several API updates including thread-safety for the getaddrinfo() and
getnameinfo() routines. It also brings new features, including the
ability to resolve DNS entries via the IPv6 transport. This represents
a major upgrade from V5.5 and other recent releases, which provided
resolver functionality based on BIND8.
1.2 DNS/BIND V9.3 Server
This release updates the BIND server to Version 9.3.1, which brings
several incremental improvements related to security and stability.
1.3 Integrate Tru64 BL26 Updates
Several critical bug fixes in the Tru64 UNIX-based kernel and
management utilities were incorporated.
1.4 NFS Client TCP Support
The NFS client joins the server in offering the ability to run over
TCP, in addition to the more-traditional UDP mode of operation. This
can be useful when mounting filesystems across a Wide Area Network or
traversing a firewall.
1.5 NFS Server Support for Integrity
This release includes NFS Server Support for OpenVMS I64 platforms.
1.6 NFS Symbolic Link Support
The NFS server now recognizes symbolic links and can create them as
necessary.
1.7 NTP Security Update (SSL)
New NTP features offer cryptographic security, enhancing the protection
against an attacker trying to compromise the accuracy of your system
clock. For more information, see Appendix A.
1.8 SMTP Multiple Domains in a Zone
During periods of organizational transition such as mergers, it is
common for more than one domain name to be in use on a corporate
intranet. SMTP will now recognize more than one domain name.
1.9 SSH Upgrade with Kerberos Support
TCP/IP Services for OpenVMS 5.6 introduces SSH support for Kerberos, the popular network authentication protocol from the Massachusetts Institute of Technology. The SSH password authentication method has been enhanced to support Kerberos. Three new SSH authentication methods based on Kerberos are now supported: gssapi-with-mic, kerberos-2@ssh.com, and kerberos-tgt-2@ssh.com.
The kerberos-2@ssh.com and kerberos-tgt-2@ssh.com authentication methods are proprietary, not specified by an IETF draft or RFC, and as such are supported only by the SSH implementations based on software from SSH Communications Inc. Tru64 UNIX also supports these two authentication methods.
The gssapi-with-mic authentication method is based on an IETF draft (GSSAPI Authentication and Key Exchange for the Secure Shell Protocol). As a public domain specification, it is supported by a broader range of SSH implementations including those based on OpenSSH. TCP/IP Services does not implement the key exchange part of the "GSSAPI Authentication and Key Exchange for the Secure Shell Protocol" draft. It implements only the user authentication portion of this specification.
The SSH server in this version of TCP/IP Services supports Kerberos for
OpenVMS Version V2.1 and higher. For more information about Kerberos
for OpenVMS, refer to the HP Open Source Security for OpenVMS, Volume 3: Kerberos manual.
1.9.1 Forwarding of Credentials
Kerberos provides the ability for applications like SSH to forward credentials from client host to server host, obviating the need for the user to re-enter their Kerberos password each time they use a Kerberized application. For example, with credentials forwarding a user on HOSTA could issue a kinit command, connect with SSH from HOSTA to HOSTB and then, once logged into HOSTB, they could connect on to HOSTC without issuing a kinit command in their user process on HOSTB. They only entered the kinit command on HOSTA and their credentials "followed" them to their session on HOSTB and then on to their session on HOSTC.
The -f option on the SSH command indicates that a forwardable TGT is to be produced.
The Kerberized application must also support credentials forwarding. The kerberos-tgt-2 method supports credentials being forwarded from the client to the server process.
The kerberos-2 method does not support forwarding of the user's Kerberos credentials to the process on the SSH server host. An application that uses Kerberos from the process on the server side requires the user to enter another kinit command.
The gssapi-with-mic method supports forwarding of the user's Kerberos credentials to the user's process on the SSH server. However, the OpenVMS SSH server does not support this feature. Therefore, when connecting to the OpenVMS SSH server using gssapi-with-mic authentication, the user's Kerberos credentials from the client will not be propagated to the user's process on the server.
Any use of a Kerberized application from the server side process requires the user to issue another kinit command in that process.
For information about how to enable SSH server support for Kerberos, see the HP TCP/IP Services for OpenVMS Guide to SSH.
The following example illustrates how to obtain a forwardable TGT.
```
!!! User issues kinit with -f to get a forwardable TGT.
!!! In this example the Kerberos principal user name is lower case and
!!! the realm is uppercase.
SYSA> kinit -f "smith"
Password for smith@SYSA.XYZ.COM:
!!! Connect to system "sysb" forcing use of kerberos-tgt-2 authentication
!!! method.
SYSA> ssh -o"AllowedAuthentications kerberos-tgt-2@ssh.com" smith@sysb
Authentication successful.

Welcome to HP OpenVMS Industry Standard 64 Evaluation Release V8.2
!!! We've been allowed in. A klist -f (-f for "full") shows that we have a
!!! TGT without having issued a kinit command on SYSB.
SYSB> klist -f
Ticket cache: FILE:WORK10$:[SMITH.KRB.SYSB.TMP]KRB5CC_1480589921
Default principal: smith@SYSA.XYZ.COM

Valid starting     Expires            Service principal
09/22/05 14:18:53  09/23/05 00:17:16  krbtgt/SYSA.XYZ.COM@SYSA.XYZ.COM
        Flags: FfT

Kerberos 4 ticket cache: krb$user:[tmp]k4_tkt_cache33488912
KRB$KLIST: You have no tickets cached
!!! Now use ssh to connect back to sysa but this time use the simpler
!!! kerberos-2 authentication method.
SYSB> ssh -o"AllowedAuthentications kerberos-2@ssh.com" smith@sysa
Authentication successful.

UNAUTHORIZED ACCESS PROHIBITED
OpenVMS AXP (TM) Operating System, Version V8.2
!!! We have been allowed in but have no TGT created for us because we
!!! used kerberos-2:
SYSA> klist -f
KRB$KLIST: No credentials cache found (ticket cache FILE:krb$user:[tmp]krb5cc_33488912)

Kerberos 4 ticket cache: krb$user:[tmp]k4_tkt_cache33488912
KRB$KLIST: You have no tickets cached
```
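To audit which sessions actually hold delegated credentials, the `klist -f` output in the session above can be parsed and its flag letters decoded. The following Python sketch is an added example, not part of the HP documentation; it assumes the flag letters carry their MIT Kerberos meanings (F = forwardable, f = forwarded), and the function names are hypothetical.

```python
import re

# Flag letters as documented for MIT Kerberos "klist -f" (assumed to
# apply to the OpenVMS klist output as well).
FLAG_NAMES = {
    "F": "forwardable", "f": "forwarded", "P": "proxiable", "p": "proxy",
    "D": "postdateable", "d": "postdated", "R": "renewable", "I": "initial",
    "i": "invalid", "H": "hardware-authenticated", "A": "preauthenticated",
    "T": "transit-policy-checked", "O": "ok-as-delegate", "a": "anonymous",
}
_TS = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^({_TS})\s+({_TS})\s+(\S+)$")

def parse_klist(text):
    """Parse the Kerberos 5 part of 'klist -f' output."""
    result = {"principal": None, "tickets": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Kerberos 4 ticket cache"):
            break  # the Kerberos 4 section is not parsed
        m = TICKET_RE.match(line)
        if line.startswith("Default principal:"):
            result["principal"] = line.split(":", 1)[1].strip()
        elif m:
            result["tickets"].append(
                {"start": m.group(1), "end": m.group(2),
                 "service": m.group(3), "flags": ""})
        elif line.startswith("Flags:") and result["tickets"]:
            result["tickets"][-1]["flags"] = line.split(":", 1)[1].strip()
    return result

def delegation_report(text):
    """For each TGT: was it forwarded to this host, can it be forwarded on?"""
    return [{"service": t["service"],
             "forwarded_here": "f" in t["flags"],
             "forwardable_onward": "F" in t["flags"],
             "flags": [FLAG_NAMES.get(c, "unknown:" + c) for c in t["flags"]]}
            for t in parse_klist(text)["tickets"]
            if t["service"].startswith("krbtgt/")]

# Sample input: the two klist -f outputs from the session shown above.
SYSB_OUTPUT = """Ticket cache: FILE:WORK10$:[SMITH.KRB.SYSB.TMP]KRB5CC_1480589921
Default principal: smith@SYSA.XYZ.COM

Valid starting     Expires            Service principal
09/22/05 14:18:53  09/23/05 00:17:16  krbtgt/SYSA.XYZ.COM@SYSA.XYZ.COM
        Flags: FfT
Kerberos 4 ticket cache: krb$user:[tmp]k4_tkt_cache33488912
KRB$KLIST: You have no tickets cached"""
SYSA_OUTPUT = """KRB$KLIST: No credentials cache found (ticket cache FILE:krb$user:[tmp]krb5cc_33488912)
Kerberos 4 ticket cache: krb$user:[tmp]k4_tkt_cache33488912
KRB$KLIST: You have no tickets cached"""

if __name__ == "__main__":
    print(delegation_report(SYSB_OUTPUT))  # kerberos-tgt-2 session
    print(delegation_report(SYSA_OUTPUT))  # kerberos-2 session
```

A TGT reported with both `forwarded_here` and `forwardable_onward` set is present in a ticket cache on the server host and can be delegated again, so such hosts belong in the set of systems whose ticket caches are protected and monitored.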