COM, Registry, and Events for
HP OpenVMS Developer's Guide




Chapter 5
COM for OpenVMS Security

COM V1.1-A and higher for OpenVMS supports NTLM (NT LAN Manager) authentication for controlling access to COM objects.

Processes that execute client and server applications must obtain Windows credentials in order to be authenticated. Processes created automatically by DCOM$RPCSS to execute server applications obtain Windows credentials based on the Registry settings for the server being launched. Interactive processes that are used to execute client and server applications must obtain Windows credentials by running the NTA$LOGON utility (see Section 8.2).

This chapter applies to COM for OpenVMS in authenticated mode. See Appendix E for information about running COM for OpenVMS in an unauthenticated environment.

This chapter discusses the following topics:

5.1 System Configuration

NTLM authentication on OpenVMS is implemented in three major components of the operating system (see Section 4.10).

The ACME server, RPC, and SSPI are installed as part of the OpenVMS operating system and require no special configuration. Advanced Server for OpenVMS must be installed as a layered product and must be configured to support NTLM authentication for COM applications (see Section 4.4).

After installing Advanced Server for OpenVMS, you must create Windows domain accounts that will be used to execute COM applications. You must also map the Windows domain accounts to OpenVMS accounts.

The Advanced Server ADMINISTER utility is used to create Windows domain accounts. For example, to create the Windows domain account NTUSER1, use the following command:

$ ADMINISTER ADD USER NTUSER1 /PASSWORD="pppppp" /FLAG=NOPWDEXPIRED

The password is case sensitive, so it is enclosed in quotation marks in order to maintain case. A password without quotation marks is converted to uppercase. By default, Windows domain accounts are created with the password pre-expired, thus forcing the user to change the password at the first login. The NOPWDEXPIRED flag overrides this default.

A hostmap entry defines the association between a Windows user account and a local OpenVMS user account. When OpenVMS authenticates a Windows user, OpenVMS uses the hostmap entry to map the OpenVMS user account to the Windows user account and build the local OpenVMS user profile and the Windows NT user profile. If no hostmap entry exists, OpenVMS uses the Windows user account name as the local OpenVMS user account name.

Use the HP Advanced Server for OpenVMS ADMINISTER utility to define hostmap information. For example, to map the Windows domain account NTUSER1 to the OpenVMS account VMSUSER1, use the following command:

$ ADMINISTER ADD HOSTMAP NTUSER1 VMSUSER1

If the OpenVMS account does not already exist, you must create the account using the OpenVMS Authorize utility (AUTHORIZE). The OpenVMS account must have the EXTAUTH flag set, or the IGNORE_EXTAUTH flag (bit 11, %X0800) must be set in the SECURITY_POLICY SYSGEN parameter (see Section 5.1). This policy allows the OpenVMS system manager to control which OpenVMS user accounts can be used with Windows authentication. For example, to set the EXTAUTH flag for the OpenVMS account VMSUSER1, use the following commands:

$ AUTHORIZE == "$AUTHORIZE"
$ AUTHORIZE MODIFY VMSUSER1 /FLAG=EXTAUTH
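
The three steps of this section (create the Windows domain account, hostmap it, set EXTAUTH) combined into one DCL command procedure, added here as an example; it is not part of the COM for OpenVMS kit. It assumes the Advanced Server ADMINISTER command is already defined, as in the commands above, and that the procedure runs from an account holding the privileges those commands need; the procedure name, symbol names and messages are the example's own. The Windows password is read without echo rather than typed on the command line, so it does not end up in the DCL recall buffer, and the symbol holding it is deleted as soon as ADMINISTER has used it.

```dcl
$! SETUP_COM_USER.COM  (example procedure, not part of COM for OpenVMS)
$! Usage:  @SETUP_COM_USER windows-account openvms-account
$! Creates the Windows domain account, hostmaps it to the OpenVMS
$! account, and sets EXTAUTH on the OpenVMS account (Section 5.1).
$!
$ SET NOVERIFY
$ SET NOON                      ! $STATUS is checked after each step instead
$ SAVED_PRIVS = F$SETPRV("SYSPRV")   ! AUTHORIZE needs SYSPRV to modify SYSUAF
$ AUTHORIZE == "$AUTHORIZE"
$!
$ NTUSER  = F$EDIT(P1, "UPCASE,TRIM")
$ VMSUSER = F$EDIT(P2, "UPCASE,TRIM")
$ IF NTUSER  .EQS. "" THEN INQUIRE NTUSER  "Windows domain account"
$ IF VMSUSER .EQS. "" THEN INQUIRE VMSUSER "OpenVMS account to hostmap to"
$!
$! The OpenVMS account must already exist in SYSUAF (create it with
$! AUTHORIZE ADD first if it does not).
$ AUTHORIZE SHOW 'VMSUSER' /BRIEF
$ IF .NOT. $STATUS
$ THEN
$    WRITE SYS$OUTPUT "OpenVMS account ''VMSUSER' not found in SYSUAF"
$    GOTO DONE
$ ENDIF
$!
$! Read the Windows password without echo. It is case sensitive, so it is
$! passed to ADMINISTER inside quotation marks exactly as typed.
$ SET TERMINAL /NOECHO
$ READ /PROMPT="Password for ''NTUSER': " SYS$COMMAND NTPW
$ SET TERMINAL /ECHO
$ WRITE SYS$OUTPUT ""
$!
$ ADMINISTER ADD USER 'NTUSER' /PASSWORD="''NTPW'" /FLAG=NOPWDEXPIRED
$ STEP_STATUS = $STATUS
$ NTPW = ""                     ! do not leave the password in a DCL symbol
$ DELETE /SYMBOL NTPW
$ IF .NOT. STEP_STATUS
$ THEN
$    WRITE SYS$OUTPUT "ADMINISTER ADD USER failed, status ''STEP_STATUS'"
$    GOTO DONE
$ ENDIF
$!
$ ADMINISTER ADD HOSTMAP 'NTUSER' 'VMSUSER'
$ IF .NOT. $STATUS
$ THEN
$    WRITE SYS$OUTPUT "ADMINISTER ADD HOSTMAP failed"
$    GOTO DONE
$ ENDIF
$!
$ AUTHORIZE MODIFY 'VMSUSER' /FLAG=EXTAUTH
$ IF .NOT. $STATUS
$ THEN
$    WRITE SYS$OUTPUT "AUTHORIZE MODIFY /FLAG=EXTAUTH failed"
$    GOTO DONE
$ ENDIF
$!
$! Confirm the flag really took: the SYSUAF record lists it as ExtAuth on
$! the Flags line. SEARCH matches case-insensitively and returns a success
$! severity (1) only when a line matched; no match is informational (3).
$ PIPE AUTHORIZE SHOW 'VMSUSER' | SEARCH SYS$PIPE "EXTAUTH" /NOOUTPUT
$ IF $SEVERITY .EQ. 1
$ THEN
$    WRITE SYS$OUTPUT "''NTUSER' is hostmapped to ''VMSUSER' with EXTAUTH set."
$    WRITE SYS$OUTPUT "Log in as ''VMSUSER' and run NTA$LOGON ''NTUSER' to acquire credentials."
$ ELSE
$    WRITE SYS$OUTPUT "Warning: EXTAUTH flag not visible on ''VMSUSER'"
$ ENDIF
$!
$DONE:
$ IF F$TYPE(NTPW) .NES. "" THEN DELETE /SYMBOL NTPW
$ SET TERMINAL /ECHO
$ SAVED_PRIVS = F$SETPRV(SAVED_PRIVS)
$ EXIT
```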

5.1.1 LOGINOUT.EXE Use of External Authentication

The EXTAUTH flag also directs LOGINOUT.EXE to use external authentication to authenticate an OpenVMS user during the login process (that is, local, dialup, remote, interactive, and network logins). When you set the EXTAUTH flag, LOGINOUT.EXE uses external authentication, not the OpenVMS SYSUAF.DAT record, to verify the user name and password.

LOGINOUT external authentication always requires that you set the EXTAUTH flag in the SYSUAF account record. Unlike NTA$LOGON and authenticated RPC, you cannot override this requirement using the IGNORE_EXTAUTH flag.

5.1.2 DCE Integrated Login Restriction

A site cannot use both external authentication and the older LGI-callout feature on the same system. If you have an LGI-callout image installed, external authentication is disabled for login purposes. Because DCE integrated login uses the LGI-callout mechanism, OpenVMS does not allow logins using Windows-based external authentication if DCE integrated login is enabled.

5.2 Cross-Domain Configuration

You can run a COM application on a system in one domain and have the application authenticated by a system in a second domain.

To configure authentication across Windows domains, you must do the following:

  1. Set up trust relationships between domains.
    For more information, see the HP Advanced Server for OpenVMS Server Administrator's Guide.
  2. Set up the HostMapDomains parameter on HP Advanced Server for OpenVMS domains (see Example 5-1).
    For more information, see the HP Advanced Server for OpenVMS Server Administrator's Guide.
  3. Set up account hostmap entries between the Windows user account and a local OpenVMS user account.

Example 5-1 shows how you can set up the HostMapDomains parameter. In this example, there are two domains: DOMAIN_1 and DOMAIN_2. Domain DOMAIN_2 is running HP Advanced Server for OpenVMS; domain DOMAIN_1 is a Windows domain. The commands in Example 5-1 introduce DOMAIN_2 to DOMAIN_1.

Example 5-1 Sample: Setting Up HostMapDomains

SYSJANE$ show sym regutl
  REGUTL == "$SYS$SYSTEM:PWRK$REGUTL.EXE"
SYSJANE$ regutl
REGUTL> SET PARAM /CREATE VMSSERVER HOSTMAPDOMAINS DOMAIN_1
REGUTL> SHOW VALUE * HOSTMAPDOMAINS
Key: SYSTEM\CurrentControlSet\Services\AdvancedServer\UserServiceParameters
Value: HostmapDomains
Type: String
Current Data: DOMAIN_1

5.3 Acquiring Windows Credentials

After the Windows domain account and the OpenVMS account have been set up as described in Section 5.1, you can log in to the OpenVMS account using the usual OpenVMS login procedures. You can then acquire Windows credentials using the NTA$LOGON utility. For example:

$ NTA$LOGON == "$NTA$LOGON"
$ NTA$LOGON NTUSER1 "pppppp"

In this format, pppppp is the password you specified when you created the Windows domain account. The password is enclosed in quotation marks to preserve case. A password without quotation marks is converted to lowercase. If the user name or password is not specified on the command line, the program prompts the user for the required input (see Section 8.2).

To acquire Windows credentials using NTA$LOGON, you must be logged in to the OpenVMS account to which the Advanced Server account is hostmapped. If you are not logged in to that account, you must have the IMPERSONATE privilege and use the NTA$LOGON /OVERRIDE_MAPPING option. For example:

$ NTA$LOGON == "$NTA$LOGON"
$ NTA$LOGON /OVERRIDE_MAPPING NTUSER2 "pppppp"

To determine whether a process has Windows credentials, use the NTA$LOGON utility with the /LIST switch. For example:

$ NTA$LOGON == "$NTA$LOGON"
$ NTA$LOGON /LIST

5.4 Application Security

The COM security model allows the creation of secure distributed applications. COM security can be enabled by using settings in the OpenVMS Registry and by using COM security APIs and interfaces. There are two primary areas of security that can be applied to COM applications: launch security and activation security.

Launch security and activation security have system default settings; application-specific settings override these defaults. The settings are stored in the Registry and are maintained by using the DCOMCNFG utility on Windows and by using the DCOMCNFG option of DCOM$SETUP.COM on OpenVMS. The COM API CoInitializeSecurityEx can be used from within an application to enhance or override the Registry settings.

5.4.1 Launch Security

Launch security determines which Windows domain accounts can be used to create, or "launch," server processes. The launch security settings are referenced when a COM request is received on a system that will result in the launching of a server process to satisfy the request. These settings can explicitly or implicitly allow or disallow a user request to launch a server. The DCOM$RPCSS process authenticates the incoming request to determine the identity of the client. If DCOM$RPCSS determines that it needs to launch a server process to satisfy the request, DCOM$RPCSS allows or disallows the launching of the server based on the identity of the client and the launch security settings.

5.4.2 Activation Security

Activation security determines which Windows domain accounts can be used to execute method calls in server applications. The activation security settings are referenced when a COM request is received on a system for a method call in an existing server process. The server process authenticates the incoming request to determine the identity of the client. The server process allows or disallows the execution of the method call based on the identity of the client and the activation security settings.

5.4.3 Server Process Identity

A server process created by DCOM$RPCSS on OpenVMS is a detached process that has an OpenVMS identity and follows all the OpenVMS security rules for a detached process. In addition, it has a network identity that is used to enforce the COM security model (see Section 5.5).

COM servers create separate server threads to execute each client request. These server threads have their own OpenVMS identity and network identity, based on the identity of the client. When a server thread is executing a request on behalf of a client, it is the thread's identities, not the process's identities, that are used to enforce security.

5.4.4 Domain Issues

Two systems running COM client and server applications can exist in one of three possible domain configurations:

Whether servers and DCOM$RPCSS can authenticate client requests depends on the domain configuration. When both systems are in the same domain, or in separate but trusted domains, authentication works without difficulty. The trusted-domain configuration is somewhat more complex, because the trusts and hostmap mappings must be configured correctly, but once they are, authentication proceeds without trouble (see Section 5.2).

Systems in separate, nontrusted domains or systems not in any domain cannot be authenticated using the normal mechanisms. To run authenticated COM applications between such systems, you must pass authentication information (user name and password) from the client to the server. COM provides this capability in the CoCreateInstanceEx API. The pServerInfo parameter of the CoCreateInstanceEx API allows you to specify a user name and password to be used for authentication on the remote server system. The user name and password are part of the COAUTHIDENTITY structure, within the COAUTHINFO structure within the COSERVERINFO structure, that is passed as the pServerInfo parameter to CoCreateInstanceEx.

Section C.3 shows how you can authenticate a remote client that is neither in the server's domain nor in a domain that has a trust with the server's domain.

The current NTLM security implementation on OpenVMS does not support this feature for COM client applications on OpenVMS. This feature is supported for COM clients on Windows that communicate with COM servers on OpenVMS. To run COM client applications on OpenVMS where the server is not in the same domain or in a trusted domain, you must disable authentication for the application, as described in Section 5.4.5.

5.4.5 Disabling Authentication

Under certain conditions, you may want to disable authentication between client and server applications. Doing so disables many of the security features of COM and of the operating system and should not be used in an environment where security is required. There are two ways to disable authentication for COM applications:

The server must be configured to run with a specific NTLM account identity. Since the client will not be authenticated, there is no way for the server to run with a client's identity. To configure a server to run with a specific NTLM identity, use DCOMCNFG and change the application properties to select the NTLM account.

5.4.6 Access Denied Problems (80070005)

The most common security error a COM application will encounter is access denied (error status value 80070005). The following is a list of the most common causes of this error:

5.5 Server Run-Time Environment

When DCOM$RPCSS launches a server in response to a client request for a COM object, DCOM$RPCSS creates a detached process and executes either the server image or server command file in the context of the detached process. The image or command file that is executed is determined by the value of the Registry key HKEY_CLASSES_ROOT\CLSID\{iid}\LocalServer32, where iid is the unique identifier of the COM object.

The run-time environment of the detached process is as follows:


Chapter 6
COM for OpenVMS Utilities for Application Development and Deployment

This chapter describes how to configure your OpenVMS system (and, optionally, your Windows system) to develop and deploy COM applications. It describes the following COM for OpenVMS utilities:

This chapter also includes information about configuring OpenVMS and Windows systems to interoperate.

Before you begin

Before you configure COM for OpenVMS on your OpenVMS system, you must install and configure required components and install COM for OpenVMS. See Chapter 4 for information about these steps.

6.1 DCOM$SETUP Utility

DCOM$SETUP is a collection of tools to help a system manager configure the COM for OpenVMS system environment.

DCOM$SETUP Conventions and Requirements

6.2 Running DCOM$SETUP

To run DCOM$SETUP, enter @SYS$STARTUP:DCOM$SETUP at the OpenVMS system prompt.

The system displays the OpenVMS COM Tools menu.

Figure 6-1 DCOM$SETUP OpenVMS COM Tools Menu

---------------------------------------------------------
                         OpenVMS COM Tools

           1) DCOMCNFG, COM Configuration Properties
           2) GUIDGEN, Globally Unique Identifier Generator
           3) Populate the Registry database for COM
           4) Start the COM server
           5) Stop the COM server
           6) Register a COM application
           7) Create the DCOM$GUEST account and directory
           8) Configure the DCOM$RPCSS accounts

           H) Help
           E) Exit

Please enter your choice:
---------------------------------------------------------

To choose an option, enter the option number. The options are as follows:

6.2.1 Creating and Configuring DCOM$RPCSS Accounts

To display these functions, choose option 8 from the OpenVMS COM Tools menu. The system displays the following:

---------------------------------------------------------
Configure the COM for OpenVMS Service Control Manager (DCOM$RPCSS) accounts

   1) Create the DCOM$RPCSS account in both the SYSUAF database and the
      Advanced Server for OpenVMS SAM database. The password you specify
      for the new DCOM$RPCSS user is stored in a protected file.

   2) Update the DCOM$RPCSS user password in the COM for OpenVMS Service
      Control Manager password file.

   E) Exit

Please enter your choice:
---------------------------------------------------------

Enter one of the following:

6.2.2 Starting and Stopping the COM Server (DCOM$RPCSS Process)

COM for OpenVMS requires that the COM server process (DCOM$RPCSS) always be running. The DCOM$RPCSS process on OpenVMS provides the same functions for the COM run-time environment that the RPCSS process provides on Microsoft Windows, including the following:

To start DCOM$RPCSS, either use DCOM$SETUP option 4 ("Start") (see Section 6.2) or call the COM for OpenVMS startup procedure directly from SYS$STARTUP:DCOM$STARTUP. See Section 4.13 for information on starting COM for OpenVMS.

To stop DCOM$RPCSS on your system, either use the DCOM$SETUP option 5 ("Stop") (see Section 6.2) or call the COM for OpenVMS shutdown procedure directly from SYS$STARTUP:DCOM$SHUTDOWN. See Section 4.14 for information on shutting down COM for OpenVMS.

6.2.3 Registering an Application

The following example shows how to register the COM for OpenVMS "Simple" application included on the COM for OpenVMS kit. You can use the resulting Windows file to register the server on a Windows system as long as the application is available on your Windows system.

To build the "Simple" application on a Windows system, follow the instructions in the README-SIMPLE.TXT file in DCOM$EXAMPLES:[SIMPLE].

Note

You must build and compile the application before you can register it. For complete details, see the step-by-step example in DCOM$EXAMPLES:[SIMPLE] included in the COM for OpenVMS kit.

Use the following procedure:

  1. From the DCOM$SETUP menu, enter 6 or REGISTER.
  2. Answer the questions as follows:

    Note

    The "Simple" application already has a CLSID.

    Example 6-1 Sample "Simple" Application Registration on OpenVMS

    Enter server type (1. In-Proc  2. Out-Proc): 2 [Return]
    Enter Local Path (device:[directory]filename.ext): DKA0:[SMITH]SSERVER.EXE [Return]
    Enter Application Name (<RETURN> to assign default): COM Simple Server [Return]
    Does the server have a CLSid {GUID} (Yes/No) [N]: Y [Return]
    Enter the CLSid (i.e. {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}:
       {5e9ddec7-5767-11cf-beab-00aa006c3606} [Return]

    Verify Application Information:

             Application Name: COM SIMPLE SERVER
             Local Path: DKA0:[SMITH]SSERVER.EXE
             Application ID: {5E9DDEC7-5767-11CF-BEAB-00AA006C3606}

    Is the information correct (Yes/No) [Y]: [Return]
    Register application (Yes/No)? [Y]: [Return]

    SETUP-I-NEWFILES, The following files have been created:

          DKA0:[SMITH]SSERVER.REG_NT
          DKA0:[SMITH]SSERVER.REG_VMS

    SETUP-I-SRVIN, Server has been registered
    Press RETURN to continue: [Return]

To register the "Simple" application on a Windows system, use the following procedure:

  1. Copy all the files in the DCOM$EXAMPLES:[SIMPLE] directory to your Windows system.
  2. Rename SSERVER.REG_NT to SSERVER.REG.
  3. Edit the file to point to the local server path.
    For example, replace DEVICE:\SSERVER with C:\SSERVER.
  4. Run the Install.bat program to add the necessary keys to the Windows registry.

Example 6-2 shows the contents of SSERVER.REG_NT .

Example 6-2 Contents of SSERVER.REG_NT

REGEDIT
HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}\ = DCOM server application SSERVER
HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}\LaunchPermission = Y
HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}\LocalServer32 = DEVICE:\SSERVER

To reregister the "Simple" application on an OpenVMS system, enter the following command at the system prompt:



$ @SSERVER.REG_VMS

Example 6-3 shows the contents of the SSERVER.REG_VMS command procedure:

Example 6-3 Contents of SSERVER.REG_VMS

$ Set noon
$ regcp :=  $regcp
$ crekey := $regcp create key
$ creval := $regcp create value
$ modval := $regcp modify value
$ lisval := $regcp list value
$ crekey HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}
$ creval HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606} -
              /data="DCOM server application SSERVER" /type=sz
$ creval HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}/name="AppID" -
              /data="{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}" /type=sz
$ crekey HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}\LaunchPermission
$ creval HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}\LaunchPermission -
              /data="Y" /type=sz
$ crekey HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}\LocalServer32
$ creval HKEY_CLASSES_ROOT\CLSID\{5E9DDEC7-5767-11CF-BEAB-00AA006C3606}\LocalServer32 -
              /data="DKA0::[SMITH]SSERVER.EXE" /type=sz
$

6.3 Running DCOM$CNFG

DCOM$CNFG is a utility to help COM developers configure and manage COM for OpenVMS applications on OpenVMS. Use the DCOM$CNFG utility to query information and manipulate properties of COM for OpenVMS applications.

To use the DCOM$CNFG utility, choose option 1 from the DCOM$SETUP menu.

Note

Before running the DCOM$CNFG utility, you must:
  • Have OpenVMS Registry Read access to read application properties, and Write access to modify application properties.
  • Ensure that the ACME server is running on the current system. The ACME server must be running to view and change application security properties. For more information, see Table 4-1.
  • Acquire Windows security credentials before you can change an application identity. For more information, see Section 8.2.

The system displays the DCOM$CNFG Main menu.

Figure 6-2 DCOM$CNFG Main Menu

---------------------------------------------------------
                DCOM$CNFG Main

   1 - Applications List
   2 - System-wide Default Properties
   3 - System-wide Default Security

   (E to Exit)
   (H for Help)

   Enter <CTRL-Z> or 'E' to return to the previous menu at any time

   Please enter your choice:
---------------------------------------------------------

The options are as follows:

6.3.1 The DCOM$CNFG Application List Submenu

To display this submenu, from the DCOM$CNFG Main menu, choose option 1.

The system displays the Applications List submenu.

Figure 6-3 Applications List Submenu

---------------------------------------------------------
                Applications List

   Index    Name
    1      Inside COM, Chapter 11 Example
    2      application 2
    3      application 3
    .      ...
    .      ...
    .      ...

  (E to Exit to previous menu)
  (H for Help)

  Please enter Index number to select an Application:
---------------------------------------------------------

Enter a number to select an application. You can then view or configure its properties.

This option displays the Application Properties submenu.

Note

The system stores the Application Properties (Location, Security, and Identity) (see Figure 6-4) in a special key in the OpenVMS Registry that is associated with each application. You cannot change the Application Properties until you create this special key using the DCOM$CNFG utility. The DCOM$CNFG utility creates this special key when the utility discovers a newly registered application. In this case, the DCOM$CNFG user must have acquired Windows security credentials for an account that is a member of the Administrator group. Otherwise, the key will not be created. For more information about acquiring Windows credentials, see Section 8.2.

Use the following procedure to manage the Application Properties:

  1. Register the application.
  2. Do either of the following:
    • Acquire Windows security credentials for an account that is a member of the Administrator group and then run DCOM$CNFG.
    • Have a system administrator with the appropriate credentials run DCOM$CNFG.
  3. Run DCOM$CNFG from your own account to manage the properties.

Figure 6-4 Application Properties Submenu

------------------------------------------------------------------
               Application Properties

   General Properties of this DCOM Application

   Application name:  Inside COM, Chapter 11 Example
   Application id:    {0C092C2C-882C-11CF-A6BB-0080C7B2D682}
   Application type:  local server
   Local path:        DISK1:[SMITH.DISPATCH_SAMPLE1]CMPNT.EXE
   Type Library:      {D3011EE1-B997-11CF-A6BB-0080C7B2D682}
   version: 1.0  DISK1:[SMITH.DISPATCH_SAMPLE1]Server.tlb

   1 - Location    Machine to run application
   2 - Security    Security permissions for application
   3 - Identity    User account to use to run application

   (E to Exit to previous menu)
   (H for Help)

   Please enter Application Property you wish to change:
------------------------------------------------------------------

If the system cannot find the type library file or if the type library is inaccessible, the system displays an error message next to the type library file name.

The options are as follows:

The system uses the systemwide default security values unless you specify a different setting.

The system displays the Application Security submenu.

Figure 6-6 Application Security Submenu

---------------------------------------------------------
                Application Security

   Application name:  Inside COM, Chapter 11 Example
   Current Access permissions:  Custom
   Current Launch permissions:  Custom
   Current Configuration permissions:  Default

   1 - Use Default Access permission
   2 - Edit Custom Access permission
   3 - Use Default Launch permission
   4 - Edit Custom Launch permission
   5 - Use Default Configuration permission
   6 - Edit Custom Configuration permission

   (E to Exit to previous menu)
   (H for Help)

   Please enter your choice:
---------------------------------------------------------

The options are as follows:

6.3.2 Registry Value Permissions Submenus

To display this submenu:

  1. From the DCOM$CNFG menu, choose option 1.
  2. From the Applications List submenu, choose any application.
  3. From the Application Properties submenu, choose option 2.
  4. From the Application Security submenu, choose option 2 or 4.

Figure 6-7 Registry Value Permissions Submenu

---------------------------------------------------------
                Registry Value Permissions

   Application name: Inside COM, Chapter 11 Example
   Registry Value: LaunchPermission
   Owner: Administrator

   Index    Name                           Type of Access
     1      OPENVMS_DCOM\USER1                Deny
     2      BUILTIN\Administrators            Allow
     3      Everyone                          Allow
     4      NT AUTHORITY\SYSTEM               Allow
     5      OPENVMS_DCOM\USER2                Allow

        (Index Number to Delete or Modify Access)
        (A to Add to list)

        (E to Exit to previous menu)
        (H for Help)

        Please enter your choice:
---------------------------------------------------------

The options are as follows:

Figure 6-8 Edit Registry Value Permissions Submenu

---------------------------------------------------------
                Edit Registry Value Permissions

        Application name: Inside COM, Chapter 11 Example
        Registry Value: AccessPermission
        Owner: Administrator

        Name: OPENVMS_DCOM\USER1
        Type of Access: Deny

        1 - Delete entry from list
        2 - Change Access

        (E to Exit to previous menu)
        (H for Help)

        Please enter your choice:
---------------------------------------------------------

The options are as follows:

6.3.3 Registry Key Permissions Submenus

To display this submenu:

  1. From the DCOM$CNFG menu, choose option 1.
  2. From the Applications List submenu, choose any application.
  3. From the Application Properties submenu, choose option 2.
  4. From the Application Security submenu, choose option 6.

Figure 6-10 Registry Key Permissions Submenu

---------------------------------------------------------
                Registry Key Permissions

   Application name: Inside COM, Chapter 11 Example
   Registry Key: Inside COM, Chapter 11 Example
   Owner: Administrator

   Index    Name                     Type of Access

   1     BUILTIN\Administrators      Full Control
   2     NT AUTHORITY\SYSTEM         Full Control
   3     CREATOR OWNER               Full Control
   4     Everyone                    Special Access
   5     OPENVMS_DCOM\USER1          Read

   (Index Number to Delete or Modify Access)
   (A to Add to list)

   (E to Exit to previous menu)
   (H for Help)

   Please enter your choice:
---------------------------------------------------------

The options are as follows:

Figure 6-11 Edit Registry Key Permissions Submenu

---------------------------------------------------------
                Edit Registry Key Permissions

   Application name: Inside COM, Chapter 11 Example
   Registry Key: Inside COM, Chapter 11 Example
   Owner: Administrator

   Name: BUILTIN\Administrators
   Type of Access: Full Control

   1 - Delete entry from list
   2 - Allow Full Control
   3 - Allow Read Access
   4 - Set/View Special Access

   (E to Exit to previous menu)
   (H for Help)

   Please enter your choice:
---------------------------------------------------------

The options are as follows:

Figure 6-12 Special Access Registry Key Permissions Submenu

---------------------------------------------------------
                Special Access Registry Key Permissions

   Application name: Inside COM, Chapter 11 Example
   Registry Key: Inside COM, Chapter 11 Example

   Name: Everyone

   Type of Access                          Current Value

   0 - Query Value                           Yes
   1 - Set Value                             Yes
   2 - Create Subkey                         Yes
   3 - Enumerate Subkeys                     Yes
   4 - Notify                                Yes
   5 - Create Link                           No
   6 - Delete                                Yes
   7 - Write DACL                            No
   8 - Write Owner                           No
   9 - Read Control                          Yes

   (E to Exit to previous menu)
   (H for Help)

   Please enter your choice:
---------------------------------------------------------

The options are as follows:

Figure 6-13 Add Registry Key Permissions Submenu

---------------------------------------------------------
                Add Registry Key Permissions

   Application name: Inside COM, Chapter 11 Example
   Registry Key: Inside COM, Chapter 11 Example
   Owner: Administrator

   1 - Add Specific User or Group
   2 - Add Everyone
   3 - Add NT AUTHORITY\System
   4 - Add BUILTIN\Administrators

   (E to Exit to previous menu)
   (H for Help)

   Please enter your choice:
---------------------------------------------------------

The options are as follows:

6.3.4 Application Identity Submenu

To display this submenu:

  1. From the DCOM$CNFG menu, choose option 1.
  2. From the Applications List submenu, choose any application.
  3. From the Application Properties submenu, choose option 3.

The system displays the Application Identity submenu.

Figure 6-14 Application Identity Submenu

---------------------------------------------------------
                Application Identity

   Which user account do you want to use to run this application?

   Application name:  Inside COM, Chapter 11 Example
   Current Identity:  NTLM Account OPENVMS_DCOM\USER2

   1 - Launching User
   2 - NTLM Account
   3 - OpenVMS Username
   4 - OpenVMS DCOM Guest Account

   (E to Exit to previous menu)
   (H for Help)

   Please enter account you wish to use:
---------------------------------------------------------

The options are as follows:

6.3.5 The DCOM$CNFG System-wide Default Properties Submenu

To display this submenu, from the DCOM$CNFG Main menu, choose option 2.

The system displays the System-wide Default Properties submenu.

Figure 6-15 System-wide Default Properties Submenu

---------------------------------------------------------
            System-wide Default Properties

   1 - Enable Distributed COM on this computer (Yes/No)
              Current value: Yes
   2 - Default Authentication Level
   3 - Default Impersonation Level

   (E to Exit to previous menu)
   (H for Help)

   Please enter your choice:
---------------------------------------------------------

The options are as follows:

6.3.6 System-wide Default Security Submenu

To display this submenu, from the DCOM$CNFG Main Menu, choose option 3.

The system displays the System-wide Default Security submenu.

Figure 6-18 System-wide Default Security Submenu




------------------------------------------------------------------

                System-wide Default Security

        1 - Access Permissions Default
        2 - Launch Permissions Default
        3 - Configuration Permissions Default

        (E to Exit to previous menu)
        (H for Help)

        Please enter your choice:

------------------------------------------------------------------

The options are as follows:

When you first install the system, by default only the Administrator and System accounts have application launch and access permissions. HP recommends that you do not change these default settings. Instead, modify an individual application's launch and access security to grant or deny permissions to Everyone, to particular groups, or to specific users. HP recommends this technique over adjusting the machine-wide default security settings, because those defaults apply to every application that does not carry its own permissions.

6.4 Registering In-Process Servers: DCOM$REGSVR32 Utility

All COM components (implemented as either an out-of-process server or as an in-process server) must be registered in the OpenVMS Registry before you can use them.

Out-of-process servers, which are implemented as executable programs (.EXE files), usually contain code to register and unregister the components they contain. The advantage an out-of-process server has over an in-process server is that you can run the executable itself and have it create the necessary registry keys.

In-process servers, which are usually implemented as dynamic link libraries (.DLL files) on Windows or as shareable images on OpenVMS, also contain code to register and unregister the components within them. However, an in-process server cannot be run the way an executable image is, because it has no main entry point. As a result, you must register the components contained within a .DLL manually, or create a command procedure to perform the registration.

Microsoft provides the REGSVR32 utility that you can use to register the components contained within a DLL. REGSVR32 takes as a command line argument the following:

When registering a DLL's components, REGSVR32 searches the specified DLL for the DllRegisterServer symbol and, if found, calls it. When unregistering a DLL, REGSVR32 calls DllUnregisterServer. This means that every in-process component that you want to register automatically must export these two entry points.

To facilitate the registration of components contained within shareable images on OpenVMS systems, HP created the DCOM$REGSVR32 utility. The DCOM$REGSVR32 utility does the same things that the Microsoft REGSVR32 utility does. Any shareable images that contain components to be registered must also include the DllRegisterServer and DllUnregisterServer universal symbols in their symbol vectors. Both the DCOM$REGSVR32 and the REGSVR32 utilities use the same command line syntax.

During the COM for OpenVMS installation, the system places the DCOM$REGSVR32.EXE file in the SYS$SYSTEM directory.

Before you use the DCOM$REGSVR32 utility, you must define a symbol that allows the utility to accept foreign command lines. For example:

$ regsvr32 :== $DCOM$REGSVR32

Once the symbol is defined, you can use it to run the utility and either register or unregister components contained in shareable images.

To display help for DCOM$REGSVR32, enter the following:



$ regsvr32 -? 

Table 6-1 summarizes the DCOM$REGSVR32 command line options.

Table 6-1 DCOM$REGSVR32 Command Line Options

   Switch                     Use
   -?, /?                     Display help (this table).
   shareable-image-name       Register the specified shareable image.
   -u or /u image-name        Unregister the specified shareable image.

Note

The DCOM$REGSVR32 utility requires that the shareable image name contain a full directory specification.

Example 6-4 demonstrates how to register an in-process component (contained within a shareable image) using the DCOM$REGSVR32 utility.

Example 6-4 Registering a Component Using the DCOM$REGSVR32 Utility

$ regsvr32 USER$DISK:[SEYMOUR.DISPATCH_SAMPLE1]CMPNT$SHR.EXE
Class factory:          Create self.
DllRegisterServer:      Registering Server DLL
Creating key CLSID\{0C092C2C-882C-11CF-A6BB-0080C7B2D682}
Creating key CLSID\{0C092C2C-882C-11CF-A6BB-0080C7B2D682}\InProcServer32
Creating key CLSID\{0C092C2C-882C-11CF-A6BB-0080C7B2D682}\ProgID
Creating key CLSID\{0C092C2C-882C-11CF-A6BB-0080C7B2D682}\VersionIndependentProgID
Creating key CLSID\{0C092C2C-882C-11CF-A6BB-0080C7B2D682}\TypeLib
Creating key InsideCOM.Chap11
Creating key InsideCOM.Chap11\CLSID
Creating key InsideCOM.Chap11\CurVer

Creating key InsideCOM.Chap11.1
Creating key InsideCOM.Chap11.1\CLSID
Class factory:          Destroy self.

Example 6-5 demonstrates how to unregister an in-process component (contained within a shareable image) using the DCOM$REGSVR32 utility.

Example 6-5 Unregistering a Component Using the DCOM$REGSVR32 Utility

$ regsvr32 /u USER$DISK:[SEYMOUR.DISPATCH_SAMPLE1]CMPNT$SHR.EXE

Class factory:          Create self.
DllUnregisterServer:    Unregistering Server DLL
Deleting key InProcServer32
Deleting key ProgID
Deleting key VersionIndependentProgID
Deleting key TypeLib
Deleting key LocalServer32
Deleting key CLSID\{0C092C2C-882C-11CF-A6BB-0080C7B2D682}
Deleting key CLSID
Deleting key CurVer
Deleting key InsideCOM.Chap11
Deleting key CLSID
Deleting key InsideCOM.Chap11.1
Class factory:          Destroy self.
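Two things are worth checking after running DCOM$REGSVR32, and neither is done by the utility itself: that the image name you passed is a full file specification (the Note above requires it, and a device-and-directory path is also what prevents the InProcServer32 value from resolving through a logical name or search list that a lower-privileged user controls), and that unregistering removed every key that registering created, since a CLSID key left behind after the image is deleted can be satisfied by whoever can later create a file at that path. The script below is an added example, not part of this guide or of the COM for OpenVMS kit. It parses transcripts of the form shown in Examples 6-4 and 6-5 (the two transcripts embedded here are constructed from those examples), reconciles the keys by leaf name because the unregister transcript prints only leaf names, and applies an approximate regular expression for an OpenVMS full file specification; that regular expression is an assumption and does not cover node names or rooted logicals.

```python
import re
from collections import Counter

# Constructed sample transcripts, laid out like the DCOM$REGSVR32 output in
# Examples 6-4 and 6-5 (GUID and ProgIDs are the ones those examples show).
REGISTER_TRANSCRIPT = r"""Class factory:          Create self.
DllRegisterServer:      Registering Server DLL
Creating key CLSID\{0C092C2C-882C-11CF-A6BB-0080C7B2D682}
Creating key CLSID\{0C092C2C-882C-11CF-A6BB-0080C7B2D682}\InProcServer32
Creating key CLSID\{0C092C2C-882C-11CF-A6BB-0080C7B2D682}\ProgID
Creating key CLSID\{0C092C2C-882C-11CF-A6BB-0080C7B2D682}\VersionIndependentProgID
Creating key CLSID\{0C092C2C-882C-11CF-A6BB-0080C7B2D682}\TypeLib
Creating key InsideCOM.Chap11
Creating key InsideCOM.Chap11\CLSID
Creating key InsideCOM.Chap11\CurVer
Creating key InsideCOM.Chap11.1
Creating key InsideCOM.Chap11.1\CLSID
Class factory:          Destroy self.
"""

UNREGISTER_TRANSCRIPT = r"""Class factory:          Create self.
DllUnregisterServer:    Unregistering Server DLL
Deleting key InProcServer32
Deleting key ProgID
Deleting key VersionIndependentProgID
Deleting key TypeLib
Deleting key LocalServer32
Deleting key CLSID\{0C092C2C-882C-11CF-A6BB-0080C7B2D682}
Deleting key CLSID
Deleting key CurVer
Deleting key InsideCOM.Chap11
Deleting key CLSID
Deleting key InsideCOM.Chap11.1
Class factory:          Destroy self.
"""

# Assumed approximation of an OpenVMS full file specification:
# DEVICE:[DIRECTORY]NAME.TYPE with an optional ;version.  A bare name,
# a directory without a device, or a logical name without a directory
# all fail, which is what the DCOM$REGSVR32 note requires.
_FULL_SPEC = re.compile(
    r"^[A-Za-z0-9$_]+:\[[A-Za-z0-9$_.\-]+\][A-Za-z0-9$_\-]+\.[A-Za-z0-9$_]+(;\d+)?$"
)

_CREATE = re.compile(r"^Creating key (.+?)\s*$")
_DELETE = re.compile(r"^Deleting key (.+?)\s*$")


def is_full_file_spec(image):
    """True if the image name passed to DCOM$REGSVR32 carries device and directory."""
    return _FULL_SPEC.match(image) is not None


def created_keys(transcript):
    """Registry keys reported as created by DllRegisterServer, in order."""
    return [m.group(1) for m in map(_CREATE.match, transcript.splitlines()) if m]


def deleted_keys(transcript):
    """Registry key names reported as deleted by DllUnregisterServer, in order."""
    return [m.group(1) for m in map(_DELETE.match, transcript.splitlines()) if m]


def leaf(key):
    """Last path component of a backslash-separated registry key."""
    return key.rsplit("\\", 1)[-1]


def reconcile(register_transcript, unregister_transcript):
    """Compare what registration created with what unregistration deleted.

    The unregister transcript prints only leaf names, so matching is done on
    leaf names with multiplicity (InsideCOM.Chap11\\CLSID and
    InsideCOM.Chap11.1\\CLSID both count as one 'CLSID').  Returns
    (leftover, extra): keys created but never deleted, which are the ones to
    remove by hand, and names deleted that were never created, which are
    harmless (Example 6-5 deletes a LocalServer32 key that was never made).
    """
    created = Counter(leaf(k) for k in created_keys(register_transcript))
    deleted = Counter(leaf(k) for k in deleted_keys(unregister_transcript))
    leftover = sorted((created - deleted).elements())
    extra = sorted((deleted - created).elements())
    return leftover, extra


if __name__ == "__main__":
    image = "USER$DISK:[SEYMOUR.DISPATCH_SAMPLE1]CMPNT$SHR.EXE"
    print("full file spec:", is_full_file_spec(image))
    left, extra = reconcile(REGISTER_TRANSCRIPT, UNREGISTER_TRANSCRIPT)
    print("keys left behind:", left or "none")
    print("deleted but never created:", extra or "none")
```

Run it against the captured output of your own register and unregister passes (redirect the regsvr32 output to a file with DCL's /OUTPUT, or paste it in). Anything reported in leftover is a key still naming your image and should be removed before the image itself is deleted.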

