ACME Developer's ReadMe
=======================

Copyright (c) 2010 Hewlett-Packard Company, L.P.

Confidential computer software. Valid license from HP required for
possession, use or copying. Consistent with FAR 12.211 and 12.212,
Commercial Computer Software, Computer Software Documentation, and
Technical Data for Commercial Items are licensed to the U.S. Government
under Vendor's standard commercial license.

The information contained herein is subject to change without notice.
The only warranties for HP products and services are set forth in the
express warranty statements accompanying such products and services.
Nothing herein should be construed as constituting an additional
warranty. HP shall not be liable for technical or editorial errors or
omissions contained herein.

Microsoft and Windows are U.S. registered trademarks of Microsoft
Corporation. Intel and Itanium are trademarks or registered trademarks
of Intel Corporation or its subsidiaries in the United States and other
countries. UNIX is a registered trademark of The Open Group.

Table of Contents
=================

1.0 Abstract
2.0 Revision History
3.0 Kit Details
4.0 References
5.0 Read before installation
6.0 Installing the ACMELOGIN and LDAP ACME PCSI Kits
7.0 Removing ACMELOGIN and ACMELDAP_STD PCSI Kits
8.0 Optional ACME agent SDK components
    8.1 Building the ACME Agent and Persona Extension Examples
    8.2 ACMEUTIL Utility
9.0 Known Problems

1.0 Abstract
============

The ACMELOGIN PCSI kit on OpenVMS Alpha or Integrity Version 8.3 and
earlier contains production versions of the LOGINOUT.EXE and SETP0.EXE
(SET PASSWORD) images that use the SYS$ACM system service for user
authentication and password changes. When these images are used, login
and password-change requests are sent to the SYS$ACM service and handled
by the ACME_SERVER process's authentication agents.

Since these images use SYS$ACM, they apply the authentication policies
provided by the ACME agents that have been configured on your system.

A production version of an LDAP ACME agent is also available on OpenVMS
Alpha or Integrity Version 8.3 and above. It provides "standard" LDAP
authentication for user login and password-change operations using an
LDAPv3-compliant directory server.

2.0 Revision History
====================

Date         Modification
-----------  ------------
05-MAR-2007  New version of the V831H1_ACMELDAP_STD kit (version 1.3)
             to support Active Directory password changes.
22-JAN-2009  Removed the LOGIN kits and Alpha kits to make the kit I64
             only; the LOGIN, Alpha and I64 ACMELDAP kits now ship as
             separate kits.
04-FEB-2010  Updated to accommodate the OpenVMS Version 8.4
             enhancements.

3.0 Kit Details
===============

SYS$UPDATE:ACME_DEV_KITS.BCK, which contains the ACMELOGIN, ACMELDAP_STD
and LOGIN kits.

4.0 References
==============

- ACME Developer's Guide (PDF version available at
  SYS$HELP:ACME_DEV_GUIDE.PDF). This guide is useful if you are writing
  a new ACME agent.
- OpenVMS Guide to System Security (provided with the OS documentation
  set). Refer to the sections "Enabling External Authentication" and
  "Authentication and Credentials Management Extensions (ACME)
  Subsystem".
- HP OpenVMS System Services Reference Manual (refer to the SYS$ACM
  system service).
- ACME LDAP documentation at SYS$HELP:ACMELDAP_STD_CONFIG_INSTALL.PDF or
  SYS$HELP:ACMELDAP_STD_CONFIG_INSTALL.TXT (or the older documentation
  on ACME LDAP_STD at SYS$HELP:LDAPACME$README-STD.TXT).
- ACMEUTIL utility.
- Examples in C source code for an ACME agent and its associated persona
  extension.

Note: ACMEUTIL and the example ACME agent are unsupported components
intended for evaluating custom ACME agents.
5.0 Read before installing
==========================

- The PCSI patch kits that provide modified versions of LOGINOUT.EXE and
  SETP0.EXE, and the LDAP ACME agent, must only be installed on the
  version of OpenVMS Alpha or Integrity servers that shipped these kits.
- The SYS$SINGLE_SIGNON logical name, used to control operations with
  the standard non-sys$acm-enabled LOGINOUT.EXE image, has no effect
  with the new LOGINOUT.EXE and SYS$ACM. The new features are controlled
  by UAF flags and the SECURITY_POLICY system parameter, as described in
  the OpenVMS Guide to System Security (see the sections "Enabling
  External Authentication" and "Authentication and Credentials
  Management Extensions (ACME) Subsystem" of Chapter 7).
- For more information on the differences between the sys$acm and
  non-sys$acm-enabled LOGINOUT.EXE and SETP0.EXE images, external
  authentication, and ACME, see the latest OpenVMS Guide to System
  Security provided with the OpenVMS documentation set (see the sections
  "Enabling External Authentication" and "Authentication and Credentials
  Management Extensions (ACME) Subsystem" of Chapter 7).

6.0 Installing the ACMELOGIN and ACME LDAP PCSI Kits
====================================================

To install the ACMELOGIN and ACMELDAP_STD kits, perform the following
steps:

1. Restore the PCSI kits by executing the following command:

   $ BACKUP/VERIFY/LOG SYS$UPDATE:ACME_DEV_KITS.BCK/SAVE -
   _$ [destination_directory]*.*

   Check that the following files have been restored:

   - HP-I64VMS-Vnn_ACMELOGIN-VXXXX--4.PCSI or
   - DEC-AXPVMS-Vnn_ACMELOGIN-VXXXX--4.PCSI

   where "Vnn" is the version of the OpenVMS operating system and "XXXX"
   is the version of the ACMELOGIN kit. For example,
   V84_ACMELOGIN_V0106. The ACMELOGIN kit contains the sys$acm-enabled
   LOGINOUT.EXE and SETP0.EXE.

   - HP-I64VMS-Vnn_ACMELDAP_STD-VXXXX--4.PCSI or
   - DEC-AXPVMS-Vnn_ACMELDAP_STD-VXXXX--4.PCSI

   This kit is not provided with OpenVMS Version 8.4 and later, because
   its files are already part of the operating system.
   The ACMELDAP_STD kit contains an LDAP ACME agent that provides
   "standard" LDAP authentication for user login and password-change
   operations using an LDAPv3-compliant directory server.

   - HP-I64VMS-Vnn_LOGIN-VXXXX--4.PCSI or
   - DEC-AXPVMS-Vnn_LOGIN_STD-VXXXX--4.PCSI

   The LOGIN kit contains the non-sys$acm-enabled LOGINOUT.EXE and
   SETP0.EXE, which are shipped by default as part of your operating
   system.

   The following obsolete files might also be present in
   SYS$UPDATE:ACME_DEV_KITS.BCK:

   - HP-I64VMS-V83_ACMELDAP-V0100--4.PCSI (ACMELDAP V1.0 patch kit Alpha)
   - DEC-AXPVMS-V83_ACMELDAP-V0100--4.PCSI (ACMELDAP V1.0 patch kit I64)
   - ACME_LDAP_DOCS.BCK
   - PWRK$MSV1_0_ACMESHR_ALPHA.EXE
   - PWRK$MSV1_0_ACMESHR_IA64.EXE
   - PWRK_ACME_ECO5_V83_FT.BCK

2. Install the sys$acm-enabled LOGINOUT.EXE and SETP0.EXE using the
   following command:

   $ PRODUCT INSTALL/SAVE ACMELOGIN

3. Check the image identification using the following commands:

   $ ANALYZE/IMAGE/INTER SYS$COMMON:[SYSEXE]LOGINOUT.EXE
   $ ANALYZE/IMAGE/INTER SYS$COMMON:[SYSEXE]SETP0.EXE

   The "Image file identification:" field must contain LOGIN98. After
   installing the ACMELOGIN kit, it is recommended that you log in to
   the system with any user account to test it.

4. If you need user authentication to be done by looking up an LDAP
   directory server, install the ACMELDAP_STD kit on OpenVMS Version 8.3
   or 8.3-1H1 using the following command:

   $ PRODUCT INSTALL/SAVE ACMELDAP_STD

   After installation, for information on setting up the LDAP persona
   extension and configuring the LDAP ACME agent, see the documentation
   of the LDAP ACME agent at SYS$HELP:ACMELDAP_STD_CONFIG_INSTALL.PDF or
   SYS$HELP:ACMELDAP_STD_CONFIG_INSTALL.TXT (or the older documentation
   on ACME LDAP_STD at SYS$HELP:LDAPACME$README-STD.TXT).

7.0 Removing ACMELOGIN and ACMELDAP_STD PCSI Kits
=================================================

The ACMELOGIN and ACMELDAP_STD kits can be removed using the PRODUCT
UNDO PATCH command.
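Both after step 3 of the installation and after a removal, it is worth confirming which pair of login images is actually on the system, since that decides whether logins go through SYS$ACM and the configured ACME agents at all. The DCL procedure below is an added example and not part of the HP kit; it runs the ANALYZE/IMAGE check from step 3 against both images and reports whether the LOGIN98 identification of the sys$acm-enabled build is present. The procedure name and the scratch file name are assumptions.

```dcl
$! CHECK_ACME_IMAGES.COM  (added example; file name is an assumption)
$! Reports whether LOGINOUT.EXE and SETP0.EXE are the sys$acm-enabled
$! (ACMELOGIN) builds by looking for LOGIN98 in the ANALYZE/IMAGE output.
$ SET NOON                              ! keep going on SEARCH "no match"
$ tmp    = "SYS$SCRATCH:ACME_IMAGE_CHECK.TMP"   ! assumed scratch file
$ images = "SYS$COMMON:[SYSEXE]LOGINOUT.EXE,SYS$COMMON:[SYSEXE]SETP0.EXE"
$ count  = 0                            ! images actually analyzed
$ found  = 0                            ! images carrying the LOGIN98 ident
$ index  = 0
$loop:
$ image = F$ELEMENT(index, ",", images)
$ IF image .EQS. "," THEN GOTO done     ! F$ELEMENT returns "," past the end
$ index = index + 1
$ IF F$SEARCH(image) .EQS. ""
$ THEN
$   WRITE SYS$OUTPUT "MISSING  ''image'"
$   GOTO loop
$ ENDIF
$ count = count + 1
$! Non-interactive analysis to a file, then look for the ident string
$ ANALYZE/IMAGE/OUTPUT='tmp' 'image'
$ SEARCH/NOOUTPUT 'tmp' "LOGIN98"
$ IF $SEVERITY .EQ. 1                   ! success = at least one match
$ THEN
$   WRITE SYS$OUTPUT "SYS$ACM  ''image' (LOGIN98 ident present)"
$   found = found + 1
$ ELSE
$   WRITE SYS$OUTPUT "STANDARD ''image' (no LOGIN98 ident; non-sys$acm image)"
$ ENDIF
$ IF F$SEARCH(tmp) .NES. "" THEN DELETE 'tmp';*
$ GOTO loop
$done:
$ IF count .EQ. 0 THEN WRITE SYS$OUTPUT "No login images found to check."
$ IF count .EQ. 0 THEN EXIT
$ IF found .EQ. count THEN -
    WRITE SYS$OUTPUT "All checked images are the ACMELOGIN (sys$acm) versions."
$ IF found .EQ. 0 THEN -
    WRITE SYS$OUTPUT "All checked images are the standard (non-sys$acm) versions."
$ IF found .GT. 0 .AND. found .LT. count THEN -
    WRITE SYS$OUTPUT "WARNING: mixed images; reinstall the ACMELOGIN or LOGIN kit."
$ EXIT
```

A mixed result means one image was replaced and the other was not, which is exactly the state the kit installation and removal steps above are meant to avoid.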
If other patch kits have been installed after the ACMELOGIN or
ACMELDAP_STD kit, those kits have to be removed before the ACMELOGIN or
ACMELDAP_STD kit can be removed.

Another way to remove the sys$acm-enabled images of LOGINOUT.EXE and
SETP0.EXE (provided with the ACMELOGIN kit) is to install the LOGIN
patch kit. The LOGIN patch kit contains the non-sys$acm-enabled images
of LOGINOUT.EXE and SETP0.EXE. Downloading and installing the Vnn_LOGIN
patch kit available from the ITRC website also replaces LOGINOUT.EXE and
SETP0.EXE with the non-sys$acm versions.

Note that after installing the LOGIN patch kit (which contains the
non-sys$acm-enabled LOGINOUT.EXE and SETP0.EXE), you will no longer be
able to log in to the system using LDAP authentication. However, the
LDAP ACME agent might still be configured; you must explicitly edit
SYS$MANAGER:ACME$START.COM and comment out the lines relevant to the
LDAP ACME agent in that file.

8.0 Optional ACME agent SDK components
======================================

This section of the document includes information for writing a custom
ACME agent using the optional ACME agent SDK components. You may ignore
this section if you are running the new LOGINOUT.EXE and SETP0.EXE
images with the standard LDAP ACME agent or other standard ACME agents.

8.1 Building the ACME Agent and Persona Extension Examples
==========================================================

Source code for the ACME agent and persona extension examples is
available in SYS$EXAMPLES. The DEC C compiler is required to build these
examples. Instructions for building the ACME agent and persona extension
examples are provided in SYS$EXAMPLES:ACME_EXAMPLE_README.TXT.

8.2 ACMEUTIL Utility
====================

The ACMEUTIL utility is a useful tool for testing ACME agent behavior
before installing the ACMELOGIN kit.
ACMEUTIL is a SYS$ACM program that supports dialogue and non-dialogue
mode operation and provides a trace facility for debugging. ACMEUTIL is
located in SYS$EXAMPLES and must be built from the source code using the
ACMEUTIL.COM procedure. The ACMEUTIL_SETUP.COM file installs the DCL
command line definitions for ACMEUTIL (see the comments in that file for
the complete DCL syntax).

Once built, you can use the utility as follows:

   $ ACME AUTHORIZE/DIALOG=(INPUT,NOECHO)/TRACE
   Dialogue flags = 00000003
   Queuing AUTHENTICATION Request
   Request completed
   Service status = 1
   ACMESB structure at address 7AE1A688
   ...l_status            074A8640
   ...l_secondary_status  074A8640
   ...l_acme_id           00000000
   ...l_acme_status       00000000
   .
   .
   .

Note: The ACMEUTIL utility does not change the "noecho" terminal
attribute. Therefore, prompts for passwords and other items marked for
"noecho" will be echoed at the terminal.

9.0 Known Problems
==================

The DECwindows login interface is partially operational. A few password
exception handling functions, which are operational during DECwindows
login, are not completely functional during generated password
processing and password history validation.