Manuals / Brands / Computer Equipment / Printer / HP / Computer Equipment / Printer

HP LCS60 srvtab, pupu, srvtab, /etc/opt/dk/srvtab, /etc/opt/dk/srvtab

1 432

Download 432 pages, 2.48 Mb

srvtab

The granting and denial of access privileges by the CommKit Host Interface on a called LCS60 is controlled entirely by the server table on the called LCS60. An incorrect or incomplete server table can cause serious security problems by allowing unauthorized access to system files and resources.

This section describes the facilities available through the /etc/opt/dk/srvtab server table and provides the user with several suggestions to make the network connections more secure. A high degree of security is ensured by editing server table files.

Caution: The sample /etc/opt/dk/srvtab files distributed with the CommKit Software are not intended to be used as provided and do not provide the customer with a high degree of security as the default. The customer must customize the example server table files to achieve the desired level of security.

Server Table

The directory /etc/opt/dk/srvtab and associated files (referred to as the server table) are used to validate incoming call requests and map them into processes on the called host. The server table can be tailored to restrict the types of calls permit- ted. All incoming calls must be mapped by means of the server table; there are no privileged calls that can bypass this procedure.

The server table is a directory containing files whose names correspond to the names of requested services. For example, /etc/opt/dk/srvtab/pupu is the name of the file used for the file transfer service, pupu.

Comments are indicated by a # character in the first column and are ignored during call validation and mapping. Use comments to describe the function of mapping lines. You may also use comments to disable mapping lines without removing them from the file.

Mapping lines in srvtab table consist of six tab-separated fields:

A Appendix

Issue 3

A-1

Contents

Page Page Table of Contents Table of Contents IP Address Assignment by the LCS60 Hardware Features Network Security Copy Protection Page Page Page Page Page Page Page Page Figures Figure F-8: Figure F-9: Figure F-10: Figure F-11: Figure F-12: Tables Page Screens 9-4: 9-5: 9-6: 9-7: Screen 9-8: Service Menu Feature Description Page Page Page Document Organization Feature Description Hardware Installa tion General Software Reference Documentation Note: Page Overview Page LAN Protocols Domain Name Server (DNS) Resolver resolver Simple Network Management Protocol (SNMP) Supported Traps and MIBs Routing Information Protocol (RIP) routed Figure 1-1:LCS60 as an AppleTalk Router LCS60 (AppleTalk Router) ARAPPPPELAP CommKit Host Interface Ethernet IPX Virtual Network Assignment Figure 1-3:IPX Virtual Network Remote Access Protocols tcpsock File Transfer uucp socket service TCP Service Ports ftp, telnet ftp, telnet Van Jacobson TCP/IP Header Compression Compressed IPX Header (CIPX) Multiple IP Subnetworks Multiple IP Subnetworks Figure 1-4:IP Routing with the LCS60 Library, morse, Techs, Eng Library dkserver uname nodename Figure 1-5:IP Address Assignment Is this Incoming Call IP address out Y of range IP address privately IP Address Assignment by the LCS60 Hardware Features Network Security Copy Protection Page Manual Pages Table 1-1:Online Manual Pages ifconfig Customer Assistance 2 Hardware Installation Configuration of the Lucent Technologies Data Switch – LCS60 Power and Grounding Verify LCS60 Console Connection Verify Fiber Connection Page Table 2-1:Controls and Indicators Controls Location Switch Site Preparation Site Preparation Table 2-2: Specifications LCS60 Network Interface for Ethernet Fiber Interface Connect and disconnect cables ONLY when the power is off Cautions: Do not run signal cables next to, or parallel with, AC power cables Use power outlets with adequate protective grounding Table 2-3:Required Additional Equipment *Formerly AT&T FL2P-P Assembly Installing the LCS60 Figure 2-1:Mounting the LCS60 Cabinet WALL MOUNT RACK MOUNT TABLE TOP MOUNT Page Table 2-4:System Console (and Port) Configuration Serial Port Optioning (DTE/DCE) Table 2-5: MVME712M Module Optioning Non-DefaultOptioning no jumpers Figure 2-2:MVME712M Header Locations and Factory Jumper Placements Table 2-6: RS-232Interface Pin Designation Function Direction Figure 2-3:System Console Connections – Direct Terminal Screen 2-1:TY Configuration Dialogue Screen 2-1: continued Screen 2-2:MSM Configuration Dialogue Screen 2-2: continued Figure 2-4:System Console Connections – through a Data Switch Data Switch Figure 2-5:System Console Connections – through Modems Figure 2-6:System Console Connections – through StarKeeper II NMS Routing the Optical Fiber Cable Installing the CPM-HSModule and Optical Fiber Cable Page Dialogues Enter Group Name group This must be the same as the LCS60 node name level Enter local local Enter mnemonic address This is the IP network security group name. The first address entered must be the the same as the node name that is assigned to the LCS60 when the LCS60, itself, is subsequently configured from the LCS60's system console. Up to four comment hardware type connect-time number of channels connect time billing Figure 2-7:LCS60 Rear Panel AC Connections Power-DownProcedures /etc/shutdown -g0 -y Reboot ctrl-d start dkhost LAN Connections Page General LCS60 Software Configuration Page Figure 3-1:Example Network Page Initial Setup nodename, datetime, softwarekey Step passwd root Figure 3-2:initsetup Screen 3-1:LCS60 Top Directory sysV68 Top config init lcsadm config softwarekey Page Table 3-1:Protocol and Services Commands ⎜ Service Command Notes Configure Protocols and Gateway Services — srvsetup Figure 3-3:srvsetup protocol, maxsessions, ipas, ipx, atalkas, etherif Configure Protocols and Gateway Services — srvsetup Page Page Page Page Page Page Page Page Page Page Page Configure Default Route, DNS, and SNMP The following optional commands allow you to: Define a default route Define the Domain Name Server Define an SNMP manager Configure Default Route, DNS, and SNMP holmes dftroute Page Page Starting the LCS60 config backup Configuration Changes viewnets show, types summary Table 3-2:Configuration Commands – Config Directory Administrative and Maintenance Commands Table 3-3:Administrative/Maintenance Commands – Config Directory Description _Operation console Page PPP – Configuration and Page LCS60 Configuration and Connection for PPP Service Figure 4-1:Example Network – PPP Service etherif, ipas Figure 4-2:Configuring PPP Service for IP, IPX, and AppleTalk 4. Enter the lcsadm interface 5. Add the PPP service: Enter protocol from Config> or config protocol from Top Add tcpip. Add atalk and ipx as required tcpip atalk Add ppp Screen 4-1: Continued 8. Configure reserved IP addresses (ipas) for those users who require them: Enter ipas at the Top>Config># prompt or config ipas at Top User login Id IP Address Assignment by the LCS60 Screen 4-2:Configure Reserved IP Address – Example Screen 4-2:continued on next page Screen 4-2: Continued config ipx Screen 4-3:Configure IPX Parameters – Example Screen 4-3: Continued Page 10. Configure the AppleTalk network/zone (atalkas): config atalkas Screen 4-4:Configure AppleTalk Virtual Network – Example Screen 4-4:continued on next page Screen 4-4: Continued config etherif Screen 4-5:Configure the Ethernet Interface – Example Screen 4-5:continued on next page Screen 4-5: Continued 12. From the Top directory, enter start all stop ppp -qN: telnet, rlogin -eN -Con -Coff Page hartnell Page Page Page ∙ ping ∙ ipxping ∙ atping ∙ netstat ∙ ipxnetstat Page SLIP – Configuration and Page LCS60 Configuration and Connection for SLIP Service Figure 5-1:Example Network – SLIP Service protocol, maxsessions, ipas, etherif Figure 5-2:Configuring SLIP Service 5. Set up IP network security groups (ipas): Screen 5-1:Configure IP Network Security Group – Example Screen 5-1:continued on next page Screen 5-1: Continued 6. Configure IP addresses (ipas) for those users that require them: Screen 5-2:Configure Reserved IP Address – Example Screen 5-2:continued on next page Screen 5-2: Continued 7. Configure the Ethernet interface (etherif): Screen 5-3:Configure the Ethernet Interface – Example Screen 5-3:continued on next page Screen 5-3: Continued 8. From the Top directory, enter start all stop slip -mN -qN -vN mlkway/earth/morse.slip Page Page Page The following screen shows how to obtain call trace information for SLIP For SLIP connection errors, refer to Appendix C slip.log ∙ping ∙ netstat Page ARAP – Configuration and Page LCS60 Configuration and Connection for ARAP Service Figure 6-1:Example Network – ARAP Service protocol, maxsessions, atalkas LCS60 Configuration and Connection for ARAP Service Figure 6-2:Configuring ARAP Service 3. Add the ARAP service: Enter protocol from Config, or config protocol from the Top directory Add atalk (as required) Screen 6-1:Configure AppleTalk Virtual Network – Example Screen 6-1: Continued stop arap Page Page ∙ atlog Page Gateway Services – Page LCS60 Configuration and Connection for Gateway Service Figure 7-1:Example Network – Gateway Services protocol, maxsessions, etherif protocol, etherif Figure 7-2:Gateway Services Configuration asytcp config srvports socket start tcpip Screen 7-1:Gateway Service Configuration – Example Screen 7-1:continued on next page Screen 7-1: Continued Page Page Access to Gateway Services – Dialstrings When using more than one option, the options must be separated by a colon (:) -e<off⎪char Allows the user to turn the telnet local escape key off or set it to something other than the default of Ctrl-] Page -eoff User Information .telnet telnet..moon telnet..154.12.26.1 telnet..moon.lab.att.com brown.telnet moon brown.telnet..moon mlkway/earth/watson Data Switch to LCS60 to LAN /usr/lib/uucp/Systems cannot area exch 60name nuucp uucp "g LAN to LCS60 to Data Switch topper watson Example UUCP Service Using SunOS name Example UUCP Service Using NCR YYYY ZZZZZZZZ /usr/etc/rfsaddr -h"60name Refer to Chapter 8 for complete LCS60 administration The following screens show a variety of port commands: The following screen shows a typical trace: Table 7-1:Gateway Services – Log Files ⎜ Log File Information Directory 8 Administration Generic vs. Variable Files Local and Remote Modes Backup/Restore (Tape) – Local Mode Centralized Backup/Restore – Remote Mode Access to Backup/Restore Functions – Clients and Basics Logging On strongly urged Note: root Page dkhost lcsadm Interface lcsadm Interface Figure 8-1:lcsadm Interface Directory Structure help start Screen 8-1:Top Directory top Synopsis lcsadm config protocol dkhost routed ⎪ asytcp ⎪ tcpasy ⎪ arap ⎪ all] Table 8-1:Start/stop Command Dependencies kill tcpasy asytcp slip, ppp arap trace -nv][-w Name types Synopsis types Screen 8-3:Ports Directory disable or enable flush show [-c[v]][-w filename] [port#, ...] disable enable flush service-type [service-type ...] The flush command resets statistics for a service type This command requires root permission show [service-type ...] The show command lists statistics on configured services log [level] log show [service-type] This command gives information about the specified ser ser vice type. Entering show without arguments will display vice type Screen 8-7:Config Directory addhost/delhost or addnet/delnet addhost or addnet Name datetime Synopsis datetime Name subnet Synopsis subnet Name backup Synopsis backup Page Page viewhosts or viewnets viewhosts and host names of all hosts on a specific network or on all networks that are currently in the network database as Typical Administrative Tasks Typical Administrative Tasks The following screen shows how to check the status of all sessions Page Page Backup and Restore Operations Note: Release 1 or 2 backups cannot be used on Release 3 systems Screen 8-8:LCS60 Backup and Restore Configuration Menu To Back Up to Tape lcsadm config backup Screen 8-9:Backup/Restore Menu Screen 8-10:Tape Backup Management Menu copy all strongly urged To Restore from Tape start COMPLETE Password To List the Contents of a Tape Security — Authorizing Clients and Servers Screen 8-11:Centralized Backup/Restore Menu – Server Defining Backup/Restore Servers on a Client Screen 8-12:Centralized Backup Server Definition Menu Changing a Client to a Server Defining Backup/Restore Clients on the Server Screen 8-13:Centralized Backup Client Definition Menu Select option 1 to begin the dialogue to add the client. See the example below: Changing a Server to a Client Backup or Restore Functions From a Client Screen 8-14:Centralized Backup Operations Menu Table 8-2:Backup/Restore Functions From a Server Screen 8-15:Centralized Backup Operations Menu – Server yymmddhhmm A restore from server example follows: Creating a Tape Screen 8-16:Tape Backup Management Menu – Server Network Access Password Option useradd passwd Network Access Password Option Note: The password will not echo on the screen usermod Screen 8-17: TCP-to-AsyncGateway with Network Access Password userdel Status statlcs Status Note: If dkdaemon is DOWN, you must stop dkhost and then start dkhost Error Messages Console Error Messages dkhs dkux Hardware Error Messages dkhs Server Error Messages x.yyy yyy dkuidtab Note: morse REQUEST DENIED ERROR EXIT ARGS dkmgr DKKEY Table 8-3:Log Files ⎜ Log File ⎜ adial.log Dialer information ⎜ arap.log Page 9 Maintenance After the Dump is Completed inet /etc/shutdown ioi Seagate ST5660N Reload System Software bo 0 40 COREunix Screen 9-1:How to Enter System Responses Note: If you have not inserted the tape the following will be displayed Page Page Page Do not enter 'bo 0 0 -d /dev/rmt/ctape1 one Screen 9-2:UFS Utility Fixes Maintenance Tape Installation Remove the tape once you have completed the installation Screen 9-3:inet Package Removal pkginfo lcs60 lcs60p Screen 9-4:LCS60 Application Software Installation Screen 9-4: continued 3. Remove the cartridge tape from the tape drive 4. Reboot the LCS60 as shown below: Page After the screen above is displayed, complete the installation by: 1. Logging on as root Removing the LCS60 Application Software stop all Removing the LCS60 Application Software Screen 9-5:LCS60 Application Software Removal – R2.0 Example Upgrade 1. As root from the Console login, stop all services (lcsadm stop all) lcsadm stop all pkgrm lcs60p Error: information for "lcs60p" was not found Remote Upgrade client Remote Upgrade config upgrade will automatically remove it #pkgadd -d /var/spool/pkg /etc/shutdown -g0 Processor Board Firmware Update env 197-Bug Processor Board Firmware Update ⎜ 0D Page Screen 9-6:set and env Commands Processor Diagnostics - MVME197 Figure 9-1:Faceplates Processor Diagnostics - MVME197 197-Diag Use the sd command to return to the debugger prompt and then reboot as shown: VMEDKHS Diagnostics If you receive these error messages: 1. Check the cabling: If the error message is still displayed, check the VMEDKHS board in the LCS60 VMEDKHS Diagnostics 2. Check the VMEDKHS board: Log into the system console and enter stop dkhost from the lcsadm interface stop dkhost Quit the lcsadm interface and enter dkdiag -a -n5 -i0 from the root prompt res cpm # Verify that the CPM-HSis active as shown in Screen 9-7(display conn mod #) display conn mod # Connection Verification Figure 9-2:Verifying Connections, Example Network LCS60 to Data Switch Connected Host Verification (dkcu) dkcu mlkway/earth/watson LCS60 to Data Switch Verification – Loopback Test (dkcu) dkcu mlkway/earth/morse LCS60 to Local Ethernet Host Verification (ping) /usr/etc/ping Memory Dump Caution: Do not use the memory status menu Memory Dump Screen 9-8:Service Menu 6. At the Service Menu, enter 6 to dump memory to tape 7. Continue with the dialogue below; use Return to select defaults: 9. The system will respond as shown: cd /stand echo unix ⎪ cpio -oBc >/dev/rmt/ctape1 A Originating Group Security Page srvtab /etc/opt/dk/srvtab /etc/opt/dk/srvtab pupu srvtab area/exchange/group[!][.user] .user area/exchange/group lc/sporty/hotrod camaro ⎜ File Service ⎜ hyphen null (generally login) login Table A-1:Server Table Flags Table A-1:continued on next page A-4 cannot A-5 Table A-2:User ID Mapping Options program field execv /usr/lbin/program A-6 Table A-3:Program Arguments Specification A-7 Table A-3: Continued A-8 Modifications to the Server Table Server Table Validation and Matching Page B StarKeeper II NMS Page Configuration of the StarKeeper II NMS cnmsadm help version SKsh SYSADM SHUTSK /usr/bin/displaypkg cat $INPUT/L60.name /usr/bin/installpkg B-3 STARTSK L60 mlkway/earth/morse yes conn sync Alarms to StarKeeper II NMS Description: lcs60statD Action lcm manager start cd / ; /etc/shutdown start routed inetinit tlid sh /etc/init.d/ipas dkitrc restart start atalk cd /; /etc/shutdown ipxd stop ipx start ipx sapd Page C User Error Messages Page Cable Error Message If the cable is disconnected the following error message will be displayed: Outgoing Call Error Messages For example, consider the following entry and error message: The error messages are described below: Address too long All channels busy All trunk channels busy Auto dialer failed to initiate call. Try again Bad Parameter Could not complete your call. Try again Destination not recognized Dial to vlp error Dialed number is busy Dialer error Dkserver: Can't push your streams module Dkserver: Invalid protocol requested Dkserver: Dksrvtab not readable. Call System Administrator Dkserver: Can't chroot. Call System Administrator Dkserver: Can't set/get circuit parameters: Call System Administrator Dkserver: Call on a busy device or call collision, try again Endpoint hung up Facility not subscribed Hop count exceeded Insufficient CIR at module Invalid or missing phone number Mismatched GOS endpoints Network congestion--Callforward error. Try again later Network congestion--Callinitiation failure. Try again Network hung up Network routing error No answer from dialed number No carrier tone was detected No diagnostic channel Receive window too small Remote node not answering Server already exists Server not answering Service mismatch Incoming Error Messages <IP address> is out of range <IP address> is reserved slip is busy <IP address> is busy dkserver <dkserver name> does not have an IP network configured ipaserrno=<error number slip is temporarily disabled may have only one -soption, got <dkserver name> and <name from user missing -s%h option in dksrvtab(4) 'slip' file -s%h mtu=<MTU size>, must satisfy 296 <= mtu can not request both dynamic IP address and IP address <IP address Software Installation – Fujitsu or Seagate ST5660N Drive Page UNIX System Software Installation UNIX System Software Installation If you have a Seagate ST11200N drive, refer to Chapter 9 for UNIX Sys tem Software Installation; if you a have a Fujitsu drive or a Seagate ST5660N, continue with the instructions below 6. Enter bo 0 40 COREunix at the 197-Bug> prompt. This will generate ins ed /etc/scsifmt.info D-3 Note: Separate the fields above using tabs only; spaces are not allowed Write and quit the file Ctrl-D D-4 D-5 D-6 D-7 Page E Manual Pages Page Page Page ATLOG ATLOG (1M) atlog [-d loglevel] [-t enprz0] -ten /usr/adm/lcs/atmgr.log ATNETSTAT (1M) ATNETSTAT atnetstat -<i⎪r⎪z> [-nv] -i atnetstat Gateway Distance /usr/etc/lcs/atmgr /etc/lcs/atalkas.cf /usr/etc/atnetstat ATPING (1M) ATPING atping atping net.0 /usr/etc/atping DKCU (1C) DKCU dkcu DKEXPORT=TERM,LINES,COLUMNS dkcu ˜ %put ˜ %break ˜ %take stty tabs Multiple Interfaces DKMAINT (1M) DKMAINT dkmaint – r – i interface [ – c channel ] [ – v ] dkmaint /opt/dk/sbin FTP FTP (1) user account passwd allbinary append ascii bell bye case cdup form carriage-control non-print glob hash macdel mname macls [mname] mdelete mdir mkdir nmap ntrans prompt proxy quote arg recv reget rename rhelp rmdir rstatus [file] runique send system tenex trace type ebcdic Page IFCONFIG IFCONFIG (1M) ifconfig broadcast addr down metric n mtu mtu Maximum Transmission Unit netmask mask IFSTAT IFSTAT (1M) ifstat [-adfstz] [-l , ifstat /etc/ifstat.conf curses IFTRACE (1M) IFTRACE iftrace gdpbhrtn Page IPXNETSTAT (1M) IPXNETSTAT ipxnetstat [-ir[dv] ] [-p rip ⎪ ipx] [interval] ipxnetstat /etc/lcs/ipxas.cf IPXPING IPXPING (1M) ipxping packetsize interval NETSTAT (1) NETSTAT netstat [-AainrsSv] [-p protocol] [interval] can't open NSLOOKUP (1) NSLOOKUP NOTE: finger set query=A Quit server host lserver host set [no]aaonly ALL type query SOA PTR CNAME set timeout set retry set domain set defname PING (1M) PING ping struct timeval PULL PULL (1C) pull - L Long Names /etc/opt/dk/dkhosts PUSH PUSH (1C) push push lxho9 a/b c a/d/e /tmp/one push lxho9 - /tmp/two <<! a/b Note Page ROUTE (1M) ROUTE route flush [<net⎪host>] route add net add host add network del host del network done STATLCS (1M) STATLCS statlcs [-t] statlcs /usr/etc/statlcs TELNET (1) telnet [-ec] [-8][host [port]] ˜linemode escape crmod eight escape c linemode localecho negotiate WONT echo exopl sga options ayt brk nop F User Information Connection (via Modem) Client Software Configuration All users: Users with a NAC security server: All Users Screen F-1:CCL Script – Example F-3 Screen F-1: Continued @ORIGINATE @ANSWER note “Dialing ˆ 1” write “ATDTˆ1” ask USERID, Password DESTINATION nj/exch/system.ppp @HANGUP CCL and Modem Hints PPP Service Examples Page Page Page Screen F-2:Sample LCS60 dialup.scr Screen F-2:continued on next page F-10 Screen F-2: Continued slang comscrpt F-11 Figure F-3:PC/TCP Example Screens Figure F-4:PC/TCP Session Configuration Screen Example File New Open Configure Port Save As Connect AppleTalk Status Page Notes: Figure F-7:IP Address Screen Page SLIP Service Examples 1. Under the Custom window, select Interface and add a SLIP interface Figure F-10:Custom Interface Window 2. Under the Custom Setup window (Figure F-11),configure the following: F-19 Figure F-11:Custom Setup Window Figure F-12:Login Settings Window Screen F-3:slip.ini File Fragment ARAP Service Example Remote Only Remote Access Client Guest Remote Access Setup Page Guest Registered User Figure F-15:ARAP Remote Access Setup – Modem Example Figure F-16:ARAP Remote Access Status Screen – Example Page G Glossary Page Glossary ARA ARAP call address CCL HDLC IETF internet IP Network Group RIP RFC router SLIP SNMP Ethernet Interface (etherif) alias aliases subnet ted net DNS Resolver (dns) Define Service Sessions (maxsessions) session parameter value User login id Network Address Frame Type ethernet, 802.2 Enable, 8-bit character mode inactivity timeout show trace Session Directory Show ARAP Xmit(Bytes) Xmit(Pkts) Recv(Bytes) Recv Errs BadF Rej Show Async/TCP Char Mode Time Idle Time Show PPP Receive Errors Len Alloc Show PPP – Link, IP, IPX, AppleTalk Max Config ACCM Magic Proto Comp Addr Comp Peer Addr Class Imp ID AT Comp Route Proto Broadcast Remote User Trace Async/TCP Local Address morse-e0.23 Foreign Address Trace PPP Trace SLIP Dest Address Ports Directory Show Statistics Reset Show Configurations Tcpws Nohup 2way SID-Type Idle Wait Page Manager Directory Pid # Total Ses. Cfg Total Ses. Used Total Servers Inuse Startup Time Server Name (#) I Index Page Index