This chapter takes you through the VMS Authentication Manager (VAM) product installation procedure and certain post-installation tasks. It is for the OpenVMS system manager, administrator, or technician responsible for product installation.
To prepare for installation, see Chapter 1, Before You Begin.
Note: After a major OpenVMS upgrade, you must reinstall VAM.
To install VAM:
1. Load the software.
2. Run the VMSINSTAL procedure.
3. Install other products, if needed, and perform post-installation tasks.
VAM is available for download from the Process Software FTP site. Information on downloading the software will be supplied to licensed customers by Process Software.
The VAM software must be installed from the system manager’s account.
If you install VAM on a VMS cluster that has a common system disk, install the software on only one node in the cluster. Be sure to configure VAM on all systems in a VMS cluster that has a common system disk, even though it only needs to be installed once.
VAM is installed by invoking VMSINSTAL, the OpenVMS installation program for layered products. VMSINSTAL prompts you for any information it needs.
$ @sys$update:vmsinstal VAM031 dka100:
OpenVMS Software Product Installation Procedure V8.4
It is 26-May-2022 at 14:09.
Enter a question mark (?) at any time for help.
* Are you satisfied with the backup of your system disk [YES]? y
The following products will be processed:
VAM V3.1
Beginning installation of VAM V3.1 at 14:09
%VMSINSTAL-I-RESTORE, Restoring product save set A ...
VMS Authentication Module (R)
ALL RIGHTS RESERVED UNDER THE COPYRIGHT LAWS OF THE UNITED STATES
This licensed material is the valuable property of Process Software.
Its use, duplication, or disclosure is subject to the restrictions set
forth in the License Agreement.
Other use, duplication or disclosure, unless expressly provided for in
the license agreement, is unlawful.
* What device do you want to install VMS Authentication Module on [SYS$SYSDEVICE:]: y
* Do you want to purge files replaced by this installation [YES]? y
The installation will now proceed with no further questions.
*******************************************************************
To complete this installation, you must refer to the documentation
and the Release Notes for post-installation instructions.
*******************************************************************
%VMSINSTAL-I-MOVEFILES, Files will now be moved to their target directories...
Installation of VAM V3.1 completed at 14:09
Adding history entry in VMI$ROOT:[SYSUPD]VMSINSTAL.HISTORY
Creating installation data file: VMI$ROOT:[SYSUPD]VAM031.VMI_DATA
VMSINSTAL procedure done at 14:10
$
No special preparation is required after installing VAM on one node of a VMScluster with a common system disk.
VAM has no files which can be shared between cluster systems of different architectures.
The following sections describe the post-installation setup required to enable the various forms of authentication. Specific configuration of the authentication methods (e.g., LDAP and RADIUS) is covered in subsequent chapters.
For both the VAM callable module and the VAM OpenVMS LOGINOUT callouts, the file install_device:[VAM]VAM_CONFIG.TEMPLATE must be copied (if it doesn’t already exist) to install_device:[VAM]VAM_CONFIG.DAT. This file contains the configurable options for VAM, and may be edited as needed by the system manager.
Note: If you are planning on configuring VAM LDAP or RADIUS to use the VMS ACME system, refer to Chapter 6, Using VAM with ACME, for additional required steps.
The following files must have at least the following protection and ownership; otherwise, authentication attempts will fail. Protection is listed in (SYSTEM, OWNER, GROUP, WORLD) order.
VAM_CONFIG.DAT [SYSTEM] (RWED,RWED,,)
SDCONF.REC [SYSTEM] (RWED,RWED,,)
To use the VAM callable module, the system manager must add the line
@install_device:[VAM]VAM_STARTUP
to the SYSTARTUP_VMS.COM file.
Beyond that, no further configuration on the client system is required.
The user will be responsible for using the provided VAM API to integrate VAM into the desired application(s).
The OpenVMS system requires further configuration to enable the LOGINOUT callouts.
· Edit VAM:VAM_CONFIG.DAT and set the appropriate configuration keywords as desired.
· The dynamic SYSGEN parameter LGI_CALLOUTS must be set to "1". Note that the LGI_CALLOUTS parameter is reset to "0" each time VMS is booted, so it must be set to "1" again after each system boot.
· Next, the system manager must determine which authentication methods (LDAP and/or RADIUS) users are to be required to use. See chapters 3 and 4 for information on configuring the LGI callouts for these methods.
Note: Including the LGI parameter on the VAM_STARTUP command line will enable both the VAM LGI callouts and the VAM callable module.
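The post-installation steps above, collected into one DCL procedure as an added example (not part of the VAM kit or the Process Software documentation). It assumes VAM was installed on SYS$SYSDEVICE:, the VMSINSTAL default; the symbols vam_dir and cfg and the %CHECK-W message text are names chosen here.

```dcl
$! Added example, not shipped with VAM. Run from the system manager's account.
$! Assumption: VAM is installed on SYS$SYSDEVICE: (the VMSINSTAL default).
$ vam_dir = "SYS$SYSDEVICE:[VAM]"
$ cfg = vam_dir + "VAM_CONFIG.DAT"
$!
$! Copy the template only when no configuration file exists yet, so an
$! edited VAM_CONFIG.DAT is never overwritten.
$ IF F$SEARCH(cfg) .EQS. "" THEN COPY 'vam_dir'VAM_CONFIG.TEMPLATE 'cfg'
$!
$! Apply the documented ownership and protection: [SYSTEM] (RWED,RWED,,).
$! Naming GROUP and WORLD with no access codes removes all their access.
$ SET SECURITY /OWNER=[SYSTEM] /PROTECTION=(S:RWED,O:RWED,G,W) 'cfg'
$!
$! Read the settings back so a mismatch is visible in the startup log.
$ owner = F$FILE_ATTRIBUTES(cfg,"UIC")
$ prot = F$FILE_ATTRIBUTES(cfg,"PRO")
$ WRITE SYS$OUTPUT "''cfg' owner=''owner' protection=''prot'"
$ IF owner .NES. "[SYSTEM]" THEN WRITE SYS$OUTPUT "%CHECK-W, unexpected owner on ''cfg'"
$!
$! LGI_CALLOUTS is a dynamic parameter: WRITE ACTIVE changes the running
$! system only, and the value returns to 0 at the next boot.
$ RUN SYS$SYSTEM:SYSGEN
USE ACTIVE
SET LGI_CALLOUTS 1
WRITE ACTIVE
SHOW LGI_CALLOUTS
EXIT
$ EXIT
```

Because LGI_CALLOUTS returns to 0 at every boot, the SYSGEN step has to be repeated at each startup. Give SDCONF.REC the same SET SECURITY treatment wherever it exists on your system.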
The following keywords, found in VAM:VAM_CONFIG.DAT, are used to control access using the OpenVMS LOGINOUT callouts.
LGI_AUTH_METHODS
Contains a priority-ordered list of the authentication methods to be used. For example, “LDAP,RADIUS” will cause the VAM LGI interface to attempt first LDAP and then RADIUS authentication when called.
FALLTHROUGH_TO_VMS
If set to 1, allows VAM to fall through to using normal VMS authentication if the LDAP and/or RADIUS servers are all unreachable.
PROMPT_FOR_FT_PWD
If set to 0 while the FALLTHROUGH_TO_VMS keyword is set to 1, the password entered during the LDAP or RADIUS authentication attempt will be used to authenticate against the local VMS User Authentication File (UAF). If set to 1 (the default), the user will be prompted for a VMS password to authenticate locally using the VMS UAF.
These logical names are defined on all VAM systems. They are defined in VAM:VAM_SPECIFIC_STARTUP.COM when the VAM_STARTUP command procedure is executed.
VAM
This logical points to the install_device:[VAM] directory.
VAM_ROOT
This logical points to install_device:[VAM.]. It may be used, for example, to specify the log file directory: VAM_ROOT:[LOG].
VAM_LOG
This logical points to the install_device:[VAM.LOG] directory.
The following logical names are used to affect logging for the VAM software. The logicals are located in the VAM_SPECIFIC_STARTUP command procedure and are normally commented out. This logging is used to debug VAM installations, and should generally be used only when recommended by Process Software.
VAM_LOGFILE
This logical determines the location and name of the file used to log VAM transactions and errors.
VAM_CURRENT_TRACE_LEVEL
This logical determines the level of detail in the VAM log. The level is a combination of the following bit masks:
TRACE_EXECUTION (1) - Traces general steps the VAM module is performing.
TRACE_EXECUTION_DEEP (2) - Verbose tracking of the VAM module processing.
TRACE_INFO (4) - Tracks informational messages generated by the VAM module.
TRACE_ERROR (8) - Logs errors encountered by the VAM module.