Service Tool Description

SERVICE TOOL NAME: DSNlink V1.2 for OpenVMS

DESCRIPTION

DSNlink for OpenVMS (DSNlink) is a key component of Advanced Electronic Support. It facilitates two-way communication between your computer system and the Digital Customer Support Center (CSC) host computer system.

APPLICATIONS

DSNlink has the following applications:

Mail-
You can send and receive electronic mail between your computer system and the DSNlink Host system with the DSNlink Mail application. You can use the mail application to:

o Submit electronic service requests
o Obtain service request status reports
o Receive Digital Communiques
o Obtain DSNlink installation kits electronically

You activate DSNlink Mail by sending VMS mail to a special recipient address of the form DSN%xxxx, where xxxx is a special address that corresponds to one of your supported Digital products. Digital acknowledges the service request by sending you a VMS mail message. The message includes a service request sequence number for tracking purposes. This number can be used to send additional information about a specific service request.

Electronic Service Request Submission-
If you have a question, inquiry, or problem concerning a supported product you can use the Mail application to send an electronic service request to Digital. Your request is immediately acknowledged and a confirmation message is sent back to you. A Digital support specialist then uses DSNlink Mail to communicate with you about your request.

Electronic Service Request Status-
You can use the Mail application to get the current activity status on any service request that you have submitted, including service requests that are submitted by telephone.

Digital Communiques-
As part of DSNlink, Digital offers you an ongoing information service. You are sent timely news about existing products, new products, and product updates via DSNlink Mail. These messages are divided into several topical categories.
You decide which message categories, if any, you want to receive. You also choose who receives these messages on your DSNlink system. The following message categories are available:

o Flash Messages are used to quickly notify you of urgent product information, including software patches.
o Information Messages are for general product information.
o Marketing Messages are to let you know about new products and services, as well as update information for existing products and services.
o Survey Messages are used to request your input on surveys concerning Digital service and product quality.

Electronic Kit Distribution-
If you already have DSNlink installed on your system, you can request new releases of the installation kit using the Mail application. The installation kit is then automatically copied to your system.

Interactive Text Search-
This application enables you to interactively search Digital's product problem/solution databases for specific topics. Each of your supported products has a corresponding document database that you may access. This application gives you full text search capability, using either English or Boolean queries. Documents can then be extracted to a disk on your system, or mailed to any other DSNlink registered contact person's address.

File Copy-
The file copy application allows files that are of any VMS file type to be sent between your system and the Digital host system. Generally, you use the Mail application to send text files. However, some files such as image files, error logs, compiler listings, or object files are more efficiently sent using the File Copy application. These files provide your Digital support specialist with diagnostic information to assist in the resolution of your service request.

Authorized Remote Login Access-
The Authorized Remote Login Access application provides quicker diagnosis and resolution of hardware or software problems by allowing a Digital support specialist to directly log in to your system. This can only happen if you have authorized the login from a privileged account on the DSNlink Communications Node (DCN) and have established an account for the Digital support specialist to use.

VTX-
The DSNlink Videotex (VTX) application provides you with access to various applications and information databases that are available from your CSC. An example of an application is the DSNlink VTX Patch application. This application enables you to conveniently obtain software patches without having to submit an electronic service request.

COMMUNICATIONS

Your DSNlink system communicates with the Digital host system using a standard asynchronous modem and a telephone line. The DSNlink modem transport allows 32 simultaneous connections over a single telephone line. DSNlink uses a toll-free number provided by Digital. The DECnet transport is used with computer systems that are internal to Digital.

HARDWARE REQUIREMENTS

The hardware requirements for DSNlink are as follows:

AXP, VAX, MicroVAX, VAXstation or VAXserver systems as specified in the Hardware and Software Requirements for DSNlink V1.2 for OpenVMS.

Telephone Line Requirements

To use DSNlink with the Modem Transport, you need a dedicated direct inward dial telephone line and one of the supported modems referenced in the Hardware and Software Requirements for DSNlink V1.2 for OpenVMS.

NOTE
If you encounter any transmission problems with voice quality telephone lines and modems with speeds of 2400 bits per second (BPS) or greater, it is recommended that a data quality phone line be used.

SOFTWARE REQUIREMENTS

o For VAX Systems: VMS Operating System Version 5.2 or greater.
o For AXP Systems: OpenVMS AXP Version 1.0 or greater.
o Use of DECnet is optional.

For more information about the software environment for DSNlink for OpenVMS, see the Hardware and Software Requirements for DSNlink V1.2 for OpenVMS.


Hardware and Software Requirements

SERVICE TOOL NAME: DSNlink V1.2 for OpenVMS

HARDWARE REQUIREMENTS

Processors Supported:

AXP:         DEC/10000 DEC/7000 DEC/4000 DEC/3000 DEC/2000 DEC/1000

VAX:         VAX 9000 Model 200 Series
             VAX 9000 Model 400 Series
             VAXft 3000 Model 300 Series
             VAX 4000 Model 200 Series
             VAX 4000 Model 300 Series
             VAX 6000 Model 200 Series
             VAX 6000 Model 300 Series
             VAX 6000 Model 400 Series
             VAX 6000 Model 500 Series
             VAX 8200, VAX 8250, VAX 8300, VAX 8350,
             VAX 8500, VAX 8530, VAX 8550, VAX 8600,
             VAX 8650, VAX 8700, VAX 8800, VAX 8810,
             VAX 8820, VAX 8830, VAX 8840
             VAX-11/730, VAX-11/750, VAX-11/780, VAX-11/785

MicroVAX:    MicroVAX II, MicroVAX 2000, MicroVAX 3100,
             MicroVAX 3300, MicroVAX 3400, MicroVAX 3500,
             MicroVAX 3600, MicroVAX 3800, MicroVAX 3900

VAXstation:  VAXstation II, VAXstation II/GPX,
             VAXstation 2000, VAXstation 3100 Series [1],
             VAXstation 3200, VAXstation 3500,
             VAXstation 3520, VAXstation 3540,
             VAXstation 4000 VLC,
             VAXstation 4000 Model 60

VAXserver:   VAXserver 3100, VAXserver 3300,
             VAXserver 3400, VAXserver 3500,
             VAXserver 3600, VAXserver 3602,
             VAXserver 3800, VAXserver 3900,
             VAXserver 4000 Model 300,
             VAXserver 6000-210/220,
             VAXserver 6000-310/320,
             VAXserver 6000-410/420,
             VAXserver 6000-510/520

[1] The Modified Modular Jack (MMJ) port does not provide full modem control and is not supported by DSNlink using the Modem Transport. Otherwise, VAXstation 3100 Series processors are supported in either a DSNlink for OpenVMS Application Node (DAN) configuration or as a DSNlink for OpenVMS Communications Node (DCN) configured with a DECserver with full modem control.

NOTE
The communication interface used by the DSNlink Communications Device must support FULL MODEM CONTROL. Also note that DMF32 terminal connection ports are not supported.

Processors Not Supported

VAX:         VAX-11/725, VAX-11/782
MicroVAX:    MicroVAX I
VAXstation:  VAXstation I, VAXstation 8000

Terminal Servers Supported

DECserver                   Software Version
200/MC                      3.1 or higher
500 with CXY08 linecard     2.0 or higher
550 with CXY08 linecard     2.0 or higher
700/MC                      1.0 or higher

Disk Space Requirements

During Installation   VAX:  6,000 blocks (3,072K bytes)
                      AXP: 18,000 blocks (9,216K bytes)
After Installation    VAX:  2,600 blocks (1,330K bytes)
                      AXP:  7,800 blocks (3,990K bytes)

These counts refer to the disk space required on the system disk. The sizes are approximate; actual sizes may vary depending on the system environment, configuration, and software options selected.

Modem Selections

2400-baud modems:  Digital DF124-CA, Rev. 1.20 or higher
                   Digital DF124-CM, Rev. 1.20 or higher
                   Digital DF242-CA, Rev. 1.50 or higher
                   Hayes 2400 baud modems

9600-baud modems:  Digital DF296-DA, Rev. 1.22 or higher
                   Digital DF196-DM, Rev. 1.22 or higher
                   Hayes 9600 baud modems

DSNlink will usually work with a Hayes-compatible modem that can be set up to do the following:

o Dial a phone number in response to an ATDT command
o Not echo the dial command
o Raise the Data Set Ready (DSR) modem line signal at the time a connection is established with the modem on the other end, instead of continuously holding the signal high
o Return a numeric response code to indicate a successful connection no sooner than 0.5 sec after raising the DSR signal
o Disable flow control, data compression, and error correction

Call 1-800-354-9000 for the latest information on how to set up DSNlink with one of these modems.

NOTE
If you encounter any transmission problems with voice quality telephone lines and modems with speeds of 2400 bits per second (BPS) or greater, it is recommended that a data quality phone line be used.

TELEPHONE LINE REQUIREMENTS

A dedicated direct inward dial (DID) (PSTN) telephone line is required to communicate with your Digital Customer Support Center (CSC) DSNlink Host System.

CLUSTER ENVIRONMENT

This customer service tool is fully supported when installed on any valid and licensed, homogeneous VMScluster configuration. VMScluster configurations are fully described in the VMScluster Software Product Description (29.78.nn).

SOFTWARE REQUIREMENTS

VAX systems:  VMS Operating System Version 5.2 or greater
AXP systems:  OpenVMS AXP Version 1.0 or greater

OPTIONAL SOFTWARE

o DECnet
o VAX P.S.I. Version 4.2 or higher
o VAX P.S.I. Access Version 4.2 or higher

GROWTH CONSIDERATIONS

The minimum hardware/software requirements for any future version of this service tool may be different from the minimum requirements for the current version.

DISTRIBUTION MEDIA

Tape:   VAX systems: 9-track 1600 BPI Magtape (PE), TK50 Streaming Tape
EKD:    Electronic Kit Distribution for upgrade customers
CDROM:  AXP systems only

ORDERING INFORMATION

Contact your local Digital Account representative. If you are upgrading from an earlier version, send electronic mail to DSN%HELP to get an address list containing the most current kit and documentation.


Security in DSNlink for VMS: A Summary of Security Features

OVERVIEW:

DSNlink allows the electronic transfer of information between Digital and Digital's Customers. Because security is a recognized issue, Digital has provided a measure of security commensurate with the product attributes. This document describes these security features.

INTRODUCTION:

DSNlink provides an electronic, on-demand, point-to-point connection between a customer node and Digital for the exchange of information. This information generally applies to service, support questions, and requests. DSNlink uses standard dial-up and asynchronous terminal line interfaces connected to modems as its physical communications medium.
Making a physical connection between the two DSNlink systems involves dialing the telephone number of the modem connected to your DSNlink Communication Node (DCN) system and establishing the DSNlink protocol between them. Transmission of data can then begin (see Figure 1).

There are growing concerns with all aspects of security, especially when they involve electronic connections (particularly modems) to other corporations or public networks. Therefore, DSNlink is designed to provide a level of security which directly addresses the attributes of the product; that is, a level of security which is effective but not overburdening.

It is also understood that the potential risk of loss or corruption of data by virtue of any failure, malfunction or defect of any communications facilities or services of any third parties (e.g., common carriers) cannot be addressed within this product service.

The remainder of this document discusses the definition of security as applied to DSNlink.

Figure 1. DSNlink Model
-----------------------

   DSNlink                            DSNlink
   Communication ------------------   Application
   Node                               Node
      |
    Modem
      |
      |
   Public Switched Telephone Network
      |
      |
    Modem
      |
   Digital's DSNlink Host Node

The Process of Connection:
--- ------- -- ----------

The cornerstone of DSNlink is the DSN$NETWORK process which only runs on the DCN. A single DSN$NETWORK process services both incoming and outgoing DSNlink applications. When a DSNlink application requests a connection to a remote DSNlink application (for example, you want to submit a service request to Digital electronically), DSN$NETWORK:

1. Dials the telephone connected to the DSNlink modem,
2. Establishes the proper protocol with the remote DSNlink system,
3. Verifies the identity of both DSNlink partners, and
4. Begins the exchange of data.

The DSNlink Application Node (DAN) is a node in a VAXcluster or DECnet network which executes DSNlink applications and communicates over a single DCN.

The Telephone Connection
--- --------- ----------

The DSN$NETWORK process allocates, assigns a software channel to, and issues a read request to the DSNlink Communications Device. As long as this process is active, outside users cannot log in on this line because the terminal driver does not respond to unsolicited input. Once the communication has taken place, DSNlink terminates the connection. DSNlink owns the communication line and will not respond to any input on the line which does not present the correct authentication, compression scheme and protocol.

When DSN$NETWORK is not running, the terminal line is set to /NOTYPE_AHEAD, which prevents unsolicited input on the line from starting a login sequence. In this state, the line appears to be inoperative to any user attempting to use it.

Establishing the Protocol
------------ --- --------

The protocol used for the network and the application is proprietary to Digital. Thus, Digital ensures information about the protocol is not readily available to those who would want to decode transmissions and provides a measure of assurance that only DSNlink applications are communicating. A general application does not meet the protocol requirements and is therefore unable to use the DSNlink communications path.

Verifying the Identities
--------- --- ----------

DSNlink performs an authentication check to ensure the remote system is, in fact, another DSNlink node. This authentication is performed for each connection, and uses a signature and challenge technique. Both sides must calculate this authentication and agree on each side's identity. The authentication algorithm employs randomness in the exchange to prevent a replay attack. If this exchange is not successful, the telephone line is hung up, and no further communications take place.

Authentication exchange ensures the remote site is running DSNlink, as distributed by Digital, and has passed the authentication handshake.
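
The challenge idea described above, as an added illustration that is not part of the original document. DSNlink's algorithm is proprietary and is not given here; HMAC-SHA-256 over a pre-shared key, the class and function names, and the "CONNECTED"/"HANGUP" results are all assumptions of this example.

```python
import hashlib
import hmac
import secrets


class LinkEnd:
    """One end of the link. `key` stands in for a secret both ends hold (assumption)."""

    def __init__(self, name, key):
        self.name = name
        self.key = key
        self._pending = None  # the challenge this end issued and has not yet checked

    def new_challenge(self):
        # Fresh randomness per connection is what defeats a recorded response.
        self._pending = secrets.token_bytes(16)
        return self._pending

    def _mac(self, signer, verifier, challenge):
        # Binding both names stops a response being reflected back at its sender.
        msg = b"|".join([signer.encode(), verifier.encode(), challenge])
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def respond(self, challenge, peer_name):
        return self._mac(self.name, peer_name, challenge)

    def check(self, response, peer_name):
        if self._pending is None:
            return False
        challenge, self._pending = self._pending, None  # each challenge is single use
        expected = self._mac(peer_name, self.name, challenge)
        return hmac.compare_digest(expected, response)


def handshake(caller, answerer, tap=None):
    """Mutual authentication: each side challenges the other and checks the reply."""
    c_for_caller = answerer.new_challenge()
    c_for_answerer = caller.new_challenge()
    r_caller = caller.respond(c_for_caller, answerer.name)
    r_answerer = answerer.respond(c_for_answerer, caller.name)
    if tap is not None:
        tap.append(r_caller)  # what an eavesdropper on the line would record
    ok = answerer.check(r_caller, caller.name) and caller.check(r_answerer, answerer.name)
    return "CONNECTED" if ok else "HANGUP"


def replay(answerer, claimed_name, recorded_response):
    """A later call that only resends a recorded response to a new challenge."""
    answerer.new_challenge()
    return "CONNECTED" if answerer.check(recorded_response, claimed_name) else "HANGUP"


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed key for the demonstration
    dcn, host = LinkEnd("DCN", key), LinkEnd("HOST", key)
    tap = []
    print("genuine call:", handshake(dcn, host, tap))
    print("replayed response:", replay(host, "DCN", tap[0]))
    print("wrong key:", handshake(LinkEnd("DCN", secrets.token_bytes(32)), host))
```
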

Authentication further assures unauthorized connections are not created. The connection must be between a known remote node (your DCN) and Digital. Incoming requests to Digital, after passing the authentication check, are further verified in Digital's databases so as to ensure only registered and authorized remote nodes (your systems) are allowed access.

Accountability
--------------

Log files of DSNlink activity are kept on both the remote node (your DCN) and Digital systems. The majority of these logs are kept in the directory assigned by the logical DSN$LOGS. A small subset of log files is kept in the requesting user's SYS$LOGIN directory. Digital logs all login transactions to your system (DCN), including the keystrokes of the Digital support personnel.

For information on the operation of processes related to DSNlink, the DSN SHOW commands and MONITOR utility can be used. These commands will display either network statistics or DSNlink batch job status.

Control of Access to DSNlink
------- -- ------ -- -------

If your operations require only certain users to have access to DSNlink capabilities, control can be accomplished by setting Access Control Lists (ACL) on various DSNlink images. Refer to the Computer Based Instruction Course "Managing VMS System Security" or the "Guide to VMS System Security" for information on how to set an ACL on a file. For the exact name of the executables to protect, refer to the "DSNlink Manager's Guide".

You may disable specific incoming DSNlink applications on the DCN by deassigning the logical for that application. For example,

    DEASSIGN/SYSTEM DSN$APPL_COPY

will prevent DSNlink file copies.

Remote Logins
------ ------

The DSNlink AUTHORIZE command allows REMOTE_LOGIN, which permits Digital support personnel remote terminal access to a DSNlink system. However, this process is under your direct control.
Your application manager must first authorize DSNlink access for your specific node and time window, and then provide the Digital support personnel a valid username and password for the system which needs service.

Remote Manipulation of Files
------ ------------ -- -----

Digital cannot directly execute any file copied to your system via the DSNlink network, without intervention on your node. All file specifications (directory and quotas) are controlled and managed on your system. Also, Digital cannot implement a file transfer from your system back to Digital. This transfer must be initiated by your application manager, thus providing control on your node.

Use of Privilege
--- -- ---------

DSNlink images are installed using the VMS INSTALL Utility installation qualifiers as defined in Table 2. DSNlink was designed for use by the general user community, with management (registration, shutdown, etc.) by a defined subset. The setup for a general user account is included in the "DSNlink Installation Guide". Accounts which use DSNlink applications must have minimum parameter settings as defined in Table 1. DSNlink Management is dictated by the use of privileges, as indicated in Table 3.

The DSN$NETWORK process uses the DECNET object number 0 with the name DSN on your system.

The DSN$SERVER account is created as part of the DSNlink installation on the Communications Node (DCN) only. This account is where the DSN$NETWORK process is started and where all incoming DSNlink applications execute. Specific information about the DSN$SERVER account is presented in Figure 2.

Digital Security
------- --------

DSNlink applications on the Digital side have the same level of security as the installation on your node. However, Digital further protects the DSNlink host node in the following ways:

o Digital host managers have detailed policies and procedures for handling customer data, with very strict processes for security violations.
o The DSNlink Host systems are managed by experienced system managers with security training.
o System managers are backed by sophisticated security tools to maintain and monitor the environment.

Summary
-------

Digital believes that it has taken appropriate precautions in the design and implementation of DSNlink to ensure an effective level of security to protect its customers' systems and its own systems from undesired third party access.

Table 1. User Account Settings
-------------------------------

Parameter               Suggested Value/Setting

DISUSER flag            NODISUSER*
DISMAIL flag            NODISMAIL*
RESTRICTED flag**       NORESTRICTED*
CAPTIVE flag            NOCAPTIVE*
DEFCLI flag             DEFCLI*
BYTLM                   16000
PGFLQUOTA               10000
BIOLM                   15
DIOLM                   15
TQELM                   10
ENQLM                   30
FILLM                   20
CLI                     DCL+
Authorized Privileges   TMPMBX and NETMBX
Default Privileges      TMPMBX and NETMBX
Access Restrictions     None for BATCH access*
----
*  Parameter is required for DSNlink COPY or DSNlink MAIL; DSNlink Interactive Text Search does not require setting.
** Parameter RESTRICTED is a UAF flag added in VMS V5.2

Table 2. VMS Install Utility Commands for DSNlink Images
----------------------------------------------------------

DSNlink Image           VMS Install Qualifiers

DSN$DECNET_SHARE.EXE    /OPEN /HEADER /SHARED
DSN$COPYQUESHR.EXE,
DSN$COPYSHR.EXE,
DSN$SHARE.EXE,
DSN$REGSHR.EXE,
DSN_MAILSHR.EXE,
DSN$ITSSHR.EXE

DSN$MAIN.EXE            /OPEN /HEADER /SHARE /PRIV=SYSLCK

DSN$NETWORK.EXE*        /OPEN /HEADER /SHARED
                        /PRIV=(SYSNAM,PRMMBX,NETMBX,SYSPRV,SYSLCK)
----
* Installed only on DCN

Table 3. Privileges Required for DCN Management Commands
-------------------------------------------------------

DSN Commands            Privileges Required

SHUTDOWN, CLEAR         WORLD
SHOW BATCH              SYSPRV or OPER
REGISTER                SYSTEM UIC or SYSPRV or BYPASS
AUTHORIZE               WORLD, SYSPRV, SYSNAM

Figure 2.
DSN$SERVER Account
---------------------------

Username: DSN$SERVER                       Owner:  DSN$NETWORK
Account:  DSN                              UIC:    [500,1] ([DSN$SERVER])
CLI:      DCL                              Tables: DCLTABLES
Default:  SYS$COMMON:[DSN]
LGICMD:   NL:
Login Flags:  Disctly Defcli Lockpwd Dismail Disreconnect
Primary days:   Mon Tue Wed Thu Fri
Secondary days:                     Sat Sun
Primary   000000000011111111112222  Secondary 000000000011111111112222
Day Hours 012345678901234567890123  Day Hours 012345678901234567890123
Network:  ##### Full access ######            ##### Full access ######
Batch:    ##### Full access ######            ##### Full access ######
Local:    ----- No access ------              ----- No access ------
Dialup:   ----- No access ------              ----- No access ------
Remote:   ----- No access ------              ----- No access ------
Expiration:            (none)    Pwdminimum:  8   Login Fails:     0
Pwdlifetime:         90 00:00    Pwdchange:  (pre-expired)
Last Login:            (none) (interactive), 13-DEC-1989 12:50 (non-inter)
Maxjobs:         0  Fillm:       200  Bytlm:        80000
Maxacctjobs:     0  Shrfillm:      0  Pbytlm:           0
Maxdetach:       0  BIOlm:       230  JTquota:       2048
Prclm:          32  DIOlm:       200  WSdef:          200
Prio:            4  ASTlm:       240  WSquo:         1024
Queprio:         0  TQElm:       200  WSextent:      4096
CPU:        (none)  Enqlm:       500  Pgflquo:     100000
Authorized Privileges:
  TMPMBX NETMBX
Default Privileges:
  TMPMBX NETMBX


GUIDELINES FOR USING DSNlink IN VMS ENVIRONMENTS

DSNlink for OpenVMS:

You may use the same DSNlink for OpenVMS kit for installing the software multiple times for use with different access numbers.

Definition of Terms:

OpenVMS systems where DSNlink is installed are called DSNlink nodes. A DSNlink Communications Node (DCN) has a DSNlink modem connected to it either directly or via a terminal server. VAXcluster and/or other nodes on the DECnet network which execute DSNlink applications and communicate over a single DCN are called DSNlink Application Nodes (DANs).

Standalone System Example

 -----                  telephone line                  Digital
| DCN | ------- Modem -------/\/\------- Modem ------- DSNlink
 -----                                                  Host
Access #01234

For the customer with one access number who wants to install DSNlink on a standalone system, one software kit is required.

Homogeneous VAXcluster Example

         node
           |
         ------      -----         telephone line          Digital
node    | Disk | -- | DCN | ---- Modem -----/\/\----- Modem --- DSNlink
         ------      -----                                  Host
           |        Access #05678
         node

In this example, the DSNlink software is installed on the common system disk and operates as the DCN. Only one access number can be used and one software kit is required.

Network Example

        DECnet                                    DECnet
---------------------------------------------------------------------
     |                 |                 |                 |
    DCN               DAN               DAN               DAN
Access #0345      Access #0456      Access #0567      Access #0678
     |
     |
   modem
     |
     \
     /   telephone line
     \
     |
Digital DSNlink Host

In this example, the DSNlink software is installed on all DANs and the DCN, with separate authorization codes for each access number. You may order one software kit and the CSC will send you four authorization codes, one for each access number.

Summary of Guidelines

1. Only one software kit is required. The same kit can be used for multiple installations. Multiple kits are required only if you need more than one distribution medium (TK50, Magtape, or CD-ROM). Additional documentation sets can be ordered separately.
2. You will need one Access Number Authorization Code per access number that you wish to use.
3. Each DAN (including the DCN) may correspond to one CSC access number (support contract).
4. You can also install the same access number on multiple DANs.
5. You cannot have more than one access number per CPU or VAXcluster.
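
Relating to the DSN$SERVER account record in Figure 2, an added example (not part of the DSNlink documentation or kit) that parses an AUTHORIZE-style listing and reports where an account has drifted from the Figure 2 values. Treating Figure 2 as a baseline, the function names and the sample listing are assumptions of this example.

```python
import re

# Baseline values copied from Figure 2; using them as policy is this example's assumption.
BASELINE_FLAGS = {"DISCTLY", "DEFCLI", "LOCKPWD", "DISMAIL", "DISRECONNECT"}
BASELINE_PRIVS = {"TMPMBX", "NETMBX"}
NO_ACCESS_MODES = ("Local", "Dialup", "Remote")

# Constructed sample listing (not from a real system) with three deliberate drifts:
# Lockpwd is missing, Dialup is open on primary days, SYSPRV is authorized.
SAMPLE = """\
Username: DSN$SERVER                       Owner:  DSN$NETWORK
Login Flags:  Disctly Defcli Dismail Disreconnect
Network:  ##### Full access ######            ##### Full access ######
Batch:    ##### Full access ######            ##### Full access ######
Local:    ----- No access ------              ----- No access ------
Dialup:   ##### Full access ######            ----- No access ------
Remote:   ----- No access ------              ----- No access ------
Authorized Privileges:
  TMPMBX NETMBX SYSPRV
Default Privileges:
  TMPMBX NETMBX
"""


def parse_uaf(text):
    """Extract login flags, access columns and privilege lists from a listing."""
    rec = {"flags": set(), "access": {}, "privs": {}}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("Login Flags:"):
            rec["flags"] = {f.upper() for f in s.split(":", 1)[1].split()}
            continue
        m = re.match(r"(Network|Batch|Local|Dialup|Remote):\s+(.*)", s)
        if m:
            # Two columns: primary days, then secondary days. An hour-by-hour
            # restriction matches neither phrase and is flagged by audit().
            rec["access"][m.group(1)] = re.findall(r"Full access|No access", m.group(2))
            continue
        m = re.match(r"(Authorized|Default) Privileges:\s*(.*)", s)
        if m:
            words = m.group(2).split()
            for nxt in lines[i + 1:]:  # privileges continue on indented lines
                if not nxt[:1].isspace() or not nxt.strip():
                    break
                words += nxt.split()
            rec["privs"][m.group(1)] = {w.upper() for w in words}
    return rec


def audit(rec):
    """Return a list of differences from the Figure 2 baseline (empty if none)."""
    findings = []
    for flag in sorted(BASELINE_FLAGS - rec["flags"]):
        findings.append(f"flag {flag} not set")
    for mode in NO_ACCESS_MODES:
        if rec["access"].get(mode) != ["No access", "No access"]:
            findings.append(f"{mode} access is not 'No access' on all days")
    for kind in ("Authorized", "Default"):
        for priv in sorted(rec["privs"].get(kind, set()) - BASELINE_PRIVS):
            findings.append(f"{kind} privilege {priv} beyond baseline")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_uaf(SAMPLE)):
        print("DRIFT:", finding)
```
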