DSNlink Version 3.0 for OpenVMS
Readme First
1-February-2001

Dear Customer,

This letter contains a brief description of DSNlink Version 3.0 for
OpenVMS[TM]. It also explains which save sets you need, how to download
the appropriate save sets, and how to uncompress them.

1 DSNLINK HAS ENCRYPTION

The major enhancement in DSNlink Version 3.0 is the addition of
encryption. DSNlink Version 3.0 encrypts messages between your DSNlink
system and Compaq with ciphers. A cipher is an encryption/decryption
algorithm. These ciphers are in DSNlink Version 3.0:

o Triple DES - a 168-bit block cipher (TDES)
o DES - a 56-bit block cipher (DES)
o RC4 - a 128-bit stream cipher (RC4_128)
o RC5 - a 128-bit block cipher (RC5_128)

The cipher is negotiated with the DSNlink host during the
authentication process. The default cipher is Triple DES.

DSNlink encrypts these communications between your system and the
Compaq host:

o Service request submissions, augmentations, and responses
o Requests for lists of routing codes, open and closed service
  requests, and supported products
o Interactive Text Search (ITS) sessions
o DSNlink mail messages
o Network Exerciser tests
o Remote login sessions
o System-Initiated Call Logging (SICL) service requests

  Your system may not have SICL, which is not included in DSNlink.
  SICL is part of the Compaq Analyze software, which uses DSNlink to
  send SICL service requests to the Compaq host.

If you use the DECwindows Motif interface, there is no indication that
the communication was encrypted except for messages in the window where
you started DSNlink. If you use the command line interface, window
messages list the encryption cipher and authentication method. Similar
messages also appear in the server log files.

Note that the DSNlink host must also run DSNlink Version 3.0 for
two-way encryption to occur. Communications from your DSNlink Version
3.0 system to a host running DSNlink Version 2.2 will fail.
The first connection failure is the Network Exerciser test that DSNlink
attempts at the end of the installation procedure. For information on a
workaround you can perform to allow unencrypted communications, see the
DSNlink Version 3.0 for OpenVMS Release Notes.

DSNlink NE Version 3.0 for OpenVMS (where "NE" means no encryption) is
a special kit for customers who cannot install DSNlink Version 3.0,
which encrypts all communications. Although DSNlink NE Version 3.0 does
not encrypt communications or contain encryption software, it does have
all the new features and bug fixes that are in DSNlink Version 3.0.

2 IMPROVED AUTHENTICATION

When either your system or the Compaq host initiates a connection, the
systems first perform authentication. The goal of the process is for
the customer and host systems to verify their identities to each other
before establishing a communication connection. The systems must
successfully authenticate themselves before either encrypted or
nonencrypted messages are exchanged.

Authentication has been enhanced with the addition of stronger,
hash-based message authentication code (HMAC) functions. During the
authentication process, DSNlink Version 3.0 combines a message with
your authentication key and processes the result with industry-standard
secure hash functions to generate a hash-based message authentication
code (HMAC) for the digital signature. The HMAC algorithm follows RFC
2104 guidelines.

The HMAC authentication methods in DSNlink Version 3.0 are:

o MD5_V3 uses the MD5 cryptographic hash function to produce a 128-bit
  signature.
o RMD160 uses the cryptographic hash function RIPEMD-160 to produce a
  160-bit signature.
o SHA1 uses the cryptographic hash function SHA-1 to produce a 160-bit
  signature.
o SR160 uses both the RIPEMD-160 and SHA-1 cryptographic hash functions
  to produce a 160-bit signature.
  The advantage of this method is that an adversary would have to break
  both the SHA-1 and RIPEMD-160 functions to break the signature. This
  is the default authentication method.

The older MD5 authentication method, which produces a 128-bit
signature, was used in earlier versions of DSNlink. Your DSNlink
Version 3.0 system will use this method if the host system is running
an earlier version of DSNlink. This method does not follow RFC 2104
guidelines and is not as secure as the HMAC methods mentioned above.

3 NEW AUTHENTICATION KEY

Previously, DSNlink used only MD5 to authenticate all connections. Both
your system and the Compaq host had identical MD5 keys.

In DSNlink Version 3.0, a key that is compatible with the HMAC
functions is required for authentication. It is a single key for the
SHA1, RMD160, and SR160 authentication methods. It has this location
and file name format:

   DSN$KEYS:HMAC-DIGITAL-access_number

If you install DSNlink Version 3.0 on a system with an earlier version
of DSNlink, the installation renames the existing
MD5-DIGITAL-access_number keys to HMAC-DIGITAL-access_number. The
contents of the MD5 key are not changed, just the file name.

If you install DSNlink Version 3.0 on a system without an earlier
version of DSNlink, the installation prompts you for the authentication
key. You can use the DSNlink authentication key from another of your
DSNlink systems. If you have no previous versions of DSNlink, Compaq
provides an authentication key for you to enter at the installation
prompt for a key.

If new or existing customers request an authentication key, the HMAC
key they receive is 16 characters longer than the MD5 keys. Customers
are encouraged to request the key because it is harder for an adversary
to break. For more information, contact Compaq.

4 RESTRICTIONS ON DISTRIBUTION

Exports of this product are subject to Section 740.17 of the U.S.
Export Administration Regulations pertaining to "retail encryption"
items eligible for U.S.
License Exception ENC. By downloading this kit, you agree you will
comply with those regulations.

5 HOW TO DOWNLOAD THE KIT FROM THE COMPAQ DSNLINK WEB SITE

To download the kit from the DSNlink Web site:

1. Using a browser, go to the following Web address:

     http://www.support.compaq.com/dsnlink/kit_vms_v30.htm

   The Web page titled "The DSNlink Version 3.0 for OpenVMS Kit"
   displays. DSNlink and DSNlink NE Version 3.0 kits for both Alpha[TM]
   and VAX[TM] systems are available for downloading from this page.

2. Determine which save sets you need to download. See Section 6 of
   this readme file for details.

   Note that if you are installing this kit on a VAX that is in an
   OpenVMS Cluster with Alpha systems, the VAX save sets that you
   download also have images for the Alpha systems. Similarly, if you
   install on an Alpha, the save sets include the files necessary for
   any VAX systems in a cluster.

3. Download the appropriate save sets or an entire kit according to the
   instructions on the Web page.

                                NOTE

     You can download these save sets to any operating system, but do
     not uncompress them until you have moved them to your OpenVMS VAX
     or Alpha system.

   See Section 7 of this readme file for instructions on uncompressing
   the save sets and preparing for installation.

6 WHICH SAVE SETS DO YOU NEED?

Table 1 describes the DSNlink save sets, which are actually
auto-extractible compressed files.
________________________________________________________________________

Table 1: DSNlink Save Sets

VAX Save Sets            Alpha Save Sets          Description
________________________________________________________________________

DSNLINK030.DCX_VAXEXE    DSNLINK030.DCX_AXPEXE    All save sets (A, B, C,
                                                  D, E, and S)
DSNLINK030.A_DCX_VAXEXE  DSNLINK030.A_DCX_AXPEXE  Installation files
DSNLINK030.B_DCX_VAXEXE  DSNLINK030.B_DCX_AXPEXE  Files for both Alpha
                                                  and VAX systems
DSNLINK030.C_DCX_VAXEXE  DSNLINK030.C_DCX_AXPEXE  VAX images
DSNLINK030.D_DCX_VAXEXE  DSNLINK030.D_DCX_AXPEXE  Alpha images
DSNLINK030.E_DCX_VAXEXE  DSNLINK030.E_DCX_AXPEXE  VMS Version 5.5-2 images
DSNLINK030.S_DCX_VAXEXE  DSNLINK030.S_DCX_AXPEXE  Documentation
________________________________________________________________________

You can download a file that contains ALL save sets
(DSNLINK030.DCX_VAXEXE or DSNLINK030.DCX_AXPEXE) or download only those
save sets that you need for your particular installation.

If you prefer to download individual save sets, determine which save
sets you need as follows:

o To install DSNlink on a standalone Alpha system that is running
  OpenVMS Version 6.2, 7.1 or 7.2, download:

     DSNLINK030.A_DCX_AXPEXE
     DSNLINK030.B_DCX_AXPEXE
     DSNLINK030.D_DCX_AXPEXE
     DSNLINK030.S_DCX_AXPEXE

o To install DSNlink on a standalone VAX system that is running
  OpenVMS Version 6.2, 7.1 or 7.2, download:

     DSNLINK030.A_DCX_VAXEXE
     DSNLINK030.B_DCX_VAXEXE
     DSNLINK030.C_DCX_VAXEXE
     DSNLINK030.S_DCX_VAXEXE

o To install DSNlink on a standalone VAX system that is running
  VMS[TM] Version 5.5-2, download:

     DSNLINK030.A_DCX_VAXEXE
     DSNLINK030.B_DCX_VAXEXE
     DSNLINK030.E_DCX_VAXEXE
     DSNLINK030.S_DCX_VAXEXE

  VMS Version 5.5-2 is not supported on Alpha systems.

o To install DSNlink on an OpenVMS Cluster of VAX and Alpha systems,
  you can install just once if you have a cluster common disk.
  For an OpenVMS Cluster of both VAX and Alpha systems, download these
  VAX save sets to install DSNlink on a VAX:

     DSNLINK030.A_DCX_VAXEXE
     DSNLINK030.B_DCX_VAXEXE
     DSNLINK030.C_DCX_VAXEXE
     DSNLINK030.D_DCX_VAXEXE
     DSNLINK030.S_DCX_VAXEXE

  For an OpenVMS Cluster of both VAX and Alpha systems, download these
  AXP save sets to install DSNlink on an Alpha:

     DSNLINK030.A_DCX_AXPEXE
     DSNLINK030.B_DCX_AXPEXE
     DSNLINK030.C_DCX_AXPEXE
     DSNLINK030.D_DCX_AXPEXE
     DSNLINK030.S_DCX_AXPEXE

Section 7 explains what to do with these save sets after you have
downloaded them.

7 AFTER YOU DOWNLOAD THE FILES, FOLLOW THESE INSTRUCTIONS

If you downloaded individual save sets, you must uncompress each one
and then restore the documentation save set (DSNLINK030.S). If you
downloaded one of the files that contains all save sets
(DSNLINK030.DCX_VAXEXE or DSNLINK030.DCX_AXPEXE), then you must
uncompress that file, restore the individual save sets contained within
it, and restore the documentation save set.

To uncompress individual save sets and restore the documentation save
set:

1. Uncompress each save set with the RUN command. For example:

     $ RUN DSNLINK030.A_DCX_VAXEXE

   The following messages appear:

     FTSV DCX auto-extractible compressed file for OpenVMS (VAX)
     FTSV V3.0 -- FTSV$DCX_VAX_AUTO_EXTRACT
     Copyright (c) Digital Equipment Corp. 1993

     Options: [output_file_specification [input_file_specification]]
     The decompressor needs to know the filename to use for
     the decompressed file. If you don't specify any, it will
     use the original name of the file before it was compressed,
     and create it in the current directory. If you specify a
     directory name, the file will be created in that directory.

     Decompress into (file specification): (press Return)
     Opening and checking compressed file...
     Decompressing (press Ctrl-T to watch the evolution)...
     Creating decompressed file...
     Original file specification: DSNLINK030.A_DCX_VAXEXE
     Decompressed file specification: DISK$USER1:[DURANT.DSNLINK]
     DSNLINK030.A;1

     Successful decompression, decompression report follows:
     File Size: 619.71 Blocks, 309.86 Kbytes, 317293 bytes
     Decompression ratio is 1 to 1.57 ( 56.85 % expansion )
     Elapsed CPU time: 0 00:00:01.12
     Elapsed time    : 0 00:00:02.97
     Speed           : 19636.36 Blocks/min, 9818.18 Kbytes/min,
                       167563.64 bytes/sec

2. Restore the documentation save set, DSNLINK030.S. Optionally, you
   can first display the file names in the save set with this command:

     $ BACKUP/LIST DSNLINK030.S/SAVE

   To restore the files from the save set to a directory, enter this
   command:

     $ BACKUP/SELECT=*.*/LOG DSNLINK030.S/SAVE ddcu:[dir]

   Substitute your system's device name and directory for ddcu:[dir].

3. Print or display the DSNlink Version 3.0 for OpenVMS Installation
   Guide. This document is supplied in PostScript and text formats. The
   file names are:

     DSNLINK030_INSTALLATION_GUIDE.PS
     or
     DSNLINK030_INSTALLATION_GUIDE.TXT

4. Install DSNlink Version 3.0 using VMSINSTAL.

5. Complete the appropriate postinstallation tasks as described in the
   installation guide.

To uncompress a file that contains multiple save sets
(DSNLINK030.DCX_VAXEXE or DSNLINK030.DCX_AXPEXE) and restore the
individual save sets within it:

1. Use the RUN command to uncompress the file. As shown in the
   following example, this command decompresses the auto-extractible
   compressed file into a file called DSNLINK030.BCK.

     $ RUN DSNLINK030.DCX_AXPEXE
        .
        .
        .
     Decompress into (file specification):
     Opening and checking compressed file...
     Decompressing (press Ctrl-T to watch the evolution)...
     Creating decompressed file...
     Original file specification: DSNLINK030.BCK;1
     Decompressed file specification: DISK$USER1:[DURANT.DSNLINK]
     DSNLINK030.BCK;1

     Successful decompression, decompression report follows:
     File Size: 45718.56 Blocks, 22859.28 Kbytes, 23407902 bytes
     Decompression ratio is 1 to 1.58 ( 57.92 % expansion )
     Elapsed CPU time: 0 00:00:46.66
     Elapsed time    : 0 00:00:49.59
     Speed           : 87350.20 Blocks/min, 43675.10 Kbytes/min,
                       745388.44 bytes/sec

2. Restore the save sets using the BACKUP command string as shown in
   the following example:

     $ BACKUP/LOG DSNLINK030.BCK/save DISK$USER1:[DURANT.DSNLINK]*.*
     %BACKUP-S-CREATED, created DISK$USER1:[DURANT.DSNLINK]DSNLINK030.A;1
     %BACKUP-S-CREATED, created DISK$USER1:[DURANT.DSNLINK]DSNLINK030.B;1
     %BACKUP-S-CREATED, created DISK$USER1:[DURANT.DSNLINK]DSNLINK030.C;1
     %BACKUP-S-CREATED, created DISK$USER1:[DURANT.DSNLINK]DSNLINK030.D;1
     %BACKUP-S-CREATED, created DISK$USER1:[DURANT.DSNLINK]DSNLINK030.E;1
     %BACKUP-S-CREATED, created DISK$USER1:[DURANT.DSNLINK]DSNLINK030.S;1

Once you have completed these tasks, restore the documentation save set
(DSNLINK030.S), as described in the previous procedure, print or
display the DSNlink Version 3.0 for OpenVMS Installation Guide, and
install DSNlink Version 3.0 using VMSINSTAL according to the
instructions in the guide.

Thank you for using DSNlink. For further assistance, please contact
your Customer Support Center.

DSNlink Program Office
Compaq Customer Support Center

_________

Copyright 1989, 2000, 2001 Compaq Computer Corporation.

Compaq, VAX, VMS, and the Compaq logo Registered in U.S. Patent and
Trademark Office.

Alpha and OpenVMS are trademarks of Compaq Information Technologies
Group, L.P. in the United States and other countries.

All other product names mentioned herein may be trademarks of their
respective companies.

Compaq shall not be liable for technical or editorial errors or
omissions contained herein. The information in this document is subject
to change without notice.
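
The RFC 2104 construction that Section 2 refers to, shown as an added example that is not part of the original readme and is not DSNlink code. It covers only the MD5_V3 and SHA1 methods, because the readme does not say how SR160 combines its two hash functions; the key and message are constructed sample values.

```python
import hashlib
import hmac

# Readme method names -> hash constructor. RMD160 and SR160 are left out:
# the readme does not specify how SR160 combines RIPEMD-160 and SHA-1.
METHODS = {"MD5_V3": hashlib.md5, "SHA1": hashlib.sha1}


def rfc2104_hmac(method: str, key: bytes, message: bytes) -> bytes:
    """H((K ^ opad) || H((K ^ ipad) || message)) as defined in RFC 2104."""
    h = METHODS[method]
    block = h().block_size            # 64 bytes for both MD5 and SHA-1
    if len(key) > block:              # over-long keys are hashed first
        key = h(key).digest()
    key = key.ljust(block, b"\x00")   # then zero-padded to one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = h(ipad + message).digest()
    return h(opad + inner).digest()


def signature_bits(method: str) -> int:
    """Signature length in bits, as quoted in the readme's method list."""
    return 8 * METHODS[method]().digest_size


def verify(method: str, key: bytes, message: bytes, signature: bytes) -> bool:
    """Recompute the HMAC and compare in constant time."""
    return hmac.compare_digest(rfc2104_hmac(method, key, message), signature)


if __name__ == "__main__":
    key = b"constructed-sample-key"   # constructed, not a DSNlink key
    msg = b"constructed authentication message"
    for name in METHODS:
        sig = rfc2104_hmac(name, key, msg)
        print(name, signature_bits(name), "bits", sig.hex())
        print("  genuine  :", verify(name, key, msg, sig))
        print("  tampered :", verify(name, key, msg + b"x", sig))
        print("  wrong key:", verify(name, b"other-key", msg, sig))
```

Both sides must hold the same key for `verify` to succeed, which is why the readme has the customer system and the Compaq host share one authentication key.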