Before you install the Purveyor Encrypt WebServer, be sure you have the software requirements listed in this section.
One of the following operating systems is required:
You also need to ensure that TCP/IP is installed and running. Purveyor for OpenVMS supports the following TCP/IP suites:
Purveyor is available on the following distribution media:
Contact your sales representative for details about the availability of other media types.
Purveyor requires approximately 5 MB of disk space for installation. You install Purveyor by using the standard OpenVMS VMSINSTAL command procedure. A summary of the installation is:
Purveyor uses a License Management Facility (LMF) Product Authorization Key (PAK) for licensing. There are two product names for licensing: "PURVEYOR-NA" (North American version) and "PURVEYOR." The North American version of Purveyor (for the US and Canada) must use the PURVEYOR-NA license, and non-North American areas can use either version. The producer is "PSC." The LMF PAK information is included on a separate piece of paper with your WebServer.
$ @SYS$UPDATE:VMSLICENSE
See Figure 35 for an example of a Purveyor license installation. In the example, the North American version is used. Note that this is not a valid license.
Figure 35 Sample VMS License Command Procedure
VMS License Management Utility Options:
1. REGISTER a Product Authorization Key
2. AMEND an existing Product Authorization Key
3. CANCEL an existing Product Authorization Key
4. LIST the Product Authorization keys
5. MODIFY an existing Product Authorization Key
6. DISABLE an existing Product Authorization Key
7. DELETE an existing Product Authorization Key
8. COPY an existing Product Authorization Key
9. MOVE an existing Product Authorization Key
10. ENABLE an existing Product Authorization Key
11. SHOW the licenses loaded on this node
12. SHOW the unit requirements for this node
99. EXIT this procedure
Type ? at any prompt for a description of the information
requested. Press Ctrl/Z at any prompt to exit this procedure.
Enter one of the above choices [1]
ISSUER: PSC
AUTHORIZATION NUMBER: 12345
PRODUCT NAME: PURVEYOR-NA
PRODUCER: PSC
NUMBER OF UNITS: 0
VERSION:
PRODUCT RELEASE DATE:
KEY TERMINATION DATE: 1-NOV-1999
AVAILABILITY TABLE CODE: F
ACTIVITY TABLE CODE:
KEY OPTIONS:
PRODUCT TOKEN:
HARDWARE I.D.:
CHECKSUM: 4-PLBH-PHLM-GFNE-LOOL
Note: This sample is an invalid license. Do not use it on your system.
Before installation, you need to mount the TK50 or CD-ROM device. Physically load the TK50 or CD-ROM distribution media onto the appropriate device.
If you are installing Purveyor from the TK50 distribution media, do not logically mount the device. VMSINSTAL does this later during installation.
If you are installing Purveyor from the CD-ROM media, see Table 17.
Table 17 Mounting the CD-ROM Media

To mount the CD-ROM and allow access from multiple users in a VMScluster, enter:

$ MOUNT/CLUSTER device volume-label

On a standalone system, or to prevent access from multiple users in a VMScluster, enter:

$ MOUNT device volume-label
To install the Purveyor Encrypt WebServer, make sure you have the correct kit for your location. The North American product kit is for the US and Canada, and you must install the PURVEYOR-NA license before you install the PURVEYOR021 Kit.
For all other areas, you must install the PURVEYOR license before you install the PURVEYOR_EX021 Kit.
You use Digital Equipment Corporation's VMSINSTAL procedure for OpenVMS layered products to install Purveyor. VMSINSTAL prompts you for any information it needs; most prompts require a yes or no answer.
You can abort the installation if you find that there are other users on the system or if you are dissatisfied with your system disk backup.
Note: Make sure you are logged in to the system manager's account.
To invoke VMSINSTAL, enter the following command:
$ @SYS$UPDATE:VMSINSTAL product kit-location
product is either PURVEYOR021 for the US/Canadian version or PURVEYOR_EX021 for the non-US version.
kit-location is the device and directory on which the distribution media is mounted.
For CD-ROM distribution, enter DEVICE:[PURVEYOR021.KIT].
For TK50 distribution, enter the device name of the device on which you loaded the TK50.
See Figure 36 for a sample installation of a North American kit on an OpenVMS VAX V6.2 machine. During the installation, when you are prompted for the common file area, specify the complete device and directory specification. For example, if you want to install the Purveyor files on SYS$SYSDEVICE, enter SYS$SYSDEVICE:[000000]. Do not specify the PURVEYOR directory; that is always added to what you specify. Purveyor installs both the VAX and Alpha executables into this common area to accommodate mixed-architecture clusters.
Figure 36 Sample Installation
$ @sys$update:vmsinstal purveyor021 sys$manager
VAX/VMS Software Product Installation Procedure V6.2
It is 6-AUG-1999 at 17:31.
Enter a question mark (?) at any time for help.
* Are you satisfied with the backup of your system disk [YES]?
* Where will the distribution volumes be mounted: sys$sysdevice:[mis.smith]
Enter the products to be processed from the first distribution volume set.
* Products: purveyor021
* Enter installation options you wish to use (none):
The following products will be processed:
PURVEYOR V2.1
Beginning installation of PURVEYOR V2.1 at 17:32
%VMSINSTAL-I-RESTORE, Restoring product save set A ...
Purveyor(TM) Encrypt WebServer for OpenVMS Version 2.1
Copyright (c) 1995 - 1999 by Process Software Corporation.
Refer to Part III of the Purveyor Encrypt WebServer for OpenVMS
Administrators Guide for details on installing Purveyor.
************************************WARNING*********************************************
Purveyor Encrypt (North American) WebServer for OpenVMS export
restriction:
Except for export to Canada for use in Canada by Canadian citizens, the
software and any underlying technology may not be exported outside the
United States or to any foreign entity or "foreign person" as defined by
U.S. government regulations, including without limitation, anyone who is
not a citizen, national or lawful permanent resident of the United
States. By installing or using the software, you are agreeing to the
foregoing and you are warranting that you are not a "foreign person" or
under control of a foreign person.
****************************************************************************************
* Do you agree to the foregoing condition [NO]: yes
Purveyor requires a Product Authorization Key (PAK) be registered and
loaded.
A valid PAK does not appear to be loaded. Please register and load the
Purveyor PAK immediately after the installation completes. Purveyor
will not run without a valid PAK registered and loaded.
To register and load a PAK, use @SYS$UPDATE:VMSLICENSE.
You can specify the directory where you want the Purveyor common
files installed. The default location for the Purveyor common files
is SYS$COMMON. A [.PURVEYOR] subdirectory will be created in the
directory you specify.
Please specify the complete device and directory specification. For
example, if you want to install the Purveyor files on SYS$SYSDEVICE,
you should enter SYS$SYSDEVICE:[000000]. You should NOT specify the
PURVEYOR directory as that is always added to what you specify.
* Where do you want to install the Purveyor common files [SYS$COMMON:[000000]]:
Your system will now be updated to include Purveyor Encrypt WebServer
for OpenVMS. This will take a short while.
%VMSINSTAL-I-RESTORE, Restoring product save set B ...
%VMSINSTAL-I-RESTORE, Restoring product save set C ...
%VMSINSTAL-I-SYSDIR, This product creates system disk directory
PURVEYOR_ROOT:[PURVEYOR].
%VMSINSTAL-I-SYSDIR, This product creates system disk directory PURVEYOR_ROOT:[PURVEYOR.HELP].
%VMSINSTAL-I-SYSDIR, This product creates system disk directory
PURVEYOR_ROOT:[PURVEYOR.ICONS].
%VMSINSTAL-I-SYSDIR, This product creates system disk directory
PURVEYOR_ROOT:[PURVEYOR.RSM].
%VMSINSTAL-I-SYSDIR, This product creates system disk directory PURVEYOR_ROOT:[PURVEYOR.SECURITY].
%VMSINSTAL-I-SYSDIR, This product creates system disk directory
PURVEYOR_ROOT:[PURVEYOR.SAMPLES].
%VMSINSTAL-I-SYSDIR, This product creates system disk directory
PURVEYOR_ROOT:[PURVEYOR.SAMPLES.SCRIPTS.SEARCH].
To complete the installation, follow the steps described in Part
III of the Purveyor Encrypt WebServer for OpenVMS Administrators
Guide.
%VMSINSTAL-I-MOVEFILES, Files will now be moved to their target directories . . .
Installation of PURVEYOR V2.1 completed at 17:39
Enter the products to be processed from the next distribution volume set.
* Products:
VMSINSTAL PROCEDURE DONE AT 17:39
During installation, the directories listed in Table 18 are created. The directory names are those reported by VMSINSTAL in Figure 36; each is referenced by the logical name shown.

Table 18 Purveyor Directories

Directory: PURVEYOR_ROOT:[PURVEYOR]
Logical: PURVEYOR
Contents: .COM and .EXE files.

Directory: PURVEYOR_ROOT:[PURVEYOR.HELP]
Logical: PURVEYOR_HELP
Contents: HTML and GIF files for online help. This directory is set up as a virtual path (~help). You can set up access control on this directory if you do not want users to use the online help, or remove the virtual path altogether (using Remote Server Management).

Directory: PURVEYOR_ROOT:[PURVEYOR.ICONS]
Logical: PURVEYOR_ICONS
Contents: Icons for directory browsing. This directory is set up as a virtual path (~icons) that is used to reference the icons.

Directory: PURVEYOR_ROOT:[PURVEYOR.RSM]
Logical: PURVEYOR_RSM
Contents: Remote Server Management files.

Directory: PURVEYOR_ROOT:[PURVEYOR.SAMPLES]
Logical: PURVEYOR_SAMPLES
Contents: Sample home pages and scripts. This directory is set up as a virtual path (~samples) that can be used to reference the sample documents. You can remove this virtual path (using Remote Server Management) once you no longer need the samples.

Directory: PURVEYOR_ROOT:[PURVEYOR.SECURITY]
Logical: PURVEYOR_SECURITY
Contents: Files that contain the definition of the encryption requirements.

Note: The ~icons virtual path is a special path and should not be changed. If you change the location of this directory and directory browsing is enabled, the necessary icons might not be found when needed.
To set up your server for the highest security, carefully review every CGI script and DLL you make available: any of them can be reached by unauthenticated clients, and a flaw in one can give an unauthorized user a way into Purveyor or into Remote Server Management. After your initial setup, disable RSM and shut down the CGI and DLL interfaces you do not need; this removes the paths by which users could reach RSM.
It is also recommended that you place the Web server behind a firewall.
You need to create a worker account that carries exactly the authorization the worker processes need. Running the workers under their own account gives a stricter level of security, because the account's access to system resources can be limited. It is highly recommended that you create such an account rather than accepting the default, which is to run the workers under the account from which Purveyor was started (that account must be highly privileged).
The account must meet the following requirements:
See Figure 37 for a template of the recommended worker account.
Note: If you specify a worker account during setup, you must create this account using the VMS AUTHORIZE utility. This user must have read access to the configuration database file and to the directory that contains the file. Write access is required to use Remote Server Management. A good place to put the configuration database file is in the worker account's login directory.
Figure 37 Example Worker Account
SYSUAF> SHOW HTTPD
Username: HTTPD                            Owner:  HTTPD
Account:  HTTPD                            UIC:    [1002,10] ([HTTPD])
CLI:      DCL                              Tables: DCLTABLES
Default:  DISK$SYS_LOGIN:[LOGIN.HTTPD]
LGICMD:   LOGIN
Flags:  DisMail
Primary days:   Mon Tue Wed Thu Fri
Secondary days:                     Sat Sun
Primary   000000000011111111112222  Secondary 000000000011111111112222
Day Hours 012345678901234567890123  Day Hours 012345678901234567890123
Network:  ----- No access ------    ----- No access ------
Batch:    ----- No access ------    ----- No access ------
Local:    ----- No access ------    ----- No access ------
Dialup:   ----- No access ------    ----- No access ------
Remote:   ----- No access ------    ----- No access ------
Expiration:            (none)    Pwdminimum:  6   Login Fails:     0
Pwdlifetime:           (none)    Pwdchange:   1-JUL-1996 10:49
Last Login:            (none) (interactive), 14-JUL-1996 17:03 (non-interactive)
Maxjobs:         0  Fillm:       128  Bytlm:        60000
Maxacctjobs:     0  Shrfillm:      0  Pbytlm:           0
Maxdetach:       0  BIOlm:        48  JTquota:       4096
Prclm:          12  DIOlm:        18  WSdef:         1024
Prio:            4  ASTlm:       256  WSquo:         1024
Queprio:         0  TQElm:        20  WSextent:     16384
CPU:        (none)  Enqlm:      2048  Pgflquo:      75000
Authorized Privileges:
  NETMBX    TMPMBX
Default Privileges:
  NETMBX    TMPMBX
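The following is an added example, not part of the Purveyor kit or its documentation. It shows the AUTHORIZE command that produces the account in Figure 37 (no interactive, network, batch, dialup or remote access; only NETMBX and TMPMBX; the quotas shown), followed by the DCL commands that give that account the file access the note above requires. The configuration database name DISK$SYS_LOGIN:[LOGIN.HTTPD]PURVEYOR.CNF and the use of the HTTPD rights identifier (created automatically by AUTHORIZE ADD) are assumptions for the example; the real name is whatever you enter in PURVEYOR_SETUP.

```dcl
$! Added example (not from the Purveyor kit): create the HTTPD worker
$! account of Figure 37 and grant it access to the configuration database.
$! Assumed: DISK$SYS_LOGIN exists, and the configuration database will be
$! DISK$SYS_LOGIN:[LOGIN.HTTPD]PURVEYOR.CNF (hypothetical name).
$ SET DEFAULT SYS$SYSTEM
$ RUN AUTHORIZE
UAF> ADD HTTPD -
     /OWNER="HTTPD" /ACCOUNT=HTTPD /UIC=[1002,10] -
     /CLI=DCL /LGICMD=LOGIN -
     /DEVICE=DISK$SYS_LOGIN: /DIRECTORY=[LOGIN.HTTPD] -
     /FLAGS=DISMAIL -
     /NOLOCAL /NONETWORK /NOBATCH /NODIALUP /NOREMOTE -
     /EXPIRATION=NONE /PWDLIFETIME=NONE /PWDMINIMUM=6 /GENERATE_PASSWORD -
     /MAXJOBS=0 /MAXACCTJOBS=0 /MAXDETACH=0 -
     /FILLM=128 /SHRFILLM=0 /BIOLM=48 /DIOLM=18 /ASTLM=256 -
     /TQELM=20 /ENQLM=2048 /BYTLM=60000 /PBYTLM=0 /JTQUOTA=4096 -
     /PRCLM=12 /PRIORITY=4 /QUEPRIO=0 /CPUTIME=0 -
     /WSDEFAULT=1024 /WSQUOTA=1024 /WSEXTENT=16384 /PGFLQUOTA=75000 -
     /PRIVILEGES=(NETMBX,TMPMBX) /DEFPRIVILEGES=(NETMBX,TMPMBX)
UAF> SHOW HTTPD
UAF> EXIT
$!
$! Login directory owned by the worker account; world gets no access.
$ CREATE/DIRECTORY DISK$SYS_LOGIN:[LOGIN.HTTPD] -
     /OWNER_UIC=[1002,10] /PROTECTION=(S:RWE,O:RWE,G,W)
$!
$! PURVEYOR_SETUP is run from the system manager's account, so the
$! database it creates is owned by SYSTEM. Deny group and world, and let
$! the worker read it (and write it, which RSM needs) through an ACE on
$! the HTTPD identifier.
$ SET SECURITY DISK$SYS_LOGIN:[LOGIN.HTTPD]PURVEYOR.CNF -
     /PROTECTION=(S:RWED,O:RWED,G,W) -
     /ACL=(IDENTIFIER=HTTPD,ACCESS=READ+WRITE)
$!
$! Verify: the ACE should be listed and the protection should show no
$! group or world access.
$ DIRECTORY/SECURITY DISK$SYS_LOGIN:[LOGIN.HTTPD]PURVEYOR.CNF
```

Because every login class is denied, the generated password cannot be used to log in as HTTPD; the account exists only so that Purveyor can run its worker processes under a UIC with two harmless privileges. If you later decide RSM is no longer needed, drop WRITE from the ACE so the workers can only read the database.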
Configure Purveyor from a local session on the server itself rather than across the LAN, so that access to the configuration can be controlled. For security reasons, it is also recommended that you install and configure Purveyor on a system that has no development software installed.
To configure your Purveyor server, log in to the system manager's account (if you are not already) and invoke the setup command procedure. Enter:
$ @PURVEYOR:PURVEYOR_SETUP
This command produces the menu options shown in Figure 38.
Note: You can abort the setup procedure by entering Ctrl/Z at any prompt.
Figure 38 Purveyor Setup Menu
Initialize - Initialize or create the database with defaults
Modify - Modify values to allow Remote Server Management
Access - Control Remote Server Management access
Exit - Exit
Selection [EXIT]:
You can specify one of the options by entering a unique string to identify your choice (abbreviations are acceptable). The default choice is Exit.
Purveyor requires a configuration database. This is an ASCII text file that stores all of the configuration information. The database needs to be created and initialized.
The Modify option allows you to change the parameters presented during initialization.
Note: The Modify option does not display the actual values from the configuration database when presenting the defaults.
The Access option allows you to modify the Directory Access Control (.VAC) file. The VAC specifies the users that can access a virtual path (for example, ~rsm). You can use the Access option to disable RSM totally or enable specific users to use RSM.
The Exit option leaves the setup procedure.
Enter I and press Return to select Initialize. The following prompt appears:
Database file to be initialized []:
Enter the complete file specification (the full pathname) of the configuration database. Purveyor checks whether the file exists and, if it does, asks whether to initialize it anyway (this deletes all information in the database and starts over).
After the file has been initialized, or if Purveyor does not find the file, you are prompted for the address on which Purveyor listens:
TCP/IP Address/Host Name on which to accept connections [0]:
Specify either the host name (for example, zeta) or the Internet address (for example, 192.42.95.1) on which Purveyor accepts connections. The default (0) accepts connections on any valid local Internet address. You must use 0 if you plan to use virtual servers. Next, you receive the following prompt:
TCP/IP Port on which to accept connections [80]:
Specify the port number on which to listen for incoming connections. The default is port 80. Next, you receive the following prompt:
Worker Process Username []:
Enter a valid OpenVMS username for the worker process. See the previous section for why you should create a dedicated account and how to do so. When you specify a worker account, a warning reminds you of the file access that account needs. Next, you receive the following prompt:
Enable Remote Server Management [YES]:
Note: Most of the server configuration can be done only through Remote Server Management. It is important that RSM be enabled at least initially to set up the server. Once the server is configured, you can disable RSM by using the Modify option of PURVEYOR_SETUP and answering NO to this question.
Enter YES (the default) to allow access to Remote Server Management. A NO answer disables Remote Server Management and completes the setup procedure. To enable Remote Server Management again once you have disabled it, you need to run PURVEYOR_SETUP again. When you answer YES, the following prompt appears:
The following Remote Server Management .VAC file exists:
<contents of the VAC file>
REPLACE all, APPEND at end, or USE as is [REPLACE]:
Note: For information on access control, see the chapter entitled Purveyor Security: Access Control.
REPLACE discards the existing contents of the .VAC file; APPEND adds new entries to the end of the .VAC file; USE leaves the file unchanged. If you choose APPEND, remember that the order of entries in the .VAC file matters, because entries are evaluated in sequence. For now, all you need to ensure is that you yourself are allowed access to Remote Server Management so that you can continue configuring the server. If you specify USE, you receive informational messages stating that the configuration database you specified is being initialized and the changes applied. If you specify REPLACE or APPEND, the following prompt appears:
Realm Name for user being granted access [Default]:
Enter the realm name for the user being granted access. A realm is simply a collection of users and groups. The default realm name is Default. If you enter a realm, you are prompted whether to use an existing realm or if you want to create a new realm, and whether you want to change the virtual server to use this new realm. Then, you receive the following prompt:
Username being granted access []:
Enter the name of the user you want to have access to Remote Server Management. The user's name must be present in the Default realm (see the section Users). This is a Purveyor username, which is distinct and separate from any OpenVMS username. Next, you receive the following prompt:
Password for username access:
Enter the user's password. You are prompted to enter the password again for verification:
Verify Password:
Type the password again. Next, you receive the following prompt:
IP address for access [*]:
Enter the address from which the user will connect, or enter an asterisk (*, the default) to accept the user from any address. Restricting RSM access to the specific address of the administrator's workstation is the safer choice: with *, a guessed or captured RSM password can be used from anywhere that can reach the server. After you enter the address, you receive informational messages stating what modifications are being made to the configuration database you specified.
Note: Purveyor reads the configuration database file when it starts, then periodically checks it for changes (about every ten minutes) and reloads the database if it was modified. If you make changes with PURVEYOR_SETUP, shut down and restart Purveyor so that the changes take effect immediately.
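The following is an added example of the whole initialization procedure, not a transcript from the Purveyor documentation. It shows only the prompts described above, with the answers a security-conscious first setup would give: the database is placed in the worker account's login directory, the dedicated HTTPD worker account is used, and RSM access is confined to one administrative address instead of the default *. Informational messages are omitted, and the database name PURVEYOR.CNF, the RSM username webadmin and the address 192.42.95.7 are assumptions for the example.

```dcl
$! Added example (not from the Purveyor documentation): a constructed
$! PURVEYOR_SETUP session that initializes a new configuration database.
$! Assumed values: database DISK$SYS_LOGIN:[LOGIN.HTTPD]PURVEYOR.CNF,
$! worker account HTTPD (see Figure 37), RSM administrator "webadmin"
$! allowed only from 192.42.95.7. Informational messages are elided.
$ @PURVEYOR:PURVEYOR_SETUP
Selection [EXIT]: I
Database file to be initialized []: DISK$SYS_LOGIN:[LOGIN.HTTPD]PURVEYOR.CNF
TCP/IP Address/Host Name on which to accept connections [0]: 0
TCP/IP Port on which to accept connections [80]: 80
Worker Process Username []: HTTPD
Enable Remote Server Management [YES]: YES
$! The next prompt appears only when an RSM .VAC file already exists.
$! REPLACE starts from a clean access list rather than inheriting entries
$! from a previous installation.
REPLACE all, APPEND at end, or USE as is [REPLACE]: REPLACE
Realm Name for user being granted access [Default]: Default
Username being granted access []: webadmin
Password for username access:
Verify Password:
$! Do not accept the default "*": tie RSM access to the workstation
$! from which you administer the server.
IP address for access [*]: 192.42.95.7
$!
$! Start the server with the database just created so that the rest of
$! the configuration can be done through RSM. Restart after any later
$! PURVEYOR_SETUP change; otherwise it is picked up at the next poll
$! (about ten minutes).
$ @PURVEYOR:PURVEYOR_STARTUP DISK$SYS_LOGIN:[LOGIN.HTTPD]PURVEYOR.CNF
```

Once the RSM work is finished, run PURVEYOR_SETUP again, choose Modify, answer NO to Enable Remote Server Management, and restart Purveyor; the ~rsm virtual path is then no longer reachable regardless of the address entry.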
Encryption of HTTP transactions is supported by Purveyor through its implementation of the Secure Sockets Layer protocol version 2.0 (SSL). SSL provides transaction security at the transport level of TCP/IP. (SSL 2.0 has since been found to have protocol-level weaknesses and was formally prohibited by RFC 6176; current browsers no longer negotiate it, so a Purveyor server offering only SSL 2.0 will not be able to establish encrypted sessions with them.)
SSL uses public key methods, such as RSA, to authenticate the server and negotiate a session key, and then uses a fast symmetric bulk cipher, such as RC4, to encrypt the data stream. Using SSL, the Purveyor Encrypt WebServer can deliver:
You configure your WebServer for encryption by using the Remote Server Management. Table 19 summarizes how to configure Purveyor for encryption using the RSM. For details about each step, refer to the specified part of the RSM section in this chapter.
Table 19 Configuring Purveyor for Encryption

Step 1: Create the private and public key pair. Refer to the Key Creation part of the RSM section.
Step 2: Obtain the key certificate from a Certificate Authority. Refer to the Key Creation part of the RSM section and Appendix A.
Step 3: Assign the private key and certificate pair to a virtual server. Refer to the Virtual Server part of the RSM section.
Step 4: Set the SSL port. Refer to the Main Settings part of the RSM section.
Step 5: Set the password used to decrypt the private key file. Refer to the Main Settings part of the RSM section.
Step 6 (optional): Set the security access controls you want. Refer to the Access Control part of the RSM section.
To test the SSL functionality, a test key and certificate are provided with the Purveyor kit. These files are installed in the Purveyor directory (PURVEYOR:) with the following names:
The password for this private key is test. TEST.CRT is self-signed for testing purposes and is not signed by any Certificate Authority.
This test key is for testing purposes only and must never be used to transmit sensitive information: the private key and its password ship with every copy of the kit, so anyone can decrypt traffic protected by it.
You need to start Purveyor from the system manager's account in order to continue the configuration using Remote Server Management (RSM):
$ @PURVEYOR:PURVEYOR_STARTUP configuration-file
configuration-file is the location and filename of the configuration database file as specified in the initial setup.
Note: TCP/IP must be running on your system before you start Purveyor.
Purveyor is now running as your server.
Once you have tested and set up Purveyor completely, you need to edit the system startup file so Purveyor starts each time the system starts.
Add a line similar to the following to the system startup file:
$ @device:[directory]PURVEYOR_STARTUP configuration-file
device:[directory] is the location where Purveyor is installed (the default is SYS$COMMON:[PURVEYOR]) and configuration-file is the complete file specification for the configuration database.
Note: You must place the line that starts Purveyor after the lines that start the TCP/IP networking software.
To stop all Purveyor WebServers running on the system, type the following at the command line prompt:
$ @PURVEYOR:PURVEYOR_SHUTDOWN