Saturday, November 19, 2016

DECNET: Connecting Two Digital DEC OpenVMS Servers on Different Internet Hosts to HECNET via a Single Bridge (Multi-Host DECNET Bridge Configuration for HECNET)


DECnet forever! My SIMH OpenVMS VAXen - QCOCAL (1.550) VAX Server 3900 Series in Washington DC and CLOUDY (1.551) VAX 11/780 in Kitchener, Ontario, Canada talk to the HECnet primary router MIM (1.13) - a real PDP-11 in Uppsala, Sweden running RSX-11M-PLUS and, through it, to numerous VAXen and PDPs across the world.


My first SIMH VAX Server 3900 series has been up now for almost a year. I call it "QCOCAL", in memory of a real VAX I used during my stint with Digital Equipment Corporation. The new QCOCAL lives inside a Centos 7 virtual machine on my DELL PowerEdge 2950 in the basement of our house in the Washington, DC metro area. It is connected to HECnet - the global hobbyist DECnet, using the DECnet bridge program written by Johnny Billquist.

Having recently procured a couple of Virtual Private Servers, I installed a second SIMH VAX-11/780 on one of them, calling the VAX "CLOUDY" (because it lives inside a cloud VPS). The VPS is hosted in a data-center in Kitchener, Ontario, Canada.

A view of just internet connectivity of the servers and the simulated VAXen looks like Diagram 1. The NICs of the Linux host servers are bridged and then tun/tap taps are used to connect the SIMH Vaxen. This is because the SIMH simulator grabs the entire configured NIC and we cannot really let it have the host's NIC all for itself (more information see "CHAPTER 3: Creating a TUN/TAP Pseudo Network Device and Bridging to the Host Network Interface").

Diagram 1 - internet connection schematic of two VAX servers to HECnet

To facilitate DECnet protocol communication, the DECnet Bridge program grabs DECnet packets from the ethernet taps (i.e. tap0, tap1), encapsulates them in UDP packets and sends them over the internet connections to be converted back into DECnet packets on the other side. Conceptually, it looks like diagram 2.

Diagram 2: DECnet Bridge connecting VAX Servers over Internet to HECnet 

Here is the network configuration of the SIMH host sanyalnet-openvms-vax.freeddns.org which is also LAN accessible as dormarth.sanyalnet.lan (CentOS 6) for QCOCAL:

[root@dormarth ~]# hostname
dormarth.sanyalnet.lan
[root@dormarth ~]# ip address show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 08:00:27:a1:81:b6 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::a00:27ff:fea1:81b6/64 scope link
       valid_lft forever preferred_lft forever
3: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
    link/ether 5e:e0:9a:25:cc:41 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::5ce0:9aff:fe25:cc41/64 scope link
       valid_lft forever preferred_lft forever
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 08:00:27:a1:81:b6 brd ff:ff:ff:ff:ff:ff
    inet 10.42.2.2/24 brd 10.42.2.255 scope global br0
    inet6 fe80::a00:27ff:fea1:81b6/64 scope link
       valid_lft forever preferred_lft forever
[root@dormarth ~]# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.42.2.0       0.0.0.0         255.255.255.0   U         0 0          0 br0
0.0.0.0         10.42.2.1       0.0.0.0         UG        0 0          0 br0


and QCOCAL (OpenVMS 7.3) itself :


$ SHOW NETWORK /FULL

The following network services are available at this time:

Product:  DECnet                Manufacturer:  Digital Equipment Corporation
Node:  QCOCAL                   Address(es):  1.550
Network Type:  DNA V            Interface(s):  net 0

Node 0 
at 2016-11-19-23:45:48.385+00:00Iinf

Identifiers

    Name                              = LOCAL:.QCOCAL
    Address                           = 
       {
          (
          [ DNA_CMIP-MICE ] ,
          [ DNA_SessionControlV3 , number = 19 ] ,
          [ DNA_OSItransportV1 , 'DEC0'H ] ,
          [ DNA_OSInetwork , 49::00-01:AA-00-04-00-26-06:21 (LOCAL:.QCOCAL) ]
          ) ,
          (
          [ DNA_CMIP-MICE ] ,
          [ DNA_SessionControlV2 , number = 19 ] ,
          [ DNA_OSItransportV1 , 'DEC0'H ] ,
          [ DNA_IP , 0.0.0.0 ]
          ) ,
          (
          [ DNA_CMIP-MICE ] ,
          [ DNA_SessionControlV3 , number = 19 ] ,
          [ DNA_NSP ] ,
          [ DNA_OSInetwork , 49::00-01:AA-00-04-00-26-06:20 (LOCAL:.QCOCAL) ]
          )
       }

Status

    UID                               = 06E08000-DF79-11D4-8001-AA0004000104
    State                             = On
    Functions Enabled                 = 
       {
          Address Watcher ,
          CMIP Listener
       }
    ID                                = AA-00-27-FD-99-EC

Characteristics

    Version                           = T5.0.3
    Implementation                    = 
       {
          [
          Name = OpenVMS VAX ,
          Version = "V7.3    "
          ] ,
          [
          Name = Compaq DECnet-Plus for OpenVMS ,
          Version = "V7.3 30-DEC-2000 00:04:42.43"
          ]
       }
    Script Location                   = <Default value>
    Maximum Listeners                 = 0
    Listener Template                 = <Default value>
    Secondary Names                   = 
       {
       }

Counters

    Creation Time                     = 2016-05-14-17:20:11.690+00:00Iinf
    Renames                           = 8
    Changes of ID                     = 108
    IDROM Check Failures              = 0
    Changes of Address                = 0


Node 0 Session Control Port *
at 2016-11-19-23:45:49.115+00:00Iinf

command failed due to:
 no such object instance


Node 0 Session Control
at 2016-11-19-23:45:50.025+00:00Iinf

Counters

    Creation Time                     = 2016-11-19-09:42:57.390+00:00Iinf
    Access Control Violations         = 0
    Backtranslation Deletions         = 0
    Deleted Maintained Objects        = 0
    Dangling Links                    = 0
    Verification Failures             = 0


Product:  TCP/IP                Manufacturer:  Compaq Computer Corporation
Node:  sanyalnet-vax.sanyalnet.lan Address(es):  10.42.2.5
Network Type:  TCP/IP           Interface(s):   

  Compaq TCP/IP Services for OpenVMS VAX Version V5.1
  on a VAXserver 3900 Series running OpenVMS V7.3    

                              
                            Port                       Remote
Device_socket  Type    Local  Remote  Service           Host

  bg3         DGRAM      520       0                   *
  bg10        STREAM      21       0  FTP              *
  bg14        DGRAM      123       0  NTP              *
  bg15        DGRAM      123       0  NTP              *
  bg16        DGRAM      123       0  NTP              *
  bg25        STREAM      25       0  SMTP             *
  bg29        STREAM      23       0  TELNET           *
  bg54        DGRAM      750       0                   *
  bg55        DGRAM       88       0                   *
  bg57        STREAM     749       0                   *
  bg58        DGRAM      464       0                   *
  bg65        STREAM    3333       0  NOTES            *
  bg69        STREAM      80       0                   *
  bg2196      DGRAM    49883       0                   *
  bg2200      DGRAM    49885       0                   *
  bg4031      STREAM      23   53896  TELNET           10.100.0.1
  bg5686      STREAM      23   46942  TELNET           123.120.100.141

Communication Parameters

Local host:      sanyalnet-vax          Domain:   sanyalnet.lan

                                 Maximum     Current        Peak
Proxies                               20
  

Remote Terminal
  Large buffers:           0
  UCBs:                    0
  Virtual term:     disabled

Similarly, here is the Linux network configuration of the CentOS 7 server that hosts CLOUDY:

[root@sanyalnet-cloud-vps2 openvms]# ip address show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP qlen 1000
    link/ether 00:50:56:a4:55:80 brd ff:ff:ff:ff:ff:ff
3: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP qlen 500
    link/ether 62:cb:23:2b:ad:77 brd ff:ff:ff:ff:ff:ff
4: tap1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP qlen 500
    link/ether be:61:88:db:42:78 brd ff:ff:ff:ff:ff:ff
5: tap2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast master br0 state DOWN qlen 500
    link/ether c2:4b:67:23:11:5d brd ff:ff:ff:ff:ff:ff
6: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 00:50:56:a4:55:80 brd ff:ff:ff:ff:ff:ff
    inet 64.137.228.122/24 brd 64.137.228.255 scope global br0
       valid_lft forever preferred_lft forever
[root@sanyalnet-cloud-vps2 openvms]# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         64.137.228.1    0.0.0.0         UG        0 0          0 br0
64.137.228.0    0.0.0.0         255.255.255.0   U         0 0          0 br0


And the network configuration on CLOUDY itself:

$ SHOW NETWORK/FULL

The following network services are available at this time:

Product:  DECnet                Manufacturer:  Digital Equipment Corporation
Node:  CLOUDY                   Address(es):  1.551
Network Type:  DNA V            Interface(s):  net 0

Node 0 
at 2016-11-20-00:04:46.390+00:00Iinf

Identifiers

    Name                              = LOCAL:.CLOUDY
    Address                           = 
       {
          (
          [ DNA_CMIP-MICE ] ,
          [ DNA_SessionControlV3 , number = 19 ] ,
          [ DNA_OSItransportV1 , 'DEC0'H ] ,
          [ DNA_OSInetwork , 49::00-01:AA-00-04-00-27-06:21 (LOCAL:.CLOUDY) ]
          ) ,
          (
          [ DNA_CMIP-MICE ] ,
          [ DNA_SessionControlV2 , number = 19 ] ,
          [ DNA_OSItransportV1 , 'DEC0'H ] ,
          [ DNA_IP , 0.0.0.0 ]
          ) ,
          (
          [ DNA_CMIP-MICE ] ,
          [ DNA_SessionControlV3 , number = 19 ] ,
          [ DNA_NSP ] ,
          [ DNA_OSInetwork , 49::00-01:AA-00-04-00-27-06:20 (LOCAL:.CLOUDY) ]
          )
       }

Status

    UID                               = 06E08000-DF79-11D4-8001-AA0004002706
    State                             = On
    Functions Enabled                 = 
       {
          Address Watcher ,
          CMIP Listener
       }
    ID                                = 08-00-2B-80-15-C8

Characteristics

    Version                           = T5.0.3
    Implementation                    = 
       {
          [
          Name = OpenVMS VAX ,
          Version = "V7.3    "
          ] ,
          [
          Name = Compaq DECnet-Plus for OpenVMS ,
          Version = "V7.3 30-DEC-2000 00:04:42.43"
          ]
       }
    Script Location                   = <Default value>
    Maximum Listeners                 = 0
    Listener Template                 = <Default value>
    Secondary Names                   = 
       {
       }

Counters

    Creation Time                     = 2016-11-17-05:26:45.540+00:00Iinf
    Renames                           = 6
    Changes of ID                     = 23
    IDROM Check Failures              = 0
    Changes of Address                = 0


Node 0 Session Control Port SCL$PORT$12010012
at 2016-11-20-00:04:47.870+00:00Iinf

Identifiers

    Name                              = SCL$PORT$12010012

Status

    Client                            = Session Control Application 42
    Local End User Address            = number = 42
    Transport Port                    = NSP Port NSP$PORT_00010013
    Direction                         = Incoming
    Remote End User Address           = UIC = [0,0]SANYAL
    Node Name Sent                    = <Default value>
    Version Sent                      = V2
    Outgoing Network Priority         = 0
    Incoming Network Priority         = 0
    Process Identifier                = "00000113"

Counters

    Creation Time                     = 2016-11-20-00:04:07.930+00:00Iinf


Node 0 Session Control
at 2016-11-20-00:04:48.910+00:00Iinf

Counters

    Creation Time                     = 2016-11-19-01:40:49.410+00:00Iinf
    Access Control Violations         = 0
    Backtranslation Deletions         = 0
    Deleted Maintained Objects        = 0
    Dangling Links                    = 0
    Verification Failures             = 0


Product:  TCP/IP                Manufacturer:  Compaq Computer Corporation
Node:  sanyalnet-cloudy-vax.gama-digital.com Address(es):  64.137.228.85
Network Type:  TCP/IP           Interface(s):   

  Compaq TCP/IP Services for OpenVMS VAX Version V5.1
  on a VAX-11/780 running OpenVMS V7.3    

                              
                            Port                       Remote
Device_socket  Type    Local  Remote  Service           Host

  bg7         STREAM      21       0  FTP              *
  bg11        DGRAM      123       0  NTP              *
  bg12        DGRAM      123       0  NTP              *
  bg13        DGRAM      123       0  NTP              *
  bg16        STREAM      25       0  SMTP             *
  bg18        STREAM      23       0  TELNET           *

Communication Parameters

Local host:      sanyalnet-cloudy-vax   Domain:   gama-digital.com

                                 Maximum     Current        Peak
Proxies                               20
  

Remote Terminal
  Large buffers:           0
  UCBs:                    0
  Virtual term:     disabled


BRINGING IT ALL TOGETHER: DECnet BRIDGE SETUP

Diagram 3: HECnet multi-host bridge configuration:
Connecting two OpenVMS Servers over DECnet and over a single bridge to HECnet 
DECnet end-node QCOCAL (1:550) is hosted on sanyalnet-openvms-vax.freeddns.org which runs the DECnet bridge process in multi-host configuration, listening on port 4711 and bridging in
  1. HECnet itself via psilo.update.uu.se on port 4711, and
  2. sanyalnet-cloud-vps2.freeddns.org on port 4712 which runs it's own bridge to DECnet end-node CLOUDY (1.551).
The bridge process is launched with the command line "bridge -p 4711" specifying the listening port, and here is the bridge.conf configuration file:


CLOUDY (1.551) is hosted on sanyalnet-cloud-vps2.freeddns.org which runs the DECnet bridge process listening on port 4712 and bridging to sanyalnet-openvms-vax.freeddns.org on port 4711 which in turn bridges in the HECnet network as well as QCOCAL. The DECnet bridge here is launched using the command line "bridge -p 4712" and the bridge.conf is simple:


DECnet forever!


Monday, November 14, 2016

OpenVMS Log Files Remote Logging to Unix/Linux SYSLOG Facility RSYSLOG

OpenVMS 7.3 on VAX logs on a remote Linux RSYSLOG syslog server
I gather all the logs I can from my many hobbyist servers and systems in a central place on one of my Virtual Private Servers running a rsyslog logger daemon on CentOS 7.

I wanted to add my QCOCAL hobbyist OpenVMS 7.3 VAX system logs to this central syslog server on my VPS.

Fortunately, all the work has already been done by Doug O'Neal from Homewood Academic Computing at Johns Hopkins University, whose SYSLOGD.C program pretty much worked out of the box.

The only tweak I made to Doug's SYSLOGD.C is to support a second OpenVMS Logical "SYSLOGD_PORT" to specify the UDP port number of my remote RSYSLOG Linux server, since I am not running it on the standard port (514). This is in addition to the "SYSLOGD_SERVER" Logical already supported by Doug's code.

Both Logicals need to be defined in the SYSTEM Logical Table LNM$SYSTEM_TABLE. Something like the following three lines in the OpenVMS startup file (SYS$MANAGER:SYSTARTUP_VMS.COM for my OpenVMS 7.3 VAX installation) suffice to start the VMS SYSLOG client at boot time;

$ define/system syslogd_server "64.137.248.212" ! IP address sanyalnet-cloud-vps.freeddns.org
$ define/system syslogd_port "65514"            ! UDP Port that remote syslogd is listening on
$ run/detached/process_name=syslogd/input=nl:/output=nl:/error=nl: DUA0:[TOOLS.SYSLOGD]SYSLOGD.EXE

Below is the SYSLOGD.C source code originally by Doug with the minor modifications by me. All credit to Doug O'Neal. This code compiles fine on my installation of Compaq C V6.4-005 on OpenVMS VAX V7.3 and I suspect it will on other versions, including OpenVMS ALPHA per Doug's comments at the top of the code. To build a binary,

$ CC  SYSLOGD
$ LINK  SYSLOGD

Some warning and informationals are generated by the compiler and linker, but nothing to stop SYSLOGD.EXE from being generated and used.

You can also download the source and OpenVMS VAX V7.3 binary executable from my FAL area on QCOCAL over HECNET or over the internet from QCOCAL served by WASD.

Making it secure


The OpenVMS SYSLOGD facility sends log content to the remote RSYSLOG server with no encryption, in cleartext over UDP. This is totally insecure - any rookie hacker could sniff the packets and learn a lot about what is going on with our OpenVMS server.

We need to make the transmission of the logs to the remote server secure.

Fortunately, I have recently setup a secure tunnel for logging to my remote central log server from my other hobbyist servers, as described in this post. This makes it really easy to secure OpenVMS log transmissions to the central server.

First, I identified a syslog server on the local LAN that is already configured as a secure tunnel (stunnel) client to my central log server. I decided to use the same Linux host (10.42.2.2) that is running the SIMH OpenVMS VAX for this purpose. It is directly and quickly accessible from the SIMH VAX (10.42.2.5) because the SIMH VAX network link is just a tun/tap bridge on the same server.

I opened up /etc/rsyslog.conf on this SIMH host Linux server, and uncommented the following lines to allow rsyslog to accept logger connections over network.

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

The TCP syslog reception port did not really need to be opened up for this rsyslog daemon to accept log entries over UDP from SYSLOGD.EXE on OpenVMS VAX, but may come in useful for later projects.

A restart of the rsyslog daemon on the Linux host is required after editing /etc/rsyslog.conf:

# service rsyslog restart

Then I logged into the OpenVMS VAX server and modified the OpenVMS SYSLOGD startup commands to point to the Linux SIMH host instead of the remote syslog server:

$ define/system syslogd_server "10.42.2.2"      ! IP address of the host this SIMH VAX is running on
$ define/system syslogd_port "514"              ! UDP Port of the host rsyslog server

SYSLOG then needs to be restarted on OpenVMS VAX:

$ show system
$ stop/id=<id of SYSLOGD>
$ run/detached/process_name=syslogd2vps/input=nl:/output=nl:/error=nl: DUA0:[TOOLS.SYSLOGD]SYSLOGD.EXE

Going back to the Linux host, an examination of the logs now reveals the VAX Server is sending logs here:

OpenVMS VAX SYSLOGD,EXE logging to rsyslog logger daemon running on it's own SIMH VAX linus host

And here is the fun part. Since this rsyslog daemon is already configured to use stunnel to send logs securely to the remote server, the logs from OpenVMS VAX are also forwarded to the remote syslogd daemon over the same secure tunnel.

Sure enough, checking my remote VPS central syslog server log, I see the OpenVMS VAX logs dutifully forwarded by the local SIMH host Linux box.

syslog entries on central rsyslog linux server from OpenVMS VAX forwarded by SIMH VAX Linux host over stunnel secure tunnel



Friday, November 11, 2016

Yet another OpenVMS DCL Command Procedure to Crawl and Report HECNET the Hobbyist DECNET in HTML served by WASD - OpenVMS VAX 7.3

"What is HECnet?

HECnet is a DECnet that connects different people who play around with different machines that have the DECnet protocol suite. The network should not be regarded as a serious networking setup, nor should it be expected to work 24/7. It's a hobby project between people who think it's fun to create a DECnet network.

HECnet is basically a DECnet phase IV network. Currently, the main router is a PDP-11 running RSX-11M-PLUS. The machine is located in Uppsala, Sweden.

The connectivity between nodes can be anything that works. The current connectivity is with an ethernet bridge between sites, DECnet over IP using Multinet on VMS or RSX, and DECnet over IP on Cisco. Other solutions that have been used are a virtual serial async. connection talking DDCMP. Other possibilities are GRE and DECnet over IP." - read more at http://www.update.uu.se/~bqt/hecnet.html

DECNET Architecture Network Stack

A DCL command procedure to copy over the latest list of HECNET nodes. Execute this using
$ @HECNET-NODENAMES-UPDATE.COM


The DCL script HECNET-SCAN.COM to crawl HECNET and generate the HTML pages. You can run this by itself for testing, or invoke this periodically (once a day or once a week) from a scheduled batch queue job.


The scheduled Batch Queue job for scheduled runs of the above command script. To enable, use the DCL command procedure HECNET-SCAN-BATCH.COM:
$ @HECNET-SCAN-BATCH.COM





Sunday, November 6, 2016

Install WASD OpenVMS Web Server | A Simple Minimal HTTP Server Configuration on Digital DEC OpenVMS VAX 7.3

WASD 11.0.2 Web Server on DEC Digital VAX 3900 OpenVMS VAX 7.3


This is what I did to bring up a minimal WASD web server on my VAX running OpenVMS 7.3. I did manage to have my website run from a separate user account than WASD and even link to my FAL$SERVER directory for HTTP access in addition to DECNET access to my FAL server.


Preparation


First, follow this post to install CPQ-VAXVMS-SSL-V0101-B-1.PCSI-DCX_VAXEXE and VMSPORTS-VAXVMS-ZLIB-V0102-8-1.ZIP. You should go ahead and follow the entire post to install CURL for OpenVMS VAX 7.3 anyway, CURL is a pretty useful tool to have on your VAX. The SSL version this obtained will remain unused by WASD but the installer will proceed. The installer will use ZLIB.

Then head to the WASD VMS Web Services Download Page and download the latest version for WASD for OpenVMS VAX 7.3. I downloaded the latest version at the time of writing: WASD1102.ZIP. You can also grab it from QCOCAL over HECNET or now by internet, thanks to WASD, from here.

Create a new directory WASD_ROOT on a device with at least 630,000 blocks free. I created DUA2:[WASD_ROOT], and this post is written to reflect that. Adjust according to your needs.

Unzip the downloaded installation ZIP file into the new directory and run the install command file using @INSTALL. Follow the prompts and answer questions taking cues from a log the installation procedure I captured and saved here to build and install the initial working configuration of WASD.

When the install.com procedure completes, start up WASD using @DUA2:[WASD_ROOT.STARTUP]STARTUP.COM and point a web-browser on another computer on your subnet to your VAX. You should see the default WASD web-site with no further configuration needed for the out-of-the-box installation. Use CTRL-Y to exit as instructed.

Set up a different http server root


Create another new directory to hold your web-site and a top-level web server document root under that. I first created DUA2:[WEBROOT] and then a [.HTML] directory under it. Set global read and execute permissions on this directory using

$ SET FILE/PROT=(W:RE) DUA2:[000000]WEBROOT.DIR
$ SET FILE/PROT=(W:RE) DUA2:[000000.WEBROOT.HTML]

Add a simple test HTML file under DUA2:[WEBROOT.HTML]INDEX.HTML - this will be returned to your browser after configuration is complete. The following INDEX.HTML will do fine as your initial test page:

<html><head><title>WASD OpenVMS/VAX</title></head><body><p>TEST</p><p><a href="/falserver/">FAL AREA ON THIS VAX &raquo;</a></p></body></html>

Copy over the EXAMPLE configuration files to DUA2:[WASD_ROOT.LOCAL]:

$ COPY DUA2:[WASD_ROOT.EXAMPLE]*.CONF DUA2:[WASD_ROOT.LOCAL]

Then change to the .LOCAL directory.


Setup Local Configuration of WASD


In the .LOCAL directory, edit WASD_CONFIG_MAP.CONF  and delete all lines. Add the following few lines only.





Edit WASD_CONFIG_GLOBAL.CONF and replace with the following contents. This is intended to bolster security by turning off scripting support, narrowing allowed default HTML files to index.html, enable reverse DNS lookup, add missing MIME types for directory displays etc. (DIFF with the .EXAMPLE version of WASD_CONFIG_GLOBAL.CONF to see the differences).


Edit  WASD_CONFIG_SERVICE.CONF and enable only HTTP port 80 on the WAN address for our minimal installation.



No other configuration files need to be manipulated for our minimal WASD web server configuration.

Configure Logicals and Startup at Boot

Define the following two logicals manually for now:

$ DEFINE /SYSTEM /EXEC /TRANSLATION=CONCEALED WEB_ROOT DUA2:[WEBROOT.HTML.]
$ define /system/exec /TRANSLATION=CONCEALED falserver dua2:[fal$server.]

Also add them to system boot-time startup definitions. Edit your SYS$MANAGER:SYSTARTUP_VMS.COM and add the following where you define your site-specific startup scripts:

$! Start up the web server
$ DEFINE /SYSTEM /EXEC /TRANSLATION=CONCEALED WEB_ROOT DUA2:[WEBROOT.HTML.]
$ define /system/exec /TRANSLATION=CONCEALED falserver dua2:[fal$server.]
$ @DUA2:[WASD_ROOT.STARTUP]STARTUP.COM
$!

Note: Since you already installed the SSL and ZLIB applications at the beginning, you should already have the following startup commands executing before starting the WASD web server:

$ @sys$startup:ssl$startup.com
$ @sys$startup:gnv$zlib_startup.com

Also, my FAL directory is at DUA2:[FAL$SERVER] and that is what the falserver logical above reflects. Obviously you need to adjust for your FAL Server location.

Important: Do not miss the dot before the closing square brackets in the logicals. As a quick test, commands like DIR WEB_ROOT:[000000] and DIR FALSERVER:[000000] need to resolve to the directories correctly. Examples of what I get:

DUA2:[WASD_ROOT.LOCAL] DIR WEB_ROOT:[000000]  

Directory WEB_ROOT:[000000]

DIGITAL.PNG;1       FAVICON.ICO;1       HTML.TAR;1          INDEX.HTML;22      
STYLES.DIR;1        

Total of 5 files.
DUA2:[WASD_ROOT.LOCAL] DIR FALSERVER:[000000]

Directory FALSERVER:[000000]

INFO.TXT;1          INTRUSIONS.TXT;11   INTRUSIONS.TXT;10   INTRUSIONS.TXT;9   
KRB.DIR;1           NET$SERVER.LOG;48   NODENAMES.DAT;172   NODENAMES.DAT;171  
SOFTWARE-DOWNLOADS.DIR;1                

Total of 9 files.


Stop WASD and restart it:

$ @DUA2:[WASD_ROOT.STARTUP]SHUTDOWN.COM
$ @DUA2:[WASD_ROOT.STARTUP]STARTUP.COM

Again point a web-browser (remember to Shift+Reload on your browser to force a fresh non-cached request) on another computer on your subnet to your VAX. You should now see tiny test html page. Clicking on the FAL AREA link should show the files in your FAL$SERVER directory.

Troubleshooting


The only stumble I had was with file and directory permissions. If you get "ERROR 403  -  The requested action is not permitted." or "ERROR 404  -  The requested resource could not be found." errors, remember WASD needs to be able to reach and read the HTML files for your website in a different account, as well as FAL area files, and make sure they at least have READ privileges for the World:

$ SET FILE/PROT=(W:R) DUA2:[WEBROOT...]*.*
$ SET FILE/PROT=(W:R) DUA2:[FAL$SERVER...]*.*

WASD writes its httpd Access Log to the .LOG directory wasd_root:[log]. Example:

DUA2:[WASD_ROOT.LOCAL] dir wasd_root:[log]

Directory WASD_ROOT:[LOG]

.WWW_HIDDEN;1       LOCALHOST_80_20161031_ACCESS.LOG;1      README.HTML;1      
SANYALNET-VAX-SANYAL_80_20161031_ACCESS.LOG;1               

Total of 4 files.

The WASD install script created two accounts - one to run the WASD server process, and a "nobody" account to run scripts from. In addition, I created the WEBROOT account as the root html directory. I modified the account expiration and password lifetimes so that their passwords do not expire. I also made the WEBROOT account captive with no NETMBX privilege - the only purpose of this account is to be a holding place for HTML files served by WASD web-server. Here are the account characteristics I see:

DUA2:[WASD_ROOT.LOG] cd sys$system
SYS$SYSROOT:[SYSEXE] mc authorize
UAF> show http$server /full

Username: HTTP$SERVER                      Owner:  WASD Server
Account:                                   UIC:    [77,1] ([HTTP$SERVER])
CLI:      DCL                              Tables: DCLTABLES
Default:  DUA2:[HTTP$SERVER]
LGICMD:   LOGIN.COM
Flags:  DisNewMail DisMail
Primary days:   Mon Tue Wed Thu Fri        
Secondary days:                     Sat Sun
Primary   000000000011111111112222  Secondary 000000000011111111112222
Day Hours 012345678901234567890123  Day Hours 012345678901234567890123
Network:  ##### Full access ######            ##### Full access ######
Batch:    ##### Full access ######            ##### Full access ######
Local:    -----  No access  ------            -----  No access  ------
Dialup:   -----  No access  ------            -----  No access  ------
Remote:   -----  No access  ------            -----  No access  ------
Expiration:            (none)    Pwdminimum:  6   Login Fails:     0
Pwdlifetime:         90 00:00    Pwdchange:      (pre-expired) 
Last Login:            (none) (interactive),  6-NOV-2016 09:18 (non-interactive)
Maxjobs:         0  Fillm:       300  Bytlm:      5000000
Maxacctjobs:     0  Shrfillm:      0  Pbytlm:           0
Maxdetach:       0  BIOlm:      2000  JTquota:       4000
Prclm:         100  DIOlm:      1000  WSdef:         1000
Prio:            4  ASTlm:      2000  WSquo:         4000
Queprio:         0  TQElm:       100  WSextent:     20000
CPU:        (none)  Enqlm:       500  Pgflquo:     500000
Authorized Privileges: 
  NETMBX    TMPMBX
Default Privileges: 
  NETMBX    TMPMBX
Identifier                         Value           Attributes
  WASD_HTTP_SERVER                 %X80010003      
UAF> 
UAF> show http$nobody /full

Username: HTTP$NOBODY                      Owner:  WASD Scripting
Account:                                   UIC:    [76,1] ([HTTP$NOBODY])
CLI:      DCL                              Tables: DCLTABLES
Default:  DUA2:[HTTP$NOBODY]
LGICMD:   LOGIN.COM
Flags:  DisNewMail DisMail
Primary days:   Mon Tue Wed Thu Fri        
Secondary days:                     Sat Sun
Primary   000000000011111111112222  Secondary 000000000011111111112222
Day Hours 012345678901234567890123  Day Hours 012345678901234567890123
Network:  ##### Full access ######            ##### Full access ######
Batch:    -----  No access  ------            -----  No access  ------
Local:    -----  No access  ------            -----  No access  ------
Dialup:   -----  No access  ------            -----  No access  ------
Remote:   -----  No access  ------            -----  No access  ------
Expiration:            (none)    Pwdminimum:  6   Login Fails:     0
Pwdlifetime:         90 00:00    Pwdchange:      (pre-expired) 
Last Login:            (none) (interactive),  5-NOV-2016 01:33 (non-interactive)
Maxjobs:         0  Fillm:       300  Bytlm:       500000
Maxacctjobs:     0  Shrfillm:      0  Pbytlm:           0
Maxdetach:       0  BIOlm:      2000  JTquota:       4000
Prclm:         100  DIOlm:      1000  WSdef:         1000
Prio:            4  ASTlm:      2000  WSquo:         4000
Queprio:         0  TQElm:       100  WSextent:     20000
CPU:        (none)  Enqlm:       500  Pgflquo:     500000
Authorized Privileges: 
  NETMBX    TMPMBX
Default Privileges: 
  NETMBX    TMPMBX
Identifier                         Value           Attributes
  WASD_HTTP_NOBODY                 %X80010004      
UAF> 
UAF> 
UAF> show webroot /full    

Username: WEBROOT                          Owner:  WEB ROOT HTML FILES
Account:  WEBROOT                          UIC:    [200,236] ([WEBROOT])
CLI:      DCL                              Tables: DCLTABLES
Default:  DUA2:[WEBROOT]
LGICMD:   LOGIN
Flags:  Captive
Primary days:   Mon Tue Wed Thu Fri        
Secondary days:                     Sat Sun
No access restrictions
Expiration:            (none)    Pwdminimum:  6   Login Fails:     0
Pwdlifetime:           (none)    Pwdchange:      (pre-expired) 
Last Login:  5-NOV-2016 01:51 (interactive),            (none) (non-interactive)
Maxjobs:         0  Fillm:       300  Bytlm:        32768
Maxacctjobs:     0  Shrfillm:      0  Pbytlm:           0
Maxdetach:       0  BIOlm:        40  JTquota:       4096
Prclm:           2  DIOlm:        40  WSdef:          256
Prio:            4  ASTlm:        40  WSquo:          512
Queprio:         0  TQElm:        40  WSextent:      1024
CPU:        (none)  Enqlm:       200  Pgflquo:      32768
Authorized Privileges: 
Default Privileges: 
UAF> 
UAF> exit
%UAF-I-NOMODS, no modifications made to system authorization file
%UAF-I-NAFNOMODS, no modifications made to network proxy database
%UAF-I-RDBNOMODS, no modifications made to rights database
SYS$SYSROOT:[SYSEXE]

There are some fabulous folks at the comp.os.vms newsgroup that are always ready to help. For example, this post came in extremely useful for me when I was struggling with HTTP 403 errors.