[Search for users] [Overall Top Noters] [List of all Conferences] [Download this site]

Conference bulova::decw_jan-89_to_nov-90

Title:DECWINDOWS 26-JAN-89 to 29-NOV-90
Notice:See 1639.0 for VMS V5.3 kit; 2043.0 for 5.4 IFT kit
Moderator:STAR::VATNE
Created:Mon Oct 30 1989
Last Modified:Mon Dec 31 1990
Last Successful Update:Fri Jun 06 1997
Number of topics:3726
Total number of notes:19516

3072.0. "Using cluster alias in Session Security db" by MSBCS::SKI () Thu Jul 12 1990 17:23

    I am having a problem with the Session Security on my workstations.

    I have a cluster called CHIPRA (alias) with a workstation called BLOTTO
    and another cluster called MSBCS (alias) with a workstation called MSBIS.
    Both clusters/workstations are running same VMS V5.3-2 and DECwindows V2.

    (Now, before someone jumps up and yells "You can't use the alias," please
    read a little further.)

    My problem seems to be specificly with the CHIRPA alias; the MSBCS alias
    works perfectly for me when displaying to either workstations.

    When I set security like this (using the cluster alias's):
    	DECNET MSBCS SKI
    	DECNET CHIRPA SKI

    I get the following results:
    	can    display to BLOTTO from any node on MSBCS  cluster.
    	can    display to MSBIS  from any node on MSBCS  cluster.
    	cannot display to BLOTTO from any node on CHIRPA cluster.
    	cannot display to MSBIS  from any node on CHIRPA cluster.

    I get this classic error when I cannot display:
    	CHIRPA> SET DISPLAY/CREATE/NODE=BLOTTO
    	CHIRPA> RUN SYS$SYSTEM:DECW$PAINT
    	Xlib:  connection to "BLOTTO::0.0" refused by server
    	Xlib:  Client is not authorized to access server
    	X Toolkit Error: Can't Open display
    	%DWT-F-DWTABORT, xtoolkit fatal error

    The VMS DECwindows User's Guide states that the nodename you specify
    in the DECwindows security db must be an individual node name and not
    a cluster alias.  This is obviously a bogus statement since it does work
    for the MSBCS cluster alias 100% of the time.

    I suspect I should be able to 'fix' the CHIRPA alias by doing a
    NCP> SET OBJECT _something_ ALIAS OUTGOING ENABLED
    or some similar voodoo, but I have no idea what object to modify.

    Of course I could always just forget about the alias and specify
    all the specific nodes individually, but that's not what I want;
    besides, it's very messy, IMHO.

    So my ultimate question is:
    How do I get the CHIRPA alias to work like the MSBCS alias?
T.RTitleUserPersonal
Name		DateLines
3072.1You can use cluster aliases, but at a priceSTAR::VATNEPeter Vatne, VMS DevelopmentThu Jul 12 1990 18:5722
It turns out that cluster aliases can be used with DECwindows, but
at a fairly hefty performance cost.  The object name you are looking
for is X$X0.  Therefore, the command you need is something like:

NCP> SET OBJECT X$X0 ALIAS OUTGOING ENABLED

If you do this, then any connection originating from any node in
the cluster will identify itself as being from the cluster, and
not from an individual node.  This simplifies the security setup.
However, events and replies returned from the server get sent to
the cluster router, which in turn forwards the packets to the
originating node.  This results in significant overhead.

Since we don't document how cluster aliases can be enabled, the
statement in the VMS DECwindows User's Guide that the nodename
must be an individual node name and not a cluster alias still stands.
If you do something unsupported like setting the cluster alias, then
of course you can expect the behavior to not match the documentation.

I suspect what has happened is that someone enabled the alias on
MSBCS, but not on CHIRPA.  Go ahead and set the alias, and let us
know if the performance is acceptable to you.
3072.2I really hope I'm wrong about this...IO::MCCARTNEYJames T. McCartney III - DTN 381-2244 ZK02-2/N24Fri Jul 13 1990 11:228
But doesn't enabling alias effectively double the network traffic
per event? Sounds like a really high price. In an environment like 
most of Digital's larger sites -- where we're already running out
of time on the wire -- this doesn't seem worth it. Especially if 
all it "saves" is having to type a few additional entries in a table.

James
3072.3MSBCS::SKIFri Jul 13 1990 13:1917
>> But doesn't enabling alias effectively double the network traffic
>> per event?

    I must admit I do not know; even our local DataComm guy doesn't
    know.  Is there anyone out there who can give a definitive answer
    on this?

>> this doesn't seem worth it.  Especially if 
>> all it "saves" is having to type a few additional entries in a table.

    Agreed.  If this turns out to be the case, then I certainly won't
    enable the aliases.

    So far I have not noticed a difference in response times between
    the cluster using the alias and the cluster which is not.
    However, I might just be getting lucky, or perhaps the part of
    the network I am in isn't too heavily used.
3072.4You've hit it right on the headSTAR::VATNEPeter Vatne, VMS DevelopmentFri Jul 13 1990 13:218
>But doesn't enabling alias effectively double the network traffic
>per event? Sounds like a really high price. In an environment like 
>most of Digital's larger sites -- where we're already running out
>of time on the wire -- this doesn't seem worth it. Especially if 
>all it "saves" is having to type a few additional entries in a table.

This is exactly my point about "a fairly hefty performance cost",
and the main reason we don't document cluster alias support.
3072.5That settles itMSBCS::SKIFri Jul 13 1990 13:263
    Well then, I'm off to kill the alias.

    Thanks muchly!
3072.6Alias performance tutorialSTAR::BECKPaul Beck - VMS DevelopmentTue Aug 07 1990 14:4421
As a postscript to this discussion (I haven't followed this conference for a
long time), a word from the horse's mouth (the designer of cluster alias):

There are two reasons why performance using an alias is degraded relative to
using a specific node name. First is routing: every packet to or from the alias
must pass through at least one router (in the cluster) and sometimes two
(add the designated router if the packet originates off-LAN). This means that
the packet appears on the Ethernet 2-3 times.

The second factor is packet size: if both sender and receiver are on the same
Ethernet, DECnet will optimize the buffer size used from the default 576 to
1498. When an alias is in use, one of the nodes is off-LAN (the alias node, 
which is not a real node). We can't fake this, because the same bit that tells
DECnet to optimize the buffer size is used to tell on-LAN endnodes to bypass
the router and address the node directly. Since there is no node on the Ethernet
with the alias' hardware address, this would prevent communications.

So with an alias, smaller buffer sizes are used, tripling the number of [large]
packets in use. (This effect is primarily of interest for traffic like file
transfers; interactive traffic which doesn't involve packets larger than 576
bytes would not see this effect).