Hub/Switch Installation Guide

ManualsBrandsIBM ManualsSwitchHub/Switch

181

182

183

184

185

186

187

188

189

190

Chapter 3 System Preparation

188 September 2002 HPSS Installation Guide

Release 4.5, Revision 2

2. The Data Serverrequiresread FilePermission on its userauthorization ﬁle,whose default

location is /var/hpss/ssm/hpssadm.conﬁg. The hpssadm utility requires read FilePermis-

sion for the user's keyﬁle ﬁle, the default location for which is /var/hpss/ssm/keytab

grant {

permission java.io.FilePermission "/var/hpss/-", "read";

};

Thedash ("-")in thepathname inthis examplesigniﬁes thatthe permissionis tobe granted

to everything in the /var/hpss tree, recursively. Sites which wish to be more restrictive can

write a separate grant clause for each ﬁle or directory to which they want to allow access.

Java FilePermission is applied as an additional layer of protection on top of the local

operating system ﬁle protections, not as a replacement for them. If the Java permission is

notgranted,the applicationwillnotbe allowedto accesstheﬁle, regardless ofthelocal ﬁle

system permissions. Ifthe Java permission isgranted but the localﬁle system permissions

deny access to the ﬁle, the application will not be allowed access.

3. TheDataServerandthehpssadm utilitymayrestricttheremotehostswithwhichtheywill

communicate by setting their SocketPermission.

Accordingto the documentation, and upheld by some ofour testing, youshould not need

an explicit SocketPermission in the policy ﬁle just to listen on public ports nor to connect

to applications on the same or other hosts; that permission is supposed to be granted

implicitly.Butwe'vefoundsomeimplementationsonwhich,evenwiththesystemsecurity

and policy ﬁles set the same, the applications required that at least connect and listen

permissionbegrantedexplicitlyfromapolicyﬁle.So,partlyforthisreason,weincludethis

permission in the default policy ﬁles for both the Data Server and hpssadm.

Theother reasonweinclude thispermission entryis thatit canbe restrictedtoa singlehost

or set of hosts and/or ports. The following example grants access to all hosts from the

ornl.gov domain:

grant {

permission java.net.SocketPermission

"*.ornl.gov:1024-",

"connect,accept,listen,resolve";

};

Sites which wish to operate under tighter security can set the Java security ﬁle so that only the

system wide policy ﬁle is recognized and speciﬁcation of an alternate or additional policy ﬁle on

the Java command line is not allowed.

Seethedocumenton Javapolicy ﬁle syntax listedinSection 3.8.9.2:Referencesonpage194 formore

information on settings policies.

3.8.5 Setting up the Client Authorization File

This ﬁle must exist in order for the Data Server to be initialized, but it may be empty if there is no

desire to use the hpssadm utility.