Hub/Switch Installation Guide
Chapter 3 System Preparation
192 September 2002 HPSS Installation Guide
Release 4.5, Revision 2
call returns silently if it determines the code is allowed the requested access, and otherwise throws
an exception, which halts the program.
Applet code runs under a security manager (usually) because most browsers implement one. The
security manager won't let the applet do anything not allowed by the policy file(s). Applets are not
allowed to install security managers; browsers do it first thing, anyway, and nobody can install a
second one in a running program.
Applications don't have to run under a security manager. If they choose to run under a security
manager, then, like applets, they can do only what the policy file(s) allow. Code must have
java.lang.RuntimePermission setSecurityManager in order to set the security manager, or else it
gets the default Security Manager.
By default, the java.security file lets you pass an additional Java policy file on the command line; this can
be disabled in java.security by changing
policy.allowSystemProperty=true
to false:
policy.allowSystemProperty=false
By default, the java.security file specifies system wide and user policy files; this, too, can be
changed in the file.
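As an added example (not part of the HPSS guide), the shell functions below audit a java.security file for the setting described above: they report whether policy.allowSystemProperty is explicitly false and list the system-wide and user policy files named by the policy.url.N entries. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a java.security file for the settings discussed above.

# Effective value of property $2 in file $1 (last uncommented assignment wins).
prop_value() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }                      # skip comment lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)          # trim the key
            gsub(/^[ \t]+|[ \t\r]+$/, "", v)        # trim the value
            if (k == key) val = v
        }
        END { if (val != "") print val }' "$1"
}

# Uncommented policy.url.N entries: the policy files the JVM loads by default.
policy_urls() {
    awk '/^[ \t]*policy\.url\.[0-9]+[ \t]*=/ { gsub(/^[ \t]+|[ \t\r]+$/, ""); print }' "$1"
}

# Returns 0 if command-line policy files are disabled, 1 if enabled, 2 if unset.
audit_java_security() {
    v=$(prop_value "$1" policy.allowSystemProperty | tr 'A-Z' 'a-z')
    case "$v" in
        false) rc=0; echo "OK: policy.allowSystemProperty=false" ;;
        true)  rc=1; echo "WARN: policy.allowSystemProperty=true (extra policy file accepted on command line)" ;;
        *)     rc=2; echo "CHECK: policy.allowSystemProperty is not set explicitly" ;;
    esac
    echo "Policy files named in $1:"
    policy_urls "$1" | sed 's/^/  /'
    return "$rc"
}

# Constructed sample input (not copied from any installation).
write_sample() {
    cat > "$1" <<'EOF'
# policy.allowSystemProperty=false
policy.url.1=file:${java.home}/lib/security/java.policy
policy.url.2=file:${user.home}/.java.policy
policy.allowSystemProperty = true
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_java_security "$sample" || true
rm -f "$sample"
```

Point audit_java_security at the java.security file of the Java installation that actually launches the application; a commented-out setting, as in the first line of the sample, has no effect.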
SSL provides the SSM Data Server and the hpssadm utility a secure encrypted channel over which
to transport the hpssadm user's password. SSL requires the use of two kinds of keys, symmetric
and public, and of X.509 certificates.
A key is a number used with an encryption algorithm to encrypt or decrypt data.
Anything encrypted with a symmetric key can be decrypted only by the same symmetric key. If two
parties have access to the same symmetric key, they can use it to share encrypted information.
Public keys are created in pairs consisting of a public key and a private key. Anything encrypted
with the public key can be decrypted only with the private key, and vice versa, anything encrypted
with the private key can be decrypted only with the public key. In general, a user is the only one
who has access to his own private key, but he makes his public key known to everybody. Then
anybody can encrypt data for him in his public key, and he is the only one who can decrypt it.
Symmetric key encryption is faster than public key encryption, but public key encryption is easier
to manage, because you don't have to distribute and protect a shared key to all the parties involved.
The private key is retained by one party and protected; the public key is distributed to everyone
and need not be protected.
A digital signature is an encrypted piece of data used to validate the identity of the sender. Digital
signatures are created by having a party encrypt some known piece of data in his private key. Then
anybody can decrypt the data using his public key, and if the decryption works properly, they know
the signature is valid and only the true party could have sent it, since he's the only one with access
to the private key.
An X.509 certificate is a digitally signed electronic document identifying a party. It includes, among
other things, a name representing the party, a representation of his public key, and a digital
signature of some certificate authority. A certificate authority is a company, like Verisign, whom