Hub/Switch Installation Guide

Chapter 3 System Preparation
HPSS Installation Guide September 2002 193
Release 4.5, Revision 2
you can pay to issue X.509 certificates to you. Certificates can also be created by individuals and
self-signed by the party owning the certificate. A program uses a file of these certificates as its
"trusted store", the set of certificates of parties it will trust.
Whereas a digital signature confirms that the issuing party possesses the private key corresponding
to a particular public key, a certificate confirms that some verification has been done as to the
identity of its owner. After all, anyone can generate a public/private key pair, publish the public
key, and claim to be User X or Company Y. A certificate proves that some verification has been done
(by the certificate authority) to ensure that the party really is User X or Company Y, and it binds the
party to his public key. If you pay a company like Verisign for a certificate, they contact you and
follow some procedures to ascertain that you really are who you claim to be.
The validity of a certificate itself can be verified by a checksum called a fingerprint. Before the
system administrator places a certificate in his trusted store, he checks its fingerprint against the
known value for that certificate. For certificates from authorities like Verisign, these fingerprints are
published somewhere, like a web page. For self-signed certificates, the administrator gets the
fingerprint from the certificate owner/creator, who of course should be someone the administrator
trusts.
When one program presents its certificate to a second program, the second program checks its
trusted store for the certificate. If it is there, then the second program assumes the first program is
really who he claims to be. More often, the certificate of the first program is not in the trusted store,
but it is signed by a certificate authority whose certificate IS in the trusted store. You can also have
chains of certificates: a certificate is signed by an authority whose certificate is signed by an
authority whose certificate is in the trusted store. So long as the second program can find a
certificate in the chain which is in his trusted store, he can trust the certificate owner. This chaining
ability was designed to allow systems to verify certificates from many arbitrary parties, without
having to import each of their certificates individually (which would involve manually verifying
their fingerprints).
SSL uses X.509 certificates to identify the server (in our case, the SSM Data Server) to the client (in
our case, the hpssadm utility). Then the client generates a secret piece of data and passes it to the
server using the server's public key. The client and server use this initial secret piece of data to
negotiate a new shared symmetric key, and then use the symmetric key for the remainder of the
session.
Java stores keys and certificates in files called keystores. The keystore file is password-protected;
even if you have read-access to the file, you can't get the key out unless you know this password.
SSL requires that the server be able to obtain his private key, so he must know this password. This
means that the server must be started manually and allow a user to type in this password, or that
the password must be stored online somewhere. The SSM Data Server may be executed either way;
in Low Security mode, the password to the keystore is stored on a file on the Data Server's machine
and read by the Data Server at startup time. In Normal Security mode, the Data Server prompts for
the password at the beginning of execution.
The Data Server and the hpssadm utility are connected by two RMI (Java Remote Method
Invocation) sessions. In the first session, the Data Server acts as the server and hpssadm acts as the
client. This is the session on which all hpssadm requests, such as to start or stop servers, force
migrations, or lock devices, are issued. It is also the session over which the hpssadm user's
password is transferred to the Data Server. This session uses SSL underneath RMI to encrypt the
entire connection, not just the password.
In the second session, the hpssadm utility acts as the server and the Data Server acts as the client.
This is the session used by the Data Server to send asynchronous data change notifications to the