Chapter 3 System Preparation
186 September 2002 HPSS Installation Guide Release 4.5, Revision 2

    % cp cacerts cacerts.ORIG
    % $JAVA_HOME/bin/keytool -keystore cacerts -import \
        -file /tmp/ds.cer -alias hpss_ssmds

The keytool utility will print out the information about the certificate, including the fingerprints, and will ask whether the certificate should be trusted. Compare the owner, issuer, and fingerprints carefully with those obtained from the original certificate in step 2. If they match, answer "yes". If they do NOT match, DO NOT import the certificate at all; it has been corrupted in transit.

If you confirm that you want the certificate added as trusted, the utility should respond that the certificate was added to the keystore.

This cacerts file is the file the hpssadm client will use to verify the Data Server's certificate. The /tmp/ds.cer file is just a temporary file for transmitting a copy of the Data Server's certificate. It may be named anything you like, and may be removed once you have used it to import the certificate into the hpssadm trusted store.

3.8.3.3 Storing the Password to the Data Server's Keystore File

This step is necessary for the proper configuration of the Data Server.

When the Data Server is executed in Low Security mode, the password to its keystore file must be stored in a file on the Data Server host. This is one reason it is so important to secure this machine. This file must be protected against access by any user except root, and the Data Server must be executed as root.
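
The ownership and permission requirement on the keystore password file can be checked mechanically. The shell function below is an added example, not part of the HPSS guide; the name check_secret_file and its optional expected-uid argument are assumptions made for illustration, and the parent-directory check goes beyond what the guide states.

```shell
#!/bin/sh
# Added example (not from the HPSS guide): audit a keystore password file.
# usage: check_secret_file PATH [EXPECTED_UID]   (EXPECTED_UID defaults to 0, root)
# Prints one line per finding; returns 0 only when nothing is wrong.
check_secret_file() {
    path=$1
    want_uid=${2:-0}
    rc=0

    # A symlink or non-regular file could redirect the Data Server elsewhere.
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "FAIL $path: missing, a symbolic link, or not a regular file"
        return 1
    fi

    # ls -ldn fields: mode string, link count, numeric uid, numeric gid, ...
    set -- $(ls -ldn "$path")
    mode=$1
    uid=$3
    case $mode in
        -???------|-???------.) ;;   # no group/other bits (trailing "." = SELinux label)
        *) echo "FAIL $path: mode $mode grants group/other access or has an ACL flag"
           rc=1 ;;
    esac
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL $path: owner uid $uid, expected $want_uid"
        rc=1
    fi

    # Extra check beyond the guide's wording: a group- or world-writable
    # parent directory lets another user swap the file out.
    dir=$(dirname "$path")
    set -- $(ls -ldn "$dir")
    case $1 in
        d????-??-?*) ;;
        *) echo "FAIL $dir: mode $1 is not a directory closed to group/other write"
           rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK   $path"
    return "$rc"
}

# Run against a path given on the command line, for example the guide's
# default /var/hpss/ssm/keystore.ds.pw.
if [ "$#" -gt 0 ]; then
    check_secret_file "$@"
fi
```

A non-zero exit status makes the function usable as a gate in the script that starts the Data Server in Low Security mode.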
Low Security mode is the only mode in which the Data Server may be started automatically from a script, without human intervention.

The default name for the file to store the password is

    /var/hpss/ssm/keystore.ds.pw

This name can be changed in the hpss_env file by setting the HPSS_SSMDS_KEYSTORE_PASSWORD variable as desired.

To run the Data Server in Normal Security mode, set the HPSS_SSMDS_KEYSTORE_PASSWORD variable in the hpss_env file to the string "PROMPT". Then, rather than reading the password from a file, the Data Server will prompt the user for the password when it begins execution. If you always run in Normal Security mode, you do not need to store the password to the Data Server's keystore anywhere in a file, but neither can you start it automatically from a script.

3.8.4 Configuring the Java Security Policy File

A Java security policy file is required for the Data Server. If the hpssadm utility is used, it must have its own Java security policy file.

Versions of Java beginning with 1.2 allow you to fine tune many permissions given to particular code by means of system wide, user, and application specific policy files, and by providing for applications to run under the Java Security Manager. If the application is not executed with a