Chapter 3 System Preparation    188    September 2002    HPSS Installation Guide, Release 4.5, Revision 2

2. The Data Server requires read FilePermission on its user authorization file, whose default location is /var/hpss/ssm/hpssadm.config. The hpssadm utility requires read FilePermission on the user's key file, whose default location is /var/hpss/ssm/keytab. A single grant clause covers both:

    grant {
        permission java.io.FilePermission "/var/hpss/-", "read";
    };

The dash ("-") at the end of the pathname signifies that the permission is granted to everything in the /var/hpss tree, recursively. (An asterisk ("*") in its place would cover only the entries directly in /var/hpss, not files in subdirectories such as /var/hpss/ssm.) Sites which wish to be more restrictive can write a separate grant clause for each file or directory to which they want to allow access.

Java FilePermission is an additional layer of protection on top of the local operating system file protections, not a replacement for them. Access succeeds only when both layers allow it: if the Java permission is not granted, the application will not be allowed to access the file regardless of the local file system permissions, and if the Java permission is granted but the local file system permissions deny access to the file, the application will still be refused.

3. The Data Server and the hpssadm utility may restrict the remote hosts with which they will communicate by setting their SocketPermission.

According to the documentation, and borne out by some of our testing, you should not need an explicit SocketPermission in the policy file just to listen on public ports or to connect to applications on the same or other hosts; that permission is supposed to be granted implicitly. But we have found some implementations on which, even with the system security and policy files set the same, the applications required that at least connect and listen permission be granted explicitly from a policy file. So, partly for this reason, we include this permission in the default policy files for both the Data Server and hpssadm.

The other reason we include this permission entry is that it can be restricted to a single host or set of hosts and/or ports. The following example grants access to all hosts in the ornl.gov domain, on ports 1024 and above only:

    grant {
        permission java.net.SocketPermission "*.ornl.gov:1024-", "connect,accept,listen,resolve";
    };

Sites which wish to operate under tighter security can set the Java security file so that only the system-wide policy file is recognized and specification of an alternate or additional policy file on the Java command line is not allowed. (In the java.security file this is the policy.allowSystemProperty setting; with policy.allowSystemProperty=false, a -Djava.security.policy option on the command line is ignored.)

See the document on Java policy file syntax listed in Section 3.8.9.2: References on page 194 for more information on setting policies.

3.8.5 Setting up the Client Authorization File

This file must exist in order for the Data Server to be initialized, but it may be empty if there is no desire to use the hpssadm utility.
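Before configuring the authorization file, a site can verify that its policy grants from Section 3.8.4 actually cover the files and hosts it intends. The following Java program is an added example for this page; it is not part of the HPSS Installation Guide or of the HPSS software. It exercises Permission.implies(), the same decision a security manager would make, for the FilePermission and SocketPermission grants shown above, without installing a security manager. The paths are the guide's defaults; the host names hpssadm.ornl.gov and attacker.example.org are assumed names chosen to show a wildcard match and a non-match.

```java
import java.io.FilePermission;
import java.net.SocketPermission;
import java.security.Permission;

/**
 * Added example, not HPSS code: checks what the policy grants in
 * Section 3.8.4 do and do not allow, using the JDK's own implies() logic.
 * Paths are the guide's defaults; hpssadm.ornl.gov and attacker.example.org
 * are assumed host names used only for illustration.
 */
public class PolicyGrantCheck {

    /** Prints and returns whether the granted permission decides the request as expected. */
    static boolean check(Permission granted, Permission requested, boolean expected) {
        boolean actual = granted.implies(requested);
        System.out.printf("%-4s %s implies %s -> %s%n",
                actual == expected ? "ok" : "FAIL", granted, requested, actual);
        return actual == expected;
    }

    public static void main(String[] args) {
        boolean allOk = true;

        // "/var/hpss/-" is recursive: it covers both default files named in the guide.
        Permission treeRead = new FilePermission("/var/hpss/-", "read");
        allOk &= check(treeRead, new FilePermission("/var/hpss/ssm/hpssadm.config", "read"), true);
        allOk &= check(treeRead, new FilePermission("/var/hpss/ssm/keytab", "read"), true);
        // A read-only grant never implies write, even inside the tree.
        allOk &= check(treeRead, new FilePermission("/var/hpss/ssm/keytab", "write"), false);
        // Nothing outside the tree is covered.
        allOk &= check(treeRead, new FilePermission("/etc/passwd", "read"), false);

        // "*" instead of "-" matches only the directory's immediate entries,
        // so it would NOT cover the files under /var/hpss/ssm.
        Permission dirOnly = new FilePermission("/var/hpss/*", "read");
        allOk &= check(dirOnly, new FilePermission("/var/hpss/ssm/keytab", "read"), false);

        // The per-file form the guide suggests for more restrictive sites:
        // one grant clause per file, nothing else implied.
        Permission exact = new FilePermission("/var/hpss/ssm/hpssadm.config", "read");
        allOk &= check(exact, new FilePermission("/var/hpss/ssm/hpssadm.config", "read"), true);
        allOk &= check(exact, new FilePermission("/var/hpss/ssm/keytab", "read"), false);

        // SocketPermission with a wildcard host and an open-ended port range.
        Permission ornl = new SocketPermission("*.ornl.gov:1024-",
                "connect,accept,listen,resolve");
        // The port test is numeric: port 80 lies outside 1024-, so this fails
        // before any host name comparison takes place.
        allOk &= check(ornl, new SocketPermission("hpssadm.ornl.gov:80", "connect"), false);
        // A host outside the domain is refused whatever the port.
        allOk &= check(ornl, new SocketPermission("attacker.example.org:4000", "connect"), false);
        // In-domain host, allowed port, actions that are a subset of the grant.
        // Note: for a resolvable host the JDK compares the host's canonical
        // (reverse-looked-up) name against ".ornl.gov"; an unresolvable name
        // falls back to a plain suffix comparison.
        allOk &= check(ornl, new SocketPermission("hpssadm.ornl.gov:4000", "connect,accept"), true);

        System.out.println(allOk ? "all checks passed" : "some checks FAILED");
    }
}
```

Compile and run with `javac PolicyGrantCheck.java && java PolicyGrantCheck`. The FilePermission results are purely lexical and do not require the paths to exist. SocketPermission host matching depends on DNS: when the requested host resolves, its canonical name after forward and reverse lookup is what is compared against the wildcard, so a host whose reverse name is not under ornl.gov can be refused on a live network even though the literal string matches, which is the behaviour a site restricting by domain should want.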