Chapter 5 HPSS Infrastructure Configuration248 September 2002 HPSS Installation GuideRelease 4.5, Revision 2-random \-registryu For each entry in /krb5/hpssclient.keytab do:% dcecp -c keytab add \/.:/hosts/$HPSS-CDS_HOST/config/keytab/hpssclient.keytab \-member \-random \-registrywhere refers to an entry in the keytab file; e.g., hpss_ssm, and$HPSS_CDS_HOST refers to the CDS machine host name; e.g., hydra.3. See the discussion immediately following this step! Propagate the resulting keytab files toevery HPSS server machine. Note that the most secure mechanism for performing this is“footnet”. If FTP is used, be sure to specify the “bin” option. The keytab files on everyHPSS system should have the following ownership and permissions set:/krb5/hpss.keytabs hpss hpss rw- rw- ---/krb5/hpssclient.keytab hpss hpss rw- rw- ---It is strongly recommended that both keytab files be generated on a single HPSS server machineand securely propagated to every other HPSS server machine; however, a customer may prefer tocreate appropriate keytab files which contain only the entries required for a specific HPSS servermachine. This, however, is strongly discouraged because it can create a “Catch 22” condition inwhich the encryption keys on one or more HPSS systems cannot be set to match the keys stored inthe DCE Registry!If a customized keytab file is used on every different HPSS server system, steps 1 and 2 above mustbe performed on each system.If the key for a server on one machine is changed, do not change the key on another machine sincethis will de-synchronize the entry on the first system changed!
