Filter
Top Products
Chapter 3 System Preparation
188 September 2002 HPSS Installation Guide
Release 4.5, Revision 2
2. The Data Server requires read FilePermission on its user authorization file, whose default
location is /var/hpss/ssm/hpssadm.config. The hpssadm utility requires read FilePermis-
sion for the user's keyfile file, the default location for which is /var/hpss/ssm/keytab
grant {
permission java.io.FilePermission "/var/hpss/-", "read";
};
The dash ("-") in the pathname in this example signifies that the permission is to be granted
to everything in the /var/hpss tree, recursively. Sites which wish to be more restrictive can
write a separate grant clause for each file or directory to which they want to allow access.
Java FilePermission is applied as an additional layer of protection on top of the local
operating system file protections, not as a replacement for them. If the Java permission is
not granted, the application will not be allowed to access the file, regardless of the local file
system permissions. If the Java permission is granted but the local file system permissions
deny access to the file, the application will not be allowed access.
3. The DataServer and the hpssadm utility may restrict theremote hosts withwhich they will
communicate by setting their SocketPermission.
According to the documentation, and upheld by some of our testing, you should not need
an explicit SocketPermission in the policy file just to listen on public ports nor to connect
to applications on the same or other hosts; that permission is supposed to be granted
implicitly. But we've foundsome implementations on which, evenwith the system security
and policy files set the same, the applications required that at least connect and listen
permission be granted explicitly from a policy file. So, partly for this reason, we include this
permission in the default policy files for both the Data Server and hpssadm.
The other reason we include this permission entry is that it can be restricted to a single host
or set of hosts and/or ports. The following example grants access to all hosts from the
ornl.gov domain:
grant {
permission java.net.SocketPermission
"*.ornl.gov:1024-",
"connect,accept,listen,resolve";
};
Sites which wish to operate under tighter security can set the Java security file so that only the
system wide policy file is recognized and specification of an alternate or additional policy file on
the Java command line is not allowed.
See the document on Java policy file syntax listed in Section 3.8.9.2: References on page 194 for more
information on settings policies.
3.8.5 Setting up the Client Authorization File
This file must exist in order for the Data Server to be initialized, but it may be empty if there is no
desire to use the hpssadm utility.