Chapter 3 System Preparation
HPSS Installation Guide September 2002 191
Release 4.5, Revision 2
3.8.8 Updating Expired SSL Certificates
When the Data Server certificate expires, the Data Server itself will be able to start up and execute,
but any hpssadm client attempting to connect to it will fail with the error "untrusted server cert
chain". A new certificate must be generated for the Data Server and disseminated to all the client
machines. To do this, follow these steps:
1. Check the keystore and the cacerts file to be sure the certificate has expired. On the host
where the Data Server executes, check the Data Server keystore:
    % cd /var/hpss/ssm
    % $JAVA_HOME/bin/keytool -keystore keystore.ds -list -v
On each host where an hpssadm client executes, check the cacerts file:
    % cd $JAVA_HOME/lib/security
    % $JAVA_HOME/bin/keytool -keystore cacerts -list -v
Look in the output for the Data Server certificate and its expiration date. If the certificate
has not expired, there is no need to continue with this procedure; pursue the problem
diagnosis steps in Chapter 13: HPSS Problem Diagnosis and Resolution (page 485) in the
HPSS Management Guide.
2. On the host where the Data Server executes, delete the keystore.ds file with the expired
certificate.
    % cd /var/hpss/ssm
    % rm keystore.ds
3. On each host where an hpssadm client executes, delete the expired certificate from the
cacerts file:
    % cd $JAVA_HOME/lib/security
    % $JAVA_HOME/bin/keytool -keystore cacerts -delete -alias hpss_ssmds
4. Recreate the keystore.ds file, export the certificate, and import it into the cacerts file on
every hpssadm client machine, using the original installation procedures in this chapter.
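The expiration check in step 1 can be scripted so that steps 2 through 4 are only carried out when the certificate really has expired. The following is an added example, not part of the HPSS guide: cert_status and sample_listing are hypothetical names, the listing is constructed sample data, and the comparison assumes whole-day granularity with the time zone ignored.

```sh
#!/bin/sh
# Added example. cert_status and sample_listing are hypothetical names.
# Usage: $JAVA_HOME/bin/keytool -keystore cacerts -list -v | cert_status hpss_ssmds 20021015
# Prints "expired", "valid" or "missing"; exit status is 0 only for "valid".
cert_status() {
    alias_name=$1   # alias to look for, e.g. hpss_ssmds
    today=$2        # comparison date as YYYYMMDD (assumption: whole days, zone ignored)
    result=$(awk -v want="$alias_name" -v today="$today" '
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= 12; i++) mon[m[i]] = i
            status = "missing"
        }
        # Every keystore entry begins with an "Alias name:" line.
        /^Alias name:/ { in_entry = ($3 == want) }
        # The first validity line of an entry belongs to the entry certificate.
        in_entry && /^Valid from:/ && status == "missing" {
            sub(/.*until: */, "")   # leaves: DayName Mon DD HH:MM:SS ZONE YYYY
            expiry = sprintf("%04d%02d%02d", $NF, mon[$2], $3)
            status = (expiry + 0 < today + 0) ? "expired" : "valid"
        }
        END { print status }
    ')
    echo "$result"
    [ "$result" = "valid" ]
}

# Constructed sample of `keytool -list -v` output (not from a real system).
sample_listing() {
    cat <<'EOF'
Keystore type: jks
Your keystore contains 2 entries

Alias name: otherca
Entry type: trustedCertEntry
Owner: CN=Example CA, O=Example
Valid from: Fri Jan 05 09:00:00 CST 2001 until: Wed Jan 05 09:00:00 CST 2011

Alias name: hpss_ssmds
Entry type: trustedCertEntry
Owner: CN=Example Data Server, O=Example
Valid from: Mon Sep 03 14:12:33 CDT 2001 until: Sun Dec 02 13:12:33 CST 2001
EOF
}

sample_listing | cert_status hpss_ssmds 20021015 || true   # prints: expired
```

A result of "missing" on a client host means the hpss_ssmds alias is not in that cacerts file at all, so the delete in step 3 would have nothing to remove there.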
3.8.9 Background Information
3.8.9.1 Basic Security Technologies Relevant to the SSM Command Line Utility
This section is intended to provide an overview of the basic principles of the Java security policy,
public key encryption, SSL, and X.509 certificates as they are used in the SSM Data Server and
Command Line Utility. For a more thorough discussion of these technologies, see the references in
Section 3.8.9.2: References on page 194.
Java allows code to run under a Security Manager. This is basically a library that gets called any
time a security-related operation, such as an access of the local file system, is requested. The library