Chapter 3 System Preparation
192 September 2002 HPSS Installation Guide
Release 4.5, Revision 2
call returns silently if it determines the code is allowed the requested access, and otherwise throws
an exception, which halts the program.
Applet code runs under a security manager (usually) because most browsers implement one. The
security manager won't let the applet do anything not allowed by the policy file(s). Applets are not
allowed to install security managers; browsers do it first thing, anyway, and nobody can install a
second one in a running program.
Applications don't have to run under a security manager. If they choose to run under a security
manager, then, like applets, they can do only what the policy file(s) allow. Code must have
java.lang.RuntimePermission setSecurityManager in order to set the security manager, or else it
gets the default Security Manager.
By default, the java.security file lets you pass an additional Java policy file on the command line;
this can be disabled in java.security by changing
policy.allowSystemProperty=true
to false:
policy.allowSystemProperty=false
By default, the java.security file specifies system wide and user policy files; this, too, can be
changed in the file.
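An added example (not part of the HPSS guide): a small Python check that reads a java.security file and reports the two settings discussed above. The sample file contents are constructed, and the policy.url.N key names are those of the stock JDK java.security file rather than anything shown on this page.

```python
import re

# Constructed sample of a java.security file (not taken from the HPSS guide).
SAMPLE = """\
# policy settings
policy.provider=sun.security.provider.PolicyFile
policy.url.1=file:${java.home}/lib/security/java.policy
policy.url.2=file:${user.home}/.java.policy
policy.allowSystemProperty = true
"""


def parse_properties(text):
    """Parse key=value / key:value / 'key value' lines; skip # and ! comments.

    Simplified: backslash line continuations are not handled.
    """
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit(text):
    """Return one finding per setting that widens where policy can come from."""
    props = parse_properties(text)
    findings = []
    # Explicit 'true' means a policy file named on the command line is honored.
    if props.get("policy.allowSystemProperty", "").lower() == "true":
        findings.append("policy.allowSystemProperty=true: "
                        "extra policy file accepted from the command line")
    # Report policy URLs that resolve inside a user's home directory.
    for key in sorted(k for k in props if re.fullmatch(r"policy\.url\.\d+", k)):
        if "${user.home}" in props[key]:
            findings.append(f"{key} loads a per-user policy file: {props[key]}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

To check a real installation, pass the contents of its java.security file to audit() in place of SAMPLE.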
SSL provides the SSM Data Server and the hpssadm utility a secure encrypted channel over which
to transport the hpssadm user's password. SSL requires the use of two kinds of keys, symmetric
and public, and of X.509 certificates.
A key is a number used with an encryption algorithm to encrypt or decrypt data.
Anything encrypted with a symmetric key can be decrypted only by the same symmetric key. If two
parties have access to the same symmetric key, they can use it to share encrypted information.
Public keys are created in pairs consisting of a public key and a private key. Anything encrypted
with the public key can be decrypted only with the private key, and vice versa, anything encrypted
with the private key can be decrypted only with the public key. In general, a user is the only one
who has access to his own private key, but he makes his public key known to everybody. Then
anybody can encrypt data for him in his public key, and he is the only one who can decrypt it.
Symmetric key encryption is faster than public key encryption, but public key encryption is easier
to manage, because you don't have to distribute and protect a shared key to all the parties involved.
The private key is retained by one party and protected; the public key is distributed to everyone
and need not be protected.
A digital signature is an encrypted piece of data used to validate the identity of the sender. Digital
signatures are created by having a party encrypt some known piece of data in his private key. Then
anybody can decrypt the data using his public key, and if the decryption works properly, they know
the signature is valid and only the true party could have sent it, since he's the only one with access
to the private key.
An X.509 certificate is a digitally signed electronic document identifying a party. It includes, among
other things, a name representing the party, a representation of his public key, and a digital
signature of some certificate authority. A certificate authority is a company, like Verisign, whom