This can be "unix" or "ldap".
· <authzURL> - a string used by the authorization mechanism to locate the security data for
this realm. This should be "unix" for UNIX authorization, and for LDAP it should be an
LDAP URL used to locate the entry for the security realm in an LDAP directory.
2.1.2. Security Mechanisms
HPSS 7.1 supports UNIX and Kerberos mechanisms for authentication. It supports LDAP and UNIX
mechanisms for authorization.
2.1.2.1. UNIX
UNIX-based mechanisms are provided both for authentication and authorization. These can draw either
from the actual UNIX user and group information on the current host or from a separately maintained set
of files used only by HPSS. This behavior is controlled by the setting of the variable
HPSS_UNIX_USE_SYSTEM_COMMANDS in /var/hpss/etc/env.conf. If this variable is set to any non-
empty value other than FALSE, the actual UNIX user and group data will be used. Otherwise, local files
created and maintained by the following HPSS utilities will be used. Consult the man pages for each
utility for details of its use.
• hpss_unix_keytab - used to define "keytab" files that can be used to acquire credentials
recognized by the UNIX authentication mechanism.
• hpss_unix_user - used to manage users in the HPSS password file (/var/hpss/etc/passwd).
• hpss_unix_group - used to manage users in the HPSS groups file (/var/hpss/etc/group).
• hpss_unix_passwd - used to change passwords of users in the HPSS password file.
• hpss_unix_keygen - used to create a key file containing a hexadecimal key. The key is used
during UNIX authentication to encrypt keytab passwords. The encryption provides an extra layer
of protection against forged passwords.
Keep in mind that the user and group databases must be kept synchronized across all nodes in an HPSS
system. If using the actual UNIX information, this can be accomplished using a service such as NIS. If
using the HPSS local files, these must manually be kept in synchronization across HPSS nodes.
2.1.2.2. Kerberos 5
The capability to use MIT Kerberos authentication is provided in HPSS 7.1, however, IBM
Service Agreements for HPSS do not provide support for problem isolation nor fixing defects
(Level 2 and Level 3 support) in MIT Kerberos. Kerberos maintenance/support must be site-
provided.
Kerberos 5 is an option for the authentication mechanism. When this option is used, the local realm
name is taken to be the name of a Kerberos realm. The Kerberos security services are used to obtain and
verify credentials.
HPSS Management Guide November 2009
Release 7.3 (Revision 1.0) 22