IBM Hub/Switch 3.8.3 Conguring SSL, 3.8.3.1 Installing the Security Provider

Chapter 3 System Preparation

HPSS Installation Guide September 2002 183

Release 4.5, Revision 2

Youwill be prompted for the password, WHICH WILL BE ECHOED AS YOU TYPE IT,so

make sure you are working from a location where the password cannot be compromised.

Typein the default password ("changeit"). The utility should list the certiﬁcates in the ﬁle.

4. Change the password with the-storepasswd option of the keytool command. In this

example, the new password is "XXXXXX". Again, we are changing the password for the

cacerts ﬁle; do this for each trusted store ﬁle, substituting the correct ﬁle name for the "-

keystore" option:

$JAVA_HOME/bin/keytool -keystore cacerts -storepasswd \

-new XXXXXX

5. Verify that the password was changed properly by listing the ﬁle again:

$JAVA_HOME/bin/keytool -keystore cacerts -list

Again,your password will be echoed as you type it, so be sure no one can read your screen.

This change should be performed on the Data Server host machine and on any host from which

hpssadm will be executed.

The installation instructions for Java 1.3.0 also include directions for changing this password.

See thekeytool man page with your Java installation for more information on using the keytool

utility.

3.8.3 Conﬁguring SSL

SSL (Secure Sockets Layer) must be conﬁgured for the Data Server even if thehpssadm utility is

not executed, because the Data Server reads its private key as part of its initialization, even if he

subsequently never needs it for any hpssadm client. The steps below which are necessary for the

Data Server are distinguished from those necessary only forhpssadm.

SSL is used to encrypt the transmission of the user's DCE user name and password from the

hpssadmutility to the Data Server. In fact, the entire session by which the hpssadm utility submits

commands to the Data Server is encrypted with SSL.

Beaware, however, that there is a second session between the Data Server and the hpssadm utility.

This second, independent session is the one by which the Data Server sends the hpssadm client

asynchronous notiﬁcations of changes in HPSS statuses, such as a notice that a server has gone

downor a device opstate has changed. No password information is transmitted across this session,

and it is not encrypted.

Thissection explains how to conﬁgure the Java SSL extension and the Data Server for use with SSL.

3.8.3.1 Installing the Security Provider

Inorder for Java to access the SSL extension, the SSL provider must be installed. To do this, add the

provider to the Java security ﬁle

$JAVA_HOME/lib/security/java.security