Chapter 3 System Preparation
HPSS Installation Guide September 2002 185
Release 4.5, Revision 2
This command will generate a public key and an associated private key for the Data Server
with alias "hpss_ssmds". It will also generate a self-signed certificate for hpss_ssmds
which includes his public key. The key will be valid for 365 days. The keys and certificate
will be stored in the file "keystore.ds". This is the file the Data Server will read to obtain his
key and certificates when he first begins execution.
After typing this command, you will be prompted for the password for the keystore. It will
be echoed to the terminal, so don't do it while anybody is watching!
You will also be prompted for a password for the key itself. Individual keys within a
keystore are additionally protected by their own password, which may be different from
the keystore password. The Data Server expects the key password to be the same value as
the password to the keystore itself, so use the same one.
Anyone who must start the Data Server in normal security mode must know this
password. If the Data Server is started in low security mode, this password must be stored
on disk, as described in Section 3.8.3.3: Storing the Password to the Data Server's Keystore File
on page 186.
This is the only step in this section (3.8.3.2) which is necessary for the proper configuration
of the Data Server. The remaining steps in this section are necessary only for the
configuration of the hpssadm utility.
2. Obtain and record the fingerprint for the Data Server's certificate using the keytool utility:
% $JAVA_HOME/bin/keytool -keystore keystore.ds -list -v
This will list every key in the keystore (which should be just the one for the Data Server)
and its certificate fingerprint, a long number representing the certificate. This fingerprint
will be used like a checksum to verify the validity of the certificate as it is transferred to
hpssadm client machines.
3. Export the Data Server's certificate from the keystore:
% $JAVA_HOME/bin/keytool -keystore keystore.ds -export \
-alias hpss_ssmds -file /tmp/ds.cer
You will be prompted for the keystore password. Then the file "/tmp/ds.cer" will be created,
which will hold a binary representation of the Data Server's certificate.
The /tmp/ds.cer file is just a temporary file for transferring a copy of the Data Server's
certificate to the hpssadm utility's trusted store. You can name it anything you want and
remove it once you are finished with it.
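The fingerprint recorded in step 2 can be checked against the transferred file on the hpssadm client before the certificate is imported. The script below is an added example, not part of the HPSS guide: the function names are hypothetical, and it assumes the exported file is the binary (DER) certificate that keytool writes and that md5sum, sha1sum and sha256sum are installed. It goes slightly beyond the text by choosing the digest from the length of the recorded fingerprint, since different JDK releases print different fingerprint types.

```shell
#!/bin/sh
# Added example (not from the HPSS guide): compare a transferred certificate
# file with the fingerprint recorded from "keytool -list -v" on the server.
# Usage on the client: verify_cert ds.cer "<fingerprint recorded in step 2>"

# Reduce a keytool-style fingerprint ("AB:CD:...") to bare lowercase hex.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'ABCDEF' 'abcdef'
}

# Hash FILE with the digest whose hex length matches the recorded value.
# A certificate fingerprint is a digest of the DER-encoded certificate,
# so hashing the exported binary file reproduces it.
cert_fp() {
    case $2 in
        32) tool=md5sum ;;
        40) tool=sha1sum ;;
        64) tool=sha256sum ;;
        *)  return 2 ;;
    esac
    "$tool" "$1" | cut -d' ' -f1
}

# verify_cert FILE RECORDED_FINGERPRINT
# Returns 0 on match, 1 on mismatch, 2 on unusable input.
verify_cert() {
    file=$1
    want=$(normalize_fp "$2")
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    case $want in
        ''|*[!0-9a-f]*) echo "recorded fingerprint is not hex" >&2; return 2 ;;
    esac
    got=$(cert_fp "$file" "${#want}") || {
        echo "unsupported fingerprint length ${#want}" >&2
        return 2
    }
    if [ "$got" = "$want" ]; then
        echo "OK: $file matches the recorded fingerprint"
        return 0
    fi
    echo "MISMATCH: $file hashes to $got; do not import it" >&2
    return 1
}
```

A non-zero return means the file should not be imported into the trusted store until the certificate has been re-exported and re-transferred.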
On each machine from which the hpssadm utility will be executed:
1. Transfer the certificate file ds.cer to the hpssadm client machine.
Use the mechanism (ftp, etc.) of your choice. scp is recommended.
2. Import the Data Server's certificate into the trusted store on the hpssadm client machine. It
is a good idea to save the original trusted store file (cacerts) first:
% cd $JAVA_HOME/lib/security