Chapter 3 System Preparation
188 September 2002 HPSS Installation Guide
Release 4.5, Revision 2
2. The Data Server requires read FilePermission on its user authorization file, whose default
location is /var/hpss/ssm/hpssadm.config. The hpssadm utility requires read FilePermission
for the user's keyfile, the default location for which is /var/hpss/ssm/keytab.
grant {
permission java.io.FilePermission "/var/hpss/-", "read";
};
The dash ("-") in the pathname in this example signifies that the permission is to be granted
to everything in the /var/hpss tree, recursively. Sites which wish to be more restrictive can
write a separate grant clause for each file or directory to which they want to allow access.
Java FilePermission is applied as an additional layer of protection on top of the local
operating system file protections, not as a replacement for them. If the Java permission is
not granted, the application will not be allowed to access the file, regardless of the local file
system permissions. If the Java permission is granted but the local file system permissions
deny access to the file, the application will not be allowed access.
3. The Data Server and the hpssadm utility may restrict the remote hosts with which they will
communicate by setting their SocketPermission.
According to the documentation, and upheld by some of our testing, you should not need
an explicit SocketPermission in the policy file just to listen on public ports nor to connect
to applications on the same or other hosts; that permission is supposed to be granted
implicitly. But we've found some implementations on which, even with the system security
and policy files set the same, the applications required that at least connect and listen
permission be granted explicitly from a policy file. So, partly for this reason, we include this
permission in the default policy files for both the Data Server and hpssadm.
The other reason we include this permission entry is that it can be restricted to a single host
or set of hosts and/or ports. The following example grants access to all hosts from the
ornl.gov domain:
grant {
permission java.net.SocketPermission
"*.ornl.gov:1024-",
"connect,accept,listen,resolve";
};
Sites which wish to operate under tighter security can set the Java security file so that only the
system-wide policy file is recognized and specification of an alternate or additional policy file on
the Java command line is not allowed.
See the document on Java policy file syntax listed in Section 3.8.9.2: References on page 194 for more
information on setting policies.
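The difference between the recursive "/var/hpss/-" grant in item 2 and the more restrictive per-file grants it mentions can be checked directly with the permission classes. The following is an added example, not part of the HPSS guide or its shipped policy files; the class name and the probe paths marked "constructed" are assumptions for illustration.

```java
import java.io.FilePermission;
import java.security.Permissions;

// Added example: compares the guide's recursive grant with narrower alternatives.
public class HpssFilePolicyCheck {

    // Builds a collection equivalent to the read FilePermission entries of one grant clause.
    static Permissions grant(String... paths) {
        Permissions perms = new Permissions();
        for (String p : paths) {
            perms.add(new FilePermission(p, "read"));
        }
        return perms;
    }

    // True if the granted set would allow a read of the given path.
    static boolean mayRead(Permissions granted, String path) {
        return granted.implies(new FilePermission(path, "read"));
    }

    public static void main(String[] args) {
        // The default from the guide: everything under /var/hpss, recursively.
        Permissions broad = grant("/var/hpss/-");
        // "*" covers entries directly inside the directory, without recursion.
        Permissions oneLevel = grant("/var/hpss/ssm/*");
        // Restrictive alternative: one entry per file named in the guide.
        Permissions perFile = grant("/var/hpss/ssm/hpssadm.config",
                                    "/var/hpss/ssm/keytab");

        String[] probes = {
            "/var/hpss/ssm/hpssadm.config",   // path from the guide
            "/var/hpss/ssm/keytab",           // path from the guide
            "/var/hpss/ssm/sub/example.dat",  // constructed
            "/var/hpss/etc/example.conf",     // constructed
            "/var/hpss",                      // the directory itself
        };
        System.out.printf("%-32s %-10s %-10s %-10s%n",
                          "path", "recursive", "one-level", "per-file");
        for (String path : probes) {
            System.out.printf("%-32s %-10b %-10b %-10b%n", path,
                mayRead(broad, path), mayRead(oneLevel, path), mayRead(perFile, path));
        }
    }
}
```

The check only evaluates the Java permission layer; as item 2 states, the local file system permissions still apply on top of whatever the policy grants.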
3.8.5 Setting up the Client Authorization File
This file must exist in order for the Data Server to be initialized, but it may be empty if there is no
desire to use the hpssadm utility.