Chapter 2. Security and System Access

2.1. Security Services
As of release 6.2, HPSS no longer uses DCE security services. The new approach to security divides services into two APIs, known as mechanisms, each of which has multiple implementations. Configuration files control which implementation of each mechanism is used in the security realm (analogous to a DCE cell) for an HPSS system. Security mechanisms are implemented in shared object libraries and are described to HPSS by a configuration file. HPSS programs that need to use a mechanism dynamically link its library when the program starts.

The first type of mechanism is the authentication mechanism. This API is used to acquire credentials and to verify the credentials of clients. Authentication verifies that a client really is who it claims to be.

The second type of mechanism is the authorization mechanism. Once a client's identity has been verified, this API is used to obtain the authorization details associated with the client, such as uid, gid and group membership, that are used to determine the privileges accorded to the client and the resources to which it has access.
2.1.1. Security Services Configuration

Ordinarily, the configuration files that control HPSS's access to security services are set up either by the installation tool, mkhpss, or by the metadata conversion tools. This section is provided purely for reference. Each of the files below is stored by default in /var/hpss/etc.
• auth.conf, authz.conf
These files define which shared libraries provide implementations of the authentication and authorization mechanisms, respectively. They are plain text files that have the same format. Each line is either a comment beginning with # or consists of two fields separated by whitespace: the path to a shared library and the name of the function used to initialize the security interface.
• site.conf
This file defines security realm options. This is a plain text file in which each line is a comment beginning with # or is made up of the following fields, separated by whitespace:
<siteName> <realmName> <realmID> <authzMech> <authzURL>
· <siteName> - the name of the local security site. This is usually just the realm name in lowercase.
· <realmName> - the name of the local security realm. If using Kerberos authentication, this is the name of the Kerberos realm. For UNIX authentication, it can be any non-empty string. By convention, it is usually the fully qualified hostname.
· <realmID> - the numeric identifier of the local security realm. If using Kerberos authentication and this is a preexisting site going through conversion, this value is the same as the DCE cross cell ID, which is a unique number assigned to each site. A new site setting up a new HPSS system will need to contact an HPSS support representative to obtain a unique value.
· <authzMech> - the name of the authorization mechanism to be used by this HPSS system.
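The two line formats described above, the two-field auth.conf/authz.conf records and the five-field site.conf records, parsed and validated in Python as an added example that is not HPSS code. The sample file contents, library path, init function name, site name, realm and URL are constructed placeholders; the parser enforces the field counts the text specifies and checks that <realmID> is numeric.

```python
from dataclasses import dataclass

@dataclass
class MechanismEntry:
    library: str        # path to the shared library implementing the mechanism
    init_function: str  # function that initializes the security interface

@dataclass
class SiteEntry:
    site_name: str
    realm_name: str
    realm_id: int
    authz_mech: str
    authz_url: str

def _records(text):
    """Yield (lineno, fields) for lines that are not '#' comments.
    Blank lines are skipped too (an assumption; the text does not mention them)."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield lineno, line.split()

def parse_mechanism_conf(text):
    """auth.conf / authz.conf: each record is <library path> <init function>."""
    entries = []
    for lineno, f in _records(text):
        if len(f) != 2:
            raise ValueError(f"line {lineno}: expected 2 fields, got {len(f)}")
        entries.append(MechanismEntry(*f))
    return entries

def parse_site_conf(text):
    """site.conf: <siteName> <realmName> <realmID> <authzMech> <authzURL>."""
    entries = []
    for lineno, f in _records(text):
        if len(f) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(f)}")
        site, realm, realm_id, mech, url = f
        if not realm_id.isdigit():  # realmID is a numeric identifier
            raise ValueError(f"line {lineno}: realmID {realm_id!r} is not numeric")
        entries.append(SiteEntry(site, realm, int(realm_id), mech, url))
    return entries

# Constructed sample contents; every path, name and URL below is a placeholder.
SAMPLE_AUTH_CONF = "# authentication mechanisms\n/opt/hpss/lib/libauth_placeholder.so placeholder_auth_init\n"
SAMPLE_SITE_CONF = "# site realm realmID authzMech authzURL\nexample.org EXAMPLE.ORG 12345 placeholder_authz ldap://ldap.example.org\n"

if __name__ == "__main__":
    print(parse_mechanism_conf(SAMPLE_AUTH_CONF))
    print(parse_site_conf(SAMPLE_SITE_CONF))
```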
HPSS Management Guide November 2009
Release 7.3 (Revision 1.0) 21