Hpss server security acls – IBM RELEASE 7.3 User Manual


obtained from the foreign site's administrator. An example would be:
"ldap://theirldapserver.foreign.com/cn=FOREIGNREALM.FOREIGN.COM"

Deleting a trusted foreign realm

To delete an entry for a trusted foreign realm, use the following hpss_ldap_admin command:

trealm delete [-id <realmID>] [-name <realmName>]

Any of the arguments listed can be supplied to select the trusted realm entry that will be deleted.

2.2. HPSS Server Security ACLs

Beginning with release 6.2, HPSS uses a table of access control information stored in the DB2
configuration database to control access to HPSS servers. This is the AUTHZACL table. HPSS
software uses the configured authentication mechanism (e.g. Kerberos) to determine a caller's identity via
credentials provided by the caller, then uses the configured authorization mechanism to retrieve the
details of the caller that determine the access granted. Once the identity and authorization information
have been obtained, each HPSS server grants or denies the caller's request based on the access control list
information stored in the database.
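As an added example (not part of the guide and not HPSS code), the following Python parses ACL entries written in the seven-column format the guide lists below and answers the question each server has to answer: is this caller's principal granted this permission, either through its own "user" entry or through the "any_other" entry? The meaning of the seven columns (r, w, x, c, i, d, t), the first-match-then-fallback order, and the principal names substituted for the ${HPSS_PRINCIPAL_*} variables are all assumptions made for the example; the sample ACL text is the Core Server and Gatekeeper defaults from this section.

```python
"""Evaluate HPSS-style server ACLs (added example, not HPSS code).

Assumptions not stated on this page:
  * the seven permission columns are r w x c i d t
    (read, write, execute, control, insert, delete, test);
  * a caller is matched by principal name against "user" entries
    and falls back to the "any_other" entry when no user entry matches;
  * no matching entry at all means deny.
"""
from __future__ import annotations

import string
from dataclasses import dataclass

PERM_COLUMNS = "rwxcidt"

# Hypothetical values for the ${HPSS_PRINCIPAL_*} variables (constructed
# for this example; a real site takes them from its HPSS environment).
ENV = {
    "HPSS_PRINCIPAL_CORE": "hpsscore",
    "HPSS_PRINCIPAL_FTPD": "hpssftp",
    "HPSS_PRINCIPAL_DMG": "hpssdmg",
    "HPSS_PRINCIPAL_MPS": "hpssmps",
    "HPSS_PRINCIPAL_NFSD": "hpssnfs",
    "HPSS_PRINCIPAL_SSM": "hpssssm",
    "HPSS_PRINCIPAL_FS": "hpssfs",
}

# Default ACLs exactly as listed in this section of the guide.
CORE_SERVER_ACL = """
r--c--- user ${HPSS_PRINCIPAL_FTPD}
rw-c--- user ${HPSS_PRINCIPAL_DMG}
rw-c-dt user ${HPSS_PRINCIPAL_MPS}
r--c--- user ${HPSS_PRINCIPAL_NFSD}
rw-c-d- user ${HPSS_PRINCIPAL_SSM}
r--c--- user ${HPSS_PRINCIPAL_FS}
------t any_other
"""

GATEKEEPER_ACL = """
rw----- user ${HPSS_PRINCIPAL_CORE}
rw-c--- user ${HPSS_PRINCIPAL_SSM}
r-----t any_other
"""


@dataclass(frozen=True)
class AclEntry:
    perms: frozenset[str]
    kind: str               # "user" or "any_other"
    principal: str | None   # only set for "user" entries


def parse_acl(text: str, env: dict[str, str] = ENV) -> list[AclEntry]:
    """Expand ${VAR} references, then parse one ACL entry per line."""
    expanded = string.Template(text).substitute(env)
    entries: list[AclEntry] = []
    for raw in expanded.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split()
        mask = fields[0]
        if len(mask) != len(PERM_COLUMNS):
            raise ValueError(f"bad permission mask {mask!r}")
        perms = set()
        for col, ch in zip(PERM_COLUMNS, mask):
            if ch == col:
                perms.add(ch)
            elif ch != "-":
                raise ValueError(f"unexpected {ch!r} in column {col!r} of {mask!r}")
        if len(fields) == 3 and fields[1] == "user":
            entries.append(AclEntry(frozenset(perms), "user", fields[2]))
        elif len(fields) == 2 and fields[1] == "any_other":
            entries.append(AclEntry(frozenset(perms), "any_other", None))
        else:
            raise ValueError(f"unrecognised ACL entry {line!r}")
    return entries


def effective_perms(acl: list[AclEntry], principal: str) -> frozenset[str]:
    """Permissions a caller gets: its own user entry, else any_other, else none."""
    for entry in acl:
        if entry.kind == "user" and entry.principal == principal:
            return entry.perms
    for entry in acl:
        if entry.kind == "any_other":
            return entry.perms
    return frozenset()


def is_allowed(acl: list[AclEntry], principal: str, perm: str) -> bool:
    """The grant/deny decision a server makes for one request."""
    return perm in effective_perms(acl, principal)


def unexpected_any_other_perms(acl: list[AclEntry],
                               allowed: frozenset[str] = frozenset("rt")) -> frozenset[str]:
    """Audit helper: permissions the any_other entry grants beyond a baseline.

    The listed defaults give any_other at most r and t; anything more
    (w, c, d, ...) on a server ACL is worth a second look.
    """
    for entry in acl:
        if entry.kind == "any_other":
            return entry.perms - allowed
    return frozenset()


if __name__ == "__main__":
    core = parse_acl(CORE_SERVER_ACL)
    print("MPS may delete on Core:", is_allowed(core, "hpssmps", "d"))
    print("unknown caller on Core:", sorted(effective_perms(core, "alice")))
    print("any_other beyond r/t:", sorted(unexpected_any_other_perms(core)))
```

Running the module prints the decisions for the Core Server defaults; the audit helper is the check an administrator would run after editing a server ACL, since an over-broad any_other entry is the mistake that turns an authenticated-but-unknown caller into a writer.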

The default ACLs for each type of server are as follows:

Core Server:

r--c--- user ${HPSS_PRINCIPAL_FTPD}
rw-c--- user ${HPSS_PRINCIPAL_DMG}
rw-c-dt user ${HPSS_PRINCIPAL_MPS}
r--c--- user ${HPSS_PRINCIPAL_NFSD}
rw-c-d- user ${HPSS_PRINCIPAL_SSM}
r--c--- user ${HPSS_PRINCIPAL_FS}
------t any_other

Gatekeeper:

rw----- user ${HPSS_PRINCIPAL_CORE}
rw-c--- user ${HPSS_PRINCIPAL_SSM}
r-----t any_other

Location Server:

r--c--t user ${HPSS_PRINCIPAL_SSM}
r-----t any_other

Mover:

rw-c--t user ${HPSS_PRINCIPAL_SSM}
r-----t any_other

PVL:

rw---dt user ${HPSS_PRINCIPAL_CORE}

HPSS Management Guide

November 2009

Release 7.3 (Revision 1.0)
