IBM Hub/Switch Installation Manual page 185

High performance storage system release 4.5

This command will generate a public key and an associated private key for the Data Server
with alias "hpss_ssmds". It will also generate a self-signed certificate for hpss_ssmds
which includes its public key. The key will be valid for 365 days. The keys and certificate
will be stored in the file "keystore.ds". This is the file the Data Server will read to obtain its
key and certificates when it first begins execution.

After typing this command, you will be prompted for the password for the keystore. It will
be echoed to the terminal, so don't do it while anybody is watching!

You will also be prompted for a password for the key itself. Individual keys within a
keystore are additionally protected by their own password, which may be different from
the keystore password. The Data Server expects the key password to be the same value as
the password to the keystore itself, so use the same one.

Anyone who must start the Data Server in normal security mode must know this
password. If the Data Server is started in low security mode, this password must be stored
on disk, as described in Section 3.8.3.3: Storing the Password to the Data Server's Keystore File
on page 186.

This is the only step in this section (3.8.3.2) which is necessary for the proper configuration
of the Data Server. The remaining steps in this section are necessary only for the
configuration of the hpssadm utility.

2. Obtain and record the fingerprint for the Data Server's certificate using the keytool utility:
% $JAVA_HOME/bin/keytool -keystore keystore.ds -list -v
This will list every key in the keystore (which should be just the one for the Data Server)
and its certificate fingerprint, a long number representing the certificate. This fingerprint
will be used like a checksum to verify the validity of the certificate as it is transferred to
hpssadm client machines.

3. Export the Data Server's certificate from the keystore:
% $JAVA_HOME/bin/keytool -keystore keystore.ds -export \
    -alias hpss_ssmds -file /tmp/ds.cer
You will be prompted for the keystore password. Then the file "/tmp/ds.cer" will be created,
which will hold a binary representation of the Data Server's certificate.
The /tmp/ds.cer file is just a temporary file for transferring a copy of the Data Server's
certificate to the hpssadm utility's trusted store. You can name it anything you want and
remove it once you are finished with it.
On each machine from which the hpssadm utility will be executed:
1. Transfer the certificate file ds.cer to the hpssadm client machine.
Use the mechanism (ftp, etc.) of your choice. scp is recommended.
2. Import the Data Server's certificate into the trusted store on the hpssadm client machine. It
is a good idea to save the original trusted store file (cacerts) first:
% cd $JAVA_HOME/lib/security
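
Before the import in step 2 above, the transferred ds.cer can be compared on the hpssadm client with the fingerprint recorded on the server. The shell function below is an added example, not part of the HPSS guide; the function names and the script name are assumptions, and it assumes the md5sum, sha1sum and sha256sum utilities are available and that ds.cer is the binary file keytool -export writes when -rfc is not given.

```shell
#!/bin/sh
# Added example, not from the HPSS guide: check a transferred certificate file
# against the fingerprint recorded on the server with `keytool -list -v`.

# Strip colons and whitespace and lowercase the hex: "AB:CD" -> "abcd".
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'A-F' 'a-f'
}

# verify_cert_fp FILE RECORDED_FINGERPRINT
# Returns 0 on match, 1 on mismatch, 2 if the inputs cannot be checked.
verify_cert_fp() {
    cert=$1
    want=$(normalize_fp "$2")
    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 2; }
    # A certificate fingerprint is a digest of the DER bytes. A PEM (-rfc)
    # export is base64 text, so hashing the file would give the wrong value.
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$cert"; then
        echo "$cert is PEM; this check expects the binary export" >&2
        return 2
    fi
    case "$want" in
        ''|*[!0-9a-f]*) echo "recorded fingerprint is not hex" >&2; return 2 ;;
    esac
    # Pick the digest from the length of the recorded value.
    case ${#want} in
        32) tool=md5sum ;;
        40) tool=sha1sum ;;
        64) tool=sha256sum ;;
        *)  echo "unexpected fingerprint length ${#want}" >&2; return 2 ;;
    esac
    got=$("$tool" < "$cert" | cut -d' ' -f1)
    if [ "$got" = "$want" ]; then
        echo "OK: $cert matches the recorded fingerprint"
        return 0
    fi
    echo "MISMATCH: $cert hashes to $got, recorded $want; do not import" >&2
    return 1
}

# Usage: sh verify_fp.sh ds.cer 'AB:CD:...'   (script name is an assumption)
if [ "$#" -eq 2 ]; then
    verify_cert_fp "$1" "$2"
fi
```

A non-zero return means the file should not be imported into the trusted store until the difference is explained.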

HPSS Installation Guide, Release 4.5, Revision 2, September 2002
Chapter 3: System Preparation, page 185
