ctsidmck Command

Purpose

Verifies the cluster security library identity mapping.

Syntax

ctsidmck -h | -i | { [ -dl | -dm | -dh ] -m security_mechanism network_ID }

Description

A system administrator can use the ctsidmck command to verify the mapping that would be obtained by the cluster security library (libct_sec) for a specific security network identifier.

The cluster security library establishes a security context through the exchange between a client of a trusted service and the trusted service server. During the creation of the security context, the cluster security library tries to map the client application's security network identity to an identity that may be present on the server node, called the mapped identity. The cluster security library uses the mapped identity later on the server in authorization functions such as access control verification. Whether the client application has a mapped identity on the server depends on whether the following identity mapping definition files are present on the server, and whether any of the entries within these files correspond to the security identity being used by the client application:
  • /usr/sbin/rsct/cfg/ctsec_map.global
  • /var/ct/cfg/ctsec_map.local
  • /var/ct/cfg/ctsec_map.global

The location of definitions within these files is important; entries at the head of the file are processed before entries positioned towards the end of the file. The definition rules also allow for wildcarding of entry information and for expansion of certain reserved words. If a definition is incorrectly specified within one of these files, the mapping result may not be as intended. Also, if a definition is positioned after another definition that can successfully map a security network identifier, the mapping result may not be as intended.

This command allows an administrator to verify that the correct identity mapping definition is used by the cluster security library to map a security network identity. This command is to be executed on the system that would act as the server. By specifying a security network identifier to this command on the server, the administrator can determine what the mapped identity for that security network identity would be on that system, and what entry was used from the identity mapping definition files to obtain this mapping.

Flags

-h
Writes the command's usage statement to standard output.
-i
Displays a list of the supported security mechanisms on this system. The command examines the cluster security library configuration on this node, obtains a list of supported security mechanisms, and displays this list. The mechanisms are listed by the mnemonic used by the cluster security library to refer to these mechanisms.
-d
Specifies the level of detail in the command output. One of three levels of detail is permitted:
  1. low (l): the command will only display the mapped identity for network_ID. This is the default detail level.
  2. medium (m): the command will display the mapped identity for network_ID, as well as the entry from the identity mapping definition files that yielded the map.
  3. high (h): the command will display every entry from the identity mapping definition files that is processed until a mapped identity for network_ID is found, or until all entries are processed.
-m security_mechanism
Specifies the security mechanism that was used to create the security network identifier provided by network_ID. security_mechanism is a mnemonic that would be used by the cluster security library to refer to this security mechanism. This flag must be specified when the -h and the -i flags are not provided.

Use the -i flag to display a list of the security mechanisms that this system supports.

Parameters

network_ID
Specifies the security network identifier to be mapped. This should be an identity that can be assumed by a client application of a trusted service.

Security

This command is executable only by the root system user and members of the system user group. It is intended for administrator use only, to verify the security configuration of the system. Because the output of the command could be used as a means for determining how to sabotage or circumvent system security, the permissions on this command should not be altered.

Exit Status

0
This command successfully found a mapped identity for network_ID.
3
This command detected a failure in the operation of the cluster security library mechanism pluggable module (MPM) corresponding to the security mechanism that was requested. ctsidmck was unable to search for a possible mapped identity for network_ID in this case. This failure may be accompanied by descriptive output indicating the nature of the MPM failure. Consult this output and perform any recommended actions.
4
The caller invoked this command incorrectly, omitting required flags and parameters, or using mutually exclusive flags. ctsidmck terminated without trying to find a mapped identity for network_ID.
6
A memory allocation request failed during the operation of this command. ctsidmck was unable to search for a possible mapped identity for network_ID in this case.
21
This command was unable to locate any of the identity mapping definition files on the local system. ctsidmck was unable to search for a possible mapped identity for network_ID in this case. Verify that at least one identity mapping definition file exists on the system.
22
This command was unable to dynamically load the cluster security library mechanism pluggable module (MPM) corresponding to the security mechanism that was requested. The module may be missing, corrupted, or one of the shared libraries used by this module may be missing or corrupted. ctsidmck was unable to search for a possible mapped identity for network_ID in this case. This failure may be accompanied by descriptive output indicating the nature of the MPM failure. Consult this output and perform any recommended actions.
37
At least one of the identity mapping definition files on the system appears to be corrupted. The command was unable to search for a possible mapped identity for network_ID in this case. Verify that none of the identity mapping files are corrupted, truncated, or contain syntax errors.
38
The ctsidmck command cannot locate a mapped identity for network_ID. No entry within any of the identity mapping definition files yielded a mapped identity for the specified security network identifier.

Restrictions

This command works only on MSS-formatted key files.

Standard Output

The ctsidmck command writes any mapped identity found for the security network identifier to standard output. If a medium or high level of detail is requested, any definitions displayed by this command are also written to standard output.

When the -h flag is specified, this command's usage statement is written to standard output.

Standard Error

Descriptive information for any detected failure condition is written to standard error.

Examples

  1. To get a list of the security mechanisms that the local system supports, before verifying an identity map, enter:
    ctsidmck -i
  2. To get only the mapped identity for the RSCT host-based authentication (HBA) mechanism security network identity zathras@greatmachine.epsilon3.org, enter:
    ctsidmck -m unix zathras@greatmachine.epsilon3.org
  3. To see every identity mapping definition that the command checks while searching for a mapped identity for the HBA mechanism's security network identity glorfindel@rivendell.elvin.net@endor, enter:
    ctsidmck -d h -m unix glorfindel@rivendell.elvin.net@endor

Location

/usr/sbin/rsct/bin/ctsidmck
Contains the ctsidmck command

Files

/usr/sbin/rsct/cfg/ctsec_map.global
The default identity mapping definition file. This file contains definitions required by the RSCT cluster trusted services in order for these systems to execute properly immediately after software installation. This file is ignored if the cluster-wide identity mapping definition file /var/ct/cfg/ctsec_map.global exists on the system. Therefore, any definitions within this file should also be included in the cluster-wide identity mapping definition file, if that file exists.
/var/ct/cfg/ctsec_map.local
Local override to the cluster-wide identity mapping definitions. Definitions within this file are not expected to be shared between nodes within the cluster.
/var/ct/cfg/ctsec_map.global
Cluster-wide identity mapping definitions. This file is expected to contain identity mapping definitions that are common throughout the cluster. If this file exists on the system, the default identity mapping definition file is ignored. Therefore, if this file exists, it should also contain any entries that would also be found in the default identity mapping definition file.
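The first-match lookup that the Description and Files sections describe (entries processed head to tail, the cluster-wide file hiding the default one), modelled as an added example that is not RSCT's own code; the entry format mech:pattern=local_user, the exact file processing order and the meaning of "*" as a local identity are assumptions made for the illustration. The constructed sample reproduces the misplacement the page warns about: a catch-all entry positioned ahead of a specific one shadows it.

```python
from fnmatch import fnmatchcase

# Paths named on the page; the processing order below is an assumption.
DEFAULT_GLOBAL = "/usr/sbin/rsct/cfg/ctsec_map.global"
LOCAL = "/var/ct/cfg/ctsec_map.local"
CLUSTER_GLOBAL = "/var/ct/cfg/ctsec_map.global"


def parse_entries(text):
    """Parse 'mech:netid_pattern=local_user' lines (assumed format)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if ":" not in line or "=" not in line:
            raise ValueError(f"line {lineno}: malformed entry {raw!r}")
        mech, rest = line.split(":", 1)
        pattern, local = rest.rsplit("=", 1)
        entries.append((mech.strip(), pattern.strip(), local.strip()))
    return entries


def processing_order(files):
    """Local override first; the cluster-wide file hides the default one."""
    order = [p for p in (LOCAL, CLUSTER_GLOBAL) if p in files]
    if CLUSTER_GLOBAL not in files and DEFAULT_GLOBAL in files:
        order.append(DEFAULT_GLOBAL)
    return order


def check_mapping(files, mechanism, network_id):
    """First matching entry wins. Returns (mapped identity, entry used,
    entries examined): roughly what -dl, -dm and -dh report."""
    examined = []
    for path in processing_order(files):
        for mech, pattern, local in parse_entries(files[path]):
            if mech != mechanism:
                continue
            entry = f"{path}: {mech}:{pattern}={local}"
            examined.append(entry)
            if fnmatchcase(network_id, pattern):
                if local == "*":  # assumed: '*' keeps the user part
                    local = network_id.split("@", 1)[0]
                return local, entry, examined
    return None, None, examined


# Constructed sample: the catch-all sits ahead of the specific entry,
# so zathras is silently mapped to nobody instead of to zathras.
SAMPLE_FILES = {
    CLUSTER_GLOBAL: "unix:*@*=nobody\nunix:zathras@greatmachine.epsilon3.org=zathras\n",
    DEFAULT_GLOBAL: "unix:root@*=root\n",  # ignored: cluster-wide file exists
}
```

Running check_mapping over SAMPLE_FILES for zathras@greatmachine.epsilon3.org returns "nobody" with the catch-all as the entry used, which is the kind of result ctsidmck -d m makes visible before the mapping is relied on for access control.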