Purpose
Returns the host name that the
RSCT host-based authentication (HBA) security mechanism uses on the
local node to verify credentials from a specified host.
Syntax
ctsvhbar [ [ -d | -h | -m | -s ] | [ -e msgnum[,msgnum...] ] [ -l { 1 | 2 | 3 | 4 } | -b ] {hostname | address} [hostname... | address...] ]
Description
The ctsvhbar command is a verification utility for the RSCT host-based
authentication (HBA) security mechanism. Use this command when you
need to determine which host name the HBA security mechanism uses
to verify credentials from a remote system.
The HBA security
mechanism might use either a host name or a network address value
as part of the identification information within a credential, depending
on the method chosen by the application. If the local system is to
service requests from remote systems, at least one network address
and host name for that remote system must appear in the trusted host
list on the local system. To verify that the remote system can successfully
authenticate the local system, system administrators use a combination
of RSCT cluster security commands:
- On both the local and remote system, issue the ctsvhbac command to verify that each system has a valid HBA security
mechanism configuration.
- On the local system, issue the ctsvhbal command to determine the values that the HBA security mechanism
will use to identify this host to a remote system.
- On the remote system, issue the ctsvhbar command, specifying the local system host name or IP address, to
determine the value that the remote system will use to verify HBA
credentials transmitted from the local system.
- Compare the ctsvhbal and ctsvhbar command output to determine whether the two
systems are using the same scheme for host-name resolution. If an
exact host-name match does not appear in the output, repair the host-name
resolution scheme, and repeat the steps above until both commands
yield an exact match.
Completing these steps verifies successful authentication
in one direction; in other words, the procedure verifies only that
the remote system can authenticate requests from the local system.
Because RSCT subsystems often use mutual authentication, system administrators
also should verify that the local system can successfully authenticate
the remote system. To complete the verification, the following additional
steps are required:
- On the remote system, issue the ctsvhbal command to determine the values that the HBA security mechanism
will use to identify that host to the local system.
- On the local system, issue the ctsvhbar command, specifying the remote system host name or IP address, to
determine the value that the local system will use to verify HBA credentials
transmitted from the remote system.
- Compare the ctsvhbal and ctsvhbar command output to determine whether the two
systems are using the same scheme for host-name resolution. If an
exact host-name match does not appear in the output, repair the host-name
resolution scheme, and repeat the steps above until both commands
yield an exact match.
Completing these additional steps verifies successful authentication
when traffic flows in the opposite direction, from the remote system
to the local system.
For more detailed instructions and examples,
see the cluster security topics in RSCT Administration Guide.
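The comparison step that closes both procedures above can be scripted once the command output has been saved. The following is an added example, not part of RSCT or of the original page: it parses ctsvhbar output in the format shown under Examples and checks each resolved name for an exact match against the identities the other system reported through ctsvhbal. The function names, the file names, and the one-identity-per-line layout of the identities file are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not an RSCT tool: compares saved ctsvhbar output with the
# identities the peer reported through ctsvhbal.

# Print "queried<TAB>resolved" for each record of ctsvhbar output on stdin.
parse_ctsvhbar() {
    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /Host name or network address:/ { sub(/^[^:]*:/, ""); q = trim($0) }
        /used for authentication:/ { sub(/^[^:]*:/, ""); print q "\t" trim($0) }
    '
}

# $1: file holding ctsvhbar output captured on the verifying system.
# $2: file holding the peer's ctsvhbal identities, one per line (assumed layout).
# Returns 0 only if every resolved name has an exact, case-sensitive match.
check_hba_match() {
    rc=0 checked=0 tab=$(printf '\t')
    while IFS="$tab" read -r queried resolved; do
        [ -n "$resolved" ] || continue
        checked=$((checked + 1))
        if grep -Fxq -- "$resolved" "$2"; then
            echo "MATCH    $queried -> $resolved"
        else
            echo "MISMATCH $queried -> $resolved (repair host-name resolution)"
            rc=1
        fi
    done <<EOF
$(parse_ctsvhbar < "$1")
EOF
    [ "$checked" -gt 0 ] || rc=1   # no parsed record is never a pass
    return "$rc"
}

# Constructed sample data, modelled on the output format shown in Examples.
demo_dir=$(mktemp -d)
cat > "$demo_dir/ctsvhbar.out" <<'EOF'
Host name or network address: zathras
Fully qualified host name
used for authentication: zathras.ibm.com
EOF
printf '%s\n' zathras.ibm.com 9.127.100.101 > "$demo_dir/peer_fqdn.ids"
printf '%s\n' zathras 9.127.100.101 > "$demo_dir/peer_short.ids"

check_hba_match "$demo_dir/ctsvhbar.out" "$demo_dir/peer_fqdn.ids"
check_hba_match "$demo_dir/ctsvhbar.out" "$demo_dir/peer_short.ids" || true
```

The second call reports a mismatch because the peer identifies itself by the short name zathras while the verifying system resolves it to zathras.ibm.com, which is the host-name resolution difference the procedure is meant to expose.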
Flags
- -b
- Produces brief output. When this option is used, the command
displays the host identities provided by the command user, the fully
qualified host identities obtained for them, and any errors. If the -l option is specified, this option is ignored.
- -d
- Displays the list of probes required for successful execution
of this command.
- -e
- Specifies a list of error messages that are not to be displayed
by this command during its execution. One or more message numbers
may be specified. Message numbers must be in the xxxx-yyy format.
Multiple messages are to be separated by commas (,) with no white
space characters.
- -h
- Displays a help message for this command.
- -l
- Allows the Cluster System Management (CSM) Probe Infrastructure
to set the detail level of the output. Accepted levels are:
  - 1
  - Verbose mode. Displays the command purpose summary and status
    information for all tests.
  - 2
  - Displays the command purpose summary and any attention or error
    conditions detected in any tests.
  - 3
  - Displays any attention or error conditions detected in any tests.
  - 4
  - Silent mode. Displays errors detected during the tests.
- -m
- Displays a detailed description of the command and its purpose.
- -s
- Displays a summary of the purpose for the command.
Parameters
- hostname
- The host name of a remote system.
- address
- The network address of a remote system.
Security
Permissions on the ctsvhbar command permit members of the bin user group to execute this command.
Exit Status
Exit status conforms to the
CSM Probe Infrastructure conventions.
- 0
- No problems detected. Any messages displayed are informational.
No administration intervention is required.
- 10
- No problems were detected. The command was unable to resolve the
host name or IP address provided by the command user. The command
user should verify that the correct host name or IP address was used.
If the correct name or address was used, the system administrator
should verify that the host-name resolution scheme used by the local
system permits that name or address to be resolved.
- 127
- Unexpected failure in this command.
Restrictions
- Cluster security services supports its own host identifier format
and trusted host list file format only.
- Trusted host lists are modifiable using this command only.
- Cluster security services does not provide an automated utility
for creating, managing, and maintaining trusted host lists throughout
the cluster. This is a procedure left to either the system administrator
or the cluster management software.
Standard Output
When the -h flag is specified, this command's usage statement is written
to standard output. When the -l flag is
specified, the contents of the trusted host list file are written
to standard output.
Standard Error
Descriptive information
for any detected failure condition is written to standard error.
Examples
To return the host name that the HBA security mechanism would use on
the local node to verify credentials from the host identified by the
host name zathras, you would enter:
ctsvhbar zathras
The output would look like this:
Host name or network address: zathras
Fully qualified host name
used for authentication: zathras.ibm.com
To return the host name that the HBA security mechanism would use on
the local node to verify credentials from the host identified by the
network address 9.127.100.101, you would enter:
ctsvhbar 9.127.100.101
The output would look like this:
Host name or network address: 9.127.100.101
Fully qualified host name
used for authentication: epsilon3.pok.ibm.com
To return the host name that the HBA security mechanism would use on
the local node to verify credentials from both the host identified by
the host name zathras, and the host identified by the network address
9.127.100.101, you would enter:
ctsvhbar zathras 9.127.100.101
The output would look like this:
Host name or network address: zathras
Fully qualified host name
used for authentication: zathras.ibm.com
Host name or network address: 9.127.100.101
Fully qualified host name
used for authentication: epsilon3.ibm.com
Location
- /usr/sbin/rsct/bin/ctsvhbar
- Contains the ctsvhbar command
Files
- /usr/sbin/rsct/cfg/ctcasd.cfg
- Default configuration for the ctcasd daemon
- /var/ct/cfg/ctcasd.cfg
- Configuration for the ctcasd daemon,
which can be modified by the system administrator