ctsvhbar Command

Purpose

Returns the host name that the RSCT host-based authentication (HBA) security mechanism uses on the local node to verify credentials from a specified host.

Syntax

ctsvhbar [ [ -d | -h | -m | -s ] | [ -e msgnum[,msgnum...] ] [ -l { 1 | 2 | 3 | 4 } | -b ] {hostname | address} [hostname... | address...]

Description

The ctsvhbar command is a verification utility for the RSCT host-based authentication (HBA) security mechanism. Use this command when you need to determine which host name the HBA security mechanism uses to verify credentials from a remote system.

The HBA security mechanism might use either a host name or a network address value as part of the identification information within a credential, depending on the method chosen by the application. If the local system is to service requests from remote systems, at least one network address and host name for that remote system must appear in the trusted host list on the local system. To verify that the remote system can successfully authenticate the local system, system administrators use a combination of RSCT cluster security commands:

On both the local and remote system, issue the ctsvhbac command to verify that each system has a valid HBA security mechanism configuration.
On the local system, issue the ctsvhbal command to determine the values that the HBA security mechanism will use to identify this host to a remote system.
On the remote system, issue the ctsvhbar command, specifying the local system host name or IP address, to determine the value that the remote system will use to verify HBA credentials transmitted from the local system.
Compare the ctsvhbal and ctsvhbar command output to determine whether the two systems are using the same scheme for host-name resolution. If an exact host-name match does not appear in the output, repair the host-name resolution scheme, and repeat the steps above until both commands yield an exact match.

Completing these steps verifies successful authentication in one direction; in other words, the procedure verifies only that the remote system can authenticate requests from the local system. Because RSCT subsystems often use mutual authentication, system administrators also should verify that the local system can successfully authenticate the remote system. To complete the verification, the following additional steps are required:

On the remote system, issue the ctsvhbal command to determine the values that the HBA security mechanism will use to identify that host to the local system.
On the local system, issue the ctsvhbar command, specifying the remote system host name or IP address, to determine the value that the local system will use to verify HBA credentials transmitted from the remote system.
Compare the ctsvhbal and ctsvhbar command output to determine whether the two systems are using the same scheme for host-name resolution. If an exact host-name match does not appear in the output, repair the host-name resolution scheme, and repeat the steps above until both commands yield an exact match.

Completing these additional steps verifies successful authentication when traffic flows in the opposite direction, from the remote system to the local system.

For more detailed instructions and examples, see the cluster security topics in RSCT Administration Guide.

Flags

-b

Produces brief output. When this option is used, the command displays the host identities provided by the command user, the fully qualified host identities obtained for them, and any errors. If the -l option is specified, this option is ignored.

-d

Displays the list of probes required for successful execution of this command.

-e

Specifies a list of error messages that are not to be displayed by this command during its execution. One or more message numbers may be specified. Message numbers must be in the xxxx-yyy format. Multiple messages are to be separated by commas (,) with no white space characters.

-h

Displays a help message for this command.

-l

Allows the Cluster System Management (CSM) Probe Infrastructure to set the detail level of the output. Accepted levels are:

1: Verbose mode. Displays the command purpose summary and status information for all tests.
2: Displays the command purpose summary and any attention or error conditions detected in any tests.
3: Displays any attention or error conditions detected in any tests.
4: Silent mode. Displays errors detected during the tests.

-m

Displays a detailed description of the command and its purpose.

-s

Displays a summary of the purpose for the command.

Parameters

hostname: The host name of a remote system.
address: The network address of a remote system.

Security

Permissions on the ctsvhbar command permit members of the bin user group to execute this command.

Exit Status

Exit status conforms to the CSM Probe Infrastructure conventions.

0: No problems detected. Any messages displayed are informational. No administration intervention is required.
10: No problems were detected. The command was unable to resolve the host name or IP address provided by the command user. The command user should verify that the correct host name or IP address was used. If the correct name or address was used, the system administrator should verify that the host-name resolution scheme used by the local system permits that name or address to be resolved.
127: Unexpected failure in this command.

Restrictions

Cluster security services supports its own host identifier format and trusted host list file format only.
Trusted host lists are modifiable using this command only.
Cluster security services does not provide an automated utility for creating, managing, and maintaining trusted host lists throughout the cluster. This is a procedure left to either the system administrator or the cluster management software.

Standard Output

When the -h flag is specified, this command's usage statement is written to standard output. When the -l flag is specified, the contents of the trusted host list file are written to standard output.

Standard Error

Descriptive information for any detected failure condition is written to standard error.

Examples

To return the host name that the HBA security mechanism would use on the local node to verify credentials from the host identified by the host name zathras, you would enter:

ctsvhbar zathras

The output would look like this:

Host name or network address: zathras
Fully qualified host name
     used for authentication: zathras.ibm.com

To return the host name that the HBA security mechanism would use on the local node to verify credentials from the host identified by the network address 9.127.100.101, you would enter:

ctsvhbar 9.127.100.101

The output would look like this:

Host name or network address: 9.127.100.101
Fully qualified host name
     used for authentication: epsilon3.pok.ibm.com

To return the host name that the HBA security mechanism would use on the local node to verify credentials from both the host identified by the host name zathras, and the host identified by the network address 9.127.100.101, you would enter:

ctsvhbar zathras 9.127.100.101

The output would look like this:

Host name or network address: zathras
Fully qualified host name
     used for authentication: zathras.ibm.com
Host name or network address: 9.127.100.101
Fully qualified host name
     used for authentication: epsilon3.ibm.com

Location

/usr/sbin/rsct/bin/ctsvhbar: Contains the ctsvhbar command

Files

/usr/sbin/rsct/cfg/ctcasd.cfg: Default configuration for the ctcasd daemon
/var/ct/cfg/ctcasd.cfg: Configuration for the ctcasd daemon, which can be modified by the system administrator