ct_has.pkf File

Purpose

Default location for the local node's cluster security services public key file.

Description

The /var/ct/cfg/ct_has.pkf file is the default location where the ctcasd daemon will expect to find the local node's public key file. The public key is stored in a proprietary binary format.

The ctcasd.cfg file permits the system administrator to specify an alternate location for this file. The ctskeygen -p command permits the administrator to create this file in an alternate location. If an alternate location is used, the file must meet all the criteria listed in the Security section of this man page. The file must not be recorded to a read-only file system, because this will prohibit the system administrator for modifying the contents of this file in the future.

If the ctcasd daemon cannot locate this file during its startup, it will check for the presence of the ct_has.qkf file. If both files are missing, the daemon assumes that it is being started for the first time after installation, and create an initial private and public key file for the node. The daemon also creates the initial trusted host list file for this node. This file contains an entry for localhost and the host names (or IP addresses) associated with all AF_INET-configured adapters that the daemon can detect. This may cause inadvertent authentication failures if the public and private key files were accidentally or intentionally removed from the local system before the daemon was restarted. ctcasd will create new keys for the node, which will not match the keys stored on the other cluster nodes. If UNIX-identity-based authentication suddenly fails after a system restart, this is a possible source of the failure.

If the public key file is missing but the private key file is detected, the daemon concludes that the local node is misconfigured and terminates. A record is made to persistent storage to indicate the source of the failure.

Security

This file is readable to all users on the local system. Write permission is not granted to any system user.

By default, this file is stored in a locally-mounted file system. The ctcasd.cfg file permits system administrators to change the location of the file. Should system administrators use a different location, it is the administrator's responsibility to assure that the file is always accessible to the local node, and that all users from this local node can read the file. If the storage location does not meet these criteria, users and applications will be unable to authenticate to trusted services using UNIX-identity-based authentication.

If the system administrator chooses to place this file in a networked file system, the administrator must assure that no two nodes are attempting to use the same physical file as their own public key file. Because public keys differ between nodes, if two nodes attempt to use the same public key file, at least one of them will always obtain the incorrect value for its public key. This will cause applications and users from that node to fail authentication to trusted services within the cluster.

Restrictions

Cluster security services supports only its own private and public key formats and file formats. Secured Remote Shell formats are currently unsupported. Settings for the HBA_USING_SSH_KEYS attribute are ignored.

Examples

This example shows the default contents of the configuration file:
TRACE= ON
	TRACEFILE= /var/ct/IW/log/ctsec/ctcasd/trace
	TRACELEVELS= _SEC:Info=1,_SEC:Errors=1
	TRACESIZE= 1003520
	RQUEUESIZE=
	MAXTHREADS=
	MINTHREADS=
	THREADSTACK= 131072
	HBA_USING_SSH_KEYS= false
	HBA_PRVKEYFILE=
	HBA_PUBKEYFILE=
	HBA_THLFILE=
	HBA_KEYGEN_METHOD= rsa512
	SERVICES=hba CAS
After modification, the contents of the configuration file might look like this:
TRACE= ON
	TRACEFILE= /var/ct/IW/log/ctsec/ctcasd/trace
	TRACELEVELS= _SEC:Perf=1,_SEC:Errors=8
	TRACESIZE= 1003520
        RQUEUESIZE= 64
        MAXTHREADS= 10
        MINTHREADS= 4
        THREADSTACK= 131072
	HBA_USING_SSH_KEYS= false
        HBA_PVTKEYFILE= /var/ct/cfg/qkey
        HBA_PUBKEYFILE= /var/ct/cfg/pkey
        HBA_THLFILE= /var/ct/cfg/thl
        HBA_KEYGEN_METHOD= rsa512
	SERVICES= hba CAS

Location

/var/ct/cfg/ct_has.pkf
Contains the ct_has.pkf file

Files

/usr/sbin/rsct/cfg/ctcasd.cfg
Default location of the ctcasd.cfg file