ct_has.qkf File

Purpose

Default location for the cluster security services private key file for the local node.

Description

The /var/ct/cfg/ct_has.qkf file is the default location where the ctcasd daemon expects to find the local node's private key file. The private key is stored in a proprietary binary format.

The ctcasd.cfg file permits the system administrator to specify an alternate location for this file. The ctskeygen -q command permits the administrator to create this file in an alternate location. If an alternate location is used, the file must meet all the criteria listed in the Security section of this man page. The file must not be stored on a read-only file system, because this will prevent the system administrator from modifying the contents of this file in the future.

If the ctcasd daemon cannot locate this file during its startup, it will check for the presence of the ct_has.pkf file. If both files are missing, the daemon will assume that it is being started for the first time after installation, and create an initial private and public key file for the node. The daemon also creates the initial trusted host list file for this node. This file contains an entry for localhost and the host names (or IP addresses) associated with all AF_INET-configured adapters that the daemon can detect. This may cause inadvertent authentication failures if the public and private key files were accidentally or intentionally removed from the local system before the daemon was restarted. ctcasd will create new keys for the node, which will not match the keys stored on the other cluster nodes. If UNIX-identity-based authentication suddenly fails after a system restart, this is a possible source of the failure.

If the private key file is missing but the public key file is detected, the daemon concludes that the local node is not configured accurately and terminates. A record is made to persistent storage to indicate the source of the failure.

Security

This file is readable and accessible only to the root user. Access to all other users is not provided.

By default, this file is stored in a locally mounted file system. The ctcasd.cfg file permits system administrators to change the location of the file. Should system administrators use a different location, it is the administrator's responsibility to assure that the file is always accessible to the local node, and that only the root user from this local node can access the file. If the storage location does not meet these criteria, the security of the node and the cluster should be considered compromised.
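The following POSIX sh functions, added here as an example and not part of RSCT, check the private key file against the criteria above (root ownership, no group or other access, writable location) and classify which of the startup situations described in the Description section ctcasd will encounter. The default paths are the ones this page gives; the OWNER argument, the function names and the state labels are assumptions for this example.

```sh
#!/bin/sh
# Added example (not RSCT code): pre-restart checks for the ctcasd key files.
# Pass the HBA_PRVKEYFILE / HBA_PUBKEYFILE values from ctcasd.cfg if relocated.

# key_file_ok FILE [OWNER]: returns 0 if FILE exists, is owned by OWNER
# (default root), grants no permission bits to group or other, and sits in a
# writable directory (a read-only file system blocks future key replacement).
key_file_ok() {
    f=$1; owner=${2:-root}
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    set -- $(ls -ld "$f")            # $1 = mode string, $3 = owning user
    case $1 in
        ????------*) ;;              # type + owner bits, then no group/other bits
        *) echo "group/other can access $f (mode $1)" >&2; return 1 ;;
    esac
    [ "$3" = "$owner" ] || { echo "$f owned by $3, not $owner" >&2; return 1; }
    [ -w "$(dirname "$f")" ] || { echo "$(dirname "$f") is not writable" >&2; return 1; }
    return 0
}

# key_pair_state PRV PUB: prints what ctcasd will conclude at startup.
#   ok             both files present
#   regenerate     both missing: new keys and a new trusted host list are
#                  created; other nodes will no longer match this node's keys
#   terminate      private key missing, public key present: daemon exits and
#                  records the failure to persistent storage
#   public-missing private key present, public key missing (not covered by
#                  this page; inspect manually before restarting)
key_pair_state() {
    prv=$1; pub=$2
    if [ -f "$prv" ] && [ -f "$pub" ]; then echo ok
    elif [ ! -f "$prv" ] && [ ! -f "$pub" ]; then echo regenerate
    elif [ ! -f "$prv" ]; then echo terminate
    else echo public-missing
    fi
}

# Typical use as root before restarting ctcasd:
#   key_file_ok /var/ct/cfg/ct_has.qkf &&
#   [ "$(key_pair_state /var/ct/cfg/ct_has.qkf /var/ct/cfg/ct_has.pkf)" = ok ]
```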

Restrictions

Cluster security services supports only its own private and public key formats and file formats. Secured Remote Shell formats are currently unsupported. Settings for the HBA_USING_SSH_KEYS attribute are ignored.

Examples

This example shows the default contents of the ctcasd.cfg configuration file:

	TRACE= ON
	TRACEFILE= /var/ct/IW/log/ctsec/ctcasd/trace
	TRACELEVELS= _SEC:Info=1,_SEC:Errors=1
	TRACESIZE= 1003520
	RQUEUESIZE=
	MAXTHREADS=
	MINTHREADS=
	THREADSTACK= 131072
	HBA_USING_SSH_KEYS= false
	HBA_PRVKEYFILE=
	HBA_PUBKEYFILE=
	HBA_THLFILE=
	HBA_KEYGEN_METHOD= rsa512
	SERVICES= hba CAS
After modification, with the private key, public key and trusted host list relocated, the contents of the configuration file might look like this:

	TRACE= ON
	TRACEFILE= /var/ct/IW/log/ctsec/ctcasd/trace
	TRACELEVELS= _SEC:Perf=1,_SEC:Errors=8
	TRACESIZE= 1003520
	RQUEUESIZE= 64
	MAXTHREADS= 10
	MINTHREADS= 4
	THREADSTACK= 131072
	HBA_USING_SSH_KEYS= false
	HBA_PRVKEYFILE= /var/ct/cfg/qkey
	HBA_PUBKEYFILE= /var/ct/cfg/pkey
	HBA_THLFILE= /var/ct/cfg/thl
	HBA_KEYGEN_METHOD= rsa512
	SERVICES= hba CAS

Location

/usr/sbin/rsct/bin/ct_has.qkf
Location of the ct_has.qkf file.

Files

/usr/sbin/rsct/cfg/ctcasd.cfg
Default location of the ctcasd.cfg file.