Default location for the local node's cluster security services trusted host list file.
The /var/ct/cfg/ct_has.thl file is the default location where the ctcasd daemon expects to find the local node's trusted host list file. The contents of this file are stored in a proprietary binary format.
The trusted host list maps each host identity within the peer domain or management domain to the host's cluster security services public key. The ctcasd daemon uses this list to determine which nodes on the network are trusted, and to locate the public keys for these nodes in order to decrypt UNIX-identity-based credentials transmitted from another host within the cluster. If a host is not listed in a node's trusted host list, or if the public key recorded for that host is incorrect, the host will not be able to authenticate to that node using UNIX-identity-based authentication.
The ctcasd.cfg file permits the system administrator to specify an alternate location for this file. If an alternate location is used, the file must meet all the criteria listed in the Security section of this man page. The file must not be recorded to a read-only file system, because this will prohibit the system administrator for modifying the contents of this file in the future.
If the ctcasd daemon cannot locate this file during its startup, it will check for the presence of the ct_has.pkf file. If both files are missing, the daemon will assume that it is being started for the first time after installation, and create an initial private and public key file for the node. The daemon also creates the initial trusted host list file for this node. This file contains an entry for localhost, along with the IP addresses and the host names associated with all AF_INET-configured adapters that the daemon can detect. This may cause inadvertent authentication failures if the public and private key files were accidentally or intentionally removed from the local system before the daemon was restarted. The ctcasd daemon creates new keys for the node, which will not match the keys stored on the other cluster nodes. If UNIX-identity-based authentication suddenly fails after a system restart, this is a possible source of the failure.
This file is readable by all users on the local system. Write access is not provided to any system user.
By default, this file is stored in a locally-mounted file system. The ctcasd.cfg file permits system administrators to change the location of the file. If the system administrator uses a different location, it is the administrator's responsibility to make sure the file is always accessible to the local node, and that all users from this local node can access the file. If the storage location does not meet these criteria, users and applications will be unable to authenticate to trusted services using UNIX-identity-based authentication.
If the system administrator chooses to place this file in a networked file system, the administrator must assure that no two nodes are attempting to use the same physical file as their own trusted host list file, or that the file does not contain an entry for localhost. By default, the trusted host list contains an entry for localhost, which maps the local system's public key to this value. If multiple hosts share the same trusted host list file, attempts by users or applications to contact localhost for trusted services may fail because the entry maps to an incorrect public key value.
TRACE= ON
TRACEFILE= /var/ct/IW/log/ctsec/ctcasd/trace
TRACELEVELS= _SEC:Info=1,_SEC:Errors=1
TRACESIZE= 1003520
RQUEUESIZE=
MAXTHREADS=
MINTHREADS=
THREADSTACK= 131072
HBA_USING_SSH_KEYS= false
HBA_PRVKEYFILE=
HBA_PUBKEYFILE=
HBA_THLFILE=
HBA_KEYGEN_METHOD= rsa512
SERVICES=hba CAS
TRACE= ON
TRACEFILE= /var/ct/IW/log/ctsec/ctcasd/trace
TRACELEVELS= _SEC:Perf=1,_SEC:Errors=8
TRACESIZE= 1003520
RQUEUESIZE= 64
MAXTHREADS= 10
MINTHREADS= 4
THREADSTACK= 131072
HBA_USING_SSH_KEYS= false
HBA_PVTKEYFILE= /var/ct/cfg/qkey
HBA_PUBKEYFILE= /var/ct/cfg/pkey
HBA_THLFILE= /var/ct/cfg/thl
HBA_KEYGEN_METHOD= rsa512
SERVICES= hba CAS