Default location for the cluster security services private key file for the local node.
The /var/ct/cfg/ct_has.qkf file is the default location where the ctcasd daemon expects to find the local node's private key file. The private key is stored in a proprietary binary format.
The ctcasd.cfg file permits the system administrator to specify an alternate location for this file. The ctskeygen -q command permits the administrator to create this file in an alternate location. If an alternate location is used, the file must meet all the criteria listed in the Security section of this man page. The file must not be recorded to a read-only file system, because this will prohibit the system administrator from modifying the contents of this file in the future.
If the ctcasd daemon cannot locate this file during its startup, it will check for the presence of the ct_has.pkf file. If both files are missing, the daemon will assume that it is being started for the first time after installation, and create an initial private and public key file for the node. The daemon also creates the initial trusted host list file for this node. This file contains an entry for localhost and the host names (or IP addresses) associated with all AF_INET-configured adapters that the daemon can detect. This may cause inadvertent authentication failures if the public and private key files were accidentally or intentionally removed from the local system before the daemon was restarted. ctcasd will create new keys for the node, which will not match the keys stored on the other cluster nodes. If UNIX-identity-based authentication suddenly fails after a system restart, this is a possible source of the failure.
If the private key file is missing but the public key file is detected, the daemon concludes that the local node is not configured accurately and terminates. A record is made to persistent storage to indicate the source of the failure.
This file is readable and accessible only to the root user. Access to all other users is not provided.
By default, this file is stored in a locally mounted file system. The ctcasd.cfg file permits system administrators to change the location of the file. Should system administrators use a different location, it is the administrator's responsibility to ensure that the file is always accessible to the local node, and that only the root user from this local node can access the file. If the storage location does not meet these criteria, the security of the node and the cluster should be considered compromised.
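The location, startup and access criteria above can be checked with a short script. This is an added example, not part of the original man page or of IBM's tooling. It assumes that an empty HBA_PRVKEYFILE or HBA_PUBKEYFILE value means the default location and that ct_has.pkf sits in /var/ct/cfg. The function names are hypothetical, and the ctcasd.cfg path is passed as the argument.

```shell
#!/bin/sh
# Added example (not IBM code): audit the ctcasd private key file.
DEFAULT_QKF=/var/ct/cfg/ct_has.qkf
DEFAULT_PKF=/var/ct/cfg/ct_has.pkf   # assumption: same directory as ct_has.qkf

# Print attribute $2 from the ctcasd.cfg-style file $1; fall back to $3 when
# the attribute is absent or empty (assumption: empty means "use the default").
cfg_value() {
    val=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" 2>/dev/null |
          sed 's/[[:space:]]*$//' | tail -n 1)
    printf '%s\n' "${val:-$3}"
}

# Startup behaviour this page describes for a private ($1) / public ($2) pair.
startup_outcome() {
    if [ -f "$1" ]; then echo present
    elif [ -f "$2" ]; then echo terminate    # public key present, private key missing
    else echo regenerate                     # both missing: new keys and trusted host list
    fi
}

# Check owner and mode of key file $1. $2 is the expected numeric owner
# (default 0 = root). Prints findings; returns non-zero if any check fails.
check_keyfile() {
    f=$1; want_uid=${2:-0}; rc=0
    [ -f "$f" ] || { echo "MISSING $f"; return 2; }
    set -- $(ls -ldn "$f")                   # $1 = mode string, $3 = owner uid
    [ "$3" = "$want_uid" ] || { echo "OWNER uid $3, expected $want_uid"; rc=1; }
    case $(printf '%s' "$1" | cut -c5-10) in
        ------) ;;                           # no group or other permission bits
        *) echo "MODE $1 grants group/other access"; rc=1 ;;
    esac
    return $rc
}

# Usage: sh audit_qkf.sh <path to ctcasd.cfg>
if [ $# -ge 1 ]; then
    qkf=$(cfg_value "$1" HBA_PRVKEYFILE "$DEFAULT_QKF")
    pkf=$(cfg_value "$1" HBA_PUBKEYFILE "$DEFAULT_PKF")
    echo "private key file: $qkf (startup: $(startup_outcome "$qkf" "$pkf"))"
    check_keyfile "$qkf" && echo "OK $qkf"
fi
```

A "regenerate" result before a daemon restart is the case to catch: the new key pair will not match the keys stored on the other cluster nodes.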
Cluster security services supports only its own private and public key formats and file formats. Secured Remote Shell formats are currently unsupported. Settings for the HBA_USING_SSH_KEYS attribute are ignored.
TRACE= ON
TRACEFILE= /var/ct/IW/log/ctsec/ctcasd/trace
TRACELEVELS= _SEC:Info=1,_SEC:Errors=1
TRACESIZE= 1003520
RQUEUESIZE=
MAXTHREADS=
MINTHREADS=
THREADSTACK= 131072
HBA_USING_SSH_KEYS= false
HBA_PRVKEYFILE=
HBA_PUBKEYFILE=
HBA_THLFILE=
HBA_KEYGEN_METHOD= rsa512
SERVICES=hba CAS
TRACE= ON
TRACEFILE= /var/ct/IW/log/ctsec/ctcasd/trace
TRACELEVELS= _SEC:Perf=1,_SEC:Errors=8
TRACESIZE= 1003520
RQUEUESIZE= 64
MAXTHREADS= 10
MINTHREADS= 4
THREADSTACK= 131072
HBA_USING_SSH_KEYS= false
HBA_PRVKEYFILE= /var/ct/cfg/qkey
HBA_PUBKEYFILE= /var/ct/cfg/pkey
HBA_THLFILE= /var/ct/cfg/thl
HBA_KEYGEN_METHOD= rsa512
SERVICES= hba CAS