ct_has.thl File

Purpose

Default location for the local node's cluster security services trusted host list file.

Description

The /var/ct/cfg/ct_has.thl file is the default location where the ctcasd daemon expects to find the local node's trusted host list file. The contents of this file are stored in a proprietary binary format.

The trusted host list maps each host identity within the peer domain or management domain to the host's cluster security services public key. The ctcasd daemon uses this list to determine which nodes on the network are trusted, and to locate the public keys for these nodes in order to decrypt UNIX-identity-based credentials transmitted from another host within the cluster. If a host is not listed in a node's trusted host list, or if the public key recorded for that host is incorrect, the host will not be able to authenticate to that node using UNIX-identity-based authentication.

The ctcasd.cfg file permits the system administrator to specify an alternate location for this file. If an alternate location is used, the file must meet all the criteria listed in the Security section of this man page. The file must not be stored on a read-only file system, because this will prevent the system administrator from modifying the contents of this file in the future.

If the ctcasd daemon cannot locate this file during its startup, it will check for the presence of the ct_has.pkf file. If both files are missing, the daemon will assume that it is being started for the first time after installation, and create an initial private and public key file for the node. The daemon also creates the initial trusted host list file for this node. This file contains an entry for localhost, along with the IP addresses and the host names associated with all AF_INET-configured adapters that the daemon can detect. This may cause inadvertent authentication failures if the public and private key files were accidentally or intentionally removed from the local system before the daemon was restarted. The ctcasd daemon creates new keys for the node, which will not match the keys stored on the other cluster nodes. If UNIX-identity-based authentication suddenly fails after a system restart, this is a possible source of the failure.

Security

This file is readable by all users on the local system. Write access is not provided to any system user.

By default, this file is stored in a locally-mounted file system. The ctcasd.cfg file permits system administrators to change the location of the file. If the system administrator uses a different location, it is the administrator's responsibility to make sure the file is always accessible to the local node, and that all users from this local node can access the file. If the storage location does not meet these criteria, users and applications will be unable to authenticate to trusted services using UNIX-identity-based authentication.

If the system administrator chooses to place this file in a networked file system, the administrator must ensure either that no two nodes are attempting to use the same physical file as their own trusted host list file, or that the shared file does not contain an entry for localhost. By default, the trusted host list contains an entry for localhost, which maps the local system's public key to this value. If multiple hosts share the same trusted host list file, attempts by users or applications to contact localhost for trusted services may fail because the entry maps to an incorrect public key value.

Restrictions

  • Cluster security services supports only its own private and public key formats and file formats.
  • Cluster security services does not provide an automated utility for creating, managing, and maintaining trusted host lists throughout the cluster. This is a procedure left to either the system administrator or the cluster management software.

Examples

This example shows the default contents of the configuration file:

    TRACE= ON
    TRACEFILE= /var/ct/IW/log/ctsec/ctcasd/trace
    TRACELEVELS= _SEC:Info=1,_SEC:Errors=1
    TRACESIZE= 1003520
    RQUEUESIZE=
    MAXTHREADS=
    MINTHREADS=
    THREADSTACK= 131072
    HBA_USING_SSH_KEYS= false
    HBA_PRVKEYFILE=
    HBA_PUBKEYFILE=
    HBA_THLFILE=
    HBA_KEYGEN_METHOD= rsa512
    SERVICES=hba CAS
After modification, the contents of the configuration file might look like this (the key for the private key file is HBA_PRVKEYFILE, matching the default file above):

    TRACE= ON
    TRACEFILE= /var/ct/IW/log/ctsec/ctcasd/trace
    TRACELEVELS= _SEC:Perf=1,_SEC:Errors=8
    TRACESIZE= 1003520
    RQUEUESIZE= 64
    MAXTHREADS= 10
    MINTHREADS= 4
    THREADSTACK= 131072
    HBA_USING_SSH_KEYS= false
    HBA_PRVKEYFILE= /var/ct/cfg/qkey
    HBA_PUBKEYFILE= /var/ct/cfg/pkey
    HBA_THLFILE= /var/ct/cfg/thl
    HBA_KEYGEN_METHOD= rsa512
    SERVICES= hba CAS
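The following is an added example, not part of the RSCT man page or IBM's code: it parses the KEY= value format of the ctcasd.cfg examples above, resolves which trusted host list file the daemon will use (assuming a blank HBA_THLFILE means the default /var/ct/cfg/ct_has.thl from the Description section), and checks that file against the Security section's criteria (readable by all local users, writable by none, present so the daemon will not regenerate keys).

```python
import os
import stat

# Assumption for this example: ctcasd falls back to the default path from the
# Description section when HBA_THLFILE is left blank in ctcasd.cfg.
DEFAULT_THL = "/var/ct/cfg/ct_has.thl"
READ_ALL = stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH
WRITE_ANY = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH

def parse_ctcasd_cfg(text):
    """Parse 'KEY= value' lines; a blank value means 'use the daemon default'."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg

def effective_thl_path(cfg):
    """HBA_THLFILE overrides the default location only when it is non-empty."""
    return cfg.get("HBA_THLFILE") or DEFAULT_THL

def check_mode(mode):
    """Findings for a mode: must be readable by all users and writable by none."""
    findings = []
    if (mode & READ_ALL) != READ_ALL:
        findings.append("not readable by all users (mode %04o)" % mode)
    if mode & WRITE_ANY:
        findings.append("write access granted (mode %04o)" % mode)
    return findings

def check_thl_file(path):
    """Stat the trusted host list and report findings; [] means it passes."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        # A missing list makes ctcasd regenerate node keys on its next start,
        # and those no longer match the keys held by the other cluster nodes.
        return ["trusted host list missing: %s" % path]
    return check_mode(stat.S_IMODE(st.st_mode))

# Constructed input: the relevant lines of the default ctcasd.cfg shown above.
DEFAULT_CFG = "HBA_USING_SSH_KEYS= false\nHBA_PRVKEYFILE=\nHBA_THLFILE=\nSERVICES=hba CAS\n"

if __name__ == "__main__":
    thl = effective_thl_path(parse_ctcasd_cfg(DEFAULT_CFG))
    print(thl, check_thl_file(thl) or "OK")
```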

Location

/opt/rsct/bin/ct_has.thl
Location of the ct_has.thl file.

Files

/opt/rsct/cfg/ctcasd.cfg
Default location of the ctcasd.cfg file.