unix.map File

Purpose

Defines the operating system identity used for service provider applications on the node by the UNIX host-based authentication (HBA) security mechanism.

Description

Applications that use the cluster security services library must obtain an identity from the security mechanisms supported by the library. These identities are specific to the individual security mechanisms supported by cluster security services. Because cluster security services supports multiple security mechanisms and multiple applications, the cluster security services library must be informed of which identity to use for an application when interacting with a specific security mechanism on its behalf.

The default security mechanism used by the cluster security services library is the HBA mechanism. The unix.map file defines the identities used by the core cluster applications when interacting with the HBA mechanism. The cluster security services library expects to locate this file in /var/ct/cfg/unix.map (preferred) or /opt/rsct/cfg/unix.map (default).

This file is ASCII-text formatted, and can be modified with a standard text editor. However, this file should not be modified unless the administrator is instructed to do so by the cluster software service provider. If this configuration file is to be modified, the default /opt/rsct/cfg/unix.map file should not be modified directly. Instead, the file should be copied to /var/ct/cfg/unix.map, and modifications should be made to this copy. The default configuration file should never be modified.

All entries within this file use the following format:

    SERVICE:service_name:user_name_running_the_service

Attribute                        Definition
SERVICE                          Required keyword.
service_name                     Specifies the name commonly used to refer to the application. For example, this could be the name used by the system resource controller to refer to this application.
user_name_running_the_service    Specifies the operating system user identity used to execute the application process. It is the owner identity that would be seen for the application process in the ps command output.
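The following validator is an added example and not part of RSCT; it checks a candidate unix.map (for instance the copy intended for /var/ct/cfg/unix.map) against the SERVICE:service_name:user_name format above before the file is put in place, since a malformed entry causes authentication failures for the listed service. It assumes that blank lines carry no entry, that fields contain no whitespace, and that each service name appears at most once; the page does not describe comment syntax, so none is accepted. The optional user check resolves each user name against the local password database.

```python
"""Validator for unix.map contents (added example, not RSCT's own code).

Assumptions: blank lines are ignored, fields contain no whitespace, and a
service appears at most once.
"""
import pwd

REQUIRED_KEYWORD = "SERVICE"

# Default contents as shown on this page, used here as sample input.
DEFAULT_UNIX_MAP = """\
SERVICE:ctrmc:root
SERVICE:rmc:root
SERVICE:ctloadl:loadl
SERVICE:ctdpcl:root
SERVICE:ctpmd:root
"""


def parse_unix_map(text):
    """Parse unix.map text.

    Returns (entries, problems): entries maps service_name to the user
    name running it; problems lists 'line N: reason' strings for every
    line that does not match the expected format.
    """
    entries = {}
    problems = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue  # assumption: blank lines carry no entry
        if raw != "".join(raw.split()):
            # Any whitespace would become part of a service or user name.
            problems.append(f"line {lineno}: unexpected whitespace in {raw!r}")
            continue
        fields = raw.split(":")
        if len(fields) != 3:
            problems.append(
                f"line {lineno}: expected 3 colon-separated fields, got {len(fields)}")
            continue
        keyword, service, user = fields
        if keyword != REQUIRED_KEYWORD:
            problems.append(
                f"line {lineno}: keyword must be {REQUIRED_KEYWORD!r}, got {keyword!r}")
            continue
        if not service or not user:
            problems.append(f"line {lineno}: empty service or user name")
            continue
        if service in entries:
            problems.append(f"line {lineno}: duplicate entry for service {service!r}")
            continue
        entries[service] = user
    return entries, problems


def unresolved_users(entries):
    """Return the service names whose user does not exist in the local
    password database. The identity must be a real OS user, because it is
    the owner that ps shows for the service process."""
    missing = []
    for service, user in entries.items():
        try:
            pwd.getpwnam(user)
        except KeyError:
            missing.append(service)
    return missing


def validate_unix_map_file(path):
    """Read a candidate file and return every finding as a list of strings."""
    with open(path, encoding="ascii") as f:
        entries, problems = parse_unix_map(f.read())
    problems += [f"service {s!r}: user {entries[s]!r} does not exist"
                 for s in unresolved_users(entries)]
    return problems


if __name__ == "__main__":
    found, issues = parse_unix_map(DEFAULT_UNIX_MAP)
    print(found)
    print(issues or "no format problems")
```

Run it against the override copy with validate_unix_map_file("/var/ct/cfg/unix.map") before restarting the affected services; an empty list means every entry parsed and every user resolved.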

Security

  • The default identity mapping definition file /opt/rsct/cfg/ctsec_map.global is readable by all system users, but permissions prevent this file from being modified by any system user.
  • When creating the override identity mapping definition files /var/ct/cfg/ctsec_map.global and /var/ct/cfg/ctsec_map.local, make sure that the files can be read by any system user, but that they can only be modified by the root user or other restrictive user identity not granted to normal system users.
  • By default, these files reside in locally-mounted file systems. While it is possible to mount the /var/ct/cfg directory on a networked file system, this practice is discouraged. If the /var/ct/cfg/ctsec_map.local file were to reside in a networked file system, any node with access to that networked directory would assume that these definitions were specific to that node alone when in reality they would be shared.
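The three points above reduce to checks an administrator can script. The following is an added example, not RSCT code: it reports a mapping file that is not readable by every user, that is writable by group or other, that is not owned by root, or that sits on a network file system. It assumes the Linux /proc/mounts format and a fixed list of file system types treated as networked; both are assumptions, as is the list of paths in MAP_FILES, which combines the unix.map locations from this page with the ctsec_map override files named above.

```python
"""Ownership, permission and mount checks for identity mapping files
(added example, not RSCT's own code).

Assumptions: Linux /proc/mounts format; NETWORK_FS_TYPES is the set of
file system types treated as networked.
"""
import os
import stat

MAP_FILES = (
    "/opt/rsct/cfg/unix.map",
    "/var/ct/cfg/unix.map",
    "/var/ct/cfg/ctsec_map.global",
    "/var/ct/cfg/ctsec_map.local",
)
NETWORK_FS_TYPES = {"nfs", "nfs3", "nfs4", "cifs", "smb3", "smbfs", "afs", "fuse.sshfs"}


def perm_findings(mode, uid, require_root_owner=True):
    """Judge a permission mode (e.g. 0o644) and owner uid. Returns a list of
    findings; empty means world-readable and writable only by root."""
    findings = []
    if mode & 0o444 != 0o444:
        findings.append("not readable by all users")
    if mode & 0o022:
        findings.append("writable by group or other")
    if require_root_owner and uid != 0:
        findings.append("not owned by root")
    return findings


def mount_fstype(path, mounts_text=None):
    """Return the file system type of the mount holding path, read from
    /proc/mounts (Linux). mounts_text lets captured contents be passed in."""
    if mounts_text is None:
        with open("/proc/mounts") as f:
            mounts_text = f.read()
    real = os.path.realpath(path)
    best_len, best_type = -1, None
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        # /proc/mounts escapes spaces in mount points as \040.
        mnt, fstype = parts[1].replace("\\040", " "), parts[2]
        if real == mnt or real.startswith(mnt.rstrip("/") + "/"):
            # The longest matching mount point wins; on equal length the
            # later entry shadows the earlier one, as the kernel does.
            if len(mnt) >= best_len:
                best_len, best_type = len(mnt), fstype
    return best_type


def check_map_file(path, mounts_text=None, require_root_owner=True):
    """Return findings for one mapping file. A missing file yields no
    findings, because the /var/ct/cfg override files are optional."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return []
    findings = perm_findings(stat.S_IMODE(st.st_mode), st.st_uid, require_root_owner)
    fstype = mount_fstype(path, mounts_text)
    if fstype in NETWORK_FS_TYPES:
        findings.append(f"resides on network file system ({fstype})")
    return findings


if __name__ == "__main__":
    for map_path in MAP_FILES:
        for finding in check_map_file(map_path):
            print(f"{map_path}: {finding}")
```

Running the script as root on each node prints one line per problem; no output means every mapping file present matches the stated requirements. The network check only catches a mount that is visible in /proc/mounts on that node, so a bind mount of a remote directory still needs to be inspected by hand.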

Restrictions

This file should not be modified unless the administrator is instructed to do so by the cluster software service provider. Incorrect modification of this file will result in authentication failures for the applications listed in this file and possibly their client applications. If this configuration file is to be modified, the default /opt/rsct/cfg/unix.map file should not be modified directly. Instead, the file should be copied to /var/ct/cfg/unix.map, and modifications should be made to this copy. The default configuration file should never be modified.

Examples

This example shows the default contents of the configuration file:

    SERVICE:ctrmc:root
    SERVICE:rmc:root
    SERVICE:ctloadl:loadl
    SERVICE:ctdpcl:root
    SERVICE:ctpmd:root

Location

/var/ct/cfg/unix.map
Contains the unix.map file

Files

/opt/rsct/cfg/unix.map
Default location of the unix.map file