Purpose
Verifies the configuration for
the RSCT host-based authentication (HBA) security mechanism on the
local system.
Syntax
ctsvhbac [ [-d | -h | -m | -s ] | [ -e msgnum[,msgnum...] ] [ -l { 1 | 2 | 3 | 4 } | -b ] [ -p pubkeyfile ] [ -q pvtkeyfile ] [ -t thlfile ] ]
Description
The ctsvhbac command is a verification utility for the RSCT host-based
authentication (HBA) security mechanism. Use the ctsvhbac command to verify that the local system has configuration
and credential files and information, such as private keys and a trusted
host list, ready for the HBA security mechanism to use.
This
command performs the following series of tests on the configuration
of the HBA security mechanism:
- Verifies that the HBA mechanism configuration file is available
and can be processed.
- Verifies that the HBA private key file exists and can be processed.
- Verifies that the HBA public key file exists and can be processed.
- Verifies that the private and public keys for the local system
are in pair, which means that the public key is known to be derived
from the private key.
- Verifies that the HBA trusted host list file exists and can be
processed.
- Checks the contents of the HBA trusted host list for all of the
host names and network addresses supported by the local node, determining
whether entries exist in the trusted host list file for them. If
a host name or network address is found, the command verifies that
the same public key value that was used in earlier tests is listed
for the name or address.
The command user may specify the private key file, public
key file, and trusted host list file to use in the command. By default,
this information is extracted from the configuration file for the
HBA security mechanism.
Flags
- -b
- Produces brief output. When this option is used, the command
displays only summary output of the tests and any errors detected.
Further details of any errors can be determined by reissuing this
command without this option. If the -l option
is specified, this option is ignored.
- -d
- Displays the list of probes required for successful execution
of this command.
- -e
- Specifies a list of error messages that are not to be displayed
by this command during its execution. One or more message numbers
may be specified. Message numbers must be in the xxxx-yyy format.
Multiple messages are to be separated by commas (,) with no white
space characters.
- -h
- Displays a help message for this command.
- -l
- Allows the Cluster System Management (CSM) Probe Infrastructure
to set the detail level of the output. Accepted levels are:
- 1
- Verbose mode. Displays the command purpose summary and status
information for all tests.
- 2
- Displays the command purpose summary and any attention or error
conditions detected in any tests.
- 3
- Displays any attention or error conditions detected in any tests.
- 4
- Silent mode. Displays errors detected during the tests.
- -m
- Displays a detailed description of the command and its purpose.
- -p
- Specifies the path name of the public key file that is to be used
by the command. If this option is not specified, the command will
use the public key file currently configured for the HBA security
mechanism.
- -q
- Specifies the path name of the private key file that is to be
used by the command. If this option is not specified, the command
will use the private key file currently configured for the HBA security
mechanism.
- -s
- Displays a summary of the purpose for the command.
- -t
- Specifies the path name of the trusted host list file that is
to be used by the command. If this option is not specified, the command
will use the trusted host list file currently configured for the HBA
security mechanism.
Security
Permissions on the ctsvhbac command permit members of the bin user group to execute this command.
Exit Status
Exit status conforms to the
CSM Probe Infrastructure conventions.
- 0
- No problems detected. Any messages displayed either are informational
or indicate only minor alerts. No administration intervention is required.
- 10
- No problems were detected, but some items found warrant administrator
attention. This exit status most commonly occurs if an IP address
or host name supported by the local system is not listed in the trusted
host list, or is listed with an incorrect public key value. For this
exit status, the system administrator should examine the output to
determine which conditions were detected, and whether they require
corrective action.
To correct the most commonly reported conditions:
- Ensure that any IP addresses or host names that are not in the
trusted host list were purposely omitted. If not, update the trusted
host list on the local system.
- Repair any entries for local IP addresses and host names that
use incorrect public keys.
- 20
- One or more problems were detected. This exit status occurs for
the following conditions:
- The HBA security mechanism is configured incorrectly.
- Public and private keys might not be in pair.
- The trusted host list contains none of the IP address or host
name values supported by the local system.
Unless these conditions are corrected, authentication requests
using the HBA mechanism probably will not be successful on this system.
For this exit status, the system administrator must examine the command
output to identify and resolve reported problems. To correct reported
problems, follow the problem-resolution advice listed in the command
output.
- 127
- Unexpected failure in this command. For this exit status, the
administrator should verify that at least one network interface is
both configured and active on this system.
Restrictions
- Cluster security services supports its own host identifier format
and trusted host list file format only.
- This command only verifies trusted host lists; it never modifies them. Entries are added, removed, and listed with the ctsthl command.
- Cluster security services does not provide an automated utility
for creating, managing, and maintaining trusted host lists throughout
the cluster. This is a procedure left to either the system administrator
or the cluster management software.
Standard Output
When the -h flag is specified, this command's usage statement is written
to standard output. Otherwise, the results of the verification tests are
written to standard output at the level of detail selected by the -l
or -b flag; when neither is given, the full report shown in the Examples
section is written.
Standard Error
Descriptive information
for any detected failure condition is written to standard error.
Examples
To verify the HBA security mechanism,
enter:
ctsvhbac
Output would be similar to:
------------------------------------------------------------------------
Host Based Authentication Mechanism Verification Check

Private and Public Key Verifications

        Configuration file: /usr/sbin/rsct/cfg/ctcasd.cfg
                    Status: Available
                  Key Type: rsa512
                            RSA key generation method, 512-bit key

          Private Key file: /var/ct/cfg/ct_has.qkf
                    Source: Configuration file
                    Status: Available
                  Key Type: rsa512
                            RSA key generation method, 512-bit key

           Public Key file: /var/ct/cfg/ct_has.pkf
                    Source: Configuration file
                    Status: Available
                  Key Type: rsa512
                            RSA key generation method, 512-bit key

                Key Parity: Public and private keys are in pair

Trusted Host List File Verifications

    Trusted Host List file: /var/ct/cfg/ct_has.thl
                    Source: Configuration file
                    Status: Available

                  Identity: avenger.pok.ibm.com
                    Status: Trusted host

                  Identity: 9.117.10.4
                    Status: Trusted host

                  Identity: localhost
                    Status: Trusted host

                  Identity: 127.0.0.1
                    Status: Trusted host

Host Based Authentication Mechanism Verification Check completed
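The report above is what an administrator reads by hand; on a cluster of any size it is worth checking it mechanically, for the same conditions the tests in the Description section and the exit statuses 10 and 20 describe. The following script is an added example, not RSCT code and not part of the ctsvhbac command. It parses a report in the format shown above (the embedded SAMPLE_REPORT is constructed from that format), reports any file that is not Available, any key pair that is not in pair, and any local identity whose status is not "Trusted host", and grades the result on the page's 0/10/20 scale. It also applies one check ctsvhbac does not perform: the example above shows rsa512 keys, and a 512-bit RSA modulus can be factored with modest resources today, so the script flags key types below a minimum size. The MIN_RSA_BITS threshold and the CTSVHBAC path are this script's own assumptions; the key type in use is set in the HBA configuration file reported above, and the wording of a negative identity status is not shown on this page, so anything other than "Trusted host" is treated as a failure.

```python
"""Parse a ctsvhbac report and grade it against a local policy.

Added example; not RSCT code and not part of the ctsvhbac command. SAMPLE_REPORT
is constructed from the output format shown on this page; MIN_RSA_BITS is this
script's own assumption, not an RSCT requirement.
"""
import os
import re
import subprocess
from collections import namedtuple

CTSVHBAC = "/usr/sbin/rsct/bin/ctsvhbac"
MIN_RSA_BITS = 2048   # assumption (local policy): 512-bit RSA moduli are factorable today

SAMPLE_REPORT = """\
Host Based Authentication Mechanism Verification Check

          Private Key file: /var/ct/cfg/ct_has.qkf
                    Status: Available
                  Key Type: rsa512
                            RSA key generation method, 512-bit key

           Public Key file: /var/ct/cfg/ct_has.pkf
                    Status: Available
                  Key Type: rsa512

                Key Parity: Public and private keys are in pair
Trusted Host List File Verifications

    Trusted Host List file: /var/ct/cfg/ct_has.thl
                    Source: Configuration file
                    Status: Available

                  Identity: avenger.pok.ibm.com
                    Status: Trusted host

                  Identity: 9.117.10.4
                    Status: Trusted host
"""

Report = namedtuple("Report", "files key_parity identities")
# files: {"Private Key file": {"path": ..., "Status": ..., "Key Type": ...}, ...};
# key_parity: the "Key Parity" value or None; identities: [(identity, status), ...]
LINE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")   # matches "<Label>: <value>" lines only

def parse_report(text):
    """Headings and continuation lines carry no colon and are skipped."""
    files, identities, parity, cur_file, in_identity = {}, [], None, None, False
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        label, value = m.group(1).strip(), m.group(2).strip()
        if label.endswith(" file"):              # a new file block starts
            cur_file, in_identity = label, False
            files[label] = {"path": value}
        elif label == "Identity":                # trusted-host-list entry; its Status line follows
            in_identity = True
            identities.append((value, None))
        elif label == "Key Parity":
            parity = value
        elif label == "Status" and in_identity:
            identities[-1] = (identities[-1][0], value)
        elif cur_file is not None:               # Status / Source / Key Type of the current file
            files[cur_file][label] = value
    return Report(files, parity, identities)

def evaluate_report(r, min_rsa_bits=MIN_RSA_BITS):
    """Return (status, findings); status follows the page's 0 / 10 / 20 exit-status convention."""
    findings, status = [], 0
    for label, info in r.files.items():
        if info.get("Status") != "Available":            # file missing or unreadable
            findings.append(f"{label} {info['path']}: status {info.get('Status')!r}")
            status = max(status, 20)
    for ktype in sorted({i.get("Key Type") for i in r.files.values()} - {None}):
        m = re.fullmatch(r"rsa(\d+)", ktype)
        if m and int(m.group(1)) < min_rsa_bits:         # policy check, not one of ctsvhbac's tests
            findings.append(f"key type {ktype} is below the {min_rsa_bits}-bit policy minimum")
            status = max(status, 10)
    if r.key_parity != "Public and private keys are in pair":
        findings.append(f"key parity: {r.key_parity!r}")
        status = max(status, 20)
    for ident, s in r.identities:
        if s != "Trusted host":                          # any other wording is treated as a failure
            findings.append(f"identity {ident}: {s!r}")
            status = max(status, 10)
    if not any(s == "Trusted host" for _, s in r.identities):
        findings.append("no local host name or address is in the trusted host list")
        status = max(status, 20)
    return status, findings

if __name__ == "__main__":
    if os.path.exists(CTSVHBAC):                         # on an RSCT node, grade the live report
        proc = subprocess.run([CTSVHBAC], capture_output=True, text=True)
        text, rc = proc.stdout, proc.returncode
    else:                                                # elsewhere, grade the constructed sample
        text, rc = SAMPLE_REPORT, None
    status, findings = evaluate_report(parse_report(text))
    print(f"ctsvhbac exit status: {rc}  policy status: {status}")
    for f in findings:
        print(" -", f)
```

Run on an RSCT node the script grades the live report; anywhere else it grades the constructed sample, which passes every ctsvhbac test but fails the key-size policy. Compare the script's status with the command's real exit status: a command exit of 0 or 10 alongside a policy status of 20 means the parser met wording it does not know, which is the case to investigate rather than ignore.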
Location
- /usr/sbin/rsct/bin/ctsvhbac
- Contains the ctsvhbac command
Files
- /usr/sbin/rsct/cfg/ctcasd.cfg
- The HBA mechanism configuration file, at the location reported in the
example above. When -p, -q, or -t is not specified, the command takes the
public key, private key, and trusted host list file names from this file.
- /var/ct/cfg/ct_has.qkf
- The HBA private key file, at the location reported in the example above.
- /var/ct/cfg/ct_has.pkf
- The HBA public key file, at the location reported in the example above.
- /var/ct/cfg/ct_has.thl
- The HBA trusted host list file, at the location reported in the example above.
- /usr/sbin/rsct/cfg/ctsec_map.global
- The default identity mapping definition file. This file contains
definitions required by the RSCT cluster trusted services in order
for these systems to execute properly immediately after software installation.
This file is ignored if the cluster-wide identity mapping definition
file /var/ct/cfg/ctsec_map.global exists
on the system. Therefore, any definitions within this file should
also be included in the cluster-wide identity mapping definition file,
if that file exists.
- /var/ct/cfg/ctsec_map.local
- Local override to the cluster-wide identity mapping definitions.
Definitions within this file are not expected to be shared between
nodes within the cluster.
- /var/ct/cfg/ctsec_map.global
- Cluster-wide identity mapping definitions. This file is expected
to contain identity mapping definitions that are common throughout
the cluster. If this file exists on the system, the default identity
mapping definition file is ignored. Therefore, if this file exists,
it should also contain any entries that would also be found in the
default identity mapping definition file.