ctsvhbal Command

Purpose

Displays the possible identities that the local system may use to identify itself in RSCT host-based authentication (HBA) security mechanism credentials.

Syntax

ctsvhbal [ [ -d | -h | -m | -s ] | [ -e msgnum[,msgnum...] ] [ -l { 1 | 2 | 3 | 4 } | -b ] ]

Description

The ctsvhbal command is a verification utility for the RSCT host-based authentication (HBA) security mechanism. It displays the possible identities that the local system may use to identify itself in HBA credentials.

The HBA security mechanism might use either a host name or a network address value as part of the identification information within a credential, depending on the method chosen by the application. If the local system is to service requests from remote systems, at least one network address and host name for that remote system must appear in the trusted host list on the local system. To verify that the remote system can successfully authenticate the local system, system administrators use a combination of RSCT cluster security commands:
  1. On both the local and remote system, issue the ctsvhbac command to verify that each system has a valid HBA security mechanism configuration.
  2. On the local system, issue the ctsvhbal command to determine the values that the HBA security mechanism will use to identify this host to a remote system.
  3. On the remote system, issue the ctsvhbar command, specifying the local system host name or IP address, to determine the value that the remote system will use to verify HBA credentials transmitted from the local system.
  4. Compare the ctsvhbal and ctsvhbar command output to determine whether the two systems are using the same scheme for host-name resolution. If an exact host-name match does not appear in the output, repair the host-name resolution scheme, and repeat the steps above until both commands yield an exact match.
Completing these steps verifies successful authentication in one direction; in other words, the procedure verifies only that the remote system can authenticate requests from the local system. Because RSCT subsystems often use mutual authentication, system administrators also should verify that the local system can successfully authenticate the remote system. To complete the verification, the following additional steps are required:
  • On the remote system, issue the ctsvhbal command to determine the values that the HBA security mechanism will use to identify that host to the local system.
  • On the local system, issue the ctsvhbar command, specifying the remote system host name or IP address, to determine the value that the local system will use to verify HBA credentials transmitted from the remote system.
  • Compare the ctsvhbal and ctsvhbar command output to determine whether the two systems are using the same scheme for host-name resolution. If an exact host-name match does not appear in the output, repair the host-name resolution scheme, and repeat the steps above until both commands yield an exact match.
Completing these additional steps verifies successful authentication when traffic flows in the opposite direction, from the remote system to the local system.
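The procedure above ends with a by-eye comparison of ctsvhbal and ctsvhbar output. The following shell helpers, added here as an example and not part of the ctsvhbal manual page or of RSCT, make that comparison mechanical: they parse ctsvhbal output (the format shown in the Examples section of this page), test for the exact host-name match step 4 requires, and check that the identity list contains both a host name and a network address. The sample ctsvhbal output embedded below is constructed from the example on this page; the value reported by ctsvhbar on the peer is passed in as an argument, copied by the operator from that command's output, so no ctsvhbar output format is assumed.

```shell
#!/bin/sh
# Added example (not part of the ctsvhbal manual page or RSCT): helpers for
# checking the output of the HBA identity-verification procedure.
# ctsvhbal output format follows the Examples section of this page; the sample
# text below is constructed from it, not captured from a real system.

SAMPLE_CTSVHBAL_OUTPUT='ctsvhbal: The Host Based Authentication (HBA) mechanism identities for
the local system are:

                  Identity:  zathras.pok.ibm.com

                  Identity:  9.127.100.101

ctsvhbal: At least one of the above identities must appear in the
trusted host list on the node where a service application resides in order
for client applications on the local system to authenticate successfully.'

# Constructed output for a host whose interfaces resolve to an address only.
SAMPLE_ADDRESS_ONLY_OUTPUT='ctsvhbal: The Host Based Authentication (HBA) mechanism identities for
the local system are:

                  Identity:  9.127.100.101'

# hba_identities: read ctsvhbal output on stdin, print one identity per line.
hba_identities() {
    sed -n 's/^[[:space:]]*Identity:[[:space:]]*//p' | sed 's/[[:space:]]*$//'
}

# hba_exact_match ID: succeed only if ID is byte-for-byte one of the identities
# on stdin (grep -F -x). "zathras" does not match "zathras.pok.ibm.com" and a
# case difference is a mismatch, which is the exact-match rule step 4 demands.
hba_exact_match() {
    hba_identities | grep -Fxq -- "$1"
}

# hba_has_hostname_and_address: succeed only if the identities on stdin include
# at least one network address and at least one host name, the condition the
# ctsvhbal message asks you to satisfy in the peer's trusted host list.
# Addresses are recognised as IPv4 dotted quads or anything containing ':' (IPv6).
hba_has_hostname_and_address() {
    ids=$(hba_identities)
    addr_re='^([0-9]+(\.[0-9]+){3}|[0-9A-Fa-f:]*:[0-9A-Fa-f:]*)$'
    printf '%s\n' "$ids" | grep -Eq "$addr_re" || return 1
    printf '%s\n' "$ids" | grep -Ev "$addr_re" | grep -q . || return 1
}

# hba_report PEER_SEEN_NAME: verdict for step 4, given ctsvhbal output on stdin
# and the host name that ctsvhbar on the peer reported for this system.
hba_report() {
    out=$(cat)
    if printf '%s\n' "$out" | hba_exact_match "$1"; then
        echo "OK: peer resolves this host to '$1', which ctsvhbal also lists"
        return 0
    fi
    echo "MISMATCH: peer resolves this host to '$1'; ctsvhbal lists:"
    printf '%s\n' "$out" | hba_identities | sed 's/^/    /'
    echo "Repair host-name resolution (DNS, /etc/hosts, nsswitch) and re-run both commands."
    return 1
}

# Live usage on an RSCT node: run ctsvhbar on the peer, read the host name it
# printed for this system, then on this system:
#   ctsvhbal | hba_report 'name-printed-by-ctsvhbar'
```

A non-zero status from hba_report means the two systems resolve the local host differently, which is exactly the case in which HBA credentials from this host will be rejected by the peer; run the same check in the other direction (peer's ctsvhbal against the local ctsvhbar) to cover mutual authentication.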

For more detailed instructions and examples, see the cluster security topics in RSCT Administration Guide.

Flags

-b
Produces brief output. When this option is used, the command displays only the host identities found for the local system and any errors detected. If the -l option is specified, this option is ignored.
-d
Displays the list of probes required for successful execution of this command.
-e
Specifies a list of error messages that are not to be displayed by this command during its execution. One or more message numbers may be specified. Message numbers must be in the xxxx-yyy format. Multiple messages are to be separated by commas (,) with no white space characters.
-h
Displays a help message for this command.
-l
Allows the Cluster Systems Management (CSM) Probe Infrastructure to set the detail level of the output. Accepted levels are:
1
Verbose mode. Displays the command purpose summary and status information for all tests.
2
Displays the command purpose summary and any attention or error conditions detected in any tests.
3
Displays any attention or error conditions detected in any tests.
4
Silent mode. Displays only the errors detected during the tests.
-m
Displays a detailed description of the command and its purpose.
-s
Displays a summary of the purpose for the command.

Parameters

None.

Security

Permissions on the ctsvhbal command permit members of the bin user group to execute this command.

Exit Status

Exit status conforms to the CSM Probe Infrastructure conventions.
0
No problems detected. Any messages displayed are informational. No administration intervention is required.
10
No problems were detected, but the local system is unable to authenticate itself to any remote systems. The local system does not have any active network interfaces, which is a configuration that RSCT permits. For this exit status, however, the system administrator should verify that this configuration is appropriate.
20
One or more problems were detected. Host-name resolution mechanisms that the local system uses are unable to obtain host names of network interfaces that the local system supports. Unless this condition is corrected, authentication requests using the HBA mechanism probably will not be successful on this system. For this exit status, the system administrator should follow the problem-resolution advice listed in the command output.
127
Unexpected failure in this command.

Restrictions

  • Cluster security services supports its own host identifier format and trusted host list file format only.
  • This command only displays identities; it does not create or modify the trusted host list. Use the ctsthl command to change trusted host list contents.
  • Cluster security services does not provide an automated utility for creating, managing, and maintaining trusted host lists throughout the cluster. This is a procedure left to either the system administrator or the cluster management software.

Standard Output

When the -h flag is specified, this command's usage statement is written to standard output. Otherwise, the identities found for the local system, together with any attention or error conditions at the detail level selected by the -l or -b flag, are written to standard output.

Standard Error

Descriptive information for any detected failure condition is written to standard error.

Examples

To display the possible identities that the local system may use to identify itself in HBA credentials, enter:
ctsvhbal
Output would be similar to:
ctsvhbal: The Host Based Authentication (HBA) mechanism identities for 
the local system are:

                  Identity:  zathras.pok.ibm.com

                  Identity:  9.127.100.101  

ctsvhbal: At least one of the above identities must appear in the 
trusted host list on the node where a service application resides in order 
for client applications on the local system to authenticate successfully. 
Ensure that at least one host name and one network address identity from the 
above list appears in the trusted host list on the service systems used by 
applications on this local system.  

Location

/opt/rsct/bin/ctsvhbal
Contains the ctsvhbal command

Files

/opt/rsct/cfg/ctcasd.cfg
Default configuration for the ctcasd daemon
/var/ct/cfg/ctcasd.cfg
Configuration for the ctcasd daemon, which can be modified by the system administrator