/etc/nscontrol.conf File

Purpose

Contains configuration information of some name services.

Description

The /etc/nscontrol.conf file is a stanza file, with each stanza name representing a database name. You can use the lssec command and the chsec commands to manage the /etc/nscontrol.conf file. The stanza controls the following stanza names and library subroutines:

Stanza Name	RBAC and Domain RBAC library subroutines
authorizations	getauthattr, getauthattrs, putauthattr, putauthattrs
roles	getroleattr, getroleattrs, putroleattr, putroleattrs
privcmds	getcmdattr, getcmdattrs, putcmdattr, putcmdattrs
privdevs	getdevattr, getdevattrs, putdevattr, putdevattrs
privfiles	getpfileattr, getpfileattrs, putpfileattr, putpfileattrs

The below stanzas are for EFS Library subroutines and for Remote EFS Keystore support:

efsusrkeystore
efsgrpkeystore
efsadmkeystore

The below stanzas are for Trusted Execution Library subroutines and for Trusted Execution Remote Signature and Policy database support:

tsddat
tepolicies

You can specify the following attributes:

Item	Description
secorder	A comma-separated list of module names that library subroutines use in searching and updating a database. The following module names are valid: files Specifies the local module, namely the database files from the /etc/security directory. This is the default value. For EFS Keystore /var/efs/<users/groups>/<username/groupname>/keystore directory. LDAP Specifies the LDAP module. You must configure the system as an LDAP client. A search operation is performed on each module in the order that is specified until a matching entry is found. A failure is returned if no match is found from all of the modules. A modification operation is performed on the first entry match. A creation operation is performed on the first module in the list only. You can override the value of the secorder attribute by calling the setsecorder subroutine in an application program, or by using the -R module option on commands that support the option.
databasename	Specifies the database names to consider with database operations. The databasename attribute is used for Trusted Execution Databases, such as the Trusted Signature Database and the TE policy Database. While the LDAP search operation is performed these names are used as a part of Distinguished Names (DN).

Item

Description

secorder

A comma-separated list of module names that library subroutines use in searching and updating a database. The following module names are valid:

files: Specifies the local module, namely the database files from the /etc/security directory. This is the default value. For EFS Keystore /var/efs/<users/groups>/<username/groupname>/keystore directory.
LDAP: Specifies the LDAP module. You must configure the system as an LDAP client.

A search operation is performed on each module in the order that is specified until a matching entry is found. A failure is returned if no match is found from all of the modules. A modification operation is performed on the first entry match. A creation operation is performed on the first module in the list only.

You can override the value of the secorder attribute by calling the setsecorder subroutine in an application program, or by using the -R module option on commands that support the option.

databasename

Specifies the database names to consider with database operations. The databasename attribute is used for Trusted Execution Databases, such as the Trusted Signature Database and the TE policy Database. While the LDAP search operation is performed these names are used as a part of Distinguished Names (DN).

You can specify the following attribute for EFS stanzas:

Item	Description
Searchorder	A comma-separated list of module names that library subroutines use in searching and updating a database. The following module names are valid: files Specifies the local module, namely the database files from the /var/efs/<users/groups>/<username/groupname>/keystore directory. LDAP Specifies the LDAP module. You must configure the system as an LDAP client. A search operation is performed on each module in the order that is specified until a matching entry is found. A failure is returned if no match is found from all of the modules. A modification operation is performed on the first entry match. A creation operation is performed on the first module in the list only. You can override the value of the searchorder attribute by using the -R module option on commands that support the option.

Item

Description

Searchorder

A comma-separated list of module names that library subroutines use in searching and updating a database. The following module names are valid:

files: Specifies the local module, namely the database files from the /var/efs/<users/groups>/<username/groupname>/keystore directory.
LDAP: Specifies the LDAP module. You must configure the system as an LDAP client.

You can override the value of the searchorder attribute by using the -R module option on commands that support the option.

Files

Item	Description
/etc/security/domains	Contains domain definitions.
/etc/security/domobjs	Contains domain objects and their associated security settings.
/etc/security/authorizations	Contains the user-defined authorizations.
/etc/security/roles	Contains role definitions.
/etc/security/privcmds	Contains privileged command names and their associated security settings.
/etc/security/privdevs	Contains privileged device names and their associated security settings.
/etc/security/privfiles	Contains authorization lists for privileged configuration files that the trvi editor can access.
/etc/security/tsd/tsd.dat	Contains trusted signature database.
/etc/security/tsd/tepolicies.dat	Contains trusted execution policies for the system.
/var/efs	Contains all the EFS Keystores.

Security

This files grants read and write access to the root user. Access for other users and groups depends on the security policy for the system.

Examples

An example of the authorizations stanza follows:
```
authorizations:
        secorder = files,LDAP
```
This entry states that the search for an authorization is done in the local /etc/security/authorizations database first. If no matching entry is found, further search is done in the LDAP database.
An example of the domains stanza follows:
```
domains:
        secorder = files,LDAP
```
This entry states that the domain is searched in the local /etc/security/domains database first. If no matching entry is found, in the LDAP database is searched.
An example of the TE Signature Database stanza follows:
```
tsddat:
			secorder = LDAP,files
			databasename = TSD_v1
```
Note: In case of tsddat stanza and tepolicies stanza the secorder files, LDAP is not a valid use case.
An example of the efsusrkeystore stanza follows:
```
efsusrkeystore:
        secorder = LDAP,files
```