ctcasd Daemon
Purpose
Provides and authenticates the credentials of the RSCT host-based authentication (HBA) and enhanced host-based authentication (HBA2) security mechanisms for the cluster security services.
Syntax
ctcasd [-b]
Description
The ctcasd daemon is used by the cluster security services library when the RSCT HBA security mechanism is configured and active within the cluster environment. The cluster security services use ctcasd when service requesters and service providers try to create a secured execution environment through a network connection. ctcasd is not used when service requesters and providers establish a secured execution environment through a local operating system connection such as a UNIX domain socket.
When a service requester and a service provider have agreed to use HBA authentication through the cluster security services, the cluster security services library uses ctcasd to obtain and authenticate HBA credentials. Cluster security services does not provide a direct interface to the daemon that can be invoked by user applications.
The ctcasd daemon can be started or stopped using system resource controller (SRC) commands.
During startup, the daemon obtains its operational parameters from the ctcasd.cfg configuration file. The daemon expects to find this file in the /var/ct/cfg/ directory. System administrators can modify the operational parameters in this file to suit their needs. If this file is not found, the daemon uses the default configuration stored in /opt/rsct/cfg/ctcasd.cfg.
RSCT HBA and HBA2 credentials are derived from the local node's private and public keys. These keys are located in files that are configured in ctcasd.cfg. These credentials are encrypted using the public key of the receiving node. Public keys for the nodes within the cluster are stored in a trusted host list file on each node. The location of this file is also defined in the ctcasd.cfg configuration file. The system administrator is responsible for creating and maintaining this trusted host list, as well as for synchronizing the lists throughout the cluster.
If the daemon detects that both the node's public and private key files are not present, ctcasd assumes that it is being started for the first time and creates these files. The daemon also creates the initial trusted host list file for this node. This file contains an entry for localhost and the host names and IP addresses associated with all AF_INET-configured and active adapters that the daemon can detect. Inadvertent authentication failures can occur if the public and private key files were accidentally or intentionally removed from the local system before the daemon was restarted: in that case ctcasd creates new keys for the node, and these do not match the keys for this node stored on the other cluster nodes. If RSCT HBA and HBA2 authentication suddenly fails after a system restart, this is a possible source of the failure.
Critical failures detected by the daemon that cause shutdown of the daemon are recorded to persistent storage. In AIX®-based clusters, records are created in the AIX error log and the system log. In Linux-based clusters, records are created in the system log.
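The following pre-restart check is an added example, not part of the ctcasd daemon or the RSCT documentation. It encodes the configuration-file precedence and the key-regeneration condition described above: it resolves which ctcasd.cfg the daemon will read, classifies the state of the node's key files, and records checksums of the public key and trusted host list so that an administrator can tell after the restart whether the daemon minted a fresh key pair. It assumes the default file locations listed under Files; the directory and path arguments exist only so the check can be run against a test directory.

```shell
#!/bin/sh
# Pre-restart sanity check for ctcasd key material (added example, not IBM code).
# Arguments default to the documented RSCT paths; override them for testing.

# Resolve the configuration file ctcasd will read: the administrator's copy in
# /var/ct/cfg if present, otherwise the shipped default in /opt/rsct/cfg.
ctcasd_config_path() {
    admin_cfg="${1:-/var/ct/cfg/ctcasd.cfg}"
    default_cfg="${2:-/opt/rsct/cfg/ctcasd.cfg}"
    if [ -f "$admin_cfg" ]; then
        printf '%s\n' "$admin_cfg"
    else
        printf '%s\n' "$default_cfg"
    fi
}

# Classify the node's key files in the given directory:
#   ok      - both ct_has.pkf and ct_has.qkf are present
#   partial - only one is present (regeneration is documented only for the
#             both-absent case, so this node needs manual attention)
#   missing - both absent: ctcasd will create a new key pair on its next start,
#             which will not match the copies other nodes hold in their THLs
ctcasd_key_state() {
    dir="${1:-/var/ct/cfg}"
    pkf="$dir/ct_has.pkf"
    qkf="$dir/ct_has.qkf"
    if [ -f "$pkf" ] && [ -f "$qkf" ]; then
        echo ok
    elif [ -f "$pkf" ] || [ -f "$qkf" ]; then
        echo partial
    else
        echo missing
    fi
}

# Print checksums of the public key and trusted host list. Save this output
# before the restart and compare afterwards: a changed ct_has.pkf checksum
# means the daemon regenerated keys and every other node's THL is now stale.
ctcasd_fingerprint() {
    dir="${1:-/var/ct/cfg}"
    for f in ct_has.pkf ct_has.thl; do
        if [ -f "$dir/$f" ]; then
            cksum "$dir/$f"
        else
            echo "ABSENT $dir/$f"
        fi
    done
}
```

Run `ctcasd_key_state` and `ctcasd_fingerprint` before stopping the daemon through SRC; anything other than `ok`, or a changed public-key checksum afterwards, explains a sudden HBA/HBA2 authentication failure without guessing.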
Flags
- -b
- Starts the daemon in bootstrap mode. The daemon runs as a foreground process and is not controlled by the system resource controller (SRC).
Restrictions
- The ctcasd daemon does not encrypt the HBA identity credentials.
- Cluster security services supports its own file formats, private key formats, and public key formats only. Cluster security services does not support secured remote shell formats.
Implementation specifics
This daemon is part of the Reliable Scalable Cluster Technology (RSCT) cluster security services. It is shipped as part of the rsct.core.sec fileset for AIX.
Location
- /opt/rsct/bin/ctcasd
- Contains the ctcasd daemon
Files
- /opt/rsct/cfg/ctcasd.cfg
- Default configuration for the ctcasd daemon
- /var/ct/cfg/ctcasd.cfg
- Configuration for the ctcasd daemon, which can be modified by the system administrator
- /var/ct/cfg/ct_has.pkf
- Default location of the cluster security services public key file for the node
- /var/ct/cfg/ct_has.qkf
- Default location of the cluster security services private key file for the node
- /var/ct/cfg/ct_has.thl
- Default location of the cluster security services trusted host list for the node