Configuring the ctcasd daemon on a node

When using host based authentication (HBA) or enhanced host based authentication (HBA2) as a security method, cluster security services uses the ctcasd daemon to provide and authenticate operating system identity based credentials.

The ctcasd daemon obtains its operational parameters from a configuration file (ctcasd.cfg). This configuration file sets the operational environment for the daemon, including:
  • How many threads to create
  • What key generation method to use in preparing host public and private keys
  • Where the key files and trusted host list files reside on the node
  • How long credentials should be considered valid after their creation
  • Whether execution tracing should be enabled
When cluster security services are installed on a node, a default configuration file is installed in /opt/rsct/cfg/ctcasd.cfg. This is an ASCII text file that contains configurable parameters and their associated default values. This default configuration file should not be modified. If you want to change the ctcasd configuration on a node to, for example, improve the performance of the daemon by altering the thread limits, use the following procedure:
  1. Copy the /opt/rsct/cfg/ctcasd.cfg file to /var/ct/cfg/ctcasd.cfg.
    cp /opt/rsct/cfg/ctcasd.cfg /var/ct/cfg/ctcasd.cfg
  2. Using an ASCII text editor, modify the new ctcasd.cfg file in /var/ct/cfg. The contents of the file will look similar to the following:
    TRACE= ON
    TRACEFILE= /var/ct/IW/log/ctsec/ctcasd/trace 
    TRACELEVELS= _SEC:Info=1,_SEC:Errors=1
    TRACESIZE= 1003520
    RQUEUESIZE=
    MAXTHREADS=
    MINTHREADS=
    THREADSTACK= 131072
    HBA_USING_SSH_KEYS= false
    HBA_PRVKEYFILE=
    HBA_PUBKEYFILE=
    HBA_THLFILE=
    HBA_KEYGEN_METHOD= rsa512
    HBA_CRED_TIMETOLIVE=
    HBA2_CRED_CTX_LIFETIME= -1
    HBA2_CRED_TIMETOLIVE= 300
    HBA2_NONCE_FILEMIN=
    SERVICES=hba CAS
    The keywords listed in this file will set the configurable parameters for the ctcasd daemon on this node. Table 1 describes the configurable parameters.
    Table 1. Keyword descriptions for the ctcasd daemon configuration file
    Keyword Description
    TRACE Indicates whether or not tracing of the ctcasd daemon is enabled. Valid values are "on" and "off". When tracing is enabled, the TRACEFILE, TRACELEVELS, and TRACESIZE keywords specify the location, level, and size of the trace file generated.

    Setting the CT_TR_TRACE environment variable overrides any setting specified using the TRACE keyword in the ctcasd.cfg file. For more information about tracing the ctcasd daemon, see the Troubleshooting RSCT guide.

    TRACEFILE When tracing of the ctcasd daemon is enabled, this indicates the location of the trace file. If this value is not set, the default location is /var/ct/IW/log/ctsec/ctcasd/trace. The default directory /var/ct/IW/log/ctsec/ctcasd will be created automatically by the ctcasd daemon. However, if you use the TRACEFILE keyword to specify another location, you must ensure that the directory you specify exists. If it does not, the default location will be used instead, and an error will be logged in the trace.

    Setting the CT_TR_FILENAME environment variable overrides any setting specified using the TRACEFILE keyword in the ctcasd.cfg file.

    TRACELEVELS When tracing of the ctcasd daemon is enabled, this indicates the level of the trace.
    The _SEC category traces execution of the ctcasd daemon. Valid values are:
    _SEC:Info=0
    no tracing
    _SEC:Info=1
    trace minimum information messages
    _SEC:Info=4
    trace additional information messages
    _SEC:Info=8
    trace all information messages
    _SEC:Errors=0
    no tracing for errors
    _SEC:Errors=1
    trace all errors causing domain termination
    _SEC:Errors=2
    trace all call errors
    _SEC:Errors=4
    trace failed requests
    _SEC:Errors=8
    trace all errors
     
    The _SEU category traces processing within the unix host based authentication (HBA) MPM that can be invoked from the ctcasd daemon. Valid values are:
    _SEU:Info=1
    trace all informational messages
    _SEU:Errors=1
    trace all errors
    _SEU:API=1
    trace all entries and exits from HBA MPM interfaces
    _SEU:API=8
    trace entries, exits, and parameters from HBA MPM interfaces
     
    The _SEH category traces processing within the hba2 enhanced host based authentication (HBA2) MPM that can be invoked from the ctcasd daemon. Valid values are:
    _SEH:Info=1
    trace basic informational messages
    _SEH:Info=2
    trace informational messages with more detail
    _SEH:Info=8
    trace all informational messages
    _SEH:Errors=1
    trace all errors
    _SEH:API=1
    trace all entries and exits from HBA2 MPM interfaces
    _SEH:API=8
    trace entries, exits, and parameters from HBA2 MPM interfaces
     
    The _SEI category traces processing within the native identity mapping functions that can be invoked from the ctcasd daemon. Valid values are:
    _SEI:Error=1
    trace all errors
    _SEI:API=1
    trace all entries and exits from the native identity mapping interfaces
    _SEI:API=8
    trace entries, exits, and parameters from the native identity mapping interfaces
    _SEI:Mapping=1
    reports the identity mapping rule employed to obtain a mapped identity
    _SEI:Mapping=2
    reports the identity obtained through the identity mapping procedure
    _SEI:Mapping=8
    combines the results of _SEI:Mapping levels 1 and 2
    _SEI:Milestone=1
    indicates major processing checkpoints in the identity mapping process
    _SEI:Milestone=8
    traces details of major processing checkpoints in the identity mapping process
    _SEI:Diag=1
    traces diagnostic information for the IBM® Support Center
     
    The trace settings can be combined by using a comma to separate each setting. For example:
    TRACELEVELS= _SEC:Info=8,_SEC:Errors=8
    If not specified, the default is _SEC:Info=1, _SEC:Errors=1. Setting the CT_TR_TRACE_LEVELS environment variable overrides any setting specified using the TRACELEVELS keyword in this file. For more information about tracing the ctcasd daemon, see the Troubleshooting RSCT guide.
    TRACESIZE When tracing of the ctcasd daemon is enabled, this indicates the size of the trace file. The minimum size is 4096, and the number specified will be rounded up to the nearest 4096 multiple. If not specified, the default trace-file size is 1003520.

    Setting the CT_TR_SIZE environment variable overrides any setting specified using the TRACESIZE keyword in the ctcasd.cfg file. For more information about tracing the ctcasd daemon, see the Troubleshooting RSCT guide.

    RQUEUESIZE Indicates the maximum length permitted for the daemon's internal run queue. If this value is not set, a default value of 64 is used.
    MAXTHREADS The limit to the number of working threads that the daemon may create and use at any given time (the “high water mark”). If this value is not set, a default value of 10 is used.
    THREADSTACK Sets the internal memory used by the daemon for thread stack space. The value is expressed in bytes. If no value is specified, the default system thread stack size is used. You should not modify this value unless instructed to do so by the IBM Support Center.
    MINTHREADS The number of idle threads that the daemon will retain if the daemon is awaiting further work (the “low water mark”). If this value is not set, a default value of 4 is used.
    HBA_USING_SSH_KEYS Indicates if the daemon is making use of Secured Remote Shell keys. Acceptable values are true and false. If no value is provided, a default value of false is used. Secured Remote Shell keys are not supported in the current release.
    HBA_PRVKEYFILE Provides the full path name of the file that contains the local node's private key. The directories in the path must exist. If they do not exist, the ctcasd daemon will terminate. If this value is not set, the default location of /var/ct/cfg/ct_has.qkf is used.
    HBA_PUBKEYFILE Provides the full path name of the file that contains the local node's public key. The directories in the path must exist. If they do not exist, the ctcasd daemon will terminate. If this value is not set, the default location of /var/ct/cfg/ct_has.pkf is used.
    HBA_THLFILE Provides the full path name of the file that contains the local node's trusted host list. If any directory in the path does not exist, the ctcasd daemon will start without creating a trusted host list. If this value is not set, the default location of /var/ct/cfg/ct_has.thl is used.
    HBA_KEYGEN_METHOD Indicates the method to be used by ctcasd to generate the private and public keys of the local node if the files containing these keys do not exist. Acceptable values are those that can be provided as arguments to the ctskeygen -m command. If no value is provided for this attribute, the default value of rsa1024 is used.

    However, if NIST compliance is enabled, this value is overridden with the value that you specified for the -m option of the chsecmode command.

    HBA_CRED_TIMETOLIVE Sets the life span of host based authentication (HBA) credentials (credentials created and verified using the unix mnemonic MPM). The credential life span dictates the period of time after a credential is created that the HBA mechanism should consider the credential valid. Setting a credential life span enables the HBA mechanism to detect outdated credentials and refuse authentication to applications presenting such credentials.

    If no value is specified for this keyword (the default), then credentials will not be checked for expiration.

    For more information on using this keyword, see Configuring credential life span.

    HBA2_CRED_CTX_LIFETIME Sets the expiration time for a security context that is established using the enhanced host based authentication (HBA2) mechanism. Once the security context is established, the context will remain valid for the length of time specified by this parameter. After this amount of time passes, the client and server applications will need to re-establish the security context.

    If no value is specified for this parameter, the HBA2 MPM will use a default value of 43 200 seconds (12 hours). The default ctcasd.cfg file sets this value to -1, indicating that security contexts established using the HBA2 MPM will not expire.

    HBA2_CRED_TIMETOLIVE Sets the life span of enhanced host based authentication (HBA2) credentials (credentials created and verified using the hba2 mnemonic MPM). The credential life span dictates the period of time after a credential is created that the HBA2 mechanism should consider the credential valid. Setting a credential life span enables the HBA2 mechanism to detect outdated credentials and refuse authentication to applications presenting such credentials.

    If no value is specified for this keyword, then credential tracking is not performed and credentials will not be checked for expiration. The default ctcasd.cfg file sets this value to 300 seconds (5 minutes).

    For more information on using this keyword, see Configuring credential life span.

    HBA2_NONCE_FILEMIN Indicates the minimum number of credential identities retained by the enhanced host based authentication (HBA2) mechanism between executions of the ctcasd daemon. Whenever the HBA2 MPM authenticates a credential, the identity information for that credential is stored and used in subsequent authentication attempts to detect repeat uses of the same credential. The ctcasd daemon creates a file and reserves enough file system space so that the HBA2 MPM can store the minimum number of credential identities. When the ctcasd daemon starts, it reads the contents of this file into memory and uses it in subsequent authentication checks using the HBA2 MPM. This permits ctcasd and the HBA2 MPM to check for re-used credentials from prior executions of the daemon if the ctcasd daemon has been shut down.

    If no value is specified for this parameter, the ctcasd daemon uses a default value of 4096.

    SERVICES Lists the internal library services that the daemon supports. Do not modify this entry unless instructed to do so by the IBM Support Center.
  3. Stop and restart the ctcasd daemon. Be aware that, while the daemon is offline, authentication will not be possible. To stop the daemon, issue the command:
    stopsrc -s ctcas
    To restart the daemon, issue the command:
    startsrc -s ctcas
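The procedure above edits the copied ctcasd.cfg by hand and then restarts the daemon, and authentication is unavailable while it is offline. As an added pre-flight check (example code, not part of the RSCT documentation or product), the following Python parses a copy of the file, applies the defaults documented in Table 1, and reports the settings a reviewer would want to see before the restart. The DEFAULTS and TRACE_KEYS tables and the check rules are derived from the keyword descriptions above; the sample excerpt is constructed.

```python
import re
# Documented defaults from Table 1; an empty value in ctcasd.cfg means "use the default".
DEFAULTS = {
    "TRACE": "on", "TRACEFILE": "/var/ct/IW/log/ctsec/ctcasd/trace",
    "TRACELEVELS": "_SEC:Info=1,_SEC:Errors=1", "TRACESIZE": "1003520", "RQUEUESIZE": "64",
    "MAXTHREADS": "10", "MINTHREADS": "4", "THREADSTACK": "", "HBA_USING_SSH_KEYS": "false",
    "HBA_PRVKEYFILE": "/var/ct/cfg/ct_has.qkf", "HBA_PUBKEYFILE": "/var/ct/cfg/ct_has.pkf",
    "HBA_THLFILE": "/var/ct/cfg/ct_has.thl", "HBA_KEYGEN_METHOD": "rsa1024",
    "HBA_CRED_TIMETOLIVE": "", "HBA2_CRED_CTX_LIFETIME": "43200", "HBA2_CRED_TIMETOLIVE": "",
    "HBA2_NONCE_FILEMIN": "4096", "SERVICES": "hba CAS",
}
# Trace categories and the sub-keys documented for each under TRACELEVELS.
TRACE_KEYS = {"_SEC": {"Info", "Errors"}, "_SEU": {"Info", "Errors", "API"},
              "_SEH": {"Info", "Errors", "API"},
              "_SEI": {"Error", "API", "Mapping", "Milestone", "Diag"}}
# Constructed excerpt of a /var/ct/cfg/ctcasd.cfg as it looks after step 1 (not a real node's file).
SAMPLE_CFG = ("TRACE= ON\nMAXTHREADS=\nMINTHREADS=\nHBA_KEYGEN_METHOD= rsa512\n"
              "HBA_CRED_TIMETOLIVE=\nHBA2_CRED_CTX_LIFETIME= -1\nHBA2_CRED_TIMETOLIVE= 300\nSERVICES=hba CAS\n")

def parse_cfg(text):
    cfg = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, val = line.partition("=")
            cfg[key.strip()] = val.strip()  # "KEYWORD=" with nothing after it becomes ''
    return cfg

def effective(cfg):
    eff = {k: (cfg.get(k) or d) for k, d in DEFAULTS.items()}  # blank or missing -> default
    # TRACESIZE: minimum 4096, rounded up to the nearest multiple of 4096
    eff["TRACESIZE"] = str(-(-max(int(eff["TRACESIZE"]), 4096) // 4096) * 4096)
    return eff

def check_cfg(cfg):
    eff, w = effective(cfg), [f"unknown keyword {k}" for k in cfg if k not in DEFAULTS]
    for item in eff["TRACELEVELS"].split(","):
        m = re.fullmatch(r"(_SE[CUHI]):([A-Za-z]+)=(\d+)", item.strip())
        if not m or m.group(2) not in TRACE_KEYS.get(m.group(1), set()):
            w.append(f"unrecognized TRACELEVELS entry {item.strip()!r}")
    if int(eff["MINTHREADS"]) > int(eff["MAXTHREADS"]):
        w.append("MINTHREADS (low water mark) exceeds MAXTHREADS (high water mark)")
    if (k := re.fullmatch(r"rsa(\d+)", eff["HBA_KEYGEN_METHOD"])) and int(k.group(1)) < 1024:
        w.append("HBA_KEYGEN_METHOD is shorter than the documented default rsa1024")
    if not eff["HBA_CRED_TIMETOLIVE"]:
        w.append("HBA_CRED_TIMETOLIVE unset: HBA credentials are never checked for expiration")
    if not eff["HBA2_CRED_TIMETOLIVE"]:
        w.append("HBA2_CRED_TIMETOLIVE unset: HBA2 credential tracking is disabled")
    if eff["HBA2_CRED_CTX_LIFETIME"] == "-1":
        w.append("HBA2_CRED_CTX_LIFETIME=-1: HBA2 security contexts never expire")
    return w
```

Run check_cfg(parse_cfg(open("/var/ct/cfg/ctcasd.cfg").read())) on the edited copy before step 3; the keygen finding only matters when the key files do not yet exist, since the method is used solely to generate missing keys.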