ctscfg Command

Purpose

Lists and modifies the contents of the cluster security services configuration file.

Syntax (ctscfg -a)

ctscfg -a { -c MPM_code } { -n MPM_name } { -o MPM_object_module } { -p MPM_priority } [ -f iuz ] [ -l ] [-h]

Syntax (ctscfg -d)

ctscfg -d { -c MPM_code | -n MPM_name } [-l] [-h]

Syntax (ctscfg -u)

ctscfg -u { { -c MPM_code } | { -n MPM_name } } { { -f iuz } | { -p MPM_priority } } [-l] [-h]

Syntax (ctscfg -l)

ctscfg -l

Syntax (ctscfg -h)

ctscfg -h

Description

The ctscfg command lists and modifies the contents of the cluster security services configuration file, ctsec.cfg. This file provides configuration information about the authentication methods that cluster security services can use for client-server authentication. Each authentication method is handled by a mechanism pluggable module (MPM). Each MPM configuration is defined by a one-line entry in the ctsec.cfg file. The entry contains information about:
  • the priority of the MPM when cluster security services choose the authentication method for the client-server authentication
  • the numeric code of the MPM, which is unique among all of the MPMs in the configuration file
  • the mnemonic of the MPM, which is unique among all of the MPMs in the configuration file
  • the name of the binary module that implements the functions of the MPM
  • miscellaneous flags used by cluster security services mechanism abstract layer (MAL) when handling the MPM
Cluster security services include a default ctsec.cfg file in the /opt/rsct/cfg/ directory. The ctscfg command does not modify this default configuration file. Instead, ctscfg copies the default ctsec.cfg file to the /var/ct/cfg/ directory (if a working copy does not exist there already) and modifies that working copy. If a working copy already exists and there is enough space, the previous version is saved as /var/ct/cfg/ctsec.cfg.bak.

Using this command, system administrators can create an "empty" security subsystem configuration, where no security MPMs are configured. In this configuration, all parties are to be considered not authentic.

Flags

-a
Adds a new configuration entry for a new MPM to the working copy of the ctsec.cfg file in the /var/ct/cfg/ directory. If there is no working copy in that directory, ctscfg creates a working copy and modifies it. A configuration entry must include the MPM priority, numeric code, mnemonic, binary object, and, optionally, any flags. This flag requires the -c, -n, -o, and -p flags.
-c MPM_code
Specifies the code to be used by the security subsystem to refer to this MPM. MPM_code must be expressed as a hexadecimal value in the form of "0xvalue" ("0x1a" or "0x9F", for example). This flag is required by the -a and -d flags.
-d
Removes an existing entry for a security MPM from the working copy of the ctsec.cfg file in /var/ct/cfg. If there is no working copy in that directory, ctscfg creates a working copy and modifies it. The -c flag or the -n flag must be specified to indicate which entry is to be removed.
-f iuz
Specifies the flags required by the security subsystem when adding an MPM to the configuration file. This option is required by the -a flag if the MPM has any miscellaneous flags or by the -u flag if the invoker intends to update the MPM flags. The MAL supports these miscellaneous flags:
i
Instructs MAL to initialize the MPM upon loading it in the virtual memory of the process.
u
Instructs MAL that it is safe to unload the MPM when it is no longer required.
z
Specifies the authorization method used for that MPM. An MPM with the same mnemonic as the authorization method must also exist and be configured in ctsec.cfg.
The flags must be specified with no space between them (-f iuz, for example).
-l
Lists the contents of the working ctsec.cfg file. If this option is specified with -a, -d, or -u, the resulting configuration is listed.
-n MPM_name
Specifies the mnemonic to be used for the security MPM. The mnemonic must be a short string value (mymech, for example). This flag is required by the -a and -d flags.
-o MPM_object_module
Specifies the location of the MPM as a full path to the module file. The MPM must exist as a file. If a symbolic link is used, the symbolic link must reference an existing file. The path must be expressed as an absolute path (/usr/lib/mymech, for example). This flag is required by the -a flag.
-p MPM_priority
Specifies the priority associated with this security mechanism pluggable module (MPM). Lower values have a higher priority. Priority values do not need to be consecutive, but no two MPMs can share priority. Negative values and a zero value are not permitted for a priority. This option is required by the -a flag and the -u flag if the invoker intends to update the MPM priority.
-u
Updates an existing configuration entry of an MPM in the working copy of the ctsec.cfg file in /var/ct/cfg. If there is no working copy in that directory, ctscfg creates a working copy and modifies it. The configuration entry must be specified by either the MPM numeric code or mnemonic. The only fields that can be updated are the MPM priority and flags. This flag requires the -c flag or the -n flag (to identify the configuration entry to modify) and the -f flag or the -p flag (to specify the new values for the selected configuration entry).
-h
Writes the command usage statement to standard output.

Standard output

When the -h flag is specified, the command's usage statement is written to standard output.

Standard error

Descriptive information for any detected failure condition is written to standard error.

Exit status

0
The command completed successfully.
4
Flag error. One or more of the flags provided is not valid or is missing a value.
21
Configuration error. The MAL configuration file content is not valid or is corrupted.
30
Lock error. An error occurred during the locking of the MAL configuration file.
36
Permission error. The invoker does not have permission to list or modify the MAL configuration file.
105
File error. An error occurred during the reading or writing of the MAL configuration file.

Files

/var/ct/cfg/ctsec.cfg
Working copy of the MAL configuration file
/var/ct/cfg/ctsec.cfg.bak
Backup of the working copy of the MAL configuration file

Security

This command lists and modifies the MAL configuration file. The default version of the MAL configuration file that is installed by RSCT is protected using the file system permission bit mask of 444 (that is, read-only for everybody). Administrators who create a working copy of this file must preserve the permission bit mask in order to maintain the security of the system.

This command uses the working copy of the MAL configuration file in /var/ct/cfg/. If there is no such working copy, the command creates a file with the same ownership and permission bit mask as the default configuration file. If the invoker of the command has no permission to do that, the command returns a permission error.
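The Description and Flags sections above state the constraints that ctscfg enforces on each one-line MPM entry (a positive, unique priority; a unique hexadecimal code of the form 0xvalue; a unique mnemonic; an absolute object path; flags drawn from the MAL set i, u, z), and this Security section states the 444 permission mask that the working copy must keep. The following offline checker, an added example that is not RSCT code, audits a ctsec.cfg-style text against those constraints and checks a file mode against that mask, so an administrator can review a working copy without running ctscfg. It assumes (not stated on the page) that fields are whitespace separated in the order of the record shown in example 2 (priority, mnemonic, code, object module, optional flags) and that lines beginning with "#" are comments; the sample entries and the mnemonics krb5 and mymech are constructed.

```python
import os
import re
import stat
from dataclasses import dataclass

MAL_FLAGS = set("iuz")                       # the miscellaneous flags the -f description lists
HEX_CODE = re.compile(r"^0x[0-9A-Fa-f]+$")   # "0xvalue", e.g. 0x1a or 0x9F
DEFAULT_MASK = 0o444                         # mode RSCT installs on the default ctsec.cfg

# Constructed samples (not real ctsec.cfg contents) in the record layout of
# this page's example 2: priority, mnemonic, code, object module, flags.
SAMPLE_OK = """\
# constructed sample; '#' comment lines are an assumption of this checker
1      unix        0x00001     /usr/lib/unix.mpm       iu
2      hba2        0x00002     /usr/lib/hba2.mpm       i
"""

SAMPLE_BAD = """\
1      unix        0x00001     /usr/lib/unix.mpm       iu
1      hba2        0x2         /usr/lib/hba2.mpm       i
0      krb5        0x3         /usr/lib/krb5.mpm
3      mymech      0x00001     lib/mymech.mpm          x
"""


@dataclass
class MpmEntry:
    priority: int
    mnemonic: str
    code: int
    object_module: str
    flags: str


def parse_ctsec(text):
    """Parse MPM entries; return (entries, problems) with per-line field checks."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) not in (4, 5):
            problems.append(f"line {lineno}: expected 4 or 5 fields, got {len(parts)}")
            continue
        prio_s, mnemonic, code_s, obj = parts[:4]
        flags = parts[4] if len(parts) == 5 else ""
        # Priority: negative and zero values are not permitted.
        if not prio_s.isdigit() or int(prio_s) <= 0:
            problems.append(f"line {lineno}: priority must be a positive integer (got {prio_s!r})")
            continue
        # Code: hexadecimal in the form 0xvalue.
        if not HEX_CODE.match(code_s):
            problems.append(f"line {lineno}: MPM code must look like 0xvalue (got {code_s!r})")
            continue
        # Object module: absolute path.
        if not obj.startswith("/"):
            problems.append(f"line {lineno}: object module must be an absolute path (got {obj!r})")
        # Flags: only those the MAL supports.
        unknown = set(flags) - MAL_FLAGS
        if unknown:
            problems.append(f"line {lineno}: unknown MAL flag(s) {''.join(sorted(unknown))!r}")
        entries.append(MpmEntry(int(prio_s), mnemonic, int(code_s, 16), obj, flags))
    return entries, problems


def check_uniqueness(entries):
    """Priority, mnemonic and code must each be unique across all entries."""
    problems = []
    for attr in ("priority", "mnemonic", "code"):
        seen = {}
        for e in entries:
            value = getattr(e, attr)
            if value in seen:
                problems.append(f"duplicate {attr} {value!r}: {seen[value]} and {e.mnemonic}")
            else:
                seen[value] = e.mnemonic
    return problems


def authentication_order(entries):
    """Mnemonics in the order the security services try them: lower value first."""
    return [e.mnemonic for e in sorted(entries, key=lambda e: e.priority)]


def audit_ctsec(text):
    """All problems found in a ctsec.cfg-style text (field checks plus uniqueness)."""
    entries, problems = parse_ctsec(text)
    return problems + check_uniqueness(entries)


def permission_mask_ok(st_mode):
    """True when the permission bits equal the 444 mask to be preserved on the working copy."""
    return stat.S_IMODE(st_mode) == DEFAULT_MASK


def working_copy_mask_ok(path="/var/ct/cfg/ctsec.cfg"):
    """Check the on-disk working copy (path from the Files section of this page)."""
    return permission_mask_ok(os.stat(path).st_mode)


if __name__ == "__main__":
    for problem in audit_ctsec(SAMPLE_BAD):
        print(problem)
    print("order:", authentication_order(parse_ctsec(SAMPLE_OK)[0]))
```

Run it against a copy of the working file with `audit_ctsec(open("/var/ct/cfg/ctsec.cfg").read())`; an empty result means every entry satisfies the stated constraints, and `working_copy_mask_ok()` confirms the file still carries the read-only mask. The checker deliberately does not interpret the z flag's cross-reference to another MPM, because the page does not state how that reference is recorded in the file.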

Implementation specifics

This command is part of the Reliable Scalable Cluster Technology (RSCT) cluster security services. It is shipped as part of the rsct.core.sec fileset for AIX®.

Location

/opt/rsct/bin/ctscfg

Examples

  1. To list the contents of the working copy of the ctsec.cfg file, either in /opt/rsct/cfg/ or in /var/ct/cfg/, enter:
    /opt/rsct/bin/ctscfg -l
  2. To add the HBA2 MPM to the working copy of the ctsec.cfg file in /var/ct/cfg/, enter:
    /opt/rsct/bin/ctscfg -a -n hba2 -p 2 -c 0x2 -o /opt/rsct/lib/hba2.mpm -f i
    This adds the following record to the working copy of the ctsec.cfg file in /var/ct/cfg/:
    1      hba2        0x00002     /usr/lib/hba2.mpm       i
  3. To delete the UNIX MPM from the working copy of the ctsec.cfg file in /var/ct/cfg/, enter:
    /opt/rsct/bin/ctscfg -d -n unix
  4. To update the HBA2 MPM with the UNIX MPM as the new authorization method in the working copy of the ctsec.cfg file in /var/ct/cfg/, enter:
    /opt/rsct/bin/ctscfg -u -n hba2 -f iz [unix]
  5. To update the priority of the HBA2 MPM to a value of 2 in the working copy of the ctsec.cfg file in /var/ct/cfg/, enter:
    /opt/rsct/bin/ctscfg -u -n hba2 -p 2