ctstrtcasd Utility

Purpose

Serves as the launch utility of the ctcasd daemon for the cluster security services.

Syntax

ctstrtcasd [-a] [-v]

Description

The ctstrtcasd utility is started by the cluster security services to start the ctcasd daemon. This utility is provided as a set-user-identity-on-execution binary file, providing the clients of cluster security services the ability to start the ctcasd daemon through the system resource controller (SRC).

The ctcasd daemon is used by the cluster security services library when the RSCT host-based authentication (HBA) or enhanced host-based authentication (HBA2) security mechanism is configured and active within the cluster environment. The cluster security services use ctcasd when service requesters and service providers try to create a secured execution environment.

When a service requester and a service provider agree to use the RSCT HBA or HBA2 mechanism through the cluster security services, the cluster security services library uses ctcasd to obtain and authenticate the RSCT HBA or HBA2 credentials. The cluster security services do not provide a direct interface to the daemon that can be started by user applications.

The ctcasd daemon is registered with the SRC as the ctcas subsystem. This subsystem is not activated by the SRC until the cluster security services receive a request for the RSCT HBA or HBA2 mechanism. SRC subsystems can be activated only by the system superuser. To allow the cluster security services to process HBA or HBA2 requests for any system user, the cluster security services must be able to activate the ctcas subsystem for normal system users as well as the system superuser if the service is not already active. To grant normal system users this ability, the cluster security services start the ctstrtcasd utility to start the ctcas subsystem if the service is not active. This utility temporarily grants the clients of cluster security services sufficient privilege to start the ctcas subsystem.

Flags

-a
Verifies that the ctcas subsystem is operational and can process requests from the cluster security services after it is started.
-v
Specifies that the ctstrtcasd utility shows status information to standard output and error information to standard error in verbose mode.

Standard output

When the -v flag is specified, the status information of this command is written to the standard output.

Standard error

When the -v flag is specified, the error information of this command is written to the standard error.

Security

The ctstrtcasd utility, a set-user-identity-on-execution binary file, is owned by the root system user. This special permission and ownership are required to temporarily grant the clients of the cluster security service the ability to start the ctcas subsystem if it is not already active on the system. Without this permission and ownership, some clients of cluster security services might not be able to start the ctcasd daemon to handle cluster security services requests, which can result in authentication failures.

See the "Diagnosing cluster security services problems" chapter of the RSCT: Diagnosis Guide for more information about the ownership and permissions required for this utility.
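
A check for the ownership and set-user-identity requirement described above, as an added example that is not part of the original documentation or of RSCT. The function name check_ctstrtcasd is hypothetical, and the group/other write test is an assumption of this example; the exact required permissions are given in the RSCT: Diagnosis Guide.

```shell
#!/bin/sh
# Added example: audit ownership and the set-user-ID bit of the ctstrtcasd launcher.
# check_ctstrtcasd is a hypothetical helper name, not an RSCT command.
# Usage: check_ctstrtcasd [path] [expected_owner_uid]
check_ctstrtcasd() {
    f=${1:-/opt/rsct/bin/ctstrtcasd}   # location given on this page
    want_uid=${2:-0}                   # root (UID 0); overridable for testing
    rc=0

    if [ ! -f "$f" ]; then
        echo "FAIL: $f is missing or is not a regular file" >&2
        return 1
    fi

    # ls -ln prints numeric IDs: field 1 is the mode string, field 3 the owner UID.
    # -L follows a symbolic link so the real file is inspected.
    mode=$(ls -lnLd -- "$f" | awk '{print $1}')
    uid=$(ls -lnLd -- "$f" | awk '{print $3}')

    # Without the set-user-ID bit, ordinary users cannot start the ctcas subsystem.
    if [ ! -u "$f" ]; then
        echo "FAIL: set-user-ID bit is not set (mode $mode)" >&2
        rc=1
    fi

    # The page requires the file to be owned by the root system user.
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: owner UID is $uid, expected $want_uid" >&2
        rc=1
    fi

    # Assumption of this example, not stated on the page: a set-user-ID
    # file must not be writable by group (char 6) or others (char 9).
    case $mode in
        ?????w*|????????w*)
            echo "FAIL: writable by group or others (mode $mode)" >&2
            rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK: $f mode $mode owner UID $uid"
    return "$rc"
}

# Typical call on a cluster node, using the defaults above:
#   check_ctstrtcasd
```

The function returns 0 when all checks pass and 1 otherwise, so it can be used in a periodic integrity job or a post-update verification step.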

Restrictions

This utility is only intended for use by the cluster security services library or as directed by an IBM® service representative.

Implementation specifics

This utility is part of the Reliable Scalable Cluster Technology (RSCT) cluster security services. It is shipped as part of the rsct.core.sec fileset for AIX® and the rsct.core package for Linux®.

Location

/opt/rsct/bin/ctstrtcasd