Provides and authenticates UNIX-identity-based credentials for the cluster security services.
ctcasd [-b]
The ctcasd daemon is used by the cluster security services library when UNIX-identity-based authentication is configured and active within the cluster environment. Cluster security services uses ctcasd when service requesters and service providers try to create a secured execution environment through a network connection. ctcasd is not used when service requesters and providers establish a secured execution environment through a local operating system connection such as a UNIX domain socket.
When a service requester and a service provider have agreed to use UNIX-identity-based authentication through the cluster security services routines sec_get_auth_methods and sec_reconcile_auth_methods, the cluster security services library uses ctcasd to obtain and authenticate UNIX credentials. Cluster security services calls the daemon during the processing of the cluster security services routines sec_start_sec_context, sec_receive_sec_context, and sec_complete_sec_context. Cluster security services does not provide a direct interface to the daemon that can be invoked by user applications.
The ctcasd daemon can be started or stopped using system resource controller (SRC) commands.
During startup, the daemon obtains its operational parameters from the ctcasd.cfg configuration file. The daemon expects to find this file in the /var/ct/cfg/ directory. System administrators can modify the operational parameters in this file to suit their needs. If this file is not located, the daemon will use the default configuration stored in /usr/sbin/rsct/cfg/ctcasd.cfg.
UNIX-identity-based credentials are derived from the local node's private and public keys. These keys are located in files that are configured in ctcasd.cfg. These credentials are encrypted using the public key of the receiving node. Public keys for the nodes within the cluster are stored in a trusted host list file on each node. The location of this file is also defined in the ctcasd.cfg configuration file. The system administrator is responsible for creating and maintaining this trusted host list, as well as for synchronizing the lists throughout the cluster.
If the daemon detects that both the node's public and private key files are not present, ctcasd assumes that it is being started for the first time and creates these files. The daemon also creates the initial trusted host list file for this node, which contains an entry for localhost and the host names associated with all AF_INET-configured adapters that the daemon can detect. This may cause inadvertent authentication failures if the public and private key files were accidentally or intentionally removed from the local system before the daemon was restarted: ctcasd creates new keys for the node that do not match the keys stored on the other cluster nodes. If UNIX-identity-based authentication suddenly fails after a system restart, this is a possible source of the failure.
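The following pre-restart check is an added example, not part of the ctcasd documentation or of RSCT. It resolves the configuration file the way the daemon does (site copy, then default), reads the key-file and trusted-host-list paths from it, and reports whether a restart would hit the "both key files missing" condition that makes ctcasd generate a new, mismatched node identity. It assumes the parameter names HBA_PRVKEYFILE, HBA_PUBKEYFILE and HBA_THLFILE of the standard ctcasd.cfg, which this page does not list.

```sh
#!/bin/sh
# Added example, not part of the ctcasd documentation: a pre-restart check for the
# condition described above, where ctcasd finds BOTH key files missing, treats the
# start as a first start and generates keys that no longer match what the peers hold.
# Assumption: the parameter names HBA_PRVKEYFILE, HBA_PUBKEYFILE and HBA_THLFILE are
# those of the standard RSCT ctcasd.cfg ("NAME= value" lines); this page only says
# that the key and trusted-host-list paths are configured in that file.
# Resolve the configuration file the daemon reads: site copy first, then default.
ctcasd_cfg_path() {
    if [ -f /var/ct/cfg/ctcasd.cfg ]; then
        echo /var/ct/cfg/ctcasd.cfg
    else
        echo /usr/sbin/rsct/cfg/ctcasd.cfg
    fi
}
# Print the value of one "NAME= value" parameter from a ctcasd.cfg file.
cfg_value() {   # $1 = config file, $2 = parameter name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Classify the node's key-file state; prints one word, returns 0 only for "ok":
#   ok           both present, the existing node identity is reused
#   regenerate   both absent, ctcasd will create new keys and a new trusted host list
#   partial      exactly one present, restore the other from backup before starting
#   unconfigured key-file paths not found in the configuration file
ctcasd_key_state() {   # $1 = config file
    prv=$(cfg_value "$1" HBA_PRVKEYFILE)
    pub=$(cfg_value "$1" HBA_PUBKEYFILE)
    if [ -z "$prv" ] || [ -z "$pub" ]; then
        echo unconfigured; return 2
    elif [ -f "$prv" ] && [ -f "$pub" ]; then
        echo ok; return 0
    elif [ ! -f "$prv" ] && [ ! -f "$pub" ]; then
        echo regenerate; return 1
    else
        echo partial; return 1
    fi
}

# Report whether the trusted host list (the peers' public keys) the daemon will use exists.
ctcasd_thl_state() {   # $1 = config file
    thl=$(cfg_value "$1" HBA_THLFILE)
    if [ -n "$thl" ] && [ -f "$thl" ]; then echo present; else echo missing; fi
}

# Run with --check on a node before restarting the daemon to see what the restart will do.
if [ "${1:-}" = "--check" ]; then
    cfg=$(ctcasd_cfg_path)
    printf '%s: keys=%s thl=%s\n' "$cfg" "$(ctcasd_key_state "$cfg")" "$(ctcasd_thl_state "$cfg")"
fi
```

A result of "regenerate" means the daemon would create a fresh identity and trusted host list on start, so the key files should be restored from backup (or the new public key distributed to every node's trusted host list) before authentication is expected to work again.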
Critical failures detected by the daemon that cause shutdown of the daemon are recorded to persistent storage. In AIX-based clusters, records are created in the AIX error log and the system log.
Commands: ctskeygen
Files: ctcasd.cfg