Commands Reference, Volume 1
ctsidmck Command
Purpose
Verifies the cluster security library
identity mapping.
Syntax
ctsidmck -h | -i | { [ -dl | -dm | -dh ] -m security_mechanism network_ID }
Description
A system administrator can use the ctsidmck command to verify
the mapping that would be obtained by the cluster security library (libct_sec) for a specific security network identifier.
The cluster security library establishes a security context through the sec_start_sec_context, sec_receive_sec_context, and sec_complete_sec_context exchange between a client of a trusted service and the trusted service
server. During the creation of the security context, the cluster security
library tries to map the client application's security network identity to
an identity that may be present on the server node, called the mapped identity.
The cluster security library uses the mapped identity later on the server
in authorization functions such as access control verification. Whether or
not the client application has a mapped identity on the server depends on whether
the following identity mapping definition files are present on the server,
and whether any of the entries within these files correspond to the security
identity being used by the client application:
- /usr/sbin/rsct/cfg/ctsec_map.global
- /var/ct/cfg/ctsec_map.local
- /var/ct/cfg/ctsec_map.global
The location of definitions within these files is important; entries at
the head of the file are processed before entries positioned towards the end
of the file. The definition rules also allow for wildcarding of entry information
and for expansion of certain reserved words. If a definition is incorrectly
specified within one of these files, the mapping result may not be as intended.
Also, if a definition is positioned after another definition that can successfully
map a security network identifier, the mapping result may not be as intended.
ctsidmck allows an administrator to verify that the correct identity mapping
definition is used by the cluster security library to map a security network
identity. This command is to be executed on the system that would act as the
server. By specifying a security network identifier to this command on the
server, the administrator can determine what the mapped identity for that
security network identity would be on that system, and what entry was used
from the identity mapping definition files to obtain this mapping.
Flags
- -h
- Writes the command's usage statement to standard output.
- -i
- Displays a list of the supported security mechanisms on this system.
The command examines the cluster security library configuration on this node,
obtains a list of supported security mechanisms, and displays this list.
The mechanisms are listed by the mnemonic used by the cluster security library
to refer to these mechanisms.
- -d
- Specifies the level of detail in the command output. One of three levels
of detail is permitted:
- low (l): the command will only display the mapped identity for network_ID. This is the default detail level.
- medium (m): the command will display the mapped identity for network_ID, as well as the entry from the identity mapping definition
files that yielded the map.
- high (h): the command will display every entry from the identity
mapping definition files that is processed until a mapped identity for network_ID is found, or until all entries are processed.
- -m security_mechanism
- Specifies the security mechanism that was used to create the security
network identifier provided by network_ID. security_mechanism is a mnemonic that would be used by the cluster security library to
refer to this security mechanism. This flag must be specified when the -h and the -i flags are not provided.
Use the -i flag to display a list of the security mechanisms that this system supports.
Parameters
- network_ID
- Specifies the security network identifier to be mapped. This should
be an identity that can be assumed by a client application of a trusted service.
Security
This command is executable only by the root system user and members of
the system user group. It is intended for administrator use only, to verify
the security configuration of the system. Because the output of the command
could be used as a means for determining how to sabotage or circumvent system
security, the permissions on this command should not be altered.
Exit Status
- 0
- ctsidmck successfully found a mapped identity for network_ID.
- 3
- The command detected a failure in the operation of the cluster security
library mechanism pluggable module (MPM) corresponding to the security mechanism
that was requested. The command was unable to search for a possible mapped
identity for network_ID in this case. This failure may be accompanied
by descriptive output indicating the nature of the MPM failure. Consult this
output and perform any recommended actions.
- 4
- The caller invoked the command incorrectly, omitting required options
and arguments, or using mutually exclusive options. The command terminated
without attempting to find a mapped identity for network_ID.
- 6
- A memory allocation request failed during the operation of the command.
The command was unable to search for a possible mapped identity for network_ID in this case.
- 21
- The command was unable to locate any of the identity mapping definition
files on the local system. The command was unable to search for a possible
mapped identity for network_ID in this case. Verify that at least
one identity mapping definition file exists on the system.
- 22
- The command was unable to dynamically load the cluster security library
mechanism pluggable module (MPM) corresponding to the security mechanism that
was requested. The module may be missing or corrupted, or one of the shared
libraries used by this module may be missing or corrupted. The command was
unable to search for a possible mapped identity for network_ID in
this case. This failure may be accompanied by descriptive output indicating
the nature of the MPM failure. Consult this output and perform any recommended
actions.
- 37
- At least one of the identity mapping definition files on the system
appears to be corrupted. The command was unable to search for a possible mapped
identity for network_ID in this case. Verify that none of the identity
mapping files are corrupted, truncated, or contain syntax errors.
- 38
- ctsidmck could not locate a mapped identity for network_ID.
No entry within any of the identity mapping definition files yielded a mapped
identity for the specified security network identifier.
Restrictions
This command works only on MSS-formatted key files.
Standard Output
ctsidmck writes any mapped identity found for the security network
identifier to standard output. If a medium or high level of detail is requested,
any definitions displayed by this command are also written to standard output.
When the -h flag is specified, this command's usage statement is written to standard
output.
Standard Error
Descriptive information for any detected failure condition is written to
standard error.
Examples
- To obtain a list of the security mechanisms supported by the local system
prior to verifying an identity map, enter:
ctsidmck -i
- To obtain only the mapped identity for the UNIX host-based authentication
mechanism's security network identity zathras@greatmachine.epsilon3.org, enter:
ctsidmck -m unix zathras@greatmachine.epsilon3.org
- To see every identity mapping definition that is checked by the command
while searching for a mapped identity for the Kerberos version 5 security
identifier glorfindel@rivendell.elvin.net@endor, enter:
ctsidmck -d h -m krb5 glorfindel@rivendell.elvin.net@endor
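The examples above show single lookups. After editing the identity mapping definition files, an administrator usually wants to re-run a fixed set of lookups and confirm that each one still yields the intended result, including the negative case where an identity from an unrelated host must not map to anything. The script below is an added example, not part of the manual or of RSCT; it wraps ctsidmck at the default (low) detail level, where standard output carries only the mapped identity, and interprets the exit statuses listed above. The CTSIDMCK variable and the check list format (mechanism, network identity, expected local identity, with "-" meaning "must not map") are this example's own conventions, and the identities in the list are constructed from the manual's examples.

```shell
#!/bin/sh
# Added example: regression-check identity mappings with ctsidmck on the
# server node. Each check names a mechanism, a security network identity and
# the local identity it is expected to map to; '-' means "must NOT map",
# the check that catches an over-broad wildcard definition.
# CTSIDMCK can be pointed at a stub for offline testing (assumed convention).
CTSIDMCK=${CTSIDMCK:-/usr/sbin/rsct/bin/ctsidmck}

# verify_mapping MECH NETID EXPECTED
# Returns 0 when the result matches EXPECTED, 1 when it does not,
# 2 when ctsidmck could not perform the lookup (see its exit status list).
verify_mapping() {
    mech=$1; netid=$2; expected=$3
    rc=0
    # default (low) detail: standard output carries only the mapped identity;
    # diagnostics stay on standard error where the manual says to read them
    mapped=$("$CTSIDMCK" -m "$mech" "$netid") || rc=$?
    case $rc in
    0)
        if [ "$expected" = '-' ]; then
            printf 'FAIL %s:%s maps to %s but should not map\n' "$mech" "$netid" "$mapped"
            return 1
        elif [ "$mapped" = "$expected" ]; then
            printf 'OK   %s:%s -> %s\n' "$mech" "$netid" "$mapped"
            return 0
        else
            printf 'FAIL %s:%s -> %s (expected %s)\n' "$mech" "$netid" "$mapped" "$expected"
            return 1
        fi ;;
    38)
        if [ "$expected" = '-' ]; then
            printf 'OK   %s:%s has no mapped identity\n' "$mech" "$netid"
            return 0
        fi
        printf 'FAIL %s:%s has no mapped identity (expected %s)\n' "$mech" "$netid" "$expected"
        return 1 ;;
    21|37)
        printf 'ERROR rc=%s: identity mapping definition files missing or corrupted\n' "$rc"
        return 2 ;;
    3|22)
        printf 'ERROR rc=%s: MPM for mechanism %s failed to load or run; see stderr\n' "$rc" "$mech"
        return 2 ;;
    *)
        printf 'ERROR rc=%s: ctsidmck did not complete the lookup\n' "$rc"
        return 2 ;;
    esac
}

# run_checks < list   (one "mech netid expected" per line; '#' starts a comment)
# Returns the number of checks that failed or errored (0 means all passed).
run_checks() {
    failures=0
    while read -r mech netid expected; do
        case $mech in ''|'#'*) continue ;; esac
        verify_mapping "$mech" "$netid" "$expected" || failures=$((failures + 1))
    done
    return $failures
}

# Constructed check list built from the manual's example identities; the last
# line asserts that an identity from an unrelated host stays unmapped.
CHECKS='unix zathras@greatmachine.epsilon3.org zathras
krb5 glorfindel@rivendell.elvin.net@endor glorfindel
unix someone@unrelated.example.org -'

printf '%s\n' "$CHECKS" | run_checks || echo "checks not passing: $?"
```

Run it as root on the node that acts as the server, since the Security section restricts the command to root and the system group and the mapping result depends on that node's definition files. Exit statuses 4 and 6 fall through to the generic error branch because neither can be cured by editing the definition files.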
Location
- /usr/sbin/rsct/bin/ctsidmck
- Contains the ctsidmck command
Files
- /usr/sbin/rsct/cfg/ctsec_map.global
- The default identity mapping definition file. This file contains definitions
required by the RSCT cluster trusted services in order for these systems to
execute properly immediately after software installation. This file is ignored
if the cluster-wide identity mapping definition file /var/ct/cfg/ctsec_map.global exists on the system. Therefore, any definitions within this file should
also be included in the cluster-wide identity mapping definition file, if
that file exists.
- /var/ct/cfg/ctsec_map.local
- Local override to the cluster-wide identity mapping definitions. Definitions
within this file are not expected to be shared between nodes within the cluster.
- /var/ct/cfg/ctsec_map.global
- Cluster-wide identity mapping definitions. This file is expected to
contain identity mapping definitions that are common throughout the cluster.
If this file exists on the system, the default identity mapping definition
file is ignored. Therefore, if this file exists, it should also contain any
entries that would also be found in the default identity mapping definition
file.
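The Description section warns that definitions are processed from the head of the file and that a definition placed after one that already matches can never take effect, and the Files section above explains which of the three files are consulted. The script below is an added example, not part of the manual or of RSCT, that makes both rules concrete: it selects the files in effect under a root directory, walks a definition file with first-match semantics, and reports definitions that are unreachable because an earlier one for the same mechanism already covers them. The line syntax it parses (mechanism:pattern=local_id, "#" comments, "*" as a glob wildcard, "*" on the right-hand side meaning "the user part of the network identity") is an assumed approximation, not the documented grammar, reserved-word expansion is not modelled, and the assumption that ctsec_map.local is searched before the cluster-wide file is drawn only from its description as a local override. The sample file contents are constructed.

```shell
#!/bin/sh
# Added example: model of head-of-file precedence in identity mapping
# definition files. The line syntax (mechanism:pattern=local_id) and the
# file search order are ASSUMPTIONS, not RSCT's documented behaviour.

# effective_files [ROOT]
# Lists the definition files in effect under ROOT (default: /), in the order
# this example searches them: the local override first (ASSUMED from its
# description), then the cluster-wide file, or the installation default only
# when no cluster-wide file exists (as the Files section states).
effective_files() {
    root=${1:-}
    [ -f "$root/var/ct/cfg/ctsec_map.local" ] && echo "$root/var/ct/cfg/ctsec_map.local"
    if [ -f "$root/var/ct/cfg/ctsec_map.global" ]; then
        echo "$root/var/ct/cfg/ctsec_map.global"
    elif [ -f "$root/usr/sbin/rsct/cfg/ctsec_map.global" ]; then
        echo "$root/usr/sbin/rsct/cfg/ctsec_map.global"
    fi
}

# Constructed sample file. Line 4 can never be reached: line 3 already maps
# every unix identity from that host, so zathras gets "zathras" from line 3
# and the explicit line 4 is dead (the ordering problem the manual warns of).
SAMPLE_MAP=$(cat <<'EOF'
# constructed sample, not a real ctsec_map.global
unix:root@greatmachine.epsilon3.org=root
unix:*@greatmachine.epsilon3.org=*
unix:zathras@greatmachine.epsilon3.org=zathras
krb5:glorfindel@rivendell.elvin.net@endor=glorfindel
EOF
)

# parse_def LINE: sets m (mechanism), pat (pattern), rhs (local identity).
# Returns 1 for blank and comment lines.
parse_def() {
    case $1 in ''|'#'*) return 1 ;; esac
    lhs=${1%%=*}; rhs=${1#*=}
    m=${lhs%%:*}; pat=${lhs#*:}
}

# first_match MECH NETID < file
# Prints "<line-number> <mapped-id>" for the first definition that matches,
# mirroring head-of-file precedence; returns 38 (like ctsidmck) if none does.
first_match() {
    mech=$1; netid=$2; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        parse_def "$line" || continue
        [ "$m" = "$mech" ] || continue
        case $netid in
        $pat)
            [ "$rhs" = '*' ] && rhs=${netid%%@*}
            printf '%s %s\n' "$n" "$rhs"
            return 0 ;;
        esac
    done
    return 38
}

# find_shadowed < file
# Prints "<line> shadowed by <line>" for each definition that an earlier
# definition for the same mechanism already matches (heuristic: the later
# pattern is tested as a literal string, so it finds the common cases but
# not every overlap). Returns the number of shadowed definitions found.
find_shadowed() {
    seen=''; n=0; count=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        parse_def "$line" || continue
        cur_m=$m; cur_pat=$pat
        oldifs=$IFS; IFS='
'
        for rec in $seen; do
            IFS=$oldifs
            [ -n "$rec" ] || continue
            en=${rec%% *}; rest=${rec#* }; em=${rest%% *}; ep=${rest#* }
            [ "$em" = "$cur_m" ] || continue
            case $cur_pat in
            $ep) printf '%s shadowed by %s\n' "$n" "$en"
                 count=$((count + 1)); break ;;
            esac
        done
        IFS=$oldifs
        seen="$seen
$n $cur_m $cur_pat"
    done
    return $count
}

printf '%s\n' "$SAMPLE_MAP" | first_match unix zathras@greatmachine.epsilon3.org
printf '%s\n' "$SAMPLE_MAP" | find_shadowed || echo "unreachable definitions: $?"
```

On a real node the walk would be `for f in $(effective_files); do first_match "$mech" "$id" < "$f" && break; done`, but ctsidmck itself remains the authoritative check, since it uses the library's own parser and reserved-word expansion; the value of find_shadowed is in flagging a definition that ctsidmck -d h would show being skipped.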
Related Information
Commands: ctskeygen
Files: ctcasd.cfg