These standalone utilities are intended for administrators.
ctcfgset - Server Configuration File Encoding Utility
The ctcfgset utility converts the standard ASCII-text configuration file, ctsrvr.cfg, into an encoded settings file, ctsrvr.set. The utility takes as its argument the name of a configuration file, ctsrvr.cfg, to be converted into a tamper-proof settings file, ctsrvr.set (an encrypted file restricted to administrators at certain FairCom installations). This creates an optional tamper-proof version of the server configuration file, referred to as the "settings" file. Because entries in the settings file cannot be overridden, users cannot alter important aspects of the server configuration.
Operational Model:
- Standalone
Usage:
ctcfgset ctsrvr.cfg
ctcmdset - Authentication File Encoding Utility
Creates an encoded password file from a text file by encoding a *.cfg file into a *.set file. The file to be processed should have an extension of .cfg.
Operational Model:
- Standalone
Usage:
ctcmdset [filename].cfg
The plain text form of the file should be:
; User Id
USERID ADMIN
; User Password
PASSWD <pass>
Note: Each line must end with a line-feed (Enter) for the password to be encoded correctly.
Master Password Verification Options
FairCom DB advanced encryption (AES, Blowfish, Twofish, 3DES) requires a master password to protect encrypted file access. Before starting FairCom DB for the first time with Advanced Encryption enabled, the Administrator must use the ctcpvf utility to create the master password verification file. Each time FairCom DB starts, it prompts for the master password to allow it to open encrypted files.
ctcpvf creates the master password verification file. It accepts optional parameters: filename (the file name to create) and password (the master password). If the parameters are not given, ctcpvf will prompt for the required information.
Usage
ctcpvf [-c <cipher>] [-f <filename>] [-k <key>] [-s <store>]
Where:
- -c <cipher> - Use encryption cipher <cipher>. Supported ciphers: aes256 and aes128. Default is aes256.
- -f <filename> - Create password verification file <filename>. Default is ctsrvr.pvf.
- -k <key> - Use <key> as the master key.
- -s [<store>] - Store key in encrypted file <store>. Default is ctsrvr.fkf.
- -syslevel - Create encrypted store file with system-level encryption: all user accounts on the system can decrypt it.
Note: If you don't use the -syslevel switch, you must run the FairCom Server under the same user account that was used to run the ctcpvf utility that created the master key store file. Using the ‑syslevel switch creates the master key store file so that it can be opened by any user account on that machine, which allows you to run the FairCom Server under any user account on the system. (See Advanced encryption master key store encrypted at system level on Windows.)
Note: FairCom DB looks for the file ctsrvr.pvf in the server binary area, so this file name should be specified. ctcpvf.exe creates the ctsrvr.pvf file in that same directory where it is run (e.g., the tools directory). On launch, the server looks for ctsrvr.pvf in the server directory, so ctsrvr.pvf needs to be moved or copied to the server directory.
Key Store Option
By default, this master key must be presented to FairCom DB on startup as prompted. However, this prompted interaction is not always possible. Consider the case of a failover strategy for business continuity, or the case where no single person should ever know the complete key as keys are built from random secure key generators. FairCom DB supports a key store file to provide this key value at startup.
The ctcpvf utility -s option is used to select the master key length, and to write the master key to an encrypted keystore file <store>.
The FairCom DB configuration option MASTER_KEY_FILE specifies the key store file, <store>, from which FairCom DB reads the master encryption key. On Linux and Unix systems, the master key is stored AES encrypted in a file on disk, with permissions set such that only the user that created the file can read it (permissions are set to 400). For complete security, it is important to use file system access safeguards to fully protect this key store file.
Non-server applications must set the environment variable CTREE_MASTER_KEY_FILE=<keystore> to enable using a key store rather than prompting for the master password at FairCom DB initialization.
Note: The key file (or user key on Linux and Unix) is encrypted using AES. The encryption is intended to only prevent casual inspection of the data when the file's contents are viewed. The permissions on the file are the defense against an unauthorized user reading the file. The Windows master key approach uses the Microsoft DPAPI to encrypt data with user credentials, and only that user can decrypt the file. Unix support is a bit weaker in this regard as it relies on file permissions, which can potentially be changed such that another user could read and decrypt the key.
Advanced encryption master key store encrypted at system level on Windows
FairCom DB supports creating an advanced encryption master key store encrypted at the system level on Windows. Prior to this revision, the encrypted master key store file created by the ctcpvf utility on Windows could only be decrypted by the user account that created the file. This made it difficult to set up a Windows service that is using the LocalSystem account to be able to read the encrypted master key store file. (The ctcpvf utility had to be run as LocalSystem when creating the master key store.)
An option has been added to the ctcpvf utility to create the encrypted store using system-level encryption, meaning that any user account on the system can decrypt the file. Use the ctcpvf utility's ‑syslevel option to use this feature. Example:
ctcpvf -k mymasterkey -s ctsrvr.fkf -syslevel
This option has been added to the ctadmn utility's "Change advanced encryption master password" option. Example:
Enter the name of the filename list file >> files.txt
Enter the current advanced encryption master password >> ****************
Enter the new advanced encryption master password >> ******************
Please confirm the new master password by entering it again:
Enter the new advanced encryption master password >> ******************
Enter the encryption level [U]ser or [S]ystem for the encrypted store >> u
Changing master password for the specified files...
Successfully changed the advanced encryption master password.
See ctadmn.c for an example showing how to call the SECURITY() function with mode of SEC_CHANGE_ADVENC_PASSWD to change the master key. If you want to create the master key encrypted store using the system-level encryption option, OR in the ctENCMODsysl bit to the options field of the ctENCMOD structure whose address you pass to SECURITY().
Note: This support was added on the Windows platform only.
ctfchk - File Checksum Utility
ctfchk is a standalone c-tree utility that calculates the checksum on all active records in a fixed-length c-tree data file. It reads active records from a fixed-length c-tree data file in physical order and outputs a checksum and active record count. The utility uses the CRC-32 algorithm to compute the checksum.
This utility can be used to compare the record contents of two fixed-length data files. Two c-tree data files that contain the same active record images in the same order will generate identical checksums. Two c-tree data files whose active record contents differ will generate different checksums (subject to the limitations of the CRC-32 algorithm).
Operational Model:
- Standalone
Usage
ctfchk <filename> [-skpchk] [-logcrc] [-logbyt]
[-logrec <record number>] [-opencrpt]
Where:
- -logcrc - Output the current CRC after each active record is read.
- -logbyt - Output the offset of each active record.
- -logrec <record_number> - Output the contents of the specified record. The first active record in the file in physical order is record 1.
- -opencrpt - Permits the utility to open a file whose update flag is set.
When the file is already opened by another instance (Server, for instance), trying to open it to calculate the checksum will fail with error FCRP_ERR (14, File Corrupt at Open). If the -opencrpt option is added, the utility tries to open the file using the ctOPENCRPT filemode. If this second open attempt succeeds, the utility outputs the following message and proceeds to calculate the checksum of all active records in the file:
NOTE: This file's update flag is set. Opened file using ctOPENCRPT mode.
cthghtrn - Displays the high-water mark for transactions
This utility displays the high-water transaction marks within an index file. This would be typically used when the FairCom Server transaction mark number gets too large.
Operational Model:
- Standalone
Usage
cthghtrn [-<page size in bytes (e.g., -1024)>] <file name> [-nonzero]
Where:
- -nonzero - outputs only the non-zero transaction high water mark values.
Examples
cthghtrn custmast.idx
cthghtrn -4096 custmast.idx
See also
- ctclntrn Utility - Clean Transaction Mark in the FairCom DB Developer's Guide.
ctredirect - IFIL Update Utility for Redirected Filenames
Updates IFIL Filenames for redirection to alternate locations.
The Redirect feature is used to allow a file originating in one directory structure to be repositioned into another directory location following autorecovery, dynamic dump restore, or replication. As a result, if the IFIL resource of the file contained a path, this path would be incorrect after the file was redirected to the new location. To support copying c-tree files from one directory location to another (on the same system or on a different system) and accessing them in their new location, it is necessary to update any filename paths in a c-tree data file's IFIL resource.
ctredirect is used to update the file names contained in the IFIL resource of the specified files. ctredirect accepts as command-line options the name of a text file containing the list of files whose IFIL resources are to be updated and the name of a text file containing the filename redirection rules.
A comment may be placed in the redirection rules file by starting the line with a semi-colon (;).
Note: The rules must match the path in the IFIL resource, which may differ from the path used to open the file. The rules must precisely match the path in the IFIL resource, which may differ from the path used to open the file, therefore you may not use wild cards.
Operational Model:
- Standalone
Usage
ctredirect -f <filenamelist> -r <redirectlist> -n <sect>
Where:
- -f <filenamelist> - Name of a text file containing the names of c-tree data files whose IFIL resources are to be updated.
- -r <redirectlist> - Name of a text file containing the redirection rules. The rules are in the format: <current path> <new path> (see the example below).
- -n <sect> - Node sector size. The default is 64, corresponding to the server default PAGE_SIZE of 8192.
Example
Consider the current directory contains the data files customer.dat and inventory.dat, and their IFIL resources specify the path /export/home/users/marketing/data for the data and index files.
The current directory contains the file myfiles.txt listing the following file names:
customer.dat
inventory.dat
The current directory also contains the file myrules.txt containing the following redirection rules:
/export/home/users/marketing/data /export/home2/users/support/data
ctredirect is then called to change the paths in the IFIL resource of these two data files:
./ctredirect -f myfiles.txt -r myrules.txt
Updating the file paths in the IFIL resources of the specified files...
[ OK ] customer.dat
[ OK ] inventory.dat
Successfully changed IFIL resource for all specified files