HP-UX Trusted Computing Services A.02.
© Copyright 2008 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Table of Contents (excerpt)
About This Document (page 9)
  Intended Audience (page 9)
  New and Changed Information in This Edition (page 9)
  Typographic Conventions
Removing TCS (page 26)
3 Basic TCS Administration (page 29)
  TPM Administration Utilities (page 29)
  Backing Up and Restoring TCS System Data and Keys
Determining the TPM OpenSSL Engine Library (page 46)
Stunnel Configuration File (page 46)
  Stunnel TPM Key Information (page 46)
  Stunnel TPM Engine Information
Using the tpmlist keys Command to List Keys (page 67)
Using the tpmlist keyinfo Command to List Detailed Key Information (page 68)
Using the tpmadm deletekeys Command to Delete Keys (page 68)
Deleting Keys (page 69)
Modifying tcsd Operating Parameters

List of Figures
1-1 Trusted Platform Module (TPM) (page 11)
1-2 TCS Architecture (page 12)
1-3 TPM Key Hierarchy (page 15)
1-4 TCS Chain of Protection
1-5
7-1 EVFS Encryption Keys
9-1

List of Tables
3-1 TCS File Permissions (page 30)
5-1 TPM OpenSSL Engine Files (page 44)
B-1 Supported TSPI APIs
About This Document This document describes how to install, configure, and troubleshoot HP-UX Trusted Computing Services (TCS) on HP-UX 11i v3 platforms. Intended Audience This document is intended for system and network administrators responsible for installing, configuring, and managing HP-UX TCS. Administrators are expected to have knowledge of operating system concepts, commands, and configuration. Familiarity with Trusted Platform Modules is helpful but not required. This document is not a tutorial.
CAUTION: A caution calls attention to important information that, if not understood or followed, can result in data loss, data corruption, or damage to hardware or software.
IMPORTANT: An important provides essential information to explain a concept or to complete a task.
NOTE: A note contains additional information to emphasize or supplement important points of the main text.
1 Trusted Computing Systems Overview Technology Overview HP-UX Trusted Computing Services (TCS) provides software support for the Trusted Platform Module (TPM) chip on HP-UX Integrity servers. The TPM is a low cost, embedded security chip available for selected ZX2-based Integrity servers that provides hardware-enforced key management.
The TCS application-level software stack is a modified version of TrouSerS, a Common Public License (CPL) licensed implementation of the Trusted Computing Group Software Stack (TSS). TrouSerS enables multiple applications to access and use the TPM simultaneously without requiring the applications to synchronize their access explicitly. TCS complies with the TSS 1.1 Golden specification.
Architecture
Figure 1-2 illustrates the architecture of the TCS stack.
local and remote TSS applications. It provides a single entry point for user-space processes to logically access the TPM. The tcsd daemon includes the following components that perform core Trusted Platform Support Service functions:
• The Context Manager allows multiple applications to access the TPM simultaneously by maintaining a separate context for each application and transparently handling any needed context switching.
• The Key and Credential Manager stores keys and authorization data.
TPM for additional security, and the encrypted data can be decrypted only on the system with the same TPM. TCS on-demand encryption utilities use the TPM key infrastructure; no additional key administration is needed. TCS RSA Key Utility and TPM OpenSSL Engine The TCS RSA key utility, tpmcreate, creates RSA key pairs that are bound to the local TPM; the private RSA key is protected by the TPM.
Figure 1-3 TPM Key Hierarchy (figure; elements as labeled): the Storage Root Key (SRK) at the root; below it the System Specific Key (SK) and the Roaming Key (RK); beneath those, the tpmencrypt/tpmdecrypt keys, the tpmencrypt "-d" keys, the tpmcreate keys, and the EVFS keys, held either in system persistent storage or in external storage.
Most of the keys provided by TPM are asymmetric key pairs. An asymmetric key pair is composed of a public key and a private key. The keys are related so that data encrypted by the public key can be decrypted only by the private key.
Storage Root Key (SRK) The Storage Root Key (SRK) is the root or top key in the TPM key hierarchy. The SRK is an asymmetric key pair that TPM generates when the operator takes ownership of the TPM during the initial TCS installation procedure. The private key component of the SRK is stored in TPM internal memory and never leaves the TPM. To access data or a key encrypted by the SRK public key, the encrypted data or key is loaded into the TPM and decrypted directly by the TPM.
the data with tpmdecrypt. Users can also specify a tpmencrypt option so that no authorization information is required to decrypt the data. TCS RSA Key Pairs A TCS RSA key pair is an asymmetric RSA key pair, protected by the TPM; the private key is encrypted by the RK, so it can be utilized only within the TPM. TCS RSA key pairs are generated using the tpmcreate utility. You can also use tpmcreate to encrypt or wrap an existing RSA private key with the RK.
The TSPI library also includes routines that encrypt, decrypt, or sign data using a key protected by the RK, such as a TCS application key. When these routines are used to decrypt data, the following events occur (Figure 1-5):
1. The data is loaded into the TPM with the TCS application key blob and the RK key blob.
2. The TPM uses its internal SRK private key to extract and decrypt the RK private key from the RK key blob.
3.
2 Installing TCS
This chapter describes how to install, upgrade, reinstall, and remove TCS. This chapter addresses the following topics:
• “Installing TCS” (page 19)
• “Upgrading or Reinstalling TCS” (page 25)
• “Removing TCS” (page 26)
Installing TCS
TCS is supported only on HP-UX servers with TPM hardware. The TPM must be present and enabled for the configuration phase of TCS to complete successfully.
NOTE: The EFI Boot Manager screens on your system may vary from those shown depending on your system type and firmware version.
3. From the Security Configuration menu, select Set Trusted Platform Module State and press Enter.
4. From the Set Trusted Platform Module State menu, select Y and press Enter to initiate the TPM enablement process.
5. A menu appears asking if you want to reset the system. Select Y and press Enter.
6. After the system resets, verify that the TPM is enabled by selecting Set Trusted Platform Module from the Security Configuration menu and pressing Enter. The Set Trusted Platform Module window shows Current Setting: Enabled if the TPM is enabled. Enter N.
Enabling the TPM from the EFI Shell
To enable the TPM from the EFI Shell, follow these steps:
1.
2. Verify that the TPM is enabled by entering the following command at the EFI shell prompt:
secconfig
For example:
Shell> secconfig
SYSTEM SECURITY CONFIGURATION
TPM: Enabled
Step 2: Acquiring TCS Software
TCS software is available free of charge at HP Software Depot. To download TCS, follow these steps:
1. Go to HP Software Depot at http://www.software.hp.com
2. Search for TCS (keyword TCS) and read the information on the TCS release web page.
NOTE: The TPM driver is a Dynamically Loadable Kernel Module (DLKM) and does not require a reboot. However, after the first load of the TPM driver, the TPM device still appears as unclaimed until a new ioscan command is issued. This is expected behavior. If the installation requires a reboot, a separate ioscan command is not needed because the TPM device is claimed by the DLKM driver at boot time.
If the tpmlist status command output does not indicate that TCS is running, see Chapter 9 (page 79).
Step 6: Backing Up TCS System Data Files and TPM Keys
HP recommends that you back up the TCS system data files and TPM keys immediately after installation so that you can recover keys and data if the TPM hardware fails. A TPM key archive created with tpmadm backup contains only the keys under the RK; it does not contain the TPM password file or the tcsd configuration file, both of which live in /etc/opt/tcs, so back up both the directory and the key archive. To back up TCS system data and TPM keys, complete the following steps:
1. Back up the files in the directory /etc/opt/tcs using any file backup utility.
3. Remove the current TCS software by entering the following command:
swremove TCS
4. Download the new version of TCS software, as described in “Step 2: Acquiring TCS Software” (page 23).
5. Use swinstall to install the software, with deferred configuration. This procedure is described in “Step 3: Installing TCS Software” (page 23) and “Deferring TCS Configuration” (page 24).
6. If necessary, restore the backup copies of the /etc/opt/tcs/passwd and /etc/opt/tcs/system.data files.
• The files in the /etc/opt/tcs/ directory are deleted. These files contain the TPM password and the TCS encryption keys. If you will need the keys again, back up /etc/opt/tcs and create a TPM key archive with tpmadm backup before removing TCS.
• If TCS is configured for EVFS, the removal script exits with an error and reminds you to unconfigure TCS for EVFS before removing TCS.
• The removal script stops tcsd, unloads the TPM device driver, and removes all file sets for the TCS bundle.
3 Basic TCS Administration This chapter contains information on basic TCS administrative tasks for day-to-day operation. For information on advanced administrative tasks see Chapter 8 (page 67).
Creating a TPM key archive backs up only the TPM keys in system persistent storage. It does not back up the TPM password or the tcsd configuration file. A TPM key archive is encrypted with a user-specified secret and can be used on a platform with a different TPM if the user knows the secret. Administrators can use a TPM key archive file to migrate TPM keys to another system and for key redundancy in an HP Serviceguard cluster.
Creating and Restoring TPM Key Backup Files Use the tpmadm backup and tpmadm restore commands to back up and restore the Roaming Key (RK) and its descendent keys that are stored in the system persistent storage. You can also use these commands to migrate these keys to another system. Backing Up TPM Keys The tpmadm backup command creates a TPM key archive with a copy of all TPM keys under the RK in system persistent storage.
Enabled:      yes
Ownable:      yes
Owner clear:  disabled
Force clear:  disabled
The tpmlist status command requires TPM owner authorization; you must specify the TPM password if one is set. See “Specifying the TPM Password” (page 32).
Specifying Secret Passphrases
Many TCS utilities use a required or optional passphrase to encrypt output. For example, the tpmadm utility uses a passphrase, or secret, to encrypt and decrypt the TPM key archive file.
Maximum TPM Password Length The maximum length for the TPM password is 8 characters. Administering the TPM Password After installation, you can keep the automatically generated TPM password, or you can reset the password to something you can easily remember using the tpmadm changepwd command. You can also delete the password file. Changing the TPM Password The TCS installation script sets the TPM password to a random string.
IMPORTANT: Re-establishing the TPM password renders all TPM key files unusable. However, if you created a TPM key archive file using the tpmadm backup command, you can use this file to migrate the existing Roaming Key (RK) and its descendent keys to the system after you re-establish the TPM password. Re-establishing the TPM password also requires you to reboot the system.
To re-establish the TPM password, follow these steps:
1. Locate a TPM key archive file, if possible.
4 Using TCS On-Demand Encryption Utilities
This chapter describes the TCS utilities for on-demand encryption and decryption. It addresses the following topics:
• “Overview” (page 35)
• “Using the tpmencrypt Utility” (page 36)
• “Using the tpmdecrypt Utility” (page 36)
Overview
You can use a number of solutions for protecting files on HP-UX. One solution, EVFS, enables you to encrypt entire volumes of sensitive information.
in volumes or files are opened without direct human intervention by applications such as databases. EVFS also includes a key management infrastructure that enables administrators to create keys with different capabilities and provides a key recovery service. By comparison, the TCS on-demand encryption and decryption feature provides a simple method for users to encrypt and decrypt a file or group of files as needed by running command-line utilities.
The tpmdecrypt utility restores the file or files to the path specified as the input location in the tpmencrypt run string. In this example, it restores the file foo in the current directory.
5 Using TCS RSA Keys with OpenSSL This chapter describes how to use TCS to protect RSA private keys used with OpenSSL applications.
An OpenSSL certificate request created for a TCS RSA key pair is no different from any other certificate request. The Certificate Authority (CA) that creates and signs the certificate does not have to use TCS.
• Runtime loading with minimal or no source code changes
The TPM OpenSSL engines are compiled binaries that an application can dynamically load using the OpenSSL engine interface.
The specific TPM OpenSSL engine file required for an application is determined by the OpenSSL version and the compiler data model used, as described in “Step 2: Determining the TPM OpenSSL Engine File for an Application” (page 44). For more information about OpenSSL engines, see engine(3).
“Obtaining a Certificate Using Keys Created with tpmcreate” (page 42) describes this procedure. • Use an existing RSA key pair and security certificate or create an RSA key pair and security certificate as you would without TCS, then use tpmcreate to protect the existing RSA private key with TPM. This method does not require a specific version of the openssl command and enables you to use existing key pairs and certificates.
# /opt/openssl/0.9.8/bin/openssl req -new -keyform engine -engine tpm \
  -key myClientKeyblob -md5 -out myClient_csr.pem -outform PEM
engine "tpm" set.
You are about to be asked to enter information that will be incorporated
into your certificate request.
:
:
NOTE: Some applications, such as Stunnel, recommend that you create the certificate with the common name (CN) attribute of the distinguished name (DN) set to the host's fully-qualified domain name (FQDN).
The examples in this chapter sign the request with -md5. MD5 is no longer collision resistant; prefer a SHA-family digest such as -sha256 if your CA and application accept it.
4. Use the tpmcreate -w command to protect the private key with the TPM. In most cases, you can use the following syntax: tpmcreate [-k key_size] -w input_file output_file The input_file must contain an RSA key pair in PEM format. The -k key_size option specifies the input private key size. You do not have to specify this option if the private key is 2048 bits. The private key is encrypted by the TCS Roaming Key (RK). To specify a passphrase, use the -a option.
Determining the Compiler Data Model If you do not know the compiler data model used to compile an application, use the file command to report the object file type.
myClient> /opt/openssl/0.9.8/bin/openssl req -new -keyform engine \
  -engine tpm -key myClientKeyblob -md5 -out myClient_csr.pem \
  -outform PEM
When prompted for the CN, specify the FQDN for myClient (myClient.hp.com).
On myServer, create a TCS RSA key pair (myServerKeyblob) and a certificate request (myServer_csr.pem):
myServer> tpmcreate myServerKeyblob
myServer> /opt/openssl/0.9.8/bin/openssl req -new -keyform engine -engine tpm \
  -key myServerKeyblob -md5 -out myServer_csr.
# /opt/iexpress/stunnel/etc/stunnel.conf
# stunnel configuration for a TPM-protected client
# Need random data for session keys, etc
RNDfile = /dev/urandom
# Chroot if need to reduce stunnel's access into the local filesystems.
# chroot = /var/chroot/stunnel/
# PID is created inside the chroot location.
pid = /tmp/stunnel.pid
# Authentication - '3' means a signed certificate from the session peer must be
# presented and verified by the CA.
CApath = /opt/openssl/certs
CAfile = /opt/openssl/certs/cacert.pem
# This client's certificate and private key.
cert = /opt/iexpress/stunnel/etc/myServer.cert
key = /opt/iexpress/stunnel/etc/myServerKeyblob
# Debug parameters
debug = 7
output = /opt/iexpress/stunnel/etc/stunnel.log
# Run in the foreground
foreground = no
# Load the built-in engine 'dynamic'
# and give it the path to the 0.9.7 TPM engine
engine=dynamic
engineCtrl=SO_PATH:/opt/tcs/lib/hpux32/engines/libtpm.so.
Stunnel Configuration on myClient for Mail Clients
On the mail client (myClient), the Stunnel configuration file is similar to the file listed in “Stunnel Configuration File on myClient for telnet” (page 46), with the following service option entries:
[smtp-client]
# Use in client mode
client = yes
accept = localhost:25
connect = myServer.hp.com:25
engineNum = 1

[pop3-client]
# Use in client mode
client = yes
accept = localhost:110
connect = myServer.hp.com:110
engineNum = 1

Stunnel Configuration File on myServer for Mail Services
On the mail server (myServer), the Stunnel configuration file is similar to the file listed in “Stunnel Configuration File on myServer for telnet” (page 47), with the following service option entries:
engineCtrl=LOAD
engineCtrl=INIT
# Service-level configuration for SMTP server
[smtp-server]
# Use in server mode
client = no
accept = myServer.hp.com:25
connect = localhost:25
engineNum = 1
# Service-level configuration for POP3 server
[pop3]
# Use in server mode
client = no
accept = myServer.hp.com:110
connect = localhost:110
engineNum = 1

Stunnel and Secure LDAP Example
In this example, a Lightweight Directory Access Protocol (LDAP) client uses Stunnel to connect to a secure LDAP server.
connect = myServer.hp.com:636
engineNum = 1
In addition, the verify option is set to 1 (verify peer certificate if present) based on the assumption that the LDAP server does not send a certificate to the client. For example:
verify = 1
Note that at level 1 Stunnel accepts a peer that presents no certificate at all, so this setting does not authenticate the LDAP server. If the server does present a certificate, use verify = 2 or verify = 3 (as in the telnet example) so that a certificate that cannot be validated causes the connection to fail rather than proceed.
The complete Stunnel configuration file on myClient is as follows.
# /opt/iexpress/stunnel/etc/stunnel.
defined in RFC 2255 and can include additional components, such as the LDAP directory base.
6 Using TCS RSA Keys with HP-UX Secure Shell This chapter describes how to use TCS RSA keys for HP-UX Secure Shell server authentication.
RK. The tpmcreate utility can also save a copy of the public key in SSH format or extract and save a copy of a public key from a previously created key blob. TPM OpenSSL Engine Libraries The sshd daemon included with HP-UX Secure Shell versions A.05.00.029 and later is enabled to load a TPM OpenSSL engine at runtime. The TPM OpenSSL engine provides an interface to the TSPI library, which performs RSA encryption functions using the TPM.
This command creates two files: output_file and output_file.pub. The output_file file contains a key blob with an RSA key pair; the private key is encrypted by the TPM RK. The output_file.pub contains the public key in SSH v2 format. You will need the output_file.pub file to manually distribute the server's public key if any SSH clients have StrictHostKeyChecking set to yes. For more information, see “Step 5: Distributing and Installing the SSH Server Public Key” (page 59).
EngineConfigSection Specifies the name of the section within the OpenSSL configuration file that contains the engine directives necessary to load and initialize the TPM OpenSSL engine. Default: server_conf. HP recommends that you use the default value, which matches the value used in /etc/opt/tcs/ openssl.cnf, the OpenSSL configuration file included with TCS.
Using the TCS Sample OpenSSL Configuration File as a Standalone File Copy the sample /opt/tcs/misc/engine_tpm.cnf file to the default value of the EngineConfigFile parameter, or to an alternate location specified in the sshd configuration file. The default value for EngineConfigFile is /opt/ssh/etc/server.cnf. # cp /opt/tcs/misc/engine_tpm.cnf /opt/ssh/etc/server_info_for_tpm.
SSH User Session
On the SSH server, the administrator creates a TPM-protected SSH server key pair:
# tpmcreate -s /etc/opt/tcs/mySSHKeyblob
The administrator uses the elfdump and file utilities to determine the TPM OpenSSL engine library for sshd:
# elfdump -L /usr/sbin/sshd | grep libcrypto
2 Needed libcrypto.so.0
# file /usr/sbin/sshd
/usr/sbin/sshd: ELF-64 executable object file - IA64
Based on Table 5-1 (page 44), this sshd binary needs the library /opt/tcs/lib/hpux64/engines/libtpm.so.0.
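The two facts this session extracts by hand, the data model that `file` reports and the libcrypto soname that `elfdump -L` lists (see also “Determining the Compiler Data Model” in Chapter 5), can be read straight out of the ELF header and dynamic section. The following Python program is an added example and is not HP's code or part of TCS: it parses EI_CLASS and the DT_NEEDED entries of an ELF image and maps them to an engine path under /opt/tcs/lib/hpux32 or hpux64. The libcrypto.so.0 to libtpm.so.0 pairing is the one shown above; the libcrypto.so.0.9.8 entry is an assumption, and build_sample_elf() produces constructed test input rather than a real sshd.

```python
"""Added example (not HP's code): choose the TPM OpenSSL engine library for an
application from its ELF header and DT_NEEDED entries. Only libcrypto.so.0 ->
libtpm.so.0 and the hpux32/hpux64 directories come from the manual; the 0.9.8
entry is an assumption."""
import struct
import sys

SHT_STRTAB, SHT_DYNAMIC, DT_NEEDED = 3, 6, 1
ENGINE_FOR_LIBCRYPTO = {
    "libcrypto.so.0": "libtpm.so.0",          # from the manual's sshd example
    "libcrypto.so.0.9.8": "libtpm.so.0.9.8",  # assumption for OpenSSL 0.9.8 builds
}
_FORMATS = {  # (ELF header, section header, dynamic entry) struct layouts
    64: ("16sHHIQQQIHHHHHH", "IIQQQQIIQQ", "qQ"),
    32: ("16sHHIIIIIHHHHHH", "IIIIIIIIII", "iI"),
}


def parse_elf(data):
    """Return (elf_class, [DT_NEEDED sonames]) for an ELF image held in memory."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    elf_class = {1: 32, 2: 64}[data[4]]     # EI_CLASS: what `file` reports as ELF-32/64
    endian = {1: "<", 2: ">"}[data[5]]      # EI_DATA: little- or big-endian fields
    ehdr_fmt, shdr_fmt, dyn_fmt = _FORMATS[elf_class]
    ehdr = struct.unpack_from(endian + ehdr_fmt, data, 0)
    e_shoff, e_shentsize, e_shnum = ehdr[6], ehdr[11], ehdr[12]
    shdrs = [struct.unpack_from(endian + shdr_fmt, data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    needed = []
    for sh in shdrs:
        if sh[1] != SHT_DYNAMIC:
            continue
        strtab = shdrs[sh[6]]                 # sh_link names the .dynstr section
        if strtab[1] != SHT_STRTAB:
            raise ValueError(".dynamic does not link to a string table")
        str_off = strtab[4]
        for off in range(sh[4], sh[4] + sh[5], struct.calcsize(dyn_fmt)):
            d_tag, d_val = struct.unpack_from(endian + dyn_fmt, data, off)
            if d_tag == 0:                    # DT_NULL terminates the table
                break
            if d_tag == DT_NEEDED:            # what `elfdump -L` prints as "Needed"
                end = data.index(b"\0", str_off + d_val)
                needed.append(data[str_off + d_val:end].decode())
    return elf_class, needed


def tpm_engine_library(data):
    """Map the data model and libcrypto soname to an engine path (Table 5-1 style)."""
    elf_class, needed = parse_elf(data)
    libcrypto = [s for s in needed if s.startswith("libcrypto.so")]
    if not libcrypto:
        raise ValueError("binary does not link libcrypto; it cannot load an engine")
    try:
        engine = ENGINE_FOR_LIBCRYPTO[libcrypto[0]]
    except KeyError:
        raise ValueError("no TPM engine known for %s" % libcrypto[0])
    return "/opt/tcs/lib/hpux%d/engines/%s" % (elf_class, engine)


def build_sample_elf(elf_class=64, needed=("libcrypto.so.0", "libc.so.1"), endian=">"):
    """Constructed test input: a minimal ELF image with only .dynstr and .dynamic
    sections (no code). It exercises the parser; it is not a real HP-UX binary."""
    ehdr_fmt, shdr_fmt, dyn_fmt = _FORMATS[elf_class]
    dynstr, offsets = b"\0", []
    for name in needed:
        offsets.append(len(dynstr))
        dynstr += name.encode() + b"\0"
    dynamic = b"".join(struct.pack(endian + dyn_fmt, DT_NEEDED, o) for o in offsets)
    dynamic += struct.pack(endian + dyn_fmt, 0, 0)
    ehsize, shentsize = struct.calcsize(ehdr_fmt), struct.calcsize(shdr_fmt)
    dynstr_off = ehsize
    dynamic_off = dynstr_off + len(dynstr)
    shoff = dynamic_off + len(dynamic)
    ident = (b"\x7fELF" + bytes([2 if elf_class == 64 else 1,
                                  2 if endian == ">" else 1, 1]) + b"\0" * 9)
    ehdr = struct.pack(endian + ehdr_fmt, ident, 2, 50, 1, 0, 0, shoff, 0,
                       ehsize, 0, 0, shentsize, 3, 0)      # e_machine 50 = EM_IA_64
    shdrs = struct.pack(endian + shdr_fmt, *([0] * 10))    # mandatory SHN_UNDEF entry
    shdrs += struct.pack(endian + shdr_fmt, 0, SHT_STRTAB, 0, 0,
                         dynstr_off, len(dynstr), 0, 0, 1, 0)
    shdrs += struct.pack(endian + shdr_fmt, 0, SHT_DYNAMIC, 0, 0,
                         dynamic_off, len(dynamic), 1, 0, 8, struct.calcsize(dyn_fmt))
    return ehdr + dynstr + dynamic + shdrs


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    print(parse_elf(image), tpm_engine_library(image))
```

Run it as `python elf_engine.py /usr/sbin/sshd` on the server; with no argument it parses the constructed sample, which describes a 64-bit big-endian binary linked against libcrypto.so.0 and resolves to the same hpux64 libtpm.so.0 path the session above arrives at.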
7 Protecting EVFS Keys with TCS
This chapter describes how to use TCS to protect HP-UX Encrypted Volume and File System (EVFS) private keys. This chapter addresses the following topics:
• “Overview” (page 61)
• “Configuring EVFS to Use TCS” (page 62)
• “Backing Up and Migrating Keys” (page 64)
• “Configuring EVFS with TCS for Serviceguard Clusters” (page 64)
Overview
You can use TCS to protect EVFS private keys.
Figure 7-1 EVFS Encryption Keys (figure; relationships as labeled): the volume encryption key encrypts and decrypts the data; in the EVFS volume encryption metadata (EMD) key records, user 1's public key encrypts the volume encryption key and user 1's private key decrypts it; the TCS EVFS key protects the user private key; the passphrase "my_passphrase" authorizes access to the TCS EVFS key, and the stored copy of "my_passphrase" is encrypted with system-specific data.
When a user performs an EVFS operation that
On systems with EVFS v1.1, it changes the pbe entry to: pbe = /usr/lib/evfs/hpux64/libevfs_pbe.so[onfail:continue] /opt/tcs/lib/libevfs_tcspbe.so.1 These statements configure EVFS to use the TCS library to encrypt and decrypt EVFS private keys. On systems with EVFS v1.1, EVFS will attempt to use its default PBE library if it cannot decrypt the private key using the TCS library. This configuration enables EVFS to use both TPM-protected private keys and software private keys.
Note the following evfs.conf characteristics:
• Changes saved to the evfs.conf file are effective immediately.
• The evfs.conf file is read each time an EVFS daemon or EVFS utility (evfspkey, evfsvol, evfsadm) starts.
• Statements in evfs.conf files cannot cross line boundaries and cannot contain line continuation characters.
• The parser recognizes spaces as delimiters between multiple library[onfail:action] terms. Do not insert spaces within library[onfail:action] terms.
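The evfs.conf rules above, as an added example that is not part of EVFS or TCS: a small Python parser for the pbe statement that rejects continuation characters and spaces inside a term, plus a helper that shows which libraries EVFS will actually try given the onfail:continue setting described for EVFS v1.1. Treating a backslash as the continuation character is an assumption, and the function names are invented here.

```python
"""Added example (not EVFS or TCS code): parse 'pbe = library[onfail:action] ...'
statements from evfs.conf and show the resulting library lookup order."""
import re

# One term: a library path with no whitespace or brackets, optionally followed by
# [onfail:action]. Anything else (for example a space before the bracket) is rejected.
_TERM = re.compile(r"^(?P<lib>[^\[\]\s]+)(?:\[onfail:(?P<action>[A-Za-z]+)\])?$")


def parse_pbe_statement(line):
    """Return [(library, onfail_action or None), ...] for one pbe statement.
    Raises ValueError for statements that break the evfs.conf layout rules."""
    if "\\" in line:  # assumption: a backslash is what a continuation character looks like
        raise ValueError("line continuation characters are not allowed in evfs.conf")
    key, sep, value = line.partition("=")
    if not sep or key.strip() != "pbe":
        raise ValueError("not a pbe statement: %r" % line)
    terms = []
    for term in value.split():            # spaces delimit terms
        match = _TERM.match(term)
        if match is None:
            raise ValueError("malformed term %r (space inside a term?)" % term)
        terms.append((match.group("lib"), match.group("action")))
    if not terms:
        raise ValueError("pbe statement names no library")
    return terms


def libraries_tried(terms):
    """Libraries EVFS would try, in order: it moves past a library only when that
    library is marked onfail:continue, so a term without the marker ends the list."""
    tried = []
    for lib, action in terms:
        tried.append(lib)
        if action != "continue":
            break
    return tried


if __name__ == "__main__":
    # The EVFS v1.1 statement shown above (constructed input for the example).
    stmt = ("pbe = /usr/lib/evfs/hpux64/libevfs_pbe.so[onfail:continue] "
            "/opt/tcs/lib/libevfs_tcspbe.so.1")
    print(libraries_tried(parse_pbe_statement(stmt)))
```

The parser is strict on purpose: a statement that EVFS would silently misread (a stray space before `[onfail:continue]`, for instance, turns the bracket into a separate, invalid term) is better caught before the file is saved, since the change takes effect the next time any EVFS daemon or utility starts.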
a. Open the /etc/opt/tcs/tcsd.conf file for editing.
b. Set the value of the system_ps_file option to the new file pathname. The file cannot reside on a shared volume.
c. Save your changes and close the /etc/opt/tcs/tcsd.conf file.
d. Stop tcsd by entering the following command: /sbin/init.d/tcs stop
e. Restart tcsd by entering the following command: /sbin/init.d/tcs start
3. Copy the modified /etc/opt/tcs/tcsd.
TCS-protected EVFS private keys, which are stored in /etc/evfs/pkey by default. You will also enable and test the EVFS volumes using the TCS-protected keys. The procedure for configuring EVFS for use with Serviceguard is described in the appendix Using EVFS with Serviceguard of the Encrypted Volume and File System v1.0 Administrator's Guide. 11. Start the cluster packages as described in the Serviceguard documentation.
8 Advanced TCS Administration
You can perform most day-to-day management of TCS and the TPM with a few simple commands, as described in Chapter 3 (page 29). However, the TCS management commands also support options for advanced administration. A selection of these options is described in this chapter.
Key UUID:         ded330fd-6386-41f6-b94b-10d6c84c5422
Parent Key UUID:  00000000-0000-0000-0000-000000000003
Number of keys found: 1
For more information, see tpmlist(1m).
Using the tpmlist keyinfo Command to List Detailed Key Information
The tpmlist keyinfo command lists detailed information about a particular key. You must identify the key by its UUID or by one of the keywords srk, sk, or rk. In the following example, tpmlist keyinfo lists details for the RK.
Deleting Keys As a security precaution, the tpmadm deletekeys command does not delete the SRK, the RK, or the SK. The tpmadm deletekeys command does not require superuser capabilities and does not require the TPM password. This enables non-superusers to delete user-created keys in system persistent storage. The only method to delete the SRK is by clearing TPM ownership, which requires EFI access. This procedure is described in “Clearing TPM Ownership” (page 71).
Configuring Applications Protected by TCS on Serviceguard Clusters TCS does not require explicit inclusion in Serviceguard cluster or package definition scripts. If TCS is installed on all nodes in an existing cluster with products that are or will be TCS-protected, you do not have to modify the cluster or package definitions. For key protection in a cluster, a portion of the TPM key hierarchy must be identical across all nodes.
4. On the configuration node, create TCS application keys and any related data files that use the keys. For example, if you are using a TCS RSA key pair, create the key pair and security certificate. NOTE: Do not create TCS application keys on the other nodes. These keys will be unusable after you migrate the RK from the configuration node to the other nodes. 5. Create a TPM key archive file using the tpmadm backup command.
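The cluster steps above depend on the chain of protection described in Chapter 1 (the SRK unwraps the RK, the RK unwraps the application key) and on the tpmadm backup/restore archive described in Chapter 3: application keys created under one node's RK only become usable on another node once that RK has been migrated there. The following Python model shows all three pieces end to end. It is an added example, not HP's code and not how the TPM or tpmadm implement anything: textbook RSA with short keys stands in for the TPM's RSA, a SHA-256 keystream stands in for the archive cipher, and ToyTPM, create_key, backup_rk, restore_rk and demo are names invented here.

```python
"""Added example, not HP's code: toy model of the TCS key hierarchy (SRK -> RK ->
application key) and of migrating the RK with a tpmadm-style key archive.
Textbook RSA with short keys and a SHA-256 keystream stand in for the TPM's
algorithms; nothing here is secure, it only makes the chain of protection visible."""
import hashlib
import random

random.seed(2008)  # reproducible keys for the worked example only


def _is_probable_prime(n, rounds=20):
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                                  # Miller-Rabin
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def gen_rsa(bits, e=65537):
    """Return ((n, e), (n, d)); n has bits-1 or bits bits."""
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        if p != q and (p - 1) % e and (q - 1) % e:
            break
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def rsa_apply(key, m):
    """Raw RSA: encrypt/wrap with (n, e), decrypt/unwrap with (n, d); m must be < n."""
    n, exp = key
    return pow(m, exp, n)


def _keystream_xor(secret, data):
    """Toy archive cipher: XOR with a SHA-256 counter-mode keystream from the secret."""
    stream = b"".join(hashlib.sha256(secret.encode() + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


class ToyTPM:
    """One TPM: holds the SRK; the private half never leaves this object."""
    def __init__(self):
        self.srk_pub, self._srk_priv = gen_rsa(768)

    def create_key(self, parent_blob, bits):
        """Generate a key pair and wrap its private exponent under the parent's public
        key (parent_blob=None means the SRK). Returns the key blob, (public key,
        wrapped private exponent), which is what lives in persistent storage."""
        parent_pub = self.srk_pub if parent_blob is None else parent_blob[0]
        pub, (_, d) = gen_rsa(bits)
        return (pub, rsa_apply(parent_pub, d))

    def _unwrap(self, parent_priv, blob):
        (n, _), wrapped_d = blob
        return (n, rsa_apply(parent_priv, wrapped_d))

    def decrypt_with_app_key(self, rk_blob, app_blob, ciphertext):
        """Figure 1-5: unwrap the RK with the SRK, the app key with the RK, then decrypt."""
        rk_priv = self._unwrap(self._srk_priv, rk_blob)
        app_priv = self._unwrap(rk_priv, app_blob)
        return rsa_apply(app_priv, ciphertext)

    def backup_rk(self, rk_blob, secret):
        """tpmadm backup: the archive holds the RK private key under the secret alone,
        so it is usable on a platform with a different TPM (and different SRK)."""
        _, d = self._unwrap(self._srk_priv, rk_blob)
        return (rk_blob[0], _keystream_xor(secret, d.to_bytes(80, "big")))

    def restore_rk(self, archive, secret):
        """tpmadm restore: recover the RK and re-wrap it under this TPM's SRK."""
        pub, sealed = archive
        d = int.from_bytes(_keystream_xor(secret, sealed), "big")
        return (pub, rsa_apply(self.srk_pub, d))


def demo():
    """Return (decrypts on node A, fails on node B, decrypts on B after RK migration)."""
    node_a, node_b = ToyTPM(), ToyTPM()              # two cluster nodes, two SRKs
    rk_blob = node_a.create_key(None, 640)           # RK wrapped by node A's SRK
    app_blob = node_a.create_key(rk_blob, 512)       # e.g. a tpmcreate key under the RK
    msg = int.from_bytes(b"cluster secret", "big")   # must be < the app key modulus
    ct = rsa_apply(app_blob[0], msg)
    on_a = node_a.decrypt_with_app_key(rk_blob, app_blob, ct) == msg
    on_b_before = node_b.decrypt_with_app_key(rk_blob, app_blob, ct) == msg
    archive = node_a.backup_rk(rk_blob, "archive-secret")
    rk_on_b = node_b.restore_rk(archive, "archive-secret")
    on_b_after = node_b.decrypt_with_app_key(rk_on_b, app_blob, ct) == msg
    return on_a, not on_b_before, on_b_after
```

demo() returns three booleans: the application key decrypts on the node that created it, produces garbage on a node whose SRK differs (the app key blob never left node A's hierarchy), and works on that node once the RK has been restored there from the archive with the same secret. That is exactly why the procedure creates application keys on one configuration node and copies the blobs, rather than creating keys on every node: a key created under node B's original RK is orphaned when that RK is replaced by the migrated one.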
• Use the EFI Boot Manager
• Use the command line in the EFI shell
CAUTION: Do not clear TPM ownership on HP-UX unless absolutely necessary (for example, if you lose the TPM password). Clearing TPM ownership:
• Requires two system reboots.
• Deletes the SRK and RK and clears any existing TPM secrets. All TCS application keys become unusable, and any data or keys encrypted by a TCS application key become unusable, unless you created a TPM key archive with tpmadm backup beforehand and restore the RK from it afterward.
6. A menu appears asking if you want to clear the TPM. Select Y and press Enter. 7. A menu appears asking if you want to continue. Select Y and press Enter.
8. A menu appears asking if you want to reset the system. Select Y and press Enter. The system will reboot. 9. As the system boots, access the EFI Boot Manager. 10. From the Boot Menu in the EFI utility, select Security Configuration and press Enter. 11. From the Set Trusted Platform Module State menu, select Y and press Enter. This will enable the TPM.
12. A menu appears asking if you want to reset the system. Select Y and press Enter.
13. After the system reboots, enter the following commands to unconfigure and reconfigure TCS:
swconfig -u TCS; swconfig TCS
14. Enter the following command to verify that the TPM is enabled and TCS is operating:
tpmlist status
The output will show the following values if TPM is enabled and TCS is operating:
Owned:        yes
Activated:    yes
Enabled:      yes
Ownable:      yes
Owner clear:  disabled
Force clear:  disabled
16. If you have a TPM key archive file created before you cleared TPM ownership, you can use the tpmadm restore command to restore the previous RK and migrate its descendent keys. For example:
# tpmadm restore filename=/tmp/tpmKeyArchive
Clearing TPM Ownership Using the EFI Shell
To clear TPM ownership using the EFI shell, follow these steps:
1. Locate a TPM key archive file created using the tpmadm backup command, if possible.
10. After the system reboots, enter the following commands to unconfigure and reconfigure TCS:
swconfig -u TCS; swconfig TCS
If the TCS_EVFSENABLED flag is set (TCS_EVFSENABLED=1) in the /etc/rc.config.d/tcsconf file, you must set it to 0 before entering the swconfig -u TCS command.
11.
9 TCS Troubleshooting and Known Issues
This chapter describes potential TCS problems. It addresses the following topics:
• “Troubleshooting tcsd” (page 79)
• “Troubleshooting TCS Operation with EVFS” (page 84)
• “The tpmadm restore Command Fails” (page 85)
• “TCS Commands Fail When Run as a Nonprivileged User” (page 85)
• “Reporting Problems” (page 85)
Troubleshooting tcsd
The main entry point for applications accessing the TPM is through tcsd, which is closely tied to the TPM driver.
For example:
crw-rw----   1 tss   tss   135 0x000000 Jun 23 10:08 /dev/tpm
4. Confirm that the TPM is installed and enabled. See Chapter 2 (page 19).
5. If needed, reboot the system to clear a transient TPM failure. If the error persists after a system reboot, you might need to replace the TPM.
6. Verify the ownership and permissions for the /etc/opt/tcs directory and the file used for TCS system persistent storage (the default is /etc/opt/tcs/system.data).
Action
Some possible reasons for this message include:
• You are trying to use the openssl options -keyform engine and -engine tpm with a version of openssl prior to 0.9.8. You can verify the openssl version by entering the following command:
openssl version
You might need to specify the full path to the 0.9.8 version (for example, /opt/openssl/0.9.8/bin/openssl). If OpenSSL 0.9.
2008.07.18 09:42:17 LOG3[13057:1]: error stack: 25070067 : error:25070067:DSO support routines:DSO_load:could not load the shared library
2008.07.18 09:42:17 LOG3[13057:1]: ENGINE_ctrl_cmd_string: 25066067: error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library
Action
Verify the library specified in the engineCtrl=SO_PATH statement in the Stunnel configuration file: confirm that the file exists, that its data model (hpux32 or hpux64) matches the Stunnel binary, and that the path is reachable and readable by the stunnel process, including inside any chroot directory configured for it.
If you do not see similar start up messages, verify the following items:
• The HP-UX Secure Shell version. You must have version A.05.00.029, or later.
• The sshd configuration file. At a minimum, this file must include the EngineHostRSAKey keyword with the path to the key blob created using tpmcreate. For more information, see “Step 3: Modifying the sshd Configuration File” (page 57).
• The OpenSSL configuration file. By default, sshd will attempt to use /opt/ssh/etc/server.
debug1: key_load_engine_private() done: type debug1: engine key load attempted, index: #0 Could not load host key: /opt/foo/sshblob Disabling protocol version 2. Could not load host key sshd: no hostkeys available -- exiting. This message indicates a problem opening the OpenSSL configuration file specified by the parameter EngineConfigFile in the sshd configuration file. Verify the filename specified by EngineConfigFile. • debug1: sshd version OpenSSH_5.0p1+sftpfilecontrol-v1.
The tpmadm restore Command Fails

The tpmadm restore command can fail for the following reasons:

• You are not superuser. The tpmadm restore command attempts to delete the existing RK before migrating the new RK from the TPM key archive file, and the deletion succeeds only if the user has superuser capabilities.
• You entered an incorrect TPM password or secret. Verify that the TPM password and secret used are the correct length.
contract, you can still obtain support services for a fee, based on the amount of time required to solve your problem.
5. If you are asked to supply any information pertaining to the problem, gather the requested information and submit it.
A Product Specifications

This appendix contains product specifications.

TCS Files and Directories

The following sections list the product files and directories included with the TCS installation.

The /opt/tcs Directory

The /opt/tcs/ directory contains the following directories and files for TCS code execution and configuration:

/opt/tcs/bin/    Binary files: the TPM and TCS utilities and the tcsd daemon.
                 C header files for use with the TSS APIs.
B TSPI APIs

The authoritative Trusted Computing Group (TCG) Transport Service Provider Interface (TSPI) reference document (TSS specification) is available at the TCG website:

    http://www.trustedcomputinggroup.org

The current version of TCS contains version 0.2.8 of the TrouSerS stack implementation. A good source of sample TSPI code is located at the TrouSerS website:

    http://trousers.sourceforge.net/

Table B-1 lists the TSPI (TrouSerS) APIs and indicates if they are supported with TCS.
Table B-1 Supported TSPI APIs (continued)

TSPI Function                            Supported   Notes
Tspi_Context_GetKeyByUUID                Yes
Tspi_Context_GetKeyByPublicInfo          Yes
Tspi_Context_GetRegisteredKeysByUUID     Yes

Tspi_Policy
Tspi_SetAttribUint32                     Yes
Tspi_GetAttribUint32                     Yes
Tspi_SetAttribData                       Yes
Tspi_GetAttribData                       Yes
Tspi_Policy_SetSecret                    Yes
Tspi_Policy_FlushSecret                  Yes
Tspi_Policy_AssignToObject               Yes

Tspi_TPM
Tspi_SetAttribUint32                     Yes
Tspi_GetAttribUint32                     Yes
Tspi_SetAttribData                       Yes
Tspi_GetAttribData                       Yes
Table B-1 Supported TSPI APIs (continued)

TSPI Function                            Supported   Notes
Tspi_TPM_GetRandom                       Yes
Tspi_TPM_StirRandom                      Yes
Tspi_TPM_AuthorizeMigrationTicket        Yes
Tspi_TPM_GetEvent                        Yes
Tspi_TPM_GetEvents                       Yes
Tspi_TPM_GetEventLog                     Yes
Tspi_TPM_Quote                           Yes
Tspi_TPM_PcrExtend                       Yes
Tspi_TPM_PcrRead                         Yes
Tspi_TPM_DirWrite                        Yes
Tspi_TPM_DirRead                         Yes
Tspi_ChangeAuth                          Yes
Tspi_GetPolicyObject                     Yes

Tspi_Key
Tspi_SetAttribUint32                     Yes
Tspi_GetAttribUint32                     Yes
Tspi_SetAttribData                       Yes
Tspi_GetAttribDat
Table B-1 Supported TSPI APIs (continued)

TSPI Function                            Supported   Notes
Tspi_Data
Tspi_SetAttribUint32                     Yes
Tspi_GetAttribUint32                     Yes
Tspi_SetAttribData                       Yes
Tspi_GetAttribData                       Yes
Tspi_Data_Bind                           Yes
Tspi_Data_Unbind                         Yes
Tspi_Data_Seal                           Yes
Tspi_Data_Unseal                         Yes
Tspi_ChangeAuth                          Yes
Tspi_ChangeAuthAsym                      No          Not implemented.
Tspi_GetPolicyObject                     Yes
C Sample TSS Application

This sample program creates and registers a new key in TSS. The new key encrypts an ASCII string. The results are displayed in the output. The Makefile.hpux and example.c files are located in the /opt/tcs/src/example/ directory. The make -f Makefile.hpux command compiles both 32-bit and 64-bit versions of example.c.

Example of Makefile.hpux:

    CC=cc
    INC=/opt/tcs/include
    LIBS=-L/usr/lib -ltspi -lcrypto
    CFLAGS=-Ae -I$(INC) -DHPUX -g

    all: example example64

    example: example.
    if(parseOptions(argc, argv) != 0) {
        goto out;
    }

    // Ensure that data to be 'binded' is no larger than our keysize
    if(strlen(secret) > 256) {
        fprintf(stderr, "Error: Secret to be bound to TPM is too large.\n Please limit the secret to 256 characters\n");
        goto out;   // stop here: an oversized secret cannot be bound
    }

    // Start a TSS session
    tResult = Tspi_Context_Create(&hContext);
    if (tResult != TSS_SUCCESS) {
        fprintf(stderr, "Tspi_Context_Create failed.
    // Adjust new key flags if authorization is required
    if(password) {
        keyInitFlags |= TSS_KEY_AUTHORIZATION;
    }

    // Create the Key Object (in software)
    tResult = Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_RSAKEY,
                                        keyInitFlags, &hKey);
    if (tResult != TSS_SUCCESS) {
        fprintf(stderr, "Tspi_Context_CreateObject failed.
                                        TSS_OBJECT_TYPE_ENCDATA, dataInitFlags, &hEncData);
    if (tResult != TSS_SUCCESS) {
        fprintf(stderr, "Tspi_Context_CreateObject failed. Error: %s\n",
                Trspi_Error_String(tResult));
        goto out_close;
    }

    // Set blob password to NULL
    tResult = Tspi_GetPolicyObject(hEncData, TSS_POLICY_USAGE, &hPolicy);
    if (tResult != TSS_SUCCESS) {
        fprintf(stderr, "Tspi_GetPolicyObject failed.
                password = optarg;
                break;
            case 'h':
                host = optarg;
                break;
            case 's':
                secret = optarg;
                break;
            case '?':
            default:
                if (isprint (optopt))
                    fprintf (stderr, "Unknown option `-%c'.\n", optopt);
                else
                    fprintf (stderr, "Unknown option character `\\x%x'.\n", optopt);
                usage();
                return 1;
        }
    return 0;
}

TSS_UUID *
uuidGen(TSS_HTPM hTPM)
{
    TSS_RESULT tResult;
    TSS_UUID *uuid;

    // Fill a UUID-sized buffer with random bytes from the TPM
    tResult = Tspi_TPM_GetRandom(hTPM, sizeof(TSS_UUID), (BYTE **)&uuid);
    if (tResult != TSS_SUCCESS) {
        fprintf(stderr, "Tspi_TPM_GetRandom failed.
Glossary

AES
    Advanced Encryption Standard. A symmetric key block encryption algorithm suitable for encrypting large amounts of data.

API
    Application Programming Interface. The definition of a set of functions that a library supports.

asymmetric key cryptography
    See public key cryptography.

CA
    Certificate Authority. A trusted third party that authenticates users and issues security certificates.
TCG
    Trusted Computing Group. An industry standards group that defines open standards for hardware-enabled trusted computing using a TPM. It also defines the related TSS APIs.

TCS application key
    A key generated and used by a TCS utility (tpmcreate, tpmencrypt, tpmdecrypt), or by an application modified to use TCS, such as EVFS. TCS application keys are protected by the RK.

TCS RSA key pair
    An asymmetric RSA key pair protected by the TPM. TCS RSA key pairs are generated by the tpmcreate utility.
Index

A
administering TCS, 29–34, 67
AES (Advanced Encryption Standard), 99
asymmetric keys, 15

B
backing up TCS data, 25, 29
    system data, 30
    TPM keys, 31

C
CA (Certificate Authority)
    defined, 99
certificate
    creating req

E
external key storage, 15

F
files
    permissions and owners for TCS data, 30
    used by TCS, 87

I

K
key blob
    defined, 16
key hierarchy, 14
key storage, 15
keys
    deleting, 68
    specifying for SSH, 57
    specifying for Stunnel, 46
    TPM
        backing up, 31
        detailed information, 68
        listing, 67
        restoring, 31
    maximum length, 33
    re-establishing, 33
    restoring file for, 33
    specifying, 32
POP3
    example with Stunnel and TCS, 48
port number
    modifying for tcsd, 69
preshared keys
    definition, 99
private key
    protecting an existing, 44

R
reinstalling TCS, 25
removing TCS, 26
restoring TPM keys, 31
restoring TCS data, 30
RK
    defined, 16
    listing, 67
    listing detailed information, 68
Roaming Key (see RK)
RSA cryptography, 99

S
secret, 32 (see also passphrase)
    specifying, 32
Secure Shell (see SSH)
Serviceguard
    configuring with
tpmlist keyinfo command, 68
tpmlist keys command, 67
tpmlist status command, 24

U
upgrading TCS, 25
user persistent storage, 15

V
verifying TCS, 24