HP-UX Trusted Computing Services A.02.00 Administrator's Guide

If the tpmlist status command output does not indicate that TCS is running, see Chapter 9 (page 79).
Step 6: Backing Up TCS System Data Files and TPM Keys
HP recommends that you back up the TCS system data files and TPM keys immediately after
installation to enable you to recover keys and data if TPM hardware fails. To back up TCS system
data and TPM keys, complete the following steps:
1. Back up the files in the directory /etc/opt/tcs using any file backup utility.
2. Create a TPM key archive by entering the following command:
tpmadm backup filename=myBackupFile
Where myBackupFile is the name of the TPM key archive file to create.
For more information on backing up TCS system data and keys, see “Backing Up and Restoring
TCS System Data and Keys” (page 29).
Upgrading or Reinstalling TCS
If you already have TCS software on your system and are upgrading TCS, follow these steps:
1. Create backup copies of TCS system data files and TPM keys. You may need to restore these
files if you encounter problems during the upgrade procedure.
Back up the files in the directory /etc/opt/tcs using any file backup utility and create a
TPM key archive using the tpmadm backup command.
For more information about backup procedures, see “Backing Up and Restoring TCS System
Data and Keys” (page 29).
2. Prepare to remove the TCS software bundle. Check for connections to the tcsd TCP port
in the ESTABLISHED, CLOSED, or FIN_WAIT_2 state; connections in these states cause the
TCS software removal script to fail. By default, the tcsd port number is 30003.
Use the following command to determine if there are TCP connections to port 30003:
netstat -an | grep 30003
For example:
# netstat -an | grep 30003
tcp 0 0 127.0.0.1.30003 *.* LISTEN
tcp 0 0 127.0.0.1.61849 127.0.0.1.30003 ESTABLISHED
tcp 0 0 127.0.0.1.30003 127.0.0.1.61849 ESTABLISHED
In most cases, the processes owning these connections will be daemons that are using
OpenSSL with TPM-protected keys, such as stunnel, or the sshd daemon.
You can also use an open source utility, such as lsof, to determine the owner of sockets
with port number 30003. The lsof utility is not supported by HP, but is available for free
from the Porting and Archive Centre for HP-UX at http://hpux.cs.utah.edu.
You can use the following lsof command to determine the names and PIDs of the processes
using port 30003:
lsof -i:30003
For example:
# lsof -i:30003
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
tcsd 4525 tss 7u IPv4 0xe000000145571680 0t0 TCP localhost:30003)
tcsd 4525 tss 8u IPv4 0xe000000145887d00 0t0 TCP localhost:30003)
stunnel 10126 root 4u IPv6 0xe000000145bea680 0t0 TCP localhost:61849)
In this listing, the first entry corresponds to the listen socket used by tcsd. The next two
entries correspond to the sockets for the TCP connection between stunnel and tcsd.
Terminating the stunnel process (kill -9 10126) closes the TCP connection.
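The pre-removal check in step 2, written out as an added shell example; it is not part of the HP-UX TCS guide and not an HP tool. It filters netstat -an output for lines that involve the tcsd port and are in one of the three states named above (ESTABLISHED, CLOSED, FIN_WAIT_2), so an administrator can see exactly which connections would make the removal script fail before running it. The TCSD_PORT variable, the function names, the --live flag and the sample netstat lines are assumptions and constructed data; the column layout follows the HP-UX netstat output shown above.

```shell
#!/bin/sh
# Added example, not from the HP-UX TCS guide: pre-removal check for
# TCP connections to the tcsd port.  It filters "netstat -an" output for
# lines that reference the tcsd port and are in one of the states the
# guide says will make the TCS removal script fail.
#
# Assumptions (not from the guide): the tcsd port can be overridden with
# the TCSD_PORT environment variable; netstat lines have the HP-UX layout
# "tcp <recv-q> <send-q> <local addr.port> <foreign addr.port> <state>".

TCSD_PORT="${TCSD_PORT:-30003}"     # 30003 is the documented default

# blocking_connections: read netstat -an lines on stdin, print the ones that
# involve the tcsd port and are ESTABLISHED, CLOSED or FIN_WAIT_2.
# Exit status 0 when at least one such line was found, 1 otherwise.
blocking_connections() {
    awk -v port="$TCSD_PORT" '
        BEGIN { found = 0; suffix = "\\." port "$" }
        $1 == "tcp" && NF >= 6 {
            local = $4; foreign = $5; state = $6
            # A connection is relevant if either endpoint is <addr>.<port>.
            if (local ~ suffix || foreign ~ suffix) {
                if (state == "ESTABLISHED" || state == "CLOSED" || state == "FIN_WAIT_2") {
                    found = 1
                    print
                }
            }
        }
        END { exit (found ? 0 : 1) }'
}

# count_blocking: number of blocking connections in the netstat text on stdin.
count_blocking() {
    blocking_connections | wc -l | tr -d ' '
}

# Constructed sample modelled on the guide's netstat example, plus one
# unrelated sshd connection and one connection to the tcsd port that is
# already in TIME_WAIT (which does not block removal).
SAMPLE_NETSTAT='tcp        0      0  127.0.0.1.30003        *.*                    LISTEN
tcp        0      0  127.0.0.1.61849        127.0.0.1.30003        ESTABLISHED
tcp        0      0  127.0.0.1.30003        127.0.0.1.61849        ESTABLISHED
tcp        0      0  127.0.0.1.22           10.0.0.5.41000         ESTABLISHED
tcp        0      0  127.0.0.1.30003        127.0.0.1.61850        TIME_WAIT'

# sample_blocking_count: run the filter over the constructed sample (2 lines expected).
sample_blocking_count() {
    printf '%s\n' "$SAMPLE_NETSTAT" | count_blocking
}

# check_live_system: run against the real netstat output; prints the blocking
# connections and returns 1 if any exist, so a wrapper can refuse to proceed
# with removing the TCS bundle until those daemons have been stopped.
check_live_system() {
    if netstat -an | blocking_connections; then
        echo "tcsd port $TCSD_PORT still has connections that block TCS removal" >&2
        return 1
    fi
    echo "no blocking connections to tcsd port $TCSD_PORT"
}

# Only touch the live system when invoked with --live; otherwise demonstrate on the sample.
case "${1:-}" in
    --live) check_live_system ;;
    *)      printf '%s\n' "$SAMPLE_NETSTAT" | blocking_connections ;;
esac
```

Run it as `sh check_tcsd_port.sh --live` (the file name is hypothetical) on the HP-UX host before removing the bundle; with no argument it only processes the constructed sample. The listen socket and TIME_WAIT entries are deliberately excluded, matching the guide's statement that only ESTABLISHED, CLOSED and FIN_WAIT_2 connections cause the removal script to fail. On other operating systems netstat may print "tcp4"/"tcp6" and different state names, so the awk filter would need adjusting there.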
Upgrading or Reinstalling TCS 25