HP-UX Kernel Cryptographic Module 2.1 User Guide (766149-002, April 2014)
3 Configuring HP-UX KCM
Products integrated with HP-UX KCM must define both an install-time and a run-time dependency on
HP-UX KCM. With these dependencies in place, KCM is installed and loaded automatically along with
the product that depends on it.
NOTE:
• Before loading HP-UX KCM modules, ensure that the following paths are accessible:
◦ /stand/current/mod
◦ /usr/conf/mod
◦ /etc
• HP-UX KCM modules cannot be loaded as static modules, because this is not a valid FIPS mode of
operation.
• If a Kernel configuration containing KCM modules is saved (by using kconfig -s), ensure that
the KCM versions are consistent before loading the saved Kernel configuration.
For example, HP-UX KCM 2.0 is installed on a system and the current Kernel configuration is
saved as ‘backup’. Later, KCM is upgraded to 2.1 on the same system. If, for some reason,
the system is booted with the ‘backup’ Kernel configuration, this leads to an inconsistent state,
because ‘backup’ contains HP-UX KCM 2.0, whereas the currently installed version of HP-UX KCM
is 2.1.
An example of defining dependency on HP-UX KCM is given below:
Install-time dependency:
myproduct.psf:
    vendor
    bundle
    product
        fileset
            corequisites HPUX-KCM.KCM.KCM-LIB,r>=A.02.01.00
            corequisites HPUX-KCM.KCM-FIPS.KCM-FIPS-LIB,r>=A.01.00.00
        end
    end
Run-time dependency:
myproduct.modmeta:
    module myproduct {
        . . .
        . . .
        dependency libkcm_pkcs11
        . . .
    }
Due to this run-time dependency, KCM is loaded first whenever a product dependent on HP-UX
KCM is loaded.
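One way to check, before packaging, that a product declares both dependencies shown above. This is an added example, not part of the HP guide: the function names, file names and sample file contents are constructed, and the revision floors are taken from the example above as an assumed requirement.

```shell
# Added example: lint packaging files for the KCM dependencies shown above.

# rev_ge A B: true when dotted revision A is at or above B.
rev_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        if (x[1] != y[1]) exit !(x[1] > y[1])       # letter prefix, as text
        for (i = 2; i <= (na > nb ? na : nb); i++)   # numeric fields
            if (x[i] + 0 != y[i] + 0) exit !(x[i] + 0 > y[i] + 0)
        exit 0
    }'
}

# psf_floor FILE SPEC: print the r>= floor declared for corequisite SPEC.
psf_floor() {
    awk -v spec="$2" '$1 == "corequisites" {
        n = index($2, ",r>=")
        if (n && substr($2, 1, n - 1) == spec) { print substr($2, n + 4); exit }
    }' "$1"
}

# check_kcm_deps PSF MODMETA: 0 only if both dependency kinds are declared.
check_kcm_deps() {
    psf=$1; modmeta=$2; rc=0
    while read -r spec min; do
        got=$(psf_floor "$psf" "$spec")
        if [ -z "$got" ] || ! rev_ge "$got" "$min"; then
            echo "PSF: $spec needs r>=$min (found: ${got:-none})" >&2; rc=1
        fi
    done <<EOF
HPUX-KCM.KCM.KCM-LIB A.02.01.00
HPUX-KCM.KCM-FIPS.KCM-FIPS-LIB A.01.00.00
EOF
    grep -q '^[[:space:]]*dependency[[:space:]][[:space:]]*libkcm_pkcs11[[:space:]]*$' "$modmeta" ||
        { echo "modmeta: no 'dependency libkcm_pkcs11'" >&2; rc=1; }
    return "$rc"
}

# Constructed sample files (not from a real product).
demo=${TMPDIR:-/tmp}/kcm-lint.$$; mkdir -p "$demo"
printf '%s\n' 'product' ' fileset' \
    '  corequisites HPUX-KCM.KCM.KCM-LIB,r>=A.02.01.00' \
    '  corequisites HPUX-KCM.KCM-FIPS.KCM-FIPS-LIB,r>=A.01.00.00' \
    ' end' 'end' > "$demo/good.psf"
printf '%s\n' 'product' ' fileset' \
    '  corequisites HPUX-KCM.KCM.KCM-LIB,r>=A.02.00.00' ' end' 'end' > "$demo/stale.psf"
printf '%s\n' 'module myproduct {' ' dependency libkcm_pkcs11' '}' > "$demo/good.modmeta"
printf '%s\n' 'module myproduct {' '}' > "$demo/bare.modmeta"
check_kcm_deps "$demo/good.psf" "$demo/good.modmeta" && echo "KCM dependencies declared"
```

The stale.psf sample fails twice: its KCM-LIB floor would still admit KCM 2.0, and it has no KCM-FIPS-LIB corequisite.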