HP-UX Trusted Computing Services A.01.00 Administrator's Guide
Note: key 00000000-0000-0000-0000-000000000001 can not be deleted.
Note: key 00000000-0000-0000-0000-000000000002 can not be deleted.
Are you sure you want to delete the above 146 key(s)? (y|n): y
…
Deleting key 142: 8a7ed68e-5ece-4d71-9ec1-429bdf9960f1 ...
Deleting key 143: 411957a5-9279-491c-a903-95dab264f239 ...
Deleting key 144: 5f5308b3-031e-4097-85e7-f5e875ef8b31 ...
Deleting key 145: 8609a773-f862-41ce-8c5b-51c1f524972f ...
Deleting key 146: 9715a011-9d6d-4199-aa84-1d3695c07407 ...
Number of keys deleted: 146
Key Deletion
As a security precaution, by design, direct deletion of the SRK, the RK, or the SK with the tpmadm
deletekeys command is not permitted. Any other key can be deleted with tpmadm deletekeys,
regardless of which user runs the command.
The tpmadm addkey key={sk|rk} command creates a new SK or RK. If an SK or RK already
exists, tpmadm addkey key={sk|rk} first attempts to delete it, and that deletion succeeds only
if the user is root: for improved security, tcsd allows only a root user to delete the SRK, the RK,
or the SK. Similarly, the tpmadm restore command attempts to delete the existing RK before
migrating the RK from the backup file, and that deletion likewise succeeds only if the user is
root on HP-UX.
NOTE: This deletion is allowed only if the user is successfully identified to tcsd, which requires
the identd service to be running on the system. If identd is not running, any attempt to overwrite
these top-level keys fails (for example, as part of a tpmadm restore operation).
Configuring Products Protected by HP-UX TCS on Serviceguard Clusters
Configuring HP-UX TCS key protection for software products that are part of Serviceguard
packages is a straightforward process. Unlike HP-UX TCS-protected products, HP-UX TCS itself
does not require explicit inclusion in the cluster or package definition scripts. If HP-UX TCS is
installed within an existing cluster with products that are or will be HP-UX TCS-protected, the
cluster and package definitions will not be affected. For HP-UX TCS key protection in a cluster,
a portion of the TPM key hierarchy must be identical across all nodes. For more information on
the TPM key hierarchy, see “TPM Key Hierarchy” (page 10).
Because HP-UX TCS is logically independent of the Serviceguard configuration files, cluster
configuration issues such as concurrent volume activation and concurrent file system access do
not affect HP-UX TCS. HP-UX TCS places no restrictions on Serviceguard features or on the
products that appear in package definition scripts.
After HP-UX TCS is installed on all cluster nodes, as described in Chapter 2 (page 13), the backup
and restore facility of the tpmadm command can be used to propagate the necessary key hierarchy
throughout the cluster. The procedure is to configure the product for HP-UX TCS on a single node.
Once that node is configured, the key hierarchy that the product needs to access files or other
resources available across the cluster is established. For keys in the hierarchy stored by HP-UX TCS,
the tpmadm command is all that is needed for the propagation. For keys in the hierarchy stored
outside HP-UX TCS,
Key Deletion 35