HP-UX Trusted Computing Services A.01.00 Administrator's Guide

each product has specific guidelines for key propagation according to how and where the keys
are stored.
The following procedure illustrates the configuration of HP-UX TCS key protection for EVFS
volumes. EVFS provides key-protected encrypted volumes and is supported on active/passive
cluster configurations. To enable HP-UX TCS key protection on cluster-defined EVFS volumes,
follow these steps:
1. In the most general case, you can define separate EVFS volumes locally on a node and as
part of a cluster. For locally defined EVFS volumes, set TCS_EVFSENABLED=1 in
/etc/rc.config.d/tcsconf. Since cluster-defined volumes are not listed in /etc/fstab,
this does not affect Serviceguard volume enablement and disablement. If there are no locally
defined EVFS volumes on a node, set TCS_EVFSENABLED=0.
2. If not already created, create the EVFS volumes planned for the Serviceguard package. EVFS
volume creation on Serviceguard is described in the Encrypted Volume and File System v1.0
Administrator's Guide available at:
http://docs.hp.com/en/internet.html#Encrypted%20Volume%20and%20File%20System%20%28EVFS%29
Consult this document for details on EVFS volume creation and administration.
3. Review the material in Chapter 6 (page 29) of this guide. Other products vary in their
implementation of HP-UX TCS key protection, but are likely to be similar. On a single node,
follow the instructions in Chapter 6 (page 29) for imparting HP-UX TCS key protection on
all EVFS volumes. These instructions are identical for both locally defined and cluster-defined
EVFS volumes.
4. Configure the cluster-defined EVFS volumes as part of one or more packages on a single
node, then propagate the package definitions throughout the cluster. This step is described
in the Encrypted Volume and File System v1.0 Administrator's Guide, Appendix C. At the
completion of this step, use the cmapplyconf command to define the cluster packages.
The key hierarchy stored outside of HP-UX TCS is also propagated throughout the cluster.
The underlying storage volumes, whether managed by LVM, VxVM, CVM or by another
storage manager, become accessible throughout the cluster.
5. Create a backup file containing the HP-UX TCS-stored portion of the key hierarchy used by
HP-UX TCS throughout the cluster. For EVFS, this portion consists of the RK only. On the
single node where HP-UX TCS key protection for EVFS is configured, create an HP-UX TCS
backup file. For example:
# tpmadm backup filename=/tmp/primback.tcsdb tpm_passwd=password secret=secret
Where password is specific to the node and secret is specific to the backup file
/tmp/primback.tcsdb.
6. Copy the backup file to all other nodes within the cluster and restore it into each node's local
HP-UX TCS key database, /etc/opt/tcs/system.data. For example:
# tpmadm restore filename=/tmp/primback.tcsdb tpm_passwd=password secret=secret
Where password is specific to each node and secret is identical to that used for backup
creation.
Be aware that the contents of a local HP-UX TCS key database are replaced except for the
SRK. Following this step, all nodes within the cluster must have identical content in their
HP-UX TCS key database, except for the unique SRK.
7. Review and test EVFS volume accessibility throughout the cluster. On each node, the key
subtree /etc/evfs/pkey has the same content for cluster-defined EVFS volumes, as it
does for EVFS volumes that are not configured for HP-UX TCS protection. Because the key
hierarchy is now identical across all nodes, all operations (such as enabling and disabling
of volumes) behave the same way as they do without HP-UX TCS protection.
8. Start the cluster packages.
36 Advanced HP-UX TCS Administration