HP-UX Trusted Computing Services A.02.00 Administrator's Guide
IMPORTANT: Re-establishing the TPM password renders all TPM key files unusable. However,
if you created a TPM key archive file using the tpmadm backup command, you can use this file
to migrate the existing Roaming Key (RK) and its descendent keys to the system after you
re-establish the TPM password.
Re-establishing the TPM password also requires you to reboot the system.
To re-establish the TPM password, follow these steps:
1. Locate a TPM key archive file, if possible. You can restore the contents of this file after you
re-establish the TPM password so you can access any keys or data protected by the current
RK.
2. Clear the TPM ownership using the EFI Shell. This requires you to reboot the system. See
“Clearing TPM Ownership” (page 71).
3. If you have a TPM key archive file created using the tpmadm backup command, you can
use the tpmadm restore command to migrate the backed-up keys to the system. The
tpmadm restore command restores the backed-up RK and encrypts it with the new SRK.
Both the tpmadm changepwd key=tpm command and the tpmadm takeownership command
require that you have enough privilege to write to the /etc/opt/tcs/passwd file. On most
systems, this requires superuser capability.
Restoring or Migrating the TPM
There are cases where TCS must be restored on, or migrated to, a system where ownership of
the TPM has not been taken. These cases include, but are not limited to, the following:
• The TPM was replaced because of a hardware failure.
• The TPM was explicitly cleared through EFI.
• Serviceguard is being configured on the system.
• TCS is migrating to a new system.
The prerequisite for TPM restoration or migration is a TPM key archive file generated by the
tpmadm backup command. For more information, see “Creating and Restoring TPM Key Backup
Files” (page 31). This file contains the necessary information to restore TCS persistent storage.
To restore or migrate the TPM, follow these steps on the target system:
1. If TCS software is already installed, enter the following command to take TPM ownership:
swconfig -x mount_all_filesystems=false tcs
2. If TCS software is not installed, install TCS software. See “Step 3: Installing TCS Software”
(page 23).
3. Enter the following command to ensure ownership is taken:
tpmlist status
4. Enter the following command to restore the TPM to its previous state (or to migrate TPM
status):
tpmadm restore
5. Enter the following command to confirm the restoration or migration is successful:
tpmlist keys
6. Restore any TCS application keys or TPM-protected data, such as TCS RSA key pairs and
certificates generated from these keys.
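The restore/migration steps above, wrapped in a small POSIX sh script with the checks an administrator would want before touching the TPM. This is an added example, not a script from the HP-UX TCS guide or product; it assumes the tpmadm backup archive has already been copied to the target system at a path you pass in (the guide fixes no location), that tpmlist and tpmadm exit non-zero on failure, and that the /etc/opt/tcs/passwd check is a reasonable proxy for the privilege the guide describes.

```shell
#!/bin/sh
# Added example (not from the HP-UX TCS guide): guarded wrapper around
# the "Restoring or Migrating the TPM" procedure.
# Assumptions: the tpmadm backup archive was copied to the path given as
# $1; tpmlist/tpmadm return non-zero on failure (assumed, not documented here).

PASSWD_FILE=/etc/opt/tcs/passwd

# Preconditions for the restore. Returns 0 when it is safe to continue,
# 1 otherwise, with the reason on stderr.
tcs_restore_preflight() {
    archive=$1
    # Prerequisite from the guide: a TPM key archive produced by tpmadm backup.
    if [ -z "$archive" ] || [ ! -r "$archive" ]; then
        echo "TPM key archive '$archive' is missing or unreadable" >&2
        return 1
    fi
    # tpmadm takeownership/changepwd must be able to write the TCS passwd
    # file; on most systems that means superuser. Skip when the file is absent
    # (TCS not yet installed on this host).
    if [ -e "$PASSWD_FILE" ] && [ ! -w "$PASSWD_FILE" ]; then
        echo "cannot write $PASSWD_FILE; rerun as superuser" >&2
        return 1
    fi
    return 0
}

# Steps 3 to 5 of the procedure, stopping at the first failure so a
# half-restored TPM is never left behind silently.
tcs_restore() {
    archive=$1
    tcs_restore_preflight "$archive" || return 1
    # Step 3: ownership must already be taken (swconfig -x
    # mount_all_filesystems=false tcs does this on an installed system).
    tpmlist status || {
        echo "TPM ownership not taken; run swconfig first" >&2
        return 1
    }
    # Step 4: restore (or migrate) the backed-up RK under the new SRK.
    tpmadm restore || {
        echo "tpmadm restore failed" >&2
        return 1
    }
    # Step 5: confirm the restored key hierarchy is visible.
    tpmlist keys
}
```

Run as `sh tcs_restore.sh` after sourcing it, e.g. `tcs_restore /path/to/tpm-archive` (constructed path), then restore application keys and certificates by hand as step 6 requires.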
34 Basic TCS Administration