HP-UX Trusted Computing Services A.02.00 Administrator's Guide
4. Use the tpmcreate -w command to protect the private key with the TPM. In most cases,
you can use the following syntax:
tpmcreate [-k key_size] -w input_file output_file
The input_file must contain an RSA key pair in PEM format.
The -k key_size option specifies the input private key size. You do not have to specify
this option if the private key is 2048 bits.
The private key is encrypted by the TCS Roaming Key (RK). To specify a passphrase, use
the -a option. Specify the secret for the passphrase as described in “Specifying Secret
Passphrases” (page 32).
In the following example, the file myServerkey.pem contains an RSA key pair in PEM
format and the user creates the TPM-protected key blob myServerKeyblob:
# tpmcreate -w myServerkey.pem myServerKeyblob
HP recommends that you delete the original, unprotected RSA key file after you create the
file with the TPM-protected key pair.
Step 2: Determining the TPM OpenSSL Engine File for an Application
The TPM OpenSSL engine library file you load for a binary application is determined by the
OpenSSL version and the compiler data model (32 bit or 64 bit). Table 5-1 lists the TPM OpenSSL
engine files.
Table 5-1 TPM OpenSSL Engine Files
Data Model   OpenSSL Version   Library File
32-bit       0.9.7             /usr/lib/hpux32/engines/libtpm.so.0
32-bit       0.9.8             /usr/lib/hpux32/engines/libtpm.so.1
64-bit       0.9.7             /usr/lib/hpux64/engines/libtpm.so.0
64-bit       0.9.8             /usr/lib/hpux64/engines/libtpm.so.1
Determining the OpenSSL Version of an Application
If you do not know the OpenSSL version used by a binary application, you can use the what
utility to see if the binary includes an OpenSSL version string. For example:
# what /usr/sbin/stunnel
/opt/iexpress/sbin/stunnel:
$Stunnel A.10.00-4.20.001 $
$OpenSSL A.00.09.07m.001 $
$OpenSSL A.00.09.07m.001 $
In this example, stunnel uses OpenSSL version A.00.09.07m.001, a release of OpenSSL version
0.9.7.
You can also use the elfdump utility to see if the binary uses the shared library version of the
OpenSSL libcrypto file, which provides the OpenSSL engine functions. If it does, you can use
the reported version number to determine the OpenSSL version number. For example:
# elfdump -L /usr/sbin/sshd | grep libcrypto
2 Needed libcrypto.so.0
The libcrypto library version numbers correspond to the OpenSSL versions as follows:
libcrypto.so.0 OpenSSL 0.9.7 (use the appropriate libtpm.so.0 library)
libcrypto.so.1 OpenSSL 0.9.8 (use the appropriate libtpm.so.1 library)
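The two lookups described above (the OpenSSL release from a what or elfdump string, then the Table 5-1 engine path) as an added POSIX shell example; this is not part of the HP guide. The what and elfdump output is constructed from the examples on this page, and the data model (32 or 64) is assumed to be already known from how the application was built.

```sh
#!/bin/sh
# Added example, not from the HP-UX TCS guide: derive the TPM OpenSSL engine
# library (Table 5-1) from an application's OpenSSL release and data model.
# The what/elfdump output below is constructed from this page's examples so
# the script runs without an HP-UX host; the data model is passed in.

# HP-UX product string A.00.09.07m.001 -> upstream release 0.9.7
# (fields 2-4, leading zeros and letter suffix dropped); first match wins.
openssl_version_from_what() {
    printf '%s\n' "$1" | sed -n \
      's/^.*\$OpenSSL A\.0*\([0-9][0-9]*\)\.0*\([0-9][0-9]*\)\.0*\([0-9][0-9]*\)[a-z]*\.[0-9]* \$.*$/\1.\2.\3/p' |
      head -n 1
}

# libcrypto soname from "elfdump -L" -> release, per the mapping on this page.
openssl_version_from_libcrypto() {
    case "$1" in
        *libcrypto.so.0*) echo 0.9.7 ;;
        *libcrypto.so.1*) echo 0.9.8 ;;
        *) return 1 ;;      # unknown soname: do not guess an engine file
    esac
}

# Table 5-1: data model (32|64) + release -> engine library path.
tpm_engine_path() {
    case "$1" in 32|64) ;; *) return 1 ;; esac
    case "$2" in
        0.9.7) _suffix=0 ;;
        0.9.8) _suffix=1 ;;
        *) return 1 ;;      # release not covered by Table 5-1
    esac
    echo "/usr/lib/hpux$1/engines/libtpm.so.$_suffix"
}

# Constructed sample output, copied from the examples on this page.
WHAT_OUT='/opt/iexpress/sbin/stunnel:
        $Stunnel A.10.00-4.20.001 $
        $OpenSSL A.00.09.07m.001 $
        $OpenSSL A.00.09.07m.001 $'
ELFDUMP_OUT='2 Needed libcrypto.so.0'

ver=$(openssl_version_from_what "$WHAT_OUT")           # 0.9.7
# Cross-check the two sources before trusting either one.
[ "$ver" = "$(openssl_version_from_libcrypto "$ELFDUMP_OUT")" ] || echo "sources disagree" >&2
tpm_engine_path 32 "$ver"   # prints /usr/lib/hpux32/engines/libtpm.so.0
```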
44 Using TCS RSA Keys with OpenSSL