HP-UX Trusted Computing Services A.02.00 Administrator's Guide

myClient> /opt/openssl/0.9.8/bin/openssl req -new -keyform engine \
-engine tpm -key myClientKeyblob -md5 -out myClient_csr.pem \
-outform PEM
When prompted for the CN, specify the FQDN for myClient (myClient.hp.com).
On myServer, create a TCS RSA key pair (myServerKeyblob) and a certificate request
(myServer_csr.pem):
myServer> tpmcreate myServerKeyblob
myServer> /opt/openssl/0.9.8/bin/openssl req -new -keyform engine -engine tpm \
-key myServerKeyblob -md5 -out myServer_csr.pem -outform PEM
When prompted for the CN, specify the FQDN for myServer (myServer.hp.com).
Submit the certificate requests to the CA. The CA uses the following commands to create
and sign the certificates. Note that the CA does not use the TPM engine, so no special options
are required to process the certificate requests.
# openssl ca -out myClient.cert -infiles myClient_csr.pem
# openssl ca -out myServer.cert -infiles myServer_csr.pem
Determining the TPM OpenSSL Engine Library
The what string for stunnel shows that it uses OpenSSL version A.00.09.07m.001 (0.9.7). The
file command shows that it was compiled using a 32-bit data model. According to Table 5-1
(page 44), the correct engine library is /opt/tcs/lib/hpux32/engines/libtpm.so.0.
Stunnel Configuration File
The Stunnel configuration files for myClient and myServer are listed in “Stunnel Configuration
File on myClient for telnet” (page 46) and “Stunnel Configuration File on myServer for
telnet” (page 47). Port 6602 is an arbitrarily selected port number that was previously unused.
On the client, Stunnel is configured to forward local packets for port 6602 to port 6602 on the
server, which is also a Stunnel endpoint. On the server, Stunnel is configured to redirect remote
packets received on port 6602 to the local telnetd daemon (port 23).
Stunnel TPM Key Information
The client Stunnel configuration file contains the following statements to specify the location of
the TPM-protected key file and the local system certificate that uses the TPM-protected private
key. The syntax is the same for an installation without TCS.
# This client's certificate and private key.
cert = /opt/iexpress/stunnel/etc/myClient.cert
key = /opt/iexpress/stunnel/etc/myClientKeyblob
The Stunnel configuration on the server contains similar statements.
Stunnel TPM Engine Information
The client and server Stunnel configuration files include the following new statements to load
the dynamic engine, then load the TPM engine from the specified TCS library and initialize
it:
engine=dynamic
engineCtrl=SO_PATH:/opt/tcs/lib/hpux32/engines/libtpm.so.0
engineCtrl=ID:tpm
engineCtrl=LOAD
engineCtrl=INIT
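The following pair of Stunnel configuration files puts the port-forwarding, key, certificate and engine statements described above together in one place. It is an added, constructed example and not the guide's own listings from pages 46 and 47; the verify, CAfile and 127.0.0.1 bind settings are assumptions that the guide does not show, and /opt/iexpress/stunnel/etc/ca.cert is a placeholder path for the signing CA's certificate.

```ini
; --- myClient: /opt/iexpress/stunnel/etc/stunnel.conf (constructed example) ---
; Load the dynamic engine, then the TPM engine from the 32-bit TCS library
; (this stunnel build uses a 32-bit OpenSSL 0.9.7, hence hpux32/libtpm.so.0).
engine = dynamic
engineCtrl = SO_PATH:/opt/tcs/lib/hpux32/engines/libtpm.so.0
engineCtrl = ID:tpm
engineCtrl = LOAD
engineCtrl = INIT

; This client's certificate and TPM-protected private key. The key file is the
; keyblob written by tpmcreate; the engine unwraps it inside the TPM, so the
; plaintext RSA key never exists on disk.
cert = /opt/iexpress/stunnel/etc/myClient.cert
key  = /opt/iexpress/stunnel/etc/myClientKeyblob

; Client mode: accept plaintext locally and open a TLS connection to the server.
client = yes

; Assumed, not shown in the guide: verify the server certificate against the CA
; that signed myServer.cert so the tunnel cannot be terminated by an untrusted host.
verify = 2
CAfile = /opt/iexpress/stunnel/etc/ca.cert

[telnet]
; Assumed: bind only to the loopback interface so only local processes use the tunnel.
accept  = 127.0.0.1:6602
connect = myServer.hp.com:6602

; --- myServer: /opt/iexpress/stunnel/etc/stunnel.conf (constructed example) ---
engine = dynamic
engineCtrl = SO_PATH:/opt/tcs/lib/hpux32/engines/libtpm.so.0
engineCtrl = ID:tpm
engineCtrl = LOAD
engineCtrl = INIT

; This server's certificate and TPM-protected private key (keyblob from tpmcreate).
cert = /opt/iexpress/stunnel/etc/myServer.cert
key  = /opt/iexpress/stunnel/etc/myServerKeyblob

; Assumed: require and verify the client certificate (mutual TLS), so only hosts
; holding a CA-signed, TPM-bound key can reach telnetd through the tunnel.
verify = 2
CAfile = /opt/iexpress/stunnel/etc/ca.cert

[telnet]
; Accept TLS from clients on 6602 and hand the decrypted stream to the local telnetd.
accept  = 6602
connect = 127.0.0.1:23
```

With both daemons running, a session started on the client with `telnet localhost 6602` is carried over TLS to myServer.hp.com:6602 and delivered to telnetd on port 23 there; the engine statements are identical on both sides because both binaries were built against the same 32-bit OpenSSL 0.9.7.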
Stunnel Configuration File on myClient for telnet
The Stunnel configuration file on myClient is as follows. Changes made for TPM and certificates
are shown in bold. The file /opt/iexpress/stunnel/etc/myClientKeyblob contains the
key pair created using tpmcreate.
46 Using TCS RSA Keys with OpenSSL