HP-UX Trusted Computing Services A.02.00 Administrator's Guide

CApath = /opt/openssl/certs
CAfile = /opt/openssl/certs/cacert.pem
# This client's certificate and private key.
cert = /opt/iexpress/stunnel/etc/myServer.cert
key = /opt/iexpress/stunnel/etc/myServerKeyblob
# Debug parameters
debug = 7
output = /opt/iexpress/stunnel/etc/stunnel.log
# Run in the foreground (no: run as a daemon)
foreground = no
# Load the built-in engine 'dynamic'
# and give it the path to the 0.9.7 TPM engine
engine=dynamic
engineCtrl=SO_PATH:/opt/tcs/lib/hpux32/engines/libtpm.so.0
# Identify the engine as 'tpm' and load and initialize it
engineCtrl=ID:tpm
engineCtrl=LOAD
engineCtrl=INIT
# Service-level configuration
[telnet-in]
# Use in server mode
client = no
accept = myServer.hp.com:6602
connect = localhost:23
engineNum = 1
Distributing and Installing Stunnel X.509 Certificates
In this example, each peer's certificate is stored in a separate file under the /opt/openssl/certs directory, and each certificate file name must be based on a hash value derived from the certificate. The administrator uses the /opt/openssl/0.9.7/misc/c_hash utility to determine the hash value, and then installs the certificate file using the hash value as the file name:
myClient> /opt/openssl/0.9.7/misc/c_hash myServer.cert
f1d183e1.0 => myServer.cert
myClient> mv myServer.cert /opt/openssl/certs/f1d183e1.0
The administrator distributes the myClient.cert file to myServer and repeats the procedure.
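The hash-named installation step above, written out as an added POSIX shell example (not code from the HP-UX guide): it names the certificate by its OpenSSL subject hash under CApath with the ".N" suffix OpenSSL tries in order, skips a suffix that is already taken rather than overwriting it, and checks that OpenSSL can find the file afterwards. The function names and the /opt/openssl/certs default are assumptions; the verify step assumes the peer certificate is self-signed or that its issuer is also installed under CApath.

```shell
#!/bin/sh
# Added example (not from the HP-UX guide): install a peer certificate under
# CApath using the hash-based file name OpenSSL's lookup expects, as the
# c_hash step does. Function names and the default directory are assumptions.

# Lowest unused "<hash>.<n>" name in the directory. OpenSSL tries .0, .1, ...
# in turn, so a second certificate with the same subject hash must not
# overwrite the first one.
next_free_name() {
    dir=$1; hash=$2; n=0
    while [ -e "$dir/$hash.$n" ]; do
        n=$((n + 1))
    done
    printf '%s.%d\n' "$hash" "$n"
}

# Hash of the certificate's subject name (this is what c_hash hashes, not the
# whole file). OpenSSL 0.9.7, which the stunnel on this page links against,
# uses the old hash algorithm; OpenSSL 1.0 and later exposes that value as
# -subject_hash_old and computes a different value for -hash/-subject_hash.
# Use the scheme matching the OpenSSL that stunnel itself is linked with.
cert_hash() {
    openssl x509 -noout -subject_hash_old -in "$1" 2>/dev/null ||
        openssl x509 -noout -hash -in "$1"
}

# Copy the certificate into CApath under its hashed name, then confirm that
# OpenSSL can actually find it there by verifying the certificate against it
# (assumes a self-signed peer certificate, or an issuer also in CApath).
install_peer_cert() {
    cert=$1; capath=${2:-/opt/openssl/certs}      # default is an assumption
    hash=$(cert_hash "$cert") || { echo "not a PEM certificate: $cert" >&2; return 1; }
    name=$(next_free_name "$capath" "$hash")
    cp "$cert" "$capath/$name" || return 1
    chmod 0644 "$capath/$name"   # readable by stunnel, writable only by root
    openssl verify -CApath "$capath" "$cert" >/dev/null || {
        echo "lookup of $name failed; check the hash scheme" >&2; return 1; }
    echo "$name => $cert"
}

# Usage: install_peer_cert myServer.cert [/opt/openssl/certs]
```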
Testing the Configuration
To test the configuration, the administrator starts stunnel on each system with the modified configuration file. On myClient, the administrator enters the command telnet 127.0.0.1 6602. A Stunnel connection is established with myServer for the telnet session, and telnet displays the system prompt for myServer.
Stunnel and Mail Example
In this example, TPM is used to protect Stunnel keys on a mail client (myClient) and the mail server (myServer).
On the client, the mail application is configured to connect to TCP port 25 on the local host (localhost:25) for outbound SMTP mail and to read mail from TCP port 110 on the local host (localhost:110) using POP3.
On the mail server, no modifications are needed for the mail or POP3 server.
Creating and Distributing TPM-Protected Certificates
The procedures for creating and distributing the certificates are the same as the procedures in “Stunnel and telnet Example” (page 45).
48 Using TCS RSA Keys with OpenSSL