HP-UX Trusted Computing Services A.02.00 Administrator's Guide

RK. The tpmcreate utility can also save a copy of the public key in SSH format or extract and
save a copy of a public key from a previously created key blob.
TPM OpenSSL Engine Libraries
The sshd daemon included with HP-UX Secure Shell versions A.05.00.029 and later is enabled
to load a TPM OpenSSL engine at runtime. The TPM OpenSSL engine provides an interface to
the TSPI library, which performs the RSA private-key operations (the host-key signatures) using
the TPM, so the private half of the host key is never exposed in cleartext outside the TPM.
The specific TPM OpenSSL engine library required for sshd is determined by the version of the
OpenSSL libcrypto library and compiler data model used by sshd, as described in “Step 2:
Determining the TPM OpenSSL Engine Library for SSH” (page 57).
Requirements
The sshd daemon must be HP-UX Secure Shell version A.05.00.029 or later. There are no
requirements for SSH clients: the host key they see is an ordinary RSA key, and the TPM-backed
signing is transparent to them.
Configuring SSH Servers to Use TCS Keys
To configure SSH servers to use TCS keys, follow these steps:
1. Use the tpmcreate utility to create a TCS RSA key pair. This step is described in “Step 1:
Creating a TCS RSA Key Pair for SSH” (page 56).
2. Determine the appropriate TPM OpenSSL engine library file for your sshd daemon. This
step is described in “Step 2: Determining the TPM OpenSSL Engine Library for SSH”
(page 57).
3. Modify the sshd configuration file to use the TPM-protected RSA private key and to read
engine information from an OpenSSL configuration file. The main information you configure
in the sshd configuration file is the location of the TPM-protected key pair and the location
of the OpenSSL configuration file. This step is described in “Step 3: Modifying the sshd
Configuration File” (page 57).
4. Install and modify an OpenSSL configuration file for the sshd daemon. The main information
you configure in the OpenSSL configuration file is the location of the TPM OpenSSL engine
library. This step is described in “Step 4: Installing and Modifying the OpenSSL Configuration
File” (page 58).
5. Distribute and install the SSH server public key (host key) on client nodes if required by
your SSH management policy. This step is described in “Step 5: Distributing and Installing the
SSH Server Public Key” (page 59).
6. Reset the sshd daemon to force it to use the new configuration file. This step is described
in “Step 6: Resetting the sshd Daemon” (page 59).
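What step 5 actually hands to client nodes is the ssh-rsa public key line that tpmcreate can save in SSH format; the TPM-wrapped private key stays on the server. The Python below is an added example, not code from this guide or from HP-UX Secure Shell: it encodes and parses the ssh-rsa wire format (RFC 4251 string and mpint fields), computes the OpenSSH-style SHA256 fingerprint an administrator compares out of band, and checks that a client's known_hosts entry pins exactly the expected key. The host name tcs-host.example.com, the comment, and the sample modulus are constructed placeholders (the modulus is not a real RSA key).

```python
"""Parse, fingerprint and pin an ssh-rsa host public key line.

Added example; not code from the HP-UX TCS guide or from HP-UX Secure Shell.
The sample key below is constructed: SAMPLE_N is a placeholder, not a real
RSA modulus, and only exercises the wire encoding.
"""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint' for a non-negative integer: minimal big-endian bytes,
    with a leading 0x00 when the top bit is set so the value stays positive."""
    if value == 0:
        return struct.pack(">I", 0)
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def _read_ssh_string(buf: bytes, off: int):
    """Read one length-prefixed field, refusing to run past the blob."""
    if off + 4 > len(buf):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + length > len(buf):
        raise ValueError("truncated key blob")
    return buf[off:off + length], off + length


def encode_ssh_rsa(e: int, n: int, comment: str = "") -> str:
    """Build an ssh-rsa public key line as found in a *.pub file."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")


def parse_ssh_rsa(line: str):
    """Return (e, n, comment) from an ssh-rsa line; reject malformed input."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(fields[1], validate=True)
    key_type, off = _read_ssh_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key type inside the blob disagrees with the prefix")
    e_bytes, off = _read_ssh_string(blob, off)
    n_bytes, off = _read_ssh_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after the modulus")
    comment = " ".join(fields[2:])
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big"), comment


def fingerprint_sha256(line: str) -> str:
    """OpenSSH-style fingerprint: SHA-256 of the raw blob, base64 without '='."""
    blob = base64.b64decode(line.split()[1], validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def known_hosts_line(host: str, line: str) -> str:
    """Entry to install in a client's known_hosts (the comment is dropped)."""
    key_type, b64 = line.split()[:2]
    return f"{host} {key_type} {b64}"


def host_key_pinned(known_hosts_text: str, host: str, expected_line: str) -> bool:
    """True only if known_hosts pins exactly the expected key type and blob for host."""
    expected = expected_line.split()[:2]
    for raw in known_hosts_text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        parts = raw.split()
        if len(parts) < 3:
            continue
        if host in parts[0].split(",") and parts[1:3] == expected:
            return True
    return False


# Constructed sample: e = 65537 and a 1024-bit placeholder modulus with the
# top bit set, which forces the 0x00 pad byte in the mpint encoding.
SAMPLE_E = 65537
SAMPLE_N = (1 << 1023) | 0x10001
SAMPLE_LINE = encode_ssh_rsa(SAMPLE_E, SAMPLE_N, "sshd@tcs-host")

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print(fingerprint_sha256(SAMPLE_LINE))
    print(known_hosts_line("tcs-host.example.com", SAMPLE_LINE))
```

Record the fingerprint on the server when the key is created and compare it with what a client reports on first connection; if a client's known_hosts already holds a different key for the host, host_key_pinned() returns False and the stale entry should be replaced deliberately rather than accepted on prompt.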
Sample Configuration Files
TCS includes the following sample configuration files to help you configure SSH to use TCS:
/etc/opt/tcs/sshd_config.sample
This is a sample sshd configuration file with information needed to use the TPM OpenSSL
engine.
/etc/opt/tcs/openssl.cnf
This is a sample OpenSSL configuration file with TPM OpenSSL library information.
Step 1: Creating a TCS RSA Key Pair for SSH
To create a TCS RSA key pair for the SSH server, use the tpmcreate utility. In most cases, you
can use the following syntax:
tpmcreate -s output_file
56 Using TCS RSA Keys with HP-UX Secure Shell