HP-UX Trusted Computing Services A.02.00 Administrator's Guide

Using the TCS Sample OpenSSL Configuration File as a Standalone File
Copy the sample /opt/tcs/misc/engine_tpm.cnf file to the default value of the
EngineConfigFile parameter, or to an alternate location specified in the sshd configuration
file. The default value for EngineConfigFile is /opt/ssh/etc/server.cnf.
# cp /opt/tcs/misc/engine_tpm.cnf /opt/ssh/etc/server_info_for_tpm.cnf
Modifying the TCS Sample OpenSSL Configuration File
HP recommends that you use the sample OpenSSL configuration file as it is, without modifying
it. However, there are two entries you might need to change:
• The value for dynamic_path. This specifies the location of the TPM OpenSSL engine library.
The default value is /opt/tcs/lib/hpux64/engines/libtpm.so.0. You must change
this if the sshd on your system requires a different library, as described in “Step 2:
Determining the TPM OpenSSL Engine Library for SSH” (page 57).
• The name of the section that contains the engine directives, as specified by the
EngineConfigSection in the sshd configuration file. The default value for the section
name is server_conf, which is also the default value for EngineConfigSection.
Merging the TCS Sample OpenSSL Configuration File with an Existing File
To merge the sample OpenSSL configuration file with an existing OpenSSL configuration file,
follow these steps:
1. Copy the following directive to the global section of the OpenSSL configuration file:
server_conf = tpm_def
The global section of the OpenSSL configuration file is at the beginning of the file, before
any named sections. Named sections are specified by the section name in square brackets.
The first named section of an OpenSSL configuration file is typically [ new_oids ] or
[ ca ].
2. Copy the remaining entries in the sample OpenSSL configuration file to any area below the
global section, such as the end of the OpenSSL configuration file.
3. Modify entries from the sample OpenSSL configuration file, if needed. See “Modifying the
TCS Sample OpenSSL Configuration File” (page 59).
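As an added example that is not part of the guide, the following POSIX shell script carries out steps 1 and 2 of the merge on constructed stand-ins for the existing OpenSSL configuration file and the sample file, then checks that the directive landed in the global section; the dynamic_path value is the guide's default, everything else in the stand-in files is assumed.

```shell
#!/bin/sh
# Added example, not from the HP-UX TCS guide: merge the TCS sample OpenSSL
# engine configuration into an existing OpenSSL configuration file.
# Both files below are constructed stand-ins; the [ tpm_def ] keys are assumed.

tmp=$(mktemp -d)
# Constructed stand-in for an existing OpenSSL configuration file.
cat > "$tmp/server.cnf" <<'EOF'
# existing global section
oid_section = new_oids

[ new_oids ]
tsa_policy1 = 1.2.3.4.1

[ ca ]
default_ca = CA_default
EOF

# Constructed stand-in for the sample file: global directive, then its section.
cat > "$tmp/engine_tpm.cnf" <<'EOF'
server_conf = tpm_def

[ tpm_def ]
dynamic_path = /opt/tcs/lib/hpux64/engines/libtpm.so.0
EOF

# merge_tpm_cnf EXISTING SAMPLE OUT
#   Step 1: the sample's global directives are inserted just above EXISTING's
#           first named section, so they remain in the global section.
#   Step 2: the sample's named sections are appended at the end of OUT.
merge_tpm_cnf() {
    global=$(awk '/^[ \t]*\[/ { exit } /^[ \t]*#/ { next } /^[ \t]*$/ { next } { print }' "$2")
    sections=$(awk 'f || /^[ \t]*\[/ { f = 1; print }' "$2")
    awk -v g="$global" '
        !done && /^[ \t]*\[/ { print g; print ""; done = 1 }
        { print }
        END { if (!done) print g }' "$1" > "$3"
    printf '\n%s\n' "$sections" >> "$3"
}

# check_merge OUT: succeed only if "server_conf = tpm_def" precedes the first
# named section and a [ tpm_def ] section is present.
check_merge() {
    awk '
        /^[ \t]*\[/ { in_named = 1 }
        !in_named && /^[ \t]*server_conf[ \t]*=[ \t]*tpm_def[ \t]*$/ { ok1 = 1 }
        /^[ \t]*\[[ \t]*tpm_def[ \t]*\]/ { ok2 = 1 }
        END { exit !(ok1 && ok2) }' "$1"
}

merge_tpm_cnf "$tmp/server.cnf" "$tmp/engine_tpm.cnf" "$tmp/merged.cnf"
check_merge "$tmp/merged.cnf" && echo "merged.cnf: engine directive placement OK"
```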
Step 5: Distributing and Installing the SSH Server Public Key
If a client has the StrictHostKeyChecking directive set to yes, you must add the server's
public key file (output_file.pub) created in “Step 1: Creating a TCS RSA Key Pair for SSH”
(page 56) to the client, as described in the HP-UX Secure Shell documentation.
If a client has the StrictHostKeyChecking directive set to ask and the client already has a
public key installed for the server in the user known hosts file, the user receives a warning
message when they attempt to establish an SSH session, and the SSH session fails. The message
starts with the text WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED and includes
instructions on how to fix this problem.
Step 6: Resetting the sshd Daemon
Force sshd to read the new modified configuration file. One method to do this is by stopping
and restarting the sshd daemon. For example:
# /sbin/init.d/secsh stop; /sbin/init.d/secsh start
Examples
This section contains configuration examples for using SSH with TCS.
Step 5: Distributing and Installing the SSH Server Public Key 59