HP-UX Trusted Computing Services A.02.00 Administrator's Guide

Note the following evfs.conf characteristics:
• Changes saved to the evfs.conf file are effective immediately. The evfs.conf file is read each time an EVFS daemon or EVFS utility (evfspkey, evfsvol, evfsadm) starts.
• Statements in evfs.conf files cannot cross line boundaries and cannot contain line continuation characters.
• The parser recognizes spaces as delimiters between multiple library[onfail:action] terms, and an [onfail:action] qualifier applies to the library path immediately before it. Do not insert spaces within a library[onfail:action] term; a space before the opening bracket turns the qualifier into a separate, invalid term.
• Specifying the [onfail:action] qualifier is optional. If you do not specify it and key access through that library fails, EVFS stops processing and returns an error instead of trying the next library.
The following is an example of a pbe statement that configures EVFS to first attempt to use TCS to encrypt and decrypt private keys. If that fails, the onfail:continue qualifier on the TCS library lets EVFS fall through to its default PBE library, which is listed second. The statement is a single line in evfs.conf:
pbe = /opt/tcs/lib/libevfs_tcspbe.so.1[onfail:continue] /usr/lib/evfs/hpux64/libevfs_pbe.so
2. If any EVFS volume is configured to be automatically enabled at boot time (that is, if any /etc/evfs/evfstab entry contains the boot_local keyword), you must configure TCS to be enabled early in the boot cycle, before EVFS tries to open those volumes. To do this, edit the following file:
/etc/rc.config.d/tcsconf
Set the TCS_EVFSENABLED variable to 1, as shown in the following entry:
TCS_EVFSENABLED=1
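The parsing rules above are easy to violate with a stray space or a wrapped line, and EVFS only reports the problem the next time a daemon or utility starts. The following POSIX sh function is an added example, not part of this guide or of the TCS or EVFS software: it checks a pbe statement against the rules stated in this section and prints the order in which the listed libraries will be tried. The sample statements at the bottom are constructed; the only onfail action checked by name is continue, the one this guide documents, and the script assumes any other non-empty action word is passed through unchanged.

```shell
#!/bin/sh
# Added example (not HP's code): validate an evfs.conf pbe statement
# against the parsing rules described in this section and show the
# library order EVFS will follow.
#
# Output: one line per library, "N path continue|stop". "continue"
# means a failure in that library falls through to the next one;
# "stop" means there is no onfail qualifier, so EVFS stops and
# returns an error. Exit status 1 on any syntax error.

check_pbe_statement() {
    line=$1
    # Statements cannot span lines, so a continuation character is an error.
    case $line in
        *\\) echo "error: line continuation not allowed in evfs.conf" >&2; return 1 ;;
    esac
    rhs=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*pbe[[:space:]]*=[[:space:]]*//')
    if [ "$rhs" = "$line" ] || [ -z "$rhs" ]; then
        echo "error: not a pbe statement: $line" >&2; return 1
    fi
    rc=0
    n=0
    set -- $rhs            # spaces delimit library[onfail:action] terms
    total=$#
    for term in "$@"; do
        n=$((n + 1))
        case $term in
            *\[onfail:*\])     # library followed by an onfail qualifier
                path=${term%%\[*}
                action=${term#*\[onfail:}
                action=${action%\]}
                ;;
            *\[*|*\]*)         # a bracket in any other shape is malformed
                echo "error: malformed qualifier in term $n: $term" >&2
                rc=1; continue ;;
            *)                 # no qualifier: a failure here is fatal
                path=$term
                action=stop ;;
        esac
        # A space inside a term leaves the qualifier with no library in
        # front of it: "[onfail:...]" arrives as a term of its own.
        if [ -z "$path" ]; then
            echo "error: term $n has a qualifier but no library: $term" >&2
            rc=1; continue
        fi
        case $path in
            /*) ;;
            *)  echo "error: term $n is not an absolute path: $path" >&2
                rc=1; continue ;;
        esac
        if [ -z "$action" ]; then
            echo "error: term $n has an empty onfail action" >&2
            rc=1; continue
        fi
        if [ "$action" = continue ] && [ "$n" -eq "$total" ]; then
            echo "warning: onfail:continue on the last library has nothing to continue to" >&2
        fi
        echo "$n $path $action"
    done
    return $rc
}

# Constructed sample statements: the first follows the rules, the second
# has a space before the qualifier, the third wraps onto a second line.
good='pbe = /opt/tcs/lib/libevfs_tcspbe.so.1[onfail:continue] /usr/lib/evfs/hpux64/libevfs_pbe.so'
bad_space='pbe = /opt/tcs/lib/libevfs_tcspbe.so.1 [onfail:continue] /usr/lib/evfs/hpux64/libevfs_pbe.so'
bad_wrap='pbe = /opt/tcs/lib/libevfs_tcspbe.so.1[onfail:continue] \'
check_pbe_statement "$good"
check_pbe_statement "$bad_space" || echo "rejected: space inside a term"
check_pbe_statement "$bad_wrap"  || echo "rejected: line continuation"
```

Run the function over the pbe line before saving evfs.conf; because the file is re-read on every daemon or utility start, a malformed statement that is saved takes effect immediately.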
Backing Up and Migrating Keys
Key backup is a two-step process for EVFS keys, and both steps are needed: the encrypted private keys are useless without the TPM keys that wrap them, and vice versa.
1. Back up the encrypted EVFS private keys. By default, these keys are stored in the /etc/evfs/pkey directory. Back up (and restore) these files using traditional file-based utilities.
2. Back up and restore the TPM key hierarchy using the tpmadm command. For more information see “Creating and Restoring TPM Key Backup Files” (page 31).
NOTE: Migration of EVFS TPM keys follows the same general procedure as a backup, followed by a restore, on the target machine. However, if you are using EVFS passphrase files, you must also create new passphrase files on the target system. To do this, you must know the value of the passphrases on the source system. This issue is not specific to TCS. For more information, see the HP-UX Encrypted Volumes and File Systems (EVFS) documentation available at http://docs.hp.com/en/internet.html#Encrypted%20Volume%20and%20File%20System%20%28EVFS%29
Configuring EVFS with TCS for Serviceguard Clusters
The procedure to configure EVFS with TCS for Serviceguard clusters varies slightly from the
general procedure described in “Configuring Applications Protected by TCS on Serviceguard
Clusters” (page 70) because Serviceguard can enable EVFS volumes. To configure TCS key
protection on cluster-defined EVFS volumes, follow these steps:
1. Install TCS on all nodes in the cluster, as described in Chapter 2 (page 19).
2. Verify that the file used for TCS system persistent storage is not located on a shared volume.
Each node must have its own copy of the TCS system persistent storage file. The default
path for this file is /etc/opt/tcs/system.data.
If the /etc/opt/tcs/system.data file resides on a shared volume in your cluster, change
the path for the TCS system persistent storage file as follows:
64 Protecting EVFS Keys with TCS