HP-UX Trusted Computing Services A.02.00 Administrator's Guide

a. Open the /etc/opt/tcs/tcsd.conf file for editing.
b. Set the value of the system_ps_file option to the new file pathname. The file cannot
reside on a shared volume.
c. Save your changes and close the /etc/opt/tcs/tcsd.conf file.
d. Stop tcsd by entering the following command:
/sbin/init.d/tcs stop
e. Restart tcsd by entering the following command:
/sbin/init.d/tcs start
f. Copy the modified /etc/opt/tcs/tcsd.conf file to the other cluster nodes and
repeat steps d and e on all cluster nodes.
3. (Optional) EVFS volumes enabled using Serviceguard do not require you to set
TCS_EVFSENABLED=1 in the /etc/rc.config.d/tcsconf file (Serviceguard enables
these volumes late in the boot process). If Serviceguard will enable all EVFS volumes (the
/etc/fstab file will contain no entries for EVFS volumes), you can reset the
TCS_EVFSENABLED option to 0.
4. Select one node, such as the primary node, to be the configuration node. You will create
most of the configuration data on this node and propagate the data to the remaining nodes.
5. On the configuration node, configure EVFS to use TCS if you have not already done so. For
instructions, see “Configuring EVFS to Use TCS” (page 62).
6. On the configuration node, create user keys for EVFS and create the EVFS volumes that will
be used in the Serviceguard package. This procedure is described in the Encrypted Volume
and File System Administrator's Guide.
7. Create a TPM key archive file using the tpmadm backup command.
For example:
# tpmadm backup filename=/tmp/tpmKeyArchive
The tpmadm utility prompts you for the TPM password if it cannot get the password from
the TPM password file (/etc/opt/tcs/passwd) or the TPM_PASSWD environment variable.
It also prompts you for a secret to protect the TPM key archive file if the TCS_PASS
environment variable is not set.
NOTE: Make a note of the secret; you will need it to restore the TPM key archive file.
8. Copy the TPM key archive file to the other cluster nodes.
9. On the other cluster nodes, use the tpmadm restore command to install the RK from the
configuration node. The tpmadm utility backs up and removes the RK and keys currently
in system persistent storage. It then encrypts the RK from the imported file with the SRK
on the local TPM and registers the descendent keys with the local TPM.
For example:
tpmadm restore filename=/tmp/tpmKeyArchive
The tpmadm utility prompts you for the local TPM password if it cannot get the password
from the TPM password file (/etc/opt/tcs/passwd) or the TPM_PASSWD environment
variable. It also prompts you for the secret used to protect the TPM key archive file when it
was created if the TCS_PASS environment variable is not set.
Following this step, all nodes in the cluster have the same value for the RK, but each copy
is encrypted with the local SRK.
10. On the configuration node, configure EVFS for use with Serviceguard. This includes
configuring EVFS user keys and EVFS volumes, configuring the EVFS volumes in Serviceguard
packages, and propagating the EVFS and Serviceguard configuration files throughout the
cluster. As part of this procedure, you also propagate the EVFS key database, including the
Configuring EVFS with TCS for Serviceguard Clusters
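
Steps 7 through 9 above as a single script, added here as an example and not taken from the HP guide. Only the tpmadm backup and restore syntax comes from the text; ssh/scp as the copy transport, the cksum transfer check, removal of the copied archive after restore, and the node names are assumptions. The script prints the commands unless RUN=1 is set.

```shell
#!/bin/sh
# Added example, not from the HP guide: steps 7-9 as one script.
# Assumptions: ssh/scp transport, cksum transfer check, removal of the copied
# archive, and the node names. Only the tpmadm syntax comes from the guide.
ARCHIVE=${ARCHIVE:-/tmp/tpmKeyArchive}

# Reject node names that could smuggle options or shell syntax into ssh/scp.
valid_node() {
    case $1 in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print each command; execute it only when RUN=1.
run() {
    echo "+ $*"
    if [ "${RUN:-0}" = 1 ]; then "$@"; fi
}

# Step 7: create the archive under a umask that keeps it owner-only.
backup_archive() {
    ( umask 077; run tpmadm backup "filename=$ARCHIVE" )
}

# Steps 8-9 for one node: copy, check the transfer, restore, remove the copy.
restore_on_node() {
    node=$1
    valid_node "$node" || { echo "bad node name: $node" >&2; return 1; }
    run scp -p "$ARCHIVE" "$node:$ARCHIVE" || return 1
    if [ "${RUN:-0}" = 1 ]; then   # cksum catches corruption, not tampering
        [ "$(cksum "$ARCHIVE")" = "$(ssh "$node" cksum "$ARCHIVE")" ] ||
            { echo "checksum mismatch on $node" >&2; return 1; }
    fi
    # -t keeps a terminal so tpmadm can prompt for the TPM password and secret.
    run ssh -t "$node" tpmadm restore "filename=$ARCHIVE" || return 1
    run ssh "$node" rm -f "$ARCHIVE"
}

distribute() {
    backup_archive || return 1
    for n in "$@"; do restore_on_node "$n" || return 1; done
}

if [ $# -gt 0 ]; then distribute "$@"; fi
```

Run it on the configuration node with the other cluster nodes as arguments. The archive on the configuration node is left in place.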