HP-UX Trusted Computing Services A.02.00 Administrator's Guide

ManualsBrandsHP ManualsSoftwareHP-UX Trusted Computing Services (TCS) Software

Configuring Applications Protected by TCS on Serviceguard Clusters

TCS does not require explicit inclusion in Serviceguard cluster or package definition scripts. If

TCS is installed on all nodes in an existing cluster with products that are or will be TCS-protected,

you do not have to modify the cluster or package definitions. For key protection in a cluster, a

portion of the TPM key hierarchy must be identical across all nodes.

Because TCS does not have to be included in Serviceguard configuration files, cluster configuration

issues such as concurrent volume activation and concurrent file system access do not affect TCS.

TCS does not place any restrictions on Serviceguard features or the products that are started or

monitored in package definition scripts.

To configure applications that use TCS in Serviceguard packages, your topology must meet the

following criteria:

• TCS must be installed on all cluster nodes.

• Each node must have its own, unique copy of the TCS system persistent storage directory.

The default path for the TCS system persistent storage directory is /etc/opt/tcs/

system.data. This file cannot exist on a shared volume. If necessary, you can modify the

tcsd configuration file to specify an alternate path for the TCS system persistent storage

directory as described in the following procedure.

• The value of the Roaming Key (RK) private key must be the same on all cluster nodes, but

each node will have its own copy of the RK private key, and each copy will be encrypted

with the node's unique System Root Key (SRK). To meet this requirement, use the tpmadm

backup and tpmadm recovery commands as described in the following procedure.

• If an application uses data or key files protected by TCS but stored outside of TCS storage,

such as OpenSSL and EVFS, you must manually propagate these files to all the nodes in the

cluster. Each application has specific guidelines for key propagation according to how and

where the keys are stored.

The general procedure for configuring TCS-protected applications for Serviceguard is described

in the following procedure and can be used without modification for most applications. The

specific procedure for configuring EVFS with TCS for Serviceguard differs slightly because EVFS

volumes can be enabled by Serviceguard; this procedure is described in “Configuring EVFS with

TCS for Serviceguard Clusters” (page 64).

1. Install TCS on all nodes in the cluster, as described in Chapter 2 (page 19).

2. Verify that the file used for TCS system persistent storage is not located on a shared volume.

Each node must have its own copy of the TCS system persistent storage file. The default

path for this file is /etc/opt/tcs/system.data.

If the /etc/opt/tcs/system.data file resides on a shared volume in your cluster, change

the path for the TCS system persistent storage file as follows:

a. Open the /etc/opt/tcs/tcsd.conf file for editing.

b. Set the value of the system_ps_file option to the new file pathname. The file cannot

reside on a shared volume.

c. Save your changes and close the /etc/opt/tcs/tcsd.conf file.

d. Stop tcsd by entering the following command:

/sbin/init.d/tcs stop.

e. Restart tcsd by entering the following command:

/sbin/init.d/tcs start

f. Copy the modified /etc/opt/tcs/tcsd.conf file to the other cluster nodes and

repeat steps d and e on all cluster nodes.

3. Select one node to be the configuration node. You will create TCS application keys on this

node and migrate the keys to the other nodes from this node. You can use the primary node

as the configuration node.

70 Advanced TCS Administration