HP-UX Trusted Computing Services A.02.00 Administrator's Guide
Action
Some possible reasons for this message include:
• You are trying to use the openssl options -keyform dynamic and -engine tpm with
a version of openssl prior to 0.9.8. You can verify the openssl version by entering the
following command:
openssl version
You might need to specify the full path to the 0.9.8 version (for example,
/opt/openssl/0.9.8/bin/openssl). If OpenSSL 0.9.8 is not installed on your system, you
must install it or use the method described in “Wrapping an Existing Certificate Private
Key with tpmcreate” (page 43).
• The TPM OpenSSL engine library is not properly installed on your system. Verify that the
symbolic link /usr/lib/hpux32/engines/libtpm.so.1 points to
/opt/tcs/hpux32/engines/libtpm.so.1.
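The two checks in the Action list above can be scripted. The following is an added example, not part of the HP guide: the function names, the script name and the --run argument are hypothetical, and the paths are the ones the guide gives.

```sh
#!/bin/sh
# Added example, not from the HP guide: pre-checks for the two causes listed above.

# openssl_version_ok "<output of 'openssl version'>"
# Returns 0 when the reported version is 0.9.8 or later, 1 otherwise.
openssl_version_ok() {
    printf '%s\n' "$1" | awk '{
        v = $2
        sub(/[^0-9.].*$/, "", v)            # drop letter suffix: 0.9.8h -> 0.9.8
        n = split(v, p, ".")
        if (n < 3 || p[1] == "") exit 1     # not a three-part version string
        exit !(p[1] * 10000 + p[2] * 100 + p[3] >= 908)
    }'
}

# engine_link_ok LINK EXPECTED_TARGET
# Returns 0 when LINK is a symbolic link to EXPECTED_TARGET and that file exists.
engine_link_ok() {
    link=$1; want=$2
    if [ ! -h "$link" ]; then
        echo "$link: not a symbolic link" >&2; return 1
    fi
    # Parse "ls -l" so the check does not depend on a readlink utility.
    got=$(ls -l "$link" | sed 's/^.* -> //')
    if [ "$got" != "$want" ]; then
        echo "$link: points to $got, expected $want" >&2; return 1
    fi
    if [ ! -f "$want" ]; then
        echo "$want: engine library is missing" >&2; return 1
    fi
    return 0
}

# tcs_engine_precheck [OPENSSL_BINARY]
# Runs both checks with the paths the guide gives; non-zero on any failure.
tcs_engine_precheck() {
    bin=${1:-openssl}; rc=0
    if ! openssl_version_ok "$("$bin" version 2>/dev/null)"; then
        echo "$bin: older than 0.9.8, or could not be run" >&2; rc=1
    fi
    engine_link_ok /usr/lib/hpux32/engines/libtpm.so.1 \
                   /opt/tcs/hpux32/engines/libtpm.so.1 || rc=1
    return $rc
}

# Hypothetical invocation: sh tcs_precheck.sh --run /opt/openssl/0.9.8/bin/openssl
if [ "${1:-}" = "--run" ]; then
    tcs_engine_precheck "${2:-openssl}"
fi
```
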
Message: unable to load Private Key
The openssl utility displays messages similar to the following:
unable to load Private Key
16533:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:642:Expecting: ANY PRIVATE KEY
Action
Some possible reasons for this message include:
• You are trying to use the openssl req command with a key pair created using tpmcreate,
but you did not specify the -keyform dynamic and -engine tpm options. You must
specify these options if you are using a key pair created using tpmcreate.
• You are trying to use the openssl req command with the -keyform dynamic and
-engine tpm options with a key pair that was not created using tpmcreate. If you are
not using keys created by the tpmcreate command, omit the -keyform dynamic and
-engine tpm options. After you create the certificate request, you can use the tpmcreate
-w command to protect the private key.
Troubleshooting TCS Operation with Stunnel
When using TCS with Stunnel, stunnel displays messages similar to the following when it
starts:
2008.07.16 05:27:02 LOG7[14832:1]: Enabling support for engine 'dynamic'
2008.07.16 05:27:02 LOG7[14832:1]: Executing engine control command SO_PATH:/opt/tcs/lib/hpux32/engines/libtpm.so.0
2008.07.16 05:27:02 LOG7[14832:1]: Executing engine control command ID:tpm
2008.07.16 05:27:02 LOG7[14832:1]: Executing engine control command LOAD
2008.07.16 05:27:02 LOG7[14832:1]: Initializing engine 1
2008.07.16 05:27:02 LOG7[14832:1]: Engine 1 initialized
:
:
2008.07.16 05:27:02 LOG7[14832:1]: Certificate: /opt/stunnel/myTPM.cert
2008.07.16 05:27:02 LOG7[14832:1]: Certificate loaded
2008.07.16 05:27:02 LOG7[14832:1]: Key file: /opt/stunnel/myKeyBlob
2008.07.16 05:27:02 LOG7[14832:1]: Private key loaded
Some common error messages that might occur are listed in the sections that follow.
Message: could not load the shared library
Stunnel cannot load the TPM OpenSSL engine library and displays messages similar to the
following:
2008.07.18 09:42:17 LOG7[13057:1]: Enabling support for engine 'dynamic'
2008.07.18 09:42:17 LOG7[13057:1]: Executing engine control command SO_PATH:/opt/tcs/lib/hpux32/engines/libtpm.so.0
2008.07.18 09:42:17 LOG7[13057:1]: Executing engine control command ID:tpm
2008.07.18 09:42:17 LOG7[13057:1]: Executing engine control command LIST_ADD:2
2008.07.18 09:42:17 LOG7[13057:1]: Executing engine control command LOAD
2008.07.18 09:42:17 LOG3[13057:1]: error stack: 260B6084 : error:260B6084:engine routines:DYNAMIC_LOAD:dso not found