author: pkidd <patrick.kidd@oracle.com>
date: Wed, 10 Aug 2016 08:37:03 -0700
branch: s11u3-sru
changeset 6600: edaab2464fbb
parent 777: e2e604cdbd6a
child 5029: 77413b29eb5a
permissions: -rw-r--r--
e2e604cdbd6a
7123028 Problem with crypto/tss
Dan Anderson <dan.anderson@oracle.com>
--- man/man8/tcsd.8.in 2010-01-28 08:27:51.000000000 -0800
+++ man/man8/tcsd.8.in 2012-04-16 17:46:52.763527000 -0700
@@ -51,10 +51,11 @@
 There are two types of access control for the \fBtcsd\fR, access to the
 daemon's socket itself and access to specific commands internal to the
 \fBtcsd\fR. Access to the \fBtcsd\fR's port should be controlled by the system
-administrator using firewall rules. If using iptables, the following rule
-will allow a specific host access to the tcsd:
-
-# iptables -A INPUT -s $IP_ADDRESS -p tcp --destination-port @TCSD_DEFAULT_PORT@ -j ACCEPT
+administrator using firewall rules.
+If port = 0 in /etc/security/tcsd.conf, \fBtcsd\R uses a UNIX Domain socket.
+Otherwise, \fBtcsd\fR uses a TCP port.
+By default the TCP port, when enabled, is accessible only from localhost,
+unless "remote_ops" in tcsd.conf is not empty.
 
 Access to individual commands internal to the tcsd is configured by the
 \fBtcsd\fR configuration file's "remote_ops" directive. Each function call
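Review bot: the added line `+If port = 0 in /etc/security/tcsd.conf, \fBtcsd\R uses a UNIX Domain socket.` contains a broken troff escape: `\R` is not a valid font request, so the bold opened by `\fB` is never closed and the remainder of the paragraph renders in bold. It should read `\fBtcsd\fR`, as the next added line does. The closing sentence is also a double negative ("accessible only from localhost, unless "remote_ops" in tcsd.conf is not empty"); "unless "remote_ops" in tcsd.conf is set" says the same thing plainly. Since this hunk removes the iptables example without giving a Solaris equivalent, consider pointing the reader at the platform's firewall documentation so that "controlled by the system administrator using firewall rules" remains actionable.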
520697a05dde
7045320 Move trousers from SFW to Userland
Wyllys Ingersoll <Wyllys.Ingersoll@Oracle.COM>
@@ -74,12 +75,32 @@
 the TCS and stays valid across application lifetimes, \fBtcsd\fR restarts and
 system resets. Data registered in system PS stays valid until an application
 requests that it be removed. User PS files are by default stored as
-/var/tpm/user.{pid} and the system PS file by default is /var/tpm/system.data.
-The system PS file is initially created when ownership of the TPM is first
-taken.
+/var/user/$USERNAME/tpm/userps/user.data and the system PS file by default is
+/var/tpm/system/system.data. The system PS file is initially created when
+ownership of the TPM is first taken.
+.PP
+\fB/var/tpm/system/system.data\fR
+.ad
+.RS 4n
+Contains the system PS (persistent storage) data controlled by the TCS. By default,
+the SRK key is installed in PS and does not require owner authorization to use. If the
+TPM has previously been provisioned and owner-auth is required to load the SRK,
+then the /var/tpm/system/system.data.auth file should be moved to
+/var/tpm/system/system.data before starting the TCS (See NOTES).
+.RE
+.sp
+.PP
+\fB/var/tpm/system/system.data.auth\fR
+.ad
+.RS 4n
+This is the default PS data file to use if the TPM has been previously
+configured to require owner-auth to access the SRK. Copy this file
+to /var/tpm/system/system.data prior to starting the TCS if owner-auth is
+needed, otherwise this file can be ignored.
+.RE
 
 .SH "CONFIGURATION"
-\fBtcsd\fR configuration is stored by default in /etc/tcsd.conf
+\fBtcsd\fR configuration is stored by default in /etc/security/tcsd.conf
 
 .SH "DEBUG OUTPUT"
 If TrouSerS has been compiled with debugging enabled, the debugging output
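Review bot: the two new file entries disagree on how system.data.auth is to be used: the `/var/tpm/system/system.data` entry says the file "should be moved to /var/tpm/system/system.data", while the `/var/tpm/system/system.data.auth` entry says "Copy this file to /var/tpm/system/system.data". The difference is observable to an administrator (after a move the .auth file is gone, after a copy both files remain), so pick one verb and use it in both entries. The first entry also ends with "(See NOTES)", which only makes sense if the NOTES section describes the owner-auth file handling; as written it does not. Minor: each `.ad` here has no preceding `.na`; the usual Solaris man page layout for a file entry is `.sp`, `.ne 2`, `.na`, `\fB/path\fR`, `.ad`, `.RS 4n`, text, `.RE`.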
@@ -88,8 +109,9 @@
 .SH "DEVICE DRIVERS"
 .PP
 \fBtcsd\fR is compatible with the IBM Research TPM device driver available
-from http://www.research.ibm.com/gsal/tcpa and the TPM device driver available
-from http://sf.net/projects/tmpdd
+from http://www.research.ibm.com/gsal/tcpa and the TPM device driver for
+Linux available from http://sf.net/projects/tmpdd. It is also compatible
+with the TPM device driver for Solaris which is available in the driver/crypto/tpm package.
 
 .SH "CONFORMING TO"
 .PP
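Review bot: the rewritten line carries `http://sf.net/projects/tmpdd` over from the removed line unchanged; the SourceForge project for the Linux TPM device driver is `tpmdd`, so `tmpdd` looks like a transposition that this hunk had the chance to correct. Please verify the URL before committing. Style: the last added line runs well past the width of the surrounding source, and "for Solaris which is available" wants a comma before "which"; wrapping after "for Solaris," keeps the line in step with the rest of the page.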
@@ -98,7 +120,23 @@
 
 .SH "SEE ALSO"
 .PP
-\fBtcsd.conf\fR(5)
+\fBtcsd.conf\fR(5), \fBsvcadm\fR(1M), \fBsmf\fR(5)
+
+.SH "NOTES"
+.sp
+.LP
+The \fBtcsd\fR service is managed by the service management facility, \fBsmf\fR(5), under
+the service identifier:
+.sp
+.in +2
+.nf
+svc:/application/security/tcsd:default
+.fi
+.in -2
+.sp
+.LP
+Administrative actions on this service, such as enabling, disabling, or requesting restart, can be
+performed using \fBsvcadm\fR(1M). The service's status can be queried using the \fBsvcs\fR(1) command.
 
 .SH "AUTHOR"
 Kent Yoder
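Review bot: the NOTES paragraph cites \fBsvcs\fR(1), but the SEE ALSO line added in the same hunk lists only \fBtcsd.conf\fR(5), \fBsvcadm\fR(1M) and \fBsmf\fR(5); add \fBsvcs\fR(1) there so the cross-references match. Earlier in this patch the `/var/tpm/system/system.data` entry tells the reader "(See NOTES)" for the owner-auth case, yet the NOTES added here cover only the SMF service identifier and administration. Either add a short paragraph describing when system.data.auth must be installed as system.data before the service is started, or drop the "(See NOTES)" pointer.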