How to Enable PKCS #11 Consumers to Use TPM as a Secure Keystore

To perform this procedure, you must install and enable TPM on the system. Ensure that the tcsd daemon is also running.

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  1. (Optional) If the TPM PKCS #11 token provider has not been installed, install that provider.

    Note:

    To see if this step is needed, check that the pkcs11_tpm.so provider is listed when you run the cryptoadm list command.

    # pkg install pkcs11_tpm
    # cryptoadm install provider='/usr/lib/security/$ISA/pkcs11_tpm.so'
    
  2. Verify that the TPM device is installed.
    # ls -alF /dev/tpm
    lrwxrwxrwx 1 root 39 Dec 27 2011 /dev/tpm -> ../devices/pci@0,0/isa@1/tpm@1,1670:tpm
  3. Enable the tcsd daemon.
    # svcadm enable tcsd
    
  4. (Optional) If no TPM owner has been installed, initialize the TPM.

    Note:

    To see if this step is needed, run the tpmadm status command.

    # tpmadm init
    
  5. Initialize the personal TPM-protected token storage area.
    $ pktool inittoken currlabel=TPM

    Note:

    All individual users must perform this step.

  6. Set the token PIN for the security officer.
    $ pktool setpin token=tpm/TPM usertype=so
    
  7. Set the user's PIN.
    $ pktool setpin token=tpm/TPM
    
  8. Generate keys and certificates that use the TPM device by specifying the token name that was used when the token was initialized.
    $ pktool gencert token=tpm/TPM -i
    $ pktool list token=tpm/TPM

    Any existing application that already uses the Cryptographic Framework through libpkcs11 can use the TPM token for its operations, provided the application is configured to select the TPM token for its sessions.

Example 2-2 Enabling PKCS #11 Consumers to Use TPM

In this example, the TPM token is first assigned a new name. All subsequent actions on the token refer to the new name.

$ pktool inittoken currlabel=TPM newlabel=JanDoeTPM
$ pktool setpin token=tpm/JanDoeTPM usertype=so
$ pktool gencert token=tpm/JanDoeTPM -i
$ pktool list token=tpm/JanDoeTPM
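The following preflight planner is an added example, not part of the Oracle procedure or Example 2-2: it decides whether the optional steps 1 and 4 are still needed and prints the exact command sequence for a given token label. It is fed the text of `cryptoadm list` and `svcs -H -o state tcsd` so it can be exercised offline against constructed output; the owner state is passed by hand after reading `tpmadm status`, because that command's output format is not assumed here, and the sample listings are constructed.

```shell
#!/bin/sh
# Added preflight planner for the TPM keystore procedure (not Oracle's code).
# Inputs are plain text so the logic can be checked against constructed output.

# Step 1 check: is pkcs11_tpm.so registered with the Cryptographic Framework?
provider_installed() {
    printf '%s\n' "$1" | grep -q 'pkcs11_tpm\.so'
}

# Step 3 check: is the tcsd service already online (svcs -H -o state tcsd)?
tcsd_online() {
    [ "$1" = "online" ]
}

# $1: cryptoadm list output  $2: tcsd state  $3: owned|unowned  $4: token label
# Root steps are prefixed "#", per-user steps "$", as on the page.
plan_tpm_keystore() {
    label=${4:-TPM}
    provider_installed "$1" || {
        echo "# pkg install pkcs11_tpm"
        echo "# cryptoadm install provider='/usr/lib/security/\$ISA/pkcs11_tpm.so'"
    }
    echo "# ls -alF /dev/tpm"
    tcsd_online "$2" || echo "# svcadm enable tcsd"
    [ "$3" = "owned" ] || echo "# tpmadm init"
    if [ "$label" = "TPM" ]; then
        echo "\$ pktool inittoken currlabel=TPM"
    else
        echo "\$ pktool inittoken currlabel=TPM newlabel=$label"
    fi
    echo "\$ pktool setpin token=tpm/$label usertype=so"
    echo "\$ pktool setpin token=tpm/$label"
    echo "\$ pktool gencert token=tpm/$label -i"
    echo "\$ pktool list token=tpm/$label"
}

# Constructed sample `cryptoadm list` output: a host without the TPM provider.
LISTING_NO_TPM='User-level providers:
Provider: /usr/lib/security/$ISA/pkcs11_kernel.so
Provider: /usr/lib/security/$ISA/pkcs11_softtoken.so'
# The same host after step 1 has registered the provider (constructed).
LISTING_WITH_TPM="$LISTING_NO_TPM
Provider: /usr/lib/security/\$ISA/pkcs11_tpm.so"

# Stand-alone run: fresh host, token relabelled as in Example 2-2.
plan_tpm_keystore "$LISTING_NO_TPM" disabled unowned JanDoeTPM
```

Running the block prints all ten commands for a fresh host; feeding it a listing that already contains pkcs11_tpm.so, an online tcsd and an owned TPM drops the four optional root steps and emits only the device check and the per-user pktool commands.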