Use the following procedure to generate and enroll a signing key, and to sign a locally built K-TAP module with it, on any database server that has secure boot enabled. The Guardium® key
must be enrolled on the server before you install S-TAP®.
Before you begin
If your site uses secure boot and you want to use a local K-TAP build, you can use the kernelModuleSigning.sh script to sign the locally built K-TAP module before you install S-TAP and K-TAP. The kernelModuleSigning.sh script helps automate upgrading or installing a new K-TAP.
To check whether secure boot is enabled on the server, run the following command:
mokutil --sb-state
Response:
SecureBoot disabled
- The procedure is not needed. (The same applies if mokutil reports This system doesn't support Secure Boot, which is what a server booted in legacy BIOS mode returns.)
SecureBoot enabled
- Complete this procedure to enroll the Guardium key.
Note: If kernelModuleSigning.sh is not included as part of your S-TAP package, then download kernelModuleSigning.sh from Fix Central.
Procedure
- If your company already has a public/private signing key pair, use that pair. If you do not already have a signing key, use the following example to generate one. Enter the following code.
cat <<EOF >signfile.config
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3
string_mask = utf8only
prompt = no
[ req_distinguished_name ]
O = <Key-Example>
CN = Secure Boot Signing
emailAddress = <example@yourcompany.com>
[ v3 ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = codeSigning
EOF
Note: Replace the organization (O) and emailAddress lines with your own information. The O value is the word that you search for in the system keyring in the Results section, so choose something distinctive.
openssl req -config ./signfile.config -new -x509 -newkey rsa:4096 -nodes -days 3650 -outform DER -keyout signfile.priv -out signfile.der
openssl x509 -inform der -in signfile.der -text -noout > signfile.crt
The first command writes the private key to signfile.priv (PEM) and a self-signed certificate to signfile.der (DER). The second command only writes a human-readable dump of the certificate to signfile.crt so that you can check the subject and extensions; the file that you enroll and sign with is signfile.der.
Because -nodes writes signfile.priv unencrypted, restrict its permissions (chmod 600) and remove it from the database server after the module is signed. Anyone who holds this key can sign kernel modules that the server will load under secure boot.
- Use mokutil to queue your new key for enrollment in the secure boot key database (MOK) on the database server. mokutil prompts you to create a one-time password; you must enter the same password again in the MOK manager after the reboot. The key is not trusted until you confirm the request at the console. For example:
mokutil --import ./signfile.der
- Verify that you have access to the system console. The MOK manager runs at the console before the operating system starts, so a remote shell is not enough.
- Restart the system when possible.
- During the start-up process, press any key when the system shows the prompt Press any key to perform MOK management.
- Under Perform MOK Management, select Enroll MOK.
- Select View key to see the certificate details, and then press Enter (or choose Continue).
- At the prompt Enroll the key(s)?, select Yes.
- Enter the enrollment password (the password that you created when you ran the mokutil --import command).
- Select Reboot.
- Proceed with your standard shell or bundle S-TAP fresh installation. (You might need to upgrade afterward.) Because the locally built module is not yet signed, the kernel refuses to load it under secure boot, and when the installation starts an error that is similar to the following displays:
<13>Dec 5 16:25:37 guard_ktap_loader: Custom module ktap-112810-rhel-8-linux-x86_64-xCUSTOMxrh8u5x64t-4.18.0-372.26.1.el8_6.x86_64-x86_64-SMP.ko built for kernel 4.18.0-372.26.1.el8_6.x86_64.
<13>Dec 5 16:25:46 guard_ktap_loader: Cannot install ktap at this time, please contact IBM.
Could not start KTAP
<13>Dec 5 16:25:46 guard_ktap_loader: ktap module is not loaded at this time.
- Don't panic! Run the kernelModuleSigning.sh utility on the database server where the S-TAP is running. Follow the instructions that display on the screen to sign your locally built K-TAP module (ktap*xCUSTOM*.ko) with your private key and the matching certificate (signfile.priv and signfile.der in the example above). After the module is signed, the script walks you through the next steps to finish the installation.
Results
Enter the following command to confirm that the key is available in the system keyring. Use a distinctive word from the certificate's O or CN field as the search term:
cat /proc/keys | grep -i <key_word_of_key>
A successful response is similar to the following example (the type column reads asymmetri because the kernel truncates it to nine characters; that is normal):
# cat /proc/keys | grep -i 'Key-Example'
0c113cc5 I------ 1 perm 1f010000 0 0 asymmetri Key-Example: Secure Boot Signing: 6c0351ef68bb6fdd1d24501d461008d98d13b3ca: X509.rsa 8d13b3ca []
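The procedure above and the Results check, as an added shell example. This is not IBM's kernelModuleSigning.sh (the page does not show that script's contents) and not part of the original page. It assumes the kernel's own sign-file tool from the kernel-devel package at /lib/modules/$(uname -r)/build/scripts/sign-file, the signfile.priv and signfile.der pair generated in step 1, and that the module path or its parent directory is passed as an argument, because the page does not say where the locally built K-TAP file is placed. The function names (sb_state_enabled, module_is_signed, key_enrolled, and the others) are this example's own.

```shell
#!/bin/bash
# Added example, not IBM's kernelModuleSigning.sh. Assumptions: sign-file from
# kernel-devel at /lib/modules/$(uname -r)/build/scripts/sign-file, and the
# signfile.priv / signfile.der pair created in step 1 of the page.
SIGN_FILE="${SIGN_FILE:-/lib/modules/$(uname -r)/build/scripts/sign-file}"
PRIV_KEY="${PRIV_KEY:-./signfile.priv}"
CERT_DER="${CERT_DER:-./signfile.der}"

# Parse the text printed by `mokutil --sb-state`. Only "SecureBoot enabled"
# means signing is required; "SecureBoot disabled" and "This system doesn't
# support Secure Boot" both mean the procedure can be skipped.
sb_state_enabled() {
  case "$1" in
    "SecureBoot enabled"*) return 0 ;;
    *) return 1 ;;
  esac
}

secure_boot_enabled() {
  sb_state_enabled "$(mokutil --sb-state 2>/dev/null)"
}

# A module with an appended signature ends with the kernel's magic string
# "~Module signature appended~" plus a newline (28 bytes in total).
# sign-file always appends, so check first to avoid stacking a second
# trailer on a module that is already signed.
module_is_signed() {
  [ -f "$1" ] && [ "$(tail -c 28 "$1")" = "~Module signature appended~" ]
}

# Find the locally built K-TAP below a directory (the page names the file
# ktap*xCUSTOM*.ko); prints the newest match, or nothing.
find_custom_ktap() {
  find "$1" -type f -name 'ktap*xCUSTOM*.ko' -printf '%T@ %p\n' 2>/dev/null |
    sort -rn | head -n 1 | cut -d' ' -f2-
}

# Sign one module in place with sha256 (the hash the RHEL kernel's own
# module signatures use), then confirm the trailer was written.
sign_module() {
  local ko=$1
  if module_is_signed "$ko"; then
    echo "already signed, skipping: $ko" >&2
    return 0
  fi
  if [ ! -x "$SIGN_FILE" ]; then
    echo "sign-file not found at $SIGN_FILE; install kernel-devel" >&2
    return 1
  fi
  "$SIGN_FILE" sha256 "$PRIV_KEY" "$CERT_DER" "$ko" || return 1
  module_is_signed "$ko"
}

# modinfo reads the same trailer; use it to see which key signed the module.
show_signer() {
  modinfo -F signer "$1"
  modinfo -F sig_key "$1"
}

# The check from the Results section, parameterised so it can also be run
# against a saved copy of /proc/keys: is there an asymmetric key whose
# description contains ORG (the O= value of the certificate)?
key_enrolled() {
  grep -qi "asymmetri.*$1" "${2:-/proc/keys}"
}

# Usage: ./ktap-sign.sh <module.ko or directory> [O= value, default Key-Example]
main() {
  local target=$1 org=${2:-Key-Example} ko
  if ! secure_boot_enabled; then
    echo "Secure Boot is not enabled; the module does not need to be signed"
    return 0
  fi
  if ! key_enrolled "$org"; then
    echo "no enrolled key matching '$org'; run mokutil --import and reboot first" >&2
    return 1
  fi
  if [ -d "$target" ]; then ko=$(find_custom_ktap "$target"); else ko=$target; fi
  if [ -z "$ko" ]; then
    echo "no ktap*xCUSTOM*.ko found under $target" >&2
    return 1
  fi
  sign_module "$ko" && show_signer "$ko"
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as root after the MOK reboot, before re-running the S-TAP installer. sign-file accepts the DER certificate directly, so no PEM conversion is needed. Two things the page's own check does not tell you: a key being present in /proc/keys does not prove the module was signed with it, which is why show_signer prints the signer after signing, and a module that already carries a trailer is skipped rather than signed twice.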