Linux-UNIX: Enrolling a K-TAP signing key

Use the following procedure to enroll the Guardium® signing key on any database server that requires secure boot and uses the K-TAP that is supplied by Guardium. The Guardium key must be enrolled on each such server before you install S-TAP.

Before you begin

Enrolling the key requires that you have root privileges and system console access. The modules are signed by IBM, but you need to enroll the Guardium signing key onto the secure boot-enabled system.
Use the following command to determine whether secure boot is enabled on the server:
mokutil --sb-state
Response:
  • Secure boot disabled - The procedure is not needed.
  • Secure boot enabled - Complete this procedure to enroll the Guardium key.

About this task

You need to enroll the key the first time that you install a K-TAP with kernel signing. Subsequent upgrades use the same key.

Procedure

  1. Obtain the correct installer script from either Fix Central or from your Guardium representative, and extract guardium_module_signing.der from the compressed file (located under a folder named Kernel_Signing).
  2. Copy the Guardium signing key file guardium_module_signing.der to a server where secure boot is enabled.
    Note: Check that the signing key file is correct for your server. For example, for SUSE 15, the key is called guardium_module_signing_suse15.der.
  3. On the server, log in as root and enter the following command to enroll the key:
    mokutil --import guardium_module_signing.der
    Note: Specify a password to enter when the system restarts. You are prompted for the password after the BIOS POST, but before the kernel starts (in the EFI shim).
  4. Verify that you have access to the system console.
  5. Restart the system when possible.
    1. During the start-up process, press any key when the system displays the prompt Press any key to perform MOK management.
    2. Under Perform MOK Management, select Enroll MOK.
    3. Click View key to see the certificate details, and then press Enter (or choose Continue).
    4. At the system prompt Enroll the key(s)?, click Yes.
    5. Enter the enrollment password (the password that you used with the mokutil --import command in step 3).
    6. Select Reboot.

What to do next

Enter the following command to confirm the key's presence in the system keyring.
cat /proc/keys | grep Guardium
Example output:
06dd7037 I------ 2 perm 1f010000 0 0 asymmetri IBM Guardium Secure Boot Signing: d0609780bff59335919e575279c9b20b6728ca93: X509.RSA 6728ca93
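The checks from Before you begin, step 3 and What to do next, collected into one script as an added example (this is not IBM's installer or any Guardium-supplied code). It assumes mokutil, od and awk are on the server; the function names, the SAMPLE_PROC_KEYS listing and the --enroll flag are constructed for this example, and the key ID in the sample is the one from the output above.

```shell
#!/bin/sh
# Pre-flight and post-reboot checks around the enrollment procedure above.
# Example script, not IBM's installer; assumes mokutil, od and awk exist.

# Classify `mokutil --sb-state` output. Exit status: 0 = secure boot
# enabled (enroll the key), 1 = disabled (skip), 2 = could not tell.
sb_needs_enrollment() {
    _s=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -d ' ')
    case "$_s" in
        *securebootenabled*)  return 0 ;;
        *securebootdisabled*) return 1 ;;
        *)                    return 2 ;;
    esac
}

# mokutil --import expects DER. A DER certificate starts with the ASN.1
# SEQUENCE tag 0x30; a PEM file starts with "-----BEGIN" and is rejected.
is_der_certificate() {
    [ -s "$1" ] || return 1
    [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]
}

# Print the kernel key ID of the Guardium key from a /proc/keys listing
# (file argument, "-" for stdin, default the live file); exit 1 if absent.
# Field 8 is the key type, truncated by the kernel to "asymmetri".
guardium_key_id() {
    awk '$8 ~ /^asymmetri/ && /IBM Guardium Secure Boot Signing/ { print $1; found = 1 }
         END { exit !found }' "${1:-/proc/keys}"
}

# Constructed /proc/keys sample (id flags usage timeout perms uid gid type
# description) using the key ID from the example output above.
SAMPLE_PROC_KEYS='0a1b2c3d I--Q--- 1 perm 1f3f0000 0 0 keyring .builtin_trusted_keys: 2
06dd7037 I------ 2 perm 1f010000 0 0 asymmetri IBM Guardium Secure Boot Signing: d0609780bff59335919e575279c9b20b6728ca93: X509.RSA 6728ca93'

# Run the checks and then stage the key; the MOK password prompt and the
# shim dialog after reboot are still done by hand as in steps 3 and 5.
enroll_guardium_key() {
    key="${1:-guardium_module_signing.der}"
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    rc=0; sb_needs_enrollment "$(mokutil --sb-state 2>&1)" || rc=$?
    [ "$rc" -ne 1 ] || { echo "secure boot disabled: nothing to enroll"; return 0; }
    [ "$rc" -ne 2 ] || { echo "cannot determine secure boot state" >&2; return 1; }
    is_der_certificate "$key" || { echo "$key is not a DER certificate" >&2; return 1; }
    if kid=$(guardium_key_id); then echo "already enrolled as key $kid"; return 0; fi
    mokutil --import "$key"
}
if [ "${1:-}" = "--enroll" ]; then enroll_guardium_key "${2:-}"; fi
```

Run it as root with --enroll and the .der path before step 5; after the reboot, guardium_key_id on its own repeats the cat /proc/keys check.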