Use the following procedure to enroll the Guardium® signing key on any database server that requires secure boot and uses the K-TAP that is supplied by Guardium. The Guardium key must be enrolled on any such server before you install S-TAP.
Before you begin
Enrolling the key requires that you have root privileges and system console access. The modules are signed by IBM, but you need to enroll the Guardium signing key on the secure boot-enabled system. Use the following command to determine whether secure boot is enabled on the server:
mokutil --sb-state
Response:
Secure boot disabled - The procedure is not needed.
Secure boot enabled - Complete this procedure to enroll the Guardium key.
About this task
You need to enroll the key the first time that you install a K-TAP with kernel signing. Subsequent upgrades use the same key.
Procedure
- Obtain the correct installer script from either Fix Central or from your Guardium representative, and extract guardium_module_signing.der from the compressed file (located under a folder named Kernel_Signing).
- Copy the file with the Guardium signing key, guardium_module_signing.der, to a server where secure boot is enabled.
Note: Check that the signing key file is correct for your server. For example, for SUSE 15, the key is called guardium_module_signing_suse15.der.
- On the server, log in as root and enter the following command to enroll the key:
mokutil --import guardium_module_signing.der
Note: Specify a password to enter when the system restarts. You are prompted for the password after the BIOS POST, but before the kernel starts (in the EFI shim).
- Verify that you have access to the system console.
- Restart the system when possible.
- During the start-up process, press any key when the system returns the following prompt: Press any key to perform MOK management.
- Under Perform MOK Management, select Enroll MOK.
- Click View key to see the certificate details, and then press Enter (or choose Continue).
- At the system prompt Enroll the key(s)?, click Yes.
- Enter the enrollment password (the password that you used with the mokutil --import command in step 3).
- Select Reboot.
What to do next
Enter the following command to confirm the key's presence in the system keyring:
cat /proc/keys | grep Guardium
Example output:
06dd7037 I------ 2 perm 1f010000 0 0 asymmetri IBM Guardium Secure Boot Signing: d0609780bff59335919e575279c9b20b6728ca93: X509.RSA 6728ca93
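The following POSIX shell script is an added example, not part of the IBM documentation or the Guardium installer. It wraps the checks in this procedure: it interprets the mokutil --sb-state response, looks for the Guardium key in /proc/keys after the reboot, and prints the certificate subject and fingerprint with openssl so you can confirm the .der file against what your Guardium representative supplied before importing it. The KEY_FILE and GUARDIUM_LIVE variable names and the use of openssl are assumptions; live checks run only when GUARDIUM_LIVE=1 is set.

```shell
#!/bin/sh
# Added helper, not part of the Guardium installer. KEY_FILE and GUARDIUM_LIVE are
# assumed names; the key file name may differ per distribution (see the Note above).
KEY_FILE="${KEY_FILE:-guardium_module_signing.der}"

# Interpret the 'mokutil --sb-state' response. Wording differs slightly between
# mokutil versions ("SecureBoot enabled" / "Secure boot enabled"), so compare
# case-insensitively with spaces removed. Prints enabled, disabled or unknown.
sb_state() {
    norm=$(printf '%s' "$1" | tr -d ' \n' | tr 'A-Z' 'a-z')
    case "$norm" in
        *securebootenabled*)  echo enabled ;;
        *securebootdisabled*) echo disabled ;;
        *)                    echo unknown ;;
    esac
}

# Return 0 when the given /proc/keys text lists the IBM Guardium signing key.
# /proc/keys prints the key type in a 9-character column, hence "asymmetri".
guardium_key_in_keyring() {
    printf '%s\n' "$1" | grep -q 'asymmetri *IBM Guardium Secure Boot Signing'
}

# Show the subject and SHA-256 fingerprint of a DER certificate so the file can be
# compared with what your Guardium representative supplied before it is imported.
describe_key_file() {
    openssl x509 -inform DER -in "$1" -noout -subject -fingerprint -sha256
}

# Constructed sample, copied from the example output above, used for the self-test.
SAMPLE_PROC_KEYS='06dd7037 I------ 2 perm 1f010000 0 0 asymmetri IBM Guardium Secure Boot Signing: d0609780bff59335919e575279c9b20b6728ca93: X509.RSA 6728ca93'

# Live checks run only on request, so the functions above can be sourced safely.
if [ "${GUARDIUM_LIVE:-0}" = 1 ]; then
    case "$(sb_state "$(mokutil --sb-state 2>&1 || true)")" in
        disabled) echo "Secure boot disabled: enrollment not needed"; exit 0 ;;
        enabled)  echo "Secure boot enabled" ;;
        *)        echo "Cannot determine secure boot state"; exit 1 ;;
    esac
    if guardium_key_in_keyring "$(cat /proc/keys)"; then
        echo "Guardium key already present in the kernel keyring"
    else
        echo "Guardium key not enrolled; certificate to be imported:"
        describe_key_file "$KEY_FILE"
        echo "Run: mokutil --import $KEY_FILE   (then reboot and complete MOK enrollment)"
    fi
fi
```

Run it once before step 3 to confirm that enrollment is actually needed, and again after the final reboot to confirm the key landed in the keyring.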