IBM Support

Signing new binaries entries in AIX Trusted Signature Database

Question & Answer


Question

How do I add a trusted binary into the AIX trusted signature database?

Answer

The Trusted Execution (TE) feature provides a runtime file integrity verification mechanism. Every trusted file is associated with a unique cryptographic hash and a digital signature.
The cryptographic hashes of the default set of trusted files are generated with the SHA-256 algorithm, and their digital signatures are generated by the AIX build environment, packaged as part of the AIX installation filesets, and stored in the Trusted Software Database (/etc/security/tsd/tsd.dat).
You can add entries for custom or third-party applications to the Trusted Software Database by generating a new key pair and certificate with the OpenSSL tools and then signing the entries with trustchk.


1. Make sure that openssl is installed. 
# lslpp -L openssl.base | head -3
Fileset Level State Type Description (Uninstaller)
-------------------------------------------------------------------------
openssl.base 1.0.2.800 C F Open Secure Socket Layer

# echo "version" | openssl
OpenSSL> OpenSSL 1.0.2h 3 May 2016


2. Create a private key in the PEM format:
# openssl genrsa -out /etc/security/TSDprivkey.pem 2048

Generating RSA private key, 2048 bit long modulus
............................................+++
............................................+++
e is 65537 (0x10001)

# ls -l /etc/security/TSD*
-rw-r--r-- 1 root system 1675 Feb 24 01:42 /etc/security/TSDprivkey.pem



# cat /etc/security/TSDprivkey.pem
-----BEGIN RSA PRIVATE KEY-----
<snipped>
-----END RSA PRIVATE KEY-----


3. Create the corresponding certificate in DER format (valid for 3650 days, or 10 years):
# openssl req -new -x509 -key /etc/security/TSDprivkey.pem -outform DER -out /etc/security/TSDcertificate.der -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:EG
State or Province Name (full name) [Some-State]:Cairo
Locality Name (eg, city) []:Maadi
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ABC
Organizational Unit Name (eg, section) []:XYZ
Common Name (e.g. server FQDN or YOUR name) []:Mash
Email Address []:mash@abc.com


# ls -l /etc/security/TSD*
-rw-r--r-- 1 root system 971 Feb 24 01:57 /etc/security/TSDcertificate.der
-rw-r--r-- 1 root system 1675 Feb 24 01:42 /etc/security/TSDprivkey.pem


4. Convert the private key format from PEM to DER:
# openssl pkcs8 -inform PEM -in /etc/security/TSDprivkey.pem -topk8 -nocrypt -outform DER -out /etc/security/TSDprivkey.der
# ls -l /etc/security/TS*
-rw-r--r-- 1 root system 971 Feb 24 01:57 /etc/security/TSDcertificate.der
-rw-r--r-- 1 root system 1217 Feb 24 01:58 /etc/security/TSDprivkey.der
-rw-r--r-- 1 root system 1675 Feb 24 01:42 /etc/security/TSDprivkey.pem


5. Invoke trustchk to add a TSD entry for the file /usr/bin/mash.sh, signed with the private key and certificate created above:
# trustchk -s /etc/security/TSDprivkey.der -v /etc/security/TSDcertificate.der -a /usr/bin/mash.sh

6. Query the TSD entry for the binary:
# trustchk -q /usr/bin/mash.sh
/usr/bin/mash.sh:
type = FILE
owner = root
group = system
mode = 755
size = 49
hash_value = 555a170628541b0a6e90ba5eb87457d4252f39dc3a4b86d6eaed3f19a4f395e0
cert_tag = 00d62b779f949f4779
signature = <snipped>
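The six steps above, wrapped in shell functions as an added example (not from the IBM page): it creates the private key with mode 0600 rather than the world-readable 0644 shown in step 2, fills the certificate DN non-interactively with a placeholder -subj, and after trustchk -a compares the hash_value recorded in the TSD against an independent SHA-256 of the file computed with openssl. The DN value and the idea of reusing an existing key are assumptions; SAMPLE_QUERY is constructed from the step 6 output.

```shell
#!/bin/sh
# Added example; paths mirror the IBM page, the file to sign is a parameter.
KEY_PEM=/etc/security/TSDprivkey.pem
KEY_DER=/etc/security/TSDprivkey.der
CERT_DER=/etc/security/TSDcertificate.der

# Sample "trustchk -q" output, constructed from step 6 above (used for testing).
SAMPLE_QUERY='/usr/bin/mash.sh:
type = FILE
owner = root
group = system
mode = 755
size = 49
hash_value = 555a170628541b0a6e90ba5eb87457d4252f39dc3a4b86d6eaed3f19a4f395e0
cert_tag = 00d62b779f949f4779'

# Extract one "name = value" field from trustchk -q output read on stdin.
tsd_field() {
    awk -v f="$1" '$1 == f && $2 == "=" { print $3; exit }'
}

# SHA-256 of a file as lowercase hex, using openssl (confirmed present in step 1).
file_sha256() {
    openssl dgst -sha256 "$1" | awk '{ print $NF }'
}

# Steps 2-4: private key, self-signed certificate, DER private key.
# Skipped when the key and certificate already exist, so later binaries
# are signed with the same certificate (assumption: one signing key per host).
tsd_make_keys() {
    [ -f "$KEY_DER" ] && [ -f "$CERT_DER" ] && return 0
    (
        umask 077   # private key must never be world-readable
        openssl genrsa -out "$KEY_PEM" 2048
        openssl req -new -x509 -key "$KEY_PEM" -outform DER \
            -out "$CERT_DER" -days 3650 -subj "/CN=TSD signing key"   # placeholder DN
        openssl pkcs8 -inform PEM -in "$KEY_PEM" -topk8 -nocrypt \
            -outform DER -out "$KEY_DER"
    )
    chmod 0600 "$KEY_PEM" "$KEY_DER"
}

# Steps 5-6: add the entry, then confirm the recorded hash matches the file
# on disk. Returns non-zero if the entry is missing or the hash differs.
tsd_sign_and_verify() {
    trustchk -s "$KEY_DER" -v "$CERT_DER" -a "$1" || return 1
    recorded=$(trustchk -q "$1" | tsd_field hash_value)
    actual=$(file_sha256 "$1")
    [ -n "$recorded" ] && [ "$recorded" = "$actual" ]
}

# Usage on AIX: tsd_make_keys && tsd_sign_and_verify /usr/bin/mash.sh
```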


Document Information

Modified date:
20 October 2023

UID

isg3T1024935