
Re: TCB (ie trusted) urgent query

 
SOLVED
Becke
Super Advisor

TCB (ie trusted) urgent query


Hi Guys,

I have a problem, I would like to know how to enable trusted (ie tcb) on our HP-UX DR machine which is running HP version 10.20.

Is there an option to enable tcb when you first install an operating system?

My other query is: if trusted is enabled on a system, does it always refer to the '/tcb/files/auth' directory? I need to know this because I'm trying to restore a password file which contains users' passwords from a trusted system to a DR machine which is a non-trusted system, and I need to enable tcb on my DR machine so it can refer to the same directory, i.e. '/tcb/files/auth', and restore users' passwords.

Please let me know this is extremely urgent.

Thanks for your help

Regards,
Raf
5 REPLIES
Mel Burslan
Honored Contributor
Solution

Re: TCB (ie trusted) urgent query

I have not touched a version 10.20 system for years and when I was managing one, we did not use trusted computing. So, I am not sure if there is an option to convert to trusted on this platform.

If there is, try doing it the proper way by using sam:

Select Auditing and Security.
Select "System Security Policies".

You will receive a dialog window allowing you to convert the server. Respond yes.

Hope this helps.
________________________________
UNIX because I majored in cryptology...
Patrick Wallek
Honored Contributor

Re: TCB (ie trusted) urgent query

You can convert 10.20 to trusted. You can do it via SAM, as previously said, or via the command line with:

# /usr/lbin/tsconvert

There is not an option to convert to trusted during the installation. It has to be done afterward.

Yes, trusted systems ALWAYS use the /tcb directory structure.
Becke
Super Advisor

Re: TCB (ie trusted) urgent query


Hi Patrick and Mel,

Thank you so much guys for your quick response and help, this has nearly resolved my problem.

There is one more thing I need to clarify with you guys, as I need to enable tcb on our DR machine, which I don't have access to at this stage. I have a couple more questions below.

1. On my dev machine tcb is not enabled. If I enable tcb via sam, would it impact users currently working on the system?

2. As I will be performing the DR exercise on the DR machine, once I enable tcb via sam on the DR machine, would it be O.K. to restore the /etc/passwd file and /tcb/files/auth directory from the production machine to the DR machine, so when users log in they can use their same password? Please let me know about this, it's extremely urgent.

We have really got a great team here guys, thanks for your help again. I have already assigned points to you guys... I will look forward to hearing from you to completely resolve my problem.

Kind Regards,
Raf

Bill Hassell
Honored Contributor

Re: TCB (ie trusted) urgent query

As mentioned in your previous posting, you can convert the DR system while it is running. And yes, you can copy the /etc/passwd and /etc/group files and the /tcb directory from the 10.20 to 10.20 system, probably with no compatibility issues.

HOWEVER, this assumes that the two systems have IDENTICAL entries in the current passwd files. The passwd (and group) files contain the user and group ID numbers and names which are created for each new user. Then all files and directories in that new user directory now have the ownership based on that user. If the 10.01 and 10.20 systems do not have identical entries, then some users will see their files owned by someone else or see numbers rather than names listed for their files.

So compare the two /etc/passwd and /etc/group files. If they are different, you have to work on adding/deleting users in such a way that they match. Then a brute force copy of the files should work OK. (but make sure you have a backup plan for the DR machine)


Bill Hassell, sysadmin
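
The comparison recommended in the reply above, as an added example that is not part of the original thread: a POSIX sh function that reports name/ID differences between two passwd (or group) files before they are copied to the DR host. The function name, output labels and sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report name/ID differences between two
# passwd or group files before copying them, plus /tcb, onto a DR host.
# Field 3 is the UID in passwd and the GID in group, so one function covers both.

# compare_ids FILE_A FILE_B -> prints discrepancies, returns 1 if any exist.
compare_ids() {
    _diff=$(awk -F: '
        /^[ \t]*$/ || /^#/ { next }              # skip blank and comment lines
        FNR == NR { a_id[$1] = $3; a_name[$3] = $1; next }   # first file
        {
            b_seen[$1] = 1
            if (!($1 in a_id))
                print "ONLY_IN_B " $1 " id=" $3
            else if (a_id[$1] != $3)
                print "ID_MISMATCH " $1 " a=" a_id[$1] " b=" $3
            # Same number, different name: files would show the wrong owner.
            if (($3 in a_name) && a_name[$3] != $1)
                print "ID_REUSED " $3 " a=" a_name[$3] " b=" $1
        }
        END { for (n in a_id) if (!(n in b_seen)) print "ONLY_IN_A " n " id=" a_id[n] }
    ' "$1" "$2" | LC_ALL=C sort)
    [ -z "$_diff" ] && return 0
    printf '%s\n' "$_diff"
    return 1
}

# make_samples DIR -> writes constructed passwd files (not real data).
make_samples() {
    cat > "$1/passwd.prod" <<'EOF'
root:*:0:3::/:/sbin/sh
jsmith:*:101:20::/home/jsmith:/usr/bin/sh
oracle:*:102:20::/home/oracle:/usr/bin/sh
appuser:*:103:20::/home/appuser:/usr/bin/sh
EOF
    cat > "$1/passwd.dr" <<'EOF'
root:*:0:3::/:/sbin/sh
jsmith:*:101:20::/home/jsmith:/usr/bin/sh
oracle:*:103:20::/home/oracle:/usr/bin/sh
backup:*:104:20::/home/backup:/usr/bin/sh
EOF
}

demo_dir="${TMPDIR:-/tmp}/idcmp.$$"
mkdir -p "$demo_dir" && make_samples "$demo_dir"
compare_ids "$demo_dir/passwd.prod" "$demo_dir/passwd.dr" || echo "files differ: reconcile before copying"
rm -rf "$demo_dir"
```

An `ID_REUSED` line is the case described above where a user would see files owned by someone else; run the same function on the two /etc/group files to check GIDs.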
Becke
Super Advisor

Re: TCB (ie trusted) urgent query

Thanks a lot Bill and everyone else, I have resolved my problem through your help.

Thanks for your elaboration Bill, actually my production machine is a legacy system that will be going sometime in the future.

Last year I managed to perform a successful DR on version 10.20. I was unable to restore the system from the 10.01 mksysb as 10.01 was compatible with the DR machine's hardware, so I installed version 10.20 on the DR machine and got the applications going successfully.

However, last year I didn't restore users' passwords from the trusted production machine to DR as it wasn't trusted at that stage. I only restored the /etc/passwd file and /etc/group file from production to the DR machine, which is running OS version 10.20.

But I'm going to perform another DR and the DR machine is not here on-site, it's kept at the vendor's place.

Bill, your help has clarified my questions. As we have a dev machine here and trusted wasn't enabled on it, I have enabled the tcb database on it and worked out everything.

I will only be restoring the /tcb/files/auth directory from production to the DR machine, and I presume in doing this it won't break anything else and users will be able to use their same password at the DR site when they perform their application test, and that is the whole point of why I wanted to restore users' passwords and enable tcb.

Thanks to all of you guys for your prompt help. I have assigned points and I will now close this thread.

I have learned quite a lot in HP from you guys as my main platform is AIX.

We have an excellent team here.

Regards,
Raf