search cancel

Error loading PIM / PAMSC on Linux running in Secure Boot mode

book

Article ID: 201507

calendar_today

Updated On:

Products

CA Privileged Access Manager - Server Control (PAMSC) CA Privileged Identity Management Endpoint (PIM)

Issue/Introduction

When the PIM / PAMSC seos kernel module fails to load in a Linux which is running in Secure Boot mode follow below steps

Cause

Secure Boot is using a MOK (Machine Owner Key) which basically is securing the boot process by only allowing approved OS components and drivers to load. 

Environment

Release : 14.1

Component : PAM SERVER CONTROL ENDPOINT WINDOWS

Resolution

The OS kernel should contain the public key of the module getting inserted as part of trust chain, So the first step in doing this is to add the public key into the kernel system key database,

Every time the PAMSC kernel module loads, the OS kernel checks the signature of the module using the relevant public key.

 

Following steps are necessary for adding PAMSC public key into the secured kernel key database.

  1. import public key present in the installation directory to the MOK list 


# cd /opt/CA/PAMSC/bin/

# mokutil --import  BroadcomInc.der

input password:

input password again:


This command will ask for a new password of your choice which is required during MOK enrollment    

Note, to avoid issues, use a password consisting of alpha - numeric characters only



  1. Confirm the key is added without any error and restart the machine into Firmware

  1. During the secured efi boot up MOK key enrollment request will be noticed by shim.efi



    You will need to enter the password you previously associated with this request and confirm the enrollment. Your public key is added to the MOK list, which is persistent.
  1. After reboot, verify if the key is in the database by using this command

# mokutil -l

Search for PAMSC or Broadcom strings in the key list to confirm the key is loaded. 

  1. if the key is loaded, you can run seload to start PIM / PAMSC

Attachments