openpts Command
Purpose
Allows enrolling and certifying a remote system.
Syntax
openpts [-i [-f] | [-v] | -r | -D] [-h] [-V] [-u] [-l username] [-p port] [-c configfile] host
Description
The openpts command allows the local system (the verifier) to connect to a remote host (the collector) to determine whether the collector has performed a trusted boot. A machine is considered to have performed a trusted boot when the contents of the collector's trusted platform module (TPM) are interrogated for consistency against a reference set of measurements (the reference manifest) maintained by the verifier. To acquire the set of reference measurements, the verifier must first enroll the collector by using the -i option. After enrollment, the verifier can attest the collector with the default -v option, which compares the current values represented in the integrity report against the reference set. The success or failure of this operation is reported to you along with the reason for any failure. Examples of operations that may cause a failed certification include booting from a different device, changing the boot flags, and modifying the boot image.
If updates are pending to the state of the collector (for example, an OS upgrade that affects the next boot operation), these updates are reported during an attestation and the user is prompted to accept or reject the new values. Updates can be accepted automatically by using the -u option. The attestation request uses secure shell (SSH) as the communication mechanism between the collector and the verifier; the -l option specifies the ssh command username and the -p option specifies the ssh command port.
Flags
Item | Description |
---|---|
-c configfile | Specifies the configuration file to use. The default is ~/.openpts/openpts.conf. |
-D | Displays the configuration settings of the target and all the options. |
-h | Displays the command usage information. |
-i [-f] | Enrolls a new collector partition; with -f, forces re-enrollment of an existing collector. |
-l username | Specifies the ssh command username. |
-p port | Specifies the ssh command port number. |
-r | Removes all information about a target system. |
-u | Allows the command to accept manifest updates from the collector without prompting for a yes or no answer. The default is no (you are prompted). |
-v (default) | Verifies a collector against its existing reference manifest. |
-V | Displays the information in verbose mode. Multiple -V options increase the verbosity. This is used for debugging the data. |
Files
Item | Description |
---|---|
~/.openpts/ | This directory is the default location for all configuration and remote host information. |
~/.openpts/openpts.conf | The configuration of the verifier. |
~/.openpts/uuid | The UUID file of the verifier. |
~/.openpts/UUID/ir.xml | The last integrity report received from the remote host. |
~/.openpts/UUID/newrm_uuid | The UUID file of the new reference manifest (for example, for the next boot operation after a system update). |
~/.openpts/UUID/policy.conf | The policy to verify the properties of a remote host. |
~/.openpts/UUID/rm_uuid | The UUID file of the reference manifest. |
~/.openpts/UUID/UUID/rmN.xml | The reference manifests of the remote host. |
~/.openpts/UUID/target.conf | The configuration of the remote host. |
~/.openpts/UUID/vr.properties | The platform properties of the remote host derived from the integrity report. |
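Examples
The following is an added example, not part of the AIX manual or the OpenPTS project: a POSIX sh wrapper that runs the default verification (-v) against a list of collectors and keeps a per-host log. It assumes that openpts exits non-zero when attestation fails, that OPENPTS_BIN names the binary and that LOG_DIR is writable; -u is passed only when explicitly requested, so an unattended run never accepts a changed manifest by default.

```shell
# OPENPTS_BIN and LOG_DIR are assumptions of this example, not openpts settings.
OPENPTS_BIN="${OPENPTS_BIN:-openpts}"
LOG_DIR="${LOG_DIR:-${TMPDIR:-/tmp}/openpts-logs}"

# attest_host HOST SSH_USER SSH_PORT ACCEPT_UPDATES
# Verifies HOST against its reference manifest. ACCEPT_UPDATES=yes adds -u so
# pending manifest updates are accepted silently; any other value keeps the
# default prompt. stdin is /dev/null so an unattended run can never answer
# "yes" to a prompt by accident; such a run is reported as a failure instead.
attest_host() {
    host=$1; user=$2; port=$3; accept=$4
    mkdir -p "$LOG_DIR"
    log="$LOG_DIR/$host.log"
    set -- -v -l "$user" -p "$port"
    if [ "$accept" = "yes" ]; then
        set -- "$@" -u
    fi
    # Assumption: a non-zero exit status means the attestation did not succeed.
    if "$OPENPTS_BIN" "$@" "$host" >"$log" 2>&1 </dev/null; then
        printf '%s PASS\n' "$host"
        return 0
    fi
    printf '%s FAIL (see %s)\n' "$host" "$log"
    return 1
}

# attest_fleet HOSTS_FILE SSH_USER SSH_PORT ACCEPT_UPDATES
# One collector per line in HOSTS_FILE; blank lines and '#' comments are
# skipped. Returns the number of collectors that failed attestation (0 = all
# passed), so the caller can alert on any non-zero status.
attest_fleet() {
    hosts_file=$1; user=$2; port=$3; accept=$4
    failures=0
    while IFS= read -r h || [ -n "$h" ]; do
        case "$h" in ''|'#'*) continue ;; esac
        attest_host "$h" "$user" "$port" "$accept" || failures=$((failures + 1))
    done <"$hosts_file"
    return "$failures"
}
```

A typical cron entry would call attest_fleet with ACCEPT_UPDATES left unset, review the FAIL logs by hand, and only re-run a single host with "yes" once the pending update has been confirmed as expected.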