wlicert.1m (2011 03)
wlicert(1M)                    Optional WLI Product Required                    wlicert(1M)
• An executable signed with the corresponding private key will not be recognized as an authorized
  executable for run-time access to IBAC-protected files.
• The capabilities granted to an executable signed with the corresponding private key will be disabled.
The wlicert command is installed with the optional HP-UX Whitelisting (WLI) product.
Options
-c user.instance   The identifier user.instance is used in conjunction with -g or -s to retrieve granted
                   capabilities or to have capabilities granted.
-d user.instance   When used in conjunction with the -o option, the specified capabilities are removed.
                   If the -o option is omitted, the public key is deleted from the WLI database.
-g                 Retrieves the capabilities granted to user.instance, or retrieves all users having the
                   designated capabilities.
-h                 Displays wlicert command syntax.
-i user.instance   Authorizes pubkey as a WLI user key. The public key is identified by user.instance in
                   subsequent wlicert operations.
-k privkey         A PEM-formatted RSA private key belonging to a WLI administrator. This option is not
                   required with the -g or -l options.
-l user.instance   Lists details of the public key identified by user.instance.
-o {capabilities}  A comma-separated list of WLI capabilities granted to the public key identified by
                   user.instance. There are four legitimate values:
                        mem    ability to read/write from/to /dev/mem and /dev/kmem
                        wmd    ability to link/unlink metadata to/from a file
                        dlkm   ability to load DLKM (dynamically loadable kernel) modules
                        api    ability to invoke libwliapi.so functions
                   See wli(5) for detailed descriptions of the capabilities.
-p src:val         The passphrase source for privkey. For more information on passphrase syntax, see
                   wli(5).
-s                 Assigns the capabilities specified with -o to user.instance.
RETURN VALUE
wlicert returns the following:
Failure A message and exit code of 1.
Success An exit code of 0.
EXAMPLES
List the capabilities of the public key identified by jack.mempub:
% wlicert -g -c jack.mempub
Authorize jack's RSA key as a WLI user key. The public key, jackpub.pem, is imported into the WLI
database. WLI does not store private keys or their passphrases. The WLI administrator's private key is
held in file /sec/privkey.pem and its passphrase is held in file /sec/privpass:

     % wlicert -i jack.smith -k /sec/privkey.pem -p file:/sec/privpass jackpub.pem

Assign capability api to user jack's public key jackpub. This allows programs signed by jack with the api
capability to call functions in libwliapi.so. The WLI administrator's private key is held in file
/sec/privkey.pem and its passphrase ("hi there") is read from stdin:

     % echo "hi there" | wlicert -s -c jack.smith -k /sec/privkey.pem -p fd:0 -o api

Note that a passphrase typed on the command line in this way is recorded in interactive shell history;
the file: passphrase source used in the previous example avoids that exposure.
AUTHOR
wlicert was developed by HP.
Hewlett-Packard Company − 2 − HP-UX 11iv3: Sep 2010 Web Release