wlipolicy.1 (2011 03)
wlipolicy(1)                Optional WLI Product Required                wlipolicy(1)
NAME
wlipolicy - manage WLI file access policies
SYNOPSIS
wlipolicy -f {-a|-d} -k privkey [-p src:val] [-s] targetfile
wlipolicy -i {-a|-d} -k privkey [-p src:val] -e execfile targetfile
wlipolicy -m -k old_owner_privkey [-p src:val] -c new_owner_pubkey targetfile
wlipolicy -n -k new_owner_privkey [-p src:val] -c old_owner_pubkey targetfile
wlipolicy -v -e execfile targetfile
wlipolicy -l targetfile
wlipolicy -h
DESCRIPTION
wlipolicy is used to create, modify, verify, and delete WLI file access policies. There are two policy
types:
• file lock access control (FLAC) - When a FLAC policy is assigned to targetfile, it
  cannot be modified, deleted or moved to a different location.
• identity based access control (IBAC) - When an IBAC policy is assigned to
  targetfile, it can only be opened through a set of authorized executables that are identified
  through their WLI signatures. For more information on signing executables, see wlisign(1).
A file cannot have both policy types. They are mutually exclusive. A file can have multiple IBAC policies
or one FLAC policy. For more information on policy types and signatures on authorized executables, see
wli(5).
All policy information is stored as metadata in accordance with the storage type specified with
wlisys(1M). Included in the policy metadata is a signature generated by privkey. Only privkey can be
used to modify or delete information within the policy. A file access policy for any regular file or directory
can be generated by a user with write permission to the file.
A file access policy can be modified or deleted with wlipolicy only by using the same key that created
the policy. The key used to generate the policy effectively owns the policy. Key ownership for a file access
policy can be transferred to another key through a two step process:
• The current owner key is used to authorize the new public key as owner.
• The new owner private key is used to generate a signature that replaces the previous owner signature.
The wlipolicy command is installed with the optional HP-UX Whitelisting (WLI) product.
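The two-step ownership transfer above, as an added POSIX sh helper that is not part of the HP-UX man page; the key file names and the target path are assumptions for illustration. It builds both command lines in one place because the private/public key pairing differs between the -m step and the -n step.

```shell
#!/bin/sh
# Added example (not from the HP-UX wlipolicy man page).
# Step 1 (-m): the CURRENT owner's private key authorizes the NEW public key.
# Step 2 (-n): the NEW owner's private key replaces the owner signature and
#              names the OLD public key it takes over from.
# Key file names and the target path below are assumed for illustration.

# Print the two command lines, one per line, without running anything.
wli_transfer_cmds() {
    old_priv=$1 old_pub=$2 new_priv=$3 new_pub=$4 target=$5
    printf 'wlipolicy -m -k %s -c %s %s\n' "$old_priv" "$new_pub" "$target"
    printf 'wlipolicy -n -k %s -c %s %s\n' "$new_priv" "$old_pub" "$target"
}

# Run the transfer. Stops if step 1 fails so the policy is never left with
# a new owner authorized but the old signature still in place, then lists
# the resulting policy details with -l.
wli_transfer_owner() {
    old_priv=$1 old_pub=$2 new_priv=$3 new_pub=$4 target=$5
    wlipolicy -m -k "$old_priv" -c "$new_pub" "$target" || return 1
    wlipolicy -n -k "$new_priv" -c "$old_pub" "$target" || return 1
    wlipolicy -l "$target"
}

# Usage with assumed file names: show the plan, then run it only where
# the WLI product (and thus wlipolicy) is installed.
wli_transfer_cmds /keys/alice.priv /keys/alice.pub /keys/bob.priv /keys/bob.pub /etc/app.conf
if command -v wlipolicy >/dev/null 2>&1; then
    wli_transfer_owner /keys/alice.priv /keys/alice.pub /keys/bob.priv /keys/bob.pub /etc/app.conf
fi
```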
Options
-a Adds a file access policy to targetfile. You can add a single FLAC policy or several
IBAC policies.
-c pubkey The new owning public key when used with the -m option. When used with the -n
option, the current owning public key.
-d Deletes a policy, either of type FLAC or IBAC, from targetfile. If the policy type is
IBAC, only the policy pertaining to execfile is deleted.
-e execfile Identifies execfile as the signed executable binary in conjunction with the -v or -i
options.
-f A FLAC policy is to be added or deleted.
-h Displays wlipolicy command syntax.
-i An IBAC policy is to be added or deleted.
-k privkey File containing an RSA private key. This option is required with the -a, -d, -m,
and -n options.
-l targetfile Lists details of the file access policies for targetfile.
HP-UX 11iv3: Sep 2010 Web Release − 1 − Hewlett-Packard Company 1