wlipolicy.1 (2011 03)
wlipolicy(1) Optional WLI Product Required wlipolicy(1)
-m Identifies the new owning public key for a file access policy. This is the first step in transferring ownership, and is authorized by the current owning key to relinquish ownership.
-n Transfers key ownership of a file access policy by modifying policy metadata from ownership by the key identified with the -m option. This option is authorized by the new owning key.
-p src:val The passphrase source for privkey. For more information on passphrase source syntax, see wli(5).
-s A cryptographic fingerprint of targetfile is generated and stored. The fingerprint will then be verified by WLI before access is allowed on targetfile.
-v Verifies the integrity of policy metadata for targetfile. When used in conjunction with the -e option, execfile access to targetfile is also verified.
RETURN VALUE
wlipolicy returns the following:
Failure A message and a non-zero exit code.
Success An exit code of 0.
EXAMPLES
Add a FLAC policy to file myfile1 with private key keys/vusr.pvt and corresponding public key keys/vusr.pub. The private key passphrase is held by environment variable PASS.
% wlipolicy -f -a -k keys/vusr.pvt -p env:PASS -c keys/vusr.pub myfile1
Add an IBAC policy to file myfile with private key keys/vusr.pvt and corresponding public key keys/vusr.pub. The passphrase is contained in file mypass. The signed executable is mybin.
% wlisign -a -k keys/vusr.pvt -p file:mypass -c keys/vusr.pub mybin
% wlipolicy -i -a -k keys/vusr.pvt -p file:mypass -c keys/vusr.pub -e mybin myfile
Transfer ownership of all file access policies for myfile1 to the user with public key fredpub and private key fredpriv. The current owner’s private key is joepriv with the corresponding public key joepub. Allow the private key passphrase to be prompted for through /dev/tty for both keys.
% wlipolicy -m -c fredpub -k joepriv myfile1
% wlipolicy -n -c joepub -k fredpriv myfile1
Verify the integrity of policy metadata for joefile and verify that executable joebin is able to access file joefile.
% wlipolicy -v -e joebin joefile
Display the policy metadata for joefile.
% wlipolicy -l joefile
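Check a list of protected files in one pass, relying on the exit codes documented under RETURN VALUE. This is an added example, not part of the HP manual page; the function name wli_verify_list and the list file format are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not HP code. Assumed list format (constructed for this
# example): one entry per line, "targetfile" or "targetfile execfile";
# blank lines and lines starting with '#' are skipped. Names containing
# whitespace are not supported by this simple format.
#
# Returns 0 if every wlipolicy -v check exits 0, 1 if any check fails,
# 2 if the list cannot be read.
wli_verify_list() {
    wvl_list=$1
    wvl_failed=0
    if [ ! -r "$wvl_list" ]; then
        echo "wli_verify_list: cannot read $wvl_list" >&2
        return 2
    fi
    while read -r wvl_target wvl_exec wvl_rest; do
        case $wvl_target in
            ''|'#'*) continue ;;
        esac
        if [ -n "$wvl_exec" ]; then
            # -v with -e also verifies execfile access to targetfile.
            set -- -v -e "$wvl_exec" "$wvl_target"
        else
            set -- -v "$wvl_target"
        fi
        # stdin is detached so wlipolicy cannot consume the list.
        if wlipolicy "$@" </dev/null; then
            echo "OK   $wvl_target"
        else
            # RETURN VALUE: any non-zero exit code is a failure.
            echo "FAIL $wvl_target"
            wvl_failed=$((wvl_failed + 1))
        fi
    done <"$wvl_list"
    [ "$wvl_failed" -eq 0 ]
}
```

Any message wlipolicy prints on failure passes through unchanged, so the cause appears next to the FAIL line for that file.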
AUTHOR
wlipolicy was developed by HP.
FILES
/etc/wli/certificates WLI database file containing authorized public keys
SEE ALSO
wlicert(1), wlisign(1), wlisyspolicy(1M), wli(5).
HP-UX Whitelisting A.00.01.10 Administrator Guide at:
http://www.hp.com/go/hpux-security-docs.
2 Hewlett-Packard Company − 2 − HP-UX 11iv3: Sep 2010 Web Release