Administrator's Guide
3 Key usage
WLI defines two key types. User keys can sign executable binaries and generate file access policies.
Administrator keys have all the authority of user keys but can also be used to authorize changes
to the WLI database.
WLI depends on RSA keys for authorization of many of its command operations. A WLI command
with the “1M” manpage designation means an administrator key is required to execute at least
one command option, not the traditional root user (user ID 0). A “1” manpage indicates the
command options can be authorized with a user key. Except for wliadm -i, WLI does not
reference user or group ID for command operations.
Because an RSA private key contains all the information held within the corresponding public
key, the term “key” is synonymous with “private key”. This terminology is common in
cryptographic literature.
3.1 Generating keys
WLI administrator and user keys are generated with the openssl command tool installed on
HP-UX as part of the OpenSSL product. For the highest level of security, a 2048-bit key length
is recommended. Other supported key lengths are 512, 1024, and 1536 bits. WLI command
operations that require keys accept only files containing RSA keys in PEM format.
The openssl command also provides several cipher options for passphrase encryption of RSA
keys. Among them is the aes256 cipher, the AES-256 cipher from the Advanced Encryption
Standard chosen by the U.S. government in 2001 as a standard for encryption. The aes256 cipher
is highly recommended but not required. Any cipher offered by OpenSSL is supported by WLI.
The genrsa subcommand creates an RSA private key. For a complete synopsis, see genrsa(1).
The following is sufficient to generate keys for WLI:
% openssl genrsa [-passout <arg>] -<cipher> -out <file> <length>
where:
<arg>     is the passphrase source and value if -passout is used. If not supplied, the
          /dev/tty device prompts for it. For details, see openssl(1).
<cipher>  is the algorithm for encrypting the private key.
<file>    is the file containing the generated private key. The default file format is PEM,
          the only RSA key file format recognized by WLI.
<length>  is the number of bits in the generated private key.
If a passphrase is not specified with genrsa, the user is prompted to enter a passphrase. Using
the cipher and length recommendations mentioned previously, an example of key creation is:
% openssl genrsa -aes256 -out /wli/priv.pem 2048
The rsa subcommand displays the numerical components of an RSA key. To view the key
created in the previous example:
% openssl rsa -in /wli/priv.pem -noout -text
A prompt appears for the passphrase in this example because it is not included on the command
line. The RSA protocol for encrypting and decrypting messages treats the private key and its
passphrase as secret quantities. WLI follows this convention.
The RSA public key is a subset of the information comprising the private key. For the key
/wli/priv.pem generated above, the public key /wli/pub.pem can be extracted with the following
rsa subcommand:
% openssl rsa -in /wli/priv.pem -out /wli/pub.pem -pubout
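The following script carries the procedure above through end to end and then checks the result before the key is put to use: that the private key file is PEM and passphrase-encrypted, that it is 2048 bits long, and that the extracted public key belongs to it (same modulus). It is an added example, not part of the WLI documentation or product; the temporary directory, file names and the passphrase file are assumptions, and the -passout/-passin file: source is used only so the script runs unattended.

```shell
#!/bin/sh
# Added example (not from the HP-UX WLI guide): generate a WLI-style key pair and
# verify it before installation. Paths and passphrase are constructed for the demo.
set -eu

# Generate a passphrase-protected 2048-bit RSA private key and extract its public key.
# $1 = private key path, $2 = public key path, $3 = file holding the passphrase
wli_gen_key() {
    openssl genrsa -passout "file:$3" -aes256 -out "$1" 2048 2>/dev/null
    openssl rsa -in "$1" -passin "file:$3" -out "$2" -pubout 2>/dev/null
}

# Checks an administrator would make before trusting a key file for WLI:
# PEM format, passphrase-encrypted, 2048 bits, public key matches the private key.
# Prints "ok" and returns 0 on success; prints the first failing check and returns 1.
wli_check_key() {
    priv=$1; pub=$2; pass=$3
    grep -q -- '-----BEGIN' "$priv" || { echo "not a PEM file"; return 1; }
    # OpenSSL 1.x writes "Proc-Type: 4,ENCRYPTED"; OpenSSL 3 writes "BEGIN ENCRYPTED PRIVATE KEY"
    grep -q 'ENCRYPTED' "$priv" || { echo "private key is not passphrase-encrypted"; return 1; }
    bits=$(openssl rsa -in "$priv" -passin "file:$pass" -noout -text 2>/dev/null \
           | sed -n 's/.*(\([0-9]*\) bit.*/\1/p' | head -n 1)
    [ "$bits" = "2048" ] || { echo "key length is ${bits:-unknown}, expected 2048"; return 1; }
    m1=$(openssl rsa -in "$priv" -passin "file:$pass" -noout -modulus 2>/dev/null || true)
    m2=$(openssl rsa -pubin -in "$pub" -noout -modulus 2>/dev/null || true)
    { [ -n "$m1" ] && [ "$m1" = "$m2" ]; } || { echo "public key does not match private key"; return 1; }
    echo "ok"
}

WLI_TMP=$(mktemp -d)
printf 'constructed-demo-passphrase\n' > "$WLI_TMP/pass"   # constructed sample passphrase
wli_gen_key "$WLI_TMP/priv.pem" "$WLI_TMP/pub.pem" "$WLI_TMP/pass"
wli_check_key "$WLI_TMP/priv.pem" "$WLI_TMP/pub.pem" "$WLI_TMP/pass"
```

In a real deployment the passphrase file would be removed or never written, and the key kept where only the WLI administrator can read it.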