Administrator's Guide
7. Click Download.
8. Save the HP-UX WhiteList Infrastructure bundle as a local file on your system, for example
under the file name /tmp/<wli-depotname>.depot.
9. Verify that the depot file is saved on your system with the following command:
# swlist -d @ /tmp/<wli-depotname>.depot
10. Install the bundle:
# swinstall -x autoreboot=true -s /tmp/<wli-depotname>.depot WhiteListInf
11. Verify the installation:
# swverify WhiteListInf
If WLI is installed correctly on the system, the swverify command includes the following text
in the reported data:
Verification succeeded
WLI relies on the OpenSSL product for RSA key generation, but the OpenSSL product is not
required for installation. The latest version of OpenSSL is recommended, but any version
installable on HP-UX 11iv3 is sufficient. You can download the latest version from:
https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=OPENSSL11I
OpenSSL installs by default with every HP-UX OE release, but might have been removed or not
installed with the OE. To determine the OpenSSL version and verify its content, enter:
% swlist OpenSSL
% swverify OpenSSL
4.3 Removing WLI
The administrator should consider creating a backup of policy-protected files, signed binaries,
and metadata files. If reinstallation is planned, WLI recognizes the keys used for generating
policies and signatures, provided the keys are authorized following reinstallation.
WLI does not track access policies assigned to files and signatures generated on binaries. File
and signature metadata becomes transparent once the kernel is rebuilt without the WLI
component. WLI metadata does not impact file access or command execution once WLI is
removed.
The presence of old metadata can inhibit new policy and signature generation if WLI is reinstalled.
If reinstallation is planned, HP recommends backup and removal of all known signatures and
policies.
To remove WLI, use the following procedure:
1. Retrieve the security attributes for WLI:
% wlisyspolicy -g
If protection mode is restricted, change to maintenance.
2. Skip this step if protection mode is maintenance.
To set protection mode to maintenance:
% wlisyspolicy -s mode=maintenance -k <admin_private_key>
where:
<admin_private_key> is a WLI administrator private key. A prompt appears for the
key passphrase.
3. If the allow security downgrade attribute is deferred, a reboot is required for protection mode
to switch to maintenance. After the system reboots, verify that protection mode is maintenance:
% wlisyspolicy -g
22 Installing, removing, and upgrading