Administrator's Guide
5 Configuring
When WLI installation completes, the system reboots. The kernel rebuilt with WLI components
becomes active, enabling WLI services. By default, SD-UX configuration scripts execute following
the reboot. SD-UX configuration can optionally be postponed by the installer. Whether SD-UX
configuration completes during or following system initialization, a few manual steps are
necessary to bring WLI to a completely operational state. To take full advantage of WLI features,
perform the following tasks:
• Authorize the recovery key
• Authorize administrator keys
• Identify and sign essential DLKMs
• Back up the WLI database
• Reboot with security mode set to restricted
5.1 Authorizing the recovery key
After WLI is installed and the server is rebooted, the wliadm command must be executed to
initialize database files and authorize the recovery key. Root user (user ID 0) authority is required
to execute the initialization command:
% wliadm -i <pub_key> -k <priv_key> [-p <src:val>]
where:
<pub_key> is the public key file extracted from <priv_key> in PEM format.
<priv_key> is an OpenSSL-generated RSA key file in PEM format.
<src:val> is the passphrase source and value. If the -p option is not included, a prompt
appears for the passphrase at the /dev/tty device.
You can execute this command only once for each installation. The specified key becomes the
recovery key for WLI. The recovery key is a special key for granting administrator authority to
other RSA keys and should be stored safely. You can replace it by reinstalling WLI or restoring
the WLI database backup described in this section. After the recovery key is authorized, it can
grant WLI administrative capability to other keys. The recovery key is limited to granting
administrator capability.
5.2 Authorizing administrator keys
At least one administrator key is necessary to authorize the WLI administrator commands. To
simplify security maintenance, the number of authorized administrator keys should be minimal,
even though an unlimited number is allowed. The recovery key authorized in the previous
procedure must be used to authorize the first administrator key.
An administrator key can be used for all WLI operations, including granting itself capabilities.
For details on authorizing keys for WLI administration, see wliadm(1M). For details on granting
capabilities, see wlicert(1M).
HP recommends that all administrator keys be authorized before the reboot, because the database
file holding administrator keys cannot be backed up or restored after the system is rebooted with
WLI security mode set to restricted.
Root user (user ID 0) authority is not required to authorize a key for WLI administration. The
user must have read permission on the key and know the passphrase. To authorize an
administrator key:
% wliadm -n <user>.<instance> -k <priv_key> [-p <src:val>] <pub_key>
where:
<user> is the key identifier; user is a valid user ID.
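The two wliadm steps above (authorizing the recovery key, then using it to authorize the first administrator key), as an added shell example that is not part of the HP guide. It generates the RSA key pair in the PEM form the wliadm arguments require using OpenSSL, then composes the wliadm command lines from sections 5.1 and 5.2. The directory, file names, 2048-bit key size, the user name wliadmin, the instance name key1 and the demo passphrases are constructed values; wliadm is only executed when WLI_EXECUTE=1 is set, because "wliadm -i" may run only once per installation and requires root. The -p option is omitted so that wliadm prompts for the passphrase on /dev/tty instead of taking it from the script.

```shell
#!/bin/sh
# Added example, not from the HP-UX WLI Administrator's Guide: generate an RSA
# key pair with OpenSSL in the PEM format wliadm expects, then build the wliadm
# invocations from sections 5.1 and 5.2. Constructed values: the scratch
# directory, file names, key size (2048), user "wliadmin", instance "key1" and
# the demo passphrases. wliadm is executed only when WLI_EXECUTE=1; otherwise
# the command line is printed, since "wliadm -i" runs once per installation
# and needs root (uid 0).

set -u

# Create a passphrase-protected RSA private key and extract its public key.
# $1 = output directory, $2 = base name, $3 = passphrase (a literal here for
# the demo only; on a real system let wliadm prompt on /dev/tty instead)
wli_make_keypair() {
    dir=$1; name=$2; pass=$3
    priv="$dir/$name.pem"; pub="$dir/$name.pub.pem"
    # -aes256: the private key file is encrypted under the passphrase
    openssl genrsa -aes256 -passout "pass:$pass" -out "$priv" 2048 2>/dev/null || return 1
    chmod 600 "$priv"
    # <pub_key> must be the public half of <priv_key>, in PEM form
    openssl rsa -in "$priv" -passin "pass:$pass" -pubout -out "$pub" 2>/dev/null || return 1
    # Sanity checks on the PEM armour of both files
    grep -q -- '-----BEGIN PUBLIC KEY-----' "$pub" || return 1
    grep -q -- 'PRIVATE KEY-----' "$priv" || return 1
}

# Print a wliadm command line, or execute it when WLI_EXECUTE=1.
wli_run() {
    if [ "${WLI_EXECUTE:-0}" = 1 ]; then
        "$@"
    else
        printf 'would run: %s\n' "$*"
    fi
}

# Section 5.1: authorize the recovery key (once per installation, as root).
# $1 = private key, $2 = public key. No -p, so wliadm prompts for the passphrase.
wli_authorize_recovery_key() {
    wli_run wliadm -i "$2" -k "$1"
}

# Section 5.2: authorize an administrator key. $1 = private key that already
# holds authority (the recovery key for the first administrator key),
# $2 = user, $3 = instance, $4 = public key of the key being authorized.
wli_authorize_admin_key() {
    wli_run wliadm -n "$2.$3" -k "$1" "$4"
}

# Walk through both steps in a scratch directory.
wli_demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found; skipping"; return 0; }
    d=$(mktemp -d) || return 1
    wli_make_keypair "$d" recovery 'demo-recovery-pass' || return 1
    wli_make_keypair "$d" wliadmin 'demo-admin-pass' || return 1
    wli_authorize_recovery_key "$d/recovery.pem" "$d/recovery.pub.pem" || return 1
    wli_authorize_admin_key "$d/recovery.pem" wliadmin key1 "$d/wliadmin.pub.pem" || return 1
    rm -rf "$d"
}

wli_demo
```

Keeping the private key files mode 600 and outside any backup that is not itself protected matters here: the recovery key is the one key that can mint new administrator keys, and the guide notes it can only be replaced by reinstalling WLI or restoring the database backup.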