Administrator's Guide
7.2.1 Write protected
WLI does not inhibit reading of write protected files. Files in this class can be read and backed
up in accordance with the file ownership and permission bits. Files in this class are:
/etc/wli/certificates/*
/etc/wli.wlicert.conf
/etc/wli/wlisys.conf
/etc/wli/wlisyspolicy.conf
For backup procedures, these files can be treated the same as other directories and regular files.
Restoration of backup archives for these files is only recommended if the WLI database is
corrupted. WLI protects against writes to these file locations in restricted mode. If the WLI database
is corrupted, the entire database should be restored from the most recent archive, for internal
consistency.
For an example of the procedure for restoring files in this class using wmd capability, see
“Administration examples” (page 49).
7.2.2 Read/write protected files
Files in this class have WLI read and write protection. Even with wmd capability granted to a
command, these files cannot be backed up or restored. Files in this class are:
/etc/wli/keys/*
These files include encrypted administrator keys that are read/write protected for security reasons.
HP recommends that all WLI administrator keys be generated during initialization, followed
by a backup, while the system is in maintenance mode. Authorizing new administrator keys
should be very uncommon. Only the wliadm command updates keys in this class.
Except for files in this class, backups can be generated in restricted mode. The recovery key or
any administrator key can have its passphrase changed without affecting the WLI database.
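The two file classes in 7.2.1 and 7.2.2 can be checked mechanically when a backup list is built or when an archive listing is inspected before a restore. The following sh script is an added example, not HP code or a WLI command; the function names and the staging-prefix parameter are assumptions, and the paths are copied as printed above.

```sh
#!/bin/sh
# Print the backup class of one absolute path: write, readwrite or none.
# Patterns are the paths printed in sections 7.2.1 and 7.2.2.
wli_class() {
    case "$1" in
        /etc/wli/keys/*) echo readwrite ;;
        /etc/wli/certificates/*) echo write ;;
        /etc/wli.wlicert.conf|/etc/wli/wlisys.conf|/etc/wli/wlisyspolicy.conf) echo write ;;
        *) echo none ;;
    esac
}

# List the write protected files found under staging prefix $1 (hypothetical
# parameter for offline runs; "" means the live root). Key files are reported
# on stderr and left out, since they cannot be backed up.
wli_backup_list() {
    root=$1
    for start in "$root/etc/wli" "$root/etc/wli.wlicert.conf"; do
        if [ -e "$start" ]; then find "$start" -type f; fi
    done | sort | while IFS= read -r f; do
        p=${f#"$root"}
        case $(wli_class "$p") in
            write) printf '%s\n' "$p" ;;
            readwrite) printf 'skipped, read/write protected: %s\n' "$p" >&2 ;;
        esac
    done
}

# Read an archive member listing on stdin, one path per line, and return
# non-zero if any member is a read/write protected key file.
wli_restore_check() {
    rc=0
    while IFS= read -r m; do
        m=${m#./}
        case "$m" in /*) ;; *) m=/$m ;; esac
        if [ "$(wli_class "$m")" = readwrite ]; then
            printf 'cannot be restored: %s\n' "$m" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Demo on a constructed staging tree, not a live WLI system.
demo=${TMPDIR:-/tmp}/wli-demo.$$
mkdir -p "$demo/etc/wli/keys" "$demo/etc/wli/certificates"
: > "$demo/etc/wli/keys/admin1"; : > "$demo/etc/wli/wlisys.conf"
wli_backup_list "$demo"
rm -rf "$demo"
```
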
7.2.3 Recommendations
• Avoid adding and deleting administrator keys as much as possible because this obsoletes
a WLI database backup. A backup archive can only be refreshed in maintenance mode if
administrator keys are added or deleted. Only the wliadm command can add or delete
administrator keys.
• Refresh WLI database backups when the wlisys, wlisyspolicy, and wlicert commands are
executed. Updates from these commands can be backed up in restricted mode.
• Do not attempt to restore a WLI database backup in restricted mode. Restoring a WLI database
is only possible in maintenance mode. Backup in restricted mode should only be considered
as a disaster recovery operation.
• Do not restore a WLI database on a system different than the one for which the archive was
created. Restoring a WLI database backup on a different system results in unpredictable
behavior and WLI failure.
• Do not partially restore a WLI database. Restore the archive entirely to maintain its internal
consistency. The database maintains internal relationships between different files that must
be intact for WLI to operate correctly.
7.3 Policy protected and metadata files
Files in this class include files with access protection policies and files created by WLI to store
metadata. The WLI protections are in effect only in restricted mode. For more detail on backing
up and restoring policy protected files and metadata, see Example B-2 (page 49) and Example B-3
(page 50). For more detail on backing up policy protected files and metadata without wliwrap,
see Example B-4 (page 51).
34 Backup and restore considerations