Administrator's Guide
9 Troubleshooting and known issues
9.1 Software distributor issues
Signing an ELF formatted binary adds a signature metadata section to the binary file. This action
has the side effect of changing the file modification time and size. If the binary is delivered
as part of a product, the swverify command compares the installed file with the attributes
recorded for it in the SD-UX product database and reports the mismatch as an error.
If an error-free swverify analysis of a product is important, sign and use a copy of the
command (leaving the delivered file untouched) whenever practical. If using a copy is not
practical, update the SD-UX product database with swmodify so that the recorded attributes match
the signed file and swverify no longer reports errors.
For example, if /usr/bin/ssh and /usr/sbin/sshd are signed, clear the swverify error
with the following:
% wlisign -a -k userkey1 /usr/bin/ssh
% wlisign -a -k userkey1 /usr/sbin/sshd
% swmodify -x files='/usr/bin/ssh /usr/sbin/sshd' Secure_Shell.SECURE_SHELL
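The following script is an added example for this section; it is not part of WLI or SD-UX. It records a baseline of the delivered files before signing, reports which files changed afterwards (the same size-and-content comparison that makes swverify complain), and prints the swmodify command line with a correctly quoted file list. Only the POSIX cksum utility is used, so it runs on any system; the file names, the product name Secure_Shell.SECURE_SHELL and the simulated signature bytes in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example (not WLI or SD-UX code): baseline delivered files, detect which
# ones changed after signing, and build the swmodify command for exactly those.

# record_baseline <baseline_file> <file>...
# Store "crc size path" (cksum output) for each file in <baseline_file>.
record_baseline() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        cksum "$f" >> "$out"
    done
}

# changed_files <baseline_file>
# Print the path of every file whose CRC or size no longer matches the baseline
# (a signed binary changes both, which is why swverify registers an error).
changed_files() {
    while read -r crc size path; do
        cur=$(cksum "$path" 2>/dev/null || echo missing)
        [ "$cur" = "$crc $size $path" ] || printf '%s\n' "$path"
    done < "$1"
}

# swmodify_cmd <product.fileset> <file>...
# Print the swmodify invocation that refreshes the IPD entries of the given
# files. Returns 1 when no files are given, so nothing is run by mistake.
swmodify_cmd() {
    prod=$1; shift
    [ $# -gt 0 ] || return 1
    printf "swmodify -x files='%s' %s\n" "$*" "$prod"
}

# Demonstration with constructed files in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    printf 'ELF-ssh\n'  > "$tmp/ssh"
    printf 'ELF-sshd\n' > "$tmp/sshd"
    record_baseline "$tmp/baseline" "$tmp/ssh" "$tmp/sshd"
    # Simulate wlisign appending a signature metadata section to sshd only.
    printf 'WLISIG\n' >> "$tmp/sshd"
    changed=$(changed_files "$tmp/baseline")
    swmodify_cmd Secure_Shell.SECURE_SHELL $changed
    rm -rf "$tmp"
}

demo
```

On an HP-UX system, run record_baseline before signing, then pipe the output of changed_files into swmodify_cmd and execute the printed command; finish with swverify on the product to confirm that no errors remain.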
9.2 WLI reinstallation
Residual file access policies and signature metadata from a previous installation can interfere
with a WLI reinstallation: the old metadata can prevent generation of new file access policies
and signatures.
When WLI is removed by swremove, the WLI database must be deleted manually so that a later
reinstallation installs and configures correctly. WLI does not keep an inventory of the policies
and signed files it has created, so they are not removed when the product is removed.
This problem does not appear when WLI is upgraded to a later revision. The WLI database remains
intact, and the manual configuration steps must not be executed for WLI upgrades.
Consider the following habits for administrators and users:
• Minimize the use of administrator keys for generating policies and signatures. Removing
authorization from an administrator key invalidates more than removing it from a user key.
• Remove policies and signatures when no longer needed.
9.3 Lost WLI administrator key or passphrase
A new administrator key can always be authorized through wliadm if the recovery key is
available and its passphrase is known. Always store the recovery key and its passphrase safely.
The recovery key is useful only for authorizing administrator keys, so it can be stored apart
from the system on which it has authority.
WLI keys are wrapped (encrypted with a cipher and passphrase) by the OpenSSL genrsa
subcommand. If the passphrase is lost, no procedure exists to recover or decrypt the wrapped
private key. For security, delete any administrator key whose passphrase is unknown. To delete
an administrator key with a missing passphrase:
% wliadm -d <user>.<instance> -k <recovery_key>
For more information about generating RSA keys and authorizing as WLI administrative keys,
see “Key usage” (page 19) and wliadm(1).
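Because a wrapped key whose passphrase is lost cannot be recovered, it pays to verify that the stored passphrase still unlocks the stored key, for the recovery key in particular, before it is needed. The script below is an added example for this section, not part of WLI; it wraps a throwaway RSA key with openssl genrsa the way the guide describes, and checks a passphrase against a wrapped key without placing the passphrase on the command line (it is passed through an environment variable, so it does not appear in ps output or shell history). The key size, file names and passphrases are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not WLI code): confirm that a passphrase unlocks a wrapped
# private key before relying on it.  Uses only the openssl command line tool.

# wrap_test_key <out_file> <passphrase>
# Generate a passphrase-wrapped RSA key, as the guide says WLI does with genrsa.
# The passphrase is handed over via an environment variable, not argv.
wrap_test_key() {
    WLI_EXAMPLE_PASS=$2 openssl genrsa -aes256 -passout env:WLI_EXAMPLE_PASS \
        -out "$1" 2048 2>/dev/null
}

# check_key_passphrase <key_file> <passphrase>
# Return 0 if the passphrase decrypts the wrapped key, non-zero otherwise.
# No key material is written anywhere: -noout discards the decrypted key.
check_key_passphrase() {
    WLI_EXAMPLE_PASS=$2 openssl rsa -in "$1" -passin env:WLI_EXAMPLE_PASS \
        -noout 2>/dev/null
}

# Demonstration: a correct and a wrong passphrase against the same key.
demo() {
    command -v openssl >/dev/null || { echo "openssl not installed"; return 0; }
    tmp=$(mktemp -d)
    wrap_test_key "$tmp/recovery_key.pem" 'correct-passphrase'
    if check_key_passphrase "$tmp/recovery_key.pem" 'correct-passphrase'; then
        echo "stored passphrase unlocks the key"
    fi
    if ! check_key_passphrase "$tmp/recovery_key.pem" 'wrong-passphrase'; then
        echo "wrong passphrase rejected: the key stays unrecoverable without it"
    fi
    rm -rf "$tmp"
}

demo
```

Run check_key_passphrase against the archived recovery key whenever the archive is refreshed; a non-zero result means the backup is useless and a new administrator key should be authorized while a working recovery key still exists.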
9.4 WLI database corruption
The database can become corrupted if the underlying storage device sustains physical damage.
If the files comprising the database lose their integrity, WLI can behave unpredictably.
In that case, the WLI database must be restored from an archive.