Administrator's Guide

B Administration examples
Example B-1 Execute manual WLI configuration
The recovery key is authorized by root user:
# wliadm -i recov.pub -k recov.pvt
RSA key adm1.pvt is generated per HP recommendations and its public key extracted:
# openssl genrsa -aes256 -out adm1.pvt 2048
# openssl rsa -in adm1.pvt -out adm1.pub -pubout
RSA key adm1.pvt is granted WLI administrator authority by the recovery key:
# wliadm -n adm1.key1 -k recov.pvt adm1.pub
The public key extracted from adm1.pvt is adm1.pub. User root must know the passphrase
for recov.pvt, but does not know the passphrase for adm1.pvt. User adm1 is a user listed in
/etc/passwd, and knows the passphrase for adm1.pvt.
Because adm1.pvt has WLI administrator authority, it can authorize itself for all capabilities:
# wlicert -c adm1.key1 -o mem,wmd,dlkm,api -s -k adm1.pvt
Any user can visually verify this key as an administrator key with all capabilities:
% wlicert -l adm1.key1
The rng DLKM must be signed along with several others. The loaded DLKMs are listed and
signed (only rng signing displayed):
% kcmodule | grep loaded
% cd /usr/conf/mod
% wlisign -a -k /home/adm1/adm1.pvt rng
The system does not have Symantec NetBackup installed and therefore must have policy metadata
stored in files to create policy protected file backups:
% wlisys -s wmdstoretype=pseudo -k /home/adm1/adm1.pvt
Security guidelines specify that only one WLI administrator key can be authorized. Because the WLI
security mode is not yet restricted, the read/write protected portion of the WLI database can still
be read and archived:
% tar -cvf wlikeydb.tar /etc/wli/keys
The security mode can now be switched to restricted:
% wlisyspolicy -s mode=restricted -k /home/adm1/adm1.pvt
All administrative commands needed for the immediate future have now been executed. The WLI
database archive is now updated with the WLI database files that have only write protection:
% tar -rvf wlikeydb.tar /etc/wli/certificates /etc/wli/*.conf
The system is now ready for shutdown and reboot.
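In the steps above, wliadm grants administrator authority to whatever adm1.pub it is handed. As an added example that is not part of the HP guide, the shell function below checks, before wliadm is run, that the private key is passphrase protected, is owned by and readable only by the administrator user, and that the public key really derives from it. It assumes OpenSSL is installed and reads the passphrase from a PVT_PASS environment variable (a name chosen for this example); no WLI commands are invoked.

```shell
#!/bin/sh
# Added example, not from the HP WLI guide: pre-flight checks on an
# administrator key pair before root grants it authority with wliadm.
# Assumes OpenSSL is installed. The private key passphrase is read from
# the PVT_PASS environment variable (a name chosen for this example) so
# that it never appears on a command line.
#
# Usage: verify_admin_keypair adm1.pvt adm1.pub adm1

verify_admin_keypair() {
    pvt=$1; pub=$2; owner=$3

    # 1. The private key must be passphrase protected (-aes256 in genrsa).
    #    Both PKCS#8 and legacy PEM encrypted keys carry the word ENCRYPTED.
    if ! grep -q 'ENCRYPTED' "$pvt"; then
        echo "FAIL: $pvt is not passphrase protected"; return 1
    fi

    # 2. The private key must be owned by the administrator and readable
    #    only by that user; root is not meant to be able to use this key.
    set -- $(ls -ld "$pvt")
    mode=$1; fowner=$3
    case "$mode" in
        -rw-------*) ;;
        *) echo "FAIL: $pvt has mode $mode, expected -rw-------"; return 1 ;;
    esac
    if [ "$fowner" != "$owner" ]; then
        echo "FAIL: $pvt is owned by $fowner, expected $owner"; return 1
    fi

    # 3. The public key handed to wliadm must belong to this private key:
    #    re-derive it from the private key and compare byte for byte.
    derived=$(openssl rsa -in "$pvt" -passin env:PVT_PASS -pubout 2>/dev/null) || {
        echo "FAIL: cannot read $pvt (wrong passphrase?)"; return 1; }
    if [ "$derived" != "$(cat "$pub")" ]; then
        echo "FAIL: $pub does not match $pvt"; return 1
    fi
    echo "OK: $pvt and $pub are a passphrase-protected pair owned by $owner"
    return 0
}
```

Run it as the administrator user (adm1 in the guide), not as root, so the passphrase stays with the key owner.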
Example B-2 Backing up policy protected files
HP recommends using wliwrap to backup and restore policy protected files and associated
metadata when restricted mode is in effect. To avoid granting permanent wmd capability to the
backup and restore commands, use wliwrap to enable wmd only for a single execution of a
command.
The user owns key adm1.pvt, which was granted administrator authority in Example B-1
(page 49).
For this example, /usr/bin/tar is used for both backup and restore. Other HP-UX or vendor
product commands, such as cpio or commands included with Symantec NetBackup, can be
substituted for tar backup and restore operations.
49