Administrator's Guide

ManualsBrandsHP ManualsSoftwareHP-UX Security Products and Features Software

Using the administrator key adm1.pvt for authorization, tar is invoked as a child process of

wliwrap. For details about the key signing and granting wmd, see Example B-2 (page 49).

You must restore the archive onto a file system with the same type of metadata storage as the

generated archive. Otherwise, WLI can not enforce the policies.

If the archive metadata storage type is unknown, execute the following to look for policy metadata

files:

% tar -vtf tartest.tar

rwxrwxrwx 0/0 0 Aug 8 02:32 2010 ./tartest/.$WLI_POLICY$/

rwxrwxrwx 0/0 2048 Aug 8 02:52 2010 ./tartest/.$WLI_POLICY$/tfile1

rw-r--r-- 0/3 2048 Aug 6 03:21 2010 ./tartest/.$WLI_POLICY$/tfile2

rw-r--r-- 0/3 2048 Aug 8 02:47 2010 ./tartest/.$WLI_POLICY$/tfile3

The archive contains metadata stored in regular files, not VxFS named streams.

To determine which policy protected files are already on the file system and the storage type,

locate the file system root directory and query the metadata storage type:

% bdf mydir

Filesystem kbytes used avail %used Mounted on

/dev/vg00/lvol4 5242880 85192 5117472 2% /tmp

% cat /tmp/'.$WLI_FSPARMS$'

wmdtype=pseudo

The file system and archive storage types match, and it is safe to proceed.

If the file system root directory does not contain a .$WLI_FSPARMS$ file, the file system cannot

contain policy protected files. If the file system has no policy protected files, the metadata storage

type is determined by the value of the wmdstoretype attribute set with wlisys, not the metadata

files restored from the archive. The user can set the correct storage type if necessary:

% wlisys -k adm1.pvt -s wmdstoretype=pseudo

The archive is now restored:

% wliwrap -k adm1.pvt -o wmd "/tar -xvf wrap.tar /tmp/tartest"

wliwrap: process capability wmd set

wliwrap: executing command: tar -xvf wrap.tar /tmp/tartest

x ./tartest/tfile1 1 blocks

x ./tartest/tfile2 1 blocks

x ./tartest/tfile3 1 blocks

x ./tartest/.$WLI_POLICY$/tfile1 4 blocks

x ./tartest/.$WLI_POLICY$/tfile2 4 blocks

x ./tartest/.$WLI_POLICY$/tfile3 4 blocks

Similar to Example B-2 (page 49), metadata files under .$WLI_SIGNATURE$ directories and

.$WLI_FSPARMS$ files can also be restored with the wliwrap command. Therefore, an entire

file system can be restored with this procedure.

Example B-4 Backup and restore without wliwrap

The alternative to temporarily granting wmd capability with wliwrap is to permanently grant

wmd with wlisign. This example describes how to create an archive containing policy protected

files with a backup command granted permanent wmd capability. The archive is then restored

with a restore command also granted permanent wmd capability.

For this example, the platform has VxFS 5.0.1 file systems installed and the wmdstoretype attribute

has value auto, set by the wlisys command. This combination implies that named data streams

are used to store policy protected metadata. Veritas NetBackup is then required to backup files

with named data streams. The bpbackup and bprestore commands are installed for backup

and restore operations respectively.

The commands are signed and granted wmd:

% wlisign -a -k adm1.pvt -o wmd /usr/openv/netbackup/bin/bpbackup

% wlisign -a -k adm1.pvt -o wmd /usr/openv/netbackup/bin/bprestore