HP-UX Whitelisting A.01.02 Administrator Guide (766164-001, March 2014)

6. Enter your registration information. Read and accept the Terms and Conditions and the Software
License Agreement. Click Next.
7. Click Download.
8. Save the HP-UX WhiteList Infrastructure bundle as a local file on your system, for example
/tmp/<wli-depotname>.depot.
9. Verify the depot file is saved on your system with the following command:
# swlist -d @ /tmp/<wli-depotname>.depot
10. Install the bundle:
# swinstall -x autoreboot=true -s /tmp/<wli-depotname>.depot WhiteListInf
11. Verify the installation:
# swverify WhiteListInf
If WLI is installed correctly on the system, the swverify command includes the following text in
the reported data:
Verification succeeded
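Steps 9 to 11 as a fail-closed POSIX shell wrapper. This is an added example, not part of the HP guide; the function names are hypothetical, and it assumes the swlist -d listing names the WhiteListInf bundle and that swverify exits 0 on success. Verification is kept as a separate phase because swinstall is invoked with autoreboot=true.

```shell
#!/usr/bin/sh
# Added example, not HP's code. Assumptions: the swlist -d listing names the
# bundle, and swverify exits 0 on success. Function names are hypothetical.
BUNDLE=WhiteListInf

# Step 9: the depot must be readable and must contain the expected bundle.
check_depot() {
    listing=$(swlist -d @ "$1" 2>&1) || { echo "cannot read depot $1" >&2; return 1; }
    case $listing in
        *"$BUNDLE"*) return 0 ;;
    esac
    echo "$BUNDLE not listed in $1" >&2
    return 1
}

# Step 11: require both a zero exit status and the marker text from the guide.
verify_product() {
    rc=0
    report=$(swverify "$1" 2>&1) || rc=$?
    case $report in
        *'Verification succeeded'*) [ "$rc" -eq 0 ] && return 0 ;;
    esac
    echo "swverify $1 did not succeed (exit $rc)" >&2
    return 1
}

# Phase 1 (steps 9 and 10): install only when the depot check passes.
install_wli() {
    check_depot "$1" || return 1
    swinstall -x autoreboot=true -s "$1" "$BUNDLE"
}

# Phase 2 (step 11, run once the host is back up), plus the OpenSSL check.
postcheck_wli() {
    verify_product "$BUNDLE" || return 1
    # OpenSSL is not required for installation, so its absence is only a warning.
    if swlist OpenSSL >/dev/null 2>&1; then
        verify_product OpenSSL || echo "warning: OpenSSL failed swverify" >&2
    else
        echo "warning: OpenSSL missing; WLI uses it for RSA key generation" >&2
    fi
    return 0
}

case "${1:-}" in
    install)   install_wli "${2:?depot path required}" ;;
    postcheck) postcheck_wli ;;
esac
```

Run it with the install argument and the depot path first, then with postcheck after the system is back up.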
WLI relies on the OpenSSL product for RSA key generation, but the OpenSSL product is not required
for installation. The latest version of OpenSSL is recommended, but any version installable on
HP-UX 11iv3 is sufficient. You can download the latest version from:
https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=OPENSSL11I
OpenSSL installs by default with every HP-UX OE release, but might have been removed or not
installed with the OE. To determine the OpenSSL version and verify its content, enter:
# swlist OpenSSL
# swverify OpenSSL
Removing WLI
The administrator must consider creating a backup of policy-protected files, signed binaries, and
metadata files. If reinstallation is planned, keys used for generating policies and signatures are
recognized by WLI provided the keys are authorized following reinstallation.
WLI does not track access policies assigned to files and signatures generated on binaries. File and
signature metadata becomes transparent once the kernel is rebuilt without the WLI component.
WLI metadata does not impact file access or command execution once WLI is removed.
The presence of old metadata can inhibit new policy and signature generation if WLI is reinstalled.
If reinstallation is planned, HP recommends backup and removal of all known signatures and
policies.
To remove WLI, use the following procedure:
1. Check if WLI is enabled:
% kcmodule wli
If the state is not static, go to step 5; otherwise, continue.
2. Retrieve the security attributes for WLI:
% wlisyspolicy -g
If protection mode is restricted, change to maintenance.
3. Skip this step if protection mode is maintenance.
To set protection mode to maintenance:
% wlisyspolicy -s mode=maintenance -k <admin_private_key>
where:
<admin_private_key> is a WLI administrator private key. A prompt appears for the
key passphrase.
18 Installing, removing, and upgrading