HP-UX Whitelisting A.01.02 Administrator Guide (766164-001, March 2014)

IMPORTANT: This procedure must be performed as the root user. Root authority is required to
load and unload DLKMs.
1. Unload the DLKM:
# kcmodule rng=unused
2. Sign the DLKM:
# wlisign -a -k /home/jane/jane.priv /usr/conf/mod/rng
3. Load the DLKM:
# kcmodule rng=best
where:
jane is a valid user ID.
jane.priv is the key identifier.
priv is an arbitrary string chosen by the administrator.
It is important that the DLKM is reloaded after signing. Repeat these steps for all DLKMs loaded
during boot. A root user must repeat these steps if /usr/conf/mod/rng is replaced by a software
update.
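As an added example, not part of the HP guide, the following POSIX shell wrapper carries out steps 1 to 3 for a list of DLKMs in one pass, checking that the module file and key exist first and always reloading the module after the signing attempt. The kcmodule and wlisign invocations and the /usr/conf/mod path are taken from the procedure above; the function names and the WLI_DRY_RUN and WLI_MODDIR variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the HP guide): re-sign DLKMs with the
# unload / sign / reload sequence, so that no module is signed while
# loaded and no module is left unloaded afterwards.
# Assumed switches for this example: WLI_DRY_RUN=1 prints each command
# instead of running it; WLI_MODDIR overrides /usr/conf/mod.

run_cmd() {
    if [ "${WLI_DRY_RUN:-0}" = "1" ]; then
        echo "DRY: $*"
    else
        "$@"
    fi
}

# wli_resign_dlkm <module name> <private key file>
# Returns 0 on success, 1 if not root, 2 if a file is missing,
# 3/4 if unload/reload fails, or the wlisign exit status.
wli_resign_dlkm() {
    mod="$1"; key="$2"; moddir="${WLI_MODDIR:-/usr/conf/mod}"
    modfile="$moddir/$mod"
    if [ "${WLI_DRY_RUN:-0}" != "1" ] && [ "$(id -u)" -ne 0 ]; then
        echo "must run as root (kcmodule needs root)" >&2; return 1
    fi
    [ -f "$modfile" ] || { echo "missing module: $modfile" >&2; return 2; }
    [ -f "$key" ]     || { echo "missing key: $key" >&2; return 2; }
    run_cmd kcmodule "$mod=unused" || return 3
    # Sign while unloaded; whatever the result, reload so the module is
    # not left out of the kernel (the new signature takes effect on reload).
    rc=0
    run_cmd wlisign -a -k "$key" "$modfile" || rc=$?
    run_cmd kcmodule "$mod=best" || return 4
    return $rc
}

# wli_resign_all <private key file> <module...>
# Loop for "all DLKMs loaded during boot"; stops at the first failure.
wli_resign_all() {
    key="$1"; shift
    for m in "$@"; do
        wli_resign_dlkm "$m" "$key" || return $?
    done
}
```

Run it as root with the same key used in step 2, for example `wli_resign_all /home/jane/jane.priv rng`, after each software update that replaces a signed module.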
Backing up the WLI database
After all administrator keys are authorized, HP recommends backing up the WLI database while
the security mode is maintenance. A backup of the administrator key files is not possible after
WLI is operational in restricted mode. For details of the WLI database, see Section (page 13).
For more information about backup, see Section (page 26). To back up the WLI database in
maintenance mode:
% tar -cf wli.tar /etc/wli
For this example, tar is used. Proprietary backup utilities or cpio also work.
No procedure changes are required for restoring a database backup in maintenance mode.
In restricted mode, a database backup cannot be restored because of read/write protection
on administrator key storage.
Rebooting to restricted mode
WLI is installed and configured while the security mode is set to maintenance. This mode disables
all WLI file and resource protection, allowing the installer to complete all the previous steps.
After all administrator keys are authorized and a WLI database backup is generated, the system
can be rebooted for WLI to operate in restricted mode:
% wlisyspolicy -s mode=restricted -k <wli_admin_key>
The following must be executed by root user:
# shutdown -r
Following reboot, WLI is completely operational in the secure restricted mode.
22 Configuring