HP-UX Whitelisting A.01.02 Administrator Guide (766164-001, March 2014)
B Administration examples
Example 1 Execute manual WLI configuration
The recovery key is authorized by the root user:
# wliadm -i recov.pub -k recov.pvt
RSA key adm1.pvt is generated per HP recommendations and its public key extracted:
# openssl genrsa -aes256 -out adm1.pvt 2048
# openssl rsa -in adm1.pvt -out adm1.pub -pubout
RSA key adm1.pvt is granted WLI administrator authority by the recovery key:
# wliadm -n adm1.key1 -k recov.pvt adm1.pub
The public key extracted from adm1.pvt is adm1.pub. User root must know the passphrase for
recov.pvt, but does not know the passphrase for adm1.pvt. User adm1 is a user listed in
/etc/passwd, and knows the passphrase for adm1.pvt.
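The key generation above relies on two properties that are worth checking before the recovery key grants adm1.pub administrator authority: that adm1.pub really is the public half of adm1.pvt, and that adm1.pvt cannot be opened without the passphrase only adm1 knows. The following is an added example, not part of the HP-UX guide or the WLI tool set; it uses only openssl, so it runs on any host. The key basenames and passphrases are illustrative, and the helper names are my own.

```sh
# Added example (not from the HP-UX guide): generate an administrator key pair
# the way the guide does, then check that the public key belongs to the private
# key, that the key is 2048 bits, and that a wrong passphrase is rejected.
# Names, passphrases and helper functions here are illustrative, not WLI's.

# Generate a 2048-bit RSA key encrypted with AES-256 and extract its public key.
# $1 = basename (adm1 -> adm1.pvt and adm1.pub), $2 = passphrase for the private key.
gen_admin_key() {
    name=$1; pass=$2
    openssl genrsa -aes256 -passout "pass:$pass" -out "$name.pvt" 2048 2>/dev/null &&
    openssl rsa -in "$name.pvt" -passin "pass:$pass" -pubout -out "$name.pub" 2>/dev/null
}

# Hex modulus of a private key (needs its passphrase) or of a public key.
priv_modulus() {
    openssl rsa -in "$1" -passin "pass:$2" -noout -modulus 2>/dev/null | sed 's/^Modulus=//'
}
pub_modulus() {
    openssl rsa -pubin -in "$1" -noout -modulus 2>/dev/null | sed 's/^Modulus=//'
}

# Bit length of a public key's modulus (4 bits per hex digit).
pub_key_bits() {
    echo $(( $(pub_modulus "$1" | tr -d '\n' | wc -c) * 4 ))
}

# 0 if $2 is the public half of private key $1 (unlocked with passphrase $3)
# and the modulus is 2048 bits, as the guide's genrsa command requests.
verify_keypair() {
    priv=$(priv_modulus "$1" "$3")
    [ -n "$priv" ] &&
    [ "$priv" = "$(pub_modulus "$2")" ] &&
    [ "$(pub_key_bits "$2")" -eq 2048 ]
}

# 0 if private key $1 cannot be opened with passphrase $2. This is what root,
# who does not know adm1's passphrase, experiences with adm1.pvt.
passphrase_rejected() {
    ! openssl rsa -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

# Typical use, mirroring the guide's steps for adm1:
#   gen_admin_key adm1 'passphrase-known-only-to-adm1'
#   verify_keypair adm1.pvt adm1.pub 'passphrase-known-only-to-adm1' && echo "adm1.pub matches adm1.pvt"
```

Run the check as adm1 (who holds the passphrase) before handing adm1.pub to root for the `wliadm -n` step; comparing the modulus from both files is enough to prove the pair belongs together, and a failed `passphrase_rejected` would indicate the private key was written unencrypted.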
Because adm1.pvt has WLI administrator authority, it can authorize itself for all capabilities:
# wlicert -c adm1.key1 -o mem,wmd,dlkm,api -s -k adm1.pvt
Any user can visually verify this key as an administrator key with all capabilities:
% wlicert -l adm1.key1
The rng DLKM must be signed along with several others. The loaded DLKMs are listed and signed
(only rng signing displayed):
% kcmodule | grep loaded
% cd /usr/conf/mod
% wlisign -a -k /home/adm1/adm1.pvt rng
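The guide shows only the rng signing, but every loaded DLKM has to be signed, and a loose `grep loaded` can match the word anywhere on a kcmodule line. The following added example, not from the HP-UX guide, signs each module whose State column is exactly "loaded" and stops at the first failure. It assumes (my assumption, not stated in the guide) that kcmodule prints a header line followed by one module per line with the name in column 1 and the state in column 2; the sample listing and module names are constructed so the listing logic runs offline, and the wlisign invocation is the one the guide shows for rng.

```sh
# Added example, not from the HP-UX guide: sign every loaded DLKM rather than
# one module at a time. Assumption (mine): kcmodule prints a header line and
# then one module per line, module name in column 1, state in column 2.

# kcmodule output, constructed here so the listing logic can run offline.
SAMPLE_KCMODULE='Module            State    Cause     Notes
rng               loaded   explicit  auto-loadable, unloadable
usbd              static   best
krs               loaded   best      auto-loadable, unloadable
vxfs              static   best'

# Names of modules whose State column is exactly "loaded". A plain
# `grep loaded` would also match the word anywhere else on the line.
loaded_modules() {
    printf '%s\n' "$1" | awk 'NR > 1 && $2 == "loaded" { print $1 }'
}

# Sign each loaded module with the administrator key, stopping at the first
# failure so a half-signed set is noticed before the reboot.
# $1 = kcmodule output, $2 = private key, $3 = signing command
# (default wlisign; "echo wlisign" gives a dry run), $4 = module directory.
sign_loaded_modules() {
    kc_out=$1; key=$2; signer=${3:-wlisign}; moddir=${4:-/usr/conf/mod}
    cd "$moddir" || return 1
    for m in $(loaded_modules "$kc_out"); do
        $signer -a -k "$key" "$m" || return 1
    done
}

# Real use on the HP-UX host, as user adm1:
#   sign_loaded_modules "$(kcmodule)" /home/adm1/adm1.pvt
```

Because `sign_loaded_modules` changes directory, call it from a subshell, as the usage line does implicitly when captured, or from a script; a dry run with `"echo wlisign"` as the third argument prints the exact commands that would be executed on the target.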
The system does not have Symantec NetBackup installed and therefore must have policy metadata
stored in files to create policy protected file backups:
% wlisys -s wmdstoretype=pseudo -k /home/adm1/adm1.pvt
Security guidelines specify that only one WLI administrator key can be authorized. Because the
WLI security mode has not yet been switched to restricted, the read/write protected portion of
the WLI database can still be read and archived:
% tar -cvf wlikeydb.tar /etc/wli/keys
The security mode can now be switched to restricted:
% wlisyspolicy -s mode=restricted -k /home/adm1/adm1.pvt
All administrative commands needed for the immediate future have now been executed. The WLI
database archive is now updated with the WLI database files that have only write protection
(and so remain readable in restricted mode):
% tar -rvf wlikeydb.tar /etc/wli/certificates /etc/wli/*.conf
The system is now ready for shutdown and reboot.