HP-UX Whitelisting Version A.01.02 Release Notes (766165-001, March 2014)
% wliadm -i <pub_key> -k <priv_key> [-p <src:val>]
where:
<pub_key> is the public key file extracted from <priv_key> in PEM format.
<priv_key> is an OpenSSL-generated RSA key file in PEM format.
<src:val> is the passphrase source and value. If the -p option is not included, a prompt
appears for the passphrase at the /dev/tty device.
You can execute this command only once for each installation. The specified key becomes the
recovery key for WLI. The recovery key is a special key for granting administrator authority to other
RSA keys and must be stored safely. You can replace it by reinstalling WLI or restoring the WLI
database backup described in this section. After the recovery key is authorized, it can grant WLI
administrative capability to other keys. The recovery key is limited to granting administrator
capability.
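
Because wliadm -i can be executed only once per installation, it helps to confirm beforehand that <pub_key> really was extracted from <priv_key> and that the passphrase in hand opens the key. The following pre-flight check is an added example, not part of the HP release notes or of WLI; the function name check_recovery_pair, the WLI_PASS environment variable and the owner-only permission rule are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the HP release notes): pre-flight check to run
# before the one-time "wliadm -i <pub_key> -k <priv_key>".
# Assumptions: the function name, the WLI_PASS variable that carries the
# passphrase, and the owner-only permission rule are illustrative.

# check_recovery_pair PUB PRIV
# Returns 0 if the pair is consistent, 1 if the private key cannot be
# opened with $WLI_PASS, 2 if PUB is not the public half of PRIV,
# 3 if PRIV is missing or accessible to group/others.
check_recovery_pair() {
    pub=$1
    priv=$2

    # The recovery key must be stored safely: owner-only permissions.
    case $(ls -ld "$priv" 2>/dev/null) in
        -???------*) ;;
        *) echo "private key missing or accessible to group/others" >&2
           return 3 ;;
    esac

    # Prove the passphrase opens the RSA key, and derive its public key.
    derived=$(openssl rsa -in "$priv" -passin env:WLI_PASS -pubout 2>/dev/null) || {
        echo "cannot read RSA private key with the supplied passphrase" >&2
        return 1
    }

    # Re-encode the supplied public key so both are in the same PEM form.
    supplied=$(openssl rsa -pubin -in "$pub" -pubout 2>/dev/null) || {
        echo "public key file is not a PEM RSA public key" >&2
        return 2
    }

    if [ "$derived" != "$supplied" ]; then
        echo "public key was not extracted from this private key" >&2
        return 2
    fi
    return 0
}

# Stand-alone use: sh preflight.sh <pub_key> <priv_key>
if [ $# -eq 2 ]; then
    check_recovery_pair "$1" "$2" && echo "OK: wliadm -i $1 -k $2"
fi
```
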
Authorizing administrator keys
At least one administrator key is necessary to authorize the WLI administrator commands. To
simplify security maintenance, the number of authorized administrator keys must be minimal, even
though an unlimited number is allowed. The recovery key generated in the previous procedure
must be used to authorize the first administrator key.
An administrator key can be used for all WLI operations, including granting itself capabilities. For
details on authorizing keys for WLI administration, see wliadm(1M). For details on granting
capabilities, see wlicert(1M).
HP recommends authorizing all administrator keys before the reboot because the database file
holding administrator keys cannot be backed up or restored after the system is rebooted with WLI
security mode set as restricted.
Root user (user ID 0) authority is not required to authorize a key for WLI administration. The user
must have read permission on the key and know the passphrase. To authorize an administrator
key:
% wliadm -n <user>.<instance> -k <priv_key> [-p <src:val>] <pub_key>
where:
<user> is the key identifier; user is a valid user ID.
<instance> is the key identifier; instance is a string chosen by an administrator.
<priv_key> is the recovery key or previously authorized administrator key.
<src:val> is the passphrase source and value. If the -p option is not included, a prompt
appears for the passphrase at the /dev/tty device.
<pub_key> is the public key being authorized for WLI administrator authority.
Changing administrator key passphrases does not impact WLI database files. Generating a new
WLI database backup following passphrase changes to user or administrator keys is not necessary.
Signing DLKMs
WLI protects a system against rogue DLKMs in restricted mode. For a DLKM to be loaded by
the system during boot, it must be signed with wlisign using an authorized key. The signing key
does not require dlkm capability. The signature permits the DLKM to be authenticated by WLI
before it is loaded.
One essential DLKM that loads during boot is the Kernel Random Number Generator,
/usr/conf/mod/rng. Before setting WLI to restricted mode and rebooting the system, it is
necessary to sign this DLKM. If /home/jane/jane.priv is a key with WLI administration authority,
the following procedure allows /usr/conf/mod/rng to load and initialize during boot: