HP UX Security Products and Features Software manual Key usage, Generating keys

Page 19

3 Key usage

WLI defines two key types. User keys can sign executable binaries and generate file access policies. Administrator keys have all the authority of user keys, but also can be used to authorize changes to the WLI database.

WLI depends on RSA keys for authorization of many of its command operations. A WLI command with the “1M” manpage designation means an administrator key is required to execute at least one command option, not the traditional root user (user ID 0). A “1” manpage indicates the command options can be authorized with a user key. Except for wliadm -i, WLI does not reference user or group ID for command operations.

Because an RSA private key contains all the information held within the corresponding public key, the term “key” is synonymous with “private key”. This terminology is common in cryptographic literature.

3.1 Generating keys

WLI administrator and user keys are generated with the openssl command tool installed on HP-UX as part of the OpenSSL product. For the highest level of security, a 2048 bit key length is recommended. Other supported key lengths are 512, 1024, and 1536 bits. Files with RSA keys in PEM format are required for WLI command operations that require keys.

The openssl command also provides several cipher options for passphrase encryption of RSA keys. The aes256 cipher is among the ciphers offered by OpenSSL. This cipher is the AES-256 cipher from the Advanced Encryption Standard chosen by the U.S. government in 2001 as a standard for encryption. The aes256 cipher is highly recommended but not required. Any cipher offered by OpenSSL is supported by WLI.

The genrsa subcommand creates an RSA private key. For a complete synopsis, see genrsa(1). The following is sufficient to generate keys for WLI:

%openssl genrsa [-passout <arg>] -<cipher>-out <file> <length> where:

<arg>

is the passphrase source and value if -passoutis used. If not supplied, the /dev/

 

tty device prompts for it. For details, see openssl(1).

<cipher> is the algorithm for encrypting the private key.

<file>

is the file containing the generated private key. The default file format is PEM, the

 

only RSA key file format recognized by WLI.

<length> is the number of bits in the generated private key.

If a passphrase is not specified with genrsa, the user is prompted to enter a passphrase. Using the cipher and length recommendations mentioned previously, an example of key creation key is:

%openssl genrsa -aes256 -out /wli/priv.pem 2048

The rsa subcommand displays the numerical components of an RSA key. To view the key created in the previous example:

%openssl rsa -in /wli/priv.pem -noout -text

A prompt appears for the passphrase in this example because it is not included. RSA protocol for encrypting and decrypting messages intends that the private key and its passphrase are secret quantities. WLI follows this convention.

The RSA public key is a subset of the information comprising the private key. For the key /wli/ priv.pem generated above, the public key /wli/pub.pem can be extracted with the following rsa subcommand:

%openssl rsa -in /wli/priv.pem -out /wli/pub.pem -pubout

3.1 Generating keys

19

Image 19
Contents HP-UX Whitelisting A.01.00 Administrator Guide Copyright 2010 Hewlett-Packard Development Company, L.P Table of Contents HP Serviceguard considerations Glossary Index List of Figures List of Examples Page File access policies Security featuresFile lock access controls Capabilities Identity-based access controls4 api Page WLI architecture Product overviewApplication API CommandsApplications WLI metadata files WLI database3 .$WLISIGNATURE$ Page Generating keys Key usageUser keys Administrator keysInstallation requirements Installing, removing, and upgradingInstalling WLI Removing WLI Upgrading WLI Page Authorizing the recovery key ConfiguringAuthorizing administrator keys Backing up the WLI database Signing DLKMsRebooting to restricted mode Page Signing an executable binary Enhancing security with WLICreating a Flac policy Enabling DLKMs to load during boot Removing a file access policyCreating an Ibac policy # kcmodule ciss=unused # wlisign -a -k /home/admin1/adminpriv /usr/conf/mod/cissWlisign -a -k adminpriv /usr/sbin/kcmodule Loading unsigned DLKMsPage Overview Backup and restore considerationsWLI database files Recommendations Policy protected and metadata filesWrite protected Read/write protected filesIbac policies Flac policiesMetadata files Page Administration HP Serviceguard considerationsWLI database Policy protected files Lost WLI administrator key or passphrase Troubleshooting and known issuesSoftware distributor issues WLI reinstallation# kcmodule wli=unused # shutdown -r Wlisyspolicy -s mode=maintenance -k adminkeySu root # rm -r /etc/wli # tar -xf /tmp/wlikeydb.tarContacting HP Support and other resourcesRelated information Websites Typographic conventionsUser input Times Page # su wliusr1 # make cleanInstructions # make allIbac add and delete program Flac add and delete programIbac add and delete program Page Administration examples Su root # wlisign -a -k adm1.pvt /usr/bin/tar Wlicert -s -c wli.admin1 -o wmd -k adm1.pvtWlisys -k adm1.pvt -s wmdstoretype=pseudo Tar -vtf tartest.tarBdf mydir Cat /tmp/.$WLIFSPARMS$Bprestore -f backuplist Bpbackup -f backuplistAuthorizing a user key Quick setup examplesConfiguring WLI Authorizing an administrator keyEnabling a Flac policy Testing a Flac policyFlac policies Creating a Flac policyIbac policies Removing an Ibac policy Disabling an Ibac policyASM GlossaryPage Index SymbolsIndex
Related manuals
Manual 130 pages 58.55 Kb