HP UX Security Products and Features Software manual Configuring, Authorizing the recovery key

Page 25

5 Configuring

When WLI installation completes, the system reboots. The kernel rebuilt with WLI components becomes active, enabling WLI services. By default, SD-UX configuration scripts execute following the reboot. SD-UX configuration can optionally be postponed by the installer. Whether SD-UX configuration completes during or following system initialization, a few manual steps are necessary to bring WLI to a completely operational state. To take full advantage of WLI features, perform the following tasks:

Authorize the recovery key

Authorize administrator keys

Identify and sign essential DLKMs

Back up the WLI database

Reboot with security mode set to restricted

5.1Authorizing the recovery key

After WLI is installed and the server is rebooted, the wliadm command must be executed to initialize database files and authorize the recovery key. Root user (user ID 0) authority is required to execute the initialization command:

%wliadm -i<pub_key> -k<priv_key> [-p<src:val>]

where:

<pub_key> is the public key file extracted from <priv_key> in PEM format.

<priv_key> is an OpenSSL-generated RSA key file in PEM format.

<src:val> is the passphrase source and value. If the -poption is not included, A prompt appears for the passphrase at the /dev/tty device.

You can execute this command only once for each installation. The specified key becomes the recovery key for WLI. The recovery key is a special key for granting administrator authority to other RSA keys and should be stored safely. You can replace it by reinstalling WLI or restoring the WLI database backup described in this section. After the recovery key is authorized, it can grant WLI administrative capability to other keys. The recovery key is limited to granting administrator capability.

5.2 Authorizing administrator keys

At least one administrator key is necessary to authorize the WLI administrator commands. To simplify security maintenance, the number of authorized administrator keys should be minimal, even though an unlimited amount is allowed. The recovery key generated in the previous procedure must generate the first administrator key.

An administrator key can be used for all WLI operations, including granting itself capabilities. For details on authorizing keys for WLI administration, see wliadm(1M). For details on granting capabilities, see wlicert(1M).

HP recommends all administrator keys are authorized before the reboot because the database file holding administrator keys cannot be backed up or restored after the system is rebooted with WLI security mode set as restricted.

Root user (user ID 0) authority is not required to authorize a key for WLI administration. The user must have read permission on the key and know the passphrase. To authorize an administrator key:

%wliadm -n<user>.<instance> -k<priv_key> [-p<src:val>] <pub_key> where:

<user>

is the key identifier; user is a valid user ID.

5.1 Authorizing the recovery key

25

Page 24 Page 26
Image 25
Page 24 Page 26
Contents HP-UX Whitelisting A.01.00 Administrator Guide Copyright 2010 Hewlett-Packard Development Company, L.P Table of Contents HP Serviceguard considerations Glossary Index List of Figures List of Examples Page File access policies Security featuresFile lock access controls Capabilities Identity-based access controls4 api Page WLI architecture Product overviewApplication API CommandsApplications WLI metadata files WLI database3 .$WLISIGNATURE$ Page Generating keys Key usageUser keys Administrator keysInstallation requirements Installing, removing, and upgradingInstalling WLI Removing WLI Upgrading WLI Page Authorizing the recovery key ConfiguringAuthorizing administrator keys Backing up the WLI database Signing DLKMsRebooting to restricted mode Page Signing an executable binary Enhancing security with WLICreating a Flac policy Enabling DLKMs to load during boot Removing a file access policyCreating an Ibac policy Wlisign -a -k adminpriv /usr/sbin/kcmodule # wlisign -a -k /home/admin1/adminpriv /usr/conf/mod/cissLoading unsigned DLKMs # kcmodule ciss=unusedPage Overview Backup and restore considerationsWLI database files Write protected Policy protected and metadata filesRead/write protected files RecommendationsIbac policies Flac policiesMetadata files Page Administration HP Serviceguard considerationsWLI database Policy protected files Software distributor issues Troubleshooting and known issuesWLI reinstallation Lost WLI administrator key or passphraseSu root # rm -r /etc/wli Wlisyspolicy -s mode=maintenance -k adminkey# tar -xf /tmp/wlikeydb.tar # kcmodule wli=unused # shutdown -rContacting HP Support and other resourcesRelated information Websites Typographic conventionsUser input Times Page Instructions # make clean# make all # su wliusr1Ibac add and delete program Flac add and delete programIbac add and delete program Page Administration examples Su root # wlisign -a -k adm1.pvt /usr/bin/tar Wlicert -s -c wli.admin1 -o wmd -k adm1.pvtBdf mydir Tar -vtf tartest.tarCat /tmp/.$WLIFSPARMS$ Wlisys -k adm1.pvt -s wmdstoretype=pseudoBprestore -f backuplist Bpbackup -f backuplistConfiguring WLI Quick setup examplesAuthorizing an administrator key Authorizing a user keyFlac policies Testing a Flac policyCreating a Flac policy Enabling a Flac policyIbac policies Removing an Ibac policy Disabling an Ibac policyASM GlossaryPage Index SymbolsIndex
Related manuals
Manual 130 pages 58.55 Kb
Top Page Image Contents