HP UX Security Products and Features Software manual Policy protected files

Page 38

WLI installation and configuration on the cluster is now complete. Following reboot of all nodes, WLI is operational in restricted mode. To maintain the WLI database consistently and ensure product failovers will be successful, HP recommends the following procedure:

1.Execute WLI administrative commands wliadm, wlicert, wlisys, and wlisyspolicy identically on all nodes. This ensures the WLI database that includes all authorized user keys, granted capabilities and associations is uniform.

2.After WLI is initialized and configured, the WLI databases on different nodes contains different information if administrative commands are not identically executed across the cluster.

3.To minimize the need to switch WLI to restricted mode, avoid using wliadm. Deleting and adding administrator keys requires refreshment of an archive in maintenance mode, whereby all WLI restrictions are not enforced.

4.Minimize the use of WLI administrative commands and the total time taken to execute these commands across nodes. The WLI database differs between nodes while WLI administrator command operations are in progress. This could adversely affect product failover and multi-node product behavior.

5.If a failover occurs, the WLI database on the primary node can be unavailable for updates. Before failback of any applications, you must update the recovered node with all WLI commands executed after the failure.

8.2.2Policy protected files

WLI policy enforcement must appear consistent across all nodes. To ensure file access policies are enforced with the same results across all nodes, HP recommends performing the following tasks:

Examine product failover scripting for instances of non shared files protected by WLI file access policies. An example might be configuration data residing under /etc. Because user keys can generate polices on non shared files, the policies must be verified as identical across all nodes to avoid potential failover problems.

Sign binary executables identically across all nodes using the same keys. If the commands are on shared storage file systems for failover or on CFS for multinode applications, only one copy of the binary executable is necessary for all nodes.

Generate file access policies identically across all nodes on nonshared file systems. A file access policy for a file residing in a file system on shared media, such as a member of the HP StorageWorks EVA family, is enforced on all nodes.

Verify user IDs (/etc/passwd entries) and group IDs (/etc/group entries) are consistent across all nodes. File permissions and ownership restrictions are not affected by WLI and can cause file access variations across nodes on WLI protected nodes.

38 HP Serviceguard considerations

Page 37 Page 39
Image 38
Page 37 Page 39
Contents HP-UX Whitelisting A.01.00 Administrator Guide Copyright 2010 Hewlett-Packard Development Company, L.P Table of Contents HP Serviceguard considerations Glossary Index List of Figures List of Examples Page File lock access controls Security featuresFile access policies Identity-based access controls Capabilities4 api Page Product overview WLI architectureCommands Application APIApplications WLI database WLI metadata files3 .$WLISIGNATURE$ Page Key usage Generating keysAdministrator keys User keysInstalling WLI Installing, removing, and upgradingInstallation requirements Removing WLI Upgrading WLI Page Authorizing administrator keys ConfiguringAuthorizing the recovery key Signing DLKMs Backing up the WLI databaseRebooting to restricted mode Page Creating a Flac policy Enhancing security with WLISigning an executable binary Creating an Ibac policy Removing a file access policyEnabling DLKMs to load during boot Loading unsigned DLKMs # wlisign -a -k /home/admin1/adminpriv /usr/conf/mod/cissWlisign -a -k adminpriv /usr/sbin/kcmodule # kcmodule ciss=unusedPage WLI database files Backup and restore considerationsOverview Read/write protected files Policy protected and metadata filesWrite protected RecommendationsMetadata files Flac policiesIbac policies Page WLI database HP Serviceguard considerationsAdministration Policy protected files WLI reinstallation Troubleshooting and known issuesSoftware distributor issues Lost WLI administrator key or passphrase# tar -xf /tmp/wlikeydb.tar Wlisyspolicy -s mode=maintenance -k adminkeySu root # rm -r /etc/wli # kcmodule wli=unused # shutdown -rRelated information Support and other resourcesContacting HP User input Typographic conventionsWebsites Times Page # make all # make cleanInstructions # su wliusr1Flac add and delete program Ibac add and delete programIbac add and delete program Page Administration examples Wlicert -s -c wli.admin1 -o wmd -k adm1.pvt Su root # wlisign -a -k adm1.pvt /usr/bin/tarCat /tmp/.$WLIFSPARMS$ Tar -vtf tartest.tarBdf mydir Wlisys -k adm1.pvt -s wmdstoretype=pseudoBpbackup -f backuplist Bprestore -f backuplistAuthorizing an administrator key Quick setup examplesConfiguring WLI Authorizing a user keyCreating a Flac policy Testing a Flac policyFlac policies Enabling a Flac policyIbac policies Disabling an Ibac policy Removing an Ibac policyGlossary ASMPage Symbols IndexIndex
Related manuals
Manual 130 pages 58.55 Kb
Top Page Image Contents