HP UX Security Products and Features Software manual Instructions, # make all, # su wliusr1


A libwliapi example

This example demonstrates how libwliapi functions add and delete WLI file access policies.

A.1 Instructions

This example requires an authorized WLI administrator key.

<admin_key>     WLI administrator's private key
<admin_pass>    Passphrase for <admin_key>

1. Copy the makefile and source files below to a test directory.
2. % su root
3. The makefile builds executables, adds user wliusr1, and generates ukey.pvt:
   # make all
4. # wlicert -i wliusr1.inst1 -k <admin_key> -p pass:<admin_pass> ukey.pub
5. # wlicert -c wliusr1.inst1 -s -k <admin_key> -p pass:<admin_pass> -o api
6. # su wliusr1
7. % wlisign -a -k ukey.pvt -p pass:mypasswd -o api api_flac_test
8. % wlisign -a -k ukey.pvt -p pass:mypasswd -o api api_ibac_test
9. % api_flac_test
10. % api_ibac_test

Cleanup:

1. # wlicert -d wliusr1.inst1 -k <admin_key> -p pass:<admin_pass>
2. # make clean

A.2 makefile

#Makefile for exercising libwliapi functions
SHELL = /bin/sh

CC = cc
LD = ld
CFLAGS = +DD64
INCLUDES = -I/opt/wli/include -I/usr/include/openssl

#make secure binaries
LDOPTS = +noenvvar +nodefaultrpath +b/opt/wli/lib
LDPATH = -L/opt/wli/lib
#LIBS = -lwliapi -lsec -lcrypto
LIBS = -lwliapi -lcrypto

COMPILE = $(CC) $(CFLAGS) $(INCLUDES)

.c.o:
	$(COMPILE) -c $< -o $@

all: user_setup progs

progs: api_flac_test api_ibac_test

api_flac_test: api_flac_test.o
	$(LD) -o $@ api_flac_test.o $(LDOPTS) $(LDPATH) $(LIBS)
	echo "flac test file" >flac_test

api_ibac_test: api_ibac_test.o
	$(LD) -o $@ api_ibac_test.o $(LDOPTS) $(LDPATH) $(LIBS)
	echo "ibac test file" >ibac_test

ukey.pvt:
	openssl genrsa -aes256 -passout pass:mypasswd -out ukey.pvt 2048

ukey.pub: ukey.pvt
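The ukey.pvt rule above passes the passphrase as pass:mypasswd on the openssl command line, where it is readable in the makefile and in the process list. As an added example (not part of the HP manual), the shell functions below generate the same kind of key with the passphrase read from an owner-only file, derive a public key, and verify the pair. The ukey.pass file name and the function names are assumptions, and this page does not say whether wlicert or wlisign accept a passphrase source other than pass:.

```shell
# Added example, not from the HP manual. File name ukey.pass and both
# function names are assumptions made for illustration.

# gen_user_key DIR: create DIR/ukey.pvt (2048-bit RSA, AES-256 encrypted)
# and DIR/ukey.pub, reading the passphrase from DIR/ukey.pass, not argv.
gen_user_key() {
    dir=$1
    (
        umask 077                      # key and passphrase files: owner-only
        mkdir -p "$dir" || exit 1
        # Constructed random passphrase; a real user would choose their own.
        openssl rand -hex 16 > "$dir/ukey.pass" || exit 1
        openssl genrsa -aes256 -passout "file:$dir/ukey.pass" \
            -out "$dir/ukey.pvt" 2048 2>/dev/null || exit 1
        openssl rsa -in "$dir/ukey.pvt" -passin "file:$dir/ukey.pass" \
            -pubout -out "$dir/ukey.pub" 2>/dev/null || exit 1
    )
}

# check_user_key DIR: succeed only if ukey.pvt is really passphrase
# protected and ukey.pub is the public half of ukey.pvt.
check_user_key() {
    dir=$1
    # A wrong passphrase must be rejected; if openssl accepts it, the
    # private key was written unencrypted.
    if openssl rsa -in "$dir/ukey.pvt" -passin pass:wrong-guess \
        -noout 2>/dev/null; then
        return 1
    fi
    priv_mod=$(openssl rsa -in "$dir/ukey.pvt" \
        -passin "file:$dir/ukey.pass" -noout -modulus 2>/dev/null) || return 1
    pub_mod=$(openssl rsa -pubin -in "$dir/ukey.pub" \
        -noout -modulus 2>/dev/null) || return 1
    # Matching moduli mean the two files belong to the same key pair.
    [ -n "$priv_mod" ] && [ "$priv_mod" = "$pub_mod" ]
}
```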
