7. Click Download.

8. Save the HP-UX WhiteList Infrastructure bundle as a local file on your system, for example as /tmp/<wli-depotname>.depot.

9. Verify that the depot file is saved on your system with the following command:

#swlist -d @ /tmp/<wli-depotname>.depot

10. Install the bundle:

#swinstall -x autoreboot=true -s /tmp/<wli-depotname>.depot WhiteListInf

11. Verify the installation:

#swverify WhiteListInf

If WLI is installed correctly on the system, the swverify command includes the following text in the reported data:

Verification succeeded

WLI relies on the OpenSSL product for RSA key generation, but the OpenSSL product is not required for installation. The latest version of OpenSSL is recommended, but any version installable on HP-UX 11iv3 is sufficient. You can download the latest version from:

https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=OPENSSL11I

OpenSSL installs by default with every HP-UX OE release, but might have been removed or not installed with the OE. To determine the OpenSSL version and verify its content, enter:

%swlist OpenSSL

%swverify OpenSSL
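The verification in step 11 and the OpenSSL check above can be combined into one post-install script. This is an added example, not code from the HP manual. The `SWVERIFY` override variable, the function names, and the return-code convention are assumptions of this example; it also assumes `swverify` exits 0 on success.

```shell
#!/bin/sh
# Added example (not from the HP manual): post-install check for WLI and OpenSSL.
# Assumption: SWVERIFY is this script's own override hook so the logic can be
# exercised with a stub; on HP-UX it defaults to the real swverify command.
SWVERIFY=${SWVERIFY:-swverify}

# verify_product NAME
# Succeeds only if swverify exits 0 AND its report contains the
# "Verification succeeded" text the manual says to look for.
verify_product() {
    product=$1
    if report=$("$SWVERIFY" "$product" 2>&1); then
        status=0
    else
        status=$?
    fi
    case $report in
        *"Verification succeeded"*) found=yes ;;
        *) found=no ;;
    esac
    if [ "$status" -eq 0 ] && [ "$found" = yes ]; then
        echo "OK: $product"
        return 0
    fi
    echo "FAIL: $product (swverify exit=$status, success text found=$found)" >&2
    return 1
}

# check_wli_install
# Return codes (this example's own convention):
#   0  WLI and OpenSSL both verify
#   1  WhiteListInf failed verification
#   2  WLI verifies, but OpenSSL is missing or damaged
check_wli_install() {
    rc=0
    verify_product WhiteListInf || rc=1
    if ! verify_product OpenSSL; then
        # Not required for installation, but WLI relies on it for RSA key generation.
        echo "WARN: OpenSSL not verified; install it before generating keys" >&2
        if [ "$rc" -eq 0 ]; then rc=2; fi
    fi
    return "$rc"
}
```

Call `check_wli_install` once the swinstall step, and any reboot it triggers, has completed. A return code of 2 means WLI itself is installed but RSA keys cannot yet be generated on this host.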

4.3 Removing WLI

The administrator should consider creating a backup of policy-protected files, signed binaries, and metadata files. If reinstallation is planned, WLI recognizes the keys used for generating policies and signatures, provided the keys are authorized following reinstallation.

WLI does not track access policies assigned to files and signatures generated on binaries. File and signature metadata becomes transparent once the kernel is rebuilt without the WLI component. WLI metadata does not impact file access or command execution once WLI is removed.

The presence of old metadata can inhibit new policy and signature generation if WLI is reinstalled. If reinstallation is planned, HP recommends backup and removal of all known signatures and policies.

To remove WLI, use the following procedure:

1. Retrieve the security attributes for WLI:

%wlisyspolicy -g

If protection mode is restricted, change to maintenance.

2. Skip this step if protection mode is maintenance. To set protection mode to maintenance:

%wlisyspolicy -s mode=maintenance -k <admin_private_key>

where:

<admin_private_key> is a WLI administrator private key. A prompt appears for the key passphrase.

3. If allow security downgrade is deferred, a reboot is required for protection mode to switch to maintenance. Following reboot of the system, verify that protection mode is maintenance:

%wlisyspolicy -g

22 Installing, removing, and upgrading
