<instance> <priv_key> <src:val>

is the key identifier; instance is a string chosen by an administrator.

is the recovery key or previously authorized administrator key.

is the passphrase source and value. If the -p option is not included, a passphrase prompt appears on the /dev/tty device.

<pub_key> is the public key being authorized for WLI administrator authority.

Changing administrator key passphrases does not impact WLI database files. Generating a new WLI database backup following passphrase changes to user or administrator keys is not necessary.

5.3 Signing DLKMs

WLI protects a system against rogue DLKMs in restricted mode. For a DLKM to be loaded by the system during boot, it must be signed with wlisign using an authorized key. The signing key does not require dlkm capability. The signature permits the DLKM to be authenticated by WLI before it is loaded.

One essential DLKM that loads during boot is the Kernel Random Number Generator, /usr/conf/mod/rng. Before setting WLI to restricted mode and rebooting the system, it is necessary to sign this DLKM. If /home/jane/jane.priv is a key with WLI administration authority, the following procedure allows /usr/conf/mod/rng to load and initialize during boot:

IMPORTANT: This procedure must be performed as root user. Root user authority is required to load and unload DLKMs.

1. Unload the DLKM:

# kcmodule rng=unused

2. Sign the DLKM:

# wlisign -a -k /home/jane/jane.priv /usr/conf/mod/rng

3. Load the DLKM:

# kcmodule rng=best

where:

jane is a valid user ID.

jane.priv is the key identifier.

priv is an arbitrary string chosen by the administrator.

It is important that the DLKM is reloaded after signing, because the kernel authenticates the module's signature at load time. Repeat these steps for every DLKM loaded during boot. A root user must repeat these steps whenever /usr/conf/mod/rng is replaced by a software update, since the new module file carries no signature.
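The three-step procedure above has to be repeated for every boot-time DLKM, and the order matters: a module must be unloaded before it is signed and reloaded afterwards. The following script is an added example, not part of the HP-UX manual or of the WLI product; it wraps the manual's kcmodule and wlisign invocations in a function that enforces that order and stops on the first failed step for a module. WLI_KEY and WLI_MODDIR are hypothetical environment overrides introduced here; their defaults are the manual's key path and DLKM directory.

```shell
#!/bin/sh
# Added example (not from the HP-UX manual): re-sign every boot-time DLKM
# named on the command line with an authorized WLI key, following the
# unload / sign / reload order the procedure above requires.
# Assumptions: runs as root on HP-UX in WLI maintenance mode, with kcmodule
# and wlisign in PATH. WLI_KEY and WLI_MODDIR are hypothetical environment
# overrides introduced here for convenience; the defaults match the manual.
KEY=${WLI_KEY:-/home/jane/jane.priv}
MODDIR=${WLI_MODDIR:-/usr/conf/mod}

# resign_dlkm NAME: unload, sign and reload one DLKM. Each step must succeed
# before the next runs, so a failed unload never signs a module that is still
# in use and a failed signature never reloads an unsigned module.
resign_dlkm() {
    mod=$1
    path="$MODDIR/$mod"
    if [ ! -f "$path" ]; then
        echo "resign_dlkm: $path not found" >&2
        return 1
    fi
    kcmodule "$mod=unused" || { echo "resign_dlkm: unload of $mod failed" >&2; return 1; }
    wlisign -a -k "$KEY" "$path" || { echo "resign_dlkm: signing $path failed" >&2; return 1; }
    kcmodule "$mod=best" || { echo "resign_dlkm: reload of $mod failed" >&2; return 1; }
    return 0
}

# resign_all NAME...: apply resign_dlkm to each module. It keeps going after
# a failure so one bad module does not hide the others, but returns non-zero
# if any module was not fully re-signed and reloaded.
resign_all() {
    rc=0
    for m in "$@"; do
        resign_dlkm "$m" || rc=1
    done
    return $rc
}
```

Source the script as root (for example `. ./resign-dlkms.sh`, a hypothetical file name) and run `resign_all rng` with the names of every DLKM that loads during boot before switching WLI to restricted mode; a non-zero exit means at least one module is not yet signed and reloaded, so do not reboot into restricted mode until the reported module has been fixed.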

5.4 Backing up the WLI database

After all administrator keys are authorized, HP recommends backing up the WLI database while the security mode is maintenance. A backup of administrator key files is not possible after WLI is operational in restricted mode. For details of the WLI database, see Section 2.2 (page 16). For more information about backup, see Section 7.1 (page 33). To back up the WLI database in maintenance mode:

% tar -cf wli.tar /etc/wli

For this example, tar is used. Proprietary backup utilities or cpio also work.

No procedure changes are required for restoring a database backup in maintenance mode.

In restricted mode, a database backup cannot be restored because of read/write protection on administrator key storage.

HP UX Security Products and Features Software manual Signing DLKMs, Backing up the WLI database