B Administration examples

Example B-1 Execute manual WLI configuration

The recovery key is authorized by the root user:

#wliadm -i recov.pub -k recov.pvt

RSA key adm1.pvt is generated per HP recommendations and its public key extracted:

#openssl genrsa -aes256 -out adm1.pvt 2048

#openssl rsa -in adm1.pvt -out adm1.pub -pubout

RSA key adm1.pvt is granted WLI administrator authority by the recovery key:

#wliadm -n adm1.key1 -k recov.pvt adm1.pub

The public key extracted from adm1.pvt is adm1.pub. User root must know the passphrase for recov.pvt, but does not know the passphrase for adm1.pvt. User adm1 is a user listed in /etc/passwd, and knows the passphrase for adm1.pvt.

Because adm1.pvt has WLI administrator authority, it can authorize itself for all capabilities:

#wlicert -c adm1.key1 -o mem,wmd,dlkm,api -s -k adm1.pvt

Any user can visually verify this key as an administrator key with all capabilities:

%wlicert -l adm1.key1

The rng DLKM must be signed along with several others. The loaded DLKMs are listed and signed (only rng signing displayed):

%kcmodule | grep loaded

%cd /usr/conf/mod

%wlisign -a -k /home/adm1/adm1.pvt rng

The system does not have Symantec NetBackup installed and therefore must have policy metadata stored in files to create policy protected file backups:

%wlisys -s wmdstoretype=pseudo -k /home/adm1/adm1.pvt

Security guidelines specify that only one WLI administrator key can be authorized. Because the WLI security mode is not yet restricted, the read/write protected portion of the WLI database can still be read and archived:

%tar -cvf wlikeydb.tar /etc/wli/keys

The security mode can now be switched to restricted:

%wlisyspolicy -s mode=restricted -k /home/adm1/adm1.pvt

All administrative commands needed for the immediate future have now been executed. The WLI database archive is now updated with the WLI database files that have only write protection:

%tar -rvf wlikeydb.tar /etc/wli/certificates /etc/wli/*.conf

The system is now ready for shutdown and reboot.
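Added example, not part of the HP manual: before adm1.pub is handed to wliadm -n in Example B-1, the root user can confirm that the public key really was extracted from adm1.pvt by comparing the RSA modulus of both files (a key pair mismatch here would grant administrator authority to a key nobody holds). The file names adm1.pvt and adm1.pub come from the example; the working directory and passing the passphrase through an environment variable are assumptions.

```shell
#!/bin/sh
# Generate the administrator key pair as in Example B-1 and verify the pair
# before granting it WLI administrator authority. Passphrase is read by
# openssl from the WLI_PASS environment variable (assumption for this example).

# gen_admin_key DIR PASSPHRASE
# Creates DIR/adm1.pvt (AES-256 encrypted, 2048-bit RSA) and DIR/adm1.pub.
gen_admin_key() {
    dir=$1
    WLI_PASS=$2
    export WLI_PASS
    openssl genrsa -aes256 -passout env:WLI_PASS -out "$dir/adm1.pvt" 2048 2>/dev/null || return 1
    openssl rsa -in "$dir/adm1.pvt" -passin env:WLI_PASS -pubout -out "$dir/adm1.pub" 2>/dev/null || return 1
    unset WLI_PASS
    chmod 600 "$dir/adm1.pvt"     # only the key owner may read the private key
}

# keypair_matches PVT PUB PASSPHRASE
# Returns 0 only if the modulus in PUB equals the modulus in PVT.
# A wrong passphrase leaves priv_mod empty, which also counts as a mismatch.
keypair_matches() {
    WLI_PASS=$3
    export WLI_PASS
    priv_mod=$(openssl rsa -in "$1" -passin env:WLI_PASS -noout -modulus 2>/dev/null)
    unset WLI_PASS
    pub_mod=$(openssl rsa -pubin -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$priv_mod" ] && [ "$priv_mod" = "$pub_mod" ]
}

# Constructed usage: scratch directory and passphrase exist only for this example.
workdir=$(mktemp -d)
gen_admin_key "$workdir" 'example-passphrase'
if keypair_matches "$workdir/adm1.pvt" "$workdir/adm1.pub" 'example-passphrase'; then
    echo "adm1.pub matches adm1.pvt; safe to pass to: wliadm -n adm1.key1 -k recov.pvt adm1.pub"
else
    echo "adm1.pub does NOT belong to adm1.pvt; do not grant it administrator authority" >&2
fi
```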

Example B-2 Backing up policy protected files

HP recommends using wliwrap to back up and restore policy protected files and their associated metadata when restricted mode is in effect. To avoid granting permanent wmd capability to the backup and restore commands, use wliwrap to enable wmd for only a single execution of a command.

The user owns key adm1.pvt which was granted administrator authority in Example B-1 (page 49).

For this example, /usr/bin/tar is used for both backup and restore. Other HP-UX or vendor product commands, such as cpio or commands included with Symantec NetBackup, can be substituted for tar backup and restore operations.

49

HP UX Security Products and Features Software manual Administration examples