Using the administrator key adm1.pvt for authorization, tar is invoked as a child process of wliwrap. For details about the key signing and granting wmd, see Example B-2 (page 49).

You must restore the archive onto a file system with the same type of metadata storage as the generated archive. Otherwise, WLI cannot enforce the policies.

If the archive metadata storage type is unknown, execute the following to look for policy metadata files:

%tar -vtf tartest.tar

rwxrwxrwx 0/0    0 Aug 8 02:32 2010 ./tartest/.$WLI_POLICY$/
rwxrwxrwx 0/0 2048 Aug 8 02:52 2010 ./tartest/.$WLI_POLICY$/tfile1
rw-r--r-- 0/3 2048 Aug 6 03:21 2010 ./tartest/.$WLI_POLICY$/tfile2
rw-r--r-- 0/3 2048 Aug 8 02:47 2010 ./tartest/.$WLI_POLICY$/tfile3

The archive contains metadata stored in regular files, not VxFS named streams.

To determine which policy protected files are already on the file system and the storage type, locate the file system root directory and query the metadata storage type:

% bdf mydir

Filesystem          kbytes    used   avail %used Mounted on
/dev/vg00/lvol4    5242880   85192 5117472    2% /tmp

%cat /tmp/'.$WLI_FSPARMS$'

wmdtype=pseudo

The file system and archive storage types match, and it is safe to proceed.

If the file system root directory does not contain a .$WLI_FSPARMS$ file, the file system cannot contain policy protected files. If the file system has no policy protected files, the metadata storage type is determined by the value of the wmdstoretype attribute set with wlisys, not the metadata files restored from the archive. The user can set the correct storage type if necessary:

%wlisys -k adm1.pvt -s wmdstoretype=pseudo
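The checks described above can be scripted and run before a restore. The following is an added example, not taken from the HP manual: the function names and return codes are hypothetical, and it identifies only the regular-file (pseudo) storage type that a tar listing can show.

```shell
#!/bin/sh
# Added example: compare archive and file system WLI metadata storage types
# before a restore. Function names and exit codes are hypothetical.

POLICY_DIR='.$WLI_POLICY$'   # literal directory name seen in the tar listing
FSPARMS='.$WLI_FSPARMS$'     # literal file name at the file system root

# "pseudo" if the archive holds policy metadata as regular files, else
# "unknown" (nothing in the listing identifies the storage type).
archive_wmdtype() {
    if tar -tf "$1" | grep -F "/$POLICY_DIR/" >/dev/null; then
        echo pseudo
    else
        echo unknown
    fi
}

# wmdtype recorded at the file system root, or "none" when the root has no
# .$WLI_FSPARMS$ file (the file system holds no policy protected files).
fs_wmdtype() {
    if [ -f "$1/$FSPARMS" ]; then
        sed -n 's/^wmdtype=//p' "$1/$FSPARMS" | head -n 1
    else
        echo none
    fi
}

# Returns 0 = types match, 1 = mismatch, 2 = no .$WLI_FSPARMS$ (type comes
# from the wmdstoretype attribute), 3 = archive type not identifiable.
check_restore() {
    arch=$(archive_wmdtype "$1")
    fs=$(fs_wmdtype "$2")
    if [ "$arch" = unknown ]; then
        echo "no $POLICY_DIR entries in $1" >&2; return 3
    elif [ "$fs" = none ]; then
        echo "no $FSPARMS under $2; check wmdstoretype with wlisys" >&2; return 2
    elif [ "$arch" != "$fs" ]; then
        echo "mismatch: archive=$arch file system=$fs" >&2; return 1
    fi
    echo "match: $arch"
}

# Usage: sh check.sh ARCHIVE FS_ROOT   (FS_ROOT as reported by bdf)
if [ "$#" -eq 2 ]; then
    check_restore "$1" "$2"
fi
```

A return code of 0 corresponds to the "safe to proceed" case; any other code means the storage type should be resolved before the archive is restored.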

The archive is now restored:

%wliwrap -k adm1.pvt -o wmd "/tar -xvf wrap.tar /tmp/tartest"

wliwrap: process capability wmd set
wliwrap: executing command: tar -xvf wrap.tar /tmp/tartest
x ./tartest/tfile1 1 blocks
x ./tartest/tfile2 1 blocks
x ./tartest/tfile3 1 blocks
x ./tartest/.$WLI_POLICY$/tfile1 4 blocks
x ./tartest/.$WLI_POLICY$/tfile2 4 blocks
x ./tartest/.$WLI_POLICY$/tfile3 4 blocks

Similar to Example B-2 (page 49), metadata files under .$WLI_SIGNATURE$ directories and .$WLI_FSPARMS$ files can also be restored with the wliwrap command. Therefore, an entire file system can be restored with this procedure.

Example B-4 Backup and restore without wliwrap

The alternative to temporarily granting wmd capability with wliwrap is to permanently grant wmd with wlisign. This example describes how to create an archive containing policy protected files with a backup command granted permanent wmd capability. The archive is then restored with a restore command also granted permanent wmd capability.

For this example, the platform has VxFS 5.0.1 file systems installed and the wmdstoretype attribute has the value auto, set by the wlisys command. This combination implies that named data streams are used to store policy protected metadata. Veritas NetBackup is then required to back up files with named data streams. The bpbackup and bprestore commands are installed for backup and restore operations respectively.

The commands are signed and granted wmd:

%wlisign -a -k adm1.pvt -o wmd /usr/openv/netbackup/bin/bpbackup

%wlisign -a -k adm1.pvt -o wmd /usr/openv/netbackup/bin/bprestore
