The ability to execute functions within this library is a resource protected by WLI. As with other resources protected by WLI, access must explicitly be granted through WLI using authorized RSA keys.

2.1.1.2 Applications

WLI file access policies and resource restrictions are enforced on all applications and commands. Application binaries and files do not need to be modified or relinked.

A user may restrict application access to local files and directories through WLI commands. Applications are permitted access to files and resources protected by WLI through WLI commands.

When the WLI security mode is restricted, access policies on all local regular files and directories are enforced. No user application, including those invoked by the root user (uid 0), is permitted to override access restrictions imposed by WLI.

WLI also provides the maintenance security mode. This mode is insecure and is recommended only when the system is inaccessible to all but administration personnel. WLI policy enforcement and resource protection are not enabled in this mode.

WLI uses FIPS 140-2 certified OpenSSL 1.1.2 archive libcrypto.a, based on OpenSSL A.00.09.07m. This archive is stored at /opt/openssl/fips/0.9.7/lib/hpux64/libcrypto.a when included with an OpenSSL version such as A.00.09.08l.003. For more information about FIPS 140-2 (Federal Information Processing Standard 140-2), see http://www.openssl.org/docs/fips.

Because functions from this archive are statically linked into WLI commands, the archive is not required to be present on platforms where WLI is installed. WLI uses libcrypto.a functions to parse RSA key files generated by all OpenSSL versions. The OpenSSL license is stored at /opt/wli/OpenSSL.LICENSE as part of the WLI installation.

2.1.1.3 Stackable file system module

The HP-UX Stackable File System allows modification of the kernel file system stack through inclusion of one or more executable modules that conform to the VFS interface. A module can be inserted into the file system stack between the VFS layer and one or more file system type modules such as VxFS (JFS) or HFS.

Modifying existing file system type modules is not necessary; the kernel is relinked and rebooted. When the relinked kernel becomes active, the inserted module becomes a component in the file system stack.

When WLI installs, its file system module is inserted between VFS and the local file system type modules that handle local data storage. When a file is opened by an application for read or write access, the WLI file system module causes the open() to fail if a WLI policy on the file would be violated.

2.1.1.4 Policy enforcement manager

This component enforces WLI file access rules. Only the following access policy types are provided:

A FLAC policy limits access to a specific WLI-signed binary executable.

An IBAC policy limits access to a designated set of executables.

A WLI administrator key may also allow access to specific system resources protected by WLI, such as the /dev/mem and /dev/kmem special files.

WLI maintains a database of file access policies and resource restrictions generated by users and administrators. This database is referenced by the Policy Enforcement Manager from within the kernel domain. The Policy Enforcement Manager is called by the WLI file system module to determine if a restriction imposed by WLI should prevent access.
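The decision flow described above (file system module intercepts open(), Policy Enforcement Manager consults the policy database) can be modeled in a few lines of user-space C. This is an added illustration, not WLI source code: the record layout, function name `wli_check`, result values and sample paths are all hypothetical, and executables are identified by path only as a stand-in for WLI's signature check.

```c
#include <stdio.h>
#include <string.h>

enum wli_mode   { MODE_RESTRICTED, MODE_MAINTENANCE };
enum wli_type   { POLICY_FLAC, POLICY_IBAC };
enum wli_result { WLI_ALLOW, WLI_DENY };

#define MAX_EXES 4
struct wli_policy {                 /* hypothetical record layout */
    const char   *file;             /* protected file */
    enum wli_type type;
    const char   *exes[MAX_EXES];   /* signed executables granted access */
};

/* Constructed sample database; the paths are illustrative only. */
static const struct wli_policy policy_db[] = {
    { "/data/payroll.db", POLICY_FLAC, { "/opt/app/bin/payroll" } },
    { "/data/audit.log",  POLICY_IBAC, { "/opt/app/bin/auditd", "/opt/app/bin/report" } },
};

/* Model of the Policy Enforcement Manager decision for one open(). */
enum wli_result wli_check(enum wli_mode mode, const char *file,
                          const char *exe, int uid)
{
    (void)uid;                      /* uid 0 gets no override in restricted mode */
    if (mode == MODE_MAINTENANCE)
        return WLI_ALLOW;           /* enforcement is not enabled in this mode */
    for (size_t i = 0; i < sizeof policy_db / sizeof policy_db[0]; i++) {
        const struct wli_policy *p = &policy_db[i];
        if (strcmp(p->file, file) != 0)
            continue;
        /* FLAC: one specific executable; IBAC: any member of the set. */
        size_t n = (p->type == POLICY_FLAC) ? 1 : MAX_EXES;
        for (size_t j = 0; j < n && p->exes[j] != NULL; j++)
            if (strcmp(p->exes[j], exe) == 0)
                return WLI_ALLOW;
        return WLI_DENY;            /* policy exists and caller is not listed */
    }
    return WLI_ALLOW;               /* no policy on this file, nothing to violate */
}

int main(void)
{
    printf("root cat on payroll.db: %s\n",
           wli_check(MODE_RESTRICTED, "/data/payroll.db", "/usr/bin/cat", 0)
               == WLI_ALLOW ? "allowed" : "open() fails");
    return 0;
}
```

The model makes two properties of the design visible: the caller's uid never enters the decision in restricted mode, and switching to maintenance mode removes every policy check at once.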
