HP UX Whitelisting 3 Key usage, 3.1 Generating keys, rsa, rsa, <arg, <file, wliadm, genrsa, genrsa, where:, genrsa, openssl, openssl, /wli/pub.pem, /wli/ priv.pem

3 Key usage

WLI defines two key types. User keys can sign executable binaries and generate file access policies. Administrator keys have all the authority of user keys, but also can be used to authorize changes to the WLI database.

WLI depends on RSA keys for authorization of many of its command operations. A WLI command with the “1M” manpage designation means an administrator key is required to execute at least one command option, not the traditional root user (user ID 0). A “1” manpage indicates the command options can be authorized with a user key. Except for wliadm -i, WLI does not reference user or group ID for command operations.

Because an RSA private key contains all the information held within the corresponding public key, the term “key” is synonymous with “private key”. This terminology is common in cryptographic literature.

3.1 Generating keys

WLI administrator and user keys are generated with the openssl command tool installed on HP-UX as part of the OpenSSL product. For the highest level of security, a 2048 bit key length is recommended. Other supported key lengths are 512, 1024, and 1536 bits. Files with RSA keys in PEM format are required for WLI command operations that require keys.

The openssl command also provides several cipher options for passphrase encryption of RSA keys. The aes256 cipher is among the ciphers offered by OpenSSL. This cipher is the AES-256 cipher from the Advanced Encryption Standard chosen by the U.S. government in 2001 as a standard for encryption. The aes256 cipher is highly recommended but not required. Any cipher offered by OpenSSL is supported by WLI.

The genrsa subcommand creates an RSA private key. For a complete synopsis, see genrsa(1). The following is sufficient to generate keys for WLI:

%openssl genrsa [-passout <arg>] -<cipher>-out <file> <length> where:

<arg>	is the passphrase source and value if -passoutis used. If not supplied, the /dev/
	tty device prompts for it. For details, see openssl(1).
<cipher> is the algorithm for encrypting the private key.
<file>	is the file containing the generated private key. The default file format is PEM, the
	only RSA key file format recognized by WLI.

<length> is the number of bits in the generated private key.

If a passphrase is not specified with genrsa, the user is prompted to enter a passphrase. Using the cipher and length recommendations mentioned previously, an example of key creation key is:

%openssl genrsa -aes256 -out /wli/priv.pem 2048

The rsa subcommand displays the numerical components of an RSA key. To view the key created in the previous example:

%openssl rsa -in /wli/priv.pem -noout -text

A prompt appears for the passphrase in this example because it is not included. RSA protocol for encrypting and decrypting messages intends that the private key and its passphrase are secret quantities. WLI follows this convention.

The RSA public key is a subset of the information comprising the private key. For the key /wli/ priv.pem generated above, the public key /wli/pub.pem can be extracted with the following rsa subcommand:

%openssl rsa -in /wli/priv.pem -out /wli/pub.pem -pubout

3.1 Generating keys