HP UX Whitelisting 5.3 Signing DLKMs, 5.4 Backing up the WLI database, dlkm, jane, priv, where:, wlisign, /dev/tty, jane.priv, 2.Sign the DLKM:, 3.Load the DLKM:

Changing administrator key passphrases does not impact WLI database files. Generating a new WLI database backup following passphrase changes to user or administrator keys is not necessary.

5.3 Signing DLKMs

WLI protects a system against rogue DLKMs in restricted mode. For a DLKM to be loaded by the system during boot, it must be signed with wlisign using an authorized key. The signing key does not require dlkm capability. The signature permits the DLKM to be authenticated by WLI before it is loaded.

One essential DLKM that loads during boot is the Kernel Random Number Generator, /usr/ conf/mod/rng. Before setting WLI to restricted mode and rebooting the system, it is necessary to sign this DLKM. If /home/jane/jane.priv is a key with WLI administration authority, the following procedure allows /usr/conf/mod/rng to load and initialize during boot:

IMPORTANT: This procedure must be performed as root user. Root user authority is required to load and unload DLKMs.

It is important that the DLKM is reloaded after signing. Repeat these steps for all DLKMs loaded during boot. A root user needs to repeat these steps if usr/conf/mod/rng is replaced by software update.

5.4 Backing up the WLI database

After all administrator keys are authorized, HP recommends backing up the WLI database while the security mode is maintenance. A backup of administrator key files is not possible after WLI is operational in restricted mode. For details of the WLI database, see Section 2.2 (page 16). For more information about backup, see Section 7.1 (page 33). To backup the WLI database in maintenance mode:

No procedure changes are required for restoring a database backup in maintenance mode.

In restricted mode, a database backup cannot be restored because of read/write protection on administrator key storage.

26 Configuring