HP UX Whitelisting 9 Troubleshooting and known issues, 9.1 Software distributor issues, 9.2WLI reinstallation, 9.3Lost WLI administrator key or passphrase

9 Troubleshooting and known issues

9.1 Software distributor issues

Signing an ELF formatted binary adds a signature metadata section to the binary file. This action has the side effect of changing the file modification time and size. If the binary happens to be delivered as part of a product, the swverify command registers errors.

If error free swverify analysis on a product is important, sign and use a duplicate of the command whenever practical. If using a copy is not practical, the SD-UX product database can be updated with swmodify so that swverify errors are not reported.

For example, if /usr/bin/ssh and /usr/sbin/sshd are signed, clear the swverify error with the following:

%wlisign -a -k userkey1 /usr/bin/ssh

%wlisign -a -k userkey1 /usr/sbin/sshd

%swmodify -x files=’/usr/bin/ssh /usr/sbin/sshd” Secure_Shell.SECURE_SHELL

9.2WLI reinstallation

Residual file access policy and signature metadata from a previous installation can interfere with a WLI reinstallation. The metadata from a previous installation can prevent generation of new file access policies and signatures.

When WLI is removed by swremove, the WLI database must be deleted to allow a possible reinstallation to install and configure correctly. But WLI does not keep track of policies and signed files, and they are not removed when the product is removed.

This problem does not appear if WLI is upgraded to a later revision. The WLI database remains intact, and the manual configuration steps should not be executed for WLI upgrades.

•Minimize using administrator keys for generating policies and signatures. Removing authorization from administrator keys has more impact than from user keys.

9.3Lost WLI administrator key or passphrase

A new administrator key can always be authorized through wliadm if the recovery key is available and its passphrase is known. Always store the recovery key and passphrase safely. The recovery key is not useful except for authorizing administrator keys and you can store it apart from the system where it has authority.

WLI keys are wrapped (encrypted with a cipher and passphrase) by the OpenSSL genrsa subcommand. If the passphrase is lost, no procedure exists to recover or decrypt the wrapped private key. For security, delete an administrator key with unknown passphrase. To delete an administrator key with missing passphrase:

For more information about generating RSA keys and authorizing as WLI administrative keys, see “Key usage” (page 19) and wliadm(1).

9.4 WLI database corruption

The database can become corrupted if the underlying storage device sustains physical damage. If the files comprising the database lose their integrity, WLI can display unpredictable behavior. The WLI database needs to be restored from an archive.