B Administration examples
Example
The recovery key is authorized by root user:
#wliadmRSA key adm1.pvt is generated per HP recommendations and its public key extracted:
#openssl genrsaRSA key adm1.pvt is granted WLI administrator authority by the recovery key:
#wliadmThe public key extracted from adm1.pvt is adm1.pub. User root must know the passphrase for recov.pvt, but does not know the passphrase for adm1.pvt. User adm1 is a user listed in /etc/passwd, and knows the passphrase for adm1.pvt.
Because adm1.pvt has WLI administrator authority, it can authorize itself for all capabilities:
#wlicertAny user can visually verify this key as an administrator key with all capabilities:
%wlicertThe rng DLKM must be signed along with several others. The loaded DLKMs are listed and signed (only rng signing displayed):
%kcmodule grep loaded%cd /usr/conf/mod%wlisignThe system does not have Symantec NetBackup installed and therefore must have policy metadata stored in files to create policy protected file backups:
%wlisysSecurity guidelines specify only one WLI administrator key can be authorized. Because the WLI security mode is restricted, the read/write protected portion of the WLI database can be read and archived:
%tarThe security mode can now be switched to restricted:
%wlisyspolicyAll administrative commands are now executed for the immediate future. The WLI database archive is now updated with the WLI database files having only write protection:
%tarThe system is now ready for shutdown and reboot.
Example
HP recommends using wliwrap to backup and restore policy protected files and associated metadata when restricted mode is in effect. To avoid granting permanent wmd capability to the backup and restore commands, use wliwrap to enable wmd only for a single execution of a command.
The user owns key adm1.pvt which was granted administrator authority in Example
For this example, /usr/bin/tar is used for both backup and restore. Other
49