wliadm.1m (2011 03)

wliadm(1M)                      Optional WLI Product Required                      wliadm(1M)
NAME
wliadm - manage WLI administrator keys
SYNOPSIS
wliadm -i pubkey -k privkey [-p src:val]
wliadm -n user.instance -k privkey [-p src:val] [-c | pubkey]
wliadm -d user.instance -k privkey [-p src:val]
wliadm -h
DESCRIPTION
Immediately following installation of WLI, the root user (user ID 0) must execute wliadm with the -i
option to authorize the recovery key pair and complete the basic WLI configuration. For this operation,
the recovery public and private keys are pubkey and privkey, respectively. The recovery private key
should be stored safely; it is the means of recovering from loss of the existing authorized administrator
keys.
The recovery private key can authorize an RSA key as a WLI administrator key using the -n option. The
recovery key can only be used to authorize WLI administrator keys; it does not have an associated
user.instance identifier, and it cannot be deleted from the WLI database or replaced. For details on
generating WLI keys, refer to wli(5), section KEY GENERATION.
An unlimited number of WLI administrator keys can be authorized following WLI initialization. Any
administrator private key can be used to authorize further administrator keys or to remove authorization
from an existing administrator key. The recovery private key cannot remove key authorization.
A WLI administrator private key authorizes execution of the WLI privileged commands wliadm(1M),
wlicert(1M), wlisys(1M), and wlisyspolicy(1M). The exception is wlitrace(1M), which requires root
authority and no administrator key. The public key extracted from the administrator private key is
imported into the WLI database and used to verify signatures generated with that private key.
As with WLI user public keys, capabilities can be granted to the administrator public key after it has
been authorized with wliadm. Refer to wlicert(1M) for details on granting capabilities.
The user.instance field is a unique identifier associated with each authorized administrator key pair. The
user portion must be a valid system username present in /etc/passwd. The instance portion is an
alphanumeric string of the administrator's choosing. The combined length of the user.instance field
cannot exceed 1024 bytes. To authorize a user key for WLI security features, see wlicert(1M).
The wliadm command is installed with the optional HP-UX Whitelisting (WLI) product.
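The key lifecycle described above, as an added POSIX shell example that is not part of this manual page
or of the WLI product: it checks a user.instance identifier against the rules stated in this section
before the identifier reaches wliadm, wraps the -i, -n and -d invocations, and rotates an administrator
key by retiring the old key only after the new one has signed a successful operation. The function
names, the WLIADM and PASSWD_FILE variables, and the passphrase source e:PASS (assumed here to be the
wli(5) spelling for an environment-variable source) are this example's own assumptions, not taken from
the page.

```sh
#!/bin/sh
# Added example for wliadm(1M): a POSIX sh wrapper around the recovery-key and
# administrator-key lifecycle. Illustrative code, not part of HP-UX or WLI; it only
# passes through the options the man page documents. Everything marked ASSUMPTION
# is not taken from the man page.

# Where the "user" portion of user.instance is looked up (overridable for dry runs).
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"
# The wliadm command to invoke (overridable, e.g. with a stub for a dry run).
WLIADM="${WLIADM:-wliadm}"
# ASSUMPTION: wli(5) passphrase-source form "e:NAME" = read passphrase from
# environment variable NAME. Verify the exact src:val spelling in wli(5).
PASS_SRC="${PASS_SRC:-e:PASS}"

# wli_check_id ID: enforce the user.instance rules from DESCRIPTION.
# Returns 0 if valid, 1 with a reason on stderr otherwise.
wli_check_id() {
    id="$1"
    case "$id" in
        *.*) ;;
        *)   echo "wli_check_id: '$id' is not of the form user.instance" >&2; return 1 ;;
    esac
    user="${id%%.*}"   # text before the first '.'
    inst="${id#*.}"    # text after the first '.'
    # Combined length is limited to 1024 bytes (bytes, not characters).
    len=$(printf '%s' "$id" | wc -c | tr -d ' ')
    if [ "$len" -gt 1024 ]; then
        echo "wli_check_id: identifier is $len bytes, limit is 1024" >&2; return 1
    fi
    # Instance portion: non-empty and alphanumeric only.
    case "$inst" in
        "" | *[!A-Za-z0-9]*)
            echo "wli_check_id: instance '$inst' must be non-empty and alphanumeric" >&2; return 1 ;;
    esac
    # User portion must be an account in the passwd file (exact match on field 1).
    if ! awk -F: -v u="$user" '$1 == u { found = 1 } END { exit !found }' "$PASSWD_FILE"; then
        echo "wli_check_id: user '$user' not found in $PASSWD_FILE" >&2; return 1
    fi
    return 0
}

# wli_init PUBKEY PRIVKEY: one-time initialization by root after installation,
# authorizing the recovery key pair. Store PRIVKEY safely afterwards.
wli_init() {
    "$WLIADM" -i "$1" -k "$2" -p "$PASS_SRC"
}

# wli_authorize ID SIGNING_PRIVKEY PUBKEY|-c: authorize PUBKEY (or, with -c, a key
# already authorized as a user key by wlicert(1M)) as administrator key ID.
# SIGNING_PRIVKEY is the recovery private key or an existing administrator private key.
wli_authorize() {
    wli_check_id "$1" || return 1
    "$WLIADM" -n "$1" -k "$2" -p "$PASS_SRC" "$3"
}

# wli_revoke ID ADMIN_PRIVKEY: remove administrator key ID. Only an administrator
# private key can sign this; the recovery private key cannot remove authorization.
wli_revoke() {
    wli_check_id "$1" || return 1
    "$WLIADM" -d "$1" -k "$2" -p "$PASS_SRC"
}

# wli_rotate OLD_ID OLD_PRIVKEY NEW_ID NEW_PUBKEY NEW_PRIVKEY: authorize the new
# administrator key with the old one, then retire the old key with the NEW private
# key, so the old key is only removed once the new key has demonstrably worked.
wli_rotate() {
    wli_authorize "$3" "$2" "$4" || return 1
    wli_revoke "$1" "$5"
}
```

Source the script and call wli_init once as root, then wli_authorize for each administrator; run a rotation with
wli_rotate rather than deleting an administrator key before its replacement has been exercised. Because
the recovery key cannot delete, a rotation signed only by the recovery key would leave the old key in place.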
Options
-c               The key has been previously authorized as a user key with wlicert(1M). This option
                 effectively transforms a user key into an administrator key.
-d user.instance The identifier of the administrator key to be deleted from the WLI database.
-h               Displays wliadm command syntax.
-i pubkey        Initializes WLI. This option is executed once, and only by the root user, following
                 installation. pubkey is the public key extracted from privkey.
-k privkey       With the -i option, this designates the recovery private key file. With the -n
                 option, this designates a previously authorized administrator private key file or the
                 recovery private key file. With the -d option, this must be an administrator private
                 key file; the recovery private key cannot delete keys.
-n user.instance The identifier to be associated with the administrator key being authorized.
-p src:val       The passphrase source for privkey. Refer to wli(5) for this option.
RETURN VALUE
wliadm returns the following:
Failure A message and exit code of 1.
Success An exit code of 0.
EXAMPLES
Initialize WLI with user jack’s public and private keys, jackpub and jackpriv, respectively, as the
recovery key pair. The private key’s passphrase is stored in the environment variable PASS. User jack
may or may not have root user authority:
HP-UX 11iv3: Sep 2010 Web Release 1 Hewlett-Packard Company 1
