wlicert.1m (2011 03)
wlicert(1M)                    Optional WLI Product Required                    wlicert(1M)
NAME
wlicert - manage WLI public keys
SYNOPSIS
wlicert -i user.instance -k privkey [-p src:val] pubkey
wlicert -d user.instance -k privkey [-p src:val] [-f] [-o capability,...]
wlicert -c user.instance -o capability,... -s -k privkey [pubkey]
wlicert -g [-c user.instance | -o capability,...]
wlicert -l user.instance
wlicert -h
DESCRIPTION
wlicert provides the following services:
• Adds or removes WLI user key authorization for pubkey. When user keys are authorized, they can be used to create enforceable file access policies, and can be granted WLI capabilities by WLI administrator keys. User authorization requires that privkey is a WLI administrator private key. For details on authorizing WLI administrator keys, see wliadm(1M).
• Adds capabilities to or removes them from pubkey, whether pubkey is a WLI user public key or administrator public key. These services also require that privkey is a WLI administrator private key.
• Retrieves WLI information for the authorized user or administrator key represented by user.instance. The key must have been previously authorized by wlicert or wliadm. privkey is not required for information retrieval.
When pubkey is authorized as a user key, certain operations are enabled:
• WLI file access policies previously signed with the corresponding private key are enforceable by WLI, as are all future file access policies signed with that private key. For file access policy descriptions, see wli(5) and wlipolicy(1).
• Executable binaries signed with the corresponding private key are verifiable at run time when the WLI security mode is restricted. This permits WLI to recognize a binary executable signed with the private key, and allow the executable access when permitted by IBAC policies. For more information on signing executables, see wlisign(1). For more information on enabling WLI file access policies and setting the security mode value, see wlisyspolicy(1M).
• An executable binary signed and granted a capability with the private key from which pubkey was extracted is permitted access to the resource protected by capability. The capability must have been granted to pubkey. As with file access policies, resource protection by capability enforcement only applies when the WLI security mode is restricted. For more information on enabling WLI file access policies and setting the security mode value, see wlisyspolicy(1M).
WLI capabilities are optionally granted to authorized user and administrator keys. For more information on the available capabilities, see wli(5). There is no difference in wlicert syntax for granting capabilities to user or administrator public keys.
WLI key grants specified with wlicert are persistent across system boot. This information is stored in files and subdirectories under the /etc/wli directory. WLI generates internal access policies to protect the /etc/wli directory and its contents from unauthorized access.
The user.instance field is an identifier created for the public key when it is authorized. It represents a single WLI key pair and must be unique. The user portion must be a valid system user name. The instance portion is an alphanumeric string chosen by the wlicert executor. The combined maximum length of user.instance is 1024 bytes.
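The user.instance rules above, as an added shell example that is not part of this man page: a wrapper that validates the identifier before invoking the -i, -c and -l forms from SYNOPSIS. Key file paths, capability names and the user name are placeholders, and the wlicert option semantics are taken only from the SYNOPSIS as printed.

```shell
#!/bin/sh
# Added example, not from the wlicert(1M) man page: validate a user.instance
# identifier against the rules above, then call wlicert. Paths, capability and
# user names are placeholders; invocations follow the SYNOPSIS -i, -c, -l forms.

# Return 0 if "$1" is a well-formed user.instance: a valid system user name,
# a dot, a non-empty alphanumeric instance string, at most 1024 bytes in all.
check_user_instance() {
    ui=$1
    case "$ui" in
        *.*) ;;
        *) echo "check_user_instance: no '.' in '$ui'" >&2; return 1 ;;
    esac
    user=${ui%%.*}; inst=${ui#*.}     # split at the first dot
    if [ -z "$user" ] || [ -z "$inst" ]; then
        echo "check_user_instance: empty user or instance in '$ui'" >&2; return 1
    fi
    case "$inst" in
        *[!A-Za-z0-9]*) echo "check_user_instance: instance '$inst' is not alphanumeric" >&2; return 1 ;;
    esac
    # The limit is stated in bytes, so count bytes rather than characters.
    len=$(printf '%s' "$ui" | wc -c)
    if [ $((len + 0)) -gt 1024 ]; then
        echo "check_user_instance: '$ui' exceeds 1024 bytes" >&2; return 1
    fi
    # The user portion must name an existing system user.
    if ! id -u "$user" >/dev/null 2>&1; then
        echo "check_user_instance: unknown user '$user'" >&2; return 1
    fi
    return 0
}

# Authorize pubkey as a WLI user key under user.instance using the
# administrator private key, grant it the comma-separated capabilities
# (if any), then list what WLI now records for the key.
authorize_user_key() {
    ui=$1; privkey=$2; pubkey=$3; caps=$4
    check_user_instance "$ui" || return 1
    wlicert -i "$ui" -k "$privkey" "$pubkey" || return 1
    if [ -n "$caps" ]; then
        wlicert -c "$ui" -o "$caps" -s -k "$privkey" "$pubkey" || return 1
    fi
    wlicert -l "$ui"
}

# Example call (placeholder paths): authorize_user_key alice.build01 ./admin.priv ./alice.pub cap1,cap2
if [ $# -ge 3 ]; then
    authorize_user_key "$@"
fi
```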
Deletion of a public key will disable WLI verification of any executable signed by the corresponding private key. If pubkey has WLI administrator authority, it cannot be deleted with wlicert. Use wliadm(1M) for deletion if pubkey has WLI administrator authority. Deletion of a user public key has the following effects:
• The corresponding private key can still be used to generate file access policy signatures, but the policies can no longer be enforced by WLI.
HP-UX 11iv3: Sep 2010 Web Release − 1 − Hewlett-Packard Company 1