HP-UX Whitelisting Version A.01.03 Release Notes (766165-002, March 2015) PDF


HP-UX Whitelisting (WLI) Version A.01.03
Release Notes

Abstract
This document provides information about the new product HP-UX Whitelisting Version A.01.03. This document is intended
for anyone who installs and uses HP-UX Whitelisting. The information in this document assumes that you have experience with
administering an HP-UX operating system.

HP Part Number: 766165-002


Published: March 2015
Edition: 1
© Copyright 2010, 2015 Hewlett-Packard Development Company, L.P.
Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial
Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under
vendor's standard commercial license. The information contained herein is subject to change without notice. The only warranties for HP products
and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as
constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Contents
HP secure development lifecycle
1 About this product
  Features and benefits
    File access policies
    Capabilities
  RSA key parsing
2 What is new in Whitelisting A.01.03
3 Installing WLI
  Installation requirements
  Installation procedure
4 Configuring
  Enabling WLI
  Authorizing the recovery key
  Authorizing administrator keys
  Signing DLKMs
  Backing up the WLI database
  Rebooting to restricted mode
5 Troubleshooting and known issues
  Software distributor issues
  WLI reinstallation
  Lost WLI administrator key or passphrase
  WLI database corruption
  HP Serviceguard
6 Support and other resources
  Contacting HP
    Before you contact HP
    HP contact information
    Subscription service
  Related information
  Typographic conventions
7 Documentation feedback
  Support policy for HP-UX

HP secure development lifecycle
Starting with HP-UX 11i v3 March 2013 update release, HP secure development lifecycle provides
the ability to authenticate HP-UX software. Software delivered through this release has been digitally
signed using HP's private key. You can now verify the authenticity of the software before installing
the products, delivered through this release.
To verify the software signatures in signed depot, the following products must be installed on your
system:
• B.11.31.1303 or later version of SD (Software Distributor)
• A.01.02.00 or later version of HP-UX Whitelisting (WhiteListInf)
To verify the signatures, run: /usr/sbin/swsign -v -s <depot_path>. For more information,
see Software Distributor documentation at http://www.hp.com/go/sd-docs.

NOTE: Ignite-UX software delivered with HP-UX 11i v3 March 2014 release or later supports
verification of the software signatures in signed depot or media, during cold installation.
For more information, see Ignite-UX documentation at http://www.hp.com/go/ignite-ux-docs.

1 About this product
HP-UX Whitelisting (WLI) offers file and system resource protection based on RSA encryption
technology on HP Integrity servers running HP-UX 11i v3. WLI is complementary to the traditional
UNIX discretionary access controls (DAC) based on user, group, and file permissions. The more
granular DAC access control list (ACL) permissions available on VxFS and HFS file systems are
likewise not affected.
WLI is also complementary to other HP-UX security mechanisms such as Role-Based Access Control
(RBAC) and Compartments. HP-UX RBAC, based on role assignment to users, provides services
that allow non-root users to perform tasks requiring root user privilege. HP-UX Compartments restrict
user applications by limiting their access to resources not configured within specific compartments.
In contrast to user file ownership and user role assignment, WLI file and resource access is based
on RSA key ownership. RSA keys are instrumental in granting resource access privileges, referred
to as capabilities in WLI literature, and assigning file access policies. With WLI enforcement in
effect, file and resource access is associated with RSA keys and user ID is not a factor. WLI
restrictions on file and resource access apply equally to root and non-root users.
WLI maintains a database that recognizes two types of RSA keys. User keys can assign file access
policies and sign binary executables for inclusion in file access policies. Administrator keys have
the authority of user keys, plus authority to add user and administrator key recognition to the WLI
database, allow access to restricted resources, and set WLI configuration attributes. A set of
commands is provided that execute only for keys recognized by the WLI database. A subset of
these commands requires administrator key recognition to execute.
WLI relies on HP-UX OpenSSL for RSA key generation. WLI requires that private keys are passphrase
protected. The key owner is responsible for safely storing private keys and changing passphrases.
WLI does not retain private key location or passphrase information. Key recognition and signature
verification are accomplished by retrieving public keys and their relationships from the WLI database
during run-time operations.
WLI contains the following:
• A statically linked kernel component for generating and enforcing file access policies and
resource restrictions.
• User commands for specifying file access policies and signing binary executables for inclusion
in file access policies. User commands require an authorized user key for execution.
• Administrator commands for authorizing user and administrator keys, granting resource access
privileges, and setting configuration attributes. Administrator commands require an authorized
administrator key to execute.
• A set of manpages providing a WLI overview, and descriptions of WLI commands and
configuration files.
• A shared library, libwliapi.so, which provides programmable functions for creating,
deleting, and verifying access on WLI file access policies.

Features and benefits


WLI provides the following features and benefits.

File access policies


WLI restricts access to files residing on VxFS (aka JFS), HFS, and NFS file systems through file
access policies. Both WLI user and administrator keys can authorize generation of file access
policies. Enforcement of file access policies can be enabled or disabled only through administrator
keys. WLI grants file access only to executables that meet policy requirements, regardless of user
ID. WLI provides the following policy types:
• File Lock Access Control (FLAC)—Read access is allowed and write access is denied to all
executables. A FLAC-protected regular file cannot be modified, deleted, or renamed within
the directory where it resides. Content of a FLAC-protected directory cannot be modified and
files immediately under the directory cannot be modified, but files residing in subdirectories
are not affected.
• Identity Based Access Control (IBAC)—Identity of a binary executable is imparted by signing
with private keys recognized by WLI. The signature uniquely identifies the binary as an
authorized executable. An IBAC policy permits an authorized executable to access the
IBAC-protected file. A file can have multiple IBAC policies, each permitting access to a different
authorized executable.
WLI policy enforcement precedes enforcement of DAC permissions. If WLI permits file access, DAC
permissions are still in effect.

Capabilities
WLI restricts access to certain system resources considered to be security risks. Access to these
restricted resources is controlled through WLI administrator keys. An administrator key has the
ability to allow access to a restricted resource by granting the capability pertaining to the resource.
A capability can be granted to any user or administrator key, or a WLI-signed binary executable.
When a capability is granted to a key, the key can be used to grant the capability to an arbitrary
command executing as a child process of a WLI command. The private key and its passphrase
are then required to invoke the signed executable and access the restricted resource.
When a capability is granted to a WLI-signed executable, the executable has the capability
whenever it is invoked. This permits any user to access the protected resource through the signed
executable.
For the initial WLI release, capabilities are:
mem Permits access to memory image files /dev/mem and /dev/kmem.
dlkm Permits loading a Dynamically Loadable Kernel Module (DLKM).
wmd Permits access to WLI metadata. WLI metadata stores policy and signature information.
api Permits access to libwliapi.so, the shared library providing functions for managing
WLI file access policies.

RSA key parsing


WLI uses FIPS 140-2 certified OpenSSL 1.1.2 archive libcrypto.a, based on OpenSSL
A.00.09.07m. This archive is stored at /opt/openssl/fips/0.9.7/lib/hpux64/libcrypto.a
when included with an OpenSSL version such as A.00.09.08l.003. For more
information about FIPS 140-2 (Federal Information Processing Standard 140-2), see
http://www.openssl.org/docs/fips.
Because functions from this archive are statically linked into WLI commands, the archive is not
required to be present on platforms with WLI installed. WLI uses libcrypto.a functions to parse
RSA key files generated by all OpenSSL versions.
The OpenSSL license is stored at /opt/wli/OpenSSL.LICENSE as part of the WLI installation.



2 What is new in Whitelisting A.01.03
The following are the changes in this version:
• A fix for potential memory corruption in one of WLI arenas is provided.

3 Installing WLI
Installation requirements
Hardware requirement
HP Integrity servers.

Operating system requirements


The operating system must be HP-UX 11i v3 at level B.11.31.0909 or later.
To determine the level of HP-UX 11i v3 installed on your system:
% swlist | grep HPUX11i
For example:
% swlist | grep HPUX11i
HPUX11i-DC-OE B.11.31.0909 HP-UX Data Center Operating Environment
If your HP-UX 11i v3 OE version is B.11.31.1503, WLI A.01.03 is installed by default. To configure
WLI A.01.03, see “Configuring” (page 10).
If your HP-UX 11i v3 system level is earlier than B.11.31.0909, download this release from:
https://h20392.www2.hp.com/portal/swdepot/try.do?productNumber=SD

Patch requirements
The following corequisite patches are required for WLI installation:
• HP-UX patch PHKL_38951—VFS cumulative patch
• HP-UX patch PHKL_39401—VM cumulative patch
• HP-UX patch PHKL_40450—DLKM cumulative patch
These patches are bundled with the WLI product and are installed if necessary.

Disk space requirements


• At least 28 MB of disk space must be available on file system “/”.
• At least 24 MB of disk space must be available on file system “/stand”.

System reboot
The system automatically reboots following installation.

Installation procedure
Only a root user (user ID 0) can successfully install WLI. To install WLI, use the following procedure:
1. Review Section (page 8).
2. Log in to the target system as the root user.
3. Go to the HP Software Depot:
http://www.hp.com/go/softwaredepot
4. Search for HP-UX Whitelisting. Read the product information webpage for the latest updates
and release information.
5. Click Select.
6. Enter your registration information. Read and accept the Terms and Conditions and the Software
License Agreement. Click Next.

7. Click Download.
8. Save the HP-UX WhiteList Infrastructure bundle as a local file on your system. Use the file name
/tmp/<wli-depotname>.depot, for example.
9. Verify the depot file is saved on your system with the following command:
# swlist -d @ /tmp/<wli-depotname>.depot
10. Install the bundle:
# swinstall -x autoreboot=true -s /tmp/<wli-depotname>.depot WhiteListInf
11. Verify the installation:
# swverify WhiteListInf
If WLI is installed correctly on the system, the swverify command includes the following text in
the reported data:
Verification succeeded
WLI relies on the OpenSSL product for RSA key generation, but the OpenSSL product is not required
for installation. The latest version of OpenSSL is recommended, but any version installable on
HP-UX 11i v3 is sufficient. You can download the latest version from:
https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=OPENSSL11I
OpenSSL installs by default with every HP-UX OE release, but might have been removed or not
installed with the OE. To determine the OpenSSL version and verify its content, enter:
# swlist OpenSSL
# swverify OpenSSL

4 Configuring
NOTE: Contents of this chapter are not applicable if WLI A.01.00 or A.01.01 is already
configured on your system and is being upgraded to WLI A.01.03.
When WLI installation completes, the system reboots. The kernel rebuilt with WLI components
becomes active for enabling WLI services. To bring WLI to a completely operational state, perform
the following steps manually:
• Enable WLI
• Authorize the recovery key
• Authorize administrator keys
• Identify and sign essential DLKMs
• Back up the WLI database
• Reboot with security mode set to restricted

Enabling WLI
NOTE: This section can be ignored if WLI A.01.03 is installed on a system where WLI A.01.00
was already installed.
In WLI A.01.03, the WLI kernel module is disabled by default. The WLI kernel module must be
enabled before it can be used.
To enable WLI kernel module on your system, perform the following steps:
1. Execute the following commands as root:
# kcmodule wli=best
# reboot
2. Once the system is up, verify the WLI module is loaded as follows:
# kcmodule wli
Module State Cause
wli static explicit
3. Execute the following as root:
# mkdir -m 0755 /dev/wli
Get the major number of the WLI module:
# major_num=`lsdev -hd wli | awk '{print $1}'`
# mknod /dev/wli/admin c $major_num 0
# chmod 0666 /dev/wli/admin
# chown root:root /dev/wli/admin
WLI is now enabled.
After enabling WLI A.01.03 on your system, you may notice some performance degradation and
higher memory consumption, depending on your system configuration.

Authorizing the recovery key


After WLI is installed and the server is rebooted, the wliadm command must be executed to
initialize database files and authorize the recovery key. Root user (user ID 0) authority is required
to execute the initialization command:

% wliadm -i <pub_key> -k <priv_key> [-p <src:val>]
where:
<pub_key> is the public key file extracted from <priv_key> in PEM format.
<priv_key> is an OpenSSL-generated RSA key file in PEM format.
<src:val> is the passphrase source and value. If the -p option is not included, a prompt
appears for the passphrase at the /dev/tty device.
You can execute this command only once for each installation. The specified key becomes the
recovery key for WLI. The recovery key is a special key for granting administrator authority to other
RSA keys and must be stored safely. You can replace it by reinstalling WLI or restoring the WLI
database backup described in this section. After the recovery key is authorized, it can grant WLI
administrative capability to other keys. The recovery key is limited to granting administrator
capability.
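
A pre-flight check for the key pair, added here as an example and not part of the HP release notes: because wliadm -i can run only once per installation, it confirms that the private key is passphrase wrapped and that the public key file really belongs to it. The function names, the WLI_PASS environment variable, the 2048-bit key size and the AES-256 cipher are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not HP code): validate an RSA key pair before `wliadm -i`.
# Assumptions: openssl is on PATH; the passphrase is supplied in the
# environment variable WLI_PASS so it never appears on a command line;
# 2048-bit RSA and AES-256 wrapping are illustrative choices.

# make_keypair <priv> <pub>
# Generate a passphrase-wrapped private key and extract its public half,
# both in PEM format. The private key is created with a restrictive umask.
make_keypair() {
    priv=$1 pub=$2
    ( umask 077
      openssl genrsa -aes256 -passout env:WLI_PASS -out "$priv" 2048
    ) 2>/dev/null || return 1
    openssl rsa -in "$priv" -passin env:WLI_PASS -pubout -out "$pub" 2>/dev/null
}

# is_wrapped <priv>
# Succeed only if the PEM header marks the key as encrypted. Traditional PEM
# carries "Proc-Type: 4,ENCRYPTED"; PKCS#8 uses "BEGIN ENCRYPTED PRIVATE KEY".
is_wrapped() {
    grep -Eq '^(-----BEGIN ENCRYPTED PRIVATE KEY-----|Proc-Type: 4,ENCRYPTED)' "$1"
}

# pair_matches <priv> <pub>
# Re-derive the public key from the private key (this needs the correct
# passphrase) and compare it with the normalized contents of the public key
# file. Covers both the modulus and the public exponent.
pair_matches() {
    from_priv=$(openssl rsa -in "$1" -passin env:WLI_PASS -pubout 2>/dev/null) || return 1
    from_pub=$(openssl rsa -pubin -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$from_priv" ] && [ "$from_priv" = "$from_pub" ]
}

# preflight <priv> <pub>
# Prints "ok" and returns 0 when the pair is safe to pass to wliadm.
# Return codes: 2 unreadable file, 3 key not wrapped, 4 passphrase or pair mismatch.
preflight() {
    priv=$1 pub=$2
    if [ ! -r "$priv" ] || [ ! -r "$pub" ]; then
        echo "key file missing or unreadable" >&2
        return 2
    fi
    if ! is_wrapped "$priv"; then
        echo "private key is not passphrase protected" >&2
        return 3
    fi
    if ! pair_matches "$priv" "$pub"; then
        echo "wrong passphrase, or public key does not match private key" >&2
        return 4
    fi
    echo "ok"
}

# Stand-alone use: sh preflight.sh <priv_key> <pub_key>
if [ $# -eq 2 ]; then
    preflight "$1" "$2"
fi
```

Run it with WLI_PASS exported in the environment; only after it prints "ok" pass the same two files to wliadm -i.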

Authorizing administrator keys


At least one administrator key is necessary to authorize the WLI administrator commands. To
simplify security maintenance, the number of authorized administrator keys must be minimal, even
though an unlimited number is allowed. The recovery key authorized in the previous procedure
must be used to authorize the first administrator key.
An administrator key can be used for all WLI operations, including granting itself capabilities. For
details on authorizing keys for WLI administration, see wliadm(1M). For details on granting
capabilities, see wlicert(1M).
HP recommends all administrator keys are authorized before the reboot because the database file
holding administrator keys cannot be backed up or restored after the system is rebooted with WLI
security mode set as restricted.
Root user (user ID 0) authority is not required to authorize a key for WLI administration. The user
must have read permission on the key and know the passphrase. To authorize an administrator
key:
% wliadm -n <user>.<instance> -k <priv_key> [-p <src:val>] <pub_key>
where:
<user> is the key identifier; user is a valid user ID.
<instance> is the key identifier; instance is a string chosen by an administrator.
<priv_key> is the recovery key or previously authorized administrator key.
<src:val> is the passphrase source and value. If the -p option is not included, a prompt
appears for the passphrase at the /dev/tty device.
<pub_key> is the public key being authorized for WLI administrator authority.
Changing administrator key passphrases does not impact WLI database files. Generating a new
WLI database backup following passphrase changes to user or administrator keys is not necessary.

Signing DLKMs
WLI protects a system against rogue DLKMs in restricted mode. For a DLKM to be loaded by
the system during boot, it must be signed with wlisign using an authorized key. The signing key
does not require dlkm capability. The signature permits the DLKM to be authenticated by WLI
before it is loaded.
One essential DLKM that loads during boot is the Kernel Random Number Generator,
/usr/conf/mod/rng. Before setting WLI to restricted mode and rebooting the system, it is
necessary to sign this DLKM. If /home/jane/jane.priv is a key with WLI administration
authority, the following procedure allows /usr/conf/mod/rng to load and initialize during boot:

• Sign the DLKM:
% wlisign -a -k /home/jane/jane.priv /usr/conf/mod/rng
where:
jane is a valid user ID.
jane.priv is the key identifier.
priv is an arbitrary string chosen by the administrator.

Backing up the WLI database


After all administrator keys are authorized, HP recommends backing up the WLI database while
the security mode is maintenance. A backup of administrator key files is not possible after
WLI is operational in restricted mode. To back up the WLI database in maintenance mode:
% tar -cf wli.tar /etc/wli
For this example, tar is used. Proprietary backup utilities or cpio also work.
No procedure changes are required for restoring a database backup in maintenance mode.
In restricted mode, a database backup cannot be restored because of read/write protection
on administrator key storage.

Rebooting to restricted mode


WLI installs and configures when security mode is set to maintenance. This mode disables
all WLI file and resource protection, allowing the installer to complete all the previous steps.
After all administrator keys are authorized and a WLI database backup is generated, the system
can be rebooted for WLI to operate in restricted mode:
% wlisyspolicy -s mode=restricted -k <wli_admin_key>
The following must be executed by root user:
# shutdown -r
Following reboot, WLI is completely operational in the secure restricted mode.

5 Troubleshooting and known issues
Software distributor issues
Signing an ELF formatted binary adds a signature metadata section to the binary file. This action
has the side effect of changing the file modification time and size. If the binary happens to be
delivered as part of a product, the swverify command registers errors.
If error-free swverify analysis on a product is important, sign and use a duplicate of the command
whenever practical. If using a copy is not practical, the SD-UX product database can be updated
with swmodify so that swverify errors are not reported.
For example, if /usr/bin/ssh and /usr/sbin/sshd are signed, clear the swverify error
with the following:
% wlisign -a -k userkey1 /usr/bin/ssh
% wlisign -a -k userkey1 /usr/sbin/sshd
% swmodify -x files='/usr/bin/ssh /usr/sbin/sshd' Secure_Shell.SECURE_SHELL

WLI reinstallation
Residual file access policy and signature metadata from a previous installation can interfere with
a WLI reinstallation. The metadata from a previous installation can prevent generation of new file
access policies and signatures.
When WLI is removed by swremove, the WLI database must be deleted to allow a possible
reinstallation to install and configure correctly. But WLI does not keep track of policies and signed
files, and they are not removed when the product is removed.
This problem does not appear if WLI is upgraded to a later revision. The WLI database remains
intact, and the manual configuration steps must not be executed for WLI upgrades.
Consider the following habits for administrators and users:
• Minimize using administrator keys for generating policies and signatures. Removing
authorization from administrator keys has more impact than from user keys.
• Remove policies and signatures when no longer needed.

Lost WLI administrator key or passphrase


A new administrator key can always be authorized through wliadm if the recovery key is available
and its passphrase is known. Always store the recovery key and passphrase safely. The recovery
key is not useful except for authorizing administrator keys and you can store it apart from the
system where it has authority.
WLI keys are wrapped (encrypted with a cipher and passphrase) by the OpenSSL genrsa
subcommand. If the passphrase is lost, no procedure exists to recover or decrypt the wrapped
private key. For security, delete an administrator key with unknown passphrase. To delete an
administrator key with missing passphrase:
% wliadm -d <user>.<instance> -k <recovery_key>
For more information about generating RSA keys and authorizing as WLI administrative keys, see
wliadm(1).

WLI database corruption


The database can become corrupted if the underlying storage device sustains physical damage.
If the files comprising the database lose their integrity, WLI can display unpredictable behavior.
The WLI database needs to be restored from an archive.

For a WLI database archive to be internally consistent, the archive must contain all files residing
under /etc/wli. These files must not have any intervening updates.
The database is updated through the wliadm, wlicert, wlisys, and wlisyspolicy commands.
The database can be restored from archive only with WLI security mode set as maintenance.
The security mode is cached within kernel space, not read from the database. The security
mode in effect can only be determined by:
% wlisyspolicy -g
To switch to maintenance mode:
% wlisyspolicy -s mode=maintenance -k <admin_key>
The command might return a message that a reboot is necessary. Following reboot, query once
more with wlisyspolicy to verify maintenance mode is in effect.
To restore the WLI database from archive:
% su root
# rm -r /etc/wli
If deletion fails for any file, reboot the system with a kernel that does not contain WLI.
# tar -xf /tmp/wlikeydb.tar
Or use an equivalent archive restore operation.
If the WLI database has been severely damaged, switching to maintenance mode might not be
possible. To maintain the highest possible security, the security mode defaults to restricted
if the initialization value cannot be read from the WLI database.
If the system cannot be switched to maintenance mode using wlisyspolicy, a kernel must
be booted that does not contain the WLI components.
To rebuild the kernel without wli:
# kcmodule wli=unused
# shutdown -r
Following reboot, all WLI file access policies and resource protections are disabled. After restoring
the WLI database, the WLI kernel can be rebuilt and rebooted:
# kcmodule wli=static
# shutdown -r

HP Serviceguard
WLI has no associated processes in user or kernel space. Therefore, failover packaging is not
required for WLI by itself. However, a product that accesses files protected by WLI access policies
might need some adjustments to its failover packaging.
WLI does not affect device special files with the exception of /dev/mem and /dev/kmem. A
failover package does not need modification for WLI services with regard to the transitioning of
communication and storage links between nodes. The
WLI database contains certain files unique to each platform that cannot be shared among cluster
nodes. The WLI database must also reside on the root file system, which is mounted early following
the kernel initialization phase of boot. Because the WLI database is not sharable among nodes,
successful product failover depends on WLI administrative command operations being executed
identically on each node following the initial installation.
Veritas Storage Foundation CFS is not supported by WLI. Policies assigned to files residing on CFS
file systems are not enforced.
The shared library functions in /opt/wli/lib/libwliapi.so are not supported on HP
Serviceguard clusters in this release.

6 Support and other resources
Contacting HP
Before you contact HP
Be sure to have the following information available before you contact HP:
• Technical support registration number (if applicable)
• Product serial number
• Product identification number
• Applicable error message
• Add-on boards or hardware
• Third-party hardware or software
• Operating system type and revision level

HP contact information
For the name of the nearest HP authorized reseller:
• See the Contact HP worldwide (in English) webpage
(http://welcome.hp.com/country/us/en/wwcontact.html).
For HP technical support:
• In the United States, for contact options see the Contact HP United States webpage
(http://welcome.hp.com/country/us/en/contact_us.html). To contact HP by phone:
◦ Call 1-800-HP-INVENT (1-800-474-6836). This service is available 24 hours a day, 7
days a week. For continuous quality improvement, calls may be recorded or monitored.
◦ If you have purchased a Care Pack (service upgrade), call 1-800-633-3600. For more
information about Care Packs, see the HP website (http://www.hp.com/hps).
• In other locations, see the Contact HP worldwide (in English) webpage
(http://welcome.hp.com/country/us/en/wwcontact.html).
For customers with an HP-UX support agreement, technical support is available through the HP
World Wide Response Centers at www.hp.com/support. Support is also offered through the IT
Resource Center at www.itrc.hp.com.
For the HP-UX discussion forum, from the ITRC home page click Forums→HP-UX→Security. Or,
the direct link is ITRC Forums Security.
If you find a security vulnerability associated with WLI, report it at:
http://welcome.hp.com/country/us/en/sftware_security.html.

Subscription service
HP recommends that you register your product at the Subscriber's Choice for Business website:
http://www.hp.com/country/us/en/contact_us.html
After registering, you will receive email notification of product enhancements, new driver versions,
firmware updates, and other product resources.

Related information
Documents
• OpenSSL A.00.09.08n.010, A.00.09.08n.011, and A.00.09.08n.012 Release Notes HP-UX
11i v1, HP-UX 11i v2, and HP-UX 11i v3:
http://www.hp.com/go/hpux-security-docs
Click HP-UX OpenSSL Software.
• Symantec NetBackup™ Snapshots, Continuous Data Protection, and Replication:
http://eval.symantec.com/mktginfo/enterprise/white_papers/b-techbrief_nbu_snapshots_replction_cdp_WP-20719041.en-us.pdf
• For a high level description of HP-UX file systems, see HP-UX System Administrator's Guide:
Overview HP-UX 11i Version 3:
http://bizsupport2.austin.hp.com/bc/docs/support/SupportManual/c02281492/c02281492.pdf

Websites
• HP-UX Whitelisting documentation website:
http://www.hp.com/go/hpux-security-docs
Click HP-UX Security Products and Features Software.
• HP Serviceguard Solutions for high availability and disaster recovery:
http://www.hp.com/go/serviceguardsolutions
• HP Serviceguard publications:
http://www.hp.com/go/hpux-serviceguard-docs
• Veritas Storage Foundation Cluster File System:
http://www.symantec.com/business/storage-foundation-cluster-file-system

Typographic conventions
This document uses the following typographical conventions:
%, $, or # A percent sign represents the C shell system prompt. A dollar sign
represents the system prompt for the Bourne, Korn, and POSIX
shells. A number sign represents the superuser prompt.
audit(5) A manpage. The manpage name is audit, and it is located in
Section 5.
Command A command name or qualified command phrase.
Computer output Text displayed by the computer.
Ctrl+x A key sequence. A sequence such as Ctrl+x indicates that you
must hold down the key labeled Ctrl while you press another key
or mouse button.
ENVIRONMENT VARIABLE The name of an environment variable, for example, PATH.
ERROR NAME The name of an error, usually returned in the errno variable.
Function() The name of a function.
Key The name of a keyboard key. Return and Enter both refer to the
same key.

Parameter The name of a parameter.
Term The defined use of an important word or phrase.
User input Commands and other text that you type.
Variable The name of a placeholder in a command, function, or other
syntax display that you replace with an actual value.
[] The contents are optional in syntax. If the contents are a list
separated by |, you must choose one of the items.
{} The contents are required in syntax. If the contents are a list
separated by |, you must choose one of the items.
... The preceding element can be repeated an arbitrary number of
times.
Indicates the continuation of a code example.
| Separates items in a list of choices.
WARNING A warning calls attention to important information that if not
understood or followed will result in personal injury or
nonrecoverable system problems.
CAUTION A caution calls attention to important information that if not
understood or followed will result in data loss, data corruption,
or damage to hardware or software.
IMPORTANT This alert provides essential information to explain a concept or
to complete a task.
NOTE A note contains additional information to emphasize or supplement
important points of the main text.

7 Documentation feedback
HP is committed to providing documentation that meets your needs. To help us improve the
documentation, send any errors, suggestions, or comments to Documentation Feedback
(docsfeedback@hp.com). Include the document title and part number, version number, or the URL
when submitting your feedback.

Support policy for HP-UX


For more information about support policy for HP-UX, see HP-UX support policy.
