Activate the installation
After you've created, downloaded, and installed your packages, you must activate the installation.
Important information prior to activation
Prior to use, the EPM-L client installation must be activated using a registration binary (pbactivate), to obtain the proper client certificates for the application and finalize its configuration.
The pbactivate binary requires a token string obtained from the EPM-L console as input. When it completes its operation, it creates two files:
- /etc/pbscert.crt – The per-endpoint client machine certificate.
- /etc/pbskey.pem – The private key for the client machine certificate.
BeyondTrust recommends properly protecting these files, to avoid spoofing by malicious actors.
Warning
Do not share certificates between machines. Clients cannot use a certificate issued to a different machine.
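The recommendation to protect these two files can be checked once activation has completed. The following is an added example, not BeyondTrust code: it assumes a policy of root ownership, no group or other access on the private key, and no group or other write access on the certificate, and it requires GNU stat. The function names and the optional directory and UID parameters are hypothetical.

```shell
#!/bin/sh
# Added example, not BeyondTrust code. Assumed policy (not from the vendor page):
# both files are regular files owned by root, the private key has no group/other
# access, and the certificate is not group/other writable. Requires GNU stat.

# check_file PATH MASK [UID]: fail if PATH is missing, a symlink, not owned by
# UID (default 0), or has any permission bit from octal MASK set.
check_file() {
    f=$1 mask=$2 want_uid=${3:-0}
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "FAIL $f: missing, a symlink, or not a regular file" >&2
        return 1
    fi
    mode=$(stat -c '%a' "$f") || return 1
    uid=$(stat -c '%u' "$f") || return 1
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL $f: owned by uid $uid, expected $want_uid" >&2
        return 1
    fi
    # A leading 0 makes the shell read both values as octal.
    if [ $(( 0$mode & 0$mask )) -ne 0 ]; then
        echo "FAIL $f: mode $mode grants bits in mask $mask" >&2
        return 1
    fi
    echo "OK   $f: mode $mode, uid $uid"
}

# audit_pb_credentials [DIR] [UID]: check both files pbactivate creates.
# DIR and UID are hypothetical parameters so the check can be exercised on test files.
audit_pb_credentials() {
    dir=${1:-/etc} expect_uid=${2:-0} rc=0
    check_file "$dir/pbscert.crt" 022 "$expect_uid" || rc=1   # certificate
    check_file "$dir/pbskey.pem" 077 "$expect_uid" || rc=1    # private key
    return $rc
}

# On an activated client, as root:  audit_pb_credentials
```

A non-zero return status means at least one file failed a check; the reason is printed on stderr.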
Retrieve the token
- From the top left of the BeyondTrust Home page, click > Endpoint Privilege Management for Linux > Installers.
The Linux Deployment Packages page displays.
- At the bottom of the page, click Retrieve Token.
- Enter a token expiry value, in minutes.
Note
Supported values are 30 minutes and greater.
- Click the Copy icon to copy the token string to your clipboard.
Activate the installation
- Retrieve the token from the Linux Deployment Packages page.
- Navigate to the terminal connected to the EPM-L client as root.
- Run pbactivate with the -t option to specify the copied token string as its command-line parameter:
[root@client~] /usr/sbin/pbactivate -t eyJhbGciOiJNEQIgEk...vM5o1qbhoJfsI7beI7w
About to contact epm.beyondtrust.io
Received request results. Verifying...
Verified data integrity.
Stored client authentication data.
- If pbactivate runs with an incorrect token string, it reports “Malformed activation token”.
- If pbactivate runs with a token that has expired, it reports “Activation token expired”.
- Provide the token string to pbactivate.
Note
Provide the token string in one of the following ways (listed in order of preference):
command-line parameter
Pass the token with the -t option (recommended).
/usr/sbin/pbactivate -t
stdin via a file redirect
A file redirect might be:
/usr/sbin/pbactivate < token.txt
stdin via a pipe
A pipe might be:
echo "eyJhbGciOiJS...kBfE_W3i4g" | /usr/sbin/pbactivate
or
echo ${TOKEN} | /usr/sbin/pbactivate
environment variable
The environment variable to use is `PBATOKEN`.
export PBATOKEN=eyJhbGciOiJS...kBfE_W3i4g
...
/usr/sbin/pbactivate
stdin via TTY if in foreground
If the program is being invoked from a foreground terminal session, pbactivate will prompt the user to enter the token (this is where you paste the token in):
/usr/sbin/pbactivate
Enter token:
The package installation and activation completes.