Cached policy and logs settings

The following settings apply, and need to be set, when cached policy is implemented.

allowcaching

  • Version 22.3 and earlier: allowcaching setting not available
  • Version 23.1 and later: allowcaching setting available

The allowcaching setting specifies whether a role-based policy server and license server allow policy caching.

Default

allowcaching    no

Used on

Policy server hosts

enablecaching

  • Version 22.3 and earlier: enablecaching setting not available
  • Version 23.1 and later: enablecaching setting available

The enablecaching setting specifies whether a submit host running pbrun, pbsh and/or pbksh can use cached policy and write cached logs when connectivity to the policy server fails.

Default

enablecaching    no

Used on

Submit hosts

cachedpolicylimitdays

  • Version 22.3 and earlier: cachedpolicylimitdays setting not available
  • Version 23.1 and later: cachedpolicylimitdays setting available

The cachedpolicylimitdays setting specifies the number of days to allow a cached policy to operate without update. The minimum is 1 and there is no maximum.

Default

cachedpolicylimitdays    30

Used on

Submit hosts on which caching is enabled.

cachedforwardinterval

  • Version 22.3 and earlier: cachedforwardinterval setting not available
  • Version 23.1 and later: cachedforwardinterval setting available

The cachedforwardinterval setting specifies the interval (in minutes) between scheduled attempts to forward cached write queue and IO log files to the log server. The minimum is 5 and there is no maximum.

Default

cachedforwardinterval    30

Used on

Submit hosts on which caching is enabled.

cachedrbpencryption

  • Version 22.3 and earlier: cachedrbpencryption setting not available
  • Version 23.1 and later: cachedrbpencryption setting available

The cachedrbpencryption setting specifies the encryption scheme used to encrypt and decrypt a cached role-based policy. It uses the following syntax:

cachedrbpencryption <algorithm-1>:<keyfile=/fullpath/data-file-1>[:<startdate=yyyy/mm/dd>:<enddate=yyyy/mm/dd>] <algorithm-2>:<keyfile=/fullpath/data-file-2>[:<startdate=yyyy/mm/dd>:<enddate=yyyy/mm/dd>] ...

where:

  • algorithm-n is the name of the algorithm type.
  • /fullpath/data-file-n (optional) specifies the full path and file name of the data file, which is used to dynamically derive the encryption key.
  • startdate=yyyy/mm/dd specifies the earliest date that this algorithm is to be used.
  • enddate=yyyy/mm/dd specifies the latest date this algorithm is to be used.

Within each encryption setting, each component is separated by a colon (:). Multiple encryption settings are separated by a space.

You can provide a list of algorithm/key pairs, but only the first valid entry is used for encryption purposes; all other entries are used as historical references to decrypt the cached RBP file. Algorithm/key pairs that are not active can still be used to read existing files.

The starting and ending dates are optional and are applied as follows:

  • If the optional dates are used, then the algorithm/data-file pair is only valid for writing to files during the specified time period.
  • If a starting date is specified, then the algorithm/key data-file takes effect at the start of that day; otherwise, the algorithm/key data-file is active immediately.
  • If an ending date is specified, then the algorithm becomes inactive at the end of that date; otherwise, the algorithm/key data-file never expires.

The starting and ending dates are reckoned in Coordinated Universal Time (UTC), which eliminates ambiguity when the machines are in different time zones.

Default

aes-256:keyfile=/etc/pbcached.key when caching is supported; none otherwise.

cachedrbpencryption aes-256:keyfile=/etc/pbcached.key

Used on

Policy server hosts on which caching is allowed and submit hosts on which caching is enabled.

cachedwqencryption

  • Version 22.3 and earlier: cachedwqencryption setting not available
  • Version 23.1 and later: cachedwqencryption setting available

The cachedwqencryption setting specifies the encryption scheme used to encrypt and decrypt write queue files cached on submit hosts. It uses the following syntax:

cachedwqencryption <algorithm-1>:<keyfile=/fullpath/data-file-1>[:<startdate=yyyy/mm/dd>:<enddate=yyyy/mm/dd>] <algorithm-2>:<keyfile=/fullpath/data-file-2>[:<startdate=yyyy/mm/dd>:<enddate=yyyy/mm/dd>] ...

where:

  • algorithm-n is the name of the algorithm type.
  • /fullpath/data-file-n (optional) specifies the full path and file name of the data file, which is used to dynamically derive the encryption key.
  • startdate=yyyy/mm/dd specifies the earliest date that this algorithm is to be used.
  • enddate=yyyy/mm/dd specifies the latest date this algorithm is to be used.

Within each encryption setting, each component is separated by a colon (:). Multiple encryption settings are separated by a space.

You can provide a list of algorithm/key pairs, but only the first valid entry is used for encryption purposes; all other entries are used as historical references to decrypt the cached write queue file. Algorithm/key pairs that are not active can still be used to read existing files.

The starting and ending dates are optional and are applied as follows:

  • If the optional dates are used, then the algorithm/data-file pair is only valid for writing to files during the specified time period.
  • If a starting date is specified, then the algorithm/key data-file takes effect at the start of that day; otherwise, the algorithm/key data-file is active immediately.
  • If an ending date is specified, then the algorithm becomes inactive at the end of that date; otherwise, the algorithm/key data-file never expires.

The starting and ending dates are reckoned in Coordinated Universal Time (UTC), which eliminates ambiguity when the machines are in different time zones.

Default

aes-256:keyfile=/etc/pbcached.key when caching is supported; none otherwise.

cachedwqencryption aes-256:keyfile=/etc/pbcached.key

Used on

Submit hosts on which caching is enabled.
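
The entry-selection rules described for cachedrbpencryption and cachedwqencryption, as an added Python example that is not BeyondTrust code: it parses a setting value and reports which entry would be used for writing at a given moment, with the rest left as decrypt-only history. The function names, sample key paths and dates are assumptions, and "valid" is taken here to mean only that the date window contains the current UTC date.

```python
from dataclasses import dataclass
from datetime import date, datetime, timezone
from typing import List, Optional


@dataclass
class Entry:
    algorithm: str
    keyfile: Optional[str] = None
    start: Optional[date] = None  # active from the start of this day (UTC)
    end: Optional[date] = None    # active until the end of this day (UTC)


def parse_encryption(value: str) -> List[Entry]:
    """Parse the value of cachedrbpencryption or cachedwqencryption."""
    entries = []
    for setting in value.split():               # settings: space-separated
        algorithm, *parts = setting.split(":")  # components: colon-separated
        entry = Entry(algorithm)
        for part in parts:
            key, _, val = part.partition("=")
            if key == "keyfile" and val.startswith("/"):
                entry.keyfile = val
            elif key == "startdate":
                entry.start = datetime.strptime(val, "%Y/%m/%d").date()
            elif key == "enddate":
                entry.end = datetime.strptime(val, "%Y/%m/%d").date()
            else:
                raise ValueError(f"bad component {part!r} in {setting!r}")
        entries.append(entry)
    return entries


def writer_for(entries: List[Entry], now: datetime) -> Optional[Entry]:
    """First entry whose window contains `now`; `now` must be timezone-aware."""
    today = now.astimezone(timezone.utc).date()  # dates are compared in UTC
    for e in entries:
        if (e.start is None or e.start <= today) and \
           (e.end is None or today <= e.end):
            return e
    return None  # no entry is valid for writing; all remain decrypt-only


# Constructed key-rotation value: the paths and dates are illustrative only.
SAMPLE = ("aes-256:keyfile=/etc/pbcached-2025.key:startdate=2025/07/01 "
          "aes-256:keyfile=/etc/pbcached.key:enddate=2025/06/30")
```

Passing a timezone-aware local time shows the UTC rule: 20:00 on 2025/06/30 at UTC-5 is already 2025/07/01 in UTC, so the entry starting on 2025/07/01 is selected.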

pbcachedresttimeout

  • Version 22.3 and earlier: pbcachedresttimeout setting not available
  • Version 23.1 and later: pbcachedresttimeout setting available

The pbcachedresttimeout setting specifies the number of seconds before an attempt to send a cached write queue or IO log file to the log server times out. The minimum value is 30 and the maximum is 600.

Default

pbcachedresttimeout    300

Used on

Submit hosts on which caching is enabled.

pbcachedfilespath

  • Version 22.3 and earlier: pbcachedfilespath setting not available
  • Version 23.1 and later: pbcachedfilespath setting available

The pbcachedfilespath setting is the name of the top-level subdirectory of the installation base directory to which write queue and IO log files are written on cached clients and to which incoming write queue and log files are written on log servers.

Default

pbcached (giving a typical full path name of /opt/pbul/pbcached)

pbcachedfilespath /opt/pbul/pbcached

Used on

Log server hosts in caching configurations and submit hosts on which caching is enabled.

pbcacheddb

  • Version 22.3 and earlier: pbcacheddb setting not available
  • Version 23.1 and later: pbcacheddb setting available

The pbcacheddb setting is the name of the database file that stores information on cached write queue and IO log files awaiting transfer to the log server. That database file resides in the configured database directory (typically /opt/pbul/dbs).

Default

pbcached.db (giving a typical full path name of /opt/pbul/dbs/pbcached.db)

pbcacheddb /opt/pbul/dbs/pbcached.db

Used on

Submit hosts on which caching is enabled.

policykeyfile

  • Version 22.3 and earlier: policykeyfile setting not available
  • Version 23.1 and later: policykeyfile setting available

The policykeyfile setting specifies the name of the file containing the private key used to sign a role-based policy used for caching. That file resides in the directory in which EPM-UL expects to find certificates and keys (typically /etc).

Default

pbpolicykey.pem (giving a typical full path name of /etc/pbpolicykey.pem)

policykeyfile /etc/pbpolicykey.pem

Used on

Policy server hosts on which caching is allowed.

policypubcertfile

  • Version 22.3 and earlier: policypubcertfile setting not available
  • Version 23.1 and later: policypubcertfile setting available

The policypubcertfile setting specifies the name of the file containing the public key with which to verify the signature of a role-based policy delivered to a client that supports caching. The file resides in the directory in which EPM-UL expects to find certificates and keys (typically /etc).

Default

pbpolicypubcert.pem (giving a typical full path name of /etc/pbpolicypubcert.pem)

policypubcertfile /etc/pbpolicypubcert.pem

Used on

Policy server hosts on which caching is allowed and submit hosts on which caching is enabled.

