Documentation

Configuration and settings database

Suggest Edits

Endpoint Privilege Management for Unix and Linux (EPM-UL) provides configuration and settings change management.

The configuration files, including the pb.settings, policy configuration scripts, and encryption keys can be stored in a database. The database stores versioning information and allows rollback of individual configuration files, or complete sets of files from the command line.

Import files into the database using pbdbutil to use change management.

Example

# pbdbutil --cfg -i /etc/pb.settings /opt/pbul/policies/pb.conf /etc/pb.key
{"fname":"/etc/pb.settings","version":1}``# pbdbutil --cfg -i /etc/pb.settings /etc/pb.rest.key
{"fname":"/etc/pb.settings","version":1}
{"fname":"/etc/pb.rest.key","version":1}

As soon as the files are imported they are versioned and every EPM-UL binary uses the current database copy in preference to the existing files. The existing file is renamed and a comment inserted at the top of the file as an aide-memoire.

ℹ️

Note

Because the database now stores the imported files, we recommend the original files are moved as a backup. The backup will also serve as a reminder that these files no longer represent the current version.

To change the files, export, make the change, and re-import:

# pbdbutil --cfg -e /etc/pb.settings
{"fname":"/etc/pb.settings","version":"#"}
# vi /etc/pb.settings
# pbdbutil --cfg -i /etc/pb.settings
{"fname":"/etc/pb.settings","version":2}

The version is incremented, and the current version stored.

A set of configuration files can be tagged together at their current version. At a later time, you can retrieve all the tagged files at their respective versions. To tag a group of files, use pbdbutil --cfg -t:

# pbdbutil --cfg -l
{"version":1,"pathname":"/opt/pbul/policies/pb.conf","deleted":0,"created":"2018-05-21 14:26:51"}
{"version":2,"pathname":"/etc/pb.settings","deleted":0,"created":"2018-05-21 14:26:48"}

# pbdbutil --cfg -t "working" /etc/pb.settings /opt/pbul/policies/pb.conf
{"fname":"/etc/pb.settings","tag":"working","version":"#"}
{"fname":"/opt/pbul/policies/pb.conf","tag":"working","version":"#"}

To export the files as a group:

# pbdbutil --cfg -l
{"version":1,"pathname":"/opt/pbul/policies/pb.conf","deleted":0,"created":"2018-05-21 14:26:51"}
{"version":2,"pathname":"/etc/pb.settings","deleted":0,"created":"2018-05-21 14:26:48"}

# pbdbutil --cfg -l /etc/pb.settings
{"pathname":"/etc/pb.settings","version":1,"tag":null,"deleted":0,"created ":"2018-05-21 14:26:46"}
{"pathname":"/etc/pb.settings","version":2,"tag":"working","deleted":0,"created":"2018-05-21 14:26:48"}

# pbdbutil --cfg -e -V working
{"fname":"/etc/pb.conf","version":"#"}
{"fname":"/etc/pb.settings","version":"#"}

ℹ️

Note

For more information on other options to import, export, tag and diff database configuration files, see "pbdbutil".

Database settings

databasedir

  • Version 9.3.0 and earlier: databasedir setting not available.
  • Version 9.4.0 and later: databasedir setting available.

The databasedir setting is used to specify the default path to databases used within the product, that are specified with a relative path.

Example

databasedir /opt/pbul/dbs
servicedb pbsvc.db

The example above configures the service database to be /opt/pbul/dbs/pbsvc.db. However,

databasedir /opt/pbul/dbs
servicedb /etc/pbsvc.db

does not affect servicedb

Default

databasedir /opt/<prefix>pbul<suffix>/dbs

Used on

All hosts

databaselocktimeouts

  • Version 10.0.1 and earlier: databaselocktimeouts setting not available.
  • Version 10.1.0 and later: databaselocktimeouts setting available.

The databaselocktimeouts setting is used to specify the database timeout values for all the various services with EPM-UL. Busy systems can sometimes produce delays in processing data because of contention for database resources. Usually a service will timeout on the specific database and return an error. However, this may not always be the best course of action.

The current list of services include:

  • license
  • rns
  • dbsync
  • akapolicy
  • iologidx
  • restkey
  • fim
  • event
  • logcache
  • rbp
  • sudo
  • sched
  • polpvar
  • logarchive
  • intprod
  • clientreg
  • pbpolicy

There is also a default service that is applied when a more specific setting has not been configured.

Values take the format of service=,, where delay is in microseconds.

Example

databaselocktimeouts default=1000,30 fim=2000,60 rbp=500,10

Default

No default value

Used on

All hosts

lockfileexpiry

Configuration and settings files are centrally managed by EPM-UL using a database. Administrators are allowed to lock the file(s) contained in databases to manage concurrency. The lockfileexpiry setting specifies the length of time (in seconds) before that file lock expires.

Example

lockfileexpiry 45

Default

0

Client registration

Client registration facilitates the installation and configuration of new EPM-UL clients into the enterprise. It consists of a centralized Registration Profile service, normally found on the primary server. This service is configured with customized profiles that match the settings required for the installation of hosts that provide differing roles in the organization. When new EPM-UL clients are installed these profiles are retrieved, providing the configuration required to complete the installation.

clntregdb

  • Version 9.3.0 and earlier: clntregdb setting not available.
  • Version 9.4.0 and later: clntregdb setting available.

The clntergdb option specifies the path to the Client Registration database. This file is created in databasedir by default, unless the file name starts with /.

Example

clntregdb /etc/pbclntreg.db

Default

clntregdb /opt/<prefix>pbul<suffix>/dbs/pbregclnt.db

Used on

Primary servers

Example client registration procedure

  1. Install the primary license server, making sure that the REST services are installed. Make a note of the port number of the REST service. Also make sure that if the host has any firewalls installed, that this TCP port is unblocked.
  2. After main installation is complete check that the REST service is running (ps -ef | grep pbconfigd), and if it isn't, follow normal procedures to start the service.
  3. Create a REST application ID and key:
pbdbutil --rest -g appid
{"appkey":"934bbab5-503e-4c40-8486-90c748142431"}
  1. Ensure the pb.settings file has all the necessary configuration, including encryption and encryption keys defined.
  2. Now we are ready for a client install. Run the normal pbinstall on the client and when asked whether to use Client Registration, answer yes, and provide responses to the Client Registration configuration questions:
Do you wish to utilize Client Registration? [yes]

Enter the Application ID generated on the Primary License Server: appid
Enter the Application Key generated on the Primary License Server: 934bbab5-503e-4c40-8486-90c748142431
Enter the Primary License Server address/domain name for registering clients: pbmasterhost.mydomain.com
Enter the Primary License Server REST TCP/IP port [24351]: 24351
Enter the Registration Client Profile name [default]: default
  1. pbinstall then defaults all the configuration of the install to the retrieved pb.settings and transfers all the necessary keyfiles automatically.

Updated 5 days ago

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.