Installation process

Endpoint Privilege Management for Unix and Linux supports interactive installation methods and package installation methods. Before you choose which installation method to use, we recommend that you review the indicated section.

• Use pbinstall: pbinstall is a command-line script that can be used to install (or upgrade) Endpoint Privilege Management for Unix and Linux. It enables the user to review each setting during the installation process and customize the Endpoint Privilege Management for Unix and Linux installation on that host.

A wrapper script, run_pbinstall, is available to simplify installation of all Endpoint Privilege Management for Unix and Linux components.

• Use pbmakeremotetar:pbmakeremotetar enables you to clone an Endpoint Privilege Management for Unix and Linux installation on a host across other hosts. pbmakeremotetar is effective when you have multiple systems that are running the same Endpoint Privilege Management for Unix and Linux flavor and are to be configured identically.
• Use pbpatchinstall: pbpatchinstall enables you to install Endpoint Privilege Management for Unix and Linux patches on installations of Endpoint Privilege Management for Unix and Linux v4.0 and higher.
• Use package installers: For Solaris, Linux, HP-UX, and AIX, you can install Endpoint Privilege Management for Unix and Linux using package installers.

📘

For more information, see the following:

• run_pbinstall
• pbmakeremotetar
• Example of a pbpatchinstall execution
• Solaris Package Installer
• Linux package installer
• HP-UX package installer
• AIX Package Installer
• Custom installations

Basic pbinstall information

The following list provides basic information about the pbinstall script:

• The pbinstall script is located in the Endpoint Privilege Management for Unix and Linux distribution in the powerbroker///install directory.
• pbinstall can be run from an Endpoint Privilege Management for Unix and Linux distribution CD or from an unpacked tar file. The pbinstall install script guides you through the installation and enables you to specify which Endpoint Privilege Management for Unix and Linux components to install.
• Run pbinstall on each machine that needs Endpoint Privilege Management for Unix and Linux components installed.
• Superuser authority is required to run pbinstall. Before running pbinstall, either log on as root or use the su command to acquire root privileges.
• pbinstall can be run with various options.

ℹ️

Note

For more information, see Installation Programs.

Navigate the pbinstall menu and choose option values

The pbinstall script presents options in a numbered menu. Because of the large number of options, the menu is divided into pages. You use the navigation characters listed below to navigate the pages. To use a navigation character, type the character and press Enter.

The navigation characters are as follows:

• C: Continue installation
• N: Next menu page
• P: Previous menu page
• R: Redraw menu (not shown due to space limitations)
• X: Exit script without performing any configuration

To set the value of a menu option, type the number for that option and press Enter. Specify the value for the option and press Enter. For Yes and No options, you can specify N, n, Y, or y.

You might also see the following prompts, which are synonymous:

• Press return to continue
• Hit return to continue

Review the messages preceding these prompts on the screen. Press Return, Enter, , or for the installation process to continue.

pbinstall installation menu conventions

Conventions for the pbinstall installation menu include the following:

• Some options are displayed only if other options or the system configuration allow them.
• The item numbers vary with the configuration of the installation target system.
• The step numbers for the basic Endpoint Privilege Management for Unix and Linux installation instructions do not necessarily match the option numbers in the pbinstall installation script.
• If the current value of an option forces the line to be longer than 80 characters, the value within the square brackets is truncated and appended with ellipsis (…).
• Menu pages are limited to a maximum of 18 items. To view additional options, use the navigation characters: N (for next page) or P (for previous page).
• The values that are shown in the installation menu are examples and not necessarily the defaults or recommended values for your system. Your defaults and existing values (on a re-installation) will appear in the appropriate places when pbinstall executes.
• Yes and No answers are not case-sensitive and may be abbreviated as y and n.
• pbinstall is designed for 24 line by 80 column displays. Using a larger display is also supported.
• pbinstall does not support smaller displays.
• Although white space, line terminators, and shell (sh) meta characters are usually allowed in file and directory names, Endpoint Privilege Management for Unix and Linux does not support them. Do not use them in Endpoint Privilege Management for Unix and Linux file or directory names.

ℹ️

Note

For more information, see the following:

• On a basic installation, Step-by-Step Instructions for a Basic Installation Using pbinstall

Installation events using pbinstall

When pbinstall runs, the following actions occur:

• If client registration is used:
  • The /etc/pb.settings file is downloaded from the primary license server.
  • The /etc/pb.key (or equivalent) is downloaded from the primary license server.
• If SSL is enabled the SSL server certificates are downloaded from the primary license server.
  • The REST services daemon (pbconfigd) is installed and configuration made to the operating system to enable service management through the native operating system service manager.
• The /etc/pb.settings file is created. It contains various parameters and settings that Endpoint Privilege Management for Unix and Linux uses at run time. Endpoint Privilege Management for Unix and Linux cannot run without this file.
• The installation process also creates a work file, /etc/pb.cfg. The pb.cfg file is used to locate the Endpoint Privilege Management for Unix and Linux components during upgrades and uninstalls.
• The /etc/pb.key file is created. It stores the encryption key. This step is completed only if the Endpoint Privilege Management for Unix and Linux encryption option is selected.
• If you choose to add entries to /etc/services, then the following two steps are performed:
  • The /etc/services file is backed up to /etc/services.sybak.####. The installation script backs up files using the name format {original_name}.sybak.####, where #### is a number between 0000 and 9999. By default, up to 10 of these files are kept in the directory. This backup method is especially advantageous when performing multiple installations and uninstalls.
  • Entries are added to the /etc/services file for pbmasterd, pblocald, and pblogd.
• If the system uses inetd.conf for superdaemon configuration, then the following three steps are performed. If the system uses xinetd.conf, then similar steps are performed.
  • The /etc/inetd.conf file is backed up to a file called: /etc/inetd.sybak.####.
  • Entries are added to the inetd.conf file. These entries enable inetd to start instances including:
    • pbmasterd: Validate a monitored task request.
    • pblocald: Execute a monitored task request that has been accepted by pbmasterd.
    • pblogd: Perform logging.
    • pblighttpd: Run Endpoint Privilege Management REST services.
  • The inetd superdaemon restarts.
• The appropriate Endpoint Privilege Management for Unix and Linux programs and online man pages are copied to the specified installation directories.
• During the installation, you have the option to view the generated install script. This option is only for troubleshooting by BeyondTrust Technical Support; the generated install scri

EPM-UL pbinstall installation menu

The pbinstall script is a comprehensive list of the installation menu options and default prompts. The items displayed vary depending on your system, options selected, and any settings that are found from a current or removed Endpoint Privilege Management for Unix and Linux installation. The values used here are for demonstration purposes and are not necessarily the defaults or recommended values for a given installation.

The following list shows all the menu options. However, the menu option numbers that you see might differ from this list, depending on your Endpoint Privilege Management for Unix and Linux flavor.

Step-by-step instructions for a basic installation using pbinstall

The basic pbinstall procedure assumes that you have successfully downloaded and unarchived the Endpoint Privilege Management for Unix and Linux distribution or have an Endpoint Privilege Management for Unix and Linux CD.

ℹ️

Note

For additional information about Endpoint Privilege Management for Unix and Linux components and more options for pbinstall, see the following:

• Installation preparation
• Advanced installation instructions using pbinstall

Run a basic installation using pbinstall

To perform a basic Endpoint Privilege Management for Unix and Linux installation using the pbinstall script, use the following procedure:

1. If you downloaded Endpoint Privilege Management for Unix and Linux using the Web or FTP, then do the following. To install Endpoint Privilege Management for Unix and Linux from a CD, skip to step 2.
   • Create the /opt/beyondtrust directory if it does not already exist.
   • Extract the Endpoint Privilege Management for Unix and Linux installation files by executing the following command:

     gunzip -c pmul<flavor_version>.tar.Z | tar xvf -
     

2. To install from a CD, insert it into the CD-ROM drive on your machine. Mount the CD by entering:

   mount /cdrom <device_name>
   

ℹ️

Note

Your system may require additional command options or have a different mount point. For more information, see the mount main page for your system.

3. Navigate to the appropriate install directory on the file system or CD.

4. Start the pbinstall script with the following command:

   ./pbinstall
   

5. Press Enter after you read the initial messages.

6. A prompt will ask if this is the first installation in the enterprise:

   Endpoint Privilege Management for Unix and Linux must have a designated Primary Server to provide control and consistency for all its components/entities.
   The Primary Server must be installed and configured first before all other hosts.
   Is this the first installation in the enterprise (designated Primary Server) [yes]?
   

7. If you install a new client you may wish to use the client registration facility. When first invoking pbinstall, the following is displayed:

   Client registration provides a method of automatic configuration based upon a profile provided by your Primary License Server. To use this functionality you will need to know specific parameters from your  Primary License Server setup. See the installation guide for details.
   Do you wish to utilize client registration? [no]? yes
   Enter the Application ID generated on the Primary License Server: appid
   Enter the Application Key generated on the Primary License Server: 0b5e954e- be38-424d-b7e7-3e0ec91d9301                                                                                                            
   Enter the Primary License Server address/domain name for registering clients: master.organization.com
   Enter the Primary License Server REST TCP/IP port [24351]:
   Enter the Registration Client Profile name[default]:
   

   If you wish to enable automatic configuration using client registration, you need the following:

   • REST Application ID
   • REST Application Key
   • Network name or IP address of the primary license server that has been configured to enable client registration
   • REST services port
   • Name of the client registration profile configured by the administrator

   Once you have the data and have entered them into the pbinstall prompts, the configuration of the client is downloaded and the installation continues. All defaults used during the rest of the installation process are from the information retrieved.

8. A prompt asks if you want to install the Registry Name Services.

   The Registry Name Service of Endpoint Privilege Management for Unix and Linux facilitates location of other services within the pmul enterprise with the aid of a centralized data repository.
   IMPORTANT: It is highly recommended to utilize client registration if you are using Registry Name Services. Do you wish to utilize Registry Name Service? [yes]?
   

   If you answer no to the previous question, Is this the first installation?, you are asked to register the host as a Registry Name Service client.

   To enable the use of Registry Name Services each client needs to be registered with the primary server.

   Please complete the questions below to enable this registration.
   Enter the Application ID generated on the Primary Registry Name Server:  appid
   Enter the Application Key generated on the Primary Registry Name Server:  appkey
   Enter the address/domain name for the Primary Registry Name Server:  host
   Enter the Primary Registry Name Server REST TCP/IP port [24351]:
   

   If RNS is specified, the defaults for submitmasters, acceptmasters, logservers, etc, are changed to asterisk (*), and registrynameserver yes is added to the prospective pb.settings.

9. The pbinstall menu displays a set of options similar to the following:

ℹ️

Note

The following instructions select the required options to do a basic installation only.

10. Choose your options.
11. Use the c navigation command to continue the installation.
12. A prompt asks if you want to view the install script. Specify n.

⚠️

Important

This option is intended for troubleshooting by BeyondTrust Technical Support. The generated install script contains thousands of lines of code.

13. A prompt asks if you want to install the product now. Specify y.

The Endpoint Privilege Management for Unix and Linux install script executes and installs Endpoint Privilege Management for Unix and Linux components on this machine.

14. If an Endpoint Privilege Management for Unix and Linux policy file exists, it is not modified. Starting with version 8.0, if you do not have a policy file, a default policy is installed by default. The files {prefix}pbul_policy.conf{suffix} and {prefix}pbul_functions.conf{suffix} are created in the default directory /opt/pbul/policies from v9.4.3+ and /etc prior to v9.4.3. {prefix}pbul_policy.conf{suffix} is then included in the main policy (by default /opt/pbul/policies/{prefix}pb.conf {suffix} from v9.4.3+ and /etc/{prefix}pb.conf {suffix} prior to v9.4.3).

⚠️

Important

An empty policy file rejects all Endpoint Privilege Management for Unix and Linux commands. For information about writing policy files, see the Endpoint Privilege Management for Unix and Linux Policy Language Guide.

15. Change the permissions on the policy file so that it can be read by root only:

chmod 600 /opt/pbul/policies/pb.conf

The installation is now complete.

Advanced installation instructions using pbinstall

This section provides step-by-step instructions for using all the installation options that are available using the pbinstall script. These options are discussed in the order that they are used in the Endpoint Privilege Management for Unix and Linux installation menu.

ℹ️

Note

These steps are optional and should be selected after reviewing Installation considerations and Installation preparation.

In addition, some options do not appear unless certain combinations of options are selected.

ℹ️

Note

For more information, see Complete the Installation.

Start pbinstall

If you downloaded Endpoint Privilege Management for Unix and Linux using the Web or FTP, do the following.

1. Extract the tarball files into /opt/beyondtrust by executing the following command:

   gunzip -c pmul<flavor_version>.tar.Z | tar xvf -
   

2. Navigate to the installation directory:

   cd /opt/beyondtrust/powerbroker/<version>/<flavor>/install
   

3. Execute the installation script by typing:

   ./pbinstall
   

4. After reading the initial messages, press Enter.

ℹ️

Note

For more information, see the following:

On how to install Endpoint Privilege Management for Unix and Linux from a CD, Step-by-Step Instructions for a Basic Installation Using pbinstall.

If you are using a prefix or suffix, or both, Prefix and Suffix Installation Instructions

Use the menu options

ℹ️

Note

Depending on your operating system and other factors, the option numbers listed in the following table may not match the menu option numbers you see on the screen, and some items might not be available. In these steps, choose this option means to type the number that corresponds to the option on the screen and press Enter.

Custom installations

The preferred methods for installing Endpoint Privilege Management for Unix and Linux are to use the command line pbinstall or pbmakeremotetar. In some instances, however, customer requirements may dictate some custom installation methods. This section covers several topics you should be aware of when planning a custom installation.

Before performing a custom installation of Endpoint Privilege Management for Unix and Linux, several issues need to be taken into consideration:

• Third-party libraries
• Executable files
• pb.settings file
• pb.key file
• Superdaemon configuration update
• Policy files for policy server hosts

There are some concerns about file system accessibility when using remotely mounted file systems. If an installation initially references files on a system with a different name (due to network and/or NIC configurations), the target system may have problems referencing the files correctly on the original host.

Third-party libraries

The appropriate third-party libraries are required when Endpoint Privilege Management for Unix and Linux is configured with SSL, Kerberos, or LDAP.

Executable files

Regardless of how Endpoint Privilege Management for Unix and Linux is placed on multiple systems, the proper executable and supporting files for the flavor and functions of the system must be visible and executable on that system.

It is possible to place the target of the administration, user, daemon, and/or utility programs on a remotely mounted file system. If this is done, the following issues must be addressed:

• The correct flavor for a system must be visible in the path for the given system.
• The superuser owner and suid setting of pbrun must be handled properly.
• The remotely mounted file system must be very reliable.
• Endpoint Privilege Management for Unix and Linux event, I/O, and daemon error logs are not supported when written to remotely mounted file systems.

Settings file

The /etc/pb.settings file must be properly configured for the functions that the new host is to perform, and the install scripts do this. When performing a custom install, each machine needs a correctly configured /etc/pb.settings file.

Key file

If encryption is used, then the pb.key file must be the same across all cooperating Endpoint Privilege Management for Unix and Linux installations. This is typically a manual distribution (because the pb.key file can be compromised if it is not handled properly) except when performing a remote installation using the archive from pbmakeremotetar.

superdaemon configuration

The superdaemons on the system must be configured for the Endpoint Privilege Management for Unix and Linux daemon configuration. The Endpoint Privilege Management for Unix and Linux installation performs this configuration automatically.

ℹ️

Note

For more information about superdaemons, see the documentation for your operating system.

Policy files for policy server hosts

Policy files and their subfiles must be copied between policy server hosts so that all of the policy servers use the same policies.

Endpoint Privilege Management for Unix and Linux, being an authentication tool and not a software distribution tool, does not automatically propagate policy files between policy server hosts. It is possible, and left as an exercise, to write procedures and policies that allow a central policy server host to propagate policy files to other policy server hosts.

Policy subfiles are copied if their name is specified as a constant. If the name is specified as a variable or string concatenation in the parent policy, then that policy is not copied by pbmakeremotetar and must be manually propagated to the target machines.

The policy subfile directory tree and directories referenced by the policies should be created to insure the multiple policy server hosts have the same directory tree.

Complete the installation

After you finish making menu choices, do the following to complete the installation:

1. Use the c command to continue the installation.
2. A prompt asks if all of the installation settings are correct. If they are correct, then specify y. If they are not correct, then specify n, make the necessary changes, and continue the previous step.
3. A prompt asks if you want to view the installation script. Choose n.

⚠️

Important

This option is intended for troubleshooting by BeyondTrust Technical Support; the generated installation script contains thousands of lines of code.

4. A prompt asks if you want to install the product now. Press Enter to accept the default of y.
5. The installation script now executes and installs Endpoint Privilege Management for Unix and Linux components on this machine.
6. If an Endpoint Privilege Management for Unix and Linux policy file exists, it is not modified. If you do not have a policy file, then create a policy file using the following command:

   touch /opt/pbul/policies/pb.conf
   

⚠️

Important

An empty policy file rejects all Endpoint Privilege Management for Unix and Linux commands. For information about writing policy files, see the Endpoint Privilege Management for Unix and Linux Policy Language Guide.

7. Change the permissions on the policy file so that it can be read by root only:

chmod 600 /opt/pbul/policies/pb.conf

The installation is now complete.

Example of a pbinstall execution

The following is an example of a pbinstall execution:

✅

Example

/usr/local/lib/pbbuilder will be created as part of the installation
/etc/pb.key exists.. taking a copy...
             
Checking disk space...
             
... mountpoints are
/ /dev /net/build/build /net/nethome/nethome/tmp
/net/nethome/nethome/user /pbis
             
... local mount points are
/ /dev
             
Mount Point Needed Available Flag
/ 27117 359448716 works
             
Disk Free space on selected mountpoints appears to be okay.
         
Are all the installation settings correct [yes]? Creating the installation script:
'/opt/beyondtrust/powerbroker/v8.0/pbx86_64_linuxA-8.0.0-06/install/PowerBroker_ Install'
An install script has been made that will install BeyondTrust Endpoint Privilege Management
			 
			 
according to your settings. View the install script [no]?
Install BeyondTrust Endpoint Privilege Management for Unix and Linux now [yes]?
			 
Executing '/opt/beyondtrust/powerbroker/v8.0/pbx86_64_linuxA-8.0.0- 06/install/PowerBroker_Install'
Creating settings file /etc/pb.settings
Removing PowerBroker service definitions (if any) from /etc/services. Adding PowerBroker service definitions to /etc/services.
Removing any PowerBroker definitions from SuperDaemon xinetd file
/etc/xinetd.conf
Adding PowerBroker definitions to SuperDaemon configurations /etc/xinetd.conf. Installed /usr/lib/beyondtrust/pb/libcom_err.so.3.0
Installed /usr/lib/beyondtrust/pb/libgssapi_krb5.so.2.2 Installed /usr/lib/beyondtrust/pb/libk5crypto.so.3.0 Installed /usr/lib/beyondtrust/pb/libkrb5.so.3.2 Installed /usr/lib/beyondtrust/pb/libcrypto.so.0.9.8 Installed /usr/lib/beyondtrust/pb/libssl.so.0.9.8 Installed /usr/lib/beyondtrust/pb/liblber-2.3.so.0.2.12 Installed /usr/lib/beyondtrust/pb/libLDAP-2.3.so.0.2.12 Installed /usr/lib/beyondtrust/pb/libcurl.so.4.3.0
Created symbolic link /usr/lib/beyondtrust/pb/libcom_err.so.3 Created symbolic link /usr/lib/beyondtrust/pb/libcom_err.so Created symbolic link /usr/lib/beyondtrust/pb/libgssapi_krb5.so.2 Created symbolic link /usr/lib/beyondtrust/pb/libgssapi_krb5.so Created symbolic link /usr/lib/beyondtrust/pb/libk5crypto.so.3 Created symbolic link /usr/lib/beyondtrust/pb/libk5crypto.so Created symbolic link /usr/lib/beyondtrust/pb/libkrb5.so.3
Created symbolic link /usr/lib/beyondtrust/pb/libkrb5.so Created symbolic link /usr/lib/beyondtrust/pb/libcrypto.so.0 Created symbolic link /usr/lib/beyondtrust/pb/libcrypto.so Created symbolic link /usr/lib/beyondtrust/pb/libssl.so.0 Created symbolic link /usr/lib/beyondtrust/pb/libssl.so
Created symbolic link /usr/lib/beyondtrust/pb/liblber-2.3.so.0 Created symbolic link /usr/lib/beyondtrust/pb/liblber-2.3.so Created symbolic link /usr/lib/beyondtrust/pb/libLDAP-2.3.so.0 Created symbolic link /usr/lib/beyondtrust/pb/libLDAP-2.3.so Created symbolic link /usr/lib/beyondtrust/pb/libcurl.so.4 Created symbolic link /usr/lib/beyondtrust/pb/libcurl.so Installed pbrun as /usr/local/bin/pbrun
Installed /usr/local/man/man1/pbrun.1 Installed pbssh as /usr/local/bin/pbssh Installed /usr/local/man/man1/pbssh.1 Installed pbrunssh as /usr/local/bin/pbrunssh Installed pbmasterd as /usr/sbin/pbmasterd Installed /usr/local/man/man8/pbmasterd.8
Installed pbfwdevents as /usr/sbin/pbfwdevents Installed /usr/local/man/man8/pbfwdevents.8 Installed pblocald as /usr/sbin/pblocald Installed /usr/local/man/man8/pblocald.8 Installed pblogd as /usr/sbin/pblogd
			 
			 
Installed /usr/local/man/man8/pblogd.8 Installed pbguid as /usr/sbin/pbguid Installed /usr/local/man/man8/pbguid.8 Installed pbsyncd as /usr/sbin/pbsyncd Installed /usr/local/man/man8/pbsyncd.8 Installed pbencode as /usr/sbin/pbencode Installed /usr/local/man/man8/pbencode.8 Installed pbhostid as /usr/sbin/pbhostid Installed /usr/local/man/man8/pbhostid.8 Installed pblicense as /usr/sbin/pblicense Installed /usr/local/man/man8/pblicense.8 Installed pbpasswd as /usr/sbin/pbpasswd Installed /usr/local/man/man8/pbpasswd.8 Installed pbsum as /usr/sbin/pbsum Installed /usr/local/man/man8/pbsum.8
Installed pbbench as /usr/local/bin/pbbench Installed /usr/local/man/man1/pbbench.1 Installed pbcheck as /usr/sbin/pbcheck Installed /usr/local/man/man8/pbcheck.8 Installed pbcall as /usr/local/bin/pbcall Installed pbless as /usr/local/bin/pbless Installed /usr/local/man/man1/pbless.1 Installed pbmg as /usr/local/bin/pbmg Installed /usr/local/man/man1/pbmg.1 Installed pbnvi as /usr/local/bin/pbnvi Installed /usr/local/man/man1/pbnvi.1 Installed pbumacs as /usr/local/bin/pbumacs Installed /usr/local/man/man1/pbumacs.1 Installed pbvi as /usr/local/bin/pbvi Installed /usr/local/man/man1/pbvi.1 Installed pbkey as /usr/sbin/pbkey
Installed /usr/local/man/man8/pbkey.8 Installed pblog as /usr/sbin/pblog Installed /usr/local/man/man8/pblog.8 Installed pbreplay as /usr/sbin/pbreplay Installed /usr/local/man/man8/pbreplay.8 Installed pbmerge as /usr/sbin/pbmerge Installed /usr/local/man/man8/pbmerge.8 Installed pbsync as /usr/sbin/pbsync Installed /usr/local/man/man8/pbsync.8 Installed pbping as /usr/sbin/pbping Installed /usr/local/man/man8/pbping.8 Installed pbprint as /usr/sbin/pbprint Installed /usr/local/man/man8/pbprint.8 Installed pbksh as /usr/local/bin/pbksh Installed pbsh as /usr/local/bin/pbsh Installed pbreport as /usr/sbin/pbreport Installed /usr/local/man/man8/pbreport.8 Installed pbuvqrpg as /usr/sbin/pbuvqrpg Installed /usr/local/man/man8/pbuvqrpg.8 Installed pbversion as /usr/sbin/pbversion Installed /usr/local/man/man8/pbversion.8 Installed /usr/local/man/man8/pbinstall.8 Installed /usr/local/man/man8/pbuninstall.8
			 
			 
Installed /usr/local/man/man8/pbmakeremotetar.8 Installed /usr/local/man/man8/pbpatchinstall.8
Placing policy examples in '/usr/local/lib/pbbuilder'
Placing pbguid html help files in '/usr/local/lib/pbbuilder' Installing /etc/pb.key
Reloading SuperDaemon Configurations...
Done Reloading SuperDaemon Configurations...
			 
			 
------------------------------------------------------------------------------------
Installing default role-based policy pbul_policy.conf and pbul_functions.conf in /opt/pbul/policies
The main policy pbul_policy.conf will be included in /opt/pbul/policies/pb.conf
			 
Installed pbul_policy.conf as /opt/pbul/policies/pbul_policy.conf
------------------------------------------------------------------------------------
You will have to edit the /opt/pbul/policies/pb.conf file now.
Installed pblighttpd as /usr/lib/beyondtrust/pb/rest/sbin/pblighttpd Installed pblighttpd-svc as /usr/lib/beyondtrust/pb/rest/sbin/pblighttpd-svc Installed /usr/lib/beyondtrust/pb/rest/lib/mod_access.so
Installed /usr/lib/beyondtrust/pb/rest/lib/mod_dirlisting.so Installed /usr/lib/beyondtrust/pb/rest/lib/mod_fastcgi.so Installed /usr/lib/beyondtrust/pb/rest/lib/mod_indexfile.so Installed /usr/lib/beyondtrust/pb/rest/lib/mod_staticfile.so Installed /usr/lib/beyondtrust/pb/rest/..//pbsudoers_server.so
Installed pbconfigd as /usr/lib/beyondtrust/pb/rest/sbin/pb900pbconfigd Installed pbrestcall as /usr/sbin/pbrestcall
Starting pblighttpd-svc service.BeyondTrust Endpoint Privilege Management for Unix and Linux Installation terminated successfully.

pbmakeremotetar installation script

Deployment of Endpoint Privilege Management for Unix and Linux across multiple machines of the same platform type can be simplified by cloning the installations. Installation cloning is done by making a remote tarball using pbmakeremotetar, a menu-driven, interactive installation script.

pbmakeremotetar Installation Information

The section contains information about running an example pbmakeremotetar installation.

• pbmakeremotetar is used to clone an installed copy of Endpoint Privilege Management for Unix and Linux so it can be quickly installed on other hosts that use the same Endpoint Privilege Management for Unix and Linux flavor. The directory structure on the target systems must also be the same as on the host that is running pbmakeremotetar.
• pbmakeremotetar properly configures (as appropriate) /etc/services and the superdaemon configuration files (/etc/inetd.conf, /etc/xinetd.conf, or SMF).
• For Policy Server target installations, an initial installation (not a remote installation) must be done before any target remote installation. Doing so ensures that all licensing issues are handled properly.
• Different target system installation working directories should be used for different prefix and/or suffix versions of cloned installations.
• pbmakeremotetar scans the main policy file (by default /opt/pbul/policies/pb.conf from v9.4.3+ and /etc/pb.conf prior to v9.4.3) for included policy files and includes them in the tarball. If the main policy file is encrypted, pbmakeremotetar is not able to scan it for included policy files. Therefore, if the main policy file is encrypted, you must do one of the following:
  • Restore the unencrypted policy file before running the pbmakeremotetar installation script.
  • Specify each encrypted policy file in the editor session after answering y to the Do you wish to make changes to this list? prompt:
  • Manually move the encrypted files to the target systems.
  • For pbmakeremotetar/pbremoteinstall installations where integration with AD Bridge is desired, if AD Bridge is configured on the system where the Endpoint Privilege Management for Unix and Linux instance is cloned, when the cloned instance is installed, if the AD Bridge libraries are missing, then a warning message is displayed.

Remote installations using pbmakeremotetar

Remote installations using pbmakeremotetar perform the following three basic steps:

1. Execute pbmakeremotetar.
2. Make the created tar file available to the target system.
3. Unarchive the tar file and execute remote_unpack from that tar file.

Example of a pbmakeremotetar execution

The following is an example of a pbmakeremotetar execution:

✅

Example

# ./pbmakeremotetar -a /opt/beyondtrust/pb.tar
Starting pbmakeremotetar main() from /opt/beyondtrust/powerbroker/v6.0/pbx86_ linuxB-6.0.0-01/install/.
     
pbmakeremotetar
         
This command is used to duplicate the current system's installation of BeyondTrust Endpoint Privilege Management for Unix and Linux to allow this duplication to be installed on one or more identically configured systems.
x86_linuxB
Hit return or enter to continue...
			 
Checking tar command for needed switches...
Done checking tar command for needed switches...
Making file /opt/beyondtrust/pb.tar for architecture x86_linuxB Reading /etc/pb.cfg
			 
Current additional files for deployment: [displays list of files]
Do you wish to make changes to this list [no]?
			 
Building encapsulated tarball
/etc/pb.cfg
/etc/pb.conf
/etc/pb.key
/etc/pb.settings
/etc/pb.key
/opt/beyondtrust/powerbroker/v6.0/pbx86_linuxB-6.0.0-01/install/./pb.keyfiles
/opt/beyondtrust/powerbroker/v6.0/pbx86_linuxB-6.0.0- 01/install/./pbremoteinstall
/opt/beyondtrust/powerbroker/v6.0/pbx86_linuxB-6.0.0-01/install/./pb_install_
support
/opt/beyondtrust/powerbroker/v6.0/pbx86_linuxB-6.0.0- 01/install/./pbmakeremotetar
/opt/beyondtrust/powerbroker/v6.0/pbx86_linuxB-6.0.0-01/install/./pbuninstall
/opt/beyondtrust/powerbroker/v6.0/pbx86_linuxB-6.0.0-01/install/./sy_install_ support
/usr/lib/beyondtrust/pb/.BeyondTrustCreated
/usr/lib/beyondtrust/pb/.pbinstalls
/usr/lib/beyondtrust/pb/libcom_err.so
/usr/lib/beyondtrust/pb/libcom_err.so.3
/usr/lib/beyondtrust/pb/libcom_err.so.3.0
/usr/lib/beyondtrust/pb/libcrypto.so			 
/usr/lib/beyondtrust/pb/libcrypto.so.0
/usr/lib/beyondtrust/pb/libcrypto.so.0.9.7
/usr/lib/beyondtrust/pb/libgssapi_krb5.so
/usr/lib/beyondtrust/pb/libgssapi_krb5.so.2
/usr/lib/beyondtrust/pb/libgssapi_krb5.so.2.2
/usr/lib/beyondtrust/pb/libk5crypto.so
/usr/lib/beyondtrust/pb/libk5crypto.so.3
/usr/lib/beyondtrust/pb/libk5crypto.so.3.0
/usr/lib/beyondtrust/pb/libkrb5.so
/usr/lib/beyondtrust/pb/libkrb5.so.3
/usr/lib/beyondtrust/pb/libkrb5.so.3.2
/usr/lib/beyondtrust/pb/liblber-2.3.so
/usr/lib/beyondtrust/pb/liblber-2.3.so.0
/usr/lib/beyondtrust/pb/liblber-2.3.so.0.2.12
/usr/lib/beyondtrust/pb/libLDAP-2.3.so
/usr/lib/beyondtrust/pb/libLDAP-2.3.so.0
/usr/lib/beyondtrust/pb/libLDAP-2.3.so.0.2.12
/usr/lib/beyondtrust/pb/libssl.so
/usr/lib/beyondtrust/pb/libssl.so.0
/usr/lib/beyondtrust/pb/libssl.so.0.9.7
/usr/local/bin/pbbench
/usr/local/bin/pbcall
/usr/local/bin/pbksh
/usr/local/bin/pbless
/usr/local/bin/pbmg
/usr/local/bin/pbnvi
/usr/local/bin/pbrun
/usr/local/bin/pbsh
/usr/local/bin/pbumacs
/usr/local/bin/pbvi
/usr/local/man/man1/pbbench.1
/usr/local/man/man1/pbless.1
/usr/local/man/man1/pbmg.1
/usr/local/man/man1/pbnvi.1
/usr/local/man/man1/pbrun.1
/usr/local/man/man1/pbumacs.1
/usr/local/man/man1/pbvi.1
/usr/local/man/man8/pbcheck.8
/usr/local/man/man8/pbencode.8
/usr/local/man/man8/pbguid.8
/usr/local/man/man8/pbhostid.8
/usr/local/man/man8/pbkey.8
/usr/local/man/man8/pblicense.8
/usr/local/man/man8/pblocald.8
/usr/local/man/man8/pblog.8
/usr/local/man/man8/pblogd.8
/usr/local/man/man8/pbmasterd.8
/usr/local/man/man8/pbmerge.8
/usr/local/man/man8/pbpasswd.8
/usr/local/man/man8/pbprint.8
/usr/local/man/man8/pbreplay.8
/usr/local/man/man8/pbreport.8
/usr/local/man/man8/pbsum.8
/usr/local/man/man8/pbsync.8
/usr/local/man/man8/pbsyncd.8
/usr/local/man/man8/pbuvqrpg.8
/usr/sbin/pbcheck
/usr/sbin/pbencode

/usr/sbin/pbhostid
/usr/sbin/pbkey
/usr/sbin/pblocald
/usr/sbin/pblog
/usr/sbin/pblogd
/usr/sbin/pbmasterd/usr/sbin/pbmerge
/usr/sbin/pbpasswd
/usr/sbin/pbprint
/usr/sbin/pbreplay
/usr/sbin/pbreport
/usr/sbin/pbsum
/usr/sbin/pbsync
/usr/sbin/pbsyncd
/usr/sbin/pbuvqrpg
Building encapsulating tarball remote_unpack
pb.tar.tar
			 
/opt/beyondtrust/pb.tar has been built

Make the tar file available to the remote system

To make the tar file available to the remote system, you can use FTP (image mode), NFS, or any other mechanism as long as the security and integrity of the binary tar file are maintained.

If tar –x warns about a directory checksum error, then the tar file archive may be corrupt because it was copied in ASCII, not binary (or image) mode.

Untar the remote archive and execute remote_unpack

When the tar file is made available to the remote system, a temporary working directory must be selected to unarchive the remote archive. An installation work directory other than /tmp should be selected (for the same reasons as with pbinstall). Unpacking the archive makes the encapsulated tar archive and a script called remote_unpack visible.

The remote_unpack script then executes. This script unpacks the encapsulated tar file (putting the files in their required places) and reconfigures the system files (/etc/services and the superdaemon configuration) for Endpoint Privilege Management for Unix and Linux.

The following listing shows an example execution of the remote_unpack script:

✅

Example

# cd {workingdirectory}
# tar -xvf {tarfilename}.tar
x remote_unpack, 1250 bytes, 3 tape blocks
x tarfilename.tar.tar, 48152576 bytes, 94048 tape blocks
# ./remote_unpack
             
Deploying executable files...
             
x /usr/local/bin/pbrun, 4282296 bytes, 8364 tape blocks x /usr/local/man/man1/pbrun.1, 2852 bytes, 6 tape blocks
x /usr/local/bin/pbbench, 3414416 bytes, 6669 tape blocks x /usr/local/man/man1/pbbench.1, 1152 bytes, 3 tape blocks x /usr/local/bin/pbless, 178964 bytes, 350 tape blocks
x /usr/local/man/man1/pbless.1, 743 bytes, 2 tape blocks x /usr/local/bin/pbmg, 52 bytes, 1 tape blocks
x /usr/local/man/man1/pbmg.1, 809 bytes, 2 tape blocks x /usr/local/bin/pbumacs, 52 bytes, 1 tape blocks
x /usr/local/man/man1/pbumacs.1, 832 bytes, 2 tape blocks x /usr/local/bin/pbvi, 212000 bytes, 415 tape blocks
x /usr/local/man/man1/pbvi.1, 1107 bytes, 3 tape blocks x /usr/local/bin/pbcall, 3585880 bytes, 7004 tape blocks x /usr/sbin/pblocald, 4714020 bytes, 9208 tape blocks
x /usr/local/man/man8/pblocald.8, 1525 bytes, 3 tape blocks x /usr/sbin/pbcheck, 4202964 bytes, 8209 tape blocks
x /usr/local/man/man8/pbcheck.8, 2824 bytes, 6 tape blocks x /usr/sbin/pbhostid, 191596 bytes, 375 tape blocks
x /usr/local/man/man8/pbhostid.8, 815 bytes, 2 tape blocks x /usr/sbin/pbkey, 187548 bytes, 367 tape blocks
x /usr/local/man/man8/pbkey.8, 1113 bytes, 3 tape blocks x /usr/sbin/pblog, 3836692 bytes, 7494 tape blocks
x /usr/local/man/man8/pblog.8, 5346 bytes, 11 tape blocks x /usr/sbin/pbpasswd, 186536 bytes, 365 tape blocks
x /usr/local/man/man8/pbpasswd.8, 1413 bytes, 3 tape blocks x /usr/sbin/pbreplay, 3550320 bytes, 6935 tape blocks
x /usr/local/man/man8/pbreplay.8, 3522 bytes, 7 tape blocks x /usr/sbin/pbsum, 77872 bytes, 153 tape blocks
x /usr/local/man/man8/pbsum.8, 853 bytes, 2 tape blocks x /usr/sbin/pbencode, 3163940 bytes, 6180 tape blocks
x /usr/local/man/man8/pbencode.8, 927 bytes, 2 tape blocks x /usr/sbin/pbmasterd, 5505740 bytes, 10754 tape blocks
x /usr/local/man/man8/pbmasterd.8, 1578 bytes, 4 tape blocks x /usr/sbin/pblogd, 3956552 bytes, 7728 tape blocks
x /usr/local/man/man8/pblogd.8, 1015 bytes, 2 tape blocks x /usr/sbin/pbguid, 6537648 bytes, 12769 tape blocks
x /usr/local/lib/pbbuilder/.BeyondTrustCreated, 29 bytes, 1 tape blocks x /usr/local/lib/pbbuilder/fileselect.html, 1075 bytes, 3 tape blocks
x /usr/local/lib/pbbuilder/iolog.html, 2346 bytes, 5 tape blocks x /usr/local/lib/pbbuilder/log.html, 1139 bytes, 3 tape blocks
x /usr/local/lib/pbbuilder/settings.html, 23014 bytes, 45 tape blocks x /usr/local/lib/pbbuilder/variables.html, 34964 bytes, 69 tape blocks
x /usr/local/lib/pbbuilder/.BeyondTrustCreated, 29 bytes, 1 tape blocks x /usr/local/lib/pbbuilder/fileselect.html, 1075 bytes, 3 tape blocks
x /usr/local/lib/pbbuilder/iolog.html, 2346 bytes, 5 tape blocks x /usr/local/lib/pbbuilder/log.html, 1139 bytes, 3 tape blocks
x /usr/local/lib/pbbuilder/settings.html, 23014 bytes, 45 tape blocks x /usr/local/lib/pbbuilder/variables.html, 34964 bytes, 69 tape blocks
x /opt/beyondtrust/pb/install/pbremoteinstall, 3362 bytes, 7 tape blocks
x /opt/beyondtrust/pb/install/pbmakeremotetar, 14650 bytes, 29 tape blocks x /opt/beyondtrust/pb/install/pbuninstall, 11565 bytes, 23 tape blocks
x /opt/beyondtrust/pb/install/pb_install_support, 13212 bytes, 26 tape blocks
x /opt/beyondtrust/pb/install/sy_install_support, 93560 bytes, 183 tape blocks
x /opt/beyondtrust/pb/install/platform, 5971 bytes, 12 tape blocks x /etc/pb.key, 1026 bytes, 3 tape blocks
x /opt/beyondtrust/pb/install/pb.cfg, 1161 bytes, 3 tape blocks
x /opt/beyondtrust/pb/install/pb.cfg.sparc_solaris7, 2 bytes, 1 tape blocks x /opt/beyondtrust/pb/install/pb.cfg.default, 2 bytes, 1 tape blocks
x /etc/pb.settings, 1915 bytes, 4 tape blocks
x /usr/local/man/man8/pbinstall.8, 6047 bytes, 12 tape blocks x /usr/local/man/man8/pbuninstall.8, 2569 bytes, 6 tape blocks
x /usr/local/man/man8/pbmakeremotetar.8, 4239 bytes, 9 tape blocks x /etc/pb.conf, 202 bytes, 1 tape blocks
Configure System now? [yes]
Starting pbremoteinstall main() from /opt/beyondtrust//pb_xyzzy/pb/install Reading /opt/beyondtrust/pb/install/pb.cfg
Reading /opt/beyondtrust/pb/install/pb.cfg.sparc_solaris7 Reading /opt/beyondtrust/pb/install/pb.cfg.default
Removing PowerBroker service definitions (if any) from /etc/services. Removing PowerBroker service definitions (if any) from /etc/services. Adding PowerBroker service definitions to /etc/services.
Looking for SuperDaemons to configure...
Finished looking for SuperDaemons to configure...
Removing any PowerBroker definitions from SuperDaemon inetd file
/etc/inetd.conf
Adding PowerBroker definitions to SuperDaemon configurations
/etc/inetd.conf.
Reloading SuperDaemon Configurations...
Done Reloading SuperDaemon Configurations...
/opt/beyondtrust/pb/install/pbremoteinstall ... Done

pbpatchinstall installation script

BeyondTrust occasionally releases patches to the Endpoint Privilege Management for Unix and Linux product that improve performance and fix problems. You install these patches with the pbpatchinstall installation script.

pbpatchinstall installation information

This section contains information about installing an Endpoint Privilege Management for Unix and Linux patch with the pbpatchinstall script.

pbpatchinstall determines the current release of Endpoint Privilege Management for Unix and Linux that is installed on the machine and whether the release is compatible with the current patch. Multiple patches can be installed.

Based on the type of Endpoint Privilege Management for Unix and Linux host that is installed on the machine (policy server host, submit host, log host, and so forth), pbpatchinstall copies only the appropriate files to the appropriate directories to replace the existing files. pbpatchinstall makes a backup copy of all replaced files. These backup files are then available to restore the original files if the patch needs to be removed.

ℹ️

Note

All Endpoint Privilege Management for Unix and Linux daemons running a process during the patch installation should be stopped before using pbpatchinstall and restarted after using pbpatchinstall.

After you extract an Endpoint Privilege Management for Unix and Linux patch tarball file, the patch version becomes part of the directory path. For example, in the patch directory: /opt/beyondtrust/powerbroker/v5.1/ pbx86_linuxA-5.1.2-03-sp1/install, the patch version is pbx86_linuxA-5.1.2-03-sp1.

The pbpatchinstall installation process performs the following:

• Inventories the Endpoint Privilege Management for Unix and Linux installation, using prefixes and/or suffixes (if any). Use the -p and/or -s arguments if you want pbpatchinstall to use prefixes and/or suffixes.
• Validates the existence and version of the Endpoint Privilege Management for Unix and Linux binary files that should be present for each component.
• Lists the Endpoint Privilege Management for Unix and Linux components that are currently installed.

The Endpoint Privilege Management for Unix and Linux patch release number must match the installed Endpoint Privilege Management for Unix and Linux release number. If the release numbers do not match, a prompt is displayed, stating that the patch release does not match the existing Endpoint Privilege Management for Unix and Linux release and asks if you want to install the patch release over the existing Endpoint Privilege Management for Unix and Linux release. To complete the installation, type y.

ℹ️

Note

To run the patch installation without this prompt, use the -f argument.

Example of a pbpatchinstall execution

The following is an example of a pbpatchinstall execution:

✅

Example

#pwd
/opt/beyondtrust/powerbroker/v5.1/pbx86_linuxB-5.1.1-03-sp1/install
# ./pbpatchinstall
             
Starting pbpatchinstall from /opt/beyondtrust/powerbroker/v5.1/pbx86_linuxB
-5.1.1-03-sp1/install/.x86_linuxB BeyondTrust PowerBroker Patch Installation
Checking MANIFEST against release directory Trying /etc/pb.settings
Settings are from file='/etc/pb.settings'
Reading /etc/pb.cfg
PowerBroker version 5.1.0-08 established from /etc/pb.cfg PowerBroker components currently installed:
run_host submit_host log_synchronization secure_gui_host utilities
pbksh log_sync_initiator
         
All installed binaries match Endpoint Privilege Management for Unix and Linux version 5.1.0-08 Version is not evaluated for binaries pbuvqrpg and pbnvi.
			 
Patch release 5.1.1 does not match Endpoint Privilege Management for Unix and Linux release 5.1.0
Install PowerBroker patch release 5.1.1 over Endpoint Privilege Management for Unix and Linux release 5.1.0? [no] y Checking disk space...
... mountpoints are
/ /boot /data /dev /net/nethome/nethome/user
			 
... local mount points are
/ /boot /data /dev
			 
Mount Point Needed Available Flag
/ 1024 2921852 works
/data 2590 126953328 works
Disk Free space on selected mountpoints appears to be okay. Patched /usr/sbin/pbencode installed.
Patched /usr/local/bin/pbbench installed. Patched /usr/local/bin/pbrun installed. Patched /usr/sbin/pbreport installed. Patched /usr/local/bin/pbksh installed.
6 files patched, replaced files moved to /opt/beyondtrust/powerbroker/v5.1/pbx86_linuxB-5.1.1-03- sp1/bin_patchbkp
NOTE: In order to remove patch, directory /opt/beyondtrust/powerbroker/v5.1/pbx86_linuxB-5.1.1-
03-sp1/bin_patchbkp must be left in place.
/etc/pb.cfg updated with patch information. 5.1.1-03-sp1 patches installed.

Prefix and suffix installation instructions

A prefixed or suffixed installation is performed by specifying the -p or -s arguments to pbinstall and pbuninstall, respectively. Both options take one argument: the prefix or suffix to be used.

With a prefix or suffix specified, or both, the names of all of the executable programs, services and ports, and default log file names are qualified with that prefix or suffix, or both.

Prefixes are always added to the beginning of the name. Suffixes, with the exception of the daemon error logs and man page file names, are added to the end of the name. Daemon error logs are named (for example) {prefix}pbmasterd{suffix}.log.

ℹ️

Note

You cannot use a prefixed or suffixed installation with Endpoint Privilege Management package installations.

If Endpoint Privilege Management for Unix and Linux is installed with a prefix or suffix, execute pbuninstall using the same prefix or suffix. Failure to correctly specify the prefix or suffix to pbuninstall results in either pbuninstall failing or the uninstall of the incorrect copy of Endpoint Privilege Management for Unix and Linux.

ℹ️

Note

The pb.cfg file is also prefixed or suffixed when it is created.

ℹ️

Note

For more information, see the following:

• Installation Programs
• pbuninstall

Run prefixed and suffixed installations

To run a prefix installation, type:

./pbinstall -p prefix

prefix is the prefix you are using.

To run a suffix installation, type:

./pbinstall -s suffix

suffix is the suffix you are using.

To run a prefix and suffix installation, type:

./pbinstall -p prefix -s suffix

prefix is the prefix and suffix is the suffix you are using.