Installation programs | EPM-UL

This section describes the EPM-UL installation programs and their options.

pbinstall

• pbinstall is a menu-driven, interactive installation script enabling the superuser installer to install, update, or reconfigure all EPM-UL products as required by configuration changes or updates.
• pbinstall properly configures (as appropriate) /etc/services, the superdaemon configuration files (/etc/inetd.conf and/or /etc/xinetd.conf), and EPM-UL for most execution environments.

An initial screen of legal information and credits is displayed, followed by a check to determine if the VISUAL or EDITOR environment variables select the editor to use during the installation. If you have not set either of these environment variables, then you are prompted to supply the path to an editor, with vi as the default.

EPM-UL is configured by a menu system with a menu of numbered selections and lettered options.

• To select an item to configure, type the number of that item and press ENTER to display the configuration prompts.
• To navigate the menu pages, use the following commands:
  • C Continue installation
  • N Next menu page
  • P Previous menu page
  • R Redraw menu (not shown due to space limitations)
  • X Exit script without performing any configuration
• After C is selected, you are asked if the settings are acceptable. If you indicate that they are not, then pbinstall returns to the configuration menu.
• If the settings are acceptable, then pbinstall asks if you want to view the generated installation script.

🚧

Important information

The generated installation script contains thousands of lines of code; therefore, viewing this script is recommended for advanced users only. To view the script, type y.

• You are then asked if the generated installation script is to be executed. If it is not to be executed, then the name of that script is displayed and pbinstall exits. Otherwise, the script is immediately executed.

Multiple command line options can be used together. During an update installation, the –m, –l, –r, –g, and –i arguments have no effect and must be explicitly changed using the pbinstall installation menu.

An update installation is an installation in which the previous version has not been uninstalled. It uses the same installation directories as the previous installation (including the untar and unpack occurring in the same directories as the previous installation if the distribution was using FTP), and uses the existing pb.settings, pb.key, and pb.conf files. If done properly, all (or almost all) of the previous installation parameters carry forward to the new installation.

Syntax

pbinstall [options]

Examples

pbinstall -h

pbinstall -L   hostname

pbinstall command-line options

Files

Not applicable

ℹ️

For more information, see run_pbinstall and pbuninstall.

run_pbinstall

run_pbinstall is a wrapper script for pbinstall that simplifies installation of components, providing a smaller set of options. It is meant to be used for fresh installation where it is acceptable to use default settings.

Syntax

run_pbinstall [options]
-a|b|c [--L host [-L host]...] [-M host [[-M host]...] [-p prefix] [-s suffix]

Examples

run_pbinstall -a

run_pbinstall -a -p adm1 -L lhost1 -L lhost2 -M mhost1

Arguments

pbmakeremotetar

ℹ️

Starting in EPM-UL version 25.1.6, pbmakeremotetar is no longer supported.

pbmakeremotetar clones a configuration for a binary and configuration-compatible target environment for EPM-UL.

• pbmakeremotetar is a menu-driven, interactive installation script enabling the superuser installer to install, update, or reconfigure EPM-UL as required by configuration changes or updates.
• pbmakeremotetar properly configures (as appropriate) /etc/services, the superdaemon configuration files (/etc/inetd.conf and/or /etc/xinetd.conf), and EPM-UL for most execution environments.

pbmakeremotetar must be executed where the default directory is the directory in which pbmakeremotetar resides or the parent directory to the directory containing pbmakeremotetar.

An initial screen appears, reminding the user about the function of pbmakeremotetar. A prompt also appears, allowing a SIGINT (CTRL+C) to abort the script.

When the script continues, it determines the switches that are necessary for tar to function as desired. A list of files to transfer to the target system is generated and presented to the user for approval or editing.

When the file list is accepted, a tarball file that contains the selected files is created, with the specified tarfilename and with the additional file type of tar appended. The remote_unpack script is generated. Finally, a tarball file that contains both the first tarball file and the remote_unpack script is generated at the location that is specified by tarfilename.

After the final tarball file is created, it must be made available to the target systems. This can be done in any manner that preserves the security and binary integrity of the tarball file.

An installation work directory should be selected other than /tmp (for the same reasons as with pbinstall). Unpack the tarball file using the following commands:

$ cd {installation_directory}
$ tar -xvf {tarfilename_on_local_system}
$ ./remote_unpack

The remote_unpack script unpacks the encapsulated tarball file into the proper locations. The script then prompts you to allow the configuration of the system (/etc/services, superdaemon configuration files). If you allow this configuration, then these configuration files are automatically modified with the appropriate superdaemons instructed to reload their databases. If you decide not to do the configuration at this time, then the name of the script to continue with the configuration is displayed and the script exits.

For policy server target installations, an initial installation (using pbinstall) must be done before a target remote install. Doing so ensures the proper handling of all licensing issues.

Different target system installation (working) directories should be used for different prefix and/or suffix versions of cloned installations.

Encrypted policy files are not scanned for included policy files. You must process the encrypted policy files by restoring the unencrypted ones before running pbmakeremotetar, or by manually moving the encrypted files.

ℹ️

If the settings file is encrypted, then pbmakeremotetar does not work. An unencrypted version of the settings file must be restored before pbmakeremotetar can work. An encrypted policy file is not handled properly.

ℹ️

For details about including encrypted policy files or policy subfiles, see pbmakeremotetar Installation Information.

Syntax

pbmakeremotetar [options] tarfilename

Example

pbmakeremotetar -h

Arguments

ℹ️

Any combination of -c, -g, -l, -r, and -m may be specified if the current installation has those components.

Registry name service (RNS) support

Any new RNS-enabled installation must register with the RNS primary server to use the RNS features.

• pbmakeremotetar creates an RNS registration script to include in the generated tar ball, and is extracted as /opt/pbul/scripts/<prefix>pbrnscfg.sh<suffix> by remote_unpack on the target host.
• remote_unpack calls pbremoteinstall, which automatically invokes the RNS registration script. The script displays prompts for the registration information (RNS Primary Server’s appid/appkey/address/port#).
• You can use pbmakeremotetar to save appid/appkey information to make it available for pbrnscfg.sh. To safeguard the appid/appkey information, decline the pbmakeremotetar prompt and use the interactive prompt of pbrnscfg.sh when running on the target host.
• If you save the appid/appkey information, pbmakeremotetarcreates the input file which is written to /etc/.<prefix>pbrnscfg.in<suffix> on the target host. The RNS registration script automatically looks for this hidden input file, thus skipping the interactive prompts.

Files

Not applicable

ℹ️

For more information, see run_pbinstall and pbuninstall.

pbpatchinstall

• [ver 5.1.2 and earlier]: pbpatchinstall not available.
• [ver 5.2 and later]: pbpatchinstall available.

pbpatchinstall enables you to install and uninstall patches for installations that are running EPM-UL v4 and later.

ℹ️

All EPM-UL daemons running a process during the patch installation should be stopped before using pbpatchinstall and restarted after using pbpatchinstall.

Only root can run pbpatchinstall. It must be run from the install directory where the patch was untarred. For example, if you untarred the patch from the /opt/beyondtrust directory, the patch install directory is then /opt/beyondtrust/powerbroker/v6.0/ pbx86_linuxA-6.0.0-16-sp1/install.

pbpatchinstall should not be moved from this install directory because it is dependent on the included installer scripts (sy_install_support and pb_install_support) that are located there.

pbpatchinstall allows a patch to load if the patch release number differs from the installation release number. However, it does not allow a patch to load if the patch version does not match the installation major and minor version numbers.

pbpatchinstall does not run on versions earlier than v4.0 due to binary - version argument limitations. Also, pbpatchinstall does not report the binary version for executable files pbnvi or pbuvqrpg.

To uninstall a patch, go to the install directory where the patch was originally installed and execute pbpatchinstall -u. pbpatchinstall attempts to uninstall the patch version that is defined by the install directory where pbpatchinstall resides.

For example, if you run pbpatchinstall from the /opt/beyondtrust/powerbroker/v5.1/ pbx86_linuxA-5.1.2-03-sp1/install directory, pbpatchinstall attempts to uninstall the pbx86_linuxA-5.1.2- 03-sp1 patch from that install directory.

If multiple patches are installed and you need to remove one or more of them, they must be removed in the reverse order from the order in which they were added.

Syntax

pbpatchinstall [options]

Example

pbpatchinstall -p test

This creates an installation using the prefix test.

Arguments

ℹ️

For more information, see the following:

• On version numbering, Installation considerations.
• run_pbinstall
• pbuninstall

pbcreateaixcfgpkg

• [ver 6.1 and earlier]: pbcreateaixcfgpkg not available.
• [ver 6.2 and later]: pbcreateaixcfgpkg available.

pbcreateaixcfgpkg is a script that builds a BeyondTrust Endpoint Privilege Management AIX LPP configuration package. The package can be loaded with one or more BeyondTrust Endpoint Privilege Management AIX LPP component packages.

Run pbcreateaixcfgpkg interactively or non-interactively.

Unlike the Endpoint Privilege Management AIX LPP component packages, which are created and distributed by BeyondTrust, you can create AIX LPP configuration packages.

• Create settings files; run pbinstall with the -z argument. Settings files are created by default in directory install/settings_files, although you can select the directory.
• Optionally, include an existing policy file pb.conf in the settings_files directory to include in the configuration package. If pb.conf is not included, a new pb.conf is created and packaged containing the entry reject;
• To include other Endpoint Privilege Management installations keyfiles in the configuration package, copy the keyfiles to the settings files directory prior to building the configuration package.

After the settings files are created, run pbcreateaixcfgpkg from the Endpoint Privilege Management install directory.

pbcreateaixcfgpkg accepts the following arguments:

-h Help (this message) and exit.
-l Save (do not delete) package build directory.
-p User-specified lpp package name to be appended to powerbroker.config.
-s Settings files directory location.
-v Print version of pbcreateaixcfgpkg and exit.

If the -p or -s arguments are not supplied on the command line, the pbcreateaixcfgpkg script becomes interactive and prompts the user for input.

Upon running pbcreateaixcfgpkg, the script informs you as to which Endpoint Privilege Management component packages need to be loaded on the target system. The configuration package does not load until the required component packages are loaded on the target system. Load AIX LPP packages using the installp command.

Syntax

pbcreateaixcfgpkg [options]

Example

pbcreateaixcfgpkg -v

Arguments

ℹ️

For more information, see run_pbinstall.

pbcreatehpuxcfgpkg

• [ver 6.2 and earlier]: pbcreatehpuxcfgpkg not available.
• [ver 6.2.1 and later]: pbcreatehpuxcfgpkg available.

pbcreatehpuxcfgpkg is a script that builds a EPM-UL HP-UX configuration depot. The depot can be loaded with one or more EPM-UL HP-UX component filesets.

Run pbcreatehpuxcfgpkg interactively or non-interactively.

Unlike the BeyondTrust HP-UX component depot, which is created and distributed by BeyondTrust, you can create the HP-UX configuration depots.

• Create settings files; run pbinstall with the -z argument. Settings files are created by default in directory install/settings_files, although you can select the directory.
• Optionally, include a policy file pb.conf in the settings_files directory in the configuration package. If pb.conf is not included, a new pb.conf is created and packaged containing the entry: reject;
• To include other EPM-UL installations keyfiles in the configuration depot, copy the keyfiles to the settings files directory prior to building the configuration depot.

After the depot is created, run pbcreatehpuxcfgpkg from the Endpoint Privilege Management install directory.

pbcreatehpuxcfgpkg accepts the following arguments:

-d Set the component fileset dependency to hppaD rather than hppaB (default)
-h Help (this message) and exit.
-l Save (do not delete) depot build directory.
-p User-specified name for the configuration fileset.
-s Settings files directory location.
-v Print version of pbcreatehpuxcfgpkg and exit.

If one or both of the -p and -s arguments are not supplied on the command line, the pbcreatehpuxcfgpkg script becomes interactive and prompts you for input.

ℹ️

If you create configuration depots for different flavors, use the -p argument to specify different fileset names for each flavor.

Upon running pbcreatehpuxcfgpkg, the script informs you as to which Endpoint Privilege Management for Unix and Linux component filesets must be installed on the target system. The configuration package installs the required component filesets if they are not already installed, provided they have been copied into the appropriate SD depot. HP-UX depots are copied into an SD depot using the swcopy command and are installed using the swinstall command.

Syntax

pbcreatehpuxcfgpkg [options]

Example

pbcreatehpuxcfgpkg -h

Arguments

ℹ️

For more information, see run_pbinstall.

pbcreatelincfgpkg

• [ver 5.2 and earlier]: pbcreatelincfgpkg not available.
• [ver 6.0 and later]: pbcreatelincfgpkg available.

pbcreatelincfgpkg creates a Linux RPM installation package for EPM-UL configuration and settings files. Installing this package after the required component packages completes the package installation.

If the -p option or -s option is not specified, then you are prompted to supply these values.

The output from pbcreatelincfgpkg indicates which component packages must be installed before the configuration package.

After you create the configuration package with pbcreatelincfgpkg, install the required component packages, then install the configuration package.

Syntax

pbcreatelincfgpkg [options]

Example

pbcreatelincfgpkg -p SBM -sopt/beyondtrust/powerbroker/v6.0/ pbx86_linuxB-6.0.0-09/install/settings_files

This example uses the settings and configuration files located in /opt/beyondtrust/powerbroker/v6.0/pbx86_linuxB-6.0.0-09/ install/settings_files and creates an RPM file (powerbroker-configSBM-6.0.0-09-1- noarch.rpm) in the current directory.

Arguments

pbcreatesolcfgpkg

• [ver 5.2 and earlier]: pbcreatesolcfgpkg not available.
• [ver 6.0 and later]: pbcreatesolcfgpkg available.

pbcreatesolcfgpkg creates a Solaris installation package and corresponding package administration file for EPM-UL configuration and settings files. Installing this package after the required component packages completes the EPM-UL package installation.

If the -p option or -s option is not specified, then you are prompted to supply these values.

The output from pbcreatesolcfgpkg indicates which component packages must be installed before the configuration package.

After you create the configuration package with pbcreatesolcfgpkg, install the required component packages, then install the configuration package.

Syntax

pbcreatesolcfgpkg [options]

Example

pbcreatesolcfgpkg -p SBM -s /opt/beyondtrust/powerbroker/v6.0/ pbsparc_solarisC-6.0.0-09/install/settings_files

This example uses the settings and configuration files located in /opt/beyondtrust/powerbroker/v6.0/pbsparc_solarisC-6.0.0-09/install/settings_files and creates a datastream file (SYPBcfSBM.ds) and package admin file (SYPBcfSBM) in the current directory.

Arguments

pblighttpd

The pblighttpd_svc.sh script is packaged in the distribution tar under <installdir>/powerbroker/<version>/pbul_*/bin.

When the REST service is installed and configured to continuously run in the background, the script is installed. It is required when at least one EPM-UL server component is present. If the installation is an EPM-UL client-only installation, it is configured to be managed by the superserver daemon, and there is no need for this script to be present.

By default, pbinstall places the script in $inst_admindir and is set to /usr/sbin. However, the location can be changed in the installation menu with the option Where do you want the administrator programs installed?.

The script is removed by pbuninstall from $inst_admindir.

This script should be installed with each server/client component package. Below are commands for each package type.

AIX

/usr/bin/startsrc -s ${prefix}pblighttpd${suffix}
/usr/bin/stopsrc -s ${prefix}pblighttpd${suffix}

Solaris

/usr/sbin/svcadm enable ${prefix}pblighttpd${suffix}
/usr/sbin/svcadm disable ${prefix}pblighttpd${suffix}


/etc/init.d/${prefix}pblighttpd${suffix} start
/etc/init.d/${prefix}pblighttpd${suffix} stopt

HP

/sbin/init.d/${prefix}pblighttpd${suffix} start
/sbin/init.d/${prefix}pblighttpd${suffix} stop

Linux

/bin/systemctl start ${prefix}pblighttpd${suffix}.service
/bin/systemctl stop ${prefix}pblighttpd${suffix}.service


/usr/sbin/service ${prefix}pblighttpd${suffix} start
/usr/sbin/service ${prefix}pblighttpd${suffix} stop
  
*: /etc/init.d/${prefix}pblighttpd${suffix} start
   /etc/init.d/${prefix}pblighttpd${suffix} stop

pbuninstall

pbuninstall is a menu-driven, interactive script that is used to uninstall EPM-UL. pbuninstall properly configures (as appropriate) /etc/services and the superdaemon configuration files (/etc/inetd.conf and/or /etc/xinetd.conf) for the removal of EPM-UL from most execution environments.

pbuninstall must be executed where the default directory is the directory in which pbuninstall resides, or the parent directory to the directory containing pbuninstall.

When pbuninstall is executed, you are presented with a reminder of the script’s function and prompted: Hit return to continue. Using CTRL+C at this time stops the execution of the script.

ℹ️

pbuninstall removes only those installations that are explicitly named on the command line. It must be run separately for each prefixed and suffixed installation.

During execution, the script identifies files to move to $TMPDIR (log, policy, and configuration files), copies them to $TMPDIR (typically /tmp) and removes them from their original location. Files to be removed are removed.

/etc/services and the superdaemon configuration files have the appropriate EPM-UL configuration lines removed. The appropriate superdaemon processes are requested to reload their configuration files.

Syntax

pbuninstall [options]

ℹ️

For a pbuninstall execution example, see Example of a pbuninstall Execution.

Arguments

Files

Not applicable

Note

ℹ️

For more information, see pbmakeremotetar and pbuninstall.