Package installer
The following sections detail how to install the server-side components of Endpoint Privilege Management for Unix and Linux on Solaris, Linux, HPUX and AIX using the system native package installer.
Endpoint Privilege Management for Unix and Linux has several separate component packages for each log server, run host, policy server, etc.
Starting with v9.0, the shared library component package and the REST API component package need to be installed prior to installation of policy server, GUI, run host, submit host and log server.
Solaris package installer
This section describes how to install Endpoint Privilege Management for Unix and Linux using a package installer for Solaris 9 or 10 on an x86 or SPARC computer. Use the Solaris package installer if you want to do any of the following:
- Install Endpoint Privilege Management for Unix and Linux using the Solaris Package Manager.
- Make the Endpoint Privilege Management for Unix and Linux installation packages available on a JumpStart server to automate the installation of Solaris computers.
The Endpoint Privilege Management for Unix and Linux Solaris package installer that is described here is not compatible with the BeyondTrust Endpoint Privilege Management v5.x packages. If the BeyondTrust Endpoint Privilege Management v5.x packages are installed, you must remove them before installing the Endpoint Privilege Management for Unix and Linux Solaris packages.
Prerequisites
To use the Solaris package installer, you must have the following:
- Package tarball file for the appropriate Endpoint Privilege Management for Unix and Linux flavor
Note
For the Solaris package installer, the tarball files are cumulative. That is, an update tarball file contains a complete Endpoint Privilege Management for Unix and Linux installation. It is not necessary to install a baseline version of Endpoint Privilege Management for Unix and Linux before installing an update.
- Root access or superuser privileges
Note
The Solaris package installer does not support prefix or suffix installations.
Plan your installation
When preparing to use the Solaris package installer, you should be familiar with the following concepts and restrictions:
-
Component packages: an Endpoint Privilege Management for Unix and Linux component package is a Solaris datastream (.ds) file that installs a portion of the Endpoint Privilege Management for Unix and Linux application.
The Endpoint Privilege Management for Unix and Linux component packages are:
- BTPBlogh.ds: Contains the log host, pbsync, and pbsyncd.
- BTPBlibs.ds: Contains the shared libraries.
- BTPBrest.ds: Contains the REST API files.
- BTPBrnsh.ds: Contains Registry Name Service files.
- BTPBlich.ds: Contains the license server files.
- BTPBmsth.ds: Contains the policy server host, pbsync, and pbsyncd.
- BTPBsbmh.ds: Contains the submit host and Endpoint Privilege Management for Unix and Linux shells.
- BTPBrunh.ds: Contains the run host and Endpoint Privilege Management for Unix and Linux utilities.
Which component packages are required depends on the type of Endpoint Privilege Management for Unix and Linux host you create, such as policy server host, log host, and so forth. You can select the types of Endpoint Privilege Management for Unix and Linux hosts in the pbinstall installation menu, as shown in the following table.
Menu selection | Required components |
---|---|
Install everything here (demo mode)? = Yes | BTPBmstr BTPBrunh BTPBsbmh BTPBlogh BTPBguih BTPBlibs |
Install Policy Server Host? = Yes | BTPBmstr |
Install Run Host? = Yes | BTPBrunh |
Install Submit Host? = Yes | BTPBsbmh |
Install Log Host? = Yes | BTPBlogh |
Install BeyondTrust built-in third-party libraries? = Yes | BTPBlibs |
Install Registry Name Services Server? [yes] | BTPBrnsh.ds |
Install License Server? [yes] | BTPBlich.ds |
-
Configuration package: Solaris installation package that is used to install the following files:
- pb.settings: Hardcoded target location /etc/pb.settings
- pb.cfg: Hardcoded target location /etc/pb.cfg
- All the encryption keyfiles defined for networkencryption, eventlogencryption, iologencryption, reportencryption, policyencryption, and restkeyencryption
- By default, two key files are created: pb.key and pb.rest.key
- The sysadmin can define multiple encryption settings with different keyfiles in locations other than /etc. To upgrade and retain settings on the target machine, view all encryption settings in /etc/pb.settings and copy the files to the settings_files directory before running "pbinstall -z" and pbcreate*cfgpkg
- pb.conf (for Policy Server hosts)
- Man pages for the pbinstall and pbcreatesolcfgpkg programs
The Endpoint Privilege Management for Unix and Linux configuration package is created by the pbcreatesolcfgpkg program. The component packages must be installed before you install the configuration package.
-
Response file: pbcreatesolcfgpkg may also create a corresponding response file. The response file contains select information provided to pbinstall to customize objects contained within the prebuilt component package. For example, it ensures correct ownership of pblighttpd files. This file is created in the component package directory, /unzip-dir/powerbroker///package if it is accessible. If it is not, it is created in the current directory in the same location where the component package is created. Its name contains the same prefix supplied to pbcreatesolcfgpkg.
-
Package name: Name of the installation package stored in the Solaris package manager database. For Endpoint Privilege Management for Unix and Linux package installations, this name is the same as the package file name without the .ds extension.
-
Package administration file: Contains alternative settings that control how Solaris packages are installed.
-
Relocated base directory: The directory where the Endpoint Privilege Management for Unix and Linux binary files and log files are installed. You can choose an alternative directory in which to install these files.
-
pbinstall program: To create the Endpoint Privilege Management for Unix and Linux settings files, you use the pbinstall program with the -z (settings only) option. pbinstall -z only creates the settings files and is incompatible with the following command line options:
Options Incompatible with pbinstall -z | Description |
---|---|
-b | Runs pbinstall in batch mode. |
-c | Skip the steps that process or update the Endpoint Privilege Management for Unix and Linux settings file. |
-e | Runs install script automatically by bypassing the menu step of pbinstall. |
-i | Ignores previous pb.settings and pb.cfg files. |
-p | Sets the pb installation prefix. |
-s | Sets the pb installation suffix. |
-u | Install the utility programs. |
-x | Creates a log synchronization host (that is, installs pbsyncd). |
When you execute pbinstall with the -z option, you can see two menu items that are not otherwise available:
-
Enter existing pb.settings path: Enables you to specify your own pb.settings file. pbinstall reads this settings file and populates the remaining menu choices. You can override some menu choices. If set to none, then pbinstall does not read a settings file. The remaining menu choices are populated with default values.
-
Enter directory path for settings file creation: Enables you to specify an alternative output directory for the settings files. The default directory is /unzip-dir/powerbroker///install/settings_files, where unzip-dir is the directory where the package tarball file was unzipped.
The behavior of pbinstall -z depends on whether certain additional command line options are specified:
-
If no other command line options are specified, pbinstall initially presents a short version of the installation menu (items 1–8 only). Depending on the choices you make in these items, further menu items become available.
-
If command line options -g, -l, -m, -o, -r, or -w are specified, pbinstall presents an expanded version of the installation menu that reflects the host types that you are configuring.
When running pbinstall with the -z option, the following menu items are preprogrammed and cannot be changed:
-
Install man pages?
-
Daemon location
-
Administration programs location
-
User programs location
-
GUI library directory
-
Policy include (sub) file directory
-
User man page location
-
Admin man page location
-
Policy filename
-
BeyondTrust built-in third-party library directory
In addition, the values of the following menu items determine the values of other menu items:
Options Preset When Running pbinstall -z:
Setting this menu option to Yes | Sets these values to Yes |
---|---|
Install Policy Server Host? | Install Synchronization? Synchronization can be initiated from this host? |
Install Run Host? | Install Utilities? |
Install Submit Host? | Install PBSSH? Install pbksh? Install pbsh? Will this host use a Log Host? |
Install Log Host? | Install Synchronization? Synchronization can be initiated from this host? |
If you plan to use Registry Name Service and are running pbinstall -z on a client host (non-primary server), you must perform client registration. This is necessary to properly set up the registry name service database. Client registration also requires that you collect the following information from the Endpoint Privilege Management for Unix and Linux primary server:
-
REST Application ID
-
REST Application Key
-
Primary server network name or IP address
-
Primary License Server REST TCP/IP port
-
Registration Client Profile name
-
Registering client with Primary RNS: If Registry Name Services is enabled for Endpoint Privilege Management for Unix and Linux, each client host (after the first server installation) needs to be registered with the Primary Registry Name Server. When using package installers on a target host, a post-install configuration script (/opt/pbul/scripts/pbrnscfg.sh) is provided to be manually executed on that host to properly register it. This post-install configuration script will ask for information about the Primary Registry Name Server, including the Application ID (appid), Application Key (appkey), address/domain name, and the REST TCP/IP port number. This is the same information provided during the client registration part of a pbinstall -z install which generates the settings file.
If you prefer a more convenient method of registering RNS clients where the post-install configuration script is non-interactive, Endpoint Privilege Management for Unix and Linux can save the relevant information in a hidden file during the settings-only run of pbinstall, bundle it with the configuration package, and automatically apply it to the target host when that package is installed. This method is not secure, but it is available if the security-convenience trade-off is acceptable. To enable it, refer to the question about the post-install configuration script that is displayed when running pbinstall -z.
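One way to review the settings directory before it is packaged, given the trade-off described above (an added example, not BeyondTrust code): it flags hidden files and key files that group or other can access. It assumes the hidden file is written alongside the other generated settings files; the function names and the `.rns_saved` file name are hypothetical.

```shell
#!/bin/sh
# Added example, not vendor code: review a settings directory before it is
# handed to pbcreatesolcfgpkg -s, because its contents end up in the package.
# ASSUMPTION: the hidden registration file sits next to the other generated
# settings files. Its name is not given on this page, so any dotfile is flagged.
# Needs a POSIX shell (on Solaris 10: /usr/xpg4/bin/sh).

# scan_settings_dir DIR: print one finding per line, nothing if DIR is clean.
scan_settings_dir() {
    # Hidden regular files: candidates for saved Application ID / Key data.
    find "$1" -type f -name '.*' -print | sed 's/^/HIDDEN /'
    # Secret-bearing files that group or other can read or write.
    find "$1" -type f \( -name '.*' -o -name '*.key' -o -name '*key.pem' \) \
        \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \) -print |
        sed 's/^/PERMS /'
    # Any group/other bit on the directory itself (mode columns 5-10 of ls -ld).
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] || echo "DIRACC $1"
}

# audit_settings_dir DIR: prints the findings, returns 0 if clean, 1 if not.
audit_settings_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "NODIR $dir"; return 2; }
    findings=$(scan_settings_dir "$dir")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Demo on a constructed directory (sample files, not a real configuration).
demo_audit() {
    d=$(mktemp -d) || return 1
    chmod 700 "$d"
    : > "$d/pb.settings"; : > "$d/pb.cfg"
    : > "$d/pb.key";      chmod 644 "$d/pb.key"       # too open
    : > "$d/pb.rest.key"; chmod 600 "$d/pb.rest.key"  # acceptable
    : > "$d/.rns_saved";  chmod 600 "$d/.rns_saved"   # hypothetical hidden file
    audit_settings_dir "$d" || echo "resolve the findings above before packaging"
    rm -rf "$d"
}
demo_audit
```

The generated configuration package datastream carries the same key material, so it deserves the same access restrictions as the directory it was built from.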
Note
For more information, see the following:
- Relocate the base directory
- If you use the package installer to install Endpoint Privilege Management for Unix and Linux on a computer that already has an interactive Endpoint Privilege Management for Unix and Linux installation on it, see Interactive versus packaged installation for additional considerations
- For complete pbinstall command-line options, see Installation Programs
Choose a package administration file
We recommend that you use the package administration files that are provided by BeyondTrust (BTPBadmin and BTPBadmin<suffix>). These package administration files are configured to eliminate interactive prompts during package installation. If you want to use the Solaris default package administration file or another package administration file for your environment, you may be required to respond to prompts to install the packages.
Note
When installing a package using custom JumpStart, the installation process is required to be noninteractive.
Use EPM-UL packages on Solaris zones
The Endpoint Privilege Management for Unix and Linux Solaris package installer supports Solaris Zones in Solaris release 10. The primary operating system instance is referred to as the global zone. All zones that are not the global zone are referred to as non-global zones.
Note
Solaris release 10 is required. The use of Solaris Zones is not supported on earlier releases. There are three types of zones:
- Sparse root: A sparse zone is the default zone configuration and is configurable. It shares the read-only global zone’s /usr /lib /platform and /sbin partitions.
- Whole root: A whole root zone does not share global zone partitions, which increases configuration flexibility.
- Branded: A branded zone allows virtualization of Solaris 8, 9, or Linux and shares no partitions from the global zone. Branded zones are available as of Solaris 10 release 08/07 update 4.
Note
Endpoint Privilege Management for Unix and Linux Solaris Packages do not JumpStart to non-global zones. Using Custom JumpStart to install packages on Solaris 10 Zoned systems results in errors as the zones are not running during JumpStart execution.
Installing Endpoint Privilege Management for Unix and Linux Solaris Packages on Zones is very similar to installing these packages on Solaris systems without zones. However, keep the following considerations in mind:
- Endpoint Privilege Management for Unix and Linux Solaris packages are designed to be installed from the global zone. Packages are propagated to the sparse and whole root zones upon global zone pkgadd and upon zone creation.
- Endpoint Privilege Management for Unix and Linux Solaris packages are designed to be uninstalled from the global zone. Packages are removed from sparse and whole root zones upon the global zone pkgrm.
- Endpoint Privilege Management for Unix and Linux Solaris packages can be installed in the global zone only, by using the pkgadd -G command. Endpoint Privilege Management for Unix and Linux Solaris packages cannot be installed in sparse zones (with read-only partitions) and should instead be installed in the global zone. Although Endpoint Privilege Management for Unix and Linux Solaris packages could be installed into a whole-root zone, Endpoint Privilege Management for Unix and Linux Solaris packages are designed to be installed from the global zone. Packages installed on a whole-root zone are subject to overwriting by packages installed in the global zone.
- As Solaris branded zones are fully contained instances of Solaris 8 or 9, Endpoint Privilege Management for Unix and Linux packages should be installed as with non-zoned Solaris instances. Loading packages to the global zone does not update a branded zone. Endpoint Privilege Management for Unix and Linux Solaris packages for Solaris branded zones running Linux are not supported.
- The Endpoint Privilege Management for Unix and Linux Solaris configuration package must be removed before removing any Endpoint Privilege Management for Unix and Linux component packages and must be removed individually. Endpoint Privilege Management for Unix and Linux Solaris component packages may be removed simultaneously.
Overview of steps
Using the Endpoint Privilege Management for Unix and Linux Solaris package installer involves the following steps:
- Unpack the Endpoint Privilege Management for Unix and Linux package tarball file.
- Use the pbinstall program to create Endpoint Privilege Management for Unix and Linux settings files.
- Use the pbcreatesolcfgpkg program to create the Endpoint Privilege Management for Unix and Linux configuration package along with a corresponding response file used for additional customization.
- Perform a package installation using the Solaris pkgadd command for any required components.
- Perform a package installation using the Solaris pkgadd command for the Endpoint Privilege Management for Unix and Linux configuration package.
- If Registry Name Service is enabled and installed on a non-primary server, run /opt/pbul/scripts/pbrnscfg.sh to register the host.
Note
For more detail on the steps above, see Installation Process.
Installation procedure
Note
Before installing Solaris packages, if the directories where files are installed, /usr/local, /usr/bin etc., are symbolic links to other directories, then set the environment variable PKG_NONABI_SYMLINKS to true:
# PKG_NONABI_SYMLINKS=true
# export PKG_NONABI_SYMLINKS
This prevents the symbolic links from being removed by the pkgadd command on Solaris.
To install Endpoint Privilege Management for Unix and Linux using the Solaris Package Manager, do the following:
-
Extract the package tarball files into the /opt/beyondtrust/ directory by executing the following command:
gunzip -c pmul<flavor_version>_pkg.tar.Z | tar xvf -
-
Navigate to the /opt/beyondtrust/powerbroker///install/ directory.
-
Execute the following command:
./pbinstall -z
You can include other options with the -z option. Use the -R option if you want to specify an alternate base directory for installing the component packages.
You are asked if you want to use client registration. If you plan to enable Registry Name Service, and are installing on a host that is not designated as a primary server, you must run client registration.
pbinstall then asks if you want to enable Registry Name Service.
pbinstall displays the Endpoint Privilege Management for Unix and Linux installation menu.
-
Make your menu selections.
When the menu selection process is complete, pbinstall creates the following files in the specified location:
- pb.settings
- pb.cfg
- pb.key (if encryption is enabled)
- pb.conf (for Policy Server host)
- pbpolicykey.pem and pbpolicypubcert.pem (for Policy Server hosts with Cached Policy feature enabled)
Note
The Enter existing pb.settings path menu option enables you to specify your own pb.settings file to use. Also, the Enter directory path for settings file creation menu option enables you to specify where to save the generated settings files. These menu options are available only when running pbinstall with the -z option.
-
Optional. For an Endpoint Privilege Management for Unix and Linux client, if client-server communications are to be encrypted, replace the generated pb.key file with the pb.key file from the policy server host. Also, copy any other required key files into the same directory.
-
Optional. For a policy server host, write a policy file (pb.conf) and place it in the directory with the other generated files. If you do not provide a pb.conf file, a pb.conf file with the single command reject; is generated and packaged.
Starting with v8.0, pbinstall -z can optionally install the default role-based policies and asks:
Installing default role-based policy pbul_policy.conf and pbul_functions.conf in <install_dir>/settings_files Would you like to use the default role-based policy in the configuration package?
- Answer Yes for new installs only.
- If you are upgrading an existing configuration package, to avoid overwriting your existing policy, answer No.
Use the default role-based policy [Y]?
- If you answer Yes, the default pb.conf, pbul_policy.conf and pbul_functions.conf are created and installed on the policy server.
- If you are installing over an existing installation, and have an existing policy in place, answer No.
-
Navigate to the /opt/beyondtrust/powerbroker///install/ directory.
-
Run the pbcreatesolcfgpkg utility by typing:
pbcreatesolcfgpkg -p suffix -s directory
- suffix is appended to the filenames of the configuration package datastream file and the package administration file; length can be up to 26 characters (3 characters for unpatched Solaris 8).
- directory contains the Endpoint Privilege Management for Unix and Linux settings and configuration files to include in the package.
The pbcreatesolcfgpkg utility creates the following files:
- Configuration package file BTPBcf<suffix>.ds
- Package administration file BTPBadmin<suffix>
- Response file BTPB<suffix>.resp
-
Navigate to the /opt/beyondtrust/powerbroker///package/ directory.
-
Optional. To install Endpoint Privilege Management for Unix and Linux in an alternative base directory, edit the provided BTPBadmin file and change the basedir=default entry as follows:
basedir=target_base_directory
target_base_directory is the absolute path of the target base directory.
-
For each required component package, run the Solaris pkgadd utility to install the component package by typing:
pkgadd -a BTPBadmin -r response-file -d pkg-datastream-file pkg-name
pkg-datastream-file is the name of the component package datastream (.ds) file. response-file is the location and name of the response file, if generated, and pkg-name is the name of the package. For Endpoint Privilege Management for Unix and Linux packages, the package name is the same as the datastream file name without the .ds extension.
Example
pkgadd -a BTPBadmin -r ./BTPB<suffix>.resp -d BTPBrunh.ds BTPBrunh
If no response file is generated (not applicable):
pkgadd -a BTPBadmin -d BTPBrunh.ds BTPBrunh
-
Run the Solaris pkgadd utility to install the Endpoint Privilege Management for Unix and Linux configuration package by typing:
pkgadd -a BTPBadmin<suffix> -d BTPBcf<suffix>.ds BTPBcf<suffix>
<suffix> is the suffix specified when the Endpoint Privilege Management for Unix and Linux configuration package is created in step 8.
-
Verify the installation of the packages with the Solaris pkginfo utility by typing:
pkginfo | grep BTPB
-
If Registry Name Service is enabled and installed on a non-primary server, register the host with the Primary Registry Name Server using a post-install configuration script. Gather the Application ID, Application Key, network name or IP address, and REST TCP/IP port of the primary server, then run the script to register the host and follow the prompts:
/opt/pbul/scripts/pbrnscfg.sh
Note
If you install Endpoint Privilege Management for Unix and Linux using a custom JumpStart session, the Endpoint Privilege Management for Unix and Linux configuration package should be added or removed only once per session to avoid installing conflicting rc scripts.
Note
For more information, see the following:
- For other options you can use with the pbinstall -z option, see Plan your installation
- pblighttpd
- pbcreatesolcfgpkg
Remove EPM-UL packages
Removing the packages completely uninstalls Endpoint Privilege Management for Unix and Linux from a computer.
To remove the packages:
-
Navigate to the /opt/beyondtrust/powerbroker///install/ directory.
-
Remove the Endpoint Privilege Management for Unix and Linux packages by typing:
pkgrm -na ./BTPBadmin config-package-name component-package-1 ... component-package-n
- BTPBadmin is the package administration file that is supplied by BeyondTrust. You can specify a different package administration file, or leave out the -a option to use the default package administration file. The BTPBadmin package administration file is designed to make the package installation and removal processes run noninteractively.
- config-package-name is the name of the package specified when the configuration package is installed. Because of the dependency relationship between the configuration package and the component packages, this package name must come first in the list.
- component-package-1 through component-package-n are the names of the packages specified when the component packages are installed.
Relocate the base directory
The Solaris package management system enables you to specify an alternative base directory for package installation. With this feature, specify a directory to install the binary files and log files. Certain files, such as pb.settings, pb.cfg, and key files, must be located in the /etc directory for Endpoint Privilege Management for Unix and Linux to run. These files are not relocatable.
To relocate the base directory from the default / (root) directory:
-
On the target machine, create the target base directory if it does not already exist.
-
When you run pbinstall, use the -R option and specify the new base directory.
-
Before installing the Endpoint Privilege Management for Unix and Linux component packages, edit the provided BTPBadmin package administration file and change the basedir entry to refer to the new base directory.
Change the basedir=default entry as follows:
basedir=target_base_directory
target_base_directory is the absolute path of the target base directory.
-
When you install the component packages, execute pkgadd with the -a option and use the BTPBadmin package administration file.
For each required component package, run the Solaris pkgadd utility to install the component package by typing:
pkgadd -a BTPBadmin -r response-file -d pkg-datastream-file pkg-name
pkg-datastream-file is the name of the component package datastream (.ds) file. response-file is the location and name of the response file, if generated, and pkg-name is the name of the package. For Endpoint Privilege Management for Unix and Linux packages, the package name is the same as the datastream file name without the .ds extension.
Example
pkgadd -a BTPBadmin -r ./BTPB<suffix>.resp -d BTPBrunh.ds BTPBrunh
If no response file is generated (not applicable):
pkgadd -a BTPBadmin -d BTPBrunh.ds BTPBrunh
Update EPM-UL with the Solaris Package Installer
The Solaris package installer can be used to update an existing installation to a new version. The existing version should have been installed with the Endpoint Privilege Management for Unix and Linux package installer.
Note
It is possible to use the Solaris package installer to install Endpoint Privilege Management for Unix and Linux over an existing version that was installed with pbinstall. However, doing so is not recommended because it can result in unused files from the existing version remaining in the file system.
Package update considerations
Installing an update with the Solaris package installer is similar to using the Solaris package installer to install Endpoint Privilege Management for Unix and Linux for the first time. Keep these considerations in mind when you prepare to update Endpoint Privilege Management for Unix and Linux:
- Technically, the Solaris packages are update packages, as opposed to upgrade packages. An update package overwrites the existing files before registering the new version number in the Solaris Package Manager database.
- A Solaris update package contains a complete Endpoint Privilege Management for Unix and Linux installation, not just the files that have changed since the previous release.
- The Solaris update packages are compatible with JumpStart.
- If you have more than one Endpoint Privilege Management for Unix and Linux package on a computer, update all packages on that computer.
- A newer release can introduce features that use new settings or configurations. An upgrade of the configuration package of Endpoint Privilege Management for Unix and Linux is also needed.
- Unlike Endpoint Privilege Management for Unix and Linux patches that are installed with pbpatchinstall, update packages cannot be rolled back to a previous release. However, you can install an older package over a newer one, effectively rolling back to the older release.
Package update procedure
Follow this procedure to update your installation of Endpoint Privilege Management for Unix and Linux using the Solaris package installer:
- Obtain the tarball file for the Solaris update packages that are appropriate for your hardware. The tarball file name has the format pmul-v.v.r-b-pn_pkg.tar.Z, where:
- indicates the operating system and hardware architecture.
- v.v.r is the major and minor version number and the release number.
- b is the build number.
- n is the update number.
- Extract the package tarball files into the /unzip-dir/ directory of the computer that you are updating by executing the following command:
gunzip -c pmul<flavor_version>_pkg.tar.Z | tar xvf -
- Navigate to the /unzip-dir/powerbroker///install/ directory.
- Create the settings_files directory and change directory to that location.
- To retain or correctly update the settings of the current installation, copy the following files from the target installation host into the settings_files directory you created in step 4:
- /etc/pb.settings
- /etc/pb.cfg
- encryption keys defined in pb.settings for networkencryption, eventlogencryption, iologencryption, reportencryption, policyencryption, and restkeyencryption settings (if enabled)
Note
In a default installation, there are typically 2 key files created: pb.key and pb.rest.key.
- policy file defined in policyfile setting in pb.settings (if the target installation is a Policy Server)
Note
In a default installation, the policy file is located in /opt/pbul/policies/pb.conf.
- Execute the following command and verify the installation settings:
./pbinstall -z
- Create the upgrade configuration package by running the pbcreatesolcfgpkg utility:
pbcreatesolcfgpkg -p suffix
Use the current suffix of the installation to be upgraded. Use the suffix you provided in the initial package installation in step 8 of the Installation procedure.
Another way to find the suffix is to run the following command on the target installation host to get the list of packages installed:
pkginfo -x | grep BTPB
Identify the suffix of the Endpoint Privilege Management for Unix and Linux configuration package using this format:
BTPBcf<suffix>
-
Navigate to the /unzip-dir/powerbroker///package/ directory.
-
Optional. To install Endpoint Privilege Management for Unix and Linux in an alternative base directory, edit the provided BTPBadmin file and change the basedir=default entry as follows:
basedir=target_base_directory
target_base_directory is the absolute path of the target base directory.
-
For each required component package, run the Solaris pkgadd utility to install the component package by typing:
pkgadd -a BTPBadmin -r response-file -d pkg-datastream-file pkg-name
pkg-datastream-file is the name of the component package datastream (.ds) file. response-file is the location and name of the response file, if generated, and pkg-name is the name of the package. For Endpoint Privilege Management for Unix and Linux packages, the package name is the same as the datastream file name without the .ds extension.
Example
pkgadd -a BTPBadmin -r ./BTPB<suffix>.resp -d BTPBrunh.ds BTPBrunh
If no response file is generated (not applicable):
pkgadd -a BTPBadmin -d BTPBrunh.ds BTPBrunh
-
Navigate to the /unzip-dir/powerbroker///install/ directory.
-
Run the Solaris pkgadd utility to install the Endpoint Privilege Management for Unix and Linux configuration package by typing:
pkgadd -a BTPBadmin<suffix> -d BTPBcf<suffix>.ds BTPBcf<suffix>
<suffix> is the suffix specified when the Endpoint Privilege Management for Unix and Linux configuration package is created in step 7.
-
Verify the installation of the packages with the Solaris pkginfo utility by typing:
pkginfo -x | grep BTPB
Upgrade the configuration package
When upgrading the configuration package (cfg pkg), some settings that are part of the package might need settings and configuration files copied from the existing installation to the staging host.
Files included in the cfg package:
-
pb.settings: Hardcoded target location /etc/pb.settings.
-
pb.cfg: Hardcoded target location /etc/pb.cfg.
-
All the encryption key files defined for networkencryption, eventlogencryption, iologencryption, reportencryption, policyencryption, and restkeyencryption. By default, two key files are typically created:
- pb.key
- pb.rest.key
The sysadmin can define encryption with different key files in locations other than /etc. Therefore, when upgrading, and to retain what is installed on the target machine, look at all the encryption settings in /etc/pb.settings. Copy the settings to the settings_files directory before running pbinstall -z and pbcreate*cfgpkg.
-
Policy file if the target is a policy server.
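The staging step described above and in step 5 of the package update procedure, as an added example (not BeyondTrust code): it reads the six encryption settings from pb.settings and copies every key file they name, reporting any that are missing. The `keyfile=` value syntax, the function names and the sample tree are assumptions constructed for illustration; the policy file is not handled here.

```shell
#!/bin/sh
# Added example, not vendor code. Stages /etc/pb.settings, /etc/pb.cfg and every
# key file that pb.settings references into a settings_files directory.
# ASSUMPTION: encryption values look like "<algorithm>:keyfile=/abs/path[:...]",
# several per line separated by spaces. Check this against your own pb.settings.
# Needs a POSIX shell and awk (on Solaris 10: /usr/xpg4/bin/sh and nawk).

ENC_SETTINGS="networkencryption eventlogencryption iologencryption \
reportencryption policyencryption restkeyencryption"

# list_keyfiles FILE: print each distinct keyfile path named by the six settings.
list_keyfiles() {
    awk -v names="$ENC_SETTINGS" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        $1 ~ /^#/ || !($1 in want) { next }
        {
            gsub(/"/, "")                       # tolerate quoted values
            for (i = 2; i <= NF; i++) {
                m = split($i, part, ":")
                for (j = 1; j <= m; j++)
                    if (part[j] ~ /^keyfile=\// && !seen[part[j]]++)
                        print substr(part[j], 9)
            }
        }' "$1"
}

# stage_settings ROOT DEST: ROOT is "" on the live host, or the mount point of
# a copy of it. Returns 0 only if every referenced file was staged.
stage_settings() {
    root=$1 dest=$2 rc=0
    ( umask 077; mkdir -p "$dest" ) || return 2
    for f in pb.settings pb.cfg; do
        cp -p "$root/etc/$f" "$dest/$f" || rc=1
    done
    keys=$(list_keyfiles "$root/etc/pb.settings")
    while IFS= read -r kf; do
        [ -n "$kf" ] || continue
        base=${kf##*/}
        if [ ! -f "$root$kf" ]; then
            echo "MISSING   $kf" >&2; rc=1
        elif [ -f "$dest/$base" ] && ! cmp -s "$root$kf" "$dest/$base"; then
            # Two settings name different files that share one base name.
            echo "COLLISION $kf" >&2; rc=1
        else
            cp -p "$root$kf" "$dest/$base" && chmod 600 "$dest/$base" || rc=1
            echo "staged    $kf"
        fi
    done <<EOF
$keys
EOF
    return $rc
}

# make_sample DIR: constructed host tree for the demo (not a real configuration).
make_sample() {
    mkdir -p "$1/etc" "$1/opt/keys"
    printf 'k1\n' > "$1/etc/pb.key"
    printf 'k2\n' > "$1/etc/pb.rest.key"
    printf 'k3\n' > "$1/opt/keys/iolog.key"
    : > "$1/etc/pb.cfg"
    cat > "$1/etc/pb.settings" <<'EOF'
# constructed sample
networkencryption  aes-256:keyfile=/etc/pb.key
restkeyencryption  aes-256:keyfile=/etc/pb.rest.key
iologencryption    aes-256:keyfile=/opt/keys/iolog.key:enddate=2030/01/01 des:keyfile=/etc/pb.key
eventlogencryption none
EOF
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_sample "$tmp/host"
    stage_settings "$tmp/host" "$tmp/settings_files"
    ls -l "$tmp/settings_files"
    rm -rf "$tmp"
}
demo
```

On the live host, call `stage_settings "" ./settings_files` as root before running pbinstall -z; a non-zero return means a key file named in pb.settings was not staged.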
Sample Execution for the Solaris Package Installer
The sample execution shows the installation of an Endpoint Privilege Management for Unix and Linux submit host, run host, and shared libraries using the Endpoint Privilege Management for Unix and Linux Solaris package installer.
This sample execution is divided into the following parts:
- Generate the Endpoint Privilege Management for Unix and Linux settings files.
- Create the Endpoint Privilege Management for Unix and Linux configuration package using the pbcreatesolcfgpkg program.
- Install the component packages using the pkgadd command.
- Install the configuration package using the pkgadd command.
Generate the EPM-UL settings files
This section of the execution shows the generation of the Endpoint Privilege Management for Unix and Linux settings files (pb.key, pb.cfg, and pb.settings) and also displays the Endpoint Privilege Management for Unix and Linux installation menu. This output was generated using the pbinstall program with the options: -z, -l, and -r.
Example
# ./pbinstall -z -l -r
Starting pbinstall main() from /opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/.
solaris9-10.x86
WARNING: When creating configuration packages to be installed on Solaris Zones, care must be taken to set log file directories to Zone-writable partitions. The default Solaris sparse zone has the following read-only and/or shared partitions, although configuration can vary:
/usr
/lib
/platform
/sbin
The Endpoint Privilege Management for Unix and Linux log file default directory for Solaris Zones is '/var/adm'.
Endpoint Privilege Management for Unix and Linux Settings File Generation
Please read the Endpoint Privilege Management for Unix and Linux Installation Instructions before proceeding.
Checking MANIFEST against release directory
Press return to continue
The Registry Name Service of Endpoint Privilege Management for Unix and Linux facilitates location of other services within the EPM-UL enterprise with the aid of a centralized data repository.
IMPORTANT: client registration is required if this is not the Primary Server and you intend to use Registry Name Services.
Do you wish to utilize Registry Name Service? [yes]? no
BeyondTrust Endpoint Privilege Management for Unix and Linux Installation Menu
Opt Description [Value]
1 Install Everything Here (Demo Mode)? [no]
2 Install License Server? [no]
3 Install Registry Name Services Server? [no]
4 Install Client Registration Server? [no]
7 Install Submit Host? [yes]
8 Install PBSSH [yes]
10 Install Log Host? [yes]
11 Enable Logfile Tracking and Archiving? [yes]
12 Is this a Log Archiver Storage Server? [no]
13 Is this a Log Archiver Database Server? [no]
14 Install File Integrity Monitoring Polic... [no]
15 Install REST Services? [yes]
16 List of License Servers [*]
19 Path to Password Safe 'pkrun' binary []
23 Install Synchronization program? [yes]
25 Install Secure GUI Host? [yes]
26 Install Utilities: pbvi, pbnvi, pbmg, p... [yes]
27 Install pbksh? [yes]
28 Install pbsh? [yes]
29 Install man pages? [no]
30 Will this host use a Log Host? [yes]
31 AD Bridge Integration? [no]
37 Integration with BeyondInsight? [no]
55 Synchronization program can be initiate... [yes]
56 Daemons location [/usr/sbin]
57 Number of reserved spaces for submit pr... [80]
58 Administration programs location [/usr/sbin]
59 User programs location [/usr/local/bin]
60 GUI library directory [/usr/local/lib/pbbuilder]
61 Policy include (sub) file directory [/opt/pbul/policies]
62 Policy file name [/opt/pbul/policies/pb.conf]
65 Log Archive Storage Server name []
67 Log Archiver Database Server name []
69 Logfile Name Cache Database file path? [/opt/pbul/dbs/pblogcache.db]
70 REST Service installation directory? [/usr/lib/beyondtrust/pb/rest]
71 Install REST API sample code? [no]
73 Pblighttpd user [pblight]
75 Pblighttpd user UID []
76 Pblighttpd user GID []
78 Configure systemd? [yes]
79 Command line options for pbmasterd [-ar]
80 Policy Server Delay [500]
81 Policy Server Protocol Timeout [-1]
82 pbmasterd diagnostic log [/var/log/pbmasterd.log]
83 Eventlog filename [/var/log/pb.eventlog]
84 Configure eventlog rotation via size? []
85 Configure eventlog rotation path? []
86 Configure eventlog rotation via cron? [no]
87 Validate Submit Host Connections? [no]
88 List of Policy Servers to submit to [kandor]
89 pbrun diagnostic log? [none]
90 pbssh diagnostic log? [none]
91 Allow Local Mode? [yes]
92 Additional secured task checks? [no]
93 Suppress Policy Server host failover er... [yes]
94 List of Policy Servers to accept from [kandor]
95 pblocald diagnostic log [/var/log/pblocald.log]
96 Command line options for pblocald []
97 Syslog pblocald sessions? [no]
98 Record PTY sessions in utmp/utmpx? [yes]
99 Validate Policy Server Host Connections? [no]
100 List of Log Hosts [kandor]
101 Command line options for pblogd []
102 Log Host Delay [500]
103 Log Host Protocol Timeout [-1]
104 pblogd diagnostic log [/var/log/pblogd.log]
105 List of log reserved filesystems [none]
106 Number of free blocks per log system fi... [0]
107 Command line options for pbsyncd []
108 Sync Protocol Timeout [-1]
109 pbsyncd diagnostic log [/var/log/pbsyncd.log]
110 pbsync diagnostic log [/var/log/pbsync.log]
111 pbsync sychronization time interval (in... [15]
112 Add installed shells to /etc/shells [no]
113 pbksh diagnostic file [/var/log/pbksh.log]
114 pbsh diagnostic file [/var/log/pbsh.log]
115 Stand-alone pblocald command [none]
116 Stand-alone root shell default iolog [/pbshell.iolog]
121 Use syslog? [yes]
122 Syslog facility to use? [LOG_AUTHPRIV]
123 Base Daemon port number [24345]
124 pbmasterd port number [24345]
125 pblocald port number [24346]
126 pblogd port number [24347]
129 pbsyncd port number [24350]
130 REST Service port number [24351]
131 Add entries to '/etc/services' [yes]
132 Allow non-reserved port connections [yes]
133 Inbound Port range [1025-65535]
134 Outbound Port range [1025-65535]
137 Network encryption options [aes-256:keyfile=/etc/pb.key]
138 Event log encryption options [none]
139 I/O log encryption options [none]
140 Report encryption options [none]
141 Policy file encryption options [none]
142 Settings file encryption type [none]
143 REST API encryption options [aes-256:keyfile=/etc/pb.re...]
144 Configure with Kerberos v5? [no]
150 Enforce High Security Encryption? [yes]
151 Use SSL? [yes]
152 SSL Configuration? [requiressl]
153 SSL pbrun Certificate Authority Directory? [none]
154 SSL pbrun Certificate Authority File? [none]
155 SSL pbrun Cipher List? [HIGH:!SSLv2:!3DES:!MD5:@ST…]
156 SSL pbrun Certificate Directory? [none]
157 SSL pbrun Certificate File? [none]
158 SSL pbrun Private Key Directory? [none]
159 SSL pbrun Private Key File? [none]
160 SSL pbrun Certificate Subject Checks? [none]
161 SSL Server Certificate Authority Direct... [none]
162 SSL Server Certificate Authority File? [none]
163 SSL Server Cipher List? [HIGH:!SSLv2:!3DES:!MD5:@ST...]
164 SSL Server Certificate Directory? [none]
165 SSL Server Certificate File? [/etc/pbssl.pem]
166 SSL Server Private Key Directory? [none]
167 SSL Server Private Key File? [/etc/pbssl.pem]
168 SSL Server Certificate Subject Checks? [none]
169 SSL Certificate Country Code [US]
170 SSL Certificate State/Province [AZ]
171 SSL Certificate Location (Town/City) [Phoenix]
172 SSL Certificate Organizational Unit/Dep... [Security]
173 SSL Certificate Organization [BeyondTrust]
174 Configure Privilege Management for Unix... [no]
175 Install BeyondTrust built-in third-part... [yes]
176 BeyondTrust built-in third-party librar... [/usr/lib/beyondtrust/pb]
188 Use PAM? [no]
196 Allow Remote Jobs? [yes]
197 UNIX Domain Socket directory [none]
198 Reject Null Passwords? [no]
199 Enable TCP keepalives? [no]
200 Name Resolution Timeout [0]
N for the next menu page, P for the previous menu page, C to continue, X to exit
Please enter a menu option [For technical support call 1-800-234-9072]> c
Generating key file /opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/settings_files/pb.key...
Are all the installation settings correct [yes]?
Generating config file /opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/settings_files/pb.cfg
Creating the settings file creation script
Backed up existing settings file creation script to:
'/opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/pbcreatesettingsfile.ctime.May_26_11:01'
Running settings file creation script
Creating settings file /opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/settings_files/pb.settings
Generated settings files are in directory: /opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/settings_files
Endpoint Privilege Management for Unix and Linux Settings File Generation completed successfully.
Create the EPM-UL configuration package using pbcreatesolcfgpkg
This section shows the creation of the Endpoint Privilege Management for Unix and Linux configuration package using the pbcreatesolcfgpkg program with the -p and -s options.
Note
At the end of its output, the pbcreatesolcfgpkg script shows which Endpoint Privilege Management for Unix and Linux component packages need to be installed.
Example
# cd /opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install
# ./pbcreatesolcfgpkg -p CLIENT1 -s /opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/settings_files
pbcreatesolcfgpkg: starting from /opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install
Warning: Unpatched Solaris 8 has a 9 character package name limitation!
The package name created 'BTPBcfCLIENT1' is 13 characters...
pbcreatesolcfgpkg: keyfile pb.key will be included in package
Reading /opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/settings_files/pb.cfg
## Building pkgmap from package prototype file.
## Processing pkginfo file.
## Attempting to volumize 15 entries in pkgmap.
part 1 -- 637 blocks, 24 entries
## Packaging one part.
/opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/BTPBcfCLIENT1/BTPBcfCLIENT1/pkgmap
/opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/BTPBcfCLIENT1/BTPBcfCLIENT1/pkginfo
/opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/BTPBcfCLIENT1/BTPBcfCLIENT1/root/etc/init.d/sypbcfg_svcsinetdsmf
/opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/BTPBcfCLIENT1/BTPBcfCLIENT1/root/etc/pb.cfg
/opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/BTPBcfCLIENT1/BTPBcfCLIENT1/root/etc/pb.key
/opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/BTPBcfCLIENT1/BTPBcfCLIENT1/root/etc/pb.settings
/opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/BTPBcfCLIENT1/BTPBcfCLIENT1/root/etc/rc2.d/S99sypbcfg_pbpatton
/opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/BTPBcfCLIENT1/BTPBcfCLIENT1/root/var/adm/pbksh.log
/opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/BTPBcfCLIENT1/BTPBcfCLIENT1/root/var/adm/pblocald.log
/opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/BTPBcfCLIENT1/BTPBcfCLIENT1/root/var/adm/pbsh.log
/opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/BTPBcfCLIENT1/BTPBcfCLIENT1/install/checkinstall
/opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/BTPBcfCLIENT1/BTPBcfCLIENT1/install/copyright
/opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/BTPBcfCLIENT1/BTPBcfCLIENT1/install/depend
/opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/BTPBcfCLIENT1/BTPBcfCLIENT1/install/postinstall
/opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/BTPBcfCLIENT1/BTPBcfCLIENT1/install/postremove
/opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/BTPBcfCLIENT1/BTPBcfCLIENT1/install/preinstall
/opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/BTPBcfCLIENT1/BTPBcfCLIENT1/install/preremove
## Validating control scripts.
## Packaging complete.
pbcreatesolcfgpkg: created package BTPBcfCLIENT1 in /opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/BTPBcfCLIENT1
Checking uninstalled directory format package <BTPBcfCLIENT1> from </opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/BTPBcfCLIENT1>
## Checking control scripts.
## Checking package objects.
## Checking is complete.
pbcreatesolcfgpkg: pkgchk for spooled package BTPBcfCLIENT1 succeeded.
Transferring <BTPBcfCLIENT1> package instance
pbcreatesolcfgpkg: pkgtrans for package BTPBcfCLIENT1 succeeded.
Checking uninstalled stream format package <BTPBcfCLIENT1> from </opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/BTPBcfCLIENT1.ds>
## Checking control scripts.
## Checking package objects.
## Checking is complete.
rm: Cannot remove any directory in the path of the current working directory
/var/tmp/aaaJEaG90/BTPBcfCLIENT1
pbcreatesolcfgpkg: pkgchk for datastream package BTPBcfCLIENT1 succeeded.
pbcreatesolcfgpkg: spooled package BTPBcfCLIENT1 removed.
pbcreatesolcfgpkg: package datastream file is: /opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/BTPBcfCLIENT1.ds
pbcreatesolcfgpkg: package admin file is: /opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/BTPBadminCLIENT1
pbcreatesolcfgpkg: the following packages will need to be loaded to the target system: BTPBrunh BTPBsbmh BTPBlibs
pbcreatesolcfgpkg: completed.
Install component packages using the pkgadd command
This section shows the execution of the pkgadd command to install component packages for the submit host, run host, and shared libraries. The execution text also includes copyright, trademark, trade secrets, and other legal text; however, those notices and text were removed from the following excerpt to save space:
Example
# cd /opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/package
# ls
BTPBadmin BTPBguih.ds BTPBlibs.ds BTPBlogh.ds BTPBmsth.ds BTPBrest.ds BTPBrnsh.ds BTPBrunh.ds BTPBsbmh.ds
# pkgadd -a BTPBadmin -d BTPBlibs.ds BTPBlibs
Processing package instance <BTPBlibs> from </opt/acpkg/powerbroker/v9.4/ppmul_solaris9-10.x86_9.4.3-18/package/BTPBlibs.ds>
BeyondTrust PowerBroker Shared Libraries - Root Delegation and Privilege Management (x86) 9.4.3-18
## Executing checkinstall script.
Using </> as the package base directory.
## Processing package information.
## Processing system information.
## Verifying package dependencies.
## Verifying disk space requirements.
Installing BeyondTrust PowerBroker Shared Libraries - Root Delegation and Privilege Management as <BTPBlibs>
## Executing preinstall script.
## Installing part 1 of 1.
/usr/lib/beyondtrust/pb/libcom_err.so <symbolic link>
/usr/lib/beyondtrust/pb/libcom_err.so.3 <symbolic link>
/usr/lib/beyondtrust/pb/libcom_err.so.3.0
/usr/lib/beyondtrust/pb/libcrypto.so <symbolic link>
/usr/lib/beyondtrust/pb/libcrypto.so.1 <symbolic link>
/usr/lib/beyondtrust/pb/libcrypto.so.1.0.0
/usr/lib/beyondtrust/pb/libcurl.so <symbolic link>
/usr/lib/beyondtrust/pb/libcurl.so.4 <symbolic link>
/usr/lib/beyondtrust/pb/libcurl.so.4.3.0
/usr/lib/beyondtrust/pb/libgssapi_krb5.so <symbolic link>
/usr/lib/beyondtrust/pb/libgssapi_krb5.so.2 <symbolic link>
/usr/lib/beyondtrust/pb/libgssapi_krb5.so.2.2
/usr/lib/beyondtrust/pb/libk5crypto.so <symbolic link>
/usr/lib/beyondtrust/pb/libk5crypto.so.3 <symbolic link>
/usr/lib/beyondtrust/pb/libk5crypto.so.3.1
/usr/lib/beyondtrust/pb/libkrb5.so <symbolic link>
/usr/lib/beyondtrust/pb/libkrb5.so.3 <symbolic link>
/usr/lib/beyondtrust/pb/libkrb5.so.3.3
/usr/lib/beyondtrust/pb/libkrb5support.so <symbolic link>
/usr/lib/beyondtrust/pb/libkrb5support.so.0 <symbolic link>
/usr/lib/beyondtrust/pb/libkrb5support.so.0.1
/usr/lib/beyondtrust/pb/liblber-2.4.so <symbolic link>
/usr/lib/beyondtrust/pb/liblber-2.4.so.2 <symbolic link>
/usr/lib/beyondtrust/pb/liblber-2.4.so.2.10.3
/usr/lib/beyondtrust/pb/libLDAP-2.4.so <symbolic link>
/usr/lib/beyondtrust/pb/libLDAP-2.4.so.2 <symbolic link>
/usr/lib/beyondtrust/pb/libLDAP-2.4.so.2.10.3
/usr/lib/beyondtrust/pb/libssl.so <symbolic link>
/usr/lib/beyondtrust/pb/libssl.so.1 <symbolic link>
/usr/lib/beyondtrust/pb/libssl.so.1.0.0
/usr/lib/beyondtrust/pb/pam_radius_auth.so <symbolic link>
/usr/lib/beyondtrust/pb/pam_radius_auth.so.1 <symbolic link>
/usr/lib/beyondtrust/pb/pam_radius_auth.so.1.3.17
[ verifying class <none> ]
## Executing postinstall script.
Checking installation of package: BTPBlibs
Installation of <BTPBlibs> was successful.
# pkgadd -a BTPBadmin -d BTPBsbmh.ds BTPBsbmh
Processing package instance <BTPBsbmh> from </opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/package/BTPBsbmh.ds>
BeyondTrust PowerBroker Submit Host - Root Delegation and Privilege Management (x86) 9.4.3-18
## Executing checkinstall script.
Using </> as the package base directory.
## Processing package information.
## Processing system information.
1 package pathname is already properly installed.
## Verifying package dependencies.
## Verifying disk space requirements.
Installing BeyondTrust PowerBroker Submit Host - Root Delegation and Privilege Management as <BTPBsbmh>
## Executing preinstall script.
## Installing part 1 of 1.
/opt/pbul/scripts/pbrnscfg.sh
/usr/lib/secure/64/libpbul_aca-elf64.so
/usr/lib/secure/libpbul_aca-elf32.so
/usr/local/bin/pbbench
/usr/local/bin/pbcall
/usr/local/bin/pbksh
/usr/local/bin/pbrun
/usr/local/bin/pbrunssh
/usr/local/bin/pbsh
/usr/local/bin/pbssh
/usr/local/man/man1/pbbench.1
/usr/local/man/man1/pbrun.1
/usr/local/man/man1/pbssh.1
/usr/local/man/man8/pbclienthost_uuid.8
/usr/local/man/man8/pbcreatesolcfgpkg.8
/usr/local/man/man8/pbdbutil.8
/usr/local/man/man8/pbencode.8
/usr/local/man/man8/pbinstall.8
/usr/local/man/man8/pbregister.8
/usr/local/man/man8/pbsum.8
/usr/local/man/man8/pbulpreinstall.sh.8
/usr/local/man/man8/pbversion.8
/usr/sbin/pbclienthost_uuid
/usr/sbin/pbdbutil
/usr/sbin/pbencode
/usr/sbin/pbregister
/usr/sbin/pbsnapshot.sh
/usr/sbin/pbsum
/usr/sbin/pbulpreinstall.sh
/usr/sbin/pbversion
[ verifying class <none> ]
## Executing postinstall script.
Checking installation of package: BTPBsbmh
Installation of <BTPBsbmh> was successful.
# pkgadd -a BTPBadmin -d BTPBrunh.ds BTPBrunh
Processing package instance <BTPBrunh> from </opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/package/BTPBrunh.ds>
BeyondTrust PowerBroker Run Host - Root Delegation and Privilege Management (x86) 9.4.3-18
## Executing checkinstall script.
Using </> as the package base directory.
## Processing package information.
## Processing system information.
25 package pathnames are already properly installed.
## Verifying package dependencies.
## Verifying disk space requirements.
Installing BeyondTrust PowerBroker Run Host - Root Delegation and Privilege Management as <BTPBrunh>
## Executing preinstall script.
## Installing part 1 of 1.
/usr/local/bin/pbless
/usr/local/bin/pbmg
/usr/local/bin/pbnvi
/usr/local/bin/pbumacs
/usr/local/bin/pbvi
/usr/local/man/man1/pbless.1
/usr/local/man/man1/pbmg.1
/usr/local/man/man1/pbnvi.1
/usr/local/man/man1/pbumacs.1
/usr/local/man/man1/pbvi.1
/usr/local/man/man8/pblocald.8
/usr/sbin/pblocald
[ verifying class <none> ]
## Executing postinstall script.
Checking installation of package: BTPBrunh
Installation of <BTPBrunh> was successful.
Installing the configuration package using the pkgadd command
This section shows the execution of the Solaris pkgadd command to install the configuration package. Following installation of the configuration package, the installation is verified by submitting the id command to Endpoint Privilege Management for Unix and Linux, and the Solaris pkginfo utility is used to list the Endpoint Privilege Management for Unix and Linux packages that are installed.
The execution text also includes copyright, trademark, trade secrets, and other legal text; however, those notices and text were removed from the following excerpt to save space:
Example
# cd /opt/acpkg/powerbroker/v9.4/pbul_solaris9-10.x86_9.4.3-18/install
# pkgadd -a ./BTPBadminCLIENT1 -d BTPBcfCLIENT1.ds BTPBcfCLIENT1
Processing package instance <BTPBcfCLIENT1> from </opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/BTPBcfCLIENT1.ds>
BeyondTrust PowerBroker Unix/Linux Configuration - Root Delegation and Privilege Management (noarch) 9.4.3-18
BeyondTrust PowerBroker Unix/Linux
## Executing checkinstall script.
Checking installation of dependent component packages...
## Processing package information.
## Processing system information.
6 package pathnames are already properly installed.
## Verifying package dependencies.
## Verifying disk space requirements.
Installing BeyondTrust PowerBroker Unix/Linux Configuration - Root Delegation and Privilege Management as <BTPBcfCLIENT1>
## Executing preinstall script.
## Installing part 1 of 1.
/etc/init.d/sypbcfg_svcsinetdsmf
/etc/pb.cfg
/etc/pb.key
/etc/pb.settings
/etc/rc2.d/S99sypbcfg_pbpatton
/etc/rc2.d/S99sypbcfg_svcsinetdsmf <symbolic link>
/var/adm/pbksh.log
/var/adm/pblocald.log
/var/adm/pbsh.log
[ verifying class <none> ]
## Executing postinstall script.
Checking installation of package: BTPBcfCLIENT1
'pkgchk' of package BTPBcfCLIENT1 succeeded
Reading pb.cfg...
Checking installation of dependent component packages...
'pkgchk' of package BTPBlibs succeeded
'pkgchk' of package BTPBsbmh succeeded
'pkgchk' of package BTPBrunh succeeded
Looking for SuperDaemons to configure...
Finished looking for SuperDaemons to configure...
Removing PowerBroker service definitions (if any) from /etc/inet/services.
Adding PowerBroker service definitions to /etc/inet/services.
Removing any PowerBroker definitions from SuperDaemon inetd file /etc/inet/inetd.conf
Adding PowerBroker definitions to SuperDaemon configurations /etc/inet/inetd.conf.
Reloading SuperDaemon Configurations...
Done Reloading SuperDaemon Configurations...
Updating Settings in database (if any)...
Installation of <BTPBcfCLIENT1> was successful.
# pkginfo | grep BTPB
application BTPBcfCLIENT1 BeyondTrust PowerBroker Unix/Linux Configuration - Root Delegation and Privilege Management
application BTPBlibs BeyondTrust PowerBroker Shared Libraries - Root Delegation and Privilege Management
application BTPBrunh BeyondTrust PowerBroker Run Host - Root Delegation and Privilege Management
application BTPBsbmh BeyondTrust PowerBroker Submit Host - Root Delegation and Privilege Management
Sample of the Uninstall Process from a Package Installation
This section shows the execution of the Solaris pkgrm utility to remove the Endpoint Privilege Management for Unix and Linux packages.
Example
# cd /opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.sparc_9.4.3-06/install
# pkgrm -na ./BTPBadminCLIENT1 BTPBcfCLIENT1 BTPBsbmh BTPBrunh BTPBlibs
Reading pb.cfg...
Looking for SuperDaemons to configure...
Finished looking for SuperDaemons to configure...
Removing PowerBroker service definitions (if any) from /etc/inet/services.
Removing any PowerBroker definitions from SuperDaemon inetd file /etc/inet/inetd.conf
Reloading SuperDaemon Configurations...
Done Reloading SuperDaemon Configurations...
Removal of <BTPBcfCLIENT1> was successful.
Removal of <BTPBsbmh> was successful.
Removal of <BTPBrunh> was successful.
Removal of <BTPBlibs> was successful.
Linux package installer
This section describes how to install Endpoint Privilege Management for Unix and Linux using a package installer for Red Hat Enterprise Linux (RHEL) 4 or 5 on an x86, x86_64, ia64, or S/390 computer. Use the Linux package installation if you want to install Endpoint Privilege Management for Unix and Linux using the Linux RPM package manager.
The Endpoint Privilege Management for Unix and Linux Linux package installer that is described here is not compatible with the BeyondTrust Endpoint Privilege Management v5.x packages. You must remove the BeyondTrust Endpoint Privilege Management v5.x packages before installing the Endpoint Privilege Management for Unix and Linux Linux packages.
Prerequisites
To use the Linux package installer, you must have the following:
- Package tarball file for the appropriate Endpoint Privilege Management for Unix and Linux flavor
Note
For the Endpoint Privilege Management for Unix and Linux Linux package installer, the tarball files are cumulative. That is, an update tarball file contains a complete Endpoint Privilege Management for Unix and Linux installation. It is not necessary to install a baseline version of Endpoint Privilege Management for Unix and Linux before installing an upgrade.
- Root access or superuser privileges
- RPM Package Manager (rpm) v4.4 or later
Note
The Endpoint Privilege Management for Unix and Linux Linux package installer does not support prefix or suffix installations.
Plan your installation
When preparing to use the Endpoint Privilege Management for Unix and Linux package installer, you should be familiar with the following concepts and restrictions:
Component packages: an Endpoint Privilege Management for Unix and Linux component package is an RPM package manager (.rpm) file that installs a part of the Endpoint Privilege Management for Unix and Linux application. The Endpoint Privilege Management for Unix and Linux component packages are listed below with the format powerbroker-component-v.v.r.bb-pv.arch.rpm, where:
- component = Endpoint Privilege Management component package name
- v = major version
- v = minor version
- r = release
- bb = build
- pv = version number of the package
- arch = architecture (for example, i386)
Component Package | Description |
---|---|
powerbroker-loghost-v.v.r.bb-pv.arch.rpm | Contains log host, pbsync, and pbsyncd. |
powerbroker-shlibs-v.v.r.bb-pv.arch.rpm | Contains shared libraries. |
powerbroker-pbrest-v.v.r.bb-pv.arch.rpm | Contains REST API files. |
powerbroker-rnssvr-v.v.r.bb-pv.arch.rpm | Contains Registry Name Service files. |
powerbroker-licsvr-v.v.r.bb-pv.arch.rpm | Contains license server files. |
powerbroker-master-v.v.r.bb-pv.arch.rpm | Contains policy server host, pbsync, and pbsyncd. |
powerbroker-submithost-v.v.r.bb-pv.arch.rpm | Contains submit host and Endpoint Privilege Management for Unix and Linux shells. |
powerbroker-runhost-v.v.r.bb-pv.arch.rpm | Contains run host and Endpoint Privilege Management for Unix and Linux utilities. |
Which component packages are required depends on the type of Endpoint Privilege Management for Unix and Linux host you create, such as policy server host, submit host, and so on. You can select the types of Endpoint Privilege Management for Unix and Linux hosts in the pbinstall installation menu, as shown in the following table. For readability the ending of each component in the table (-v.v.r.bb-pv.arch.rpm) is removed.
Menu Selection | Required Components (-v.v.r.bb-pv.arch.rpm) |
---|---|
Install everything here (demo mode)? = Yes | powerbroker-master powerbroker-runhost powerbroker-submithost powerbroker-loghost powerbroker-guihost powerbroker-shlibs |
Install Master Host? = Yes | powerbroker-master |
Install Run Host? = Yes | powerbroker-runhost |
Install Submit Host? = Yes | powerbroker-submithost |
Install Log Host? = Yes | powerbroker-loghost |
Install BeyondTrust built-in third-party libraries? = Yes | powerbroker-shlibs |
Install Registry Name Services Server? [yes] | powerbroker-rnssvr |
Install License Server? [yes] | powerbroker-licsvr |
Configuration package: RPM package that is used to install the following files:
- pb.settings: Hardcoded target location /etc/pb.settings
- pb.cfg: Hardcoded target location /etc/pb.cfg
- All the encryption keyfiles defined for networkencryption, eventlogencryption, iologencryption, reportencryption, policyencryption, and restkeyencryption
- By default, two key files are created: pb.key and pb.rest.key
- The sysadmin can define multiple encryption settings with different keyfiles in locations other than /etc. To upgrade and retain settings on the target machine, view all encryption settings in /etc/pb.settings and copy the files to the settings_files directory before running pbinstall -z and pbcreate*cfgpkg.
- If installing a Cached Policy client, copy the policypubcertfile (default=/etc/pbpolicypubcert.pem) from the policy server to the settings_files directory before running pbinstall -z and pbcreate*cfgpkg.
- pb.conf (for policy server hosts)
- Man pages for the pbinstall and pbcreatelincfgpkg programs
The Endpoint Privilege Management for Unix and Linux configuration package is created by the pbcreatelincfgpkg program. The component packages must be installed before you install the configuration package.
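The key file inventory called for in both configuration package file lists (the Solaris upgrade notes and the Linux list above) can be scripted. The following is an added example, not BeyondTrust code: it assumes each encryption setting in pb.settings is a line of the form `<setting> <algorithm>:keyfile=<path>`, optionally with further `:option` fields and additional space-separated specs, and the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not BeyondTrust code. Assumed pb.settings line layout:
#   <setting> <algorithm>:keyfile=<path>[:<option>...] [<algorithm>:keyfile=<path> ...]
# The setting names are the ones listed on this page.
# On Solaris the legacy /usr/bin/awk may not accept -v; use nawk or /usr/xpg4/bin/awk.
ENC_SETTINGS='networkencryption eventlogencryption iologencryption reportencryption policyencryption restkeyencryption'

# list_keyfiles SETTINGS_FILE
# Print each distinct key file path referenced by an encryption setting.
list_keyfiles() {
    awk -v names="$ENC_SETTINGS" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        /^[ \t]*#/ { next }                       # comment line
        ($1 in want) {
            for (f = 2; f <= NF; f++) {           # one field per algorithm spec
                m = split($f, part, ":")
                for (p = 1; p <= m; p++)
                    if (part[p] ~ /^keyfile=/) print substr(part[p], 9)
            }
        }' "$1" | sort -u
}

# stage_keyfiles SETTINGS_FILE DEST_DIR
# Copy every referenced key file into DEST_DIR, keeping its mode (cp -p).
# Prints one STAGED / MISSING / COLLISION / FAILED line per key file and
# returns 1 when the staged set is incomplete. A COLLISION means two settings
# point at different paths with the same file name, so one copy would
# overwrite the other in the flat settings_files directory.
stage_keyfiles() {
    rc=0
    seen=' '
    while IFS= read -r kf; do
        [ -n "$kf" ] || continue
        base=$(basename "$kf")
        case "$seen" in
            *" $base "*) echo "COLLISION $kf"; rc=1; continue ;;
        esac
        seen="$seen$base "
        if [ ! -f "$kf" ]; then
            echo "MISSING $kf"; rc=1
        elif cp -p "$kf" "$2/$base"; then
            echo "STAGED $kf"
        else
            echo "FAILED $kf"; rc=1
        fi
    done <<EOF
$(list_keyfiles "$1")
EOF
    return $rc
}

# Demo on constructed files in a scratch directory; nothing under /etc is touched.
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/etc" "$work/keys" "$work/settings_files"
    echo 'constructed key 1' > "$work/etc/pb.key"
    echo 'constructed key 2' > "$work/etc/pb.rest.key"
    chmod 600 "$work/etc/pb.key" "$work/etc/pb.rest.key"
    cat > "$work/etc/pb.settings" <<EOF
# constructed sample settings, not a real configuration
networkencryption aes-256:keyfile=$work/etc/pb.key
restkeyencryption aes-256:keyfile=$work/etc/pb.rest.key
iologencryption aes-256:keyfile=$work/keys/iolog.key
eventlogencryption none
EOF
    stage_keyfiles "$work/etc/pb.settings" "$work/settings_files"
    st=$?
    ls -l "$work/settings_files"
    rm -rf "$work"
    return $st
}

# With two arguments: stage_keyfiles <pb.settings path> <settings_files directory>.
# With none: run the demo, which reports the deliberately absent iolog.key.
if [ $# -eq 2 ]; then
    stage_keyfiles "$1" "$2"
else
    demo || echo 'staging incomplete: resolve the lines above before building the package'
fi
```

Run it before pbinstall -z so that a MISSING or COLLISION line is resolved while the existing installation is still available to copy from.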
Package name: Name of the package as stored in the RPM package manager database. For Endpoint Privilege Management for Unix and Linux package installations, this name is the same as the package file name without the .arch.rpm extension.
Relocated base directory: The directory where the Endpoint Privilege Management for Unix and Linux binary files and log files are installed. You can choose an alternative directory in which to install these files.
pbinstall program: To create the Endpoint Privilege Management for Unix and Linux settings files, you use the pbinstall program with the -z (settings only) option. pbinstall -z only creates the settings files, and is incompatible with the following command line options:
Options Incompatible with pbinstall -z | Description |
---|---|
-b | Runs pbinstall in batch mode. |
-c | Skip the steps that process or update the Endpoint Privilege Management for Unix and Linux settings file. |
-e | Runs install script automatically by bypassing the menu step of pbinstall. |
-i | Ignores previous pb.settings and pb.cfg files. |
-p | Sets the pb installation prefix. |
-s | Sets the pb installation suffix. |
-u | Installs the utility programs. |
-x | Creates a log synchronization host (installs pbsyncd). |
When you execute pbinstall with the -z option, you can see two menu items that are not otherwise available:
- Enter existing pb.settings path: This enables you to specify your own pb.settings file. pbinstall reads this settings file and populates the remaining menu choices. You can override some menu choices. If set to none, then pbinstall does not read a settings file. The remaining menu choices are populated with default values.
- Enter directory path for settings file creation: This enables you to specify an alternative output directory for the settings files. The default directory is /unzip-dir/powerbroker/v/install/settings_files, where unzip-dir is the directory where the package tarball file was unzipped.
The behavior of pbinstall -z depends on whether certain additional command line options are specified:
- If no other command line options are specified, pbinstall initially presents a short version of the installation menu. Depending on the choices you make in these items, further menu items become available.
- If command line options -g, -l, -m, -o, -r, or -w are specified, pbinstall presents an expanded version of the installation menu that reflects the host types that you are configuring.
When running pbinstall with the -z option, the following menu items are preprogrammed and cannot be changed:
- Install man pages?
- Endpoint Privilege Management daemon location
- Administration programs location
- User programs location
- GUI library directory
- Policy include (sub) file directory
- User man page location
- Admin man page location
- Policy filename
- BeyondTrust built-in third-party library directory
In addition, the values of the following menu items determine the values of other menu items:
Options Preset When Running pbinstall -z
Setting this menu option to Yes | Sets these values to Yes |
---|---|
Install Master Host? | Install Synchronization? Synchronization can be initiated from this host? |
Install Run Host? | Install Utilities? |
Install Submit Host? | Install PBSSH? Install pbksh? Install pbsh? Will this host use a Log Host? |
Install Log Host? | Install Synchronization? Synchronization can be initiated from this host? |
Note
If you plan to use the package installer to install Endpoint Privilege Management for Unix and Linux on a computer that already has an interactive Endpoint Privilege Management for Unix and Linux installation on it, see Interactive Versus Packaged Installation for additional considerations.
If you plan to use Registry Name Service and are running pbinstall -z on a client host (non-primary server), you must perform client registration. This is necessary to properly set up the registry name service database. Client registration also requires that you collect from the Endpoint Privilege Management for Unix and Linux primary server the following information:
- REST Application ID
- REST Application Key
- Primary server network name or IP address
- Primary License Server REST TCP/IP port
- Registration Client Profile name
Registering client with Primary RNS: If Registry Name Services is enabled for Endpoint Privilege Management for Unix and Linux, each client host (after the first server installation) needs to be registered with the Primary Registry Name Server. When using package installers on a target host, a post-install configuration script (/opt/pbul/scripts/pbrnscfg.sh) is provided to be manually executed on that host to properly register it. This post-install configuration script asks for information about the Primary Registry Name Server, including the Application ID (appid), Application Key (appkey), address/domain name, and the REST TCP/IP port number. This is the same information provided during the client registration part of a pbinstall -z install which generates the settings file.
If you prefer a more convenient method of registering RNS clients, where the post-install configuration script is non-interactive, Endpoint Privilege Management for Unix and Linux can save the relevant information in a hidden file during the settings-only run of pbinstall, bundle it with the configuration package, and automatically apply it to the target host when that package is installed. This method is not secure; it is available if the security-convenience trade-off is acceptable. To enable it, refer to the question about the post-install configuration script that is displayed when you run pbinstall -z.
Overview of steps
Use of the Linux package installer involves the following steps:
- Unpack the Endpoint Privilege Management for Unix and Linux package tarball file.
- Use the pbinstall program to create Endpoint Privilege Management for Unix and Linux settings files.
- Use the pbcreatelincfgpkg program to create the Endpoint Privilege Management for Unix and Linux configuration package.
- Perform a package installation using the Linux rpm command for any required components.
- Perform a package installation using the Linux rpm command for the Endpoint Privilege Management for Unix and Linux configuration package.
- If Registry Name Service is enabled and you are installing on a non-primary server, run /opt/pbul/scripts/pbrnscfg.sh to register the host.
Installation procedure
To install Endpoint Privilege Management for Unix and Linux using the RPM package manager, do the following:
-
Extract the package tarball files into the /opt/beyondtrust/ directory by executing the following command:
tar xvfz pmul_<flavor_version>_pkg.tar.Z
-
Optional. The Endpoint Privilege Management for Unix and Linux Linux package files are digitally signed. You can verify that the packages are genuine by doing the following:
-
Go to www.beyondtrust.com, and click Support to display the Endpoint Privilege Management for Unix and Linux Downloads page.
-
In the Customers section, click Login. Use your customer user name and password to log in to the Endpoint Privilege Management for Unix and Linux Downloads page.
-
Click Digital Signature file for Linux RPM packages and download the tar file to the Linux computer.
-
Extract the key from the tar file.
-
Import the key to the RPM database with the following command:
rpm --import keyfile
keyfile is the file name of the key file.
-
Navigate to the /opt/beyondtrust/powerbroker///package/ directory.
-
Execute the following command:
rpm -K *.rpm
For each package, you should see output similar to the following:
powerbroker-master-6.2.0.11-1.i386.rpm: (sha1) dsa sha1 md5 gpg OK
The OK at the end of the line indicates that the package is genuine.
-
-
Navigate to the /opt/beyondtrust/powerbroker///install/ directory.
-
Execute the following command:
./pbinstall -z
You can include other options with the -z option. Use the -R option to specify an alternate base directory for installing the component packages.
pbinstall displays the Endpoint Privilege Management for Unix and Linux installation menu.
You are asked if you want to use client registration. If you plan to enable Registry Name Service, and install on a host that is not designated as a primary server, you must run client registration.
pbinstall then asks if you want to enable Registry Name Service.
-
Make your menu selections. Note that the Enter existing pb.settings path menu option enables you to specify your own pb.settings file to use. Also, the Enter directory path for settings file creation menu option enables you to specify where to save the generated settings files. These menu options are available only when running pbinstall with the -z option.
When the menu selection process is complete, pbinstall creates the following files in the specified location:
- pb.settings
- pb.cfg
- pb.key (if encryption is enabled)
- pb.conf (for policy server host)
- pbpolicykey.pem and pbpolicypubcert.pem (for Policy Server hosts with Cached Policy feature enabled)
-
Optional. For an Endpoint Privilege Management for Unix and Linux client, if client-server communications are to be encrypted, replace the generated pb.key file with the pb.key file from the policy server host. Also, copy any other required key files into the same directory.
Note
This step is automatically done if you choose to use client registration.
-
Required for Cached Policy client installation: Copy the policypubcertfile (default=/etc/pbpolicypubcert.pem) from the policy server to the settings_files directory.
-
Optional. For a policy server host, write a policy file (pb.conf) and place it in the directory with the other generated files. If you do not provide a pb.conf file, a pb.conf file with the single command reject; is generated and packaged.
Starting with v8.0, pbinstall -z can optionally install the default role-based policies and asks:
Installing default role-based policy pbul_policy.conf and pbul_functions.conf in <install_dir>/settings_files Would you like to use the default role-based policy in the configuration package?
- Answer Yes for new installs only.
- If you are upgrading an existing configuration package, to avoid overwriting your existing policy, answer No.
Use the default role-based policy [Y]?
- If you answer Yes, the default pb.conf, pbul_policy.conf and pbul_functions.conf files are created and installed on the policy server.
- If you plan to install over an existing installation, and have an existing policy in place, answer No.
-
Navigate to the /opt/beyondtrust/powerbroker///install/ directory.
-
Run the pbcreatelincfgpkg utility by typing:
pbcreatelincfgpkg -p suffix -s directory
- suffix is appended to the configuration package name; length can be up to 18 characters.
- directory contains the Endpoint Privilege Management for Unix and Linux settings and configuration files to include in the package.
The pbcreatelincfgpkg utility creates the Endpoint Privilege Management for Unix and Linux configuration package file, powerbroker-config-sv-pv.arch.rpm.
-
Navigate to the /opt/beyondtrust/powerbroker///package/ directory.
-
For each required component package, run the Linux rpm utility to install the component package by typing:
rpm -iv package-file
package-file is the name of the component package (.rpm) file. For example:
rpm -iv powerbroker-submithost-9.4.1.03-1.x86_64.rpm
Note
To install all component packages, type the following command:
rpm -iv *.rpm
-
Navigate to the /opt/beyondtrust/powerbroker///install/ directory.
-
Run the Linux rpm utility to install the Endpoint Privilege Management for Unix and Linux configuration package by typing:
rpm -iv package-file
package-file is the name of the configuration package (.rpm) file created in step 9.
-
Verify the installation of the packages by typing:
rpm -qa | grep powerbroker
-
If Registry Name Service is enabled and installed on a non-primary server, register the host with the Primary Registry Name Server using a post-install configuration script. Gather the Application ID, Application Key, network name or IP address, and REST TCP/IP port of the primary server, then run the script to register the host and follow the prompts:
/opt/pbul/scripts/pbrnscfg.sh
Note
For more information, see the following:
- For other options you can use with the pbinstall -z option, Plan your installation
- pblighttpd
- pbcreatelincfgpkg
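The optional signature check in the procedure above can be used as a gate in front of rpm -iv. The following is an added example, not BeyondTrust code: it reads rpm -K output and lists every package whose result is not OK or that reports digests only, because rpm also prints OK for a package that carries no signature. The function name and every sample line except the first are constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code): decide from `rpm -K` output whether the
# packages may be installed.

# Reads `rpm -K` output on stdin. Prints one line per package that fails the
# check and returns non-zero if there is at least one such package.
failed_sig_checks() {
    awk '
        {
            # Only lines of the form "<file>.rpm: <result>" are package results.
            if (!match($0, /\.rpm: /)) next
            pkg = substr($0, 1, RSTART + 3)
            res = substr($0, RSTART + 6)

            verified = (res ~ /(^| )OK$/) && (res !~ /NOT OK/)
            # Lowercase gpg/pgp/dsa/rsa (older rpm) or "signatures" (newer rpm)
            # means a signature was actually checked, not just a digest.
            has_sig = (res ~ /(^| )(gpg|pgp|dsa|rsa|signatures)( |$)/)

            if (!verified)     { print pkg ": verification failed"; bad++ }
            else if (!has_sig) { print pkg ": digests only, no signature"; bad++ }
        }
        END { exit (bad > 0) }
    '
}

# First line is the output shown in the procedure; the rest are constructed.
SAMPLE_RPM_K='powerbroker-master-6.2.0.11-1.i386.rpm: (sha1) dsa sha1 md5 gpg OK
constructed-unsigned-1.0-1.x86_64.rpm: sha1 md5 OK
constructed-nokey-1.0-1.x86_64.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK
constructed-newrpm-1.0-1.x86_64.rpm: digests signatures OK'

if printf '%s\n' "$SAMPLE_RPM_K" | failed_sig_checks; then
    echo "all packages carry a verified signature"
else
    echo "do not install: import the vendor key and re-check" >&2
fi

# On a real host:  rpm -K *.rpm | failed_sig_checks && rpm -iv *.rpm
```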
Remove EPM-UL packages
Removing the Endpoint Privilege Management for Unix and Linux packages completely uninstalls Endpoint Privilege Management for Unix and Linux from a computer.
To remove the Endpoint Privilege Management for Unix and Linux packages, type the following:
rpm -e config-package-name component-package-1 ... component-package-n
- config-package-name is the name of the package specified when the configuration package is installed. This package name is not required to come first in the list; rpm removes it first. However, if you remove packages with separate rpm processes, you must remove the configuration package first.
- component-package-1 through component-package-n are the names of the packages specified when the component packages are installed.
Example
rpm -e powerbroker-configPBUL941-9.4.1.03-1.x86_64 powerbroker-submithost-9.4.1.03-1.x86_64
Relocate the base directory
Using the RPM package management system you can set an alternative base directory for installing packages. With this feature, you can specify a directory to install the Endpoint Privilege Management for Unix and Linux binary files and log files in. Certain files, such as pb.settings, pb.cfg, and Endpoint Privilege Management for Unix and Linux key files, must be located in the /etc directory for Endpoint Privilege Management for Unix and Linux to run. These files are not relocatable.
To relocate the base directory from the default / (root) directory, do the following:
- On the target machine, create the target base directory if it does not already exist.
- When you run pbinstall, use the -R option and specify the new base directory.
- When installing the component packages, execute rpm with the --prefix option and specify the relocated directory.
Example
rpm -ivh --prefix /local/powerbroker powerbroker-runhost-9.4.1.03-1.x86_64.rpm
Note
The files that are installed by the configuration package cannot be relocated. Do not use the --prefix option when installing the configuration package.
Update EPM-UL with the Linux package installer
The Endpoint Privilege Management for Unix and Linux Linux package installer can be used to upgrade an existing Endpoint Privilege Management for Unix and Linux installation to a new version. The existing Endpoint Privilege Management for Unix and Linux version should have been installed with the Endpoint Privilege Management for Unix and Linux package installer.
Note
It is possible to use the Linux package installer to install Endpoint Privilege Management for Unix and Linux over an existing version that was installed with pbinstall. However, we do not recommend doing so because it can result in unused files from the existing version remaining in the file system.
Package upgrade considerations
Installing an upgrade with the Linux package installer is similar to using the Linux package installer to install Endpoint Privilege Management for Unix and Linux for the first time. Keep these considerations in mind when you prepare to upgrade:
- Technically, the Endpoint Privilege Management for Unix and Linux Linux packages are upgrade packages, as opposed to update packages. An upgrade package installs the new files before removing the existing files and registering the new version number in the RPM database.
- An Endpoint Privilege Management for Unix and Linux Linux upgrade package contains a complete Endpoint Privilege Management for Unix and Linux installation, rather than simply the files that have changed since the previous release.
- If you have more than one Endpoint Privilege Management for Unix and Linux package on a computer, upgrade all packages on that computer.
- A newer release can introduce features that use new settings or configurations. In that case, an upgrade of the Endpoint Privilege Management for Unix and Linux configuration package is also needed.
- Unlike Endpoint Privilege Management for Unix and Linux patches that are installed with pbpatchinstall, upgrade packages cannot be rolled back to a previous release. However, you can install an older package over a newer one, effectively rolling back to the older release.
Package upgrade procedure
Follow this procedure to upgrade your installation of Endpoint Privilege Management for Unix and Linux using the Linux package installer:
-
Obtain the tarball file for the Linux upgrade packages that are appropriate for your hardware. The tarball file name has the format pmul_-v.v.r-bb-pn_pkg.tar.Z.
- indicates the operating system and hardware architecture.
- v.v.r is the major and minor version number and the release number.
- bb is the build number.
- n is the update number.
-
Extract the package tarball files into the /unzip-dir/ directory by executing the following command:
tar xvfz pmul_<flavor_version>_pkg.tar.Z
-
Navigate to the /unzip-dir/powerbroker/v//install/ directory
-
Create the settings_files directory and change directory to that location.
-
To retain or correctly update the settings of the current installation, copy the following files from the target installation host into the settings_files directory you created in step 4:
- /etc/pb.settings
- /etc/pb.cfg
- encryption keys defined in pb.settings for networkencryption, eventlogencryption, iologencryption, reportencryption, policyencryption, and restkeyencryption settings (if enabled)
Note
In a default installation, there are typically 2 key files created: pb.key and pb.rest.key.
- policy file defined in policyfile setting in pb.settings (if the target installation is a Policy Server)
Note
In a default installation, the policy file is located in /opt/pbul/policies/pb.conf.
- For Cached Policy clients: policypubcertfile (default=/etc/pbpolicypubcert.pem)
- Execute the following command and verify the installation settings:
./pbinstall -z
- Create the upgrade configuration package by running the pbcreatelincfgpkg utility:
pbcreatelincfgpkg -p suffix
Use the current suffix of the installation to be upgraded. Use the suffix you provided during the initial package installation in step 9 of the Installation Procedure.
Another way to find the suffix is to run the following command on the target installation host to get the list of packages installed:
rpm -qa | grep powerbroker
Identify the suffix of the Endpoint Privilege Management for Unix and Linux configuration package using this format:
powerbroker-config<suffix>-<version>.noarch
- Navigate to the /unzip-dir/powerbroker/v//package/ directory.
- Use the Linux rpm utility to upgrade the component packages by typing:
rpm -Uv package-file-1 package-file-2...
package-file-n is the name of a component package (.rpm) file.
rpm -Uv powerbroker-submithost-9.4.1.03-1.p2-1.x86_64.rpm powerbroker-runhost-9.4.1.03-1.p2-1.x86_64.rpm
- Navigate to the /unzip-dir/powerbroker///install/ directory.
- Run the Linux rpm utility to install the Endpoint Privilege Management for Unix and Linux configuration package by typing:
rpm -Uv package-file
package-file is the name of the configuration package (.rpm) file created in step 12. Verify the installation of the packages by typing:
rpm -qa | grep powerbroker
Revert to a previous version
Unlike Endpoint Privilege Management for Unix and Linux patches that are installed with pbpatchinstall, upgrade packages cannot be rolled back to a previous release. However, you can install an older package over a newer one, effectively rolling back to the older release. To install older packages over newer ones, use the following command:
rpm -Uv --oldpackage package-file-1 package-file-2...
This command restores the previous release. Repeat the command to restore earlier releases. To restore a single package per rpm command, add the --replacepkgs option.
Upgrade the configuration package
When upgrading the configuration package (cfg pkg), settings and configuration files that are part of the package might need to be copied from the existing installation to the staging host.
Files included in the cfg package:
-
pb.settings: Hardcoded target location /etc/pb.settings.
-
pb.cfg: Hardcoded target location /etc/pb.cfg.
-
All the encryption key files defined for networkencryption, eventlogencryption, iologencryption, reportencryption, policyencryption, and restkeyencryption. By default, two key files are typically created:
- pb.key
- pb.rest.key
The sysadmin can define encryption with different key files in locations other than /etc. Therefore, when upgrading, and to retain what is installed on the target machine, look at all the encryption settings in /etc/pb.settings. Copy the settings to the settings_files directory before running pbinstall -z and pbcreate*cfgpkg.
-
Policy file if the target is a policy server.
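The upgrade procedure and the list above both depend on finding every key file that pb.settings refers to, including ones outside /etc. The following is an added example, not part of the product: it lists the files named by the six encryption settings, policyfile and policypubcertfile, and reports which of them have no copy in the settings_files staging directory. It assumes pb.settings holds one "keyword value" pair per line with # starting a comment; the function names and the sample settings are constructed.

```shell
#!/bin/sh
# Added example. Assumes pb.settings holds one "keyword value" pair per line,
# "#" starts a comment, and key files appear as keyfile=<path> inside the value.

# Print every file the settings file points at that the upgrade must stage.
referenced_files() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            key = tolower($1)
            if (key ~ /^(network|eventlog|iolog|report|policy|restkey)encryption$/) {
                rest = $0
                # One setting can name several algorithms, each with its own key file.
                while (match(rest, /keyfile=[^ \t:,"]+/)) {
                    print substr(rest, RSTART + 8, RLENGTH - 8)
                    rest = substr(rest, RSTART + RLENGTH)
                }
            } else if (key == "policyfile" || key == "policypubcertfile") {
                gsub(/"/, "", $2)
                print $2
            }
        }' "$1" | sort -u
}

# Print the referenced files that have no copy (by base name) in the staging
# directory. $1 = pb.settings from the target host, $2 = settings_files directory.
missing_from_staging() {
    referenced_files "$1" | while IFS= read -r path; do
        [ -e "$2/$(basename "$path")" ] || printf '%s\n' "$path"
    done
}

# Constructed sample: two key files and a policy file are referenced, but only
# pb.key has been copied into the staging directory so far.
demo() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/settings_files"
    cat > "$dir/pb.settings" <<'EOF'
# constructed sample, not a real configuration
networkencryption   aes-256:keyfile=/etc/pb.key
restkeyencryption   aes-256:keyfile=/etc/pb.rest.key
iologencryption     none
policyfile          /opt/pbul/policies/pb.conf
EOF
    : > "$dir/settings_files/pb.key"
    missing_from_staging "$dir/pb.settings" "$dir/settings_files"
    rm -rf "$dir"
}

demo
```

Run missing_from_staging against the copied pb.settings before pbinstall -z; an empty result means every referenced file is staged.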
Sample Execution for the Linux Package Installer
The sample execution shows the installation of an Endpoint Privilege Management for Unix and Linux submit host, run host, and shared libraries using the Endpoint Privilege Management for Unix and Linux Linux package installer.
This sample execution is divided into the following parts:
- Generate the Endpoint Privilege Management for Unix and Linux settings files.
- Create the Endpoint Privilege Management for Unix and Linux configuration package using the pbcreatelincfgpkg program.
- Install the component packages using the rpm command.
- Install the configuration package using the rpm command.
Generate the EPM-UL settings files
This section of the execution shows the generation of the Endpoint Privilege Management for Unix and Linux settings files (pb.key, pb.cfg, and pb.settings) and also displays the Endpoint Privilege Management for Unix and Linux installation menu. This output was generated using the pbinstall program with the options: -z, -l, and -r:
Example
# ./pbinstall -zlr
Starting pbinstall main() from /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/.
linux.x86-64
Endpoint Privilege Management for Unix and Linux Settings File Generation
Please read the Endpoint Privilege Management for Unix and Linux Installation Instructions before proceeding.
Checking MANIFEST against release directory
Press return to continue
The Registry Name Service of Endpoint Privilege Management for Unix and Linux facilitates location of other services within the EPM-UL enterprise with the aid of a centralized data repository.
IMPORTANT: client registration is required if this is not the Primary Server and you intend to use Registry Name Services.
Do you wish to utilize Registry Name Service? [yes]? no
BeyondTrust Endpoint Privilege Management for Unix and Linux Installation Menu
Opt Description [Value]
1 Install Everything Here (Demo Mode)? [no]
2 Install License Server? [no]
3 Install Registry Name Services Server? [no]
4 Install Client Registration Server? [no]
5 Install Policy Server Host? [yes]
6 Install Run Host? [yes]
7 Install Submit Host? [yes]
8 Install PBSSH? [yes]
10 Install Log Host? [yes]
11 Enable Logfile Tracking and Archiving? [yes]
12 Is this a Log Archiver Storage Server? [no]
13 Is this a Log Archiver Database Server? [no]
14 Install File Integrity Monitoring Polic... [no]
15 Install REST Services? [yes]
16 List of License Servers [*]
19 Path to Password Safe 'pkrun' binary []
23 Install Synchronization program? [yes]
25 Install Secure GUI Host? [yes]
26 Install Utilities: pbvi, pbnvi, pbmg, p... [yes]
27 Install pbksh? [yes]
28 Install pbsh? [yes]
29 Install man pages? [no]
30 Will this host use a Log Host? [yes]
31 AD Bridge Integration? [no]
37 Integration with BeyondInsight? [no]
55 Synchronization program can be initiate... [yes]
56 Daemons location [/usr/sbin]
57 Number of reserved spaces for submit pr... [80]
58 Administration programs location [/usr/sbin]
59 User programs location [/usr/local/bin]
60 GUI library directory [/usr/local/lib/pbbuilder]
61 Policy include (sub) file directory [/opt/pbul/policies]
62 Policy file name [/opt/pbul/policies/pb.conf]
65 Log Archive Storage Server name []
67 Log Archiver Database Server name []
69 Logfile Name Cache Database file path? [/opt/pbul/dbs/pblogcache.db]
70 REST Service installation directory? [/usr/lib/beyondtrust/pb/rest]
71 Install REST API sample code? [no]
73 Pblighttpd user [pblight]
75 Pblighttpd user UID []
76 Pblighttpd user GID []
78 Configure systemd? [yes]
79 Command line options for pbmasterd [-ar]
80 Policy Server Delay [500]
81 Policy Server Protocol Timeout [-1]
82 pbmasterd diagnostic log [/var/log/pbmasterd.log]
83 Eventlog filename [/var/log/pb.eventlog]
84 Configure eventlog rotation via size? []
85 Configure eventlog rotation path? []
86 Configure eventlog rotation via cron? [no]
87 Validate Submit Host Connections? [no]
88 List of Policy Servers to submit to [kandor]
89 pbrun diagnostic log? [none]
90 pbssh diagnostic log? [none]
91 Allow Local Mode? [yes]
92 Additional secured task checks? [no]
93 Suppress Policy Server host failover er... [yes]
94 List of Policy Servers to accept from [kandor]
95 pblocald diagnostic log [/var/log/pblocald.log]
96 Command line options for pblocald []
97 Syslog pblocald sessions? [no]
98 Record PTY sessions in utmp/utmpx? [yes]
99 Validate Policy Server Host Connections? [no]
100 List of Log Hosts [kandor]
101 Command line options for pblogd []
102 Log Host Delay [500]
103 Log Host Protocol Timeout [-1]
104 pblogd diagnostic log [/var/log/pblogd.log]
105 List of log reserved filesystems [none]
106 Number of free blocks per log system fi... [0]
107 Command line options for pbsyncd []
108 Sync Protocol Timeout [-1]
109 pbsyncd diagnostic log [/var/log/pbsyncd.log]
110 pbsync diagnostic log [/var/log/pbsync.log]
111 pbsync sychronization time interval (in... [15]
112 Add installed shells to /etc/shells [no]
113 pbksh diagnostic file [/var/log/pbksh.log]
114 pbsh diagnostic file [/var/log/pbsh.log]
115 Stand-alone pblocald command [none]
116 Stand-alone root shell default iolog [/pbshell.iolog]
121 Use syslog? [yes]
122 Syslog facility to use? [LOG_AUTHPRIV]
123 Base Daemon port number [24345]
124 pbmasterd port number [24345]
125 pblocald port number [24346]
126 pblogd port number [24347]
129 pbsyncd port number [24350]
130 REST Service port number [24351]
131 Add entries to '/etc/services' [yes]
132 Allow non-reserved port connections [yes]
133 Inbound Port range [1025-65535]
134 Outbound Port range [1025-65535]
137 Network encryption options [aes-256:keyfile=/etc/pb.key]
138 Event log encryption options [none]
139 I/O log encryption options [none]
140 Report encryption options [none]
141 Policy file encryption options [none]
142 Settings file encryption type [none]
143 REST API encryption options [aes-256:keyfile=/etc/pb.re...]
144 Configure with Kerberos v5? [no]
150 Enforce High Security Encryption? [yes]
151 Use SSL? [yes]
152 SSL Configuration? [requiressl]
153 SSL pbrun Certificate Authority Directory? [none]
154 SSL pbrun Certificate Authority File? [none]
155 SSL pbrun Cipher List? [HIGH:!SSLv2:!3DES:!MD5:@ST…]
156 SSL pbrun Certificate Directory? [none]
157 SSL pbrun Certificate File? [none]
158 SSL pbrun Private Key Directory? [none]
159 SSL pbrun Private Key File? [none]
160 SSL pbrun Certificate Subject Checks? [none]
161 SSL Server Certificate Authority Direct... [none]
162 SSL Server Certificate Authority File? [none]
163 SSL Server Cipher List? [HIGH:!SSLv2:!3DES:!MD5:@ST...]
164 SSL Server Certificate Directory? [none]
165 SSL Server Certificate File? [/etc/pbssl.pem]
166 SSL Server Private Key Directory? [none]
167 SSL Server Private Key File? [/etc/pbssl.pem]
168 SSL Server Certificate Subject Checks? [none]
169 SSL Certificate Country Code [US]
170 SSL Certificate State/Province [AZ]
171 SSL Certificate Location (Town/City) [Phoenix]
172 SSL Certificate Organizational Unit/Dep... [Security]
173 SSL Certificate Organization [BeyondTrust]
174 Configure Privilege Management for Unix... [no]
175 Install BeyondTrust built-in third-part... [yes]
176 BeyondTrust built-in third-party librar... [/usr/lib/beyondtrust/pb]
188 Use PAM? [no]
196 Allow Remote Jobs? [yes]
197 UNIX Domain Socket directory [none]
198 Reject Null Passwords? [no]
199 Enable TCP keepalives? [no]
200 Name Resolution Timeout [0]
N for the next menu page, P for the previous menu page, C to continue, X to exit
Please enter a menu option [For technical support call 1-800-234-9072]> c
Generating key file /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/settings_files/pb.key...
Are all the installation settings correct [yes]?
Generating config file /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/settings_files/pb.cfg
Creating the settings file creation script
Backed up existing settings file creation script to: '/opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/pbcreatesettingsfile.ctime.Feb_13_16:28'
Running settings file creation script
Creating settings file /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/settings_files/pb.settings
Generated settings files are in directory: /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/settings_files
Endpoint Privilege Management for Unix and Linux Settings File Generation completed successfully.
Create the EPM-UL configuration package using pbcreatelincfgpkg
This section shows the creation of the Endpoint Privilege Management for Unix and Linux configuration package using the pbcreatelincfgpkg program with the -p and -s options.
Note
At the end of its output, the pbcreatelincfgpkg script shows which Endpoint Privilege Management for Unix and Linux component packages need to be installed.
Example
# ./pbcreatelincfgpkg -p CLIENTPAKU -s /opt/final/powerbroker/v9.4/CLIENTPAKU_settings_files
pbcreatelincfgpkg: starting from /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install
pbcreatelincfgpkg: keyfile pb.key will be included in package
Reading /opt/final/powerbroker/v9.4/CLIENTPAKU_settings_files/pb.cfg
pbcreatelincfgpkg: making PowerBroker Linux configuration package . . .
Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.kq2x6j
+ umask 022
+ cd /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/rpmbuild/BUILD
+ LANG=C
+ export LANG
+ unset DISPLAY
+ rm -rf '/opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/rpmbuild/BUILD/*'
+ exit 0
Executing(%build): /bin/sh -e /var/tmp/rpm-tmp.Z2J5QI
+ umask 022
+ cd /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/rpmbuild/BUILD
+ LANG=C
+ export LANG
+ unset DISPLAY
+ exit 0
Executing(%install): /bin/sh -e /var/tmp/rpm-tmp.wlumC7
+ umask 022
+ cd /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/rpmbuild/BUILD
+ '[' /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/rpmbuild/BUILDROOT/powerbroker-9.4.1.03-1.x86_64 '!=' / ']'
+ rm -rf /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/rpmbuild/BUILDROOT/powerbroker-9.4.1.03-1.x86_64
++ dirname /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/rpmbuild/BUILDROOT/powerbroker-9.4.1.03-1.x86_64
+ mkdir -p /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/rpmbuild/BUILDROOT
+ mkdir /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/rpmbuild/BUILDROOT/powerbroker-9.4.1.03-1.x86_64
+ LANG=C
+ export LANG
+ unset DISPLAY
+ mkdir -p /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/rpmbuild/BUILDROOT/powerbroker-9.4.1.03-1.x86_64/etc
+ mkdir -p /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/rpmbuild/BUILDROOT/powerbroker-9.4.1.03-1.x86_64/etc/pb
+ cp /opt/final/powerbroker/v9.4/CLIENTPAKU_settings_files/pb.settings /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/rpmbuild/BUILDROOT/powerbroker-9.4.1.03-1.x86_64/etc/pb.settings
+ cp /opt/final/powerbroker/v9.4/CLIENTPAKU_settings_files/pb.cfg /opt/final/powerbroker/v9.4/pbul_linux.x86-64_9.4.1-03/install/rpmbuild/BUILDROOT/powerbroker-9.4.1.03-1.x86_64/etc/pb.cfg
+ cp /opt/final/powerbroker/v9.4/CLIENTPAKU_settings_files/pb.key /opt/final/powerbroker/v9.4/pbul_linux.x86-64_9.4.1-03/install/rpmbuild/BUILDROOT/powerbroker-9.4.1.03-1.x86_64/etc/pb.key
++ dirname /var/log/pblocald.log
+ logfiledir=/var/log
+ '[' '!' -d /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/rpmbuild/BUILDROOT/powerbroker-9.4.1.03-1.x86_64/var/log ']'
+ mkdir -p /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/rpmbuild/BUILDROOT/powerbroker-9.4.1.03-1.x86_64/var/log
++ dirname /var/log/pbksh.log
+ logfiledir=/var/log
+ '[' '!' -d /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/rpmbuild/BUILDROOT/powerbroker-9.4.1.03-1.x86_64/var/log ']'
++ dirname /var/log/pbsh.log
+ logfiledir=/var/log
+ '[' '!' -d /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/rpmbuild/BUILDROOT/powerbroker-9.4.1.03-1.x86_64/var/log ']'
++ dirname /pbshell.iolog
+ logfiledir=/
+ '[' '!' -d /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/rpmbuild/BUILDROOT/powerbroker-9.4.1.03-1.x86_64/ ']'
+ /usr/lib/rpm/check-buildroot
+ /usr/lib/rpm/redhat/brp-compress
+ /usr/lib/rpm/redhat/brp-strip /usr/bin/strip
+ /usr/lib/rpm/redhat/brp-strip-static-archive /usr/bin/strip
+ /usr/lib/rpm/redhat/brp-strip-comment-note /usr/bin/strip /usr/bin/objdump
+ /usr/lib/rpm/brp-python-bytecompile /usr/bin/python
+ /usr/lib/rpm/redhat/brp-python-hardlink
+ /usr/lib/rpm/redhat/brp-java-repack-jars
Processing files: powerbroker-configCLIENTPAKU-9.4.1.03-1.noarch
Requires(interp): /bin/sh /bin/sh /bin/sh /bin/sh
Requires(rpmlib): rpmlib(CompressedFileNames) <= 3.0.4-1 rpmlib(FileDigests) <= 4.6.0-1 rpmlib(PayloadFilesHavePrefix) <= 4.0-1
Requires(pre): /bin/sh
Requires(post): /bin/sh
Requires(preun): /bin/sh
Requires(postun): /bin/sh
Checking for unpackaged file(s): /usr/lib/rpm/check-files /opt/final/powerbroker/v9.4/pbul_linux.x86-64_9.4.1-03/install/rpmbuild/BUILDROOT/powerbroker-9.4.1.03-1.x86_64
Wrote: /opt/final/powerbroker/v9.4/pbul_linux.x86-64_9.4.1-03/install/rpmbuild/RPMS/noarch/powerbroker-configCLIENTPAKU-9.4.1.03-1.noarch.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.A8w0eY
+ umask 022
+ cd /opt/final/powerbroker/v9.4/pbul_linux.x86-64_9.4.1-03/install/rpmbuild/BUILD
+ rm -rf /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/rpmbuild/BUILDROOT/powerbroker-9.4.1.03-1.x86_64/etc /opt/final/powerbroker/v9.4/pbul_linux.x86-64_9.4.1-03/install/rpmbuild/BUILDROOT/powerbroker-9.4.1.03-1.x86_64/pbshell.iolog /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/rpmbuild/BUILDROOT/powerbroker-9.4.1.03-1.x86_64/var
+ exit 0
pbcreatelincfgpkg: rpm package built
pbcreatelincfgpkg: rpm package verified
pbcreatelincfgpkg: rpm package 'powerbroker-configCLIENTPAKU-9.4.1.03-1.noarch.rpm' placed in /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install
pbcreatelincfgpkg: the following packages will need to be loaded to the target system:
powerbroker-runhost
powerbroker-submithost
powerbroker-shlibs
pbcreatelincfgpkg: completed.
Install component packages using the rpm command
This section shows the execution of the rpm command to install component packages for the submit host, run host, and shared libraries:
Example
# cd /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/package
# rpm -iv powerbroker-shlibs-9.4.1.03-1.x86_64.rpm powerbroker-submithost-9.4.1.03-1.x86_64.rpm powerbroker-runhost-9.4.1.03-1.x86_64.rpm
warning: powerbroker-shlibs-9.4.1.03-1.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID 19227ca5: NOKEY
Preparing packages for installation...
powerbroker-shlibs-9.4.1.03-1
powerbroker-runhost-9.4.1.03-1
powerbroker-submithost-9.4.1.03-1
Install the configuration package using the rpm command
This section shows the execution of the Linux rpm command to install the configuration package. Following installation of the configuration package, the installation is verified by submitting the id command to Endpoint Privilege Management for Unix and Linux, and the Linux rpm -qa utility is used to list the Endpoint Privilege Management for Unix and Linux packages that are installed:
Example
# cd /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install
# rpm -iv powerbroker-configCLIENTPAKU-9.4.1.03-1.noarch.rpm
Preparing packages for installation...
powerbroker-configCLIENTPAKU-9.4.1.03-1
Reading pb.cfg...
Updating Settings in database (if any)...
Checking installation of dependent component packages...
'rpm -V' of package powerbroker-shlibs succeeded
'rpm -V' of package powerbroker-submithost succeeded
'rpm -V' of package powerbroker-runhost succeeded
Looking for SuperDaemons to configure...
Finished looking for SuperDaemons to configure...
Removing PowerBroker service definitions (if any) from /etc/services.
Adding PowerBroker service definitions to /etc/services.
Removing any PowerBroker definitions from SuperDaemon xinetd file /etc/xinetd.conf
Adding PowerBroker definitions to SuperDaemon configurations /etc/xinetd.conf.
Reloading SuperDaemon Configurations...
Done Reloading SuperDaemon Configurations...
# rpm -qa | grep powerbroker
powerbroker-runhost-9.4.1.03-1.x86_64
powerbroker-configCLIENTPAKU-9.4.1.03-1.noarch
powerbroker-shlibs-9.4.1.03-1.x86_64
powerbroker-submithost-9.4.1.03-1.x86_64
# pbrun id # test PowerBroker
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),501(amanda)
# rpm -qa | grep powerbroker # list PowerBroker packages
powerbroker-runhost-9.4.1.03-1.x86_64
powerbroker-configCLIENTPAKU-9.4.1.03-1.noarch
powerbroker-shlibs-9.4.1.03-1.x86_64
powerbroker-submithost-9.4.1.03-1.x86_64
Sample of the uninstall process from a package installation
This section shows the execution of the Linux rpm utility to remove the Endpoint Privilege Management for Unix and Linux packages:
Example
# rpm -e powerbroker-configCLIENTPAKU powerbroker-shlibs powerbroker-submithost powerbroker-runhost
Reading pb.cfg...
Looking for SuperDaemons to configure...
Finished looking for SuperDaemons to configure...
Removing PowerBroker service definitions (if any) from /etc/services.
Removing any PowerBroker definitions from SuperDaemon xinetd file /etc/xinetd.conf
Reloading SuperDaemon Configurations...
Done Reloading SuperDaemon Configurations...
AIX package installer
This section describes how to install Endpoint Privilege Management for Unix and Linux using a package installer for AIX v5.3, 6.1 and 7.0 on a POWER 64-bit computer. AIX package installers are compatible with or without workload partitions (WPARs). Use the AIX package installer if you want to install Endpoint Privilege Management for Unix and Linux using the AIX installp command.
The Endpoint Privilege Management for Unix and Linux AIX package installer that is described here is not compatible with the BeyondTrust Endpoint Privilege Management v5.x packages. If the BeyondTrust Endpoint Privilege Management v5.x packages are installed, you must remove them before installing the Endpoint Privilege Management for Unix and Linux AIX packages.
WPARs
If you have AIX v6.1 or higher, then you can use WPARs.
Note
For more information about WPARs and propagating BeyondTrust AIX package installations to them, see the following:
- Installation Process
- View a List of Installed Endpoint Privilege Management for Unix and Linux Packages
Prerequisites
To use the AIX package installer, you must have the following:
- Package tarball file for the appropriate Endpoint Privilege Management for Unix and Linux flavor
- Root access or superuser privileges
Note
The Endpoint Privilege Management for Unix and Linux AIX package installer does not support prefix or suffix installations.
Plan your installation
When preparing to use the Endpoint Privilege Management for Unix and Linux package installer, you should be familiar with the following concepts and restrictions:
Component packages: an Endpoint Privilege Management for Unix and Linux component package is an AIX backup file format (.bff) file that installs a portion of the Endpoint Privilege Management for Unix and Linux application. Endpoint Privilege Management for Unix and Linux component packages use a format of powerbroker.component-v.v.r.bb.bff, where:
- v = major version
- v = minor version
- r = release
- bb = build
Example
powerbroker.masterhost-6.2.0.05.bff
Component package or file names | Description |
---|---|
powerbroker.loghost-v.v.r.bb.bff | Contains the log host, pblogd, and man pages. powerbroker.common-v.v.r.bb.bff is a prerequisite for this package. |
powerbroker-pbrest-v.v.r.bb-pv.arch.rpm | Contains REST API files. |
powerbroker.rnssvr-v.v.r.bb.bff | Contains Registry Name Service files. |
powerbroker.licsvr-v.v.r.bb.bff | Contains license server files. |
powerbroker.sharedlibs-v.v.r.bb.bff | Contains the shared libraries: libcom_err.so.3.0, libcrypto.a, libgssapi_krb5.so.2.2, libk5crypto.so.3.1, libkrb5.so.3.3, liblber-2.5.a, libldap-2.5.a, libssl.a. powerbroker.common-v.v.r.bb.bff is a prerequisite for this package. |
powerbroker.common-v.v.r.bb.bff | Contains the shared files and pbbench, pbcall, bencode, pbsum, man pages and pbinstall.8, and pbcreateaixcfgpkg.8. This package is a prerequisite for all the previously listed packages: powerbroker.masterhost, powerbroker.submithost, powerbroker.guihost, powerbroker.loghost and powerbroker.sharedlibs. |
powerbroker.mlcommon-v.v.r.bb.bff | Contains the policy server log shared files, pblog, pbreplay, pbsyncd, pbsync, and man pages. This package is a prerequisite for powerbroker.masterhost-v.v.r.bb.bff and powerbroker.loghost-v.v.r.bb.bff. |
powerbroker.masterhost-v.v.r.bb.bff | Contains the policy server host, pbcheck, pbkey, pbmasterd, pbpasswd, pbpatton, pbprint, and man pages. powerbroker.common-v.v.r.bb.bff is a prerequisite for this package. |
powerbroker.runhost-v.v.r.bb.bff | Contains the run host and Endpoint Privilege Management for Unix and Linux utilities: pblocald, pbless, pbmg, pbnvi, pbumacs, pbvi, and man pages. powerbroker.common-v.v.r.bb.bff is a prerequisite for this package. |
powerbroker.submithost-v.v.r.bb.bff | Contains the submit host and Endpoint Privilege Management for Unix and Linux shells, pbksh, pbsh, pbssh, pbrun, and man pages. powerbroker.common-v.v.r.bb.bff is a prerequisite for this package. |
Which component packages are required depends on the type of Endpoint Privilege Management for Unix and Linux host you are creating, such as policy server host, log host, and so on. You can select the types of hosts in the pbinstall installation menu, as shown in the following table.
Menu Selection | Required Components |
---|---|
Install everything here (demo mode)? = Yes | powerbroker.masterhost-v.v.r.bb.bff powerbroker.runhost-v.v.r.bb.bff powerbroker.submithost-v.v.r.bb.bff powerbroker.loghost-v.v.r.bb.bff powerbroker.guihost-v.v.r.bb.bff powerbroker.sharedlibs-v.v.r.bb.bff powerbroker.common-v.v.r.bb.bff powerbroker.mlcommon-v.v.r.bb.bff |
Install Policy Server Host? = Yes | powerbroker.masterhost-v.v.r.bb.bff powerbroker.common-v.v.r.bb.bff powerbroker.mlcommon-v.v.r.bb.bff |
Install Run Host? = Yes | powerbroker.runhost-v.v.r.bb.bff powerbroker.common-v.v.r.bb.bff |
Install Submit Host? = Yes | powerbroker.submithost-v.v.r.bb.bff powerbroker.common-v.v.r.bb.bff |
Install Log Host? = Yes | powerbroker.loghost-v.v.r.bb.bff powerbroker.common-v.v.r.bb.bff powerbroker.mlcommon-v.v.r.bb.bff |
Install BeyondTrust built-in third-party libraries? = Yes | powerbroker.sharedlibs-v.v.r.bb.bff powerbroker.common-v.v.r.bb.bff |
Install Registry Name Services Server? [yes] | powerbroker.rnssvr-v.v.r.bb.bff |
Install License Server? [yes] | powerbroker.licsvr-v.v.r.bb.bff |
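The table above can also serve as an audit baseline. The following added example (not BeyondTrust code) derives the filesets a host should carry from its roles and compares them with `lslpp -l` output, flagging missing components and components the roles do not call for. The role keywords, function names and sample listing are constructed, and it assumes `lslpp -l` shows each component as powerbroker.<component> in its first column.

```shell
#!/bin/sh
# Added example, not vendor code. Role-to-component data is copied from the
# "Menu Selection | Required Components" table; role keywords are hypothetical.

# components_for_role ROLE -> component names required by that menu selection
components_for_role() {
    case "$1" in
        demo)       echo "masterhost runhost submithost loghost guihost sharedlibs common mlcommon" ;;
        policy)     echo "masterhost common mlcommon" ;;
        run)        echo "runhost common" ;;
        submit)     echo "submithost common" ;;
        log)        echo "loghost common mlcommon" ;;
        sharedlibs) echo "sharedlibs common" ;;
        rns)        echo "rnssvr" ;;
        license)    echo "licsvr" ;;
        *)          echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# expected_filesets ROLE... -> sorted, de-duplicated powerbroker.<component> names
expected_filesets() {
    _out=""
    for _role in "$@"; do
        _comps=$(components_for_role "$_role") || return 1
        for _c in $_comps; do
            _out="$_out powerbroker.$_c"
        done
    done
    [ -n "$_out" ] || return 0
    # Word splitting of $_out is intended: one name per output line.
    printf '%s\n' $_out | LC_ALL=C sort -u
}

# installed_filesets < "lslpp -l" output -> component filesets, one per line.
# ASSUMPTION: the fileset name is the first column. The configuration package
# (powerbroker.config<suffix>) is skipped because it is not a component.
installed_filesets() {
    awk '$1 ~ /^powerbroker\./ && $1 !~ /^powerbroker\.config/ { print $1 }' |
        LC_ALL=C sort -u
}

# audit_filesets ROLE... < "lslpp -l" output
# Prints MISSING/UNEXPECTED findings.
# Returns 0 when clean, 1 on findings, 2 on an unknown role.
audit_filesets() {
    _want=$(expected_filesets "$@") || return 2
    _have=$(installed_filesets)
    _report=$(
        for _f in $_want; do
            printf '%s\n' "$_have" | grep -qxF "$_f" || echo "MISSING $_f"
        done
        for _f in $_have; do
            printf '%s\n' "$_want" | grep -qxF "$_f" || echo "UNEXPECTED $_f"
        done
    )
    [ -z "$_report" ] && return 0
    printf '%s\n' "$_report"
    return 1
}

# Constructed sample of "lslpp -l" output; not captured from a real host.
sample_lslpp() {
    cat <<'EOF'
  Fileset                      Level  State      Description
  ----------------------------------------------------------------------------
Path: /usr/lib/objrepos
  powerbroker.common        9.4.3.18  COMMITTED  constructed sample line
  powerbroker.configClient  9.4.3.18  COMMITTED  constructed sample line
  powerbroker.masterhost    9.4.3.18  COMMITTED  constructed sample line
  powerbroker.mlcommon      9.4.3.18  COMMITTED  constructed sample line
  powerbroker.runhost       9.4.3.18  COMMITTED  constructed sample line
  powerbroker.submithost    9.4.3.18  COMMITTED  constructed sample line
EOF
}

# Demo: the host is meant to be a submit + run host with the shared libraries.
sample_lslpp | audit_filesets submit run sharedlibs || echo "audit: differences found"
```

On a live host, feed it real data with `lslpp -l | audit_filesets submit run sharedlibs`.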
Configuration package: AIX installation package created by the user named powerbroker.config[suffix], where suffix is user-defined. It contains the configuration files that are used to install the following files:
- pb.settings: Hardcoded target location /etc/pb.settings
- pb.cfg: Hardcoded target location /etc/pb.cfg
- All the encryption keyfiles defined for networkencryption, eventlogencryption, iologencryption, reportencryption, policyencryption, and restkeyencryption
  - By default, two key files are created: pb.key and pb.rest.key
  - The sysadmin can define multiple encryption settings with different keyfiles in locations other than /etc. To upgrade and retain settings on the target machine, view all encryption settings in /etc/pb.settings and copy the files to the settings_files directory before running "pbinstall -z" and pbcreate*cfgpkg.
- pb.conf (for policy server hosts)
- Man pages for the pbinstall and pbcreateaixcfgpkg programs
The Endpoint Privilege Management for Unix and Linux configuration package is created by the pbcreateaixcfgpkg program. The component packages must be installed before you install the configuration package.
Package name: Name of the installation package stored in the AIX database. For Endpoint Privilege Management for Unix and Linux package installations, this name is the same as the package file name without the .bff extension.
pbinstall program: To create the Endpoint Privilege Management for Unix and Linux settings files, you use the pbinstall program with the -z (settings only) option. pbinstall -z only creates the settings files and is incompatible with the following command line options:
Options Incompatible with pbinstall -z | Description |
---|---|
-b | Runs pbinstall in batch mode. |
-c | Skip the steps that process or update the Endpoint Privilege Management for Unix and Linux settings file. |
-e | Runs install script automatically by bypassing the menu step of pbinstall. |
-i | Ignores previous pb.settings and pb.cfg files. |
-p | Sets the pb installation prefix. |
-s | Sets the pb installation suffix. |
-u | Installs the utility programs. |
-x | Creates a log synchronization host (that is, installs pbsyncd). |
When you execute pbinstall with the -z option, you can see two menu items that are not otherwise available:
- Enter existing pb.settings path: Enables you to specify your own pb.settings file. pbinstall reads this settings file and populates the remaining menu choices. You can override some menu choices. If set to none, then pbinstall does not read a settings file. The remaining menu choices are populated with default values.
- Enter directory path for settings file creation: Enables you to specify an alternative output directory for the settings files. The default directory is /unzip-dir/powerbroker///install/settings_files, where unzip-dir is the directory where the package tarball file was unzipped.
The behavior of pbinstall -z depends on whether certain additional command line options are specified:
- If no other command line options are specified, pbinstall initially presents a short version of the installation menu (items 1–8 only). Depending on the choices you make in these items, further menu items become available.
- If command line options -g, -l, -m, or -r are specified, pbinstall presents an expanded version of the installation menu that reflects the host types that you are configuring.
When running pbinstall with the -z option, the following menu items are preprogrammed and cannot be changed:
- Install man pages?
- Daemon location
- Administration programs location
- User programs location
- GUI library directory
- Policy include (sub) file directory
- User man page location
- Admin man page location
- Policy filename
- BeyondTrust built-in third-party library directory
In addition, the values of the following menu items determine the values of other menu items:
Options Preset When Running pbinstall -z | |
---|---|
Setting this menu option to Yes | Sets these values to Yes |
Install Policy Server Host? | Install Synchronization? Synchronization can be initiated from this host? |
Install Run Host? | Install Utilities? |
Install Submit Host? | Install PBSSH? Install pbksh? Install pbsh? Will this host use a Log Host? |
Install Log Host? | Install Synchronization? Synchronization can be initiated from this host? |
If you plan to use Registry Name Service and are running pbinstall -z on a client host (non-primary server), you must perform client registration. This is necessary to properly set up the registry name service database. Client registration will also require that you collect from the Endpoint Privilege Management for Unix and Linux primary server the following information:
- REST Application ID
- REST Application Key
- Primary server network name or IP address
- Primary License Server REST TCP/IP port
- Registration Client Profile name
Note
If you are using the package installer to install Endpoint Privilege Management for Unix and Linux on a computer that already has an interactive Endpoint Privilege Management for Unix and Linux installation on it, see Installation considerations for additional considerations.
RNS client registration: If Registry Name Services is enabled for Endpoint Privilege Management for Unix and Linux, each client host (after the first server installation) needs to be registered with the Primary Registry Name Server. When using package installers on a target host, a post-install configuration script (/opt/pbul/scripts/pbrnscfg.sh) is provided to be manually executed on that host to properly register it. This post-install configuration script asks for information about the Primary Registry Name Server, including the Application ID (appid), Application Key (appkey), address/domain name, and the REST TCP/IP port number. This is the same information provided during the client registration part of a pbinstall -z install which generates the settings file.
If you prefer a more convenient method of registering RNS clients, in which the post-install configuration script runs non-interactively, Endpoint Privilege Management for Unix and Linux can save the relevant information in a hidden file during the settings-only run of pbinstall, bundle it with the configuration package, and automatically apply it to the target host when that package is installed. This method is not secure; it is available if the security-convenience trade-off is acceptable. To enable it, refer to the question regarding the post-install configuration script that is displayed when running pbinstall -z.
Use EPM-UL packages on AIX WPARs
The Endpoint Privilege Management for Unix and Linux AIX package installer supports AIX WPARs in AIX v6.1 and higher. The primary operating system instance is referred to as the global WPARs. All WPARs that are not global are referred to as non-global WPARs.
Note
AIX release v6.1 or higher is required. The use of WPARs is not supported on earlier releases.
There are two types of WPARs:
- Shared WPARs share some of the global environment’s file systems and are administered by the global environment.
- Non-shared WPARs share none of the global environment’s file systems and are treated as stand-alone systems.
Installing Endpoint Privilege Management for Unix and Linux AIX packages on WPARs is very similar to installing these packages on AIX systems without WPARs.
Overview of steps
Using the Endpoint Privilege Management for Unix and Linux AIX package installer involves the following steps:
- Unpack the Endpoint Privilege Management for Unix and Linux package tarball file.
- Use the pbinstall program to create Endpoint Privilege Management for Unix and Linux settings files.
- Use the pbcreateaixcfgpkg program to create the Endpoint Privilege Management for Unix and Linux configuration package.
- Perform a package installation using the AIX installp command for any required components.
- Perform a package installation using the AIX installp command for the Endpoint Privilege Management for Unix and Linux configuration package.
- If Registry Name Service is enabled and you are installing on a non-primary server, run /opt/pbul/scripts/pbrnscfg.sh to register the host.
Installation procedure
To install Endpoint Privilege Management for Unix and Linux in the AIX global environment, do the following:
- Extract the package tarball files into the /opt/beyondtrust/ directory by executing the following command:
gunzip -c pmul_<flavor_version>_pkg.tar.Z | tar xvf -
- Navigate to the /opt/beyondtrust/powerbroker///install/ directory.
- Execute the following command:
./pbinstall -z
You are asked if you want to use client registration. If you plan to enable Registry Name Service, and are installing on a host that is not designated as a primary server, you must run client registration.
pbinstall next asks if you want to enable Registry Name Service.
pbinstall displays the Endpoint Privilege Management for Unix and Linux installation menu.
- Make your menu selections. When the menu selection process is complete, pbinstall creates the following files in the specified location:
  - pb.settings
  - pb.cfg
  - pb.key (if encryption is enabled)
  - pb.conf (for policy server host)
  - pbpolicykey.pem and pbpolicypubcert.pem (for Policy Server hosts with Cached Policy feature enabled)
Note
The Enter existing pb.settings path menu option enables you to specify your own pb.settings file to use. Also, the Enter directory path for settings file creation menu option enables you to specify where to save the generated settings files. These menu options are available only when running pbinstall with the -z option.
- Optional. For an Endpoint Privilege Management for Unix and Linux client, if client-server communications are to be encrypted, replace the generated pb.key file with the pb.key file from the policy server host. Also, copy any other required key files into the same directory.
- Optional. For a policy server host, write a policy file (pb.conf) and place it in the directory with the other generated files. If you do not provide a pb.conf file, a pb.conf file with the single command reject ; is generated and packaged.
Starting with v8.0, pbinstall -z can optionally install the default role-based policies and asks:
Installing default role-based policy pbul_policy.conf and pbul_functions.conf in <install_dir>/settings_files
Would you like to use the default role-based policy in the configuration package?
- Answer Yes for new installs only.
- If you are upgrading an existing configuration package, to avoid overwriting your existing policy, answer No.
Use the default role-based policy [Y]?
- If you answer Yes, the default pb.conf, pbul_policy.conf and pbul_functions.conf files are created and installed on the policy server.
- If you are installing over an existing installation, and have an existing policy in place, answer No.
- Navigate to the /opt/beyondtrust/powerbroker///install/ directory.
- Run the pbcreateaixcfgpkg utility by typing:
pbcreateaixcfgpkg -p suffix -s directory
- suffix is appended to the filenames of the configuration package backup file format file and the package administration file; the length can be up to 26 characters.
- directory contains the Endpoint Privilege Management for Unix and Linux settings and configuration files to include in the package.
The pbcreateaixcfgpkg utility creates the configuration package file, powerbroker.config-v.v.r.b.bff.
- Navigate to the /opt/beyondtrust/powerbroker///package/ directory.
- For each required component package, run the AIX installp command to install one component package by typing:
installp -agd ./ powerbroker.pkg-name
pkg-name is the name of the component package file.
Example
installp -agd ./ powerbroker.submithost
Using the -g option installs all the prerequisite packages along with the powerbroker.submithost package. In this case, powerbroker.common is a prerequisite package for the powerbroker.submithost package.
Alternately you can install all the component packages by typing:
installp -agd ./ powerbroker
- Run the AIX installp command to install the Endpoint Privilege Management for Unix and Linux configuration package by typing:
installp -ad ./ powerbroker.config<suffix>
<suffix> is the suffix that is set when you create the Endpoint Privilege Management for Unix and Linux configuration package in step 8.
- Verify the installation of the packages with the AIX lslpp command by typing:
lslpp -l | grep powerbroker
- If Registry Name Service is enabled and installed on a non-primary server, register the host with the Primary Registry Name Server using a post-install configuration script. Gather the Application ID, Application Key, network name or IP address, and REST TCP/IP port of the primary server, then run the script to register the host and follow the prompts:
/opt/pbul/scripts/pbrnscfg.sh
Note
For additional information, see the following:
- For other options you can use with the pbinstall -z option, see Plan your installation.
- pblighttpd
- pbcreateaixcfgpkg
Install EPM-UL onto WPARs
The process for installing Endpoint Privilege Management AIX packages onto non-shared workload partitions (WPARs) is similar to the process for installing in the global AIX environment because the installed software is private to the non-shared WPAR. Therefore, there is no need for synchronization.
To install packages onto shared WPARs, do the following:
- Follow the procedures in the installation procedure to create the AIX packages.
- Install Endpoint Privilege Management component (usr) packages in the global AIX environment. The usr packages are visible to the WPARs.
- Install Endpoint Privilege Management configuration (root) package in the global AIX environment. The root packages are not visible to the WPARs until propagated.
- To make the Endpoint Privilege Management configuration (root) package visible to the WPARs, use the syncwpar command and propagate the packages to WPARs.
- Optional. List the WPARs.
Remove EPM-UL packages
Removing the Endpoint Privilege Management for Unix and Linux packages completely uninstalls Endpoint Privilege Management for Unix and Linux from a computer. To remove the packages, do the following:
- Navigate to the /opt/beyondtrust/powerbroker//aix/install/ directory.
- Remove multiple Endpoint Privilege Management for Unix and Linux packages by typing:
installp -u powerbroker.configClient component-package-1 ... component-package-n
- configClient is the name of the package specified during installation of the configuration package. Because of the dependency relationship between the configuration package and the component packages, this package name must come first in the list.
- component-package-1 through component-package-n are the names of the packages specified during installation of the component packages, such as powerbroker.submithost.
Example
installp -u powerbroker.configClient powerbroker.submithost powerbroker.loghost
Or you may remove a package and its prerequisites by using the installp -gu command.
Example
The following command removes the powerbroker.runhost package and its prerequisite package powerbroker.common:
installp -gu powerbroker.runhost
Remove AIX package from shared WPARs
To remove Endpoint Privilege Management for Unix and Linux packages from shared workload partitions (WPARs), do the following:
- Remove the Endpoint Privilege Management for Unix and Linux packages from the global AIX environment using the following command:
installp -u powerbroker
All Endpoint Privilege Management for Unix and Linux usr packages and the global root package are removed.
- Remove the Endpoint Privilege Management for Unix and Linux root packages from WPARs by doing either of the following:
  - Remove the Endpoint Privilege Management for Unix and Linux root package from one or more specified WPARs by typing the following command from the global AIX environment:
    syncwpar [nodeA] [nodeB] ... [nodeX]
    nodeA, nodeB, ... nodeX are the names of the WPARs.
  - Remove the Endpoint Privilege Management for Unix and Linux root package from all WPARs by typing the following command from the global AIX environment:
    syncwpar -A
    When you use the -A option, all Endpoint Privilege Management root packages are removed from the WPARs.
Note
The syncwpar command synchronizes all packages between the AIX global environment and shared WPARs.
- Optional. Verify that the packages are removed from the WPARs.
Update EPM-UL with update packages
The Endpoint Privilege Management for Unix and Linux AIX package installer can be used to update an existing Endpoint Privilege Management for Unix and Linux installation to a new version. The existing Endpoint Privilege Management for Unix and Linux version should have been installed using the Endpoint Privilege Management for Unix and Linux package installer.
Update package considerations
Installing an update package is similar to using the AIX package installer to install Endpoint Privilege Management for Unix and Linux for the first time. Keep these considerations in mind when you prepare to upgrade Endpoint Privilege Management for Unix and Linux:
- Each release of Endpoint Privilege Management for Unix and Linux AIX update packages contains only the updated files. Therefore, a full Endpoint Privilege Management for Unix and Linux package installation (of the same major and minor version) must be performed before you can install an upgrade package. For example, before you can install update package version 9.2.1, you must have the full Endpoint Privilege Management for Unix and Linux package version 9.2.0 installed.
- Each successive Endpoint Privilege Management AIX update package is cumulative; for example, update package version 9.4.1 contains all of the updates in update package version 9.4.0.
- A newer release can introduce features that use new settings or configurations. In which case, an upgrade of the configuration package of Endpoint Privilege Management for Unix and Linux is also needed.
- Update packages that have not been committed can be rejected. You cannot reject update packages that have been committed.
- Committing a given update package requires prior or concurrent commit of earlier update packages.
- The Endpoint Privilege Management for Unix and Linux configuration package does not contain any executable files and therefore does not need to be upgraded. However, if you are creating a new configuration package, you should create it with the same version of Endpoint Privilege Management for Unix and Linux as the component packages you are installing.
Update package procedure
Follow this procedure to update your installation of Endpoint Privilege Management for Unix and Linux using the update packages:
- Obtain the tarball file for the AIX update packages that are appropriate for your hardware. The tarball file name has the format pmul_-v.v.r-bb-update_pkg.tar.Z, where:
- indicates the operating system and hardware architecture.
- v.v.r is the major and minor version number and the release number.
- bb is the build number.
- Extract the package files into the /unzip-dir/ directory by executing the following command:
gunzip -c pmul_<flavor_version>-update_pkg.tar.Z | tar xvf -
- Navigate to the /unzip-dir/powerbroker/v//install/ directory.
- Create the settings_files directory and change directory to that location.
- To retain or correctly update the settings of the current installation, copy the following files from the target installation host into the settings_files directory you created in step 4:
- /etc/pb.settings
- /etc/pb.cfg
- encryption keys defined in pb.settings for networkencryption, eventlogencryption, iologencryption, reportencryption, policyencryption, and restkeyencryption settings (if enabled)
Note
In a default installation, there are typically 2 key files created: pb.key and pb.rest.key.
- policy file defined in policyfile setting in pb.settings (if the target installation is a Policy Server)
Note
In a default installation, the policy file is located in /opt/pbul/policies/pb.conf.
- Execute the following command to verify and update the installation settings in the settings_files directory:
./pbinstall -z
- Create the upgrade configuration package by running the pbcreateaixcfgpkg utility:
pbcreateaixcfgpkg -p suffix
Use the current suffix of the installation to be upgraded. Use the suffix you provided during the initial package installation in step 8 of the Installation procedure.
Another way to find the suffix is to run the following command on the target installation host to get the list of packages installed:
lslpp -l | grep powerbroker
Identify the suffix of the Endpoint Privilege Management for Unix and Linux configuration package using this format:
powerbroker.config<suffix>
- Navigate to the /unzip-dir/powerbroker/version/flavor/package/ directory.
- Run the AIX installp utility to install the Endpoint Privilege Management for Unix and Linux component package or packages by typing:
installp -ad ./ powerbroker.package_name [v.v.r.bb] [powerbroker.package_name [v.v.r.bb] ... ]
where:
- package_name is the name of the Endpoint Privilege Management for Unix and Linux package to be installed.
- v.v.r.bb (optional) is the version, release, and build number, for example, 9.4.1.03.
- Navigate to the /unzip-dir/powerbroker///install/ directory.
- Run the AIX installp command to install the Endpoint Privilege Management for Unix and Linux configuration package by typing:
installp -ad ./ powerbroker.config<suffix>
<suffix> is the suffix that is set when you create the Endpoint Privilege Management for Unix and Linux configuration package in step 7.
- Commit the update package by typing:
installp -c powerbroker [v.v.r.bb]
v.v.r.bb (optional) is the version, release, and build number, for example, 9.4.1.03.
- Verify the installation of the filesets with the AIX lslpp utility by typing:
lslpp -al powerbroker.package_name
package_name is the name of the Endpoint Privilege Management for Unix and Linux package that you installed.
Reject an update package
You can reject an update package that has been applied but not committed by typing:
installp -r powerbroker.package_name [v.v.r.bb]
where:
- package_name is the name of the Endpoint Privilege Management for Unix and Linux package that you want to reject.
- v.v.r.bb (optional) is the version, release, and build number, for example, 6.2.1.11.
After an update package has been committed, you cannot reject it.
Update packages and WPARs
Installing update packages on workload partitions (WPARs) involves the same considerations as installing a baseline Endpoint Privilege Management for Unix and Linux package on WPARs.
Upgrade the configuration package
When upgrading the configuration package (cfg pkg), some settings that are part of the package might need settings and configuration files copied from the existing installation to the staging host.
Files included in the cfg package:
- pb.settings: Hardcoded target location /etc/pb.settings.
- pb.cfg: Hardcoded target location /etc/pb.cfg.
- All the encryption key files defined for networkencryption, eventlogencryption, iologencryption, reportencryption, policyencryption, and restkeyencryption. By default, two key files are typically created:
  - pb.key
  - pb.rest.key
  The sysadmin can define encryption with different key files in locations other than /etc. Therefore, when upgrading, and to retain what is installed on the target machine, look at all the encryption settings in /etc/pb.settings. Copy the settings to the settings_files directory before running pbinstall -z and pbcreate*cfgpkg.
- Policy file if the target is a policy server.
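For the file lists in the update procedure and in this section, the following added example (not BeyondTrust code) reads a pb.settings file, lists every file that belongs in settings_files, and checks a staging directory for missing files and for key files that group or other can access. The pb.settings syntax (`keyfile=<path>` tokens, `#` comments), the flat staging layout and the owner-only permission expectation are assumptions of this example, and the sample settings are constructed.

```shell
#!/bin/sh
# Added example, not vendor code.
# ASSUMPTIONS: pb.settings has one "name value ..." setting per line, "#" starts
# a comment, key files appear as "keyfile=<path>" tokens (colon-separated from
# the algorithm and optional dates), and staged copies sit flat in
# settings_files under their base names.

ENC_SETTINGS="networkencryption eventlogencryption iologencryption \
reportencryption policyencryption restkeyencryption"

# files_to_stage < pb.settings -> "kind path" lines (kind: settings|key|policy)
files_to_stage() {
    {
        echo "settings /etc/pb.settings"   # hardcoded target locations (this page)
        echo "settings /etc/pb.cfg"
        awk -v names="$ENC_SETTINGS" '
            BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) enc[a[i]] = 1 }
            { gsub(/"/, "") }                       # tolerate quoted values
            NF == 0 || $1 ~ /^#/ { next }           # skip blanks and comments
            ($1 in enc) {
                for (i = 2; i <= NF; i++) {
                    m = split($i, part, ":")
                    for (j = 1; j <= m; j++)
                        if (part[j] ~ /^keyfile=/) print "key", substr(part[j], 9)
                }
            }
            $1 == "policyfile" && NF >= 2 { print "policy", $2 }
        '
    } | LC_ALL=C sort -u
}

# check_staging DIR < pb.settings
# Reports files named in pb.settings that are absent from DIR, and staged key
# files that group or other can access. Returns 1 if anything is reported.
check_staging() {
    _dir=$1
    _report=$(
        files_to_stage | while read -r _kind _path; do
            _staged="$_dir/$(basename "$_path")"
            if [ ! -f "$_staged" ]; then
                echo "MISSING $_path"
            elif [ "$_kind" = key ]; then
                # Characters 5-10 of the ls mode string are the group/other bits.
                _mode=$(ls -ldL "$_staged" | cut -c5-10)
                [ "$_mode" = "------" ] || echo "LOOSE_PERMS $_path ($_mode)"
            fi
        done
    )
    [ -z "$_report" ] && return 0
    printf '%s\n' "$_report"
    return 1
}

# Constructed pb.settings excerpt for the demo; not taken from a real host.
sample_settings() {
    cat <<'EOF'
# constructed sample
networkencryption   aes-256:keyfile=/etc/pb.key
iologencryption     aes-256:keyfile=/etc/pb.key des:keyfile=/opt/keys/pb.iolog.key
restkeyencryption   aes-256:keyfile=/etc/pb.rest.key
eventlogencryption  none
policyfile          /opt/pbul/policies/pb.conf
EOF
}

# Demo: list what the constructed settings say must be staged.
sample_settings | files_to_stage
```

Before running pbcreateaixcfgpkg, a check such as `check_staging ./settings_files < ./settings_files/pb.settings` shows whether a key file kept outside /etc was left behind.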
Sample Execution for the AIX Package Installer
The sample execution shows the installation of an Endpoint Privilege Management for Unix and Linux submit host, run host, and shared libraries using the Endpoint Privilege Management for Unix and Linux AIX package installer.
This sample execution is divided into the following parts:
- Generate the Endpoint Privilege Management for Unix and Linux settings files.
- Create the Endpoint Privilege Management for Unix and Linux configuration package using the pbcreateaixcfgpkg program.
- Install the component packages using the installp -ad command.
- Install the configuration package using the installp -ad command.
- Use syncwpar to propagate additional AIX global environment packages to shared workload partitions (WPARs). WPARs are available with AIX v6.1 and higher.
Generate the Endpoint Privilege Management for Unix and Linux settings files
This section of the execution shows the generation of the Endpoint Privilege Management for Unix and Linux settings files (pb.key, pb.cfg, and pb.settings) and also displays the Endpoint Privilege Management for Unix and Linux installation menu. This output was generated using the pbinstall program with the -z option.
Example
# ./pbinstall -zlr
Starting pbinstall main() from /opt/bt_pkg/powerbroker/v9.4/pmul_aix52+_9.4.3-18/install/.
aix52+
WARNING:
When creating configuration packages to be installed on AIX WPARs, care must be taken to set log file directories to WPAR-writable partitions. The default AIX shared WPAR has the following read-only and/or shared partitions, although configuration can vary:
/usr
/opt
/proc
The Endpoint Privilege Management for Unix and Linux log file default directory for AIX WPARs is '/var/adm'.
Endpoint Privilege Management for Unix and Linux Settings File Generation
Please read the Endpoint Privilege Management for Unix and Linux Installation Instructions before proceeding.
Checking MANIFEST against release directory
Press return to continue
The Registry Name Service of Endpoint Privilege Management for Unix and Linux facilitates location of other services within the PBUL enterprise with the aid of a centralized data repository.
IMPORTANT: client registration is required if this is not the Primary Server and you intend to use Registry Name Services.
Do you wish to utilize Registry Name Service? [yes]? no
BeyondTrust Endpoint Privilege Management for Unix and Linux Installation Menu
Opt Description [Value]
1 Install Everything Here (Demo Mode)? [no]
2 Install License Server? [no]
3 Install Registry Name Services Server? [no]
4 Install Client Registration Server? [no]
5 Install Policy Server Host? [yes]
6 Install Run Host? [yes]
7 Install Submit Host? [yes]
8 Install PBSSH [yes]
10 Install Log Host? [yes]
11 Enable Logfile Tracking and Archiving? [yes]
12 Is this a Log Archiver Storage Server? [no]
13 Is this a Log Archiver Database Server? [no]
14 Install File Integrity Monitoring Polic... [no]
15 Install REST Services? [yes]
16 List of License Servers [*]
19 Path to Password Safe 'pkrun' binary []
23 Install Synchronization program? [yes]
25 Install Secure GUI Host? [yes]
26 Install Utilities: pbvi, pbnvi, pbmg, p... [yes]
27 Install pbksh? [yes]
28 Install pbsh? [yes]
29 Install man pages? [no]
30 Will this host use a Log Host? [yes]
31 AD Bridge Integration? [no]
37 Integration with BeyondInsight? [no]
55 Synchronization program can be initiate... [yes]
56 Daemons location [/usr/sbin]
57 Number of reserved spaces for submit pr... [80]
58 Administration programs location [/usr/sbin]
59 User programs location [/usr/local/bin]
60 GUI library directory [/usr/local/lib/pbbuilder]
61 Policy include (sub) file directory [/opt/pbul/policies]
62 Policy file name [/opt/pbul/policies/pb.conf]
65 Log Archive Storage Server name []
67 Log Archiver Database Server name []
69 Logfile Name Cache Database file path? [/opt/pbul/dbs/pblogcache.db]
70 REST Service installation directory? [/usr/lib/beyondtrust/pb/rest]
71 Install REST API sample code? [no]
73 Pblighttpd user [pblight]
75 Pblighttpd user UID []
76 Pblighttpd user GID []
78 Configure systemd? [yes]
79 Command line options for pbmasterd [-ar]
80 Policy Server Delay [500]
81 Policy Server Protocol Timeout [-1]
82 pbmasterd diagnostic log [/var/log/pbmasterd.log]
83 Eventlog filename [/var/log/pb.eventlog]
84 Configure eventlog rotation via size? []
85 Configure eventlog rotation path? []
86 Configure eventlog rotation via cron? [no]
87 Validate Submit Host Connections? [no]
88 List of Policy Servers to submit to [kandor]
89 pbrun diagnostic log? [none]
90 pbssh diagnostic log? [none]
91 Allow Local Mode? [yes]
92 Additional secured task checks? [no]
93 Suppress Policy Server host failover er... [yes]
94 List of Policy Servers to accept from [kandor]
95 pblocald diagnostic log [/var/log/pblocald.log]
96 Command line options for pblocald []
97 Syslog pblocald sessions? [no]
98 Record PTY sessions in utmp/utmpx? [yes]
99 Validate Policy Server Host Connections? [no]
100 List of Log Hosts [kandor]
101 Command line options for pblogd []
102 Log Host Delay [500]
103 Log Host Protocol Timeout [-1]
104 pblogd diagnostic log [/var/log/pblogd.log]
105 List of log reserved filesystems [none]
106 Number of free blocks per log system fi... [0]
107 Command line options for pbsyncd []
108 Sync Protocol Timeout [-1]
109 pbsyncd diagnostic log [/var/log/pbsyncd.log]
110 pbsync diagnostic log [/var/log/pbsync.log]
111 pbsync sychronization time interval (in... [15]
112 Add installed shells to /etc/shells [no]
113 pbksh diagnostic file [/var/log/pbksh.log]
114 pbsh diagnostic file [/var/log/pbsh.log]
115 Stand-alone pblocald command [none]
116 Stand-alone root shell default iolog [/pbshell.iolog]
121 Use syslog? [yes]
122 Syslog facility to use? [LOG_AUTHPRIV]
123 Base Daemon port number [24345]
124 pbmasterd port number [24345]
125 pblocald port number [24346]
126 pblogd port number [24347]
129 pbsyncd port number [24350]
130 REST Service port number [24351]
131 Add entries to '/etc/services' [yes]
132 Allow non-reserved port connections [yes]
133 Inbound Port range [1025-65535]
134 Outbound Port range [1025-65535]
137 Network encryption options [aes-256:keyfile=/etc/pb.key]
138 Event log encryption options [none]
139 I/O log encryption options [none]
140 Report encryption options [none]
141 Policy file encryption options [none]
142 Settings file encryption type [none]
143 REST API encryption options [aes-256:keyfile=/etc/pb.re...]
144 Configure with Kerberos v5? [no]
150 Enforce High Security Encryption? [yes]
151 Use SSL? [yes]
152 SSL Configuration? [requiressl]
153 SSL pbrun Certificate Authority Directory? [none]
154 SSL pbrun Certificate Authority File? [none]
155 SSL pbrun Cipher List? [HIGH:!SSLv2:!3DES:!MD5:@ST…]
156 SSL pbrun Certificate Directory? [none]
157 SSL pbrun Certificate File? [none]
158 SSL pbrun Private Key Directory? [none]
159 SSL pbrun Private Key File? [none]
160 SSL pbrun Certificate Subject Checks? [none]
161 SSL Server Certificate Authority Direct... [none]
162 SSL Server Certificate Authority File? [none]
163 SSL Server Cipher List? [HIGH:!SSLv2:!3DES:!MD5:@ST...]
164 SSL Server Certificate Directory? [none]
165 SSL Server Certificate File? [/etc/pbssl.pem]
166 SSL Server Private Key Directory? [none]
167 SSL Server Private Key File? [/etc/pbssl.pem]
168 SSL Server Certificate Subject Checks? [none]
169 SSL Certificate Country Code [US]
170 SSL Certificate State/Province [AZ]
171 SSL Certificate Location (Town/City) [Phoenix]
172 SSL Certificate Organizational Unit/Dep... [Security]
173 SSL Certificate Organization [BeyondTrust]
174 Configure Privilege Management for Unix... [no]
175 Install BeyondTrust built-in third-part... [yes]
176 BeyondTrust built-in third-party librar... [/usr/lib/beyondtrust/pb]
188 Use PAM? [no]
196 Allow Remote Jobs? [yes]
197 UNIX Domain Socket directory [none]
198 Reject Null Passwords? [no]
199 Enable TCP keepalives? [no]
200 Name Resolution Timeout [0]
N for the next menu page, P for the previous menu page, C to continue, X to exit
Please enter a menu option [For technical support call 1-800-234-9072]> c
no such map in server's domain
No submitmasters was specified and no NIS netgroup called pbsubmitmasters found
Endpoint Privilege Management for Unix and Linux needs to know the submitmasters(s) to work.
The Endpoint Privilege Management for Unix and Linux programs need to know which Policy Server Host(s) you have decided to allow to act as submitmaster(s) for this machine. Submitmasters take requests for secured tasks from Submit Hosts, accept or reject them, and pass the accepted requests to a Run Host. To locate submitmasters, programs look for a setting in the settings file containing the names of the submitmaster machines or a netgroup called pbsubmitmasters.
Enter Policy Server list (submitmasters): aix52-ca012-05.unix.beyondtrust.com
no such map in server's domain
No acceptmasters was specified and no NIS netgroup called pbacceptmasters found
Endpoint Privilege Management for Unix and Linux needs to know the acceptmasters(s) to work.
The Endpoint Privilege Management for Unix and Linux programs need to know which Policy Server Host(s) you have decided to allow to request execution of secured tasks to this machine. Hosts on the acceptmasters list are the Policy Server Hosts which are allowed to make secured task requests to this machine. To do this, programs look for a setting in the settings file containing the names of the acceptmasters machines or a netgroup called pbacceptmasters.
Enter Incoming Policy Server list (acceptmasters): aix52-ca012-05.unix.beyondtrust.com
no such map in server's domain
No log hosts was specified and no NIS netgroup called pblogservers found
Endpoint Privilege Management for Unix and Linux needs to know the log hosts(s) to work.
The Endpoint Privilege Management for Unix and Linux programs need to know which machine(s) you have selected as Log Host(s). Log Hosts are hosts which Policy Servers select for Run Hosts to do event and I/O logging. To do this, pbmasterd looks for the setting logservers in the settings file. This setting contains the names of the Log Host machines or a netgroup.
Current installation settings for Log Server(s):
Enter Log Server list (logservers): aix52-ca012-05.unix.beyondtrust.com
Generating key file /opt/bt_pkg/powerbroker/v9.4/pmul_aix52+_9.4.3-18/install/settings_files/pb.key...
Are all the installation settings correct [yes]?
Generating config file /opt/bt_pkg/powerbroker/v9.4/pmul_aix52+_9.4.3-18/install/settings_files/pb.cfg
Creating the settings file creation script
Running settings file creation script
Creating settings file /opt/bt_pkg/powerbroker/v9.4/pmul_aix52+_9.4.3-18/install/settings_files/pb.settings
Generated settings files are in directory: /opt/bt_pkg/powerbroker/v9.4/pmul_aix52+_9.4.3-18/install/settings_files
Endpoint Privilege Management for Unix and Linux Settings File Generation completed successfully.
Install Component Packages Using the installp Command
This section shows the execution of the installp command to install component packages for the submit host, run host, and shared libraries.
The execution text also includes copyright, trademark, trade secrets, and other legal text; however, those notices and text were removed from the following excerpt to save space:
Example
# cd /opt/bt_pkg/powerbroker/v9.4/pbul_aix52+_9.4.3-18/package
# installp -ad ./ powerbroker.sharedlibs powerbroker.common powerbroker.runhost powerbroker.submithost
+-----------------------------------------------------------------------------+
Pre-installation Verification...
+-----------------------------------------------------------------------------+
Verifying selections...done
Verifying requisites...done
Results...
SUCCESSES
---------
Filesets listed in this section passed pre-installation verification and will be installed.
Selected Filesets
-----------------
powerbroker.common 9.4.3.18 # BeyondTrust PowerBroker Comm...
powerbroker.runhost 9.4.3.18 # BeyondTrust PowerBroker Run ...
powerbroker.sharedlibs 9.4.3.18 # BeyondTrust PowerBroker Shar...
powerbroker.submithost 9.4.3.18 # BeyondTrust PowerBroker Subm...
<< End of Success Section >>
+-----------------------------------------------------------------------------+
BUILDDATE Verification ...
+-----------------------------------------------------------------------------+
Verifying build dates...done
FILESET STATISTICS
------------------
4 Selected to be installed, of which:
4 Passed pre-installation verification
----
4 Total to be installed
+-----------------------------------------------------------------------------+
Installing Software...
+-----------------------------------------------------------------------------+
installp: APPLYING software for:
powerbroker.common 9.4.3.18
Filesets processed: 1 of 4 (Total time: 1 secs).
installp: APPLYING software for:
powerbroker.runhost 9.4.3.18
Filesets processed: 2 of 4 (Total time: 3 secs).
installp: APPLYING software for:
powerbroker.submithost 9.4.3.18
sysck: 3001-036 WARNING: File /usr/lib//libpbul_aca-xcoff64.so is also owned by fileset powerbroker.runhost.
sysck: 3001-036 WARNING: File /usr/share/man/man8/pbclienthost_uuid.8 is also owned by fileset powerbroker.runhost.
sysck: 3001-036 WARNING: File /usr/lib//libpbul_aca-xcoff32.so is also owned by fileset powerbroker.runhost.
sysck: 3001-036 WARNING: File /usr/sbin/pbclienthost_uuid is also owned by fileset powerbroker.runhost.
Filesets processed: 3 of 4 (Total time: 4 secs).
installp: APPLYING software for:
powerbroker.sharedlibs 9.4.3.18
Finished processing all filesets. (Total time: 5 secs).
+-----------------------------------------------------------------------------+
Summaries:
+-----------------------------------------------------------------------------+
Installation Summary
--------------------
Name Level Part Event Result
-------------------------------------------------------------------------------
powerbroker.common 9.4.3.18 USR APPLY SUCCESS
powerbroker.runhost 9.4.3.18 USR APPLY SUCCESS
powerbroker.submithost 9.4.3.18 USR APPLY SUCCESS
powerbroker.sharedlibs 9.4.3.18 USR APPLY SUCCESS
Install the Configuration Package Using the installp Command
This section shows the execution of the AIX installp -ad command to install the configuration package. Following installation of the configuration package, the installation is verified by submitting the pbrun id command to Endpoint Privilege Management for Unix and Linux, and the AIX lslpp -l |grep powerbroker command is used to list the Endpoint Privilege Management for Unix and Linux packages that are installed.
The execution text also includes copyright, trademark, trade secrets, and other legal text; however, those notices and text were removed from the following excerpt to save space:
Example
# cd /opt/bt_pkg/powerbroker/v9.4/pbul_aix52+_9.4.3-18/install
# installp -ad ./ powerbroker.configCLIENT1-9.4.3.18.bff
+-----------------------------------------------------------------------------+
Pre-installation Verification...
+-----------------------------------------------------------------------------+
Verifying selections...done
Verifying requisites...done
Results...
SUCCESSES
---------
Filesets listed in this section passed pre-installation verification and will be installed.
Selected Filesets
-----------------
powerbroker.configCLIENT1 9.4.3.18 # BeyondTrust PowerBroker Unix...
<< End of Success Section >>
+-----------------------------------------------------------------------------+
BUILDDATE Verification ...
+-----------------------------------------------------------------------------+
Verifying build dates...done
FILESET STATISTICS
------------------
1 Selected to be installed, of which:
1 Passed pre-installation verification
----
1 Total to be installed
+-----------------------------------------------------------------------------+
Installing Software...
+-----------------------------------------------------------------------------+
installp: APPLYING software for:
powerbroker.configCLIENT1 9.4.3.18
Reading pb.cfg...
Checking installation of dependent component packages...
'lppchk -f/-c' of package powerbroker.common succeeded
'lppchk -f/-c' of package powerbroker.runhost succeeded
'lppchk -f/-c' of package powerbroker.submithost succeeded
'lppchk -f/-c' of package powerbroker.sharedlibs succeeded
Looking for SuperDaemons to configure...
Finished looking for SuperDaemons to configure...
Removing PowerBroker service definitions (if any) from /etc/services.
Adding PowerBroker service definitions to /etc/services.
Removing any PowerBroker definitions from SuperDaemon inetd file /etc/inetd.conf
Adding PowerBroker definitions to SuperDaemon configurations /etc/inetd.conf.
Reloading SuperDaemon Configurations...
0513-095 The request for subsystem refresh was completed successfully.
Done Reloading SuperDaemon Configurations...
Updating Settings in database (if any)...
Checking installation of package: powerbroker.configCLIENT1
'lppchk -f/-c' of package powerbroker.configCLIENT1 succeeded
Finished processing all filesets. (Total time: 5 secs).
+-----------------------------------------------------------------------------+
Summaries:
+-----------------------------------------------------------------------------+
Installation Summary
--------------------
Name Level Part Event Result
-------------------------------------------------------------------------------
powerbroker.configCLIENT1 9.4.3.18 USR APPLY SUCCESS
powerbroker.configCLIENT1 9.4.3.18 ROOT APPLY SUCCESS
View a List of Installed EPM-UL Packages
To view a list of the installed Endpoint Privilege Management for Unix and Linux packages, do the following:
# lslpp -l | grep powerbroker
A list similar to the one in the example below appears. The Endpoint Privilege Management for Unix and Linux configuration package appears twice because there are usr and root package portions.
Example
powerbroker.common 9.4.3.18 COMMITTED BeyondTrust PowerBroker Common
powerbroker.configCLIENT1
powerbroker.runhost 9.4.3.18 COMMITTED BeyondTrust PowerBroker Run
powerbroker.sharedlibs 9.4.3.18 COMMITTED BeyondTrust PowerBroker Shared
powerbroker.submithost 9.4.3.18 COMMITTED BeyondTrust PowerBroker Submit
powerbroker.configCLIENT1
Perform a cursory test of EPM-UL on the AIX global environment
To perform a cursory test of Endpoint Privilege Management for Unix and Linux on the AIX global environment, type the following:
# pbrun id
Results such as those shown in the example below are displayed:
Example
uid=0(root) gid=0(system) groups=2(bin),3(sys),7(security),8(cron),10(audit),11(lp),4(adm),1(staff),6(mail),501(amanda)
View a list of WPARs
WPARs are a new feature of AIX and exist only in AIX v6.1 and higher. To view a list of WPARs, type the following:
# lswpar
A list similar to the one in the example below appears:
Example
Name State Type Hostname Directory
---------------------------------------------
wpar01 A S wpar01 /wpars/wpar01
Use syncwpar to Propagate Additional Packages to Shared WPARs
The syncwpar command synchronizes all packages between the AIX global environment and shared workload partitions (WPARs). This section shows how to use syncwpar to propagate additional AIX global environment packages to shared WPARs. WPARs are a feature that exists only in AIX v6.1 and later.
Example
# syncwpar wpar01
*******************************************************************************
Synchronizing workload partition wpar01 (1 of 1).
*******************************************************************************
Executing /usr/sbin/syncroot in workload partition wpar01.
syncroot: Processing root part installation status.
syncroot: Synchronizing installp software.
+-----------------------------------------------------------------------------+
Pre-installation Verification...
+-----------------------------------------------------------------------------+
Verifying selections...done
Verifying requisites...done
Results...
SUCCESSES
---------
Filesets listed in this section passed pre-installation verification and will be installed.
Selected Filesets
-----------------
powerbroker.configClient 6.2.0.1 # BeyondTrust PowerBroker Conf...
<< End of Success Section >>
+-----------------------------------------------------------------------------+
BUILDDATE Verification ...
+-----------------------------------------------------------------------------+
Verifying build dates...done
FILESET STATISTICS
------------------
1 Selected to be installed, of which:
1 Passed pre-installation verification
----
1 Total to be installed
+-----------------------------------------------------------------------------+
Installing Software...
+-----------------------------------------------------------------------------+
installp: APPLYING software for:
powerbroker.configClient 6.2.0.1
Reading pb.cfg...
Checking installation of dependent component packages...
'lppchk -f/-c' of package powerbroker.common succeeded
'lppchk -f/-c' of package powerbroker.runhost succeeded
'lppchk -f/-c' of package powerbroker.submithost succeeded
'lppchk -f/-c' of package powerbroker.sharedlibs succeeded
Looking for SuperDaemons to configure...
Finished looking for SuperDaemons to configure...
Removing PowerBroker service definitions (if any) from /etc/services.
Adding PowerBroker service definitions to /etc/services.
Removing any PowerBroker definitions from SuperDaemon inetd file /etc/inetd.conf
Adding PowerBroker definitions to SuperDaemon configurations /etc/inetd.conf.
Reloading SuperDaemon Configurations...
0513-095 The request for subsystem refresh was completed successfully.
Done Reloading SuperDaemon Configurations...
Checking installation of package: powerbroker.configClient
'lppchk -f/-c' of package powerbroker.configClient succeeded
Finished processing all filesets. (Total time: 2 secs).
+-----------------------------------------------------------------------------+
Summaries:
+-----------------------------------------------------------------------------+
Installation Summary
--------------------
Name Level Part Event Result
-------------------------------------------------------------------------------
powerbroker.configClient 6.2.0.1 ROOT APPLY SUCCESS
syncroot: Processing root part installation status.
syncroot: Installp root packages are currently synchronized.
syncroot: RPM root packages are currently synchronized.
syncroot: Root part is currently synchronized.
syncroot: Returns Status = SUCCESS
Workload partition wpar01 synchronized successfully.
Return Status = SUCCESS.
Log in to shared WPARs
Workload partitions (WPARs) are a feature that exists only in AIX v6.1 and higher.
To log in to shared WPARs, type the following:
# clogin wpar01
A welcome message such as the one shown in the example below is displayed:
Example
* * * Welcome to AIX Version 6.1! * * *
Run a cursory test of EPM-UL on a shared WPAR system
Workload partitions (WPARs) are a feature that exists only in AIX v6.1 and higher.
To run a cursory test of Endpoint Privilege Management for Unix and Linux on a shared WPAR system, type the following:
# pbrun id
Results such as those shown in the example below are displayed:
Example
uid=0(root) gid=0(system) groups=2(bin),3(sys),7(security),8(cron),10(audit),11(lp)
Sample Removal of an AIX Package Installation
This section shows the execution of the AIX installp -u command to remove the Endpoint Privilege Management for Unix and Linux packages.
Example
# installp -u powerbroker
+-----------------------------------------------------------------------------+
Pre-deinstall Verification...
+-----------------------------------------------------------------------------+
Verifying selections...done
Verifying requisites...done
Results...
SUCCESSES
---------
Filesets listed in this section passed pre-deinstall verification and will be removed.
Selected Filesets
-----------------
powerbroker.common 9.4.3.18 # BeyondTrust PowerBroker Comm...
powerbroker.configCLIENT1 9.4.3.18 # BeyondTrust PowerBroker Unix...
powerbroker.runhost 9.4.3.18 # BeyondTrust PowerBroker Run ...
powerbroker.sharedlibs 9.4.3.18 # BeyondTrust PowerBroker Shar...
powerbroker.submithost 9.4.3.18 # BeyondTrust PowerBroker Subm...
<< End of Success Section >>
FILESET STATISTICS
------------------
5 Selected to be deinstalled, of which:
5 Passed pre-deinstall verification
----
5 Total to be deinstalled
+-----------------------------------------------------------------------------+
Deinstalling Software...
+-----------------------------------------------------------------------------+
installp: DEINSTALLING software for:
powerbroker.configCLIENT1 9.4.3.18
Reading pb.cfg...
Looking for SuperDaemons to configure...
Finished looking for SuperDaemons to configure...
Removing PowerBroker service definitions (if any) from /etc/services.
Removing any PowerBroker definitions from SuperDaemon inetd file /etc/inetd.conf
Reloading SuperDaemon Configurations...
0513-095 The request for subsystem refresh was completed successfully.
Done Reloading SuperDaemon Configurations...
Filesets processed: 1 of 5 (Total time: 6 secs).
installp: DEINSTALLING software for:
powerbroker.runhost 9.4.3.18
Filesets processed: 2 of 5 (Total time: 6 secs).
installp: DEINSTALLING software for:
powerbroker.sharedlibs 9.4.3.18
Filesets processed: 3 of 5 (Total time: 7 secs).
installp: DEINSTALLING software for:
powerbroker.submithost 9.4.3.18
Filesets processed: 4 of 5 (Total time: 7 secs).
installp: DEINSTALLING software for:
powerbroker.common 9.4.3.18
Removing /opt/pbul
Finished processing all filesets. (Total time: 8 secs).
+-----------------------------------------------------------------------------+
Summaries:
+-----------------------------------------------------------------------------+
Installation Summary
--------------------
Name Level Part Event Result
-------------------------------------------------------------------------------
powerbroker.configCLIENT1 9.4.3.18 ROOT DEINSTALL SUCCESS
powerbroker.configCLIENT1 9.4.3.18 USR DEINSTALL SUCCESS
powerbroker.runhost 9.4.3.18 USR DEINSTALL SUCCESS
powerbroker.sharedlibs 9.4.3.18 USR DEINSTALL SUCCESS
powerbroker.submithost 9.4.3.18 USR DEINSTALL SUCCESS
powerbroker.common 9.4.3.18 USR DEINSTALL SUCCESS
Example using syncwpar to propagate package removal from shared WPARs
The syncwpar command synchronizes all packages between the AIX global environment and shared workload partitions (WPARs). This section shows an example of how to use the syncwpar command to propagate removal of AIX global environment packages from shared WPARs. WPARs are a feature that exists only in AIX v6.1 and higher.
Note
When syncwpar is run and an Endpoint Privilege Management configuration package is removed, the following message may display:
"inulag: The file system has read permission only."
This message can be ignored.
Example
# syncwpar wpar01
*******************************************************************************
Synchronizing workload partition wpar01 (1 of 1).
*******************************************************************************
Executing /usr/sbin/syncroot in workload partition wpar01.
syncroot: Processing root part installation status.
syncroot: Synchronizing installp software.
+-----------------------------------------------------------------------------+
Pre-deinstall Verification...
+-----------------------------------------------------------------------------+
Verifying selections...done
Verifying requisites...done
Results...
SUCCESSES
---------
Filesets listed in this section passed pre-deinstall verification and will be removed.
Selected Filesets
-----------------
powerbroker.configClient 6.2.0.1 # BeyondTrust PowerBroker Conf...
<< End of Success Section >>
FILESET STATISTICS
------------------
1 Selected to be deinstalled, of which:
1 Passed pre-deinstall verification
----
1 Total to be deinstalled
+-----------------------------------------------------------------------------+
Deinstalling Software...
+-----------------------------------------------------------------------------+
installp: DEINSTALLING software for:
powerbroker.configClient 6.2.0.1
Reading pb.cfg...
Looking for SuperDaemons to configure...
Finished looking for SuperDaemons to configure...
Removing PowerBroker service definitions (if any) from /etc/services.
Removing any PowerBroker definitions from SuperDaemon inetd file /etc/inetd.conf
Reloading SuperDaemon Configurations...
0513-095 The request for subsystem refresh was completed successfully.
Done Reloading SuperDaemon Configurations...
inulag: The file system has read permission only.
Finished processing all filesets. (Total time: 1 secs).
+-----------------------------------------------------------------------------+
Summaries:
+-----------------------------------------------------------------------------+
Installation Summary
--------------------
Name Level Part Event Result
-------------------------------------------------------------------------------
powerbroker.configClient 6.2.0.1 ROOT DEINSTALL SUCCESS
syncroot: Processing root part installation status.
syncroot: Installp root packages are currently synchronized.
syncroot: RPM root packages are currently synchronized.
syncroot: Root part is currently synchronized.
syncroot: Returns Status = SUCCESS
Workload partition wpar01 synchronized successfully.
Return Status = SUCCESS.
Verify removal of Endpoint Privilege Management for Unix and Linux packages
To verify that all Endpoint Privilege Management for Unix and Linux packages were removed, type the following:
# lslpp -l | grep powerbroker
If all packages are removed, results such as those shown in the example below are displayed:
Example
# <no output.>
HP-UX package installer
This section describes how to install Endpoint Privilege Management for Unix and Linux using a package installer for HP-UX 11i v1, 11i v2, or 11i v3. Use the HP-UX package installation if you want to install Endpoint Privilege Management for Unix and Linux using the HP-UX Software Distributor (SD) on a local or remote computer.
Note
The Endpoint Privilege Management for Unix and Linux HP-UX package installer described here is not compatible with the Endpoint Privilege Management version 5 HP-UX depots. If the Endpoint Privilege Management version 5 HP-UX depots are installed, you must remove them before installing the Endpoint Privilege Management for Unix and Linux version 6 HP-UX depots.
Prerequisites
To use the Endpoint Privilege Management for Unix and Linux HP-UX package installer, you must have the following:
- Package tarball file for the appropriate Endpoint Privilege Management for Unix and Linux flavor
Note
For the Endpoint Privilege Management for Unix and Linux HP-UX package installer, the tarball files are cumulative. That is, an update tarball file contains a complete installation. It is not necessary to install a baseline version of Endpoint Privilege Management for Unix and Linux before installing an update.
- Root access or superuser privileges
Note
The Endpoint Privilege Management for Unix and Linux HP-UX package installer does not support prefix/suffix installations.
Plan your installation
When preparing to use the Endpoint Privilege Management for Unix and Linux HP-UX package installer, you should be familiar with the following concepts and restrictions:
- Depots and Filesets: HP-UX packaged software is delivered as a single file called a depot (.depot) file. A depot can be thought of as a compressed file that contains one or more filesets. A fileset is a component of the software and may contain many files. Installing an HP-UX depot extracts the files from the filesets and writes them to the appropriate directory locations.
- Component depot and component filesets: an Endpoint Privilege Management for Unix and Linux component fileset is a part of the Endpoint Privilege Management for Unix and Linux component depot that installs a portion of the Endpoint Privilege Management for Unix and Linux application. There are seven Endpoint Privilege Management for Unix and Linux component filesets. In the following list, arch is the architecture of the target platform; for example, ia64A.
- PowerBroker-arch.LOGHOST: Contains log host, pbsync, and pbsyncd.
- PowerBroker-arch.SHAREDLIBS: Contains shared libraries.
- PowerBroker-arch.RESTHOST: Contains REST API files.
- PowerBroker-arch.RNSSVR: Contains Registry Name Service files.
- PowerBroker-arch.LICSVR: Contains license server files.
- PowerBroker-arch.MASTERHOST: Contains policy server host, pbsync, and pbsyncd.
- PowerBroker-arch.SUBMITHOST: Contains submit host and Endpoint Privilege Management for Unix and Linux shells.
- PowerBroker-arch.RUNHOST: Contains run host and Endpoint Privilege Management for Unix and Linux utilities.
Which component filesets are required depends on the type of Endpoint Privilege Management for Unix and Linux host you create, such as policy server host, submit host, and so on. You can select the types of hosts in the pbinstall installation menu, as shown in the following table:
Menu Selection | Required Components |
---|---|
Install everything here (demo mode)? = Yes | MASTERHOST RUNHOST SUBMITHOST LOGHOST GUIHOST SHAREDLIBS |
Install Policy Server Host? = Yes | MASTERHOST |
Install Run Host? = Yes | RUNHOST |
Install Submit Host? = Yes | SUBMITHOST |
Install Log Host? = Yes | LOGHOST |
Install BeyondTrust built-in third-party libraries? = Yes | SHAREDLIBS |
Install Registry Name Services Server? [yes] | RNSSVR |
Install License Server? [yes] | LICSVR |
- Configuration depot: HP-UX depot (separate from the component depot) that is used to install the following files:
- pb.settings: Hardcoded target location /etc/pb.settings
- pb.cfg: Hardcoded target location /etc/pb.cfg
- All the encryption keyfiles defined for networkencryption, eventlogencryption, iologencryption, reportencryption, policyencryption, and restkeyencryption
- By default, two key files are created: pb.key and pb.rest.key
- The sysadmin can define multiple encryption settings with different keyfiles in locations other than /etc. To upgrade and retain settings on the target machine, view all encryption settings in /etc/pb.settings and copy the files to the settings_files directory before running pbinstall -z and pbcreate*cfgpkg.
- pb.conf (for policy server hosts)
- Diagnostic log files
The Endpoint Privilege Management for Unix and Linux configuration depot is created by the pbcreatehpuxcfgpkg program. The component filesets must be copied to the SD depot using the swcopy command before you copy the configuration fileset to the distribution depot.
- SD Depot: The SD depot is the software distribution depot, to which software depots are copied by using the HP-UX swcopy command prior to the installation of their filesets. By default, /var/spool/sw is the location of the SD depot.
- pbinstall program: To create the Endpoint Privilege Management for Unix and Linux settings files, you use the pbinstall program with the -z (settings only) option. pbinstall -z only creates the settings files and is incompatible with the following command line options:
Option | Description |
---|---|
-b | Runs pbinstall in batch mode. |
-c | Skip the steps that process or update the Endpoint Privilege Management for Unix and Linux settings file. |
-e | Runs install script automatically by bypassing the menu step of pbinstall. |
-i | Ignores previous pb.settings and pb.cfg files. |
-p | Sets the pb installation prefix. |
-s | Sets the pb installation suffix. |
-u | Install the utility programs. |
-x | Creates a log synchronization host (that is, installs pbsyncd). |
When you execute pbinstall with the -z option, you can see two menu items that are not otherwise available:
- Enter existing pb.settings path: Enables you to specify your own pb.settings file. pbinstall reads this settings file and populates the remaining menu choices. You can override some menu choices. If set to none, then pbinstall does not read a settings file. The remaining menu choices are populated with default values.
- Enter directory path for settings file creation: Enables you to specify an alternative output directory for the settings files. The default directory is /unzip-dir/powerbroker/version//install/settings_files, where unzip-dir is the directory where the package tarball file was unzipped and version is the Endpoint Privilege Management for Unix and Linux version number.
The behavior of pbinstall -z depends on whether certain additional command line options are specified:
- If no other command line options are specified, pbinstall initially presents a short version of the installation menu (items 1–8 only). Depending on the choices you make in these items, further menu items become available.
- If command line options -g, -l, -m, -o, -r, or -w are specified, pbinstall presents an expanded version of the installation menu that reflects the host types that you are configuring.
When running pbinstall with the -z option, the following menu items are preprogrammed and cannot be changed:
- Install man pages?
- Daemon location
- Administration programs location
- User programs location
- GUI library directory
- Policy include (sub) file directory
- User man page location
- Admin man page location
- Policy filename
- BeyondTrust built-in third-party library directory
In addition, the values of the following menu items determine the values of other menu items:
Options Preset When Running pbinstall -z | |
---|---|
Setting this menu option to Yes | Sets these values to Yes |
Install Policy Server Host? | Install Synchronization? Synchronization can be initiated from this host? |
Install Run Host? | Install Utilities? |
Install Submit Host? | Install PBSSH? Install pbksh? Install pbsh? Will this host use a Log Host? |
Install Log Host? | Install Synchronization? Synchronization can be initiated from this host? |
If you plan to use Registry Name Service and are running pbinstall -z on a client host (non-primary server), you must perform client registration. This is necessary to properly set up the registry name service database. Client registration also requires that you collect from the Endpoint Privilege Management for Unix and Linux primary server the following information:
- REST Application ID
- REST Application Key
- Primary server network name or IP address
- Primary License Server REST TCP/IP port
- Registration Client Profile name
Note
If you are using the package installer to install Endpoint Privilege Management for Unix and Linux on a computer that already has an interactive Endpoint Privilege Management for Unix and Linux installation on it, see Installation Considerations for additional considerations.
RNS client registration: If Registry Name Services is enabled for Endpoint Privilege Management for Unix and Linux, each client host (after the first server installation) needs to be registered with the Primary Registry Name Server. When using package installers on a target host, a post-install configuration script (/opt/pbul/scripts/pbrnscfg.sh) is provided to be manually executed on that host to properly register it. This post-install configuration script asks for information about the Primary Registry Name Server, including the Application ID (appid), Application Key (appkey), address/domain name, and the REST TCP/IP port number. This is the same information provided during the client registration part of a pbinstall -z install which generates the settings file.
If you prefer a more convenient method of registering RNS clients, where the post-install configuration script is non-interactive, Endpoint Privilege Management for Unix and Linux can save the relevant information in a hidden file during the settings-only run of pbinstall, bundle it with the configuration package, and automatically apply it to the target host when that package is installed. This method is not secure, because the registration information is stored in the configuration package; it is available if the security-convenience trade-off is acceptable. To enable it, refer to the question about the post-install configuration script that is displayed when running pbinstall -z.
Note
For more complete pbinstall command-line options, see Installation Programs.
Overview of steps
Using the Endpoint Privilege Management for Unix and Linux HP-UX package installer involves the following steps.
- Unpack the Endpoint Privilege Management for Unix and Linux HP-UX package tarball file.
- Use the pbinstall program to create Endpoint Privilege Management for Unix and Linux settings files.
- Use the pbcreatehpuxcfgpkg program to create the Endpoint Privilege Management for Unix and Linux configuration depot.
- Use the HP-UX swcopy command to copy the Endpoint Privilege Management for Unix and Linux component depot to the desired SD depot.
- Use the HP-UX swcopy command to copy the Endpoint Privilege Management for Unix and Linux configuration depot to the desired SD depot.
- Use the HP-UX swinstall command to install the Endpoint Privilege Management for Unix and Linux configuration depot. The dependencies that are identified in the configuration fileset will cause the appropriate component filesets to be installed as well.
- If Registry Name Service is enabled and installed on a non-primary server, run /opt/pbul/scripts/pbrnscfg.sh to register the host.
Installation procedure
To install Endpoint Privilege Management for Unix and Linux using the HP-UX SD feature, do the following:
- Extract the package tarball files into the /unzip-dir/ directory by executing the following command:
gunzip -c pmul_<flavor_version>_pkg.tar.Z | tar xvf -
- Navigate to the /unzip-dir/powerbroker/version/flavor/install/ directory.
- Execute the following command:
./pbinstall -z
You are asked if you want to use client registration. If you plan to enable Registry Name Service, and install on a host that is not designated as a primary server, you must run client registration.
pbinstall then asks if you want to enable Registry Name Service.
pbinstall displays the Endpoint Privilege Management for Unix and Linux installation menu.
- Make your menu selections. Note that the Enter existing pb.settings path menu option enables you to specify your own pb.settings file to use. Also, the Enter directory path for settings file creation menu option enables you to specify where to save the generated settings files. These menu options are available only when running pbinstall with the -z option. When the menu selection process is complete, pbinstall creates the following files in the specified location:
- pb.settings
- pb.cfg
- pb.key (if encryption is enabled)
- pb.conf (for policy server host)
- pbpolicykey.pem and pbpolicypubcert.pem (for Policy Server hosts with Cached Policy feature enabled)
- Optional. For an Endpoint Privilege Management for Unix and Linux client, if client-server communications are to be encrypted, replace the generated pb.key file with the pb.key file from the policy server host. Also, copy any other required key files into the same directory.
- Optional. For a policy server host, write a policy file (pb.conf) and place it in the directory with the other generated files. If you do not provide a pb.conf file, a pb.conf file with the single command reject; is generated and packaged.
Starting with v8.0, pbinstall -z can optionally install the default role-based policies and asks:
Installing default role-based policy pbul_policy.conf and pbul_functions.conf in <install_dir>/settings_files Would you like to use the default role-based policy in the configuration package?
Answer Yes for new installs only.
If you are upgrading an existing configuration package, to avoid overwriting your existing policy, answer No.
Use the default role-based policy [Y]?
If you answer Yes, the default pb.conf, pbul_policy.conf and pbul_functions.conf are created and installed on the policy server.
If you are installing over an existing installation, and have an existing policy in place, answer No.
- Navigate to the /unzip-dir/powerbroker/version/flavor/install/ directory.
- Run the pbcreatehpuxcfgpkg utility by typing:
pbcreatehpuxcfgpkg [-d] -p depot-fileset-name -s directory
where:
- -d is an option that sets the component fileset dependency to hppaD rather than the default hppaB.
- depot-fileset-name is a user-specified name for the configuration fileset. The resulting fileset is PowerBroker-Cfg.depot-fileset-name.
- directory is the directory that contains the Endpoint Privilege Management for Unix and Linux settings and configuration files to include in the configuration fileset.
The pbcreatehpuxcfgpkg utility creates the configuration depot with the file name PowerBroker-Cfg-version.depot-fileset-name.depot.
- Navigate to the /unzip-dir/powerbroker/version/flavor/package/ directory.
- Run the HP-UX swcopy utility to copy the Endpoint Privilege Management for Unix and Linux component depot to the desired SD depot by typing:
swcopy -s /path/PowerBroker-arch.depot PowerBroker-arch.FILESET [@ sd-directory]
where
- path is the absolute path to the directory that contains the Endpoint Privilege Management for Unix and Linux component depot.
- arch is the target platform architecture.
- FILESET is the specific fileset to be copied; alternatively, use \* instead of PowerBroker-arch.FILESET to copy all filesets.
- sd-directory is the desired SD directory; if you omit @ sd-directory, the default /var/spool/sw is used.
Example
To copy only the log host component fileset:
# swcopy -s /unzip-dir/powerbroker/v9.4/pmul_hpux.hppa64_9.4.3/package/PowerBroker-hppa64-9.4.3.06.depot PowerBroker-hppa64.LOGHOST @ /var/spool/sw
Example
To copy the log host and policy server host component filesets to the default SD depot:
# swcopy -s /unzip-dir/powerbroker/v9.4/pmul_hpux.hppa64_9.4.3-06/package/PowerBroker-hppa64-9.4.3.06.depot PowerBroker-hppa64.LOGHOST PowerBroker-hppa64.MASTERHOST
Example
To copy all component filesets to the default SD depot:
# swcopy -s /unzip-dir/powerbroker/v9.4/pmul_hpux.hppa64_9.4.3-06/package/PowerBroker-hppa64-9.4.3.06.depot \*
- Run the HP-UX swcopy utility to copy the Endpoint Privilege Management for Unix and Linux configuration fileset to the desired SD depot.
Example
# swcopy -s /unzip-dir/powerbroker/v9.4/pmul_hpux.hppa64_9.4.3-06/install/PowerBroker-Cfg-9.4.3.06.CLIENT.depot PowerBroker-Cfg.CLIENT @ /var/spool/sw
- Run the HP-UX swinstall utility to install the Endpoint Privilege Management for Unix and Linux configuration fileset by typing:
swinstall PowerBroker-Cfg.depot-fileset-name
Note
depot-fileset-name is the configuration fileset name specified when the Endpoint Privilege Management for Unix and Linux configuration package is created in step 8. Any component dependencies that are identified by the configuration fileset are automatically installed as well.
Note
If you attempt to install filesets from more than one flavor onto a single system, the installation fails with an error message.
- Verify the installation of the filesets with the HP-UX swverify utility by typing one of the following commands:
swverify PowerBroker-arch
swverify PowerBroker-Cfg
- If Registry Name Service is enabled and installed on a non-primary server, register the host with the Primary Registry Name Server using a post-install configuration script. Gather the Application ID, Application Key, network name or IP address, and REST TCP/IP port of the primary server, then run the script to register the host and follow the prompts:
/opt/pbul/scripts/pbrnscfg.sh
Note
Many of the HP-UX depot management commands display a message regarding where to find a log file that contains additional information. We recommend that you look at these log files, because some important diagnostic information appears in the log file but not in the utility’s standard output.
Note
For more information, see the following:
- Plan your installation
- Installation Process
- pbcreatehpuxcfgpkg
Remove EPM-UL filesets
Removing the depots completely uninstalls Endpoint Privilege Management for Unix and Linux from a computer. Because the component filesets are dependencies of the configuration fileset, the configuration fileset must be removed first.
To remove the Endpoint Privilege Management for Unix and Linux filesets, do the following:
- Remove the Endpoint Privilege Management for Unix and Linux configuration fileset by typing:
swremove PowerBroker-Cfg.depot-fileset-name
Note
depot-fileset-name is the name of the fileset that you specified when you created the configuration depot.
- Remove the Endpoint Privilege Management for Unix and Linux component filesets by typing:
swremove PowerBroker-arch
Note
You can remove the configuration and component filesets in the same command, for example:
swremove PowerBroker-Cfg.FILESET PowerBroker-arch
Remote installation
Because the HP-UX SD system uses a daemon for software administration, you can install from a local depot to a remote machine, or install from a remote depot to a local machine. Additionally, you can install a depot to an alternate root and then remount the alternate root as an actual root on another node.
To install a depot on a remote system, you must have ACL access to that remote system; you can use the swacl command to manage these access controls. Use the @ argument with the swinstall command.
Example
swinstall PowerBroker-hppaB @ remotehost:/
To install a depot on an alternate root, you also use the @ argument.
Example
swinstall PowerBroker-hppaB @ /export/shared_root/node1
Note
For alternate root installation, you must run the swconfig utility on the actual node, after the alternate root is remounted as the node’s actual root.
Note
For more information, see the man pages for the HP-UX SD commands.
Updating EPM-UL with Update Depots
The Endpoint Privilege Management for Unix and Linux HP-UX package installer can be used to update an existing Endpoint Privilege Management for Unix and Linux installation to a new version. The existing Endpoint Privilege Management for Unix and Linux version should have been installed using the Endpoint Privilege Management for Unix and Linux package installer.
Update depot considerations
Installing an Endpoint Privilege Management for Unix and Linux update depot is similar to using the HP-UX package installer to install Endpoint Privilege Management for Unix and Linux for the first time. Keep these considerations in mind when you prepare to upgrade Endpoint Privilege Management for Unix and Linux:
- An Endpoint Privilege Management for Unix and Linux HP-UX update depot contains a complete Endpoint Privilege Management for Unix and Linux installation, not just the files that have changed since the previous release.
- Each Endpoint Privilege Management for Unix and Linux update depot is cumulative; that is, it includes all previous update filesets that BeyondTrust released since the baseline version. Therefore, there is no need to install the previous update depots.
- A newer release can introduce features that use new settings or configurations. In that case, the Endpoint Privilege Management for Unix and Linux configuration package also needs to be upgraded.
Unlike Endpoint Privilege Management for Unix and Linux patches that are installed with pbpatchinstall, update filesets cannot be rolled back to a previous release. However, you can install an older fileset over a newer one, effectively rolling back to the older release.
Update depot procedure
Follow this procedure to update your installation of Endpoint Privilege Management for Unix and Linux using the update depots:
- Obtain the tarball file for the HP-UX update depots that are appropriate for your hardware. The tarball file name has the format pmul_-v.v.r-bb-update_pkg.tar.Z, where:
- indicates the operating system and hardware architecture.
- v.v.r is the major and minor version number and the release number.
- bb is the build number.
- Extract the depot files into the /unzip-dir/ directory by executing the following command:
tar xvfz pmul_<flavor_version>-update_pkg.tar.Z
- Navigate to the /unzip-dir/powerbroker/v//install/ directory
- Create the settings_files directory and change directory to that location.
- To retain or correctly update the settings of the current installation, copy the following files from the target installation host into the settings_files directory you created in step 4:
- /etc/pb.settings
- /etc/pb.cfg
- encryption keys defined in pb.settings for networkencryption, eventlogencryption, iologencryption, reportencryption, policyencryption, and restkeyencryption settings (if enabled)
Note
In a default installation, there are typically 2 key files created: pb.key and pb.rest.key.
- policy file defined in policyfile setting in pb.settings (if the target installation is a Policy Server)
Note
In a default installation, the policy file is located in /opt/pbul/policies/pb.conf.
- Execute the following command to verify and update the installation settings in the settings_files directory:
./pbinstall -z
- Create the upgrade configuration package by running the pbcreatehpuxcfgpkg utility:
pbcreatehpuxcfgpkg -p fileset-name
Use the current fileset-name of the installation to be upgraded. Use the fileset-name you provided during the initial package installation in step 8 of the Installation procedure.
Another way to find the fileset-name is to run the following command on the target installation host to get the list of packages installed:
swlist PowerBroker\*
Identify the fileset-name of the Endpoint Privilege Management for Unix and Linux configuration package using this format:
PowerBroker-Cfg.<fileset-name>
- Navigate to the directory: /unzip-dir/powerbroker/version/flavor/package/
- Run the HP-UX swcopy utility to copy the Endpoint Privilege Management for Unix and Linux component depot to the desired SD depot by typing:
swcopy -s /path/PowerBroker-arch.depot PowerBroker-arch.FILESET [@ sd-directory]
where:
- path is the absolute path to the directory that contains the Endpoint Privilege Management for Unix and Linux component depot.
- arch is the target platform architecture.
- FILESET is the specific fileset to be copied. Alternatively, use \* instead of PowerBroker-arch.FILESET to copy all filesets.
- sd-directory is the desired SD directory. If you omit @ sd-directory, the default /var/spool/sw is used.
- Navigate to the /unzip-dir/powerbroker/version/flavor/install/ directory.
- Run the HP-UX swcopy utility to copy the Endpoint Privilege Management for Unix and Linux configuration fileset to the desired SD depot:
# swcopy -s /<cfgdepotdir>/PowerBroker-Cfg-<ver>.<filesetname>.depot PowerBroker-Cfg.<filesetname>
- Run the HP-UX swinstall utility to install the Endpoint Privilege Management for Unix and Linux component filesets by typing: swinstall PowerBroker-arch.
- Verify the installation of the filesets with the HP-UX swverify utility by typing: swverify PowerBroker-arch.
Revert to a previous version
Unlike Endpoint Privilege Management for Unix and Linux patches that are installed with pbpatchinstall, update depots cannot be rolled back to a previous release. However, you can install an older fileset over a newer one, effectively rolling back to the older release. To install older filesets over newer ones, use the following command:
swinstall -x allow_downdate=true PowerBroker-arch
This command restores the previous release. Repeat the command to restore earlier releases.
Upgrade configuration package
When upgrading the configuration package (cfg pkg), some settings that are part of the package might need settings and configuration files copied from the existing installation to the staging host.
Files included in the cfg package:
- pb.settings: Hardcoded target location /etc/pb.settings.
- pb.cfg: Hardcoded target location /etc/pb.cfg.
- All the encryption key files defined for networkencryption, eventlogencryption, iologencryption, reportencryption, policyencryption, and restkeyencryption. By default, two key files are typically created:
- pb.key
- pb.rest.key
The sysadmin can define encryption with different key files in locations other than /etc. Therefore, when upgrading, and to retain what is installed on the target machine, look at all the encryption settings in /etc/pb.settings. Copy the settings to the settings_files directory before running pbinstall -z and pbcreate*cfgpkg.
- Policy file if the target is a policy server.
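A pre-packaging check for the settings_files staging directory described above and in the update depot procedure, added here as an illustration (it is not BeyondTrust code). It assumes pb.settings lines read `<setting> <value>`, that key files are written keyfile=<path> as in the menu value aes-256:keyfile=/etc/pb.key, and that key files are staged under their base name; the function names, the sample data, and the owner-only permission check are this example's own.

```shell
#!/bin/sh
# Added example (not BeyondTrust code): check a settings_files staging
# directory before pbcreatehpuxcfgpkg packages it.
# Assumptions: pb.settings lines read "<setting> <value> ..."; key files are
# written keyfile=<path> (as in the menu value aes-256:keyfile=/etc/pb.key);
# a path ends at the next ':' or whitespace; key files are staged under their
# base name.

ENC_SETTINGS="networkencryption eventlogencryption iologencryption"
ENC_SETTINGS="$ENC_SETTINGS reportencryption policyencryption restkeyencryption"

# list_keyfiles PB_SETTINGS
# Print every key file path named by one of the six encryption settings, once.
list_keyfiles() {
    awk -v names="$ENC_SETTINGS" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        /^[ \t]*#/ { next }                       # skip comment lines
        ($1 in want) {
            for (i = 2; i <= NF; i++) {
                p = $i
                if (sub(/^.*keyfile=/, "", p)) {  # this token names a key file
                    sub(/:.*$/, "", p)            # drop anything after the path
                    if (!(p in seen)) { seen[p] = 1; print p }
                }
            }
        }' "$1"
}

# check_staging STAGING_DIR
# Prints one finding per line and returns 0 only when there are none.
#   MISSING <name>  a settings file or referenced key file is not staged
#   PERMS <file>    a staged key file is readable or writable by group/other
check_staging() {
    stage=$1 findings=0
    for f in pb.settings pb.cfg; do
        [ -f "$stage/$f" ] || { echo "MISSING $f"; findings=$((findings + 1)); }
    done
    [ -f "$stage/pb.settings" ] || return 1
    for kf in $(list_keyfiles "$stage/pb.settings"); do
        staged="$stage/$(basename "$kf")"
        if [ ! -f "$staged" ]; then
            echo "MISSING $kf"
            findings=$((findings + 1))
        # characters 5-10 of the ls mode string are the group and other bits
        elif [ "$(ls -ld "$staged" | cut -c5-10)" != "------" ]; then
            echo "PERMS $staged"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# make_sample DIR
# Write a constructed pb.settings and a partly staged directory for the demo.
make_sample() {
    mkdir -p "$1"
    cat > "$1/pb.settings" <<'EOF'
# constructed sample, not a real pb.settings
submitmasters policy1.example.test
networkencryption aes-256:keyfile=/etc/pb.key
eventlogencryption none
iologencryption aes-256:keyfile=/opt/keys/iolog.key
restkeyencryption aes-256:keyfile=/etc/pb.rest.key
EOF
    : > "$1/pb.cfg"
    : > "$1/pb.key";      chmod 600 "$1/pb.key"
    : > "$1/pb.rest.key"; chmod 644 "$1/pb.rest.key"   # staged but too open
    # /opt/keys/iolog.key is deliberately left unstaged
}

demo_dir=${TMPDIR:-/tmp}/pbstage_demo.$$
make_sample "$demo_dir"
check_staging "$demo_dir" || echo "resolve the findings before building the configuration depot"
rm -rf "$demo_dir"
```

On the staging host, point check_staging at the real settings_files directory after copying /etc/pb.settings, /etc/pb.cfg, and the key files into it.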
Generate the EPM-UL Settings Files
This section of the execution shows the generation of the Endpoint Privilege Management for Unix and Linux settings files (pb.key, pb.cfg, and pb.settings) and also displays the Endpoint Privilege Management for Unix and Linux installation menu. This output was generated using the pbinstall program with the -z option and selecting menu options to install a run host and a submit host:
Example
# ./pbinstall -z
Starting pbinstall main() from /opt/pbpkg/powerbroker/v9.4/pmul_hpux.ia64_9.4.3-18/install/.
hpux.ia64
Endpoint Privilege Management for Unix and Linux Settings File Generation
Please read the Endpoint Privilege Management for Unix and Linux Installation Instructions before proceeding.
Checking MANIFEST against release directory
Press return to continue
The Registry Name Service of Endpoint Privilege Management for Unix and Linux facilitates location of other services within the pmul enterprise with the aid of a centralized
data repository.
IMPORTANT: client registration is required if this is not the Primary Server and you intend to use Registry Name Services.
Do you wish to utilize Registry Name Service? [yes]? no
BeyondTrust Endpoint Privilege Management for Unix and Linux Installation Menu
Opt Description [Value]
1 Install Everything Here (Demo Mode)? [no]
2 Install License Server? [no]
3 Install Registry Name Services Server? [no]
5 Install Policy Server Host? [yes]
6 Install Run Host? [yes]
7 Install Submit Host? [yes]
9 Install sudo Policy Server? [no]
10 Install Log Host? [yes]
14 Install File Integrity Monitoring Polic... [no]
N for the next menu page, C to continue, X to exit
Please enter a menu option [For technical support call 1-800-234-9072]> 7
Endpoint Privilege Management for Unix and Linux executes secured tasks on hosts which are designated as Run Hosts. These hosts execute the commands using the pblocald daemon.
To allow Endpoint Privilege Management for Unix and Linux to execute a command, a host must be configured as a Run Host.
Do you want this host to be a Run Host [no]? yes
BeyondTrust Endpoint Privilege Management for Unix and Linux Installation Menu
Opt Description [Value]
1 Install Everything Here (Demo Mode)? [no]
2 Install License Server? [no]
3 Install Registry Name Services Server? [no]
5 Install Policy Server Host? [yes]
6 Install Run Host? [yes]
7 Install Submit Host? [yes]
9 Install sudo Policy Server? [no]
10 Install Log Host? [yes]
14 Install File Integrity Monitoring Polic... [no]
25 Install Secure GUI Host? [yes]
26 Install Utilities: pbvi, pbnvi, pbmg, p... [yes]
29 Install man pages? [no]
30 Will this host use a Log Host? [yes]
31 AD Bridge Integration? [no]
55 Synchronization program can be initiate... [yes]
56 Daemons location [/usr/sbin]
59 User programs location [/usr/local/bin]
N for the next menu page, C to continue, X to exit
Please enter a menu option [For technical support call 1-800-234-9072]> 8
Endpoint Privilege Management for Unix and Linux allows requests for secured tasks to be made on hosts configured as Submit Hosts.
To have pbrun initiate requests for secured tasks, this host must be a Submit Host.
Do you want this host to be a Submit Host [no]? yes
BeyondTrust Endpoint Privilege Management for Unix and Linux Installation Menu
Opt Description [Value]
1 Install Everything Here (Demo Mode)? [no]
2 Install License Server? [no]
3 Install Registry Name Services Server? [no]
4 Install Client Registration Server? [no]
5 Install Policy Server Host? [yes]
6 Install Run Host? [yes]
7 Install Submit Host? [yes]
8 Install PBSSH [yes]
9 Install sudo Policy Server? [no]
10 Install Log Host? [yes]
11 Enable Logfile Tracking and Archiving? [yes]
12 Is this a Log Archiver Storage Server? [no]
13 Is this a Log Archiver Database Server? [no]
14 Install File Integrity Monitoring Polic... [no]
15 Install REST Services? [yes]
16 List of License Servers [*]
19 Path to Password Safe 'pkrun' binary []
23 Install Synchronization program? [yes]
25 Install Secure GUI Host? [yes]
26 Install Utilities: pbvi, pbnvi, pbmg, p... [yes]
27 Install pbksh? [yes]
28 Install pbsh? [yes]
29 Install man pages? [no]
30 Will this host use a Log Host? [yes]
31 AD Bridge Integration? [no]
37 Integration with BeyondInsight? [no]
55 Synchronization program can be initiate... [yes]
56 Daemons location [/usr/sbin]
57 Number of reserved spaces for submit pr... [80]
58 Administration programs location [/usr/sbin]
59 User programs location [/usr/local/bin]
60 GUI library directory [/usr/local/lib/pbbuilder]
61 Policy include (sub) file directory [/opt/pbul/policies]
62 Policy file name [/opt/pbul/policies/pb.conf]
65 Log Archive Storage Server name []
67 Log Archiver Database Server name []
69 Logfile Name Cache Database file path? [/opt/pbul/dbs/pblogcache.db]
70 REST Service installation directory? [/usr/lib/beyondtrust/pb/rest]
71 Install REST API sample code? [no]
73 Pblighttpd user [pblight]
75 Pblighttpd user UID []
76 Pblighttpd user GID []
78 Configure systemd? [yes]
79 Command line options for pbmasterd [-ar]
80 Policy Server Delay [500]
81 Policy Server Protocol Timeout [-1]
82 pbmasterd diagnostic log [/var/log/pbmasterd.log]
83 Eventlog filename [/var/log/pb.eventlog]
84 Configure eventlog rotation via size? []
85 Configure eventlog rotation path? []
86 Configure eventlog rotation via cron? [no]
87 Validate Submit Host Connections? [no]
88 List of Policy Servers to submit to [kandor]
89 pbrun diagnostic log? [none]
90 pbssh diagnostic log? [none]
91 Allow Local Mode? [yes]
92 Additional secured task checks? [no]
93 Suppress Policy Server host failover er... [yes]
94 List of Policy Servers to accept from [kandor]
95 pblocald diagnostic log [/var/log/pblocald.log]
96 Command line options for pblocald []
97 Syslog pblocald sessions? [no]
98 Record PTY sessions in utmp/utmpx? [yes]
99 Validate Policy Server Host Connections? [no]
100 List of Log Hosts [kandor]
101 Command line options for pblogd []
102 Log Host Delay [500]
103 Log Host Protocol Timeout [-1]
104 pblogd diagnostic log [/var/log/pblogd.log]
105 List of log reserved filesystems [none]
106 Number of free blocks per log system fi... [0]
107 Command line options for pbsyncd []
108 Sync Protocol Timeout [-1]
109 pbsyncd diagnostic log [/var/log/pbsyncd.log]
110 pbsync diagnostic log [/var/log/pbsync.log]
111 pbsync sychronization time interval (in... [15]
112 Add installed shells to /etc/shells [no]
113 pbksh diagnostic file [/var/log/pbksh.log]
114 pbsh diagnostic file [/var/log/pbsh.log]
115 Stand-alone pblocald command [none]
116 Stand-alone root shell default iolog [/pbshell.iolog]
121 Use syslog? [yes]
122 Syslog facility to use? [LOG_AUTHPRIV]
123 Base Daemon port number [24345]
124 pbmasterd port number [24345]
125 pblocald port number [24346]
126 pblogd port number [24347]
127 pbguid port number [24348]
129 pbsyncd port number [24350]
130 REST Service port number [24351]
131 Add entries to '/etc/services' [yes]
132 Allow non-reserved port connections [yes]
133 Inbound Port range [1025-65535]
134 Outbound Port range [1025-65535]
137 Network encryption options [aes-256:keyfile=/etc/pb.key]
138 Event log encryption options [none]
139 I/O log encryption options [none]
140 Report encryption options [none]
141 Policy file encryption options [none]
142 Settings file encryption type [none]
143 REST API encryption options [aes-256:keyfile=/etc/pb.re...]
144 Configure with Kerberos v5? [no]
150 Enforce High Security Encryption? [yes]
151 Use SSL? [yes]
152 SSL Configuration? [requiressl]
153 SSL pbrun Certificate Authority Directory? [none]
154 SSL pbrun Certificate Authority File? [none]
155 SSL pbrun Cipher List? [HIGH:!SSLv2:!3DES:!MD5:@ST…]
156 SSL pbrun Certificate Directory? [none]
157 SSL pbrun Certificate File? [none]
158 SSL pbrun Private Key Directory? [none]
159 SSL pbrun Private Key File? [none]
160 SSL pbrun Certificate Subject Checks? [none]
161 SSL Server Certificate Authority Direct... [none]
162 SSL Server Certificate Authority File? [none]
163 SSL Server Cipher List? [HIGH:!SSLv2:!3DES:!MD5:@ST...]
164 SSL Server Certificate Directory? [none]
165 SSL Server Certificate File? [/etc/pbssl.pem]
166 SSL Server Private Key Directory? [none]
167 SSL Server Private Key File? [/etc/pbssl.pem]
168 SSL Server Certificate Subject Checks? [none]
169 SSL Certificate Country Code [US]
170 SSL Certificate State/Province [AZ]
171 SSL Certificate Location (Town/City) [Phoenix]
172 SSL Certificate Organizational Unit/Dep... [Security]
173 SSL Certificate Organization [BeyondTrust]
174 Configure Privilege Management for Unix... [no]
175 Install BeyondTrust built-in third-part... [yes]
176 BeyondTrust built-in third-party librar... [/usr/lib/beyondtrust/pb]
188 Use PAM? [no]
196 Allow Remote Jobs? [yes]
197 UNIX Domain Socket directory [none]
198 Reject Null Passwords? [no]
199 Enable TCP keepalives? [no]
200 Name Resolution Timeout [0]
N for the next menu page, P for the previous menu page, C to continue, X to exit
Please enter a menu option [For technical support call 1-800-234-9072]> c
ypcat: no such map in server's NIS domain
No submitmasters was specified and no NIS netgroup called pbsubmitmasters found
Endpoint Privilege Management for Unix and Linux needs to know the submitmasters(s) to work.
The Endpoint Privilege Management for Unix and Linux programs need to know which Policy Server Host(s) you have decided to allow to act as submitmaster(s) for this machine.
Submitmasters take requests for secured tasks from Submit Hosts,
accept or reject them, and pass the accepted requests to a Run Host.
To locate submitmasters, programs look for a setting in the settings file
containing the names of the submitmaster machines or a netgroup
called pbsubmitmasters.
Enter Policy Server list (submitmasters): hp113-ca025-012.unix.beyondtrust.com
ypcat: no such map in server's NIS domain
No acceptmasters was specified and no NIS netgroup called pbacceptmasters found
Endpoint Privilege Management for Unix and Linux needs to know the acceptmasters(s) to work.
The Endpoint Privilege Management for Unix and Linux programs need to know which Policy Server Host(s) you have decided to allow to request execution of secured tasks to this machine.
Hosts on the acceptmasters list are the Policy Server Hosts which are allowed
to make secured task requests to this machine.
To do this, programs look for a setting in the settings file containing the
names of the acceptmasters machines or a netgroup called pbacceptmasters.
Enter Incoming Policy Server list (acceptmasters): hp113-ca025-012.unix.beyondtrust.com
ypcat: no such map in server's NIS domain
No log hosts was specified and no NIS netgroup called pblogservers found
Endpoint Privilege Management for Unix and Linux needs to know the log hosts(s) to work.
The Endpoint Privilege Management for Unix and Linux programs need to know which machine(s) you have selected as Log Host(s). Log Hosts are hosts which Policy Servers
select for Run Hosts to do event and I/O logging.
To do this, pbmasterd looks for the setting logservers in the settings
file. This setting contains the names of the Log Host machines or a netgroup.
Current installation settings for Log Server(s):
Enter Log Server list (logservers): hp113-ca025-012.unix.beyondtrust.com
Generating key file /opt/pbpkg/powerbroker/v9.4/pbul_hpux.ia64_9.4.3-18/install/settings_files/pb.key...
Are all the installation settings correct [yes]?
Generating config file /opt/pbpkg/powerbroker/v9.4/pmul_hpux.ia64_9.4.3-18/install/settings_files/pb.cfg
Creating the settings file creation script
Backed up existing settings file creation script to:
'/opt/pbpkg/powerbroker/v9.4/pbul_hpux.ia64_9.4.3-18/install/pbcreatesettingsfile.ctime.May_26_15:05'
Running settings file creation script
Creating settings file /opt/pbpkg/powerbroker/v9.4/pmul_hpux.ia64_9.4.3-18/install/settings_files/pb.settings
Generated settings files are in directory: /opt/pbpkg/powerbroker/v9.4/pmul_hpux.ia64_9.4.3-18/install/settings_files
Endpoint Privilege Management for Unix and Linux Settings File Generation completed successfully.
Create the EPM-UL Configuration Package Using pbcreatehpuxcfgpkg
This section shows the creation of the Endpoint Privilege Management for Unix and Linux configuration depot using the pbcreatehpuxcfgpkg program with the -p and -s options.
Note
At the end of its output, the pbcreatehpuxcfgpkg script shows which Endpoint Privilege Management for Unix and Linux component filesets need to be copied to the SD depot.
Example
# cd /opt/pbpkg/powerbroker/v9.4/pmul_hpux.ia64_9.4.3-18/install
# ./pbcreatehpuxcfgpkg -p CLIENT1 -s /opt/pbpkg/powerbroker/v9.4/pmul_hpux.ia64_9.4.3-18/install/settings_files
pbcreatehpuxcfgpkg: starting from /opt/pbpkg/powerbroker/v9.4/pmul_hpux.ia64_9.4.3-18/install
pbcreatehpuxcfgpkg: keyfile pb.key will be included in package
pbcreatehpuxcfgpkg: reading /opt/pbpkg/powerbroker/v9.4/pmul_hpux.ia64_9.4.3-18/install/settings_files/pb.cfg
pbcreatehpuxcfgpkg: processing, please wait . . .
pbcreatehpuxcfgpkg: packaging PowerBroker Unix/Linux Configuration HP-UX Depot . . .
======= 05/26/17 15:19:42 PDT BEGIN swpackage SESSION
* Session started for user
"[email protected]".
* Source:
pbul-qa-hpux11v3-01.unix.beyondtrust.com:/opt/pbpkg/powerbroker/v9.4/pmul_hpux.ia64_9.4.3-18/install/PowerBroker-Cfg/psf/PowerBroker-Cfg.psf
* Target:
pbul-qa-hpux11v3-01.unix.beyondtrust.com:/opt/pbpkg/powerbroker/v9.4/pmul_hpux.ia64_9.4.3-18/install/PowerBroker-Cfg/depot/PowerBroker-Cfg-9.4.3.18.CLIENT1.depot
* Software selections:
*
* Beginning Selection Phase.
* Reading the Product Specification File (PSF)
"/opt/pbpkg/powerbroker/v9.4/pmul_hpux.ia64_9.4.3-18/install/PowerBroker-Cfg/psf/PowerBroker-Cfg.psf".
* Reading the product "PowerBroker-Cfg" at line 11.
* Reading the fileset "CLIENT1" at line 48.
NOTE: The temporary target depot "/var/tmp/pkgAAA005165" has been
created.
* Selection Phase succeeded.
* Beginning Analysis Phase.
NOTE: The fileset "PowerBroker-Cfg.CLIENT1" has a prerequisite
dependency on a software object which exists in another
product, "PowerBroker-hppa64.RUNHOST", which was not selected
for packaging and does not exist in the target depot.
NOTE: The fileset "PowerBroker-Cfg.CLIENT1" has a prerequisite
dependency on a software object which exists in another
product, "PowerBroker-hpia64.RUNHOST", which was not selected
for packaging and does not exist in the target depot.
NOTE: The fileset "PowerBroker-Cfg.CLIENT1" has a prerequisite
dependency on a software object which exists in another
product, "PowerBroker-hppa64.SUBMITHOST", which was not
selected for packaging and does not exist in the target depot.
NOTE: The fileset "PowerBroker-Cfg.CLIENT1" has a prerequisite
dependency on a software object which exists in another
product, "PowerBroker-hpia64.SUBMITHOST", which was not
selected for packaging and does not exist in the target depot.
NOTE: The fileset "PowerBroker-Cfg.CLIENT1" has a prerequisite
dependency on a software object which exists in another
product, "PowerBroker-hppa64.SHAREDLIBS", which was not
selected for packaging and does not exist in the target depot.
NOTE: The fileset "PowerBroker-Cfg.CLIENT1" has a prerequisite
dependency on a software object which exists in another
product, "PowerBroker-hpia64.SHAREDLIBS", which was not
selected for packaging and does not exist in the target depot.
NOTE: One or more of the filesets you selected specify a dependency
on software which exists in another product. (See above).
The other software was not selected for packaging and does not
exist in the target depot. (An unresolved dependency on
another product may prevent the dependent product from being
installed.)
* Analysis Phase succeeded.
* Beginning Package Phase.
* Packaging the product "PowerBroker-Cfg".
* Packaging the fileset "PowerBroker-Cfg.CLIENT1".
* Package Phase succeeded.
* Beginning Tapemaker Phase.
* Copying the temporary depot to the tape
"/opt/pbpkg/powerbroker/v9.4/pmul_hpux.ia64_9.4.3-18/install/PowerBroker-Cfg/depot/PowerBroker-Cfg-9.4.3.18.CLIENT1.depot".
* Calculating the tape blocks required to copy the temporary
depot to the tape
"/opt/pbpkg/powerbroker/v9.4/pmul_hpux.ia64_9.4.3-18/install/PowerBroker-Cfg/depot/PowerBroker-Cfg-9.4.3.18.CLIENT1.depot".
NOTE: The temporary depot requires 220 Kbytes on the tape
"/opt/pbpkg/powerbroker/v9.4/pmul_hpux.ia64_9.4.3-18/install/PowerBroker-Cfg/depot/PowerBroker-Cfg-9.4.3.18.CLIENT1.depot".
* Writing the tape
"/opt/pbpkg/powerbroker/v9.4/pmul_hpux.ia64_9.4.3-18/install/PowerBroker-Cfg/depot/PowerBroker-Cfg-9.4.3.18.CLIENT1.depot"
(tape 1 of 1).
* Writing the fileset "PowerBroker-Cfg.CLIENT1" (1 of 1)
* Tape #1: CRC-32 checksum & size: 2376197741 225280
* Removing the temporary depot.
* Tapemaker Phase succeeded.
======= 05/26/17 15:19:42 PDT END swpackage SESSION
pbcreatehpuxcfgpkg: depot 'PowerBroker-Cfg-9.4.3.18.CLIENT1.depot' placed in /opt/pbpkg/powerbroker/v9.4/pmul_hpux.ia64_9.4.3-18/install
pbcreatehpuxcfgpkg: the following depot filesets will need to be loaded to the target system:
PowerBroker-{arch}.RUNHOST PowerBroker-{arch}.SUBMITHOST PowerBroker-{arch}.SHAREDLIBS
where {arch} is the appropriate architecture for the target system, 'hppa64' or 'ia64'.
pbcreatehpuxcfgpkg: completed.
Copy the EPM-UL Depots Using the swcopy Command
This section shows the execution of the swcopy command to copy the Endpoint Privilege Management component and configuration depots to the default SD depot. This section also includes execution of the swjob and swlist commands to verify that the depots have been copied:
Example
# swcopy -s /opt/pbpkg/powerbroker/v9.4/pmul_hpux.ia64_9.4.3-18/package/PowerBroker-hpia64-9.4.3.18.depot PowerBroker-hpia64.SHAREDLIBS PowerBroker-hpia64.SUBMITHOST PowerBroker-hpia64.RUNHOST
======= 05/26/17 16:47:14 PDT BEGIN swcopy SESSION (non-interactive)
(jobid=pbul-qa-hpux11v3-01.unix.beyondtrust.com-0263)
* Session started for user
"[email protected]".
* Beginning Selection
* "pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw": This
target does not exist and will be created.
* Source:
/opt/pbpkg/powerbroker/v9.4/pmul_hpux.ia64_9.4.3-18/package/PowerBroker-hpia64-9.4.3.18.depot
* Targets:
pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw
* Software selections:
PowerBroker-hpia64.RUNHOST,r=9.4.3.18,a=HP-UX_B.11.23/31_64_IA,v=BeyondTrust
PowerBroker-hpia64.SHAREDLIBS,r=9.4.3.18,a=HP-UX_B.11.23/31_64_IA,v=BeyondTrust
PowerBroker-hpia64.SUBMITHOST,r=9.4.3.18,a=HP-UX_B.11.23/31_64_IA,v=BeyondTrust
* Selection succeeded.
* Beginning Analysis and Execution
* Session selections have been saved in the file
"/.sw/sessions/swcopy.last".
* The analysis phase succeeded for
"pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw".
* The execution phase succeeded for
"pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw".
* Analysis and Execution succeeded.
NOTE: More information may be found in the agent logfile using the
command "swjob -a log pbul-qa-hpux11v3-01.unix.beyondtrust.com-0263
@ pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw".
======= 05/26/17 16:47:21 PDT END swcopy SESSION (non-interactive)
(jobid=pbul-qa-hpux11v3-01.unix.beyondtrust.com-0263)
# swjob -a log pbul-qa-hpux11v3-01.unix.beyondtrust.com-0263 @ pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw
======= 05/26/17 16:47:15 PDT BEGIN copy AGENT SESSION (pid=7319)
(jobid=pbul-qa-hpux11v3-01.unix.beyondtrust.com-0263)
* Agent session started for user
"[email protected]". (pid=7319)
* Beginning Analysis Phase.
* Source:
pbul-qa-hpux11v3-01.unix.beyondtrust.com:/opt/pbpkg/powerbroker/v9.4/pmul_hpux.ia64_9.4.3-18/package/PowerBroker-hpia64-9.4.3.18.depot
* Target:
pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw
* Target logfile:
pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw/swagent.log
* Reading source for product information.
* Reading source for file information.
NOTE: The used disk space on filesystem "/var" is estimated to
increase by 91664 Kbytes.
This will leave 5407144 Kbytes of available user disk space
after the installation.
* Summary of Analysis Phase:
* 3 of 3 filesets had no Errors or Warnings.
* The Analysis Phase succeeded.
* Beginning the Copy Execution Phase.
* Filesets: 3
* Files: 105
* Kbytes: 90877
* Copying fileset "PowerBroker-hpia64.RUNHOST,r=9.4.3.18" (1 of
3).
* Copying fileset "PowerBroker-hpia64.SHAREDLIBS,r=9.4.3.18" (2
of 3).
* Copying fileset "PowerBroker-hpia64.SUBMITHOST,r=9.4.3.18" (3
of 3).
* Summary of Execution Phase:
* 3 of 3 filesets had no Errors or Warnings.
* The Execution Phase succeeded.
======= 05/26/17 16:47:21 PDT END copy AGENT SESSION (pid=7319)
(jobid=pbul-qa-hpux11v3-01.unix.beyondtrust.com-0263)
# swcopy -s /opt/pbpkg/powerbroker/v9.4/pmul_hpux.ia64_9.4.3-18/install/PowerBroker-Cfg-9.4.3.18.CLIENT1.depot PowerBroker-Cfg.CLIENT1
======= 05/26/17 16:49:48 PDT BEGIN swcopy SESSION (non-interactive)
(jobid=pbul-qa-hpux11v3-01.unix.beyondtrust.com-0264)
* Session started for user
"[email protected]".
* Beginning Selection
* Target connection succeeded for
"pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw".
* Source:
/opt/pbpkg/powerbroker/v9.4/pmul_hpux.ia64_9.4.3-18/install/PowerBroker-Cfg-9.4.3.18.CLIENT1.depot
* Targets:
pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw
* Software selections:
PowerBroker-Cfg.CLIENT1,r=9.4.3.18,a=HP-UX_B.11.11/23/31_32/64_IA/PA,v=BeyondTrust
* Selection succeeded.
* Beginning Analysis and Execution
* Session selections have been saved in the file
"/.sw/sessions/swcopy.last".
* The analysis phase succeeded for
"pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw".
* The execution phase succeeded for
"pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw".
* Analysis and Execution succeeded.
NOTE: More information may be found in the agent logfile using the
command "swjob -a log pbul-qa-hpux11v3-01.unix.beyondtrust.com-0264
@ pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw".
======= 05/26/17 16:49:48 PDT END swcopy SESSION (non-interactive)
(jobid=pbul-qa-hpux11v3-01.unix.beyondtrust.com-0264)
# swjob -a log pbul-qa-hpux11v3-01.unix.beyondtrust.com-0264 @ pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw
======= 05/26/17 16:49:48 PDT BEGIN copy AGENT SESSION (pid=7373)
(jobid=pbul-qa-hpux11v3-01.unix.beyondtrust.com-0264)
* Agent session started for user
"[email protected]". (pid=7373)
* Beginning Analysis Phase.
* Source:
pbul-qa-hpux11v3-01.unix.beyondtrust.com:/opt/pbpkg/powerbroker/v9.4/pmul_hpux.ia64_9.4.3-18/install/PowerBroker-Cfg-9.4.3.18.CLIENT1.depot
* Target:
pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw
* Target logfile:
pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw/swagent.log
* Reading source for product information.
* Reading source for file information.
NOTE: The used disk space on filesystem "/var" is estimated to
increase by 232 Kbytes.
This will leave 5446360 Kbytes of available user disk space
after the installation.
* Summary of Analysis Phase:
* 1 of 1 filesets had no Errors or Warnings.
* The Analysis Phase succeeded.
* Beginning the Copy Execution Phase.
* Filesets: 1
* Files: 6
* Kbytes: 186
* Copying fileset "PowerBroker-Cfg.CLIENT1,r=9.4.3.18" (1 of 1).
* Summary of Execution Phase:
* 1 of 1 filesets had no Errors or Warnings.
* The Execution Phase succeeded.
======= 05/26/17 16:49:48 PDT END copy AGENT SESSION (pid=7373)
(jobid=pbul-qa-hpux11v3-01.unix.beyondtrust.com-0264)
Install the EPM-UL Filesets Using the swinstall Command
This section shows the execution of the HP-UX swinstall command to install the Endpoint Privilege Management for Unix and Linux filesets. Because the swinstall command automatically installs the dependent filesets, you need only run the swinstall command for the configuration fileset. Following installation of the configuration package, the installation is verified by submitting the swlist, swjob, and swverify commands. Finally, the id command is submitted to Endpoint Privilege Management for Unix and Linux to test the installation.
Note
During the Endpoint Privilege Management for Unix and Linux fileset installation process, you might see a warning message regarding "core transition links." You can ignore this warning.
Example
# swinstall PowerBroker-Cfg.CLIENT1
======= 05/26/17 16:50:39 PDT BEGIN swinstall SESSION
(non-interactive)
(jobid=pbul-qa-hpux11v3-01.unix.beyondtrust.com-0265)
* Session started for user
"[email protected]".
* Beginning Selection
* Target connection succeeded for
"pbul-qa-hpux11v3-01.unix.beyondtrust.com:/".
* Source connection succeeded for
"pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw".
* Source: /var/spool/sw
* Targets: pbul-qa-hpux11v3-01.unix.beyondtrust.com:/
* Software selections:
PowerBroker-Cfg.CLIENT1,r=9.4.3.18,a=HP-UX_B.11.11/23/31_32/64_IA/PA,v=BeyondTrust
+ PowerBroker-hpia64.RUNHOST,r=9.4.3.18,a=HP-UX_B.11.23/31_64_IA,v=BeyondTrust
+ PowerBroker-hpia64.SHAREDLIBS,r=9.4.3.18,a=HP-UX_B.11.23/31_64_IA,v=BeyondTrust
+ PowerBroker-hpia64.SUBMITHOST,r=9.4.3.18,a=HP-UX_B.11.23/31_64_IA,v=BeyondTrust
* A "+" indicates an automatic selection due to dependency or
the automatic selection of a patch or reference bundle.
* Selection succeeded.
* Beginning Analysis and Execution
* Session selections have been saved in the file
"/.sw/sessions/swinstall.last".
* The analysis phase succeeded for
"pbul-qa-hpux11v3-01.unix.beyondtrust.com:/".
* The execution phase succeeded for
"pbul-qa-hpux11v3-01.unix.beyondtrust.com:/".
* Analysis and Execution succeeded.
NOTE: More information may be found in the agent logfile using the
command "swjob -a log pbul-qa-hpux11v3-01.unix.beyondtrust.com-0265
@ pbul-qa-hpux11v3-01.unix.beyondtrust.com:/".
======= 05/26/17 16:50:54 PDT END swinstall SESSION (non-interactive)
(jobid=pbul-qa-hpux11v3-01.unix.beyondtrust.com-0265)
# swjob -a log pbul-qa-hpux11v3-01.unix.beyondtrust.com-0265 @ pbul-qa-hpux11v3-01.unix.beyondtrust.com:/
======= 05/26/17 16:50:39 PDT BEGIN install AGENT SESSION (pid=7464)
(jobid=pbul-qa-hpux11v3-01.unix.beyondtrust.com-0265)
* Agent session started for user
"[email protected]". (pid=7464)
* Beginning Analysis Phase.
* Source:
pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw
* Target: pbul-qa-hpux11v3-01.unix.beyondtrust.com:/
* Target logfile:
pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/adm/sw/swagent.log
* Reading source for product information.
* Reading source for file information.
* Executing preDSA command.
NOTE: The used disk space on filesystem "/" is estimated to increase by 24 Kbytes.
This will leave 205712 Kbytes of available user disk space after the installation.
NOTE: The used disk space on filesystem "/opt" is estimated to increase by 32 Kbytes.
This will leave 2466280 Kbytes of available user disk space after the installation.
NOTE: The used disk space on filesystem "/usr" is estimated to increase by 91552 Kbytes.
This will leave 3519968 Kbytes of available user disk space after the installation.
NOTE: The used disk space on filesystem "/var" is estimated to increase by 288 Kbytes.
This will leave 5410848 Kbytes of available user disk space after the installation.
* Summary of Analysis Phase:
* 4 of 4 filesets had no Errors or Warnings.
* The Analysis Phase succeeded.
* Beginning the Install Execution Phase.
* Filesets: 4
* Files: 111
* Kbytes: 91063
* Installing fileset "PowerBroker-hpia64.SUBMITHOST,r=9.4.3.18" because one or more other selected filesets depend on it (1 of 4).
* Installing fileset "PowerBroker-hpia64.SHAREDLIBS,r=9.4.3.18" because one or more other selected filesets depend on it (2 of 4).
* Installing fileset "PowerBroker-hpia64.RUNHOST,r=9.4.3.18" because one or more other selected filesets depend on it (3 of 4).
* Installing fileset "PowerBroker-Cfg.CLIENT1,r=9.4.3.18" (4 of 4).
* Beginning the Configure Execution Phase.
NOTE: Reading pb.cfg...
NOTE: Looking for SuperDaemons to configure...
NOTE: Finished looking for SuperDaemons to configure...
NOTE: Removing PowerBroker service definitions (if any) from /etc/services.
NOTE: Adding PowerBroker service definitions to /etc/services
NOTE: Removing any PowerBroker definitions from SuperDaemon inetd file /etc/inetd.conf
NOTE: Adding PowerBroker definitions to SuperDaemon configurations /etc/inetd.conf
NOTE: Reloading SuperDaemon Configurations...
NOTE: Done Reloading SuperDaemon Configurations...
Updating Settings in database (if any)...
* Summary of Execution Phase:
* 4 of 4 filesets had no Errors or Warnings.
* The Execution Phase succeeded.
======= 05/26/17 16:50:54 PDT END install AGENT SESSION (pid=7464)
(jobid=pbul-qa-hpux11v3-01.unix.beyondtrust.com-0265)
# swlist PowerBroker\*
# Initializing...
# Contacting target "pbul-qa-hpux11v3-01.unix.beyondtrust.com"...
#
# Target: pbul-qa-hpux11v3-01.unix.beyondtrust.com:/
#
# PowerBroker-Cfg 9.4.3.18 BeyondTrust PowerBroker Unix/Linux - Root Delegation and Privilege Management
PowerBroker-Cfg.CLIENT1 9.4.3.18 BeyondTrust PowerBroker Unix/Linux Configuration - Root Delegation and Privilege Management
# PowerBroker-hpia64 9.4.3.18 BeyondTrust PowerBroker - Root Delegation and Privilege Management
PowerBroker-hpia64.RUNHOST 9.4.3.18 BeyondTrust PowerBroker Run Host - Root Delegation and Privilege Management
PowerBroker-hpia64.SHAREDLIBS 9.4.3.18 BeyondTrust PowerBroker Shared Libraries - Root Delegation and Privilege Management
PowerBroker-hpia64.SUBMITHOST 9.4.3.18 BeyondTrust PowerBroker Submit Host - Root Delegation and Privilege Management
# swverify PowerBroker-Cfg PowerBroker-hpia64
======= 05/26/17 16:52:13 PDT BEGIN swverify SESSION
(non-interactive)
(jobid=pbul-qa-hpux11v3-01.unix.beyondtrust.com-0266)
* Session started for user
"[email protected]".
* Beginning Selection
* Target connection succeeded for
"pbul-qa-hpux11v3-01.unix.beyondtrust.com:/".
* Software selections:
PowerBroker-Cfg.CLIENT1,l=/,r=9.4.3.18,a=HP-UX_B.11.11/23/31_32/64_IA/PA,v=BeyondTrust
PowerBroker-hpia64.RUNHOST,l=/,r=9.4.3.18,a=HP-UX_B.11.23/31_64_IA,v=BeyondTrust
PowerBroker-hpia64.SHAREDLIBS,l=/,r=9.4.3.18,a=HP-UX_B.11.23/31_64_IA,v=BeyondTrust
PowerBroker-hpia64.SUBMITHOST,l=/,r=9.4.3.18,a=HP-UX_B.11.23/31_64_IA,v=BeyondTrust
* Selection succeeded.
* Beginning Analysis
* Session selections have been saved in the file
"/.sw/sessions/swverify.last".
* The analysis phase succeeded for
"pbul-qa-hpux11v3-01.unix.beyondtrust.com:/".
* Verification succeeded.
NOTE: More information may be found in the agent logfile using the
command "swjob -a log pbul-qa-hpux11v3-01.unix.beyondtrust.com-0266
@ pbul-qa-hpux11v3-01.unix.beyondtrust.com:/".
======= 05/26/17 16:52:17 PDT END swverify SESSION (non-interactive)
(jobid=pbul-qa-hpux11v3-01.unix.beyondtrust.com-0266)
# swjob -a log pbul-qa-hpux11v3-01.unix.beyondtrust.com-0266 @ pbul-qa-hpux11v3-01.unix.beyondtrust.com:/
======= 05/26/17 16:52:14 PDT BEGIN verify AGENT SESSION (pid=7787)
(jobid=pbul-qa-hpux11v3-01.unix.beyondtrust.com-0266)
* Agent session started for user
"[email protected]". (pid=7787)
* Beginning Analysis Phase.
* Target: pbul-qa-hpux11v3-01.unix.beyondtrust.com:/
* Target logfile:
pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/adm/sw/swagent.log
* Reading source for file information.
* Configured PowerBroker-hpia64.SUBMITHOST,l=/,r=9.4.3.18
* Configured PowerBroker-hpia64.SHAREDLIBS,l=/,r=9.4.3.18
* Configured PowerBroker-hpia64.RUNHOST,l=/,r=9.4.3.18
* Configured PowerBroker-Cfg.CLIENT1,l=/,r=9.4.3.18
* Summary of Analysis Phase:
Verified PowerBroker-hpia64.SUBMITHOST,l=/,r=9.4.3.18
Verified PowerBroker-hpia64.SHAREDLIBS,l=/,r=9.4.3.18
Verified PowerBroker-hpia64.RUNHOST,l=/,r=9.4.3.18
Verified PowerBroker-Cfg.CLIENT1,l=/,r=9.4.3.18
* 4 of 4 filesets had no Errors or Warnings.
* The Analysis Phase succeeded.
======= 05/26/17 16:52:17 PDT END verify AGENT SESSION (pid=7787)
(jobid=pbul-qa-hpux11v3-01.unix.beyondtrust.com-0266)
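The verification step above relies on reading the swjob agent log by eye. The following added example (not part of the original guide and not BeyondTrust or HP code) turns that check into a scripted gate for automated rollouts. The function name, the exit-status convention, the sample logs and the host name host.example are constructed for illustration, and the "ERROR:" and "WARNING:" line prefixes are assumed to follow the same style as the "NOTE:" lines shown in the sessions.

```shell
#!/bin/sh
# Added example: gate a rollout on an SD-UX agent log.
# Input on stdin: the text printed by "swjob -a log <jobid> @ <target>".
# Arguments: fileset names that must appear somewhere in the log.
# Exit status: 0 clean, 1 failed, 2 completed but needs manual review.
# Assumption: problem lines start with "ERROR:" or "WARNING:".
check_sd_agent_log() {
    awk -v want="$*" '
        /BEGIN [a-z]+ AGENT SESSION/ { begin++ }
        /END [a-z]+ AGENT SESSION/   { end++ }
        /^[ \t*]*ERROR:/             { errors++ }
        /^[ \t*]*WARNING:/           { warnings++ }
        /[0-9]+ of [0-9]+ filesets had no Errors or Warnings/ {
            summaries++
            # Compare the two counts in "N of M filesets ...".
            for (i = 2; i < NF; i++)
                if ($i == "of") {
                    if ($(i - 1) + 0 != $(i + 1) + 0) short++
                    break
                }
        }
        { text = text "\n" $0 }
        END {
            n = split(want, names, " ")
            for (i = 1; i <= n; i++)
                if (index(text, names[i]) == 0) missing = missing " " names[i]
            if (begin == 0 || begin != end) { print "FAIL: agent session has no matching BEGIN/END"; exit 1 }
            if (errors > 0)     { print "FAIL: " errors " ERROR line(s)"; exit 1 }
            if (summaries == 0) { print "FAIL: no fileset summary line found"; exit 1 }
            if (missing != "")  { print "FAIL: fileset(s) not in log:" missing; exit 1 }
            if (warnings > 0 || short > 0) {
                print "REVIEW: warnings present or a summary counts fewer clean filesets than selected"
                exit 2
            }
            print "OK: " summaries " summary line(s), every fileset clean"
        }'
}

# Constructed sample: the verify agent log above, trimmed, host replaced.
sample_verify_log() {
    cat <<'EOF'
======= 05/26/17 16:52:14 PDT BEGIN verify AGENT SESSION (pid=7787)
 * Beginning Analysis Phase.
 * Target: host.example:/
 * Reading source for file information.
 * Configured PowerBroker-hpia64.SUBMITHOST,l=/,r=9.4.3.18
 * Configured PowerBroker-hpia64.SHAREDLIBS,l=/,r=9.4.3.18
 * Configured PowerBroker-hpia64.RUNHOST,l=/,r=9.4.3.18
 * Configured PowerBroker-Cfg.CLIENT1,l=/,r=9.4.3.18
 * Summary of Analysis Phase:
 Verified PowerBroker-hpia64.SUBMITHOST,l=/,r=9.4.3.18
 Verified PowerBroker-hpia64.SHAREDLIBS,l=/,r=9.4.3.18
 Verified PowerBroker-hpia64.RUNHOST,l=/,r=9.4.3.18
 Verified PowerBroker-Cfg.CLIENT1,l=/,r=9.4.3.18
 * 4 of 4 filesets had no Errors or Warnings.
 * The Analysis Phase succeeded.
======= 05/26/17 16:52:17 PDT END verify AGENT SESSION (pid=7787)
EOF
}

# Constructed sample of a failed run; the ERROR text is a placeholder.
sample_failed_log() {
    cat <<'EOF'
======= 05/26/17 16:50:39 PDT BEGIN install AGENT SESSION (pid=7464)
 * Beginning Analysis Phase.
ERROR: constructed failure line for this example
 * Summary of Analysis Phase:
 * 3 of 4 filesets had no Errors or Warnings.
======= 05/26/17 16:50:54 PDT END install AGENT SESSION (pid=7464)
EOF
}

# Demo on the constructed logs. On a real host, pipe swjob into the function:
#   swjob -a log <jobid> @ <target> | check_sd_agent_log PowerBroker-Cfg.CLIENT1
sample_verify_log | check_sd_agent_log PowerBroker-Cfg.CLIENT1 \
    PowerBroker-hpia64.RUNHOST PowerBroker-hpia64.SHAREDLIBS PowerBroker-hpia64.SUBMITHOST
sample_failed_log | check_sd_agent_log PowerBroker-Cfg.CLIENT1 || echo "exit status: $?"
```

Status 2 is kept separate from failure because the note above says the "core transition links" warning can be ignored; an operator decides whether a given warning falls into that class.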
Sample of the uninstall process from a package installation
This section shows the execution of the HP-UX swremove utility to remove the Endpoint Privilege Management for Unix and Linux depots. First, swremove is used to uninstall Endpoint Privilege Management for Unix and Linux software from the host. Then, swremove is used to remove the Endpoint Privilege Management for Unix and Linux depots from the SD depot:
Example
# swremove PowerBroker-Cfg PowerBroker-hpia64
======= 05/27/17 09:54:20 PDT BEGIN swremove SESSION
(non-interactive)
(jobid=pbul-qa-hpux11v3-01.unix.beyondtrust.com-0267)
* Session started for user
"[email protected]".
* Beginning Selection
* Target connection succeeded for
"pbul-qa-hpux11v3-01.unix.beyondtrust.com:/".
* Software selections:
PowerBroker-Cfg.CLIENT1,l=/,r=9.4.3.18,a=HP-UX_B.11.11/23/31_32/64_IA/PA,v=BeyondTrust
PowerBroker-hpia64.RUNHOST,l=/,r=9.4.3.18,a=HP-UX_B.11.23/31_64_IA,v=BeyondTrust
PowerBroker-hpia64.SHAREDLIBS,l=/,r=9.4.3.18,a=HP-UX_B.11.23/31_64_IA,v=BeyondTrust
PowerBroker-hpia64.SUBMITHOST,l=/,r=9.4.3.18,a=HP-UX_B.11.23/31_64_IA,v=BeyondTrust
* Selection succeeded.
* Beginning Analysis
* Session selections have been saved in the file
"/.sw/sessions/swremove.last".
* The analysis phase succeeded for
"pbul-qa-hpux11v3-01.unix.beyondtrust.com:/".
* Analysis succeeded.
* Beginning Execution
* The execution phase succeeded for
"pbul-qa-hpux11v3-01.unix.beyondtrust.com:/".
* Execution succeeded.
NOTE: More information may be found in the agent logfile using the
command "swjob -a log pbul-qa-hpux11v3-01.unix.beyondtrust.com-0267
@ pbul-qa-hpux11v3-01.unix.beyondtrust.com:/".
======= 05/27/17 09:54:26 PDT END swremove SESSION (non-interactive)
(jobid=pbul-qa-hpux11v3-01.unix.beyondtrust.com-0267)
# swjob -a log pbul-qa-hpux11v3-01.unix.beyondtrust.com-0267 @ pbul-qa-hpux11v3-01.unix.beyondtrust.com:/
======= 05/27/17 09:54:20 PDT BEGIN remove AGENT SESSION (pid=16901)
(jobid=pbul-qa-hpux11v3-01.unix.beyondtrust.com-0267)
* Agent session started for user
"[email protected]". (pid=16901)
* Beginning Analysis Phase.
* Target: pbul-qa-hpux11v3-01.unix.beyondtrust.com:/
* Target logfile:
pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/adm/sw/swagent.log
* Reading source for file information.
* Summary of Analysis Phase:
* 4 of 4 filesets had no Errors or Warnings.
* The Analysis Phase succeeded.
* Beginning the Unconfigure Execution Phase.
* Filesets: 4
* Files: 111
* Kbytes: 91063
NOTE: Reading pb.cfg...
NOTE: Looking for SuperDaemons to configure...
NOTE: Finished looking for SuperDaemons to configure...
NOTE: Removing PowerBroker service definitions (if any) from /etc/services.
NOTE: Removing any PowerBroker definitions from SuperDaemon inetd file /etc/inetd.conf
NOTE: Reloading SuperDaemon Configurations...
NOTE: Done Reloading SuperDaemon Configurations...
* Beginning the Remove Execution Phase.
* Removing fileset "PowerBroker-Cfg.CLIENT1,l=/,r=9.4.3.18" (1 of 4).
* Removing fileset "PowerBroker-hpia64.RUNHOST,l=/,r=9.4.3.18" (2 of 4).
Removing /opt/pbul/scripts
* Removing fileset
"PowerBroker-hpia64.SHAREDLIBS,l=/,r=9.4.3.18" (3 of 4).
* Removing fileset
"PowerBroker-hpia64.SUBMITHOST,l=/,r=9.4.3.18" (4 of 4).
* Summary of Execution Phase:
* 4 of 4 filesets had no Errors or Warnings.
* The Execution Phase succeeded.
======= 05/27/17 09:54:26 PDT END remove AGENT SESSION (pid=16901)
(jobid=pbul-qa-hpux11v3-01.unix.beyondtrust.com-0267)
# swremove -d PowerBroker-Cfg PowerBroker-hpia64
======= 05/27/17 09:56:54 PDT BEGIN swremove SESSION
(non-interactive)
(jobid=pbul-qa-hpux11v3-01.unix.beyondtrust.com-0268)
* Session started for user
"[email protected]".
* Beginning Selection
* Target connection succeeded for
"pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw".
* Software selections:
PowerBroker-Cfg.CLIENT1,r=9.4.3.18,a=HP-UX_B.11.11/23/31_32/64_IA/PA,v=BeyondTrust
PowerBroker-hpia64.RUNHOST,r=9.4.3.18,a=HP-UX_B.11.23/31_64_IA,v=BeyondTrust
PowerBroker-hpia64.SHAREDLIBS,r=9.4.3.18,a=HP-UX_B.11.23/31_64_IA,v=BeyondTrust
PowerBroker-hpia64.SUBMITHOST,r=9.4.3.18,a=HP-UX_B.11.23/31_64_IA,v=BeyondTrust
* Selection succeeded.
* Beginning Analysis
* Session selections have been saved in the file
"/.sw/sessions/swremove.last".
* The analysis phase succeeded for
"pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw".
* Analysis succeeded.
* Beginning Execution
* The execution phase succeeded for
"pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw".
* Execution succeeded.
NOTE: More information may be found in the agent logfile using the
command "swjob -a log pbul-qa-hpux11v3-01.unix.beyondtrust.com-0268
@ pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw".
======= 05/27/17 09:56:54 PDT END swremove SESSION (non-interactive)
(jobid=pbul-qa-hpux11v3-01.unix.beyondtrust.com-0268)
# swjob -a log pbul-qa-hpux11v3-01.unix.beyondtrust.com-0268 @ pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw
======= 05/27/17 09:56:54 PDT BEGIN remove AGENT SESSION (pid=17066)
(jobid=pbul-qa-hpux11v3-01.unix.beyondtrust.com-0268)
* Agent session started for user
"[email protected]". (pid=17066)
* Beginning Analysis Phase.
* Target:
pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw
* Target logfile:
pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw/swagent.log
* Reading source for file information.
* Summary of Analysis Phase:
* 4 of 4 filesets had no Errors or Warnings.
* The Analysis Phase succeeded.
* Beginning the Remove Execution Phase.
* Filesets: 4
* Files: 111
* Kbytes: 91063
* Removing fileset "PowerBroker-Cfg.CLIENT1,r=9.4.3.18" (1 of 4).
* Removing fileset "PowerBroker-hpia64.RUNHOST,r=9.4.3.18" (2 of 4).
* Removing fileset "PowerBroker-hpia64.SHAREDLIBS,r=9.4.3.18" (3 of 4).
* Removing fileset "PowerBroker-hpia64.SUBMITHOST,r=9.4.3.18" (4 of 4).
* Summary of Execution Phase:
* 4 of 4 filesets had no Errors or Warnings.
* The Execution Phase succeeded.
======= 05/27/17 09:56:54 PDT END remove AGENT SESSION (pid=17066)
(jobid=pbul-qa-hpux11v3-01.unix.beyondtrust.com-0268)
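The agent logs above close each phase with an "N of N filesets had no Errors or Warnings" summary. As an added example (not part of the BeyondTrust documentation), the POSIX shell function below audits swjob -a log output for that summary and for a complete BEGIN/END agent session. The ERROR: and WARNING: line prefixes it looks for are an assumption made by analogy with the NOTE: lines shown above, and both sample logs are constructed.

```shell
# Audit an SD-UX agent log read from stdin, for example:
#   swjob -a log <jobid> @ <target> | check_sd_agent_log
# Prints one line per finding and returns 0 only when the log is clean.
check_sd_agent_log() {
    awk '
        /BEGIN .* AGENT SESSION/ { began++ }
        /END .* AGENT SESSION/   { ended++ }
        # Phase summary, e.g. "* 4 of 4 filesets had no Errors or Warnings."
        / of [0-9]+ filesets had no Errors or Warnings/ {
            summaries++
            for (i = 1; i <= NF; i++)
                if ($i == "of") { ok = $(i-1); total = $(i+1) }
            if (ok != total) { print "INCOMPLETE: " ok " of " total " filesets clean"; bad++ }
        }
        # Assumed prefixes, modelled on the NOTE: lines in the sample output
        /^[ *]*(ERROR|WARNING):/ { print "FLAGGED: " $0; bad++ }
        END {
            if (began == 0 || began != ended) { print "TRUNCATED: session BEGIN/END mismatch"; bad++ }
            if (summaries == 0) { print "NO SUMMARY: no fileset summary line found"; bad++ }
            exit (bad > 0)
        }
    '
}

# Constructed sample: trimmed from the removal agent log format shown above.
sample_clean_log() {
cat <<'EOF'
======= 05/27/17 09:54:20 PDT BEGIN remove AGENT SESSION (pid=16901)
* Summary of Analysis Phase:
* 4 of 4 filesets had no Errors or Warnings.
* The Analysis Phase succeeded.
* Summary of Execution Phase:
* 4 of 4 filesets had no Errors or Warnings.
* The Execution Phase succeeded.
======= 05/27/17 09:54:26 PDT END remove AGENT SESSION (pid=16901)
EOF
}

# Constructed failure case (not from the page): one fileset reports an error.
sample_failed_log() {
cat <<'EOF'
======= 05/27/17 09:54:20 PDT BEGIN remove AGENT SESSION (pid=16901)
ERROR: constructed failure line for fileset 2 of 4
* Summary of Execution Phase:
* 3 of 4 filesets had no Errors or Warnings.
======= 05/27/17 09:54:26 PDT END remove AGENT SESSION (pid=16901)
EOF
}
```

A non-zero return after swremove means the privilege management components may be only partly removed, so the full agent logfile on the target should be reviewed before the host is treated as clean.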