Package installer

The following sections detail how to install the server-side components of Endpoint Privilege Management for Unix and Linux on Solaris, Linux, HP-UX, and AIX using the system native package installer.

Endpoint Privilege Management for Unix and Linux has separate component packages for the log server, run host, policy server, and so on.

Starting with v9.0, the shared library component package and the REST API component package need to be installed prior to installation of policy server, GUI, run host, submit host and log server.

Solaris package installer

This section describes how to install Endpoint Privilege Management for Unix and Linux using a package installer for Solaris 9 or 10 on an x86 or SPARC computer. Use the Solaris package installer if you want to do any of the following:

  • Install Endpoint Privilege Management for Unix and Linux using the Solaris Package Manager.
  • Make the Endpoint Privilege Management for Unix and Linux installation packages available on a JumpStart server to automate the installation of Solaris computers.

The Endpoint Privilege Management for Unix and Linux Solaris package installer that is described here is not compatible with the BeyondTrust Endpoint Privilege Management v5.x packages. If the BeyondTrust Endpoint Privilege Management v5.x packages are installed, you must remove them before installing the Endpoint Privilege Management for Unix and Linux Solaris packages.

Prerequisites

To use the Solaris package installer, you must have the following:

  • Package tarball file for the appropriate Endpoint Privilege Management for Unix and Linux flavor

ℹ️

Note

For the Solaris package installer, the tarball files are cumulative. That is, an update tarball file contains a complete Endpoint Privilege Management for Unix and Linux installation. It is not necessary to install a baseline version of Endpoint Privilege Management for Unix and Linux before installing an update.

  • Root access or superuser privileges

ℹ️

Note

The Solaris package installer does not support prefix or suffix installations.

Plan your installation

When preparing to use the Solaris package installer, you should be familiar with the following concepts and restrictions:

  • Component packages: an Endpoint Privilege Management for Unix and Linux component package is a Solaris datastream (.ds) file that installs a portion of the Endpoint Privilege Management for Unix and Linux application.

    The Endpoint Privilege Management for Unix and Linux component packages are:

    • BTPBlogh.ds: Contains the log host, pbsync, and pbsyncd.
    • BTPBlibs.ds: Contains the shared libraries.
    • BTPBrest.ds: Contains the REST API files.
    • BTPBrnsh.ds: Contains Registry Name Service files.
    • BTPBlich.ds: Contains the license server files.
    • BTPBmsth.ds: Contains the policy server host, pbsync, and pbsyncd.
    • BTPBsbmh.ds: Contains the submit host and Endpoint Privilege Management for Unix and Linux shells.
    • BTPBrunh.ds: Contains the run host and Endpoint Privilege Management for Unix and Linux utilities.

    Which component packages are required depends on the type of Endpoint Privilege Management for Unix and Linux host you create, such as policy server host, log host, and so forth. You can select the types of Endpoint Privilege Management for Unix and Linux hosts in the pbinstall installation menu, as shown in the following table.

    | Menu selection | Required components |
    | --- | --- |
    | Install everything here (demo mode)? = Yes | BTPBmstr, BTPBrunh, BTPBsbmh, BTPBlogh, BTPBguih, BTPBlibs |
    | Install Policy Server Host? = Yes | BTPBmstr |
    | Install Run Host? = Yes | BTPBrunh |
    | Install Submit Host? = Yes | BTPBsbmh |
    | Install Log Host? = Yes | BTPBlogh |
    | Install BeyondTrust built-in third-party libraries? = Yes | BTPBlibs |
    | Install Registry Name Services Server? [yes] | BTPBrnsh.ds |
    | Install License Server? [yes] | BTPBlich.ds |

  • Configuration package: Solaris installation package that is used to install the following files:

    • pb.settings: Hardcoded target location /etc/pb.settings
    • pb.cfg: Hardcoded target location /etc/pb.cfg
    • All the encryption keyfiles defined for networkencryption, eventlogencryption, iologencryption, reportencryption, policyencryption, and restkeyencryption
    • By default, two key files are created: pb.key and pb.rest.key
    • The sysadmin can define multiple encryption with different keyfiles in locations other than /etc. To upgrade and retain settings on the target machine, view all encryption settings in /etc/pb.settings and copy the files to the settings_files directory before running "pbinstall -z" and pbcreate*cfgpkg
    • pb.conf (for Policy Server hosts)
    • Man pages for the pbinstall and pbcreatesolcfgpkg programs

    The Endpoint Privilege Management for Unix and Linux configuration package is created by the pbcreatesolcfgpkg program. The component packages must be installed before you install the configuration package.

  • Response file: pbcreatesolcfgpkg may also create a corresponding response file. The response file contains select information provided to pbinstall to customize objects contained within the prebuilt component package. For example, it ensures correct ownership of pblighttpd files. This file is created in the component package directory, /unzip-dir/powerbroker///package if it is accessible. If it is not, it is created in the current directory in the same location where the component package is created. Its name contains the same prefix supplied to pbcreatesolcfgpkg.

  • Package name: Name of the installation package stored in the Solaris package manager database. For Endpoint Privilege Management for Unix and Linux package installations, this name is the same as the package file name without the .ds extension.

  • Package administration file: Contains alternative settings that control how Solaris packages are installed.

  • Relocated base directory: The directory where the Endpoint Privilege Management for Unix and Linux binary files and log files are installed. You can choose an alternative directory in which to install these files.

  • pbinstall program: To create the Endpoint Privilege Management for Unix and Linux settings files, you use the pbinstall program with the -z (settings only) option. pbinstall -z only creates the settings files and is incompatible with the following command line options:

    | Options Incompatible with pbinstall -z | Description |
    | --- | --- |
    | -b | Runs pbinstall in batch mode. |
    | -c | Skip the steps that process or update the Endpoint Privilege Management for Unix and Linux settings file. |
    | -e | Runs install script automatically by bypassing the menu step of pbinstall. |
    | -i | Ignores previous pb.settings and pb.cfg files. |
    | -p | Sets the pb installation prefix. |
    | -s | Sets the pb installation suffix. |
    | -u | Install the utility programs. |
    | -x | Creates a log synchronization host (that is, installs pbsyncd). |

When you execute pbinstall with the -z option, you can see two menu items that are not otherwise available:

  • Enter existing pb.settings path: Enables you to specify your own pb.settings file. pbinstall reads this settings file and populates the remaining menu choices. You can override some menu choices. If set to none, then pbinstall does not read a settings file. The remaining menu choices are populated with default values.

  • Enter directory path for settings file creation: Enables you to specify an alternative output directory for the settings files. The default directory is /unzip-dir/powerbroker///install/settings_files, where unzip-dir is the directory where the package tarball file was unzipped.

    The behavior of pbinstall -z depends on whether certain additional command line options are specified:

  • If no other command line options are specified, pbinstall initially presents a short version of the installation menu (items 1–8 only). Depending on the choices you make in these items, further menu items become available.

  • If command line options -g, -l, -m, -o, -r, or -w are specified, pbinstall presents an expanded version of the installation menu that reflects the host types that you are configuring.

    When running pbinstall with the -z option, the following menu items are preprogrammed and cannot be changed:

  • Install man pages?

  • Daemon location

  • Administration programs location

  • User programs location

  • GUI library directory

  • Policy include (sub) file directory

  • User man page location

  • Admin man page location

  • Policy filename

  • BeyondTrust built-in third-party library directory

In addition, the values of the following menu items determine the values of other menu items:

Options Preset When Running pbinstall -z

| Setting this menu option to Yes | Sets these values to Yes |
| --- | --- |
| Install Policy Server Host? | Install Synchronization? Synchronization can be initiated from this host? |
| Install Run Host? | Install Utilities? |
| Install Submit Host? | Install PBSSH? Install pbksh? Install pbsh? Will this host use a Log Host? |
| Install Log Host? | Install Synchronization? Synchronization can be initiated from this host? |

If you plan to use Registry Name Service and are running pbinstall -z on a client host (non-primary server), you must perform client registration. This is necessary to properly set up the registry name service database. Client registration also requires that you collect the following information from the Endpoint Privilege Management for Unix and Linux primary server:

  • REST Application ID

  • REST Application Key

  • Primary server network name or IP address

  • Primary License Server REST TCP/IP port

  • Registration Client Profile name

  • Registering client with Primary RNS: If Registry Name Services is enabled for Endpoint Privilege Management for Unix and Linux, each client host (after the first server installation) needs to be registered with the Primary Registry Name Server. When using package installers on a target host, a post-install configuration script (/opt/pbul/scripts/pbrnscfg.sh) is provided to be manually executed on that host to properly register it. This post-install configuration script will ask for information about the Primary Registry Name Server, including the Application ID (appid), Application Key (appkey), address/domain name, and the REST TCP/IP port number. This is the same information provided during the client registration part of a pbinstall -z install which generates the settings file.

    If you prefer a more convenient method of registering RNS clients, in which the post-install configuration script runs non-interactively, Endpoint Privilege Management for Unix and Linux can save the relevant information in a hidden file during the settings-only run of pbinstall, bundle it with the configuration package, and automatically apply it to the target host when that package is installed. This method is not secure; it is available if the security-convenience trade-off is acceptable. To enable it, refer to the question about the post-install configuration script that is displayed when running pbinstall -z.

ℹ️

Note

For more information, see the following:

  • Relocate the base directory
  • If you use the package installer to install Endpoint Privilege Management for Unix and Linux on a computer that already has an interactive Endpoint Privilege Management for Unix and Linux installation on it, see Interactive versus packaged installation for additional considerations
  • For complete pbinstall command-line options, see Installation Programs

Choose a package administration file

We recommend that you use the package administration files that are provided by BeyondTrust (BTPBadmin and BTPBadmin). These package administration files are configured to eliminate interactive prompts during package installation. If you want to use the Solaris default package administration file or other package administration file for your environment, you may be required to respond to prompts to install the packages.

ℹ️

Note

When installing a package using custom JumpStart, the installation process is required to be noninteractive.

Use EPM-UL packages on Solaris zones

The Endpoint Privilege Management for Unix and Linux Solaris package installer supports Solaris Zones in Solaris release 10. The primary operating system instance is referred to as the global zone. All zones that are not the global zone are referred to as non-global zones.

ℹ️

Note

Solaris release 10 is required. The use of Solaris Zones is not supported on earlier releases.

There are three types of zones:

  • Sparse root: A sparse zone is the default zone configuration and is configurable. It shares the read-only global zone’s /usr, /lib, /platform, and /sbin partitions.
  • Whole root: A whole root zone does not share global zone partitions, which increases configuration flexibility.
  • Branded: A branded zone allows virtualization of Solaris 8, 9, or Linux and shares no partitions from the global zone. Branded zones are available as of Solaris 10 release 08/07 update 4.

ℹ️

Note

Endpoint Privilege Management for Unix and Linux Solaris Packages do not JumpStart to non-global zones. Using Custom JumpStart to install packages on Solaris 10 Zoned systems results in errors as the zones are not running during JumpStart execution.

Installing Endpoint Privilege Management for Unix and Linux Solaris Packages on Zones is very similar to installing these packages on Solaris systems without zones. However, keep the following considerations in mind:

  • Endpoint Privilege Management for Unix and Linux Solaris packages are designed to be installed from the global zone. Packages are propagated to the sparse and whole root zones upon global zone pkgadd and upon zone creation.
  • Endpoint Privilege Management for Unix and Linux Solaris packages are designed to be uninstalled from the global zone. Packages are removed from sparse and whole root zones upon the global zone pkgrm.
  • Endpoint Privilege Management for Unix and Linux Solaris packages can be installed in the global zone only, by using the pkgadd -G command. Endpoint Privilege Management for Unix and Linux Solaris packages cannot be installed in sparse zones (with read-only partitions) and should instead be installed in the global zone. Although Endpoint Privilege Management for Unix and Linux Solaris packages could be installed into a whole-root zone, Endpoint Privilege Management for Unix and Linux Solaris packages are designed to be installed from the global zone. Packages installed on a whole-root zone are subject to overwriting by packages installed in the global zone.
  • As Solaris branded zones are fully contained instances of Solaris 8 or 9, Endpoint Privilege Management for Unix and Linux packages should be installed as with non-zoned Solaris instances. Loading packages to the global zone does not update a branded zone. Endpoint Privilege Management for Unix and Linux Solaris packages for Solaris branded zones running Linux are not supported.
  • The Endpoint Privilege Management for Unix and Linux Solaris configuration package must be removed before removing any Endpoint Privilege Management for Unix and Linux component packages and must be removed individually. Endpoint Privilege Management for Unix and Linux Solaris component packages may be removed simultaneously.

Overview of steps

Using the Endpoint Privilege Management for Unix and Linux Solaris package installer involves the following steps:

  1. Unpack the Endpoint Privilege Management for Unix and Linux package tarball file.
  2. Use the pbinstall program to create Endpoint Privilege Management for Unix and Linux settings files.
  3. Use the pbcreatesolcfgpkg program to create the Endpoint Privilege Management for Unix and Linux configuration package along with a corresponding response file used for additional customization.
  4. Perform a package installation using the Solaris pkgadd command for any required components.
  5. Perform a package installation using the Solaris pkgadd command for the Endpoint Privilege Management for Unix and Linux configuration package.
  6. If Registry Name Service is enabled and installed on a non-primary server, run /opt/pbul/scripts/pbrnscfg.sh to register the host.

ℹ️

Note

For more detail on the steps above, see Installation Process.

Installation procedure

ℹ️

Note

Before installing Solaris packages, if the directories where files are installed, /usr/local, /usr/bin etc., are symbolic links to other directories, then set the environment variable PKG_NONABI_SYMLINKS to true:

# PKG_NONABI_SYMLINKS=true
# export PKG_NONABI_SYMLINKS

This prevents the symbolic links from being removed by the pkgadd command on Solaris.

To install Endpoint Privilege Management for Unix and Linux using the Solaris Package Manager, do the following:

  1. Extract the package tarball files into the /opt/beyondtrust/ directory by executing the following command:

    gunzip -c pmul<flavor_version>_pkg.tar.Z | tar xvf -
    
  2. Navigate to the /opt/beyondtrust/powerbroker///install/ directory.

  3. Execute the following command:

    ./pbinstall -z
    

    You can include other options with the -z option. Use the -R option if you want to specify an alternate base directory for installing the component packages.

    You are asked if you want to use client registration. If you plan to enable Registry Name Service, and are installing on a host that is not designated as a primary server, you must run client registration.

    pbinstall then asks if you want to enable Registry Name Service.

    pbinstall displays the Endpoint Privilege Management for Unix and Linux installation menu.

  4. Make your menu selections.

    When the menu selection process is complete, pbinstall creates the following files in the specified location:

    • pb.settings
    • pb.cfg
    • pb.key (if encryption is enabled)
    • pb.conf (for Policy Server host)
    • pbpolicykey.pem and pbpolicypubcert.pem (for Policy Server hosts with Cached Policy feature enabled)

ℹ️

Note

The Enter existing pb.settings path menu option enables you to specify your own pb.settings file to use. Also, the Enter directory path for settings file creation menu option enables you to specify where to save the generated settings files. These menu options are available only when running pbinstall with the -z option.

  5. Optional. For an Endpoint Privilege Management for Unix and Linux client, if client-server communications are to be encrypted, replace the generated pb.key file with the pb.key file from the policy server host. Also, copy any other required key files into the same directory.

  6. Optional. For a policy server host, write a policy file (pb.conf) and place it in the directory with the other generated files. If you do not provide a pb.conf file, a pb.conf file with the single command reject; is generated and packaged.

    Starting with v8.0, pbinstall -z can optionally install the default role-based policies and asks:

    Installing default role-based policy pbul_policy.conf and pbul_functions.conf in <install_dir>/settings_files
    Would you like to use the default role-based policy in the configuration package?
    
    • Answer Yes for new installs only.
    • If you are upgrading an existing configuration package, to avoid overwriting your existing policy, answer No.
      Use the default role-based policy [Y]?
      
    • If you answer Yes, the default pb.conf, pbul_policy.conf and pbul_functions.conf are created and installed on the policy server.
    • If you are installing over an existing installation, and have an existing policy in place, answer No.
  7. Navigate to the /opt/beyondtrust/powerbroker///install/ directory.

  8. Run the pbcreatesolcfgpkg utility by typing:

    pbcreatesolcfgpkg -p suffix -s directory
    
    • suffix is appended to the filenames of the configuration package datastream file and the package administration file; length can be up to 26 characters (3 characters for unpatched Solaris 8).
    • directory contains the Endpoint Privilege Management for Unix and Linux settings and configuration files to include in the package.

    The pbcreatesolcfgpkg utility creates the following files:

    • Configuration package file BTPBcf.ds
    • Package administration file BTPBadmin
    • Response file BTPB.resp
  9. Navigate to the /opt/beyondtrust/powerbroker///package/ directory.

  10. Optional. To install Endpoint Privilege Management for Unix and Linux in an alternative base directory, edit the provided BTPBadmin file and change the basedir=default entry as follows:

    basedir=target_base_directory
    

    target_base_directory is the absolute path of the target base directory.

  11. For each required component package, run the Solaris pkgadd utility to install the component package by typing:

    pkgadd -a BTPBadmin -r response-file  -d pkg-datastream-file pkg-name
    

    pkg-datastream-file is the name of the component package datastream (.ds) file. response-file is the location and name of the response file, if generated, and pkg-name is the name of the package. For Endpoint Privilege Management for Unix and Linux packages, the package name is the same as the datastream file name without the .ds extension.

Example

pkgadd -a BTPBadmin -r ./BTPB<suffix>.resp -d BTPBrunh.ds BTPBrunh

If no response file is generated (not applicable):

pkgadd -a BTPBadmin -d BTPBrunh.ds BTPBrunh

  12. Run the Solaris pkgadd utility to install the Endpoint Privilege Management for Unix and Linux configuration package by typing:

    pkgadd -a BTPBadmin<suffix> -d BTPBcf<suffix>.ds BTPBcf<suffix>

    <suffix> is the suffix specified when the Endpoint Privilege Management for Unix and Linux configuration package is created in step 8.

  13. Verify the installation of the packages with the Solaris pkginfo utility by typing:

    pkginfo | grep BTPB
    
  14. If Registry Name Service is enabled and installed on a non-primary server, register the host with the Primary Registry Name Server using a post-install configuration script. Gather the Application ID, Application Key, network name or IP address, and REST TCP/IP port of the primary server, then run the script to register the host and follow the prompts:

    /opt/pbul/scripts/pbrnscfg.sh
    

ℹ️

Note

If you install Endpoint Privilege Management for Unix and Linux using a custom JumpStart session, the Endpoint Privilege Management for Unix and Linux configuration package should be added or removed only once per session to avoid installing conflicting rc scripts.
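
The ordering rules of the installation procedure (shared library and REST API packages first, configuration package last, -r only when a response file exists), written as a dry-run planner with a post-install check. This is an added example, not BeyondTrust code: the function names and the suffix SBM are hypothetical, the pkginfo lines are constructed, and a POSIX shell such as /usr/xpg4/bin/sh or bash is assumed.

```shell
#!/bin/sh
# Added example, not BeyondTrust code: a dry-run planner for the procedure
# above. It only prints commands and checks text; nothing is installed.
# Package and file names are the ones on this page; function names and the
# suffix "SBM" are hypothetical.

# valid_suffix SUFFIX: the configuration package suffix may be up to 26
# characters long.
valid_suffix() {
    [ "${#1}" -le 26 ]
}

# ordered_components PKG...: print the component packages in install order.
# BTPBlibs and BTPBrest always come first (required before the other
# components starting with v9.0); duplicates are dropped.
ordered_components() {
    seen=" "
    for p in BTPBlibs BTPBrest "$@"; do
        case $seen in *" $p "*) continue ;; esac
        seen="$seen$p "
        echo "$p"
    done
}

# install_plan SUFFIX PKG_DIR PKG...: print one pkgadd line per component,
# then the configuration package last. -r is added only when the response
# file written by pbcreatesolcfgpkg exists in PKG_DIR.
install_plan() {
    suffix=$1; dir=$2; shift 2
    valid_suffix "$suffix" || { echo "suffix too long: $suffix" >&2; return 1; }
    resp=""
    [ -f "$dir/BTPB$suffix.resp" ] && resp="-r ./BTPB$suffix.resp "
    for p in $(ordered_components "$@"); do
        echo "pkgadd -a BTPBadmin ${resp}-d $p.ds $p"
    done
    echo "pkgadd -a BTPBadmin$suffix -d BTPBcf$suffix.ds BTPBcf$suffix"
}

# missing_packages SUFFIX PKG...: read `pkginfo` output on stdin and print
# every expected package (components plus BTPBcf<suffix>) that is absent.
missing_packages() {
    suffix=$1; shift
    # pkginfo prints: category, package instance, name; keep the second column
    installed=" $(awk '{ print $2 }' | tr '\n' ' ') "
    for p in $(ordered_components "$@") "BTPBcf$suffix"; do
        case $installed in
            *" $p "*) ;;
            *) echo "$p" ;;
        esac
    done
}

# Demo: plan a run host plus submit host installation.
install_plan SBM . BTPBrunh BTPBsbmh

# Constructed pkginfo output in which the submit host package is absent;
# the check prints BTPBsbmh.
missing_packages SBM BTPBrunh BTPBsbmh <<'EOF'
application BTPBlibs   constructed description
application BTPBrest   constructed description
application BTPBrunh   constructed description
application BTPBcfSBM  constructed description
EOF
```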

Remove EPM-UL packages

Removing the packages completely uninstalls Endpoint Privilege Management for Unix and Linux from a computer.

To remove the packages:

  1. Navigate to the /opt/beyondtrust/powerbroker///install/ directory.

  2. Remove the Endpoint Privilege Management for Unix and Linux packages by typing:

    pkgrm -na ./BTPBadmin config-package-name component-package-1 ... component-package-n
    
    • BTPBadmin is the package administration file that is supplied by BeyondTrust. You can specify a different package administration file, or leave out the -a option to use the default package administration file. The BTPBadmin package administration file is designed to make the package installation and removal processes run noninteractively.
    • config-package-name is the name of the package specified when the configuration package is installed. Because of the dependency relationship between the configuration package and the component packages, this package name must come first in the list.
    • component-package-1 through component-package-n are the names of the packages specified when the component packages are installed.

Relocate the base directory

The Solaris package management system enables you to specify an alternative base directory for package installation. With this feature, specify a directory to install the binary files and log files. Certain files, such as pb.settings, pb.cfg, and key files, must be located in the /etc directory for Endpoint Privilege Management for Unix and Linux to run. These files are not relocatable.

To relocate the base directory from the default / (root) directory:

  1. On the target machine, create the target base directory if it does not already exist.

  2. When you run pbinstall, use the -R option and specify the new base directory.

  3. Before installing the Endpoint Privilege Management for Unix and Linux component packages, edit the provided BTPBadmin package administration file and change the basedir entry to refer to the new base directory.

    Change the basedir=default entry as follows:

    basedir=target_base_directory
    

    target_base_directory is the absolute path of the target base directory.

  4. When you install the component packages, execute pkgadd with the -a option and use the BTPBadmin package administration file.

    For each required component package, run the Solaris pkgadd utility to install the component package by typing:

    pkgadd -a BTPBadmin -r response-file  -d pkg-datastream-file pkg-name
    

    pkg-datastream-file is the name of the component package datastream (.ds) file. response-file is the location and name of the response file, if generated, and pkg-name is the name of the package. For Endpoint Privilege Management for Unix and Linux packages, the package name is the same as the datastream file name without the .ds extension.

Example

pkgadd -a BTPBadmin -r ./BTPB<suffix>.resp -d BTPBrunh.ds BTPBrunh

If no response file is generated (not applicable):

pkgadd -a BTPBadmin -d BTPBrunh.ds BTPBrunh

Update EPM-UL with the Solaris Package Installer

The Solaris package installer can be used to update an existing installation to a new version. The existing version should have been installed with the Endpoint Privilege Management for Unix and Linux package installer.

ℹ️

Note

It is possible to use the Solaris package installer to install Endpoint Privilege Management for Unix and Linux over an existing version that was installed with pbinstall. However, doing so is not recommended because it can result in unused files from the existing version remaining in the file system.

Package update considerations

Installing an update with the Solaris package installer is similar to using the Solaris package installer to install Endpoint Privilege Management for Unix and Linux for the first time. Keep these considerations in mind when you prepare to update Endpoint Privilege Management for Unix and Linux:

  • Technically, the Solaris packages are update packages, as opposed to upgrade packages. An update package overwrites the existing files before registering the new version number in the Solaris Package Manager database.
  • A Solaris update package contains a complete Endpoint Privilege Management for Unix and Linux installation, not just the files that have changed since the previous release.
  • The Solaris update packages are compatible with JumpStart.
  • If you have more than one Endpoint Privilege Management for Unix and Linux package on a computer, update all packages on that computer.
  • A newer release can introduce features that use new settings or configurations. An upgrade of the configuration package of Endpoint Privilege Management for Unix and Linux is also needed.
  • Unlike Endpoint Privilege Management for Unix and Linux patches that are installed with pbpatchinstall, update packages cannot be rolled back to a previous release. However, you can install an older package over a newer one, effectively rolling back to the older release.

Package update procedure

Follow this procedure to update your installation of Endpoint Privilege Management for Unix and Linux using the Solaris package installer:

  1. Obtain the tarball file for the Solaris update packages that are appropriate for your hardware. The tarball file name has the format pmul-v.v.r-b-pn_pkg.tar.Z, where:
    • indicates the operating system and hardware architecture.
    • v.v.r is the major and minor version number and the release number.
    • b is the build number.
    • n is the update number.
  2. Extract the package tarball files into the /unzip-dir/ directory of the computer that you are updating by executing the following command:
    gunzip -c pmul<flavor_version>_pkg.tar.Z | tar xvf -
    
  3. Navigate to the /unzip-dir/powerbroker///install/ directory.
  4. Create the settings_files directory and change directory to that location.
  5. To retain or correctly update the settings of the current installation, copy the following files from the target installation host into the settings_files directory you created in step 4:
    • /etc/pb.settings
    • /etc/pb.cfg
    • encryption keys defined in pb.settings for networkencryption, eventlogencryption, iologencryption, reportencryption, policyencryption, and restkeyencryption settings (if enabled)

ℹ️

Note

In a default installation, there are typically 2 key files created: pb.key and pb.rest.key.

  • policy file defined in policyfile setting in pb.settings (if the target installation is a Policy Server)

ℹ️

Note

In a default installation, the policy file is located in /opt/pbul/policies/pb.conf.

  6. Execute the following command and verify the installation settings:

    ./pbinstall -z

  7. Create the upgrade configuration package by running the pbcreatesolcfgpkg utility:

    pbcreatesolcfgpkg -p suffix

Use the current suffix of the installation to be upgraded. Use the suffix you provided in the initial package installation in step 8 of the Installation procedure.

Another way to find the suffix is to run the following command on the target installation host to get the list of packages installed:

pkginfo -x | grep BTPB

Identify the suffix of the Endpoint Privilege Management for Unix and Linux configuration package using this format:

BTPBcf<suffix>

  8. Navigate to the /unzip-dir/powerbroker///package/ directory.

  9. Optional. To install Endpoint Privilege Management for Unix and Linux in an alternative base directory, edit the provided BTPBadmin file and change the basedir=default entry as follows:

    basedir=target_base_directory
    

    target_base_directory is the absolute path of the target base directory.

  10. For each required component package, run the Solaris pkgadd utility to install the component package by typing:

    pkgadd -a BTPBadmin -r response-file -d pkg-datastream-file pkg-name
    

    pkg-datastream-file is the name of the component package datastream (.ds) file. response-file is the location and name of the response file, if generated, and pkg-name is the name of the package. For Endpoint Privilege Management for Unix and Linux packages, the package name is the same as the datastream file name without the .ds extension.

Example

pkgadd -a BTPBadmin -r ./BTPB<suffix>.resp -d BTPBrunh.ds BTPBrunh

If no response file is generated (not applicable):

pkgadd -a BTPBadmin -d BTPBrunh.ds BTPBrunh

  11. Navigate to the /unzip-dir/powerbroker///install/ directory.

  12. Run the Solaris pkgadd utility to install the Endpoint Privilege Management for Unix and Linux configuration package by typing:

    pkgadd -a BTPBadmin<suffix> -d BTPBcf<suffix>.ds BTPBcf<suffix>

    <suffix> is the suffix specified when the Endpoint Privilege Management for Unix and Linux configuration package is created in step 7.

  13. Verify the installation of the packages with the Solaris pkginfo utility by typing:

    pkginfo -x | grep BTPB
    

Upgrade the configuration package

When upgrading the configuration package (cfg pkg), some settings that are part of the package might need settings and configuration files copied from the existing installation to the staging host.

Files included in the cfg package:

  • pb.settings: Hardcoded target location /etc/pb.settings.

  • pb.cfg: Hardcoded target location /etc/pb.cfg.

  • All the encryption key files defined for networkencryption, eventlogencryption, iologencryption, reportencryption, policyencryption, and restkeyencryption. By default, two key files are typically created:

    • pb.key
    • pb.rest.key

    The sysadmin can define encryption with different key files in locations other than /etc. Therefore, when upgrading, to retain what is installed on the target machine, review all the encryption settings in /etc/pb.settings. Copy the settings to the settings_files directory before running pbinstall -z and pbcreate*cfgpkg.

  • Policy file if the target is a policy server.

Sample Execution for the Solaris Package Installer

The sample execution shows the installation of an Endpoint Privilege Management for Unix and Linux submit host, run host, and shared libraries using the Endpoint Privilege Management for Unix and Linux Solaris package installer.

This sample execution is divided into the following parts:

  • Generate the Endpoint Privilege Management for Unix and Linux settings files.
  • Create the Endpoint Privilege Management for Unix and Linux configuration package using the pbcreatesolcfgpkg program.
  • Install the component packages using the pkgadd command.
  • Install the configuration package using the pkgadd command.

Generate the EPM-UL settings files

This section of the execution shows the generation of the Endpoint Privilege Management for Unix and Linux settings files (pb.key, pb.cfg, and pb.settings) and also displays the Endpoint Privilege Management for Unix and Linux installation menu. This output was generated using the pbinstall program with the options: -z, -l, and -r.

Example

# ./pbinstall -z -l -r
Starting pbinstall main() from /opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/.
solaris9-10.x86
WARNING:When creating configuration packages to be installed on Solaris Zones, care must be taken to set log file directories to Zone-writable partitions.
The default Solaris sparse zone has the following read-only and/or shared partitions, although configuration can vary:
/usr /lib /platform /sbin
The Endpoint Privilege Management for Unix and Linux log file default directory for Solaris Zones is '/var/adm'.

Endpoint Privilege Management for Unix and Linux Settings File Generation

Please read the Endpoint Privilege Management for Unix and Linux Installation Instructions before proceeding.

Checking MANIFEST against release directory

Press return to continue

The Registry Name Service of Endpoint Privilege Management for Unix and Linux facilitates location of other services within the EPM-UL enterprise with the aid of a centralized data repository.
IMPORTANT: client registration is required if this is not the Primary Server and you intend to use Registry Name Services.
Do you wish to utilize Registry Name Service? [yes]? no
BeyondTrust Endpoint Privilege Management for Unix and Linux Installation Menu
        Opt  Description                              [Value] 
        1  Install Everything Here (Demo Mode)?        [no]
        2  Install License Server?                     [no]
        3  Install Registry Name Services Server?      [no]
        4  Install Client Registration Server?         [no]
        7  Install Submit Host?                         [yes]
        8  Install PBSSH                                [yes]
        10  Install Log Host?                           [yes]
        11  Enable Logfile Tracking and Archiving?      [yes]
        12  Is this a Log Archiver Storage Server?      [no]
        13  Is this a Log Archiver Database Server?     [no]
        14  Install File Integrity Monitoring Polic...  [no]
        15  Install REST Services?                      [yes]
        16  List of License Servers                     [*]
        19  Path to Password Safe 'pkrun' binary        []
        23  Install Synchronization program?            [yes]
        25  Install Secure GUI Host?                    [yes]
        26  Install Utilities: pbvi, pbnvi, pbmg, p...  [yes]
        27  Install pbksh?                              [yes]
        28  Install pbsh?                               [yes]
        29  Install man pages?                          [no]
        30  Will this host use a Log Host?              [yes]
        31  AD Bridge Integration?                      [no]
        37  Integration with BeyondInsight?             [no]
        55  Synchronization program can be initiate...  [yes]
        56  Daemons location                            [/usr/sbin]
        57  Number of reserved spaces for submit pr...  [80]
        58  Administration programs location            [/usr/sbin]
        59  User programs location                      [/usr/local/bin]
        60  GUI library directory                       [/usr/local/lib/pbbuilder]
        61  Policy include (sub) file directory         [/opt/pbul/policies]
        62  Policy file name                            [/opt/pbul/policies/pb.conf]
        65  Log Archive Storage Server name             []
        67  Log Archiver Database Server name           []
        69  Logfile Name Cache Database file path?      [/opt/pbul/dbs/pblogcache.db]
        70  REST Service installation directory?        [/usr/lib/beyondtrust/pb/rest]
        71  Install REST API sample code?               [no]
        73  Pblighttpd user                             [pblight]
        75  Pblighttpd user UID                         []
        76  Pblighttpd user GID                         []
        78  Configure systemd?                          [yes]
        79  Command line options for pbmasterd          [-ar]
        80  Policy Server Delay                         [500]
        81  Policy Server Protocol Timeout              [-1]
        82  pbmasterd diagnostic log                    [/var/log/pbmasterd.log]
        83  Eventlog filename                           [/var/log/pb.eventlog]
        84  Configure eventlog rotation via size?       []
        85  Configure eventlog rotation path?           []
        86  Configure eventlog rotation via cron?       [no]
        87  Validate Submit Host Connections?           [no]
        88  List of Policy Servers to submit to         [kandor]
        89  pbrun diagnostic log?                       [none]
        90  pbssh diagnostic log?                       [none]
        91  Allow Local Mode?                           [yes]
        92  Additional secured task checks?             [no]
        93  Suppress Policy Server host failover er...  [yes]
        94  List of Policy Servers to accept from       [kandor]
        95  pblocald diagnostic log                     [/var/log/pblocald.log]
        96  Command line options for pblocald           []
        97  Syslog pblocald sessions?                   [no]
        98  Record PTY sessions in utmp/utmpx?          [yes]
        99  Validate Policy Server Host Connections?    [no]
        100  List of Log Hosts                          [kandor]
        101  Command line options for pblogd            []
        102  Log Host Delay                             [500]
        103  Log Host Protocol Timeout                  [-1]
        104  pblogd diagnostic log                      [/var/log/pblogd.log]
        105  List of log reserved filesystems           [none]
        106  Number of free blocks per log system fi... [0]
        107  Command line options for pbsyncd           []
        108  Sync Protocol Timeout                      [-1]
        109  pbsyncd diagnostic log                     [/var/log/pbsyncd.log]
        110  pbsync diagnostic log                      [/var/log/pbsync.log]
        111  pbsync sychronization time interval (in... [15]
        112  Add installed shells to /etc/shells        [no]
        113  pbksh diagnostic file                      [/var/log/pbksh.log]
        114  pbsh diagnostic file                       [/var/log/pbsh.log]
        115  Stand-alone pblocald command               [none]
        116  Stand-alone root shell default iolog       [/pbshell.iolog]
        
       
        
        
        121  Use syslog?                                [yes]
        122  Syslog facility to use?                    [LOG_AUTHPRIV]
        123  Base Daemon port number                    [24345]
        124  pbmasterd port number                      [24345]
        125  pblocald port number                       [24346]
        126  pblogd port number                         [24347]
        
       
        129  pbsyncd port number                        [24350]
        130  REST Service port number                   [24351]
        131  Add entries to '/etc/services'             [yes]
        132  Allow non-reserved port connections        [yes]
        133  Inbound Port range                         [1025-65535]
        134  Outbound Port range                        [1025-65535]
        137  Network encryption options                 [aes-256:keyfile=/etc/pb.key]
        138  Event log encryption options               [none]
        139  I/O log encryption options                 [none]
        140  Report encryption options                  [none]
        141  Policy file encryption options             [none]
        142  Settings file encryption type              [none]
        143  REST API encryption options                [aes-256:keyfile=/etc/pb.re...]
        144  Configure with Kerberos v5?                [no]
        150  Enforce High Security Encryption?          [yes]
        151  Use SSL?                                   [yes]
        152  SSL Configuration?                         [requiressl]
        153  SSL pbrun Certificate Authority Directory? [none]
        154  SSL pbrun Certificate Authority File?      [none]
        155  SSL pbrun Cipher List?                     [HIGH:!SSLv2:!3DES:!MD5:@ST…]
        156  SSL pbrun Certificate Directory?           [none]
        157  SSL pbrun Certificate File?                [none]
        158  SSL pbrun Private Key Directory?           [none]
        159  SSL pbrun Private Key File?                [none]
        160  SSL pbrun Certificate Subject Checks?      [none]
        161  SSL Server Certificate Authority Direct... [none]
        162  SSL Server Certificate Authority File?     [none]
        163  SSL Server Cipher List?                    [HIGH:!SSLv2:!3DES:!MD5:@ST...]
        164  SSL Server Certificate Directory?          [none]
        165  SSL Server Certificate File?               [/etc/pbssl.pem]
        166  SSL Server Private Key Directory?          [none]
        167  SSL Server Private Key File?               [/etc/pbssl.pem]
        168  SSL Server Certificate Subject Checks?     [none]
        169  SSL Certificate Country Code               [US]
        170  SSL Certificate State/Province             [AZ]
        171  SSL Certificate Location (Town/City)       [Phoenix]
        172  SSL Certificate Organizational Unit/Dep... [Security]
        173  SSL Certificate Organization               [BeyondTrust]
        174  Configure Privilege Management for Unix... [no]
        175  Install BeyondTrust built-in third-part... [yes]
        176  BeyondTrust built-in third-party librar... [/usr/lib/beyondtrust/pb]
        188  Use PAM?                                   [no]
        196  Allow Remote Jobs?                         [yes]
        197  UNIX Domain Socket directory               [none]
        198  Reject Null Passwords?                     [no]
        199  Enable TCP keepalives?                     [no]
        200  Name Resolution Timeout                    [0]
        N for the next menu page, P for the previous menu page, C to continue, X to exit
        Please enter a menu option [For technical support call 1-800-234-9072]> c

Generating key file /opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/settings_files/pb.key...

Are all the installation settings correct [yes]?
Generating config file /opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/settings_files/pb.cfg
Creating the settings file creation script
Backed up existing settings file creation script to:
'/opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/pbcreatesettingsfile.ctime.May_26_11:01'
Running settings file creation script
Creating settings file /opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/settings_files/pb.settings
Generated settings files are in directory: /opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/settings_files
Endpoint Privilege Management for Unix and Linux Settings File Generation completed successfully.

Create the EPM-UL configuration package using pbcreatesolcfgpkg

This section shows the creation of the Endpoint Privilege Management for Unix and Linux configuration package using the pbcreatesolcfgpkg program with the -p and -s options.

ℹ️

Note

At the end of its output, the pbcreatesolcfgpkg script shows which Endpoint Privilege Management for Unix and Linux component packages need to be installed.

Example

# cd /opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install
# ./pbcreatesolcfgpkg -p CLIENT1 -s /opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/settings_files
pbcreatesolcfgpkg: starting from /opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install
        
Warning: Unpatched Solaris 8 has a 9 character package name limitation!
The package name created 'BTPBcfCLIENT1' is 13 characters...
        
pbcreatesolcfgpkg: keyfile pb.key will be included in package
Reading /opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/settings_files/pb.cfg
## Building pkgmap from package prototype file.
## Processing pkginfo file.
## Attempting to volumize 15 entries in pkgmap.
part  1 -- 637 blocks, 24 entries
## Packaging one part.
/opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/BTPBcfCLIENT1/BTPBcfCLIENT1/pkgmap
/opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/BTPBcfCLIENT1/BTPBcfCLIENT1/pkginfo
/opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/BTPBcfCLIENT1/BTPBcfCLIENT1/root/etc/init.d/sypbcfg_svcsinetdsmf
/opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/BTPBcfCLIENT1/BTPBcfCLIENT1/root/etc/pb.cfg
/opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/BTPBcfCLIENT1/BTPBcfCLIENT1/root/etc/pb.key
/opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/BTPBcfCLIENT1/BTPBcfCLIENT1/root/etc/pb.settings
/opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/BTPBcfCLIENT1/BTPBcfCLIENT1/root/etc/rc2.d/S99sypbcfg_pbpatton
/opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/BTPBcfCLIENT1/BTPBcfCLIENT1/root/var/adm/pbksh.log
/opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/BTPBcfCLIENT1/BTPBcfCLIENT1/root/var/adm/pblocald.log
/opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/BTPBcfCLIENT1/BTPBcfCLIENT1/root/var/adm/pbsh.log
/opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/BTPBcfCLIENT1/BTPBcfCLIENT1/install/checkinstall
/opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/BTPBcfCLIENT1/BTPBcfCLIENT1/install/copyright
/opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/BTPBcfCLIENT1/BTPBcfCLIENT1/install/depend
/opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/BTPBcfCLIENT1/BTPBcfCLIENT1/install/postinstall
/opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/BTPBcfCLIENT1/BTPBcfCLIENT1/install/postremove
/opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/BTPBcfCLIENT1/BTPBcfCLIENT1/install/preinstall
/opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/BTPBcfCLIENT1/BTPBcfCLIENT1/install/preremove
## Validating control scripts.
## Packaging complete.
pbcreatesolcfgpkg: created package BTPBcfCLIENT1 in /opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/BTPBcfCLIENT1
Checking uninstalled directory format package <BTPBcfCLIENT1> from </opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/BTPBcfCLIENT1>
## Checking control scripts.
## Checking package objects.
## Checking is complete.
pbcreatesolcfgpkg: pkgchk for spooled package BTPBcfCLIENT1 succeeded.
Transferring <BTPBcfCLIENT1> package instance
pbcreatesolcfgpkg: pkgtrans for package BTPBcfCLIENT1 succeeded.
Checking uninstalled stream format package <BTPBcfCLIENT1> from </opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/BTPBcfCLIENT1.ds>
## Checking control scripts.
## Checking package objects.
## Checking is complete.
rm: Cannot remove any directory in the path of the current working directory
/var/tmp/aaaJEaG90/BTPBcfCLIENT1
pbcreatesolcfgpkg: pkgchk for datastream package BTPBcfCLIENT1 succeeded.
pbcreatesolcfgpkg: spooled package BTPBcfCLIENT1 removed.

pbcreatesolcfgpkg: package datastream file is: /opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/BTPBcfCLIENT1.ds
pbcreatesolcfgpkg: package admin file is: /opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/BTPBadminCLIENT1

pbcreatesolcfgpkg: the following packages will need to be loaded to the target system:
BTPBrunh BTPBsbmh BTPBlibs

pbcreatesolcfgpkg: completed.
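
The package list at the end of this output, together with the rule that the shared library and REST API packages go on first, can be turned into an install plan. The following shell functions are an added example, not BeyondTrust code; the function names are hypothetical, and the script assumes the pbcreatesolcfgpkg output and the target's pkginfo output have each been saved to a file.

```shell
#!/bin/sh
# Added example (not BeyondTrust code): turn pbcreatesolcfgpkg output into an
# ordered pkgadd plan. It only prints commands; nothing is installed.
# Assumptions: the log is the saved output of pbcreatesolcfgpkg, the pkginfo
# file is saved "pkginfo" output from the target, and the component commands
# are run from the directory that holds the .ds files and BTPBadmin.

# Component packages that must be on the host before the others (v9.0+).
PREREQ_PACKAGES='BTPBlibs BTPBrest'

# Print the packages listed after the "will need to be loaded" message.
required_packages() {
    awk '
        grab && NF { for (i = 1; i <= NF; i++) print $i; exit }
        /packages will need to be loaded to the target system:/ { grab = 1 }
    ' "$1"
}

# Print the value that follows a "pbcreatesolcfgpkg: <label>" prefix.
log_value() {
    sed -n "s|^pbcreatesolcfgpkg: $2 ||p" "$1"
}

# install_plan <pbcreatesolcfgpkg-log> <pkginfo-output>
install_plan() (
    cfg_log=$1
    pkginfo_out=$2
    required=$(required_packages "$cfg_log")
    stream=$(log_value "$cfg_log" 'package datastream file is:')
    admin=$(log_value "$cfg_log" 'package admin file is:')
    if [ -z "$required" ] || [ -z "$stream" ] || [ -z "$admin" ]; then
        echo "install_plan: incomplete pbcreatesolcfgpkg output in $cfg_log" >&2
        exit 1
    fi
    # Space-delimited list of BTPB packages pkginfo already reports.
    installed=" $(awk '$2 ~ /^BTPB/ { print $2 }' "$pkginfo_out" | tr '\n' ' ')"

    ordered=
    for pkg in $required; do                # prerequisites first
        case " $PREREQ_PACKAGES " in *" $pkg "*) ordered="$ordered $pkg" ;; esac
    done
    for pkg in $required; do                # then every other component
        case " $PREREQ_PACKAGES " in *" $pkg "*) ;; *) ordered="$ordered $pkg" ;; esac
    done

    for pkg in $ordered; do
        case "$installed" in
            *" $pkg "*) echo "# $pkg already installed, skipping" ;;
            *) echo "pkgadd -a BTPBadmin -d $pkg.ds $pkg" ;;
        esac
    done
    # The configuration package goes last; its name is the datastream file
    # name without the .ds extension.
    echo "pkgadd -a $admin -d $stream $(basename "$stream" .ds)"
)

# Usage: sh install_plan.sh cfgpkg.log pkginfo.out
if [ "$#" -eq 2 ]; then
    install_plan "$1" "$2"
fi
```

Review the printed plan before running it; the configuration package line is always last because its checkinstall script checks for the component packages.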

Install component packages using the pkgadd command

This section shows the execution of the pkgadd command to install component packages for the submit host, run host, and shared libraries. The execution text also includes copyright, trademark, trade secrets, and other legal text; however, those notices and text were removed from the following excerpt to save space:

Example

# cd /opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/package
# ls
BTPBadmin    BTPBguih.ds  BTPBlibs.ds  BTPBlogh.ds  BTPBmsth.ds  BTPBrest.ds  BTPBrnsh.ds  BTPBrunh.ds  BTPBsbmh.ds
# pkgadd -a BTPBadmin -d BTPBlibs.ds BTPBlibs
Processing package instance <BTPBlibs> from </opt/acpkg/powerbroker/v9.4/ppmul_solaris9-10.x86_9.4.3-18/package/BTPBlibs.ds>
BeyondTrust PowerBroker Shared Libraries - Root Delegation and Privilege Management
(x86) 9.4.3-18
## Executing checkinstall script.
Using </> as the package base directory.
## Processing package information.
## Processing system information.
## Verifying package dependencies.
## Verifying disk space requirements.
Installing BeyondTrust PowerBroker Shared Libraries - Root Delegation and Privilege Management as <BTPBlibs>
        ## Executing preinstall script.
        ## Installing part 1 of 1.
        /usr/lib/beyondtrust/pb/libcom_err.so <symbolic link>
        /usr/lib/beyondtrust/pb/libcom_err.so.3 <symbolic link>
        /usr/lib/beyondtrust/pb/libcom_err.so.3.0
        /usr/lib/beyondtrust/pb/libcrypto.so <symbolic link>
        /usr/lib/beyondtrust/pb/libcrypto.so.1 <symbolic link>
        /usr/lib/beyondtrust/pb/libcrypto.so.1.0.0
        /usr/lib/beyondtrust/pb/libcurl.so <symbolic link>
        /usr/lib/beyondtrust/pb/libcurl.so.4 <symbolic link>
        /usr/lib/beyondtrust/pb/libcurl.so.4.3.0
        /usr/lib/beyondtrust/pb/libgssapi_krb5.so <symbolic link>
        /usr/lib/beyondtrust/pb/libgssapi_krb5.so.2 <symbolic link>
        /usr/lib/beyondtrust/pb/libgssapi_krb5.so.2.2
        /usr/lib/beyondtrust/pb/libk5crypto.so <symbolic link>
        /usr/lib/beyondtrust/pb/libk5crypto.so.3 <symbolic link>
        /usr/lib/beyondtrust/pb/libk5crypto.so.3.1
        /usr/lib/beyondtrust/pb/libkrb5.so <symbolic link>
        /usr/lib/beyondtrust/pb/libkrb5.so.3 <symbolic link>
        /usr/lib/beyondtrust/pb/libkrb5.so.3.3
        /usr/lib/beyondtrust/pb/libkrb5support.so <symbolic link>
        /usr/lib/beyondtrust/pb/libkrb5support.so.0 <symbolic link>
        /usr/lib/beyondtrust/pb/libkrb5support.so.0.1
        /usr/lib/beyondtrust/pb/liblber-2.4.so <symbolic link>
        /usr/lib/beyondtrust/pb/liblber-2.4.so.2 <symbolic link>
        /usr/lib/beyondtrust/pb/liblber-2.4.so.2.10.3
        /usr/lib/beyondtrust/pb/libLDAP-2.4.so <symbolic link>
        /usr/lib/beyondtrust/pb/libLDAP-2.4.so.2 <symbolic link>
        /usr/lib/beyondtrust/pb/libLDAP-2.4.so.2.10.3
        /usr/lib/beyondtrust/pb/libssl.so <symbolic link>
        /usr/lib/beyondtrust/pb/libssl.so.1 <symbolic link>
        /usr/lib/beyondtrust/pb/libssl.so.1.0.0
        /usr/lib/beyondtrust/pb/pam_radius_auth.so <symbolic link>
        /usr/lib/beyondtrust/pb/pam_radius_auth.so.1 <symbolic link>
        /usr/lib/beyondtrust/pb/pam_radius_auth.so.1.3.17
        [ verifying class <none> ]
## Executing postinstall script.
        Checking installation of package: BTPBlibs
Installation of <BTPBlibs> was successful.
# pkgadd -a BTPBadmin -d BTPBsbmh.ds BTPBsbmh
Processing package instance <BTPBsbmh> from </opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/package/BTPBsbmh.ds>
BeyondTrust PowerBroker Submit Host - Root Delegation and Privilege Management
        (x86) 9.4.3-18
        ## Executing checkinstall script.
        Using </> as the package base directory.
        ## Processing package information.
        ## Processing system information.
        1 package pathname is already properly installed.
        ## Verifying package dependencies.
        ## Verifying disk space requirements.
        Installing BeyondTrust PowerBroker Submit Host - Root Delegation and Privilege Management as <BTPBsbmh>
        ## Executing preinstall script.
        ## Installing part 1 of 1.
        /opt/pbul/scripts/pbrnscfg.sh
        /usr/lib/secure/64/libpbul_aca-elf64.so
        /usr/lib/secure/libpbul_aca-elf32.so
        /usr/local/bin/pbbench
        /usr/local/bin/pbcall
        /usr/local/bin/pbksh
        /usr/local/bin/pbrun
        /usr/local/bin/pbrunssh
        /usr/local/bin/pbsh
        /usr/local/bin/pbssh
        /usr/local/man/man1/pbbench.1
        /usr/local/man/man1/pbrun.1
        /usr/local/man/man1/pbssh.1
        /usr/local/man/man8/pbclienthost_uuid.8
        /usr/local/man/man8/pbcreatesolcfgpkg.8
        /usr/local/man/man8/pbdbutil.8
        /usr/local/man/man8/pbencode.8
        /usr/local/man/man8/pbinstall.8
        /usr/local/man/man8/pbregister.8
        /usr/local/man/man8/pbsum.8
        /usr/local/man/man8/pbulpreinstall.sh.8
        /usr/local/man/man8/pbversion.8
        /usr/sbin/pbclienthost_uuid
        /usr/sbin/pbdbutil
        /usr/sbin/pbencode
        /usr/sbin/pbregister
        /usr/sbin/pbsnapshot.sh
        /usr/sbin/pbsum
        /usr/sbin/pbulpreinstall.sh
        /usr/sbin/pbversion
        [ verifying class <none> ]
        ## Executing postinstall script.
        Checking installation of package: BTPBsbmh
Installation of <BTPBsbmh> was successful.
# pkgadd -a BTPBadmin -d BTPBrunh.ds BTPBrunh
Processing package instance <BTPBrunh> from </opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/package/BTPBrunh.ds>
BeyondTrust PowerBroker Run Host - Root Delegation and Privilege Management
(x86) 9.4.3-18
## Executing checkinstall script.
Using </> as the package base directory.
        ## Processing package information.
        ## Processing system information.
        25 package pathnames are already properly installed.
        ## Verifying package dependencies.
        ## Verifying disk space requirements.
        Installing BeyondTrust PowerBroker Run Host - Root Delegation and Privilege Management as <BTPBrunh>
        ## Executing preinstall script.
        ## Installing part 1 of 1.
        /usr/local/bin/pbless
        /usr/local/bin/pbmg
        /usr/local/bin/pbnvi
        /usr/local/bin/pbumacs
        /usr/local/bin/pbvi
        /usr/local/man/man1/pbless.1
        /usr/local/man/man1/pbmg.1
        /usr/local/man/man1/pbnvi.1
        /usr/local/man/man1/pbumacs.1
        /usr/local/man/man1/pbvi.1
        /usr/local/man/man8/pblocald.8
        /usr/sbin/pblocald
        [ verifying class <none> ]
        ## Executing postinstall script.
        
Checking installation of package: BTPBrunh
Installation of <BTPBrunh> was successful.

Installing the configuration package using the pkgadd command

This section shows the execution of the Solaris pkgadd command to install the configuration package. Following installation of the configuration package, the installation is verified by submitting the id command to Endpoint Privilege Management for Unix and Linux, and the Solaris pkginfo utility is used to list the Endpoint Privilege Management for Unix and Linux packages that are installed.

The execution text also includes copyright, trademark, trade secrets, and other legal text; however, those notices and text were removed from the following excerpt to save space:

Example

# cd /opt/acpkg/powerbroker/v9.4/pbul_solaris9-10.x86_9.4.3-18/install
        # pkgadd -a ./BTPBadminCLIENT1 -d BTPBcfCLIENT1.ds BTPBcfCLIENT1
        Processing package instance <BTPBcfCLIENT1> from </opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.x86_9.4.3-18/install/BTPBcfCLIENT1.ds>
        BeyondTrust PowerBroker Unix/Linux Configuration - Root Delegation and Privilege Management
        (noarch) 9.4.3-18
        BeyondTrust PowerBroker Unix/Linux
        ## Executing checkinstall script.
        Checking installation of dependent component packages...
        ## Processing package information.
        ## Processing system information.
        6 package pathnames are already properly installed.
        ## Verifying package dependencies.
        ## Verifying disk space requirements.
        Installing BeyondTrust PowerBroker Unix/Linux Configuration - Root Delegation and Privilege Management as <BTPBcfCLIENT1>
        ## Executing preinstall script.
        ## Installing part 1 of 1.
        /etc/init.d/sypbcfg_svcsinetdsmf
        /etc/pb.cfg
        /etc/pb.key
        /etc/pb.settings
        /etc/rc2.d/S99sypbcfg_pbpatton
        /etc/rc2.d/S99sypbcfg_svcsinetdsmf <symbolic link>
        /var/adm/pbksh.log
        /var/adm/pblocald.log
        /var/adm/pbsh.log
        [ verifying class <none> ]
        ## Executing postinstall script.
        Checking installation of package: BTPBcfCLIENT1
        'pkgchk' of package BTPBcfCLIENT1 succeeded
        Reading pb.cfg...
        Checking installation of dependent component packages...
        'pkgchk' of package BTPBlibs succeeded
        'pkgchk' of package BTPBsbmh succeeded
        'pkgchk' of package BTPBrunh succeeded
        Looking for SuperDaemons to configure...
        Finished looking for SuperDaemons to configure...
        Removing PowerBroker service definitions (if any) from /etc/inet/services.
        Adding PowerBroker service definitions to /etc/inet/services.
        Removing any PowerBroker definitions from SuperDaemon inetd file /etc/inet/inetd.conf
        Adding PowerBroker definitions to SuperDaemon configurations  /etc/inet/inetd.conf.
        Reloading SuperDaemon Configurations...
        Done Reloading SuperDaemon Configurations...
        Updating Settings in database (if any)...
        Installation of <BTPBcfCLIENT1> was successful.

# pkginfo | grep BTPB
application BTPBcfCLIENT1  BeyondTrust PowerBroker Unix/Linux Configuration - Root Delegation and Privilege Management
application BTPBlibs       BeyondTrust PowerBroker Shared Libraries - Root Delegation and Privilege Management
application BTPBrunh       BeyondTrust PowerBroker Run Host - Root Delegation and Privilege Management
application BTPBsbmh       BeyondTrust PowerBroker Submit Host - Root Delegation and Privilege Management

Sample of the Uninstall Process from a Package Installation

This section shows the execution of the Solaris pkgrm utility to remove the Endpoint Privilege Management for Unix and Linux packages.

Example


# cd /opt/acpkg/powerbroker/v9.4/pmul_solaris9-10.sparc_9.4.3-06/install

# pkgrm -na ./BTPBadminCLIENT1 BTPBcfCLIENT1 BTPBsbmh BTPBrunh BTPBlibs


Reading pb.cfg...  
Looking for SuperDaemons to configure...  
Finished looking for SuperDaemons to configure...  
Removing PowerBroker service definitions (if any) from /etc/inet/services.  
Removing any PowerBroker definitions from SuperDaemon inetd file /etc/inet/inetd.conf  
Reloading SuperDaemon Configurations...  
Done Reloading SuperDaemon Configurations...  
Removal of <BTPBcfCLIENT1> was successful.  
Removal of <BTPBsbmh> was successful.  
Removal of <BTPBrunh> was successful.  
Removal of <BTPBlibs> was successful.

Linux package installer

This section describes how to install Endpoint Privilege Management for Unix and Linux using a package installer for Red Hat Enterprise Linux (RHEL) 4 or 5 on an x86, x86_64, ia64, or S/390 computer. Use the Linux package installation if you want to install Endpoint Privilege Management for Unix and Linux using the Linux RPM package manager.

The Endpoint Privilege Management for Unix and Linux Linux package installer that is described here is not compatible with the BeyondTrust Endpoint Privilege Management v5.x packages. You must remove the BeyondTrust Endpoint Privilege Management v5.x packages before installing the Endpoint Privilege Management for Unix and Linux Linux packages.

Prerequisites

To use the Linux package installer, you must have the following:

  • Package tarball file for the appropriate Endpoint Privilege Management for Unix and Linux flavor

ℹ️

Note

For the Endpoint Privilege Management for Unix and Linux Linux package installer, the tarball files are cumulative. That is, an update tarball file contains a complete Endpoint Privilege Management for Unix and Linux installation. It is not necessary to install a baseline version of Endpoint Privilege Management for Unix and Linux before installing an upgrade.

  • Root access or superuser privileges
  • RPM Package Manager (rpm) v4.4 or later

ℹ️

Note

The Endpoint Privilege Management for Unix and Linux Linux package installer does not support prefix or suffix installations.

Plan your installation

When preparing to use the Endpoint Privilege Management for Unix and Linux package installer, you should be familiar with the following concepts and restrictions:

Component packages: an Endpoint Privilege Management for Unix and Linux component package is an RPM package manager (.rpm) file that installs a part of the Endpoint Privilege Management for Unix and Linux application. The Endpoint Privilege Management for Unix and Linux component packages are listed below with the format powerbroker-component-v.v.r.bb-pv.arch.rpm, where:

  • component = Endpoint Privilege Management component package name
  • v = major version
  • v = minor version
  • r = release
  • bb = build
  • pv = version number of the package
  • arch = architecture (for example, i386)

Component Package | Description
powerbroker-loghost-v.v.r.bb-pv.arch.rpm | Contains log host, pbsync, and pbsyncd.
powerbroker-shlibs-v.v.r.bb-pv.arch.rpm | Contains shared libraries.
powerbroker-pbrest-v.v.r.bb-pv.arch.rpm | Contains REST API files.
powerbroker-rnssvr-v.v.r.bb-pv.arch.rpm | Contains Registry Name Service files.
powerbroker-licsvr-v.v.r.bb-pv.arch.rpm | Contains license server files.
powerbroker-master-v.v.r.bb-pv.arch.rpm | Contains policy server host, pbsync, and pbsyncd.
powerbroker-submithost-v.v.r.bb-pv.arch.rpm | Contains submit host and Endpoint Privilege Management for Unix and Linux shells.
powerbroker-runhost-v.v.r.bb-pv.arch.rpm | Contains run host and Endpoint Privilege Management for Unix and Linux utilities.

Which component packages are required depends on the type of Endpoint Privilege Management for Unix and Linux host you create, such as policy server host, submit host, and so on. You can select the types of Endpoint Privilege Management for Unix and Linux hosts in the pbinstall installation menu, as shown in the following table. For readability the ending of each component in the table (-v.v.r.bb-pv.arch.rpm) is removed.

Menu Selection | Required Components (-v.v.r.bb-pv.arch.rpm)
Install everything here (demo mode)? = Yes | powerbroker-master, powerbroker-runhost, powerbroker-submithost, powerbroker-loghost, powerbroker-guihost, powerbroker-shlibs
Install Master Host? = Yes | powerbroker-master
Install Run Host? = Yes | powerbroker-runhost
Install Submit Host? = Yes | powerbroker-submithost
Install Log Host? = Yes | powerbroker-loghost
Install BeyondTrust built-in third-party libraries? = Yes | powerbroker-shlibs
Install Registry Name Services Server? [yes] | powerbroker-rnssvr
Install License Server? [yes] | powerbroker-licsvr

Configuration package: RPM package that is used to install the following files:

  • pb.settings: Hardcoded target location /etc/pb.settings
  • pb.cfg: Hardcoded target location /etc/pb.cfg
  • All the encryption keyfiles defined for networkencryption, eventlogencryption, iologencryption, reportencryption, policyencryption, and restkeyencryption
  • By default, two key files are created: pb.key and pb.rest.key
  • The sysadmin can define multiple encryption settings with different keyfiles in locations other than /etc. To upgrade and retain settings on the target machine, view all encryption settings in /etc/pb.settings and copy the files to the settings_files directory before running pbinstall -z and pbcreate*cfgpkg.
  • If installing a Cached Policy client, copy the policypubcertfile (default=/etc/pbpolicypubcert.pem) from the policy server to the settings_files directory before running pbinstall -z and pbcreate*cfgpkg.
  • pb.conf (for policy server hosts)
  • Man pages for the pbinstall and pbcreatelincfgpkg programs

The Endpoint Privilege Management for Unix and Linux configuration package is created by the pbcreatelincfgpkg program. The component packages must be installed before you install the configuration package.

Package name: Name of the package as stored in the RPM package manager database. For Endpoint Privilege Management for Unix and Linux package installations, this name is the same as the package file name without the .arch.rpm extension.

Relocated base directory: The directory where the Endpoint Privilege Management for Unix and Linux binary files and log files are installed. You can choose an alternative directory in which to install these files.

pbinstall program: To create the Endpoint Privilege Management for Unix and Linux settings files, you use the pbinstall program with the -z (settings only) option. pbinstall -z only creates the settings files, and is incompatible with the following command line options:

| Options Incompatible with pbinstall -z | Description |
| --- | --- |
| -b | Runs pbinstall in batch mode. |
| -c | Skip the steps that process or update the Endpoint Privilege Management for Unix and Linux settings file. |
| -e | Runs install script automatically by bypassing the menu step of pbinstall. |
| -i | Ignores previous pb.settings and pb.cfg files. |
| -p | Sets the pb installation prefix. |
| -s | Sets the pb installation suffix. |
| -u | Installs the utility programs. |
| -x | Creates a log synchronization host (installs pbsyncd). |

When you execute pbinstall with the -z option, you can see two menu items that are not otherwise available:

  • Enter existing pb.settings path: This enables you to specify your own pb.settings file. pbinstall reads this settings file and populates the remaining menu choices. You can override some menu choices. If set to none, then pbinstall does not read a settings file. The remaining menu choices are populated with default values.
  • Enter directory path for settings file creation: This enables you to specify an alternative output directory for the settings files. The default directory is /unzip-dir/powerbroker/v/install/settings_files, where unzip-dir is the directory where the package tarball file was unzipped.

The behavior of pbinstall -z depends on whether certain additional command line options are specified:

  • If no other command line options are specified, pbinstall initially presents a short version of the installation menu. Depending on the choices you make in these items, further menu items become available.
  • If command line options -g, -l, -m, -o, -r, or -w are specified, pbinstall presents an expanded version of the installation menu that reflects the host types that you are configuring.

When running pbinstall with the -z option, the following menu items are preprogrammed and cannot be changed:

  • Install man pages?
  • Endpoint Privilege Management daemon location
  • Administration programs location
  • User programs location
  • GUI library directory
  • Policy include (sub) file directory
  • User man page location
  • Admin man page location
  • Policy filename
  • BeyondTrust built-in third-party library directory

In addition, the values of the following menu items determine the values of other menu items:

Options Preset When Running pbinstall -z

| Setting this menu option to Yes | Sets these values to Yes |
| --- | --- |
| Install Master Host? | Install Synchronization? Synchronization can be initiated from this host? |
| Install Run Host? | Install Utilities? |
| Install Submit Host? | Install PBSSH? Install pbksh? Install pbsh? Will this host use a Log Host? |
| Install Log Host? | Install Synchronization? Synchronization can be initiated from this host? |

ℹ️

Note

If you plan to use the package installer to install Endpoint Privilege Management for Unix and Linux on a computer that already has an interactive Endpoint Privilege Management for Unix and Linux installation on it, see Interactive Versus Packaged Installation for additional considerations.

If you plan to use Registry Name Service and are running pbinstall -z on a client host (non-primary server), you must perform client registration. This is necessary to properly set up the registry name service database. Client registration also requires that you collect from the Endpoint Privilege Management for Unix and Linux primary server the following information:

  • REST Application ID
  • REST Application Key
  • Primary server network name or IP address
  • Primary License Server REST TCP/IP port
  • Registration Client Profile name

Registering client with Primary RNS: If Registry Name Services is enabled for Endpoint Privilege Management for Unix and Linux, each client host (after the first server installation) needs to be registered with the Primary Registry Name Server. When using package installers on a target host, a post-install configuration script (/opt/pbul/scripts/pbrnscfg.sh) is provided to be manually executed on that host to properly register it. This post-install configuration script asks for information about the Primary Registry Name Server, including the Application ID (appid), Application Key (appkey), address/domain name, and the REST TCP/IP port number. This is the same information provided during the client registration part of a pbinstall -z install which generates the settings file.

If you prefer a more convenient method of registering RNS clients where the post-install configuration script is non-interactive, Endpoint Privilege Management for Unix and Linux can save the relevant information in a hidden file during the settings-only run of pbinstall, bundle it with the configuration package, and automatically apply it to the target host when that package is installed. This method is not secure, but it is available if the security-convenience trade-off is acceptable. To enable this, refer to the question regarding post-install configuration script displayed when running pbinstall -z.

Overview of steps

Use of the Linux package installer involves the following steps:

  1. Unpack the Endpoint Privilege Management for Unix and Linux package tarball file.
  2. Use the pbinstall program to create Endpoint Privilege Management for Unix and Linux settings files.
  3. Use the pbcreatelincfgpkg program to create the Endpoint Privilege Management for Unix and Linux configuration package.
  4. Perform a package installation using the Linux rpm command for any required components.
  5. Perform a package installation using the Linux rpm command for the Endpoint Privilege Management for Unix and Linux configuration package.
  6. If Registry Name Service is enabled and installing on a non-primary server, run /opt/pbul/scripts/pbrnscfg.sh to register the host.

Installation procedure

To install Endpoint Privilege Management for Unix and Linux using the RPM package manager, do the following:

  1. Extract the package tarball files into the /opt/beyondtrust/ directory by executing the following command:

    tar xvfz pmul_<flavor_version>_pkg.tar.Z
    
  2. Optional. The Endpoint Privilege Management for Unix and Linux Linux package files are digitally signed. You can verify that the packages are genuine by doing the following:

    • Go to www.beyondtrust.com, and click Support to display the Endpoint Privilege Management for Unix and Linux Downloads page.

    • In the Customers section, click Login. Use your customer user name and password to log in to the Endpoint Privilege Management for Unix and Linux Downloads page.

    • Click Digital Signature file for Linux RPM packages and download the tar file to the Linux computer.

    • Extract the key from the tar file.

    • Import the key to the RPM database with the following command:

      rpm --import keyfile
      

      keyfile is the file name of the key file.

    • Navigate to the /opt/beyondtrust/powerbroker///package/ directory.

    • Execute the following command:

      rpm -K *.rpm
      

      For each package, you should see output similar to the following:

      powerbroker-master-6.2.0.11-1.i386.rpm: (sha1) dsa sha1 md5 gpg OK
      

      The OK at the end of the line indicates that the package is genuine.

  3. Navigate to the /opt/beyondtrust/powerbroker///install/ directory.

  4. Execute the following command:

    ./pbinstall -z
    

    You can include other options with the -z option. Use the -R option to specify an alternate base directory for installing the component packages.

    pbinstall displays the Endpoint Privilege Management for Unix and Linux installation menu.

    You are asked if you want to use client registration. If you plan to enable Registry Name Service, and install on a host that is not designated as a primary server, you must run client registration.

    pbinstall then asks if you want to enable Registry Name Service.

  5. Make your menu selections. Note that the Enter existing pb.settings path menu option enables you to specify your own pb.settings file to use. Also, the Enter directory path for settings file creation menu option enables you to specify where to save the generated settings files. These menu options are available only when running pbinstall with the -z option.

    When the menu selection process is complete, pbinstall creates the following files in the specified location:

    • pb.settings
    • pb.cfg
    • pb.key (if encryption is enabled)
    • pb.conf (for policy server host)
    • pbpolicykey.pem and pbpolicypubcert.pem (for Policy Server hosts with Cached Policy feature enabled)
  6. Optional. For an Endpoint Privilege Management for Unix and Linux client, if client-server communications are to be encrypted, replace the generated pb.key file with the pb.key file from the policy server host. Also, copy any other required key files into the same directory.

ℹ️

Note

This step is automatically done if you choose to use client registration.

  7. Required for Cached Policy client installation: Copy the policypubcertfile (default=/etc/pbpolicypubcert.pem) from the policy server to the settings_files directory.

  8. Optional. For a policy server host, write a policy file (pb.conf) and place it in the directory with the other generated files. If you do not provide a pb.conf file, a pb.conf file with the single command reject; is generated and packaged.

    Starting with v8.0, pbinstall -z can optionally install the default role-based policies and asks:

    Installing default role-based policy pbul_policy.conf and pbul_functions.conf in <install_dir>/settings_files
    Would you like to use the default role-based policy in the configuration package?

    • Answer Yes for new installs only.
    • If you are upgrading an existing configuration package, to avoid overwriting your existing policy, answer No.
      Use the default role-based policy [Y]?

    • If you answer Yes, the default pb.conf, pbul_policy.conf and pbul_functions.conf files are created and installed on the policy server.
    • If you plan to install over an existing installation, and have an existing policy in place, answer No.

  9. Navigate to the /opt/beyondtrust/powerbroker///install/ directory.

  10. Run the pbcreatelincfgpkg utility by typing:

    pbcreatelincfgpkg -p suffix -s directory

    • suffix is appended to the configuration package name; length can be up to 18 characters.
    • directory contains the Endpoint Privilege Management for Unix and Linux settings and configuration files to include in the package.

    The pbcreatelincfgpkg utility creates the Endpoint Privilege Management for Unix and Linux configuration package file, powerbroker-config-sv-pv.arch.rpm.

  11. Navigate to the /opt/beyondtrust/powerbroker///package/ directory.

  12. For each required component package, run the Linux rpm utility to install the component package by typing:

    rpm -iv package-file

    package-file is the name of the component package (.rpm) file. For example:

    rpm -iv powerbroker-submithost-9.4.1.03-1.x86_64.rpm

ℹ️

Note

To install all component packages, type the following command:

rpm -iv *.rpm

  13. Navigate to the /opt/beyondtrust/powerbroker///install/ directory.

  14. Run the Linux rpm utility to install the Endpoint Privilege Management for Unix and Linux configuration package by typing:

    rpm -iv package-file

    package-file is the name of the configuration package (.rpm) file created in step 9.

  15. Verify the installation of the packages by typing:

    rpm -qa| grep powerbroker

  16. If Registry Name Service is enabled and installed on a non-primary server, register the host with the Primary Registry Name Server using a post-install configuration script. Gather the Application ID, Application Key, network name or IP address, and REST TCP/IP port of the primary server, then run the script to register the host and follow the prompts:

    /opt/pbul/scripts/pbrnscfg.sh
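
The signature check in step 2 can be scripted so that rpm -iv runs only when every package carries a verified signature; rpm also ends a line with OK when a package is unsigned and only its digests were checked, so the script requires a lower-case signature token as well. This is an added example, not BeyondTrust code: the function names are hypothetical and the sample rpm -K lines are constructed (one follows the format shown in step 2, the others follow output formats rpm is known to print).

```shell
#!/bin/sh
# Added example (not BeyondTrust code): gate "rpm -iv" on the result of "rpm -K".

# Constructed sample of "rpm -K *.rpm" output. Older rpm releases name each
# check (as in step 2); newer releases print "digests signatures OK".
SAMPLE_RPM_K_OUTPUT='powerbroker-shlibs-9.4.1.03-1.x86_64.rpm: digests signatures OK
powerbroker-submithost-9.4.1.03-1.x86_64.rpm: (sha1) dsa sha1 md5 gpg OK
powerbroker-runhost-9.4.1.03-1.x86_64.rpm: sha1 md5 OK
powerbroker-loghost-9.4.1.03-1.x86_64.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#00000000)'

# classify_rpm_k_line LINE
# Prints one of: signed-ok, unsigned, failed.
classify_rpm_k_line() {
    line=$1
    result=${line#*: }                 # text after "file.rpm: "
    case $result in
        *"NOT OK"*) echo failed; return 0 ;;
        *" OK"|OK) ;;
        *) echo failed; return 0 ;;
    esac
    # rpm prints a check in lower case when it passed. Upper case or
    # parentheses mean it failed or the key is missing from the RPM database.
    # No signature token at all means only the digests were checked.
    case " $result " in
        *" gpg "*|*" pgp "*|*" dsa "*|*" rsa "*|*" signatures "*) echo signed-ok ;;
        *) echo unsigned ;;
    esac
}

# check_rpm_k_output
# Reads "rpm -K" output on stdin and prints "STATUS FILE" for every package
# that is not signed-ok. Returns 0 only if at least one line was read and
# every line was signed-ok.
check_rpm_k_output() {
    bad=0 seen=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        seen=1
        status=$(classify_rpm_k_line "$line")
        if [ "$status" != signed-ok ]; then
            printf '%s %s\n' "$status" "${line%%:*}"
            bad=1
        fi
    done
    [ "$seen" -eq 1 ] && [ "$bad" -eq 0 ]
}

# Demo on the constructed sample. On a real host, after "rpm --import keyfile":
#   rpm -K *.rpm | check_rpm_k_output && rpm -iv *.rpm
if printf '%s\n' "$SAMPLE_RPM_K_OUTPUT" | check_rpm_k_output; then
    echo "all packages signed and verified"
else
    echo "refusing to install: packages listed above are unsigned or failed verification"
fi
```

A signed-ok result means the signature verified against a key already in the RPM database, so import only the key obtained from the vendor download page described in step 2.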
    


Remove EPM-UL packages

Removing the Endpoint Privilege Management for Unix and Linux packages completely uninstalls Endpoint Privilege Management for Unix and Linux from a computer.

To remove the Endpoint Privilege Management for Unix and Linux packages, type the following:

rpm -e config-package-name component-package-1 ... component-package-n
  • config-package-name is the name of the package specified when the configuration package is installed. This package name is not required to come first in the list; rpm removes it first. However, if you remove packages with separate rpm processes, you must remove the configuration package first.
  • component-package-1 through component-package-n are the names of the packages specified when the component packages are installed.

Example

rpm -e powerbroker-configPBUL941-9.4.1.03-1.x86_64 powerbroker-submithost-9.4.1.03-1.x86_64

Relocate the base directory

Using the RPM package management system you can set an alternative base directory for installing packages. With this feature, you can specify a directory to install the Endpoint Privilege Management for Unix and Linux binary files and log files in. Certain files, such as pb.settings, pb.cfg, and Endpoint Privilege Management for Unix and Linux key files, must be located in the /etc directory for Endpoint Privilege Management for Unix and Linux to run. These files are not relocatable.

To relocate the base directory from the default / (root) directory, do the following:

  1. On the target machine, create the target base directory if it does not already exist.
  2. When you run pbinstall, use the -R option and specify the new base directory.
  3. When installing the component packages, execute rpm with the --prefix option and specify the relocated directory.

Example

rpm -ivh --prefix /local/powerbroker powerbroker-runhost-9.4.1.03-1.x86_64.rpm

ℹ️

Note

The files that are installed by the configuration package cannot be relocated. Do not use the --prefix option when installing the configuration package.

Update EPM-UL with the Linux package installer

The Endpoint Privilege Management for Unix and Linux Linux package installer can be used to upgrade an existing Endpoint Privilege Management for Unix and Linux installation to a new version. The existing Endpoint Privilege Management for Unix and Linux version should have been installed with the Endpoint Privilege Management for Unix and Linux package installer.

ℹ️

Note

It is possible to use the Linux package installer to install Endpoint Privilege Management for Unix and Linux over an existing version that was installed with pbinstall. However, we do not recommend doing so because it can result in unused files from the existing version remaining in the file system.

Package upgrade considerations

Installing an upgrade with the Linux package installer is similar to using the Linux package installer to install Endpoint Privilege Management for Unix and Linux for the first time. Keep these considerations in mind when you prepare to upgrade:

  • Technically, the Endpoint Privilege Management for Unix and Linux Linux packages are upgrade packages, as opposed to update packages. An upgrade package installs the new files before removing the existing files and registering the new version number in the RPM database.
  • An Endpoint Privilege Management for Unix and Linux Linux upgrade package contains a complete Endpoint Privilege Management for Unix and Linux installation, rather than simply the files that have changed since the previous release.
  • If you have more than one Endpoint Privilege Management for Unix and Linux package on a computer, upgrade all packages on that computer.
  • A newer release can introduce features that use new settings or configurations. In that case, an upgrade of the configuration package of Endpoint Privilege Management for Unix and Linux is also needed.
  • Unlike Endpoint Privilege Management for Unix and Linux patches that are installed with pbpatchinstall, upgrade packages cannot be rolled back to a previous release. However, you can install an older package over a newer one, effectively rolling back to the older release.

Package upgrade procedure

Follow this procedure to upgrade your installation of Endpoint Privilege Management for Unix and Linux using the Linux package installer:

  1. Obtain the tarball file for the Linux upgrade packages that are appropriate for your hardware. The tarball file name has the format pmul_-v.v.r-bb-pn_pkg.tar.Z.

    • indicates the operating system and hardware architecture.
    • v.v.r is the major and minor version number and the release number.
    • bb is the build number.
    • n is the update number.
  2. Extract the package tarball files into the /unzip-dir/ directory by executing the following command:

    tar xvfz pmul_<flavor_version>_pkg.tar.Z
    
  3. Navigate to the /unzip-dir/powerbroker/v//install/ directory

  4. Create the settings_files directory and change directory to that location.

  5. To retain or correctly update the settings of the current installation, copy the following files from the target installation host into the settings_files directory you created in step 4:

    • /etc/pb.settings
    • /etc/pb.cfg
    • encryption keys defined in pb.settings for networkencryption, eventlogencryption, iologencryption, reportencryption, policyencryption, and restkeyencryption settings (if enabled)

ℹ️

Note

In a default installation, there are typically 2 key files created: pb.key and pb.rest.key.

  • policy file defined in policyfile setting in pb.settings (if the target installation is a Policy Server)

ℹ️

Note

In a default installation, the policy file is located in /opt/pbul/policies/pb.conf.

  • For Cached Policy clients: policypubcertfile (default=/etc/pbpolicypubcert.pem)
  6. Execute the following command and verify the installation settings:

    ./pbinstall -z

  7. Create the upgrade configuration package by running the pbcreatelincfgpkg utility:

    pbcreatelincfgpkg -p suffix

    Use the current suffix of the installation to be upgraded. Use the suffix you provided during the initial package installation in step 9 of the Installation Procedure.

    Another way to find the suffix is to run the following command on the target installation host to get the list of packages installed:

    rpm -qa |grep powerbroker

    Identify the suffix of the Endpoint Privilege Management for Unix and Linux configuration package using this format:

    powerbroker-config<suffix>-<version>.noarch

  8. Navigate to the /unzip-dir/powerbroker/v//package/ directory.

  9. Use the Linux rpm utility to upgrade the component packages by typing:

    rpm -Uv package-file-1 package-file-2...

    package-file-n is the name of a component package (.rpm) file.

    rpm -Uv powerbroker-submithost-9.4.1.03-1.p2-1.x86_64.rpm powerbroker-runhost-9.4.1.03-1.p2-1.x86_64.rpm

  10. Navigate to the /unzip-dir/powerbroker///install/ directory.

  11. Run the Linux rpm utility to install the Endpoint Privilege Management for Unix and Linux configuration package by typing:

    rpm -Uv package-file

    package-file is the name of the configuration package (.rpm) file created in step 12. Verify the installation of the packages by typing:

    rpm -qa| grep powerbroker

Revert to a previous version

Unlike Endpoint Privilege Management for Unix and Linux patches that are installed with pbpatchinstall, upgrade packages cannot be rolled back to a previous release. However, you can install an older package over a newer one, effectively rolling back to the older release. To install older packages over newer ones, use the following command:

rpm -Uv --oldpackage package-file-1 package-file-2...

This command restores the previous release. Repeat the command to restore earlier releases. To restore a single package per rpm command, add the --replacepkgs option.

Upgrade the configuration package

When upgrading the configuration package (cfg pkg), some settings that are part of the package might need settings and configuration files copied from the existing installation to the staging host.

Files included in the cfg package:

  • pb.settings: Hardcoded target location /etc/pb.settings.

  • pb.cfg: Hardcoded target location /etc/pb.cfg.

  • All the encryption key files defined for networkencryption, eventlogencryption, iologencryption, reportencryption, policyencryption, and restkeyencryption. By default, two key files are typically created:

    • pb.key
    • pb.rest.key

    The sysadmin can define encryption with different key files in locations other than /etc. Therefore, when upgrading, and to retain what is installed on the target machine, look at all the encryption settings in /etc/pb.settings. Copy the settings to the settings_files directory before running pbinstall -z and pbcreate*cfgpkg.

  • Policy file if the target is a policy server.
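
Step 5 of the package upgrade procedure and the list above both call for copying every key file that /etc/pb.settings names into settings_files before pbinstall -z and pbcreatelincfgpkg run. The following added example (not BeyondTrust code) collects those paths and stages them with pb.settings and pb.cfg; it assumes pb.settings lines have the form "setting value ..." with values such as aes-256:keyfile=/etc/pb.key as shown in the installation menu, the sample file is constructed, and the function names are hypothetical. It does not cover the policy file or policypubcertfile.

```shell
#!/bin/sh
# Added example (not BeyondTrust code): stage the files an upgrade
# configuration package needs from an existing installation.

# Constructed sample; the "setting value" line syntax is an assumption.
SAMPLE_PB_SETTINGS='# constructed sample, not a real pb.settings
submitmasters kandor
networkencryption aes-256:keyfile=/etc/pb.key
eventlogencryption none
iologencryption aes-256:keyfile=/opt/keys/iolog.key
restkeyencryption aes-256:keyfile=/etc/pb.rest.key
policyencryption aes-256:keyfile=/etc/pb.key'

# list_keyfiles [SETTINGS_FILE]
# Prints each distinct keyfile= path named by the six encryption settings,
# in order of first appearance. Reads stdin when no file is given.
list_keyfiles() {
    awk '
        /^[ \t]*#/ { next }
        $1 ~ /^(network|eventlog|iolog|report|policy|restkey)encryption$/ {
            for (f = 2; f <= NF; f++) {
                val = $f
                gsub(/"/, "", val)              # tolerate quoted values
                n = split(val, opts, ":")
                for (k = 1; k <= n; k++)
                    if (opts[k] ~ /^keyfile=/) {
                        path = substr(opts[k], 9)
                        if (path != "" && !(path in seen)) {
                            seen[path] = 1
                            print path
                        }
                    }
            }
        }
    ' "${1:--}"
}

# stage_settings ROOT DEST
# Copies ROOT/etc/pb.settings, ROOT/etc/pb.cfg and every key file listed by
# list_keyfiles into DEST. ROOT is "" on the live host, or the path of a
# copied tree. Returns non-zero if any file is missing, so a package is never
# built with a key silently left out.
stage_settings() (
    root=$1 dest=$2
    umask 077                       # keep the staging directory private
    mkdir -p "$dest" || exit 1
    { printf '%s\n' /etc/pb.settings /etc/pb.cfg
      list_keyfiles "$root/etc/pb.settings"; } | {
        missing=0
        while IFS= read -r f; do
            if [ -f "$root$f" ]; then
                cp -p "$root$f" "$dest/" || exit 1   # -p preserves key file mode
            else
                echo "missing: $f" >&2
                missing=1
            fi
        done
        [ "$missing" -eq 0 ]
    }
)

# Demo on the constructed sample: print the key files that must be staged.
printf '%s\n' "$SAMPLE_PB_SETTINGS" | list_keyfiles
```

On the host being upgraded, run stage_settings "" settings_files from the install directory as root, then continue with ./pbinstall -z.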

Sample Execution for the Linux Package Installer

The sample execution shows the installation of an Endpoint Privilege Management for Unix and Linux submit host, run host, and shared libraries using the Endpoint Privilege Management for Unix and Linux Linux package installer.

This sample execution is divided into the following parts:

  • Generate the Endpoint Privilege Management for Unix and Linux settings files.
  • Create the Endpoint Privilege Management for Unix and Linux configuration package using the pbcreatelincfgpkg program.
  • Install the component packages using the rpm command.
  • Install the configuration package using the rpm command.

Generate the EPM-UL settings files

This section of the execution shows the generation of the Endpoint Privilege Management for Unix and Linux settings files (pb.key, pb.cfg, and pb.settings) and also displays the Endpoint Privilege Management for Unix and Linux installation menu. This output was generated using the pbinstall program with the options: -z, -l, and -r:

Example

# ./pbinstall -zlr
Starting pbinstall main() from /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/.
linux.x86-64
Endpoint Privilege Management for Unix and Linux Settings File Generation
Please read the Endpoint Privilege Management for Unix and Linux Installation Instructions before proceeding.
Checking MANIFEST against release directory
Press return to continue
The Registry Name Service of Endpoint Privilege Management for Unix and Linux facilitates location of other services within the EPM-UL enterprise with the aid of a centralized
data repository.
IMPORTANT: client registration is required if this is not the Primary Server and you intend to use Registry Name Services.
Do you wish to utilize Registry Name Service? [yes]? no
BeyondTrust Endpoint Privilege Management for Unix and Linux Installation Menu          
            Opt  Description                                [Value] 
            1  Install Everything Here (Demo Mode)?         [no]
            2  Install License Server?                      [no]
            3  Install Registry Name Services Server?       [no]
            4  Install Client Registration Server?          [no]
            5  Install Policy Server Host?                  [yes]
            6  Install Run Host?                            [yes]
            7  Install Submit Host?                         [yes]
            8  Install PBSSH?                               [yes]
            10  Install Log Host?                           [yes]
            11  Enable Logfile Tracking and Archiving?      [yes]
            12  Is this a Log Archiver Storage Server?      [no]
            13  Is this a Log Archiver Database Server?     [no]
            14  Install File Integrity Monitoring Polic...  [no]
            15  Install REST Services?                      [yes]
            16  List of License Servers                     [*]
            19  Path to Password Safe 'pkrun' binary        []
            23  Install Synchronization program?            [yes]
            25  Install Secure GUI Host?                    [yes]
            26  Install Utilities: pbvi, pbnvi, pbmg, p...  [yes]
            27  Install pbksh?                              [yes]
            28  Install pbsh?                               [yes]
            29  Install man pages?                          [no]
            30  Will this host use a Log Host?              [yes]
            31  AD Bridge Integration?                      [no]
            37  Integration with BeyondInsight?             [no]
            55  Synchronization program can be initiate...  [yes]
            56  Daemons location                            [/usr/sbin]
            57  Number of reserved spaces for submit pr...  [80]
            58  Administration programs location            [/usr/sbin]
            59  User programs location                      [/usr/local/bin]
            60  GUI library directory                       [/usr/local/lib/pbbuilder]
            61  Policy include (sub) file directory         [/opt/pbul/policies]
            62  Policy file name                            [/opt/pbul/policies/pb.conf]
            65  Log Archive Storage Server name             []
            67  Log Archiver Database Server name           []
            69  Logfile Name Cache Database file path?      [/opt/pbul/dbs/pblogcache.db]
            70  REST Service installation directory?        [/usr/lib/beyondtrust/pb/rest]
            71  Install REST API sample code?               [no]
            73  Pblighttpd user                             [pblight]
            75  Pblighttpd user UID                         []
            76  Pblighttpd user GID                         []
            78  Configure systemd?                          [yes]
            79  Command line options for pbmasterd          [-ar]
            80  Policy Server Delay                         [500]
            81  Policy Server Protocol Timeout              [-1]
            82  pbmasterd diagnostic log                    [/var/log/pbmasterd.log]
            83  Eventlog filename                           [/var/log/pb.eventlog]
            84  Configure eventlog rotation via size?       []
            85  Configure eventlog rotation path?           []
            86  Configure eventlog rotation via cron?       [no]
            87  Validate Submit Host Connections?           [no]
            88  List of Policy Servers to submit to         [kandor]
            89  pbrun diagnostic log?                       [none]
            90  pbssh diagnostic log?                       [none]
            91  Allow Local Mode?                           [yes]
            92  Additional secured task checks?             [no]
            93  Suppress Policy Server host failover er...  [yes]
            94  List of Policy Servers to accept from       [kandor]
            95  pblocald diagnostic log                     [/var/log/pblocald.log]
            96  Command line options for pblocald           []
            97  Syslog pblocald sessions?                   [no]
            98  Record PTY sessions in utmp/utmpx?          [yes]
            99  Validate Policy Server Host Connections?    [no]
            100  List of Log Hosts                          [kandor]
            101  Command line options for pblogd            []
            102  Log Host Delay                             [500]
            103  Log Host Protocol Timeout                  [-1]
            104  pblogd diagnostic log                      [/var/log/pblogd.log]
            105  List of log reserved filesystems           [none]
            106  Number of free blocks per log system fi... [0]
            107  Command line options for pbsyncd           []
            108  Sync Protocol Timeout                      [-1]
            109  pbsyncd diagnostic log                     [/var/log/pbsyncd.log]
            110  pbsync diagnostic log                      [/var/log/pbsync.log]
            111  pbsync sychronization time interval (in... [15]
            112  Add installed shells to /etc/shells        [no]
            113  pbksh diagnostic file                      [/var/log/pbksh.log]
            114  pbsh diagnostic file                       [/var/log/pbsh.log]
            115  Stand-alone pblocald command               [none]
            116  Stand-alone root shell default iolog       [/pbshell.iolog]
            
            
            
           
            121  Use syslog?                                [yes]
            122  Syslog facility to use?                    [LOG_AUTHPRIV]
            123  Base Daemon port number                    [24345]
            124  pbmasterd port number                      [24345]
            125  pblocald port number                       [24346]
            126  pblogd port number                         [24347]
            
            
            129  pbsyncd port number                        [24350]
            130  REST Service port number                   [24351]
            131  Add entries to '/etc/services'             [yes]
            132  Allow non-reserved port connections        [yes]
            133  Inbound Port range                         [1025-65535]
            134  Outbound Port range                        [1025-65535]
            137  Network encryption options                 [aes-256:keyfile=/etc/pb.key]
            138  Event log encryption options               [none]
            139  I/O log encryption options                 [none]
            140  Report encryption options                  [none]
            141  Policy file encryption options             [none]
            142  Settings file encryption type              [none]
            143  REST API encryption options                [aes-256:keyfile=/etc/pb.re...]
            144  Configure with Kerberos v5?                [no]
            150  Enforce High Security Encryption?          [yes]
            151  Use SSL?                                   [yes]
            152  SSL Configuration?                         [requiressl]
            153  SSL pbrun Certificate Authority Directory? [none]
            154  SSL pbrun Certificate Authority File?      [none]
            155  SSL pbrun Cipher List?                     [HIGH:!SSLv2:!3DES:!MD5:@ST…]
            156  SSL pbrun Certificate Directory?           [none]
            157  SSL pbrun Certificate File?                [none]
            158  SSL pbrun Private Key Directory?           [none]
            159  SSL pbrun Private Key File?                [none]
            160  SSL pbrun Certificate Subject Checks?      [none]
            161  SSL Server Certificate Authority Direct... [none]
            162  SSL Server Certificate Authority File?     [none]
            163  SSL Server Cipher List?                    [HIGH:!SSLv2:!3DES:!MD5:@ST...]
            164  SSL Server Certificate Directory?          [none]
            165  SSL Server Certificate File?               [/etc/pbssl.pem]
            166  SSL Server Private Key Directory?          [none]
            167  SSL Server Private Key File?               [/etc/pbssl.pem]
            168  SSL Server Certificate Subject Checks?     [none]
            169  SSL Certificate Country Code               [US]
            170  SSL Certificate State/Province             [AZ]
            171  SSL Certificate Location (Town/City)       [Phoenix]
            172  SSL Certificate Organizational Unit/Dep... [Security]
            173  SSL Certificate Organization               [BeyondTrust]
            174  Configure Privilege Management for Unix... [no]
            175  Install BeyondTrust built-in third-part... [yes]
            176  BeyondTrust built-in third-party librar... [/usr/lib/beyondtrust/pb]
            188  Use PAM?                                   [no]
            196  Allow Remote Jobs?                         [yes]
            197  UNIX Domain Socket directory               [none]
            198  Reject Null Passwords?                     [no]
            199  Enable TCP keepalives?                     [no]
            200  Name Resolution Timeout                    [0]
            N for the next menu page, P for the previous menu page, C to continue, X to exit
Please enter a menu option [For technical support call 1-800-234-9072]> c
Generating key file /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/settings_files/pb.key...
Are all the installation settings correct [yes]?
Generating config file /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/settings_files/pb.cfg
Creating the settings file creation script
Backed up existing settings file creation script to:
'/opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/pbcreatesettingsfile.ctime.Feb_13_16:28'
Running settings file creation script
Creating settings file /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/settings_files/pb.settings
Generated settings files are in directory: /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/settings_files
Endpoint Privilege Management for Unix and Linux Settings File Generation completed successfully.

Create the EPM-UL configuration package using pbcreatelincfgpkg

This section shows the creation of the Endpoint Privilege Management for Unix and Linux configuration package using the pbcreatelincfgpkg program with the -p and -s options.

ℹ️

Note

At the end of its output, the pbcreatelincfgpkg script shows which Endpoint Privilege Management for Unix and Linux component packages need to be installed.

Example

# ./pbcreatelincfgpkg  -p CLIENTPAKU  -s /opt/final/powerbroker/v9.4/CLIENTPAKU_settings_files
pbcreatelincfgpkg: starting from /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install
pbcreatelincfgpkg: keyfile pb.key will be included in package
Reading /opt/final/powerbroker/v9.4/CLIENTPAKU_settings_files/pb.cfg
pbcreatelincfgpkg: making PowerBroker Linux configuration package . . .
Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.kq2x6j
+ umask 022
+ cd /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/rpmbuild/BUILD
+ LANG=C
+ export LANG
+ unset DISPLAY
+ rm -rf '/opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/rpmbuild/BUILD/*'
+ exit 0
Executing(%build): /bin/sh -e /var/tmp/rpm-tmp.Z2J5QI
+ umask 022
+ cd /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/rpmbuild/BUILD
+ LANG=C
+ export LANG
+ unset DISPLAY
+ exit 0
Executing(%install): /bin/sh -e /var/tmp/rpm-tmp.wlumC7
+ umask 022
+ cd /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/rpmbuild/BUILD
+ '[' /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/rpmbuild/BUILDROOT/powerbroker-9.4.1.03-1.x86_64 '!=' / ']'
+ rm -rf /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/rpmbuild/BUILDROOT/powerbroker-9.4.1.03-1.x86_64
++ dirname /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/rpmbuild/BUILDROOT/powerbroker-9.4.1.03-1.x86_64
+ mkdir -p /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/rpmbuild/BUILDROOT
+ mkdir /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/rpmbuild/BUILDROOT/powerbroker-9.4.1.03-1.x86_64
+ LANG=C
+ export LANG
+ unset DISPLAY
+ mkdir -p /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/rpmbuild/BUILDROOT/powerbroker-9.4.1.03-1.x86_64/etc
+ mkdir -p /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/rpmbuild/BUILDROOT/powerbroker-9.4.1.03-1.x86_64/etc/pb
+ cp /opt/final/powerbroker/v9.4/CLIENTPAKU_settings_files/pb.settings /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/rpmbuild/BUILDROOT/powerbroker-9.4.1.03-1.x86_64/etc/pb.settings
+ cp /opt/final/powerbroker/v9.4/CLIENTPAKU_settings_files/pb.cfg /opt/final/powerbroker/v9.4/pbul_linux.x86-64_9.4.1-03/install/rpmbuild/BUILDROOT/powerbroker-9.4.1.03-1.x86_64/etc/pb.cfg
+ cp /opt/final/powerbroker/v9.4/CLIENTPAKU_settings_files/pb.key /opt/final/powerbroker/v9.4/pbul_linux.x86-64_9.4.1-03/install/rpmbuild/BUILDROOT/powerbroker-9.4.1.03-1.x86_64/etc/pb.key
++ dirname /var/log/pblocald.log
+ logfiledir=/var/log
+ '[' '!' -d /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/rpmbuild/BUILDROOT/powerbroker-9.4.1.03-1.x86_64/var/log ']'
+ mkdir -p /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/rpmbuild/BUILDROOT/powerbroker-9.4.1.03-1.x86_64/var/log
++ dirname /var/log/pbksh.log
+ logfiledir=/var/log
+ '[' '!' -d /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/rpmbuild/BUILDROOT/powerbroker-9.4.1.03-1.x86_64/var/log ']'
++ dirname /var/log/pbsh.log
+ logfiledir=/var/log
+ '[' '!' -d /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/rpmbuild/BUILDROOT/powerbroker-9.4.1.03-1.x86_64/var/log ']'
++ dirname /pbshell.iolog
+ logfiledir=/
+ '[' '!' -d /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/rpmbuild/BUILDROOT/powerbroker-9.4.1.03-1.x86_64/ ']'
+ /usr/lib/rpm/check-buildroot
+ /usr/lib/rpm/redhat/brp-compress
+ /usr/lib/rpm/redhat/brp-strip /usr/bin/strip
+ /usr/lib/rpm/redhat/brp-strip-static-archive /usr/bin/strip
+ /usr/lib/rpm/redhat/brp-strip-comment-note /usr/bin/strip /usr/bin/objdump
+ /usr/lib/rpm/brp-python-bytecompile /usr/bin/python
+ /usr/lib/rpm/redhat/brp-python-hardlink
+ /usr/lib/rpm/redhat/brp-java-repack-jars
Processing files: powerbroker-configCLIENTPAKU-9.4.1.03-1.noarch
Requires(interp): /bin/sh /bin/sh /bin/sh /bin/sh
Requires(rpmlib): rpmlib(CompressedFileNames) <= 3.0.4-1 rpmlib(FileDigests) <= 4.6.0-1 rpmlib(PayloadFilesHavePrefix) <= 4.0-1
Requires(pre): /bin/sh
Requires(post): /bin/sh
Requires(preun): /bin/sh
Requires(postun): /bin/sh
Checking for unpackaged file(s): /usr/lib/rpm/check-files /opt/final/powerbroker/v9.4/pbul_linux.x86-64_9.4.1-03/install/rpmbuild/BUILDROOT/powerbroker-9.4.1.03-1.x86_64
Wrote: /opt/final/powerbroker/v9.4/pbul_linux.x86-64_9.4.1-03/install/rpmbuild/RPMS/noarch/powerbroker-configCLIENTPAKU-9.4.1.03-1.noarch.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.A8w0eY
+ umask 022
+ cd /opt/final/powerbroker/v9.4/pbul_linux.x86-64_9.4.1-03/install/rpmbuild/BUILD
+ rm -rf /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/rpmbuild/BUILDROOT/powerbroker-9.4.1.03-1.x86_64/etc /opt/final/powerbroker/v9.4/pbul_linux.x86-64_9.4.1-03/install/rpmbuild/BUILDROOT/powerbroker-9.4.1.03-1.x86_64/pbshell.iolog /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install/rpmbuild/BUILDROOT/powerbroker-9.4.1.03-1.x86_64/var
+ exit 0
pbcreatelincfgpkg: rpm package built
pbcreatelincfgpkg: rpm package verified
pbcreatelincfgpkg: rpm package 'powerbroker-configCLIENTPAKU-9.4.1.03-1.noarch.rpm' placed in
/opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install
pbcreatelincfgpkg: the following packages will need to be loaded to the target system:
powerbroker-runhost powerbroker-submithost powerbroker-shlibs
pbcreatelincfgpkg: completed.

Install component packages using the rpm command

This section shows the execution of the rpm command to install component packages for the submit host, run host, and shared libraries:

Example

# cd /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/package
# rpm -iv powerbroker-shlibs-9.4.1.03-1.x86_64.rpm powerbroker-submithost-9.4.1.03-1.x86_64.rpm  powerbroker-runhost-9.4.1.03-1.x86_64.rpm
warning: powerbroker-shlibs-9.4.1.03-1.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID 19227ca5: NOKEY
        Preparing packages for installation...
        powerbroker-shlibs-9.4.1.03-1
        powerbroker-runhost-9.4.1.03-1
        powerbroker-submithost-9.4.1.03-1
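
The NOKEY warning in the output above means that rpm could not check the package signature, because the public key for that key ID is not in its keyring. The shell function below is an added example (not part of the vendor documentation) that scans a saved install transcript for such warnings so that an automated rollout can stop on them; the function names and the sample transcript are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag packages that rpm installed without verifying a signature.

# nokey_packages reads rpm output on stdin and prints one line per warning:
#   <package file><TAB><signature type><TAB><key ID>
# It returns 1 when at least one NOKEY warning was seen, 0 otherwise.
nokey_packages() {
    awk '
        /^[ \t]*warning: .+: Header .+ Signature, key ID [0-9a-fA-F]+: NOKEY[ \t]*$/ {
            line = $0
            sub(/^[ \t]*warning: /, "", line)
            file = line; sub(/: Header .*$/, "", file)
            sig = line;  sub(/^.*: Header /, "", sig); sub(/ Signature,.*$/, "", sig)
            id = line;   sub(/^.*key ID /, "", id);    sub(/:.*$/, "", id)
            print file "\t" sig "\t" id
            found = 1
        }
        END { exit found ? 1 : 0 }
    '
}

# Constructed transcript: the warning line follows the format shown above.
sample_transcript() {
    cat <<'EOF'
warning: powerbroker-shlibs-9.4.1.03-1.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID 19227ca5: NOKEY
Preparing packages for installation...
powerbroker-shlibs-9.4.1.03-1
EOF
}

if unverified=$(sample_transcript | nokey_packages); then
    echo "no NOKEY warnings in transcript"
else
    echo "signature not verified for:"
    printf '%s\n' "$unverified"
fi
```

Checking each package file with rpm -K, after the signer's public key has been imported with rpm --import, verifies the signature before installation rather than after.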

Install the configuration package using the rpm command

This section shows the execution of the Linux rpm command to install the configuration package. Following installation of the configuration package, the installation is verified by submitting the id command to Endpoint Privilege Management for Unix and Linux, and the Linux rpm -qa utility is used to list the Endpoint Privilege Management for Unix and Linux packages that are installed:

Example

# cd /opt/final/powerbroker/v9.4/pmul_linux.x86-64_9.4.1-03/install
# rpm  -iv powerbroker-configCLIENTPAKU-9.4.1.03-1.noarch.rpm
Preparing packages for installation...
powerbroker-configCLIENTPAKU-9.4.1.03-1
Reading pb.cfg...
Updating Settings in database (if any)...
Checking installation of dependent component packages...
'rpm -V' of package powerbroker-shlibs succeeded
'rpm -V' of package powerbroker-submithost succeeded
'rpm -V' of package powerbroker-runhost succeeded
Looking for SuperDaemons to configure...
Finished looking for SuperDaemons to configure...
Removing PowerBroker service definitions (if any) from /etc/services.
Adding PowerBroker service definitions to /etc/services.
Removing any PowerBroker definitions from SuperDaemon xinetd file /etc/xinetd.conf
Adding PowerBroker definitions to SuperDaemon configurations   /etc/xinetd.conf.
Reloading SuperDaemon Configurations...
Done Reloading SuperDaemon Configurations...
# rpm -qa | grep powerbroker
powerbroker-runhost-9.4.1.03-1.x86_64
powerbroker-configCLIENTPAKU-9.4.1.03-1.noarch
powerbroker-shlibs-9.4.1.03-1.x86_64
powerbroker-submithost-9.4.1.03-1.x86_64
# pbrun id # test PowerBroker
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk), 10(wheel),501(amanda)
# rpm -qa | grep powerbroker # list PowerBroker packages
powerbroker-runhost-9.4.1.03-1.x86_64
powerbroker-configCLIENTPAKU-9.4.1.03-1.noarch
powerbroker-shlibs-9.4.1.03-1.x86_64
powerbroker-submithost-9.4.1.03-1.x86_64

Sample of the uninstall process from a package installation

This section shows the execution of the Linux rpm utility to remove the Endpoint Privilege Management for Unix and Linux packages:

Example

# rpm -e powerbroker-configCLIENTPAKU powerbroker-shlibs powerbroker-submithost powerbroker-runhost
Reading pb.cfg...
Looking for SuperDaemons to configure...
Finished looking for SuperDaemons to configure...
Removing PowerBroker service definitions (if any) from /etc/services.
Removing any PowerBroker definitions from SuperDaemon xinetd file /etc/xinetd.conf
Reloading SuperDaemon Configurations...
Done Reloading SuperDaemon Configurations...

AIX package installer

This section describes how to install Endpoint Privilege Management for Unix and Linux using a package installer for AIX v5.3, 6.1 and 7.0 on a POWER 64-bit computer. AIX package installers are compatible with or without workload partitions (WPARs). Use the AIX package installer if you want to install Endpoint Privilege Management for Unix and Linux using the AIX installp command.

The Endpoint Privilege Management for Unix and Linux AIX package installer that is described here is not compatible with the BeyondTrust Endpoint Privilege Management v5.x packages. If the BeyondTrust Endpoint Privilege Management v5.x packages are installed, you must remove them before installing the Endpoint Privilege Management for Unix and Linux AIX packages.

WPARs

If you have AIX v6.1 or higher, then you can use WPARs.

ℹ️

Note

For more information about WPARs and propagating BeyondTrust AIX package installations to them, see the following:

Prerequisites

To use the AIX package installer, you must have the following:

  • Package tarball file for the appropriate Endpoint Privilege Management for Unix and Linux flavor
  • Root access or superuser privileges

ℹ️

Note

The Endpoint Privilege Management for Unix and Linux AIX package installer does not support prefix or suffix installations.

Plan your installation

When preparing to use the Endpoint Privilege Management for Unix and Linux package installer, you should be familiar with the following concepts and restrictions:

Component packages: an Endpoint Privilege Management for Unix and Linux component package is an AIX backup file format (.bff) file that installs a portion of the Endpoint Privilege Management for Unix and Linux application. Endpoint Privilege Management for Unix and Linux component packages use a format of powerbroker.component-v.v.r.bb.bff, where:

  • v = major version
  • v = minor version
  • r = release
  • bb = build

Example

powerbroker.masterhost-6.2.0.05.bff

| Component package or file names | Description |
|---|---|
| powerbroker.loghost-v.v.r.bb.bff | Contains the log host, pblogd, and man pages. powerbroker.common-v.v.r.bb.bff is a prerequisite for this package. |
| powerbroker-pbrest-v.v.r.bb-pv.arch.rpm | Contains REST API files. |
| powerbroker.rnssvr-v.v.r.bb.bff | Contains Registry Name Service files. |
| powerbroker.licsvr-v.v.r.bb.bff | Contains license server files. |
| powerbroker.sharedlibs-v.v.r.bb.bff | Contains the shared libraries: libcom_err.so.3.0, libcrypto.a, libgssapi_krb5.so.2.2, libk5crypto.so.3.1, libkrb5.so.3.3, liblber-2.5.a, libldap-2.5.a, libssl.a. powerbroker.common-v.v.r.bb.bff is a prerequisite for this package. |
| powerbroker.common-v.v.r.bb.bff | Contains the shared files and pbbench, pbcall, bencode, pbsum, man pages and pbinstall.8, and pbcreateaixcfgpkg.8. This package is a prerequisite for all the previously listed packages: powerbroker.masterhost, powerbroker.submithost, powerbroker.guihost, powerbroker.loghost and powerbroker.sharedlibs. |
| powerbroker.mlcommon-v.v.r.bb.bff | Contains the policy server log shared files, pblog, pbreplay, pbsyncd, pbsync, and man pages. This package is a prerequisite for powerbroker.masterhost-v.v.r.bb.bff and powerbroker.loghost-v.v.r.bb.bff. |
| powerbroker.masterhost-v.v.r.bb.bff | Contains the policy server host, pbcheck, pbkey, pbmasterd, pbpasswd, pbpatton, pbprint, and man pages. powerbroker.common-v.v.r.bb.bff is a prerequisite for this package. |
| powerbroker.runhost-v.v.r.bb.bff | Contains the run host and Endpoint Privilege Management for Unix and Linux utilities: pblocald, pbless, pbmg, pbnvi, pbumacs, pbvi, and man pages. powerbroker.common-v.v.r.bb.bff is a prerequisite for this package. |
| powerbroker.submithost-v.v.r.bb.bff | Contains the submit host and Endpoint Privilege Management for Unix and Linux shells, pbksh, pbsh, pbssh, pbrun, and man pages. powerbroker.common-v.v.r.bb.bff is a prerequisite for this package. |

Which component packages are required depends on the type of Endpoint Privilege Management for Unix and Linux host you are creating, such as policy server host, log host, and so on. You can select the types of hosts in the pbinstall installation menu, as shown in the following table.

| Menu Selection | Required Components |
|---|---|
| Install everything here (demo mode)? = Yes | powerbroker.masterhost-v.v.r.bb.bff, powerbroker.runhost-v.v.r.bb.bff, powerbroker.submithost-v.v.r.bb.bff, powerbroker.loghost-v.v.r.bb.bff, powerbroker.guihost-v.v.r.bb.bff, powerbroker.sharedlibs-v.v.r.bb.bff, powerbroker.common-v.v.r.bb.bff, powerbroker.mlcommon-v.v.r.bb.bff |
| Install Policy Server Host? = Yes | powerbroker.masterhost-v.v.r.bb.bff, powerbroker.common-v.v.r.bb.bff, powerbroker.mlcommon-v.v.r.bb.bff |
| Install Run Host? = Yes | powerbroker.runhost-v.v.r.bb.bff, powerbroker.common-v.v.r.bb.bff |
| Install Submit Host? = Yes | powerbroker.submithost-v.v.r.bb.bff, powerbroker.common-v.v.r.bb.bff |
| Install Log Host? = Yes | powerbroker.loghost-v.v.r.bb.bff, powerbroker.common-v.v.r.bb.bff, powerbroker.mlcommon-v.v.r.bb.bff |
| Install BeyondTrust built-in third-party libraries? = Yes | powerbroker.sharedlibs-v.v.r.bb.bff, powerbroker.common-v.v.r.bb.bff |
| Install Registry Name Services Server? [yes] | powerbroker.rnssvr-v.v.r.bb.bff |
| Install License Server? [yes] | powerbroker.licsvr-v.v.r.bb.bff |

Configuration package: AIX installation package, created by the user, named powerbroker.config[suffix], where suffix is user-defined. It contains the configuration files that are used to install the following files:

  • pb.settings: Hardcoded target location /etc/pb.settings
  • pb.cfg: Hardcoded target location /etc/pb.cfg
  • All the encryption keyfiles defined for networkencryption, eventlogencryption, iologencryption, reportencryption, policyencryption, and restkeyencryption
  • By default, two key files are created: pb.key and pb.rest.key
  • The sysadmin can define multiple encryption settings with different key files in locations other than /etc. To upgrade and retain settings on the target machine, view all encryption settings in /etc/pb.settings and copy the files to the settings_files directory before running "pbinstall -z" and pbcreate*cfgpkg
  • pb.conf (for policy server hosts)
  • Man pages for the pbinstall and pbcreateaixcfgpkg programs

The Endpoint Privilege Management for Unix and Linux configuration package is created by the pbcreateaixcfgpkg program. The component packages must be installed before you install the configuration package.
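
As an added example (not vendor code), the shell functions below list every key file referenced by the encryption settings named above and check that each one has been copied into the settings_files directory before pbinstall -z and pbcreate*cfgpkg are run. The pb.settings line layout (setting name followed by its value), staging by base name, the owner-only permission check, and the sample paths are assumptions made for this example.

```shell
#!/bin/sh
# Added example: pre-flight check of encryption key files before building a
# configuration package. Assumes one "name value" pair per pb.settings line and
# key files staged by base name in the settings_files directory.

ENC_SETTINGS="networkencryption eventlogencryption iologencryption reportencryption policyencryption restkeyencryption"

# list_keyfiles SETTINGS_FILE
# Prints "<setting><TAB><key file path>" for every keyfile= reference on an
# encryption setting line; comment lines and other settings are skipped.
list_keyfiles() {
    awk -v names="$ENC_SETTINGS" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        /^[ \t]*#/ { next }
        {
            name = tolower($1)
            if (!(name in want)) next
            rest = $0
            # One line may name several algorithms, each with its own key file.
            while (match(rest, /keyfile=[^ \t":]+/)) {
                print name "\t" substr(rest, RSTART + 8, RLENGTH - 8)
                rest = substr(rest, RSTART + RLENGTH)
            }
        }
    ' "$1"
}

# owner_only FILE: true when group and other have no permission bits at all.
owner_only() {
    case $(ls -ld "$1") in
        ????------*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_staged SETTINGS_FILE STAGING_DIR
# Prints one status line per distinct key file (OK, LOOSE or MISSING) and
# returns 1 if any key file is LOOSE (group/other access) or MISSING.
check_staged() {
    rc=0
    for path in $(list_keyfiles "$1" | cut -f2 | sort -u); do
        staged="$2/$(basename "$path")"
        if [ ! -f "$staged" ]; then
            echo "MISSING $path"; rc=1
        elif ! owner_only "$staged"; then
            echo "LOOSE $path"; rc=1
        else
            echo "OK $path"
        fi
    done
    return $rc
}

# make_sample DIR: writes a constructed pb.settings and staging directory.
make_sample() {
    mkdir -p "$1/settings_files"
    cat > "$1/pb.settings" <<'EOF'
# constructed sample for this example, not a real pb.settings
networkencryption   "aes-256:keyfile=/etc/pb.key"
iologencryption     aes-256:keyfile=/etc/pb/iolog.key aes-256:keyfile=/opt/keys/iolog-old.key
eventlogencryption  none
restkeyencryption   aes-256:keyfile=/opt/keys/pb.rest.key
# policyencryption  aes-256:keyfile=/opt/keys/unused.key
EOF
    for f in pb.key iolog.key pb.rest.key; do : > "$1/settings_files/$f"; done
    chmod 600 "$1/settings_files/pb.key" "$1/settings_files/iolog.key"
    chmod 644 "$1/settings_files/pb.rest.key"
}

# With two arguments, check a real settings file and staging directory;
# with none, run against the constructed sample.
if [ "$#" -eq 2 ]; then
    check_staged "$1" "$2"
else
    demo=$(mktemp -d) && make_sample "$demo"
    check_staged "$demo/pb.settings" "$demo/settings_files" ||
        echo "staging incomplete: fix the entries above before packaging"
    rm -rf "$demo"
fi
```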

Package name: Name of the installation package stored in the AIX database. For Endpoint Privilege Management for Unix and Linux package installations, this name is the same as the package file name without the .bff extension.

pbinstall program: To create the Endpoint Privilege Management for Unix and Linux settings files, you use the pbinstall program with the -z (settings only) option. pbinstall -z only creates the settings files and is incompatible with the following command line options:

| Options Incompatible with pbinstall -z | Description |
|---|---|
| -b | Runs pbinstall in batch mode. |
| -c | Skip the steps that process or update the Endpoint Privilege Management for Unix and Linux settings file. |
| -e | Runs install script automatically by bypassing the menu step of pbinstall. |
| -i | Ignores previous pb.settings and pb.cfg files. |
| -p | Sets the pb installation prefix. |
| -s | Sets the pb installation suffix. |
| -u | Installs the utility programs. |
| -x | Creates a log synchronization host (that is, installs pbsyncd). |

When you execute pbinstall with the -z option, you can see two menu items that are not otherwise available:

  • Enter existing pb.settings path: Enables you to specify your own pb.settings file. pbinstall reads this settings file and populates the remaining menu choices. You can override some menu choices. If set to none, then pbinstall does not read a settings file. The remaining menu choices are populated with default values.
  • Enter directory path for settings file creation: Enables you to specify an alternative output directory for the settings files. The default directory is /unzip-dir/powerbroker/// install/settings_files, where unzip-dir is the directory where the package tarball file was unzipped.

The behavior of pbinstall -z depends on whether certain additional command line options are specified:

  • If no other command line options are specified, pbinstall initially presents a short version of the installation menu (items 1–8 only). Depending on the choices you make in these items, further menu items become available.
  • If command line options -g, -l, -m, or -r are specified, pbinstall presents an expanded version of the installation menu that reflects the host types that you are configuring.

When running pbinstall with the -z option, the following menu items are preprogrammed and cannot be changed:

  • Install man pages?
  • Daemon location
  • Administration programs location
  • User programs location
  • GUI library directory
  • Policy include (sub) file directory
  • User man page location
  • Admin man page location
  • Policy filename
  • BeyondTrust built-in third-party library directory

In addition, the values of the following menu items determine the values of other menu items:

Options Preset When Running pbinstall -z

| Setting this menu option to Yes | Sets these values to Yes |
|---|---|
| Install Policy Server Host? | Install Synchronization?, Synchronization can be initiated from this host? |
| Install Run Host? | Install Utilities? |
| Install Submit Host? | Install PBSSH?, Install pbksh?, Install pbsh?, Will this host use a Log Host? |
| Install Log Host? | Install Synchronization?, Synchronization can be initiated from this host? |

If you plan to use Registry Name Service and are running pbinstall -z on a client host (non-primary server), you must perform client registration. This is necessary to properly set up the registry name service database. Client registration will also require that you collect from the Endpoint Privilege Management for Unix and Linux primary server the following information:

  • REST Application ID
  • REST Application Key
  • Primary server network name or IP address
  • Primary License Server REST TCP/IP port
  • Registration Client Profile name

ℹ️

Note

If you are using the package installer to install Endpoint Privilege Management for Unix and Linux on a computer that already has an interactive Endpoint Privilege Management for Unix and Linux installation on it, see Installation considerations for additional considerations.

RNS client registration: If Registry Name Services is enabled for Endpoint Privilege Management for Unix and Linux, each client host (after the first server installation) needs to be registered with the Primary Registry Name Server. When using package installers on a target host, a post-install configuration script (/opt/pbul/scripts/pbrnscfg.sh) is provided to be manually executed on that host to properly register it. This post-install configuration script asks for information about the Primary Registry Name Server, including the Application ID (appid), Application Key (appkey), address/domain name, and the REST TCP/IP port number. This is the same information provided during the client registration part of a pbinstall -z install which generates the settings file.

If you prefer a more convenient method of registering RNS clients, in which the post-install configuration script is non-interactive, Endpoint Privilege Management for Unix and Linux can save the relevant information in a hidden file during the settings-only run of pbinstall, bundle it with the configuration package, and automatically apply it to the target host when that package is installed. This method is not secure, but it is available if the security-convenience trade-off is acceptable. To enable it, refer to the question about the post-install configuration script that is displayed when running pbinstall -z.

Use EPM-UL packages on AIX WPARs

The Endpoint Privilege Management for Unix and Linux AIX package installer supports AIX WPARs in AIX v6.1 and higher. The primary operating system instance is referred to as the global WPAR. All WPARs that are not global are referred to as non-global WPARs.

ℹ️

Note

AIX release v6.1 or higher is required. The use of WPARs is not supported on earlier releases.

There are two types of WPARs:

  • Shared WPARs share some of the global environment’s file systems and are administered by the global environment.
  • Non-shared WPARs share none of the global environment’s file systems and are treated as stand-alone systems.

Installing Endpoint Privilege Management for Unix and Linux AIX packages on WPARs is very similar to installing these packages on AIX systems without WPARs.

Overview of steps

Using the Endpoint Privilege Management for Unix and Linux AIX package installer involves the following steps:

  1. Unpack the Endpoint Privilege Management for Unix and Linux package tarball file.
  2. Use the pbinstall program to create Endpoint Privilege Management for Unix and Linux settings files.
  3. Use the pbcreateaixcfgpkg program to create the Endpoint Privilege Management for Unix and Linux configuration package.
  4. Perform a package installation using the AIX installp command for any required components.
  5. Perform a package installation using the AIX installp command for the Endpoint Privilege Management for Unix and Linux configuration package.
  6. If Registry Name Service is enabled and you are installing on a non-primary server, run /opt/pbul/scripts/pbrnscfg.sh to register the host.

Installation procedure

To install Endpoint Privilege Management for Unix and Linux in the AIX global environment, do the following:

  1. Extract the package tarball files into the /opt/beyondtrust/ directory by executing the following command:

    gunzip -c pmul_<flavor_version>_pkg.tar.Z | tar xvf -
    
  2. Navigate to the /opt/beyondtrust/powerbroker///install/ directory.

  3. Execute the following command:

    ./pbinstall -z
    

    You are asked if you want to use client registration. If you plan to enable Registry Name Service, and are installing on a host that is not designated as a primary server, you must run client registration.

    pbinstall next asks if you want to enable Registry Name Service.

    pbinstall displays the Endpoint Privilege Management for Unix and Linux installation menu.

  4. Make your menu selections. When the menu selection process is complete, pbinstall creates the following files in the specified location:

    • pb.settings
    • pb.cfg
    • pb.key (if encryption is enabled)
    • pb.conf (for policy server host)
    • pbpolicykey.pem and pbpolicypubcert.pem (for Policy Server hosts with Cached Policy feature enabled)

ℹ️

Note

The Enter existing pb.settings path menu option enables you to specify your own pb.settings file to use. Also, the Enter directory path for settings file creation menu option enables you to specify where to save the generated settings files. These menu options are available only when running pbinstall with the -z option.

  5. Optional. For an Endpoint Privilege Management for Unix and Linux client, if client-server communications are to be encrypted, replace the generated pb.key file with the pb.key file from the policy server host. Also, copy any other required key files into the same directory.

  6. Optional. For a policy server host, write a policy file (pb.conf) and place it in the directory with the other generated files. If you do not provide a pb.conf file, a pb.conf file with the single command reject ; is generated and packaged.

    Starting with v8.0, pbinstall -z can optionally install the default role-based policies and asks:

    Installing default role-based policy pbul_policy.conf and pbul_functions.conf in <install_dir>/settings_files
                        
    Would you like to use the default role-based policy in the configuration package?
    
    • Answer Yes for new installs only.
    • If you are upgrading an existing configuration package, to avoid overwriting your existing policy, answer No.
    Use the default role-based policy [Y]?
    
    • If you answer Yes, the default pb.conf, pbul_policy.conf and pbul_functions.conf files are created and installed on the policy server.
    • If you are installing over an existing installation, and have an existing policy in place, answer No.
  7. Navigate to the /opt/beyondtrust/powerbroker///install/ directory.

  8. Run the pbcreateaixcfgpkg utility by typing:

    pbcreateaixcfgpkg -p suffix -s directory
    
    • suffix is appended to the filenames of the configuration package backup file format file and the package administration file; the length can be up to 26 characters.
    • directory contains the Endpoint Privilege Management for Unix and Linux settings and configuration files to include in the package.

    The pbcreateaixcfgpkg utility creates the configuration package file, powerbroker.config-v.v.r.b.bff.

  9. Navigate to the /opt/beyondtrust/powerbroker///package/ directory.

  10. For each required component package, run the AIX installp command to install one component package by typing:

    installp -agd ./ powerbroker.pkg-name
    

    pkg-name is the name of the component package file.

    Example

    installp -agd ./ powerbroker.submithost
    

Using the -g option installs all the prerequisite packages along with the powerbroker.submithost package. In this case, powerbroker.common is a prerequisite package for the powerbroker.submithost package.

Alternatively, you can install all the component packages by typing:

    installp -agd ./ powerbroker

  11. Run the AIX installp command to install the Endpoint Privilege Management for Unix and Linux configuration package by typing:

    installp -ad ./ powerbroker.config<suffix>

    <suffix> is the suffix that is set when you create the Endpoint Privilege Management for Unix and Linux configuration package in step 8.

  12. Verify the installation of the packages with the AIX lslpp command by typing:

    lslpp -l | grep powerbroker

  13. If Registry Name Service is enabled and installed on a non-primary server, register the host with the Primary Registry Name Server using a post-install configuration script. Gather the Application ID, Application Key, network name or IP address, and REST TCP/IP port of the primary server, then run the script to register the host and follow the prompts:

    /opt/pbul/scripts/pbrnscfg.sh

ℹ️

Note

For additional information, see the following:

Install EPM-UL onto WPARs

The process for installing Endpoint Privilege Management AIX packages onto non-shared workload partitions (WPARs) is similar to the process for installing in the global AIX environment because the installed software is private to the non-shared WPAR. Therefore, there is no need for synchronization.

To install packages onto shared WPARs, do the following:

  1. Follow the installation procedure to create the AIX packages.
  2. Install Endpoint Privilege Management component (usr) packages in the global AIX environment. The usr packages are visible to the WPARs.
  3. Install Endpoint Privilege Management configuration (root) package in the global AIX environment. The root packages are not visible to the WPARs until propagated.
  4. To make the Endpoint Privilege Management configuration (root) package visible to the WPARs, use the syncwpar command and propagate the packages to WPARs.
  5. Optional. List the WPARs.

Remove EPM-UL packages

Removing the Endpoint Privilege Management for Unix and Linux packages completely uninstalls Endpoint Privilege Management for Unix and Linux from a computer. To remove the packages, do the following:

  1. Navigate to the /opt/beyondtrust/powerbroker//aix/install/ directory.
  2. Remove multiple Endpoint Privilege Management for Unix and Linux packages by typing:
    installp -u powerbroker.configClient component-package-1 ... component-package-n
    
  • configClient is the name of the package specified during installation of the configuration package. Because of the dependency relationship between the configuration package and the component packages, this package name must come first in the list.
  • component-package-1 through component-package-n are the names of the packages specified during installation of the component packages, such as powerbroker.submithost.

Example

installp -u powerbroker.configClient powerbroker.submithost powerbroker.loghost

Or you may remove a package and its prerequisites by using the installp -gu command.

Example

The following command removes the powerbroker.runhost package and its prerequisite package powerbroker.common:

installp -gu powerbroker.runhost
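
The ordering rule above, as an added example (not BeyondTrust's own tooling): these functions read the output of lslpp -l | grep powerbroker, place the configuration package first, and print the installp -u command for review instead of running it. The function names are hypothetical, and the embedded listing is the sample shown in this guide's AIX walkthrough.

```shell
#!/bin/sh
# Added example: build the removal command from an lslpp listing.
# Nothing here calls installp; the command is only printed.

# Sample listing as shown in this guide (output of: lslpp -l | grep powerbroker).
PB_SAMPLE_LISTING='powerbroker.common        9.4.3.18  COMMITTED  BeyondTrust PowerBroker Common
powerbroker.configCLIENT1
powerbroker.runhost       9.4.3.18  COMMITTED  BeyondTrust PowerBroker Run
powerbroker.sharedlibs    9.4.3.18  COMMITTED  BeyondTrust PowerBroker Shared
powerbroker.submithost    9.4.3.18  COMMITTED  BeyondTrust PowerBroker Submit
powerbroker.configCLIENT1'

# Read a listing on stdin; print each powerbroker fileset once,
# configuration package(s) first, then the component packages.
pb_filesets_config_first() {
    awk '
        $1 ~ /^powerbroker\./ && !seen[$1]++ {
            if ($1 ~ /^powerbroker\.config/) cfg[++nc] = $1
            else comp[++np] = $1
        }
        END {
            for (i = 1; i <= nc; i++) print cfg[i]
            for (i = 1; i <= np; i++) print comp[i]
        }
    '
}

# Read a listing on stdin; print the suffix of the configuration package,
# that is, the text after "powerbroker.config".
pb_config_suffix() {
    pb_filesets_config_first | sed -n 's/^powerbroker\.config//p' | head -n 1
}

# Read a listing on stdin; print the installp -u command with the
# configuration package as the first argument.
pb_remove_command() {
    set -- $(pb_filesets_config_first)
    if [ $# -eq 0 ]; then
        echo "no powerbroker filesets in listing" >&2
        return 1
    fi
    echo "installp -u $*"
}

# Demo on the sample listing.
printf '%s\n' "$PB_SAMPLE_LISTING" | pb_remove_command
```

On an AIX host, feed the functions live data with lslpp -l | grep powerbroker | pb_remove_command and review the printed command before running it.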

Remove AIX package from shared WPARs

To remove Endpoint Privilege Management for Unix and Linux packages from shared workload partitions (WPARs), do the following:

  1. Remove the Endpoint Privilege Management for Unix and Linux packages from the global AIX environment using the following command:

    installp -u powerbroker
    

    All Endpoint Privilege Management for Unix and Linux usr packages and the global root package are removed.

  2. Remove the Endpoint Privilege Management for Unix and Linux root packages from WPARs by doing either of the following:

    • Remove the Endpoint Privilege Management for Unix and Linux root package from one or more specified WPARs by typing the following command from the global AIX environment:

      syncwpar [nodeA] [nodeB] ... [nodeX]
      

      nodeA, nodeB, ... nodeX are the names of the WPARs.

    • Remove the Endpoint Privilege Management for Unix and Linux root package from all WPARs by typing the following command from the global AIX environment:

      syncwpar -A
      

      When you use the -A option, all Endpoint Privilege Management root packages are removed from the WPARs.

ℹ️

Note

The syncwpar command synchronizes all packages between the AIX global environment and shared WPARs.

  3. Optional. Verify that the packages are removed from the WPARs.

Update EPM-UL with update packages

The Endpoint Privilege Management for Unix and Linux AIX package installer can be used to update an existing Endpoint Privilege Management for Unix and Linux installation to a new version. The existing Endpoint Privilege Management for Unix and Linux version should have been installed using the Endpoint Privilege Management for Unix and Linux package installer.

Update package considerations

Installing an update package is similar to using the AIX package installer to install Endpoint Privilege Management for Unix and Linux for the first time. Keep these considerations in mind when you prepare to upgrade Endpoint Privilege Management for Unix and Linux:

  • Each release of Endpoint Privilege Management for Unix and Linux AIX update packages contains only the updated files. Therefore, a full Endpoint Privilege Management for Unix and Linux package installation (of the same major and minor version) must be performed before you can install an upgrade package. For example, before you can install update package version 9.2.1, you must have the full Endpoint Privilege Management for Unix and Linux package version 9.2.0 installed.
  • Each successive Endpoint Privilege Management AIX update package is cumulative; for example, update package version 9.4.1 contains all of the updates in update package version 9.4.0.
  • A newer release can introduce features that use new settings or configurations. In that case, an upgrade of the configuration package of Endpoint Privilege Management for Unix and Linux is also needed.
  • Update packages that have not been committed can be rejected. You cannot reject update packages that have been committed.
  • Committing a given update package requires prior or concurrent commit of earlier update packages.
  • The Endpoint Privilege Management for Unix and Linux configuration package does not contain any executable files and therefore does not need to be upgraded. However, if you are creating a new configuration package, you should create it with the same version of Endpoint Privilege Management for Unix and Linux as the component packages you are installing.

Update package procedure

Follow this procedure to update your installation of Endpoint Privilege Management for Unix and Linux using the update packages:

  1. Obtain the tarball file for the AIX update packages that are appropriate for your hardware. The tarball file name has the format pmul_<flavor>-v.v.r-bb-update_pkg.tar.Z, where:
    • <flavor> indicates the operating system and hardware architecture.
    • v.v.r is the major and minor version number and the release number.
    • bb is the build number.
  2. Extract the package files into the /unzip-dir/ directory by executing the following command:
    gunzip -c pmul_<flavor_version>-update_pkg.tar.Z | tar xvf -
    
  3. Navigate to the /unzip-dir/powerbroker/v//install/ directory.
  4. Create the settings_files directory and change directory to that location.
  5. To retain or correctly update the settings of the current installation, copy the following files from the target installation host into the settings_files directory you created in step 4:
    • /etc/pb.settings
    • /etc/pb.cfg
    • encryption keys defined in pb.settings for networkencryption, eventlogencryption, iologencryption, reportencryption, policyencryption, and restkeyencryption settings (if enabled)

ℹ️

Note

In a default installation, there are typically 2 key files created: pb.key and pb.rest.key.

  • policy file defined in policyfile setting in pb.settings (if the target installation is a Policy Server)

ℹ️

Note

In a default installation, the policy file is located in /opt/pbul/policies/pb.conf.

  6. Execute the following command to verify and update the installation settings in the settings_files directory:
    ./pbinstall -z
  7. Create the upgrade configuration package by running the pbcreateaixcfgpkg utility:
    pbcreateaixcfgpkg -p suffix

Use the current suffix of the installation to be upgraded, that is, the suffix you provided during the initial package installation in step 8 of the Installation procedure.

Another way to find the suffix is to run the following command on the target installation host to get the list of packages installed:

lslpp -l | grep powerbroker

Identify the suffix of the Endpoint Privilege Management for Unix and Linux configuration package using this format:

powerbroker.config<suffix>
  8. Navigate to the /unzip-dir/powerbroker/version/flavor/package/ directory.

  9. Run the AIX installp utility to install the Endpoint Privilege Management for Unix and Linux component package or packages by typing:

    installp -ad ./ powerbroker.package_name [v.v.r.bb] [powerbroker.package_name [v.v.r.bb] ... ]

    where:

    • package_name is the name of the Endpoint Privilege Management for Unix and Linux package to be installed.
    • v.v.r.bb (optional) is the version, release, and build number, for example, 9.4.1.03.
  10. Navigate to the /unzip-dir/powerbroker///install/ directory.

  11. Run the AIX installp command to install the Endpoint Privilege Management for Unix and Linux configuration package by typing:

    installp -ad ./ powerbroker.config<suffix>

    <suffix> is the suffix that is set when you create the Endpoint Privilege Management for Unix and Linux configuration package in step 7.

  12. Commit the update package by typing:

    installp -c powerbroker [v.v.r.bb]

    v.v.r.bb (optional) is the version, release, and build number, for example, 9.4.1.03.

  13. Verify the installation of the filesets with the AIX lslpp utility by typing:

    lslpp -al powerbroker.package_name

    package_name is the name of the Endpoint Privilege Management for Unix and Linux package that you installed.

Reject an update package

You can reject an update package that has been applied but not committed by typing:

installp -r powerbroker.package_name [v.v.r.bb]

where:

  • package_name is the name of the Endpoint Privilege Management for Unix and Linux package that you want to reject.
  • v.v.r.bb (optional) is the version, release, and build number, for example, 6.2.1.11.

After an update package has been committed, you cannot reject it.

Update packages and WPARs

Installing update packages on workload partitions (WPARs) involves the same considerations as installing a baseline Endpoint Privilege Management for Unix and Linux package on WPARs.

Upgrade the configuration package

When upgrading the configuration package (cfg pkg), some settings and configuration files that are part of the package might need to be copied from the existing installation to the staging host.

Files included in the cfg package:

  • pb.settings: Hardcoded target location /etc/pb.settings.

  • pb.cfg: Hardcoded target location /etc/pb.cfg.

  • All the encryption key files defined for networkencryption, eventlogencryption, iologencryption, reportencryption, policyencryption, and restkeyencryption. By default, two key files are typically created:

    • pb.key
    • pb.rest.key

    The sysadmin can define encryption with different key files in locations other than /etc. Therefore, when upgrading, and to retain what is installed on the target machine, look at all the encryption settings in /etc/pb.settings. Copy the settings to the settings_files directory before running pbinstall -z and pbcreate*cfgpkg.

  • Policy file if the target is a policy server.
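
One way to gather the files listed above (and in step 5 of the update procedure) into settings_files, as an added example that is not part of the product: it reads pb.settings, collects every keyfile= path from the encryption settings, and copies them with modes preserved into a directory only the owner can read, because the staging copy holds encryption keys. Assumptions: pb.settings holds one "name value" pair per line with key files written as keyfile=<path> (the form shown in the installation menu), paths contain no whitespace, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: stage settings, key files and policy file for pbinstall -z.
# Assumption: pb.settings lines look like
#   networkencryption  aes-256:keyfile=/etc/pb.key

# Print each key file referenced by an encryption setting, one per line.
pb_keyfiles() {
    awk '
        /^[ \t]*#/ { next }   # skip comment lines
        tolower($1) ~ /^(network|eventlog|iolog|report|policy|restkey)encryption$/ {
            for (i = 2; i <= NF; i++) {
                gsub(/"/, "", $i)
                n = split($i, part, ":")
                for (j = 1; j <= n; j++)
                    if (part[j] ~ /^keyfile=/) print substr(part[j], 9)
            }
        }
    ' "$1" | LC_ALL=C sort -u
}

# Print the value of the policyfile setting, if present.
pb_policyfile() {
    awk 'tolower($1) == "policyfile" { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# $1 = pb.settings, $2 = pb.cfg, $3 = settings_files directory to fill.
# Returns non-zero if a referenced key file is missing.
pb_stage_settings() {
    settings=$1; cfg=$2; dest=$3
    ( umask 077; mkdir -p "$dest" ) || return 1
    chmod 700 "$dest" || return 1            # keys are staged here
    cp -p "$settings" "$dest/pb.settings" || return 1
    cp -p "$cfg" "$dest/pb.cfg" || return 1
    rc=0
    for f in $(pb_keyfiles "$settings"); do
        if [ -f "$f" ]; then
            cp -p "$f" "$dest/" || return 1   # -p keeps mode and timestamps
        else
            echo "missing key file: $f" >&2
            rc=1
        fi
    done
    # The policy file exists only on a Policy Server, so it is optional.
    pol=$(pb_policyfile "$settings")
    if [ -n "$pol" ] && [ -f "$pol" ]; then
        cp -p "$pol" "$dest/" || return 1
    fi
    return $rc
}

# Demo on a constructed installation tree (not a real host).
pb_demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/etc" "$work/keys" "$work/policies"
    : > "$work/etc/pb.cfg"
    echo constructed-key-1 > "$work/etc/pb.key"
    echo constructed-key-2 > "$work/keys/pb.rest.key"
    echo '# constructed policy' > "$work/policies/pb.conf"
    cat > "$work/etc/pb.settings" <<EOF
# constructed sample settings
networkencryption   aes-256:keyfile=$work/etc/pb.key
eventlogencryption  none
restkeyencryption   aes-256:keyfile=$work/keys/pb.rest.key
policyfile          $work/policies/pb.conf
EOF
    pb_stage_settings "$work/etc/pb.settings" "$work/etc/pb.cfg" \
        "$work/settings_files" || return 1
    echo $(ls "$work/settings_files" | LC_ALL=C sort)
    rm -rf "$work"
}

pb_demo
```

The second key file in the demo lives outside etc on purpose: only the keyfile= paths in pb.settings say where the keys are.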

Sample Execution for the AIX Package Installer

The sample execution shows the installation of an Endpoint Privilege Management for Unix and Linux submit host, run host, and shared libraries using the Endpoint Privilege Management for Unix and Linux AIX package installer.

This sample execution is divided into the following parts:

  • Generate the Endpoint Privilege Management for Unix and Linux settings files.
  • Create the Endpoint Privilege Management for Unix and Linux configuration package using the pbcreateaixcfgpkg program.
  • Install the component packages using the installp -ad command.
  • Install the configuration package using the installp -ad command.
  • Use syncwpar to propagate additional AIX global environment packages to shared workload partitions (WPARs). WPARs are available with AIX v6.1 and higher.

Generate the Endpoint Privilege Management for Unix and Linux settings files

This section of the execution shows the generation of the Endpoint Privilege Management for Unix and Linux settings files (pb.key, pb.cfg, and pb.settings) and also displays the Endpoint Privilege Management for Unix and Linux installation menu. This output was generated using the pbinstall program with the -z option.

Example

# ./pbinstall -zlr
Starting pbinstall main() from /opt/bt_pkg/powerbroker/v9.4/pmul_aix52+_9.4.3-18/install/.
aix52+
WARNING:
When creating configuration packages to be installed on AIX WPARs, care
must be taken to set log file directories to WPAR-writable partitions.
The default AIX shared WPAR has the following read-only and/or shared
partitions, although configuration can vary:
/usr /opt /proc
The Endpoint Privilege Management for Unix and Linux log file default directory for AIX WPARs is '/var/adm'.

Endpoint Privilege Management for Unix and Linux Settings File Generation

Please read the Endpoint Privilege Management for Unix and Linux Installation Instructions before proceeding.

Checking MANIFEST against release directory

Press return to continue
The Registry Name Service of Endpoint Privilege Management for Unix and Linux facilitates location of other services within the PBUL enterprise with the aid of a centralized data repository.
IMPORTANT: client registration is required if this is not the Primary Server and you intend to use Registry Name Services.
Do you wish to utilize Registry Name Service? [yes]? no
BeyondTrust Endpoint Privilege Management for Unix and Linux Installation Menu
             Opt  Description                              [Value]
            1  Install Everything Here (Demo Mode)?         [no]
            2  Install License Server?                      [no]
            3  Install Registry Name Services Server?       [no]
            4  Install Client Registration Server?          [no]
            5  Install Policy Server Host?                  [yes]
            6  Install Run Host?                            [yes]
            7  Install Submit Host?                         [yes]
            8  Install PBSSH                                [yes]
            10  Install Log Host?                           [yes]
            11  Enable Logfile Tracking and Archiving?      [yes]
            12  Is this a Log Archiver Storage Server?      [no]
            13  Is this a Log Archiver Database Server?     [no]
            14  Install File Integrity Monitoring Polic...  [no]
            15  Install REST Services?                      [yes]
            16  List of License Servers                     [*]
            19  Path to Password Safe 'pkrun' binary        []
            23  Install Synchronization program?            [yes]
            25  Install Secure GUI Host?                    [yes]
            26  Install Utilities: pbvi, pbnvi, pbmg, p...  [yes]
            27  Install pbksh?                              [yes]
            28  Install pbsh?                               [yes]
            29  Install man pages?                          [no]
            30  Will this host use a Log Host?              [yes]
            31  AD Bridge Integration?                      [no]
            37  Integration with BeyondInsight?             [no]
            55  Synchronization program can be initiate...  [yes]
            56  Daemons location                            [/usr/sbin]
            57  Number of reserved spaces for submit pr...  [80]
            58  Administration programs location            [/usr/sbin]
            59  User programs location                      [/usr/local/bin]
            60  GUI library directory                       [/usr/local/lib/pbbuilder]
            61  Policy include (sub) file directory         [/opt/pbul/policies]
            62  Policy file name                            [/opt/pbul/policies/pb.conf]
            65  Log Archive Storage Server name             []
            67  Log Archiver Database Server name           []
            69  Logfile Name Cache Database file path?      [/opt/pbul/dbs/pblogcache.db]
            70  REST Service installation directory?        [/usr/lib/beyondtrust/pb/rest]
            71  Install REST API sample code?               [no]
            73  Pblighttpd user                             [pblight]
            75  Pblighttpd user UID                         []
            76  Pblighttpd user GID                         []
            78  Configure systemd?                          [yes]
            79  Command line options for pbmasterd          [-ar]
            80  Policy Server Delay                         [500]
            81  Policy Server Protocol Timeout              [-1]
            82  pbmasterd diagnostic log                    [/var/log/pbmasterd.log]
            83  Eventlog filename                           [/var/log/pb.eventlog]
            84  Configure eventlog rotation via size?       []
            85  Configure eventlog rotation path?           []
            86  Configure eventlog rotation via cron?       [no]
            87  Validate Submit Host Connections?           [no]
            88  List of Policy Servers to submit to         [kandor]
            89  pbrun diagnostic log?                       [none]
            90  pbssh diagnostic log?                       [none]
            91  Allow Local Mode?                           [yes]
            92  Additional secured task checks?             [no]
            93  Suppress Policy Server host failover er...  [yes]
            94  List of Policy Servers to accept from       [kandor]
            95  pblocald diagnostic log                     [/var/log/pblocald.log]
            96  Command line options for pblocald           []
            97  Syslog pblocald sessions?                   [no]
            98  Record PTY sessions in utmp/utmpx?          [yes]
            99  Validate Policy Server Host Connections?    [no]
            100  List of Log Hosts                          [kandor]
            101  Command line options for pblogd            []
            102  Log Host Delay                             [500]
            103  Log Host Protocol Timeout                  [-1]
            104  pblogd diagnostic log                      [/var/log/pblogd.log]
            105  List of log reserved filesystems           [none]
            106  Number of free blocks per log system fi... [0]
            107  Command line options for pbsyncd           []
            108  Sync Protocol Timeout                      [-1]
            109  pbsyncd diagnostic log                     [/var/log/pbsyncd.log]
            110  pbsync diagnostic log                      [/var/log/pbsync.log]
            111  pbsync sychronization time interval (in... [15]
            112  Add installed shells to /etc/shells        [no]
            113  pbksh diagnostic file                      [/var/log/pbksh.log]
            114  pbsh diagnostic file                       [/var/log/pbsh.log]
            115  Stand-alone pblocald command               [none]
            116  Stand-alone root shell default iolog       [/pbshell.iolog]
            
            
            
            
            121  Use syslog?                                [yes]
            122  Syslog facility to use?                    [LOG_AUTHPRIV]
            123  Base Daemon port number                    [24345]
            124  pbmasterd port number                      [24345]
            125  pblocald port number                       [24346]
            126  pblogd port number                         [24347]
            
           
            129  pbsyncd port number                        [24350]
            130  REST Service port number                   [24351]
            131  Add entries to '/etc/services'             [yes]
            132  Allow non-reserved port connections        [yes]
            133  Inbound Port range                         [1025-65535]
            134  Outbound Port range                        [1025-65535]
            137  Network encryption options                 [aes-256:keyfile=/etc/pb.key]
            138  Event log encryption options               [none]
            139  I/O log encryption options                 [none]
            140  Report encryption options                  [none]
            141  Policy file encryption options             [none]
            142  Settings file encryption type              [none]
            143  REST API encryption options                [aes-256:keyfile=/etc/pb.re...]
            144  Configure with Kerberos v5?                [no]
            150  Enforce High Security Encryption?          [yes]
            151  Use SSL?                                   [yes]
            152  SSL Configuration?                         [requiressl]
            153  SSL pbrun Certificate Authority Directory? [none]
            154  SSL pbrun Certificate Authority File?      [none]
            155  SSL pbrun Cipher List?                     [HIGH:!SSLv2:!3DES:!MD5:@ST…]
            156  SSL pbrun Certificate Directory?           [none]
            157  SSL pbrun Certificate File?                [none]
            158  SSL pbrun Private Key Directory?           [none]
            159  SSL pbrun Private Key File?                [none]
            160  SSL pbrun Certificate Subject Checks?      [none]
            161  SSL Server Certificate Authority Direct... [none]
            162  SSL Server Certificate Authority File?     [none]
            163  SSL Server Cipher List?                    [HIGH:!SSLv2:!3DES:!MD5:@ST...]
            164  SSL Server Certificate Directory?          [none]
            165  SSL Server Certificate File?               [/etc/pbssl.pem]
            166  SSL Server Private Key Directory?          [none]
            167  SSL Server Private Key File?               [/etc/pbssl.pem]
            168  SSL Server Certificate Subject Checks?     [none]
            169  SSL Certificate Country Code               [US]
            170  SSL Certificate State/Province             [AZ]
            171  SSL Certificate Location (Town/City)       [Phoenix]
            172  SSL Certificate Organizational Unit/Dep... [Security]
            173  SSL Certificate Organization               [BeyondTrust]
            174  Configure Privilege Management for Unix... [no]
            175  Install BeyondTrust built-in third-part... [yes]
            176  BeyondTrust built-in third-party librar... [/usr/lib/beyondtrust/pb]
            188  Use PAM?                                   [no]
            196  Allow Remote Jobs?                         [yes]
            197  UNIX Domain Socket directory               [none]
            198  Reject Null Passwords?                     [no]
            199  Enable TCP keepalives?                     [no]
            200  Name Resolution Timeout                    [0]
            N for the next menu page, P for the previous menu page, C to continue, X to exit
Please enter a menu option [For technical support call 1-800-234-9072]> c

no such map in server's domain
No submitmasters was specified and no NIS netgroup called pbsubmitmasters found
Endpoint Privilege Management for Unix and Linux needs to know the submitmasters(s) to work.
The Endpoint Privilege Management for Unix and Linux programs need to know which Policy Server Host(s) you have
decided to allow to act as submitmaster(s) for this machine.
Submitmasters take requests for secured tasks from Submit Hosts,
accept or reject them, and pass the accepted requests to a Run Host.
To locate submitmasters, programs look for a setting in the settings file
containing the names of the submitmaster machines or a netgroup
called pbsubmitmasters.

Enter Policy Server list (submitmasters):  aix52-ca012-05.unix.beyondtrust.com
no such map in server's domain
No acceptmasters was specified and no NIS netgroup called pbacceptmasters found
Endpoint Privilege Management for Unix and Linux needs to know the acceptmasters(s) to work.

The Endpoint Privilege Management for Unix and Linux programs need to know which Policy Server Host(s) you have
decided to allow to request execution of secured tasks to this machine.
Hosts on the acceptmasters list are the Policy Server Hosts which are allowed
to make secured task requests to this machine.

To do this, programs look for a setting in the settings file containing the
names of the acceptmasters machines or a netgroup called pbacceptmasters.

Enter Incoming Policy Server list (acceptmasters):  aix52-ca012-05.unix.beyondtrust.com
no such map in server's domain
No log hosts was specified and no NIS netgroup called pblogservers found
Endpoint Privilege Management for Unix and Linux needs to know the log hosts(s) to work.

The Endpoint Privilege Management for Unix and Linux programs need to know which machine(s) you have selected as Log Host(s).  Log Hosts are hosts which Policy Servers
select for Run Hosts to do event and I/O logging.

To do this, pbmasterd looks for the setting logservers in the settings
file. This setting contains the names of the Log Host machines or a netgroup.

Current installation settings for Log Server(s):

Enter Log Server list (logservers):  aix52-ca012-05.unix.beyondtrust.com

Generating key file /opt/bt_pkg/powerbroker/v9.4/pmul_aix52+_9.4.3-18/install/settings_files/pb.key...

Are all the installation settings correct [yes]?
Generating config file /opt/bt_pkg/powerbroker/v9.4/pmul_aix52+_9.4.3-18/install/settings_files/pb.cfg
Creating the settings file creation script
Running settings file creation script
Creating settings file /opt/bt_pkg/powerbroker/v9.4/pmul_aix52+_9.4.3-18/install/settings_files/pb.settings
Generated settings files are in directory: /opt/bt_pkg/powerbroker/v9.4/pmul_aix52+_9.4.3-18/install/settings_files
Endpoint Privilege Management for Unix and Linux Settings File Generation completed successfully.

Install Component Packages Using the installp Command

This section shows the execution of the installp command to install component packages for the submit host, run host, and shared libraries.

The execution text also includes copyright, trademark, trade secrets, and other legal text; however, those notices and text were removed from the following excerpt to save space:

Example

# cd /opt/bt_pkg/powerbroker/v9.4/pbul_aix52+_9.4.3-18/package
# installp -ad ./ powerbroker.sharedlibs powerbroker.common powerbroker.runhost powerbroker.submithost
+-----------------------------------------------------------------------------+
Pre-installation Verification...
+-----------------------------------------------------------------------------+
Verifying selections...done
Verifying requisites...done
Results...
SUCCESSES
---------
Filesets listed in this section passed pre-installation verification
and will be installed.
Selected Filesets
-----------------
powerbroker.common 9.4.3.18                 # BeyondTrust PowerBroker Comm...
powerbroker.runhost 9.4.3.18                # BeyondTrust PowerBroker Run ...
powerbroker.sharedlibs 9.4.3.18             # BeyondTrust PowerBroker Shar...
powerbroker.submithost 9.4.3.18             # BeyondTrust PowerBroker Subm...
<< End of Success Section >>
+-----------------------------------------------------------------------------+
BUILDDATE Verification ...
+-----------------------------------------------------------------------------+
Verifying build dates...done
FILESET STATISTICS
------------------
4  Selected to be installed, of which:
4  Passed pre-installation verification
----
4  Total to be installed
+-----------------------------------------------------------------------------+
Installing Software...
+-----------------------------------------------------------------------------+
installp:  APPLYING software for:
powerbroker.common 9.4.3.18
Filesets processed:  1 of 4  (Total time:  1 secs).
installp:  APPLYING software for:
powerbroker.runhost 9.4.3.18
Filesets processed:  2 of 4  (Total time:  3 secs).
installp:  APPLYING software for:
powerbroker.submithost 9.4.3.18
sysck: 3001-036 WARNING:  File

    /usr/lib//libpbul_aca-xcoff64.so
    is also owned by fileset powerbroker.runhost.
        
sysck: 3001-036 WARNING:  File

    /usr/share/man/man8/pbclienthost_uuid.8
    is also owned by fileset powerbroker.runhost.
        
sysck: 3001-036 WARNING:  File

    /usr/lib//libpbul_aca-xcoff32.so
    is also owned by fileset powerbroker.runhost.
        
sysck: 3001-036 WARNING:  File

    /usr/sbin/pbclienthost_uuid
    is also owned by fileset powerbroker.runhost.
        
Filesets processed:  3 of 4  (Total time:  4 secs).
installp:  APPLYING software for:
powerbroker.sharedlibs 9.4.3.18
Finished processing all filesets.  (Total time:  5 secs).
+-----------------------------------------------------------------------------+
Summaries:
+-----------------------------------------------------------------------------+
Installation Summary
--------------------
Name                        Level           Part        Event       Result
-------------------------------------------------------------------------------
powerbroker.common          9.4.3.18        USR         APPLY       SUCCESS
powerbroker.runhost         9.4.3.18        USR         APPLY       SUCCESS
powerbroker.submithost      9.4.3.18        USR         APPLY       SUCCESS
powerbroker.sharedlibs      9.4.3.18        USR         APPLY       SUCCESS

Install the Configuration Package Using the installp Command

This section shows the execution of the AIX installp -ad command to install the configuration package. Following installation of the configuration package, the installation is verified by submitting the pbrun id command to Endpoint Privilege Management for Unix and Linux, and the AIX lslpp -l |grep powerbroker command is used to list the Endpoint Privilege Management for Unix and Linux packages that are installed.

The execution text also includes copyright, trademark, trade secrets, and other legal text; however, those notices and text were removed from the following excerpt to save space:

Example

# cd /opt/bt_pkg/powerbroker/v9.4/pbul_aix52+_9.4.3-18/install
# installp -ad ./ powerbroker.configCLIENT1-9.4.3.18.bff
+-----------------------------------------------------------------------------+
Pre-installation Verification...
+-----------------------------------------------------------------------------+
Verifying selections...done
Verifying requisites...done
Results...
SUCCESSES
---------
Filesets listed in this section passed pre-installation verification
and will be installed.
Selected Filesets
-----------------
powerbroker.configCLIENT1 9.4.3.18          # BeyondTrust PowerBroker Unix...
<< End of Success Section >>
+-----------------------------------------------------------------------------+
BUILDDATE Verification ...
+-----------------------------------------------------------------------------+
Verifying build dates...done
FILESET STATISTICS
------------------
1  Selected to be installed, of which:
1  Passed pre-installation verification
----
1  Total to be installed
+-----------------------------------------------------------------------------+
Installing Software...
+-----------------------------------------------------------------------------+
installp:  APPLYING software for:
powerbroker.configCLIENT1 9.4.3.18
Reading pb.cfg...
Checking installation of dependent component packages...
'lppchk -f/-c' of package powerbroker.common succeeded
'lppchk -f/-c' of package powerbroker.runhost succeeded
'lppchk -f/-c' of package powerbroker.submithost succeeded
'lppchk -f/-c' of package powerbroker.sharedlibs succeeded
Looking for SuperDaemons to configure...
Finished looking for SuperDaemons to configure...
Removing PowerBroker service definitions (if any) from /etc/services.
Adding PowerBroker service definitions to /etc/services.
Removing any PowerBroker definitions from SuperDaemon inetd file /etc/inetd.conf
Adding PowerBroker definitions to SuperDaemon configurations  /etc/inetd.conf.
Reloading SuperDaemon Configurations...
0513-095 The request for subsystem refresh was completed successfully.
Done Reloading SuperDaemon Configurations...
Updating Settings in database (if any)...
 
Checking installation of package: powerbroker.configCLIENT1
'lppchk -f/-c' of package powerbroker.configCLIENT1 succeeded
Finished processing all filesets.  (Total time:  5 secs).
+-----------------------------------------------------------------------------+
Summaries:
+-----------------------------------------------------------------------------+
Installation Summary
--------------------
Name                        Level           Part        Event       Result
-------------------------------------------------------------------------------
powerbroker.configCLIENT1   9.4.3.18        USR         APPLY       SUCCESS
powerbroker.configCLIENT1   9.4.3.18        ROOT        APPLY       SUCCESS

View a List of Installed EPM-UL Packages

To view a list of the installed Endpoint Privilege Management for Unix and Linux packages, do the following:

# lslpp -l | grep powerbroker

A list similar to the one in the example below appears. The Endpoint Privilege Management for Unix and Linux configuration package appears twice because there are usr and root package portions.

Example

powerbroker.common        9.4.3.18  COMMITTED  BeyondTrust PowerBroker Common
powerbroker.configCLIENT1
powerbroker.runhost       9.4.3.18  COMMITTED  BeyondTrust PowerBroker Run
powerbroker.sharedlibs    9.4.3.18  COMMITTED  BeyondTrust PowerBroker Shared
powerbroker.submithost    9.4.3.18  COMMITTED  BeyondTrust PowerBroker Submit
powerbroker.configCLIENT1
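The installation summary and the usr/root note above can be turned into an automated post-install check. The following is an added example, not part of the original documentation or of BeyondTrust's tooling; the function names are hypothetical and the failing sample is constructed.

```shell
#!/bin/sh
# Added example (not vendor code): gate automation on installp's summary table.

# Print each Installation Summary row whose Result is not SUCCESS.
# Reads installp or syncwpar output on stdin. Returns 0 only when at least
# one summary row was found and every row reported SUCCESS.
summary_failures() {
    awk '
        /^Installation Summary/ { in_summary = 1; next }
        in_summary && NF == 5 && $3 ~ /^(USR|ROOT|SHARE)$/ {
            rows++
            if ($5 != "SUCCESS") { bad++; print $1, $2, $3, $4, $5 }
        }
        END { if (rows == 0 || bad > 0) exit 1 }
    '
}

# Succeed only if fileset $1 shows SUCCESS for event $2 (APPLY or DEINSTALL)
# on both its USR and ROOT parts. The configuration package has both parts,
# so a result for only one of them means the fileset is half-processed.
both_parts_ok() {
    awk -v name="$1" -v ev="$2" '
        $1 == name && $4 == ev && $5 == "SUCCESS" { seen[$3] = 1 }
        END { if (!(seen["USR"] && seen["ROOT"])) exit 1 }
    '
}

# Summary rows as shown in the sample installation output on this page.
page_summary() {
    cat <<'EOF'
Installation Summary
--------------------
Name                        Level           Part        Event       Result
-------------------------------------------------------------------------------
powerbroker.configCLIENT1   9.4.3.18        USR         APPLY       SUCCESS
powerbroker.configCLIENT1   9.4.3.18        ROOT        APPLY       SUCCESS
EOF
}

# Constructed variant: the ROOT part did not apply.
constructed_failure() {
    cat <<'EOF'
Installation Summary
--------------------
Name                        Level           Part        Event       Result
-------------------------------------------------------------------------------
powerbroker.configCLIENT1   9.4.3.18        USR         APPLY       SUCCESS
powerbroker.configCLIENT1   9.4.3.18        ROOT        APPLY       FAILED
EOF
}

# Stand-alone use: save the installp output to a file and pass its path.
if [ "$#" -eq 1 ]; then
    summary_failures < "$1"
fi
```
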

Perform a cursory test of EPM-UL on the AIX global environment

To perform a cursory test of Endpoint Privilege Management for Unix and Linux on the AIX global environment, type the following:

# pbrun id

Results such as those shown in the example below are displayed:

Example

uid=0(root) gid=0(system) groups=2(bin),3(sys),7(security),8(cron),10(audit),11(lp),4(adm),1(staff),6(mail),501(amanda)

View a list of WPARs

WPARs are a new feature of AIX and exist only in AIX v6.1 and higher. To view a list of WPARs, type the following:

# lswpar

A list similar to the one in the example below appears:

Example

Name    State  Type  Hostname  Directory
---------------------------------------------
wpar01  A      S     wpar01    /wpars/wpar01

Use syncwpar to Propagate Additional Packages to Shared WPARs

The syncwpar command synchronizes all packages between the AIX global environment and shared workload partitions (WPARs). This section shows how to use syncwpar to propagate additional AIX global environment packages to shared WPARs. WPARs are a feature that exists only in AIX v6.1 and later.

Example

# syncwpar wpar01
*******************************************************************************
Synchronizing workload partition wpar01 (1 of 1).
*******************************************************************************
Executing /usr/sbin/syncroot in workload partition wpar01.
syncroot: Processing root part installation status.
syncroot: Synchronizing installp software.
+-----------------------------------------------------------------------------+
Pre-installation Verification...
+-----------------------------------------------------------------------------+
Verifying selections...done
Verifying requisites...done
Results...

SUCCESSES
---------
Filesets listed in this section passed pre-installation verification and will be installed.

Selected Filesets
-----------------
powerbroker.configClient 6.2.0.1 # BeyondTrust PowerBroker Conf...

<< End of Success Section >>

+-----------------------------------------------------------------------------+
BUILDDATE Verification ...
+-----------------------------------------------------------------------------+
Verifying build dates...done
FILESET STATISTICS
------------------
1 Selected to be installed, of which:
1 Passed pre-installation verification
----
1 Total to be installed

+-----------------------------------------------------------------------------+
Installing Software...
+-----------------------------------------------------------------------------+

installp: APPLYING software for:
powerbroker.configClient 6.2.0.1

Reading pb.cfg...
Checking installation of dependent component packages...
'lppchk -f/-c' of package powerbroker.common succeeded
'lppchk -f/-c' of package powerbroker.runhost succeeded
'lppchk -f/-c' of package powerbroker.submithost succeeded
'lppchk -f/-c' of package powerbroker.sharedlibs succeeded
Looking for SuperDaemons to configure...
Finished looking for SuperDaemons to configure...
Removing PowerBroker service definitions (if any) from /etc/services.
Adding PowerBroker service definitions to /etc/services.
Removing any PowerBroker definitions from SuperDaemon inetd file /etc/inetd.conf
Adding PowerBroker definitions to SuperDaemon configurations /etc/inetd.conf.
Reloading SuperDaemon Configurations...
0513-095 The request for subsystem refresh was completed successfully.
Done Reloading SuperDaemon Configurations...
Checking installation of package: powerbroker.configClient
'lppchk -f/-c' of package powerbroker.configClient succeeded
Finished processing all filesets. (Total time: 2 secs).

+-----------------------------------------------------------------------------+
Summaries:
+-----------------------------------------------------------------------------+

Installation Summary
--------------------
Name                        Level           Part        Event       Result
-------------------------------------------------------------------------------
powerbroker.configClient    6.2.0.1         ROOT        APPLY       SUCCESS
syncroot: Processing root part installation status.
syncroot: Installp root packages are currently synchronized.
syncroot: RPM root packages are currently synchronized.
syncroot: Root part is currently synchronized.
syncroot: Returns Status = SUCCESS
Workload partition wpar01 synchronized successfully.
Return Status = SUCCESS.

Log in to shared WPARs

Workload partitions (WPARs) are a feature that exists only in AIX v6.1 and higher.

To log in to shared WPARs, type the following:

# clogin wpar01

A welcome message such as the one shown in the example below is displayed:

Example

* *
* Welcome to AIX Version 6.1! *
* *

Run a cursory test of EPM-UL on a shared WPAR system

Workload partitions (WPARs) are a feature that exists only in AIX v6.1 and higher.

To run a cursory test of Endpoint Privilege Management for Unix and Linux on a shared WPAR system, type the following:

# pbrun id

Results such as those shown in the example below are displayed:

Example

uid=0(root) gid=0(system) groups=2(bin),3(sys),7(security),8(cron),10(audit),11(lp)

Sample Removal of an AIX Package Installation

This section shows the execution of the AIX installp -u command to remove the Endpoint Privilege Management for Unix and Linux packages.

Example

# installp -u powerbroker
+-----------------------------------------------------------------------------+
Pre-deinstall Verification...
+-----------------------------------------------------------------------------+
Verifying selections...done
Verifying requisites...done
Results...
SUCCESSES
---------
Filesets listed in this section passed pre-deinstall verification
and will be removed.
Selected Filesets
-----------------
powerbroker.common 9.4.3.18                 # BeyondTrust PowerBroker Comm...
powerbroker.configCLIENT1 9.4.3.18          # BeyondTrust PowerBroker Unix...
powerbroker.runhost 9.4.3.18                # BeyondTrust PowerBroker Run ...
powerbroker.sharedlibs 9.4.3.18             # BeyondTrust PowerBroker Shar...
powerbroker.submithost 9.4.3.18             # BeyondTrust PowerBroker Subm...
<< End of Success Section >>
FILESET STATISTICS
------------------
5  Selected to be deinstalled, of which:
5  Passed pre-deinstall verification
----
5  Total to be deinstalled
+-----------------------------------------------------------------------------+
Deinstalling Software...
+-----------------------------------------------------------------------------+
installp:  DEINSTALLING software for:
powerbroker.configCLIENT1 9.4.3.18
Reading pb.cfg...
Looking for SuperDaemons to configure...
Finished looking for SuperDaemons to configure...
Removing PowerBroker service definitions (if any) from /etc/services.
Removing any PowerBroker definitions from SuperDaemon inetd file /etc/inetd.conf
Reloading SuperDaemon Configurations...
0513-095 The request for subsystem refresh was completed successfully.
Done Reloading SuperDaemon Configurations...
Filesets processed:  1 of 5  (Total time:  6 secs).
installp:  DEINSTALLING software for:
powerbroker.runhost 9.4.3.18
Filesets processed:  2 of 5  (Total time:  6 secs).
installp:  DEINSTALLING software for:
powerbroker.sharedlibs 9.4.3.18
Filesets processed:  3 of 5  (Total time:  7 secs).
installp:  DEINSTALLING software for:
powerbroker.submithost 9.4.3.18
Filesets processed:  4 of 5  (Total time:  7 secs).
installp:  DEINSTALLING software for:
powerbroker.common 9.4.3.18
Removing /opt/pbul
Finished processing all filesets.  (Total time:  8 secs).
+-----------------------------------------------------------------------------+
Summaries:
+-----------------------------------------------------------------------------+
Installation Summary
--------------------
Name                        Level           Part        Event       Result
-------------------------------------------------------------------------------
powerbroker.configCLIENT1   9.4.3.18        ROOT        DEINSTALL   SUCCESS
powerbroker.configCLIENT1   9.4.3.18        USR         DEINSTALL   SUCCESS
powerbroker.runhost         9.4.3.18        USR         DEINSTALL   SUCCESS
powerbroker.sharedlibs      9.4.3.18        USR         DEINSTALL   SUCCESS
powerbroker.submithost      9.4.3.18        USR         DEINSTALL   SUCCESS
powerbroker.common          9.4.3.18        USR         DEINSTALL   SUCCESS

Example using syncwpar to propagate package removal from shared WPARs

The syncwpar command synchronizes all packages between the AIX global environment and shared workload partitions (WPARs). This section shows an example of how to use the syncwpar command to propagate removal of AIX global environment packages from shared WPARs. WPARs are a feature that exists only in AIX v6.1 and higher.

ℹ️

Note

When syncwpar is run and an Endpoint Privilege Management configuration package is removed, the following message may display:

"inulag: The file system has read permission only."

This message can be ignored.

Example

# syncwpar wpar01
*******************************************************************************
Synchronizing workload partition wpar01 (1 of 1).
*******************************************************************************
Executing /usr/sbin/syncroot in workload partition wpar01.
syncroot: Processing root part installation status.
syncroot: Synchronizing installp software.
+-----------------------------------------------------------------------------+
Pre-deinstall Verification...
+-----------------------------------------------------------------------------+
Verifying selections...done
Verifying requisites...done
Results...

SUCCESSES
---------
Filesets listed in this section passed pre-deinstall verification and will be removed.

Selected Filesets
-----------------
powerbroker.configClient 6.2.0.1 # BeyondTrust PowerBroker Conf...

<< End of Success Section >>

FILESET STATISTICS
------------------
1 Selected to be deinstalled, of which:
1 Passed pre-deinstall verification
----
1 Total to be deinstalled

+-----------------------------------------------------------------------------+
Deinstalling Software...
+-----------------------------------------------------------------------------+

installp: DEINSTALLING software for:
powerbroker.configClient 6.2.0.1

Reading pb.cfg...
Looking for SuperDaemons to configure...
Finished looking for SuperDaemons to configure...
Removing PowerBroker service definitions (if any) from /etc/services.
Removing any PowerBroker definitions from SuperDaemon inetd file /etc/inetd.conf
Reloading SuperDaemon Configurations...
0513-095 The request for subsystem refresh was completed successfully.
Done Reloading SuperDaemon Configurations...
inulag: The file system has read permission only.
Finished processing all filesets. (Total time: 1 secs).

+-----------------------------------------------------------------------------+
Summaries:
+-----------------------------------------------------------------------------+

Installation Summary
--------------------
Name                        Level           Part        Event       Result
-------------------------------------------------------------------------------
powerbroker.configClient    6.2.0.1         ROOT        DEINSTALL   SUCCESS
syncroot: Processing root part installation status.
syncroot: Installp root packages are currently synchronized.
syncroot: RPM root packages are currently synchronized.
syncroot: Root part is currently synchronized.
syncroot: Returns Status = SUCCESS
Workload partition wpar01 synchronized successfully.
Return Status = SUCCESS.

Verify removal of Endpoint Privilege Management for Unix and Linux packages

To verify that all Endpoint Privilege Management for Unix and Linux packages were removed, type the following:

# lslpp -l | grep powerbroker

If all packages are removed, results such as those shown in the example below are displayed:

Example

# <no output.>

HP-UX package installer

This section describes how to install Endpoint Privilege Management for Unix and Linux using a package installer for HP-UX 11i v1, 11i v2, or 11i v3. Use the HP-UX package installation if you want to install Endpoint Privilege Management for Unix and Linux using the HP-UX Software Distributor (SD) on a local or remote computer.

ℹ️

Note

The Endpoint Privilege Management for Unix and Linux HP-UX package installer described here is not compatible with the Endpoint Privilege Management version 5 HP-UX depots. If the Endpoint Privilege Management version 5 HP-UX depots are installed, you must remove them before installing the Endpoint Privilege Management for Unix and Linux version 6 HP-UX depots.

Prerequisites

To use the Endpoint Privilege Management for Unix and Linux HP-UX package installer, you must have the following:

  • Package tarball file for the appropriate Endpoint Privilege Management for Unix and Linux flavor

ℹ️

Note

For the Endpoint Privilege Management for Unix and Linux HP-UX package installer, the tarball files are cumulative. That is, an update tarball file contains a complete installation. It is not necessary to install a baseline version of Endpoint Privilege Management for Unix and Linux before installing an update.

  • Root access or superuser privileges

ℹ️

Note

The Endpoint Privilege Management for Unix and Linux HP-UX package installer does not support prefix/suffix installations.

Plan your installation

When preparing to use the Endpoint Privilege Management for Unix and Linux HP-UX package installer, you should be familiar with the following concepts and restrictions:

  • Depots and Filesets: HP-UX packaged software is delivered as a single file called a depot (.depot) file. A depot can be thought of as a compressed file that contains one or more filesets. A fileset is a component of the software and may contain many files. Installing an HP-UX depot extracts the files from the filesets and writes them to the appropriate directory locations.
  • Component depot and component filesets: an Endpoint Privilege Management for Unix and Linux component fileset is a part of the Endpoint Privilege Management for Unix and Linux component depot that installs a portion of the Endpoint Privilege Management for Unix and Linux application. There are seven Endpoint Privilege Management for Unix and Linux component filesets. In the following list, arch is the architecture of the target platform; for example, ia64A.
    • PowerBroker-arch.LOGHOST: Contains log host, pbsync, and pbsyncd.
    • PowerBroker-arch.SHAREDLIBS: Contains shared libraries.
    • PowerBroker-arch.RESTHOST: Contains REST API files.
    • PowerBroker-arch.RNSSVR: Contains Registry Name Service files.
    • PowerBroker-arch.LICSVR: Contains license server files.
    • PowerBroker-arch.MASTERHOST: Contains policy server host, pbsync, and pbsyncd.
    • PowerBroker-arch.SUBMITHOST: Contains submit host and Endpoint Privilege Management for Unix and Linux shells.
    • PowerBroker-arch.RUNHOST: Contains run host and Endpoint Privilege Management for Unix and Linux utilities.

Which component filesets are required depends on the type of Endpoint Privilege Management for Unix and Linux host you create, such as policy server host, submit host, and so on. You can select the types of hosts in the pbinstall installation menu, as shown in the following table:

| Menu Selection | Required Components |
| --- | --- |
| Install everything here (demo mode)? = Yes | MASTERHOST, RUNHOST, SUBMITHOST, LOGHOST, GUIHOST, SHAREDLIBS |
| Install Policy Server Host? = Yes | MASTERHOST |
| Install Run Host? = Yes | RUNHOST |
| Install Submit Host? = Yes | SUBMITHOST |
| Install Log Host? = Yes | LOGHOST |
| Install BeyondTrust built-in third-party libraries? = Yes | SHAREDLIBS |
| Install Registry Name Services Server? [yes] | RNSSVR |
| Install License Server? [yes] | LICSVR |

  • Configuration depot: HP-UX depot (separate from the component depot) that is used to install the following files:
    • pb.settings: Hardcoded target location /etc/pb.settings
    • pb.cfg: Hardcoded target location /etc/pb.cfg
    • All the encryption keyfiles defined for networkencryption, eventlogencryption, iologencryption, reportencryption, policyencryption, and restkeyencryption
    • By default, two key files are created: pb.key and pb.rest.key
    • The sysadmin can define multiple encryption settings with different keyfiles in locations other than /etc. To upgrade and retain settings on the target machine, view all encryption settings in /etc/pb.settings and copy the files to the settings_files directory before running "pbinstall -z" and pbcreate*cfgpkg.
    • pb.conf (for policy server hosts)
  • Diagnostic log files

The Endpoint Privilege Management for Unix and Linux configuration depot is created by the pbcreatehpuxcfgpkg program. The component filesets must be copied to the SD depot using the swcopy command before you copy the configuration fileset to the distribution depot.

  • SD Depot: The SD depot is the software distribution depot, to which software depots are copied by using the HP-UX swcopy command prior to the installation of their filesets. By default, /var/spool/sw is the location of the SD depot.
  • pbinstall program: To create the Endpoint Privilege Management for Unix and Linux settings files, you use the pbinstall program with the -z (settings only) option. pbinstall -z only creates the settings files and is incompatible with the following command line options:

| Option | Description |
| --- | --- |
| -b | Runs pbinstall in batch mode. |
| -c | Skip the steps that process or update the Endpoint Privilege Management for Unix and Linux settings file. |
| -e | Runs install script automatically by bypassing the menu step of pbinstall. |
| -i | Ignores previous pb.settings and pb.cfg files. |
| -p | Sets the pb installation prefix. |
| -s | Sets the pb installation suffix. |
| -u | Install the utility programs. |
| -x | Creates a log synchronization host (that is, installs pbsyncd). |

When you execute pbinstall with the -z option, you can see two menu items that are not otherwise available:

  • Enter existing pb.settings path: Enables you to specify your own pb.settings file. pbinstall reads this settings file and populates the remaining menu choices. You can override some menu choices. If set to none, then pbinstall does not read a settings file. The remaining menu choices are populated with default values.

  • Enter directory path for settings file creation: Enables you to specify an alternative output directory for the settings files. The default directory is /unzip-dir/powerbroker/version//install/settings_files, where unzip-dir is the directory where the package tarball file was unzipped and version is the Endpoint Privilege Management for Unix and Linux version number.

    The behavior of pbinstall -z depends on whether certain additional command line options are specified:

  • If no other command line options are specified, pbinstall initially presents a short version of the installation menu (items 1–8 only). Depending on the choices you make in these items, further menu items become available.

  • If command line options -g, -l, -m, -o, -r, or -w are specified, pbinstall presents an expanded version of the installation menu that reflects the host types that you are configuring.

When running pbinstall with the -z option, the following menu items are preprogrammed and cannot be changed:

  • Install man pages?
  • Daemon location
  • Administration programs location
  • User programs location
  • GUI library directory
  • Policy include (sub) file directory
  • User man page location
  • Admin man page location
  • Policy filename
  • BeyondTrust built-in third-party library directory

In addition, the values of the following menu items determine the values of other menu items:

Options Preset When Running pbinstall -z

| Setting this menu option to Yes | Sets these values to Yes |
| --- | --- |
| Install Policy Server Host? | Install Synchronization? |
| | Synchronization can be initiated from this host? |
| Install Run Host? | Install Utilities? |
| Install Submit Host? | Install PBSSH? |
| | Install pbksh? |
| | Install pbsh? |
| | Will this host use a Log Host? |
| Install Log Host? | Install Synchronization? |
| | Synchronization can be initiated from this host? |

If you plan to use Registry Name Service and are running pbinstall -z on a client host (non-primary server), you must perform client registration. This is necessary to properly set up the registry name service database. Client registration also requires that you collect from the Endpoint Privilege Management for Unix and Linux primary server the following information:

  • REST Application ID
  • REST Application Key
  • Primary server network name or IP address
  • Primary License Server REST TCP/IP port
  • Registration Client Profile name

ℹ️

Note

If you are using the package installer to install Endpoint Privilege Management for Unix and Linux on a computer that already has an interactive Endpoint Privilege Management for Unix and Linux installation on it, see Installation Considerations for additional considerations.

RNS client registration: If Registry Name Services is enabled for Endpoint Privilege Management for Unix and Linux, each client host (after the first server installation) needs to be registered with the Primary Registry Name Server. When using package installers on a target host, a post-install configuration script (/opt/pbul/scripts/pbrnscfg.sh) is provided to be manually executed on that host to properly register it. This post-install configuration script asks for information about the Primary Registry Name Server, including the Application ID (appid), Application Key (appkey), address/domain name, and the REST TCP/IP port number. This is the same information provided during the client registration part of a pbinstall -z install which generates the settings file.

If you prefer a more convenient method of registering RNS clients where the post-install configuration script is non-interactive, Endpoint Privilege Management for Unix and Linux can save the relevant information in a hidden file during the settings-only run of pbinstall, bundle it with the configuration package, and automatically apply it to the target host when that package is installed. This method is not secure, because the registration information is stored in a file inside the configuration package, but it is available if the security-convenience trade-off is acceptable. To enable it, refer to the question regarding the post-install configuration script that is displayed when running pbinstall -z.

ℹ️

Note

For more complete pbinstall command-line options, see Installation Programs.

Overview of steps

Using the Endpoint Privilege Management for Unix and Linux HP-UX package installer involves the following steps.

  1. Unpack the Endpoint Privilege Management for Unix and Linux HP-UX package tarball file.
  2. Use the pbinstall program to create Endpoint Privilege Management for Unix and Linux settings files.
  3. Use the pbcreatehpuxcfgpkg program to create the Endpoint Privilege Management for Unix and Linux configuration depot.
  4. Use the HP-UX swcopy command to copy the Endpoint Privilege Management for Unix and Linux component depot to the desired SD depot.
  5. Use the HP-UX swcopy command to copy the Endpoint Privilege Management for Unix and Linux configuration depot to the desired SD depot.
  6. Use the HP-UX swinstall command to install the Endpoint Privilege Management for Unix and Linux configuration depot. The dependencies that are identified in the configuration fileset will cause the appropriate component filesets to be installed as well.
  7. If Registry Name Service is enabled and installed on a non-primary server, run /opt/pbul/scripts/pbrnscfg.sh to register the host.

Installation procedure

To install Endpoint Privilege Management for Unix and Linux using the HP-UX SD feature, do the following:

  1. Extract the package tarball files into the /unzip-dir/ directory by executing the following command:

    gunzip -c pmul_<flavor_version>_pkg.tar.Z | tar xvf -
    
  2. Navigate to the /unzip-dir/powerbroker/version/flavor/install/ directory.

  3. Execute the following command:

    ./pbinstall -z
    

    You are asked if you want to use client registration. If you plan to enable Registry Name Service, and install on a host that is not designated as a primary server, you must run client registration.

    pbinstall then asks if you want to enable Registry Name Service.

    pbinstall displays the Endpoint Privilege Management for Unix and Linux installation menu.

  4. Make your menu selections. Note that the Enter existing pb.settings path menu option enables you to specify your own pb.settings file to use. Also, the Enter directory path for settings file creation menu option enables you to specify where to save the generated settings files. These menu options are available only when running pbinstall with the -z option. When the menu selection process is complete, pbinstall creates the following files in the specified location:

    • pb.settings
    • pb.cfg
    • pb.key (if encryption is enabled)
    • pb.conf (for policy server host)
    • pbpolicykey.pem and pbpolicypubcert.pem (for Policy Server hosts with Cached Policy feature enabled)
  5. Optional. For an Endpoint Privilege Management for Unix and Linux client, if client-server communications are to be encrypted, replace the generated pb.key file with the pb.key file from the policy server host. Also, copy any other required key files into the same directory.

  6. Optional. For a policy server host, write a policy file (pb.conf) and place it in the directory with the other generated files. If you do not provide a pb.conf file, a pb.conf file with the single command reject; is generated and packaged.

    Starting with v8.0, pbinstall -z can optionally install the default role-based policies and asks:

    Installing default role-based policy pbul_policy.conf and pbul_functions.conf in <install_dir>/settings_files
    Would you like to use the default role-based policy in the configuration package?
    

    Answer Yes for new installs only.

    If you are upgrading an existing configuration package, to avoid overwriting your existing policy, answer No.

    Use the default role-based policy [Y]?
    

    If you answer Yes, the default pb.conf, pbul_policy.conf and pbul_functions.conf are created and installed on the policy server.

    If you are installing over an existing installation, and have an existing policy in place, answer No.

  7. Navigate to the /unzip-dir/powerbroker/version/flavor/install/ directory.

  8. Run the pbcreatehpuxcfgpkg utility by typing:

    pbcreatehpuxcfgpkg [-d] -p depot-fileset-name -s directory
    

    where:

    • -d is an option that sets the component fileset dependency to hppaD rather than the default hppaB.
    • depot-fileset-name is a user-specified name for the configuration fileset. The resulting fileset is PowerBroker-Cfg.depot-fileset-name.
    • directory is the directory that contains the Endpoint Privilege Management for Unix and Linux settings and configuration files to include in the configuration fileset.

    The pbcreatehpuxcfgpkg utility creates the configuration depot with the file name PowerBroker-Cfg-version.depot-fileset-name.depot.

  9. Navigate to the /unzip-dir/powerbroker/version/flavor/package/ directory.

  10. Run the HP-UX swcopy utility to copy the Endpoint Privilege Management for Unix and Linux component depot to the desired SD depot by typing:

swcopy -s /path/PowerBroker-arch.depot PowerBroker-arch.FILESET [@ sd-directory]

where

  • path is the absolute path to the directory that contains the Endpoint Privilege Management for Unix and Linux component depot.
  • arch is the target platform architecture.
  • FILESET is the specific fileset to be copied; alternatively, use \* instead of PowerBroker-arch.FILESET to copy all filesets.
  • sd-directory is the desired SD directory; if you omit @ sd-directory, the default /var/spool/sw is used.

Example

To copy only the log host component fileset:

# swcopy -s /unzip-dir/powerbroker/v9.4/pmul_hpux.hppa64_9.4.3/package/PowerBroker-hppa64-9.4.3.06.depot PowerBroker-hppa64.LOGHOST @ /var/spool/sw

Example

To copy the log host and policy server host component filesets to the default SD depot:

# swcopy -s /unzip-dir/powerbroker/v9.4/pmul_hpux.hppa64_9.4.3-06/package/PowerBroker-hppa64-9.4.3.06.depot PowerBroker-hppa64.LOGHOST PowerBroker-hppa64.MASTERHOST

Example

To copy all component filesets to the default SD depot:

# swcopy -s /unzip-dir/powerbroker/v9.4/pmul_hpux.hppa64_9.4.3-06/package/PowerBroker-hppa64-9.4.3.06.depot \*

  11. Run the HP-UX swcopy utility to copy the Endpoint Privilege Management for Unix and Linux configuration fileset to the desired SD depot.

Example

# swcopy -s /unzip-dir/powerbroker/v9.4/pmul_hpux.hppa64_9.4.3-06/install/PowerBroker-Cfg-9.4.3.06.CLIENT.depot  PowerBroker-Cfg.CLIENT @ /var/spool/sw

  12. Run the HP-UX swinstall utility to install the Endpoint Privilege Management for Unix and Linux configuration fileset by typing:

    swinstall PowerBroker-Cfg.depot-fileset-name

ℹ️

Note

depot-fileset-name is the configuration fileset name specified when the Endpoint Privilege Management for Unix and Linux configuration package is created in step 8. Any component dependencies that are identified by the configuration fileset are automatically installed as well.

ℹ️

Note

If you attempt to install filesets from more than one flavor onto a single system, the installation fails with an error message.

  13. Verify the installation of the filesets with the HP-UX swverify utility by typing one of the following commands:

    swverify PowerBroker-arch
    swverify PowerBroker-Cfg

  14. If Registry Name Service is enabled and installed on a non-primary server, register the host with the Primary Registry Name Server using a post-install configuration script. Gather the Application ID, Application Key, network name or IP address, and REST TCP/IP port of the primary server, then run the script to register the host and follow the prompts:

    /opt/pbul/scripts/pbrnscfg.sh

ℹ️

Note

Many of the HP-UX depot management commands display a message regarding where to find a log file that contains additional information. We recommend that you look at these log files, because some important diagnostic information appears in the log file but not in the utility’s standard output.
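Before pbcreatehpuxcfgpkg is run in step 8, the settings directory can be checked for key files that were not copied in or that are readable by group or other. The following is an added example, not part of the original documentation or of BeyondTrust's tooling; it assumes that encryption settings in pb.settings carry key paths as keyfile=/path tokens, and the function names and sample values are constructed.

```shell
#!/bin/sh
# Added example (not vendor code): audit a "pbinstall -z" settings directory
# before it is packaged. Assumption: encryption settings in pb.settings carry
# key paths as keyfile=/path tokens, for example
#   networkencryption aes-256:keyfile=/etc/pb.key

ENC_SETTINGS="networkencryption eventlogencryption iologencryption reportencryption policyencryption restkeyencryption"

# Print the base name of every key file referenced by an encryption setting
# in the pb.settings file $1, one per line, without duplicates.
referenced_keyfiles() {
    awk -v names="$ENC_SETTINGS" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        ($1 in want) {
            for (i = 2; i <= NF; i++) {
                m = split($i, part, ":")
                for (j = 1; j <= m; j++) {
                    if (part[j] !~ /^keyfile=/) continue
                    p = substr(part[j], 9)      # text after "keyfile="
                    gsub(/"/, "", p)            # drop optional quoting
                    sub(/.*\//, "", p)          # keep the base name only
                    if (p != "") print p
                }
            }
        }' "$1" | sort -u
}

# Print one finding per line for the settings directory $1:
#   MISSING <file>          referenced in pb.settings but not in the directory
#   EXPOSED <file> (perms)  key file accessible by group or other
# Returns 0 when there are no findings, 1 otherwise.
audit_settings_dir() {
    dir=$1
    if [ ! -f "$dir/pb.settings" ]; then
        echo "MISSING pb.settings"
        return 1
    fi
    findings=$(
        referenced_keyfiles "$dir/pb.settings" | while read -r name; do
            [ -f "$dir/$name" ] || echo "MISSING $name"
        done
        # Referenced keys plus the key files this page says pbinstall creates.
        { referenced_keyfiles "$dir/pb.settings"
          printf '%s\n' pb.key pb.rest.key pbpolicykey.pem
        } | sort -u | while read -r name; do
            [ -f "$dir/$name" ] || continue
            perms=$(ls -ld "$dir/$name" | cut -c5-10)   # group and other bits
            [ "$perms" = "------" ] || echo "EXPOSED $name ($perms)"
        done
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Build a constructed sample directory (all names and values are made up).
make_sample_dir() {
    d=$(mktemp -d) || return 1
    cat > "$d/pb.settings" <<'EOF'
# constructed sample, not a real configuration
networkencryption  aes-256:keyfile=/etc/pb.key
iologencryption    aes-256:keyfile=/opt/keys/pb.iolog.key
restkeyencryption  aes-256:keyfile=/etc/pb.rest.key
submitmasters      policy01.example.com
EOF
    : > "$d/pb.key";      chmod 600 "$d/pb.key"
    : > "$d/pb.rest.key"; chmod 644 "$d/pb.rest.key"
    echo "$d"
}

# Stand-alone use: sh audit_settings.sh /path/to/settings_files
if [ "$#" -eq 1 ]; then
    audit_settings_dir "$1"
fi
```

On the constructed sample the audit reports pb.iolog.key as missing and pb.rest.key as exposed; it reports nothing once the file is copied in and both keys are set to mode 600.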

Remove EPM-UL filesets

Removing the depots completely uninstalls Endpoint Privilege Management for Unix and Linux from a computer. Because the component filesets are dependencies of the configuration fileset, the configuration fileset must be removed first.

To remove the Endpoint Privilege Management for Unix and Linux filesets, do the following:

  1. Remove the Endpoint Privilege Management for Unix and Linux configuration fileset by typing:
    swremove PowerBroker-Cfg.depot-fileset-name
    

ℹ️

Note

depot-fileset-name is the name of the fileset that you specified when you created the configuration depot.

  2. Remove the Endpoint Privilege Management for Unix and Linux component filesets by typing:

    swremove PowerBroker-arch

ℹ️

Note

You can remove the configuration and component filesets in the same command, for example:

swremove PowerBroker-Cfg.FILESET PowerBroker-arch

Remote installation

Because the HP-UX SD system uses a daemon for software administration, you can install from a local depot to a remote machine, or install from a remote depot to a local machine. Additionally, you can install a depot to an alternate root and then remount the alternate root as an actual root on another node.

To install a depot on a remote system, you must have ACL access to that remote system; you can use the swacl command to manage these access controls. Use the @ argument with the swinstall command.

Example

swinstall PowerBroker-hppaB @ remotehost:/

To install a depot on an alternate root, you also use the @ argument.

Example

swinstall PowerBroker-hppaB @ /export/shared_root/node1

ℹ️

Note

For alternate root installation, you must run the swconfig utility on the actual node, after the alternate root is remounted as the node’s actual root.

ℹ️

Note

For more information, see the man pages for the HP-UX SD commands.

Updating EPM-UL with Update Depots

The Endpoint Privilege Management for Unix and Linux HP-UX package installer can be used to update an existing Endpoint Privilege Management for Unix and Linux installation to a new version. The existing Endpoint Privilege Management for Unix and Linux version should have been installed using the Endpoint Privilege Management for Unix and Linux package installer.

Update depot considerations

Installing an Endpoint Privilege Management for Unix and Linux update depot is similar to using the HP-UX package installer to install Endpoint Privilege Management for Unix and Linux for the first time. Keep these considerations in mind when you prepare to upgrade Endpoint Privilege Management for Unix and Linux:

  • An Endpoint Privilege Management for Unix and Linux HP-UX update depot contains a complete Endpoint Privilege Management for Unix and Linux installation, not just the files that have changed since the previous release.
  • Each Endpoint Privilege Management for Unix and Linux update depot is cumulative; that is, it includes all previous update filesets that BeyondTrust released since the baseline version. Therefore, there is no need to install the previous update depots.
  • A newer release can introduce features that use new settings or configurations, in which case the configuration package of Endpoint Privilege Management for Unix and Linux must also be upgraded.

Unlike Endpoint Privilege Management for Unix and Linux patches that are installed with pbpatchinstall, update filesets cannot be rolled back to a previous release. However, you can install an older fileset over a newer one, effectively rolling back to the older release.

Update depot procedure

Follow this procedure to update your installation of Endpoint Privilege Management for Unix and Linux using the update depots:

  1. Obtain the tarball file for the HP-UX update depots that are appropriate for your hardware. The tarball file name has the format pmul_-v.v.r-bb-update_pkg.tar.Z, where:
    • indicates the operating system and hardware architecture.
    • v.v.r is the major and minor version number and the release number.
    • bb is the build number.
  2. Extract the depot files into the /unzip-dir/ directory by executing the following command:
    tar xvfz pmul_<flavor_version>-update_pkg.tar.Z
    
  3. Navigate to the /unzip-dir/powerbroker/v//install/ directory
  4. Create the settings_files directory and change directory to that location.
  5. To retain or correctly update the settings of the current installation, copy the following files from the target installation host into the settings_files directory you created in step 4:
    • /etc/pb.settings
    • /etc/pb.cfg
    • encryption keys defined in pb.settings for networkencryption, eventlogencryption, iologencryption, reportencryption, policyencryption, and restkeyencryption settings (if enabled)

ℹ️

Note

In a default installation, there are typically 2 key files created: pb.key and pb.rest.key.

  • policy file defined in policyfile setting in pb.settings (if the target installation is a Policy Server)

ℹ️

Note

In a default installation, the policy file is located in /opt/pbul/policies/pb.conf.

  6. Execute the following command to verify and update the installation settings in the settings_files directory:
./pbinstall -z
  7. Create the upgrade configuration package by running the pbcreatehpuxcfgpkg utility:
pbcreatehpuxcfgpkg -p fileset-name

Use the current fileset-name of the installation to be upgraded, which is the fileset-name you provided during the initial package installation in step 8 of the Installation procedure.

Another way to find the fileset-name is to run the following command on the target installation host to get the list of packages installed:

swlist PowerBroker\*

Identify the fileset-name of the Endpoint Privilege Management for Unix and Linux configuration package using this format:

PowerBroker-Cfg.<fileset-name>
  8. Navigate to the directory: /unzip-dir/powerbroker/version/flavor/package/

  9. Run the HP-UX swcopy utility to copy the Endpoint Privilege Management for Unix and Linux component depot to the desired SD depot by typing:

    swcopy -s /path/PowerBroker-arch.depot PowerBroker-arch.FILESET [@ sd-directory]

    path is the absolute path to the directory that contains the Endpoint Privilege Management for Unix and Linux component depot.

    arch is the target platform architecture.

    FILESET is the specific fileset to be copied. Alternatively, use \* instead of PowerBroker-arch.FILESET to copy all filesets.

    sd-directory is the desired SD directory. If you omit @ sd-directory, the default /var/spool/sw is used.

  10. Navigate to the /unzip-dir/powerbroker/version/flavor/install/ directory.

  11. Run the HP-UX swcopy utility to copy the Endpoint Privilege Management for Unix and Linux configuration fileset to the desired SD depot:

    # swcopy -s /<cfgdepotdir>/PowerBroker-Cfg-<ver>.<filesetname>.depot  PowerBroker-Cfg.<filesetname>

  12. Run the HP-UX swinstall utility to install the Endpoint Privilege Management for Unix and Linux component filesets by typing: swinstall PowerBroker-arch.

  13. Verify the installation of the filesets with the HP-UX swverify utility by typing: swverify PowerBroker-arch.

Revert to a previous version

Unlike Endpoint Privilege Management for Unix and Linux patches that are installed with pbpatchinstall, update depots cannot be rolled back to a previous release. However, you can install an older fileset over a newer one, effectively rolling back to the older release. To install older filesets over newer ones, use the following command:

swinstall -x allow_downdate=true PowerBroker-arch

This command restores the previous release. Repeat the command to restore earlier releases.

Upgrade configuration package

When upgrading the configuration package (cfg pkg), some settings and configuration files that are part of the package might need to be copied from the existing installation to the staging host.

Files included in the cfg package:

  • pb.settings: Hardcoded target location /etc/pb.settings.

  • pb.cfg: Hardcoded target location /etc/pb.cfg.

  • All the encryption key files defined for networkencryption, eventlogencryption, iologencryption, reportencryption, policyencryption, and restkeyencryption. By default, two key files are typically created:

    • pb.key
    • pb.rest.key

    The sysadmin can define encryption with different key files in locations other than /etc. Therefore, when upgrading, and to retain what is installed on the target machine, look at all the encryption settings in /etc/pb.settings. Copy the settings to the settings_files directory before running pbinstall -z and pbcreate*cfgpkg.

  • Policy file if the target is a policy server.
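Step 5 of the update depot procedure and the file list above both depend on finding every key file that pb.settings names, wherever the administrator placed it. The following sh script is an added example, not BeyondTrust code: it collects those files into settings_files, keeps the staged copies owner-only, and reports missing or over-exposed key files. It assumes pb.settings holds one "name value" pair per line with encryption values of the form algorithm:keyfile=/path; the function names and the sample tree are constructed for illustration.

```sh
#!/bin/sh
# Added example, not BeyondTrust code. Assumed pb.settings syntax: one
# "name value" pair per line, "#" comments, and encryption values written as
# algorithm:keyfile=/path (the form the pbinstall menu displays).

# Print the unique paths that pb.settings refers to.
#   $1 = keys   -> keyfile= paths from the six *encryption settings
#        policy -> value of the policyfile setting
#   $2 = path to pb.settings
pb_setting_paths() {
    awk -v mode="$1" '
        /^[ \t]*#/ { next }
        mode == "keys" && $1 ~ /^(network|eventlog|iolog|report|policy|restkey)encryption$/ {
            for (i = 2; i <= NF; i++) {          # assumed: a value may list several entries
                n = split($i, opt, ":")
                for (j = 1; j <= n; j++) {
                    gsub(/"/, "", opt[j])        # tolerate quoted values
                    if (opt[j] ~ /^keyfile=./) print substr(opt[j], 9)
                }
            }
        }
        mode == "policy" && $1 == "policyfile" && NF >= 2 {
            gsub(/"/, "", $2); print $2
        }
    ' "$2" | LC_ALL=C sort -u
}

# Succeeds when the file exists and is readable by group or others.
is_exposed() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \) -print 2>/dev/null)" ]
}

# Print each key file named in pb.settings that group or others can read.
exposed_key_files() {
    pb_setting_paths keys "$1" | while IFS= read -r k; do
        if is_exposed "$k"; then echo "$k"; fi
    done
}

# Copy pb.settings, pb.cfg and every file pb.settings refers to into the
# settings_files directory; the directory is 0700 and each copy 0600.
#   $1 = pb.settings   $2 = pb.cfg   $3 = settings_files directory
# Returns 0 when everything was staged, 1 when a file was missing or a copy failed.
# Files are staged flat, so two key files sharing a basename would collide.
stage_settings_files() {
    settings=$1; cfg=$2; dest=$3; rc=0
    old_umask=$(umask); umask 077
    mkdir -p "$dest" && chmod 700 "$dest" || { umask "$old_umask"; return 1; }
    keys=$(pb_setting_paths keys "$settings")
    policy=$(pb_setting_paths policy "$settings")
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        if [ ! -f "$f" ]; then
            echo "MISSING  $f" >&2; rc=1; continue
        fi
        cp "$f" "$dest/" && chmod 600 "$dest/$(basename "$f")" || rc=1
    done <<EOF
$settings
$cfg
$keys
$policy
EOF
    umask "$old_umask"
    return "$rc"
}

# Build a constructed sample tree under $1 that stands in for the target host.
make_constructed_sample() {
    mkdir -p "$1/etc" "$1/policies"
    echo key1   > "$1/etc/pb.key";      chmod 600 "$1/etc/pb.key"
    echo key2   > "$1/etc/pb.rest.key"; chmod 644 "$1/etc/pb.rest.key"  # deliberately too open
    echo cfg    > "$1/etc/pb.cfg"
    echo policy > "$1/policies/pb.conf"
    cat > "$1/etc/pb.settings" <<EOF
# constructed pb.settings; pb.iolog.key is deliberately absent from disk
networkencryption  aes-256:keyfile=$1/etc/pb.key
restkeyencryption  aes-256:keyfile=$1/etc/pb.rest.key
iologencryption    aes-256:keyfile=$1/etc/pb.iolog.key
eventlogencryption none
policyfile         $1/policies/pb.conf
EOF
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d) && make_constructed_sample "$tmp"
    stage_settings_files "$tmp/etc/pb.settings" "$tmp/etc/pb.cfg" "$tmp/settings_files" ||
        echo "staging incomplete: resolve the MISSING files before running pbinstall -z"
    echo "key files readable by group or others:"
    exposed_key_files "$tmp/etc/pb.settings"
    rm -rf "$tmp"
fi
```

Run it with --demo to exercise the constructed tree. A non-zero return from stage_settings_files means a file named in pb.settings was not found, so the settings_files directory is incomplete.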

Generate the EPM-UL Settings Files

This section of the execution shows the generation of the Endpoint Privilege Management for Unix and Linux settings files (pb.key, pb.cfg, and pb.settings) and also displays the Endpoint Privilege Management for Unix and Linux installation menu. This output was generated using the pbinstall program with the -z option and selecting menu options to install a run host and a submit host:

Example

# ./pbinstall -z
Starting pbinstall main() from /opt/pbpkg/powerbroker/v9.4/pmul_hpux.ia64_9.4.3-18/install/.
hpux.ia64
Endpoint Privilege Management for Unix and Linux Settings File Generation
Please read the Endpoint Privilege Management for Unix and Linux Installation Instructions before proceeding.
Checking MANIFEST against release directory
Press return to continue
The Registry Name Service of Endpoint Privilege Management for Unix and Linux facilitates location of other services within the pmul enterprise with the aid of a centralized
data repository.
IMPORTANT: client registration is required if this is not the Primary Server and you intend to use Registry Name Services.
Do you wish to utilize Registry Name Service? [yes]? no
BeyondTrust Endpoint Privilege Management for Unix and Linux Installation Menu
Opt  Description                                [Value]
1    Install Everything Here (Demo Mode)?       [no]
2    Install License Server?                    [no]
3    Install Registry Name Services Server?     [no]
5    Install Policy Server Host?                [yes]
6    Install Run Host?                          [yes]
7    Install Submit Host?                       [yes]
9    Install sudo Policy Server?                [no]
10   Install Log Host?                          [yes]
14   Install File Integrity Monitoring Polic... [no]
N for the next menu page, C to continue, X to exit
Please enter a menu option [For technical support call 1-800-234-9072]> 7
Endpoint Privilege Management for Unix and Linux executes secured tasks on hosts which are designated as Run Hosts.  These hosts execute the commands using the pblocald daemon.
To allow Endpoint Privilege Management for Unix and Linux to execute a command, a host must be configured as a Run Host.
Do you want this host to be a Run Host [no]? yes
BeyondTrust Endpoint Privilege Management for Unix and Linux Installation Menu
Opt  Description                                [Value]
1    Install Everything Here (Demo Mode)?       [no]
2    Install License Server?                    [no]
3    Install Registry Name Services Server?     [no]
5    Install Policy Server Host?                [yes]
6    Install Run Host?                          [yes]
7    Install Submit Host?                       [yes]
9    Install sudo Policy Server?                [no]
10   Install Log Host?                          [yes]
14   Install File Integrity Monitoring Polic... [no]
25   Install Secure GUI Host?                   [yes]
26   Install Utilities: pbvi, pbnvi, pbmg, p... [yes]
29   Install man pages?                         [no]
30   Will this host use a Log Host?             [yes]
31   AD Bridge Integration?                     [no]
55   Synchronization program can be initiate... [yes]
56   Daemons location                           [/usr/sbin]
59   User programs location                     [/usr/local/bin]
N for the next menu page, C to continue, X to exit
Please enter a menu option [For technical support call 1-800-234-9072]> 8
Endpoint Privilege Management for Unix and Linux allows requests for secured tasks to be made on hosts configured as Submit Hosts.
To have pbrun initiate requests for secured tasks, this host must be a Submit Host.
Do you want this host to be a Submit Host [no]? yes
BeyondTrust Endpoint Privilege Management for Unix and Linux Installation Menu
Opt  Description                                  [Value] 
1    Install Everything Here (Demo Mode)?         [no]
2    Install License Server?                      [no]
3    Install Registry Name Services Server?       [no]
4    Install Client Registration Server?          [no]
5    Install Policy Server Host?                  [yes]
6    Install Run Host?                            [yes]
7    Install Submit Host?                         [yes]
8    Install PBSSH                                [yes]
9    Install sudo Policy Server?                  [no]
10   Install Log Host?                            [yes]
11   Enable Logfile Tracking and Archiving?       [yes]
12   Is this a Log Archiver Storage Server?       [no]
13   Is this a Log Archiver Database Server?      [no]
14   Install File Integrity Monitoring Polic...   [no]
15   Install REST Services?                       [yes]
16   List of License Servers                      [*]
19   Path to Password Safe 'pkrun' binary         []
23   Install Synchronization program?             [yes]              			
25   Install Secure GUI Host?                     [yes]
26   Install Utilities: pbvi, pbnvi, pbmg, p...   [yes]
27   Install pbksh?                               [yes]
28   Install pbsh?                                [yes]
29   Install man pages?                           [no]
30   Will this host use a Log Host?               [yes]
31   AD Bridge Integration?                       [no]
37   Integration with BeyondInsight?              [no]
55   Synchronization program can be initiate...   [yes]
56   Daemons location                             [/usr/sbin]
57   Number of reserved spaces for submit pr...   [80]
58   Administration programs location             [/usr/sbin]
59   User programs location                       [/usr/local/bin]
60   GUI library directory                        [/usr/local/lib/pbbuilder]
61   Policy include (sub) file directory          [/opt/pbul/policies]
62   Policy file name                             [/opt/pbul/policies/pb.conf]
65   Log Archive Storage Server name              []
67   Log Archiver Database Server name            []
69   Logfile Name Cache Database file path?       [/opt/pbul/dbs/pblogcache.db]
70   REST Service installation directory?         [/usr/lib/beyondtrust/pb/rest]
71   Install REST API sample code?                [no]
73   Pblighttpd user                              [pblight]
75   Pblighttpd user UID                          []
76   Pblighttpd user GID                          []
78   Configure systemd?                           [yes]
79   Command line options for pbmasterd           [-ar]
80   Policy Server Delay                          [500]
81   Policy Server Protocol Timeout               [-1]
82   pbmasterd diagnostic log                     [/var/log/pbmasterd.log]
83   Eventlog filename                            [/var/log/pb.eventlog]
84   Configure eventlog rotation via size?        []
85   Configure eventlog rotation path?            []
86   Configure eventlog rotation via cron?        [no]
87   Validate Submit Host Connections?            [no]
88   List of Policy Servers to submit to          [kandor]
89   pbrun diagnostic log?                        [none]
90   pbssh diagnostic log?                        [none]
91   Allow Local Mode?                            [yes]
92   Additional secured task checks?              [no]
93   Suppress Policy Server host failover er...   [yes]
94   List of Policy Servers to accept from        [kandor]
95   pblocald diagnostic log                      [/var/log/pblocald.log]
96   Command line options for pblocald            []
97   Syslog pblocald sessions?                    [no]
98   Record PTY sessions in utmp/utmpx?           [yes]
99   Validate Policy Server Host Connections?     [no]
100  List of Log Hosts                            [kandor]
101  Command line options for pblogd              []
102  Log Host Delay                               [500]
103  Log Host Protocol Timeout                    [-1]
104  pblogd diagnostic log                        [/var/log/pblogd.log]
105  List of log reserved filesystems             [none]			
106  Number of free blocks per log system fi...   [0]
107  Command line options for pbsyncd             []
108  Sync Protocol Timeout                        [-1]
109  pbsyncd diagnostic log                       [/var/log/pbsyncd.log]
110  pbsync diagnostic log                        [/var/log/pbsync.log]
111  pbsync sychronization time interval (in...   [15]
112  Add installed shells to /etc/shells          [no]
113  pbksh diagnostic file                        [/var/log/pbksh.log]
114  pbsh diagnostic file                         [/var/log/pbsh.log]
115  Stand-alone pblocald command                 [none]
116  Stand-alone root shell default iolog         [/pbshell.iolog]
121  Use syslog?                                  [yes]
122  Syslog facility to use?                      [LOG_AUTHPRIV]
123  Base Daemon port number                      [24345]
124  pbmasterd port number                        [24345]
125  pblocald port number                         [24346]
126  pblogd port number                           [24347]
127  pbguid port number                           [24348]
129  pbsyncd port number                          [24350]
130  REST Service port number                     [24351]
131  Add entries to '/etc/services'               [yes]
132  Allow non-reserved port connections          [yes]
133  Inbound Port range                           [1025-65535]
134  Outbound Port range                          [1025-65535]
137  Network encryption options                   [aes-256:keyfile=/etc/pb.key]
138  Event log encryption options                 [none]
139  I/O log encryption options                   [none]
140  Report encryption options                    [none]
141  Policy file encryption options               [none]
142  Settings file encryption type                [none]
143  REST API encryption options                  [aes-256:keyfile=/etc/pb.re...]
144  Configure with Kerberos v5?                  [no]
150  Enforce High Security Encryption?            [yes]
151  Use SSL?                                     [yes]
152  SSL Configuration?                           [requiressl]
153  SSL pbrun Certificate Authority Directory?   [none]
154  SSL pbrun Certificate Authority File?        [none]
155  SSL pbrun Cipher List?                       [HIGH:!SSLv2:!3DES:!MD5:@ST…]
156  SSL pbrun Certificate Directory?             [none]
157  SSL pbrun Certificate File?                  [none]
158  SSL pbrun Private Key Directory?             [none]
159  SSL pbrun Private Key File?                  [none]
160  SSL pbrun Certificate Subject Checks?        [none]
161  SSL Server Certificate Authority Direct...   [none]
162  SSL Server Certificate Authority File?       [none]
163  SSL Server Cipher List?                      [HIGH:!SSLv2:!3DES:!MD5:@ST...]
164  SSL Server Certificate Directory?            [none]
165  SSL Server Certificate File?                 [/etc/pbssl.pem]
166  SSL Server Private Key Directory?            [none]
167  SSL Server Private Key File?                 [/etc/pbssl.pem]
168  SSL Server Certificate Subject Checks?       [none]
169  SSL Certificate Country Code                 [US]
170  SSL Certificate State/Province               [AZ]
171  SSL Certificate Location (Town/City)         [Phoenix]
172  SSL Certificate Organizational Unit/Dep...   [Security]
173  SSL Certificate Organization                 [BeyondTrust]
174  Configure Privilege Management for Unix...   [no]
175  Install BeyondTrust built-in third-part...   [yes]
176  BeyondTrust built-in third-party librar...   [/usr/lib/beyondtrust/pb]
188  Use PAM?                                     [no]
196  Allow Remote Jobs?                           [yes]
197  UNIX Domain Socket directory                 [none]
198  Reject Null Passwords?                       [no]
199  Enable TCP keepalives?                       [no]
200  Name Resolution Timeout                      [0]
N for the next menu page, P for the previous menu page, C to continue, X to exit
Please enter a menu option [For technical support call 1-800-234-9072]> c
ypcat:  no such map in server's NIS domain
No submitmasters was specified and no NIS netgroup called pbsubmitmasters found
Endpoint Privilege Management for Unix and Linux needs to know the submitmasters(s) to work.
The Endpoint Privilege Management for Unix and Linux programs need to know which Policy Server Host(s) you have decided to allow to act as submitmaster(s) for this machine.
Submitmasters take requests for secured tasks from Submit Hosts,
accept or reject them, and pass the accepted requests to a Run Host.
To locate submitmasters, programs look for a setting in the settings file
containing the names of the submitmaster machines or a netgroup
called pbsubmitmasters.
Enter Policy Server list (submitmasters):  hp113-ca025-012.unix.beyondtrust.com
ypcat:  no such map in server's NIS domain
No acceptmasters was specified and no NIS netgroup called pbacceptmasters found
Endpoint Privilege Management for Unix and Linux needs to know the acceptmasters(s) to work.
The Endpoint Privilege Management for Unix and Linux programs need to know which Policy Server Host(s) you have decided to allow to request execution of secured tasks to this machine.
Hosts on the acceptmasters list are the Policy Server Hosts which are allowed
to make secured task requests to this machine.
To do this, programs look for a setting in the settings file containing the
names of the acceptmasters machines or a netgroup called pbacceptmasters.
Enter Incoming Policy Server list (acceptmasters):  hp113-ca025-012.unix.beyondtrust.com
ypcat:  no such map in server's NIS domain
No log hosts was specified and no NIS netgroup called pblogservers found
Endpoint Privilege Management for Unix and Linux needs to know the log hosts(s) to work.
The Endpoint Privilege Management for Unix and Linux programs need to know which machine(s) you have selected as Log Host(s).  Log Hosts are hosts which Policy Servers
select for Run Hosts to do event and I/O logging.
To do this, pbmasterd looks for the setting logservers in the settings
file. This setting contains the names of the Log Host machines or a netgroup.
Current installation settings for Log Server(s):
Enter Log Server list (logservers):  hp113-ca025-012.unix.beyondtrust.com
Generating key file /opt/pbpkg/powerbroker/v9.4/pbul_hpux.ia64_9.4.3-18/install/settings_files/pb.key...
Are all the installation settings correct [yes]?
Generating config file /opt/pbpkg/powerbroker/v9.4/pmul_hpux.ia64_9.4.3-18/install/settings_files/pb.cfg
Creating the settings file creation script
Backed up existing settings file creation script to:
'/opt/pbpkg/powerbroker/v9.4/pbul_hpux.ia64_9.4.3-18/install/pbcreatesettingsfile.ctime.May_26_15:05'
Running settings file creation script
Creating settings file /opt/pbpkg/powerbroker/v9.4/pmul_hpux.ia64_9.4.3-18/install/settings_files/pb.settings
Generated settings files are in directory: /opt/pbpkg/powerbroker/v9.4/pmul_hpux.ia64_9.4.3-18/install/settings_files
Endpoint Privilege Management for Unix and Linux Settings File Generation completed successfully.

Create the EPM-UL Configuration Package Using pbcreatehpuxcfgpkg

This section shows the creation of the Endpoint Privilege Management for Unix and Linux configuration depot using the pbcreatehpuxcfgpkg program with the -p and -s options.

ℹ️

Note

At the end of its output, the pbcreatehpuxcfgpkg script shows which Endpoint Privilege Management for Unix and Linux component filesets need to be copied to the SD depot.

Example

# cd /opt/pbpkg/powerbroker/v9.4/pmul_hpux.ia64_9.4.3-18/install
# ./pbcreatehpuxcfgpkg -p CLIENT1 -s /opt/pbpkg/powerbroker/v9.4/pmul_hpux.ia64_9.4.3-18/install/settings_files
pbcreatehpuxcfgpkg: starting from /opt/pbpkg/powerbroker/v9.4/pmul_hpux.ia64_9.4.3-18/install
pbcreatehpuxcfgpkg: keyfile pb.key will be included in package
pbcreatehpuxcfgpkg: reading /opt/pbpkg/powerbroker/v9.4/pmul_hpux.ia64_9.4.3-18/install/settings_files/pb.cfg
pbcreatehpuxcfgpkg: processing, please wait . . .
pbcreatehpuxcfgpkg: packaging PowerBroker Unix/Linux Configuration HP-UX Depot . . .
=======  05/26/17 15:19:42 PDT  BEGIN swpackage SESSION
* Session started for user
"[email protected]".
* Source:
pbul-qa-hpux11v3-01.unix.beyondtrust.com:/opt/pbpkg/powerbroker/v9.4/pmul_hpux.ia64_9.4.3-18/install/PowerBroker-Cfg/psf/PowerBroker-Cfg.psf
* Target:
pbul-qa-hpux11v3-01.unix.beyondtrust.com:/opt/pbpkg/powerbroker/v9.4/pmul_hpux.ia64_9.4.3-18/install/PowerBroker-Cfg/depot/PowerBroker-Cfg-9.4.3.18.CLIENT1.depot
* Software selections:
*
* Beginning Selection Phase.
* Reading the Product Specification File (PSF)
"/opt/pbpkg/powerbroker/v9.4/pmul_hpux.ia64_9.4.3-18/install/PowerBroker-Cfg/psf/PowerBroker-Cfg.psf".
* Reading the product "PowerBroker-Cfg" at line 11.
* Reading the fileset "CLIENT1" at line 48.
NOTE:    The temporary target depot "/var/tmp/pkgAAA005165" has been
created.
* Selection Phase succeeded.
* Beginning Analysis Phase.
NOTE:    The fileset "PowerBroker-Cfg.CLIENT1" has a prerequisite
dependency on a software object which exists in another
product, "PowerBroker-hppa64.RUNHOST", which was not selected
for packaging and does not exist in the target depot.
NOTE:    The fileset "PowerBroker-Cfg.CLIENT1" has a prerequisite
dependency on a software object which exists in another
product, "PowerBroker-hpia64.RUNHOST", which was not selected
for packaging and does not exist in the target depot.
NOTE:    The fileset "PowerBroker-Cfg.CLIENT1" has a prerequisite
dependency on a software object which exists in another
product, "PowerBroker-hppa64.SUBMITHOST", which was not
selected for packaging and does not exist in the target depot.
NOTE:    The fileset "PowerBroker-Cfg.CLIENT1" has a prerequisite
dependency on a software object which exists in another
product, "PowerBroker-hpia64.SUBMITHOST", which was not
selected for packaging and does not exist in the target depot.
NOTE:    The fileset "PowerBroker-Cfg.CLIENT1" has a prerequisite
dependency on a software object which exists in another
product, "PowerBroker-hppa64.SHAREDLIBS", which was not
selected for packaging and does not exist in the target depot.
NOTE:    The fileset "PowerBroker-Cfg.CLIENT1" has a prerequisite
dependency on a software object which exists in another
product, "PowerBroker-hpia64.SHAREDLIBS", which was not
selected for packaging and does not exist in the target depot.
NOTE:    One or more of the filesets you selected specify a dependency
on software which exists in another product.  (See above).
The other software was not selected for packaging and does not
exist in the target depot.  (An unresolved dependency on
another product may prevent the dependent product from being
installed.)
* Analysis Phase succeeded.
* Beginning Package Phase.
* Packaging the product "PowerBroker-Cfg".
* Packaging the fileset "PowerBroker-Cfg.CLIENT1".
* Package Phase succeeded.
* Beginning Tapemaker Phase.
* Copying the temporary depot to the tape
"/opt/pbpkg/powerbroker/v9.4/pmul_hpux.ia64_9.4.3-18/install/PowerBroker-Cfg/depot/PowerBroker-Cfg-9.4.3.18.CLIENT1.depot".
* Calculating the tape blocks required to copy the temporary
depot to the tape
"/opt/pbpkg/powerbroker/v9.4/pmul_hpux.ia64_9.4.3-18/install/PowerBroker-Cfg/depot/PowerBroker-Cfg-9.4.3.18.CLIENT1.depot".
NOTE:    The temporary depot requires 220 Kbytes on the tape
"/opt/pbpkg/powerbroker/v9.4/pmul_hpux.ia64_9.4.3-18/install/PowerBroker-Cfg/depot/PowerBroker-Cfg-9.4.3.18.CLIENT1.depot".
* Writing the tape
"/opt/pbpkg/powerbroker/v9.4/pmul_hpux.ia64_9.4.3-18/install/PowerBroker-Cfg/depot/PowerBroker-Cfg-9.4.3.18.CLIENT1.depot"
(tape 1 of 1).
* Writing the fileset "PowerBroker-Cfg.CLIENT1" (1 of 1)
* Tape #1: CRC-32 checksum & size: 2376197741 225280
* Removing the temporary depot.
* Tapemaker Phase succeeded.
=======  05/26/17 15:19:42 PDT  END swpackage SESSION
pbcreatehpuxcfgpkg: depot 'PowerBroker-Cfg-9.4.3.18.CLIENT1.depot' placed in /opt/pbpkg/powerbroker/v9.4/pmul_hpux.ia64_9.4.3-18/install
pbcreatehpuxcfgpkg: the following depot filesets will need to be loaded to the target system:
PowerBroker-{arch}.RUNHOST PowerBroker-{arch}.SUBMITHOST PowerBroker-{arch}.SHAREDLIBS
where {arch} is the appropriate architecture for the target system, 'hppa64' or 'ia64'.
pbcreatehpuxcfgpkg: completed.

Copy the EPM-UL Depots Using the swcopy Command

This section shows the execution of the swcopy command to copy the Endpoint Privilege Management component and configuration depots to the default SD depot. This section also includes execution of the swjob and swlist commands to verify that the depots have been copied:

Example

# swcopy -s /opt/pbpkg/powerbroker/v9.4/pmul_hpux.ia64_9.4.3-18/package/PowerBroker-hpia64-9.4.3.18.depot PowerBroker-hpia64.SHAREDLIBS PowerBroker-hpia64.SUBMITHOST PowerBroker-hpia64.RUNHOST
=======  05/26/17 16:47:14 PDT  BEGIN swcopy SESSION (non-interactive)
(jobid=pbul-qa-hpux11v3-01.unix.beyondtrust.com-0263)
* Session started for user
"[email protected]".
* Beginning Selection
* "pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw":  This
target does not exist and will be created.
* Source:
/opt/pbpkg/powerbroker/v9.4/pmul_hpux.ia64_9.4.3-18/package/PowerBroker-hpia64-9.4.3.18.depot
* Targets:
pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw
* Software selections:
PowerBroker-hpia64.RUNHOST,r=9.4.3.18,a=HP-UX_B.11.23/31_64_IA,v=BeyondTrust
PowerBroker-hpia64.SHAREDLIBS,r=9.4.3.18,a=HP-UX_B.11.23/31_64_IA,v=BeyondTrust
PowerBroker-hpia64.SUBMITHOST,r=9.4.3.18,a=HP-UX_B.11.23/31_64_IA,v=BeyondTrust
* Selection succeeded.
* Beginning Analysis and Execution
* Session selections have been saved in the file
"/.sw/sessions/swcopy.last".
* The analysis phase succeeded for
"pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw".
* The execution phase succeeded for
"pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw".
* Analysis and Execution succeeded.
NOTE:    More information may be found in the agent logfile using the
command "swjob -a log pbul-qa-hpux11v3-01.unix.beyondtrust.com-0263
@ pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw".
=======  05/26/17 16:47:21 PDT  END swcopy SESSION (non-interactive)
(jobid=pbul-qa-hpux11v3-01.unix.beyondtrust.com-0263)
# swjob -a log pbul-qa-hpux11v3-01.unix.beyondtrust.com-0263 @ pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw
=======  05/26/17 16:47:15 PDT  BEGIN copy AGENT SESSION (pid=7319)
(jobid=pbul-qa-hpux11v3-01.unix.beyondtrust.com-0263)
* Agent session started for user
"[email protected]". (pid=7319)
* Beginning Analysis Phase.
* Source:
pbul-qa-hpux11v3-01.unix.beyondtrust.com:/opt/pbpkg/powerbroker/v9.4/pmul_hpux.ia64_9.4.3-18/package/PowerBroker-hpia64-9.4.3.18.depot
* Target:
pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw
* Target logfile:
pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw/swagent.log
* Reading source for product information.
* Reading source for file information.
NOTE:    The used disk space on filesystem "/var" is estimated to
increase by 91664 Kbytes.
This will leave 5407144 Kbytes of available user disk space
after the installation.
* Summary of Analysis Phase:
* 3 of 3 filesets had no Errors or Warnings.
* The Analysis Phase succeeded.
* Beginning the Copy Execution Phase.
* Filesets:         3
* Files:            105
* Kbytes:           90877
* Copying fileset "PowerBroker-hpia64.RUNHOST,r=9.4.3.18" (1 of
3).
* Copying fileset "PowerBroker-hpia64.SHAREDLIBS,r=9.4.3.18" (2
of 3).
* Copying fileset "PowerBroker-hpia64.SUBMITHOST,r=9.4.3.18" (3
of 3).
* Summary of Execution Phase:
* 3 of 3 filesets had no Errors or Warnings.
* The Execution Phase succeeded.
=======  05/26/17 16:47:21 PDT  END copy AGENT SESSION (pid=7319)
(jobid=pbul-qa-hpux11v3-01.unix.beyondtrust.com-0263)
# swcopy -s /opt/pbpkg/powerbroker/v9.4/pmul_hpux.ia64_9.4.3-18/install/PowerBroker-Cfg-9.4.3.18.CLIENT1.depot PowerBroker-Cfg.CLIENT1
=======  05/26/17 16:49:48 PDT  BEGIN swcopy SESSION (non-interactive)
(jobid=pbul-qa-hpux11v3-01.unix.beyondtrust.com-0264)
* Session started for user
"[email protected]".
* Beginning Selection
* Target connection succeeded for
"pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw".
* Source:
/opt/pbpkg/powerbroker/v9.4/pmul_hpux.ia64_9.4.3-18/install/PowerBroker-Cfg-9.4.3.18.CLIENT1.depot
* Targets:
pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw
* Software selections:
PowerBroker-Cfg.CLIENT1,r=9.4.3.18,a=HP-UX_B.11.11/23/31_32/64_IA/PA,v=BeyondTrust
* Selection succeeded.
* Beginning Analysis and Execution
* Session selections have been saved in the file
"/.sw/sessions/swcopy.last".
* The analysis phase succeeded for
"pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw".
* The execution phase succeeded for
"pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw".
* Analysis and Execution succeeded.
NOTE:    More information may be found in the agent logfile using the
command "swjob -a log pbul-qa-hpux11v3-01.unix.beyondtrust.com-0264
@ pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw".
=======  05/26/17 16:49:48 PDT  END swcopy SESSION (non-interactive)
(jobid=pbul-qa-hpux11v3-01.unix.beyondtrust.com-0264)
# swjob -a log pbul-qa-hpux11v3-01.unix.beyondtrust.com-0264 @ pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw
=======  05/26/17 16:49:48 PDT  BEGIN copy AGENT SESSION (pid=7373)
(jobid=pbul-qa-hpux11v3-01.unix.beyondtrust.com-0264)
* Agent session started for user
"[email protected]". (pid=7373)
* Beginning Analysis Phase.
* Source:
pbul-qa-hpux11v3-01.unix.beyondtrust.com:/opt/pbpkg/powerbroker/v9.4/pmul_hpux.ia64_9.4.3-18/install/PowerBroker-Cfg-9.4.3.18.CLIENT1.depot
* Target:
pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw
* Target logfile:
pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw/swagent.log
* Reading source for product information.
* Reading source for file information.
NOTE:    The used disk space on filesystem "/var" is estimated to
increase by 232 Kbytes.
This will leave 5446360 Kbytes of available user disk space
after the installation.
* Summary of Analysis Phase:
* 1 of 1 filesets had no Errors or Warnings.
* The Analysis Phase succeeded.
* Beginning the Copy Execution Phase.
* Filesets:         1
* Files:            6
* Kbytes:           186
* Copying fileset "PowerBroker-Cfg.CLIENT1,r=9.4.3.18" (1 of 1).
* Summary of Execution Phase:
* 1 of 1 filesets had no Errors or Warnings.
* The Execution Phase succeeded.
=======  05/26/17 16:49:48 PDT  END copy AGENT SESSION (pid=7373)
(jobid=pbul-qa-hpux11v3-01.unix.beyondtrust.com-0264)

Install the EPM-UL Filesets Using the swinstall Command

This section shows the execution of the HP-UX swinstall command to install the Endpoint Privilege Management for Unix and Linux filesets. Because the swinstall command automatically installs the dependent filesets, you need only run the swinstall command for the configuration fileset. Following installation of the configuration package, the installation is verified by submitting the swlist, swjob, and swverify commands. Finally, the id command is submitted to Endpoint Privilege Management for Unix and Linux to test the installation.

ℹ️

Note

During the Endpoint Privilege Management for Unix and Linux fileset installation process, you might see a warning message regarding "core transition links." You can ignore this warning.

Example

# swinstall PowerBroker-Cfg.CLIENT1
=======  05/26/17 16:50:39 PDT  BEGIN swinstall SESSION
(non-interactive)
(jobid=pbul-qa-hpux11v3-01.unix.beyondtrust.com-0265)
* Session started for user
"[email protected]".
* Beginning Selection
* Target connection succeeded for
"pbul-qa-hpux11v3-01.unix.beyondtrust.com:/".
* Source connection succeeded for
"pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw".
* Source: /var/spool/sw
* Targets:  pbul-qa-hpux11v3-01.unix.beyondtrust.com:/
* Software selections:
PowerBroker-Cfg.CLIENT1,r=9.4.3.18,a=HP-UX_B.11.11/23/31_32/64_IA/PA,v=BeyondTrust
+ PowerBroker-hpia64.RUNHOST,r=9.4.3.18,a=HP-UX_B.11.23/31_64_IA,v=BeyondTrust
+ PowerBroker-hpia64.SHAREDLIBS,r=9.4.3.18,a=HP-UX_B.11.23/31_64_IA,v=BeyondTrust
+ PowerBroker-hpia64.SUBMITHOST,r=9.4.3.18,a=HP-UX_B.11.23/31_64_IA,v=BeyondTrust
* A "+" indicates an automatic selection due to dependency or
the automatic selection of a patch or reference bundle.
* Selection succeeded.
* Beginning Analysis and Execution
* Session selections have been saved in the file
"/.sw/sessions/swinstall.last".
* The analysis phase succeeded for
"pbul-qa-hpux11v3-01.unix.beyondtrust.com:/".
* The execution phase succeeded for
"pbul-qa-hpux11v3-01.unix.beyondtrust.com:/".
* Analysis and Execution succeeded.
NOTE:    More information may be found in the agent logfile using the
command "swjob -a log pbul-qa-hpux11v3-01.unix.beyondtrust.com-0265
@ pbul-qa-hpux11v3-01.unix.beyondtrust.com:/".
=======  05/26/17 16:50:54 PDT  END swinstall SESSION (non-interactive)
(jobid=pbul-qa-hpux11v3-01.unix.beyondtrust.com-0265)
# swjob -a log pbul-qa-hpux11v3-01.unix.beyondtrust.com-0265 @ pbul-qa-hpux11v3-01.unix.beyondtrust.com:/
=======  05/26/17 16:50:39 PDT  BEGIN install AGENT SESSION (pid=7464)
(jobid=pbul-qa-hpux11v3-01.unix.beyondtrust.com-0265)
* Agent session started for user
"[email protected]". (pid=7464)
* Beginning Analysis Phase.
* Source:
pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw
* Target:           pbul-qa-hpux11v3-01.unix.beyondtrust.com:/
* Target logfile:
pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/adm/sw/swagent.log
* Reading source for product information.
* Reading source for file information.
* Executing preDSA command.
NOTE: The used disk space on filesystem "/" is estimated to increase by 24 Kbytes.
This will leave 205712 Kbytes of available user disk space after the installation.
NOTE: The used disk space on filesystem "/opt" is estimated to increase by 32 Kbytes.
This will leave 2466280 Kbytes of available user disk space after the installation.
NOTE: The used disk space on filesystem "/usr" is estimated to increase by 91552 Kbytes.
This will leave 3519968 Kbytes of available user disk space after the installation.
NOTE: The used disk space on filesystem "/var" is estimated to increase by 288 Kbytes.
This will leave 5410848 Kbytes of available user disk space after the installation.
* Summary of Analysis Phase:
* 4 of 4 filesets had no Errors or Warnings.
* The Analysis Phase succeeded.
* Beginning the Install Execution Phase.
* Filesets: 4
* Files:  111
* Kbytes:  91063
* Installing fileset "PowerBroker-hpia64.SUBMITHOST,r=9.4.3.18" because one or more other selected filesets depend on it (1 of 4).
* Installing fileset "PowerBroker-hpia64.SHAREDLIBS,r=9.4.3.18" because one or more other selected filesets depend on it (2 of 4).
* Installing fileset "PowerBroker-hpia64.RUNHOST,r=9.4.3.18" because one or more other selected filesets depend on it (3 of 4).
* Installing fileset "PowerBroker-Cfg.CLIENT1,r=9.4.3.18" (4 of 4).
* Beginning the Configure Execution Phase.
NOTE: Reading pb.cfg...
NOTE: Looking for SuperDaemons to configure...
NOTE: Finished looking for SuperDaemons to configure...
NOTE: Removing PowerBroker service definitions (if any) from /etc/services.
NOTE: Adding PowerBroker service definitions to /etc/services
NOTE: Removing any PowerBroker definitions from SuperDaemon inetd file /etc/inetd.conf
NOTE: Adding PowerBroker definitions to SuperDaemon configurations /etc/inetd.conf
NOTE: Reloading SuperDaemon Configurations...
NOTE: Done Reloading SuperDaemon Configurations...
Updating Settings in database (if any)...
* Summary of Execution Phase:
* 4 of 4 filesets had no Errors or Warnings.
* The Execution Phase succeeded.
=======  05/26/17 16:50:54 PDT  END install AGENT SESSION (pid=7464)
(jobid=pbul-qa-hpux11v3-01.unix.beyondtrust.com-0265)
# swlist PowerBroker\*
# Initializing...
# Contacting target "pbul-qa-hpux11v3-01.unix.beyondtrust.com"...
#
# Target:  pbul-qa-hpux11v3-01.unix.beyondtrust.com:/
#
# PowerBroker-Cfg 9.4.3.18 BeyondTrust PowerBroker Unix/Linux - Root Delegation and Privilege Management
PowerBroker-Cfg.CLIENT1 9.4.3.18 BeyondTrust PowerBroker Unix/Linux Configuration - Root Delegation and Privilege Management
# PowerBroker-hpia64 9.4.3.18 BeyondTrust PowerBroker - Root Delegation and Privilege Management
PowerBroker-hpia64.RUNHOST 9.4.3.18 BeyondTrust PowerBroker Run Host - Root Delegation and Privilege Management
PowerBroker-hpia64.SHAREDLIBS 9.4.3.18 BeyondTrust PowerBroker Shared Libraries - Root Delegation and Privilege Management
PowerBroker-hpia64.SUBMITHOST 9.4.3.18 BeyondTrust PowerBroker Submit Host - Root Delegation and Privilege Management
# swverify PowerBroker-Cfg PowerBroker-hpia64
=======  05/26/17 16:52:13 PDT  BEGIN swverify SESSION
(non-interactive)
(jobid=pbul-qa-hpux11v3-01.unix.beyondtrust.com-0266)
* Session started for user
"[email protected]".
* Beginning Selection
* Target connection succeeded for
"pbul-qa-hpux11v3-01.unix.beyondtrust.com:/".
* Software selections:
PowerBroker-Cfg.CLIENT1,l=/,r=9.4.3.18,a=HP-UX_B.11.11/23/31_32/64_IA/PA,v=BeyondTrust
PowerBroker-hpia64.RUNHOST,l=/,r=9.4.3.18,a=HP-UX_B.11.23/31_64_IA,v=BeyondTrust
PowerBroker-hpia64.SHAREDLIBS,l=/,r=9.4.3.18,a=HP-UX_B.11.23/31_64_IA,v=BeyondTrust
PowerBroker-hpia64.SUBMITHOST,l=/,r=9.4.3.18,a=HP-UX_B.11.23/31_64_IA,v=BeyondTrust
* Selection succeeded.
* Beginning Analysis
* Session selections have been saved in the file
"/.sw/sessions/swverify.last".
* The analysis phase succeeded for
"pbul-qa-hpux11v3-01.unix.beyondtrust.com:/".
* Verification succeeded.
NOTE: More information may be found in the agent logfile using the
command "swjob -a log pbul-qa-hpux11v3-01.unix.beyondtrust.com-0266
@ pbul-qa-hpux11v3-01.unix.beyondtrust.com:/".
=======  05/26/17 16:52:17 PDT  END swverify SESSION (non-interactive)
(jobid=pbul-qa-hpux11v3-01.unix.beyondtrust.com-0266)
# swjob -a log pbul-qa-hpux11v3-01.unix.beyondtrust.com-0266 @ pbul-qa-hpux11v3-01.unix.beyondtrust.com:/
=======  05/26/17 16:52:14 PDT  BEGIN verify AGENT SESSION (pid=7787)
(jobid=pbul-qa-hpux11v3-01.unix.beyondtrust.com-0266)
* Agent session started for user
"[email protected]". (pid=7787)
* Beginning Analysis Phase.
* Target:           pbul-qa-hpux11v3-01.unix.beyondtrust.com:/
* Target logfile:
pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/adm/sw/swagent.log
* Reading source for file information.
*     Configured    PowerBroker-hpia64.SUBMITHOST,l=/,r=9.4.3.18
*     Configured    PowerBroker-hpia64.SHAREDLIBS,l=/,r=9.4.3.18
*     Configured    PowerBroker-hpia64.RUNHOST,l=/,r=9.4.3.18
*     Configured    PowerBroker-Cfg.CLIENT1,l=/,r=9.4.3.18
* Summary of Analysis Phase:
Verified      PowerBroker-hpia64.SUBMITHOST,l=/,r=9.4.3.18
Verified      PowerBroker-hpia64.SHAREDLIBS,l=/,r=9.4.3.18
Verified      PowerBroker-hpia64.RUNHOST,l=/,r=9.4.3.18
Verified      PowerBroker-Cfg.CLIENT1,l=/,r=9.4.3.18
* 4 of 4 filesets had no Errors or Warnings.
* The Analysis Phase succeeded.
=======  05/26/17 16:52:17 PDT  END verify AGENT SESSION (pid=7787)
(jobid=pbul-qa-hpux11v3-01.unix.beyondtrust.com-0266)
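
The verification step above can be checked mechanically rather than by reading the log. The following script is an added example, not part of the vendor documentation: it audits the text of a `swjob -a log` verify log, and the function names, the constructed failing log, and the choice to treat any line tagged `ERROR:` or `WARNING:` as a failure are assumptions of this example.

```shell
#!/bin/sh
# Added example (not vendor code): audit a saved "swjob -a log <jobid>"
# verify log so a fileset that failed verification cannot go unnoticed.

# check_verify_log FILESET...   (log text is read from stdin)
# Exit status 0 only if every named fileset has a "Verified" line, every
# "N of M filesets had no Errors or Warnings" summary has N equal to M,
# and no line is tagged ERROR: or WARNING: (an assumption of this example).
check_verify_log() {
    awk -v want="$*" '
        BEGIN { n = split(want, expected, " "); bad = 0; summaries = 0 }
        # Summary entries look like: Verified <fileset>,l=/,r=<revision>
        $1 == "Verified" { split($2, parts, ","); verified[parts[1]] = 1 }
        # Phase summary looks like: * 4 of 4 filesets had no Errors or Warnings.
        /filesets had no Errors or Warnings/ {
            summaries++
            if ($2 != $4) {
                printf "FAIL: only %s of %s filesets clean\n", $2, $4
                bad = 1
            }
        }
        /^[ \t]*(ERROR|WARNING):/ { printf "FAIL: %s\n", $0; bad = 1 }
        END {
            for (i = 1; i <= n; i++)
                if (!(expected[i] in verified)) {
                    printf "FAIL: %s not verified\n", expected[i]
                    bad = 1
                }
            if (summaries == 0) { print "FAIL: no phase summary found"; bad = 1 }
            exit bad
        }
    '
}

# Verify agent log lines copied from the swjob output shown above.
sample_ok_log() {
    cat <<'EOF'
* Beginning Analysis Phase.
* Reading source for file information.
*     Configured    PowerBroker-hpia64.SUBMITHOST,l=/,r=9.4.3.18
*     Configured    PowerBroker-hpia64.SHAREDLIBS,l=/,r=9.4.3.18
*     Configured    PowerBroker-hpia64.RUNHOST,l=/,r=9.4.3.18
*     Configured    PowerBroker-Cfg.CLIENT1,l=/,r=9.4.3.18
* Summary of Analysis Phase:
Verified      PowerBroker-hpia64.SUBMITHOST,l=/,r=9.4.3.18
Verified      PowerBroker-hpia64.SHAREDLIBS,l=/,r=9.4.3.18
Verified      PowerBroker-hpia64.RUNHOST,l=/,r=9.4.3.18
Verified      PowerBroker-Cfg.CLIENT1,l=/,r=9.4.3.18
* 4 of 4 filesets had no Errors or Warnings.
* The Analysis Phase succeeded.
EOF
}

# Constructed failing log (not real swverify output): one fileset is
# missing from the Verified list and the summary count is short.
sample_bad_log() {
    cat <<'EOF'
* Beginning Analysis Phase.
* Reading source for file information.
ERROR:   (constructed) fileset PowerBroker-hpia64.RUNHOST failed verification
* Summary of Analysis Phase:
Verified      PowerBroker-hpia64.SUBMITHOST,l=/,r=9.4.3.18
Verified      PowerBroker-hpia64.SHAREDLIBS,l=/,r=9.4.3.18
Verified      PowerBroker-Cfg.CLIENT1,l=/,r=9.4.3.18
* 3 of 4 filesets had no Errors or Warnings.
EOF
}

# The four filesets the swinstall example above installs.
FILESETS="PowerBroker-Cfg.CLIENT1 PowerBroker-hpia64.RUNHOST PowerBroker-hpia64.SHAREDLIBS PowerBroker-hpia64.SUBMITHOST"

# $FILESETS is left unquoted on purpose so each name becomes one argument.
if sample_ok_log | check_verify_log $FILESETS; then
    echo "verify log clean"
fi
sample_bad_log | check_verify_log $FILESETS || echo "verify log needs review"
```

On a real host, pipe the output of the `swjob -a log` command for the verify job into `check_verify_log` in place of the sample functions.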

Sample of the uninstall process from a package installation

This section shows the execution of the HP-UX swremove utility to remove the Endpoint Privilege Management for Unix and Linux depots. First, swremove is used to uninstall Endpoint Privilege Management for Unix and Linux software from the host. Then, swremove is used to remove the Endpoint Privilege Management for Unix and Linux depots from the SD depot:

Example

# swremove PowerBroker-Cfg PowerBroker-hpia64
=======  05/27/17 09:54:20 PDT  BEGIN swremove SESSION
(non-interactive)
(jobid=pbul-qa-hpux11v3-01.unix.beyondtrust.com-0267)
* Session started for user
"[email protected]".
* Beginning Selection
* Target connection succeeded for
"pbul-qa-hpux11v3-01.unix.beyondtrust.com:/".
* Software selections:
PowerBroker-Cfg.CLIENT1,l=/,r=9.4.3.18,a=HP-UX_B.11.11/23/31_32/64_IA/PA,v=BeyondTrust
PowerBroker-hpia64.RUNHOST,l=/,r=9.4.3.18,a=HP-UX_B.11.23/31_64_IA,v=BeyondTrust
PowerBroker-hpia64.SHAREDLIBS,l=/,r=9.4.3.18,a=HP-UX_B.11.23/31_64_IA,v=BeyondTrust
PowerBroker-hpia64.SUBMITHOST,l=/,r=9.4.3.18,a=HP-UX_B.11.23/31_64_IA,v=BeyondTrust
* Selection succeeded.
* Beginning Analysis
* Session selections have been saved in the file
"/.sw/sessions/swremove.last".
* The analysis phase succeeded for
"pbul-qa-hpux11v3-01.unix.beyondtrust.com:/".
* Analysis succeeded.
* Beginning Execution
* The execution phase succeeded for
"pbul-qa-hpux11v3-01.unix.beyondtrust.com:/".
* Execution succeeded.
NOTE: More information may be found in the agent logfile using the
command "swjob -a log pbul-qa-hpux11v3-01.unix.beyondtrust.com-0267
@ pbul-qa-hpux11v3-01.unix.beyondtrust.com:/".
=======  05/27/17 09:54:26 PDT  END swremove SESSION (non-interactive)
(jobid=pbul-qa-hpux11v3-01.unix.beyondtrust.com-0267)
# swjob -a log pbul-qa-hpux11v3-01.unix.beyondtrust.com-0267 @ pbul-qa-hpux11v3-01.unix.beyondtrust.com:/
=======  05/27/17 09:54:20 PDT  BEGIN remove AGENT SESSION (pid=16901)
(jobid=pbul-qa-hpux11v3-01.unix.beyondtrust.com-0267)
* Agent session started for user
"[email protected]". (pid=16901)
* Beginning Analysis Phase.
* Target:  pbul-qa-hpux11v3-01.unix.beyondtrust.com:/
* Target logfile:
pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/adm/sw/swagent.log
* Reading source for file information.
* Summary of Analysis Phase:
* 4 of 4 filesets had no Errors or Warnings.
* The Analysis Phase succeeded.
* Beginning the Unconfigure Execution Phase.
* Filesets:         4
* Files:            111
* Kbytes:           91063
NOTE: Reading pb.cfg...
NOTE: Looking for SuperDaemons to configure...
NOTE: Finished looking for SuperDaemons to configure...
NOTE: Removing PowerBroker service definitions (if any) from /etc/services.
NOTE: Removing any PowerBroker definitions from SuperDaemon inetd file /etc/inetd.conf
NOTE: Reloading SuperDaemon Configurations...
NOTE: Done Reloading SuperDaemon Configurations...
* Beginning the Remove Execution Phase.
* Removing fileset "PowerBroker-Cfg.CLIENT1,l=/,r=9.4.3.18" (1 of 4).
* Removing fileset "PowerBroker-hpia64.RUNHOST,l=/,r=9.4.3.18" (2 of 4).
Removing /opt/pbul/scripts
* Removing fileset
"PowerBroker-hpia64.SHAREDLIBS,l=/,r=9.4.3.18" (3 of 4).
* Removing fileset
"PowerBroker-hpia64.SUBMITHOST,l=/,r=9.4.3.18" (4 of 4).
* Summary of Execution Phase:
* 4 of 4 filesets had no Errors or Warnings.
* The Execution Phase succeeded.
=======  05/27/17 09:54:26 PDT  END remove AGENT SESSION (pid=16901)
(jobid=pbul-qa-hpux11v3-01.unix.beyondtrust.com-0267)
# swremove -d PowerBroker-Cfg PowerBroker-hpia64
=======  05/27/17 09:56:54 PDT  BEGIN swremove SESSION
(non-interactive)
(jobid=pbul-qa-hpux11v3-01.unix.beyondtrust.com-0268)
* Session started for user
"[email protected]".
* Beginning Selection
* Target connection succeeded for
"pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw".
* Software selections:
PowerBroker-Cfg.CLIENT1,r=9.4.3.18,a=HP-UX_B.11.11/23/31_32/64_IA/PA,v=BeyondTrust
PowerBroker-hpia64.RUNHOST,r=9.4.3.18,a=HP-UX_B.11.23/31_64_IA,v=BeyondTrust
PowerBroker-hpia64.SHAREDLIBS,r=9.4.3.18,a=HP-UX_B.11.23/31_64_IA,v=BeyondTrust
PowerBroker-hpia64.SUBMITHOST,r=9.4.3.18,a=HP-UX_B.11.23/31_64_IA,v=BeyondTrust
* Selection succeeded.
* Beginning Analysis
* Session selections have been saved in the file
"/.sw/sessions/swremove.last".
* The analysis phase succeeded for
"pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw".
* Analysis succeeded.
* Beginning Execution
* The execution phase succeeded for
"pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw".
* Execution succeeded.
NOTE:    More information may be found in the agent logfile using the
command "swjob -a log pbul-qa-hpux11v3-01.unix.beyondtrust.com-0268
@ pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw".
=======  05/27/17 09:56:54 PDT  END swremove SESSION (non-interactive)
(jobid=pbul-qa-hpux11v3-01.unix.beyondtrust.com-0268)
# swjob -a log pbul-qa-hpux11v3-01.unix.beyondtrust.com-0268 @ pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw
=======  05/27/17 09:56:54 PDT  BEGIN remove AGENT SESSION (pid=17066)
(jobid=pbul-qa-hpux11v3-01.unix.beyondtrust.com-0268)
* Agent session started for user
"[email protected]". (pid=17066)
* Beginning Analysis Phase.
* Target:
pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw
* Target logfile:
pbul-qa-hpux11v3-01.unix.beyondtrust.com:/var/spool/sw/swagent.log
* Reading source for file information.
* Summary of Analysis Phase:
* 4 of 4 filesets had no Errors or Warnings.
* The Analysis Phase succeeded.
* Beginning the Remove Execution Phase.
* Filesets:  4
* Files:  111
* Kbytes: 91063
* Removing fileset "PowerBroker-Cfg.CLIENT1,r=9.4.3.18" (1 of 4).
* Removing fileset "PowerBroker-hpia64.RUNHOST,r=9.4.3.18" (2 of 4).
* Removing fileset "PowerBroker-hpia64.SHAREDLIBS,r=9.4.3.18" (3  of 4).
* Removing fileset "PowerBroker-hpia64.SUBMITHOST,r=9.4.3.18" (4 of 4).
* Summary of Execution Phase:
* 4 of 4 filesets had no Errors or Warnings.
* The Execution Phase succeeded.
=======  05/27/17 09:56:54 PDT  END remove AGENT SESSION (pid=17066)
(jobid=pbul-qa-hpux11v3-01.unix.beyondtrust.com-0268)

