pbregister | EPM-UL
Registers an EPM-UL client or secondary server to the primary license server.
The command line utility provides a method of retrieving default configuration and required data files from the primary license server to aid the initial install of the service.
pbregister is primarily used by the EPM-UL installer. We highly recommend using it directly only under the guidance of BeyondTrust Technical Support.
Syntax
- Version 9.0 and earlier: pbregister options not supported.
- Version 10.0.1 and later: pbregister options supported.
Usage
pbregister <options...>
Arguments
| Argument | Description |
|---|---|
| -a <application id> | The REST Application ID generated on the primary license server. Required to authenticate against the remote REST service. |
| -k <application key> | The REST Application Key generated on the primary license server. Required to authenticate against the remote REST service. |
| -n <hostname/address> | The TCP/IP address/domain name to contact the primary license server REST service. This is required. |
| -p <port> | The TCP/IP port to contact the primary license server REST service. If not specified, default is 24351. |
| -u <url> | Optional additional URL of primary license server. |
| -c <path> | Path to the libcurl shared libraries supplied by EPM-UL. Multiple libraries can be specified separated by a colon. |
| -s <path> | Path to the libcrypto and libssl shared libraries supplied by EPM-UL. Multiple libraries can be specified separated by a colon. |
| -N <profile> | The Registration Client Profile name, as defined in the primary license server database. If none is supplied the default profile is used. |
| -P <prefix> | The EPM-UL prefix. |
| -S <suffix> | The EPM-UL suffix. |
| -z | Set this host's name when registering with the Registry Name Service. |
| -g '[{"svcgname" : "<name>", "role" : "<primary/secondary/client>"},{...}]' | Register this host as given roles within specified service groups. |
| -R | Register with the Primary Registry Name Service. |
| -C | Create simple x509 certificate. |
| --x509 <certificateType> | In contrast to -C above, this will create a specific certificate type, as per the table below. Note that -X is the short form of --x509. |
| --cert <filename> | Name of the certificate file to be created (or read for its certtype or fingerprint). |
| --key <filename> | Name of the key file to be created. |
| --CAcert <filename> | Name of an existing CA certificate that will be used to verify a request for a new certificate. |
| --CAkey <filename> | Name of an existing CA key file used when creating a certificate on the same server as the CA. |
| --CAhash <sha256_hash> | SHA-256 hash of the primary server's root CA certificate, used when creating a certificate on a non-primary server. |
| --CAdn "<RDN1=Value1,RDN2=Value2,...>" | The Certificate Authority (CA) distinguished name (DN) used for certificate distribution. The value is a comma‑separated list of relative distinguished name (RDN) components (for example, CN=Example CA,O=Example Corp,C=US). |
| -L <certificateLifetimes> | When performing an installation with
For example:
specifies a 10-year lifetime for the root CA certificate, 5 years for subordinate CA certificates, 3 years for server certificates and 2 years for client certificates. |
| --sversion | Retrieve the version of the server against which this installation is being registered. If that version is before 26.1.0, then "unknown" will be returned. |
| -q | Run the command in quiet mode. Displays minimal feedback, and will not interact. |
| -v | --version |
certificateType options for --x509
The argument to --x509 specifies the certificate type and dictates the set of additional arguments that should be passed to pbregister:
- createROOTCA: Create certificate and private key for the Root Certificate Authority on the First/Primary Server. Sample additional arguments include:

  ```
  --x509 createROOTCA
  --key "/etc/pmul_root_ca.key"
  --cert "/etc/pmul_root_ca.pem"
  --CAdn "C=US,ST=AZ,L=Phoenix,O=BeyondTrust,OU=Security"
  -c <curlLibs>
  -s <sslLibs>
  [-L "<certificatelifetimes>" ]
  ```

- fetchCA: Non-Primary Servers Fetch Root Certificate Authority certificate. Sample additional arguments include:

  ```
  --x509 fetchCA
  --CAcert "/etc/pmul_root_ca.pem"
  --CAhash "<cafingerprint>"
  -n <regservername>
  -p <restport> // optional, defaults to 24351
  -c <curlLibs>
  -s <sslLibs>
  ```

- createLocalSUBCA: Create certificate and private key for the Subordinate Certificate Authority (subCA) (on registration servers). Some additional arguments include:

  ```
  --x509 createLocalSUBCA
  --key "/etc/pmul_ca.key"
  --cert "/etc/pmul_ca.pem"
  --CAkey "/etc/pmul_root_ca.key"
  --CAcert "/etc/pmul_root_ca.pem"
  --CAdn "C=US,ST=AZ,L=Phoenix,O=BeyondTrust,OU=Security"
  -c <curlLibs>
  -s <sslLibs>
  ```

- createSUBCA: Create certificate and private key for a subordinate CA on Non-Primary Servers that can act as Registration Servers. Some additional arguments include:

  ```
  --x509 createSUBCA
  --key "/etc/pmul_ca.key"
  --cert "/etc/pmul_ca.pem"
  -n <regservername>
  -a <appid>
  -k <appkey>
  -p <restport> // optional, defaults to 24351
  --CAdn "C=US,ST=AZ,L=Phoenix,O=BeyondTrust,OU=Security"
  -c <curlLibs>
  -s <sslLibs>
  ```

- LocalServerCert: Create certificate and private key for the EPM-UL servers on the First/Primary server. Some additional arguments include:

  ```
  --x509 LocalServerCert
  --key <private_key_path>
  --cert <cert_path>
  --CAkey "/etc/pmul_ca.key"
  --CAcert "/etc/pmul_ca.pem"
  --CAdn "C=US,ST=AZ,L=Phoenix,O=BeyondTrust,OU=Security"
  -c <curlLibs>
  -s <sslLibs>
  ```

- serverCert: Create certificate and private key for EPM-UL servers running on the non-primary server. Some additional arguments include:

  ```
  --x509 serverCert
  --key "/etc/pbsslkey.pem"
  --cert "/etc/pbssl.pem"
  -n <regservername>
  -a <appid>
  -k <appkey>
  -p <restport> // optional, defaults to 24351
  --CAdn "C=US,ST=AZ,L=Phoenix,O=BeyondTrust,OU=Security"
  -c <curlLibs>
  -s <sslLibs>
  ```

- LocalEndpointCert: Create endpoint certificate and private key for EPM-UL Servers having only pblocald on the first primary server. Some additional arguments include:

  ```
  --x509 LocalEndpointCert
  --key "/etc/pbsslkey.pem"
  --cert "/etc/pbssl.pem"
  --CAkey "/etc/pmul_ca.key"
  --CAcert "/etc/pmul_ca.pem"
  --CAdn "C=US,ST=AZ,L=Phoenix,O=BeyondTrust,OU=Security"
  -c <curlLibs>
  -s <sslLibs>
  ```

- endpointCert: Create endpoint certificate and private key for EPM-UL Servers having only pblocald on non-primary servers. Some additional arguments include:

  ```
  --x509 endpointCert
  --key "/etc/pbsslkey.pem"
  --cert "/etc/pbssl.pem"
  -n <regservername>
  -a <appid>
  -k <appkey>
  -p <restport> // optional, defaults to 24351
  --CAdn "C=US,ST=AZ,L=Phoenix,O=BeyondTrust,OU=Security"
  -c <curlLibs>
  -s <sslLibs>
  ```

- certtype: Get certificate type information. Note that this is also implemented via pbadmin --info --certtype <target_cert_path>. Some additional arguments for this pbregister command include:

  ```
  --x509 certtype
  --cert <target_certpath>
  --CAdn <cadn_str>
  -c <curlLibs>
  -s <sslLibs>
  ```

  Possible outputs returned include:

  | Output | Meaning |
  |---|---|
  | "invalid" | Invalid certificate file |
  | "unknown" | Customer or non-EPM-UL-default certificate |
  | "unknown_ca" | Customer or non-EPM-UL-default CA certificate |
  | "unknown_root_ca" | Customer or non-EPM-UL-default root CA certificate |
  | "unusable" | Customer self-signed certificate |
  | "legacy" | EPM-UL's old self-signed certificate |
  | "client" | New EPM-UL TLS certificate for client endpoints |
  | "server" | New EPM-UL TLS certificate for servers |
  | "secondary_ca" | New EPM-UL TLS certificate for a subordinate CA |
  | "ca" | New EPM-UL TLS certificate for a root CA |

- fingerprint: Get the SHA-256 hash of the root CA certificate. Some additional arguments include:

  ```
  --x509 fingerprint
  --cert <target_rootcacert_path>
  -c <curlLibs>
  -s <sslLibs>
  ```
RDN subcomponents for --CAdn
The --CAdn value is built from one or more of the relative distinguished name (RDN) components:
| RDN | Meaning | Example value |
|---|---|---|
| CN | Common Name | Example CA |
| O | Organization | Example Corp |
| OU | Organizational Unit | Security Team |
| C | Country | US |
| ST | State or Province | California |
| L | Locality (City or Region) | San Francisco |
Example
```bash
pbregister ... --CAdn "CN=Example CA,O=Example Corp,C=US"
```
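The argument formats documented on this page (the --CAdn RDN list, the --CAhash SHA-256 value and the -g service-group JSON) can be checked before pbregister is invoked, so that a malformed CA identity or trust anchor is caught before any certificate is created. The following Python pre-flight check is an added example, not BeyondTrust code: the function names are hypothetical, and tolerating colons in --CAhash and requiring a two-letter C value are assumptions of this checker, not documented pbregister behavior.

```python
import json
import re

RDN_TYPES = {"CN", "O", "OU", "C", "ST", "L"}   # RDN table on this page
ROLES = {"primary", "secondary", "client"}      # roles listed for -g

def check_cadn(dn):
    """Return a list of problems in a --CAdn string (empty list means OK)."""
    problems = []
    for part in dn.split(","):
        key, sep, value = part.partition("=")
        key = key.strip()
        if not sep:
            problems.append(f"{part!r}: expected RDN=Value")
        elif key not in RDN_TYPES:
            problems.append(f"{key!r}: not one of {sorted(RDN_TYPES)}")
        elif not value.strip():
            problems.append(f"{key}: empty value")
        elif key == "C" and not re.fullmatch(r"[A-Z]{2}", value):
            # Assumption: C holds a two-letter country code, as in the examples.
            problems.append("C: expected a two-letter country code")
    return problems

def check_cahash(value):
    """A SHA-256 digest is 64 hex digits; colon separators are tolerated here."""
    digits = value.replace(":", "")
    ok = re.fullmatch(r"[0-9A-Fa-f]{64}", digits)
    return [] if ok else ["--CAhash: not a 64-digit SHA-256 hex value"]

def check_groups(arg):
    """Validate the JSON array passed to -g (svcgname plus a known role)."""
    try:
        groups = json.loads(arg)
    except ValueError as exc:
        return [f"-g: invalid JSON ({exc})"]
    if not isinstance(groups, list) or not groups:
        return ["-g: expected a non-empty JSON array"]
    problems = []
    for i, g in enumerate(groups):
        role = g.get("role") if isinstance(g, dict) else None
        if not isinstance(g, dict) or not g.get("svcgname"):
            problems.append(f"-g[{i}]: missing svcgname")
        elif not isinstance(role, str) or role not in ROLES:
            problems.append(f"-g[{i}]: role must be one of {sorted(ROLES)}")
    return problems

if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    print(check_cadn("CN=Example CA,O=Example Corp,C=USA"))
```

An empty list from each function means the value has the documented shape; it does not confirm that the hash matches the primary server's root CA certificate.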