Documentation

Shared libraries

When configured with Kerberos, SSL, LDAP, or PAM, EPM-UL requires the appropriate third-party libraries. The installation includes Kerberos, SSL, LDAP, and PAM libraries that are designed to work with EPM-UL.

We recommend you install these third-party libraries.

Note

The shared libraries for the following operating systems are not currently supported:

  • NCR
  • IRIX
  • OSF
  • QNX

Shared libraries for Kerberos

These settings are related to the shared libraries that are needed for Kerberos in EPM-UL.

sharedlibkrb5dependencies

  • Version 5.0.4 and earlier: sharedlibkrb5dependencies setting not available.
  • Version 5.1.0 and later: sharedlibkrb5dependencies setting available.

The libraries are listed in the order they are loaded (dependencies first). This setting should be used in either of the following circumstances:

  • The kerberos setting is set to yes, the pam setting is set to yes, and PAM uses Kerberos
  • The ssl setting is set to yes and the SSL libraries that are listed in the sharedlibssldependencies setting are dependent on the Kerberos libraries

By default, the shared libraries that are listed for this setting are the ones that are shipped with EPM-UL. However, you can replace them with libraries that are used by the PAM or SSL services that are installed on the EPM-UL host computer.

Example

sharedlibkrb5dependencies /usr/lib/beyondtrust/pb/libcom_err.so.3 /usr/lib/beyondtrust/pb/libk5crypto.so.3.1 /usr/lib/beyondtrust/pb/libkrb5.so.3.3 /usr/lib/beyondtrust/pb/libgssapi_krb5.so.2.2

Default

No default value

Used on

  • Log hosts
  • Policy server hosts
  • Submit hosts
  • Run hosts

loadkrb5libs

  • Version 5.2 and earlier: loadkrb5libs setting not available.
  • Version 6.0 and later: loadkrb5libs setting available.

The loadkrb5libs setting determines whether the libraries that are listed in the sharedlibkrb5dependencies setting are loaded at runtime even if the value of the kerberos setting is no. This setting is ignored when kerberos is set to yes. This setting is useful in certain cases where the operating system is configured to use Kerberos and the EPM-UL submitconfirmuser() function returns false even when the correct Kerberos password is supplied.

Example

loadkrb5libs yes

Default

loadkrb5libs no

Used on

  • Log hosts
  • Policy server hosts
  • Submit hosts
  • Run hosts

Shared libraries for SSL

The following setting is related to the shared libraries needed for SSL use.

loadssllibs

  • Version 6.2.5 and earlier: loadssllibs setting not available.
  • Version 6.2.6 and later: loadssllibs setting available.

The loadssllibs setting determines whether the libraries that are listed in the sharedlibssldependencies setting are loaded at runtime even if the value of the ssl setting is no. This setting is ignored when ssl is set to yes. This setting is useful in certain cases where the operating system is configured to use SSL and you need to force EPM-UL to load the SSL libraries.

Example

loadssllibs yes

Default

loadssllibs no

Used on

  • Log hosts
  • Policy server hosts
  • Submit hosts
  • Run hosts

sharedlibssldependencies

  • Version 5.0.4 and earlier: sharedlibssldependencies setting not available.
  • Version 5.1.0 and later: sharedlibssldependencies setting available.

The libraries are listed in the order they are loaded (dependencies first). This setting should be used in either of the following circumstances:

  • The ssl setting is set to yes
  • LDAP is used in the policy or by PAM and the LDAP libraries that are listed in the sharedlibldapdependencies setting are dependent on the SSL libraries

By default, the shared libraries listed for this setting are shipped with EPM-UL. However, you can replace them with libraries that are used by the SSL service that is installed on the EPM-UL host computer.

Example

sharedlibssldependencies /usr/lib/beyondtrust/pb/libcrypto.so.1.1 /usr/lib/beyondtrust/pb/libssl.so.1.1

Default

No default value

Used on

  • Log hosts
  • Policy server hosts
  • Submit hosts
  • Run hosts

Shared libraries for LDAP

The following setting is related to the shared libraries that are needed for LDAP use.

loadldaplibs

  • Version 6.2.5 and earlier: loadldaplibs setting not available.
  • Version 6.2.6 and later: loadldaplibs setting available.

The loadldaplibs setting determines whether the libraries that are listed in the sharedlibldapdependencies setting are loaded at runtime even if policy LDAP functions are not used. This setting is useful in certain cases where the operating system is configured to use LDAP and you need to force EPM-UL to load the LDAP libraries.

Example

loadldaplibs yes

Default

loadldaplibs no

Used on

  • Log hosts
  • Policy server hosts
  • Submit hosts
  • Run hosts

sharedlibldapdependencies

  • Version 5.0.4 and earlier: sharedlibldapdependencies setting not available.
  • Version 5.1.0 and later: sharedlibldapdependencies setting available.

The libraries are listed in the order they are loaded (dependencies first). This setting should be used in either of the following circumstances:

  • LDAP is used in the EPM-UL policy
  • The pam setting is set to yes and PAM is using LDAP

By default, the shared libraries that are listed for this setting are shipped with EPM-UL. However, you can replace them with libraries that are used by the LDAP service that is installed on the EPM-UL host computer.

Example

sharedlibldapdependencies /usr/lib/beyondtrust/pb/liblber-2.5.so.0.1.7 /usr/lib/beyondtrust/pb/libldap-2.5.so.0.1.7

Default

No default value

Used on

  • Log hosts
  • Policy server hosts
  • Submit hosts
  • Run hosts

Shared library directory location for AIX and HP (PA-RISC)

For AIX and HP (PA-RISC), the directory for installing third-party libraries must be in one of the following locations:

  • /usr/lib/symark/pb
  • /usr/lib
  • /lib
  • /usr/local/lib

If any other directory is specified, then it is rejected with an error message stating that you must use one of these four directory locations.

Shared library file name for AIX

The notation that is used on AIX to specify some libraries (Kerberos and LDAP) is different from other platforms. On AIX for third-party libraries that are archives, you also need to specify the shared object that is a member of the archive and add it to the file name.

Example

If libcom_err.a.3.0 is an archive and shr.0.3.0 is the actual shared object, then the file specification for the member of the archive is:

libcom_err.a.3.0(shr.0.3.0)

Note

For SSL, because the library is not an archive, it is not necessary to alter the file name.

Shared libraries for PAM

The following are the shared libraries needed for PAM use.

libpam

  • Version 5.2 and earlier: libpam setting not available.
  • Version 6.0 and later: libpam setting available.

libpam is a user-defined PAM library that EPM-UL uses as a first option in case the system does not use the standard default PAM libraries. The notation used for AIX to specify the OS-provided PAM library is the following:

/usr/lib/libpam.a(shr.o)

Example

libpam /lib/libpam.so.1

Default

No default value

Used on

  • Policy server hosts
  • Submit hosts
  • Run hosts
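The sections above describe three things a configuration reviewer has to verify by hand: which sharedlib*dependencies lists are actually loaded at startup (the protocol keyword or the matching load*libs override), the AIX archive(member) file notation used for Kerberos, LDAP and the libpam entry, and the four-directory rule for AIX and HP (PA-RISC). The following is an added example, not BeyondTrust's code, that checks all three over a constructed pb.settings fragment. The keyword semantics follow the page; the root-ownership and writability check, the FakeStat helper, the stat_fn hook and the platform names are assumptions introduced here.

```python
import os
import re
import stat
from collections import namedtuple

# Constructed pb.settings fragment (sample data, not from a real host).
SAMPLE_SETTINGS = """\
kerberos no
loadkrb5libs yes
ssl yes
pam no
sharedlibkrb5dependencies /usr/lib/beyondtrust/pb/libcom_err.so.3 /usr/lib/beyondtrust/pb/libk5crypto.so.3.1 /usr/lib/beyondtrust/pb/libkrb5.so.3.3 /usr/lib/beyondtrust/pb/libgssapi_krb5.so.2.2
sharedlibssldependencies /usr/lib/beyondtrust/pb/libcrypto.so.1.1 /usr/lib/beyondtrust/pb/libssl.so.1.1
sharedlibldapdependencies none
"""

# Directory rule for AIX and HP (PA-RISC). Assumption: both install prefixes
# that appear on the page (symark in the rule, beyondtrust in the examples) are accepted.
ALLOWED_DIRS_AIX_HP = ("/usr/lib/symark/pb", "/usr/lib/beyondtrust/pb", "/usr/lib", "/lib", "/usr/local/lib")

# AIX "archive(member)" notation, e.g. libcom_err.a.3.0(shr.0.3.0)
ARCHIVE_MEMBER = re.compile(r"^(?P<archive>[^()]+)\((?P<member>[^()]+)\)$")

# Minimal stand-in for os.stat_result so checks can run on constructed metadata.
FakeStat = namedtuple("FakeStat", "st_uid st_mode")


def parse_settings(text):
    """Return {keyword: [values]} from 'keyword value value ...' lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, *values = line.split()
        settings[keyword] = values
    return settings


def split_aix_member(spec):
    """'libcom_err.a.3.0(shr.0.3.0)' -> ('libcom_err.a.3.0', 'shr.0.3.0'); plain names -> (name, None)."""
    m = ARCHIVE_MEMBER.match(spec)
    if m:
        return m.group("archive"), m.group("member")
    return spec, None


def library_sets_to_load(settings):
    """Apply the load rules from the page: a dependency list is loaded when its
    protocol keyword is yes, or when the matching load*libs keyword forces it.
    LDAP use inside the policy is not visible in pb.settings, so only
    loadldaplibs is considered for the LDAP list."""
    def flag(key):
        return settings.get(key, ["no"])[0].lower() == "yes"

    def libs(key):
        vals = settings.get(key, [])
        return [] if vals == ["none"] else vals

    loaded = []
    if flag("kerberos") or flag("loadkrb5libs"):
        loaded += libs("sharedlibkrb5dependencies")
    if flag("ssl") or flag("loadssllibs"):
        loaded += libs("sharedlibssldependencies")
    if flag("loadldaplibs"):
        loaded += libs("sharedlibldapdependencies")
    return loaded


def check_library_spec(spec, platform, stat_fn=os.stat):
    """Return a list of problems for one library entry (empty list = OK).
    stat_fn is an assumed hook so the check can run against constructed metadata."""
    problems = []
    path, member = split_aix_member(spec)
    if platform in ("aix", "hpux-parisc") and os.path.dirname(path) not in ALLOWED_DIRS_AIX_HP:
        problems.append(f"{path}: not in an allowed directory")
    if platform == "aix" and member is None and re.search(r"\.a(\.|$)", path):
        problems.append(f"{path}: AIX archive needs an archive(member) specification")
    try:
        st = stat_fn(path)
    except OSError:
        return problems + [f"{path}: file not found"]
    # Added defensive check (not from the page): a library that a privileged
    # process loads must be root-owned and not group/world writable.
    if st.st_uid != 0:
        problems.append(f"{path}: not owned by root")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{path}: group or world writable")
    return problems


def validate(text, platform, stat_fn=os.stat):
    """Map every library that will be loaded to its list of problems."""
    settings = parse_settings(text)
    return {lib: check_library_spec(lib, platform, stat_fn) for lib in library_sets_to_load(settings)}


def demo():
    """Run the validator on the constructed sample with constructed file metadata."""
    fake_fs = {
        "/usr/lib/beyondtrust/pb/libcom_err.so.3": FakeStat(0, 0o100755),
        "/usr/lib/beyondtrust/pb/libk5crypto.so.3.1": FakeStat(0, 0o100755),
        "/usr/lib/beyondtrust/pb/libkrb5.so.3.3": FakeStat(0, 0o100755),
        "/usr/lib/beyondtrust/pb/libgssapi_krb5.so.2.2": FakeStat(1000, 0o100755),  # wrong owner
        "/usr/lib/beyondtrust/pb/libcrypto.so.1.1": FakeStat(0, 0o100777),          # world writable
        "/usr/lib/beyondtrust/pb/libssl.so.1.1": FakeStat(0, 0o100755),
    }

    def fake_stat(path):
        if path not in fake_fs:
            raise FileNotFoundError(path)
        return fake_fs[path]

    return validate(SAMPLE_SETTINGS, "linux", fake_stat)


if __name__ == "__main__":
    for lib, problems in demo().items():
        print(lib, "OK" if not problems else "; ".join(problems))
```

In the sample, kerberos is no but loadkrb5libs is yes, so the Kerberos list is still loaded; the LDAP list is set to none and loadldaplibs is absent, so nothing LDAP-related is loaded. Running the same validator with platform "aix" on an entry such as /usr/lib/libcom_err.a.3.0(shr.0.3.0) accepts it, while the bare archive name without the member is flagged.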

Hardware security module (HSM)

EPM-UL, through its integration with the SafeNet Luna SA Hardware Security Module (HSM), provides the first privileged user management solution to use FIPS 140-2 Security Level 2-validated key storage services to achieve compliance with the most strict key storage requirements and standards.

EPM-UL supports the configuration of an SSL engine. An SSL engine is a plug-in mechanism for third parties to add extra cryptographic capabilities to SSL. The SSL engine must be properly configured according to the engine provider’s instructions.

The SSL library that ships with EPM-UL does not support using SSL engines. Therefore, to use an SSL engine, you must build your own set of SSL libraries. If you use Kerberos or LDAP, then you must also build your own set of those libraries.

The file name of the SSL engine shared object should be appended to the sharedlibssldependencies setting, and the engine ID should be specified using the sslengine keyword.

sslengine

  • Version 5.0.4 and earlier: sslengine setting not available.
  • Version 5.1.0 and later: sslengine setting available.

The sslengine setting specifies the SSL engine ID to use with the HSM. The value is case-sensitive.

Example

The following is an example pb.settings configuration when using the SafeNet Luna SA Hardware Security Module:

sharedlibkrb5dependencies none
sharedlibldapdependencies none
sharedlibssldependencies /usr/local/lunassl/lib/libcrypto.so.0.9.8 /usr/local/lunassl/lib/libssl.so.0.9.8 /usr/local/lunassl/lib/engines/liblunaca3.so
ssl yes
sslservercertfile /etc/pb/CERTS/safenet.crt
sslserverkeyfile /etc/pb/CERTS/safenet.key
sslengine LunaCA3

New SSL libraries with engine support are built and installed in the /usr/local/lunassl directory. Kerberos and LDAP are not in use. The engine ID is LunaCA3. The key file value is a name that is interpreted by the engine to access the private key on the HSM.

Default

No default value

Used on

  • Policy server hosts
  • Log hosts

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.