Upgrades and reinstallations in EPM-UL

The Endpoint Privilege Management for Unix and Linux (EPM-UL) installers are designed to enable easy upgrades of an installed version to a new version. During an upgrade, the current configuration can be retained or a new configuration can be put in place.

EPM-UL installation scripts pbinstall and pbmakeremotetar can also be used to perform upgrades and reinstallations.

If you want to return to an older version of EPM-UL or reinstall the current version with a different configuration, EPM-UL can be reinstalled to the current or older version without uninstalling, as long as the older version is 2.8.1 or later.

Pre-upgrade instructions

Before performing an upgrade or reinstallation, do the following:

  1. Obtain the new release, either on an ISO file or using FTP.
  2. Read the release notes and installation instructions.
  3. Determine the order for updating the policy server host machines. Note that pbrun clients need to be redirected to a new policy server host while their primary policy server host is updated. If your current installation includes policy server host failover machines, you may want to consider upgrading the policy server host failover machines first, followed by the submit hosts and run hosts, followed by the primary policy server hosts.

Note: The EPM-UL settings files on the policy server hosts may need to be updated as each policy server host is upgraded.

  4. If your current installation includes one or more policy server host failover machines, then ensure that the security policy files on the primary policy server host and the policy server host failover machines are synchronized.
  5. Verify the current location of the EPM-UL administration programs, user programs, and log files. This information is in the pb.cfg file (/etc/pb.cfg or pb/install/pb.cfg.{flavor}) and the settings file, /etc/pb.settings.
  6. If you do not have a recent backup of the host, or if it is imperative that no log entries are lost, create a save directory (for example, /var/tmp/pb.{rev_rel}) from which EPM-UL files can be restored if the upgrade fails. After creating the directory, copy (do not move) the files listed below to the save directory (a shell script can be created to copy the necessary files).

     EPM-UL files for all host types:
       - /etc/services
       - /etc/pb.settings
       - /etc/pb.cfg (and pb.cfg.* on older installations)
       - /etc/pb.key (if encryption is in use on the system)
       - pb* log files (typically in /var/adm, /var/log or /usr/adm)

     EPM-UL Policy Server files:
       - /opt/pbul/policies/pb.conf
       - All included Security Policy Sub Files
       - EPM-UL database files (contents of databasedir, which defaults to /opt/pbul/dbs)
       - /etc/inetd.conf (or your xinetd, launchd, or SMF configuration file)
       - Any event log or I/O log files to save

     EPM-UL Submit Host and Run Host files:
       - /etc/inetd.conf (or your xinetd, launchd, or SMF configuration file)

     EPM-UL Log Server files:
       - /etc/inetd.conf (or your xinetd, launchd, or SMF configuration file)
       - Any event log or I/O log files to save

     EPM-UL GUI Host files:
       - /etc/inetd.conf (or your xinetd, launchd, or SMF configuration file)

  7. Determine in which directories to install the new EPM-UL log files, administration programs, and user programs. If you choose different directories for the EPM-UL programs, you might need to update the path variable for the root user and other users.
  8. Be aware that users cannot submit monitored task requests while updates are in progress. Consider writing an EPM-UL configuration policy file that rejects all pbrun requests and prints a message to the user's screen stating that an upgrade is in progress.
  9. EPM-UL releases are always upward-compatible when encryption is not used. We recommend that you perform an uninstall if a release is replaced by a version older than 2.8.1.
  10. If you use an encrypted settings file and intend to do an upgrade or reinstall, then the unencrypted version of the settings file needs to be restored before performing an upgrade or reinstall; otherwise, the settings file cannot be read.
  11. If you have a previous installation of EPM-UL for v5.1 or earlier and your encryption is set to none, then when you install EPM-UL v5.2, all the encryption options (options 98 through 103) are set to none. You can change these options during installation.
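
The save-directory step above says a shell script can be created to copy the files. The following is an added example of such a script, not BeyondTrust code: it creates the save directory owner-only (the copy can include /etc/pb.key and the unencrypted settings file), copies rather than moves, and writes a hash manifest so the copy can be checked before a restore. The names pb_save, pb_verify and MANIFEST.sha256 are chosen for this example, and sha256sum is assumed to be installed.

```sh
#!/bin/sh
# Added example: save copy of EPM-UL files before an upgrade (not vendor code).
# Usage, as root:
#   sh pb_save.sh /var/tmp/pb.<rev_rel> /etc/services /etc/pb.settings /etc/pb.cfg ...
# Assumes sha256sum is installed; pb_save, pb_verify and MANIFEST.sha256 are
# names chosen for this example.

pb_save() (
    # The body runs in a subshell: umask and cd stay local, "exit" ends the function.
    # The copy may hold /etc/pb.key and the unencrypted settings file, so the
    # save directory is created owner-only.
    umask 077
    save_dir=$1; shift
    # Plain mkdir (no -p) fails if the path already exists, so a directory or
    # symlink planted in a shared location such as /var/tmp is never reused.
    mkdir "$save_dir" || exit 1
    for src in "$@"; do
        case $src in /*) ;; *) echo "need absolute path: $src" >&2; exit 1 ;; esac
        if [ ! -e "$src" ]; then
            echo "skip (not present on this host): $src" >&2
            continue
        fi
        # Recreate the source path under the save directory so a restore is unambiguous.
        dest_parent=$save_dir$(dirname "$src")
        mkdir -p "$dest_parent" || exit 1
        # Copy, never move; -p keeps mode and timestamps, -R covers directories
        # such as the database directory.
        cp -pR "$src" "$dest_parent/" || exit 1
    done
    cd "$save_dir" || exit 1
    # Hash manifest, used to confirm the copy is intact before restoring from it.
    find . -type f ! -name MANIFEST.sha256 -exec sha256sum {} + > MANIFEST.sha256
)

pb_verify() (
    cd "$1" && sha256sum -c MANIFEST.sha256 >/dev/null
)

if [ "$#" -ge 2 ]; then
    pb_save "$@"
fi
```

Run pb_verify on the save directory before restoring from it; a non-zero exit status means a saved file no longer matches the manifest.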

pbinstall install upgrades

To upgrade or reinstall EPM-UL with the same configuration as the currently installed version, run pbinstall in batch mode:

./pbinstall -b

If you reinstall to an older version, be aware that the older version may not have the same features as the newer version. In this case, the upgrade process discards the configuration of the features not available in the older version of EPM-UL. When you upgrade, make sure to configure the newer features when running pbinstall.

To change the configuration during the upgrade or reinstall, run pbinstall in interactive mode:

./pbinstall

The present configuration is read into pbinstall. Change the configuration and then use the c command to continue. pbinstall then installs EPM-UL with the new configuration.

Note: For step-by-step instructions for using pbinstall, see Step-by-Step Instructions for a Basic Installation Using pbinstall.

pbmakeremotetar install upgrades and reinstallations

Note: Starting in EPM-UL version 25.1.6, pbmakeremotetar is no longer supported.

Upgrading or reinstalling with pbmakeremotetar is the same process as installing with pbmakeremotetar, with one difference: in a pbinstall upgrade, the in-place files are backed up as sybak files during the upgrade process, whereas in a pbmakeremotetar upgrade or reinstall, the files are overwritten.

Post-upgrade instructions

To encrypt your settings file after upgrading EPM-UL, save a copy of the unencrypted file (for future upgrades) and re-encrypt the settings file.

Patch installations

Note: For information on how to perform a patch installation, see pbpatchinstall.

