pbdbutil

  • Version 8.5.0 and earlier: pbdbutil setting not available.
  • Version 9.0.0 and later: pbdbutil setting available.

Starting with version 9, Privilege Management for Unix and Linux uses database files for the storage of all the normal configuration files and scripts, plus data storage for a range of new facilities. The utility pbdbutil provides a command line tool to maintain all of these databases.

Due to the evolving nature of the pbdbutil command, its name will be changing to pbadmin in the future. To assist in this future transition a symbolic link called pbadmin is now automatically created for your convenience.

The command has global options that are used to carry out maintenance tasks on all databases, and more specific options that allow maintenance of specified databases. Each group of database options has its own usage/help:

pbdbutil [<options>] [ <file> <file> ...]
-y Use cached credentials for remote functionality.
-c <files(s)> Perform database integrity check.
-K <newkeypath> <file(s)> (Re)encrypt the database.
-O <oldkeypath> Specify the old database key file.
-C Output in CSV format instead of JSON.
-P Pretty print JSON output.
--auth <options...> Various authentication options.
-h Help on authentication options.
--info <options...> Various information options.
-h Help on info options.
--lic <options...> License Maintenance and Statistics options.
-h Help on License Maintenance and Statistics options.
--cfg <options...> Specify setting/config options.
-h Help on Setting/Configuration options.
--rbp <options...> Role Based Policy options.
-h Help on Role Based Policy options.
--reg <options...> Client Registration options.
-h Help on Client Registration options.
--evt <options...> Event options.
-h Help on Management Event options.
--rest <options...> REST keystore options.
-h Help on Management REST keystore options.
--sudo <options...> Sudo database options.
-h Help on Management sudo database options.
--svc <options...> Registry Name Service database options.
--dbsync <options...> Database Synchronization options.
--scache <options...> Registry Name Service cache options.
--fim <options...> File integrity monitor options.
--evtcache <options...> Event Log Cache options.
-h Help on Event Log Cache options.
--iocache <options...> IO Log Cache options.
-h Help on IO Log Cache options.
--iologidx <options...> IO Log Queue options.
-h Help on IO Log Queue options.
--intprod <options...> Integrated Product options.
-h Help on Integrated Product options.

Global Options

--check <file(s)...> Do an integrity check on the specified files. If the database(s) are encrypted it attempts to read the file using the database key specified in the pb.settings file.
<-c|--csv> By default all output messages and data are output in JSON format. This option specifies output in Comma Separated Values.
<-p|--pretty> When outputting data in JSON, pretty print the data in a more human-readable form.

<-K|--newkeypath> [<-O|--oldkeypath>] [<file(s)...>] Reencrypt database file(s) using the specified new key. If the old key path is not supplied it attempts to open the database file with the key specified in pb.settings file.
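
The integrity check and re-encryption options above, combined into one guarded procedure. This is an added example, not part of the product documentation: the PBDBUTIL variable and the rekey_db function are names chosen here, and it assumes the tool exits non-zero when a check or re-encryption fails.

```shell
#!/bin/sh
# Added example: guarded re-encryption of one database file.
# PBDBUTIL and rekey_db are names chosen for this sketch. Assumption: the
# tool exits non-zero when a check or re-encryption fails.
PBDBUTIL="${PBDBUTIL:-pbdbutil}"

# rekey_db <newkeypath> <oldkeypath> <dbfile>
# Prints the path of the pre-change backup on success.
rekey_db() {
    [ "$#" -eq 3 ] || { echo "usage: rekey_db <newkey> <oldkey> <db>" >&2; return 2; }
    newkey=$1; oldkey=$2; db=$3
    for f in "$newkey" "$oldkey" "$db"; do
        [ -r "$f" ] || { echo "cannot read: $f" >&2; return 2; }
    done

    # 1. Do not re-encrypt a database that already fails its integrity check.
    #    --check reads with the key named in pb.settings (the old key here).
    "$PBDBUTIL" --check "$db" >/dev/null ||
        { echo "integrity check failed, not re-encrypting: $db" >&2; return 3; }

    # 2. Keep a copy beside the original; cp -p preserves mode and timestamps.
    backup=$(mktemp "$db.prekey.XXXXXX") || return 4
    cp -p "$db" "$backup" || { rm -f "$backup"; return 4; }

    # 3. Re-encrypt, naming the old key explicitly with -O.
    if ! "$PBDBUTIL" -K "$newkey" -O "$oldkey" "$db" >/dev/null; then
        cp -p "$backup" "$db" && rm -f "$backup"
        echo "re-encryption failed, original restored: $db" >&2
        return 5
    fi

    # A post-change --check only passes once pb.settings names the new key,
    # so it is left to the operator. The backup is still under the old key.
    echo "$backup"
}
```

The backup remains readable with the old key, so remove it once the re-encrypted database has been verified against the new key.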

Setting/Configuration Options

These options provide methods to import, maintain and export the settings, configuration and key files that were traditionally kept in files in Privilege Management for Unix and Linux. These files can now be imported into a database, which provides versioning and change management, and methods to retrieve, update, and save settings and configuration across the enterprise in a secure manner using the Privilege Management for Unix and Linux REST services.

These options need to be specified after the --cfg option.

pbdbutil --cfg [<options>] [ <file> <file> ...]
-i [<file(s)>] Import/update all or specified .cfg file(s) in the database.
-m <msg> Specify message. Required when change management enabled.
-N Do not rename file on import.
-e [<files(s)>] Export all or specified .cfg file(s) in the database.
-e -o <outfile> <file> Export .cfg file from database and output to new file name.
--force Force the overwrite of the output file when exporting.
-V <ver|tag> Used with export .cfg file, but export given version or tag.
-D [<file(s)>] Diff all/specified file(s) with current exported file(s).
-V <from:to> Used to specify from/to versions to diff.
-V <ver|tag> Used to specify version or tag to diff.
-r <files(s)> Mark specified .cfg file(s) deleted in the database.
-l List all .cfg files in the database.
-s <[-|+]attribute> Sort the list of records by attribute (asc/desc).
-l <file(s)> List version information of .cfg file(s) in the database.
-t <tag> [<file(s)>] Tag .cfg file(s) in the database at current version.
-x <tag> [<file(s)>] Delete tag from .cfg file(s) in the database.
-k <encryption> <file(s)> Encrypt .cfg file(s) in the database.
-n [--force] <file(s)> Create new key file(s) in the database
-U Force unlock of locked cfg files in the database
-A <file> <svcgname> <...> Set file as being automatically synchronized within Service Group
-X <file> <svcgname> <...> Unset file as being automatically synchronized within Service Group
-L List synchronization configuration for cfg files in the database

-u <setting> <arg>[ <argN>] Set the setting in the current settings file.
-o <file> Set the setting in the specified settings file. -o needs to be used with -u.

-u '{"<setting>":"<val>",...}' Set the setting using JSON format.
-g <setting> --value Displays the value of the variable <setting> as set in /etc/pb.settings in a simple string format. Wildcards are allowed. If used, the output is in variable=value format.
-g <setting> Get the setting from the current settings file in JSON format.
-o <file> Get the setting from the specified settings file. -o needs to be used with -g.

-g --default <setting> Gets the default value of the variable <setting>. This is not the value in pb.settings, but the default value when the variable is not defined (or commented out) in pb.settings. The output is displayed in JSON format with all metadata.

The following displays the values in JSON format of the variable pbresttimeskew:
# pbadmin --cfg --default -g pbresttimeskew
{"disabled":true,"description":"Max time skew between hosts (sec)","default":60,"type":"number","gtype":4,"deprecated":false,"name":"pbresttimeskew"}

Wildcards are allowed. If used, the output is in variable=value format.

-g --default --value <setting> Displays the value of the variable in a simple string format.

For example, the following command gets the default variable value in simple string form:

pbadmin --cfg --default --value -g <var>

Wildcards are allowed. If used, the output is in variable=value format.

pbadmin --cfg --default -g \*
pbadmin --cfg --default -g pb\*

-g '["<setting1>"[,"<settingN>"]' Get the settings using JSON format.

-d <setting> Delete the setting in the current settings file.
-o <file> Delete the setting in the specified settings file. -o needs to be used with -d.
-d '["<setting1>"[,"<settingN>"]' Delete the settings using JSON format.

<-i|--import> <-m|--msg> <message> [<file(s)...>] Import specified settings, configuration or key files into the /etc/pb.db database. If Change Management is enabled, a message must be supplied to log in the audit event database. If no files are specified on the command line, all files that already exist in the database are checked and imported if required.

<-e|--export> [-f] [<file(s)...>]
<-e|--export> [-f] <-V|--version> <num|tag> [<file(s)...>]
<-e|--export> [-f] <-o|--output> <outfile> <file>
<-e|--export> [-f] <-V|--version> <num|tag> <-o|--output> <outfile> <file>

Export specified settings, configuration or key file(s) from the /etc/pb.db database. If no files are specified on the command line, all files that exist in the database are exported. Specific versions or tagged groups of files can be exported. If the output file(s) already exist, the -f parameter must be applied to force the overwrite of the existing file.

<-l|--list> List all the current files held in the /etc/pb.db database.
<-l|--list> [-j] [<file(s)...>] List all the versions of specified files held in the /etc/pb.db database. By default this is displayed in .csv, but can be displayed in JSON using the -j option.
<-t|--tag> <tag text> [<file(s)...>] Specify a tag for current versions of files that exist in the /etc/pb.db database. These files can then be exported as a tagged group to facilitate change sets of files.

If file names are not specified, all current versions are added to the tagged group.

<-d|--deltag> <tag text> [<file(s)...>] Remove the tag from files specified. If file names are not specified, the tag is removed from all files that exist in the /etc/pb.db database.
<-k|--encrypt> <algorithm> [<file(s)...>] Encrypt existing setting/configuration files in the /etc/pb.db database.
<-n|--newkey> [<file(s)...>] Create a new key file in the /etc/pb.db database.

License Management Options

As of version 10.0, License Management is centralized and can be carried out on the primary license server using the command pbadmin.

pbadmin --lic [<options>] ...
-u '{ param }' Update primary license server license where the { param } argument is the supplied JSON formatted license.
-u <path> Update primary license server license where <path> is the path to a file that contains the supplied JSON formatted license.
-G Retrieve the license string and attributes.

-l [<wildcard>] [-l] List client license usage summary. Supply an extra -l to detail service information.

-l '{ …
["fqdn" : "<wildcard>",]
["retired" : <true|false>,]
["updated_older" : <epoch>,]
["updated_newer" : <epoch>,]
["updated_older" : { "years" : n, "months" : n, "days" : n, "hours" : n }]
["updated_newer" : { "years" : n, "months" : n, "days" : n, "hours" : n }]

Alternatively specify a filter expression to list only those clients that match the filter.

-s <[-|+]attribute> Use -s to sort the list of records by attribute name (asc/desc).
-L [<service>] [-L] List client Service License Usage summary. Specify an extra -L to detail client information.

-r {"uuid" : "<uuid|wildcard>"}
-r {"uuid" : ["<uuid|wildcard>", "uuid", ...]}
-r {"fqdn" : "<fqdn|wildcard>"}
-r {"fqdn" : ["<fqdn|wildcard>", "fqdn", ...]}
--force

Retire client(s) by UUID or FQDN. Use --force to override the warning message.

-R Immediately refresh the license statistics from the primary license server.

Authentication Credential Cache Options

These options allow users of pbdbutil to cache credentials to facilitate working with remote services.

pbdbutil --auth [<options>] [ <file> <file> ...]
--login { "appid":"<appid>","appkey":"<appkey>"[,"svc":"<svc>"]} Cache specified appid/appkey credential for authentication.
--logout [{"key":"<key>"[,"svc":"<svc>"]}] Remove default or specified credential key from cache.
-l List cached credentials.
-h Help on auth options.

Information Options

These options provide various information about the current system configuration or status.

pbdbutil --info [<options>]
--fqdn [<hostname>] Get fully qualified name for this host or hostname.
--sched List Scheduler tasks.
--uuid Get the local hosts UUID.
--msgs Retrieve the Message Router statistics.
--restsvr Retrieve the REST Service statistics.
-h Help on info options.