pbdbutil, pbadmin
- Version 8.5.0 and earlier: pbdbutil not available.
- Version 9.0.0 and later: pbdbutil available.
Due to the evolving nature of the pbdbutil command, its name will be changing to pbadmin in the future. To assist in this future transition a symbolic link called pbadmin is now automatically created for your convenience.
The command has global options that are used to carry out maintenance tasks on all databases, and more specific options that allow maintenance of specified databases. Each group of database options have their own usage/help.
Usage
pbdbutil [<options>] [ <file> <file> ...]
Global Options
| -y | Use cached credentials for remote functionality. |
| -c <files(s)> | Perform database integrity check. |
| -K <newkeypath> <file(s)> | (Re)encrypt the database. |
| -O <oldkeypath> | Specify the old database key file. |
| -C | Output in CSV format instead of JSON. |
| -P | Pretty print JSON output. |
Authentication Options
| --auth <options...> | Various authentication options. |
| -h | Help on authentication options. |
Info Options
| --info <options...> | Various information options. |
| -h | Help on info options. |
License Maintenance and Statistics Options
| --lic <options...> | License Maintenance and Statistics options. |
| -h | Help on License Maintenance and Statistics options. |
Setting/Configuration/Key Options
| --cfg <options...> | Specify setting/config options. |
| -h | Help on Setting/Configuration options. |
Role Based Policy Options
| --rbp <options...> | Role Based Policy options. |
| -h | Help on Role Based Policy options. |
Client Registration Profile Options
| --reg <options...> | Client Registration options. |
| -h | Help on Client Registration options. |
Management Event Options
| --evt <options...> | Event options. |
| -h | Help on Management Event options. |
REST Keystore Options
| --rest <options...> | REST keystore options. |
| -h | Help on Management REST keystore options. |
Sudo Policy Database Options
| --sudo <options...> | Sudo database options. |
| -h | Help on Management sudo database options. |
Registry Name Service Database Options
| --svc <options...> | Registry Name Service database options. |
Database Synchronization Options
| --dbsync <options...> | Database Synchronization options. |
Registry Name Service Cache Options
| --scache <options...> | Registry Name Service cache options. |
File integrity Monitor Options
| --fim <options...> | File integrity monitor options. |
Event Log Cache Options
| --evtcache <options...> | Event Log Cache options. |
| -h | Help on Event Log Cache options. |
IO Log Cache Options
| --iocache <options...> | IO Log Cache options. |
| -h | Help on IO Log Cache options. |
IO Log Queue Options
| --iologidx <options...> | IO Log Queue options. |
| -h | Help on IO Log Queue options. |
Integrated Product Options
| --intprod <options...> | Integrated Product options. |
| -h | Help on Integrated Product options. |
Write Queue Status Options
| --wqstatus <options...> | Write queue status options. |
| -h | Help on Write Queue Status options. |
Global Options
| --check <file(s)...> | Do an integrity check on the specified files. If the database(s) are encrypted it attempts to read the file using the database key specified in the pb.settings file. |
| <-c|--csv> | By default all output messages and data is output in JSON format. This option specifies output in Comma Separated Values. |
| <-p|--pretty> | When outputting data in JSON pretty print the data in a more human readable form. |
|
<-K|--newkeypath> [<-O|--oldkeypath>] [<file(s)...>] |
Reencrypt database file(s) using the specified new key. If the old key path is not supplied it attempts to open the database file with the key specified in pb.settings file. |
Setting/Configuration Options
These options provide methods to import, maintain and export the settings, configuration and key files that were traditionally kept in files in EPM-UL. These files can now be imported into a database which provide versioning and change management, methods to retrieve, update, and save settings and configuration across the enterprise in a secure manner using the EPM-UL REST services.
These options need to be specified after the --cfg option.
Usage
pbdbutil --cfg [<options>] [ <file> <file> ...]
| --reinit | Reinit/upgrade the database. |
| -u <setting> <arg>[ <argN>] | Set the specified setting in the current settings file. |
| -o <file> | Set the specified setting in the specified settings file. |
| -u '{"<setting>":"<val>",...}' | Set the specified setting using JSON format. |
| --verify [<file>] | Verify the current or specified settings file. |
| --verify '{"<setting>":"<val>",...}' | Verify the specified settings using JSON format. |
| -g <setting> | Get the specified setting from the current settings file. |
| -o <file> | Get the specified setting from the specified settings file |
| --value | Display the value of the variable only. |
| --default |
Display the default value of the variable only. This is not the value in pb.settings, but the default value when the variable is not defined (or commented out) in pb.settings. The output is displayed in JSON format with all metadata. The following displays the values in JSON format of the variable pbresttimeskew:
# pbadmin --cfg --default -g pbresttimeskew {"disabled":true,"description":"Max time skew between hosts (sec)","default":60,"type":"number","gtype":4,"deprecated":false,"name":"pbresttimeskew"} The following command gets default variable value in simple string form:
# pbadmin --cfg --default --value -g <var> Wildcards are allowed. If used the output is in variable=value format.
# pbadmin --cfg --default -g \* # pbadmin --cfg --default -g pb\* |
| -g '["<setting1>"[,"<settingN>"]' | Get the specified setting(s) using JSON format. |
| -d <setting> | Delete the specified setting in the current settings file. |
| -o <file> | Delete the specified setting in the specified settings file. |
| -d '["<setting1>"[,"<settingN>"]' | Delete the specified setting(s) using JSON format. |
| -i [<file(s)>] | Import/update all or specified .cfg file(s) in the database. |
| -m <msg> | Specify message. Required when change management enabled. |
| -N | Do not rename file on import. |
| -e [<files(s)>] | Export all or specified .cfg file(s) in the database. |
| -e -o <outfile> <file> | Export .cfg file from database and output to new file name. |
| --force | Force the overwrite of the output file when exporting. |
| --lock | Lock/checkout the exported file in the database when exporting |
| -V <ver|tag> | Used with export .cfg file, but export given version or tag. |
| -D [<file(s)>] | Diff all/specified file(s) with current exported file(s). |
| -V <from:to> | Used to specify from/to versions to diff. |
| -V <ver|tag> | Used to specify version or tag to diff. |
| -r <files(s)> | Mark specified .cfg file(s) deleted in the database. |
| -l | List active .cfg files in the database. |
| -l | List all .cfg files in the database. |
| -l | List .cfg files and their current versions in the database |
| -s <[-|+]attribute> | Sort the list of records by attribute (asc/desc). |
| -l <file(s)> | List version information of .cfg file(s) in the database. |
| -t <tag> [<file(s)>] | Tag .cfg file(s) in the database at current version. |
| -x <tag> [<file(s)>] | Delete tag from .cfg file(s) in the database. |
| -k <encryption> <file(s)> | Encrypt .cfg file(s) in the database. |
| n [--force] <file(s)> | Create new key file(s) in the database |
| -K <files(s)> | Lock .cfg files in the database. |
| -U | Force unlock of locked cfg files in the database |
| -A <file> <svcgname> <...> | Set file as being automatically synchronized within Service Group |
| -X <file> <svcgname> <...> | Unset file as being automatically synchronized within Service Group |
| -L | List synchronization configuration for cfg files in the database |
|
-u <setting> <arg>[ <argN>] |
Set the setting in the current settings file. |
Descriptions
|
"<-i|--import>" "<-m|--msg>" "<message>" "[<file(s)...>]" |
Import specified settings, configuration or key files into the /etc/pb.db database. If Change Management is enabled, a message must be supplied to log in the audit event database. If no files are specified on the command line, all files that already exist in the database are checked and imported if required. |
|
<-e|--export> [-f] [<file (s)...>] <-e|--export> [-f] <-V|-- version> <num|tag> [<file (s)...>] <-e|--export> [-f] <-o|-- output> <outfile> <file> <-e|--export> [-f] <-V|--version> <num|tag> <-o|-- output> <outfile> <file> |
Export specified settings, configuration or key file(s) from the /etc/pb.db database. If no files are specified on the command line, all files that exist in the database are exported. Specific versions or tagged groups of files can be exported. If the output file(s) already exist the -f parameter must be applied to force the overwrite of the existing file. |
| <-l|--list> |
List all the current files held in the /etc/pb.db database. |
| <-l|--list> [-j] [<file (s)...>] | List all the versions of specified files held in the /etc/pb.db database. By default this is displayed in .csv, but can be displayed in JSON using the -j option. Specify a tag for current versions of files that exist in the /etc/pb.db database. These files can then be exported as a tagged group to facilitate change sets of files. |
| <-t|--tag> <tag text> [<file (s)...>] |
Specify a tag for current versions of files that exist in the /etc/pb.db database. These files can then be exported as a tagged group to facilitate change sets of files. If file names are not specified, all current versions are added to the tagged group. |
| <-d|--deltag> <tag text> [<file(s)...>] | Remove the tag from files specified. If file names are not specified, the tag is removed from all files that exist in the /etc/pb.db database. |
| <-k|--encrypt> <algorithm> [<file(s)...>] | Encrypt existing setting/configuration files in the /etc/pb.db database. |
| <-n|--newkey> [<file(s)...>] | Create a new key file in the/etc/pb.db database. |
License Management Options
These options are not available on EPM-L clients.
This command line administration tool provides methods to update the license string, to list summary statistics and to retire clients to free up licenses.
All of the commands that list statistics can be run from any server that provides a service. All commands that update the database, such as updating the license itself or retiring clients, should be run on the primary license server:
pbadmin --lic -u '{ "PBULPolClnts":200, "SudoPolClnts":200, "RBPClnts":200, "ACAClnts":1, "AKAClnts":0, "FIMClnts":0, "SOLRClnts":1, "Owner":"My Company Corp", "Comment":"Standard License for My Company", "AutoRetire":7, "Recycle":7, "Expires":"2018-03-01 00:00:00", "Terminates":"2019-03-01 00:00:00", "HostId":"7faf7681-4d42-4b69-00bfdad93b4a3dfb", "HMAC":"UtGE3tD6qK2UwutY3GFOqodjdq30pEDAW2cKb5/OaMc="}'
This command updates the installation with the license string provided by BeyondTrust to a standard license.
Usage
pbadmin --lic [<options>] ...
| -u '{ param }' | Update primary license server license where the { param } argument is the supplied JSON formatted license. |
| -u <path> | Update primary license server license where <path> is the path to a file that contains the supplied JSON formatted license. |
| -G | Retrieve the license string and attributes. |
| -l [<wildcard>] [-l] |
List client license usage summary. Supply an extra -l to detail service information. |
|
-l '{ … ["fqdn" : "<wildcard>",] ["retired" : <true|false>,] ["updated_older" : <epoch>,] ["updated_newer" : <epoch>,] ["updated_older" : { "years" : n, "months" : n, "days" : n, "hours" : n ] ["updated_newer" : { "years" : n, "months" : n, "days" : n, "hours" : n ] |
Alternatively specify a filter expression to list only those clients that match the filter.
|
| -s <[-|+]attribute> | Use -s to sort the list of records by attribute name (asc/desc). |
| -L [<service>] [-L] | List client Service License Usage summary. Specify an extra -L to detail client information. |
|
-r {"uuid" : "<uuid|wildcard>"} -r {"uuid" : ["<uuid|wildcard>", "uuid", ...]} -r {"fqdn" : "<fqdn|wildcard>"} -r {"fqdn" : ["<fqdn|wildcard>", "fqdn", ...]} --force |
Retire client(s) by UUID or FQDN. Use --force to over-ride warning message. |
| -R |
Immediately refresh the license statistics from the primary license server. |
| --wq <file> |
The license write queue file includes the following records:
|
Sample Commands
| pbadmin --lic -G |
Retrieves the full license string, detailing the entitlements and expiry of the license. |
| pbadmin --lic -l |
Lists all of the clients that are currently licensed throughout the installation. |
| pbadmin --lic -L |
Lists the summary statistics referenced by the EPM-UL service type. |
| pbadmin --lic -l '{ "retired": true }' |
Lists all of the clients that are currently manually retired. |
| pbadmin --lic -l '{ "fqdn" : "*.mydom.com" }' |
Lists all of the clients that have been licensed are in the mydom.com domain. |
| pbadmin --lic -l '{ "updated_older" : "2018-01-01" } |
Lists all of the clients that were last updated before the 1st of January 2018. |
| pbadmin --lic -l '{ "updated_older" : { "months" : 6 }}' |
Lists all of the clients that were last updated 6 months or more ago. |
| pbadmin --lic -r '{ "uuid" : "7faf7681-4d42-4b69-00bfdad93b4a3dfc" }' --force |
Manually retires a client specified by its unique id. |
| pbadmin --lic -r '{ "updated_older" : { "days" : 120 }}' --force |
Manually retires all clients that have not been updated in the last 120 days. |
Authentication Credential Cache Options
These options allow users of pbdbutil to cache credentials to facilitate working with remote services.
Usage
pbdbutil --auth [<options>] [ <file> <file> ...]
Auth Options
| --login { "appid":"<appid>","appkey":"<appkey"[,"svc":"<svc>"]} | Cache specified appid/appkey credential for authentication. |
| --logout [{"key":"<key>"[,"svc":"<svc>"]}] | Remove default or specified credential key from cache. |
| -l | List cached credentials. |
| -h | Help on auth options. |
Information Options
These options provide various information about the current system configuration or status.
Usage
pbdbutil --info [<options>]
Info Options
| --fqdn [<hostname>] | Get fully qualified name for this host or hostname. |
| --sched | List Scheduler tasks. |
| --uuid | Get the local hosts UUID. |
| --msgs [--level=<number> ] |
Retrieve the Message Router statistics. Set --level=2 to include additional debugging information:
|
| --timewrites <0|1> |
Use this option to log the time it takes to write the event to the configured destinations. The results are written to the configured pbrest.log file. To enable debugging, set --timewrites to 1. To turn debugging off, set --timewrites to 0. Use for brief periods as log file entries are generated in pbrest.log. |
| --restsvr | Retrieve the REST Service statistics. |
| -h | Help on info options. |
