Synchronize Policy Configuration and Other Configuration Files

Although all configuration databases are automatically synchronized across the Service Group, other configuration, such as Endpoint Privilege Management for Unix and Linux policy scripts and encryption keys, is not. Such files must be manually configured to synchronize across the Service Group. Only files that are kept within the standard configuration database (/etc/pb.db) on a primary server can be synchronized, so they must first be imported into that database, and synchronization then configured for them.

The pbdbutil utility has been enhanced to provide the new synchronization options:

Usage

pbdbutil --cfg [<options>] [ <file> <file> ...]
-A <file> <svcgname> <...> Set file as being automatically synchronized within Service Group.
-X <file> <svcgname> <...> Unset file as being automatically synchronized within Service Group.
-L List synchronization configuration for CFG files in the database.

Force Synchronize Configuration Files

Prior to EPM-UL version 22.3, not all versions of configuration files were synchronized to secondary servers, and file tags and file permissions were not synchronized at all.

Follow the steps below to clean up secondary servers and force synchronization of the configuration files, including the file tags and permissions of all versions of those files.

  1. On secondary servers, remove the existing pb.db and create a new one:
     mv /etc/pb.db /etc/pb.db.backup
     pbdbutil --cfg --reinit
  2. On primary servers, start a dbsync with the --force option:
     pbdbutil --dbsync -R <service group> --force
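The two steps above, wrapped as an added shell script that is not part of the BeyondTrust documentation. It adds the checks a practitioner would want around the raw commands: the old database is only moved aside once a non-clashing backup name is chosen, and a failed reinit restores the backup instead of leaving the secondary without a pb.db. It assumes pbdbutil is on PATH (or named in $PBDBUTIL) and that the database lives at /etc/pb.db unless a path is given; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the EPM-UL documentation. Assumes pbdbutil is on
# PATH or given in $PBDBUTIL, and that --reinit creates the database at the
# path passed to reinit_secondary_db (default /etc/pb.db).

PBDBUTIL="${PBDBUTIL:-pbdbutil}"

# reinit_secondary_db [db_path]
# Step 1 (run on every secondary): move the existing database to a backup
# that does not overwrite an earlier one, then create an empty database.
# Returns 0 on success, 1 if the backup failed, 2 if the reinit failed.
reinit_secondary_db() {
    db="${1:-/etc/pb.db}"
    backup="${db}.backup.$(date +%Y%m%d%H%M%S)"
    n=0
    # Never clobber a previous backup taken in the same second.
    while [ -e "$backup" ]; do
        n=$((n + 1)); backup="${db}.backup.$(date +%Y%m%d%H%M%S).$n"
    done

    if [ -e "$db" ]; then
        # The old database is the only copy until the primary re-syncs,
        # so refuse to continue if it cannot be moved aside.
        mv "$db" "$backup" || { echo "backup of $db failed" >&2; return 1; }
        echo "moved $db to $backup"
    else
        backup=""
        echo "no existing $db; creating a fresh one" >&2
    fi

    if ! "$PBDBUTIL" --cfg --reinit; then
        echo "pbdbutil --cfg --reinit failed" >&2
        # Put the previous database back so the host keeps working.
        if [ -n "$backup" ] && [ -e "$backup" ]; then mv "$backup" "$db"; fi
        return 2
    fi
    return 0
}

# force_sync_primary <service_group>
# Step 2 (run once on the primary after all secondaries are reinitialised):
# push every version of every file, with tags and permissions.
force_sync_primary() {
    [ -n "$1" ] || { echo "usage: force_sync_primary <service group>" >&2; return 1; }
    "$PBDBUTIL" --dbsync -R "$1" --force
}
```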

Synchronize Endpoint Privilege Management for Unix and Linux REST appkeys

Endpoint Privilege Management for Unix and Linux REST appkeys are often required to authenticate users and services on remote servers, and are specific to each host. However, to provide role-based access to servers across a Service Group, REST appkeys can now be marked as synchronized across the Service Group.

The host must be the primary of the specified Service Group to synchronize the appkeys.

Usage

pbdbutil --rest [<options>] [ <file> <file> ...]
-g <appid> [--svcgname <name>] [<acl> ...] Create a new Application key with ACLs. Specify --svcgname to synchronize the key across the Service Group.

Database Synchronization

dbsyncdb

  • Version 9.3.0 and earlier: dbsyncdb setting not available.
  • Version 9.4.0 and later: dbsyncdb setting available.

The dbsyncdb option specifies the full path to the Database Synchronization Summary Database. This file is created in databasedir by default, unless the file name starts with a slash (/).

Example
dbsyncdb /etc/pbdbsync.db
Default
dbsyncdb /opt/<prefix>pbul<suffix>/dbs/dbsync.db
Used On

All primary servers when Registry Name Server is enabled.

dbsyncrefresh

  • Version 9.3.0 and earlier: dbsyncrefresh setting not available.
  • Version 9.4.0 and later: dbsyncrefresh setting available.

The dbsyncrefresh option defines the interval in seconds between database synchronization tasks. Increasing this value lowers the load on primary servers, but increases the time before configuration changes are applied to secondary servers.

Example
dbsyncrefresh 360
Default
dbsyncrefresh 3600
Used On

All primary servers when Registry Name Server is enabled.

dbsyncloginterval

  • Version 9.3.0 and earlier: dbsyncloginterval setting not available.
  • Version 9.4.0 and later: dbsyncloginterval setting available.

The dbsyncloginterval option defines the interval in seconds between logging synchronization success and failure messages. Increasing this interval makes the REST log smaller, but provides slower feedback on the current status of Database Synchronization on any given host.

Example
dbsyncloginterval 360
Default
dbsyncloginterval 720
Used On

All primary servers when Registry Name Server is enabled.