Licensing

Each time a user submits a request using pbrun or an administrator runs the File Integrity Monitor, Privilege Management for Unix and Linux will not accept requests from users.

As of version 10.0, a License String consists of a JSON (JavaScript Object Notation) string that details expiry, facilities, and services.

There are two types of licenses:

  • Temporary: The HostId attribute is set to temporary, and the license is installed automatically to allow customers to evaluate Privilege Management for Unix and Linux.
  • Standard: Supplied by BeyondTrust once a customer has purchased the product. A standard license has a HostId attribute that associates the license with the primary license server of the Privilege Management for Unix and Linux installation.

Temporary License String:
{"PBULPolClnts":20, "SudoPolClnts":20, "RBPClnts":20, "ACAClnts":1, "AKAClnts":20, "FIMClnts":20, "SOLRClnts":1, "Owner":"Temporary License", "Comment":"Temporary License", "AutoRetire":7, "Recycle":7, "Expires":"2018-03-11 00:00:00", "Terminates":"2018-04-10 00:00:00", "HostId":"temporary", "HMAC":"UtGE3tD6qK2UwutY3GFOqodjdq30pEDAW2cKb5/OaMc="}

A temporary license is installed automatically if a standard license is not provided when the primary license server is installed. It enables 20 client seats for all services and enables all facilities. The license is valid for 60 days.

When you request a standard license, you are asked to provide the output of pbadmin --info --uuid from the host that is to run the primary license service. This displays the UUID (Universal Unique Identifier) that identifies the host. From this, BeyondTrust can generate a license that is associated directly with the host, with the appropriate facilities and services. This can then be imported into the primary license server.

pbadmin --info --uuid Output:
7faf7681-4d42-4b69-00bf-dad93b4a3dfb

Standard License String:
{"PBULPolClnts":200, "SudoPolClnts":200, "RBPClnts":200, "ACAClnts":1, "AKAClnts":0, "FIMClnts":0, "SOLRClnts":1, "Owner":"My Company Corp", "Comment":"Standard License for My Company", "AutoRetire":7, "Recycle":7, "Expires":"2018-03-01 00:00:00", "Terminates":"2019-03-01 00:00:00", "HostId":"7faf7681-4d42-4b69-00bf-dad93b4a3dfb", "HMAC":"UtGE3tD6qK2UwutY3GFOqodjdq30pEDAW2cKb5/OaMc="}
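
A pre-import sanity check for the license string format shown above, as an added example that is not BeyondTrust code: it parses the JSON, compares HostId with the pbadmin --info --uuid output, and checks a given date against Expires and Terminates. The function name check_license, the list of required attributes and the exact-match HostId comparison are assumptions; the HMAC is not verified because the page does not describe how it is computed.

```python
import json
from datetime import datetime

# Sample input: the standard license string and host UUID shown on this page.
LICENSE = (
    '{"PBULPolClnts":200, "SudoPolClnts":200, "RBPClnts":200, "ACAClnts":1, '
    '"AKAClnts":0, "FIMClnts":0, "SOLRClnts":1, "Owner":"My Company Corp", '
    '"Comment":"Standard License for My Company", "AutoRetire":7, "Recycle":7, '
    '"Expires":"2018-03-01 00:00:00", "Terminates":"2019-03-01 00:00:00", '
    '"HostId":"7faf7681-4d42-4b69-00bf-dad93b4a3dfb", '
    '"HMAC":"UtGE3tD6qK2UwutY3GFOqodjdq30pEDAW2cKb5/OaMc="}')
HOST_UUID = "7faf7681-4d42-4b69-00bf-dad93b4a3dfb"
# Assumption: attributes this check insists on; the page gives no formal schema.
REQUIRED = ("Expires", "Terminates", "HostId", "HMAC", "AutoRetire", "Recycle")
DATE_FMT = "%Y-%m-%d %H:%M:%S"

def check_license(license_string, host_uuid, now):
    """Return (summary, problems) for a license string before it is imported."""
    try:
        lic = json.loads(license_string)
    except json.JSONDecodeError as exc:
        return {}, [f"not valid JSON: {exc.msg}"]
    if not isinstance(lic, dict):
        return {}, ["license string is not a JSON object"]
    problems = [f"missing attribute {key}" for key in REQUIRED if key not in lic]
    if problems:
        return {}, problems
    host_id = str(lic["HostId"])
    # Assumption: exact string match; a temporary license is not tied to a host.
    if host_id != "temporary" and host_id != host_uuid.strip():
        problems.append(f"HostId {host_id} does not match host UUID {host_uuid}")
    try:
        expires = datetime.strptime(lic["Expires"], DATE_FMT)
        terminates = datetime.strptime(lic["Terminates"], DATE_FMT)
    except (ValueError, TypeError):
        return {}, problems + ["Expires/Terminates not in YYYY-MM-DD HH:MM:SS form"]
    if terminates < expires:
        problems.append("Terminates is earlier than Expires")
    if now >= terminates:
        problems.append(f"past Terminates date {terminates}")
    elif now >= expires:
        problems.append(f"past Expires date {expires}, Terminates on {terminates}")
    # Seat counts are the attributes whose names end in "Clnts".
    seats = {key: val for key, val in lic.items() if key.endswith("Clnts")}
    return {"host_id": host_id, "seats": seats, "expires": expires}, problems

if __name__ == "__main__":
    info, problems = check_license(LICENSE, HOST_UUID, datetime(2018, 2, 1))
    print(info.get("seats"), problems or "no problems found")
```
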

pblicenserefresh

  • Version 9.3.0 and earlier: pblicenserefresh setting not available.
  • Version 9.4.0 and later: pblicenserefresh setting available.

The command line administration tool provides methods to update the license string, to list summary statistics and to retire clients to free up licenses.

All of the commands that list statistics can be run from any server that provides a service. All commands that update the database, such as updating the license itself or retiring clients, should be run on the primary license server:

pbadmin --lic -u '{ "PBULPolClnts":200, "SudoPolClnts":200, "RBPClnts":200, "ACAClnts":1, "AKAClnts":0, "FIMClnts":0, "SOLRClnts":1, "Owner":"My Company Corp", "Comment":"Standard License for My Company", "AutoRetire":7, "Recycle":7, "Expires":"2018-03-01 00:00:00", "Terminates":"2019-03-01 00:00:00", "HostId":"7faf7681-4d42-4b69-00bf-dad93b4a3dfb", "HMAC":"UtGE3tD6qK2UwutY3GFOqodjdq30pEDAW2cKb5/OaMc="}'

This command updates the installation with the license string provided by BeyondTrust to a standard license.

pbadmin --lic -G

Retrieves the full license string, detailing the entitlements and expiry of the license.

pbadmin --lic -l

Lists all of the clients that are currently licensed throughout the installation.

pbadmin --lic -L

Lists the summary statistics referenced by the Privilege Management for Unix and Linux service type.

pbadmin --lic -l '{ "retired": true }'

Lists all of the clients that are currently manually retired.

pbadmin --lic -l '{ "fqdn" : "*.mydom.com" }'

Lists all of the licensed clients that are in the mydom.com domain.

pbadmin --lic -l '{ "updated_older" : "2018-01-01" }'

Lists all of the clients that were last updated before the 1st of January 2018.

pbadmin --lic -l '{ "updated_older" : { "months" : 6 }}'

Lists all of the clients that were last updated 6 months or more ago.

pbadmin --lic -r '{ "uuid" : "7faf7681-4d42-4b69-00bf-dad93b4a3dfc" }' --force

Manually retires a client specified by its unique id.

pbadmin --lic -r '{ "updated_older" : { "days" : 120 }}' --force

Manually retires all clients that have not been updated in the last 120 days.

The pblicenserefresh option defines the interval in seconds between servers requesting license updates from the primary license server.

Example:
pblicenserefresh	86400

Default:
pblicenserefresh	300

Used on:
All primary policy servers when Registry Name Server is enabled

pblicenseretireafter

  • Version 9.3.0 and earlier: pblicenseretireafter setting not available.
  • Version 9.4.0 and later: pblicenseretireafter setting available.

The pblicenseretireafter option defines the interval in days after which clients that have not connected are retired.

The host license string provides the AutoRetire attribute, which details the minimum value for this setting. The pblicenseretireafter setting allows the configuration, in days, of values greater than this.

Example:
pblicenseretireafter	90

Default:
pblicenseretireafter	0

Used on:
All policy servers

licensehistory

  • Version 9.4.6 and earlier: licensehistory setting not available.
  • Version 10.0.0 and later: licensehistory setting available.

The licensehistory setting is configured on the primary license server, and is synchronized to all hosts that provide a service. If it is enabled, every license event is logged to the primary log server for detailed license information.

When licensehistory is set to yes, a new record is added to pbevent.db for every pbrun (or any other "client"), keeping track of every access on each host. This can grow the size of pbevent.db. Only enable licensehistory if you want every single access to the license database logged.

Example:
licensehistory	yes

Default:
licensehistory	no

Used on:
All servers

licenseservers

  • Version 9.4.6 and earlier: licenseservers setting not available.
  • Version 10.0.0 and later: licenseservers setting available.

The licenseservers setting details those hosts that are license servers. The primary license server is first in the list, with subsequent secondary license servers listed afterwards, in order of failover. If Registry Name Service is configured, this value should be an asterisk (*), denoting that the value is held within the service database. This setting should be consistent across Privilege Management for Unix and Linux, and is synchronized from the primary license server to other servers.

Example:
licenseservers	myhost1 myhost2

Default:
No default value

Used on:
All servers

licensestatsdb

  • Version 9.4.6 and earlier: licensestatsdb setting not available.
  • Version 10.0.0 and later: licensestatsdb setting available.

The licensestatsdb setting allows the specification of an absolute or relative path to the license database on server installations. If the path is relative, the absolute path is calculated using the databasedir setting. All of the license information, including the license itself, and client and service statistics, is stored in the database.

Example:
licensestatsdb	/mypath/pblicense.db

Default:
licensestatsdb	/opt/<prefix>pbul<suffix>/dbs/pblicense.db

Used on:
All servers

licensestatswq

  • Version 9.4.6 and earlier: licensestatswq setting not available.
  • Version 10.0.0 and later: licensestatswq setting available.

While processing license statistics or logging license events, temporary files are created to increase performance. These files are created with names derived from the licensestatswq setting.

Example:
licensestatswq	/mypath/pblicense_wq

Default:
licensestatswq	/opt/<prefix>pbul<suffix>/dbs/pblicense_wq

Used on:
All servers

licensestatswqnum

  • Version 9.4.6 and earlier: licensestatswqnum setting not available.
  • Version 10.0.0 and later: licensestatswqnum setting available.

While processing license statistics or logging license events, temporary files are created to increase performance. This setting specifies how many temporary files are to be created. Generally, unless performance issues are experienced, we recommend that this be kept to its default value. Minimum value of licensestatswqnum is 10 and maximum is 9999.

Example:
licensestatswqnum	1000

Default:
licensestatswqnum	999

Used on:
All servers

pblicensedblocktimeout

  • Version 9.4.6 and earlier: pblicensedblocktimeout setting not available.
  • Version 10.0.0 and later: pblicensedblocktimeout setting available.

This setting details the maximum delay, in milliseconds, that the database waits to attempt writing to the database. Generally, unless performance issues are experienced, we recommend that this be kept to its default value.

Example:
pblicensedblocktimeout	60000

Default:
pblicensedblocktimeout	10000

Used on:
All servers

pblicensequeuetimeouts

  • Version 9.4.6 and earlier: pblicensequeuetimeouts setting not available.
  • Version 10.0.0 and later: pblicensequeuetimeouts setting available.

This setting details various performance timeout values for use in the license statistics processing. Generally, unless performance issues are experienced, we recommend that this be kept to its default value.

Example:
pblicensequeuetimeouts	openread=10000,200,1.0 openwrite=10000,200,1.0 write=10000,200,1.0 lock=10000,200,1.0

Default:
No default value

Used on:
All servers

If you experience performance issues, please contact BeyondTrust Technical Support for more details on configuring this setting. For more information, please see www.beyondtrust.com/support.

freelicenseofautoretiredhosts

  • Version 10.3.2 and earlier: freelicenseofautoretiredhosts setting not available.
  • Version 21.1.0 and later: freelicenseofautoretiredhosts setting available.

The pblicenseretireafter setting and the AutoRetire attribute of the license string define the number of days after which clients that have not connected are marked as autoretired. A client that is autoretired is available at any time for reuse, and thus continues to consume a license.

Setting freelicenseofautoretiredhosts to no allows the aforementioned behavior to continue.

Setting freelicenseofautoretiredhosts to yes causes licenses used by autoretired client hosts to be released by putting them in long-term retirement. Requests coming from such client hosts are not accepted until after the “Recycle” period, which is the minimum number of days after a client is put in long-term retirement. However, this will allow brand-new client hosts to connect and use the freed license slots. This is the default behavior.

The freelicenseofautoretiredhosts setting is configured on the Primary License Server.

Example:
freelicenseofautoretiredhosts no

Default:
freelicenseofautoretiredhosts yes

Used on:
Primary License Server