EPM-UL Shared Libraries

When configured with Kerberos, SSL, LDAP, or PAM, EPM-UL requires the appropriate third-party libraries. The installation provides Kerberos, SSL, LDAP, and PAM libraries that are designed to work with EPM-UL. We recommended you install these third-party libraries.

The shared libraries for the following operating systems are not currently supported:
  • NCR
  • IRIX
  • OSF
  • QNX

Shared Libraries for Kerberos

These settings are related to the shared libraries that are needed for Kerberos in EPM-UL.

sharedlibkrb5dependencies

  • Version 5.0.4 and earlier: sharedlibkrb5dependencies setting not available.
  • Version 5.1.0 and later: sharedlibkrb5dependencies setting available.

The libraries are listed in the order they are loaded (dependencies first). This setting should be used in either of the following circumstances:

  • The kerberos setting is set to yes, the pam setting is set to yes, and PAM uses Kerberos
  • The ssl setting is set to yes and the SSL libraries that are listed in the sharedlibssldependencies setting are dependent on the Kerberos libraries

By default, the shared libraries that are listed for this setting are the ones that are shipped with EPM-UL. However, you can replace them with libraries that are used by the PAM or SSL services that are installed on the EPM-UL host computer.

sharedlibkrb5dependencies /usr/lib/beyondtrust/pb/libcom_err.so.3 /usr/lib/beyondtrust/pb/libk5crypto.so.3.1 /usr/lib/beyondtrust/pb/libkrb5.so.3.3 /usr/lib/beyondtrust/pb/libgssapi_krb5.so.2.2

Default

No default value

Used on

  • Log hosts
  • Policy server hosts
  • Submit hosts
  • Run hosts

loadkrb5libs

  • Version 5.2 and earlier: loadkrb5libs setting not available.
  • Version 6.0 and later: loadkrb5libs setting available.

The loadkrb5libs setting determines whether the libraries that are listed in the sharedlibkrb5dependencies setting are loaded at runtime even if the value of the kerberos setting is no. This setting is ignored when kerberos is set to yes.This setting is useful in certain cases where the operating system is configured to use Kerberos and the EPM-ULsubmitconfirmuser() function returns false even when the correct Kerberos password is supplied.

loadkrb5libs yes

Default

loadkrb5libs no

Used on

  • Log hosts
  • Policy server hosts
  • Submit hosts
  • Run hosts

Shared Libraries for SSL

The following setting is related to the shared libraries needed for SSL use.

loadssllibs

  • Version 6.2.5 and earlier: loadssllibs setting not available.
  • Version 6.2.6 and later: loadssllibs setting available.

The loadssllibs setting determines whether the libraries that are listed in the sharedlibssldependencies setting are loaded at runtime even if the value of the ssl setting is no. This setting is ignored when ssl is set to yes.This setting is useful in certain cases where the operating system is configured to use SSL and we need to force EPM-UL to load the SSL libraries.

loadssllibs yes
Default
loadssllibs no
Used on
  • Log hosts
  • Policy server hosts
  • Submit hosts
  • Run hosts

sharedlibssldependencies

  • Version 5.0.4 and earlier: sharedlibssldependencies setting not available.
  • Version 5.1.0 and later: sharedlibssldependencies setting available .

The libraries are listed in the order they are loaded (dependencies first). This setting should be used in either of the following circumstances:

  • The ssl setting is set to yes
  • LDAP is used in the policy or by PAM and the LDAP libraries that are listed in the sharedlibldapdependencies setting are dependent on the SSL libraries

By default, the shared libraries listed for this setting are shipped with EPM-UL. However, you can replace them with libraries that are used by the SSL service that is installed on the EPM-UL host computer.

sharedlibssldependencies /usr/lib/beyondtrust/pb/libcrypto.so.1.1 /usr/lib/beyondtrust/pb/libssl.so.1.1
Default

No default value

Used on
  • Log hosts
  • Policy server hosts
  • Submit hosts
  • Run hosts

Shared Libraries for LDAP

The following setting is related to the shared libraries that are needed for LDAP use.

loadldaplibs

  • Version 6.2.5 and earlier: loadldaplibs setting not available.
  • Version 6.2.6 and later: loadldaplibs setting available.

The loadldaplibs setting determines whether the libraries that are listed in the sharedlibldapdependencies setting are loaded at runtime even if policy LDAP functions are not used. This setting is useful in certain cases where the operating system is configured to use LDAP and we need to force EPM-UL to load the LDAP libraries.

loadldaplibs yes
Default
loadldaplibs no
Used on
  • Log hosts
  • Policy server hosts
  • Submit hosts
  • Run hosts

sharedlibldapdependencies

  • Version 5.0.4 and earlier: sharedlibldapdependencies setting not available.
  • Version 5.1.0 and later: sharedlibldapdependencies setting available .

The libraries are listed in the order they are loaded (dependencies first). This setting should be used in either of the following circumstances:

  • LDAP is used in the EPM-UL policy
  • The pam setting is set to yes and PAM is using LDAP

By default, the shared libraries that are listed for this setting are shipped with EPM-UL. However, you can replace them with libraries that are used by the LDAP service that is installed on the EPM-UL host computer.

sharedlibldapdependencies /usr/lib/beyondtrust/pb/liblber-2.5.so.0.1.7 /usr/lib/beyondtrust/pb/libldap-2.5.so.0.1.7
Default

No default value

Used on
  • Log hosts
  • Policy server hosts
  • Submit hosts
  • Run hosts

Shared Library Directory Location for AIX and HP (PA RISC)

For AIX and HP (PA-RISC), the directory for installing third-party libraries must be in one of the following locations:

  • /usr/lib/symark/pb
  • /usr/lib
  • /lib
  • /usr/local/lib

If any other directory is specified, then it is rejected with an error message stating that you must use one of these four directory locations.

Shared Library File Name for AIX

The notation that is used on AIX to specify some libraries (Kerberos and LDAP) is different from other platforms. On AIX for third-party libraries that are archives, you also need to specify the shared object that is a member of the archive and add it to the file name.

If libcom_err.a.3.0 is an archive and shr.0.3.0 is the actual shared object, then the file specification for the member of the archive is:
libcom_err.a.3.0(shr.0.3.0)

For SSL, because the library is not an archive, it is not necessary to alter the file name.

Shared Libraries for PAM

The following are the shared libraries needed for PAM use.

libpam

  • Version 5.2 and earlier: libpam setting not available.
  • Version 6.0 and later: libpam setting available.

libpam is a user-defined PAM library that EPM-UL uses as a first option in case the system does not use the standard default PAM libraries. The notation used for AIX to specify the OS-provided PAM library is the following:

/usr/lib/libpam.a(shr.o)
libpam /lib/libpam.so.1
Default

No default value

Used on
  • Policy server hosts
  • Submit hosts
  • Run hosts
  • Policy server hosts
  • Submit hosts
  • Run hosts

Hardware Security Module (HSM)

EPM-UL, through its integration with the SafeNet Luna SA Hardware Security Module (HSM), provides the first privileged user management solution to use FIPS 140-2 Security Level 2-validated key storage services to achieve compliance with the most strict key storage requirements and standards. EPM-UL supports the configuration of an SSL engine. An SSL engine is a plug-in mechanism for third parties to add extra cryptographic capabilities to SSL. The SSL engine must be properly configured according to the engine provider’s instructions.The SSL library that is shipped with EPM-UL does not support the use of SSL engines. Therefore, to use an SSL engine, you must build your own set of SSL libraries to support the SSL engine. If you use Kerberos or LDAP, then you must also build your own set of those libraries.The file name of the SSL engine shared object should be appended to the sharedlibssldependencies setting, and the engine ID should be specified using the sslengine keyword.

sslengine

  • Version 5.0.4 and earlier: sslengine setting not available.
  • Version 5.1.0 and later: sslengine setting available.

The sslengine setting specifies the SSL engine ID to be used with the HSM. The value is case-sensitive.

The following is an example pb.settings configuration when using the SafeNet Luna SA Hardware Security Module:
sharedlibkrb5dependencies none
    sharedlibldapdependencies none
    sharedlibssldependencies /usr/local/lunassl/lib/libcrypto.so.0.9.8
    /usr/local/lunassl/lib/libssl.so.0.9.8
    /usr/local/lunassl/lib/engines/liblunaca3.so
            
    ssl yes
    sslservercertfile /etc/pb/CERTS/safenet.crt
    sslserverkeyfile /etc/pb/CERTS/safenet.key

sslengine LunaCA3

New SSL libraries with engine support are built and installed in the /usr/local/lunassl directory. Kerberos and LDAP are not in use. The engine ID is LunaCA3. The key file value is a name that is interpreted by the engine to access the private key on the HSM.

Default

No default value

Used on
  • Policy server hosts
  • Log hosts
sharedlibkrb5dependencies /usr/lib/beyondtrust/pb/libcom_err.so.3 /usr/lib/beyondtrust/pb/libk5crypto.so.3.1 /usr/lib/beyondtrust/pb/libkrb5.so.3.3 /usr/lib/beyondtrust/pb/libgssapi_krb5.so.2.2

Default

No default value

Used on

  • Log hosts
  • Policy server hosts
  • Submit hosts
  • Run hosts

loadkrb5libs

  • Version 5.2 and earlier: loadkrb5libs setting not available.
  • Version 6.0 and later: loadkrb5libs setting available.

The loadkrb5libs setting determines whether the libraries that are listed in the sharedlibkrb5dependencies setting are loaded at runtime even if the value of the kerberos setting is no. This setting is ignored when kerberos is set to yes.This setting is useful in certain cases where the operating system is configured to use Kerberos and the EPM-ULEPM-L submitconfirmuser() function returns false even when the correct Kerberos password is supplied.

loadkrb5libs yes

Default

loadkrb5libs no

Used on

  • Log hosts
  • Policy server hosts
  • Submit hosts
  • Run hosts

Shared Libraries for SSL

The following setting is related to the shared libraries needed for SSL use.

loadssllibs

  • Version 6.2.5 and earlier: loadssllibs setting not available.
  • Version 6.2.6 and later: loadssllibs setting available.

The loadssllibs setting determines whether the libraries that are listed in the sharedlibssldependencies setting are loaded at runtime even if the value of the ssl setting is no. This setting is ignored when ssl is set to yes.This setting is useful in certain cases where the operating system is configured to use SSL and we need to force EPM-ULEPM-L to load the SSL libraries.

loadssllibs yes
Default
loadssllibs no
Used on
  • Log hosts
  • Policy server hosts
  • Submit hosts
  • Run hosts

sharedlibssldependencies

  • Version 5.0.4 and earlier: sharedlibssldependencies setting not available.
  • Version 5.1.0 and later: sharedlibssldependencies setting available .

The libraries are listed in the order they are loaded (dependencies first). This setting should be used in either of the following circumstances:

  • The ssl setting is set to yes
  • LDAP is used in the policy or by PAM and the LDAP libraries that are listed in the sharedlibldapdependencies setting are dependent on the SSL libraries

By default, the shared libraries listed for this setting are shipped with EPM-ULEPM-L. However, you can replace them with libraries that are used by the SSL service that is installed on the EPM-ULEPM-L host computer.

sharedlibssldependencies /usr/lib/beyondtrust/pb/libcrypto.so.1.1 /usr/lib/beyondtrust/pb/libssl.so.1.1
Default

No default value

Used on
  • Log hosts
  • Policy server hosts
  • Submit hosts
  • Run hosts

Shared Libraries for LDAP

The following setting is related to the shared libraries that are needed for LDAP use.

loadldaplibs

  • Version 6.2.5 and earlier: loadldaplibs setting not available.
  • Version 6.2.6 and later: loadldaplibs setting available.

The loadldaplibs setting determines whether the libraries that are listed in the sharedlibldapdependencies setting are loaded at runtime even if policy LDAP functions are not used. This setting is useful in certain cases where the operating system is configured to use LDAP and we need to force EPM-ULEPM-L to load the LDAP libraries.

loadldaplibs yes
Default
loadldaplibs no
Used on
  • Log hosts
  • Policy server hosts
  • Submit hosts
  • Run hosts

sharedlibldapdependencies

  • Version 5.0.4 and earlier: sharedlibldapdependencies setting not available.
  • Version 5.1.0 and later: sharedlibldapdependencies setting available .

The libraries are listed in the order they are loaded (dependencies first). This setting should be used in either of the following circumstances:

  • LDAP is used in the EPM-ULEPM-L policy
  • The pam setting is set to yes and PAM is using LDAP

By default, the shared libraries that are listed for this setting are shipped with EPM-ULEPM-L. However, you can replace them with libraries that are used by the LDAP service that is installed on the EPM-ULEPM-L host computer.

sharedlibldapdependencies /usr/lib/beyondtrust/pb/liblber-2.5.so.0.1.7 /usr/lib/beyondtrust/pb/libldap-2.5.so.0.1.7
Default

No default value

Used on
  • Log hosts
  • Policy server hosts
  • Submit hosts
  • Run hosts

Shared Library Directory Location for AIX and HP (PA RISC)

For AIX and HP (PA-RISC), the directory for installing third-party libraries must be in one of the following locations:

  • /usr/lib/symark/pb
  • /usr/lib
  • /lib
  • /usr/local/lib

If any other directory is specified, then it is rejected with an error message stating that you must use one of these four directory locations.

Shared Library File Name for AIX

The notation that is used on AIX to specify some libraries (Kerberos and LDAP) is different from other platforms. On AIX for third-party libraries that are archives, you also need to specify the shared object that is a member of the archive and add it to the file name.

If libcom_err.a.3.0 is an archive and shr.0.3.0 is the actual shared object, then the file specification for the member of the archive is:
libcom_err.a.3.0(shr.0.3.0)

For SSL, because the library is not an archive, it is not necessary to alter the file name.

Shared Libraries for PAM

The following are the shared libraries needed for PAM use.

libpam

  • Version 5.2 and earlier: libpam setting not available.
  • Version 6.0 and later: libpam setting available.

libpam is a user-defined PAM library that EPM-ULEPM-L uses as a first option in case the system does not use the standard default PAM libraries. The notation used for AIX to specify the OS-provided PAM library is the following:

/usr/lib/libpam.a(shr.o)
libpam /lib/libpam.so.1
Default

No default value

Used on
  • Policy server hosts
  • Submit hosts
  • Run hosts
  • Policy server hosts
  • Submit hosts
  • Run hosts

Hardware Security Module (HSM)

EPM-ULEPM-L, through its integration with the SafeNet Luna SA Hardware Security Module (HSM), provides the first privileged user management solution to use FIPS 140-2 Security Level 2-validated key storage services to achieve compliance with the most strict key storage requirements and standards. EPM-ULEPM-L supports the configuration of an SSL engine. An SSL engine is a plug-in mechanism for third parties to add extra cryptographic capabilities to SSL. The SSL engine must be properly configured according to the engine provider’s instructions.The SSL library that is shipped with EPM-ULEPM-L does not support the use of SSL engines. Therefore, to use an SSL engine, you must build your own set of SSL libraries to support the SSL engine. If you use Kerberos or LDAP, then you must also build your own set of those libraries.The file name of the SSL engine shared object should be appended to the sharedlibssldependencies setting, and the engine ID should be specified using the sslengine keyword.

sslengine

  • Version 5.0.4 and earlier: sslengine setting not available.
  • Version 5.1.0 and later: sslengine setting available.

The sslengine setting specifies the SSL engine ID to be used with the HSM. The value is case-sensitive.

The following is an example pb.settings configuration when using the SafeNet Luna SA Hardware Security Module:
sharedlibkrb5dependencies none
    sharedlibldapdependencies none
    sharedlibssldependencies /usr/local/lunassl/lib/libcrypto.so.0.9.8
    /usr/local/lunassl/lib/libssl.so.0.9.8
    /usr/local/lunassl/lib/engines/liblunaca3.so
            
    ssl yes
    sslservercertfile /etc/pb/CERTS/safenet.crt
    sslserverkeyfile /etc/pb/CERTS/safenet.key

sslengine LunaCA3

New SSL libraries with engine support are built and installed in the /usr/local/lunassl directory. Kerberos and LDAP are not in use. The engine ID is LunaCA3. The key file value is a name that is interpreted by the engine to access the private key on the HSM.

Default

No default value

Used on
  • Policy server hosts
  • Log hosts