AIX Package Installer

This section describes how to install Endpoint Privilege Management for Unix and Linux using a package installer for AIX v5.3, 6.1 and 7.0 on a POWER 64-bit computer. AIX package installers are compatible with or without workload partitions (WPARs). Use the AIX package installer if you want to install Endpoint Privilege Management for Unix and Linux using the AIX installp command.

The Endpoint Privilege Management for Unix and Linux AIX package installer that is described here is not compatible with the BeyondTrust Endpoint Privilege Management v5.x packages. If the BeyondTrust Endpoint Privilege Management v5.x packages are installed, you must remove them before installing the Endpoint Privilege Management for Unix and Linux AIX packages.

WPARs

If you have AIX v6.1 or higher, then you can use WPARs.

For more information about WPARs and propagating BeyondTrust AIX package installations to them, see the following:

Prerequisites

To use the AIX package installer, you must have the following:

  • Package tarball file for the appropriate Endpoint Privilege Management for Unix and Linux flavor
  • Root access or superuser privileges

The Endpoint Privilege Management for Unix and Linux AIX package installer does not support prefix or suffix installations.

Plan Your Installation

When preparing to use the Endpoint Privilege Management for Unix and Linux package installer, you should be familiar with the following concepts and restrictions:

Component packages: an Endpoint Privilege Management for Unix and Linux component package is an AIX backup file format (.bff) file that installs a portion of the Endpoint Privilege Management for Unix and Linux application. Endpoint Privilege Management for Unix and Linux component packages use a format of powerbroker.component-v.v.r.bb.bff, where:

  • v = major version
  • v = minor version
  • r = release
  • bb = build

Example: powerbroker.masterhost-6.2.0.05.bff

Component package or file names, with descriptions:

  • powerbroker.loghost-v.v.r.bb.bff: Contains the log host, pblogd, and man pages. powerbroker.common-v.v.r.bb.bff is a prerequisite for this package.
  • powerbroker-pbrest-v.v.r.bb-pv.arch.rpm: Contains REST API files.
  • powerbroker.rnssvr-v.v.r.bb.bff: Contains Registry Name Service files.
  • powerbroker.licsvr-v.v.r.bb.bff: Contains license server files.
  • powerbroker.sharedlibs-v.v.r.bb.bff: Contains the shared libraries: libcom_err.so.3.0, libcrypto.a, libgssapi_krb5.so.2.2, libk5crypto.so.3.1, libkrb5.so.3.3, liblber-2.5.a, libldap-2.5.a, libssl.a. powerbroker.common-v.v.r.bb.bff is a prerequisite for this package.
  • powerbroker.common-v.v.r.bb.bff: Contains the shared files and pbbench, pbcall, bencode, pbsum, man pages and pbinstall.8, and pbcreateaixcfgpkg.8. This package is a prerequisite for all the previously listed packages: powerbroker.masterhost, powerbroker.submithost, powerbroker.guihost, powerbroker.loghost and powerbroker.sharedlibs.
  • powerbroker.mlcommon-v.v.r.bb.bff: Contains the policy server log shared files, pblog, pbreplay, pbsyncd, pbsync, and man pages. This package is a prerequisite for powerbroker.masterhost-v.v.r.bb.bff and powerbroker.loghost-v.v.r.bb.bff.
  • powerbroker.masterhost-v.v.r.bb.bff: Contains the policy server host, pbcheck, pbkey, pbmasterd, pbpasswd, pbpatton, pbprint, and man pages. powerbroker.common-v.v.r.bb.bff is a prerequisite for this package.
  • powerbroker.runhost-v.v.r.bb.bff: Contains the run host and Endpoint Privilege Management for Unix and Linux utilities: pblocald, pbless, pbmg, pbnvi, pbumacs, pbvi, and man pages. powerbroker.common-v.v.r.bb.bff is a prerequisite for this package.
  • powerbroker.submithost-v.v.r.bb.bff: Contains the submit host and Endpoint Privilege Management for Unix and Linux shells, pbksh, pbsh, pbssh, pbrun, and man pages. powerbroker.common-v.v.r.bb.bff is a prerequisite for this package.

Which component packages are required depends on the type of Endpoint Privilege Management for Unix and Linux host you are creating, such as policy server host, log host, and so on. You can select the types of hosts in the pbinstall installation menu, as shown in the following table.

Menu selection, followed by the required components:

  • Install everything here (demo mode)? = Yes: powerbroker.masterhost-v.v.r.bb.bff, powerbroker.runhost-v.v.r.bb.bff, powerbroker.submithost-v.v.r.bb.bff, powerbroker.loghost-v.v.r.bb.bff, powerbroker.guihost-v.v.r.bb.bff, powerbroker.sharedlibs-v.v.r.bb.bff, powerbroker.common-v.v.r.bb.bff, powerbroker.mlcommon-v.v.r.bb.bff
  • Install Policy Server Host? = Yes: powerbroker.masterhost-v.v.r.bb.bff, powerbroker.common-v.v.r.bb.bff, powerbroker.mlcommon-v.v.r.bb.bff
  • Install Run Host? = Yes: powerbroker.runhost-v.v.r.bb.bff, powerbroker.common-v.v.r.bb.bff
  • Install Submit Host? = Yes: powerbroker.submithost-v.v.r.bb.bff, powerbroker.common-v.v.r.bb.bff
  • Install Log Host? = Yes: powerbroker.loghost-v.v.r.bb.bff, powerbroker.common-v.v.r.bb.bff, powerbroker.mlcommon-v.v.r.bb.bff
  • Install BeyondTrust built-in third-party libraries? = Yes: powerbroker.sharedlibs-v.v.r.bb.bff, powerbroker.common-v.v.r.bb.bff
  • Install Registry Name Services Server? [yes]: powerbroker.rnssvr-v.v.r.bb.bff
  • Install License Server? [yes]: powerbroker.licsvr-v.v.r.bb.bff
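
As an added example (not BeyondTrust code), the following POSIX shell pre-flight check maps host roles to the required component packages listed above, parses the powerbroker.component-v.v.r.bb.bff name format, and confirms the files are present before installp is run. The role labels and function names are hypothetical, and the same-version check assumes that all components come from one tarball.

```shell
# Added example, not vendor code. Role labels (policy, run, submit, log, libs,
# rns, lic) are hypothetical shorthand for the pbinstall menu selections.
# components_for ROLE...: required component names, prerequisites first.
components_for() {
    want=""
    for role in "$@"; do
        case $role in
            policy) want="$want common mlcommon masterhost" ;;
            run)    want="$want common runhost" ;;
            submit) want="$want common submithost" ;;
            log)    want="$want common mlcommon loghost" ;;
            libs)   want="$want common sharedlibs" ;;
            rns)    want="$want rnssvr" ;;
            lic)    want="$want licsvr" ;;
            *) echo "unknown role: $role" >&2; return 2 ;;
        esac
    done
    out=""
    for c in common mlcommon $want; do
        case " $want " in *" $c "*) ;; *) continue ;; esac     # not requested
        case " $out " in *" $c "*) ;; *) out="$out $c" ;; esac # de-duplicate
    done
    echo $out
}

# bff_version FILE: print v.v.r.bb from powerbroker.<component>-v.v.r.bb.bff.
bff_version() {
    base=${1##*/}
    case $base in powerbroker.*-*.bff) ;; *) return 1 ;; esac
    ver=${base##*-}; ver=${ver%.bff}
    echo "$ver" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' || return 1
    echo "$ver"
}

# check_packages DIR ROLE...: print the .bff files to install, in order. Fails if
# one is missing, duplicated, misnamed, or (assumption) differs in version.
check_packages() {
    dir=$1; shift
    comps=$(components_for "$@") || return 2
    seen=""; rc=0
    for c in $comps; do
        set -- "$dir"/powerbroker."$c"-*.bff   # unmatched glob stays literal
        { [ $# -eq 1 ] && [ -f "$1" ]; } ||
            { echo "missing or ambiguous: powerbroker.$c" >&2; rc=1; continue; }
        v=$(bff_version "$1") || { echo "bad name: $1" >&2; rc=1; continue; }
        : "${seen:=$v}"                        # first version found is the reference
        [ "$v" = "$seen" ] || { echo "version mismatch: $1" >&2; rc=1; }
        echo "$1"
    done
    return $rc
}
```

For example, check_packages /unzip-dir policy log prints the common and mlcommon files ahead of the masterhost and loghost files, and returns non-zero if any of them is absent from the directory.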

Configuration package: An AIX installation package that you create, named powerbroker.config[suffix], where suffix is user-defined. It contains the configuration files and installs the following files:

  • pb.settings: Hardcoded target location /etc/pb.settings
  • pb.cfg: Hardcoded target location /etc/pb.cfg
  • All the encryption keyfiles defined for networkencryption, eventlogencryption, iologencryption, reportencryption, policyencryption, and restkeyencryption
  • By default, two key files are created: pb.key and pb.rest.key
  • The sysadmin can define multiple encryption settings with different keyfiles in locations other than /etc. To upgrade and retain settings on the target machine, view all encryption settings in /etc/pb.settings and copy the files to the settings_files directory before running "pbinstall -z" and pbcreate*cfgpkg
  • pb.conf (for policy server hosts)
  • Man pages for the pbinstall and pbcreateaixcfgpkg programs

The Endpoint Privilege Management for Unix and Linux configuration package is created by the pbcreateaixcfgpkg program. The component packages must be installed before you install the configuration package.

Package name: Name of the installation package stored in the AIX database. For Endpoint Privilege Management for Unix and Linux package installations, this name is the same as the package file name without the .bff extension.

pbinstall program: To create the Endpoint Privilege Management for Unix and Linux settings files, you use the pbinstall program with the -z (settings only) option. pbinstall -z only creates the settings files and is incompatible with the following command line options:

Options incompatible with pbinstall -z:

  • -b: Runs pbinstall in batch mode.
  • -c: Skip the steps that process or update the Endpoint Privilege Management for Unix and Linux settings file.
  • -e: Runs install script automatically by bypassing the menu step of pbinstall.
  • -i: Ignores previous pb.settings and pb.cfg files.
  • -p: Sets the pb installation prefix.
  • -s: Sets the pb installation suffix.
  • -u: Installs the utility programs.
  • -x: Creates a log synchronization host (that is, installs pbsyncd).

When you execute pbinstall with the -z option, you can see two menu items that are not otherwise available:

  • Enter existing pb.settings path: Enables you to specify your own pb.settings file. pbinstall reads this settings file and populates the remaining menu choices. You can override some menu choices. If set to none, then pbinstall does not read a settings file. The remaining menu choices are populated with default values.
  • Enter directory path for settings file creation: Enables you to specify an alternative output directory for the settings files. The default directory is /unzip-dir/powerbroker/<version>/<flavor>/install/settings_files, where unzip-dir is the directory where the package tarball file was unzipped.

The behavior of pbinstall -z depends on whether certain additional command line options are specified:

  • If no other command line options are specified, pbinstall initially presents a short version of the installation menu (items 1–8 only). Depending on the choices you make in these items, further menu items become available.
  • If command line options -g, -l, -m, or -r are specified, pbinstall presents an expanded version of the installation menu that reflects the host types that you are configuring.

When running pbinstall with the -z option, the following menu items are preprogrammed and cannot be changed:

  • Install man pages?
  • Daemon location
  • Administration programs location
  • User programs location
  • GUI library directory
  • Policy include (sub) file directory
  • User man page location
  • Admin man page location
  • Policy filename
  • BeyondTrust built-in third-party library directory

In addition, the values of the following menu items determine the values of other menu items:

Options preset when running pbinstall -z. Setting the first menu option to Yes sets the listed values to Yes:

  • Install Policy Server Host? sets: Install Synchronization?; Synchronization can be initiated from this host?
  • Install Run Host? sets: Install Utilities?
  • Install Submit Host? sets: Install PBSSH?; Install pbksh?; Install pbsh?; Will this host use a Log Host?
  • Install Log Host? sets: Install Synchronization?; Synchronization can be initiated from this host?

If you plan to use Registry Name Service and are running pbinstall -z on a client host (non-primary server), you must perform client registration. This is necessary to properly set up the registry name service database. Client registration will also require that you collect from the Endpoint Privilege Management for Unix and Linux primary server the following information:

  • REST Application ID
  • REST Application Key
  • Primary server network name or IP address
  • Primary License Server REST TCP/IP port
  • Registration Client Profile name

If you are using the package installer to install Endpoint Privilege Management for Unix and Linux on a computer that already has an interactive Endpoint Privilege Management for Unix and Linux installation on it, see Installation Considerations for additional considerations.

RNS client registration: If Registry Name Services is enabled for Endpoint Privilege Management for Unix and Linux, each client host (after the first server installation) needs to be registered with the Primary Registry Name Server. When using package installers on a target host, a post-install configuration script (/opt/pbul/scripts/pbrnscfg.sh) is provided to be manually executed on that host to properly register it. This post-install configuration script asks for information about the Primary Registry Name Server, including the Application ID (appid), Application Key (appkey), address/domain name, and the REST TCP/IP port number. This is the same information provided during the client registration part of a pbinstall -z install which generates the settings file.

If you prefer a more convenient method of registering RNS clients, in which the post-install configuration script is non-interactive, Endpoint Privilege Management for Unix and Linux can save the relevant information in a hidden file during the settings-only run of pbinstall, bundle it with the configuration package, and automatically apply it to the target host when that package is installed. Be aware that this method is not secure; it is available if the security-convenience trade-off is acceptable. To enable it, refer to the question about the post-install configuration script that is displayed when you run pbinstall -z.

For more complete pbinstall command-line options, see Installation Programs.

Use Endpoint Privilege Management for Unix and Linux Packages on AIX WPARs

The Endpoint Privilege Management for Unix and Linux AIX package installer supports AIX WPARs in AIX v6.1 and higher. The primary operating system instance is referred to as the global WPAR. All WPARs that are not global are referred to as non-global WPARs.

AIX release v6.1 or higher is required. The use of WPARs is not supported on earlier releases. There are two types of WPARs:

  • Shared WPARs share some of the global environment’s file systems and are administered by the global environment.
  • Non-shared WPARs share none of the global environment’s file systems and are treated as stand-alone systems.

Installing Endpoint Privilege Management for Unix and Linux AIX packages on WPARs is very similar to installing these packages on AIX systems without WPARs.

For instructions, see Installation Procedure.

Overview of Steps

Using the Endpoint Privilege Management for Unix and Linux AIX package installer involves the following steps:

  1. Unpack the Endpoint Privilege Management for Unix and Linux package tarball file.
  2. Use the pbinstall program to create Endpoint Privilege Management for Unix and Linux settings files.
  3. Use the pbcreateaixcfgpkg program to create the Endpoint Privilege Management for Unix and Linux configuration package.
  4. Perform a package installation using the AIX installp command for any required components.
  5. Perform a package installation using the AIX installp command for the Endpoint Privilege Management for Unix and Linux configuration package.
  6. If Registry Name Service is enabled and you are installing on a non-primary server, run /opt/pbul/scripts/pbrnscfg.sh to register the host.

For more information, see Installation Procedure.