Sample Execution for the AIX Package Installer

The sample execution shows the installation of a Privilege Management for Unix and Linux submit host, run host, and shared libraries using the Privilege Management for Unix and Linux AIX package installer.

This sample execution is divided into the following parts:

  • Generate the Privilege Management for Unix and Linux settings files.
  • Create the Privilege Management for Unix and Linux configuration package using the pbcreateaixcfgpkg program.
  • Install the component packages using the installp -ad command.
  • Install the configuration package using the installp -ad command.
  • Use syncwpar to propagate additional AIX global environment packages to shared workload partitions (WPARs). WPARS are available with AIX v6.1 and higher.

Generate the Privilege Management for Unix and Linux Settings Files

This section of the execution shows the generation of the Privilege Management for Unix and Linux settings files (pb.key, pb.cfg, and pb.settings) and also displays the Privilege Management for Unix and Linux installation menu. This output was generated using the pbinstall program with the -z option.

# ./pbinstall -zlr
Starting pbinstall main() from /opt/bt_pkg/powerbroker/v9.4/pmul_aix52+_9.4.3-18/install/.
aix52+
WARNING:
When creating configuration packages to be installed on AIX WPARs, care
must be taken to set log file directories to WPAR-writable partitions.
The default AIX shared WPAR has the following read-only and/or shared
partitions, although configuration can vary:
	/usr /opt /proc
ThePrivilege Management for Unix and Linux log file default directory for AIX WPARs is '/var/adm'.
	 Privilege Management for Unix and Linux Settings File Generation
			 
Please read thePrivilege Management for Unix and Linux Installation Instructions before proceeding.
			 
Checking MANIFEST against release directory
			 
Press return to continue
The Registry Name Service ofPrivilege Management for Unix and Linux facilitates location of other services within the PBUL enterprise with the aid of a centralized data repository.
IMPORTANT: client registration is required if this is not the Primary Server and you intend to use Registry Name Services.
Do you wish to utilize Registry Name Service? [yes]? no BeyondTrust Privilege Management for Unix and Linux Installation Menu   
             Opt  Description                              [Value]
            1  Install Everything Here (Demo Mode)?         [no]
            2  Install License Server?                      [no]
            3  Install Registry Name Services Server?       [no]
            4  Install Client Registration Server?          [no]
            5  Install Policy Server Host?                  [yes]
            6  Install Run Host?                            [yes]
            7  Install Submit Host?                         [yes]
            8  Install PBSSH                                [yes]
            10  Install Log Host?                           [yes]
            11  Enable Logfile Tracking and Archiving?      [yes]
            12  Is this a Log Archiver Storage Server?      [no]
            13  Is this a Log Archiver Database Server?     [no]
            14  Install File Integrity Monitoring Polic...  [no]
            15  Install REST Services?                      [yes]
            16  List of License Servers                     [*]
            19  Path to Password Safe 'pkrun' binary        []
            23  Install Synchronization program?            [yes]
            25  Install Secure GUI Host?                    [yes]
            26  Install Utilities: pbvi, pbnvi, pbmg, p...  [yes]
            27  Install pbksh?                              [yes]
            28  Install pbsh?                               [yes]
            29  Install man pages?                          [no]
            30  Will this host use a Log Host?              [yes]
            31  AD Bridge Integration?                      [no]
            37  Integration with BeyondInsight?             [no]
            55  Synchronization program can be initiate...  [yes]
            56  Daemons location                            [/usr/sbin]
            57  Number of reserved spaces for submit pr...  [80]
            58  Administration programs location            [/usr/sbin]
            59  User programs location                      [/usr/local/bin]
            60  GUI library directory                       [/usr/local/lib/pbbuilder]
            61  Policy include (sub) file directory         [/opt/pbul/policies]
            62  Policy file name                            [/opt/pbul/policies/pb.conf]
            65  Log Archive Storage Server name             []
            67  Log Archiver Database Server name           []
            69  Logfile Name Cache Database file path?      [/opt/pbul/dbs/pblogcache.db]
            70  REST Service installation directory?        [/usr/lib/beyondtrust/pb/rest]
            71  Install REST API sample code?               [no]
            73  Pblighttpd user                             [pblight]
            75  Pblighttpd user UID                         []
            76  Pblighttpd user GID                         []
            78  Configure systemd?                          [yes]
            79  Command line options for pbmasterd          [-ar]
            80  Policy Server Delay                         [500]
            81  Policy Server Protocol Timeout              [-1]
            82  pbmasterd diagnostic log                    [/var/log/pbmasterd.log]
            83  Eventlog filename                           [/var/log/pb.eventlog]
            84  Configure eventlog rotation via size?       []
            85  Configure eventlog rotation path?           []
            86  Configure eventlog rotation via cron?       [no]
            87  Validate Submit Host Connections?           [no]
            88  List of Policy Servers to submit to         [kandor]
            89  pbrun diagnostic log?                       [none]
            90  pbssh diagnostic log?                       [none]
            91  Allow Local Mode?                           [yes]
            92  Additional secured task checks?             [no]
            93  Suppress Policy Server host failover er...  [yes]
            94  List of Policy Servers to accept from       [kandor]
            95  pblocald diagnostic log                     [/var/log/pblocald.log]
            96  Command line options for pblocald           []
            97  Syslog pblocald sessions?                   [no]
            98  Record PTY sessions in utmp/utmpx?          [yes]
            99  Validate Policy Server Host Connections?    [no]
            100  List of Log Hosts                          [kandor]
            101  Command line options for pblogd            []
            102  Log Host Delay                             [500]
            103  Log Host Protocol Timeout                  [-1]
            104  pblogd diagnostic log                      [/var/log/pblogd.log]
            105  List of log reserved filesystems           [none]
            106  Number of free blocks per log system fi... [0]
            107  Command line options for pbsyncd           []
            108  Sync Protocol Timeout                      [-1]
            109  pbsyncd diagnostic log                     [/var/log/pbsyncd.log]
            110  pbsync diagnostic log                      [/var/log/pbsync.log]
            111  pbsync sychronization time interval (in... [15]
            112  Add installed shells to /etc/shells        [no]
            113  pbksh diagnostic file                      [/var/log/pbksh.log]
            114  pbsh diagnostic file                       [/var/log/pbsh.log]
            115  Stand-alone pblocald command               [none]
            116  Stand-alone root shell default iolog       [/pbshell.iolog]
            117  Command line options for pbguid            []
            118  Command line options for secure pbsguid    []
            119  pbguid and pbsguid diagnostic log          [/var/log/pbguid.log]
            120  pbguid and pbsguid site configuration file [none]
            121  Use syslog?                                [yes]
            122  Syslog facility to use?                    [LOG_AUTHPRIV]
            123  Base Daemon port number                    [24345]
            124  pbmasterd port number                      [24345]
            125  pblocald port number                       [24346]
            126  pblogd port number                         [24347]
            127  pbguid port number                         [24348]
            128  Secure pbsguid port number                 [24349]
            129  pbsyncd port number                        [24350]
            130  REST Service port number                   [24351]
            131  Add entries to '/etc/services'             [yes]
            132  Allow non-reserved port connections        [yes]
            133  Inbound Port range                         [1025-65535]
            134  Outbound Port range                        [1025-65535]
            137  Network encryption options                 [aes-256:keyfile=/etc/pb.key]
            138  Event log encryption options               [none]
            139  I/O log encryption options                 [none]
            140  Report encryption options                  [none]
            141  Policy file encryption options             [none]
            142  Settings file encryption type              [none]
            143  REST API encryption options                [aes-256:keyfile=/etc/pb.re...]
            144  Configure with Kerberos v5?                [no]
            150  Enforce High Security Encryption?          [yes]
            151  Use SSL?                                   [yes]
            152  SSL Configuration?                         [requiressl]
            153  SSL pbrun Certificate Authority Directory? [none]
            154  SSL pbrun Certificate Authority File?      [none]
            155  SSL pbrun Cipher List?                     [HIGH:!SSLv2:!3DES:!MD5:@ST…]
            156  SSL pbrun Certificate Directory?           [none]
            157  SSL pbrun Certificate File?                [none]
            158  SSL pbrun Private Key Directory?           [none]
            159  SSL pbrun Private Key File?                [none]
            160  SSL pbrun Certificate Subject Checks?      [none]
            161  SSL Server Certificate Authority Direct... [none]
            162  SSL Server Certificate Authority File?     [none]
            163  SSL Server Cipher List?                    [HIGH:!SSLv2:!3DES:!MD5:@ST...]
            164  SSL Server Certificate Directory?          [none]
            165  SSL Server Certificate File?               [/etc/pbssl.pem]
            166  SSL Server Private Key Directory?          [none]
            167  SSL Server Private Key File?               [/etc/pbssl.pem]
            168  SSL Server Certificate Subject Checks?     [none]
            169  SSL Certificate Country Code               [US]
            170  SSL Certificate State/Province             [AZ]
            171  SSL Certificate Location (Town/City)       [Phoenix]
            172  SSL Certificate Organizational Unit/Dep... [Security]
            173  SSL Certificate Organization               [BeyondTrust]
            174  Configure Privilege Management for Unix... [no]
            175  Install BeyondTrust built-in third-part... [yes]
            176  BeyondTrust built-in third-party librar... [/usr/lib/beyondtrust/pb]
            188  Use PAM?                                   [no]
            196  Allow Remote Jobs?                         [yes]
            197  UNIX Domain Socket directory               [none]
            198  Reject Null Passwords?                     [no]
            199  Enable TCP keepalives?                     [no]
            200  Name Resolution Timeout                    [0]
            N for the next menu page, P for the previous menu page, C to continue, X to exit
Please enter a menu option [For technical support call 1-800-234-9072]> c
 
no such map in server's domain
No submitmasters was specified and no NIS netgroup called pbsubmitmasters found
Privilege Management for Unix and Linux needs to know the submitmasters(s) to work.
ThePrivilege Management for Unix and Linux programs need to know which Policy Server Host(s) you have
decided to allow to act as submitmaster(s) for this machine.
Submitmasters take requests for secured tasks from Submit Hosts,
accept or reject them, and pass the accepted requests to a Run Host.
To locate submitmasters, programs look for a setting in the settings file
containing the names of the submitmaster machines or a netgroup
called pbsubmitmasters.
	 
Enter Policy Server list (submitmasters):  aix52-ca012-05.unix.symark.com
no such map in server's domain
No acceptmasters was specified and no NIS netgroup called pbacceptmasters found
Privilege Management for Unix and Linux needs to know the acceptmasters(s) to work.
			 
ThePrivilege Management for Unix and Linux programs need to know which Policy Server Host(s) you have
decided to allow to request execution of secured tasks to this machine.
Hosts on the acceptmasters list are the Policy Server Hosts which are allowed
to make secured task requests to this machine.
				 
To do this, programs look for a setting in the settings file containing the
names of the acceptmasters machines or a netgroup called pbacceptmasters.
			 
Enter Incoming Policy Server list (acceptmasters):  aix52-ca012-05.unix.symark.com
no such map in server's domain
No log hosts was specified and no NIS netgroup called pblogservers foundPrivilege Management for Unix and Linux needs to know the log hosts(s) to work.
				 
ThePrivilege Management for Unix and Linux programs need to know which machine(s) you have selected as Log Host(s).  Log Hosts are hosts which Policy Servers
select for Run Hosts to do event and I/O logging.
				 
To do this, pbmasterd looks for the setting logservers in the settings
file. This setting contains the names of the Log Host machines or a netgroup.
				 
Current installation settings for Log Server(s):
			 
Enter Log Server list (logservers):  aix52-ca012-05.unix.symark.com
				 
Generating key file /opt/bt_pkg/powerbroker/v9.4/pmul_aix52+_9.4.3-18/install/settings_files/pb.key...
				 
Are all the installation settings correct [yes]?
Generating config file /opt/bt_pkg/powerbroker/v9.4/pmul_aix52+_9.4.3-18/install/settings_files/pb.cfg
Creating the settings file creation script
Running settings file creation script
Creating settings file /opt/bt_pkg/powerbroker/v9.4/pmul_aix52+_9.4.3-18/install/settings_files/pb.settings
Generated settings files are in directory: /opt/bt_pkg/powerbroker/v9.4/pmul_aix52+_9.4.3-18/install/settings_files
Privilege Management for Unix and Linux Settings File Generation completed successfully.