Update Endpoint Privilege Management for Unix and Linux with Update Packages

The Endpoint Privilege Management for Unix and Linux AIX package installer can be used to update an existing Endpoint Privilege Management for Unix and Linux installation to a new version. The existing Endpoint Privilege Management for Unix and Linux version should have been installed using the Endpoint Privilege Management for Unix and Linux package installer.

Update Package Considerations

Installing an Endpoint Privilege Management for Unix and Linux update package is similar to using the AIX package installer to install Endpoint Privilege Management for Unix and Linux for the first time. Keep these considerations in mind when you prepare to upgrade Endpoint Privilege Management for Unix and Linux:

  • Each release of Endpoint Privilege Management for Unix and Linux AIX update packages contains only the updated files. Therefore, a full Endpoint Privilege Management for Unix and Linux package installation (of the same major and minor version) must be performed before you can install an upgrade package. For example, before you can install update package version 9.2.1, you must have the full Endpoint Privilege Management for Unix and Linux package version 9.2.0 installed.
  • Each successive Endpoint Privilege Management AIX update package is cumulative; for example, update package version 9.4.1 contains all of the updates in update package version 9.4.0.
  • A newer release can introduce features that use new settings or configurations. In that case, an upgrade of the configuration package of Endpoint Privilege Management for Unix and Linux is also needed.
  • Update packages that have not been committed can be rejected. You cannot reject update packages that have been committed.
  • Committing a given update package requires prior or concurrent commit of earlier update packages.
  • The Endpoint Privilege Management for Unix and Linux configuration package does not contain any executable files and therefore does not need to be upgraded. However, if you are creating a new configuration package, you should create it with the same version of Endpoint Privilege Management for Unix and Linux as the component packages you are installing.

Update Package Procedure

Follow this procedure to update your installation of Endpoint Privilege Management for Unix and Linux using the update packages:

  1. Obtain the tarball file for the AIX update packages that are appropriate for your hardware. The tarball file name has the format pmul_<flavor>-v.v.r-bb-update_pkg.tar.Z, where:
    • <flavor> indicates the operating system and hardware architecture.
    • v.v.r is the major and minor version number and the release number.
    • bb is the build number.
  2. Extract the package files into the /unzip-dir/ directory by executing the following command:
    gunzip -c pmul_<flavor_version>-update_pkg.tar.Z | tar xvf -
  3. Navigate to the /unzip-dir/powerbroker/v<version>/<flavor>/install/ directory.
  4. Create the settings_files directory and change directory to that location.
  5. To retain or correctly update the settings of the current installation, copy the following files from the target installation host into the settings_files directory you created in step 4:
    • /etc/pb.settings
    • /etc/pb.cfg
    • encryption keys defined in pb.settings for networkencryption, eventlogencryption, iologencryption, reportencryption, policyencryption, and restkeyencryption settings (if enabled)

      In a default installation, there are typically 2 key files created: pb.key and pb.rest.key.

    • policy file defined in policyfile setting in pb.settings (if the target installation is a Policy Server)

      In a default installation, the policy file is located in /opt/pbul/policies/pb.conf.

  6. Execute the following command to verify and update the installation settings in the settings_files directory:
    ./pbinstall -z
  7. Create the upgrade configuration package by running the pbcreateaixcfgpkg utility:
    pbcreateaixcfgpkg -p suffix

    Use the current suffix of the installation to be upgraded. This is the suffix you provided during the initial package installation in step 8 of the Installation Procedure.

    Another way to find the suffix is to run the following command on the target installation host to get the list of packages installed:

    lslpp -l | grep powerbroker

    Identify the suffix of the Endpoint Privilege Management for Unix and Linux configuration package using this format:

    powerbroker.config<suffix>
  8. Navigate to the /unzip-dir/powerbroker/<version>/<flavor>/package/ directory.
  9. Run the AIX installp utility to install the Endpoint Privilege Management for Unix and Linux component package or packages by typing:
    installp -ad ./ powerbroker.package_name [v.v.r.bb] [powerbroker.package_name [v.v.r.bb] ... ]

    where:

    • package_name is the name of the Endpoint Privilege Management for Unix and Linux package to be installed.
    • v.v.r.bb (optional) is the version, release, and build number, for example, 9.4.1.03.
  10. Navigate to the /unzip-dir/powerbroker/<version>/<flavor>/install/ directory.
  11. Run the AIX installp command to install the Endpoint Privilege Management for Unix and Linux configuration package by typing:
    installp -ad ./ powerbroker.config<suffix>

    <suffix> is the suffix that is set when you create the Endpoint Privilege Management for Unix and Linux configuration package in step 7.

  12. Commit the update package by typing:
    installp -c powerbroker [v.v.r.bb]

    v.v.r.bb (optional) is the version, release, and build number, for example, 9.4.1.03.

  13. Verify the installation of the filesets with the AIX lslpp utility by typing:
    lslpp -al powerbroker.package_name

    package_name is the name of the Endpoint Privilege Management for Unix and Linux package that you installed.

Reject an Update Package

You can reject an update package that has been applied but not committed by typing:

installp -r powerbroker.package_name [v.v.r.bb]

where:

  • package_name is the name of the Endpoint Privilege Management for Unix and Linux package that you want to reject.
  • v.v.r.bb (optional) is the version, release, and build number, for example, 6.2.1.11.

After an update package has been committed, you cannot reject it.

Update Packages and WPARs

Installing update packages on workload partitions (WPARs) involves the same considerations as installing a baseline Endpoint Privilege Management for Unix and Linux package on WPARs.

For more information, see Installation Procedure.

Upgrade the Configuration Package

When upgrading the configuration package (cfg pkg), some settings and configuration files that are part of the package might need to be copied from the existing installation to the staging host.

Files included in the cfg package:

  • pb.settings: Hardcoded target location /etc/pb.settings.
  • pb.cfg: Hardcoded target location /etc/pb.cfg.
  • All the encryption key files defined for networkencryption, eventlogencryption, iologencryption, reportencryption, policyencryption, and restkeyencryption. By default, two key files are typically created:
    • pb.key
    • pb.rest.key

    The sysadmin can define encryption with different key files in locations other than /etc. Therefore, when upgrading, and to retain what is installed on the target machine, look at all the encryption settings in /etc/pb.settings. Copy the key files they reference to the settings_files directory before running pbinstall -z and pbcreate*cfgpkg.

  • Policy file if the target is a policy server.
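
The collection step described in step 5 of the update procedure and in the key-file note above, as an added shell example that is not the vendor's code: it reads pb.settings, lists every key file and the policy file it references (including ones outside /etc), and copies them into settings_files while keeping their permissions. The keyfile=<path> value syntax, the function names and the sample fragment are assumptions; check them against your own pb.settings.

```sh
# Added example, not vendor code. Assumes pb.settings holds "name value" lines,
# "#" starts a comment, and encryption values carry keyfile=<absolute path>.
ENC='networkencryption eventlogencryption iologencryption reportencryption policyencryption restkeyencryption'

# list_settings_files SETTINGS [CFG]: print each file to stage, one per line.
list_settings_files() {
    printf '%s\n%s\n' "$1" "${2:-/etc/pb.cfg}"
    awk -v names="$ENC" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) enc[a[i]] = 1 }
        /^[ \t]*#/ { next }
        { gsub(/"/, "") }                    # tolerate quoted values
        ($1 in enc) {
            for (i = 2; i <= NF; i++) {      # every value field on the line
                m = split($i, opt, ":")      # other ":" options are ignored
                for (j = 1; j <= m; j++)
                    if (opt[j] ~ /^keyfile=/) print substr(opt[j], 9)
            }
        }
        $1 == "policyfile" { print $2 }      # relevant on a Policy Server only
    ' "$1" | awk '!seen[$0]++'
}

# stage_settings_files SETTINGS DEST [CFG]: copy the listed files into DEST.
# Key files are secrets: DEST is created mode 700 and cp -p keeps file modes.
# Returns 0 if every file was copied, 1 if any was unreadable, 2 on copy error.
stage_settings_files() {
    ( umask 077; mkdir -p "$2" ) || return 2
    list_settings_files "$1" "${3:-/etc/pb.cfg}" | (
        missing=0
        while IFS= read -r f; do
            if [ -r "$f" ]; then
                cp -p "$f" "$2/" || exit 2
            else
                echo "not staged (missing or unreadable): $f" >&2
                missing=1
            fi
        done
        exit "$missing"
    )
}

# Constructed sample fragment (not from a real host) for trying the parser.
demo_settings() {
    printf '%s\n' '# constructed pb.settings fragment' \
        'networkencryption  aes-256:keyfile=/etc/pb.key' \
        'eventlogencryption none' \
        'iologencryption    aes-256:keyfile=/secure/keys/iolog.key' \
        'restkeyencryption  aes-256:keyfile=/etc/pb.rest.key' \
        'policyfile         /opt/pbul/policies/pb.conf'
}
```

On the target host, call `stage_settings_files /etc/pb.settings ./settings_files` before running pbinstall -z. A return value of 1 means some listed file was not copied and should be checked by hand, for example policyfile on a host that is not a Policy Server.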