Update Privilege Management for Unix and Linux with Update Packages

The Privilege Management for Unix and Linux AIX package installer can be used to update an existing Privilege Management for Unix and Linux installation to a new version. The existing Privilege Management for Unix and Linux version should have been installed using the Privilege Management for Unix and Linux package installer.

Update Package Considerations

Installing a Privilege Management for Unix and Linux update package is similar to using the AIX package installer to install Privilege Management for Unix and Linux for the first time. Keep these considerations in mind when you prepare to upgrade Privilege Management for Unix and Linux:

  • Each release of Privilege Management for Unix and Linux AIX update packages contains only the updated files. Therefore, a full Privilege Management for Unix and Linux package installation (of the same major and minor version) must be performed before you can install an upgrade package. For example, before you can install update package version 9.2.1, you must have the full Privilege Management for Unix and Linux package version 9.2.0 installed.
  • Each successive Privilege Management AIX update package is cumulative; for example, update package version 9.4.1 contains all of the updates in update package version 9.4.0.
  • A newer release can introduce features that use new settings or configurations. In which case, an upgrade of the configuration package of Privilege Management for Unix and Linux is also needed.
  • Update packages that have not been committed can be rejected. You cannot reject update packages that have been committed.
  • Committing a given update package requires prior or concurrent commit of earlier update packages.
  • The Privilege Management for Unix and Linux configuration package does not contain any executable files and therefore does not need to be upgraded. However, if you are creating a new configuration package, you should create it with the same version of Privilege Management for Unix and Linux as the component packages you are installing.

Update Package Procedure

Follow this procedure to update your installation of Privilege Management for Unix and Linux using the update packages:

  1. Obtain the tarball file for the AIX update packages that are appropriate for your hardware. The tarball file name has the format pmul_<flavor>-v.v.r-bb-update_pkg.tar.Z, where:
    • <flavor> indicates the operating system and hardware architecture.
    • v.v.r is the major and minor version number and the release number.
    • bb is the build number.
  2. Extract the package files into the /opt/beyondtrust/ directory by executing the following command:
    gunzip -c pmul_<flavor_version>-update_pkg.tar.Z | tar xvf -
  1. Navigate to the /opt/beyondtrust/powerbroker/v<version>/<flavor>/install/ directory.
  1. Create the settings_files directory and change directory to that location.
  2. To retain or correctly update the settings of the current installation, copy the following files from the target installation host into the settings_files directory you created in step 4:
    • /etc/pb.settings
    • /etc/pb.cfg
    • encryption keys defined in pb.settings for networkencryption, eventlogencryption, iologencryption, reportencryption, policyencryption, and restkeyencryption settings (if enabled)

      Note: In a default installation, there are typically 2 key files created: pb.key and pb.rest.key

    • policy file defined in policyfile setting in pb.settings (if the target installation is a Policy Server)

      Note: In a default installation, the policy file is located in /opt/pbul/policies/pb.conf

  1. Execute the following command to verify and update the installation settings in the settings_files directory:
  2. ./pbinstall -z
  1. Create the upgrade configuration package by running the pbcreateaixcfgpkg utility:
  2. pbcreateaixcfgpkg -p suffix

    Use the current suffix of the installation to be upgraded. Use the suffix you provided during the initial package installation in step 8 of the Installation Procedure.

    Another way to find the suffix is to run the following command on the target installation host to get the list of packages installed:

    lslpp -l | grep powerbroker

    Identify the suffix of the Privilege Management for Unix and Linux configuration package using this format:

    powerbroker.config<suffix>
  1. Navigate to the /opt/beyondtrust/powerbroker/version/flavor/package/ directory.
  2. Run the AIX installp utility to install the Privilege Management for Unix and Linux component package or packages by typing:
    installp -ad ./ powerbroker.package_name [v.v.r.bb] [powerbrokder.package_name [v.v.r.bb] ... ]

    where:

    • package_name is the name of the Privilege Management for Unix and Linux package to be installed.
    • v.v.r.bb (optional) is the version, release, and build number, for example, 9.4.1.03.
  1. Navigate to the /opt/beyondtrust/powerbroker/<version>/<flavor>/install/ directory.
  2. Run the AIX installp command to install the Privilege Management for Unix and Linux configuration package by typing:
    installp -ad ./ powerbroker.config<suffix>

    <suffix> is the suffix that is set when you create the Privilege Management for Unix and Linux configuration package in step 7.

  1. Commit the update package by typing:
    installp -c powerbroker [v.v.r.bb]

    v.v.r.bb (optional) is the version, release, and build number, for example, 9.4.1.03.

  2. Verify the installation of the filesets with the AIX lslpp utility by typing:
    lslpp -al powerbroker.package_name

    package_name is the name of the Privilege Management for Unix and Linux package that you installed.

Reject an Update Package

You can reject an update package that has been applied but not committed by typing:

installp -r powerbroker.package_name [v.v.r.bb]

where:

  • package_name is the name of the Privilege Management for Unix and Linux package that you want to reject.
  • v.v.r.bb (optional) is the version, release, and build number, for example, 6.2.1.11 After an update package has been committed, you can not reject it.

Update Packages and WPARs

Installing update packages on workload partitions (WPARs) involves the same considerations as installing a baseline Privilege Management for Unix and Linux package on WPARs.

For more information, please see Installation Procedure.