Generate the Endpoint Privilege Management for Unix and Linux Settings Files
This section of the execution shows the generation of the Endpoint Privilege Management for Unix and Linux settings files (pb.key, pb.cfg, and pb.settings) and also displays the Endpoint Privilege Management for Unix and Linux installation menu. This output was generated using the pbinstall program with the -z option and selecting menu options to install a run host and a submit host:
# ./pbinstall -z Starting pbinstall main() from /opt/pbpkg/powerbroker/v9.4/pmul_hpux.ia64_9.4.3-18/install/. hpux.ia64 Endpoint Privilege Management for Unix and Linux Settings File Generation Please read theEndpoint Privilege Management for Unix and Linux Installation Instructions before proceeding. Checking MANIFEST against release directory Press return to continue The Registry Name Service of Endpoint Privilege Management for Unix and Linux facilitates location of other services within the pmul enterprise with the aid of a centralized data repository. IMPORTANT: client registration is required if this is not the Primary Server and you intend to use Registry Name Services. Do you wish to utilize Registry Name Service? [yes]? no BeyondTrustEndpoint Privilege Management for Unix and Linux Installation Menu Opt Description [Value] 1 Install Everything Here (Demo Mode)? [no] 2 Install License Server? [no] 3 Install Registry Name Services Server? [no] 5 Install Policy Server Host? [yes] 6 Install Run Host? [yes] 7 Install Submit Host? [yes] 9 Install sudo Policy Server? [no] 10 Install Log Host? [yes] 14 Install File Integrity Monitoring Polic... [no] N for the next menu page, C to continue, X to exit Please enter a menu option [For technical support call 1-800-234-9072]> 7 Endpoint Privilege Management for Unix and Linux executes secured tasks on hosts which are designated as Run Hosts. These hosts execute the commands using the pblocald daemon. To allowEndpoint Privilege Management for Unix and Linux to execute a command, a host must be configured as a Run Host. Do you want this host to be a Run Host [no]? yes BeyondTrustEndpoint Privilege Management for Unix and Linux Installation Menu Opt Description Value] 1 Install Everything Here (Demo Mode)? [no] 2 Install License Server? [no] 3 Install Registry Name Services Server? [no] 5 Install Policy Server Host? [yes] 6 Install Run Host? [yes] 7 Install Submit Host? [yes] 9 Install sudo Policy Server? [no] 10 Install Log Host? [yes] 14 Install File Integrity Monitoring Polic... [no] 25 Install Secure GUI Host? [yes] 26 Install Utilities: pbvi, pbnvi, pbmg, p... [yes] 29 Install man pages? [no] 30 Will this host use a Log Host? [yes] 31 AD Bridge Integration? [no] 55 Synchronization program can be initiate... [yes] 56 Daemons location [/usr/sbin] 59 User programs location [/usr/local/bin] N for the next menu page, C to continue, X to exit Please enter a menu option [For technical support call 1-800-234-9072]> 8 Endpoint Privilege Management for Unix and Linux allows requests for secured tasks to be made on hosts configured as Submit Hosts. To have pbrun initiate requests for secured tasks, this host must be a Submit Host. Do you want this host to be a Submit Host [no]? yes BeyondTrustEndpoint Privilege Management for Unix and Linux Installation Menu Opt Description [Value] 1 Install Everything Here (Demo Mode)? [no] 2 Install License Server? [no] 3 Install Registry Name Services Server? [no] 4 Install Client Registration Server? [no] 5 Install Policy Server Host? [yes] 6 Install Run Host? [yes] 7 Install Submit Host? [yes] 8 Install PBSSH [yes] 9 Install sudo Policy Server? [no] 10 Install Log Host? [yes] 11 Enable Logfile Tracking and Archiving? [yes] 12 Is this a Log Archiver Storage Server? [no] 13 Is this a Log Archiver Database Server? [no] 14 Install File Integrity Monitoring Polic... [no] 15 Install REST Services? [yes] 16 List of License Servers [*] 19 Path to Password Safe 'pkrun' binary [] 23 Install Synchronization program? [yes] 25 Install Secure GUI Host? [yes] 26 Install Utilities: pbvi, pbnvi, pbmg, p... [yes] 27 Install pbksh? [yes] 28 Install pbsh? [yes] 29 Install man pages? [no] 30 Will this host use a Log Host? [yes] 31 AD Bridge Integration? [no] 37 Integration with BeyondInsight? [no] 55 Synchronization program can be initiate... [yes] 56 Daemons location [/usr/sbin] 57 Number of reserved spaces for submit pr... [80] 58 Administration programs location [/usr/sbin] 59 User programs location [/usr/local/bin] 60 GUI library directory [/usr/local/lib/pbbuilder] 61 Policy include (sub) file directory [/opt/pbul/policies] 62 Policy file name [/opt/pbul/policies/pb.conf] 65 Log Archive Storage Server name [] 67 Log Archiver Database Server name [] 69 Logfile Name Cache Database file path? [/opt/pbul/dbs/pblogcache.db] 70 REST Service installation directory? [/usr/lib/beyondtrust/pb/rest] 71 Install REST API sample code? [no] 73 Pblighttpd user [pblight] 75 Pblighttpd user UID [] 76 Pblighttpd user GID [] 78 Configure systemd? [yes] 79 Command line options for pbmasterd [-ar] 80 Policy Server Delay [500] 81 Policy Server Protocol Timeout [-1] 82 pbmasterd diagnostic log [/var/log/pbmasterd.log] 83 Eventlog filename [/var/log/pb.eventlog] 84 Configure eventlog rotation via size? [] 85 Configure eventlog rotation path? [] 86 Configure eventlog rotation via cron? [no] 87 Validate Submit Host Connections? [no] 88 List of Policy Servers to submit to [kandor] 89 pbrun diagnostic log? [none] 90 pbssh diagnostic log? [none] 91 Allow Local Mode? [yes] 92 Additional secured task checks? [no] 93 Suppress Policy Server host failover er... [yes] 94 List of Policy Servers to accept from [kandor] 95 pblocald diagnostic log [/var/log/pblocald.log] 96 Command line options for pblocald [] 97 Syslog pblocald sessions? [no] 98 Record PTY sessions in utmp/utmpx? [yes] 99 Validate Policy Server Host Connections? [no] 100 List of Log Hosts [kandor] 101 Command line options for pblogd [] 102 Log Host Delay [500] 103 Log Host Protocol Timeout [-1] 104 pblogd diagnostic log [/var/log/pblogd.log] 105 List of log reserved filesystems [none] 106 Number of free blocks per log system fi... [0] 107 Command line options for pbsyncd [] 108 Sync Protocol Timeout [-1] 109 pbsyncd diagnostic log [/var/log/pbsyncd.log] 110 pbsync diagnostic log [/var/log/pbsync.log] 111 pbsync sychronization time interval (in... [15] 112 Add installed shells to /etc/shells [no] 113 pbksh diagnostic file [/var/log/pbksh.log] 114 pbsh diagnostic file [/var/log/pbsh.log] 115 Stand-alone pblocald command [none] 116 Stand-alone root shell default iolog [/pbshell.iolog] 121 Use syslog? [yes] 122 Syslog facility to use? [LOG_AUTHPRIV] 123 Base Daemon port number [24345] 124 pbmasterd port number [24345] 125 pblocald port number [24346] 126 pblogd port number [24347] 127 pbguid port number [24348] 128 Secure pbsguid port number [24349] 129 pbsyncd port number [24350] 130 REST Service port number [24351] 131 Add entries to '/etc/services' [yes] 132 Allow non-reserved port connections [yes] 133 Inbound Port range [1025-65535] 134 Outbound Port range [1025-65535] 137 Network encryption options [aes-256:keyfile=/etc/pb.key] 138 Event log encryption options [none] 139 I/O log encryption options [none] 140 Report encryption options [none] 141 Policy file encryption options [none] 142 Settings file encryption type [none] 143 REST API encryption options [aes-256:keyfile=/etc/pb.re...] 144 Configure with Kerberos v5? [no] 150 Enforce High Security Encryption? [yes] 151 Use SSL? [yes] 152 SSL Configuration? [requiressl] 153 SSL pbrun Certificate Authority Directory? [none] 154 SSL pbrun Certificate Authority File? [none] 155 SSL pbrun Cipher List? [HIGH:!SSLv2:!3DES:!MD5:@ST…] 156 SSL pbrun Certificate Directory? [none] 157 SSL pbrun Certificate File? [none] 158 SSL pbrun Private Key Directory? [none] 159 SSL pbrun Private Key File? [none] 160 SSL pbrun Certificate Subject Checks? [none] 161 SSL Server Certificate Authority Direct... [none] 162 SSL Server Certificate Authority File? [none] 163 SSL Server Cipher List? [HIGH:!SSLv2:!3DES:!MD5:@ST...] 164 SSL Server Certificate Directory? [none] 165 SSL Server Certificate File? [/etc/pbssl.pem] 166 SSL Server Private Key Directory? [none] 167 SSL Server Private Key File? [/etc/pbssl.pem] 168 SSL Server Certificate Subject Checks? [none] 169 SSL Certificate Country Code [US] 170 SSL Certificate State/Province [AZ] 171 SSL Certificate Location (Town/City) [Phoenix] 172 SSL Certificate Organizational Unit/Dep... [Security] 173 SSL Certificate Organization [BeyondTrust] 174 Configure Privilege Management for Unix... [no] 175 Install BeyondTrust built-in third-part... [yes] 176 BeyondTrust built-in third-party librar... [/usr/lib/beyondtrust/pb] 188 Use PAM? [no] 196 Allow Remote Jobs? [yes] 197 UNIX Domain Socket directory [none] 198 Reject Null Passwords? [no] 199 Enable TCP keepalives? [no] 200 Name Resolution Timeout [0] N for the next menu page, P for the previous menu page, C to continue, X to exit Please enter a menu option [For technical support call 1-800-234-9072]> c ypcat: no such map in server's NIS domain No submitmasters was specified and no NIS netgroup called pbsubmitmasters found Endpoint Privilege Management for Unix and Linux needs to know the submitmasters(s) to work. TheEndpoint Privilege Management for Unix and Linux programs need to know which Policy Server Host(s) you have decided to allow to act as submitmaster(s) for this machine. Submitmasters take requests for secured tasks from Submit Hosts, accept or reject them, and pass the accepted requests to a Run Host. To locate submitmasters, programs look for a setting in the settings file containing the names of the submitmaster machines or a netgroup called pbsubmitmasters. Enter Policy Server list (submitmasters): hp113-ca025-012.unix.symark.com ypcat: no such map in server's NIS domain No acceptmasters was specified and no NIS netgroup called pbacceptmasters foundEndpoint Privilege Management for Unix and Linux needs to know the acceptmasters(s) to work. TheEndpoint Privilege Management for Unix and Linux programs need to know which Policy Server Host(s) you have decided to allow to request execution of secured tasks to this machine. Hosts on the acceptmasters list are the Policy Server Hosts which are allowed to make secured task requests to this machine. To do this, programs look for a setting in the settings file containing the names of the acceptmasters machines or a netgroup called pbacceptmasters. Enter Incoming Policy Server list (acceptmasters): hp113-ca025-012.unix.symark.com ypcat: no such map in server's NIS domain No log hosts was specified and no NIS netgroup called pblogservers found Endpoint Privilege Management for Unix and Linux needs to know the log hosts(s) to work. TheEndpoint Privilege Management for Unix and Linux programs need to know which machine(s) you have selected as Log Host(s). Log Hosts are hosts which Policy Servers select for Run Hosts to do event and I/O logging. To do this, pbmasterd looks for the setting logservers in the settings file. This setting contains the names of the Log Host machines or a netgroup. Current installation settings for Log Server(s): Enter Log Server list (logservers): hp113-ca025-012.unix.symark.com Generating key file /opt/pbpkg/powerbroker/v9.4/pbul_hpux.ia64_9.4.3-18/install/settings_files/pb.key... Are all the installation settings correct [yes]? Generating config file /opt/pbpkg/powerbroker/v9.4/pmul_hpux.ia64_9.4.3-18/install/settings_files/pb.cfg Creating the settings file creation script Backed up existing settings file creation script to: '/opt/pbpkg/powerbroker/v9.4/pbul_hpux.ia64_9.4.3-18/install/pbcreatesettingsfile.ctime.May_26_15:05' Running settings file creation script Creating settings file /opt/pbpkg/powerbroker/v9.4/pmul_hpux.ia64_9.4.3-18/install/settings_files/pb.settings Generated settings files are in directory: /opt/pbpkg/powerbroker/v9.4/pmul_hpux.ia64_9.4.3-18/install/settings_files <MadCap:variable name="PM.EPMUL" /> Settings File Generation completed successfully.