HP-UX Package Installer

This section describes how to install Endpoint Privilege Management for Unix and Linux using a package installer for HP-UX 11i v1, 11i v2, or 11i v3. Use the HP-UX package installation if you want to install Endpoint Privilege Management for Unix and Linux using the HP-UX Software Distributor (SD) on a local or remote computer.

The Endpoint Privilege Management for Unix and Linux HP-UX package installer that is described here is not compatible with the Endpoint Privilege Management version 5 HP-UX depots. If the Endpoint Privilege Management version 5 HP-UX depots are installed, you must remove them before installing the Endpoint Privilege Management for Unix and Linux version 6 HP-UX depots.

Prerequisites

To use the Endpoint Privilege Management for Unix and Linux HP-UX package installer, you must have the following:

  • Package tarball file for the appropriate Endpoint Privilege Management for Unix and Linux flavor

For the Endpoint Privilege Management for Unix and Linux HP-UX package installer, the tarball files are cumulative. That is, an update tarball file contains a complete Endpoint Privilege Management for Unix and Linux installation. It is not necessary to install a baseline version of Endpoint Privilege Management for Unix and Linux before installing an update.

  • Root access or superuser privileges

The Endpoint Privilege Management for Unix and Linux HP-UX package installer does not support prefix/suffix installations.

Plan Your Installation

When preparing to use the Endpoint Privilege Management for Unix and Linux HP-UX package installer, you should be familiar with the following concepts and restrictions:

  • Depots and Filesets: HP-UX packaged software is delivered as a single file called a depot (.depot) file. A depot can be thought of as a compressed file that contains one or more filesets. A fileset is a component of the software and may contain many files. Installing an HP-UX depot extracts the files from the filesets and writes them to the appropriate directory locations.
  • Component depot and component filesets: an Endpoint Privilege Management for Unix and Linux component fileset is a part of the Endpoint Privilege Management for Unix and Linux component depot that installs a portion of the Endpoint Privilege Management for Unix and Linux application. There are seven Endpoint Privilege Management for Unix and Linux component filesets. In the following list, arch is the architecture of the target platform; for example, ia64A.
    • PowerBroker-arch.LOGHOST: Contains log host, pbsync, and pbsyncd.
    • PowerBroker-arch.SHAREDLIBS: Contains shared libraries.
    • PowerBroker-arch.RESTHOST: Contains REST API files.
    • PowerBroker-arch.RNSSVR: Contains Registry Name Service files.
    • PowerBroker-arch.LICSVR: Contains license server files.
    • PowerBroker-arch.MASTERHOST: Contains policy server host, pbsync, and pbsyncd.
    • PowerBroker-arch.SUBMITHOST: Contains submit host and Endpoint Privilege Management for Unix and Linux shells.
    • PowerBroker-arch.RUNHOST: Contains run host and Endpoint Privilege Management for Unix and Linux utilities.

Which component filesets are required depends on the type of Endpoint Privilege Management for Unix and Linux host you create, such as policy server host, submit host, and so on. You can select the types of Endpoint Privilege Management for Unix and Linux hosts in the pbinstall installation menu, as shown in the following table:

Menu Selection                                               Required Components
Install everything here (demo mode)? = Yes                   MASTERHOST, RUNHOST, SUBMITHOST, LOGHOST, GUIHOST, SHAREDLIBS
Install Policy Server Host? = Yes                            MASTERHOST
Install Run Host? = Yes                                      RUNHOST
Install Submit Host? = Yes                                   SUBMITHOST
Install Log Host? = Yes                                      LOGHOST
Install BeyondTrust built-in third-party libraries? = Yes    SHAREDLIBS
Install Registry Name Services Server? = Yes                 RNSSVR
Install License Server? = Yes                                LICSVR

  • Configuration depot: HP-UX depot (separate from the component depot) that is used to install the following files:
    • pb.settings: Hardcoded target location /etc/pb.settings
    • pb.cfg: Hardcoded target location /etc/pb.cfg
    • All the encryption keyfiles defined for networkencryption, eventlogencryption, iologencryption, reportencryption, policyencryption, and restkeyencryption
    • By default, two key files are created: pb.key and pb.rest.key
    • The sysadmin can define multiple encryption settings with different key files in locations other than /etc. To upgrade and retain the settings on the target machine, review all encryption settings in /etc/pb.settings and copy every referenced key file into the settings_files directory before running pbinstall -z and pbcreate*cfgpkg.
    • pb.conf (for policy server hosts)
    • Diagnostic log files

The Endpoint Privilege Management for Unix and Linux configuration depot is created by the pbcreatehpuxcfgpkg program. The component filesets must be copied to the SD depot using the swcopy command before you copy the configuration fileset to the distribution depot.

  • SD Depot: The SD depot is the software distribution depot, to which software depots are copied by using the HP-UX swcopy command prior to the installation of their filesets. By default, /var/spool/sw is the location of the SD depot.
  • pbinstall program: To create the Endpoint Privilege Management for Unix and Linux settings files, you use the pbinstall program with the -z (settings only) option. pbinstall -z only creates the settings files and is incompatible with the following command line options:

    Option   Description
    -b       Runs pbinstall in batch mode.
    -c       Skips the steps that process or update the Endpoint Privilege Management for Unix and Linux settings file.
    -e       Runs the install script automatically, bypassing the menu step of pbinstall.
    -i       Ignores previous pb.settings and pb.cfg files.
    -p       Sets the pb installation prefix.
    -s       Sets the pb installation suffix.
    -u       Installs the utility programs.
    -x       Creates a log synchronization host (that is, installs pbsyncd).

When you execute pbinstall with the -z option, you can see two menu items that are not otherwise available:

  • Enter existing pb.settings path: Enables you to specify your own pb.settings file. pbinstall reads this settings file and populates the remaining menu choices. You can override some menu choices. If set to none, then pbinstall does not read a settings file. The remaining menu choices are populated with default values.
  • Enter directory path for settings file creation: Enables you to specify an alternative output directory for the settings files. The default directory is /unzip-dir/powerbroker/version/<flavor>/install/settings_files, where unzip-dir is the directory where the package tarball file was unzipped and version is the Endpoint Privilege Management for Unix and Linux version number.

The behavior of pbinstall -z depends on whether certain additional command line options are specified:

  • If no other command line options are specified, pbinstall initially presents a short version of the installation menu (items 1–8 only). Depending on the choices you make in these items, further menu items become available.
  • If command line options -g, -l, -m, -o, -r, or -w are specified, pbinstall presents an expanded version of the installation menu that reflects the host types that you are configuring.

When running pbinstall with the -z option, the following menu items are preprogrammed and cannot be changed:

  • Install man pages?
  • Daemon location
  • Administration programs location
  • User programs location
  • GUI library directory
  • Policy include (sub) file directory
  • User man page location
  • Admin man page location
  • Policy filename
  • BeyondTrust built-in third-party library directory

In addition, the values of the following menu items determine the values of other menu items:

Options Preset When Running pbinstall -z

Setting this menu option to Yes     Sets these values to Yes
Install Policy Server Host?         Install Synchronization?
                                    Synchronization can be initiated from this host?
Install Run Host?                   Install Utilities?
Install Submit Host?                Install PBSSH?
                                    Install pbksh?
                                    Install pbsh?
                                    Will this host use a Log Host?
Install Log Host?                   Install Synchronization?
                                    Synchronization can be initiated from this host?

If you plan to use Registry Name Service and are running pbinstall -z on a client host (non-primary server), you must perform client registration. This is necessary to properly set up the registry name service database. Client registration also requires that you collect from the Endpoint Privilege Management for Unix and Linux primary server the following information:

  • REST Application ID
  • REST Application Key
  • Primary server network name or IP address
  • Primary License Server REST TCP/IP port
  • Registration Client Profile name

If you are using the package installer to install Endpoint Privilege Management for Unix and Linux on a computer that already has an interactive Endpoint Privilege Management for Unix and Linux installation on it, see Installation Considerations for additional considerations.

RNS client registration: If Registry Name Services is enabled for Endpoint Privilege Management for Unix and Linux, each client host (after the first server installation) needs to be registered with the Primary Registry Name Server. When using package installers on a target host, a post-install configuration script (/opt/pbul/scripts/pbrnscfg.sh) is provided to be manually executed on that host to properly register it. This post-install configuration script asks for information about the Primary Registry Name Server, including the Application ID (appid), Application Key (appkey), address/domain name, and the REST TCP/IP port number. This is the same information provided during the client registration part of a pbinstall -z install which generates the settings file.

If you prefer a more convenient method of registering RNS clients, where the post-install configuration script runs non-interactively, Endpoint Privilege Management for Unix and Linux can save the relevant information in a hidden file during the settings-only run of pbinstall, bundle it with the configuration package, and apply it automatically to the target host when that package is installed. Understand that this is not secure, because the registration information then travels inside the configuration package; it is available if the security-convenience trade-off is acceptable. To enable it, answer the question about the post-install configuration script that is displayed when running pbinstall -z.

For more complete pbinstall command-line options, see the Installation Programs.

Overview of Steps

Using the Endpoint Privilege Management for Unix and Linux HP-UX package installer involves the following steps.

  1. Unpack the Endpoint Privilege Management for Unix and Linux HP-UX package tarball file.
  2. Use the pbinstall program to create Endpoint Privilege Management for Unix and Linux settings files.
  3. Use the pbcreatehpuxcfgpkg program to create the Endpoint Privilege Management for Unix and Linux configuration depot.
  4. Use the HP-UX swcopy command to copy the Endpoint Privilege Management for Unix and Linux component depot to the desired SD depot.
  5. Use the HP-UX swcopy command to copy the Endpoint Privilege Management for Unix and Linux configuration depot to the desired SD depot.
  6. Use the HP-UX swinstall command to install the Endpoint Privilege Management for Unix and Linux configuration depot. The dependencies that are identified in the configuration fileset will cause the appropriate component filesets to be installed as well.
  7. If Registry Name Service is enabled and installed on a non-primary server, run /opt/pbul/scripts/pbrnscfg.sh to register the host.

For more detailed information on the above steps, see Installation Procedure.

Installation Procedure

To install Endpoint Privilege Management for Unix and Linux using the HP-UX SD feature, do the following:

  1. Extract the package tarball files into the /unzip-dir/ directory by executing the following command:
    gunzip -c pmul_<flavor_version>_pkg.tar.Z | tar xvf -
  2. Navigate to the /unzip-dir/powerbroker/version/flavor/install/ directory.
  3. Execute the following command:
    ./pbinstall -z

    You are asked if you want to use client registration. If you plan to enable Registry Name Service, and install on a host that is not designated as a primary server, you must run client registration.

    pbinstall then asks if you want to enable Registry Name Service.

    pbinstall displays the Endpoint Privilege Management for Unix and Linux installation menu.

  4. Make your menu selections. Note that the Enter existing pb.settings path menu option enables you to specify your own pb.settings file to use. Also, the Enter directory path for settings file creation menu option enables you to specify where to save the generated settings files. These menu options are available only when running pbinstall with the -z option. When the menu selection process is complete, pbinstall creates the following files in the specified location:
    • pb.settings
    • pb.cfg
    • pb.key (if encryption is enabled)
    • pb.conf (for policy server host)
    • pbpolicykey.pem and pbpolicypubcert.pem (for Policy Server hosts with Cached Policy feature enabled)
  5. Optional. For an Endpoint Privilege Management for Unix and Linux client, if client-server communications are to be encrypted, replace the generated pb.key file with the pb.key file from the policy server host. Also copy any other required key files into the same directory.
  6. Optional. For a policy server host, write a policy file (pb.conf) and place it in the directory with the other generated files. If you do not provide a pb.conf file, a pb.conf file with the single command reject; is generated and packaged.

    Starting with v8.0, pbinstall -z can optionally install the default role-based policies and asks:

    Installing default role-based policy pbul_policy.conf and pbul_functions.conf in <install_dir>/settings_files
    Would you like to use the default role-based policy in the configuration package?

    Answer Yes for new installs only.

    If you are upgrading an existing configuration package, to avoid overwriting your existing policy, answer No.

    Use the default role-based policy [Y]?

    If you answer Yes, the default pb.conf, pbul_policy.conf and pbul_functions.conf are created and installed on the policy server.

    If you are installing over an existing installation, and have an existing policy in place, answer No.

  7. Navigate to the /unzip-dir/powerbroker/version/flavor/install/ directory.
  8. Run the pbcreatehpuxcfgpkg utility by typing:
    pbcreatehpuxcfgpkg [-d] -p depot-fileset-name -s directory

    where:

    • -d is an option that sets the component fileset dependency to hppaD rather than the default hppaB.
    • depot-fileset-name is a user-specified name for the configuration fileset. The resulting fileset is PowerBroker-Cfg.depot-fileset-name.
    • directory is the directory that contains the Endpoint Privilege Management for Unix and Linux settings and configuration files to include in the configuration fileset.

    The pbcreatehpuxcfgpkg utility creates the configuration depot with the file name PowerBroker-Cfg-version.depot-fileset-name.depot.

  9. Navigate to the /unzip-dir/powerbroker/version/flavor/package/ directory.
  10. Run the HP-UX swcopy utility to copy the Endpoint Privilege Management for Unix and Linux component depot to the desired SD depot by typing:
    swcopy -s /path/PowerBroker-arch.depot PowerBroker-arch.FILESET [@ sd-directory]

    where

    • path is the absolute path to the directory that contains the Endpoint Privilege Management for Unix and Linux component depot.
    • arch is the target platform architecture.
    • FILESET is the specific fileset to be copied; alternatively, use \* instead of PowerBroker-arch.FILESET to copy all filesets.
    • sd-directory is the desired SD directory; if you omit @ sd-directory, the default /var/spool/sw is used.
    To copy only the log host component fileset:
    # swcopy -s /unzip-dir/powerbroker/v9.4/pmul_hpux.hppa64_9.4.3/package/PowerBroker-hppa64-9.4.3.06.depot PowerBroker-hppa64.LOGHOST @ /var/spool/sw

    To copy the log host and policy server host component filesets to the default SD depot:
    # swcopy -s /unzip-dir/powerbroker/v9.4/pmul_hpux.hppa64_9.4.3-06/package/PowerBroker-hppa64-9.4.3.06.depot PowerBroker-hppa64.LOGHOST PowerBroker-hppa64.MASTERHOST

    To copy all component filesets to the default SD depot:
    # swcopy -s /unzip-dir/powerbroker/v9.4/pmul_hpux.hppa64_9.4.3-06/package/PowerBroker-hppa64-9.4.3.06.depot \*

  11. Run the HP-UX swcopy utility to copy the Endpoint Privilege Management for Unix and Linux configuration fileset to the desired SD depot, for example:
    # swcopy -s /unzip-dir/powerbroker/v9.4/pmul_hpux.hppa64_9.4.3-06/install/PowerBroker-Cfg-9.4.3.06.CLIENT.depot PowerBroker-Cfg.CLIENT @ /var/spool/sw
  12. Run the HP-UX swinstall utility to install the Endpoint Privilege Management for Unix and Linux configuration fileset by typing:
    swinstall PowerBroker-Cfg.depot-fileset-name

depot-fileset-name is the configuration fileset name specified when the Endpoint Privilege Management for Unix and Linux configuration package is created in step 8. Any component dependencies that are identified by the configuration fileset are automatically installed as well.

If you attempt to install filesets from more than one flavor onto a single system, the installation fails with an error message.

  13. Verify the installation of the filesets with the HP-UX swverify utility by typing one of the following commands:
    swverify PowerBroker-arch
    swverify PowerBroker-Cfg
  14. If Registry Name Service is enabled and installed on a non-primary server, register the host with the Primary Registry Name Server using the post-install configuration script. Gather the Application ID, Application Key, network name or IP address, and REST TCP/IP port of the primary server, then run the script and follow the prompts:
    /opt/pbul/scripts/pbrnscfg.sh
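The configuration depot section above asks you to copy every key file named in /etc/pb.settings into settings_files before running pbcreatehpuxcfgpkg, and steps 8 and 10 to 13 of the procedure must run in a fixed order (component depot into the SD depot before the configuration fileset). The following shell script is an added example that is not BeyondTrust's code: it checks the settings directory for the referenced key files, then composes the depot commands as a dry-run plan. The function names, the DRY_RUN switch, the sample settings directory (constructed inside the script) and the assumed pb.settings line format (`keyword alg:keyfile=path`, possibly several per line) are all assumptions; no HP-UX SD command is executed unless DRY_RUN is unset.

```shell
#!/bin/sh
# Added example, not BeyondTrust's code. Pre-flight check for the settings_files
# directory plus a dry-run plan of the depot steps in the order the procedure requires.
# Assumption: encryption lines in pb.settings look like
#   networkencryption aes-256:keyfile=/etc/pb.key [aes-128:keyfile=/etc/pb2.key]

ENC_KEYWORDS="networkencryption eventlogencryption iologencryption reportencryption policyencryption restkeyencryption"

# list_keyfiles SETTINGS_FILE: print each key file path referenced by an encryption
# keyword, one per line, deduplicated.
list_keyfiles() {
    settings="$1"
    [ -f "$settings" ] || return 1
    for kw in $ENC_KEYWORDS; do
        # keep lines whose first field is the keyword, split fields on blanks and ':'
        awk -v kw="$kw" '$1 == kw' "$settings" | tr ' \t:' '\n\n\n' | sed -n 's/^keyfile=//p'
    done | sort -u
}

# check_settings_dir DIR: DIR is the directory given to pbcreatehpuxcfgpkg -s. pb.settings,
# pb.cfg and every key file pb.settings references (looked up by base name, as the page
# says to copy them here) must be present. Returns 0 when complete, 1 otherwise.
check_settings_dir() {
    dir="$1"
    missing=0
    for f in pb.settings pb.cfg; do
        [ -f "$dir/$f" ] || { echo "missing $f in $dir" >&2; missing=1; }
    done
    for key in $(list_keyfiles "$dir/pb.settings"); do
        name=$(basename "$key")
        if [ ! -f "$dir/$name" ]; then
            echo "key file $name (referenced as $key) not in $dir" >&2
            missing=1
        fi
    done
    return $missing
}

# build_install_plan UNZIP_DIR VERSION FLAVOR ARCH DEPOT_VERSION CFG_NAME [SD_DEPOT]
# Print the commands for steps 8 and 10 to 13, component depot before configuration fileset.
build_install_plan() {
    base="$1/powerbroker/$2/$3"
    arch="$4"; ver="$5"; cfg="$6"; sd="${7:-/var/spool/sw}"
    printf '%s\n' \
        "pbcreatehpuxcfgpkg -p $cfg -s $base/install/settings_files" \
        "swcopy -s $base/package/PowerBroker-$arch-$ver.depot \\* @ $sd" \
        "swcopy -s $base/install/PowerBroker-Cfg-$ver.$cfg.depot PowerBroker-Cfg.$cfg @ $sd" \
        "swinstall PowerBroker-Cfg.$cfg" \
        "swverify PowerBroker-$arch" \
        "swverify PowerBroker-Cfg"
}

# run_install: same arguments as build_install_plan. Refuses to continue when the settings
# directory is incomplete; prints each command and executes it only if DRY_RUN is empty.
run_install() {
    settings_dir="$1/powerbroker/$2/$3/install/settings_files"
    check_settings_dir "$settings_dir" || { echo "aborting: fix $settings_dir first" >&2; return 1; }
    build_install_plan "$@" | while IFS= read -r cmd; do
        echo "+ $cmd"
        [ -n "$DRY_RUN" ] || eval "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
    done
}

# Demo on a constructed settings directory (no real installation is touched).
DRY_RUN=1
demo=$(mktemp -d)
sf="$demo/powerbroker/v9.4/pmul_hpux.hppa64_9.4.3-06/install/settings_files"
mkdir -p "$sf"
cat > "$sf/pb.settings" <<'EOF'
networkencryption aes-256:keyfile=/etc/pb.key
eventlogencryption aes-256:keyfile=/etc/pb.key
restkeyencryption aes-256:keyfile=/etc/pb.rest.key
EOF
: > "$sf/pb.cfg"
: > "$sf/pb.key"          # pb.rest.key deliberately not copied in yet
run_install "$demo" v9.4 pmul_hpux.hppa64_9.4.3-06 hppa64 9.4.3.06 CLIENT \
    || echo "pre-flight failed as expected: pb.rest.key is missing"
: > "$sf/pb.rest.key"
run_install "$demo" v9.4 pmul_hpux.hppa64_9.4.3-06 hppa64 9.4.3.06 CLIENT
rm -rf "$demo"
```

The check looks for key files by base name because the page's instruction is to copy them into settings_files; a settings file that names a key the package does not ship is the failure this catches before swinstall puts it on a target host. Leave DRY_RUN set until the printed plan matches the paths of your own unpacked tarball.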

Many of the HP-UX depot management commands display a message regarding where to find a log file that contains additional information. We recommend that you look at these log files, because some important diagnostic information appears in the log file but not in the utility’s standard output.

Remove Endpoint Privilege Management for Unix and Linux Filesets

Removing the Endpoint Privilege Management for Unix and Linux depots completely uninstalls Endpoint Privilege Management for Unix and Linux from a computer. Because the component filesets are dependencies of the configuration fileset, the configuration fileset must be removed first. To remove the Endpoint Privilege Management for Unix and Linux filesets, do the following:

  1. Remove the Endpoint Privilege Management for Unix and Linux configuration fileset by typing:
    swremove PowerBroker-Cfg.depot-fileset-name

depot-fileset-name is the name of the fileset that you specified when you created the configuration depot.

  2. Remove the Endpoint Privilege Management for Unix and Linux component filesets by typing:
    swremove PowerBroker-arch

You can remove the configuration and component filesets in the same command, for example:
    swremove PowerBroker-Cfg.FILESET PowerBroker-arch

Remote Installation

Because the HP-UX SD system uses a daemon for software administration, you can install from a local depot to a remote machine, or install from a remote depot to a local machine. Additionally, you can install a depot to an alternate root and then remount the alternate root as an actual root on another node.

To install a depot on a remote system, you must have ACL access to that remote system; you can use the swacl command to manage these access controls. Use the @ argument with the swinstall command.

swinstall PowerBroker-hppaB @ remotehost:/

To install a depot on an alternate root, you also use the @ argument.

swinstall PowerBroker-hppaB @ /export/shared_root/node1

For alternate root installation, you must run the swconfig utility on the actual node, after the alternate root is remounted as the node’s actual root.

For more information, see the man pages for the HP-UX SD commands.