Updating Endpoint Privilege Management for Unix and Linux with Update Depots

The Endpoint Privilege Management for Unix and Linux HP-UX package installer can be used to update an existing Endpoint Privilege Management for Unix and Linux installation to a new version. The existing Endpoint Privilege Management for Unix and Linux version should have been installed using the Endpoint Privilege Management for Unix and Linux package installer.

Update Depot Considerations

Installing an Endpoint Privilege Management for Unix and Linux update depot is similar to using the HP-UX package installer to install Endpoint Privilege Management for Unix and Linux for the first time. Keep these considerations in mind when you prepare to upgrade Endpoint Privilege Management for Unix and Linux:

  • An Endpoint Privilege Management for Unix and Linux HP-UX update depot contains a complete Endpoint Privilege Management for Unix and Linux installation, not just the files that have changed since the previous release.
  • Each Endpoint Privilege Management for Unix and Linux update depot is cumulative; that is, it includes all previous update filesets that BeyondTrust released since the baseline version. Therefore, there is no need to install the previous update depots.
  • A newer release can introduce features that use new settings or configurations. In that case, the Endpoint Privilege Management for Unix and Linux configuration package must also be upgraded.

Unlike Endpoint Privilege Management for Unix and Linux patches that are installed with pbpatchinstall, update filesets cannot be rolled back to a previous release. However, you can install an older fileset over a newer one, effectively rolling back to the older release.

Update Depot Procedure

Follow this procedure to update your installation of Endpoint Privilege Management for Unix and Linux using the update depots:

  1. Obtain the tarball file for the HP-UX update depots that are appropriate for your hardware. The tarball file name has the format pmul_<flavor>-v.v.r-bb-update_pkg.tar.Z, where:
    • <flavor> indicates the operating system and hardware architecture.
    • v.v.r is the major and minor version number and the release number.
    • bb is the build number.
  2. Extract the depot files into the /unzip-dir/ directory by executing the following command:
    tar xvfz pmul_<flavor_version>-update_pkg.tar.Z
  3. Navigate to the /unzip-dir/powerbroker/v<version>/<flavor>/install/ directory.
  4. Create the settings_files directory and change directory to that location.
  5. To retain or correctly update the settings of the current installation, copy the following files from the target installation host into the settings_files directory you created in step 4:
    • /etc/pb.settings
    • /etc/pb.cfg
    • encryption keys defined in pb.settings for networkencryption, eventlogencryption, iologencryption, reportencryption, policyencryption, and restkeyencryption settings (if enabled)

In a default installation, there are typically 2 key files created: pb.key and pb.rest.key.

    • policy file defined in policyfile setting in pb.settings (if the target installation is a Policy Server)

In a default installation, the policy file is located in /opt/pbul/policies/pb.conf.

  6. Execute the following command to verify and update the installation settings in the settings_files directory:
    ./pbinstall -z
  7. Create the upgrade configuration package by running the pbcreatehpuxcfgpkg utility:
    pbcreatehpuxcfgpkg -p fileset-name

    Use the current fileset-name of the installation to be upgraded. Use the fileset-name you provided during the initial package installation in step 8 of the Installation Procedure.

    Another way to find the fileset-name is to run the following command on the target installation host to get the list of packages installed:

    swlist PowerBroker\*

    Identify the fileset-name of the Endpoint Privilege Management for Unix and Linux configuration package using this format:

    PowerBroker-Cfg.<fileset-name>
  8. Navigate to the directory: /unzip-dir/powerbroker/version/flavor/package/
  9. Run the HP-UX swcopy utility to copy the Endpoint Privilege Management for Unix and Linux component depot to the desired SD depot by typing:
    swcopy -s /path/PowerBroker-arch.depot PowerBroker-arch.FILESET [@ sd-directory]

    path is the absolute path to the directory that contains the Endpoint Privilege Management for Unix and Linux component depot.

    arch is the target platform architecture.

    FILESET is the specific fileset to be copied. Alternatively, use \* instead of PowerBroker-arch.FILESET to copy all filesets.

    sd-directory is the desired SD directory. If you omit @ sd-directory, the default /var/spool/sw is used.

  10. Navigate to the /unzip-dir/powerbroker/version/flavor/install/ directory.
  11. Run the HP-UX swcopy utility to copy the Endpoint Privilege Management for Unix and Linux configuration fileset to the desired SD depot:
    # swcopy -s /<cfgdepotdir>/PowerBroker-Cfg-<ver>.<filesetname>.depot  PowerBroker-Cfg.<filesetname>
  12. Run the HP-UX swinstall utility to install the Endpoint Privilege Management for Unix and Linux component filesets by typing:
    swinstall PowerBroker-arch
  13. Verify the installation of the filesets with the HP-UX swverify utility by typing:
    swverify PowerBroker-arch

Revert to a Previous Version

Unlike Endpoint Privilege Management for Unix and Linux patches that are installed with pbpatchinstall, update depots cannot be rolled back to a previous release. However, you can install an older fileset over a newer one, effectively rolling back to the older release. To install older filesets over newer ones, use the following command:

swinstall -x allow_downdate=true PowerBroker-arch

This command restores the previous release. Repeat the command to restore earlier releases.

Upgrade Configuration Package

When you upgrade the configuration package (cfg pkg), some settings in the package may require that settings and configuration files be copied from the existing installation to the staging host.

Files included in the cfg package:

  • pb.settings: Hardcoded target location /etc/pb.settings.
  • pb.cfg: Hardcoded target location /etc/pb.cfg.
  • All the encryption key files defined for networkencryption, eventlogencryption, iologencryption, reportencryption, policyencryption, and restkeyencryption. By default, two key files are typically created:
    • pb.key
    • pb.rest.key

    The sysadmin can define encryption with different key files in locations other than /etc. Therefore, to retain what is installed on the target machine when upgrading, review all the encryption settings in /etc/pb.settings. Copy the settings to the settings_files directory before running pbinstall -z and pbcreate*cfgpkg.

  • Policy file if the target is a policy server.
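
The staging described in step 5 of the Update Depot Procedure and in the Upgrade Configuration Package section can be scripted. The following is an added example, not BeyondTrust code. It assumes that key files appear in pb.settings as keyfile=/absolute/path tokens on the encryption setting lines and that the policy file appears as "policyfile /absolute/path"; the function names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: find and stage the files that step 5 says to copy.
# ASSUMPTION: key files are written as keyfile=/abs/path tokens (colon-separated
# from the algorithm) and the policy file as "policyfile /abs/path".
ENC_SETTINGS='networkencryption|eventlogencryption|iologencryption|reportencryption|policyencryption|restkeyencryption'

# Constructed sample pb.settings (not taken from a real host).
sample_settings() {
cat <<'EOF'
# constructed sample
networkencryption aes-256:keyfile=/etc/pb.key
# iologencryption des:keyfile=/etc/old.key
iologencryption   des:keyfile=/etc/pb.key:enddate=2030/01/01 aes-256:keyfile=/opt/keys/iolog.key
restkeyencryption aes-256:keyfile=/etc/pb.rest.key
policyfile        "/opt/pbul/policies/pb.conf"
EOF
}

# referenced_files SETTINGS_FILE -> one referenced path per line, de-duplicated
referenced_files() {
    awk -v enc="^($ENC_SETTINGS)\$" '
        /^[ \t]*#/ { next }                      # skip commented-out settings
        { gsub(/"/, "") }                        # tolerate quoted values
        $1 ~ enc {                               # any of the six encryption settings
            for (i = 2; i <= NF; i++) {          # one token per algorithm
                n = split($i, part, ":")
                for (j = 1; j <= n; j++)
                    if (part[j] ~ /^keyfile=/) print substr(part[j], 9)
            }
        }
        $1 == "policyfile" && NF >= 2 { print $2 }
    ' "$1" | LC_ALL=C sort -u
}

# stage_settings SETTINGS_FILE CFG_FILE DEST_DIR
# Copies pb.settings, pb.cfg and every referenced file into DEST_DIR (mode 700,
# since it holds key material). Returns 1 if a file is missing. Paths with spaces are not handled.
stage_settings() {
    settings=$1 cfg=$2 dest=$3 missing=0
    mkdir -p "$dest" && chmod 700 "$dest" || return 2
    for f in "$settings" "$cfg" $(referenced_files "$settings"); do
        if [ -f "$f" ]; then
            cp -p "$f" "$dest/" || return 2      # -p keeps owner-only key permissions
        else
            echo "missing: $f" >&2
            missing=1
        fi
    done
    return $missing
}
```

Run as root on the target host with `stage_settings /etc/pb.settings /etc/pb.cfg ./settings_files`, and resolve any "missing" lines before running pbinstall -z. Settings that name no keyfile are not listed, so check those against the default key files by hand.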