Linux Package Installer

This section describes how to install Endpoint Privilege Management for Unix and Linux using a package installer for Red Hat Enterprise Linux (RHEL) 4 or 5 on an x86, x86_64, ia64, or S/390 computer. Use the Linux package installation if you want to install Endpoint Privilege Management for Unix and Linux using the Linux RPM package manager.

The Linux package installer for Endpoint Privilege Management for Unix and Linux that is described here is not compatible with the BeyondTrust Endpoint Privilege Management v5.x packages. You must remove BeyondTrust Endpoint Privilege Management v5.x packages before installing the Linux packages for Endpoint Privilege Management for Unix and Linux.

Prerequisites

To use the Linux package installer, you must have the following:

  • Package tarball file for the appropriate Endpoint Privilege Management for Unix and Linux flavor

For the Linux package installer for Endpoint Privilege Management for Unix and Linux, the tarball files are cumulative. That is, an update tarball file contains a complete Endpoint Privilege Management for Unix and Linux installation. It is not necessary to install a baseline version of Endpoint Privilege Management for Unix and Linux before installing an upgrade.

  • Root access or superuser privileges
  • RPM Package Manager (rpm) v4.4 or later

The Linux package installer for Endpoint Privilege Management for Unix and Linux does not support prefix or suffix installations.

Plan Your Installation

When preparing to use the Endpoint Privilege Management for Unix and Linux package installer, you should be familiar with the following concepts and restrictions:

Component packages: an Endpoint Privilege Management for Unix and Linux component package is an RPM package manager (.rpm) file that installs a part of the Endpoint Privilege Management for Unix and Linux application. The Endpoint Privilege Management for Unix and Linux component packages are listed below with the format powerbroker-component-v.v.r.bb-pv.arch.rpm, where:

  • component = Endpoint Privilege Management component package name
  • v = major version
  • v = minor version
  • r = release
  • bb = build
  • pv = version number of the package
  • arch = architecture (for example, i386)

 

Component Package | Description
powerbroker-loghost-v.v.r.bb-pv.arch.rpm | Contains log host, pbsync, and pbsyncd.
powerbroker-shlibs-v.v.r.bb-pv.arch.rpm | Contains shared libraries.
powerbroker-pbrest-v.v.r.bb-pv.arch.rpm | Contains REST API files.
powerbroker-rnssvr-v.v.r.bb-pv.arch.rpm | Contains Registry Name Service files.
powerbroker-licsvr-v.v.r.bb-pv.arch.rpm | Contains license server files.
powerbroker-master-v.v.r.bb-pv.arch.rpm | Contains policy server host, pbsync, and pbsyncd.
powerbroker-submithost-v.v.r.bb-pv.arch.rpm | Contains submit host and Endpoint Privilege Management for Unix and Linux shells.
powerbroker-runhost-v.v.r.bb-pv.arch.rpm | Contains run host and Endpoint Privilege Management for Unix and Linux utilities.

Which component packages are required depends on the type of Endpoint Privilege Management for Unix and Linux host you create, such as policy server host, submit host, and so on. You can select the types of Endpoint Privilege Management for Unix and Linux hosts in the pbinstall installation menu, as shown in the following table. For readability the ending of each component in the table (-v.v.r.bb-pv.arch.rpm) is removed.

Menu Selection | Required Components (-v.v.r.bb-pv.arch.rpm)
Install everything here (demo mode)? = Yes | powerbroker-master, powerbroker-runhost, powerbroker-submithost, powerbroker-loghost, powerbroker-guihost, powerbroker-shlibs
Install Master Host? = Yes | powerbroker-master
Install Run Host? = Yes | powerbroker-runhost
Install Submit Host? = Yes | powerbroker-submithost
Install Log Host? = Yes | powerbroker-loghost
Install BeyondTrust built-in third-party libraries? = Yes | powerbroker-shlibs
Install Registry Name Services Server? [yes] | powerbroker-rnssvr
Install License Server? [yes] | powerbroker-licsvr
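The naming format and the menu-to-component table above can be turned into a staging check that runs before any rpm command. This is an added example, not vendor code: the function names are hypothetical, the version fields are assumed to be numeric, and the version-consistency test is an extra sanity check rather than a documented requirement.

```shell
#!/bin/sh
# Added example, not vendor code. Assumes v, v, r, bb and pv are numeric.

N='[0-9][0-9]*'
PKG_RE="^powerbroker-\([a-z]*\)-\($N\.$N\.$N\.$N\)-\($N\)\.\([a-z0-9_]*\)\.rpm\$"

# parse_pkg FILE: print "component v.v.r.bb pv arch", or nothing when the
# name does not follow powerbroker-component-v.v.r.bb-pv.arch.rpm.
parse_pkg() {
  basename "$1" | sed -n "s/$PKG_RE/\1 \2 \3 \4/p"
}

# pkg_name FILE: name as stored in the RPM database, that is, the file name
# without the .arch.rpm extension.
pkg_name() {
  parse_pkg "$1" |
    sed -n 's/^\([^ ]*\) \([^ ]*\) \([^ ]*\) .*$/powerbroker-\1-\2-\3/p'
}

# components_for CHOICE: components the menu table lists for a selection.
components_for() {
  case "$1" in
    demo) echo "master runhost submithost loghost guihost shlibs" ;;
    master|runhost|submithost|loghost|shlibs|rnssvr|licsvr) echo "$1" ;;
    *) return 1 ;;
  esac
}

# check_staged DIR COMPONENT...: report components missing from DIR or whose
# version differs from the first one found. Returns 1 on any problem.
# Usage: check_staged ./rpms $(components_for demo)
check_staged() {
  dir=$1; shift; rc=0; want=""
  for comp in "$@"; do
    ver=""
    for f in "$dir"/powerbroker-"$comp"-*.rpm; do
      v=$(parse_pkg "$f" | cut -d' ' -f2)
      if [ -n "$v" ]; then ver=$v; fi
    done
    if [ -z "$ver" ]; then
      echo "MISSING powerbroker-$comp"; rc=1
    elif [ -z "$want" ]; then
      want=$ver
    elif [ "$ver" != "$want" ]; then
      echo "MISMATCH powerbroker-$comp $ver != $want"; rc=1
    fi
  done
  return $rc
}
```

After installation, the value printed by pkg_name for a file is the name to pass to rpm -q on the target host.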

Configuration package: RPM package that is used to install the following files:

  • pb.settings: Hardcoded target location /etc/pb.settings
  • pb.cfg: Hardcoded target location /etc/pb.cfg
  • All the encryption keyfiles defined for networkencryption, eventlogencryption, iologencryption, reportencryption, policyencryption, and restkeyencryption
  • By default, two key files are created: pb.key and pb.rest.key
  • The sysadmin can define multiple encryption settings with different keyfiles in locations other than /etc. To upgrade and retain settings on the target machine, view all encryption settings in /etc/pb.settings and copy the files to the settings_files directory before running pbinstall -z and pbcreate*cfgpkg.
  • If installing a Cached Policy client, copy the policypubcertfile (default=/etc/pbpolicypubcert.pem) from the policy server to the settings_files directory before running pbinstall -z and pbcreate*cfgpkg.
  • pb.conf (for policy server hosts)
  • Man pages for the pbinstall and pbcreatelincfgpkg programs

The Endpoint Privilege Management for Unix and Linux configuration package is created by the pbcreatelincfgpkg program. The component packages must be installed before you install the configuration package.
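Before running pbinstall -z for an upgrade, the key files referenced in /etc/pb.settings can be listed and compared with what has already been copied to settings_files. This is an added example, not vendor code; it assumes each encryption setting is written as algorithm:keyfile=path entries after the setting name and that key files are staged under their base names, and the sample settings are constructed.

```shell
#!/bin/sh
# Added example, not vendor code. Assumed pb.settings syntax:
#   <setting> <algorithm>:keyfile=<path> [<algorithm>:keyfile=<path> ...]

ENC='networkencryption|eventlogencryption|iologencryption'
ENC="$ENC|reportencryption|policyencryption|restkeyencryption"

# list_keyfiles SETTINGS: print each distinct key file path referenced by the
# six encryption settings (comment lines are ignored).
list_keyfiles() {
  grep -E "^[[:space:]]*($ENC)[[:space:]]" "$1" |
    tr -d '"' | tr ' \t' '\n\n' |
    sed -n 's/^.*keyfile=\([^:]*\).*$/\1/p' | sort -u
}

# missing_keyfiles SETTINGS STAGING_DIR: print referenced key files that have
# not been copied (by base name, an assumption) into settings_files.
missing_keyfiles() {
  list_keyfiles "$1" | while IFS= read -r path; do
    [ -f "$2/$(basename "$path")" ] || echo "$path"
  done
}

# Constructed sample: the default key, the REST key, and one key outside /etc.
demo() {
  tmp=$(mktemp -d) && mkdir "$tmp/settings_files"
  cat > "$tmp/pb.settings" <<'EOF'
networkencryption aes-256:keyfile=/etc/pb.key
restkeyencryption aes-256:keyfile=/etc/pb.rest.key
iologencryption aes-256:keyfile=/opt/keys/iolog.key aes-128:keyfile=/etc/pb.key
# eventlogencryption aes-256:keyfile=/etc/old.key
EOF
  : > "$tmp/settings_files/pb.key"      # only pb.key has been staged so far
  missing_keyfiles "$tmp/pb.settings" "$tmp/settings_files"
  rm -rf "$tmp"
}
demo
```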

Package name: Name of the package as stored in the RPM package manager database. For Endpoint Privilege Management for Unix and Linux package installations, this name is the same as the package file name without the .arch.rpm extension.

Relocated base directory: The directory where the Endpoint Privilege Management for Unix and Linux binary files and log files are installed. You can choose an alternative directory in which to install these files.

pbinstall program: To create the Endpoint Privilege Management for Unix and Linux settings files, you use the pbinstall program with the -z (settings only) option. pbinstall -z only creates the settings files, and is incompatible with the following command line options:

Options Incompatible with pbinstall -z | Description
-b | Runs pbinstall in batch mode.
-c | Skip the steps that process or update the Endpoint Privilege Management for Unix and Linux settings file.
-e | Runs install script automatically by bypassing the menu step of pbinstall.
-i | Ignores previous pb.settings and pb.cfg files.
-p | Sets the pb installation prefix.
-s | Sets the pb installation suffix.
-u | Installs the utility programs.
-x | Creates a log synchronization host (installs pbsyncd).

When you execute pbinstall with the -z option, you can see two menu items that are not otherwise available:

  • Enter existing pb.settings path: This enables you to specify your own pb.settings file. pbinstall reads this settings file and populates the remaining menu choices. You can override some menu choices. If set to none, then pbinstall does not read a settings file. The remaining menu choices are populated with default values.
  • Enter directory path for settings file creation: This enables you to specify an alternative output directory for the settings files. The default directory is /unzip-dir/powerbroker/v<flavor>/<flavor>install/settings_files, where unzip-dir is the directory where the package tarball file was unzipped.

The behavior of pbinstall -z depends on whether certain additional command line options are specified:

  • If no other command line options are specified, pbinstall initially presents a short version of the installation menu. Depending on the choices you make in these items, further menu items become available.
  • If command line options -g, -l, -m, -o, -r, or -w are specified, pbinstall presents an expanded version of the installation menu that reflects the host types that you are configuring.

When running pbinstall with the -z option, the following menu items are preprogrammed and cannot be changed:

  • Install man pages?
  • Endpoint Privilege Management daemon location
  • Administration programs location
  • User programs location
  • GUI library directory
  • Policy include (sub) file directory
  • User man page location
  • Admin man page location
  • Policy filename
  • BeyondTrust built-in third-party library directory

In addition, the values of the following menu items determine the values of other menu items:

Options Preset When Running pbinstall -z

Setting this menu option to Yes | Sets these values to Yes
Install Master Host? | Install Synchronization?; Synchronization can be initiated from this host?
Install Run Host? | Install Utilities?
Install Submit Host? | Install PBSSH?; Install pbksh?; Install pbsh?; Will this host use a Log Host?
Install Log Host? | Install Synchronization?; Synchronization can be initiated from this host?

If you plan to use the package installer to install Endpoint Privilege Management for Unix and Linux on a computer that already has an interactive Endpoint Privilege Management for Unix and Linux installation on it, see Interactive Versus Packaged Installation for additional considerations.

If you plan to use Registry Name Service and are running pbinstall -z on a client host (non-primary server), you must perform client registration. This is necessary to properly set up the registry name service database. Client registration also requires that you collect from the Endpoint Privilege Management for Unix and Linux primary server the following information:

  • REST Application ID
  • REST Application Key
  • Primary server network name or IP address
  • Primary License Server REST TCP/IP port
  • Registration Client Profile name

Registering client with Primary RNS: If Registry Name Services is enabled for Endpoint Privilege Management for Unix and Linux, each client host (after the first server installation) needs to be registered with the Primary Registry Name Server. When using package installers on a target host, a post-install configuration script (/opt/pbul/scripts/pbrnscfg.sh) is provided to be manually executed on that host to properly register it. This post-install configuration script asks for information about the Primary Registry Name Server, including the Application ID (appid), Application Key (appkey), address/domain name, and the REST TCP/IP port number. This is the same information provided during the client registration part of a pbinstall -z install which generates the settings file.

If you prefer a more convenient method of registering RNS clients, in which the post-install configuration script is non-interactive, Endpoint Privilege Management for Unix and Linux can save the relevant information in a hidden file during the settings-only run of pbinstall, bundle it with the configuration package, and automatically apply it to the target host when that package is installed. This method is not secure, because the registration information is stored in that file and travels with the configuration package; use it only if the security-convenience trade-off is acceptable. To enable it, see the question about the post-install configuration script that is displayed when running pbinstall -z.


Overview of Steps

Use of the Linux package installer involves the following steps:

  1. Unpack the Endpoint Privilege Management for Unix and Linux package tarball file.
  2. Use the pbinstall program to create Endpoint Privilege Management for Unix and Linux settings files.
  3. Use the pbcreatelincfgpkg program to create the Endpoint Privilege Management for Unix and Linux configuration package.
  4. Perform a package installation using the Linux rpm command for any required components.
  5. Perform a package installation using the Linux rpm command for the Endpoint Privilege Management for Unix and Linux configuration package.
  6. If Registry Name Service is enabled and you are installing on a non-primary server, run /opt/pbul/scripts/pbrnscfg.sh to register the host.

For additional details on the above steps, see Installation Procedure.