Linux Package Installer

This section describes how to install Privilege Management for Unix and Linux using a package installer for Red Hat Enterprise Linux (RHEL) 4 or 5 on an x86, x86_64, ia64, or S/390 computer. Use the Linux package installation if you want to install Privilege Management for Unix and Linux using the Linux RPM package manager.

The Privilege Management for Unix and Linux Linux package installer that is described here is not compatible with the Privilege Management Privilege Management v5.x packages. You must remove BeyondTrust Privilege Management packages v5.x before installing Privilege Management for Unix and Linux Linux packages.

Prerequisites

To use the Linux package installer, you must have the following:

  • Package tarball file for the appropriate Privilege Management for Unix and Linux flavor

For the Privilege Management for Unix and Linux Linux package installer, the tarball files are cumulative. That is, an update tarball file contains a complete Privilege Management for Unix and Linux installation. It is not necessary to install a baseline version of Privilege Management for Unix and Linux before installing an upgrade.

  • Root access or superuser privileges
  • RPM Package Manager (rpm) v4.4 or later

The Privilege Management for Unix and Linux Linux package installer does not support prefix or suffix installations.

Plan Your Installation

When preparing to use the Privilege Management for Unix and Linux package installer, you should be familiar with the following concepts and restrictions:

Component packages: A Privilege Management for Unix and Linux component package is an RPM package manager (.rpm) file that installs a part of the Privilege Management for Unix and Linux application. The Privilege Management for Unix and Linux component packages are listed below with the format powerbroker-component-v.v.r.bb-pv.arch.rpm, where:

  • component = Privilege Management component package name
  • v = major version v = minor version r = release
  • bb = build
  • pv = version number of the package
  • arch = architecture (for example, i386)

 

Component Package Description
powerbroker-loghost-v.v.r.bb-pv.arch.rpm Contains log host, pbsync, and pbsyncd.
powerbroker-shlibs-v.v.r.bb-pv.arch.rpm Contains shared libraries.
powerbroker-pbrest-v.v.r.bb-pv.arch.rpm Contains REST API files.
powerbroker-rnssvr-v.v.r.bb-pv.arch.rpm Contains Registry Name Service files.
powerbroker-licsvr-v.v.r.bb-pv.arch.rpm Contains license server files.
powerbroker-master-v.v.r.bb-pv.arch.rpm Contains policy server host, pbsync, and pbsyncd.
powerbroker-submithost-v.v.r.bb-pv.arch.rpm Contains submit host and Privilege Management for Unix and Linux shells.
powerbroker-runhost-v.v.r.bb-pv.arch.rpm Contains run host and Privilege Management for Unix and Linux utilities.
powerbroker-guihost-v.v.r.bb-pv.arch.rpm Contains GUI host and secure GUI host.

Which component packages are required depends on the type of Privilege Management for Unix and Linux host you create, such as policy server host, submit host, and so on. You can select the types of Privilege Management for Unix and Linux hosts in the pbinstall installation menu, as shown in the following table. For readability the ending of each component in the table (-v.v.r.bb-pv.arch.rpm) is removed.

Menu Selection

Required Components (-v.v.r.bb-pv.arch.rpm)

Install everything here (demo mode)? = Yes

powerbroker-master

powerbroker-runhost

powerbroker-submithost

powerbroker-loghost

powerbroker-guihost

powerbroker-shlibs

Install Master Host? = Yes

powerbroker-master

Install Run Host? = Yes

powerbroker-runhost

Install Submit Host? = Yes

powerbroker-submithost

Install Log Host? = Yes powerbroker-loghost
Install GUI Host? = Yes powerbroker-guihost
Install Secure GUI Host? = Yes powerbroker-guihost
Install BeyondTrust built-in third-party libraries? = Yes powerbroker-shlibs
Install Registry Name Services Server? [yes] powerbroker-rnssvr
Install License Server? [yes] powerbroker-licsvr

Configuration package: RPM package that is used to install the following files:

  • pb.settings: Hardcoded target location /etc/pb.settings
  • pb.cfg: Hardcoded target location /etc/pb.cfg
  • All the encryption keyfiles defined for networkencryption, eventlogencryption, iologencryption, reportencryption, policyencryption, and restkeyencryption
  • By default, two key files are created: pb.key and pb.rest.key
  • The sysadmin can define multiple encryption with different keyfiles in locations other than /etc. To upgrade and retain settings on the target machine, view all encryption settings in /etc/pb.settings and copy the files to the settings_files directory before running "pbinstall -z" and pbcreate*cfgpkg
  • pb.conf (for policy server hosts)
  • Man pages for the pbinstall and pbcreatelincfgpkg programs

The Privilege Management for Unix and Linux configuration package is created by the pbcreatelincfgpkg program. The component packages must be installed before you install the configuration package.

Package name: Name of the package as stored in the RPM package manager database. For Privilege Management for Unix and Linux package installations, this name is the same as the package file name without the .arch.rpm extension.

Relocated base directory: The directory where the Privilege Management for Unix and Linux binary files and log files are installed. You can choose an alternative directory in which to install these files.

pbinstall program: To create the Privilege Management for Unix and Linux settings files, you use the pbinstall program with the -z (settings only) option. pbinstall -z only creates the settings files, and is incompatible with the following command line options:

Options Incompatible with pbinstall -z

Description

-b Runs pbinstall in batch mode.
-c Skip the steps that process or update the Privilege Management for Unix and Linux settings file.
-e Runs install script automatically by bypassing the menu step of pbinstall.
-i Ignores previous pb.settings and pb.cfg files.
-p Sets the pb installation prefix.
-s Sets the pb installation suffix.
-u Installs the utility programs.
-x Creates a log synchronization host (installs pbsyncd).

When you execute pbinstall with the -z option, you can see two menu items that are not otherwise available:

  • Enter existing pb.settings path: This enables you to specify your own pb.settings file. pbinstall reads this settings file and populates the remaining menu choices. You can override some menu choices. If set to none, then pbinstall does not read a settings file. The remaining menu choices are populated with default values.
  • Enter directory path for settings file creation: This enables you to specify an alternative output directory for the settings files. The default directory is /unzip-dir/powerbroker/v<flavor>/<flavor>install/settings_files, where unzip-dir is the directory where the package tarball file was unzipped.

The behavior of pbinstall -z depends on whether certain additional command line options are specified:

  • If no other command line options are specified, pbinstall initially presents a short version of the installation menu. Depending on the choices you make in these items, further menu items become available.
  • If command line options -g, -l, -m, -o, -r, or -w are specified, pbinstall presents an expanded version of the installation menu that reflects the host types that you are configuring.

When running pbinstall with the -z option, the following menu items are preprogrammed and cannot be changed:

  • Install man pages?
  • Privilege Management daemon location
  • Administration programs location
  • User programs location
  • GUI library directory
  • Policy include (sub) file directory
  • User man page location
  • Admin man page location
  • Policy filename
  • BeyondTrust built-in third-party library directory

In addition, the values of the following menu items determine the values of other menu items:

Options Preset When Running pbinstall -z

Setting this menu option to Yes

Sets these values to Yes

Install Master Host? Install Synchronization? Synchronization can be initiated from this host?
Install Run Host? Install Utilities?
Install Submit Host? Install PBSSH?

Install pbksh?

Install pbsh?

Will this host use a Log Host?

Install Log Host? Install Synchronization? Synchronization can be initiated from this host?

If you plan to use the package installer to install Privilege Management for Unix and Linux on a computer that already has an interactive Privilege Management for Unix and Linux installation on it, see Interactive Versus Packaged Installation for additional considerations.

If you plan to use Registry Name Service and are running pbinstall -z on a client host (non-primary server), you must perform client registration. This is necessary to properly set up the registry name service database. Client registration also requires that you collect from the Privilege Management for Unix and Linux primary server the following information:

  • REST Application ID
  • REST Application Key
  • Primary server network name or IP address
  • Primary License Server REST TCP/IP port
  • Registration Client Profile name

Registering client with Primary RNS: If Registry Name Services is enabled for Privilege Management for Unix and Linux, each client host (after the first server installation) needs to be registered with the Primary Registry Name Server. When using package installers on a target host, a post-install configuration script (/opt/pbul/scripts/pbrnscfg.sh) is provided to be manually executed on that host to properly register it. This post-install configuration script asks for information about the Primary Registry Name Server, including the Application ID (appid), Application Key (appkey), address/domain name, and the REST TCP/IP port number. This is the same information provided during the client registration part of a pbinstall -z install which generates the settings file.

If you prefer a more convenient method of registering RNS clients where the post-install configuration script is non-interactive, Privilege Management for Unix and Linux can save the relevant information in a hidden file during the settings-only run of pbinstall, bundle it with the configuration package, and automatically apply it to the target host when that package is installed. However, understand that this is not secure, but is available if the security-convenience trade-off is acceptable. To enable this, refer to the question regarding post-install configuration script displayed when running pbinstall -z.

For more information, please see the following:

Overview of Steps

Use of the Linux package installer involves the following steps:

  1. Unpack the Privilege Management for Unix and Linux package tarball file.
  2. Use the pbinstall program to create Privilege Management for Unix and Linux settings files.
  3. Use the pbcreatelincfgpkg program to create the Privilege Management for Unix and Linux configuration package.
  4. Perform a package installation using the Linux rpm command for any required components.
  5. Perform a package installation using the Linux rpm command for the Privilege Management for Unix and Linux configuration package.
  6. If Registry Name Service is enabled and installing on a non-primary servery, run /opt/pbul/scripts/pbrnscfg.sh to register the host.

For additional details on the above steps, please see Installation Procedure.