Installation Procedure

To install Endpoint Privilege Management for Unix and Linux using the RPM package manager, do the following:

  1. Extract the package tarball files into the /opt/beyondtrust/ directory by executing the following command:
    tar xvfz pmul_<flavor_version>_pkg.tar.Z
  2. Optional. The Linux package files for Endpoint Privilege Management for Unix and Linux are digitally signed. You can verify that the packages are genuine by doing the following:
    • Go to www.beyondtrust.com and click Support to display the Endpoint Privilege Management for Unix and Linux Downloads page.
    • In the Customers section, click Login. Use your customer user name and password to log in to the Endpoint Privilege Management for Unix and Linux Downloads page.
    • Click Digital Signature file for Linux RPM packages and download the tar file to the Linux computer.
    • Extract the key from the tar file.
    • Import the key to the RPM database with the following command:
      rpm --import keyfile

      keyfile is the file name of the key file.

    • Navigate to the /opt/beyondtrust/powerbroker/<version>/<flavor>/package/ directory.
    • Execute the following command:
      rpm -K *.rpm

      For each package, you should see output similar to the following:

      powerbroker-master-6.2.0.11-1.i386.rpm: (sha1) dsa sha1 md5 gpg OK

      The OK at the end of the line indicates that the package is genuine.

  3. Navigate to the /opt/beyondtrust/powerbroker/<version>/<flavor>/install/ directory.
  4. Execute the following command:
    ./pbinstall -z

    You can include other options with the -z option. Use the -R option to specify an alternate base directory for installing the component packages.

    pbinstall displays the Endpoint Privilege Management for Unix and Linux installation menu.

    You are asked if you want to use client registration. If you plan to enable Registry Name Service, and install on a host that is not designated as a primary server, you must run client registration.

    pbinstall then asks if you want to enable Registry Name Service.

  5. Make your menu selections. Note that the Enter existing pb.settings path menu option enables you to specify your own pb.settings file to use. Also, the Enter directory path for settings file creation menu option enables you to specify where to save the generated settings files. These menu options are available only when running pbinstall with the -z option.

    When the menu selection process is complete, pbinstall creates the following files in the specified location:

    • pb.settings
    • pb.cfg
    • pb.key (if encryption is enabled)
    • pb.conf (for policy server host)
    • pbpolicykey.pem and pbpolicypubcert.pem (for Policy Server hosts with Cached Policy feature enabled)
  6. Optional. For an Endpoint Privilege Management for Unix and Linux client, if client-server communications are to be encrypted, replace the generated pb.key file with the pb.key file from the policy server host. Also, copy any other required key files into the same directory.

    This step is automatically done if you choose to use client registration.

  7. Required for Cached Policy client installation: Copy the policypubcertfile (default=/etc/pbpolicypubcert.pem) from the policy server to the settings_files directory.
  8. Optional. For a policy server host, write a policy file (pb.conf) and place it in the directory with the other generated files. If you do not provide a pb.conf file, a pb.conf file with the single command reject; is generated and packaged.

    Starting with v8.0, pbinstall -z can optionally install the default role-based policies and asks:

    Installing default role-based policy pbul_policy.conf and pbul_functions.conf in <install_dir>/settings_files
    Would you like to use the default role-based policy in the configuration package?
    • Answer Yes for new installs only.
    • If you are upgrading an existing configuration package, to avoid overwriting your existing policy, answer No.
      Use the default role-based policy [Y]?
    • If you answer Yes, the default pb.conf, pbul_policy.conf and pbul_functions.conf files are created and installed on the policy server.
    • If you plan to install over an existing installation, and have an existing policy in place, answer No.
  9. Navigate to the /opt/beyondtrust/powerbroker/<version>/<flavor>/install/ directory.
  10. Run the pbcreatelincfgpkg utility by typing:
    pbcreatelincfgpkg -p suffix -s directory
    • suffix is appended to the configuration package name; length can be up to 18 characters.
    • directory contains the Endpoint Privilege Management for Unix and Linux settings and configuration files to include in the package.

    The pbcreatelincfgpkg utility creates the Endpoint Privilege Management for Unix and Linux configuration package file, powerbroker-config<suffix>-sv-pv.arch.rpm.

  11. Navigate to the /opt/beyondtrust/powerbroker/<version>/<flavor>/package/ directory.
  12. For each required component package, run the Linux rpm utility to install the component package by typing:
    rpm -iv package-file

    package-file is the name of the component package (.rpm) file. For example:

    rpm -iv powerbroker-submithost-9.4.1.03-1.x86_64.rpm

    To install all component packages, type the following command:
    rpm -iv *.rpm
  13. Navigate to the /opt/beyondtrust/powerbroker/<version>/<flavor>/install/ directory.
  14. Run the Linux rpm utility to install the Endpoint Privilege Management for Unix and Linux configuration package by typing:
    rpm -iv package-file

    package-file is the name of the configuration package (.rpm) file created by pbcreatelincfgpkg in step 10.

  15. Verify the installation of the packages by typing:
    rpm -qa | grep powerbroker
  16. If Registry Name Service is enabled and installed on a non-primary server, register the host with the Primary Registry Name Server using a post-install configuration script. Gather the Application ID, Application Key, network name or IP address, and REST TCP/IP port of the primary server, then run the script to register the host and follow the prompts:
    /opt/pbul/scripts/pbrnscfg.sh
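
For the optional signature check in step 2, a trailing OK alone does not prove a signature was verified: rpm also prints OK for an unsigned package whose digests match. The script below is an added example, not part of the BeyondTrust documentation; it goes beyond the single output line shown in step 2 by also classifying the formats printed by other rpm releases, which are assumptions here. The function names are hypothetical and every sample line except the first is constructed.

```shell
#!/bin/sh
# Added example: refuse to install unless every `rpm -K` line shows a
# verified signature. Function names are hypothetical.

# classify_rpm_k LINE -> prints: verified | unsigned | failed
classify_rpm_k() {
    result=${1#*: }                    # drop the "<file>.rpm: " prefix
    case "$result" in
        *"NOT OK"*) echo failed; return 0 ;;  # bad digest/signature, or key not imported
        *" OK") ;;                            # continue to the signature test
        *) echo failed; return 0 ;;           # unrecognised line: do not trust it
    esac
    # rpm prints an item in lowercase when it was checked and passed. If no
    # signature item is listed, only the digests matched (unsigned package).
    case " $result " in
        *" signatures "*|*" gpg "*|*" pgp "*|*" dsa "*|*" rsa "*) echo verified ;;
        *) echo unsigned ;;
    esac
}

# Reads `rpm -K` output on stdin; returns 0 only if every line is verified.
check_rpm_k_output() {
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        verdict=$(classify_rpm_k "$line")
        if [ "$verdict" != verified ]; then
            printf '%s: %s\n' "$verdict" "$line" >&2
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# First line is the output shown in step 2; the rest are constructed samples.
SAMPLE_RPM_K='powerbroker-master-6.2.0.11-1.i386.rpm: (sha1) dsa sha1 md5 gpg OK
example-unsigned-1.0-1.i386.rpm: sha1 md5 OK
example-nokey-1.0-1.i386.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#00000000)
example-newfmt-1.0-1.x86_64.rpm: digests signatures OK
example-newfmt-unsigned-1.0-1.x86_64.rpm: digests OK'

# Real use, from the package/ directory:  rpm -K *.rpm | check_rpm_k_output
printf '%s\n' "$SAMPLE_RPM_K" | check_rpm_k_output ||
    echo "unverified packages present: do not install"
```

A failed line that mentions missing keys usually means the key import in step 2 was skipped on this host, so repeat rpm --import before re-running the check.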
