Solaris Package Installer
This section describes how to install Privilege Management for Unix and Linux using a package installer for Solaris 9 or 10 on an x86 or SPARC computer. Use the Solaris package installer if you want to do any of the following:
- Install Privilege Management for Unix and Linux using the Solaris Package Manager.
- Make the Privilege Management for Unix and Linux installation packages available on a JumpStart server to automate the installation of Solaris computers.
The Privilege Management for Unix and Linux Solaris package installer described here is not compatible with the BeyondTrust (formerly Symark) Privilege Management v5.x packages. If the v5.x packages are installed, you must remove them before installing the Privilege Management for Unix and Linux Solaris packages.
To use the Solaris package installer, you must have the following:
- Package tarball file for the appropriate Privilege Management for Unix and Linux flavor
For the Solaris package installer, the tarball files are cumulative. That is, an update tarball file contains a complete Privilege Management for Unix and Linux installation. It is not necessary to install a baseline version of Privilege Management for Unix and Linux before installing an update.
- Root access or superuser privileges
The Solaris package installer does not support prefix or suffix installations.
When preparing to use the Solaris package installer, you should be familiar with the following concepts and restrictions:
- Component packages: A Privilege Management for Unix and Linux component package is a Solaris datastream (.ds) file that installs a portion of the Privilege Management for Unix and Linux application.
The Privilege Management for Unix and Linux component packages are:
- BTPBlogh.ds: Contains the log host, pbsync, and pbsyncd.
- BTPBlibs.ds: Contains the shared libraries.
- BTPBrest.ds: Contains the REST API files.
- BTPBrnsh.ds: Contains Registry Name Service files.
- BTPBlich.ds: Contains the license server files.
- BTPBmsth.ds: Contains the policy server host, pbsync, and pbsyncd.
- BTPBsbmh.ds: Contains the submit host and the Privilege Management for Unix and Linux shells.
- BTPBrunh.ds: Contains the run host and the Privilege Management for Unix and Linux utilities.
- BTPBguih.ds: Contains the GUI host and secure GUI host.
Which component packages are required depends on the type of Privilege Management for Unix and Linux host you create, such as policy server host, log host, and so forth. You select the host types in the pbinstall installation menu; each menu item answered Yes requires the component package listed with it below (see the package contents listed above):
- Install everything here (demo mode)?: all component packages
- Install Policy Server Host?: BTPBmsth.ds
- Install Run Host?: BTPBrunh.ds
- Install Submit Host?: BTPBsbmh.ds
- Install Log Host?: BTPBlogh.ds
- Install GUI Host?: BTPBguih.ds
- Install Secure GUI Host?: BTPBguih.ds
- Install BeyondTrust built-in third-party libraries?: BTPBlibs.ds
- Install Registry Name Services Server?: BTPBrnsh.ds
- Install License Server?: BTPBlich.ds
- Configuration package: Solaris installation package that is used to install the following files:
- pb.settings: Hardcoded target location /etc/pb.settings
- pb.cfg: Hardcoded target location /etc/pb.cfg
- All the encryption keyfiles defined for networkencryption, eventlogencryption, iologencryption, reportencryption, policyencryption, and restkeyencryption
- By default, two key files are created: pb.key and pb.rest.key
- The sysadmin can define multiple encryption settings with different keyfiles, in locations other than /etc. To upgrade and retain the settings on the target machine, review every encryption setting in /etc/pb.settings and copy each referenced keyfile into the settings_files directory before running pbinstall -z and pbcreatesolcfgpkg. A configuration package built without a keyfile leaves the upgraded host unable to decrypt data that was protected with it.
- pb.conf (for Policy Server hosts)
- Man pages for the pbinstall and pbcreatesolcfgpkg programs
The Privilege Management for Unix and Linux configuration package is created by the pbcreatesolcfgpkg program. The component packages must be installed before you install the configuration package.
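The following POSIX shell script is an added example, not BeyondTrust code or part of this documentation. It collects the keyfiles that an existing pb.settings references on the six encryption keyword lines and stages them into the settings_files directory before pbinstall -z and pbcreatesolcfgpkg are run, failing if any keyfile is missing rather than silently building a package without it. It assumes each encryption line names its key with a keyfile=<path> token (for example, networkencryption aes-256:keyfile=/etc/pb.key); the pb.settings it builds at the end, and the paths in it, are constructed for the demonstration only.

```shell
#!/bin/sh
# Added example: stage the encryption keyfiles referenced by an existing
# pb.settings before running "pbinstall -z" and pbcreatesolcfgpkg.
# Not BeyondTrust code. ASSUMPTION: each encryption keyword line names its key
# with a "keyfile=<path>" token, e.g. "networkencryption aes-256:keyfile=/etc/pb.key".

# Print every keyfile path named on the six encryption keyword lines,
# de-duplicated, in first-seen order. Comments (#...) are ignored.
pb_keyfiles() {
    [ -r "$1" ] || { echo "cannot read settings file: $1" >&2; return 1; }
    awk '
        { sub(/#.*/, "") }
        $1 ~ /^(network|eventlog|iolog|report|policy|restkey)encryption$/ {
            for (i = 2; i <= NF; i++) {
                n = split($i, part, /[:;,]/)
                for (j = 1; j <= n; j++)
                    if (sub(/^keyfile=/, "", part[j]) && !seen[part[j]]++)
                        print part[j]
            }
        }' "$1"
}

# Copy each referenced keyfile into the settings_files directory that
# pbcreatesolcfgpkg packages. Returns non-zero if any keyfile is missing:
# a configuration package built without it would leave the upgraded host
# unable to decrypt logs and policy written with the old key.
pb_stage_keyfiles() {
    settings=$1; dest=$2; missing=0
    keys=$(pb_keyfiles "$settings") || return 1
    mkdir -p "$dest" || return 1
    for key in $keys; do
        if [ -f "$key" ]; then
            # keep mode/owner, then make sure the staged copy is root-only
            cp -p "$key" "$dest/" && chmod 600 "$dest/$(basename "$key")"
        else
            echo "keyfile named in $settings is missing: $key" >&2
            missing=1
        fi
    done
    return $missing
}

# --- constructed demonstration in a scratch directory (sample data, not a real site) ---
demo=$(mktemp -d)
mkdir -p "$demo/etc" "$demo/keys"
printf 'sample-network-key' > "$demo/etc/pb.key"
printf 'sample-rest-key'    > "$demo/etc/pb.rest.key"
printf 'sample-iolog-key'   > "$demo/keys/iolog.key"
cat > "$demo/etc/pb.settings" <<EOF
# constructed sample settings
networkencryption  aes-256:keyfile=$demo/etc/pb.key
eventlogencryption aes-256:keyfile=$demo/etc/pb.key
iologencryption    aes-256:keyfile=$demo/keys/iolog.key   # key outside /etc
restkeyencryption  aes-256:keyfile=$demo/etc/pb.rest.key
policyencryption   none
EOF
pb_stage_keyfiles "$demo/etc/pb.settings" "$demo/settings_files" && ls -l "$demo/settings_files"
```

Run it against the real /etc/pb.settings and the settings_files directory under the unpacked tarball; a non-zero exit means a keyfile named in the settings is absent and must be located before the configuration package is built.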
- Response file: pbcreatesolcfgpkg may also create a corresponding response file. The response file contains select information provided to pbinstall to customize objects contained within the prebuilt component package. For example, it ensures correct ownership of pblighttpd files. This file is created in the component package directory, /unzip-dir/powerbroker/<version>/<flavor>/package if it is accessible. If it is not, it is created in the current directory in the same location where the component package is created. Its name contains the same prefix supplied to pbcreatesolcfgpkg.
- Package name: Name of the installation package stored in the Solaris package manager database. For Privilege Management for Unix and Linux package installations, this name is the same as the package file name without the .ds extension.
- Package administration file: Contains alternative settings that control how Solaris packages are installed.
- Relocated base directory: The directory where the Privilege Management for Unix and Linux binary files and log files are installed. You can choose an alternative directory in which to install these files.
- pbinstall program: To create the Privilege Management for Unix and Linux settings files, you use the pbinstall program with the -z (settings only) option. pbinstall -z only creates the settings files and is incompatible with the following command line options:
Options Incompatible with pbinstall -z
- -b: Runs pbinstall in batch mode.
- -c: Skips the steps that process or update the Privilege Management for Unix and Linux settings file.
- -e: Runs the install script automatically, bypassing the menu step of pbinstall.
- -i: Ignores previous pb.settings and pb.cfg files.
- -p: Sets the pb installation prefix.
- -s: Sets the pb installation suffix.
- -u: Installs the utility programs.
- -x: Creates a log synchronization host (that is, installs pbsyncd).
When you execute pbinstall with the -z option, you can see two menu items that are not otherwise available:
- Enter existing pb.settings path: Enables you to specify your own pb.settings file. pbinstall reads this settings file and populates the remaining menu choices. You can override some menu choices. If set to none, then pbinstall does not read a settings file. The remaining menu choices are populated with default values.
- Enter directory path for settings file creation: Enables you to specify an alternative output directory for the settings files. The default directory is /unzip-dir/powerbroker/<version>/<flavor>/install/settings_files, where unzip-dir is the directory where the package tarball file was unzipped.
The behavior of pbinstall -z depends on whether certain additional command line options are specified:
- If no other command line options are specified, pbinstall initially presents a short version of the installation menu (items 1–8 only). Depending on the choices you make in these items, further menu items become available.
- If command line options -g, -l, -m, -o, -r, or -w are specified, pbinstall presents an expanded version of the installation menu that reflects the host types that you are configuring.
When running pbinstall with the -z option, the following menu items are preprogrammed and cannot be changed:
- Install man pages?
- Daemon location
- Administration programs location
- User programs location
- GUI library directory
- Policy include (sub) file directory
- User man page location
- Admin man page location
- Policy filename
- BeyondTrust built-in third-party library directory
In addition, the values of the following menu items determine the values of other menu items:
Options Preset When Running pbinstall -z
- Setting Install Policy Server Host? to Yes also sets to Yes: Install Synchronization?; Synchronization can be initiated from this host?
- Setting Install Run Host? or Install Submit Host? to Yes also sets to Yes: Install pbksh?; Install pbsh?; Will this host use a Log Host?
- Setting Install Log Host? to Yes also sets to Yes: Install Synchronization?; Synchronization can be initiated from this host?
If you plan to use Registry Name Service and are running pbinstall -z on a client host (non-primary server), you must perform client registration. This is necessary to properly set up the registry name service database. Client registration also requires that you collect the following information from the Privilege Management for Unix and Linux primary server:
- REST Application ID
- REST Application Key
- Primary server network name or IP address
- Primary License Server REST TCP/IP port
- Registration Client Profile name
- Registering client with Primary RNS: If Registry Name Services is enabled for Privilege Management for Unix and Linux, each client host (after the first server installation) needs to be registered with the Primary Registry Name Server. When using package installers on a target host, a post-install configuration script (/opt/pbul/scripts/pbrnscfg.sh) is provided to be executed manually on that host to register it. This script asks for information about the Primary Registry Name Server, including the Application ID (appid), Application Key (appkey), address/domain name, and the REST TCP/IP port number. This is the same information provided during the client registration part of a pbinstall -z run, which generates the settings file.
If you prefer a non-interactive post-install configuration script, Privilege Management for Unix and Linux can save the relevant information in a hidden file during the settings-only run of pbinstall, bundle it with the configuration package, and apply it automatically on the target host when that package is installed. Be aware that this places the primary server's Application ID and Application Key inside the configuration package, so anyone who can read that package file (for example, on a JumpStart server) can obtain them. This is not secure; use it only if the security-convenience trade-off is acceptable. To enable it, answer the question about the post-install configuration script that pbinstall -z displays.
For more information, please see the following:
- Relocate the Base Directory
- If you use the package installer to install Privilege Management for Unix and Linux on a computer that already has an interactive Privilege Management for Unix and Linux installation on it, see Interactive Versus Packaged Installation for additional considerations
- For complete pbinstall command-line options, please see Installation Programs
Choose a Package Administration File
We recommend that you use the package administration files that are provided by BeyondTrust (BTPBadmin and BTPBadmin<suffix>). These package administration files are configured to eliminate interactive prompts during package installation. If you want to use the Solaris default package administration file or other package administration file for your environment, you may be required to respond to prompts to install the packages.
When installing a package using custom JumpStart, the installation process is required to be noninteractive.
Use Privilege Management for Unix and Linux Packages on Solaris Zones
The Privilege Management for Unix and Linux Solaris package installer supports Solaris Zones in Solaris release 10. The primary operating system instance is referred to as the global zone. All zones that are not the global zone are referred to as non-global zones.
- Sparse root: A sparse root zone is the default zone configuration and is configurable. It shares the global zone's /usr, /lib, /platform, and /sbin partitions read-only.
- Whole root: A whole root zone does not share global zone partitions, which increases configuration flexibility.
- Branded: A branded zone allows virtualization of Solaris 8, 9, or Linux and shares no partitions from the global zone. Branded zones are available as of Solaris 10 release 08/07 update 4.
Privilege Management for Unix and Linux Solaris Packages do not JumpStart to non-global zones. Using Custom JumpStart to install packages on Solaris 10 Zoned systems results in errors as the zones are not running during JumpStart execution.
Installing Privilege Management for Unix and Linux Solaris Packages on Zones is very similar to installing these packages on Solaris systems without zones. However, keep the following considerations in mind:
- Privilege Management for Unix and Linux Solaris packages are designed to be installed from the global zone. Packages are propagated to the sparse and whole root zones upon global zone pkgadd and upon zone creation.
- Privilege Management for Unix and Linux Solaris packages are designed to be uninstalled from the global zone. Packages are removed from sparse and whole root zones upon the global zone pkgrm.
- Privilege Management for Unix and Linux Solaris packages can be installed in the global zone only, by using the pkgadd -G command. Privilege Management for Unix and Linux Solaris packages cannot be installed in sparse zones (with read-only partitions) and should instead be installed in the global zone. Although Privilege Management for Unix and Linux Solaris packages could be installed into a whole-root zone, Privilege Management for Unix and Linux Solaris packages are designed to be installed from the global zone. Packages installed on a whole-root zone are subject to overwriting by packages installed in the global zone.
- As Solaris branded zones are fully contained instances of Solaris 8 or 9, Privilege Management for Unix and Linux packages should be installed as with non-zoned Solaris instances. Loading packages to the global zone does not update a branded zone. Privilege Management for Unix and Linux Solaris packages for Solaris branded zones running Linux are not supported.
- The Privilege Management for Unix and Linux Solaris configuration package must be removed before removing any Privilege Management for Unix and Linux component packages and must be removed individually. Privilege Management for Unix and Linux Solaris component packages may be removed simultaneously.
Overview of Steps
Using the Privilege Management for Unix and Linux Solaris package installer involves the following steps:
- Unpack the Privilege Management for Unix and Linux package tarball file.
- Use the pbinstall program to create Privilege Management for Unix and Linux settings files.
- Use the pbcreatesolcfgpkg program to create the Privilege Management for Unix and Linux configuration package along with a corresponding response file used for additional customization.
- Perform a package installation using the Solaris pkgadd command for any required components.
- Perform a package installation using the Solaris pkgadd command for the Privilege Management for Unix and Linux configuration package.
- If Registry Name Service is enabled and installed on a non-primary server, run /opt/pbul/scripts/pbrnscfg.sh to register the host.
For more detail on the steps above, please see Installation Procedure.
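The following script is an added example, not BeyondTrust code or part of this documentation. It carries out steps 4 and 5 above in the required order: the selected component packages first, then the configuration package, each added from the global zone only (pkgadd -G) with the BTPBadmin file so no prompts appear. Its assumptions, none of which come from the page, are that PBUL_PKGDIR holds the unpacked .ds files and BTPBadmin, that pbinstall -z and pbcreatesolcfgpkg have already produced a configuration package and response file (the names BTPBcfg.ds and BTPBcfg.resp are illustrative), that the response file is passed to each component package with pkgadd -r, and that the host-type keywords (libs, policy, run, submit, log, gui, rest, rns, license) are the script's own shorthand for the pbinstall menu items.

```shell
#!/bin/sh
# Added example, not BeyondTrust code or documentation: install the component
# packages and then the configuration package, in the order the page requires,
# from the global zone, using the BTPBadmin file so pkgadd needs no answers.
# Assumptions (not from the page): PBUL_PKGDIR holds the unpacked .ds files and
# BTPBadmin; pbinstall -z and pbcreatesolcfgpkg already produced the
# configuration package and response file named below (names are illustrative);
# the response file is passed with "pkgadd -r" to each component package.
# Set DRY_RUN=1 to print the pkgadd command lines instead of running them.
# Usage: DRY_RUN=1 sh pbul_pkg_install.sh libs policy log

PBUL_PKGDIR=${PBUL_PKGDIR:-/var/tmp/powerbroker/package}
PBUL_ADMIN=${PBUL_ADMIN:-$PBUL_PKGDIR/BTPBadmin}
PBUL_CFGPKG=${PBUL_CFGPKG:-$PBUL_PKGDIR/BTPBcfg.ds}
PBUL_RESPONSE=${PBUL_RESPONSE:-$PBUL_PKGDIR/BTPBcfg.resp}
DRY_RUN=${DRY_RUN:-0}

# Package name as recorded in the Solaris package database: file name minus .ds.
pkgname_from_ds() { basename "$1" .ds; }

# Map the host types chosen in the pbinstall menu to component packages, using
# the package descriptions on this page. Output order follows the arguments;
# duplicates are dropped. Unknown types are rejected before anything is printed.
pbul_components() {
    for t in "$@"; do
        case $t in
            libs|policy|run|submit|log|gui|rest|rns|license) ;;
            *) echo "unknown host type: $t" >&2; return 1 ;;
        esac
    done
    for t in "$@"; do
        case $t in
            libs)    echo BTPBlibs.ds ;;
            policy)  echo BTPBmsth.ds ;;
            run)     echo BTPBrunh.ds ;;
            submit)  echo BTPBsbmh.ds ;;
            log)     echo BTPBlogh.ds ;;
            gui)     echo BTPBguih.ds ;;
            rest)    echo BTPBrest.ds ;;
            rns)     echo BTPBrnsh.ds ;;
            license) echo BTPBlich.ds ;;
        esac
    done | awk '!seen[$0]++'
}

# Execute a command, or just print it when DRY_RUN=1.
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Add one datastream package in the global zone only (-G), non-interactively
# via the admin file. Extra arguments (such as -r response) are passed through.
pbul_pkgadd() {
    ds=$1; shift
    [ -f "$ds" ] || { echo "package file not found: $ds" >&2; return 1; }
    run pkgadd -G -a "$PBUL_ADMIN" "$@" -d "$ds" "$(pkgname_from_ds "$ds")"
}

pbul_install() {
    [ -f "$PBUL_ADMIN" ] || { echo "admin file not found: $PBUL_ADMIN" >&2; return 1; }
    if [ "$DRY_RUN" != 1 ]; then
        [ "$(id -u)" = 0 ] || { echo "must run as root" >&2; return 1; }
        # zonename(1) exists on Solaris 10; packages are added from the global zone.
        [ "$(zonename 2>/dev/null)" = global ] || { echo "run from the global zone" >&2; return 1; }
    fi
    comps=$(pbul_components "$@") || return 1
    resp=
    [ -f "$PBUL_RESPONSE" ] && resp="-r $PBUL_RESPONSE"
    for ds in $comps; do
        pbul_pkgadd "$PBUL_PKGDIR/$ds" $resp || return 1
    done
    # Configuration package last: it expects the component packages to be present.
    pbul_pkgadd "$PBUL_CFGPKG" || return 1
}

if [ $# -gt 0 ]; then
    pbul_install "$@" || exit 1
fi
```

With DRY_RUN unset the script runs pkgadd for real and refuses to proceed unless it is root in the global zone. Step 6, running /opt/pbul/scripts/pbrnscfg.sh on an RNS client host, is left to the operator because that script prompts for the primary server's credentials.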