Solaris Package Installer

This section describes how to install Endpoint Privilege Management for Unix and Linux using a package installer for Solaris 9 or 10 on an x86 or SPARC computer. Use the Solaris package installer if you want to do any of the following:

  • Install Endpoint Privilege Management for Unix and Linux using the Solaris Package Manager.
  • Make the Endpoint Privilege Management for Unix and Linux installation packages available on a JumpStart server to automate the installation of Solaris computers.

The Endpoint Privilege Management for Unix and Linux Solaris package installer that is described here is not compatible with the BeyondTrust Endpoint Privilege Management v5.x packages. If the Symark Endpoint Privilege Management v5.x packages are installed, you must remove them before installing the Endpoint Privilege Management for Unix and Linux Solaris packages.

Prerequisites

To use the Solaris package installer, you must have the following:

  • Package tarball file for the appropriate Endpoint Privilege Management for Unix and Linux flavor

For the Solaris package installer, the tarball files are cumulative. That is, an update tarball file contains a complete Endpoint Privilege Management for Unix and Linux installation. It is not necessary to install a baseline version of Endpoint Privilege Management for Unix and Linux before installing an update.

  • Root access or superuser privileges

The Solaris package installer does not support prefix or suffix installations.

Plan Your Installation

When preparing to use the Solaris package installer, you should be familiar with the following concepts and restrictions:

  • Component packages: an Endpoint Privilege Management for Unix and Linux component package is a Solaris datastream (.ds) file that installs a portion of the Endpoint Privilege Management for Unix and Linux application.

    The Endpoint Privilege Management for Unix and Linux component packages are:

    • BTPBlogh.ds: Contains the log host, pbsync, and pbsyncd.
    • BTPBlibs.ds: Contains the shared libraries.
    • BTPBrest.ds: Contains the REST API files.
    • BTPBrnsh.ds: Contains Registry Name Service files.
    • BTPBlich.ds: Contains the license server files.
    • BTPBmsth.ds: Contains the policy server host, pbsync, and pbsyncd.
    • BTPBsbmh.ds: Contains the submit host and Endpoint Privilege Management for Unix and Linux shells.
    • BTPBrunh.ds: Contains the run host and Endpoint Privilege Management for Unix and Linux utilities.

    Which component packages are required depends on the type of Endpoint Privilege Management for Unix and Linux host you create, such as policy server host, log host, and so forth. You can select the types of Endpoint Privilege Management for Unix and Linux hosts in the pbinstall installation menu, as shown in the following table.

    Menu Selection | Required Components
    Install everything here (demo mode)? = Yes | BTPBmstr, BTPBrunh, BTPBsbmh, BTPBlogh, BTPBguih, BTPBlibs
    Install Policy Server Host? = Yes | BTPBmstr
    Install Run Host? = Yes | BTPBrunh
    Install Submit Host? = Yes | BTPBsbmh
    Install Log Host? = Yes | BTPBlogh
    Install BeyondTrust built-in third-party libraries? = Yes | BTPBlibs
    Install Registry Name Services Server? [yes] | BTPBrnsh.ds
    Install License Server? [yes] | BTPBlich.ds

  • Configuration package: Solaris installation package that is used to install the following files:
    • pb.settings: Hardcoded target location /etc/pb.settings
    • pb.cfg: Hardcoded target location /etc/pb.cfg
    • All the encryption keyfiles defined for networkencryption, eventlogencryption, iologencryption, reportencryption, policyencryption, and restkeyencryption
    • By default, two key files are created: pb.key and pb.rest.key
    • The sysadmin can define multiple encryption settings with different key files in locations other than /etc. To upgrade and retain settings on the target machine, view all encryption settings in /etc/pb.settings and copy the key files to the settings_files directory before running "pbinstall -z" and pbcreate*cfgpkg.
    • pb.conf (for Policy Server hosts)
    • Man pages for the pbinstall and pbcreatesolcfgpkg programs

    The Endpoint Privilege Management for Unix and Linux configuration package is created by the pbcreatesolcfgpkg program. The component packages must be installed before you install the configuration package.

     
  • Response file: pbcreatesolcfgpkg may also create a corresponding response file. The response file contains select information provided to pbinstall to customize objects contained within the prebuilt component package. For example, it ensures correct ownership of pblighttpd files. This file is created in the component package directory, /unzip-dir/powerbroker/<version>/<flavor>/package if it is accessible. If it is not, it is created in the current directory in the same location where the component package is created. Its name contains the same prefix supplied to pbcreatesolcfgpkg.
  • Package name: Name of the installation package stored in the Solaris package manager database. For Endpoint Privilege Management for Unix and Linux package installations, this name is the same as the package file name without the .ds extension.
  • Package administration file: Contains alternative settings that control how Solaris packages are installed.
  • Relocated base directory: The directory where the Endpoint Privilege Management for Unix and Linux binary files and log files are installed. You can choose an alternative directory in which to install these files.
  • pbinstall program: To create the Endpoint Privilege Management for Unix and Linux settings files, you use the pbinstall program with the -z (settings only) option. pbinstall -z only creates the settings files and is incompatible with the following command line options:

    Options Incompatible with pbinstall -z

    Option | Description
    -b | Runs pbinstall in batch mode.
    -c | Skip the steps that process or update the Endpoint Privilege Management for Unix and Linux settings file.
    -e | Runs install script automatically by bypassing the menu step of pbinstall.
    -i | Ignores previous pb.settings and pb.cfg files.
    -p | Sets the pb installation prefix.
    -s | Sets the pb installation suffix.
    -u | Install the utility programs.
    -x | Creates a log synchronization host (that is, installs pbsyncd).

    When you execute pbinstall with the -z option, you can see two menu items that are not otherwise available:

    • Enter existing pb.settings path: Enables you to specify your own pb.settings file. pbinstall reads this settings file and populates the remaining menu choices. You can override some menu choices. If set to none, then pbinstall does not read a settings file. The remaining menu choices are populated with default values.
    • Enter directory path for settings file creation: Enables you to specify an alternative output directory for the settings files. The default directory is /unzip-dir/powerbroker/<version>/<flavor>/install/settings_files, where unzip-dir is the directory where the package tarball file was unzipped.

    The behavior of pbinstall -z depends on whether certain additional command line options are specified:

    • If no other command line options are specified, pbinstall initially presents a short version of the installation menu (items 1–8 only). Depending on the choices you make in these items, further menu items become available.
    • If command line options -g, -l, -m, -o, -r, or -w are specified, pbinstall presents an expanded version of the installation menu that reflects the host types that you are configuring.

    When running pbinstall with the -z option, the following menu items are preprogrammed and cannot be changed:

    • Install man pages?
    • Daemon location
    • Administration programs location
    • User programs location
    • GUI library directory
    • Policy include (sub) file directory
    • User man page location
    • Admin man page location
    • Policy filename
    • BeyondTrust built-in third-party library directory

    In addition, the values of the following menu items determine the values of other menu items:

    Options Preset When Running pbinstall -z

    Setting this menu option to Yes | Sets these values to Yes
    Install Policy Server Host? | Install Synchronization? Synchronization can be initiated from this host?
    Install Run Host? | Install Utilities?
    Install Submit Host? | Install PBSSH? Install pbksh? Install pbsh? Will this host use a Log Host?
    Install Log Host? | Install Synchronization? Synchronization can be initiated from this host?

    If you plan to use Registry Name Service and are running pbinstall -z on a client host (non-primary server), you must perform client registration. This is necessary to properly set up the registry name service database. Client registration also requires that you collect the following information from the Endpoint Privilege Management for Unix and Linux primary server:

    • REST Application ID
    • REST Application Key
    • Primary server network name or IP address
    • Primary License Server REST TCP/IP port
    • Registration Client Profile name
  • Registering client with Primary RNS: If Registry Name Services is enabled for Endpoint Privilege Management for Unix and Linux, each client host (after the first server installation) needs to be registered with the Primary Registry Name Server. When using package installers on a target host, a post-install configuration script (/opt/pbul/scripts/pbrnscfg.sh) is provided to be manually executed on that host to properly register it. This post-install configuration script will ask for information about the Primary Registry Name Server, including the Application ID (appid), Application Key (appkey), address/domain name, and the REST TCP/IP port number. This is the same information provided during the client registration part of a pbinstall -z install which generates the settings file.

    If you prefer a more convenient method of registering RNS clients, where the post-install configuration script is non-interactive, Endpoint Privilege Management for Unix and Linux can save the relevant information in a hidden file during the settings-only run of pbinstall, bundle it with the configuration package, and automatically apply it to the target host when that package is installed. This method is not secure, because the registration information is stored in a file that travels with the configuration package, but it is available if the security-convenience trade-off is acceptable. To enable it, refer to the question about the post-install configuration script that is displayed when running pbinstall -z.
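The configuration package item above says to view all encryption settings in /etc/pb.settings and copy the key files to settings_files before running pbinstall -z. The following is an added example, not vendor code, that lists and stages those files; the entry syntax it parses, the function names, and the sample values are assumptions.

```shell
#!/bin/sh
# Added example, not vendor code. Assumed pb.settings entry syntax:
#   <setting> <algorithm>:keyfile=<path>[:<more options>] [<algorithm>:keyfile=<path> ...]
# On Solaris 9/10 run under ksh or /usr/xpg4/bin/sh and set AWK=nawk.
# Usage: stage_keyfiles /etc/pb.settings <settings_files directory>
AWK=${AWK:-awk}
ENC='networkencryption eventlogencryption iologencryption reportencryption policyencryption restkeyencryption'

# list_keyfiles SETTINGS_FILE: print each distinct key file path referenced by
# the six encryption settings.
list_keyfiles() {
    $AWK -v names="$ENC" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        /^[ \t]*#/ { next }                      # skip comment lines
        ($1 in want) {
            for (f = 2; f <= NF; f++) {          # one field per algorithm entry
                m = split($f, part, ":")
                for (p = 1; p <= m; p++)
                    if (part[p] ~ /^keyfile=/) print substr(part[p], 9)
            }
        }' "$1" | LC_ALL=C sort -u
}

# stage_keyfiles SETTINGS_FILE DEST_DIR: copy every referenced key file into
# DEST_DIR, preserving mode. Returns 1 if a file is missing or if two paths
# share a basename (a flat copy would overwrite one key with another).
stage_keyfiles() {
    rc=0; seen=' '
    for kf in $(list_keyfiles "$1"); do
        base=${kf##*/}
        case "$seen" in
            *" $base "*) echo "COLLISION $kf" >&2; rc=1; continue ;;
        esac
        seen="$seen$base "
        if [ -f "$kf" ]; then
            cp -p "$kf" "$2/$base" || rc=1
        else
            echo "MISSING $kf" >&2; rc=1
        fi
    done
    return $rc
}

# Constructed sample input, not taken from a real host.
sample_settings() {
    printf '%s\n' '# constructed pb.settings excerpt' \
        'networkencryption aes-256:keyfile=/etc/pb.key' \
        'iologencryption aes-256:keyfile=/opt/keys/iolog.key des:keyfile=/etc/pb.key' \
        'restkeyencryption aes-256:keyfile=/etc/pb.rest.key' \
        'submitmasters pbmaster1'
}
```

Because the staged copies are key material, keep the destination directory readable by root only and remove the copies once the configuration package has been built.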

Choose a Package Administration File

We recommend that you use the package administration files that are provided by BeyondTrust (BTPBadmin and BTPBadmin<suffix>). These package administration files are configured to eliminate interactive prompts during package installation. If you want to use the Solaris default package administration file or other package administration file for your environment, you may be required to respond to prompts to install the packages.

When installing a package using custom JumpStart, the installation process is required to be noninteractive.
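To check whether a package administration file other than BTPBadmin would stop for input, the following added example (not vendor code) reports the parameters that would prompt. It assumes the Solaris admin(4) rule that a parameter set to "ask" or left unassigned makes pkgadd ask the installer; the function names and both sample files are constructed.

```shell
#!/bin/sh
# Added example, not vendor code: report which admin(4) parameters in a
# package administration file would make pkgadd stop and prompt.
# Assumption from admin(4): a parameter set to "ask", or left unassigned,
# causes pkgadd to ask the installer how to proceed.
# On Solaris 9/10 set AWK=nawk (legacy /usr/bin/awk lacks -v).
AWK=${AWK:-awk}
CHECKED='instance partial runlevel idepend rdepend space setuid conflict action'

# prompting_params ADMIN_FILE: print each checked parameter that is "ask",
# empty, or absent from the file (one per line, in CHECKED order).
prompting_params() {
    $AWK -F= -v names="$CHECKED" '
        BEGIN { n = split(names, order, " ") }
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        {
            key = $1; gsub(/[ \t]/, "", key)
            val = $2; gsub(/[ \t]/, "", val)
            set[key] = val
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(order[i] in set) || set[order[i]] == "" || set[order[i]] == "ask")
                    print order[i]
        }' "$1"
}

# Constructed sample, modelled on the Solaris default administration file.
sample_default_admin() {
    printf '%s\n' 'mail=' 'instance=unique' 'partial=ask' 'runlevel=ask' 'idepend=ask' \
        'rdepend=ask' 'space=ask' 'setuid=ask' 'conflict=ask' 'action=ask' 'basedir=default'
}

# Constructed sample of a non-interactive administration file.
sample_quiet_admin() {
    printf '%s\n' 'mail=' 'instance=overwrite' 'partial=nocheck' 'runlevel=nocheck' \
        'idepend=nocheck' 'rdepend=nocheck' 'space=nocheck' 'setuid=nocheck' \
        'conflict=nocheck' 'action=nocheck' 'basedir=default'
}
```

With setuid=nocheck and action=nocheck, pkgadd installs setuid files and runs package scripts without asking, so confirm that the .ds files come from the vendor tarball before installing with such a file.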

Use Endpoint Privilege Management for Unix and Linux Packages on Solaris Zones

The Endpoint Privilege Management for Unix and Linux Solaris package installer supports Solaris Zones in Solaris release 10. The primary operating system instance is referred to as the global zone. All zones that are not the global zone are referred to as non-global zones.

Solaris release 10 is required. The use of Solaris Zones is not supported on earlier releases. There are three types of zones:
  • Sparse root: A sparse zone is the default zone configuration and is configurable. It shares the global zone's read-only /usr, /lib, /platform, and /sbin partitions.
  • Whole root: A whole root zone does not share global zone partitions, which increases configuration flexibility.
  • Branded: A branded zone allows virtualization of Solaris 8, 9, or Linux and shares no partitions from the global zone. Branded zones are available as of Solaris 10 release 08/07 update 4.

Endpoint Privilege Management for Unix and Linux Solaris Packages do not JumpStart to non-global zones. Using Custom JumpStart to install packages on Solaris 10 Zoned systems results in errors as the zones are not running during JumpStart execution.

Installing Endpoint Privilege Management for Unix and Linux Solaris Packages on Zones is very similar to installing these packages on Solaris systems without zones. However, keep the following considerations in mind:

  • Endpoint Privilege Management for Unix and Linux Solaris packages are designed to be installed from the global zone. Packages are propagated to the sparse and whole root zones upon global zone pkgadd and upon zone creation.
  • Endpoint Privilege Management for Unix and Linux Solaris packages are designed to be uninstalled from the global zone. Packages are removed from sparse and whole root zones upon the global zone pkgrm.
  • Endpoint Privilege Management for Unix and Linux Solaris packages can be installed in the global zone only, by using the pkgadd -G command. Endpoint Privilege Management for Unix and Linux Solaris packages cannot be installed in sparse zones (with read-only partitions) and should instead be installed in the global zone. Although Endpoint Privilege Management for Unix and Linux Solaris packages could be installed into a whole-root zone, Endpoint Privilege Management for Unix and Linux Solaris packages are designed to be installed from the global zone. Packages installed on a whole-root zone are subject to overwriting by packages installed in the global zone.
  • As Solaris branded zones are fully contained instances of Solaris 8 or 9, Endpoint Privilege Management for Unix and Linux packages should be installed as with non-zoned Solaris instances. Loading packages to the global zone does not update a branded zone. Endpoint Privilege Management for Unix and Linux Solaris packages for Solaris branded zones running Linux are not supported.
  • The Endpoint Privilege Management for Unix and Linux Solaris configuration package must be removed before removing any Endpoint Privilege Management for Unix and Linux component packages and must be removed individually. Endpoint Privilege Management for Unix and Linux Solaris component packages may be removed simultaneously.

Overview of Steps

Using the Endpoint Privilege Management for Unix and Linux Solaris package installer involves the following steps:

  1. Unpack the Endpoint Privilege Management for Unix and Linux package tarball file.
  2. Use the pbinstall program to create Endpoint Privilege Management for Unix and Linux settings files.
  3. Use the pbcreatesolcfgpkg program to create the Endpoint Privilege Management for Unix and Linux configuration package along with a corresponding response file used for additional customization.
  4. Perform a package installation using the Solaris pkgadd command for any required components.
  5. Perform a package installation using the Solaris pkgadd command for the Endpoint Privilege Management for Unix and Linux configuration package.
  6. If Registry Name Service is enabled and installed on a non-primary server, run /opt/pbul/scripts/pbrnscfg.sh to register the host.

For more detail on the steps above, see Installation Procedure.