Installation Preparation

This section lists the items that you need to plan for and be aware of before starting the Privilege Management for Unix and Linux installation.

Pre-installation Checks

pbulpreinstall.sh performs some basic preinstallation checks such as:

  • Checks hostname resolution and DNS and name services resolution to verify that the default ports are not in use.
  • Checks for sufficient disk space.
  • Reports technical support-related information such as the operating system, NIC information, gateway, and super daemon status. If Privilege Management for Unix and Linux is already installed, the Privilege Management for Unix and Linux roles such as submithost, runhost, policy perver, logserver, and pbx are reported.

This script has an optional -t <datetime in UTC> argument, which initiates a time verification check. This check simply validates that the host's time is within 60 seconds of the time specified. The time specified must be UTC, in the format 20130827154130, such as:

date -u '+%Y%m%d%H%M%S'

This script has an optional -f argument, which causes pbulpreinstall.sh to produce machine readable output intended for the BeyondInsight for Unix & Linux installation console.

Prior to installation, the pbulpreinstall.sh script is located in the Privilege Management for Unix and Linux distribution in the following directory powerbroker/<version>/<flavor>/install. After installation, this script is installed in the '$inst_admin' directory. /usr/sbin is the default.

Obtain a License Validation Key

To install Privilege Management for Unix and Linux, you need a license string, which is provided by your BeyondTrust sales representative.

Privilege Management for Unix and Linux primary license server hosts perform the license resolution functions for Privilege Management for Unix and Linux and are the only Privilege Management for Unix and Linux host types that require a license key. For a policy server host to accept a task, the primary license server must have a current valid license key. The distribution includes a temporary license key with a two month expiration date from the date of the installation.

If installing using pbinstall, the license key may be configured during installation using the Privilege Management for Unix and Linux license installation menu item. After the installation is complete, the Privilege Management for Unix and Linux license can also be added using the pbadmin --lic -u command.

Obtain root Access

Installation of the Privilege Management for Unix and Linux product requires root access.

Plan Privilege Management for Unix and Linux Hosts

A Privilege Management for Unix and Linux installation includes several host types, each of which performs specific functions. Prior to installation, you need to determine which host type needs to be placed on the individual machines in your environment.

Privilege Management for Unix and Linux must be installed separately on each machine running any type of Privilege Management for Unix and Linux host.

Select License Servers

Determine which hosts to use as license servers. These are the machines that perform the license resolution functions for Privilege Management for Unix and Linux. These hosts are the only types that require a license key. They store and maintain the product license, parameters, and usage information.

The first installation of Privilege Management for Unix and Linux becomes the primary license server. Subsequent license server installations obtain their data when the primary license server performs synchronization.

Select Submit Hosts

Select Submit Hosts determines which machines to use as submit hosts. These are the machines where pbrun is installed and executed. pbrun is the Privilege Management for Unix and Linux utility used to submit secure tasks that might run on the same or different hosts. At minimum, one submit host must be available to process monitored task requests.

Select Run Hosts

Determine which machines to use as Privilege Management for Unix and Linux run hosts. These are the machines where pblocald, pbsh, and pbksh are installed and executed. pblocald is the daemon process that executes secure tasks. At minimum, one run host must be available to process accepted task requests.

Multiple Privilege Management for Unix and Linux components can be installed on a single machine. For example, it is possible for a single physical machine to serve as a submit host, policy server host, run host, log host, log sync host, and GUI host.

Select Policy Server Hosts

Determine which machines to use as Privilege Management for Unix and Linux policy server hosts. These are the machines where pbmasterd is installed and executed. pbmasterd is the daemon process that accepts or rejects all tasks that are submitted by submit hosts, and if accepted, it authorizes a specific run host to execute each task. The policy server host is where policy files reside (by default /opt/pbul/policies/pb.conf from v9.4.3+ and /etc/pb.conf prior to v9.4.3). Any policy files referenced by include statements are also in the policy file.

There must be at least one policy server host in a Privilege Management for Unix and Linux installation. We recommend that a second, failover policy server host also be installed and have the same policy files as the primary policy server host to give redundancy to your Privilege Management for Unix and Linux installation.

Depending on the size of your Privilege Management for Unix and Linux environment and the volume of tasks executed through the Privilege Management for Unix and Linux system, it may be desirable to add additional Privilege Management for Unix and Linux policy server hosts to your Privilege Management for Unix and Linux installation. Additional Privilege Management for Unix and Linux policy server hosts can be added during the initial installation of Privilege Management for Unix and Linux or afterward.

Select Log Hosts

Using a log host to record event and I/O logs is optional. To use this feature, determine which machine (or machines) to use as Privilege Management for Unix and Linux log hosts. This machine is where pblogd is installed and executed. For Privilege Management for Unix and Linux, if a log host is not used, pbmasterd and pblocald are responsible for logging activities. As with policy server hosts, multiple log hosts are recommended to provide redundancy. When there is a log host failover, the log synchronization utilities in Privilege Management for Unix and Linux can be used to resynchronize the log entries.

The load on the log hosts varies with the amount of logging performed. I/O logs require greater resources on the log hosts. Additional log hosts can be added to your environment during installation or afterward, as needed.

Enable Log Synchronization Host

Log synchronization enables a log host, or a policy server host that is acting as a log host, to participate in log synchronization. Install the log synchronization component on any log host or policy server host that may participate in log synchronization. Log synchronization should be installed on each log or policy server host if you are installing primary and failover log hosts, or are installing policy server hosts that are acting as log hosts.

If log synchronization is used, then one or more machines need to have the ability to initiate log synchronization.

Enable GUI Host

Using a GUI host is optional. The Privilege Management for Unix and Linux GUI is a Web interface for administering the policy server hosts and log hosts, and the Privilege Management for Unix and Linux settings file, /etc/pb.settings. The GUI host can maintain Privilege Management for Unix and Linux components only on the same machine as where the GUI host is installed. The GUI host can be configured to use the HTTP protocol or the HTTPS protocol. When used with HTTPS, the Web interface is called the secure GUI host.

Privilege Management for Unix and Linux Utilities

Using the Privilege Management for Unix and Linux utilities is optional. The Privilege Management for Unix and Linux utilities are secured versions of vi, nvi, mg, umacs, and less. Privilege Management for Unix and Linux utilities can only be installed on a machine where a Privilege Management for Unix and Linux run host is installed.

Privilege Management for Unix and Linux Shells

Using the Privilege Management for Unix and Linux shells is optional. ThePrivilege Management for Unix and Linux shells are secured versions of the Korn Shell and the Borne Shell. The Privilege Management for Unix and Linux & Linux shells can be installed only on a machine where a Privilege Management for Unix and Linux submit host is installed.

Select Port Numbers

You need to decide whether to use the Privilege Management for Unix and Linux default port numbers or to specify your own. Privilege Management for Unix and Linux uses the following default port numbers:

pbmasterd 24345
pblocald 24346
pblogd 24347
pbguid 24348
pbsguid 24349
pbsyncd 24350
pbrestport 24351

 

If you decide to change the port number defaults, be sure to choose port numbers that do not conflict with those already in use. See /etc/services. Also, if present and active, review the services NIS map. Privilege Management for Unix and Linux port numbers must use the non-reserved system ports. The allowed port numbers are 1024 to 65535.

Select Installation Directories

Decide whether to use the Privilege Management for Unix and Linux default installation directories or to specify your own. Specifying your own installation directories allows for Privilege Management for Unix and Linux optimization of the local installation.

Select syslog

Use of syslog is optional. Determine if the policy server host, run host, submit host, GUI host, log sync host, and/or log host should generate syslog records when system error conditions are encountered.

Select Encryption

By default, Privilege Management for Unix and Linux installs with AES-256 encryption; however, it can support a large number of encryption technologies. In Privilege Management for Unix and Linux v3.0 and earlier, DES and 3DES are supported. Beginning with Privilege Management for Unix and Linux v3.2, many additional encryption modes are supported.

Prior to selecting which encryption technology you plan to use, please see the Privilege Management for Unix and Linux Administration Guide.

Firewalls

Privilege Management for Unix and Linux can be used in a firewall environment with special configuration.

If you are installing Privilege Management for Unix and Linux into an environment where the Privilege Management for Unix and Linux components need to communicate across firewalls, please see the Privilege Management for Unix and Linux Administration Guide before installing.

Use NIS

Privilege Management for Unix and Linux can use NIS to provide configuration services for Privilege Management for Unix and Linux settings. Netgroups can be defined for the Accept policy servers (pbacceptmaster), Submit solicy servers (pbsubmitmasters) and log host (pblogservers) settings. NIS can also be used to provide port lookup information for the Privilege Management for Unix and Linux components. If NIS is running in your environment, consider using Privilege Management for Unix and Linux netgroups and port definitions.

Verify Proper TCP/IP Operation

Privilege Management for Unix and Linux uses TCP/IP as its communication protocol. Therefore, it is essential that TCP/IP be working correctly before Privilege Management for Unix and Linux installation. Use programs such as ping, netstat, route, or traceroute to verify correct TCP/IP operation among all hosts that will have Privilege Management for Unix and Linux components installed.

Verify Network Host Information

Ensure that each network host knows the names and addresses of all other network hosts. Network host information is generally stored in the /etc/hosts file on each network host machine or in the NIS maps or DNS files on a server. Each submit host should resolve all of the policy server host names correctly. Each policy server host should resolve all submit, run, GUI, and log host names correctly. The resolution must work correctly in both directions: name-to-IP address and IP address-to-name.

After installation, the pbbench utility generates warnings for any host name resolution issues on a host where Privilege Management components are installed.