Custom Installations

The preferred methods for installing Endpoint Privilege Management for Unix and Linux are to use the command line pbinstall or pbmakeremotetar. In some instances, however, customer requirements may dictate some custom installation methods. This section covers several topics you should be aware of when planning a custom installation.

Before performing a custom installation of Endpoint Privilege Management for Unix and Linux, several issues need to be taken into consideration:

  • Third-party libraries
  • Executable files
  • pb.settings file
  • pb.key file
  • Superdaemon configuration update
  • Policy files for policy server hosts

Remotely mounted file systems raise file system accessibility concerns. If an installation initially references files on a host under a different name (because of network and/or NIC configuration), the target system may be unable to reference those files correctly on the original host.

Third-Party Libraries

The appropriate third-party libraries are required when Endpoint Privilege Management for Unix and Linux is configured with SSL, Kerberos, or LDAP.

For more information about third-party libraries, see Configure Third-Party Libraries.

Executable Files

Regardless of how Endpoint Privilege Management for Unix and Linux is placed on multiple systems, the proper executable and supporting files for the flavor and functions of the system must be visible and executable on that system.

It is possible to place the target of the administration, user, daemon, and/or utility programs on a remotely mounted file system. If this is done, the following issues must be addressed:

  • The correct flavor for a system must be visible in the path for the given system.
  • The superuser owner and suid setting of pbrun must be handled properly.
  • The remotely mounted file system must be very reliable.
  • Endpoint Privilege Management for Unix and Linux event, I/O, and daemon error logs are not supported when written to remotely mounted file systems.

Settings File

The /etc/pb.settings file must be configured for the functions that the new host is to perform; the install scripts do this automatically. When performing a custom install, each machine needs a correctly configured /etc/pb.settings file.

Key File

If encryption is used, then the pb.key file must be the same across all cooperating Endpoint Privilege Management for Unix and Linux installations. This is typically a manual distribution (because the pb.key file can be compromised if it is not handled properly) except when performing a remote installation using the archive from pbmakeremotetar.

superdaemon Configuration

The superdaemons on the system must be configured for the Endpoint Privilege Management for Unix and Linux daemons. The Endpoint Privilege Management for Unix and Linux installation performs this configuration automatically.

For more information about superdaemons, see the documentation for your operating system.

Policy Files for Policy Server Hosts

Policy files and their subfiles must be copied between policy server hosts so that all of the policy servers use the same policies.

Endpoint Privilege Management for Unix and Linux, being an authentication tool and not a software distribution tool, does not automatically propagate policy files between policy server hosts. It is possible, and left as an exercise, to write procedures and policies that allow a central policy server host to propagate policy files to other policy server hosts.

Policy subfiles are copied if their name is specified as a constant. If the name is specified as a variable or string concatenation in the parent policy, then that policy is not copied by pbmakeremotetar and must be manually propagated to the target machines.

The policy subfile directory tree and the directories referenced by the policies should be created on every policy server host to ensure that all of the policy server hosts have the same directory tree.
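A pre-flight script for one target host covering the Executable Files, Key File and Policy Files sections above (an added example, not part of BeyondTrust's documentation or product): it checks the root ownership and setuid bit on pbrun, fingerprints pb.key so the same key can be confirmed on every cooperating host, flags log directories on remote mounts, and lists policy include statements that pbmakeremotetar will not pick up. The pbrun path, the policy-language include syntax and the remote-device heuristic are assumptions.

```shell
#!/bin/sh
# Pre-flight checks for a custom Endpoint Privilege Management for Unix and
# Linux host. Added example, not BeyondTrust tooling; the install path, the
# policy "include" keyword and the remote-device heuristic are assumptions.

# pbrun must be owned by root with the setuid bit set (4th mode char s/S).
check_pbrun() {
    f="${1:-/usr/local/bin/pbrun}"            # assumed install path
    [ -f "$f" ] || { echo "pbrun missing: $f"; return 1; }
    set -- $(ls -lL "$f")                     # $1=mode $3=owner
    case "$1" in ???[sS]*) ;; *) echo "pbrun not setuid: $f"; return 1;; esac
    [ "$3" = root ] || { echo "pbrun not root-owned: $f"; return 1; }
}

# Fingerprint pb.key so hosts can be compared without copying or printing
# the key itself (cksum is POSIX; use a stronger digest where available).
key_fingerprint() { cksum "$1" | awk '{print $1 ":" $2}'; }

# Event, I/O and daemon error logs must not live on a remote file system.
# Heuristic: NFS devices look like host:/export, CIFS like //server/share.
device_is_remote() {
    case "$1" in *:*|//*) return 0;; *) return 1;; esac
}
is_remote_mount() {
    dev=$(df -P "$1" | awk 'NR==2{print $1}')
    device_is_remote "$dev"
}

# Subfiles included with a quoted literal path are picked up by
# pbmakeremotetar; anything else (variable, concatenation) must be
# distributed by hand. Prints the include lines that need manual handling.
unresolved_includes() {
    awk '/^[ \t]*include[ \t]/ && !/^[ \t]*include[ \t]+"[^"]*"[ \t]*;/' "$1"
}

# Demonstration on a constructed policy file (not a real site policy).
demo_policy=$(mktemp)
cat > "$demo_policy" <<'EOF'
include "/opt/pbul/policies/common.conf";
subfile = "/opt/pbul/policies/" + user + ".conf";
include subfile;
include "/opt/pbul/policies/" + host + ".conf";
EOF
echo "includes needing manual propagation:"
unresolved_includes "$demo_policy"
rm -f "$demo_policy"
```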