The preferred methods for installing Privilege Management for Unix and Linux are to use pbinstall or pbmakeremotetar from the command line. In some instances, however, customer requirements may dictate a custom installation method. This section covers several topics you should be aware of when planning a custom installation.
Before performing a custom installation of Privilege Management for Unix and Linux, several issues need to be taken into consideration:
- Third-party libraries
- Executable files
- pb.settings file
- pb.key file
- Superdaemon configuration update
- Policy files for policy server hosts
There are some concerns about file system accessibility when using remotely mounted file systems. If an installation initially references files on a system with a different name (due to network and/or NIC configurations), the target system may have problems referencing the files correctly on the original host.
The appropriate third-party libraries are required when Privilege Management for Unix and Linux is configured with SSL, Kerberos, or LDAP.
For more information about third-party libraries, please see Configure Third-Party Libraries.
Regardless of how Privilege Management for Unix and Linux is placed on multiple systems, the proper executable and supporting files for the flavor and functions of the system must be visible and executable on that system.
It is possible to place the target of the administration, user, daemon, and/or utility programs on a remotely mounted file system. If this is done, the following issues must be addressed:
- The correct flavor for a system must be visible in the path for the given system.
- The superuser owner and suid setting of pbrun must be handled properly.
- The remotely mounted file system must be very reliable.
- Privilege Management for Unix and Linux event, I/O, and daemon error logs are not supported when written to remotely mounted file systems.
The /etc/pb.settings file must be properly configured for the functions that the new host is to perform, and the install scripts do this. When performing a custom install, each machine needs a correctly configured /etc/pb.settings file.
If encryption is used, then the pb.key file must be the same across all cooperating Privilege Management for Unix and Linux installations. This is typically a manual distribution (because the pb.key file can be compromised if it is not handled properly) except when performing a remote installation using the archive from pbmakeremotetar.
The superdaemons on the system must be configured for the Privilege Management for Unix and Linux daemon configuration. The Privilege Management for Unix and Linux installation performs this configuration automatically.
For more information about superdaemons, please see the documentation for your operating system.
Policy Files for Policy Server Hosts
Policy files and their subfiles must be copied between policy server hosts so that all of the policy servers use the same policies.
Privilege Management for Unix and Linux, being an authentication tool and not a software distribution tool, does not automatically propagate policy files between policy server hosts. It is possible, and left as an exercise, to write procedures and policies that allow a central policy server host to propagate policy files to other policy server hosts.
Policy subfiles are copied if their name is specified as a constant. If the name is specified as a variable or string concatenation in the parent policy, then that policy is not copied by pbmakeremotetar and must be manually propagated to the target machines.
The policy subfile directory tree and the directories referenced by the policies should be created to ensure that the multiple policy server hosts have the same directory tree.
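Because policy files are not propagated automatically, and subfiles named through a variable or string concatenation are skipped by pbmakeremotetar, it is worth checking that every policy server host holds the same files and directory tree. The following script is an added example, not part of the product or its documentation. It assumes each host keeps its policy files under a single directory and that sha256sum is available; the function names and paths are hypothetical.

```shell
#!/bin/sh
# Added example (not vendor code): detect policy drift between policy server hosts.
# Assumptions: each host keeps its policy files and subfiles under one directory
# tree, and sha256sum is installed. Function names and paths are hypothetical.

# policy_manifest DIR
# Prints one line per entry under DIR, keyed by relative path:
#   "dir  ./path"       for each subdirectory (so the directory tree is compared)
#   "<sha256>  ./path"  for each regular file
policy_manifest() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    (
        cd "$1" || exit 2
        find . -type d ! -name . | LC_ALL=C sort | sed 's/^/dir  /'
        find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2
    )
}

# policy_drift REFERENCE_MANIFEST TARGET_MANIFEST
# Prints MISSING / EXTRA / CHANGED lines for the target host relative to the
# reference host. Returns 0 when the manifests match and 1 when they differ.
policy_drift() {
    report=$(awk '
        { path = substr($0, length($1) + 3) }      # text after the two-space gap
        FILENAME == ARGV[1] { ref[path] = $1; next }
        {
            seen[path] = 1
            if (!(path in ref))        print "EXTRA   " path
            else if (ref[path] != $1)  print "CHANGED " path
        }
        END { for (p in ref) if (!(p in seen)) print "MISSING " p }
    ' "$1" "$2" | LC_ALL=C sort)
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# Typical use (paths are placeholders):
#   on each policy server host:  policy_manifest /path/to/policy > "$(hostname).mf"
#   on the central host:         policy_drift central.mf other-host.mf
```

A MISSING line on a target host is the usual sign of a subfile that was referenced by variable and therefore never copied.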