Advanced Installation Instructions Using pbinstall

This section provides step-by-step instructions for using all the installation options that are available using the pbinstall script. These options are discussed in the order that they are used in the Privilege Management for Unix and Linux installation menu.

These steps are optional and should be selected after reviewing Installation Considerations and Installation Preparation.

In addition, some options do not appear unless certain combinations of options are selected.

For more information, please see Complete the Installation.

Start pbinstall

If you downloaded Privilege Management for Unix and Linux using the Web or FTP, do the following.

  1. Change to /opt/beyondtrust and extract the tarball by executing the following command:
    gunzip -c pmul<flavor_version>.tar.Z | tar xvf -
  2. Navigate to the installation directory:
    cd /opt/beyondtrust/powerbroker/<version>/<flavor>/install
  3. Execute the installation script by typing:
    ./pbinstall
  4. After reading the initial messages, press Enter.

Use the Menu Options

Depending on your operating system and other factors, the option numbers listed in the following table may not match the menu option numbers you see on the screen, and some items might not be available. In these steps, choose this option means to type the number that corresponds to the option on the screen and press Enter.

Opt #    Menu Item    Description

1 Install Everything Here (Demo Mode)? Choose this option and specify y to install the policy server host, run host, submit host, and log host on this computer. This option is useful for testing or demonstrating Privilege Management for Unix and Linux on a single computer in your environment.
2 Install license server? Specify y to install a license server which provides product license management for Privilege Management for Unix and Linux.
3 Install Registry Name Services Server? Specify y to install the Registry Name Service which provides the product with a method of addressing and locating other parts of Privilege Management for Unix and Linux.
4 Install Client Registration Server? Specify y to install the Client Registration Server, which provides a repository for customized install profiles. If you already chose to install the Registry Name Service, installing the Client Registration Server is mandatory.
5 Install Policy Server Host? Choose this option and specify y to install the policy server host component on this host.
6 Install Run Host? Choose this option and specify y to install the run host component on this host.
7 Install Submit Host? Choose this option and specify y to install the submit host component on this host.

This option installs pbrun.

8 Install PBSSH This item is available only when you specify y for the previous item. Using the Privilege Management for Unix and Linux pbssh program, you can control access to, and activities on, SSH-managed devices. The pbssh program uses the SSH protocol (or, optionally, the telnet protocol) to connect to devices that do not have Privilege Management for Unix and Linux installed on them; such devices can include Windows computers and certain network devices. Choose this option and specify y to install the pbssh program.
9 Install Log Host? Choose this option and specify y to install the log host component on this host.
10 Enable Logfile Tracking and Archiving?

If the installation detects that the policy server host or the log host is being installed on the current machine, it displays the install question Enable Logfile Tracking and Archiving? in the menu and sets it to yes by default. When the answer is yes, the installer prompts for the Log Archive Storage Server name and the Log Archiver Database Server name. Log Tracking and Archiving requires REST services to be installed.

REST Services are not fully supported on macOS.

11 Is this a Log Archiver Storage Server? If the current machine is the intended Log Archive Storage Server, it must have the REST service preinstalled on it. The storage server receives logfiles to archive and stores them under the configured archive directory; the logfile tracking database (the logarchivedb setting) belongs to the Log Archive Database Server, described in the next item.

If the answer to this question is set to yes, the install displays the following prompts:

    Configure this host to be a Log Archive Storage Server which receives logfiles to archive and stores them in the appropriate path:
      Yes  This host will be configured as a Log Archiver Storage Server
      No   This host will NOT be configured as a Log Archiver Storage Server
    Set as a Log Archiver Storage Server? [no]? yes
    The Log Archive Storage Server will accept and place archived logfiles in a designated pathname. Ensure that it is located in a filesystem with ample free space to accommodate incoming logfiles.
    Enter the default directory path for archived logfiles []: /pbul/logs

It also sets the Log Archive Storage Server name to the hostname of the current machine.

12 Is this a Log Archiver Database Server? If the current machine is the intended Log Archive Database Server, it must have the REST service preinstalled on it. It also requires the logarchivedb setting in pb.settings, which specifies the SQLite database that stores the location of logfiles, as well as where the archiving information is located. If the answer to this question is set to yes, the install displays the following prompts:

    Configure this host to be a Log Archive Database Server which creates and maintains the log tracking database:
      Yes  This host will be configured as a Log Archiver Database Server
      No   This host will NOT be configured as a Log Archiver Database Server
    Set as a Log Archiver Database Server? [no]? yes
    Privilege Management for Unix and Linux will create and maintain a SQLite database to track the location of logfiles. Specify the path and filename of the SQLite logfile tracking database file and ensure that the given database file system has ample space for growth.
    Enter the path and filename of Privilege Management for Unix and Linux's SQLite log tracking database file []: /var/log/pbul90_tracking.db

It also sets the Log Archive Database Server name to the hostname of the current machine.

13 Install File Integrity Monitoring Policy Server? Specify y to install and configure the centralized repository for FIM policies.
14 Install REST Services? This option is automatically enabled to install the Privilege Management RESTful web-based API for product settings, policy configuration, and I/O log retrieval. When installing server-side components of Privilege Management for Unix and Linux, installing the REST Services is mandatory.

REST Services are not fully supported on macOS.

15 List of license servers Enter a space-separated list of hostnames of license servers within the Privilege Management for Unix and Linux installation. The primary license server is first in the list, followed by secondary license servers listed in order of failover. If Registry Name Service is configured, this value should be an asterisk (*), denoting that the value is held within the service database.
18 Database directory? Choose this option and select a secure directory location. This path is assigned to the databasedir setting which defines the default location of databases used in Privilege Management for Unix and Linux, when only the relative path is provided.
19 Path to Password Safe 'pkrun' binary This item is available only if you choose to install PBSSH. The pbssh command can use BeyondTrust Password Safe to acquire the password for the user ID; to do this, Privilege Management for Unix and Linux needs to know where the BeyondTrust Password Safe pkrun binary resides. Choose this option and do one of the following:
  • Specify the absolute path where pkrun resides.
  • Specify none to clear the entry (default).
23 Install Synchronization program? Choose this option and specify y to enable this host to participate in log synchronization.
25 Install Secure GUI Host? Choose this option and specify y to install the secure GUI host component on this host.
26 Install Utilities: pbvi, ... Choose this option and specify y to install the Privilege Management for Unix and Linux utilities on this host.
27 Install pbksh? Choose this option and specify y to install the pbksh component on this host.
28 Install pbsh? Choose this option and specify y to install the pbsh component on this host.
29 Install man pages? Choose this option and specify y to install the man pages.
30 Will this host use a Log Host? Choose this option and specify y to have the components on this host send their event and I/O logs to a log host.
31 AD Bridge Integration? The pbinstall program does not detect whether AD Bridge is installed. Choose this option and specify one of the following:
  • no to disable Privilege Management for Unix and Linux integration with AD Bridge. This is the default.
  • yes to enable Privilege Management for Unix and Linux integration with AD Bridge.
37 Integration with BeyondInsight? This option is available for log servers and policy server hosts. This option allows the sending of eventlog records to BeyondInsight and indexing of I/O logs.
52 Synchronization can be initiated from this host? Choose this option and specify y to install pbsync to enable this host to start log synchronization.
53 Daemons location Choose this option and specify a location for it. We recommend that you use the default location, but you can choose to specify a different location. However, do not use system directories for this purpose.
54 Number of reserved spaces for submit pr…[80] Available in v8.0 and later, and only on Linux, AIX and macOS platforms, this feature modifies the pbmasterd, pblocald and pblogd command line arguments (viewable via ps) to include information about the originating pbrun request. This allows administrators to determine which pbrun/pbmasterd/pblocald/pblogd processes are related to a given request.
Choose this option and specify the number of spaces to reserve in the process list of the pbmasterd, pblocald and pblogd processes; pbinstall does this by adding a -i option to the daemon startup files. This command line option reserves space in the process list so that the command line arguments can later be overwritten with information about the originating request (submituser, submithost, runcommand, and the pbrun pid).
55 Administration programs location Choose this option and specify a location for administration programs. We recommend that you use the default location, but you can choose to specify a different location. However, do not use system directories for this purpose.
56 User programs location Choose this option and specify a location for user programs. We recommend that you use the default location, but you may choose to specify a different location. However, do not use system directories for this purpose.
57 GUI library directory Choose this option and specify a location for the GUI library. This option creates a directory under /usr/local/lib to contain the help files for the Privilege Management for Unix and Linux browser interface, as well as the sample policy files. We recommend that you use the default location, but you can specify a different location. However, do not use system directories for this purpose.
58 Policy include (sub) file directory Choose this option and specify a directory for the policy files. We recommend that you use the default location, but you can specify a different location. However, do not use system directories for this purpose.
59 Policy file name Enter the Privilege Management for Unix and Linux policy file name.
62 Log Archive Storage Server name The Log Archive Storage Server is the destination host where the logfiles are archived. The PBUL REST service must be pre-installed on that machine. There is no default value for this field, but the user is not allowed to proceed without specifying the appropriate server name. The value is saved in the logarchivehost setting.
64 Log Archiver Database Server name The Log Archive Database Server is the destination host where the logfile tracking database resides. The REST service must be preinstalled on that machine. There is no default value for this field, but the user is not allowed to proceed without specifying the appropriate server name. The value is saved in the logarchivedbhost setting.
69 Logfile Name Cache Database file path? Enter the path of the database file to cache the location of event and I/O logfiles. It is used when integrating BeyondInsight for Unix and Linux with Privilege Management for Unix and Linux. Enter none to disable the feature.
69 REST Service installation directory?

This menu item is enabled only if REST services are to be installed.

REST services are not fully supported on macOS.

70 Install REST API sample code?

This menu item is enabled only if REST services are to be installed.

REST services are not fully supported on macOS.

72 Pblighttpd user

The user name that the REST services run as. The default value is pblight. This user is created if you answer yes to the menu option Create Pblighttpd User?. This menu item is enabled only if installing REST Services.

REST services are not fully supported on macOS.

74 Create Pblighttpd user?

This menu is only visible if the pblighttpd user specified in the previous step does not exist.

Answer yes if you want pbinstall to automatically create the pblighttpd user. Otherwise, answer no.

74 Pblighttpd user UID

Optionally, specify the user id for the new pblighttpd user.

The value must be unique.

This menu is only visible if the pblighttpd user specified in the Pblighttpd user menu item does not exist and you chose to have pbinstall automatically create the user.

75 Pblighttpd user GID

Optionally, specify the group id for the new pblighttpd user.

This menu is only visible if the pblighttpd user specified in the Pblighttpd user menu item does not exist and you chose to have pbinstall automatically create the user.

If you enter an existing GID, then the group name associated with that GID is populated in the Pblighttpd user group name menu item.

If you enter a non-existent GID, you are prompted for the new group name to associate with it.

If you select this menu more than once and toggle the value between an existing GID and a non-existent GID, pbinstall enforces the association with the correct group name in the Pblighttpd user group name menu item. This means that you cannot provide an existing GID and try to specify a non-existent group name. Conversely, you cannot provide a non-existent GID and try to assign an existing group name to it.

76 Pblighttpd user group name

Enter a user group name or use the default value.

The pblighttpd user specified in the Pblighttpd user menu item is assigned to the group name provided.

  • If you enter a group name that does not exist, that group is created and the pblighttpd user is assigned to it.
  • If you enter a group name that exists, then the pblighttpd user is assigned to that preexisting group.
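The UID/GID rules for the Pblighttpd user, Pblighttpd user UID, Pblighttpd user GID and Pblighttpd user group name items above can be checked before pbinstall is run. The following bash script is an added example written for this page, not pbinstall's or the product's own code. It reads /etc/passwd and /etc/group directly (an assumption: local files are authoritative, so LDAP or NIS accounts would need getent instead) and only prints the groupadd and useradd commands it would run. The user name pblight is the documented default; the group name pblight and the numeric IDs in the demo are constructed, and the useradd flags -r, -M and -s /sbin/nologin (system account, no home directory, no interactive login) are the editor's hardening choices, not pbinstall's.

```shell
#!/bin/bash
# Added example: dry-run planner for the pblighttpd service account, applying the
# pbinstall rules: the UID must be unique; an existing GID keeps its own group
# name; a new GID needs a group name that is not already in use.
# Assumption: /etc/passwd and /etc/group are authoritative on this host.

group_name_for_gid() { awk -F: -v g="$1" '$3 == g { print $1; exit }' /etc/group; }
gid_for_group()      { awk -F: -v n="$1" '$1 == n { print $3; exit }' /etc/group; }
user_for_uid()       { awk -F: -v u="$1" '$3 == u { print $1; exit }' /etc/passwd; }

# plan_pblighttpd_account USER UID GID GROUP
# Prints the commands to run (nothing is executed). Returns 1 on a rule violation.
plan_pblighttpd_account() {
    local user=$1 uid=$2 gid=$3 group=$4 owner

    if id "$user" >/dev/null 2>&1; then
        echo "# user '$user' already exists; pbinstall would not offer to create it"
        return 0
    fi

    owner=$(user_for_uid "$uid")
    if [ -n "$owner" ]; then
        echo "error: UID $uid is already taken by '$owner'" >&2
        return 1
    fi

    owner=$(group_name_for_gid "$gid")
    if [ -n "$owner" ]; then
        # Existing GID: the group name is forced to the one that already owns it.
        if [ "$group" != "$owner" ]; then
            echo "error: GID $gid belongs to group '$owner'; cannot pair it with '$group'" >&2
            return 1
        fi
    else
        # New GID: the requested group name must not already exist with another GID.
        if [ -n "$(gid_for_group "$group")" ]; then
            echo "error: group '$group' already exists with GID $(gid_for_group "$group")" >&2
            return 1
        fi
        echo "groupadd -g $gid $group"
    fi

    # System account, no home directory, no interactive login: editor's hardening choices.
    echo "useradd -r -M -s /sbin/nologin -u $uid -g $gid -c 'PMUL REST service' $user"
}

# Demo with the documented default user name and constructed IDs.
plan_pblighttpd_account pblight 60123 60123 pblight || true
```

Run it as an ordinary user to review the plan, then execute the printed commands as root; rerunning it after the account exists prints only a comment, so it is safe to keep in an install runbook.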
78 Configure systemd? Choose this option and specify y to register the Privilege Management for Unix and Linux daemons with the system's superdaemon. Privilege Management for Unix and Linux can be configured into systemd, inetd, xinetd, launchd, or SMF, which are OS-dependent. These superdaemons listen on a TCP/IP port for inbound connections requesting Privilege Management for Unix and Linux daemon services. When the superdaemon detects a connection request, it forks a copy of the Privilege Management for Unix and Linux daemon to serve the request.

If you specify no, any existing Privilege Management for Unix and Linux installation that is configured with the specified prefix and/or suffix is removed from the superdaemon configuration.

This menu option is platform dependent. On older RHEL or other operating systems using inetd or xinetd, it may display Configure inetd or xinetd, while on Solaris, it displays Configure Solaris Services.

79 Command line options for pbmasterd

Choose this option and specify the command line options that you want. Available syntax and command line options for pbmasterd are:

    [-arsV] [-e logfile] [--disable_optimized_runmode]

-a: Send the job acceptance messages to syslog.

-e: Use the log file as the pbmasterd diagnostic log file. The -e command line option overrides the syslog setting in the pb.settings file. You must specify the file name if you use the -e option.

-r: Send the job rejection messages to syslog.

-s: Send the error messages to syslog. The -s command line option overrides the syslog setting in the pb.settings file, so it continues to apply even if you change that setting later.

-V: Print the version number mismatch messages.

none: Erase all options.

--disable_optimized_runmode: Suppresses optimized run mode for any tasks that are authorized by this policy server host.

The installation is currently set to use the syslog in the Privilege Management for Unix and Linux pb.settings file. This setting is the default.

80 Policy Server Delay Choose this option and specify the length of time (in milliseconds) that a pbrun command should wait for an initial connection to a policy server host. If a connection does not occur within a specified number of milliseconds, then the command uses another host that is specified in the pb.settings file for submitmasters.
81 Policy Server Protocol Timeout Choose this option and specify the length of time the daemon should wait for a response from a policy server host or the time a policy server host should wait for a response from another Privilege Management for Unix and Linux program.
82 pbmasterd diagnostic log Choose this option and specify a location. This option enables you to specify where the pbmasterd diagnostic log is located.
83 Eventlog filename Choose this option and specify a location. This option enables you to specify where the event log file is located.
84 Configure eventlog rotation via size Choose this option and specify a size for event log rotation.
85 Configure eventlog rotation path Choose this option and specify a path where the event log is moved to.
86 Configure eventlog rotation via cron Choose this option add a cron job to rotate the eventlog, and specify the cron minute, hour, days-of-the-month, month, and days-of-the-week fields.
87 Validate Submit Host Connections?

Choose this option and specify one of the following settings. The Privilege Management for Unix and Linux policy server daemon (pbmasterd) can use name resolution to validate the host name and IP address of the submit host connection to a policy server host.

  • Specify y to validate submit host connections. If you decide to use this facility, then you must do the following:
    • Ensure that name resolution works correctly on all machines.
    • Ensure all policy server hosts and submit hosts are upgraded to Privilege Management for Unix and Linux v3.5.7 or higher before enabling this feature.
    • Ensure that each submit host connection’s host name and IP address match those that are listed in the policy server host’s name resolution services.
  • Specify n to disable this checking. This setting is the default value.
88 List of Policy Servers to submit to

Choose this option and do the following:

  • If submitmasters already has a value, specify y at the Do you wish to make changes to this list? prompt.
  • At the Enter Policy Server list (submitmasters) prompt, specify a host name, or a list of space-delimited host names, to serve as policy servers to submit secured tasks to (a fully-qualified domain name may be required):

    The host names should now appear in the List of Privilege Management policy server hosts to submit to line of the pbinstall menu.

89 pbrun diagnostic log? Choose this option and specify a location for the diagnostic log. This option is typically used only when requested by BeyondTrust Technical Support.
90 pbssh diagnostic log? The BeyondTrust Privilege Management for Unix and Linux pbssh program can maintain a separate, individual host diagnostic log file. This log file is typically only used when requested by BeyondTrust Technical Support.
Specify a full path specification for the pbssh diagnostic log file or none for none.
91 Allow Local Mode? Choose this option and specify y to allow Local Mode. This option allows the requested secured task to replace the executing copy of pbrun. Local Mode executes secured tasks on the submit host only.
92 Additional secured task checks?

Choose this option and specify whether to enable additional secured task checks.
This option determines whether the run host or submit host performs an additional check on the security of the requested command. This check helps to ensure that the command cannot be compromised by a user other than root or the user running the Privilege Management for Unix and Linux command (for example, sys, oracle). This setting is used on run hosts or submit hosts using Local Mode. The policy language variable runsecurecommand can be set by the configuration policy on the policy server host for the same effect.

  • Specify y to check the runcommand and all directories above it to see if anyone other than root or the runuser has write permission. If the command file or any of the directories above it are writable by anyone other than root or the runuser, then the run host refuses to run the command.
  • Specify n to disable this feature.
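The check that the y setting enables can be reproduced in a few lines of shell. The following bash function is an added example written for this page, not pbinstall's, pblocald's or pbrun's own code: it resolves the command path, then walks from the file up to / and refuses on the first component that is owned by neither root nor the run user or that carries a group or world write bit (an owner other than root or the run user can chmod the object, so ownership is checked too). It relies on GNU or busybox stat and readlink. The check is deliberately conservative: a sticky-bit /tmp still fails, which is also why a secured task should never live under a world-writable tree. The demo directory tree is constructed.

```shell
#!/bin/bash
# Added example: reproduce the "additional secured task check" (runsecurecommand).
# Refuse a command if the file or any directory above it is writable by anyone
# other than root or the run user. Uses GNU/busybox stat (-L, -c) and readlink -f.

# check_secure_path COMMAND RUNUSER
# Returns 0 if every component passes; otherwise prints the first offending path
# (nearest the command) and returns 1. Returns 2 if the path cannot be examined.
check_secure_path() {
    local cmd=$1 runuser=$2 p owner mode
    p=$(readlink -f -- "$cmd") || return 2          # resolve symlinks first
    while :; do
        owner=$(stat -L -c '%U' "$p") || return 2
        mode=$(stat -L -c '%a' "$p")  || return 2
        # An owner other than root/runuser can chmod the object: treat as writable.
        if [ "$owner" != root ] && [ "$owner" != "$runuser" ]; then
            printf '%s\n' "$p"; return 1
        fi
        # 8#22 = group-write | other-write bits; setuid/setgid/sticky are ignored.
        if (( 8#$mode & 8#22 )); then
            printf '%s\n' "$p"; return 1
        fi
        [ "$p" = / ] && break
        p=$(dirname -- "$p")
    done
    return 0
}

# Build a constructed directory tree for the demo: one "bin" directory is 0777.
make_demo_tree() {
    mkdir -p "$1/safe/bin" "$1/unsafe/bin"
    printf '#!/bin/sh\necho hello\n' > "$1/safe/bin/cmd"
    cp "$1/safe/bin/cmd" "$1/unsafe/bin/cmd"
    chmod 755 "$1/safe" "$1/safe/bin" "$1/safe/bin/cmd" "$1/unsafe" "$1/unsafe/bin/cmd"
    chmod 777 "$1/unsafe/bin"
}

# Demo: /bin/ls as root passes on a stock system; the "unsafe" tree is refused at
# its 0777 directory, and the "safe" tree is usually refused as well, because the
# world-writable /tmp above it fails the check.
demo=$(mktemp -d)
make_demo_tree "$demo"
for c in /bin/ls "$demo/unsafe/bin/cmd" "$demo/safe/bin/cmd"; do
    user=root; case $c in "$demo"/*) user=$(id -un);; esac
    if bad=$(check_secure_path "$c" "$user"); then
        echo "ALLOW  $c"
    else
        echo "REFUSE $c (writable by others: $bad)"
    fi
done
rm -rf "$demo"
```

Because the walk starts at the command and moves upward, the path it prints is the component closest to the command that fails, which is the one an administrator most likely needs to fix.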
93 Suppress Policy Server host failover error messages?

When a connection to a policy server host fails, Privilege Management for Unix and Linux fails over to another available policy server host (if configured) and generates an error message about the event. Choose this option and do one of the following:

  • Specify n to enable the policy server host failover error messages (default).
  • Specify y to suppress the policy server host failover error messages.
94 List of Policy Servers to accept from

Choose this option and then do the following:

  • If acceptmasters already has a value, specify y at the Do you wish to make changes to this list? prompt.
  • At the Enter Incoming Policy Server list (acceptmasters) prompt, specify a host name, or a list of space-delimited host names, to serve as policy servers to accept secured tasks from (a fully-qualified domain name may be required).

    The accept policy server host name should now display in the List of Privilege Management Policy Server hosts to accept from ... line of the pbinstall menu.

95 pblocald diagnostic log Choose this option and specify a directory and file name for it.
96 Command line options for pblocald Choose this option and specify the command line options that you want. Available syntax and command line options for pblocald are:
    [-sV] [-e logfile] [-m master_host]
  • -s: Send error messages to syslog. The -s command line option overrides the syslog setting in the pb.settings file, so it continues to apply even if you change that setting later.
  • -e: Use logfile as the pblocald diagnostic log file. The -e command line option overrides the settings file.
  • -m: Accept pbmasterd connections from master_host only. Multiple -m options can be used to specify more than one host.
  • -V: Print version number mismatch messages.
  • none: Erase all options.

The installation is currently set to use the syslog in the Privilege Management for Unix and Linux pb.settings file. This setting is the default.

97 Syslog pblocald sessions? Choose this option and specify y to log pblocald accepted and rejected requests to syslog.
98 Record PTY sessions in utmp/utmpx? Choose this option and specify y to record Privilege Management for Unix and Linux terminal sessions in the utmp (or utmpx) file.
99 Validate Policy Server Host Connections?

Choose this option and specify one of the following settings. The Privilege Management for Unix and Linux local daemon (pblocald) can use name resolution to validate the host name and IP address of the policy server host connection to a run host.

  • Specify y to validate policy server host connections. This validation requires that each policy server connection’s host name and internet address match those that are retrieved from name resolution services.

If you decide to use this facility, then you must ensure that name resolution works correctly on all machines before enabling this feature. You must also ensure that all policy server hosts and run hosts are upgraded to Privilege Management for Unix and Linux v3.5.7 or later before enabling this feature.

  • Specify n to disable this checking. This setting is the default value.

100 List of Log Hosts

Choose this option and specify which machines are to be log hosts. Privilege Management for Unix and Linux needs to know which machines you have selected as log hosts. Log hosts are the hosts that policy server hosts select to perform event and I/O logging. To accomplish this task, policy server looks at the setting for logservers in the pb.settings file. This logservers setting contains the names of the log host machines or a netgroup. You can add, modify, or remove machine names by doing the following:

  • If logservers already has a value, specify y at the Do you wish to make changes to this list? prompt.
  • At the Enter Log Server list (logservers) prompt, specify a host name, or a list of space-delimited host names, to serve as Log Hosts:

  • The log host names should now appear in the List of Privilege Management Log Hosts line of the pbinstall menu.

A logserver must be installed before enabling the changemanagementevents keyword.

101 Command line options for pblogd

Choose this option and specify the command line options that you want. The available syntax and command line options for pblogd are:

[-ars] [-e logfile]

-a: Record accept events on syslog.

-e: Use logfile as the pblogd diagnostic log file. If you previously specified the pblogd log file as /var/log/pblogd.log, the -e command line option overrides the pblogd setting in the pb.settings file.

-r: Record reject events on syslog.

-s: Send error messages to syslog. If you have previously specified to use the syslog setting in the pb.settings file, the -s command line option overrides the settings file if you decide to change it in the future.

none: Erase all options.

102 Log Host Delay Choose this option and specify the length of time (in milliseconds) that a daemon should wait for an initial connection to a log host. If a connection does not occur within a specified number of milliseconds, then it tries another server that is specified in the logservers setting in the pb.settings file.
103 Log Host Protocol Timeout Choose this option and specify the length of time a daemon should wait for a response from a log host or the time a log host should wait for a response from another Privilege Management for Unix and Linux program. Enter the value of the log host protocol timeout (-1 to 1200000). 0 or -1 disables this timeout. -1 is the default.
104 pblogd diagnostic log Choose this option and specify a location for it. This option enables you to specify the directory and file name for the pblogd diagnostic log. Enter none for no error reporting.
105 List of log reserved file systems

Choose this option to specify reserved file systems. Privilege Management for Unix and Linux allows the log host to control the file system space and enables the immediate failover to the next log host.

  • Enter none to specify no reserved file systems.
  • To specify reserved file systems, type the names of the reserved file systems that you want to failover. Use spaces to separate multiple file system names.

When a file system is specified in this option, also use the next option to specify the minimum number of free blocks that each listed file system must have available. If that number of free blocks is not available, then the logging is done on the next log host.

106 Number of free blocks per log system file Choose this option and specify the minimum number of free blocks that the file systems specified in the previous option must have available, or enter 0 for no minimum. The valid values are 0 to 2048000.
107 Command line options for pbsyncd

Choose this option and specify the command line options that you want. The available command line options for pbsyncd are:

[-s] [-e logfile]
  • -e: Use logfile as the pbsyncd diagnostic log file.
  • -s: Use the syslog facilities.
108 Sync Protocol Timeout Choose this option and specify the length of time a synchronization client or server should wait for protocol checks to be completed. Enter the value of the synchronization protocol timeout (-1 to 1200000). 0 or -1 disables this timeout. -1 is the default.
109 pbsyncd diagnostic log Choose this option and specify the directory and file name for the pbsyncd diagnostic log.
110 pbsync diagnostic log This option enables you to specify the directory and file name for the pbsync diagnostic log.
111 pbsync synchronization time interval (in minutes) Choose this option to specify the time interval in minutes between synchronizations.
112 Add installed shells to /etc/shells

Choose this option and specify whether to add the installed Privilege Management for Unix and Linux shells (pbksh and pbsh) to /etc/shells, so that the operating system recognizes them as valid login shells.

  • yes: Add installed shells to /etc/shells.
  • no: Do not add installed shells to /etc/shells.
113 pbksh diagnostic file Choose this option to specify the directory and file name for the pbksh diagnostic log.
114 pbsh diagnostic file Choose this option to specify the directory and file name for the pbsh diagnostic log.
115 Stand-alone pblocald command

Choose this option and indicate whether to specify a stand-alone pblocald command. When a Privilege Management for Unix and Linux shell executes with the system in Single-User Mode, it is necessary to know which command to execute for some secured task requests that are handled by pblocald. This setting provides the Privilege Management for Unix and Linux shell, running in Single-User Mode, with the pblocald command to execute. Specify the full command for the local daemon, for example:

    /usr/sbin/[prefix]pblocald[suffix] -s

When you specify the command, any installation prefix or suffix must be included. Specify none to specify no command for the local daemon in Single-User Mode.

116 Stand-alone root shell default iolog Choose this option to specify the directory and file name for the stand-alone root shell default I/O log.
117 Command line options for pbguid

Choose this option and specify the command line option that you want to use. The available syntax and command line option for pbguid are:

[-e logfile]
  • -e: Use logfile as the pbguid log file.
  • none: Erase all options.
118 Command line options for secure pbsguid

Choose this option and specify the command line option that you want to use. The available syntax and command line option for pbsguid are:

[-e logfile]
  • -e: Use logfile as the pbsguid log file.
  • none: Erase all options.
119 pbguid and pbsguid site configuration file Choose this option to specify the location for the GUI site configuration file. The Privilege Management for Unix and Linux pbguid daemon uses a site file to store system-wide defaults for the Privilege Management for Unix and Linux GUI. If this file is not specified, then the system-wide GUI defaults are not used. Enter the full path for the directory and file name for the pbguid site configuration file.
120 pbguid and pbsguid diagnostic log Choose this option to specify the directory and file name for the pbguid and pbsguid diagnostic log.
121 Use syslog?

Choose this option to specify whether to use the system syslog facility.

The Privilege Management for Unix and Linux programs can send errors reported by the policy server and local daemons to the syslog. If you decide to use the system’s syslog facility, then you must ensure that the facility selected for use by Privilege Management for Unix and Linux is enabled according to your system’s documentation.

  • Specify y to use the system syslog facility.
  • Specify n to not use the system syslog facility.
122 Syslog facility to use?

Choose this option to specify the syslog facility to use. For Privilege Management for Unix and Linux to use the syslog facility, it must be specified. The facilities that can be specified are:

  • LOG_AUTH security/authorization messages
  • LOG_AUTHPRIV security/authorization messages (Linux and macOS). Only supported in Privilege Management for Unix and Linux 7.1.0 and later.
  • LOG_DAEMON daemon messages
  • LOG_LOCAL0 local messages
  • LOG_LOCAL1 local messages
  • LOG_LOCAL2 local messages
  • LOG_LOCAL3 local messages
  • LOG_LOCAL4 local messages
  • LOG_LOCAL5 local messages
  • LOG_LOCAL6 local messages
  • LOG_LOCAL7 local messages
  • LOG_USER user messages

The default [LOG_AUTH] is usually sufficient. The message severity level that is used by Privilege Management for Unix and Linux is LOG_INFO.

123 Base daemon port number

Unlike individual daemon ports, the base port may not be a Unix or Linux domain socket or a program name. Any daemon port that is already set to either a Unix or Linux domain socket or program name will not be changed. However, the used port number will be skipped. For more information about assigning ports, see Installation Preparation.

Choose this option and do one of the following:

  • If ports 24345 to 24350 are available for all of the Privilege Management for Unix and Linux daemon ports, then accept these ports and continue the installation.
  • If those ports are not available, then do one of the following:
    • Specify an available port number that also has the next six sequential port numbers available to set all of the Privilege Management for Unix and Linux daemon ports. The specified value must be numeric and must fall within the range from 1024 to 65530 (inclusive). The daemon ports are then set as follows:
      • The pbmasterd port is set to the specified value.
      • The pblocald port is set to the specified value +1.
      • The pblogd port is set to the specified value +2.
      • The pbguid port is set to the specified value +3.
      • The pbsguid port is set to the specified value +4.
      • The pbsyncd port is set to the specified value +5.
      • The pbrest port is set to the specified value +6.
    • Use the following port-related menu options to set the port numbers individually for pbmasterd, pblocald, pblogd, pbguid, pbsguid, pbsyncd, and the REST service.
124 pbmasterd port number

Choose this option to specify the port number for pbmasterd. The Privilege Management for Unix and Linux policy server host daemon (pbmasterd) requires a dedicated port number or a Unix or Linux domain socket name to receive inbound secured task requests from submit hosts. See Important! in menu item Base daemon port number.

125 pblocald port number

Choose this option to specify the port number for pblocald. The Privilege Management for Unix and Linux run host daemon (pblocald) requires a dedicated port number or a Unix or Linux domain socket name to receive inbound secured task requests from policy server hosts. See Important! in menu item Base daemon port number.

126 pblogd port number

Choose this option to specify the port number for pblogd. The Privilege Management for Unix and Linux log host daemon (pblogd) requires a dedicated port number or a Unix or Linux domain socket name to receive inbound secured task requests from policy server and local daemons. See Important! in menu item Base daemon port number.

127 pbguid port number

Choose this option to specify the port number for pbguid. The Privilege Management for Unix and Linux GUI daemon (pbguid) requires a dedicated port number or a Unix or Linux domain socket name to receive inbound requests from Web browsers. See Important! in menu item Base daemon port number.

128 Secure pbsguid port number

Choose this option to specify the port number for pbsguid. The Privilege Management for Unix and Linux GUI secure daemon (pbsguid) service requires a dedicated port number or a Unix or Linux domain socket name to receive inbound requests from Web browsers. See Important! in menu item Base daemon port number.

129 pbsyncd port number

Choose this option to specify the port number for pbsyncd. The Privilege Management for Unix and Linux log synchronization daemon (pbsyncd) requires a dedicated port number or a Unix or Linux domain socket name to receive inbound requests. See Important! in menu item Base daemon port number.

130 REST Service port number Choose the TCP/IP port number on which the REST service is listening, on the primary policy manager.
131 Add entries to '/etc/services'

Choose this option and specify y to have the services entries added to /etc/services. Privilege Management for Unix and Linux must be able to look up the port numbers to be used by the various Privilege Management for Unix and Linux services. The port number lookup can be done from NIS after you manually create the appropriate NIS entries. Otherwise, these services should be listed in /etc/services.

Only ports that are specified by number for the Privilege Management for Unix and Linux daemons can have services added to /etc/services. Unix and Linux domain sockets and ports that are specified by name are not added to /etc/services by this installation procedure.

On some systems you must put entries into your NIS services map (or reboot) because inetd ignores /etc/services after boot time.
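
The port derivation of menu item 123 and the /etc/services handling of menu item 131, as an added example that is not part of pbinstall or the product. It assumes that service names are the daemon names, and the sample /etc/services text is constructed.

```python
# Added example, not part of pbinstall or the product: derive the daemon port
# assignments from a base port as menu item 123 describes, report clashes with
# an existing /etc/services, and emit the entries menu item 131 would add for
# numeric ports only. Service names are taken from the daemon names here, which
# is an assumption; the sample /etc/services text is constructed.
from typing import Dict, List, Optional, Union

# Offset of each daemon from the base port, in the order menu item 123 lists them.
DAEMON_ORDER: List[str] = [
    "pbmasterd", "pblocald", "pblogd", "pbguid", "pbsguid", "pbsyncd", "pbrest",
]
DEFAULT_BASE_PORT = 24345
BASE_PORT_MIN, BASE_PORT_MAX = 1024, 65530   # inclusive bounds from the page

# A daemon port is either a number or a Unix domain socket path / program name.
PortSetting = Union[int, str]


def is_numeric_port(setting: PortSetting) -> bool:
    return isinstance(setting, int)


def assign_ports(base: int = DEFAULT_BASE_PORT,
                 current: Optional[Dict[str, PortSetting]] = None) -> Dict[str, PortSetting]:
    """Apply a base port. A daemon already set to a domain socket or program
    name is left unchanged, and the port at its offset is skipped rather than
    handed to the next daemon."""
    if not BASE_PORT_MIN <= base <= BASE_PORT_MAX:
        raise ValueError(f"base port {base} must be within {BASE_PORT_MIN}..{BASE_PORT_MAX}")
    current = current or {}
    assigned: Dict[str, PortSetting] = {}
    for offset, daemon in enumerate(DAEMON_ORDER):
        existing = current.get(daemon)
        if existing is not None and not is_numeric_port(existing):
            assigned[daemon] = existing          # socket or program name: unchanged
        else:
            assigned[daemon] = base + offset
    return assigned


def ports_in_use(services_text: str) -> Dict[int, str]:
    """Map each TCP port already listed in /etc/services to its service name."""
    used: Dict[int, str] = {}
    for raw in services_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, proto = fields[1].split("/", 1)
        if proto == "tcp" and port.isdigit():
            used[int(port)] = fields[0]
    return used


def conflicts(assigned: Dict[str, PortSetting], services_text: str) -> Dict[str, str]:
    """Daemons whose numeric port is already taken by a different service."""
    used = ports_in_use(services_text)
    return {d: used[p] for d, p in assigned.items()
            if is_numeric_port(p) and p in used and used[p] != d}


def services_entries(assigned: Dict[str, PortSetting]) -> List[str]:
    """/etc/services lines for numeric ports; sockets and names are omitted."""
    return [f"{d}\t{p}/tcp" for d, p in assigned.items() if is_numeric_port(p)]


# Constructed sample of an existing /etc/services with one clash in the default range.
SAMPLE_SERVICES = """\
ssh     22/tcp
ssh     22/udp
backup  24347/tcp   # unrelated service already on the port pblogd would get
"""

if __name__ == "__main__":
    defaults = assign_ports()
    print("conflicts with defaults:", conflicts(defaults, SAMPLE_SERVICES))
    custom = assign_ports(30000, current={"pblocald": "/var/run/pblocald.sock"})
    print("\n".join(services_entries(custom)))
```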

132 Allow non-reserved port connections

Choose this option and choose one of the following:

  • Specify y to allow non-reserved port connections.
  • Specify n to disallow connections from non-reserved ports.
133 Inbound port range

The MinListeningPort setting in the pb.settings file determines the lower bound on the originating port range that may be used to make Privilege Management for Unix and Linux connections on the listening side. The MaxListeningPort setting determines the upper bound on the originating port range that may be used to make Privilege Management for Unix and Linux connections on the listening side.

Choose this option and do the following:

  • Specify the value of the minimum port number to listen on. The value of this setting must be between 1 and the current value of the MaxListeningPort setting (65535).
  • Specify the value of the maximum port number to listen on. The value of this setting must be between the current value of the MinListeningPort setting (1025) and 65535.
134 Outbound port range

The MinOutgoingPort setting in the pb.settings file determines the lower bound on the originating port range that may be used to make Privilege Management for Unix and Linux connections on the originating side. The MaxOutgoingPort setting determines the upper bound on the originating port range that may be used to make Privilege Management for Unix and Linux connections on the originating side.

Choose this option and do the following:

  • Specify the value of the minimum outbound port number to originate from. The value of this setting must be between 1 and 65535.
  • Specify the value of the maximum outbound port number to originate from. The value of this setting must be between the current value of the MinOutgoingPort setting (600) and 65535.

Starting with version 8.0, the new default in pbinstall for the minimum value of the outbound port range was changed from 600 to 1025. However, if you don't set this value during the install and the keyword minoutgoingport is commented out in the pb.settings, the default used by the binaries is still 600. This is in order to keep backward compatibility with older releases of Privilege Management for Unix and Linux.
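
The behaviour described for menu items 133 and 134, including the commented-out minoutgoingport case, as an added example that is not the product's own code. It assumes a keyword-value line format for pb.settings; only the 600 default is stated by the page, the other three defaults are assumptions, and the sample settings text is constructed.

```python
# Added example, not the product's own code: read the port-range keywords from a
# pb.settings file as menu items 133 and 134 describe, apply the binaries'
# defaults for keywords that are absent or commented out, and validate the
# ranges. Only minoutgoingport=600 is a default the page states; the other three
# defaults are assumptions, and the sample settings text is constructed.
from typing import Dict, List, Tuple

BINARY_DEFAULTS: Dict[str, int] = {
    "minlisteningport": 1025,   # assumed
    "maxlisteningport": 65535,  # assumed
    "minoutgoingport": 600,     # stated: kept for backward compatibility
    "maxoutgoingport": 65535,   # assumed
}


def parse_settings(text: str) -> Dict[str, str]:
    """Keyword/value pairs from pb.settings (assumed 'keyword value' lines);
    '#' starts a comment, so a commented-out keyword is treated as absent."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip()
    return settings


def resolve_port_ranges(text: str) -> Tuple[Dict[str, int], List[str]]:
    """Effective values plus the list of keywords that fell back to a default,
    so an administrator can see that the 600 floor (not 1025) is in force."""
    settings = parse_settings(text)
    values: Dict[str, int] = {}
    defaulted: List[str] = []
    for key, default in BINARY_DEFAULTS.items():
        raw = settings.get(key)
        if raw is None:
            values[key] = default
            defaulted.append(key)
        else:
            values[key] = int(raw)
    return values, defaulted


def validate_port_ranges(values: Dict[str, int]) -> List[str]:
    """Apply the bounds the page gives: each minimum at least 1, each maximum
    at most 65535, and minimum not above maximum on either side."""
    problems: List[str] = []
    for side in ("listening", "outgoing"):
        lo, hi = values[f"min{side}port"], values[f"max{side}port"]
        if not 1 <= lo <= hi <= 65535:
            problems.append(f"{side} range {lo}..{hi}: need 1 <= min <= max <= 65535")
    return problems


# Constructed pb.settings fragment: pbinstall wrote 1025 but the line is commented out.
SAMPLE_PB_SETTINGS = """\
# constructed pb.settings fragment
minlisteningport   1025
maxlisteningport   65535
#minoutgoingport   1025
maxoutgoingport    65535
"""

if __name__ == "__main__":
    vals, fell_back = resolve_port_ranges(SAMPLE_PB_SETTINGS)
    print(vals, fell_back, validate_port_ranges(vals))
```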

137 Network encryption options

Before specifying that any file types are to be encrypted, see Network Traffic and File Encryption in the Privilege Management for Unix and Linux System Administration Guide.

Choose this option and do one of the following:

  • Specify none to not use any network encryption. Optionally, you can type the start date and/or end date for not using any network encryption in the format: yyyy/mm/dd. Dates are evaluated in Universal Coordinated Time (UTC).
  • To add a new network encryption option, do the following:
    • Specify a to add a new network encryption option.
    • Specify the encryption type from the list in the following table. The default for version 8.0 and later is AES-256, and for versions prior to 8.0 is DES. The default (AES-256 or DES) is used if end dates are specified for the listed network encryption algorithm and they have all expired. If you do not want the default to be used, then specify a network encryption or none with no end date.

      Algorithm   Encryption Type
      none        none
      DES         des, 3des, tripledes
      AES         aes-16-16 (or aes-128), aes-16-24 (or aes-192), aes-16-32 (or aes-256),
                  aes-24-16, aes-24-24, aes-24-32, aes-32-16, aes-32-24, aes-32-32
      Blowfish    blowfish
      Cast128     cast128
      Gost        gost
      Loki97      loki97
      Saferplus   saferplus-16, saferplus-24, saferplus-32
      Serpent     serpent-16, serpent-24, serpent-32
      Threeway    threeway
      Tiny        tiny
      Twofish     twofish-16, twofish-24, twofish-32

    • Type the full path and file name where Privilege Management for Unix and Linux is to place the encryption key file. The default is /etc/pb.key. Privilege Management for Unix and Linux requires a key file to use encryption. We recommend that you specify the /etc directory for the encryption key file.
    • Optional. Type the start date and/or end date for the encryption pair in the format: yyyy/mm/dd. Dates are evaluated in Universal Coordinated Time (UTC).


Administrators must ensure that all hosts are using the same encryption pair; otherwise, the hosts cannot communicate with each other.

  • Specify e to edit an existing network encryption option and specify the number of the network encryption option. You can edit any of the following items for the selected option:
    • Network encryption type
    • Location and file name for the encryption file
    • Start date for the encryption pair to take effect
    • End date for the encryption pair
  • Specify d to delete an existing network encryption option and specify the number of the network encryption option to delete it.
  • Specify x to exit this option.
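
The dated entry list of menu item 137 and its fallback rule, as an added example that is not the product's own code: it picks the entry in effect on a UTC date, falls back to the version default (AES-256 from 8.0, DES before) only when every listed entry has expired, and checks that a set of hosts resolve to the same encryption pair. The entry layout and all sample values are constructed.

```python
# Added example, not the product's own code: model the ordered list of network
# encryption entries from menu item 137 and decide which one is in effect on a
# given UTC date, including the documented fallback to the version default when
# every listed entry has an end date that has passed. Layout and values are
# constructed.
from dataclasses import dataclass
from datetime import date, datetime, timezone
from typing import Dict, List, Optional, Tuple

# Encryption type keywords from the menu item 137 table.
VALID_TYPES = {
    "none", "des", "3des", "tripledes",
    "aes-16-16", "aes-128", "aes-16-24", "aes-192", "aes-16-32", "aes-256",
    "aes-24-16", "aes-24-24", "aes-24-32", "aes-32-16", "aes-32-24", "aes-32-32",
    "blowfish", "cast128", "gost", "loki97",
    "saferplus-16", "saferplus-24", "saferplus-32",
    "serpent-16", "serpent-24", "serpent-32",
    "threeway", "tiny", "twofish-16", "twofish-24", "twofish-32",
}


def parse_pb_date(text: str) -> date:
    """Parse the yyyy/mm/dd form the menu accepts; dates are UTC calendar days."""
    return datetime.strptime(text, "%Y/%m/%d").date()


def today_utc() -> date:
    return datetime.now(timezone.utc).date()


@dataclass
class EncryptionEntry:
    enc_type: str
    keyfile: Optional[str] = "/etc/pb.key"   # page default; "none" needs no key
    start: Optional[date] = None             # inclusive; None = no start date
    end: Optional[date] = None               # inclusive; None = no end date

    def in_effect(self, day: date) -> bool:
        if self.start is not None and day < self.start:
            return False
        if self.end is not None and day > self.end:
            return False
        return True

    def expired(self, day: date) -> bool:
        return self.end is not None and day > self.end


def default_type(version: str) -> str:
    """AES-256 for 8.0 and later, DES before 8.0, as the page states."""
    return "aes-256" if int(version.split(".")[0]) >= 8 else "des"


def active_entry(entries: List[EncryptionEntry], day: date,
                 version: str) -> Optional[EncryptionEntry]:
    """First entry in effect on `day`; the version default if every entry has
    expired; None if nothing is in effect but some entry has not started."""
    for e in entries:
        if e.enc_type not in VALID_TYPES:
            raise ValueError(f"unknown encryption type {e.enc_type!r}")
        if e.in_effect(day):
            return e
    if entries and all(e.expired(day) for e in entries):
        return EncryptionEntry(default_type(version))   # documented fallback
    return None


def hosts_agree(host_entries: Dict[str, List[EncryptionEntry]], day: date,
                version: str) -> Tuple[bool, Dict[str, object]]:
    """The page requires every host to use the same encryption pair (type and
    key file); hosts on different versions can silently diverge via the fallback."""
    resolved: Dict[str, object] = {}
    for host, entries in host_entries.items():
        e = active_entry(entries, day, version)
        resolved[host] = None if e is None else (e.enc_type, e.keyfile)
    return len(set(resolved.values())) == 1, resolved


# Constructed sample: a DES entry that ends mid-2024, then AES-256 with no end date.
SAMPLE_ENTRIES = [
    EncryptionEntry("des", "/etc/pb.key", end=parse_pb_date("2024/06/30")),
    EncryptionEntry("aes-256", "/etc/pb.key", start=parse_pb_date("2024/07/01")),
]

if __name__ == "__main__":
    e = active_entry(SAMPLE_ENTRIES, today_utc(), "10.3.2")
    print("in effect today:", e)
```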
138 Event log encryption options

Choose this option and do one of the following:

  • Specify none to not use any event log encryption. Optionally, you may type the start date and/or end date for not using any event log encryption in the format: yyyy/mm/dd. Dates are evaluated in Universal Coordinated Time (UTC).
  • To add a new event log encryption option, do the following:
    • Specify a to add a new event log encryption option.
    • Set the encryption type. The default for version 8.0 and later is AES-256, and for versions prior to 8.0 is DES.
    • Specify the full path and file name where Privilege Management for Unix and Linux is to place the encryption key file. The default is /etc/pb.key. Privilege Management for Unix and Linux requires a key file to use encryption. We recommend that you specify the /etc directory for the encryption key file.
    • Optional. Type the start date and/or end date for the encryption pair in the format: yyyy/mm/dd. Dates are evaluated in Universal Coordinated Time (UTC).
  • Specify e to edit an existing event log encryption option and specify the number of the event log encryption option. You can edit any of the following items for the selected option:
    • Event log encryption type
    • Location and file name for the encryption file
    • Start date for the encryption pair to take effect
    • End date for the encryption pair
  • Specify d to delete an existing event log encryption option and specify the number of the event log encryption option to delete it.
  • Choose x to exit this option.
139 I/O log encryption options

Choose this option and do one of the following:

  • Specify none to not use any I/O log encryption. Optionally, you may type the start date and/or end date for not using any I/O log encryption in the format: yyyy/mm/dd. Dates are evaluated in Universal Coordinated Time (UTC).
  • To add a new I/O log encryption option, do the following:
    • Specify a to add a new I/O log encryption option.
    • Set the encryption type. The default for version 8.0 and later is AES-256, and for versions prior to 8.0 is DES.
    • Specify the full path and file name where Privilege Management for Unix and Linux is to place the encryption key file. The default is /etc/pb.key. Privilege Management for Unix and Linux requires a key file to use encryption. We recommend that you specify the /etc directory for the encryption key file.
    • Optional. Type the start date and/or end date for the encryption pair in the format: yyyy/mm/dd. Dates are evaluated in Universal Coordinated Time (UTC).


Administrators must ensure that all hosts are using the same encryption pair; otherwise, the hosts cannot communicate with each other.

  • Specify e to edit an existing I/O log encryption option and specify the number of the I/O log encryption option. You can edit any of the following items for the selected option:
    • I/O log encryption type
    • Location and file name for the encryption file
    • Start date for the encryption pair to take effect
    • End date for the encryption pair
  • Specify d to delete an existing I/O log encryption option and specify the number of the I/O log encryption option to delete it.
  • Choose x to exit this option.
140 Report encryption options

Choose this option and do one of the following:

  • Specify none to not use any report encryption. Optionally, you may type the start date and/or end date for not using any report encryption in the format: yyyy/mm/dd. Dates are evaluated in Universal Coordinated Time (UTC).
  • To add a new report encryption option, do the following:
    • Specify a to add a new report encryption option.
    • Set the encryption type. The default for version 8.0 and later is AES-256, and for versions prior to 8.0 is DES.
    • Specify the full path and file name where Privilege Management for Unix and Linux is to place the encryption key file. The default is /etc/pb.key. Privilege Management for Unix and Linux requires a key file to use encryption. We recommend that you specify the /etc directory for the encryption key file.
    • Optional. Type the start date and/or end date for the encryption pair in the format: yyyy/mm/dd. Dates are evaluated in Universal Coordinated Time (UTC).


Administrators must ensure that all hosts are using the same encryption pair; otherwise, the hosts cannot communicate with each other.

  • Choose e to edit an existing report encryption option and specify the number of the report encryption option. You can edit any of the following items for the selected option:
    • Report encryption type
    • Location and file name for the encryption file
    • Start date for the encryption pair to take effect
    • End date for the encryption pair
  • Choose d to delete an existing report encryption option and specify the number of the report encryption option to delete it.
  • Choose x to exit this option.
141 Policy file encryption options

Choose this option and do the following:

  • Enter none to not use any policy file encryption.
  • To use the policy file encryption options, do the following:
    • Set the encryption type. The default for version 8.0 and later is AES-256, and for versions prior to 8.0 is DES.
    • Specify the full path and file name where Privilege Management for Unix and Linux is to place the encryption key file. The default is /etc/pb.key. Privilege Management for Unix and Linux requires a key file to use encryption. We recommend that you specify the /etc directory for the encryption key file.
142 Settings file encryption type

Choose this option and do one of the following:

  • Specify none to not use any settings file encryption.
  • Specify one of the encryption types.
143 REST API encryption options

Configure encryption for the REST service Application Key database. Choose this option and do one of the following:

  • Specify none to not use encryption for the REST keystore. Optionally you may type the start date and/or end date for not using any REST keystore encryption in the format: yyyy/mm/dd. Dates are evaluated in Universal Coordinated Time (UTC).
  • To add a new REST keystore encryption option, do the following:
    • Choose a to add a new REST keystore encryption option.
    • Set the encryption type. The default for version 8.0 and later is AES-256, and for versions prior to 8.0 is DES.
    • Specify the full path and file name where Privilege Management for Unix and Linux is to place the encryption key file. The default is /etc/pb.rest.key. Privilege Management for Unix and Linux requires a key file to use encryption. We recommend that you specify the /etc directory for the encryption key file.
    • Optional. Type the start date and/or end date for the encryption pair in the format: yyyy/mm/dd. Dates are evaluated in Universal Coordinated Time (UTC).
  • Choose e to edit an existing REST keystore encryption option and specify the entry number of the encryption option to change. You can edit any of the following items for the selected option:
    • REST keystore encryption type.
    • Location and file name for the encryption file
    • Start date for the encryption pair to take effect
    • End date for the encryption pair
  • Choose d to delete an existing REST keystore encryption option and specify the entry number of the encryption option to delete.
  • Specify x to exit this option.
144 Configure with Kerberos v5?

Choose this option and do one of the following:

  • Specify n if Kerberos v5 is not used.
  • Specify y to configure using Kerberos v5. You also need to perform steps 148 through 152.
150 Enforce High Security Encryption

Enabling High Security enforces configuration to adhere to FIPS 140-2 security. Non-FIPS compatible encryption and hashing algorithms will be disabled. SSL running in strict FIPS mode will be enabled, enhancing the security of the installation.

150 Use SSL?

Choose this option and do one of the following:

  • Enter y to use SSL. When using SSL, you need to perform steps 155 to 176.
  • Enter n to not use SSL and skip steps 155 to 176.

Starting in version 10.3.2, on new installs the option SSLFirst is turned on by default.

152 SSL Configuration?

Choose this option and do one of the following:

  • Specify allownonssl to allow connections to and from non-SSL hosts.
  • Specify clientcertificates to require client certificates.
  • Specify requiressl to allow communication among Privilege Management for Unix and Linux components without requiring Privilege Management for Unix and Linux client certificates. This option is not compatible with the AllowNonSSL option.
  • Specify none to clear all existing parameters.
153 SSL pbrun Certificate Authority Directory?

Choose this option and do one of the following:

  • Specify the directory location for the SSL pbrun certificate authority files.
  • Specify none to not specify a directory for the SSL pbrun certificate authority file. If you do not specify a directory, then you must specify the full path and file name for the SSL pbrun certificate authority file in the next step.
154 SSL pbrun Certificate Authority File?

Choose this option and do one of the following:

  • Specify the file name for the SSL pbrun certificate authority file. If you did not specify a directory in the previous step, then you need to provide the full path and file name.
  • Specify none to not specify a filename for the SSL pbrun certificate authority file.


Failure to specify this file name results in failed communication negotiation.

155 SSL pbrun Cipher List?

SSL provides a variety of algorithms that can be used for encryption. This option enables you to restrict the set of encryption algorithms that are used by pbrun for server communication to a subset of those ciphers that are available to SSL.

Choose this option and do one of the following:

  • Specify ALL to allow all ciphers to be used from the list in the following table:

    NULL-MD5                  NULL-SHA                  EXP-RC4-MD5
    RC4-MD5                   RC4-SHA                   EXP-RC2-CBC-MD5
    EXP-DES-CBC-SHA           DES-CBC-SHA               DES-CBC3-SHA
    EXP-EDH-DSS-DES-CBC-SHA   EDH-DSS-DES-CBC-SHA       EDH-DSS-DES-CBC3-SHA
    EXP-EDH-RSA-DES-CBC-SHA   EDH-RSA-DES-CBC-SHA       EDH-RSA-DES-CBC3-SHA

  • Specify one or more of the ciphers. If more than one cipher is specified, then type a space between the ciphers.
156 SSL pbrun Certificate Directory?

Choose this option and do one of the following:

  • Specify the directory location for the SSL pbrun certificate file.
  • Specify none to not specify a directory for the SSL pbrun certificate file. If you do not specify a directory, then you must specify the full path and file name for the SSL pbrun certificate file in the next step.
157 SSL pbrun Certificate File?

Choose this option and do one of the following:

  • Specify the file name for the SSL pbrun certificate file. If you did not specify a directory in the previous step, you need to provide the full path and file name.
  • Specify none to not specify a file name for the SSL pbrun certificate file.


Failure to specify this file name results in failed communication negotiation.

158 SSL pbrun Private Key Directory?

Choose this option and do one of the following:

  • Specify the directory for the SSL pbrun private key file.
  • Specify none to not specify a directory for the SSL pbrun private key file. If you do not specify a directory, you need to provide the full path and file name in the next step.
159 SSL pbrun Private Key File?

Choose this option and do one of the following:

  • Specify the file name for the SSL pbrun private key file. This is the PEM-formatted private key for the client certificate file. If you did not specify a directory in the previous step, then you need to provide the full path and file name.
  • Specify none to not specify a filename for the SSL pbrun private key file.


Failure to specify this file name results in failed communication negotiation.

160 SSL pbrun Certificate Subject Checks?

The sslpbrunverifysubject setting enables strings or substrings of the subjects of SSL certificates to be checked and accepted by pbrun from pbmasterd.

Choose this option and do one of the following:

  • Specify the string or substring to check in the SSL pbrun certificate subject. If the specified string or substring finds a match in the certificate subject, then the connection proceeds; otherwise, the connection fails.
  • Specify none to remove all checks.
161 SSL Server Certificate Authority Directory?

Choose this option and do one of the following:

  • Specify the directory for the SSL server certificate authority file.
  • Specify none to not specify a directory for the SSL server certificate authority file. If you do not specify a directory, then you need to provide the full path and file name for the SSL server certificate authority file in the next step.
162 SSL Server Certificate Authority File?

Choose this option and do one of the following:

  • Specify the file name for the SSL server certificate authority file. If you did not specify a directory in the previous step, then you need to provide the full path and file name.
  • Specify none to not specify an SSL server certificate authority file.


Failure to specify this file name results in failed communication negotiation.

163 SSL Server Cipher List?

OpenSSL provides a variety of algorithms which can be used for encryption. This option enables you to restrict the set of encryption algorithms that are used by the SSL server for communication to a subset of those ciphers that are available to OpenSSL.

Choose this option and do one of the following:

  • Specify ALL to allow all ciphers in the following table to be used:

    NULL-MD5                  NULL-SHA                  EXP-RC4-MD5
    RC4-MD5                   RC4-SHA                   EXP-RC2-CBC-MD5
    EXP-DES-CBC-SHA           DES-CBC-SHA               DES-CBC3-SHA
    EXP-EDH-DSS-DES-CBC-SHA   EDH-DSS-DES-CBC-SHA       EDH-DSS-DES-CBC3-SHA
    EXP-EDH-RSA-DES-CBC-SHA   EDH-RSA-DES-CBC-SHA       EDH-RSA-DES-CBC3-SHA

  • Specify one or more of the ciphers. If more than one cipher is specified, type a space between the ciphers.
164 SSL Server Certificate Directory?

Choose this option and do one of the following:

  • Specify the directory for the SSL server certificate file.
  • Specify none to not specify a directory for the SSL server certificate file. If you do not specify a directory, then you need to provide the full path and file name for the SSL server certificate file in the next step.
165 SSL Server Certificate File?

Choose this option and do one of the following:

  • Specify the file name for the SSL server certificate file. If you did not specify a directory in the previous step, you need to provide the full path and file name.
  • Specify none to not specify an SSL server certificate file name.

As a convenience, pbinstall can generate the SSL server certificate file if it doesn't yet exist, provided that the absolute path is specified and the parent directories already exist.


Failure to specify this file name results in failed communication negotiation.

166 SSL Server Private Key Directory?

Choose this option and do one of the following:

  • Specify the directory for the SSL server private key file.
  • Specify none to not specify a directory for the SSL server private key file. If you do not specify a directory, then you need to provide the full path and file name for the SSL server private key file in the next step.
167 SSL Server Private Key File?

Choose this option and do one of the following:

  • Specify the file name for the SSL server private key file. If you did not specify a directory in the previous step, then you need to provide the full path and file name.
  • Specify none to not specify the SSL server private key file name.

As a convenience, pbinstall can generate the SSL Server private key file if it doesn't yet exist, provided that the absolute path is specified and the parent directories already exist.


Failure to specify this file name results in failed communication negotiation.

168 SSL Server Certificate Subject Checks?

Choose this option and do one of the following:

  • Specify the string or substring to check in the SSL server certificate subject. If the specified string or substring finds a match in the certificate subject, then the connection proceeds; otherwise, the connection fails.
  • Specify none to remove all checks.
169 SSL Certificate Country Code The Country Code used when creating client x509 certificates.
170 SSL Certificate State/Province The State/Province used when creating client x509 certificates.
171 SSL Certificate Location/Town The general location or town used when creating client x509 certificates.
172 SSL Certificate Organizational Unit The organizational unit used when creating client x509 certificates.
173 SSL Certificate Organization The organization used when creating client x509 certificates.
174 Configure Privilege Management for Unix...

Choose this option and do one of the following:

  • Specify n to not enable Privilege Management for Unix and Linux to use LDAP
  • Specify y to enable Privilege Management for Unix and Linux to use LDAP.
175 Install BeyondTrust built-in third-party libraries?

Choose this option and do one of the following:

  • Specify y to install the BeyondTrust built-in third-party libraries.
  • Specify n to not install BeyondTrust built-in third party libraries.

If you are using LDAP, Kerberos, or SSL, then you need to install third-party libraries. You can install the BeyondTrust third-party libraries or your own. We recommend that you use the BeyondTrust third-party libraries.

176 BeyondTrust built-in third-party library directory?

Choose this option and specify the directory for the BeyondTrust built-in third-party libraries. You also need to specify a directory for your own built-in libraries in step 188.

188 Use PAM?

Privilege Management for Unix and Linux enables the use of Pluggable Authentication Modules (PAM) when Privilege Management for Unix and Linux asks for password confirmation.

The authentication and account management portions of this service are invoked whenever Privilege Management for Unix and Linux verifies a password.

For macOS, PAM must be configured. Otherwise, the Privilege Management for Unix and Linux user and password policy functions do not work. These functions are listed in "User and Password Functions" in the Privilege Management for Unix and Linux Policy Language Guide.

  • PAM is used on a policy server host when the getuserpasswd() and getgrouppasswd() policy functions are invoked and this setting is set to y.
  • PAM is used on a submit host when the policy calls the submitconfirmuser() policy language function and this setting is set to y.
  • PAM is used on a run host when the policy sets the runconfirmuser policy language variable to TRUE and this setting is set to y.

Choose this option and do one of the following:

  • Specify y to use PAM for Privilege Management for Unix and Linux processing on this machine. You also need to perform the next PAM-related steps.
  • Specify n to not use PAM for Privilege Management for Unix and Linux processing on this machine.
196 Allow Remote Jobs?

When this option is set to n, Privilege Management for Unix and Linux prohibits the control of remotely executed jobs as follows:

  • On a policy server host, requests that have different submit host and run host names are automatically rejected. The runhost policy variable is set to read only.
  • On a submit host, the -h option for the pbrun command is disabled, and the runhost variable of the request is set to the IP address of the submit host.
  • On a run host, all requests that do not originate from the Run Host are rejected.

Choose this option and do one of the following:

  • Specify y to allow remote jobs. This setting is the default.
  • Specify n to not allow remote jobs.
197 UNIX Domain Socket directory

When Privilege Management for Unix and Linux determines that communication may occur using Unix or Linux domain sockets, there must be a protected directory that contains the sockets used for reconnects and backconnects. Using Unix and Linux domain sockets for communication between daemons on the same machine should be more efficient than TCP socket communications.

The directory that is specified for Privilege Management for Unix and Linux Unix and Linux domain sockets must be protected from non-root read and write access, and each of the parent directories must be protected from non-root write access.

Choose this option and specify the directory for the Privilege Management for Unix and Linux Unix or Linux domain socket.
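
The protection rule for the domain socket directory, as an added check that is not the product's own code: the directory itself must deny non-root read and write, and every parent must deny non-root write. Treating "protected" as also requiring root ownership is an assumption made here; run_demo() builds a constructed good and bad layout in a temporary tree so the check can be exercised without touching real paths.

```python
# Added example, not the product's own code: verify that a candidate directory
# for the Unix domain sockets meets the protection menu item 197 describes (no
# non-root read or write on the directory itself, no non-root write on any
# parent). Requiring root ownership as part of "protected" is an assumption.
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

NON_ROOT_READ_WRITE = stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH
NON_ROOT_WRITE = stat.S_IWGRP | stat.S_IWOTH


def check_socket_dir(path: str, require_root_owner: bool = True,
                     top: Optional[str] = None) -> List[str]:
    """Return the list of problems found; an empty list means the path passes.

    `top` stops the parent walk at that directory instead of the filesystem
    root; it exists only so the demo can run under a temporary tree.
    """
    problems: List[str] = []
    sock_dir = Path(path).resolve()
    if not sock_dir.is_dir():
        return [f"{sock_dir}: not a directory"]
    stop = Path(top).resolve() if top else None

    st = sock_dir.stat()
    if require_root_owner and st.st_uid != 0:
        problems.append(f"{sock_dir}: owned by uid {st.st_uid}, expected root")
    if st.st_mode & NON_ROOT_READ_WRITE:
        problems.append(f"{sock_dir}: mode {stat.filemode(st.st_mode)} "
                        "allows non-root read or write")

    # A writable parent would let a non-root user rename or replace the socket
    # directory underneath the daemons, so every parent is checked too.
    for parent in sock_dir.parents:
        pst = parent.stat()
        if require_root_owner and pst.st_uid != 0:
            problems.append(f"{parent}: owned by uid {pst.st_uid}, expected root")
        if pst.st_mode & NON_ROOT_WRITE:
            problems.append(f"{parent}: mode {stat.filemode(pst.st_mode)} "
                            "allows non-root write")
        if stop is not None and parent == stop:
            break
    return problems


def run_demo() -> Dict[str, List[str]]:
    """Constructed layouts: a 0700 socket dir under a 0755 parent (passes) and a
    0755 socket dir under a world-writable 0777 parent (two problems)."""
    root = tempfile.mkdtemp(prefix="pbsock-demo-")   # mkdtemp creates it 0700
    layout = {
        "good": [("good", 0o755), ("good/pbsockets", 0o700)],
        "bad": [("bad", 0o777), ("bad/pbsockets", 0o755)],
    }
    results: Dict[str, List[str]] = {}
    for name, dirs in layout.items():
        for rel, mode in dirs:
            d = Path(root, rel)
            d.mkdir()
            os.chmod(d, mode)   # mkdir applies the umask, so set the mode explicitly
        results[name] = check_socket_dir(str(Path(root, dirs[-1][0])),
                                         require_root_owner=False, top=root)
    return results


if __name__ == "__main__":
    for name, problems in run_demo().items():
        print(name, "->", problems or "OK")
```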

198 Reject Null Passwords?

Choose this option and do one of the following:

  • Specify n to match an entered null password to any existing password.
  • Specify y to require the user to exactly match the password.
199 Enable TCP keepalives? Privilege Management for Unix and Linux enables the communication TCP connections to use the TCP stack’s keepalive feature. TCP keepalives can be useful in cases where a firewall keeps track of idle TCP connections and terminates the sessions prematurely.

Choose this option and do one of the following:

  • Specify n to disable TCP keepalive signals.
  • Specify y to enable TCP keepalive signals.
200 Name Resolution Timeout Privilege Management for Unix and Linux attempts to obtain fully qualified domain names when a pblogd, pblocald, pbmasterd, or pbrun session is started. This setting defines the timeout period (in seconds) to be used for the request to expire.

Choose this option and do one of the following:

  • Set the value to 0 to disable this feature (default).
  • Set the value from 1 to 7200 to define the number of seconds to use for the timeout period.

For more information, please see the following: