Upgrades and Reinstallations

The Endpoint Privilege Management for Unix and Linux installers are designed to enable easy upgrades of an installed version to a new version. During an upgrade, the current Endpoint Privilege Management for Unix and Linux configuration can be retained, or a new Endpoint Privilege Management for Unix and Linux configuration can be put in place.

Endpoint Privilege Management for Unix and Linux installation scripts pbinstall and pbmakeremotetar can also be used to perform upgrades and reinstallations.

If you want to return to an older version of Endpoint Privilege Management for Unix and Linux or reinstall the current version with a different configuration, Endpoint Privilege Management for Unix and Linux can be reinstalled to the current or older version without uninstalling, as long as the older version is 2.8.1 or later.

Pre-upgrade Instructions

Before performing an upgrade or reinstallation, do the following:

  1. Obtain the new release, either on a CD or using FTP.
  2. Read the release notes and installation instructions.
  3. Determine the order for updating the policy server host machines. Note that pbrun clients need to be redirected to a new policy server host while their primary policy server host is updated. If your current Endpoint Privilege Management for Unix and Linux installation includes policy server host failover machines, you may want to consider upgrading the policy server host failover machines first, followed by the submit hosts and run hosts, followed by the primary policy server hosts.

The Endpoint Privilege Management for Unix and Linux settings files on the policy server hosts may need to be updated as each policy server host is upgraded.

  1. If your current Endpoint Privilege Management for Unix and Linux installation includes one or more policy server host failover machines, then ensure that the security policy files on the primary policy server host and the policy server host failover machines are synchronized.
  2. Verify the current location of the Endpoint Privilege Management for Unix and Linux administration programs, user programs, and log files. This information is in the pb.cfg file (/etc/pb.cfg or pb/install/pb.cfg.{flavor}) and the settings file, /etc/pb.settings.
  3. If you do not have a recent backup of the host, or if it is imperative that no log entries be lost, then create a save directory (for example, /var/tmp/pb.{rev_rel}) from which Endpoint Privilege Management for Unix and Linux files can be restored if the upgrade fails. After creating the directory, copy (do not move) the files listed below to the new save directory (a shell script can be created to copy the necessary files).

    Endpoint Privilege Management for Unix and Linux files for all host types:
      /etc/services
      /etc/pb.settings
      /etc/pb.cfg (and pb.cfg.* on older installations)
      /etc/pb.key (if encryption is in use on the system)
      pb* log files (typically in /var/adm, /var/log or /usr/adm)

    Endpoint Privilege Management for Unix and Linux Policy Server files:
      /opt/pbul/policies/pb.conf
      All included Security Policy Sub Files
      Endpoint Privilege Management for Unix and Linux database files (contents of databasedir, which defaults to /opt/pbul/dbs)
      /etc/inetd.conf (or your xinetd, launchd, or SMF configuration file)
      Any event log or I/O log files to save

    Endpoint Privilege Management for Unix and Linux Submit Host and Run Host files:
      /etc/inetd.conf (or your xinetd, launchd, or SMF configuration file)

    Endpoint Privilege Management for Unix and Linux Log Server files:
      /etc/inetd.conf (or your xinetd, launchd, or SMF configuration file)
      Any event log or I/O log files to save

    Endpoint Privilege Management for Unix and Linux GUI Host files:
      /etc/inetd.conf (or your xinetd, launchd, or SMF configuration file)
  4. Determine in which directories to install the new Endpoint Privilege Management for Unix and Linux log files, administration programs, and user programs. If you choose different directories for the Endpoint Privilege Management for Unix and Linux programs, you might need to update the path variable for the root user and other users.
  5. Be aware that users cannot submit monitored task requests while Endpoint Privilege Management for Unix and Linux updates are in progress. Consider writing an Endpoint Privilege Management for Unix and Linux configuration policy file that rejects all users from executing pbrun and echoes a print statement to their screen, informing them that an Endpoint Privilege Management for Unix and Linux upgrade is in progress.
  6. Endpoint Privilege Management for Unix and Linux releases are always upward-compatible when encryption is not used. We recommend that you perform an uninstall if a release is replaced by an Endpoint Privilege Management for Unix and Linux version older than 2.8.1.
  7. If you use an encrypted settings file and intend to do an upgrade or reinstall, then the unencrypted version of the settings file needs to be restored before performing an upgrade or reinstall; otherwise, the settings file cannot be read.
  8. If you have a previous installation of Endpoint Privilege Management for Unix and Linux (v5.1 or earlier) and your encryption is set to none, then when you install Endpoint Privilege Management for Unix and Linux v5.2, all the encryption options (options 98 through 103) are set to none. You can change these options during installation.

For more information on changing these options, see Installation Process.
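
The copy script suggested in the save-directory step above could look like the following. This is an added example, not vendor-supplied code; the function name pb_backup and the PB_SAVE_DIR variable are assumptions, and the paths are the defaults listed on this page. The save directory is created with owner-only permissions because it will hold /etc/pb.key, policy files and logs, and the function refuses to write into an existing directory so an earlier backup is never merged or overwritten.

```shell
#!/bin/sh
# Added example (not vendor code): copy the pre-upgrade files into a save directory.
# Usage: pb_backup ROOT SAVE_DIR [EXTRA_PATH...]
#   ROOT is "/" on a real host, or a scratch tree for a rehearsal.
#   EXTRA_PATH: site-specific items (policy sub files, event/I/O logs),
#   given as absolute paths or globs without spaces.
pb_backup() (
    root=${1%/}; save=$2; shift 2
    umask 077                        # pb.key, policy and logs are sensitive
    if [ -e "$save" ]; then          # never merge into an older backup
        echo "pb_backup: $save already exists" >&2; exit 1
    fi
    mkdir -p "$save" || exit 1
    copied=0
    for pat in /etc/services /etc/pb.settings '/etc/pb.cfg*' /etc/pb.key \
               /etc/inetd.conf /opt/pbul/policies/pb.conf /opt/pbul/dbs \
               '/var/adm/pb*' '/var/log/pb*' '/usr/adm/pb*' "$@"; do
        for src in "$root"$pat; do   # $pat unquoted on purpose: expand globs
            if [ ! -e "$src" ]; then
                echo "pb_backup: absent, skipped: $src" >&2; continue
            fi
            rel=${src#"$root"}
            mkdir -p "$save$(dirname "$rel")" || exit 1
            cp -Rp "$src" "$save$rel" || exit 1   # copy, never move
            copied=$((copied + 1))
        done
    done
    echo "$copied"                   # number of top-level items copied
)

# Runs only when a save directory is named, e.g.
#   PB_SAVE_DIR=/var/tmp/pb.{rev_rel} sh pb_backup.sh
if [ -n "${PB_SAVE_DIR:-}" ]; then
    pb_backup / "$PB_SAVE_DIR"
fi
```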

pbinstall Install Upgrades

To upgrade or reinstall Endpoint Privilege Management for Unix and Linux with the same configuration as the currently installed version, run pbinstall in batch mode:

./pbinstall -b

If you perform a reinstall of an older version, be aware that the older version may not have the same features as the newer version. In this case, the upgrade process discards the configuration of the features that are not available in the older version of Endpoint Privilege Management for Unix and Linux. When you upgrade to the newer version, make sure to configure the newer features when running pbinstall.

To change the configuration of Endpoint Privilege Management for Unix and Linux during the upgrade or reinstall, run pbinstall in interactive mode:

./pbinstall

The present configuration is read into pbinstall. Make the desired configuration changes and then use the c command to continue. pbinstall then installs Endpoint Privilege Management for Unix and Linux with the new configuration.

For step-by-step instructions for using pbinstall, see Step-by-Step Instructions for a Basic Installation Using pbinstall.

pbmakeremotetar Install Upgrades and Reinstallations

Upgrading or reinstalling Endpoint Privilege Management for Unix and Linux with pbmakeremotetar is the same process as installing with pbmakeremotetar, with one difference to be aware of: in pbinstall, the in-place files are backed up as sybak files during the upgrade process, whereas in a pbmakeremotetar upgrade or reinstall, the files are overwritten.

Post-Upgrade Instructions

If you want to encrypt your settings file after upgrading Endpoint Privilege Management for Unix and Linux, then save a copy of the unencrypted file (for future upgrades) and re-encrypt the settings file.

Patch Installations

For information on how to perform a patch installation, see pbpatchinstall.