Veritas NetBackup™ Commands Reference Guide

Last Published:
Product(s): NetBackup (8.2)
  1. Introduction
    1.  
      About NetBackup commands
    2.  
      Navigating multiple menu levels
    3.  
      NetBackup command conventions
    4.  
      NetBackup Media Manager command notes
    5.  
      IPV6 updates
  2. Appendix A. NetBackup Commands
    1.  
      acsd
    2.  
      add_media_server_on_clients
    3.  
      backupdbtrace
    4.  
      backuptrace
    5.  
      bmrc
    6.  
      bmrconfig
    7.  
      bmrepadm
    8.  
      bmrprep
    9.  
      bmrs
    10.  
      bmrsrtadm
    11.  
      bp
    12.  
      bparchive
    13.  
      bpbackup
    14.  
      bpbackupdb
    15.  
      bpcatarc
    16.  
      bpcatlist
    17.  
      bpcatres
    18.  
      bpcatrm
    19.  
      bpcd
    20.  
      bpchangeprimary
    21.  
      bpclient
    22.  
      bpclimagelist
    23.  
      bpclntcmd
    24.  
      bpclusterutil
    25.  
      bpcompatd
    26.  
      bpconfig
    27.  
      bpdbjobs
    28.  
      bpdbm
    29.  
      bpdgclone
    30.  
      bpdown
    31.  
      bpduplicate
    32.  
      bperror
    33.  
      bpexpdate
    34.  
      bpfis
    35.  
      bpflist
    36.  
      bpgetconfig
    37.  
      bpgetdebuglog
    38.  
      bpimage
    39.  
      bpimagelist
    40.  
      bpimmedia
    41.  
      bpimport
    42.  
      bpinst
    43.  
      bpkeyfile
    44.  
      bpkeyutil
    45.  
      bplabel
    46.  
      bplist
    47.  
      bpmedia
    48.  
      bpmedialist
    49.  
      bpminlicense
    50.  
      bpnbat
    51.  
      bpnbaz
    52.  
      bppficorr
    53.  
      bpplcatdrinfo
    54.  
      bpplclients
    55.  
      bppldelete
    56.  
      bpplinclude
    57.  
      bpplinfo
    58.  
      bppllist
    59.  
      bpplsched
    60.  
      bpplschedrep
    61.  
      bpplschedwin
    62.  
      bppolicynew
    63.  
      bpps
    64.  
      bprd
    65.  
      bprecover
    66.  
      bprestore
    67.  
      bpretlevel
    68.  
      bpschedule
    69.  
      bpschedulerep
    70.  
      bpsetconfig
    71.  
      bpstsinfo
    72.  
      bpstuadd
    73.  
      bpstudel
    74.  
      bpstulist
    75.  
      bpsturep
    76.  
      bptestbpcd
    77.  
      bptestnetconn
    78.  
      bptpcinfo
    79.  
      bpup
    80.  
      bpverify
    81.  
      cat_convert
    82.  
      cat_export
    83.  
      cat_import
    84.  
      configureCertsForPlugins
    85.  
      configureMQ
    86.  
      configurePorts
    87.  
      configureWebServerCerts
    88.  
      create_nbdb
    89.  
      csconfig cldinstance
    90.  
      csconfig cldprovider
    91.  
      csconfig meter
    92.  
      csconfig throttle
    93.  
      csconfig reinitialize
    94.  
      duplicatetrace
    95.  
      importtrace
    96.  
      jbpSA
    97.  
      jnbSA
    98.  
      ltid
    99.  
      manageClientCerts
    100.  
      mklogdir
    101.  
      nbauditreport
    102.  
      nbcatsync
    103.  
      NBCC
    104.  
      NBCCR
    105.  
      nbcertcmd
    106.  
      nbcertupdater
    107.  
      nbcldutil
    108.  
      nbcloudrestore
    109.  
      nbcomponentupdate
    110.  
      nbcplogs
    111.  
      nbdb_admin
    112.  
      nbdb_backup
    113.  
      nbdb_move
    114.  
      nbdb_ping
    115.  
      nbdb_restore
    116.  
      nbdb_unload
    117.  
      nbdbms_start_server
    118.  
      nbdbms_start_stop
    119.  
      nbdc
    120.  
      nbdecommission
    121.  
      nbdelete
    122.  
      nbdeployutil
    123.  
      nbdevconfig
    124.  
      nbdevquery
    125.  
      nbdiscover
    126.  
      nbdna
    127.  
      nbemm
    128.  
      nbemmcmd
    129.  
      nbfindfile
    130.  
      nbfirescan
    131.  
      nbftadm
    132.  
      nbftconfig
    133.  
      nbgetconfig
    134.  
      nbhba
    135.  
      nbholdutil
    136.  
      nbhostidentity
    137.  
      nbhostmgmt
    138.  
      nbhypervtool
    139.  
      nbimageshare
    140.  
      nbinstallcmd
    141.  
      nbjm
    142.  
      nbkmsutil
    143.  
      nboraadm
    144.  
      nborair
    145.  
      nbpem
    146.  
      nbpemreq
    147.  
      nbperfchk
    148.  
      nbplupgrade
    149.  
      nbrb
    150.  
      nbrbutil
    151.  
      nbregopsc
    152.  
      nbreplicate
    153.  
      nbrepo
    154.  
      nbrestorevm
    155.  
      nbseccmd
    156.  
      nbsetconfig
    157.  
      nbsnapimport
    158.  
      nbsnapreplicate
    159.  
      nbsqladm
    160.  
      nbstl
    161.  
      nbstlutil
    162.  
      nbstop
    163.  
      nbsu
    164.  
      nbsvrgrp
    165.  
      resilient_clients
    166.  
      restoretrace
    167.  
      stopltid
    168.  
      tl4d
    169.  
      tl8d
    170.  
      tl8cd
    171.  
      tldd
    172.  
      tldcd
    173.  
      tlhd
    174.  
      tlhcd
    175.  
      tlmd
    176.  
      tpautoconf
    177.  
      tpclean
    178.  
      tpconfig
    179.  
      tpext
    180.  
      tpreq
    181.  
      tpunmount
    182.  
      verifytrace
    183.  
      vltadm
    184.  
      vltcontainers
    185.  
      vlteject
    186.  
      vltinject
    187.  
      vltoffsitemedia
    188.  
      vltopmenu
    189.  
      vltrun
    190.  
      vmadd
    191.  
      vmchange
    192.  
      vmcheckxxx
    193.  
      vmd
    194.  
      vmdelete
    195.  
      vmoprcmd
    196.  
      vmphyinv
    197.  
      vmpool
    198.  
      vmquery
    199.  
      vmrule
    200.  
      vmupdate
    201.  
      vnetd
    202.  
      vssat
    203.  
      vwcp_manage
    204.  
      vxlogcfg
    205.  
      vxlogmgr
    206.  
      vxlogview
    207.  
      W2KOption

Name

bpinst — configure legacy NetBackup Encryption

SYNOPSIS

bpinst -LEGACY_CRYPT [-crypt_option option] [-crypt_strength strength] [-passphrase_prompt |-passphrase_stdin] [-verbose] [ [-policy_encrypt 0 | 1] -policy_names] name1 [name2 ... nameN]

On UNIX systems, the directory path to this command is /usr/openv/netbackup/bin/

On Windows systems, the directory path to this command is install_path\NetBackup\bin\

DESCRIPTION

NetBackup Encryption provides file-level encryption of backups and archives.

-LEGACY_CRYPT is the Legacy Encryption method. It provides the user with the encryption strength choices previously available (40-bit DES and 56-bit DES).

The bpinst command that is used with the -LEGACY_CRYPT option configures the legacy NetBackup Encryption product on the NetBackup clients that can support encryption. You can also configure encryption for a client that is installed on the master server host.

Activate bpinst -LEGACY_CRYPT on the master server to configure NetBackup Encryption on the clients. A single activation makes the necessary configuration changes on both the clients and the master server.

Note:

Ensure that the DISALLOW_SERVER_FILE_WRITES NetBackup configuration option is not set on the client. If this option is set, the server cannot configure the software on the client.

Note:

The output of the bpinst -h command shows a bpinst -NB option. This option is an internal only option and is not intended for customer use.

OPTIONS

-LEGACY_CRYPT

Required if you use 40-bit DES or 56-bit DES encryption. To configure DES encryption, specify this option first to use the bpinst command. The order is important; do not omit this option.

-crypt_option option

Configures the CRYPT_OPTION configuration entry on the NetBackup clients. If you do not specify -crypt_option, the client allows either encrypted or unencrypted backups (see ALLOWED).

The possible values for option are:

DENIED | denied | -1

Specifies that the client does not permit encrypted backups. If the server requests an encrypted backup, it is considered an error. This option is the default for a client that has not been configured for encryption.

ALLOWED | allowed | 0

Specifies that the client allows either encrypted or unencrypted backups. ALLOWED is the default condition.

REQUIRED | required | 1

Specifies that the client requires encrypted backups. If the server requests an unencrypted backup, it is considered an error.

-crypt_strength strength

Configures the CRYPT_STRENGTH configuration entry on the NetBackup clients. If you do not specify this option, the CRYPT_STRENGTH configuration entries on the clients remain unchanged.

The possible values for strength are:

DES_40 | des_40 | 40

Specifies the 40-bit DES encryption. This value is the default value for a client that has not been configured for encryption.

DES_56 | des_56 | 56

Specifies the 56-bit DES encryption.

-passphrase_prompt | -passphrase_stdin

Note:

Do not forget the pass phrase. If the key file is damaged or lost, you may need the pass phrase to regenerate the key file. Without the proper key file, you cannot restore encrypted backups.

NetBackup uses a pass phrase to create the data that it places in a key file on each client. NetBackup then uses the data in the key file to create the encryption keys that are required to encrypt and decrypt the backup data. This option applies to the -LEGACY_CRYPT option only.

The -passphrase_prompt option prompts you to enter a pass phrase. The actual pass phrase is hidden while you type.

The -passphrase_stdin option reads the pass phrase through standard input. You must enter the pass phrase twice. This option is less secure than the -passphrase_prompt option because the pass phrase is not hidden. However, it may be more convenient if you use bpinst -LEGACY_CRYPT in a shell script.

NetBackup uses the pass phrase for all the clients that you specify on the bpinst -LEGACY_CRYPT command. If you want separate pass phrases for each client, enter a separate bpinst -LEGACY_CRYPT command for each client.

When you specify a pass phrase, bpinst -LEGACY_CRYPT creates or updates the key files on the clients. The encryption keys (generated from the pass phrase) are used for subsequent backups. Old encryption keys are retained in the key file to allow restores of previous backups.

If you do not specify either the -passphrase_prompt or -passphrase_stdin option, the key files on the clients remain unchanged.

-verbose

Prints the current encryption configuration of each client and what gets installed and reconfigured on each client.

-policy_encrypt 0 | 1

Sets the Encryption policy attribute for the NetBackup policies. You can include -policy_encrypt only with the -policy_names option. The possible values are:

0 - clears the Encryption attribute (or leaves it clear) so the server does not request encryption for clients in this policy. This setting is the default for the policies that are not configured for encryption.

1 - sets the Encryption attribute so the server requests encryption for clients in this policy.

If you do not specify this option, the Encryption attributes for the policies remain unchanged.

-policy_names

Specifies that the names you specify (with the names option) are NetBackup policy names.

If you include the -policy_names option, bpinst -LEGACY_CRYPT configures all the clients in each specified policy. If you omit the -policy_names option, the names are assumed to be NetBackup client names.

name1 [name2 ... nameN]

Specifies one or more NetBackup client or policy names, depending on whether you have included the -policy_names option. If you omit the -policy_names option, the names are assumed to be NetBackup client names.

NOTES

The following notes apply to the -LEGACY_CRYPT option:

  • If you are running NetBackup in a clustered environment, you can push configuration data to the client only from the active node.

  • If you push the configuration to clients that are located in a cluster, do the following: Specify the hostnames of the individual nodes (not virtual names) in the clients list.

  • When you finish the restore of encrypted files from a client, rename or delete the key file created. Move or rename your own key file to its original location or name. If you do not re-establish your key file to its original location or name, you may not be able to restore your own encrypted backups.

  • Existing 40-bit encryption license keys or 56-bit encryption license keys are valid for upgrades.

  • A privately defined NetBackup 40-bit DES key encrypts the pass phrase that bpinst -LEGACY_CRYPT sends over the network.

  • The key file on each NetBackup client is encrypted with a privately defined NetBackup DES key. The key can be 40 bits or 56 bits depending on how the client is configured. Restrict access to the key file to the administrator of the client computer. On a UNIX client, the owner of the key file should be root and the mode bits should be 600. The key file should not be exportable through NFS.

  • The key file must be the same on all nodes in a cluster.

  • Remember pass phrases. In a disaster recovery situation, you may have to recreate a key file on a client by using bpinst -LEGACY_CRYPT. For example, suppose a NetBackup client that is named orca performs encrypted backups and an accident occurs that causes orca to lose its files. In this case you must reinstall and configure encryption on the client to restore your backups.

For more about how to restore the operating system and NetBackup, see the NetBackup Troubleshooting Guide.

To provide disaster recovery when you use encryption (client named orbit)

  1. Reinstall the operating system on orbit.
  2. Reinstall and configure the NetBackup client software on orbit.
  3. Reinstall and configure encryption on orbit by using the following command:
    # bpinst -LEGACY_CRYPT -crypt_option allowed
  4. Activate bpinst -LEGACY_CRYPT to create a pass phrase by using the following command:
    # bpinst -LEGACY_CRYPT -passphrase_prompt orbit
    Enter new NetBackup pass phrase: *********************
    Re-enter new NetBackup pass phrase: *********************

    Enter the pass phrase that is used on orca.

  5. Activate bpinst -LEGACY_CRYPT for each subsequent pass phrase that is used on orbit by entering the following:
    # bpinst -LEGACY_CRYPT -passphrase_prompt orbit
    Enter new NetBackup pass phrase: *********************
    Re-enter new NetBackup pass phrase: *********************
  6. Restore the backed up files to orbit.

EXAMPLES

Example 1 - Configure all on one line 40-bit DES encryption on UNIX clients in a policy named policy40:

# bpinst -LEGACY_CRYPT -crypt_option allowed -crypt_strength des_40 
-policy_encrypt 1 -policy_names policy40

Use the -policy_encrypt option to set the Encryption attribute for the policy. You can also use the NetBackup administrator utility to set the Encryption attribute.

Example 2 - Use the -passphrase_prompt option to create a passphrase on all clients in a policy named policy40:

# bpinst -LEGACY_CRYPT -passphrase_prompt -policy_names policy40
Enter new NetBackup pass phrase: *********************
Re-enter new NetBackup pass phrase: *********************

Example 3 - Specify all on one line the NetBackup client named strong must use 56-bit DES encryption:

# bpinst -LEGACY_CRYPT -crypt_option required -crypt_strength des_56 
strong

Example 4 - Display a verbose listing of the configuration for the client named strong:

# bpinst -LEGACY_CRYPT -verbose strong

BPCD protocol version 8.0.0 on client strong
40-bit library version is 3.1.0.40 on client strong
56-bit library version is 3.1.0.56 on client strong
BPCD platform is redhat for client strong
Current configuration entries are:
CRYPT_KEYFILE = /usr/openv/netbackup/keyfile
CRYPT_LIBPATH = /usr/openv/lib
CRYPT_OPTION = required
CRYPT_STRENGTH = des-56
V_PATH_SHARE = /usr/openv/share
No update of NetBackup configuration required for client strong
No update of NetBackup pass phrase required for client strong

FILES

The following are the files that are used on UNIX systems:

  • UNIX server command

    /usr/openv/netbackup/bin/bpinst
  • UNIX client encryption libraries for 40-bit DES and 56-bit DES

    /usr/openv/lib/libvdes*.*
  • UNIX client encryption key file for 40-bit DES and 56-bit DES

    /usr/openv/netbackup/keyfile
  • UNIX client encryption key file utility for 40-bit DES and 56-bit DES

    /usr/openv/netbackup/bin/bpkeyfile
  • UNIX client encryption key file utility for 128-bit OpenSSL cipher and 256-bit OpenSSL cipher

    /usr/openv/netbackup/bin/bpkeyutil
    /usr/openv/share/ciphers.txt

The following are the files that are used on Windows systems:

  • Windows server command

    install_path\NetBackup\bin\bpinst.exe
  • Windows client encryption key file

    install_path\NetBackup\var\keyfile.dat
  • Windows client encryption libraries

    install_path\bin\libvdes*.dll
  • Windows client encryption key file utility

    install_path\bin\bpkeyfile.exe
    install_path\share\ciphers.txt