Veritas NetBackup™ Security and Encryption Guide

Last Published:
Product(s): NetBackup (8.3.0.1, 8.3)
  1. Increasing NetBackup security
    1.  
      About NetBackup security and encryption
    2.  
      NetBackup security implementation levels
    3.  
      World-level security
    4.  
      Enterprise-level security
    5.  
      Datacenter-level security overview
    6.  
      NetBackup Access Control (NBAC)
    7.  
      Combined world, enterprise, and data center levels
    8.  
      NetBackup security implementation types
    9.  
      Operating system security
    10.  
      NetBackup security vulnerabilities
    11.  
      Standard NetBackup security
    12.  
      Client side encryption security
    13.  
      NBAC on master, media server, and graphical user interface security
    14.  
      NBAC complete security
  2. Security deployment models
    1.  
      Workgroups
    2.  
      Single datacenters
    3.  
      Multi-datacenters
    4.  
      Workgroup with NetBackup
    5.  
      Single datacenter with standard NetBackup
    6.  
      Single datacenter with client side encryption
    7.  
      Single datacenter with NBAC on master and media servers
    8.  
      Single datacenter with NBAC complete
    9.  
      Multi-datacenter with standard NetBackup
    10.  
      Multi-datacenter with client side encryption
    11.  
      Multi-datacenter with NBAC on master and media servers
    12.  
      Multi-datacenter with NBAC complete
  3. Port security
    1.  
      About NetBackup TCP/IP ports
    2. About NetBackup daemons, ports, and communication
      1.  
        Standard NetBackup ports
      2.  
        NetBackup master server outgoing ports
      3.  
        NetBackup media server outgoing ports
      4.  
        NetBackup enterprise media management (EMM) server outgoing ports
      5.  
        Client outgoing ports
      6.  
        Java server outgoing ports
      7.  
        Java console outgoing ports
      8.  
        About MSDP port usage
      9.  
        About Cloud port usage
      10. Additional port information for products that interoperate with NetBackup
        1.  
          About communication ports and firewall considerations in OpsCenter
        2.  
          Ports required to communicate with backup products
        3.  
          Web browser to launch OpsCenter user interface
        4.  
          About OpsCenter user interface and OpsCenter server software communication
        5.  
          About OpsCenter server to NetBackup master server (NBSL) communication
        6.  
          About SNMP traps
        7.  
          About communication between OpsCenter and Sybase database
        8.  
          About email communication in OpsCenter
    3. About configuring ports
      1.  
        Enabling or disabling random port assignments
      2.  
        Editing port information in configuration files
      3.  
        Updating client connection options
      4.  
        Updating port settings for the Media Manager in the vm.conf file
    4.  
      Port requirements for NDMP backups
    5.  
      Known firewall problems encountered when using NetBackup with third-party robotic products
  4. Auditing NetBackup operations
    1.  
      About NetBackup auditing
    2.  
      Viewing the current audit settings
    3.  
      Audit retention period and catalog backups of audit records
    4.  
      Viewing the detailed NetBackup audit report
    5.  
      User identity in the audit report
    6.  
      Disabling auditing
    7.  
      Audit alert notification for audit failures (NetBackup Administration Console)
    8. About Enhanced Auditing
      1.  
        Enabling Enhanced Auditing
      2. Configuring Enhanced Auditing
        1.  
          Connecting to a media server with Enhanced Auditing
        2.  
          Changing a server across NetBackup domains
        3.  
          Configuration requirements if using Change Server with NBAC or Enhanced Auditing
      3.  
        Disabling Enhanced Auditing
  5. Access control security
    1.  
      About access control in NetBackup
    2.  
      Managing users with Enhanced Auditing
    3.  
      User authentication with Enhanced Auditing
    4.  
      Impact of Enhanced Auditing on NetBackup Administration Console authorization
  6. NetBackup Access Control Security (NBAC)
    1.  
      About using NetBackup Access Control (NBAC)
    2.  
      NetBackup access management administration
    3.  
      About NetBackup Access Control (NBAC) configuration
    4. Configuring NetBackup Access Control (NBAC)
      1.  
        NBAC configuration overview
      2.  
        Configuring NetBackup Access Control (NBAC) on standalone master servers
      3.  
        Installing the NetBackup master server highly available on a cluster
      4.  
        Configuring NetBackup Access Control (NBAC) on a clustered master server
      5.  
        Configuring NetBackup Access Control (NBAC) on media servers
      6.  
        Installing and configuring access control on clients
      7.  
        About including authentication and authorization databases in the NetBackup hot catalog backups
      8.  
        NBAC configure commands summary
      9.  
        Unifying NetBackup Management infrastructures with the setuptrust command
      10.  
        Using the setuptrust command
    5. Configuring Access Control host properties for the master and media server
      1.  
        Authentication Domain tab
      2.  
        Authorization Service tab
      3.  
        Network Attributes tab
    6. Access Control host properties dialog for the client
      1.  
        Authentication Domain tab for the client
      2.  
        Network Attributes tab for the client
    7.  
      Using NetBackup Access Control (NBAC) with Auto Image Replication
    8. Troubleshooting Access Management
      1.  
        Troubleshooting NBAC issues
      2.  
        Configuration and troubleshooting tips for NetBackup Authentication and Authorization
      3. Windows verification points
        1.  
          Master server verification points for Windows
        2.  
          Media server verification points for Windows
        3.  
          Client verification points for Windows
      4. UNIX verification points
        1.  
          UNIX master server verification
        2.  
          UNIX media server verification
        3.  
          UNIX client verification
      5. Verification points in a mixed environment with a UNIX master server
        1.  
          Master server verification points for a mixed UNIX master server
        2.  
          Media server verification points for a mixed UNIX master server
        3.  
          Client verification points for a mixed UNIX master server
      6. Verification points in a mixed environment with a Windows master server
        1.  
          Master server verification points for a mixed Windows master server
        2.  
          Media server verification points for a mixed Windows master server
        3.  
          Client verification points for a mixed Windows master server
      7.  
        About the nbac_cron utility
      8.  
        Using the nbac_cron utility
    9.  
      Using the Access Management utility
    10. About determining who can access NetBackup
      1.  
        Individual users
      2.  
        User groups
      3.  
        NetBackup default user groups
      4. Configuring user groups
        1.  
          Creating a new user group
        2.  
          Creating a new user group by copying an existing user group
        3.  
          Renaming a user group
        4.  
          Adding a new user to the user group
      5. About defining a user group and users
        1.  
          Logging on as a new user
        2.  
          Assigning a user to a user group
        3.  
          About authorization objects and permissions
    11. Viewing specific user permissions for NetBackup user groups
      1.  
        Granting permissions
      2.  
        Authorization objects
      3.  
        Media authorization object permissions
      4.  
        Policy authorization object permissions
      5.  
        Drive authorization object permissions
      6.  
        Report authorization object permissions
      7.  
        NBU_Catalog authorization object permissions
      8.  
        Robot authorization object permissions
      9.  
        Storage unit authorization object permissions
      10.  
        DiskPool authorization object permissions
      11.  
        BUAndRest authorization object permissions
      12.  
        Job authorization object permissions
      13.  
        Service authorization object permissions
      14.  
        HostProperties authorization object permissions
      15.  
        License authorization object permissions
      16.  
        Volume group authorization object permissions
      17.  
        VolumePool authorization object permissions
      18.  
        DevHost authorization object permissions
      19.  
        Security authorization object permissions
      20.  
        Fat server authorization object permissions
      21.  
        Fat client authorization object permissions
      22.  
        Vault authorization object permissions
      23.  
        Server group authorization object permissions
      24.  
        Key management system (kms) group authorization object permissions
    12.  
      Upgrading NetBackup Access Control (NBAC)
  7. About AD and LDAP domains
    1.  
      Adding AD or LDAP domains in NetBackup
    2.  
      Troubleshooting AD or LDAP domain configuration issues
    3.  
      Certificate authorities trusted by the NetBackup Authentication Service
  8. NetBackup CA and NetBackup certificates
    1.  
      Overview of security certificates in NetBackup
    2.  
      About secure communication in NetBackup
    3. About the Security Management utilities
      1.  
        About login activity
    4. About audit events
      1.  
        Viewing audit events
      2.  
        Audit Events tab
      3.  
        Viewing audit event details
      4.  
        Audit Events Details dialog box
      5.  
        Viewing audit event status
      6.  
        Troubleshooting auditing issues related to the Access History tab
    5. About host management
      1.  
        Hosts tab
      2.  
        Adding host ID to host name mappings
      3.  
        Add or Remove Host Mappings dialog box
      4.  
        Removing host ID to host name mappings
      5.  
        Mappings for Approval tab
      6.  
        Viewing auto-discovered mappings
      7.  
        Mapping Details dialog box
      8.  
        Approving host ID to host name mappings
      9.  
        Rejecting host ID to host name mappings
      10. Adding shared or cluster mappings
        1.  
          About shared or cluster mapping scenarios
      11.  
        Add Shared or Cluster Mappings dialog box
      12.  
        Resetting NetBackup host attributes
      13. Allowing or disallowing automatic certificate reissue
        1.  
          Configuring validity of the autoreissue parameter for a host
      14.  
        Adding or deleting comment for a host
    6. About global security settings
      1.  
        About secure communication settings
      2.  
        Disabling insecure communication
      3.  
        About insecure communication with 8.0 and earlier hosts
      4.  
        About communication with 8.0 or earlier host in multiple NetBackup domains
      5.  
        Automatically mapping host ID to host names and IP addresses
      6.  
        About disaster recovery settings
      7.  
        Setting a passphrase to encrypt disaster recovery packages
      8.  
        Disaster recovery packages
    7. About host name-based certificates
      1.  
        Deploying host name-based certificates
    8. About host ID-based certificates
      1.  
        Web login requirements for nbcertcmd command options
      2. Using the Certificate Management utility to issue and deploy host ID-based certificates
        1.  
          Viewing host ID-based certificate details
      3. About NetBackup certificate deployment security levels
        1.  
          Configuring the certificate deployment security levels
      4.  
        Automatic host ID-based certificate deployment
      5.  
        Deploying host ID-based certificates
      6.  
        Deploying host ID-based certificates in an asynchronous manner
      7.  
        Implication of clock skew on certificate validity
      8. Setting up trust with the master server (Certificate Authority)
        1.  
          Finding and communicating the fingerprint of the certificate authority
      9.  
        Forcing or overwriting certificate deployment
      10.  
        Retaining host ID-based certificates when reinstalling NetBackup on non-master hosts
      11.  
        Deploying certificates on a client that has no connectivity with the master server
      12.  
        About host ID-based certificate expiration and renewal
      13.  
        Deleting sensitive certificates and keys from media servers and clients
      14.  
        Cleaning host ID-based certificate information from a host before cloning a virtual machine
      15. About reissuing host ID-based certificates
        1.  
          Creating a reissue token
        2.  
          Changing the key pair for a host
    9. About Token Management for host ID-based certificates
      1.  
        Creating authorization tokens
      2.  
        Deleting authorization tokens
      3.  
        Viewing authorization token details
      4.  
        About expired authorization tokens and cleanup
    10. About the host ID-based certificate revocation list
      1.  
        Refreshing the CRL on the master server
      2.  
        Refreshing the CRL on a NetBackup host
    11. About revoking host ID-based certificates
      1.  
        Removing trust between a host and a master server
      2.  
        Revoking a host ID-based certificate
      3.  
        Determining a NetBackup host's certificate state
      4.  
        Getting a list of NetBackup hosts that have revoked certificates
    12.  
      Deleting host ID-based certificates
    13. Host ID-based certificate deployment in a clustered setup
      1. About deployment of a host ID-based certificate on a clustered NetBackup host
        1.  
          Host ID-based certificate deployment on the active master server node
        2.  
          Host ID-based certificate deployment on inactive master server nodes
      2.  
        Deploying host ID-based certificates on cluster nodes
      3.  
        Revoking a host ID-based certificate for a clustered NetBackup setup
      4.  
        Deploying a host ID-based certificate on a clustered NetBackup setup using reissue token
      5.  
        Creating a reissue token for a clustered NetBackup setup
      6.  
        Renewing a host ID-based certificate on a clustered NetBackup setup
      7.  
        Viewing certificate details of a clustered NetBackup setup
      8.  
        Removing CA certificates from a clustered NetBackup setup
      9.  
        Generating a certificate on a clustered master server after disaster recovery installation
    14.  
      About the communication between a NetBackup client located in a demilitarized zone and a master server through an HTTP tunnel
    15.  
      Adding a NetBackup host manually
    16. Migrating NetBackup CA
      1.  
        Setting the required key strength before installation or upgrade using the NB_KEYSIZE environment variable
      2.  
        Migrating NetBackup CA when the entire NetBackup domain is upgraded to NetBackup 8.3
      3.  
        Manually migrating NetBackup CA after installation or upgrade
      4.  
        Establishing communication with clients that do not have new CA certificates after CA migration
      5.  
        Viewing a list of NetBackup CAs in the domain
      6.  
        Viewing the CA migration summary
      7.  
        Decommissioning the inactive NetBackup CA
  9. External CA support in NetBackup
    1. About external CA support in NetBackup
      1.  
        Command-line options used for external certificate configuration
    2.  
      Workflow to use external certificates for NetBackup host communication
    3. Configuration options for external CA-signed certificates
      1. ECA_CERT_PATH for NetBackup servers and clients
        1.  
          Specifying Windows certificate store for ECA_CERT_PATH
      2.  
        ECA_TRUST_STORE_PATH for NetBackup servers and clients
      3.  
        ECA_PRIVATE_KEY_PATH for NetBackup servers and clients
      4.  
        ECA_KEY_PASSPHRASEFILE for NetBackup servers and clients
      5.  
        ECA_CRL_CHECK for NetBackup servers and clients
      6.  
        ECA_CRL_PATH for NetBackup servers and clients
      7.  
        ECA_CRL_PATH_SYNC_HOURS for NetBackup servers and clients
      8.  
        ECA_CRL_REFRESH_HOURS for NetBackup servers and clients
      9.  
        ECA_DISABLE_AUTO_ENROLLMENT for NetBackup servers and clients
      10.  
        ECA_DR_BKUP_WIN_CERT_STORE for NetBackup servers and clients
    4. About certificate revocation lists for external CA
      1.  
        How CRLs from ECA_CRL_PATH are used
      2.  
        How CRLs from CDP URLs are used
    5. About certificate enrollment
      1.  
        About automatic enrollment of an external certificate
    6.  
      About viewing enrollment status of master servers
    7. Configuring an external certificate for the NetBackup web server
      1.  
        Updating or renewing external certificate for the web server
      2.  
        Removing the external certificate configured for the web server
    8.  
      Configuring the master server to use an external CA-signed certificate
    9.  
      Configuring a NetBackup host (media server, client, or cluster node) to use an external CA-signed certificate after installation
    10.  
      Enrolling an external certificate for a remote host
    11.  
      Viewing the certificate authorities that your NetBackup domain supports
    12.  
      Viewing external CA-signed certificates in the NetBackup web UI
    13.  
      Renewing a file-based external certificate
    14.  
      Removing certificate enrollment
    15.  
      Disabling the NetBackup CA in a NetBackup domain
    16.  
      Enabling the NetBackup CA in a NetBackup domain
    17.  
      Disabling an external CA in a NetBackup domain
    18.  
      Changing the subject name of an enrolled external certificate
    19. About external certificate configuration for a clustered master server
      1.  
        Workflow to use external certificates for a clustered master server
      2. Configuration options for external CA-signed certificates for a virtual name
        1.  
          CLUSTER_ECA_CERT_PATH for clustered master server
        2.  
          CLUSTER_ECA_TRUST_STORE_PATH for clustered master server
        3.  
          CLUSTER_ECA_PRIVATE_KEY_PATH for clustered master server
        4.  
          CLUSTER_ECA_KEY_PASSPHRASEFILE for clustered master server
      3.  
        Configuring an external certificate for a clustered master server
  10. About API keys in NetBackup
    1.  
      About API keys
    2.  
      Creating API keys
    3.  
      Managing an API key
    4. Using an API key
      1.  
        Setting an API key environment variable to run NetBackup commands
  11. Data at rest encryption security
    1.  
      Data at rest encryption terminology
    2.  
      Data at rest encryption considerations
    3.  
      Encryption security questions to consider
    4.  
      Comparison of encryption options
    5. About NetBackup client encryption
      1.  
        Installation prerequisites for encryption security
      2. About running an encryption backup
        1.  
          About choosing encryption for a backup
        2.  
          Standard encryption backup process
        3.  
          Legacy encryption backup process
      3.  
        NetBackup standard encryption restore process
      4.  
        NetBackup legacy encryption restore process
    6. Configuring standard encryption on clients
      1.  
        Managing standard encryption configuration options
      2.  
        Managing the NetBackup encryption key file
      3. About configuring standard encryption from the server
        1.  
          About creating encryption key files on the clients
        2.  
          Creating the key files
        3.  
          Best practices for key file restoration
        4.  
          Manual retention to protect key file pass phrases
        5.  
          Automatic backup of the key file
      4.  
        Restoring an encrypted backup file to another client
      5.  
        About configuring standard encryption directly on clients
      6.  
        Setting standard encryption attribute in policies
      7.  
        Changing the client encryption settings from the NetBackup server
    7. Configuring legacy encryption on clients
      1. About configuring legacy encryption from the client
        1.  
          Managing legacy encryption key files
      2. About configuring legacy encryption from the server
        1.  
          About pushing the legacy encryption configuration to clients
        2.  
          About pushing the legacy encryption pass phrases to clients
      3.  
        Restoring a legacy encrypted backup created on another client
      4.  
        About setting legacy encryption attribute in policies
      5.  
        Changing client legacy encryption settings from the server
      6. Additional legacy key file security for UNIX clients
        1.  
          Running the bpcd -keyfile command
        2.  
          Terminating bpcd on UNIX clients
  12. Data at rest key management
    1.  
      Federal Information Processing Standards (FIPS)
    2.  
      About FIPS enabled KMS
    3. About the Key Management Service (KMS)
      1.  
        KMS considerations
      2.  
        KMS principles of operation
      3.  
        About writing an encrypted tape
      4.  
        About reading an encrypted tape
      5.  
        KMS terminology
    4. Installing KMS
      1.  
        Using KMS with NBAC
      2.  
        About installing KMS with HA clustering
      3.  
        Enabling the monitoring of the KMS service
      4.  
        Disabling the monitoring of the KMS service
    5. Configuring KMS
      1.  
        Creating the key database
      2. About key groups and key records
        1.  
          About creating key groups
        2.  
          About creating key records
      3. Overview of key record states
        1.  
          Key record state considerations
        2.  
          Prelive key record state
        3.  
          Active key record state
        4.  
          Inactive key record state
        5.  
          Deprecated key record state
        6.  
          Terminated key record state
      4.  
        About backing up the KMS database files
      5.  
        About recovering KMS by restoring all data files
      6.  
        Recovering KMS by restoring only the KMS data file
      7.  
        Recovering KMS by regenerating the data encryption key
      8.  
        Problems backing up the KMS data files
      9.  
        Solutions for backing up the KMS data files
      10.  
        Creating a key record
      11.  
        Listing keys from a key group
      12. Configuring NetBackup to work with KMS
        1.  
          NetBackup and key records from KMS
        2.  
          Example of setting up NetBackup to use tape encryption
      13.  
        Configuring NetBackup KMS using the KMS web application
    6. About using KMS for encryption
      1.  
        About importing KMS encrypted images
      2.  
        Example of running an encrypted tape backup
      3.  
        Example of verifying an encryption backup
    7. KMS database constituents
      1.  
        Creating an empty KMS database
      2.  
        Importance of the KPK ID and HMK ID
      3.  
        About periodically updating the HMK and KPK
      4.  
        Backing up the KMS keystore and administrator keys
    8. Command line interface (CLI) commands
      1.  
        CLI usage help
      2.  
        Create a new key group
      3.  
        Create a new key
      4.  
        Modify key group attributes
      5.  
        Modify key attributes
      6.  
        Get details of key groups
      7.  
        Get details of keys
      8.  
        Delete a key group
      9.  
        Delete a key
      10.  
        Recover a key
      11. About exporting and importing keys from the KMS database
        1. Exporting keys
          1.  
            Troubleshooting common errors during an export
        2. Importing keys
          1.  
            Troubleshooting common errors during an import
      12.  
        Modify host master key (HMK)
      13.  
        Get host master key (HMK) ID
      14.  
        Get key protection key (KPK) ID
      15.  
        Modify key protection key (KPK)
      16.  
        Get keystore statistics
      17.  
        Quiesce KMS database
      18.  
        Unquiesce KMS database
      19.  
        Key creation options
    9. Troubleshooting KMS
      1.  
        Solution for backups not encrypting
      2.  
        Solution for restores that do not decrypt
      3.  
        Troubleshooting example - backup with no active key record
      4.  
        Troubleshooting example - restore with an improper key record state
  13. External KMS support in NetBackup
    1.  
      About external KMS
    2.  
      Certificate configuration and authorization
    3.  
      Workflow for external KMS configuration
    4.  
      Validating KMS credentials
    5. Configuring KMS credentials
      1.  
        Listing KMS credentials
      2.  
        Updating KMS credentials
      3.  
        Deleting KMS credentials
    6. Configuring KMS
      1.  
        Listing KMS configurations
      2.  
        Updating KMS configuration
      3.  
        Deleting KMS configuration
    7.  
      Configuring keys in an external KMS for NetBackup consumption
    8. Creating keys in an external KMS
      1.  
        Listing keys
    9.  
      Determining a key group name during storage configuration
    10. Working with multiple KMS servers
      1.  
        Migrating one KMS server to another KMS server
      2.  
        Using a separate KMS server for each storage configuration
    11.  
      Working with external KMS during backup and restore
    12.  
      Key rotation
    13.  
      Disaster recovery when catalog backup is encrypted using an external KMS server
    14.  
      Alerts for expiration of KMS credentials
  14. Regenerating keys and certificates
    1.  
      About regenerating keys and certificates
    2.  
      Regenerating NetBackup authentication broker keys and certificates
    3.  
      Regenerating host identity keys and certificates
    4.  
      Regenerating web service keys and certificates
    5.  
      Regenerating nbcertservice keys and certificates
    6.  
      Regenerating tomcat keys and certificates
    7.  
      Regenerating JWT keys
    8.  
      Regenerating NetBackup gateway certificates
    9.  
      Regenerating web trust store certificates
    10.  
      Regenerating VMware vCenter plug-in certificates
    11.  
      Regenerating NetBackup Administrator Console session certificates
    12.  
      Regenerating OpsCenter keys and certificates
    13.  
      Regenerating NetBackup encryption key file
  15. NetBackup web services account
    1.  
      About the NetBackup web services account
    2.  
      Changing the web service user account

Configuration and troubleshooting tips for NetBackup Authentication and Authorization

The following table lists helpful configuration and troubleshooting tips for NetBackup Authentication and Authorization. In addition, the table also contains information about a few known issues and tips to resolve them:

Table: Configuration and troubleshooting tips for NetBackup Authentication and Authorization

Topic

Configuration tips

Verifying master server settings

Running bpnbat -whoami and specifying the computer credentials, tells in what domain a host is registered and the name of the computer the certificate represents.

  bpnbat -whoami -cf 
    "c:\program 
   Files\veritas\netbackup\var\vxss\credentials\
   master.company.com
    "Name: master.company.com
   Domain: NBU_Machines@master.company.com
   Issued by: /CN=broker/OU=root@master.company.com/O=vx
   Expiry Date: Oct 31 20:17:51 2007 GMT
   Authentication method: Veritas Private Security
   Operation completed successfully.

If the domain listed is not NBU_Machines@master.company.com, consider running bpnbat -addmachine for the name in question (master). The command is run on the computer that serves the NBU_Machines domain (master).

Then, on the computer where you want to place the credentials, run: bpnbat -loginmachine

Establishing root credentials

If you have problems setting up either the authentication server or authorization server, and the application complains about your credentials as root: ensure that the $HOME environmental variable is correct for root.

Use the following command to detect the current value:

   echo $HOME

This value should agree with root's home directory, which can be typically found in the /etc/passwd file.

Note that when switching to root, you may need to use:

   su -

instead of only su to correctly condition the root environment variables.

Expired credentials message

If your credential has expired or is incorrect, you may receive the following message while running a bpnbaz or bpnbat command:

Supplied credential is expired or incorrect. Please
reauthenticate and try again.

Run bpnbat -Login to update an expired credential.

Useful debug logs

The following logs are useful to debug NetBackup Access Control:

On the master: admin, bpcd, bprd, bpdbm, bpjobd, bpsched

On the client: admin, bpcd

Access control: nbatd, nbazd.

If the master server uses NetBackup Access Control (NBAC) in the REQUIRED mode and the EMM database is remote, the logging information appears in the bpdbm log.

See the NetBackup Troubleshooting Guide for instructions on proper logging.

Unhooking Shared AT from PBX

When NetBackup is upgraded and NBAC was already enabled in a previous setup, the old Shared AT should be unhooked from PBX.

To unhook shared AT, run following command.

On UNIX platforms, run /opt/VRTSat/bin/vssat setispbxexchflag --disable.

On Windows x86, run C:\Program Files\VERITAS\Security\Authentication\bin\vssat setispbxexchflag --disable.

On Windows x64 , run C:\Program Files(x86)\VERITAS\Security\Authentication\bin\vssat setispbxexchflag --disable.

Where credentials are stored

The NetBackup Authentication and Authorization credentials are stored in the following directories:

UNIX:

User credentials: $HOME/.vxss

Computer credentials: /usr/openv/var/vxss/credentials/

Windows:

<user_home_dir>\Application Data\VERITAS\VSS

How system time affects access control

Credentials have a birth time and death time. Computers with large discrepancies in system clock time view credentials as being created in the future or prematurely expired. Consider synchronizing system time if you have trouble communicating between systems.

NetBackup Authentication and Authorization ports

The NetBackup Authentication and Authorization daemon services use ports 13783 and 13722 for back-level media server and clients. The services use PBX connections.

You can verify that the processes are listening with the following commands:

Authentication:

UNIX

netstat -an | grep 13783

Windows

netstat -a -n | find "13783"

Authorization:

UNIX

netstat -an | grep 13722

Windows

netstat -a -n | find "13722"

Stopping NetBackup Authentication and Authorization daemons for Shared Services

When the NetBackup Authentication and Authorization services are stopped, stop authorization first, then stop authentication.

UNIX -Use the following commands.

To stop authorization use the term signal as shown in the example:

   # ps -fed |grep nbazd
     root 17018     1 4 08:47:35 ?     0:01 ./nbazd
     root 17019 16011 0 08:47:39 pts/2 0:00 grep nbazd
    # kill 17018

To stop authentication use the term signal as shown in the example:

   # ps -fed |grep nbatd
     root 16018     1 4 08:47:35 ?     0:01 ./nbatd
     root 16019 16011 0 08:47:39 pts/2 0:00 grep nbatd
    # kill 16018

Windows

Use the Services utility that Windows provides, since these services do not appear in the NetBackup Activity Monitor.

If you lock yourself out of NetBackup

You can lock yourself out of the NetBackup Administration Console if access control is incorrectly configured.

If this lockout occurs, use vi to read the bp.conf entries (UNIX) or regedit (Windows) to view the Windows registry in the following location:

HKEY_LOCAL_MACHINE\SOFTWARE\Veritas\NetBackup\
CurrentVersion\config

You can look to see if the following entries are set correctly: AUTHORIZATION_SERVICE, AUTHENTICATION_DOMAIN, and USE_VXSS.

The administrator may not want to use NetBackup Access Control or does not have the authorization libraries installed. Make certain that the USE_VXSS entry is set to Prohibited, or is deleted entirely.

Backups of storage units on media servers might not work in an NBAC environment

The host name of a system in NetBackup domain (master server, media server, or client) and host name that is specified in the bp.conf file should be the same.

Using the nbac_cron utility

Use the nbac_cron.exe utility to create identities under which to run cron or at jobs.

For more information about the nbac_cron utility:

See About the nbac_cron utility.

nbac_cron.exe is found in the following location:

UNIX -/opt/openv/netbackup/bin/goodies/nbac_cron

Windows -Install_path\Veritas\netbackup\bin\goodies\nbac_cron.exe

For detailed information about using the nbac_cron utility:

See Using the nbac_cron utility.

Enabling NBAC after a recovery on Windows

Use the following procedure to manually enable NBAC after a recovery on Windows.

  • Add AUTHENTICATION_DOMAIN, AUTHORIZATION_SERVICE, and USE_VXSS entries in Registry.

  • Change the service type of NetBackup Authentication and Authorization services to AUTOMATIC.

  • Restart the NetBackup services.

  • Verify that the nbatd and nbazd services are running.

Note:

On a cluster run the bpclusterutil -enableSvc nbatd and bpclusterutil -enable nbazd commands.

In cluster installations the setupmaster might fail

A known issue exists in the case of cluster installations, where the configuration file is on a shared disk, the setupmaster might fail.

Known issue on a cluster if shared security services (vxatd or vxazd) are clustered along with the master server

A known issue exists on a cluster if shared security services (vxatd or vxazd) are clustered along with the master server. When executing the bpnbaz -SetupMaster command and setting up security (NBAC), freeze the shared security services service groups persistently where applicable or offline the services (but make sure their shared disk is online), and run the setupmaster command.

Known issue in a clustered master server upgrade with NBAC, that all the AUTHENTICATION_DOMAIN entries in thebp.conf file are updated with the master server virtual name as the authentication broker

A known issue exists where in a clustered master server upgrade with NBAC, all the AUTHENTICATION_DOMAIN entries in thebp.conf file are updated with the master server virtual name as the authentication broker. If any domain entry is present that refers to a different authentication broker other than the master server (and the master server does not service that domain), that entry needs to be manually removed from the bp.conf file.

Known issue on Windows 2003 dual stack computers

A known issue exists on Windows 2003 dual stack computers. You need Microsoft patch kb/928646 from http://support.microsoft.com/.

Known issue relating to access control failures and short and long host names

A known issue exists that includes failures with respect to access control. Determine if the short and long host names are properly resolvable and are resolving to the same IP address.

Known issue in a cluster upgrade with NBAC when the broker profile has ClusterName set to the virtual name of AT

A known issue exists in a cluster upgrade with NBAC when the broker profile has ClusterName set to the virtual name of AT. This is migrated as-is to the embedded broker. The embedded broker has UseClusterNameAsBrokerName set to 1 in its profile. When a request is sent for broker domain maps, it uses the virtual name of the shared AT as the broker name. The bpnbaz -GetDomainInfosFromAuthBroker returns none. In upgrades, the bp.conf file is updated to have the NetBackup virtual name.

Known issue of multiple instances of bpcd causing a possible error

A known issue exists where the bpnbaz -SetupMedia command, bprd uses the AT_LOGINMACHINE_RQST protocol to talk with bpcd on the destination box. A new instance of bpcd is spawned. After the command completes it tries to free a char array as a regular pointer possibly causing bpcd to core dump on the client side. Functionality should not be lost as this bpcd instance is only created temporarily and exits normally. The parent bpcd is unaffected.

Known issue with clusters using shared AT with configuration files on the shared drive

A known issue exists with clusters that use a shared AT with configuration files on the shared drive. Unhooking shared services only works on the node where this shared drive is accessible. Unhook fails on the remaining nodes. The implication of this is that while doing a bpnbaz -SetupMaster to manage remote broker parts fail. You will have to manually configure passive nodes. Run bpnbaz -SetupMedia for each passive node.

Known issue relating to database utilities supporting NBAZDB

A known issue exists in which some database utilities support NBAZDB and other database utilities do not.

The following database utilities support NBAZDB: nbdb_backup, nbdb_move, nbdb_ping, nbdb_restore, and nbdb_admin.

The following utilities do not support NBAZDB: nbdb_unload and dbadm.