Veritas NetBackup™ 53xx Appliance Initial Configuration Guide
Adding the partner node to the NetBackup 53xx high availability configuration
Once the partner node is configured, use this procedure to complete the HA setup as follows:
Add the partner node to the HA setup
You can add the partner node by using the NetBackup Appliance Web Console or the NetBackup Appliance Shell Menu.
Approve the host name mappings
Starting with release 3.1.2, to complete the HA setup you must approve all host name mappings in the NetBackup Administration Console on the associated primary server. If the mappings are not approved, the MSDP service will not be online after a switchover. The last step in each procedure describes how to approve the mappings.
Deploy the appropriate CA certificates to the partner node
NetBackup Appliance release 3.2 introduces support for external certificate authority certificates. This feature provides an alternative to using the NetBackup Certificate Authority for host verification and security. This procedure includes the necessary information to deploy these certificates. For more information about security certificates, see the chapter "External CA support in NetBackup" in the NetBackup Security and Encryption Guide.
Note:
External CA deployment on a partner node is only supported through the NetBackup Appliance Shell Menu.
Starting with release 4.0, you are required to change the default passwords for the admin, maintenance, and sysadmin (IPMI) user accounts. If the passwords for these user accounts have not been changed on the partner node before performing this procedure, prompts appear to guide you through the process.
Once the partner node is added, the network information of the partner node is automatically added to the additional server list on the primary server. The firmware on each node and the shared Primary Storage Shelf in the HA setup are attached with the same asset tag automatically.
Warning:
Do not change the time and date settings on the two nodes once the HA setup is complete.
Before adding the partner node to complete an appliance HA setup, you must first verify that all NetBackup processes are running on the primary server and on both HA nodes.
Primary server
If the primary server is an appliance, log in to the appliance shell menu and enter the following command:
Support > Processes > NetBackup Show
If the primary server is not an appliance, log in to the NetBackup command line and enter the following command:
/usr/openv/netbackup/bin/goodies/netbackup show
Media server nodes
On the compute node and the partner node that you want to add, log in to the appliance shell menu and enter the following command:
Support > Processes > NetBackup Show
If any processes are not running on the primary server or on the nodes, adding the partner node fails. To prevent this failure, you must first stop all NetBackup processes and then restart them as follows:
Stopping NetBackup processes
For a primary server appliance and both appliance nodes, enter the following command:
Support > Processes > NetBackup Stop
If the primary server is not an appliance, enter the following command:
/usr/openv/netbackup/bin/goodies/netbackup stop
To verify that all processes have stopped, enter the following command:
/usr/openv/netbackup/bin/bpps -x
If any processes are still running, with the exception of nbftsrvr/nbfdrv64, re-enter the stop command:
/usr/openv/netbackup/bin/goodies/netbackup stop
To stop the nbftsrvr/nbfdrv64 process, enter the following command:
/usr/openv/netbackup/bin/goodies/nbftserver stop
Note:
This process may not stop immediately. Make sure to wait until the command result shows that it has stopped.
Restarting NetBackup processes
For a primary server appliance and both appliance nodes, enter the following command:
Support > Processes > NetBackup Start
If the primary server is not an appliance, enter the following commands in the order in which they appear:
/usr/openv/netbackup/bin/goodies/netbackup start
/usr/openv/netbackup/bin/goodies/nbftserver start
Use one of the following procedures to add the partner node to the HA setup.
To add the partner node from the NetBackup Appliance Web Console
Note:
If you need to deploy an External CA certificate, you must add the partner node from the NetBackup Appliance Shell Menu as described in the procedure that follows this one.
- On the node that you used to set up the HA configuration, log on to the NetBackup Appliance Web Console as admin.
- On the Welcome to Veritas NetBackup Appliance Web Console page, click Manage > High Availability.
- On the High Availability page, the current status of the HA configuration is identified as incomplete. Click Add Partner.
- On the Add Partner Node dialog box, enter the configured hostname of the partner node and click Add.
- If the fingerprint values match, click Next.
- Enter the admin user password for the partner node and click Next. When the message Do you want to continue? appears, click Continue.
- If the partner node that you are adding still contains the default passwords for the admin, maintenance, and sysadmin (IPMI) user accounts, follow the prompts to change the passwords.
- If the Certificate Verification dialog box appears, enter the authorization or the reissue token and click Deploy Certificate.
- When a message shows that the process was successful, click Close.
- To complete the HA setup, approve the host name mappings on the associated primary server.
On the associated primary server, log in to the NetBackup Administration Console.
In the left pane, click Security Management to expand its properties, then click Host Management.
In the lower-left of the right pane, click Mappings for Approval.
At the top of the right pane, click on any host mapping that is pending approval. When the Approve Mappings dialog box appears that prompts for approval, click Yes. Repeat this task for each host mapping that is pending approval.
To add the partner node from the NetBackup Appliance Shell Menu
- On the node where you set up the HA configuration, log on to the NetBackup Appliance Shell Menu as admin.
- Go to Main > Manage > HighAvailability.
- Add the partner node to complete the HA configuration by entering the command:
AddNode hostname
Where hostname is the short host name or the fully qualified domain name (FQDN) of the partner node.
- When the following message appears, make sure that you have checked the SSH ECDSA fingerprint directly on the partner node:
Do the fingerprint values match? [yes, no] (no)
To ensure that the network is safe, you must confirm that the SSH ECDSA fingerprint of the partner node is correct. For instructions on how to check the identity of the appliance, refer to the NetBackup Appliance Command Reference Guide.
If the values match, enter yes.
- If the partner node that you are adding still contains the default passwords for the admin, maintenance, and sysadmin (IPMI) user accounts, follow the prompts to change the passwords.
- After the pre-check has passed, when either of the following messages appears, enter an authority token or a reissue token to trust the host ID-based certificate:
Authorization token is mandatory. Enter an authorization token. For more information about the authorization token, refer to the NetBackup Security and Encryption Guide.
Enter token:
or
Reissue token is mandatory. Enter the reissue token for the required host to obtain a host-ID based certificate. For more information about the reissue token, refer to the NetBackup Security and Encryption Guide.
Enter token:
For more information about security certificates, refer to the chapter "Security certificates in NetBackup" in the NetBackup Security and Encryption Guide.
- When the following message appears, enter yes to continue:
>> Do you want to continue? [yes, no] (no)
The appliance pings the primary server for the Certificate Authority (CA) status and shows the result. Each of the following bullet statements describes the possible status results. Follow the instructions that appear below the applicable status result to complete the certificate configuration.
The primary server <primary_server_name> currently uses an External CA-signed certificate. You are required to configure this appliance with a certificate issued by the same external CA. Do you want to import the External CA-signed certificate for this Media server now [yes,no](yes):
Press Enter to continue. The following message appears:
To configure the HA partner node, the External CA-signed certificate must include the vip hostname and FQDN DNS information in the Subject Alternative Name.
The following shares have been opened on the appliance for you to upload certificate files:
NFS share <media_server_name>:/inst/share
CIFS share \\<media_server_name>\general_share
Enter the following details for external certificate configuration:
Enter the certificate file path:
Enter the trust store file path:
Enter the private key path:
Enter the password for the passphrase file path or skip security configuration (default: NONE):
Enter the following details for CRL usage:
Should a CRL be honored for the external certificate?
1) Use the CRL defined in the certificate.
2) Use the specific CRL directory.
3) Do not use a CRL.
q) Skip security configuration.
CRL option: Enter 1, 2, 3, or q.
Verify the External CA details that you entered:
Certificate file name:
Trust store file name:
Private key file name:
CRL check level: (Shows the selected CRL option.)
Do you want to use the above certificate files? [yes, no](yes):
After verifying that the entered information is correct, press Enter to continue and answer the following prompt:
Is this correct? [yes, no](yes):
If all of the information is correct, press Enter to continue.
The appliance performs an ECA health check and shows the result of each validation check. When the health check has completed successfully, the following messages appear:
ECA health check was successful.
The external certificate has been registered successfully.
The primary server <primary_server_name> currently uses an external CA issued certificate and its own internal certificate. Would you like to proceed with the external CA issued certificate? [yes,no](yes):
If you select no, the following message appears:
This appliance will use a NetBackup issued certificate for secure communication.
If you select yes, the following message appears:
To configure the HA partner node, the External CA-signed certificate must include the vip hostname and FQDN DNS information in the Subject Alternative Name.
The following shares have been opened on the appliance for you to upload certificate files:
NFS share <media_server_name>:/inst/share
CIFS share \\<media_server_name>\general_share
Enter the following details for external certificate configuration:
Enter the certificate file path:
Enter the trust store file path:
Enter the private key path:
Enter the password for the passphrase file path or skip security configuration (default: NONE):
Enter the following details for CRL usage:
Should a CRL be honored for the external certificate?
1) Use the CRL defined in the certificate.
2) Use the specific CRL directory.
3) Do not use a CRL.
q) Skip security configuration.
CRL option: Enter 1, 2, 3, or q.
Verify the External CA details that you entered:
Certificate file name:
Trust store file name:
Private key file name:
CRL check level: (Shows the selected CRL option.)
Do you want to use the above certificate files? [yes, no](yes):
After verifying that the entered information is correct, press Enter to continue and answer the following prompt:
Is this correct? [yes, no](yes):
If all of the information is correct, press Enter to continue.
The appliance performs an ECA health check and shows the result of each validation check. When the health check has completed successfully, the following messages appear:
ECA health check was successful.
The external certificate has been registered successfully.
This appliance will use a NetBackup issued certificate for secure communication.
No further certificate configuration is required. Click Next to continue.
A message should appear that shows the process was successful.
- Approve the host name mappings as follows:
On the associated primary server, log in to the NetBackup Administration Console.
In the left pane, click Security Management to expand its properties, then click Host Management.
In the lower-left of the right pane, click Mappings for Approval.
At the top of the right pane, click on any host mapping that is pending approval. When the Approve Mappings dialog box appears that prompts for approval, click Yes. Repeat this task for each host mapping that is pending approval.
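The fingerprint comparison that both procedures require before you answer yes, as an added example that is not part of the Veritas documentation: it derives an SSH ECDSA host key fingerprint from a public key line and compares it against the value shown at the prompt. It assumes the prompt shows the fingerprint in OpenSSH's `SHA256:` format and that the partner node's public key line was read on the node itself; the sample key and host name are constructed.

```python
import base64
import hashlib
import struct

ECDSA_PREFIX = "ecdsa-sha2-"


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (4-byte length, then data)."""
    return struct.pack(">I", len(data)) + data


def build_sample_key_line() -> str:
    """Constructed ECDSA host key line; the point bytes are filler, not a real key."""
    point = b"\x04" + bytes(range(64))
    blob = ssh_string(b"ecdsa-sha2-nistp256") + ssh_string(b"nistp256") + ssh_string(point)
    b64 = base64.b64encode(blob).decode()
    return "ecdsa-sha2-nistp256 " + b64 + " partner-node.example.com"


def sha256_fingerprint(pubkey_line: str) -> str:
    """Return the OpenSSH-style SHA256 fingerprint of one ECDSA public key line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<key-type> <base64-blob> [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    # The blob repeats the key type; a mismatch means the line was altered or mangled.
    if blob[4:4 + name_len].decode("ascii", "replace") != key_type:
        raise ValueError("key type in blob does not match declared type")
    if not key_type.startswith(ECDSA_PREFIX):
        raise ValueError("not an ECDSA host key")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprints_match(displayed: str, pubkey_line: str) -> bool:
    """Compare the value shown at the prompt with the one derived from the key."""
    # Whole-string equality only: a matching prefix or suffix is not a match.
    return displayed.strip() == sha256_fingerprint(pubkey_line)


if __name__ == "__main__":
    line = build_sample_key_line()
    fp = sha256_fingerprint(line)
    print(fp)
    print(fingerprints_match(fp, line))
```
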