Veritas NetBackup™ Commands Reference Guide

Last Published:
Product(s): NetBackup (8.1)
  1. Introduction
    1.  
      About NetBackup commands
    2.  
      Navigating multiple menu levels
    3.  
      NetBackup command conventions
    4.  
      NetBackup Media Manager command notes
  2. Appendix A. NetBackup Commands
    1.  
      acsd
    2.  
      add_media_server_on_clients
    3.  
      backupdbtrace
    4.  
      backuptrace
    5.  
      bmrc
    6.  
      bmrconfig
    7.  
      bmrepadm
    8.  
      bmrprep
    9.  
      bmrs
    10.  
      bmrsrtadm
    11.  
      bp
    12.  
      bparchive
    13.  
      bpbackup
    14.  
      bpbackupdb
    15.  
      bpcatarc
    16.  
      bpcatlist
    17.  
      bpcatres
    18.  
      bpcatrm
    19.  
      bpcd
    20.  
      bpchangeprimary
    21.  
      bpclient
    22.  
      bpclimagelist
    23.  
      bpclntcmd
    24.  
      bpclusterutil
    25.  
      bpcompatd
    26.  
      bpconfig
    27.  
      bpdbjobs
    28.  
      bpdbm
    29.  
      bpdgclone
    30.  
      bpdown
    31.  
      bpduplicate
    32.  
      bperror
    33.  
      bpexpdate
    34.  
      bpfis
    35.  
      bpflist
    36.  
      bpgetconfig
    37.  
      bpgetdebuglog
    38.  
      bpimage
    39.  
      bpimagelist
    40.  
      bpimmedia
    41.  
      bpimport
    42.  
      bpinst
    43.  
      bpkeyfile
    44.  
      bpkeyutil
    45.  
      bplabel
    46.  
      bplist
    47.  
      bpmedia
    48.  
      bpmedialist
    49.  
      bpminlicense
    50.  
      bpnbat
    51.  
      bpnbaz
    52.  
      bppficorr
    53.  
      bpplcatdrinfo
    54.  
      bpplclients
    55.  
      bppldelete
    56.  
      bpplinclude
    57.  
      bpplinfo
    58.  
      bppllist
    59.  
      bpplsched
    60.  
      bpplschedrep
    61.  
      bppolicynew
    62.  
      bpps
    63.  
      bprd
    64.  
      bprecover
    65.  
      bprestore
    66.  
      bpretlevel
    67.  
      bpschedule
    68.  
      bpschedulerep
    69.  
      bpsetconfig
    70.  
      bpstsinfo
    71.  
      bpstuadd
    72.  
      bpstudel
    73.  
      bpstulist
    74.  
      bpsturep
    75.  
      bptestbpcd
    76.  
      bptestnetconn
    77.  
      bptpcinfo
    78.  
      bpup
    79.  
      bpverify
    80.  
      cat_convert
    81.  
      cat_export
    82.  
      cat_import
    83.  
      configurePorts
    84.  
      create_nbdb
    85.  
      csconfig cldinstance
    86.  
      csconfig cldprovider
    87.  
      csconfig meter
    88.  
      csconfig throttle
    89.  
      duplicatetrace
    90.  
      importtrace
    91.  
      jbpSA
    92.  
      jnbSA
    93.  
      ltid
    94.  
      manageClientCerts
    95.  
      mklogdir
    96.  
      nbauditreport
    97.  
      nbcatsync
    98.  
      NBCC
    99.  
      NBCCR
    100.  
      nbcertcmd
    101.  
      nbcertupdater
    102.  
      nbcldutil
    103.  
      nbcomponentupdate
    104.  
      nbcplogs
    105.  
      nbdb_admin
    106.  
      nbdb_backup
    107.  
      nbdb_move
    108.  
      nbdb_ping
    109.  
      nbdb_restore
    110.  
      nbdb_unload
    111.  
      nbdbms_start_server
    112.  
      nbdbms_start_stop
    113.  
      nbdc
    114.  
      nbdecommission
    115.  
      nbdelete
    116.  
      nbdeployutil
    117.  
      nbdevconfig
    118.  
      nbdevquery
    119.  
      nbdiscover
    120.  
      nbdna
    121.  
      nbemm
    122.  
      nbemmcmd
    123.  
      nbexecute
    124.  
      nbfindfile
    125.  
      nbfirescan
    126.  
      nbftadm
    127.  
      nbftconfig
    128.  
      nbgetconfig
    129.  
      nbhba
    130.  
      nbholdutil
    131.  
      nbhostidentity
    132.  
      nbhostmgmt
    133.  
      nbhypervtool
    134.  
      nbjm
    135.  
      nbkmsutil
    136.  
      nboraadm
    137.  
      nborair
    138.  
      nbpem
    139.  
      nbpemreq
    140.  
      nbperfchk
    141.  
      nbplupgrade
    142.  
      nbrb
    143.  
      nbrbutil
    144.  
      nbregopsc
    145.  
      nbreplicate
    146.  
      nbrestorevm
    147.  
      nbseccmd
    148.  
      nbsetconfig
    149.  
      nbsnapimport
    150.  
      nbsnapreplicate
    151.  
      nbsqladm
    152.  
      nbstl
    153.  
      nbstlutil
    154.  
      nbstop
    155.  
      nbsu
    156.  
      nbsvrgrp
    157.  
      resilient_clients
    158.  
      restoretrace
    159.  
      stopltid
    160.  
      tl4d
    161.  
      tl8d
    162.  
      tl8cd
    163.  
      tldd
    164.  
      tldcd
    165.  
      tlhd
    166.  
      tlhcd
    167.  
      tlmd
    168.  
      tpautoconf
    169.  
      tpclean
    170.  
      tpconfig
    171.  
      tpext
    172.  
      tpreq
    173.  
      tpunmount
    174.  
      verifytrace
    175.  
      vltadm
    176.  
      vltcontainers
    177.  
      vlteject
    178.  
      vltinject
    179.  
      vltoffsitemedia
    180.  
      vltopmenu
    181.  
      vltrun
    182.  
      vmadd
    183.  
      vmchange
    184.  
      vmcheckxxx
    185.  
      vmd
    186.  
      vmdelete
    187.  
      vmoprcmd
    188.  
      vmphyinv
    189.  
      vmpool
    190.  
      vmquery
    191.  
      vmrule
    192.  
      vmupdate
    193.  
      vnetd
    194.  
      vxlogcfg
    195.  
      vxlogmgr
    196.  
      vxlogview
    197.  
      W2KOption

Name

bpnbat — perform Authentication tasks from within NetBackup

SYNOPSIS

bpnbat [-AddDomain | -RemoveDomain] Private_Domain

bpnbat [-AddMachine]

bpnbat [-AddUser | -RemoveUser] Name Private_Domain

bpnbat -GetBrokerCert Broker_Name Broker_Port

bpnbat -Login [-Info answer_file] [-cf credential_file] [-LoginType AT|WEB]

bpnbat -LoginMachine

bpnbat -Logout [-LogoutType AT|WEB] [-cf credential_file]

bpnbat -RemoveBrokerCert host_name

bpnbat -RenewCred [-cf credential_file]

bpnbat -ShowBrokerCerts

bpnbat -ShowMachines

bpnbat -Version

bpnbat -WhoAmI [-cf credential_file] [-Verify]

On UNIX systems, the directory path to this command is /usr/openv/netbackup/bin/

On Windows systems, the directory path to this command is install_path\NetBackup\bin\

DESCRIPTION

The bpnbat command is a tool that enables a user to use the Veritas Product Authentication and Authorization Service.

This service contains the following two distinct parts:

  • Authentication - prove who you are

  • Authorization - check what you can do

bpnbat enables a user to do authentication tasks from within NetBackup.

If a command needs a password, it doesn't echo the password or asterisks, which someone can use to narrow the password search space significantly.

NetBackup Access Control requires the user's home directories to work correctly.

You must have administrator privileges to run the following command options: -AddDomain, -RemoveDomain, -AddMachine, -AddUser, -RemoveUser, -LoginMachine, and -ShowMachines.

OPTIONS

[-AddDomain | -RemoveDomain] Private_Domain

These options enable an administrator that runs locally on an Authentication server to add or remove domains within the private Veritas Domain Database. These domains are not accessible from within any operating system. They are meaningful only within Veritas Product Authentication and Authorization Service. Use them where a centralized naming authority (such as a PDC/AD or NIS domain) is not available.

-AddMachine

Registers a computer in a private Veritas Product Authentication. The identity is placed in the private domain NBU_Machines@at.server.name. Run this option on your authentication broker (root +ab).

[-AddUser | -RemoveUser] Private_Domain

Enables an administrator that runs locally on an Authentication server to add or remove users from domains in the private Veritas Domain Database. These accounts are meaningful only within Veritas Product Authentication and Authorization Service. Use them when a centralized naming authority (such as PDC/AD or NIS domain) is not available.

-GetBrokerCert

Obtains a broker certificate without authenticating to a broker.

-Login [-Info answer_file] [-cf credential_file] [-LoginType AT|WEB]

Identifies yourself to the system. When you run this command with no options, you are prompted to enter a name, password, domain, authentication type, and a server to authenticate. The combination of a name, password, domain, and domain type creates a unique identity within an Enterprise-wide network. The first time a broker is contacted, you are asked if you want to trust that broker and authenticate them. You cannot use an untrusted broker.

Note:

You must use the bpnbat -login command to perform certain authorization token and host ID-based certificate-related operations. You must have NetBackup administrator privileges to do a web logon.

The -Info option accepts the name, password, and domain information from an answer file. The password is optional in the answer file. You can also place the certificate in a credential file (if specified) or the default location. If you do not provide a password, you are prompted for the password when you run the command.

Warning:

Saving the user name and password in a plain text file is a potential security issue. Unauthorized users with read access to the text file can obtain the user name and password for the Veritas Product Authentication and Authorization Service to manually authenticate with the bpnbat command. Make certain that you secure access to the answer text file.

The answer file is a text file with entries for the required information. The answer file must contain the four lines that are shown in the order shown:

domain type
domain
user name
password

A sample answer file is:

NT
Sample_Domain
administrator
s@Mpl3

As previously explained, password is an optional value. The domain type value must be one of the values shown:

  • NIS

  • NIS+

  • NT

  • vx

  • unixpwd

If you use an answer file, ensure that the appropriate AUTHENTICATION_DOMAIN is configured on the server. See the NetBackup Security and Encryption Guide.

The NetBackup Web Management Console Service (nbwmc) always runs on the NetBackup master server. The Authentication Broker normally runs on the NetBackup master server as well. But in certain instances, it can run on a host other than the master server. More information is available.

http://www.veritas.com/docs/000041888

If the -LoginType is AT, only a NetBackup AT broker logon for the master server is performed. If the -LoginType is WEB, only a NetBackup web application logon for the Authentication Broker is performed. If the -LoginType is not specified, both the AT and the WEB logons are performed if the Authentication Broker is on the master server. If the -LoginType is not specified and the Authentication Broker is not on the master server: the WEB logon succeeds and the AT logon fails. The AT logon fails with a security services status code 96. The - cf option is not applicable if the -LoginType is WEB.

-LoginMachine

Identifies a computer that uses an account within the Veritas Security Subsystem private domain NBU_Machines@at.server.name. Run this option on your NetBackup Media, Master, and Clients. This option is similar to when you log on as a user to an authentication broker.

-Logout [-cf credential_file] [-LogoutType AT|WEB]

Invalidates the current user credentials that require the user to log on again to continue. Without the -cf option, the credential that is stored at the default location is expired. The -cf option points to the actual credential file, which allows a user to explicitly specify the credential to be expired.

If the -LogoutType is AT, only a NetBackup AT broker logout is performed. If the -LogoutType is WEB, it is a NetBackup web application logout. If the -LogoutType is not specified, both the AT and the web logout are performed. The - cf option is applicable only for the AT logout.

-RemoveBrokerCert server.name.com

Removes a trust of a specified authentication broker for all users except the root user (administrator). You can use this command to remove a broker when you no longer trust it. For example, an authentication broker is moved to a different corporate division.

-RenewCred [-cf credential_file]

Renews the current user credentials from the VxSS store or the credential file that is specified with the -cf option.

-ShowBrokerCerts

Lists all of the brokers that the user currently trusts. NetBackup trusts any broker that is listed to handle the authentication requests that are sent to it.

-ShowMachines

Lists all computers that have been added to the computers domain of a private Veritas Security Subsystem database by using the -AddMachines option. It also shows if DNS fully resolved the computer name. Run this option on your authentication broker (root +ab).

-Version

Retrieves the version of the executable.

-WhoAmI [-cf credential_file] [-Verify]

Specifies the identity you currently use within Veritas Product Authentication and Authorization Service. It lists the following:

  • Name

  • Domain

  • Authentication broker who issued the credential

  • The time a certificate expires

  • The domain type that was used when the credential was created

EXAMPLES

Example 1 - The user uses -Login and the default port number to connect to the authentication broker that is called test.domain.veritas.com. (It is the server that handles the Authentication process.) An NIS account is used. Therefore, a domain name that is associated with the NIS account is provided in addition to a user and password.

# bpnbat -Login
Authentication Broker: test.domain.veritas.com
Authentication port[ Enter = default]:
Authentication type (NIS, NISPLUS, WINDOWS, vx, unixpwd): NIS
Domain: domain.veritas.com
Name: username
Password: 
You do not currently trust the server: test.domain.veritas.com, do 
you wish to trust it? (y/n): y
Operation completed successfully.

Example 2 - The -WhoAmI option verifies the identity that you currently use within the Veritas Product Authentication and Authorization Service.

# bpnbat -WhoAmI
Name: user name
Domain: domain.veritas.com
Issued by: /CN=broker/OU=root@eek.example.com/O=vx
Expiry Date: Oct 27 20:57:43 2009 GMT
Authentication method: NIS
Operation completed successfully.

Example 3 - Add a computer to the computer identities list:

# bpnbat -AddMachine
Machine Name: auto.domain.veritas.com
Password: 
Operation completed successfully.

Next, it shows the computer identities list:

# bpnbat -ShowMachines
auto.domain.veritas.com
Operation completed successfully

Then it logs on a computer to a specified authentication broker:

# bpnbat -LoginMachine
Does this machine use Dynamic Host Configuration Protocol (DHCP)? 
(y/n) n
Authentication Broker: test.domain.veritas.com
Authentication port[ Enter = default]: 
Name: auto.domain.veritas.com
Password: 
Operation completed successfully.

Finally, you log into a computer to a specified authentication broker and a problem occurs:

If the user has a multi-NIC configuration or types the broker name incorrectly, a second prompt appears. It gives the user a second chance to enter the proper broker name. The following example assumes sleemanNB is a private NIC name. The public NIC name that Veritas Product Authentication and Authorization Service uses to build the authentication domain is sleeman.example.com. If a failure occurs with -loginmachine, the user has a second chance to enter an explicit primary host name for the authentication broker. (Failures include a bad computer name, wrong password, or incorrect broker name.) Refer to the following example:

# bpnbat -LoginMachine
Does this machine use Dynamic Host Configuration Protocol (DHCP)? 
(y/n) n
Authentication Broker: sleemanNB
Authentication port[ Enter = default]: 
Machine Name: challenger
Password: 
Primary host name of broker: sleeman.example.com
Operation completed successfully.

Example 4 - Obtain a broker certificate without authenticating to a broker. It expects a broker (test.domain.veritas.com) and a port (0 for default)

# bpnbat -GetBrokerCert test.domain.veritas.com 0
Operation completed successfully.

Example 5 - Lists all the brokers that the user currently trusts

# bpnbat -ShowBrokerCerts
Name: root
Domain: root@test.domain.veritas.com
Issued by: /CN=root/OU=root@test.domain.veritas.com/O=vx
Expiry Date: Jun 12 20:45:19 2006 GMT
Authentication method: Veritas Private Security

Name: root
Domain: root@auto.domain.veritas.com
Issued by: /CN=root/OU=root@auto.domain.veritas.com/O=vx
Expiry Date: Feb 17 19:05:39 2006 GMT
Authentication method: Veritas Private Security
Operation completed successfully.

Example 6 - The -RemoveBrokerCert option removes a broker when the user no longer wants to trust it. In the following example, an authentication broker is moved to a different corporate division.

# bpnbat -RemoveBrokerCert test.domain.veritas.com
Operation completed successfully.

The user can now use the -ShowBrokerCerts option to display current certificates. The previously removed certificate is no longer displayed.

Example 7 - Show how to use an answer file to supply logon information for automated commands (cron, etc.).

For UNIX: The UNIX NIS domain name is location.example.com, the user name in this domain is bgrable, and the password is hello456. The corresponding answer file for bpnbat -login must contain the following four lines:

NIS
location.example.com 
bgrable
hello456

If the answer file is located in /docs and is called login.txt, the bpnbat command executes as follows:

# bpnbat -login -info /docs/vslogin.txt

After the bpnbat -login command is run, commands like bpbackup can be run without authentication errors.

For Windows: The windows domain name is corporate, the user name in this domain is jsmith, and the user password is hello123. The corresponding answer file for bpnbat -login has to contain the following four lines:

NT
corporate 
jsmith
hello123

If the answer file is located in /docs and is called login.txt, the bpnbat command executes as follows:

# bpnbat -login -info c:\docs\vslogin.txt

After the bpnbat -login command is run, commands like bpbackup can be run without authentication errors.

Example 8 - How to use the bpnbat -login command with the -LoginType parameter.

# bpnbat -login -LoginType AT
Authentication Broker: server.domain.com
Authentication port [0 is default]: 0
Authentication type (NIS, NISPLUS, WINDOWS, vx, unixpwd, ldap): unixpwd
Domain:  server.domain.com
Login Name: root
Password:
Operation completed successfully.
# bpnbat -login -LoginType WEB
Authentication Broker: server.domain.com
Authentication port [0 is default]: 0
Authentication type (NIS, NISPLUS, WINDOWS, vx, unixpwd, ldap): unixpwd
Domain:  server.domain.com
Login Name: root
Password:
Operation completed successfully.

SEE ALSO

See bpnbaz.

See nbcertcmd.