The information contained in this publication is subject to change without notice. VERITAS Software
Corporation makes no warranty of any kind with regard to this manual, including, but not limited to,
the implied warranties of merchantability and fitness for a particular purpose. VERITAS Software
Corporation shall not be liable for errors contained herein or for incidental or consequential damages
in connection with the furnishing, performance, or use of this manual.
Portions of this software are derived from the RSA Data Security, Inc. MD5 Message-Digest
Algorithm. Copyright 1991-92, RSA Data Security, Inc. Created 1991. All rights reserved.
VERITAS Software Corporation
350 Ellis Street
Mountain View, CA 94043
USA
Phone 650-527-8000
Fax 650-527-2908
www.veritas.com
Third-Party Copyrights
For a list of third-party copyrights, see the NetBackup Release Notes appendix.
ii NetBackup System Administrator’s Guide for UNIX and Linux, Volume II
Preface
This guide describes how to configure and manage the operation of VERITAS
NetBackup™ Server and VERITAS NetBackup Enterprise Server for UNIX and Linux
platforms. See the NetBackup Release Notes for a list of the hardware and operating system
levels that NetBackup supports.
To determine the version and release date of the installed software, see the version file
located in /usr/openv/netbackup.
Getting Help
You can find answers to questions and get help from the NetBackup documentation and
from the VERITAS technical support web site.
Finding NetBackup Documentation
A list of the entire NetBackup documentation set appears as an appendix in the NetBackup
Release Notes. All NetBackup documents are included in PDF format on the NetBackup
Documentation CD.
For definitions of NetBackup terms, consult the online glossary.
▼ To access the NetBackup online glossary
1. In the NetBackup Administration Console, click Help > Help Topics.
2. Click the Contents tab.
3. Click Glossary of NetBackup Terms.
Use the scroll function to navigate through the glossary.
Accessing the VERITAS Technical Support Web Site
The address for the VERITAS Technical Support Web site is http://support.veritas.com.
The VERITAS Support Web site lets you do any of the following:
◆ Obtain updated information about NetBackup, including system requirements,
supported platforms, and supported peripherals
◆ Contact the VERITAS Technical Support staff and post questions to them
◆ Get the latest patches, upgrades, and utilities
◆ View the NetBackup Frequently Asked Questions (FAQ) page
◆ Search the knowledge base for answers to technical support questions
◆ Receive automatic notice of product updates
◆ Find out about NetBackup training
◆ Read current white papers related to NetBackup
From http://support.veritas.com, you can complete various tasks to obtain specific types
of support for NetBackup:
1. Subscribe to the VERITAS Email notification service to be informed of software alerts,
newly published documentation, Beta programs, and other services.
a. From the main http://support.veritas.com page, select a product family and a
product.
b. Under Support Resources, click Email Notifications.
Your customer profile ensures you receive the latest VERITAS technical
information pertaining to your specific interests.
2. Locate the telephone support directory at http://support.veritas.com by clicking the
Phone Support icon. A page appears that contains VERITAS support numbers from
around the world.
Note Telephone support for NetBackup is only available with a valid support
contract. To contact VERITAS for technical support, dial the appropriate phone
number listed on the Technical Support Guide included in the product box and
have your product license information ready for quick navigation to the proper
support group.
3. Contact technical support using e-mail.
a. From the main http://support.veritas.com page, click the E-mail Support icon.
A wizard guides you to do the following:
◆ Select a language of your preference
◆ Select a product and a platform
◆ Provide additional contact and product information, and your message
◆ Associate your message with an existing technical support case
b. After providing the required information, click Send Message.
Contacting VERITAS Licensing
For license information, you can contact us as follows:
◆ Call 1-800-634-4747 and select option 3
◆ Fax questions to 1-650-527-0952
◆ In the Americas, send e-mail to amercustomercare@veritas.com.
In the Asia and Pacific areas, send email to apaccustomercare@veritas.com.
In all other areas, send email to internationallicense@veritas.com.
Accessibility Features
NetBackup contains features that make the user interface easier to use by people who are
visually impaired and by people who have limited dexterity. Accessibility features
include:
◆ Support for assistive technologies such as screen readers and voice input (Windows
servers only)
◆ Support for keyboard (mouseless) navigation using accelerator keys and mnemonic
keys
For more information, see the NetBackup Installation Guide.
Comment on the Documentation
Let us know what you like and dislike about the documentation. Were you able to find the
information you needed quickly? Was the information clearly presented? You can report
errors and omissions or tell us what you would find useful in future versions of our
manuals and online help.
Please include the following information with your comment:
◆ The title and product version of the manual on which you are commenting
◆ The topic (if relevant) on which you are commenting
◆ Your comment
◆ Your name
Email your comment to NBDocs@veritas.com.
Please only use this address to comment on product documentation. See “Getting Help”
in this preface for information on how to contact Technical Support about our software.
We appreciate your feedback.
Access Management
Access to NetBackup can be controlled by defining user groups and granting explicit
permissions to these groups. Configuring user groups and assigning permissions is done
using Access Management in the NetBackup Administration Console.
This chapter discusses how to set up and manage access to NetBackup. It contains the
following sections:
◆ “NetBackup Access Management Components” on page 2
◆ “Installation Overview” on page 5
◆ “Installing and Configuring Access Control for Master Servers” on page 8
◆ “Installing and Configuring Access Control for Media Servers” on page 12
◆ “Installing and Configuring Access Control for Clients” on page 15
◆ “Installing the Authentication Service Root Broker (Root + AB)” on page 18
◆ “Installing the Authorization Server” on page 21
◆ “Configuring Access Control Host Properties” on page 23
◆ “Access Management Troubleshooting Guidelines” on page 28
◆ “Using the Access Management Utility” on page 54
◆ “Determining Who Can Access NetBackup” on page 56
Note Access Management and Enhanced Authorization and Authentication (see Chapter 2) are
independent methods of Access Control. Access Management is the newest and will
be the preferred method in future NetBackup releases. If both Access Management
and Enhanced Authorization and Authentication are configured, Access
Management takes precedence.
Note If some media servers are not configured with access control,
non-root/non-administrator users will not be able to manage those servers.
NetBackup Access Management Components
NetBackup uses the VERITAS Security Services (VxSS) to help implement core security.
VxSS is a set of shared VERITAS infrastructure services, installed from one of the
infrastructure common services CDs containing VxSS for your platform. The CDs are
packaged as part of NetBackup.
Note NetBackup Access Management relies on the use of home directories. Please see the
documentation for your operating system for more information on home
directories.
Note In order for members of the NBU_Operator user group to continue viewing media
and device information, run the following command:
bpnbaz -UpGrade60
Running this command brings the NetBackup 5.x permissions for the
NBU_Operator user group up to the expected configuration for 6.0.
VxSS Components
When you install VxSS, you’re installing and configuring the following services and client
software:
◆ Authentication (At Server, At Client)
Authentication is the process of proving your identity to the VxSS system.
Authentication is accomplished by communicating with the daemon which, in turn,
validates your identity with the operating system.
For more information on authentication or the authentication daemon (vxatd), see
the VERITAS Security Services Administrator’s Guide found on one of the infrastructure
common services CDs containing VxSS for your platform.
◆ Authorization (Az Server, Az Client)
Authorization is the process of verifying that an identity has permission to perform
the desired action. NetBackup verifies permissions with the authorization daemon for
most actions. In many cases, NetBackup alters what information is accessible from the
command line and Administration Console.
For more information on authorization or the authorization daemon (vxazd), see the
VERITAS Security Services Administrator’s Guide found on one of the infrastructure
common services CDs containing VxSS for your platform.
Root Broker
A Root Broker is a NetBackup server that has VxSS Authentication Server installed and is
configured to be a Root Broker. There is always one Root Broker in every NetBackup
Access Management configuration.
The Root Broker acts as the most trusted certificate authority, implementing a registration
authority for Authentication Brokers, as well as itself.
While a Root Broker can authenticate an Authentication Broker, an Authentication Broker
cannot authenticate a Root Broker.
In many cases, the Root Broker will also be an Authentication Broker. This chapter
describes installing VxSS services, then it describes configuring the NetBackup server to
be a Root Broker and an Authentication Broker (Root Broker + AB). For more information
on the authentication Root Broker, see the VERITAS Security Services Administrator’s Guide
found on one of the infrastructure common services CDs containing VxSS for your
platform.
Authentication Brokers
An Authentication Broker is a server that has VxSS Authentication Server installed. This
machine is part of the Root Broker’s private Access Management domain. An
Authentication Broker can authenticate clients, but not other brokers.
The member of the NetBackup Security Administrator user group can choose which
Authentication Broker a client should contact for authentication. (See “Example
Configuration Containing Windows Systems Only” on page 29 or “Example
Configuration Containing UNIX Systems Only” on page 35 for a depiction of this
configuration.)
For example:
◆ A Windows 2000 client uses a Windows Authentication Broker for authentication.
◆ A UNIX client uses a UNIX Authentication Broker for authentication.
For more information on authentication brokers, see the VERITAS Security Services
Administrator’s Guide found on one of the infrastructure common services CDs containing
VxSS for your platform.
Security Administrator
The user who installs and configures VxSS software for use with NetBackup Access
Management is, by default, a member of the NBU_Security Admin user group. This
chapter will refer to a member of the NBU_Security Admin group as a Security
Administrator. Users can be added to the group, but there are usually few members.
Members of the NBU_Security Admin user group are the only users who can view the
contents of Access Management > Users and Access Management > NBU User Groups
in the NetBackup Administration Console. Security Administrators are the only users
allowed to create user groups, assign users to the groups, and define permissions for the
groups. However, Security Administrators, by default, do not have permission to perform
any other NetBackup administration activities. (See “Security Administrator
(NBU_Security Admin)” on page 58.)
Installation Overview
For a detailed installation description, see “Installing and Configuring Access Control
for Master Servers” on page 8.
Order for Installation
1. Complete all NetBackup master server installations:
a. Complete Root + AB installation of VxSS Authentication server.
b. Complete VxSS Authorization server installation.
c. Configure master servers for NetBackup Access Control. See “Installing and
Configuring Access Control for Master Servers” on page 8.
2. Complete all NetBackup media server installations, then configure media servers for
NetBackup Access Control. See “Installing and Configuring Access Control
for Media Servers” on page 12.
3. Complete all NetBackup client installations, then configure clients for NetBackup
Access Control. See “Installing and Configuring Access Control for Clients” on
page 15.
Order for Upgrade
Use the following order for upgrading any NetBackup machine that uses NetBackup
Access Control.
1. Stop NetBackup.
2. Upgrade VxSS.
3. Configure Access Control on the NetBackup machines. See:
◆ “Installing and Configuring Access Control for Master Servers” on page 8.
◆ “Installing and Configuring Access Control for Media Servers” on page 12.
◆ “Installing and Configuring Access Control for Clients” on page 15.
Including VxSS Databases in the NetBackup Catalog Backup
In NetBackup environments which use the online, hot catalog backup method, no
additional configuration is needed in order to include the VxSS Authorization and
Authentication databases in the catalog backup.
In environments which use the offline, cold catalog backup method, one additional step is
required: within the NetBackup Catalog Wizard or on the Files tab of the offline catalog
configuration dialog, add the following directives for each host in the NBAC domain:
[host:]nbat
[host:]nbaz
Note If the master server using NBAC is a UNIX machine, VERITAS recommends that you do
not include the NetBackup master server configuration file
(/usr/openv/netbackup/bp.conf) in the offline catalog backup file list. If bp.conf is
included in the list, it must not be recovered until all other catalog recovery is
completed.
VxSS Component Distribution
The VxSS components can be distributed throughout a configuration, just as NetBackup
can distribute master servers, media servers and clients.
Note Although the Authentication broker and Authorization broker can technically be
placed on any machine, VERITAS currently recommends that the root
Authentication broker and Authorization broker be placed on the NetBackup
master server. At a minimum, the root Authentication broker must reside on the
master server.
For specific VxSS installation information, refer to the VERITAS Security Services Installation Guide, found on the VxSS installation CD.
Host type                                      Authentication   Authorization
Windows Remote Administration Console (only)   At client        Az client
Java Windows Display Console (only)*           At client        None
Java Display Console                           At client        None
*The At client is required for all Java consoles. Concerning the Java Windows Display Console, the
At client must be installed on the Windows host before installing the Java Windows Display
Console. This ensures that the Windows Display Console is configured correctly to use the VxSS
component successfully.
Note While it is possible to share the Enterprise Media Manager server between multiple
master servers, this configuration is not supported when using Access Control. The
EMM server must be bound to one master server.
The following sections describe some actions you can take to verify that the components
are correctly installed in a mixed environment:
◆ “Windows Verification Points” on page 28
◆ “UNIX Verification Points” on page 35
◆ “Verification Points in a Mixed Environment with a UNIX Master Server” on page 41
◆ “Verification Points in a Mixed Environment with a Windows Master Server” on
page 46
Installing and Configuring Access Control for Master Servers
The following steps describe configuring NetBackup Access Control for the master server
in a NetBackup configuration. A master server requires Authentication Server and Client
software and Authorization Server and Client software.
Throughout this chapter, in the configuration examples we’ll refer to the following host
names:
                  Windows       UNIX
Master Servers    win_master    unix_master
Media Servers     win_media     unix_media
Clients           win_client    unix_client
1. If this is an upgrade installation, stop NetBackup.
2. Using one of the infrastructure common services CDs containing VxSS for your
platform, install both the VxSS Authentication Server and Client software on the
master server. This master server will be a Root + AB (Authentication Broker).
See “Installing the Authentication Service Root Broker (Root + AB)” on page 18 and
the VERITAS Security Services Installation Guide on the VxSS installation CD.
3. Using one of the infrastructure common services CDs containing VxSS for your
platform, install the VxSS Authorization Server and Client software on the master
server. To do this, you must perform a custom installation.
See “Installing the Authorization Server” on page 21 and the VERITAS Security Services Installation Guide on one of the infrastructure common services CDs
containing VxSS for your platform.
4. Complete all NetBackup master server installations or upgrades.
5. Create a machine account for the master server. Make sure that the Authentication
and the Authorization services are running. See “UNIX Verification Points” on
page 35 or “Windows Verification Points” on page 28.
The command in this step must be run as either root (UNIX) or as a member of the
local Administrator group (Windows) on the Root+AB Authentication broker. For
more information about this step, see “Configuring Authentication on the Root Broker
for Use with NetBackup” on page 19.
To add the master server locally to the private domain, run the following command
on the master server:
bpnbat is located in directory /usr/openv/netbackup/bin/
bpnbat -addmachine
Does this machine use Dynamic Host Configuration Protocol (DHCP)? (y/n) n
Authentication Broker: win_master
Authentication port[ Enter = default]:
Machine Name: win_master
Password: *******
Password: *******
Operation completed successfully.
Note The default Authentication port is 2821.
6. Log in to the machine account for the master server.
To create a credential for the master server, run the following command on the master
server:
bpnbat -LoginMachine
Does this machine use Dynamic Host Configuration Protocol (DHCP)? (y/n) n
Authentication Broker: win_master
Authentication port[ Enter = default]:
Machine Name: win_master
Password: *******
Operation completed successfully.
Note Repeat this step for each alias used by NetBackup.
For more information about this step, see “Configuring Authentication on the Root
Broker for Use with NetBackup” on page 19.
7. Create the first Security Administrator (bootstrapping security).
bpnbaz is located in directory /usr/openv/netbackup/bin/admincmd
bpnbaz -setupsecurity win_master
Please enter the login information for the first Security
Administrator other than root/Administrator. This identity
will be added to the security administrators group
(NBU_Security Admin), and to the netbackup administrators
group (NBU_Admin). It will also be used to build the initial
security information.
Authentication Broker: win_master
Authentication port[ Enter = default]:
Authentication type (NIS, NIS+, WINDOWS, vx, unixpwd): WINDOWS
Domain: domain1
Login Name: admin1
Password: ******
Processing - please be patient
Operation completed successfully.
For more information about this step, see “Configuring the Authorization Server” on
page 21.
8. Add the master server as a host that is authorized to perform Authorization checks.
bpnbaz -AllowAuthorization win_master
Operation completed successfully.
For more information about this step, see “Configuring the Authorization Server” on
page 21.
9. Configure the Access Control host properties of the master server.
◆ Set VERITAS Security Services to Automatic or Required. (If some clients or
media servers will not use NetBackup Access Control, set to Automatic.)
◆ On the Authentication Domain tab, add authentication domain(s) and the host
that will act as the broker for the domain (domain1).
The broker is a machine using an operating system supporting the domain type
and the specific domain that has the VxSS Authentication service installed on it.
◆ On the Authorization Service tab, specify the master server on which you installed
the VxSS Authorization service (win_master).
For more information about this step, see “Configuring Access Control Host
Properties” on page 23.
10. After changing the host properties, recycle the server daemons for the changes to take
effect.
Installing and Configuring Access Control for Media Servers
The following steps describe configuring NetBackup Access Control for a media server in
a NetBackup configuration. A media server requires Authentication Client software and
Authorization Client software.
1. If this is an upgrade installation, stop NetBackup.
2. Using one of the infrastructure common services CDs containing VxSS for your
platform, install Authentication Client software on the system.
3. Using one of the infrastructure common services CDs containing VxSS for your
platform, install the Authorization Client software on the media server.
4. Complete all NetBackup media server installations or upgrades.
5. On the master server, create a machine account for the media server. Make sure that
the Authentication and the Authorization services are running. See “UNIX
Verification Points” on page 35 or “Windows Verification Points” on page 28.
The command in this step must be run as either root (UNIX) or as a member of the
local Administrator group (Windows) on the Root+AB Authentication broker.
To add the media server locally to the private domain, run the following command on
the master server:
bpnbat is located in directory /usr/openv/netbackup/bin
bpnbat -addmachine
Does this machine use Dynamic Host Configuration Protocol (DHCP)? (y/n) n
Authentication Broker: win_master
Authentication port[ Enter = default]:
Machine Name: win_media
Password: *******
Password: *******
Operation completed successfully.
For more information about this step, see “Configuring Authentication on the Root
Broker for Use with NetBackup” on page 19.
6. Log in to the machine account for the media server.
To create a credential for the media server, run the following command on the media
server:
bpnbat -LoginMachine
Does this machine use Dynamic Host Configuration Protocol (DHCP)? (y/n) n
Authentication Broker: win_master
Authentication port[ Enter = default]:
Machine Name: win_media
Password: *******
Operation completed successfully.
Note Repeat this step for each alias used by NetBackup.
For more information about this step, see “Configuring Authentication on the Root
Broker for Use with NetBackup” on page 19.
7. Add the media server as a host authorized to perform Authorization checks.
bpnbaz is located in directory /usr/openv/netbackup/bin/admincmd
On the master server, run:
bpnbaz -AllowAuthorization win_media
Operation completed successfully.
For more information about this step, see “Configuring the Authorization Server” on
page 21.
8. Set up the proper Access Control host properties for the media server. The properties
are described in “Configuring Access Control Host Properties” on page 23.
Open Access Control host properties for the media server (win_media) through the
master server. In the NetBackup Administration Console, select NetBackup
Management > Host Properties > Media Server > Select media server win_media >
Access Control.
◆ Set VxSS mode to Required. If some clients or media servers will not use
NetBackup Access Control, set to Automatic.
◆ Add authentication domains based on the systems where you have installed
Authentication servers and the Authentication methods supported.
For example, given a Windows system configured for Authentication using
domain WINUSER, and a UNIX system configured for Authentication using the
NIS domain my.company, the tab would look like the following:
◆ On the Authorization Services tab, indicate the host that will perform
authorization for this media server.
9. After changing the host properties, recycle the server daemons for the changes to take
effect.
Installing and Configuring Access Control for Clients
The following steps describe configuring NetBackup Access Control for a client in a
NetBackup configuration. A client requires Authentication Client software.
1. If this is an upgrade installation, stop NetBackup.
2. Using one of the infrastructure common services CDs containing VxSS for your
platform, install Authentication Client software on the system.
3. Using one of the infrastructure common services CDs containing VxSS for your
platform, install Authentication client software on the system.
4. Using bpnbat, register the client with the Authentication Broker, as described in
step 2 on page 19.
For example, to register the client (win_client) with the Authentication Broker
(win_master) and add it locally to the private domain, run the following command on the
At server (win_master), which is the master server:
bpnbat -AddMachine
Does the machine use Dynamic Host Configuration Protocol (DHCP)? (y/n) n
Authentication Broker: win_master.min.com
Authentication Port: [Enter = Default]:
Name: win_client.min.com
Password: [any password]
Password: [enter password again]
Operation completed successfully.
5. To create a credential for the client, run the following command on the client
(win_client):
bpnbat -loginmachine
Does this machine use Dynamic Host Configuration Protocol (DHCP)? (y/n) n
Authentication Broker: win_master.min.com
Authentication port[ Enter = default]:
Name: win_client.min.com
Password: [same password as in step 4]
Operation completed successfully.
6. Set up the proper Access Control host properties for the client. The properties are
described in “Configuring Access Control Host Properties” on page 23.
a. Open Access Control host properties for the client (win_client) through the master
server. In the NetBackup Administration Console, select NetBackup
◆ Add authentication domains based on the systems where you have installed
Authentication servers and the Authentication methods supported.
For example, given a Windows system configured for Authentication using
domain WINUSER, and a UNIX system configured for Authentication using
the NIS domain my.company, the tab would look like the following:
b. Set up Access Control on the master server (win_master) for the client:
On the VxSS tab, add win_client.min.com to the VxSS Network list as Required.
Establishing a Trust Relationship Between the Broker and the Windows Remote Console
To establish a trust relationship between the master server (broker) and the administration
client:
1. From the master server, run the following command:
\VERITAS\NetBackup\bin\
<domain_name>
<absolute_path>
"" WINDOWS
\VXSS_SETTINGS.txt"
<broker_host>
0
Running this command matches the VXSS settings on the administration client with
those on the broker and sets the administration client to log in automatically to the
broker.
4. Launch the Administration Console from the administration client; a request to
establish a trust with the broker should appear. Once the trust is agreed to, the
Administration Console should be available.
Installing the Authentication Service Root Broker (Root + AB)
Before installing the VxSS services which will create a Root Broker that is also an
Authentication Broker, check that the following conditions are true:
◆ Make sure that you are root on the system where you plan to install the VxSS Root
Broker software. To become root, enter the following command:
su -
◆ After becoming root, verify that root’s home directory is correctly specified.
Use the following command:
echo $HOME
◆ If NetBackup is currently installed, shut down all NetBackup services before
installing VxSS software.
Install the VxSS Root Broker software using one of the infrastructure common services
CDs containing VxSS for your platform, according to the instructions in the VERITAS Security Services Installation Guide. The manual is found on the installation CD.
NetBackup recommends placing the Root + AB broker on the NetBackup master server.
This allows for more centralized administration of the NetBackup server and can facilitate
upgrading to NetBackup Access Management.
After installing the Authentication Server software, configure the VxSS Root Broker as
described in “Configuring Authentication on the Root Broker for Use with NetBackup”
on page 19.
Configuring Authentication on the Root Broker for Use with NetBackup
Configure the Root Broker using the NetBackup command bpnbat, located in directory
/usr/openv/netbackup/bin/.
1. Shut down NetBackup on the master server and start the At daemon, then the Az
daemon:
To shut down the NetBackup daemons, run netbackup stop, located in the goodies
directory.
To start the At daemon, enter /opt/VRTSat/bin/vxatd
To start the Az daemon, enter /opt/VRTSaz/bin/vrtsaz
2. Allow the machines to communicate with one another:
Note The steps below require a password that should not be a user or root password.
The password must be at least five characters long, and match one another in both
steps. However, it is not necessary to use the same password each time the two
steps are run for a new machine in the domain.
a. To add a machine locally to the private domain:
In order for the NetBackup master servers, media servers, and clients to
communicate, this machine needs to be added to the private database of the
Authentication Broker by running the following command on the At server:
bpnbat -AddMachine
Does this machine use Dynamic Host Configuration Protocol (DHCP)? (y/n) n
Authentication Broker: broker
Authentication port[ Enter = default]: broker_port
Name: machine_name
Password: any_password
Password: Re-enter password
Operation completed successfully.
Where:
broker is the name of the machine that will act as the Authentication Broker for this
machine. In this case, since this machine is Root Broker + AB, enter the name of this
machine.
broker_port is a specified port number. To use the default Authentication port number
(2821), press Enter.
Chapter 1, Access Management 19
machine_name is the name of this machine.
any_password may be a unique password (at least five characters long) used only for
the purpose of registering this machine. However, the same password must be used in
both this step, when registering the machine locally in the private domain, and the
next step, when registering the machine, but not in the private domain.
b. To create a credential for a machine:
In order to log the machine into the specified Authentication Broker, enter the
following command on the machine that needs to be logged in:
bpnbat -loginmachine
Does this machine use Dynamic Host Configuration Protocol (DHCP)? (y/n) n
Authentication Broker: broker
Authentication port[ Enter = default]: broker_port
Name: machine_name
Password: same password as in step a
You do not currently trust the server: broker
Do you wish to trust it? (y/n) y
Operation completed successfully.
Continue to the next section for instructions on configuring authorization on the Root
Broker.
Installing the Authorization Server
Install the VxSS Authorization software from one of the infrastructure common services
CDs containing VxSS for your platform, according to the instructions in the VERITAS Security Services Installation Guide. The manual is found on the installation CD.
NetBackup recommends installing the Authorization server on the master server. This
ensures that the master and media servers are able to communicate with the
Authentication server at all times.
Configuring the Authorization Server
The bpnbaz command is used during Authorization setup to perform two functions
necessary for Access Management:
◆ Create the object hierarchy that appears in the NetBackup Administration Console
under Access Management.
◆ Set up user groups and add the first identity to the security administration group
(NBU_Security Admin).
bpnbaz is located in the directory /usr/openv/netbackup/bin/admincmd
Before running bpnbaz commands, check that both the Authentication daemon (vxatd)
and the Authorization daemon (vxazd) are running. If necessary, start the At daemon
first, then the Az daemon.
Note The user named in the following command will be set up as the first NetBackup
security administrator.
1. On the machine where the VxSS Authorization server software is installed, run:
bpnbaz -SetupSecurity master_server [-server AZ_server]
Where:
master_server is the fully qualified name of the NetBackup master server.
AZ_server is the fully qualified name of the machine where Authorization server
software is installed.
Note bpnbaz -SetupSecurity must be run by root (UNIX) or Administrator
(Windows).
This process may take a number of minutes.
See step 7 on page 9 for an example of this command.
2. Allow authorization:
Run the following command on the Authorization server:
bpnbaz -AllowAuthorization server
This command must be run on the Az server for each master or media server that will
utilize NetBackup Access Control.
Note bpnbaz -AllowAuthorization server must be run by root (UNIX) or
Administrator (Windows).
Where:
server is the fully qualified name of the machine where the Authorization client
software is installed. (Typically a media or master server.)
3. Start NetBackup daemons on the machine(s).
4. Continue with “Configuring Access Control Host Properties” on page 23 for
instructions on configuring NetBackup Access Control host properties for the master
server (Root Broker).
Configuring Access Control Host Properties
Until host properties configuration on the master server is complete, NetBackup Access
Control is not enforced. As such, UNIX users must temporarily load the Java NetBackup
Administration Console (jnbSA) as root and Windows users must load the NetBackup
Administration Console as Administrator.
Note VERITAS recommends setting master server VxSS property to Automatic until the
clients are configured for Access Control. Then, if desired, change the VxSS
property on the master server to Required.
Master Server and Media Server Host Properties
The Access Control host properties are described fully in Chapter 7 of the NetBackup
System Administrator’s Guide, Volume I, but the following sections describe some points to
double-check.
To get to the master and media server host properties in the NetBackup Administration
Console, open NetBackup Management > Host Properties > Master Server or Media Server > Select server > Access Control.
Access Control Host Properties Dialog
Set the VERITAS Security Services to either Required or Automatic. A setting of
Automatic takes into account that there may be hosts within the configuration that are
not upgraded to NetBackup version 5.0 or higher. The server will attempt to negotiate
the most secure connection possible when talking to other NetBackup systems.
When using Automatic, you may specify machines or domains requiring VxSS or
Prohibited from using VxSS.
VxSS Tab
Within the Access Control host properties, on the VxSS tab, add the master server to the
VxSS Network list and set VERITAS Security Services to Required.
Each new NetBackup client or media server (version 5.0 or higher), added to the
NetBackup master, needs to have the Access Control properties configured on both itself
and the master. This can be done through the host properties on the master server.
Authentication Domain Tab
The Authentication Domain tab is used to define the following:
◆ which Authentication servers support which authentication mechanisms, and
◆ what domains each supports.
Add the domain you wish users to authenticate against. Be sure to select the proper
authentication mechanism.
The following examples contain three authentication domains and three authentication
types, two hosted on the authentication server UNIXBOX, and a Windows AD/PDC
(Active Directory/Primary Domain Controller) hosted on WINMACHINE.
A UNIX domain UNIXBOX.MYCOMPANY.COM on the Authentication server UNIXBOX. Notice
that the authentication mechanism for this domain is PASSWD.
Note If using a UNIX authentication domain, enter the fully qualified domain name of the
host performing the authentication.
A NIS domain NIS.MYCOMPANY.COM on the Authentication server NISMACHINE. Notice that
the authentication mechanism for this domain is NIS.
A Windows AD/PDC domain WINDOWS.MYCOMPANY.COM on the Authentication server
WINMACHINE. Notice that the authentication mechanism for this domain is WINDOWS.
Authorization Service Tab
Within the Access Control host properties, on the Authorization Service tab, complete the
properties for the Authorization server. Specify the fully qualified domain name for the
system running the Authorization daemon (typically the master). If needed, specify the
alternate port for which this daemon has been configured. The default listening port for
the Authorization daemon is 4032. After making any changes to the host properties,
restart the daemons.
Note If configuring this tab for a media server using Access Control, you must define the
host that will perform authorization.
Verifying Master Server Settings
Running bpnbat -whoami shows the domain in which a host is registered and the name of
the machine the certificate represents (master.min.com).
Set the VERITAS Security Services to Required or Automatic.
VxSS Tab
Select the NetBackup client in the host properties. This tab is only enabled in Automatic
mode and can be used to control which systems require or prohibit the use of VxSS on a
per-machine basis. Note that both systems must have matching settings in order to
communicate.
Authentication Domain Tab
Within the Access Control host properties, on the Authentication Domain tab, add the
domain in which the NetBackup client resides and select the proper authentication
mechanism.
Access Management Troubleshooting Guidelines
In the configuration examples we’ll refer to the following host names:
                  Windows       UNIX
Master Servers    win_master    unix_master
Media Servers     win_media     unix_media
Clients           win_client    unix_client
Note While it is possible to share the Enterprise Media Manager server between multiple
master servers, this configuration is not supported when using Access Control. The
EMM server must be bound to one master server.
Windows Verification Points
There are procedures that help you verify that the master server, media server and client
are configured correctly for Access Control.
Example Configuration Containing Windows Systems Only
[Figure: example Windows-only configuration. Recoverable labels: the master server acts
as At server and Az server; Windows user accounts authenticate via the Windows
Authentication Broker; the media server holds the credential
win_media.min.com@NBU_Machines; Client (Windows) win_client.min.com is an At client
holding the credential win_client.min.com@NBU_Machines.]
Note Each machine has a private domain account created for it. Using these accounts
allows NetBackup to more reliably identify machines as they communicate with each other.
Master Server Verification Points
The following sections describe procedures for Windows master server verification.
Verify Windows Master Server Settings
To determine in what domain a host is registered (where the primary Authentication
broker resides), and the name of the machine the certificate represents, run bpnbat with
If the domain listed is not NBU_Machines@win_master.min.com, consider running
bpnbat -addmachine for the name in question (win_master) on the machine that is
serving the NBU_Machines domain (win_master).
Then, on the machine where we want to place the certificate, run:
bpnbat -loginmachine
(entering win_master as the Authentication Broker)
Note When determining if a user’s credentials have expired, keep in mind that the output
displays the expiration time in GMT, not local time.
Note For the remaining procedures in this verification section, we assume that the
commands are performed from an operating system window in which the user
identity in question has run bpnbat -login using an identity that is a member of
NBU_Security Admin. This is usually the first identity with which the security was
set up.
Verify which Machines are Permitted to Perform Authorization Lookups
Logged in as a member of the Administrators group, run the following command:
bpnbaz -ShowAuthorizers
This command shows that win_master and win_media (media server) are permitted to
perform Authorization lookups. Note that both servers are authenticated against the same
vx (VERITAS Private Domain) Domain, NBU_Machines@win_master.min.com.
Note This command must be run by a local administrator or by root. The local
administrator must be a member of the NBU_Security Admin user group.
If the groups do not appear, or if bpnbaz -listmainobjects does not return data, run
bpnbaz -SetupSecurity.
Verify that the vxatd and vxazd Processes are Running
Use the Windows Task Manager to make sure that vxatd.exe and vxazd.exe are running
on the designated host. If necessary, start them.
Verify that the Host Properties are Configured Correctly
In the Access Control host properties, verify that the VERITAS Security Services
property is set correctly. (The setting should be either Automatic or Required, depending
on whether all machines are using VxSS or not. If all machines are not using VxSS, set it to
Automatic.)
This can also be verified by viewing USE_VXSS in the registry at:
In the Access Control host properties, verify that the authentication domains listed are
spelled correctly and point to the proper servers (valid Authentication brokers). If all
domains are Windows-based, they should point to a Windows machine running the At
broker.
Media Server Verification Points
The following sections describe procedures for Windows media server verification.
Verify the Media Server
To determine which Authentication broker the media server is authenticated against, run
bpnbat -whoami. For example:
If this command fails, run bpnbaz -AllowAuthorization on the master server that is
the Authorization broker (win_master.min.com).
Unable to Load Library Message
Verifying the media server and verifying that the media server has access to the proper
database indirectly informs us that the VxSS client libraries for both At and Az are
properly installed. If either of these procedures fail with messages pertaining to “unable to
load libraries,” check to make certain the Authentication and Authorization client
libraries are installed. See the VERITAS Security Services Installation Guide on the VxSS
installation CD for proper installation procedures.
You may also verify that the Authentication domains are correct by viewing the Access
Control host properties for this media server, or by using regedit directly on the media
server.
Client Verification Points
The following sections describe procedures for Windows client verification.
Verify the Credential for the Client
To check that the credential for the client is indeed for the correct client and comes from
the correct domain, run bpnbat -whoami. For example:
Verify that the VxSS Authentication Client Libraries are Installed
Run bpnbat -login on the client to verify that the VxSS authentication client libraries
are installed.
bpnbat -login
Authentication Broker:
Authentication port[ Enter = default]:
Authentication type (NIS, NIS+, WINDOWS, vx, unixpwd): WINDOWS
Domain: ENTERPRISE
Name: Smith
Password:
Operation completed successfully.
This can also be done by looking at the Windows Add/Remove Programs.
Verify Correct Authentication Domains
In the Access Control host properties or by using regedit, check that any defined
authentication domains for the client are correct. Make certain the domains are spelled
correctly, and that the authentication brokers listed for each of the domains is valid for
that domain type.
UNIX Verification Points
These are the procedures that help you verify that the UNIX master server, media server
and client are configured correctly for Access Control.
Example Configuration Containing UNIX Systems Only
[Figure: example UNIX-only configuration. Recoverable labels: UNIX user accounts
authenticate via the UNIX Authentication Broker; the media server holds the credential
unix_media.min.com@NBU_Machines; Client (UNIX) unix_client.min.com is an At client
holding the credential unix_client.min.com@NBU_Machines.]
Note Each machine has a private domain account created for it. Using these accounts
allows NetBackup to more reliably identify machines as they communicate with each other.
Master Server Verification Points
The following sections describe procedures for UNIX master server verification.
Verify UNIX Master Server Settings
To determine in what domain a host is registered (where the primary Authentication
broker resides), and the name of the machine the certificate represents, run bpnbat with
If the domain listed is not NBU_Machines@unix_master.min.com, consider running
bpnbat -addmachine for the name in question (unix_master) on the machine that is
serving the NBU_Machines domain (unix_master).
Then, on the machine where we want to place the certificate, run:
bpnbat -loginmachine
Note When determining if a user’s credentials have expired, keep in mind that the output
displays the expiration time in GMT, not local time.
Note For the remaining procedures in this verification section, we assume that the
commands are performed from an operating system window in which the user
identity in question has run bpnbat -login using an identity that is a member of
NBU_Security Admin. This is usually the first identity with which the security was
set up.
Verify which Machines are Permitted to Perform Authorization Lookups
Logged in as root on the Authorization broker, run the following command:
bpnbaz -ShowAuthorizers
This command shows that unix_master and unix_media are permitted to perform
Authorization lookups. Note that both servers are authenticated against the same vx
(VERITAS Private Domain) Domain, NBU_Machines@unix_master.min.com.
bpnbaz -ShowAuthorizers
==========
Type: User
Domain Type: vx
Domain:NBU_Machines@unix_master.min.com
Name: unix_master.min.com
==========
Type: User
Domain Type: vx
Domain:NBU_Machines@unix_master.min.com
Name: unix_media.min.com
Operation completed successfully.
If a master or media server is missing from the list of Authorized machines, run
bpnbaz -allowauthorization to add the missing machine.
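The following shell script is an added example, not part of the guide: it parses bpnbaz -ShowAuthorizers output in the record layout shown above and reports any required server that is missing, or any record registered in a domain other than the master's NBU_Machines domain. The sample output and host names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the NetBackup guide): check "bpnbaz -ShowAuthorizers"
# output for the servers that must be allowed to perform authorization lookups.

# Constructed sample output, laid out the way the guide shows it. In a live
# check you would capture it with: out=$(bpnbaz -ShowAuthorizers)
SAMPLE_SHOWAUTHORIZERS='==========
Type: User
Domain Type: vx
Domain:NBU_Machines@unix_master.min.com
Name: unix_master.min.com
==========
Type: User
Domain Type: vx
Domain:NBU_Machines@unix_master.min.com
Name: unix_media.min.com
Operation completed successfully.'

# Constructed sample in which the media server was registered against a
# different private domain, which the guide says must not be the case.
SAMPLE_WRONG_DOMAIN='==========
Type: User
Domain Type: vx
Domain:NBU_Machines@other_master.min.com
Name: unix_media.min.com
Operation completed successfully.'

# authorizer_names OUTPUT: print the Name: field of every record, one per line.
authorizer_names() {
    printf '%s\n' "$1" | sed -n 's/^Name:[[:space:]]*//p'
}

# check_authorizers OUTPUT MASTER_FQDN HOST...
# Returns 0 only when the command completed, every record is in the vx domain
# NBU_Machines@MASTER_FQDN, and every HOST has a record. Each problem is
# printed together with the guide's corrective command.
check_authorizers() {
    output=$1; master=$2; shift 2
    rc=0
    expected_domain="NBU_Machines@$master"
    if ! printf '%s\n' "$output" | grep -q '^Operation completed successfully\.$'; then
        echo "bpnbaz -ShowAuthorizers did not complete; check that vxatd and vxazd are running"
        return 1
    fi
    # Every "Domain:" line (not "Domain Type:") must name the master's private domain.
    for d in $(printf '%s\n' "$output" | sed -n 's/^Domain:[[:space:]]*//p'); do
        if [ "$d" != "$expected_domain" ]; then
            echo "authorizer registered in $d, expected $expected_domain"
            rc=1
        fi
    done
    # Every server that performs authorization lookups must be listed.
    names=$(authorizer_names "$output")
    for host in "$@"; do
        if ! printf '%s\n' "$names" | grep -qxF "$host"; then
            echo "$host not listed: run bpnbaz -AllowAuthorization $host on the Az server"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone demonstration against the constructed samples.
check_authorizers "$SAMPLE_SHOWAUTHORIZERS" unix_master.min.com \
    unix_master.min.com unix_media.min.com && echo "authorizers OK"
check_authorizers "$SAMPLE_WRONG_DOMAIN" unix_master.min.com unix_media.min.com \
    || echo "wrong-domain sample flagged as expected"
```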
Verify that the Database is Configured Correctly
To make sure that the database is configured correctly, run bpnbaz -listgroups:
See the VERITAS Security Services Administrator’s Guide for more details on how to start vxatd and vxazd.
Verify that the Host Properties are Configured Correctly
In the Access Control host properties, verify that the VERITAS Security Services
property is set correctly. (The setting should be either Automatic or Required, depending
on whether all machines are using VxSS or not. If all machines are not using VxSS, set it to
Automatic.)
In the Access Control host properties, verify that the authentication domains listed are
spelled correctly and point to the proper servers (valid Authentication brokers). If all
domains are UNIX-based, they should point to a UNIX machine running the At broker.
If this command fails, run bpnbaz -AllowAuthorization on the master server that is
the Authorization broker (unix_master).
Unable to Load Library Message
Verifying the media server and verifying that the media server has access to the proper
database indirectly informs us that the VxSS client libraries for both At and Az are
properly installed. If either of these procedures fail with messages pertaining to “unable to
load libraries,” check to make certain the Authentication and Authorization client
libraries are installed. See the VERITAS Security Services Installation Guide on the VxSS
installation CD.
You may also verify that the Authentication domains are correct by viewing the Access
Control host properties for this media server, or by cat(1)ing the bp.conf file.
Client Verification Points
The following sections describe procedures for UNIX client verification.
Verify the Credential for the Client
To check that the credential for the client is indeed for the correct client and comes from
the correct domain, run bpnbat -whoami. For example:
Verify that the VxSS Authentication Client Libraries are Installed
Run bpnbat -login on the client to verify that the VxSS authentication client libraries
are installed.
bpnbat -login
Authentication Broker: unix_master.min.com
Authentication port[ Enter = default]:
Authentication type (NIS, NIS+, WINDOWS, vx, unixpwd): NIS
Domain: min.com
Name: Smith
Password:
Operation completed successfully.
This can also be done by looking at /etc/vx/vss/*.loc to see where the libraries are
installed, and verifying that they are in the location indicated:
cat /etc/vx/vss/*.loc
ProductInstallDir=/opt/VRTSat
ProductInstallDir=/opt/VRTSaz
ls -l /opt/VRTSat/* /opt/VRTSaz/*
Verify Correct Authentication Domains
In the Access Control host properties or by using vi, check that any defined
authentication domains for the client are correct. Make certain the domains are spelled
correctly, and that the authentication brokers listed for each of the domains is valid for
that domain type.
Verification Points in a Mixed Environment with a UNIX Master Server
The following procedures can help you verify that the master server, media server and
client are configured correctly for a heterogeneous NetBackup Access Control
environment, where the master server is a UNIX machine.
Example Mixed Configuration Containing a UNIX Master
[Figure: example mixed configuration with a UNIX master. Recoverable labels: NBU master
server (UNIX) unix_master.min.com acts as At server, Az server, Root Broker,
Authentication Broker and Authorization Service; its private VxSS domain
NBU_Machines@unix_master.min.com contains the credentials
unix_media.min.com@NBU_Machines and unix_client.min.com@NBU_Machines; UNIX hosts
authenticate via the UNIX Authentication Broker; Client (UNIX) unix_client.min.com is an
At client.]
Note Each machine has a private domain account created for it. Using these accounts allows
NetBackup to more reliably identify machines as they communicate with each other.
Master Server Verification Points
Follow the same procedures as those listed in “Master Server Verification Points” on
page 36.
Media Server Verification Points
Verify the UNIX Media Server
For UNIX media servers, follow the same procedures as those listed in “Media Server
Verification Points” on page 38.
Verify the Windows Media Server
Check the machine certificate comes from the root Authentication broker, which is found
on the UNIX master server (unix_master).
If the certificate is missing, run the following commands to correct the problem:
◆ bpnbat -addmachine on the root Authentication broker (in this example,
unix_master)
◆ bpnbat -loginmachine (in this example, win_media)
If the media server is not allowed to perform authorization checks, run bpnbaz
-allowauthorization on the master server for the media server name in question.
Unable to Load Library Message
Verifying the Windows media server and verifying that the media server is permitted to
perform authorization checks indirectly informs us that the VxSS client libraries for both
At and Az are properly installed. If either of these procedures fail with messages
pertaining to “unable to load libraries,” check to make certain the Authentication and
Authorization client libraries are installed. See the VERITAS Security Services Installation Guide on the VxSS installation CD.
Verify Authentication Domains
You may also verify that the Authentication domains are correct by viewing the Access
Control host properties for this media server, or by using regedit directly on the media
server in the following location:
Take extra care in mixed environments to ensure that the appropriate domain types point
to the correct authentication brokers. In the example below, note that the WINDOWS
domains point to win_media.min.com.
Client Verification Points
For UNIX client machines, follow the same procedures as those listed in “Client
Verification Points” on page 39.
For Windows clients:
Verify the Credential for the Windows Client
To check that the credential for the client is indeed for the correct client and comes from
the correct domain, run bpnbat -whoami. For example:
Verify that the VxSS Authentication Client Libraries are Installed
Run bpnbat -login on the client to verify that the VxSS authentication client libraries
are installed. For example:
bpnbat -login
Authentication Broker: unix_master.min.com
Authentication port[ Enter = default]:
Authentication type (NIS, NIS+, WINDOWS, vx, unixpwd): NIS
Domain: min.com
Name: Smith
Password:
Operation completed successfully.
Verifying the Windows Authentication Broker
Make sure that the Windows Authentication broker either has mutual trust with the main
UNIX Authentication broker, or is using the UNIX broker as its root broker. See the
VERITAS Security Services Installation Guide on the VxSS installation CD for more
information regarding these scenarios.
Verification Points in a Mixed Environment with a Windows Master Server
The following procedures can help you verify that the master server, media server and
client are configured correctly for a heterogeneous NetBackup Access Control
environment, where the master server is a Windows machine.
Example Mixed Configuration Containing a Windows Master
[Figure: example mixed configuration with a Windows master. Recoverable labels: NBU
master server (Windows) win_server.min.com acts as At server, Az server, Root Broker,
Authentication Broker and Authorization Service; its private VxSS domain
NBU_Machines@win_server.min.com contains the credentials
win_media.min.com@NBU_Machines and win_client.min.com@NBU_Machines; Windows user
accounts authenticate via the Windows Authentication Broker; Client (Windows)
win_client.min.com is an At client.]
Note Each machine has a private domain account created for it. Using these accounts allows
NetBackup to more reliably identify machines as they communicate with each other.
Master Server Verification Points
Follow the same procedures as those listed in “Master Server and Media Server Host
Properties” on page 23.
Media Server Verification Points
Verify the Windows Media Server
For Windows media servers, follow the same procedures as those listed in “Media Server
Verification Points” on page 32.
Verify the UNIX Media Server
Check that the machine certificate is issued from the root Authentication broker, found on
the Windows master server (win_master). To determine which Authentication broker the
media server is authenticated against, run bpnbat -whoami. For example:
Verify that the Server has Access to the Authorization Database
To make sure that the media server is able to access the Authorization database as it needs
to perform authorization checks, run bpnbaz -ListGroups -CredFile
"
If the media server is not allowed to perform authorization checks, run bpnbaz
-allowauthorization on the master server for the media server name in question.
Unable to Load Library Message
Verifying the media server and verifying that the media server has access to the proper
database indirectly informs us that the VxSS client libraries for both At and Az are
properly installed. If either of these procedures fail with messages pertaining to “unable to
load libraries,” check to make certain the Authentication and Authorization client
libraries are installed. See the VERITAS Security Services Installation Guide on the VxSS
installation CD.
Cross Platform Authentication Domains
You may also verify that the Authentication domains are correct by viewing the Access
Control host properties for this media server, or by cat(1)ing the bp.conf file.
Take extra care in mixed environments to ensure that the appropriate domain types point
to the correct authentication brokers. In the example below, note that the PASSWD and
NIS domains point to unix_media.min.com, which, in this example, is the UNIX
Authentication broker:
Verify that the VxSS Authentication Client Libraries are Installed
Run bpnbat -login on the client to verify that the VxSS authentication client libraries
are installed.
bpnbat -login
Authentication Broker: unix_media.min.com
Authentication port[ Enter = default]:
Authentication type (NIS, NIS+, WINDOWS, vx, unixpwd): NIS
Domain: min.com
Name: Smith
Password:
You do not currently trust the server: unix_media.min.com, do you wish to trust it? (y/n): y
Operation completed successfully.
Verify the UNIX Authentication Broker
Make sure that the UNIX Authentication broker either has mutual trust with the main
Windows Authentication broker, or is using the Windows broker as its root broker. See the
VERITAS Security Services Installation Guide on the VxSS installation CD for more
information regarding this scenario.
Other Troubleshooting Topics
The following sections describe topics that may be helpful when configuring VxSS with
NetBackup.
Expired Credentials Message
If your credential has expired or is incorrect, you may receive the following message while
running a bpnbaz or bpnbat command:
Supplied credential is expired or incorrect. Please reauthenticate and
try again.
Run bpnbat -Login to update an expired credential.
Useful Debug Logs
The following logs are useful when debugging NetBackup Access Control:
On the master: admin, bpcd, bprd, bpdbm, bpjobd
On the client: admin, bpcd, bprd, bpdbjobs
See the NetBackup Troubleshooting Guide for instructions on implementing proper logging.
If Uninstalling VxSS
On UNIX:
Using installvss, select the option for uninstalling Authentication and Authorization.
The following directories should be empty after uninstalling:
/opt
/etc/vx/vss
/var/
On Windows:
Use the Windows Add/Remove Programs panel from the Control Menu to uninstall
Authentication and Authorization. The \Veritas\Security directory should be empty
after uninstalling.
Where Credentials Are Stored
NetBackup VxSS credentials are stored in the following UNIX directories:
Credentials have a birth and death time. Machines with large discrepancies in time may
see credentials as being created in the future or may prematurely consider a credential to
be expired. Consider synchronizing system time if you have trouble communicating
between systems.
VxSS Ports
VxSS daemons listen at the following ports:
Authentication:
netstat -an | grep 2821
Authorization:
netstat -an | grep 4032
Stopping VxSS Daemons
When stopping the VxSS daemons, stop Az first, then stop At.
When stopping the VxSS services, stop Authorization first, then stop Authentication.
UNIX: Use the following commands.
To stop Az: /opt/VRTSaz/bin/vrtsaz -stop
To stop At: Use the term signal as shown in the example below:
Check that the following entries are set correctly: AUTHORIZATION_SERVICE,
AUTHENTICATION_DOMAIN, and USE_VXSS.
If the administrator does not wish to use NetBackup Access Control or does not have the
VxSS libraries installed, make certain that the USE_VXSS entry is set to Prohibited, or is
deleted entirely.
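The following shell script is an added example, not part of the guide: it checks the USE_VXSS, AUTHORIZATION_SERVICE and AUTHENTICATION_DOMAIN entries of a bp.conf-style file for the conditions described here and in the cross-platform domain check earlier (each domain type pointing at a broker of its own platform). The "KEY = value" line layout, the sample file and the host names are assumptions of the example, not taken from the guide.

```shell
#!/bin/sh
# Added example (not from the NetBackup guide): sanity-check the Access Control
# entries of a bp.conf-style file. The "KEY = value" layout used here, with
# AUTHENTICATION_DOMAIN = domain "comment" mechanism broker port and
# AUTHORIZATION_SERVICE = host port, is an assumption of this example.

# Constructed sample for a mixed environment with a UNIX master: the PASSWD
# and NIS domains point to the UNIX broker, the WINDOWS domain to the Windows broker.
SAMPLE_BPCONF='SERVER = unix_master.min.com
USE_VXSS = AUTOMATIC
AUTHORIZATION_SERVICE = unix_master.min.com 4032
AUTHENTICATION_DOMAIN = min.com "NIS domain" NIS unix_master.min.com 2821
AUTHENTICATION_DOMAIN = unix_master.min.com "local passwd" PASSWD unix_master.min.com 2821
AUTHENTICATION_DOMAIN = ENTERPRISE "AD domain" WINDOWS win_media.min.com 2821'

# conf_value CONF KEY: print every value of KEY, one per line.
conf_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p"
}

# check_nbac_conf CONF UNIX_BROKER WINDOWS_BROKER
# Returns 0 when the Access Control entries are consistent: USE_VXSS is a known
# value; if it is AUTOMATIC or REQUIRED, an AUTHORIZATION_SERVICE is present and
# each AUTHENTICATION_DOMAIN points at the broker of its own platform type.
# Each problem is printed and the function returns 1.
check_nbac_conf() {
    conf=$1; unix_broker=$2; win_broker=$3; rc=0
    use_vxss=$(conf_value "$conf" USE_VXSS | tr '[:lower:]' '[:upper:]')
    case "$use_vxss" in
        PROHIBITED|"")
            # Access Control not in use (the state the guide wants when the
            # VxSS libraries are not installed): nothing more to check.
            return 0 ;;
        AUTOMATIC|REQUIRED) ;;
        *) echo "USE_VXSS has an unexpected value: $use_vxss"; return 1 ;;
    esac
    az=$(conf_value "$conf" AUTHORIZATION_SERVICE)
    if [ -z "$az" ]; then
        echo "AUTHORIZATION_SERVICE is missing"; rc=1
    else
        set -- $az
        [ "${2:-4032}" = 4032 ] || echo "note: Az port $2 differs from the default 4032"
    fi
    domains=$(conf_value "$conf" AUTHENTICATION_DOMAIN)
    if [ -z "$domains" ]; then
        echo "no AUTHENTICATION_DOMAIN entries"; rc=1
    fi
    nl='
'
    # Split the entries on newlines only (and without globbing), one per loop.
    oldifs=$IFS; IFS=$nl; set -f
    for line in $domains; do
        IFS=$oldifs; set +f
        # Drop the quoted comment, then split: domain mechanism broker [port]
        fields=$(printf '%s\n' "$line" | sed 's/"[^"]*"//')
        set -- $fields
        domain=$1; mech=$2; broker=$3
        case "$mech" in
            WINDOWS)                 want=$win_broker ;;
            NIS|NIS+|PASSWD|unixpwd) want=$unix_broker ;;
            *) echo "$domain: unknown mechanism '$mech'"; rc=1; continue ;;
        esac
        if [ "$broker" != "$want" ]; then
            echo "$domain ($mech) points to $broker, expected $want"; rc=1
        fi
    done
    IFS=$oldifs; set +f
    return $rc
}

# Stand-alone demonstration against the constructed sample.
check_nbac_conf "$SAMPLE_BPCONF" unix_master.min.com win_media.min.com \
    && echo "Access Control entries consistent"
```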
nbac_cron Utility
Use the nbac_cron utility to create identities under which to run cron or at jobs.
nbac_cron is found in the following location:
UNIX: /opt/openv/netbackup/bin/goodies/nbac_cron
Windows: Install_path\netbackup\bin\goodies\nbac_cron.exe
nbac_cron options:
◆ -SetupAt [-Port #] or -SetupCron [-Port #]
Either option sets up an Authentication account. Optionally, specify a port number to
use for authentication.
◆ -AddAt
Create an at account for a user.
◆ -AddCron
Create a cron account for a user.
Chapter 1, Access Management 53
Using the Access Management Utility
Users assigned to the NetBackup Security Administrator user group have access to Access
Management. Users assigned to any other user group, including NetBackup
Administrator, can see the Access Management node in the NetBackup Administration
Console, but cannot expand it.
If a user other than a Security Administrator tries to select Access Management, an error
message displays. Toolbar buttons and menu items specific to Access Management are
not displayed.
Upon successful completion, the default NetBackup user groups should display in the
NetBackup Administration Console under Access Management > NBU User Groups.
To list the groups on the command line, run bpnbaz -ListGroups on the machine where
the VxSS Authorization server software is installed. bpnbaz is located in directory
/usr/openv/netbackup/bin/admincmd. (You must be logged in as the Security
Administrator by using bpnbat -login.)
The NetBackup user groups are listed. This verifies that the Security Administrator can
access the user groups.
Access Management Menus
The Menu bar consists of the following menu items:
Option    Description
File      Options Change Server, New Window from Here, Adjust Application Time Zone,
          Export, Page Setup, Print Preview, Print, Close Window, and Exit are described in
          Chapter 1 of the NetBackup System Administrator’s Guide for UNIX, Volume I.
Edit      Options New, Change, Delete, and Find are described in Chapter 1 of the
          NetBackup System Administrator’s Guide for UNIX, Volume I.
          The Change option is available when a NBU user group is selected in the details
          pane.
View      Options Show Toolbar, Show Tree, Back, Forward, Up One Level, Options,
          Refresh, Column Layout, Sort, and Filter are described in Chapter 1 of the
          NetBackup System Administrator’s Guide for UNIX, Volume I.
Actions   The Actions menu contains the following options when Access Management is
          selected:
          ◆ New User Group: Click to create a new NetBackup user group.
          ◆ Copy to New User Group: Use to create a new user group based on an existing
            user group. Users and permissions can be changed as needed for the new user
            group.
Help      Options Help Topics, Troubleshooter, License Keys, Current NBAC User, and
          About NetBackup Administration Console are described in Chapter 1 of the
          NetBackup System Administrator’s Guide for UNIX, Volume I.
Determining Who Can Access NetBackup
By default, Access Management allows only one user group, the NBU_Security Admin user
group, to define the following aspects of NetBackup Access Management:
◆ The permissions of individual users.
◆ The creation of user groups.
First, determine which NetBackup resources your users will need to access. (See
“Permissions for Default NetBackup User Groups” on page 65 for resources and
associated permissions.)
The Security Administrator may want to first consider what different users have in
common, then create user groups with the permissions that these users require. User
groups generally correspond to a role, such as administrators, operators, or end-users.
Consider basing user groups on one or more of the following criteria:
◆ Functional units in your organization (UNIX administration, for example)
◆ NetBackup resources (drives, policies, for example)
◆ Location (East Coast or West coast, for example)
◆ Individual responsibilities (tape operator, for example)
Note Permissions are granted to individuals in user groups, not to individuals on a
per-host basis. If a machine is authenticated within the configuration, any
individual in the user group can operate NetBackup to the extent that they are
authorized to do so. There are no restrictions based on a machine name.
Individual Users
NetBackup Access Management uses your existing OS-defined users, groups, and
domains. As such, Access Management maintains no list of users and passwords. When
defining members of groups, the Security Administrator is specifying existing OS level
users as members of user groups.
Every authenticated user belongs to at least one authorization user group. By default,
every user belongs to the user group NBU_Users, which contains all authenticated users.
(Figure: the Access Management node in the NetBackup Administration Console. Only users
and OS groups display in the console, not domains. The contents of Access Management are
visible only to members of the NBU_Security Admin user group.)
There are two types of users that are implicit members of groups:
◆ On the server hosting the Authorization daemons, root is an implicit member of the
NBU_Security Admin user group
◆ All authenticated users are implicit members of the NBU_Users user group
All other groups must have members defined explicitly. The NetBackup Security
Administrator can delete members added manually to other groups; however, the
Security Administrator may not delete the predefined implicit members of the NBU_Users
and NBU_Security Admin groups. OS groups and OS users may be added to an
authorization group.
Note Although root (UNIX) or administrator (Windows) on the master server are added to
the NetBackup Administrators user group and get NetBackup Administrator
permissions, root and administrator are not predefined users.
User Groups
Rather than assigning permissions directly to individual users, NetBackup Access
Management is configured by assigning permissions to user groups, then assigning users
to the user groups.
Upon successful installation, NetBackup provides five default user groups that
complement how sites often manage the duties of NetBackup operation. The user groups
are listed under Access Management > NBU User Groups. Keep in mind that the contents
of Access Management are visible to members of the NBU_Security Admin group only.
The Security Administrator may choose to use the default NetBackup user groups, or may
choose to create custom user groups.
Default User Groups
The permissions granted to users in each of the five default user groups correlate to the
group name. Essentially, an authorization object correlates to a node in the NetBackup
Administration Console tree.
The following sections describe each NetBackup default user group:
Security Administrator (NBU_Security Admin)
There are usually very few members in the NBU_Security Admin user group. The only
permission that the Security Administrator possesses by default is that of configuring
Access Control within Access Management. Configuring Access Control includes the
following permissions:
◆ Ability to see the contents of Access Management in the NetBackup Administration
Console
◆ Ability to create, modify and delete users and user groups
◆ Ability to assign users to user groups
◆ Ability to assign permissions to user groups
Administrator (NBU_Admin)
By default, members of the NBU_Admin user group have full permission to access,
configure, and operate any NetBackup authorization object. In other words, members
have all the capabilities that are currently available to administrators without Access
Management in place. However, as members of this group, it is not necessary to log on as
root or administrator at the OS level.
Note Members of the NBU_Admin user group cannot see the contents of Access
Management, and therefore, cannot ascribe permissions to other user groups.
Operator (NBU_Operator)
The main task of the NBU_Operator user group is to monitor jobs. For example, members
of the NBU_Operator user group might monitor jobs and notify a NetBackup
administrator if there is a problem so the problem can be addressed by the administrator.
Using the default permissions, a member of the NBU_Operator user group would
probably not have enough access to address larger problems.
Members of the NBU_Operator user group have permissions that allow them to perform
some tasks such as moving tapes, operating drives, and inventorying robots.
Note In order for members of the NBU_Operator user group to continue viewing media
and device information, run the command bpnbaz -UpGrade60.
Running this command brings the NetBackup 5.x permissions for the
NBU_Operator user group up to the expected configuration for 6.0.
Default User (NBU_User)
The NBU_User user group is the default NetBackup user group with the fewest
permissions. Members of the NBU_User user group can only backup, restore, and archive
files. NBU_User user group members have access to the functionality of the NetBackup
client interface (BAR).
Vault Operator (Vault_Operator)
The Vault_Operator user group is the default user group that contains permissions to
perform the operator actions necessary for the Vault process.
Additional User Groups
The Security Administrator (member of NBU_Security Admin or equivalent) can create
user groups as needed. Although the default user groups can be selected, changed and
saved, NetBackup recommends that the groups be copied, renamed, then saved in order
to retain the default settings for future reference.
User Group Configuration
The Security Administrator can create a new user group by clicking Actions > New
Group or by selecting an existing user group and selecting Actions > Copy to New
Group.
▼ To create a new user group
1. As a member of the NBU_Security Admin user group (or equivalent), expand Access
Management > User Groups.
2. Select Actions > New User Group. The Add New User Group dialog displays,
opened to the General tab.
3. Type the name of the new group in the Name field, then click the Users tab. For more
information on users, see “Users Tab” on page 61.
4. Select the defined users that you wish to assign to this new user group, then click
Assign. Or, to include all the defined users in the group, click Assign All. To remove
users from the assigned users list, select the user name, then click Remove.
5. Click the Permissions tab. For more information on permissions, see “Permissions
Tab” on page 64.
6. Select a resource from the Resources list, then select the permissions for the object.
7. Click OK to save the user group and the group permissions.
▼ To create a new user group by copying an existing user group
1. As a member of the NBU_Security Admin user group (or equivalent), expand Access
Management > User Groups.
2. Select an existing user group in the Details pane. (The pane on the left side of the
NetBackup Administration Console.)
3. Select Actions > Copy to New User Group. A dialog based on the selected user group
displays, opened to the General tab.
4. Type the name of the new group in the Name field, then click the Users tab.
5. Select the defined users that you wish to assign to this new user group, then click
Assign. Or, to include all the defined users in the group, click Assign All. To remove
users from the assigned users list, select the user name, then click Remove.
6. Click the Permissions tab.
7. Select a resource from the Resources list, then select the permissions for the object.
8. Click OK to save the user group and the group permissions. The new name for the
user group appears in the Details pane.
Renaming User Groups
Once a NetBackup user group has been created, the user group cannot be renamed. The
alternative to directly renaming a user group is to copy the user group, give the copy a
new name, ensure the same membership as the original, then delete the original
NetBackup user group.
General Tab
The General tab contains the name of the user group. If creating a new user group, the
Name field can be edited.
Users Tab
The Users tab contains controls to assign and remove users from user groups.
Defined Users
The Defined Users list is a list of all users defined manually within other groups.
◆ Assign button: Select a user in the Defined User list and click Assign to assign that
user to a user group.
◆ Assign All button: Click Assign All to add all defined users to the user group.
Assigned Users
The Assigned Users list contains defined users who have been added to the user group.
◆ Remove button: Select a user in the Assigned Users list and click Remove to remove
that user from the user group.
◆ Remove All button: Click Remove All to remove all assigned users from the
Assigned User list.
New User
Click New User to add a user to the Defined Users list. After adding a user, the name
appears in the Defined Users list and the Security Administrator can assign the user to
the user group. (See “To add a new user to a user group” on page 63.)
Defining User Groups and Users
NetBackup authenticates existing users of the operating system rather than requiring that
NetBackup users be created with a NetBackup password and profile.
Defining a User Group
Users can belong to more than one user group and have the combined access of both
groups.
While users can be members of multiple user groups simultaneously, NetBackup does not
allow user groups to be nested. For example, while members of a user group can belong
to more than one user group, a user group cannot belong to another user group.
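The membership rules above (implicit members of NBU_Users and NBU_Security Admin, explicit OS users and OS groups elsewhere, combined access across several groups, no nested groups) as an added Python model; this is example code, not NetBackup's own, and the host names, user names and permission subsets in it are constructed.

```python
# Added example, not NetBackup's own code: a minimal model of the Access
# Management membership rules described in this section. Host names,
# user names and the permission subsets are constructed for the example.

NBU_USERS = "NBU_Users"
NBU_SECURITY_ADMIN = "NBU_Security Admin"


class AccessManagement:
    def __init__(self, az_host):
        # az_host: the server hosting the Authorization daemons (constructed).
        self.az_host = az_host
        # group name -> explicitly defined members, ("user", n) or ("osgroup", n)
        self.members = {NBU_USERS: set(), NBU_SECURITY_ADMIN: set()}
        # group name -> set of "Object:Activity" permission strings
        self.permissions = {
            NBU_USERS: set(),
            NBU_SECURITY_ADMIN: {"Access Management:Configure Access Control"},
        }

    def new_user_group(self, name, permissions=()):
        if name in self.members:
            raise ValueError("user group already exists: " + name)
        self.members[name] = set()
        self.permissions[name] = set(permissions)

    def add_member(self, group, kind, name):
        # Only OS users and OS groups can be members; a NetBackup user
        # group cannot belong to another user group (no nesting).
        if kind not in ("user", "osgroup"):
            raise ValueError("unsupported member type: " + kind)
        if name in self.members:
            raise ValueError("nested user groups are not allowed: " + name)
        self.members[group].add((kind, name))

    def remove_member(self, group, kind, name):
        # Only explicitly added members can be removed. The implicit
        # memberships are computed in groups_of(), so they cannot be deleted.
        if (kind, name) not in self.members[group]:
            raise ValueError("%s is not an explicit member of %s" % (name, group))
        self.members[group].remove((kind, name))

    def groups_of(self, user, os_groups, host):
        """User groups an authenticated OS user belongs to when connecting
        from the given host."""
        groups = {NBU_USERS}                       # every authenticated user
        if user == "root" and host == self.az_host:
            groups.add(NBU_SECURITY_ADMIN)         # implicit on the AZ host only
        for group, members in self.members.items():
            if ("user", user) in members or \
               any(("osgroup", g) in members for g in os_groups):
                groups.add(group)
        return groups

    def effective_permissions(self, user, os_groups, host):
        """Union of the permissions of every group the user belongs to."""
        perms = set()
        for group in self.groups_of(user, os_groups, host):
            perms |= self.permissions[group]
        return perms


def build_example():
    am = AccessManagement(az_host="azserver.example.com")
    # A constructed subset of the default permissions tabulated later
    # in this chapter.
    am.new_user_group("NBU_Operator", {"Jobs:Suspend job", "Media:Move media",
                                       "Robots:Inventory robot"})
    am.new_user_group("Vault_Operator", {"Reports:Read report",
                                         "Robots:Inventory robot"})
    am.add_member("NBU_Operator", "user", "olivia")        # explicit OS user
    am.add_member("NBU_Operator", "osgroup", "backupops")  # explicit OS group
    am.add_member("Vault_Operator", "user", "olivia")      # second group
    return am
```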
(Figure: two user groups, User_Group_1 and User_Group_2, each with its own Users. Users can
belong in more than one user group; nested user groups are not allowed.)
▼ To add a new user to a user group
1. As a member of the NBU_Security Admin user group (or equivalent), expand Access
Management > NBU User Groups.
2. Double-click on the user group to which you wish to add a user.
3. Select the Users tab and click New User.
4. Enter the user name and the authentication domain. Select the domain type of the
user: NIS, NIS+, PASSWD, Windows or Vx. See the VERITAS Security Services
Administrator’s Guide for more information on domain types. For the User Type, select
whether the user is an individual user or an OS domain.
5. Click OK. The name is added to the Assigned Users list.
Permissions Tab
The Permissions tab contains a list of NetBackup authorization objects and configurable
permissions associated with each object.
Authorization Objects and Permissions List
Select an authorization object, then place a check in front of a permission that you want
to grant the members of the user group currently selected.
When a user group is copied to create a new user group, the permission settings are
copied as well.
Permissions for Default NetBackup User Groups
The permissions granted to users in each of the five default user groups correlate to the
name of the user group.
In the following tables:
◆ X indicates that the specified user group has permission to perform the activity.
◆ --- indicates that the user group does not have permission to perform the activity.
Backup, Archive, and Restore (BAR) Client Interface
The table below shows the permissions associated with the BAR authorization object for
the five default NetBackup user groups. BAR includes only Access and Operate
permission sets, and does not include a Configure permission set.
In the NetBackup Administration Console, BAR is accessed by selecting File > Backup, Archive, and Restore.
Backup, Archive, and Restore Permission Defaults
Set      Activity          Sec Admin  NBU_Admin  NBU_Operator  NBU_User  Vault_Operator
Access   Read              ---        X          X             X         X
         Browse            ---        X          X             X         X
Operate  Backup            ---        X          X             X         X
         Restore           ---        X          X             X         ---
         Alternate client  ---        X          X             ---       ---
         List              ---        X          X             X         X
         DB Agent          ---        X          ---           ---       ---
         Admin Access      ---        X          ---           ---       ---
License Permissions
The table below shows the permissions associated with the License authorization object
for the five default NetBackup user groups.
In the NetBackup Administration Console, the license dialog is accessed by selecting Help
> License Keys.
License Permission Defaults
Set        Activity        Sec Admin  NBU_Admin  NBU_Operator  NBU_User  Vault_Operator
Access     Read license    ---        X          ---           ---       ---
           Browse license  ---        X          ---           ---       ---
Configure  New             ---        X          ---           ---       ---
           Delete          ---        X          ---           ---       ---
Operate    Assign license  ---        X          ---           ---       ---
Jobs Tab in the Activity Monitor Permissions
The table below shows the permissions associated with the Jobs tab authorization object
for the five default NetBackup user groups.
The Jobs tab is found in the NetBackup Administration Console under NetBackup Management > Activity Monitor > Jobs tab.
Jobs Tab Permission Defaults
Set        Activity     Sec Admin  NBU_Admin  NBU_Operator  NBU_User  Vault_Operator
Access     Read job     ---        X          X             ---       ---
           Browse job   ---        X          X             ---       ---
Configure  Delete job   ---        X          X             ---       ---
           New job      ---        X          X             ---       ---
Operate    Suspend job  ---        X          X             ---       ---
           Resume job   ---        X          X             ---       ---
           Restart job  ---        X          X             ---       ---
           Cancel job   ---        X          X             ---       ---
Permissions in the Device Monitor
The table below shows the permissions associated with the Device Monitor authorization
object for the five default NetBackup user groups.
The Device Monitor is found in the NetBackup Administration Console under Media and Device Management.
Device Monitor Permission Defaults
Set        Activity            Sec Admin  NBU_Admin  NBU_Operator  NBU_User  Vault_Operator
Access     Read device host    ---        X          X             ---       ---
           Browse device host  ---        X          X             ---       ---
Configure  New                 ---        X          ---           ---       ---
           Delete              ---        X          ---           ---       ---
Operate    Up drive            ---        X          X             ---       ---
           Down drive          ---        X          X             ---       ---
           Reset drive         ---        X          X             ---       ---
Daemons Tab Permissions in the Activity Monitor
The table below shows the permissions associated with the Daemons tab authorization
object for the five default NetBackup user groups. The Daemons tab includes only Access
and Operate permission sets, and does not include a Configure permission set.
The Daemons tab is found in the NetBackup Administration Console under NetBackup Management > Activity Monitor > Daemons tab.
Daemons Tab Permission Defaults
Set      Activity     Sec Admin  NBU_Admin  NBU_Operator  NBU_User  Vault_Operator
Access   Read         ---        X*         X             ---       ---
         Browse       ---        X*         X             ---       ---
Operate  Stop daemon  ---        X**        X             ---       ---
* The Read and Browse permissions do not have an effect on the Daemons tab. This
information is harvested from the server using user level calls to access the process list
and is displayed to all users for informational purposes.
** If a user is not a member of the NBU_Admin user group, but is logged on as an OS
administrator (root), the user will be able to restart a daemon from the command line
only:
/etc/init.d/netbackup start
If a user is a member of the NBU_Admin user group, but is not logged on as an OS
administrator (root), the user will not be able to restart a daemon from the NetBackup
Administration Console or from the command line.
Reports Permissions
The table below shows the permissions associated with the Reports authorization object
for the five default NetBackup user groups. Reports includes only the Access permission
set, and does not include a Configure or Operate permission set.
Reports is found in the NetBackup Administration Console under NetBackup
Management > Reports.
Reports Permission Defaults
Set     Activity       Sec Admin  NBU_Admin  NBU_Operator  NBU_User  Vault_Operator
Access  Read report    ---        X          ---           ---       X
        Browse report  ---        X          ---           ---       X
Policy Permissions
The table below shows the permissions associated with the Policy authorization object for
the five default NetBackup user groups.
Policy is found in the NetBackup Administration Console under NetBackup
Management > Policies.
Policy Permission Defaults
Set        Activity           Sec Admin  NBU_Admin  NBU_Operator  NBU_User  Vault_Operator
Access     Read policy        ---        X          X             ---       ---
           Browse policy      ---        X          X             ---       ---
Configure  New policy         ---        X          ---           ---       ---
           Delete policy      ---        X          ---           ---       ---
Operate    Activate policy    ---        X          ---           ---       ---
           Deactivate policy  ---        X          ---           ---       ---
           Backup (manually)  ---        X          X             ---       ---
Storage Units Permissions
The table below shows the permissions associated with the Storage Unit authorization
object for the five default NetBackup user groups.
Storage Units is found in the NetBackup Administration Console under NetBackup
Management > Storage Units.
Storage Unit Permission Set Defaults
Set        Activity             Sec Admin  NBU_Admin  NBU_Operator  NBU_User  Vault_Operator
Access     Read storage unit    ---        X          ---           ---       ---
           Browse storage unit  ---        X          ---           ---       ---
Configure  New storage unit     ---        X          ---           ---       ---
           Delete storage unit  ---        X          ---           ---       ---
Operate    Assign storage unit  ---        X          ---           ---       ---
Storage Unit Groups Permissions
The table below shows the permissions associated with the Storage Unit Groups
authorization object for the five default NetBackup user groups.
Storage Unit Groups is found in the NetBackup Administration Console under
NetBackup Management > Storage Unit Groups.
Storage Unit Groups Permission Set Defaults
Set        Activity                   Sec Admin  NBU_Admin  NBU_Operator  NBU_User  Vault_Operator
Access     Read storage unit group    ---        X          ---           ---       ---
           Browse storage unit group  ---        X          ---           ---       ---
Configure  New storage unit group     ---        X          ---           ---       ---
           Delete storage unit group  ---        X          ---           ---       ---
Operate    Assign storage unit group  ---        X          ---           ---       ---
Catalog Permissions
The table below shows the permissions associated with the Catalog authorization object
for the five default NetBackup user groups.
Catalog is found in the NetBackup Administration Console under NetBackup
Management > Catalog.
Catalog Permission Set Defaults
Set        Activity                             Sec Admin  NBU_Admin  NBU_Operator  NBU_User  Vault_Operator
Access     Read catalog                         ---        X          ---           ---       ---
           Browse catalog                       ---        X          ---           ---       ---
Configure  Online, hot catalog backup           ---        X          ---           ---       ---
           Offline, cold catalog backup         ---        X          ---           ---       ---
           Delete                               ---        X          ---           ---       ---
           Expire                               ---        X          ---           ---       ---
Operate    Verify catalog                       ---        X          ---           ---       ---
           Duplicate catalog                    ---        X          ---           ---       ---
           Import catalog                       ---        X          ---           ---       ---
           Set Primary Copy                     ---        X          ---           ---       ---
           Backup (online, hot method)          ---        X          ---           ---       ---
           Backup (offline, cold method)        ---        X          ---           ---       ---
           Recover online, hot catalog backup   ---        X          ---           ---       ---
           Recover offline, cold catalog backup ---        X          ---           ---       ---
           Read configuration                   ---        X          ---           ---       ---
           Set configuration                    ---        X          ---           ---       ---
Host Properties Permissions
The table below shows the permissions associated with the Host Properties authorization
object for the five default NetBackup user groups.
Host Properties is found in the NetBackup Administration Console under NetBackup
Management > Host Properties.
Host Properties Permission Set Defaults
Set        Activity               Sec Admin  NBU_Admin  NBU_Operator  NBU_User  Vault_Operator
Access     Read host properties   ---        X          X             ---       ---
           Browse host properties ---        X          X             ---       ---
Configure  New host properties    ---        X          ---           ---       ---
           Delete host properties ---        X          ---           ---       ---
Media Permissions
The table below shows the permissions associated with the Media authorization object for
the five default NetBackup user groups.
Media is found in the NetBackup Administration Console under Media and Device
Management > Media.
Media Permission Set Defaults
Set        Activity         Sec Admin  NBU_Admin  NBU_Operator  NBU_User  Vault_Operator
Access     Read media       ---        X          X             ---       X
           Browse media     ---        X          X             ---       X
Configure  New media        ---        X          ---           ---       ---
           Delete media     ---        X          ---           ---       ---
           Expire media     ---        X          ---           ---       ---
Operate    Update barcode   ---        X          X             ---       X
           Inject media     ---        X          X             ---       X
           Eject media      ---        X          X             ---       X
           Move media       ---        X          X             ---       X
           Assign media     ---        X          X             ---       X
           Deassign media   ---        X          X             ---       X
           Update database  ---        X          X             ---       X
Volume Group Permissions
The table below shows the permissions associated with the Volume Group authorization
object for the five default NetBackup user groups.
Volume Group is found in the NetBackup Administration Console under Media and
Device Management > Media > Volume Groups.
Volume Group Permission Set Defaults
Set        Activity             Sec Admin  NBU_Admin  NBU_Operator  NBU_User  Vault_Operator
Access     Read volume group    ---        X          X             ---       ---
           Browse volume group  ---        X          X             ---       ---
Configure  New volume group     ---        X          ---           ---       ---
           Delete volume group  ---        X          ---           ---       ---
Volume Pools Permissions
The table below shows the permissions associated with the Volume Pools authorization
object for the five default NetBackup user groups.
Volume Pools is found in the NetBackup Administration Console under Media and
Device Management > Media > Volume Pools.
Volume Pools Permission Set Defaults
Set        Activity            Sec Admin  NBU_Admin  NBU_Operator  NBU_User  Vault_Operator
Access     Read volume pool    ---        X          X             ---       ---
           Browse volume pool  ---        X          X             ---       ---
Configure  New volume pool     ---        X          ---           ---       ---
           Delete volume pool  ---        X          ---           ---       ---
Operate    Assign volume pool  ---        X          ---           ---       ---
Robots Permissions
The table below shows the permissions associated with the Robots authorization object
for the five default NetBackup user groups.
Robots is found in the NetBackup Administration Console under Media and Device
Management > Media > Robots.
Robots Permission Set Defaults
Set        Activity         Sec Admin  NBU_Admin  NBU_Operator  NBU_User  Vault_Operator
Access     Read robot       ---        X          X             ---       X
           Browse robot     ---        X          X             ---       X
Configure  New robot        ---        X          ---           ---       ---
           Delete robot     ---        X          ---           ---       ---
Operate    Inventory robot  ---        X          X             ---       X
Device Host Permissions
The table below shows the permissions associated with the Device Host authorization
object for the five default NetBackup user groups.
Device Host is found in the NetBackup Administration Console under Media and Device
Management > Devices > Hosts.
Device Host Permission Set Defaults
Set        Activity                 Sec Admin  NBU_Admin  NBU_Operator  NBU_User  Vault_Operator
Access     Read device host         ---        X          X             ---       ---
           Browse device host       ---        X          X             ---       ---
Configure  New device host          ---        X          ---           ---       ---
           Delete device host       ---        X          ---           ---       ---
           Synchronize device host  ---        X          X             ---       ---
Operate    Stop device host         ---        X          X             ---       ---
Enhanced Authentication and Authorization
Enhanced authentication allows each side of a NetBackup connection to verify the host and
user on the other side of the connection. By default, NetBackup runs without enhanced
authentication.
Enhanced authorization determines if authenticated users (or groups of users) have
NetBackup administrative privileges. By default, NetBackup provides administrative
privileges to UNIX root administrators or Windows system administrators on
NetBackup servers. In order to use the enhanced authorization, you must configure and
enable it.
This chapter contains the following sections:
◆ “Common Configuration Elements” on page 76
◆ “Enhanced Authentication” on page 86
◆ “Enhanced Authorization” on page 95
Note Access Management and Enhanced Authorization and Authentication are
independent methods of access control. Access Management is the newest method
and will be the preferred method in future NetBackup releases. If both Access
Management and Enhanced Authorization and Authentication are configured,
Access Management takes precedence.
Note Please note that Enhanced Authorization and Authentication will be removed from
the next major release of NetBackup.
There are additional types of authorization outside of what is described in this chapter.
One of these is the appearance of MEDIA_SERVER entries in the bp.conf. The machine
listed as a MEDIA_SERVER has media server privileges only and has no administrative
privileges. For more information, see “MEDIA_SERVER” on page 140.
Another form of authorization concerns restricting administrative privileges when using
the NetBackup Java Console (jnbSA) through entries in auth.conf.
Refer to “NetBackup-Java Administration Console Architectural Overview” on page 484
in NetBackup System Administrator’s Guide, Volume I for information relevant to
understanding this topic.
Common Configuration Elements
The following sections describe elements involved in configuring enhanced
authentication and enhanced authorization.
Configuration Files
The following configuration files are used by enhanced authentication, enhanced
authorization, or both. Some may need to be modified during configuration.
Location of Configuration Files
(Table: Location of Configuration Files, with the columns Option, Enhanced
Authentication, and Enhanced Authorization.)
The order in which the methods are listed in the file is important: the method listed first
is preferred over the method listed second.
Syntax rules for methods.txt
◆ Empty lines are ignored
◆ The # character and all following characters on a line are ignored.
methods_allow.txt
The methods_allow.txt file defines the authentication methods that NetBackup
servers and clients can use.
When a client or server attempts a connection, it specifies the authentication method it is
using. The other server or client then checks its methods_allow.txt file to determine if
that method is allowed for the system that is attempting the connection. If an entry in this
file matches the host and method, the method is allowed. Otherwise, NetBackup checks
the methods_deny.txt file.
# All hosts in the ourcompany.com domain and host name
# bob.theircompany.com can use the vopie method.
vopie : .ourcompany.com, bob.theircompany.com
#
# Hosts with IP addresses in the 12.123.56 network and IP address
# 12.123.57.23 can use all methods.
ALL : 12.123.56.
ALL : 12.123.57.23
The keyword ALL is used to specify all valid methods, as in the previous example, or all
possible hosts.
The default file is empty.
◆ Each entry must be on a separate line.
◆ Empty lines are ignored.
◆ The # character and all following characters on a line are ignored.
◆ If a domain name is preceded by a dot (.), all hosts in that domain will match.
◆ If a network number is followed by a dot (.), all IP numbers in that network will
match.
◆ A comma-separated list of domain name patterns and network number patterns can
be specified on a single line.
methods_deny.txt
The methods_deny.txt file defines the authentication methods that NetBackup servers
and clients cannot use.
NetBackup checks this file only if the methods_allow.txt file does not have a
matching entry for the host and method. If a matching entry is found in
methods_deny.txt the method is not allowed and authentication is not used.
Otherwise, the method is used and authentication proceeds.
Example methods_deny.txt File
# All hosts in the ourcompany.com domain cannot use the vopie method.
vopie : .ourcompany.com
#
# Hosts with IP addresses in the 12.123.56 network cannot use all
# methods.
ALL : 12.123.56.
The default file contains only the following entry:
ALL : ALL
This means that all methods are denied for all hosts, unless it is specified otherwise in the
methods_allow.txt file.
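The allow-then-deny evaluation described in this section and the previous one, as an added Python example (not VERITAS code); the methods_allow.txt and methods_deny.txt contents it reads are constructed from the examples in this chapter, and the host names and addresses it tests are likewise constructed.

```python
# Added example, not VERITAS code: decide whether a connecting host may
# use an authentication method, following the methods_allow.txt /
# methods_deny.txt rules described above. File contents are constructed.

# Constructed methods_allow.txt contents.
ALLOW_TXT = """
# All hosts in the ourcompany.com domain and host name
# bob.theircompany.com can use the vopie method.
vopie : .ourcompany.com, bob.theircompany.com
#
# Hosts in the 12.123.56 network and the address 12.123.57.23 can use
# all methods.
ALL : 12.123.56.
ALL : 12.123.57.23
"""

# Constructed methods_deny.txt contents: the shipped default entry.
DENY_TXT = """
ALL : ALL
"""


def parse_methods_file(text):
    """Return [(method, [host patterns])] in file order.

    One entry per line, empty lines ignored, '#' to end of line ignored,
    a comma-separated list of patterns allowed on a single line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError("malformed entry: %r" % raw)
        method, patterns = line.split(":", 1)
        pats = [p.strip() for p in patterns.split(",") if p.strip()]
        entries.append((method.strip(), pats))
    return entries


def host_matches(pattern, hostname, ip):
    """Apply one host pattern to the connecting host's name and address."""
    if pattern == "ALL":                      # all possible hosts
        return True
    if pattern[0].isdigit():                  # network number or address
        if pattern.endswith("."):             # trailing dot: whole network
            return ip.startswith(pattern)
        return ip == pattern
    if pattern.startswith("."):               # leading dot: whole domain
        return hostname.lower().endswith(pattern.lower())
    return hostname.lower() == pattern.lower()


def _file_matches(entries, method, hostname, ip):
    # An entry applies when its method is the one requested or ALL, and
    # any of its host patterns matches the connecting host.
    for entry_method, patterns in entries:
        if entry_method not in ("ALL", method):
            continue
        if any(host_matches(p, hostname, ip) for p in patterns):
            return True
    return False


def method_allowed(method, hostname, ip, allow_entries, deny_entries):
    """methods_allow.txt is consulted first: a match allows the method.
    Otherwise methods_deny.txt decides: a match denies it, and with no
    match in either file the method is allowed."""
    if _file_matches(allow_entries, method, hostname, ip):
        return True
    if _file_matches(deny_entries, method, hostname, ip):
        return False
    return True


ALLOW = parse_methods_file(ALLOW_TXT)
DENY = parse_methods_file(DENY_TXT)


def evaluate(method, hostname, ip):
    """Decision for one connection attempt against the constructed files."""
    return method_allowed(method, hostname, ip, ALLOW, DENY)


if __name__ == "__main__":
    for args in (("vopie", "alice.ourcompany.com", "10.1.1.1"),
                 ("noauth", "alice.ourcompany.com", "10.1.1.1"),
                 ("noauth", "host77", "12.123.56.77"),
                 ("vopie", "host230", "12.123.57.230")):
        print(args, "->", "allowed" if evaluate(*args) else "denied")
```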