The information contained in this publication is subject to change without notice. VERITAS Software
Corporation makes no warranty of any kind with regard to this manual, including, but not limited to,
the implied warranties of merchantability and fitness for a particular purpose. VERITAS Software
Corporation shall not be liable for errors contained herein or for incidental or consequential damages
in connection with the furnishing, performance, or use of this manual.
Portions of this software are derived from the RSA Data Security, Inc. MD5 Message-Digest
Algorithm. Copyright 1991-92, RSA Data Security, Inc. Created 1991. All rights reserved.
VERITAS Software Corporation
350 Ellis Street
Mountain View, CA 94043
USA
Phone 650-527-8000
Fax 650-527-2908
www.veritas.com
Third-Party Copyrights
For a list of third-party copyrights, see the NetBackup Release Notes appendix.
NetBackup System Administrator’s Guide for UNIX and Linux, Volume II
Preface
This guide describes how to configure and manage the operation of VERITAS
NetBackup™ Server and VERITAS NetBackup Enterprise Server for UNIX and Linux
platforms. See the NetBackup Release Notes for a list of the hardware and operating system
levels that NetBackup supports.
To determine the version and release date of installed software, see the version file
located in /usr/openv/netbackup.
Getting Help
You can find answers to questions and get help from the NetBackup documentation and
from the VERITAS technical support web site.
Finding NetBackup Documentation
A list of the entire NetBackup documentation set appears as an appendix in the NetBackup
Release Notes. All NetBackup documents are included in PDF format on the NetBackup
Documentation CD.
For definitions of NetBackup terms, consult the online glossary.
▼ To access the NetBackup online glossary
1. In the NetBackup Administration Console, click Help > Help Topics.
2. Click the Contents tab.
3. Click Glossary of NetBackup Terms.
Use the scroll function to navigate through the glossary.
Accessing the VERITAS Technical Support Web Site
The address for the VERITAS Technical Support Web site is http://support.veritas.com.
The VERITAS Support Web site lets you do any of the following:
◆ Obtain updated information about NetBackup, including system requirements,
supported platforms, and supported peripherals
◆ Contact the VERITAS Technical Support staff and post questions to them
◆ Get the latest patches, upgrades, and utilities
◆ View the NetBackup Frequently Asked Questions (FAQ) page
◆ Search the knowledge base for answers to technical support questions
◆ Receive automatic notice of product updates
◆ Find out about NetBackup training
◆ Read current white papers related to NetBackup
From http://support.veritas.com, you can complete various tasks to obtain specific types
of support for NetBackup:
1. Subscribe to the VERITAS Email notification service to be informed of software alerts,
newly published documentation, Beta programs, and other services.
a. From the main http://support.veritas.com page, select a product family and a
product.
b. Under Support Resources, click Email Notifications.
Your customer profile ensures you receive the latest VERITAS technical
information pertaining to your specific interests.
2. Locate the telephone support directory at http://support.veritas.com by clicking the
Phone Support icon. A page appears that contains VERITAS support numbers from
around the world.
Note Telephone support for NetBackup is only available with a valid support
contract. To contact VERITAS for technical support, dial the appropriate phone
number listed on the Technical Support Guide included in the product box and
have your product license information ready for quick navigation to the proper
support group.
3. Contact technical support using e-mail.
a. From the main http://support.veritas.com page, click the E-mail Support icon.
A wizard guides you to do the following:
◆ Select a language of your preference
◆ Select a product and a platform
◆ Provide additional contact and product information, and your message
◆ Associate your message with an existing technical support case
b. After providing the required information, click Send Message.
Contacting VERITAS Licensing
For license information, you can contact us as follows:
◆ Call 1-800-634-4747 and select option 3
◆ Fax questions to 1-650-527-0952
◆ In the Americas, send e-mail to amercustomercare@veritas.com.
In the Asia and Pacific areas, send email to apaccustomercare@veritas.com.
In all other areas, send email to internationallicense@veritas.com.
Accessibility Features
NetBackup contains features that make the user interface easier to use by people who are
visually impaired and by people who have limited dexterity. Accessibility features
include:
◆ Support for assistive technologies such as screen readers and voice input (Windows
servers only)
◆ Support for keyboard (mouseless) navigation using accelerator keys and mnemonic
keys
For more information, see the NetBackup Installation Guide.
Comment on the Documentation
Let us know what you like and dislike about the documentation. Were you able to find the
information you needed quickly? Was the information clearly presented? You can report
errors and omissions or tell us what you would find useful in future versions of our
manuals and online help.
Please include the following information with your comment:
◆ The title and product version of the manual on which you are commenting
◆ The topic (if relevant) on which you are commenting
◆ Your comment
◆ Your name
Email your comment to NBDocs@veritas.com.
Please only use this address to comment on product documentation. See “Getting Help”
in this preface for information on how to contact Technical Support about our software.
We appreciate your feedback.
Access Management
Access to NetBackup can be controlled by defining user groups and granting explicit
permissions to these groups. Configuring user groups and assigning permissions is done
using Access Management in the NetBackup Administration Console.
This chapter discusses how to set up and manage access to NetBackup. It contains the
following sections:
◆ “NetBackup Access Management Components”
◆ “Installation Overview”
◆ “Installing and Configuring Access Control for Master Servers”
◆ “Installing and Configuring Access Control for Media Servers”
◆ “Installing and Configuring Access Control for Clients”
◆ “Installing the Authentication Service Root Broker (Root + AB)”
◆ “Installing the Authorization Server”
◆ “Configuring Access Control Host Properties”
◆ “Access Management Troubleshooting Guidelines”
◆ “Using the Access Management Utility”
◆ “Determining Who Can Access NetBackup”
Note Access Management and Enhanced Authorization and Authentication (see Chapter 2) are
independent methods of Access Control. Access Management is the newest and will
be the preferred method in future NetBackup releases. If both Access Management
and Enhanced Authorization and Authentication are configured, Access
Management takes precedence.
Note If some media servers are not configured with access control,
non-root/non-administrator users will not be able to manage those servers.
NetBackup Access Management Components
NetBackup uses the VERITAS Security Services (VxSS) to help implement core security.
VxSS is a set of shared VERITAS infrastructure services, installed from one of the
infrastructure common services CDs containing VxSS for your platform. The CDs are
packaged as part of NetBackup.
Note NetBackup Access Management relies on the use of home directories. Please see the
documentation for your operating system for more information on home
directories.
Note In order for members of the NBU_Operator user group to continue viewing media
and device information, run the following command:
bpnbaz -UpGrade60
Running this command brings the NetBackup 5.x permissions for the
NBU_Operator user group up to the expected configuration for 6.0.
VxSS Components
When you install VxSS, you’re installing and configuring the following services and client
software:
◆ Authentication (At Server, At Client)
Authentication is the process of proving your identity to the VxSS system.
Authentication is accomplished by communicating with the daemon which, in turn,
validates your identity with the operating system.
For more information on authentication or the authentication daemon (vxatd), see
the VERITAS Security Services Administrator’s Guide found on one of the infrastructure
common services CDs containing VxSS for your platform.
◆ Authorization (Az Server, Az Client)
Authorization is the process of verifying that an identity has permission to perform
the desired action. NetBackup verifies permissions with the authorization daemon for
most actions. In many cases, NetBackup alters what information is accessible from the
command line and Administration Console.
For more information on authorization or the authorization daemon (vxazd), see the
VERITAS Security Services Administrator’s Guide found on one of the infrastructure
common services CDs containing VxSS for your platform.
Root Broker
A Root Broker is a NetBackup server that has VxSS Authentication Server installed and is
configured to be a Root Broker. There is always one Root Broker in every NetBackup
Access Management configuration.
The Root Broker acts as the most trusted certificate authority, implementing a registration
authority for Authentication Brokers, as well as itself.
While a Root Broker can authenticate an Authentication Broker, an Authentication Broker
cannot authenticate a Root Broker.
In many cases, the Root Broker will also be an Authentication Broker. This chapter
describes installing VxSS services, then it describes configuring the NetBackup server to
be a Root Broker and an Authentication Broker (Root Broker + AB). For more information
on the authentication Root Broker, see the VERITAS Security Services Administrator’s Guide
found on one of the infrastructure common services CDs containing VxSS for your
platform.
Authentication Brokers
An Authentication Broker is a server that has VxSS Authentication Server installed. This
machine is part of the Root Broker’s private Access Management domain. An
Authentication Broker can authenticate clients, but not other brokers.
A member of the NetBackup Security Administrator user group can choose which
Authentication Broker a client should contact for authentication. (See “Example
Configuration Containing Windows Systems Only” on page 29 or “Example
Configuration Containing UNIX Systems Only” on page 35 for a depiction of this
configuration.)
For example:
◆ A Windows 2000 client uses a Windows Authentication Broker for authentication.
◆ A UNIX client uses a UNIX Authentication Broker for authentication.
For more information on authentication brokers, see the VERITAS Security Services
Administrator’s Guide found on one of the infrastructure common services CDs
containing VxSS for your platform.
Security Administrator
The user who installs and configures VxSS software for use with NetBackup Access
Management is, by default, a member of the NBU_Security Admin user group. This
chapter will refer to a member of the NBU_Security Admin group as a Security
Administrator. Users can be added to the group, but there are usually few members.
Members of the NBU_Security Admin user group are the only users who can view the
contents of Access Management > Users and Access Management > NBU User Groups
in the NetBackup Administration Console. Security Administrators are the only users
allowed to create user groups, assign users to the groups, and define permissions for the
groups. However, Security Administrators, by default, do not have permission to perform
any other NetBackup administration activities. (See “Security Administrator
(NBU_Security Admin)” on page 58.)
Installation Overview
For a detailed installation description, see “Installing and Configuring Access Control
for Master Servers” on page 8.
Order for Installation
1. Complete all NetBackup master server installations:
a. Complete Root + AB installation of VxSS Authentication server.
b. Complete VxSS Authorization server installation.
c. Configure master servers for NetBackup Access Control. See “Installing and
Configuring Access Control for Master Servers” on page 8.
2. Complete all NetBackup media server installations, then configure media servers for
NetBackup Access Control. See “Installing and Configuring Access Control
for Media Servers” on page 12.
3. Complete all NetBackup client installations, then configure clients for NetBackup
Access Control. See “Installing and Configuring Access Control for Clients” on
page 15.
Order for Upgrade
Use the following order for upgrading any NetBackup machine that uses NetBackup
Access Control.
1. Stop NetBackup.
2. Upgrade VxSS.
3. Configure Access Control on the NetBackup machines. See:
◆ “Installing and Configuring Access Control for Master Servers” on page 8.
◆ “Installing and Configuring Access Control for Media Servers” on page 12.
◆ “Installing and Configuring Access Control for Clients” on page 15.
Including VxSS Databases in the NetBackup Catalog Backup
In NetBackup environments which use the online, hot catalog backup method, no
additional configuration is needed in order to include the VxSS Authorization and
Authentication databases in the catalog backup.
In environments which use the offline, cold catalog backup method, one additional step is
required:
Within the NetBackup Catalog Wizard or on the Files tab of the offline catalog configuration
dialog, add the following directives for each host in the NBAC domain:
[host:]nbat
[host:]nbaz
Note If the master server using NBAC is a UNIX machine, VERITAS recommends that
you do not include the NetBackup master server configuration file
(/usr/openv/netbackup/bp.conf) in the offline catalog backup file list. If
bp.conf is included in the list, it must not be recovered until all other catalog
recovery is completed.
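The check described above can be scripted. The following is an added example, not part of
the VERITAS manual or of NetBackup: a shell function that audits an offline catalog file
list for the nbat and nbaz directives and for bp.conf. The plain-text export (one entry per
line), the sample entries, and the rule that an unprefixed directive applies to the master
server are assumptions.

```shell
#!/bin/sh
# Added example (not VERITAS code): audit an offline (cold) catalog backup
# file list for the VxSS directives [host:]nbat and [host:]nbaz.
# Assumptions: the list is exported to plain text, one entry per line, and
# an entry without a "host:" prefix applies to the master server.

# check_catalog_list MASTER LISTFILE HOST...
# Prints one finding per line; returns 0 if the list is clean, 1 otherwise.
check_catalog_list() {
    master=$1; list=$2; shift 2
    rc=0
    for host in "$@"; do
        for directive in nbat nbaz; do
            # Accept "host:nbat" for any host in the NBAC domain.
            if grep -qxF "$host:$directive" "$list"; then
                continue
            fi
            # Accept a bare "nbat" only for the master server itself.
            if [ "$host" = "$master" ] && grep -qxF "$directive" "$list"; then
                continue
            fi
            echo "MISSING $host:$directive"
            rc=1
        done
    done
    # On a UNIX master, bp.conf should stay out of the offline file list.
    if grep -qE '^([^:]+:)?/usr/openv/netbackup/bp\.conf$' "$list"; then
        echo "WARN bp.conf listed; recover it only after all other catalog recovery"
        rc=1
    fi
    return $rc
}

# Constructed sample list using the host names from this chapter's examples.
sample=$(mktemp)
cat > "$sample" <<'EOF'
unix_master:/usr/openv/netbackup/db
unix_master:nbat
unix_master:nbaz
unix_media:nbat
unix_master:/usr/openv/netbackup/bp.conf
EOF
# Reports the missing unix_media:nbaz directive and the bp.conf entry.
check_catalog_list unix_master "$sample" unix_master unix_media || true
rm -f "$sample"
```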
VxSS Component Distribution
The VxSS components can be distributed throughout a configuration, just as NetBackup
can distribute master servers, media servers and clients.
Note Although the Authentication broker and Authorization broker can technically be
placed on any machine, VERITAS currently recommends that the root
Authentication broker and Authorization broker be placed on the NetBackup
master server. At a minimum, the root Authentication broker must reside on the
master server.
For specific VxSS installation information, refer to the VERITAS Security Services Installation Guide, found on the VxSS installation CD.
Windows Remote Administration Console (only)    At client    Az client
Java Windows Display Console (only)*            At client    None
Java Display Console                            At client    None
*The At client is required for all Java consoles. Concerning the Java Windows Display Console, the
At client must be installed on the Windows host before installing the Java Windows Display
Console. This ensures that the Windows Display Console is configured correctly to use the VxSS
component successfully.
Note While it is possible to share the Enterprise Media Manager server between multiple
master servers, this configuration is not supported when using Access Control. The
EMM server must be bound to one master server.
The following sections describe some actions you can take to verify that the components
are correctly installed in a mixed environment:
◆ “Windows Verification Points” on page 28
◆ “UNIX Verification Points” on page 35
◆ “Verification Points in a Mixed Environment with a UNIX Master Server” on page 41
◆ “Verification Points in a Mixed Environment with a Windows Master Server” on
page 46
Installing and Configuring Access Control for Master Servers
The following steps describe configuring NetBackup Access Control for the master server
in a NetBackup configuration. A master server requires Authentication Server and Client
software and Authorization Server and Client software.
Throughout this chapter, in the configuration examples we’ll refer to the following host
names:
                  Windows       UNIX
Master Servers    win_master    unix_master
Media Servers     win_media     unix_media
Clients           win_client    unix_client
1. If this is an upgrade installation, stop NetBackup.
2. Using one of the infrastructure common services CDs containing VxSS for your
platform, install both the VxSS Authentication Server and Client software on the
master server. This master server will be a Root + AB (Authentication Broker).
See “Installing the Authentication Service Root Broker (Root + AB)” on page 18 and
the VERITAS Security Services Installation Guide on the VxSS installation CD.
3. Using one of the infrastructure common services CDs containing VxSS for your
platform, install the VxSS Authorization Server and Client software on the master
server. To do this, you must perform a custom installation.
See “Installing the Authorization Server” on page 21 and the VERITAS Security Services Installation Guide on one of the infrastructure common services CDs
containing VxSS for your platform.
4. Complete all NetBackup master server installations or upgrades.
5. Create a machine account for the master server. Make sure that the Authentication
and the Authorization services are running. See “UNIX Verification Points” on
page 35 or “Windows Verification Points” on page 28.
The command in this step must be run as either root (UNIX) or as a member of the
local Administrator group (Windows) on the Root+AB Authentication broker. For
more information about this step, see “Configuring Authentication on the Root Broker
for Use with NetBackup” on page 19.