nbu accss control340675
8/9/2019 nbu accss control340675
1/21
NBAC Windows Non HA
Symantec Product Authentication & Authorization tab
Authentication domain tab
Authorization Service tab
Client host properties
Access control host properties dialog for client
Symantec Product Authentication & Authorization tab for client
Authentication and authorization installation diagnostics and tools
About NBAC (NetBackup Access Control)
Access to NetBackup can be controlled by defining user groups and granting explicit permissions to these groups.
Configuring user groups and assigning permissions is done using Access Management in the NetBackup
Administration Console.
Note: You can find documents at the following Web site that can be helpful in your deployment of
NBAC. See http://entsupport.symantec.com/docs/336967.
NBAC is an implementation of role-based access control. One employs role-based access control in situations where:
- One wants to have a set of permissions for different levels of administrators for an application. A backup application can have operators (who perhaps load and unload tapes). It can have local administrators (who manage the application within one facility). And it can have overall administrators who may have responsibility for multiple sites and who determine backup policy. Note that this feature is also highly useful in preventing user errors. If junior-level administrators are restricted from certain operations, they are prevented from making inadvertent mistakes.
- One wants to separate administrators so that root permission to the system is not required to administer the system. One can then separate the administrators for the systems themselves from the ones who administer the applications.
A role-based access control like NBAC has the following:
- Authentication, supplied by the Symantec Product Authentication Service (VxAT), determines if a person or entity should be considered legitimate for any operation in the application.
- Authorization, supplied by the Symantec Product Authorization Service (VxAZ), defines the scope of what a person or entity can do (its role).
Starting checklist
This prerequisites checklist can help before you start to configure NBAC. If you have these items, your installation is likely to go more smoothly. The following contains the information for this installation:
- The software for NBU 7.0 NBAC installation can be found on the NBU DVDs.
- Remote login permission for the NetBackup Java Console (if this console is being used).
- Media servers must be configured with NBAC to enable non-root users to manage these servers.
- NetBackup Access Management relies on the use of home directories. Please refer to the OS documentation for the OS you are installing on for more details on home directories.
- No license is required for enabling NBAC.
Required specifics from your environment
- User name and password for the master server (root or administrator permission).
- Name of the master server.
- Name of all media servers that are connected to the master server.
- Name of all clients to be backed up.
- Host name or IP address for all items listed above.
Note: Host names should be resolvable to a valid IP address.
Use ping or traceroute as one of the tools to ensure you can see the hosts. Using these commands ensures that you have not configured a firewall or other obstruction to block access.
- List of all Symantec applications and revision levels that are located on your master servers. This includes Storage Foundation, CC Storage, etc. This is for ensuring that the proper levels of AT are installed. It is assumed that there is no clustering software on the master servers.
NetBackup: Planning the upgrade to 7.0
Determine the plan for upgrading master servers, media servers and clients to NBU 7.0 as follows:
- The minimum upgrade is to move to an NBU 7.0 master server. One can then add media servers and/or clients.
- Some features are provided by upgrading master servers, some by media servers, and some by upgrading clients. Determine the features needed.
- A NetBackup 7.0 master server can support both 6.5 and 7.0 media servers and clients.
- Put together a plan of planned upgrades. Deployment can be stepwise if required.
Note: NetBackup access management relies on the use of home directories. Please see the
documentation for your operating system for more information on home directories.
NBAC Security Administrator
The user who installs and configures Symantec Product Authentication Service and Symantec Product Authorization
Service software for NetBackup Access Management specifies a user account. That account becomes the first
member of the NBU Security Admin user group. This chapter refers to a member of the NBU Security Admin group
as a security administrator. Users can be added to the group, which typically has few members.
Members of the NBU Security Admin user group are the only users who can view the contents of Access
Management > Users and Access Management > NBU User Groups. This group is in the NetBackup
Administration Console. Security administrators are the only users allowed to create user groups, assign users to the
groups, and define permissions for the groups. By default security administrators do not have permission to perform
any other NetBackup administration activities.
Note: The administrator group (Windows) or root (UNIX) is always a member of the NBU Security
Admin group. They are a member on the system where the authorization daemon service runs
(master server).
NBAC installation sequence
For information on the NBAC installation sequence, refer to this procedure.
Use the following NBAC installation sequence.
1. Complete Root + AB installation of the Symantec Product Authentication Service on the master server. See the "Installing or upgrading the Symantec Product Authentication Service" sections.
2. Complete Symantec Product Authorization Service server installation on the master server. See the "Installing or upgrading the Symantec Product Authorization Service" sections.
3. Configure the master server for NetBackup Access Control. See "Installing and configuring access control on stand alone master servers".
Note: The master server can be installed in a stand alone mode or in a highly available configuration on a cluster.
4. Complete your media server binary installation; then configure media servers for NetBackup Access Control. See "Installing and configuring access control on media servers".
5. Complete all NetBackup client installations, then configure clients for NetBackup Access Control. See "Installing and configuring access control on clients".
Symantec Product Authentication Service and Symantec Product Authorization Service component distribution
The Symantec Product Authentication Service and Symantec Product Authorization Service should be installed on
the master server. No additional components are needed on media or clients.
For further information on Symantec Product Authentication Service and Symantec Product Authorization Service
refer to the following Tech PDF at the Symantec support site: http://entsupport.symantec.com/docs/336967. This
Tech PDF provides information to help organizations securely deploy Symantec products in individual and multiple
product environments and can be accessed on the web.
Note: While possible to share the Enterprise Media Manager server between multiple master servers,
this configuration is not supported for access control. The EMM server must be bound to one
master server.
Installing or upgrading the Symantec Product Authentication Service in Root + AB mode on Windows platform
On a Windows platform, you can install or upgrade the Symantec Product Authentication Service in Root+AB mode
interactively, using the VxSSVRTSatSetup.exe.
To install or upgrade the Symantec Product Authentication Service in Root + AB mode on
Windows platform use the following procedure.
6. Log on as administrator on the machine where you want to install.
7. Confirm that the machine uses the NTFS file system. FAT does not provide any file system security and hence compromises the security of the Symantec Product Authentication Service.
8. Open Explorer (Start > Explore) and navigate to the Authentication folder on the installation disc: CD-ROM_ROOT\Addons\x86\ICS\Authentication
9. Run VxSSVRTSatSetup.exe.
Note: When an older version of the authentication service is already installed, there is a confirmation prompt to upgrade it. Select Yes and complete the installation.
10. When the opening InstallShield Wizard screen is displayed, click Next.
11. When the Setup Type screen is displayed, select Complete, and click Next.
12. Complete the Authentication Broker Service Options screen:
- Select Root + Authentication Broker as broker mode. See "Installing the Symantec Product Authentication Service in AB mode on Windows platform".
- If you want to enable clustering, click the Service is clustered checkbox and type in the cluster name. The cluster name is case sensitive.
- Indicate whether the service is to be started manually or automatically and whether it is to be started immediately after installation.
When you have completed your selections, click Next.
13. When the Summary screen is displayed, click Next.
14. When the Root \ Authentication Password screen is displayed, enter a password of eight or more characters for the root broker and the authentication broker. Click Next to continue.
15. After the files are copied, the InstallShield Wizard Maintenance Complete screen is displayed. Click Finish.
Installing or upgrading the Symantec Product Authorization Service on Windows platform
To install or upgrade the Symantec Product Authorization Service on Windows platform
use the following procedure.
16. Log on as administrator on the master server.
17. Navigate to the Authorization folder on the installation disc: CD-ROM_ROOT\Addons\x86\ICS\Authorization
18. Double-click the VRTSazSetup.exe file in the Authorization folder.
19. When the InstallShield Wizard screen is displayed, click Next.
Note: If there is an older version of the authorization service already installed, then there is a confirmation prompt to upgrade it. Select Yes and complete the installation.
20. When the Setup Type screen is displayed, select Custom, and then click Next.
21. When the Choose Destination Location screen is displayed, click Browse, and select the location where you want to install AZ. However, it is recommended to install AZ in the default location. Click Next to continue.
22. When the Select Features screen is displayed, click Next.
23. When the Question screen is displayed, click No to install the Symantec Product Authorization Service on Windows in Read-Write mode.
24. When the Start Copying Files screen is displayed, click Next to begin the installation, and then allow the installation to complete.
25. When the InstallShield Wizard Complete screen is displayed, click Finish.
Connection validation to media servers and clients
Before proceeding, Symantec recommends validating the connections between the master server and the media servers and clients. A set of OS commands and one NetBackup command are useful for this first level of troubleshooting and validation. The OS commands are ping, traceroute and telnet. The NetBackup command is bpclntcmd. Use these commands to establish that the hosts can communicate with each other. A complete troubleshooting section is found later in this chapter.
NBAC configuration overview
This section contains recommendations for configuring NBAC using the bpnbaz command. This command is
available under the NETBACKUP_INSTALL_PATH/bin/admincmd directory.
The bpnbaz utility has been upgraded so that it needs to be run from only the master server. You do not need to log
into each NetBackup 7.0 media server and client to configure access control. For configuring access control for
NetBackup pre-7.0 media and client hosts, refer to Configuring access control for back revision hosts. A summary
reference is provided for the command beneath this section. This section provides an example of using these
commands with specific details on recommended usage. Note that the services should be restarted on each of the
servers and clients once configured.
Since the configuration is done from the master server, assure that operational communications links exist between
the master server, the media servers, and the clients. You can review the prerequisites list earlier in this chapter.
Review the list to ensure that you have noted all the associated media servers, clients, and the addresses to
communicate with them.
A complete troubleshooting section is found later in this chapter. A set of OS commands and one NetBackup
command is useful for the first level of troubleshooting. The OS commands are ping, traceroute and telnet.
The NetBackup command is bpclntcmd. Use these commands to establish that the hosts can communicate with
each other.
Installing and configuring access control on stand alone master servers
The following procedures describe installing and configuring NetBackup Access Control on master servers installed on a single machine. A master server requires an authentication server and an authorization server.
Table 5-1, Example host names, describes the host names for the configuration examples that are used throughout this chapter.
Table 5-1 Example host names
Host name        Windows      UNIX
Master servers   win_master   unix_master
Media servers    win_media    unix_media
Clients          win_client   unix_client
Use the following procedure to install and configure access control on master servers.
1. If this installation is an upgrade installation, stop NetBackup.
2. You have already used the Infrastructure Common Services DVDs. You have used these DVDs to install the Symantec Product Authentication Service and Symantec Product Authorization Service Root + AB for your platform.
3. Complete all NetBackup master server installations or upgrades.
4. Run the bpnbaz -setupmaster command. When asked to continue, enter y. Enter the current user password. The system then begins gathering configuration information and setting up authorization information.
5. Restart NetBackup services on this machine after the bpnbaz -setupmaster command completes successfully.
6. Proceed to setting up the media servers. See "Installing and configuring access control on media servers".
Installing and configuring access control on NBU 7.0 media servers (Windows or UNIX)
The following steps describe installing and configuring NetBackup Access Control on media servers in a NetBackup
configuration. These steps are needed for media servers that are not co-located with the master server. The target
media server should be running NetBackup server software version 7.0 or higher.
Use the following procedure to configure access control on media servers.
1. Log into the target media server machine.
2. If this installation is an upgrade installation, stop NetBackup.
3. Complete all NetBackup 7.0 media server installations or upgrades.
4. Log into the master server machine as UNIX root or Windows Administrator.
5. Check that both the authentication daemon (vxatd) and the authorization daemon (vxazd) are running. If they are not running, first start the authentication daemon. Then start the authorization daemon. See "Starting authentication and authorization daemon services".
6. Go to the NETBACKUP_INSTALL_PATH/bin directory.
7. Log on as the NetBackup security administrator using the following command: bpnbat -Login. The following information is displayed:
Note: The UNIX root users on the master server are the default NetBackup security administrators.
Authentication Broker [master.server.com is default]:
Authentication port [0 is default]:
Authentication type (NIS, NISPLUS, WINDOWS, vx, unixpwd) [unixpwd is default]:
Domain [master.server.com is default]:
Login Name [root is default]:
Password:
Operation completed successfully.
8. The bpnbaz -SetupMedia command has a number of options. This command does not work without an extension for either the individual host or the -all option. See "NBAC configure commands summary".
9. It is recommended to do a dry run of the configuration first, with the -dryrun option. It can be used with both -all and single server configuration. By default, the discovered host list is written to the file SetupMedia.nbac. You can also provide your own output file name using the -out option. If you use your own output file, then it should be passed for the subsequent runs with the -file option. The dry-run command would look something like the following: bpnbaz -SetupMedia -all -dryrun [-out ] or bpnbaz -SetupMedia -dryrun [-out ].
10. If all the media servers you want to update are in the file written by the -dryrun option, you can proceed with the -all command to do them all at once. For example, you can use: bpnbaz -SetupMedia -all or bpnbaz -SetupMedia -file . Note that the -all option updates all the media servers seen each time it runs. If you want to run it for a selected set of media servers, you can do that. Keep only the media server host names that you want to configure in a file, and pass that file using the -file option. This input file would be either SetupMedia.nbac or the custom file name you provided with the -out option in the previous dry run. For example you may have used: bpnbaz -SetupMedia -file SetupMedia.nbac. For configuring a single media server, specify the media server host name as the option. For example use: bpnbaz -SetupMedia .
11. Restart NetBackup services on the target media servers after the command completes successfully. It sets up NBAC on the target hosts. If the configuration of some target hosts did not complete, you can check the output file. Proceed to the access control configuration for the client hosts after this step. See "Installing and configuring access control on clients".
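The dry-run and -file workflow of steps 9 and 10 (and the same workflow with bpnbaz -SetupClient in the client procedure later in this chapter, where hosts that succeed are commented out of the progress file for the next run) can be modelled offline. The following is an added example written for this page, not NetBackup's own code. It assumes that the progress file (SetupMedia.nbac or SetupClient.nbac) holds one host name per line, that a completed host is recorded by commenting its line out with a leading '#', and it replaces the real per-host bpnbaz work with an injected configure function so it runs without a NetBackup installation.

```python
"""Offline model of the bpnbaz -SetupMedia / -SetupClient -dryrun -> -file workflow.

Assumptions (this is an added example, not NetBackup code):
  * the progress file (SetupMedia.nbac / SetupClient.nbac) holds one host
    name per line;
  * a host that succeeded is recorded by commenting its line out with '#';
  * the real per-host bpnbaz step is replaced by an injected callable.
"""
from __future__ import annotations

import tempfile
from pathlib import Path
from typing import Callable, Iterable

COMMENT = "#"


def parse_progress_file(text: str) -> tuple[list[str], list[str]]:
    """Split the file into (pending, done) host lists.

    Blank lines are skipped; a line starting with '#' is treated as a host
    that was configured successfully in an earlier run (assumed convention).
    """
    pending: list[str] = []
    done: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(COMMENT):
            name = line.lstrip(COMMENT).strip()
            if name:
                done.append(name)
        else:
            pending.append(line)
    return pending, done


def dry_run(discovered: Iterable[str], out: Path) -> list[str]:
    """Equivalent of -dryrun: write the discovered hosts to the output file
    without touching any host. Returns the de-duplicated, sorted host list so
    the operator can review it before the real run."""
    hosts = sorted({h.strip() for h in discovered if h.strip()})
    out.write_text("".join(f"{h}\n" for h in hosts))
    return hosts


def configure_from_file(path: Path, configure: Callable[[str], bool]) -> dict[str, bool]:
    """One run with '-file <path>': try every pending host, then rewrite the
    file with successful hosts commented out so the next run only retries the
    failures. Returns {host: succeeded} for the hosts attempted in this run."""
    results: dict[str, bool] = {}
    out_lines: list[str] = []
    for raw in path.read_text().splitlines():
        line = raw.strip()
        if not line or line.startswith(COMMENT):
            out_lines.append(raw)  # blank or already done: keep unchanged
            continue
        ok = configure(line)
        results[line] = ok
        out_lines.append(f"{COMMENT} {line}" if ok else line)
    path.write_text("\n".join(out_lines) + "\n")
    return results


def simulate_rollout(discovered: Iterable[str], configure: Callable[[str], bool],
                     max_runs: int = 5) -> tuple[int, list[str], list[str]]:
    """End-to-end offline run: dry run into a temporary progress file, then
    repeat the file-based run until nothing is pending or max_runs is hit.
    Returns (runs performed, hosts still pending, hosts done)."""
    with tempfile.TemporaryDirectory() as tmp:
        progress = Path(tmp) / "SetupClient.nbac"
        dry_run(discovered, progress)
        runs = 0
        while runs < max_runs:
            pending, _ = parse_progress_file(progress.read_text())
            if not pending:
                break
            configure_from_file(progress, configure)
            runs += 1
        pending, done = parse_progress_file(progress.read_text())
    return runs, pending, done


def flaky_configure(fail_once: set[str]) -> Callable[[str], bool]:
    """Constructed stand-in for the per-host bpnbaz step: hosts named in
    fail_once fail on their first attempt (for example, unreachable at the
    time) and succeed on the retry."""
    attempts: dict[str, int] = {}

    def configure(host: str) -> bool:
        attempts[host] = attempts.get(host, 0) + 1
        return not (host in fail_once and attempts[host] == 1)

    return configure


if __name__ == "__main__":
    # Constructed inventory using the chapter's example host names plus a
    # duplicate entry, as a dry run might discover them.
    discovered = ["win_client", "unix_client", "win_client"]
    runs, pending, done = simulate_rollout(discovered, flaky_configure({"win_client"}))
    print(f"runs={runs} pending={pending} done={done}")
```

Because every run rewrites the file and only uncommented hosts are retried, the same command can be repeated until the pending list is empty, and the file itself records which hosts still need attention after a partial failure.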
Installing and configuring access control on NBU 7.0 clients (Windows or UNIX)
The following steps describe installing and configuring NetBackup Access Control on clients in a NetBackup
configuration. The target client should be running NetBackup client software version 7.0 or higher.
Use the following procedure to configure access control on clients.
1. Make sure that no backups are currently running for the client machine.
2. Stop NetBackup on the clients. Complete any remaining installation steps of the NetBackup client software.
3. Log into the master server machine as the UNIX root or as Windows administrator.
4. Check that the authentication daemon (vxatd) is running. If not, start the authentication daemon. See "Stopping authentication and authorization daemon services".
5. Go to the NBU_INSTALL_PATH/bin directory.
6. Log on as the NetBackup security administrator using the following command: bpnbat -Login. The following information is displayed.
Note: The UNIX root users on the master server are the default NetBackup security administrators.
Authentication Broker [master.server.com is default]:
Authentication port [0 is default]:
Authentication type (NIS, NISPLUS, WINDOWS, vx, unixpwd) [unixpwd is default]:
Domain [master.server.com is default]:
Login Name [root is default]:
Password:
Operation completed successfully.
7. Run bpnbaz -SetupClient with the described options. Note that this command does not work without an extension for either the individual host or the -all option. See "NBAC configure commands summary".
8. First do a dry run to see all the clients visible to the master server. Use this process for companies that have a large number of clients (greater than 250). The -dryrun option can be used with both -all and single client configuration. By default, the discovered host list is written to the file SetupClient.nbac in the same directory. You can also provide your own output file name using the -out option. If you use your own output file, then it should be passed for the subsequent runs with the -file option. For example you can use: bpnbaz -SetupClient -all -dryrun [-out ] or bpnbaz -SetupClient -dryrun [-out ].
9. After the dry run, check the client host names and run the same command without the -dryrun option. For example use: bpnbaz -SetupClient -all or bpnbaz -SetupClient -file SetupClient.nbac or bpnbaz -SetupClient . The -all option runs with the clients known to the master server. It can take time to address all the clients in a large environment (greater than 250). The -all client listing updates the credentials on all clients. It can take some time and resources. Instead use the -file option to update a subset of the clients. You can run the same command multiple times, until all the clients in the progress file are successfully configured. The status for each client is updated in the input file. The ones that succeeded in each run are commented out for the subsequent runs. A smaller subset is left for each successive run. Use this option if you have added a number of clients (greater than 250). Target the ones you want to update at that time. The -images option with -all looks for client host names in the image catalogs. It can return decommissioned hosts in larger environments. Run the -all -dryrun options with the -images option to determine which hosts should be updated.
10. Restart the client services on the specific clients once the installation is finished.
Configuring access control for NetBackup pre-7.0 media servers and clients
You can configure the access control for NetBackup pre-7.0 media and client machines.
Use the following procedure to configure the access control for NetBackup pre-7.0 media
and client machines.
1. Install Authentication and Authorization client packages on the target machine. If the target machine is a NetBackup client, then install the authentication client only. If the target machine is a NetBackup media server, install both authentication and authorization clients. You can choose to install both client and server binaries on the target machine, but there is no need to configure the servers. You need to install the authentication and authorization packages that are available on the Infrastructure Common Services (ICS) DVDs shipped with the older NetBackup media. The authentication and authorization binaries available with NetBackup 7.0 may not be compatible with the older NetBackup media servers or clients. On UNIX platforms, use the installics utility to install the authentication and authorization packages. On Windows, use VxSSVRTSatSetup.exe and VRTSazSetup.exe. Please refer to the older NetBackup documentation for more details on how to install authentication and authorization clients.
2. Set up a credential for the target media server or the client machine.
- Log on as either root (UNIX) or as a member of the local Administrator group (Windows) on the master server.
- Make sure that the authentication and the authorization services are running on the master server.
- Create a machine account for the target media server or client machine by running the following command on the master server. On UNIX, bpnbat is located in directory /usr/openv/netbackup/bin. On Windows, bpnbat is located in directory Install_path\NetBackup\bin.
bpnbat -addmachine
Machine Name: host.domain.com
Password: *******
Password: *******
Operation completed successfully.
- Log on to the target media server or the client machine as either root (UNIX) or a member of the local Administrator group (Windows), and run the following command:
bpnbat -loginmachine
Does this machine use Dynamic Host Configuration Protocol (DHCP)? (y/n)? n
Authentication Broker: master.server.com
Authentication port [Enter = default]:
Machine Name: local.host.name --> Note: This should be the same value entered in the previous step.
Password: *******
Operation completed successfully.
Note: Repeat this step 2 for each alias or host name used by the media or client machine.
3. Enable authorization server access to the target media server host.
Note: This step is only needed for the NetBackup media servers, and not the client machines.
- Log on to the master server machine as either root (UNIX) or a member of the local Administrator group (Windows). On UNIX, bpnbaz is located in directory /usr/openv/netbackup/bin/admincmd. On Windows, bpnbaz is located in directory Install_path\NetBackup\bin\admincmd.
- Run the following command:
bpnbaz -AllowAuthorization media.server.com
Operation completed successfully
4. Set up the proper access control host properties for the target media server or the client host. For the media servers, see Master server and media server host properties. For the clients, see Client host properties.
5. Restart the NetBackup process on the target media server or the client machine.
Establishing a trust relationship between the broker and the Windows remote console
Establish a trust relationship between the master server (broker) and the administration client.
Use this procedure to establish a trust relationship between the broker and the Windows remote console.
1. From the master server, run the following command:
Install_path\Veritas\NetBackup\bin\admincmd>bpgetconfig USE_VXSS AUTHENTICATION_DOMAIN >VXSS_SETTINGS.txt
Sample output of VXSS_SETTINGS.txt:
USE_VXSS = AUTOMATIC
AUTHENTICATION_DOMAIN = "" WINDOWS 0
2. Copy VXSS_SETTINGS.txt to the administration client.
3. Run the following command from the administration client. Running this command matches the settings on the administration client with those on the broker. It sets the administration client to log on automatically to the broker.
C:\Program Files\Veritas\NetBackup\bin\admincmd>bpsetconfig "\VXSS_SETTINGS.txt"
4. Launch the Administration Console from the administration client; a request to establish a trust with the broker should occur. Once the trust is agreed to, the administration console should be available.
Including authentication and authorization databases in NetBackup hot catalog backups
In NetBackup environments using the online hot catalog backup method, no additional configuration is needed to include the Symantec Product Authentication Service and Symantec Product Authorization Service databases in the catalog backup.
Note: Hot catalog backup does not run in the NBAC mode REQUIRED.
Manually configuring access control host properties
Note: Run the bpnbaz -setupClient, bpnbaz -setupMedia, and bpnbaz -setupMaster commands to do this configuration automatically. You only need to do this configuration if you want to change defaults or add additional brokers. Also do this for the back revision media server and client hosts.
Use the following sections for manually configuring the access control host properties.
Note: You must set the master server Symantec Product Authentication Service and Symantec Product
Authorization Service property to Automatic until the clients are configured for access control.
Then change the Symantec Product Authentication Service and Symantec Product Authorization
Service property on the master server to Required.
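The staged rollout the note above describes (the master stays at Automatic until every client and media server is configured, and only then moves to Required) can be checked before the switch is made. The following added example is not NetBackup code: it parses the "KEY = VALUE" lines that bpgetconfig writes, in the form shown in the VXSS_SETTINGS.txt sample earlier in this chapter, and applies the rule to a constructed inventory of per-host output. A host whose output carries no USE_VXSS value stands for a host not yet configured for access control; the host names and their settings are constructed for the example.

```python
"""Pre-flight check for moving a master server's USE_VXSS from AUTOMATIC to
REQUIRED. Added example, not NetBackup code. Assumes bpgetconfig output in the
'KEY = VALUE' form shown in VXSS_SETTINGS.txt and a constructed inventory."""
from __future__ import annotations

from dataclasses import dataclass

# The two settings this chapter discusses; any other value (for example
# PROHIBITED) is reported as mismatched rather than silently accepted.
NBAC_MODES = {"AUTOMATIC", "REQUIRED"}


def parse_bpgetconfig(text: str) -> dict[str, str]:
    """Parse 'KEY = VALUE' lines as written by 'bpgetconfig KEY ... >file'.
    The value keeps everything after the first '=', so a multi-field value
    such as AUTHENTICATION_DOMAIN stays intact."""
    settings: dict[str, str] = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


@dataclass(frozen=True)
class RolloutReport:
    master_mode: str
    not_configured: tuple[str, ...]   # hosts with no USE_VXSS at all
    mismatched: tuple[str, ...]       # hosts whose USE_VXSS is outside NBAC_MODES
    recommended_master_mode: str


def check_rollout(master_config: str, host_configs: dict[str, str]) -> RolloutReport:
    """Decide whether the master can be switched to REQUIRED.

    master_config and each host_configs value are raw bpgetconfig output.
    Rule from the chapter: keep the master at AUTOMATIC while any client or
    media server is not yet configured for NBAC; only then set REQUIRED.
    """
    master_mode = parse_bpgetconfig(master_config).get("USE_VXSS", "")
    not_configured: list[str] = []
    mismatched: list[str] = []
    for host, text in sorted(host_configs.items()):
        mode = parse_bpgetconfig(text).get("USE_VXSS")
        if mode is None:
            not_configured.append(host)
        elif mode not in NBAC_MODES:
            mismatched.append(host)
    ready = not not_configured and not mismatched
    return RolloutReport(
        master_mode=master_mode,
        not_configured=tuple(not_configured),
        mismatched=tuple(mismatched),
        recommended_master_mode="REQUIRED" if ready else "AUTOMATIC",
    )


def master_required_too_early(report: RolloutReport) -> bool:
    """True when the master already enforces REQUIRED although some hosts are
    not configured: those hosts can no longer negotiate a connection."""
    return (report.master_mode == "REQUIRED"
            and report.recommended_master_mode != "REQUIRED")


if __name__ == "__main__":
    # Constructed sample: master output as in VXSS_SETTINGS.txt, three hosts
    # named after the chapter's example host names.
    MASTER = 'USE_VXSS = AUTOMATIC\nAUTHENTICATION_DOMAIN = "" WINDOWS 0\n'
    HOSTS = {
        "win_media": "USE_VXSS = AUTOMATIC\n",
        "win_client": "USE_VXSS = REQUIRED\n",
        "unix_client": "CLIENT_NAME = unix_client\n",  # no USE_VXSS yet
    }
    report = check_rollout(MASTER, HOSTS)
    print(report)
    print("master switched too early:", master_required_too_early(report))
```

In practice the per-host output would be collected by running bpgetconfig USE_VXSS on each media server and client (or by reading the host properties in the Administration Console); the check is deliberately conservative and keeps the master at Automatic while a single host is missing.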
Unifying NetBackup Management infrastructures with the setuptrust command
Symantec products management servers need to communicate so that an administrator for one product has
permission to administer another product. This communication ensures that application processes in one
management server work with another server. One way of ensuring communication is to use a common independent security server called a root broker. If all the management servers point to a common root broker, the permission for
each server is based on a common certificate. Another way of ensuring communication is to use the setuptrust
command. This command is used to establish trust between the two management servers. The command is issued
from the management server that needs to trust another management server. The security information is transferred
from that host to the one requesting the trust establishment. A one-way trust is established. Setting up two way
(mutual) trust is performed by issuing the setuptrust command from each of the two servers involved. For
example, a NetBackup configuration might consist of a Symantec OpsCenter server (OPS) and three master servers
(A, B, and C). Each of the master servers has connected to them the NBAC policies and management for the clients
and the media servers.
The first step is to have the Symantec OpsCenter server (OPS) setup trust with each of the master servers (A, B, and
C). This trust ensures that the Symantec OpsCenter server receives secure communications from each of the master
servers, the clients and the media servers connected to each of the master servers. A sequence of these events is as
follows:
- The OPS sets up trust with master server A.
- The OPS sets up trust with master server B.
- The OPS sets up trust with master server C.
If Symantec OpsCenter is set up to perform actions on the individual master servers, a trust relationship needs to be
set up from each of the master servers to the Symantec OpsCenter server (OPS). A sequence of these events is as
follows. In this case, the setuptrust command is run six times.
- The master server A sets up trust with Symantec OpsCenter server (OPS).
- The master server B sets up trust with Symantec OpsCenter server (OPS).
- The master server C sets up trust with Symantec OpsCenter server (OPS).
- The Symantec OpsCenter server OPS sets up trust with master server A.
- The Symantec OpsCenter server OPS sets up trust with master server B.
- The Symantec OpsCenter server OPS sets up trust with master server C.
Note: NetBackup 7.0 and OpsCenter 7.0 establish trust automatically. You may need to do these manual
setuptrust operations with older NetBackup master servers. At the end of the NetBackup
master server 7.0 installation, there is a question on the OpsCenter host name. With that, the
master server can initiate a two-way trust setup.
Details on the setuptrust command are described in the Symantec Commands guide. A summary of the command is provided here for your convenience.
Using the setuptrust command
Use the setuptrust command to contact the broker to be trusted, obtain its certificate or details over the wire, and add them to the trust repository if the furnished details are trustworthy. The security administrator can configure one of the following levels of security for distributing root certificates:
- High security (2): If a previously untrusted root is acquired from the peer (that is, if no certificate with the same signature exists in our trust store), the user will be prompted to verify the hash.
- Medium security (1): The first authentication broker will be trusted without prompting. Any attempts to trust subsequent authentication brokers will cause the user to be prompted for a hash verification before the certificate is added to the trusted store.
- Low security (0): The authentication broker certificate is always trusted without any prompting.
The vssat CLI is located in the authentication service 'bin' directory.
The setuptrust command uses the following syntax:
vssat setuptrust --broker --securitylevel high
The setuptrust command uses the following arguments:
--broker: the host and port of the broker to be trusted. The registered port for Authentication is 2821. If the broker has been configured with another port number, consult your security administrator for information.
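The three security levels differ only in when the operator is asked to verify the root certificate's hash before it enters the trust store. The following added example models that decision; it is not the vssat implementation. A broker's root certificate is represented by a constructed fingerprint string, the operator's hash-verification prompt by a callable, and the broker names (masterA:2821 and so on) are constructed after the OpsCenter scenario above.

```python
"""Model of the setuptrust decision at the three security levels.

Added example, not the vssat implementation. A broker's root certificate is
a constructed fingerprint string; the operator's hash prompt is a callable.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable

LOW, MEDIUM, HIGH = 0, 1, 2


@dataclass
class TrustStore:
    roots: set[str] = field(default_factory=set)    # trusted root fingerprints
    brokers: set[str] = field(default_factory=set)  # brokers trusted so far
    prompts: int = 0                                # how often the user was asked


def setup_trust(store: TrustStore, broker: str, root_fingerprint: str,
                level: int, verify_hash: Callable[[str], bool]) -> str:
    """Return 'already-trusted', 'trusted' or 'rejected'.

    verify_hash stands in for the operator comparing the presented hash with
    one obtained out of band; it is only called when the level demands a prompt.
    """
    if root_fingerprint in store.roots:
        # A certificate with the same signature is already in the trust
        # store: no prompt at any level.
        store.brokers.add(broker)
        return "already-trusted"
    if level == HIGH:
        prompt = True               # every previously untrusted root is verified
    elif level == MEDIUM:
        prompt = bool(store.roots)  # first root silently, later roots ask
    elif level == LOW:
        prompt = False              # never ask
    else:
        raise ValueError(f"unknown security level {level}")
    if prompt:
        store.prompts += 1
        if not verify_hash(root_fingerprint):
            return "rejected"       # nothing is added to the store
    store.roots.add(root_fingerprint)
    store.brokers.add(broker)
    return "trusted"


def trust_brokers(level: int, presented: list[tuple[str, str]],
                  verify_hash: Callable[[str], bool]) -> tuple[list[str], TrustStore]:
    """Run setuptrust against several brokers in order. `presented` holds
    constructed (broker, root fingerprint) pairs. Returns the per-broker
    outcomes and the resulting trust store."""
    store = TrustStore()
    outcomes = [setup_trust(store, b, fp, level, verify_hash) for b, fp in presented]
    return outcomes, store


if __name__ == "__main__":
    # Constructed scenario: OPS trusts masters A, B and C. A and B share a
    # root; C presents a root whose hash the operator cannot confirm.
    presented = [("masterA:2821", "fp-root-1"), ("masterB:2821", "fp-root-1"),
                 ("masterC:2821", "fp-root-2")]
    for level in (HIGH, MEDIUM, LOW):
        outcomes, store = trust_brokers(level, presented, lambda fp: fp == "fp-root-1")
        print(f"level {level}: {outcomes} prompts={store.prompts}")
```

The point worth noticing is the medium level: the first root is accepted silently, so the only protection for that first exchange is the channel it arrives over, whereas the high level asks for the hash every time a new root appears and the low level never does.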
Using host names when adding machines
NBAC does not require the use of fully qualified hostnames when you add machines. However, commands accepting hostnames (bpnbat -AddMachine, bpnbat -LoginMachine, and bpnbaz -AllowAuthorization) can retrieve the fully qualified hostname if a non-fully-qualified hostname is specified.
For example, if a host unix_machine.company.com exists, and only unix_machine is specified for any of these
commands: then that command attempts to resolve the name to unix_machine.company.com. To determine what
name these commands have resolved, you can run bpnbat -ShowMachines. It lists the names of all hosts that
are added to NetBackup's private domain in the authentication broker.
Specify the fully qualified hostname when you use these commands to make sure that the correct name is chosen. In
addition, using fully qualified hostnames is more secure. It ensures the uniqueness of the host name used by a
machine. Symantec does recommend the use of fully qualified hostnames for NBAC.
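As an added pre-flight check for the hostname rule above (not part of bpnbat or NBAC): the function below resolves each requested name the way the text describes, refuses short names that do not resolve to a fully qualified name, and refuses two inputs that collapse onto one host. The resolver is injectable so the check runs offline; the default uses socket.getfqdn, and the example resolver table is constructed.

```python
# Added pre-flight check for names passed to bpnbat -AddMachine and friends;
# not part of NBAC. Uses socket.getfqdn by default, or an injected resolver.
import socket
from typing import Callable, Dict, List

Resolver = Callable[[str], str]


def is_fully_qualified(name: str) -> bool:
    """A fully qualified name has at least one non-empty label after the host label."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(labels)


def names_for_nbac(hosts: List[str], resolver: Resolver = socket.getfqdn) -> Dict[str, str]:
    """Map each requested name to the fully qualified name the NBAC commands
    would register. Raises ValueError when a short name cannot be resolved or
    when two requested names refer to the same host, so the caller fixes the
    input rather than registering a machine under an unintended name."""
    resolved: Dict[str, str] = {}
    for host in hosts:
        if is_fully_qualified(host):
            fqdn = host.rstrip(".").lower()
        else:
            fqdn = resolver(host).rstrip(".").lower()
            if not is_fully_qualified(fqdn):
                raise ValueError(f"{host!r} did not resolve to a fully qualified name")
        if fqdn in resolved.values():
            raise ValueError(f"{host!r} duplicates an already listed host ({fqdn})")
        resolved[host] = fqdn
    return resolved


def example_resolver(name: str) -> str:
    """Constructed stand-in for DNS using the page's example host; unknown
    names come back unchanged, which is what socket.getfqdn does on failure."""
    table = {"unix_machine": "unix_machine.company.com"}
    return table.get(name, name)
```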
Master server and media server host properties
The access control host properties are described in the following sections. The master server and media server host
properties are in the NetBackup Administration Console. Open NetBackup Management > Host Properties > master
server or media server > Select server > Access control.
Access control host properties dialog
Set the Symantec Product Authentication Service and Symantec Product Authorization Service to either Required or
Automatic. A setting of Automatic takes into account that there may be hosts within the configuration that are not
yet configured for NBAC. The server attempts to negotiate the most secure connection possible when it
communicates to other NetBackup systems. The Automatic setting should be used until all clients and servers are
configured for NBAC.
Figure 5-1 shows the access control host properties dialog.
Figure 5-1 Access control host properties dialog
When Automatic is used, you may specify machines or domains required to use Symantec Product Authentication
Service and Symantec Product Authorization Service. Or you may specify machines prohibited from using
Symantec Product Authentication Service and Symantec Product Authorization Service.
Symantec Product Authentication & Authorization tab
View the access control host properties on the Symantec Product Authentication and Authorization tab. Add the
master server to the Symantec Product Authentication Service and Symantec Product Authorization Service
Network list. Then set Symantec Product Authentication Service and Symantec Product Authorization Service to
Required.
Figure 5-2 shows the Symantec product authentication and authorization tab.
Figure 5-2 Symantec product authentication and authorization tab
A UNIX domain unixbox.mycompany.com on the authentication server UNIXBOX.
Notice that the authentication mechanism for this domain is PASSWD.
Each new NetBackup client or media server (version 5.0 or higher) added to the NetBackup master needs to have
the access control properties configured. These properties are configured on both itself and the master. This
configuration can be done through the host properties on the master server.
Authentication domain tab
The Authentication Domain tab is used to define the following:
Which authentication servers support which authentication mechanisms.
What domains each supports.
Add the domain you want users to authenticate against. Be sure to select the proper authentication mechanism.
The following examples contain three authentication domains and three authentication types. Two are hosted on the
authentication server UNIXBOX, and a third, a Windows AD/PDC (Active Directory/Primary Domain Controller) domain, is
hosted on WINMACHINE.
Figure 5-3 shows the authentication domain tab.
Figure 5-3 Authentication domain tab
Notice that the authentication mechanism for this domain is NIS.
Note: When a UNIX authentication domain is used, enter the fully qualified domain name of the host
performing the authentication.
Note: Authentication types supported are NIS, NISPLUS, WINDOWS, vx, and unixpwd
(unixpwd is default).
A NIS domain NIS.MYCOMPANY.COM on the authentication server UNIXBOX.
Figure 5-4 shows the UNIX authentication domain.
Figure 5-4 UNIX Authentication domain
A Windows AD/PDC domain WINDOWS on the authentication server WINMACHINE. Notice that the
authentication mechanism for this domain is WINDOWS.
Figure 5-5 shows the domain WINDOWS.
Figure 5-5 Domain WINDOWS
Authorization Service tab
Within the access control host properties, on the Authorization Service tab, complete the properties for the
authorization server. Specify the host name for the system running the authorization daemon service (typically the
master). Specify the alternate port for which this daemon service has been configured. The default listening port for
the authorization daemon service is 4032.
Figure 5-6 shows the authorization service tab.
Figure 5-6 Authorization service tab
Make any changes to the host properties and restart the daemon services.
Client host properties
Access the client host properties in the NetBackup Administration Console. Open NetBackup Management > Host
Properties > Clients > Select client(s) > access control.
Access control host properties dialog for client
Select the NetBackup client in the host properties. (On the master server, in the NetBackup Administration Console,
open NetBackup Management > Host Properties > Clients > Selected clients > access control.)
Figure 5-7 shows the access control host properties.
Figure 5-7 Access control host properties
Set the Symantec Product Authentication Service and Symantec Product Authorization Service to Required or
Automatic.
Symantec Product Authentication & Authorization tab for client
Select the NetBackup client in the host properties. This tab is only enabled in Automatic mode. It can be used to
control which systems require or prohibit the use of Symantec Product Authentication Service and Symantec
Product Authorization Service on a per-machine basis. Note that both systems must have matching settings to
communicate.
Figure 5-8 shows the Authentication and Authorization tab.
Figure 5-8 Authentication and authorization tab
Authentication domain tab
Within the access control host properties, on the Authentication Domain tab, add the list of domains a client can use
to authenticate.
Authentication and authorization installation diagnostics and tools
This section contains uninstalling information and a number of diagnostic tools. This section also includes
information on creating response files to further automate the installation process. The sections on uninstalling
authentication and authorization should only be used when required. Proceed to the section on NBAC Configuration
overview and refer back to this section only if you have challenges.
Using a response file
A response file is generated at the end of the first manual installation. This file saves all the configuration settings that
are specified during the first installation.
This response file can then be used for multiple installations.
On the Windows platform, the response file name is:
.rsp
On the UNIX platform, the response file name is:
installics-IdString.response
where IdString is a unique ID string generated by the installics script for the installer execution.
Finding authentication service install location
You can find the directory location of the authentication service using the locations as follows:
On UNIX platforms, the Authentication service is installed under /opt/VRTSat. On 32-bit Windows, it is installed under
%ProgramFiles%\VERITAS\Security\Authentication.
On 64-bit Windows, it is installed under %ProgramFiles(x86)%\VERITAS\Security\Authentication.
Note: The specified locations are defaults for Windows. If the service is installed in a non-default
location, refer to the system registry key InstallDir for the actual location.
Note: On a 32-bit machine, this key is under
HKEY_LOCAL_MACHINE\SOFTWARE\VERITAS\Security\Authentication.
Note: On a 64-bit machine, this key is under
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\VERITAS\Security\Authentication.
Determining if the authentication broker is properly configured
Some Symantec Storage Foundation products install the authentication service, but leave the broker in an
unconfigured state. These products configure the broker only when the security option is turned on in those
products. If the NetBackup master server is installed on one of these machines, then you need to configure the
Authentication broker. The broker needs to be configured in Root+AB mode before doing the access control
(NBAC) configuration.
Use the following procedure to check whether the Authentication broker is configured or not.
1. Go to the 'bin' directory under the Authentication service install location. See "Finding authentication service install location".
2. Run the vssat showbrokermode command. The output is similar to the following:
showbrokermode
----------------------
Broker mode is : 3
----------------------
Mode 0 means the broker is not configured. It should be configured either in Mode 3 (Root+AB) or in Mode 1 (AB)
for setting up NetBackup Access Control. If it is Mode 0, follow the steps in the "Manually configuring the
authentication broker" section.
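The check above can be scripted so that an NBAC rollout fails early on a broker left in Mode 0. The following is an added helper written for this page, not part of vssat: it locates the authentication 'bin' directory from the defaults given in "Finding authentication service install location", parses the showbrokermode output, and reports whether the mode is one NBAC accepts. The sample output is constructed to match the layout shown above; a non-default Windows install would need the InstallDir registry value instead of the default path.

```python
# Added helper for the broker mode check; not vssat's own code.
# Default paths are the ones documented for UNIX and 32-/64-bit Windows.
import os
import re
import subprocess
import sys
from typing import Optional

BROKER_MODES = {0: "not configured", 1: "AB", 3: "Root+AB"}
NBAC_READY_MODES = {1, 3}            # modes accepted for NetBackup Access Control


def authentication_bin_dir() -> str:
    """Default 'bin' directory of the authentication service (non-default
    Windows installs must read InstallDir from the registry instead)."""
    if sys.platform.startswith("win"):
        base = os.environ.get("ProgramFiles(x86)") or os.environ.get("ProgramFiles", "")
        return os.path.join(base, "VERITAS", "Security", "Authentication", "bin")
    return "/opt/VRTSat/bin"


def parse_broker_mode(output: str) -> int:
    """Extract the mode number from 'vssat showbrokermode' output."""
    match = re.search(r"Broker mode is\s*:\s*(\d+)", output)
    if match is None:
        raise ValueError("no 'Broker mode is' line found in showbrokermode output")
    return int(match.group(1))


def broker_ready_for_nbac(mode: int) -> bool:
    """True for Mode 1 (AB) or Mode 3 (Root+AB); Mode 0 needs manual configuration."""
    return mode in NBAC_READY_MODES


def check_broker(bin_dir: Optional[str] = None) -> int:
    """Run vssat showbrokermode on this host and return the parsed mode."""
    exe = os.path.join(bin_dir or authentication_bin_dir(), "vssat")
    result = subprocess.run([exe, "showbrokermode"], capture_output=True,
                            text=True, check=True)
    return parse_broker_mode(result.stdout)


# Constructed sample in the layout the documentation shows.
SAMPLE_OUTPUT = """showbrokermode
----------------------
Broker mode is : 3
----------------------
"""
```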
Manually configuring the authentication broker
This procedure allows the authentication broker to be configured in Root+AB mode (mode 3).
Use the following procedure to manually configure the authentication broker in Root+AB mode (mode 3).
1. Go to the bin directory under the authentication service install location. See "Finding authentication service install location".
2. Run the following command to configure the broker in Root+AB mode: vxatd -o -a -r
On Windows platforms, run the vxatd -i command to install the authentication broker as a service.
3. Start the Authentication service. See "Starting authentication and authorization daemon services".
Stopping authentication and authorization daemon services
Use the following commands for stopping the authentication daemons and authorization daemons on UNIX and
Linux:
Stop authentication daemon - kill
Stop authorization daemon - /opt/VRTSaz/bin/vrtsaz -stop
On Windows, the Symantec Product Authentication Service and Symantec Product Authorization Service can be stopped from the Services
panel. Use the following commands to stop them manually:
For authentication use: net stop vrtsat
For authorization use: net stop vrtsaz
Starting authentication and authorization daemon services
Use the following commands for starting the authentication daemons and authorization daemons on UNIX and
Linux:
Start authentication daemon - /opt/VRTSaz/bin/vxatd
Start authorization daemon - /opt/VRTSaz/bin/vrtsaz
On Windows, the Symantec Product Authentication Service and Symantec Product Authorization Service can be started from the Windows
Services panel. Use the following commands to start them manually:
For authentication use: net start vrtsat
For authorization use: net start vrtsaz
Uninstalling the Symantec Product Authentication Service from Windows platform
Note: A highly available (HA) NetBackup server installation (master server or OpsCenter) can use VCS
(Veritas Cluster Server) to provide the HA functionality. The VCS uses Authentication in a shared
mode for secure HA functionality. These steps should be used when it is desired to repurpose the
hosts or start to build a configuration from scratch. You should not remove Authentication for
those instances where VCS is to be left running on the host.
On a Windows platform, you can uninstall the Symantec Product Authentication Service using Add or Remove
Programs.
To uninstall the Symantec Product Authentication Service from Windows platform
1. From the Windows Control Panel, open Add or Remove Programs.
2. In the Add or Remove Programs window program list, click Symantec Product Authentication Service.
The Change and Remove options are displayed.
3. Click Remove.
4. When the Modify, repair, or remove the program dialog box is displayed, select Remove, and then click Next.
5. A confirmation dialog box is displayed; click Yes, and then allow the uninstallation to complete.
6. When the Maintenance Complete dialog box is displayed, click Finish.
Uninstalling the Symantec Product Authorization Service from Windows platform
On a Windows platform, you can uninstall the Symantec Product Authorization Service using Add or Remove
Programs.
To uninstall the Symantec Product Authorization Service from Windows platform
1. From the Windows Control Panel, open Add or Remove Programs.
2. In the Add or Remove Programs window program list, click Symantec Product Authorization Service.
The Change and Remove options are displayed.
3. Click Remove.
4. When the Modify, repair, or remove the program dialog box is displayed, select Remove, and then click Next.
5. A confirmation dialog box is displayed; click Yes, and then allow the uninstallation to complete.
6. When the Maintenance Complete dialog box is displayed, click Finish.