Registering authorized locations used by a NetBackup database script-based policy

Article: 100039639
Last Published: 2019-05-23
Product(s): NetBackup

Problem

For NetBackup versions 8.1 and later, during a backup, NetBackup checks for scripts in the default script location or in the authorized location(s). The default authorized script location is /usr/openv/netbackup/ext/db_ext on UNIX and install_path\netbackup\dbext on Windows. If the script is not in the default script location or in an authorized location, the policy job fails. You can move any script into the default script location or any additional authorized location, and NetBackup recognizes it. If the script location has changed, you need to update the policy with the new location. An authorized location can be a directory, in which case NetBackup recognizes any script within that directory. An authorized location can also be the full path to a single script if an entire directory does not need to be authorized.

If the default script location does not work for your environment, use the following procedure to enter one or more authorized locations for your scripts. Use nbsetconfig or bpsetconfig to enter an authorized location where the scripts reside.

One recommendation is that scripts should not be world-writable. Scripts are not allowed to be run from network or remote locations. All scripts must be stored and run locally. Any script that is created and saved in the NetBackup db_ext (UNIX) or dbext (Windows) location needs to be protected during a NetBackup uninstall.

To add an authorized location

  1. Open a command prompt on the client.
  2. Use nbsetconfig to enter values for an authorized location. The client privileged user must run these commands.
  • On UNIX, to update the bp.conf file:

# /usr/openv/netbackup/bin/nbsetconfig
nbsetconfig>DB_SCRIPT_PATH = /Oracle/scripts
nbsetconfig>DB_SCRIPT_PATH = /db/Oracle/scripts/full_backup.sh
nbsetconfig>
<ctrl-D>

 

  • On Windows, to update the registry with a new "String Value" Registry entry:

C:\Program Files\Veritas\NetBackup\bin>nbsetconfig
nbsetconfig>DB_SCRIPT_PATH=c:\db_scripts
nbsetconfig>DB_SCRIPT_PATH=e:\oracle\fullbackup\full_rman.sh
nbsetconfig>
<Ctrl+Z> and ENTER

On Windows, press Ctrl+Z and then ENTER to save the changes made in nbsetconfig and exit.

  3. (Conditional) Perform these steps on any clustered database or agent node that can perform the backup.
  4. (Conditional) Update any policy if the script location was changed to the default or authorized location.
Note: Review the NetBackup Command Reference Guide for options, such as reading from a text file and remotely setting clients from a NetBackup server using bpsetconfig. If you have a text file with the script location or authorized locations listed, nbsetconfig or bpsetconfig can read from that text file. An entry of DB_SCRIPT_PATH=none does not allow any script to execute on a client. The none option is useful if an administrator wants to completely lock down a server from executing scripts.

Script Discovery Tool within the NetBackup environment

The db_script_discovery tool, located in the /usr/openv/netbackup/bin/goodies (UNIX) or <install_path>\VERITAS\NetBackup\bin\goodies (Windows) directory on master and media servers, lists all policies in your environment that may need script approval. The tool can be run on a master server or on any media server that is listed as an additional server. It queries all the policies in the NetBackup environment using bppllist and filters the output down to the affected policies that may need script approval. The output lists clients, policy names, policy types, script paths, and whether each policy is active or not active.

The db_script_discovery tool filters for these policy types:
  • Oracle
  • MSSQL Server
  • Sybase
  • SAP
  • DB2
  • Informix-On-BAR
  • DataStore
  • DataTools-SQL-BackTrack
Arguments:
  • help - Print usage information
  • csv - Print output as comma separated values instead of a whitespace formatted list.
Returns:
  • 0 - Successful execution
  • 1 - Error during execution
  • 2 - Invalid command line

Best Practices for script authorized location management

  • The script should not be world writable.
  • The client Privileged User should allow DBAs write permission on a script that is in an authorized location so they have the ability to update the script when needed.
  • Remove any script or path that is listed as an authorized location in the bp.conf if the script is no longer needed.
  • An entry of DB_SCRIPT_PATH=none will not allow any script to execute on a client. This is useful if an administrator wants to completely lock down a server from executing scripts.
  • Any script that is created and saved in the NetBackup db_ext (UNIX) or dbext (Windows) location needs to be protected during a NetBackup uninstall.
  • To authorize a localized script path on a Windows client, use bpsetconfig. Alternatively, instead of using the nbsetconfig command, administrators can manually add or update the registry with a new "string value" registry setting named "DB_SCRIPT_PATH", with the path set as the string in the setting. Location: HKEY_LOCAL_MACHINE\SOFTWARE\Veritas\NetBackup\CurrentVersion\Config\DB_SCRIPT_PATH
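
The checks in the best practices above can be scripted on a UNIX client. The following is an added example, not Veritas code or part of the original article: it reads DB_SCRIPT_PATH entries from a bp.conf-style file and reports world-writable scripts, entries whose path no longer exists, and a none lockdown. The function names, the status labels, and the one-entry-per-line "DB_SCRIPT_PATH = path" layout are assumptions, and the sample tree is constructed.

```shell
#!/usr/bin/env bash
# Added example (not Veritas code): audit DB_SCRIPT_PATH entries in a
# bp.conf-style file for the conditions the best practices warn about.
# Assumption: one "DB_SCRIPT_PATH = <path>" entry per line.

audit_db_script_paths() {
    local conf="$1" line value hits found=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            DB_SCRIPT_PATH*=*) ;;          # authorized-location entry
            *) continue ;;                 # any other setting in the file
        esac
        found=1
        value="$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')"
        if [ "$value" = "none" ]; then
            echo "LOCKED_DOWN none"        # no script may run on this client
        elif [ ! -e "$value" ]; then
            echo "STALE $value"            # path is gone; entry can be removed
        else
            # A directory entry covers the scripts within it, so check the
            # directory itself and every file or subdirectory inside it.
            hits="$(find "$value" \( -type f -o -type d \) -perm -0002 | sort)"
            if [ -n "$hits" ]; then
                printf '%s\n' "$hits" | sed 's/^/WORLD_WRITABLE /'
            else
                echo "OK $value"
            fi
        fi
    done < "$conf"
    [ "$found" -eq 1 ] || echo "DEFAULT_ONLY"   # no extra locations authorized
    return 0
}

# Constructed sample: a temporary tree and config, not real client data.
demo() {
    local d; d="$(mktemp -d)"
    mkdir -p "$d/scripts"; chmod 755 "$d/scripts"
    printf '#!/bin/sh\n' > "$d/scripts/full_backup.sh"; chmod 750 "$d/scripts/full_backup.sh"
    printf '#!/bin/sh\n' > "$d/scripts/loose.sh";       chmod 777 "$d/scripts/loose.sh"
    printf 'SERVER = master1\nDB_SCRIPT_PATH = %s/scripts\nDB_SCRIPT_PATH = %s/retired.sh\n' \
        "$d" "$d" > "$d/bp.conf"
    audit_db_script_paths "$d/bp.conf" | sed "s|$d|<tmp>|"
    rm -rf "$d"
}

demo
```

To audit a real client, call audit_db_script_paths with the path to that client's bp.conf instead of running demo.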

Error Message

New Error Messages:
  • 5449 - The script is not approved for execution.
  • 5450 - DB_SCRIPT_PATH=none was set on this client to prevent scripts from executing.
  • 5451 - The script is stored in a remote location.
