Search <book_title>...

NetBackup IT Analytics System Administrator Guide

Last Published: 2025-08-01

Product(s): NetBackup IT Analytics (11.5)

Introduction
1. NetBackup IT Analytics Overview
2. Purpose of this document
Preparing for updates
1. About upgrades and updates
2. Determine the data collector version
3. Data collector updates with an aptare.jar file
4. Manual download of the aptare.jar file
5. Portal updates
Backing up and restoring data
1. Best practices for disaster recovery
2. Oracle database backups
3. File system backups
4. Oracle database: Cold backup
5. Oracle database: Export backups
6. Scheduling the oracle database export
7. Oracle database: On demand backup
8. Restoring the NetBackup IT Analytics system
9. Import the Oracle database
10. Manual steps for database import / export using data pump
Monitoring NetBackup IT Analytics
1. Starting and stopping portal server software
2. Starting and stopping the reporting database
3. Starting and stopping data collectors
4. Monitoring tablespaces
Accessing NetBackup IT Analytics reports with the REST API
1. Overview
2. Authentication for REST APIs
3. Extracting data from tabular reports (with pagination)
4. Exporting reports
5. Exporting custom dashboards
Defining NetBackup estimated tape capacity
1. NetBackup estimated tape capacity overview
2. Estimated capacity notes
3. Updating the estimated capacity table
4. Listing volume pool IDs and media types
Automating host group management
1. About automating host group management
2. Task overview: managing host groups in bulk
3. Preparing to use PL/SQL utilities
4. General utilities
5. Categorize host operating systems by platform and version
  1. Use Regular Expressions to Override or Modify Default Host OS Categorization
  2. Host OS Categorization Default Settings
  3. Utility to Update Host OS Categorizations
  4. Categorize Host Operating Systems On Demand
6. Identifying a host group ID
7. Move or copy clients
8. Organize clients by attribute
9. Move host group
10. Delete host group
11. Move hosts and remove host groups
12. Organize clients into groups by backup server
13. Merge duplicate backup clients
14. Merge duplicate hosts
15. Bulk load utilities
  1. Load host aliases
  2. Load details of new hosts or update existing hosts
  3. Load relationships between hosts and host group
    1. Sample Audit File (output from load_package.loadGroupMemberFile)
16. Veritas NetBackup utilities
17. Automate NetBackup utilities
  1. Scheduling a NetBackup Utility Job to Run Automatically
18. Organize clients into groups by management server
19. Set up an inactive clients group
20. Set up a host group for clients in inactive policies
21. Set up clients by policy
22. Set up clients by policy type
23. IBM Tivoli storage manager utilities
24. Set up clients by policy domain
25. Set up clients by IBM Tivoli storage manager instance
26. Scheduling utilities to run automatically
  1. Sample .sql file (setup_ora_job.sql) to set up an automatic job
27. Host matching identification for single-domain multi-customer environments
Attribute management
1. Attribute bulk load utilities
2. Attribute naming rules
3. Rename attributes before upgrading
4. Load host attributes and values
5. Load attributes and values and assign to hosts
6. Load array attributes and values and assign to arrays
7. Overview of application attributes and values
8. Load application database attributes and values
9. Load MS Exchange organization attributes and values
10. Load LUN attributes and values
11. Load switch attributes and values
12. Load port attributes and values
13. Load Subscription attributes and values
Importing generic backup data
1. About generic backup data collection
  1. Considerations
2. Configuring generic backup data collection
3. CSV Format Specification
  1. EXAMPLE: genericBackupJobs.csv
4. Manually loading the CSV file
Backup job overrides
1. Overview
2. Configure a backup job override
Managing host data collection
1. Identifying hosts by WWN to avoid duplicates
2. Setting a host's priority
3. Determining host ranking
4. Loading host and WWN relationships
5. Loading the host HBA port data
6. Create a CSV file
7. Execute the script
System configuration in the Portal
1. System configuration in the Portal
2. System configuration: functions
3. Navigation overview
4. System configuration parameter descriptions: Additional info
5. Anomaly detection
6. Data collection: Capacity chargeback
7. Database administration: database
8. Host discovery: EMC Avamar
9. Host discovery: Host
10. Events captured for audit
11. Custom parameters
Performance profile schedule customization
1. Overview
2. Customize the performance profile schedule
LDAP and SSO authentication for Portal access
1. Overview
2. Configure AD/LDAP
3. Configure single sign-on (SSO)
4. Enable local authentication
Change Oracle database user passwords
1. Overview
2. Database connection properties
3. Modify the Oracle database user passwords
4. Modify the Oracle database user passwords for split architecture
5. Determine if Oracle is using the default login password
Integrate with CyberArk
1. Introduction
2. CyberArk setup prerequisites
3. Setting up the portal to integrate with CyberArk
Tuning NetBackup IT Analytics
1. Before you begin tuning
2. Tuning the portal database
3. Performance recommendations
4. Reclaiming free space from Oracle
5. Portal / Data receiver Java memory settings
Working with log files
1. About debugging NetBackup IT Analytics
2. Turn on debugging
3. Database logging
4. Portal and data collector log files - reduce logging
  1. Portal Log Files
  2. Data Collector Log Files
5. Database SCON logging - reduce logging
6. Refreshing the database SCON log
7. Logging user activity in audit.log
8. Logging only what a user deletes
9. Logging all user activity
10. Data collector log files
11. Data collector log file organization
12. Data collector log file naming conventions
13. General data collector log files
14. Find the event / meta collector ID
15. Portal log files
  1. Managing Apache Log Files
16. Database log files
17. Installation / Upgrade log files
Defining report metrics
1. Changing backup success percentage
2. Changing job status
SNMP trap alerting
1. Overview
2. SNMP configurations
SSL certificate configuration
1. SSL certificate configuration
2. SSL implementation overview
3. Obtain an SSL certificate
4. Update the web server configuration to enable SSL
5. Configure virtual hosts for portal and / or data collection SSL
6. Enable / Disable SSL for a Data Collector
7. Enable / Disable SSL for emailed reports
8. Test and troubleshoot SSL configurations
9. Create a self-signed SSL certificate
10. Configure the Data Collector to trust the certificate
11. Keystore file locations on the Data Collector server
12. Import a certificate into the Data Collector Java keystore
13. Keystore on the portal server
14. Add a virtual interface to a Linux server
15. Add a virtual / secondary IP address on Windows
Portal properties: Format and portal customizations
1. Introduction
2. Configuring global default inventory object selection
3. Restricting user IDs to single sessions
4. Customizing date format in the report scope selector
5. Customizing the maximum number of lines for exported reports
6. Customizing the total label display in tabular reports
7. Customizing the host management page size
8. Customizing the path and directory for file analytics database
9. Configuring badge expiration
10. Configuring the maximum cache size in memory
11. Configuring the cache time for reports
12. Configuring LDAP to use active directory (AD) for user group privileges
Data retention periods for SDK database objects
1. Data retention periods for SDK database objects
2. Data aggregation
  1. Pre-requisites
  2. Data aggregation and retention levels
3. Find the domain ID and database table names
4. Retention period update for SDK user-defined objects example
5. SDK user-defined database objects
6. Capacity: default retention for basic database tables
7. Capacity: default retention for EMC Symmetrix enhanced performance
8. Capacity: Default retention for EMC XtremIO
9. Capacity: Default retention for Dell EMC Elastic Cloud Storage (ECS)
10. Capacity: Default retention for Windows file server
11. Capacity: Default retention for Pure Storage FlashArray
12. Cloud: Default retention for Amazon Web Services (AWS)
13. Cloud: Default retention for Microsoft Azure
14. Cloud: Default retention for OpenStack Ceilometer
15. Configure multi-tenancy data purging retention periods
Troubleshooting
1. Troubleshooting user login problems
2. Forgotten password procedure
3. Login issues
4. Connectivity issues
5. Data Collector and database issues
6. Portal upgrade performance issues
Appendix A. Kerberos based proxy user's authentication in Oracle
1. Overview
  1. Pre-requisite
2. Exporting service and user principal's to keytab file on KDC
3. Modifications for Oracle
4. Modifications for Portal
Appendix B. Configure TLS-enabled Oracle database on NetBackup IT Analytics Portal and data receiver
1. About Transport Layer Security (TLS)
2. TLS in Oracle environment
3. Configure TLS in Oracle with NetBackup IT Analytics on Linux in split architecture
4. Configure TLS in Oracle with NetBackup IT Analytics on Linux in non-split architecture
5. Configure TLS in Oracle with NetBackup IT Analytics on Windows in split architecture
6. Configure TLS in Oracle with NetBackup IT Analytics on Windows in non-split architecture
7. Configure TLS in user environment
Appendix C. NetBackup IT Analytics for NetBackup on Kubernetes and appliances
1. Configure embedded NetBackup IT Analytics Data collector for NetBackup deployment on appliances (including Flex appliances)

Modifications for Portal

Following are the steps to perform the portal related modifications:

Portal Modifications

Create a copy of /etc/krb5.conf from KDC to Portal server /etc/krb5.conf path.
Copy the keytab file from KDC to Portal at /etc/v5srvtab.
Note:
The exported keytab file can be removed from KDC once it has been copied to portal server.
For more information, see See Exporting service and user principal's to keytab file on KDC.
Modify the owner and permission of above copied two files using the following commands:
```
chown <oracle user>:<oracle group> /etc/krb5.conf /etc/v5srvtab
# chmod 444 /etc/krb5.conf /etc/v5srvtab
```
For example: # chown aptare:dba /etc/krb5.conf /etc/v5srvtab
Add the following entries to /opt/aptare/oracle/network/admin/sqlnet.ora file
- SQLNET.AUTHENTICATION_SERVICES=(BEQ,KERBEROS5)
- SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=scdb
- SQLNET.KERBEROS5_CONF=/etc/krb5.conf
- SQLNET.KERBEROS5_CONF_MIT=TRUE
- SQLNET.KERBEROS5_REALMS=/etc/krb5.conf
- SQLNET.KERBEROS5_KEYTAB=/etc/v5srvtab
- SQLNET.FALLBACK_AUTHENTICATION=TRUE
- SQLNET.KERBEROS5_CC_NAME=/tmp/kcache
- SQLNET.KERBEROS5_CLOCKSKEW=300
Modifications in the property file is required because when JDBC try to make multiple connections to Oracle DB, Oracle application treats this as a replay attack and errors out.
To avoid the error, ensure that the [libdefaults] section in the Kerberos configuration file /etc/krb5.conf on KDC and client machine is configured forwardable = false.
To update, restart kdc and admin service on KDC server using the following commands:
systemctl restart krb5kdc.service
systemctl restart kadmin.service

Create cache file for portal user.

For example, the command to generate cache file: kinit -k -t <Key Tab File> <kerberos user@domain realm name> -c <cache file name>

kinit -k -t <Key Tab File> <kerberos user name>@<domain realm name>
 -c <cache file name> 
# su - aptare (login as oracle user)
# kinit -k -t /etc/v5srvtab k1portal@EXAMPLE.COM 
-c /tmp/portal_kcache;

Tomcat user must have read privileges to the cache file. To ensure that the Tomcat OS user is able to make a JDBC connection to Oracle DB, use the following commands:
```
.
# chown <portal user>:<portal group> /tmp/portal_kcache;
# chmod 444 /tmp/portal_kcache;
```
For example: chown aptare:aptare /tmp/portal_kcache;
The following properties must be added or updated in /opt/aptare/portalconf/portal.properties
- db.url=jdbc:oracle:thin:@(DESCRIPTION=
  (ADDRESS=(PROTOCOL=tcp)(HOST=localhost)
  (PORT=1521))(CONNECT_DATA=(SERVICE_NAME=scdb)))
  Host and Service name could be different here.
- db.user=<kerberos user name>@<domain realm name>
  For example: db.user=k1portal@EXAMPLE.COM Combination of kerberos portal user name and domain realm name
- db.auth.scheme=kerberos
  This property must be defined to enable kerberos authentication and is case-insensitive
- db.kerberos.keytab.path=/etc/v5srvtab
  This is absolute path of keytab file
- db.driver=oracle.jdbc.OracleDriver
- db.kerberos.portal_kcache.path=/tmp/portal_kcache
  This is absolute path of portal user cache file
- db.connection.max=25
- db.connection.min=25
- db.connection.expiration=5

Similar changes are required in the Data-receiver property file /opt/aptare/datarcvrconf/datrarcvrproperties.xml.

Add or updated the bold perperties.

<dataSource>
<Driver> oracle.jdbc.driver.Oracle</Driver>
<URL>jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)
(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=scdb)))</URL>
<UserId><kerberos user name>@<>
<domain realm name></UserId>

For example: <UserId>k1portal@EXAMPLE.COM</UserId>

<Password>Z0Q5W+lQD2jreQaLBoYsviYO21WGOq5iTEo0Ad2uUj/e0GtqPkOtXFblKxCse
KXO4VhpIQwwfrSfe59nGy156DV8lYoa7HWmL0hF+kAZXOoXfIN5YRAGfqDbCwrKQdtPY7pQh
uTkZMPLl0d9Kzy6sLGMb/33L4hKuEl0ZZN2FG5US26JZ/uSOBF7T69ppqxGqXMleZ19QBcv
UElLwJTn52SurL+K3RjCY7Xi0VJb4wLkax07xCkpSK9dJ6NMFJS3ybWP4jNs3rC3roudZak8
wGqLNhAacyXgW4pMpgigVjGwNr0N8rJIgcGmXgAxSNs0qmQItuXPIyqGf+nWWEfScQ==
</Password>

<oracle_service_name>scdb</oracle_service_name>

<ro_user>aptare_ro</ro_user>

<ro_password>U9a7a+af94q0CUaIfzaVmYl1P1DhdQW96CQiYWgxUGSV5sfVVsxoWF5Riy
V85MD8V0Ogy7UJo1sFmAL36KjDy8LA61pKeO4X39hRK/g8vvl/xNnG5bBYIF04/1LwD2FTz
0lJERWopKVZ6pd6TkT0mGeKrnu2oYi97GtlW4J73tPGTFRhHyVw7yZKMmaxbs/FBwrz5aIf
je3rT0w85m7Obtrjf2nJ2HjsaHnmToh0Ua96xlshjrE75UbaLMu0QEcF3PYF3qufYVIegn
4VGSHcpsU/AFzurKpr0JTsU/6VqvdE4veBLv4FH5D05bRetaOA0SGKCazWA50
xiirwocvgyw==
</ro_password>

<MaxConnections>125</MaxConnections>

<MinConnections>5</MinConnections>

<ConnExpirationTime>5</ConnExpirationTime>
<authScheme>kerberos</authScheme>        
<portalKcacheFile>/tmp/portal_kcache</portalKcacheFile>
<kKeyTabFile>/etc/v5srvtab</kKeyTabFile>
</dataSource>

Before the upgrade

The following are the steps to be performed before the upgrade.

Provide dba grant to Kerberos portal user.

# su - aptare ( login as Oracle service user)

# sqlplus / as sysdba

SQL> alter session set container=scdb;
SQL> GRANT DBA TO k1portal;
SQL> GRANT EXECUTE ON SYS.DBMS_JOB TO k1portal;
SQL> GRANT EXECUTE ON SYS.DBMS_LOB TO k1portal;
SQL> GRANT EXECUTE ON SYS.DBMS_SCHEDULER TO k1portal;
SQL> GRANT SELECT ON DBA_OBJECTS TO k1portal;

Ensure portal cache file is valid and Tomcat user must have read permission.
```
# chmod 444 /tmp/portal_kcache;
chown <portal user>:<portal group> /tmp/portal_kcache
```
For example:# chown aptare:aptare /tmp/portal_kcache

Post upgrade

The following are the steps to be performed after the upgrade.

Revoke DBA role and grant a specific list of privileges to Kerberos users after a successful upgrade. k1portal is the Kerberos username here. It can be varied from environment to environment.
Under sys user performs below revoke tasks:
```
# su - aptare (login as oracle user)
```
```
# sqlplus "/ as sysdba"

SQL> alter session set container=scdb;
Session altered.

SQL> REVOKE DBA FROM k1portal;
Revoke succeeded.
```
Again under sys user runs individual PLSQL scripts to grant a list of required privileges to Kerberos-enabled users for the normal functioning of ITA application.

Ensure that the correct Kerberos username is given as arguments to the script.

# su - aptare

sqlplus "/ as sysdba"
SQL> alter session set container=scdb;
SQL> @/opt/aptare/database/ora_scripts/kerberos_grants_portal.plb;
Enter value for db_object_schema: portal
Enter value for kerberos_schema: k1portal
SQL> @/opt/aptare/database/ora_scripts/
metadata_grants_to_kerberos_user.plb
Enter value for kerberos_user_name: k1portal
SQL> exit;

Restart tomcat-portal and tomcat-agent and verify NBU ITA portal.

/opt/aptare/bin/tomcat-portal restart

/opt/aptare/bin/tomcat-agent restart

Note:

Kerberos cache file should not be expired, Tomcat and Aptare users must have access to the cache file, for this add a script in crontab to re-generate cache file as below :

# cat krb_cache_refresh.sh
su - aptare (login as oracle user)
okinit -k -t /etc/v5srvtab k1portal
kinit -k -t /etc/v5srvtab k1portal@EXAMPLE.COM
 -c /tmp/portal_kcache
chmod 444 /tmp/portal_kcache;
chown <portal user>:<portal group> /tmp/portal_kcache

For example: chown aptare:aptare /tmp/portal_kcache