Veritas NetBackup™ Security and Encryption Guide
About using NetBackup Access Control (NBAC)
NetBackup Access Control (NBAC) is the legacy access control method for NetBackup and is no longer being updated. Veritas recommends that you use role-based access control (RBAC) with the web UI.
You cannot use the NetBackup web UI and the web APIs if you have NetBackup Access Control (NBAC) enabled.
NetBackup Access Control (NBAC) is the role-based access control that is used for master servers, media servers, and clients. NBAC can be used in situations where you want to:
- Use a set of permissions for different levels of administrators for an application. A backup application can have operators (who perhaps load and unload tapes). It can have local administrators (who manage the application within one facility). It can also have overall administrators who may have responsibility for multiple sites and determine backup policy. Note that this feature is very useful in preventing user errors: if junior-level administrators are restricted from certain operations, they are prevented from making inadvertent mistakes.
- Separate administrators so that root permission to the system is not required to administer the application. You can then separate the administrators for the systems themselves from the ones who administer the applications.
The following table lists the NBAC considerations.

Table: NBAC considerations (columns: Consideration or issue / Description or resolution)

Consideration or issue: Prerequisites before you configure NBAC
Description or resolution: This prerequisites list can help you before you start to configure NBAC. These items ensure an easier installation. The following list contains the information for this installation:

Consideration or issue: Determine if the master server, media server, or client is to be upgraded
Description or resolution: Determine if the master server, media server, or client is to be upgraded as follows:

Consideration or issue: Information about roles
Description or resolution: Determine the roles in the configuration as follows:

Consideration or issue: NBAC license requirements
Description or resolution: No license is required to turn on the access controls.

Consideration or issue: NBAC and KMS permissions
Description or resolution: Typically, when NBAC is in use and the bpnbaz -setupmaster command is run, the NetBackup-related group permissions (for example, NBU_Admin and KMS_Admin) are created, and the default root and administrator users are added to those groups. In some cases the root and administrator users are not added to the KMS group when NetBackup is upgraded. The solution is to grant the root and administrator users the NBU_Admin and KMS_Admin permissions manually.

Consideration or issue: Windows Server Failover Clustering (WSFC) error messages while unhooking shared security services from PBX
Description or resolution: In WSFC environments, running the bpnbaz -UnhookSharedSecSvcsWithPBX <virtualhostname> command can trigger error messages. However, the shared Authentication and Authorization services are successfully unhooked from PBX, and the errors can be ignored.

Consideration or issue: Possible cluster node errors
Description or resolution: In a clustered environment, when the bpnbaz -setupmaster command is run in the context of the local Administrator, the AUTHENTICATION_DOMAIN entries may not contain the other cluster node entries. In such a case, these entries must be manually added from Host Properties into the

Consideration or issue: Catalog recovery fails when NBAC is set to REQUIRED mode
Description or resolution: If NBAC is running in REQUIRED mode and a catalog recovery was performed, NBAC needs to be reset from PROHIBITED mode back to REQUIRED mode.

Consideration or issue: Policy validation fails in NBAC mode (USE_VXSS = REQUIRED)
Description or resolution: Backup, restore, and verification of a snapshot policy can fail in NBAC-enabled mode if one of the following has been done:

Consideration or issue: The bpnbaz -setupmaster command fails with the error "Unable to contact Authorization Service"
Description or resolution: If a user other than an Administrator tries to modify NetBackup security, bpnbaz -setupmaster fails. Only the user 'Administrator', who is a member of the Administrators group, has permission to modify NetBackup security and enable NBAC.

Consideration or issue: Failure of authentication broker configuration during installation
Description or resolution: An invalid domain name configuration on the system causes the configuration of the authentication broker to fail. To correct this problem, use the bpnbaz -configureauth command to configure the authentication broker. For information about the bpnbaz command, see the NetBackup Commands Reference Guide.

Consideration or issue: NetBackup GUI errors may occur if NBAC is enabled on a system that previously had Enhanced Auditing enabled
Description or resolution: When switching the NetBackup server from Enhanced Auditing to NBAC, make sure that all directories that are named after users are deleted in the following directory:
The following topic contains more details:
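As an added example (not code from this guide or from Veritas), the POSIX shell check below verifies two states the table warns about on a master server: USE_VXSS left at PROHIBITED after a catalog recovery, and AUTHENTICATION_DOMAIN entries that omit a cluster node. It assumes the legacy bp.conf "KEY = VALUE" layout with the broker host as a field of each AUTHENTICATION_DOMAIN entry; the sample files, domain name and host names are constructed.

```shell
#!/bin/sh
# Added example, not from the NetBackup guide. Assumes bp.conf-style
# "KEY = VALUE" lines with the broker host as a field of each
# AUTHENTICATION_DOMAIN entry; sample files and host names are constructed.

# Print the USE_VXSS mode recorded in the file (empty if absent).
nbac_mode() {
  awk '$1 == "USE_VXSS" { print $3; exit }' "$1"
}

# Return 0 only if every expected node is named in an AUTHENTICATION_DOMAIN entry.
check_auth_domain_nodes() {
  conf="$1"; shift
  missing=""
  for node in "$@"; do
    awk -v node="$node" '
      $1 == "AUTHENTICATION_DOMAIN" { for (i = 3; i <= NF; i++) if ($i == node) found = 1 }
      END { exit found ? 0 : 1 }' "$conf" || missing="$missing $node"
  done
  if [ -n "$missing" ]; then
    echo "no AUTHENTICATION_DOMAIN entry for:$missing" >&2
    return 1
  fi
}

# Combine both checks; a non-zero result means an operator needs to act.
nbac_report() {
  conf="$1"; shift
  rc=0
  case "$(nbac_mode "$conf")" in
    REQUIRED) ;;
    PROHIBITED) echo "USE_VXSS is PROHIBITED (seen after catalog recovery); reset to REQUIRED" >&2; rc=1 ;;
    *) echo "USE_VXSS is not REQUIRED" >&2; rc=1 ;;
  esac
  check_auth_domain_nodes "$conf" "$@" || rc=1
  return $rc
}

# Constructed samples: a healthy master and one showing both problems.
SAMPLE_OK=$(mktemp)
cat >"$SAMPLE_OK" <<'EOF'
USE_VXSS = REQUIRED
AUTHENTICATION_DOMAIN = NBU.EXAMPLE "NetBackup domain" vx node1.example.com 0
AUTHENTICATION_DOMAIN = NBU.EXAMPLE "NetBackup domain" vx node2.example.com 0
EOF
SAMPLE_BAD=$(mktemp)
cat >"$SAMPLE_BAD" <<'EOF'
USE_VXSS = PROHIBITED
AUTHENTICATION_DOMAIN = NBU.EXAMPLE "NetBackup domain" vx node1.example.com 0
EOF
```

Run nbac_report against the real bp.conf path with every cluster node name as an argument; the messages name which of the two conditions needs correcting.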