Veritas NetBackup™ Logging Reference Guide
- Using logs
- Changing the logging levels
- About unified logging
- About legacy logging
- Backup process and logging
- Media and device processes and logging
- Restore process and logging
- Advanced backup and restore features
- Storage logging
- NetBackup Deduplication logging
- OpenStorage Technology (OST) logging
- Storage lifecycle policy (SLP) and Auto Image Replication (A.I.R.) logging
- NetBackup secure communication logging
- NetBackup proxy helper logging
- NetBackup proxy tunnel logging
- Snapshot technologies
- Locating logs
- NetBackup Administration Console logging
- Using the Logging Assistant
Setting up a secure channel between the NetBackup Administration Console and bpjava-*
The following steps describe the process flow to set up a secure channel between the NetBackup Administration Console and bpjava-*:
The following processes are used: bpjava-msvc, which controls the login and authentication; bpjava-susvc, which is the administration console process; and bpjava-usvc, which is the client Backup, Archive, and Restore (BAR) interface.
The user initiates a login to the console. The credentials are sent to bpjava-msvc over the SSL (using the Server Security Certificate).
The bpjava-msvc process authenticates the user who uses the user credentials that were received in step 1.
After the user is authenticated, the bpjava-msvc process performs the following:
Generates the entities that are called the self-signed session certificate, the key, and the session token.
Launches the daemon bpjava-*usvc to gather more requests from the NetBackup Administration Console.
Passes the self-signed session certificate and the session token to bpjava-*usvc.
The bpjava-*usvc process uses a session certificate as a Server Security Certificate for the SSL channel. It uses the session token to authenticate the NetBackup Administration Console. The console does not use credentials while it connects to the bpjava-*usvc process. The NetBackup Administration Console uses the session token for authentication.
Sends the session token and the fingerprint of the session certificate to the NetBackup Administration Console.
Persists session token and user information to a secure directory (
install_path/var; for example,
/usr/openv/var) in a file on the NetBackup host. This directory is accessible only to the root/administrator. The file name format is as follows:
msvc saves this information so it can be used by nbsl or nbvault to authenticate the NetBackup Administration Console.
The msvc process stops the execution and exits.
bpjava-*usvc uses the session certificate to start the secure channel with the NetBackup Administration Console. This secure channel is a one-way authenticated SSL channel. (Only the server certificate is present and there is no peer certificate. There is no certificate from the NetBackup Administration Console side.)
The NetBackup Administration Console receives the session certificate as a part of the initial SSL handshake. It verifies the authenticity of the session certificate by using the pre-existing fingerprint of the session certificate (see step 3). The NetBackup Administration Console calculates the fingerprint of the session certificate that was received from bpjava-*usvc due to the SSL handshake. It compares the new fingerprint with the fingerprint sent by msvc.
Once the authenticity of the certificate is verified, the NetBackup Administration Console sends the session token (received in step 3) to bpjava-*usvc.
bpjava-*usvc verifies the received session token with the pre-existing one (see step 3).
The success of the session token validation creates trust between bpjava-*usvc and the NetBackup Administration Console.
All further communication occurs between bpjava-*usvc and the NetBackup Administration Console on this trusted secure channel.