NetBackup 7.7.2 - BPCD_WHITELIST_PATH will cause NetBackup commands to fail with "file open failed" or "unable to write to progress log" if not configured

NetBackup 7.7.2 - BPCD_WHITELIST_PATH will cause NetBackup commands to fail with "file open failed" or "unable to write to progress log" if not configured

Article: 100032284
Last Published: 2020-08-06
Ratings: 8 3
Product(s): NetBackup

Problem

After upgrading to NetBackup 7.7.2 or higher, running NetBackup commands, like bpbackup, fail with Error 12 - "file open failed" or "unable to write to progress log".

Bpbackup
bpbackup -w 0 -p Prod_Offline_SQL -s Monthly_Full -h server1 -L "F:\Tapebackup\Log\NB_Monthly_SQL.log" "F:\mssql\backup"

Example Error:
EXIT STATUS 12: file open failed

Bpduplicate 
bpduplicate -backupid server1_1479312904 -dstunit AdvancedDisk -L /root/duplication.log

Note that the console output reports a successful duplication and no errors.

Activity monitor job id = 1821
INF - Skipping copy 2 of backup id server1_1479312904, is not required copy 1.
INF - Skipping copy 3 of backup id server1_1479312904, is not required copy 1.
INF - Destination storage unit AdvancedDisk on host nbumaster.labs.veritas.com
INF - Duplicating policy Linux schedule FULL backup id server1_1479312904 copy 1 created on 11/16/2016 08:15:04 on source path @aaaab
INF - Duplicate of backupid server1_1479312904 successful.
INF - Status = successfully duplicated 1 of 1 images .

On viewing the progress log file however, it reveals that it was created but was not populated with any output from the NetBackup command.

ls -al /root/d*
-rw-------. 1 root root    0 Dec  5 16:03 /root/duplication.log

On further investigation, if a review of the Admin log is preformed, the cause of the error becomes obvious.

Admin Log 
15:56:38.086 [30828] <8> open_progress_log: cannot open progress file /root/duplication.log on sclr710-07, error = 6000
15:56:38.086 [30828] <8> open_progress_log: Access to /root/duplication.log denied: The provided path is not whitelisted

Error Message

NetBackup Status Code 12 -  "file open failed"  or  "unable to write to progress log"
* This error is seen on the console or Job Details

NetBackup Status Code 6000 - "The provided path is not whitelisted"
* This error is seen when viewing the Admin log on the Master

Cause

A new security feature introduced in NetBackup 7.7.2 is the BPCD_WHITELIST_PATH. If left unconfigured, NetBackup will deny access to creating files that are specified outside of the following paths:
  • NetBackup executable file paths
  • Default location for progress log, rename files, etc.
  • NetBackup configuration files
  • NetBackup logs folder
  • NetBackup temp folders
  • Operating System Temp folders
NetBackup will return error codes 12 or 6000 when a NetBackup command attempts to create a file (rename file, progress log, etc) outside of the paths allowed by the BPCD_WHITELIST_PATH setting. This feature applies to Master, Media and Client servers at 7.7.2 and above.

Solution

How to view, add or modify the BPCD_WHITELIST_PATH

To view, add or modify the current BPCD_WHITELIST_PATH settings, use the nbgetconfig and the nbsetconfig commands.
Refer to the NetBackup Command Reference Guide for usage details

 

Viewing the current BPCD_WHITELIST_PATH settings 

The easiest way to view the BPCD_WHITELIST_PATH settings is to use the command bpgetconfig.

Unix/Linux - /usr/openv/netbackup/bin/admincmd/bpgetconfig
Windows - C:\Program Files\Veritas\NetBackup\bin\admincmd>bpgetconfig

Use the bpgetconfig command line to display existing “BPCD_WHITELIST_PATH=” entries on a NetBackup system from its local console:

Unconfigured - setting will appear empty
>bpgetconfig BPCD_WHITELIST_PATH
BPCD_WHITELIST_PATH

Configured - paths will appear for previously configured entries
>bpgetconfig BPCD_WHITELIST_PATH
BPCD_WHITELIST_PATH = /root
BPCD_WHITELIST_PATH = /disk
BPCD_WHITELIST_PATH = /var/log

 

Adding or Editing the BPCD_WHITELIST_PATH settings 

Record the entries collected with bpgetconfig before adding or modifying the “BPCD_WHITELIST_PATH=” paths on a server. Whenever modifying the BPCD_WHITE_LIST setting with bpsetconfig, the tool overwrites existing entries and all previous whitelist entries are removed. To add entries, add all previous entries first. Then add each new path to be added. When folders are added to the whitelist, all of the sub-folders are allowed by the whitelist as well. Avoid creating a security issue by specifying a custom directory that does not reside within a sensitive area of the Operating System volume. Use this dedicated location for custom logging or other non-standard NetBackup files. 

Note:  Wildcard characters in “BPCD_WHITELIST_PATH” are not allowed.  


Option #1: From the NetBackup Master server, use bpsetconfig to add the paths

C:\Program Files\Veritas\NetBackup\bin\admincmd\bpsetconfig -h <client_name>
bpsetconfig> BPCD_WHITELIST_PATH=/home/NBuser
bpsetconfig> BPCD_WHITELIST_PATH=/home/shared
bpsetconfig> (<Ctrl> - D) + enter for UNIX
                    (<Ctrl> - Z) + enter for WINDOWS


Option #2: From the Client, manually add the paths to the registry or bp.conf

Windows:

Add the BPCD_WHITELIST_PATH to the Registry on the Client

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Veritas\NetBackup\CurrentVersion\Config
Create a MULTI-STRING called BPCD_WHITELIST_PATH
- In the right hand area  right click > new > multi-string value give it the name  BPCD_WHITELIST_PATH
- double click and add on your separate lines for the correct paths you want to use, e.g.:

F:\Tapebackup\Log\NB_DB.log
F:\mssql\backup

UNIX:
 
Using a file editor, edit the bp.conf file and manually add the entries. Add a new line for each entry.
vi /usr/openv/netbackup/bp.conf

BPCD_WHITELIST_PATH = /tmp
BPCD_WHITELIST_PATH = /root
 
Note: From NetBackup Version 8.1.2. operating system temporary folders no longer need to be manually added to whitelists.

Was this content helpful?