Veritas NetBackup™ 8.0 Security and Encryption Guide
Installing and configuring NetBackup Access Control (NBAC) on clients
The following procedure describes how to install and configure NetBackup Access Control (NBAC) on clients in a NetBackup configuration. The target client should be running the NetBackup client software version 7.5 or later.
- Make sure that no backups are currently running for the client computer.
- Log on to the master server computer as the UNIX root or the Windows administrator.
- Check that the authentication daemon (nbatd) is running. If it is not, start the authentication daemon.
- Go to the NBU_INSTALL_PATH/bin directory.
- Log on as the NetBackup security administrator by using the following command:
bpnbat -Login
Note: The UNIX root user and the Windows administrator on the master server are the default NetBackup security administrators.
The following information is displayed.
Authentication Broker [master.server.com is default]:
Authentication port [0 is default]:
Authentication type (NIS, NISPLUS, WINDOWS, vx, unixpwd) [unixpwd is default]:
Domain [master.server.com is default]:
Login Name [root is default]:
Password:
Operation completed successfully.
- Run bpnbaz -SetupClient with the described options.
Note that this command does not work unless you specify either an individual host or the -all option.
See NBAC configure commands summary.
First do a dry run to see all of the clients that are visible to the master server. Use this process for the companies that have a large number of clients (greater than 250). The -dryrun option can be used with both the -all and single client configuration. By default, the discovered host list is written to the file SetupClient.nbac in the same directory. You can also provide your own output file name by using the -out <output file> option. If you use your own output file, pass it to the subsequent runs with the -file option. For example, you can use the following command:
bpnbaz -SetupClient -all -dryrun [-out <outfile>]
or
bpnbaz -SetupClient <client.host.com> -dryrun [-out <outfile>]
After the dry run, check the client host names and run the same command without the -dryrun option. For example, use the following command:
bpnbaz -SetupClient -all
or
bpnbaz -SetupClient -file SetupClient.nbac
or
bpnbaz -SetupClient <client.host.com>
The -all option runs with the clients known to the master server. It can take time to address all the clients in a large environment (greater than 250).
The -all client listing updates the credentials on all clients. It can take some time and resources; instead, use the -file option to update a subset of the clients. You can run the same command multiple times, until all the clients in the progress file are successfully configured. The status for each client is updated in the input file. The ones that succeeded in each run are commented out for the subsequent runs. A smaller subset is left for each successive run. Use this option if you have added a number of clients (greater than 250). Target the ones you want to update at that time.
The -images option with -all looks for client host names in the image catalogs. It can return decommissioned hosts in larger environments. Run the -all -dryrun options with the -images option to determine which hosts should be updated.
- Restart the client services on the specific clients once the installation is finished.
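The check between the dry run and the real run can be scripted. The following is an added example, not part of the Veritas guide: it compares a dry-run host list with an inventory of hosts that are still in service, so that decommissioned hosts are set aside for review instead of being passed to the -file option. It assumes the list holds one host name per line with comment lines starting with #; inventory.txt, approved.nbac, review.txt and the example.com host names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the guide): vet a dry-run host list before running
#   bpnbaz -SetupClient -file <file>
# ASSUMPTIONS: one host name per line; lines starting with '#' are comments;
# inventory.txt is a hypothetical list of hosts that are still in service.
LC_ALL=C; export LC_ALL

# normalize FILE: strip comments and blanks, trim, lowercase, sort uniquely
normalize() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
        grep -v '^$' | tr '[:upper:]' '[:lower:]' | sort -u
}

# split_hosts DRYRUN INVENTORY APPROVED_OUT REVIEW_OUT
# Writes hosts found in both files to APPROVED_OUT, hosts found only in the
# dry-run list to REVIEW_OUT, and prints the number of hosts needing review.
split_hosts() {
    tmp_d=$(mktemp) && tmp_i=$(mktemp) || return 1
    normalize "$1" > "$tmp_d"
    normalize "$2" > "$tmp_i"
    comm -12 "$tmp_d" "$tmp_i" > "$3"   # discovered and in inventory
    comm -23 "$tmp_d" "$tmp_i" > "$4"   # discovered, not in inventory
    rm -f "$tmp_d" "$tmp_i"
    wc -l < "$4" | tr -d ' '
}

# Demonstration on constructed sample data (no NetBackup commands are run).
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample dry-run list' 'Client1.example.com' \
        'client2.example.com' 'oldhost.example.com' > "$dir/SetupClient.nbac"
    printf '%s\n' 'client1.example.com' 'client2.example.com' \
        'client3.example.com' > "$dir/inventory.txt"
    n=$(split_hosts "$dir/SetupClient.nbac" "$dir/inventory.txt" \
        "$dir/approved.nbac" "$dir/review.txt")
    echo "approved: $(tr '\n' ' ' < "$dir/approved.nbac")"
    echo "needs review ($n): $(tr '\n' ' ' < "$dir/review.txt")"
    rm -rf "$dir"
}
demo
# After reviewing review.txt, pass the approved list to the real run:
#   bpnbaz -SetupClient -file approved.nbac
```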