Veritas NetBackup™ 8.0 Security and Encryption Guide
- Increasing NetBackup security
- Security deployment models
- Port security
- About NetBackup daemons, ports, and communication
- Additional port information for products that interoperate with NetBackup
- About configuring ports
- Auditing NetBackup operations
- Configuring Enhanced Auditing
- Access control security
- NetBackup Access Control Security (NBAC)
- Configuring NetBackup Access Control (NBAC)
- Configuring Access Control host properties for the master and media server
- Access Control host properties dialog for the client
- Troubleshooting Access Management
- Windows verification points
- UNIX verification points
- Verification points in a mixed environment with a UNIX master server
- Verification points in a mixed environment with a Windows master server
- About determining who can access NetBackup
- Viewing specific user permissions for NetBackup user groups
- Security certificates in NetBackup
- Overview of security certificates in NetBackup
- About the Security Management utilities
- About host name-based certificates
- About host ID-based certificates
- Using the Certificate Management utility to issue and deploy host ID-based certificates
- About certificate deployment security levels
- Setting up trust with the master server (Certificate Authority)
- About reissuing host ID-based certificates
- About Token Management for host ID-based certificates
- About revoking host ID-based certificates
- Security certificate deployment in a clustered NetBackup setup
- About deployment of a host ID-based certificate on a clustered NetBackup host
- About deploying a new host ID-based certificate
- Data at rest encryption security
- About NetBackup client encryption
- Configuring standard encryption on clients
- About configuring standard encryption from the server
- Configuring legacy encryption on clients
- About configuring legacy encryption from the client
- About configuring legacy encryption from the server
- Additional legacy key file security for UNIX clients
- Data at rest key management
- About the Key Management Service (KMS)
- Installing KMS
- Configuring KMS
- About key groups and key records
- Overview of key record states
- Configuring NetBackup to work with KMS
- About using KMS for encryption
- KMS database constituents
- Command line interface (CLI) commands
- About exporting and importing keys from the KMS database
- Troubleshooting KMS
Using the nbac_cron utility
The following steps help you to create credentials to execute cron jobs.
Using the nbac_cron utility to run cron jobs
- Run the command nbac_cron-addCron as root or administrator on the master server.
root@amp# /usr/openv/netbackup/bin/goodies/nbac_cron -AddCron
# nbac_cron -AddCron
This application will generate a Veritas private domain identity that can be used in order to run unattended cron and/or at jobs.
User name to create account for (e.g. root, JSmith etc.): Dan
Password:*****
Password:*****
Access control group to add this account to [NBU_Admin]:
Do you with to register this account locally for root(Y/N) ? N
In order to use the account created please login as the OS identity that will run the at or cron jobs. Then run nbac_cron -setupcron or nbac_cron -setupat. When nbac_cron -setupcron or nbac_cron -setupat is run the user name, password and authentication broker will need to be supplied. Please make note of the user name, password, and authentication broker. You may rerun this command at a later date to change the password for an account.
Operation completed successfully.
If you do not explicitly specify an access control group (for example, NBU_Operator or Vault_Operator) to add the user to, the cron user (Dan here), is added to the NBU_Admin group.
If you respond with a 'Yes' to register the account locally for root, the nbac_cron - SetupCron command is automatically executed for the cron_user as root. If you plan to run the cron jobs as a non-root OS user then you should say 'No' here and manually run the nbac_cron - SetupCron command as that non-root OS user.
An identity is generated in the Veritas private domain. This identity can be used to run the cron jobs.
- Now, run the nbac_cron-SetupCron command as the OS user who wants to execute the cron jobs to obtain credentials for this identity.
[dan@amp ~]$ /usr/openv/netbackup/bin/goodies/nbac_cron -SetupCron
This application will now create your cron and/or at identity.
Authentication Broker: amp.sec.punin.sen.veritas.com
Name: Dan
Password:*****
You do not currently trust the server: amp.sec.punin.sen.veritas.com, do you wish to trust it? (Y/N): Y
Created cron and/or at account information. To use this account in your own cron or at jobs make sure that the environment variable VXSS_CREDENTIAL_PATH is set to "/home/dan/.vxss/credentials.crat"
Operation completed successfully.
The 'You do not currently trust' the server message is only shown once if you have not already trusted the broker.
The credential is created in the user's home directory atuser/.vxss/credentials.crat. The credential is valid for a year from the time when it is generated.
If required, you can check the credential details as shown:
dan@amp~]$ /usr/openv/netbackup/bin/bpnbat -whoami -cf ~dan/.vxss/credentials.crat
Name: CronAt_dan
Domain: CronAtUsers@amp.sec.punin.sen.veritas.com
Issued by: /CN=broker/OU=amp.sec.punin.sen.veritas.com
Expiry Date: Feb 4 13:36:08 2016 GMT
Authentication method: Veritas Private Domain
Operation completed successfully.
You must re-run the SetupCron operation (Step 2) to renew the credential before it expires.
- You can now create your own cron jobs. Ensure that the VXSS_CREDENTIAL_PATH path is set to point to the credentials you created above before you schedule any new job.