Veritas NetBackup™ 8.0 Security and Encryption Guide
About access control in NetBackup
NetBackup provides the following types of access control:
- The NetBackup Admin Console (default). Access control is limited to the NetBackup Administration Console. (Interfaces like the Backup, Archive, and Restore client and the NetBackup MS SQL Client are not affected.) Any non-root or non-administrator user can access the NetBackup Administration Console. Access control is view-based, not role-based. The auth.conf file defines the NetBackup applications that users can access. A user must be a root user or administrator to perform NetBackup operations with the CLI. For detailed information about access control with the NetBackup Administration Console, refer to the NetBackup Administrator's Guide, Volume I.
- Enhanced Auditing. This feature allows a non-root user or a non-administrator to perform all the NetBackup operations through a command line interface or the NetBackup Administration Console. The user is authorized to either perform all operations or no operations. This feature does not offer role-based access control.
- NetBackup Access Control (NBAC). NBAC is the role-based access control provided with NetBackup. It provides access control for master servers, media servers, and clients in situations where you want to:
  - Use a set of permissions for different levels of administrators for an application. A backup application can have operators (to monitor jobs) or administrators (with full permission to access, configure, and operate any NetBackup authorization object). You can also have Security administrators who can only configure access control.
  - Separate the administrators, so that root or administrator permissions are not required to administer the system. You can have administrators for the systems who are separate from the administrators for applications.
Refer to the following table for key differences between the access control methods:
Access and auditing | NetBackup Admin Console and auth.conf | Enhanced Auditing | NBAC |
---|---|---|---|
Who can use the NetBackup Admin Console? | Root users and administrators have full access to the Admin Console. Non-root users or non-administrators are limited to the Backup, Archive, and Restore application by default. Otherwise, these users can access the applications defined for them in the auth.conf file. | Root users, administrators, and NetBackup administrators have full access to the Admin Console. Non-root users or non-administrators are limited to the Backup, Archive, and Restore application by default. | Root users and administrators have full access to the Admin Console. A user's NBAC group membership determines which applications they are authorized to use. |
Who can use the CLI? | Root users and administrators have full access to the CLI. | Root users, administrators, and NetBackup administrators have full access to the CLI. | Root users or administrators have full access to the CLI. Users authorized by NBAC can use the CLI. Their NBAC group membership determines which commands they are authorized to use. |
How is a user audited? | As root or administrator | With the real user name | With the real user name |
Compatibility with other features | Enhanced Auditing | NBAC works independently. | NetBackup Admin Console and Enhanced Auditing is not compatible with NBAC. |
Refer to the following flowcharts for details about the different access control methods.