Veritas NetBackup™ Security and Encryption Guide
Changing the web service user account
To change the web service user account, use the wmcUtils utility script. The script does not validate whether the web service user and group exist. Before you use it, ensure that the web service user and the group exist and that the user is a member of the group. Consider the following when changing the web service user account:
- If your environment uses Windows domain users, use the DOMAIN\USER format.
- If you use a clustered environment on a Windows platform, the NetBackup web services user account must be a DOMAIN user. (Example: AD user)
- If you use non-clustered environments, the NetBackup web service user can be a local or a domain user.
- If you use a clustered environment on Linux or UNIX platforms, the NetBackup web service user can be a local user. Additionally, the group can be a local group. The NetBackup web service user must have the same name and UID on all nodes of the cluster. Also, the group must have the same name and GID on all nodes of the cluster. It is recommended to use domain users (Example: NIS) for clustered environments.
Note:
Do not use the logged-on user to run the wmcUtils utility script. If you are logged in to an environment as my_domain\my_user, you cannot use this account to run the NetBackup Web Management Console service. NetBackup does not support this scenario.
To change the web service user account on Windows
- Open command prompt.
- Change the directory to:
install_path\wmc\bin\install
- Run wmcUtils.bat -changeUser to change the web service user.
Example: (nbwebsvc1 is the web service user and nbwebgrp1 is the user group that nbwebsvc1 is a member of)
wmcUtils.bat -changeUser nbwebsvc1 nbwebgrp1
For more information about the wmcUtils.bat utility script, use the wmcUtils.bat -help option.
- (Conditional) If using a clustered environment, run wmcUtils.bat -changeUser on the active and the inactive nodes.
- Enter the password for the web service user (example: nbwebsvc1) when prompted by the script.
The NetBackup Web Management Console service is restarted when the correct password is entered. If you enter an incorrect password, a Logon failure error is displayed before the NetBackup Web Management Console service starts.
- To verify that the web service user is changed, ensure that the following command works:
install_path\bin\nbcertcmd.exe -ping
Note:
The output of the wmcUtils.bat utility script is captured in nbwmc_support.log. The log is located here: install_path\wmc\webserver\logs\nbwmc_support.log
To change the web service user account on Linux or UNIX
- Open a shell.
- Change the directory to:
/usr/openv/wmc/bin/install
- Run wmcUtils -changeUser to change the web service user.
Example: (nbwebsvc1 is the web service user and nbwebgrp1 is the user group that nbwebsvc1 is a member of)
/usr/openv/wmc/bin/install/wmcUtils -changeUser nbwebsvc1 nbwebgrp1
For more information about the wmcUtils utility script, use the wmcUtils -help option.
- (Conditional) If using a clustered environment, run wmcUtils -changeUser on the active and the inactive nodes.
- Enter the password for the web service user (example: nbwebsvc1) when prompted by the script.
The NetBackup Web Management Console service is restarted when the correct password is entered. If you enter an incorrect password, a Logon failure error is displayed before the NetBackup Web Management Console service starts.
- To verify that the web service user is changed, ensure that the following command works:
/usr/openv/netbackup/bin/nbcertcmd -ping
Note:
The output of the wmcUtils utility script is captured in nbwmc_support.log. The log is located here: /usr/openv/wmc/webserver/logs/nbwmc_support.log
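Because wmcUtils does not validate that the user and group exist, the following pre-flight check for the Linux or UNIX procedure confirms the account, the group, and the membership before -changeUser is run, and prints the name, UID and GID to compare across cluster nodes. It is an added example, not part of the NetBackup product or its documentation; the function names are hypothetical and it assumes getent(1) is available on the host.

```shell
#!/bin/sh
# Pre-flight check before running wmcUtils -changeUser (added example).
# Entries are in getent(1) format; constructed samples:
#   nbwebsvc1:x:1501:1600:web svc:/home/nbwebsvc1:/bin/sh
#   nbwebgrp1:x:1600:

# in_group PASSWD_LINE GROUP_LINE
# Succeeds if the user's primary GID is the group's GID, or the user
# appears in the group's member list (exact name match, not a prefix).
in_group() {
    user=$(printf '%s\n' "$1" | cut -d: -f1)
    pgid=$(printf '%s\n' "$1" | cut -d: -f4)
    ggid=$(printf '%s\n' "$2" | cut -d: -f3)
    members=$(printf '%s\n' "$2" | cut -d: -f4)
    [ -n "$user" ] && [ -n "$ggid" ] || return 1
    [ "$pgid" = "$ggid" ] && return 0
    case ",$members," in
        *",$user,"*) return 0 ;;
    esac
    return 1
}

# account_ids PASSWD_LINE GROUP_LINE -> "user:UID:group:GID"
# In a cluster this string must be identical on every node.
account_ids() {
    printf '%s:%s:%s:%s\n' \
        "$(printf '%s\n' "$1" | cut -d: -f1)" \
        "$(printf '%s\n' "$1" | cut -d: -f3)" \
        "$(printf '%s\n' "$2" | cut -d: -f1)" \
        "$(printf '%s\n' "$2" | cut -d: -f3)"
}

# preflight USER GROUP: resolve through getent so NIS or other domain
# accounts are found, not only entries in /etc/passwd and /etc/group.
preflight() {
    p=$(getent passwd "$1") || { echo "user $1 not found" >&2; return 1; }
    g=$(getent group "$2")  || { echo "group $2 not found" >&2; return 1; }
    in_group "$p" "$g" || { echo "$1 is not in $2" >&2; return 1; }
    account_ids "$p" "$g"
}

# Runs only when a user and group are given, for example:
#   sh preflight.sh nbwebsvc1 nbwebgrp1
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```

Run it on the active and the inactive nodes and compare the printed lines; any difference in UID or GID means the account does not meet the cluster requirement stated above.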