Veritas NetBackup™ Security and Encryption Guide
- Increasing NetBackup security
- Security deployment models
- Port security
- About NetBackup daemons, ports, and communication
- Additional port information for products that interoperate with NetBackup
- About configuring ports
- Auditing NetBackup operations
- About Enhanced Auditing
- Access control security
- NetBackup Access Control Security (NBAC)
- Configuring NetBackup Access Control (NBAC)
- Configuring Access Control host properties for the master and media server
- Access Control host properties dialog for the client
- Troubleshooting Access Management
- Windows verification points
- UNIX verification points
- Verification points in a mixed environment with a UNIX master server
- Verification points in a mixed environment with a Windows master server
- About determining who can access NetBackup
- Configuring user groups
- About defining a user group and users
- Viewing specific user permissions for NetBackup user groups
- About AD and LDAP domains
- Security management using NetBackup CA and NetBackup certificates
- About the Security Management utilities
- About audit events
- About host management
- Adding shared or cluster mappings
- Allowing or disallowing automatic certificate reissue
- About global security settings
- About host name-based certificates
- About host ID-based certificates
- Using the Certificate Management utility to issue and deploy host ID-based certificates
- About NetBackup certificate deployment security levels
- Setting up trust with the master server (Certificate Authority)
- About reissuing host ID-based certificates
- About Token Management for host ID-based certificates
- About the host ID-based certificate revocation list
- About revoking host ID-based certificates
- Host ID-based certificate deployment in a clustered setup
- About deployment of a host ID-based certificate on a clustered NetBackup host
- External CA support in NetBackup
- About external CA support in NetBackup
- Configuration options for external CA-signed certificates
- ECA_CERT_PATH for NetBackup servers and clients
- About certificate revocation lists for external CA
- About certificate enrollment
- Configuring an external certificate for the NetBackup web server
- About external certificate configuration for a clustered master server
- Configuration options for external CA-signed certificates for a virtual name
- About API keys in NetBackup
- Data at rest encryption security
- About NetBackup client encryption
- Configuring standard encryption on clients
- About configuring standard encryption from the server
- Configuring legacy encryption on clients
- About configuring legacy encryption from the client
- About configuring legacy encryption from the server
- Additional legacy key file security for UNIX clients
- Data at rest key management
- About the Key Management Service (KMS)
- Installing KMS
- Configuring KMS
- About key groups and key records
- Overview of key record states
- Configuring NetBackup to work with KMS
- About using KMS for encryption
- KMS database constituents
- Command line interface (CLI) commands
- About exporting and importing keys from the KMS database
- Troubleshooting KMS
- Regenerating keys and certificates
- NetBackup web services account
Configuration and troubleshooting topics for NetBackup Authentication and Authorization
The following table lists helpful configuration and troubleshooting topics and tips for NetBackup Authentication and Authorization. In addition, the table also contains information about a few known issues and tips to resolve them:
Table: Configuration and troubleshooting topics and tips for NetBackup Authentication and Authorization
Verifying master server settings
bpnbat -whoami -cf "c:\program Files\veritas\netbackup\var\vxss\credentials\ master.company.com "Name: master.company.com Domain: NBU_Machines@master.company.com Issued by: /CN=broker/OUemail@example.com/O=vx Expiry Date: Oct 31 20:17:51 2007 GMT Authentication method: Veritas Private Security Operation completed successfully.
If the domain listed is not NBU_Machines@master.company.com, consider running bpnbat -addmachine for the name in question (master). The command is run on the computer that serves the NBU_Machines domain (master).
Then, on the computer where you want to place the credentials, run: bpnbat -loginmachine
Establishing root credentials
If you have problems setting up either the authentication server or authorization server, and the application complains about your credentials as root: ensure that the $HOME environmental variable is correct for root.
Use the following command to detect the current value:
This value should agree with root's home directory, which can be typically found in the /etc/passwd file.
Note that when switching to root, you may need to use:
instead of only su to correctly condition the root environment variables.
Expired credentials message
If your credential has expired or is incorrect, you may receive the following message while running a bpnbaz or bpnbat command:
Supplied credential is expired or incorrect. Please reauthenticate and try again.
Run bpnbat -Login to update an expired credential.
Useful debug logs
The following logs are useful to debug NetBackup Access Control:
On the master: admin, bpcd, bprd, bpdbm, bpjobd, bpsched
On the client: admin, bpcd
Access control: nbatd, nbazd.
If the master server uses NetBackup Access Control (NBAC) in the REQUIRED mode and the EMM database is remote, the logging information appears in the bpdbm log.
See the NetBackup Troubleshooting Guide for instructions on proper logging.
Uninstalling NetBackup Authentication and Authorization Shared Services
Using installics, select the option for uninstalling authentication and authorization. The following directories should be empty after uninstalling:
/opt/VRTSat and /opt/VRTSaz
/etc/vx/vss /var/VRTSat and /var/VRTSaz
Use the Windows Add/Remove Programs panel from the Control Menu to uninstall authentication and authorization. The \Veritas\Security directory should be empty after uninstalling.
Unhooking Shared AT from PBX
When NetBackup is upgraded and NBAC was already enabled in a previous setup, the old Shared AT should be unhooked from PBX.
To unhook shared AT, run following command.
On UNIX platforms, run /opt/VRTSat/bin/vssat setispbxexchflag --disable.
On Windows x86, run C:\Program Files\VERITAS\Security\Authentication\bin\vssat setispbxexchflag --disable.
On Windows x64 , run C:\Program Files(x86)\VERITAS\Security\Authentication\bin\vssat setispbxexchflag --disable.
Where credentials are stored
The NetBackup Authentication and Authorization credentials are stored in the following directories:
User credentials: $HOME/.vxss
Computer credentials: /usr/openv/var/vxss/credentials/
How system time affects access control
Credentials have a birth time and death time. Computers with large discrepancies in system clock time view credentials as being created in the future or prematurely expired. Consider synchronizing system time if you have trouble communicating between systems.
NetBackup Authentication and Authorization ports
The NetBackup Authentication and Authorization daemon services use ports 13783 and 13722 for back-level media server and clients. The services use PBX connections.
You can verify that the processes are listening with the following commands:
netstat -an | grep 13783
netstat -a -n | find "13783"
netstat -an | grep 13722
netstat -a -n | find "13722"
Stopping NetBackup Authentication and Authorization daemons for Shared Services
When the NetBackup Authentication and Authorization services are stopped, stop authorization first, then stop authentication.
UNIX -Use the following commands.
To stop authorization use the term signal as shown in the example:
# ps -fed |grep nbazd root 17018 1 4 08:47:35 ? 0:01 ./nbazd root 17019 16011 0 08:47:39 pts/2 0:00 grep nbazd # kill 17018
To stop authentication use the term signal as shown in the example:
# ps -fed |grep nbatd root 16018 1 4 08:47:35 ? 0:01 ./nbatd root 16019 16011 0 08:47:39 pts/2 0:00 grep nbatd # kill 16018
Use the Services utility that Windows provides, since these services do not appear in the NetBackup Activity Monitor.
If you lock yourself out of NetBackup
You can lock yourself out of the NetBackup Administration Console if access control is incorrectly configured.
If this lockout occurs, use vi to read the bp.conf entries (UNIX) or regedit (Windows) to view the Windows registry in the following location:
You can look to see if the following entries are set correctly: AUTHORIZATION_SERVICE, AUTHENTICATION_DOMAIN, and USE_VXSS.
The administrator may not want to use NetBackup Access Control or does not have the authorization libraries installed. Make certain that the USE_VXSS entry is set to Prohibited, or is deleted entirely.
Backups of storage units on media servers might not work in an NBAC environment
The host name of a system in NetBackup domain (master server, media server, or
client) and host name that is specified in the
Using the nbac_cron utility
For more information about the nbac_cron utility:
nbac_cron.exe is found in the following location:
For detailed information about using the nbac_cron utility:
Enabling NBAC after a recovery on Windows
Use the following procedure to manually enable NBAC after a recovery on Windows.
On a cluster run the bpclusterutil -enableSvc nbatd and bpclusterutil -enable nbazd commands.
In cluster installations the setupmaster might fail
A known issue exists in the case of cluster installations, where the configuration file is on a shared disk, the setupmaster might fail.
Known issue on a cluster if shared security services (vxatd or vxazd) are clustered along with the master server
A known issue exists on a cluster if shared security services (vxatd or vxazd) are clustered along with the master server. When executing the bpnbaz -SetupMaster command and setting up security (NBAC), freeze the shared security services service groups persistently where applicable or offline the services (but make sure their shared disk is online), and run the setupmaster command.
Known issue in a clustered master server upgrade with NBAC, that all the AUTHENTICATION_DOMAIN entries in the
A known issue exists where in a clustered master server upgrade with NBAC, all the AUTHENTICATION_DOMAIN entries in the
Known issue on Windows 2003 dual stack computers
A known issue exists on Windows 2003 dual stack computers. You need Microsoft patch kb/928646 from http://support.microsoft.com/.
Known issue relating to access control failures and short and long host names
A known issue exists that includes failures with respect to access control. Determine if the short and long host names are properly resolvable and are resolving to the same IP address.
Known issue in a cluster upgrade with NBAC when the broker profile has ClusterName set to the virtual name of AT
A known issue exists in a cluster upgrade with NBAC when the broker profile has ClusterName set to the virtual name of AT. This is migrated as-is to the embedded broker. The embedded broker has UseClusterNameAsBrokerName set to 1 in its profile. When a request is sent for broker domain maps, it uses the virtual name of the shared AT as the broker name. The bpnbaz -GetDomainInfosFromAuthBroker returns none. In upgrades, the
Known issue of multiple instances of bpcd causing a possible error
A known issue exists where the bpnbaz -SetupMedia command, bprd uses the AT_LOGINMACHINE_RQST protocol to talk with bpcd on the destination box. A new instance of bpcd is spawned. After the command completes it tries to free a char array as a regular pointer possibly causing bpcd to core dump on the client side. Functionality should not be lost as this bpcd instance is only created temporarily and exits normally. The parent bpcd is unaffected.
Known issue with clusters using shared AT with configuration files on the shared drive
A known issue exists with clusters that use a shared AT with configuration files on the shared drive. Unhooking shared services only works on the node where this shared drive is accessible. Unhook fails on the remaining nodes. The implication of this is that while doing a bpnbaz -SetupMaster to manage remote broker parts fail. You will have to manually configure passive nodes. Run bpnbaz -SetupMedia for each passive node.
Known issue relating to database utilities supporting NBAZDB
A known issue exists in which some database utilities support NBAZDB and other database utilities do not.
The following database utilities support NBAZDB: nbdb_backup, nbdb_move, nbdb_ping, nbdb_restore, and nbdb_admin.
The following utilities do not support NBAZDB: nbdb_unload and dbadm.