nbu accss control340675


8/9/2019 nbu accss control340675

NBAC Windows Non HA

Symantec Product Authentication & Authorization tab
Authentication domain tab
Authorization Service tab
Client host properties
Access control host properties dialog for client
Symantec Product Authentication & Authorization tab for client
Authentication and authorization installation diagnostics and tools

About NBAC (NetBackup Access Control)

Access to NetBackup can be controlled by defining user groups and granting explicit permissions to these groups. Configuring user groups and assigning permissions is done using Access Management in the NetBackup Administration Console.

Note: You can find documents at the following Web site that can be helpful in your deployment of NBAC. See http://entsupport.symantec.com/docs/336967.

NBAC is an implementation of role-based access control. Role-based access control is used in situations where:

- One wants to have a set of permissions for different levels of administrators for an application. A backup application can have operators (who perhaps load and unload tapes). It can have local administrators (who manage the application within one facility). And it can have overall administrators who may have responsibility for multiple sites and who determine backup policy. Note that this feature is also highly useful in preventing user errors. If junior-level administrators are restricted from certain operations, they are prevented from making inadvertent mistakes.

- One wants to separate administrators so that root permission to the system is not required to administer the system. One can then separate the administrators of the systems themselves from the ones who administer the applications.

A role-based access control like NBAC has the following:

- Authentication, supplied by the Symantec Product Authentication Service (VxAT), determines if a person or entity should be considered legitimate for any operation in the application.

- Authorization, supplied by the Symantec Product Authorization Service (VxAZ), defines the scope of what a person or entity can do (the role).

Starting checklist

This prerequisites checklist can help before you start to configure NBAC. If you have these items, your installation is likely to go more smoothly. The following contains the information for this installation:

- The software for the NBU 7.0 NBAC installation can be found on the NBU DVDs.
- Remote login permission for the NetBackup Java Console (if this console is being used).
- Media servers must be configured with NBAC to enable non-root users to manage these servers.
- NetBackup Access Management relies on the use of home directories. Please refer to the OS documentation for the OS you are installing on for more details on home directories.

- No license is required for enabling NBAC.

Required specifics from your environment

- User name and password for the master server (root or administrator permission).
- Name of the master server.
- Names of all media servers that are connected to the master server.
- Names of all clients to be backed up.
- Host name or IP address for all items listed above.

Note: Host names should be resolvable to a valid IP address. Use ping or traceroute as one of the tools to ensure you can see the hosts. Using these commands ensures that you have not configured a firewall or other obstruction to block access.

- List of all Symantec applications and revision levels that are located on your master servers. This includes Storage Foundation, CC Storage, etc. This is for ensuring that the proper levels of AT are installed. It is assumed that there is no clustering software on the master servers.

NetBackup: Planning the upgrade to 7.0

Determine the plan for upgrading master servers, media servers and clients to NBU 7.0 as follows:

- The minimum upgrade is to move to an NBU 7.0 master server. One can then add media servers and/or clients.
- Some features are provided by upgrading master servers, some by media servers, and some by upgrading clients. Determine the features needed.
- A NetBackup 7.0 master server can support both 6.5 and 7.0 media servers and clients.
- Put together a plan of planned upgrades. Deployment can be step-wise if required.

Note: NetBackup access management relies on the use of home directories. Please see the documentation for your operating system for more information on home directories.

NBAC Security Administrator

The user who installs and configures the Symantec Product Authentication Service and Symantec Product Authorization Service software for NetBackup Access Management specifies a user account. That account becomes the first member of the NBU Security Admin user group. This chapter refers to a member of the NBU Security Admin group as a security administrator. Users can be added to the group, which typically consists of few members.

Members of the NBU Security Admin user group are the only users who can view the contents of Access Management > Users and Access Management > NBU User Groups. This group is in the NetBackup Administration Console. Security administrators are the only users allowed to create user groups, assign users to the groups, and define permissions for the groups. By default, security administrators do not have permission to perform any other NetBackup administration activities.

Note: The administrator group (Windows) or root (UNIX) is always a member of the NBU Security Admin group on the system where the authorization daemon service runs (the master server).

NBAC installation sequence

For the NBAC installation sequence, use the following procedure.

1. Complete the Root + AB installation of the Symantec Product Authentication Service on the master server. See the "Installing or upgrading the Symantec Product Authentication Service" sections.

2. Complete the Symantec Product Authorization Service server installation on the master server. See the "Installing or upgrading the Symantec Product Authorization Service" sections.

3. Configure the master server for NetBackup Access Control. See "Installing and configuring access control on stand-alone master servers".

   Note: The master server can be installed in a stand-alone mode or in a highly available configuration on a cluster.

4. Complete your media server binary installation; then configure media servers for NetBackup Access Control. See "Installing and configuring access control on media servers".

5. Complete all NetBackup client installations, then configure clients for NetBackup Access Control. See "Installing and configuring access control on clients".

Symantec Product Authentication Service and Symantec Product Authorization Service component distribution

The Symantec Product Authentication Service and Symantec Product Authorization Service should be installed on the master server. No additional components are needed on media servers or clients.

For further information on the Symantec Product Authentication Service and Symantec Product Authorization Service, refer to the following Tech PDF at the Symantec support site: http://entsupport.symantec.com/docs/336967. This Tech PDF provides information to help organizations securely deploy Symantec products in individual and multiple product environments and can be accessed on the web.

Note: While it is possible to share the Enterprise Media Manager server between multiple master servers, this configuration is not supported for access control. The EMM server must be bound to one master server.

Installing or upgrading the Symantec Product Authentication Service in Root + AB mode on Windows platform

On a Windows platform, you can install or upgrade the Symantec Product Authentication Service in Root + AB mode interactively, using VxSSVRTSatSetup.exe.

To install or upgrade the Symantec Product Authentication Service in Root + AB mode on the Windows platform, use the following procedure.

6. Log on as administrator on the machine where you want to install.

7. Confirm that the machine uses the NTFS file system. FAT does not provide any file system security and hence compromises the security of the Symantec Product Authentication Service.

8. Open Explorer (Start > Explore) and navigate to the Authentication folder on the installation disc: CD-ROM_ROOT\Addons\x86\ICS\Authentication

9. Run VxSSVRTSatSetup.exe.

   Note: When an older version of the authentication service is already installed, there is a confirmation prompt to upgrade it. Select Yes and complete the installation.

10. When the opening InstallShield Wizard screen is displayed, click Next.

11. When the Setup Type screen is displayed, select Complete, and click Next.

12. Complete the Authentication Broker Service Options screen:

    - Select Root + Authentication Broker as the broker mode. See "Installing the Symantec Product Authentication Service in AB mode on Windows platform".
    - If you want to enable clustering, click the Service is clustered checkbox and type in the cluster name. The cluster name is case sensitive.
    - Indicate whether the service is to be started manually or automatically and whether it is to be started immediately after installation.

    When you have completed your selections, click Next.

13. When the Summary screen is displayed, click Next.

14. When the Root \ Authentication Password screen is displayed, enter a password of eight or more characters for the root broker and the authentication broker. Click Next to continue.

15. After the files are copied, the InstallShield Wizard Maintenance Complete screen is displayed. Click Finish.

Installing or upgrading the Symantec Product Authorization Service on Windows platform

To install or upgrade the Symantec Product Authorization Service on the Windows platform, use the following procedure.

16. Log on as administrator on the master server.

17. Navigate to the Authorization folder on the installation disc: CD-ROM_ROOT\Addons\x86\ICS\Authorization

18. Double-click the VRTSazSetup.exe file in the Authorization folder.

19. When the InstallShield Wizard screen is displayed, click Next.

    Note: If there is an older version of the authorization service already installed, there is a confirmation prompt to upgrade it. Select Yes and complete the installation.

20. When the Setup Type screen is displayed, select Custom, and then click Next.

21. When the Choose Destination Location screen is displayed, click Browse, and select the location where you want to install AZ. However, it is recommended to install AZ in the default location. Click Next to continue.

22. When the Select Features screen is displayed, click Next.

23. When the Question screen is displayed, click No to install the Symantec Product Authorization Service on Windows in Read-Write mode.

24. When the Start Copying Files screen is displayed, click Next to begin the installation, and then allow the installation to complete.

25. When the InstallShield Wizard Complete screen is displayed, click Finish.

Connection validation to media servers and clients

Before proceeding, Symantec recommends validating the connections between the master server and the media servers and clients. A set of OS commands and one NetBackup command is useful for this first level of troubleshooting and validation. The OS commands are ping, traceroute and telnet. The NetBackup command is bpclntcmd. Use these commands to establish that the hosts can communicate with each other. A complete troubleshooting section is found later in this chapter.

NBAC configuration overview

This section contains recommendations for configuring NBAC using the bpnbaz command. This command is available under the NETBACKUP_INSTALL_PATH/bin/admincmd directory.

The bpnbaz utility has been upgraded so that it needs to be run from only the master server. You do not need to log into each NetBackup 7.0 media server and client to configure access control. For configuring access control for NetBackup pre-7.0 media and client hosts, refer to "Configuring access control for back revision hosts". A summary reference is provided for the command beneath this section. This section provides an example of using these commands with specific details on recommended usage. Note that the services should be restarted on each of the servers and clients once configured.

Since the configuration is done from the master server, ensure that operational communications links exist between the master server, the media servers, and the clients. You can review the prerequisites list earlier in this chapter. Review the list to ensure that you have noted all the associated media servers, clients, and the addresses to communicate with them.

A complete troubleshooting section is found later in this chapter. A set of OS commands and one NetBackup command is useful for the first level of troubleshooting. The OS commands are ping, traceroute and telnet. The NetBackup command is bpclntcmd. Use these commands to establish that the hosts can communicate with each other.

Installing and configuring access control on stand-alone master servers

The following procedures describe installing and configuring NetBackup Access Control on master servers installed on a single machine. A master server requires an authentication server and an authorization server.

Table 5-1, "Example host names", describes the host names for the configuration examples that are used throughout this chapter.

Table 5-1 Example host names

    Host name        Windows       UNIX
    Master servers   win_master    unix_master
    Media servers    win_media     unix_media
    Clients          win_client    unix_client

Use the following procedure to install and configure access control on master servers.

1. If this installation is an upgrade installation, stop NetBackup.

2. You have already used the Infrastructure Common Services DVDs. You have used these DVDs to install the Symantec Product Authentication Service and Symantec Product Authorization Service in Root + AB mode for your platform.

3. Complete all NetBackup master server installations or upgrades.

4. Run the bpnbaz -setupmaster command. When asked to continue, enter y. Enter the current user password. The system then begins gathering configuration information. The system then begins setting up authorization information.

5. Restart NetBackup services on this machine after the bpnbaz -setupmaster command completes successfully.

6. Proceed to setting up the media servers. See "Installing and configuring access control on media servers".

Installing and configuring access control on NBU 7.0 media servers (Windows or UNIX)

The following steps describe installing and configuring NetBackup Access Control on media servers in a NetBackup configuration. These steps are needed for media servers that are not co-located with the master server. The target media server should be running NetBackup server software version 7.0 or higher.

Use the following procedure to configure access control on media servers.

1. Log into the target media server machine.

2. If this installation is an upgrade installation, stop NetBackup.

3. Complete all NetBackup 7.0 media server installations or upgrades.

4. Log into the master server machine as UNIX root or Windows Administrator.

5. Check that both the authentication daemon (vxatd) and the authorization daemon (vxazd) are running. If they are not running, first start the authentication daemon. Then start the authorization daemon. See "Starting authentication and authorization daemon services".

6. Go to the NETBACKUP_INSTALL_PATH/bin directory.

7. Log on as the NetBackup security administrator using the following command: bpnbat -Login

   The following information is displayed:

   Note: The UNIX root users on the master server are the default NetBackup security administrators.

       Authentication Broker [master.server.com is default]:
       Authentication port [0 is default]:
       Authentication type (NIS, NISPLUS, WINDOWS, vx, unixpwd) [unixpwd is default]:
       Domain [master.server.com is default]:
       Login Name [root is default]:
       Password:
       Operation completed successfully.

8. The bpnbaz -SetupMedia command has a number of options. This command does not work without an extension for either the individual host or the -all option. See "NBAC configure commands summary".

9. It is recommended to do a dry run of the configuration first, with the -dryrun option. It can be used with both -all and single-server configuration. By default, the discovered host list is written to the file SetupMedia.nbac. You can also provide your own output file name using the -out option. If you use your own output file, then it should be passed for the subsequent runs with the -file option. The dry-run command would look something like the following:

       bpnbaz -SetupMedia -all -dryrun [-out <output_file>]
   or
       bpnbaz -SetupMedia <media_server> -dryrun [-out <output_file>]

10. If all the media servers you want to update are listed in the file written by the -dryrun option, you can proceed with the -all option to do them all at once. For example, you can use: bpnbaz -SetupMedia -all or bpnbaz -SetupMedia -file <output_file>. Note that the -all option updates all the media servers seen each time it runs. If you want to run it for a selected set of media servers, you can do so. Keep only the media server host names that you want to configure in a file, and pass that file using the -file option. This input file would either be SetupMedia.nbac or the custom file name you provided with the -out option in the previous dry run. For example, you may have used: bpnbaz -SetupMedia -file SetupMedia.nbac. For configuring a single media server, specify the media server host name as the option. For example, use: bpnbaz -SetupMedia <media_server>.

11. Restart NetBackup services on the target media servers after the command completes successfully. It sets up NBAC on the target hosts. If the configuration of some target hosts did not complete, you can check the output file. Proceed to the access control configuration for the client hosts after this step. See "Installing and configuring access control on clients".
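The dry-run, review, then apply-from-file cycle of steps 9 through 11, scripted for a UNIX master server, as an added example that is not from the NetBackup documentation; the same loop serves the bpnbaz -SetupClient procedure for clients described later in this chapter. It assumes the UNIX admincmd path the chapter gives for bpnbaz (overridable through the BPNBAZ variable), that the progress file lists one host per line, and that hosts which succeeded are commented out with a leading '#'.

```shell
#!/bin/sh
# Added example: drive bpnbaz -SetupMedia / -SetupClient from the master server.
# Assumed path (from this chapter, UNIX); override with BPNBAZ=... if different.
BPNBAZ="${BPNBAZ:-/usr/openv/netbackup/bin/admincmd/bpnbaz}"

# Hosts in a progress file that still need configuring.
# Assumption: one host per line, succeeded hosts commented out with '#'.
pending_hosts() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

pending_count() {
    pending_hosts "$1" | wc -l | tr -d ' '
}

# Discovery only: writes the host list without changing any host.
# usage: discover SetupMedia|SetupClient outfile
discover() {
    "$BPNBAZ" "-$1" -all -dryrun -out "$2"
}

# Apply to the pending hosts, re-running with -file until the progress file is
# fully commented out or the pass limit is reached (step 9 of the client
# procedure: each successful host is commented out for the next run).
# usage: apply_until_done SetupMedia|SetupClient file [maxpasses]
apply_until_done() {
    kind=$1; file=$2; passes=${3:-3}; n=0
    while [ "$(pending_count "$file")" -gt 0 ] && [ "$n" -lt "$passes" ]; do
        n=$((n + 1))
        echo "pass $n: $(pending_count "$file") host(s) pending in $file"
        "$BPNBAZ" "-$kind" -file "$file" || echo "bpnbaz exited $? on pass $n"
    done
    remaining=$(pending_count "$file")
    if [ "$remaining" -gt 0 ]; then
        echo "still pending after $n pass(es); check $file:"
        pending_hosts "$file"
        return 1
    fi
    echo "all hosts configured; restart NetBackup services on the target hosts"
}

# Interactive driver: ./nbac_setup.sh --run SetupMedia [progress-file]
if [ "${1:-}" = "--run" ]; then
    kind=${2:-SetupMedia}; file=${3:-$kind.nbac}
    discover "$kind" "$file"
    echo "Review $file (remove hosts you do not want touched), then press Enter."
    read dummy
    apply_until_done "$kind" "$file"
fi
```

Because -all re-touches every host it discovers on each run, the driver only ever applies with -file, so decommissioned or unwanted hosts can be removed from the file after review.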

Installing and configuring access control on NBU 7.0 clients (Windows or UNIX)

The following steps describe installing and configuring NetBackup Access Control on clients in a NetBackup configuration. The target client should be running NetBackup client software version 7.0 or higher.

Use the following procedure to configure access control on clients.

1. Make sure that no backups are currently running for the client machine.

2. Stop NetBackup on the clients. Complete any remaining installation steps of the NetBackup client software.

3. Log into the master server machine as the UNIX root or as Windows administrator.

4. Check that the authentication daemon (vxatd) is running. If not, start the authentication daemon. See "Stopping authentication and authorization daemon services".

5. Go to the NBU_INSTALL_PATH/bin directory.

6. Log on as the NetBackup security administrator using the following command: bpnbat -Login

   The following information is displayed.

   Note: The UNIX root users on the master server are the default NetBackup security administrators.

       Authentication Broker [master.server.com is default]:
       Authentication port [0 is default]:
       Authentication type (NIS, NISPLUS, WINDOWS, vx, unixpwd) [unixpwd is default]:
       Domain [master.server.com is default]:
       Login Name [root is default]:
       Password:
       Operation completed successfully.

7. Run bpnbaz -SetupClient with the described options. Note that this command does not work without an extension for either the individual host or the -all option. See "NBAC configure commands summary".

8. First do a dry run to see all the clients visible to the master server. Use this process for companies that have a large number of clients (greater than 250). The -dryrun option can be used with both -all and single-client configuration. By default, the discovered host list is written to the file SetupClient.nbac in the same directory. You can also provide your own output file name using the -out option. If you use your own output file, then it should be passed for the subsequent runs with the -file option. For example, you can use:

       bpnbaz -SetupClient -all -dryrun [-out <output_file>]
   or
       bpnbaz -SetupClient <client> -dryrun [-out <output_file>]

9. After the dry run, check the client host names and run the same command without the -dryrun option. For example, use: bpnbaz -SetupClient -all or bpnbaz -SetupClient -file SetupClient.nbac or bpnbaz -SetupClient <client>. The -all option runs with the clients known to the master server. It can take time to address all the clients in a large environment (greater than 250). The -all client listing updates the credentials on all clients; it can take some time and resources. Instead, use the -file option to update a subset of the clients. You can run the same command multiple times, until all the clients in the progress file are successfully configured. The status for each client is updated in the input file. The ones that succeeded in each run are commented out for the subsequent runs, so a smaller subset is left for each successive run. Use this option if you have added a number of clients (greater than 250), and target the ones you want to update at that time. The -images option with -all looks for client host names in the image catalogs. It can return decommissioned hosts in larger environments. Run the -all -dryrun options with the -images option to determine which hosts should be updated.

10. Restart the client services on the specific clients once the installation is finished.

Configuring access control for NetBackup pre-7.0 media servers and clients

You can configure access control for NetBackup pre-7.0 media and client machines. Use the following procedure to configure access control for NetBackup pre-7.0 media and client machines.

1. Install the Authentication and Authorization client packages on the target machine. If the target machine is a NetBackup client, then install the authentication client only. If the target machine is a NetBackup media server, install both the authentication and authorization clients. You can choose to install both client and server binaries on the target machine, but there is no need to configure the servers. You need to install the authentication and authorization packages that are available on the Infrastructure Common Services (ICS) DVDs shipped with the older NetBackup media. The authentication and authorization binaries available with NetBackup 7.0 may not be compatible with the older NetBackup media servers or clients. On UNIX platforms, use the installics utility to install the authentication and authorization packages. On Windows, use VxSSVRTSatSetup.exe and VRTSazSetup.exe. Please refer to the older NetBackup documentation for more details on how to install the authentication and authorization clients.

2. Set up a credential for the target media server or the client machine.

   - Log on as either root (UNIX) or as a member of the local Administrator group (Windows) on the master server.

   - Make sure that the authentication and the authorization services are running on the master server.

   - Create a machine account for the target media server or client machine by running the following command on the master server. On UNIX, bpnbat is located in the directory /usr/openv/netbackup/bin. On Windows, bpnbat is located in the directory Install_path\NetBackup\bin.

         bpnbat -addmachine
         Machine Name: host.domain.com
         Password: *******
         Password: *******
         Operation completed successfully.

   - Log on to the target media server or the client machine as either root (UNIX) or a member of the local Administrator group (Windows), and run the following command:

         bpnbat -loginmachine
         Does this machine use Dynamic Host Configuration Protocol (DHCP)? (y/n)? n
         Authentication Broker: master.server.com
         Authentication port [Enter = default]:
         Machine Name: local.host.name   --> Note: This should be the same value entered in the previous step.
         Password: *******
         Operation completed successfully.

   Note: Repeat this step 2 for each alias or host name used by the media or client machine.

3. Enable authorization server access to the target media server host.

   Note: This step is only needed for the NetBackup media servers, and not the client machines.

   Log on to the master server machine as either root (UNIX) or a member of the local Administrator group (Windows). On UNIX, bpnbaz is located in the directory /usr/openv/netbackup/bin/admincmd. On Windows, bpnbaz is located in the directory Install_path\NetBackup\bin\admincmd.

   Run the following command:

         bpnbaz -AllowAuthorization media.server.com
         Operation completed successfully

4. Set up the proper access control host properties for the target media server or the client host. For the media servers, see "Master server and media server host properties". For the clients, see "Client host properties".

5. Restart the NetBackup process on the target media server or the client machine.

Establishing a trust relationship between the broker and the Windows remote console

Establish a trust relationship between the master server (broker) and the administration client. Use this procedure to establish a trust relationship between the broker and the Windows remote console.

1. From the master server, run the following command:

       Install_path\Veritas\NetBackup\bin\admincmd>bpgetconfig USE_VXSS AUTHENTICATION_DOMAIN >VXSS_SETTINGS.txt

   Sample output of VXSS_SETTINGS.txt:

       USE_VXSS = AUTOMATIC
       AUTHENTICATION_DOMAIN = "" WINDOWS 0

2. Copy VXSS_SETTINGS.txt to the administration client.

3. Run the following command from the administration client. Running this command matches the settings on the administration client with those on the broker. It sets the administration client to log on automatically to the broker.

       C:\Program Files\Veritas\NetBackup\bin\admincmd>bpsetconfig "<path>\VXSS_SETTINGS.txt"

4. Launch the Administration Console from the administration client; a request to establish a trust with the broker should occur. Once the trust is agreed to, the Administration Console should be available.

Including authentication and authorization databases in NetBackup hot catalog backups

In NetBackup environments using the online hot catalog backup method, no additional configuration is needed to include the Symantec Product Authentication Service and Symantec Product Authorization Service databases in the catalog backup.

Note: Hot catalog backup does not run in the NBAC mode REQUIRED.

Manually configuring access control host properties

Note: Run the bpnbaz -setupClient, bpnbaz -setupMedia, and bpnbaz -setupMaster commands to do this configuration automatically. You only need to do this configuration if you want to change defaults or add additional brokers. Also do this for the back-revision media server and client hosts.

Use the following sections for manually configuring the access control host properties.

Note: You must set the master server Symantec Product Authentication Service and Symantec Product Authorization Service property to Automatic until the clients are configured for access control. Then change the Symantec Product Authentication Service and Symantec Product Authorization Service property on the master server to Required.

  • 8/9/2019 nbu accss control340675

    12/21

    NBAC WindowsNon HA

    12

    UnifyingNetBackupManagementinfrastructureswiththesetuptrust

    command

    Symantec products management servers need to communicate so that an administrator for one product has

    permission to administer another product. This communication ensures that application processes in one

    management server work with another server. One way of ensuring communication is to use a common independentsecurity server called a root broker. If all the management servers point to a common root broker, the permission for

    each server is based on a common certificate. Another way of ensuring communication is to use the setuptrust

    command. This command is used to establish trust between the two management servers. The command is issued

    from the management server that needs to trust another management server. The security information is transferred

    from that host to the one requesting the trust establishment. A one-way trust is established. Setting up two way

    (mutual) trust is performed by issuing the setuptrust command from each of the two servers involved. For

    example, a NetBackup configuration might consist of a Symantec OpsCenter server (OPS) and three master servers

    (A, B, and C). Each of the master servers has connected to them the NBAC policies and management for the clients

    and the media servers.

    The first step is to have the Symantec OpsCenter server (OPS) setup trust with each of the master servers (A, B, and

    C). This trust ensures that the Symantec OpsCenter server receives secure communications from each of the master

    servers, the clients and the media servers connected to each of the master servers. A sequence of these events is as

    follows:

    The OPS sets up trust with master server A. The OPS sets up trust with master server B. The OPS sets up trust with master server C.

    If Symantec OpsCenter is set up to perform actions on the individual master servers, a trust relationship needs to be

    set up from each of the master servers to the Symantec OpsCenter server (OPS). A sequence of these events is as

    follows. In this case, the setuptrust command is run six times.

    The master server A sets up trust with Symantec OpsCenter server (OPS). The master server B sets up trust with Symantec OpsCenter server (OPS). The master server C sets up trust with Symantec OpsCenter server (OPS). The Symantec OpsCenter server OPS sets up trust with master server A. The Symantec OpsCenter server OPS sets up trust with master server B. The Symantec OpsCenter server OPS sets up trust with master server C.

    Note: NetBackup 7.0 and OpsCenter 7.0 establish trust automatically. You may need to do these manual

    setuptrust operations with older NetBackup master servers. At the end of the NetBackup

    master server 7.0 installation, there is a question on the OpsCenter host name. With that, the

    master server can initiate a two-way trust setup.

    Details on the setuptrust command are described in the Symantec Commands guide. A summary of the command is provided here for your convenience.

    Using the setuptrust command

    Use the setuptrust command to contact the broker to be trusted, obtain its certificate or details over the wire, and

    add the certificate to the trust repository if the furnished details are trustworthy. The security administrator can

    configure one of the following levels of security for distributing root certificates:


    High security (2): If a previously untrusted root is acquired from the peer (that is, if no certificate with the same signature exists in our trust store), the user is prompted to verify the hash.

    Medium security (1): The first authentication broker is trusted without prompting. Any attempt to trust a subsequent authentication broker causes the user to be prompted for a hash verification before the certificate is added to the trusted store.

    Low security (0): The authentication broker certificate is always trusted without any prompting.

    The vssat CLI is located in the authentication service 'bin' directory.

    The setuptrust command uses the following syntax:

    vssat setuptrust --broker <host>:<port> --securitylevel high

    The setuptrust command uses the following arguments:

    --broker <host>:<port> comes first. It is the host and port of the broker to be trusted. The registered port

    for Authentication is 2821. If the broker has been configured with another port number, consult your security

    administrator for information.

    Using hostnames when adding machines

    NBAC does not require the use of fully qualified hostnames when you add machines. However, the commands that

    accept hostnames (bpnbat -AddMachine, bpnbat -LoginMachine, and bpnbaz -AllowAuthorization) can retrieve

    the fully qualified hostname if a non-fully-qualified hostname is specified. For example, if a host

    unix_machine.company.com exists, and only unix_machine is specified for any of these commands, then that command

    attempts to resolve the name to unix_machine.company.com. To determine what name these commands have resolved,

    you can run bpnbat -ShowMachines. It lists the names of all hosts that are added to NetBackup's private domain in

    the authentication broker.

    Specify the fully qualified hostname when you use these commands to make sure that the correct name is chosen. In

    addition, using fully qualified hostnames is more secure: it ensures the uniqueness of the host name used by a

    machine. Symantec recommends the use of fully qualified hostnames for NBAC.
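The trust sequence between OpsCenter and the master servers above, together with the fully qualified hostname recommendation, as an added example that is not part of the Symantec document: the script only plans the setuptrust invocations (it does not run vssat), the hostnames are assumed, and the port and security levels are the ones the document describes.

```shell
#!/bin/sh
# Added example (not Symantec's code): plan the vssat setuptrust commands for
# mutual trust between an OpsCenter server and several master servers, and
# refuse hostnames that are not fully qualified. Hostnames are assumed inputs.

AT_PORT=2821   # registered Authentication port, as stated in the document

# is_fqdn HOST: success if HOST carries a domain part (at least one dot)
is_fqdn() {
    case "$1" in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# level_code LEVEL: numeric security level used when distributing root certificates
level_code() {
    case "$1" in
        high)   echo 2 ;;   # prompt to verify the hash of any new root
        medium) echo 1 ;;   # first broker trusted silently, later ones prompt
        low)    echo 0 ;;   # always trusted without prompting
        *)      return 1 ;;
    esac
}

# trust_cmd BROKER_HOST LEVEL: the command the trusting host runs
trust_cmd() {
    printf 'vssat setuptrust --broker %s:%s --securitylevel %s\n' "$1" "$AT_PORT" "$2"
}

# mutual_trust_plan OPS LEVEL MASTER...: print "host: command" lines.
# First each master trusts OPS (needed when OpsCenter acts on the masters),
# then OPS trusts each master (needed to receive secure communications):
# six commands for OPS plus three masters.
mutual_trust_plan() {
    ops=$1; level=$2; shift 2
    level_code "$level" >/dev/null || { echo "unknown security level: $level" >&2; return 1; }
    for h in "$ops" "$@"; do
        is_fqdn "$h" || { echo "refusing non-fully-qualified host: $h" >&2; return 1; }
    done
    for m in "$@"; do
        printf '%s: %s\n' "$m" "$(trust_cmd "$ops" "$level")"
    done
    for m in "$@"; do
        printf '%s: %s\n' "$ops" "$(trust_cmd "$m" "$level")"
    done
}
```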

    Master server and media server host properties

    The access control host properties are described in the following sections. The master server and media server host

    properties are in the NetBackup Administration Console. Open NetBackup Management > Host Properties > Master

    Server or Media Server > Select server > Access Control.

    Access control host properties dialog

    Set the Symantec Product Authentication Service and Symantec Product Authorization Service to either Required or

    Automatic. A setting of Automatic takes into account that there may be hosts within the configuration that are not

    yet configured for NBAC. The server attempts to negotiate the most secure connection possible when it

    communicates to other NetBackup systems. The Automatic setting should be used until all clients and servers are

    configured for NBAC.

    Figure 5-1 shows the access control host properties dialog.


    Figure 5-1 Access control host properties dialog

    When Automatic is used, you may specify machines or domains required to use Symantec Product Authentication

    Service and Symantec Product Authorization Service. Or you may specify machines prohibited from using

    Symantec Product Authentication Service and Symantec Product Authorization Service.

    Symantec Product Authentication & Authorization tab

    View the access control host properties, on the Symantec Product Authentication and Authorization tab. Add the

    master server to the Symantec Product Authentication Service and Symantec Product Authorization Service

    Network list. Then set Symantec Product Authentication Service and Symantec Product Authorization Service to

    Required.

    Figure 5-2 shows the Symantec product authentication and authorization tab.

    Figure 5-2 Symantec product authentication and authorization tab


    Each new NetBackup client or media server (version 5.0 or higher) that is added to the NetBackup master needs to have

    the access control properties configured. These properties are configured both on the client or media server itself and

    on the master. This configuration can be done through the host properties on the master server.

    Authentication domain tab

    The Authentication Domain tab is used to define the following:

    Which authentication servers support which authentication mechanisms
    What domains each supports

    Add the domain you want users to authenticate against. Be sure to select the proper authentication mechanism.

    The following examples contain three authentication domains and three authentication types. Two are hosted on the

    authentication server UNIXBOX, and a third, a Windows AD/PDC (Active Directory/Primary Domain Controller) domain,

    is hosted on WINMACHINE.

    Figure 5-3 shows the authentication domain tab.

    Figure 5-3 Authentication domain tab

    A UNIX domain unixbox.mycompany.com on the authentication server UNIXBOX. Notice that the authentication

    mechanism for this domain is PASSWD.

    Note: When a UNIX authentication domain is used, enter the fully qualified domain name of the host

    performing the authentication.

    Note: The authentication types supported are NIS, NISPLUS, WINDOWS, vx, and unixpwd

    (unixpwd is the default).

    Figure 5-4 shows the UNIX authentication domain.

    Figure 5-4 UNIX Authentication domain

    A NIS domain NIS.MYCOMPANY.COM on the authentication server UNIXBOX. Notice that the authentication

    mechanism for this domain is NIS.

    A Windows AD/PDC domain WINDOWS on the authentication server WINMACHINE. Notice that the

    authentication mechanism for this domain is WINDOWS.

    Figure 5-5 shows the domain WINDOWS.

    Figure 5-5 Domain WINDOWS


    Authorization Service tab

    Within the access control host properties, on the Authorization Service tab, complete the properties for the

    authorization server. Specify the host name for the system running the authorization daemon service (typically the

    master). Specify the alternate port for which this daemon service has been configured. The default listening port for

    the authorization daemon service is 4032.

    Figure 5-6 shows the authorization service tab.

    Figure 5-6 Authorization service tab

    Make any changes to the host properties and restart the daemon services.

    Client host properties

    Access the client host properties in the NetBackup Administration Console. Open NetBackup Management > Host

    Properties > Clients > Select client(s) > access control.

    Access control host properties dialog for client

    Select the NetBackup client in the host properties. (On the master server, in the NetBackup Administration Console,

    open NetBackup Management > Host Properties > Clients > Selected clients > access control.)

    Figure 5-7 shows the access control host properties.


    Figure 5-7 Access control host properties

    Set the Symantec Product Authentication Service and Symantec Product Authorization Service to Required or

    Automatic.

    Symantec Product Authentication & Authorization tab for client

    Select the NetBackup client in the host properties. This tab is only enabled in Automatic mode. It can be used to

    control which systems require or prohibit the use of Symantec Product Authentication Service and Symantec

    Product Authorization Service on a per-machine basis. Note that both systems must have matching settings to

    communicate.

    Figure 5-8 shows the Authentication and Authorization tab.

    Figure 5-8 Authentication and authorization tab

    Authentication domain tab

    Within the access control host properties, on the Authentication Domain tab, add the list of domains a client can use

    to authenticate.


    Authentication and authorization installation diagnostics and tools

    This section contains uninstallation information and a number of diagnostic tools. It also includes information on

    creating response files to further automate the installation process. The sections on uninstalling authentication and

    authorization should only be used when required. Proceed to the section on NBAC Configuration overview and refer

    back to this section only if you run into problems.

    Using a response file

    A response file is generated at the end of the first manual installation. This file saves all the configuration settings

    that are specified during the first installation. The response file can then be used for multiple installations.

    On the Windows platform, the response file name is:

    .rsp

    On the UNIX platform, the response file name is:

    installics-IdString.response

    where IdString is a unique ID string generated by the installics script for that installer execution.

    Finding authentication service install location

    You can find the directory location of the authentication service as follows:

    On UNIX platforms, the Authentication service is installed under /opt/VRTSat. On 32-bit Windows, it is installed under

    %ProgramFiles%\VERITAS\Security\Authentication.

    On 64-bit Windows, it is installed under %ProgramFiles(x86)%\VERITAS\Security\Authentication.

    Note: The specified locations are defaults for Windows. If the service is installed in a non-default

    location, refer to the system registry key InstallDir for the actual location.

    Note: On a 32-bit machine, this key is under

    HKEY_LOCAL_MACHINE\SOFTWARE\VERITAS\Security\Authentication.

    Note: On a 64-bit machine, this key is under

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\VERITAS\Security\Authentication.

    Determining if the authentication broker is properly configured

    Some Symantec Storage Foundation products install the authentication service, but leave the broker in an

    unconfigured state. These products configure the broker only when the security option is turned on in those

    products. If the NetBackup master server is installed on one of these machines, then you need to configure the

    Authentication broker. The broker needs to be configured in Root+AB mode before doing the access control

    (NBAC) configuration.


    Use the following procedure to check whether the Authentication broker is configured.

    1. Go to the 'bin' directory under the Authentication service install location. See "Finding authentication service install location".

    2. Run the vssat showbrokermode command. The output is similar to the following:

    showbrokermode

    ----------------------

    ----------------------

    Broker mode is : 3

    ----------------------

    Mode 0 means the broker is not configured. It should be configured either in Mode 3 (Root+AB) or in Mode 1 (AB)

    before you set up NetBackup Access Control. If it is Mode 0, follow the steps in the "Manually configuring the

    authentication broker" section.
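The broker mode check above, as an added example that is not part of the Symantec document: it parses the output of vssat showbrokermode, accepts only the modes the text names as usable for NBAC (1 and 3), and treats anything else as a stop condition. The VSSAT_BIN path passed to check_broker is an assumption, and the sample output is constructed for offline use.

```shell
#!/bin/sh
# Added example (not Symantec's code): decide from `vssat showbrokermode`
# output whether the authentication broker is ready for NBAC configuration.

# parse_broker_mode: read showbrokermode output on stdin, print the mode number
parse_broker_mode() {
    sed -n 's/^Broker mode is[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# broker_mode_name MODE: the name the document gives each broker mode
broker_mode_name() {
    case "$1" in
        0) echo "unconfigured" ;;
        1) echo "AB" ;;
        3) echo "Root+AB" ;;
        *) echo "unknown" ;;
    esac
}

# broker_ready_for_nbac MODE: success only for Mode 1 (AB) or Mode 3 (Root+AB)
broker_ready_for_nbac() {
    case "$1" in
        1|3) return 0 ;;
        *)   return 1 ;;
    esac
}

# check_broker VSSAT_BIN: run the real command and report. VSSAT_BIN is the
# path to vssat in the authentication service 'bin' directory (assumed).
# Returns 0 when NBAC setup may proceed, 1 when the broker must be configured
# (Root+AB, mode 3) first, 2 when the mode could not be read at all.
check_broker() {
    mode=$("$1" showbrokermode 2>/dev/null | parse_broker_mode)
    if [ -z "$mode" ]; then
        echo "could not determine broker mode from '$1 showbrokermode'" >&2
        return 2
    fi
    echo "broker mode $mode ($(broker_mode_name "$mode"))"
    broker_ready_for_nbac "$mode" && return 0
    echo "broker is not configured for NBAC; configure it in Root+AB mode (mode 3) first" >&2
    return 1
}

# Constructed sample output in the shape the document shows (offline input).
SAMPLE_OUTPUT='showbrokermode
----------------------
----------------------
Broker mode is : 3
----------------------'
```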

    Manually configuring the authentication broker

    Use the following procedure to manually configure the authentication broker in Root+AB mode (mode 3).

    1. Go to the 'bin' directory under the authentication service install location. See "Finding authentication service install location".

    2. Run the following command to configure the broker in Root+AB mode: vxatd -o -a -r

    On Windows platforms, run the vxatd -i command to install the authentication broker as a service.

    3. Start the Authentication service. See "Starting authentication and authorization daemon services".

    Stopping authentication and authorization daemon services

    Use the following commands to stop the authentication and authorization daemons on UNIX and Linux:

    Stop authentication daemon: kill

    Stop authorization daemon: /opt/VRTSaz/bin/vrtsaz -stop

    On Windows, the Symantec Product Authentication Service and Symantec Product Authorization Service can be

    stopped from the Services panel. Use the following commands to stop them manually:

    For authentication use: net stop vrtsat

    For authorization use: net stop vrtsaz

    Starting authentication and authorization daemon services

    Use the following commands to start the authentication and authorization daemons on UNIX and Linux:

    Start authentication daemon: /opt/VRTSaz/bin/vxatd

    Start authorization daemon: /opt/VRTSaz/bin/vrtsaz

    On Windows, the Symantec Product Authentication Service and Symantec Product Authorization Service can be

    started from the Windows Services panel. Use the following commands to start them manually:

    For authentication use: net start vrtsat

    For authorization use: net start vrtsaz


    Uninstalling the Symantec Product Authentication Service from Windows platform

    Note: A highly available (HA) NetBackup server installation (master server or OpsCenter) can use VCS

    (Veritas Cluster Server) to provide the HA functionality. The VCS uses Authentication in a shared

    mode for secure HA functionality. These steps should be used when it is desired to repurpose the

    hosts or start to build a configuration from scratch. You should not remove Authentication for

    those instances where VCS is to be left running on the host.

    On a Windows platform, you can uninstall the Symantec Product Authentication Service using the Add or Remove

    Programs.

    To uninstall the Symantec Product Authentication Service from Windows platform

    1. From the Windows Control Panel, open Add or Remove Programs.

    2. In the Add or Remove Programs window program list, click Symantec Product Authentication Service. The Change and Remove options are displayed.

    3. Click Remove.

    4. When the Modify, repair, or remove the program dialog box is displayed, select Remove, and then click Next.

    5. A confirmation dialog box is displayed. Click Yes, and then allow the uninstallation to complete.

    6. When the Maintenance Complete dialog box is displayed, click Finish.

    Uninstalling the Symantec Product Authorization Service from Windows platform

    On a Windows platform, you can uninstall the Symantec Product Authorization Service using Add or Remove

    Programs.

    To uninstall the Symantec Product Authorization Service from Windows platform

    1. From the Windows Control Panel, open Add or Remove Programs.

    2. In the Add or Remove Programs window program list, click Symantec Product Authorization Service. The Change and Remove options are displayed.

    3. Click Remove.

    4. When the Modify, repair, or remove the program dialog box is displayed, select Remove, and then click Next.

    5. A confirmation dialog box is displayed. Click Yes, and then allow the uninstallation to complete.

    6. When the Maintenance Complete dialog box is displayed, click Finish.