How To Install Netbackup Access Control (Netbackup) On A Netbackups (Net Backup) On Unix And Non Ha (Net Backup) (Net Backups) (Unix) (Non Ha) (Windows) (

Transcription

1 Tech Note 4 NBAC (NetBackup Access Control) UNIX Quick Install Non HA This section includes the following topics About NBAC (NetBackup Access Control) About NBAC (NetBackup Access Control) Starting Checklist NetBackup Planning the Upgrade to 7.0 NBAC Security Administrator NBAC Installation Sequence Connection Validation for Media Servers and Clients NBAC Configuration Overview Installing and configuring access control on NBU 7.0 standalone Master Servers Installing and configuring access control on NBU 7.0 Media Servers Installing and configuring access control on NBU 7.0 clients Establishing a trust relationship between the broker and the Windows remote consoles Media Server Configuration bout NBAC (NetBackup Access Control) Including authentication and authorization databases in NetBackup hot catalog backups Manually configuring access control host properties Unifying NetBackup Management infrastructures with the setuptrust command Using the setuptrust command Using hostnames when adding machines Master server & media server host properties Access control host properties dialog 1

2 Symantec Product Authentication & Authorization tab Authentication domain tab Authorization Service tab Client host properties Access control host properties dialog for client Symantec Product Authentication & Authorization tab for client Authentication and authorization installation diagnostics and tools About NBAC (NetBackup Access Control) Access to NetBackup can be controlled by defining user groups and granting explicit permissions to these groups. Configuring user groups and assigning permissions is done using Access Management in the NetBackup Administration Console. You can find documents at the following Web site that can be helpful in your deployment of NBAC. See NBAC is an implementation of role-based access control. One employs role based access control in situations where: One wants to have a set of permissions for different levels of administrators for an application. A backup application can have operators (perhaps load and unload tapes). It can have local administrators (manage the application within one facility). And it can have overall administrators who may have responsibility for multiple sites and to determine backup policy. Note that this feature is also highly useful in preventing user errors. If junior level administrators are restricted from certain operations, they are prevented from making inadvertent mistakes. One wants to separate administrators so that root permission to the system is not required to administer the system. One can then separate the administrators for the systems themselves from the ones who administer the applications. A role based access control like NBAC has the following: Authentication supplied by the Symantec Product Authentication Service (VxAT) determines if a person or entity should be considered as legitimate for any operation in the application. Authorization supplied by the Symantec Product Authorization Service that defines the scope of what a person or entity can do (role) and labeled VxAZ. Starting checklist This prerequisites starting check list can help before you start to configure NBAC. If you have these items, your installation is likely to go more smoothly. The following contains the information for this installation: The software for NBU 7.0 NBAC installation can be found on the NBU DVDs. Remote login permission for the NetBackup Java Console (if this console is being used) Media servers must be configured with NBAC to enable non root users to manage these servers NetBackup Access Management relies on the use of home directories. Please refer to the OS documentation for the OS you are installing on for more details on home directories 2

3 No License is required for enabling NBAC Required Specifics from your environment User name or password for master server (root or administrator permission). Name of master server Name of all media servers that are connected to the master server Name of all clients to be backed up Host name or IP address for all items listed above Host names should be resolvable to a valid IP address. Use ping or traceroute as one of the tools to ensure you can see the hosts.using these commands ensures that you have not configured a firewall or other obstruction to block access. List of all Symantec applications and revision levels that are located on your Master Servers. This includes Storage Foundation, CC Storage, etc. This is for ensuring that the proper levels of AT are installed. It is assumed that there is no clustering software installed on the master server. NetBackup: Planning the upgrade to 7.0 Determine the plan for upgrading Master Servers, Media Servers and clients to NBU 7.0 as follows: The minimum upgrade is to move to an NBU 7.0 Master server. One can then add Media Servers and or Clients Some features are provided by upgrading master servers, some by media servers, and some from upgrading clients. Determine the features needed. A NetBackup 7.0 master server can support both 6.5 and 7.0 media servers and clients Put together a plan of planned upgrades. Deployment can be step wise if required. NetBackup access management relies on the use of home directories. Please see the documentation for your operating system for more information on home directories. NBAC Security Administrator The user who installs and configures Symantec Product Authentication Service and Symantec Product Authorization Service software for NetBackup Access Management specifies a user account. That account becomes the first member of the NBU Security Admin user group. This chapter refers to a member of the NBU Security Admin group as a security administrator. Users can be added to the group, typically consisting of few members. Members of the NBU Security Admin user group are the only users who can view the contents of Access Management > Users and Access Management > NBU User Groups. This group is in the NetBackup Administration Console. Security administrators are the only users allowed to create user groups, assign users to the groups, and define permissions for the groups. By default security administrators do not have permission to perform any other NetBackup administration activities. The administrator group (Windows) or root (UNIX) is always a member of the NBU Security 3

4 Admin group. They are a member on the system where the authorization daemon service runs (master server). NBAC installation sequence For information on the NBAC installation sequence, refer to this procedure. Use the following NBAC installation sequence. 1. Complete Root + AB installation of the Symantec Product Authentication Service on the master server. See Installing or upgrading the Symantec Product Authentication Service sections. 2. Complete Symantec Product Authorization Service server installation on the master server. See Installing or upgrading the Symantec Product Authorization Service sections. 3. Configure the master server for NetBackup Access Control. See "Installing and configuring access control on stand alone master servers" The master server can be installed in a stand alone mode or in a highly available configuration on a cluster. 4. Complete your media server binary installation; then configure media servers for NetBackup Access Control. See "Installing and configuring access control on media servers" 5. Complete all NetBackup client installations, then configure clients for NetBackup Access Control. See "Installing and configuring access control on clients" Symantec Product Authentication Service and Symantec Product Authorization Service component distribution The Symantec Product Authentication Service and Symantec Product Authorization Service should be installed on the master server. No additional components are needed on media or clients. For further information on Symantec Product Authentication Service and Symantec Product Authorization Service refer to the following Tech PDF at the Symantec support site: This Tech PDF provides information to help organizations securely deploy Symantec products in individual and multiple product environments and can be accessed on the web. While possible to share the Enterprise Media Manager server between multiple master servers, this configuration is not supported for access control. The EMM server must be bound to one master server. Installing or upgrading the Symantec Product Authentication Service in Root + AB mode On a UNIX platform, you can install or upgrade the Symantec Product Authentication Service Root + AB mode interactively, using the installics script. To install or upgrade the Symantec Product Authentication Service Root+AB mode on UNIX platform use the following procedure. 1. Invoke the installics script from CD-ROM_ROOT/ICS directory. 4

5 2. Select a task from the Task menu prompt. Type I to install a product. 3. Select a product to install from the product sub-menu prompt. Type 1 to install the Symantec Product Authentication Service. 4. The following message is displayed: AT will be installed on localhost: <hostname> Press Enter to continue. If there is an older version of the authentication service already installed on the machine, then there is a confirmation prompt for the upgrade. Enter y and complete the installation. 5. Select the service mode in which you want the Symantec Product Authentication Service to be installed. Type 1 To install the Symantec Product Authentication Service in Root+AB mode. 6. When the package to be installed is displayed, press Enter. The VRTSat server package is installed, depending on the platform. 7. Allow the installation to complete. A progress bar tracks the installation progress. After the installation is complete, the following prompt is displayed: Installation completed successfully on all systems. It is optional to configure AT now. If you choose to configure AT later, you can either do so manually or run the installat -configure command. You can configure the Symantec Product Authentication Service broker later by the selecting C option in the ICS Installer Task menu. 8. When you are prompted to start the Authentication server processes, Type Y to start the processes. 9. Press Enter to continue. The installation log files, summary file, and the response file are saved at the following location: /opt/vrts/install/logs/installics-idstring Installing or upgrading the Symantec Product Authorization Service on UNIX platform On a UNIX platform, you can install or upgrade the Symantec Product Authorization Service interactively, using the installics script. The Symantec Product Authorization Service server should be installed on the master server. This installation ensures that the master server and media servers can communicate with the authorization server at all times. To install or upgrade the Symantec Product Authorization Service on UNIX platform use the following procedure. 1. Log on to master server machine and invoke the installics script from the CD-ROM_ROOT/ICS directory. 2. Select a task from the Task menu prompt. Type I to install a product. 3. Select a product to install from the product sub-menu prompt. Type 2 to install the AZ. 5

6 4. The following message is displayed: VxAZ will be installed on localhost: <hostname> Press Enter to continue. If there is an older version of the authorization service already installed on the machine, then there is a confirmation prompt to upgrade it. Enter y and complete the installation. 5. When the package to be installed is displayed, press Enter. The VRTSaz server package is installed. 6. Allow the installation to complete. A progress bar tracks the installation progress. After the installation is complete, the following prompt is displayed: Installation completed successfully on all systems 7. If there is Symantec Private Branch Exchange (PBX) service installed on the machine, then there is a prompt to hookup Authorization service with the PBX. Enter y for this prompt. 8. When you are prompted to start the Authorization server processes, Type Y to start the processes. 9. Press Enter to continue. The installation log files, summary file, and the response file are saved at the following location: /opt/vrts/install/logs/installics-idstring 10. Go to the section NBAC Configuration review. Connection Validation to media servers and clients Before proceeding, Symantec recommends validating the connections between the Master Server and the Media Servers and clients. A set of OS commands and one NetBackup command is useful for this first level of troubleshooting and validation. The OS commands are ping, traceroute and telnet. The NetBackup command is bpclntcmd. Use these commands to establish that the hosts can communicate with each other. A complete troubleshooting section is found later in this chapter NBAC configuration overview This section contains recommendations for configuring NBAC using the bpnbaz command. This command is available under the NETBACKUP_INSTALL_PATH/bin/admincmd directory. The bpnbaz utility has been upgraded so that it needs to be run from only the master server. You do not need to log into each NetBackup 7.0 media server and client to configure access control. For configuring access control for NetBackup pre-7.0 media and client hosts, refer to Configuring access control for back revision hosts. A summary reference is provided for the command beneath this section. This section provides an example of using these commands with specific details on recommended usage. Note that the services should be restarted on each of the servers and clients once configured. Since the configuration is done from the master server, assure that operational communications links exist between the master server, the media servers, and the clients. You can review the prerequisites list earlier in this chapter. Review the list to ensure that you have noted all the associated media servers, clients, and the addresses to communicate with them. A complete troubleshooting section is found later in this chapter. A set of OS commands and one NetBackup command is useful for the first level of troubleshooting. The OS commands are ping, traceroute and telnet. The NetBackup command is bpclntcmd. Use these commands to establish that the hosts can communicate with each other. Installing and configuring access control on stand alone master servers The following procedures describe installing and configuring NetBackup Access Control on master servers installed on a single machine. A master server requires an authentication server and authorization server. Example host names describes the host names for the configuration examples that are used throughout this chapter. 6

7 Table 5-1 Example host names Host name Windows UNIX Master servers win_master unix_master Media servers win_media unix_media Clients win_client unix_client Use the following procedure to install and configure access control on master servers. 1. If this installation is an upgrade installation, stop NetBackup. 2. You have already used the Infrastructure Common Services DVDs. You have used these DVDs to install the Symantec Product Authentication Service and Symantec Product Authorization Service Root + AB for your platform. 3. Complete all NetBackup master server installations or upgrades. 4. Run the bpnbaz -setupmaster command. When asked to continue, enter y. Enter the current user password. The system then begins gathering configuration information. The system then begins setting up authorization information. 5. Restart NetBackup services on this machine after the bpnbaz -setupmaster command completes successfully. 6. Proceed to setting up the media servers. See "Installing and configuring access control on media servers" Installing and configuring access control on NBU 7.0 media servers (Windows and UNIX) The following steps describe installing and configuring NetBackup Access Control on media servers in a NetBackup configuration. These steps are needed for media servers that are not co-located with the master server. The target media server should be running NetBackup server software version 7.0 or higher. Use the following procedure to configure access control on media servers. 1. Log into the target media server machine. 2. If this installation is an upgrade installation, stop NetBackup. 3. Complete all NetBackup 7.0 media server installations or upgrades. 4. Log into the master server machine as UNIX root. 5. Check that both the authentication daemon (vxatd) and the authorization daemon (vxazd) are running. If they are not running, first start the authentication daemon. Then start the authorization daemon. See "Starting authentication and authorization daemon services" 6. Go to the NETBACKUP_INSTALL_PATH/bindirectory. 7. Log on as the NetBackup security administrator using the following command: bpnbat -Login The following information is displayed: The UNIX root users on the master server are the default NetBackup security administrators. 7

8 Authentication Broker [master.server.com is default]: Authentication port [0 is default]: Authentication type (NIS, NISPLUS, WINDOWS, vx, unixpwd) [unixpwd is default]: Domain [master.server.com is default]: Login Name [root is default]: Password: Operation completed successfully. 8. The bpnbaz -SetupMedia command has a number of options. This command does not work without an extension for either the individual host, or the all option. See "NBAC configure commands summary" 9. It is recommended to do a dry run of the configuration first, with the -dryrun option. It can be used with both -all and single server configuration. By default, the discovered host list is written to the file SetupMedia.nbac. You can also provide your own output file name using -out <output file> option. If you use your own output file, then it should be passed for the subsequent runs with -file option. The dry-run command would look some thing like the following: bpnbaz -SetupMedia -all -dryrun [-out <outfile>] or bpnbaz -SetupMedia <media.server.com> -dryrun [-out <outfile>]. 10. If all the media servers you want to update are in the log file use the -dryrun option. You can proceed with the -all command to do them all at once. For example, you can use: bpnbaz -SetupMedia - all or bpnbaz -SetupMedia -file <progress file>. Note that the -all option updates all the media servers seen each time it runs. If you want to run it for a selected set of media servers, can you do it. Keep only the media server host names that you wanted to configure in a file, and pass that file using the -file option. This input file would either be SetupMedia.nbac or the custom file name you provided with the -out option in the previous dry run. For example you may have used: - bpnbaz - SetupMedia -file SetupMedia.nbac. For configuring a single media server, specify the media server host name as the option. For example use: bpnbaz -SetupMedia <media.server.com>. 11. Restart NetBackup services on the target media servers after the command completes successfully. It sets up NBAC on the target hosts. If the configuration of some target hosts did not complete, you can check the output file. Proceed to the access control configuration for the client hosts after this step. See "Installing and configuring access control on clients" Installing and configuring access control on NBU 7.0 clients (Windows and UNIX) The following steps describe installing and configuring NetBackup Access Control on clients in a NetBackup configuration. The target client should be running NetBackup client software version 7.0 or higher. Use the following procedure to configure access control on clients. 1. Make sure that no backups are currently running for the client machine. 2. Stop NetBackup on the clients? Complete any remaining installation steps of NetBackup client software 3. Log into the master server machine as the UNIX root. 4. Check that authentication daemon (vxatd) is running. If not, start the authentication daemon. See "Stopping authentication and authorization daemon services" 5. Go to the NBU_INSTALL_PATH/bindirectory. 6. Log on as the NetBackup security administrator using the following command: bpnbat -Login The following information is displayed. 8

9 The UNIX root users on the master server are the default NetBackup security administrators. Authentication Broker [master.server.com is default]: Authentication port [0 is default]: Authentication type (NIS, NISPLUS, WINDOWS, vx, unixpwd) [unixpwd is default]: Domain [master.server.com is default]: Login Name [root is default]: Password: Operation completed successfully. 7. Run bpnbaz -SetupClient with the described options. Note that this command does not work without an extension for either the individual host, or the -all option. See "NBAC configure commands summary" 8. First do a dry run to see all the clients visible to the master server. Use this process for companies that have a large number of clients (greater than 250). The -dryrun option can be used with both -all and single client configuration. By default, the discovered host list is written to the file SetupClient.nbac in the same directory. You can also provide your own output file name using -out <output file> option. If you use your own output file, then it should be passed for the subsequent runs with -file option. For example you can use: bpnbaz -SetupClient -all -dryrun [-out <outfile>] or bpnbaz -SetupClient <client.host.com> -dryrun [-out <outfile>]. 9. After the dry run, check the client host names and run the same command without the -dryrun option. For example use: bpnbaz -SetupClient -all or bpnbaz -SetupClient -file SetupClient.nbac or bpnbaz -SetupClient <client.host.com>. The -all option runs with the clients known to the master server. It can take time to address all the clients in a large environment( greater than 250). The -all client listing updates the credentials on all clients. It can take some time and resource. Instead use the -file option to update a subset of the clients. You can run the same command multiple times, until all the clients in the progress file are successfully configured. The status for each client is updated in the input file. The ones that succeeded in each run are commented out for the subsequent runs. A smaller subset is left for each successive run. Use this option if you have added a number of clients (greater than 250). Target the ones you want to update at that time. The -images option with -all looks for client host names in the image catalogs. It can return decommissioned hosts in larger environments. Run the -all -dryrun options with the -images option to determine which hosts should be updated 10. Restart the client services on the specific clients once the installation is finished. Configuring access control for NetBackup pre 7.0 media server s and clients You can configure the access control for NetBackup pre-7.0 media and client machines. Use the following procedure to configure the access control for NetBackup pre-7.0 media servers and clients. 1. Install Authentication and Authorization client packages on the target machine. If the target machine is a NetBackup client, then install the authentication client only. If the target machine is a NetBackup media server, install both authentication and authorization clients. You can choose to install both client and server binaries on the target machine, but there is no need to configure the servers. You need to install the authentication and authorization packages that are available on Infrastructure Common Services (ICS) DVDs shipped with the older NetBackup media. The authentication and authorization binaries available with NetBackup 7.0 may not be compatible with the older NetBackup media servers or clients. On UNIX platforms, use the installics utility to install the authentication and authorization packages. On 9

10 Windows, use VxSSVRTSatSetup.exe and VRTSazSetup.exe. Please refer to the older NetBackup documentation for more details on how to install authentication and authorization clients. 2. Set up a credential for the target media server or the client machine. Log on as either root (UNIX) or as a member of the local Administrator group (Windows) on the master server. Make sure that the authentication and the authorization services are running on the master server. Create a machine account for the target media server or client machine by running the following command on the master server: On UNIX, bpnbat is located in directory /usr/openv/netbackup/bin. On Windows, bpnbat is located in directory Install_path\NetBackup\bin. bpnbat -addmachine Machine Name: host.domain.com Password: ******* Password: ******* Operation completed successfully. Log on to the target media server or the client machine as either root (UNIX) or a member of the local Administrator group (Windows), and run the following command: bpnbat -loginmachine Does this machine use Dynamic Host Configuration Protocol (DHCP)? (y/n)? n Authentication Broker: master.server.com Authentication port [Enter = default]: Machine Name: local.host.name --> This should be the same value entered in the previous step. Password: *******Operation completed successfully. Repeat this step 2 for each alias or host name used by the media or client machine. 3. Enable authorization server access to the target media server host. This step is only needed for the NetBackup media servers, and not the client machines. Log on to the master server machine as either root (UNIX) or a member of the local Administrator group (Windows) On UNIX, bpnbaz is located in directory /usr/openv/netbackup/bin/admincmd. On Windows, bpnbaz is located in directory Install_path\NetBackup\bin\admincmd. Run the following command: bpnbaz -AllowAuthorization media.server.com Operation completed successfully 4. Set up the proper access control host properties for the target media server or the client host. For the media servers, see Master server and media server host properties. For the Clients, see Client host properties. 5. Restart the NetBackup process on the target media server or the client machine. 10

11 Establishing a trust relationship between the broker and the Windows remote console Establish a trust relationship between the master server (broker) and the administration client. Use this procedure to establish a trust relationship between the broker and the Windows remote console. 1. From the master server, run the following command: Sample output of VXSS_SETTINGS.txt: Install_path\Veritas\NetBackup\bin\ admincmd>bpgetconfig USE_VXSS AUTHENTICATION_DOMAIN >VXSS_SETTINGS.txt USE_VXSS = AUTOMATIC AUTHENTICATION_DOMAIN = <domain_name> "" WINDOWS <broker_host> 0 2. Copy VXSS_SETTINGS.txt to the administration client. 3. Run the following command from the administration client: Running this command matches the settings on the administration client with those on the broker. It sets the administration client to log on automatically to the broker. C:\Program Files\Veritas\NetBackup\bin\admincmd>bpsetconfig "<absolute_path>\vxss_settings.txt" 4. Launch the Administration Console from the administration client, a request to establish a trust with the broker should occur. Once the trust is agreed to, the administration console should be available. Including authentication and authorization databases in NetBackup hot catalog backups In NetBackup environments using the online hot catalog backup method: no additional configuration is needed to include the Symantec Product Authentication Service and Symantec Product Authorization Service databases in the catalog backup. Hot catalog backup does not run in the NBAC mode REQUIRED. Manually configuring access control host properties Run the bpnbaz -setupclient, bpnbaz -setupmedia, and bpnbaz - setupmaster commands to do this configuration automatically. You only need to do this configuration if you want to change defaults or add additional brokers. Also do this for the back revision media server and client hosts. Use the following sections for manually configuring the access control host properties. You must set the master server Symantec Product Authentication Service and Symantec Product Authorization Service property to Automatic until the clients are configured for access control. Then change the Symantec Product Authentication Service and Symantec Product Authorization Service property on the master server to Required. 11

12 Unifying NetBackup Management infrastructures with the setuptrust command Symantec products management servers need to communicate so that an administrator for one product has permission to administer another product. This communication ensures that application processes in one management server work with another server. One way of ensuring communication is to use a common independent security server called a root broker. If all the management servers point to a common root broker, the permission for each server is based on a common certificate. Another way of ensuring communication is to use the setuptrust command. This command is used to establish trust between the two management servers. The command is issued from the management server that needs to trust another management server. The security information is transferred from that host to the one requesting the trust establishment. A one-way trust is established. Setting up two way (mutual) trust is performed by issuing the setuptrust command from each of the two servers involved. For example, a NetBackup configuration might consist of a Symantec OpsCenter server (OPS) and three master servers (A, B, and C). Each of the master servers has connected to them the NBAC policies and management for the clients and the media servers. The first step is to have the Symantec OpsCenter server (OPS) setup trust with each of the master servers (A, B, and C). This trust ensures that the Symantec OpsCenter server receives secure communications from each of the master servers, the clients and the media servers connected to each of the master servers. A sequence of these events is as follows: The OPS sets up trust with master server A. The OPS sets up trust with master server B. The OPS sets up trust with master server C. If Symantec OpsCenter is set up to perform actions on the individual master servers, a trust relationship needs to be set up from each of the master servers to the Symantec OpsCenter server (OPS). A sequence of these events is as follows. In this case, the setuptrust command is run six times. The master server A sets up trust with Symantec OpsCenter server (OPS). The master server B sets up trust with Symantec OpsCenter server (OPS). The master server C sets up trust with Symantec OpsCenter server (OPS). The Symantec OpsCenter server OPS sets up trust with master server A. The Symantec OpsCenter server OPS sets up trust with master server B. The Symantec OpsCenter server OPS sets up trust with master server C. NetBackup 7.0 and OpsCenter 7.0 establish trust automatically. You may need to do these manual setuptrust operations with older NetBackup master servers. At the end of the NetBackup master server 7.0 installation, there is a question on the OpsCenter host name. With that, the master server can initiate a two-way trust setup. Details on the setuptrust command are described in the Symantec Commands guide. A summary of the command is provided here for your convenience. Using the setuptrust command Use the setuptrustcommand to contact the broker to be trusted, obtain its certificate or details over the wire, and add to the trust repository if the furnished details are trustworthy. The security administrator can configure one of the following levels of security for distributing root certificates: 12

13 High security (2): If a previously untrusted root is acquired from the peer (that is, if no certificate with the same signature exists in our trust store), the user will be prompted to verify the hash. Medium security (1): The first authentication broker will be trusted without prompting. Any attempts to trust subsequent authentication brokers will cause the user to be prompted for a hash verification before the certificate is added to the trusted store. Low security (0): The authentication broker certificate is always trusted without any prompting. The vssat CLI is located in the authentication service 'bin' directory. The setuptrustcommand uses the following syntax: vssat setuptrust --broker <host[:port]> -- securitylevel high The setuptrustcommand uses the following arguments: The broker, host, and portarguments are first. The host and port of the broker to be trusted. The registered port for Authentication is If the broker has been configured with another port number, consult your security administrator for information. Using hostnames when adding machines NBAC does not require the use of fully qualified hostnames when you add machines. However, commands accepting hostnames (bpnbat -AddMachine, bpnbat -LoginMachine, and bpnbaz - AllowAuthorization) can retrieve the fully-qualified hostname if a non-fully-qualified hostname is specified. For example, if a host unix_machine.company.com exists, and only unix_machine is specified for any of these commands: then that command attempts to resolve the name to unix_machine.company.com. To determine what name these commands have resolved, you can run bpnbat -ShowMachines. It lists the names of all hosts that are added to NetBackup's private domain in the authentication broker. Specify the fully qualified hostname when you use these commands to make sure that the correct name is chosen. In addition, using fully qualified hostnames is more secure. It ensures the uniqueness of the host name used by a machine. Symantec does recommend the use of fully qualified hostnames for NBAC. Master server and media server host properties The access control host properties are described in the following sections. The master server and media server host properties are in the NetBackup Administration Console. Open NetBackup Management > Host Properties > master server or media server > Select server > access control. Access control host properties dialog Set the Symantec Product Authentication Service and Symantec Product Authorization Service to either Required or Automatic. A setting of Automatic takes into account that there may be hosts within the configuration that are not yet configured for NBAC. The server attempts to negotiate the most secure connection possible when it communicates to other NetBackup systems. The Automatic setting should be used until all clients and servers are configured for NBAC. Access control host properties dialog shows the access control host properties dialog. 13

14 Figure 5-1 Access control host properties dialog When Automatic is used, you may specify machines or domains required to use Symantec Product Authentication Service and Symantec Product Authorization Service. Or you may specify machines prohibited from using Symantec Product Authentication Service and Symantec Product Authorization Service. Symantec Product Authentication & Authorization tab View the access control host properties, on the Symantec Product Authentication and Authorization tab. Add the master server to the Symantec Product Authentication Service and Symantec Product Authorization Service Network list. Then set Symantec Product Authentication Service and Symantec Product Authorization Service to Required. Symantec product authentication and authorization tab shows the Symantec product authentication and authorization tab. Figure 5-2 Symantec product authentication and authorization tab 14

15 A UNIX domain unixbox.mycompany.com on the authentication server UNIXBOX. Notice that the authentication mechanism for this domain is PASSWD. Each new NetBackup client or media server (version 5.0 or higher), added to the NetBackup master, needs to have the access control properties configured. These properties are configured on both itself and the master. This configuration can be done through the host properties on the master server. Authentication domain tab The Authentication Domain tab is used to define the following: Which authentication servers support which authentication mechanisms What domains each supports. Add the domain you want users to authenticate against. Be sure to select the proper authentication mechanism. The following examples contain three authentication domains and three authentication types. Two are hosted on the authentication server UNIXBOX, and a third Windows AD/PDC (Active Directory/Primary domain controller ) hosted on WINMACHINE. Authentication domain tab shows the authentication domain tab. Figure 5-3 Authentication domain tab Notice that the authentication mechanism for this domain is NIS. When a UNIX authentication domain is used, enter the fully qualified domain name of the host performing the authentication. Authentication types supported are NIS, NISPLUS, WINDOWS, vx, and unixpwd (unixpwd is default). 15

16 A NIS domain NIS.MYCOMPANY.COM on the authentication server UNIXBOX. UNIX Authentication domain shows the UNIX authentication domain. Figure 5-4 UNIX Authentication domain A Windows AD/PDC domain WINDOWS on the authentication server WINMACHINE. Notice that the authentication mechanism for this domain is WINDOWS. Domain WINDOWS shows the domain WINDOWS. Figure 5-5 Domain WINDOWS 16

17 Authorization Service tab Within the access control host properties, on the Authorization Service tab, complete the properties for the authorization server. Specify the host name for the system running the authorization daemon service (typically the master). Specify the alternate port for which this daemon service has been configured. The default listening port for the authorization daemon service is Authorization service tab shows the authorization service tab. Figure 5-6 Authorization service tab Make any changes to the host properties and restart the daemon services. Client host properties Access the client host properties in the NetBackup Administration Console. Open NetBackup Management > Host Properties > Clients > Select client(s) > access control. Access control host properties dialog for client Select the NetBackup client in the host properties. (On the master server, in the NetBackup Administration Console, open NetBackup Management > Host Properties > Clients > Selected clients > access control.) Access control host properties shows the access control host properties. 17

18 Figure 5-7 Access control host properties Set the Symantec Product Authentication Service and Symantec Product Authorization Service to Required or Automatic. Symantec Product Authentication & Authorization tab for client Select the NetBackup client in the host properties. This tab is only enabled in Automatic mode. It can be used to control which systems require or prohibit the use of Symantec Product Authentication Service and Symantec Product Authorization Service on a per-machine basis. Note that both systems must have matching settings to communicate. Authentication and authorization tab shows the Authentication and Authorization tab. Figure 5-8 Authentication and authorization tab Authentication domain tab Within the access control host properties, on the Authentication Domain tab, add the list of domains a client can use to authenticate. 18

19 Authentication and authorization installation diagnostics and tools This section contains uninstalling information and a number of diagnostic tools. This section also includes information on creating response files to further automate the installation process. The sections on uninstalling authentication and authorization should only be used when required. Proceed to the section on NBAC Configuration overview and refer to that section only if you have challenges. Using a response file A response file is generated at end of the first manual installation. This file saves all the configuration settings that are specified during the first installation. This response file then can be used for multiple installations. On Windows platform, the response file name is: <filename>.rsp On UNIX platform, the response file name is: installics-idstring.response where IdString is a unique ID string generated by the installics script for the installer execution. Finding authentication service install location You can find the directory location of the authentication service using the locations as follows: On UNIX platforms, Authentication service is installed under /opt/vrtsat. On 32bit Windows, it is installed under %ProgramFiles%\VERITAS\Security\Authentication. On 64bit Windows, it is installed under %ProgramFiles(x86)%\VERITAS\Security\Authentication. The specified locations are defaults for Windows. If the service is installed in a non-default location, refer to the system registry key InstallDir for the actual location. On a 32bit machine, this key is under HKEY_LOCAL_MACHINE\SOFTWARE\VERITAS\Security\Authentication. On a 64bit machine, this key is under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\VERITAS\Security\Authentication. Determining if the authentication broker is properly configured Some Symantec Storage Foundation products install the authentication service, but leave the broker in an unconfigured state. These products configure the broker only when the security option is turned on in those products. If the NetBackup master server is installed on one of these machines, then you need to configure the Authentication broker. The broker needs to be configured in Root+AB mode before doing the access control (NBAC) configuration. 19

20 Use the following procedure to check whether Authentication broker is configured or not. 1. Go to the 'bin' directory under Authentication service install location. See "Finding authentication service install location" 2. Run thevssat showbrokermode command. The output is similar to the following: showbrokermode s Broker mode is : Mode 0 means the broker is not configured. It should be configured either in Mode 3 (Root+AB) or in Mode 1 (AB) for setting up the NetBackup Access Control. If it is Mode 0, follow the steps in Manually configuring the authentication broker section. Manually configuring the authentication broker This procedure allows the authentication broker to be configured in Root+AB mode (mode 3). Use the following procedure to manually configure the authentication broker in Root+AB mode (mode 3). 1. Go to bin directory under the authentication service install location See "Finding authentication service install location" 2. Run the following command to configure the broker in Root+AB mode: vxatd -o -a -r On Windows platforms, run the vxatd -i command to install authentication broker as a service: 3. Start the Authentication service. See "Starting authentication and authorization daemon services" Stopping authentication and authorization daemon services Use the following commands for stopping the authentication daemons and authorization daemons on UNIX and Linux: Stop authentication daemon - kill <vxatd process id> Stop authorization daemon -/opt/vrtsaz/bin/vrtsaz -stop On Windows, the Symantec Product Authentication Service and Symantec Product Authorization Service can be stopped from the Services panel. Use the following commands to stop them manually: For authentication use:net stop vrtsat. For authorization use:net stop vrtsaz. Starting authentication and authorization daemon services Use the following commands for starting the authentication daemons and authorization daemons on UNIX and Linux: Start authentication daemon - /opt/vrtsaz/bin/vxatd Start authorization daemon - /opt/vrtsaz/bin/vrtsaz On Windows, the Symantec Product Authentication Service and Symantec Product Authorization Service can be started from the windows Services panel. Use the following commands to start them manually: For authentication use:net start vrtsat. For authorization use:net start vrtsaz. 20