1 Tech Note 4 NBAC (NetBackup Access Control) UNIX Quick Install Non HA This section includes the following topics About NBAC (NetBackup Access Control) About NBAC (NetBackup Access Control) Starting Checklist NetBackup Planning the Upgrade to 7.0 NBAC Security Administrator NBAC Installation Sequence Connection Validation for Media Servers and Clients NBAC Configuration Overview Installing and configuring access control on NBU 7.0 standalone Master Servers Installing and configuring access control on NBU 7.0 Media Servers Installing and configuring access control on NBU 7.0 clients Establishing a trust relationship between the broker and the Windows remote consoles Media Server Configuration bout NBAC (NetBackup Access Control) Including authentication and authorization databases in NetBackup hot catalog backups Manually configuring access control host properties Unifying NetBackup Management infrastructures with the setuptrust command Using the setuptrust command Using hostnames when adding machines Master server & media server host properties Access control host properties dialog 1
2 Symantec Product Authentication & Authorization tab Authentication domain tab Authorization Service tab Client host properties Access control host properties dialog for client Symantec Product Authentication & Authorization tab for client Authentication and authorization installation diagnostics and tools About NBAC (NetBackup Access Control) Access to NetBackup can be controlled by defining user groups and granting explicit permissions to these groups. Configuring user groups and assigning permissions is done using Access Management in the NetBackup Administration Console. You can find documents at the following Web site that can be helpful in your deployment of NBAC. See NBAC is an implementation of role-based access control. One employs role based access control in situations where: One wants to have a set of permissions for different levels of administrators for an application. A backup application can have operators (perhaps load and unload tapes). It can have local administrators (manage the application within one facility). And it can have overall administrators who may have responsibility for multiple sites and to determine backup policy. Note that this feature is also highly useful in preventing user errors. If junior level administrators are restricted from certain operations, they are prevented from making inadvertent mistakes. One wants to separate administrators so that root permission to the system is not required to administer the system. One can then separate the administrators for the systems themselves from the ones who administer the applications. A role based access control like NBAC has the following: Authentication supplied by the Symantec Product Authentication Service (VxAT) determines if a person or entity should be considered as legitimate for any operation in the application. Authorization supplied by the Symantec Product Authorization Service that defines the scope of what a person or entity can do (role) and labeled VxAZ. Starting checklist This prerequisites starting check list can help before you start to configure NBAC. If you have these items, your installation is likely to go more smoothly. The following contains the information for this installation: The software for NBU 7.0 NBAC installation can be found on the NBU DVDs. Remote login permission for the NetBackup Java Console (if this console is being used) Media servers must be configured with NBAC to enable non root users to manage these servers NetBackup Access Management relies on the use of home directories. Please refer to the OS documentation for the OS you are installing on for more details on home directories 2
3 No License is required for enabling NBAC Required Specifics from your environment User name or password for master server (root or administrator permission). Name of master server Name of all media servers that are connected to the master server Name of all clients to be backed up Host name or IP address for all items listed above Host names should be resolvable to a valid IP address. Use ping or traceroute as one of the tools to ensure you can see the hosts.using these commands ensures that you have not configured a firewall or other obstruction to block access. List of all Symantec applications and revision levels that are located on your Master Servers. This includes Storage Foundation, CC Storage, etc. This is for ensuring that the proper levels of AT are installed. It is assumed that there is no clustering software installed on the master server. NetBackup: Planning the upgrade to 7.0 Determine the plan for upgrading Master Servers, Media Servers and clients to NBU 7.0 as follows: The minimum upgrade is to move to an NBU 7.0 Master server. One can then add Media Servers and or Clients Some features are provided by upgrading master servers, some by media servers, and some from upgrading clients. Determine the features needed. A NetBackup 7.0 master server can support both 6.5 and 7.0 media servers and clients Put together a plan of planned upgrades. Deployment can be step wise if required. NetBackup access management relies on the use of home directories. Please see the documentation for your operating system for more information on home directories. NBAC Security Administrator The user who installs and configures Symantec Product Authentication Service and Symantec Product Authorization Service software for NetBackup Access Management specifies a user account. That account becomes the first member of the NBU Security Admin user group. This chapter refers to a member of the NBU Security Admin group as a security administrator. Users can be added to the group, typically consisting of few members. Members of the NBU Security Admin user group are the only users who can view the contents of Access Management > Users and Access Management > NBU User Groups. This group is in the NetBackup Administration Console. Security administrators are the only users allowed to create user groups, assign users to the groups, and define permissions for the groups. By default security administrators do not have permission to perform any other NetBackup administration activities. The administrator group (Windows) or root (UNIX) is always a member of the NBU Security 3
4 Admin group. They are a member on the system where the authorization daemon service runs (master server). NBAC installation sequence For information on the NBAC installation sequence, refer to this procedure. Use the following NBAC installation sequence. 1. Complete Root + AB installation of the Symantec Product Authentication Service on the master server. See Installing or upgrading the Symantec Product Authentication Service sections. 2. Complete Symantec Product Authorization Service server installation on the master server. See Installing or upgrading the Symantec Product Authorization Service sections. 3. Configure the master server for NetBackup Access Control. See "Installing and configuring access control on stand alone master servers" The master server can be installed in a stand alone mode or in a highly available configuration on a cluster. 4. Complete your media server binary installation; then configure media servers for NetBackup Access Control. See "Installing and configuring access control on media servers" 5. Complete all NetBackup client installations, then configure clients for NetBackup Access Control. See "Installing and configuring access control on clients" Symantec Product Authentication Service and Symantec Product Authorization Service component distribution The Symantec Product Authentication Service and Symantec Product Authorization Service should be installed on the master server. No additional components are needed on media or clients. For further information on Symantec Product Authentication Service and Symantec Product Authorization Service refer to the following Tech PDF at the Symantec support site: This Tech PDF provides information to help organizations securely deploy Symantec products in individual and multiple product environments and can be accessed on the web. While possible to share the Enterprise Media Manager server between multiple master servers, this configuration is not supported for access control. The EMM server must be bound to one master server. Installing or upgrading the Symantec Product Authentication Service in Root + AB mode On a UNIX platform, you can install or upgrade the Symantec Product Authentication Service Root + AB mode interactively, using the installics script. To install or upgrade the Symantec Product Authentication Service Root+AB mode on UNIX platform use the following procedure. 1. Invoke the installics script from CD-ROM_ROOT/ICS directory. 4
5 2. Select a task from the Task menu prompt. Type I to install a product. 3. Select a product to install from the product sub-menu prompt. Type 1 to install the Symantec Product Authentication Service. 4. The following message is displayed: AT will be installed on localhost: <hostname> Press Enter to continue. If there is an older version of the authentication service already installed on the machine, then there is a confirmation prompt for the upgrade. Enter y and complete the installation. 5. Select the service mode in which you want the Symantec Product Authentication Service to be installed. Type 1 To install the Symantec Product Authentication Service in Root+AB mode. 6. When the package to be installed is displayed, press Enter. The VRTSat server package is installed, depending on the platform. 7. Allow the installation to complete. A progress bar tracks the installation progress. After the installation is complete, the following prompt is displayed: Installation completed successfully on all systems. It is optional to configure AT now. If you choose to configure AT later, you can either do so manually or run the installat -configure command. You can configure the Symantec Product Authentication Service broker later by the selecting C option in the ICS Installer Task menu. 8. When you are prompted to start the Authentication server processes, Type Y to start the processes. 9. Press Enter to continue. The installation log files, summary file, and the response file are saved at the following location: /opt/vrts/install/logs/installics-idstring Installing or upgrading the Symantec Product Authorization Service on UNIX platform On a UNIX platform, you can install or upgrade the Symantec Product Authorization Service interactively, using the installics script. The Symantec Product Authorization Service server should be installed on the master server. This installation ensures that the master server and media servers can communicate with the authorization server at all times. To install or upgrade the Symantec Product Authorization Service on UNIX platform use the following procedure. 1. Log on to master server machine and invoke the installics script from the CD-ROM_ROOT/ICS directory. 2. Select a task from the Task menu prompt. Type I to install a product. 3. Select a product to install from the product sub-menu prompt. Type 2 to install the AZ. 5
6 4. The following message is displayed: VxAZ will be installed on localhost: <hostname> Press Enter to continue. If there is an older version of the authorization service already installed on the machine, then there is a confirmation prompt to upgrade it. Enter y and complete the installation. 5. When the package to be installed is displayed, press Enter. The VRTSaz server package is installed. 6. Allow the installation to complete. A progress bar tracks the installation progress. After the installation is complete, the following prompt is displayed: Installation completed successfully on all systems 7. If there is Symantec Private Branch Exchange (PBX) service installed on the machine, then there is a prompt to hookup Authorization service with the PBX. Enter y for this prompt. 8. When you are prompted to start the Authorization server processes, Type Y to start the processes. 9. Press Enter to continue. The installation log files, summary file, and the response file are saved at the following location: /opt/vrts/install/logs/installics-idstring 10. Go to the section NBAC Configuration review. Connection Validation to media servers and clients Before proceeding, Symantec recommends validating the connections between the Master Server and the Media Servers and clients. A set of OS commands and one NetBackup command is useful for this first level of troubleshooting and validation. The OS commands are ping, traceroute and telnet. The NetBackup command is bpclntcmd. Use these commands to establish that the hosts can communicate with each other. A complete troubleshooting section is found later in this chapter NBAC configuration overview This section contains recommendations for configuring NBAC using the bpnbaz command. This command is available under the NETBACKUP_INSTALL_PATH/bin/admincmd directory. The bpnbaz utility has been upgraded so that it needs to be run from only the master server. You do not need to log into each NetBackup 7.0 media server and client to configure access control. For configuring access control for NetBackup pre-7.0 media and client hosts, refer to Configuring access control for back revision hosts. A summary reference is provided for the command beneath this section. This section provides an example of using these commands with specific details on recommended usage. Note that the services should be restarted on each of the servers and clients once configured. Since the configuration is done from the master server, assure that operational communications links exist between the master server, the media servers, and the clients. You can review the prerequisites list earlier in this chapter. Review the list to ensure that you have noted all the associated media servers, clients, and the addresses to communicate with them. A complete troubleshooting section is found later in this chapter. A set of OS commands and one NetBackup command is useful for the first level of troubleshooting. The OS commands are ping, traceroute and telnet. The NetBackup command is bpclntcmd. Use these commands to establish that the hosts can communicate with each other. Installing and configuring access control on stand alone master servers The following procedures describe installing and configuring NetBackup Access Control on master servers installed on a single machine. A master server requires an authentication server and authorization server. Example host names describes the host names for the configuration examples that are used throughout this chapter. 6
7 Table 5-1 Example host names Host name Windows UNIX Master servers win_master unix_master Media servers win_media unix_media Clients win_client unix_client Use the following procedure to install and configure access control on master servers. 1. If this installation is an upgrade installation, stop NetBackup. 2. You have already used the Infrastructure Common Services DVDs. You have used these DVDs to install the Symantec Product Authentication Service and Symantec Product Authorization Service Root + AB for your platform. 3. Complete all NetBackup master server installations or upgrades. 4. Run the bpnbaz -setupmaster command. When asked to continue, enter y. Enter the current user password. The system then begins gathering configuration information. The system then begins setting up authorization information. 5. Restart NetBackup services on this machine after the bpnbaz -setupmaster command completes successfully. 6. Proceed to setting up the media servers. See "Installing and configuring access control on media servers" Installing and configuring access control on NBU 7.0 media servers (Windows and UNIX) The following steps describe installing and configuring NetBackup Access Control on media servers in a NetBackup configuration. These steps are needed for media servers that are not co-located with the master server. The target media server should be running NetBackup server software version 7.0 or higher. Use the following procedure to configure access control on media servers. 1. Log into the target media server machine. 2. If this installation is an upgrade installation, stop NetBackup. 3. Complete all NetBackup 7.0 media server installations or upgrades. 4. Log into the master server machine as UNIX root. 5. Check that both the authentication daemon (vxatd) and the authorization daemon (vxazd) are running. If they are not running, first start the authentication daemon. Then start the authorization daemon. See "Starting authentication and authorization daemon services" 6. Go to the NETBACKUP_INSTALL_PATH/bindirectory. 7. Log on as the NetBackup security administrator using the following command: bpnbat -Login The following information is displayed: The UNIX root users on the master server are the default NetBackup security administrators. 7
8 Authentication Broker [master.server.com is default]: Authentication port [0 is default]: Authentication type (NIS, NISPLUS, WINDOWS, vx, unixpwd) [unixpwd is default]: Domain [master.server.com is default]: Login Name [root is default]: Password: Operation completed successfully. 8. The bpnbaz -SetupMedia command has a number of options. This command does not work without an extension for either the individual host, or the all option. See "NBAC configure commands summary" 9. It is recommended to do a dry run of the configuration first, with the -dryrun option. It can be used with both -all and single server configuration. By default, the discovered host list is written to the file SetupMedia.nbac. You can also provide your own output file name using -out <output file> option. If you use your own output file, then it should be passed for the subsequent runs with -file option. The dry-run command would look some thing like the following: bpnbaz -SetupMedia -all -dryrun [-out <outfile>] or bpnbaz -SetupMedia <media.server.com> -dryrun [-out <outfile>]. 10. If all the media servers you want to update are in the log file use the -dryrun option. You can proceed with the -all command to do them all at once. For example, you can use: bpnbaz -SetupMedia - all or bpnbaz -SetupMedia -file <progress file>. Note that the -all option updates all the media servers seen each time it runs. If you want to run it for a selected set of media servers, can you do it. Keep only the media server host names that you wanted to configure in a file, and pass that file using the -file option. This input file would either be SetupMedia.nbac or the custom file name you provided with the -out option in the previous dry run. For example you may have used: - bpnbaz - SetupMedia -file SetupMedia.nbac. For configuring a single media server, specify the media server host name as the option. For example use: bpnbaz -SetupMedia <media.server.com>. 11. Restart NetBackup services on the target media servers after the command completes successfully. It sets up NBAC on the target hosts. If the configuration of some target hosts did not complete, you can check the output file. Proceed to the access control configuration for the client hosts after this step. See "Installing and configuring access control on clients" Installing and configuring access control on NBU 7.0 clients (Windows and UNIX) The following steps describe installing and configuring NetBackup Access Control on clients in a NetBackup configuration. The target client should be running NetBackup client software version 7.0 or higher. Use the following procedure to configure access control on clients. 1. Make sure that no backups are currently running for the client machine. 2. Stop NetBackup on the clients? Complete any remaining installation steps of NetBackup client software 3. Log into the master server machine as the UNIX root. 4. Check that authentication daemon (vxatd) is running. If not, start the authentication daemon. See "Stopping authentication and authorization daemon services" 5. Go to the NBU_INSTALL_PATH/bindirectory. 6. Log on as the NetBackup security administrator using the following command: bpnbat -Login The following information is displayed. 8
9 The UNIX root users on the master server are the default NetBackup security administrators. Authentication Broker [master.server.com is default]: Authentication port [0 is default]: Authentication type (NIS, NISPLUS, WINDOWS, vx, unixpwd) [unixpwd is default]: Domain [master.server.com is default]: Login Name [root is default]: Password: Operation completed successfully. 7. Run bpnbaz -SetupClient with the described options. Note that this command does not work without an extension for either the individual host, or the -all option. See "NBAC configure commands summary" 8. First do a dry run to see all the clients visible to the master server. Use this process for companies that have a large number of clients (greater than 250). The -dryrun option can be used with both -all and single client configuration. By default, the discovered host list is written to the file SetupClient.nbac in the same directory. You can also provide your own output file name using -out <output file> option. If you use your own output file, then it should be passed for the subsequent runs with -file option. For example you can use: bpnbaz -SetupClient -all -dryrun [-out <outfile>] or bpnbaz -SetupClient <client.host.com> -dryrun [-out <outfile>]. 9. After the dry run, check the client host names and run the same command without the -dryrun option. For example use: bpnbaz -SetupClient -all or bpnbaz -SetupClient -file SetupClient.nbac or bpnbaz -SetupClient <client.host.com>. The -all option runs with the clients known to the master server. It can take time to address all the clients in a large environment( greater than 250). The -all client listing updates the credentials on all clients. It can take some time and resource. Instead use the -file option to update a subset of the clients. You can run the same command multiple times, until all the clients in the progress file are successfully configured. The status for each client is updated in the input file. The ones that succeeded in each run are commented out for the subsequent runs. A smaller subset is left for each successive run. Use this option if you have added a number of clients (greater than 250). Target the ones you want to update at that time. The -images option with -all looks for client host names in the image catalogs. It can return decommissioned hosts in larger environments. Run the -all -dryrun options with the -images option to determine which hosts should be updated 10. Restart the client services on the specific clients once the installation is finished. Configuring access control for NetBackup pre 7.0 media server s and clients You can configure the access control for NetBackup pre-7.0 media and client machines. Use the following procedure to configure the access control for NetBackup pre-7.0 media servers and clients. 1. Install Authentication and Authorization client packages on the target machine. If the target machine is a NetBackup client, then install the authentication client only. If the target machine is a NetBackup media server, install both authentication and authorization clients. You can choose to install both client and server binaries on the target machine, but there is no need to configure the servers. You need to install the authentication and authorization packages that are available on Infrastructure Common Services (ICS) DVDs shipped with the older NetBackup media. The authentication and authorization binaries available with NetBackup 7.0 may not be compatible with the older NetBackup media servers or clients. On UNIX platforms, use the installics utility to install the authentication and authorization packages. On 9
10 Windows, use VxSSVRTSatSetup.exe and VRTSazSetup.exe. Please refer to the older NetBackup documentation for more details on how to install authentication and authorization clients. 2. Set up a credential for the target media server or the client machine. Log on as either root (UNIX) or as a member of the local Administrator group (Windows) on the master server. Make sure that the authentication and the authorization services are running on the master server. Create a machine account for the target media server or client machine by running the following command on the master server: On UNIX, bpnbat is located in directory /usr/openv/netbackup/bin. On Windows, bpnbat is located in directory Install_path\NetBackup\bin. bpnbat -addmachine Machine Name: host.domain.com Password: ******* Password: ******* Operation completed successfully. Log on to the target media server or the client machine as either root (UNIX) or a member of the local Administrator group (Windows), and run the following command: bpnbat -loginmachine Does this machine use Dynamic Host Configuration Protocol (DHCP)? (y/n)? n Authentication Broker: master.server.com Authentication port [Enter = default]: Machine Name: local.host.name --> This should be the same value entered in the previous step. Password: *******Operation completed successfully. Repeat this step 2 for each alias or host name used by the media or client machine. 3. Enable authorization server access to the target media server host. This step is only needed for the NetBackup media servers, and not the client machines. Log on to the master server machine as either root (UNIX) or a member of the local Administrator group (Windows) On UNIX, bpnbaz is located in directory /usr/openv/netbackup/bin/admincmd. On Windows, bpnbaz is located in directory Install_path\NetBackup\bin\admincmd. Run the following command: bpnbaz -AllowAuthorization media.server.com Operation completed successfully 4. Set up the proper access control host properties for the target media server or the client host. For the media servers, see Master server and media server host properties. For the Clients, see Client host properties. 5. Restart the NetBackup process on the target media server or the client machine. 10
11 Establishing a trust relationship between the broker and the Windows remote console Establish a trust relationship between the master server (broker) and the administration client. Use this procedure to establish a trust relationship between the broker and the Windows remote console. 1. From the master server, run the following command: Sample output of VXSS_SETTINGS.txt: Install_path\Veritas\NetBackup\bin\ admincmd>bpgetconfig USE_VXSS AUTHENTICATION_DOMAIN >VXSS_SETTINGS.txt USE_VXSS = AUTOMATIC AUTHENTICATION_DOMAIN = <domain_name> "" WINDOWS <broker_host> 0 2. Copy VXSS_SETTINGS.txt to the administration client. 3. Run the following command from the administration client: Running this command matches the settings on the administration client with those on the broker. It sets the administration client to log on automatically to the broker. C:\Program Files\Veritas\NetBackup\bin\admincmd>bpsetconfig "<absolute_path>\vxss_settings.txt" 4. Launch the Administration Console from the administration client, a request to establish a trust with the broker should occur. Once the trust is agreed to, the administration console should be available. Including authentication and authorization databases in NetBackup hot catalog backups In NetBackup environments using the online hot catalog backup method: no additional configuration is needed to include the Symantec Product Authentication Service and Symantec Product Authorization Service databases in the catalog backup. Hot catalog backup does not run in the NBAC mode REQUIRED. Manually configuring access control host properties Run the bpnbaz -setupclient, bpnbaz -setupmedia, and bpnbaz - setupmaster commands to do this configuration automatically. You only need to do this configuration if you want to change defaults or add additional brokers. Also do this for the back revision media server and client hosts. Use the following sections for manually configuring the access control host properties. You must set the master server Symantec Product Authentication Service and Symantec Product Authorization Service property to Automatic until the clients are configured for access control. Then change the Symantec Product Authentication Service and Symantec Product Authorization Service property on the master server to Required. 11
12 Unifying NetBackup Management infrastructures with the setuptrust command Symantec products management servers need to communicate so that an administrator for one product has permission to administer another product. This communication ensures that application processes in one management server work with another server. One way of ensuring communication is to use a common independent security server called a root broker. If all the management servers point to a common root broker, the permission for each server is based on a common certificate. Another way of ensuring communication is to use the setuptrust command. This command is used to establish trust between the two management servers. The command is issued from the management server that needs to trust another management server. The security information is transferred from that host to the one requesting the trust establishment. A one-way trust is established. Setting up two way (mutual) trust is performed by issuing the setuptrust command from each of the two servers involved. For example, a NetBackup configuration might consist of a Symantec OpsCenter server (OPS) and three master servers (A, B, and C). Each of the master servers has connected to them the NBAC policies and management for the clients and the media servers. The first step is to have the Symantec OpsCenter server (OPS) setup trust with each of the master servers (A, B, and C). This trust ensures that the Symantec OpsCenter server receives secure communications from each of the master servers, the clients and the media servers connected to each of the master servers. A sequence of these events is as follows: The OPS sets up trust with master server A. The OPS sets up trust with master server B. The OPS sets up trust with master server C. If Symantec OpsCenter is set up to perform actions on the individual master servers, a trust relationship needs to be set up from each of the master servers to the Symantec OpsCenter server (OPS). A sequence of these events is as follows. In this case, the setuptrust command is run six times. The master server A sets up trust with Symantec OpsCenter server (OPS). The master server B sets up trust with Symantec OpsCenter server (OPS). The master server C sets up trust with Symantec OpsCenter server (OPS). The Symantec OpsCenter server OPS sets up trust with master server A. The Symantec OpsCenter server OPS sets up trust with master server B. The Symantec OpsCenter server OPS sets up trust with master server C. NetBackup 7.0 and OpsCenter 7.0 establish trust automatically. You may need to do these manual setuptrust operations with older NetBackup master servers. At the end of the NetBackup master server 7.0 installation, there is a question on the OpsCenter host name. With that, the master server can initiate a two-way trust setup. Details on the setuptrust command are described in the Symantec Commands guide. A summary of the command is provided here for your convenience. Using the setuptrust command Use the setuptrustcommand to contact the broker to be trusted, obtain its certificate or details over the wire, and add to the trust repository if the furnished details are trustworthy. The security administrator can configure one of the following levels of security for distributing root certificates: 12
13 High security (2): If a previously untrusted root is acquired from the peer (that is, if no certificate with the same signature exists in our trust store), the user will be prompted to verify the hash. Medium security (1): The first authentication broker will be trusted without prompting. Any attempts to trust subsequent authentication brokers will cause the user to be prompted for a hash verification before the certificate is added to the trusted store. Low security (0): The authentication broker certificate is always trusted without any prompting. The vssat CLI is located in the authentication service 'bin' directory. The setuptrustcommand uses the following syntax: vssat setuptrust --broker <host[:port]> -- securitylevel high The setuptrustcommand uses the following arguments: The broker, host, and portarguments are first. The host and port of the broker to be trusted. The registered port for Authentication is If the broker has been configured with another port number, consult your security administrator for information. Using hostnames when adding machines NBAC does not require the use of fully qualified hostnames when you add machines. However, commands accepting hostnames (bpnbat -AddMachine, bpnbat -LoginMachine, and bpnbaz - AllowAuthorization) can retrieve the fully-qualified hostname if a non-fully-qualified hostname is specified. For example, if a host unix_machine.company.com exists, and only unix_machine is specified for any of these commands: then that command attempts to resolve the name to unix_machine.company.com. To determine what name these commands have resolved, you can run bpnbat -ShowMachines. It lists the names of all hosts that are added to NetBackup's private domain in the authentication broker. Specify the fully qualified hostname when you use these commands to make sure that the correct name is chosen. In addition, using fully qualified hostnames is more secure. It ensures the uniqueness of the host name used by a machine. Symantec does recommend the use of fully qualified hostnames for NBAC. Master server and media server host properties The access control host properties are described in the following sections. The master server and media server host properties are in the NetBackup Administration Console. Open NetBackup Management > Host Properties > master server or media server > Select server > access control. Access control host properties dialog Set the Symantec Product Authentication Service and Symantec Product Authorization Service to either Required or Automatic. A setting of Automatic takes into account that there may be hosts within the configuration that are not yet configured for NBAC. The server attempts to negotiate the most secure connection possible when it communicates to other NetBackup systems. The Automatic setting should be used until all clients and servers are configured for NBAC. Access control host properties dialog shows the access control host properties dialog. 13
14 Figure 5-1 Access control host properties dialog When Automatic is used, you may specify machines or domains required to use Symantec Product Authentication Service and Symantec Product Authorization Service. Or you may specify machines prohibited from using Symantec Product Authentication Service and Symantec Product Authorization Service. Symantec Product Authentication & Authorization tab View the access control host properties, on the Symantec Product Authentication and Authorization tab. Add the master server to the Symantec Product Authentication Service and Symantec Product Authorization Service Network list. Then set Symantec Product Authentication Service and Symantec Product Authorization Service to Required. Symantec product authentication and authorization tab shows the Symantec product authentication and authorization tab. Figure 5-2 Symantec product authentication and authorization tab 14
15 A UNIX domain unixbox.mycompany.com on the authentication server UNIXBOX. Notice that the authentication mechanism for this domain is PASSWD. Each new NetBackup client or media server (version 5.0 or higher), added to the NetBackup master, needs to have the access control properties configured. These properties are configured on both itself and the master. This configuration can be done through the host properties on the master server. Authentication domain tab The Authentication Domain tab is used to define the following: Which authentication servers support which authentication mechanisms What domains each supports. Add the domain you want users to authenticate against. Be sure to select the proper authentication mechanism. The following examples contain three authentication domains and three authentication types. Two are hosted on the authentication server UNIXBOX, and a third Windows AD/PDC (Active Directory/Primary domain controller ) hosted on WINMACHINE. Authentication domain tab shows the authentication domain tab. Figure 5-3 Authentication domain tab Notice that the authentication mechanism for this domain is NIS. When a UNIX authentication domain is used, enter the fully qualified domain name of the host performing the authentication. Authentication types supported are NIS, NISPLUS, WINDOWS, vx, and unixpwd (unixpwd is default). 15
16 A NIS domain NIS.MYCOMPANY.COM on the authentication server UNIXBOX. UNIX Authentication domain shows the UNIX authentication domain. Figure 5-4 UNIX Authentication domain A Windows AD/PDC domain WINDOWS on the authentication server WINMACHINE. Notice that the authentication mechanism for this domain is WINDOWS. Domain WINDOWS shows the domain WINDOWS. Figure 5-5 Domain WINDOWS 16
17 Authorization Service tab Within the access control host properties, on the Authorization Service tab, complete the properties for the authorization server. Specify the host name for the system running the authorization daemon service (typically the master). Specify the alternate port for which this daemon service has been configured. The default listening port for the authorization daemon service is Authorization service tab shows the authorization service tab. Figure 5-6 Authorization service tab Make any changes to the host properties and restart the daemon services. Client host properties Access the client host properties in the NetBackup Administration Console. Open NetBackup Management > Host Properties > Clients > Select client(s) > access control. Access control host properties dialog for client Select the NetBackup client in the host properties. (On the master server, in the NetBackup Administration Console, open NetBackup Management > Host Properties > Clients > Selected clients > access control.) Access control host properties shows the access control host properties. 17
18 Figure 5-7 Access control host properties Set the Symantec Product Authentication Service and Symantec Product Authorization Service to Required or Automatic. Symantec Product Authentication & Authorization tab for client Select the NetBackup client in the host properties. This tab is only enabled in Automatic mode. It can be used to control which systems require or prohibit the use of Symantec Product Authentication Service and Symantec Product Authorization Service on a per-machine basis. Note that both systems must have matching settings to communicate. Authentication and authorization tab shows the Authentication and Authorization tab. Figure 5-8 Authentication and authorization tab Authentication domain tab Within the access control host properties, on the Authentication Domain tab, add the list of domains a client can use to authenticate. 18
19 Authentication and authorization installation diagnostics and tools This section contains uninstalling information and a number of diagnostic tools. This section also includes information on creating response files to further automate the installation process. The sections on uninstalling authentication and authorization should only be used when required. Proceed to the section on NBAC Configuration overview and refer to that section only if you have challenges. Using a response file A response file is generated at end of the first manual installation. This file saves all the configuration settings that are specified during the first installation. This response file then can be used for multiple installations. On Windows platform, the response file name is: <filename>.rsp On UNIX platform, the response file name is: installics-idstring.response where IdString is a unique ID string generated by the installics script for the installer execution. Finding authentication service install location You can find the directory location of the authentication service using the locations as follows: On UNIX platforms, Authentication service is installed under /opt/vrtsat. On 32bit Windows, it is installed under %ProgramFiles%\VERITAS\Security\Authentication. On 64bit Windows, it is installed under %ProgramFiles(x86)%\VERITAS\Security\Authentication. The specified locations are defaults for Windows. If the service is installed in a non-default location, refer to the system registry key InstallDir for the actual location. On a 32bit machine, this key is under HKEY_LOCAL_MACHINE\SOFTWARE\VERITAS\Security\Authentication. On a 64bit machine, this key is under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\VERITAS\Security\Authentication. Determining if the authentication broker is properly configured Some Symantec Storage Foundation products install the authentication service, but leave the broker in an unconfigured state. These products configure the broker only when the security option is turned on in those products. If the NetBackup master server is installed on one of these machines, then you need to configure the Authentication broker. The broker needs to be configured in Root+AB mode before doing the access control (NBAC) configuration. 19
20 Use the following procedure to check whether Authentication broker is configured or not. 1. Go to the 'bin' directory under Authentication service install location. See "Finding authentication service install location" 2. Run thevssat showbrokermode command. The output is similar to the following: showbrokermode s Broker mode is : Mode 0 means the broker is not configured. It should be configured either in Mode 3 (Root+AB) or in Mode 1 (AB) for setting up the NetBackup Access Control. If it is Mode 0, follow the steps in Manually configuring the authentication broker section. Manually configuring the authentication broker This procedure allows the authentication broker to be configured in Root+AB mode (mode 3). Use the following procedure to manually configure the authentication broker in Root+AB mode (mode 3). 1. Go to bin directory under the authentication service install location See "Finding authentication service install location" 2. Run the following command to configure the broker in Root+AB mode: vxatd -o -a -r On Windows platforms, run the vxatd -i command to install authentication broker as a service: 3. Start the Authentication service. See "Starting authentication and authorization daemon services" Stopping authentication and authorization daemon services Use the following commands for stopping the authentication daemons and authorization daemons on UNIX and Linux: Stop authentication daemon - kill <vxatd process id> Stop authorization daemon -/opt/vrtsaz/bin/vrtsaz -stop On Windows, the Symantec Product Authentication Service and Symantec Product Authorization Service can be stopped from the Services panel. Use the following commands to stop them manually: For authentication use:net stop vrtsat. For authorization use:net stop vrtsaz. Starting authentication and authorization daemon services Use the following commands for starting the authentication daemons and authorization daemons on UNIX and Linux: Start authentication daemon - /opt/vrtsaz/bin/vxatd Start authorization daemon - /opt/vrtsaz/bin/vrtsaz On Windows, the Symantec Product Authentication Service and Symantec Product Authorization Service can be started from the windows Services panel. Use the following commands to start them manually: For authentication use:net start vrtsat. For authorization use:net start vrtsaz. 20
DC Agent Troubleshooting Topic 50320 DC Agent Troubleshooting Web Security Solutions v7.7.x, 7.8.x 27-Mar-2013 This collection includes the following articles to help you troubleshoot DC Agent installation
Setup and configuration for Intelicode SQL Server Express Due to overwhelming demand and the increased load on support, we are providing a complete SQL Server installation walkthrough document. SQL Server
Introduction EASYLABEL 6 has several new features for saving the history of label formats. This history can include information about when label formats were edited and printed. In order to save this history,
IBM WebSphere Application Server Version 7.0 Centralized Installation Manager for IBM WebSphere Application Server Network Deployment Version 7.0 Note: Before using this information, be sure to read the
User Manual Onsight Management Suite Version 5.1 Another Innovation by Librestream Doc #: 400075-06 May 2012 Information in this document is subject to change without notice. Reproduction in any manner
NovaBACKUP xsp Version 15.0 Upgrade Guide NovaStor / November 2013 2013 NovaStor, all rights reserved. All trademarks are the property of their respective owners. Features and specifications are subject
Websense v7.6 Install or Upgrade Checklist Greetings from Websense Technical Support. Most Websense upgrades complete successfully, and from my years of troubleshooting, I have learned a number of steps
VERITAS Backup Exec TM 10.0 for Windows Servers Quick Installation Guide N134418 July 2004 Disclaimer The information contained in this publication is subject to change without notice. VERITAS Software
The (UMT): Is a stand-alone Windows command-line application that performs migration in the granularity of a Unified ICM instance. It migrates only Unified ICM AD user accounts (config/setup and supervisors)
MIGRATING TO AVALANCHE 5.0 WITH MS SQL SERVER This document provides instructions for migrating to Avalanche 5.0 from an installation of Avalanche MC 4.6 or newer using MS SQL Server 2005. You can continue
Installation & Configuration Guide Bluebeam Studio Enterprise ( Software ) 2014 Bluebeam Software, Inc. All Rights Reserved. Patents Pending in the U.S. and/or other countries. Bluebeam and Revu are trademarks
Archive Attender Version 3.5 Getting Started Guide Sherpa Software (800) 255-5155 www.sherpasoftware.com Page 1 Under the copyright laws, neither the documentation nor the software can be copied, photocopied,
MadCap Software Installation Guide for Pulse on Windows Server 2008R2 Pulse Copyright 2014 MadCap Software. All rights reserved. Information in this document is subject to change without notice. The software
NSi Mobile Installation Guide Version 6.2 Revision History Version Date 1.0 October 2, 2012 2.0 September 18, 2013 2 CONTENTS TABLE OF CONTENTS PREFACE... 5 Purpose of this Document... 5 Version Compatibility...
Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your computer.
OnCommand Performance Manager 1.1 Installation and Setup Guide For Red Hat Enterprise Linux NetApp, Inc. 495 East Java Drive Sunnyvale, CA 94089 U.S. Telephone: +1 (408) 822-6000 Fax: +1 (408) 822-4501
DS License Server Installation and Configuration Guide 3DEXPERIENCE R2014x Contains JAVA SE RUNTIME ENVIRONMENT (JRE) VERSION 7 Contains IBM(R) 64-bit SDK for AIX(TM), Java(TM) Technology Edition, Version
Symantec NetBackup Getting Started Guide Release 7.1 21159722 Contents NetBackup Getting Started Guide... 5 About NetBackup... 5 How a NetBackup system works... 6 How to make a NetBackup system work for
PROPALMS VDI Version 2.1 Quick Start Guide for Parallels Virtuozzo Rev. 1.1 Published: JULY-2011 1999-2011 Propalms Ltd. All rights reserved. The information contained in this document represents the current
Freshservice Discovery Probe User Guide 1. What is Freshservice Discovery Probe? 1.1 What details does Probe fetch? 1.2 How does Probe fetch the information? 2. What are the minimum system requirements
IIS, FTP Server and Windows The Objective: To setup, configure and test FTP server. Requirement: Any version of the Windows 2000 Server. FTP Windows s component. Internet Information Services, IIS. Steps:
Symantec NetBackup Security and Encryption Guide UNI, Windows, and Linux Release 7.5 Symantec NetBackup Security and Encryption Guide The software described in this book is furnished under a license agreement
CommandCenter Secure Gateway Quick Setup Guide for CC-SG Virtual Appliance and lmadmin License Server Management This Quick Setup Guide explains how to install and configure the CommandCenter Secure Gateway.
Using Logon Agent for Transparent User Identification Websense Logon Agent (also called Authentication Server) identifies users in real time, as they log on to domains. Logon Agent works with the Websense
DS License Server V6R2013x DS License Server V6R2013x Installation and Configuration Guide Contains JAVA SE RUNTIME ENVIRONMENT (JRE) VERSION 7 Contains IBM(R) 64-bit SDK for AIX(TM), Java(TM) Technology
Universal Management Service 2015 UMS 2015 Help All rights reserved. No parts of this work may be reproduced in any form or by any means - graphic, electronic, or mechanical, including photocopying, recording,
How To Industrial Networking Prepared by: Matt Crites Product: Date: April 2014 Any RAM or SN 6xxx series router Legacy firmware 3.14/4.14 or lower Subject: This document provides a step by step procedure
WhatsUp Log Management Installation and Migration Guide, including Getting Started Information (Applies to v10.1.5 and later) C o n t e n t s Getting Started with WhatsUp Log Management Before You Begin...
TSM for Windows Installation Instructions: Download the latest TSM Client Using the following link: ftp://ftp.software.ibm.com/storage/tivoli-storagemanagement/maintenance/client/v6r2/windows/x32/v623/
Contents Verify implementation of pcanywhere Solution... 2 Deployment of the pcanywhere plug-in from the SMC... 3 Plug-in installation on managed computer... 5 Problems during pcanywhere Plug-in installation...
Using Delphix Server with Microsoft SQL Server (BETA) Table of Contents Architecture High level components in linking a SQL Server database to Delphix High level components in provisioning a SQL Server
MadCap Software Installation Guide for Pulse on Windows Server 2012 Pulse Copyright 2014 MadCap Software. All rights reserved. Information in this document is subject to change without notice. The software
This chapter provides information about the Security Assertion Markup Language (SAML) Single Sign-On feature, which allows administrative users to access certain Cisco Unified Communications Manager and
Securing Windows 7 8/23/2011 Table of Contents About this lab... 3 About the Laboratory Environment... 4 Lab 1: Restricting Users... 5 Exercise 1. Verify the default rights of users... 5 Exercise 2. Adding
Pearl Echo Installation Checklist Use this checklist to enter critical installation and setup information that will be required to install Pearl Echo in your network. For detailed deployment instructions
AVG Business SSO Connecting to Active Directory Contents AVG Business SSO Connecting to Active Directory... 1 Selecting an identity repository and using Active Directory... 3 Installing Business SSO cloud
Active Directory Management Agent Deployment Guide Document Revision Date: June 12, 2014 Active Directory Management Deployment Guide i Contents System Requirements...1 Hardware Requirements...1 Installation...3
SOA Software API Gateway Appliance 7.1.x Administration Guide Trademarks SOA Software and the SOA Software logo are either trademarks or registered trademarks of SOA Software, Inc. Other product names,
ACTIVE DIRECTORY DEPLOYMENT CASAS Technical Support 800.255.1036 2009 Comprehensive Adult Student Assessment Systems. All rights reserved. Version 031809 CONTENTS 1. INTRODUCTION... 1 1.1 LAN PREREQUISITES...
Administering Jive for Outlook TOC 2 Contents Administering Jive for Outlook...3 System Requirements...3 Installing the Plugin... 3 Installing the Plugin... 3 Client Installation... 4 Resetting the Binaries...4
1 Table of Contents Introduction... 4 System and Hardware Requirements... 4 Supported Operating Systems... 4 Microsoft SQL Server... 4 Microsoft.NET Framework 4.0... 4 Microsoft Internet Information Services
Contents Installation Overview... 2 How to Install Ad-Aware Management Server... 3 How to Deploy the Ad-Aware Security Solutions... 5 General Deployment Conditions... 5 Deploying Ad-Aware Management Agent...
Big Data Operations Guide for Cloudera Manager v5.x Hadoop Logging into the Enterprise Cloudera Manager 1. On the server where you have installed 'Cloudera Manager', make sure that the server is running,
Page 1 of 16 Security How to Configure Windows Firewall in a Small Business Environment using Group Policy Introduction This document explains how to configure the features of Windows Firewall on computers
Symantec NetBackup Troubleshooting Guide UNIX, Windows, and Linux Release 7.6 21317380 Symantec NetBackup Troubleshooting Guide The software described in this book is furnished under a license agreement
Force10 Networks Inc. TransNav Management System Documentation Management Server Guide Release TN4.2.2 Publication Date: April 2009 Document Number: 800-0006-TN422 Rev. A Copyright 2009 Force10 Networks,
APPENDIXC Reference and Troubleshooting: FTP, IIS, and Firewall Information Although Cisco VXC Manager automatically installs and configures everything you need for use with respect to FTP, IIS, and the
FileMaker Server 12 FileMaker Server Help 2010-2012 FileMaker, Inc. All Rights Reserved. FileMaker, Inc. 5201 Patrick Henry Drive Santa Clara, California 95054 FileMaker is a trademark of FileMaker, Inc.
Network Load Balancing Step by Step installation of Network Load Balancing in Windows Server 2008 R2. Prerequisite for NLB Cluster 1. Log on to NODE1 Windows Server 2008 R2 system with a domain account
Quick Install Guide 1. Installation Overview Thank you for selecting Bitdefender Business Solutions to protect your business. This document enables you to quickly get started with the installation of Bitdefender
Course Length: 2 days CEUs 1.2 AUDIENCE After completion of this course, you should be able to: Administer the IBM PDA/Netezza Install Netezza Client Software Use the Netezza System Interfaces Understand
VMware vcenter.ga September 25, 2013 GA Last updated: September 24, 2013 Check for additions and updates to these release notes. RELEASE NOTES What s in the Release Notes The release notes cover the following
IGEL Universal Management Installation Guide Important Information Copyright This publication is protected under international copyright laws, with all rights reserved. No part of this manual, including
CYAN SECURE WEB HOWTO June 2008 Applies to: CYAN Secure Web 1.4 and above NTLM helps to transparently synchronize user names and passwords of an Active Directory Domain and use them for authentication.
Configuring Security Features of Session Recording Summary This article provides information about the security features of Citrix Session Recording and outlines the process of configuring Session Recording
Contents I EventSentry Overview Part I Introduction 1 Part II Setting up SQL 2008 R2 Express 2 1 Downloads... 2 2 Installation... 3 3 Configuration... 7 Part III Setting up IIS 9 1 Installation... 9 Part
Secure Messaging Server Console... 2 Upgrading your PEN Server Console:... 2 Server Console Installation Guide... 2 Prerequisites:... 2 General preparation:... 2 Installing the Server Console... 2 Activating
MANJRASOFT PTY LTD Aneka 3.0 Manjrasoft 5/13/2013 This document describes in detail the steps involved in installing and configuring an Aneka Cloud. It covers the prerequisites for the installation, the
PROJECTIONS SUITE Database Setup Utility (and Prerequisites) Installation and General Instructions v0.9 draft prepared by David Weinstein Introduction These are the instructions for installing, updating,
Deploying System Center 2012 R2 Configuration Manager This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
OnCommand Unified Manager Operations Manager Administration Guide For Use with Core Package 5.2 NetApp, Inc. 495 East Java Drive Sunnyvale, CA 94089 U.S. Telephone: +1(408) 822-6000 Fax: +1(408) 822-4501
Sage 200 Web Time & Expenses Guide Sage (UK) Limited Copyright Statement Sage (UK) Limited, 2006. All rights reserved If this documentation includes advice or information relating to any matter other than
Modular Messaging Release 4.0 Service Pack 4 Whitepaper: Support for Active Directory and Exchange 2007 running on Windows Server 2008 platforms. April 2009 2006-2009 Avaya Inc. All Rights Reserved. Notice
Secret Server Discovery Guide Table of Contents Introduction... 3 How Discovery Works... 3 Active Directory / Local Windows Accounts... 3 Unix accounts... 3 VMware ESX accounts... 3 Why use Discovery?...
Deploying BitDefender Client Security and BitDefender Windows Server Solutions Quick Install Guide Copyright 2010 BitDefender; 1. Installation Overview Thank you for selecting BitDefender Business Solutions
MadCap Software Upgrading Guide Pulse Copyright 2014 MadCap Software. All rights reserved. Information in this document is subject to change without notice. The software described in this document is furnished
. All right reserved. For more information about Specops Gpupdate and other Specops products, visit www.specopssoft.com Copyright and Trademarks Specops Gpupdate is a trademark owned by Specops Software.
Upgrade Guide BES12 Version 12.1 Published: 2015-02-25 SWD-20150413111718083 Contents Supported upgrade environments...4 Upgrading from BES12 version 12.0 to BES12 version 12.1...5 Preupgrade tasks...5
QuickStart Guide Welcome to the QuickStart Guide This QuickStart Guide provides the information you need to install and start using Express Software Manager. For more comprehensive help on using Express
Scheduling in SAS 9.3 SAS Documentation The correct bibliographic citation for this manual is as follows: SAS Institute Inc 2011. Scheduling in SAS 9.3. Cary, NC: SAS Institute Inc. Scheduling in SAS 9.3
Enhanced Connector Applications SupportPac VP01 for IBM WebSphere Business Events 3.0.0 Third edition (May 2012). Copyright International Business Machines Corporation 2012. US Government Users Restricted
orrelogtm Security Correlation Server Quick Installation Guide This guide provides brief information on how to install the CorreLog Server system on a Microsoft Windows platform. This information can also
USER GUIDE Product Snow Inventory Data Receiver Version 2.1 Release date 2013-04-26 Content Prerequisites Installation Configuration Document date 2014-12-02 CONTENT ABOUT THIS DOCUMENT... 3 PREREQUISITES...
Installing and Configuring vcloud Connector vcloud Connector 2.7.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new
This presentation will discuss how to troubleshoot different types of project creation issues with Information Server DataStage version 8. Page 1 of 29 The objectives of this module are to list the causes
Quick Start Guide DocuSign Retrieve 3.2.2 Published April 2015 Overview DocuSign Retrieve is a windows-based tool that "retrieves" envelopes, documents, and data from DocuSign for use in external systems.
DameWare Server Administrator Guide About DameWare Contact Information Team Contact Information Sales 1.866.270.1449 General Support Technical Support Customer Service User Forums http://www.dameware.com/customers.aspx
Install MS SQL Server 2012 Express Edition Sohodox now works with SQL Server Express Edition. Earlier versions of Sohodox created and used a MS Access based database for storing indexing data and other
Backup Exec Private Cloud Services Planning and Deployment Guide Chapter 1 Introducing Backup Exec Private Cloud Services This chapter includes the following topics: About Backup Exec Private Cloud Services