Authentication Services for NetBackup

From World History Wiki


These documents are for entertainment purposes only. Use at your own risk. This site is in no way affiliated with Symantec or NetBackup.

Increasing security within NetBackup requires enhanced authentication and authorization configuration. This is accomplished by implementing the NetBackup Access Control (NBAC) functionality on the master servers, media servers, and clients. For more details see the Symantec NetBackup™ Security and Encryption Guide, Chapter 4, starting on page 120.

  • NBAC consists of a root broker, an authentication broker, an authorization engine, and a GUI.
  • NBAC uses authentication identities from a trusted source (for example Active Directory, when the OpsCenter server on a Windows host is integrated with AD authentication).
  • Access permissions are then set up based on those identities.
  • The NetBackup master server must be the root broker (v7.6 and newer). The root broker authenticates the authentication broker; it does not authenticate clients.
  • The authentication broker can be the same server as the root broker, and authenticates servers, the GUI, clients, and users.
  • The authorization engine communicates with the servers to determine user permissions.
  • The GUI is the Administration Console.

Also see Auditing NetBackup operations and Key Management for NetBackup.

NetBackup has limited documentation on some aspects of this product, but these outdated Technotes may still be helpful:

Symantec Product Authentication Service (VxAT) 4.3 Administrator's Guide
http://www.symantec.com/docs/TECH63907
Symantec YELLOW BOOKS - Product Authentication and Authorization
http://www.symantec.com/docs/TECH52574

NBAC Considerations

NetBackup Authentication Services can be used to:

  • Administer as non-root users.
  • Administer UNIX with a Windows user ID.
  • Administer Windows with a UNIX account.
  • Allow non-root administration of clients and servers.
  • Segregate and limit the actions of specific users by using a set of permissions for different levels of administrators.
  • Provide trusted identification of some or all hosts participating in NetBackup.
  • Root or Administrator users on client hosts can still perform local client backups and restores.
  • Combine with other security-related options.

For a listing of the types of security models see Chapter 2 of the Symantec NetBackup™ Security and Encryption Guide starting on page 38.

Access to NetBackup is controlled by defining user groups and granting explicit permissions to each group. Configuration is done from Access Management in the NetBackup Administration Console.

Media servers not configured with access control cannot be managed by non-root/non-Administrator users.

In order for the NetBackup-Java Administration Console to function, the user must have permission to log on to the system remotely.

Configuration

NOTE: Deployment can be done stepwise if required. Some features may require the latest version of NetBackup to be installed.

If you want to configure AD authentication in a primarily Linux/UNIX environment see this technote: http://www.symantec.com/docs/TECH199281

Considerations

Set the master server's NetBackup Authentication and Authorization property to Automatic until all clients and servers are configured for access control, then change it to Required. The Automatic setting tells NetBackup that not all hosts are yet configured for NBAC; only use Required once all servers and clients are configured for NBAC. When Automatic is selected, you can specify the computers or domains that are required to use NetBackup Product Authentication and Authorization, or the computers that are prohibited from using it.

For more details see Symantec NetBackup™ Security and Encryption Guide page 148.

One way of ensuring a common configuration is to use an independent security server called a root broker. The setuptrust command establishes trust between two management servers. For example:

vssat setuptrust --broker <host[:port]> --securitylevel high

NOTE: This is done automatically when the OpsCenter server name is provided at install time. If it was not done at install time, the CLI command can be used. This is why I recommend installing OpsCenter before any master servers.
At the end of the NetBackup master server 7.6 installation there is a question about the OpsCenter host name; when it is entered properly, the master server initiates a two-way trust setup.

The supported authentication types are NIS, NISPLUS, WINDOWS, vx, and unixpwd (unixpwd is the default). When UNIX authentication is used, use the fully qualified domain name of the host that performs the authentication.

The nbac_cron [-AddAt|-AddCron] utility can be used to create identities for running commands within cron or at jobs.

Prerequisites

  • User name and password for the master server (root or Administrator permission).
  • Name of the master server.
  • Names of all media servers that are connected to the master server.
  • Names of all clients to be backed up.
  • Host name or IP address of each host.
    Note: Host names should resolve to a valid IP address. Use ping or traceroute as one of the tools to ensure that you can reach the hosts and that no firewall or other obstruction blocks access.
  • Who administers the hosts (root permission on the master server equals head administrator).
  • Determine the roles to start with, then add roles as required.
    NOTE: The default root and/or Administrator users are automatically added to the NBU_Admin and KMS_Admin groups. Knowledge of the root and/or Administrator password is required for the initial configuration.

Setup Steps

Configuration is done from the master server, and requires working communication with the media servers and clients.

  1. Configure the master server for NBAC (page 129)
    1. Complete all NetBackup master server installations (and optionally media server installations) and/or upgrades.
    2. Log in to the master server as the OS user to be configured as the initial NetBackup administrator.
      • You will need the password for this user.
    3. Set USE_VXSS = AUTOMATIC in the bp.conf file, or by using the bpsetconfig command:
      bpsetconfig> USE_VXSS=AUTOMATIC
      Followed by Ctrl + Z then Enter on Windows, or Ctrl + D on Linux/UNIX.
      On Windows the registry key is:
      HKEY_LOCAL_MACHINE\SOFTWARE\Veritas\NetBackup\CurrentVersion\Config\USE_VXSS
    4. Run the bpnbaz -SetupMaster -fsa command.
      NOTE: Without the -fsa option, the root or Administrator account is used by default as the NetBackup administrator.
      Examples of this command might be:
      bpnbaz -SetupMaster -fsa nt:DOMAIN:sjhollist
      bpnbaz -SetupMaster -fsa sjhollist
      • Enter y.
        The system gathers configuration information, then sets up the authorization information.
      • Allow the configuration to complete.
    5. Restart the NetBackup services.

  2. Configure media servers for NBAC (page 131)
    1. Run bpnbat -login.
      • With only the root or Administrator users configured by default, you will need the respective password.
    2. Run bpnbaz -SetupMedia with the appropriate options.
      It is recommended to use the -dryrun option first to ensure the desired results are seen.
      • For example:
        bpnbaz -SetupMedia -all -dryrun -out <outfile>
        bpnbaz -SetupMedia <mediaserver.domain.com> -dryrun -out <outfile>
        bpnbaz -SetupMedia -file <progress file>
        The progress file can contain a list of media servers, or be the output file generated with the -dryrun option.
    3. Restart the NetBackup services on the target media server(s) after the command completes successfully.

  3. Optionally configure clients for NBAC (page 133)
    1. Run the bpnbaz -SetupClient command.

  4. Establish a trust relationship between the broker and the Windows remote console
    1. Capture the access control settings the Windows remote console needs:
      bpgetconfig USE_VXSS AUTHENTICATION_DOMAIN > VXSS_SETTINGS.txt
      cat VXSS_SETTINGS.txt
    2. Copy VXSS_SETTINGS.txt to the administration client.
    3. On the Windows administration client run:
      C:\Program Files\Veritas\NetBackup\bin\admincmd>bpsetconfig "<absolute_path>\VXSS_SETTINGS.txt"
    4. Start the Administration Console, and acknowledge the request to establish a trust with the broker.
      You may have to log in again with the appropriate credentials by clicking "File" -> "Login as New User...".

  5. Within the Administration Console you can continue to configure the Authentication Services
    1. To access the master server and media server host properties in the NetBackup Administration Console, expand NetBackup Management > Host Properties > Master Server or Media Server > select the server > Access Control.
      • Here you can set the NBAC mode, which computers or domains require NBAC (Required), and which ones are not allowed to use it (Prohibited).
      • On the Network Settings tab you can add hosts, then view and change their Access Control host properties.
      • The Authentication Domain tab is used to define:
        • Which authentication servers support which authentication mechanisms
        • Which domains each server supports, by adding the domain that you want users to authenticate against
      • The Authorization Service tab is a view-only tab showing the host name.
    2. The client host properties can be accessed from the NetBackup Administration Console under NetBackup Management > Host Properties > Clients > select the client(s) > Access Control.
      • The selections are basically the same as those under the master server host properties.

  6. See the Symantec NetBackup™ Security and Encryption Guide page 194.

Once configuration is completed, the configuration can be verified using the bpnbaz -GetConfiguredHosts [-all|targethost.domain.com] command.

Automated Scripts

When you turn on NetBackup authentication, running commands from an automated script (via cron, at, or the bp_[start|end]_notify scripts) becomes an issue, because the user the script runs as must be authenticated before running the NetBackup commands.

The solution is to set up a cron/at user account to run these scripts from.

Cron User Configuration

  1. Set up an OS user account on the system the jobs are to be run from (this is an OS-dependent task).
    Do not configure or authenticate this user in NBAC.
  2. Make sure you are logged in as root/admin on the server, and authenticated with sufficient permissions (e.g. NBU_Security Admin) via bpnbat -login.
    I.E.:
    [root@nbumaster~]# bpnbat -login
    Authentication Broker [nbumaster.domain.com is default]:
    Authentication port [0 is default]:
    Authentication type (NIS, NISPLUS, WINDOWS, vx, unixpwd, ldap) [unixpwd is default]:
    Domain [nbumaster.domain.com is default]:
    Login Name [root is default]: NBAC_USER_WITH_ADMIN_PRIVILEGES
    Password: (Above Users Password)
    Operation completed successfully.
  3. Use the command below to create a cron and/or at identity:
    /usr/openv/netbackup/bin/goodies/nbac_cron -AddCron
    You will be prompted for information about this user, including:
    • Login name of the user account created in step 1
      (Be sure to supply a user ID that is not credentialed within NBAC.)
    • Password for the user account created in step 1 (entered twice)
    • Access control group that sets what permissions this account has (e.g. a pre-configured read-only group if it is used only for reporting).
    • If you answer 'Y' to the 'register this account locally for root' question, root will be able to use these credentials.
      You may want to consider instead using 'su - user_name' to run the commands as the OS user account from step 1.
  4. Log in as the user account being set up to run the cron/at commands.
  5. Run this command to finish the configuration:
    /usr/openv/netbackup/bin/goodies/nbac_cron -setupcron
    You will be prompted for the credentials of the user account being set up to run the cron/at commands (the one you are currently logged in as), including:
    • Authentication broker (usually the master server, but it can be a media server set up as the authentication broker)
    • Name (the user ID set up in step 1)
    • Password (the currently configured password for the user ID just provided)
    You will also be asked whether you want to trust the server entered as the authentication broker; you must answer 'Y'.
  6. Finally, add a variable to the cron/at user's profile (e.g. .bashrc or .profile) as prompted by the final output of the nbac_cron -setupcron command.

I.E.:

echo "VXSS_CREDENTIAL_PATH=/home/[CronUser]/.vxss/credentials.crat" >> .bashrc
echo "export VXSS_CREDENTIAL_PATH" >> .bashrc

In theory, you can also authorize other OS accounts (such as root) to use the cron user's credentials by running nbac_cron -setupcron as the user you want to have access to the cron user's credentials.

In practice, all you really need is to set VXSS_CREDENTIAL_PATH to the fully qualified path of a valid credential file, export it within the script, and the script can then be run without first running bpnbat -login. Anyone who can read that file can act with the cron user's NBAC permissions, so keep it owned by the cron user and readable only by that user.

I've also seen where putting the variable and export into a cron job before running a command or script also works.

I.E.:

crontab -e

*/3 * * * * VXSS_CREDENTIAL_PATH=/home/[CronUser]/.vxss/credentials.crat; export VXSS_CREDENTIAL_PATH; /usr/openv/netbackup/bin/admincmd/bppllist -U > /tmp/bppllist.txt 2>&1
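
As an added example (not code from the wiki page or from Veritas), the following POSIX shell wrapper puts the caveat above into practice for cron and at jobs: it refuses to run the NetBackup command unless the credentials.crat file exists, is owned by the invoking user and is readable by nobody else, asks bpnbat to validate the credential where bpnbat is installed (the same bpnbat -whoami -cf form listed under Useful Commands), and only then exports VXSS_CREDENTIAL_PATH for the command. The function names, the wrapper file name nbac_wrap.sh and the BPNBAT override are assumptions.

```shell
#!/bin/sh
# Added example, not taken from the wiki page or from Veritas: a wrapper for
# cron/at jobs that refuses to run when the nbac_cron credential file is
# missing, owned by someone else, or readable by other users, instead of
# letting the NetBackup command fail later with an authorization error.
# Assumptions: POSIX sh; the credential is the credentials.crat file that
# nbac_cron -setupcron creates under the cron user's ~/.vxss directory.

# Real path of bpnbat on UNIX; the verify step is skipped where it is absent.
BPNBAT=${BPNBAT:-/usr/openv/netbackup/bin/bpnbat}

# Succeed only if FILE is a regular file, owned by the calling user, with no
# group or world permission bits. Anyone who can read the .crat file can act
# with the cron user's NBAC rights, so this check is the real gate.
nbac_cred_check() {
    f=$1
    [ -f "$f" ] || { echo "credential file $f does not exist"; return 1; }
    set -- $(ls -ldn "$f")          # $1 = mode string, $3 = numeric owner uid
    [ "$3" = "$(id -u)" ] || { echo "$f is owned by uid $3, not $(id -u)"; return 1; }
    case "$1" in
        ????------*) ;;             # chars 5-10 are the group/other rwx bits
        *) echo "$f is accessible to group or others (mode $1)"; return 1 ;;
    esac
    return 0
}

# Ask NetBackup itself to validate the credential when bpnbat is installed;
# an expired credential (see Login Expiration) fails here rather than mid-job.
nbac_cred_verify() {
    [ -x "$BPNBAT" ] || return 0
    "$BPNBAT" -WhoAmI -cf "$1" >/dev/null 2>&1
}

# Run CMD ARGS... with VXSS_CREDENTIAL_PATH pointing at the checked credential,
# so the job needs neither a prior "bpnbat -login" nor the variable in crontab.
nbac_run() {
    cred=$1; shift
    nbac_cred_check "$cred" || return 1
    nbac_cred_verify "$cred" || { echo "bpnbat rejected $cred (expired?)"; return 1; }
    VXSS_CREDENTIAL_PATH=$cred "$@"
}

# Crontab line using the wrapper ([CronUser] is the placeholder used above):
# */3 * * * * . /home/[CronUser]/nbac_wrap.sh; nbac_run /home/[CronUser]/.vxss/credentials.crat /usr/openv/netbackup/bin/admincmd/bppllist -U > /tmp/bppllist.txt 2>&1
```

Because nbac_run passes the variable as a per-command environment assignment, nothing else in the cron user's session inherits the credential path, and a job whose credential has become world-readable (for example after a careless chmod or restore) stops with a message in the cron mail instead of silently keeping a shared secret alive.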

VSSAT Credentials

To verify your VSSAT Credentials run the command:

/usr/openv/netbackup/sec/at/bin/vssat showcred

To verify the default expiry for the 'vx' domain use this command (the expiry interval is listed in number of seconds):

/usr/openv/netbackup/sec/at/bin/vssat showexpiryintervals -p vx

NBAC logging

You can find entries logged in the /var/log/messages when NBAC users are configured.

Search the messages log for "nbatd".

Login Expiration

By default, credentials expire after 24 hours. This obviously does not work well for an account designed to run automated scripts and commands. This slightly outdated Technote explains how to change it (note that it changes the expiry for all users):

http://www.symantec.com/docs/TECH37077

Example

Before extending the expiry for the unixpwd domain type, extend the expiry for the pam domain type credential, in this example to 30 days (2592000 seconds):

/usr/openv/netbackup/sec/at/bin/vssat setexpiryintervals --pluginname pam --prpltype user --credexpiry 2592000
/usr/openv/netbackup/sec/at/bin/vssat setexpiryintervals --pluginname pam --prpltype default --credexpiry 2592000

After setting the pam domain type, set the credential expiration for the unixpwd plugin to 30 days:

/usr/openv/netbackup/sec/at/bin/vssat setexpiryintervals --pluginname unixpwd --prpltype user --credexpiry 2592000
/usr/openv/netbackup/sec/at/bin/vssat setexpiryintervals --pluginname unixpwd --prpltype default --credexpiry 2592000

Verify

You can check the results with the following commands:

/usr/openv/netbackup/sec/at/bin/vssat showexpiryintervals -p pam | egrep 'Default|User'
/usr/openv/netbackup/sec/at/bin/vssat showexpiryintervals -p unixpwd | egrep 'Default|User'

Authenticated users may also want to run these commands:

/usr/openv/netbackup/sec/at/bin/vssat showcred
bpnbat -whoami
bpnbat -ShowBrokerCerts

Troubleshooting

See the Symantec NetBackup™ Security and Encryption Guide starting on page 156

Technote on collecting logs: http://www.symantec.com/docs/TECH202022

Also see Port usage by NetBackup

Large discrepancies in system clock time can cause credentials to be seen as in the future or prematurely expired.

The host name of a system in the NetBackup domain (master server, media server, or client) and the host name specified in the bp.conf file should be the same.

You can lock yourself out of the NetBackup Administration Console if access control is incorrectly configured. To correct this, edit bp.conf or the registry key HKEY_LOCAL_MACHINE\Software\Veritas\NetBackup\CurrentVersion\Config and check whether the following entries are set correctly:

AUTHORIZATION_SERVICE
AUTHENTICATION_DOMAIN
USE_VXSS

To disable access control, set USE_VXSS to PROHIBITED, or delete the entries.
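
The following shell functions are an added example (not from the wiki page or from Veritas) that turns the Automatic-to-Required guidance in the Considerations section and the lockout recovery described above into repeatable checks: nbac_audit verifies that USE_VXSS, AUTHORIZATION_SERVICE and AUTHENTICATION_DOMAIN are present and sane in a UNIX bp.conf, nbac_set_mode flips USE_VXSS (for example back to PROHIBITED) while keeping a backup copy, and nbac_check_hostname compares the bp.conf host name with the OS host name, the mismatch noted just above. The function names, the constructed sample bp.conf content and the use of CLIENT_NAME as the host-name entry are assumptions.

```shell
#!/bin/sh
# Added example, not taken from the wiki page or from Veritas: audit the
# access-control entries in a UNIX bp.conf before switching USE_VXSS from
# AUTOMATIC to REQUIRED, and flip a host back to PROHIBITED when a bad setting
# has locked you out of the Administration Console. Assumptions: POSIX sh, the
# UNIX "KEY = VALUE" bp.conf layout, and that CLIENT_NAME is the entry whose
# host name must match the OS host name. Override BPCONF to work on a copy.

BPCONF=${BPCONF:-/usr/openv/netbackup/bp.conf}

# Print every value set for KEY in FILE (nothing if the key is absent).
bpconf_get() {
    _key=$1; _file=${2:-$BPCONF}
    sed -n "s/^[[:space:]]*$_key[[:space:]]*=[[:space:]]*//p" "$_file" 2>/dev/null
    return 0
}

# Exit 0 when the host is ready for USE_VXSS = REQUIRED: the mode is valid and,
# unless it is PROHIBITED, both AUTHORIZATION_SERVICE and AUTHENTICATION_DOMAIN
# are present (the three entries the Troubleshooting section says to check).
nbac_audit() {
    file=${1:-$BPCONF}; rc=0
    mode=$(bpconf_get USE_VXSS "$file" | tail -n 1)
    case "$mode" in
        AUTOMATIC|REQUIRED|PROHIBITED) ;;
        "") echo "USE_VXSS is not set"; rc=1 ;;
        *)  echo "USE_VXSS has an unexpected value: $mode"; rc=1 ;;
    esac
    if [ "$mode" != "PROHIBITED" ]; then
        for key in AUTHORIZATION_SERVICE AUTHENTICATION_DOMAIN; do
            [ -n "$(bpconf_get "$key" "$file")" ] || { echo "$key is missing"; rc=1; }
        done
    fi
    return $rc
}

# Rewrite (or append) the USE_VXSS entry, keeping a .bak copy of the file.
# nbac_set_mode PROHIBITED is the lockout recovery step; restart the NetBackup
# services afterwards, as the Setup Steps do after every bp.conf change.
nbac_set_mode() {
    mode=$1; file=${2:-$BPCONF}
    case "$mode" in
        AUTOMATIC|REQUIRED|PROHIBITED) ;;
        *) echo "unknown USE_VXSS mode: $mode" >&2; return 2 ;;
    esac
    cp "$file" "$file.bak" || return 1
    if grep -q '^[[:space:]]*USE_VXSS[[:space:]]*=' "$file.bak"; then
        sed "s/^[[:space:]]*USE_VXSS[[:space:]]*=.*/USE_VXSS = $mode/" "$file.bak" > "$file"
    else
        { cat "$file.bak"; echo "USE_VXSS = $mode"; } > "$file"
    fi
}

# The host name in bp.conf must match the name the OS reports (uname -n);
# pass a second argument to compare against a specific name instead.
nbac_check_hostname() {
    file=${1:-$BPCONF}; actual=${2:-$(uname -n)}
    conf=$(bpconf_get CLIENT_NAME "$file" | tail -n 1)
    [ -n "$conf" ] && [ "$conf" = "$actual" ]
}

# Constructed sample bp.conf (not from a real system) for trying the checks:
# it has no AUTHORIZATION_SERVICE line, so nbac_audit reports it.
nbac_sample_conf() {
    cat > "$1" <<'EOF'
SERVER = nbumaster.example.com
CLIENT_NAME = nbumaster.example.com
USE_VXSS = AUTOMATIC
AUTHENTICATION_DOMAIN = example.com "" unixpwd nbumaster.example.com 0
EOF
}
```

Run nbac_audit on every master, media server and client before flipping the master to Required; a host that fails it is exactly the one that will be unreachable once Required is in force. nbac_set_mode writes a fresh file from the .bak copy rather than editing in place, so an interrupted run leaves the original recoverable.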

Useful Commands

  • bpnbat -whoami -cf <computer_credentials> - shows which domain a host is registered in
  • bpnbat -addmachine machine.domain.com - adds the name of the server in question
  • bpnbat -loginmachine - adds credentials to the local machine
  • bpnbat -Login - updates an expired credential

Directories

UNIX / Linux:

/opt/VRTSat
/opt/VRTSaz
/etc/vx/vss
/var/VRTSat
/var/VRTSaz

User credentials: $HOME/.vxss

Computer credentials: /usr/openv/var/vxss/credentials/

Windows:

<Install Path>\Veritas\Security

Credentials: <user_home_dir>\Application Data\VERITAS\VSS

Useful Logs

The following logs are useful to debug NetBackup Access Control:

  • On the master: admin, bpcd, bprd, bpdbm, bpjobd, bpsched
  • On the client: admin, bpcd
  • Access control: nbatd, nbazd.

Server Validation

Use the following as a check list for validating NBAC configurations for each type of system:

UNIX Master

See the Symantec NetBackup™ Security and Encryption Guide starting on page 166

  • Verify UNIX master server settings.
  • Verify which computers are permitted to perform authorization lookups.
  • Verify that the database is configured correctly.
  • Verify that the nbatd and nbazd processes are running.
  • Verify that the host properties are configured correctly.

UNIX Media

See the Symantec NetBackup™ Security and Encryption Guide starting on page 169

  • Verify the media server settings.
  • Verify that the server has access to the authorization database.
  • Understand the "unable to load library" message.

UNIX client

See the Symantec NetBackup™ Security and Encryption Guide starting on page 171

  • Verify the credential for the UNIX client.
  • Verify that the authentication client libraries are installed.
  • Verify correct authentication domains.

Windows Master

See the Symantec NetBackup™ Security and Encryption Guide starting on page 187

  • Verify Windows master server settings.
  • Verify which computers are permitted to perform authorization lookups.
  • Verify that the database is configured correctly.
  • Verify that the nbatd and nbazd processes are running.
  • Verify that the host properties are configured correctly.

Windows Media

See the Symantec NetBackup™ Security and Encryption Guide starting on page 190

  • Verify the media server settings.
  • Verify that the server has access to the authorization database.
  • Understand the "unable to load library" message.

Windows Client

See the Symantec NetBackup™ Security and Encryption Guide starting on page 192

  • Verify the credential for the client.
  • Verify that the authentication client libraries are installed.
  • Verify correct authentication domains.

DR Recovery

  • NBAC is included in the NetBackup hot catalog backups, and is restored when the catalog is recovered.
  • After a recovery on Windows:
    • Add the AUTHENTICATION_DOMAIN, AUTHORIZATION_SERVICE and USE_VXSS entries in the registry.
    • Change the service type of the NetBackup Authentication and Authorization services to AUTOMATIC.
    • Restart the NetBackup services.
  • If NBAC is running in REQUIRED mode and a catalog recovery was performed, NBAC needs to be reset from PROHIBITED mode back to REQUIRED mode.
  • The atutil command can be used to export and import the root broker configuration. This is especially helpful in replicating the configuration from one master server (or root broker) to another. It can also help to save off or quickly implement a specialized configuration, such as during a DR exercise in an isolated environment.
  1. For example:
    atutil export -r -f <outputfile> -p <password>
    atutil import -z /usr/openv/var/global/vxss/eab/data/ -f <outputfile> -p <password>
  2. Follow this up by configuring the NetBackup authentication service in R+AB mode:
    /usr/openv/netbackup/sec/at/bin/vssregctl -s -f /usr/openv/var/global/vxss/eab/data/root/.VRTSat/profile/VRTSatlocal.conf -b "Security\Authentication\Authentication Broker" -k Mode -t int -v 3
  3. Then set USE_VXSS=AUTOMATIC and start the nbatd service. Next change USE_VXSS=PROHIBITED.
    NOTE: These changes must be made by editing the bp.conf file or the USE_VXSS registry key directly.
  4. Export the shared AB domain and import it into NetBackup 7.6 by running these commands:
    /usr/openv/netbackup/sec/at/bin/atutil export -t ab -f <AB output xml file> -p <password>
    /usr/openv/netbackup/sec/at/bin/atutil import -z /usr/openv/var/global/vxss/eab/data/ -f <AB output xml file> -p <password>
  5. Start the NetBackup 7.6 authorization service by running nbazd -f.
  6. Log in to the AZ service by running vssaz login --domain localhost.
  7. Find the NetBackup APS name by running vssaz listaps.
  8. Export the NetBackup resource collection from the shared AZ by running vssaz rcexport --toplevelrcname <NBU APS name>.
  9. Log out of the shared AZ: vssaz logout
  10. Log in to the NetBackup 7.6 AZ: vssaz login --domain localhost
  11. Import the NetBackup resource collection from the shared AZ into NetBackup 7.6:
    /usr/openv/netbackup/sec/az/bin/vssaz rcimport --location /var/VRTSaz/objdb/export/<OID>/rc_<OID>.xml
  12. Restart the NetBackup services with USE_VXSS = PROHIBITED.
  13. Run the bpnbaz -setupmaster command.
  14. Restart the NetBackup services.


