A step by step example of installing the VERITAS Security Services (VxSS) and configuring VERITAS NetBackup (tm) Access Control (NBAC) on a UNIX Master/Media Server.

I. Introduction

This document is intended as a detailed example of the steps necessary to set up the NetBackup Access Control (NBAC) feature in an extremely simple NetBackup environment. The NBAC feature allows non-root users to have NetBackup administrative capabilities, using either the NetBackup administrative graphical user interface (GUI) or the command line utilities. For a detailed description of this feature, refer to Chapter 1 of the Veritas NetBackup (tm) 5.1 System Administrator's Guide, Volume II or the Veritas NetBackup (tm) 6.0 System Administrator's Guide, Volume II (found below, in the Related Documents section).

The example environment referred to throughout this document is a single Solaris 9 server named rosv240-06.xxx.example.com. This server has already been configured as a NetBackup master/media server running NetBackup 5.1 Maintenance Pack 3 (MP3). (These same instructions should also apply to any NetBackup version starting with 5.0 MP1; however, the screen shots may vary between releases.)

This document will first explain how to install the VERITAS Security Services (VxSS) components that are required for using NBAC. It will then explain how to enable and configure NBAC. Two non-root users will be given NetBackup administrative access. The user named vxssuser is defined in the Solaris /etc/passwd file and will be the initial user set up in this example. The NBAC configuration will then be updated to include the user named rworman, who is defined in the Network Information Name Services ("NIS") databases.

II. Installation

II.A. Installation Prerequisites

There are three important prerequisites for guaranteeing proper NBAC functionality:

1. The Domain Name Services (DNS) system must be configured for both forward and reverse lookups of the master server's hostname. This is a general NetBackup requirement and is true for all NetBackup releases. (See Figure 1.)

2. NetBackup must be configured to use the fully qualified domain name (FQDN) of the master server, as set by the first SERVER entry in the bp.conf configuration file. (See Figure 1.) Note: This requirement has been removed as of the NetBackup 5.1 MP5 and NetBackup 6.0 MP2 releases, allowing the use of the short hostname.

Page 1 of 48

3. The non-root user must have a valid home directory that is writeable by that non-root user. (See Figure 2.)

Figure 1: Verifying DNS functionality and verifying that NetBackup is using the FQDN for the master server.

Figure 2: Verifying that the non-root user vxssuser has a writeable home directory.
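The three prerequisite checks above can be scripted so they are repeatable before every NBAC rollout. The script below is an added example and is not part of the original TechNote; it assumes getent and awk are available (as on Solaris 9), that the bp.conf path and the non-root user name are passed as arguments, and that the home-directory check is run while logged in as that non-root user, as in Figure 2. The function names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the TechNote: checks the three NBAC prerequisites
# of section II.A. Function names are made up; the bp.conf path and the
# non-root user are passed in: sh nbac_prereq.sh /path/to/bp.conf vxssuser

# Prerequisite 1: forward and reverse lookups must agree for the master's FQDN.
# getent follows /etc/nsswitch.conf, so make sure the "hosts:" line lists dns.
dns_roundtrip_ok() {
    addr=$(getent hosts "$1" | awk 'NR == 1 { print $1 }')
    [ -n "$addr" ] || return 1
    back=$(getent hosts "$addr" | awk 'NR == 1 { print $2 }')
    [ "$back" = "$1" ]
}

# Prerequisite 2: the first SERVER entry in bp.conf must be the master's FQDN
# (required before NetBackup 5.1 MP5 / 6.0 MP2, as noted above).
first_server_entry() {
    # prints the value of the first "SERVER = host" line, trimmed of whitespace
    awk -F'=' '$1 ~ /^[ \t]*SERVER[ \t]*$/ {
                   sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2); print $2; exit }' "$1"
}

bpconf_uses_fqdn() {
    # $1 = bp.conf path, $2 = expected FQDN; a short name (no dot) fails the check
    first=$(first_server_entry "$1")
    [ -n "$first" ] && [ "$first" = "$2" ] || return 1
    case "$first" in *.*) return 0 ;; *) return 1 ;; esac
}

# Prerequisite 3: the home directory must exist and be writable by the user
# running this check, so run the script logged in as the non-root user (Figure 2).
home_dir_ok() {
    [ -d "$1" ] && [ -w "$1" ]
}

main() {
    bpconf=$1; user=$2
    master=$(hostname)    # Figure 1 expects hostname to already return the FQDN
    home=$(getent passwd "$user" | cut -d: -f6)
    rc=0
    if dns_roundtrip_ok "$master"; then echo "OK   DNS forward/reverse lookups for $master agree"
    else echo "FAIL DNS lookups for $master"; rc=1; fi
    if bpconf_uses_fqdn "$bpconf" "$master"; then echo "OK   first SERVER entry in $bpconf is $master"
    else echo "FAIL first SERVER entry in $bpconf is '$(first_server_entry "$bpconf")', expected $master"; rc=1; fi
    if home_dir_ok "$home"; then echo "OK   home directory $home of $user is writable"
    else echo "FAIL home directory '$home' of $user is missing or not writable"; rc=1; fi
    return $rc
}

[ "$#" -eq 2 ] && main "$@"
```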

II.B. Installing the VxSS Authentication (AT) Server

Insert the NetBackup 5.1 VxSS CD-ROM, use the cd command to change to the appropriate platform directory on this CD-ROM, and then run the installvss script. (See Figure 3 for example commands.)

Figure 3: Launching the installvss script from the VxSS CD-ROM.

The following series of screenshots walks through the sequence of screens that the AT installer will present. All user input is highlighted in red.

Figure 4: Specify "Install" Operation.

Figure 5: Specify AT Service.

Figure 6: Specify AT install host.

Figure 7: Summary of initial system check results (no user input necessary, just press Return).

Figure 8: Summary of OS packages that are about to be installed (no input necessary, just press Return).

Figure 9: Summary of OS package requirement checks (no input necessary, just press Return).

Figure 10: Confirm installation of the Authentication Broker Server.

Figure 11: Summary of AT installation result (no input necessary, just press Return).

Figure 12: Confirm configuration of AT.

Figure 13: Explanation of user navigation (no input necessary, just press Return).

Figure 14: Specify AT mode of "Authentication + Root Broker".

Figure 15: Deny cluster configuration.

Figure 16: Summary of AT configuration results (no input necessary, just press Return).

Figure 17: Final summary of AT installation (note location of log files, if any problems were encountered).

II.C. Installing the VxSS Authorization (AZ) Server

If the VxSS CD-ROM is not already mounted from the previous step, insert the NetBackup 5.1 VxSS CD-ROM, use the cd command to change to the appropriate platform directory on this CD-ROM, and then run the installvss script, as shown in Figure 3.

The following series of screenshots walks through the sequence of screens that the AZ installer will present. All user input is highlighted in red.

Figure 18: Specify "Install" Operation.

Figure 19: Specify AZ Service.

Figure 20: Specify AZ install host.

Figure 21: Summary of initial system check results (no user input necessary, just press Return).

Figure 22: Summary of OS packages that are about to be installed (no input necessary, just press Return).

Figure 23: Summary of OS package requirement checks (no input necessary, just press Return).

Figure 24: Confirm installation of the Authorization Service.

Figure 25: Summary of AZ installation result (no input necessary, just press Return).

Figure 26: Confirm configuration of AZ.

Figure 27: Explanation of user navigation (no input necessary, just press Return).

Figure 28: Deny cluster configuration.

Figure 29: Summary of AZ configuration results (no input necessary, just press Return).

Figure 30: Final summary of AZ installation (note location of log files, if any problems were encountered).

II.D. Verifying basic VxSS functionality

At this point, you should be able to start the VxSS daemons, and the vssat command can be used to verify the AT domain name. See Figures 31 and 32 below for examples of how to verify these items.

Figure 31: Start the AT and AZ daemons, and verify that they are running.

Figure 32: Run the vssat command to verify the AT domain name is "root@FQDN", and run the vrtsaz command to verify that the AZ server is in a "ready" state.

III. NBAC Configuration

As mentioned in step II.D above, it is important that the VxSS daemons are running (as shown in Figure 31) prior to proceeding to the next steps. The following steps will seed the VxSS database with the data necessary for using NBAC.

III.A. Bootstrap VxSS/NBAC configuration

The following sequence of commands only needs to be run once, on a system that has no NBAC configuration in place. Running these commands on an existing NBAC configuration could result in a loss of any NBAC customizations (e.g. custom groups or modifications of the default group permissions). The following series of screenshots walks through the exact sequence of commands that should be run, followed by the expected output from each of those commands. All user input is highlighted in red.

Figure 33: Run bpnbat -addmachine to create a machine account for this host. NOTE: the password used with this command does not need to match any existing password elsewhere in the Solaris/NetBackup/VxSS configuration! (For this example, the password specified was "machinepass".)

Figure 34: Run bpnbat -loginmachine to login to the machine account that was just created. Note: The password used with this command should be the same password that was supplied to bpnbat -addmachine in Figure 33. (For this example, the password entered was "machinepass".)

Figure 35: Run bpnbaz -setupsecurity to create the NBAC default groups and permissions, and to add the first member of the NBAC Security Administrator group. Note: The username and password used with this command should be the UNIX username and password for the desired non-root user. (For this example, the password entered was "vxssuser123".)

Figure 36: Run bpnbaz -allowauthorization to add the master server as a host allowed to perform authorization checks.

Figure 37: Use the bpnbat -login command to authenticate this user for command line access. Note: The username and password used with this command should be the UNIX login and password for this user. (For this example, the password entered was "vxssuser123".) Next, run the bpnbaz -listgroups command as a simple verification of the initial NBAC configuration.

III.B. NetBackup GUI configuration (done as root)

The following steps are the last NetBackup GUI actions that must be done while logged in as the root user. The following series of screenshots walks through the exact sequence of GUI operations necessary to complete the NBAC configuration. All user input is highlighted in red.

Figure 38: Launch jnbSA as the root user.

Figure 39: Log into jnbSA as the root user.

Figure 40: Select Host Properties --> Master Server, right-click and select Properties.

Figure 41: Select Access Control.

Figure 42: Select Automatic, select the VxSS tab, and click the Add button.

Figure 43: Select Host Name, specify the FQDN of the Master, and click the Add button.

Figure 44: Click the Close button.

Figure 45: Select the Authentication Domains tab.

Figure 46: Click the Add button.

Figure 47: Specify the Domain (FQDN of the Master), choose PASSWD for the Authentication Mechanism, specify the Broker (FQDN again), click the Add button.

Figure 48: Click the Close button.

Figure 49: Select the Authorization Service tab.

Figure 50: Specify the Host (FQDN of the Master) and click the OK button.

Figure 51: A notification to restart daemons will appear. Dismiss the notification by clicking the OK button.

Figure 52: Exit the jnbSA application.

Figure 53: Note that four new entries have been added to the end of the bp.conf file.

Figure 54: Stop and start the NetBackup daemons.

III.C. Verifying non-root capabilities (done as vxssuser)

At this point in our example, the non-root vxssuser account is the only user with NetBackup administrative capabilities, via either the GUI or the command line. Given that the UNIX root user has historically been an all-powerful NetBackup administrator, some NetBackup administrators may want to allow root to be another NetBackup administrator under NBAC. This is easily done, and is described in section III.D.1 of this document ("Adding the root user (defined in the /etc/passwd file) as a NetBackup Administrator"). The following series of screenshots walks through the exact sequence of steps to demonstrate the vxssuser administrative capabilities. All user input is highlighted in red.

III.C.1. Verifying non-root GUI (jnbSA) access

Figure 55: Start a new terminal session on the master server, logging in as vxssuser, and launch the jnbSA GUI.

Figure 56: Log in to jnbSA as vxssuser.

Figure 57: Observe that the full administrative GUI is presented (as opposed to only the Backup, Archive and Restore GUI that would normally be presented to a non-root user).

Figure 58: Select Help --> Current NBAC User to see the details of the vxssuser GUI credentials.

Figure 59: vxssuser GUI credentials. (Note that credential expiry is 24 hours from the time that vxssuser logged into jnbSA; see TechNote 274786 for how to extend this expiry date.)

III.C.2. Verifying non-root command line access

Figure 60: While logged in as vxssuser, NetBackup command line utilities like bpstulist cannot be run due to a lack of proper credentials. (But, if the bpnbat -login command, from Figure 37, was run within the past 24 hours, the command in this example will work.)

Figure 61: Run the bpnbat -login command to authenticate this user for command line access. Note: The username and password used with this command should be the UNIX login and password for this user. (For this example, the password entered was "vxssuser123".)

Figure 62: Observe that the NetBackup bpstulist command can now be run.

Figure 63: Run the bpnbat -whoami command to see command line credential details. (Note that credential expiry is 24 hours from the time that vxssuser ran the bpnbat -login command; see TechNote 274786 for how to extend this expiry date.)

III.D. Adding additional NetBackup Administrators

The final step of this example is to demonstrate the addition of two more users to this NBAC configuration:

1. The root user, as defined in the local /etc/passwd file.

2. Another non-root user, rworman, who is defined in the Network Information Name Service (NIS) databases instead of the /etc/passwd file. Adding this NIS user to the NBAC configuration will first require the creation of a second Authentication Domain.

III.D.1. Adding the root user to the NBAC NetBackup Administrators Group

When using NBAC, it is not necessary for the UNIX root user to have any NetBackup administration capabilities. However, the root user has historically been the de facto NetBackup administrator, so some NetBackup administrators may prefer to provide root with NBAC administrative access. The following series of screenshots walks through the exact sequence of GUI operations necessary to add root to the NBAC configuration. All user input is highlighted in red.

Figure 64: Log in to a jnbSA session as a username that is a member of the NBAC Security Administrator group. In our example, this can only be the vxssuser username.

Figure 65: Select the Access Management --> User Groups node and right-click on the NBU_Admin User Group and select Change.

Figure 66: Select the Users tab and click the New User button.

Figure 67: Specify the new user name to be added, specify the domain (FQDN of the master server), choose UNIX PWD for the Domain Type, choose Individual User for the User Type, and click the OK button.

Figure 68: Observe that the user root has been added to the list of Assigned Users for this group. Click the OK button to complete the modification of this group.

Figure 69: Exit the jnbSA application.

The root user now has full NetBackup administrative access. Verifying this is left as an exercise for the reader, based on the steps provided in section III.C of this document.

III.D.2. Adding another Authentication Domain for NIS users

In order to add the rworman user to our example NBAC configuration, it is necessary to add a second Authentication Domain to the NBAC configuration. This second domain will allow NBAC to authenticate users who are defined in the NIS databases. The following series of screenshots walks through the exact sequence of GUI operations necessary to add a NIS Authentication Domain. All user input is highlighted in red.

Figure 70: Identify the NIS domain name using the Solaris domainname command (our example NIS domain is xxx.example.com).

Figure 71: Log in to a jnbSA session as a username that is a member of the NBAC Security Administrator group. In our example, this is vxssuser, but root would also work, because of the actions taken in section III.D.1.

Figure 72: Select Host Properties --> Master Server, right-click and select Properties.

Figure 73: Select Access Control node, select the Authentication Domains tab, and click the Add button.

Figure 74: Specify the Domain that you identified in Figure 70 (xxx.example.com), choose NIS for the Authentication Mechanism, specify the Broker (FQDN of the master server), and click the Add button.

Figure 75: Click the Close button.

Figure 76: Observe that the second Domain has been added to the list. Click the OK button to apply these changes.

Figure 77: Dismiss the Restart Daemons dialog by clicking the OK button. NOTE: In this instance, the request to restart the NetBackup daemons may be safely ignored.

III.D.3. Adding the rworman NIS user to the NBAC NetBackup Administrators Group

Much like the steps outlined in III.D.1 above, the following series of screenshots walks through the exact sequence of GUI operations necessary to add rworman to the NBAC configuration. All user input is highlighted in red. The screenshots below assume that a NetBackup Admin user is already logged into the jnbSA application.

Figure 78: Select the Access Management --> User Groups node and right-click on the NBU_Admin User Group and select Change.

Figure 79: Select the Users tab and click the New User button.

Figure 80: Specify the new username to be added, specify the NIS domain (from Figure 64), choose NIS for the Domain Type, choose Individual User for the User Type, and click the OK button.

Figure 81: Observe that the user rworman has been added to the list of Assigned Users for this group. Click the OK button to complete the modification of this group.

Figure 82: Exit the jnbSA application.

The NIS user rworman now has full NetBackup administrative access. Verifying this is left as an exercise for the reader, based on the steps already given in section III.C of this document.

IV. Conclusion

This document is provided as a detailed explanation of how to configure the simplest possible UNIX NBAC configuration. It demonstrates how to grant full NetBackup administrative capabilities to three users on a single NetBackup Master+Media server. Most real world configurations would require a more complex NBAC configuration than this, including one or more of the following:

1. Using NBAC on clients and media servers.

2. Using NBAC on a mixture of Windows and UNIX platforms.

3. Granting different levels of NetBackup administrative access to different users.

Detailed walk-throughs and screenshots describing the above tasks would be beyond the scope of this document. These tasks (and many other aspects of NBAC) are described in Chapter 1 of the Veritas NetBackup 5.1 System Administrator's Guide, Volume II or the Veritas NetBackup (tm) 6.0 System Administrator's Guide, Volume II.