Forum Discussion

ChristopherW's avatar
3 years ago

NetBackup 10 – Authentication Enhancements with Smart Cards and RBAC

You and your organization have a growing need to ensure authentication methods are robust and resilient.  You need to prove you are who you say you are while meeting strict compliance guidelines.

Smart-Card authentication

For many organizations, Smart Cards provide an excellent method to adopt zero trust security models and, in some cases, comply with federal regulations {link}.  This can be a challenge when the Smart Card is not part of the same authentication mechanism as NetBackup.  This enhancement provides an option to support the smart card without using a directory service, such AD or LDAP.

NetBackup has adapted our smart card authentication in an environment to be more flexible without associating a directory service.  The user will be added simply using the Common Name (CN) or Universal Principal Name (UPN) of the certificate for user mapping instead of a complex directory service configuration for the Smart Card. 

After you toggle on the Smart card authentication, you’ll see the options to proceed without a domain, and which certificate mapping attribute to use.  (See picture 1 below) 


Multi-Factor Authentication for CLI users

Your Role-Based Access Control (RBAC) users are granted rights within the WebUI to perform their related workload tasks.   There are situations where those RBAC users may need to work on the command line outside of the NetBackup WebUI.  There is now a mechanism to allow those users to access the Command Line Interface (CLI).   Conversely, you can ensure that this new role is only delegated to those users with the need.


Below is the use-case:

  • User already has an RBAC role and has logged into the NetBackup WebUI previously
  • User needs CLI access for short periods (less than 24 hours)

In the WebUI, the user must be part of the new NetBackup Command Line (CLI) Administrator Role, in addition to their desired workload RBAC role.   This role will allow all commands to be executed by the user, so zero-trust procedures should be taken to grant this role only to users with permissible purpose.

From the CLI, a user initiates the login process with the following command, with special attention to the “loginType”:

# /usr/openv/netbackup/bin/bpnbat -login -loginType WebUI

{CLI screenshot of 2FA workflow, including WebUI popup}

Approvals for the CLI login will come to the user’s WebUI session as a 6 digit code.  Since the user already had to authenticate in the configured way, this is highly trusted.  This allows the bpnbat command to proceed.  This allows CLI privileges for the next 24 hours to your user.

Therefore, Smart cards are now easier to consume in NetBackup by removing previous directory service requirements, allowing ease-of-use balanced with security.   Multi-Factor Authentication for the CLI paired with the new RBAC role offers more control of your users.



No RepliesBe the first to reply