How to point a NBU policy to an MSEO policy?

LT2013
Level 4

I got a hit in the forum for this exact question, but the thread was locked sooo...

Trying to familiarize myself with MSEO, and configured an MSEO policy. However the documentation is unclear as to how to specify the MSEO policy within the NBU policy. Seems my backup is going to default MSEO policy (from the event log).

I'm running NBU 7.6.0.2 on Windows 2008, and MSEO 7.6. Master and media server are the same physical server.

Also, if you wish to share any tips/best practices, feel free. I've set up some keys, keygroup and policy using the following naming convention, but I'm not sure if it makes sense...

Keys: NBdomainname_date key was created

KG: NBdomainname_KG

Policy: NBdomainname_pol

I'm thinking that the MSEO policy and KG should be static, but the keys should be changed every so often (bi-yearly ???).

 

Thanks

Accepted Solutions

mph999
Level 6
Employee Accredited

Here is an example :

  vod_mseo

    rules
      rule 1
        Effect=permit audit netbackup
        Action=write
        Compress=|netbackup.keyword.Compress|
        KeyGroup=vod_mseo_group
        KeyType=|netbackup.keyword.KeyType|
        match
          Name=netbackup.keyword.KeyType
          MatchOp=!empty
        match
          Name=netbackup.keyword.Compress
          MatchOp=!empty
      rule 2
        Effect=permit audit netbackup
        Action=write
        Compress=none
        KeyGroup=vod_mseo_key
        KeyType=none
      rule 3
        Effect=permit audit
        Action=read

Here the Keytype and the Compression must be defined in the NBU policy, like this:

In the NBU policy 'keyword phrase', you would add 
<mseo>KeyType=aes128; Compress=none;</mseo>

The above policy can be set up like this:

#1 Add new keys (vod_mseo_key_1)
cgadmin add key vod_mseo_key_1 keysize:1024

#2 Add new keygroup (vod_mseo_group)
cgadmin add keygroup vod_mseo_group vod_mseo_key_1

#3 Add new policy (vod_mseo)
cgadmin add policy vod_mseo rule Effect "permit audit netbackup" Action write Compress "|netbackup.keyword.Compress|" KeyGroup vod_mseo_group KeyType "|netbackup.keyword.KeyType|" match Name "netbackup.keyword.KeyType" MatchOp "!empty" match Name "netbackup.keyword.Compress" MatchOp "!empty"

#4 Modify policy to add 'match' statements to allow keywords in NBU policy to work
cgadmin edit policy vod_mseo add 2 Effect "permit audit netbackup" Action write Compress none KeyType none KeyGroup vod_mseo_key
cgadmin edit policy vod_mseo add 3 Effect "permit audit" Action read

#5 Switch host to use new policy
cgadmin edit host <ip address> replace vod_mseo

#6 Export keys - Need to run manually as a password is required to protect them. Do not forget this password.
#Copy keys from mseo/server/export directory to multiple safe copies off the machine (you will have to export and then back up each key separately, as when you export, any previous keys in the export dir are overwritten)
#cgadmin export keys vod_mseo_key_1
#cgadmin export keys default

NOTES:

#3 This is one long line, you will be unable to run it from the command line, so I suggest you copy all the lines into a script, and just run the script. Make sure there are no ‘windows special characters’ copied in.
#5 Please change IP address to equal the ip address of your host
#6 Have to run manually, as a passwd is required so these commands are #’d out. The keys are exported to the mseo/server/export dir. You have to do each separately, and back it up / move before doing the next.
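
An added example, not part of the original post and not the vendor's code: a small Python model of how the NBU keyword phrase selects a write rule in the vod_mseo policy above, useful for spotting NBU policies that would fall through to rule 2 and be written with KeyType=none. It assumes rules are tried in order and the first rule whose match conditions hold is used, and that names are case-sensitive; the NBU policy names and phrases in SAMPLE are constructed.

```python
import re

# Write rules of the vod_mseo policy from the post, in order. "required" holds
# the netbackup.keyword.* names that the rule tests with MatchOp=!empty.
RULES = [
    {"rule": 1, "required": ("KeyType", "Compress"),
     "KeyGroup": "vod_mseo_group", "KeyType": "|KeyType|", "Compress": "|Compress|"},
    {"rule": 2, "required": (),
     "KeyGroup": "vod_mseo_key", "KeyType": "none", "Compress": "none"},
]
MSEO_TAG = re.compile(r"<mseo>(.*?)</mseo>", re.DOTALL)

def parse_keyword_phrase(phrase):
    """Return the Name=value pairs inside <mseo>...</mseo>, or {} if no tag."""
    found = MSEO_TAG.search(phrase or "")
    pairs = {}
    for item in (found.group(1).split(";") if found else []):
        name, sep, value = item.partition("=")
        if sep and name.strip():
            pairs[name.strip()] = value.strip()
    return pairs

def select_write_rule(phrase):
    """First rule whose !empty matches all hold (assumed evaluation order)."""
    kw = parse_keyword_phrase(phrase)
    for rule in RULES:
        if all(kw.get(name) for name in rule["required"]):
            out = {"rule": rule["rule"]}
            for field in ("KeyGroup", "KeyType", "Compress"):
                value = rule[field]
                # |name| placeholders are filled from the keyword phrase
                out[field] = kw[value.strip("|")] if value.startswith("|") else value
            return out
    return None

def audit(policies):
    """Names of NBU policies whose backups would be written with KeyType=none."""
    return sorted(n for n, p in policies.items()
                  if select_write_rule(p)["KeyType"] == "none")

# Constructed sample: NBU policy name -> keyword phrase
SAMPLE = {
    "fs_daily": "<mseo>KeyType=aes128; Compress=none;</mseo>",
    "db_weekly": "<mseo>KeyType=aes128;</mseo>",               # Compress missing
    "legacy": "monthly archive",                               # no <mseo> tag
    "typo": "<meso>KeyType=aes128; Compress=none;</meso>",     # misspelled tag
}

if __name__ == "__main__":
    for name in SAMPLE:
        print(name, select_write_rule(SAMPLE[name]))
    print("written without encryption:", audit(SAMPLE))
```

Under this model, a missing keyword or a misspelled tag does not fail the backup; it is written through rule 2, so the MSEO log is the place to confirm which rule actually applied.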

 


mph999
Level 6
Employee Accredited
It's up to you if you wish to change keys. Probably not a bad idea.

You don't really point NBU at MSEO, you create an MSEO policy and associate that with the server. In the policy you match whatever elements you want, for example, NBU volume pool = mseo, then if you use a volume pool called mseo, the backups should be encrypted. The MSEO manual is actually quite good, if you follow the examples it should work (check the MSEO log to see).

You can be more adventurous and set the MSEO policy to look for keywords within the NBU policy - the manual has a screenshot of this, something like <\mseo> ...

Be very aware of this:

MSEO is not compatible with Asynchronous Tapemarks, which were introduced in NetBackup 7.1. Symptoms include write and/or read errors on tapes encrypted with MSEO.

Creating the empty file '/usr/openv/netbackup/db/config/DISABLE_IMMEDIATE_WEOF' will resolve the issue.

Basically, if you are at NBU 7.1 or above, create the file.

To be honest, MSEO is great, but if your drive supports encryption (e.g. LTO 4+) then I'd advise using KMS.

LT2013
Level 4

MPH,

Thanks for the detailed reply. Looks like I was missing the cgadmin step to edit the host.

mph999
Level 6
Employee Accredited
You are welcome.