07-08-2014 08:07 AM
I got a hit in the forum for this exact question, but the thread was locked sooo...
Trying to familiarize myself with MSEO, and configured an MSEO policy. However the documentation is unclear as to how to specify the MSEO policy within the NBU policy. Seems my backup is going to default MSEO policy (from the event log).
I'm running NBU 7.6.0.2 on Windows 2008, and MSEO 7.6. Master and media server are the same physical server.
Also, if you wish to share any tips/best practices, feel free. I've set up some keys, a keygroup and a policy using the following naming convention, but I'm not sure if it makes sense...
Keys: NBdomainname_date key was created
KG: NBdomainname_KG
Policy: NBdomainname_pol
I'm thinking that the MSEO policy and KG should be static, but the keys should be changed every so often (bi-yearly ???).
Thanks
07-08-2014 02:49 PM
Here is an example:
vod_mseo
  rules
    rule 1
      Effect=permit audit netbackup
      Action=write
      Compress=|netbackup.keyword.Compress|
      KeyGroup=vod_mseo_group
      KeyType=|netbackup.keyword.KeyType|
      match
        Name=netbackup.keyword.KeyType
        MatchOp=!empty
      match
        Name=netbackup.keyword.Compress
        MatchOp=!empty
    rule 2
      Effect=permit audit netbackup
      Action=write
      Compress=none
      KeyGroup=vod_mseo_key
      KeyType=none
    rule 3
      Effect=permit audit
      Action=read
Here the Keytype and the Compression must be defined in the NBU policy, like this:
In the NBU policy 'keyword phrase', you would add
<mseo>KeyType=aes128; Compress=none;</mseo>
The above policy can be set up like this:
#1 Add new keys (vod_mseo_key_1)
cgadmin add key vod_mseo_key_1 keysize:1024
#2 Add new keygroup (vod_mseo_group)
cgadmin add keygroup vod_mseo_group vod_mseo_key_1
#3 Add new policy (vod_mseo)
cgadmin add policy vod_mseo rule Effect "permit audit netbackup" Action write Compress "|netbackup.keyword.Compress|" KeyGroup vod_mseo_group KeyType "|netbackup.keyword.KeyType|" match Name "netbackup.keyword.KeyType" MatchOp "!empty" match Name "netbackup.keyword.Compress" MatchOp "!empty"
#4 Modify policy to add 'match' statements to allow keywords in NBU policy to work
cgadmin edit policy vod_mseo add 2 Effect "permit audit netbackup" Action write Compress none KeyType none KeyGroup vod_mseo_key
cgadmin edit policy vod_mseo add 3 Effect "permit audit" Action read
#5 Switch host to use new policy
cgadmin edit host <ip address> replace vod_mseo
#6 Export keys - Need to run manually as a password is required to protect them. Do not forget this password.
#(Copy keys from the mseo/server/export directory to multiple safe copies off the machine. You will have to export and then back up each key separately, because when you export, any previous keys in the export dir are overwritten.)
#cgadmin export keys vod_mseo_key_1
#cgadmin export keys default
NOTES:
#3 This is one long line, you will be unable to run it from the command line, so I suggest you copy all the lines into a script, and just run the script. Make sure there are no ‘windows special characters’ copied in.
#5 Please change IP address to equal the ip address of your host
#6 Have to run manually, as a passwd is required so these commands are #’d out. The keys are exported to the mseo/server/export dir. You have to do each separately, and back it up / move before doing the next.
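Added example, not part of the original post or of the MSEO product: a small Python model of the vod_mseo write rules above that reports which NBU policies would fall through to rule 2 (KeyType=none) because their keyword phrase lacks KeyType or Compress. First-match rule ordering, the keyword-phrase parsing, and the sample policy names are assumptions of this sketch.

```python
import re

# Write rules transcribed from the vod_mseo policy in the post above.
# "match" lists the keywords that must be non-empty (MatchOp=!empty).
WRITE_RULES = [
    {"rule": 1, "match": ["KeyType", "Compress"], "KeyGroup": "vod_mseo_group",
     "KeyType": "|netbackup.keyword.KeyType|",
     "Compress": "|netbackup.keyword.Compress|"},
    {"rule": 2, "match": [], "KeyGroup": "vod_mseo_key",
     "KeyType": "none", "Compress": "none"},
]
MSEO_TAG = re.compile(r"<mseo>(.*?)</mseo>", re.IGNORECASE | re.DOTALL)

def parse_keyword_phrase(phrase):
    """Return {name: value} from the <mseo>...</mseo> part of a keyword phrase."""
    found = MSEO_TAG.search(phrase or "")
    pairs = {}
    for item in (found.group(1).split(";") if found else []):
        name, sep, value = item.partition("=")
        if sep and name.strip():
            pairs[name.strip()] = value.strip()
    return pairs

def resolve_write(phrase):
    """Settings from the first write rule whose match conditions all hold.
    First-match ordering is an assumption of this sketch."""
    kw = parse_keyword_phrase(phrase)
    for rule in WRITE_RULES:
        if all(kw.get(name) for name in rule["match"]):
            def fill(v):  # |netbackup.keyword.X| takes the value of keyword X
                return kw[v.strip("|").rsplit(".", 1)[-1]] if v.startswith("|") else v
            return {"rule": rule["rule"], "KeyGroup": rule["KeyGroup"],
                    "KeyType": fill(rule["KeyType"]), "Compress": fill(rule["Compress"])}
    return None

def keytype_none_policies(policies):
    """Sorted names of NBU policies whose writes resolve to KeyType=none."""
    return sorted(name for name, phrase in policies.items()
                  if (resolve_write(phrase) or {"KeyType": "none"})["KeyType"].lower() == "none")

# Constructed NBU policy names and keyword phrases (not from the thread).
SAMPLE_POLICIES = {
    "fs_daily": "<mseo>KeyType=aes128; Compress=none;</mseo>",
    "db_weekly": "",                               # no keyword phrase at all
    "mail_daily": "<mseo>KeyType=aes128;</mseo>",  # Compress missing
    "test_pol": "<mseo>KeyType=none; Compress=none;</mseo>",
}

if __name__ == "__main__":
    for name, phrase in SAMPLE_POLICIES.items():
        print(name, resolve_write(phrase))
    print("KeyType=none:", keytype_none_policies(SAMPLE_POLICIES))
```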
07-08-2014 10:25 AM
07-09-2014 10:00 AM
MPH,
Thanks for the detailed reply. Looks like I was missing the cgadmin step to edit the host.
07-09-2014 02:28 PM