Managing access to NetBackup

dead_wing
Level 3
Hi all,
I'd like to limit access for users who use the NetBackup Administration Console (version 6 + MP4).
All I want them to see is the Activity Monitor. I have installed the Java thing which allows this delegation, but I still don't want them to use the Administration Console, because it has access to everything.
I checked the Authorization option, which can be found at Host Properties -> Server -> Authorization.
Should it prevent users who are not in the list from accessing the console? Because it still doesn't work.
Are there any other ways to perform such an act? Or perhaps is there another way that allows only the Activity Monitor to be seen by specific users?

Thanks.

Joe_Despres
Level 6
Partner
You could:

I would adjust /usr/openv/java/auth.conf accordingly....

But I don't think that will work..

You also could install VxSS and limit access this way....

But alas I haven't installed VxSS .... 

Joe Despres

Message Edited by Joe Despres on 05-02-2007 10:32 AM

Alex_Vasquez
Level 6

The process for configuring Veritas Security Services is as follows:

Make sure you can ping the NetBIOS version of your domain (i.e. mybox).

1.) Install Authentication service and Root Broker version 4.1.2.5 on the master server using the Custom install method.

2.) Install the Authorization service 4.1.2.5 on the same server using the Custom install option.

3.) Patch Authentication service to 4.1.2.7 (if installing to a different path, before rebooting run regedit, go to HKEY_LOCAL_MACHINE -> Software -> Veritas -> Security -> Authentication -> installdir and correct the path, then go to Windows services and set it from Manual to Automatic).

4.) Reboot

5.) Install Authorization service patch 4.1.2.7 on the server (should not require a reboot).

Verify both services are started.

6.) Go to the command line on the server and change directories to the NetBackup\bin directory (default is Program files\Veritas\NetBackup\Bin).

7.) Run "bpnbat -addmachine" two times, once for the FQDN of the Master Server and once for the NetBIOS version of the name.

8.) Input the information requested (the authentication broker should ALWAYS be the FQDN of the Master server, and the port number should be left as default).

9.) Run "bpnbat -loginmachine" two times, once for the FQDN of the Master Server and once for the NetBIOS version of the name.

10.) Input the information requested (the authentication broker should ALWAYS be the FQDN of the Master server, and the port number should be left as default).

Change directories to the Admincmd directory.

11.) Run "bpnbaz -setupsecurity %FQDN_of_Master%" (i.e. "bpnbaz -setupsecurity bob.mybox.local").

During this process you will be creating the NBU_Security_Admin, the person who is allowed to add users to other groups within Access Control. You will need to type in the Authentication broker name (again, the FQDN of the Master), the port (left as default), and the Authentication Domain (if Active Directory, it will be either NT or Windows, depending on the version of Veritas Security Services). Domain will be the NetBIOS version of the domain (i.e. "mybox", not "mybox.com"). The login name (and the password to follow) will be the credentials for the user account that will be the security admin, so make sure you have access to it. When the information has been typed in and the password entered, it will proceed to validate your account against your specified authentication type (i.e. Active Directory). If successful, it will state "Operation Completed successfully". Anything else is considered a failure and will need to be reattempted.

12.) Next type in "bpnbaz -allowauthorization %FQDN_of_Master%" (i.e. "bpnbaz -allowauthorization bob.mybox.local"). This again should return "Operation Completed successfully".

13.) Now change directories up one level to the bin directory, type in "bpnbat -login" and hit Enter.

Veritas Security Services will now ask for your credentials to validate you as an admin to log in to NetBackup/Veritas Security Services (see the "bpnbaz -setupsecurity" section above).

14.) Change directories to admincmd and type "bpnbaz -listgroups". Five groups should be returned. If not, the process was unsuccessful and you will need to rerun the "bpnbaz -setupsecurity" process.

The final stage in the process is to configure NetBackup to use Veritas Security Services.

15.) Open the NetBackup Admin Console, expand the "Host Properties" section, then "Master Server". Bring up the properties of the Master Server and click "Access Control". Set VxSS to "Automatic". Click Add, then select "Domain" from the radio buttons, type in the NetBIOS version of the domain, and click Add/OK/Close. Change from "Required" to "Automatic" (important: do not miss this step or you could potentially cause backups to fail).

16.) Click on the Authentication Service tab. Click Add, and type in the domain, the authentication mechanism (for Active Directory, it would be NT or Windows), and then the broker, which will be the FQDN of the master server. Click Add, then Close.

17.) Click on the Authorization Service tab and type in the FQDN of the Master Server.

Click Apply and OK. Close the NetBackup Admin Console and then reopen it. When it opens, click Help and "Current NBAC User". If you can click it and it shows your credentials, you have completed the configuration of Veritas Security Services. You can now proceed to add your users and groups in the Access Management -> NBU User Groups section.

dead_wing
Level 3
Thank you both!
I found that file, but I don't get the kinds of permissions there are.
Is there any format somewhere for these permissions, so I can understand what can be done?
Anyway, it applies only to Java.
I'll try out the big explanation later and let you know ;)

DavidParker
Level 6
NetBackup 6.0 System Administrator's Guide Volume 1
Pages 506-509

It won't let me copy the details, but here they are:
ALL = Administration of all applications
AM = Activity Monitor
BMR = Bare Metal Restore
BPM = Backup Policy Management
BAR or JBP = Backup, Archive and Restore
CAT = Catalog
DM = Device Manager
HPD = Host Properties
MM = Media Management
REP = Reports
SUM = Storage Unit Management
VLT = Vault Management

Authorization File Characteristics
The released version of the UNIX /usr/openv/java/auth.conf file is installed on all NetBackup-Java capable hosts and contains only the following entries:
root ADMIN=ALL JBP=ALL
* ADMIN=JBP JBP=ENDUSER+BU+ARC
◆ The first field of each entry is the user name that is granted access to the rights specified by that entry. In the released version, the first field allows root users to use all of the NetBackup-Java applications.
An asterisk in the first field indicates that any user name is accepted and the user is allowed to use the applications as specified. If the auth.conf file exists, it must have an entry for each user or an entry containing an asterisk (*) in the username field; users without entries cannot access any NetBackup-Java applications. Any entries that designate specific user names must precede a line that contains an asterisk in the username field.
Note: The asterisk specification cannot be used to authorize all users for any administrator capabilities. Each user must be authorized via individual entries in the auth.conf file.
If you wish to deny all capabilities to a specific user, add a line indicating the user before a line starting with an asterisk. For example:
mydomain\ray ADMIN= JBP=
* ADMIN=JBP JBP=ENDUSER+BU+ARC
506 NetBackup System Administrator’s Guide for Windows, Volume I
Configuring the NetBackup-Java Administration Console
◆ The remaining fields specify the access rights.

The ADMIN keyword specifies the applications that the user can access. ADMIN=ALL allows access to all NetBackup-Java applications and their related administrator capabilities. To allow the use of only specific applications, see "Authorizing Nonroot Users for Specific Applications" below.

The JBP keyword specifies what the user can do with the Backup, Archive, and Restore client application (jbpSA). JBP=ALL allows access to all Backup, Archive, and Restore capabilities, including those for administration. To allow only a subset of those capabilities, see "Capabilities Authorization for jbpSA" below.

An asterisk in the first field indicates that any user name is accepted and the user is allowed to use the applications as specified. The second line of the released version has an asterisk in the first field, which means that NetBackup-Java validates any user name for access to the Backup, Archive, and Restore client application (jbpSA). JBP=ENDUSER+BU+ARC allows end users to only back up, archive and restore files.
When starting the NetBackup-Java administrator applications or the Backup, Archive, and Restore application (jbpSA), you must provide a user name and password that is valid on the machine that you specify in the NetBackup host field of the log in dialog. The NetBackup-Java application server authenticates the user name and password by using the system password file data for the specified machine, so the password must be the same as used when logging in to that machine.
For example, assume you log in with:
username = joe
password = access
Here you must use the same user name and password when logging in to NetBackup-Java.
Note: The NetBackup-Java log in box accepts passwords greater than eight characters. However, only the first eight are significant when logging in to a NetBackup-Java application server running on a UNIX system.
It is possible to log in to the NetBackup-Java application server under a different user name than the one used for logging in to the operating system. For example, if you log in to the operating system with a user name of joe, you could subsequently log in to jnbSA as root. When you exit, in this instance, some application state information (for example, table column order) is automatically saved in joe’s $HOME/.java/.userPrefs/vrts directory and is restored the next time you log in to the operating system under account joe and initiate the NetBackup-Java application. This method of logging in is useful if there is more than one administrator because it saves the state information for each of them.
Note: NetBackup-Java creates a user’s $HOME/.java/.userPrefs/vrts directory the first time an application is exited. Only NetBackup-Java applications use the .java/.userPrefs/vrts directory.
If the user name is not valid according to the contents of the auth.conf file, the user sees the following error message in a popup message dialog and all applications are inaccessible.
No authorization entry exists in the auth.conf file for username
name_specified_in_login_dialog. None of the NB-Java applications are
available to you.
To summarize, you have two basic choices for types of entries in the auth.conf file:
◆ Use the released defaults to allow anyone with any valid user name to use the Backup, Archive, and Restore client application (jbpSA) and only root users to use the administrator applications and the administrator capabilities in jbpSA.
◆ Specify entries for valid user names.
Note: The validated user name is the account the user can back up, archive or restore files from or to. The Backup, Archive, and Restore application (jbpSA) relies on system file permissions when browsing directories and files to back up or restore.
Configuring Nonroot Usage
Authorizing Nonroot Users for Specific Applications
It is possible to authorize nonroot users for a subset of the NetBackup-Java administrator applications.
To authorize users for a subset of the NetBackup-Java administrator applications, use the following identifiers for the ADMIN keyword in the auth.conf file:
auth.conf ADMIN Identifiers for Administrator Applications
ALL = Administration of all applications listed below
AM = Activity Monitor
BMR = Bare Metal Restore
BPM = Backup Policy Management
BAR or JBP = Backup, Archive, and Restore
CAT = Catalog
DM = Device Monitor
HPD = Host Properties
MM = Media Management
REP = Reports
SUM = Storage Unit Management
VLT = Vault Management
For example, to give a user named joe access only to the Device Monitor and Activity Monitor, add the following entry to the auth.conf file:
joe ADMIN=DM+AM
If it is necessary for a nonroot administrator to modify files used by the NetBackup-Java Administration Console, the script /usr/openv/java/nonroot_admin_nbjava can be executed to change the permissions on the following files:
/usr/openv/java/auth.conf
/usr/openv/java/Debug.properties
/usr/openv/java/nbj.conf
Capabilities Authorization for jbpSA
Capabilities authorization in the Backup, Archive, and Restore interface enables certain parts of the user interface to allow one to perform certain tasks. Not all tasks can be performed successfully without some additional configuration. The following require additional configuration and are documented elsewhere:
◆ Redirected restores.
◆ User backups or archives require a policy schedule of these types and the task to be submitted within the time window of the schedule.
To authorize users for a subset of Backup, Archive, and Restore capabilities, use the following identifiers for the JBP keyword in the auth.conf file:

ENDUSER - Allows user to perform restore tasks from true image, archive or regular backups plus redirected restores

BU - Allows user to perform backup tasks

ARC - Allows user to perform archive tasks (BU capability required for this)

RAWPART - Allows user to perform raw partition restores

ALL - Allows user to perform all of the above actions, including restoring to a different client from the one you are logging into (that is, server-directed restores). Server-directed restores can only be performed from a NetBackup master server.
The following example entry allows a user named bill to restore but not back up or archive files:
bill ADMIN=JBP JBP=ENDUSER

Message Edited by David Parker on 05-02-2007 05:35 PM
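The rules quoted from the guide above are easy to get wrong by hand (a specific user placed after the "*" line is never consulted, "*" cannot hand out administrator applications, ARC needs BU). As an added example, not code from the guide or from NetBackup itself, the Python below parses auth.conf text in the format shown and answers "which applications can this user open?" for the original poster's case of an Activity-Monitor-only account, while linting for those ineffective entries. The sample auth.conf content is constructed; the parsing of each line as `<user> ADMIN=<ids> JBP=<ids>` and the treatment of a "*" line's ADMIN value as limited to JBP/BAR are this example's reading of the quoted text.

```python
"""Evaluate NetBackup-Java auth.conf entries (added example, not from the guide)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Identifiers the guide lists for the ADMIN keyword; ALL expands to all of them.
ADMIN_APPS = frozenset({"AM", "BMR", "BPM", "BAR", "JBP", "CAT", "DM", "HPD",
                        "MM", "REP", "SUM", "VLT"})
# Identifiers the guide lists for the JBP keyword.
JBP_CAPS = frozenset({"ENDUSER", "BU", "ARC", "RAWPART"})
# The '*' line cannot authorize administrator capabilities; it may only open
# jbpSA (assumption: the guide's rule is modelled by dropping anything else).
WILDCARD_ADMIN = frozenset({"JBP", "BAR"})


@dataclass(frozen=True)
class Entry:
    lineno: int
    user: str
    admin: FrozenSet[str]
    jbp: FrozenSet[str]


def _expand(value: str, universe: FrozenSet[str]) -> FrozenSet[str]:
    """'A+B' -> {A, B}; 'ALL' -> the whole universe; '' (e.g. 'ADMIN=') -> nothing."""
    ids = set()
    for tok in value.split("+"):
        tok = tok.strip().upper()
        if tok == "ALL":
            ids |= universe
        elif tok:
            ids.add(tok)
    return frozenset(ids)


def parse_auth_conf(text: str) -> List[Entry]:
    """One entry per non-blank line: <user> ADMIN=<apps> JBP=<caps>."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split()
        if not fields:
            continue
        user, admin, jbp = fields[0], frozenset(), frozenset()
        for field in fields[1:]:
            key, _, value = field.partition("=")
            if key.upper() == "ADMIN":
                admin = _expand(value, ADMIN_APPS)
            elif key.upper() == "JBP":
                jbp = _expand(value, JBP_CAPS)
        entries.append(Entry(lineno, user, admin, jbp))
    return entries


def lint(entries: List[Entry]) -> List[str]:
    """Report entries the guide's ordering, '*' and ARC/BU rules make ineffective."""
    problems = []
    wildcard_line: Optional[int] = None
    for e in entries:
        if e.user == "*":
            wildcard_line = wildcard_line or e.lineno
            extra = e.admin - WILDCARD_ADMIN
            if extra:
                problems.append(f"line {e.lineno}: '*' cannot grant administrator "
                                f"applications {sorted(extra)}")
        elif wildcard_line is not None:
            problems.append(f"line {e.lineno}: entry for {e.user!r} follows the '*' "
                            f"line ({wildcard_line}) and is never reached")
        if "ARC" in e.jbp and "BU" not in e.jbp:
            problems.append(f"line {e.lineno}: ARC requires BU; archive will not "
                            f"work for {e.user!r}")
    return problems


def resolve(entries: List[Entry], user: str) -> Optional[Dict[str, FrozenSet[str]]]:
    """First matching entry wins; None means the 'No authorization entry exists' error."""
    for e in entries:
        if e.user == user or e.user == "*":
            admin = e.admin if e.user != "*" else e.admin & WILDCARD_ADMIN
            jbp = e.jbp if "BU" in e.jbp else e.jbp - {"ARC"}
            return {"admin": admin, "jbp": jbp}
    return None


def can_open(entries: List[Entry], user: str, app: str) -> bool:
    """True if the user may open the given administrator application (e.g. 'AM')."""
    access = resolve(entries, user)
    return access is not None and app.upper() in access["admin"]


# Constructed sample: root keeps everything, 'monitor' gets only the Activity
# Monitor (the poster's use case), 'mydomain\ray' is denied everything, and
# everyone else gets the released jbpSA defaults.
SAMPLE_AUTH_CONF = r"""
root ADMIN=ALL JBP=ALL
monitor ADMIN=AM JBP=
mydomain\ray ADMIN= JBP=
* ADMIN=JBP JBP=ENDUSER+BU+ARC
"""

if __name__ == "__main__":
    entries = parse_auth_conf(SAMPLE_AUTH_CONF)
    for who in ("root", "monitor", r"mydomain\ray", "joe"):
        print(who, resolve(entries, who))
    print(lint(parse_auth_conf("* ADMIN=ALL JBP=ALL\nlate ADMIN=AM JBP=ARC\n")))
```

Run `lint()` over a proposed auth.conf before copying it into /usr/openv/java/ on the host users log in to; `resolve()` then shows exactly which console applications each account lands in, which is the check the original poster was missing when the Authorization host property alone did not restrict the console.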