Netbackup and CA PAM access

Hello Forum Folks,


Currently we have NBU 7.6.0.3 installed on a Linux RedHat 2.6 Master and Media servers. The administrators and tech who complete restores access the Java GUI using their Unix accounts with the /usr/openv/java/auth.conf looking similar to:

# cat /usr/openv/java/auth.conf
root ADMIN=ALL JBP=ALL
* ADMIN=JBP JBP=ENDUSER+BU+ARC
useracct1 ADMIN=ALL JBP=ALL
useracct2 ADMIN=ALL JBP=ALL
..etc...
 
Now the server admins want to remove the Linux user accounts and implement PAM (CA Privileged Access Management) with an application service account.  The admin says "Applications should not be running under someone’s personal account.  If the app needs an account, it should have a service account created and configured"

 

Very broad questions I know, but I'm not familiar with PAM and wonder if anyone here has configured NetBackup to work with PAM type access.  

Q:  Any idea on how to configure Java auth.conf access ?

Q:  With only one service account, how would access be limited for the techs who only do restores, and still keep all access open to the NBU admins ?

Q:  Without separate accounts, how could we track admin changes ?

Q: Is there a better way than using one application service account ?

Q: Not sure how PAM references the root account, so not sure how to configure NBU for root access ?

Not sure what else to ask
Thanks for any info !

1 Reply

Re: Netbackup and CA PAM access

Q:  Any idea on how to configure Java auth.conf access ?

Sure - configure it like this:

root ADMIN=ALL JBP=ALL
nbuadmin ADMIN=ALL JBP=ALL
* ADMIN=JBP JBP=ENDUSER+BU+ARC

*** note that the * ADMIN=JBP JBP=ENDUSER+BU+ARC should always be the last line in the auth.conf

Q:  With only one service account, how would access be limited for the techs who only do restores, and still keep all access open to the NBU admins ?

If users wish to restore data that they have the authority to modify/view/execute, they should simply be able to log in using their account and be given access to the BAR gui (that's what the * ADMIN=JBP JBP=ENDUSER+BU+ARC is for - it's telling NBU that any other user can access the BAR gui to do backup, archive or restore.)

Q:  Without separate accounts, how could we track admin changes ?  

You don't.  It's a 'pick your poison' sort of thing.  You can either have a generic account everyone has access to, or you have individual accounts and you can track access and changes (it's easier in later versions because you can enable enhanced auditing).

Q: Is there a better way than using one application service account ?

Not really - I don't recommend a single service account as it makes accountability for changes more difficult.

 

Q: Not sure how PAM references the root account, so not sure how to configure NBU for root access ?

I'm not sure either - I would check with the OS vendor and see how to configure PAM on that OS.
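To make the reply's two points concrete (the * default line belongs last, and a single shared account with ADMIN=ALL removes per-person accountability), here is an added example that parses an auth.conf in the format shown in this thread and reports on it. It is not Veritas code; the entry format follows the examples above, and the "explicit entry wins, then * applies" precedence is an assumption of the example.

```python
from dataclasses import dataclass

# Constructed sample mirroring the reply's recommended auth.conf.
SAMPLE_AUTH_CONF = """\
root ADMIN=ALL JBP=ALL
nbuadmin ADMIN=ALL JBP=ALL
* ADMIN=JBP JBP=ENDUSER+BU+ARC
"""

@dataclass
class Entry:
    user: str    # Unix login name, or '*' for the default entry
    admin: set   # ADMIN= keywords (console applications); 'ALL' = everything
    jbp: set     # JBP= keywords (Backup/Archive/Restore functions)

def parse_auth_conf(text):
    """Parse '<user> ADMIN=<list> JBP=<list>' lines in file order; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        admin, jbp = set(), set()
        for tok in parts[1:]:
            key, _, value = tok.partition("=")
            values = set(value.split("+")) if value else set()
            if key == "ADMIN":
                admin = values
            elif key == "JBP":
                jbp = values
        entries.append(Entry(parts[0], admin, jbp))
    return entries

def wildcard_problems(entries):
    """The reply's rule: the '*' default entry must be the last line of the file."""
    return [f"'*' default entry (entry {i + 1}) is not the last line"
            for i, e in enumerate(entries) if e.user == "*" and i != len(entries) - 1]

def full_admins(entries):
    """Accounts holding ADMIN=ALL: if any of these is a shared service account, changes made through it cannot be attributed to a person."""
    return [e.user for e in entries if "ALL" in e.admin]

def effective_rights(entries, user):
    """Assumed precedence: an explicit entry for the user wins, otherwise '*' applies."""
    for e in entries:
        if e.user == user:
            return e
    return next((e for e in entries if e.user == "*"), None)
```

Running it over the sample shows nbuadmin and root with full console rights and any other login (a restore tech, say) falling through to the BAR-only default.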