
A step by step example of installing the VERITAS Security Services (VxSS)
and configuring VERITAS NetBackup (tm) Access Control (NBAC) on a
UNIX Master/Media Server.

I. Introduction
This document is intended as a detailed example of the steps necessary to set
up the NetBackup Access Control (NBAC) feature in an extremely simple
NetBackup environment. The NBAC feature allows non-root users to have
NetBackup administrative capabilities, using either the NetBackup administrative
graphical user interface (GUI), or the command line utilities. For a detailed
description of this feature, refer to Chapter 1 of the Veritas NetBackup (tm) 5.1
System Administrator's Guide, Volume II or the Veritas NetBackup (tm) 6.0
System Administrator's Guide, Volume II (found below, in the Related Documents
section).

The example environment referred to throughout this document is a single
Solaris 9 server named rosv240-06.xxx.example.com. This server has already
been configured as a NetBackup master/media server running NetBackup 5.1
Maintenance Pack 3 (MP3). (These same instructions should also apply to any
NetBackup version starting with 5.0 MP1; however, the screenshots may vary
between releases.)

This document will first explain how to install the VERITAS Security Services
(VxSS) components that are required for using NBAC. This document will then
explain how to enable and configure NBAC.

There are two non-root users that will be given NetBackup administrative access.
The user named vxssuser is defined in the Solaris /etc/passwd file. The
vxssuser will be the initial user being set up in this example. The NBAC
configuration will also be updated to include the user named rworman, who is
defined in the Network Information Service ("NIS") databases.

II. Installation

II.A. Installation Prerequisites


There are three important prerequisites for guaranteeing proper NBAC
functionality:
• The Domain Name Services (DNS) system must be configured for
both forward and reverse lookups of the master server's hostname.
This is a general NetBackup requirement and is true for all
NetBackup releases. (See Figure 1)
• NetBackup must be configured to use the fully qualified domain
name (FQDN) of the master server, as set by the first SERVER
entry in the bp.conf configuration file. (See Figure 1.) Note: This
requirement has been removed as of the NetBackup 5.1 MP5 and
NetBackup 6.0 MP2 releases, allowing the use of the short
hostname.

Page 1 of 49
• The non-root user must have a valid home directory that is
writeable by that non-root user. (See Figure 2.)
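The three prerequisites above can be checked from a shell before the VxSS installer is run. The script below is an added example written for this page, not a NetBackup or VERITAS utility; it assumes the default bp.conf location /usr/openv/netbackup/bp.conf (override with the BPCONF environment variable), that getent(1) resolves names through the host's nsswitch.conf, and XPG4-style ls(1)/sed(1) as on Solaris 9. The home directory check reads the owner uid and the mode bits instead of testing -w, so it gives the same answer whether root or the user runs it.

```shell
#!/bin/sh
# nbac_precheck.sh - verify the three NBAC prerequisites from section II.A.
# Added example, not part of the original technote. Assumptions: bp.conf is
# at the NetBackup default path and getent(1) resolves via nsswitch.conf.

BPCONF=${BPCONF:-/usr/openv/netbackup/bp.conf}

# A name counts as fully qualified when it contains a dot, does not start or
# end with one, and has no empty label ("rosv240-06.xxx.example.com").
is_fqdn() {
    case "$1" in
        ''|.*|*.|*..*) return 1 ;;
        *.*)           return 0 ;;
        *)             return 1 ;;
    esac
}

# Print the value of the first SERVER entry in a bp.conf file. NetBackup
# treats that entry as the master server's own name, so NBAC uses it too.
first_server_entry() {
    sed -n 's/^[[:space:]]*SERVER[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | sed '1q'
}

# Prerequisite 2: the first SERVER entry must be the master's FQDN
# (relaxed as of 5.1 MP5 / 6.0 MP2, but harmless to keep satisfied).
check_bpconf_fqdn() {
    srv=$(first_server_entry "$1")
    is_fqdn "$srv"
}

# Prerequisite 1: the forward lookup of the FQDN must give an address whose
# reverse lookup returns the same FQDN. Needs a resolver; not run offline.
check_dns_roundtrip() {
    fqdn=$1
    addr=$(getent hosts "$fqdn" | awk 'NR==1 { print $1 }')
    [ -n "$addr" ] || { echo "forward lookup of $fqdn failed" >&2; return 1; }
    back=$(getent hosts "$addr" | awk 'NR==1 { print $2 }')
    [ "$(echo "$back" | tr 'A-Z' 'a-z')" = "$(echo "$fqdn" | tr 'A-Z' 'a-z')" ] ||
        { echo "reverse lookup of $addr gave '$back', expected $fqdn" >&2; return 1; }
}

# Prerequisite 3 (generic part): the directory exists, is owned by the given
# numeric uid and carries the owner write bit. Parsing "ls -ldn" keeps this
# portable to Solaris 9 (no stat(1)) and independent of the caller's uid.
dir_writable_by_owner() {
    dir=$1 uid=$2
    [ -d "$dir" ] || return 1
    set -- $(ls -ldn "$dir")
    mode=$1 owner=$3
    [ "$owner" = "$uid" ] || return 1
    case "$mode" in
        d?w*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Prerequisite 3: resolve the user's uid and home directory from the passwd
# database (local file or NIS, whichever nsswitch.conf names) and test it.
check_home_writable() {
    user=$1
    entry=$(getent passwd "$user") || { echo "no passwd entry for $user" >&2; return 1; }
    uid=$(echo "$entry" | cut -d: -f3)
    home=$(echo "$entry" | cut -d: -f6)
    dir_writable_by_owner "$home" "$uid"
}

# Run all three checks only when NBAC_PRECHECK_RUN=1, so that sourcing the
# file (as the offline test does) just defines the functions.
if [ "${NBAC_PRECHECK_RUN:-0}" = "1" ]; then
    master=$(first_server_entry "$BPCONF")
    rc=0
    check_bpconf_fqdn "$BPCONF"          || { echo "FAIL: first SERVER entry '$master' is not an FQDN"; rc=1; }
    check_dns_roundtrip "$master"        || { echo "FAIL: DNS round trip for $master"; rc=1; }
    check_home_writable "${1:-vxssuser}" || { echo "FAIL: home directory of ${1:-vxssuser}"; rc=1; }
    [ $rc -eq 0 ] && echo "all NBAC prerequisites satisfied"
    exit $rc
fi
```

Run it as root with `NBAC_PRECHECK_RUN=1 sh nbac_precheck.sh vxssuser`; a non-zero exit status means at least one prerequisite failed and the reason was printed.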

Figure 1: Verifying DNS functionality and verifying that NetBackup is
using the FQDN for the master server.

Figure 2: Verifying that the non-root user vxssuser has a writeable home
directory.

II.B. Installing the VxSS Authentication (AT) Server

Insert the NetBackup 5.1 VxSS CD-ROM, use the cd command to change
to the appropriate platform directory on this CD-ROM, and then run the
installvss script. (See Figure 3 for example commands.)

Figure 3: Launching the installvss script from the VxSS CD-ROM.

The following series of screenshots walks through the sequence of
screens that the AT installer will present. All user input is highlighted in
red.

Figure 4: Specify "Install" Operation.

Figure 5: Specify AT Service.

Figure 6: Specify AT install host.

Figure 7: Summary of initial system check results (no user input
necessary, just press Return).

Figure 8: Summary of OS packages that are about to be installed (no
input necessary, just press Return).

Figure 9: Summary of OS package requirement checks (no input
necessary, just press Return).

Figure 10: Confirm installation of the Authentication Broker Server.

Figure 11: Summary of AT installation result (no input necessary, just
press Return).

Figure 12: Confirm configuration of AT.

Figure 13: Explanation of user navigation (no input necessary, just press
Return).

Figure 14: Specify AT mode of "Authentication + Root Broker".

Figure 15: Deny cluster configuration.

Figure 16: Summary of AT configuration results (no input necessary, just
press Return).

Figure 17: Final summary of AT installation (note location of log files, if
any problems were encountered).

II.C. Installing the VxSS Authorization (AZ) Server
If the VxSS CD-ROM is not already mounted from the previous step, insert
the NetBackup 5.1 VxSS CD-ROM; use the "cd" command to change to
the appropriate platform directory on this CD-ROM, and then run the
installvss script, as shown in Figure 3.

The following series of screenshots walks through the sequence of
screens that the AZ installer will present. All user input is highlighted in
red.

Figure 18: Specify "Install" Operation.

Figure 19: Specify AZ Service.

Figure 20: Specify AZ install host.

Figure 21: Summary of initial system check results (no user input
necessary, just press Return).

Figure 22: Summary of OS packages that are about to be installed (no
input necessary, just press Return).

Figure 23: Summary of OS package requirement checks (no input
necessary, just press Return).

Figure 24: Confirm installation of the Authorization Service.

Figure 25: Summary of AZ installation result (no input necessary, just
press Return).

Figure 26: Confirm configuration of AZ.

Figure 27: Explanation of user navigation (no input necessary, just press
Return).

Figure 28: Deny cluster configuration.

Figure 29: Summary of AZ configuration results (no input necessary, just
press Return).

Figure 30: Final summary of AZ installation (note location of log files, if
any problems were encountered).

II.D. Verifying basic VxSS functionality
At this point you should be able to start the VxSS daemons, and the
vssat command can be used to verify the AT domain name. See Figures
31 and 32 below for examples of how to verify these items.

Figure 31: Start the AT and AZ daemons, verify they are running.

Figure 32: Run the vssat command to verify the AT domain name is
"root@FQDN", and run the vrtsaz command to verify that the AZ server
is in a "ready" state.

III. NBAC Configuration
As mentioned in step II.D above, it is important that the VxSS daemons are
running (as shown in Figure 31) prior to proceeding to the next steps.

The following steps will seed the VxSS database with the data necessary for
using NBAC.

III.A. Bootstrap VxSS/NBAC configuration

The following sequence of commands only needs to be run once on a
system that has no NBAC configuration in place. Running these
commands on an existing NBAC configuration could result in a loss of any
NBAC customizations. (E.g. custom groups or modification of the default
group permissions)

The following series of screenshots walks through the exact sequence of
commands that should be run, followed by the expected output from each
of those commands. All user input is highlighted in red.

Figure 33: Run bpnbat -addmachine to create a machine account
for this host. NOTE: the password used with this command does not
need to match any existing password elsewhere in the
Solaris/NetBackup/VxSS configuration! (For this example, the
password specified was "machinepass".)

Figure 34: Run bpnbat -loginmachine to login to the machine
account that was just created. Note: The password used with this
command should be the same password that was supplied to
bpnbat -addmachine in Figure 33. (For this example, the
password entered was "machinepass".)

Figure 35: Run bpnbaz -setupsecurity to create the NBAC
default groups and permissions, and to add the first member of the NBAC
Security Administrator group. Note: The username and password used
with this command should be the UNIX username and password for
the desired non-root user. (For this example, the password entered was
"vxssuser123".)

Figure 36: Run bpnbaz -allowauthorization to add the master
server as a host allowed to perform authorization checks.

Figure 37: Use the bpnbat -login command to authenticate this user
for command line access. Note: The username and password used
with this command should be the UNIX login and password for this
user. (For this example, the password entered was "vxssuser123".)
Next, run the bpnbaz -listgroups command as a simple
verification of the initial NBAC configuration.

III.B. NetBackup GUI configuration (done as root)
The following steps are the last NetBackup GUI actions that must be done
while logged in as the root user.

The following series of screenshots walks through the exact sequence of
GUI operations necessary to complete the NBAC configuration. All user
input is highlighted in red:

Figure 38: Launch jnbSA as the root user.

Figure 39: Log into jnbSA as the root user.

Figure 40: Select Host Properties --> Master Server, right-click and
select Properties.

Figure 41: Select Access Control

Figure 42: Select Automatic, and select the VxSS tab, and click the Add
button

Figure 43: Select Host Name, specify the FQDN of the Master, and click
the Add button.

Figure 44: Click the Close button.

Figure 45: Select the Authentication Domains tab.

Figure 46: Click the Add button.

Figure 47: Specify the Domain (FQDN of the Master), choose PASSWD
for the Authentication Mechanism, specify the Broker (FQDN again),
click the Add button.

Figure 48: Click the Close button.

Figure 49: Select the Authorization Service tab.

Figure 50: Specify the Host (FQDN of the Master) and click the OK
button.

Figure 51: A notification to restart daemons will appear. Dismiss the
notification by clicking the OK button.

Figure 52: Exit the jnbSA application.

Figure 53: Note that four new entries have been added to the end of the
bp.conf file.

Figure 54: Stop and start the NetBackup daemons.

III.C. Verifying non-root capabilities (done as vxssuser)
At this point in our example, the non-root vxssuser account is the only
user with NetBackup administrative capabilities, via either the GUI or the
command line. Given that the UNIX root user has historically been an all-
powerful NetBackup administrator, some NetBackup administrators may
want to allow root to be another NetBackup administrator under NBAC.
This is easily done, and is described in section III.D.1 of this document.
("Adding the root user (defined in the /etc/passwd file) as a NetBackup
Administrator.")

The following series of screenshots walks through the exact sequence of
steps to demonstrate the vxssuser administrative capabilities. All user
input is highlighted in red.

III.C.1. Verifying non-root GUI (jnbSA) access

Figure 55: Start a new terminal session on the master server,
logging in as vxssuser, and launch the jnbSA GUI.

Figure 56: Log in to jnbSA as vxssuser.

Figure 57: Observe that the full administrative GUI is presented (as
opposed to only the Backup, Archive and Restore GUI that would
normally be presented to a non-root user).

Figure 58: Select Help --> Current NBAC User to see the details
of the vxssuser GUI credentials.

Figure 59: vxssuser GUI credentials (Note that credential expiry is
24 hours from the time that vxssuser logged into jnbSA - See
TechNote 274786 for how to extend this expiry date.)

III.C.2. Verifying non-root command line access

Figure 60: While logged in as vxssuser, NetBackup command line
utilities like bpstulist cannot be run because no valid credential is
present. (If the bpnbat -login command from Figure 37 was run
within the past 24 hours, that credential is still valid and the
command in this example will work.)

Figure 61: Run the bpnbat -login command to authenticate
this user for command line access. Note: The username and
password used with this command should be the UNIX login
and password for this user. (For this example, the password
entered was "vxssuser123".)

Figure 62: Observe that the NetBackup bpstulist command can
now be run.

Figure 63: Run the bpnbat -whoami command to see
command line credential details. (Note that credential expiry is 24
hours from the time that vxssuser ran the bpnbat -login
command - See TechNote 274786 for how to extend this expiry
date.)

III.D. Adding additional NetBackup Administrators

The final step of this example is to demonstrate the addition of two more
users to this NBAC configuration:
• The root user, as defined in the local /etc/passwd file
• Another non-root user, rworman, who is defined in the Network
Information Service (NIS) databases instead of the
/etc/passwd file. Adding this NIS user to the NBAC configuration
will first require the creation of a second Authentication Domain.

III.D.1. Adding the root user to the NBAC NetBackup
Administrators Group
When using NBAC, it is not necessary for the UNIX root user to
have any NetBackup administration capabilities. However, the root
user has historically been the de facto NetBackup administrator, so
some NetBackup administrators may prefer to provide root with
NBAC administrative access.

The following series of screenshots walks through the exact
sequence of GUI operations necessary to add root to the NBAC
configuration. All user input is highlighted in red:

Figure 64: Log in to a jnbSA session as a username that is a
member of the NBAC Security Administrator group. In our
example, this can only be the vxssuser username.

Figure 65: Select the Access Management --> User Groups node
and right-click on the NBU_Admin User Group and select Change.

Figure 66: Select the Users tab and click the New User button

Figure 67: Specify the new user name to be added, specify the
domain (FQDN of the master server), choose UNIX PWD for the
Domain Type, choose Individual User for the User Type, and click
the OK button.

Figure 68: Observe that the user root has been added to the list of
Assigned Users for this group. Click the OK button to complete the
modification of this group.

Figure 69: Exit the jnbSA application.

The root user now has full NetBackup administrative access.
Verifying this is left as an exercise for the reader, based on the
steps provided in section III.C, of this document.

III.D.2. Adding another Authentication Domain for NIS users

In order to add the rworman user to our example NBAC
configuration, it is necessary to add a second Authentication
Domain to the NBAC configuration. This second domain will allow
NBAC to authenticate users who are defined in the NIS databases.

The following series of screenshots walks through the exact
sequence of GUI operations necessary to add a NIS Authentication
Domain. All user input is highlighted in red.

Figure 70: Identify the NIS domain name using the Solaris
domainname command (our example NIS domain is
xxx.example.com)

Figure 71: Log in to a jnbSA session as a username that is a
member of the NBAC Security Administrator group. In our
example, this is vxssuser, but root would also work, because of the
actions taken in section III.D.1.

Figure 72: Select Host Properties --> Master Server, right-click
and select Properties.

Figure 73: Select Access Control node, select the
Authentication Domains tab, and click the Add button.

Figure 74: Specify the Domain that you identified in Figure 70
(xxx.example.com), choose NIS for the Authentication
Mechanism, specify the Broker (FQDN of the master server), and
click the Add button.

Figure 75: Click the Close button

Figure 76: Observe that the second Domain has been added to the
list. Click the OK button to apply these changes.

Figure 77: Dismiss the Restart Daemons dialog by clicking the OK
button. NOTE: In this instance, the request to restart the
NetBackup daemons may be safely ignored.
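The Access Control dialogs in section III.B leave four new entries at the end of bp.conf (Figure 53), and the NIS domain just added appends a second Authentication Domain entry. The script below is an added example for this page, not a NetBackup or VERITAS tool, that reads those entries back and checks them for consistency with the first SERVER entry. The entry names it looks for (USE_VXSS, VXSS_NETWORK, AUTHENTICATION_DOMAIN, AUTHORIZATION_SERVICE) and the field layout of AUTHENTICATION_DOMAIN (domain, quoted comment, mechanism, broker, port) are taken from the NetBackup System Administrator's Guide, Volume II, not from this page, so compare them against what your own bp.conf shows; the sample bp.conf in the test is constructed for the example's host names, and the default path /usr/openv/netbackup/bp.conf is assumed (override with BPCONF).

```shell
#!/bin/sh
# nbac_bpconf_check.sh - read back the NBAC entries that jnbSA writes to
# bp.conf and check them against the master's name. Added example, not
# from the technote. Entry names and field layout follow the NetBackup
# System Administrator's Guide, Volume II (assumed, not shown on the page).

BPCONF=${BPCONF:-/usr/openv/netbackup/bp.conf}

# Print the value of every "NAME = value" entry named $2 in file $1, one per
# line, with the prefix and trailing whitespace removed.
bpconf_values() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//'
}

# First SERVER entry: the name NetBackup uses for the master itself.
first_server_entry() {
    bpconf_values "$1" SERVER | sed '1q'
}

# Number of AUTHENTICATION_DOMAIN entries (one after III.B, two after III.D.2).
auth_domain_count() {
    bpconf_values "$1" AUTHENTICATION_DOMAIN | awk 'END { print NR }'
}

# Print "domain mechanism broker" for each AUTHENTICATION_DOMAIN entry.
# Layout: domain "comment" mechanism broker [port]. The quoted comment may
# contain spaces, so it is stripped before the line is split into fields.
auth_domains() {
    bpconf_values "$1" AUTHENTICATION_DOMAIN |
        sed 's/"[^"]*"//' |
        awk '{ print $1, $2, $3 }'
}

# Return 0 when bp.conf describes the single-master NBAC setup of this
# document: USE_VXSS is AUTOMATIC or REQUIRED, the master is listed in a
# VXSS_NETWORK entry, every AUTHENTICATION_DOMAIN names the master as its
# broker, and AUTHORIZATION_SERVICE points at the master. Reasons go to
# stderr; the exit status carries the verdict.
check_nbac_bpconf() {
    conf=$1
    master=$(first_server_entry "$conf")
    rc=0
    mode=$(bpconf_values "$conf" USE_VXSS | sed '1q')
    case "$mode" in
        AUTOMATIC|REQUIRED) ;;
        *) echo "USE_VXSS is '$mode', expected AUTOMATIC or REQUIRED" >&2; rc=1 ;;
    esac
    bpconf_values "$conf" VXSS_NETWORK | awk '{ print $1 }' | grep -qxF "$master" ||
        { echo "no VXSS_NETWORK entry for $master" >&2; rc=1; }
    [ "$(auth_domain_count "$conf")" -gt 0 ] ||
        { echo "no AUTHENTICATION_DOMAIN entries" >&2; rc=1; }
    bad=$(auth_domains "$conf" | awk -v m="$master" '$3 != m { n++ } END { print n+0 }')
    [ "$bad" -eq 0 ] ||
        { echo "$bad AUTHENTICATION_DOMAIN entries use a broker other than $master" >&2; rc=1; }
    azhost=$(bpconf_values "$conf" AUTHORIZATION_SERVICE | awk 'NR==1 { print $1 }')
    [ "$azhost" = "$master" ] ||
        { echo "AUTHORIZATION_SERVICE host is '$azhost', expected $master" >&2; rc=1; }
    return $rc
}

# Report on the live bp.conf only when NBAC_BPCONF_CHECK_RUN=1, so sourcing
# the file (as the offline test does) just defines the functions.
if [ "${NBAC_BPCONF_CHECK_RUN:-0}" = "1" ]; then
    echo "master: $(first_server_entry "$BPCONF")"
    echo "authentication domains (domain mechanism broker):"
    auth_domains "$BPCONF" | sed 's/^/  /'
    if check_nbac_bpconf "$BPCONF"; then
        echo "NBAC entries are consistent"
    else
        echo "NBAC entries need attention"
        exit 1
    fi
fi
```

Run it as `NBAC_BPCONF_CHECK_RUN=1 sh nbac_bpconf_check.sh` after Figure 54 and again after Figure 77; the second run should list both the PASSWD and the NIS domain with the master as broker. The script accepts USE_VXSS = AUTOMATIC because that is what Figure 42 selects, but AUTOMATIC lets a peer that does not present VxSS credentials fall back to the pre-NBAC connection handling, so once every host that talks to this master has been configured for VxSS, REQUIRED is the setting that actually enforces NBAC.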

III.D.3. Adding the rworman NIS user to the NBAC NetBackup
Administrators Group
Much like the steps outlined in III.D.1 above, the following series of
screenshots walks through the exact sequence of GUI operations
necessary to add rworman to the NBAC configuration. All user
input is highlighted in red.

The screenshots below assume that a NetBackup Admin user is
already logged into the jnbSA application.

Figure 78: Select the Access Management --> User Groups
node and right-click on the NBU_Admin User Group and select
Change.

Figure 79: Select the Users tab and click the New User button.

Figure 80: Specify the new username to be added, specify the NIS
domain (as identified in Figure 70), choose NIS for the Domain Type,
choose Individual User for the User Type, and click the OK button.

Figure 81: Observe that the user rworman has been added to the
list of Assigned Users for this group. Click the OK button to
complete the modification of this group.

Figure 82: Exit the jnbSA application.

The NIS user rworman now has full NetBackup administrative
access. Verifying this is left as an exercise for the reader, based on
the steps already given in section III.C, of this document.

IV. Conclusion
This document is provided as a detailed explanation of how to configure the
simplest possible UNIX NBAC configuration. It demonstrates how to grant full
NetBackup administrative capabilities to three users on a single NetBackup
Master+Media server. Most real world configurations would require a more
complex NBAC configuration than this, including one or more of the following:
• Using NBAC on clients and media servers
• Using NBAC on a mixture of Windows and UNIX platforms
• Granting different levels of NetBackup administrative access to different
users

Detailed walk-throughs and screenshots describing the above tasks would be
beyond the scope of this document. These tasks (and many other aspects of
NBAC) are described in Chapter 1 of the Veritas NetBackup (tm) 5.1 System
Administrator's Guide, Volume II or the Veritas NetBackup (tm) 6.0 System
Administrator's Guide, Volume II.
