Installing and Configuring Access Control for Master Servers
The following steps describe configuring NetBackup Access Control for the master server in a NetBackup configuration. A master server requires Authentication Server and Client software and Authorization Server and Client software.
The configuration examples in this chapter use the following host names:
|                | Windows    | UNIX        |
|----------------|------------|-------------|
| Master Servers | win_master | unix_master |
| Media Servers  | win_media  | unix_media  |
| Clients        | win_client | unix_client |
- Complete all NetBackup master server installations or upgrades.
- Using the VxSS installation CD, install both the VxSS Authentication Server and Client software on the master server. This master server will be a Root + AB (Authentication Broker).
See Installing the Authentication Service Root Broker (Root + AB) and the VERITAS Security Services Installation Guide on the VxSS installation CD.
- Using the VxSS installation CD, install the VxSS Authorization Server and Client software on the master server. To do this, you must perform a custom installation.
See Installing the Authorization Server and the VERITAS Security Services Installation Guide on the VxSS installation CD.
- Create a machine account for the master server. Make sure that the Authentication and the Authorization services are running. See UNIX Verification Points or Windows Verification Points.
The command in this step must be run as either root (UNIX) or as a member of the local Administrator group (Windows) on the Root+AB Authentication broker. For more information about this step, see
bpnbat is located in directory /usr/openv/netbackup/bin/
bpnbat -addmachine
Does this machine use Dynamic Host Configuration Protocol (DHCP)? (y/n) n
Authentication Broker: win_master
Authentication port[ Enter = default]:
Machine Name: win_master
Password: *******
Password: *******
Operation completed successfully.
- Log in to the machine account for the master server.
For more information about this step, see
bpnbat -LoginMachine
Does this machine use Dynamic Host Configuration Protocol (DHCP)? (y/n) n
Authentication Broker: win_master
Authentication port[ Enter = default]:
Machine Name: win_master
Password: *******
Operation completed successfully.
Note: Repeat this step for each alias used by NetBackup.
- Create the first Security Administrator (bootstrapping security).
For more information about this step, see
bpnbaz is located in directory /usr/openv/netbackup/bin/admincmd
bpnbaz -setupsecurity win_master
Please enter the login information for the first Security
Administrator other than root/Administrator. This identity
will be added to the security administrators group
(NBU_Security Admin), and to the netbackup administrators
group (NBU_Admin). It will also be used to build the initial
security information.
Authentication Broker: win_master
Authentication port[ Enter = default]:
Authentication type (NIS, NIS+, NT, vx, UNIXpwd: nt
Domain: domain1
Login Name: admin1
Password: ******
Processing - please be patient
Operation completed successfully.
- Add the master server as a host authorized to perform Authorization checks.
For more information about this step, see
bpnbaz -AllowAuthorization win_master
Operation completed successfully.
- Configure the Access Control host properties of the master server.
For more information about this step, see
- Set VERITAS Security Services to Automatic or Required. (If some clients will not use NetBackup Access Control, set to Automatic.)
- On the VxSS tab, add the host to the VxSS network (win_master). (If the VxSS property is set to Required, this tab is not available.)
- On the Authentication Domain tab, add authentication domain(s) and the host that will act as the broker for the domain (domain1).
The broker is a machine using an operating system supporting the domain type that has the VxSS Authentication service installed on it.
- On the Authorization Service tab, specify the master server on which you installed the VxSS Authorization service (win_master).
After changing the host properties, recycle the server daemons for the changes to take effect.
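One way to confirm that the four command-line steps above each ran, in the documented order, and reported success, given here as an added example and not VERITAS code. The function names and the saved session log are assumptions; the command strings and the success message come from the transcripts above.

```shell
# Added example (not VERITAS code): audit a saved terminal log of the steps.
# Assumption: the operator captured the session to a text file.
# Commands from the steps above, in page order, separated by ";".
NBAC_STEPS='bpnbat -addmachine;bpnbat -LoginMachine;bpnbaz -setupsecurity;bpnbaz -AllowAuthorization'

# audit_nbac_log FILE: print one status per step; return 0 only when every
# step was run, every run printed "Operation completed successfully." before
# the next command, and the steps first appear in the documented order.
audit_nbac_log() {
    awk -v steps="$NBAC_STEPS" '
    BEGIN { n = split(steps, want, ";"); cur = 0; bad = 0 }
    {
        line = tolower($0)
        for (i = 1; i <= n; i++)
            if (index(line, tolower(want[i]))) {    # a documented command
                if (!first[i]) first[i] = NR
                runs[i]++; cur = i; next
            }
        if (cur && index(line, "operation completed successfully")) { okc[cur]++; cur = 0 }
    }
    END {
        prev = 0
        for (i = 1; i <= n; i++) {
            if (!runs[i])                st = "MISSING"
            else if (okc[i] != runs[i])  st = "FAILED"
            else if (first[i] < prev)    st = "OUT-OF-ORDER"
            else                         st = "OK"
            if (st != "OK") bad = 1
            if (first[i] > prev) prev = first[i]
            printf "%-28s %s\n", want[i], st
        }
        exit bad
    }' "$1"
}

# Constructed sample log (prompts abbreviated from the transcripts above).
nbac_sample_log() {
    cat <<'EOF'
# bpnbat -addmachine
Operation completed successfully.
# bpnbat -LoginMachine
Operation completed successfully.
# bpnbaz -setupsecurity win_master
Processing - please be patient
Operation completed successfully.
# bpnbaz -AllowAuthorization win_master
Operation completed successfully.
EOF
}
```

Call `audit_nbac_log session.log` on the captured session. A repeated `bpnbat -LoginMachine` (one per alias) is accepted as long as every run reports success.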