Master Server Verification Points
The following sections describe procedures for Windows master server verification.
Verify Windows Master Server Settings
To determine in what domain a host is registered (where the primary Authentication broker resides), and the name of the machine the certificate represents, run bpnbat with -whoami. For example:
bpnbat -whoami -cf
"e:\program Files\veritas\netbackup\var\vxss\credentials\win_master"
Name: win_master.min.com
Domain: NBU_Machines@win_master.min.com
Issued by: /CN=broker/OU=root@win_master.min.com/O=vx
Expiry Date: Nov 5 20:17:51 2004 GMT
Authentication method: VERITAS Private Security
Operation completed successfully.
If the domain listed is not NBU_Machines@win_master.min.com, consider running bpnbat -addmachine for the name in question (win_master) on the machine that is serving the NBU_Machines domain (win_master).
Then, on the machine where we want to place the certificate, run:
bpnbat -loginmachine
Note
When determining if a user's credentials have expired, keep in mind that the output displays the expiration time in GMT, not local time.
Note
For the remaining procedures in this verification section, we assume that the commands are performed from an operating system window in which the user identity in question has run bpnbat -login using an identity that is a member of NBU_Security Admin. This is usually the first identity with which the security was set up.
Verify which Machines are Permitted to Perform Authorization Lookups
Logged in as a member of the Administrators group run the following command:
bpnbaz -ShowAuthorizers
This command shows that win_master and win_media (media server) are permitted to perform Authorization lookups. Note that both servers are authenticated against the same vx (VERITAS Private Domain) Domain, NBU_Machines@win_master.min.com.
bpnbaz -ShowAuthorizers
==========
Type: User
Domain Type: vx
Domain:NBU_Machines@win_master.min.com
Name: win_master.min.com
==========
Type: User
Domain Type: vx
Domain:NBU_Machines@win_master.min.com
Name: win_media.min.com
Operation completed successfully.
If a master or media server is missing from the list of Authorized machines, run
bpnbaz -allowauthorization to add the missing machine.
Verify that the Database is Configured Correctly
To make sure that the database is configured correctly, run bpnbaz -listgroups:
bpnbaz -listgroups
NBU_User
NBU_Operator
NBU_Security Admin
Vault_Operator
NBU_Admin
Operation completed successfully.
If the groups do not appear, or if bpnbaz -listmainobjects does not return data, run bpnbaz -SetupSecurity.
Verify that the vxatd and vxazd Processes are Running
Use the Windows Task Manager to make sure that vxatd.exe and vxazd.exe are running on the designated host. If necessary, start them.
Verify that the Host Properties are Configured Correctly
In the Access Control host properties, verify that the VERITAS Security Services property is set correctly. (The setting should be either Automatic or Required, depending on whether all machines are using VxSS or not. If all machines are not using VxSS, set it to Automatic.
This can also be verified by viewing USE_VXSS in the registry at:
HKEY_LOCAL_MACHINE\Software\VERITAS\NetBackup\CurrentVersion\config
In the Access Control host properties, verify that the authentication domains listed are spelled correctly and point to the proper servers (valid Authentication brokers). If all domains are Windows-based, they should point to a Windows machine running the At broker.
|
