Master Server Verification Points
The following sections describe procedures for UNIX master server verification.
Verify UNIX Master Server Settings
To determine in what domain a host is registered (where the primary Authentication broker resides), and the name of the machine the certificate represents, run bpnbat with -whoami. For example:
bpnbat -whoami -cf /usr/openv/var/vxss/credentials/unix_master.min.com
Name: unix_master.min.com
Domain: NBU_Machines@win_master
Issued by: /CN=broker/OU=root@win_master/O=vx
Expiry Date: Nov 13 15:44:30 2004 GMT
Authentication method: VERITAS Private Security
Operation completed successfully.
If the domain listed is not NBU_Machines@unix_master.min.com, consider running bpnbat -addmachine for the name in question (unix_master) on the machine that is serving the NBU_Machines domain (unix_master).
Then, on the machine where the certificate is to be placed, run bpnbat -loginmachine.
Note
When determining if a user's credentials have expired, keep in mind that the output displays the expiration time in GMT, not local time.
Note
For the remaining procedures in this verification section, we assume that the commands are performed from an operating system window in which the user identity in question has run bpnbat -login using an identity that is a member of NBU_Security Admin. This is usually the first identity with which the security was set up.
Verify which Machines are Permitted to Perform Authorization Lookups
Logged in as root on the Authorization broker, run the following command:
bpnbaz -ShowAuthorizers
This command shows that unix_master and unix_media are permitted to perform Authorization lookups. Note that both servers are authenticated against the same vx (VERITAS Private Domain) Domain, NBU_Machines@unix_master.min.com.
bpnbaz -ShowAuthorizers
==========
Type: User
Domain Type: vx
Domain:NBU_Machines@unix_master.min.com
Name: unix_master.min.com
==========
Type: User
Domain Type: vx
Domain:NBU_Machines@unix_master.min.com
Name: unix_media.min.com
Operation completed successfully.
If a master or media server is missing from the list of Authorized machines, run bpnbaz -allowauthorization to add the missing machine.
Verify that the Database is Configured Correctly
To make sure that the database is configured correctly, run bpnbaz -listgroups:
bpnbaz -listgroups
NBU_User
NBU_Operator
NBU_Admin
NBU_Security Admin
Vault_Operator
Operation completed successfully.
If the groups do not appear, or if bpnbaz -listmainobjects does not return data, run bpnbaz -SetupSecurity.
Verify that the vxatd and vxazd Processes are Running
Run the ps command to ensure that vxatd and vxazd are running on the designated host. If necessary, start them. For example:
ps -fed |grep vx
root 10716 1 0 Nov 11 ? 0:02 /opt/VRTSat/bin/vxatd
root 10721 1 0 Nov 11 ? 4:17 /opt/VRTSaz/bin/vxazd
See the VERITAS Security Services Administrator's Guide for more details on how to start vxatd and vxazd.
Verify that the Host Properties are Configured Correctly
In the Access Control host properties, verify that the VERITAS Security Services property is set correctly. (The setting should be either Automatic or Required, depending on whether all machines are using VxSS. If not all machines are using VxSS, set it to Automatic.)
In the Access Control host properties, verify that the authentication domains listed are spelled correctly and point to the proper servers (valid Authentication brokers). If all domains are UNIX-based, they should point to a UNIX machine running the authentication (AT) broker.
This can also be verified by viewing bp.conf, for example with cat or vi.
cat bp.conf
SERVER = unix_master
SERVER = unix_media
CLIENT_NAME = unix_master
AUTHENTICATION_DOMAIN = min.com "default company NIS namespace" NIS unix_master 0
AUTHENTICATION_DOMAIN = unix_master "unix_master password file" PASSWD unix_master 0
AUTHORIZATION_SERVICE = unix_master.min.com 0
USE_VXSS = REQUIRED
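The verification points above are normally checked by eye. The following POSIX shell script is an added example (not from the NetBackup guide) that replays each check against captured command output: certificate expiry from bpnbat -whoami compared in GMT, the authorizer list from bpnbaz -ShowAuthorizers, the groups from bpnbaz -listgroups, the vxatd/vxazd process lines from ps, and the USE_VXSS, AUTHORIZATION_SERVICE and AUTHENTICATION_DOMAIN entries in bp.conf. The sample outputs embedded in it are constructed from the examples on this page; the accepted USE_VXSS values (REQUIRED, AUTOMATIC) are taken from the page's description of the host property. In real use, substitute the live output of each command.

```shell
#!/bin/sh
# Added example, not from the NetBackup guide: scripts this section's verification
# points against captured command output. The samples below are constructed from
# the page's own examples; in real use feed in the output of bpnbat, bpnbaz, ps
# and cat bp.conf instead.

# --- constructed sample output (mirrors the examples on this page) ---
WHOAMI_SAMPLE='Name: unix_master.min.com
Domain: NBU_Machines@unix_master.min.com
Expiry Date: Nov 13 15:44:30 2004 GMT
Operation completed successfully.'

AUTHORIZERS_SAMPLE='==========
Type: User
Domain:NBU_Machines@unix_master.min.com
Name: unix_master.min.com
==========
Type: User
Domain:NBU_Machines@unix_master.min.com
Name: unix_media.min.com
Operation completed successfully.'

LISTGROUPS_SAMPLE='NBU_User
NBU_Operator
NBU_Admin
NBU_Security Admin
Vault_Operator
Operation completed successfully.'

PS_SAMPLE='root 10716 1 0 Nov 11 ? 0:02 /opt/VRTSat/bin/vxatd
root 10721 1 0 Nov 11 ? 4:17 /opt/VRTSaz/bin/vxazd'

BPCONF_SAMPLE='SERVER = unix_master
SERVER = unix_media
CLIENT_NAME = unix_master
AUTHENTICATION_DOMAIN = min.com "default company NIS namespace" NIS unix_master 0
AUTHENTICATION_DOMAIN = unix_master "unix_master password file" PASSWD unix_master 0
AUTHORIZATION_SERVICE = unix_master.min.com 0
USE_VXSS = REQUIRED'

# 1. Certificate expiry from bpnbat -whoami. The guide notes the time is GMT, so it
#    is compared against date -u. A sortable YYYYMMDDHHMMSS key is built in awk, which
#    avoids depending on GNU "date -d". Returns 0 if still valid, 1 if expired.
check_expiry() {
    printf '%s\n' "$1" | awk -v now="$(date -u +%Y%m%d%H%M%S)" '
        BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
                for (i = 1; i <= 12; i++) mon[m[i]] = sprintf("%02d", i) }
        /^Expiry Date:/ { split($5, t, ":")     # fields: Mon DD HH:MM:SS YYYY GMT
                          key = sprintf("%s%s%02d%s%s%s", $6, mon[$3], $4, t[1], t[2], t[3]) }
        END { if (key == "") { print "no Expiry Date line found"; exit 1 }
              if (key < now) { print "certificate expired (" key " GMT)"; exit 1 }
              print "certificate valid until " key " GMT" }'
}

# 2. bpnbaz -ShowAuthorizers: every master and media server must appear as a Name: entry.
check_authorizers() {
    out=$1; shift; rc=0
    for host in "$@"; do
        printf '%s\n' "$out" | grep -qxF "Name: $host" \
            || { echo "$host may not perform authorization lookups (bpnbaz -allowauthorization)"; rc=1; }
    done
    return $rc
}

# 3. bpnbaz -listgroups: the groups created by bpnbaz -SetupSecurity must all exist.
check_groups() {
    rc=0
    for g in NBU_User NBU_Operator NBU_Admin 'NBU_Security Admin' Vault_Operator; do
        printf '%s\n' "$1" | grep -qxF "$g" || { echo "missing group: $g (run bpnbaz -SetupSecurity)"; rc=1; }
    done
    return $rc
}

# 4. ps output: both the authentication (vxatd) and authorization (vxazd) daemons must be up.
check_processes() {
    rc=0
    for d in vxatd vxazd; do
        printf '%s\n' "$1" | grep -q "/$d\$" || { echo "$d is not running"; rc=1; }
    done
    return $rc
}

# 5. bp.conf: USE_VXSS must be REQUIRED or AUTOMATIC (values assumed from the host
#    property description), an AUTHORIZATION_SERVICE must be set, and every broker host
#    named in an AUTHENTICATION_DOMAIN entry (second-to-last field, so the quoted comment
#    does not matter) must be one of the SERVER entries.
check_bpconf() {
    conf=$1; rc=0
    mode=$(printf '%s\n' "$conf" | awk -F= '/^USE_VXSS[ \t]*=/ { gsub(/[ \t]/, "", $2); print $2 }')
    case "$mode" in
        REQUIRED|AUTOMATIC) ;;
        *) echo "USE_VXSS is '$mode', expected REQUIRED or AUTOMATIC"; rc=1 ;;
    esac
    printf '%s\n' "$conf" | grep -q '^AUTHORIZATION_SERVICE' || { echo "no AUTHORIZATION_SERVICE entry"; rc=1; }
    servers=$(printf '%s\n' "$conf" | awk -F= '/^SERVER[ \t]*=/ { gsub(/[ \t]/, "", $2); print $2 }')
    for b in $(printf '%s\n' "$conf" | awk '/^AUTHENTICATION_DOMAIN/ { print $(NF-1) }'); do
        printf '%s\n' "$servers" | grep -qxF "$b" || { echo "broker $b is not listed as a SERVER"; rc=1; }
    done
    return $rc
}

# Run every check against the samples; non-zero if any point fails (the page's own
# whoami example certificate expired in 2004, so that check reports it).
run_all() {
    status=0
    check_expiry "$WHOAMI_SAMPLE" || status=1
    check_authorizers "$AUTHORIZERS_SAMPLE" unix_master.min.com unix_media.min.com || status=1
    check_groups "$LISTGROUPS_SAMPLE" || status=1
    check_processes "$PS_SAMPLE" || status=1
    check_bpconf "$BPCONF_SAMPLE" || status=1
    return $status
}
run_all || echo "one or more verification points failed"
```

Each check function takes the command output as a string and returns 0 or 1, so the script can be dropped into a cron job or a post-change checklist with `bpnbat -whoami -cf <cert>`, `bpnbaz -ShowAuthorizers`, `bpnbaz -listgroups`, `ps -fed | grep vx` and `cat /usr/openv/netbackup/bp.conf` piped in via command substitution.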