NetBackup Access Control (NBAC): a brief overview

NetBackup Access Control (NBAC) is the role-based access control mechanism that is used for master servers, media servers, and clients.

In a nutshell, NBAC offers you higher security and finer permission granularity, but it also makes your backup environment more complex.

NBAC can be used in the following situations:

  • Use a set of permissions for different levels of administrators for an application. A backup application can have operators (perhaps to load and unload tapes).
  • Separate administrators so that root permission to the system is not required to administer the system. You can then separate the administrators for the systems themselves from the ones who administer the applications.

NBAC Components

NBAC is made up of the following components:

  • Root broker — Authenticates the authentication broker. The root broker does not authenticate clients.
  • Authentication broker — Authenticates the master server, media server, GUI, and clients by establishing credentials with each one of them. The authentication broker also authenticates a user when operating a command prompt. There can be more than one authentication broker in a datacenter installation. The authentication broker can be combined with the root broker.
  • Authorization engine — Communicates with the master server and the media server to determine the permissions of an authenticated user. These permissions determine the functionality available to a given server. The authorization engine also stores user groups and permissions. Only one authorization engine is required in a datacenter installation. The authorization engine also communicates over the WAN to authorize other media servers in a multi-datacenter environment.
  • GUI — Specifies a Remote Administration Console that receives credentials from the authentication brokers. The GUI then may use the credentials to gain access to functionality on the clients, media, and master servers.

Note: When you need to upgrade NetBackup, you also have to follow additional steps for the upgrade to complete successfully.

Configuring NBAC

NBAC should be configured on the following NetBackup components:

Configuring NBAC on a Master server

To configure NBAC on the NBU Master server, we need to run the following steps:

  1. Run the bpnbaz -setupmaster command, and enter y to continue with the configuration wizard:
    C:\Program files\Veritas\NetBackup\bin\admincmd> bpnbaz -setupmaster
    You will have to restart NetBackup services on this machne after the command completes successfully.
    Do you want to continue(y/n)y
    Gathering configuration information.
    Please be patient as we wait for 10 sec for the security services to start their operation.
    Generating identity for host 'nbumstr.lab.home'
    Setting up basic authorization information. Please be patient.
    Basic authorization information generated successfully.
    Granting authorization check permissions to host 'nbumstr.lab.home'
    Configuring authentication domains within NetBackup
    Setting up authorization information in NetBackup configuration files.
    Setting up NBAC on target host: nbumast.lab.home
    Warning: NetBackup Master Server is currently configured into AUTOMATIC mode.
    Security will be enforced only in REQUIRED mode. This can be done after entire NetBackup domain is configured with NBAC
    Operation completed successfully.
    
  2. When the setup wizard has finished successfully, restart the NetBackup services:
    C:\Program files\Veritas\NetBackup\bin\admincmd> bpdown -v -f
  3. Once services have restarted, run bpnbat -login to log in to the Authorization component:
    C:\Program files\Veritas\NetBackup\bin\admincmd> bpnbat -login
    Authentication Broker: nbumstr.lab.home
    Authentication port [0 is default:
    Authentication type (NIS, NISPLUS, WINDOWS, vx, unixpwd, ldap): WINDOWS
    Domain: lab.home
    Login name: administrator
    Password: ************
    Operation completed successfully.

Configuring NBAC on a Media Server

To configure NBAC on NBU Media Servers, execute the following steps:

  1. Run bpnbaz -setupmedia with the FQDN of the media server, and enter y to continue with the configuration wizard:
    C:\Program files\Veritas\NetBackup\bin\admincmd> bpnbaz -setupmedia nbumedia.lab.home
    Gathering configuration information.
    You will have to restart NetBackup services on 'nbumedia.lab.home' after the command completes successfully.
    WARNING: Before restarting, please delete AzHandleCache.data file on media server, if exists already at <INSTALL_DIR>\NetBackup\var\vxss directory on Windows or at <INSTALL_DIR>/var/vxss/ on Unix.
    Enter password if the media server is pre 7.0 else press ENTER:
    Setting up NBAC on target 'nbumedia.lab.home'
    Graning authorization check permissions to host 'nbumedia.lab.home'
    The file: SetupMedia.nbac has been updated in the current directory with results of this operation
    Warning: NetBackup Media Server is currently configured in AUTOMATIC mode.
    Security will be enforced only in REQUIRED mode. This can be done after entire NetBackup domain is configured with NBAC
    Operation completed successuflly.
  2. Once the above command is successful, restart NetBackup services on the media server:
    C:\Program files\Veritas\NetBackup\bin\admincmd> bpdown -vf

Note: repeat the above steps for all media servers.

Configuring NBAC on NetBackup clients

To configure NBAC on your NetBackup clients, please follow these steps:

  1. Run bpnbaz -setupclient with the FQDN of the client, and enter y to continue with the configuration wizard:
    C:\Program files\Veritas\NetBackup\bin\admincmd> bpnbaz -setupclient sol9b.lab.home
    Gathering configuration information.
    looking for sol9b.lab.home
    Enter password if the client is pre 7.0 else press ENTER:
    Setting up NBAC on target host: sol8b.lab.home
    The file: SetupClient.nbac has been updated in the current directory with results of this operation
    Warning: NetBackup Client is currently configured in AUTOMATIC mode.
    Security will be enforced only in REQUIRED mode. This can be done after entire NetBackup domain is configured with NBAC
    Operation completed successfully.
  2. Once the above command is successful, restart NetBackup services on the media server:
    C:\Program files\Veritas\NetBackup\bin\admincmd> bpdown -vf

Note: repeat the above steps for all NetBackup clients.


Whilst NBAC offers you higher security and permission granularity, it also makes your backup environment more complex. If you do not need this complexity, simply limit access to the NetBackup machines.