VxSS_Cluster_Netbackup65


  • 8/14/2019 VxSS_Cluster_Netbackup65


    Contents

    Chapter 1 NBAC for a highly available NetBackup Master Server in a clustered environment

    Abstract
    Background
    Explanation of Abbreviations
    Prerequisites
    Installation
        NetBackup
        AT Service
        AZ Service
    Cluster configuration
    NetBackup
        AT Service
        AZ Service
    NetBackup NBAC
        I. Authentication
        II. Authorization
        III. Verification
        IV. Enable ENBAC


    2 NBAC for a highly available NetBackup 6.5 Master Server in a clustered environment

    VxSS refers to Symantec Product Authorization and Authentication Service

    Prerequisites

    NetBackup 6.5
    AT and AZ that are shipped with NetBackup 6.5
    Supported Cluster Environments
    The shared disk must be configured and accessible to all cluster nodes on which you want to install NetBackup
    Verify that you have an IP address and host name (virtual name) to be assigned to the NetBackup cluster group
    The shared disk must be configured and accessible to all cluster nodes on which you want to install AT
    The shared disk must be configured and accessible to all cluster nodes on which you want to install AZ
    Verify that you have an IP address and host name (virtual name) to be assigned to the Symantec Product Authorization and Authentication Service (AT/AZ) cluster group
    For VCS 4.1 and above, AT and AZ each need their own virtual name

    Installation

    Follow the NetBackup, AT Service, and AZ Service information in the following sections.

    NetBackup

    Install NetBackup on each node of the cluster. Please refer to the NetBackup Installation Guides (UNIX, Windows) - as well as the NetBackup High Availability Guide for detailed instructions on configuring a clustered NetBackup server.

    Note: On Windows, the install and cluster configuration of NetBackup is a single step process performed by the installation tool.

    AT Service

    Install and configure AT (typically root+ab) server on each node of the cluster.


    Important:

    Make sure to install the SAME type of AT server on all nodes of the cluster

    Make sure to provide the SAME type of information (e.g. passwords)

    On UNIX

    When asked to perform cluster configuration, answer "yes"

    Provide the virtual name of AT server.

    When asked to start AT server, answer "no"

    On Windows

    Select "Complete" installation

    Check the "service is clustered" checkbox

    Provide the virtual name of AT server in the "Cluster Name" textbox

    AZ Service

    Install and configure AZ server on each node of the cluster

    On UNIX

    When asked to start AZ server, answer "no"

    On Windows

    Select "Custom" installation

    For "ReadOnly" dialog box, select NO

    Cluster configuration

    AT and AZ each require a shared disk. A separate shared disk is also required for NetBackup. Ensure that three shared disks are configured and available to be used by the Symantec Product Authentication and Authorization Service (VxSS) and NetBackup clustering scripts.

    Note: For Microsoft Cluster, AT and AZ use the same shared disk.

    Prior to performing cluster configuration, please ensure the following:

    1 Cluster environment is configured and functioning properly


    2 AT daemon/service is stopped on all nodes in the cluster. On Windows, AT service is set to "manual".

    3 AZ daemon/service is stopped on all nodes in the cluster. On Windows, AT service is set to "manual".

    4 Virtual names are available for NetBackup and Symantec Product Authentication and Authorization Service (VxSS) usage

    A sample environment is shown in the following table.

    Table 1-1 Two-node cluster sample environment

    Node Name
    Vxnbu Node1
    Vxnbu Node2

    A fully qualified domain name example is shown in the following table.

    Note: For VCS 4.1 and above, a separate FQDN virtual name is needed for AT and AZ

    Table 1-2 Fully Qualified Domain Name (FQDN)

    Product             FQDN
    VxSS (AT and AZ)    vxssvirtual.mycompany.com
    NetBackup           nbuvirtual.mycompany.com

    A Windows NT domain example is shown in the following table.

    Table 1-3 Windows NT Domain

    Operating system    Windows NT domain name
    Windows             MYNTDOMAIN


    NetBackup

    For complete details on installing and configuring NetBackup, please refer to the VERITAS Cluster Server Administrator's Guide (under Configuring VERITAS NetBackup).

    AT Service

    Important:

    Prior to clustering AT, ensure NetBackup is offline in the cluster.

    Clustering of AT is performed using a script located in /bin. The script is cluster technology specific. Please refer to the Symantec Product Authentication Service Installation Guide.

    The clustering script will create a cluster group containing the necessary resources for AT and AZ.

    AZ Service

    Clustering of AZ is performed using a script located in /bin. The script is cluster technology specific. Please refer to the Symantec Product Authorization Service Installation Guide.

    [Figure: nodes VxnbuNode1 and VxnbuNode2, private network, clustered NetBackup Master Server]


    Important:

    The script must be run on the node where AT is currently active.

    For UNIX clusters, make sure the shared mount point is the default location (e.g. /var/VRTSaz/shared)

    For SunCluster, the shared mount point must be /var/VRTSaz.

    The clustering script will add the AZ server to the existing Symantec Product Authentication and Authorization Service (VxSS) cluster group. For VCS 4.1 and above, a separate AZ group is created.

    NetBackup NBAC

    I. Authentication

    Authentication steps are performed on all nodes of the cluster. The process is broken down into two parts. Part I steps are performed on the node where Symantec Product Authentication and Authorization Service (VxSS) is currently running. Part II steps are performed on all remaining nodes where Symantec Product Authentication and Authorization Service (VxSS) is NOT running.

    Part I

    On the node where Symantec Product Authentication and Authorization Service (VxSS) cluster group is online, perform the following steps:

    1 Open shell/command window

    2 Change directory to the NetBackup "bin" directory

    3 bpnbat -addmachine

    Sample command output:

    bpnbat -addmachine
    a Machine Name: VxnbuNode1.mycompany.com
    b Password: *****
    c Password: *****
    Operation completed successfully

    a When prompted for the machine name, enter the fully qualified domain name of the host (physical node name) and press enter

    b When prompted enter a password

    c Confirm the password and press enter

    4 Repeat step 3 for all remaining physical node names in the cluster


    5 bpnbat -addmachine

    Sample command output:

    bpnbat -addmachine
    a Machine Name: nbuvirtual.mycompany.com
    b Password: *****
    c Password: *****
    Operation completed successfully

    a When prompted for the machine name, enter the fully qualified domain name of the virtual name (e.g. NetBackup server virtual name, virtual name of application to be backed up) and press enter

    b When prompted enter a password

    c Confirm the password and press enter

    6 Repeat step 5 for all remaining virtual names that NetBackup will be using in the cluster (these include virtual names of applications that NetBackup protects).

    7 bpnbat -LoginMachine

    Sample command output:

    bpnbat -loginmachine
    a Does this machine use Dynamic Host Configuration Protocol (DHCP)? (y/n) n
    b Authentication Broker: vxssvirtual.mycompany.com
    c Authentication port [Enter = default]:
    d Machine Name: VxnbuNode1.mycompany.com
    e Password: *****
    Operation completed successfully.

    a When prompted with the following, select n and press enter
      "Does this machine use Dynamic Host Configuration Protocol (DHCP) (Y/N)"

    b Enter the fully qualified domain name of the authentication broker (FQ Virtual Name) and press enter

    c When prompted for the "Authentication port number", accept the default by pressing enter

    d When prompted for the machine name, enter the fully qualified domain name of the host (physical node name) currently logged into and press enter

    e When prompted enter the password you set earlier

    8 bpnbat -LoginMachine

    Sample command output:

    bpnbat -loginmachine


    a Does this machine use Dynamic Host Configuration Protocol (DHCP)? (y/n) n
    b Authentication Broker: vxssvirtual.mycompany.com
    c Authentication port [Enter = default]:
    d Machine Name: nbuvirtual.mycompany.com
    e Password: *****
    Operation completed successfully.

    a When prompted with the following, select n and press enter
      "Does this machine use Dynamic Host Configuration Protocol (DHCP) (Y/N)"

    b Enter the fully qualified domain name of the authentication broker (FQ Virtual Name) and press enter

    c When prompted for the "Authentication port number", accept the default by pressing enter

    d When prompted for the machine name, enter the fully qualified domain name of the virtual name (e.g. NetBackup server virtual name, virtual name of application to be backed up) and press enter

    e When prompted enter the password you set earlier

    9 Repeat step 8 for all remaining virtual names that NetBackup will be using in the cluster (these include virtual names of applications that NetBackup protects).

    10 Exit shell/command window

    Part II

    On the node where Symantec Product Authentication and Authorization Service (VxSS) cluster group is offline (not running), perform the following steps:

    1 Open shell/command window

    2 Change directory to the NetBackup "bin" directory

    3 bpnbat -LoginMachine

    Sample command output:

    bpnbat -loginmachine
    a Does this machine use Dynamic Host Configuration Protocol (DHCP)? (y/n) n
    b Authentication Broker: vxssvirtual.mycompany.com
    c Authentication port [Enter = default]:
    d Machine Name: VxnbuNode2.mycompany.com
    e Password: *****
    Operation completed successfully.


    a When prompted with the following, select n and press enter
      "Does this machine use Dynamic Host Configuration Protocol (DHCP) (Y/N)"

    b Enter the fully qualified domain name of the authentication broker (FQ Virtual Name) and press enter

    c When prompted for the "Authentication port number", accept the default by pressing enter

    d When prompted for the machine name, enter the fully qualified domain name of the host (physical node name) currently logged into and press enter

    e When prompted enter the password you set earlier

    4 bpnbat -LoginMachine

    Sample command output:

    bpnbat -loginmachine
    a Does this machine use Dynamic Host Configuration Protocol (DHCP)? (y/n) n
    b Authentication Broker: vxssvirtual.mycompany.com
    c Authentication port [Enter = default]:
    d Machine Name: nbuvirtual.mycompany.com
    e Password: *****
    Operation completed successfully.

    a When prompted with the following, select n and press enter
      "Does this machine use Dynamic Host Configuration Protocol (DHCP) (Y/N)"

    b Enter the fully qualified domain name of the authentication broker (FQ Virtual Name) and press enter

    c When prompted for the "Authentication port number", accept the default by pressing enter

    d When prompted for the machine name, enter the fully qualified domain name of the virtual name (e.g. NetBackup server virtual name, virtual name of application to be backed up) and press enter

    e When prompted enter the password you set earlier

    5 Repeat step 4 for all remaining virtual names that NetBackup will be using in the cluster (these include virtual names of applications that NetBackup protects).

    6 Repeat steps 1-5 for all remaining nodes where Symantec Product Authentication and Authorization Service (VxSS) cluster group is offline (not running).


    II. Authorization

    Authorization steps are only performed on the node where Symantec Product Authentication and Authorization Service (VxSS) is currently running.

    On the node where Symantec Product Authentication and Authorization Service (VxSS) cluster group is online, perform the following steps:

    1 Open shell/command window

    2 Change directory to the NetBackup "admincmd" directory (under netbackup\bin)

    3 bpnbaz -SetupSecurity -server


    Sample command output:

    bpnbaz -AllowAuthorization VxnbuNode1.mycompany.com -server vxssvirtual.mycompany.com
    Operation completed successfully.

    5 Repeat step 4 for all remaining physical node names in the cluster

    6 bpnbaz -AllowAuthorization -server

    Sample command output:

    bpnbaz -AllowAuthorization nbuvirtual.mycompany.com -server vxssvirtual.mycompany.com
    Operation completed successfully.

    7 Exit shell/command window

    Important:

    If the authentication type is "unixpwd", each node name of the cluster must be added to the NBU_Admin and "NBU_Security Admin" groups as follows:

    bpnbaz -AddUser NBU_Admin unixpwd:: -Server

    and

    bpnbaz -AddUser "NBU_Security Admin" unixpwd:: -Server

    Note: You may need to perform bpnbat -login prior to running these commands.

    e.g.

    bpnbaz -AddUser "NBU_Admin" unixpwd:VxnbuNode1.mycompany.com:root -Server vxssvirtual.mycompany.com
    Operation completed successfully.

    bpnbaz -AddUser "NBU_Security Admin" unixpwd:VxnbuNode1.mycompany.com:root -Server vxssvirtual.mycompany.com
    Operation completed successfully.


    III. Verification

    On the node where Symantec Product Authentication and Authorization Service (VxSS) is online (currently running), perform the following steps:

    1 Launch shell/command window

    2 Change directory to the NetBackup "bin" directory

    3 bpnbat -login

    a Enter the fully qualified domain name of the authentication broker (FQ Virtual name) and press enter.

    b When prompted for the "Authentication port number", accept the default by pressing enter.

    c When prompted for the authentication type on a Windows master enter NT and press enter.

    d When prompted enter the domain name ONLY (e.g. NT domain name).

    e When prompted for a login name, enter the account that will be the first security principal (e.g. administrator).

    f Enter the password for this account and press enter.

    4 Change directory to the NetBackup "admincmd" directory (under netbackup\bin)

    5 bpnbaz -ShowAuthorizers -Server vxssvirtual.mycompany.com

    Sample output:

    ==========

    Type: User

    Domain Type: windows

    Domain:[email protected]

    Name: nbuvirtual.mycompany.com

    ==========

    Type: User

    Domain Type: windows

    Domain:[email protected]

    Name: vxnbuNode1.mycompany.com

    ==========

    Type: User

    Domain Type: windows

    Domain:[email protected]

    Name: vxnbuNode2.mycompany.com

    Operation completed successfully.

    6 bpnbaz -ListGroups -Server vxssvirtual.mycompany.com

    Sample output:


    NBU_User
    NBU_Operator
    NBU_Admin
    NBU_Security Admin
    Vault_Operator
    NBU_SAN Admin
    Operation completed successfully.
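Step 5 can be checked mechanically. This Python script is an added example, not part of the original document: it parses text in the bpnbaz -ShowAuthorizers sample format above and reports physical node and virtual names missing from the authorizer list, plus listed names that are not expected (compared case-insensitively, since the sample prints vxnbuNode1 where the commands used VxnbuNode1). The function names, the placeholder Domain value and the host oldnode.mycompany.com are constructed for illustration.

```python
"""Check `bpnbaz -ShowAuthorizers` output against the expected cluster hosts."""

# Constructed sample in the format of the Verification step's sample output.
# The Domain value is a placeholder; VxnbuNode2 is left out on purpose and
# oldnode.mycompany.com is a made-up stale entry.
SAMPLE_OUTPUT = """\
==========
Type: User
Domain Type: windows
Domain: PLACEHOLDER_DOMAIN
Name: nbuvirtual.mycompany.com
==========
Type: User
Domain Type: windows
Domain: PLACEHOLDER_DOMAIN
Name: vxnbuNode1.mycompany.com
==========
Type: User
Domain Type: windows
Domain: PLACEHOLDER_DOMAIN
Name: oldnode.mycompany.com
Operation completed successfully.
"""


def parse_authorizers(text):
    """Split the output on '==========' rulers into one dict per record."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line and set(line) == {"="}:      # a ruler starts a new record
            current = {}
            records.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    # Keep only records that actually carry a Name field.
    return [r for r in records if r.get("Name")]


def audit_authorizers(text, physical_nodes, virtual_names):
    """Return (missing, unexpected) host names, compared case-insensitively."""
    expected = {h.lower() for h in list(physical_nodes) + list(virtual_names)}
    found = {r["Name"].lower() for r in parse_authorizers(text)}
    return sorted(expected - found), sorted(found - expected)


if __name__ == "__main__":
    missing, unexpected = audit_authorizers(
        SAMPLE_OUTPUT,
        physical_nodes=["VxnbuNode1.mycompany.com", "VxnbuNode2.mycompany.com"],
        virtual_names=["nbuvirtual.mycompany.com"],
    )
    for host in missing:
        print(f"MISSING    {host}: run bpnbaz -AllowAuthorization for it")
    for host in unexpected:
        print(f"UNEXPECTED {host}: not a current cluster node or virtual name")
    raise SystemExit(1 if missing or unexpected else 0)
```

In practice the text passed to audit_authorizers would be the captured output of step 5 rather than the constructed sample.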

    IV. Enable ENBAC

    Bring NetBackup online on a node in the cluster. Launch the NetBackup administration console GUI to configure NetBackup access control.

    1 Select the Master server host properties, access control section.

    2 In the Symantec Authentication and Authorization Service tab configure the following:

    a Set the VxSS services to automatic.

    b Add the physical cluster node names (fully qualified domain name) as hosts
      For Example:
      vxnbuNode1.mycompany.com
      vxnbuNode2.mycompany.com

    c Add the NetBackup Virtual Name FQDN as host
      For Example:
      nbuvirtual.mycompany.com

    d Add the domain name as domain type
      For Example:
      mycompany.com

    e For each of the above set the VxSS to "automatic" in the attributes section to the right of the VxSS network list.

    3 Select the Authentication Domain tab

    a Click Add button

    b Specify the domain name, authentication mechanism, and broker name for the domain
      For Example, see the table below.


    4 Select the authorization service tab

    a Enter the fully qualified domain name (virtual name) of the authorization broker

    b Click Apply

    c Select "Current Node only"

    d Click OK

    e Close the NetBackup administration console

    5 Fail over the NetBackup group to each of the remaining nodes and perform steps 1-4.

    6 For NBAC to take effect, restart NetBackup by performing offline and online

    a Perform offline of NetBackup resource

    b Perform online of NetBackup resource

    Note: It is important to run the bpnbat -LoginMachine command every 14 days, or instead call NetBackup support to obtain the engineering binaries that address this situation.

    Table 1-4 Authentication Domain tab example entries

    Domain name      Authentication   Broker
    mycompany.com    NIS              vxssvirtual.mycompany.com
    MYNTDOMAIN       WINDOWS          vxssvirtual.mycompany.com