VxSS_Cluster_Netbackup65

8/14/2019 VxSS_Cluster_Netbackup65

1/16

Contents

Chapter 1 NBAC for a highly available NetBackup Master Server in aclustered environment

Abstract ...................................................................................................................1

Background .............................................................................................................1

Explanation of Abbreviations ..............................................................................1

Prerequisites ...........................................................................................................2

Installation ..............................................................................................................2

NetBackup .......................................................................................................2

AT Service .......................................................................................................2

AZ Service ........................................................................................................3Cluster configuration ............................................................................................3

NetBackup ...............................................................................................................5

AT Service .......................................................................................................5

AZ Service ........................................................................................................5

NetBackup NBAC ....................................................................................................6

I. Authentication ............................................................................................ 6

II. Authorization ...........................................................................................10

III. Verification .............................................................................................12IV. Enable ENBAC .........................................................................................13


2/16

2 Contents


3/16


4/16

2 NBAC for a highly available NetBackup 6.5 Master Server in a clustered environment

Prerequisites

VxSS refers to Symantec Product Authorization and Authentication Service

Prerequisites NetBackup 6.5

AT and AZ that are shipped with NetBackup 6.5

Supported Cluster Environments

The shared disk must be configured and accessible to all cluster nodes onwhich you want to install NetBackup

Verify that you have an IP address and host name (virtual name) to be

assigned to the NetBackup cluster group

The shared disk must be configured and accessible to all cluster nodes on

which you want to install AT

The shared disk must be configured and accessible to all cluster nodes on

which you want to install AZ

Verify that you have an IP address and host name (virtual name) to be

assigned to the Symantec Product Authorization and Authentication Service

(AT/AZ) cluster group

For VCS 4.1 and above, AT and AZ each need their own virtual name

InstallationFollow the NetBackup, AT Service, and AZ Service information in the following

sections.

NetBackupInstall NetBackup on each node of the cluster. Please refer to the NetBackup

Installation Guides (UNIX, Windows) - as well as the NetBackup HighAvailability Guide for detailed instructions on configuring a clustered

NetBackup server.

Note: On Windows, the install and cluster configuration of NetBackup is a single

step process performed by the installation tool.

AT ServiceInstall and configure AT (typically root+ab) server on each node of the cluster.


5/16

3NBAC for a highly available NetBackup 6.5 Master Server in a clustered environment

Cluster configuration

Important:

Make sure to install the SAME type of AT server on all nodes of the cluster

Make sure to provide the SAME type of information (e.g. passwords)

On UNIX

When asked to perform cluster configuration, answer "yes"

Provide the virtual name of AT server.

When asked to start AT server, answer "no"

On Windows

Select "Complete" installation

Check the "service is clustered" checkbox

Provide the virtual name of AT server in the "Cluster Name" textbox

AZ ServiceInstall and configure AZ server on each node of the cluster

On UNIX

When asked to start AZ server, answer "no"

On Windows

Select "Custom" installation

For "ReadOnly" dialog box, select NO

Cluster configurationAT and AZ each require a shared disk. A separate shared disk is also required for

NetBackup. Ensure that three shared disks are configured and available to be

used by the Symantec Product Authentication and Authorization Service (VxSS)

and NetBackup clustering scripts.

Note: For Microsoft Cluster, AT and AZ use the same shared disk.

Prior to performing cluster configuration, please ensure the following:

1 Cluster environment is configured and functioning properly


6/16


Cluster configuration

2 AT daemon/service is stopped on all nodes in the cluster. On Windows, AT

service is set to "manual".

3 AZ daemon/service is stopped on all nodes in the cluster. On Windows, AT

service is set to "manual".

4 Virtual names are available for NetBackup and Symantec Product

Authentication and Authorization Service (VxSS) usage

A sample environment is shown in the following table.

A fully qualified domain name example is shown in the following table.

Note: For VCS 4.1 and above, a separate FQDN virtual name is needed for AT and

AZ

A Windows NT domain example is shown in the following table.

Table 1-1 Two-node cluster sample environment

Node Name

Vxnbu Node1

Vxnbu Node2

Table 1-2 Fully Qualified Domain Name (FQDN)

Product FQDN

VxSS (AT and AZ) vxssvirtual.mycompany.com

NetBackup nbuvirtual.mycompany.com

Table 1-3 Windows NT Domain

Operating system Windows NT domain name

Windows MYNTDOMAIN


7/16


NetBackup

NetBackupFor complete details on installing and configuring NetBackup, please refer to

the VERITAS Cluster Server Administrator's Guide (under Configuring

VERITAS NetBackup).

AT Service

Important:

Prior to clustering AT, ensure NetBackup is offline in the cluster.

Clustering of AT is performed using a script located in /bin. The

script is cluster technology specific. Please refer to the Symantec ProductAuthentication Service Installation Guide.

The clustering script will create a cluster group containing the necessary

resources for AT and AZ.

AZ ServiceClustering of AZ is performed using a script located in /bin. The

script is cluster technology specific. Please refer to the Symantec ProductAuthorization Service Installation Guide.

VxnbuNode1 VxnbuNode2

PrivateNetwork

NetBackupMaster ServerClustered


8/16


NetBackup NBAC

Important:

The script must be run on the node where AT is currently active.

For UNIX clusters, make sure the shared mount point is the default location

(e.g. /var/VRTSaz/shared)

For SunCluster, the shared mount point must be /var/VRTSaz.

The clustering script will add the AZ server to the existing Symantec

Product Authentication and Authorization Service (VxSS) cluster group. For

VCS 4.1 and above, a separate AZ group is created.

NetBackup NBAC

I. AuthenticationAuthentication steps are performed on all nodes of the cluster. It is broken down

to a two part process. Part I steps are performed on the node where SymantecProduct Authentication and Authorization Service (VxSS) is currently running,

Part II steps are performed on all remaining nodes where Symantec Product

Authentication and Authorization Service (VxSS) is NOT running.

Part I

On the node where Symantec Product Authentication and Authorization Service

(VxSS) cluster group is online, perform the following steps:1 Open shell/command window

2 Change directory to the NetBackup "bin" directory

3 bpnbat -addmachine

Sample command output:

bpnbat -addmachineaMachine Name: VxnbuNode1.mycompany.com

bPassword:*****cPassword: *****

Operation completed successfully

a When prompted for the machine name, enter the fully qualified domain

name of the host (physical node name) and press enter

b When prompted enter a password

c Confirm the password and press enter

4 Repeat step 3 for all remaining physical node names in the cluster


9/16


NetBackup NBAC

5 bpnbat -addmachine

Sample command output:bpnbat -addmachineaMachine Name: nbuvirtual.mycompany.combPassword:*****cPassword: *****

Operation completed successfully

a When prompted for the machine name, enter the fully qualified domain

name of the virtual name (e.g. NetBackup server virtual name, virtual

name of application to be backed up) and press enter

b When prompted enter a password

c Confirm the password and press enter

6 Repeat step 5 for all remaining virtual names that NetBackup will be using

in the cluster (these include virtual names of applications that NetBackup

protects).

7 bpnbat - LoginMachineSample command output:

bpnbat -loginmachineaDoes this machine use Dynamic Host Configuration Protocol (DHCP)? (y/n)

nbAuthentication Broker: vxssvirtual.mycompany.comcAuthentication port [Enter = default]:dMachine Name: VxnbuNode1.mycompany.comePassword: *****

Operation completed successfully.

a When prompted with the following, select n and press enter

"Does this machine use Dynamic Host Configuration Protocol (DHCP)

(Y/N)"

b Enter the fully qualified domain name of the authentication broker (FQ

Virtual Name) and press enter

c When prompted for the "Authentication port number", accept the

default by pressing enter

d When prompted for the machine name, enter the fully qualified domain

name of the host (physical node name) currently logged into and press

enter

e When prompted enter the password you set earlier


bpnbat -loginmachine


10/16


NetBackup NBAC

aDoes this machine use Dynamic Host Configuration Protocol (DHCP)? (y/n)

nbAuthentication Broker: vxssvirtual.mycompany.comcAuthentication port [Enter = default]:dMachine Name: nbuvirtual.mycompany.comePassword: *****



"Does this machine use Dynamic Host Configuration Protocol (DHCP)

(Y/N)"






name of the virtual name (e.g. NetBackup server virtual name, virtualname of application to be backed up) and press enter




protects).

10 Exit shell/command window

Part II


(VxSS) cluster group is offline (not running), perform the following steps:

1 Open shell/command window




nbAuthentication Broker: vxssvirtual.mycompany.comcAuthentication port [Enter = default]:dMachine Name: VxnbuNode2.mycompnay.com

ePassword: *****Operation completed successfully.


11/16


NetBackup NBAC


"Does this machine use Dynamic Host Configuration Protocol (DHCP)(Y/N)"






name of the host (physical node name) currently logged into and pressenter


4 bpnbat - LoginMachine



nbAuthentication Broker: vxssvirtual.mycompany.comcAuthentication port [Enter = default]:dMachine Name: nbuvirtual.mycompnay.comePassword: *****


a When prompted with the following, select n and press enter "Does this

machine use Dynamic Host Configuration Protocol (DHCP) (Y/N)"b Enter the fully qualified domain name of the authentication broker (FQ





name of the virtual name (e.g. NetBackup server virtual name, virtual

name of application to be backed up) and press enter




protects).

6 Repeat steps 1-5 for all remaining nodes where Symantec Product

Authentication and Authorization Service (VxSS) cluster group is offline

(not running).


12/16


NetBackup NBAC

II. AuthorizationAuthorization steps are only performed on the node where Symantec Product

Authentication and Authorization Service (VxSS) is currently running.


(VxSS) cluster group is online, perform the following steps:

1 Open shell/command window

2 Change directory to the NetBackup "admincmd" directory (under

netbackup\bin)3 bpnbaz -SetupSecurity -server


13/16


NetBackup NBAC


bpnbaz -AllowAuthorization VxnbuNode1.mycompany.com -servervxssvirtual.mycompany.com


5 Repeat step 4 for all remaining physical node names in the cluster

6 bpnbaz -AllowAuthorization -server


bpnbaz -AllowAuthorization nbuvirtual.mycompany.com -servervxssvirtual.mycompany.com


7 Exit shell/command window

Important:

If the authentication type is "unixpwd", each node name of the cluster must be

added to the NBU_Admin and NBU_Security_Admin groups as follows:bpnbaz -AddUser

NBU_Admin unixpwd::

-Server

and

bpnbaz -AddUser

"NBU_Security Admin" unixpwd::

-Server

Note: You may need to perform bpnbat -login prior to running these commands.

e.g.

bpnbaz -AddUser "NBU_Admin" unixpwd:VxnbuNode1.mycompany.com:root

-Server vxssvirtual.mycompany.com


bpnbaz -AddUser "NBU_Security Admin"

unixpwd:VxnbuNode1.mycompany.com:root

-Server vxssvirtual.mycompany.com



14/16


NetBackup NBAC

III. VerificationOn the node where Symantec Product Authentication and Authorization Service

(VxSS) is online (currently running), perform the following steps:

1 Launch shell/command window


3 bpnbat -login

a Enter the fully qualified domain name of the authentication broker (FQ

Virtual name) and press enter.

b When prompted for the "Authentication port number", accept the

default by pressing enter.

c When prompted for the authentication type on a windows master enter

NT and press enter.

d When prompted enter the domain name ONLY (e.g. NT domain name).

e When prompted for a login name, enter the account that will be the firstsecurity principal (e.g. administrator).

f Enter the password for this account and press enter.

4 Change directory to the NetBackup "admincmd" directory (under

netbackup\bin)

5 bpnbaz -ShowAuthorizers -Server vxssvirtual.mycompany.com

Sample output:

==========

Type: User

Domain Type: windows

Domain:[email protected]

Name: nbuvirtual.mycompany.com

==========

Type: User



Name: vxnbuNode1.mycompany.com

==========

Type: User



Name: vxnbuNode2.mycompany.com


6 bpnbaz -ListGroups -Server vxssvirtual.mycompany.com

Sample output:


15/16


NetBackup NBAC

NBU_User

NBU_OperatorNBU_Admin

NBU_Security Admin

Vault_Operator

NBU_SAN Admin


IV. Enable ENBACBring NetBackup online on a node in the cluster. Launch the NetBackup

administration console GUI to configure NetBackup access control.

1 Select the Master server host properties, access control section.

2 In the Symantec Authentication and Authorization Service tab configure

the following:

a Set the VxSS services to automatic.

b Add the physical cluster node names (fully qualified domain name) as

hosts

For Example:

vxnbuNode1.mycompany.com

vxnbuNode2.mycompany.com

c Add the NetBackup Virtual Name FQDN as host

For Example:

nbuvirtual.mycompany.com

d Add the domain name as domain type

For Example:

mycompany.com

e For each of the above set the VxSS to "automatic" in the attributes

section to the right of the VxSS network list.

3 Select the Authentication Domain tab

a Click Add button

b Specify the domain name, authentication mechanism, and broker name

for the domain

For Example, see the table below.


16/16


NetBackup NBAC

4 Select the authorization service tab

a Enter the fully qualified domain name (virtual name) of the

authorization broker

b Click Apply

c Select "Current Node only"

d Click OK

e Close the NetBackup administration console5 Failover NetBackup group to each of the remaining nodes and performs

steps 1-4.

6 For NBAC to take effect, restart NetBackup by performing offline and online

a Perform offline of NetBackup resource

b Perform online of NetBackup resource

Note: It is important to perform the bpnbat -LoginMachine command every 14

days or instead call the NetBackup support to obtain the engineering binaries

that address this situation.

Table 1-4 Authentication Domain tab example entries

Domain name Authentication Broker

mycompany.com NIS vxssvirtual.mycompany.com

MYNTDOMAIN WINDOWS vxssvirtual.mycompany.com

Documents

VxSS_Cluster_Netbackup65