8/14/2019 VxSS_Cluster_Netbackup65
Contents
Chapter 1 NBAC for a highly available NetBackup Master Server in a clustered environment
Abstract
Background
Explanation of Abbreviations
Prerequisites
Installation
    NetBackup
    AT Service
    AZ Service
Cluster configuration
NetBackup
    AT Service
    AZ Service
NetBackup NBAC
    I. Authentication
    II. Authorization
    III. Verification
    IV. Enable ENBAC
NBAC for a highly available NetBackup 6.5 Master Server in a clustered environment
VxSS refers to Symantec Product Authorization and Authentication Service
Prerequisites
NetBackup 6.5
AT and AZ that are shipped with NetBackup 6.5
Supported Cluster Environments
The shared disk must be configured and accessible to all cluster nodes on which you want to install NetBackup
Verify that you have an IP address and host name (virtual name) to be assigned to the NetBackup cluster group
The shared disk must be configured and accessible to all cluster nodes on which you want to install AT
The shared disk must be configured and accessible to all cluster nodes on which you want to install AZ
Verify that you have an IP address and host name (virtual name) to be assigned to the Symantec Product Authorization and Authentication Service (AT/AZ) cluster group
For VCS 4.1 and above, AT and AZ each need their own virtual name
Installation
Follow the NetBackup, AT Service, and AZ Service information in the following sections.
NetBackup
Install NetBackup on each node of the cluster. Please refer to the NetBackup Installation Guides (UNIX, Windows) as well as the NetBackup High Availability Guide for detailed instructions on configuring a clustered NetBackup server.
Note: On Windows, the install and cluster configuration of NetBackup is a single step process performed by the installation tool.
AT Service
Install and configure AT (typically root+ab) server on each node of the cluster.
Important:
Make sure to install the SAME type of AT server on all nodes of the cluster
Make sure to provide the SAME type of information (e.g. passwords)
On UNIX
When asked to perform cluster configuration, answer "yes"
Provide the virtual name of AT server.
When asked to start AT server, answer "no"
On Windows
Select "Complete" installation
Check the "service is clustered" checkbox
Provide the virtual name of AT server in the "Cluster Name" textbox
AZ Service
Install and configure AZ server on each node of the cluster
On UNIX
When asked to start AZ server, answer "no"
On Windows
Select "Custom" installation
For "ReadOnly" dialog box, select NO
Cluster configuration
AT and AZ each require a shared disk. A separate shared disk is also required for
NetBackup. Ensure that three shared disks are configured and available to be
used by the Symantec Product Authentication and Authorization Service (VxSS)
and NetBackup clustering scripts.
Note: For Microsoft Cluster, AT and AZ use the same shared disk.
Prior to performing cluster configuration, please ensure the following:
1 Cluster environment is configured and functioning properly
2 AT daemon/service is stopped on all nodes in the cluster. On Windows, AT
service is set to "manual".
3 AZ daemon/service is stopped on all nodes in the cluster. On Windows, AT
service is set to "manual".
4 Virtual names are available for NetBackup and Symantec Product
Authentication and Authorization Service (VxSS) usage
A sample environment is shown in the following table.
Table 1-1 Two-node cluster sample environment
Node Name
VxnbuNode1
VxnbuNode2
A fully qualified domain name example is shown in the following table.
Table 1-2 Fully Qualified Domain Name (FQDN)
Product             FQDN
VxSS (AT and AZ)    vxssvirtual.mycompany.com
NetBackup           nbuvirtual.mycompany.com
Note: For VCS 4.1 and above, a separate FQDN virtual name is needed for AT and AZ
A Windows NT domain example is shown in the following table.
Table 1-3 Windows NT Domain
Operating system    Windows NT domain name
Windows             MYNTDOMAIN
NetBackup
For complete details on installing and configuring NetBackup, please refer to the VERITAS Cluster Server Administrator's Guide (under Configuring VERITAS NetBackup).
AT Service
Important:
Prior to clustering AT, ensure NetBackup is offline in the cluster.
Clustering of AT is performed using a script located in /bin. The script is cluster technology specific. Please refer to the Symantec Product Authentication Service Installation Guide.
The clustering script will create a cluster group containing the necessary
resources for AT and AZ.
AZ Service
Clustering of AZ is performed using a script located in /bin. The script is cluster technology specific. Please refer to the Symantec Product Authorization Service Installation Guide.
[Figure: VxnbuNode1 and VxnbuNode2, private network, clustered NetBackup Master Server]
Important:
The script must be run on the node where AT is currently active.
For UNIX clusters, make sure the shared mount point is the default location
(e.g. /var/VRTSaz/shared)
For SunCluster, the shared mount point must be /var/VRTSaz.
The clustering script will add the AZ server to the existing Symantec
Product Authentication and Authorization Service (VxSS) cluster group. For
VCS 4.1 and above, a separate AZ group is created.
NetBackup NBAC
I. Authentication
Authentication steps are performed on all nodes of the cluster, in a two-part process. Part I steps are performed on the node where Symantec Product Authentication and Authorization Service (VxSS) is currently running. Part II steps are performed on all remaining nodes where Symantec Product Authentication and Authorization Service (VxSS) is NOT running.
Part I
On the node where Symantec Product Authentication and Authorization Service
(VxSS) cluster group is online, perform the following steps:
1 Open shell/command window
2 Change directory to the NetBackup "bin" directory
3 bpnbat -addmachine
Sample command output:
bpnbat -addmachine
(a) Machine Name: VxnbuNode1.mycompany.com
(b) Password: *****
(c) Password: *****
Operation completed successfully
a When prompted for the machine name, enter the fully qualified domain
name of the host (physical node name) and press enter
b When prompted enter a password
c Confirm the password and press enter
4 Repeat step 3 for all remaining physical node names in the cluster
5 bpnbat -addmachine
Sample command output:
bpnbat -addmachine
(a) Machine Name: nbuvirtual.mycompany.com
(b) Password: *****
(c) Password: *****
Operation completed successfully
a When prompted for the machine name, enter the fully qualified domain
name of the virtual name (e.g. NetBackup server virtual name, virtual
name of application to be backed up) and press enter
b When prompted enter a password
c Confirm the password and press enter
6 Repeat step 5 for all remaining virtual names that NetBackup will be using
in the cluster (these include virtual names of applications that NetBackup
protects).
7 bpnbat -LoginMachine
Sample command output:
bpnbat -loginmachine
(a) Does this machine use Dynamic Host Configuration Protocol (DHCP)? (y/n) n
(b) Authentication Broker: vxssvirtual.mycompany.com
(c) Authentication port [Enter = default]:
(d) Machine Name: VxnbuNode1.mycompany.com
(e) Password: *****
Operation completed successfully.
a When prompted with the following, select n and press enter
"Does this machine use Dynamic Host Configuration Protocol (DHCP)
(Y/N)"
b Enter the fully qualified domain name of the authentication broker (FQ
Virtual Name) and press enter
c When prompted for the "Authentication port number", accept the
default by pressing enter
d When prompted for the machine name, enter the fully qualified domain
name of the host (physical node name) currently logged into and press
enter
e When prompted enter the password you set earlier
8 bpnbat -LoginMachine
Sample command output:
bpnbat -loginmachine
(a) Does this machine use Dynamic Host Configuration Protocol (DHCP)? (y/n) n
(b) Authentication Broker: vxssvirtual.mycompany.com
(c) Authentication port [Enter = default]:
(d) Machine Name: nbuvirtual.mycompany.com
(e) Password: *****
Operation completed successfully.
a When prompted with the following, select n and press enter
"Does this machine use Dynamic Host Configuration Protocol (DHCP)
(Y/N)"
b Enter the fully qualified domain name of the authentication broker (FQ
Virtual Name) and press enter
c When prompted for the "Authentication port number", accept the
default by pressing enter
d When prompted for the machine name, enter the fully qualified domain name of the virtual name (e.g. NetBackup server virtual name, virtual name of application to be backed up) and press enter
e When prompted enter the password you set earlier
9 Repeat step 8 for all remaining virtual names that NetBackup will be using
in the cluster (these include virtual names of applications that NetBackup
protects).
10 Exit shell/command window
Part II
On the node where Symantec Product Authentication and Authorization Service
(VxSS) cluster group is offline (not running), perform the following steps:
1 Open shell/command window
2 Change directory to the NetBackup "bin" directory
3 bpnbat -LoginMachine
Sample command output:
bpnbat -loginmachine
(a) Does this machine use Dynamic Host Configuration Protocol (DHCP)? (y/n) n
(b) Authentication Broker: vxssvirtual.mycompany.com
(c) Authentication port [Enter = default]:
(d) Machine Name: VxnbuNode2.mycompany.com
(e) Password: *****
Operation completed successfully.
a When prompted with the following, select n and press enter
"Does this machine use Dynamic Host Configuration Protocol (DHCP) (Y/N)"
b Enter the fully qualified domain name of the authentication broker (FQ Virtual Name) and press enter
c When prompted for the "Authentication port number", accept the default by pressing enter
d When prompted for the machine name, enter the fully qualified domain name of the host (physical node name) currently logged into and press enter
e When prompted enter the password you set earlier
4 bpnbat -LoginMachine
Sample command output:
bpnbat -loginmachine
(a) Does this machine use Dynamic Host Configuration Protocol (DHCP)? (y/n) n
(b) Authentication Broker: vxssvirtual.mycompany.com
(c) Authentication port [Enter = default]:
(d) Machine Name: nbuvirtual.mycompany.com
(e) Password: *****
Operation completed successfully.
a When prompted with the following, select n and press enter
"Does this machine use Dynamic Host Configuration Protocol (DHCP) (Y/N)"
b Enter the fully qualified domain name of the authentication broker (FQ Virtual Name) and press enter
c When prompted for the "Authentication port number", accept the
default by pressing enter
d When prompted for the machine name, enter the fully qualified domain
name of the virtual name (e.g. NetBackup server virtual name, virtual
name of application to be backed up) and press enter
e When prompted enter the password you set earlier
5 Repeat step 4 for all remaining virtual names that NetBackup will be using
in the cluster (these include virtual names of applications that NetBackup
protects).
6 Repeat steps 1-5 for all remaining nodes where Symantec Product
Authentication and Authorization Service (VxSS) cluster group is offline
(not running).
II. Authorization
Authorization steps are only performed on the node where Symantec Product Authentication and Authorization Service (VxSS) is currently running.
On the node where Symantec Product Authentication and Authorization Service
(VxSS) cluster group is online, perform the following steps:
1 Open shell/command window
2 Change directory to the NetBackup "admincmd" directory (under netbackup\bin)
3 bpnbaz -SetupSecurity -server
Sample command output:
bpnbaz -AllowAuthorization VxnbuNode1.mycompany.com -server vxssvirtual.mycompany.com
Operation completed successfully.
5 Repeat step 4 for all remaining physical node names in the cluster
6 bpnbaz -AllowAuthorization -server
Sample command output:
bpnbaz -AllowAuthorization nbuvirtual.mycompany.com -server vxssvirtual.mycompany.com
Operation completed successfully.
7 Exit shell/command window
Important:
If the authentication type is "unixpwd", each node name of the cluster must be added to the NBU_Admin and NBU_Security_Admin groups as follows:
bpnbaz -AddUser NBU_Admin unixpwd:: -Server
and
bpnbaz -AddUser "NBU_Security Admin" unixpwd:: -Server
Note: You may need to perform bpnbat -login prior to running these commands.
e.g.
bpnbaz -AddUser "NBU_Admin" unixpwd:VxnbuNode1.mycompany.com:root -Server vxssvirtual.mycompany.com
Operation completed successfully.
bpnbaz -AddUser "NBU_Security Admin" unixpwd:VxnbuNode1.mycompany.com:root -Server vxssvirtual.mycompany.com
Operation completed successfully.
III. Verification
On the node where Symantec Product Authentication and Authorization Service (VxSS) is online (currently running), perform the following steps:
1 Launch shell/command window
2 Change directory to the NetBackup "bin" directory
3 bpnbat -login
a Enter the fully qualified domain name of the authentication broker (FQ
Virtual name) and press enter.
b When prompted for the "Authentication port number", accept the
default by pressing enter.
c When prompted for the authentication type on a Windows master enter NT and press enter.
d When prompted enter the domain name ONLY (e.g. NT domain name).
e When prompted for a login name, enter the account that will be the first security principal (e.g. administrator).
f Enter the password for this account and press enter.
4 Change directory to the NetBackup "admincmd" directory (under
netbackup\bin)
5 bpnbaz -ShowAuthorizers -Server vxssvirtual.mycompany.com
Sample output:
==========
Type: User
Domain Type: windows
Domain:[email protected]
Name: nbuvirtual.mycompany.com
==========
Type: User
Domain Type: windows
Domain:[email protected]
Name: vxnbuNode1.mycompany.com
==========
Type: User
Domain Type: windows
Domain:[email protected]
Name: vxnbuNode2.mycompany.com
Operation completed successfully.
6 bpnbaz -ListGroups -Server vxssvirtual.mycompany.com
Sample output:
NBU_User
NBU_Operator
NBU_Admin
NBU_Security Admin
Vault_Operator
NBU_SAN Admin
Operation completed successfully.
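The check in step 5 can be scripted. The following is an added example, not part of the original guide: it parses bpnbaz -ShowAuthorizers output and reports any expected physical or virtual name that is missing, comparing case-insensitively because the guide's samples show both VxnbuNode1 and vxnbuNode1. The function names, the constructed sample output and the <machine-domain> placeholder are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): check that every cluster name
# appears as an authorizer in `bpnbaz -ShowAuthorizers` output.

# Constructed sample modelled on the guide's output, with VxnbuNode2 left out.
# "<machine-domain>" is a placeholder, not a real value.
sample_output() {
cat <<'EOF'
==========
Type: User
Domain Type: windows
Domain: <machine-domain>
Name: nbuvirtual.mycompany.com
==========
Type: User
Domain Type: windows
Domain: <machine-domain>
Name: vxnbuNode1.mycompany.com
Operation completed successfully.
EOF
}

# Print every "Name:" value, lower-cased, one per line (reads stdin).
list_authorizers() {
    tr -d '\r' |
    awk -F': *' '/^Name:/ { sub(/[ \t]+$/, "", $2); print tolower($2) }' |
    sort -u
}

# Print each expected name (arguments) that is absent from the output on stdin.
missing_authorizers() {
    found=$(list_authorizers)
    for host in "$@"; do
        want=$(printf '%s' "$host" | tr 'A-Z' 'a-z')
        printf '%s\n' "$found" | grep -qxF -- "$want" || printf '%s\n' "$host"
    done
}

# Succeed only if the command reported success and no expected name is missing.
authorizers_ok() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q '^Operation completed successfully' || return 1
    [ -z "$(printf '%s\n' "$out" | missing_authorizers "$@")" ]
}

# Demo on the constructed sample; on a real master, pipe in the output of
#   bpnbaz -ShowAuthorizers -Server vxssvirtual.mycompany.com
sample_output | missing_authorizers \
    VxnbuNode1.mycompany.com VxnbuNode2.mycompany.com nbuvirtual.mycompany.com
```

A name reported as missing means the corresponding bpnbaz -AllowAuthorization step in section II was skipped for that node or virtual name.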
IV. Enable ENBAC
Bring NetBackup online on a node in the cluster. Launch the NetBackup administration console GUI to configure NetBackup access control.
1 Select the Master server host properties, access control section.
2 In the Symantec Authentication and Authorization Service tab configure
the following:
a Set the VxSS services to automatic.
b Add the physical cluster node names (fully qualified domain name) as
hosts
For Example:
vxnbuNode1.mycompany.com
vxnbuNode2.mycompany.com
c Add the NetBackup Virtual Name FQDN as host
For Example:
nbuvirtual.mycompany.com
d Add the domain name as domain type
For Example:
mycompany.com
e For each of the above set the VxSS to "automatic" in the attributes
section to the right of the VxSS network list.
3 Select the Authentication Domain tab
a Click Add button
b Specify the domain name, authentication mechanism, and broker name
for the domain
For example, see Table 1-4 below.
4 Select the authorization service tab
a Enter the fully qualified domain name (virtual name) of the
authorization broker
b Click Apply
c Select "Current Node only"
d Click OK
e Close the NetBackup administration console
5 Failover NetBackup group to each of the remaining nodes and perform steps 1-4.
6 For NBAC to take effect, restart NetBackup by performing offline and online
a Perform offline of NetBackup resource
b Perform online of NetBackup resource
Note: Run the bpnbat -LoginMachine command every 14 days, or contact NetBackup support to obtain the engineering binaries that address this situation.
Table 1-4 Authentication Domain tab example entries
Domain name      Authentication    Broker
mycompany.com    NIS               vxssvirtual.mycompany.com
MYNTDOMAIN       WINDOWS           vxssvirtual.mycompany.com