UNIX primary server verification
Use the following procedures to verify the UNIX primary server:
Verify UNIX primary server settings.
Verify which computers are permitted to perform authorization lookups.
Verify that the database is configured correctly.
Verify that the nbatd and nbazd processes are running.
Verify that the host properties are configured correctly.
The following table describes the verification process for the UNIX primary server.
Table: Verification process for the UNIX primary server
Process | Description |
|---|---|
Verify UNIX primary server settings |
Determine in what domain a host is registered (where the primary authentication broker resides), and determine the name of the computer the certificate represents. Run bpnbat with -whoami with -cf for the primary server's credential file. The server credentials are located in the For example: bpnbat -whoami -cf
/usr/openv/var/vxss/credentials/unix_primary.company.com
Name: unix_primary.company.com
Domain: NBU_Machines@unix_primary.company.com
Issued by: /CN=broker/OU=root@unix_primary/O=vx
Expiry Date: Oct 31 15:44:30 2007 GMT
Authentication method: Veritas Private Security
Operation completed successfully.
If the domain listed is not NBU_Machines@unix_primary.company.com, or the file does not exist, consider running bpnbat -addmachine for the name in question (unix_primary). Run this command on the computer that serves the NBU_Machines domain (unix_primary). Then, on the computer where we want to place the certificate (unix_primary), run: bpnbat -loginmachine Note: When determining if a credential has expired, remember that the output displays the expiration time in GMT, not local time. Note: For the remaining procedures in this verification topic, assume that the commands are performed from a console window. The window in which the user identity is in question has run bpnbat -login using an identity that is a member of NBU_Security Admin. This identity is usually the first identity with which the security was set up. |
Verify which computers are present in the authentication broker |
To verify which computers are present in the authentication broker, log on as a member of the Administrators group and run the following command: bpnbat -ShowMachines The following command shows which computers you have run: bpnbat -AddMachine |
Verify which computers are permitted to perform authorization lookups |
To verify which computers can perform authorization lookups, log on as root on the authorization broker and run the following command: bpnbaz -ShowAuthorizers
==========
Type: User
Domain Type: vx
Domain:NBU_Machines@unix_primary.company.com
Name: unix_primary.company.com
==========
Type: User
Domain Type: vx
Domain:NBU_Machines@unix_primary.company.com
Name: unix_media.company.com
Operation completed successfully.
This command shows that unix_primary and unix_media are permitted to perform authorization lookups. Note that both servers are authenticated against the same vx (Veritas Private Domain) Domain, NBU_Machines@unix_primary.company.com. If a primary server or media server is not part of the list of authorized computers, run bpnbaz -allowauthorization <server_name> to add the missing computer. |
Verify that the database is configured correctly |
To make sure that the database is configured correctly, run bpnbaz -listgroups: bpnbaz -listgroups NBU_Operator NBU_Admin NBU_SAN Admin NBU_User NBU_Security Admin Vault_Operator Operation completed successfully. If the groups do not appear, or if bpnbaz -listmainobjects does not return data, run bpnbaz -SetupSecurity. |
Verify that the nbatd and nbazd processes are running |
Run the ps command to ensure that the nbatd and nbazd processes are running on the designated host. If necessary, start them. For example: ps -fed |grep vx root 10716 1 0 Dec 14 ? 0:02 /usr/openv/netbackup/bin/private/nbatd root 10721 1 0 Dec 14 ? 4:17 /usr/openv/netbackup/bin/private/nbazd |
Verify that the host properties are configured correctly |
In the Access Control host properties, verify that the NetBackup Authentication and Authorization property is set correctly. (The setting should be either or , depending on whether all of the computers use NetBackup Authentication and Authorization or not. If all computers do not use NetBackup Authentication and Authorization, set it to . In the Access Control host properties, verify that the authentication domains on the list are spelled correctly. Also make sure that they point to the proper servers (valid authentication brokers). If all domains are UNIX-based, they should point to a UNIX machine that is running the authentication broker. This process can also be verified in bp.conf using cat. cat bp.conf
SERVER = unix_primary
SERVER = unix_media
CLIENT_NAME = unix_primary
AUTHENTICATION_DOMAIN = company.com "default company
NIS namespace"
NIS unix_primary 0
AUTHENTICATION_DOMAIN = unix_primary "unix_primary password file"
PASSWD unix_primary 0
AUTHORIZATION_SERVICE = unix_primary.company.com 0
USE_VXSS = AUTOMATIC
# |