UNIX primary server verification — NetBackup 11.1.0.2 | Cohesity Documentation

Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist

UNIX primary server verification — NetBackup 11.1.0.2 | Cohesity Documentation

UNIX primary server verification

Use the following procedures to verify the UNIX primary server:

Verify UNIX primary server settings.
Verify which computers are permitted to perform authorization lookups.
Verify that the database is configured correctly.
Verify that the nbatd and nbazd processes are running.
Verify that the host properties are configured correctly.

The following table describes the verification process for the UNIX primary server.

Table: Verification process for the UNIX primary server

Process	Description
Verify UNIX primary server settings	Determine in what domain a host is registered (where the primary authentication broker resides), and determine the name of the computer the certificate represents. Run bpnbat with -whoami with -cf for the primary server's credential file. The server credentials are located in the `/usr/openv/var/vxss/credentials/` directory. For example: bpnbat -whoami -cf /usr/openv/var/vxss/credentials/unix_primary.company.com Name: unix_primary.company.com Domain: NBU_Machines@unix_primary.company.com Issued by: /CN=broker/OU=root@unix_primary/O=vx Expiry Date: Oct 31 15:44:30 2007 GMT Authentication method: Veritas Private Security Operation completed successfully. If the domain listed is not NBU_Machines@unix_primary.company.com, or the file does not exist, consider running bpnbat -addmachine for the name in question (unix_primary). Run this command on the computer that serves the NBU_Machines domain (unix_primary). Then, on the computer where we want to place the certificate (unix_primary), run: bpnbat -loginmachine Note: When determining if a credential has expired, remember that the output displays the expiration time in GMT, not local time. Note: For the remaining procedures in this verification topic, assume that the commands are performed from a console window. The window in which the user identity is in question has run bpnbat -login using an identity that is a member of NBU_Security Admin. This identity is usually the first identity with which the security was set up.
Verify which computers are present in the authentication broker	To verify which computers are present in the authentication broker, log on as a member of the Administrators group and run the following command: bpnbat -ShowMachines The following command shows which computers you have run: bpnbat -AddMachine
Verify which computers are permitted to perform authorization lookups	To verify which computers can perform authorization lookups, log on as root on the authorization broker and run the following command: bpnbaz -ShowAuthorizers ========== Type: User Domain Type: vx Domain:NBU_Machines@unix_primary.company.com Name: unix_primary.company.com ========== Type: User Domain Type: vx Domain:NBU_Machines@unix_primary.company.com Name: unix_media.company.com Operation completed successfully. This command shows that unix_primary and unix_media are permitted to perform authorization lookups. Note that both servers are authenticated against the same vx (Cohesity Private Domain) Domain, NBU_Machines@unix_primary.company.com. If a primary server or media server is not part of the list of authorized computers, run bpnbaz -allowauthorization <server_name> to add the missing computer.
Verify that the database is configured correctly	To make sure that the database is configured correctly, run bpnbaz -listgroups: bpnbaz -listgroups NBU_Operator NBU_Admin NBU_SAN Admin NBU_User NBU_Security Admin Vault_Operator Operation completed successfully. If the groups do not appear, or if bpnbaz -listmainobjects does not return data, run bpnbaz -SetupSecurity.
Verify that the nbatd and nbazd processes are running	Run the ps command to ensure that the nbatd and nbazd processes are running on the designated host. If necessary, start them. For example: ps -fed \|grep vx root 10716 1 0 Dec 14 ? 0:02 /usr/openv/netbackup/bin/private/nbatd root 10721 1 0 Dec 14 ? 4:17 /usr/openv/netbackup/bin/private/nbazd
Verify that the host properties are configured correctly	In the Access Control host properties, verify that the NetBackup Authentication and Authorization property is set correctly. (The setting should be either Automatic or Required, depending on whether all of the computers use NetBackup Authentication and Authorization or not. If all computers do not use NetBackup Authentication and Authorization, set it to Automatic. In the Access Control host properties, verify that the authentication domains on the list are spelled correctly. Also make sure that they point to the proper servers (valid authentication brokers). If all domains are UNIX-based, they should point to a UNIX machine that is running the authentication broker. This process can also be verified in bp.conf using cat. cat bp.conf SERVER = unix_primary SERVER = unix_media CLIENT_NAME = unix_primary AUTHENTICATION_DOMAIN = company.com "default company NIS namespace" NIS unix_primary 0 AUTHENTICATION_DOMAIN = unix_primary "unix_primary password file" PASSWD unix_primary 0 AUTHORIZATION_SERVICE = unix_primary.company.com 0 USE_VXSS = AUTOMATIC #

Feedback

Was this page helpful?

Feedback

Was this page helpful?