Troubleshooting issues with multi-person authorization
This topic provides information on how to troubleshoot issues that are specific to multi-person authorization process in NetBackup.
For more information on the multi-person authorization, see the NetBackup Security and Encryption Guide.
Table:
Sr. No. | Issue | Possible reason | Resolution |
|---|---|---|---|
1. | After enabling multi-person authorization, NetBackup Vault creation or modification operation fails in the NetBackup Administration Console with the following error: Intermittent connectivity lost with the server. | Multi-person authorization is enabled for the image expiration operation. | Contact the NetBackup Security Administrator to exempt the user from the multi-person authorization process. |
2. | After enabling multi-person authorization, the nbholdutil -delete command on the earlier media server fails with the following error: Permission Denied by Hold Service | Multi-person authorization in enabled for the image hold deletion operation on the primary server. | Do one of the following:
|
3. | One of the following operations fails with the exit status: 9382 Error: The operation has failed because it is configured for multi-person authorization.
| Multi-person authorization is enabled for the image expiration operation. |
|
4. | A user that is exempted from the multi-person authorization process is not able to perform the multi-person authorization enabled operation using CLIs and the error with 5930 error code is displayed. | The user is not authenticated. The bpnbat -login -logintype WEB command is not run after adding the user to the exempted list. | Run the bpnbat -login -logintype WEB command to successfully load the current permission set and perform the multi-person authorization enabled operation using one of the following interfaces:
|
5. | User is removed from the exempted users' list, however is able to run a multi-person authorization enabled operation without a second approval. | Removal of a user from the exempted user list creates a multi-person authorization ticket. However, the associated ticket is not yet approved. | Check if a ticket for multi-person authorization configuration is created. Request the multi-person authorization approver to approve the ticket. After the approval, the user is removed from the exempted list. |
6. | An exempted user failed to expire an image (failed to perform a multi-person authorization enabled operation) |
| Refer to the respective documentation. |
7. | A multi-person authorization enabled operation is successful using the NetBackup Administration Console or CLIs. | The user must be in the exempted users' list. | If you want a multi-person authorization ticket to be created for this user, remove the user from the exempted users' list. |
8. | Unable to add user groups to the exempted list. | Adding user groups to the exempted list is not allowed. | Add individual users to the exempted list. |
9. | When trying to configure multi-person authorization from the NetBackup web UI, the following error is displayed: The date is not within the allowed range that is between 01/01/1970 and the current date | System date must not be set correctly. | Check the system date and specify a valid date that is between 01/01/1970 and the current date. Correct the date and restart the NetBackup services. |
10. | Multi-person authorization tickets do not get expired even after the scheduled expiration period. |
| Start the NetBackup Web Management Console (nbwmc) and the NetBackup PostgreSQL database services or daemons. |
11. | Multi-person authorization tickets do not get purged even after the scheduled purge period. |
| Start the NetBackup Web Management Console (nbwmc) and the NetBackup PostgreSQL database services or daemons. |
12. | NetBackup image expiry operation execution failed using CLIs after enabling multi-person authorization. | If multi-person authorization is enabled for an operation on the primary server, that operation is allowed only using the web UI and APIs. If user tries to perform the operation using the NetBackup Administration Console or the command-line interface, the operation fails. |
|
13. | Not able to fetch a multi-person authorization ticket. |
|
|
14. | Unable to update the state of the multi-person authorization ticket. | The multi-person authorization ticket cannot be updated, because the current state of the ticket cannot be changed to the proposed state. | Check the current state of the multi-person ticket and ensure that you are performing the operation based on the following state transitions that are allowed: Current state - Pending, Expired Proposed state - Approved, Rejected, Canceled, Pending |
15. | Unable to update the multi-person authorization ticket. | If you are not the requester of the ticket or the multi-person authorization approver, you cannot approve, reject, cancel, or renew the ticket or add a comment. | Contact the NetBackup Administrator for the required permissions. |
16. | While configuring multi-person authorization or performing any associated operations on a ticket, the following error is displayed: Unable to connect to server | The NetBackup Web Management Console service may be down. | Ensure that all the required NetBackup services are up and running. |
17. | Image expiration operation using CLIs failed with error code 9387 after multi-person authorization is enabled. | If the multi-person authorization is enabled for the operation on the primary server, a ticket is generated when the operation takes place. | Check the current state of the multi-person authorization ticket by signing into NetBackup web UI. The ticket should be approved after which the operation is successful. |
18. | A user is not able to perform the multi-person authorization enabled operation using CLIs and the error with 5930 error code is displayed. | The user is not authenticated. The bpnbat -login -logintype WEB command is not run. | Run the bpnbat -login -logintype WEB command to successfully load the current permission set and perform the multi-person authorization enabled operation using CLI: |
19. | Image expiration operation using CLI did not create a ticket after multi-person authorization is enabled. |
|
|
20. | Image expiration operation through CLI using bid file failed with error code 20 after multi-person authorization is enabled. | The bid file is not in the required format. | Ensure that the bid file is in the required format and it contains up to 100 entries. A maximum of 100 images can be expired in a bulk when multi-person authorization is enabled. |
21. | nbcertcmd -setsecconfig, nbseccmd -setsecurityconfig command fails on the media server and client. Request to set the certificate deployment level failed. Exit status: 5969 Error: Response from the NetBackup Web Management Console service could not be parsed. | Media server and client hosts are earlier than NetBackup 10.3 | Upgrade NetBackup to the current version. Check if a ticket is created for the operation in the web UI. |
22. | Unable to see UNCHANGED/UPDATED values in multi-person authorization ticket details. | Unable to read the JSON API payload. | Check if all fields in the API payload are passed as expected. |
23. | Multi-person authorization ticket is created for exempted users after global security settings are modified. | Exempted users need to go through multi-person authorization when they modify multi-person authorization configuration, global security settings, or risk engine-based anomaly detection configuration. | Contact your MPA Approver for the ticket approval. |
24. | Image expiry ticket is not marked as 'conflicting with' when there is a conflict | Tickets that are in pending state are not marked as 'conflicting with' for the following operations: multi-person authorization configuration, global security settings | Tickets for the following operations are not marked as 'conflicting with': Image expiry, WORM configuration change, WORM retention lock removal, remove image hold |