Troubleshooting issues with the security configuration risk feature
Security configuration risk depends on the status of the security settings in your NetBackup domain. A higher configuration risk score indicates weaker security configurations. To minimize the risk, enable all the security settings.
For more information on the security configuration risk feature, refer to the NetBackup Security and Encryption Guide.
Table:
Sr. No. | Issue | Possible reason | Resolution |
|---|---|---|---|
1. | Internal server error in: GET API /security/status | Error in extracting the cluster name or client name for the given host through NetBackup Service Layer (NBSL). Check the logs to confirm the following: "Cannot retrieve hostName from system property" | Check if the NBSL service is up and running. Ensure that the Client name (virtual name in case of cluster) is properly set for the given primary server. |
Exception in searching for the given host by its host name in database. Check the logs to confirm the following: "Exception occurred: hostname not found." | Ensure that the NetBackup database services are up and running. Increase verbosity, and retry the operations. Contact Cohesity technical support. | ||
Failure in reading base state template from database. Check the logs to confirm the following: "Caught exception while reading security template json." | Ensure that the correct JSON file is present in the database in EMM_MAIN schema: emm_hostconffileversiondata No key should have a null value. | ||
Error in extracting number of hosts configured with service user from the database. Check the logs. | Ensure that the NetBackup database services are up and running. Increase verbosity, and retry the operations. Contact Cohesity technical support. | ||
API failed to extract malware configuration details for the host. Check the logs to confirm the following: "Exception raised from getting malware settings" | Increase verbosity, and retry the operations. Contact Cohesity technical support. | ||
API failed to extract number of hosts from the database. Check the logs to confirm the following: "Cannot retrieve number of hosts from database." | Ensure the NetBackup database services are up and running. Increase verbosity, and retry the operations. Contact Cohesity technical support. | ||
API failed to extract supported operations for MPA. Check the logs to confirm the following: "Error in fetching list of MPA supported operations." | Ensure the NetBackup database services are up and running. Increase verbosity, and retry the operations. Contact Cohesity technical support. | ||
8. | Internal server error in POST API /security/configuration-baseline | Validation of the request DTO failed. Check the logs to confirm the following: "Request DTO validation failed." | Validate input JSON to the API. Refer to the following to check the possible states of settings:
|
9. | Notifications for security configuration risk are not generated. | Security baseline may be changed within 10 seconds of the change in configuration settings. | Avoid changing security baseline within 10 seconds of changing the security settings state. Retry the operations. Contact Veritas technical support if the issue still persists. Collect web service logs and NetBackup audit logs. |
10. | Exception with message: "The dashboard security status request or the data that is sent is not valid." | Possible reasons:
| Set the security baseline again. |
NetBackup database service is not running. | Ensure that the NetBackup database services are up and running. | ||
Anomaly management service is not running. | Ensure that Anomaly management service is up and running. | ||
nbstserv is not running. | Ensure that nbstserv is up and running. | ||
NetBackup Service Layer service is not running. The file should have service_user permissions. | Ensure that the NetBackup Service Layer (NBSL) is up and running. | ||
Validation of the request DTO failed. The payload provided was having one of the unsupported attributes (from API version 13.0) or invalid value. | Validate input JSON to the POST security/configuration-baseline API for request API Version 12.0. The following payload JSON is supported: { "data": { "type": "securityTemplateRequest", "attributes": { "securitySettingsTemplate": { "allowInsecureBackLevelHost": 0, "certificateAutoDeployLevel": 0, "mfaEnforced": false, "dteGlobalMode": "PREFERRED_OFF", "hostPercentageWithDteEnabled": 0, "backupAnomalyDetection": 0, "mpa": "ENABLED", "malwareDetection": "CONFIGURED", "hostPercentageWithServiceUser": 0 } } } } | ||
Validation of the request DTO failed. The payload was containing attribute with invalid value. | Validate input JSON to the POST security/configuration-baseline API for request API Version 13.0. The following JSON is supported: { "data": { "type": "securityTemplateRequest", "attributes": { "securitySettingsTemplate": { "allowInsecureBackLevelHost": 0, "certificateAutoDeployLevel": 0, "mfaEnforced": false, "dteGlobalMode": "PREFERRED_OFF", "hostPercentageWithDteEnabled": 0, "backupAnomalyDetection": 0, "mpa": "ENABLED", "malwareDetection": "CONFIGURED", "hostPercentageWithServiceUser": 0, "backupStoragePercentageWithEncryptionEnabled": 0, "isImmutableBackupStorageConfigured": true, "serverPercentageWithLatestNbuVersion": 0, "clientPercentageWithLatestNbuVersion": 0, "isCliAccessToOsAdmins": 0, "isWebUiAccessToOsAdmins": 0, "redirectedRestore": true } } } } | ||
11. | Some settings do not have baseline value after upgrade | Some of the new security settings that are added in the NetBackup 11.0 do not have baseline set unless you set it explicitly. | Set the baseline values for all the security settings. |