Veritas NetBackup™ 52xx Appliance Initial Configuration Guide

To perform the initial configuration on a 52xx media server appliance from the NetBackup Appliance Shell Menu

1. On the laptop that is connected to the NIC1 appliance port, navigate to the Local Area Connection Properties dialog box.

   On the General tab, select Internet Protocol (TCP/IP) so that it is highlighted, then click Properties.

   

   On the Alternate Configuration tab, perform the following tasks:

   

   • Click User Configured.

   • For the IP address, enter 192.168.229.nnn, where nnn is any number from 2 through 254 except for 233.

   • For the Subnet mask, enter 255.255.255.0.

   • Click OK.

2. On the laptop that is connected to the appliance, open an SSH session to 192.168.229.233 and log on to your appliance.

   The logon is admin and the default password is P@ssw0rd.

   After you log on, the welcome message appears in the shell menu and the prompt is at the Main_Menu view.

3. From the Main_Menu > Network view, enter the following command to configure the IP address of a single network that you want your appliance to connect to.

   Configure IPAddress Netmask GatewayIPAddress [InterfaceNames]

   Where IPAddress is the new IP address, Netmask is the netmask, and GatewayIPAddress is the default gateway for the interface. The [InterfaceNames] option is optional.

   The IPAddress or the GatewayIPAddress can be an IPv4 or IPv6 address. Only global-scope and unique-local IPv6 addresses are allowed.

   Remember that you should not use both IPv4 and IPv6 addresses in the same command. For example, you cannot use Configure 9ffe::9 255.255.255.0 1.1.1.1.. You should use Configure 9ffe::46 64 9ffe::49 eth1

   See About IPv4-IPv6-based network support.

   If you want to configure multiple networks you must first configure the IP address of each network that you want to add. Then you configure the Gateway address for each network you added. You must make sure that you add the default Gateway address first. Use the following two commands:

   Configure the IP address of each network

   Use either of the following commands depending on whether you want to configure an IPv4 or an IPv6 address for the network interface: To configure the IPv4 address of a network interface: IPv4 IPAddress Netmask [InterfaceName] Where IPAddress is the new IP address, Netmask is the netmask, and [InterfaceName] is optional. Repeat this command for each IP address that you want to add. To configure the IPv6 address of a network interface: IPv6 <IP Address> <Prefix> [InterfaceNames] Where IPAddress is the IPv6 address, Prefix is the prefix length, and [InterfaceName] is optional.

   Configure the gateway address for each network that you added

   Gateway Add GatewayIPAddress [TargetNetworkIPAddress] [Netmask] [InterfaceName] Where GatewayIPAddress is the gateway for the interface and TargetNetworkIPAddress, Netmask, and InterfaceName are optional. Repeat this command to add the gateway to all of the destination networks. The GatewayIPAddress or the TargetNetworkIPAddress can be an IPv4 or an IPv6 address. Remember that you should not use both IPv4 and IPv6 address in the same command. For example, you cannot use Gateway Add 9ffe::3 255.255.255.0 eth1. You should use Gateway Add 9ffe::3 6ffe:: 64 eth1.

4. From the Main_Menu > Network view, use the following command to set the appliance DNS domain name.

   Note:

   If you do not use DNS, then you can proceed to Step 7.

   DNS Domain Name

   Where Name is the new domain name for the appliance.

5. From the Main_Menu > Network view, use the following command to add the DNS name server to your appliance configuration.

   DNS Add NameServer IPAddress

   Where IPAddress is the IP address of the DNS server.

   The address can be either IPv4 or IPv6. Only global-scope and unique-local IPv6 addresses are allowed.

   See About IPv4-IPv6-based network support.

   To add multiple IP addresses, use a comma to separate each address and no space.

6. From the Main_Menu > Network view, use the following command to add a DNS search domain to your appliance configuration so the appliance can resolve the host names that are in different domains:

   DNS Add SearchDomain SearchDomain

   Where SearchDomain is the target domain to add for searching.

7. This step is optional. It lets you add the IP addresses of other hosts in the appliance hosts file.

   From the Main_Menu > Network view, use the following command to add host entries to the hosts file on your appliance.

   Hosts Add IPAddress FQHN ShortName

   Where IPAddress is the IPv4 or IPv6 address, FQHN is the fully qualified host name, and ShortName is the short host name.

   See About IPv4-IPv6-based network support.

8. From the Main_Menu > Network view, use the following command to set the host name for your appliance.

   Note:

   If you plan to configure Active Directory (AD) authentication on this appliance, the host name must be 15 characters or less. Otherwise, AD configuration can fail.

   Hostname Set Name

   Where Name is the short host name or the fully qualified domain name (FQDN) of this appliance.

   The host name is applied to the entire appliance configuration with a few exceptions. The short name always appears in the following places:

   • NetBackup Appliance Shell Menu prompts

   • Deduplication pool catalog backup policy

   • Default storage unit and disk pool names

   If this appliance has been factory reset and you want to import any of its previous backup images, the appliance host name must meet one of the following rules:

   • The host name must be exactly the same as the one used before the factory reset.

   • If you want to change the host name to an FQDN, it must include the short name that was used before the factory reset. For example, if "myhost" was used before the factory reset, use "myhost.domainname.com" as the new FQDN.

   • If you want to change the host name to a short host name, it must be derived from the FQDN that was used before the factory reset. For example, if "myhost.domainname.com" was used before the factory reset, use "myhost" as the new short host name.

   Note:

   The Domain Name Suffix is appended to the host name and cannot be changed after the initial configuration is completed. If you need to change the suffix or move the appliance to a different domain at a later time, you must perform a factory reset first, and then perform the initial configuration again.

   With this step, NetBackup is re-configured to operate with the new host name. This process may take a while to complete.

   For the command Hostname set to work, at least one IPv4 address is required. For example, you may want to set the host name of a specific host to v46. To do that, first ensure that the specific host has at least an IPv4 address and then run the following command.

   Main_Menu > Network > Hostname Set v46

9. In addition to the above network configuration settings, you may also use the Main_Menu > Network view to create a bond and to tag a VLAN during the initial configuration of your appliance

   • Use the Network > LinkAggregation Create command to create a bond between two or more network interfaces.

   • Use the Network > VLAN Tag command to tag a VLAN to a physical interface or bond interface.

   For detailed information about the LinkAggregation and the VLAN command options, refer to the NetBackup Appliance Command Reference Guide.

10. From the Main_Menu > Network view, use the following commands to set the time zone, the date, and the time for this appliance:

    • Set the time zone by entering the following command:

      TimeZone Set

      Select the appropriate time zone from the displayed list.

    • Set the date and the time by entering the following command:

      Date Set Month Day HHMMSS Year

      Where Month is the name of the month.

      Where Day is the day of the month from 0 to 31.

      Where HHMMSS is the hour, minute, and seconds in a 24-hour format. The fields are separated by semi-colons, for example, HH:MM:SS.

      Where Year is the calendar year from 1970 through 2037.

11. From the Main_Menu > Settings > Alerts > Email view, use the following commands to enter the SMTP server name and the email addresses for appliance failure alerts.

    Enter the SMTP server name	Email SMTP Add Server [Account] [Password] The Server variable is the host name of the target SMTP server that is used to send emails. The [Account] option identifies the name of the account that was used or the authentication to the SMTP server. The [Password] option is the password for authentication to the SMTP server.
    Enter email addresses	Email Software Add Addresses Where Addresses is the user's email address. To define multiple emails, separate them with a semi-colon.

12. If you plan to use this media server in a NAT network, perform the following tasks on the associated primary server before you set the appliance role:

    • Enable the DNAT feature on the primary server.

    • Add the name of this media server to the NetBackup Servers list on the primary server.

      See Configuring a primary server to communicate with an appliance media server.

13. Set the role for the appliance to a media server.

    Note:

    Before you configure this appliance as a media server, you must add the name of this appliance to the primary server that must work with this appliance.

    From the Main_Menu > Appliance view, run the following command:

    Media PrimaryServer

    Where PrimaryServer is either a standalone primary server, a multihomed primary server, or a clustered primary server. The following defines each of these scenarios:

    Standalone primary server	This scenario shows one primary server host name. This name does not need to be a fully qualified name as long as your appliance recognizes the primary server on your network. The following is an example of how the command would appear. Media PrimaryServerName
    Multihomed primary server	In this scenario, the primary server has more than one host name that is associated with it. You must use a comma as a delimiter between the host names. The following is an example of how the command would appear. Media PrimaryNet1Name,PrimaryNet2Name
    Clustered primary server	In this scenario, the primary server is in a cluster. Veritas recommends that you list the cluster name first, followed by the active node, and then the passive nodes in the cluster. This list requires you to separate the node names with a comma. The following is an example of how the command would appear. Media PrimaryClusterName,ActiveNodeName,PassiveNodeName
    Multihomed clustered primary server	In this scenario, the primary server is in a cluster and has more than one host name that is associated with it. Veritas recommends that you list the cluster name first, followed by the active node, and then the passive nodes in the cluster. This list requires you to separate the node names with a comma. The following is an example of how the command would appear. Media PrimaryClusterName,ActiveNodeName, PassiveNodeName,PrimaryNet1Name,PrimaryNet2Name To prevent any future issues, when you perform the appliance role configuration, Veritas recommends that you provide all of the associated primary server names.
    Default passwords Veritas Usage Insights customer registration key Call Home settings test AutoUpdate for UpgradeReadinessCheck	Default passwords The following prompt appears to change the default passwords: - [Info] Default password change is required for the following user(s): admin, maintenance, sysadmin Change each user account password as prompted. Review the following password policy before setting a new password: Passwords must contain at least eight characters. Passwords must contain at least one lowercase letter (a-z) and one number (0-9). Dictionary words are considered weak passwords and are not accepted. Passwords for the sysadmin (IPMI) user must contain no more than 20 characters. The last seven passwords cannot be reused and the new password cannot be similar to previous passwords. Note: If you enter five consecutive invalid passwords for any user account, the appliance aborts the initial configuration process automatically. You must start the initial configuration process again. Note: If you enable the STIG feature after completing the initial configuration, you may be prompted to change the new passwords you entered here to meet the requirements of the STIG password policy. Call Home settings test Starting with release 5.0, a settings test for the Call Home feature is performed automatically. The test is performed to ensure that the appliance can communicate with the Veritas Call Home server. If the test fails, the following message appears: Warning: The appliance is not able to connect to the Veritas Call Home server to upload hardware and software telemetry. Providing the Call Home information to Veritas allows for an improved support experience and recommendations through the NetInsights Console. It is recommended that you enable Call Home and ensure the system can reach the Veritas Call Home server through correct name resolution or proxy server setting. You can ignore this message and continue with the initial configuration. AutoUpdate for UpgradeReadinessCheck Starting with release 5.1.1, a prompt appears for you to enable the AutoUpdate option for the UpgradeReadinessCheck feature. When the feature is enabled and a new analyzer tool version is available, the analyzer tool on the appliance is updated automatically. If an analyzer tool does not already exist on the appliance when you enable this feature, the latest version of the analyzer tool is downloaded automatically. You can also download the latest version of the analyzer tool from the Veritas Download Center. Veritas recommends that you enable AutoUpdate.
    Certificate provisioning Certificate revocation list (CRL)	After you have entered the primary server name, the appliance pings the primary server for the Certificate Authority (CA) status and shows the result. Each of the following bullet statements describes the possible status results. Follow the instructions that appear below the applicable status result to complete the certificate configuration. If the primary server has an enabled External CA-signed certificate, the following appears: The primary server <primary_server_name> has an enabled External CA-signed certificate. Do you want to import the External CA-signed certificate for this Media server now [yes,no](yes): Press Enter to continue. The following message appears: The following shares have been opened on the appliance for you to upload certificate files: NFS share <media_server_name>:/inst/share CIFS share \\<media_server_name>\general_share Enter the following details for external certificate configuration: Enter the certificate file path: Enter the trust store file path: Enter the private key path: Enter the password for the passphrase file path or skip security configuration (default: NONE): Enter the following details for CRL usage: Should a CRL be honored for the external certificate? 1) Use the CRL defined in the certificate. 2) Use the specific CRL directory. 3) Do not use a CRL. q) Skip security configuration. CRL option: Enter 1, 2, 3, or q. Verify the External CA details that you entered: Certificate file name: Trust store file name: Private key file name: CRL check level: (Shows the selected CRL option.) Do you want to use the above certificate files? [yes, no](yes): After verifying that the entered information is correct, press Enter to continue and answer the following prompt: Is this correct? [yes, no](yes): If all of the information is correct, press Enter to continue. The appliance performs an ECA health check and shows the result of each validation check. When the health check has completed successfully, the following messages appear: ECA health check was successful. The external certificate has been registered successfully. The primary server <primary_server_name> currently uses an external CA issued certificate and its own internal certificate. Would you like to proceed with the external CA issued certificate? [yes,no](yes): If you select no, the following message appears: This appliance will use a NetBackup issued certificate for secure communication. If you select yes, enter the following details for external certificate configuration: Enter the certificate file path: Enter the trust store file path: Enter the private key path: Enter the password for the passphrase file path or skip security configuration (default: NONE): Enter the following details for CRL usage: Should a CRL be honored for the external certificate? 1) Use the CRL defined in the certificate. 2) Use the specific CRL directory. 3) Do not use a CRL. q) Skip security configuration. CRL option: Enter 1, 2, 3, or q. Verify the External CA details that you entered: Certificate file name: Trust store file name: Private key file name: CRL check level: (Shows the selected CRL option.) Do you want to use the above certificate files? [yes, no](yes): After verifying that the entered information is correct, press Enter to continue and answer the following prompt: Is this correct? [yes, no](yes): If all of the information is correct, press Enter to continue. The appliance performs an ECA health check and shows the result of each validation check. When the health check has completed successfully, the following messages appear: ECA health check was successful. The external certificate has been registered successfully. This appliance will use an External Certificate for secure communication. If the primary server has a disabled External CA-signed certificate, the following message appears: The primary server <server_name> has a disabled External CA-signed certificate. Trust the certificate to continue the role configuration process. Do you trust the certificate? [yes, no], If you select yes, this appliance will continue to do storage configuration. If you select no, the role configuration will be aborted. This appliance will use a NetBackup issued certificate for secure communication. No further certificate configuration is required. Click Next to continue

    For more information about security certificates, refer to the chapter Security certificates in NetBackup in the NetBackup Security and Encryption Guide.

    Note:

    If the host name of the primary server is an FQDN, Veritas recommends that you use the FQDN to specify the primary server for the media server.

14. After you set the role configuration, the disk storage prompts appear for the AdvancedDisk and the Deduplication (MSDP) partitions.

    To configure storage partitions, you must do the following:

    • Enter a storage pool size in GB or TB.

      To skip the storage pool size configuration for any partition, enter 0 when prompted for its size. To keep the storage pool at its current size, press Enter.

    • Enter a disk pool name.

      The default names are dp_adv_<hostname> for AdvancedDisk and dp_disk_<hostname> for Deduplication. To keep the default names, press Enter.

    • Enter a storage pool name.

      The default names are stu_adv_<hostname> for AdvancedDisk and stu_disk_<hostname> for Deduplication. To keep the default names, press Enter.

    Note the following for MSDP partition sizes:

    • Make sure that the MSDP volume is larger than 10GB. Partitions smaller than 10GB or less than 1/100 of the average MSDP volume are not supported.

    • If the available disk space is more than 10GB, a message informs you that the partition has been created.

    • If the available disk space is less than 10GB, the process checks for the next disk in the storage array with more than 10GB of free space. A message informs you that the partition has been created.

    • If no disks have more than 10GB of available space, a message informs you of the maximum available space and allows you to create the partition at the smaller size.

    The storage prompts appear in the following order:

    AdvancedDisk partition size in GB/TB: (1 GB)
    AdvancedDisk diskpool name:
    AdvancedDisk storage unit name:
    MSDP partition size in GB/TB: (10 GB)
    MSDP diskpool name:
    MSDP storage unit name:
    MSDP Catalog partition size in GB/TB:

    After you configure the storage partitions, a summary of the storage configuration appears with the following prompt:

    Do you want to make changes to the storage configuration
    shown above? [yes,no]:

    Type yes to make any changes, or type no to keep the current configuration.

15. Disconnect the laptop from the NIC1 appliance port.

    Note:

    If your network uses the 192.168.x.x IP address range, refer to the following topic for important information:

    See About NIC1 (eth0) port usage on NetBackup appliances.

16. After all appliances are configured and operational, you are ready to install client software on the computers that you want to back up.

    See Downloading NetBackup client packages to a client from a NetBackup appliance.

    See Installing NetBackup client software through an NFS share.

17. If you want to configure the appliance for MSDP cloud, do the following:

    • Log in to the appliance primary server and run the following command to change the default password for the nbasecadmin user:

      Main > Settings > Password nbasecadmin

    • Log in to the NetBackup web UI as the nbasecadmin user and configure the MSDP cloud storage as follows:

      • Create a disk pool.

      • Create a storage unit.

        For details, see the NetBackup Web UI Administrator's Guide.