NetBackup™ 10.2.0.1 Application Guide

Last Published:
Product(s): Appliances (3.3, 3.2, 3.1)
Platform: Flex Appliance OS
  1. Product overview
    1.  
      Introduction to NetBackup applications for Flex Appliance
    2.  
      About the Flex Appliance documentation
  2. Release notes
    1.  
      NetBackup 10.2.0.1 application new features, enhancements, and changes
    2.  
      Supported upgrade paths to this release
    3.  
      Operational notes
  3. Geting started
    1.  
      Prerequisites before you can create NetBackup application instances
    2.  
      Installing the NetBackup Administration Console and client packages
  4. Creating NetBackup application instances
    1. Creating application instances
      1.  
        Creating a NetBackup primary server instance
      2.  
        Creating a NetBackup media server instance
      3.  
        Creating a NetBackup WORM storage server instance
  5. Managing NetBackup application instances
    1.  
      Managing application instances from Flex Appliance and NetBackup
    2. Accessing NetBackup primary and media server instances for management tasks
      1. Managing users on a primary or a media server instance
        1.  
          Adding and removing local users on a primary or a media server instance
        2.  
          Connecting an Active Directory user domain to a primary or a media server instance
        3.  
          Connecting an LDAP user domain to a primary or a media server instance
        4.  
          Changing a user password on a primary or a media server instance
        5.  
          Using SSH keys for authentication on a primary or a media server instance
      2. Running NetBackup commands on a primary or a media server application instance
        1.  
          Creating a NetBackup touch file on a primary or a media server application instance
        2.  
          Installing NetBackup notify scripts on a primary or a media server application instance
      3.  
        Monitoring NetBackup services on a NetBackup primary server instance
      4.  
        Mounting an NFS share on a NetBackup primary server instance
      5.  
        Setting environment variables on primary and media server instances
      6.  
        Storing custom data on a primary or a media server instance
      7.  
        Modifying or disabling the nbdeployutil utility on a primary server instance
      8.  
        Disabling SMB server signing on a media server instance
      9.  
        Enabling extra OS STIG hardening on a primary or a media server instance
      10.  
        Using a login banner on a primary or a media server instance
      11.  
        Using a primary server instance for disaster recovery
    3. Accessing NetBackup WORM storage server instances for management tasks
      1. Managing users from the deduplication shell
        1.  
          Adding and removing local users from the deduplication shell
        2.  
          Adding MSDP users from the deduplication shell
        3.  
          Connecting an Active Directory domain to a WORM storage server for Universal Shares and Instant Access
        4.  
          Disconnecting an Active Directory domain from the deduplication shell
        5.  
          Changing a user password from the deduplication shell
      2.  
        Managing VLAN interfaces from the deduplication shell
      3.  
        Viewing the lockdown mode on a WORM storage server
      4.  
        Managing the retention policy on a WORM storage server
      5.  
        Managing images with a retention lock on a WORM storage server
      6.  
        Auditing WORM retention changes
      7.  
        Protecting the NetBackup catalog on a WORM storage server
      8. Managing certificates from the deduplication shell
        1.  
          Viewing the certificate details from the deduplication shell
        2.  
          Importing certificates from the deduplication shell
        3.  
          Removing certificates from the deduplication shell
      9.  
        Managing FIPS mode from the deduplication shell
      10.  
        Encrypting backups from the deduplication shell
      11. Configuring an isolated recovery environment from the deduplication shell
        1.  
          Configuring data transmission between a production environment and an IRE WORM storage server from the deduplication shell
      12.  
        Managing an isolated recovery environment from the deduplication shell
      13.  
        Tuning the MSDP configuration from the deduplication shell
      14.  
        Setting the MSDP log level from the deduplication shell
      15. Managing NetBackup services from the deduplication shell
        1.  
          Managing the cyclic redundancy checking (CRC) service
        2.  
          Managing the content router queue processing (CRQP) service
        3.  
          Managing the online checking service
        4.  
          Managing the compaction service
        5.  
          Managing the deduplication (MSDP) services
        6.  
          Managing the Storage Platform Web Service (SPWS)
        7.  
          Managing the Veritas provisioning file system (VPFS) configuration parameters
        8.  
          Managing the Veritas provisioning file system (VPFS) mounts
        9.  
          Managing the NGINX service
        10.  
          Managing the SMB service
      16. Monitoring and troubleshooting NetBackup services from the deduplication shell
        1.  
          Managing the health monitor
        2.  
          Viewing information about the system
        3.  
          Viewing the deduplication (MSDP) history or configuration files
        4.  
          Viewing the log files
        5.  
          Collecting and transferring troubleshooting files
      17. Managing S3 service from the deduplication shell
        1.  
          Configuring the S3 service
        2.  
          Creating or resetting root credentials
        3.  
          Changing the S3 service certificates
        4.  
          Managing the S3 service

Connecting an LDAP user domain to a primary or a media server instance

Use the following procedure to connect an LDAP user domain to a primary or a media server instance.

To connect an LDAP user domain

  1. From the Flex Appliance Console, verify that the instance is on the same network as the LDAP domain. If it is not, edit the settings so that the instance can reach the domain.
  2. Open the following port between the instance and the remote host if it is not already open:

    • If you want to enable SSL for the connection: port 389

    • If you do not want to enable SSL for the connection: port 636

  3. Open an SSH session to the instance as the appadmin user and run the following command to navigate to the SSSD configuration file:

    sudo vi /etc/sssd/sssd.conf.

  4. Run the following command to copy the file and create a backup:

    sudo cp /etc/sssd/sssd.conf /mnt/Nbdata/sssd.conf.orig

  5. In the sssd.conf file, locate and modify the following entries:

    • ldap_uri =

      Enter the LDAP server name and port. If you want to enable SSL for the connection, use port 636. If you do not want to enable SSL, use port 389.

      For example: ldap_uri = ldaps://example.veritas.com:636

    • ldap_search_base =

      Enter the LDAP search domain.

      For example: ldap_search_base = dc=example,dc=veritas,dc=com

    • ldap_tls_reqcert =

      If you want to enable SSL for the connection, enter hard.

      If you do not want to enable SSL for the connection, enter never.

      For example: ldap_tls_reqcert = hard

    Note:

    Other fields may also need to be modified depending on your LDAP configuration. Check the LDAP vendor documentation and follow those instructions if there are any differences.

  6. If you did not enable SSL, proceed to the next step.

    If you enabled SSL, perform the following additional steps:

    • Add the following lines to the sssd.conf file:

      • ldap_tls_cacertdir = /mnt/nbdata/sssd/certs

      • ldap_tls_cacert = /mnt/nbdata/sssd/certs/<CA certificate>

        Where <CA certificate> is the file name of the LDAP CA certificate.

    • Run the following command to create a directory for the LDAP certificates:

      sudo mkdir -p /mnt/nbdata/sssd/certs

    • Copy all LDAP certificate files to this directory.

    • Run the following command to navigate to the LDAP configuration file:

      sudo vi /etc/openldap/ldap.conf

    • Add the following entry to this file:

      TLS_CACERTDIR /mnt/nbdata/sssd/certs

  7. By default, all users on the remote user domain can log in to the instance. If you need to restrict access to specific users or groups, perform the following steps:

    • Navigate to /etc/sssd/sssd.conf on the instance and verify that the file includes the following line:

      access_provider = ldap

      If it does not, add it.

    • Add the following filter to the file:

      ldap_access_filter = <user list>

      Where <user list> is the list of users that you want to have access, in one of the following formats:

      • To add user groups, replace <user list> with the following:

        (memberOf=cn=<common name>,ou=<organizational unit>,dc=<domain component>)

        Where everything after memberOf= specifies the group that you want to provide access to.

        There may be more than one ou or dc, and you can also add multiple groups to the filter. For example:

        ldap_access_filter = (|(memberOf=cn=users1,ou=groups,dc=example,dc=company,dc=com) (memberOf=cn=users2,ou=admins,ou=groups,dc=example,dc=company,dc=com))

      • To add users, replace <user list> with the following:

        (sAMAccountName=<username>)

        You can also add multiple users. For example:

        ldap_access_filter = (|(sAMAccountName=user1) (sAMAccountName=user2))

      For more information on the LDAP access filter, refer to the Red Hat documentation.

    • Run the following command:

      systemctl restart sssd

  8. By default, LDAP users have super administrator privileges and full access to the instance. To remove those privileges and designate the appadmin user as the only super administrator, perform the following steps:

    • Navigate to /etc/ssh/sshd_config and add the following line to the end of the file:

      AllowUsers appadmin

    • Run the following command:

      systemctl restart sshd

  9. When the connection is complete, sign in to the instance as the appadmin user from the NetBackup web UI. Add and configure the remote users that you want to have access to the instance from the web UI. See the NetBackup Web UI Administrator's Guide for details.

    Note:

    The username maintenance is not supported on application instances.