NetBackup™ 10.4 Application Guide

Last Published:
Product(s): Appliances (5.0)
Platform: Flex Appliance OS
  1. Product overview
    1.  
      Introduction to NetBackup applications for Flex Appliance
    2.  
      About the Flex Appliance documentation
  2. Release notes
    1.  
      NetBackup 10.4 application new features, enhancements, and changes
    2.  
      Supported upgrade paths to this release
    3.  
      Operational notes
  3. Geting started
    1.  
      Prerequisites before you can create NetBackup application instances
    2.  
      Installing the NetBackup client packages
  4. Creating NetBackup application instances
    1. Creating application instances
      1.  
        Creating a NetBackup primary server instance
      2.  
        Creating a NetBackup media server instance
      3.  
        Creating a NetBackup WORM storage server instance
  5. Managing NetBackup application instances
    1.  
      Managing application instances from Flex Appliance and NetBackup
    2. Accessing NetBackup primary and media server instances for management tasks
      1. Managing users on a primary or a media server instance
        1.  
          Adding and removing local users on a primary or a media server instance
        2.  
          Connecting an Active Directory user domain to a primary or a media server instance
        3.  
          Connecting an LDAP user domain to a primary or a media server instance
        4.  
          Changing a user password on a primary or a media server instance
        5.  
          Using SSH keys for authentication on a primary or a media server instance
      2.  
        Configuring the multi-factor authentication on NetBackup primary and media server instance
      3. Running NetBackup commands on a primary or a media server application instance
        1.  
          Creating a NetBackup touch file on a primary or a media server application instance
        2.  
          Installing NetBackup notify scripts on a primary or a media server application instance
      4.  
        Monitoring NetBackup services on a NetBackup primary server instance
      5.  
        Mounting an NFS share on a NetBackup primary server instance
      6.  
        Setting environment variables on primary and media server instances
      7.  
        Storing custom data on a primary or a media server instance
      8.  
        Modifying or disabling the nbdeployutil utility on a primary server instance
      9.  
        Disabling SMB server signing on a media server instance
      10.  
        Enabling extra OS STIG hardening on a primary or a media server instance
      11.  
        Using a login banner on a primary or a media server instance
      12.  
        Using a primary server instance for disaster recovery
      13.  
        Authorizing a primary or a media server instance for deletion
    3. Accessing NetBackup WORM storage server instances for management tasks
      1. Managing users from the deduplication shell
        1.  
          Adding and removing local users from the deduplication shell
        2.  
          Adding MSDP users from the deduplication shell
        3.  
          Connecting an Active Directory domain to a WORM storage server for Universal Shares and Instant Access
        4.  
          Disconnecting an Active Directory domain from the deduplication shell
        5.  
          Changing a user password from the deduplication shell
      2.  
        Configuring the multi-factor authentication on NetBackup WORM storage server instance
      3.  
        Managing VLAN interfaces from the deduplication shell
      4.  
        Viewing the lockdown mode on a WORM storage server
      5.  
        Managing the retention policy on a WORM storage server
      6.  
        Managing images with a retention lock on a WORM storage server
      7.  
        Auditing WORM retention changes
      8.  
        Protecting the NetBackup catalog on a WORM storage server
      9. Managing certificates from the deduplication shell
        1.  
          Viewing the certificate details from the deduplication shell
        2.  
          Importing certificates from the deduplication shell
        3.  
          Removing certificates from the deduplication shell
      10.  
        Managing FIPS mode from the deduplication shell
      11.  
        Encrypting backups from the deduplication shell
      12. Configuring an isolated recovery environment using the web UI
        1.  
          Configuring the allowed subnets
        2.  
          Configuring the reverse connections
        3.  
          Configuring the reverse replication schedule
        4.  
          Adding a replication operation to SLP at the production primary server
      13.  
        Tuning the MSDP configuration from the deduplication shell
      14.  
        Setting the MSDP log level from the deduplication shell
      15. Managing NetBackup services from the deduplication shell
        1.  
          Managing the cyclic redundancy checking (CRC) service
        2.  
          Managing the content router queue processing (CRQP) service
        3.  
          Managing the online checking service
        4.  
          Managing the compaction service
        5.  
          Managing the deduplication (MSDP) services
        6.  
          Managing the Storage Platform Web Service (SPWS)
        7.  
          Managing the Veritas provisioning file system (VPFS) configuration parameters
        8.  
          Managing the Veritas provisioning file system (VPFS) mounts
        9.  
          Managing the NGINX service
        10.  
          Managing the SMB service
      16. Monitoring and troubleshooting NetBackup services from the deduplication shell
        1.  
          Managing the health monitor
        2.  
          Viewing information about the system
        3.  
          Viewing the deduplication (MSDP) history or configuration files
        4.  
          Viewing process information in the pseudo-file system
        5.  
          Viewing the deduplication rate of a Veritas provisioning file service (VPFS) share
        6.  
          Viewing the log files
        7.  
          Collecting and transferring troubleshooting files
      17. Managing S3 service from the deduplication shell
        1.  
          Configuring the S3 service
        2.  
          Creating or resetting root credentials
        3.  
          Changing the S3 service certificates
        4.  
          Managing the S3 service
      18.  
        Authorizing a WORM storage server for deletion

Configuring the multi-factor authentication on NetBackup WORM storage server instance

On Flex appliance, you can log in to the NetBackup WORM storage server instance through SSH. You can configure multi-factor authentication (MFA) on NetBackup WORM storage server instance.

You can perform the following tasks to configure multi-factor authentication:

  • Enroll the multi-factor authentication.

    After you enroll multi-factor authentication, user is required to provide six-digit token additionally to username and password to be able to log in. The authentication application generates the token on the mobile phone every 30 seconds.

  • Enforce the multi-factor authentication.

    By default, multi-factor authentication is optional for the users. However, msdpadm user can enforce it for all SSH login users in the application instance.

  • Reset the multi-factor authentication.

    If the user's mobile phone is lost or factory-reset, the user is no longer able to log in with a token. The msdpadm user can help the user to reset and re-enroll the multi-factor authentication.

    If msdpadm user is locked, he cannot reset multi-factor authentication for himself. To avoid this situation, we recommend that two or multiple users scan the same QR code of msdpadm user with their mobile phones. If one user loses access to the MFA token, another can help him to enroll MFA again.

To configure the multi-factor authentication for SSH login

  1. Open deduplication shell.
  2. Run the following command to enroll the multi-factor authentication for SSH login:

    setting MFA enroll

    The command generates secret key randomly and displays it as the QR code.

  3. Scan the QR code using an authentication application on your mobile phone. For example, Google Authenticator or Microsoft Authenticator.
  4. If you want to manage multiple applications using the same secret key, you can get the secret key string from one MFA-enrolled application. Use the same key to configure multi-factor authentication on another instance.

    To show the secret key and QR code, run the following command:

    setting MFA show

    To enroll MFA using a specific secret key, run the following command:

    setting MFA enroll secret=<secret>

    Note:

    The token validation is based on the server time. Ensure that the clock of the Flex Appliance and the mobile phone are correct.

  5. Run the following command to enforce multi-factor authentication for all SSH login users in the application instance. You must be msdpadm user to perform this task.

    setting MFA setenforce enforce=1 [grace_period=<days>

    For example,

    setting MFA setenforce enforce=1 grace_period=90

    • setenforce: Sets the multi-factor authentication enforcement.

      The value "1" enforces the multi-factor authentication. The value "0" disables the multi-factor authentication enforcement.

    • grace_period: The grace period in days for SSH login without multi-factor authentication. After specified grace period is over, SSH login is denied if the user still does not enroll multi-factor authentication.

  6. To reset the multi-factor authentication for the user, run the following command. You must be msdpadm user to perform this task.

    setting MFA reset user=<user name>