Search <book_title>...

NetBackup™ Commands Reference Guide

Last Published: 2024-03-27

Product(s): NetBackup & Alta Data Protection (10.4)

Introduction
Appendix A. NetBackup Commands
1. acsd
2. backupdbtrace
3. backuptrace
4. bmrc
5. bmrconfig
6. bmrepadm
7. bmrprep
8. bmrs
9. bmrsrtadm
10. bp
11. bparchive
12. bpbackup
13. bpbackupdb
14. bpcatarc
15. bpcatlist
16. bpcatres
17. bpcatrm
18. bpcd
19. bpchangeprimary
20. bpcleanrestore
21. bpclient
22. bpclimagelist
23. bpclntcmd
24. bpclusterutil
25. bpcompatd
26. bpconfig
27. bpdbjobs
28. bpdbm
29. bpdgclone
30. bpdown
31. bpduplicate
32. bperror
33. bpexpdate
34. bpfis
35. bpflist
36. bpgetconfig
37. bpgetdebuglog
38. bpimage
39. bpimagelist
40. bpimmedia
41. bpimport
42. bpinst
43. bpkeyfile
44. bpkeyutil
45. bplabel
46. bplist
47. bpmedia
48. bpmedialist
49. bpminlicense
50. bpnbat
51. bpnbaz
52. bppficorr
53. bpplcatdrinfo
54. bpplclients
55. bppldelete
56. bpplinclude
57. bpplinfo
58. bppllist
59. bpplsched
60. bpplschedrep
61. bpplschedwin
62. bppolicynew
63. bpps
64. bprd
65. bprecover
66. bprestore
67. bpretlevel
68. bpschedule
69. bpschedulerep
70. bpsetconfig
71. bpstsinfo
72. bpstuadd
73. bpstudel
74. bpstulist
75. bpsturep
76. bptestbpcd
77. bptestnetconn
78. bpup
79. bpverify
80. cat_convert
81. cat_export
82. cat_import
83. configureCerts
84. configureMQ
85. configureWebServerCerts
86. create_nbdb
87. csconfig cldinstance
88. csconfig cldprovider
89. csconfig meter
90. csconfig reinitialize
91. csconfig throttle
92. duplicatetrace
93. importtrace
94. jbpSA
95. jnbSA
96. ltid
97. mklogdir
98. msdpcldutil
99. nbauditreport
100. nbcallhomeproxyconfig
101. nbcatsync
102. NBCC
103. NBCCR
104. nbcertcmd
105. nbcertupdater
106. nbcldutil
107. nbcmdrun
108. nbcomponentupdate
109. nbcplogs
110. nbcredkeyutil
111. nbdb_admin
112. nbdb_backup
113. nbdb_move
114. nbdb_ping
115. nbdb_restore
116. nbdb_unload
117. nbdb2adutl
118. nbdbms_start_server
119. nbdbms_start_stop
120. nbdc
121. nbdecommission
122. nbdelete
123. nbdeployutil
124. nbdevconfig
125. nbdevquery
126. nbdiscover
127. nbdna
128. nbemm
129. nbemmcmd
130. nbepicfile
131. nbfindfile
132. nbfirescan
133. nbfp
134. nbftadm
135. nbftconfig
136. nbgetconfig
137. nbhba
138. nbholdutil
139. nbhostidentity
140. nbhostmgmt
141. nbhypervtool
142. nbidpcmd
143. nbimageshare
144. nbinstallcmd
145. nbjm
146. nbkmiputil
147. nbkmscmd
148. nbkmsutil
149. nboraadm
150. nborair
151. nboracmd
152. nbpem
153. nbpemreq
154. nbmariadb
155. nbmlb
156. nbperfchk
157. nbplupgrade
158. nbrb
159. nbrbutil
160. nbreplicate
161. nbrepo
162. nbrestorevm
163. nbseccmd
164. nbserviceusercmd
165. nbsetconfig
166. nbshvault
167. nbsmartdiag
168. nbsnapimport
169. nbsnapreplicate
170. nbsqladm
171. nbsqlite
172. nbstl
173. nbstlutil
174. nbstop
175. nbsu
176. nbsvrgrp
177. netbackup_deployment_insights
178. resilient_clients
179. restoretrace
180. stopltid
181. tldd
182. tldcd
183. tpautoconf
184. tpclean
185. tpconfig
186. tpext
187. tpreq
188. tpunmount
189. verifytrace
190. vltadm
191. vltcontainers
192. vlteject
193. vltinject
194. vltoffsitemedia
195. vltopmenu
196. vltrun
197. vmadd
198. vmchange
199. vmcheckxxx
200. vmd
201. vmdelete
202. vmoprcmd
203. vmphyinv
204. vmpool
205. vmquery
206. vmrule
207. vmupdate
208. vnetd
209. vssat
210. vwcp_manage
211. vxlogcfg
212. vxlogmgr
213. vxlogview
214. W2KOption

Name

bpnbat — perform Authentication tasks from within NetBackup

SYNOPSIS

bpnbat [-AddDomain | -RemoveDomain] Private_Domain

bpnbat [-AddMachine]

bpnbat [-AddUser | -RemoveUser] Name Private_Domain

bpnbat -GetBrokerCert Broker_Name Broker_Port

bpnbat -Login [-Info answer_file] [-cf credential_file] [-LoginType AT|WEB|APIKEY|WEBUI] [-skipDomainValidation] [-i | -Interactive]

bpnbat -LoginMachine

bpnbat -Logout [-LogoutType AT|WEB|APIKEY|WEBUI] [-cf credential_file]

bpnbat -RemoveBrokerCert host_name

bpnbat -RenewCred [-cf credential_file]

bpnbat -ShowBrokerCerts

bpnbat -ShowMachines

bpnbat -Version

bpnbat -WhoAmI [-cf credential_file] [-Verify]

On UNIX systems, the directory path to this command is /usr/openv/netbackup/bin/

On Windows systems, the directory path to this command is install_path\NetBackup\bin\

DESCRIPTION

The bpnbat command is a tool that enables a user to use the Veritas Product Authentication and Authorization Service.

This service contains the following two distinct parts:

Authentication - prove who you are
Authorization - check what you can do

bpnbat enables a user to do authentication tasks from within NetBackup.

If a command needs a password, it doesn't echo the password or asterisks, which someone can use to narrow the password search space significantly.

NetBackup Access Control requires the user's home directories to work correctly.

You must have administrator privileges to run the following command options: -AddDomain, -RemoveDomain, -AddMachine, -AddUser, -RemoveUser, -LoginMachine, and -ShowMachines.

OPTIONS

[-AddDomain | -RemoveDomain] Private_Domain

These options enable an administrator that runs locally on an Authentication server to add or remove domains within the private Veritas Domain Database. These domains are not accessible from within any operating system. They are meaningful only within Veritas Product Authentication and Authorization Service. Use them where a centralized naming authority (such as a PDC/AD or NIS domain) is not available.

-AddMachine

Registers a computer in a private Veritas Product Authentication. The identity is placed in the private domain NBU_Machines@at.server.name. Run this option on your authentication broker (root +ab).

[-AddUser | -RemoveUser] Private_Domain

Enables an administrator that runs locally on an Authentication server to add or remove users from domains in the private Veritas Domain Database. These accounts are meaningful only within Veritas Product Authentication and Authorization Service. Use them when a centralized naming authority (such as PDC/AD or NIS domain) is not available.

-GetBrokerCert

Obtains a broker certificate without authenticating to a broker.

-Login [-Info answer_file] [-cf credential_file] [-LoginType AT|WEB|APIKEY|WEBUI][-requestApproval] [-i | -Interactive]

Identifies yourself to the system. When you run this command with no options, you are prompted to enter a name, password, domain, authentication type, and a server to authenticate. The combination of a name, password, domain, and domain type creates a unique identity within an Enterprise-wide network. The first time a broker is contacted, you are asked if you want to trust that broker and authenticate them. You cannot use an untrusted broker.

Note:

You must use the bpnbat -login command to perform certain authorization token and host ID-based certificate-related operations.

The -Info option accepts the name, password, and domain information from an answer file. The password is optional in the answer file. You can also place the certificate in a credential file (if specified) or the default location. If you do not provide a password, you are prompted for the password when you run the command.

The -Info [-i | -Interactive] option prompts you to enter the one-time password during logon when your user account is configured for multifactor authentication.

If multifactor authentication is enforced and you have not configured multifactor authentication for your user account, use of NetBackup web UI is recommended to configure multifactor authentication.

For the bpnbat -login operation on NetBackup host earlier than 10.3, you must append the one-time password to the password.

If you have not provided any value for the bpnbat -LoginType option and user enters one-time password appended to password, the web logon succeeds. The authentication of the Veritas authentication service (AT), however, fails. For successful AT authentication and web logon, you must enter the password and one-time password separately.

The -requestApproval option is applicable only for WEBUI login. Use this option to request NetBackup command line interface execution permission.

For the APIKEY login type, the answer file should contain the details in the following order:

User name
API key
Master server

Example of a sample answer file:

administrator
A1WMg0EmC4pKBXlZjL61qlqJ0YE4-IRacjViMKLg9pUVaU-XJAnroQNawlnKLaNx
nbmaster1

Warning:

Saving the user name and password in a plain text file is a potential security issue. Unauthorized users with read access to the text file can obtain the user name and password for the Veritas Product Authentication and Authorization Service to manually authenticate with the bpnbat command. Make certain that you secure access to the answer text file.

The answer file is a text file with entries for the required information.

The answer file for WEB must contain the four lines that are shown in the order shown:

domain type
domain
user name
password

A sample answer file is:

NT
Sample_Domain
administrator
s@Mpl3

The answer file for AT must contain the four lines that are shown in the order shown:

domain type
domain
user name
password
authentication broker

A sample answer file is:

unixpwd
Sample_Domain
root
s@Mpl3
Sample_Domain

As previously explained, password is an optional value. The domain type value must be one of the values shown:

NIS
NIS+
NT
vx
unixpwd

If you use an answer file, ensure that the appropriate AUTHENTICATION_DOMAIN is configured on the server. See the NetBackup Security and Encryption Guide.

The NetBackup Web Management Console Service (nbwmc) always runs on the NetBackup master server. The Authentication Broker normally runs on the NetBackup master server as well. But in certain instances, it can run on a host other than the master server.

The answer file for APIKEY must contain the three lines that are shown:

Login name
API key
Master server

If the -LoginType is AT, only a NetBackup AT broker log on for the master server is performed. If the -LoginType is WEB or APIKEY, only a NetBackup web application log on for the Authentication Broker or the master server is performed. If the -LoginType is not specified, both the AT and the WEB logons are performed if the Authentication Broker is on the master server. If the -LoginType is not specified and the Authentication Broker is not on the master server: the WEB logon succeeds and the AT logon fails. The AT logon fails with a security services status code 96. If the -LoginType is APIKEY, only API key logon is performed. The - cf option is not applicable if the -LoginType is WEB or APIKEY.

-LoginMachine

Identifies a computer that uses an account within the Veritas Security Subsystem private domain NBU_Machines@at.server.name. Run this option on your NetBackup Media, Master, and Clients. This option is similar to when you log on as a user to an authentication broker.

-Logout [-cf credential_file] [-LogoutType AT|WEB|APIKEY|WEBUI]

Invalidates the current user credentials that require the user to log on again to continue. Without the -cf option, the credential that is stored at the default location is expired. The -cf option points to the actual credential file, which allows a user to explicitly specify the credential to be expired.

If the -LogoutType is AT, only a NetBackup AT broker logout is performed. If the -LogoutType is WEB, WEBUI, or APIKEY, it is a NetBackup web application logout. If the -LogoutType is not specified, the AT, web and the WEBUI logout are performed. The - cf option is applicable only for the AT logout.

-RemoveBrokerCert server.name.com

Removes a trust of a specified authentication broker for all users except the root user (administrator). You can use this command to remove a broker when you no longer trust it. For example, an authentication broker is moved to a different corporate division.

-RenewCred [-cf credential_file]

Renews the current user credentials from the VxSS store or the credential file that is specified with the -cf option.

-ShowBrokerCerts

Lists all of the brokers that the user currently trusts. NetBackup trusts any broker that is listed to handle the authentication requests that are sent to it.

-ShowMachines

Lists all computers that have been added to the computers domain of a private Veritas Security Subsystem database by using the -AddMachines option. It also shows if DNS fully resolved the computer name. Run this option on your authentication broker (root +ab).

-skipDomainValidation

Use this option to skip authentication domain validation. Applicable only for AT or WEB login.

-Version

Retrieves the version of the executable.

-WhoAmI [-cf credential_file] [-Verify]

Specifies the identity you currently use within Veritas Product Authentication and Authorization Service. It lists the following:

Name
Domain
For API key type of login, the domain is displayed as vrts.apikey
For WEBUI type of login, if approval is requested to execute NetBackup command line interface, then the domain is displayed as CLI.
Authentication broker who issued the credential
The time a certificate expires
The domain type that was used when the credential was created

EXAMPLES

Example 1 - The user uses -Login and the default port number to connect to the authentication broker that is called test.domain.veritas.com. (It is the server that handles the Authentication process.) An NIS account is used. Therefore, a domain name that is associated with the NIS account is provided in addition to a user and password.

# bpnbat -Login
Authentication Broker: test.domain.veritas.com
Authentication port[ Enter = default]:
Authentication type (NIS, NISPLUS, WINDOWS, vx, unixpwd): NIS
Domain: domain.veritas.com
Name: username
Password: 
You do not currently trust the server: test.domain.veritas.com, do 
you wish to trust it? (y/n): y
Operation completed successfully.

Example 2 - The -WhoAmI option verifies the identity that you currently use within the Veritas Product Authentication and Authorization Service.

# bpnbat -WhoAmI
Name: user name
Domain: domain.veritas.com
Issued by: /CN=broker/OU=root@eek.example.com/O=vx
Expiry Date: Oct 27 20:57:43 2009 GMT
Authentication method: NIS
Operation completed successfully.

Example 3 - Add a computer to the computer identities list:

# bpnbat -AddMachine
Machine Name: auto.domain.veritas.com
Password: 
Operation completed successfully.

Next, it shows the computer identities list:

# bpnbat -ShowMachines
auto.domain.veritas.com
Operation completed successfully

Then it logs on a computer to a specified authentication broker:

# bpnbat -LoginMachine
Does this machine use Dynamic Host Configuration Protocol (DHCP)? 
(y/n) n
Authentication Broker: test.domain.veritas.com
Authentication port[ Enter = default]: 
Name: auto.domain.veritas.com
Password: 
Operation completed successfully.

Finally, you log into a computer to a specified authentication broker and a problem occurs:

If the user has a multi-NIC configuration or types the broker name incorrectly, a second prompt appears. It gives the user a second chance to enter the proper broker name. The following example assumes sleemanNB is a private NIC name. The public NIC name that Veritas Product Authentication and Authorization Service uses to build the authentication domain is sleeman.example.com. If a failure occurs with -loginmachine, the user has a second chance to enter an explicit primary host name for the authentication broker. (Failures include a bad computer name, wrong password, or incorrect broker name.) Refer to the following example:

# bpnbat -LoginMachine
Does this machine use Dynamic Host Configuration Protocol (DHCP)? 
(y/n) n
Authentication Broker: sleemanNB
Authentication port[ Enter = default]: 
Machine Name: challenger
Password: 
Primary host name of broker: sleeman.example.com
Operation completed successfully.

Example 4 - Obtain a broker certificate without authenticating to a broker. It expects a broker (test.domain.veritas.com) and a port (0 for default)

# bpnbat -GetBrokerCert test.domain.veritas.com 0
Operation completed successfully.

Example 5 - Lists all the brokers that the user currently trusts

# bpnbat -ShowBrokerCerts
Name: root
Domain: root@test.domain.veritas.com
Issued by: /CN=root/OU=root@test.domain.veritas.com/O=vx
Expiry Date: Jun 12 20:45:19 2006 GMT
Authentication method: Veritas Private Security

Name: root
Domain: root@auto.domain.veritas.com
Issued by: /CN=root/OU=root@auto.domain.veritas.com/O=vx
Expiry Date: Feb 17 19:05:39 2006 GMT
Authentication method: Veritas Private Security
Operation completed successfully.

Example 6 - The -RemoveBrokerCert option removes a broker when the user no longer wants to trust it. In the following example, an authentication broker is moved to a different corporate division.

# bpnbat -RemoveBrokerCert test.domain.veritas.com
Operation completed successfully.

The user can now use the -ShowBrokerCerts option to display current certificates. The previously removed certificate is no longer displayed.

Example 7 - Show how to use an answer file to supply logon information for automated commands (cron, etc.).

For UNIX: The UNIX NIS domain name is location.example.com, the user name in this domain is bgrable, and the password is hello456. The corresponding answer file for bpnbat -login must contain the following four lines:

NIS
location.example.com 
bgrable
hello456

If the answer file is located in /docs and is called login.txt, the bpnbat command executes as follows:

# bpnbat -login -info /docs/vslogin.txt

After the bpnbat -login command is run, commands like bpbackup can be run without authentication errors.

For Windows: The windows domain name is corporate, the user name in this domain is jsmith, and the user password is hello123. The corresponding answer file for bpnbat -login has to contain the following four lines:

NT
corporate 
jsmith
hello123

If the answer file is located in /docs and is called login.txt, the bpnbat command executes as follows:

# bpnbat -login -info c:\docs\vslogin.txt

After the bpnbat -login command is run, commands like bpbackup can be run without authentication errors.

Example 8 - How to use the bpnbat -login command with the -LoginType parameter.

# bpnbat -login -LoginType AT
Authentication Broker: server.domain.com
Authentication port [0 is default]: 0
Authentication type (NIS, NISPLUS, WINDOWS, vx, unixpwd, ldap): unixpwd
Domain:  server.domain.com
Login Name: root
Password:
Operation completed successfully.

# bpnbat -login -LoginType WEB
Authentication Broker: server.domain.com
Authentication port [0 is default]: 0
Authentication type (NIS, NISPLUS, WINDOWS, vx, unixpwd, ldap): unixpwd
Domain:  server.domain.com
Login Name: root
Password:
Operation completed successfully.

Example 9 - bpnbat logon for a multifactor authentication registered user

# bpnbat -Login -LoginType WEB
Authentication Broker [primaryserver is default]:
Authentication port [0 is default]:
Authentication type (NIS, NISPLUS, WINDOWS, vx, unixpwd, ldap) [unixpwd 
is default]:
Domain:  primaryserver
Login Name [root is default]:
Password:
One-time password: 016594

Operation completed successfully.

Example 10 - bpnbat logon for multifactor authentication registered user with the interactive option

# bpnbat -Login -info "/root/bpnbat.txt" -interactive
Password:
One-time password: 295362

Operation completed successfully.