NetBackup™ Commands Reference Guide
- Introduction
- Appendix A. NetBackup Commands
- acsd
- backupdbtrace
- backuptrace
- bmrc
- bmrconfig
- bmrepadm
- bmrprep
- bmrs
- bmrsrtadm
- bp
- bparchive
- bpbackup
- bpbackupdb
- bpcatarc
- bpcatlist
- bpcatres
- bpcatrm
- bpcd
- bpchangeprimary
- bpcleanrestore
- bpclient
- bpclimagelist
- bpclntcmd
- bpclusterutil
- bpcompatd
- bpconfig
- bpdbjobs
- bpdbm
- bpdgclone
- bpdown
- bpduplicate
- bperror
- bpexpdate
- bpfis
- bpflist
- bpgetconfig
- bpgetdebuglog
- bpimage
- bpimagelist
- bpimmedia
- bpimport
- bpinst
- bpkeyfile
- bpkeyutil
- bplabel
- bplist
- bpmedia
- bpmedialist
- bpminlicense
- bpnbat
- bpnbaz
- bppficorr
- bpplcatdrinfo
- bpplclients
- bppldelete
- bpplinclude
- bpplinfo
- bppllist
- bpplsched
- bpplschedrep
- bpplschedwin
- bppolicynew
- bpps
- bprd
- bprecover
- bprestore
- bpretlevel
- bpschedule
- bpschedulerep
- bpsetconfig
- bpstsinfo
- bpstuadd
- bpstudel
- bpstulist
- bpsturep
- bptestbpcd
- bptestnetconn
- bpup
- bpverify
- cat_convert
- cat_export
- cat_import
- configureCerts
- configureMQ
- configureWebServerCerts
- create_nbdb
- csconfig cldinstance
- csconfig cldprovider
- csconfig meter
- csconfig reinitialize
- csconfig throttle
- duplicatetrace
- importtrace
- jbpSA
- jnbSA
- ltid
- mklogdir
- msdpcldutil
- nbauditreport
- nbcallhomeproxyconfig
- nbcatsync
- NBCC
- NBCCR
- nbcertcmd
- nbcertupdater
- nbcldutil
- nbcmdrun
- nbcomponentupdate
- nbcplogs
- nbcredkeyutil
- nbdb_admin
- nbdb_backup
- nbdb_move
- nbdb_ping
- nbdb_restore
- nbdb_unload
- nbdb2adutl
- nbdbms_start_server
- nbdbms_start_stop
- nbdc
- nbdecommission
- nbdelete
- nbdeployutil
- nbdevconfig
- nbdevquery
- nbdiscover
- nbdna
- nbemm
- nbemmcmd
- nbepicfile
- nbfindfile
- nbfirescan
- nbfp
- nbftadm
- nbftconfig
- nbgetconfig
- nbhba
- nbholdutil
- nbhostidentity
- nbhostmgmt
- nbhypervtool
- nbidpcmd
- nbimageshare
- nbinstallcmd
- nbjm
- nbkmiputil
- nbkmscmd
- nbkmsutil
- nboraadm
- nborair
- nboracmd
- nbpem
- nbpemreq
- nbmariadb
- nbmlb
- nbperfchk
- nbplupgrade
- nbrb
- nbrbutil
- nbreplicate
- nbrepo
- nbrestorevm
- nbseccmd
- nbserviceusercmd
- nbsetconfig
- nbshvault
- nbsmartdiag
- nbsnapimport
- nbsnapreplicate
- nbsqladm
- nbsqlite
- nbstl
- nbstlutil
- nbstop
- nbsu
- nbsvrgrp
- netbackup_deployment_insights
- resilient_clients
- restoretrace
- stopltid
- tldd
- tldcd
- tpautoconf
- tpclean
- tpconfig
- tpext
- tpreq
- tpunmount
- verifytrace
- vltadm
- vltcontainers
- vlteject
- vltinject
- vltoffsitemedia
- vltopmenu
- vltrun
- vmadd
- vmchange
- vmcheckxxx
- vmd
- vmdelete
- vmoprcmd
- vmphyinv
- vmpool
- vmquery
- vmrule
- vmupdate
- vnetd
- vssat
- vwcp_manage
- vxlogcfg
- vxlogmgr
- vxlogview
- W2KOption
Name
nbseccmd — run the NetBackup Security Configuration service utility
SYNOPSIS
-disableMPA
-drpkgpassphrase
-getNBKeysize [-server master_server_name] [-json]
-getpassphraseconstraints [-workflow | -w NetBackup workflow type] [-json]
-getsecurityconfig [[-autoaddhostmapping] | [-insecurecommunication] | [-dteglobalmode] | [-dtemediamode -mediaserver media_server_name] | [-externalcertidentity] | [-auditretentionperiod]] [-masterserver master_server_name]
-nbcaList [-state value] [-json]
-nbcaMigrate -initiateMigration | -i -keysize key_value -activateNewCA | -a -completeMigration | -c -decommissionCA | -d -fingerprint certificate_fingerprint -summary | -s -hostsPendingTrustPropagation | -pt -syncMigrationDB | -S -hostsPendingRenewal | -pr [-reason description_for_auditing] [-json] [-force] [-quiet]
-resetMFA -userinfo domainType:domainName:userName
-setpassphraseconstraints [-workflow | -w NetBackup workflow type] [-lowercase | -l minimum required lowercase characters] [-uppercase | -u minimum required uppercase characters] [-specialcharacter | -s minimum required special characters] [-digit | -d minimum required digits] [-minlength | -ml minimum required passphrase length]
-setsecurityconfig [[[-autoaddhostmapping | -insecurecommunication] off|on] | [-dteglobalmode 0|1|2] | [-dtemediamode off|on -mediaserver media_server_name}] | [-externalcertidentity dn|cn] | [-auditretentionperiod number_of_days]] [-masterserver master_server_name]
-setuptrustedmaster -add | -update | -remove -masterserver master_server_name -remotemasterserver remote_master_server [-domainname domain_name] [-username username] -fpfile filename
-setuptrustedmaster - add | -update | -remove -info answer_file
-help
On UNIX systems, the directory path to this command is /usr/openv/netbackup/bin/admincmd/
On Windows systems, the directory path to this command is install_path\NetBackup\bin\admincmd\
DESCRIPTION
Use the nbseccmd command to establish trust relationships among various primary servers or to change the security configuration of the source primary server.
You must have root or administrator permissions to use this command if NetBackup Access Control (NBAC) is enabled.
Note:
If the source or the target primary server version is NetBackup 8.0 or earlier, please refer to the NetBackup Commands Guide for 8.0 or earlier. The command underwent a number of changes for NetBackup 8.1.
OPTIONS
- -activatenewca | -a
Use this option to activate the new NetBackup CA that can start issuing NetBackup certificates going forward.
- -auditretentionperiod number_of_days
Specifies the number of days to retain user actions for the audit report. If no retention period is indicated, the default audit retention period is 90 days. A value of 0 (zero) indicates that the records are never purged. The value for the auditretentionperiod option must be either 0 or more than 27.
If multiperson authorization is enabled for security properties operation, a ticket is generated. This ticket, when approved, sets the specified audit retention period.
- -autoaddhostmapping [on|off]
Use this option to manage the addition of host ID to the host name or the IP addresses that the master server automatically detects.
Hosts may have multiple host names or IP addresses associated with them. For successful communication among hosts, all relevant host names and IP addresses must be mapped to the respective host IDs. During communication, NetBackup may detect new host names or IP addresses with respect to a host ID.
When you use the -getsecurityconfig, the option takes no parameters, and reports the current setting for the -autoaddhostmapping value.
When you used the -setsecurityconfig option, this option enables or disables automatic host mapping. Use the on parameter to automatically map the host ID to the host name or the IP addresses detected. Disable this action with the off parameter.
If multiperson authorization is enabled for security properties operation and this option is used with the -setsecurityconfig option, a ticket is generated. This ticket, when approved, sets the specified security configuration attribute.
- -completeMigration | -c
Use this option to complete the NetBackup CA migration process that cleans up the migration status on the master server.
- -decommissionCA | -d
Use this option to decommission the NetBackup CA with the given fingerprint.
- -digit | -d
Specifies the minimum number of digits that are supposed to be in the passphrase.
- -disableMPA
Use this option to disable multi-person authorization for all operations.
- -domainname domain_name
Specifies the domain to which the user that is specified in -username belongs. You are prompted to enter a password to validate the credentials of the remote master server host.
The -domainname option is mandatory for a target master server that uses NetBackup certificates.
- -drpkgpassphrase
The -drpkgpassphrase option is used to specify the passphrase that is used to encrypt disaster recovery packages. If a passphrase already exists, it is overwritten.
Note:
You must set the passphrase for successful catalog backups. Failure to set the passphrase results in failed catalog backups.
The disaster recovery package stores the identity of the NetBackup master server and is created during each catalog backup.
These packages are encrypted with the passphrase that you specify here. You must provide this passphrase when you reinstall NetBackup on the master server after a disaster.
Before using this command, you must run the bpnbat command to log on:
bpnbat -login -loginType WEB
When you set the passphrase, please note:
If you have not set the passphrase constraints using the -setpassphraseconstraints option, the passphrase must contain a minimum of eight characters and a maximum of 1024 characters. If the passphrase constraints are set, ensure that all those constraints are met.
The existing passphrase and the new passphrase must be different.
You must be an authorized user with administrator or root privileges to run the nbseccmd -drpkgpassphrase command.
Only the characters that are listed are supported for the passphrase:
White spaces
Uppercase and lowercase characters (A to Z, a to z)
Numbers (0 to 9)
The special characters shown: ~ ! @ # $ % ^ & * ( ) _ + - = ` { } [ ] | : ; ' " , . / ? < >
Caution:
If you enter an unsupported character, you may face issues during disaster recovery package restore. The passphrase may not be validated and you may not be able to restore the disaster recovery package.
- -dteglobalmode 0|1|2
Specifies the data-in-transit encryption mode that is to be set at the global level. The -dteglobalmode option can have the following values:
0 or PREFERRED_OFF: Specifies that the data-in-transit encryption is disabled in the NetBackup domain. Change the NetBackup client setting to override this value.
1 or PREFERRED_ON: Specifies that the data-in-transit encryption is enabled only for NetBackup 9.1 and later clients. Change the NetBackup client setting to override this value.
2 or ENFORCED: Specifies that the data-in-transit encryption is enforced if the NetBackup client setting is either Automatic or On. With this option selected, jobs fail for the NetBackup clients that have the data-in-transit encryption set to Off and for the hosts earlier than 9.1. By default, data-in-transit encryption for NetBackup 9.1 clients is set to Off. For NetBackup 10.0 and later clients data-in-transit encryption is set to Automatic.
If multiperson authorization is enabled for security properties operation and this option is used with the -setsecurityconfig option, a ticket is generated. This ticket, when approved, sets the specified security configuration attribute.
If multifactor authentication is configured for your user account, NetBackup may prompt you to reauthenticate yourself before you perform the -setsecurityconfig operation with the -dteglobalmode option. Reauthenticate yourself by entering the one-time password that is displayed in the authenticator application on your smart device.
- -dtemediamode off|on -mediaserver media_server_name
Use this option to disable DTE for a particular media server that is involved in a data transfer job. You can change or view the DTE media server settings with the nbseccmd command on the primary server.
- -externalcertidentity dn|cn
Use this option to change the unique certificate identification attribute for external CA-signed certificate. If the option is set to dn, the complete distinguished name of the certificate is treated as a unique attribute. If the option is set to cn, only the common name of the certificate is treated as a unique identification attribute.
If multiperson authorization is enabled for security properties operation and this option is used with the -setsecurityconfig option, a ticket is generated. This ticket, when approved, sets the specified security configuration attribute.
- -fingerprint certificate_fingerprint
Specifies the fingerprint of the NetBackup CA that needs to be decommissioned. Use this option with -decommissionCA. The fingerprint can be of SHA-1 or SHA-256 algorithm.
- -fpfile filename
This option accepts the root certificate fingerprint information that is required for validating the root certificate of the remote master server. You can store the fingerprint details in a text file.
- -force
Suppresses the confirmation prompts. The -force option skips the check for the hosts awaiting trust propagation or certificate renewal. The -force option activates the new CA and completes the migration. Use this option with -completeMigration and -activatenewCA.
- -getNBKeysize master_server_name
Retrieves the key size for the NetBackup CA for the given master server.
- -getpassphraseconstraints workflow
Retrieves the passphrase constraints for a specific workflow. Lists the passphrase constraints for all workflows if the workflow is not specified.
- -getsecurityconfig -autoaddhostmapping | -insecurecommunication | externalcertidentity | -auditretentionperiod
Use this option to get the security configuration information for NetBackup. When you use the -autoaddhostmapping option, you get the value for the -autoaddhostmapping option. When you use the -insecurecommunication option, you get the value for the -insecurecommunication option. When you use the -externalcertidentity option, you get the value for the -externalcertidentity option. When you use the -auditretentionperiod option, you get the value for -auditretentionperiod option.
- -hostsPendingRenewal | -pr
Use this option to retrieve the list of hosts that require certificate renewal.
- -hostspendingtrustpropagation | -pt
Use this option to retrieve the list of hosts that do not have the required CA certificates in their trust stores.
- -info answerfile
The -info option accepts the information that is required for setting up a trusted master server. The information is stored in an answer file, which is a text file. It contains the following entries:
masterserver: remotemasterserver: trusttype: domainname: username: password: token: fpfile:
The password is optional in the answer file. If you do not provide a password, you are prompted for the password when you run the command.
Note:
The trusttype value is valid only for master servers at version 8.0 and earlier. Possible values for trusttype are mutualtrust, remoteonly, and localonly. The trusttype of localonly does not require a domain name or user credentials.
The entries in your answer file must match the format that is shown in the example.
Example sample file: masterserver:testmaster1 remotemasterserver:testmaster2 trusttype:mutualtrust domainname:testdomain username:Administrator password:abc123
- -initiateMigration | -i
Use this option to initiate the NetBackup certificate authority (CA) migration. It sets up a new CA for NetBackup with the specified certificate key size. The new CA runs in a stand-by mode until the CA is activated or the migration status moves to ACTIVATED.
This operation does not change the root CA.
Before initiating the CA migration, confirm that you do not have media servers with NetBackup versions 8.1.2.1 or earlier that are configured as cloud storage servers. Backups on these media servers fail.
- -insecurecommunication [on | off]
Use this option to manage insecure communication within your NetBackup environment. The on parameter enables insecure communication with all NetBackup hosts that are present in the NetBackup environment. Disable insecure communication with the off parameter.
Veritas implemented new security features in 8.1 which are not present in NetBackup 8.0 and earlier. NetBackup communicates with 8.0 and earlier hosts insecurely. For increased security, upgrade all your hosts to the current version of NetBackup, and then use this option with the on parameter. This action ensures that only secure communication is possible between NetBackup hosts.
If multiperson authorization is enabled for security properties operation and this option is used with the -setsecurityconfig option, a ticket is generated. This ticket, when approved, sets the specified security configuration attribute.
- -json
Prints the data in JSON format on a single line.
- -keysize key_value
Use this option with the -initiateMigration option to specify the certificate key size for a new NetBackup CA that you want to set up. The key size must be one of the sizes shown: 2048, 4096, or 8192.
Caution:
You should carefully choose the key size for your environment. Choosing a large key size may reduce performance. You should consider all factors to determine the correct key size for your environment.
- -lowercase | -l
Specifies the minimum number of lowercase characters that are supposed to be in the passphrase.
- -masterserver master_server_name
Specifies the name of the master server that the user has logged into. Auto Image Replication uses this name for the current master server or the source master server.
- -minlength | -ml
Specifies the minimum required length of the passphrase.
- -nbcamigrate
Migrates the existing NetBackup CA to a new one.
- -nbcaList
Use this option to list the NetBackup CAs in your NetBackup domain.
- -resetMFA
Reset multifactor authentication (MFA) of a specific NetBackup user. After the reset, the user can reconfigure multifactor authentication, if required. Only privileged users such as root or administrator can reset multifactor authentication for other NetBackup users.
- -quiet
Suppresses the prompt message to proceed further. You can use this option with the -initiateMigration option.
- -reason description_for_auditing
Specifies the reason that is stored in the audit record for this operation.
- -remotemasterserver remote_master_server
Specifies the name of the remote master server with whom the trust is to be established. Auto Image Replication uses this name for the target master server.
- -remoteonly | -localonly | -mutualtrust
Specifies the way that a trust must be established. Either the local master (source) trusts the remote master (target) or vice versa. If neither of these options is specified, a two-way trust (-mutualtrust) is established.
- -setpassphraseconstraints
Sets the passphrase constraints for a specific NetBackup workflow. For example disaster recovery (DR) package.
- -setsecurityconfig -autoaddhostmapping | -insecurecommunication | externalcertidentity | -auditretentionperiod number_of_days
Use this option to set the security configuration information for NetBackup. When you use the -autoaddhostmapping option, you set the behavior for the addition of host names and IP addresses. When you use the -insecurecommunication option, you set the behavior for secure communication. When you use the -externalcertidentity option, you set the behavior for unique external certificate identification attribute. When you use the -auditretentionperiod number_of_days option, you specify how long audit records are retained for the audit report.
If multiperson authorization is enabled for security properties operation and -setsecurityconfig option is used with any of the above four options, a ticket is generated. This ticket, when approved, sets the specified security configuration attribute.
If multifactor authentication is configured for your user account, NetBackup may prompt you to reauthenticate yourself before you perform the -setsecurityconfig operation with any of the previous four options. Reauthenticate yourself by entering the one-time password that is displayed in the authenticator application on your smart device.
- -setuptrustedmaster -add | -update | -remove
Add, update, or remove inter-domain trust across master servers. To update a trust relationship, run the -update option on both the source and the target server. Both servers must be on version 8.1. or later. You must use the -update option if after you establish a trust, you upgrade the source or the target master server to version 8.1 or later. To remove a trusted master server, the domain, user name, and password are not required.
You can update the trust with external certificate to the trust with NetBackup certificate and vice versa.
You must run the bpnbat command to remove a trusted master before you can use the -setuptrustedmaster option. Log on locally on the master server you want to remove and use the bpnbat command as shown: bpnbat -login -loginType WEB
The user that is specified during the bpnbat -login -loginType WEB operation should have permissions equivalent to the Default Security Administrator role in NetBackup RBAC.
To remove the trust that is added using an external certificate, you do not need to run the bpnbat -login command.
If your user account is configured for multifactor authentication on the target host, append the appropriate one-time password to the password.
- specialcharacter | -s
Specifies the minimum number of special characters that are supposed to be in the passphrase.
- -state value
Use this option with the -nbcaList option to retrieve NetBackup CAs of a particular state, for example: ACTIVE, ABANDONED, or DECOMMISSIONED. Use comma-separated states to filter the result with more than one state.
- -summary
Retrieves the NetBackup CA migration information. It shows the current NetBackup CA migration status and the fingerprint of the current certificate-issuing NetBackup CA.
- -syncMigrationDB | -S
Updates the CA migration database with the current NetBackup CA certificate details.
- -uppercase | -u
Specifies the minimum number of uppercase characters that are supposed to be in the passphrase.
- -userinfo domainType:domainName:userName
Information of the user for whom you want to reset multifactor authentication. Specify domain type (such as NT, VX, or UNIXPWD), domain name, and username. If the domain type is unixpwd, the domain name can be blank (unixpwd::username). In case of other domain types, the domain name must be provided.
- -username username
Specifies the logon user name of the remote master server host. This option is used with the -domainname option. You are prompted to enter a password to validate the credentials of the remote master server host. If you specify only the domain name, you are prompted to enter the Authorization Token of the remote master server.
The -username option is mandatory for the target master server that uses NetBackup certificate.
- -workflow | -w
Specifies the NetBackup workflow for which you want to set a passphrase. For example to set a passphrase for DR package, the value of the -workflow option should be set to DR_PKG.
EXAMPLES
Example 1 - Set up a trusted master server using user credentials.
nbseccmd -setuptrustedmaster -add -masterserver testmaster1 -remotemasterserver testmaster2 -domainname testdomain -username Administrator Password:****** The SHA1 fingerprint of root certificate is C7:87:7F:9D:13:B4:67:F6:D9:65:F4:95:EC:DC:D4:50:8C:20:18:BF. Are you sure you want to continue using this certificate ? (y/n): y The validation of root certificate fingerprint is successful. CA certificate stored successfully from server testmaster2. testdomain.com. Host certificate received successfully from server testmaster2. testdomain.com. Trusted master operation successful.
Example 2 - Set up a trusted master server using authentication token.
nbseccmd -setuptrustedmaster -add -masterserver testmaster1 -remotemasterserver testmaster2 -domainname testdomain Authorization Token:***** The SHA1 fingerprint of root certificate is C7:87:7F:9D:13:B4:67:F6:D9:65:F4:95:EC:DC:D4:50:8C:20:18:BF. Are you sure you want to continue using this certificate ? (y/n): y The validation of root certificate fingerprint is successful. CA certificate stored successfully from server testmaster2. testdomain.com. Host certificate received successfully from server testmaster2. testdomain.com. Trusted master operation successful.
Example 3 - Set up a trusted master server using -fpfile.
nbseccmd -setuptrustedmaster -add -masterserver testmaster1 -remotemasterserver testmaster2 -domainname testdomain -username Administrator -fpfile C:\fp_file Password:****** The validation of root certificate fingerprint is successful. CA certificate stored successfully from server testmaster2. testdomain.com. Host certificate received successfully from server testmaster2. testdomain.com. Trusted master operation successful.
Example 4 - Set up a trusted master server using an answer file.
nbseccmd -setuptrustedmaster -add -info C:\nbseccmd_answerfile.txt The validation of root certificate fingerprint is successful. CA certificate stored successfully from server testmaster2. testdomain.com. Host certificate received successfully from server testmaster2. testdomain.com. Trusted master operation successful.
Example 5 - Update trust after you upgrade both the source and the master server to version 8.1 and later.
-setuptrustedmaster -update -masterserver testmaster1 -remotemasterserver testmaster2 Authorization Token: Authenticity of root certificate cannot be established. The SHA1 fingerprint of root certificate is finger_print_details Are you sure you want to continue using this certificate ? (y/n): y The validation of root certificate fingerprint is successful. CA certificate stored successfully from server testmaster2. Host certificate received successfully from server testmaster2. Trusted master operation successful
Example 6 - Remove a trusted master server.
-setuptrustedmaster -remove -masterserver testmaster2 -remotemasterserver testmaster1 Certificate revoke request processed successfully. Trusted master operation successful