EMC® NetWorker® Version 8.2 SP1 Security Configuration Guide 302-001-577 REV 02

Copyright © 2014-2015 EMC Corporation. All rights reserved. Published in USA.

Published February, 2015

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

The information in this publication is provided as is. EMC Corporation makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose. Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

EMC², EMC, and the EMC logo are registered trademarks or trademarks of EMC Corporation in the United States and other countries. All other trademarks used herein are the property of their respective owners.

For the most up-to-date regulatory document for your product line, go to EMC Online Support (https://support.emc.com).

EMC Corporation, Hopkinton, Massachusetts 01748-9103, 1-508-435-1000, In North America 1-866-464-7381, www.EMC.com


CONTENTS

Figures 5
Tables 7
Preface 9

Chapter 1 Introduction 13

Chapter 2 Access Control Settings 15
User authentication 16
    Configuring the NMC server and the default user 16
    Configuring the NetWorker server administrators list 17
    Configuring user access to NetWorker servers in NMC 17
User authorization 38
    NMC server authorization 38
    Server authorization 39
    Troubleshooting authorization errors and NetWorker server access issues 50
Component access control 51
    Component authentication 51
    Component authorization 67

Chapter 3 Log Settings 71
NetWorker log files 72
View log files 76
    Rendering a raw file manually 76
    Rendering raw log files at runtime 78
Raw log file management 79
    Managing raw log file size for the daemon.raw, networkr.raw, and gstd.raw files 81
Monitoring changes to the NetWorker server resources 82
Configuring logging levels 83
    Setting the debug level for NetWorker daemons 83
    Run scheduled backups in debug mode 87
    Running client-initiated backups in debug mode from command line 88
    Run Recoveries in debug mode 88

Chapter 4 Communication Security Settings 93
Port usage and firewall support 94
    Service ports 94
    Connection ports 94
Special considerations for firewall environments 94
    Configuring TCP keep alives at the operating system level 95
Determining service port requirements 97
    NetWorker client service port requirements 97
    Service port requirements for NetWorker storage nodes 98
    Service port requirements for the NetWorker server 99
    Service port requirements for NMC Server 100
Configuring service port ranges in NetWorker 101
    Determine the available port numbers 101
    Configuring the port ranges in NetWorker 101
Configuring the service ports on the firewall 104
    How to confirm the NMC server service ports 107
Determining service port requirement examples 107
Troubleshooting 112

Chapter 5 Data Security Settings 115
Encrypting backup data 116
    Modifying the lockbox resource 116
    Defining the AES pass phrase 117
    Configuring the client resource to use AES encryption 117
    Configure encryption for a client-initiated backup 118
    Recover encrypted data 119
    Federal Information Processing Standard Compliance 120
Data integrity 122
    Verifying the integrity of the backup data 122
    Verifying the integrity of the NetWorker server media data and client file indexes 124
Data erasure 125
    NetWorker server media database and index data management 125
    Manually erasing data on tape and VTL volumes 126
    Manually erasing data from an AFTD 126
Security alert system settings 127
    Monitoring changes to NetWorker server resources 127
    Security audit logging 127

Index 141

FIGURES

1 LDAP User Container 27
2 LDAP Group Container 27
3 Manage Authentication Authorities values for an LDAP configuration 28
4 ADSI Edit for User Container 28
5 ADSI Edit Group Container 30
6 Manage Authentication Authorities values for AD configuration 31
7 Create user window 37
8 Uni-directional firewall with storage nodes 108
9 Uni-directional firewall with storage nodes 109
10 Bi-directional firewall with Data Domain appliance 110
11 The audit log server manages a single data zone 129
12 The NMC server is the audit log server for multiple data zones 130
13 Each NetWorker server in a data zone is the audit log server 131
14 Security Audit Log resource 139

TABLES

1 Revision history 9
2 Authority configuration parameters 23
3 Hierarchy errors in the Configure Login Authentication wizard 32
4 NMC user roles and associated privileges 38
5 Operations allowed for each NetWorker privilege 41
6 Privileges associated with each NetWorker User Group 45
7 NetWorker log files 72
8 Raw log file attributes that manage log file size 80
9 Raw log file attributes that manage the log file trimming mechanism 80
10 Setting TCP parameters for each operating system 95
11 Standard NetWorker Client port requirements to NetWorker server 97
12 Additional service port requirements for Snapshot clients 98
13 Service port requirements for storage nodes 98
14 NetWorker server program port requirements 99
15 Port requirements to NMC server to each NetWorker client 101
16 nsrports options 103
17 Port requirements for NetWorker communications with third-party applications 104
18 NetWorker supported platforms that contain RSA BSAFE FIPS compliant encryption technologies 121
19 Levels available for the nsrck process 124
20 Security event resources and attributes 131
21 Security audit log interoperability matrix 134
22 Auditlog rendered service attributes 138

Preface

As part of an effort to improve its product lines, EMC periodically releases revisions of its software and hardware. Therefore, some functions described in this document might not be supported by all versions of the software or hardware currently in use. The product release notes provide the most up-to-date information on product features.

Contact your EMC technical support professional if a product does not function properly or does not function as described in this document.

Note

This document was accurate at publication time. Go to EMC Online Support (https://support.emc.com) to ensure that you are using the latest version of this document.

Purpose

This document provides an overview of security settings available in the NetWorker product.

Audience

This document is part of the EMC NetWorker documentation set, and is intended for use by system administrators who are responsible for setting up and maintaining NetWorker and managing a secure network.

Revision history

The following table presents the revision history of this document.

Table 1 Revision history

Revision Date Description

01 Jan 28, 2015 First release of this document for EMC NetWorker 8.2 SP1.

02 Feb 20, 2015 Updated the Access Control chapter to include information about how to change the NMC database connection credentials that previously appeared in the EMC NetWorker Administration Guide.

Related documentation

The NetWorker documentation set includes the following publications:

- EMC NetWorker Online Software Compatibility Guide: Provides a list of client, server, and storage node operating systems supported by the EMC information protection software versions. You can access the Online Software Compatibility Guide on the EMC Online Support site at https://support.emc.com. From the Support by Product pages, search for NetWorker using "Find a Product", and then select the Install, License, and Configure link.

- EMC NetWorker Administration Guide: Describes how to configure and maintain the NetWorker software.

- EMC NetWorker Cluster Installation Guide: Contains information related to configuring NetWorker software on cluster servers and clients.

- EMC NetWorker Installation Guide: Provides information on how to install, uninstall and update the NetWorker software for clients, storage nodes, and servers on all supported operating systems.

- EMC NetWorker Updating from a Previous Release Guide: Describes how to update the NetWorker software from a previously installed release.

- EMC NetWorker Release Notes: Contains information on new features and changes, fixed problems, known limitations, environment and system requirements for the latest NetWorker software release.

- EMC NetWorker Avamar Devices Integration Guide: Provides planning and configuration information on the use of Avamar devices in a NetWorker environment.

- EMC NetWorker Command Reference Guide: Provides reference information for NetWorker commands and options.

- EMC NetWorker Data Domain Deduplication Devices Integration Guide: Provides planning and configuration information on the use of Data Domain devices for data deduplication backup and storage in a NetWorker environment.

- EMC NetWorker Error Message Guide: Provides information on common NetWorker error messages.

- EMC NetWorker Licensing Guide: Provides information about licensing NetWorker products and features.

- EMC NetWorker Management Console Online Help: Describes the day-to-day administration tasks performed in the NetWorker Management Console and the NetWorker Administration window. To view Help, click Help in the main menu.

- EMC NetWorker User Online Help: Describes how to use the NetWorker User program, the Windows client interface, to connect to a NetWorker server to back up, recover, archive, and retrieve files over a network.

Special notice conventions used in this document

EMC uses the following conventions for special notices:

NOTICE

Addresses practices not related to personal injury.

Note

Presents information that is important, but not hazard-related.

Typographical conventions

EMC uses the following type style conventions in this document:

Italic Use for full titles of publications referenced in text

Monospace Use for:

- System code

- System output, such as an error message or script

- Pathnames, file names, prompts, and syntax

- Commands and options

Monospace italic Use for variables


Monospace bold Use for user input

[ ] Square brackets enclose optional values

| Vertical bar indicates alternate selections - the bar means “or”

{ } Braces enclose content that the user must specify, such as x or y or z

... Ellipses indicate non-essential information omitted from the example

Where to get help

EMC support, product, and licensing information can be obtained as follows:

Product information

For documentation, release notes, software updates, or information about EMC products, go to EMC Online Support at https://support.emc.com.

Technical support

Go to EMC Online Support and click Service Center. You will see several options for contacting EMC Technical Support. Note that to open a service request, you must have a valid support agreement. Contact your EMC sales representative for details about obtaining a valid support agreement or with questions about your account.

Online communities

Visit EMC Community Network at https://community.emc.com for peer contacts, conversations, and content on product support and solutions. Interactively engage online with customers, partners, and certified professionals for all EMC products.

Your comments

Your suggestions will help us continue to improve the accuracy, organization, and overall quality of the user publications. Send your opinions of this document to [email protected]


CHAPTER 1

Introduction

EMC® NetWorker® is a heterogeneous backup application that addresses data protection challenges. The centralized management capabilities of NetWorker provide effective data protection for file systems, enterprise applications, storage arrays, and NAS filers to a variety of target devices.

This guide provides an overview of security configuration settings available in NetWorker, secure deployment, and physical security controls needed to ensure the secure operation of the product.

This guide is divided into the following sections:

Access Control Settings

Access control settings enable the protection of resources against unauthorized access. This chapter provides an overview of the settings available in the product to ensure a secure operation of the product and describes how you can limit product access by end-users or by external product components.

Log Settings

A log is a chronological record that helps you to examine the sequence of activities surrounding or leading up to an operation, procedure, or event in a security-related transaction from beginning to end. This chapter describes how to access and manage the log files available in NetWorker.

Communication Security Settings

Communication security settings enable the establishment of secure communication channels between NetWorker components, NetWorker components and external systems, and NetWorker components and external components. This chapter describes how to ensure NetWorker uses secure channels for communication and how to configure NetWorker in a firewall environment.

Data Security Settings

Data security settings enable you to define controls that prevent unauthorized access and disclosure of data permanently stored by NetWorker. This chapter describes the settings available to ensure the protection of the data handled by NetWorker.


CHAPTER 2

Access Control Settings

Access control settings enable the protection of resources against unauthorized access. This chapter describes settings you can use to limit access by end-user or by external product components.

- User authentication 16
- User authorization 38
- Component access control 51


User authentication

User authentication settings control the processes that the NetWorker Management Console (NMC) and the NetWorker software applications use to verify the identity claimed by a user and to determine the level of access allowed to the user.

When you use a web browser on a host (NMC client) to connect to the NMC server, the http daemon on the NMC server downloads the Java client to the NMC client. You do not require a secure http (https) connection because only the Java client transfers information and performs authentication between the NMC server and NMC client. The NMC server uses SSL to encrypt the username and password that you specify in the login window and authenticates the credentials. The first time an NMC client connects to the NMC server, the NMC server uses Native NMC-based authentication to authenticate the user credentials. After you connect to the NMC server for the first time, you can continue to use the NMC-based authentication or you can configure access to the NMC server by using an external authentication authority, such as LDAP or AD.

If the NetWorker server and the NMC server are on different hosts, then ensure that the administrators list attribute on the NetWorker server includes the appropriate NMC user accounts before you connect to a NetWorker server. Configuring the administrator list on page 17 provides more information.

Configuring the NMC server and the default user

The NMC server has one default administrator account. When you use an NMC client to connect to the NMC server for the first time, the configuration wizard prompts you to set the password.

Before you begin

These steps assume that you have installed the NetWorker software and that you have met all of the software and hardware requirements on the computer that will access the NMC server. The EMC NetWorker Installation Guide on the EMC Online Support site provides more information.

Procedure

1. From a supported web browser, type the URL of the NMC server: http://server_name:http_service_port

where:

- server_name is the name of the NMC server.

- http_service_port is the port for the embedded HTTP server. The default HTTP port is 9000.

For example: http://houston:9000

2. On the Welcome window, click Start.

3. On the Security Warning window, click Start to install and run NetWorker Console.

4. On the Licensing Agreement window, select Accept.

5. If you did not install the appropriate JRE version on the system, then a prompt to install JRE appears. Follow the onscreen instructions to install JRE.

6. On the Welcome to the Console Configuration Wizard window, click Next.

7. On the Set Administrator password window, type the NMC password, and click Next.

8. On the Set Database Backup Server window, specify the name of the NetWorker server that will back up the NMC server database, and then click Next.


9. On the Add NetWorker servers window, specify the names of the NetWorker servers that the NMC server will manage. When you specify more than one NetWorker server, add one name per line. Leave the default options Capture Events and Gather Reporting Data enabled.

- Enable the Capture Events option to allow the NMC server to monitor and record alerts for events that occur on the NetWorker server.

- Enable the Gather Reporting Data option to allow the NMC server to automatically collect data about the NetWorker server and generate reports. The NetWorker Administration Guide on the EMC Online Support Site describes how to run reports and shows the reports that are available.

10. Click Finish.

Results

The Console window appears with a list of NetWorker servers.

Configuring the NetWorker server administrators list

The NetWorker server software provides administrator access by default to the root user on a Unix NetWorker server and members of the Windows Administrators group on a Windows NetWorker server. Administrator access gives a user all the NetWorker privileges required to change the configuration of a NetWorker server.

Before you begin

Log in to the NetWorker server as an administrator on Windows or as root on UNIX.

When the NMC server and the NetWorker server are on the same host, the NetWorker server install automatically adds the owner of the gstd process and the NMC administrator user to the administrators list of the NetWorker server. When the NMC server and the NetWorker server are on separate hosts, you must add the owner of the gstd process and the NMC administrator user to the administrators list on the NetWorker server. Add the NMC administrator account to the Administrators list attribute to enable the NMC administrator user to administer and monitor the NetWorker server. The owner of the gstd process is the user that starts the gstd daemon on UNIX or the EMC GST service on Windows. By default, the process owner is the SYSTEM user on Windows and the root user on UNIX.

Procedure

1. From a command prompt, use the nsraddadmin command to add the gstd process owner to the NetWorker server Administrators list attribute.

On Windows, type: nsraddadmin -u "user=SYSTEM, host=NMC_host"

On UNIX, type: nsraddadmin -u "user=root, host=NMC_host"

2. Add the NMC administrator user to the Administrators list attribute on the NetWorker server: nsraddadmin -u "user=administrator, host=NMC_host"

where NMC_host is the NMC server hostname.

Configuring user access to NetWorker servers in NMC

The NMC server allows you to restrict or grant access to a NetWorker server based on the NMC username. Requests to NetWorker servers through the NetWorker Administration window always come from the NMC server. The privileges assigned to an NMC user on the NetWorker server are based on the entries present in the Users attribute of the User Group resources on the NetWorker server.

The NMC server controls how the NMC user accesses a managed NetWorker server. When you enable the User Authentication for NetWorker system option on the NMC server, you can grant and restrict NetWorker server access and privileges to individual NMC user accounts. When you disable the User Authentication for NetWorker option, access requests to a NetWorker server appear to come from the gstd process owner on the NMC server. All NMC users that access the NetWorker server are granted the same access and privilege rights that are assigned to the gstd process owner account. The NMC server enables the User Authentication for NetWorker system option by default. When you enable the option, the NMC server software creates a separate network connection from the NMC server to a NetWorker server for each NMC user that has an Administration window open to that server. Additional network connections might require access to additional firewall service ports.

When you do not set the User Authentication for NetWorker system option, there is only one network connection from the NMC server to the managed NetWorker server.

NetWorker supports the use of Native NMC-based authentication or LDAP/AD authentication to restrict or grant access to the NMC server and NetWorker servers.

Modifying the User Authentication for NetWorker system option

Use these steps to define how the NMC server controls the user account that requests NetWorker server access.

Procedure

1. From the Console window, click Setup.

2. From the Setup menu, select System Options.

3. Set the User Authentication for NetWorker option.

- When enabled, the NMC username determines the level of user access to the NetWorker server.

- When disabled, the user id of the gstd process owner determines the level of user access to the NetWorker server.

4. Click OK.

Configuring Native NMC-based authentication

Native NMC-based authentication uses a data store on the NMC server host to authenticate NMC users. The NMC server maintains the NMC user names and passwords. When you log in to the NMC Console for the first time, the NMC configuration wizard creates the NMC administrator account.

Additional setup is not required to enable Native NMC-based authentication, but you can add new NMC user accounts, change Console role assignments, and manage existing NMC users.

Adding NMC users

Perform the following steps to add additional NMC users when the NMC server uses Native NMC login authentication.

Before you begin

Log in to the NMC server as a Console Security Administrator. The administrator account is a Console Security Administrator.

Procedure

1. From the Console window, click Setup.

2. In the left pane, right-click Users, then select New.

The Create User dialog box appears.

3. Enter a username.

The username cannot:

- Exceed 64 characters.

- Use spaces, or any of these characters: : < > /

- Use characters with an ASCII value less than or equal to 32.

- Begin with an underscore (_) character.

4. Optionally, enter the full name of the user and a user description.

5. Select the Console user roles.

6. Enter the user password.

Ensure that you specify a password that meets the following requirements:

- Is a minimum of eight characters long

- Is not the same as the username

If you upgrade from a previous version of NetWorker that did not enforce these password requirements, NetWorker will enforce these requirements when you attempt to change the password.

7. In the Confirm Password attribute, re-enter the password.

8. Click OK.
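The username and password rules above are easy to get wrong in a provisioning script; this added helper (not part of the EMC guide) checks a proposed NMC username and password against exactly those rules before the account is created. It assumes POSIX sh with printf and tr available.

```shell
#!/bin/sh
# Added example, not from the EMC guide: pre-check an NMC username and password
# against the rules in "Adding NMC users". POSIX sh only; ${#var} counts
# characters in the shell's locale, which is exact for ASCII names.

# Print "ok" and return 0 if NAME is an acceptable NMC username;
# otherwise print the reason and return 1.
nmc_username_check() {
    name=$1
    if [ -z "$name" ]; then
        echo "rejected: empty username"; return 1
    fi
    # Cannot exceed 64 characters.
    if [ "${#name}" -gt 64 ]; then
        echo "rejected: longer than 64 characters"; return 1
    fi
    # Cannot begin with an underscore.
    case $name in
        _*) echo "rejected: begins with an underscore"; return 1 ;;
    esac
    # Cannot contain spaces or any of : < > /
    case $name in
        *' '*|*:*|*'<'*|*'>'*|*/*)
            echo "rejected: contains a space or one of : < > /"; return 1 ;;
    esac
    # Cannot contain a character with ASCII value <= 32 (tab, newline, other
    # control characters): delete octal 000-040 and see whether anything went.
    stripped=$(printf '%s' "$name" | LC_ALL=C tr -d '\000-\040')
    if [ "$stripped" != "$name" ]; then
        echo "rejected: contains a control character (ASCII <= 32)"; return 1
    fi
    echo "ok"; return 0
}

# Print "ok" and return 0 if PASSWORD is acceptable for USERNAME;
# otherwise print the reason and return 1.
nmc_password_check() {
    password=$1
    username=$2
    # Minimum of eight characters.
    if [ "${#password}" -lt 8 ]; then
        echo "rejected: shorter than eight characters"; return 1
    fi
    # Must not be the same as the username.
    if [ "$password" = "$username" ]; then
        echo "rejected: same as the username"; return 1
    fi
    echo "ok"; return 0
}

# Check both at once; returns 0 only when username and password both pass.
nmc_account_check() {
    u_result=$(nmc_username_check "$1") || true
    p_result=$(nmc_password_check "$2" "$1") || true
    echo "username: $u_result"
    echo "password: $p_result"
    [ "$u_result" = ok ] && [ "$p_result" = ok ]
}

# Usage: nmc_account_check backupadmin 'S3cure-pass!'
```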

Modifying NMC users

You can modify the password, descriptive information, and the roles of an existing NMC user account.

Before you begin

Log in to the NMC server as a Console Security Administrator. The administrator account is a Console Security Administrator.

Procedure

1. From the Console window, click Setup.

2. In the left pane, select Users.

3. Right-click the user and then select Properties.

4. On the Identification tab, modify the attributes as required.

Deleting an NMC user

This section describes how to remove NMC users. You cannot remove the administrator user.

Procedure

1. Log into the Console server as a Console Security Administrator.

The NMC user administrator is a Console Security Administrator.

2. From the Console window, click Setup.


3. In the left pane, select Users.

4. Right-click the user and then select Delete.

5. Click Yes to confirm the deletion.

If the user had saved customized reports, then a dialog box prompts for the username to which to reassign those reports. Otherwise, the reports can be deleted.

Resetting the NMC administrator password

Use the GST_RESET_PW environment variable to reset the password for the NMC administrator account.

Resetting the administrator password for an NMC server on Windows

Use the System applet in Control Panel to add the GST_RESET_PW variable and reset the administrator password.

Procedure

1. On the Advanced tab of the System applet, select Environment Variables.

2. Create a new System variable.

a. In the Variable Name field, specify GST_RESET_PW.

b. In the Variable value field, specify 1.

3. Restart the EMC GST Service.

When the EMC GST Service starts, the NMC server administrator password resets.

4. Use a web browser to connect to the NMC server. When prompted, type administrator in the username and password fields. The reset leaves the account with this well-known default password, so change it immediately after you log in.

5. Return to the Environment Variables window in the System applet and remove the GST_RESET_PW environment variable.

This step prevents a password reset each time the EMC GST Service starts.

Resetting the administrator password for an NMC server on UNIX

Use the GST_RESET_PW environment variable to reset a lost or forgotten administrator password to the default value.

Before you begin

Perform the following steps as the root user.

Procedure

1. Set GST_RESET_PW to a non-null value by using the appropriate command for the shell. The daemon must inherit the variable, so set it in the same shell from which you start the daemon.

For example, in the ksh shell, type the following command (with no space around the equals sign; a space would export an empty value):

export GST_RESET_PW=1

2. Use one of the following commands to stop the NMC server daemon:

• Solaris and Linux: /etc/init.d/gst stop
• AIX: /etc/rc.gst stop

3. Use one of the following commands to start the NMC server daemon:

• Solaris and Linux: /etc/init.d/gst start
• AIX: /etc/rc.gst start

When the EMC GST Service starts, the NMC server administrator password resets.


4. Use a web browser to connect to the NMC server. When prompted, type administrator in the username and password fields. The reset leaves the account with this well-known default password, so change it immediately after you log in.

5. Set GST_RESET_PW back to null by using the appropriate command for the shell.

For example, in the ksh shell, type the following command:

export GST_RESET_PW=

This step prevents a password reset each time the EMC GST Service starts.

Changing database connection credentials

When the NMC server starts for the first time, it automatically generates the login credentials used to log in to the NetWorker Console database. The NMC server stores this information internally and the user does not need to know the credentials. However, it may be necessary to force the NMC server to change the database connection credentials.

Procedure

1. Stop the GST Service.

2. Set the environment variable GST_RESET_DBPWD to any value.

For a Windows system, set this value as a System Variable, then reboot the system after you set the variable.

3. Restart the GST Service.

4. Delete the GST_RESET_DBPWD environment variable. On a Windows system, reboot the machine after you delete the variable.

Configuring LDAP or AD authentication authorities

When you configure the NMC server to authenticate users by using an external authentication authority, you log in to the NMC server with user names and passwords that are maintained by a Lightweight Directory Access Protocol (LDAP) server, an LDAP over SSL (LDAPS) server, or a Microsoft Active Directory (AD) server. You control user privileges by mapping LDAP or AD groups or user names to NMC user roles. You do not manually add user names and passwords on the NMC server.

The NetWorker software automatically distributes the LDAP or AD configuration file from the NMC server to selected NetWorker servers. This automatically puts the managed NetWorker servers in LDAP or AD mode.

When an LDAP or AD user logs into the NMC server and connects to a NetWorker server:

• The NetWorker server performs a look-up to get the LDAP or AD group that the authenticated user belongs to in the external authority. The NetWorker server does not itself authenticate the user against the LDAP authority; the NMC server has already done so at login.

• The privileges assigned to a user on the NetWorker server are based on the LDAP user or the group entries present in the External roles attribute of the User Group resource on the NetWorker server. User Group Management on page 46 provides more information about the User Group resource.


Preparing the NMC server and NetWorker server for LDAPS

Before you configure the NMC and NetWorker servers to use LDAPS, ensure that a local copy of the CA Certificate, Client Certificate, and Client Key reside in the same file system path on each NMC and NetWorker server.

Before you begin

Ensure that the LDAPS certificates use the PEM format.

When the operating system of the NMC server and any NetWorker server differs, perform the following steps to ensure that each host can successfully communicate with the LDAP server.

Procedure

1. Create a directory on the NMC server to store the certificate files:

• On a UNIX NMC server, create a subdirectory for the certificates in the NMC_installation_directory/cst directory. For example, on a Solaris NMC server, create a subdirectory called corpldap in the /opt/LGTOnmc/cst directory.

• On a UNIX NetWorker server, create a subdirectory for the certificates in the /opt/nsr/cst directory. For example, create a subdirectory called corpldap in the /opt/nsr/cst directory.

• On a Windows NMC server, create a subdirectory for the certificates in the NMC_installation_directory\cst directory. For example, create a subdirectory called corpldap in the C:\Program Files\EMC NetWorker\Management\GST\cst directory.

• On a Windows NetWorker server, create a subdirectory for the certificates in the NetWorker_installation_directory\cst directory. For example, create a subdirectory called corpldap in C:\Program Files\EMC NetWorker\nsr\cst.

2. Copy the CA Certificate to the new subdirectory on each host that will use LDAPS. If the LDAPS configuration requires a certificate from the client side, then copy the Client Certificate and Client Key to the new directory on each host.

3. Optionally, to secure the subdirectory, restrict access to the directory. Do this whenever the directory holds a Client Key: the key is a private credential, and anyone who can read it can present the client certificate to the LDAPS server.

For a UNIX host, ensure that the root account has access to the directory (for example, owned by root with mode 0700). For a Windows host, ensure that the Administrator and Local System accounts have access to the directory.

Configuring LDAP or AD authentication

After you connect to the Console server for the first time and configure the Native NMC authentication based administrator account, you can configure the NMC server to use LDAP, LDAPS, or AD authentication.

Before you begin

Log in to the NMC server with a user account that has the Console Security Administrator role. The NMC user administrator is assigned to the Console Security Administrator role by default.

Procedure

1. From the Setup menu, select Configure Login Authentication.

2. On the Select Authentication Method window, select External Repository.


3. Click Add to add a new external authentication authority.

4. Define the LDAP attributes for your configuration in the Parameters section. The following table summarizes and defines each attribute.

Table 2 Authority configuration parameters

Authority Name
  Definition: Descriptive name for the LDAP or AD server.
  Configuration: Required. This is a user defined field. If you configured the LDAPS certificate directories, ensure that the authority name matches the name of the subdirectory you created on the NMC server and the NetWorker server. For example, corpldap.

Provider Server Name
  Definition: Hostname or IP address of the LDAP or AD server.
  Configuration: Required. For LDAPS, ensure that you specify the hostname exactly as it appears in the ca.cert file. For example, if the ca.cert file contains the FQDN of the LDAPS server, you must specify the FQDN in the Provider Server Name field.

Distinguished Name
  Definition: The dn of an LDAP or AD account that you use to perform operations such as searching for users and groups in the LDAP or AD hierarchy.
  Configuration: Required. Specify an account on the LDAP or AD server that has full read access to the directory from which the AD or LDAP server accesses its data. Use a dedicated, read-only service account rather than a directory administrator account; its password is stored in the authority configuration that is distributed to every selected NetWorker server.

Password
  Definition: Password of the LDAP or AD account.
  Configuration: Required.

User Search Path
  Definition: The dn to use when searching for users on the LDAP or AD server.
  Configuration: Required.

Group Search Path
  Definition: The dn to use when searching for groups on the LDAP or AD server.
  Configuration: Required.

Group Name Attribute
  Definition: Identifies the LDAP or AD group name in the Group Search Path dn.
  Configuration: Required. Default value: cn

LDAP Timeout (millisecond)
  Definition: The time out for LDAP or AD calls.
  Configuration: Required. Range is 0 to 2 000 000 000 ms. A value of 0 indicates that calls will never time out. Default value: 30000

User ID Attribute
  Definition: The user ID associated with the users in the User Search Path dn.
  Configuration: Required. For LDAP this attribute is usually uid. For AD, this attribute is usually cn. Default value: uid

User Object Class
  Definition: The object class that identifies users in the dn defined in the User Search Path.
  Configuration: Required.

Group Object Class
  Definition: The object class that identifies groups in the LDAP or AD hierarchy of the dn defined in the Group Search Path.
  Configuration: Required. For LDAP, depending on the configuration, use groupOfNames or groupOfUniqueNames. For AD, use group. Default value: groupOfUniqueNames

Group Member Attribute
  Definition: The attribute of a group entry that lists its members, that is, users in the dn defined in the User Search Path.
  Configuration: Required. For LDAP: if the Group Object Class is groupOfNames the attribute is usually member; if the Group Object Class is groupOfUniqueNames the attribute is usually uniquemember. For AD the value is usually member. Default value: uniquemember
  Note: NetWorker cannot validate the Group Member Attribute. Ensure that you specify the correct value in the Group Member Attribute field. A wrong value is not reported as an error; users can still authenticate but receive no group-based privileges.

LDAP Debug level
  Definition: Level of debug messages to log in the gstd.raw file.
  Configuration: The default value is 0. Change this value to 1 for troubleshooting purposes only.

Protocol
  Definition: Communication protocol between the NetWorker server and the authentication server.
  Configuration: For LDAP or AD, select LDAP. For secure communications, select LDAPS. With plain LDAP the bind password of the Distinguished Name account crosses the network unencrypted.

Server Certificate (LDAPS only)
  Definition: The full path to the CA certificate on the NMC server.
  Configuration: Required for LDAPS. When the NMC server and NetWorker server are on different platforms, use a forward slash to specify the path. For example: C:/Program Files/EMC NetWorker/Management/GST/cst/corpldap/ca.cert

Client certificate (LDAPS only)
  Definition: The full path to the Client certificate on the NMC server.
  Configuration: Required for LDAPS when the LDAPS server requires a client certificate. When the NMC server and NetWorker server are on different platforms, use a forward slash to specify the path. For example: C:/Program Files/EMC NetWorker/Management/GST/cst/corpldap/client.cert

Client key (LDAPS only)
  Definition: The full path to the Client key on the NMC server.
  Configuration: Required for LDAPS when the LDAPS server requires a client certificate. When the NMC server is a Windows host, use a forward slash to specify the path, as in the other certificate fields. For example: C:/Program Files/EMC NetWorker/Management/GST/cst/corpldap/client.key

Port value
  Definition: Port number of the LDAP server.
  Configuration: Required. Default value: 389 (the standard LDAP port; LDAPS servers usually listen on 636).

5. Click Next.

Troubleshooting authentication configuration error messages on page 31 describes common error messages that might appear.

6. In the External Roles field, specify the LDAP or AD users and groups to assign to the NMC Console Security Administrator role.

7. Click Next.


If you specify a user or group that is not valid on the LDAP or AD server, then the following message appears:

External role <user or group> is invalid

8. In the Distributed Authority Configuration File window, select the NetWorker servers that will use LDAP or AD. This copies the LDAP configuration file from the NMC server to the NetWorker_install_path\nsr\cst directory on a Windows NetWorker server or the NetWorker_install_path/nsr/cst directory on a UNIX NetWorker server. The NMC server is selected by default.

9. Click Distribute.

If the value specified in the Distinguished Name field is not valid, then the following error message appears:

Failed to validate authority option. Error code: -8, message: Search for user name failed.

To resolve this issue, return to the Authority Configuration window, correct the value in the Distinguished Name field and attempt to distribute the authority configuration file again.

10. In the Monitor Distribution Progress window, review the progress of the configuration file distribution. Ensure that the authority configuration file distribution succeeds for all of the NetWorker servers.

11. Click OK.
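To see how the parameters in Table 2 fit together, the following Python code (an added example, not NetWorker's own query code) composes the directory searches that the User Object Class, User ID Attribute, Group Object Class and Group Member Attribute values drive, escapes the login name per RFC 4515 so that it cannot alter the filter, and checks the object class and member attribute pairings that the guide says NetWorker itself cannot validate. The search-path values, the user object classes inetOrgPerson (LDAP case) and user (AD case), and all function names are my assumptions.

```python
"""Compose the LDAP searches that the Table 2 authority parameters drive.
Added example; NetWorker's real queries may differ.  Search bases, the user
object classes and all function names are assumed, not taken from the guide."""

from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Authority:
    """The subset of Table 2 that shapes the user and group searches."""
    user_search_path: str
    group_search_path: str
    user_object_class: str
    user_id_attribute: str
    group_object_class: str
    group_member_attribute: str
    group_name_attribute: str = "cn"


# Constructed settings for an OpenLDAP-style directory and an AD domain.
# inetOrgPerson and user are common user object classes, not values from the guide.
LDAP_AUTHORITY = Authority("ou=People,dc=example,dc=com", "ou=Groups,dc=example,dc=com",
                           "inetOrgPerson", "uid", "groupOfUniqueNames", "uniquemember")
AD_AUTHORITY = Authority("cn=Users,dc=example,dc=com", "cn=Users,dc=example,dc=com",
                         "user", "cn", "group", "member")

# Pairings from Table 2: the member attribute each group object class normally uses.
EXPECTED_MEMBER_ATTRIBUTE = {
    "groupOfNames": "member",
    "groupOfUniqueNames": "uniquemember",
    "group": "member",
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: backslash, * ( ) and NUL become \\XX hex escapes, so a
    login name such as *)(uid=* stays a literal value instead of rewriting the filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)


def user_search(auth: Authority, login_name: str) -> Tuple[str, str]:
    """(search base, filter) that finds the entry for a login name."""
    flt = (f"(&(objectClass={escape_filter_value(auth.user_object_class)})"
           f"({auth.user_id_attribute}={escape_filter_value(login_name)}))")
    return auth.user_search_path, flt


def group_search(auth: Authority, user_dn: str) -> Tuple[str, str]:
    """(search base, filter) listing the groups whose member attribute names the user's DN."""
    flt = (f"(&(objectClass={escape_filter_value(auth.group_object_class)})"
           f"({auth.group_member_attribute}={escape_filter_value(user_dn)}))")
    return auth.group_search_path, flt


def group_parameter_warnings(auth: Authority) -> List[str]:
    """Flag a Group Object Class / Group Member Attribute mismatch before the
    wizard accepts it silently (the guide notes NetWorker cannot validate this)."""
    expected = EXPECTED_MEMBER_ATTRIBUTE.get(auth.group_object_class)
    if expected is None:
        return [f"unknown group object class {auth.group_object_class!r}; check the member attribute by hand"]
    if auth.group_member_attribute.lower() != expected.lower():
        return [f"group object class {auth.group_object_class!r} usually uses member attribute "
                f"{expected!r}, not {auth.group_member_attribute!r}"]
    return []


if __name__ == "__main__":
    for auth in (LDAP_AUTHORITY, AD_AUTHORITY):
        base, flt = user_search(auth, "jdoe")
        print(base, flt)
        print(group_search(auth, f"{auth.user_id_attribute}=jdoe,{auth.user_search_path}"))
        print(group_parameter_warnings(auth) or "group parameters consistent")
```

Running group_parameter_warnings() on the values you are about to enter catches the groupOfUniqueNames/member mix-up that otherwise shows up only as users who log in but hold no NetWorker privileges.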

Logging in to the NMC server after LDAP or AD configuration

The next time you use an NMC client to connect to the NMC server, you must specify the appropriate LDAP or AD user. If you cannot log in to the NMC server, then you can revert to Native NMC authentication mode and reconfigure AD/LDAP authentication. The NetWorker Installation Guide provides more information.

Consider the following:

• When the wizard distributes the authority file, the process adds each LDAP and AD authenticated NMC user that has the NMC Console Security Administrator role to the Security Administrators User Group on each NetWorker server that the NMC server has the privilege to manage.

Note

Members of the Security Administrators User Group have permissions to modify the Audit Log server and User Group resources only. "Modifying User Group privileges on page 47" describes how to add a manually created LDAP or AD user to a User Group on a NetWorker server.

• When an LDAP or AD user logs in to the NMC server for the first time, the NMC server automatically creates an NMC user account for the user and assigns the NMC user to the same NMC role as the LDAP or AD group.

• LDAP and AD authentication does not support the use of the administrator username.

• The NMC server cannot perform LDAP and AD administrative functions. Perform LDAP and AD administrative functions such as creating new domain users and groups with the appropriate LDAP and AD tools.


• The External Roles field for the Security Administrators User Group is not populated until an LDAP or AD user logs in for the first time.

• Troubleshooting login errors on page 35 provides detailed information to troubleshoot common login error messages.

Example: Configuring an LDAP authority

In this example, a third party LDAP management tool, LDAPAdmin, is used to view the properties of the LDAP configuration.

The following figure provides an example of the values required to specify the following attributes:

• Provider Server Name

• Distinguished Name

• User ID Attribute

• User Search Path — a combination of the Distinguished Name and User Container name.

l User Object Class

Figure 1 LDAP User Container

The following figure provides an example of the values associated with the following LDAP group attributes:

• Group Search Path — a combination of the Distinguished Name and Group Container name.

l Group Member Attribute

l Group Object Class

Figure 2 LDAP Group Container

The following image provides an example of the Manage Authentication Authorities screen with configuration details related to an LDAP server installation specified in the attribute fields.


Figure 3 Manage Authentication Authorities values for an LDAP configuration

Example: Configuring an AD authority

In this example, the Active Directory Services Interfaces Editor (ADSI Edit) program is used to view the properties of the AD configuration.

The following image provides an example of the values required to specify the following attribute fields:

• Distinguished Name — a combination of the AD Distinguished name, User container, and User ID Attribute.

• User Search Path — a combination of the Distinguished name and User Container name.

l User Object Class

l User ID Attribute

Figure 4 ADSI Edit for User Container


The following figure provides an example of the values associated with the following AD group attributes:

• Provider Server Name

• Group Container

• Group Member Attribute

• Group Object Class

• Group Search Path — a combination of the Distinguished Name and Group Container name.


Figure 5 ADSI Edit Group Container

The following figure provides an example of the Manage Authentication Authorities screen with configuration details related to an AD server installation specified in the attribute fields.


Figure 6 Manage Authentication Authorities values for AD configuration

Troubleshooting authentication configuration error messages

This section provides a list of possible causes and resolutions for authentication configuration error messages.

Authority definition must specify external authority attribute name

Appears in the Configure Login Authentication wizard when the Authority Name field is blank.

LDAP bind failed due to invalid credentials

Appears in the Configure Login Authentication wizard when:

• The LDAP or AD user specified in the Distinguished Name field is incorrect.

• The password specified for the LDAP or AD user is incorrect.

Failed to propagate external roles to NetWorker server

Appears when the distribution of the authority file fails for a NetWorker server because the NMC user used to distribute the file is not a member of the Application Administrators User Group on the NetWorker server.

To resolve this issue:

1. Close the Configure Login Authentication wizard.

2. Connect to the NetWorker server with an NMC user who is a member of the Security Administrators User Group.

3. Add the appropriate LDAP or AD group to the Application Administrators User Group.

4. Launch the Configure Login Authentication wizard and configure the new LDAP or AD authority.


No entry in hierarchy 'ou=orgname,dc=domain_component1,dc=domain_component2,dc=domain_component3 ...'

These error messages appear in the Configure Login Authentication window when the attribute value referenced in the error message is incorrect or the LDAP or AD authority cannot validate the attribute value. The following table describes the messages that appear and the attribute to correct.

Table 3 Hierarchy errors in the Configure Login Authentication wizard

Each message begins with "No entry in hierarchy 'ou=orgname,dc=domain_component1,dc=domain_component2,dc=domain_component3 ...'" and ends as listed below. The message appears in the Configure Login Authentication wizard when the value defined in the named attribute is not valid.

• ...belongs to user object class 'user_object_class'
  The value in the User Object Class attribute is not valid for the value defined in the User Search Path attribute.

• ...has a group name attribute 'groupname'
  The value in the Group Name Attribute field is not valid on the LDAP or AD server.

• ...has a user id attribute 'user_id'
  The value in the User ID Attribute field is not valid on the LDAP or AD server.

• ...belongs to object class 'group_object_class'
  The value in the Group Object Class field is not valid on the LDAP or AD server.

• ...has a group member attribute 'group_member_attribute'
  The value in the Group Member Attribute field is not valid on the LDAP or AD server.

User Search Path hierarchy 'ou=orgname,dc=domain_component1,dc=domain_component2,dc=domain_component3' does not exist or is empty

Appears in the Configure Login Authentication wizard when the value defined in the User Search Path attribute is not valid on the LDAP or AD server.

No ldap search path for usernames

Appears in the Configure Login Authentication wizard when the value defined in the User Search Path attribute is not valid on the LDAP or AD server.

Group Search Path hierarchy 'ou=orgname,dc=domain_component1,dc=domain_component2,dc=domain_component3' does not exist or is empty

Appears in the Configure Login Authentication wizard when the value defined in the Group Search Path attribute is not valid on the LDAP or AD server.

Error querying for user groups

Appears in the Configure Login Authentication wizard when the value defined in the Group Search Path attribute is not valid on the LDAP or AD server.

LDAP bind failed because the server is down

Appears in the Configure Login Authentication wizard when:

• The Port Number defined for the LDAP, LDAPS, or AD server is incorrect.

• The hostname specified in the Provider Server Name field is incorrect or the hostname is not resolvable.

• The LDAPS server requires a certificate but the Server certificate file or Client certificate file field is empty.


networker_server (Permission denied, user 'LDAP_user' on 'NMC_server' does not have 'Configure NetWorker' OR 'Change Application Settings' privilege to configure this resource) - NSR

This error message appears in two scenarios:

• While distributing the authority configuration file to a new NetWorker server, the new NetWorker server cannot authenticate the LDAP user account.

To resolve this issue, configure the NMC server to use Native NMC-based authentication and then reconfigure the LDAP or AD authorities and distribute them to all the required servers.

For example:

1. In the Distribute Authority Configuration File window, click Finish.

2. Start the Configure Login Authentication wizard again.

3. In the Select Authentication Method window, click Next.

4. Record the values in each attribute field for the configured LDAP or AD authorities;click Back.

5. In the Select Authentication Method window, select Native NetWorker Management Console and click Next.

6. Select all servers with a status Requires Update and click Distribute.

7. Click Finish.

8. Start the Configure Login Authentication wizard again and recreate the LDAP or AD authority configuration.

• When an LDAP or AD user tries to modify the Server resource (NSR) on a NetWorker server but the user is not a member of the Application Administrators or the Security Administrators User Group. To resolve this issue:

1. Close the NetWorker server and NMC server browser windows.

2. Log in to the NMC server with an LDAP or AD account that is a member of the Application Administrators or the Security Administrators User Group.

Failed to retrieve authentication control attributes from NetWorker server [NetWorker_server]

Appears when an LDAP or AD user that is not a member of the Security Administrators User Group on the NetWorker server attempts to distribute the authority configuration file to the NetWorker server.

To resolve this issue:

1. In the Distribute Authority Configuration File window, click Finish.

2. Close the NMC server browser window.

3. Log in to the NMC server with an LDAP or AD user that is a member of the Security Administrators User Group on the NetWorker server. LDAP or AD users that have the Console Security Administrator role on the NMC server are members of the Security Administrators User Group on the NetWorker server by default.


Note

Members of the Security Administrators User Group on a NetWorker server only have permissions to modify the Security Audit Log server and User Group resources. Modifying User Group privileges on page 47 describes how to modify the User Group membership on a NetWorker server.

Could not validate external authority. Failed to get status of file (clientCertificate) 'full_path_to_client_certificate': No such file or directory. Provide valid path or copy the certificates/key to the specified path

This message appears when the wizard attempts to distribute the authority configuration file to the NetWorker server, but the paths that you specified to the certificate files are incorrect.

To resolve this issue:

1. In the Distribute Authority Configuration File window, click Finish.

2. Start the Configure Login Authentication wizard again.

3. In the Select Authentication Method window, click Next.

4. Correct the pathnames in the certificate fields and retry the distribution.

Note

For Windows paths, use a forward slash (/) in the path. For example, c:/my_ldap_server.

NSR Could not validate external authority LDAP bind failed because the server is down

This message appears when there is an issue with the LDAPS certificate.

To troubleshoot LDAPS certificate issues, use the openssl program. By default, a Windows host does not include the openssl program. http://www.openssl.org describes how to obtain an openssl program from a third party provider.

1. Confirm that you can establish an SSL connection to the LDAPS server using the local copy of the certificate files:

openssl s_client -connect ldaps_server_name:ssl_port -CAfile full_path_to_server_certificate -cert full_path_to_client_certificate -key full_path_to_client_key_file

where:

• full_path_to_server_certificate is the full path to the Server Certificate file on the local host. If the environment has a hierarchy of CA authorities, then specify the root CA or the certificate file that contains all CA authority certificates.

• full_path_to_client_certificate is the full path to the Client Certificate file on the local host. This option is only required when LDAPS requires a client certificate.

• full_path_to_client_key_file is the full path to the Client Key file on the local host. This option is only required when LDAPS requires a client certificate.

For example, the LDAPS server myldaps.emc.com requires a CA certificate only. The certificate file, ca.cert, resides in the cst directory of an NMC server on Windows. In this example, type the following command:

openssl s_client -connect myldaps.emc.com:636 -CAfile "C:\Program Files\EMC NetWorker\Management\GST\cst\ca.cert"


Note

When the connection succeeds, the command returns the message:

Verify return code: 0 (ok)

For example: The LDAPS server myldaps.emc.com requires a Client Certificate and a Client Key. The certificate files and the key file reside in the cst directory of an NMC server on Windows. In this example, type the following command:

openssl s_client -connect myldaps.emc.com:636 -CAfile "C:\Program Files\EMC NetWorker\Management\GST\cst\ca.cert" -cert "C:\Program Files\EMC NetWorker\Management\GST\cst\client.cert" -key "C:\Program Files\EMC NetWorker\Management\GST\cst\client.key"


2. If the connection does not succeed, contact the LDAPS administrator to request new copies of the certificate files. To manually copy the CA certificate file from the LDAP server, perform the following steps:

a. Connect to the LDAPS server to display the Server Certificate (ca.cert) file:

openssl s_client -showcerts -connect ldaps_server_name:ssl_port

Note

The openssl command may display two certificates. The second certificate is usually the CA certificate.

b. Ensure that the certificate you receive matches the CA certificate on the LDAPS server.
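The two openssl checks above can be scripted. The following Python helper is an added example, not part of this guide or of NetWorker, and its function names are mine: it builds the s_client command from the Table 2 certificate paths, reads the Verify return code out of the output, and splits a -showcerts transcript into its PEM certificates so that the last one, normally the CA certificate, can be compared with the local ca.cert. The parsing functions run offline on captured output (the transcript below is constructed, with placeholder certificate bodies); only check_ldaps_connection() contacts a server, and it needs the openssl binary on the PATH.

```python
"""Script the openssl s_client checks for an LDAPS authority.  Added example,
not NetWorker code; function names are invented.  Needs `openssl` on PATH
only for check_ldaps_connection(); the parsers work on captured text."""

import re
import subprocess
from typing import List, Optional, Tuple

VERIFY_RE = re.compile(r"^\s*Verify return code:\s*(\d+)\s*\((.*?)\)\s*$", re.MULTILINE)
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)


def build_s_client_command(host: str, port: int, ca_file: str,
                           client_cert: Optional[str] = None,
                           client_key: Optional[str] = None,
                           show_certs: bool = False) -> List[str]:
    """Assemble the argv for openssl s_client; -CAfile/-cert/-key mirror the
    Server Certificate, Client certificate and Client key fields of Table 2."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host, "-CAfile", ca_file]
    if client_cert:
        cmd += ["-cert", client_cert]
    if client_key:
        cmd += ["-key", client_key]
    if show_certs:
        cmd.append("-showcerts")
    return cmd


def parse_verify_return_code(output: str) -> Optional[Tuple[int, str]]:
    """Return (code, reason) from s_client output, e.g. (0, 'ok'), or None if absent."""
    m = VERIFY_RE.search(output)
    return (int(m.group(1)), m.group(2)) if m else None


def split_pem_certificates(output: str) -> List[str]:
    """Return every PEM certificate block in a -showcerts transcript, server
    certificate first; the guide notes the CA certificate is usually the last."""
    return PEM_RE.findall(output)


def check_ldaps_connection(host: str, port: int, ca_file: str,
                           client_cert: Optional[str] = None,
                           client_key: Optional[str] = None,
                           timeout: float = 20.0) -> Tuple[bool, str]:
    """Run s_client and report whether chain verification returned 0 (ok).
    Closing stdin makes s_client exit once the handshake has completed."""
    cmd = build_s_client_command(host, port, ca_file, client_cert, client_key)
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    text = proc.stdout.decode(errors="replace") + proc.stderr.decode(errors="replace")
    result = parse_verify_return_code(text)
    if result is None:
        return False, "no Verify return code in output (connection refused, wrong port, or unresolvable host?)"
    code, reason = result
    return code == 0, f"Verify return code: {code} ({reason})"


# Constructed s_client transcript fragments for offline use; the certificate
# bodies are placeholders, not real certificates.
SAMPLE_OK_OUTPUT = """CONNECTED(00000003)
---
-----BEGIN CERTIFICATE-----
MIIBconstructedServerCert
-----END CERTIFICATE-----
 1 s:/CN=Example Root CA
   i:/CN=Example Root CA
-----BEGIN CERTIFICATE-----
MIIBconstructedCaCert
-----END CERTIFICATE-----
---
    Verify return code: 0 (ok)
---
"""
SAMPLE_FAIL_OUTPUT = "...\n    Verify return code: 21 (unable to verify the first certificate)\n"

if __name__ == "__main__":
    print(" ".join(build_s_client_command(
        "myldaps.emc.com", 636, "C:/Program Files/EMC NetWorker/Management/GST/cst/corpldap/ca.cert")))
    print(parse_verify_return_code(SAMPLE_OK_OUTPUT), parse_verify_return_code(SAMPLE_FAIL_OUTPUT))
    print(len(split_pem_certificates(SAMPLE_OK_OUTPUT)), "certificates; last is the CA")
```

Run check_ldaps_connection() once from each NMC and NetWorker server with that host's own copy of the certificate files, since the guide requires a local copy on every host; a non-zero Verify return code on one host and 0 on another points at a stale or truncated copy rather than at the LDAPS server.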

Troubleshooting login errors

This section provides a list of possible causes and resolutions for NMC login error messages.

You do not have privileges to use NetWorker Management Console

Appears when a valid LDAP or AD account tries to log in to the NMC server, but the account does not exist on the NMC server or is not assigned a Console role.

To resolve this issue, create the LDAP or AD account manually and try to log in again. Adding LDAP or AD users to the NMC server manually on page 37 describes how to create LDAP and AD user accounts manually.

Could not authenticate this user name and password, try again

Appears when you attempt to log into the NMC server with:

• An unrecognized username or an incorrect password. To resolve this issue, use the correct user name and password combination for the configured NMC server authentication method.


• An AD user that has the option User must change password at next login enabled. To resolve this issue, change the password before attempting to log in to the NMC server.

The specified user name is restricted and cannot be used to log into the system

Appears when you use the Administrator username to log in to the NMC server and the NMC server authentication is LDAP or AD. An NMC server that uses AD or LDAP authentication does not support the Administrator username.

To resolve this issue, log in to the NMC server with a different LDAP or AD username.

Manage LDAP and AD users in NMC

Use the NMC Console to manually add, delete, and manage LDAP and AD users.

Add LDAP and AD users and groups to the NMC server

You can add new LDAP and AD users and groups to the NMC server manually or by using the Configure Login Authentication wizard.

Adding LDAP or AD users by using the Configure Login Authentication Wizard

Use this method to add LDAP and AD users that require membership in the Security Administrators User Group on all of the managed NetWorker servers.

Before you begin

Log in to the NMC server with a user that has the Console Security Administrator role.

The Configure Login Authentication wizard automatically assigns the new LDAP or AD users and groups to:

l The Console Security Administrators role on the NMC server.

l The Security Administrators User Group on each managed NetWorker server

Procedure

1. From the Console window, click Setup.

2. From the Setup menu, select Configure Login Authentication.

3. In the Select Authentication Method window, select External Repository.

4. Select the appropriate LDAP or AD Authority Name and click Next.

5. In the External Roles field, specify the new LDAP or AD users and groups and click Next.

6. In the Distribute Authority Configuration window, select the NetWorker servers that have the Requires Update status and click Distribute.

7. In the Monitor Distribution Progress window, review the progress of the configuration file distribution. Ensure that the configuration file distribution succeeds for all NetWorker servers.

8. Log out of the NMC server and log in with a user account in the new group. Troubleshooting login errors on page 35 describes how to troubleshoot login errors.

Note

Members of the Security Administrators group have permission to modify the Security Audit Log server and User Group resources only. Modifying User Group privileges on page 47 describes how to add a manually created LDAP or AD user to a User Group on a NetWorker server.

Access Control Settings


Adding LDAP or AD users to the NMC server manually

Use this method to add LDAP or AD users who manage the NMC server but whose NetWorker server access you want to restrict.

Before you begin

Log into the NMC server with a user that has the Console Security Administrator role.

Procedure

1. On the Console window, click Setup.

2. In the left pane, right-click Users, then select New.

3. In the User Name attribute, enter the LDAP or AD username.

4. Optionally, enter the full name of the LDAP or AD user and a general description in the remaining attributes.

5. Click OK.

The following image provides an example of the Create User window.

Figure 7 Create User window

Note

When you manually assign a user or group to the Console Security Administrator role, the NMC server does not automatically assign the user to the Security Administrators User Group on the managed NetWorker servers. Modifying User Group privileges on page 47 describes how to add a manually created LDAP or AD user to a User Group on a NetWorker server.


Modifying an LDAP or AD NMC user

After you create an LDAP or AD user and assign it to an NMC console role, you can modify the descriptive information about the user in the NMC console.

Before you begin

Log in to the NMC server as a Console Security Administrator. The administrator account is a Console Security Administrator.

Procedure

1. From the Console window, click Setup.

2. In the left pane, select Users.

3. Right-click the user and select Properties.

4. On the Identity tab, modify the attributes as required.

5. Click OK.

Deleting an LDAP or AD NMC user

After you create an LDAP or AD user and assign NMC console roles to the user, you can delete the user in the NMC console.

Before you begin

Log in to the NMC server as a Console Security Administrator. The administrator account is a Console Security Administrator.

Procedure

1. From the Console window, click Setup.

2. In the left pane, click Users.

3. Right-click a username and select Delete.

4. Click Yes to confirm the deletion.

5. If the user saved customized reports, then a dialog box prompts for the username to which to reassign those reports. Otherwise, delete the reports.

6. If required, remove the user from the LDAP user role on the LDAP server and from any NetWorker User Groups.

User authorization

User authorization settings control the rights or permissions that are granted to a user and enable access to a resource managed by NetWorker.

NMC server authorization

The user that you use to connect to the NMC server determines the level of access to the NMC server.

The Console server restricts user privileges based on three authorization roles. You cannot delete the roles or change the privileges assigned to each role.

Table 4 NMC user roles and associated privileges

Console Security Administrator
- Add, delete, and modify NMC users.
- Configure login authentication, for example configure the NMC server to:
  - Use LDAP authentication instead of native NMC authentication.
  - Use native NMC authentication instead of LDAP authentication.
- Control user access to managed applications, such as a NetWorker server.

Console Application Administrator
- Configure Console system options.
- Set retention policies for reports.
- View custom reports.
- Specify the NetWorker server that backs up the NMC database.
- Specify a NetWorker License Manager server.
- Run the Console Configuration wizard.
- All tasks available to the Console User role.

Console User
All tasks except those explicitly listed for the Console Security Administrator and the Console Application Administrator. Tasks include:
- Add and delete hosts and folders.
- Add and delete managed applications for NetWorker, Data Domain, and Avamar.
- Create and delete their own reports.
- Set features for managed applications.
- Manage a NetWorker server with the appropriate privilege levels.
- Dismiss events.

By default the NMC server adds users who are members of the Console Security Administrators to the preconfigured Security Administrators user group on each NetWorker server that the Console server manages. Members of the Security Administrators user group only have privileges to modify the Security Audit Log server and User Groups resources that the Console server can manage. User Group privileges on page 41 summarizes the privileges assigned to users in each User Group.

Server authorization

The NetWorker server provides a mechanism to authorize users that perform operations from a command prompt and from the NMC GUI.

Modifying an admin list by using NMC

The NetWorker server software provides administrator access by default to the root user on a UNIX NetWorker server and to members of the Windows Administrators group on a Windows NetWorker server. Administrator access gives a user all the NetWorker privileges required to change the configuration of a NetWorker server. NetWorker stores the administrator list in the NSR resource on the NetWorker server. Modify the administrators list by using the NMC console.


Before you begin

Use NMC to connect to the NetWorker server with a user that is a member of the Application Administrators or Database Administrators user group.

Procedure

1. From the Administration window, select Configuration.

2. From the View menu, select Diagnostic mode.

3. Right-click the NetWorker server name in the left navigation pane and then select Properties.

4. In the Administrator attribute, specify the user accounts that require administrative access to the NetWorker server in one of the following formats:

- username@hostname
- group@hostname
- user=username, host=hostname
- group=groupname, host=hostname

5. Click OK.

Restricting managed server view for a user

By default the NMC server adds members of the Console Security Administrators to the Security Administrators user group on each NetWorker server that the NMC server manages.

Before you begin

Log in to the NMC server with an account that has the Console Security Administrator role.

To restrict the NetWorker servers that a user can view and manage, modify the privileges on the user object.

Procedure

1. From the Console window, click Setup.

2. In the left pane, click Users.

3. Right-click a user, then select Permissions. The Edit User window appears and the Permissions tab displays.

4. To grant the user privileges to view various hosts, use the arrow keys to select the allowed hosts.

5. Click OK.

Results

The following implications result when you restrict the view for a user:

- In the Events window: The user sees only events from allowed NetWorker servers.
- In the Enterprise window: The user sees all the hierarchy folders, but only the allowed NetWorker servers appear in the folders.
- In the Libraries window: The user sees only the devices controlled by allowed NetWorker servers.
- In the Reports window: The user sees report data only from allowed NetWorker servers.


- In the Setup window:
  - The user sees properties for all users, in addition to its own properties and privileges.
  - The user can modify its own properties, but not privileges. Only the Console Security Administrator can view and modify user privileges.

Each user can view and manage different sets of NetWorker servers and, as a result, the contents of the reports can vary among users. For example, a shared backup summary report entitled "Building C Backups" displays different data for different users (even when the users run the report simultaneously) when the privileges of the users include different NetWorker servers. This applies to all report types, whether default or customized, private or shared.

If no data is available for a particular server, that server will not appear in any lists or reports, regardless of the user privileges.

NetWorker User Groups

User Groups provide you with the ability to assign privileges to a group of native NMC, LDAP, and AD users to perform operations on a NetWorker server.

The tasks that a user can perform on a NetWorker server depend on User Group membership and the privileges assigned to the User Group.

When you use LDAP or AD authentication on the NMC server, use the External Roles attribute in the User Group resource to define LDAP or AD membership for the User Group.

When you use native NMC authentication on the NMC server, use the Users attribute to define native NMC membership for the User Group.

When you run commands locally on the NetWorker server from a command prompt, use the Users attribute to define OS user or group membership for the User Group.

User Group privileges

User privileges define the NetWorker operations and tasks that NMC, AD, and LDAP users can perform on a NetWorker server. With the exception of the Application Administrators user group and the Security Administrators user group, the privileges associated with a User Group can be modified. The following table provides a summary of the available privileges and the operations that each privilege enables for a user.

Table 5 Operations allowed for each NetWorker privilege

Change Security Settings
The ability to modify:
- User Groups
- Security Audit Log resource
- Server resource
Note: The Change Security Settings privilege requires that you also set the following prerequisite privileges: View Security Settings, Create Security Settings, and Delete Security Settings.

View Security Settings
The ability to view:
- User Groups
- Security Audit Log resource
- Server resource

Create Security Settings
The ability to create new User Group resources.
Note: The Create Security Settings privilege requires that you also set the following prerequisite privileges: View Security Settings, Change Security Settings, and Delete Security Settings.

Delete Security Settings
The ability to delete user-created User Groups. Preconfigured User Groups cannot be deleted.
Note: The Delete Security Settings privilege requires that you also set the following prerequisite privileges: View Security Settings, Change Security Settings, and Create Security Settings.

Remote Access All Clients
The ability to:
- Remotely browse and recover data associated with any client.
- View configurations for all client resources. This privilege is required to perform directed recoveries.
This privilege supersedes the users defined in the Remote Access attribute of a client resource.
Note: The Remote Access All Clients privilege requires that you also set the following prerequisite privileges: Operate NetWorker, Monitor NetWorker, Operate Devices and Jukeboxes, Backup Local Data, and Recover Local Data.

Configure NetWorker
The ability to configure resources associated with the NetWorker server, storage nodes, and clients. This includes creating, editing, and deleting resources.
Users with this privilege cannot configure User Group resources.
Note: The Configure NetWorker privilege requires that you also set the following prerequisite privileges: Operate NetWorker, Monitor NetWorker, Operate Devices and Jukeboxes, Backup Local Data, and Recover Local Data.

Operate NetWorker
The ability to perform NetWorker operations. For example, members can:
- Reclaim space in a client file index.
- Set a volume location or mode.
- Start or stop a savegroup.
- Query the media database and client file indexes.
Note: The Operate NetWorker privilege requires that you also set the following prerequisite privileges: Monitor NetWorker, Operate Devices and Jukeboxes, Backup Local Data, and Recover Local Data.

Monitor NetWorker
The ability to:
- Monitor NetWorker operations, including device status, save group status, and messages.
- View media database information.
- View NetWorker configuration information (except the security settings described in the Change Security Settings privilege).
This privilege is not required to back up and recover local data, although it may be helpful for users to monitor messages and other information.

Operate Devices and Jukeboxes
The ability to perform device and autochanger operations, for example mounting, unmounting, and labeling. Users with this privilege can also view device status and pending messages, as well as view information in the media database.
The Operate Devices and Jukeboxes privilege requires that you also set the Monitor NetWorker privilege.

Recover Local Data
The ability to:
- Recover data from the NetWorker server to the local client.
- View most client configuration attributes.
- Query client save sets and browse the client file index.
This privilege does not provide permission to view information about other clients and does not override file-based privileges.
Users can only recover files with the appropriate user privileges for that operating system. To perform save set or NDMP recoveries, users with this privilege must log in to the local host as root (UNIX) or Administrator (Windows).

Backup Local Data
The ability to:
- Manually back up data from their local client to the NetWorker server.
- View most attributes in the client's configuration.
- Query the client save sets and browse the client file index.
This privilege does not provide permission to view information about other clients and does not override file-based privileges.
Users can only back up files with the appropriate user privileges for that operating system. To run the savegroup command or to perform NDMP backups, users with this privilege must log in to the local host as root (UNIX) or Administrator (Windows). To allow scheduled backups to operate correctly, the root user (UNIX) or Administrator (Windows) on the client has this privilege automatically.

View Application Settings
The ability to view NetWorker resources including: Archive Requests, Client resources, Device resources, Directives, Group, Jukebox, Label, License, Notification, Policies, Pool, Schedule, Staging, and Storage Node.
The View Application Settings privilege:
- Allows user group members to view the status of operations.
- Does not allow user group members to view the Server, User Groups, or Security Audit Log resources.
Note: The View Application Settings privilege requires that you also set the following prerequisite privileges: Change Application Settings, Create Application Settings, and Delete Application Settings.

Change Application Settings
The ability to change NetWorker resources including: Archive Requests, Client resources, Device resources, Directives, Group, Jukebox, Label, License, Notification, Policies, Pool, Schedule, Staging, and Storage Node.
The Change Application Settings privilege:
- Allows user group members to view the status of operations.
- Does not allow user group members to change the Server, User Groups, or Security Audit Log resources.
Note: The Change Application Settings privilege requires that you also set the following prerequisite privileges: View Application Settings, Create Application Settings, and Delete Application Settings.

Create Application Settings
The ability to create NetWorker resources including: Archive Requests, Client resources, Device resources, Directives, Group, Jukebox, Label, License, Notification, Policies, Pool, Schedule, Staging, and Storage Node.
The Create Application Settings privilege:
- Allows user group members to view the status of operations.
- Does not allow user group members to change the Server, User Groups, or Security Audit Log resources.
Note: The Create Application Settings privilege requires that you also set the following prerequisite privileges: View Application Settings, Change Application Settings, and Delete Application Settings.

Delete Application Settings
The ability to delete NetWorker resources including: Archive Requests, Client resources, Device resources, Directives, Group, Jukebox, Label, License, Notification, Policies, Pool, Schedule, Staging, and Storage Node.
The Delete Application Settings privilege:
- Allows user group members to view the status of operations.
- Does not allow user group members to change the Server, User Groups, or Security Audit Log resources.
Note: The Delete Application Settings privilege requires that you also set the following prerequisite privileges: View Application Settings, Change Application Settings, and Create Application Settings.

Archive Data
The ability to archive data. The NetWorker application administrator must have configured NetWorker for a user with this privilege to execute this operation. Only the client resource that pertains to the client that issues the archive command is viewable.

Backup Remote Data
Allows users to remotely back up data.

Recover Remote Data
Allows users to recover data from a backup performed on another machine.

Preconfigured User Groups

By default, NetWorker provides preconfigured user groups with specific privileges. You cannot delete preconfigured user groups.

The following table provides a summary of the preconfigured user groups and the default privileges associated with each user group.

Note

By default, NMC, LDAP and AD users that have the NMC Console Security Administrator role are automatically added to the preconfigured Security Administrators user group on each NetWorker server that they have the right to manage.

Table 6 Privileges associated with each NetWorker User Group

Security Administrators
- View Security Settings
- Change Security Settings
- Create Security Settings
- Delete Security Settings

Application Administrators
- Remote Access All Clients
- Configure NetWorker
- Operate NetWorker
- Monitor NetWorker
- Operate Devices and Jukeboxes
- Backup Local Data
- Backup Remote Data
- Create Application Settings
- View Application Settings
- Change Application Settings
- Delete Application Settings
- Recover Local Data
- Recover Remote Data
- Archive Data

Monitors
- Monitor NetWorker
- Operate Devices and Jukeboxes
- Recover Local Data
- Recover Remote Data
- Backup Local Data
- Backup Remote Data
- Create Application Settings
- View Application Settings
- Archive Data

Operators
- Remote Access All Clients
- View Application Settings
- Operate NetWorker
- Monitor NetWorker
- Operate Devices and Jukeboxes
- Recover Local Data
- Recover Remote Data
- Backup Local Data
- Backup Remote Data
- Archive Data

Auditors
- View Security Settings

Users
- Monitor NetWorker
- Recover Local Data
- Backup Local Data

Database Operators
- Remote Access All Clients
- Operate NetWorker
- Monitor NetWorker
- Operate Devices and Jukeboxes
- Recover Local Data
- Recover Remote Data
- Backup Local Data
- Backup Remote Data
- Archive Data

Database Administrators
- Remote Access All Clients
- Configure NetWorker
- Operate NetWorker
- Monitor NetWorker
- Operate Devices and Jukeboxes
- Recover Local Data
- Recover Remote Data
- Backup Local Data
- Backup Remote Data
- Archive Data

User Group management

Users assigned to the Configure NetWorker privilege can manage and modify User Groups.

The Application Administrators and Database Administrators user groups contain the Configure NetWorker privilege by default.


Modifying User Group privileges

You can change the privileges associated with a user group, with the exception of the Application Administrators and Security Administrators user groups.

Before you begin

Use NMC to connect to the NetWorker server with a user that is a member of the Application Administrators or Database Administrators user group.

Procedure

1. From the Administration window, click Configuration.

2. Click User Groups.

3. Right-click the user group to edit, then select Properties.

The Properties dialog box appears.

4. In the Privileges field, select or unselect the privileges as required.

5. Click OK.

If you select a privilege without also selecting its prerequisite privileges, then an error message appears.

Creating User Groups

Use the NMC GUI to create user group resources.

Before you begin

Use NMC to connect to the NetWorker server with a user that is a member of the Application Administrators or Database Administrators user group.

Procedure

1. From the Administration window, click Configuration.

2. Click User Groups.

3. Right-click User Group, then select Create.

The Create User Group dialog box appears.

4. In the Name attribute, enter a name for the user group.

5. For native Console authentication only, specify the user names in the Users attribute.

6. For LDAP and AD authentication only, specify the users and groups in the External roles attribute.

7. In the Privileges attribute, select the privileges to assign to the user group.

8. Click OK.

Copying User Groups

Use NMC to copy a User Group.

Before you begin

Use NMC to connect to the NetWorker server with a user that is a member of the Application Administrators or Database Administrators user group.

Procedure

1. From the Administration window, click Configuration.

2. Click User Groups.

3. Right-click the user group to copy, then select Copy.

The Create User Group dialog box appears, and contains the same information as the user group that was copied, except for the Name attribute.


4. In the Name attribute, enter a name for the new user group.

5. Edit the other attributes as appropriate, then click OK.

Deleting User Groups

Use the NMC GUI to delete User Groups.

Before you begin

Use NMC to connect to the NetWorker server with a user that is a member of the Application Administrators or Database Administrators user group.

Procedure

1. From the Administration window, click Configuration.

2. Click User Groups.

3. Right-click the user group to delete, then select Delete.

4. When prompted, click Yes to confirm the deletion.

Note

You cannot delete a preconfigured user group.

Modifying user group membership

Use the External Roles field to manage LDAP/AD user and group membership, or the Users field to manage OS and NMC user and group membership.

Note

When a user belongs to a large number of groups, the total number of characters for all of the group names can exceed the buffer size that NetWorker uses to store the group names. NetWorker excludes characters and group names that exceed the buffer size. If you add a group to the External roles field or the Users field that is not in the buffer for a userid, NetWorker will not consider the user to be a member of the User Group.

Modifying user group membership for LDAP/AD users and groups

The authority file distribution process adds LDAP and AD authenticated NMC users with the Console Security Administrator role on the Console server to the Security Administrators User Group on all NetWorker servers that the users have the privilege to manage. These users can modify the Audit Log server and User Group resources only; they cannot monitor backups or manage other NetWorker resources. Use the External roles field in the User Group resource to manage LDAP/AD user and group access to the NetWorker server.

Before you begin

Use NMC to connect to the NetWorker server with a user that is a member of the Application Administrators or Database Administrators user group.

Procedure

1. From the Administration window, click Configuration.

2. Click User Groups.

3. Right-click the user group, then select Properties.

4. Modify the External roles attribute. When you add a user or group, use one of the following formats:

- username
- groupname
- group@LDAP_or_AD_hostname
- username@LDAP_or_AD_hostname
- host=LDAP_or_AD_hostname
- role=role,host=LDAP_or_AD_hostname

If the format of the object is invalid or the object is not found in the LDAP or AD authority, the following error is displayed:

Cannot find group or user object in any configured authority

Note

EMC recommends that you specify usernames when your user accounts are members of a large number of groups.

Modifying user group membership for OS users and groups

Use the Users field in the User Group resource to manage NMC and OS user and group access to the NetWorker server.

Before you begin

Use NMC to connect to the NetWorker server with a user that is a member of the Application Administrators or Database Administrators user group.

Procedure

1. From the Administration window, click Configuration.

2. Click User Groups.

3. Right-click the user group, then select Properties.

4. In the Users field, specify the NMC user. Specify the username with the following syntax:

name=value[,name=value, ...]

where name can be one of the following:

- user
- group
- host
- domain
- domainsid
- domaintype (either NIS or WINDOMAIN)

For example, to specify a user named patrick on a host named jupiter, enter this line in the Users attribute:

user=patrick,host=jupiter

Note

The formats user@host, host and user, and similar formats are ambiguous as to whether host or domain is intended. EMC recommends that you use the name=value format.

This example shows what to enter to provide NetWorker administrative privileges to the following:

- The user root from any host.
- The user operator from the hosts mars and jupiter.
- Any users, valid hosts for the users, and valid domains for the users and hosts that are included in the netgroup netadmins.

In the Users field, type the following information:

user=root
user=operator,host=jupiter
user=operator,host=mars
&netadmins

Consider the following information:

- If the value has spaces, then surround the value in quotation marks, for example: domain="Domain Admins"
- When you specify a netgroup name, precede the name with an ampersand (&).
- You can use wildcards in place of a value. However, use wildcards with caution because they can compromise your enterprise security.
- You can specify local and global Windows domain names and groups, for example the Administrators group and the Domain Admins group.
- When you log in to the NetWorker server with a domain account, you can only specify a global group.
- When you log in to the NetWorker server locally, you can only specify local groups.
- When you log in to the NetWorker server with a domain account but the NetWorker server cannot contact the AD server to verify the username, use multiple names and values to ensure that NetWorker assigns the correct users or groups the appropriate privileges. For example: user=meghan, domain=Engineering or group=development, domainsid=S-1-5-32-323121-123

Note

EMC recommends that you specify usernames when your user accounts are members of a large number of groups.
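The following Python script is an added example and is not NetWorker code or part of this guide. It parses Users attribute entries in the name=value[,name=value, ...] form described above (quoted values, the &netgroup form and wildcards included), decides whether a given caller is admitted, and flags entries that widen access. The AND-within-an-entry, OR-across-entries semantics, the netgroup layout, the Principal record and the netgroup contents are assumptions made for the example; the entries themselves are the ones from this section. The same parser accepts the user=username, host=hostname form used in the Administrator attribute.

```python
"""Parse and match NetWorker-style Users attribute entries.

Added example, not NetWorker code. Models name=value[,name=value, ...]
entries, quoted values, the &netgroup form and wildcards. Assumed
semantics: all pairs in one entry must match (AND); entries are OR.
"""
import fnmatch
import re
from dataclasses import dataclass

KNOWN_NAMES = {"user", "group", "host", "domain", "domainsid", "domaintype"}
DOMAIN_TYPES = {"NIS", "WINDOMAIN"}
# One pair: value is double-quoted (may hold spaces) or bare up to a comma.
_PAIR = re.compile(r'\s*(\w+)\s*=\s*(?:"([^"]*)"|([^,]*))\s*(?:,|$)')


@dataclass(frozen=True)
class Principal:
    """What the server knows about a caller (constructed for the example)."""
    user: str
    host: str
    domain: str = ""
    domainsid: str = ""
    domaintype: str = ""
    groups: frozenset = frozenset()


def parse_entry(entry):
    """Return ("netgroup", name) or ("pairs", {name: value}) for one entry.

    Rejects unknown names, bad domaintype values and entries without '='
    (user@host and similar forms that the guide calls ambiguous)."""
    entry = entry.strip()
    if entry.startswith("&"):
        return "netgroup", entry[1:].strip()
    if "=" not in entry:
        raise ValueError(f"ambiguous entry, use name=value: {entry!r}")
    pairs, pos = {}, 0
    while pos < len(entry):
        m = _PAIR.match(entry, pos)
        if m is None:
            raise ValueError(f"cannot parse {entry[pos:]!r}")
        name = m.group(1).lower()
        value = (m.group(3) if m.group(2) is None else m.group(2)).strip()
        if name not in KNOWN_NAMES:
            raise ValueError(f"unknown name {name!r} in {entry!r}")
        if name == "domaintype" and value not in DOMAIN_TYPES:
            raise ValueError(f"domaintype must be NIS or WINDOMAIN: {value!r}")
        pairs[name] = value
        pos = m.end()
    return "pairs", pairs


def _pair_matches(name, pattern, principal):
    # A wildcard may stand in for a value; fnmatch handles '*' and '?'.
    if name == "group":
        return any(fnmatch.fnmatchcase(g, pattern) for g in principal.groups)
    return fnmatch.fnmatchcase(getattr(principal, name), pattern)


def entry_matches(entry, principal, netgroups):
    kind, spec = parse_entry(entry)
    if kind == "netgroup":
        # Assumed netgroup layout: (user, host, domain) triples, "" = any.
        return any(u in ("", principal.user) and h in ("", principal.host)
                   and d in ("", principal.domain)
                   for u, h, d in netgroups.get(spec, ()))
    return all(_pair_matches(n, v, principal) for n, v in spec.items())


def is_member(users_attribute, principal, netgroups=None):
    """True if at least one entry in the Users attribute admits the caller."""
    netgroups = netgroups or {}
    return any(entry_matches(e, principal, netgroups)
               for e in users_attribute if e.strip())


def audit_entries(users_attribute):
    """Flag entries that grant more than the author probably intended."""
    findings = []
    for entry in users_attribute:
        kind, spec = parse_entry(entry)
        if kind != "pairs":
            continue
        if any("*" in v or "?" in v for v in spec.values()):
            findings.append(f"wildcard widens access: {entry!r}")
        if not ({"user", "group"} & set(spec)):
            # host= or domain= alone admits every account in that scope
            # (assumption about how an unconstrained entry is evaluated).
            findings.append(f"no user or group constraint: {entry!r}")
    return findings


# The guide's own example entries; the netgroup contents are constructed.
USERS = ["user=root", "user=operator,host=jupiter",
         "user=operator,host=mars", "&netadmins"]
NETGROUPS = {"netadmins": [("alice", "", ""), ("", "saturn", "")]}

if __name__ == "__main__":
    for p in (Principal("root", "pluto"), Principal("operator", "venus"),
              Principal("bob", "saturn")):
        print(f"{p.user}@{p.host}: {is_member(USERS, p, NETGROUPS)}")
    print(audit_entries(["user=*", "host=jupiter"]))
```

Run it directly to see the three lookups and the audit output. The audit is the part worth keeping around: a user=* entry or a bare host= entry is exactly the kind of grant the caution about wildcards refers to, and the parser's rejection of user@host is the ambiguity the note above warns about.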

Troubleshooting authorization errors and NetWorker server access issues

This section provides a list of possible causes and resolutions for error messages related to NetWorker server authorization issues.

Insufficient permissions

This message appears when you attempt to perform NetWorker operations, and the userid that you used to log in to the NMC server is a member of a large number of operating system groups.

When a user belongs to a large number of groups, the total number of characters in the group names can exceed the buffer size that NetWorker uses to store the group names. NetWorker excludes characters and group names that exceed the buffer size. If you add a group to the External Roles field in the Configure Login Authentication wizard which is not in the buffer for a userid, login attempts for that userid fail.

To resolve this issue, edit the User Group resource that the userid is a member of and perform one of the following steps:


- If you use LDAP/AD authentication, then specify the userid in the External Roles field.
- If you use native NMC authentication, then specify the userid in the Users field.

Note

When you configure LDAP/AD authentication by using the Configure Login Authentication wizard, specify the userid that is a member of a large number of groups in the External Roles field.

Component access control

Component access control settings define how to control external and internal system or component access to the product.

Component authentication

NetWorker hosts and daemons use the nsrauth mechanism to authenticate components and users, and to prevent user and host impersonation. The nsrauth mechanism provides strong authentication based on the Secure Sockets Layer (SSL) protocol. For Windows and most UNIX hosts, nsrauth uses the SSL implementation provided by RSA BSAFE SSL. For some UNIX hosts, such as Darwin, HP-UX, Linux ppc64, and Linux390, nsrauth uses the SSL implementation provided by the OpenSSL library.

The nsrexecd service on each NetWorker host provides the component authentication services. The first time the nsrexecd process starts on a host, the process creates the following unique credentials for the host:

- 1024-bit RSA private key
- Self-signed certificate or public key
- NW Instance ID
- my hostname

NetWorker stores these credentials in the NSRLA resource found in the local NetWorker client database, nsrexec. These credentials are known as local host authentication credentials. NetWorker uses the local host authentication credentials to uniquely identify the host to other NetWorker hosts in the data zone.

When a NetWorker host communicates with other NetWorker hosts, the nsrauth process creates an NSR Peer Information resource in the nsrexec database of the target host that contains the local host authentication credentials for the initiating host. When a NetWorker host initiates a session connection to another host, the following steps occur:

1. The nsrexecd daemon on the initiating host contacts the nsrexecd daemon onthe target host.

2. The nsrexecd daemon on the initiating host sends the local host authenticationcredentials to the target host.

3. The target host compares the local host authentication credentials with theinformation stored in the local NSR Peer Information resource.

l If the information provided by the initiating host matches the information storedin the NSR Peer Information resource on the remote host, then the nsrexecddaemon creates a session key and establishes an SSL connection between thetwo hosts. NetWorker uses AES-128 bit encryption to encrypt the data exchangedbetween the two hosts.

Access Control Settings

Component access control 51

Page 52: EMC NetWorker 8.2 SP1 Security Configuration Guide

l If the information provided by the initiating host does not match the informationstored in the NSR Peer Information resource on the remote host, then the remotehost requests the certificate from the initiating host.

n If the certificate provided by the initiated host matches the certificate storedon the remote host, then the nsrexecd daemon creates a session key andestablishes an SSL connection between the two hosts. NetWorker usesAES-128 bit encryption to encrypt the data exchanged between the two hosts.

n If the certificate provided by the initiating host does not match the certificatestored on the remote host, NetWorker drops the connection between the twohosts.

l If the remote host does not contain an NSR Peer Information resource for theinitiating host, the remote host uses the information provided by the initiatinghost to create a new NSR Peer Information resource. NetWorker uses the sessionkey to establish an SSL connection between the two host. Componentauthentication uses the AES-128 bit encryption method.

Note

For compatibility with earlier NetWorker releases, NetWorker supports oldauthauthentication. EMC recommends that you use nsrauth authentication and only enableoldauth authentication when two hosts cannot authenticate by using nsrauth.

Configuring access privileges to the NetWorker client database

To modify access to the client database (nsrexec), use the nsradmin program to edit the administrators list (the administrator attribute of the NSRLA resource).

Before you begin

Perform the following steps on the target host as the root user on a UNIX host or as an administrator user on a Windows host.

By default, the administrator attribute grants access to the following users:

• On a UNIX host, the root user on any host can modify the nsrexec database attributes.

• On a Windows host, any user in the Administrators group can modify the nsrexec database attributes.

To modify attributes for a host by using the Local Hosts resource in the NMC GUI, the administrator attribute of the target host must contain the account that starts the gstd service on the NMC server.

Procedure

1. Connect to the nsrexec database:

nsradmin -p nsrexec

2. Set the query to the NSRLA resource:

. type: NSRLA

3. Display the NSRLA resource and view the current settings for the administrator attribute:

print


4. Update the value of the administrator attribute to include the owner of the gstd process on the NMC server:

append administrator: "user=gstd_owner,host=NMC_host"

where:

• gstd_owner is the user account that starts the gstd daemon on UNIX or the EMC GST service on Windows. By default, the process owner is the SYSTEM user on Windows and the root user on UNIX.

• NMC_host is the hostname of the NMC server.

The append command adds a value to the existing list. If you use update instead, the new list replaces the whole attribute, so include the existing entries as well. For example, to add the SYSTEM account on a Windows NMC server named win.emc.com to a UNIX NetWorker client named unix.emc.com while keeping the default entries, type:

update administrator: root, "user=root,host=unix.emc.com", "user=SYSTEM,host=win.emc.com"

5. Type Yes to confirm the change.

6. Type Quit to exit the nsradmin program.
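As an added example (not code from the EMC guide or from NetWorker), the following Python evaluates entries of the administrator attribute in the forms shown above, flags entries that are not scoped to a host, and renders the nsradmin update line with the quoting the example uses. The reading that a bare user name grants access from any host follows the guide's description of the root default and is an assumption of the model, other ACL keys that NetWorker may accept are not modelled, and the host names are hypothetical.

```python
# Added example, not from the EMC guide: evaluate and audit entries of the
# nsrexec "administrator" attribute. Entries use the forms  name  and
# user=name,host=hostname . This model assumes (as the guide's description of
# the root default implies) that a bare name matches that user on ANY host.
# Other keys that real NetWorker ACLs may accept are not modelled here.
ADMIN_KEYS = {"user", "host"}


def parse_admin_entry(entry):
    """Return {'user': ..., 'host': ...} for one entry; host is None when unscoped."""
    entry = entry.strip().strip('"')
    if "=" not in entry:
        if not entry:
            raise ValueError("empty administrator entry")
        return {"user": entry, "host": None}
    fields = {}
    for part in entry.split(","):
        key, sep, value = part.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or key not in ADMIN_KEYS or not value:
            raise ValueError("malformed administrator entry: %r" % entry)
        fields[key] = value
    if "user" not in fields:
        raise ValueError("administrator entry without user=: %r" % entry)
    return {"user": fields["user"], "host": fields.get("host")}


def is_administrator(entries, user, host):
    """True if (user, host) is granted access by any entry (host compared case-insensitively)."""
    for entry in entries:
        rule = parse_admin_entry(entry)
        if rule["user"] != user:
            continue
        if rule["host"] is None or rule["host"].lower() == host.lower():
            return True
    return False


def unscoped_entries(entries):
    """Entries that grant a user from every host; review these during hardening."""
    return [e for e in entries if parse_admin_entry(e)["host"] is None]


def render_nsradmin_update(entries):
    """Build the nsradmin 'update administrator:' line, quoting values that
    contain commas, in the form the guide's example uses."""
    quoted = ['"%s"' % e if "," in e else e for e in entries]
    return "update administrator: " + ", ".join(quoted)


# Constructed sample: the guide's example list after adding the NMC server's
# SYSTEM account (hypothetical host names).
SAMPLE_ADMINISTRATORS = [
    "root",
    "user=root,host=unix.emc.com",
    "user=SYSTEM,host=win.emc.com",
]

if __name__ == "__main__":
    print(render_nsradmin_update(SAMPLE_ADMINISTRATORS))
    print("SYSTEM@win.emc.com :", is_administrator(SAMPLE_ADMINISTRATORS, "SYSTEM", "win.emc.com"))
    print("SYSTEM@evil.emc.com:", is_administrator(SAMPLE_ADMINISTRATORS, "SYSTEM", "evil.emc.com"))
    print("unscoped entries   :", unscoped_entries(SAMPLE_ADMINISTRATORS))
```

The unscoped check is the one worth running before you widen the list: every bare name in the attribute is an account that any host in the data zone can present, so prefer the user=,host= form for anything you add.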

Modifying the authentication methods used by NetWorker hosts

NetWorker enables you to restrict the authentication methods available for communication between NetWorker hosts and to define the priority of the authentication methods that NetWorker hosts use. Use the Configure Local Agent option in NMC or the nsradmin command to modify the authentication methods used by a NetWorker host.

Using NMC to manage the authentication method

Use the Configure Local Agent option in NMC to manage the authentication method used by a host.

Before you begin

The gstd process owner must have permission to update the nsrexec database on the target host. Configuring NetWorker client database access privileges on page 52 provides more information.

Procedure

1. On the Administration window, select Configuration.

2. In the left navigation pane, expand the NetWorker server, and then expand the Local Hosts resource.

3. Right-click the target host and select Configure Local Agent.

4. On the Advanced tab, in the Auth Methods attribute, specify the authentication methods that other NetWorker hosts (peer hosts) can use when initiating a connection to this host.

Use the following format to specify each Auth Methods value:

IP_Address[mask], authentication_method[/authentication_method]...

where:

• IP_Address[mask] is a single IP address, a single host name, or an IP address and netmask range. You can specify the number of bits for the mask value or use the full subnet mask address.

• authentication_method is nsrauth, for strong authentication, or oldauth, for legacy authentication.


Note

When you specify more than one authentication method, NetWorker attempts to communicate with the first method in the list. If the first method fails, NetWorker attempts to communicate by using the second method in the list. Limit oldauth to the specific hosts that need it, as the last example does, so that the rest of the data zone cannot negotiate the weaker method.

For example:

• To configure host mnd.emc.com to use only nsrauth when communicating with this host, type:

mnd.emc.com, nsrauth

• To configure all hosts on the 137.69.160.0/24 subnet to use only nsrauth when communicating with this host, type:

137.69.160.0/24, nsrauth

• To configure all hosts in the data zone to use nsrauth when communicating with this host, except for the host with IP address 137.69.160.10, which should try oldauth first, type the following two values:

137.69.160.10, oldauth/nsrauth

0.0.0.0, nsrauth

5. Click OK.

6. Restart the NetWorker services or daemons on the target host.

Using nsradmin to manage the authentication method

Use the nsradmin program to manage the authentication method used by a host.

Before you begin

Connect to the target host with an account that has administrator access to the nsrexec database. Configuring NetWorker client database access privileges on page 52 describes how to update the administrator list in the NetWorker client database.

Procedure

1. Connect to the nsrexec database:

nsradmin -p nsrexec

2. Set the query type to the NSRLA resource, which holds the auth methods attribute (the same resource that Configure Local Agent edits in NMC):

. type: NSRLA

3. Display the current value for the auth methods attribute:

show auth methods

print


4. Update the auth methods attribute by using the following format:

update auth methods: IP_Address[mask],authentication_method[/authentication_method]

where:

• IP_Address[mask] is a single IP address, a single host name, or an IP address and netmask range. You can specify the number of bits for the mask value or use the full subnet mask address.

• authentication_method is nsrauth, for strong authentication, or oldauth, for legacy authentication.

Note

When you specify more than one authentication method, NetWorker attempts to communicate with the first method in the list. If the first method fails, NetWorker attempts to communicate by using the second method in the list.

For example:

• To configure host mnd.emc.com to use only nsrauth when communicating with this host, type:

update auth methods: mnd.emc.com,nsrauth

• To configure all hosts on the 137.69.160.0/24 subnet to use only nsrauth when communicating with this host, type:

update auth methods: 137.69.160.0/24,nsrauth

• To configure all hosts in the data zone to use nsrauth when communicating with this host, except for the host with IP address 137.69.160.10, which should try oldauth first, set both values in one update command. Because each value contains a comma, quote the values, as in the administrator example earlier:

update auth methods: "137.69.160.10,oldauth/nsrauth", "0.0.0.0,nsrauth"

5. When prompted to update the resource, type Yes.

6. Type Quit to exit the nsradmin program, and then restart the NetWorker services or daemons on the target host, as in the NMC procedure.
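As an added example that is not part of the EMC guide, the following Python parses Auth Methods values in the format given in both the NMC and nsradmin procedures above, selects the method list that applies to a given peer, and lists every entry that still permits oldauth. The first-match evaluation order, the hypothetical host names and addresses, and the treatment of a bare 0.0.0.0 as a catch-all are assumptions of the example, not behaviour documented on this page.

```python
import ipaddress

# Added example, not from the EMC guide: parse and audit NetWorker "Auth
# Methods" values of the form  IP_Address[mask], method[/method]...
VALID_METHODS = {"nsrauth", "oldauth"}


def parse_auth_method_entry(entry):
    """Return (target, [methods]) for one value.

    target is an ip_network for an address, an address with a prefix length
    or with a full netmask, and a lower-cased string for a host name. A
    malformed value raises ValueError so a typo cannot become a rule that
    silently never matches.
    """
    if "," not in entry:
        raise ValueError("missing ',' between address and methods: %r" % entry)
    addr_part, method_part = (s.strip() for s in entry.split(",", 1))
    methods = [m.strip() for m in method_part.split("/") if m.strip()]
    if not methods or not set(methods) <= VALID_METHODS:
        raise ValueError("unknown authentication method in %r" % entry)
    if len(set(methods)) != len(methods):
        raise ValueError("method listed twice in %r" % entry)
    if addr_part == "0.0.0.0":
        # The guide's catch-all entry; read it as "every address" (assumption).
        return ipaddress.ip_network("0.0.0.0/0"), methods
    try:
        return ipaddress.ip_network(addr_part, strict=False), methods
    except ValueError:
        return addr_part.lower(), methods  # not an address: treat as a host name


def is_valid_auth_method_entry(entry):
    try:
        parse_auth_method_entry(entry)
        return True
    except ValueError:
        return False


def parse_auth_methods(entries):
    return [parse_auth_method_entry(e) for e in entries]


def methods_for_peer(rules, peer_ip=None, peer_hostname=None):
    """Ordered method list that applies to a peer, or None if no entry matches.

    Assumption (the guide does not state it): entries are checked in the
    order listed and the first match wins, which is why its example puts the
    single host before the 0.0.0.0 catch-all.
    """
    addr = ipaddress.ip_address(peer_ip) if peer_ip else None
    for target, methods in rules:
        if isinstance(target, str):
            if peer_hostname and peer_hostname.lower() == target:
                return methods
        elif addr is not None and addr in target:
            return methods
    return None


def audit_oldauth(entries):
    """Entries that still permit the legacy oldauth method; each one is a peer
    or range that can end up on the weaker mechanism."""
    return [e for e in entries if "oldauth" in parse_auth_method_entry(e)[1]]


# Constructed sample following the guide's last example: one legacy host tries
# oldauth first, a named host and everyone else must use nsrauth.
SAMPLE_AUTH_METHODS = [
    "137.69.160.10, oldauth/nsrauth",
    "mnd.emc.com, nsrauth",
    "0.0.0.0, nsrauth",
]

if __name__ == "__main__":
    rules = parse_auth_methods(SAMPLE_AUTH_METHODS)
    for ip in ("137.69.160.10", "137.69.160.11", "10.1.2.3"):
        print(ip, "->", methods_for_peer(rules, peer_ip=ip))
    print("mnd.emc.com ->", methods_for_peer(rules, peer_hostname="mnd.emc.com"))
    print("entries allowing oldauth:", audit_oldauth(SAMPLE_AUTH_METHODS))
```

Feed it the auth methods values printed by nsradmin on each host and the audit function gives you the list of peers that can still fall back to oldauth, which is the list you want to shrink to zero once every host in the data zone supports nsrauth.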

Maintaining the NSRLA resource

The NSRLA resource in the nsrexec database contains the unique information that identifies a NetWorker host to other NetWorker hosts.

Use NMC or the nsradmin command to export and import the NSRLA resource. Use the nwinstcreate program to create a customized private key and certificate.

Exporting the local host credentials

Export the local host credentials for a host to ensure that you have a copy of the unique credential information. If data loss or corruption of the NSRLA resource occurs, you can import the local host credentials and restore the original local host credentials to the NSRLA resource. The export file contains the private key of the host, so store it with the same protection as any other private key and restrict access to the root user (UNIX) or the Local System account (Windows), as the import procedures require.

Exporting the local host credentials by using NMC

Connect to the NetWorker server with NMC and export the local host credentials.

Before you begin

The gstd process owner must have permission to update the nsrexec database on the target host. Configuring NetWorker client database access privileges on page 52 provides more information.

You cannot use NMC to export the local host credentials for a NetWorker host that does not have an existing client resource configured on the NetWorker server.


Procedure

1. On the Administration window, select Configuration.

2. In the left navigation pane, expand the NetWorker server, and then expand the Local Hosts resource.

3. Right-click the target host and select Configure Local Agent.

4. On the Advanced tab, in the NW instance info operations attribute, select Export.

5. In the NW instance info file attribute, specify the path and name of the file that will contain the exported information.

For Windows paths, use a forward slash (/) when you specify the path. For example, when the mnd_credentials.txt file is in c:\users, specify: c:/users/mnd_credentials.txt.

6. Click OK.

Results

NetWorker exports the local host credential information to the file you specify, on the target host.

Note

If you do not specify a path to the file, NetWorker creates the export file in the C:\Windows\system32 directory on a Windows host and in the /nsr/cores/nsrexecd directory on a UNIX host.

Exporting the local host credentials by using nsradmin

Use the nsradmin program to export the local host credentials.

Before you begin

Connect to the target host with an account that has administrator access to the nsrexec database. Configuring NetWorker client database access privileges on page 52 describes how to update the administrator list in the NetWorker client database.

Procedure

1. Connect to the nsrexec database:

nsradmin -p nsrexec

2. Set the query type to NSRLA:

. type: NSRLA

3. Configure the NW instance info operations attribute and the NW instance info file attribute to export the resource information:

update NW instance info operations: export; NW instance info file: pathname_filename

For example, to export the information to the /home/root/export.txt file on a UNIX host, type:

update NW instance info operations: export; NW instance info file: /home/root/export.txt


For Windows paths, use a forward slash (/) when you specify the path. For example, when the mnd_credentials.txt file is in c:\users, specify: c:/users/mnd_credentials.txt.

Results

NetWorker exports the local host credential information to the file you specify, on the target host.

Create a custom certificate and private key for a host

NetWorker automatically creates a certificate and private key for each NetWorker host. However, you can create a certificate and a private key for a host manually.

You might want to do this in special cases, such as when your company policy stipulates that a host must use a certificate and private key that a trusted random number generation utility creates. You can import the new certificate and key information into the NSRLA resource of the host, and import the information into the NSR Peer Information resource for the host on each other host within the enterprise.

Creating a custom certificate and private key

Use the nwinstcreate command to create a custom certificate and private key.

Perform the following steps from a command prompt on the host that will use the custom certificate and private key. You can import the custom file into the NSRLA resource on the local host, or you can import the custom file into the NSR Peer Information resource for the host on other hosts in the data zone.

Procedure

1. Start the nwinstcreate program:

nwinstcreate -ix

2. On the Enter the file name to save NetWorker identify information into prompt, specify the name of the file to save the custom certificate and private key, or accept the default file name and location.

3. On the Enter a unique NetWorker instance name to identify your machine prompt, specify an instance name or accept the default value (the hostname of the machine).

NetWorker uses the specified value in the my hostname attribute by default.

4. On the Enter the NetWorker instance id prompt, specify a unique value to identify the host or accept the default value.

5. On the Enter the file containing the private key prompt, specify the path and file name of a PEM formatted file that contains the private key for this host. If your organization does not have a private key, leave the prompt blank and NetWorker will generate the private key for the host.

6. On Windows hosts only, ensure that the Windows Local System Account (System) has read, write, and modify privileges for the file that contains the custom certificate and key.

Importing local host credentials

If you exported the local host credentials for the host, or you created custom credentials with the nwinstcreate program, you can use NMC or nsradmin to import the information into the NSRLA resource on a host.

When NSRLA corruption occurs and the nsrexecd program creates new local host credentials on a host, the nsrauth process rejects all connection attempts between the host and all other hosts in the data zone that communicated with the host before the corruption. The nsrauth process rejects the connection because the information in the NSR Peer Information resource for the host differs from the new local host credentials that the host provides when it attempts to establish a connection. To resolve this issue, import a copy of the local host credentials for the host into the local NSRLA resource. This ensures that the local host credentials for the host match the information stored in the NSR Peer Information resource on all other hosts in the data zone. Resolving conflicts between the local host credentials and NSR Peer Information resource on page 63 describes how to resolve this issue if an exported copy of the local host credential information is not available.

Importing local host credentials by using NMC

Connect to the NetWorker server with NMC and import the local host credentials.

Before you begin

The gstd process owner must have permission to update the nsrexec database on the target host. Configuring NetWorker client database access privileges on page 52 provides more information.

Procedure

1. Copy the file that contains the exported local host credentials to the target host.

2. On UNIX platforms, ensure that the root user has read and write permissions for thecredential file.

For example: chmod 600 export_file_name

3. On the Administration window, select Configuration.

4. In the left navigation pane, expand the NetWorker server, and then expand the Local Hosts resource.

5. Right-click the target host and select Configure Local Agent.

6. On the Advanced tab, in the NW instance info operations attribute, select Import.

7. In the NW instance info file attribute, specify the path and name of the file that contains the exported information.

For Windows paths, use a forward slash (/) when you specify the path. For example, when the mnd_credentials.txt file is in c:\users, specify: c:/users/mnd_credentials.txt.

8. Click OK.

Results

NetWorker imports the local host credential information to the target host.

Importing local host credentials by using nsradmin

Use the nsradmin program to import local host credentials from a file into the NSRLA resource of a host.

Before you begin

Connect to the target host with an account that has administrator access to the nsrexec database. Configuring NetWorker client database access privileges on page 52 describes how to update the administrator list in the NetWorker client database.

Procedure

1. Copy the file that contains the exported local host credentials to the target host.

2. On UNIX platforms, ensure that the root user has read and write permissions for thecredential file.

For example: chmod 600 export_file_name


3. Connect to the nsrexec database:

nsradmin -p nsrexec

4. Set the query type to NSRLA:

. type: NSRLA

5. Configure the NW instance info operations attribute and the NW instance info file attribute to import the resource information:

update NW instance info operations: import; NW instance info file: pathname_filename

For example, to import the information from the /home/root/mnd_credentials.txt file on a UNIX host, type:

update NW instance info operations: import; NW instance info file: /home/root/mnd_credentials.txt

For Windows paths, use a forward slash (/) when you specify the path. For example, when the mnd_credentials.txt file is in c:\users, specify: c:/users/mnd_credentials.txt.

6. When prompted to update the resource, type Yes.

7. Exit the nsradmin program:

quit

Maintaining nsrauth authentication credentials

This section describes how to maintain the local host credentials and the NSR Peer Information resource.

Creating the NSR Peer Information resource manually

When a NetWorker host initiates a connection with another host for the first time, NetWorker automatically creates an NSR Peer Information resource for the initiating host in the nsrexec database on the target host. NetWorker uses the information contained in the NSR Peer Information resource to verify the identity of the initiating host on subsequent authentication attempts. Because the first host to present credentials under a given name is the one that gets recorded, manually create the NSR Peer Information resource on the target host, from an exported copy of the real host's credentials, before the two hosts communicate for the first time. This removes the window in which an attacker could register its own credentials under the name of the legitimate host.

Creating the NSR Peer Information resource manually by using NMC

Connect to the NetWorker server with NMC to create a new NSR Peer Information resource for a host.

Before you begin

The gstd process owner must have permission to update the nsrexec database on the target host. Configuring NetWorker client database access privileges on page 52 provides more information.

Review the contents of the file that contains the exported local host credentials for the host and make note of the values in the Name, My hostname, and NW Instance ID attributes.

Procedure

1. Copy the file that contains the exported local host credentials to the target host.

2. On the View menu, select Diagnostic mode.

3. On the Administration window, select Configuration.

4. Right-click on the target host and then select New.

5. On the Create certificate window, in the Change certificate drop-down menu, select Load certificate from file.

6. In the Name attribute, enter the Name value from the credential file.

7. In the Instance ID attribute, enter the NW Instance ID value from the credential file.

8. In the Peer Hostname attribute, enter the My Hostname value from the credential file.

9. In the Change certificate drop-down, select Load certificate from file.

10. In the Certificate file to load attribute, specify the path and name of the file that contains the exported local host credentials.

For Windows paths, use a forward slash (/) when you specify the path. For example, when the mnd_credentials.txt file is in c:\users, specify: c:/users/mnd_credentials.txt.

11. On UNIX platforms, ensure that the root user has read and write permissions for the credential file.

For example: chmod 600 export_file_name

12.Click OK.

Creating the NSR Peer Information resource by using nsradmin

Use the nsradmin program on a host to create an NSR Peer Information resource for another host.

Before you begin

Connect to the target host with an account that has administrator access to the nsrexec database. Configuring NetWorker client database access privileges on page 52 describes how to update the administrator list in the NetWorker client database.

Procedure

1. Copy the file that contains the exported local host credentials to the target host.

2. Connect to the nsrexec database:

nsradmin -p nsrexec

3. Create the NSR Peer Information resource:

create type: NSR Peer Information; name: hostname; NW Instance: nw_instance_id; peer hostname: my_hostname

where:

• hostname is the value that appears in the Name attribute in the credential file.

• nw_instance_id is the value that appears in the NW Instance ID attribute in the credential file.


• my_hostname is the value that appears in the My hostname attribute in the credential file.

4. When prompted to create the resource, type Yes.

5. Set the current query to the new NSR Peer Information resource:

. type: NSR Peer Information; name: hostname

6. Update the new NSR Peer Information resource to use the exported certificate:

update change certificate: load certificate from file; certificate file to load: pathname_filename

For Windows paths, use a forward slash (/) when you specify the path. For example, when the mnd_credentials.txt file is in c:\users, specify: c:/users/mnd_credentials.txt.

7. When prompted to update the resource, type Yes.

8. Display the hidden properties:

option hidden

9. Display the new NSR Peer Information resource:

print . type: NSR Peer Information;name: hostname

Deleting the NSR Peer Information resource

When the local host credentials for a NetWorker host change, authentication attempts to other hosts fail because the credential information stored on the target host does not match the local host credential information provided by the initiating host.

Use the nsradmin program or the Local Host window in NMC to delete the NSR Peer Information resource for the initiating host on the target host. The next time the initiating host attempts to connect to the target host, the nsrauth authentication process will use the current local host credentials to create a new NSR Peer Information resource for the initiating host.

Deleting the NSR Peer Information resource by using NMC

Use NMC to connect to the NetWorker server and delete the NSR Peer Information resource for a NetWorker host.

Before you begin

The gstd process owner must have permission to update the nsrexec database on the target host. Configuring NetWorker client database access privileges on page 52 provides more information.

Note

You cannot use NMC to delete the NSR Peer Information resource for a NetWorker host that does not have an existing client resource configured on the NetWorker server.

Procedure

1. On the Administration window, select Configuration.

2. In the left navigation pane, expand the NetWorker server, and then expand the Local Hosts resource.


3. Select the NetWorker host with the NSR Peer Information resource that you want to delete.

Note

The NetWorker host does not appear in the Local Hosts section when a client resource does not exist on the NetWorker server.

The Certificate window displays a list of the NSR Peer Information resources stored in the nsrexec database on the host.

4. In the Certificate window, right-click the certificate that you want to delete and select Delete.

5. When prompted to confirm the delete operation, select Yes.

If you receive the error User username on machine hostname is not on administrator list, you cannot modify the resource until you configure the NSRLA access privileges on the target host. Configuring NSRLA access privileges on page 52 provides more information.

Results

The target host creates a new NSR Peer Information resource for the initiating host the next time that the initiating host attempts to establish a connection with the target host.

Deleting the NSR Peer Information resource by using nsradmin

Use the nsradmin command on the target host to delete the NSR Peer Information resource for the initiating host.

Before you begin

Connect to the target host with an account that has administrator access to the nsrexec database. Configuring NetWorker client database access privileges on page 52 describes how to update the administrator list in the NetWorker client database.

Procedure

1. Connect to the nsrexec database:

nsradmin -p nsrexec

2. Set the query type to the NSR Peer Information resource of the initiating host:

. type: nsr peer information; name: initiating_host_name

For example, if the hostname of the initiating host is pwd.emc.com, type:

. type: nsr peer information; name: pwd.emc.com

3. Display all attributes for the NSR Peer Information resource:

show

4. Print the attributes for the NSR Peer Information resource and confirm that the name and peer hostname attributes match the hostname of the initiating host:

print


5. Delete the NSR Peer Information resource:

delete

6. When prompted to confirm the delete operation, type y.

7. Quit the nsradmin program:

quit

Results

The target host creates a new NSR Peer Information resource for the initiating host thenext time that the initiating host attempts to establish a connection with the target host.

Resolving conflicts between the local host credentials and NSR Peer Information resource

After two NetWorker hosts successfully authenticate each other, the target host creates an NSR Peer Information resource to store the local host credentials of the initiating host. The target host uses the attributes stored in the NSR Peer Information resource to validate subsequent connection requests from the initiating host. When unexpected data loss or corruption occurs in the NSRLA resource of the initiating host, the nsrexecd process creates new local host credentials. When a host with new local host credentials attempts to connect to another host, the target host rejects the connection request if an NSR Peer Information resource exists for the initiating host, because the credentials do not match the contents of the NSR Peer Information resource.

When the local host credentials change for a host, all target hosts that have had a prior connection with the host reject its connection attempts. You can resolve this issue in one of the following ways:

• Manually delete the NSR Peer Information resource for the initiating host in the NetWorker client database of each target host. Deleting the NSR Peer Information resource describes this procedure.

Note

If the NetWorker server is the initiating host, you must delete the NSR Peer Information resource on each host in the data zone.

• Import a backup copy of the local host credentials on the initiating host. Importing local host credentials describes this procedure.
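The following Python, added here and not taken from the EMC guide or from NetWorker itself, replays the target-side decision described under Component authentication, the pre-created resource described under Creating the NSR Peer Information resource manually, and the two recovery options listed above. It is a model: a random secret and its SHA-256 digest stand in for the RSA key and certificate, no SSL handshake is performed, the host names are hypothetical, and the order in which the fields are compared is an assumption.

```python
import hashlib
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class LocalHostCredentials:
    """Model of the NSRLA resource that nsrexecd generates on first start.
    A random secret stands in for the 1024-bit RSA key and its SHA-256 digest
    for the self-signed certificate (an assumption of this model; no SSL here)."""
    my_hostname: str
    nw_instance_id: str
    private_key: bytes

    @classmethod
    def generate(cls, hostname):
        return cls(hostname, os.urandom(8).hex(), os.urandom(32))

    @property
    def certificate(self):
        return hashlib.sha256(self.private_key).hexdigest()

    def identity(self):
        """What the initiating host presents to a peer: never the private key."""
        return {"name": self.my_hostname, "peer hostname": self.my_hostname,
                "NW instance ID": self.nw_instance_id, "certificate": self.certificate}

    def export(self):
        """Model of 'NW instance info operations: export'; it includes the key,
        which is why the guide has you chmod 600 the file."""
        return {"my hostname": self.my_hostname, "NW instance ID": self.nw_instance_id,
                "certificate": self.certificate, "private key": self.private_key}

    @classmethod
    def import_(cls, exported):
        return cls(exported["my hostname"], exported["NW instance ID"], exported["private key"])


PEER_FIELDS = ("peer hostname", "NW instance ID", "certificate")


class NsrexecDatabase:
    """The nsrexec database of one host: its NSRLA plus NSR Peer Information."""

    def __init__(self, local):
        self.nsrla = local
        self.peers = {}  # name -> stored NSR Peer Information (public fields only)

    def create_peer_information(self, exported):
        """Pre-create the resource from an exported credential file, as in
        'Creating the NSR Peer Information resource manually'."""
        self.peers[exported["my hostname"]] = {
            "peer hostname": exported["my hostname"],
            "NW instance ID": exported["NW instance ID"],
            "certificate": exported["certificate"]}

    def delete_peer_information(self, name):
        self.peers.pop(name, None)

    def authenticate(self, presented):
        """Target-side decision from 'Component authentication'; returns (ok, reason)."""
        stored = self.peers.get(presented["name"])
        if stored is None:
            # No resource yet: trust on first use and record whoever showed up.
            self.peers[presented["name"]] = {k: presented[k] for k in PEER_FIELDS}
            return True, "created NSR Peer Information"
        if all(stored[k] == presented[k] for k in PEER_FIELDS):
            return True, "credentials match"
        # Mismatch: the target requests the certificate and compares only that.
        if stored["certificate"] == presented["certificate"]:
            return True, "certificate matches"
        return False, "certificate mismatch, connection dropped"


def run_scenario():
    """Replay the situations the guide describes; returns [(step, accepted, reason)]."""
    log = []

    def attempt(label, db, creds):
        ok, why = db.authenticate(creds.identity())
        log.append((label, ok, why))

    client = LocalHostCredentials.generate("pwd.emc.com")
    backup = client.export()  # exported copy kept for recovery
    server = NsrexecDatabase(LocalHostCredentials.generate("nw.emc.com"))
    attempt("first contact", server, client)
    attempt("second contact", server, client)
    attempt("impersonator with same host name", server, LocalHostCredentials.generate("pwd.emc.com"))
    rekeyed = LocalHostCredentials.generate("pwd.emc.com")  # NSRLA lost and regenerated
    attempt("after NSRLA regeneration", server, rekeyed)
    attempt("after importing the backup", server, LocalHostCredentials.import_(backup))
    server.delete_peer_information("pwd.emc.com")
    attempt("after deleting peer information", server, rekeyed)
    # Pre-provisioned peer: an attacker cannot win the race to be trusted first.
    server2 = NsrexecDatabase(LocalHostCredentials.generate("nw2.emc.com"))
    server2.create_peer_information(backup)
    attempt("impersonator vs pre-provisioned", server2, LocalHostCredentials.generate("pwd.emc.com"))
    attempt("real host vs pre-provisioned", server2, LocalHostCredentials.import_(backup))
    return log


if __name__ == "__main__":
    for label, ok, why in run_scenario():
        print("%-34s %s  (%s)" % (label, "ACCEPT" if ok else "REJECT", why))
```

Running it prints one ACCEPT or REJECT line per step. The two rejections in the middle are the same check seen from two sides: an impersonator is stopped by the stored certificate, and so is the legitimate host once its NSRLA has been regenerated, until the stale resource is deleted on the target or the exported backup is imported on the initiator.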

Deleting the NSR Peer Information resource

When the local host credentials for a NetWorker host change, authentication attempts toother hosts fail because the credential information stored in the target host does notmatch the local host credential information provided by the initiating host.

Use the nsradmin program or the Local Host window in NMC to delete the NSR PeerInformation resource for the initiating host on the target host. The next time the initiatinghost attempts to connect to the target host, the nsrauth authentication process will usethe current local host credentials to create a new NSR Peer Information resource for theinitiating host.

Deleting the NSR Peer Information resource by using NMCUse NMC to connect to the NetWorker server and delete the NSR Peer Informationresource for a NetWorker host.

Before you begin

The gstd process owner must have permission to update the nsrexec database on thetarget host. Configuring NetWorker client database access privileges on page 52 providesmore information.

Access Control Settings

Component authentication 63

Page 64: EMC NetWorker 8.2 SP1 Security Configuration Guide

Note

You cannot use NMC to delete the NSR Peer Information resource for a NetWorker hostthat does not have an existing client resource configured on the NetWorker server.

Procedure

1. On the Administration window, select Configuration.

2. In the left navigation pane, expand the NetWorker server, and then expand the LocalHosts resource.

3. Select the NetWorker host with the NSR Peer Information resource that you want todelete.

Note

The NetWorker host does not appear in the Local Hosts section when a client resourcedoes not exist on the NetWorker server.

The Certificate window displays a list of NSR Peer Information resources stored in thensrexec database on the host.

4. In the Certificate window, right-click the certificate that you want to delete and selectDelete.

5. When prompted to confirm the delete operation, select Yes.

If you receive the error, User username on machine hostname is not onadministrator list, you cannot modify the resource until you configure theNSRLA access privileges on the target host. Configuring NSRLA access privileges onpage 52 provides more information.

Results

The target host creates a new NSR Peer Information resource for the initiating host thenext time that the initiating host attempts to establish a connection with the target host.Deleting the NSR Peer Information resource by using nsradminUse the nsradmin command on the target host to delete the NSR Peer Informationresource for the initiating host.

Before you begin

Connect to the target host with an account that has administrator access to the nsrexecdatabase. Configuring NetWorker client database access privileges on page 52 describeshow to update the administrator list in the NetWorker client database.

Procedure

1. Connect to the nsrexec database:

nsradmin -p nsrexec

2. Set the query type to the NSR Peer Information resource of the initiating host:

. type: nsr peer information;name: initiating_host_name

For example, if the hostname of the initiating host is pwd.emc.com, type:

. type: nsr peer information;name: pwd.emc.com

Access Control Settings

64 EMC NetWorker 8.2 SP1 Security Configuration Guide

Page 65: EMC NetWorker 8.2 SP1 Security Configuration Guide

3. Display all attributes for the NSR Peer Information resource:

show

4. Print the attributes for the NSR Peer Information resource and confirm that the nameand peer hostname attributes match the hostname of the initiating host:

print

5. Delete the NSR Peer Information resource:

delete

6. When prompted to confirm the delete operation, type y.

7. Quit the nsradmin program:

quit

Results

The target host creates a new NSR Peer Information resource for the initiating host the next time that the initiating host attempts to establish a connection with the target host.

Importing local host credentials into the NSR Peer Information resource

Use the nsradmin program or the Local Host window in NMC to import the private key and certificate into the NSR Peer Information resource for the initiating host, on the target host.

The next time the initiating host attempts to connect to the target host, the nsrauth authentication process uses the imported local host credentials to create a new NSR Peer Information resource for the initiating host.

Importing local host credentials by using NMC

Use NMC to connect to the NetWorker server and import the certificate and private key into the NSR Peer Information resource for a NetWorker host.

Before you begin

The gstd process owner must have permission to update the nsrexec database on the target host. Configuring NetWorker client database access privileges on page 52 provides more information.

Procedure

1. On the Administration window, select Configuration.

2. In the left navigation pane, expand the NetWorker server, and then expand the Local Hosts resource.

3. Right-click the target host and select Configure Local Agent.

4. Select the NetWorker host with the NSR Peer Information resource that you want to modify.

5. In the Certificate window, right-click the certificate that you want to delete and select Properties.

6. On the Create certificate window, in the Change certificate drop-down, select Load certificate from file.


7. In the Certificate file to load attribute, specify the path and name of the file that contains the exported local host credentials.

If you receive the error, User username on machine hostname is not on administrator list, you cannot modify the resource until you configure the NSRLA access privileges on the target host. Configuring NSRLA access privileges on page 52 provides more information.

8. Click OK.

Importing local host credentials by using nsradmin

Use nsradmin to import the certificate and private key into the NSR Peer Information resource for a NetWorker host.

Before you begin

Connect to the target host with an account that has administrator access to the nsrexec database. Configuring NetWorker client database access privileges on page 52 describes how to update the administrator list in the NetWorker client database.

Procedure

1. Connect to the nsrexec database:

nsradmin -p nsrexec

2. Set the query type to the NSR Peer Information resource of the initiating host:

. type: nsr peer information;name: initiating_host_name

For example, if the hostname of the initiating host is pwd.emc.com, type:

. type: nsr peer information;name: pwd.emc.com

3. Display hidden resources:

option hidden

4. Print the attributes for the NSR Peer Information resource and confirm that the name and peer hostname attributes match the hostname of the initiating host:

print

5. Update the new NSR Peer Information resource to use the exported certificate:

update: change certificate: load certificate from file; certificate file to load: pathname_filename

For Windows paths, use a forward slash (/) when you specify the path. For example, when the mnd_credentials.txt file is in c:\users, specify: c:/users/mnd_credentials.txt.

6. When prompted to update the resource, type Yes.

7. Display the hidden properties:

option hidden


8. Display the new NSR Peer Information resource:

print . type: NSR Peer Information;name: hostname

Generating a new host certificate key

Use NMC to create a new host certificate key for a NetWorker host.

Before you begin

The gstd process owner must have permission to update the nsrexec database on the target host. Configuring NetWorker client database access privileges on page 52 provides more information.

Procedure

1. On the Administration window, select Configuration.

2. In the left navigation pane, expand the NetWorker server, and then expand the Local Hosts resource.

3. Right-click the target host and select Configure Local Agent.

4. Select the Advanced tab.

5. From the NW Instance Info Operations attribute list, select New Keys.

6. Click OK.

Results

NetWorker generates a new certificate for the NetWorker host. You must delete all existing Peer Information resources for the host, on other NetWorker hosts. Deleting the Peer information resource on page 61 describes how to delete the resource.

Component authorization

NetWorker provides you with the ability to restrict remote program executions or client-tasking rights on a NetWorker host.

You can also:

l Define users that can access the data of a NetWorker host and recover the data to a different NetWorker host.

l Restrict client-initiated backups to the NetWorker server.

l Configure the NetWorker server to prevent the start up of new save and recover sessions.

Restricting remote program executions and client-tasking rights

When a NetWorker host requests the right to perform a task on another NetWorker host, the destination host compares the name of the requesting host to the list of host names specified in the servers file on the destination NetWorker host. If the hostname of the requesting host is not in the servers file, then the requesting host does not have client-tasking rights and the destination host rejects the request.

The following table provides a list of tasks that require client-tasking rights.

Operation: Archive request
Entries required in the client servers file: Add the FQDN and shortname of the NetWorker server.

Operation: Scheduled backup
Entries required in the client servers file: Add the FQDN and shortname of the NetWorker server. For a clustered NetWorker server, add the long and shortname of the virtual NetWorker and all physical nodes.

Operation: Remote directed recovery
Entries required in the client servers file: Add the FQDN and shortname of the administering client to the servers file on the destination client.

Operation: NDMP DSA backup
Entries required in the client servers file: Add the FQDN and shortname of the NetWorker client that initiates the backup.

The software installation process on Windows and Solaris allows you to specify a list of hosts to add to the servers file. To change the servers file after the installation completes or to specify hosts on operating systems that do not allow you to configure the file during the installation process, use a text editor to edit the servers file. The servers file resides in the following locations:

l On UNIX and Mac NetWorker hosts: /nsr/res

l On Windows NetWorker hosts: NetWorker_installation_path\res

When you add a NetWorker host to the servers file, ensure that you perform the following tasks:

l Specify the FQDN for the host.

l Specify one hostname on each line.

l Restart the nsrexecd service on the host, after you save the file.

Note

If the servers file is empty or does not exist, then any NetWorker host has client-tasking rights to the host.

On UNIX computers, you can start the nsrexecd daemon with the -s servername option to assign client-tasking rights to a host. The use of the -s option to start the nsrexecd daemon supersedes the use of the servers file to restrict client-tasking rights.
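As an added check (example code written for this page, not part of the EMC guide), the following POSIX shell function audits a servers file against the rules above: a missing or empty file is reported as granting client-tasking rights to every host, lines that carry more than one hostname are flagged, a shortname with no matching FQDN entry is flagged, and duplicate entries are reported. The default path /nsr/res/servers is the UNIX location named above; the sample files the script creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the EMC guide: audit a NetWorker "servers" file
# against the rules the guide states (one hostname per line, FQDN plus
# shortname entries, and an empty or missing file meaning every NetWorker
# host gets client-tasking rights). Defaults to the UNIX location.

# audit_servers_file [FILE]
# Prints one finding per line, or "OK" when there is nothing to report.
# Returns 0 when the file passes, 1 when any finding was reported.
audit_servers_file() {
    file="${1:-/nsr/res/servers}"
    findings=0

    if [ ! -f "$file" ]; then
        echo "MISSING: $file does not exist; any NetWorker host has client-tasking rights"
        return 1
    fi

    # Blank lines carry no entry, so a file of blank lines counts as empty.
    entries=$(grep -c -v '^[[:space:]]*$' "$file" || true)
    if [ "$entries" -eq 0 ]; then
        echo "EMPTY: $file has no entries; any NetWorker host has client-tasking rights"
        return 1
    fi

    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        # Word-split the line: the guide requires one hostname per line.
        set -- $line
        if [ $# -eq 0 ]; then
            continue
        fi
        if [ $# -gt 1 ]; then
            echo "LINE $lineno: more than one hostname on the line: '$line'"
            findings=$((findings + 1))
            continue
        fi
        # A name without a dot is a shortname; the guide pairs every
        # shortname with the FQDN, so look for "<shortname>." in the file.
        case "$1" in
            *.*) ;;
            *)   if ! grep -q "^$1\\." "$file"; then
                     echo "LINE $lineno: shortname '$1' has no matching FQDN entry"
                     findings=$((findings + 1))
                 fi ;;
        esac
    done < "$file"

    # Duplicate entries are harmless to NetWorker but usually signal a stale edit.
    dups=$(grep -v '^[[:space:]]*$' "$file" | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "DUPLICATE: $dups"
        findings=$((findings + 1))
    fi

    if [ "$findings" -eq 0 ]; then
        echo "OK"
        return 0
    fi
    return 1
}

# Constructed sample files so the function can be exercised stand-alone.
demo=$(mktemp -d)
printf 'nwserver.example.com\nnwserver\n' > "$demo/servers.pair"
printf 'nwclient\n' > "$demo/servers.lone"
: > "$demo/servers.empty"
for f in pair lone empty; do
    echo "== servers.$f"
    audit_servers_file "$demo/servers.$f" || true
done
rm -rf "$demo"
```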

Configuring remote recover access rights

You can control client recover access through the Client resource. The Remote Access attribute displays the user accounts that have the ability to recover save sets from the NetWorker host to a different NetWorker host. Add or remove user names depending on the level of security the files require.

Before you begin

Use NMC to connect to the NetWorker server with a user that is a member of the Application Administrators or Database Administrators user group.

Only the users specified in the Remote Access attribute and the following user accounts can perform remote or directed recoveries of the target client data:

l The root user on a target UNIX host.

l Member of the local ‘Administrators’ group on a target Windows host.

l Members of the ‘Application Administrator’ user group on the NetWorker Server.

l Members of a NetWorker Server user group that has the ‘Change Security Settings’ privilege.

The NetWorker Administration Guide describes how to configure and perform remote and directed recoveries.


Procedure

1. From the Administration window, click Configuration.

2. In the left navigation pane, select Clients.

3. Right-click the client and select Properties.

4. On the Globals (2 of 2) tab, in the Remote Access attribute, specify the user accounts that you want to have remote recover access to the client, in one of the following formats:

l user=username

l username@hostname

l hostname

l host=hostname

l user=username, host=hostname

Note

If you enter a hostname or host=hostname in the Remote Access attribute, then any user on the specified host can recover the files for the client. To enter a username without specifying the host, enter user=username.

5. Click OK.
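An added example (written for this page, not from the EMC guide) that classifies Remote Access entries by the five formats listed above, so that entries which grant recover access to every user on a host (a bare hostname or host=hostname) stand out when the attribute is reviewed; the sample entries and hostnames are constructed.

```shell
#!/bin/sh
# Added example, not from the EMC guide: sort Remote Access entries into
# the grant they express, so host-wide grants are easy to spot in a review.

# classify_remote_access ENTRY
# Prints one of: user-on-host, user-on-any-host, host-wide, invalid.
classify_remote_access() {
    # NetWorker accepts "user=name, host=name"; drop the whitespace so a
    # single pattern covers both spellings.
    entry=$(printf '%s' "$1" | tr -d '[:space:]')
    case "$entry" in
        '')                          echo "invalid" ;;
        user=*,host=*|host=*,user=*) echo "user-on-host" ;;      # user=u, host=h
        user=*)                      echo "user-on-any-host" ;;  # user=u
        host=*)                      echo "host-wide" ;;         # host=h
        *@*)                         echo "user-on-host" ;;      # u@h
        *)                           echo "host-wide" ;;         # bare hostname
    esac
}

# audit_remote_access < entries
# Reads one Remote Access entry per line, prints "<class> <entry>" for each,
# and returns 1 when any entry lets every user on a host recover the data.
audit_remote_access() {
    hostwide=0
    while IFS= read -r e || [ -n "$e" ]; do
        if [ -z "$e" ]; then
            continue
        fi
        c=$(classify_remote_access "$e")
        printf '%-17s %s\n' "$c" "$e"
        if [ "$c" = "host-wide" ]; then
            hostwide=$((hostwide + 1))
        fi
    done
    if [ "$hostwide" -gt 0 ]; then
        return 1
    fi
    return 0
}

# Constructed sample attribute value for a stand-alone run.
audit_remote_access <<'EOF' || echo "review: host-wide grants present"
user=backupadmin
backupadmin@nwclient.example.com
user=dba, host=dbhost.example.com
host=nwclient.example.com
nwclient.example.com
EOF
```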

Restrict backup and recover access to the NetWorker server

You can configure the NetWorker server to allow or prevent manual save operations, accept or reject new save sessions, and accept or reject new recovery sessions.

Restricting manual save operations

Use the manual saves attribute in the NSR resource to allow or prevent client-initiated backups to the NetWorker server. This option is enabled by default.

Before you begin

Connect to the NetWorker server with a user that is a member of the Application Administrators or Database Administrators user group.

Procedure

1. From the Administration window, click Configuration.

2. In the left navigation pane, right-click the NetWorker server and select Properties.

3. On the Setup tab, clear Manual saves.

Results

Users cannot use the save command or the NetWorker User application (Windows clients only) to perform backups from any NetWorker host to the NetWorker server.

Rejecting new save sessions

NetWorker 8.0 and later allows you to configure the NetWorker server to reject new save sessions from an in-progress manual or scheduled backup. For example, the NetWorker server can reject new save sessions and allow routine NetWorker Server maintenance, such as a server reboot, to occur without cancelling in-progress backup operations during the shutdown process. By default, the NetWorker server is configured to accept new save sessions. Perform the following steps to prevent the NetWorker server from accepting new save sessions.

Before you begin

Use NMC to connect to the NetWorker server with a user that is a member of the Application Administrators or Database Administrators user group.

Procedure

1. From the Administration window, click Configuration.

2. In the left navigation pane, right-click the NetWorker server and select Properties.

3. On the Miscellaneous tab, clear Accept new sessions.

Rejecting new recover and clone sessions

NetWorker 8.0 and later allows you to configure the NetWorker server to reject new recover and clone sessions. For example, NetWorker can reject recover sessions and allow routine NetWorker Server maintenance, such as a server reboot, to occur without cancelling in-progress recover operations during the shutdown process. By default the NetWorker server is configured to accept new recover sessions. Perform the following steps to prevent the NetWorker server from accepting new recover sessions.

Before you begin

Use NMC to connect to the NetWorker server with a user that is a member of the Application Administrators or Database Administrators user group.

Procedure

1. From the Administration window, click Configuration.

2. In the left navigation pane, right-click the NetWorker server and select Properties.

3. On the Miscellaneous tab, clear Accept recover sessions.


CHAPTER 3

Log Settings

This chapter describes how to access and manage the log files available in NetWorker.

l NetWorker log files................................................................................................ 72

l View log files.........................................................................................................76

l Raw log file management...................................................................................... 79

l Monitoring changes to the NetWorker server resources......................................... 82

l Configuring logging levels..................................................................................... 83


NetWorker log files

This section provides a summary of the log files available on NetWorker hosts and log file management.

Table 7 NetWorker log files

Component: NetWorker server and client daemons
File name and default location: UNIX: /nsr/logs/daemon.raw; Windows: C:\Program Files\EMC NetWorker\nsr\logs\daemon.raw
Description: Main NetWorker log file. Use the nsr_render_log program to view the contents of the log file.

Component: NetWorker server generated syslog messages and daemon.notice
File name and default location: UNIX: OS log file defined by system log configuration file. Windows: C:\Program Files\EMC NetWorker\nsr\logs\messages

Component: NetWorker server generated syslog messages local0.notice and local0.alert
File name and default location: Log file name and location defined by the system log configuration file.
Description: UNIX only, OS log file. Unlike previous versions of the NetWorker software, NetWorker 8.0 and later does not modify the syslog.conf file to configure local0.notice and local0.alert. Vendor specific documentation describes how to configure local0.notice and local0.alert.

Component: NetWorker server disaster recovery command line wizard, nsrdr program
File name and default location: UNIX: /nsr/logs/nsrdr.log; Windows: C:\Program Files\EMC NetWorker\nsr\logs\nsrdr.log
Description: Contains detailed information about the internal operations performed by the nsrdr program. NetWorker overwrites this file each time you run the nsrdr program.

Component: Cloning
File name and default location: UNIX: /nsr/logs/clone.log; Windows: C:\Program Files\EMC NetWorker\nsr\logs\clone.log
Description: Contains completion information about scheduled clone operations. By default, the Scheduled clone completion and Scheduled clone failure notifications on the NetWorker server send information to the log file.

Component: Index log
File name and default location: UNIX: /nsr/logs/index.log; Windows: C:\Program Files\EMC NetWorker\nsr\logs\index.log
Description: Contains warnings about the size of the client file index and low disk space on the file system that contains the index files. By default, the Index size notification on the NetWorker server sends information to the log file.

Component: Report Home
File name and default location: UNIX: /nsr/logs/report_home/DefaultReportHome_YYMMDDxxxxxx; Windows: C:\Program Files\EMC NetWorker\nsr\logs\DefaultReportHome_YYMMDDxxxxxx
Description: Contains status information about the delivery of the Report Home output file to EMC Support.

Component: Hypervisor
File name and default location: UNIX: /nsr/logs/Hypervisor/; Windows: C:\Program Files\EMC NetWorker\nsr\logs\Hypervisor\

Component: VMware protection policies
File name and default location: UNIX: /nsr/logs/Policy/VMware_protection_policy_name; Windows: C:\Program Files\EMC NetWorker\nsr\logs\Policy\VMware_protection_policy_name
Description: Contains status information about VMware Protection Policy actions. NetWorker creates a separate log file for each action.

Component: Policies
File name and default location: UNIX: /nsr/logs/policy.log; Windows: C:\Program Files\EMC NetWorker\nsr\logs\policy.log
Description: Contains completion information about VMware Protection Policies. By default, the VMware Protection Policy Failure notification on the NetWorker server sends information to the log file.

Component: Snapshot management
File name and default location: UNIX: /nsr/logs/nwsnap.raw; Windows: C:\Program Files\EMC NetWorker\nsr\logs\nwsnap.raw
Description: Contains messages related to snapshot management operations. For example, snapshot creation, mounting, deletion, and rollover operations. Use the nsr_render_log program to view the contents of the log file.

Component: Media management
File name and default location: UNIX: /nsr/logs/media.log; Windows: C:\Program Files\EMC NetWorker\nsr\logs\media.log
Description: Contains device related messages. By default, the device notifications on the NetWorker server send device related messages to the media.log file on the NetWorker server and each storage node.

Component: Windows Bare Metal Recovery (BMR)
File name and default location: The following files in the X:\Program Files\EMC NetWorker\nsr\logs\ directory:
- ossr_director.raw: Contains the recovery workflow of the DISASTER_RECOVERY:\ and any errors related to recovering the save set files or Windows ASR writer errors. Use the nsr_render_log program to view the contents of the log file.
- recover.log: Contains the output generated by the NetWorker recover.exe program and error messages related to critical volume data recovery.
- winPE_wizard.log: Contains work flow information related to the NetWorker BMR wizard user interface.
- winpe_nw_support.raw: Contains output from the winpe_nw_support.dll library. The output provides information about communications between the NetWorker BMR wizard and the NetWorker server. Use the nsr_render_log program to view the contents of the log file.
- winpe_os_support.log: Contains output information related to Microsoft native API calls.

Component: Recovery Wizard
File name and default location: UNIX: /nsr/logs/recovery/recover_config_name_YYYYMMDDHHMMSS; Windows: C:\Program Files\EMC NetWorker\nsr\logs\recovery\recover_config_name_YYYYMMDDHHMMSS
Description: Contains information that can assist you in troubleshooting recovery failures. NetWorker creates a log file on the NetWorker server for each recover job.

Component: NMC server log files
File name and default location: AIX & Linux: /opt/lgtonmc/management/logs/gstd.raw; Solaris: /opt/LGTOnmc/management/logs/gstd.raw; Windows: C:\Program Files\EMC NetWorker\Management\logs\gstd.raw
Description: Contains information related to NMC server operations and management. Use the nsr_render_log program to view the contents of the log file.

Component: NMC server database conversion
File name and default location: Solaris: /opt/LGTOnmc/logs/gstdbupgrade.log; AIX and Linux: /opt/lgtonmc/logs/gstdbupgrade.log; Windows: C:\Program Files\EMC NetWorker\Management\logs\gstdbupgrade.log
Description: Contains the results of the NMC server database conversion performed during an upgrade of a 7.6.x and earlier NMC server.

Component: NMC web server
File name and default location: AIX & Linux: /opt/lgtonmc/management/logs/web_output; Solaris: /opt/LGTOnmc/management/logs/web_output; Windows: C:\Program Files\EMC NetWorker\Management\logs\web_output
Description: Contains messages for the embedded database server on the NMC server.

Component: NMC server database log files
File name and default location: AIX & Linux: /opt/lgtonmc/management/logs/db_output; Solaris: /opt/LGTOnmc/management/logs/web_output; Windows: C:\Program Files\EMC NetWorker\Management\logs\web_output
Description: Contains messages for the embedded Apache httpd web server on the NMC server.

Component: Client push log
File name and default location: UNIX: /nsr/logs/nsrcpd.raw; Windows: C:\Program Files\EMC NetWorker\logs\nsrcpd.raw
Description: Contains information related to the Client Push wizard and the nsrpush command. Use the nsr_render_log program to view the contents of the log file.

Component: Schedule group / savegroup logs
File name and default location: UNIX: /nsr/logs/sg/groupname; Windows: C:\Program Files\EMC NetWorker\logs\sg\groupname
Description: Contains completion information about a server-initiated backup. By default, the Savegroup completion and the Savegroup failure notifications on the NetWorker server send information to the log file.

Component: Rap log
File name and default location: UNIX: /nsr/logs/rap.log; Windows: C:\Program Files\EMC NetWorker\logs\rap.log
Description: Records configuration changes that are made to the NetWorker server resource database.

Component: Security Audit log
File name and default location: UNIX: /nsr/logs/NetWorker_server_sec_audit.raw; Windows: C:\Program Files\EMC NetWorker\logs\Networker_server_sec_audit.raw
Description: Contains security audit related messages.

Component: User log
File name and default location: C:\Program Files\EMC NetWorker\logs\networkr.raw
Description: For Windows only, contains a record of every file that was part of an attempted manual backup or recovery operation initiated by the NetWorker User program. Subsequent manual backup or recover operations overwrite the file. Use the nsr_render_log program to view the contents of the log file.

The EMC NetWorker Administration Guide describes how to configure log file notifications.

View log files

NetWorker sends messages to two types of logs: plain text log files saved with the .log extension and unrendered log files saved with the .raw extension.

The .log files and the messages that appear in NMC use the locale setting of the service that generates the log message. To view the contents of .log files, use any text editor. Before you can view .raw files in a text editor, render the .raw file into the locale of the local machine. You can manually render the raw log files or configure NetWorker to render the log files at runtime.

Rendering a raw file manually

The nsr_render_log program is non-interactive. When you use the nsr_render_log program to render the contents of the .raw file to the locale of the host where you run the command, nsr_render_log prints the output to stdout. You can redirect this output to a file and view the output in a text editor.

Before you begin

The bin subdirectory in the NetWorker installation directory contains the nsr_render_log program. If the bin directory is not in the search path of the host where you run the command, include the full path when you use the nsr_render_log program. If you do not run the nsr_render_log command from the directory that contains the .raw file, include the path to the .raw file.

The nsr_render_log program supports a number of options that allow you to filter the contents of a .raw file and render the contents into an easy to read format.


Procedure

l To render a raw file into a format similar to a .log file and redirect the output to a text file, type: nsr_render_log -c -meapthy raw_filename 1>output_filename 2>&1

where:

n raw_filename is the name of the unrendered file. For example, daemon.raw

n output_filename is the name of the file to direct the output to.

n -c suppresses the category

n -m suppresses the message ID

n -e suppresses the error number

n -a suppresses the activity ID

n -p suppresses the process ID

n -t suppresses the thread ID

n -h suppresses the hostname

n -y suppresses the message severity

l To render a .raw file from a remote machine, type: nsr_render_log -c -meapthy -R hostname raw_filename 1>output_filename 2>&1

where:

n hostname is the name of the host that contains the .raw file.

n raw_filename is the name of the unrendered file. For example, daemon.raw

n output_filename is the name of the file to direct the output to.

n -c suppresses the category

n -e suppresses the error number

n -m suppresses the message ID

n -p suppresses the process ID

n -a suppresses the activity ID

n -t suppresses the thread ID

n -h suppresses the hostname

n -y suppresses the message severity

l To render a .raw file and only view log file messages for a specific device, type: nsr_render_log -c -meapthy -F devicename raw_filename 1>output_filename 2>&1

where: devicename is the name of the device.

l To render only the most recently logged messages, type: nsr_render_log -c -meapthy -B number raw_filename 1>output_filename 2>&1

where: number is the number of lines that you want to render.


The EMC Command Reference Guide provides detailed information about the nsr_render_log program and the available options.

Rendering raw log files at runtime

You can instruct the NetWorker software to render the daemon.raw and gstd.raw files into the locale of the host at runtime, in addition to creating locale-independent log files. This allows you to view the log file in a text editor without using the nsr_render_log program to render the file first.

Before you begin

Log in to the NetWorker host with the root (UNIX) or administrator (Windows) user account.

To instruct the NetWorker software to render logs in the locale of the machine hosting the file, set the runtime rendered log file attribute in the NSRLA database. For backward compatibility with previous releases of the NetWorker software, runtime rendered log files contain the following attributes:

l Message ID

l Date and time of message

l Rendered message

Procedure

1. From a command prompt, use the nsradmin program to access the NSRLA database:

nsradmin -p nsrexec

2. Set the resource type to NSR log:

. type: NSR log

3. Display a list of all log file resources:

print

For example, on a Windows NMC server, output similar to the following appears:

nsradmin> print
type: NSR log;
administrator: Administrators, "group=Administrators,host=bu-iddnwserver.iddlab.local";
owner: NMC Log File;
maximum size MB: 2;
maximum versions: 10;
runtime rendered log: ;
runtime rollover by size: Disabled;
runtime rollover by time: ;
name: gstd.raw;
log path: \"C:\\Program Files\\EMC NetWorker\\Management\\GST\\logs\\gstd.raw";

type: NSR log;
administrator: Administrators, "group=Administrators,host=bu-iddnwserver.iddlab.local";
owner: NetWorker;
maximum size MB: 2;
maximum versions: 10;
runtime rendered log: ;
runtime rollover by size: Disabled;
runtime rollover by time: ;
name: daemon.raw;
log path: \"C:\\Program Files\\EMC NetWorker\\nsr\\logs\\daemon.raw";

4. Define the log resource that you want to edit:

. type: NSR log; name: log_file_name

For example, to select the daemon.raw file, type the following:

. type: NSR log; name: daemon.raw

5. Use the Runtime rendered log attribute to define the path and filename for the rendered log file.

For example, to save rendered messages to the file rendered.log in the default NetWorker logs directory on a Windows host, type:

update runtime rendered log: "C:\\Program Files\\EMC NetWorker\\nsr\\logs\\rendered.log"

6. When prompted to confirm the update, type: y

7. Verify that the attribute value update succeeds:

nsradmin> print

type: NSR log;
administrator: root, "user=administrator,host=bu-iddnwserver.iddlab.local";
owner: NetWorker;
maximum size MB: 2;
maximum versions: 10;
runtime rendered log: C:\\Program Files\\EMC NetWorker\\nsr\\logs\\daemon.log ;
runtime rollover by size: Disabled;
runtime rollover by time: ;
name: daemon.raw;
log path: C:\\Program Files\\EMC NetWorker\\Management\\GST\\logs\\daemon.raw;

8. Quit the nsradmin program.

Raw log file management

The NetWorker software manages the size and the rollover of the raw log files.

NetWorker automatically manages the nwsnap.raw and nsrcpd.raw files in the following ways:

l nwsnap.raw: Before a process writes messages to the nwsnap.raw file, the process checks the size of the .raw file. The process invokes the trimming mechanism when the size of the log file is 100 MB or larger. Snapshot management supports up to 10 .raw file versions.

l nsrcpd.raw: When the NetWorker daemons start on the machine, the startup process checks the size of the raw file. The startup process invokes the trimming mechanism when the size of the log file is 2 MB or larger. Client push supports 10 raw file versions.

NetWorker enables you to customize the maximum file size, maximum number of file versions, and the run time rollover of the daemon.raw, gstd.raw, networkr.raw, and Networker_server_sec_audit.raw files. Use the nsradmin program to access the NSRLA database, and modify the attributes that define how large the log file becomes before NetWorker trims or renames the log file.

The following table describes the resource attributes that manage the log file sizes.

Table 8 Raw log file attributes that manage log file size

Attribute: Maximum size MB

Defines the maximum size of the log files.

Default: 2 MB

Attribute: Maximum versions

Defines the maximum number of the saved log files.

When the number of copied log files reaches the maximum version value, NetWorker removes the oldest log when a new copy of the log file is created.

Default: 10

Attribute: Runtime rollover by size

When set, this attribute invokes an automatic hourly check of the log file size.

When you configure the runtime rendered log attribute, NetWorker trims the runtime rendered log file and the associated .raw file simultaneously.

Default: disabled

Attribute: Runtime rollover by time

When set, this attribute invokes an automatic trimming of the log file at the defined time, regardless of the size. The format of the variable is HH:MM (hour:minute).

When you configure the runtime rendered log attribute, NetWorker trims the runtime rendered log file and the associated .raw file simultaneously.

Default: undefined

How the trimming mechanism trims the log files differs depending on how you define the log file size management attributes. The following table summarizes the trimming behavior.

Table 9 Raw log file attributes that manage the log file trimming mechanism

Attribute configuration: When you configure runtime rollover by time or runtime rollover by size

Trimming behavior:

l NetWorker copies the contents of the existing log file to a new file with the naming convention: daemondate_time.raw

l NetWorker truncates the existing daemon.raw to 0 MB.

Note

When this mechanism starts on a NetWorker server that is under a heavy load, this process may take some time to complete.

Attribute configuration: When you do not configure runtime rollover by time or runtime rollover by size

Trimming behavior:

l NetWorker checks the log file size when the nsrexecd process starts on the computer.

l When the log file size exceeds the size defined by the maximum size MB attribute, NetWorker renames the existing log file to log_file_name_date_time.raw then creates a new empty log file.

Note

When the nsrd daemon or NetWorker Backup and Recover Server service runs for a long time, the size of the log file can become much larger than the value defined by maximum size MB.
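The following added example (a model written for this page, not NetWorker's own code) reproduces the two trimming behaviours of Table 9 together with the maximum versions rule of Table 8 on throwaway files, so that the retention a given maximum size MB / maximum versions pair yields can be tried out before the NSR log resource is changed. The rollover timestamp is passed in rather than read from the clock so that runs are reproducible, and the log files and their contents are constructed.

```shell
#!/bin/sh
# Added example, not NetWorker's own code: a model of the two trimming
# behaviours in Table 9 plus the "maximum versions" rule of Table 8.

# count_raw_log_versions LOG
# Prints how many rolled-over copies (<name>_<stamp>.raw) exist beside LOG.
count_raw_log_versions() {
    dir=$(dirname "$1"); base=$(basename "$1" .raw)
    ls "$dir" | grep -c "^${base}_.*\.raw\$" || true
}

# prune_raw_log_versions LOG MAX_VERSIONS
# Keep only the newest MAX_VERSIONS copies; stamps sort lexically by age,
# so the oldest copies are the first ones in sorted order.
prune_raw_log_versions() {
    dir=$(dirname "$1"); base=$(basename "$1" .raw)
    excess=$(( $(count_raw_log_versions "$1") - $2 ))
    if [ "$excess" -gt 0 ]; then
        ls "$dir" | grep "^${base}_.*\.raw\$" | sort | head -n "$excess" |
            while IFS= read -r old; do rm -f "$dir/$old"; done
    fi
}

# rollover_raw_log LOG MAX_VERSIONS STAMP
# Runtime rollover (by time or by size): copy LOG to <name>_<STAMP>.raw,
# truncate LOG to 0 bytes, then drop copies beyond MAX_VERSIONS.
rollover_raw_log() {
    dir=$(dirname "$1"); base=$(basename "$1" .raw)
    cp "$1" "$dir/${base}_$3.raw"
    : > "$1"
    prune_raw_log_versions "$1" "$2"
}

# startup_check_raw_log LOG MAX_MB MAX_VERSIONS STAMP
# No runtime rollover configured: at nsrexecd start, rename LOG to
# <name>_<STAMP>.raw and create a new empty LOG only when LOG exceeds MAX_MB.
# Returns 0 when a rollover happened, 1 when the file was left alone.
startup_check_raw_log() {
    dir=$(dirname "$1"); base=$(basename "$1" .raw)
    size=$(wc -c < "$1" | tr -d ' ')
    if [ "$size" -le $(( $2 * 1024 * 1024 )) ]; then
        return 1
    fi
    mv "$1" "$dir/${base}_$4.raw"
    : > "$1"
    prune_raw_log_versions "$1" "$3"
    return 0
}

# Constructed demonstration: maximum versions 3, one rollover per "day".
demo=$(mktemp -d)
log="$demo/daemon.raw"
i=0
while [ $i -lt 5 ]; do
    i=$((i + 1))
    printf 'constructed log line %d\n' "$i" >> "$log"
    rollover_raw_log "$log" 3 "2015010${i}_010000"
done
echo "copies kept after 5 rollovers: $(count_raw_log_versions "$log")"
ls "$demo"
rm -rf "$demo"
```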

Managing raw log file size for the daemon.raw, networkr.raw, and gstd.raw files

To configure the NetWorker software to rollover the .raw file by time, perform the following steps.

Procedure

1. Log in to the NetWorker host with root on UNIX or with administrator for Windows.

2. Use the nsradmin program to access the NSRLA database:

nsradmin -p nsrexec

3. Set the resource type to NSR log:

. type: NSR log

4. Display a list of all log file resources:

print

For example, on a Windows NMC server, output similar to the following appears:

nsradmin> print
type: NSR log;
administrator: Administrators, "group=Administrators,host=bu-iddnwserver.iddlab.local";
owner: NMC Log File;
maximum size MB: 2;
maximum versions: 10;
runtime rendered log: ;
runtime rollover by size: Disabled;
runtime rollover by time: ;
name: gstd.raw;
log path: \"C:\\Program Files\\EMC NetWorker\\Management\\GST\\logs\\gstd.raw";

type: NSR log;
administrator: Administrators, "group=Administrators,host=bu-iddnwserver.iddlab.local";
owner: NetWorker;
maximum size MB: 2;
maximum versions: 10;
runtime rendered log: ;
runtime rollover by size: Disabled;
runtime rollover by time: ;
name: daemon.raw;
log path: \"C:\\Program Files\\EMC NetWorker\\nsr\\logs\\daemon.raw";


5. Define the log resource that you want to edit:

. type: NSR log; name: log_file_name

For example, to select the gstd.raw file, type the following:

. type: NSR log; name: gstd.raw

6. Update the runtime rollover by time attribute with the time that you want to rollover the log file.

For example, to configure the gstd.raw file to rollover at 12:34 AM, type:

update runtime rollover by time: "00:34"

7. When prompted to confirm the update, type: y

8. Verify that the attribute value update succeeds:

nsradmin> print

type: NSR log;
administrator: root, "user=administrator,host=bu-iddnwserver.iddlab.local";
owner: NMC Log File;
maximum size MB: 2;
maximum versions: 10;
runtime rendered log: ;
runtime rollover by size: Disabled;
runtime rollover by time: "00:34";
name: gstd.raw;
log path: C:\\Program Files\\EMC NetWorker\\Management\\GST\\logs\\gstd.raw;

9. Quit the nsradmin program.
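As an added example that is not part of this guide, the following Python parses the attribute/value output that nsradmin print produces and flags NSR log resources that have neither runtime rollover by time nor runtime rollover by size set, which per Table 9 are trimmed only when nsrexecd starts. The sample output is constructed from the gstd.raw and daemon.raw resources shown in this procedure; the parser and audit function are my own, not a NetWorker API.

```python
"""Parse nsradmin 'print' output and audit NSR log resources for runtime rollover."""
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the gstd.raw and daemon.raw resources printed in
# this procedure (daemon.raw already has runtime rollover by time set to "00:34").
SAMPLE_OUTPUT = r'''nsradmin> print type: NSR log;
administrator: Administrators, "group=Administrators,host=bu-iddnwserver.iddlab.local";
owner: NMC Log File;
maximum size MB: 2;
maximum versions: 10;
runtime rendered log: ;
runtime rollover by size: Disabled;
runtime rollover by time: ;
name: gstd.raw;
log path: "C:\\Program Files\\EMC NetWorker\\Management\\GST\\logs\\gstd.raw";

type: NSR log;
administrator: Administrators, "group=Administrators,host=bu-iddnwserver.iddlab.local";
owner: NetWorker;
maximum size MB: 2;
maximum versions: 10;
runtime rendered log: ;
runtime rollover by size: Disabled;
runtime rollover by time: "00:34";
name: daemon.raw;
log path: "C:\\Program Files\\EMC NetWorker\\nsr\\logs\\daemon.raw";
'''

Resource = Dict[str, List[str]]


def _split_outside_quotes(text: str, sep: str) -> List[str]:
    """Split on sep, ignoring separators inside double-quoted values
    (quoted values carry commas, colons and backslash escapes)."""
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\" and in_quote:
            buf.append(ch)
            escaped = True
        elif ch == sep and not in_quote:
            parts.append("".join(buf))
            buf = []
        else:
            if ch == '"':
                in_quote = not in_quote
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def _unquote(value: str) -> str:
    value = value.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return value


def parse_nsradmin_output(text: str) -> List[Resource]:
    """One dict per resource (resources are separated by a blank line); every
    attribute maps to a list of values, because RAP attributes are lists."""
    text = re.sub(r"^\s*nsradmin>\s*print\s*", "", text)
    resources: List[Resource] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        res: Resource = {}
        for field in _split_outside_quotes(block.replace("\n", " "), ";"):
            if not field.strip():
                continue
            name, _, value = field.partition(":")
            values = [_unquote(v) for v in _split_outside_quotes(value, ",")]
            res[name.strip()] = [v for v in values if v]
        resources.append(res)
    return resources


def audit_log_rollover(resources: List[Resource]) -> List[Tuple[str, str]]:
    """Flag NSR log resources with no runtime rollover: per Table 9 such a file is
    only trimmed when nsrexecd starts and can grow far beyond maximum size MB."""
    findings = []
    for res in resources:
        if res.get("type") != ["NSR log"]:
            continue
        by_time = res.get("runtime rollover by time", [])
        by_size = res.get("runtime rollover by size", [])
        size_on = bool(by_size) and by_size[0].lower() != "disabled"
        if not (by_time or size_on):
            limit = res.get("maximum size MB", ["?"])[0]
            findings.append((res.get("name", ["?"])[0],
                             f"no runtime rollover; trimmed only at nsrexecd start "
                             f"(maximum size MB: {limit})"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_log_rollover(parse_nsradmin_output(SAMPLE_OUTPUT)):
        print(f"{name}: {finding}")
```

Run the script on a host with the output of nsradmin -p nsrexec saved to a file to list the .raw files whose growth depends on a restart of nsrexecd.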

Monitoring changes to the NetWorker server resources

The Monitor RAP (resource allocation protocol) attribute in the NSR resource enables you to track configuration modifications to the NetWorker server resources and attributes. The NetWorker server records these changes in the rap.log file, located in the NetWorker_install_dir\logs directory. Each entry in the rap.log file consists of the user action, the name of the user that performed the action, the name of the source computer, and the time of the change. NetWorker logs sufficient information in the rap.log file to enable an administrator to undo any changes. The Monitor RAP attribute is enabled by default. To disable the attribute setting, perform the following steps.

Before you begin

Use NMC to connect to the NetWorker server with a user that is a member of the Application Administrators or Database Administrators user group.

Note

In NetWorker 8.0 and later, the Security Audit Log feature provides the NetWorker server and the NMC server with the ability to log specific security audit events related to their operations.

Procedure

1. From the Administration window, select Configuration.

2. From the View menu, select Diagnostic mode.


3. Right-click the NetWorker server name in the left navigation pane and select Properties.

4. On the Setup tab, select the Disabled button for the Monitor RAP attribute.

Configuring logging levels

This section describes how to modify the logging levels of the NetWorker and NMC processes to troubleshoot issues.

Setting the debug level for NetWorker daemons

How you configure the NetWorker daemons to run in debug mode depends on the daemon.

On a NetWorker server, you can configure the nsrd and nsrexecd to start in debug mode. The nsrd daemon starts other daemons, as required. To capture debug output for the daemons that the nsrd daemon starts, use the dbgcommand program.

On an NMC server, you can start the gstd daemon in debug mode.

Starting nsrd and nsrexecd daemons in debug mode on UNIX

The nsrd daemon is the main process for the NetWorker server. To debug problems with the NetWorker server process, start the nsrd process in debug mode. The nsrexecd process is the main process for NetWorker client functions. To debug problems related to NetWorker client functions, start the nsrexecd process in debug mode.

Procedure

1. Log in to the NetWorker host with the root account and stop the NetWorker processes:

nsr_shutdown

2. Start the daemon from a command prompt and specify the debug level.

For example:

- To start the nsrexecd daemon in debug mode, type: nsrexecd -D9 1>filename 2>&1

- To start the nsrd daemon in debug mode, type: nsrd -D9 1>filename 2>&1

where filename is the name of the text file that NetWorker uses to store the debug messages.

3. After you collect the necessary debug information, perform the following steps:

a. Stop the NetWorker processes by using the nsr_shutdown command.

b. Restart the processes by using the NetWorker startup script:

- On Solaris and Linux, type: /etc/init.d/networker start
- On HP-UX, type: /sbin/init.d/networker start
- On AIX, type: /etc/rc.nsr

Starting the NetWorker daemons in debug mode on Windows

The NetWorker Backup and Recovery service starts the nsrd process, which is the main process for a NetWorker server. To debug problems with the NetWorker server process, start the nsrd process in debug mode. The NetWorker Remote Exec service starts the nsrexecd process, which is the main process for NetWorker client functions. To debug problems related to NetWorker client functions, start the nsrexecd process in debug mode.

Procedure

1. Open the Services applet, services.msc.

2. Stop the NetWorker Remote Exec service.

On a NetWorker server this also stops the NetWorker Backup and Recover service.

3. To put a nsrexecd process in debug mode:

a. Right-click the NetWorker Remote Exec service and select Properties.

b. In the Startup Parameters field, type -D x

where x is a number between 1 and 99.

c. Click the Start button.

4. To put the nsrd process in debug mode:

a. Right-click the NetWorker Backup and Recover service and select Properties.

b. In the Startup Parameters field, type -D x

where x is a number between 1 and 99.

c. Click the Start button.

Results

NetWorker stores the debug information in the daemon.raw file.

After you finish

After you capture the debug information, stop the NetWorker services, remove the -D parameter, and then restart the services.

Starting the NMC server daemon in debug mode

When you can access the NMC GUI, use the Debug Level attribute in the System Options window to start the gstd daemon in debug mode.

When you cannot access the NMC GUI, use environment variables to start the gstd daemon in debug mode.

Starting the NMC server daemon in debug mode by using NMC

The gstd daemon is the main NMC server process. To troubleshoot NMC GUI issues, startthe gstd daemon in debug mode.

Before you begin

Log in to the NMC server with an administrator account.

Procedure

1. In the NMC Console, select Setup.

2. On the Setup menu, select System Options.

3. In the Debug Level field, select a number between 1 and 20.

Results

NMC stores the debug information in the gstd.raw file.


After you finish

After you capture the debug information, stop the NetWorker services, set the Debug Level to 0, and then restart the services.

Starting the NMC server daemon in debug mode by using environment variables

Use environment variables to put the gstd daemon in debug mode when you cannot access the NMC GUI.

Setting the GST debug environment variable on Windows

To set the GST debug environment variable on Windows, use the Control Panel system applet on the NMC server.

Procedure

1. Browse to Control Panel > System and Security > System > Advanced Settings.

2. On the General tab, click Environment Variables.

3. In the System variables section, click New.

4. In the Variable name field, type: GST_DEBUG

5. In the Variable value field, type a number between 1 and 20.

6. Stop and start the EMC gstd service.

Results

NMC stores the debug information in the gstd.raw file.

After you finish

After you capture the debug information, stop the EMC gstd service, remove the environment variable, and then restart the EMC gstd service.

Setting the GST debug environment variable on UNIX

Use the Bourne shell startup script to put the gstd daemon in debug mode.

Procedure

1. Modify the file permissions for the gst startup file. By default, the file is a read-only file.

The file location varies depending on the operating system:

- Solaris and Linux: /etc/init.d/gst
- AIX: /etc/rc.gst

2. Edit the file and specify the following at beginning of the file:

GST_DEBUG=x

export GST_DEBUG

where x is a number between 1 and 20.

3. Stop and restart the gstd daemon:

- Solaris and Linux: Type: /etc/init.d/gst stop then /etc/init.d/gst start

- AIX: Type: /etc/rc.gst start then /etc/rc.gst stop

Results

NMC stores the debug information in the gstd.raw file.


After you finish

After you capture the debug information, stop the gstd daemon, remove the environment variable from the startup file, and then restart the gstd daemon.

Using the dbgcommand program to put a NetWorker process in debug mode

Use the dbgcommand program to generate debug messages for NetWorker daemons and processes without stopping and starting the NetWorker daemons. You can also use the dbgcommand program to produce debug information for a process that another process starts. For example, use dbgcommand to put the nsrmmd process in debug mode.

Procedure

1. From a command prompt on the NetWorker host, determine the process id (PID) of the daemon or process that you want to debug.

- On Windows: Use the Task Manager to determine the PID.

Note

If you do not see the PID for each process on the Process tab, navigate to View > Select Columns, and then select PID (Process Identifier).

- On UNIX, use the ps command. For example, type ps -ef | grep nsr to get a list of all of the NetWorker processes that start with nsr.

2. From a command prompt, type:

dbgcommand -p PID -Debug x

where:

- PID is the process id of the process.

- x is a number between 0 and 9.

Note

0 turns off debugging.

Results

NetWorker logs the process debug information in the daemon.raw file.

After you finish

To turn off debugging, type:

dbgcommand -p PID -Debug=0


Run scheduled backups in debug mode

You can configure NetWorker to log verbose output for all of the client backups in a scheduled group. You can also configure individual clients in a scheduled group to run in debug mode.

Running all client backups in a group in verbose mode

Modify the properties of a Group resource to send verbose backup information to the daemon.raw file, for all clients in a group.

Before you begin

Use NMC to connect to the NetWorker server with a user that is a member of the Application Administrators or Database Administrators user group.

Procedure

1. On the Administration window, click Configuration.

2. Click Groups in the left navigation pane.

3. Right click the group and select Properties.

4. On the Advanced tab, in the Options section, select Verbose.

5. Click Ok.

Results

At the scheduled time, NetWorker logs debug information for each backup in the daemon.raw file.

After you finish

When the group backup operations complete, edit the properties of the group and clear the Verbose option.

Running individual clients in a group in debug mode

Modify the backup command attribute for a Client resource to send verbose backup information to the daemon.raw file, for individual clients in a group.

Before you begin

Use NMC to connect to the NetWorker server with a user that is a member of the Application Administrators or Database Administrators user group.

Procedure

1. From the Administration window, click Configuration.

2. Click Clients in the left navigation pane.

3. Right click the client and select Modify Client Properties.

4. On the Apps & Modules tab, in the Backup command attribute, type:

save -Dx

where x is a number between 1 and 99.

5. Click OK.

Results

At the scheduled time, NetWorker logs debug information for the client backup in the daemon.raw file.


After you finish

When the group backup operations complete, edit the properties of the client and clear the Backup Command field.

Running group backups manually in debug mode from command line

Use the savegrp command to manually run group backups from a command line in debug mode and send the output to a log file.

Procedure

1. From a command prompt on the NetWorker server, type:

savegrp -Dx groupname 1>filename 2>&1

where:

- x is a number between 1 and 99.

- groupname is the name of the backup group.

- filename is the name of the file that stores the debug information.

Running client-initiated backups in debug mode from command line

Use the save program to perform a client-initiated backup from the command line.

On the host you want to back up, type the following command:

save -Dx file_system_objects 1>filename 2>&1

where:

- x is a number between 1 and 99.

- file_system_objects is the name of the files or directory to back up.

- filename is the name of the file that stores the debug information.

Note

The NetWorker Command Reference Guide provides detailed information about all of the available backup options and how to use the save command.

Run Recoveries in debug mode

You can configure NetWorker to log verbose output for recoveries when you use the Recovery Wizard, perform Windows disaster recoveries, and use the recover command.

Run Recovery Wizard recover jobs in debug mode

You can run recover jobs that you created in the Recovery Wizard by using the Recovery Wizard or by using the nsrtask program from the command line.

Running a recovery job in debug mode

To send verbose recovery information to the recovery log file, set the debug level of a recovery job.

Before you begin

Use NMC to connect to the NetWorker server with a user that is a member of the Application Administrators or Database Administrators user group.


Procedure

1. On the Administration window, click Recover.

2. On the Select the Recovery Options window, select Advanced Options.

- To modify a scheduled recover job, select the job in the Configured Recovers section and then select Properties.

- To configure a new recover job, select New.

Note

You cannot modify an expired or failed recover job.

3. On the Select Recovery Options window, in the Debug level attribute, select the debug level.

4. Complete the remaining steps in the Recovery Wizard.

Results

NetWorker logs the debug recovery information to the recover log file.

Running a recovery job in debug mode by using nsrtask

Use the nsrtask command to run a recovery job created by the Recovery Wizard, from a command prompt.

Procedure

1. On the NetWorker server, type: nsradmin.

2. From the nsradmin prompt:

a. Set the resource attribute to the Recover resource:

. type: nsr recover

b. Display the attributes for the Recover resource that you want to troubleshoot:

print name: recover_resource_name

where recover_resource_name is the name of the Recover resource.

c. Make note of the values in the recover, recovery options, and recover stdin attributes. For example:

recover command: recover;
recover options: -a -s nw_server.emc.com -c mnd.emc.com -I - -i R;
recover stdin: "<xml><browsetime>May 30, 2013 4:49:57 PM GMT -0400</browsetime><recoverpath>C:</recoverpath></xml>";

where:

- nw_server.emc.com is the name of the NetWorker server.

- mnd.emc.com is the name of the source NetWorker client.


3. Confirm that the nsrd process can schedule the recover job:

a. Update the Recover resource to start the recover job:

update: name: recover_resource_name; start time: now

where recover_resource_name is the name of the Recover resource.

b. Quit the nsradmin application

c. Confirm that the nsrtask process starts.

If the nsrtask process does not start, then review the daemon.raw file on the NetWorker server for errors.

4. To confirm that the NetWorker server can run the recover command on the remote host, type the following command on the NetWorker server:

nsrtask -D3 -t 'NSR Recover' recover_resource_name

where recover_resource_name is the name of the Recover resource.

5. When the nsrtask command completes, review the nsrtask output for errors.

6. To confirm that the Recovery UI sends the correct recovery arguments to the recover process:

a. Open a command prompt on the destination client.

b. Run the recover command with the recover options that the Recover resource uses.

For example:

recover -a -s nw_server.emc.com -c mnd.emc.com -I - -i R

c. At the Recover prompt, specify the value in the recover stdin attribute. Do not include the enclosing quotation marks or the trailing ";" that appear with the recover stdin attribute.

If the recover command appears to hang, then review the daemon.raw file for errors.

d. When the recover command completes, review the recover output for errors. If the recover command fails, then review the values specified in the Recover resource for errors.

7. Use the jobquery command to review the details of the Recover job. From a command prompt on the NetWorker server, type: jobquery

8. From the jobquery prompt, perform one of the following steps:

- Set the query to the Recovery resource and display the results of all recovery jobs for a Recovery resource:

print name: recover_resource_name

where recover_resource_name is the name of the Recover resource.

- Set the query to a particular jobid and display the results of the job.

print job id: jobid

Where jobid is the jobid of the Recover job that you want to review.


Note

Review the daemon.raw file on the NetWorker server to obtain the jobid for the recovery operation.

Running Windows BMR recoveries in debug mode

Use the WinPE registry to debug recoveries performed with the BMR Recovery Wizard.

Procedure

1. From a command prompt, type: regedit

2. In the Registry Editor, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Prefs\com\networker\win/P/E/Wizard

3. Change the Data value in the debug_mode attribute from 0 to 1.

4. Start the BMR Recovery Wizard.

Results

The Wizard logs the debug information in the X:\Program Files\EMC NetWorker\nsr\logs\WinPE_Wizard.log file.

After you collect the debug information, to turn off debug mode, modify the data value for the debug_mode attribute from 1 to 0.

Running client-initiated recoveries in debug mode from command line

Use the recover program with the -D option to perform a client-initiated recovery from the command line.

For example, on the host you want to recover the data to, type the following command:

recover -Dx file_system_objects 1>filename 2>&1


where:

- x is a number between 1 and 99.

- file_system_objects is the name of the files or directory to recover.

- filename is the name of the file that stores the debug information.

Note

The NetWorker Command Reference Guide provides detailed information about all of the available recovery options and how to use the recover command.


CHAPTER 4

Communication Security Settings

This chapter describes how to ensure NetWorker uses secure channels for communication and how to configure NetWorker in a firewall environment.

- Port usage and firewall support ... 94
- Special considerations for firewall environments ... 94
- Determining service port requirements ... 97
- Configuring service port ranges in NetWorker ... 101
- Configuring the service ports on the firewall ... 104
- Determining service port requirement examples ... 107
- Troubleshooting ... 112


Port usage and firewall support

NetWorker uses a direct socket connection to communicate and move data across the network to the required service with minimal overhead. While NetWorker opens some ports for TCP and UDP, NetWorker only requires TCP ports. UDP ports are optional. NetWorker uses two types of ports, service ports and connection ports.

Service ports

The TCP server processes that run on each NetWorker host use service ports to listen for inbound connections. Service ports are also known as listener ports or destination ports.

NetWorker uses two types of service ports:

- Fixed ports—NetWorker uses two fixed ports: TCP/7937 and TCP/7938. You must include these ports in the service port range of each NetWorker host. NetWorker uses these ports to initiate connections.

- Variable ports—NetWorker dynamically opens ports. A NetWorker host can allocate any port in the defined service port range and the NetWorker daemons select the dynamic ports within that range randomly. The default range is 7937-9936 and you can narrow or expand this range.

To increase security in the environment, reduce the variable ports range to specify only the minimum number of service ports that the NetWorker software requires. The minimum value depends on the installation type and the number of hosted NetWorker devices. NetWorker stores the service port range for a host in the NSR Local Agent (NSRLA) resource in the NetWorker client database (nsrexec).

Connection ports

NetWorker processes use connection ports to connect to a service. The NetWorker software requires one connection port for any type of communication between the client, storage node, and server. Connection ports are also known as communication ports, source ports, or outbound ports.

NetWorker uses a default range, 0-0, to indicate that the NetWorker software allows the operating system to select the port for TCP clients. The operating system reserves connection ports for short-term use and reuses the ports as needed. The operating system might allow you to configure the dynamic port range, for example, by using the netsh program on Windows. NetWorker does not require modifications to this range and EMC recommends that you use the default dynamic port range.

The use of the default port range does not cause security concerns. EMC recommends that you do not change the range for any NetWorker hosts in the data zone. NetWorker performance problems or random malfunctions can occur when the range is too narrow.

Special considerations for firewall environments

You can configure some firewall products to close an open connection that is inactive for a defined period of time. NetWorker uses persistent connections between daemons to transfer information as efficiently as possible.

Connections open at the start of communication, and close when the communication finishes. For example, a running backup may have connections open with the following daemons:


- nsrmmd, to send the backup data.

- nsrindexd, to send the client file index information.

- nsrjobd, to send control and status information.

NetWorker connections between hosts can remain idle for periods of time that exceed the idle timeout value on the firewall, and as a result, the firewall ends the connection. For example, the status connection to nsrjobd is frequently idle during a backup. When there are no error messages to report, the connection will not have traffic until the backup completes and NetWorker generates the success message.

To prevent the firewall from closing a NetWorker connection prematurely, configure the firewall to not close idle connections. If you cannot eliminate the firewall timeout, then configure the data zone to send a keep alive signal between the hosts at an interval that is shorter than the timeout period defined on the firewall. Configure the keep alive signal at the operating system level.

When you configure TCP keep alives within NetWorker, NetWorker does not send a keep alive signal across some connections, for example, between the save and nsrmmd processes. EMC recommends that you configure TCP keep alive signals at the operating system level to ensure all connections do not close prematurely. EMC does not recommend reducing the TIME_WAIT and CLOSE_WAIT intervals on a host to reduce the demand for connection or service ports. When the intervals are too low, the port for a process might close while NetWorker is resending data packets to the process. In some situations, a new instance of a process connects to the port and incorrectly receives the data packet. This might corrupt the new process.

Configuring TCP keep alives at the operating system level

You can change the TCP KeepAlive parameters temporarily on UNIX or permanently on UNIX and Windows operating systems. Restart all NetWorker services after you change the TCP KeepAlive parameters.

Firewall configurations commonly define a one hour idle timeout. EMC recommends that you set the Wait Time Before Probing and Interval Between Retry Probes parameters to 57 minutes. The exact value you use to define these parameters depends on what unit of measure the operating system uses.

For example:

57 min = 3420 seconds = 6840 half seconds = 3420000 milliseconds

Note

If the firewall time out is shorter than the common one hour value, further decrease these values. The network overhead as a result of enabling TCP KeepAlive is minimal.

The following table summarizes the Wait Time Before Probing and Interval Between Retry Probes parameters for each operating system.

Table 10 Setting TCP parameters for each operating system

Operating system: AIX
  Temporary setting:
    # no -o tcp_keepidle=6840
    # no -o tcp_keepintvl=6840
    where the TCP parameter value is defined in half-seconds.
  Permanent setting: /etc/rc.net

Operating system: HP-UX
  Temporary setting:
    # ndd -set /dev/tcp tcp_time_wait_interval 3420000
    # ndd -set /dev/tcp tcp_keepalive_interval 3420000
    where the TCP parameter value is defined in milliseconds.
  Permanent setting: /etc/rc.config.d/nddconf

Operating system: Linux
  Temporary setting:
    # sysctl -w net.ipv4.tcp_keepalive_time=3420
    # sysctl -w net.ipv4.tcp_keepalive_intvl=3420
    where the TCP parameter value is defined in seconds.
  Permanent setting: Add the net.ipv4.tcp_parameter=tcp_value commands to the /etc/sysctl.conf file, then issue the following command:
    RHEL: chkconfig sysctl on
    SLES: chkconfig boot.sysctl on

Operating system: Solaris
  Temporary setting:
    # ndd -set /dev/tcp tcp_time_wait_interval 3420000
    # ndd -set /dev/tcp tcp_keepalive_interval 3420000
    where the TCP parameter value is defined in milliseconds.
  Permanent setting: Add the ndd commands to the /etc/rc2.d/S69inet file.

Operating system: Windows
  Temporary setting: n/a
  Permanent setting: Modify the following registry keys:
    HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime DWORD=3420000
    HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveInterval DWORD=3420000
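As an added example that is not part of this guide, the following Python converts the keep alive recommendation into the unit each operating system in Table 10 expects and checks a Linux host's current kernel values against the firewall idle timeout. The 3-minute margin that turns a one-hour timeout into the guide's 57-minute value is my assumption, as is the read from /proc/sys; the conversion factors are those stated in the table.

```python
"""TCP keep-alive values per operating system (Table 10) and a check for Linux hosts."""
from typing import Dict, List, Optional, Tuple

# Unit each operating system uses for Wait Time Before Probing and Interval
# Between Retry Probes, with the multiplier from seconds into that unit.
PARAMETER_UNITS: Dict[str, Tuple[str, int]] = {
    "AIX": ("half-seconds", 2),          # no -o tcp_keepidle / tcp_keepintvl
    "HP-UX": ("milliseconds", 1000),     # ndd -set /dev/tcp ...
    "Linux": ("seconds", 1),             # sysctl net.ipv4.tcp_keepalive_time / _intvl
    "Solaris": ("milliseconds", 1000),   # ndd -set /dev/tcp ...
    "Windows": ("milliseconds", 1000),   # KeepAliveTime / KeepAliveInterval DWORDs
}


def keepalive_values(firewall_idle_timeout_min: int, margin_min: int = 3) -> Dict[str, int]:
    """Value to set on each operating system so that probes go out margin_min minutes
    before the firewall idle timeout. The 3-minute margin is an assumption that
    reproduces the guide's recommendation of 57 minutes for a one-hour timeout."""
    if firewall_idle_timeout_min <= margin_min:
        raise ValueError("firewall idle timeout is too short for the requested margin")
    seconds = (firewall_idle_timeout_min - margin_min) * 60
    return {os_name: seconds * mult for os_name, (_, mult) in PARAMETER_UNITS.items()}


def check_linux_keepalive(keepalive_time_s: int, keepalive_intvl_s: int,
                          firewall_idle_timeout_s: int) -> List[str]:
    """Both the idle wait before the first probe and the interval between probes must
    be shorter than the firewall idle timeout, or an idle NetWorker connection
    (for example the status connection to nsrjobd) is dropped mid-backup."""
    findings = []
    if keepalive_time_s >= firewall_idle_timeout_s:
        findings.append(f"net.ipv4.tcp_keepalive_time={keepalive_time_s}s is not below "
                        f"the firewall idle timeout of {firewall_idle_timeout_s}s")
    if keepalive_intvl_s >= firewall_idle_timeout_s:
        findings.append(f"net.ipv4.tcp_keepalive_intvl={keepalive_intvl_s}s is not below "
                        f"the firewall idle timeout of {firewall_idle_timeout_s}s")
    return findings


def read_linux_keepalive() -> Optional[Tuple[int, int]]:
    """Current kernel values, or None when /proc/sys is not available (non-Linux host)."""
    base = "/proc/sys/net/ipv4/"
    try:
        with open(base + "tcp_keepalive_time") as t, open(base + "tcp_keepalive_intvl") as i:
            return int(t.read()), int(i.read())
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    timeout_min = 60  # the common one-hour firewall idle timeout
    for os_name, value in keepalive_values(timeout_min).items():
        print(f"{os_name}: set both parameters to {value} {PARAMETER_UNITS[os_name][0]}")
    current = read_linux_keepalive()
    if current is not None:
        problems = check_linux_keepalive(current[0], current[1], timeout_min * 60)
        print("\n".join(problems) or "Linux keep-alive settings are below the firewall timeout")
```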


Determining service port requirements

Before you modify the service port range on the NetWorker host or on a firewall, determine the minimum number of required service ports for the NetWorker host.

The number of ports that the NetWorker software daemons and processes require for communication depends on the NetWorker installation type. This section describes how to calculate the minimum number of service ports required for each NetWorker installation type (Client, Storage Node, Server or NMC Server) and how to view or update the service port range value.

When the data zone uses an external firewall, you must open the service port range in the firewall for TCP connections. Some operating systems enable personal firewall software on a host by default. For example, Windows 7 enables Windows Firewall and RedHat Linux 6 enables iptables. The NetWorker installation process on Windows adds firewall rules to the Windows firewall for NetWorker. The NetWorker installation process on UNIX does not add firewall rules to a personal firewall. When you use personal firewall software on a UNIX host, you must manually create the firewall rules for the NetWorker software.

When the NetWorker software interacts with other applications in the environment, for example, a Data Domain appliance, you must define additional service ports on a firewall.

NetWorker client service port requirements

This section describes the port requirements for standard, NDMP, and Snapshot clients.

Service port requirements for a standard NetWorker client

A standard NetWorker client requires a minimum of 4 TCP service ports to communicate with the NetWorker server. Snapshot services require two additional ports.

The following table summarizes the TCP service port requirements and the RPC program number for each program on a NetWorker client.

Table 11 Standard NetWorker Client port requirements to NetWorker server

RPC program number   Port number                                    Daemon/program
TCP/390113           TCP/7937                                       nsrexecd/nsrexec
TCP/390113           TCP/7938                                       nsrexecd/portmap
TCP/390435           Dynamic TCP port from the service port range   nsrexecd/res_minor
TCP/390436           Dynamic TCP port from the service port range   nsrexecd/gss_auth

Service port requirements for an NDMP client

An NDMP client that sends data to an NDMP device requires access to TCP ports through the firewall only.

The service port range in the NSRLA database on the host does not require modifications.


Service port requirements for Snapshot clients

When you configure a snapshot backup, each Snapshot client requires 2 TCP ports for the PowerSnap service, in addition to the 4 standard client ports.

The following table summarizes the two additional ports that a Snapshot client requires.

Table 12 Additional service port requirements for Snapshot clients

RPC program number               Port number                                    Daemon/program
TCP/390408 (Snapshot services)   Dynamic TCP port from the service port range   nsrpsd
TCP/390409 (Snapshot services)   Dynamic TCP port from the service port range   nsrpsd/nsrsnapckd

Service port requirements for NetWorker storage nodes

When you calculate the service port requirements for a storage node, only consider the devices that the storage node manages. To accommodate growth in the environment and the addition of new devices, EMC recommends that you allocate extra service ports for the NetWorker storage node. The minimum number of service ports that a storage node requires is 5. This number includes the four TCP service ports required for a NetWorker client and one service port for the storage management process, nsrsnmd. NetWorker requires additional ports and the amount differs for each device type used.

Use the following formulas to calculate storage node port requirements:

l For NDMP-DSA or SnapImage devices: 5 + #backup_streamsl For tape devices: 5+ #devices + #tape_librariesl AFTD or Data Domain Boost devices: 5 + #nsrmmdswhere:

l #devices is the number of devices connected to the storage node.

l #tape_libraries is the number of jukeboxes that the storage node accesses. Thestorage node has one nsrlcpd process for each jukebox.

l #nsrmmdsis the sum of the Max nsrmmd count attribute value of each device that theNetWorker storage node manages.

The following table summarizes the port requirements specific to the storage node programs.

Table 13 Service port requirements for storage nodes

RPC program number | Port number                                                                                  | Daemon/program
TCP/390111         | Dynamic TCP port from the service port range.                                                | nsrsnmd
TCP/390429         | Dynamic TCP port from the service port range.                                                | nsrlcpd
TCP/390104         | Dynamic TCP port from the service port range. Total port number depends on device type.      | nsrmmd


Note

In enterprise environments that require the restriction of unattended firewall ports for security reasons, configure the storage node attributes mmds for disabled devices and Dynamic nsrmmds unselected (static mode) to prevent a listener from starting on an inactive nsrmmd port. The NetWorker Administration Guide provides more information.

Service port requirements for the NetWorker server

The NetWorker server requires a minimum of 15 service ports.

Additional ports are required when the NetWorker server manages devices. Additional port requirements differ for each device type used.

Use the following calculation to determine the service port range:

- For NDMP-DSA or SnapImage devices: 14 + #backup_streams
- For tape devices: 14 + #devices + #tape_libraries
- For AFTD or Data Domain Boost devices: 14 + #nsrmmds

where:

- #devices is the number of devices connected to the NetWorker server.
- #tape_libraries is the number of jukeboxes that the NetWorker server accesses. The server has one nsrlcpd process for each jukebox.
- #nsrmmds is the sum of the Max nsrmmd count attribute value of each device that the NetWorker server manages.

To accommodate growth in the environment and the addition of new devices, allocate extra service ports for the NetWorker server.

Note

The Software Configuration Wizard requires one service port. The port is dynamic and closes when the wizard closes. If you use the Software Configuration Wizard, add one additional port to the service port range.
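The client, storage node and server formulas above, turned into a small calculator. This is an added example written for this page, not EMC code: it applies the counting rules as stated (4 ports for a client, 5 plus a per-device term for a storage node, 14 plus a per-device term for the server with the stated floor of 15, plus one port for the Software Configuration Wizard) and turns the count into a contiguous range that satisfies the rules of the next section (the range must contain 7937 and 7938 and should stay inside 7937-9936). One assumption is mine: a host that manages a mix of device types is charged the sum of the per-type terms, which the guide does not state.

```python
"""Service port calculator for NetWorker 8.2 SP1 hosts (added example, not EMC code)."""
from dataclasses import dataclass

RESERVED = (7937, 7938)     # fixed nsrexecd ports; every service port range must contain them
RECOMMENDED = (7937, 9936)  # EMC-recommended block to pick ports from


@dataclass
class Device:
    kind: str            # "ndmp" (NDMP-DSA / SnapImage), "tape", or "aftd" (AFTD and DD Boost)
    streams: int = 0     # NDMP-DSA / SnapImage: number of backup streams
    max_nsrmmd: int = 0  # AFTD / DD Boost: the device's 'Max nsrmmd count' attribute


def device_ports(devices, libraries=0):
    """Per-device term of the formulas: #backup_streams, #devices + #tape_libraries,
    and #nsrmmds. Mixed device types are summed (my assumption, not in the guide)."""
    ndmp = sum(d.streams for d in devices if d.kind == "ndmp")
    tape = sum(1 for d in devices if d.kind == "tape")
    aftd = sum(d.max_nsrmmd for d in devices if d.kind == "aftd")
    return ndmp + tape + libraries + aftd        # one nsrlcpd per jukebox


def client_ports():
    return 4                                     # 7937, 7938 + two dynamic ports


def storage_node_ports(devices, libraries=0):
    return 5 + device_ports(devices, libraries)  # 4 client ports + nsrsnmd


def server_ports(devices, libraries=0, config_wizard=False):
    n = 14 + device_ports(devices, libraries)
    if config_wizard:
        n += 1                                   # dynamic port held while the wizard runs
    return max(n, 15)                            # the guide states a minimum of 15


def valid_service_port_range(count, start=7937, growth=0):
    """True when 'start .. start+count+growth-1' contains 7937/7938 and stays in 7937-9936."""
    hi = start + count + growth - 1
    if start > RESERVED[0] or hi < RESERVED[1]:
        return False
    return RECOMMENDED[0] <= start and hi <= RECOMMENDED[1]


def service_port_range(count, start=7937, growth=0):
    """'lo-hi' string for the Service ports attribute; `growth` adds spare ports
    for devices added later, as the guide recommends."""
    if not valid_service_port_range(count, start, growth):
        raise ValueError("range must contain 7937 and 7938 and stay inside 7937-9936")
    return f"{start}-{start + count + growth - 1}"


if __name__ == "__main__":
    # NetWorker server with one tape library and six drives (the Figure 10 example)
    drives = [Device("tape")] * 6
    print(server_ports(drives, libraries=1))                    # 21
    print(service_port_range(server_ports(drives, libraries=1)))  # 7937-7957
    # storage node with two Data Domain devices, Max nsrmmd count 4 each
    dd = [Device("aftd", max_nsrmmd=4)] * 2
    print(storage_node_ports(dd), service_port_range(storage_node_ports(dd)))  # 13 7937-7949
```

The two printed cases reproduce the worked examples later in this chapter (21 ports for the server, 13 for the storage node); pass growth= to reserve room for new devices so the firewall rules do not have to change when a device is added.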

The following table summarizes the port requirements specific to the server programs.

Table 14 NetWorker server program port requirements

RPC program number | Port number                                  | Daemon/program
TCP/390103         | Dynamic TCP port from the service port range | nsrd
TCP/390109         | User-defined UDP port (see note)             | nsrd/nsrstat
TCP/390105         | Dynamic TCP port from the service port range | nsrindexd
TCP/390107         | Dynamic TCP port from the service port range | nsrmmdbd
TCP/390437         | Dynamic TCP port from the service port range | nsrcpd
TCP/390433         | Dynamic TCP port from the service port range | nsrjobd/jobs
TCP/390439         | Dynamic TCP port from the service port range | nsrjobd/rap
TCP/390438         | Dynamic TCP port from the service port range | nsrlogd
TCP/390430         | Dynamic TCP port from the service port range | nsrmmgd

Note

The nsrd/nsrstat UDP port is optional. NetWorker uses this port for internal communications, for example automatic discovery and initial ping (is alive) checks of the NetWorker server. Backup and recovery operations do not use this port. NetWorker does not require this port through an external firewall.

Note

If you restrict unattended firewall ports for security reasons, then use the storage node attributes mmds for disabled devices and Dynamic nsrmmds unselected (static mode) to prevent a listener from starting on an inactive nsrmmd port.

Service port requirements for NMC server

The minimum service port range for the NMC server to communicate with the NetWorker server is the same as for a standard NetWorker client.

The NMC server also requires two TCP service ports to communicate with each NetWorker client. The following table summarizes the TCP service port requirements and the RPC program number for each program on the NMC server.


Table 15 Port requirements from the NMC server to each NetWorker client

RPC program number | Port number | Daemon/program
TCP/390113         | TCP/7937    | nsrexecd/nsrexec
TCP/390113         | TCP/7938    | nsrexecd/portmap

Configuring service port ranges in NetWorker

After you determine the service port requirements for a NetWorker host, you must confirm which port numbers are available between each host, and then configure the port range on each NetWorker host and on the firewall.

Determine the available port numbers

Before you define ports in the Service ports attribute for a NetWorker host, determine the current service port allocations for the host by using the netstat -a command.

After you determine which ports are available, you can decide which ports to allocate for NetWorker host communications. Before you select the ports, consider the following information:

- The service port range for each NetWorker host must contain ports 7937 and 7938. The nsrexecd daemon reserves these ports and you cannot change the port numbers.

- EMC recommends that you select ports within the default range of 7937-9936.

- To avoid conflicts with other daemons or services on the host, do not assign ports under 1024.
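The netstat check and the three selection rules above, as an added example written for this page (not EMC code). ports_in_use() reads the text of netstat -a (Linux tcp/tcp6/udp lines and Windows-style lines are both handled, because only the local-address column is inspected) and check_range() tests a proposed range against the in-use ports and the rules: the range must contain 7937 and 7938, should stay inside 7937-9936, must not use ports below 1024, and must be at least as large as the count calculated for the host. The netstat text is constructed sample data, not captured from a real host. One caveat is built in: netstat does not say which process owns a port, so 7937 and 7938 are excluded from the in-use report because nsrexecd itself holds them once NetWorker is installed; run the check before installing, or use netstat -p (Linux) or netstat -b (Windows) to see the owning process.

```python
"""Check a proposed NetWorker service port range against netstat -a output
(added example, not EMC code)."""
import re

RESERVED = {7937, 7938}        # fixed nsrexecd ports
RECOMMENDED = (7937, 9936)     # EMC-recommended block

# Constructed sample: Linux tcp/tcp6/udp lines plus one Windows-style line.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:7937            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:7938            0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:7941         192.0.2.20:49152        ESTABLISHED
tcp6       0      0 :::8080                 :::*                    LISTEN
udp        0      0 0.0.0.0:161             0.0.0.0:*
  TCP    0.0.0.0:7945           0.0.0.0:0              LISTENING
"""


def ports_in_use(netstat_output, proto="tcp"):
    """Local port numbers bound for `proto` ('tcp' or 'udp')."""
    used = set()
    for line in netstat_output.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].lower() not in (proto, proto + "6"):
            continue
        for tok in tokens[1:]:
            m = re.match(r"^.*:(\d+)$", tok)   # first 'addr:port' token is the local address
            if m:
                used.add(int(m.group(1)))
                break
    return used


def check_range(ranges, used, need):
    """`ranges`: inclusive (lo, hi) pairs as typed into the Service ports attribute;
    `need`: the port count calculated for the host. Returns a list of problems,
    empty when the range is usable. 7937/7938 are skipped in the in-use check
    because nsrexecd holds them itself once NetWorker is installed."""
    ports = set()
    for lo, hi in ranges:
        ports.update(range(lo, hi + 1))
    problems = []
    if not RESERVED <= ports:
        problems.append("range must contain 7937 and 7938 (reserved by nsrexecd)")
    low = sorted(p for p in ports if p < 1024)
    if low:
        problems.append(f"ports below 1024 are not allowed: {low[:5]}...")
    outside = sorted(p for p in ports if not RECOMMENDED[0] <= p <= RECOMMENDED[1])
    if outside:
        problems.append(f"ports outside the recommended {RECOMMENDED[0]}-{RECOMMENDED[1]}: {outside[:5]}...")
    busy = sorted((ports & used) - RESERVED)
    if busy:
        problems.append(f"already in use on this host: {busy}")
    if len(ports) < need:
        problems.append(f"only {len(ports)} ports in range, {need} required")
    return problems


if __name__ == "__main__":
    used = ports_in_use(SAMPLE_NETSTAT)
    print(sorted(used))                            # [22, 7937, 7938, 7941, 7945, 8080]
    print(check_range([(7937, 7940)], used, 4))    # [] : a 4-port client range is free
    print(check_range([(7937, 7950)], used, 14))   # 7941 and 7945 are already bound
```

On a real host, feed the captured output of netstat -a into ports_in_use() and try the range you intend to type into the Service ports attribute; a non-empty result names the rule that was broken or the specific ports that collide.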

Configuring the port ranges in NetWorker

The Service ports attribute in the NSRLA resource defines which TCP ports the NetWorker processes can listen on and connect to.

Use NMC or the nsrports command to define the service ports on each NetWorker host in the data zone.

Enabling updates of the NSR system port ranges resource

The nsrexec database on each NetWorker host has its own administrators list. By default, only users that log in to the NetWorker host locally can update the NSR system port ranges resource. Perform the following steps to add users to the administrator list of the NSR system port ranges resource and enable remote updates of the attribute.

Procedure

1. Connect to the target NetWorker host.

2. From a command prompt, use the nsradmin program to connect to the nsrexec database:

nsradmin -p nsrexec

3. Display the current administrators list:

p NSR system port ranges

In this example, only the local users can update the attributes in the NSR system port ranges resource:

NetWorker administration program.
Use the "help" command for help, "visual" for full-screen mode.
nsradmin> p NSR system port ranges
                        type: NSR system port ranges;
               service ports: 7937-9936;
            connection ports: 0-0;
               administrator: *@localhost;

4. Update the administrator attribute to include a remote account:

update administrator: *@localhost, username@system

For example, if you connect to the NMC server with the NMC administrator from the NMC client mnd.mydomain.com, type:

update administrator: *@localhost, [email protected]

5. When prompted, type y.

6. Exit the nsradmin program:

quit

Configuring the port ranges in NetWorker by using NMC

Use NMC to view and modify the current port ranges for each NetWorker host.

Before you begin

Use NMC to connect to the NetWorker server with a user that is a member of the Application Administrators or Database Administrators user group.

Procedure

1. On the Configuration window, select Local Hosts.

2. Right-click the NetWorker host and select Configure Port Ranges.

3. On the General tab, review the value in the Administrators attribute:

- If you see the message:

No privilege to view administrator list

then the account that you used to log in to the NMC server does not have permission to modify the port ranges. Enabling updates of the NSR system port ranges resource on page 101 describes how to provide user accounts with the ability to modify the service port attribute.

- If you see accounts in the Administrators attribute, the account has permission to modify the port ranges. Continue with the next step.

4. In the Service ports attribute, specify the calculated service port range. For multiple ranges, type one range per line.

Note

EMC recommends that you do not change the Connection ports attribute from the default value 0-0.


5. Click Ok.

6. Stop and start the NetWorker services or daemons on the NetWorker host.

Configuring the port ranges in NetWorker by using nsrports

Use the nsrports program to view and modify the current port ranges for each NetWorker host from a command prompt:

# nsrports -s target_hostname [-S|-C] range

Table 16 nsrports options

Option             | Description
-s target_hostname | Optional. Use this option when updating the port range for a remote NetWorker host. Enabling updates of the NSR system port ranges resource on page 101 describes how to enable remote access to the NSR system port ranges resource.
-S range           | Sets the service port range to the value specified by range. The default range is 7937-7941. If the range is not a consecutive set of ports, use a space to separate the port values.
-C range           | Sets the connection port range to the value specified by range. EMC recommends that you do not change the Connection ports attribute from the default value 0-0.

For example, to modify the service port attribute in the NSR system port ranges resource on myclient.emc.com, perform the following steps:

Procedure

1. Display the current port range:

# nsrports -s myclient.emc.com
Service ports: 7937-7940
Connection ports: 0-0

2. Update the service port range. Separate multiple port ranges with a space. For example:

# nsrports -s myclient.emc.com -S 7937-7938 7978-7979

Note

If you do not have permission to update the NSR system port ranges attribute, an error message similar to the following appears:

nsrexecd: User 'username' on machine 'hostname' is not on 'administrator' list.

Enabling updates of the NSR system port ranges resource on page 101 describes how to enable user access to update the NSR system port ranges resource.

3. Confirm that the service port attribute updated successfully. For example:

# nsrports -s myclient.emc.com
Service ports: 7937-7938 7978-7979
Connection ports: 0-0


4. Stop and start the NetWorker services or daemons on myclient.emc.com.
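The range syntax that nsrports -S expects and the confirmation in step 3, as an added example written for this page (not EMC code). nsrports takes the service ports as one or more lo-hi ranges separated by spaces; to_ranges() compacts a set of port numbers into that syntax, from_ranges() parses it back, build_command() produces the argv for the update (with each range as its own argument, exactly as in step 2), and update_applied() compares the Service ports line printed by nsrports -s host with the set that was requested. The nsrports output used is constructed sample text; invoking nsrports itself is shown only in comments, because it requires a NetWorker host.

```python
"""Build, validate and verify the range argument for nsrports -S (added example, not EMC code)."""
import re

RESERVED = {7937, 7938}   # must stay in every service port range


def to_ranges(ports):
    """{7937, 7938, 7978, 7979} -> '7937-7938 7978-7979'. A single port is written
    lo-lo, the form nsrports itself prints for the connection ports ('0-0')."""
    ports = sorted(set(ports))
    if not ports:
        return ""
    out, lo, prev = [], ports[0], ports[0]
    for p in ports[1:]:
        if p == prev + 1:
            prev = p
            continue
        out.append(f"{lo}-{prev}")
        lo = prev = p
    out.append(f"{lo}-{prev}")
    return " ".join(out)


def from_ranges(text):
    """'7937-7938 7978-7979' -> {7937, 7938, 7978, 7979}; ValueError on bad syntax."""
    ports = set()
    for item in text.split():
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item)
        if not m:
            raise ValueError(f"bad range syntax: {item!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if lo > hi or hi > 65535:
            raise ValueError(f"bad range: {item!r}")
        ports.update(range(lo, hi + 1))
    return ports


def is_valid_range_syntax(text):
    try:
        from_ranges(text)
    except ValueError:
        return False
    return True


def parse_nsrports(output):
    """Dict with 'service' and 'connection' port sets from `nsrports -s host` output."""
    result = {}
    for line in output.splitlines():
        m = re.match(r"\s*(Service|Connection) ports:\s*(.*)$", line)
        if m:
            result[m.group(1).lower()] = from_ranges(m.group(2))
    return result


def build_command(host, ports):
    """argv for `nsrports -s host -S range ...`; each range is a separate argument."""
    ports = set(ports)
    if not RESERVED <= ports:
        raise ValueError("service ports must include 7937 and 7938")
    return ["nsrports", "-s", host, "-S"] + to_ranges(ports).split()


def update_applied(output, wanted):
    """True when the Service ports line equals the set that was requested."""
    return parse_nsrports(output).get("service") == set(wanted)


# Constructed sample of what `nsrports -s myclient.emc.com` prints after step 2.
SAMPLE_OUTPUT = "Service ports: 7937-7938 7978-7979\nConnection ports: 0-0\n"

if __name__ == "__main__":
    wanted = [7937, 7938, 7978, 7979]
    print(" ".join(build_command("myclient.emc.com", wanted)))
    # import subprocess
    # subprocess.run(build_command("myclient.emc.com", wanted), check=True)
    # output = subprocess.run(["nsrports", "-s", "myclient.emc.com"],
    #                         capture_output=True, text=True, check=True).stdout
    print(update_applied(SAMPLE_OUTPUT, wanted))   # True
```

Because the daemons must be restarted for the change to take effect (step 4), a deployment script should run the update, confirm it with update_applied(), and only then restart nsrexecd, so a permission failure such as the "not on 'administrator' list" message does not leave the host restarted with the old range.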

Configuring the service ports on the firewall

To enable communication between the NetWorker host and other applications, configure additional firewall rules.

The NetWorker software may communicate with other applications on ports outside of the service port range, for example, to communicate with a Data Domain or Avamar utility node. The following table summarizes the firewall requirements for each NetWorker installation type and third-party application.

Table 17 Port requirements for NetWorker communications with third-party applications

Source host | Destination host | Protocol | Ports to open on the firewall
NetWorker client | NetWorker server | TCP | Port range determined in NetWorker client service port requirements on page 97
NetWorker client | NetWorker storage node | TCP | Port range determined in NetWorker client service port requirements on page 97
NetWorker client | NMC server | TCP | Port range determined in NetWorker client service port requirements on page 97
NetWorker client | Data Domain | TCP; TCP/UDP | 2049, 2052; 111 (portmapper)
NetWorker client | Avamar (all nodes) | TCP; TCP | 27000; 29000 (for SSL only)
NetWorker client | Avamar utility node | TCP | 28001
NetWorker storage node | NetWorker client | TCP | Port range determined in NetWorker client service port requirements on page 97
NetWorker storage node | NetWorker server | TCP | Port range determined in Service port requirements for NetWorker storage nodes on page 98
NetWorker storage node | Data Domain | TCP; TCP/UDP | 2049, 2052; 111 (portmapper)
NetWorker storage node | ESX cluster | TCP | 902
NetWorker storage node | vCenter server | TCP | 443
NetWorker storage node (NDMP-DSA or SnapImage) | NetWorker server | TCP | Port range determined in Service port requirements for NetWorker storage nodes on page 98
NetWorker server | ATMOS server | (not stated) | 80, 443
NetWorker server | AlphaStor server | TCP | 44475
NetWorker server | NDMP filer | TCP; TCP | 10000; one user-defined port in the range 0-1024
NetWorker server | NetWorker storage node (NDMP-DSA or SnapImage) | TCP; TCP | 10000; port range determined in Service port requirements for NetWorker storage nodes on page 98. Note: when a NetWorker server uses Windows Firewall, manually create an inbound rule for the nsrdsa_save program to allow communications over TCP port 10000.
NetWorker server | NetWorker client | TCP | Port range determined in NetWorker client service port requirements on page 97
NetWorker server | NetWorker storage node | TCP, UDP | Port range determined in Service port requirements for the NetWorker server on page 99. Note: open the 2 required UDP service ports on the firewall for TCP connections; there is no need to allow UDP connections through the firewall.
NetWorker server | Data Domain | TCP; TCP/UDP | 2049, 2052; 111 (portmapper), 161 (port used by SNMPd to query the Data Domain system)
NetWorker server | Avamar utility node | TCP | 7937, 7938, and 2 ports in the range 7939-9936
NetWorker server | DPA | TCP | 3916, 4001
NetWorker server | vCenter server | TCP; TCP | 443; port range determined in NetWorker client service port requirements on page 97
NetWorker server | VMware Backup Appliance (EBR/VBA) | TCP; TCP | 8543; port range determined in NetWorker client service port requirements on page 97
NetWorker server | NMC server | TCP | Port range determined in Service port requirements for NMC server on page 100
NetWorker server | NetWorker Module for Microsoft Applications | TCP | 6278 (control port), 6279 (data port); port requirements determined in Service port requirements for Snapshot clients on page 98
NetWorker Module for Microsoft | NetWorker server | TCP | 6278 (control port), 6279 (data port); port requirements determined in Service port requirements for Snapshot clients on page 98
Avamar utility node | NetWorker client | TCP | 28002
NMC server | NetWorker server | TCP | Port range determined in Service port requirements for NMC server on page 100
NMC server | NetWorker client | TCP | Port range determined in Service port requirements for NMC server on page 100
NMC server | Data Domain | TCP; TCP | 161 (port used by SNMPd to query the Data Domain system); 162 (port used by SNMPtrapd to capture Data Domain SNMP traps)
NMC client | NMC server | TCP; TCP; UDP | 9000 (port used by HTTPd to download the Console user interface); 9001 (port used for RPC calls from the Console Java client to the Console server); 2638 (port used by Tabular Data Stream (TDS) for database queries). You can modify the default port values; How to confirm the NMC server service ports on page 107 provides more information.
DPA | NetWorker server | TCP | 3741
DPA | Data Domain | TCP; TCP/UDP | 22; 161 (port used by SNMPd to query the Data Domain system)
DPA | Avamar utility node | TCP | 55555
Data Domain | NMC server | TCP/UDP | 162 (port used by SNMPtrapd to capture Data Domain SNMP traps)
Data Domain | DPA | TCP/UDP | 162 (port used by SNMPtrapd to capture Data Domain SNMP traps)
VMware Backup Appliance (VBA/EBR) | NetWorker server | TCP; TCP | 8080; port range determined in NetWorker client service port requirements on page 97

How to confirm the NMC server service ports

The NMC server installation process prompts you to define the service ports that the NMC server will use.

To confirm the defined port numbers, review the gstd.conf file and look for the following lines:

- http_svc_port = http_service_port
- clnt_svc_port = client_service_port
- int db_svc_port = client_db_port

where http_service_port, client_service_port, and client_db_port are port numbers. By default, the HTTP service port is 9000 and the client service port used to make RPC calls is 9001.

If you change the port values in the gstd.conf file, then you must restart the gstd daemon.

Note

The gstd.conf file is located in NMC_install_dir/GST/etc on UNIX and NMC_install_dir\GST\etc on Windows.

Determining service port requirement examples

This section provides three examples to determine firewall port requirements. In each example, the NetWorker Server resides in the secure network.

Each example uses the following IP addresses and host names:

192.167.10.101 client_A
192.167.10.102 client_B
192.167.10.103 client_C
192.167.10.104 client_D
192.167.10.105 client_E
192.167.10.106 client_F
192.167.10.124 storage_node_X
192.167.10.125 storage_node_Y
192.167.10.127 storage_node_Z
192.167.10.126 NW_server

Calculating service port ranges for a bi-directional firewall configuration

In this example:


- The Service ports attribute on each client specifies a minimum of four service ports, for example: 7937-7940.

Note

To simplify the configuration, configure each client to use the same four service port numbers.

- The firewall must allow outbound traffic, to the IP address of each NetWorker client, on each of the service ports defined in the Service ports attribute on the NetWorker client. Because each client can specify the same port numbers, the firewall only needs to allow four ports for each client IP address. These port numbers can be a subset of the port numbers that the NetWorker server uses, as in this example.

- In pseudo syntax, the firewall rule for the service ports would look like this:

TCP, Service, src 192.167.10.*, dest 192.167.10.101, ports 7937-7940, action accept
TCP, Service, src 192.167.10.*, dest 192.167.10.102, ports 7937-7940, action accept
TCP, Service, src 192.167.10.*, dest 192.167.10.103, ports 7937-7940, action accept
...


In the previous pseudo syntax, the firewall configuration allows:

- Incoming service connections to the IP address of the NetWorker server on ports 7937-7958, from the IP addresses of each storage node, client, and any other host on the subnet.

- Connections to the IP addresses of each storage node on ports 7937-7948, and to each client IP address on ports 7937-7940. Ensure that you configure each NetWorker host with the appropriate port range, then restart the NetWorker services on each host.

This is the most stringent configuration possible, but difficult to maintain.

To simplify the configuration and administration of the data zone, assign a range of 22 ports, 7937-7958, to each host, and then configure the firewall to allow traffic to these ports on any host, from any host.

In pseudo syntax, the firewall rule for the service ports would look like this:

TCP, Service, src 192.167.10.*, dest 192.167.10.*, ports 7937-7958, action accept

Calculating service ports for a uni-directional firewall environment with storage nodes

This example describes how to apply the basic rules of service port calculations to a sample network. In this example there is one NetWorker Storage Node on either side of the firewall. Clients D, E, and F in the secure network back up data to the storage node in the secure network. Clients A, B, and C in the insecure network back up data to the storage node in the insecure network. The firewall protects each host in the secure network. The firewall does not protect hosts in the insecure network. The firewall blocks network traffic from insecure to secure.

Figure 9 Uni-directional firewall with storage nodes


This example requires you to open service ports on the firewall only for the NetWorker Server, to allow inbound traffic. Calculate the service port requirements for the NetWorker Server with this formula:

14 + (num devices) + (num libraries) + 1 (client push) = 14 + 6 + 1 + 1 = 22

In this example:

- The Service ports attribute of the NetWorker Server contains the range 7937-7958.

- The firewall must allow inbound traffic to the IP address of the NetWorker Server on each service port, with the exception of the UDP port. In this example, 22 ports in the range 7937 to 7958 must allow inbound traffic to the NetWorker server.

- In pseudo syntax, the firewall rule for the service ports would look like this:

TCP, Service, src 192.167.10.*, dest 192.167.10.126, ports 7937-7958, action accept

Calculating service ports in a bi-directional firewall environment with Data Domain

This example shows how to apply the basic rules to a sample network with clients A, B and C, one storage node X, and a Data Domain appliance in an insecure network. The NetWorker server and NMC server are in a secure network. A single firewall separates the secure network from the insecure network. The NetWorker server has a tape library and six drives. The clients send backup data to the Data Domain appliance and each client acts as an NMC client.

Figure 10 Bi-directional firewall with Data Domain appliance

Service port requirements for the NetWorker Server

Calculate the service port requirements for the NetWorker Server with this formula:

14 + (num devices) + (num libraries) = 14 + 6 + 1 = 21 service ports


In this example:

- Configure the Service ports attribute on the NetWorker Server to use a minimum of 21 service ports, for example: 7937-7957.

- Configure the firewall to allow inbound traffic, to the IP address of the NetWorker Server:

  - On the 21 service ports specified in the Service ports attribute of the NetWorker Server. The UDP port is not required.
  - On TCP ports 2049 and 2052 for Data Domain connectivity.
  - On TCP/UDP ports 111 and 161 for Data Domain connectivity.

In pseudo syntax, the firewall rules for the service ports would look like this:

TCP, Service, src 192.167.10.*, dest 192.167.10.126, ports 7937-7957, action accept
TCP, Service, src 192.167.10.*, dest 192.167.10.126, ports 2049, action accept
TCP, Service, src 192.167.10.*, dest 192.167.10.126, ports 2052, action accept
TCP, Service, src 192.167.10.*, dest 192.167.10.126, ports 111, action accept
UDP, Service, src 192.167.10.*, dest 192.167.10.126, ports 111, action accept
TCP, Service, src 192.167.10.*, dest 192.167.10.126, ports 161, action accept
UDP, Service, src 192.167.10.*, dest 192.167.10.126, ports 161, action accept

Service port requirements for the NetWorker storage node

The storage node is in the insecure network and uses a Data Domain appliance. There are two Data Domain devices and each device uses a Max nsrmmd count value of 4. The Dynamic nsrmmds attribute is enabled on the storage node.

Calculate the service port requirements for the NetWorker storage node with this formula: 5 + 8 = 13 service ports.

In this example:

- The Service ports attribute on the NetWorker storage node must specify a minimum of 13 service ports, for example: 7937-7949.

- The firewall must allow outbound traffic, from the NetWorker server to the IP address of the NetWorker storage node:

  - On the 13 service ports specified in the Service ports attribute of the NetWorker storage node.
  - On TCP ports 2049 and 2052 for Data Domain connectivity.
  - On TCP/UDP port 111 for Data Domain connectivity.

In pseudo syntax, with the NetWorker server (192.167.10.126) as the source and the storage node (192.167.10.125) as the destination, the firewall rules for the service ports would look like this:

TCP, Service, src 192.167.10.126, dest 192.167.10.125, ports 7937-7949, action accept
TCP, Service, src 192.167.10.126, dest 192.167.10.125, ports 2049, action accept
TCP, Service, src 192.167.10.126, dest 192.167.10.125, ports 2052, action accept
TCP, Service, src 192.167.10.126, dest 192.167.10.125, ports 111, action accept
UDP, Service, src 192.167.10.126, dest 192.167.10.125, ports 111, action accept


Service port requirements for the NetWorker Client

There are NetWorker clients in the insecure network. Each client requires four service ports. Two ports must be 7937 and 7938.

In this example:

- The Service ports attribute on each client specifies a minimum of four service ports, for example: 7937-7940.

Note

To simplify the configuration, configure each client to use the same four service port numbers.

- The firewall must allow outbound traffic, to the IP address of each NetWorker client, on the four service ports defined in the Service ports attribute of the NetWorker client. These port numbers can be a subset of the port numbers that the NetWorker server uses.

- In pseudo syntax, the firewall rules for the service ports would look like this:

TCP, Service, src 192.167.10.*, dest 192.167.10.101, ports 7937-7940, action accept
TCP, Service, src 192.167.10.*, dest 192.167.10.102, ports 7937-7940, action accept
TCP, Service, src 192.167.10.*, dest 192.167.10.103, ports 7937-7940, action accept
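The pseudo-syntax rule sets of the three examples above, generated from a model of the data zone. This is an added example written for this page, not EMC code. A Host carries the service port range set in its Service ports attribute plus the non-NetWorker ports it needs (the Data Domain ports in the bi-directional example); inbound_rules() emits one rule per protocol and port for one destination, per_host_rules() is the stringent per-destination form, and subnet_rule() is the simplified form in which every host is given the widest range and the firewall allows it between any two hosts on the subnet. The closing reject rule goes beyond the examples: the Troubleshooting section that follows recommends rejecting, rather than silently dropping, packets outside the allowed range so that NetWorker learns of a failed connection immediately. Host names and addresses are the ones used by the examples; the storage node is the .125 host that the example rules address.

```python
"""Firewall rules in the guide's pseudo syntax for the worked examples (added example, not EMC code)."""
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    ip: str
    service_ports: str                          # 'lo-hi' as set in the Service ports attribute
    extra: list = field(default_factory=list)   # [(protocol, port), ...]; protocol may be 'TCP/UDP'


def rule(proto, src, dest, ports, action="accept"):
    return f"{proto}, Service, src {src}, dest {dest}, ports {ports}, action {action}"


def inbound_rules(host, src):
    """Rules allowing `src` to reach `host` on its service ports and its extra ports."""
    rules = [rule("TCP", src, host.ip, host.service_ports)]
    for proto, port in host.extra:
        for p in proto.split("/"):              # 'TCP/UDP' -> one rule per protocol
            rules.append(rule(p, src, host.ip, port))
    return rules


def per_host_rules(hosts, src):
    """Stringent configuration: a separate rule set for every destination host."""
    return [r for h in hosts for r in inbound_rules(h, src)]


def range_size(r):
    lo, hi = (int(x) for x in r.split("-"))
    return hi - lo + 1


def subnet_rule(hosts, subnet):
    """Simplified configuration: every host gets the widest range, allowed
    between any two hosts on the subnet with a single rule."""
    widest = max((h.service_ports for h in hosts), key=range_size)
    return rule("TCP", subnet, subnet, widest)


def reject_rule(subnet):
    """Catch-all placed after the accept rules: reject (not drop) everything else,
    so a blocked connection fails immediately instead of hanging in FIN_WAIT."""
    return rule("TCP", subnet, subnet, "1-65535", action="reject")


# Data from the bi-directional Data Domain example (the guide's example addresses).
NW_SERVER = Host("NW_server", "192.167.10.126", "7937-7957",
                 extra=[("TCP", "2049"), ("TCP", "2052"), ("TCP/UDP", "111"), ("TCP/UDP", "161")])
STORAGE_NODE = Host("storage_node", "192.167.10.125", "7937-7949",
                    extra=[("TCP", "2049"), ("TCP", "2052"), ("TCP/UDP", "111")])
CLIENTS = [Host("client_A", "192.167.10.101", "7937-7940"),
           Host("client_B", "192.167.10.102", "7937-7940"),
           Host("client_C", "192.167.10.103", "7937-7940")]

if __name__ == "__main__":
    for r in inbound_rules(NW_SERVER, "192.167.10.*"):       # the 7 server rules of the example
        print(r)
    for r in inbound_rules(STORAGE_NODE, NW_SERVER.ip):      # server -> storage node, 5 rules
        print(r)
    for r in per_host_rules(CLIENTS, "192.167.10.*"):        # one rule per client
        print(r)
    print(subnet_rule([NW_SERVER, STORAGE_NODE] + CLIENTS, "192.167.10.*"))
    print(reject_rule("192.167.10.*"))
```

Keep the ordering when translating these into a real firewall: the accept rules first, the reject rule last. The per-host list is what the guide calls the most stringent configuration; the single subnet rule is the one it recommends for easier administration, at the cost of exposing the widest range on every host.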

Troubleshooting

This section contains solutions to some common problems encountered when you configure NetWorker in a firewalled environment.

Backups appear to stop responding or slow down dramatically

When you configure a firewall to drop packets outside an allowed range, but the firewall configuration does not allow for proper NetWorker connectivity:

- NetWorker does not get proper notification that a connection is not possible.

- The socket connections might not close correctly and remain in a TCP FIN_WAIT state. As a result, NetWorker requires more ports for client connectivity.

To avoid these issues, configure the firewall to reject packets outside the allowed range. When the firewall rejects packets, NetWorker receives an immediate notification of any connection failure and the remaining operations continue.

If you cannot configure the firewall to reject packets, reduce the TCP timeout values on the NetWorker server's operating system to reduce the impact of the problem. The EMC NetWorker Performance Optimization Planning Guide describes how to change TCP timeout values.

Cannot bind socket to connection port range on system hostname

This message appears in the savegroup messages or in stdout during manual operations when there are insufficient connection ports available and NetWorker cannot establish a connection.

To resolve this issue, ensure that the Connection ports attribute in the NSR system port ranges resource is 0-0 on the host specified by hostname.

Failed to bind socket for service_name service: Can't assign requested address

This message appears when a NetWorker daemon cannot register to a port within the service port range because all ports are in use by other daemons and processes.


To resolve this issue, increase the port range in the Service ports attribute in the NSR system port ranges resource on the NetWorker host and make a corresponding change in the firewall rules.

Service is using port port_number which is outside of configured ranges: range

This message appears in the Logs window when a NetWorker daemon attempts to register to a port that is not within the service port range. This can occur because the port requirements of the NetWorker host exceed the number of service ports defined in the range.

To resolve this issue, increase the port range in the Service ports attribute in the NSR system port ranges resource on the NetWorker host and make a corresponding change in the firewall rules.

Note

Communications between NetWorker processes on the same host do not follow definedrules. For example, the NetWorker server daemons communicate internally outside of thedefined port range. Do not configure a firewall to limit the range for TCP traffic inside asingle system.

Connection refused

This message appears when the NetWorker host cannot establish a portmapper connection on port 7938.

To resolve this issue, ensure that the NetWorker software can register an RPC portmapper connection on port 7938.

Connection reset by peer

This message appears when the connection between two NetWorker hosts closes prematurely.

To resolve this issue, configure the data zone to send a keep-alive signal between the hosts at an interval that is shorter than the timeout period defined on the firewall. Special considerations for a firewall environment on page 94 describes how to configure the TCP keep-alive signal.

Unable to obtain a client connection to nsrmmgd (version #) on host hostname

This message appears on a Windows host when the Windows firewall Allow list on the NetWorker server does not contain the nsrmmgd process.

When this error message appears:

- A library configured on the NetWorker storage node will not enter the "ready" state.

- Multiple nsrlcpd processes are started on the storage node.

To resolve this issue, ensure that the firewall is turned on, then add the nsrmmgd process to the Allow list of the Windows firewall on the NetWorker server host.

nsrndmp_save: data connect: failed to establish connection

This message appears during an NDMP-DSA backup when a Windows NetWorker server uses Windows firewall, but an inbound rule for port 10000 does not exist.

To resolve this issue, perform the following steps:

1. Log in to the NetWorker server as a Windows administrator.

2. In the Windows Firewall application, on the Advanced properties select Inbound Rules > New Rule.

3. Select Program and then click Next.

4. Select This Program Path.


5. Click Browse. Select the binary nsrdsa_save.exe, and then click Next.

6. Select Allow the connection, and then click Next.

7. Leave the default Profiles selections enabled, and then click Next.

8. Provide a name for the rule and click Finish.

9. Edit the new rule.

10. On the Protocols and Ports tab, perform the following steps:

a. From the Protocol type drop-down, select TCP.

b. From the Local Port drop-down, select Specific Ports. Specify port number 10000.

c. Click OK.

Unable to execute savefs job on host hostname: Remote system error - No route to host

This message appears during a scheduled backup when the NetWorker server can reach the client but cannot contact the nsrexecd process to start the savefs process.

To resolve this issue, ensure that you configure the following:

- Any external firewall between the two hosts to allow communication on the required service ports.

- A personal firewall on the client, for example, iptables on Linux, to allow communication between the two hosts on the required service ports.

Modifying the port number of the NetWorker portmapper service

NetWorker contains a fully functional RPC portmapper service within the client daemon nsrexecd. The service runs by default on port 7938, and is used almost exclusively throughout NetWorker.

To modify the port number, perform the following steps:

1. Edit the services file on the NetWorker host. The services file is located in the following directory:

- On UNIX and Linux: /etc/services

- On Windows: %WINDIR%\system32\drivers\etc\services

2. Add the following entries:

nsrrpc 7938/tcp lgtomapper #EMC NetWorker RPC
nsrrpc 7938/udp lgtomapper #EMC NetWorker RPC

Replace the port number with the desired port. Ensure that you choose a new port that is not already in use.

3. Restart the NetWorker services on the host.
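The script below is an added example and not part of the EMC guide or the NetWorker product. It performs the services-file edit from step 2 on a UNIX or Linux host and adds the check the step asks for by hand: it refuses a new port that the file already assigns to another service. The sample services file it writes is constructed; on a real host you would point it at /etc/services and then restart the NetWorker services as in step 3.

```shell
#!/bin/sh
# Added example, not from the EMC guide: script the services-file edit from
# step 2 above. It rewrites the nsrrpc/lgtomapper entries to a new port and
# refuses a port that the file already assigns to another service, which is
# the check the step asks you to make by hand.

# Port that nsrrpc currently resolves to in a services file.
get_nsrrpc_port() {
    awk '$1 == "nsrrpc" { split($2, a, "/"); print a[1]; exit }' "$1"
}

# Usage: set_nsrrpc_port SERVICES_FILE NEW_PORT
# Returns 1 on a bad argument, 2 when NEW_PORT is already taken, 0 on success.
set_nsrrpc_port() {
    file=$1
    port=$2
    case $port in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port $port is outside 1-65535" >&2; return 1
    fi
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    # Conflict check: a non-comment line whose port (the part before "/")
    # equals NEW_PORT and whose service is not nsrrpc itself.
    if awk -v p="$port" '
        $0 !~ /^[ \t]*#/ && NF >= 2 {
            split($2, a, "/")
            if (a[1] == p && $1 != "nsrrpc") found = 1
        }
        END { exit (found ? 0 : 1) }' "$file"; then
        echo "port $port is already used in $file" >&2
        return 2
    fi
    tmp="$file.tmp.$$"
    # Keep every line except the old nsrrpc entries, then append tcp and udp
    # entries in the form the guide shows.
    awk '$1 != "nsrrpc"' "$file" > "$tmp"
    printf 'nsrrpc\t%s/tcp\tlgtomapper\t#EMC NetWorker RPC\n' "$port" >> "$tmp"
    printf 'nsrrpc\t%s/udp\tlgtomapper\t#EMC NetWorker RPC\n' "$port" >> "$tmp"
    mv "$tmp" "$file"
}

# Constructed sample services file (not a real /etc/services); written to
# the path given as $1.
make_sample_services() {
    cat > "$1" <<'EOF'
# constructed sample services file
ssh        22/tcp
nsrrpc     7938/tcp   lgtomapper   #EMC NetWorker RPC
nsrrpc     7938/udp   lgtomapper   #EMC NetWorker RPC
http-alt   8080/tcp
EOF
}
```

Run it as `set_nsrrpc_port /etc/services 9001` (as root, after taking a copy of the file). The conflict check only sees services declared in that file, so also confirm with the host's firewall rules and the NSR System port ranges resource that the new port is reachable before restarting the NetWorker services.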


CHAPTER 5

Data Security Settings

This chapter describes the settings available to ensure the protection of the data handled by NetWorker.

- Encrypting backup data (page 116)
- Data integrity (page 122)
- Data erasure (page 125)
- Security alert system settings (page 127)


Encrypting backup data

You can encrypt backup and archive data on UNIX and Windows hosts with the AES Application Specific Module (ASM). The AES ASM provides 256-bit data encryption. NetWorker encrypts the data based on a user-defined pass phrase, which you can securely store and retrieve from a lockbox.

The NetWorker software comes with a preconfigured global directive that enables you to encrypt backup and archive data with the AES ASM. To use AES, modify the default NetWorker lockbox resource, set the data zone pass phrase for the NetWorker server, and then apply the AES directive to clients in the data zone. Do not use AES encryption to:

- Back up files that are encrypted by EFS. NetWorker will report the backup as successful, but a recovery will fail with the following message:

recover: Error recovering <filename>. The RPC call completed before all pipes were processed

The NetWorker Administration Guide provides more information about NetWorker interoperability with EFS.

- Back up a client that sends data to an encryption-enabled cloud device. Backup speeds decrease because the encryption functions occur twice.

Modifying the lockbox resource

By default, NetWorker creates a lockbox resource for the NetWorker server. The lockbox allows NetWorker to store pass phrases securely and enables you to specify a list of users that can store, retrieve, and delete AES pass phrases.

Before you begin

Use NMC to connect to the NetWorker server with a user that is a member of the Application Administrators or Database Administrators user group.

To edit the Lockbox resource, perform the following steps:

Procedure

1. On the Administration window, click Configuration.

2. Click Lockboxes in the left navigation pane.

3. Right-click the lockbox resource for the NetWorker server and then select Properties.

4. In the Users field, specify the list of users that will have access to the AES pass phrases in one of the following formats:

- user=username

- username@hostname

- hostname

- host=hostname

- user=username, host=hostname


Note

If you enter a hostname or host=hostname in the Users attribute, then any user on the specified host can recover the files for the client. To enter a username without specifying the host, enter user=username.

5. Click OK.

Results

Only users that you specify in the Users field can modify the Datazone pass phrase attribute in the NSR resource.

Defining the AES pass phrase

NetWorker uses a pass phrase to generate the data zone encryption key that backup and recovery operations use. Specify the AES pass phrase in the NSR resource to enable backup data encryption.

Before you begin

Use NMC to connect to the NetWorker server with a user that is a member of the Application Administrators or Database Administrators user group.

If you do not specify a data zone pass phrase and you configure clients to use the AES directive to encrypt backups, NetWorker uses a default pass phrase. To define the AES pass phrase that NetWorker uses to generate the data zone encryption key, perform the following steps.

Procedure

1. On the Administration window, click Configuration.

2. Right-click the NetWorker server in the left navigation pane and select Properties.

3. On the Configuration tab in the Datazone pass phrase attribute, specify the pass phrase.

4. Click OK.

Results

NetWorker generates the data zone encryption key based on the pass phrase. To recover the data, you must know the data zone pass phrase that was in the Datazone pass phrase attribute at the time of the backup.

Configuring the client resource to use AES encryption

To implement AES data encryption, apply the Encryption global directive to individual clients by using the Directives attribute in the Client resource.

Before you begin

Use NMC to connect to the NetWorker server with a user that is a member of the Application Administrators or Database Administrators user group.

Procedure

1. On the Administration window, click Configuration.

2. In the left navigation pane, select Clients.

3. On the General tab, select Encryption Directive from the Directive attribute.

4. Click OK.


Configure encryption for a client-initiated backup

To configure a NetWorker client to use AES encryption, use the NetWorker User program on Windows, or the save command.

Configuring encryption for client-initiated backups on Windows by using NetWorker User

You can use AES to encrypt data that you back up by using the NetWorker User program.

Procedure

1. On the Windows host, start the NetWorker User program.

2. On the NetWorker User toolbar, select Backup.

3. On the Options menu, select Password.

4. When prompted, specify a password, then click OK.

The NetWorker User program creates the C:\NETWORKR.CFG file, which contains the password in an encrypted format.

5. On the Backup window, mark the files for backup.

6. On the Backup toolbar, select Encrypt.

An E appears in the Attributes column for each marked file and directory.

7. Start the backup operation.

Results

NetWorker uses AES encryption to back up the data based on the value specified in the Datazone pass phrase attribute of the NSR resource on the NetWorker server at the time of the backup.

Note

To recover the data, NetWorker will prompt you for the password that you defined for the backup.

Configuring AES encryption by using the save command

To perform an AES encrypted backup from the command line, you must create a local AES directive file that the save program uses during backup.

Procedure

1. Create a directive file on the host.

On Windows, create a text file named nsr.dir. On UNIX, create a text file named .nsr.

You can create the file in any directory on the host.

2. Add the following lines to the directive file:

<< / >> +aes: *

3. Save the directive file.

4. Perform the backup by using the save command with the -f option.

save -f full_path_to_directive_file backup_object


For example, to back up the directory c:\data on a Windows host where you created the nsr.dir file in the c:\directives folder, type the following command (the -f option takes the full path to the directive file):

save -f c:\directives\nsr.dir c:\data

Results

The backup operation encrypts the backup data based on the value specified in the Datazone pass phrase in the NSR resource, on the NetWorker server.

Recover encrypted data

You can recover AES encrypted data by using the NMC Recovery Wizard, the NetWorker User program, or the recover command.

Recovering AES encrypted data by using NetWorker User

You can use the NetWorker User program to recover AES encrypted data on a Windows host.

To decrypt backup data, the recovery operation must use the Datazone pass phrase value that was used to encrypt the backup data. By default, a recovery operation will use the current value of the Datazone pass phrase attribute to recover the data. If the current Datazone pass phrase value differs from the Datazone pass phrase value that was specified at the time of the backup, then the recovery operation fails.

To specify the Datazone pass phrase value that was used to encrypt the backup, perform the following steps.

Procedure

1. Start the NetWorker User program with the following command:

winworkr -ppass_phrase....

where pass_phrase is the pass phrase specified in the Datazone pass phrase attribute of the NSR resource on the NetWorker server at the time of the backup.

When you recover data that requires different pass phrases, use additional -ppass_phrase options to specify each required pass phrase.

2. Confirm that the recover operation successfully recovers the data.

When you specify an incorrect pass phrase:

- NetWorker creates 0kb files but does not recover the data into the files.

- The recover output reports a message similar to the following:

Invalid decryption key specified

Recovering AES encrypted data by using the NMC Recovery Wizard

You can use the NMC Recovery Wizard to recover AES encrypted data.

Before you begin

Use NMC to connect to the NetWorker server with a user that is a member of the Application Administrators or Database Administrators user group.

To decrypt backup data, the recovery operation must use the Datazone pass phrase value that was used to encrypt the backup data. By default, a recovery operation will use the current value of the Datazone pass phrase attribute to recover the data. If the current Datazone pass phrase value differs from the Datazone pass phrase value that was specified at the time of the backup, then the recovery operation fails.


To specify the Datazone pass phrase value that was used to encrypt the backup, perform the following additional steps on the Select the Recovery Options window:

Procedure

1. Select Advanced Options.

2. In the Pass phrases attribute, specify the pass phrase(s) used at the time of the backup.

Recovering AES encrypted data by using the recover command

Use the recover command to recover AES encrypted data from a command line.

Before you begin

Perform the following steps with the root account on UNIX or an administrator account on Windows.

To decrypt backup data, the recovery operation must use the Datazone pass phrase value that was used to encrypt the backup data. By default, a recovery operation will use the current value of the Datazone pass phrase attribute to recover the data. If the current Datazone pass phrase value differs from the Datazone pass phrase value that was specified at the time of the backup, then the recovery operation fails.

Procedure

1. To specify a pass phrase, use the -p option with the recover command. For example:

recover -a -ppass_phrase.... filesystem_object

where:

- pass_phrase is the pass phrase specified in the Datazone pass phrase attribute of the NSR resource on the NetWorker server at the time of the backup. When you recover data that requires different pass phrases, use additional -p pass_phrase options to specify each required pass phrase.

- filesystem_object is the full path to the data that you want to recover.

2. Confirm that the recover operation successfully recovers the data.

When you specify an incorrect pass phrase:

- NetWorker creates 0kb files but does not recover the data into the files.

- The recover output reports a message similar to the following:

Invalid decryption key specified

Federal Information Processing Standard Compliance

NetWorker utilizes encryption technologies from RSA BSAFE that are compliant with the Federal Information Processing Standard (FIPS 140-2). RSA BSAFE is deemed compliant under certificate 1092.

NetWorker 8.0 SP1 is the minimum NetWorker server version that contains the RSA BSAFE FIPS compliant encryption technologies. To use FIPS, the NetWorker 8.0 SP1 server requires NetWorker 7.6 SP4 and later clients. The following table displays the supported platforms that contain RSA BSAFE FIPS compliant encryption technologies.


Table 18 NetWorker supported platforms that contain RSA BSAFE FIPS compliant encryption technologies

Each entry lists the supported platform, then the supported server and storage node OS versions and service packs, then the supported client OS versions and service packs.

Windows x86
  Server and storage node: Windows Server 2008 (all editions) SP1, SP2, storage node only; Windows Server 2008 R2 (all editions), storage node only; Windows Server 2008 without Hyper-V [Standard, Enterprise, and Datacenter Edition], storage node only
  Client: Windows Server 2008 Core SP1, SP2; Windows Server 2008 (all editions) SP2; Windows Server 2008 R2 (all editions) SP1; Windows Server 2008 without Hyper-V [Standard, Enterprise and Datacenter Edition]; Windows 7 SP1; Windows VISTA [Business, Ultimate Edition] SP1, SP2

Windows x64
  Server and storage node: Windows Server 2008 (all editions) SP1, SP2; Windows Server 2008 R2 (all editions) SP1
  Client: Windows Server 2008 Core SP1, SP2; Windows Server 2008 (all editions) SP1, SP2; Windows Server 2008 R2 (all editions) SP1; Windows 7 SP1; Windows VISTA [Business, Ultimate edition] SP1, SP2

Linux x86
  Server and storage node: Red Hat Enterprise Linux AS, ES, WS 5, 6; SuSE Linux Enterprise Server (SLES) 10, 11; Oracle Linux 5; Novell Open Enterprise Server (OES) OES, OES SP2, OES 2, OES SP3; Redflag Asianux Server 3; CentOS Linux 5
  Client: Red Hat Enterprise Linux AS, ES, WS 5, 6; SuSE Linux Enterprise Server (SLES) 10, 11; Oracle Linux 5; Novell Open Enterprise Server (OES) OES, OES SP2, OES 2, OES SP3; Redflag Asianux Server 3; CentOS Linux 5

Linux x64
  Server and storage node: Red Hat Enterprise Linux AS, ES, WS 5, 6; SuSE Linux Enterprise Server (SLES) 10, 11; Oracle Linux OES, OES SP2, OES 2, OES SP3
  Client: Red Hat Enterprise Linux AS, ES, WS 5, 6; SuSE Linux Enterprise Server (SLES) 10, 11; Oracle Linux OES, OES SP2, OES 2, OES SP3

Linux Itanium
  Server and storage node: none listed
  Client: Red Hat Enterprise Linux AS, ES, WS 5; SuSE Linux Enterprise Server (SLES) 10, 11

Oracle Sparc (64-bit)
  Server and storage node: Oracle Solaris 10; Oracle Solaris Non-global zones 10
  Client: Oracle Solaris 10; Oracle Solaris Non-global zones 10

Oracle x64 (AMD64 and Intel EM64T)
  Server and storage node: Oracle Solaris 10
  Client: Oracle Solaris 10

HP Itanium
  Server and storage node: HP-UX 11i v2, storage node only; HP-UX 11i v3, server only
  Client: HP-UX 11i v2; HP-UX 11i v3

IBM PowerAIX (32-bit) and IBM PowerAIX (64-bit)
  Server and storage node: IBM AIX 6.1; IBM AIX 7.1
  Client: IBM AIX 6.1; IBM AIX 7.1

Data integrity

NetWorker enables you to verify the integrity of the backup data and the integrity of the NetWorker server databases.

Verifying the integrity of the backup data

Use the Auto media verify attribute for a pool resource or the Verify files option in the NetWorker User program to automatically verify the data that NetWorker writes to a volume.

Configuring auto media verify for a pool

Media pools provide you with the ability to direct backups to specific devices. When you label a volume, you specify the pool for the volume. To configure NetWorker to automatically verify that the data written to media is valid, enable the Auto media verify attribute for the Pool resource.

Before you begin

Use NMC to connect to the NetWorker server with a user that is a member of the Application Administrators or Database Administrators user group.

Procedure

1. On the Administration window, click Media.

2. In the left navigation pane, select Media Pools.

3. On the Media Pools window, right-click the pool and select Properties.

4. On the Configuration tab, select Auto media verify.

5. Click OK.


Configuring verify files in NetWorker User

Use the NetWorker Verify feature to ensure that backup data on the NetWorker server matches the data on the local disk.

Before you begin

Connect to the NetWorker host as an administrator.

The Verify files feature compares the file types, file modification times, file sizes, and file contents. The feature does not verify other system attributes, such as read-only, archive, hidden, system, compressed, and file access control list (ACL). The NetWorker server alerts you to any changes to your data since the backup. Verification also determines whether a hardware failure kept the NetWorker server from completing a successful backup. The Verify files feature provides a way to test the ability to recover data.

Note

The Verify files feature is not available for UNIX.

Procedure

1. In the NetWorker User program, select Verify Files from the Operation menu.

2. Select the data that you want to verify.

3. From the View menu, select Required volumes.

The Required Volumes window appears with the list of volumes that contain the data that you want to verify. Mount the volumes in devices.

4. Click Start.

Results

The Verify Files status window appears and provides the progress and results of the Data Verification process.

The following output provides an example where the Verify Files process verifies 3 files, and reports that one file, recover_resource.txt, has changed since the backup:

Verify Files
Requesting 4 file(s), this may take a while...
Verify start time: 28/10/2013 3:46:36 PM
Requesting 1 recover session(s) from server.
91651:winworkr: Successfully established AFTD DFA session for recovering save-set ID '4285011627'.
C:\data\mnd.raw
C:\data\pwd.txt
C:\data\lad.txt
32210:winworkr: DATA MISMATCH FOR C:\data\lad.txt.
C:\data\
Received 4 file(s) from NSR server `bu-iddnwserver'
Verify completion time: 28/10/2013 3:46:48 PM
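A Verify Files run that reports DATA MISMATCH is only useful if someone acts on it. The script below is an added example, not part of the EMC guide or the NetWorker product: it parses the status output shown above so the mismatch can be picked up by a job script or a monitoring check instead of being read off the window. The message format it matches is the one in the output above; the sample it embeds is constructed from that output, not captured from a live host.

```shell
#!/bin/sh
# Added example, not from the EMC guide: parse the Verify Files status output
# shown above so a script can act on a DATA MISMATCH instead of relying on
# someone reading the window. Lines of the form
#   NNNNN:winworkr: DATA MISMATCH FOR <path>.
# identify files whose type, modification time, size or contents no longer
# match the backup.

# Reads verify output on stdin, prints one mismatched path per line.
verify_mismatches() {
    sed -n 's/^[0-9]*:winworkr: DATA MISMATCH FOR \(.*\)\.$/\1/p'
}

# Reads verify output on stdin, prints "<requested> <received> <mismatches>".
verify_summary() {
    awk '
        /^Requesting [0-9]+ file\(s\)/ { req = $2 }
        /^Received [0-9]+ file\(s\)/   { rcv = $2 }
        /DATA MISMATCH FOR/            { mm++ }
        END { printf "%d %d %d\n", req, rcv, mm }'
}

# Exit status 0 only when every requested file was received and none mismatched.
verify_passed() {
    set -- $(verify_summary)
    [ "$1" = "$2" ] && [ "$3" = 0 ]
}

# Constructed sample modelled on the output above (not captured from a live host).
sample_verify_output() {
    cat <<'EOF'
Verify Files
Requesting 4 file(s), this may take a while...
Verify start time: 28/10/2013 3:46:36 PM
Requesting 1 recover session(s) from server.
91651:winworkr: Successfully established AFTD DFA session for recovering save-set ID '4285011627'.
C:\data\mnd.raw
C:\data\pwd.txt
C:\data\lad.txt
32210:winworkr: DATA MISMATCH FOR C:\data\lad.txt.
C:\data\
Received 4 file(s) from NSR server `bu-iddnwserver'
Verify completion time: 28/10/2013 3:46:48 PM
EOF
}
```

Feed a saved copy of the status output to `verify_passed` and use its exit status to fail the job; `verify_mismatches` gives the list of paths to investigate. A mismatch means the file on disk differs from what was backed up, which is expected for files that changed legitimately since the backup and worth a closer look for files that should not have.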


Verifying the integrity of the NetWorker server media data and client file indexes

NetWorker provides you with the ability to manually check the integrity and consistency of the media database and client file index by using the nsrim and nsrck commands.

Using nsrim to check media database consistency

Use the nsrim -X command to check the consistency of the data structures of the save set with the data structures of the volume.

Note

The nsrim -X process will also perform media database maintenance tasks.

NetWorker server media database and index data management on page 125 provides more information.

Using nsrck to check consistency of the client file index

NetWorker uses the nsrck program to check the consistency of the client file index save set records.

When the NetWorker server starts, the nsrindexd program starts the nsrck process to perform consistency checks. You can also manually start the nsrck program to check the consistency of the client file indexes.

For example:

nsrck -L x [-C client_name]

where:

- -C client_name is optional. When you use the -C option, nsrck performs consistency checks on the client file index for the specified client.

- x is the consistency check level. The following table provides more information.

Table 19 Levels available for the nsrck process

Level 1: Validates the online file index header, merging a journal of changes with the existing header. Moves all save set record files and the corresponding key files to the appropriate folder under the C:\Program Files\EMC NetWorker\nsr\index\client_name\db6 folder on Windows hosts or the /nsr/index/client_name/db6 directory on UNIX hosts.

Level 2: Performs a level 1 check and checks the online file index for new and cancelled saves. Adds new saves to the client file index, and removes cancelled saves.

Level 3: Performs a level 2 check and reconciles the client file index with the media database. Removes records that have no corresponding media save sets. Removes all empty subdirectories under the db6 directory.

Level 4: Performs a level 3 check and checks the validity of the internal key files for a client file index. Rebuilds any invalid key files.

Level 5: Performs a level 4 check and verifies the digest of individual save times against the key files.

Level 6: Performs a level 5 check and extracts each record from each save time, to verify that each record can be extracted from the database. Re-computes the digest of each save time and compares the results with the stored digest. Rebuilds internal key files.

The EMC NetWorker Command Reference Guide provides more information about how to use the nsrck command and the available options.

Data erasure

During a backup operation, NetWorker stores data in save sets on physical or virtual volumes. NetWorker stores information about the save sets in the media database and client file indexes.

Based on user-defined policies, NetWorker automatically performs media database and client file index management, which expires data on volumes and makes the data eligible for erasure. You can also manually erase data and remove data from the media database and client file indexes.

NetWorker server media database and index data management

The NetWorker server uses the nsrim program to manage and remove data from the media database and client file indexes.

Two NetWorker processes automatically start the nsrim process:

- The savegrp process, after a scheduled group backup completes.

- The nsrd process, when a user selects the Remove oldest cycle option in the NetWorker Administration window.

The nsrim process uses policies to determine how to manage information about save sets in the client file index and media database. When the savegrp process starts nsrim, NetWorker checks the timestamp of the nsrim.prv file. If the timestamp of the file is greater than or equal to 23 hours, then the nsrim process performs the following operations:

- Removes entries that have been in a client file index longer than the period specified by the browse policy from the client file index.

- Marks save sets that have existed longer than the period specified by the retention policy for a client as recyclable in the media index.

- Deletes the data associated with recyclable save sets from an advanced file type device and removes the save set entries from the media database.

- Marks a tape volume as recyclable when all of the save sets on the tape volume are marked recyclable. NetWorker can select and relabel recyclable volumes when a backup operation requires a writeable volume. When NetWorker relabels a recyclable tape volume, NetWorker erases the label header of the volume and you cannot recover the data.

NetWorker will relabel a volume at the time of a backup or clone when a set of defined selection criteria is met. In NetWorker 8.0 or later, you can use the Recycle start and Recycle interval attributes on the Miscellaneous tab of a Pool resource to schedule automatic volume relabeling for eligible volumes in a pool. The NetWorker Administration Guide provides more information.

Manually erasing data on tape and VTL volumes

To erase all data on a tape volume, relabel the volume.

Before you begin

Use NMC to connect to the NetWorker server with a user that is a member of the Operators user group.

Procedure

1. On the Administration window, click Devices.

2. In the left navigation pane, right-click the appropriate library and select Label.

The Details window and Label Library Media appear.

3. Optionally, in the Target Media Pool field, select a different pool.

4. Click OK.

The Library Operation window appears, which states that the library operation has started.

5. To track the status of the label operation, on the Operations tab, select Monitoring.

6. If prompted to overwrite the label, right-click the label operation in the Operations Status window to confirm intent to overwrite the existing volume label with a new label, then select Supply Input.

A question window appears displaying this message:

Label <labelname> is a valid NetWorker label. Overwrite it with a new label

7. Click Yes.

Manually erasing data from an AFTD

Relabel an AFTD volume to erase all of the data.

Before you begin

Use NMC to connect to the NetWorker server with a user that is a member of the Application Administrators or Database Administrators user group.

Procedure

1. On the Administration window, click Devices.

2. In the left navigation pane, select Devices.

3. In the Device window, right-click on the AFTD device and select Label.

4. Optionally, in the Target Media Pool field, select a different pool.

5. Click OK.

6. If prompted to overwrite the label, then right-click the label operation in the Operations Status window to confirm intent to overwrite the existing volume label with a new label, and then select Supply Input.

A question window appears displaying this message:

Label <labelname> is a valid NetWorker label. Overwrite it with a new label


7. Click Yes.

Security alert system settings

NetWorker provides you with the ability to send security notifications, log and track NetWorker server configuration changes to file, and provides a centralized logging mechanism to log security related events that occur in a NetWorker data zone.

Monitoring changes to NetWorker server resources

The Monitor RAP (resource allocation protocol) attribute in the NetWorker Server resource tracks both before and after information related to additions, deletions, or modifications to NetWorker server resources and their attributes. NetWorker records these changes in the NetWorker_install_dir\logs\rap.log file.

Before you begin

Use NMC to connect to the NetWorker server with a user that is a member of the Application Administrators or Database Administrators user group.

The rap.log file records the name of the user that made the change, the source computer, and the time the user made the change. NetWorker logs sufficient information in the rap.log file to enable an administrator to undo any changes.

Procedure

1. In the left navigation pane, right-click the NetWorker server and select Properties.

2. On the Administration window, select View > Diagnostic mode.

3. On the Setup tab, select Enabled or Disabled for the Monitor RAP attribute.

4. Click OK.

Security audit logging

NetWorker provides a centralized logging mechanism to log security related events that occur in a NetWorker data zone. This mechanism is called security audit logging.

The security audit log feature monitors and reports critical NetWorker events that relate to the integrity of the data zone or host. The security audit log feature does not monitor events that relate to the integrity of a backup.

When you install NetWorker in a data zone, each client is automatically configured to use security audit logging. Any audit logging configuration changes that you set on the NetWorker server are automatically communicated to all NetWorker 8.0 and later clients in the data zone. NetWorker automatically configures existing NetWorker clients to send security audit messages to the nsrlogd daemon when you:

- Update the NetWorker server software.

- Create new client resources.

Examples of security audit events that generate security audit messages include:

- Authentication attempts: Successful and unsuccessful attempts to log in to an NMC Server.

- Account management events: Password changes, privilege changes and when users are added to the list of remote administrators.

- Changes to program authorization: Deleting or adding peer certificates and redefining which binaries a user can execute remotely.


- Changes to the daemon.raw and audit log configurations.

- Events that can lead to the general compromise or failure of the system.

Security audit logging overview

NetWorker 8.0 and later enables security audit logging by default.

The NetWorker 8.0 and later server in each data zone contains a new resource, NSR auditlog. This resource configures security audit logging. The following actions occur when security audit logging is enabled in a data zone:

l NetWorker assigns a severity to each security audit messages.

l NetWorker server mirrors the NSR auditlog resource to NetWorker 8.0 and later clientsin the data zone. The NetWorker Client database stores the client side security auditlog resource. The auditlog resource provides each client with the hostname of themachine that hosts the nsrlogd daemon and the types of security audit messagesthat the client should send to the nsrlogd daemon. The auditlog severity setting in theNetWorker server auditlog resource determines how each client receives theconfiguration information:

n When the audit severity level is information, warning, or notice, the NetWorkerserver broadcasts the auditlog resource to each client when the nsrd daemonstarts.

n When the audit severity level is error, severe, or critical, the NetWorker server willnot broadcast the auditlog resource to each client when the nsrd daemon starts.Instead the NetWorker clients request auditlog resource configuration updatesfrom the last NetWorker server that backed up the client data. This passivemethod requires that the client has performed at least one backup to theNetWorker server before the client can receive updates to the auditlog resource.By default, the audit severity level is error.

l NetWorker records security audit messages in the security audit log when the message severity level is at least as severe as the level defined in the NSR security audit log resource.

l NetWorker clients process and send audit messages to the nsrlogd daemon.

l The nsrlogd daemon records the security audit messages to the security audit log file.

Security audit logging configurations

While any NetWorker 8.0 or later client in the data zone can be configured to run the nsrlogd daemon, there are certain performance and reliability advantages to using the NetWorker server for this task.

The following sections provide examples of security audit logging configurations and the advantages and disadvantages of each configuration.

Single data zone: The NetWorker server hosts the nsrlogd daemon

By default, the nsrlogd daemon runs on the NetWorker 8.0 or later server.

In this configuration, the nsrlogd daemon receives security audit messages from:

l The gstd and nsrexecd processes on the NMC server.

l The nsrexecd process on each NetWorker client in the data zone.

l The daemons that run on the NetWorker server.

Advantages:


l The NetWorker server daemons generate the majority of the security audit messages. In this configuration, the audit log messages are not sent over the network and will not increase network traffic.

l Security audit messages from each NetWorker client are sent to the NetWorker server. Additional network ports and routes to other networks are not required to send security audit messages.

The following figure provides an example of this configuration.

Figure 11 The audit log server manages a single data zone

Multiple data zones: The NMC server hosts the nsrlogd daemon

In this configuration, the nsrlogd daemon runs on the NMC server and the NMC server manages multiple NetWorker data zones. The NMC server must be configured as a client on each NetWorker server.

Advantages:

l Centralized logging of the security audit messages. The security audit log for each NetWorker server is stored on the NMC server.

Disadvantages:

l If the nsrlogd daemon is not accessible, either because the daemon fails or because of a message routing difficulty, security-related events are not recorded.

l The NetWorker server daemons generate the majority of the security audit messages. In this scenario, the security audit log messages are sent over the network and will increase network traffic.

l Each NetWorker host in each data zone must have a route to the NMC server.

The following figure provides an example of this configuration.


Figure 12 The NMC server is the audit log server for multiple data zones

Multiple data zones: Each NetWorker server hosts the nsrlogd daemon

In this configuration, each NetWorker server runs the nsrlogd daemon and records the messages for a single data zone.

Each NetWorker client in the data zone sends security audit messages to the NetWorker server.

The NMC server is a client of the NetWorker server in Datazone 1.

Advantages:

l The NetWorker server daemons generate the majority of the security audit messages. In this configuration, the audit log messages are not sent over the network and will not increase network traffic.

l Security audit messages from each NetWorker client are sent to the NetWorker server. Additional routes in other networks are not required to send security audit messages.

Disadvantages:

l You may not be able to access the security audit logs if the NetWorker server is compromised.

l You must manage multiple security audit logs.

The following figure provides an example of this configuration.


Figure 13 Each NetWorker server in a data zone is the audit log server

Security events

The security audit log feature detects and reports configuration changes that can result in inappropriate access or damage to a NetWorker host. NetWorker logs successful and unsuccessful attempts to create and delete security-related resources and modifications of security-related resource attributes in the audit log file.

Resource database

The following table summarizes which resources and attributes the security audit log monitors in the resource database (RAP).

Table 20 Security event resources and attributes

NSR Resource/NMC resource name: Attributes

NSR/NSR: Administrator, Authentication method, Datazone pass phrase

NSR Archive request/Archive request: Grooming

NSR auditlog/Security Audit log: Administrator, Auditlog filepath, Auditlog hostname, Auditlog maximum file size MB, Auditlog maximum file version, Auditlog rendered locale, Auditlog rendered service, Auditlog severity

NSR client/Client: Aliases, Archive users, Backup command, Executable path, Password, Remote access, Remote user, server network interface

NSR Device/Devices: Remote user, Password, Encryption

NSR Data Domain/Data Domain devices: Username, Password

NSR De-duplication Node/Avamar deduplication node: Remote user, Password

NSR Hypervisor/Hypervisor: Command, Password, Proxy, Username

NSR Lockbox/Lockbox: Client, Name, Users

Notifications: Action

NSR Operation Status: command

NSR Report Home: Command, Mail Program

NSR restricted data zone/Restricted Data Zone (RDZ): External roles, Privileges, Users

Storage Node: Password, Remote user

Usergroup: External Roles, Name, Privileges, Users, Resource identifier

NetWorker client database

The following table summarizes which resources and attributes the security audit log monitors in the NetWorker client database (nsrexec).

Resource: Attributes

NSR log: Administrator, Log path, Maximum size MB, Maximum versions, Name, Owner, Runtime rendered log, Runtime rollover by size, Runtime rollover by time

NSR peer information: Administrator, Certificate, Name, NW instance ID, Peer hostname

NSR remote agent: Backup type, Backup type icon, Features, Name, Product version, Remote agent executable, Remote agent protocol version

NSR system port ranges: Administrator, Connection ports, Service ports

NSRLA: Administrator, Auth methods, Certificate, Disable directed recover, Max auth attempts, Max auth thread count, My hostname, Name, NW instance ID, NW instance info operations, NW instance info file, private key, VSS writers

Security audit logging interoperability

The security audit log is a new feature in NetWorker 8.0 and later. NetWorker hosts that use a previous version of the NetWorker software do not support logging security events and cannot host the nsrlogd daemon.

The following table summarizes the interoperability matrix for security audit logging.

Table 21 Security audit log interoperability matrix

NetWorker server version: 8.0 and later; NetWorker client version: 8.0 and later

l Audit messages generated by the NetWorker server are logged to the nsrlogd daemon.

l Audit messages generated by the NetWorker client are logged to the nsrlogd daemon.

NetWorker server version: 8.0 and later; NetWorker client version: 7.6.x

l Audit messages generated from the NetWorker server are logged to the nsrlogd daemon.

l Audit messages are not generated by the NetWorker client.

l A NetWorker client cannot run the nsrlogd daemon.

NetWorker server version: 7.6.x; NetWorker client version: 8.0 and later

l Audit messages are not generated by the NetWorker server.

l Audit messages are generated by the client but, without a NetWorker 8.0 or later server, the client cannot be configured to run the nsrlogd daemon.


Audit message format

The security audit log file contains the timestamp, the category, the program name, and the unrendered message for each security audit message.

Use the nsr_render_log program to render the audit log file into a readable format. For example:

nsr_render_log -pathyem Security_Audit_Log_filename

03/03/12 14:28:39 0 nsrd Failed to modify Resource type: 'NSR usergroup', Resource name: 'Users' for Attribute: 'users' by user: 'administrator' on host: 'nwserver.emc.com'

l The TimeStamp is: 03/03/12 14:28:39.

l The Category is 0.

l The ProgramName is nsrd.

l The RenderedMessage is: Failed to modify Resource type: 'NSR usergroup', Resource name: 'Users' for Attribute: 'users' by user: 'administrator' on host: 'nwserver.emc.com'.

Security audit log messages

This section provides a list of common messages that appear in the security audit log file when you set the severity level to information.

nsrd Permission denied, user 'username' on host: 'hostname' does not have 'privilege1' or 'privilege2' privilege to delete this resource - resource_type

This message appears when a user attempts to delete a security-related resource but does not have the required privileges on the NetWorker server.

For example:

15/08/2014 8:56:31 AM 3 nsrd Permission denied, user 'debbie' on 'bu-iddnwserver.iddlab.local' does not have 'Delete Application Settings' or 'Configure NetWorker' privilege to delete this resource - NSR client.

nsrd Permission denied, user 'username' on 'hostname' does not have 'privilege1' or 'privilege2' privilege to create this resource - resource_type

This message appears when a user attempts to create a security-related resource but does not have the required privileges on the NetWorker server.

For example:

15/08/2014 9:11:43 AM 3 nsrd Permission denied, user 'debbie' on 'bu-iddnwserver.iddlab.local' does not have 'Create Application Settings' or 'Configure NetWorker' privilege to create this resource - NSR client.


nsrd Failed to create Resource type: 'resource_type', Resource name: 'resource_name' by user: 'username' on host: 'hostname'

This message appears when a user cannot create a security-related resource. For example, if a user attempts to create a new client resource but the client host name is not valid, a message similar to the following appears:

15/08/2014 8:49:57 AM 3 nsrd Failed to create Resource type: 'NSR client', Resource name: 'bu-exch1.lss.emc.com' by user: 'debbie' on host: 'bu-iddnwserver.iddlab.local'

nsrd Permission denied, user 'username' on host: 'hostname' does not have 'privilege1' or 'privilege2' privilege to configure this resource - resource_type

This message appears when a user attempts to modify a security-related attribute in a resource but does not have the required privileges.

For example:

15/08/2014 9:03:45 AM 3 nsrd Permission denied, user 'debbie' on 'bu-iddnwserver.iddlab.local' does not have 'Configure NetWorker' OR 'Change Application Settings' privilege to configure this resource - NSR client.

nsrd Successfully created Resource type: 'resource_type', Resource name: 'resource_name' by user: 'username' on host: 'hostname'

This message appears when a user successfully creates a new security-related resource.

For example:

15/08/2014 1:57:54 PM 3 nsrd Successfully created Resource type: 'NSR notification', Resource name: 'new-notification' by user: 'administrator' on host: 'bu-iddnwserver.iddlab.local'

gstd Console: User 'username' failed to login to Console server on host 'hostname'

This message appears when you specify an incorrect username or password on the NMC server login window.

For example:

14/08/2014 4:36:43 PM 0 gstd Console: User 'root' failed to login to Console server on host 'bu-iddnwserver.iddlab.local'

gstd Console: User 'username' successfully logged in to Console server on host 'hostname'

This message appears when you successfully log in to the NMC server.

For example:

14/08/2014 4:36:49 PM 0 gstd Console: User 'administrator' successfully logged in to Console server on host 'bu-iddnwserver.iddlab.local'

gstd Console: User 'username' logged out of Console server on host 'hostname'

This message appears when a user closes the Console window and the connection to the Console server.

For example:

14/08/2014 4:36:21 PM 0 gstd Console: User 'administrator' logged out of Console server on host 'bu-iddnwserver.iddlab.local'
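As an added example (not code from this guide or from EMC), the following Python parses rendered audit log lines in the four-field format described under Audit message format and tags the message shapes listed in this section, then runs two checks a defender would typically want over them: repeated failed NMC logins per user and host, and denied or failed configuration changes grouped by user. The sample lines are the examples quoted in this section plus two constructed extra failed-login lines for 'root'; the event names, the threshold and the helper function names are this example's own, not NetWorker's.

```python
import re
from collections import Counter, defaultdict

# One rendered security audit log line: timestamp, category, program name,
# rendered message. Both timestamp forms that appear in this guide are accepted
# ("03/03/12 14:28:39" and "15/08/2014 8:56:31 AM").
LINE_RE = re.compile(
    r"^(?P<timestamp>\d{1,2}/\d{1,2}/\d{2,4} \d{1,2}:\d{2}:\d{2}(?: [AP]M)?)\s+"
    r"(?P<category>\d+)\s+"
    r"(?P<program>\S+)\s+"
    r"(?P<message>.+)$"
)

# Message shapes documented in this section. Event names are this example's own.
# Each pattern captures the acting user and host (and resource/name where present).
EVENT_PATTERNS = [
    ("nmc_login_failed",
     re.compile(r"Console: User '(?P<user>[^']+)' failed to login to Console server on host '(?P<host>[^']+)'")),
    ("nmc_login_ok",
     re.compile(r"Console: User '(?P<user>[^']+)' successfully logged in to Console server on host '(?P<host>[^']+)'")),
    ("nmc_logout",
     re.compile(r"Console: User '(?P<user>[^']+)'\s?logged out of Console server on host '(?P<host>[^']+)'")),
    ("permission_denied",
     re.compile(r"Permission denied, user '(?P<user>[^']+)' on (?:host: )?'(?P<host>[^']+)' does not have .* - (?P<resource>.+?)\.?$")),
    ("resource_create_failed",
     re.compile(r"Failed to create Resource type: '(?P<resource>[^']+)', Resource name: '(?P<name>[^']+)' by user: '(?P<user>[^']+)' on host: '(?P<host>[^']+)'")),
    ("resource_modify_failed",
     re.compile(r"Failed to modify Resource type: '(?P<resource>[^']+)', Resource name: '(?P<name>[^']+)'.* by user: '(?P<user>[^']+)' on host: '(?P<host>[^']+)'")),
    ("resource_created",
     re.compile(r"Successfully created Resource type: '(?P<resource>[^']+)', Resource name: '(?P<name>[^']+)' by user: '(?P<user>[^']+)' on host: '(?P<host>[^']+)'")),
]


def parse_line(line):
    """Split one rendered audit line into its four fields and tag the event type.
    Returns None for lines that do not match the documented format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["category"] = int(rec["category"])
    rec["event"] = "other"
    for name, pat in EVENT_PATTERNS:
        em = pat.search(rec["message"])
        if em:
            rec["event"] = name
            rec.update({k: v for k, v in em.groupdict().items() if v is not None})
            break
    return rec


def parse_log(text):
    """Parse every line of a rendered audit log, skipping unrecognised lines."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def failed_login_report(records, threshold=3):
    """Count failed NMC logins per (user, host); return the pairs at or above threshold."""
    counts = Counter((r["user"], r["host"]) for r in records if r["event"] == "nmc_login_failed")
    return {key: n for key, n in counts.items() if n >= threshold}


def denied_by_user(records):
    """Group permission-denied and failed-change events by user so repeated
    attempts by an under-privileged account stand out."""
    out = defaultdict(list)
    for r in records:
        if r["event"] in ("permission_denied", "resource_create_failed", "resource_modify_failed"):
            out[r["user"]].append(r["event"])
    return dict(out)


# Sample input: the example lines quoted in this section plus two constructed
# extra failed-login lines for 'root' (constructed for this example only).
SAMPLE_LOG = """\
03/03/12 14:28:39 0 nsrd Failed to modify Resource type: 'NSR usergroup', Resource name: 'Users' for Attribute: 'users' by user: 'administrator' on host: 'nwserver.emc.com'
15/08/2014 8:56:31 AM 3 nsrd Permission denied, user 'debbie' on 'bu-iddnwserver.iddlab.local' does not have 'Delete Application Settings' or 'Configure NetWorker' privilege to delete this resource - NSR client.
15/08/2014 9:11:43 AM 3 nsrd Permission denied, user 'debbie' on 'bu-iddnwserver.iddlab.local' does not have 'Create Application Settings' or 'Configure NetWorker' privilege to create this resource - NSR client.
15/08/2014 8:49:57 AM 3 nsrd Failed to create Resource type: 'NSR client', Resource name: 'bu-exch1.lss.emc.com' by user: 'debbie' on host: 'bu-iddnwserver.iddlab.local'
15/08/2014 1:57:54 PM 3 nsrd Successfully created Resource type: 'NSR notification', Resource name: 'new-notification' by user: 'administrator' on host: 'bu-iddnwserver.iddlab.local'
14/08/2014 4:36:43 PM 0 gstd Console: User 'root' failed to login to Console server on host 'bu-iddnwserver.iddlab.local'
14/08/2014 4:36:45 PM 0 gstd Console: User 'root' failed to login to Console server on host 'bu-iddnwserver.iddlab.local'
14/08/2014 4:36:47 PM 0 gstd Console: User 'root' failed to login to Console server on host 'bu-iddnwserver.iddlab.local'
14/08/2014 4:36:49 PM 0 gstd Console: User 'administrator' successfully logged in to Console server on host 'bu-iddnwserver.iddlab.local'
14/08/2014 4:36:21 PM 0 gstd Console: User 'administrator' logged out of Console server on host 'bu-iddnwserver.iddlab.local'
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(r["timestamp"], r["program"], r["event"], r.get("user"))
    print("repeated failed logins:", failed_login_report(recs))
    print("denied/failed changes by user:", denied_by_user(recs))
```

Feed it the output of nsr_render_log rather than the raw file: the raw file holds unrendered messages, and the patterns above are written against the rendered text shown in this section.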


Modifying the security audit log resource

You can modify the security audit log resource on the audit log server. Changes that you make in the resource are automatically copied to each client in the data zone that supports audit logging.

Before you begin

Log in to the NMC server as a Console Security Administrator.

Procedure

1. Connect to the NetWorker server.

2. On the Configuration Window, select Security Audit log in the left pane.

3. Right click the Security Audit Log resource and select Properties.

4. Optionally, specify a hostname in the auditlog hostname attribute for the NetWorker client that will run the security audit log service, nsrlogd.

Ensure that you specify the hostname of a client that is defined on the NetWorker server and supports running the nsrlogd service. NetWorker 8.0 and higher clients support the nsrlogd service.

5. Optionally, specify a valid path on the audit log server in the auditlog filepath attribute.

This changes the location of the security audit log file. The default location is /nsr/logs on a UNIX Audit Log server and NetWorker_install_path\nsr\logs on a Windows Audit Log server.

6. Optionally, change the maximum size of the security audit log in the auditlog maximum file size (MB) attribute.

When the log file reaches the maximum size, NetWorker renames the security audit log file for archival purposes and creates a new security audit log file.

The default value for the auditlog maximum file size (MB) attribute is 2 MB.

7. Optionally, change the maximum number of audit log file versions that NetWorker maintains, in the auditlog maximum file version attribute.

When the log file version reaches the maximum number, NetWorker removes the oldest archived version of the security audit log file before creating the new log file.

The default value for the auditlog maximum file version attribute is 0, which means that NetWorker maintains all versions.

8. Optionally, change the audit message severity in the auditlog severity attribute to increase or decrease the volume of messages saved in the security audit log.

The following severity levels are available:

l Information

l Notice

l Warning

l Error - selected by default

l Severe

l Critical

Changes to the attribute apply to each client that generates security-related events. For example, if the security audit log severity attribute is Information, all clients will send messages with the Information severity level. The Information and Notice level audit messages are very common. If the security audit log records too much or too little detail, then adjust the severity level accordingly.

Note

This field also controls remote client security audit configuration. At the information, notice and warning levels, nsrd broadcasts the security configuration to all clients during startup. At other levels, supported clients request the security configuration from the NetWorker server as needed; the nsrd daemon does not broadcast the security configuration during startup.

9. Optionally, send security audit log messages to a third-party logging service by using the auditlog rendered service attribute. The following table describes the available options.

Table 22 Auditlog rendered service attributes

Option: Description

None

l The default value.

l Writes unrendered security audit log messages to the NetWorker_server_sec_audit.raw file only.

l Use the nsr_render_log program to render the log file into a readable format.

Local

l Writes rendered security audit log messages to the NetWorker_server_sec_audit.raw file.

l Writes unrendered security audit log messages to the NetWorker_server_sec_audit.raw file.

syslog

l Writes rendered security audit log messages to the UNIX syslog.

l Writes unrendered security audit log messages to the NetWorker_server_sec_audit.raw file.

eventlog

l Writes rendered security audit log messages to the Windows Event Log.

l Writes unrendered security audit log messages to the NetWorker_server_sec_audit.raw file.

10. Optionally, specify the locale for the rendered audit log file in the auditlog rendered locale attribute. If this attribute is empty, the default locale en_US is used. The Multi-locale data zone considerations section in the NetWorker Installation Guide describes how to install and configure the NetWorker software on a machine that uses a non-English locale.

The following figure provides an example of the Security Audit Log Properties resource.


Figure 14 Security Audit Log resource

11. Click OK.

12. Review the Monitoring > Log window to ensure that the configuration change completes successfully.

For example:

l If the host specified in the auditlog hostname attribute supports security audit logging and the nsrlogd daemon is successfully started, a message similar to the following appears:

The process nsrlogd was successfully configured on host 'security_audit_log_hostname' for server 'NetWorker_server'.

l If the host specified in the auditlog hostname attribute does not support security audit logging or the nsrlogd daemon does not start successfully, a message similar to the following appears:

The security audit log daemon nsrlogd is probably not running. 'Unable to connect to the nsrexecd process on host 'client_name'. '355:Program not registered'.'. Ensure that the host 'client_name' can be reached. If required, restart the host.

l If a service port is not available on the host specified in the auditlog hostname attribute, the nsrlogd daemon fails to start and a message similar to the following appears:

Process nsrlogd was spawned on 'security_audit_log_hostname', but nsrlogd could not open an RPC channel. 'Unable to connect to the nsrlogd process on host 'security_audit_log_hostname'. '352:Remote system error'


l If the path specified in the auditlog filepath attribute does not exist, a message similar to the following appears:

Unable to open the output file '/proc/NetWorker_server_sec_audit.raw' for the security audit log. No such file or directory

Note

Users that belong to the Security Administrators User Group, but not to the Application Administrators User Group, cannot see messages in the Logs window.
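As an added example, not EMC's code, the following Python encodes the rules the procedure above states for the auditlog resource (which client versions can host nsrlogd, the severity order and which levels are recorded, which levels nsrd broadcasts at startup, the rendered service options, and the documented defaults) so that a proposed change can be checked before it is applied in NMC. The attribute keys mirror the attribute names used in the procedure; the client inventory, the hostnames and the check_auditlog_resource function are this example's own assumptions.

```python
import os

# Severity levels in the order the procedure lists them, least to most severe.
SEVERITY_LEVELS = ["Information", "Notice", "Warning", "Error", "Severe", "Critical"]
# Levels at which nsrd broadcasts the auditlog resource to every client at startup;
# at the other levels clients pull it from the last server that backed them up.
BROADCAST_LEVELS = {"Information", "Notice", "Warning"}
RENDERED_SERVICES = {"None", "Local", "syslog", "eventlog"}

# Defaults named in the procedure; keys mirror the resource attribute names.
DEFAULTS = {
    "auditlog hostname": "",             # empty: nsrlogd stays on the NetWorker server
    "auditlog filepath": "/nsr/logs",    # UNIX default; Windows uses NetWorker_install_path\nsr\logs
    "auditlog maximum file size MB": 2,
    "auditlog maximum file version": 0,  # 0: keep every archived version
    "auditlog severity": "Error",
    "auditlog rendered service": "None",
    "auditlog rendered locale": "en_US",
}


def supports_nsrlogd(version):
    """NetWorker 8.0 and later clients can run nsrlogd; earlier releases cannot."""
    parts = version.split(".")
    major = int(parts[0])
    minor = int(parts[1]) if len(parts) > 1 else 0
    return (major, minor) >= (8, 0)


def records_message(message_level, configured_level):
    """A message is written only if it is at least as severe as the configured level."""
    return SEVERITY_LEVELS.index(message_level) >= SEVERITY_LEVELS.index(configured_level)


def distribution_mode(configured_level):
    """How clients receive the auditlog resource at the given severity setting."""
    return "broadcast" if configured_level in BROADCAST_LEVELS else "client pull"


def check_auditlog_resource(cfg, clients, path_exists=os.path.isdir):
    """Validate a proposed auditlog resource against the rules in the procedure.
    cfg: attribute name -> value (missing keys take the documented defaults).
    clients: hostname -> NetWorker version of each client defined on the server
             (a constructed inventory; in practice this comes from the server's RAP).
    path_exists: callable used to check the filepath on the audit log server,
             injectable so the check can run against a known filesystem layout.
    Returns a list of problem strings; an empty list means the change should apply cleanly."""
    merged = {**DEFAULTS, **cfg}
    problems = []

    host = merged["auditlog hostname"]
    if host:
        if host not in clients:
            problems.append(f"auditlog hostname '{host}' is not a client defined on the NetWorker server")
        elif not supports_nsrlogd(clients[host]):
            problems.append(f"client '{host}' runs NetWorker {clients[host]}, which cannot host nsrlogd")

    if not path_exists(merged["auditlog filepath"]):
        problems.append(f"auditlog filepath '{merged['auditlog filepath']}' does not exist on the audit log server")

    size = merged["auditlog maximum file size MB"]
    if not isinstance(size, int) or size <= 0:
        problems.append("auditlog maximum file size MB must be a positive integer")

    versions = merged["auditlog maximum file version"]
    if not isinstance(versions, int) or versions < 0:
        problems.append("auditlog maximum file version must be 0 (keep all) or a positive integer")

    if merged["auditlog severity"] not in SEVERITY_LEVELS:
        problems.append(f"auditlog severity '{merged['auditlog severity']}' is not one of {SEVERITY_LEVELS}")

    if merged["auditlog rendered service"] not in RENDERED_SERVICES:
        problems.append(f"auditlog rendered service '{merged['auditlog rendered service']}' is not one of {sorted(RENDERED_SERVICES)}")

    return problems


if __name__ == "__main__":
    # Constructed client inventory for this example.
    clients = {"nwserver.example": "8.2.1", "oldclient.example": "7.6.5", "nmc.example": "8.2.1"}
    proposed = {"auditlog hostname": "oldclient.example", "auditlog severity": "Error",
                "auditlog rendered service": "syslog"}
    for p in check_auditlog_resource(proposed, clients):
        print("problem:", p)
    print("at Error, clients receive the resource by:", distribution_mode("Error"))
    print("Notice recorded at Error?", records_message("Notice", "Error"))
```

Run against an Error-level resource, the checker points out that a 7.6.x client named in auditlog hostname cannot host nsrlogd, which is exactly the case that produces the "nsrlogd is probably not running" message in step 12.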


INDEX

A

AD users
  Adding 36
  Deleting 38
  Modifying 38
AD, Post configuration 26
Administrator list, modifying 39
AES encryption
  Configuring client resource 117
  Defining pass phrase 117
  Recovering data 119
  Recovering with NetWorker User 119
  Recovering with the NMC Recovery wizard 119
  Recovering with the recover command 120
  Using with NetWorker User 118
  Using with the save command 118
audience 9
Audit log server
  Message format 135
  single data zone 128
  Multiple data zones 129, 130
Audit log server, modifying 137
Authentication configuration issues, troubleshooting 31
Authentication methods
  Modifying 53
  Modifying with NMC 53
  Modifying with nsradmin 54
Auto media verify attribute 122

B

BSAFE 120

C

Centralized security logging 127
Certificate key
  Creating 67
Client initiated backups, restricting 69
comments 9
Component authentication 51
Component authorization 67
conventions for publication 9

D

daemon.raw, size management 81
Data integrity, Verifying 122
dbgcommand 86
Debug levels
  Setting 83
Debug mode
  dbgcommand 86
  nsrtask 89
  Recoveries 88
  Recovery wizard 88
  save command 88
  Scheduled backups 87
  Starting NetWorker daemons on UNIX 83
  Starting NetWorker daemons on Windows 83
  Starting NMC server 84
Debug mode, Using savegrp 88

E

Encrypting data 116
Environment variables, NMC server debug mode 85

F

FIPS (Federal Information Processing Standard Compliance) 120

G

gstd.raw, size management 81

L

LDAP users
  Adding 36
  Deleting 38
  Modifying 38
LDAP, Post configuration 26
Lockbox resource, modifying 116
Log files
  Configuring logging levels 83
  Locations of 72
  rap.log 82
  Rendering at runtime 78
  Rendering manually 76
  Viewing 76
Login errors, troubleshooting 35

M

Manual save operations, restricting 69
Manually erasing data
  AFTD 126
  Tape and VTL 126
Monitor RAP 127

N

NetWorker Server, authorization 39
networkr.raw, size management 81
NMC server service ports, Confirming 107
NMC users
  Adding 18, 19
  Deleting 19
NSR Peer Information resource
  Deleting 61, 63
  Maintaining 59
  Manually creating 59
  Resolving conflicts 63
NSR Peer Information resource, importing 65
nsraddadmin 17
nsrexec database, configuring access 52
nsrim 125
NSRLA database
  Creating certificate and private key 57
  Exporting local host credentials 55
NSRLA resource
  Importing local host credentials 57
  Maintaining 55
nwcpd.raw, size management 79
nwsnap.raw, size management 79

P

preface 9

R

Rejecting new save sessions 69
Rejecting recover and clone sessions 70
related documentation 9
Resetting NMC administrator password
  UNIX 20
  Windows 20
RSA BSAFE 120
RSA BSAFE SSL 51

S

Security audit logging
  Overview 128
  Configurations 128
  Interoperability 134
servers file, configuring 68
servers file, introduction to 67
Service port requirements
  Determining 97
Service port requirements, NetWorker server 99
Service port requirements, NMC server 100
Service port requirements, Snapshot client 98
Service port requirements, Standard client 97
Service port requirements, Storage node 98
Service ports
  Configuring range in NetWorker 101
Service ports, configuring 101
Service ports, Configuring on firewall 104
support information 9

T

TCP keep alives 94
TCP keep alives, Configuring 95
Troubleshooting
  Authorization errors 50
Troubleshooting, Firewall configuration 112
Troubleshooting, login errors 35

U

User group, external roles attribute 48
User Group, users attribute 49
User groups
  Modifying membership 48
User Groups
  Copying 47
  Creating 47
  Deleting 48
  management of 46
  modifying privileges 47
  Preconfigured 45
  privileges 41
User, authorization 38

V

Verify files feature 123