
NetBackup Media Server

Encryption Option

Administrator's Guide
UNIX and Windows
Release 6.1
Copyright 2006-2008 Symantec Corporation. All rights reserved.
NetBackup Media Server Encryption Option 6.1
Symantec, the Symantec logo, Veritas, and Media Server Encryption Option are
trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S.
and other countries. Other names may be trademarks of their respective owners.
Vormetric, CoreGuard, MetaClear are trademarks or registered trademarks of Vormetric,
Inc. in the U.S.A. and certain other countries. Other names and products are trademarks
or registered trademarks of their respective holders.
The product described in this document is distributed under licenses restricting its use,
copying, distribution, and decompilation/reverse engineering. No part of this document
may be reproduced in any form by any means without prior written authorization of
Symantec Corporation and its licensors, if any.
THIS DOCUMENTATION IS PROVIDED AS IS AND ALL EXPRESS OR IMPLIED
CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED
WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR
NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH
DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL
NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION
WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE
INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE
WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer
software and commercial computer software documentation as defined in FAR
Sections 12.212 and DFARS Section 227.7202.
Symantec Corporation
20330 Stevens Creek Blvd.
Cupertino, CA 95014
www.symantec.com
Vormetric, Inc.
3131 Jay St.
Santa Clara, CA 95054-3308
www.vormetric.com
Printed in the United States of America.
50-1000005-01R17
Third-party legal notices
Third-party software may be recommended, distributed, embedded, or bundled
with this Symantec product. Such third-party software is licensed separately by
its copyright holder. All third-party copyrights associated with this product are
listed in the accompanying release notes.
Licensing and registration
NetBackup Media Server Encryption Option is a licensed product. See the
installation chapter of this guide for licensing instructions.
Technical support
For technical assistance, visit
http://www.symantec.com/enterprise/support/index.jsp and select phone or
email support. Use the Knowledge Base search feature to access resources such
as TechNotes, product alerts, software downloads, hardware compatibility lists,
and our customer email notification service.
Powered by Vormetric
Contents
Chapter 1 Introduction
Easy to Use .............................................................................................................. 9
How it works ......................................................................................................... 10
Leaves NetBackup backup headers intact ........................................................ 14
Leverages existing NetBackup configuration .................................................. 15
Performance ......................................................................................................... 16
NetBackup Vault support ................................................................................... 16
Chapter 2 Installing NetBackup Media Server Encryption Option
Requirements ....................................................................................................... 19
UNIX installation file structure ................................................................. 22
Windows installation file structure .......................................................... 24
Installing MSEO Security Server on UNIX systems ....................................... 26
Installing MSEO Security Server on a Solaris media server ................. 27
Installing MSEO Security Server on a Linux media server ................... 32
Installing a secondary Security Server on UNIX systems ............................. 37
Installing MSEO Agent on UNIX systems ........................................................ 40
Installing MSEO Agent on a Solaris system ............................................ 41
Installing MSEO Agent on a Linux system ............................................... 45
Installing MSEO Security Server on Windows ................................................ 51
Installing a secondary Security Server on Windows ...................................... 58
Installing MSEO Agent on Windows ................................................................. 62
Upgrading MSEO ................................................................................................. 62
Upgrading MSEO Security Server on a UNIX host ................................. 62
Upgrading MSEO Security Server and Agent on a Windows host ....... 65
Removing Media Server Encryption Option .................................................... 67
Removing Media Server Encryption Option agent software ................ 67
Removing Media Server Encryption Option Security Server software 71
Chapter 3 Configuring MSEO Security Servers
Starting the MSEO Security Server Console .................................................... 76
Displaying the Server Console version ............................................................. 80
Refreshing the MSEO Server Console ............................................................... 80
Creating and managing encryption keys ......................................................... 80
The encryption/decryption process .......................................................... 81
Creating and managing AES keys ............................................................. 84
Creating and managing RSA keys ............................................................. 84
Creating and managing encryption key groups .............................................. 86
Creating key groups .................................................................................... 86
Editing key groups ....................................................................................... 86
Copying key groups ..................................................................................... 87
Deleting key groups ..................................................................................... 87
Creating and managing hosts ............................................................................ 88
Adding hosts ................................................................................................. 88
Renaming a host .......................................................................................... 88
Changing the host policy ............................................................................ 89
Copying hosts ............................................................................................... 89
Deleting hosts ............................................................................................... 90
Configuring MSEO policies ................................................................................ 90
Configuring general policy rules ............................................................... 90
Configuring match policy rules ................................................................. 93
Copying policies ........................................................................................... 95
Enabling audit logging ........................................................................................ 95
Sharing encryption keys between Security Servers ...................................... 96
Exporting encryption keys ......................................................................... 97
Importing encryption keys ......................................................................... 98
Starting, stopping, and restarting the MSEO Security Server ..................... 99
Displaying server and signer certificates ........................................................ 99
Configuring the Security Server database directory location .................... 100
Configuring the directory information displayed in the MSEO Server Console .... 102
Chapter 4 Configuring MSEO Drivers and Server Connections
Starting the MSEO Agent Console .................................................................. 107
MSEO Agent integrity checks .......................................................................... 110
Displaying the agent version and release ...................................................... 111
Configuring backup devices ............................................................................. 113
Displaying agent certificates ................................................................... 117
Starting, stopping, and restarting the MSEO Agent ............................ 117
Configuring server connections for the agent .............................................. 117
Configuring the servers for an agent ...................................................... 118
Changing server precedence .................................................................... 120
Testing the agent-to-server connection ................................................. 120
Increasing the agent access time-out interval ...................................... 121
Encrypting NetBackup backup headers ......................................................... 122
Chapter 5 Configuring NetBackup Media Server Encryption Option
Policies
What is in a policy .............................................................................................123
Parts of a policy ..........................................................................................124
A look at the default MSEO policies ................................................127
Built-in variables ................................................................................128
Configuring NetBackup to use MSEO policy protection ..............130
Configuring matching attributes .....................................................134
Building compound policies .............................................................135
Additional policies .............................................................................136
Configuring Vault duplication ........................................................138
Enabling audits ...................................................................................................139
Chapter 6 Maintaining and monitoring NetBackup Media Server
Encryption Option
Synchronizing MSEO installations .................................................................141
Logging ................................................................................................................142
Windows logging ........................................................................................145
UNIX logging (syslog file) .........................................................................146
UNIX logging (messages file) ...................................................................148
Making Backups .................................................................................................148
Automatic MSEO Agent Monitoring ...............................................................149
Manually renewing SSL certificates ..............................................................151
SSL error codes ..........................................................................................155
Adding SSL authentication ..............................................................................156
Chapter 7 Troubleshooting
Managing tape blocks .......................................................................................159
On UNIX systems ...............................................................................159
On Windows systems .........................................................................161
Adjusting agent-to-server timeout .................................................................162
Appendix A Using command line configuration
Command line interface reference ..................................................................166
cgadmin .......................................................................................................166
cgadmin add ........................................................................................166
cgadmin delete ....................................................................................171
cgadmin edit .......................................................................................172
cgadmin export ...................................................................................177
cgadmin generate ...............................................................................179
cgadmin help .......................................................................................182
cgadmin import .................................................................................. 183
cgadmin remove ................................................................................. 184
cgadmin show ..................................................................................... 185
cgadmin version ................................................................................. 187
cgadmin view ...................................................................................... 188
Sample MSEO administration flow ................................................. 191
cgconfig ....................................................................................................... 192
cgconfig device ................................................................................... 195
cgconfig help ...................................................................................... 198
cgconfig list ......................................................................................... 199
cgconfig server ................................................................................... 200
cgconfig release .................................................................................. 202
cgconfig version ................................................................................. 202
cgconfdevice ............................................................................................... 203
cgconnectserver ......................................................................................... 204
cginit ............................................................................................................ 207
sbadmin ....................................................................................................... 207
sbadmin generate .............................................................................. 208
sbadmin remove ................................................................................. 209
sbadmin version ................................................................................. 210
sbadmin view ...................................................................................... 210
sbinit ............................................................................................................ 214
sbnbucd ....................................................................................................... 214
sbnbusd ....................................................................................................... 215
Configuring MSEO virtual tape devices ......................................................... 215
Registering MSEO Agent hosts with the Security Server ................... 219
Chapter 1 Introduction
The NetBackup Media Server Encryption Option (MSEO) provides tape device
drivers that sit between NetBackup and the physical tape devices on each
media server. These drivers are installed on each media server in the NetBackup
configuration. When NetBackup sends a read or write request to the storage
medium, the request is intercepted by the MSEO virtual tape device and
evaluated by a MSEO Security Server. If the request passes evaluation, the
request and protected data are passed to the real tape device.
Easy to Use
The Media Server Encryption Option provides two graphical interfaces to
configure MSEO Security Servers and their agents. One runs on the MSEO
Security Server, and the other runs on each MSEO Agent. These interfaces are a
convenient way to:
monitor and administer backup devices
compose and apply policies
create and apply encryption keys
configure backup devices to apply MSEO protection
configure and prioritize the Security Servers used by each agent
The MSEO interfaces are integrated with the NetBackup application. The same
device information, such as device name and target, is displayed in both the
MSEO and NetBackup interfaces; making it easy to locate and monitor
MSEO-enabled devices in the NetBackup Administration Console.
Additional NetBackup Administration Console parameters are passed to, and
used by, the Security Server to evaluate policies and provide seamless backup
protection. Job-specific parameters, such as pool number or keyword phrase,
can be configured in the MSEO Security Server interface to provide tighter
control over policy resolution. Using the MSEO Security Server Console is
described in Configuring MSEO Security Servers on page 75. Using the MSEO
Agent Console is described in Configuring MSEO Drivers and Server Connections
on page 107.
The CLI can be used to perform the same tasks as the MSEO graphical interfaces,
as well as additional tasks which are beyond the scope of the interfaces. For
more information about command-line utilities, see Command line interface
reference on page 166.
How it works
During a write operation, the MSEO drivers do the following:
Intercept NetBackup write requests from media servers
Send the requests to a MSEO Security Server for evaluation
If approved, apply encryption and compression algorithms to the data
Pass the data to the tape device, which writes the data to tape
The inverse is true for restoring protected data from a storage medium. The
MSEO drivers do the following:
Intercept NetBackup read requests from media servers
Send the request and NetBackup metadata to a MSEO Security Server for
evaluation
If approved, use Security Server-supplied keys to decrypt MSEO metadata
Decrypt the tape data
After configuration, MSEO operates transparently.
Figure 1-1 Backup environment with MSEO
(Figure: NetBackup on a media server writes to /dev/tape; the MSEO virtual tape driver (VTD) sits in that path in front of direct attached storage (DAS), a tape library, or a virtual tape library. Panels: Individual backup; Enterprise Backup Solution.)
The MSEO driver, VTD, is one of three components that can be installed on
media servers in a NetBackup configuration. The three components of MSEO
are:
MSEO Security Server (MSEOSS)
MSEO Agent
MSEO driver
NetBackup remains unaware of the changes. It keeps the same tape device
information, but, when it attempts to read or write a backup image, the read or
write request is intercepted by the MSEO driver. The MSEO driver passes the
read or write request, along with pertinent information, to the MSEO Agent.
Over a link authenticated with signed certificates, the MSEO Agent passes that
information to the MSEO Security Server. If the MSEO Security Server grants
access, it passes the information needed to access and decrypt tape data back to
the MSEO Agent. The MSEO Agent retrieves the remaining information it needs
locally, then passes that on to the physical tape device.
Figure 1-2 The MSEO Agent in a standalone MSEO configuration
(Figure: on one media server, a NetBackup request reaches the virtual tape driver, which consults the MSEO Agent; the agent consults the MSEO Security Server on the same host, and the request then continues through the physical tape driver to the tape device.)
The MSEO Security Server can reside on the local media server with the MSEO
Agent and driver in a standalone configuration, or on a remote host by itself.
This gives you the option to configure the MSEO Security Server individually
on each media server or to administer all the media servers from one central
location. The optimum configuration comprises one Security Server on the
NetBackup master server and a MSEO Agent on each media server in the
NetBackup configuration. Figure 1-2 depicts a MSEO Security Server in a local
configuration. Figure 1-3 depicts both standalone and distributed Security
Server configurations in one enterprise backup solution.
Figure 1-3 Encryption key storage and distribution
(Figure: an enterprise backup solution in which the NetBackup master server also hosts a Security Server (SS) with its data store (DS) and serves several media servers that run only an MSEO Agent (Agt) and tape driver (TD), alongside standalone media servers that each run their own Security Server, data store, agent, and tape driver.)
You can configure multiple media servers as standalone MSEO installations or
select one as the MSEO Security Server and all the others as MSEO Agents. The
single MSEO Security Server approach is easier to maintain and, because the
keys and policies are centrally located, ensures the media servers have the keys
they need to archive or restore data. Backup images can be shared and decrypted
by other MSEO-enabled media servers if the key pairs and key groups originally
used to encrypt the tape are accessible. In a standalone configuration, the keys
from the media server used to make a tape have to be copied to the media server
trying to read the tape.
The Security Server is typically deployed on a centrally accessible NetBackup
server. In this configuration, each MSEO Agent obtains its configuration from
the centrally managed Security Server. The MSEO Agent is configured with an
ordered list of Security Servers. It uses the list to contact each Security Server in
sequence to obtain the permission and data necessary to perform a decrypt or
encrypt operation on a tape. When one Security Server is not available, the
MSEO Agent contacts the next one in the list to get the necessary permission to
perform the operation requested by the MSEO tape driver. Since the MSEO
Agent contacts the Security Server for each tape operation, the Security Server
administrator can revoke access to a tape immediately and at any time.
To prevent possible spoofing, software tools are provided to configure a secure
communication link between the MSEO Agent hosts and the Security Server via
an SSL tunnel. The MSEO Agent host authenticates itself to the Security Server
using an X.509 Web certificate. Web certificates are generated on the Security
Server and MSEO Agent host using a program provided with the MSEO
installation.
Leaves NetBackup backup headers intact
Metadata is administrative information that is added to a tape other than the
actual data being backed up. NetBackup needs this information to manage a tape
resource, such as when and how the resource was created, type of storage media,
and other technical information. This information is placed in the tape header.
MSEO keeps the NetBackup backup header in the clear. This allows NetBackup
to access the backup header of MSEO-encrypted backups. That is, there can be a
mix of NetBackup-only and MSEO-protected backups on one tape, and
NetBackup can access the backup headers of each backup.
Figure 1-4 NetBackup tape blocking with and without MSEO encryption
(Figure: the Volume Header and NBU metadata are in the clear on both tapes; without MSEO, Data Block 1 through Data Block n follow in the clear; with MSEO, each block consists of MSEO metadata followed by an encrypted Data Payload 1 through Data Payload n.)
Each data block is encrypted, and each tape block comprises MSEO metadata
and the backup payload. The MSEO Security Server must grant permission and
supply the appropriate private key before the tape blocks can be decrypted.
The private key decrypts the MSEO metadata of each block, and the encryption
key recovered from that metadata is then used to decrypt the payload.
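The Go program below is an added illustration of the envelope scheme just described; it is not MSEO code and does not reproduce the real on-tape format. It keeps a header in the clear and, for each block, wraps a fresh AES-256 block key under an RSA public key (standing in for the key group's public key) and encrypts the payload with AES-GCM, so a restore needs the RSA private key to unwrap the block key and the block key to decrypt the payload. The header string, the field layout, and the key sizes are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Block is one protected tape block: the "MSEO metadata" (a per-block AES-256
// key wrapped under the key group's RSA public key, plus the GCM nonce) and
// the encrypted payload. The field layout is an assumption for this example.
type Block struct {
	WrappedKey []byte // opens only with the matching RSA private key
	Nonce      []byte
	Payload    []byte // AES-GCM ciphertext plus authentication tag
}

// Tape mirrors Figure 1-4: the header (volume header and NetBackup metadata)
// stays in the clear so NetBackup can read it; only the blocks are protected.
type Tape struct {
	Header string
	Blocks []Block
}

func newGCM(key []byte) (cipher.AEAD, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(c)
}

// EncryptBlock uses a fresh key per block. The clear header is bound as
// associated data, so a block copied onto a tape with a different header
// will not decrypt even with the right private key.
func EncryptBlock(pub *rsa.PublicKey, header string, plaintext []byte) (Block, error) {
	buf := make([]byte, 32+12) // AES-256 key followed by a 96-bit nonce
	if _, err := rand.Read(buf); err != nil {
		return Block{}, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return Block{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return Block{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(header))
	return Block{WrappedKey: wrapped, Nonce: nonce, Payload: ct}, nil
}

// DecryptBlock is the restore path: the private key the Security Server
// supplies unwraps the block key, and that key decrypts the payload.
func DecryptBlock(priv *rsa.PrivateKey, header string, b Block) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, b.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap block key: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.Payload, []byte(header))
}

// Protect builds a whole image: clear header plus one encrypted block per payload.
func Protect(pub *rsa.PublicKey, header string, payloads [][]byte) (Tape, error) {
	t := Tape{Header: header}
	for _, p := range payloads {
		b, err := EncryptBlock(pub, header, p)
		if err != nil {
			return Tape{}, err
		}
		t.Blocks = append(t.Blocks, b)
	}
	return t, nil
}

// Restore decrypts every block; a single bad block fails the whole restore.
func Restore(priv *rsa.PrivateKey, t Tape) ([][]byte, error) {
	var out [][]byte
	for i, b := range t.Blocks {
		p, err := DecryptBlock(priv, t.Header, b)
		if err != nil {
			return nil, fmt.Errorf("block %d: %w", i, err)
		}
		out = append(out, p)
	}
	return out, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	hdr := "VOLHDR:NBU:backup-id=media1_1199145600:pool=offsite" // constructed clear header
	t, _ := Protect(&priv.PublicKey, hdr, [][]byte{[]byte("payload one"), []byte("payload two")})
	out, err := Restore(priv, t)
	fmt.Println(t.Header, len(out), err)
}
```

Binding the clear header as associated data is an addition the guide does not describe. It is there to make the cost of clear metadata concrete: anyone can read the header, but a block cannot be spliced onto another tape or modified in place without the decrypt failing.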
Leverages existing NetBackup configuration
The MSEO Security Server has no knowledge of the NetBackup master server,
and vice versa. The two do not communicate with each other; rather, when
NetBackup thinks it is reading or writing to a regular tape device, the
request is intercepted by the MSEO driver. MSEO piggybacks on an existing
NetBackup installation and leverages the existing NetBackup configuration.
MSEO is placed between NetBackup and the actual device drivers on each media
server. MSEO supports whatever is already supported by NetBackup. The
highlights of MSEO are as follows:
MSEO leverages device configurations to minimize customization
Blind-device configuration -- uses NetBackup configured drivers,
intercepting only the commands/parameters that MSEO requires
NetBackup does all the work
Performance
Performance is a major consideration for large-scale data processing operations.
Data needs to be processed quickly without slowing tape devices and it must do
so with minimal impact on media server system resources.
Streaming data with encryption, no matter how efficient, cannot be as fast as
streaming data without encryption. Some overhead has to be anticipated
because of the extra processing involved.
NetBackup Vault support
NetBackup Vault duplicates the backup image so that there is a local copy and
a copy destined for off-site storage. The local copy can be written without
encryption to permit continued use and access. The off-site copy is encrypted to
ensure protection before it is moved to the off-site location.
If you intend to use Vault duplication, configure the MSEO policy to indicate a
vault operation. For details, see Configuring Vault duplication on page 138.
Chapter 2 Installing NetBackup Media Server Encryption Option
The NetBackup Media Server Encryption Option (MSEO) components you can
install on a media server are:
Just the MSEO Security Server
Just the MSEO Agent, including device drivers
Both the Security Server and MSEO Agent
Choose the MSEO installation scheme that best suits your archival environment.
You can install everything on one media server in a standalone configuration,
and you can do this across multiple media servers. The downside is that the
Security Servers are isolated and it takes more effort to maintain consistency
across all of them. You can install additional Security Servers to act as backup
servers in the event the first Security Server fails. Install MSEO Agent software
on every media server in the NetBackup configuration that you want protected.
Figure 2-5 on page 18 shows a heterogeneous MSEO Security Server
configuration with the NetBackup master server and MSEO Security Server
configured on one host. The NetBackup master server administers all the media
servers in the enterprise backup solution. The Security Server administers the
top three media servers in the NetBackup configuration. The remaining two
media servers are independently configured with local MSEO Agents and
Security Servers.
See Figure 1-2 on page 12 for a diagram showing interaction between the MSEO
Security Server and the media server.
Figure 2-5 Heterogeneous MSEO Security Server configuration
(Figure: the NetBackup master server, which also hosts a MSEO Security Server, administers five media servers; the top three run only a MSEO Agent, and the bottom two each run their own MSEO Security Server and MSEO Agent.)
The Security Server is installed with a set of default configuration data to
facilitate tape encryption. It includes:
A default policy for general tape read and write requests that compresses
and encrypts backup data when the NetBackup job includes specific
parameters. The data is backed up without compression and encryption if
the parameters are not included. The default policy is described in A look at
the default MSEO policies on page 127. Configuring policies in general is
described in Configuring NetBackup Media Server Encryption Option
Policies on page 123.
A sample policy for Vault operations. This policy uses the NetBackup pool
and copy information to determine the backups to encrypt and the backups
to make as clear text. The vault policy is described in Configuring Vault
duplication on page 138.
A public and private RSA key-pair to encrypt and decrypt MSEO metadata.
Keys are described in Creating and managing encryption keys on page 80.
A keygroup to consolidate the public keys used to encrypt and decrypt MSEO
metadata. Keygroups are described in Creating and managing encryption
key groups on page 86.
A Security Server graphic interface to conveniently manage hosts, host
groups, keys, and key groups. The Security Server interface also displays
server certificates. See Configuring MSEO Security Servers on page 75 for
a description of how to use the graphic interface to configure both servers
and agents.
An agent graphic interface to configure the backup devices that run on the
MSEO Agent system, and the Security Servers to which the agent connects.
See Configuring MSEO Drivers and Server Connections on page 107 for
details.
A template file for configuring audit messages. The audit template file is
described in Configuring audit logging on page 136.
You can create additional configurations using the Security Server command
line interface.
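The Go model below is an added example, not the MSEO policy engine or its agent-to-server protocol. It shows an agent asking its Security Servers, in precedence order, to evaluate a tape request (host, operation, pool, copy number, keyword phrase) against host registration and an ordered list of match rules, moving to the next server only when one is unreachable, so that a revocation on a reachable server takes effect on the next tape operation. The rule fields, the pool and key group names, the copy number used for the off-site copy, and the behaviour that an unmatched request passes through in the clear are assumptions drawn from the default and Vault policy descriptions above.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Request is what the driver hands the agent for one tape operation, together
// with the NetBackup job attributes the Security Server evaluates.
type Request struct {
	Host, Device, Op string // Op is "read" or "write"
	Pool             string // NetBackup volume pool
	Copy             int    // copy number; Vault duplication writes a second copy
	Keyword          string // NetBackup keyword phrase
}

// Action is the Security Server's answer for a granted request.
type Action struct {
	Encrypt, Compress bool
	KeyGroup          string // key group whose keys protect the block keys
}

// Rule is one match rule; a zero-valued field matches anything.
type Rule struct {
	Name    string
	Op      string
	Pool    string
	Copy    int
	Keyword string // substring of the job's keyword phrase
	Action  Action
}

func (r Rule) matches(q Request) bool {
	return (r.Op == "" || r.Op == q.Op) &&
		(r.Pool == "" || r.Pool == q.Pool) &&
		(r.Copy == 0 || r.Copy == q.Copy) &&
		(r.Keyword == "" || strings.Contains(q.Keyword, r.Keyword))
}

// Server is a Security Server: its registered hosts and ordered rules.
type Server struct {
	Name  string
	Up    bool
	Hosts map[string]bool // registered agent hosts; false means access revoked
	Rules []Rule          // first match wins; no match means pass through in clear
}

var ErrUnavailable = errors.New("security server unavailable")

// Evaluate answers one request. Registration is checked on every call, so a
// revocation takes effect on the very next tape operation.
func (s *Server) Evaluate(q Request) (Action, error) {
	if !s.Up {
		return Action{}, ErrUnavailable
	}
	if allowed, known := s.Hosts[q.Host]; !known || !allowed {
		return Action{}, fmt.Errorf("%s: host %q not permitted", s.Name, q.Host)
	}
	for _, r := range s.Rules {
		if r.matches(q) {
			return r.Action, nil
		}
	}
	return Action{}, nil
}

// Resolve is the agent side: try servers in precedence order and move on only
// when one is unreachable. A deny from a reachable server is final.
func Resolve(servers []*Server, q Request) (Action, error) {
	for _, s := range servers {
		act, err := s.Evaluate(q)
		if errors.Is(err, ErrUnavailable) {
			continue
		}
		return act, err
	}
	return Action{}, ErrUnavailable
}

// SampleServer carries rules modelled on the two default policies the guide
// describes: a Vault rule keyed on pool and copy number, and a general rule
// keyed on a keyword phrase. Pool, keyword and key group names are assumptions.
func SampleServer(name string) *Server {
	encrypt := func(kg string) Action { return Action{Encrypt: true, Compress: true, KeyGroup: kg} }
	return &Server{
		Name:  name,
		Up:    true,
		Hosts: map[string]bool{"media1": true, "media2": true},
		Rules: []Rule{
			{Name: "vault-offsite", Pool: "VaultPool", Copy: 2, Action: encrypt("vault-kg")},
			{Name: "vault-local", Pool: "VaultPool", Copy: 1}, // local copy stays clear
			{Name: "keyword", Keyword: "MSEO_ENCRYPT", Action: encrypt("default-kg")},
		},
	}
}

func main() {
	servers := []*Server{SampleServer("ss-primary"), SampleServer("ss-secondary")}
	q := Request{Host: "media1", Device: "/dev/rmt/0cbn", Op: "write", Pool: "VaultPool", Copy: 2}
	fmt.Println(Resolve(servers, q))
}
```

Rule order is the security-relevant detail: the explicit clear-text rule for the local Vault copy sits before the keyword rule, so a job that carries the keyword still writes its local copy in the clear and its off-site copy encrypted, which is the split the Vault sample policy is meant to produce.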
Requirements
Before proceeding with MSEO installation:
Install and configure NetBackup Enterprise Server 5.1 with Maintenance
Pack 3 (MP3) or higher, or NetBackup Enterprise Server 6.0 with MP3 or
higher, before you install MSEO. Other Maintenance Packs may work but
have not been tested.
MSEO software is installed on Solaris, Linux, or Windows systems.
Supported platforms are:
Solaris versions 8, 9, and 10 (SPARC)
Red Hat Linux 4 (2.6 kernel)
Windows 2000 and Windows 2003 Server.
Solaris 8 requires software patch 112438-01 or higher. Solaris 9 does not
require updates. Solaris 10, running NetBackup 6.0, requires software
update 2 or higher in order to support features like virtualized OS services
based on zones. Windows 2003 Server requires SP1 or higher. Windows
2000 requires SP4.
Note: It is possible to successfully run NetBackup 6.0 DQTS on a Solaris 10
without update 2 to test slower tape devices; however, to ensure accurate
testing of faster devices, you must install update 2. End-of-tape errors can
indicate the need for update 2.
The tape backup devices on the media servers must be SCSI and/or Fibre
Channel, not IDE.
The tape backup devices must be physically attached to the media servers on
which you will install MSEO Agent software. The MSEO device drivers and
system device drivers can reside on the same MSEO Agent host, or on other
MSEO Agent hosts in a SAN configuration. Fibre Channel tape backup
devices may be remotely located, relative to the agent/media server
installation, when the devices connect to the local system across a SAN.
A Security Server installation requires a minimum of 90 Mbytes of free disk
space.
A MSEO Agent installation requires a minimum of 265 Mbytes of free disk
space.
The media servers running MSEO Agent and Security Server software are
expected to be behind the same firewall; no provision has been made for
crossing firewalls. If a MSEO Agent and its Security Server are separated by
a firewall, you must first open the Security Server communications port on
that firewall. The default SSL port number is 8084. You can use commands
such as lsof -i or netstat -a to check port status on UNIX systems. Windows
users can get port configuration information from Web sites like
http://support.microsoft.com/kb/308127. Check with your
firewall vendor for more information.
SSL libraries are installed during Security Server and MSEO Agent
installation. SSL authentication between agent and server is optional but is
recommended to prevent man-in-the-middle attacks. See Adding SSL
authentication on page 156.
If you configure SSL, there are naming and networking issues to consider.
SSL certificates depend upon the network ID of the system, whether it is an
IP address or DNS name. Do not rely upon system commands, like
nslookup, to determine the appropriate network ID of the system. Execute
the get_names utility to list usable IDs. This utility is located in the ./bin
directories of the agent and server installations.
Some system changes can affect authentication between a server and agent
when using SSL authentication. If you change the network identity of an
agent or server, new credentials must be generated. If you remove and
re-install agent or server software, new credentials must be generated. If
certificates expire, new credentials must be generated. See Manually
renewing SSL certificates on page 151 for details.
You must install Security Server and MSEO Agent software as the root or
administrative user. Administrative permissions are required because
system files and directories are accessed and modified during installation.
You may use a Certificate Authority (CA) to sign the certificate used to
authenticate MSEO Agent hosts to the Security Server. Locally-signed
certificates are supported and a mechanism is provided for you to locally
sign the certificates; however, locally signing is recommended for testing
purposes only.
The Security Server and MSEO Agent software can be installed in any order;
however, it is recommended that you install the Security Server software first,
because it is easier to configure an MSEO Agent installation while the
Security Server is running.
Security Server software may be installed on any system with network
access to the media servers in the NetBackup configuration. Usually it is
installed on the same system as the NetBackup master server only to
simplify maintenance.
If you configure SSL security for MSEO Agent and Security Server
intercommunication, you must specify a listening port number for the
media servers running Security Server software. This port is the
communication conduit between MSEO Agents and the Security Server. Port
numbers may range between 1025 and 65535. Verify port number
availability. It is recommended that you use the default port numbers and
that you use the same port number for every Security Server installed in the
enterprise backup solution.
You can install Security Server and MSEO Agent software while NetBackup
is operational and media servers are accessing tape devices. However, media
servers cannot be accessing tape drivers while configuring MSEO Agent
software.
Always back up the current MSEO installation before deleting or upgrading
MSEO software. If you delete MSEO software without making a backup of
the MSEO installation, you cannot reinstall the MSEO software at a later
time and restore old backups, because you do not have copies of the keys that
were used to make those backups. Also, MSEO software upgrades, unlike the
configuration export/import utilities, overwrite the current default key. If
you perform a software upgrade, and you made backups using the default
key, you must replace the new default key with the old default key in order to
restore those backups. See Importing encryption keys on page 98 for
additional details.
A log file is not created during UNIX Security Server and agent software
installation or software upgrade. All messages generated during software
installation or upgrade are directed to standard output. You can redirect the
output to a file using a utility like tee to record installation or upgrade
activity.
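A pre-flight script that checks the requirements above before the installer is run, added here as an example and not part of the MSEO distribution. It assumes POSIX sh with df, awk and grep; the function names are mine, and the WARN for key sizes below 2048 bits is an added caveat, not a statement from this guide.

```shell
#!/bin/sh
# Pre-installation checks for the MSEO requirements listed in this section
# (added example, not part of the MSEO distribution). Thresholds come from
# the guide: 90 MB free for a Security Server, 265 MB for an MSEO Agent,
# listening and signing ports between 1025 and 65535 (defaults 8084 and
# 8085), key sizes of 512/1024/2048/4096, and a network identity that is an
# FQDN or an IP address, never a bare hostname (the SSL CN must match it).

# Accept only an IPv4 address or a fully qualified domain name.
# A bare hostname such as win40130 is rejected; win40130.qa.com and
# 10.3.40.130 are accepted.
mseo_valid_network_id() {
    case "$1" in
        '' | *[!A-Za-z0-9.-]* | .* | *. | *..*) return 1 ;;
    esac
    if echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        # dotted quad: every octet must be 0-255
        for octet in $(echo "$1" | tr '.' ' '); do
            [ "$octet" -le 255 ] || return 1
        done
        return 0
    fi
    case "$1" in
        *.*) return 0 ;;   # at least one label separator: treat as FQDN
        *)   return 1 ;;   # bare hostname
    esac
}

# Ports the installer accepts for agent access and certificate signing.
mseo_valid_port() {
    case "$1" in
        '' | *[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1025 ] && [ "$1" -le 65535 ]
}

# Check whether a TCP port already has a listener, using netstat -an or
# lsof -i as the guide suggests. Returns 2 if neither tool is available.
mseo_port_in_use() {
    if command -v netstat >/dev/null 2>&1; then
        netstat -an 2>/dev/null | grep -Eq "[.:]$1[[:space:]].*LISTEN"
    elif command -v lsof >/dev/null 2>&1; then
        lsof -nP -iTCP:"$1" -sTCP:LISTEN >/dev/null 2>&1
    else
        return 2
    fi
}

# Free space in MB on the filesystem holding directory $1.
mseo_free_mb() {
    df -Pk "$1" 2>/dev/null | awk 'NR == 2 { printf "%d\n", $4 / 1024 }'
}

# Role-based disk check: server needs 90 MB, agent needs 265 MB.
mseo_disk_ok() {
    case "$1" in
        server) need=90 ;;
        agent)  need=265 ;;
        *) echo "unknown role: $1"; return 2 ;;
    esac
    free=$(mseo_free_mb "$2")
    [ "${free:-0}" -ge "$need" ]
}

# Key sizes offered by the Linux installer (the guide's default is 1024).
mseo_valid_key_size() {
    case "$1" in
        512 | 1024 | 2048 | 4096) return 0 ;;
        *) return 1 ;;
    esac
}

# Run every check for one host; prints FAIL/WARN lines and returns non-zero
# if anything fails. Usage: mseo_preflight ROLE NETID PORT SIGNPORT KEYSIZE DIR
mseo_preflight() {
    role=$1 netid=$2 port=$3 sign=$4 keysize=$5 dir=$6 rc=0
    mseo_valid_network_id "$netid" || { echo "FAIL: '$netid' is not an FQDN or IP address"; rc=1; }
    mseo_valid_port "$port"        || { echo "FAIL: port $port outside 1025-65535"; rc=1; }
    mseo_valid_port "$sign"        || { echo "FAIL: signing port $sign outside 1025-65535"; rc=1; }
    [ "$port" != "$sign" ]         || { echo "FAIL: listening and signing ports must differ"; rc=1; }
    mseo_valid_key_size "$keysize" || { echo "FAIL: key size $keysize not one of 512/1024/2048/4096"; rc=1; }
    # Added caveat (not from the guide): RSA keys below 2048 bits are weak by current standards.
    [ "$keysize" -ge 2048 ] 2>/dev/null || echo "WARN: key size $keysize is below 2048 bits"
    mseo_disk_ok "$role" "$dir"    || { echo "FAIL: less than required free space under $dir"; rc=1; }
    s=0; mseo_port_in_use "$port" || s=$?
    [ "$s" -ne 0 ] || { echo "FAIL: port $port already has a listener"; rc=1; }
    [ "$s" -ne 2 ] || echo "WARN: neither netstat nor lsof found; port status not checked"
    return $rc
}

# Example run with the guide's sample identity (constructed values, not a real host).
mseo_preflight server win40130.qa.com 8084 8085 1024 /tmp || echo "pre-flight reported problems"
```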
UNIX installation file structure
The default MSEO UNIX installation directory is /opt/vormetric/mseo.
Security Server software is installed in ./mseo/server and MSEO Agent files
in ./mseo/agent. The primary installation directories, and some important
files they contain, are:
./mseo/server/bin
sbnbusd -- Security Server daemon.
cgadmin -- CLI command used to perform most Security Server
administrative tasks, such as adding, deleting, and editing policies,
key groups, hosts, etc.
cginit -- CLI command to start and stop the Security Server
daemon.
get_names -- CLI command that displays the configured IP
addresses and DNS names of the local system. Use a displayed IP
address or DNS name to identify the local system during software
installation.
./mseo/server/db
A set of subdirectories audit, host, key, and policy which
comprise the MSEO data store. It contains audit templates,
host-to-policy associations, various encryption keys, and the
policy repository.
./mseo/server/etc
access -- Configuration file that associates passphrases to
encrypted keys.
MessageResource.rc -- Help file that associates error codes
with text messages.
./mseo/server/export
Empty by default, this directory is used as the staging area for
exporting local MSEO encryption keys and related configuration
files to other Security Servers.
./mseo/server/import
Empty by default, this directory is used as the staging area for
importing the MSEO encryption keys and related configuration
files of other Security Servers.
./mseo/server/jre
Contains the Java Runtime files for the server.
./mseo/server/lib
libxml2.so.2 -- One of several MSEO shared library objects.
./mseo/server/pem
If you configure MSEO Agent/Security Server authentication, this
directory will contain Privacy Enhanced Mail certificates,
certificate requests, signer certificates, and more. Some of these
files control the SSL authentication of the server to the agent.
Contains certificates for communication between MSEO Agents
and the Security Server.
./mseo/agent/bin
sbnbucd -- MSEO Agent daemon.
sbadmin -- CLI command to generate certificates and keys, and
create passphrases.
cgconfig -- CLI command to configure MSEO tape devices with
NetBackup.
cgconnectserver -- CLI command to configure the Security
Servers that the MSEO Agent may access.
sbinit -- CLI command to start and stop the MSEO Agent daemon.
get_names -- CLI command that displays the configured IP
addresses and DNS names of the local system. Use a displayed IP
address or DNS name to identify the local system during software
installation.
./mseo/agent/drv
vmtape -- MSEO Agent tape driver. Linked from
/kernel/drv/vmtape.
sparcv9/vmtape -- MSEO Agent tape driver. Linked from
/kernel/drv/sparcv9/vmtape.
./mseo/agent/etc
MessageResource.rc -- Help file that associates error codes
with text messages.
MSEO Agent configuration files for accessing Security Servers,
most notably mseo_agent.conf and
mseo_agent_requests.conf.
Other MSEO Agent configuration files for Security Server access.
./mseo/agent/jre
Contains the Java Runtime files for the agent.
./mseo/agent/lib
libxml2.so.2 -- One of several MSEO shared library objects.
./mseo/agent/pem
Privacy-Enhanced Mail that allows authentication between
sender and recipient.
Contains keys and certificates for communication between MSEO
Agents and Security Servers.
Note: You will see pem frequently in this document. pem refers to the name
of the Privacy Enhanced Mail directory and is also the file suffix added to
Privacy Enhanced Mail certificates. ./mseo/server/pem is the
server-side Privacy Enhanced Mail directory and ./mseo/agent/pem is
the agent-side equivalent. The NetBackup Policy Execution Manager (PEM)
is not described nor referred to in this document.
Windows installation file structure
The default MSEO installation directory is C:\Program
Files\Vormetric\MSEO. Security Server software is installed in
.\MSEO\server and MSEO Agent software in .\MSEO\agent. The primary
installation directories are:
.\MSEO\server\bin
sbnbusd -- Security Server daemon.
cgadmin -- CLI command used to perform most Security Server
administrative tasks, such as adding, deleting, and editing policies,
key groups, hosts, etc.
cginit -- CLI command to start and stop the Security Server
daemon.
get_cert.exe -- CLI command used to regenerate and exchange
SSL certificates between Security Servers.
get_names -- CLI command that displays the configured IP
addresses and DNS names of the local system. Use a displayed IP
address or DNS name to identify the local system during software
installation.
libxml2.dll and other library files -- MSEO dynamically linked
library files.
.\MSEO\server\etc
access -- Configuration file that associates passphrases to
encrypted keys.
MessageResource.rc -- Help file that associates error codes
with text messages.
.\MSEO\server\db
A set of subdirectories audit, host, key, and policy which
comprise the MSEO data store. It contains audit templates,
host-to-policy associations, various encryption keys, and the
policy repository.
.\MSEO\server\export
Empty by default, this directory is used as the staging area for
exporting local Security Server keys to another Security Server.
.\MSEO\server\import
Empty by default, this directory is used as the staging area for
importing Security Server keys from another Security Server.
.\MSEO\server\jre
Contains the Java Runtime files for the server.
.\MSEO\server\pem
If you configure MSEO Agent/Security Server authentication, this
directory will contain Privacy Enhanced Mail certificates,
certificate requests, signer certificates, and more. Some of these
files control the SSL authentication of the server to the agent.
Contains certificates for communication between MSEO Agents
and the Security Server.
.\MSEO\agent\bin
cgconfig -- CLI command to configure MSEO tape devices with
NetBackup.
get_cert.exe -- CLI command used to regenerate and
exchange SSL certificates between the MSEO Agent and a Security
Server.
get_names -- CLI command that displays the configured IP
addresses and DNS names of the local system. Use a displayed IP
address or DNS name to identify the local system during software
installation.
sbadmin -- CLI command to generate certificates and keys, and
create passphrases.
MseoConsole.jar -- Contains the Java files for the MSEO Agent
Console.
sbnbucd -- The MSEO Agent daemon.
vmtape.inf -- The MSEO Agent tape driver.
.\MSEO\agent\config
MessageResource.rc -- Help file that associates error codes
with text messages.
MSEO Agent configuration files for accessing Security Servers,
most notably mseo_agent.conf and
mseo_agent_requests.conf.
.\MSEO\agent\etc
tape.cfg -- Tape device configuration file that can turn on debug
log messages, enable/disable asynchronous writes, pad tape
blocks, and set the media server to device timeout.
.\MSEO\agent\jre
Contains the Java Runtime files for the agent.
.\MSEO\agent\pem
Privacy-Enhanced Mail that allows authentication between
sender and recipient.
Contains keys and certificates for communication between MSEO
Agents and Security Servers.
Note: You will see pem frequently in this document. pem refers to the name
of the Privacy Enhanced Mail directory and is also the file suffix added to
Privacy Enhanced Mail certificates. ./mseo/server/pem is the
server-side Privacy Enhanced Mail directory and ./mseo/agent/pem is
the agent-side equivalent. The NetBackup Policy Execution Manager (PEM)
is not described nor referred to in this document.
Installing MSEO Security Server on UNIX systems
The Security Server can reside on the local system or on a remote system. The
system is usually a NetBackup media server, though it can also be any regular
system with network access to the media servers in the NetBackup
configuration. For ease-of-use, the primary Security Server should be installed
on the same system hosting the NetBackup master server.
MSEO can be installed in a standalone configuration, with both Security Server
and MSEO Agent software running on the same host, or in a distributed
configuration, with a centralized Security Server installed on one host and the
MSEO Agent installed on all the other hosts. Standalone configurations are not
recommended for large-scale NetBackup configurations because of the ongoing
maintenance required to synchronize Security Servers. A distributed
configuration is intended for large-scale NetBackup configurations in order to
maintain policies and keys in one central repository, the Security Server
database directory.
Changes made in a standalone MSEO installation are only applied to the local
media server. Multiple standalone MSEO configurations in an enterprise backup
solution require you to propagate the configuration changes made on one media
server to the other standalone MSEO installations. Otherwise, the MSEO
installations become unsynchronized and the media servers in the NetBackup
configuration will not be able to restore a backup image that was created on a
different media server.
MSEO is divided between two software packages, MSEO-Agent for MSEO
Agent hosts and MSEO-Server for Security Servers. Install the MSEO-Server
package first, then install MSEO-Agent packages.
Some system changes can affect authentication between a server and agent
when using SSL authentication. If you change the network identity of an agent
or server, new credentials must be generated. If you remove and re-install agent
or server software, new credentials must be generated. If certificates expire, new
credentials must be generated. See Manually renewing SSL certificates on
page 151 for details.
The installation utility does the following:
Installs the Security Server binaries, executables, and libraries.
Installs database files in ./mseo/server/db during Security Server
installation.
Installs the resource file, MessageResource.rc, and the configuration file
cgadmin.cfg in ./mseo/server/etc.
Creates a default key-pair and policy.
Starts the Security Server daemon with the sbnbusd utility.
Creates linked files in /etc/init.d and /usr/bin to facilitate MSEO
command execution.
The default installation directory is /opt/vormetric/mseo.
Installing MSEO Security Server on a Solaris media server
To install the Solaris Security Server software:
1 Check Requirements on page 19 and the MSEO Release Notes before
proceeding.
2 Log onto the system to run the Security Server as the root user.
If you install the Security Server on more than one system, you will
configure one of those installations as the primary Security Server.
3 If the Media Server Encryption Option software is provided on external
media, such as a CD-ROM or DVD, insert the media in a local drive and
locate the installation software in a terminal window.
4 Copy the Security Server tar file onto the host system.
It is named mseo.sparc.server.tar.
5 Untar the package.
tar xvf mseo.sparc.server.tar
The installer, installmseo.server, and several system-specific software
packages are unpacked.
6 Run the server installation utility.
# ./installmseo.server
The installation utility displays the Symantec license agreement. You must
accept the terms of the license to complete installation:
END-USER SOFTWARE LICENSE AGREEMENT
PLEASE READ THE TERMS AND CONDITIONS OF THIS END USER
LICENSE AGREEMENT ("AGREEMENT") CAREFULLY BEFORE USING
...
...
server, agent or processor. The server or processor
tier defines the type of hardware on which the
software may be deployed.
Do you accept all the terms of the preceding License
Agreement? [yes/no] >
7 Enter yes to continue.
The installer prompts you to specify the port number the Security Server is
to use to listen for agent backup and restore requests.
Enter a port number for agents to access this security server
[8084] or type quit:
8 Enter the Security Server listening port number.
The default is 8084. It is recommended that you use the default port
number.
After you enter the port number, the installer prompts you to indicate if you
want to enable SSL authentication between the Security Server and the
agents it administers.
Do you want to configure port 8084 to use secure (SSL/TLS)
connections? (yes|no): yes
9 Enter yes to configure the Security Server SSL authentication certificates
so that the servers and agents can communicate across a secure network
connection, or, no to install the server software without the SSL
authentication feature.
There is no default selection. It is recommended that you enable
authentication to ensure the secure transmission of information between
agent and server.
Note: MSEO requires a homogeneous network security environment. If the
Security Server is configured for SSL, then the other Security Servers that it
communicates with and its agents must also be configured for SSL. See
Adding SSL authentication on page 156 for details.
Note: SSL authentication requires certificates, and each certificate contains
a CN value. The SSL CN value is the agent or server network location. The
CN value must match the full DNS name, or IP address, of the agent or
server for which the SSL certificate is generated. Once the server network
location is configured, the agent must refer to the server using the same
configured location, partly because of the configured CN name and partly
because the server location is configured in the agent.conf file. However,
the server can refer to the agent using either the agent IP address or full
DNS name. Also, if you change the DNS name or IP address of an agent or
server, you must regenerate and re-exchange certificates.
The rest of this section assumes that you entered yes.
After you enter yes, the installer prompts you to enter the domain name or
IP address of the local server.
Enter this server's fully qualified domain name or IP address:
10 Enter the domain name or IP address of the Security Server you are logged
onto.
Only IP addresses and fully-qualified domain names are allowed. If you
enter just the hostname, such as win40130, configuration will complete but
NetBackup will fail. Appropriate examples are win40130.qa.com and
10.3.40.130.
The MSEO certificate generation utility configures the start date of the
signer certificate with the time and date the certificate is generated, minus
24 hours, to permit immediate agent-server communication, even when the
agent and server system clocks are off a little bit.
After entering the domain name or IP address, the installer prompts you to
indicate if you want the local server to generate the certificates for agents
and other servers.
Shall this server be enabled to generate certificates? (yes|no):
11 Enter yes to designate the local server as the primary server on which to
generate authentication certificates, or enter no if the local server is a
secondary server that is going to get its certificates from a remote primary
server. Enter yes if in a single-server configuration. Enter no only if the
local server is designated as a secondary server. If you enter no, stop here
and continue with Installing a secondary Security Server on UNIX
systems on page 37.
After entering yes, the installer prompts you for the local server signing
port number.
12 Enter the server signing port number.
Port 8085 is the default port for agent-server connections involving
configuration changes. It is recommended you use the default port number.
Port 8084 is the default primary agent-server connection across which
policies are sent and encryption keys are returned.
After you enter the signing port number, the installer begins to install the
server files.
Processing package instance <MSEO-Server> from
</home/bcobain/mseo_sparc-Build0056/mseo-server.sparc.5.8.pkg>
Media Server Encryption Option Security Server
(sparc) MSEO-6.1.0-Solaris-Sparc-64-Build56
Symantec, Inc.
## Executing checkinstall script.
## Processing package information.
## Processing system information.
Installing Media Server Encryption Option Security Server as
<MSEO-Server>
## Installing part 1 of 1.
/opt/vormetric/mseo/server/bin/ce
/opt/vormetric/mseo/server/bin/ce.jar
/opt/vormetric/mseo/server/bin/cgadmin
...
## Executing postinstall script.
syslog service starting.
Installation of <MSEO-Server> was successful.
Auto access initialized.
...........++++++
......++++++
LOG[AUDIT]MSEO.Server: Key default has been added successfully.
After the software is installed, you are prompted to specify the secondary
servers that may submit certificate requests to the local server.
Enter the fully qualified domain name or IP address of the next
server that will submit certificate requests to this server (or
just <Enter> if done):
13 Either, enter the domain name/IP address of a secondary server that is
allowed to submit certificates requests to the local primary server, or, just
press <Enter> to indicate that there are no other secondary servers allowed
to submit requests.
Each time after you enter a server domain name/IP address, you are
prompted to enter the domain name/IP address of the next secondary
server. This cycle continues until you press <Enter> by itself.
After you press just the <Enter> key, the installer prompts you for the agent
systems that can be serviced by the local server.
Enter the fully qualified domain name or IP address of the next
agent
14 Either, enter the domain name/IP address of an agent system that is allowed
to communicate with the local primary server, or, just press <Enter> to
indicate that you are done with server software installation.
Enter the domain names or IP addresses of currently configured agent
systems. If you want, you can skip this step and configure agent systems
later when you install the agent software.
After you press <Enter>, installation completes.
###################################################
# The Media Server Encryption Option Security #
# Server has been installed successfully. #
###################################################
15 Verify the installation by checking the MSEO directory for certificates:
# ls -c1 /opt/vormetric/mseo/server/pem
server-cert.pem
server.pem
signer-cert.pem
signer.pem
#
Check this directory to ensure that the MSEO installation directory
(/opt/vormetric/mseo/server) was created and populated, and that
server signer certificates were successfully generated. Your directory
should contain at least the files shown. There will be more if you configured
additional agents.
16 Alternatively, you can verify the installation with the pkginfo command.
Your output can be different. This is only an example:
# pkginfo -l MSEO-Server
PKGINST: MSEO-Server
NAME: Media Server Encryption Option Security Server
CATEGORY: system
ARCH: sparc
VERSION: MSEO-6.1.0-Solaris-Sparc-64-Build56
VENDOR: Symantec, Inc.
DESC: Media Server Encryption Option Security Server
INSTDATE: Jan 10 2008 14:48
STATUS: completely installed
FILES: 41 installed pathnames
12 directories
16 executables
43004 blocks used (approx)
#
17 Check that the server daemon is running.
# ps -aef | grep nbu
root 3324 ... /opt/vormetric/mseo/server/bin/sbnbusd
root 3350 ... grep nbu
#
18 Install the MSEO Agent software on media servers.
See Installing MSEO Agent on UNIX systems on page 40 or Installing
MSEO Agent on Windows on page 62.
19 Configure the Security Server, as described in Configuring MSEO Security
Servers on page 75.
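A post-installation check that scripts steps 15 and 17 above (the four PEM files and the running sbnbusd daemon), added here as an example and not an MSEO tool. MSEO_HOME, the function names, and the assumption that server.pem and signer.pem hold private keys (and so should not be group- or world-readable) are mine, not from this guide.

```shell
#!/bin/sh
# Post-installation verification for a UNIX MSEO Security Server.
# Added example (not an MSEO tool). MSEO_HOME is an assumed variable that
# defaults to the guide's default installation directory.

MSEO_HOME=${MSEO_HOME:-/opt/vormetric/mseo}

# Files the guide expects in server/pem after a primary install with SSL.
MSEO_REQUIRED_PEM="server-cert.pem server.pem signer-cert.pem signer.pem"

# Step 15: return 0 if every required PEM file exists and is non-empty
# under $1, printing each missing file otherwise.
mseo_check_pem_dir() {
    dir=$1 missing=0
    [ -d "$dir" ] || { echo "pem directory $dir does not exist"; return 1; }
    for f in $MSEO_REQUIRED_PEM; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or empty: $dir/$f"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Assumption (not from the guide): server.pem and signer.pem hold the
# private keys, so any group/other permission bits on them are a finding.
mseo_check_pem_perms() {
    dir=$1 loose=0
    for f in server.pem signer.pem; do
        [ -f "$dir/$f" ] || continue
        mode=$(ls -l "$dir/$f" | cut -c5-10)   # group and other bits
        case "$mode" in
            ------) ;;
            *) echo "private key $dir/$f is readable by group/other ($mode)"
               loose=$((loose + 1)) ;;
        esac
    done
    [ "$loose" -eq 0 ]
}

# Step 17: the Security Server daemon must be running.
mseo_server_daemon_running() {
    ps -ef 2>/dev/null | grep -v grep | grep -q "$MSEO_HOME/server/bin/sbnbusd"
}

# Run all checks; returns non-zero if any of them fails.
mseo_verify_server() {
    rc=0
    mseo_check_pem_dir "$MSEO_HOME/server/pem"   || rc=1
    mseo_check_pem_perms "$MSEO_HOME/server/pem" || rc=1
    mseo_server_daemon_running || { echo "sbnbusd is not running"; rc=1; }
    [ "$rc" -eq 0 ] && echo "Security Server installation looks complete"
    return $rc
}

mseo_verify_server || echo "Security Server verification reported problems"
```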
Installing MSEO Security Server on a Linux media server
To install the Linux Security Server software:
1 Check Requirements on page 19 and the MSEO Release Notes before
proceeding.
2 Log onto the system to run the Security Server as the root user.
If you install the Security Server on more than one system, you will
configure one of those installations as the primary Security Server.
3 If the Media Server Encryption Option software is provided on external
media, such as a CD-ROM or DVD, insert the media in a local drive and
locate the installation software in a terminal window.
4 Copy the Security Server installation package onto the host system.
The package comprises several files. The installation application is
installmseo.linux.server. It installs the Security Server from a Red
Hat Package Manager (.rpm) file that is named something like
mseo-server-6.1.0-rhel4.x86_64.rpm. The Security Server
installation package also includes a utility and the MSEO license.
5 Run the installation utility.
# installmseo.linux.server
The installation utility prepares the system for installation and then it
installs the software. Do not use the rpm command directly to install the
Security Server.
The installation utility displays the Symantec license agreement. You must
accept the terms of the license to complete installation:
Do you accept all the terms of the preceding License
Agreement? [yes/no] >
6 Enter yes to continue.
The installer prompts you to specify the port number that the Security
Server is to use to listen for agent backup and restore requests.
Enter port number that agents will access on this Security
Server [8084] or type quit:
7 Enter the Security Server listening port number.
The default is 8084. It is recommended that you use the default port
number.
After you enter the port number, the installer prompts you to indicate if you
want to enable SSL authentication between the Security Server and the
agents it administers.
Do you want to configure port 8084 to use secure (SSL/TLS)
connections? (yes|no): yes
8 Enter yes to configure the Security Server SSL authentication certificates
so that the servers and agents can communicate across a secure network
connection, or, no to install the server software without the SSL
authentication feature.
There is no default selection. It is recommended that you enable
authentication to ensure the secure transmission of information between
agent and server.
Note: MSEO requires a homogeneous network security environment. If the
Security Server is configured for SSL, then the other Security Servers that it
communicates with and its agents must also be configured for SSL. See
Adding SSL authentication on page 156 for details.
Note: SSL authentication requires certificates, and each certificate contains
a CN value. The SSL CN value is the agent or server network location. The
CN value must match the full DNS name, or IP address, of the agent or
server for which the SSL certificate is generated. Once the server network
location is configured, the agent must refer to the server using the same
configured location, partly because of the configured CN name and partly
because the server location is configured in the agent.conf file. However,
the server can refer to the agent using either the agent IP address or full
DNS name. Also, if you change the DNS name or IP address of an agent or
server, you must regenerate and re-exchange certificates.
The rest of this section assumes that you entered yes.
After you enter yes, the installer evaluates the system network, returns
what it thinks is the network identity of the local system, and then prompts
you to enter the domain name or IP address of the local system.
Setting this server's fully qualified domain name or
IP address
1. lnx25138.qa.com
2. 10.3.25.138
3. Enter fully qualified domain name or IP address
Select one of the above options: 1
Choices 1 and 2 are what the installer determined are the fully qualified
domain name and the IP address of the system, respectively. Choice 3 allows
you to enter some other FQDN or IP address. Unless there is some
compelling reason to do otherwise, select either choice 1 or 2.
9 Enter the number for the network identity you want to use for the Security
Server.
Only IP addresses and fully-qualified domain names are allowed. The choice
you enter must be used from now on to identify the server. If you enter just
the hostname, such as lnx40130, configuration will complete but
NetBackup will fail. Appropriate examples are lnx40130.qa.com and
10.3.40.130.
Choice 1 is entered for this example, and the following message is displayed:
Note: You must always use the same string "lnx25138.qa.com"
whenever you refer to this Security Server from now on.
The installer then prompts you to indicate if you want the local server to
generate the certificates for agents and other servers.
If you want to configure multiple Security Servers, we
recommend using one to generate certificates for agents and
other servers. Shall this server be enabled to generate
certificates? (yes|no):
10 Enter yes to designate the local server as the primary server on which to
generate authentication certificates. Always enter yes if this is the first
Security Server installation or if you intend to install and configure just one
Security Server. Enter no if the local server is a secondary server that is
going to get its certificates from a remote primary server. Enter no only if
the local server is designated as a secondary server. If you enter no, stop
here and continue with Installing a secondary Security Server on UNIX
systems on page 37.
The MSEO certificate generation utility configures the start date of the
signer certificate with the time and date the certificate is generated, minus
24 hours, to permit immediate agent-server communication, even when the
agent and server system clocks are off a little bit.
After entering yes, the installer prompts you for the local server signing
port number.
Enter port number for CA server lnx25138.qa.com [8085]
or type quit:
11 Enter the server signing port number.
Port 8085 is the default port for agent-server connections involving
configuration changes. It is recommended you use the default port number.
Port 8084 is the default primary agent-server connection across which
policies are sent and encryption keys are returned.
After you enter the signing port number, the installer prompts you for the
size of the default server key that will be used to sign certificates.
Enter the server key size [1024]:
12 Enter the bit-size for the server key.
Your choices are: 512, 1024, 2048, or 4096. The default is 1024. Unless
you have a pressing need to increase the bit-size, use the default. The larger
the key size, the longer the key generation time.
Software installation begins after you enter the bit-size.
Starting install
Preparing... ################################## [100%]
1:mseo-server ################################# [100%]
Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
Auto access initialized.
At this point a message is displayed that prompts you to enter the FQDN or
IP address of the secondary server and all the agents that you want to
communicate with this primary Security Server across a secure SSL
connection.
Enter the fully qualified domain name or IP address of a
secondary server or agent that will submit certificate
requests to this server (or just <Enter> if done):
13 Enter the FQDN or IP address of a MSEO secondary server or agent.
You may press the <Enter> key to skip registering a secondary server or
agents at this time. If you skip this step you will have to generate and
exchange certificates using the sbadmin, cgadmin, and get_cert
utilities.
If you enter an agent FQDN or IP address, the installation utility verifies it
by submitting the FQDN to the DNS server for resolution or by pinging the
IP address. A host record is created in the Security Server for the agent and
the agent is assigned the default policy. A warning is issued if the FQDN
cannot be resolved or if the IP address fails to ping, but the host record is
still created. You are prompted to continue entering additional systems
until you press the <Enter> key.
An FQDN, lnx25138.qa.com, is entered for this example, and the following
message is displayed:
LOG[AUDIT]MSEO.Server: Host lnx25138.qa.com has been
added successfully.
Enter the fully qualified domain name or IP address of a
secondary server or agent that will submit certificate
requests to this server (or just <Enter> if done):
14 Enter the FQDN or IP address of a secondary Security Server or another
agent, or press <Enter> to continue the installation process.
The <Enter> key is pressed in this example. When the <Enter> key is
pressed, the installation utility creates the server certificates and the agent
certificate requests.
The server is generating keys. Please wait...
########################################################
The Media Server Encryption Option Security Server
software has been installed successfully.
########################################################
It then prompts you to create symbolic links in /usr/bin to the Security
Server utilities in ./mseo/server/bin.
Create symbolic links in /usr/bin? (yes|no):
15 Enter yes when prompted to create symbolic links to the Security Server
utilities.
Enter yes because most users already have /usr/bin in their $PATH
definition and you can enter just the utility names to perform MSEO tasks.
Also, since they are links to utilities in the MSEO installation hierarchy,
they do not take up any disk space. If you enter no, you will have to add the
./mseo/server/bin directory to your $PATH variable, include the full
path with the utility name, or cd to the ./mseo/server/bin directory
each time you want to execute a MSEO utility.
Installing a secondary Security Server on UNIX
systems
A secondary server is an MSEO Security Server that is used in the event the
primary Security Server becomes unavailable, or when you want to balance the
load between multiple Security Servers.
A secondary Security Server can be configured with the same keys, policies, and
configuration as the primary server, with the exception of being able to sign
certificates. The secondary server and agent certificates are generated during
Security Server software installation. The keys and policies must be manually
copied.
To configure the local Security Server as a secondary Security Server:
1 Check that the primary Security Server is accessible on the network.
Certificates are exchanged between the primary and secondary servers
during software installation. You will need to specify the same fully
qualified domain name (FQDN) or IP address that was originally used to
configure the primary Security Server.
2 Check that the agents that are to use this Security Server are accessible on
the network.
Certificates can be exchanged between the secondary server and agents
during software installation. If you choose to do so at this time, you will
need the same fully qualified domain name (FQDN) or IP address that was
originally used to configure each agent. Specifying agents at this time is
optional but it is easier to configure agents and exchange certificates
automatically during Security Server installation than it is to configure
agents and exchange certificates manually later.
3 Log onto the primary Security Server.
4 Add the secondary Security Server to the primary Security Server database
directory.
Adding the secondary Security Server to the database allows the primary
Security Server to recognize and communicate with the secondary Security
Server. There are two ways to add the secondary Security Server:
Use the cgadmin command to add the secondary Security Server to the
primary Security Server database directory. The syntax is:
# cgadmin add host hname policy pname
where hname is the IP address or FQDN of the secondary Security
Server system and pname is the name of a policy on the primary
Security Server. For example,
# cgadmin add host 10.3.34.31 policy default
Alternatively, open the MSEO Server Console; select Edit->Add->Host; enter
the IP address or FQDN of the secondary Security Server system; select the
policy to apply; and click Add Host.
5 Log onto the secondary Security Server.
6 Install the Security Server software as described in Installing MSEO
Security Server on a Solaris media server on page 27 or Installing MSEO
Security Server on a Linux media server on page 32.
7 Stop and return here when you get to the step that prompts you to indicate if
the local server is to sign certificates.
If you want to configure multiple Security Servers, we recommend
using one to generate certificates for agents and other servers.
Shall this server be enabled to generate certificates? (yes|no):
8 Enter no to designate the local server as a secondary server.
By entering no, you are indicating that the local server cannot sign
certificates and, therefore, this must be a secondary Security Server.
Because the local server is unable to sign certificates, you are prompted to
specify the network location of the server that can sign certificates, which is
the IP address or FQDN of the primary Security Server.
Enter certifcate signing server's fully qualified domain name or
IP address:
9 Enter the FQDN or IP address of the primary Security Server.
Enter the same FQDN or IP address that was originally used to configure the
primary Security Server.
The installation utility prompts you to specify the port on which the
primary and secondary Security Servers will exchange configuration
information. For example,
Enter port number for CA server lnx34031.qa.com [8085] or type
quit:
10 Enter the Security Server port number.
Note that this is not the same port number that is used by the server and
agents to exchange policies and keys (default is 8084) to perform
NetBackup backups and restores. This is the port on which configuration
data, such as signed certificates, are exchanged (default is 8085).
After you enter the signing port number, the installer prompts you for the
size of the default server key.
Enter the server key size [1024]:
11 Enter the bit-size for the server key.
Your choices are: 512, 1024, 2048, or 4096. The default is 1024. Unless
you have a pressing need to increase the bit-size, use the default. The larger
the key size, the longer the key generation time.
Software installation begins after you enter the bit-size. The primary
Security Server signer certificate is displayed after a few minutes and you
are prompted to accept or decline the certificate.
...
Do you trust above CA certificate? [Yes|No]: Yes
12 Inspect the signer certificate information to ensure validity.
Check to verify that you are not receiving a spoofed signer certificate. Check
the date. If you had just generated the server certificates, the Not Before
field will show yesterday's date. (The MSEO certificate generation utility
configures the start date of the signer certificate with the time and date the
certificate is generated, minus 24 hours, to permit immediate agent-server
communication, even when the agent and server system clocks are off a
little bit.) Check the Organization (O), Organizational Unit (OU), and
Common Name (CN) values. The Organization is always set to CoreGuard.
The Organizational Unit is always set to Signer on hostName, where
hostName is the name of the system that is running the primary Security
Server. The Common Name is the IP address or FQDN that was used to
create the server certificates. Because the O, OU, and CN values are
predictable, anyone able to interpose on the connection could present a
certificate carrying the same values; the check that cannot be imitated is to
compare the Serial Number and Subject Key Identifier shown here with
those of the signer certificate as displayed on the primary Security Server
itself.
13 Enter yes to accept the signer certificate.
A message is displayed to indicate successful secondary server certificate
configuration and installation. The installation utility then prompts you to
specify the agents that are to access this Security Server.
LOG[AUDIT]MSEO.Server: SSL has been successfully configured.
You can now configure agents (which will use the default policy)
for this server.
Enter the fully qualified domain name or IP address of the next
agent (or just <Enter> if done):
14 Enter the FQDN or IP address of an agent.
Enter the same FQDN or IP address that was originally used to configure the
agent. Or press the <Enter> key to configure the agents later.
If you enter an FQDN or IP address, a message is displayed to indicate
successful certificate exchange between secondary server and agent. For
example,
LOG[AUDIT]MSEO.Server: Host lnx25138.qa.com has been added
successfully.
The installation utility then prompts you for another agent FQDN or IP
address. Continue entering the agents you want serviced by this Security
Server. When you press the <Enter> key, installation completes with the
following message:
#########################################################
# The Media Server Encryption Option Security Server
# software has been installed successfully.
############################################################
The installer then prompts you to create symbolic links in /usr/bin to the
MSEO Security Server utilities in ./mseo/server/bin.
Create symbolic links in /usr/bin? (yes|no):
15 Enter yes when prompted to create symbolic links to the MSEO Security
Server utilities.
Enter yes because most users already have /usr/bin in their $PATH
definition and you can enter just the utility names to perform MSEO tasks.
Also, since they are links to utilities in the MSEO installation hierarchy,
they do not take up any disk space. If you enter no, you will have to add the
./mseo/server/bin directory to your $PATH variable, include the full
path with the utility name, or cd to the ./mseo/server/bin directory
each time you want to execute a MSEO utility.
Software installation is complete at this point, but the secondary server
does not contain encryption keys or policies yet.
16 Back up the primary Security Server keys and policies, and restore them on
the secondary Security Server, as described in Exporting encryption keys
on page 97 and Importing encryption keys on page 98.
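The inspection the guide asks for at the trust prompt (step 12 above, and again when the agent installer displays the same signer certificate during agent installation) can be scripted so that the decision is not left to eyeballing a screen of hex. The following is an added example, not part of the MSEO product or of this guide: it parses the openssl-style certificate text the installer prints, verifies the Not Before backdating rule, the O, OU, and CN conventions, and the CA constraints, and compares the Serial Number and Subject Key Identifier against a pin read beforehand on the primary Security Server. The sample certificate text is constructed from the field values printed later in this chapter in the Linux agent installation (modulus and signature omitted); the one-hour clock-skew tolerance and the (serial, SKI) pin tuple are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: the signer certificate the MSEO agent installer
# prints before "Do you trust above CA certificate?", using the field values
# shown in this guide, one field per line (modulus and signature omitted).
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3d:b6:dd:12:94:82:85:4d
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=CoreGuard, OU=Signer on lnx25138, CN=lnx25138.qa.com
        Validity
            Not Before: Jan 23 03:23:32 2008 GMT
            Not After : Jan 24 03:23:32 2012 GMT
        Subject: C=US, O=CoreGuard, OU=Signer on lnx25138, CN=lnx25138.qa.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                EE:B5:66:E0:3C:CF:42:FE:23:F8:A7:95:24:87:84:5B:FD:71:54:87
"""

BACKDATE = timedelta(hours=24)  # MSEO sets Not Before to generation time minus 24 h
SKEW = timedelta(hours=1)       # assumed tolerance for clock drift between hosts


def parse_dn(text):
    """'C=US, O=CoreGuard, CN=x' -> dict; values containing commas are not expected here."""
    return dict(part.strip().split("=", 1) for part in text.split(",")) if text else {}


def parse_time(text):
    """openssl date text such as 'Jan 23 03:23:32 2008 GMT' -> aware UTC datetime."""
    return datetime.strptime(text.strip(), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def parse_cert_text(text):
    """Extract the fields the guide tells you to inspect from an openssl-style dump."""
    def grab(pattern):
        m = re.search(pattern, text, re.MULTILINE)
        return m.group(1).strip() if m else ""
    return {
        "serial": grab(r"Serial Number:\s*\n\s*([0-9a-fA-F:]+)"),
        "sig_alg": grab(r"^\s*Signature Algorithm:\s*(\S+)"),
        "issuer": parse_dn(grab(r"^\s*Issuer:\s*(.+)$")),
        "subject": parse_dn(grab(r"^\s*Subject:\s*(.+)$")),
        "not_before": parse_time(grab(r"Not Before:\s*(.+)$")),
        "not_after": parse_time(grab(r"Not After\s*:\s*(.+)$")),
        "key_bits": int(grab(r"RSA Public Key:\s*\((\d+) bit\)") or 0),
        "is_ca": grab(r"Basic Constraints:.*\n\s*(CA:\w+)") == "CA:TRUE",
        "key_usage": grab(r"Key Usage:.*\n\s*(.+)$"),
        "ski": grab(r"Subject Key Identifier:\s*\n\s*([0-9A-Fa-f:]+)"),
    }


def check_signer_cert(info, server_id, now, generated_at=None, pin=None):
    """Return FAIL/WARN findings. server_id is the FQDN or IP the primary Security
    Server was configured with; pin is (serial, SKI) read on that server itself."""
    f, subj = [], info["subject"]
    if subj != info["issuer"]:
        f.append("FAIL issuer differs from subject: the signer certificate is self-signed")
    if subj.get("O") != "CoreGuard":
        f.append(f"FAIL O={subj.get('O')!r}, expected 'CoreGuard'")
    host = None if re.fullmatch(r"[0-9.]+", server_id) else server_id.split(".")[0]
    ou = subj.get("OU", "")
    if not ou.startswith("Signer on ") or (host and ou != f"Signer on {host}"):
        f.append(f"FAIL OU={ou!r}, expected 'Signer on {host or '<hostname>'}'")
    if subj.get("CN") != server_id:  # exact match: an IP is not interchangeable with its DNS name
        f.append(f"FAIL CN={subj.get('CN')!r} is not the configured server identity {server_id!r}")
    if not info["is_ca"] or "Certificate Sign" not in info["key_usage"]:
        f.append("FAIL not a CA certificate permitted to sign certificates")
    if generated_at is not None and abs(info["not_before"] - (generated_at - BACKDATE)) > SKEW:
        f.append("FAIL Not Before is not generation time minus 24 h")
    if info["not_before"] > now + SKEW:
        f.append("FAIL Not Before is in the future")
    if info["not_after"] <= now:
        f.append("FAIL certificate has expired")
    if pin is None:
        f.append("WARN no serial/SKI pin given: O, OU and CN alone can be copied by an impostor")
    elif (info["serial"].lower(), info["ski"].lower()) != (pin[0].lower(), pin[1].lower()):
        f.append("FAIL serial/SKI differ from the values recorded on the primary Security Server")
    if info["key_bits"] < 2048:
        f.append(f"WARN {info['key_bits']}-bit RSA signer key is below current practice (2048)")
    if info["sig_alg"].lower().startswith(("sha1", "md5")):
        f.append(f"WARN signature algorithm {info['sig_alg']} is deprecated")
    return f


def accept(info, **kwargs):
    """True when there is no FAIL finding, i.e. when typing Yes is justified."""
    return not any(x.startswith("FAIL") for x in check_signer_cert(info, **kwargs))


if __name__ == "__main__":
    cert = parse_cert_text(SAMPLE_CERT_TEXT)
    # Pin copied from the sample for the demonstration; in practice read it on the primary server.
    for line in check_signer_cert(cert, "lnx25138.qa.com", now=parse_time("Jan 01 00:00:00 2010 GMT"),
                                  generated_at=parse_time("Jan 24 03:23:32 2008 GMT"),
                                  pin=(cert["serial"], cert["ski"])):
        print(line)
```

The exact string comparison of CN against the configured server identity is deliberate: in MSEO an IP address and the DNS name it resolves to are different identities, as the SSL notes in the agent installation explain, so a certificate for one must not be accepted when the agent was configured with the other. The two WARN lines the sample produces (1024-bit key, SHA-1 signature) do not block acceptance but are worth recording for the next certificate renewal.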
Installing MSEO Agent on UNIX systems
MSEO comprises two software packages, MSEO-Agent for MSEO Agent hosts
and MSEO-Server for Security Servers.
The installation script does the following:
Installs the MSEO Agent binaries (executables and libraries)
Installs the resource file, MessageResource.rc, and the configuration file
sbadmin.cfg in ./mseo/agent/etc
Adds the MSEO tape drive module to the host kernel
Starts the MSEO Agent daemon with the sbnbucd utility
If you are installing both Security Server and MSEO Agent software on the same
system, install the Security Server package first, followed by the MSEO Agent
package. Both packages are installed in /opt/vormetric/mseo.
The agent software installation utility will issue a warning during the certificate
configuration stage of agent software installation if the agent certificate is
already present in the Security Server ./mseo/server/pem directory. This
feature protects the Security Server from issuing certificates to fraudulent
entities, such as a host that claims the identity of an agent that is already
registered. You must configure new agent certificates after re-installing agent
software. See Manually renewing SSL certificates on page 151 for details.
Installing MSEO Agent on a Solaris system
To install the Solaris Agent software:
1 Check Requirements on page 19 and the MSEO Release Notes before
proceeding.
2 Log onto the system to run the MSEO Agent as the root user.
This may be any media server in the NetBackup configuration, even the
media server that is running the Security Server.
3 Check that there are no active backup processes running on the current
media server.
The local tape devices should be idle. If necessary, wait for the media server
to complete all NetBackup tasks. If you run a MSEO command that is used to
modify the configuration of a NetBackup media server, and that media
server is active, the command is discarded and the following message is
displayed in the terminal window: NetBackup tape devices are currently
active. Launch this tool later.
4 If the Media Server Encryption Option software is provided on external
media, such as a CD-ROM or DVD, insert the media in a local drive and
locate the installation software in a terminal window.
5 Copy the MSEO-Agent package onto the host system.
It is named mseo.sparc.agent.tar.
6 Untar the package.
tar xvf mseo.sparc.agent.tar
Several files are extracted, most notably installmseo.agent and
mseo-agent.sparc.5.8.pkg.
7 Run the agent installation utility.
# installmseo.agent
The installation utility displays the Symantec license agreement. You must
accept the terms of the license to complete installation:
END-USER SOFTWARE LICENSE AGREEMENT
PLEASE READ THE TERMS AND CONDITIONS OF THIS END USER
LICENSE AGREEMENT ("AGREEMENT") CAREFULLY BEFORE USING
...
...
server, agent or processor. The server or processor
tier defines the type of hardware on which the
software may be deployed.
Do you accept all the terms of the preceding License
Agreement? [yes/no] >
8 Enter yes to continue.
After you enter yes, the installer prompts you for the Security Servers to
service this agent. You must configure the agent to use at least one Security
Server.
9 Enter the DNS name or IP address of the first Security Server for this agent.
After you enter the DNS name or IP address, you are prompted for the SSL
listening port on the Security Server.
10 Enter SSL listening port number for the Security Server.
You must enter the same SSL listening port number used to configure the
server. If the default listening port number is not used, or the listening port
number had been changed, you must enter the currently configured
number. The default is 8084.
If you are unsure of the listening port number of the server installation, you
can display the number by opening the MSEO Server Console on the server
or by viewing the ./mseo/server/etc/mseo_security_server.conf
file on the server. (The path on Windows is
.\MSEO\server\config\mseo_security_server.conf.)
After you enter the port number, you are prompted to enable SSL
authentication between the agent and server.
11 Enter yes to enable SSL authentication.
Note: SSL authentication requires certificates, and each certificate contains
a CN value. The SSL CN value specifies the network ID of the agent or
server. The CN value must match the DNS name or IP address of the agent
or server for which the SSL certificate is generated. This means that once
configured, you must always refer to the agent or server using the same
configured IP address or DNS name. If you configure the agent or server
with an IP address, you cannot reference the agent or server with the
corresponding DNS name. If you configure the agent or server with DNS
name, you cannot reference the agent or server with the corresponding IP
address. Also, if you change the DNS name or IP address of an agent or
server, you must regenerate and re-exchange certificates.
After you enter yes, you are prompted to add additional servers for this
agent.
12 Enter yes to configure additional servers or no if you are done adding
servers at this time.
If you enter yes, you are prompted to enter the DNS name or IP address of
the next server, its listening port number, and whether or not to enable SSL
authentication between the agent and server, as you were in step 9
through step 11, and then asked again whether to add another server.
Once you indicate that there are no additional servers to add, you are
prompted for the local agent DNS name or IP address.
13 Enter the local agent DNS name or IP address.
14 Enter the DNS name or IP address of the server that is to sign certificates.
This must be the server that was configured as the certificate signer in
step 11 on page 29. This is the primary server, not a secondary server.
15 Enter the listening port number of the server that is to sign certificates.
This is the signing port that was configured in step 12 on page 29 (default
8085), not the port on which policies and keys are exchanged (default 8084).
You are prompted for the bit-size of the key used for signed agent
certificates.
16 Enter the agent key size.
Your choices are: 512, 1024, 2048, or 4096. The default is 1024. Unless
you have a pressing need to increase the bit-size, use the default. The larger
the key size, the longer the key generation time.
Software installation begins after you enter the bit-size. The agent software
is installed and certificates generated and exchanged between the agent and
servers.
Processing package instance <MSEO-Agent> from
</home/bcobain/mseoInstBuild0092/mseo-agent.sparc.5.8.pkg>
Media Server Encryption Option
(sparc) MSEO-6.1.0-Solaris-Sparc-64-Build56
Vormetric, Inc.
## Executing checkinstall script.
## Processing package information.
## Processing system information.
Media Server Encryption Option as
<MSEO-Agent>
## Installing part 1 of 1.
/opt/vormetric/mseo/agent/bin/cgc.sol
/opt/vormetric/mseo/agent/bin/cgconfdevice
/opt/vormetric/mseo/agent/bin/cgconfig
...
/opt/vormetric/mseo/agent/lib/libstdc++.so.5
/opt/vormetric/mseo/agent/lib/libxml2.so.2
[ verifying class <none> ]
## Executing postinstall script.
Installation of <MSEO-Agent> was successful.
Auto access initialized.
#########################################################
# #
# The Media Server Encryption Option Agent Software #
# has been Installed Successfully. #
# #
#########################################################
#
17 Verify the installation with the modinfo command. This is an example.
Your output may be different:
# modinfo | grep vmtape
229 782c6000 76d86 239 1 vmtape
(vmtape driver v1.0)
18 Alternately, you can verify the installation with the pkginfo command. For
example (your output can be different):
bash-3.00# pkginfo -l MSEO-Agent
PKGINST: MSEO-Agent
NAME: Media Server Encryption Option Agent
CATEGORY: system
ARCH: sparc
VERSION: MSEO-6.1.0-Solaris-Sparc-64-Build56
BASEDIR: /
VENDOR: Symantec, Inc.
DESC: Media Server Encryption Option Agent
INSTDATE: Jan 10 2008 12:36
STATUS: completely installed
FILES: 829 installed pathnames
115 directories
102 executables
244485 blocks used (approx)
#
19 Verify that the MSEO Agent daemon is running:
# ps -e | grep sbnbu
9687 ? 0:00 sbnbucd
20 With both agent and server software installed, replace the regular system
devices in NetBackup with MSEO devices. See Configuring backup devices
on page 113.
21 You must also configure the agent in the Security Server in order to apply
policy constraints. Configure the Security Server, as described in
Configuring MSEO Security Servers on page 75.
22 You may also need to adjust the NetBackup SIZE_DATA_BUFFERS
parameter downward on media servers that run MSEO Agent software. This
provides additional free space in the data buffer to accommodate MSEO
metadata without exceeding the maximum tape block size. See Managing
tape blocks on page 159.
Installing MSEO Agent on a Linux system
To install the Linux Agent software:
1 Check Requirements on page 19 and the MSEO Release Notes before
proceeding.
The Linux installation requirements are relaxed because the Linux
installation does not provide or require Java, and SSL authentication is
offered as an option during installation rather than being required.
2 Log onto the system to run the MSEO Agent as the root user.
This may be any media server in the NetBackup configuration, even the
media server that is running the Security Server.
3 Check that there are no active backup processes running on the current
media server.
The local tape devices should be idle. If necessary, wait for the media server
to complete all NetBackup tasks. If you run a MSEO command that is used to
modify the configuration of a NetBackup media server, and that media
server is active, the command is discarded and the following message is
displayed in the terminal window: NetBackup tape devices are currently
active. Launch this tool later.
4 If the Media Server Encryption Option software is provided on external
media, such as a CD-ROM or DVD, insert the media in a local drive and
locate the installation software in a terminal window.
5 Copy the MSEO Agent installation package onto the host system.
The package comprises several files. The installation application is
installmseo.linux.agent. It installs the MSEO Agent from a Red Hat
Package Manager (.rpm) file that is named something like
mseo-agent-6.1.0-rhel4.x86_64.rpm. The MSEO Agent installation
package also includes a utility and the MSEO license.
6 Run the installation utility.
# installmseo.linux.agent
The installation utility prepares the system for installation and then it
installs the software. Do not use the rpm command directly to install the
MSEO Agent.
The installation utility displays the Symantec license agreement. You must
accept the terms of the license to complete installation:
Do you accept all the terms of the preceding License
Agreement?(yes|no)
7 Enter yes to continue.
After you enter yes, the installer evaluates the system network, returns
what it thinks is the network identity of the local system, and then prompts
you to enter the domain name or IP address of the local system.
Setting this agent's fully qualified domain name or
IP address
1. lnx25138.qa.com
2. 10.3.25.138
3. Enter fully qualified domain name or IP address
Select one of the above options: 1
Choices 1 and 2 are what the installer determined are the fully qualified
domain name and the IP address of the system, respectively. Choice 3 allows
you to enter some other FQDN or IP address. Unless there is some
compelling reason to do otherwise, select either choice 1 or 2.
8 Enter the number for the network identity you want to use for the agent.
Only IP addresses and fully qualified domain names are allowed. The choice
you enter must be used from now on to identify the agent. If you enter just
the hostname, such as lnx40130, configuration will complete but
NetBackup will fail. Appropriate examples are lnx40130.qa.com and
10.3.40.130.
Choice 1 is entered for this example.
Note: Both a MSEO Security Server and an MSEO Agent can be configured
on the same system. If you install both on the same system, use the same
network identity for both. That is, if you entered 1 for the FQDN of the
Security Server, you must also enter 1 for the FQDN of the agent.
After you specify the agent system identity, the installer prompts you for
the Security Servers to service this agent. You must configure the agent to
use at least one Security Server.
This agent must be configured to communicate with one or
more security servers. Enter a Security Server's fully
qualified domain name or IP address:
9 Enter the FQDN or IP address of the primary Security Server first.
You must enter the same FQDN or IP address that was used to configure the
Security Server.
lnx25138.qa.com is entered for this example.
After you specify the Security Server identity, the installer prompts you for
the listening port number for the Security Server.
Enter lnx25138.qa.com Security Server's port number [8084]
or type quit:
10 Enter the Security Server listening port number.
Port 8084 is the default primary agent-server connection across which
policies are sent and encryption keys are returned. It is recommended you
use the default port number.
After you enter the port number, the installer prompts you to indicate if you
want to enable SSL authentication between the local agent and the specified
Security Server.
Do you want to use a secure (SSL/TLS) connection to the
Security Server lnx25138.qa.com?(yes|no)
11 Enter yes to configure the agent SSL authentication certificates so that the
agent and its servers can communicate across a secure network connection,
or, no to install the agent software without the SSL authentication feature.
There is no default selection. It is recommended that you enable
authentication to ensure the secure transmission of information between
agent and server.
Note: MSEO requires a homogeneous network security environment. If the
agent is configured for SSL, then the Security Servers that it communicates
with must also be configured for SSL. See Adding SSL authentication on
page 156 for details.
Note: SSL authentication requires certificates, and each certificate contains
a CN value. The SSL CN value is the agent or server network location. The
CN value must match the full DNS name, or IP address, of the agent or
server for which the SSL certificate is generated. Once the server network
location is configured, the agent must refer to the server using the same
configured location, partly because of the configured CN name and partly
because the server location is configured in the agent.conf file. However,
the server can refer to the agent using either the agent IP address or full
DNS name. Also, if you change the DNS name or IP address of an agent or
server, you must regenerate and re-exchange certificates.
yes is entered for this example.
The installer prompts you to indicate if you want to add additional Security
Servers to the agent configuration (mseo_agent.conf).
Would you like to add additional Security Server to the server
list?(yes|no)
12 Enter yes to configure the agent to access additional Security Servers, or no
to just use the one.
no is entered for this example.
The installer prompts you for the network identity of the Security Server
that is to sign certificates.
Enter the fully qualified domain name or IP address for
the Security Server that is to sign certificates:
13 Enter the DNS name or IP address of the server that is to sign certificates.
This is the same primary Security Server you configured in step 10 on
page 34.
lnx25138.qa.com is entered in this example.
The installer prompts you for the local server signing port number.
Enter lnx25138.qa.com's port number [8085] or type quit:
14 Enter the signing-port number for the server.
Port 8085 is the default port for agent-server connections involving
configuration changes. It is recommended you use the default port number.
Port 8084 is the default primary agent-server connection across which
policies are sent and encryption keys are returned.
8085 is entered in this example.
The installer prompts for the bit-size of the key that will be used to sign
agent certificates.
Enter the agent key size [1024]:
15 Enter the agent key size.
Your choices are: 512, 1024, 2048, or 4096. The default is 1024. Unless
you have a pressing need to increase the bit-size, use the default. The larger
the key size, the longer the key generation time.
Software installation begins after you enter the bit-size. The agent software
is installed, and certificates are generated and exchanged between the agent
and server.
Upon completion, the installation utility displays the Security Server signer
certificate and it prompts you to accept or reject the signer certificate.
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3d:b6:dd:12:94:82:85:4d
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=CoreGuard, OU=Signer on lnx25138, CN=lnx25138.qa.com
        Validity
            Not Before: Jan 23 03:23:32 2008 GMT
            Not After : Jan 24 03:23:32 2012 GMT
        Subject: C=US, O=CoreGuard, OU=Signer on lnx25138, CN=lnx25138.qa.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:aa:3c:db:6e:1a:96:8a:b3:1d:ae:3c:95:39:20:
                    d6:09:d9:e7:39:6b:e0:6a:46:89:cb:1f:00:c0:df:
                    fe:a8:5e:22:52:14:4b:b9:20:ce:52:0d:cd:90:86:
                    7e:e7:37:eb:c0:c3:d4:6c:9b:d8:45:16:3f:30:16:
                    d5:ab:2b:15:99:d8:33:2b:3b:ea:2e:76:14:60:70:
                    5d:60:d6:a6:44:e2:d6:6f:9f:0a:4a:6b:c4:b0:d6:
                    9c:dc:4c:31:3d:fb:4d:b7:93:cd:80:e3:9f:39:f8:
                    34:d8:ae:cc:e6:37:28:f8:c7:74:72:78:5b:88:bb:
                    0a:ea:f0:9d:19:73:c7:a3:f9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                EE:B5:66:E0:3C:CF:42:FE:23:F8:A7:95:24:87:84:5B:FD:71:54:87
            X509v3 Authority Key Identifier:
                keyid:EE:B5:66:E0:3C:CF:42:FE:23:F8:A7:95:24:87:84:5B:FD:71:54:87
                DirName:/C=US/O=CoreGuard/OU=Signer on lnx25138/CN=lnx25138.qa.com
                serial:3D:B6:DD:12:94:82:85:4D
    Signature Algorithm: sha1WithRSAEncryption
        89:18:07:0e:ca:93:68:40:08:8b:ff:0a:79:b6:96:e0:d3:59:
        61:b6:54:b2:9f:82:2b:96:ff:e9:1b:3c:da:29:34:90:71:32:
        cb:9f:35:03:c0:3d:8a:1c:d3:48:6d:9f:d0:ef:c6:89:11:60:
        80:d0:8f:e6:57:0e:b5:a1:f2:69:5c:82:64:ea:0f:b4:19:54:
        7c:16:16:8f:db:b9:05:6e:d3:6f:fb:16:6f:42:5b:9e:b8:36:
        8b:cf:7d:5f:98:66:bd:d7:87:40:26:34:6b:c0:f2:77:5d:16:
        e2:5a:f6:18:38:26:65:e2:8b:3b:f3:ee:5d:72:b1:98:18:64:
        f1:7f
Do you trust above CA certificate? [Yes|No]: Yes
16 Inspect the signer certificate information to ensure validity.
Check to verify that you are not receiving a spoofed signer certificate. Check
the date. If you had just generated the server certificates, the Not Before
field will show yesterday's date. (The MSEO certificate generation utility
configures the start date of the signer certificate with the time and date the
certificate is generated, minus 24 hours, to permit immediate agent-server
communication, even when the agent and server system clocks are off a
little bit.) Check the Organization (O), Organizational Unit (OU), and
Common Name (CN) values. The Organization is always set to CoreGuard.
The Organizational Unit is always set to Signer on hostName, where
hostName is the name of the system that is running the Security Server.
The Common Name is the IP address or DNS name that was used to create
the server certificates. Because the O, OU, and CN values are predictable,
anyone able to interpose on the connection could present a certificate
carrying the same values; the check that cannot be imitated is to compare
the Serial Number and Subject Key Identifier shown here with those of the
signer certificate as displayed on the Security Server itself.
17 Enter yes to accept the signer certificate.
A message is displayed to indicate successful agent certificate configuration
and installation.
LOG[AUDIT]MSEO.Agent: SSL has been successfully configured.
############################################################
# Media Server Encryption Option Agent software has
# been installed successfully.
############################################################
The installer then prompts you to create symbolic links in /usr/bin to the
MSEO agent utilities in ./mseo/agent/bin.
Create symbolic links in /usr/bin? (yes|no):
18 Enter yes when prompted to create symbolic links to the MSEO Agent
utilities.
Enter yes because most users already have /usr/bin in their $PATH
definition and you can enter just the utility names to perform MSEO tasks.
Also, since they are links to utilities in the MSEO installation hierarchy,
they do not take up any disk space. If you enter no, you will have to add the
MSEO ./mseo/agent/bin directory to your $PATH variable, include the
full path with the utility name, or cd to the MSEO ./mseo/agent/bin
directory each time you want to execute a MSEO utility.
Installation is complete at this point.
19 (Optional) Verify the installation using the cgconfig command to list the
local backup devices.
This check also verifies that the software is installed and running. The
following example shows two local devices that are not configured for
MSEO protection, and the default Security Server IP address (localhost).
# cgconfig list
----------***----------***----------***----------
----------***----------***----------***----------
OS = LINUX
List of Non MSEO Devices on NBU:
Number Index PathName
( 1) - /dev/nst1
( 2) 0 /dev/nst0
List of MSEO Devices on NBU:
No MSEO device(s) on NBU.
No MSEO tape devices configured.
List of MSEO server connection(s):
----------------------------------
Address Port
==================================================
MSEO Server (1) https://lnx25138.qa.com 8084
----------***----------***----------***-----------
----------***----------***----------***-----------
#
20 Configure MSEO backup devices.
The devices must be configured to apply MSEO protection to NetBackup
backups. See Configuring MSEO Drivers and Server Connections on
page 107.
21 You can optionally configure additional Security Servers that the agent is to
contact.
The local agent must be able to access a working and configured Security
Server. See Configuring server connections for the agent on page 117.
22 Verify that the agent process, sbnbucd, is running on the agent system.
For example:
# ps -ae | grep nbu
1437 ? 00:00:01 sbnbucd
#
If sbnbucd is not running on the agent system, restart the process
manually.
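A parser for the cgconfig list output shown in step 19, written here as an added example (it is not part of MSEO), that reports local devices still outside MSEO protection and the Security Server connections the agent knows about; the row format of the MSEO device list is assumed to match the non-MSEO list.

```python
"""Parse 'cgconfig list' output and report devices not yet under MSEO
protection.  Added example, not part of the MSEO product."""
import re
from dataclasses import dataclass, field

# Copied from the sample 'cgconfig list' output above: two local drives that
# are not MSEO devices, no MSEO devices, one Security Server connection.
SAMPLE_OUTPUT = """\
----------***----------***----------***----------
----------***----------***----------***----------
OS = LINUX
List of Non MSEO Devices on NBU:
Number Index PathName
( 1) - /dev/nst1
( 2) 0 /dev/nst0
List of MSEO Devices on NBU:
No MSEO device(s) on NBU.
No MSEO tape devices configured.
List of MSEO server connection(s):
----------------------------------
Address Port
==================================================
MSEO Server (1) https://lnx25138.qa.com 8084
----------***----------***----------***-----------
----------***----------***----------***-----------
"""

# "( 1) - /dev/nst1"  ->  number, index ('-' when unset), device path
DEVICE_RE = re.compile(r"^\(\s*(\d+)\)\s+(\S+)\s+(/\S+)$")
# "MSEO Server (1) https://lnx25138.qa.com 8084"  ->  number, address, port
SERVER_RE = re.compile(r"^MSEO Server\s+\(\s*(\d+)\)\s+(\S+)\s+(\d+)$")


@dataclass
class CgconfigReport:
    os_name: str = ""
    non_mseo_devices: list = field(default_factory=list)  # (number, index, path)
    mseo_devices: list = field(default_factory=list)      # same shape (assumed)
    servers: list = field(default_factory=list)           # (address, port)


def parse_cgconfig_list(text):
    """Walk the output section by section; separator and column-header lines
    are skipped because they match neither regex."""
    report = CgconfigReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("OS ="):
            report.os_name = line.split("=", 1)[1].strip()
        elif line.startswith("List of Non MSEO Devices"):
            section = "non_mseo"
        elif line.startswith("List of MSEO Devices"):
            section = "mseo"
        elif line.startswith("List of MSEO server connection"):
            section = "servers"
        elif section == "servers":
            m = SERVER_RE.match(line)
            if m:
                report.servers.append((m.group(2), int(m.group(3))))
        elif section is not None:
            m = DEVICE_RE.match(line)
            if m:
                row = (int(m.group(1)), m.group(2), m.group(3))
                if section == "non_mseo":
                    report.non_mseo_devices.append(row)
                else:
                    report.mseo_devices.append(row)
    return report


def unprotected_devices(report):
    """Paths of local tape devices that NetBackup can still write to without
    MSEO protection (step 20 requires them to be configured)."""
    return [path for _, _, path in report.non_mseo_devices]


def findings(report):
    """What still needs attention before MSEO-protected backups can run;
    an empty list means nothing was flagged."""
    out = []
    for path in unprotected_devices(report):
        out.append(f"{path} is not configured for MSEO protection")
    if not report.servers:
        out.append("no Security Server connection is configured for this agent")
    return out


if __name__ == "__main__":
    for line in findings(parse_cgconfig_list(SAMPLE_OUTPUT)):
        print("WARNING:", line)
```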
Installing MSEO Security Server on Windows
MSEO can be installed in a standalone configuration, with both Security Server
and MSEO Agent software running on the same host, or in a distributed
configuration, with a centralized Security Server installed on one host and the
MSEO Agent installed on all the other hosts. Standalone configurations are not
recommended for large-scale NetBackup configurations because of the ongoing
maintenance required to synchronize Security Servers. A distributed
configuration is intended for large-scale NetBackup configurations in order to
maintain policies and keys in one central repository, the Security Server
database directory.
Changes made in a standalone MSEO installation are only applied to the local
media server. Multiple standalone MSEO configurations in an enterprise backup
solution require you to propagate the configuration changes made on one
media server to the other standalone MSEO installations. Otherwise, the MSEO
installations become unsynchronized and the media servers in the NetBackup
configuration will not be able to restore a backup image that was created on a
different media server.
A single installation utility installs the MSEO Security Server, the MSEO
Agent, or both. The installation utility prompts you to select the package(s)
to install.
The agent software installation utility will issue a warning during the certificate
configuration stage of agent software installation if the agent certificate is
already present in the Security Server .\MSEO\server\pem directory. This
feature protects the Security Server from issuing certificates to fraudulent
entities. You must configure new agent certificates after re-installing agent
software. See Manually renewing SSL certificates on page 151 for details.
To allow for the extra time needed to generate large keys during MSEO software
installation, the timeout for the agent to submit a request, and for the
Security Server to sign and return the agent certificate to the agent, is three
minutes.
The installation utility:
Prompts you to install just the Media Server Encryption Option Security
Server, the MSEO Agent, or both
Installs the binaries (executables and libraries)
If installing the Security Server, installs database files in
.\MSEO\server\db
Installs the resource file, MessageResource.rc, and the configuration file
.\MSEO\server\config\cgadmin.cfg for the Security Server or
.\MSEO\agent\conf\sbadmin.cfg for the MSEO Agent
Creates a default symmetric key and policy
Starts the MSEO Security Server and MSEO Agent services for continuous
background operation
The default installation directory is C:\Program Files\Vormetric\MSEO.
Note: MSEO requires a homogenous network security environment. If the
Security Server is configured for SSL, then the other Security Servers that it
communicates with and its agents must also be configured for SSL. See Adding
SSL authentication on page 156 for details.
Note: The MSEO installation utility cannot perform incremental installations.
That is, if you install one package, such as the MSEO Security Server software,
you cannot rerun the installation utility a second time to install just the agent
software. The installation utility assumes you just want to update the existing
installation(s). See To install a MSEO software package on a host that already
has a MSEO installation: on page 57 for information about how to install one
package when one is already on the current system.
To install MSEO Security Server software and/or MSEO Agent software on a
Windows media server:
1 Check Requirements on page 19 and the MSEO Release Notes before
proceeding.
2 Log onto the system to run the Security Server as the administrative user.
This may be any media server in the NetBackup configuration.
3 Ensure that there are no active backup processes running on the current
media server.
The local tape devices should be idle. If necessary, wait for the media server
to complete all NetBackup tasks. If you run a MSEO command that is used to
modify the configuration of a NetBackup media server, and that media
server is active, the command is discarded and the following message is
displayed in the terminal window: NetBackup tape devices are currently
active. Launch this tool later.
4 If you are copying Media Server Encryption Option installation software
across the network, copy it onto the local system.
5 If the Media Server Encryption Option software is provided on external
media, such as a CD-ROM or DVD, insert the media in a local drive and
locate the installation software in a Windows Explorer window.
6 Double-click the installation executable for your system.
Three executable files are provided for installing Media Server Encryption
Option software, one of which is appropriate for your flavor of Windows.
The files are as follows:
MSEO_32bit.exe
MSEO_X64.exe
MSEO_IA64.exe
These correspond to 32-bit x86, 64-bit x86, and 64-bit Itanium hardware
systems, respectively. A dialog box opens if you select the wrong executable
and the executable then exits without making any system changes.
The Welcome window opens and prompts you to continue:
7 Click Next.
The License Agreement window opens.
8 Read the license agreement and click Yes to continue or No to cancel
installation.
Assuming you clicked Yes, the Customer Information window opens.
9 Enter a name or email address in the User Name text-entry box.
The default is the current system owner name.
10 Enter the name of your corporation or business name associated with this
installation in the Customer Name text-entry box.
The default is the current system company name.
11 Click Next.
The Setup Type window opens.
12 Select the software package or packages to install.
Your choice is Agent, Server, or Both. Agent installs just the MSEO Agent
software. Server installs just the Media Server Encryption Option server
software. Both installs both the MSEO Agent and Security Server software
packages on the local host.
Note: The following steps in this example assume you selected Both. If you
select Agent or Server you will skip some of the steps shown below.
13 Click Next.
The Choose Destination window opens.
14 Change the installation directory or use the default.
The default installation directory is
C:\Program Files\Vormetric\MSEO.
Note: If the Vormetric 3.x CoreGuard for Windows Policy Enforcement
Module (PEM) software is installed on a Windows media server and you are
about to install the MSEO Agent or MSEO Security Server software on the
same media server, you should install the agent or server software in a
different directory from the default, because if you use the default MSEO
installation directory and later remove the Vormetric 3.x PEM software, the
MSEO software is removed with it.
15 Click Next.
The Input Server Information window opens.
16 Enter the SSL network information for the server.
This window configures the SSL server connection for agent-server
communication. Enter the fully-qualified domain name or IP address of the
local system. If you enter just the hostname, such as win40130,
configuration will complete but NetBackup will fail. Appropriate examples
are win40130.qa.com and 10.3.40.130. Also, enter the listening port
number for the server. The default is 8040.
Note: SSL authentication requires certificates, and each certificate contains
a CN value. The SSL CN value specifies the network ID of the agent or
server. The CN value must match the DNS name or IP address of the agent
or server for which the SSL certificate is generated. This means that once
configured, you must always refer to the agent or server using the same
configured IP address or DNS name. If you configure the agent or server
with an IP address, you cannot reference the agent or server with the
corresponding DNS name. If you configure the agent or server with DNS
name, you cannot reference the agent or server with the corresponding IP
address. Also, if you change the DNS name or IP address of an agent or
server, you must regenerate and re-exchange certificates.
17 Click Next.
A dialog box opens that prompts you to verify that you want to use the
specified SSL port.
18 Click Yes.
Another dialog box opens that prompts you to indicate if you want to
designate the local Security Server installation as the primary Security
Server on which to generate the authentication certificates for agents and
other Security Servers.
19 Click Yes to make the local server the signer server.
The signer server provides a digital signature with which to sign SSL
certificates that prove the server or agent is who it says it is. At least one
server must be designated as the signer server.
Click Yes if this is the only Security Server or if this is the first of several
Security Servers to be configured. Afterwards, the Input Server Information
window re-opens.
If you click No, stop here and continue with Installing a secondary Security
Server on Windows on page 58.
20 Enter the server port number to use for signing certificates.
The default is 8085.
21 Enter a bit-size for the key used to sign certificates.
Enter 512, 1024, 2048, or 4096. The default is 1024.
22 Click Next.
If you are installing agent software, the Server-Agent Communication
window opens.
23 Enter the fully-qualified domain name or IP address of the local system.
24 Click Next.
The Server-Agent Communication window re-opens.
25 Enter the SSL network information of the server for the local agent.
This window configures the SSL server connection for agent-server
communication. Enter the fully-qualified domain name or IP address of the
Security Server system. If you enter just the hostname, such as win40130,
configuration will complete but NetBackup will fail. Appropriate examples
are win40130.qa.com and 10.3.40.130. Also, enter the listening port
number for the server. The default is 8040.
26 Click Next.
The Server-Agent Communication window re-opens.
27 Click Next.
A dialog box opens that prompts if you want to configure more servers for
the local agent.
28 Click Yes to configure secondary Security Servers for the agent to contact if
the primary server becomes unavailable.
If you click Yes, the Server-Agent Communication window re-opens for you
to enter the domain name/IP address and port number of another server.
Repeat this cycle for each additional secondary server to configure.
Click No if the agent is to contact just the one server you configured earlier.
You can click No now and configure secondary servers at a later time.
29 Click Next.
The Start Copying Files window opens to display the installation
parameters you had set.
30 Review the installation parameters before proceeding and click Back to
make any corrections.
31 Click Next.
Installation begins.
If you are configuring the local server as the primary server that will sign
agent-server certificates, the SSL Configuration for Security Servers
window opens. Leave the Host/IP text-entry box empty and click Next if you
do not want other servers to submit certificate requests to the local server.
If you want to configure other servers, enter the domain name/IP address of
a Security Server that will be allowed to submit certificate requests to the
local server, then click Next. This cycle repeats until you leave the Host/IP
text-entry box empty and click Next.
If you are installing agent software, the SSL Configuration for Agents
window opens. Leave the Host/IP text-entry box empty and click Next if you
do not want to configure agents to use the local server at this time. If you
want to configure agents now to access the local server, and use the default
MSEO policy, enter the domain name/IP address of the agent, then click
Next. This cycle repeats until you leave the Host/IP text-entry box empty
and click Next.
The Installation finished window opens.
32 Click Finish.
Installation is complete.
33 You may also need to adjust the NetBackup SIZE_DATA_BUFFERS
parameter downward on media servers that run MSEO Agent software. This
provides additional free space in the data buffer to accommodate MSEO
metadata without exceeding the maximum tape block size. See Managing
tape blocks on page 159.
To install a MSEO software package on a host that already has a MSEO
installation:
MSEO installation comprises two software packages: Security Server and MSEO
Agent. If you already have one package installed, you cannot use the
MSEO-supplied installation utility to install the other package. If you use the
MSEO-supplied installer on Windows media servers, it automatically assumes
you are updating the existing software package and doesn't give you the option
to install the other package. You must use Add or Remove Programs instead.
When you use Add or Remove Programs, you cannot specify the source file for
the package to be installed because a complete image of the MSEO installation is
stored under the C:\Windows directory hierarchy, and that image is loaded into
the installer. That is, if you have several builds on your system and you installed
a package from one of them, the other package from the same build will be
installed. This ensures that both the Security Server and MSEO Agent, when
installed on the same media server, will have identical version numbers.
1 Select Start->Control Panel->Add or Remove Programs.
Your actual path may vary.
2 Select Media Server Encryption Option.
3 Click Change/Remove.
The Media Server Encryption Option Welcome window opens.
4 Enable the Modify radio button.
The InstallShield Wizard Select Features window opens. The server or
agent checkbox should already be enabled.
5 Enable the checkbox for the packages to add.
Both packages (server and agent) should be enabled at this point. If a
package is already installed, and you disable the checkbox, it will be
removed.
6 Click Next.
The package you selected will be installed, and the package that was
enabled when you initially opened the Welcome window will be updated if
changes had occurred.
The new software is installed in the same directory as the existing software.
For example, assuming the server software is already installed and you just
added the MSEO Agent software: if the server installation is in C:\Program
Files\Vormetric\MSEO\server, the MSEO Agent software will be
installed in C:\Program Files\Vormetric\MSEO\agent.
7 Click Finish.
Installing a secondary Security Server on Windows
A secondary server is a MSEO Security Server that is used in the event the
primary Security Server becomes unavailable, or you want to balance the load
between multiple Security Servers.
A secondary Security Server can be configured with the same keys, policies, and
configuration as the primary server, with the exception of being able to sign
certificates. The secondary server and agent certificates are generated during
Security Server software installation. The keys and policies must be manually
copied.
The primary Security Server and secondary Security Servers can be on different
platforms with different operating systems.
To configure a Windows Security Server as a secondary Security Server:
1 Get the IP address or FQDN of the primary Security Server.
This is the same primary Security Server that is configured to sign
certificates. You will need to specify the same fully qualified domain name
(FQDN) or IP address that was originally used to configure the primary
Security Server. The primary Security Server must be accessible across the
network.
2 Check that the agents that are to use this Security Server are accessible on
the network.
Certificates are exchanged between the secondary server and agents during
software installation. You will need to specify the same fully qualified
domain name (FQDN) or IP address that was originally used to configure the
agents. Specifying agents now is optional but it is easier to configure agents
and exchange certificates automatically during Security Server installation
than it is to configure agents and exchange certificates manually later.
3 Log onto the primary Security Server.
4 Add the secondary Security Server to the primary Security Server database
directory.
Adding the secondary Security Server to the database allows the primary
Security Server to recognize and communicate with the secondary Security
Server. There are two ways to add the secondary Security Server:
Use the cgadmin command to add the secondary Security Server to the
primary Security Server database directory.
The syntax is:
# cgadmin add host hname policy pname
where hname is the IP address or FQDN of the secondary Security
Server system and pname is the name of a policy on the primary
Security Server. For example,
# cgadmin add host 10.3.34.31 policy default
Open the MSEO Server Console; select Edit->Add->Host; enter the IP
address or FQDN of the secondary Security Server system; select the
policy to apply; and click Add Host.
5 Log onto the secondary Security Server.
6 Run the Windows Security Server installation utility, as described in
Installing MSEO Security Server on Windows on page 51.
In this example, only Security Server software is installed.
7 Stop and return to this process flow when you are prompted to specify if the
local system, the secondary Security Server, is to sign certificates or not.
Figure 2-6 Making the local system a secondary Security Server
8 Click No.
The Signer Server Information window opens.
9 Enter the network identifier of the primary Security Server in the Host/IP
text-entry box.
Only IP addresses and fully-qualified domain names are allowed. You must
use the same network identification that was used to configure the primary
Security Server initially. If the primary Security Server is configured with
an FQDN, you must enter that same FQDN. If the primary Security Server is
configured with an IP address, you must enter that same IP address.
Appropriate examples are lnx40130.qa.com and 10.3.40.130.
10 Enter the server signing port number.
Port 8085 is the default port for server-server connections involving
configuration changes and certificate exchange.
11 Enter the bit-size for the server key.
Your choices are: 512, 1024, 2048, or 4096. The default is 1024. Unless
you have a pressing need to increase the bit-size, use the default. The larger
the key size the longer the key generation time.
12 Click Next.
The Start Copying Files window opens to display the installation
parameters you had set.
13 Review the installation parameters before proceeding and click Back to
make any corrections.
14 Click Next.
Installation begins.
The primary Security Server signer certificate is displayed after a few
minutes and you are prompted to accept or decline the certificate.
15 Inspect the signer certificate information to ensure validity.
Check to verify that you are not receiving a spoofed signer certificate. Check
the date. If you had just generated the server certificates, the Not Before
field in the file will show yesterday's date. (The MSEO certificate generation
utility configures the start date of the signer certificate with the time and
date the certificate is generated, minus 24 hours, to permit immediate
agent-server communication, even when the agent and server system
clocks are off a little bit.) Check the Organization (O), Organizational Unit
(OU), and Common Name (CN) values. The Organization is always set to
CoreGuard. The Organizational Unit is always set to Signer on
hostName, where hostName is the name of the system that is running the
Security Server. The Common Name is the IP address or DNS name that was
used to create the server certificates.
Figure 2-7 Inspecting the primary Security Server signer certificate
16 Click Next to accept the signer certificate.
You can also click Quit to decline the certificate and exit the installation
utility.
The Configuration for Agents window opens.
17 Enter the FQDN or IP address of an agent that you want to be serviced by the
secondary server in the Host/IP text-entry box.
Enter the same FQDN or IP address that was originally used to configure the
agent, or leave the Host/IP text-entry box empty to configure agents later.
18 Click Next.
The Configuration for Agents window opens again if you had entered an
FQDN or IP address in the Host/IP text-entry box. This cycle repeats until
you leave the Host/IP text-entry box empty and click Next.
When you leave the Host/IP text-entry box empty and click Next the
installation utility starts the MSEO Security Server and opens the
Installation finished window.
19 Click Finish.
Installation is complete.
20 Back up the primary Security Server keys and policies, and restore them on
the secondary Security Server, as described in Exporting encryption keys
on page 97 and Importing encryption keys on page 98.
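The signer-certificate inspection in step 15 above (the same check as step 16 of the UNIX agent installation, and the CN rule from the SSL note in the Security Server installation), as an added example that is not MSEO's own code: it parses a signer certificate in OpenSSL text form and applies the O, OU, CN and Not Before rules the guide gives. The sample certificate text is constructed (only the serial comes from the page), and the 48-hour freshness window and the function names are assumptions.

```python
"""Check a signer certificate, as displayed by the MSEO installer, against the
values the guide says to inspect.  Added example, not MSEO's own code."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in OpenSSL text form.  O, OU and CN follow the guide's
# rules, the serial is the one shown earlier, and the dates are made up.
SAMPLE_SIGNER_CERT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3d:b6:dd:12:94:82:85:4d
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=CoreGuard, OU=Signer on lnx25138, CN=lnx25138.qa.com
        Validity
            Not Before: Apr 14 09:30:00 2008 GMT
            Not After : Apr 14 09:30:00 2018 GMT
        Subject: O=CoreGuard, OU=Signer on lnx25138, CN=lnx25138.qa.com
"""


def utc(year, month, day, hour=0, minute=0):
    """Timezone-aware UTC timestamp, used as 'now' in the checks."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def _parse_name(line):
    """'O=CoreGuard, OU=Signer on x, CN=y' -> {'O': ..., 'OU': ..., 'CN': ...}"""
    fields = {}
    for part in line.split(", "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def _parse_openssl_time(text):
    """'Apr 14 09:30:00 2008 GMT' -> aware datetime (OpenSSL pads the day)."""
    text = " ".join(text.split())
    if text.endswith(" GMT"):
        text = text[:-4]
    return datetime.strptime(text, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def parse_cert_text(text):
    """Pull Subject, Issuer and Not Before out of 'openssl x509 -text' output."""
    cert = {"subject": {}, "issuer": {}, "not_before": None}
    m = re.search(r"^\s*Subject:\s*(.+)$", text, re.M)
    if m:
        cert["subject"] = _parse_name(m.group(1))
    m = re.search(r"^\s*Issuer:\s*(.+)$", text, re.M)
    if m:
        cert["issuer"] = _parse_name(m.group(1))
    m = re.search(r"^\s*Not Before:\s*(.+)$", text, re.M)
    if m:
        cert["not_before"] = _parse_openssl_time(m.group(1))
    return cert


def inspect_signer_cert(text, expected_cn, signer_hostname, now, freshly_generated=True):
    """Return a list of problems; empty means the certificate looks like the
    genuine signer certificate the guide describes.

    expected_cn       - the IP address or DNS name used to create the server
                        certificates; the CN must match it exactly
    signer_hostname   - host running the Security Server ("Signer on <host>")
    freshly_generated - Not Before is set to generation time minus 24 hours,
                        so a just-generated certificate should be about a day
                        old; 48 hours is an assumed tolerance for clock skew
    """
    cert = parse_cert_text(text)
    subject, not_before = cert["subject"], cert["not_before"]
    problems = []
    if subject.get("O") != "CoreGuard":
        problems.append(f"O is {subject.get('O')!r}, expected 'CoreGuard'")
    if subject.get("OU") != f"Signer on {signer_hostname}":
        problems.append(f"OU is {subject.get('OU')!r}, expected 'Signer on {signer_hostname}'")
    if subject.get("CN") != expected_cn:
        problems.append(f"CN is {subject.get('CN')!r}, expected {expected_cn!r}")
    if not_before is None:
        problems.append("Not Before field is missing")
    elif not_before > now:
        problems.append("Not Before is in the future; check the clocks or decline")
    elif freshly_generated and now - not_before > timedelta(hours=48):
        problems.append("Not Before is older than expected for a just-generated certificate")
    return problems


if __name__ == "__main__":
    for p in inspect_signer_cert(SAMPLE_SIGNER_CERT, "lnx25138.qa.com",
                                 "lnx25138", utc(2008, 4, 15, 9, 45)):
        print("PROBLEM:", p)
```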
Installing MSEO Agent on Windows
The same installation utility is used to install Security Server and/or MSEO
Agent software. See Installing MSEO Security Server on Windows on page 51.
Upgrading MSEO
This section describes the upgrade process.
The upgrade process does not overwrite existing database information. All the
MSEO database files remain intact when you upgrade the MSEO software on the
local system. All the default files created from a previous installation, such as
the default policy, key, group, access file, etc., are not regenerated and are not
overwritten. If you want to run MSEO as a fresh installation, back up the current
installation, remove the MSEO software, and then reinstall it from scratch.
Upgrading MSEO Security Server on a UNIX host
To upgrade MSEO Security Server on a UNIX host:
1 Ensure that there are no active backup processes running on the current
media server.
The local tape devices should be idle. If necessary, wait for the media server
to complete all NetBackup tasks. If you run a MSEO command that is used to
modify the configuration of a NetBackup media server, and that media
server is active, the command is discarded and the following message is
displayed in the terminal window: NetBackup tape devices are currently
active. Launch this tool later.
2 Save the current Security Server configuration. See Making Backups on
page 148.
The current configuration should remain intact during the upgrade
procedure. Backing up the configuration is only a precaution.
3 If the Media Server Encryption Option software is provided on external
media, such as a CD-ROM or DVD, insert the media in a local drive and
locate the installation software in a terminal window.
4 If necessary, untar the MSEO installation package.
For example,
# tar xvf mseo.sparc.server.tar
Depending upon the platform, files like installmseo.server and
mseo-server.sparc.5.10.pkg, or, installmseo.linux.server and
mseo-server-6.1.0-rhel4.x86_64.rpm, are extracted.
5 Run the server installation utility.
# ./installmseo.server (Solaris)
# ./installmseo.server.linux (Linux)
6 Enter yes to accept the license agreement or no to decline the license and
exit the installation wizard.
After you enter yes, the Media Server Encryption Option installation
wizard notices the existing Security Server installation and prompts you to
upgrade the existing installation. For example, on a Solaris Security Server
the prompt may look like:
Media Server Encryption Option Security Server with Version:
MSEO-6.1.0-Solaris-Sparc-64-Build8 is currently installed.
Do you want to upgrade? (yes|no):
7 Enter yes to commence upgrade or no to cancel upgrade and exit the
installation wizard.
If you enter yes, upgrade begins:
Starting Upgrade
Processing package instance <MSEO-Server> from
</home/bcobain/tmp/cgsbnbu_svrAgent_solaris-Build0056/mseo-server.sparc.5.8.pkg>
Media Server Encryption Option Security Server
(sparc) MSEO-6.1.0-Solaris-Sparc-64-Build56
Symantec, Inc.
syslog service starting.
...
Installation of <MSEO-Server> was successful.
Upon completion, you are prompted to enter the IP address or DNS name of
agents to configure with this Security Server.
You can now configure agents (which will use the default policy)
for this server.
Enter the fully qualified domain name or IP address of the next
agent (or just <Enter> if done):
8 Enter the IP addresses or DNS names of agent systems to be administered by
this Security Server.
Each time you enter an IP address or DNS name you are prompted to enter
the IP address or DNS name of the next agent. Press <Enter> when there are
no additional agents to configure at this time and for the installation
process to complete. For example:
Enter the fully qualified domain name or IP address of the next
agent (or just <Enter> if done): 10.2.0.169
LOG[AUDIT]Host 10.2.0.169 has been added successfully.
Enter the fully qualified domain name or IP address of the next
agent (or just <Enter> if done):
###############################################################
# The Media Server Encryption Option Security Server has #
# been Installed Successfully. #
###############################################################
9 Verify the upgrade.
Check that the sbnbusd process is running and use the pkginfo command
to display the MSEO-Server installation. These are explained in Installing
MSEO Security Server on UNIX systems on page 26.
To upgrade MSEO agent on a UNIX host:
1 Ensure that there are no active backup processes running on the current
media server.
The local tape devices should be idle. If necessary, wait for the media server
to complete all NetBackup tasks. If you run a MSEO command that is used to
modify the configuration of a NetBackup media server, and that media
server is active, the command is discarded and the following message is
displayed in the terminal window: NetBackup tape devices are currently
active. Launch this tool later.
2 Run the agent installation utility as you would a new installation.
Agent installation is described in Installing MSEO Agent on a Solaris
system on page 41 and Installing MSEO Agent on a Linux system on
page 45.
3 Enter yes to accept the license agreement or no to decline the license and
exit the installation wizard.
After you enter yes, the Media Server Encryption Option installation utility
notices the existing agent installation and prompts you to upgrade the
existing installation. For example:
Media Server Encryption Option Agent with Version:
MSEO-6.1.0-Solaris-Sparc-64-Build26 is currently installed.
Do you want to upgrade? (yes|no):
4 Enter yes to commence upgrade or no to cancel upgrade and exit the
installation wizard.
If you enter yes, upgrade begins and completes without any additional user
input. For example:
Processing package instance <MSEO-Agent> from
</home/bcobain/tmp/mseo_sparc-Build0056/mseo-agent.sparc.5.8.pkg>
Media Server Encryption Option Agent
(sparc) MSEO-6.1.0-Solaris-Sparc-64-Build56
Symantec, Inc.
## Executing checkinstall script.
## Processing package information.
## Processing system information.
115 package pathnames are already properly installed.
Installing Media Server Encryption Option Agent as <MSEO-Agent>
...
...
Installation of <MSEO-Agent> was successful.
###############################################################
# Media Server Encryption Option Agent Software has been #
# Installed Successfully. #
###############################################################
#
5 Verify the upgrade.
Check that the sbnbucd process is running and use the pkginfo command
to display the MSEO-Agent installation. These are explained in Installing
MSEO Agent on UNIX systems on page 40.
Upgrading MSEO Security Server and Agent on a Windows host
To upgrade MSEO on a Windows host:
1 Log onto the Windows host as an administrative user.
2 Ensure that there are no active backup processes running on the current
media server.
The local tape devices should be idle. If you run a MSEO command that is
used to modify the configuration of a NetBackup media server, and that
media server is active, the command is discarded and the following message
is displayed in the terminal window: NetBackup tape devices are currently
active. Launch this tool later.
3 Save the current Security Server configuration. See Making Backups on
page 148.
The current configuration should remain intact during the upgrade
procedure. Backing up the configuration is only a precaution.
4 If newer Media Server Encryption Option installation software is provided
by the network, copy it onto the local system.
5 If newer Media Server Encryption Option software is provided on external
media, such as a CD-ROM or DVD, insert the media in a local drive and
locate the installation software in a Windows Explorer window.
6 Double-click the installation executable for your system.
Three executable files are provided for installing Media Server Encryption
Option software, one of which is appropriate for your flavor of Windows.
The files are as follows:
MSEO_32bit.exe
MSEO_X64.exe
MSEO_IA64.exe
These correspond to 32-bit x86, 64-bit x86, and 64-bit Itanium hardware
systems, respectively. A dialog box opens if you select the wrong executable
and the executable then exits without making any system changes.
When the correct file is executed, the installation utility notes if there is an
existing configuration on the host. If there is, the installation utility will
perform the following:
If the version of software being installed is newer than the version
currently on the system, a dialog box opens that prompts you to
continue with the message: This setup will perform an upgrade of
Media Server Encryption Option. Do you want to continue?
Figure 2-8 Upgrade continuation prompt
If the version of software being installed is the same as the version
currently on the system, the Welcome window opens in which to
specify a desired action.
Figure 2-9 Installation Welcome window to reinstall the same version
7 If the version of software being installed is newer than the version
currently on the system, click Yes in the dialog box.
No additional input is required. The installation utility upgrades the
current Security Server and/or MSEO Agent installations. Note that if a
newer version of MSEO software is being installed, and you already have
one software package (like Security Server or MSEO Agent) installed, you
are not given the option to add the other package at the same time. See To
install a MSEO software package on a host that already has a MSEO
installation: on page 57 for details.
Upon completion, a window opens prompting you to reboot now or defer
reboot until later. You must reboot to use the updated MSEO software.
8 If the version of software being installed is the same as the version currently
on the system, click Repair to reinstall MSEO software.
9 If the version of software being installed is the same as the version currently
on the system, click Next.
The installation utility begins to update the Media Server Encryption
Option installation. Upon completion, a window opens prompting you to
reboot now or defer rebooting until later. You must reboot to use the
updated Media Server Encryption Option software.
10 Enable the Yes, I want to restart my computer now. toggle.
11 Click Finish.
You can resume using Media Server Encryption Option after the system
boots up.
Removing Media Server Encryption Option
MSEO is divided between two software packages on UNIX systems,
MSEO-Agent for MSEO Agent hosts and MSEO-Server for Security Server
hosts.
Note: Back up the MSEO installation before you remove it. The removal process
can also remove the encryption keys that are required to restore MSEO backup
images. If you do not have the right keys, you cannot restore tape backups.
Back up the Security Server by exporting the MSEO database. Back up the agent
directory using standard system copy commands.
Removing Media Server Encryption Option agent software
The MSEO Agent removal process:
Changes all MSEO tape devices in NetBackup back to non-MSEO tape
devices.
Kills the MSEO Agent daemon, sbnbucd.
Removes the MSEO tape drive module from the host kernel.
Back up the MSEO installation directory before removing it. Back it up onto
media from which you can retrieve the contents without running MSEO.
You may need this data later to re-install the MSEO software, or you may
need to download the keys and policies to a different MSEO Agent-enabled
media server to read a MSEO encrypted archive.
To remove the MSEO Agent software from a UNIX system:
1 Ensure that there are no active backup processes running on the current
media server.
The local tape devices should be idle. If necessary, wait for the media server
to complete all NetBackup tasks. If you run a MSEO command that is used to
modify the configuration of a NetBackup media server, and that media
server is active, the command is discarded and the following message is
displayed in the terminal window: NetBackup tape devices are currently
active. Launch this tool later.
Note: If you remove software while backups are in progress, the device
paths in NetBackup will not revert from /dev/mseo/... back to
/dev/rmt/.... The devices will complete the current backup jobs and
then become totally unusable for future jobs because the MSEO Agent
software is no longer installed. If you delete the MSEO Agent while MSEO
devices are in use, you must use the NetBackup Administration Console to
manually change the devices back to /dev/rmt/....
2 Log onto a MSEO Agent host as the root user.
In a standalone configuration, the MSEO Agent and Security Server run on
the same media server. In a mixed configuration, log onto and remove the
MSEO Agent from media servers running only MSEO Agent software first,
then log onto and remove the MSEO Agent from media servers running
both MSEO Agent and Security Server software.
3 On Linux systems, execute the rpm command with the name of the MSEO
Agent software package. This software package name can change between
releases, so look for installed packages with mseo in the name. For
example:
# rpm -qa | grep mseo
mseo-agent-6.1.0-rhel3
mseo-server-6.1.0-rhel3
# rpm -e mseo-agent-6.1.0-rhel3
Credentials 'default' successfully removed.
#
4 On Solaris systems, execute the pkgrm command with the name of the
MSEO Agent software package:
# pkgrm MSEO-Agent
The following package is currently installed:
MSEO-Agent Media Server Encryption Option Agent
(sparc) MSEO-6.1.0-Solaris-Sparc-64-Build56
The pkgrm command prompts you to remove the specified package: Do
you want to remove this package?
5 On Solaris systems, enter yes to continue package deletion or no to
cancel.
6 On Solaris systems, the pkgrm command prompts you a second time to
verify that you, indeed, want to remove the package:
Do you want to continue with the removal of this package
[y,n,?,q]
7 On Solaris systems, enter y to continue package deletion or n to cancel.
The pkgrm command proceeds to remove the current agent installation. No
additional input is required.
...
## Verifying package dependencies.
## Processing package information.
## Executing preremove script.
OS = Solaris
...
/opt/vormetric/mseo/agent/bin
/opt/vormetric/mseo/agent <non-empty directory not removed>
## Executing postremove script.
## Updating system information.
Removal of <MSEO-Agent> was successful.
#
8 Verify the MSEO Agent daemon is not running.
# ps -ef | grep sbnbucd
Nothing should be returned. Use the sbinit command with the stop
argument to stop the MSEO Agent daemon, if it is currently active.
9 Verify MSEO Agent removal using the UNIX modinfo command:
# modinfo | grep vmtape
Nothing should be returned.
To remove the MSEO Agent software from a Windows system:
1 Wait for all the MSEO Agent hosts that are registered with the Security
Server to complete their NetBackup tasks.
Do not proceed while any MSEO Agent is actively performing NetBackup
tasks.
2 Log onto a MSEO Agent host as an administrative user.
In a standalone configuration, the MSEO Agent and Security Server run on
the same media server. In a mixed configuration, log onto and remove the
MSEO Agent from media servers running only MSEO Agent software first,
then log onto and remove the MSEO Agent from media servers running
both MSEO Agent and Security Server software.
3 Select Start->Control Panel->Add or Remove Programs.
4 Select Media Server Encryption Option.
5 Click Change/Remove.
The InstallShield Wizard Welcome window opens.
6 Select the Modify radio button.
If you select Remove, rather than Modify, you will remove all MSEO
software, including the keys.
7 Click Next.
The InstallShield Wizard Select Features window opens. Server and/or
Agent should be listed and the selection checkboxes enabled.
8 Enable the checkboxes for the packages to remove.
Both packages are enabled by default.
If you enable just the agent checkbox, only the MSEO Agent installation
is removed. The server portion remains intact, including the Security
Server keys.
If you enable just the server checkbox, most of the server installation is
removed. The keys in the .\MSEO\server\db\key directory remain
intact. This allows you to re-install the Security Server software at a
later time and re-use the old keys; however, if you remove the old keys
before re-installing the Security Server software, the installer will
generate a new set of keys when the server is installed again.
If you enable both checkboxes, all MSEO software will be removed
entirely, including the keys.
When MSEO is uninstalled the whole install directory, including the keys,
will be removed.
9 Click Next.
The Media Server Encryption Option package(s) are removed, and a window
opens prompting you to reboot the system.
10 Select the Yes, I want to restart my computer now radio button.
11 Click Finish.
You are done removing the software and the system will reboot.
12 When the system boots up, verify MSEO Agent removal by looking for
x:\Windows\system32\drivers\vmtape.sys and x:\Program
Files\Vormetric\MSEO. The file and the directory should be gone.
Removing Media Server Encryption Option Security Server software
The Security Server removal process does the following:
Kills the UNIX Security Server daemon, sbnbusd, or kills the Windows
MSEO Security Server service
Removes all symbolic links to the MSEO installation from files in system
directories such as /sbin and /etc, or removes MSEO entries in the
Windows registry and files in Windows system directories
Attempts to remove the /opt/vormetric/mseo directory, or remove
wherever you installed the Security Server on a Windows system (all the
files that you created after installing the server software, such as policies
and keys, remain intact to protect from accidental deletion -- you must
remove these files manually)
Note: Back up the MSEO installation directory before removing it. Back it up onto
media from which you can retrieve the contents without running MSEO. You
may need this data later to re-install the MSEO software, or you may need to
download the keys and policies to a different MSEO Agent-enabled media server
to read a MSEO encrypted archive.
To remove the MSEO Security Server from a UNIX system:
1 Wait for all the MSEO Agent hosts that are registered with the Security
Server to complete their NetBackup tasks.
Do not proceed while any MSEO Agent is actively performing NetBackup
tasks.
Note: If you uninstall while backups are in progress, the device
paths in NetBackup will not revert from /dev/mseo/... back to
/dev/rmt/.... The devices will complete the current backup jobs and
then become totally unusable for future jobs because the Security Server
software is no longer installed. If you delete the Security Server while MSEO
devices are in use, you must use the NetBackup Administration Console to
manually change the devices back to /dev/rmt/....
2 Log onto the Security Server host as the root user.
In a standalone configuration, the MSEO Agent and Security Server run on
the same media server. In a mixed configuration, remove the MSEO Agent
from the media servers that run only MSEO Agent software first, then from
the media server that runs both MSEO Agent and Security Server software,
and only then remove the Security Server from that host.
3 On Linux systems, execute the rpm command with the name of the MSEO
Security Server software package. This software package name can change
between releases, so look for installed packages with mseo in the name.
For example:
# rpm -qa | grep mseo
mseo-agent-6.1.0-rhel3
mseo-server-6.1.0-rhel3
# rpm -e mseo-server
Credentials 'default' successfully removed.
#
4 On Solaris systems, execute the UNIX pkgrm command with the name of the
MSEO Security Server software package:
# pkgrm MSEO-Server
The following package is currently installed:
MSEO-Server Media Server Encryption Option Security Server
(sparc) MSEO-6.1.0-Solaris-Sparc-64-Build56
The pkgrm command prompts you to remove the specified package: Do
you want to remove this package?
5 On Solaris systems, enter yes to continue package deletion or no to
cancel.
6 On Solaris systems, the pkgrm command prompts you a second time to
verify that you, indeed, want to remove the package:
Do you want to continue with the removal of this package
[y,n,?,q]
7 On Solaris systems, enter y to continue package deletion or n to cancel.
The pkgrm command proceeds to remove the current Security Server
installation. No additional input is required.
...
/opt/vormetric/mseo/server/bin/cgadmin
/opt/vormetric/mseo/server/bin
/opt/vormetric/mseo/server <non-empty directory not removed>
## Executing postremove script.
syslog service starting.
## Updating system information.
Removal of <MSEO-Server> was successful.
8 Verify the Security Server daemon is not running.
# ps -ef | grep sbnbusd
Nothing should be returned. Use the cginit command with the stop
argument to stop the server daemon, if it is currently active.
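The verification steps for the Solaris upgrade (step 5), the UNIX agent removal (steps 8 and 9) and the Security Server removal (step 8) all come down to the same three commands: ps -ef for the daemons, pkginfo or rpm -qa for the packages, and modinfo for the vmtape module. The script below is added here as an example and is not part of MSEO. It parses the output of those commands and lists anything that differs from the state the procedure expects. The sample command output embedded in it is constructed, the daemon paths under /opt/vormetric/mseo are assumed, and the Linux fallbacks (rpm -qa, lsmod) are the editor's assumption about the equivalent Linux commands.

```python
"""Post-upgrade and post-removal checks for MSEO on a UNIX media server.

Added example, not product code. Parses `ps -ef`, `pkginfo` / `rpm -qa` and
`modinfo` / `lsmod` output and compares it with the expected state.
The sample output below is constructed for the example, not captured.
"""
import re
import subprocess

AGENT_DAEMON = "sbnbucd"     # MSEO Agent daemon
SERVER_DAEMON = "sbnbusd"    # Security Server daemon
KERNEL_MODULE = "vmtape"     # MSEO tape driver module


def daemon_running(ps_output, daemon):
    """True if `daemon` is the command on some line of `ps -ef` output.
    Lines containing a grep token are the grep itself and are skipped; tokens
    from column 8 onward are examined so a two-token STIME does not matter."""
    for line in ps_output.splitlines():
        tokens = line.split()
        if "grep" in tokens:
            continue
        if any(t.split("/")[-1] == daemon for t in tokens[7:]):
            return True
    return False


def mseo_packages(pkg_output):
    """MSEO package names found in `pkginfo` (Solaris) or `rpm -qa` (Linux) output."""
    return [t for line in pkg_output.splitlines() for t in line.split()
            if re.fullmatch(r"(?i)mseo-(agent|server)\S*", t)]


def module_loaded(modinfo_output):
    """True if the vmtape module is listed by `modinfo` (Solaris) or `lsmod` (Linux)."""
    return re.search(rf"\b{KERNEL_MODULE}\b", modinfo_output) is not None


def observe(ps_output, pkg_output, modinfo_output):
    """Presence of each MSEO component, derived from the three command outputs."""
    pkgs = mseo_packages(pkg_output)
    return {
        "agent_package": any(p.lower().startswith("mseo-agent") for p in pkgs),
        "server_package": any(p.lower().startswith("mseo-server") for p in pkgs),
        "agent_daemon": daemon_running(ps_output, AGENT_DAEMON),
        "server_daemon": daemon_running(ps_output, SERVER_DAEMON),
        "kernel_module": module_loaded(modinfo_output),
    }


def problems(observed, expect_agent, expect_server):
    """One message per component whose presence differs from what the procedure expects."""
    expected = {"agent_package": expect_agent, "agent_daemon": expect_agent,
                "kernel_module": expect_agent,
                "server_package": expect_server, "server_daemon": expect_server}
    return [f"{item}: {'present' if observed[item] else 'absent'}, expected "
            f"{'present' if want else 'absent'}"
            for item, want in expected.items() if observed[item] != want]


def observe_live():
    """Run the real commands on this host (run as root on the media server)."""
    def run(cmd):
        try:
            return subprocess.run(cmd, capture_output=True, text=True).stdout
        except FileNotFoundError:
            return ""
    pkgs = run(["pkginfo"]) or run(["rpm", "-qa"])     # Solaris, then Linux (assumed)
    mods = run(["modinfo"]) or run(["lsmod"])          # Solaris, then Linux (assumed)
    return observe(run(["ps", "-ef"]), pkgs, mods)


# Constructed samples: a standalone host after an upgrade, and a host after both removals.
PS_AFTER_UPGRADE = """\
     UID   PID  PPID   C    STIME TTY         TIME CMD
    root     1     0   0   Jan 12 ?           0:01 /sbin/init
    root  4711     1   0 10:58:16 ?           0:03 /opt/vormetric/mseo/agent/bin/sbnbucd
    root  4720     1   0 10:58:20 ?           0:02 /opt/vormetric/mseo/server/bin/sbnbusd
    root  4802  4790   0 11:02:41 pts/1       0:00 grep sbnbucd
"""
PKGINFO_AFTER_UPGRADE = """\
system      SUNWcsr      Core Solaris, (Root)
application MSEO-Agent   Media Server Encryption Option Agent
application MSEO-Server  Media Server Encryption Option Security Server
"""
MODINFO_AFTER_UPGRADE = """\
 Id Loadaddr   Size Info Rev Module Name
  1  1000000   4ba0   1   1  specfs (filesystem for specfs)
245  7a2c0000  9f18 283   1  vmtape (MSEO tape driver)
"""
PS_AFTER_REMOVAL = ("     UID   PID  PPID   C    STIME TTY         TIME CMD\n"
                    "    root  4802  4790   0 11:02:41 pts/1       0:00 grep sbnbucd\n")
PKGINFO_AFTER_REMOVAL = "system      SUNWcsr      Core Solaris, (Root)\n"
MODINFO_AFTER_REMOVAL = "  1  1000000   4ba0   1   1  specfs (filesystem for specfs)\n"

if __name__ == "__main__":
    # After a full removal nothing should remain; pass expect_agent=True after an agent upgrade.
    for msg in problems(observe_live(), expect_agent=False, expect_server=False):
        print(msg)
```

Run it after an upgrade with expect_agent=True (and expect_server=True on a standalone host) and after a removal with both False; an empty result means the host is in the state the procedure describes. A leftover /opt/vormetric/mseo directory is normal after pkgrm (the preserved keys and policies live there) and is deliberately not flagged.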
To remove the MSEO Security Server from a Windows system:
1 Wait for all the MSEO Agent hosts that are registered with the Security
Server to complete their NetBackup tasks.
Do not proceed while any MSEO Agent is actively performing NetBackup
tasks.
2 Log onto a Security Server host.
In a standalone configuration, the MSEO Agent and Security Server run on
the same media server. In a mixed configuration, remove the MSEO Agent
from the media servers that run only MSEO Agent software first, then from
the media server that runs both MSEO Agent and Security Server software,
and only then remove the Security Server from that host.
3 Select Start->Control Panel->Add or Remove Programs.
4 Select Media Server Encryption Option.
5 Click Change/Remove.
The InstallShield Wizard Welcome window opens.
6 Select the Modify radio button.
If you select Remove, rather than Modify, you will remove all MSEO
software, including the keys.
7 Click Next.
The InstallShield Wizard Select Features window opens. server and/or
agent should be listed and the selection checkboxes enabled.
8 Enable the checkboxes for the packages to remove.
Both packages are enabled by default.
If you enable just the agent checkbox, only the MSEO Agent installation
is removed. The server portion remains intact, including the Security
Server keys.
If you enable just the server checkbox, most of the server installation is
removed. The keys in the ./mseo/server/db/key directory remain
intact. This allows you to re-install the Security Server software at a
later time and re-use the old keys; however, if you remove the old keys
before re-installing the Security Server software, the installer will
generate a new set of keys when the server is installed again.
If you enable both checkboxes, all MSEO software will be removed
entirely, including the keys.
When MSEO is uninstalled the whole install directory, including the keys,
will be removed.
9 Click Next.
The Media Server Encryption Option package(s) are removed, and a window
opens prompting you to reboot the system.
10 Select the Yes, I want to restart my computer now radio button.
11 Click Finish.
You are done removing the software and the system will reboot.
12 After the system reboots, check that the MSEO Agent and MSEO Security
Services services have been removed from the Windows Services editor
(Start->Control Panel->Administrative Tools->Services).
13 Check that the virtual driver, \Windows\System32\Drivers\vmtape,
and the directory in which you installed the MSEO software, have been
removed.
Chapter 3 Configuring MSEO Security Servers
The MSEO Security Server component must be installed on one or more media
servers. The Security Server keeps and manages the encryption keys necessary
to read and write data.
NetBackup Media Server Encryption Option (MSEO) Agent software must be
installed on every media server placed under MSEO protection. Once installed,
media servers must be registered with the Security Server. MSEO can be
configured to run in either a standalone or distributed mode. The more effective
configuration is the distributed mode, where a centralized Security Server is
installed on one media server or one master server, with the other media servers
in the NetBackup configuration running only MSEO Agent software. You must
register the media server by adding it to the MSEO Security Server. Afterwards,
you have the option to configure an X.509 certificate to authenticate the host
to the Security Server.
The Security Server Console is used to configure the:
agents to be administered by the Security Server
RSA keys with which to authenticate the server and agents
encryption keys with which to encrypt and decrypt backups
encryption key groups, comprised of encryption keys, and applied in policies
policies that determine whether or not to grant backup and restore requests
audit logs to closely monitor MSEO activity
Most of the functions performed by the MSEO Server Console can also be
performed by the MSEO CLI command cgadmin. The MSEO Server Console is an
easy-to-use alternative to the MSEO command-line interface. The MSEO Server
Console is faster and less prone to configuration errors. For the CLI equivalent
of the functions performed by the MSEO Server Console, see cgadmin on
page 166 and Configuring MSEO policies on page 120.
Starting the MSEO Security Server Console
To open the MSEO Server Console:
On Windows, select: Start->Programs->Media Server Encryption
Option->MSEO Server Console.
On UNIX, enter: ./mseo/server/bin/ce & (the path is relative to the directory
that contains the MSEO installation, /opt/vormetric by default, so the full path
is /opt/vormetric/mseo/server/bin/ce)
The MSEO Server Console window opens and lists information about the server.
These are:
The network identity of the local Security Server. It is either an IP address or
DNS name. This is the identity that agent systems use to contact the
Security Server and it is the identity used in SSL certificates.
The port number used by agents to communicate with the Security Server.
The status of SSL authentication, whether it is enabled or not.
The server type, whether primary or secondary, as indicated by whether or
not the server can act as its own Certificate Authority and sign SSL
certificates. If the local server can sign certificates, the text will say
Enabled on port portnum, where portnum is the local Security Server
listening port number. If the local server cannot sign certificates, the text
will display Directed to, followed by the network identity and port
number of the Security Server that can sign certificates.
The default key size to use when configuring agent SSL certificates.
The path to the installed Security Server software.
Number of agents configured to use this Security Server. (See Creating and
managing hosts on page 88 and Configuring the servers for an agent on
page 118 for information about configuring agents.)
Number of policies configured on this Security Server. (See Configuring
NetBackup Media Server Encryption Option Policies on page 123 for an
overview of policies and their use. See also Configuring MSEO policies on
page 90 for step-by-step configuration instructions.)
Number of key groups configured on this Security Server. (See Creating and
managing encryption key groups on page 86.)
Total number of keys on this Security Server. (See Creating and managing
encryption keys on page 80.)
Path to this Security Servers database. (See Configuring the Security
Server database directory location on page 100 for information about
changing the database location.)
Figure 3-10 Sample MSEO Server Console startup window
The MSEO Server Console comprises pull-down menus, a navigation frame, and
a work frame. The navigation frame displays the components used for Security
Server protection. Click an object in this panel to display the elements of a
component. Click an element of the component to display its attributes in the
work frame. The contents of the work frame change relative to the selected
object in the navigation frame. For example, click Policies in the navigation
frame to display configured policies, click a specific policy in the navigation
frame, and the rules for that policy are displayed in the work frame. The selected
policy in the navigation frame becomes the active object and the functions in the
menu become enabled (black) or disabled (grey) based upon the current active
object.
Figure 3-11 Parts of the MSEO Server Console
Note: There is no Save button. All changes are dynamic and take effect
immediately.
Note: There is no undo. When you delete an object or element, it is gone. It is not
kept in some temporary waste bin with the option to restore it at a later time.
Back up your configuration before making changes. To back up the Security
Server, export the keys using Tools->Export Keys, then copy the
./mseo/server/export and ./mseo/server/db directories to a secure
location.
The pull-down menus and their entries (dialog fields in parentheses) are:
Figure 3-12 MSEO Server Console menu hierarchy
File
    Exit
Edit
    Add
        Host
        Policy (Policy name)
        Key Group (Key group, Key list)
        Key (Key name, Key size)
    Edit
        Host
        Policy (Policy Rule, Matching Rule)
    Delete
    Move
        Up
        Down
    Copy (New name)
Tools
    Export Keys (Key list, Password)
    Import Keys (Key list, Password)
    Refresh
    View
        Server Certificate
        Signer Certificate
About
    About MSEO Server Console
The Edit, Delete, Move, and Copy menu entries are context-dependent. That is,
they derive their purpose from the currently selected object(s). If a policy
is selected and you choose Delete, that policy is removed.
Note: Names may contain up to 127 characters. Use standard alphanumeric
characters to name objects like policies, keys, certificates, etc. In addition to a-z,
A-Z, and 0-9, you can include hyphens (-) and underscores (_). Do not use any
other characters unless specifically directed to by the documentation or online
help.
The MSEO Agent Console and the CLI still allow you to enter as many characters
as are allowed by your operating system. Keep names short when specified in
the MSEO Agent Console and the CLI because the name you assign to the object
is also used to create the corresponding file for that object. For example, the
name of a policy is also the name of the file that contains that policy.
Displaying the Server Console version
You must know the MSEO software version to upgrade software or to discuss
problems with Customer Support.
Select About->About MSEO Server Console to display the currently installed
Security Server version.
Refreshing the MSEO Server Console
The MSEO Server Console notes each configured policy, key, and host in the
MSEO database when it starts. The MSEO Server Console is aware of all the
changes it makes to the MSEO database. If you use the MSEO Server Console to
delete a host or create a key group, the MSEO Server Console is aware of it.
Changes made outside of the MSEO Server Console, such as manually copying
policy files into the database and deleting key group files from the database, are
not dynamically updated in the MSEO Server Console. After you manually
change the database contents outside of the MSEO Server Console, select the
Refresh menu option in the MSEO Server Console to display the current
database contents.
Creating and managing encryption keys
Secure data archival revolves around data encryption and the keys used to
encrypt and decrypt that data. This section describes the keys and how they are
applied.
There are three primary encryption methods:
PKCS#8 for MSEO-only and MSEO/NetBackup header encryption
AES 128- and 256-bit for data encryption
RSA 512-, 1024-, 2048-, and 4096-bit for key group encryption
You can configure multiple media servers as standalone MSEO installations or
as MSEO Security Servers to other MSEO Agent-enabled media servers. Backup
images can be shared and decrypted by other MSEO-enabled media servers if the
key pairs and key groups originally used to encrypt the tape are copied to the
other MSEO Security Servers. Key pairs and key groups are easy to copy to other
media servers and archive for long-term storage. Copying and archiving this
information ensures access to encrypted data well into the future.
You can set the bit-size of encryption keys. Note that increasing the bit-size
increases security, but it also degrades performance because of increased
processing load.
The encryption/decryption process
The encryption process begins when a NetBackup write request is intercepted by
the MSEO Agent virtual driver. The MSEO Agent intercepts the encryption
request and passes the request and user information to the Security Server.
Examples of user information are the media server network address and
Keyword phrase variables. The Security Server uses a MSEO policy to evaluate
the request. The Security Server checks the IP address and/or DNS name of the
media server.
If the Security Server grants write permission with encryption, it returns the
following to the MSEO Agent:
A random File Encryption Key (FEK) with which to encrypt the backup image
A list of the public RSA keys of the affiliate sites (media servers) that are
to be able to decrypt the tape; the key group to use is specified in the
MSEO policy
The Security Server generates a new FEK for each write request. The FEK is
encrypted with the public key of each media server that is authorized to
decrypt the tape, and the encrypted FEK is stored in the tape volume header.
The tape volume header itself is not encrypted, so NetBackup can still read it.
Because the tape volume header is not encrypted, MSEO and non-MSEO files can
exist on one tape.
Public and private RSA key pairs are stored in the MSEO data store, located on
the MSEO Security Server. When the MSEO Agent asks the Security Server whether
it may read a backup image, and the Security Server grants permission, the
Security Server returns the private RSA key with which to decrypt the FEK
stored in the tape header and read the tape data. The matching public RSA key
is what encrypts the FEK in the header when tape data is written.
Figure 3-13 Writing encrypted data
Figure 3-13 shows the write path: the NetBackup write request reaching the
MSEO Agent; the Security Server evaluating its MSEO policy against the MSEO
data store (public and private RSA keys, key group) and its file encryption
key generator; the FEK and the public keys returned to the agent; and the
tape image written to the device as a header (the FEK encrypted with the
public keys) followed by the data encrypted with AES128/AES256.
When you access the encrypted file, the system uses your private key to decrypt
the FEK in the tape header and then uses the decrypted FEK to decrypt the file.
The decryption process begins when the backup application accesses the MSEO
virtual driver. The MSEO Agent intercepts the decryption request and passes the
request and the MSEO metadata to the Security Server. The Security Server
evaluates the request based upon a MSEO policy. If the Security Server grants
read permission for an encrypted file, the Security Server returns the private
RSA key for the media server. The MSEO Agent uses that key to decrypt the FEK
from the header. The FEK, along with the encryption algorithm, is then passed
to the MSEO pseudo-driver to restore the data. The MSEO Agent logs all
attempted operations, and the results are sent to the MSEO Security Server.
Figure 3-14 Reading encrypted data
Figure 3-14 shows the read path: the NetBackup read request reaching the MSEO
Agent; the Security Server evaluating its MSEO policy against the MSEO data
store (public and private RSA keys, key group); the private key returned to
the agent, which decrypts the FEK from the header and then the AES128/AES256
data; and the decrypted data returned to NetBackup.
The RSA keys used to encrypt and decrypt the File Encryption Key (FEK) in the
tape volume header reside in the data store on the local media server if MSEO is
configured as a standalone unit, or on a remote media server if the local host
is configured as a MSEO Agent. The AES key (the FEK) is generated uniquely for
each write job. The only instance of the AES key is the encrypted copy in the
tape volume header. MSEO does not maintain copies of AES keys.
The two encryption methods used are RSA and AES, the former for the FEK in the
tape volume header and the latter for the tape data:
RSA: 512-, 1024-, 2048-, and 4096-bit RSA keys are used to encrypt the
FEK held in the tape volume header, so that someone who obtains the tape
cannot recover the key needed to decrypt its contents. The implementation of
the RSA method adheres to Public Key Infrastructure (PKI). PKI defines services
and protocols for managing public keys via digital signature technology, such
as a Certification Authority (CA) and a Registration Authority (RA). PKI is
also referred to as asymmetric twin-key encryption because it employs public
and private keys, referred to as a key pair. The RSA key pairs are generated
and managed by the user, and stored in a MSEO data store.
AES: 128- and 256-bit AES encryption keys are used to encrypt archive
data. An AES encryption key is randomly generated each time MSEO
encrypts data to tape. The AES key is written, in encrypted form, in the
tape volume header. There is only one instance of the AES key. A copy is not
maintained in the MSEO data store.
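The write and read paths above, as an added example that is not MSEO code: a small model of the Security Server's data store, key groups and policy, an agent that wraps a fresh per-job FEK under every public key of the key group into an unencrypted header, and the read side that unwraps it with one private key of that group. Textbook RSA on fixed Mersenne primes stands in for MSEO's RSA keys and a SHA-256 counter keystream stands in for AES128/AES256; both substitutions are the editor's assumptions for the demo and neither is secure. The hostnames, key names and key-group names are hypothetical.

```python
"""Envelope model of the MSEO write/read flow (added example, not product code).

Security Server: RSA key pairs (the data store), key groups, and a one-rule
policy mapping a media server identity to a key group. Write: fresh random
FEK plus the group's public keys; the agent encrypts with the FEK and stores
the FEK wrapped under each public key in a header that is not itself
encrypted. Read: one private key of the group unwraps the FEK.
Stand-ins (assumptions): textbook RSA on fixed primes, SHA-256 keystream for AES.
"""
import hashlib
import secrets

RSA_E = 65537


def rsa_keypair(p, q):
    """Textbook RSA pair from two distinct primes: ((n, e), (n, d)). Demo only, no padding."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, RSA_E), (n, pow(RSA_E, -1, phi))


def rsa_apply(key, m):
    """m^exp mod n: wrap with the public key, unwrap with the private key."""
    n, exp = key
    return pow(m, exp, n)


def stream_xor(key, data):
    """AES stand-in: XOR data with a SHA-256(key || block counter) keystream. Symmetric."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)


class SecurityServer:
    def __init__(self):
        self.keys = {}        # key name -> (public, private): the MSEO data store
        self.key_groups = {}  # key group name -> list of key names
        self.policy = {}      # media server identity -> key group (one-rule policy)

    def add_key(self, name, p, q):
        self.keys[name] = rsa_keypair(p, q)

    def add_key_group(self, group, key_names):
        self.key_groups[group] = list(key_names)

    def add_policy(self, host, group):
        self.policy[host] = group

    def _group_keys(self, host):
        if host not in self.policy:                    # no matching rule: request denied
            raise PermissionError(f"policy denies {host}")
        return self.key_groups[self.policy[host]]

    def grant_write(self, host):
        """New FEK for this job plus the public keys the FEK must be wrapped under."""
        fek = secrets.token_bytes(16)                  # 128-bit key, unique per write job
        return fek, {k: self.keys[k][0] for k in self._group_keys(host)}

    def grant_read(self, host, header):
        """A private key from the host's group that matches a wrapped FEK in the header."""
        for k in self._group_keys(host):
            if k in header["wrapped_fek"] and k in self.keys:   # a deleted key cannot unwrap
                return k, self.keys[k][1]
        raise PermissionError(f"{host}: no key in its group can unwrap this header")


def agent_write(server, host, data):
    """Agent side of a write: ciphertext plus an unencrypted header holding the wrapped FEK."""
    fek, pubs = server.grant_write(host)
    fek_int = int.from_bytes(fek, "big")               # 128 bits, below every modulus used here
    wrapped = {name: rsa_apply(pub, fek_int) for name, pub in pubs.items()}
    return {"header": {"algorithm": "AES128 (stand-in)", "wrapped_fek": wrapped},
            "data": stream_xor(fek, data)}


def agent_read(server, host, image):
    """Agent side of a read: unwrap the FEK with the granted private key, then decrypt."""
    key_name, priv = server.grant_read(host, image["header"])
    fek = rsa_apply(priv, image["header"]["wrapped_fek"][key_name]).to_bytes(16, "big")
    return stream_xor(fek, image["data"])


def demo_server():
    """Two sites in one key group, a third in another; all names are hypothetical."""
    srv = SecurityServer()
    srv.add_key("site-a", 2**89 - 1, 2**61 - 1)       # Mersenne primes: fixed, demo only
    srv.add_key("site-b", 2**107 - 1, 2**31 - 1)
    srv.add_key("site-c", 2**127 - 1, 2**19 - 1)
    srv.add_key_group("dr-pair", ["site-a", "site-b"])
    srv.add_key_group("lab", ["site-c"])
    for host, group in (("media1.example.com", "dr-pair"),
                        ("media2.example.com", "dr-pair"),
                        ("lab1.example.com", "lab")):
        srv.add_policy(host, group)
    return srv
```

With demo_server(), an image written by media1.example.com is readable by media2.example.com (same key group), refused for lab1.example.com (its group has no entry in the header) and for any host with no policy rule, and, once site-a and site-b are deleted from the data store as the removal notes earlier warn, readable by nobody: the only copy of the FEK is the wrapped one in the header.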
Key distribution depends on whether each media server runs its own Security
Server locally or a single Security Server is configured centrally.
Media Server Encryption Option Security Servers run independently of each
other. Multiple Security Servers in an enterprise backup solution, and in
separate enterprise backup solutions, are unaware of each other. It is the MSEO
Agent host that determines the Security Server(s) to use. Policies, certificates,
keys, and key groups developed on one Security Server are particular to that
server. You must synchronize the data stores of all the servers so they share the
same policies, certificates, keys, and key groups. Otherwise, a backup made on a
media server configured with one Security Server will not be readable by
NetBackup media servers configured to another Security Server.
Synchronization consists of manually copying policies, certificates, keys, and
key groups between Security Servers, as well as copying certificates between
Security Servers and the media servers they administer (see also cgadmin add
on page 166). It is recommended that you configure one media server to act as
the MSEO Security Server and every other media server as its agent. See also
Maintaining and monitoring NetBackup Media Server Encryption Option on
page 141.
Creating and managing AES keys
An AES key is created automatically each time you write a backup image, so the
AES key is unique to each write job. The AES key is encrypted with the RSA
key(s) of the key group named in the policy, and the encrypted result (the FEK)
is stored in the tape volume header.
There is no copy of the AES key other than in the backup image header. No
direct or deliberate user management of AES keys is possible.
Creating and managing RSA keys
Keep and maintain your RSA keys: they are required to decrypt backup image
headers. The backup image header contains the AES key used to decrypt the data
itself, and without the RSA private keys you cannot extract the AES key or
decrypt the backup data. Losing the RSA private key(s) that encrypted a header
makes that backup unrecoverable.
Powered by Vormetric
You must configure keys and assign them to key groups before a policy can use
them. You can create and delete keys; you cannot edit them. Creating a key
generates an RSA key pair that is stored encrypted with the AES256-CBC
algorithm, and a SHA1 hash is stored with the private key (this hash is the
value compared when keys are imported; see Importing encryption keys on
page 98).
Larger keys are harder to break, but they take longer to generate, and
encrypting and decrypting with them takes somewhat longer.
To create a key:
1 Select Edit->Add->Key.
The Add Key window opens and prompts you for the name and size of the
new key.
2 Enter the name to assign the key in the Key name text-entry box.
3 Select the bit-size of the key from the Key size scroll-list.
Available bit-sizes are: 512, 1024, 2048, and 4096. Larger key sizes take
longer to generate and process. Avoid 512-bit keys: RSA moduli of that size
have been factored with modest resources, and 1024-bit RSA is no longer
regarded as adequate for data that must stay confidential for as long as a
backup does. Use 2048 bits or more for new keys.
4 Click the Add Key button to commit the changes or Cancel to close the
window without adding the key.
The key is added to the Security Server database directory,
./mseo/server/db/key, as keyName.xml.
To delete a key:
1 Select a key in the navigation frame.
You can pick only one key at a time.
2 Select Edit->Delete.
You are prompted to verify key deletion.
3 Click Yes to delete the key.
The key is removed from the Security Server database directory.
To rename a key:
Currently you cannot rename keys in the graphical interface. If you want to
rename a key, see cgadmin edit on page 172.
To copy local keys to another Security Server:
See Sharing encryption keys between Security Servers on page 96.
Creating and managing encryption key groups
A key group is a collection of keys. The keys in a key group are the RSA keys
used to encrypt and decrypt a randomly generated AES key; the AES key encrypts
and decrypts the actual backup data. For an explanation of this process, see
Creating and managing encryption keys on page 80. At least one key group must
be configured in the policy for data encryption. The recommended maximum
number of keys in a key group is 50, because the key group is stored in the
MSEO metadata, which increases the size of the tape header and therefore the
demand for tape buffer space. For an explanation of tape buffers and how to
adjust them, see Managing tape blocks on page 159.
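The following Go program is an added illustration (not MSEO code and not taken from this guide) of the key hierarchy described in this section and in Creating and managing AES keys: a fresh AES key for every backup, wrapped once under each RSA public key in the key group, with the wrapped copies written to the header beside the ciphertext, so that any single private key of the group can restore the tape and a server holding none of them cannot. AES-GCM for the data, RSA-OAEP for wrapping, the header layout, the key names and the sample payload are assumptions of this example; the one-wrapped-copy-per-key model is this example's reading of why the header grows with the key group.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// WrappedFEK is one header entry: the backup's AES key encrypted under one
// RSA public key of the key group (an illustrative layout, not MSEO's format).
type WrappedFEK struct {
	KeyName string
	Blob    []byte
}

// Header models the volume tape header: one wrapped FEK per key in the group.
type Header struct {
	KeyType string
	FEKs    []WrappedFEK
}

// KeyGroup maps key names to RSA key pairs; the Security Server holds the private halves.
type KeyGroup map[string]*rsa.PrivateKey

func NewKeyGroup(names []string, bits int) (KeyGroup, error) {
	g := KeyGroup{}
	for _, n := range names {
		k, err := rsa.GenerateKey(rand.Reader, bits)
		if err != nil {
			return nil, err
		}
		g[n] = k
	}
	return g, nil
}

func newGCM(fek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(fek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Backup draws a fresh AES key (128 or 256 bits), encrypts data with AES-GCM and
// wraps the key with RSA-OAEP under every public key in the group. The plaintext
// AES key is dropped on return: only the wrapped copies in the header survive.
func Backup(group KeyGroup, data []byte, bits int) (Header, []byte, error) {
	fek := make([]byte, bits/8)
	if _, err := rand.Read(fek); err != nil {
		return Header{}, nil, err
	}
	gcm, err := newGCM(fek)
	if err != nil {
		return Header{}, nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Header{}, nil, err
	}
	hdr := Header{KeyType: fmt.Sprintf("aes%d", bits)}
	for name, priv := range group {
		blob, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &priv.PublicKey, fek, []byte(name))
		if err != nil {
			return Header{}, nil, err
		}
		hdr.FEKs = append(hdr.FEKs, WrappedFEK{KeyName: name, Blob: blob})
	}
	return hdr, gcm.Seal(nonce, nonce, data, nil), nil // nonce || ciphertext || tag
}

// Restore unwraps the FEK with the single private key this server holds and
// decrypts the data. Any one key of the group suffices; a server holding none
// of them (or the wrong private key for a name) cannot recover the backup.
func Restore(name string, priv *rsa.PrivateKey, hdr Header, ct []byte) ([]byte, error) {
	for _, w := range hdr.FEKs {
		if w.KeyName != name {
			continue
		}
		fek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, w.Blob, []byte(name))
		if err != nil {
			return nil, fmt.Errorf("unwrap FEK with %s: %w", name, err)
		}
		gcm, err := newGCM(fek)
		if err != nil {
			return nil, err
		}
		ns := gcm.NonceSize()
		if len(ct) < ns {
			return nil, fmt.Errorf("ciphertext too short")
		}
		return gcm.Open(nil, ct[:ns], ct[ns:], nil)
	}
	return nil, fmt.Errorf("header holds no FEK wrapped for key %q", name)
}

func main() {
	group, _ := NewKeyGroup([]string{"site-a", "site-b", "dr-site"}, 2048)
	hdr, ct, _ := Backup(group, []byte("constructed sample backup image"), 256)
	fmt.Printf("%s: %d wrapped FEKs of %d bytes each\n", hdr.KeyType, len(hdr.FEKs), len(hdr.FEKs[0].Blob))
	pt, err := Restore("dr-site", group["dr-site"], hdr, ct)
	fmt.Printf("restore at dr-site: %q err=%v\n", pt, err)
	_, err = Restore("site-a", group["site-b"], hdr, ct) // wrong private key for that name
	fmt.Println("restore with mismatched key:", err)
}
```

In this model each wrapped FEK is a full RSA-modulus-sized blob (256 bytes for a 2048-bit key), so a 50-key group adds roughly 12.5 KB of key material to every tape header, which is the kind of growth behind the recommended limit above.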
Creating key groups
To create a key group:
1 Select Edit->Add->Key Group.
The Add Key Group window opens and prompts you for the name of the new
key group and the keys in the key group.
2 Enter the name to assign the key group in the Key group text-entry box.
3 Select one or more keys in the Key list scroll-list to be members of this key
group.
All currently configured keys are displayed. Use standard Windows
selection techniques to select multiple keys.
4 Click the Add Key Group button to commit the changes or Cancel to close the
window without adding the key group.
The key group is added to the Security Server database directory,
./mseo/server/db/key, as keyGroupName.xml.
Editing key groups
To edit a key group:
1 Select a key group in the navigation frame.
2 Select Edit->Edit.
The Edit Key Group window opens. This window lists all the configured keys
on the MSEO Security Server.
Figure 3-15 Selecting keys to add to a key group
3 Select one or more keys in the Key list scroll-list to be members of this key
group.
All the keys in the Security Server database directory are displayed. Use
standard Windows selection techniques to select multiple keys.
You can change the keys in a key group but not the key group name.
4 Click Save.
Copying key groups
To copy a key group:
1 Select the key group that you want to copy from the navigation frame.
You can select only one key group at a time.
2 Select Edit->Copy.
The Copy Key Group window opens.
3 Enter the name to assign the duplicate key group in the New name
text-entry box.
4 Click Copy.
Deleting key groups
To delete a key group:
1 Select a key group in the navigation frame.
You can select only one key group at a time.
2 Select Edit->Delete.
The key group is removed from the Security Server database directory.
Creating and managing hosts
Communication between an agent and the server runs in both directions. In this
section you add a host and assign a policy to it. After that, you must use the
MSEO Agent Console to configure the agent to communicate with the server. For
agent configuration, see Configuring server connections for the agent on
page 117.
The MSEO Server Console creates X.509 Web certificates for the Security
Server. MSEO Agent hosts are identified by their names and authenticated by
their Web certificates. Each MSEO Agent-host/media server must be registered
with a Security Server to perform backup operations via a MSEO tape driver.
These are the hosts you installed, as described in Installing MSEO Agent on
UNIX systems on page 40.
Adding hosts
To add a host:
1 Select Edit->Add->Host.
A combo-box opens that prompts you for the name of the new host and the
policy to apply to that host.
2 Enter the name to assign the host in the Host name text-entry box.
The name may be the DNS name or IP address of a host. This must be the
name used to identify the agent system on the network. The name you
specify is used to connect to the host on the network, and the name
specified in the certificate is used to authenticate the agent, after the
connection is made.
3 Select a policy in the Policy scroll-list to apply to this host.
All currently configured policies are displayed. Policies are displayed in the
order they were generated. A policy must be selected. Only one policy may
be applied to a host in the MSEO Server Console. For instructions about how
to assign multiple policies to a host, see cgadmin add on page 166.
4 Click the Add Host button to commit the changes or Cancel to close the
window without adding the host.
The host is added to the Security Server database directory,
./mseo/server/db/host, as hostName.xml.
Renaming a host
You cannot rename hosts; however, you can copy a host to the desired name and
then delete the original host.
Changing the host policy
To assign a different policy to a host:
1 Select a host in the navigation frame.
The configured host name and policy name are displayed in the work frame.
2 Single-click the policy name in the work frame.
The policy selection window is now activated and ready for you to select a
different policy from the scroll-list.
Figure 3-16 Selecting the policy to assign a host
3 Select the policy to use from the Policy scroll-list.
The change takes effect immediately.
Copying hosts
To copy a host:
1 Select the host that you want to copy in the navigation frame.
You can select only one host at a time.
2 Select Edit->Copy.
The Copy Host window opens.
3 Enter the name to assign the duplicate host in the New name text-entry box.
4 Click Copy.
The host is added to the Security Server database directory,
./mseo/server/db/host, as hostName.xml.
Deleting hosts
To delete a host:
1 Select a host in the navigation frame.
2 Select Edit->Delete.
The host is removed from the Security Server database directory.
Configuring MSEO policies
A MSEO policy is a set of security rules. Each security rule is a collection of
attributes whose values are used by the Security Server to evaluate the read and
write requests issued by NetBackup. Once evaluated, the first security rule
whose attributes successfully match is used.
This section describes the mechanics of creating and administering policies. See
Configuring NetBackup Media Server Encryption Option Policies on page 123
for a detailed description of policies and their components.
Note: Names may contain up to 127 characters. Use standard alphanumeric
characters to name objects like policies, keys, certificates, etc. In addition to a-z,
A-Z, and 0-9, you can include hyphens (-) and underscores (_). Do not use any
other characters unless specifically directed to by the documentation or online
help.
Configuring general policy rules
General policy rules are basic rules that do not require elaborate evaluation,
such as enabling audit tracking or specifying the key group to use. The Add
Policy window is used to configure general rules. It can also open the window
in which to configure match rules that evaluate variable expressions, such as
whether the NetBackup pool number is greater than 1 or whether the compression
algorithm specified in the NetBackup Keyword phrase matches a desired string.
See Configuring match policy rules on page 93. Rules are order dependent: the
first rule evaluated that meets its criteria is the rule the Security Server
uses.
To configure a general rule:
1 Perform one of the following:
If you are creating a new general rule for a new policy, start policy
creation by selecting Edit->Add->Policy, naming the policy, and
clicking Add Rule. The Add Rule window opens.
If you are creating a new general rule for an existing policy, select the
policy in the navigation frame, select Edit->Add->Policy Rule. The Add
Rule window opens.
If you are editing an existing general rule, select the rule in the
navigation frame and select Edit->Edit. The Edit Rule window opens.
The Add Rule and Edit Rule windows are almost identical. The Add Rule
window may also contain a scroll-list from which to select the sequence of
the rule relative to the other rules in the policy. The Add Rule window is
also used to add match rules to the current general rule.
Figure 3-17 Differences between adding and editing rules
2 If the Rule Number scroll-list is displayed in the window, select the sequence
position of this rule relative to the other rules.
If you select 1, for example, the new general rule is placed in the number 1
position and all the other general rules are incremented by 1.
3 Indicate if this rule applies to a backup request, a restore request, or both, by
selecting read and/or write in the Action scroll-list. read corresponds to a
restore request and write to a backup request.
4 Indicate whether or not to allow the backup or restore request by selecting
either permit or deny in the Effect scroll-list.
permit and deny are mutually exclusive; select exactly one of them. Two
further effects may be selected in addition to permit or deny: audit, which
enables audit logging, and call, which references other policies in the MSEO
database. See Enabling audit logging on page 95 for a description of the
audit template file and how to use it. See Building compound policies on
page 135 for a description of the call feature.
5 Select the bit-size of the AES encryption key from the Key type
popup-menu. Your choice is none, aes128, aes256, or
|netbackup.keyword.KeyType|. The default is none. none indicates that
encryption is not to be applied. |netbackup.keyword.KeyType| indicates that
the keytype will be derived from the NetBackup Keyword phrase. See
Configuring NetBackup to use MSEO policy protection on page 130 for a
description of the Keyword phrase and its use.
6 Select the compression algorithm to apply to the backup from
the Compression popup-menu. Your choice is none, lzrw3, lzo1x,
text85.eng, or |netbackup.keyword.Compress|.
|netbackup.keyword.Compress| indicates that the compression algorithm
will be derived from the NetBackup Keyword phrase. The default is none.
none indicates that compression is not to be applied.
7 Select the key group to apply for encrypting/decrypting a backup from the
Key Group popup-menu. All configured key groups are displayed in the
popup-menu. Select one or more key groups to apply to this rule.
|netbackup.keyword.KeyGroup| indicates that the key group will be derived
from the NetBackup Keyword phrase.
8 Click one of the following:
Finish or Save to add the rule to the policy and close the window. Click
this button to save the single-rule policy and close the window. You are
done editing the current policy.
Next Rule to create a multi-rule policy. The current rule is added to the
policy and the window is refreshed with default values, ready for you to
add another rule. Click this button to refresh the window in
preparation to add another rule to the current policy. Note that rule
usage is order-dependent: the first rule that matches completely is
applied. Next Rule is only displayed when creating a new policy.
Add Matching to open the Add Matching Rule window in which to
configure additional attributes for the current rule. In effect, giving
greater granularity to the criteria defined in simple rules. Match
attributes use specific attributes and values derived from the backup
itself. Click this button to open a combo-box in which to specify
additional criteria to determine whether or not to apply the current
rule. See Configuring match policy rules on page 93 for match rule
configuration.
Cancel to discard all changes and close the window.
When the policy is saved, it is added to the Security Server database
directory, ./mseo/server/db/policy, as policyName.xml.
To delete a rule:
1 Select a rule in the navigation frame.
2 Select Edit->Delete.
The entire rule, including any match rules, is removed from the Security
Server database directory.
To move a rule up or down in precedence:
Rules are used in the order they occur in the policy. The first rule in a policy has
the highest precedence. The last rule has the lowest precedence. You can change
the precedence of a rule by moving it up or down within the policy.
1 Select a rule in the navigation frame.
2 Select Edit->Move->Up to increase the precedence of a rule or
Edit->Move->Down to lower its precedence by one.
Configuring match policy rules
Match rules add more precision to general rules. Match rules evaluate variable
expressions, such as whether the NetBackup pool number is greater than 1 or
whether the compression algorithm specified in the NetBackup Keyword phrase
matches a desired string. General rules are described in Configuring general
policy rules on page 90.
Match rules are order dependent. The first rule encountered that meets the
criteria defined by the rule is used.
Match rule configuration is equivalent to setting the AttributeMatch and
MatchOp attributes with the cgadmin add policy or cgadmin edit policy CLI
command.
To configure a match rule:
1 Perform one of the following:
If you are creating a new match rule for a new policy, start policy
creation by selecting Edit->Add->Policy, naming the policy, clicking
Add Rule, completing the Add Rule window, then clicking the Add
Matching button. The Add Matching Rule window opens.
If you are adding a match rule to an existing rule in an existing
policy: you cannot add a match rule directly to an existing rule.
Instead, select the policy in the navigation frame, select
Edit->Add->Policy Rule, create a new rule with the same configuration
as the original rule, and then click Add Matching in the Add Rule
window. The Add Matching Rule window opens and you can create the
desired match rule. Afterwards, delete the original rule and move the
new rule up or down in the policy to restore its order of precedence.
In either case, clicking Add Matching in the Add Rule window while you
are creating or editing a policy opens the Add Matching Rule window.
Figure 3-18 Configuring a matching rule (foreground) and the configured rule (background)
2 Select a built-in variable in the Name scroll-list. All built-in variables are
available in the scroll-list. Built-in variables are described in Built-in
variables on page 126.
3 Select the operation to apply in the Operation scroll-list. Your choices are
described in Evaluating attributes on page 131.
4 Enter the value the operation is expected to return for a successful match
in the Value text-entry box.
Value is a text string. For example, set Name to "netbackup.policy", set
Operation to regex, and set Value to MSEO*. This match operation
evaluates to true if the NetBackup policy name begins with MSEO. The
comparison is case-sensitive: it evaluates to false, and the security rule is
not used, if the policy name begins with lower-case mseo. Note that in
standard regular-expression syntax MSEO* means "MSE followed by zero or more
O characters" and is not anchored to the start of the name, so it would also
match a name such as archive-MSE; if the regex operation follows standard
syntax, use ^MSEO to match only names that begin with MSEO. See Evaluating
attributes on page 131 for the exact semantics of each operation.
5 Click one of the following:
Finish to add the match rule to the policy and close all policy editing
windows. Click this button to save the policy and close the window. You
are done editing the current policy.
Next Rule to create a multi-rule policy. The match rule is added to the
current rule and the window is refreshed with default values, ready for
you to add another rule. Click this button to refresh the window in
preparation to add another rule to the current policy. Note that rule
usage is order-dependent: the first rule that matches completely is
applied. Next Rule is only displayed when creating a new policy.
Next Match to create a multi-match rule. The current match rule is
added to the regular rule. The Add Matching Rule window is refreshed
and ready for you to add another match rule.
Cancel to discard all changes and close the window.
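The Go program below is an added example (not MSEO's rule engine, and not code from this guide) of the first-match evaluation that this section and Configuring general policy rules describe: an ordered list of rules, each with an Action (read or write), an Effect (permit or deny), a key type and key group, and optional match rules over built-in variables. It reproduces the netbackup.policy regex example from step 4 and shows both the case-sensitivity and the unanchored-pattern behaviour. The request structure, the operation names equals, regex and gt, the attribute name netbackup.pool, the sample rules, and the choice to deny a request that no rule covers are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Request is what the Security Server evaluates: the action NetBackup performs
// (write = backup, read = restore) plus the built-in variables derived from the job.
type Request struct {
	Action string
	Attrs  map[string]string
}

// Match refines a general rule: a built-in variable, an operation and the expected value.
type Match struct{ Name, Op, Value string }

// Rule is one general rule with its match rules. Effect is "permit" or "deny".
type Rule struct {
	Actions                   []string
	Effect, KeyType, KeyGroup string
	Matches                   []Match
}

// Policy is an ordered list of rules; the first rule that matches completely wins.
type Policy struct {
	Name  string
	Rules []Rule
}

// eval applies one match rule. The operation names are this example's own.
func (m Match) eval(attrs map[string]string) (bool, error) {
	v, ok := attrs[m.Name]
	if !ok {
		return false, nil
	}
	switch m.Op {
	case "equals":
		return v == m.Value, nil
	case "regex": // RE2 syntax; unanchored unless the pattern anchors itself
		return regexp.MatchString(m.Value, v)
	case "gt":
		a, err1 := strconv.Atoi(v)
		b, err2 := strconv.Atoi(m.Value)
		if err1 != nil || err2 != nil {
			return false, fmt.Errorf("gt needs integers, got %q and %q", v, m.Value)
		}
		return a > b, nil
	}
	return false, fmt.Errorf("unknown operation %q", m.Op)
}

// matches reports whether the rule covers the request: the action must be
// listed and every match rule must hold.
func (r Rule) matches(req Request) (bool, error) {
	listed := false
	for _, a := range r.Actions {
		listed = listed || a == req.Action
	}
	if !listed {
		return false, nil
	}
	for _, m := range r.Matches {
		if ok, err := m.eval(req.Attrs); err != nil || !ok {
			return false, err
		}
	}
	return true, nil
}

// Evaluate returns the index of the first matching rule and its effect. A request
// no rule covers is denied; that default is this example's assumption, not the page's.
func (p Policy) Evaluate(req Request) (int, string, error) {
	for i, r := range p.Rules {
		ok, err := r.matches(req)
		if err != nil {
			return -1, "deny", fmt.Errorf("rule %d: %w", i+1, err)
		}
		if ok {
			return i, r.Effect, nil
		}
	}
	return -1, "deny", nil
}

// SamplePolicy mirrors the text: rule 1 encrypts backups whose NetBackup policy
// name matches MSEO*, rule 2 permits restores, rule 3 denies all other backups.
func SamplePolicy() Policy {
	return Policy{Name: "mseo-tape", Rules: []Rule{
		{Actions: []string{"write"}, Effect: "permit", KeyType: "aes256", KeyGroup: "kg-prod",
			Matches: []Match{{Name: "netbackup.policy", Op: "regex", Value: "MSEO*"}}},
		{Actions: []string{"read"}, Effect: "permit", KeyGroup: "kg-prod"},
		{Actions: []string{"write"}, Effect: "deny", KeyType: "none"},
	}}
}

func main() {
	p := SamplePolicy()
	for _, name := range []string{"MSEO_daily", "mseo_daily", "archive-MSE"} {
		i, eff, _ := p.Evaluate(Request{Action: "write", Attrs: map[string]string{"netbackup.policy": name}})
		fmt.Printf("backup from NetBackup policy %-12s -> rule %d, %s\n", name, i+1, eff)
	}
}
```

Running it shows MSEO_daily and archive-MSE both reaching rule 1 (the unanchored pattern), while mseo_daily falls through to the deny rule; swapping the deny rule to the top of the list denies the MSEO backups as well, which is the order dependence the text warns about.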
To delete a match rule:
1 Select the match rule to be deleted in the navigation frame.
Select the string matching for the general rule whose match rule you
want to remove.
2 Select Edit->Delete.
The entire match rule, including all the defined operations, is deleted.
You cannot delete the individual operations that comprise a match rule.
Copying policies
To copy a policy:
1 Select the policy that you want to copy in the navigation frame.
You can select only one policy at a time.
2 Select Edit->Copy.
The Copy Policy window opens.
3 Enter the name to assign the duplicate policy in the New name text-entry
box.
4 Click Copy.
Enabling audit logging
Audit logging is enabled and disabled as part of general rule configuration.
This section describes enabling and disabling audit logging. For detailed
information about configuring and using audit logs, see Configuring audit
logging on page 136.
To enable audit logging:
1 Perform one of the following:
If you are creating a new policy, start policy creation by selecting
Edit->Add->Policy, naming the policy, and clicking Add Rule. The Add
Rule window opens.
If you are editing an existing policy, select the policy in the navigation
frame, select the rule you want to modify, and then select Edit->Edit.
The Edit Rule window opens.
2 Select permit or deny, and select audit auditFile in the Effect scroll-list,
where auditFile is the name of a configured audit file.
Hold the <Ctrl> key down to select multiple effects, such as deny and audit.
You can select only deny or permit with audit. You cannot select call with
audit.
All audit template files are stored in the ./mseo/server/db/audit
directory. All files in this directory that end in .xml are displayed in the
scroll-list. For example, if you create an audit template file named
myAuditFile.xml, it is displayed in the Configuration Manager scroll-list
as audit myAuditFile.
The Configuration Manager cache may need to be updated if you just created or
copied the audit template file, and the audit template file is not displayed in the
Configuration Manager. Select File->Refresh to update the display.
Sharing encryption keys between Security Servers
You can share public and private RSA encryption keys between MSEO Security
Servers so that backups made on one server can be restored on other servers,
and vice versa.
The keys that you share are the MSEO database keys used to encrypt and
decrypt backup tape headers. These are not the keys used to encrypt the backup
data. Those are AES keys, and no copy of an AES key exists other than on the
tape itself.
Configuring a media server to access multiple Security Servers requires the
databases to be synchronized between all the Security Servers. That is, the
Security Servers need the same policies, keys, etc. to effectively and
transparently administer one or more media servers. If an alternate Security
Server is used in the event the primary Security Server is inaccessible, the
database must have the same keys and policies to effectively administer the
media server.
The keys are exported to other servers, or imported from another server, by
using the MSEO Server Console. The console exports the keys from the local
Security Server database directory and packages them in a secure manner for
transport to other servers, or unpackages keys exported from another server
and imports them into the local Security Server database directory.
Use only the procedures described in this document to exchange keys between
Security Servers.
Exporting encryption keys
You specify the keys you want to export in the MSEO Server Console. The
console copies and encrypts those keys and places the results in
./mseo/export. Then you manually copy the contents of the ./mseo/export
directory to the ./mseo/import directory of each server you want to configure
with the duplicate keys. For details about importing keys, see Importing
encryption keys on page 98.
At this time you can also copy the ./mseo/server/db/host, audit, and
policy directories. Later, when you import the keys on another server, you can
also copy these directories into their respective places on the other server. The
other server will have the same host configurations, audit templates, and policy
files as the current server.
To export encryption keys:
1 Select Tools->Export Keys.
The Export Keys window opens and prompts you for the keys you want to
export and a password with which to encrypt the exported key files.
2 Select the keys to export from the Key list scroll-list.
All currently configured keys are displayed. Use standard Windows
selection techniques to select multiple keys.
3 Enter the password to use to encrypt the keys in the Enter password and
Reenter password text-entry boxes.
The password can be from 8 to 50 characters in length. You will need this
password to import the keys later. The exported package contains private
keys protected only by this password, so choose a long passphrase and convey
it to the administrator of the other server separately from the package
itself.
4 Click Export Keys.
All parts of keys, including the access file, are copied to the
./mseo/server/export directory.
If there are any keys currently in the ./mseo/export directory, a dialog
box opens that prompts you to remove the previous keys before adding the
new keys.
5 If you are prompted to discard existing keys in the export directory, either,
click Yes to remove the current keys so that the directory contains only the
new keys, or, click No to leave the current keys intact and add the new keys to
the directory.
6 Copy the contents of the ./mseo/export directory to the ./mseo/import
directory of each server that you want to use the keys.
It is recommended that you empty the ./mseo/import directory before
copying the keys into it to avoid using old key data.
7 It is recommended that you delete everything from the ./mseo/export
directory after you copy the key data to prevent unauthorized users from
copying and importing the key data.
Importing encryption keys
You specify the keys you want to import in the MSEO Server Console. The
console unpackages the key data in the ./mseo/import directory and imports it
into the local Security Server database directory. The key data must have
been exported from another Security Server and must be present in the
./mseo/import directory. For details about exporting keys, see Exporting
encryption keys on page 97.
If you import a key with the same name as a key in the local Security Server
database directory, and the encryption key hash value is different, -001 is
appended to the imported key name. The number is incremented each time a key
with the same name, but a different hash value, is imported. Conversely, an
imported key with a different name but the same hash value as a key already
in the Security Server database directory is not copied, and the following
error is returned: Error importing key keyName. Key import failed. The
offending key is skipped and the Security Server attempts to import the
remaining keys. Other than when keys have been renamed or the same keys are
imported several times, these events are rare.
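The Go program below is an added example (not the product's import code) of the naming rules just described, run over a constructed local key store and import package: a key with the same name but a different hash is stored as name-001, name-002, and so on; a key with a different name but the same hash is skipped with the error above; other keys import normally; and a failure on one key does not stop the rest. Hashing the key material with SHA-1 (the hash this guide says is stored with the private key) and treating a key identical in both name and hash as already present are assumptions of this example.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// Store models the Security Server key database as key name -> key material
// (illustrative; the real database holds keyName.xml files).
type Store map[string][]byte

// Key is one entry unpacked from the import directory.
type Key struct {
	Name     string
	Material []byte
}

// Result records what happened to one imported key.
type Result struct {
	Name   string // name in the import package
	Stored string // name under which it was stored; "" if skipped
	Err    error
}

// hash is the fingerprint compared during import. The page says a SHA1 hash is
// stored with each private key; taking it over the key material is an assumption.
func hash(material []byte) string {
	sum := sha1.Sum(material)
	return hex.EncodeToString(sum[:])
}

// findByHash returns the name of a stored key with the given fingerprint, or "".
func (s Store) findByHash(h string) string {
	for name, m := range s {
		if hash(m) == h {
			return name
		}
	}
	return ""
}

// ImportKeys merges keys into the store:
//   - material that already exists under another name is skipped with an error;
//   - a name already taken by different material gets the first free -NNN suffix;
//   - identical name and material counts as already present (assumption: the
//     page does not describe that case).
// A failure on one key does not stop the others.
func ImportKeys(store Store, incoming []Key) []Result {
	var out []Result
	for _, k := range incoming {
		h := hash(k.Material)
		if existing := store.findByHash(h); existing != "" {
			if existing == k.Name {
				out = append(out, Result{Name: k.Name, Stored: existing})
			} else {
				out = append(out, Result{Name: k.Name, Err: fmt.Errorf("Error importing key %s. Key import failed.", k.Name)})
			}
			continue
		}
		name := k.Name
		for n := 1; ; n++ {
			if _, taken := store[name]; !taken {
				break
			}
			name = fmt.Sprintf("%s-%03d", k.Name, n)
		}
		store[name] = k.Material
		out = append(out, Result{Name: k.Name, Stored: name})
	}
	return out
}

func main() {
	// Constructed sample: a local store and an import package from another server.
	store := Store{"prod": []byte("rsa-key-A")}
	results := ImportKeys(store, []Key{
		{"prod", []byte("rsa-key-B")},   // same name, different material -> prod-001
		{"prod", []byte("rsa-key-C")},   // same name again -> prod-002
		{"backup", []byte("rsa-key-A")}, // different name, same material -> error, skipped
		{"dr", []byte("rsa-key-D")},     // new key -> dr
	})
	for _, r := range results {
		fmt.Printf("%-7s stored=%-10q err=%v\n", r.Name, r.Stored, r.Err)
	}
}
```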
If you had also copied the ./mseo/server/db/host, audit, and policy
directories from another server, import the keys as described in this section,
then copy the ./mseo/server/db/host, audit, and policy directories into
their respective locations on the current server. The current server will have the
same host configurations, audit templates, policy files, and encryption keys as
the other server.
To import encryption keys:
1 Select Tools->Import Keys.
The Import Keys window opens.
2 Select the keys to import from the Key list scroll-list.
The keys found in the ./mseo/import directory are displayed. Use standard
Windows selection techniques to select multiple keys.
3 Enter the password to use to decrypt the keys in the Enter password
text-entry box.
This is the same password used to encrypt the keys that are currently in the
./mseo/import directory.
4 Click Import Keys.
The keys are unpackaged and imported into the local Security Server
database directory. After which a dialog box opens that prompts you to
remove the keys in the ./mseo/import directory.
Would you like to discard imported data?
5 Click Yes to remove the key data in ./mseo/import or click No to leave the
key data intact.
It is recommended that you click Yes because the data is already in the
database and is of no further use to you, and it removes the opportunity for
unauthorized users to copy the keys.
After importing keys onto the local Security Server, you may need to change
local policies or manually copy policies from the originating Security Server.
Starting, stopping, and restarting the MSEO
Security Server
Currently, the MSEO Server Console is unable to start and stop the Security
Server process that runs on the server system. See cginit on page 207 for
information about how to start, stop, and restart the Security Server process.
Displaying server and signer certificates
If you configured SSL authentication, you can display details about the SSL
server certificates with which the server identifies itself to agents and other
servers. You can also display the SSL certificate that was used to validate, or
sign, the server and agent certificates.
You can display the server certificate if the Server Credentials field in the
Server Configuration block displays Present. SSL authentication is not
configured if it displays Not present. You can tell if it is a primary or
secondary server by the value of the Signing field in the Server Configuration
block. It is a primary server if it is set to Enabled on .... It is a secondary
server if it is set to Directed to ....
Select View->Server Certificate to display the server SSL credentials.
Figure 3-19 shows the server certificate of a secondary server. The primary
server is located at the address specified by the signer server ID.
Figure 3-19 Secondary server credentials
The RSA public key contained in each certificate is not displayed in readable
form by the console. A certificate carries only the public key; private key
data is not included.
You can also display the signing certificate if the Signing field in the Server
Configuration block displays Enabled on ... or Directed to ....
The primary server, and the secondary servers which access the primary server,
share the same signer certificate. The MSEO Server Console will display the
same signer certificate whether it is displayed on the primary server or a
secondary server.
Select View->Signer Certificate to display the signer certificate that is used to
validate SSL credentials.
Configuring the Security Server database directory
location
The default MSEO database is located at /opt/vormetric/mseo/server/db.
You can specify an alternate location for the database, even another mounted
file system; however, be aware that the database is the repository for important
configuration information, such as policies, registered hosts, key-pairs, etc., and
it must be accessible for the Security Server to evaluate backup or restore
requests.
To specify an alternate database location:
1 Verify that the current MSEO installation is working correctly.
2 Export all the server keys using the MSEO Server Console.
See Exporting encryption keys on page 97.
3 Remove everything from the server import directory,
./mseo/server/import.
4 Copy the contents of ./mseo/server/export to
./mseo/server/import.
5 Delete all the keys using the MSEO Server Console.
See Creating and managing encryption keys on page 80.
6 Move or copy the MSEO database directory, ./mseo/server/db, to the
desired location.
7 Change the MSEO DB location specified in the
./mseo/server/etc/mseo_security_server.conf file on UNIX, or
the .\MSEO\server\config\mseo_security_server.conf file on
Windows.
Open this file in an editor and change the value of the dir variable. In some
cases the dir variable is not even set, so you have to add it. Use the path
notation that is appropriate for your operating system. For example, the
contents of this file on a UNIX system may be:
sslport 8084
mylocation 10.2.212.100
signerport 8085
keysize 1024
After adding or changing the dir value, the file may look like:
sslport 8084
mylocation 10.2.212.100
signerport 8085
keysize 1024
dir /opt/mseo/newDB
8 Import the keys that you had exported earlier.
See Importing encryption keys on page 98.
9 Restart the Security Server.
Configuring the directory information displayed in
the MSEO Server Console
There are two groups of information displayed in the MSEO Server Console
startup window: Server Configuration on the top and Database Statistics on the
bottom. The information displayed in the Server Configuration group is derived
from the ./mseo/server/etc/mseo_security_server.conf, or
.\MSEO\server\config\mseo_security_server.conf, file. The
information displayed in the Database Statistics group is derived by counting
the various database objects in the ./mseo/server/db, or
.\MSEO\server\db, directory. Both groups contain a Directory field. This
section explains how the path displayed in the Directory field is derived on both
UNIX and Windows systems.
The Directory listed in the Server Configuration group is the server installation
directory. The Directory listed in the Database Statistics group is the path to
the Security Server database directory that contains policies, keys, etc. Unless
otherwise configured as described in Configuring the Security Server database
directory location on page 100, the second Directory is always the same as the
first Directory plus \db or /db. These are shown in Figure 3-20.
Figure 3-20 Server Configuration windows. (UNIX top. Windows bottom.)
You are not prompted to specify the server installation directory on UNIX
systems because the software installation path on UNIX is hardcoded to
/opt/vormetric/mseo/server. You can specify an alternate server
installation directory on Windows systems. Because of this installation
difference, the MSEO Server Console directories displayed on a Windows system
are different than the directories displayed in the MSEO Server Console on a
UNIX system.
Look at the ./mseo/server/bin/ce executable file on a UNIX installation.
You will see the Java command used to open the MSEO Server Console.
# cat ./mseo/server/bin/ce
/opt/vormetric/mseo/server/jre/bin/java -jar /opt/vormetric/mseo/server/bin/ce.jar /opt/vormetric/mseo/server
#
The last argument in the ./mseo/server/bin/ce file is the path to the server
installation directory, and this argument is used as the value of the Directory
field in the Server Configuration group. The value of the Directory field in the
Database Statistics group is the value of the Directory field in the Server
Configuration group, appended with /db.
Windows paths are not hardcoded and Windows uses a different directory
scheme. Windows does not include the last Java argument in its ce.bat file.
C:\Program Files\MSEO\server\bin>type ce.bat
..\jre\bin\java -jar ce.jar
C:\Program Files\MSEO\server\bin>
The Java runtime and directories are relative to the Start in field of the
Start->Programs->Media Server Encryption Option->MSEO Server Console
shortcut used to start the MSEO Server Console on Windows. For example, if you
install the server software in C:\Program Files\MSEO, and you display the
properties of the menu shortcut, you will see:
Target: "C:\Program Files\MSEO\server\bin\ce.bat"
Start in: "C:\Program Files\MSEO\server\bin\"
Therefore all path information displayed is relative to the Start in directory.
Figure 3-21 Paths in Windows
On Windows, you can set the value displayed in the Directory field for the
Database Statistics group. You cannot set the Directory field for the Server
Configuration group.
To set the Directory field for the Database Statistics group:
1 Exit the MSEO Server Console.
2 Open the .\MSEO\server\config\mseo_security_server.conf file
in a text editor.
3 Add the following line to the end of the file:
dir pathToDatabase
where pathToDatabase is the full Windows path to the
.\MSEO\server\db directory. For example, if MSEO is installed in
C:\Program Files, the mseo_security_server.conf file can look
something like:
mylocation 10.3.5.150
sslport 8084
signer 10.3.34.31:8085
keysize 1024
dir C:\Program Files\Vormetric\MSEO\server\db
4 Save and exit the file.
5 Restart the MSEO Server Console.
Figure 3-22 MSEO Server Console after configuring the database path
Chapter 4 Configuring MSEO Drivers and Server Connections
A Graphical User Interface is provided with the MSEO Agent installation that
configures the devices attached to the agent system, and it configures the
Security Servers to which the client connects for policy approval to perform the
requested backup or restore operation.
NetBackup must be configured to use MSEO devices. NetBackup requests to
read/write archive data are sent to the MSEO device. The MSEO Agent running
on the media server intercepts the request and forwards it, along with other
system parameters, to the Security Server. The Security Server either returns
the data needed to complete the request or denies the request.
MSEO protection is applied when NetBackup is configured to use MSEO drivers.
Inversely, MSEO protection ends when NetBackup is configured to use regular
system drivers. The MSEO Agent runs as a background process and does not poll
the NetBackup server for updates.
This section assumes NetBackup 5.1 or 6.0 is already installed, configured, and
running. It also assumes you have MSEO Agent software installed.
Starting the MSEO Agent Console
Open the MSEO Agent Console using the appropriate method for your operating
system:
Log in as the administrative (root) user.
The user running the Agent Console must have administrative, or root,
permissions to the NetBackup and MSEO installation directories because it
can query NetBackup for configured tape devices, create system devices,
and change parameters in the MSEO database.
On Windows systems, select Start->Programs->Media Server Encryption
Option->MSEO Agent Console.
Figure 4-23 Starting the Agent Console in Windows
On Windows systems, you can also:
Open a command window.
Change to the .\MSEO\agent\bin directory.
Enter .\jmseoconfig.
On UNIX systems, execute ./mseo/agent/bin/jmseoconfig.
The MSEO Agent Console comprises pull-down menus, a navigation frame, and a
work frame. The navigation frame displays the components used to configure
backup devices and server connections. Click an object in this panel to display
the elements of a component. Click an element of the component to display its
attributes in the work frame. For example, a component is either Device
Configuration or Server Connection. An element of Device Configuration is a
specific device. Attributes of a device component are the drive name, maybe the
drive path or SCSI bus number. The contents of the work frame change relative
to the selected object in the navigation frame.
Figure 4-24 Parts of the Security Server MSEO Agent Console (callouts: Menus, Navigation frame, Work frame)
The pull-down menus displayed on the MSEO Agent Console are dependent
upon the UNIX operating system. The differences are noted below:
Figure 4-25 MSEO Agent Console menu hierarchy
MSEO Agent integrity checks
The MSEO Agent driver on Solaris, Windows, and Linux platforms performs
FIPS 140-2, Level 1, tests each time the MSEO Agent process is started. The tests
are:
The cryptographic algorithm is tested by submitting a set of input vectors
and comparing the calculated result against a known answer.
Hash Message Authentication Code (HMAC) test. Secure Hash Algorithm
(SHA1) known-answer test, where a hard-coded key, IP address, and
certificate are used to encrypt and decrypt sample data. This test verifies
that the AES encryption algorithm is functioning correctly.
An integrity test to verify that the installed MSEO Agent software and
device drivers have not been modified or corrupted.
These tests are performed only when the drivers are loaded, not at the beginning
of each backup/restore job, so there is no impact on performance.
If a test fails, the MSEO Agent process will not start and an error message is
sent to the respective event log. If the tests complete successfully, a success
message is sent to the respective event log, the MSEO Agent process is started,
and you can proceed to back up and restore data.
Event logs are:
(Linux) /var/log/messages
(Solaris) /var/adm/messages
(Windows) Usually, ...->System Tools->Event Viewer->System or
..->Administrative Tools->Computer Management->System Tools->Event
Viewer->System. View the details for a Source of type vmtape.
The FIPS test messages are:
FIPS AES Known Answer Test passed.
FIPS HMAC-SHA1 Known Answer Test passed.
FIPS Integrity Test passed.
To recover from a self-test failure, try once more to start the MSEO Agent
process. If it does not pass, remove and re-install the MSEO Agent software.
On Windows platforms, view FIPS test results in the Windows Event Viewer.
Figure 4-26 (Windows) Displaying a FIPS test log entry
Displaying the agent version and release
The MSEO Agent has both a version number and a release number. The version
number is the FIPS driver version. This number should change infrequently and
is of little user value. The release number is the version number appended with
the build number. This number changes with each software update and it is
important for discussing issues with Customer Support.
There are several ways to display the MSEO Agent version and release
information:
On all platforms, select About->MSEO Version in the MSEO Agent Console
menu to display the currently installed agent release.
On all platforms, enter the cgconfig command with either the version or
release argument. Windows examples are shown below:
C:\Program Files\Vormetric\MSEO\agent\bin>cgconfig.exe version
MSEO Agent
Version: 6.1.0
Built on May 1 2008 at 16:25:51
C:\Program Files\Vormetric\MSEO\agent\bin>cgconfig.exe release
MSEO Agent
Release Version: 6.1.0.82
Built on May 1 2008 at 16:25:51
On Windows platforms, open the Properties->Version tab for vmtape.sys.
(The file is located at: x:\Windows\system32\drivers\vmtape.sys).
Select Product Version to display the MSEO Agent release version.
Select File Version to display the MSEO Agent kernel driver version.
Figure 4-27 (Windows) Displaying the MSEO Agent product (release) version
Configuring backup devices
There are regular system devices and MSEO devices. A regular system device on
UNIX is something that you would find in the /dev directory, like
/dev/rmt/0cbn. A MSEO device is the MSEO pseudo-driver that intercepts
backup and restore requests then, if the policy permits, the backup or restore
request is passed onto the regular system device for execution. At least one
device must be configured as a MSEO device to backup and restore data with
MSEO protection, and, with the exception of a Fibre Channel connection to
devices in a SAN, only locally attached devices can be configured.
Figure 4-28 Windows (background) and UNIX (foreground) Agent Consoles
The MSEO Agent Console displays all locally-configured tape devices, regardless
if they are configured in NetBackup or not. The Agent Console is used to switch
the backup device from a standard system device to a MSEO device. When you
switch to a MSEO device, a pseudo-device is created that intercepts read and
write requests to the tape device and passes the requests to the Security Server
for evaluation. If the policy allows, the NetBackup request is performed.
Note: Though the Agent Console can change local system devices from native
devices to MSEO devices, you must still configure the devices in NetBackup.
On a Solaris agent, the new MSEO pseudo-device retains the same name as the
original NetBackup device but it is placed in a different directory. For example,
on UNIX hosts, if the NetBackup device is configured in NetBackup as
/dev/rmt/2cbn, the generated MSEO device will be /dev/mseo/2cbn. The
NetBackup configuration is automatically updated to point to the new MSEO
device.
None of the description about the device name changes that occur when
switching between native and MSEO devices applies to Linux agents or Windows
agents. There is no name change on a Linux agent when switching from a native
device to a MSEO device, and vice versa. If the native device name is
/dev/nst0, that is how it is always displayed in log files, in the MSEO Agent
Console, and in NetBackup. To determine if a device is a MSEO or non-MSEO
device, you can:
Display the device configurations in the MSEO Agent Console
Run a CLI command that lists the agent devices, like cgconfig list
Use the ls -l command on the devices in question and check the
major number of the device. The major and minor device numbers
identify the device to the kernel. A major number of 254 indicates a
MSEO pseudo-device. Any other value for the major number, such as 9,
indicates a native device.
crw-rw---- 1 root disk 9, 128 Jan 25 03:51 /dev/nst0
crw-rw---- 1 root disk 254, 128 Jan 25 14:49 /dev/nst0
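The major-number check above, as an added Python example (not part of the MSEO product) for a Linux media server where the device name does not change: it classifies a device either from an ls -l line or by stat-ing the node directly. The function names are constructed and SAMPLE_LS is modelled on the two lines shown above.

```python
"""Tell a native Linux tape device from an MSEO pseudo-device by its major
number: the guide states that major 254 marks the MSEO pseudo-device and any
other value (such as 9) a native device.

Added example, not part of the MSEO product; the function names are
constructed and SAMPLE_LS is modelled on the two ls -l lines in the text.
"""
import os
import re
import stat

MSEO_MAJOR = 254

# Constructed: the same device node before and after conversion to MSEO.
SAMPLE_LS = [
    "crw-rw---- 1 root disk 9, 128 Jan 25 03:51 /dev/nst0",
    "crw-rw---- 1 root disk 254, 128 Jan 25 14:49 /dev/nst0",
]

# Long-format ls line for a character device: type 'c', nine mode bits, an
# optional ACL/SELinux marker, link count, owner, group, "major, minor",
# timestamp words, then the path.
_LS_CHARDEV = re.compile(
    r"^c[rwxsStT-]{9}[.+]?\s+\d+\s+\S+\s+\S+\s+(\d+),\s*(\d+)\s+.*\s(\S+)$"
)


def classify_major(major: int) -> str:
    """'mseo' when MSEO protection is in the I/O path, else 'native'."""
    return "mseo" if major == MSEO_MAJOR else "native"


def parse_ls_line(line: str):
    """Return (path, major, minor) from an ls -l line, or None when the line
    does not describe a character device (block devices, files, ...)."""
    m = _LS_CHARDEV.match(line.strip())
    if not m:
        return None
    major, minor, path = m.groups()
    return path, int(major), int(minor)


def device_kind_from_ls(line: str) -> str:
    parsed = parse_ls_line(line)
    if parsed is None:
        raise ValueError("not a character-device ls -l line: " + line)
    return classify_major(parsed[1])


def device_kind(path: str) -> str:
    """Live check on the agent host: stat the node and read its major number
    (what ls -l shows), so it works even though Linux keeps the same name
    for the native and the MSEO device."""
    st = os.stat(path)
    if not stat.S_ISCHR(st.st_mode):
        raise ValueError(f"{path} is not a character device")
    return classify_major(os.major(st.st_rdev))


if __name__ == "__main__":
    for line in SAMPLE_LS:
        print(device_kind_from_ls(line), "<-", line)
```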
When switching back to the original device, the NetBackup configuration is
changed to point to the original device name and MSEO protection is no longer
provided for the media server using the original device. The MSEO
pseudo-device is left intact so you can select it in NetBackup when you wish to
resume MSEO protection.
Note: NetBackup, the MSEO tape driver, and the MSEO Agent, must all be
inactive to switch device drivers for MSEO and non-MSEO configured devices. If
you attempt to change a device while the device is in use, the Agent Console will
return a message stating that the device is busy and it will wait until the device
becomes available to make the change. Check the NetBackup master server to
verify inactivity.
Note: Do not use the NetBackup Administration Console to switch between
MSEO devices and regular devices. Use the MSEO Agent Console to switch from
MSEO devices to regular devices and vice versa.
Note: Changes made to a host configuration in the NetBackup master server are
not automatically displayed in the MSEO Agent Console. Restart the MSEO
Agent process to synchronize host information between NetBackup and MSEO.
See sbnbucd on page 214 for information about restarting the MSEO Agent.
The Device Configuration window is divided into two groups: regular system
devices on the top of the window (Non-MSEO Devices), and MSEO-configured
devices (MSEO Devices) on the bottom of the window.
The columns in the Device Configuration window are:
Convert: Changes the selected system devices into MSEO devices. The original
system devices are left intact. You are only creating links to pseudo-devices
created and stored in /dev/mseo and system directories, like /kernel.
Revert: Changes the selected MSEO device back into a system device.
Async I/O: Enables asynchronous write during backup. The default is
synchronous write. Synchronous data streaming is slower but can successfully
recover from data interruption. Asynchronous data streaming provides faster
throughput but recovers unreliably from data interruption. When asynchronous
write is enabled, and data streaming is interrupted, such as by disconnecting
a network cable, NetBackup will attempt to recover the job when the cable is
replaced, and possibly fail to complete the backup. If you enable
asynchronous write, create the following NetBackup touch file to disable
NetBackup error recovery.
On UNIX:
/usr/openv/netbackup/db/config/NO_ERROR_RECOVERY
or
/opt/openv/netbackup/db/config/NO_ERROR_RECOVERY
On Windows:
\Program Files\VERITAS\NetBackup\db\config\NO_ERROR_RECOVERY
Debug: Generates debug entries for the device in the MSEO log. Enable this
option to troubleshoot a configuration. It can result in large log files.
Drive Name: Displays the name of the device drive. This is the same name
displayed in the NetBackup Device Monitor window.
Bus: (Windows only) Displays the SCSI bus number on which the device resides.
Target: (Windows only) Displays the SCSI target number.
LUN: (Windows only) Displays the Logical Unit Number of the SCSI device.
Index: (UNIX only) Displays the index number. This is the same number
displayed in the NetBackup Device Monitor window.
Drive Path: (UNIX only) Displays the full path of the driver for the backup
device. This is the same path displayed in the NetBackup Devices window. A
drive path that contains /dev/mseo indicates that the MSEO device driver is
being used and MSEO protection is applied. A drive path like /dev/rmt
indicates that a regular system driver is being used and MSEO protection is
not applied.
On a UNIX system, when you convert a device to a MSEO device, the MSEO Agent
Console creates a similarly named device in the /dev/mseo directory and
displays the path change in the NetBackup Administration Console. On a
Windows system, the drive path is always vmtape.
Note: On Windows hosts, the MSEO Agent Console does not show unique device
names. For example,
QUANTUM.SDLT320.002
QUANTUM.SDLT320.003
can be displayed in the NetBackup console, but they can be displayed in the
MSEO Agent Console as,
QUANTUM.SDLT320.5252
QUANTUM.SDLT320.5252
Device names come from the Windows registry. The devices in the registry all
share the same name, and the devices are displayed with that name in the MSEO
Agent Console. It is unknown at this time as to how NetBackup creates unique
device names on Windows media servers. You must use the BUS, TARGET, LUN,
and the device name to uniquely identify the devices on a Windows host.
To configure agent devices:
1 Select Device Configuration in the MSEO Agent Console navigation frame.
All the local backup devices are displayed. Change just the devices that are
also configured in NetBackup.
2 If you want to make backups using asynchronous write operations, enable
the Async I/O checkbox for the device.
3 If you want to generate additional log data to debug or streamline a
configuration, enable the Debug checkbox for the device.
4 If you want to convert from system device drivers to MSEO device drivers, or
vice versa, enable the respective Convert or Revert checkbox for the device.
5 Repeat this process for all the devices you want to modify.
6 Click Apply.
The changes are applied immediately and are visible in the NetBackup
Device Manager.
A system reboot may be required on a Windows system after you add or remove
MSEO device drivers. You will be prompted to reboot the system after changing
agent devices if the Windows kernel requires a reboot to apply your changes.
Displaying agent certificates
The agent certificate is displayed when it is generated during installation and
after running the get_cert command on the agent system. The MSEO Agent
Console does not display agent certificates. If you want to regenerate a new
agent certificate, see Manually renewing SSL certificates on page 151. If you
want to use the CLI to display the current certificate, see sbadmin view on
page 210.
Starting, stopping, and restarting the MSEO Agent
Currently, the MSEO Agent Console is unable to start and stop the agent process
that runs on each agent system. See sbinit on page 214 for information about
how to start, stop, and restart UNIX MSEO processes. On a Windows system, you
start and stop the service named MSEO Agent in the Windows Services window.
Configuring server connections for the agent
The MSEO Agent host is configured with a default Security Server during
installation. Use the Agent Console to configure the servers accessed by the
agent, as well as change server precedence, Web listening port, and server name.
Note: Changes to the network connection between the MSEO Agent and Security
Server are not dynamically updated. After changing the configuration, you must
restart the MSEO Agent process for the MSEO Agent to detect and use the new
configuration. See also sbnbucd on page 214.
The columns in the Server Connection window are:
Up: Server access is order dependent. The first server in the list is the
first server that is checked for a viable connection. If the agent
successfully connects to the server, that server is used. To change the order
of server precedence, click anywhere in a server line and click Up or Down to
move the server up or down one place in the list. Each time you click the Up
button, the server is moved up one position.
Down: Server access is order dependent. The first server in the list is the
first server that is checked for a viable connection. If the agent
successfully connects to the server, that server is used. To change the order
of server precedence, click anywhere in a server line and click Up or Down to
move the server up or down one place in the list. Each time you click the
Down button, the server is moved down one position.
Use SSL: This is both a checkbox and status indicator. In the top of the
window, next to the Add Server button, this is a checkbox that you enable to
configure the new server to use SSL authentication for all agent-server
communication. This checkbox is enabled by default. In the List of Server
Connections area on the bottom of the window, Use SSL indicates the SSL
configuration status. If checked, it indicates that the server is using SSL
authentication. If not checked, the server is not using SSL authentication.
This option cannot be reset once it is configured.
Server Name/IP: This is both a text-entry box and status indicator. In the top
of the window, Server Name/IP is the DNS name or IP address of the server to
which this agent is to connect. You must enter a valid network name or the
agent will be unable to connect to the server. In the List of Server
Connections area on the bottom of the window, Server Name/IP lists the
network name of the server this host is to use.
Port: The SSL port on which the server listens for agent requests.
Remove?: Selection checkbox for removing a server from the list.
Configuring the servers for an agent
Configuring a media server to access multiple Security Servers requires the
databases to be synchronized between all the Security Servers. That is, the
Security Servers need the same policies, keys, etc. to effectively and
transparently service one or more media servers. If an alternate Security
Server is used when the primary Security Server is inaccessible, the database
must have the same keys and policies to effectively administer the media
server. See Sharing encryption keys between Security Servers on page 96 for
information about setting up multiple Security Servers.
To add Security Servers to the list of servers for the local agent:
1 Wait for the media server to complete all NetBackup tasks on the MSEO
Agent host.
Do not proceed while the MSEO Agent host is performing backup/restore
tasks.
2 Select Server Connection in the MSEO Agent Console navigation frame.
3 Enter the SSL network information of the server for the local agent in the
Server IP Address text-entry box.
This window configures the SSL server connection for agent-server
communication. Enter the fully-qualified domain name or IP address of the
Security Server system. Appropriate examples are win40130.qa.com and
10.3.40.130. If you enter just the hostname, such as win40130,
configuration will complete but NetBackup will fail. Do not include a URL
path prefix, like http:// or https://.
4 Enter the listening port number for the server in the Server Port Number
text-entry field.
The port number you enter must match the port number configured for the
server on the server. That is, if the Security Server is configured to listen on
port 8084, you must enter 8084. Otherwise, agent requests will be ignored.
The default is 8084.
5 Enable the Use SSL checkbox.
SSL can optionally be configured and certificates generated to provide
additional MSEO Agent and Security Server protection. Unless you have
some overriding need to leave the agent-server connection exposed, it is
recommended that you enable SSL.
6 Click Add Server.
The server is added to the list of servers for the local agent.
7 Repeat the process to add more servers to the list.
You can add multiple Security Servers. Add them if there are more in your
NetBackup configuration. The MSEO Agent checks for Security Servers in
sequential order, starting with the first server in the list. The Security
Server has 5 seconds to respond. If that Security Server is unresponsive, the
MSEO Agent tries the next, and so on. You can change Security Server order
using the Up or Down buttons.
Note: On Windows, agent configuration data is stored in
C:\Program files\Vormetric\MSEO\agent\config\mseo_agent.conf. This file may
be edited manually. Agent-to-server timeout access parameters are configured
in the mseo_agent_requests.conf file. If you suspect timeout problems,
stop the agent service on the MSEO Agent, open mseo_agent_requests.conf
in a text editor and increase the request_timeout interval to 20. See
Adjusting agent-to-server timeout on page 162 for information about
configuring time-outs. Restart the agent service. Run ipconfig /flushdns
on both the agent and server to refresh their DNS buffers. The agent and server
should now have sufficient time to establish network connections.
To remove Security Servers from the list of servers for the local agent:
1 Select Server Connection in the MSEO Agent Console navigation frame.
2 Enable the checkboxes for one or more servers that you want to remove from
the list of servers for the local agent.
3 Click Remove Server.
The server is removed from the list of servers for the local agent.
Changing server precedence
To change the precedence of Security Servers in the list of servers:
1 Click the line of a server listed in the List of Server Connections.
2 Click the Up or Down button once for each level you would like to raise or
lower the server.
Testing the agent-to-server connection
You can check that the agent can establish a network connection to the
configured servers, within an allotted period, and to a specific listening port.
The protocol used to perform the test is based upon whether or not SSL
authentication is used. The agent-server connection is verified using HTTP if
SSL authentication is not used. The agent-server connection is verified using
HTTPS if SSL authentication is used.
To test the network connection from the agent to the servers:
1 Open the Server Connection navigation frame of the MSEO Agent Console.
2 Enable the checkboxes in the Action column next to each server whose
connection you want to test.
3 Click Test Connectivity.
A dialog box opens that displays two lists: the selected servers that the
agent can successfully connect to, and the selected servers that the agent
cannot connect to.
4 Determine the cause of a server connection failure.
Check that the network address or DNS of the server is accessible from the
local system. If the system is accessible, check that the port number is
configured appropriately.
5 Click Ok to close the dialog box.
Figure 4-29 Testing agent-to-server connectivity on a Windows agent
Increasing the agent access time-out interval
See Adjusting agent-to-server timeout on page 162 to increase the time-out
interval for an agent to connect to a server.
Encrypting NetBackup backup headers
By default, the header of each MSEO-encrypted backup is written in clear text so
the backup information remains available to NetBackup. You can configure
MSEO to encrypt the backup header and the data with the same encryption keys.
Note: Enable this feature to prevent any media server from accessing NetBackup
backup headers, except those configured for MSEO and with access to the
appropriate keys. Offsite facilities will be unable to catalog tape contents and
may be unable to locate specific archives in the event of mislabeling or loss of
inventory records.
To configure MSEO to encrypt the NetBackup header at the same time it
encrypts the backup data:
1 On UNIX, open the ./mseo/agent/etc/apps file in a text editor. On
Windows, open C:\Windows\System32\Drivers\apps or
C:\WinNT\System32\Drivers\apps in a text editor.
2 Delete the line that contains the string netbackup.
Note: Leave the netbackup line intact to create a backup with a clear
NetBackup backup header. Delete the line to encrypt the backup header.
3 Save and exit the file.
4 Restart the MSEO Agent.
(UNIX) ./mseo/agent/bin/sbinit restart
(Windows) On a Windows system, you start and stop the service named
MSEO Agent in the Windows Services window.
Chapter 5 Configuring NetBackup Media Server Encryption Option Policies
This chapter describes policies and their components. It describes how to use
the components as building blocks to construct policies that provide the access
control and protection you want. The actual mechanics of adding, modifying,
and deleting policies are described in Configuring MSEO policies on page 90.
What is in a policy
A MSEO policy is a set of security rules. Each security rule is a collection of
attributes whose values are used by the Security Server to evaluate the read and
write requests issued by NetBackup. Once evaluated, the first security rule
whose attributes successfully match is used.
Policies are composed and displayed in the Security Server Console. The
following figure shows a sample policy rule.
Figure 5-30 Sample matching policy rule
Parts of a policy
A security rule specifies a condition and an action. A condition is a quantifiable
property such as a compression scheme or key name. An action causes
something to happen, such as permitting tape reading or denying tape writing.
The condition of the security rule must be evaluated to true before the action is
performed. A security rule can have the following attributes:
Action: Indicates the requested access method. It specifies how the device is
being accessed. The attribute name is Action and has a value of read or
write.
Effect: Based upon the other components in the security rule, Effect
specifies whether or not to grant permission to perform the requested read
or write function. The attribute name is Effect and usually has a value of
permit or deny. Other values may be selected. See Building compound
policies on page 135 and Enabling audits on page 139 for details.
Compress: Indicates the compression algorithm to use when executing a
read or write function. The attribute name is Compress and has one of the
following values:
none (if compression is not specified, none is assumed)
lzrw3 (Lempel-Ziv read/write level-3)
lzo1x (Lempel-Ziv-Oberhumer, category 1, type x)
txt85.eng
|netbackup.keyword.Compress|
txt85.eng is a proprietary compression method that is ideal for ASCII
text files. It provides high compression with marginal CPU load. Use this
method only for ASCII text. See Configuring NetBackup to use MSEO policy
protection on page 130 for an example of extracting the compression
method from the NetBackup master server rather than specifying it
directly. |netbackup.keyword.Compress| extracts the compression to
use from a NetBackup Keyword phrase.
KeyType: Indicates the file encryption method to use on the tape data. The
attribute name is KeyType and has one of the following values:
none
aes128
aes256
|netbackup.keyword.KeyType|
none indicates no encryption is to be applied to the backup data. AES
encryption keys are automatically generated as needed, stored on the tape
media or other storage media, and are not managed by the user. In order to
preserve the integrity of AES data encryption keys, MSEO generates and
uses a new File Encryption Key (FEK) each time it encrypts data to tape. See
also The encryption/decryption process on page 81.
|netbackup.keyword.KeyType| extracts the key type to use from a
NetBackup Keyword phrase. See also Creating and managing encryption
keys on page 80 for additional details.
KeyGroup: Indicates the name of the key group that contains the RSA key
pair for encrypting and decrypting the tape volume header. The attribute
name is Key, and it takes a text string that names the default key group or
a user-generated key group. You can select existing key groups or
|netbackup.keyword.KeyGroup|.
|netbackup.keyword.KeyGroup| extracts the key group name to use
from a NetBackup Keyword phrase.
Attribute matching is a way to increase the level of policy control. An attribute
match is a Boolean-valued expression that compares one string against another
using a supported function or relation. You can, for example, evaluate a backup
request using the pool or copy number for that request. The example attribute
match rule in the foreground of Figure 5-30 on page 124 checks that the
NetBackup copy number is greater than 1. See also Configuring matching
attributes on page 134.
There is an additional feature for configuring policies that insert (or call)
another policy into the current policy. See Building compound policies on
page 135.
The MSEO Tape Driver constructs a list of attributes from a number of sources
on a media server to obtain fine-grained contextual information about each
backup operation. For example, the MSEO Agent can read attribute
information from the operating system and also from the backup application
itself. Typically, a backup application will write its own metadata to the tape
which summarizes the files that are being written to the tape, the particulars of
the backup policy being used to initiate the backup, and so on. The MSEO Tape
Driver will intercept this metadata and use parts of it as attribute information
that it then passes onto the MSEO Security Server to be matched against
configured policies.
For example, NetBackup includes the name of the backup policy in the metadata.
The MSEO product will intercept this information and use it to check whether
an access control policy has been defined that matches against the name of the
backup policy. If there is a match in an access control policy, the MSEO product
will use this access control policy to determine whether or not the requested
tape operation is permitted.
For each backup, the MSEO Tape Driver will be able to determine the following
attributes:
ID of the user running the backup program.
The IP address and DNS name of the media server.
The GUID and hardware ID of the media server and the physical tape device.
User-specified string from the command line invocation of the backup
application.
The backup application metadata.
Keywords specified in backup application.
Date & Time.
NetBackup exposes several metadata fields in its own GUI which can be
configured by users when they create a NetBackup policy. MSEO allows the
user to enter specific keywords into these fields that will be subsequently
recognized by the Tape Driver during a backup operation. These keywords can
specify, for example, the name of a key group to use when performing a backup
operation using a particular NetBackup policy. This unique functionality will
allow the user to construct NetBackup policies in the NetBackup GUI and
provide information in that GUI which will be later understood by the MSEO
Tape Driver.
Note: Only the access permissions of a policy are checked when restoring a
backup. The other policy attributes are extracted from the MSEO metadata in
the tape header. If the policy permits read access (i.e., Effect=permit,
Action=read), the encryption and compression parameters are extracted from
the header. This means that, though you use a complex security rule to evaluate
a backup request, you only need a simple rule to restore the backup.
A look at the default MSEO policies
A default policy is created during Security Server installation. The default policy
is a safe policy for novice MSEO administrators to use as they explore MSEO
features because NetBackup continues to read and write tape backups without
any noticeable change, unless you explicitly configure MSEO policy attributes.
Start by entering an XML expression in a NetBackup Keyword phrase text-entry
box. These expressions are described in Configuring NetBackup to use MSEO
policy protection on page 130.
Note: The syntax of the Keyword phrase that you enter is neither parsed nor
verified by MSEO. Double-check the Keyword phrase you enter to ensure that the
syntax is correct; a mistake only surfaces when the backup runs.
The default policy is comprised of three rules. The first rule also uses attribute
matching, and is shown in Figure 5-31.
Figure 5-31 The first rule in the default policy
The first rule in the default policy evaluates write requests. If a write request is
submitted, the policy checks that the KeyType and Compress attributes are set
to something (i.e., not empty). These two attributes are set by extracting the
definitions from the NetBackup Keyword phrase. If these conditions are met, the
backup is granted using the compression algorithm and key type specified in the
Keyword phrase, and the default key group, is used to encrypt the Backup
Encryption Key (BEK).
If there is no match using the first rule, the second rule is tried. The second rule
evaluates write requests rejected by the first rule. The second rule does not
check for key type or compression. And though the key group is set to default, it
is not used because the key type is not set. The second rule acts as a default rule
that grants permission to all write requests that are rejected by the first rule.
Figure 5-32 The second rule in the default policy
The third rule does not perform any checks. It permits all read requests. The
Security Server passes the matching private key to the agent. The agent decrypts
the MSEO metadata with the private key, then it uses the AES key that it just
extracted from the metadata to decrypt the backup data.
Figure 5-33 The third rule in the default policy
Regardless of which security rule in the default policy is used, an entry is added
to the audit log file.
Built-in variables
MSEO supports a set of variables you can use to write policy and audit template
files. The MSEO Agent binds values to the variables and forwards the bound
variables to the Security Server. The Security Server substitutes all variable
occurrences in the policy or audit template file with their actual value. Variables
are enclosed within pipe characters (|).
The built-in variables are listed below:
client.ip
    The IP address of the host requesting policy evaluation.
netbackup.copy
    An integer value that identifies the NetBackup copy number of the
    backup job. This value is extracted from the MSEO metadata. The copy
    number can be used to decide which jobs should be handled in the clear
    and which jobs should be encrypted.
netbackup.image_id
    The backup ID in the NetBackup format. For example, an entry like
    NetBackup BackupID=|netbackup.image_id| in the audit file can return a
    log entry like NetBackup BackupID=srv41001_1174500956.
netbackup.keyword
    Replaced, in MSEO policy and audit template files, with the value
    specified in the Keyword phrase text-entry box on the NetBackup
    Policy->Attributes tab.
netbackup.media_head_id
    The raw header data from the piece of media itself, for example
    "VOL1A00002".
netbackup.media_id
    The media ID used by NetBackup, for example "A00002".
netbackup.policy
    The name of the NetBackup policy for this operation. For example,
    NetBackupPolicy=100GB_1_c1e0.
netbackup.pool
    An integer value that identifies the NetBackup tape pool used to read
    or write a backup. This value is extracted from the MSEO metadata. Use
    the NetBackup Administration Console to cross-reference pool numbers
    to pool names.
netbackup.schedule_name
    The name of the NetBackup schedule for this operation. For example,
    NetBackup Schedule=Full.
po.allenckey
    The list of key names from the key group in the MSEO policy. This
    variable is only used in the audit template file.
po.compress
    The compression requested in the policy. This variable is only used in
    the audit template file.
po.enckey
    The key group requested in the policy. This variable is only used in
    the audit template file.
po.keytype
    The encryption requested in the policy. This variable is only used in
    the audit template file.
po.name
    The name of the policy being evaluated. This variable is only used in
    the audit template file.
Configuring NetBackup to use MSEO policy protection
You can also define custom variable:value pairs in the NetBackup Keyword
phrase text-entry box that are referenced by the netbackup.keyword
variable. This variable is placed in policy and audit template files and, when
encountered, is replaced with the variable:value pairs before the Security
Server evaluates the policy or audit template. The variable:value pairs are
XML-like expressions in the following form:
<mseo> var=value; [var=value;]* </mseo>
For example:
<mseo> KeyGroup=Keys_01; KeyType=aes128; Compress=lzrw3; </mseo>
In the example above, the MSEO Agent sends the variables KeyGroup,
KeyType, and Compress, and their values, to the Security Server. The
Security Server substitutes instances of '|netbackup.keyword.variable|'
in the policy or audit template file with the defined variable:value pairs. The
Keyword phrase text-entry box on the Change Policy window is shown in
Figure 5-34.
Figure 5-34 Configuring MSEO variables in the Change Policy window
The maximum number of characters allowed in a Keyword phrase text-entry
box is 128 characters. Keep this in mind, especially if you intend to mix MSEO
expressions and regular NetBackup expressions in one Keyword phrase
text-entry box.
Note: Multiplexing is the writing of multiple backup jobs as one tape image. You
may configure a different NetBackup policy for each job in the multiplexed
backup; however, due to scheduling and other factors, you cannot determine
which NetBackup policy will be used to write the completed image to tape. To
ensure consistent and correct results, the MSEO expression in the Keyword
phrase text-entry box must be the same for every NetBackup policy used to
make the multiplexed image. This ensures that the variables MSEO extracts
from the Keyword phrase text-entry box are the same and produce the same
results, regardless of which NetBackup policy is used to write the image to tape.
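Because MSEO neither parses nor verifies the phrase, it pays to check an expression before pasting it into NetBackup. The following Python script is an added example, not part of the MSEO product or of this guide: it parses the <mseo> ... </mseo> form, applies the documented KeyType and Compress value sets and the 128-character limit of the text-entry box, and checks that the phrases of several NetBackup policies agree, as the multiplexing note above requires. The function names and the sample phrases are constructed for the example.

```python
import re

# Documented value sets for the Compress and KeyType attributes.
COMPRESS_VALUES = {"none", "lzrw3", "lzo1x", "txt85.eng"}
KEYTYPE_VALUES = {"none", "aes128", "aes256"}
# Documented size limit of the NetBackup Keyword phrase text-entry box.
KEYWORD_PHRASE_MAX = 128

_MSEO_BLOCK = re.compile(r"<mseo>(.*?)</mseo>", re.DOTALL)


def parse_mseo_phrase(phrase):
    """Return the var=value pairs inside <mseo> ... </mseo> as a dict.

    Raises ValueError when the block is missing or a pair is malformed,
    mirroring the documented behaviour that a bad expression discards all
    of the pairs rather than just the faulty one.
    """
    found = _MSEO_BLOCK.search(phrase)
    if found is None:
        raise ValueError("no <mseo> ... </mseo> block found")
    pairs = {}
    for item in found.group(1).split(";"):
        item = item.strip()
        if not item:
            continue
        name, sep, value = item.partition("=")
        name, value = name.strip(), value.strip()
        # A missing semicolon runs two pairs together; reject that too.
        if not sep or not name or not value or "=" in value or " " in value:
            raise ValueError("malformed pair: %r" % item)
        pairs[name] = value
    return pairs


def check_mseo_phrase(phrase):
    """Return a list of problems; an empty list means the phrase looks sane.

    Custom variables are allowed by MSEO, so unknown names are not flagged;
    only the documented attributes are checked against their value sets.
    """
    problems = []
    if len(phrase) > KEYWORD_PHRASE_MAX:
        problems.append("phrase is %d characters; the text-entry box allows %d"
                        % (len(phrase), KEYWORD_PHRASE_MAX))
    try:
        pairs = parse_mseo_phrase(phrase)
    except ValueError as exc:
        problems.append(str(exc))
        return problems
    key_type = pairs.get("KeyType", "none")
    if key_type not in KEYTYPE_VALUES:
        problems.append("unsupported KeyType %r" % key_type)
    compress = pairs.get("Compress", "none")
    if compress not in COMPRESS_VALUES:
        problems.append("unsupported Compress %r" % compress)
    return problems


def phrases_agree(phrases):
    """True when every Keyword phrase carries the same MSEO pairs.

    Run this over all NetBackup policies that feed one multiplexed image,
    because MSEO cannot predict which policy's phrase will be applied.
    """
    if not phrases:
        return True
    parsed = [parse_mseo_phrase(p) for p in phrases]
    return all(p == parsed[0] for p in parsed[1:])


if __name__ == "__main__":
    # Constructed sample phrases, including the aes127 typo from the log above.
    for sample in ("<mseo> KeyGroup=Keys_01; KeyType=aes128; Compress=lzrw3; </mseo>",
                   "<mseo> KeyType=aes127; </mseo>",
                   "Weekly full <mseo> KeyType=aes256 Compress=lzrw3; </mseo>"):
        print(sample, "->", check_mseo_phrase(sample) or "ok")
```

Mixing MSEO and ordinary NetBackup keywords in one box is allowed, so the parser only looks at the <mseo> block and leaves the rest of the phrase alone; the length check, however, counts the whole phrase, as the text-entry box does.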
Figure 5-35 Configuring MSEO variables in the Backup Files window
Keyword phrase text-entry boxes are located on the NetBackup Change Policy
and Backup Files windows, the Restore Files tab, and possibly in other places.
The MSEO expression entered in the Keyword phrase text-entry box on the
Change Policy window is applied to every job that uses the policy; however,
when you enter a MSEO expression in the Keyword phrase text-entry box on a
different window, the other window has precedence and its expression is applied
to the current job. That is, if you enter an expression in the Change Policy
window as well as in some other window, the expression in the other window is
used first. If there is no policy match, the expression in Change Policy is then
tried.
Note: If there is an error in the Keyword phrase expression, all keyword:value
pairs are discarded and the entire expression is skipped: all Keyword phrase
checking stops and an error message is generated. Keyword phrase expressions
in other NetBackup windows are not checked either. However, the security rules
in the policy are still checked. The first security rule that matches the
backup or restore criteria, but does not rely upon Keyword phrase variable
expansion, is used.
The following error message was caused by an incorrect KeyType value.
Sep 20 16:52:43 srv33001 MSEO: [ID 705076 local0.crit] The key type aes127 is
not supported. Please check your policy for key type.
Sep 20 16:52:43 srv33001 MSEO: [ID 831163 local0.notice] The write request
from localhost has been declined because of (Access denied).
To use Keyword phrase data in a policy and audit log:
1 Put an XML-like string comprised of variable:value pairs in the
NetBackup Keyword phrase text-entry box.
For example:
<mseo> KeyGroup=Keys_01; KeyType=aes128; Compress=lzrw3; </mseo>
2 Configure a security rule in the policy that uses a specific variable:value
pair from Keyword phrase.
For example, rule 1 in the default policy uses attribute matching to
determine whether compression and key type are set. If they are, write
permission is granted using the compression algorithm and key type
specified in the Keyword phrase together with the default key group, and
an audit log entry is generated.
3 Place a security rule in the audit template file that uses a specific
variable:value pair from Keyword phrase.
For example, to extract the value of a specific variable:value pair, such
as KeyGroup:
<AuditLine>using key group
'|netbackup.keyword.KeyGroup|'</AuditLine>
This evaluates to:
using key group Keys_01
Note: Enter just '|netbackup.keyword|' without a variable name in the
audit template file to retrieve all the variable:value pairs defined in
Keyword phrase.
For information on using NetBackup Vault with additional keywords, see
Configuring Vault duplication on page 138.
Configuring matching attributes
When backup operations are performed on a media server, the MSEO Agent
collects contextual information, called attributes, about the requested operation
and sends the attributes to the Security Server for a policy decision.
The MSEO Agent constructs a list of attributes about read/write requests from
the operating system and NetBackup; the metadata generated by NetBackup and
written to the tape header is intercepted by the MSEO Agent. Metadata
comprises catalog information that describes the files being written, the backup
policy being used, and so on. The MSEO Agent passes the collected information
to the Security Server, which matches it against the policies configured for
the MSEO Agent host. If the information and a policy rule match, the Security
Server then determines whether or not to permit the operation.
Note: You cannot use match operations in an audit template file.
The table below describes the supported match operations (MatchOp):
!
    Negation operator placed before any other operation in this table to
    use its inverse for the string comparison. For example, !empty matches
    only when the string is neither empty nor NULL.
empty
    Returns a match if str1 does not exist or is a NULL (that is, empty)
    string. Specify only one string when using the empty operation.
exact
    The two strings must be identical for the comparison to be a valid
    match. That is, if one string is abc123, the other string must also be
    abc123.
exactnocase
    The two strings must be identical, except that case is not considered.
    That is, if one string is abc and the other is ABC, the two are
    considered a match.
greaterthan
    Specifies an integer literal; the extracted value, interpreted as an
    integer, must be greater than the literal for a match to occur. The
    attribute match rule in Figure 5-30 on page 124 uses greaterthan to
    check that the NetBackup copy number is greater than 1.
regex
    Compares one string against a regular expression. Asterisks, periods,
    and question marks are treated as regular-expression metacharacters.
    String one is usually the extracted attribute value, and string two
    usually contains a portion of the expected string plus one or more
    wildcards. For example, a regex rule that tests whether the NetBackup
    policy name begins with MSEO evaluates to true, and the security rule
    is used, if the policy name begins with MSEO; the comparison evaluates
    to false, and the security rule is not used, if the policy name begins
    with lower-case mseo.
regexnocase
    Compares two strings just like regex, except that case is ignored.
    Using the same example as for regex above, but with regexnocase, any
    policy name that starts with the letters mseo, regardless of case, is
    a successful match: MseO, mseo, MSEO, and so on are all matching
    strings.
Building compound policies
Instead of building one large policy, you can use smaller policies as building
blocks from which to construct a larger and more complex policy. You can jump
from one policy to another and, when the MSEO parser reaches the end of the
other policy, processing ends. You can also nest policies by calling another
policy and, when the MSEO parser reaches the end of the called policy, parsing
continues where it left off in the calling policy.
You build compound policies using the call keyword in an Effect statement. All
configured policies are listed in the Effect scroll-list, prefixed with call.
The call keyword reads another policy and, when the other policy is completely
parsed, parsing resumes in the current policy after the instance of the call
keyword. Therefore, multiple call instances can be placed in one policy file. A
policy must not call itself, directly or through another policy: the Security
Server reports a recursive call as a policy error (see Logging on page 142).
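The following Python model is an added example, not the Security Server's own evaluator, of how the rule attributes, the MatchOps in the table above and the call keyword fit together: rules are tried in order, the first rule whose Action and attribute matches all succeed decides the request, |variable| references in rule values are expanded from the bound attributes, and a called policy either reaches a decision or hands control back to the rule after the call. The default policy mirrors the three rules described on page 127; the offsite and loop policies, the key group name offsite_keys and the treatment of a policy that falls off its end are assumptions made for the example.

```python
import re


class PolicyError(ValueError):
    """Raised for conditions the Security Server logs as policy errors."""


def expand(value, attrs):
    """Replace |variable| references in a rule value with bound attributes."""
    return re.sub(r"\|([^|]+)\|", lambda m: attrs.get(m.group(1), ""), value)


def match_op(op, value, literal):
    """Evaluate one MatchOp from the table above; a leading ! negates it."""
    negate = op.startswith("!")
    if negate:
        op = op[1:]
    value = value or ""          # a missing attribute counts as empty
    if op == "empty":
        result = value == ""
    elif op == "exact":
        result = value == literal
    elif op == "exactnocase":
        result = value.lower() == literal.lower()
    elif op == "greaterthan":
        try:
            result = int(value) > int(literal)
        except ValueError:
            result = False       # non-numeric values never compare greater
    elif op == "regex":
        result = re.search(literal, value) is not None
    elif op == "regexnocase":
        result = re.search(literal, value, re.IGNORECASE) is not None
    else:
        raise PolicyError("MATCH_OP cannot be parsed: %r" % op)
    return result != negate


def evaluate(policies, name, attrs, _stack=()):
    """Return the first matching rule's decision, following call Effects.

    A called policy that reaches a decision ends evaluation; one that falls
    off its end returns control to the rule after the call (assumption made
    for the example). A call chain that revisits a policy is the recursive
    call the Security Server reports as a policy error.
    """
    if name in _stack:
        raise PolicyError("recursive call: %s" % " -> ".join(_stack + (name,)))
    if name not in policies:
        raise PolicyError("no policy after call: %s" % name)
    for number, rule in enumerate(policies[name], start=1):
        if "Action" in rule and rule["Action"] != attrs.get("Action"):
            continue
        if not all(match_op(op, attrs.get(attr), expand(lit, attrs))
                   for attr, op, lit in rule.get("match", [])):
            continue
        effect = rule["Effect"]
        if effect.startswith("call "):
            decision = evaluate(policies, effect[5:], attrs, _stack + (name,))
            if decision is not None:
                return decision
            continue
        decision = {"policy": name, "rule": number, "Effect": effect}
        for key in ("KeyType", "Compress", "KeyGroup"):
            if key in rule:
                decision[key] = expand(rule[key], attrs)
        return decision
    return None  # no rule matched: the Security Server reports a policy error


# Constructed policies. "default" follows the three default rules described
# above; "offsite" is a hypothetical compound policy that encrypts Vault
# copies (copy number > 1) and hands everything else to "default".
POLICIES = {
    "default": [
        {"Action": "write",
         "match": [("netbackup.keyword.KeyType", "!empty", ""),
                   ("netbackup.keyword.Compress", "!empty", "")],
         "Effect": "permit", "KeyType": "|netbackup.keyword.KeyType|",
         "Compress": "|netbackup.keyword.Compress|", "KeyGroup": "default"},
        {"Action": "write", "Effect": "permit",
         "KeyType": "none", "Compress": "none", "KeyGroup": "default"},
        {"Action": "read", "Effect": "permit"},
    ],
    "offsite": [
        {"Action": "write", "match": [("netbackup.copy", "greaterthan", "1")],
         "Effect": "permit", "KeyType": "aes256", "Compress": "lzrw3",
         "KeyGroup": "offsite_keys"},
        {"Effect": "call default"},
    ],
    "loop": [{"Effect": "call loop"}],
}

if __name__ == "__main__":
    request = {"Action": "write", "netbackup.copy": "2",
               "netbackup.policy": "MSEO_weekly"}
    print(evaluate(POLICIES, "offsite", request))
```

The model makes the fall-through in the default policy visible: a write with no Keyword phrase lands on rule 2 and is permitted with KeyType none, so a tape leaves the drive unencrypted without any rule having been denied.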
Additional policies
A set of policies are included as part of the Security Server installation. On
UNIX, these files are:
./mseo/server/db/policy/default.xml
./mseo/server/db/policy/vault.xml
./mseo/server/db/policy/encrypt.xml
./mseo/server/db/policy/restore.xml
./mseo/server/db/policy/samplePolicy.xml
On Windows, these files are:
.\MSEO\server\db\policy\default.xml
.\MSEO\server\db\policy\vault.xml
.\MSEO\server\db\policy\encrypt.xml
.\MSEO\server\db\policy\samplePolicy.xml
The policy names are displayed without the .xml extension when you view
them in the Security Server Console. For example, vault.xml is displayed as
just vault.
The default policy is described in A look at the default MSEO policies on
page 127.
The vault policy is described in Configuring Vault duplication on page 138.
The following policies are described here:
encrypt
restore
samplePolicy
Note: Only the access permissions of a policy are checked when restoring a
backup. The other policy attributes are extracted from the MSEO metadata in
the tape header. If the policy permits read access (i.e., Effect=permit,
Action=read), the encryption and compression parameters are extracted from
the header. This means that, though you use a complex security rule to evaluate
a backup request, you only need a simple rule to restore the backup.
encrypt
The encrypt policy performs the same checks and applies the same rules as the
default policy. The only difference between the two is that rule2 of the
encrypt policy applies AES128 encryption, and rule2 for the default policy
does not. These are shown in Figure 5-36.
This means that if rule1 does not match, the default write action is to
make the backup without encryption under the default policy, or with
AES128 encryption under the encrypt policy.
Figure 5-36 Default rule2 (top) and encrypt rule2 (bottom)
restore
(UNIX only)
The restore policy comprises one rule that allows anyone to restore a backup.
samplePolicy
The samplePolicy policy performs the same checks and applies the same rules
as the default policy. The only difference between the two is that rule2 of the
samplePolicy policy applies AES128 encryption and lzrw3 compression, and
rule2 for the default policy does not. These are shown in Figure 5-37.
This means that if rule1 does not match, the default write action will be to
make the backup without encryption using the default policy or with
encryption and compression using the samplePolicy policy.
Figure 5-37 Default rule2 (top) and samplePolicy rule2 (bottom)
Configuring Vault duplication
Media Server Encryption Option supports NetBackup Vault duplication. All you
need is a policy with a few Vault-related attributes and Media Server Encryption
Option can create an unencrypted and uncompressed copy for on-site storage
and multiple encrypted and compressed copies for off-site storage.
Media Server Encryption Option determines whether to make on-site or off-site
Vault copies based on the NetBackup copy number attribute. It targets the media
servers to copy or restore backups based on the NetBackup pool number
attribute. The NetBackup pool name attribute is not used because it is not
available in the backup metadata, and so cannot be used in a MSEO policy.
The NetBackup copy number is an integer that increments starting at 1. 1
indicates an on-site copy. Any number greater than 1 indicates an off-site copy.
The NetBackup pool number is an integer that increments starting at 0. The
volume pool number is displayed in NetBackup by opening Media and Device
Management -> Media -> Volume Pools. Using the pool number you can
cross-reference the pool name in the NetBackup Media Manager.
Figure 5-38 Displaying pool numbers
You can include the copy and pool numbers in the policy evaluation. A sample
MSEO policy for Vault is provided with the Security Server installation. It uses
the copy number but not the pool number. You can copy the vault policy that
comes with the MSEO installation to another name, and easily add a regular rule
and an attribute match rule that checks the pool number during policy
evaluation. The steps for configuring policies and their attribute match rules are
presented in Configuring match policy rules on page 93.
If you include copy and pool numbers in your policy, you will want to update the
audit template file to include these attributes in its logs. Audit log file
configuration is described in Enabling audits on page 139.
Enabling audits
You can track MSEO Agent requests to the Security Server and record the
requests in a customizable output format. Auditing allows you to capture the
parameters used to read or write backup tapes. These may be NetBackup
parameters, MSEO parameters, system parameters, and even parameters
extracted from the backup image header.
Enable auditing by adding the audit auditFile keywords to the Effect
attribute of a policy. Auditing is enabled in Figure 5-30 on page 124. The Effect
attribute in the figure is set to permit audit netbackup. audit enables
auditing for this rule and netbackup is the name of the audit template file to
use. (netbackup is also the default template file; it is used if you
don't specify a template file name.)
The netbackup audit template file is included during installation. You can use
the default template file or configure your own. The default format reports only
the PolicyName, KeyGroup, KeyType, and Compress policy parameters. A
custom template can report much more.
You edit the template file and enter text strings and built-in variables to extract
the information that you want and print it to the log file. MSEO replaces the
variables with their values before logging the event.
The full name of the audit template file is netbackup.xml, and it is located in
the ./mseo/server/db/audit directory. All audit template files must reside
in this directory and each file must end in .xml. Audit messages are sent to
mseo.log on UNIX, or to the Windows Event Log (MSEO event type) on Windows.
The mseo.log file is described in UNIX logging (syslog file) on page 146; the
event log is described in Windows logging on page 145.
Parameters can be assigned to a media server by entering them in a NetBackup
Keyword phrase text-entry box. You can extract those values in an audit
template file using MSEO variables. A list of variables and their use is provided
in Built-in variables on page 128.
Note: Do not use attribute matching in an audit template file.
Audit template files must begin with the XML tags <Audit><AuditLog> and
end with </AuditLog></Audit>.
The following audit template file lists all the variables you can use in the
template file. The variables are enclosed within pipe (|) characters. The other
text is logged exactly as entered. (The os.tapedev and netbackup.media
variables appear in this template but are not listed in Built-in variables on
page 128.)
<Audit>
<AuditLog>Backup Policy: tape_dev=|os.tapedev|.
client_info=|client.ip|. policy_name=|po.name|.
comp=|po.compress|. encryption=|po.keytype|.
keygroup=|po.enckey|. envelope_key=|po.allenckey|.
media=|netbackup.media|. media_id=|netbackup.media_id|.
media_head_id=|netbackup.media_head_id|.
image_id=|netbackup.image_id|.
NB_schedule=|netbackup.schedule_name|. NB_keywords=|netbackup.keyword|.
NB_policy=|netbackup.policy|</AuditLog>
</Audit>
The following audit template file has been customized to include NetBackup
pool and copy numbers, and is named myVault.xml. The Effect for the policy
rule is set to permit audit myVault.
<Audit>
<AuditLog>AUDIT ENTRY -- Backup Policy: PolicyName=|po.name|.
KeyType=|po.keytype|. Compress=|po.compress|.
EncKey=|po.enckey|. Asymetric Keys=|po.allenckey|.
Copynumber=|netbackup.copy|. Poolnumber=|netbackup.pool|.
</AuditLog>
</Audit>
When the conditions for this rule all match, the template file, myVault.xml, is
used to create the audit entry. The audit entry will look something like the
following:
Jun 22 18:42:58 srv33001 MSEO: [ID 919953 local0.notice] AUDIT
ENTRY -- Backup Policy: PolicyName=default. KeyType=aes128.
Compress=lzrw3. EncKey=default. Asymetric Keys=rsa.default.
Copynumber=1. Poolnumber=1.
If you use the default audit template, netbackup, the output will look something
like the following:
Jun 22 18:25:31 srv33001 MSEO: [ID 201891 local0.notice] BACKUP
[permit] PolicyName=default. KeyGroup=default. KeyType=aes128.
Compress=lzrw3.
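As an added example, not code from this guide or from the product, the following Python renders an audit template the way the text above describes the Security Server doing it: the |variable| placeholders are replaced from the bound values, including |netbackup.keyword.KeyGroup| as in step 3 on page 133 and the myVault.xml template above, and any placeholder with no binding is reported instead of being silently logged as an empty value. The bindings for one backup are constructed for the example; the netbackup.keyword.* entries are what the MSEO Agent would bind from the Keyword phrase shown on page 130.

```python
import re
import xml.etree.ElementTree as ET

_VARIABLE = re.compile(r"\|([A-Za-z0-9_.]+)\|")


def render_audit(template_xml, bindings):
    """Expand an MSEO audit template into the text that would be logged.

    Returns (text, unresolved): the rendered line with whitespace collapsed
    the way it appears in syslog, plus the variable names that had no
    binding. Unbound names render as empty, so a typo such as
    |netbackup_image_id| is reported here instead of quietly producing
    image_id= in the log.
    """
    root = ET.fromstring(template_xml)
    if root.tag != "Audit" or root.find("AuditLog") is None:
        raise ValueError("template must be <Audit><AuditLog>...</AuditLog></Audit>")
    unresolved = []

    def substitute(found):
        name = found.group(1)
        if name not in bindings:
            unresolved.append(name)
            return ""
        return bindings[name]

    raw = "".join(node.text or "" for node in root.iter("AuditLog"))
    text = _VARIABLE.sub(substitute, raw)
    return " ".join(text.split()), unresolved


# Constructed bindings for one backup written under the default policy with
# "<mseo> KeyGroup=Keys_01; KeyType=aes128; Compress=lzrw3; </mseo>" in the
# Keyword phrase text-entry box.
SAMPLE_BINDINGS = {
    "po.name": "default", "po.keytype": "aes128", "po.compress": "lzrw3",
    "po.enckey": "default", "po.allenckey": "rsa.default",
    "netbackup.copy": "1", "netbackup.pool": "1",
    "netbackup.keyword": "<mseo> KeyGroup=Keys_01; KeyType=aes128; Compress=lzrw3; </mseo>",
    "netbackup.keyword.KeyGroup": "Keys_01",
    "netbackup.keyword.KeyType": "aes128",
    "netbackup.keyword.Compress": "lzrw3",
}

# The myVault.xml template from the section above (field spelling as shown).
MYVAULT_TEMPLATE = """<Audit>
<AuditLog>AUDIT ENTRY -- Backup Policy: PolicyName=|po.name|.
KeyType=|po.keytype|. Compress=|po.compress|.
EncKey=|po.enckey|. Asymetric Keys=|po.allenckey|.
Copynumber=|netbackup.copy|. Poolnumber=|netbackup.pool|.
</AuditLog>
</Audit>"""

# The single-variable template from step 3 on page 133.
KEYGROUP_TEMPLATE = ("<Audit><AuditLog>using key group "
                     "'|netbackup.keyword.KeyGroup|'</AuditLog></Audit>")

if __name__ == "__main__":
    print(render_audit(MYVAULT_TEMPLATE, SAMPLE_BINDINGS)[0])
    print(render_audit(KEYGROUP_TEMPLATE, SAMPLE_BINDINGS)[0])
```

Run against a template before dropping it into ./mseo/server/db/audit, the unresolved list is the cheapest way to catch a variable that the Security Server would otherwise render as nothing at all.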
Chapter 6
Maintaining and monitoring NetBackup Media Server Encryption Option
Synchronizing MSEO installations
Manual synchronization is required in NetBackup configurations with multiple
Security Server installations.
You must manually synchronize Security Servers. The keys and policies from
one Security Server should be the same on all the Security Servers in the
NetBackup configuration. This way a backup made on one media server
configured with one Security Server can be read on a different media server that
is configured with a different Security Server.
The suggested approach to synchronization is:
Select one Security Server as the primary server. This is done during
software installation.
Configure the Security Server with hosts, keys, policies, and so on. Make
sure it works.
Then install the secondary Security Servers or other, independent Security
Servers.
Use the MSEO Server Console export feature to package the keys for
transport to the other Security Servers. (This is described in Sharing
encryption keys between Security Servers on page 96.)
Copy the ./mseo/server/export directory of the primary server to the
./mseo/server/import directory of the other servers.
Copy the ./mseo/server/db directory of the primary server to the
./mseo/server/db directories of the other servers. The ./db directory
contains the host, key, policy, and audit log configurations.
Run the MSEO Server Console import feature on each of the other servers in
order to unpackage and install the primary server keys.
You may need to also modify policies and modify key groups.
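The following Python is an added example, not part of MSEO, for verifying the copy step of this procedure: it hashes every file under two ./mseo/server/db trees and reports what exists only on one side or differs in content, so that a secondary Security Server that missed a policy or audit template change is caught before a restore on that server depends on it. The two sample trees and their policy file contents are constructed for the example inside temporary directories; real db directories are compared the same way by passing their paths to db_drift.

```python
import hashlib
import os
import tempfile


def digest_tree(root):
    """Map each file under root (relative, slash-separated) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as handle:
                digest = hashlib.sha256(handle.read()).hexdigest()
            digests[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return digests


def db_drift(primary_db, other_db):
    """Compare two ./mseo/server/db trees.

    Returns the relative paths that exist only on the primary, only on the
    other server, or on both with different content. Empty lists in all
    three mean the host, key, policy and audit configuration match.
    """
    first, second = digest_tree(primary_db), digest_tree(other_db)
    return {
        "only_on_primary": sorted(set(first) - set(second)),
        "only_on_other": sorted(set(second) - set(first)),
        "differs": sorted(p for p in set(first) & set(second)
                          if first[p] != second[p]),
    }


def write_files(root, files):
    """Create the constructed files for the demonstration below."""
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as handle:
            handle.write(content)


def demo():
    """Build two constructed db trees and report the drift between them.

    The secondary is missing the custom myVault policy and still carries an
    older vault.xml, which is exactly the state a forgotten copy leaves.
    """
    shared = {"policy/default.xml": "<Policy name='default'/>\n",
              "policy/vault.xml": "<Policy name='vault'/>\n",
              "audit/netbackup.xml": "<Audit><AuditLog>BACKUP</AuditLog></Audit>\n"}
    with tempfile.TemporaryDirectory() as primary, \
            tempfile.TemporaryDirectory() as other:
        write_files(primary, dict(shared, **{
            "policy/myVault.xml": "<Policy name='myVault'/>\n"}))
        write_files(other, dict(shared, **{
            "policy/vault.xml": "<Policy name='vault' old='1'/>\n"}))
        return db_drift(primary, other)


if __name__ == "__main__":
    print(demo())
```

A non-empty result after the copy is the cue to repeat the copy or the key import on that server; a backup written on a media server bound to the primary is only restorable elsewhere when the secondary's policies and keys are the same.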
Logging
No centralized logging is provided. MSEO Agent and Security Server
installations maintain their own logs. You must configure your own logging
method, such as syslog, to place logs in one centralized location.
Start with the NetBackup Job Details window. Use this window to determine the
general success or failure of a backup job, as viewed by NetBackup. Then look
at the Media Server Encryption Option log for details of how the job was
performed.
MSEO generates messages that you can use to debug and fine-tune MSEO
Security Server and MSEO Agent installations. There are 5 types of messages:
info: Generates statistical information about the Security Server and
MSEO Agent. You can ignore messages of this type.
audit: Generates a record of Security Server and MSEO Agent activity. This
information is very helpful to fine-tune and debug policy configuration.
error: Generates messages indicating critical failure that need to be
corrected in order to complete a MSEO function. This type generates
messages to let you know something is wrong and prompts you to correct it.
For example, if your policy has a syntax error, an error message is generated
prompting you to correct the policy.
critical: Critical messages indicate something seriously wrong, like out
of memory.
debug: Debug messages are for Vormetric design engineers and are of little
value to the end-user.
The possible causes of each message type are:
info
    The server started at a given IP address and port number.
    The proxy started at a given IP address and port number.
    The server shut down.
    The proxy shut down.
    The database directory reported when the server is started.
audit
    The policy used, with all attributes in the rule used.
    A request was served successfully.
    A request could not be approved; the message includes the reason.
error
    If parsing the audit file fails, check the audit file.
    If no rule matched, check the policy.
    If the Effect in the policy is empty, check the policy.
    If an Effect cannot be parsed for an unknown reason, check the policy.
    If there is no policy after call, check the policy.
    If the policy is corrupted for an unknown reason, check the policy.
    If a rule of a policy has a double audit, check the policy.
    If the policy cannot be used to decide access, check the policy.
    If MATCH_OP cannot be parsed, check the policy.
    If a recursive call is found, check the policy.
    If the agent is not configured, check the database.
    If the policy is not configured, check the database.
    If a bad key type is detected, check the policy.
    If the key group cannot be found, check the database.
    If the key file cannot be found, check the database.
    If the specified audit file cannot be found, check the database.
    When doing a restore and the key file cannot be found, a message is
    logged.
    When any configuration file is missing, a message is logged.
critical
    Out of memory.
    The proxy contacted the server but the server did not respond for a
    fixed period of time.
    The proxy started while the driver was not running.
    The proxy cannot communicate with any server.
debug
    Most messages are debug messages.
Windows logging
Messages about MSEO system interaction are logged to the Windows Event Log.
MSEO activity is logged in the Application, Security, System, and MSEO event
types. The Application, Security, and System event types are part of the
Windows operating system, and they log standard activity such as registry
changes and application status. The MSEO event type contains log entries for:
MSEO Agent backup and restore requests
media server identification
MSEO policy application, such as the policy used and whether the request was
allowed
changes to the MSEO configuration, such as adding hosts or removing keys
MSEO connection status, such as the connection between Security Servers
and agents
backup device status, such as tape device initialization
MSEO configuration errors, such as an improper CA signer location or a
SOAP call failure
and anything else having to do with MSEO activity
To view MSEO system messages:
1 Open the Windows Control Panel.
2 Select Administrative Tools.
3 Select Event Viewer.
4 Click MSEO in the left navigation frame.
You can click the Application, Security, and System event types to view
higher, system-level MSEO events. Check these event types if the MSEO
software fails to operate. (Look for log entries in the Source column that are
named MSEO, or search for log entries with MSEO in the Description field.)
The log entries are displayed in the right navigation frame.
5 View the log events of interest to you.
The log entry Type varies based upon the event trigger. The example in
Figure 6-39 was triggered by an error condition.
Figure 6-39 Media Server Encryption Option Event Log entries
UNIX logging (syslog file)
All MSEO messages are sent to the same location and all share the same format.
The exception is audit messages. You can configure the format of audit
messages placed in the log file. See Configuring audit logging on page 136 for
details about audit message formatting. The default log files are
/var/log/mseo.log and /var/log/syslog. mseo.log is configured
through syslog.
syslog configuration is performed automatically during installation. It can
also be done manually.
To manually configure syslog to create an MSEO log:
1 Open /etc/syslog.conf in a text editor.
2 Add a line in the format of:
selector destination
For example:
local0.type /var/log/mseo.log
local0 is a local, special-use selector. Enter this string exactly as shown.
type is the type of messages you want to generate. The type may be info,
audit, error, critical, or debug. Messages of the specified type with a
selector of local0 are sent to the mseo.log file. destination is the full
path name of the log file for local0 messages of the specified type. The
default type is info and the default destination is
/var/log/mseo.log.
The message type you specify not only generates messages for the specified
type, but all the types that precede it. Note the order of message types in the
table on page 143. info generates only information-related messages.
audit generates info and audit messages. error generates info,
audit, and error messages. And so on.
3 Restart the syslog daemon.
Check the man pages for syslog.conf and syslogd for additional
information.
The following is an mseo.log excerpt:
Jun 4 16:39:23 sun-v440 MSEO: [ID 270322 local0.info] MSEO.Server:
Securityserver has been started at url: localhost:8084.
Jun 4 16:39:24 sun-v440 MSEO: [ID 390881 local0.info] MSEO.Server:
Security server has been started at url: localhost:8085.
Jun 4 16:42:41 sun-v440 MSEO: [ID 787063 local0.info] MSEO.Server:
The security server just accepted a connection from 10.2.212.100.
Jun 5 10:30:51 sun-v440 MSEO: [ID 428564 local0.notice]
MSEO.Server: Key group sanJoseKeyGroup has been added successfully.
Jun 5 10:31:57 sun-v440 MSEO: [ID 247403 local0.notice]
MSEO.Server: Key corpKey2048 has been added successfully.
Jun 5 10:59:02 sun-v440 MSEO: [ID 489375 local0.info] MSEO.Server:
The server failed to accept SSL connection from 10.2.60.25.
Jun 5 10:59:02 sun-v440 last message repeated 1 time
Jun 5 10:59:43 sun-v440 MSEO: [ID 292363 local0.info] MSEO.Server:
The security server just accepted a connection from 10.2.60.25.
Jun 5 11:04:28 sun-v440 last message repeated 18 times
Jun 5 11:04:43 sun-v440 MSEO: [ID 292363 local0.info] MSEO.Server:
The security server just accepted a connection from 10.2.0.37.
Jun 5 11:05:13 sun-v440 last message repeated 2 times
Looking at the log excerpt above, an attempt to start the Media Server
Encryption Option Security Server process succeeded, the Security Server
started and listens on ports 8084 and 8085. One attempt to accept an SSL
connection failed, but the Security Server tried again and succeeded.
The first place to look to troubleshoot an MSEO installation is mseo.log. Search
the mseo.log file for high-level errors, such as critical (local0.crit). Skim
over informational (local0.info) and notification (local0.notice)
messages.
UNIX logging (messages file)
Tape driver activity is reported on each MSEO Agent host and logged locally.
You can check the log file for Media Server Encryption Option virtual driver
status. The driver status information is used primarily for debug purposes and
contains little end-user information.
To view tape driver messages, open the system messages file on the agent
system. The following is an excerpt of a messages file:
# more /var/adm/messages
...
May 23 11:36:09 sun-v440 vmtape: [ID 763536 kern.notice] vm tape config:
May 23 11:36:09 sun-v440 vmtape: [ID 832786 kern.notice] dev_name(/devices/pci@1f,700000/scsi@2,1/st@3,0:cbn)
May 23 11:36:09 sun-v440 vmtape: [ID 810710 kern.notice] Asynchronous Write(ON)
May 23 11:36:09 sun-v440 vmtape: [ID 175655 kern.notice] debug(ON)
May 23 11:36:09 sun-v440 vmtape: [ID 873187 kern.notice] async_limit(0)
May 23 11:36:09 sun-v440 vmtape: [ID 920824 kern.notice] tape.c:vmtape_open: got VMTAPE_DEV_TAPE
May 23 11:36:09 sun-v440 vmtape: [ID 206026 kern.notice] tape_dev.c:vm_tape_tape dev_open: begin, flag:0x5
May 23 11:36:09 sun-v440 vmtape: [ID 334419 kern.notice] tape.c:vmtape_open: OPEN OK
May 23 11:36:09 sun-v440 vmtape: [ID 983630 kern.notice] tape.c:vmtape_ioctl begin -- get ioctl cmd:0x6d09, mode:0x100005, credp:300318b8640
May 23 11:36:09 sun-v440 vmtape: [ID 237735 kern.notice] tape_dev.c:d_flush -- begin
May 23 11:36:09 sun-v440 vmtape: [ID 978115 kern.notice] tape_dev.c:d_ioctl -- begin, cmd:0x6d09, credp:300318b8640, mode:0x100005 args: 0x0
May 23 11:36:09 sun-v440 vmtape: [ID 849974 kern.notice] Ioctl return 0
May 23 11:36:09 sun-v440 vmtape: [ID 924956 kern.notice] tape.c:vmtape_close -- begin(major:269, minor:350)
May 23 11:36:09 sun-v440 vmtape: [ID 479276 kern.notice] tape.c:vmtape_close -- application read 0, wrote 0
May 23 11:36:09 sun-v440 vmtape: [ID 333892 kern.notice] tape_dev.c:d_close -- begin, driver read from tape 0, wrote to tape 0
...
#
Making Backups
The best-practice recommendation is to back up the Media Server Encryption
Option data store with sufficient frequency that no configuration data,
especially keys, has the potential to be irretrievably lost. Be sure to back up the
data store in the clear: that is, do not encrypt the backup because you may not
have the keys to decrypt it in the future. Back up the keys using the key export
feature in the Security Server and copy them to a safe location. See also
Sharing encryption keys between Security Servers on page 96.
Technically, the data store is ./mseo/server/db, but it can't hurt and it
doesn't take up too much space to back up the entire ./mseo/server directory
hierarchy; however, be careful about restoring the ./mseo/server backup
because you do not want to overwrite the existing ./mseo/server/pem and
./mseo/server/etc directories.
Automatic MSEO Agent Monitoring
The MSEO Agent running on UNIX systems can revert from MSEO device
drivers back to standard UNIX device drivers without the changes being readily
obvious. For the most part, MSEO operates invisibly and independently of the
NetBackup GUI; however, if you run the Netbackup Device Wizard, or perform a
device scan on a UNIX host, the drivers can revert back to standard UNIX
drivers and backup/restore jobs can be run without MSEO policy enforcement.
Windows hosts do not encounter this problem.
A set of utilities is provided to automatically check the MSEO device status on a
UNIX MSEO Agent host. Automatic checks are performed at set intervals as a
cron job. If the check does not encounter at least one MSEO device configured,
an email message is sent to a pre-configured recipient.
You must be logged in as root to run these utilities.
The utilities are:
/opt/vormetric/mseo/agent/bin/start_mseo_monitoring.sh
This utility runs mseo_monitor.sh as a cron job and configures the email
recipient. You can only specify one email recipient. Configure an email alias
and specify the alias when prompted for an email address if you want more
than one person to get email notification. By default, the cron job runs once
every hour on the hour. You can change this interval with the crontab -e
command.
/opt/vormetric/mseo/agent/bin/stop_mseo_monitoring.sh
This utility cancels the cron job and stops monitoring the MSEO devices.
/opt/vormetric/mseo/agent/bin/mseo_monitor.sh
This utility runs the cgconfig list command on the host and searches
for the string "No MSEO tape devices configured." If this string is
encountered, an email message is sent to the email recipient specified in the
start_mseo_monitoring.sh command. This utility also adds an entry to
the log file, /var/log/mseo.log, that indicates whether MSEO devices are
configured (Active) or not configured (Inactive). Do not run
this utility manually.
The email format is shown in the example below:
Received: (from root@localhost) by srv41001.mslab.com
(8.12.10+Sun/8.12.2/Submit) id k93I31bB000090 for
bob@vormetric.com; Tue, 3 Oct 2006 11:03:01 -0700 (PDT)
Date: Tue, 3 Oct 2006 11:03:01 -0700 (PDT)
From: Super-User <root@srv41001.mslab.com>
Message-Id: <200610031803.k93I31bB000090@srv41001.mslab.com>
To: bob@vormetric.com
Subject: Media Server Encryption Option Inactive
Note a condition has been detected that no tape is using the
Netbackup Media Server Encryption Option (MSEO). This can occur
if you have recently used Netbackup Device Wizard or a scan has
happened for some other reason.
Please use the "cgconfig device" utility to ensure that your
tape devices are appropriately converted as before.
If you believe you are receiving these emails in error, please
use the stop_mseo_notification.sh utility to stop this
monitoring.
--k93I31iM000093.1159898581/srv41001.mslab.com
The log entries appear as shown in the examples below:
Oct 03 11:05:00 MSEO status check. Media Server Encryption Option is NOT
Active.
Oct 03 11:10:00 MSEO status check. Media Server Encryption Option is Active.
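As an added example (not part of the guide and not the mseo_monitor.sh shipped with MSEO), the check that the cron job performs, written in Python with the output of cgconfig list supplied as text so it runs offline. Only the marker string, the mseo.log line format and the mail subject come from the page; the layout of the constructed cgconfig list outputs, the function names and the exact crontab line are assumptions made here.

```python
from datetime import datetime

# String that mseo_monitor.sh searches for in the output of `cgconfig list` (from the page).
NO_DEVICES_MARKER = "No MSEO tape devices configured"

# Constructed `cgconfig list` outputs. Only the marker line is documented on the
# page; the surrounding layout is an assumption for this example.
CGCONFIG_ACTIVE = ("MSEO tape devices:\n"
                   "  /dev/rmt/0cbn -> /devices/.../st@3,0:cbn (converted)\n")
CGCONFIG_INACTIVE = "No MSEO tape devices configured.\n"

# Crontab entry equivalent to the default that start_mseo_monitoring.sh installs
# (hourly, on the hour); the exact line it writes is not shown on the page.
CRON_ENTRY = "0 * * * * /opt/vormetric/mseo/agent/bin/mseo_monitor.sh"


def mseo_agent_status(cgconfig_output: str) -> str:
    """Classify a cgconfig listing as 'Active' (devices converted) or 'Inactive'."""
    return "Inactive" if NO_DEVICES_MARKER in cgconfig_output else "Active"


def status_log_line(status: str, when: datetime) -> str:
    """Format the entry that the monitor appends to /var/log/mseo.log."""
    state = "Active" if status == "Active" else "NOT Active"
    return (f"{when:%b %d %H:%M:%S} MSEO status check. "
            f"Media Server Encryption Option is {state}.")


def build_notification(recipient: str) -> dict:
    """Subject and body of the alert mail, following the example on the page."""
    return {
        "to": recipient,
        "subject": "Media Server Encryption Option Inactive",
        "body": (
            "A condition has been detected that no tape device is using the\n"
            "NetBackup Media Server Encryption Option (MSEO). This can occur\n"
            "if the NetBackup Device Wizard or a device scan has run recently.\n"
            "Use the \"cgconfig device\" utility to re-convert the tape devices."
        ),
    }


def check_once(cgconfig_output: str, when: datetime, recipient: str, log_lines: list):
    """One cron-driven check: append the status line, return a mail to send or None.

    The agent reverts to the stock driver silently, so the log line is written
    on every run (Active or not) to leave an audit trail of the device state.
    """
    status = mseo_agent_status(cgconfig_output)
    log_lines.append(status_log_line(status, when))
    return build_notification(recipient) if status == "Inactive" else None


if __name__ == "__main__":
    log = []
    for output in (CGCONFIG_INACTIVE, CGCONFIG_ACTIVE):
        mail = check_once(output, datetime.now(), "bob@vormetric.com", log)
        print(log[-1], "-> mail:", mail["subject"] if mail else "none")
```

In the real utility the listing comes from running cgconfig list and the mail goes through the local MTA; here both are replaced by plain values so the decision logic can be checked on its own.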
To start the cron job:
To start a cron job that checks every hour on the hour for non-MSEO devices and
sends email to a user named bob at vormetric.com when there are no
MSEO devices configured:
# /opt/vormetric/mseo/agent/bin/start_mseo_monitoring.sh
Enter email address for MSEO monitoring:
bob@vormetric.com
A cron job has been successfully added to execute on the
hour (eg. 1:00pm, 2:00pm, etc.).
To modify the timing, please use "crontab -e" edit the
setting for mseo_monitor.sh
#
To stop the cron job:
To remove the cron job from the crontab:
# /opt/vormetric/mseo/agent/bin/stop_mseo_monitoring.sh
The mseo_monitor.sh cron job has been successfully removed.
#
Manually renewing SSL certificates
If you have SSL configured, new SSL credentials must be generated:
If you change the network identity of an agent or server
If you remove then re-install agent or server software
If certificates expire
The agent installation utility will issue a warning during the certificate
exchange phase of software installation if agent certificates already exist in the
Security Server ./mseo/server/pem directory. For example:
...
Installation of <MSEO-Agent> was successful.
Auto access initialized.
...............................................................
.....................................++++++
................++++++
LOG[AUDIT]MSEO.Agent: Request denied.
SSL configuration failed (exit code 22 from get_cert.)
#
Exit code 22 indicates Request denied. SSL error codes are described in SSL
error codes on page 155.
The Security Server has rejected the agent request to generate new certificates.
This feature protects the Security Server from issuing certificates to fraudulent
entities. You must remove the existing agent credentials from the Security
Server and regenerate the agent certificate on the agent system.
If the certificate expires, there will be no connection permitted between agent
and server. You must remove all credentials from the server and all configured
agents, and regenerate all new credentials.
This section describes how to address most certificate generation issues.
You can renew SSL certificates for one or more agents. If the signing certificate
credentials on the Security Server become invalid (e.g., the IP address of the
Security Server is changed), new certificates must be generated for the server
and all connected agents.
Note: SSL authentication requires certificates, and each certificate contains a
CN value. The SSL CN value specifies the network ID of the agent or server. The
CN value must match the DNS name or IP address of the agent or server for
which the SSL certificate is generated. This means that once configured, you
must always refer to the agent or server using the same configured IP address or
DNS name. If you configure the agent or server with an IP address, you cannot
reference the agent or server with the corresponding DNS name. If you
configure the agent or server with DNS name, you cannot reference the agent or
server with the corresponding IP address. Also, if you change the DNS name or
IP address of an agent or server, you must regenerate and re-exchange
certificates.
To configure new certificates for one or more agent systems after
re-installing agent software:
The process described below is sufficient to renew the certificates for a small
number of agent systems. The following process leaves the server certificates
intact, so the server and other agents are unaffected.
1 Log onto the Security Server system.
2 Change to the Security Server pem directory, ./mseo/server/pem.
3 Remove the existing agent credentials from the server by removing the
previously accepted agent request and corresponding agent certificate.
If, for example, there is a configured host named agent01, and you want to
renew credentials for it, remove client-agent01-req.pem and
client-agent01-cert.pem.
Remove the -req.pem and -cert.pem files for each agent whose
certificates you want to renew.
4 Log onto the agent system.
5 Execute the ./mseo/agent/bin/get_cert utility on the agent system.
The get_cert utility does not require any arguments. It extracts the server
network information from the ./mseo/agent/etc/mseo_agent.conf
file on UNIX systems or the .\MSEO\agent\config\mseo_agent.conf
file on Windows.
The certificate request will be accepted by the Security Server from the
agent system because there is no existing request for that agent on the
Security Server. The agent certificate will be generated because there is no
existing certificate for that agent on the Security Server.
The get_cert utility displays the server signer certificate upon
completion and then prompts you to indicate whether or not you trust the
CA certificate that is being presented to the agent.
6 Inspect the certificate information that is displayed.
Basically, you are checking to verify that you are not receiving a spoofed
signer certificate. Check the date. If you had just generated the server
certificates, the Not Before field in the file will show yesterday's date.
(The MSEO certificate generation utility configures the start date of the
signer certificate with the time and date the certificate is generated, minus
24 hours, to permit immediate agent-server communication, even when the
agent and server system clocks are off a little bit.) Check the Organization
(O), Organizational Unit (OU), and Common Name (CN) values. The
Organization is always set to CoreGuard. The Organizational Unit is
always set to Signer on hostName, where hostName is the name of the
system that is running the Security Server. The Common Name is the IP
address or DNS name that was used to create the server certificates.
7 Enter yes to accept the signer certificate.
A message is displayed to indicate successful agent certificate
configuration.
LOG[AUDIT]MSEO.Agent: SSL has been successfully configured.
8 Repeat step 4 through step 7 for each agent to be renewed.
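The inspection in step 6 amounts to a fixed set of comparisons. The following added Python example (not from the guide and not from get_cert) applies them to the fields an operator reads off the displayed signer certificate, and also enforces the Note above: the CN must equal the configured IP address or DNS name in exactly that form, with no name resolution. The comma-separated subject string and the function names are assumptions; the expected Organization, the "Signer on hostName" Organizational Unit and the 24-hour back-dating of Not Before come from the page.

```python
from datetime import datetime, timedelta
import ipaddress

EXPECTED_ORGANIZATION = "CoreGuard"   # O value every MSEO signer certificate carries


def parse_subject(subject: str) -> dict:
    """Split 'O=..., OU=..., CN=...' into a dict.

    The comma-separated layout is an assumption; the exact display format of
    get_cert is not given on the page.
    """
    fields = {}
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        if key:
            fields[key.strip()] = value.strip()
    return fields


def identity_form(identity: str) -> str:
    """'ip' if the configured server identity is an address, otherwise 'dns'."""
    try:
        ipaddress.ip_address(identity)
        return "ip"
    except ValueError:
        return "dns"


def check_signer_certificate(subject: str, not_before: datetime, server_host: str,
                             configured_identity: str, generated_at: datetime,
                             clock_tolerance: timedelta = timedelta(hours=1)) -> list:
    """Return the reasons to refuse the presented signer certificate.

    An empty list means every field matches what a certificate freshly
    generated by this Security Server should show.
    """
    problems = []
    fields = parse_subject(subject)

    if fields.get("O") != EXPECTED_ORGANIZATION:
        problems.append(f"O is {fields.get('O')!r}, expected {EXPECTED_ORGANIZATION!r}")

    expected_ou = f"Signer on {server_host}"
    if fields.get("OU") != expected_ou:
        problems.append(f"OU is {fields.get('OU')!r}, expected {expected_ou!r}")

    # The CN must be the identity used when the server certificates were made,
    # in the same form (IP address or DNS name); nothing is resolved here.
    if fields.get("CN") != configured_identity:
        problems.append(
            f"CN is {fields.get('CN')!r}, expected the configured "
            f"{identity_form(configured_identity)} identity {configured_identity!r}")

    # The generator backdates Not Before by 24 hours so slightly skewed clocks
    # still work; a value far from that was not generated when you think it was.
    expected_not_before = generated_at - timedelta(hours=24)
    if abs(not_before - expected_not_before) > clock_tolerance:
        problems.append(
            f"Not Before {not_before:%Y-%m-%d %H:%M} is not about 24 hours "
            f"before generation time {generated_at:%Y-%m-%d %H:%M}")
    return problems


if __name__ == "__main__":
    # Constructed values: a server named sun-v440 whose certificates were made
    # with its IP address, inspected right after generation.
    made = datetime(2006, 6, 5, 10, 0)
    shown = "O=CoreGuard, OU=Signer on sun-v440, CN=10.2.212.100"
    print(check_signer_certificate(shown, made - timedelta(hours=24),
                                   "sun-v440", "10.2.212.100", made))
```

Answer yes at the get_cert prompt only when the returned list is empty; any entry is a reason to stop and look at who generated the certificate you were shown.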
To renew the certificates for a server and all its agents:
The process described below renews the certificates of a Security Server and all
the agents the Security Server manages. Use the cgadmin commands described
below to remove certificates. Do not simply delete the contents of the
./mseo/server/pem directory using a command like rm * because server
information is configured in other files, like ./mseo/server/etc/access,
and the cgadmin commands correctly remove this information from the other
files.
1 Log onto the Security Server system.
If you are going to renew the certificates for both the primary signing (CA)
server and the secondary non-signing servers, log onto the CA server and
perform these steps there first in order to renew its certificates. Then perform
these same steps on the secondary servers to get the renewed signer
and server certificates from the primary server.
2 Stop the Security Server process.
On UNIX, enter ./mseo/server/bin/cginit stop.
On Windows, open the Services administration window, locate the service
MSEO Security Server, and change its status to Stop.
3 Remove all the credentials from the server.
On UNIX, enter cgadmin remove credentials.
On Windows, enter cgadmin remove credentials.
4 Remove other server requests and certificates.
rm ./pem/server-*
5 Remove agent requests and certificates.
rm ./pem/client-*
6 If this is a secondary server, that is, a non-CA server, execute the
./mseo/server/bin/get_cert utility to obtain the server and signer
certificates from the CA server.
The get_cert utility does not require any arguments. It extracts the server
network information from the
./mseo/server/etc/mseo_security_server.conf file on UNIX
systems or the
.\MSEO\server\config\mseo_security_server.conf file on
Windows.
7 Start the Security Server process.
On UNIX, enter ./mseo/server/bin/cginit start.
On Windows, open the Services administration window, locate the service
MSEO Security Server, and change its status to Started.
Signer and server certificates are automatically generated when the server
process is started. The certificates will contain the same Owner,
Organizational Unit, Common Name, etc. as the original certificates.
8 Be sure that the primary server and all the secondary servers have been
renewed as described in the preceding steps before you continue.
9 Log onto an agent system.
10 Stop the agent process.
On UNIX, enter ./mseo/agent/bin/sbinit stop.
On Windows, open the Services administration window, locate the service
MSEO Agent, and change its status to Stop.
11 Remove the signer and agent credentials
On UNIX, enter sbadmin remove credentials.
On Windows, enter sbadmin remove credentials.
12 Execute the ./mseo/agent/bin/get_cert or
.\MSEO\agent\bin\get_cert utility to submit a certificate request, and
to obtain agent and signer certificates.
13 Restart the agent process.
On UNIX, enter ./mseo/agent/bin/sbinit start.
On Windows, open the Services administration window, locate the service
MSEO Agent, and change its status to Started.
14 Repeat step 9 through step 13 for each agent to be renewed.
SSL error codes
Errors can occur during the generation, use, and exchange of SSL credentials. If
an SSL function fails, check the error code, or exit status, to determine its
cause.
The following exit codes are returned by the Security Server.
21 - Invalid request
22 - Request denied
23 - Certificate generation failed
24 - Missing signing key
The following exit codes are returned by the get_cert utility. They can be the
result of running get_cert on the MSEO Agent or Security Server.
31 - SSL is already configured
32 - SSL is not requested
33 - Invalid configuration
34 - Invalid pass phrase
35 - Client/Server domain name or IP has not been configured
36 - Signer location is not configured
37 - Request generation failed
38 - Invalid request
39 - Missing client/server key
40 - Missing signer certificate
41 - Signer certificate already exists
42 - Incomplete credentials already present
43 - Signer certificate cannot be displayed
44 - Signer certificate has not been trusted
45 - Setting trust for signer certificate failed
46 - Certificate verification failed
47 - Failed to read signer certificate
48 - Failed to read server/agent certificate
49 - Failed to verify signer certificate signature
50 - Failed to verify server/agent certificate signature
51 - Failed to verify signer certificate issuer
52 - Failed to verify server/agent certificate issuer
53 - Signer certificate expired or not yet valid
54 - Server/agent certificate expired or not yet valid
55 - Failed to verify server/agent key
Adding SSL authentication
SSL authentication ensures that the data that is sent across the network
between servers and agents is encrypted and unusable to everyone but the
intended recipient. SSL is highly recommended in order to protect data while it
is in transit. The typical reasons why SSL is not configured are:
You are running MSEO 6.0
SSL authentication was declined during MSEO 6.1 installation
6.1 MSEO supports SSL authentication between servers and agents. 6.0 MSEO
does not. SSL authentication is a two-way transaction. Both the server and agent
must be configured with SSL in order for one to speak to the other. If one is not
configured with SSL, the other will deny the connection.
If you want to upgrade to MSEO 6.1 software without SSL authentication
because the other servers and agents are not configured for SSL, simply enter
no when prompted to enable SSL authentication during software installation.
The 6.1 server or agent that you install will be able to communicate with the 6.0
servers and agents in the backup environment. Note also that, if later you
change your mind, you cannot simply re-execute the installation utility to
enable SSL because the installation utility notes the existing installation,
determines that you are installing the same software version, and it reinstalls
the software without user input. That is, you are not prompted to enable SSL. In
this case, you need to back up the MSEO files, keys, policies, etc., delete the
current MSEO installation, and then install the software as you would a new
installation.
If you want to upgrade the servers and agents in your backup environment to
MSEO 6.1 and apply SSL authentication, the goal is to upgrade in a manner that
is the least disruptive to the backup environment.
The optimum approach uses a primary server and a secondary server that are
not SSL-enabled. Also, all the agents they service are not SSL-enabled. The
mseo_agent.conf file on every agent is configured to access the primary
server and then the secondary server.
The primary server is then SSL-enabled by installing the primary server 6.1
MSEO software and entering yes when prompted to configure SSL
authentication. The non-SSL-enabled agents will be unable to connect to the
primary server (1). With the connection to the primary server refused, the
agents will establish connections to the secondary server (2) and continue to
operate without SSL authentication.
Figure 6-40 Migrating to SSL-enabled MSEO 6.1
After the software is installed and the primary server is configured for SSL
authentication, install the 6.1 MSEO agent software on the agents in the backup
environment. Be sure to enter yes to configure SSL authentication. The next
backup or restore request by an SSL-enabled agent will be sent to the first server
in the mseo_agent.conf file. With both the primary server and agent now
configured for SSL, a connection between the two will be permitted, and the
agent will be serviced by the primary server (3). This approach ensures that
there is no disruption of service as agents are upgraded to 6.1. The SSL-enabled
agents will communicate with the primary server and the non-SSL-enabled
agents will communicate with the secondary server.
Note: To ensure that there is no disruption of service, both the primary and
secondary servers must remain accessible on the network until all the agents
have migrated to SSL-enabled MSEO. If a server drops off the network during
the migration process, either the SSL-enabled agents will not have an
SSL-enabled server to link with or the non-SSL-enabled agents will not have a
non-SSL-enabled server to link with.
Upgrade the secondary server to MSEO 6.1 after you upgrade all the agents in
the backup environment to MSEO 6.1.
If after installing or upgrading MSEO 6.1 software the agent and server fail to
communicate, it can be because of a mismatched network security environment.
[Figure 6-40 labels: Primary SS (6.1), Secondary SS (6.0), Agent (6.0), mseo_agent.conf; connections 1, 2, 3]
Verify the servers to which the agent connects. You can view and modify the
server connections for the agent in the MSEO Agent Console. This is
described in Configuring server connections for the agent on page 117.
Check the server mseo.log file for messages that include the string Access
denied. For example:
Mar 28 14:57:20 srv33001 MSEO: [ID 831163 local0.notice] The
write request from localhost has been declined because of
(Access denied).
A message like this indicates that the agent and server can communicate
but the server has denied a connection with that agent. This message is not
generated when there is no network connection between the agent and
server.
Check the agent mseo.log file for critical errors having to do with
MSEO.Agent. For example:
Mar 28 14:57:21 srv33001 MSEO: [ID 511516 local0.crit]
MSEO.Agent: Missing file:
'/opt/vormetric/mseo/agent/pem/client.pem'.
A message like this indicates that the agent is not configured for SSL
authentication. This can result from not enabling SSL authentication during
software installation or from someone having modified the contents of the
Privacy Enhanced Mail (pem) directory. The example is the result of an MSEO
6.0 agent trying to access an MSEO 6.1 server.
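To search an mseo.log file the way the troubleshooting advice in this chapter describes (critical entries first, then the SSL accept failures in the UNIX logging excerpt, and the server-side "Access denied" decline and agent-side missing client.pem message from the list just above), here is an added Python example; it is not part of the guide or of the MSEO software. The sample log lines are constructed in the format of the chapter's excerpts with illustrative hosts, addresses and message IDs, and the syslog priority names (info, notice, crit) are the ones that actually appear in those excerpts. The function and label names are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the syslog format shown in this chapter; the addresses,
# hostnames and message IDs are illustrative, not taken from a real system.
SAMPLE_LOG = """\
Jun  4 16:39:23 sun-v440 MSEO: [ID 270322 local0.info] MSEO.Server: Security server has been started at url: localhost:8084.
Jun  5 10:30:51 sun-v440 MSEO: [ID 428564 local0.notice] MSEO.Server: Key group sanJoseKeyGroup has been added successfully.
Jun  5 10:59:02 sun-v440 MSEO: [ID 489375 local0.info] MSEO.Server: The server failed to accept SSL connection from 10.2.60.25.
Jun  5 10:59:02 sun-v440 last message repeated 1 time
Jun  5 10:59:43 sun-v440 MSEO: [ID 292363 local0.info] MSEO.Server: The security server just accepted a connection from 10.2.60.25.
Jun  5 11:04:28 sun-v440 last message repeated 18 times
Mar 28 14:57:20 srv33001 MSEO: [ID 831163 local0.notice] The write request from localhost has been declined because of (Access denied).
Mar 28 14:57:21 srv33001 MSEO: [ID 511516 local0.crit] MSEO.Agent: Missing file: '/opt/vormetric/mseo/agent/pem/client.pem'.
"""

TIMESTAMP = r"(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
LINE_RE = re.compile(TIMESTAMP + r"MSEO: \[ID (?P<msgid>\d+) local0\.(?P<prio>\w+)\] (?P<msg>.*)$")
REPEAT_RE = re.compile(TIMESTAMP + r"last message repeated (?P<n>\d+) times?$")

# Message patterns worth reading first, each with the condition it points at.
RULES = [
    (re.compile(r"failed to accept SSL connection"), "ssl-accept-failed"),
    (re.compile(r"\(Access denied\)"), "server-denied-agent"),
    (re.compile(r"MSEO\.Agent: Missing file: '[^']*\.pem'"), "agent-missing-pem"),
]


@dataclass
class Event:
    timestamp: str
    host: str
    priority: str     # the syslog priority after "local0.": info, notice, crit, ...
    message: str
    count: int = 1    # grows when syslog prints "last message repeated N times"


def parse_mseo_log(text):
    """Turn mseo.log text into Event objects, folding syslog's repeat lines back in."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            events.append(Event(m["ts"], m["host"], m["prio"], m["msg"]))
            continue
        r = REPEAT_RE.match(line)
        if r and events:
            # syslog suppressed duplicates of the previous line; restore the count
            events[-1].count += int(r["n"])
    return events


def triage(events):
    """Count messages per priority and list the events an operator should read first."""
    by_priority = Counter()
    findings = []
    for ev in events:
        by_priority[ev.priority] += ev.count
        if ev.priority == "crit":
            findings.append(("critical", ev.count, ev.message))
        for pattern, label in RULES:
            if pattern.search(ev.message):
                findings.append((label, ev.count, ev.message))
    return {"by_priority": dict(by_priority), "findings": findings}


if __name__ == "__main__":
    report = triage(parse_mseo_log(SAMPLE_LOG))
    print("messages per priority:", report["by_priority"])
    for label, count, message in report["findings"]:
        print(f"[{label}] x{count}: {message}")
```

Folding the "last message repeated N times" lines back into the preceding event matters for the SSL accept failures: the count tells you whether an agent tried once and recovered, as in the excerpt, or is being refused on every attempt.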
Chapter 7
Troubleshooting
Managing tape blocks
A portion of the space allocated for each NetBackup block written to the tape
header is required for NetBackup Media Server Encryption Option (MSEO)
metadata. The amount of space required varies based upon the number of MSEO
keys in the keygroup used to make the backup. By default, NetBackup is
configured on Windows systems for 64K tape blocks. On average, MSEO
metadata requires about 3K of that 64K; the larger the MSEO keygroup, the
more space it requires. You may have to change the amount of buffer space
allocated for NetBackup metadata to include the metadata space requirements
of MSEO.
Some drives allow oversize write pass-through but you get an error during read.
Some drives will return an error at the beginning of a write. This can be the
result of an incorrect buffer size for the header blocks written to tape. If you
experience a read or write failure, check the log entries for messages regarding
buffer allocation. You may have to adjust the NetBackup tape buffer allocation
downward so there is sufficient space in each block to include the MSEO
metadata.
Buffer size is typically not an issue with newer tape devices. Frequently, the
problem arises by setting SIZE_DATA_BUFFERS to the same size as the
maximum tape-block size. Tack on the additional space needed for MSEO
metadata, and tape write will fail.
On UNIX systems
Check the log in /var/adm/messages for messages like the following:
Jun 14 13:57:47 shazam vmtape: [ID 926618 kern.notice] d_write
Error:buffer size 263168 exceeds maximum block size 262144
The error message shows the configured maximum NetBackup block-size and
the buffer size. Find the difference between the two and subtract it from the
SIZE_DATA_BUFFERS value. The initial adjustment for the example above will
be 1024. You may want to subtract even more if you anticipate considerable
MSEO keygroup growth; however, decreasing the buffer size also decreases
performance, so you may want to iteratively decrease the buffer size in small
increments.
MSEO errors are written to /var/adm/messages and to NetBackup log files in
./netbackup/logs/bptm directory.
An example NetBackup log entry is shown below:
10:36:09.656 [26573] <2> write_data: writing short block, 32768 bytes, remainder 0
10:36:09.656 [26573] <2> write_data: waited for full buffer 0 times, delayed 0 times
10:36:09.657 [26573] <2> write_backup: write_data() returned, exit_status = 0, CINDEX = 0, TWIN_INDEX = 0, backup_status = 0
10:36:09.657 [26573] <2> io_terminate_tape: writing empty backup header, drive index 0, copy 1
10:36:09.657 [26573] <2> io_ioctl: command (0)MTWEOF 1 from (bptm.c.8083) on drive index 0
10:36:12.420 [26573] <2> io_write_back_header: drive index 0, empty_file, file num = 2, mpx_headers = 0, copy 1
10:36:12.421 [26573] <2> io_close: closing /usr/openv/netbackup/db/media/tpreq/drive_QUANTUM.SUPERDLT1.000, from bptm.c.8222
To set the tape buffers on UNIX media servers:
1 Determine the overflow amount by subtracting the maximum_block_size
from the buffer_size.
buffer_size - maximum_block_size = overflow amount
For example, if the NetBackup buffer size is 263168 bytes and the
maximum block size is 262144 bytes, the difference is 1024 bytes.
2 Edit the NetBackup file used to set buffer size.
The file is /opt/openv/netbackup/db/config/SIZE_DATA_BUFFERS.
Create this file if it does not exist.
3 Subtract, at a minimum, the overflow amount from the
SIZE_DATA_BUFFERS value. For example, if the calculated overflow
amount is 1024 and the buffer value is 262144, set the new buffer value to
261120.
You can reduce it further, but this decreases performance. In other words,
the further you move away from an optimal buffer size, the more severe the
performance degradation.
4 Save and exit the file.
5 Run the NetBackup job again.
If it succeeds, the quantity in SIZE_DATA_BUFFERS is OK; otherwise, reduce the buffer size by the new overflow amount. You may need to try a few times before setting the optimum size that allows the NetBackup operation to complete successfully while minimizing the impact on performance.
On Windows systems
On Windows systems, errors are written to the Event Log. Look for NetBackup and MSEO entries. If the buffer is incorrectly set, you will see errors like "Socket write failed - restore incomplete" and "The data block size exceeds the maximum block size" in the Event Log.
To set the tape buffers on Windows media servers:
1 Edit the NetBackup file used to set buffer size.
The file is C:\Program Files\Veritas\NetBackup\db\conf\SIZE_DATA_BUFFERS. Create this file if it does not exist.
2 Change the existing value to 61000.
The default is 65535. If the keygroup is large and it contains large key files,
the size requirement can be considerably more. If this is the case, lower the
value further.
3 Save and exit the file.
Some systems allow you to set the data buffer allocation size to 262144 (256K).
A problem can occur when the NetBackup SIZE_DATA_BUFFERS parameter is
set to 262144 and tape blocking is also set to 256K. An error will occur when
writing a backup because there is no additional space left for MSEO metadata.
An excerpt of a NetBackup error log is shown below:
6/5/2007 10:55:15 AM - started process bpbrm (5472)
6/5/2007 10:55:15 AM - connecting
6/5/2007 10:55:15 AM - connected; connect time: 00:00:00
6/5/2007 10:55:18 AM - mounting JFP001
6/5/2007 10:55:20 AM - mounted; mount time: 00:00:02
6/5/2007 10:55:23 AM - positioning JFP001 to file 11
6/5/2007 10:56:03 AM - Error bptm(pid=6216) cannot write image to media id JFP001, drive index 0, The operation completed successfully.
6/5/2007 10:56:04 AM - Error bpbrm(pid=5472) from agent test: ERR - bpbkar exiting because backup is aborting
6/5/2007 10:56:03 AM - begin writing
6/5/2007 10:56:03 AM - positioned JFP001; position time: 00:00:40
6/5/2007 10:56:07 AM - end writing; write time: 00:00:04
media write error(84)
A similar error can occur when restoring the backup. An excerpt of the NetBackup error log is shown below:
6/5/2007 10:20:10 AM - begin Restore
...
6/5/2007 10:20:14 AM - restoring image win44103_1157130904
...
6/5/2007 10:21:12 AM - begin reading
6/5/2007 10:21:13 AM - Error bptm(pid=2476) cannot read image from media id 000RB2, drive index 0, err = 234
6/5/2007 10:21:23 AM - Error bpbrm(pid=4084) from agent win44103: UTF - /C/apps/
6/5/2007 10:21:23 AM - Error bpbrm(pid=4084) from agent win44103: UTF - /C/apps/20060203-007-x86.exe
...
6/5/2007 10:21:23 AM - Error bpbrm(pid=4084) from agent win44103: ERR - more than 10 files not restored, logging will only continue in the progress log
6/5/2007 10:21:31 AM - restored image win44103_1157130904 - (media read error(85)); restore time 00:01:17
...
6/5/2007 10:21:31 AM - end Restore; elapsed time: 00:01:21
the restore failed to recover the requested files(5)
The Windows Event Viewer reports that the data block size is greater than the
maximum allowed tape block size:
Error: The data block size exceeds the maximum block size.
Reduce the value of SIZE_DATA_BUFFERS to 257000 and try again. There
should now be sufficient free space for MSEO data to perform backups and
restores.
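The buffer arithmetic from the UNIX and Windows procedures above, as an added Python example that is not part of this guide: it parses the driver message for the two sizes, computes the overflow and the adjusted SIZE_DATA_BUFFERS, and reports how much room a given SIZE_DATA_BUFFERS leaves for MSEO metadata within one tape block. The sample log lines are constructed, and the headroom calculation is an assumption drawn from the 256K failure case described above.

```python
import re

# Constructed sample lines modelled on the /var/adm/messages entry quoted in
# this section; the first line is unrelated filler that must be ignored.
SAMPLE_MESSAGES = [
    "Jun 14 13:57:40 shazam vmtape: [ID 111111 kern.notice] unrelated notice",
    "Jun 14 13:57:47 shazam vmtape: [ID 926618 kern.notice] d_write "
    "Error:buffer size 263168 exceeds maximum block size 262144",
]

# Driver message format from the guide: "buffer size N exceeds maximum block size M".
_BLOCK_SIZE_RE = re.compile(
    r"buffer size (?P<buffer>\d+) exceeds maximum block size (?P<maxblock>\d+)"
)


def parse_block_size_errors(lines):
    """Return a (buffer_size, max_block_size) pair for every block-size error
    found in an iterable of syslog lines; unrelated lines are skipped."""
    found = []
    for line in lines:
        m = _BLOCK_SIZE_RE.search(line)
        if m:
            found.append((int(m.group("buffer")), int(m.group("maxblock"))))
    return found


def recommended_size_data_buffers(current_value, lines):
    """Apply steps 1 and 3 of the UNIX procedure: overflow is the buffer size
    minus the maximum block size, and the new SIZE_DATA_BUFFERS value is the
    current value minus the (largest) overflow seen in the log.
    Returns (new_value, overflow); overflow is 0 when nothing needs changing."""
    overflows = [buf - maxblk for buf, maxblk in parse_block_size_errors(lines)]
    overflow = max(overflows) if overflows else 0
    if overflow <= 0:
        return current_value, 0
    return current_value - overflow, overflow


def mseo_headroom(size_data_buffers, tape_block_size):
    """Assumed model of the 256K failure case: bytes left in a tape block for
    MSEO metadata after the data buffer. Zero or negative means a backup or
    restore will fail with a block-size error."""
    return tape_block_size - size_data_buffers


if __name__ == "__main__":
    new_value, overflow = recommended_size_data_buffers(262144, SAMPLE_MESSAGES)
    print("overflow %d bytes -> set SIZE_DATA_BUFFERS to %d" % (overflow, new_value))
    print("headroom with 262144/256K tape blocking: %d" % mseo_headroom(262144, 262144))
    print("headroom with 257000/256K tape blocking: %d" % mseo_headroom(257000, 262144))
```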
Adjusting agent-to-server timeout
Attempts by MSEO Agents to access the MSEO Security Server can time out on slow or heavily used networks. Should an error occur, the first step is to check the log. Check the agent error log, /var/log/mseo.log on UNIX systems or the Event Viewer on Windows agents. Look for errors containing the string "Timeout".
The following is an error log excerpt that shows a timeout problem:
Dec 13 16:22:17 srv41001 MSEO: [ID 852158 local0.info] The agent will sleep a second and retry.
Dec 13 16:22:18 srv41001 MSEO: [ID 844935 local0.info] A request has been sent to winbogus.mslab.com:8084.
Dec 13 16:22:18 srv41001 MSEO: [ID 777884 local0.crit] The server winbogus.mslab.com:8084 did not response to the request.
Dec 13 16:22:18 srv41001 MSEO: [ID 852158 local0.info] The agent will sleep a second and retry.
Dec 13 16:22:19 srv41001 MSEO: [ID 844935 local0.info] A request has been sent to winbogus.mslab.com:8084.
Dec 13 16:22:19 srv41001 MSEO: [ID 777884 local0.crit] The server winbogus.mslab.com:8084 did not response to the request.
Dec 13 16:22:19 srv41001 MSEO: [ID 802096 local0.crit] Timeout while the Agent(proxy) waits for security server to reply.
The excerpt indicates that:
The agent tried at least twice to contact the server.
Both times the server failed to respond.
The last log entry indicates that the agent cannot connect to the server
within the allotted time and the backup or restore request failed.
Should you get timeout errors, you can increase the timeout interval and the
number of times to attempt a connection. To increase the interval and number
of attempts:
1 Open the agent configuration file in a text editor.
On UNIX, the default location is
/opt/vormetric/mseo/agent/etc/mseo_agent_requests.conf
On Windows, the default location is
C:\Program Files\Vormetric\MSEO\agent\config\mseo_agent_requests.conf
2 Increase the values of the parameters in this file.
The two parameters in this file are request_timeout and
request_retries. By default, they are each set to 5. Start by increasing
the first parameter to 20 and the second to 10. For example,
request_timeout 20
request_retries 10
3 Save and exit this file.
4 Stop and restart the agent.
This refreshes the agent process so it uses the new parameter values.
On UNIX, execute ./mseo/agent/bin/sbinit restart
On Windows, execute .\MSEO\agent\bin\sbinit restart
5 Flush the local DNS cache on both the agent and server.
This optional step is recommended to optimize domain name resolution and
speed-up host location.
On UNIX, the command and method for flushing DNS cache is platform
dependent. Usually, you restart the nscd daemon.
On Windows, execute ipconfig /flushdns.
Appendix A
Using command line configuration
Note: The CLI is being deprecated in favor of the graphical management
interfaces, MSEO Server Console and MSEO Agent Console. Many of the
procedures described in this appendix, such as editing policy files directly and
creating passphrases, are no longer recommended. You should use the
interfaces instead. The interfaces are easier to use and are less prone to
syntactical and typographical errors. The interfaces are described in
Configuring MSEO Security Servers on page 75 and Configuring MSEO
Drivers and Server Connections on page 107.
This appendix describes the commands to enter in a terminal or command
window to configure and run NetBackup Media Server Encryption Option
(MSEO). The commands are:
cgadmin
cgconfig
cgconfdevice
cgconnectserver
cginit
sbadmin
sbinit
sbnbucd
sbnbusd
Note: Names may contain up to 127 characters. Use standard alphanumeric
characters to name objects like policies, keys, certificates, etc. In addition to a-z,
A-Z, and 0-9, you can include hyphens (-) and underscores (_). Do not use any
other characters unless specifically directed to by the documentation or online
help.
Command line interface reference
cgadmin
The cgadmin command creates and manages the following MSEO components:
Web certificates
hosts
policies
keys
key groups
The options to the cgadmin command add, remove, modify, and display MSEO
database components. By default, the MSEO database directory is
./mseo/server/db, and the cgadmin command is located in
./mseo/server/bin.
Syntax
cgadmin add objType args
cgadmin delete objType args
cgadmin edit objType args
cgadmin export objType args
cgadmin generate objType args
cgadmin help [ add | del | show | version ]
cgadmin import objType args
cgadmin remove
cgadmin show [ objType [ args ] ]
cgadmin version
cgadmin view
cgadmin add
The cgadmin add command creates the following MSEO objects:
hosts
policies
keys
key groups
Syntax
cgadmin add objType args
objType is host, key, keygroup, or policy. The objType specified
determines the args that can be used.
cgadmin add host args
cgadmin add key args
cgadmin add keygroup args
cgadmin add policy args
Object Type Arguments
host host hostName [ policy polName ]
Registers an agent system with the MSEO Security Server and applies
zero, one, or more policies to the media server. host is a literal that you
enter exactly as shown. hostName is either an IP address or DNS name of
the media server to be managed by MSEO. Only IP addresses and
fully-qualified domain names are allowed when configuring hosts with
MSEO commands like cgadmin add host. If you enter just the
hostname, such as win40130, configuration will complete but NetBackup
will fail. Appropriate examples are win40130.qa.com and
10.3.40.130.
policy is a literal that is entered exactly as shown. polName is the name
of a policy. The policy does not have to exist at this time. You can also add
a host now without specifying a policy and then add the policies for that
host at a later time.
The following example adds a host to the host database with a policy
named bkupPolicy001:
# cgadmin add host mediaSvr002 policy bkupPolicy001
This command creates a file named
./mseo/server/db/host/host_ip.xml. The host_ip.xml file
specifies the policies to apply to the MSEO Agent host. The host_ip of
the local host is always 127.0.0.1.
key key keyName [keysize:512|1024|2048|4096]
[enc:no] [cn:cn_name]
Generates an encrypted RSA key-pair. The keys are encrypted with the
AES256-CBC algorithm. The SHA1 hash is stored in the private key.
key is a literal that you enter exactly as shown. keyName is the name to
assign the key-pair. The integers in square brackets are optional
encryption bit-sizes. The default is 1024. Only one key-pair can be
created at a time.
For example, cgadmin add key key001 keysize:2048 creates an encrypted RSA 2048-bit public/private key-pair named key001. If you include the enc:no argument, the keys are generated in clear text. Note that increasing the key size improves security, but it also reduces system performance and throughput because it consumes more CPU resources.
keygroup keygroup grpName [ key key* ]
Defines a group of public keys to use to encrypt or decrypt the FEK in the
tape header. keygroup is a literal that you enter exactly as shown.
grpName is the name to assign the key group. key is one or more keys to
include as members of the key group. You can specify one or more keys
now or at a later time. The keys do not have to exist at this time.
The recommended maximum number of keys in a keygroup is 50. This is
because the keygroup is stored in the MSEO metadata and increases
header size.
For example:
# cgadmin add keygroup keyGrp001 default key001
policy policy polName [rule [ Effect effect ] [ Action action ] [ Compress comp ] [ KeyGroup key ] [ KeyType keyType ]] [ rule ... ]
Creates a policy to control a media server. policy is a literal that you enter exactly as shown. polName is the name of the policy to apply to the media server. The policy does not have to exist at this time. rule is a literal that is entered exactly as shown. rule indicates that one or more parameters follow. Begin each rule set with the keyword rule. The rule parameters are Effect, Action, Compress, KeyGroup, and KeyType. These parameters and their values are described in Parts of a policy on page 121. Note that compound values, such as deny audit for Effect, must be enclosed within double quotes ("").
You can enter multiple rule sets. rule ... indicates an additional rule set that uses the same syntax as the first rule set. The first rule set is evaluated first, the second rule set is evaluated second, etc. When a matching rule set is encountered, that rule set is used. See also Evaluating attributes on page 131.
An example of generating a policy is shown below.
Example
To add a new key named RSAkey1024:
# cgadmin add key RSAkey1024 keysize:1024
........................++++++
..........++++++
# cgadmin show key
Keys:
default
A22A175CC179D0FD05CED9934DD0F335312AA1B8
RSA
1024 bit
ENCRYPTED
nKey1024
618858996F9047FCB802A306C99480670C04B0FA
RSA
1024 bit
ENCRYPTED
nKey2048
58ED8A58808453FE9872FD645D35ABDD4315CB88
RSA
2048 bit
ENCRYPTED
#
To add a new key group that contains both the default and RSAkey1024 keys:
# cgadmin add keygroup bkupKeyGrp002 default RSAkey1024
# cgadmin show keygroup
Key Groups:
default
default
bkupKeyGrp002
default
RSAkey1024
#
To add a policy comprised of two security rules and show the resulting policy:
# cgadmin add policy bkupPolicy001 rule Effect permit Action "read write" Compress lzrw3 KeyGroup default KeyType aes128 rule Effect permit Action write Compress txt85.eng KeyGroup group1 KeyType aes256
LOG[AUDIT]Policy bkupPolicy001 has been added successfully.
# cgadmin show policy bkupPolicy001
Policies:
bkupPolicy001
rules
rule 1
Effect=permit
Action=read write
Compress=lzrw3
KeyGroup=default
KeyType=aes128
rule 2
Effect=permit
Action=write
Compress=txt85.eng
KeyGroup=group1
KeyType=aes256
#
To add a more complex policy that evaluates attributes to determine the
action to take:
The following example adds a policy named test. The test policy permits tape
writing with encryption based upon two NetBackup parameters, the policy name
and the Vault copy number.
# ./cgadmin add policy test rule Effect permit Action write KeyGroup default KeyType aes128 match MatchValue 1 Name netbackup.copy MatchOp greaterthan match MatchValue vault* Name netbackup.policy MatchOp regexnocase
#
# ./cgadmin show policy test
Policies:
test
rules
rule 1
Effect=permit
Action=write
KeyGroup=default
KeyType=aes128
match
MatchValue=1
Name=netbackup.copy
MatchOp=greaterthan
match
MatchValue=vault*
Name=netbackup.policy
MatchOp=regexnocase
The resulting test.xml file is shown below for you to compare command-line
syntax against the actual file structure:
# cat test.xml
<?xml version="1.0"?>
<SebPolicy>
<SebRules>
<SebRule Effect="permit" Action="write" KeyGroup="default"
KeyType="aes128">
<AttributeMatch Name="netbackup.copy"
MatchOp="greaterthan">1
</AttributeMatch>
<AttributeMatch Name="netbackup.policy"
MatchOp="regexnocase">vault*
</AttributeMatch>
</SebRule>
</SebRules>
</SebPolicy>
#
For additional examples, see Sample MSEO administration flow on page 191.
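The rule-evaluation order described above (rule sets tried in sequence, first matching rule set used), worked through in Python as an added example that is not MSEO's own code. It parses the test.xml structure shown above and a second, constructed two-rule policy; the semantics of greaterthan, regexnocase and !empty are assumed from this appendix's examples, and equals is a hypothetical extra operator.

```python
import re
import xml.etree.ElementTree as ET

# The test.xml policy from the cgadmin add example above (one rule, two matches).
TEST_POLICY_XML = """<?xml version="1.0"?>
<SebPolicy>
<SebRules>
<SebRule Effect="permit" Action="write" KeyGroup="default" KeyType="aes128">
<AttributeMatch Name="netbackup.copy" MatchOp="greaterthan">1
</AttributeMatch>
<AttributeMatch Name="netbackup.policy" MatchOp="regexnocase">vault*
</AttributeMatch>
</SebRule>
</SebRules>
</SebPolicy>
"""

# Constructed two-rule policy (hypothetical, modelled on vmHost01_policy) used
# to show that rule 1 is tried first and rule 2 only applies when rule 1 fails.
TWO_RULE_XML = """<?xml version="1.0"?>
<SebPolicy>
<SebRules>
<SebRule Effect="permit" Action="read" KeyGroup="bcKeyGroup1024" KeyType="aes128">
<AttributeMatch Name="netbackup.pool" MatchOp="!empty"></AttributeMatch>
</SebRule>
<SebRule Effect="permit" Action="write" KeyGroup="bcKeyGroup1024" KeyType="aes256">
</SebRule>
</SebRules>
</SebPolicy>
"""


def attribute_matches(match_op, expected, actual):
    """Evaluate one AttributeMatch against the value the agent supplied.
    Operator semantics are assumed from the examples in this appendix."""
    if match_op == "!empty":
        return actual is not None and actual != ""
    if actual is None:          # attribute not supplied: nothing else can match
        return False
    if match_op == "greaterthan":
        try:
            return int(actual) > int(expected)
        except ValueError:      # non-numeric value never satisfies a numeric test
            return False
    if match_op == "regexnocase":
        return re.search(expected, actual, re.IGNORECASE) is not None
    if match_op == "equals":    # hypothetical operator, not from the guide
        return actual == expected
    raise ValueError("unsupported MatchOp: %r" % match_op)


def evaluate_policy(policy_xml, attributes):
    """Walk the SebRule elements in document order and return the attributes
    (Effect, Action, KeyGroup, KeyType, ...) of the first rule whose
    AttributeMatch conditions all hold; None when no rule set matches."""
    root = ET.fromstring(policy_xml)
    for rule in root.iter("SebRule"):
        conditions = rule.findall("AttributeMatch")
        if all(
            attribute_matches(
                cond.get("MatchOp"),
                (cond.text or "").strip(),
                attributes.get(cond.get("Name")),
            )
            for cond in conditions
        ):
            return dict(rule.attrib)
    return None


if __name__ == "__main__":
    # Copy 2 of a policy named Vault_Offsite satisfies both matches of rule 1.
    print(evaluate_policy(TEST_POLICY_XML,
                          {"netbackup.copy": "2", "netbackup.policy": "Vault_Offsite"}))
    # The primary copy (copy 1) fails the greaterthan test, so no rule applies.
    print(evaluate_policy(TEST_POLICY_XML,
                          {"netbackup.copy": "1", "netbackup.policy": "Vault_Offsite"}))
```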
cgadmin delete
The cgadmin delete command removes the following MSEO objects:
hosts
policies
keys
key groups
Syntax
cgadmin delete objType objName
objType is host, key, keygroup, or policy. The objName is the name of
the object.
Only one object can be deleted at a time.
Example
To delete a key named key003:
cgadmin delete key key003
cgadmin edit
The cgadmin edit command is used to manage and modify the following
MSEO objects:
hosts
policies
keys
key groups
Syntax
cgadmin edit objType func args
objType is host, key, keygroup, or policy. The objType specified
determines the args that can be used.
func is add, delete, or replace, and sometimes followed by the order
number in which the object appears.
Object type Arguments
host host hostName del
host hostName add polName
host hostName replace polName
This command removes a host from the MSEO database, adds a policy to
the host, and replaces the current policy with a different policy.
The polName is the name of a policy. The policy does not have to exist at
this time. You can add only one policy if one is not already assigned. If one
is currently assigned, use the replace command to replace it with a
different policy.
For example:
# cgadmin show host mediaSvr001
Hosts:
mediaSvr001
policy
policy001
# cgadmin edit host mediaSvr001 replace policy003
# cgadmin show host mediaSvr001
Hosts:
mediaSvr001
policy
policy003
#
key key keyName newKeyName
This command renames a key pair. If newKeyName already exists, it is
overwritten by keyName and keyName is removed, effectively executing a
move function. You are not prompted to verify the overwrite.
For example:
# cgadmin show key
Keys:
key004
9BC34155B75DFEBDC16137FDFED59E90709D63F9
# cgadmin edit key key004 key003
# cgadmin show key
Keys:
key003
9BC34155B75DFEBDC16137FDFED59E90709D63F9
#
keygroup keygroup grpName add seq# key
keygroup grpName del seq#
keygroup grpName replace seq# replKey
This command adds, deletes, and replaces the keys in a keygroup.
grpName is the name of a key group in the MSEO database. key is the
name of a key in the key group. seq# is the sequence number in which the
key appears when listed or the sequence position in which to place the
key. replKey is the name of the key to replace the key in the sequential
position indicated by seq#. In other words, if you want to replace the
third key-pair in a key group, the seq# number should be 3.
For example:
# cgadmin edit keygroup keyGrp001 key001 key002
# cgadmin edit keygroup keyGrp002 add 2 key002
# cgadmin show keygroup keyGrp002
Key Groups:
keyGrp002
key001
key002
key003
#
policy policy polName add seq# args
policy polName del seq#
policy polName replace seq# args
seq# is the sequence number of a security rule in the policy or the
sequential position in which to insert a new security rule. Security rule
definitions begin with a SebRule tag.
When you add or replace a security rule, include all the attributes for the
complete rule definition. That is, if you want to delete or replace the
second security rule in a policy enter 2 as the value of seq#. If you want to
add an attribute to the second security rule in a policy enter 2 as the value
of seq#.
cgadmin edit policy with the replace argument replaces all the
policy attributes with those specified on the command line. Without the
replace argument, only a single attribute is changed.
args is a combination of one or more of the following:
Effect effect, Compress compress, Key key, and/or KeyType
keyType. The values for these attributes are described in Parts of a
policy on page 121. These attributes are specified in the same manner
described in cgadmin add on page 166. Attribute matches are added by editing the policy XML file directly. Attribute matching is described in Parts of a policy on page 121.
Example
The following examples create a single-rule policy, vmHost01_policy, display
that policy, and then add an additional rule to the same policy. The first
sequence of commands is for UNIX. Note that the exclamation point is escaped
by a leading backslash (\). On some UNIX systems you need to escape the
exclamation point on a command line or it will be evaluated and an error
message returned. The second sequence of commands is for Windows. Note the
syntactical differences. Command-line text is entered on one line but is
word-wrapped in the document due to format constraints.
UNIX:
# cgadmin add policy vmHost01_policy rule Effect "permit audit netbackup" Action "read" Compress lzrw3 KeyGroup bcKeyGroup1024 KeyType '|netbackup.keyword.KeyType|' match Name netbackup.copy MatchOp '\!empty' match Name netbackup.pool MatchOp '\!empty'
LOG[AUDIT]Policy vmHost01_policy has been added successfully.
# cgadmin show policy vmHost01_policy
Policies:
vmHost01_policy
rules
rule 1
Effect=permit audit netbackup
Action=read
Compress=lzrw3
KeyGroup=bcKeyGroup1024
KeyType=|netbackup.keyword.KeyType|
match
Name=netbackup.copy
MatchOp=!empty
match
Name=netbackup.pool
MatchOp=!empty
# cgadmin edit policy vmHost01_policy add 2 Effect "permit audit netbackup" Action "write" Compress lzrw3 KeyGroup bcKeyGroup1024 KeyType aes128 match Name netbackup.copy MatchOp '1'
Policy 'vmHost01_policy' successfully modified.
# cgadmin show policy vmHost01_policy
Policies:
vmHost01_policy
rules
rule 1
Effect=permit audit netbackup
Action=read
Compress=lzrw3
KeyGroup=bcKeyGroup1024
KeyType=|netbackup.keyword.KeyType|
match
Name=netbackup.copy
MatchOp=!empty
match
Name=netbackup.pool
MatchOp=!empty
rule 2
Effect=permit audit netbackup
Action=write
Compress=lzrw3
KeyGroup=bcKeyGroup1024
KeyType=aes128
match
Name=netbackup.copy
MatchOp=1
#
Windows:
C:\Program Files\Vormetric\MSEO\server\bin\cgadmin add policy vmHost01_policy rule Effect "permit audit netbackup" Action "read" Compress lzrw3 KeyGroup bcKeyGroup1024 KeyType "|netbackup.keyword.KeyType|" match Name netbackup.copy MatchOp !empty match Name netbackup.pool MatchOp !empty
LOG[AUDIT]Policy vmHost01_policy has been added successfully.
C:\Program Files\Vormetric\MSEO\server\bin\cgadmin show policy vmHost01_policy
Policies:
vmHost01_policy
rules
rule 1
Effect=permit audit netbackup
Action=read
Compress=lzrw3
KeyGroup=bcKeyGroup1024
KeyType=|netbackup.keyword.KeyType|
match
Name=netbackup.copy
MatchOp=!empty
match
Name=netbackup.pool
MatchOp=!empty
C:\Program Files\Vormetric\MSEO\server\bin\cgadmin edit policy vmHost01_policy add 2 Effect "permit audit netbackup" Action "write" Compress lzrw3 KeyGroup bcKeyGroup1024 KeyType aes128 match Name netbackup.copy MatchOp 1
Policy 'vmHost01_policy' successfully modified.
C:\Program Files\Vormetric\MSEO\server\bin\cgadmin show policy vmHost01_policy
Policies:
vmHost01_policy
rules
rule 1
Effect=permit audit netbackup
Action=read
Compress=lzrw3
KeyGroup=bcKeyGroup1024
KeyType=|netbackup.keyword.KeyType|
match
Name=netbackup.copy
MatchOp=!empty
match
Name=netbackup.pool
MatchOp=!empty
rule 2
Effect=permit audit netbackup
Action=write
Compress=lzrw3
KeyGroup=bcKeyGroup1024
KeyType=aes128
match
Name=netbackup.copy
MatchOp=1
C:\Program Files\Vormetric\MSEO\server\
Additional examples of the cgadmin edit command are presented in Sample MSEO administration flow on page 191.
cgadmin export
The cgadmin export command is the first step in the exchange of public and
private RSA encryption keys between MSEO Security Servers. The exported keys
are the MSEO database keys used to encrypt and decrypt backup tape headers.
These are not the keys used to encrypt the data placed on tape. Those are AES
keys, and no copy of an AES key exists other than on the tape itself. And these
are not the SSL keys used to control agent/server authentication.
Only the files in ./mseo/server/db/keys can be exported. The files are
exported to ./mseo/server/export. The export directory is automatically
emptied at the beginning of every export session. After you export the keys,
manually copy the files to the ./mseo/server/import directory on the Security Server that you want to receive the keys. Once the keys are in the ./mseo/server/import directory of the target Security Server, import the keys on that Security Server with the cgadmin import keys command. See cgadmin import on page 183 for details.
Do not use any other procedure to exchange keys between Security Servers.
Syntax
cgadmin export keys [objName]
objName is the name of one or more keys. If objName is not specified, all
the keys on the Security Server are exported.
Example
To export a key:
1 Display the keys on the current Security Server.
# cgadmin show key
2 Specify the keys you want to port to another Security Server.
# cgadmin export keys key003
Enter the name of a key (e.g., key003), enter multiple key names, or do not
enter any key names to export all the keys on the Security Server.
You will be prompted to specify a password. This password is used to
securely transport keys from one Security Server to another.
Enter export/import password:
3 Enter the password twice, as prompted.
Re-enter export/import password:
Key export is successfully completed.
The password can be from 8 to 50 characters in length. You will need this
password to import the keys later.
4 View the key in the export directory.
# ls export/
E796E471A792F4C8D0960DDC49CF257CC9A50342.name
E796E471A792F4C8D0960DDC49CF257CC9A50342.pem
E796E471A792F4C8D0960DDC49CF257CC9A50342.pub
access
key003.id
All parts of key, including the access file, are copied to the
./mseo/server/export directory.
5 Copy the entire contents of the ./mseo/server/export directory to some
transportation medium, such as a floppy, or directly to the
./mseo/server/import directory of the receiving Security Server.
6 See cgadmin import on page 183.
cgadmin generate
The cgadmin generate command creates X.509 Web certificates for the
Security Server. The sbadmin generate command is the MSEO Agent host
equivalent. MSEO Agent hosts are identified by their names and authenticated
by X.509 certificates. The fully qualified domain name of a host is used as the
Distinguished Name (DN) in the certificate. Each MSEO Agent-host/media
server must be registered with a Security Server to perform backup operations
via a MSEO tape driver. Each registered host references a policy which is used to
describe how backup operations should be carried out on the host. For
information about generating X.509 Web certificates on MSEO Agent hosts, see
sbadmin generate on page 208.
Syntax
cgadmin generate certificate server|client|signer certname [req:reqname] [signer:signame] [keysize:512|1024|2048|4096] [enc:no] [cn:cn-name]
cgadmin generate file ask|random
cgadmin generate key name [keysize:512|1024|2048|4096] [enc:no]
cgadmin generate request server|client|signer name [keysize:<512|1024|2048|4096>] [enc:no] [cn:cn-name]
Object Arguments
certificate If this certificate is to be submitted to an agent in response to a
request, you must create the agent request with cgadmin generate
request first.
certificate is a keyword to be entered exactly as shown.
The type of certificate to be generated can be server, client, or
signer.
certname is the name to assign the generated certificate. The
resulting certificate file name is automatically appended with
-cert.pem, as in signer-cert.pem.
Note: Some certificates must be specifically named. For example, the
name of the signer certificate must be signer.pem. There must also
be a signer-cert.pem and signer-key.pem. These names must be
entered exactly as shown. Some examples are shown in Enabling SSL
on page 114.
Include enc:no if you do not want to apply AES256-CBC encryption to
the public and private RSA key-pairs that comprise the certificate.
That is, the keys are stored in clear text.
You can optionally specify the SSL common name for the certificate
with the cn:cn-name argument. Set the common name to the server
IP address. Do not set it to localhost. localhost takes a different
connotation when evaluated on the MSEO Agent host and the SSL
connection will fail.
file Used to generate the master passphrase for the Security Server. The
SHA1 hash for the passphrase is stored in ./etc/access. The first
line of the access file contains the SHA1 hash of the master
passphrase. Each consecutive line contains the file name followed by
the encrypted file password. Do NOT remove this file. If you do, all the
backup data becomes irretrievable.
This command takes one of two additional arguments: ask or random.
The ask argument asks you to specify a password. You will be
prompted to supply this password when starting MSEO drivers or
creating keys. The random argument creates and uses a random
password. The randomly-generated password is not displayed nor will
you ever be prompted to specify it.
key Generates the RSA key-pair used to encrypt the MSEO portion of the
tape header. The resulting file is named:
./mseo/server/pem/name-key.pem
request Creates a key file and a request file for a MSEO Agent to submit to the Security Server for a signed certificate. Optionally, you can specify the common name, CN, and key size. The generated files are name-key.pem and name-req.pem.
Examples
The following example creates a master passphrase file and prompts you for the password to use to encrypt the passphrase file. If you use this option, be prepared to specify this password each time you start daemons or create encryption keys:
# cgadmin generate file ask
Enter password:
Re-enter password:
Auto access initialized.
#
The following example creates a master passphrase file with a random password file. You are not prompted for a password when creating encryption keys or starting daemons because the password file is automatically applied towards decrypting the master passphrase:
# cgadmin generate file random
Auto access initialized.
# #
The following example creates a 2048-bit, non-encrypted key for a host named vmHost01, and places the results in ./pem/vmHost01-key.pem:
# cgadmin generate key vmHost01 keysize:2048 enc:no
......................................................
.............+++
..........+++
RSA key 'vmHost01' successfully generated.
# more vmHost01*
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA6TpnNMN2aEMSziDKctztuwIoN3/wPtOYnUOLCq7V/VJ8bYh4
/yhanSbOFZpJNWTVAIzZ4waMx7gnqx/fkXVzlTKjh8oIznEmffx9QmhzUdBAjehG
kCFPYLC+B1CSGaOUSRBY4LaLvL3mXh53S8zTYjKAjhIURkjycXf/ysPHvE38MZOi
...
GRrm3+ffeHBJRZ7q2dIQ6YBrJShUTd8j08FRH1pRCk3EAz1jrNrz5Q9+yJxQgYAn
d0frbwKBgC5QxzrQeLbNFUw2EvAfNjmqSIqUW7TZ1rEgVCR2I5Qg22nGiuR98Bcb
y0zjwBrkJo8UNS96Z9j8HmHNW7/hn0BEniLLnstW0TUjtN5jqz1PYiCxy6V49U9H
zv5vAeIKaOlfzBzffkJ8q4TzOkDxZC79afBn6GSiKKfmaRNaLjyG
-----END RSA PRIVATE KEY-----
#
The following example creates an agent certificate request:
# sbadmin generate request client vmHost01
.........++++++
..........++++++
Enter password:
generate_random_password: len: 20 n: 15
SB Agent request 'vmHost01' successfully generated
#
The generated files are vmHost01-key.pem and vmHost01-req.pem.
See SSL for standalone MSEO configurations on page 115 and SSL for
distributed MSEO configurations on page 117 for more examples of cgadmin
generate.
cgadmin help
cgadmin help without arguments displays terse syntax usage information.
You can display online help in the form:
cgadmin help
cgadmin help cmd
cmd is add, del, show, or edit. Do not include the cmd argument to display all
command options and their usage.
For example:
cgadmin help add
cgadmin help del
cgadmin help edit
cgadmin help
For example, cgadmin help add displays:
# cgadmin help add
cgadmin add <object-type> <object-name> [arguments ...]
<object-type> ::= key|keygroup|policy|host
<object-name> ::= name
cgadmin add key key-name [keysize:<512|1024|2048|4096>] [enc:no]
Generates RSA key pair referenced by the unique key-name.
'keysize' option allows to set key size. Default key size
is 1024. 'enc:no' option allows to store unencrypted key.
cgadmin add keygroup keygroup-name [*(key-name)]
Creates key group object named keygroup-name
which may contain any number of key names.
cgadmin add policy policy-name [*(rule [Effect effect-value]
[Action action-value] [Compress compress-value]
[KeyGroup key-group-name] [KeyType symmetric-key-type]
*([match [Name=name] [MatchOp match-op]
[MatchValue match-value]]))]
Creates policy object named policy-name, which may contain
any number of policy rules.
cgadmin add host host-name [policy policy-name]
Creates host object named host-name, which may contain policy
name.
#
cgadmin import
The cgadmin import command is the second step in the exchange of public
and private RSA encryption keys between MSEO Security Servers. The keys were
previously exported using the cgadmin export keys command. (See
cgadmin export on page 177.)
Only the files in ./mseo/server/import can be imported. The import directory is
automatically emptied at the beginning of every import session.
If a similarly named key already exists on the local Security Server, the imported
key name is appended with -001. The number for the key name is
automatically incremented each time the same key is imported.
Differently named keys with the same hash value are not copied. The key is not
imported and cgadmin returns: Error importing key keyName. Key
import failed. Import continues with the remaining keys if one should fail.
Other than for renaming keys and importing the same keys multiple times, this
event is very rare.
Do not use any other procedure to exchange keys between Security Servers.
After you import keys onto the local Security Server, verify the names of the
imported keys. You may have to modify MSEO key groups to include key-name
changes. (The key group specifies the keys a media server uses to decrypt a
backup.)
After importing keys onto the local Security Server, you may need to change
local policies or manually copy policies from the originating Security Server.
Syntax
cgadmin import keys [objName]
objName is the name of one or more keys. If objName is not specified, all
the keys in ./mseo/server/import are imported.
Example
To import a key:
1 If you have not done so already, copy the exported keys to the
./mseo/server/import directory on the local Security Server.
2 Specify the keys you want to import onto the local Security Server.
# cgadmin import keys key003
Enter the name of a key, such as key003, multiple key names, or no key
name to import all the keys in the import directory.
You are prompted to specify a password.
Enter export/import password:
3 Enter the password that was used initially to export the keys.
Status information is then displayed as the import process completes.
Key 'key003' successfully imported.
Key import is successfully completed.
4 View the key in the Security Server.
# cgadmin show key
Keys:
key003
E796E471A792F4C8D0960DDC49CF257CC9A50342 ENCRYPTED
5 Note the corresponding files in /opt/vormetric/mseo/server.
# ls export/
E796E471A792F4C8D0960DDC49CF257CC9A50342.name
E796E471A792F4C8D0960DDC49CF257CC9A50342.pem
E796E471A792F4C8D0960DDC49CF257CC9A50342.pub
#
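The renaming and rejection rules described above, modelled as an added Python example (not cgadmin's own code). The key names and 40-digit hashes it is fed are constructed; the only behaviour it encodes is what this section states, so the result tells you which key-group entries to check after an import.

```python
"""Model of the key-name collision rules this guide gives for cgadmin import keys.

Added example, not Vormetric/Symantec code. It encodes only the documented
behaviour: a key whose name already exists locally is stored under a -001,
-002, ... suffix; a key whose hash already exists locally under another name is
refused and the import continues; everything else is stored as-is.
"""


def next_free_name(base, local):
    """Return base-001, base-002, ... the first not yet used on the local server."""
    n = 1
    while f"{base}-{n:03d}" in local:
        n += 1
    return f"{base}-{n:03d}"


def import_keys(local, incoming):
    """Apply the rules to `incoming` (name, hash) pairs, in order.

    `local` maps key name -> the 40-hex-digit hash cgadmin show key prints and is
    updated in place as the Security Server database would be. Returns one
    (stored name, hash, message) tuple per incoming key.
    """
    results = []
    for name, key_hash in incoming:
        if name in local:
            # Same name already present: stored under the next free suffix.
            stored = next_free_name(name, local)
        elif key_hash in local.values():
            # Same key material under a different name: refused, import goes on.
            results.append((name, key_hash,
                            f"Error importing key {name}. Key import failed."))
            continue
        else:
            stored = name
        local[stored] = key_hash
        results.append((stored, key_hash, f"Key '{stored}' successfully imported."))
    return results


def renamed_keys(incoming, results):
    """Map original name -> names actually stored, for keys that were renamed.

    Key groups copied from the originating Security Server still use the
    original names; these are the entries to revise with cgadmin edit keygroup.
    """
    mapping = {}
    for (name, _), (stored, _, msg) in zip(incoming, results):
        if msg.startswith("Key '") and stored != name:
            mapping.setdefault(name, []).append(stored)
    return mapping


if __name__ == "__main__":
    # Constructed data: two keys already on the local server, four staged in the
    # import directory (the repeated-letter hashes are placeholders).
    local_db = {"key001": "A" * 40,
                "key003": "E796E471A792F4C8D0960DDC49CF257CC9A50342"}
    staged = [("key003", "E796E471A792F4C8D0960DDC49CF257CC9A50342"),
              ("key003", "E796E471A792F4C8D0960DDC49CF257CC9A50342"),
              ("keyX", "A" * 40), ("key004", "B" * 40)]
    outcome = import_keys(local_db, staged)
    for _, _, message in outcome:
        print(message)
    print("renamed:", renamed_keys(staged, outcome))
```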
cgadmin remove
This command removes all or select portions of the server-side SSL
authentication credentials used to secure server and agent communications.
SSL credentials can comprise a key, certificate request, and certificate. This
command only removes the SSL credentials in ./mseo/server/pem. Use the
sbadmin command to remove agent-side SSL credentials. (See sbadmin on
page 207.)
This command also removes key information from the ./mseo/etc/access
file. (The access file should never be edited directly.)
Back up the installation before deleting any SSL credentials. A backup can be
restored only to the same place on the same system.
Syntax
cgadmin remove certificate name
cgadmin remove credentials name
cgadmin remove key name
cgadmin remove request name
Object Arguments
certificate Certificate credentials comprise the files name-cert.pem and
name.pem.
credentials Credentials are the certificates, keys, and requests for a given name.
Credential files are name-cert.pem, name.pem, name-req.pem, and
name-key.pem located in ./mseo/server/pem.
key These are SSL authentication keys, not RSA encryption keys you
display by executing the cgadmin show key command. Key
credentials is the file name-key.pem.
request Request credentials is the file name-req.pem.
You may notice that after removing certificates, you can still view what appears
to be certificate information. For example:
cgadmin view certificate signer - 2 files are displayed: signer.pem and
signer-cert.pem
cgadmin remove certificate signer - deletes the signer certificate
information
cgadmin view certificate signer - 1 file is displayed: signer.pem
The signer.pem file is left intact, even though it contains a certificate,
because the signer.pem file contains both a certificate and a key, and you
may not want to actually delete the key.
If you want to remove all related information, use cgadmin remove
credentials.
Examples
The file names used in these examples are the result of the SSL configuration
described earlier in this document.
To remove the certificate request for client:
# cgadmin remove request client
Credentials 'client' successfully removed.
#
To remove the signed certificate for client:
# cgadmin remove certificate client
Credentials 'client' successfully removed.
#
cgadmin show
The cgadmin show command without additional arguments displays the entire
database. An argument can narrow the range of displayed contents by
specifying the data type, which is one of the following: key, keygroup, policy,
host. To display a specific object, follow the data type with the name of the
object.
Syntax
cgadmin show [ objType | objType name ]
objType is key, keygroup, policy, or host. Without objType, all MSEO
database objects and their attributes are displayed.
name is the name of a specific object of the specified object type. Without
name, all the objects of the specified object type are displayed.
Examples
The following example shows all the MSEO objects and their attributes:
# cgadmin show
Keys:
default <-- key named "default"
7EE2F0775AE66C4A7F8E444F916450B14FA92DDF
newkey12
A65B6557365E96C3775FE46197F2B10B46ED81E1
newkey13
5DA557973885AC4EA2DFA2B863D7FF3077A9F15D
newkey14
1E339DCAED4A3E1415CFF6949C61FCD3BB9706B6
Key Groups:
default <-- key group name
default <-- key pair in the key group
Policies:
default <-- policy name
rules
SebRule <-- first security rule in policy
Effect=permit
Action=read write
Compress=lzrw3
KeyGroup=default
KeyType=aes128
SebRule <-- second security rule in policy
Effect=deny audit
Action=read write
Hosts:
168.122.0.250 <-- media server IP/DNS
policy
default <-- policy applied to media server
#
Keys lists the names of RSA key pairs and their SHA hash. The default
key is created during installation. All other RSA key pairs are manually
created.
Key Groups lists the names of key groups and the key pairs they contain.
The default key group is created during installation, and it contains the
default key pair.
Policies lists the names of policies and their attributes.
Effect either grants or denies read and/or write permission to the
device. It can be permit or deny, and can also include audit.
Action indicates the type of access method being employed. It can be
read and/or write.
Compress is the compression algorithm to apply to data as it is written
to or read from tape. It can be lzrw3 or none.
KeyGroup is the name of the key group. In this case, the key group
name is default. This attribute is not related to the KeyType
attribute.
KeyType is the AES encryption algorithm used to generate the key pair
to encrypt the data protected by this policy. This attribute is not related
to the Key attribute.
Hosts lists the network IP address or DNS names of the media servers
registered with the local Security Server and the MSEO policies to use in
their administration.
The following example shows just the keys in the data store:
# cgadmin show key
Keys:
key001
2989F9F6890AA933A96855DDBF4FD7869FABBBD9
key002
F2EF5F978E57878AE3C0F11F80D7EAD87A65D838
key003
38B32C529FC0F7B5245E22B58D344EF0443EEFEF
key004
9BC34155B75DFEBDC16137FDFED59E90709D63F9
#
The following example shows a specific key group and its member keys:
# cgadmin show keygroup keyGrp001
Key Groups:
keyGrp001
default
key001
#
cgadmin version
The cgadmin version command displays the date that the cgadmin utility
was compiled. This command takes no arguments.
For example:
# cgadmin version
MSEO Server
Version 6.1.0.8
Built on May 9 2007 at 13:29:03.
#
cgadmin view
This command is used to view details about agent certificate requests and the
certificates used to encrypt and authenticate data sent across the SSL tunnel
between server and agent.
Keys are encrypted and cannot be viewed.
Syntax
cgadmin view certificate certName
cgadmin view request reqName
Wildcard specification of the root name is not allowed. For example,
# cgadmin view certificate \*
Certificate files '*-cert.pem' and '*.pem' are not available
# cgadmin view certificate *
Certificate files 'client-cert.pem-cert.pem' and
'client-cert.pem.pem' are not available
#
Object Arguments
certificate cgadmin view certificate certName
This command searches ./mseo/server/pem for files with the
specified root name that end in -cert.pem and .pem. certName is
the root name of the certificate files. You can view server, signer, and
agent (client) certificates. The examples in this document create
certificates named server.pem and server-cert.pem. Enter just
server as the value of certName, and both server.pem and
server-cert.pem are displayed.
If you are familiar with openssl, similar data can be displayed for a
certificate named signer-cert.pem by executing:
openssl x509 -in signer-cert.pem -noout -text
request cgadmin view request reqName
This command searches ./mseo/server/pem for a file with the
specified root name that ends in -req.pem. reqName is the root name
of the request file. The examples in this document create an agent
request file named client-req.pem. Enter just client as the
value of reqName. The rest of the name, -req.pem, is assumed.
If you are familiar with openssl, similar data can be displayed for a
certificate request named client-req.pem by executing:
openssl req -in client-req.pem -noout -text
To view a certificate request named client-req.pem:
The following example shows an abbreviated form of the output.
# cgadmin view request client
client-req.pem:
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=US, O=CoreGuard, OU=SB Agent on sys-techpub,
CN=10.2.212.100
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:f7:67:91:c5:ed:f4:0c:ae:4a:c3:47:59:4f:d4:
a0:ec:e8:92:a4:5c:c5:1c:e5:5f:16:0d:b2:2f:78:
...
da:cd:bc:da:53:c3:27:d0:ca:69:e0:14:b5:10:92:
61:ec:e3:27:12:44:bb:1e:b3
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, ...
Signature Algorithm: sha1WithRSAEncryption
8f:fd:54:56:15:ce:e6:32:aa:45:ca:48:23:26:82:5f:94:63:
...
3f:b3:9b:8e:07:97:8a:76:71:01:03:8e:28:0b:32:a9:03:7e:
8f:f7
#
To view the signer certificates, signer.pem and signer-cert.pem:
The following example shows an abbreviated form of the output.
# cgadmin view certificate signer
signer.pem:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1379797577 (0x523e0a49)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=CoreGuard, OU=Signer on sys-techpub
Validity
Not Before: Oct 11 19:53:51 2006 GMT
Not After : Oct 11 19:53:51 2010 GMT
Subject: C=US, O=CoreGuard, OU=Signer on sys-techpub
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:ab:d4:55:01:86:11:e0:ae:b8:03:24:72:65:41:
64:02:87:ca:6e:2e:d8:73:d6:22:e0:8c:2e:4f:c4:
...
62:2e:7d:02:43:3d:36:01:47
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
F9:A7:AC:FA:8C:C4:14:1B:A0:09:FF:CB:87:...
X509v3 Authority Key Identifier:
keyid:F9:A7:AC:FA:8C:C4:14:1B:A0:09:FF:...
DirName:/C=US/O=CoreGuard/OU=Signer on ...
serial:52:3E:0A:49
Signature Algorithm: sha1WithRSAEncryption
40:bd:c4:d3:7b:7b:35:af:b5:a2:35:4b:19:9d:88:d9:8a:c0:
b3:97:35:56:4a:61:2a:ce:9c:ee:61:9d:47:b9:92:78:44:23:
...
a8:a9
signer-cert.pem:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1379797577 (0x523e0a49)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=CoreGuard, OU=Signer on sys-techpub,
CN=10.2.212.100
Validity
Not Before: Oct 11 19:53:51 2006 GMT
Not After : Oct 11 19:53:51 2010 GMT
Subject: C=US, O=CoreGuard, OU=Signer on sys-techpub,
CN=10.2.212.100
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:ab:d4:55:01:86:11:e0:ae:b8:03:24:72:65:41:
...
16:58:b8:10:70:7e:85:53:b0:6c:bb:ef:a1:84:42:
62:2e:7d:02:43:3d:36:01:47
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
F9:A7:AC:FA:8C:C4:14:1B:A0:09:FF:CB:87:98:A1:...
X509v3 Authority Key Identifier:
keyid:F9:A7:AC:FA:8C:C4:14:1B:A0:09:FF:CB:87:...
DirName:/C=US/O=CoreGuard/OU=Signer on sys-te...
serial:52:3E:0A:49
Signature Algorithm: sha1WithRSAEncryption
40:bd:c4:d3:7b:7b:35:af:b5:a2:35:4b:19:9d:88:d9:8a:c0:
...
a8:a9
#
Sample MSEO administration flow
MSEO provides the software tools you need to administer key pairs and key
groups.
To create, manage, and delete key groups:
1 Make keys aaa, bbb, ccc, and ddd:
# cgadmin add key aaa 1024
..............................++++++
..............++++++
# cgadmin add key bbb 1024
........++++++
...............................................................
.++++++
# cgadmin add key ccc 1024
.++++++
..................................++++++
# cgadmin add key ddd 1024
........++++++
............++++++
#
2 Add new key group xxx:
# cgadmin add keygroup xxx aaa bbb ccc ddd
# cgadmin show keygroup xxx
Key Groups:
xxx
aaa
bbb
ccc
ddd
#
3 Add a new key pair, zzz, to key group xxx and place the key pair first in the
key group.
A key pair does not have to exist to add it to a keygroup. This lets you
configure the key pair now and create the key pair at a later time.
# cgadmin edit keygroup xxx add 1 zzz
# cgadmin show keygroup xxx
Key Groups:
xxx
zzz
aaa
bbb
ccc
ddd
#
4 Delete the second key pair from key group xxx:
# cgadmin edit keygroup xxx del 2
# cgadmin show keygroup xxx
Key Groups:
xxx
zzz
bbb
ccc
ddd
#
5 Replace the third key pair in key group xxx with the new key pair qqq.
# cgadmin edit keygroup xxx replace 3 qqq
# cgadmin show keygroup xxx
Key Groups:
xxx
zzz
bbb
qqq
ddd
#
6 Delete the entire key group xxx:
# cgadmin delete keygroup xxx
# cgadmin show keygroup xxx
Key Groups:
Key group xxx does not exist
#
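The layout of cgadmin show output described under cgadmin show, together with the point made in step 3 above that a key group may name a key pair that does not exist yet, makes a post-change audit worthwhile. The following added Python example (not part of MSEO) parses a constructed sample of cgadmin show output and flags key groups that reference missing keys, policy rules that reference missing key groups, and hosts bound to missing policies; it assumes the console indents each nesting level by two spaces, which the copy in this guide has lost.

```python
"""Audit the MSEO database as printed by cgadmin show.

Added example, not Vormetric/Symantec code. It flags key groups that list a key
pair that has not been created yet (cgadmin edit keygroup allows this, but a
media server cannot decrypt with a key that does not exist), policy rules that
name an unknown key group, and hosts bound to an unknown policy. Assumption:
the console indents each nesting level by two spaces (lost in this guide's copy).
"""
import re

HASH_RE = re.compile(r"^[0-9A-Fa-f]{40}$")

# Constructed sample shaped like the cgadmin show output in this guide.
SAMPLE_SHOW_OUTPUT = """\
Keys:
  default
    7EE2F0775AE66C4A7F8E444F916450B14FA92DDF
  key001
    2989F9F6890AA933A96855DDBF4FD7869FABBBD9
Key Groups:
  default
    default
  xxx
    zzz
    key001
Policies:
  default
    rules
      SebRule
        Effect=permit
        Action=read write
        KeyGroup=default
Hosts:
  168.122.0.250
    policy
      default
  mediasrv02
    policy
      missingpol
"""


class Node:
    def __init__(self, text):
        self.text, self.children = text, []


def parse_tree(output, indent=2):
    """Build a tree from indentation; `indent` spaces per nesting level."""
    root = Node("")
    stack = [(-1, root)]
    for raw in output.splitlines():
        if not raw.strip():
            continue
        depth = (len(raw) - len(raw.lstrip(" "))) // indent
        while stack[-1][0] >= depth:
            stack.pop()
        node = Node(raw.strip())
        stack[-1][1].children.append(node)
        stack.append((depth, node))
    return root


def parse_show(output):
    """Return keys (name->hash), keygroups (name->[keys]), policies (name->[rules]), hosts (host->policy)."""
    db = {"keys": {}, "keygroups": {}, "policies": {}, "hosts": {}}
    for section in parse_tree(output).children:
        title = section.text.rstrip(":")
        if title == "Keys":
            for key in section.children:
                hashes = [c.text for c in key.children if HASH_RE.match(c.text)]
                db["keys"][key.text] = hashes[0] if hashes else None
        elif title == "Key Groups":
            for grp in section.children:
                db["keygroups"][grp.text] = [m.text for m in grp.children]
        elif title == "Policies":
            for pol in section.children:
                db["policies"][pol.text] = [
                    dict(c.text.split("=", 1) for c in rule.children if "=" in c.text)
                    for sub in pol.children if sub.text == "rules"
                    for rule in sub.children]
        elif title == "Hosts":
            for host in section.children:
                bound = [c.children[0].text for c in host.children
                         if c.text == "policy" and c.children]
                db["hosts"][host.text] = bound[0] if bound else None
    return db


def audit(db):
    """List every dangling reference in the parsed database."""
    findings = []
    for grp, members in db["keygroups"].items():
        findings += [f"key group '{grp}' references missing key '{m}'"
                     for m in members if m not in db["keys"]]
    for pol, rules in db["policies"].items():
        findings += [f"policy '{pol}' rule {i} references missing key group '{r['KeyGroup']}'"
                     for i, r in enumerate(rules, 1)
                     if "KeyGroup" in r and r["KeyGroup"] not in db["keygroups"]]
    for host, pol in db["hosts"].items():
        if pol not in db["policies"]:
            findings.append(f"host '{host}' policy {pol!r} is not defined")
    return findings
```

Run audit(parse_show(text)) on the captured output of cgadmin show after every import or key-group edit; an empty list means every key group, rule and host resolves.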
cgconfig
cgconfig configures and monitors the MSEO Agent and backup devices
running on each media server in the enterprise backup solution. It does the
following:
Configures the Security Servers that the MSEO Agent can contact for
policies and keys.
Configures the MSEO pseudo-devices that intercept read/write requests
from NetBackup.
Identifies current Security Servers and their access ports.
Displays the real devices and pseudo-devices used by the NetBackup media
server.
Provides kernel driver and application version numbers.
cgconfig is used to switch the NetBackup backup device from a standard
system device to a MSEO device. When you switch to a MSEO device, a
pseudo-device is created that can intercept read and write requests to the tape
device and pass the request to the Security Server for evaluation. The generated
pseudo-device uses the minor number of the original tape device and the major
number of the MSEO pseudo-device. This approach identifies the type of the
target device, while using the MSEO device driver.
The new MSEO pseudo-device retains the same name as the original NetBackup
device but it is placed in a different directory. For example, on UNIX hosts, if the
NetBackup device is configured in NetBackup as /dev/rmt/2cbn, the
generated MSEO device will be /dev/mseo/2cbn. The NetBackup configuration
is automatically updated to point to the new MSEO device.
The user running cgconfig must have administrative, or root, permissions to
the NetBackup and MSEO installation directories because cgconfig queries
NetBackup for configured tape devices, creates system devices, and changes
parameters in the MSEO database.
Note: Do not use the NetBackup Administration Console to switch between
MSEO devices and regular devices. Use the cgconfig utility to switch from
MSEO devices to regular devices and vice versa.
When switching back to the original device, the NetBackup configuration is
changed to point to the original device name and MSEO protection is no longer
provided for the media server using the original device. The MSEO
pseudo-device is left intact so you can select it in NetBackup when you wish to
resume MSEO protection.
The MSEO Agent running on the media server is configured to access specific
MSEO Security Servers for policies and keys. Run cgconfig to configure the IP
addresses or DNS names, and their listening ports, of the Security Servers to
service the MSEO Agent. This information is placed in
./mseo/agent/etc/mseo_agent.conf on UNIX hosts and
.\MSEO\agent\conf\mseo_agent.conf on Windows hosts. See SSL for
distributed MSEO configurations on page 117, step 8 and step 9, for details
about editing this file.
Note: On Windows, agent configuration data is stored in C:\Program
files\Vormetric\MSEO\agent\config\mseo_agent.conf. This file may
be edited manually. Agent-to-server timeout access parameters are configured
in the mseo_agent_requests.conf file. If you suspect timeout problems,
stop the agent service on the MSEO Agent, open mseo_agent_requests.conf
in a text editor and increase the request_timeout interval to 20. See
Adjusting agent-to-server timeout on page 162 for information about
configuring time-outs. Restart the agent service. Run ipconfig /flushdns
on both the agent and server to refresh their DNS buffers. The agent and server
should now have sufficient time to establish network connections.
cgconfig without any arguments displays help information.
Syntax
cgconfig [list|device|server|help|release|version]
Option Description
device Accesses NetBackup for a list of backup devices and prompts you for
the devices you want to change to Security Server pseudo-devices and
pseudo-devices to revert back to regular system devices.
help Displays terse online help information. The same information is
displayed if you enter cgconfig by itself or with the help argument.
list Lists the devices used by NetBackup. Devices may be either regular
devices or MSEO pseudo-devices. The information includes
pseudo-device parameters, such as whether or not the device is
configured for asynchronous write.
server Lists the currently configured Security Servers for the MSEO Agent
and prompts you to revise existing Security Server information, as well
as to add new Security Servers.
release Displays the MSEO Agent software version. The value changes with
each software release. The release number is needed in order to discuss
software issues with Customer Support.
version Displays the MSEO Agent kernel driver version. This value changes
infrequently.
Note: NetBackup must be inactive before running the device or server
arguments to cgconfig. If you attempt to run cgconfig device while the
device is in use, cgconfig will return a message stating that the device is busy
and it will wait until the device becomes available to make the change. Check the
NetBackup master server to verify inactivity. NetBackup may be active to
execute cgconfig with the help or list arguments.
cgconfig device
The cgconfig device command locates all the tape devices in the NetBackup
master server configuration and prompts you to create a MSEO pseudo-device
for each regular device configured in the NetBackup master server. When you
enter y to create an equivalent MSEO tape device on a UNIX system,
cgconfig creates a similarly named device in the /dev/mseo directory and
displays the name change in the NetBackup Administration Console. The device
name in the NetBackup Administration Console does not change for a Windows
system.
All the local system tape devices are displayed and can be configured by
cgconfig. The cgconfig device command also changes the NetBackup
configuration to point to the new MSEO devices. The media servers that use the
MSEO pseudo-devices can be protected and the data can be encrypted.
When cgconfig device is called and NetBackup is configured with one or
more regular devices, cgconfig device also prompts you to revert configured
MSEO pseudo-devices back to regular devices.
Note: Do not run NetBackup devices when creating equivalent MSEO devices.
Verify that the NetBackup devices are inactive before creating and deleting
MSEO devices.
The cgconfig command is automatically run by the installation wizard during
installation. Execute the command after adding new devices to a MSEO
Agent-enabled media server.
Since the NetBackup Device GUI does not display any noticeable differences
between MSEO and non-MSEO devices, an alternate way to determine if MSEO
drivers are configured is to check the Windows registry and locate the
UpperFilters parameter for your SCSI devices. If they are set to vmtape, the
SCSI devices are configured for Media Server Encryption Option. For example, if
the driver for a SCSI device is
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\Sequential&Ven_IBM&Prod_ULT3580-TD3&Rev_57F7\6&1dca1cc&08&060, the registry
should show:
Figure 8-41 Checking the Windows registry for MSEO configuration
Syntax
cgconfig device
Examples
The following UNIX example shows what cgconfig device returns when all
the NetBackup devices are already configured as MSEO pseudo-devices:
# cgconfig device
OS = Solaris
List of Non MSEO Devices:
No NON-MSEO device(s) on NBU.
List of MSEO Devices:
Number Index PathName
=================================================
(1) 0 /dev/mseo/0cbn
(2) 1 /dev/mseo/2cbn
All NBU device(s) is(are) converted to MSEO
device(s).
#
The following UNIX example shows how to create MSEO pseudo-devices for
NetBackup-configured devices. Enter y when prompted to convert the device.
In the example, NetBackup is configured with two devices: one regular and one
already converted to a MSEO pseudo-device. The example converts the regular
device to a MSEO pseudo-device. The example also uses the default Async
Write and Debug values.
# cgconfig device
OS = Solaris
List of Non MSEO Devices:
Number Index PathName
=================================================
(1) 1 /dev/rmt/2cbn
List of MSEO Devices:
Number Index PathName
=================================================
(1) 0 /dev/mseo/0cbn
Device /dev/rmt/2cbn is not converted to MSEO Device
yet. Convert[y|n]? (Default y) y
Stopping MSEO
MSEO is running. Shutting down in 5 seconds!
... ... ... ... ...
Setting MSEO tape device /dev/mseo/2cbn parameters.
Async Write[on|off](Default=off)=<Enter key>
Debug[on|off](Default=off)=<Enter key>
Starting MSEO
Revert /dev/mseo/0cbn to none MSEO device[y|n]?
(Default y) n
/dev/mseo/0cbn is still a MSEO device!
Revert /dev/mseo/2cbn to none MSEO device[y|n]?
(Default y) n
/dev/mseo/2cbn is still a MSEO device!
List of Non MSEO Devices:
No NON-MSEO device(s) on NBU.
List of MSEO Devices:
Number Index PathName
=================================================
(1) 0 /dev/mseo/0cbn
(2) 1 /dev/mseo/2cbn
#
The following Windows example shows how to create a MSEO pseudo-device for
an existing NetBackup-configured device. Enter y when prompted to convert
the device. The example converts a regular device to a MSEO pseudo-device. The
example also uses the default Async Write and Debug values.
C:\Program Files\Vormetric\MSEO\agent\bin>cgconfig device
Please ensure that there are no active backup processes running
before converting or reverting any devices.
1. IBM ULTRIUM II 3580 TAPE DRIVE
SCSI\SequentialIBM_____ULT3580-TD2_____53Y2
Bus Number 1, Target ID 0, LUN 0
This is NOT a MSEO device.
Convert to MSEO device [y|n]? (Default n): y
Async Write [on | off] (Default = off) =
Debug [on | off] (Default = off) =
The device has been converted.
The machine must be restarted in order for settings to
take effect.
C:\Program Files\Vormetric\MSEO\agent\bin>cgconfig server
Note: The cgconfig device command configures synchronous and
asynchronous data streaming. Synchronous data streaming (Async
Write=off) is slower but can successfully recover from data interruption.
Asynchronous data streaming (Async Write=on) provides faster throughput
but recovers unreliably from data interruption. When asynchronous write is
enabled, and data streaming is interrupted, such as by disconnecting a network
cable, NetBackup will attempt to recover the job when the cable is replaced, and
possibly fail to complete the backup. By default, asynchronous write is disabled
(off). If you enable asynchronous write, create the following NetBackup touch
file to disable NetBackup error recovery.
On UNIX:
/usr/openv/netbackup/db/config/NO_ERROR_RECOVERY
On Windows:
\Program Files\VERITAS\NetBackup\db\config\NO_ERROR_RECOVERY
cgconfig help
The cgconfig help command displays a terse synopsis of cgconfig
command usage.
Syntax
cgconfig help
Examples
To display the online help information for this command on a UNIX system:
# cgconfig help
Usage:
# cgconfig [list|device|server|help]
list -- List current MSEO configurations.
device -- Convert/revert non-MSEO tape device(s)
to/from MSEO tape device(s).
server -- Add, revise and delete server
connection(s).
help -- This message.
#
To display the online help information for this command on a Windows system:
C:\Program Files\Vormetric\MSEO\agent\bin>cgconfig help
usage:
cgconfig [list] [device] [server] [help]
C:\Program Files\Vormetric\MSEO\agent\bin>
cgconfig list
The cgconfig list command lists all the regular and MSEO pseudo-devices
currently used by the NetBackup master server. The listed MSEO tape devices
are linked to Vormetric pseudo-devices in /devices/pseudo.
cgconfig list does not change the existing configuration.
Syntax
cgconfig list
Example
The following UNIX example lists the regular system devices and
pseudo-devices used by the NetBackup master server:
# cgconfig list
OS = Solaris
List of Non MSEO Devices:
Number Index PathName
(1) 1 /dev/rmt/0cbn
List of MSEO Devices:
Number Index PathName
(1) 0 /dev/mseo/2cbn
#
The following Windows example lists the regular system devices and
pseudo-devices configured on the media server:
# cgconfig list
1. IBM ULTRIUM III 3580 Tape Drive
SCSI\SequentialIBM_____ULT3580-TD3_____54K1
Bus Number 0, Target ID 3, LUN 0
This is NOT a MSEO device.
2. Dell PowerVault 110T LTO2 Tape Drive
SCSI\SequentialIBM_____ULTRIUM-TD2_____37RH
Bus Number 0, Target ID 1, LUN 2
This is a MSEO device.
cgconfig server
The cgconfig server command lists the MSEO Security Servers configured
for the local media server, then it prompts you to change or delete each one.
After cycling through the existing Security Servers, cgconfig server
prompts you to add more Security Servers to the MSEO database.
A Security Server is defined in the MSEO database as an IP address or DNS name
and a listening port number. The MSEO Agent checks the database in sequential
order, starting with the first entry. If that Security Server is unresponsive, the
MSEO Agent tries the next. The Security Server has 5 seconds to respond.
Configure multiple Security Servers to provide backup servers to use in the
event one Security Server should fail.
NetBackup, the MSEO tape driver, and the MSEO Agent, must all be inactive to
run this command. Check the NetBackup master server to verify inactivity.
After listing the Security Servers configured for the local media server,
cgconfig server prompts you to keep, change, or delete each configured
Security Server from the database. Deleting only removes the Security Server
from the list of Security Servers the local media server accesses. It does not
affect the actual Security Server installation. Security Server entries are moved
to the end of the list when you change the IP address and/or port number. You
can rearrange the sequence position of Security Servers by editing
./mseo/agent/etc/mseo_agent.conf directly.
Syntax
cgconfig server
Examples
The following UNIX example:
Lists configured Security Servers
Deletes the first Security Server in the list (10.6.60.200)
Changes the IP address and port number of the second Security Server
(10.7.60.200)
Leaves the remaining Security Server configurations intact
Adds a new Security Server (10.2.60.7) to the database
# cgconfig server
List of MSEO server connection(s):
Address Port
=================================================
MSEO server (1) 10.6.60.200 9999
MSEO server (2) 10.7.60.200 2222
MSEO server (3) localhost 8084
MSEO server (4) 196.168.10.10 9990
MSEO server (5) 10.8.60.200 9991
MSEO server (6) vormetric.com 9992
Server Address: 10.6.60.200 9999
[k]eep, [r]evise, [d]elete? (default=k) d
Server Address: 10.7.60.200 2222
[k]eep, [r]evise, [d]elete? (default=k) r
Revised Address=192.168.60.7
Revise Port=7667
Server Address: localhost 8084
[k]eep, [r]evise, [d]elete? (default=k) k
Server Address: 196.168.10.10 9990
[k]eep, [r]evise, [d]elete? (default=k) k
Server Address: 10.8.60.200 9991
[k]eep, [r]evise, [d]elete? (default=k) k
Server Address: vormetric.com 9992
[k]eep, [r]evise, [d]elete? (default=k) k
Add a new server connection[y|n]? y
New address=10.2.60.7
New port=9998
Add a new server connection[y|n]? n
List of MSEO server connection(s):
Address Port
=================================================
MSEO server (1) localhost 8084
MSEO server (2) 196.168.10.10 9990
MSEO server (3) 10.8.60.200 9991
MSEO server (4) vormetric.com 9992
MSEO server (5) 192.168.60.7 7667
MSEO server (6) 10.2.60.7 9998
#
The following Windows example:
- Lists configured Security Servers.
- Leaves the current Security Server configuration intact.
- Adds a new Security Server to the list of Security Servers the MSEO Agent can access. The new Security Server IP address and port number must be specified. Unless you had changed the default port number, specify port number 8084.
C:\Program Files\Vormetric\MSEO\agent\bin>cgconfig server
List of MSEO server connection(s):
----------------------------------
Address Port
=================================================
MSEO server (1) 10.3.43.182 8084
Server Address: 10.3.43.182 8084
[k]eep, [r]evise, [d]elete? (default=k) k
Add a new server connection[y|n]? (default n)y
New address=10.3.44.102
New port=8084
Add a new server connection[y|n]? (default n) n
List of MSEO server connection(s):
----------------------------------
Address Port
=================================================
MSEO server (1) 10.3.43.182 8084
MSEO server (2) 10.3.44.102 8084
C:\Program Files\Vormetric\MSEO\agent\bin>
cgconfig release
Displays the MSEO Agent software version.
Syntax
cgconfig release
Examples
See MSEO Agent integrity checks on page 110 for a more detailed description
and Displaying the agent version and release on page 111 for an example.
cgconfig version
Displays the MSEO Agent kernel driver version.
Syntax
cgconfig version
Examples
See MSEO Agent integrity checks on page 110 for a more detailed description
and Displaying the agent version and release on page 111 for an example.
cgconfdevice
The cgconfdevice command configures device properties, such as
asynchronous write and encryption type on UNIX media servers.
If MSEO pseudo-devices are not already configured, create them using
cgconfig device.
Syntax
cgconfdevice [all|help|list|revise]
Example
The following example displays the MSEO pseudo-devices currently configured for
the local media server. The example assumes you have already created devices using
cgconfig device:
# cgconfdevice list
List of MSEO tape device(s) parameter settings:
-----------------------------------------------
(1) MSEO device /dev/mseo/2cbn:
Async write = off
Debug = off
#
Option   Description
all      Performs all functions provided by this command. In order, this
         consists of displaying all configured pseudo-devices for the local media
         server, followed by prompts to change the parameters of each
         pseudo-device. There must be configured MSEO pseudo-devices to use
         this command.
help     Displays terse online help information. The same information is
         displayed if you enter cgconfdevice by itself or with the help
         argument.
list     Lists currently configured MSEO pseudo-devices and their properties.
         To list currently configured MSEO pseudo-devices and regular devices,
         execute the cgconfig list command.
revise   Lists the currently configured MSEO pseudo-devices and prompts you
         to revise them. Press the <Enter> key to leave a device parameter intact
         and advance to the next parameter. Currently, you can turn
         asynchronous write on or off and select the aes128 or aes256
         encryption method.
The following example shows using cgconfdevice all to change the
properties of an MSEO pseudo-device:
# cgconfdevice all
OS = Solaris
List of Non MSEO Devices:
-------------------------
No NON-MSEO device(s) on NBU.
List of MSEO Devices:
---------------------
Number Index PathName
=================================================
(1) 0 /dev/mseo/0cbn
Revert MSEO tape device(s) to non-MSEO tape
device(s).
---------------------------------------------------
Revert /dev/mseo/0cbn to none MSEO device[y|n]?
(Default n) y
List of Non MSEO Devices:
-------------------------
Number Index PathName
=================================================
(1) 0 /dev/rmt/0cbn
List of MSEO Devices:
---------------------
No MSEO device(s) on NBU.
#
cgconnectserver
The cgconnectserver command configures Security Server locations for the
local UNIX media server. A Security Server is specified as a DNS name or an IP
address, including the listening port number. This command adds Security
Servers to the MSEO database, removes them from it, and modifies already
configured Security Servers.
A Security Server is defined in the MSEO database as an IP address or DNS name
and a listening port number. The MSEO Agent checks the database in sequential
order, starting with the first entry. If that Security Server is unresponsive, the
MSEO Agent tries the next. The Security Server has 5 seconds to respond.
Configure multiple Security Servers to access a secondary server if a Security
Server should fail.
NetBackup, the MSEO tape driver, and the MSEO Agent must all be inactive to
run this command. Check the NetBackup master server to verify inactivity.
This command is called by cgconfig server. See cgconfig server on
page 200 for additional details.
To determine driver activity:
(a) Run modinfo | grep vmtape to extract the module ID.
(b) Run modunload -i module ID.
If the MSEO driver is busy, the unload fails with a driver busy message.
Syntax
cgconnectserver [add|all|help|list|revise]
Option   Description
add      Prompts you for the IP address, or DNS name, and the port number of
         Security Servers the local media server can access. Note: Order is
         important. The first Security Server is accessed first then, if it is not
         available, the second Security Server in the list is accessed, and so on,
         until the MSEO Agent finds a Security Server it can communicate with.
all      Performs all functions provided by this command. In order, this
         consists of listing all configured Security Servers, then cycling through
         each Security Server, prompting you to revise or delete each Security
         Server; this is followed by an opportunity to add additional Security
         Servers to the MSEO database.
help     Displays terse online help information. The same information is
         displayed if you enter cgconnectserver by itself or with the help
         argument.
list     Lists the Security Servers that the local media server is configured to
         access for permission to process read/write requests and to download
         encryption keys. Each Security Server is specified as an addr:port
         pair. addr is an IP address or DNS name. port is the listening port
         number for the corresponding Security Server addr.
revise   Lists the currently configured Security Servers for the MSEO Agent
         and prompts you to revise existing Security Server information. This
         command also allows you to remove Security Servers from the local
         MSEO database. The Security Server itself remains intact. Note: When
         you revise a configured Security Server, it is removed from its current
         position in the MSEO database and moved to the end of the list.
Example
The following example displays the Security Servers currently configured for the
local media server:
# cgconnectserver list
List of MSEO server connection(s):
Address Port
=================================================
MSEO server (1) localhost 8084
MSEO server (2) 196.168.10.10 9990
MSEO server (3) vormetric.com 9992
MSEO server (4) 192.168.60.7 7667
MSEO server (5) 10.2.60.7 9998
#
The following example adds a new Security Server to the MSEO database for the
local media server to access:
# cgconnectserver add
Add a new server connection[y|n]? y
New address=10.3.60.7
New port=9993
Add a new server connection[y|n]? n
List of MSEO server connection(s):
Address Port
=================================================
MSEO server (1) localhost 8084
MSEO server (2) 196.168.10.10 9990
MSEO server (3) vormetric.com 9992
MSEO server (4) 192.168.60.7 7667
MSEO server (5) 10.2.60.7 9998
MSEO server (6) 10.3.60.7 9993
#
The following example changes the port number of a Security Server:
# cgconnectserver revise
Server Address: localhost 8084
[k]eep, [r]evise, [d]elete? (default=k)
Server Address: 196.168.10.10 9990
[k]eep, [r]evise, [d]elete? (default=k)
Server Address: vormetric.com 9992
[k]eep, [r]evise, [d]elete? (default=k)
Server Address: 192.168.60.7 7667
[k]eep, [r]evise, [d]elete? (default=k)
Server Address: 10.2.60.7 9998
[k]eep, [r]evise, [d]elete? (default=k)
Server Address: 10.3.60.7 9993
[k]eep, [r]evise, [d]elete? (default=k) r
Revised Address=10.3.60.7
Revise Port=9994
#
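Both cgconfig server and cgconnectserver maintain the same ordered list in ./mseo/agent/etc/mseo_agent.conf, and the guide notes that the file can be edited directly. The following Python script is an added example, not part of the MSEO product or of this guide. It assumes the file format shown later in this chapter (one address:port entry per line) and mirrors the documented list semantics: delete removes an entry, revise moves the revised entry to the end, add appends, and the agent walks the list top to bottom, giving each Security Server 5 seconds. It lets an operator inspect the resulting order and test reachability before restarting the agent. The hosts and ports in SAMPLE_CONF are constructed.

```python
"""Added example (not MSEO product code): model the Security Server list that
cgconfig server / cgconnectserver keep in mseo_agent.conf and dry-run its
failover order before the agent is restarted."""
import re
import socket

# The guide gives a Security Server 5 seconds to respond; reuse that window.
RESPONSE_TIMEOUT_SECONDS = 5

# Constructed sample of mseo_agent.conf, not a capture from a real media server.
SAMPLE_CONF = """\
localhost:8084
196.168.10.10:9990
vormetric.com:9992
"""

# IPv4 literals or DNS names, as in the guide; IPv6 literals are not expected here.
_HOST_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$")


def parse_conf(text):
    """Return the ordered list of (address, port) tuples; reject malformed lines."""
    servers = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        addr, sep, port_s = line.rpartition(":")
        if not sep or not addr or not port_s.isdigit():
            raise ValueError(f"line {lineno}: expected address:port, got {line!r}")
        port = int(port_s)
        if not 1 <= port <= 65535:
            raise ValueError(f"line {lineno}: port {port} out of range")
        if not _HOST_RE.match(addr):
            raise ValueError(f"line {lineno}: bad address {addr!r}")
        servers.append((addr, port))
    return servers


def format_conf(servers):
    """Render the list back into the one-entry-per-line file format."""
    return "".join(f"{addr}:{port}\n" for addr, port in servers)


def delete(servers, index):
    """cgconfig server [d]elete: drop the entry at index (0-based)."""
    return servers[:index] + servers[index + 1:]


def revise(servers, index, new_addr, new_port):
    """cgconfig server [r]evise: the revised entry leaves its slot and goes to the end."""
    return delete(servers, index) + [(new_addr, new_port)]


def add(servers, addr, port):
    """Adding a server appends it, so it is tried last."""
    return servers + [(addr, port)]


def first_reachable(servers, connect=None, timeout=RESPONSE_TIMEOUT_SECONDS):
    """Walk the list in order and return the first entry that accepts a TCP connection.

    A completed handshake only shows the port is open, not that the Security
    Server will grant the agent's requests, so treat this as a pre-flight check.
    `connect` can be injected (for tests) to avoid touching the network.
    """
    if connect is None:
        def connect(addr, port):
            try:
                with socket.create_connection((addr, port), timeout=timeout):
                    return True
            except OSError:
                return False
    for addr, port in servers:
        if connect(addr, port):
            return (addr, port)
    return None


if __name__ == "__main__":
    # Replay the UNIX cgconfig server session pattern: delete the first entry,
    # revise what is now first (it moves to the end), then append a new server.
    servers = parse_conf(SAMPLE_CONF)
    servers = delete(servers, 0)
    servers = revise(servers, 0, "192.168.60.7", 7667)
    servers = add(servers, "10.2.60.7", 9998)
    print(format_conf(servers), end="")
```

To check a live media server, read the real file, for example first_reachable(parse_conf(open("/opt/vormetric/mseo/agent/etc/mseo_agent.conf").read())), and remember that an open port is not proof that the Security Server will authorize the agent; confirm with a test backup after the agent restart.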
cginit
The cginit utility starts, stops, and restarts the MSEO Security Server.
Syntax
cginit restart|start|stop
A link is created from /etc/init.d/cginit to
./mseo/server/bin/cginit when MSEO is installed on Solaris systems. On
Linux systems, ./mseo/server/bin/cginit is copied to
/etc/init.d/cginit.mseo. cginit.mseo is the same executable and it
takes the same arguments as cginit.
Example
The following example refreshes the Security Server daemon:
# cginit restart
#
Argument   Description
restart    Stops the Security Server process and then immediately restarts it.
start      Starts the Security Server process. This argument starts the Security
           Server daemon, sbnbusd. Use this argument to start the Security
           Server process after having shut it down with cginit stop.
stop       Stops the Security Server process.
sbadmin
The sbadmin command creates X.509 Web certificate requests, public/private
keys, certificates, and password files on the MSEO Agent for SSL authentication.
It is also used to view and remove agent-side keys, requests, and certificates. The
sbadmin command also displays the MSEO Agent software version. sbadmin is
a subset of the cgadmin command. The notable difference is the former is used
on the MSEO Agent and the latter is used on the MSEO Security Server. For
information about removing server-side keys, requests, etc., see cgadmin
remove on page 184.
A host is identified by its name and authenticated by an X.509 certificate. SSL
authentication is optional and you can choose not to configure SSL
authentication.
MSEO Agent hosts are registered with a Security Server using the cgconfig
server or cgconnectserver command.
Syntax
sbadmin generate file
sbadmin generate key name
sbadmin generate request server|client|signer name [keysize:<512|1024|2048|4096>] [enc:no] [cn:cn-name]
sbadmin help
sbadmin remove credentials|keys|request|certificate name
sbadmin version
sbadmin view request|certificate name
sbadmin generate
The sbadmin generate command creates RSA encryption keys, certificate
requests, and the MSEO Agent passphrase.
Syntax
sbadmin generate file
sbadmin generate key name
sbadmin generate request server|client|signer name [keysize:<512|1024|2048|4096>] [enc:no] [cn:cn-name]
Object            Arguments
generate file     Used to generate the master passphrase for the MSEO Agent. The
                  passphrase is randomly generated. The passphrase is not displayed
                  nor will you ever be prompted to specify the passphrase. The SHA1
                  hash for the passphrase is stored in ./mseo/agent/etc/access.
                  The first line of the access file contains the SHA1 hash of the master
                  passphrase. Each consecutive line contains the file name followed by
                  the encrypted file password. Do NOT modify or remove this file. If you
                  do, all the backup data becomes irretrievable.
generate key      Generates the RSA key-pair used to encrypt the MSEO metadata placed
                  in the backup. The resulting file is named:
                  ./mseo/agent/pem/name-key.pem
generate request  Creates a key file and a request file for a MSEO Agent to submit to the
                  Security Server. Optionally, you can specify the common name, CN, and
                  key size. The generated files are name-key.pem and name-req.pem.
Examples
To create a master passphrase file for the MSEO Agent host:
# sbadmin generate file
Auto access initialized.
#
If the master passphrase has already been set, the following message is
displayed:
Auto access already initialized.
To create an agent request file and a key file that will be used by the server to
generate agent credentials:
The example creates two files, vmHost01-req.pem and vmHost01-key.pem,
in the ./mseo/agent/pem directory. Replace vmHost01 with the name you
want to use to identify the credentials for a specific host.
# ./bin/sbadmin generate request client vmHost01
.......++++++
.....++++++
SB Agent request 'vmHost01' successfully generated
#
sbadmin remove
This command removes all or selected portions of the agent-side SSL
authentication credentials used to secure server and agent communications.
SSL credentials can comprise a key, certificate request, and certificate. This
command only removes the SSL credentials in ./mseo/agent/pem. Use the
cgadmin command to remove server-side SSL credentials. (See cgadmin
remove on page 184.)
This command also removes key information from the ./mseo/etc/access
file. (The access file should never be edited directly.)
Back up the installation before deleting any SSL credentials. You can restore a
backup if you restore it to the same place on the same system.
Syntax
sbadmin remove certificate name
sbadmin remove credentials name
sbadmin remove key name
sbadmin remove request name
Object        Arguments
certificate   Certificate credentials comprise the files name-cert.pem and
              name.pem.
credentials   Credentials are the certificates, keys, and requests for a given name.
              Credential files are name-cert.pem, name.pem, name-req.pem, and
              name-key.pem, located in ./mseo/server/pem.
key           These are SSL authentication keys, not RSA encryption keys. The key
              credential is in the name-key.pem file.
request       The request credential is in the name-req.pem file.
Examples
To remove the certificate request for client:
# sbadmin remove request client
Credentials 'client' successfully removed.
#
To remove the signed certificate for client:
# sbadmin remove certificate client
Credentials 'client' successfully removed.
#
sbadmin version
This command displays version information about the current MSEO Agent
installation.
Syntax
sbadmin version
Example
To display the MSEO Agent software version:
# sbadmin version
MSEO Agent
Version: 1.0.0.92
Built on Oct 5 2006 at 12:04:19
#
sbadmin view
This command is used to view details about the agent certificates used to
encrypt and authenticate data sent across the SSL tunnel through which the agent
communicates with the server.
The view argument is used to display SSL authentication information, like
certificates. The show argument is used to display general MSEO configuration
information, such as key groups and policies.
Syntax
sbadmin view certificate certName
sbadmin view request reqName
Wildcard specification of the root name is not allowed. For example,
# sbadmin view certificate \*
Certificate files '*-cert.pem' and '*.pem' are not available
# sbadmin view certificate *
Certificate files 'client-cert.pem-cert.pem' and
'client-cert.pem.pem' are not available
#
Object        Arguments
certificate   sbadmin view certificate certName
              This command searches ./mseo/agent/pem for files with the
              specified root name that end in -cert.pem and .pem. certName is
              the root name of the certificate files. You can view server, signer, and
              agent (client) certificates. If you set the value of certName to server,
              both server.pem and server-cert.pem will be displayed.
              If you are familiar with openssl, similar data can be displayed for a
              certificate named signer-cert.pem by executing:
              openssl x509 -in signer-cert.pem -noout -text
request       sbadmin view request reqName
              This command searches ./mseo/agent/pem for a file with the
              specified root name that ends in -req.pem. reqName is the root name
              of the request file. The examples in this document create an agent
              request file named client-req.pem. If you set the value of reqName
              to client, client-req.pem will be displayed.
              If you are familiar with openssl, similar data can be displayed for a
              certificate request named client-req.pem by executing:
              openssl req -in client-req.pem -noout -text
Examples
To view a certificate request named client-req.pem:
The following example shows an abbreviated form of the output.
# sbadmin view request client
client-req.pem:
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=US, O=CoreGuard, OU=SB Agent on sys-techpub,
CN=10.2.212.100
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:f7:67:91:c5:ed:f4:0c:ae:4a:c3:47:59:4f:d4:
a0:ec:e8:92:a4:5c:c5:1c:e5:5f:16:0d:b2:2f:78:
...
da:cd:bc:da:53:c3:27:d0:ca:69:e0:14:b5:10:92:
61:ec:e3:27:12:44:bb:1e:b3
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, ...
Signature Algorithm: sha1WithRSAEncryption
8f:fd:54:56:15:ce:e6:32:aa:45:ca:48:23:26:82:5f:94:63:
...
3f:b3:9b:8e:07:97:8a:76:71:01:03:8e:28:0b:32:a9:03:7e:
8f:f7
#
To view the signer certificates, signer.pem and signer-cert.pem:
The following example shows an abbreviated form of the output.
# sbadmin view certificate signer
signer.pem:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1379797577 (0x523e0a49)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=CoreGuard, OU=Signer on sys-techpub
Validity
Not Before: Oct 11 19:53:51 2006 GMT
Not After : Oct 11 19:53:51 2010 GMT
Subject: C=US, O=CoreGuard, OU=Signer on sys-techpub
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:ab:d4:55:01:86:11:e0:ae:b8:03:24:72:65:41:
64:02:87:ca:6e:2e:d8:73:d6:22:e0:8c:2e:4f:c4:
...
62:2e:7d:02:43:3d:36:01:47
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
F9:A7:AC:FA:8C:C4:14:1B:A0:09:FF:CB:87:...
X509v3 Authority Key Identifier:
keyid:F9:A7:AC:FA:8C:C4:14:1B:A0:09:FF:...
DirName:/C=US/O=CoreGuard/OU=Signer on ...
serial:52:3E:0A:49
Signature Algorithm: sha1WithRSAEncryption
40:bd:c4:d3:7b:7b:35:af:b5:a2:35:4b:19:9d:88:d9:8a:c0:
b3:97:35:56:4a:61:2a:ce:9c:ee:61:9d:47:b9:92:78:44:23:
...
a8:a9
signer-cert.pem:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1379797577 (0x523e0a49)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=CoreGuard, OU=Signer on sys-techpub,
CN=10.2.212.100
Validity
Not Before: Oct 11 19:53:51 2006 GMT
Not After : Oct 11 19:53:51 2010 GMT
Subject: C=US, O=CoreGuard, OU=Signer on sys-techpub,
CN=10.2.212.100
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:ab:d4:55:01:86:11:e0:ae:b8:03:24:72:65:41:
...
16:58:b8:10:70:7e:85:53:b0:6c:bb:ef:a1:84:42:
62:2e:7d:02:43:3d:36:01:47
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
F9:A7:AC:FA:8C:C4:14:1B:A0:09:FF:CB:87:98:A1:...
X509v3 Authority Key Identifier:
keyid:F9:A7:AC:FA:8C:C4:14:1B:A0:09:FF:CB:87:...
DirName:/C=US/O=CoreGuard/OU=Signer on sys-te...
serial:52:3E:0A:49
Signature Algorithm: sha1WithRSAEncryption
40:bd:c4:d3:7b:7b:35:af:b5:a2:35:4b:19:9d:88:d9:8a:c0:
...
a8:a9
#
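The following Python script is an added example, not code from sbadmin or openssl. It parses the text dump shown above (the same layout that openssl x509 -noout -text prints) and reports the properties an operator of the agent/server SSL tunnel should keep an eye on: expiry, whether the signer certificate is a CA with the Certificate Sign usage, the RSA key size and the signature algorithm. SAMPLE_DUMP is constructed from the abbreviated signer-cert.pem output above, with the wrapped Issuer/Subject lines joined and the key and signature bytes dropped; the thresholds it applies (2048-bit keys, a 30-day expiry warning, MD5 and SHA-1 flagged) are this example's own choices, not MSEO settings. On the sample certificate it reports the 1024-bit key and SHA-1 signature, and shows the certificate as expired for any date after Oct 11 2010.

```python
"""Added example (not sbadmin's or openssl's code): parse the text dump that
`sbadmin view certificate` prints (same layout as `openssl x509 -noout -text`)
and flag expiry, CA flag, key usage, key size and signature algorithm."""
import re
from datetime import datetime, timezone

# Constructed from the abbreviated signer-cert.pem dump in this guide: the wrapped
# Issuer/Subject lines are joined and the modulus/signature bytes are dropped.
SAMPLE_DUMP = """\
signer-cert.pem:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1379797577 (0x523e0a49)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=CoreGuard, OU=Signer on sys-techpub, CN=10.2.212.100
        Validity
            Not Before: Oct 11 19:53:51 2006 GMT
            Not After : Oct 11 19:53:51 2010 GMT
        Subject: C=US, O=CoreGuard, OU=Signer on sys-techpub, CN=10.2.212.100
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
"""

_FIELD_RE = re.compile(r"^\s*(Issuer|Subject|Signature Algorithm|Not Before|Not After)\s*:\s*(.*)$")
_KEY_BITS_RE = re.compile(r"Public Key: \((\d+) bit\)")
# Thresholds below are this example's choices, not MSEO settings.
MIN_RSA_BITS = 2048
EXPIRY_WARN_DAYS = 30
WEAK_SIG_PREFIXES = ("md5", "sha1")


def split_dump(text):
    """Split a multi-certificate dump on its 'name.pem:' marker lines into {name: text}."""
    sections, current, buf = {}, None, []
    for line in text.splitlines():
        if re.match(r"^\S+\.pem:$", line):
            if current is not None:
                sections[current] = "\n".join(buf)
            current, buf = line[:-1], []
        else:
            buf.append(line)
    if current is not None:
        sections[current] = "\n".join(buf)
    return sections


def _parse_gmt(value):
    """openssl prints 'Oct 11 19:53:51 2006 GMT' (day padded with a space below 10)."""
    cleaned = " ".join(value.replace("GMT", "").split())
    return datetime.strptime(cleaned, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def summarize(block, now):
    """Extract one certificate's fields and evaluate them at `now`
    (an aware datetime or a 'YYYY-MM-DD' string, taken as UTC)."""
    if isinstance(now, str):
        now = datetime.strptime(now, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    info = dict(subject=None, issuer=None, sig_alg=None, not_before=None,
                not_after=None, ca=False, key_usage=[], key_bits=None)
    lines = block.splitlines()
    for i, line in enumerate(lines):
        m = _FIELD_RE.match(line)
        if m:
            key, val = m.group(1), m.group(2).strip()
            if key == "Issuer":
                info["issuer"] = val
            elif key == "Subject":
                info["subject"] = val
            elif key == "Signature Algorithm":
                info["sig_alg"] = info["sig_alg"] or val  # first occurrence wins
            elif key == "Not Before":
                info["not_before"] = _parse_gmt(val)
            else:
                info["not_after"] = _parse_gmt(val)
            continue
        m = _KEY_BITS_RE.search(line)
        if m:
            info["key_bits"] = int(m.group(1))
        elif "X509v3 Basic Constraints" in line and i + 1 < len(lines):
            info["ca"] = "CA:TRUE" in lines[i + 1]
        elif "X509v3 Key Usage" in line and i + 1 < len(lines):
            info["key_usage"] = [u.strip() for u in lines[i + 1].split(",")]
    info["self_signed"] = info["subject"] is not None and info["subject"] == info["issuer"]
    info["expired"] = info["not_after"] is not None and now >= info["not_after"]
    info["days_left"] = (info["not_after"] - now).days if info["not_after"] else None
    warnings = []
    if info["expired"]:
        warnings.append("certificate has expired")
    elif info["days_left"] is not None and info["days_left"] < EXPIRY_WARN_DAYS:
        warnings.append(f"certificate expires in {info['days_left']} days")
    if info["not_before"] is not None and now < info["not_before"]:
        warnings.append("certificate is not yet valid")
    if info["key_bits"] is not None and info["key_bits"] < MIN_RSA_BITS:
        warnings.append(f"RSA key is only {info['key_bits']} bits")
    if info["sig_alg"] and info["sig_alg"].lower().startswith(WEAK_SIG_PREFIXES):
        warnings.append(f"signature algorithm {info['sig_alg']} is deprecated")
    if info["ca"] and "Certificate Sign" not in info["key_usage"]:
        warnings.append("CA certificate lacks the Certificate Sign key usage")
    info["warnings"] = warnings
    return info


if __name__ == "__main__":
    for name, block in split_dump(SAMPLE_DUMP).items():
        report = summarize(block, datetime.now(timezone.utc))
        print(name, "not after", report["not_after"], "warnings:", report["warnings"])
```

Because it only reads the printed text, the script cannot check the signature itself; pair it with openssl verify against the signer certificate when you need proof that an agent certificate actually chains to the signer.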
sbinit
The sbinit utility starts, stops, and restarts the MSEO daemon on MSEO
Agent-enabled media servers. It also adds and removes MSEO tape drivers.
Syntax
sbinit restart|start|stop
A link is created from /etc/init.d/sbinit to ./mseo/agent/bin/sbinit
when MSEO is installed on Solaris systems. On Linux systems,
./mseo/agent/bin/sbinit is copied to /etc/init.d/sbinit.mseo.
sbinit.mseo is the same executable and it takes the same arguments as
sbinit.
Example
The following example checks whether the MSEO Agent daemon is running, starts it, and checks again:
# ps -ef | grep sbnbu
# ./sbinit start
# ps -ef | grep sbnbu
9778 ? 0:00 sbnbucd
#
Argument   Description
restart    Stops the MSEO Agent and then immediately restarts it.
start      Starts the MSEO Agent. This argument adds the MSEO tape driver
           module to the kernel and starts the agent daemon, sbnbucd. Use this
           argument to start the MSEO Agent after having shut down the MSEO
           Agent with sbinit stop.
stop       Stops the MSEO Agent. This argument stops the agent daemon,
           sbnbucd, and removes the MSEO tape driver module from the kernel.
           Use this argument to completely shut down the MSEO Agent.
sbnbucd
sbnbucd is the daemon for the MSEO Agent on a UNIX media server. The
daemon must be running for the MSEO Agent to operate and communicate with
the Security Server. Start and stop the daemon with the sbinit command. Do
not execute this command directly or you may end up with multiple daemons
and unexpected behavior.
The c in sbnbucd indicates client and the d indicates daemon.
This command takes no arguments.
To start the MSEO Agent daemon:
# ./sbnbucd &
LOG[INFO]The tape device has been opened
successfully.
LOG[INFO]Agent(proxy) has started and tape IO
initialization is successful.
#
sbnbusd
sbnbusd is the daemon for the Security Server on a UNIX media server. The
daemon must be running for the Security Server to operate and communicate
with the MSEO Agent. Start and stop the daemon with the cginit command. Do
not execute this command directly or you may end up with multiple daemons
and unexpected behavior.
The s in sbnbusd indicates server and the d indicates daemon.
This command takes no arguments.
To start the MSEO Security Server daemon:
# ./sbnbusd &
[3] 9786
LOG[INFO]The database directory for Security Server
is /opt/vormetric/mseo/db.
LOG[INFO]Security server has been started at URL: localhost:8084.
initialization is successful.
#
Configuring MSEO virtual tape devices
Note: The information in this section is being deprecated in favor of the MSEO
user interface for agent configuration. See Configuring MSEO Drivers and
Server Connections on page 107.
NetBackup must be configured to use MSEO devices. NetBackup requests to
read/write archive data are sent to the MSEO device. The MSEO Agent running
on the media server intercepts the request and forwards it, along with other
system parameters, to the Security Server. The Security Server either returns
the data needed to complete the request or it denies the request.
MSEO protection is possible when NetBackup is configured to use MSEO drivers.
Inversely, MSEO protection ends when NetBackup is configured to use regular
system drivers. NetBackup configuration is performed automatically using the
MSEO utility cgconfig.
Note: The NetBackup Device Configuration Wizard reverts MSEO devices back
to native devices automatically when it is run. It is recommended that you revert
all the MSEO devices manually on a UNIX media server with the cgconfig
device command, or cgconfig /remove on a Windows media server, before
running the Device Configuration Wizard. Run the Device Configuration Wizard
to discover and configure new devices on the media server. After the new
devices have been configured for NetBackup, use the cgconfig device
command, or cgconfig /install on a Windows media server, to convert the
native devices on the media server back to MSEO devices. It should still work if
you accidentally run the Device Configuration Wizard without first reverting the
MSEO devices; however, this scenario has not been extensively tested.
This section assumes NetBackup 5.1 or 6.0 is already installed, configured, and
running. It also assumes you have MSEO Agent software installed. You can
configure certificates and register MSEO Agent hosts at a later time.
The original system devices are left intact. You are only creating links to
pseudo-devices created and stored in /dev/mseo and some system directories,
like /kernel and /dev/mseo.
To configure MSEO devices:
1 Ensure that there are no active backup processes running on the current
media server.
The local tape devices should be idle. If necessary, wait for the media server
to complete all NetBackup tasks. If you run a MSEO command that is used to
modify the configuration of a NetBackup media server, and that media
server is active, the command is discarded and the following message is
displayed in the terminal window: NetBackup tape devices are currently
active. Launch this tool later.
2 Log onto the MSEO Agent host.
Remember that this can also be the MSEO Security Server.
3 Execute cgconfig device.
All devices, both regular system and MSEO, are listed. You are prompted to
convert each one: MSEO devices back to regular system devices, and regular
system devices to MSEO devices. See also cgconfig device on page 195.
# cgconfig device
OS = Solaris
List of Non MSEO Devices:
-------------------------
Number Index PathName
=============================================
(1) 0 /dev/rmt/0cbn
List of MSEO Devices:
---------------------
No MSEO device(s) on NBU.
Convert non-MSEO tape device(s) to MSEO tape
device(s).
-------------------------------------------------
Device /dev/rmt/0cbn is not converted to MSEO
Device yet. Convert [y|n]? (Default n) y
4 You are prompted to convert regular devices to MSEO devices. If you want to
convert them, enter y; otherwise enter n or press <Enter>.
If you enter y, you are prompted to set device parameters. If you enter n, the
next non-MSEO device is listed and you are prompted to convert it.
5 If you are converting a regular device to a MSEO device, you are prompted to
set the device parameters:
Setting MSEO tape device
/dev/mseo/0cbn parameters.
Async Write[on|off] (Default=off)=
Debug[on|off](Default=off)=
Note: The cgconfig device command configures synchronous and
asynchronous data streaming. Synchronous data streaming (Async
Write=off) is slower but can successfully recover from data interruption.
Asynchronous data streaming (Async Write=on) provides faster throughput
but recovers unreliably from data interruption. When asynchronous write is
enabled, and data streaming is interrupted, such as by disconnecting a network
cable, NetBackup will attempt to recover the job when the cable is replaced, and
possibly fail to complete the backup. By default, asynchronous write is disabled
(off). If you enable asynchronous write, create the following NetBackup touch
file to disable NetBackup error recovery.
On UNIX:
/usr/openv/netbackup/db/config/NO_ERROR_RECOVERY
On Windows:
/Program Files/VERITAS/NetBackup/db/config/NO_ERROR_RECOVERY
6 If there are additional non-MSEO devices present, you are prompted to
convert those to MSEO devices.
In this example, there are no more non-MSEO devices.
7 If there are any MSEO devices present, you are prompted to convert them
back to regular system devices. Enter n or <Enter> to keep the MSEO device
or y to change it back to a regular system device.
Revert /dev/mseo/0cbn to non-MSEO device[y|n]?
(Default n)n
/dev/mseo/0cbn is still a MSEO device!
List of Non MSEO Devices:
-------------------------
No NON-MSEO device(s) on NBU.
List of MSEO Devices:
---------------------
Number Index PathName
=================================================
(1) 0 /dev/mseo/0cbn
8 Check the device drivers in the NetBackup Administration Console and
verify that the devices reference the /dev/mseo directory on UNIX systems
or tape0, tape1, etc. on Windows systems.
Figure 8-42 shows the NetBackup Administration Console after having
configured two UNIX system devices to MSEO devices. Note that the device
name remains the same; only the directory changes.
Figure 8-42 NetBackup configured with MSEO devices on a UNIX media server
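The procedure above leaves each converted device with an Async Write setting, and the note under step 5 ties that setting to the NetBackup NO_ERROR_RECOVERY touch file. The following Python script is an added example, not an MSEO or NetBackup tool: it parses cgconfdevice list output in the layout shown earlier in this chapter, checks for the touch file at the UNIX path the note gives, and reports devices whose asynchronous write setting and the touch file disagree, as well as devices left with Debug on. SAMPLE_LIST is constructed; the audit function takes the touch-file state as a parameter so the check can be exercised without a media server.

```python
"""Added example (not MSEO or NetBackup code): audit MSEO pseudo-device
parameters against the asynchronous-write rule stated in this guide."""
import os
import re

# Touch file path for a UNIX media server, as given in this guide.
NO_ERROR_RECOVERY_UNIX = "/usr/openv/netbackup/db/config/NO_ERROR_RECOVERY"

# Constructed sample of cgconfdevice list output, not from a real media server.
SAMPLE_LIST = """\
List of MSEO tape device(s) parameter settings:
-----------------------------------------------
(1) MSEO device /dev/mseo/0cbn:
Async write = on
Debug = off
(2) MSEO device /dev/mseo/2cbn:
Async write = off
Debug = on
"""

_DEVICE_RE = re.compile(r"^\(\d+\) MSEO device (\S+):$")
_PARAM_RE = re.compile(r"^(Async write|Debug)\s*=\s*(on|off)$", re.IGNORECASE)


def parse_device_settings(text):
    """Return {device_path: {"async_write": bool, "debug": bool}} from the listing."""
    devices, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _DEVICE_RE.match(line)
        if m:
            current = m.group(1)
            devices[current] = {}
            continue
        m = _PARAM_RE.match(line)
        if m and current is not None:
            key = "async_write" if m.group(1).lower() == "async write" else "debug"
            devices[current][key] = m.group(2).lower() == "on"
    return devices


def audit(devices, touch_file_present):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    async_devices = sorted(d for d, p in devices.items() if p.get("async_write"))
    if async_devices and not touch_file_present:
        # The guide: with Async Write=on, NetBackup's own error recovery is unreliable,
        # so the touch file that disables it must exist.
        findings.append("NO_ERROR_RECOVERY touch file is missing but asynchronous write is on for: "
                        + ", ".join(async_devices))
    if touch_file_present and not async_devices:
        findings.append("NO_ERROR_RECOVERY touch file is present although no device uses "
                        "asynchronous write; NetBackup error recovery is disabled for no benefit")
    for device, params in sorted(devices.items()):
        if params.get("debug"):
            findings.append(f"{device}: debug is on; review whether it is still needed")
    return findings


def audit_media_server(list_output, touch_file=NO_ERROR_RECOVERY_UNIX):
    """Combine the parsed listing with the real touch-file check on this host."""
    return audit(parse_device_settings(list_output), os.path.exists(touch_file))


if __name__ == "__main__":
    for finding in audit_media_server(SAMPLE_LIST):
        print("WARNING:", finding)
```

On a live media server feed it the real listing, for example audit_media_server(subprocess.run(["cgconfdevice", "list"], capture_output=True, text=True).stdout); the Windows touch file path from the note can be passed as the touch_file argument instead of the UNIX default.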
Registering MSEO Agent hosts with the Security Server
Once installed, media servers must be registered with the Security Server. MSEO
can be configured to run in either a standalone or distributed mode. The more
effective configuration is the distributed mode, where a centralized Security
Server is installed on one media server with the other media servers in the
NetBackup configuration running only MSEO Agent software. You must register
the media server by adding it to the MSEO Security Server. Afterwards, you have
the option to configure an X.509 certificate to authenticate the host to the Security
Server.
Communication between a MSEO Agent-enabled host and Security Server can be
sent through an SSL tunnel. To configure SSL authentication, you need an
available port through which to send packets and an X.509 certificate to verify
the host. See SSL for distributed MSEO configurations on page 117 for
information about configuring the listening port and generating certificates.
Use the cgadmin add host command to register the media server. See
cgadmin add on page 166 for additional details about using this command and
Sample MSEO administration flow on page 191 for some related examples.
To add MSEO Agent hosts to the Security Server:
1 Log onto the system running the Security Server.
2 Display the hosts configured in the Security Server database directory.
# cgadmin show host
Hosts:
127.0.0.1
policy
default
The example shows the default configuration after a fresh installation. You
need to add the MSEO Agent hosts to the Security Server database
directory.
3 Add all the MSEO Agent hosts to the Security Server database directory with
the cgadmin utility.
These are the hosts you installed, as described in Installing MSEO Agent on
UNIX systems on page 40. For example, if the MSEO Agent host is running
on a media server with the IP address 10.3.34.4 and you want to use the
default policy, enter:
# cgadmin add host 10.3.34.4 policy default
LOG[AUDIT]Host 10.3.34.4 has been added successfully.
#
This command creates a file named
./mseo/server/db/host/10.3.34.4.xml. It specifies the policies to
apply to the MSEO Agent host. See also cgadmin add on page 166.
4 Display the hosts configured in the Security Server database directory.
# cgadmin show host
Hosts:
127.0.0.1
policy
default
10.3.34.4
policy
default
5 Add the remaining MSEO Agent hosts to the Security Server database
directory in the same manner.
6 Log onto a MSEO Agent host.
Communication between MSEO Agent host and Security Server is a
two-way street. In steps 3 through 5 you had identified the MSEO Agent
hosts in the NetBackup configuration to the Security Server. Now you have
to identify the Security Server to each MSEO Agent host.
7 Configure a MSEO Agent host for a specific Security Server.
The MSEO Agent host is configured with a default Security Server during
installation. The default Security Server is only applicable in a standalone
MSEO configuration (that is, both the Security Server and the MSEO Agent
running on the same system). Skip the rest of this section if you are
configuring a standalone MSEO installation.
a Use the cgconfig utility to delete the default Security Server from the
MSEO Agent database and add the Security Server to the MSEO Agent
database.
# cgconfig server
List of MSEO server connection(s):
-------------------------------------------------
                      Address        Port
=================================================
MSEO server (1)       localhost      8084
b When prompted to delete the default Security Server, enter d.
Server Address: localhost 8084
[k]eep, [r]evise, [d]elete? (default=k) d
c When prompted to add a new Security Server, enter y. You will be
prompted to also specify the IP address and listening port for the new
server.
The port number is the SSL listening port to use for MSEO Agent and
Security Server communication. It is recommended you use the default
port number, 8084.
For example, if the Security Server IP address is 10.3.34.3 and you
want to use the default SSL port, enter the following:
Powered by Vormetric
Add a new server connection[y|n]? (default n) y
New address=10.3.34.3
New port=8084
d You will be prompted to add additional Security Servers. Add them if
there are more in the NetBackup configuration.
Enter y if you want to add more at this time. Otherwise, enter n.
Security Servers are order-dependent. The first Security Server in the
database is always used. If it becomes unavailable, the second Security
Server in the database is tried, and so on.
Add a new server connection[y|n]? (default n) n
List of MSEO server connection(s):
-------------------------------------------------
                      Address        Port
=================================================
MSEO server (1)       10.3.34.3      8084
e View the new addition to the MSEO Agent database.
# more /opt/vormetric/mseo/agent/etc/mseo_agent.conf
10.3.34.3:8084
#
Note: On Windows, agent configuration data is stored in C:\Program
files\Vormetric\MSEO\agent\config\mseo_agent.conf. This file may
be edited manually. Agent-to-server timeout parameters are configured
in the mseo_agent_requests.conf file. If you suspect timeout problems,
stop the agent service on the MSEO Agent, open mseo_agent_requests.conf
in a text editor, and increase the request_timeout interval to 20. See
Adjusting agent-to-server timeout on page 162 for information about
configuring timeouts. Restart the agent service. Run ipconfig /flushdns
on both the agent and server to refresh their DNS caches. The agent and server
should now have sufficient time to establish network connections.
Note: Changes to the network connection between the MSEO Agent and Security
Server are not dynamically updated. After changing the configuration, you must
restart the MSEO Agent process for the MSEO Agent to detect and use the new
configuration. See also sbnbucd on page 214.
SSL can optionally be configured and certificates generated to provide
additional MSEO Agent and Security Server protection. See Creating and
managing certificates on page 109.
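The agent-side server list written in step 7 is short enough to check before you restart the agent. The following is an added example, not code from this guide or from the product: it assumes mseo_agent.conf holds one address:port entry per line in failover order, as shown in step 7e (blank lines are tolerated here as a convenience of the example), flags a leftover installation default or a non-default SSL port, and reproduces the documented first-available failover order.

```python
"""Parse and sanity-check an MSEO Agent server list (mseo_agent.conf).

Added example, not the guide's or the product's own code. It assumes the format
shown in step 7e: one "address:port" entry per line, in failover order.
"""
from typing import Callable, List, Optional, Tuple

DEFAULT_SSL_PORT = 8084  # recommended MSEO Agent <-> Security Server port
Server = Tuple[str, int]

# Constructed sample: the result of step 7 plus a second Security Server and a
# leftover installation default, the mistake that check_agent_conf() flags.
SAMPLE_CONF = "10.3.34.3:8084\n10.3.34.5:8084\nlocalhost:8084\n"


def parse_agent_conf(text: str) -> List[Server]:
    """Return (address, port) pairs in the order the agent will try them."""
    servers = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        address, sep, port_str = line.rpartition(":")
        if not sep or not address or not port_str.isdigit():
            raise ValueError(f"malformed server entry: {line!r}")
        port = int(port_str)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {line!r}")
        servers.append((address, port))
    return servers


def check_agent_conf(servers: List[Server], standalone: bool) -> List[str]:
    """Warnings worth reviewing before restarting the agent process."""
    warnings = []
    if not servers:
        warnings.append("no Security Server configured")
    for address, port in servers:
        if port != DEFAULT_SSL_PORT:
            warnings.append(f"{address}:{port} is not the default SSL port")
        if address in ("localhost", "127.0.0.1") and not standalone:
            warnings.append(f"{address}:{port} is the installation default")
    return warnings


def select_server(servers: List[Server], reachable: Callable[[str, int], bool]) -> Optional[Server]:
    """Mirror the documented failover order: the first reachable entry wins."""
    for address, port in servers:
        if reachable(address, port):
            return address, port
    return None
```

Remember that the agent only reads this file at startup, so a corrected file takes effect after the MSEO Agent process is restarted.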
Index

A
apps file 122
AttributeMatch 171
AttributeMatch, See also match
attributes
    matching 138
    Vault 138

C
cgconfig 192, 203, 204
cginit 207
cginit.mseo, See cginit
commands
    cgadmin
        export 177
        import 183
    cgconfig 192, 203, 204
        device 195
        help 198
        list 199
        server 200, 202

D
data store 81, 82, 84
default policy 127

E
exporting RSA keys 177

G
get_names 20, 22

H
host_ip.host file 219

I
importing RSA keys 183

K
keys
    SHA hash 186
Keyword phrase 129, 130, 131, 132, 133, 134
Keyword phrase window 127

L
licensing 3
logging
    error levels 142
    UNIX 146
    Windows 145

M
match 170
media servers
    registering 187
metadata encryption 122
mseo.log 162
mseo_agent.conf 221
mseo_agent_requests.conf 163
mseo_security_server.conf 101

N
NetBackup Administration Console 114, 193
NetBackup Device Configuration Wizard 216
nslookup 20

P
PEM
    Policy Enforcement Module 54
    Policy Execution Manager 24, 26
    Privacy Enhanced Mail 23, 24, 25, 26
policies
    default 127, 136
    encrypt 136
    restore 137
    samplePolicy 137
    vault 136
Policy Enforcement Module 54
Policy Execution Manager 24, 26
port numbers 21
Privacy Enhanced Mail 23, 24, 25, 26

R
registration 187

S
security rule
    description 124
SHA hash 186
SSL
    configuring 156
    error codes 155
    renewing certificates 151

T
technical support 3
too many data blocks 159

V
Vault
    Copy Number attribute 138, 170
    Pool Number attribute 138, 170
    using 138

X
X.509 certificate
    cgadmin 166
    purpose 14