Veritas NetBackup Hotfix Guide

Veritas NetBackup Hotfix
Guide
For NetBackup and OpsCenter
versions 7.5.0.7, 7.6.0.4, 7.6.1.2, 7.7,
and 7.7.2
For NetBackup Appliance versions

2.5.4, 2.6.0.4, 2.6.1.2, and 2.7.2
Veritas NetBackup Hotfix Guide

Legal Notice
Copyright 2016 Veritas Technologies LLC. All rights reserved.
Veritas, the Veritas Logo, and NetBackup are trademarks or registered trademarks of Veritas
Technologies LLC or its affiliates in the U.S. and other countries. Other names may be
trademarks of their respective owners.
This product may contain third party software for which Veritas is required to provide attribution
to the third party (Third Party Programs). Some of the Third Party Programs are available
under open source or free software licenses. The License Agreement accompanying the
Software does not alter any rights or obligations you may have under those open source or
free software licenses. Refer to the third party legal notices document accompanying this
Veritas product or available at:
https://www.veritas.com/about/legal/license-agreements
The product described in this document is distributed under licenses restricting its use, copying,
distribution, and decompilation/reverse engineering. No part of this document may be
reproduced in any form by any means without prior written authorization of Veritas Technologies
LLC and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED
CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED
WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR
NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH
DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC
SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN
CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS
DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS
SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software
as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19
"Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq.
"Commercial Computer Software and Commercial Computer Software Documentation," as
applicable, and any successor regulations, whether delivered by Veritas as on premises or
hosted services. Any use, modification, reproduction release, performance, display or disclosure
of the Licensed Software and Documentation by the U.S. Government shall be solely in
accordance with the terms of this Agreement.
Veritas Technologies LLC
500 E Middlefield Road
Mountain View, CA 94043
http://www.veritas.com
Technical Support
Technical Support maintains support centers globally. All support services will be delivered
in accordance with your support agreement and the then-current enterprise technical support
policies. For information about our support offerings and how to contact Technical Support,
visit our website:
https://www.veritas.com/support
You can manage your Veritas account information at the following URL:
https://my.veritas.com
If you have questions regarding an existing support agreement, please email the support
agreement administration team for your region as follows:
Worldwide (except Japan)
CustomerCare@veritas.com
Japan
CustomerCare_Japan@veritas.com
Documentation feedback
Your feedback is important to us. Suggest improvements or report errors or omissions to the
documentation. Include the document title, document version, chapter title, and section title
of the text on which you are reporting. Send feedback to:
NB.docs@veritas.com
You can also see documentation information or ask a question on the Veritas community site:
http://www.veritas.com/community/
Contents
Chapter 1
Introduction
........................................................................... 5
About the NetBackup hotfix .............................................................. 5

For additional hotfix information ........................................................ 5
Chapter 2
Installing and configuring NetBackup

hotfixes ............................................................................. 6
Overview of the installation process ................................................... 6
NetBackup, OpsCenter, and appliance patch versions ........................... 7
Hotfix installation progression ........................................................... 9
Installing the hotfix on NetBackup and the NetBackup Remote Java
Console ............................................................................... 12
Installing the hotfix on OpsCenter .................................................... 13
Installing the hotfix on a NetBackup appliance .................................... 14
Post-installation procedures ............................................................ 14
Operational differences once the hotfix is installed .............................. 15
Chapter 3
Deploying security certificates ....................................... 17

About security certificates for NetBackup hosts ...................................
Verifying the NetBackup Certificate Authority (CA) ...............................
Verifying a security certificate ....................................................
Deploying a security certificate on a NetBackup host ..........................
User authentication when NBAC or Enhanced Auditing is
enabled ................................................................................
Updates to the bpnbaz command ....................................................
Appendix A
17
18
20
21
24
26
Hotfix download lists ......................................................... 27

About the download packages ........................................................
NetBackup 7.7.2, NetBackup appliance 2.7.2 .....................................
NetBackup and OpsCenter 7.7 ........................................................
NetBackup and OpsCenter 7.6.1.2, NetBackup appliance 2.6.1.2 ...........
NetBackup and OpsCenter 7.6.0.4, NetBackup appliance 2.6.0.4 ...........
NetBackup and OpsCenter 7.5.0.7, NetBackup appliance 2.5.4 .............
27
27
28
30
31
33
Chapter
Introduction
This chapter includes the following topics:
About the NetBackup hotfix
For additional hotfix information
About the NetBackup hotfix

This document describes the tasks that are necessary to successfully install and
use the hotfix:
1.
Install the NetBackup hotfix on NetBackup master servers, media servers,

clients, NetBackup Java administration consoles, OpsCenter servers, and
NetBackup appliances that run the versions that are indicated in the following
topic:
See Overview of the installation process on page 6.
2.
Deploy security certificates on the NetBackup hosts for successful Change

Server operations and shared access.
For example, it is mandatory to have a security certificate present on a
NetBackup host when connecting to the NetBackup host through the Java
NetBackup Administration Console or the Java Backup, Archive, and
Restore client interface.
See About security certificates for NetBackup hosts on page 17.
For additional hotfix information

For the latest information, such as frequently asked questions, see the following
article:
http://www.veritas.com/docs/000108183
Chapter
Installing and configuring

NetBackup hotfixes
Overview of the installation process
NetBackup, OpsCenter, and appliance patch versions
Hotfix installation progression
Installing the hotfix on NetBackup and the NetBackup Remote Java Console
Installing the hotfix on OpsCenter
Installing the hotfix on a NetBackup appliance
Post-installation procedures
Operational differences once the hotfix is installed
Overview of the installation process

You must apply the updates in this hotfix to all NetBackup computers in your
NetBackup environment. Apply this hotfix to NetBackup master servers, media
servers, and clients; OpsCenter servers; the NetBackup Remote Java Console;
and NetBackup appliances.
Table 2-1 shows the overview of the hotfix process.
Installing and configuring NetBackup hotfixes

Table 2-1
Hotfix application process
Step
Process
Additional information
Generate a list of all NetBackup servers Use the article that is shown to
and clients.
generate a list of all clients from all
NetBackup policies:
Use the command that is shown to list
all master and all media servers:
nbemmcmd -listhosts
-nbservers
The nbemmcmd is located in
install_path\Veritas\NetBackup\bin\admincmd
for Windows and
/usr/openv/netbackup/bin/admincmd
for UNIX and Linux.
Determine what patches must be

applied before the installation of the
hotfix.
See NetBackup, OpsCenter, and

appliance patch versions on page 7.
Install NetBackup patches as

necessary.
3
Install the hotfix to the NetBackup

See Hotfix installation progression
servers and clients, OpsCenter servers, on page 9.
and NetBackup appliances in the
See Verifying the NetBackup
correct order.
Certificate Authority (CA) on page 18.
Confirm the fix is applied correctly.
Perform all required post-installation

procedures
Provision a security certificate for each See Deploying a security certificate on

computer that requires a security
a NetBackup host on page 21.
certificate.
See Post-installation procedures

on page 14.
NetBackup, OpsCenter, and appliance patch

versions
The first step in applying the hotfix is to apply the appropriate NetBackup, OpsCenter,
or appliance patch to all your systems. Table 2-2 lists the version of NetBackup,
OpsCenter, and the appliance, as well as the required patch level for the hotfix.

Table 2-2
Required patch version for hotfix
NetBackup,
OpsCenter, and
appliance version
NetBackup 7.0.x.x and No version of the hotfix is available for these versions of NetBackup.
7.1.x.x
You must upgrade to a version of NetBackup for which the hotfix
is available.
Appliance 2.5.3 and
below
All NetBackup 7.5
versions
For NetBackup, you must apply the 7.5.0.7 patch. More information
about the 7.5.0.7 patch is available.
Appliance 2.5.4
Note: For 7.5.0.7 Microsoft Cluster Server environments, you must

run an additional command before applying the hotfix. More
information is available.
For the NetBackup appliance, you must apply the 2.5.4 patch. More
information about the 2.5.4 patch is available.
More information about the Etrack numbers associated with the
7.5.0.7 and 2.5.4 hotfix is available.
See Table A-5 on page 34.
All NetBackup 7.6
versions
You must apply the 7.6.0.4 patch. More information about the
7.6.0.4 patch is available.
All appliance 2.6

versions
For the NetBackup appliance, you must apply the 2.6.0.4 patch.
More information about the 2.6.0.4 patch is available.
7.6.0.4 and 2.6.0.4 hotfix is available.

Table 2-2
Required patch version for hotfix (continued)
NetBackup,
OpsCenter, and
appliance version
All NetBackup 7.6.1

versions
You must apply the 7.6.1.2 patch. More information about the
7.6.1.2 patch is available.
All appliance 2.6.1

versions
For the NetBackup appliance, you must apply the 2.6.1.2 patch.
More information about the 2.6.1.2 patch is available.
7.6.1.2 and 2.6.1.2 hotfix is available.
NetBackup 7.7 version No patch is required. You can apply the appropriate hotfix directly
to NetBackup version 7.7.
7.7 hotfix is available.
NetBackup 7.7.1
No hotfix is available for NetBackup 7.7.1. You must upgrade to

NetBackup 7.7.2 and then apply the NetBackup 7.7.2 hotfix.
Note: Veritas does not have a 7.7.2 package for either Mac OS
or FreeBSD. You must uninstall the 7.7.1 package and install 7.7
and the hotfix. See the NetBackup 7.7 version row in this table.
NetBackup 7.7.2
No patch is required. You can apply the appropriate hotfix directly

to NetBackup version 7.7.2.
7.7.2 hotfix is available.
Note: The 7.7.2 hotfix delivers back-level Java support for the
older releases that require the hotfix.

Due to the nature of the hotfix, there is a specific order in which the NetBackup
computers must be updated. The update order depends on the computer's

NetBackup role. Upgrade the computers based on their NetBackup role. The update
order is as follows:
Upgrade order based on computer role
Table 2-3
Step
number
Computer role to upgrade
(Conditional) You may wish to apply the hotfix to client systems first. More
information is available.
See Installing the hotfix on NetBackup and the NetBackup Remote Java
Console on page 12.
This step may require a patch to bring the system to the correct version.
Then apply the hotfix.
If clients are required to run the Java Backup, Archive, and Restore
client interface, provision a certificate on each of these clients. More
information on how to provision these certificates is available.
See Deploying a security certificate on a NetBackup host on page 21.
Any remote console systems that connect to these clients must also
have the hot fix applied to allow the Java Backup, Archive, and Restore
client interface to function.
You can pause upgrade activities here and NetBackup continues to operate successfully.
The hotfix is not, however, fully installed until all steps in this procedure are completed.
2
Upgrade all OpsCenter servers. More information is available.

See Installing the hotfix on OpsCenter on page 13.
This step may require an OpsCenter patch to bring it to the correct version.
Then apply the hotfix.
3
Upgrade all master servers and all computers that use the NetBackup Java
interface to connect to those master servers. These computers can be
media servers, clients, or Windows systems that use the Remote console.
More information is available.
Console on page 12.
See Installing the hotfix on a NetBackup appliance on page 14.
This step may require a NetBackup patch to each system to bring it to the
correct version. Then apply the hotfix.
10

Upgrade order based on computer role (continued)
Table 2-3
Step
number
For each master server, run the command shown. If NetBackup Access
Control (NBAC) is enabled and configured, before you run the command,
set USE_VXSS from REQUIRED to AUTOMATIC. Return the value to its
previous state after you run the command.
This command performs any required initialization, configuration, and
certificate renewal operations on the master server only. Certificates for
other systems are deployed or renewed later in the procedure.
bpnbaz ConfigureAuth force
On UNIX and Linux systems, the directory path to this command is
/usr/openv/netbackup/bin/admincmd/.
On Windows systems, the directory path to this command is
install_path\NetBackup\bin\admincmd\.
Stop and restart all NetBackup processes and services
Stop all NetBackup processes and services as follows:
On UNIX and Linux systems:

/usr/openv/netbackup/bin/bp.kill_all
On Windows systems:
install_path\NetBackup\bin\bpdown -f
Start all NetBackup processes and services as follows:

/usr/openv/netbackup/bin/bp.start_all
On Windows systems:
install_path\NetBackup\bin\bpup -f
Note: This operation is a one-time only operation. Once you run this
command, you do not need to run it again.
5
Confirm that the hotfix is applied correctly. More information is available.

See Verifying the NetBackup Certificate Authority (CA) on page 18.
Provision a certificate on every media server or client computer from steps

1 or 3. A non-patched NetBackup Java interface cannot log into a patched
master server.
11

Installing the hotfix on NetBackup and the NetBackup Remote Java Console
Table 2-3
Upgrade order based on computer role (continued)
Step
number
Upgrade all media servers. More information is available.

Console on page 12.
After you apply the hotfix to a media server, provision a certificate on each
media server.
8
Upgrade all remaining clients. More information is available.

Console on page 12.
After you apply the hotfix to each client, provision a certificate on the client.
If your environment contains multiple master servers, you have two choices on how
to proceed.
1.
You perform steps 3 through 7 on one master domain and then move on and
perform steps 3 through 7 on all other domains.
2.
You can perform step 3 on all masters at the same time. Then perform all
subsequent steps on all systems that match as well.
Installing the hotfix on NetBackup and the

NetBackup Remote Java Console
Veritas has information on how to install the hotfix on NetBackup.
12

Note: For 7.5.0.7 Microsoft Cluster Server environments, you must run an additional
command before applying the hotfix. More information is available.
Caution: Please refer to the differences that are noted in this section as there are
some important differences that apply to this hotfix.
Three primary differences exist between the information in the article that is shown
and what is required for this hotfix.
First, Veritas created a single package that contains both the server and the client
binaries. You do not need separate binary packages for servers and clients. The
same installation works for both servers and clients.
Second, you must patch the Remote Java Administration Console. This requirement
only applies to Windows computers that use the Remote Java Administration
Console.
Finally, where the article indicates you should stop specific services, you must stop
all NetBackup services.

On Windows systems:
Other than these differences, please follow the instructions that are listed in the
article shown.
Uninstalling the hotfix

Veritas does not recommend that you uninstall the hotfix. If, however, that is
necessary, Veritas developed instructions for the uninstall. More information is
available.

Veritas has information on how to install the hotfix on an OpsCenter server. Those
instructions are included in the readme file that is bundled with the OpsCenter
binaries. Please follow the information that is included in the readme file.
13


Veritas has information on how to install the hotfix on the NetBackup appliance.
Post-installation procedures
Veritas recommends that you deploy a security certificate on a NetBackup host
after you finish installing the hotfix on it. You must have the security certificate when
you connect to a NetBackup host through the Java NetBackup Administration
Console or the Java Backup, Archive, and Restore user interface. The NetBackup
Certificate Authority (CA) issues NetBackup host security certificates. More
information about NetBackup hosts security certificates and deploying these
certificates is available.
Veritas NetBackup Administrators Guide, Volume I
http://www.veritas.com/docs/DOC5332
Once the hotfix is correctly installed, you must deploy security certificates to all
NetBackup hosts. More information about security certificates is available.
See Deploying a security certificate on a NetBackup host on page 21.
Post-installation procedures specific to master servers

You must run an additional command on NetBackup master servers. You run this
command once to initialize and configure the NetBackup Authentication Service. If
NBAC is enabled and configured, before you run the command, set USE_VXSS from
REQUIRED to AUTOMATIC. Return the value to its previous state after you run the
command.
This command renews any expired certificates on the master server only. After you
run the command on a master server, certificates are automatically renewed before
they expire. Please be sure the NetBackup services are started before you run the
command shown.
Windows:
install_directory\bin\admincmd\bpnbaz.exe -ConfigureAuth -force
UNIX or Linux
/usr/openv/netbackup/bin/admincmd/bpnbaz -ConfigureAuth -force
When the command completes, stop and restart all NetBackup processes and
services.
14


On Windows systems:
Start all NetBackup processes and services as follows:

/usr/openv/netbackup/bin/bp.start_all
On Windows systems:
install_path\NetBackup\bin\bpup -f

After you install the hotfix, there are some differences in NetBackup operations.
Veritas updated various dialog boxes.
Operational changes
If NetBackup Access Control (NBAC) is used in the AUTOMATIC mode: If a

user tries to log into a media server but the master server cannot authenticate
it, the user is limited to the Backup, Archive, and Restore client interface on
the media server.
See User authentication when NBAC or Enhanced Auditing is enabled
on page 24.
If NBAC is used in the REQUIRED mode: - If a user tries to log into a media
server but the master server cannot authenticate it, the login fails.
See User authentication when NBAC or Enhanced Auditing is enabled
on page 24.
If the user tries to connect to a host with the hotfix from a host without the hotfix,
the login fails. This login error is non-specific and does not deliver exact
information about error condition.
If a user tries to connect to a host without the hotfix from a host with the hotfix,
the user receives a message indicating that the connection is not secure. If the
user selects Yes and connects over an insecure channel, the user name and
password are sent in clear text to the NetBackup host. If the user selects No,
the connection attempt is aborted.
For MacOS, FreeBSD, IBM POWERPC Red Hat, and IBM POWERPC SuSE
hosts, the connection is insecure regardless of the status of the hotfix on those
hosts.
15

After catalog recovery on a master server, you may need to perform specific
tasks to reestablish trust with this master. More information is available.
Expected messages during client uninstall

Veritas does not recommend uninstalling the hotfix, as it contains necessary security
fixes. If you uninstall the hotfix from a client computer, you can ignore any messages
similar to the following:
Cannot read source file directory_name/filename for uninstall
Cannot access destination file directory_name/filename for
uninstall, continuing since this file was not installed.
These messages are informational in nature and do not affect the uninstall.
16
Chapter
Deploying security
certificates
About security certificates for NetBackup hosts
Verifying the NetBackup Certificate Authority (CA)
Deploying a security certificate on a NetBackup host
User authentication when NBAC or Enhanced Auditing is enabled
Updates to the bpnbaz command
About security certificates for NetBackup hosts

NetBackup uses security certificates for authentication of NetBackup hosts for some
use cases. The NetBackup security certificates conform to the X.509 public key
infrastructure standard. A NetBackup Certificate Authority (CA) issues the
certificates.
Once the hotfix post-installation procedures are performed as described in this
document, by default, individual NetBackup master servers are provisioned with a
security certificate during a successful installation. Also, during a NetBackup push
installation to a Windows Server Failover Cluster (WSFC), security certificates are
deployed to all of the nodes in the failover cluster.
See Post-installation procedures on page 14.
Other NetBackup use cases may require that you deploy a security certificate to
NetBackup hosts so that NetBackup functions correctly, as follows:
Deploying security certificates

NetBackup master server cluster For a NetBackup master server in a cluster solution other
installation
than WSFC, you must deploy a security certificate to all
of the nodes in the cluster.
See Deploying a security certificate on a NetBackup
host on page 21.
Change Server operation in the
NetBackup Administration
Console
For a Change Server operation to succeed, the target

NetBackup host must have a security certificate installed.
To use the NetBackup Java

graphical user interfaces to
connect to media servers and
clients
To connect to a media server with the NetBackup

Administration Console, the media server must have
a security certificate installed. Similarly, to connect to a
NetBackup UNIX or Linux client with the Backup, Archive,
and Restore user interface, the client must have a
security certificate installed.

host on page 21.

host on page 21.
NetBackup Access Control
(NBAC)
If NBAC is enabled on a NetBackup host, the host

requires a security certificate. These certificates are
automatically deployed when you enable NBAC.
See the NetBackup Security and Encryption Guide:
http://www.veritas.com/docs/DOC5332

The Java NetBackup Administration Console or the Backup, Archive, and
Restore user interface communicates with NetBackup hosts (master server, media
server, or client) over a secure channel. This channel is secured using a NetBackup
host security certificate that is issued by the NetBackup Certificate Authority (CA).
The following message displays when you attempt to connect to a NetBackup host
whose security certificate was issued by a CA that is not in your NetBackup trust
store.
18

Figure 3-1
Message asking whether the CA should be added to the trust

store
Note: Once you trust the CA certificate, the message is not displayed again when
you connect to any NetBackup host in the same NetBackup domain.
The authenticity of the Certificate Authority can be verified using the following
procedure:
19

To verify the NetBackup Certificate Authority
Log in to the AT broker host (master server) that owns this certificate and run
the following command:
On Windows:
install_path\NetBackup\sec\at\bin\vssat showcred -p nbatd
On UNIX:
/usr/openv/netbackup/sec/at/bin/vssat showcred p nbatd
The details of the root CA certificate are displayed.
Check the output to confirm that the Certificate Hash matches the Root
Certificate Authority fingerprint that is contained in the message.
For example, if the Root Certificate Authority fingerprint in the message
displays the following fingerprint:
88:28:9C:13:A2:24:D2:BC:08:7D:DB:6C:4B:66:05:A7:D3:A7:58:R6
The Certificate Hash field should display the following:

88289C13A224D2BC087DDB6C4B6605A7D3A758R6
Verifying a security certificate

Use the following procedure to verify that NetBackup security is deployed.
20

To verify the security certificate
Check the contents of the following directory on the NetBackup host:

On Windows:
install_path\NetBackup\var\VxSS\credentials
On UNIX:
/usr/openv/var/vxss/credentials
The directory might list multiple certificate files. A single host can have a
certificate for each name that it is referred to as.
For example, the NetBackup host can have a fully qualified name
(v-123.acme.com) or it can also be referred to as v-123. The host would have
two certificates.
For each certificate file, run the following command to view the details of the
certificate:
Note: Expired or invalid certificates can cause connection failures.
On Windows:
install_path\NetBackup\bin\bpnbat -whoami -cf path_name\file_name
On UNIX:
/usr/openv/netbackup/bin/bpnbat -whoami -cf path_name/file_name
For example, bpnbat -whoami cf /tmp/v-123.acme.com

Verify the contents of the certificate. If both the host name and the expiration
date of the certificate are correct, the certificate is valid. If the certificate has
expired, you must generate a new certificate.
Deploying a security certificate on a NetBackup

host
NetBackup hosts may require a security certificate for authentication for various
purposes. If so, you must use a NetBackup command to deploy a certificate for
each host that requires one.
See About security certificates for NetBackup hosts on page 17.
When using the NetBackup Administration Console to log into a host that does
not have a security certificate installed, the following message appears, stating that
a security certificate is mandatory.
21

Figure 3-2
No security certificate is installed message
Choose one of the following procedures to deploy a security certificate on NetBackup

hosts. You must be a NetBackup administrator to deploy certificates.
Deploying a security certificate This procedure uses IP address verification to identify the
for media servers or clients
target NetBackup host and then deploy the certificate.
With this procedure, you can deploy a certificate for an
individual host, for all media servers, or for all clients.
See Deploying a security certificate for media servers or
clients.
Creating a host identity and
then deploying a security
certificate for a media server or
client
This procedure requires that you run a command on the

NetBackup master server to create an identity for the target
host. Then, you must run a command on the target host to
obtain the certificate from the master server.
With this procedure, you can deploy a certificate for an
individual host.
See Creating a host identity and then deploying a security
certificate for a media server or client.
Note: Deploying a security certificate is a one-time activity for a given NetBackup

host.
Choose one of the following procedures to deploy a security certificate on NetBackup
hosts:
22

Deploying a security certificate for media servers or clients

This procedure works well when deploying certificates to many hosts at one time.
As with NetBackup deployment in general, this method assumes that the network
is secure.
To deploy a security certificate for media servers or clients
Run the following command on the master server, depending on your

environment. To specify the name of an individual host, specify
-AllMediaServers, or specify -AllClients.
Windows: install_path\NetBackup\bin\admincmd\bpnbaz -ProvisionCert
host_name|-AllMediaServers|-AllClients
UNIX: /usr/openv/netbackup/bin/admincmd/bpnbaz -ProvisionCert

host_name|-AllMediaServers|-AllClients
NetBackup appliance (as a NetBackupCLI user): bpnbaz -ProvisionCert

Media_server_name
Restart the NetBackup Service Layer service on the master server.

No services need to be restarted if the target host is a NetBackup client.
Creating a host identity and then deploying a security

certificate for a media server or client
This procedure works best when deploying certificates to a small number of hosts.
The same password must be entered once on the master server, and then again
on the target host, so this method is considered to be more secure.
23

To create a host identity and then deploy a security certificate for a media
server or client
Run the following command on the master server to create an identity for the
target NetBackup host.
Windows: install_path\NetBackup\bin\bpnbat addmachine
target_hostname
UNIX: /usr/openv/netbackup/bin/bpnbat addmachine target_hostname

Enter a password of your choice when prompted and make a note of it.
Run the following command on the target NetBackup host to obtain a certificate
from the master server and deploy it:
Windows: install_path\NetBackup\bin\bpnbat loginmachine
UNIX: /usr/openv/netbackup/bin/bpnbat loginmachine
Enter the master server name as the authentication broker name when
prompted. Enter the same computer name and password that were used to
create the target host identity on the master server.
Note: If a target host has multiple host names, repeat the steps for each host
name.
User authentication when NBAC or Enhanced

Auditing is enabled
When a user logs in to a NetBackup media server or client that has NetBackup
Access Control (NBAC) or Enhanced Auditing enabled, the user must be
authenticated by the NetBackup master server. If the NetBackup Authentication
daemon fails to authenticate the user, the user may have limited access to
NetBackup or the user login can fail.
If the NetBackup Authentication daemon fails to authenticate the user, either the
user's login fails or the user has access only to the Backup, Archive, and Restore
client interface, depending on whether NBAC is in AUTOMATIC or REQUIRED
mode.
24

Figure 3-3
Login failed message when NBAC is in REQUIRED mode and

the user cannot be authenticated by the master server
Figure 3-4
Redirection to client interface message when NBAC is in

AUTOMATIC mode and the user certificate is not available
These certificates are required when NBAC or Enhanced Auditing are enabled on
NetBackup. The NetBackup Authentication daemon on the master server generates
the user certificates. If the user certificate is not generated, you may have limited
access to NetBackup or your login can fail.
The following are possible reasons why the authentication can fail and the corrective
actions that the user can take:
The NetBackup Authentication daemon is down or cannot be reached.
The NetBackup Authentication daemon does not have access to an identity

provider that can authenticate the user.
Note: The NetBackup Authentication daemon cannot authenticate users that
are local to a media server or client.
25

Make sure that you log in using valid credentials that can be authenticated by
the NetBackup Authentication daemon.

Installation of the hotfix updates the bpnbaz command, which is necessary to deploy
certificates.
26
Appendix
Hotfix download lists

This appendix includes the following topics:
About the download packages
NetBackup 7.7.2, NetBackup appliance 2.7.2
NetBackup and OpsCenter 7.7
NetBackup and OpsCenter 7.6.1.2, NetBackup appliance 2.6.1.2
NetBackup and OpsCenter 7.5.0.7, NetBackup appliance 2.5.4
About the download packages

Veritas developed multiple versions of the hotfix since you must apply the fix to all
versions of the Veritas software. Apply this hotfix to NetBackup master servers,
media servers, and clients; OpsCenter servers; the NetBackup Remote Java
Console; and NetBackup appliances.
Use the tables in this appendix to find the installation files that match both your
operating system and your version of NetBackup.
NetBackup 7.7.2, NetBackup appliance 2.7.2

Table A-1 shows the files to download and install if you are applying the hotfix to
the following:
NetBackup 7.7.2 Java consoles: Remote Administration Console and NetBackup

Administration Console (jnbSA)
NetBackup 7.7.2 master servers, media servers, and clients

NetBackup Appliance 2.7.2

7.7.2 hotfix installation files
Table A-1
Product and bundle name
Operating
System
Installation files
Java console:
Windows x64
eebinstaller.3871155.1.AMD64.exe
NB_7.7.2_ET3871155_1.zip
Readme file
NB_7_7_2_ET3871155_1.README
NetBackup:
Windows x64
NB_7.7.2_ET3871154_1.zip
HP-UX Itanium
eebinstaller.3871154.1.hpia11.31
RedHat x64
eebinstaller.3871154.1.linuxR_x86_2.6.18
SuSE x64
eebinstaller.3871154.1.linuxS_x86_2.6.16
AIX
eebinstaller.3871154.1.rs6000_61
Solaris SPARC
eebinstaller.3871154.1.solaris10
Solaris x64
eebinstaller.3871154.1.solaris_x86_10_64
IBMZ Redhat
eebinstaller.3871154.1.zlinuxR_2.6.18
IBMZ SuSE
eebinstaller.3871154.1.zlinuxS_3.0.76
Windows x86
Once NetBackup for Windows x86 is upgraded to 7.7.2,

no hotfix is required.
Readme file
NB_7_7_2_ET3871154_1.README
OpsCenter
All operating
systems
Once the OpsCenter server is upgraded to 7.7.2, no

hotfix is required.
Appliance:
Appliance
SYMC_NBAPP_EEB_ET3871154-2.7.2.0-1.x86_64.rpm
SYMC_NBAPP_EEB_ET38711542.7.2.0-1.x86_64.rpm

the following:
NetBackup 7.7 Java consoles: Remote Administration Console and NetBackup

Administration Console (jnbSA)
NetBackup 7.7 master servers, media servers, and clients
28

OpsCenter 7.7 servers

7.7 hotfix installation files
Table A-2
Operating
System
Installation files
Java consoles:
Windows x64
NB_7.7_ET3864872_1.zip
Readme file
NB_7_7_ET3864872_1.README
NetBackup:
HP-IA64
NB_7.7_ET3864869_1.zip
AIX
Solaris 10 x86/x64 eebinstaller.3864869.1.solaris_x86_10_64

Solaris 10 SPARC eebinstaller.3864869.1.solaris10
RedHat Enterprise eebinstaller.3864869.1.zlinuxR_2.6.18
zLinux
SuSE Linux
Enterprise
x64 RedHat
Enterprise Linux
SuSE zLinux
Windows x64
Windows x86
eebinstaller.3864869.1.x86.exe
Mac OS
eebinstaller.3864869.1.macosx10_8
FreeBSD
eebinstaller.3864869.1.freebsd9.2
Readme file
OpsCenter:
Windows x64
OpsCenter_windows_AMD64_77EEB_ET3864871_1.zip
NB_7.7_ET3864871_1.zip
x64 RedHat
Enterprise Linux
OpsCenter_LinuxR_x86_x86_64_77EEB_ET3864871_1.tar.gz
x64 SuSE
Enterprise Linux
OpsCenter_LinuxS_x86_x86_64_77EEB_ET3864871_1.tar.gz
Readme file
29

NetBackup and OpsCenter 7.6.1.2, NetBackup

appliance 2.6.1.2
the following:
NetBackup 7.6.1.2 Java consoles: Remote Administration Console and

NetBackup Administration Console (jnbSA)
NetBackup 7.6.1.2 master servers, media servers, and clients
OpsCenter 7.6.1.2 servers
NetBackup Appliance 2.6.1.2
Table A-3
7.6.1.2 hotfix installation files
Operating
System
Installation files
Java consoles:
Windows x64
eebinstaller.3865356.1.AMD64
NB_7.6.1.2_ET3865356_1.zip
Readme file
NB_7_6_1_2_ET3865356_1.README
NetBackup:
Windows x64
NB_7.6.1.2_ET3865353_1.zip
FreeBSD
HP-UX Itanium
RedHat/Debian
SuSE x64
MacOS
Solaris SPARC
Solaris x64
Windows x86
IBMZ Redhat
IBMZ SuSE
Readme file
NB_7_6_1_2_ET3865353_1.README
30

Table A-3
7.6.1.2 hotfix installation files (continued)
Operating
System
Installation files
OpsCenter:
RedHat x64
OpsCenter_LinuxR_x86_x86_64_7612EEB_
ET3865355_1.tar.gz
SuSE x64
OpsCenter_LinuxS_x86_x86_64_7612EEB_
ET3865355_1.tar.gz
Solaris x86_64
OpsCenter_SunOS_i386_7612EEB_
ET3865355_1.tar.gz
Solaris SPARC
OpsCenter_SunOS_sparc_7612EEB_
ET3865355_1.tar.gz
Windows x64
OpsCenter_windows_AMD64_7612EEB_
ET3865355_1.zip
Readme file
NB_7_6_1_2_ET3865355_1.README
Appliance
NB_7.6.1.2_ET3865355_1.zip
Appliance:
SYMC_NBAPP_EEB_ET3865353
-2.6.1.2-1.x86_64.rpm

appliance 2.6.0.4
the following:

NetBackup Appliance 2.6.0.4
31

Table A-4
Operating
System
Installation files
Java consoles:
Windows x64
eebinstaller.3865361.1.AMD64
NB_7.6.0.4_ET3865361_1.zip
Readme file
NB_7_6_0_4_ET3865361_1.README
NetBackup:
Windows x64
NB_7.6.0.4_ET3865357_1.zip
FreeBSD
HP-UX PA-RISC
eebinstaller.3865357.1.hp11.11
HP-UX Itanium
RedHat/Debian
SuSE x64
MacOS
IBM POWERPC
RedHat
eebinstaller.3865357.1.plinuxR_2.6
IBM POWERPC
SuSE
eebinstaller.3865357.1.plinuxS_2.6
AIX
Solaris SPARC
Solaris x64
Windows x86
IBMZ Redhat
IBMZ SuSE
Readme file
NB_7_6_0_4_ET3865357_1.README
32

Table A-4
Operating
System
Installation files
OpsCenter:
RedHat x64
ET3865360_1.tar.gz
SuSE x64
ET3865360_1.tar.gz
Solaris x86_64
ET3865360_1.tar.gz
Solaris sparc
ET3865360_1.tar.gz
Windows x64
ET3865360_1.zip
Readme file
NB_7_6_0_4_ET3865360_1.README
Appliance
NB_7.6.0.4_ET3865360_1.zip
Appliance:
SYMC_NBAPP_EEB_ET3865357
-2.6.0.4-1.x86_64.rpm
Note: Veritas does not recommend that you uninstall

the hotfix. If, however, that is necessary, additional steps
are required for the 2.6.0.4 appliance. More information
is available.

appliance 2.5.4
the following:

NetBackup Appliance 2.5.4
33

Table A-5
Operating
System
Installation files
Java consoles:
Windows x64
NB_7.5.0.7_ET3865365_1.zip
Windows x86
Readme file
NB_7_5_0_7_ET3865365_1.README
NetBackup:
Windows x64
NB_7.5.0.7_ET3865362_1.zip
FreeBSD
HP-UX PA-RISC
eebinstaller.3865362.1.hp11.11
HP-UX Itanium
RedHat Itanium
eebinstaller.3865362.1.linuxR_ia64_2.6
RedHat/Debian
SuSE Itanium
eebinstaller.3865362.1.linuxS_ia64_2.6
SuSE x64
Mac OS
IBM POWERPC
RedHat
eebinstaller.3865362.1.plinuxR_2.6
IBM POWERPC
SuSE
eebinstaller.3865362.1.plinuxS_2.6
AIX
Solaris 10
Solaris 9
Solaris x64
Windows x86
IBMZ Redhat
IBMZ SuSE
Readme file
NB_7_5_0_7_ET3865362_1.README
34

Table A-5
Operating
System
Installation files
OpsCenter:
AIX
OpsCenter_AIX_powerpc_7507EEB_
ET3865364_1.tar.gz
HP-UX
OpsCenter_HP-UX_ia64_7507EEB_
ET3865364_1.tar.gz
RedHat
ET3865364_1.tar.gz
SuSE
ET3865364_1.tar.gz
Solaris x86_64
ET3865364_1.tar.gz
Solaris SPARC
ET3865364_1.tar.gz
Windows x64
ET3865364_1.zip
Windows x86
OpsCenter_windows_x86_7507EEB_ET3865364_1.zip
Readme file
NB_7_5_0_7_ET3865364_1.README
Appliance
NB_7.5.0.7_ET3865364_1.zip
Appliance:
SYMC_NBAPP_EEB_ET38653622.5.4.0-1.x86_64.rpm
35

Veritas NetBackup Hotfix Guide

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Veritas NetBackup Hotfix Guide

Uploaded by

Copyright:

Available Formats

Veritas NetBackup Hotfix

For NetBackup Appliance versions

Veritas NetBackup Hotfix Guide

About the NetBackup hotfix .............................................................. 5

Installing and configuring NetBackup

Deploying security certificates ....................................... 17

Hotfix download lists ......................................................... 27

About the NetBackup hotfix

For additional hotfix information

About the NetBackup hotfix

Install the NetBackup hotfix on NetBackup master servers, media servers,

Deploy security certificates on the NetBackup hosts for successful Change

For additional hotfix information

Installing and configuring

Overview of the installation process

NetBackup, OpsCenter, and appliance patch versions

Hotfix installation progression

Installing the hotfix on OpsCenter

Installing the hotfix on a NetBackup appliance

Operational differences once the hotfix is installed

Overview of the installation process

Installing and configuring NetBackup hotfixes

Hotfix application process

Determine what patches must be

See NetBackup, OpsCenter, and

Install NetBackup patches as

Install the hotfix to the NetBackup

Perform all required post-installation

Provision a security certificate for each See Deploying a security certificate on

See Post-installation procedures

NetBackup, OpsCenter, and appliance patch

Installing and configuring NetBackup hotfixes

Required patch version for hotfix

Required patch version for hotfix

Note: For 7.5.0.7 Microsoft Cluster Server environments, you must

All appliance 2.6

Installing and configuring NetBackup hotfixes

Required patch version for hotfix (continued)

Required patch version for hotfix

All NetBackup 7.6.1

All appliance 2.6.1

No hotfix is available for NetBackup 7.7.1. You must upgrade to

No patch is required. You can apply the appropriate hotfix directly

Hotfix installation progression

Installing and configuring NetBackup hotfixes

Computer role to upgrade

Upgrade all OpsCenter servers. More information is available.

Installing and configuring NetBackup hotfixes

Upgrade order based on computer role (continued)

Computer role to upgrade

On UNIX and Linux systems:

Start all NetBackup processes and services as follows:

On UNIX and Linux systems:

Confirm that the hotfix is applied correctly. More information is available.

Provision a certificate on every media server or client computer from steps

Installing and configuring NetBackup hotfixes

Upgrade order based on computer role (continued)

Computer role to upgrade

Upgrade all media servers. More information is available.

Upgrade all remaining clients. More information is available.

Installing the hotfix on NetBackup and the

Installing and configuring NetBackup hotfixes

On UNIX and Linux systems:

Uninstalling the hotfix