EMC NetWorker
Version 8.2 SP1
Security Configuration Guide
302-001-577 REV 02
Published February, 2015
EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.
The information in this publication is provided as is. EMC Corporation makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose. Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.
EMC², EMC, and the EMC logo are registered trademarks or trademarks of EMC Corporation in the United States and other countries. All other trademarks used herein are the property of their respective owners.
For the most up-to-date regulatory document for your product line, go to EMC Online Support (https://support.emc.com).
EMC Corporation
Hopkinton, Massachusetts 01748-9103
1-508-435-1000 In North America 1-866-464-7381 www.EMC.com
Contents
Figures ... 5
Tables ... 7
Preface ... 9
Chapter 1 Introduction ... 13
Chapter 2 Access Control Settings ... 15
  User authentication ... 16
  Configuring the NMC server and the default user ... 16
  Configuring the NetWorker server administrators list ... 17
  Configuring user access to NetWorker servers in NMC ... 17
  User authorization ... 38
  NMC server authorization ... 38
  Server authorization ... 39
  Troubleshooting authorization errors and NetWorker server access issues ... 50
  Component access control ... 51
  Component authentication ... 51
  Component authorization ... 67
Chapter 3 Log Settings ... 71
  NetWorker log files ... 72
  View log files ... 76
  Rendering a raw file manually ... 76
  Rendering raw log files at runtime ... 78
  Raw log file management ... 79
  Managing raw log file size for the daemon.raw, networkr.raw, and gstd.raw files ... 81
  Monitoring changes to the NetWorker server resources ... 82
  Configuring logging levels ... 83
  Setting the debug level for NetWorker daemons ... 83
  Run scheduled backups in debug mode ... 87
  Running client-initiated backups in debug mode from command line ... 88
  Run Recoveries in debug mode ... 88
Chapter 4 Communication Security Settings ... 93
  Port usage and firewall support ... 94
  Service ports ... 94
  Connection ports ... 94
  Special considerations for firewall environments ... 94
  Configuring TCP keep alives at the operating system level ... 95
  Determining service port requirements ... 97
  NetWorker client service port requirements ... 97
  Service port requirements for NetWorker storage nodes ... 98
  Service port requirements for the NetWorker server ... 99
  Service port requirements for NMC Server ... 100
  Configuring service port ranges in NetWorker ... 101
  Determine the available port numbers ... 101
  Configuring the port ranges in NetWorker ... 101
  Configuring the service ports on the firewall ... 104
  How to confirm the NMC server service ports ... 107
  Determining service port requirement examples ... 107
  Troubleshooting ... 112
Chapter 5 Data Security Settings ... 115
  Encrypting backup data ... 116
  Modifying the lockbox resource ... 116
  Defining the AES pass phrase ... 117
  Configuring the client resource to use AES encryption ... 117
  Configure encryption for a client-initiated backup ... 118
  Recover encrypted data ... 119
  Federal Information Processing Standard Compliance ... 120
  Data integrity ... 122
  Verifying the integrity of the backup data ... 122
  Verifying the integrity of the NetWorker server media data and client file indexes ... 124
  Data erasure ... 125
  NetWorker server media database and index data management ... 125
  Manually erasing data on tape and VTL volumes ... 126
  Manually erasing data from an AFTD ... 126
  Security alert system settings ... 127
  Monitoring changes to NetWorker server resources ... 127
  Security audit logging ... 127
Index ... 141
EMC NetWorker8.2 SP1 Security Configuration Guide 3
Figures
1 LDAP User Container ... 27
2 LDAP Group Container ... 27
3 Manage Authentication Authorities values for an LDAP configuration ... 28
4 ADSI Edit for User Container ... 28
5 ADSI Edit Group Container ... 30
6 Manage Authentication Authorities values for AD configuration ... 31
7 Create user window ... 37
8 Uni-directional firewall with storage nodes ... 108
9 Uni-directional firewall with storage nodes ... 109
10 Bi-directional firewall with Data Domain appliance ... 110
11 The audit log server manages a single data zone ... 129
12 The NMC server is the audit log server for multiple data zones ... 130
13 Each NetWorker server in a data zone is the audit log server ... 131
14 Security Audit Log resource ... 139
Tables
1 Revision history ... 9
2 Authority configuration parameters ... 23
3 Hierarchy errors in the Configure Login Authentication wizard ... 32
4 NMC user roles and associated privileges ... 38
5 Operations allowed for each NetWorker privilege ... 41
6 Privileges associated with each NetWorker User Group ... 45
7 NetWorker log files ... 72
8 Raw log file attributes that manage log file size ... 80
9 Raw log file attributes that manage the log file trimming mechanism ... 80
10 Setting TCP parameters for each operating system ... 95
11 Standard NetWorker Client port requirements to NetWorker server ... 97
12 Additional service port requirements for Snapshot clients ... 98
13 Service port requirements for storage nodes ... 98
14 NetWorker server program port requirements ... 99
15 Port requirements to NMC server to each NetWorker client ... 101
16 nsrports options ... 103
17 Port requirements for NetWorker communications with third-party applications ... 104
18 NetWorker supported platforms that contain RSA BSAFE FIPS compliant encryption technologies ... 121
19 Levels available for the nsrck process ... 124
20 Security event resources and attributes ... 131
21 Security audit log interoperability matrix ... 134
22 Auditlog rendered service attributes ... 138
As part of an effort to improve its product lines, EMC periodically releases revisions of its software and hardware. Therefore, some functions described in this document might not be supported by all versions of the software or hardware currently in use. The product release notes provide the most up-to-date information on product features.
Contact your EMC technical support professional if a product does not function properly or does not function as described in this document.
Note
This document was accurate at publication time. Go to EMC Online Support (https://support.emc.com) to ensure that you are using the latest version of this document.
Purpose
This document provides an overview of security settings available in the NetWorker product.
Audience
This document is part of the EMC NetWorker documentation set, and is intended for use by system administrators who are responsible for setting up and maintaining NetWorker and managing a secure network.
Revision history
The following table presents the revision history of this document.
Table 1 Revision history
Revision Date Description
01 Jan 28, 2015 First release of this document for EMC NetWorker 8.2 SP1.
02 Feb 20, 2015 Updated the Access Control chapter to include information about how to change the NMC database connection credentials that previously appeared in the EMC NetWorker Administration Guide.
Related documentation
The NetWorker documentation set includes the following publications:
• EMC NetWorker Online Software Compatibility Guide
Provides a list of client, server, and storage node operating systems supported by the EMC information protection software versions. You can access the Online Software Compatibility Guide on the EMC Online Support site at https://support.emc.com.
From the Support by Product pages, search for NetWorker using "Find a Product", and then select the Install, License, and Configure link.
• EMC NetWorker Administration Guide
Describes how to configure and maintain the NetWorker software.
• EMC NetWorker Cluster Installation Guide
Contains information related to configuring NetWorker software on cluster servers and clients.
• EMC NetWorker Installation Guide
Provides information on how to install, uninstall, and update the NetWorker software for clients, storage nodes, and servers on all supported operating systems.
• EMC NetWorker Updating from a Previous Release Guide
Describes how to update the NetWorker software from a previously installed release.
• EMC NetWorker Release Notes
Contains information on new features and changes, fixed problems, known limitations, environment and system requirements for the latest NetWorker software release.
• EMC NetWorker Avamar Devices Integration Guide
Provides planning and configuration information on the use of Avamar devices in a NetWorker environment.
• EMC NetWorker Command Reference Guide
Provides reference information for NetWorker commands and options.
• EMC NetWorker Data Domain Deduplication Devices Integration Guide
Provides planning and configuration information on the use of Data Domain devices for data deduplication backup and storage in a NetWorker environment.
• EMC NetWorker Error Message Guide
Provides information on common NetWorker error messages.
• EMC NetWorker Licensing Guide
Provides information about licensing NetWorker products and features.
• EMC NetWorker Management Console Online Help
Describes the day-to-day administration tasks performed in the NetWorker Management Console and the NetWorker Administration window. To view Help, click Help in the main menu.
• EMC NetWorker User Online Help
Describes how to use the NetWorker User program, the Windows client interface, to connect to a NetWorker server and back up, recover, archive, and retrieve files over a network.
Special notice conventions used in this document
EMC uses the following conventions for special notices:
NOTICE
Addresses practices not related to personal injury.
Note
Presents information that is important, but not hazard-related.
Typographical conventions
EMC uses the following type style conventions in this document:
Italic: Use for full titles of publications referenced in text
Monospace: Use for:
• System code
• System output, such as an error message or script
• Pathnames, file names, prompts, and syntax
• Commands and options
Monospace italic: Use for variables
Monospace bold: Use for user input
[ ]: Square brackets enclose optional values
|: Vertical bar indicates alternate selections; the bar means "or"
{ }: Braces enclose content that the user must specify, such as x or y or z
...: Ellipses indicate non-essential information omitted from the example
Where to get help
EMC support, product, and licensing information can be obtained as follows:
Product information
For documentation, release notes, software updates, or information about EMC products, go to EMC Online Support at https://support.emc.com.
Technical support
Go to EMC Online Support and click Service Center. You will see several options for contacting EMC Technical Support. Note that to open a service request, you must have a valid support agreement. Contact your EMC sales representative for details about obtaining a valid support agreement or with questions about your account.
Online communities
Visit EMC Community Network at https://community.emc.com for peer contacts, conversations, and content on product support and solutions. Interactively engage online with customers, partners, and certified professionals for all EMC products.
Your comments
Your suggestions will help us continue to improve the accuracy, organization, and overall quality of the user publications. Send your opinions of this document to
Introduction
EMC® NetWorker® is a heterogeneous backup application that addresses data protection challenges. The centralized management capabilities of NetWorker provide effective data protection for file systems, enterprise applications, storage arrays, and NAS filers to a variety of target devices.
This guide provides an overview of security configuration settings available in NetWorker, secure deployment, and physical security controls needed to ensure the secure operation of the product.
This guide is divided into the following sections:
Access Control Settings
Access control settings enable the protection of resources against unauthorized access. This chapter provides an overview of the settings available in the product to ensure secure operation of the product and describes how you can limit product access by end users or by external product components.
Log Settings
A log is a chronological record that helps you to examine the sequence of activities surrounding or leading up to an operation, procedure, or event in a security-related transaction from beginning to end. This chapter describes how to access and manage the log files available in NetWorker.
Communication Security Settings
Communication security settings enable the establishment of secure communication channels between NetWorker components, NetWorker components and external systems, and NetWorker components and external components. This chapter describes how to ensure NetWorker uses secure channels for communication and how to configure NetWorker in a firewall environment.
Data Security Settings
Data security settings enable you to define controls that prevent unauthorized access and disclosure of data permanently stored by NetWorker. This chapter describes the settings available to ensure the protection of the data handled by NetWorker.
Access Control Settings
Access control settings enable the protection of resources against unauthorized access.
This chapter describes settings you can use to limit access by end-user or by external product components.
• User authentication ... 16
• User authorization ... 38
• Component access control ... 51
User authentication
User authentication settings control the processes that the NetWorker Management Console (NMC) and the NetWorker software applications use to verify the identity claimed by a user and to determine the level of access allowed to the user.
When you use a web browser on a host (NMC client) to connect to the NMC server, the http daemon on the NMC server downloads the Java client to the NMC client. You do not require a secure http (https) connection because only the Java client transfers information and performs authentication between the NMC server and NMC client. The NMC server uses SSL to encrypt the username and password that you specify in the login window and authenticates the credentials. The first time an NMC client connects to the NMC server, the NMC server uses Native NMC-based authentication to authenticate the user credentials. After you connect to the NMC server for the first time, you can continue to use NMC-based authentication or you can configure access to the NMC server by using an external authentication authority, such as LDAP or AD.
If the NetWorker server and the NMC server are on different hosts, then ensure that the administrators list attribute on the NetWorker server includes the appropriate NMC user accounts before you connect to a NetWorker server. Configuring the administrator list on page 17 provides more information.
Configuring the NMC server and the default user
The NMC server has one default administrator account. When you use an NMC client to connect to the NMC server for the first time, the configuration wizard prompts you to set the password.
Before you begin
These steps assume that you have installed the NetWorker software and that you have met all of the software and hardware requirements on the computer that will access the NMC server. The EMC NetWorker Installation Guide on the EMC Online Support site provides more information.
Procedure
1. From a supported web browser, type the URL of the NMC server: http://server_name:http_service_port where:
• server_name is the name of the NMC server.
• http_service_port is the port for the embedded HTTP server. The default HTTP port is 9000.
For example: http://houston:9000
2. On the Welcome window, click Start.
3. On the Security Warning window, click Start to install and run NetWorker Console.
4. On the Licensing Agreement window, select Accept.
5. If you did not install the appropriate JRE version on the system, then a prompt to install JRE appears. Follow the onscreen instructions to install JRE.
6. On the Welcome to the Console Configuration Wizard window, click Next.
7. On the Set Administrator password window, type the NMC password, and click Next.
8. On the Set Database Backup Server window, specify the name of the NetWorker server that will back up the NMC server database, and then click Next.
9. On the Add NetWorker servers window, specify the names of the NetWorker servers that the NMC server will manage. When you specify more than one NetWorker server, add one name per line. Leave the default options Capture Events and Gather Reporting Data enabled.
• Enable the Capture Events option to allow the NMC server to monitor and record alerts for events that occur on the NetWorker server.
• Enable the Gather Reporting Data option to allow the NMC server to automatically collect data about the NetWorker server and generate reports. The NetWorker Administration Guide on the EMC Online Support site describes how to run reports and lists the reports that are available.
10. Click Finish.
Results
The Console window appears with a list of NetWorker servers.
Configuring the NetWorker server administrators list
The NetWorker server software provides administrator access by default to the root user on a Unix NetWorker server and members of the Windows Administrators group on a Windows NetWorker server. Administrator access gives a user all the NetWorker privileges required to change the configuration of a NetWorker server.
Before you begin
Log in to the NetWorker server as an administrator on Windows or as root on UNIX.
When the NMC server and the NetWorker server are on the same host, the NetWorker server install automatically adds the owner of the gstd process and the NMC administrator user to the administrators list of the NetWorker server. When the NMC server and the NetWorker server are on separate hosts, you must add the owner of the gstd process and the NMC administrator user to the administrators list on the NetWorker server.
Add the NMC administrator account to the Administrators list attribute to enable the NMC administrator user to administer and monitor the NetWorker server. The owner of the gstd process is the user that starts the gstd daemon on UNIX or the EMC GST service on Windows. By default, the process owner is the SYSTEM user on Windows and the root user on UNIX.
Procedure
1. From a command prompt, use the nsraddadmin command to add the gstd process owner to the NetWorker server Administrators list attribute.
On Windows, type: nsraddadmin -u "user=SYSTEM, host=NMC_host"
On UNIX, type: nsraddadmin -u "user=root, host=NMC_host"
2. Add the NMC administrator user to the Administrators list attribute on the NetWorker server: nsraddadmin -u "user=administrator, host=NMC_host"
where NMC_host is the NMC server hostname.
Configuring user access to NetWorker servers in NMC
The NMC server allows you to restrict or grant access to a NetWorker server based on the NMC username. Requests to NetWorker servers through the NetWorker Administration window always come from the NMC server. The privileges assigned to an NMC user on the NetWorker server are based on the entries present in the Users attribute of the User Group resources on the NetWorker server.
The NMC server controls how the NMC user accesses a managed NetWorker server. When you enable the User Authentication for NetWorker system option on the NMC server, you can grant and restrict NetWorker server access and privileges to individual NMC user accounts. When you disable the User Authentication for NetWorker option, access requests to a NetWorker server appear to come from the gstd process owner on the NMC server, and all NMC users that access the NetWorker server are granted the same access and privilege rights that are assigned to the gstd process owner account. The NMC server enables the User Authentication for NetWorker system option by default. When you enable the option, the NMC server software creates a separate network connection from the NMC server to a NetWorker server for each NMC user that has an Administration window open to that server. Additional network connections might require access to additional firewall service ports.
When you do not set the User Authentication for NetWorker system option, there is only one network connection from the NMC server to the managed NetWorker server.
NetWorker supports the use of Native NMC-based authentication or LDAP/AD authentication to restrict or grant access to the NMC server and NetWorker servers.
Modifying the User Authentication for NetWorker system option
Use these steps to define how the NMC server controls the user account that requests NetWorker server access.
Procedure
1. From the Console window, click Setup.
2. From the Setup menu, select System Options.
3. Set the User Authentication for NetWorker option.
• When enabled, the NMC username determines the level of user access to the NetWorker server.
• When disabled, the user ID of the gstd process owner determines the level of user access to the NetWorker server.
4. Click OK.
Configuring Native NMC-based authentication
Native NMC-based authentication uses a data store on the NMC server host to authenticate NMC users. The NMC server maintains the NMC user names and passwords.
When you log in to the NMC Console for the first time, the NMC configuration wizard creates the NMC administrator account.
Additional setup is not required to enable Native NMC-based authentication, but you can add new NMC user accounts, change Console role assignments, and manage existing NMC users.
Adding NMC users
Perform the following steps to add additional NMC users when the NMC server uses Native NMC login authentication.
Before you begin
Log in to the NMC server as a Console Security Administrator. The administrator account is a Console Security Administrator.
Procedure
1. From the Console window, click Setup.
2. In the left pane, right-click Users, then select New.
The Create User dialog box appears.
3. Enter a username.
The username cannot:
• Exceed 64 characters.
• Contain spaces or any of these characters: : < > /
• Contain characters with an ASCII value less than or equal to 32.
• Begin with an underscore (_) character.
4. Optionally, enter the full name of the user and a user description.
5. Select the Console user roles.
6. Enter the user password.
Ensure that you specify a password that meets the following requirements:
• Is a minimum of eight characters long
• Is not the same as the username
If you upgrade from a previous version of NetWorker that did not enforce these password requirements, NetWorker will enforce these requirements when you attempt to change the password.
7. In the Confirm Password attribute, re-enter the password.
8. Click OK.
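The username and password rules from steps 3 and 6 above, as an added checking function (example code, not NetWorker's own; the NMC server enforces these rules itself in the Create User dialog). It takes a proposed username and password and returns the rules they break, so a provisioning script can reject an account before it reaches the dialog; the sample accounts are constructed.

```python
"""Check a proposed NMC user account against the username and password rules
listed in the "Adding NMC users" procedure.

Added example: this is not NetWorker code. Each function returns the list of
rules that are violated, so an empty list means the value is acceptable.
"""
from __future__ import annotations

MAX_USERNAME_LENGTH = 64
# Characters the guide lists as not allowed in a username (besides spaces).
FORBIDDEN_USERNAME_CHARS = frozenset(":<>/")
MIN_PASSWORD_LENGTH = 8


def username_problems(username: str) -> list[str]:
    """Return every username rule from the guide that `username` violates."""
    problems: list[str] = []
    if len(username) > MAX_USERNAME_LENGTH:
        problems.append(f"exceeds {MAX_USERNAME_LENGTH} characters")
    if " " in username:
        problems.append("contains a space")
    forbidden = sorted(set(username) & FORBIDDEN_USERNAME_CHARS)
    if forbidden:
        problems.append("contains forbidden character(s): " + " ".join(forbidden))
    # Control characters have an ASCII value of 32 or less; the space (32) is
    # already reported above, so it is excluded here to avoid a duplicate entry.
    if any(ord(ch) <= 32 and ch != " " for ch in username):
        problems.append("contains a character with ASCII value <= 32")
    if username.startswith("_"):
        problems.append("begins with an underscore")
    return problems


def password_problems(username: str, password: str) -> list[str]:
    """Return every password rule from the guide that `password` violates."""
    problems: list[str] = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if password == username:
        problems.append("same as the username")
    return problems


def check_new_user(username: str, password: str) -> dict[str, list[str]]:
    """Check both values at once; the account is acceptable when both lists are empty."""
    return {
        "username": username_problems(username),
        "password": password_problems(username, password),
    }


if __name__ == "__main__":
    # Constructed sample accounts, not taken from any real NMC server.
    for user, pw in [("backup_admin", "Tape-L1brary!"), ("_svc", "_svc"), ("dom:user/x", "short")]:
        print(user, check_new_user(user, pw))
```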
Modifying NMC users
You can modify the password, descriptive information, and the roles of an existing NMC user account.
Before you begin
Log in to the NMC server as a Console Security Administrator. The administrator account is a Console Security Administrator.
Procedure
1. From the Console window, click Setup.
2. In the left pane, select Users.
3. Right-click the user and then select Properties.
4. On the Identification tab, modify the attributes as required.
Deleting an NMC user
This section describes how to remove NMC users. You cannot remove the administrator user.
Procedure
1. Log into the Console server as a Console Security Administrator.
The NMC user administrator is a Console Security Administrator.
2. From the Console window, click Setup.
3. In the left pane, select Users.
4. Right-click the user and then select Delete.
5. Click Yes to confirm the deletion.
If the user had saved customized reports, then a dialog box prompts for the username to which to reassign those reports. Otherwise, the reports can be deleted.
Resetting the NMC administrator password
Use the GST_RESET_PW environment variable to reset the password for the NMC administrator account.
Resetting the administrator password for an NMC server on Windows
Use the System applet in Control Panel to add the GST_RESET_PW variable and reset the administrator password.
Procedure
1. On the Advanced tab of the System applet, select Environment Variables.
2. Create a new System variable.
a. In the Variable Name field, specify GST_RESET_PW.
b. In the Variable value field, specify 1.
3. Restart the EMC GST Service.
When the EMC GST Service starts, the NMC server administrator password resets.
4. Use a web browser to connect to the NMC server. When prompted, type administrator in the username and password fields.
5. Return to the Environment Variables window in the System applet and remove the GST_RESET_PW environment variable.
This step prevents a password reset each time the EMC GST Service starts.
Resetting the administrator password for an NMC server on UNIX
Use the GST_RESET_PW environment variable to reset a lost or forgotten administrator password to the default value.
Before you begin
Perform the following steps as the root user.
Procedure
1. Set GST_RESET_PW to a non-null value by using the appropriate command for the shell.
For example, in the ksh shell, type the following command:
export GST_RESET_PW="non_null_value"
2. Use one of the following commands to stop the NMC server daemon:
• Solaris and Linux: /etc/init.d/gst stop
• AIX: /etc/rc.gst stop
3. Use one of the following commands to start the NMC server daemon:
• Solaris and Linux: /etc/init.d/gst start
• AIX: /etc/rc.gst start
When the EMC GST Service starts, the NMC server administrator password resets.
4. Use a web browser to connect to the NMC server. When prompted, type administrator in the username and password fields.
5. Set GST_RESET_PW back to null by using the appropriate command for the shell.
For example, in the ksh shell, type the following command:
export GST_RESET_PW=
This step prevents a password reset each time the EMC GST Service starts.
Changing database connection credentials
When the NMC server starts for the first time, it automatically generates the login credentials used to log into the NetWorker Console database. The NMC server stores this information internally and the user does not need to know the required credentials.
However, it may be necessary to force the NMC server to change the database connection credentials.
Procedure
1. Stop the GST Service.
2. Set the environment variable GST_RESET_DBPWD to any value.
On Windows systems, set this value as a System Variable, and then reboot the system after you set the variable.
3. Restart the GST Service.
4. Delete the GST_RESET_DBPWD environment variable. On Windows systems, reboot the machine after you delete the variable.
Configuring LDAP or AD authentication authorities
When you configure the NMC server to authenticate users by using an external authentication authority, you log in to the NMC server with user names and passwords that are maintained by a Lightweight Directory Access Protocol (LDAP) server, a Lightweight Directory Access Protocol over SSL (LDAPS) server, or a Microsoft Active Directory (AD) server.
You control user privileges by mapping LDAP or AD user roles or user names to NMC user roles. You do not manually add user names and passwords on the NMC server.
The NetWorker software automatically distributes the LDAP or AD configuration file from the NMC server to selected NetWorker servers. This automatically puts the managed NetWorker servers in LDAP or AD mode.
When an LDAP or AD user logs into the NMC server and connects to a NetWorker server:
• The NetWorker server performs a look-up to get the LDAP or AD group that the OS-authenticated user belongs to in the external authority. The NetWorker server does not authenticate the user against the LDAP authority.
• The privileges assigned to a user on the NetWorker server are based on the LDAP user or the group entries present in the External roles attribute of the User Group resource on the NetWorker server. User Group Management on page 46 provides more information about the User Group resource.
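How the authority parameters (User Search Path, User ID Attribute, User Object Class, Group Search Path, Group Object Class, Group Member Attribute, LDAP Timeout) fit together in that group look-up, as an added example that is not NetWorker's own code. The guide does not document the exact queries the NetWorker server issues, so this assumes a standard two-step LDAP search (find the user's entry under the User Search Path, then find the groups under the Group Search Path whose member attribute names that entry) and escapes the login name so that it cannot change the filter; the directory layout is constructed.

```python
"""Build the LDAP search filters that a two-step user-then-group look-up would
issue from the authority parameters described in this chapter.

Added example, not NetWorker code: the product's actual queries are not
documented here, so the two-step search below is an assumption. Parameter
names follow the authority configuration table; sample values are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass

MAX_TIMEOUT_MS = 2_000_000_000  # upper bound of the LDAP Timeout range in the guide


def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Without this, a login name such as j*)(uid=* would alter the meaning of the
    filter instead of being matched literally.
    """
    return "".join(f"\\{ord(ch):02x}" if ch in "\\*()\x00" else ch for ch in value)


def valid_timeout(timeout_ms: int) -> bool:
    """The guide allows 0 (never time out) through 2 000 000 000 milliseconds."""
    return 0 <= timeout_ms <= MAX_TIMEOUT_MS


def member_attribute_matches_class(group_object_class: str, group_member_attribute: str) -> bool:
    """Check the LDAP pairing the guide gives: groupOfNames lists members in
    member, groupOfUniqueNames in uniquemember. Any other class is accepted
    unchecked. A mismatch is a silent failure mode: the group search returns
    nothing and the user ends up with no NetWorker privileges."""
    expected = {"groupofnames": "member", "groupofuniquenames": "uniquemember"}
    want = expected.get(group_object_class.lower())
    return want is None or want == group_member_attribute.lower()


@dataclass(frozen=True)
class Authority:
    """The subset of authority parameters needed for the look-up."""
    user_search_path: str
    group_search_path: str
    user_object_class: str
    user_id_attribute: str = "uid"
    group_object_class: str = "groupOfUniqueNames"
    group_member_attribute: str = "uniquemember"
    timeout_ms: int = 30000

    def __post_init__(self) -> None:
        if not valid_timeout(self.timeout_ms):
            raise ValueError(f"LDAP Timeout out of range: {self.timeout_ms}")
        if not member_attribute_matches_class(self.group_object_class, self.group_member_attribute):
            raise ValueError(
                f"{self.group_object_class} groups are not listed by {self.group_member_attribute}"
            )

    def user_search(self, login: str) -> tuple[str, str]:
        """(base dn, filter) that locates the entry for the login name."""
        flt = (f"(&(objectClass={self.user_object_class})"
               f"({self.user_id_attribute}={ldap_filter_escape(login)}))")
        return self.user_search_path, flt

    def group_search(self, user_dn: str) -> tuple[str, str]:
        """(base dn, filter) that lists the groups naming the user's dn as a member."""
        flt = (f"(&(objectClass={self.group_object_class})"
               f"({self.group_member_attribute}={ldap_filter_escape(user_dn)}))")
        return self.group_search_path, flt


if __name__ == "__main__":
    # Constructed example directory layout.
    auth = Authority("ou=people,dc=example,dc=com", "ou=groups,dc=example,dc=com", "inetOrgPerson")
    print(auth.user_search("jdoe"))
    print(auth.group_search("uid=jdoe,ou=people,dc=example,dc=com"))
    print(auth.user_search("j*)(uid=*"))  # escaped, so it is matched literally
```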
Preparing the NMC server and NetWorker server for LDAPS
Before you configure the NMC and NetWorker servers to use LDAPS, ensure that a local copy of the CA Certificate, Client Certificate, and Client Key reside in the same file system path, on each NMC and NetWorker server.
Before you begin
Ensure that the LDAPS certificates use the PEM format.
When the operating system of the NMC server and any NetWorker server differs, perform the following steps to ensure that each host can successfully communicate with the LDAP server.
Procedure
1. Create a directory on the NMC server to store the certificate files:
• On a UNIX NMC server, create a subdirectory for the certificates in the NMC_installation_directory/cst directory. For example, on a Solaris NMC server, create a subdirectory called corpldap in the /opt/LGTOnmc/cst directory.
• On a UNIX NetWorker server, create a subdirectory for the certificates in the /opt/nsr/cst directory. For example, create a subdirectory called corpldap in the /opt/nsr/cst directory.
• On a Windows NMC server, create a subdirectory for the certificates in the NMC_installation_directory\cst directory. For example, create a subdirectory called corpldap in the C:\Program Files\EMC NetWorker\Management\GST\cst directory.
• On a Windows NetWorker server, create a subdirectory for the certificates in the NetWorker_installation_directory\cst directory. For example, create a subdirectory called corpldap in C:\Program Files\EMC NetWorker\nsr\cst.
2. Copy the CA Certificate to the new subdirectory on each host that will use LDAPS. If the LDAPS configuration requires a certificate from the client side, then copy the Client Certificate and Client Key to the new directory on each host.
3. Optionally, to secure the subdirectory, you can restrict access to the directory.
For a UNIX host, ensure that the root account on UNIX has access to the directory. For a Windows host, ensure that the Administrator and Local System accounts have access to the directory.
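The three steps above as an added helper (example code, not part of NetWorker): it creates the per-authority subdirectory under the host's cst directory, refuses files that are not in PEM format, copies the certificate files in, and restricts the directory and the client key to the owning account, which on UNIX is the root account the guide names. The cst path and the client file names are whatever the caller supplies; ca.cert is the name the guide uses, and the file bodies in the demo are constructed placeholders, not real certificates.

```python
"""Create and populate the per-authority LDAPS certificate subdirectory.

Added example, not NetWorker code. The caller supplies the host's cst directory
(for example /opt/nsr/cst on a UNIX NetWorker server) and the certificate files;
the authority name must match the Authority Name configured later in NMC.
"""
from __future__ import annotations
import os
import shutil
import stat
import tempfile
from pathlib import Path

PEM_MARKERS = (b"-----BEGIN CERTIFICATE-----", b"-----BEGIN PRIVATE KEY-----",
               b"-----BEGIN RSA PRIVATE KEY-----", b"-----BEGIN EC PRIVATE KEY-----")


def is_pem(path: Path) -> bool:
    """The guide requires PEM; check the armour header rather than the file extension."""
    with open(path, "rb") as fh:
        head = fh.read(4096)
    return any(marker in head for marker in PEM_MARKERS)


def valid_authority_name(name: str) -> bool:
    """The authority name doubles as a directory name, so it must be one plain path component."""
    return bool(name) and name not in (".", "..") and not any(
        ch in "/\\" or ord(ch) <= 32 for ch in name)


def prepare_ldaps_dir(cst_dir: Path, authority: str, ca_cert: Path,
                      client_cert: Path | None = None, client_key: Path | None = None) -> Path:
    """Create cst_dir/authority, copy the PEM files into it and lock down permissions."""
    if not valid_authority_name(authority):
        raise ValueError(f"invalid authority name: {authority!r}")
    if (client_cert is None) != (client_key is None):
        raise ValueError("a client certificate requires its client key, and vice versa")
    sources = [p for p in (ca_cert, client_cert, client_key) if p is not None]
    for src in sources:                      # validate before touching the file system
        if not is_pem(src):
            raise ValueError(f"{src} is not in PEM format")
    target = cst_dir / authority
    target.mkdir(parents=True, exist_ok=True)
    os.chmod(target, stat.S_IRWXU)           # owner only (root on UNIX)
    for src in sources:
        dst = target / src.name
        shutil.copyfile(src, dst)
        # Certificates are public material; the private key is not.
        if src is client_key:
            mode = stat.S_IRUSR | stat.S_IWUSR
        else:
            mode = stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH
        os.chmod(dst, mode)
    return target


def run_demo() -> dict:
    """Run the helper against constructed files in a temporary directory and report the result."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        # Constructed placeholder PEM files: armour headers only, no real certificate or key.
        ca = work / "ca.cert"
        ca.write_bytes(b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
        crt = work / "client.cert"
        crt.write_bytes(b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
        key = work / "client.key"
        key.write_bytes(b"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n")
        der = work / "ca.der"
        der.write_bytes(b"\x30\x82\x01\x00" + b"\x00" * 16)  # binary, DER-style header, not PEM

        target = prepare_ldaps_dir(work / "cst", "corpldap", ca, crt, key)
        try:
            prepare_ldaps_dir(work / "cst", "corpldap", der)
            der_rejected = False
        except ValueError:
            der_rejected = True

        def mode(p: Path) -> int:
            return stat.S_IMODE(os.stat(p).st_mode)

        return {
            "files": sorted(p.name for p in target.iterdir()),
            "dir_mode": mode(target),
            "key_mode": mode(target / "client.key"),
            "ca_mode": mode(target / "ca.cert"),
            "der_rejected": der_rejected,
            "bad_name_rejected": not valid_authority_name("../corpldap"),
        }


if __name__ == "__main__":
    print(run_demo())
```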
Configuring LDAP or AD authentication
After you connect to the Console server for the first time and configure the administrator account for Native NMC-based authentication, you can configure the NMC server to use LDAP, LDAPS, or AD authentication.
Before you begin
Log in to the NMC server with a user account that has the Console Security Administrator role. The NMC user administrator is assigned to the Console Security Administrator role, by default.
Procedure
1. From the Setup menu, select Configure Login Authentication.
2. On the Select Authentication Method window, select External Repository.
3. Click Add to add a new external authentication authority.
4. Define the LDAP attributes for your configuration in the Parameters section. The following table summarizes and defines each attribute.
Table 2 Authority configuration parameters

Authority Name
Parameter definition: Descriptive name for the LDAP or AD server.
Configuration information: Required. This is a user-defined field. If you configured the LDAPS certificate directories, ensure that the authority name matches the name of the subdirectory you created on the NMC server and the NetWorker server. For example, corpldap.

Provider Server Name
Parameter definition: Hostname or IP address of the LDAP or AD server.
Configuration information: Required. For LDAPS, ensure that you specify the hostname exactly as it appears in the ca.cert file. For example, if the ca.cert file contains the FQDN of the LDAPS server, you must specify the FQDN in the Provider Server Name field.

Distinguished Name
Parameter definition: The dn of an LDAP or AD account that you use to perform operations such as searching for users and groups in the LDAP or AD hierarchy.
Configuration information: Required. Specify an account on the LDAP or AD server that has full read access to the directory from which the AD or LDAP server accesses its data.

Password
Parameter definition: Password of the LDAP or AD account.
Configuration information: Required.

User Search Path
Parameter definition: The dn to use when searching for users on the LDAP or AD server.
Configuration information: Required.

Group Search Path
Parameter definition: The dn to use when searching for groups on the LDAP or AD server.
Configuration information: Required.

Group Name Attribute
Parameter definition: Identifies the LDAP or AD group name in the User Search Path dn.
Configuration information: Required. Default value: cn

LDAP Timeout (millisecond)
Parameter definition: The timeout for LDAP or AD calls.
Configuration information: Required. Range is 0 to 2 000 000 000 ms. A value of 0 indicates that calls will never time out. Default value: 30000

User ID Attribute
Parameter definition: The user ID associated with the users in the User Search Path dn.
Configuration information: Required. For LDAP, this attribute is usually uid. For AD, this attribute is usually cn. Default value: uid

User Object Class
Parameter definition: The object class that identifies users in the dn defined in the User Search Path.
Configuration information: Required.

Group Object Class
Parameter definition: The object class that identifies groups in the LDAP or AD hierarchy of the dn defined in the User Search Path.
Configuration information: Required. For LDAP, depending on the configuration, use groupOfNames or groupOfUniqueNames. For AD, use group. Default value: groupOfUniqueNames

Group Member Attribute
Parameter definition: The group membership of users in the dn that is defined in the User Search Path.
Configuration information: Required.
For LDAP:
l If the Group Object Class is groupOfNames, the attribute is usually member.
l If the Group Object Class is groupOfUniqueNames, the attribute is usually uniquemember.
For AD, the value is usually member.
The default value is uniquemember.
Note
NetWorker cannot validate the Group Member Attribute. Ensure that you specify the correct value in the Group Member Attribute field.

LDAP Debug level
Parameter definition: Level of debug messages to log in the gstd.raw file.
Configuration information: The default value is 0. Change this value to 1 for troubleshooting purposes only.

Protocol
Parameter definition: Communication protocol between the NetWorker server and the authentication server.
Configuration information: For LDAP or AD, select LDAP. For secure communications, select LDAPS.

Server Certificate (LDAPS only)
Parameter definition: The full path to the CA certificate on the NMC server.
Configuration information: Required for LDAPS. When the NMC server and NetWorker server are on different platforms, use a forward slash to specify the path. For example: C:/Program Files/EMC NetWorker/Management/GST/cst/corpldap/ca.cert

Client certificate (LDAPS only)
Parameter definition: The full path to the Client certificate on the NMC server.
Configuration information: Required for LDAPS when the LDAPS server requires a client certificate. When the NMC server and NetWorker server are on different platforms, use a forward slash to specify the path. For example: C:/Program Files/EMC NetWorker/Management/GST/cst/corpldap/client.cert

Client key (LDAPS only)
Parameter definition: The full path to the Client key on the NMC server.
Configuration information: Required for LDAPS when the LDAPS server requires a client certificate. When the NMC server is a Windows host, use a double backslash to specify the path. For example: C:/Program Files/EMC NetWorker/Management/GST/cst/corpldap/client.key

Port value
Parameter definition: Port number of the LDAP server.
Configuration information: Required. Default value: 389
5. Click Next.
Troubleshooting authentication errors on page 31 describes common error messages that might appear.
6. In the External Roles field, specify the LDAP or AD users and group to assign to the NMC Console Security Administrator role.
7. Click Next.
If you specify a user or group that is not valid on the LDAP or AD server, then the following message appears:
External role <user or group> is invalid
8. In the Distributed Authority Configuration File window, select the NetWorker servers that will use LDAP or AD. This will copy the LDAP configuration file from the NMC server to the NetWorker_install_path\nsr\cst directory on a Windows NetWorker server or the NetWorker_install_path/nsr/cst folder on a UNIX NetWorker server. The NMC server is selected by default.
9. Click Distribute.
If the value specified in the Distinguished Name field is not valid, then the following error message appears:
Failed to validate authority option. Error code: -8, message: Search for user name failed.
To resolve this issue, return to the Authority Configuration window, correct the value in the Distinguished Name field and attempt to distribute the authority configuration file again.
10. In the Monitor Distribution Progress window, review the progress of the configuration file distribution. Ensure that the authority configuration file distribution succeeds for all of the NetWorker servers.
11. Click OK.
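The rules that Table 2 states, as a pre-flight check to run on an authority definition before the file is distributed (added example, not EMC NetWorker code; the Authority dataclass and its field names are this example's own):

```python
"""Pre-flight checks for an NMC LDAP/AD authority definition (Table 2).

Added example, not EMC NetWorker code; the Authority field names are this
example's own. It applies the rules Table 2 states: required fields, timeout
range, the Group Object Class / Group Member Attribute pairing that NetWorker
cannot validate itself, forward-slash certificate paths, and an Authority Name
that matches the cst subdirectory holding the certificates.
"""
from __future__ import annotations

import posixpath
from dataclasses import dataclass

# Table 2: the membership attribute each group object class usually uses.
MEMBER_ATTR_FOR_CLASS = {
    "groupOfNames": "member",              # LDAP
    "groupOfUniqueNames": "uniquemember",  # LDAP, the default
    "group": "member",                     # Active Directory
}
MAX_TIMEOUT_MS = 2_000_000_000  # Table 2: range is 0 to 2 000 000 000 ms
REQUIRED_FIELDS = (
    "authority_name", "provider_server_name", "distinguished_name", "password",
    "user_search_path", "group_search_path", "group_name_attribute",
    "user_id_attribute", "user_object_class", "group_object_class",
    "group_member_attribute",
)


@dataclass
class Authority:
    """One entry of the Authority Configuration window, with Table 2 defaults."""
    authority_name: str = ""
    provider_server_name: str = ""
    distinguished_name: str = ""
    password: str = ""
    user_search_path: str = ""
    group_search_path: str = ""
    group_name_attribute: str = "cn"
    user_id_attribute: str = "uid"
    user_object_class: str = ""
    group_object_class: str = "groupOfUniqueNames"
    group_member_attribute: str = "uniquemember"
    ldap_timeout_ms: int = 30000
    protocol: str = "LDAP"  # "LDAP" or "LDAPS"
    port: int = 389
    server_certificate: str = ""
    client_certificate: str = ""
    client_key: str = ""


def _check_cert_path(label: str, path: str, authority_name: str) -> list[str]:
    """Forward slashes only, and the file sits in cst/<Authority Name>/."""
    problems = []
    if "\\" in path:
        problems.append(f"{label}: use forward slashes in the path, not backslashes")
        path = path.replace("\\", "/")
    if posixpath.basename(posixpath.dirname(path)) != authority_name:
        problems.append(f"{label}: not in a cst/{authority_name} subdirectory that matches the Authority Name")
    return problems


def check_authority(a: Authority) -> list[str]:
    """Return the problems found; an empty list means the entry is consistent."""
    problems: list[str] = []
    for name in REQUIRED_FIELDS:
        if not getattr(a, name).strip():
            problems.append(f"{name} is required")
    if not 0 <= a.ldap_timeout_ms <= MAX_TIMEOUT_MS:
        problems.append("ldap_timeout_ms must be between 0 and 2000000000")
    expected = MEMBER_ATTR_FOR_CLASS.get(a.group_object_class)
    if expected is None:
        problems.append(f"group_object_class {a.group_object_class!r} is not "
                        "groupOfNames, groupOfUniqueNames or group")
    elif a.group_member_attribute.lower() != expected:
        # This is the pairing NetWorker itself cannot validate (Table 2 note).
        problems.append(f"group_object_class {a.group_object_class} usually pairs with "
                        f"group_member_attribute {expected}, not {a.group_member_attribute}")
    if a.protocol == "LDAPS":
        if not a.server_certificate:
            problems.append("server_certificate is required for LDAPS")
        if bool(a.client_certificate) != bool(a.client_key):
            problems.append("client_certificate and client_key must be set together")
        for label, path in (("server_certificate", a.server_certificate),
                            ("client_certificate", a.client_certificate),
                            ("client_key", a.client_key)):
            if path:
                problems.extend(_check_cert_path(label, path, a.authority_name))
    elif a.protocol != "LDAP":
        problems.append("protocol must be LDAP or LDAPS")
    return problems
```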
Logging in to the NMC server after LDAP or AD configuration
The next time you use an NMC client to connect to the NMC server, you must specify the appropriate LDAP or AD user. If you cannot log in to the NMC server, then you can revert to Native NMC authentication mode and reconfigure AD/LDAP authentication.
The NetWorker Installation Guide provides more information.
Consider the following:
l When the wizard distributes the authority file, the process adds each LDAP and AD authenticated NMC user that has the NMC Console Security Administrator role to the Security Administrators User Group on each NetWorker server that the NMC server has the privilege to manage.
Note
Members of the Security Administrators User Group have permissions to modify the Audit Log server and User Group resources only. Modifying User Group privileges on page 47 describes how to add a manually created LDAP or AD user to a User Group on a NetWorker server.
l When an LDAP or AD user logs in to the NMC server for the first time, the NMC server automatically creates an NMC user account for the user and assigns the NMC user to the same NMC role as the LDAP or AD group.
l LDAP and AD authentication does not support the use of the administrator user name.
l The NMC server cannot perform LDAP and AD administrative functions. Perform LDAP and AD administrative functions such as creating new domain users and groups with the appropriate LDAP and AD tools.
l The External Roles field for the Security Administrator User Group is not populated until an LDAP or AD user logs in for the first time.
l Troubleshooting login errors on page 35 provides detailed information to troubleshoot common login error messages.
Example: Configuring an LDAP authority
In this example, a third-party LDAP management tool, LDAPAdmin, is used to view the properties of the LDAP configuration.
The following figure provides an example of the values required to specify the following attributes:
l Provider Server Name
l Distinguished Name
l User ID Attribute
l User Search Path — a combination of the AD Distinguished name and User Container name.
l User Object Class
Figure 1 LDAP User Container
The following figure provides an example of the values associated with the following LDAP group attributes:
l Group Search Path — a combination of the Distinguished Name and Group Container name.
l Group Member Attribute
l Group Object Class
Figure 2 LDAP Group Container
The following image provides an example of the Manage Authentication Authorities screen with configuration details related to an LDAP server installation specified in the attribute fields.
Figure 3 Manage Authentication Authorities values for an LDAP configuration
Example: Configuring an AD authority
In this example, the Active Directory Services Interfaces Editor (ADSI Edit) program is used to view the properties of the AD configuration.
The following image provides an example of the values required to specify the following attribute fields:
l Distinguished Name — a combination of the AD Distinguished name, User container, and User ID Attribute.
l User Search Path — a combination of the Distinguished name and User Container name.
l User Object Class
l User ID Attribute
Figure 4 ADSI Edit for User Container
The following figure provides an example of the values associated with the following AD group attributes:
l Provider Service Name
l Group Container
l Group Member Attribute
l Group Object Class
l Group Search Path — a combination of the Distinguished Name and Group Container name.
Figure 5 ADSI Edit Group Container
The following figure provides an example of the Manage Authentication Authorities screen with configuration details related to an AD server installation specified in the attribute fields.
Figure 6 Manage Authentication Authorities values for AD configuration
Troubleshooting authentication configuration error messages
This section provides a list of possible causes and resolutions for authentication configuration error messages.
Authority definition must specify external authority attribute name
Appears in the Configure Login Authentication wizard when the Authority Name field is blank.
LDAP bind failed due to invalid credentials
Appears in the Configure Login Authentication wizard when:
l The LDAP or AD user specified in Distinguished Name field is incorrect.
l The password specified for the LDAP or AD user is incorrect.
Failed to propagate external roles to NetWorker server
Appears when the distribution of the authority file fails for a NetWorker server because the NMC user used to distribute the file is not a member of the Application Administrators User Group on the NetWorker server.
To resolve this issue:
1. Close the Configure Login Authentication wizard.
2. Connect to the NetWorker server with a NMC user who is a member of the Security Administrators User Group.
3. Add the appropriate LDAP or AD group to the Application Administrators User Group.
4. Launch the Configure Login Authentication wizard and configure the new LDAP or AD authority.
No entry in hierarchy 'ou=orgname, dc=domain_component1, dc=domain_component2, dc=domain_component3 ...'
These error messages appear in the Configure Login Authentication window when the attribute value referenced in the error message is incorrect or the LDAP or AD authority cannot validate the attribute value. The following table describes the messages that appear and the attribute to correct.
Table 3 Hierarchy errors in the Configure Login Authentication wizard
Each message begins with "No entry in hierarchy 'ou=orgname, dc=domain_component1, dc=domain_component2, dc=domain_component3 ..." and continues with one of the following:
l ...belongs to user object class 'user_object_class': the value defined in the User Object Class attribute is not valid for the value defined in the User Search Path attribute.
l ...has a group name attribute 'groupname': the value defined in the Group Name Attribute field is not valid on the LDAP or AD server.
l ...has a user id attribute 'user_id': the value defined in the User ID Attribute field is not valid on the LDAP or AD server.
l ...belongs to object class 'group_object_class': the value defined in the Group Object Class field is not valid on the LDAP or AD server.
l ...has a group member attribute 'group_member_attribute': the value defined in the Group Member Attribute field is not valid on the LDAP or AD server.
User Search Path hierarchy 'ou=orgname,dc=domain_component1,dc=domain_component2,dc=domain_component3' does not exist or is empty
Appears in the Configure Login Authentication wizard when the value defined in the User Search Path attribute is not valid on the LDAP or AD server.
No ldap search path for usernames
Appears in the Configure Login Authentication wizard when the value defined in the User Search Path attribute is not valid on the LDAP or AD server.
Group Search Path hierarchy 'ou=orgname,dc=domain_component1,dc=domain_component2,dc=domain_component3' does not exist or is empty
Appears in the Configure Login Authentication wizard when the value defined in the Group Search Path attribute is not valid on the LDAP or AD server.
Error querying for user groups
Appears in the Configure Login Authentication wizard when the value defined in the Group Search Path attribute is not valid on the LDAP or AD server.
LDAP bind failed because the server is down
Appears in the Configure Login Authentication wizard when:
l The Port Number defined for the LDAP, LDAPS, or AD server is incorrect.
l The hostname specified in the Provider Server Name field is incorrect or the hostname is not resolvable.
l When the LDAPS server requires a certificate but the Server certificate file or Client certificate file field is empty.
networker_server (Permission denied, user 'LDAP_user' on 'NMC_server' does not have 'Configure NetWorker' OR 'Change Application Settings' privilege to configure this resource) - NSR
This error message appears in two scenarios:
l While distributing the authority configuration file to a new NetWorker server, the new NetWorker server cannot authenticate the LDAP user account.
To resolve this issue, configure the NMC server to use Native NMC-based
authentication and then reconfigure the LDAP or AD authorities and distribute them to all the required servers.
For example:
1. In the Distribute Authority Configuration File window, click Finish.
2. Start the Configure Login Authentication wizard again.
3. In the Select Authentication Method window, click Next.
4. Record the values in each attribute field for the configured LDAP or AD authorities, then click Back.
5. In the Select Authentication Method window, select Native NetWorker Management Console and click Next.
6. Select all servers with a status Requires Update and click Distribute.
7. Click Finish.
8. Start the Configure Login Authentication wizard again and recreate the LDAP or AD authority configuration.
l When an LDAP or AD user tries to modify the Server resource (NSR) on a NetWorker server but the user is not a member of the Application Administrators or the Security Administrators User Group.
To resolve this issue:
1. Close the NetWorker server and NMC server browser windows.
2. Log in to the NMC server with an LDAP or AD account that is a member of the Application Administrators or the Security Administrators User Group.
Failed to retrieve authentication control attributes from NetWorker server [NetWorker_server]
Appears when an LDAP or AD user that is not a member of the Security Administrators User Group on the NetWorker server attempts to distribute the authority configuration file to the NetWorker server.
To resolve this issue:
1. In the Distribute Authority Configuration File window, click Finish.
2. Close the NMC server browser window.
3. Log in to the NMC server with an LDAP or AD user that is a member of the Security Administrators User Group on the NetWorker server. LDAP or AD users that have the Console Security Administrator role on the NMC server are a member of the Security Administrators User Group on the NetWorker server by default.
Note
Members of the Security Administrators User Group on a NetWorker server only have permissions to modify the Security Audit Log server and User Group resources.
Modifying User Group privileges on page 47 describes how to modify the User Group membership on a NetWorker server.
Could not validate external authority. Failed to get status of file (clientCertificate) 'full_path_to_client_certificate': No such file or directory. Provide valid path or copy the certificates/key to the specified path
This message appears when the wizard attempts to distribute the authority configuration file to the NetWorker server, but the paths that you specified to the certificate files are incorrect.
To resolve this issue:
1. In the Distribute Authority Configuration File window, click Finish.
2. Start the Configure Login Authentication wizard again.
3. In the Select Authentication Method window, click Next.
4. Correct the pathnames in the certificate fields and retry the distribution.
Note
For Windows paths, use a forward slash (/) in the path. For example, c:/my_ldap_server.
NSR Could not validate external authority LDAP bind failed because the server is down
This message appears when there is an issue with the LDAPS certificate.
To troubleshoot LDAPS certificate issues, use the openssl program. By default, a Windows host does not include the openssl program. http://www.openssl.org describes how to obtain an openssl program from a third party provider.
1. Confirm that you can establish an SSL connection to the LDAPS server using the local copy of the certificate files:
openssl s_client -connect ldaps_server_name:ssl_port -CAfile full_path_to_server_certificate -cert full_path_to_client_certificate -key full_path_to_client_key_file
where:
l full_path_to_server_certificate is the full path to the Server Certificate file on the local host. If the environment has a hierarchy of CA authorities, then specify the root CA or the certificate file that contains all CA authority certificates.
l full_path_to_client_certificate specifies the full path to the Client Certificate file on the local host. This option is only required when LDAPS requires a client certificate.
l full_path_to_client_key_file specifies the full path to the Client Key file on the local host. This option is only required when LDAPS requires a client key.
For example, the LDAPS server myldaps.emc.com requires a CA certificate only. The certificate file, ca.cert, resides in the cst directory of an NMC server on Windows. In this example, type the following command:
openssl s_client -connect myldaps.emc.com:636 -CAfile "C:\Program Files\EMC NetWorker\Management\GST\cst\ca.cert"
Note
When the connection succeeds, the command returns the message:
Verify return code: 0 (ok)
For example, the LDAPS server myldaps.emc.com requires a Client Certificate and a Client Key. The certificate files and the key file reside in the cst directory of an NMC server on Windows. In this example, type the following command:
openssl s_client -connect myldaps.emc.com:636 -CAfile "C:\Program Files\EMC NetWorker\Management\GST\cst\ca.cert" -cert "C:\Program Files\EMC NetWorker\Management\GST\cst\client.cert" -key "C:\Program Files\EMC NetWorker\Management\GST\cst\client.key"
Note
When the connection succeeds, the command returns the message:
Verify return code: 0 (ok)
2. If the connection does not succeed, contact the LDAPS administrator to request new copies of the certificate files. To manually copy the CA certificate file from the LDAP server, perform the following steps:
a. Connect to the LDAPS server to display the Server Certificate (ca.cert) file:
openssl s_client -showcerts -connect ldaps_server_name:ssl_port
Note
The openssl command may display two certificates. The second certificate is usually the CA certificate.
b. Ensure that the certificate you receive matches the CA certificate on the LDAPS server.
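The same checks as the openssl commands above, scripted so the result can be tested repeatedly (added example, not EMC NetWorker code; the function names and the sample -showcerts text are this example's own constructions):

```python
"""LDAPS certificate check mirroring the openssl s_client commands above.

Added example, not EMC NetWorker code; function names are this example's own.
check_ldaps() handshakes with the local CA certificate (plus client certificate
and key when the LDAPS server requires them) and reports the equivalent of
"Verify return code: 0 (ok)". split_pem_chain() and ca_candidate() parse saved
"openssl s_client -showcerts" output, where the second certificate is usually
the CA, so it can be compared with the copy in the cst directory (step 2b).
"""
from __future__ import annotations

import base64
import hashlib
import socket
import ssl

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def check_ldaps(host: str, port: int, cafile: str, certfile: str | None = None,
                keyfile: str | None = None, timeout: float = 10.0) -> dict:
    """Return {'ok': bool, 'reason': str, 'subject': dict} for host:port."""
    try:  # a wrong path surfaces here, like the "No such file or directory" error
        ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname
        if certfile:
            ctx.load_cert_chain(certfile, keyfile)
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "reason": f"cannot load certificate files: {exc}", "subject": {}}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                subject = {k: v for rdn in tls.getpeercert().get("subject", ())
                           for k, v in rdn}
                return {"ok": True, "reason": "Verify return code: 0 (ok)", "subject": subject}
    except ssl.SSLCertVerificationError as exc:
        # e.g. "Hostname mismatch" (fix Provider Server Name) or "unable to get
        # local issuer certificate" (wrong or incomplete ca.cert)
        return {"ok": False, "reason": f"verify failed: {exc.verify_message}", "subject": {}}
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "reason": f"connection failed: {exc}", "subject": {}}


def split_pem_chain(text: str) -> list[str]:
    """Return every PEM certificate block, in order, from -showcerts output."""
    certs: list[str] = []
    current: list[str] | None = None
    for line in (ln.strip() for ln in text.splitlines()):
        if line == PEM_BEGIN:
            current = [line]
        elif line == PEM_END and current is not None:
            certs.append("\n".join(current + [line]) + "\n")
            current = None
        elif current is not None:
            current.append(line)
    return certs


def fingerprint_sha256(pem: str) -> str:
    """SHA-256 of the DER bytes, as 'openssl x509 -fingerprint -sha256' prints."""
    body = "".join(ln for ln in pem.splitlines() if ln and not ln.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()


def ca_candidate(showcerts_output: str) -> str | None:
    """The CA certificate is usually the second one shown; None if absent."""
    chain = split_pem_chain(showcerts_output)
    return chain[1] if len(chain) > 1 else None


def matches_local_copy(showcerts_output: str, local_ca_pem: str) -> bool:
    """Step 2b: does the CA certificate the server sends match the cst copy?"""
    candidate = ca_candidate(showcerts_output)
    return candidate is not None and \
        fingerprint_sha256(candidate) == fingerprint_sha256(local_ca_pem)


def constructed_pem(stand_in: bytes) -> str:
    """PEM-shaped block around constructed bytes; not a real certificate."""
    return f"{PEM_BEGIN}\n{base64.b64encode(stand_in).decode()}\n{PEM_END}\n"


# Constructed stand-in for "openssl s_client -showcerts" output (not real output).
SAMPLE_SHOWCERTS = (
    "CONNECTED(00000003)\n---\nCertificate chain\n"
    " 0 s:/CN=myldaps.example.test\n   i:/CN=Example Corp CA\n"
    + constructed_pem(b"server certificate stand-in")
    + " 1 s:/CN=Example Corp CA\n   i:/CN=Example Corp CA\n"
    + constructed_pem(b"ca certificate stand-in")
    + "---\nVerify return code: 0 (ok)\n"
)
```

Run check_ldaps() with the Provider Server Name, port and certificate paths from the authority definition; a "verify failed" reason names the same cause the openssl verify return code would.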
Troubleshooting login errors
This section provides a list of possible causes and resolutions for NMC login error messages.
You do not have privileges to use NetWorker Management Console
Appears when a valid LDAP or AD account tries to log in to the NMC server, but the account does not exist on the NMC server or is not assigned a Console role.
To resolve this issue, create the LDAP or AD account manually and try to log in again.
Adding LDAP or AD users to the NMC server manually on page 37 describes how to create LDAP and AD user accounts manually.
Could not authenticate this user name and password, try again
Appears when you attempt to log into the NMC server with:
l An unrecognized username or an incorrect password. To resolve this issue, use the correct user name and password combination for the configured NMC server authentication method.
l An AD user that has the option User must change password at next login enabled. To resolve this issue, change the password before attempting to log in to the NMC server.
The specified user name is restricted and cannot be used to log into the system
Appears when you use the Administrator username to log in to the NMC server and the NMC server authentication is LDAP or AD. An NMC server that uses AD or LDAP authentication does not support the Administrator username.
To resolve this issue, log in to the NMC server with a different LDAP or AD username.
Manage LDAP and AD users in NMC
Use the NMC Console to manually add, delete, and manage LDAP and AD users.
Add LDAP and AD users and groups to the NMC server
You can add new LDAP and AD users and groups to the NMC server manually or by using the Configure Login Authentication wizard.
Adding LDAP or AD users by using the Configure Login Authentication Wizard
Use this method to add LDAP and AD users that require membership to the Security Administrator User Groups on all of the managed NetWorker servers.
Before you begin
Log in to the NMC server with a user that has the Console Security Administrator role.
The Configure Login Authentication wizard automatically assigns the new LDAP or AD users and groups to:
l The Console Security Administrators role on the NMC server.
l The Security Administrators User Group on each managed NetWorker server.
Procedure
1. From the Console window, click Setup.
2. From the Setup menu, select Configure Login Authentication.
3. In the Select Authentication Method window, select External Repository.
4. Select the appropriate LDAP or AD Authority Name and click Next.
5. In the External Roles field, specify the new LDAP or AD users and groups and click Next.
6. In the Distribute Authority Configuration window, select the NetWorker servers that have the Requires Update status and click Distribute.
7. In the Monitor Distribution Progress window, review the progress of the configuration file distribution. Ensure that the configuration file distribution succeeds for all NetWorker servers.
8. Log out of the NMC server and log in with a user account in the new group.
Troubleshooting LDAP and AD login errors on page 35 describes how to troubleshoot login errors.
Note
Members of the Security Administrators group have permission to modify the Security Audit Log server and User Group resources only. Modifying User Group privileges on page 47 describes how to add a manually created LDAP or AD user to a User Group on a NetWorker server.
Adding LDAP or AD users to the NMC server manually
Use this method to add LDAP or AD users to manage the NMC server, but restrict NetWorker server access.
Before you begin
Log into the NMC server with a user that has the Console Security Administrator role.
Procedure
1. On the Console window, click Setup.
2. In the left pane, right-click Users, then select New.
3. In the User Name attribute, enter the LDAP or AD username.
4. Optionally, enter the full name of the LDAP or AD user and a general description in the remaining attributes.
5. Click OK.
The following image provides an example of the Create User window.
Figure 7 Create user window
Note
When you manually assign a user or group to the Console Security Administrator role, the NMC server does not automatically assign the user to the Security Administrators User Group on the managed NetWorker servers. Modifying User Group privileges on page 47 describes how to add a manually created LDAP or AD user to a User Group on a NetWorker server.
Modifying an LDAP or AD NMC user
After you create an LDAP or AD user and assign it to an NMC console role, you can modify the descriptive information about the user in the NMC console.
Before you begin
Log in to the NMC server as a Console Security Administrator. The administrator account is a Console Security Administrator.
Procedure
1. From the Console window, click Setup.
2. In the left pane, select Users.
3. Right-click the user and select Properties.
4. On the Identity tab, modify the attributes as required.
5. Click OK.
Deleting an LDAP or AD NMC user
After you create an LDAP or AD user and assign NMC console roles to the user, you can delete the user in the NMC console.
Before you begin
Log in to the NMC server as a Console Security Administrator. The administrator account is a Console Security Administrator.
Procedure
1. From the Console window, click Setup.
2. In the left pane, click Users.
3. Right-click a username and select Delete.
4. Click Yes to confirm the deletion.
5. If the user saved customized reports, then a dialog box prompts for the username to which to reassign those reports. Otherwise, delete the reports.
6. If required, remove the user from the LDAP user role on the LDAP server and any NetWorker User Groups.
User authorization
User authorization settings control rights or permissions that are granted to a user and enable access to a resource managed by NetWorker.
NMC server authorization
The user that you use to connect to the NMC server determines the level of access to the NMC server.
The Console server restricts user privileges based on three authorization roles. You cannot delete the roles or change the privileges assigned to each role.
Table 4 NMC user roles and associated privileges
Console Security Administrator
l Add, delete, and modify NMC Users.
l Configure login authentication such as configuring the NMC server to:
n Use LDAP authentication instead of Native NMC authentication.
n Use Native NMC authentication instead of LDAP authentication.
l Control user access to managed applications, such as a NetWorker server.
Console Application Administrator
l Configure Console system options.
l Set retention policies for reports.
l View custom reports.
l Specify the NetWorker server to back up the NMC database.
l Specify a NetWorker License Manager server.
l Run the Console Configuration wizard.
l All tasks available to a Console User role.
Console User
All tasks except for those tasks explicitly mentioned for the Console Security Administrator and the Console Application Administrator. Tasks include:
l Add and delete hosts and folders.
l Add and delete Managed applications for NetWorker, Data Domain, and Avamar.
l Create and delete their own reports.
l Set features for Managed Applications.
l Manage a NetWorker server with the appropriate privilege levels.
l Dismiss events.
By default, the NMC server adds users who are members of the Console Security Administrators to the preconfigured Security Administrators user group on each NetWorker server that the Console server manages. Members of the Security Administrators user group only have privileges to modify the Security Audit Log server and User Groups resources that the Console server can manage. User Group privileges on page 41 summarizes the privileges assigned to users in each User Group.
Server authorization
The NetWorker server provides a mechanism to authorize users that perform operations from a command prompt and from the NMC GUI.
Modifying an admin list by using NMC
The NetWorker server software provides administrator access by default to the root user on a UNIX NetWorker server and members of the Windows Administrators group on a Windows NetWorker server. Administrator access gives a user all the NetWorker privileges required to change the configuration of a NetWorker server. NetWorker stores the administrator list in the NSR resource on the NetWorker server. Modify the administrators list by using the NMC console.
Server authorization 39