SYNOPSIS
/usr/openv/netbackup/bin/bpnbat [-AddDomain | -RemoveDomain] Private_Domain
/usr/openv/netbackup/bin/bpnbat [-AddMachine]
/usr/openv/netbackup/bin/bpnbat [-AddUser | -RemoveUser] Name Private_Domain
/usr/openv/netbackup/bin/bpnbat -Execute [-cf credential_file] command
/usr/openv/netbackup/bin/bpnbat -GetBrokerCert Broker_Name Broker_Port
/usr/openv/netbackup/bin/bpnbat -Login -Info credential_file [-cf credential_file]
/usr/openv/netbackup/bin/bpnbat -LoginMachine
/usr/openv/netbackup/bin/bpnbat -Logout [-cf credential_file]
/usr/openv/netbackup/bin/bpnbat -RemoveBrokerCert server.name.com
/usr/openv/netbackup/bin/bpnbat -ShowBrokerCerts
/usr/openv/netbackup/bin/bpnbat -ShowMachines
/usr/openv/netbackup/bin/bpnbat -Version
/usr/openv/netbackup/bin/bpnbat -WhoAmI [-cf credential_file] [-Verify]
DESCRIPTION
The bpnbat command is a tool that enables a user to use the Symantec
Product Authentication and Authorization Service, which has two
distinct pieces.
· Authentication - prove who you are
· Authorization - check what you can do
bpnbat enables a user to do authentication tasks from within NetBackup.
Note: If a command requires a password, the password is not echoed,
not even as asterisks, because a shoulder surfer could use them to
narrow the password search space significantly.
NetBackup Access Control requires the user's home directories to work
correctly.
OPTIONS
[-AddDomain | -RemoveDomain] Private_Domain
These options enable an administrator who runs the command locally
on an Authentication server to add or remove domains within the
NBU_Machines@<at.server.name>.
You must have superuser privileges to run this command.
[-AddUser | -RemoveUser] Name Private_Domain
These options enable an administrator who runs the command locally
on an Authentication server to add or remove users from domains
in the private Veritas Domain Database. These accounts are
meaningful only within Symantec Product Authentication and
Authorization Service. They are intended to be used in places
where a centralized naming authority (such as a PDC/AD or NIS
domain) is not available.
You must have superuser privileges to run this command.
-Execute [-cf credential_file] command
-GetBrokerCert
Obtains a broker certificate without authenticating to a
broker.
-Login -Info credential_file [-cf credential_file]
Identifies you to the system. When you run this command,
enter a Name, Password, Domain, Authentication type, and a
server to authenticate. The combination of a name, password,
domain, and domain type creates a unique identity within an
Enterprise-wide network. The first time a broker is contacted,
you are asked if you want to trust that broker and
authenticate them. You cannot use an untrusted broker.
-LoginMachine
Identifies a machine that uses an account within the Veritas
Security Subsystem private domain
NBU_Machines@<at.server.name>. Run this option on your
NetBackup Media, Master, and Clients. This option is similar
to when you log in as a user to an authentication broker.
You must have superuser privileges to run this command.
-Logout [-cf credential_file]
Invalidates the current user credentials, which requires the
user to log in again to continue. Without the -cf option, the
credential that is stored at the default location is expired.
The -cf option points to the actual credential file, which
allows a user to explicitly specify the credential to be
expired.
-RemoveBrokerCert server.name.com
Removes a trust of a specified authentication broker. You
cation broker (root +ab).
You must have superuser privileges to run this command.
-Version Retrieves the version of the executable.
-WhoAmI [-cf credential_file] [-Verify]
Specifies the identity you currently use within Symantec
Product Authentication and Authorization Service. It lists
the following:
· Your name
· Domain
· The authenticating broker who issued the credential
· The time a certificate expires
· The domain type that was used when the credential was
created
EXAMPLES
Example 1
In the following example, the user uses -Login and the default port
number to connect to the Authentication Broker that is called
test.domain.veritas.com. (The Authentication Broker is the server that
handles the Authentication process.) An NIS account is used, so a
domain name (associated with the NIS account) is provided in addition
to a user and password.
# bpnbat -Login
Authentication Broker: test.domain.veritas.com
Authentication port[ Enter = default]:
Authentication type (NIS, NISPLUS, WINDOWS, vx, unixpwd): NIS
Domain: domain.veritas.com
Name: username
Password:
You do not currently trust the server: test.domain.veritas.com, do you
wish to trust it? (y/n): y
Operation completed successfully.
Example 2
# bpnbat -WhoAmI
Name: user name
Domain: domain.veritas.com
Issued by: /CN=broker/OU=root@eek.min.veritas.com/O=vx
Expiry Date: Oct 27 20:57:43 2003 GMT
Authentication method: NIS
Operation completed successfully.
Example 3
Adding a machine to the machine identities list:
# bpnbat -AddMachine
Machine Name: auto.domain.veritas.com
Password:
Operation completed successfully.
Showing the machine identities list:
# bpnbat -ShowMachines
auto.domain.veritas.com
Operation completed successfully
Logging in a machine to a specified authentication broker:
# bpnbat -LoginMachine
Does this machine use Dynamic Host Configuration Protocol (DHCP)? (y/n)
n
Authentication Broker: test.domain.veritas.com
If the user has a multi-NIC configuration or types the broker name
incorrectly, a second prompt appears. It gives the user a second chance
to enter the proper broker name. The following example assumes
sleemanNB is a private NIC name. The public NIC name that Symantec
Product Authentication and Authorization Service uses to build the
authentication domain is sleeman.min.veritas.com. If a failure occurs
using -LoginMachine, the user has a second chance to enter an explicit
primary hostname for the authentication broker. (Failures include a bad
machine name, wrong password, or incorrect broker name.) Refer to the
following example:
# bpnbat -LoginMachine
Does this machine use Dynamic Host Configuration Protocol (DHCP)? (y/n)
n
Authentication Broker: sleemanNB
Authentication port[ Enter = default]:
Machine Name: challenger
Password:
Primary host name of broker: sleeman.min.veritas.com
Operation completed successfully.
Example 4
This command is used to obtain a broker certificate without
authenticating to a broker. It expects a broker
(test.domain.veritas.com) and a port (0 for default).
# bpnbat -GetBrokerCert test.domain.veritas.com 0
Operation completed successfully.
Example 5
This command lists all the brokers that the user currently trusts.
# bpnbat -ShowBrokerCerts
Name: root
Domain: root@test.domain.veritas.com
Expiry Date: Feb 17 19:05:39 2006 GMT
Authentication method: Symantec Private Security
Name: root
Domain: root@torpedo.domain.veritas.com
Issued by: /CN=root/OU=root@torpedo.domain.veritas.com/O=vx
Expiry Date: May 13 23:20:58 2006 GMT
Authentication method: Symantec Private Security
Operation completed successfully.
Example 6
The -RemoveBrokerCert option removes a broker when the user no longer
wants to trust it. In the following example, an authentication broker
is moved to a different corporate division.
# bpnbat -RemoveBrokerCert test.domain.veritas.com
Operation completed successfully.
The user can now use the -ShowBrokerCerts option to display current
certificates. The previously removed certificate is no longer
displayed.
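Added example (not part of the original manual page or of NetBackup): a
Python audit of saved -ShowBrokerCerts output that reports trusted brokers
that are expired or not on an approved list, which are the entries Example 6
would remove. The approved list, the function names, and the reading of the
Domain field as root@<broker host> are assumptions made for illustration.

```python
from datetime import datetime, timezone

FMT = "%b %d %H:%M:%S %Y GMT"  # expiry format as printed in Example 5
# Constructed sample, in the shape of the Example 5 output above.
SAMPLE = """\
Name: root
Domain: root@test.domain.veritas.com
Expiry Date: Feb 17 19:05:39 2006 GMT
Authentication method: Symantec Private Security
Name: root
Domain: root@torpedo.domain.veritas.com
Issued by: /CN=root/OU=root@torpedo.domain.veritas.com/O=vx
Expiry Date: May 13 23:20:58 2006 GMT
Authentication method: Symantec Private Security
Operation completed successfully.
"""

def parse_broker_certs(text):
    """Split the listing into one dict per trusted broker."""
    records = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # status line, e.g. "Operation completed successfully."
        if key.strip() == "Name":
            records.append({})  # every entry starts at its Name: line
        if records:
            records[-1][key.strip()] = value.strip()
    return records

def audit(records, approved, now):
    """Return (broker, reason) pairs for trust entries that need review."""
    findings = []
    for rec in records:
        # Assumption: the broker host is the part of Domain after '@'.
        broker = rec.get("Domain", "").partition("@")[2] or "<unknown>"
        if broker not in approved:
            findings.append((broker, "not in approved broker list"))
        try:
            expiry = datetime.strptime(rec.get("Expiry Date", ""), FMT)
        except ValueError:
            findings.append((broker, "missing or unparsable expiry date"))
            continue
        if expiry.replace(tzinfo=timezone.utc) <= now:
            findings.append((broker, "certificate expired"))
    return findings

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(audit(parse_broker_certs(SAMPLE), {"test.domain.veritas.com"}, now))
```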
SEE ALSO
bpnbaz (1M)
24 Feb 2007 bpnbat(1M)