SYNOPSIS

       /usr/openv/netbackup/bin/bpnbat [-AddDomain | -RemoveDomain]
              Private_Domain

       /usr/openv/netbackup/bin/bpnbat [-AddMachine]

       /usr/openv/netbackup/bin/bpnbat [-AddUser | -RemoveUser] Name
              Private_Domain

       /usr/openv/netbackup/bin/bpnbat -Execute [-cf credential_file] command

       /usr/openv/netbackup/bin/bpnbat -GetBrokerCert Broker_Name Broker_Port

       /usr/openv/netbackup/bin/bpnbat -Login -Info credential_file
              [-cf credential_file]

       /usr/openv/netbackup/bin/bpnbat -LoginMachine

       /usr/openv/netbackup/bin/bpnbat -Logout [-cf credential_file]

       /usr/openv/netbackup/bin/bpnbat -RemoveBrokerCert server.name.com

       /usr/openv/netbackup/bin/bpnbat -ShowBrokerCerts

       /usr/openv/netbackup/bin/bpnbat -ShowMachines

       /usr/openv/netbackup/bin/bpnbat -Version

       /usr/openv/netbackup/bin/bpnbat -WhoAmI [-cf credential_file] [-Verify]


DESCRIPTION

       The bpnbat command is a tool that enables a user to use the Symantec
       Product Authentication and Authorization Service, which has two
       distinct pieces.

             Authentication - prove who you are

             Authorization - check what you can do

       bpnbat enables a user to do authentication tasks from within NetBackup.

       Note      If a command requires a password, it does not echo the
                 password or asterisks, because a shoulder surfer can use
                 echoed asterisks to narrow the password search space
                 significantly.

       NetBackup Access Control requires the user's home directories  to  work
       correctly.


OPTIONS

       [-AddDomain | -RemoveDomain] Private_Domain
                 These options enable an administrator, running locally on
                 an Authentication server, to add or remove domains within the
                 NBU_Machines@<at.server.name>.

                 You must have superuser privileges to run this command.

       [-AddUser | -RemoveUser] Name Private_Domain
                 These options enable an administrator, running locally on
                 an Authentication server, to add or remove users from domains
                 in the private Veritas Domain Database. These accounts are
                 meaningful only within Symantec Product Authentication and
                 Authorization Service. They are intended to be used in places
                 where a centralized naming authority (such as a PDC/AD or NIS
                 domain) is not available.

                 You must have superuser privileges to run this command.

       -Execute [-cf credential_file] command



       -GetBrokerCert
                 Obtains a broker certificate without authenticating to a
                 broker.

       -Login -Info credential_file [-cf credential_file]

                 Identifies you to the system. When you run this command,
                 enter a Name, Password, Domain, Authentication type, and a
                 server to authenticate. The combination of a name, password,
                 domain, and domain type creates a unique identity within an
                 Enterprise-wide network. The first time a broker is
                 contacted, you are asked if you want to trust that broker and
                 authenticate them. You cannot use an untrusted broker.

       -LoginMachine
                 Identifies a machine that uses an account within the Veritas
                 Security Subsystem private domain
                 NBU_Machines@<at.server.name>. Run this option on your
                 NetBackup Media, Master, and Clients. This option is similar
                 to when you log in as a user to an authentication broker.

                 You must have superuser privileges to run this command.

       -Logout [-cf credential_file]
                 Invalidates the current user credentials, which requires the
                 user to log in again to continue. Without the -cf option, the
                 credential that is stored at the default location is expired.
                 The -cf option points to the actual credential file, which
                 allows a user to explicitly specify the credential to be
                 expired.

       -RemoveBrokerCert server.name.com
                  Removes a trust of a specified  authentication  broker.  You

                 cation broker (root +ab).

                 You must have superuser privileges to run this command.

       -Version   Retrieves the version of the executable.

       -WhoAmI [-cf credential_file] [-Verify]
                 Specifies the identity you currently use within Symantec
                 Product Authentication and Authorization Service. It lists
                 the following:

                       Your name

                       Domain

                       The authenticating broker who issued the credential

                       The time a certificate expires

                       The  domain type that was used when the credential was
                        created


EXAMPLES

       Example 1

       In the following example, the user uses -Login and the default port
       number to connect to the Authentication Broker that is called
       test.domain.veritas.com. (The Authentication Broker is the server that
       handles the Authentication process.) An NIS account is used in this
       example. Therefore, a domain name (associated with the NIS account) is
       provided in addition to a user and password.

       # bpnbat -Login

       Authentication Broker: test.domain.veritas.com

       Authentication port[ Enter = default]:

       Authentication type (NIS, NISPLUS, WINDOWS, vx, unixpwd): NIS

       Domain: domain.veritas.com

       Name: username

       Password:

       You  do not currently trust the server: test.domain.veritas.com, do you
       wish to trust it? (y/n): y

       Operation completed successfully.



                    The domain type that was used  when  the  credential  was
                     created.

       # bpnbat -WhoAmI

       Name: user name

       Domain: domain.veritas.com

       Issued by: /CN=broker/OU=root@eek.min.veritas.com/O=vx

       Expiry Date: Oct 27 20:57:43 2003 GMT

       Authentication method: NIS

       Operation completed successfully.



       Example 3

       Adding a machine to the machine identities list:

       # bpnbat -AddMachine

       Machine Name: auto.domain.veritas.com

       Password:

       Operation completed successfully.



       Showing the machine identities list:

       # bpnbat -ShowMachines

       auto.domain.veritas.com

       Operation completed successfully



       Logging in a machine to a specified authentication broker:

       # bpnbat -LoginMachine

       Does this machine use Dynamic Host Configuration Protocol (DHCP)? (y/n)
       n

       Authentication Broker: test.domain.veritas.com

       If the user has a multi-NIC configuration or types the broker name
       incorrectly, a second prompt appears. It gives the user a second chance
       to enter the proper broker name. The following example assumes
       sleemanNB is a private NIC name. The public NIC name that Symantec
       Product Authentication and Authorization Service uses to build the
       authentication domain is sleeman.min.veritas.com. If a failure occurs
       using -LoginMachine, the user has a second chance to enter an explicit
       primary hostname for the authentication broker. (Failures include a bad
       machine name, wrong password, or incorrect broker name.) Refer to the
       following example:

       # bpnbat -LoginMachine

       Does this machine use Dynamic Host Configuration Protocol (DHCP)? (y/n)
       n

       Authentication Broker: sleemanNB

       Authentication port[ Enter = default]:

       Machine Name: challenger

       Password:

       Primary host name of broker: sleeman.min.veritas.com

       Operation completed successfully.



       Example 4

       This command is used to obtain a broker certificate without
       authenticating to a broker. It expects a broker
       (test.domain.veritas.com) and a port (0 for default).

       # bpnbat -GetBrokerCert test.domain.veritas.com 0

       Operation completed successfully.



       Example 5

       This command lists all the brokers that the user currently trusts:

       # bpnbat -ShowBrokerCerts

       Name: root

       Domain: root@test.domain.veritas.com

       Expiry Date: Feb 17 19:05:39 2006 GMT

       Authentication method: Symantec Private Security



       Name: root

       Domain: root@torpedo.domain.veritas.com

       Issued by: /CN=root/OU=root@torpedo.domain.veritas.com/O=vx

       Expiry Date: May 13 23:20:58 2006 GMT

       Authentication method: Symantec Private Security

       Operation completed successfully.
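
       Added example (not part of the original manual page or of NetBackup):
       a Python parser for output in the layout shown in Example 5, which the
       -WhoAmI output in Example 2 shares, that flags trusted brokers outside
       an expected list or near expiry. The sample text, the expected-broker
       set, and the function names are assumptions made for illustration.

```python
from datetime import datetime, timezone
# Constructed sample in the layout of Example 5 (not captured from a real host).
SAMPLE = """\
Name: root
Domain: root@test.domain.veritas.com
Expiry Date: Feb 17 19:05:39 2006 GMT
Authentication method: Symantec Private Security
Name: root
Domain: root@torpedo.domain.veritas.com
Issued by: /CN=root/OU=root@torpedo.domain.veritas.com/O=vx
Expiry Date: May 13 23:20:58 2006 GMT
Authentication method: Symantec Private Security
Operation completed successfully.
"""
EXPIRY_FMT = "%b %d %H:%M:%S %Y GMT"  # matches "Feb 17 19:05:39 2006 GMT"

def parse_records(text):
    """Split 'Key: value' output into one dict per 'Name:' block."""
    records = []
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and value.strip():  # skips blank lines and status lines
            if key == "Name" or not records:
                records.append({})
            records[-1][key] = value.strip()
    return records

def audit_brokers(text, expected_domains, now, warn_days=30):
    """Return (domain, finding) pairs for unexpected or expiring trusts."""
    findings = []
    for rec in parse_records(text):
        domain = rec.get("Domain", "<missing>")
        if domain not in expected_domains:  # hypothetical allowlist of brokers
            findings.append((domain, "not in expected broker list"))
        try:
            expiry = datetime.strptime(rec.get("Expiry Date", ""), EXPIRY_FMT)
        except ValueError:
            findings.append((domain, "unparseable expiry date"))
            continue
        days_left = (expiry.replace(tzinfo=timezone.utc) - now).days
        if days_left < 0:
            findings.append((domain, "expired"))
        elif days_left < warn_days:
            findings.append((domain, f"expires in {days_left} days"))
    return findings

if __name__ == "__main__":
    today = datetime(2006, 5, 1, tzinfo=timezone.utc)  # fixed date for the sample
    print(audit_brokers(SAMPLE, {"root@test.domain.veritas.com"}, today))
```

       Feed it the captured output of bpnbat -ShowBrokerCerts; a broker that
       is flagged as unexpected can be removed with -RemoveBrokerCert.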



       Example 6

       The  -RemoveBrokerCert  option removes a broker when the user no longer
       wants to trust it. In the following example, an  authentication  broker
       is moved to a different corporate division.

       # bpnbat -RemoveBrokerCert test.domain.veritas.com

       Operation completed successfully.

       The user can now use the -ShowBrokerCerts option to display current
       certificates. The previously removed certificate is no longer
       displayed.


SEE ALSO

       bpnbaz (1M)





                                  24 Feb 2007                       bpnbat(1M)