EMC® NetWorker® Security

Version 8.2

Configuration Guide
302-000-703
03
Copyright © 2014 EMC Corporation. All rights reserved. Published in USA.

Published October, 2014

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change
without notice.

The information in this publication is provided as is. EMC Corporation makes no representations or warranties of any kind with
respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a
particular purpose. Use, copying, and distribution of any EMC software described in this publication requires an applicable
software license.

EMC², EMC, and the EMC logo are registered trademarks or trademarks of EMC Corporation in the United States and other
countries. All other trademarks used herein are the property of their respective owners.

For the most up-to-date regulatory document for your product line, go to EMC Online Support (https://support.emc.com).

EMC Corporation
Hopkinton, Massachusetts 01748-9103
1-508-435-1000 In North America 1-866-464-7381
www.EMC.com

2 EMC NetWorker Security 8.2 Configuration Guide


CONTENTS

Figures 5

Tables 7

Preface 9

Chapter 1 Introduction 13

Chapter 2 Access Control Settings 15


User authentication.......................................................................................16
Configuring the NMC server and the default user.............................. 16
Configuring the NetWorker server administrators list........................ 17
Configuring user access to NetWorker servers in NMC...................... 17
User authorization.........................................................................................38
NMC server authorization................................................................. 38
Server authorization.........................................................................39
Troubleshooting authorization errors and NetWorker server access issues.............. 50
Component access control............................................................................ 51
Component authentication...............................................................51
Component authorization.................................................................67

Chapter 3 Log Settings 71


NetWorker log files........................................................................................ 72
View log files.................................................................................................76
Rendering a raw file manually.......................................................... 76
Rendering raw log files at runtime.................................................... 78
Raw log file management.............................................................................. 79
Managing raw log file size for the daemon.raw, networkr.raw, and gstd.raw files......... 81
Monitoring changes to the NetWorker server resources................................. 82
Configuring logging levels............................................................................. 83
Setting the debug level for NetWorker daemons .............................. 83
Run scheduled backups in debug mode........................................... 87
Running client-initiated backups in debug mode from command line........................ 88
Run Recoveries in debug mode........................................................ 88

Chapter 4 Communication Security Settings 93


Port usage and firewall support..................................................................... 94
Service ports.................................................................................... 94
Connection ports..............................................................................94
Special considerations for firewall environments...........................................94
Configuring TCP keep alives at the operating system level................ 95
Determining service port requirements..........................................................97

NetWorker client service port requirements...................................... 97


Service port requirements for NetWorker storage nodes................... 98
Service port requirements for the NetWorker server.......................... 99
Service port requirements for NMC Server...................................... 100
Configuring service port ranges in NetWorker.............................................. 101
Determine the available port numbers........................................... 101
Configuring the port ranges in NetWorker ...................................... 101
Configuring the service ports on the firewall................................................ 104
How to confirm the NMC server service ports..................................107
Determining service port requirement examples ......................................... 107
Troubleshooting.......................................................................................... 112

Chapter 5 Data Security Settings 115


Encrypting backup data...............................................................................116
Modifying the lockbox resource......................................................116
Defining the AES pass phrase.........................................................117
Configuring the client resource to use AES encryption.................... 117
Configure encryption for a client-initiated backup.......................... 118
Recover encrypted data..................................................................119
Federal Information Processing Standard Compliance.................... 120
Data integrity.............................................................................................. 122
Verifying the integrity of the backup data....................................... 122
Verifying the integrity of the NetWorker server media data and client file indexes....... 124
Data erasure............................................................................................... 125
NetWorker server media database and index data management.... 125
Manually erasing data on tape and VTL volumes............................ 126
Manually erasing data from an AFTD...............................................126
Security alert system settings......................................................................127
Monitoring changes to NetWorker server resources........................ 127
Security audit logging.................................................................... 127

Index 141

4 EMC NetWorker Security 8.2 Configuration Guide


FIGURES

1 LDAP User Container...................................................................................................... 27


2 LDAP Group Container................................................................................................... 27
3 Manage Authentication Authorities values for an LDAP configuration ............................ 28
4 ADSI Edit for User Container ..........................................................................................28
5 ADSI Edit Group Container ............................................................................................ 30
6 Manage Authentication Authorities values for AD configuration .................................... 31
7 Uni-directional firewall with storage nodes ................................................................. 108
8 Uni-directional firewall with storage nodes ................................................................. 109
9 Bi-directional firewall with Data Domain appliance ..................................................... 110
10 The audit log server manages a single data zone ........................................................ 129
11 The NMC server is the audit log server for multiple data zones..................................... 130
12 Each NetWorker server in a data zone is the audit log server........................................ 131
13 Security Audit Log resource .........................................................................................138


TABLES

1 Revision history............................................................................................................... 9
2 Authority configuration parameters ...............................................................................22
3 Hierarchy errors in the Configure Login Authentication wizard ....................................... 32
4 NMC user roles and associated privileges...................................................................... 38
5 Operations allowed for each NetWorker privilege .......................................................... 41
6 Privileges associated with each NetWorker User Group.................................................. 45
7 NetWorker log files........................................................................................................ 72
8 Raw log file attributes that manage log file size..............................................................80
9 Raw log file attributes that manage the log file trimming mechanism............................. 80
10 Setting TCP parameters for each operating system.........................................................95
11 Standard NetWorker Client port requirements to NetWorker server.................................97
12 Additional service port requirements for Snapshot clients............................................. 98
13 Service port requirements for storage nodes ................................................................. 98
14 NetWorker server program port requirements.................................................................99
15 Port requirements to NMC server to each NetWorker client .......................................... 101
16 nsrports options.......................................................................................................... 103
17 Port requirements for NetWorker communications with third-party applications ..........104
18 NetWorker supported platforms that contain RSA BSAFE FIPS compliant encryption technologies.............121
19 Levels available for the nsrck process..........................................................................124
20 Security audit log interoperability matrix .....................................................................134


Preface

As part of an effort to improve its product lines, EMC periodically releases revisions of its
software and hardware. Therefore, some functions described in this document might not
be supported by all versions of the software or hardware currently in use. The product
release notes provide the most up-to-date information on product features.
Contact your EMC technical support professional if a product does not function properly
or does not function as described in this document.

Note

This document was accurate at publication time. Go to EMC Online Support (https://support.emc.com) to ensure that you are using the latest version of this document.

Purpose
This document provides an overview of security settings available in the NetWorker
product.
Audience
This document is part of the EMC NetWorker documentation set, and is intended for use
by system administrators who are responsible for setting up and maintaining NetWorker
and managing a secure network.
Revision history
The following table presents the revision history of this document.
Table 1 Revision history

Revision  Date           Description
03        Oct 14, 2014   Updates to the following sections:
                         • Importing local host credentials into the NSR Peer Information resource.
                         • Exporting local host credentials into the NSR Peer Information resource.
02        Aug 29, 2014   GA release of this document for EMC NetWorker 8.2. Includes new information
                         about common audit log error messages.
01        June 18, 2014  First release of this document for EMC NetWorker 8.2.

Related documentation
The following EMC publications provide additional information:
• NetWorker Online Software Compatibility Guide
Provides a list of client, server, and storage node operating systems supported by the
EMC information protection software versions. You can access the Online Software
Compatibility Guide on the EMC Online Support site at support.emc.com. From the
Support by Product pages, search for NetWorker using "Find a Product", and then
select the Install, License, and Configure link.
• EMC NetWorker Administration Guide
Describes how to configure and maintain the NetWorker software.

• EMC NetWorker Cluster Integration Guide
Contains information related to configuring NetWorker software on cluster servers
and clients.
• EMC NetWorker Installation Guide
Provides information on how to install, uninstall, and update the NetWorker software
for clients, storage nodes, and servers on all supported operating systems.
• EMC NetWorker Updating from a Previous Release Guide
Describes how to update the NetWorker software from a previously installed release.
• EMC NetWorker Release Notes
Contains information on new features and changes, fixed problems, known
limitations, environment, and system requirements for the latest NetWorker software
release.
• EMC NetWorker Avamar Devices Integration Guide
Provides planning and configuration information on the use of Avamar devices in a
NetWorker environment.
• EMC NetWorker Command Reference Guide
Provides reference information for NetWorker commands and options.
• EMC NetWorker Data Domain Deduplication Devices Integration Guide
Provides planning and configuration information on the use of Data Domain devices
for data deduplication backup and storage in a NetWorker environment.
• EMC NetWorker Disaster Recovery Guide
Contains information about preparing for a disaster and recovering NetWorker
servers, storage nodes, and clients.
• EMC NetWorker Error Message Guide
Provides information on common NetWorker error messages.
• EMC NetWorker Licensing Guide
Provides information about licensing NetWorker products and features.
• EMC NetWorker Performance Optimization Planning Guide
Contains basic performance sizing, planning, and optimizing information for
NetWorker environments.
• EMC NetWorker Management Console Online Help
Describes the day-to-day administration tasks performed in the NetWorker
Management Console and the NetWorker Administration window. To view Help, click
Help in the main menu.
• EMC NetWorker User Online Help
Describes how to use the NetWorker User program, which is the Windows client
interface used to connect to a NetWorker server to back up, recover, archive, and
retrieve files over a network.
• Technical Notes/White Papers
Technical Notes and White Papers provide an in-depth technical perspective of a
product or products as applied to critical business issues or requirements. Technical
Notes and White Paper types include technology and business considerations,
applied technologies, detailed reviews, and best practices planning.
Special notice conventions used in this document
EMC uses the following conventions for special notices:

NOTICE

Addresses practices not related to personal injury.

Note

Presents information that is important, but not hazard-related.

Typographical conventions
EMC uses the following type style conventions in this document:

Bold              Use for names of interface elements, such as names of windows, dialog
                  boxes, buttons, fields, tab names, key names, and menu paths (what
                  the user specifically selects or clicks)

Italic            Use for full titles of publications referenced in text

Monospace         Use for:
                  • System code
                  • System output, such as an error message or script
                  • Pathnames, file names, prompts, and syntax
                  • Commands and options

Monospace italic  Use for variables

Monospace bold    Use for user input

[]                Square brackets enclose optional values

|                 Vertical bar indicates alternate selections - the bar means "or"

{}                Braces enclose content that the user must specify, such as x or y or z

...               Ellipses indicate non-essential information omitted from the example

Where to get help


EMC support, product, and licensing information can be obtained as follows:
Product information
For documentation, release notes, software updates, or information about EMC products,
go to EMC Online Support at https://support.emc.com.
Technical support
Go to EMC Online Support and click Service Center. You will see several options for
contacting EMC Technical Support. Note that to open a service request, you must have a
valid support agreement. Contact your EMC sales representative for details about
obtaining a valid support agreement or with questions about your account.
Online communities
Visit EMC Community Network at https://community.emc.com for peer contacts,
conversations, and content on product support and solutions. Interactively engage online
with customers, partners, and certified professionals for all EMC products.
Your comments
Your suggestions will help us continue to improve the accuracy, organization, and overall
quality of the user publications. Send your opinions of this document to
[email protected]


CHAPTER 1
Introduction

EMC® NetWorker® is a heterogeneous backup application that addresses data protection
challenges. The centralized management capabilities of NetWorker provide effective
data protection for file systems, enterprise applications, storage arrays, and NAS filers to
a variety of target devices.
This guide provides an overview of security configuration settings available in NetWorker,
secure deployment, and physical security controls needed to ensure the secure operation
of the product.
This guide is divided into the following sections:
Access Control Settings
Access control settings enable the protection of resources against unauthorized
access. This chapter provides an overview of the settings available in the product to
ensure its secure operation and describes how you can limit product access by
end users or by external product components.

Log Settings
A log is a chronological record that helps you to examine the sequence of activities
surrounding or leading up to an operation, procedure, or event in a security-related
transaction from beginning to end. This chapter describes how to access and
manage the log files available in NetWorker.

Communication Security Settings
Communication security settings enable the establishment of secure communication
channels between NetWorker components, between NetWorker components and external
systems, and between NetWorker components and external components. This chapter
describes how to ensure that NetWorker uses secure channels for communication and
how to configure NetWorker in a firewall environment.

Data Security Settings
Data security settings enable you to define controls that prevent unauthorized
access to and disclosure of data permanently stored by NetWorker. This chapter
describes the settings available to ensure the protection of the data handled by
NetWorker.


CHAPTER 2
Access Control Settings

Access control settings enable the protection of resources against unauthorized access.
This chapter describes settings you can use to limit access by end-user or by external
product components.

• User authentication...............................................................................................16
• User authorization.................................................................................................38
• Component access control.................................................................................... 51

User authentication
User authentication settings control the processes that the NetWorker Management
Console (NMC) and the NetWorker software applications use to verify the identity claimed
by a user and to determine the level of access allowed to the user.
When you use a web browser on a host (NMC client) to connect to the NMC server, the
http daemon on the NMC server downloads the Java client to the NMC client. You do not
require a secure http (https) connection because only the Java client transfers
information and performs authentication between the NMC server and NMC client. The
NMC server uses SSL to encrypt the username and password that you specify in the login
window and authenticates the credentials. The first time an NMC client connects to the
NMC server, the NMC server uses Native NMC-based authentication to authenticate the
user credentials. After you connect to the NMC server for the first time, you can continue
to use the NMC-based authentication or you can configure access to the NMC server by
using an external authentication authority, such as LDAP or AD.
If the NetWorker server and the NMC server are on different hosts, then ensure that the
administrators list attribute on the NetWorker server includes the appropriate NMC user
accounts before you connect to a NetWorker server. Configuring the administrator list on
page 17 provides more information.

Configuring the NMC server and the default user


The NMC server has one default administrator account. When you use an NMC client to
connect to the NMC server for the first time, the configuration wizard prompts you to set
the password.
Before you begin
These steps assume that you have installed the NetWorker software and that you have
met all of the software and hardware requirements on the computer that will access the
NMC server. The NetWorker Installation Guide on the EMC Online Support site provides
more information.
Procedure
1. From a supported web browser, type the URL of the NMC server:
http://server_name:http_service_port
where:
• server_name is the name of the NMC server.
• http_service_port is the port for the embedded HTTP server. The default HTTP port is
9000.
For example: http://houston:9000
2. On the Welcome window, click Start.
3. On the Security Warning window, click Start to install and run NetWorker Console.
4. On the Licensing Agreement window, select Accept.
5. If you did not install the appropriate JRE version on the system, then a prompt to
install JRE appears. Follow the onscreen instructions to install JRE.
6. On the Welcome to the Console Configuration Wizard window, click Next.
7. On the Set Administrator password window, type the NMC password, and click Next.
8. On the Set Database Backup Server window, specify the name of the NetWorker
server that will back up the NMC server database, and then click Next.

9. On the Add NetWorker servers window, specify the names of the NetWorker servers
that the NMC server will manage. When you specify more than one NetWorker server,
add one name per line. Leave the default options Capture Events and Gather
Reporting Data enabled.
• Enable the Capture Events option to allow the NMC server to monitor and record
alerts for events that occur on the NetWorker server.
• Enable the Gather Reporting Data option to allow the NMC server to automatically
collect data about the NetWorker server and generate reports. The NetWorker
Administration Guide on the EMC Online Support site describes how to run
reports and shows the reports that are available.
10. Click Finish.
Results
The Console window appears with a list of NetWorker servers.

Configuring the NetWorker server administrators list


The NetWorker server software provides administrator access by default to the root user
on a Unix NetWorker server and members of the Windows Administrators group on a
Windows NetWorker server. Administrator access gives a user all the NetWorker
privileges required to change the configuration of a NetWorker server.
Before you begin
Log in to the NetWorker server as an administrator on Windows or as root on UNIX.
When the NMC server and the NetWorker server are on the same host, the NetWorker
server install automatically adds the owner of the gstd process and the NMC
administrator user to the administrators list of the NetWorker server. When the NMC
server and the NetWorker server are on separate hosts, you must add the owner of the
gstd process and the NMC administrator user to the administrators list on the NetWorker
server.
Add the NMC administrator account to the Administrators list attribute to enable
the NMC administrator user to administer and monitor the NetWorker server. The owner of
the gstd process is the user that starts the gstd daemon on UNIX or the EMC GST
service on Windows. By default, the process owner is the SYSTEM user on Windows and
the root user on UNIX.
Procedure
1. From a command prompt, use the nsraddadmin command to add the gstd process
owner to the NetWorker server Administrators list attribute.

On Windows, type: nsraddadmin -u "user=SYSTEM, host=NMC_host"

On UNIX, type: nsraddadmin -u "user=root, host=NMC_host"
2. Add the NMC administrator user to the Administrators list attribute on the NetWorker
server: nsraddadmin -u "user=administrator, host=NMC_host"
where NMC_host is the NMC server hostname.
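The two-step procedure above, wrapped in a POSIX sh function that picks the default gstd process owner for the NMC server platform (SYSTEM on Windows, root on UNIX) and issues both nsraddadmin invocations in the "user=NAME, host=HOST" form the guide shows. This is an added example, not a script from the EMC guide or the NetWorker product; the function names and the NSRADDADMIN override variable (which lets the function be exercised against a stub instead of the real binary) are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the EMC guide). Run on the NetWorker server as root
# (UNIX) or an Administrator (Windows), as the "Before you begin" note requires.
# NSRADDADMIN is an assumed override: defaults to the real nsraddadmin command,
# but can be pointed at a shell function for dry runs and tests.
: "${NSRADDADMIN:=nsraddadmin}"

# Build one Administrators list entry: "user=NAME, host=HOST".
nsr_admin_entry() {
    if [ -z "$1" ] || [ -z "$2" ]; then
        echo "nsr_admin_entry: user and host are both required" >&2
        return 1
    fi
    printf 'user=%s, host=%s\n' "$1" "$2"
}

# Default gstd process owner for the NMC server platform, per the guide:
# the SYSTEM account on Windows, root on UNIX.
gstd_owner_for() {
    case $1 in
        windows|Windows)                                 echo SYSTEM ;;
        unix|UNIX|linux|Linux|solaris|Solaris|aix|AIX)   echo root ;;
        *) echo "gstd_owner_for: unknown platform '$1'" >&2; return 1 ;;
    esac
}

# grant_nmc_admin NMC_HOST PLATFORM [NMC_ADMIN_USER]
# Adds the gstd owner and the NMC administrator account (default name
# "administrator") for NMC_HOST to the Administrators list, one
# nsraddadmin -u call per entry. Stops at the first failure.
grant_nmc_admin() {
    nmc_host=$1
    platform=$2
    nmc_admin=${3:-administrator}
    owner=$(gstd_owner_for "$platform") || return 1
    for u in "$owner" "$nmc_admin"; do
        entry=$(nsr_admin_entry "$u" "$nmc_host") || return 1
        "$NSRADDADMIN" -u "$entry" || return 1
    done
}
```

A typical call on a UNIX NMC server is `grant_nmc_admin nmc01.example.com unix`; the hostname must match the name the NMC server presents to the NetWorker server, otherwise the entry never matches and the NMC user is denied.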

Configuring user access to NetWorker servers in NMC


The NMC server allows you to restrict or grant access to a NetWorker server based on the
NMC username. Requests to NetWorker servers through the NetWorker Administration
window always come from the NMC server. The privileges assigned to an NMC user on the

NetWorker server are based on the entries present in the Users attribute of the User
Group resources, on the NetWorker server.
The NMC server controls how the NMC user accesses a managed NetWorker server. When
you enable the User Authentication for NetWorker system option on the NMC server, you
can grant and restrict NetWorker server access and privileges to individual NMC user
accounts. When you disable the User Authentication for NetWorker option, access
requests to a NetWorker server appear to come from the gstd process owner on the NMC
server. All NMC users that access the NetWorker server are granted the same access and
privilege rights that are assigned to the gstd process owner account. The NMC server
enables the User Authentication for NetWorker system option by default. When you
enable the option, the NMC server software creates a separate network connection from
the NMC server to a NetWorker server for each NMC user that has an Administration
window open to that server. Additional network connections might require access to
additional firewall service ports.
When you do not set the User Authentication for NetWorker system option, there is only
one network connection from the NMC server to the managed NetWorker server.
NetWorker supports the use of Native NMC-based authentication or LDAP/AD authentication
to restrict or grant access to the NMC server and NetWorker servers.

Modifying the User Authentication for NetWorker system option


Use these steps to define how the NMC server controls the user account that requests
NetWorker server access.
Procedure
1. From the Console window, click Setup.
2. From the Setup menu, select System Options.
3. Set the User Authentication for NetWorker option.
• When enabled, the NMC username determines the level of user access to the
NetWorker server.
• When disabled, the user ID of the gstd process owner determines the level of user
access to the NetWorker server.
4. Click OK.

Configuring Native NMC-based authentication


Native NMC-based authentication uses a data store on the NMC server host to
authenticate NMC users. The NMC server maintains the NMC user names and passwords.
When you log in to the NMC Console for the first time, the NMC configuration wizard
creates the NMC administrator account.
Additional setup is not required to enable Native NMC-based authentication, but you can
add new NMC user accounts, change Console role assignments, and manage existing
NMC users.

Adding NMC users


Perform the following steps to add additional NMC users when the NMC server uses
Native NMC login authentication.
Before you begin
Log in to the NMC server as a Console Security Administrator. The administrator account
is a Console Security Administrator.

Procedure
1. From the Console window, click Setup.
2. In the left pane, right-click Users, then select New.
The Create User dialog box appears.
3. Enter a username.
The username cannot:
• Exceed 64 characters.
• Contain spaces or any of these characters: : < > /
• Contain characters with an ASCII value less than or equal to 32.
• Begin with an underscore (_) character.
4. Optionally, enter the full name of the user and a user description.
5. Select the Console user roles.
6. Enter the user password.
Ensure that you specify a password that meets the following requirements:
• Is a minimum of eight characters long
• Is not the same as the username
If you upgrade from a previous version of NetWorker that did not enforce these
password requirements, NetWorker enforces them when you attempt to change the
password.
7. In the Confirm Password attribute, re-enter the password.
8. Click OK.
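The username and password rules from steps 3 and 6 above, implemented as a pre-check that an account-provisioning script can run before an operator opens the Create User dialog. This is an added example, not code from the EMC guide or the NetWorker product: the function names are the example's own, and the NMC server itself enforces the same rules when the account is created.

```shell
#!/bin/sh
# Added example (not from the EMC guide): validate a proposed NMC account
# against the "Adding NMC users" rules. Each check returns 0 when the value
# is acceptable; otherwise it prints the first rule violated to stderr and
# returns 1, so callers can use it directly in an if/&& chain.

nmc_username_check() {
    name=$1
    if [ -z "$name" ]; then
        echo "username: must not be empty" >&2; return 1
    fi
    # Rule: no more than 64 characters.
    if [ "${#name}" -gt 64 ]; then
        echo "username: exceeds 64 characters" >&2; return 1
    fi
    # Rule: no leading underscore; no spaces or any of : < > /
    case $name in
        _*) echo "username: must not begin with an underscore" >&2; return 1 ;;
        *' '*|*:*|*'<'*|*'>'*|*/*)
            echo "username: must not contain spaces or any of : < > /" >&2; return 1 ;;
    esac
    # Rule: no characters with an ASCII value <= 32. Delete octal 001-040
    # and compare byte counts; any difference means a control character
    # (or space) was present.
    orig=$(( $(printf '%s' "$name" | LC_ALL=C wc -c) ))
    kept=$(( $(printf '%s' "$name" | LC_ALL=C tr -d '\001-\040' | LC_ALL=C wc -c) ))
    if [ "$kept" -ne "$orig" ]; then
        echo "username: must not contain characters with ASCII value <= 32" >&2; return 1
    fi
    return 0
}

# nmc_password_check PASSWORD USERNAME
nmc_password_check() {
    pw=$1
    name=$2
    # Rule: at least eight characters.
    if [ "${#pw}" -lt 8 ]; then
        echo "password: must be at least eight characters long" >&2; return 1
    fi
    # Rule: must differ from the username.
    if [ "$pw" = "$name" ]; then
        echo "password: must not be the same as the username" >&2; return 1
    fi
    return 0
}

# nmc_account_check USERNAME PASSWORD: both checks in one call.
nmc_account_check() {
    nmc_username_check "$1" && nmc_password_check "$2" "$1"
}
```

The checks are written in POSIX sh on purpose: the NMC server on UNIX is administered from a shell, and the same file can be sourced by a ksh or bash provisioning script without modification.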

Modifying NMC users


You can modify the password, descriptive information, and the roles of an existing NMC
user account.
Before you begin
Log in to the NMC server as a Console Security Administrator. The administrator account
is a Console Security Administrator.
Procedure
1. From the Console window, click Setup.
2. In the left pane, select Users.
3. Right-click the user and then select Properties.
4. On the Identification tab, modify the attributes as required.

Deleting an NMC user


This section describes how to remove NMC users. You cannot remove the administrator
user.
Procedure
1. Log in to the Console server as a Console Security Administrator.
The NMC administrator user is a Console Security Administrator.
2. From the Console window, click Setup.

3. In the left pane, select Users.


4. Right-click the user and then select Delete.
5. Click Yes to confirm the deletion.
If the user had saved customized reports, then a dialog box prompts for the username
to which to reassign those reports. Otherwise, the reports can be deleted.

Resetting the NMC administrator password


Use the GST_RESET_PW environment variable to reset the password for the NMC
administrator account. The reset sets the password back to the default value,
administrator, so change it as soon as you have logged in. Remove or clear the variable
afterwards as described in each procedure: while it remains set, every start of the EMC
GST Service resets the password again.
Resetting the administrator password for an NMC server on Windows
Use the System applet in Control Panel to add the GST_RESET_PW variable and reset the
administrator password.
Procedure
1. On the Advanced tab of the System applet, select Environment Variables.
2. Create a new System variable.
a. In the Variable Name field, specify GST_RESET_PW.
b. In the Variable value field, specify 1.
3. Restart the EMC GST Service.
When the EMC GST Service starts, the NMC server administrator password resets.
4. Use a web browser to connect to the NMC server. When prompted, type
administrator in the username and password fields.

5. Return to the Environment Variables window in the System applet and remove the
GST_RESET_PW environment variable.
This step prevents a password reset each time the EMC GST Service starts.
Resetting the administrator password for an NMC server on UNIX
Use the GST_RESET_PW environment variable to reset a lost or forgotten administrator
password to the default value.
Before you begin
Perform the following steps as the root user.
Procedure
1. Set GST_RESET_PW to a non-null value by using the appropriate command for the
shell.
For example, in the ksh shell, type the following command:

export GST_RESET_PW="non_null_value"


2. Use one of the following commands to stop the NMC server daemon:
• Solaris and Linux: /etc/init.d/gst stop
• AIX: /etc/rc.gst stop
3. Use one of the following commands to start the NMC server daemon:
• Solaris and Linux: /etc/init.d/gst start
• AIX: /etc/rc.gst start
When the EMC GST Service starts, the NMC server administrator password resets.

20 EMC NetWorker Security 8.2 Configuration Guide


4. Use a web browser to connect to the NMC server. When prompted, type
administrator in the username and password fields.

5. Set GST_RESET_PW back to null by using the appropriate command for the shell.
For example, in the ksh shell, type the following command:

export GST_RESET_PW=

This step prevents a password reset each time the EMC GST Service starts.
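The UNIX procedure above as a script. This is an added example and not part of NetWorker: it passes GST_RESET_PW only to the single daemon start that performs the reset, so the flag never lingers in the calling shell (the condition that step 5 guards against), and it audits Linux /proc for a gstd process that still carries the flag, which would reset the administrator password on every restart. The init script paths are the ones listed in the steps above; the daemon process name gstd and the injectable runner argument are this example's own assumptions.

```python
# Added example, not NetWorker code: reset the NMC administrator password on
# UNIX with GST_RESET_PW scoped to one daemon start, then audit for a flag
# that was left behind.
import os
import subprocess
from pathlib import Path

RESET_FLAG = "GST_RESET_PW"
# Init scripts named in the procedure above.
INIT_SCRIPTS = {"linux": "/etc/init.d/gst", "solaris": "/etc/init.d/gst", "aix": "/etc/rc.gst"}


def reset_admin_password(init_script: str, runner=subprocess.run) -> bool:
    """Stop the daemon, then start it exactly once with GST_RESET_PW set.

    The flag goes only into the child's environment for the start call; this
    process never exports it, so a later restart cannot reset the password
    again. Returns True when both commands succeeded.
    """
    base_env = {k: v for k, v in os.environ.items() if k != RESET_FLAG}
    if runner([init_script, "stop"], env=base_env, check=False).returncode != 0:
        return False
    reset_env = {**base_env, RESET_FLAG: "1"}  # any non-null value triggers the reset
    return runner([init_script, "start"], env=reset_env, check=False).returncode == 0


def flag_in_environ(environ_blob: bytes) -> bool:
    """True if a NUL-separated environment block (the /proc/<pid>/environ
    format) carries GST_RESET_PW with a non-null value. An empty value counts
    as cleared, matching 'export GST_RESET_PW=' in step 5."""
    for entry in environ_blob.split(b"\0"):
        key, _, value = entry.partition(b"=")
        if key == RESET_FLAG.encode() and value:
            return True
    return False


def processes_with_reset_flag(proc_root: str = "/proc", comm: str = "gstd") -> list[int]:
    """Linux only: PIDs of processes named `comm` whose environment still has
    the flag set. A hit means the next restart resets the password again.
    Run as root; /proc/<pid>/environ is readable only by the process owner."""
    hits = []
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            if (entry / "comm").read_text().strip() != comm:
                continue
            if flag_in_environ((entry / "environ").read_bytes()):
                hits.append(int(entry.name))
        except OSError:  # process exited or not readable
            continue
    return sorted(hits)


def flag_set_in_this_shell() -> bool:
    """Mirror of step 5: the flag should be null in the operator's own shell."""
    return bool(os.environ.get(RESET_FLAG))


if __name__ == "__main__":
    import platform
    script = INIT_SCRIPTS.get(platform.system().lower(), "/etc/init.d/gst")
    print("reset ok:", reset_admin_password(script))
    print("gstd processes still carrying the flag:", processes_with_reset_flag())
    print("flag set in this shell:", flag_set_in_this_shell())
```

Run it as root on the NMC server; afterwards log in with administrator/administrator, change the password, and confirm that processes_with_reset_flag() returns an empty list.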

Configuring LDAP or AD authentication authorities


When you configure the NMC server to authenticate users by using an external
authentication authority, you log in to the NMC server with user names and passwords
that are maintained by a Lightweight Directory Access Protocol (LDAP), a Lightweight
Directory Access Protocol over SSL (LDAPS), or a Microsoft Active Directory server (AD).
You control user privileges by mapping LDAP or AD user roles or user names to NMC user
roles. You do not manually add user names and passwords on the NMC server.
The NetWorker software automatically distributes the LDAP or AD configuration file from
the NMC server to selected NetWorker servers. This automatically puts the managed
NetWorker servers in LDAP or AD mode.
When an LDAP or AD user logs into the NMC server and connects to a NetWorker server:
• The NetWorker server performs a lookup to find the LDAP or AD group that the OS-
authenticated user belongs to in the external authority. The NetWorker server does
not itself authenticate the user against the LDAP authority.
• The privileges assigned to a user on the NetWorker server are based on the LDAP user
or the group entries present in the External roles attribute of the User Group resource
on the NetWorker server. User Group Management on page 46 provides more
information about the User Group resource.

Preparing the NMC server and NetWorker server for LDAPS


Before you configure the NMC and NetWorker servers to use LDAPS, ensure that a local
copy of the CA Certificate, Client Certificate, and Client Key reside in the same file system
path, on each NMC and NetWorker server.
Before you begin
Ensure that the LDAPS certificates use the PEM format.
When the operating system of the NMC server and any NetWorker server differs, perform
the following steps to ensure that each host can successfully communicate with the LDAP
server.
Procedure
1. Create a directory on the NMC server to store the certificate files:
• On a UNIX NMC server, create a subdirectory for the certificates in the
NMC_installation_directory/cst directory. For example, on a Solaris
NMC server, create a subdirectory called corpldap in the /opt/LGTOnmc/cst
directory.
• On a UNIX NetWorker server, create a subdirectory for the certificates in
the /opt/nsr/cst directory. For example, create a subdirectory called
corpldap in the /opt/nsr/cst directory.
• On a Windows NMC server, create a subdirectory for the certificates in the
NMC_installation_directory\cst directory. For example, create a
subdirectory called corpldap in the C:\Program Files\EMC NetWorker
\Management\GST\cst directory.
• On a Windows NetWorker server, create a subdirectory for the certificates in the
NetWorker_installation_directory\cst directory. For example, create a
subdirectory called corpldap in C:\Program Files\EMC NetWorker\nsr
\cst.
2. Copy the CA Certificate to the new subdirectory on each host that will use LDAPS. If
the LDAPS configuration requires a certificate from the client side, then copy the Client
Certificate and Client Key to the new directory on each host.
3. Optionally, to secure the subdirectory, restrict access to the directory. Do this
whenever a Client Key is present, because that file is a private key. For a UNIX host,
ensure that the root account retains access to the directory. For a Windows host,
ensure that the Administrator and Local System accounts retain access to the directory.

Configuring LDAP or AD authentication


After you connect to the Console server for the first time and configure the Native NMC
authentication based administrator account, you can configure the NMC server to use
LDAP, LDAPS, or AD authentication.
Before you begin
Log in to the NMC server with a user account that has the Console Security Administrator
role. The NMC user administrator is assigned to the Console Security Administrator role,
by default.
Procedure
1. From the Setup menu, select Configure Login Authentication.
2. On the Select Authentication Method window, select External Repository.
3. Click Add to add a new external authentication authority.
4. Define the LDAP attributes for your configuration in the Parameters section. The
following table summarizes and defines each attribute.

Table 2 Authority configuration parameters

Authority Name
  Definition: Descriptive name for the LDAP or AD server. This is a user defined field.
  Configuration: Required. If you configured the LDAPS certificate directories, ensure
  that the authority name matches the name of the subdirectory you created on the NMC
  server and the NetWorker server. For example, corpldap.

Provider Server Name
  Definition: Hostname or IP address of the LDAP or AD server.
  Configuration: Required. For LDAPS, ensure that you specify the hostname exactly as it
  appears in the ca.cert file; TLS hostname verification compares this value with the
  name in the certificate that the LDAPS server presents. For example, if the ca.cert
  file contains the FQDN of the LDAPS server, you must specify the FQDN in the Provider
  Server Name field.

Distinguished Name
  Definition: The dn of an LDAP or AD account that you use to perform operations such as
  searching for users and groups in the LDAP or AD hierarchy.
  Configuration: Required. Specify an account on the LDAP or AD server that has full read
  access to the directory from which the AD or LDAP server accesses its data. Use a
  dedicated read-only service account rather than an administrative one: its credentials
  are part of the authority configuration that the wizard distributes to each selected
  NetWorker server.

Password
  Definition: Password of the LDAP or AD account.
  Configuration: Required.

User Search Path
  Definition: The dn to use when searching for users on the LDAP or AD server.
  Configuration: Required.

Group Search Path
  Definition: The dn to use when searching for groups on the LDAP or AD server.
  Configuration: Required.

Group Name Attribute
  Definition: Identifies the LDAP or AD group name in the User Search Path dn.
  Configuration: Required. Default value: cn

LDAP Timeout (millisecond)
  Definition: The time out for LDAP or AD calls.
  Configuration: Required. Range is 0 to 2 000 000 000 ms. A value of 0 indicates that
  calls will never time out. Default value: 30000

User ID Attribute
  Definition: The user ID associated with the users in the User Search Path dn.
  Configuration: Required. For LDAP this attribute is usually uid. For AD, this attribute
  is usually cn. Default value: uid

User Object Class
  Definition: The object class that identifies users in the dn defined in the User Search
  Path.
  Configuration: Required.

Group Object Class
  Definition: The object class that identifies groups in the LDAP or AD hierarchy of the
  dn defined in the User Search Path.
  Configuration: Required. For LDAP, depending on the configuration, use groupOfNames or
  groupOfUniqueNames. For AD, use group. Default value: groupOfUniqueNames

Group Member Attribute
  Definition: The group membership of users in the dn that is defined in the User Search
  Path.
  Configuration: Required. For LDAP, if the Group Object Class is groupOfNames the
  attribute is usually member; if the Group Object Class is groupOfUniqueNames the
  attribute is usually uniquemember. For AD the value is usually member. The default
  value is uniquemember.

Note

NetWorker cannot validate the Group Member Attribute. Ensure that you specify the
correct value in the Group Member Attribute: a wrong value is not reported, and the
affected users simply receive no group-based privileges.

LDAP Debug level
  Definition: Level of debug messages to log in the gstd.raw file.
  Configuration: Change this value to 1 for troubleshooting purposes only. The default
  value is 0.

Protocol
  Definition: Communication protocol between the NetWorker server and the
  authentication server.
  Configuration: For LDAP or AD, select LDAP. For secure communications, select LDAPS.
  With plain LDAP, the simple bind that carries the password of the Distinguished Name
  account, and each user's password at login, crosses the network unencrypted.

Server Certificate (LDAPS only)
  Definition: The full path to the CA certificate on the NMC server.
  Configuration: Required for LDAPS. When the NMC server and NetWorker server are on
  different platforms, use a forward slash to specify the path. For example:
  C:/Program Files/EMC NetWorker/Management/GST/cst/corpldap/ca.cert

Client certificate (LDAPS only)
  Definition: The full path to the Client certificate on the NMC server.
  Configuration: Required for LDAPS when the LDAPS server requires a client certificate.
  When the NMC server and NetWorker server are on different platforms, use a forward
  slash to specify the path. For example:
  C:/Program Files/EMC NetWorker/Management/GST/cst/corpldap/client.cert

Client key (LDAPS only)
  Definition: The full path to the Client key on the NMC server.
  Configuration: Required for LDAPS when the LDAPS server requires a client certificate.
  Specify the path in the same form as the Server Certificate and Client certificate
  fields, with forward slashes on a Windows NMC server. For example:
  C:/Program Files/EMC NetWorker/Management/GST/cst/corpldap/client.key

Port value
  Definition: Port number of the LDAP server.
  Configuration: Required. Default value: 389. The openssl examples in the troubleshooting
  section later in this chapter use 636, the usual LDAPS port.

5. Click Next.
Troubleshooting authentication errors on page 31 describes common error
messages that might appear.
6. In the External Roles field, specify the LDAP or AD users and group to assign to the
NMC Console Security Administrator role.
7. Click Next.
If you specify a user or group that is not valid on the LDAP or AD server, then the
following message appears:

External role <user or group> is invalid


8. In the Distributed Authority Configuration File window, select the NetWorker servers
that will use LDAP or AD. This will copy the LDAP configuration file from the NMC
server to the NetWorker_install_path\nsr\cst directory on a Windows
NetWorker server or the NetWorker_install_path/nsr/cst folder on a UNIX
NetWorker server. The NMC server is selected by default.
9. Click Distribute.
If the value specified in the Distinguished Name field is not valid, then the following
error message appears:

Failed to validate authority option. Error code: -8, message: Search for user name failed.

To resolve this issue, return to the Authority Configuration window, correct the value
in the Distinguished Name field and attempt to distribute the authority configuration
file again.


10. In the Monitor Distribution Progress window, review the progress of the configuration
file distribution. Ensure that the authority configuration file distribution succeeds for
all of the NetWorker servers.
11. Click OK.
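The lookups that the parameters in Table 2 drive, and the group-to-privilege mapping described earlier in this section (the NetWorker server looks up the user's groups and matches them against the External roles of its User Groups), shown against a small constructed directory. This is an added example, not NetWorker code: the filters are the standard LDAP form that the table's attributes imply; the in-memory directory, the object class inetOrgPerson for LDAP users and user for AD users, and the External roles mapping are all this example's own assumptions; and the membership match is a simplified model of the server's lookup. It also shows why the login name must be escaped (RFC 4515) before it goes into a filter, and what a wrong Group Member Attribute, which NetWorker cannot validate, looks like in practice.

```python
# Added example, not NetWorker code: how the Table 2 parameters combine into the
# user lookup and the group lookup, with RFC 4515 escaping of the login name,
# run against a small constructed in-memory directory.
from dataclasses import dataclass, replace
from typing import Optional


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515 section 3).
    Without this, a login name such as *)(uid=* rewrites the filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)


@dataclass(frozen=True)
class Authority:
    """Search-related parameters from Table 2 (defaults are the table's)."""
    user_search_path: str
    group_search_path: str
    user_id_attribute: str = "uid"
    user_object_class: str = "inetOrgPerson"        # assumed; the table sets no default
    group_object_class: str = "groupOfUniqueNames"
    group_member_attribute: str = "uniquemember"
    group_name_attribute: str = "cn"


def user_filter(a: Authority, login_name: str) -> str:
    """Filter for the user search under User Search Path."""
    return f"(&(objectClass={a.user_object_class})({a.user_id_attribute}={escape_filter_value(login_name)}))"


def group_filter(a: Authority, user_dn: str) -> str:
    """Filter for the group search under Group Search Path."""
    return f"(&(objectClass={a.group_object_class})({a.group_member_attribute}={escape_filter_value(user_dn)}))"


def _has(attrs: dict, name: str, value: str) -> bool:
    """Case-insensitive value match on one attribute of an entry."""
    return value.lower() in (v.lower() for v in attrs.get(name, []))


def find_user_dn(directory: dict, a: Authority, login_name: str) -> Optional[str]:
    """Emulate the user search: entry under User Search Path whose object class
    and user ID attribute both match. Returns the DN or None."""
    for dn, attrs in directory.items():
        if (dn.lower().endswith(a.user_search_path.lower())
                and _has(attrs, "objectClass", a.user_object_class)
                and _has(attrs, a.user_id_attribute, login_name)):
            return dn
    return None


def groups_of(directory: dict, a: Authority, user_dn: str) -> list[str]:
    """Emulate the group search. A wrong Group Member Attribute yields no groups
    and no error, which is the failure the note under Table 2 warns about."""
    names = []
    for dn, attrs in directory.items():
        if (dn.lower().endswith(a.group_search_path.lower())
                and _has(attrs, "objectClass", a.group_object_class)
                and _has(attrs, a.group_member_attribute, user_dn)):
            names.extend(attrs.get(a.group_name_attribute, []))
    return names


def networker_user_groups(external_roles: dict, user_dn: str, group_names: list[str]) -> list[str]:
    """NetWorker User Groups whose External roles list the user's DN or one of
    the user's groups (simplified model of the privilege lookup)."""
    wanted = {n.lower() for n in group_names} | {user_dn.lower()}
    return sorted(ug for ug, roles in external_roles.items()
                  if any(r.lower() in wanted for r in roles))


# Constructed sample directory; no real organisation.
DIRECTORY = {
    "uid=jdoe,ou=People,dc=corp,dc=example": {"objectClass": ["inetOrgPerson"], "uid": ["jdoe"]},
    "uid=asmith,ou=People,dc=corp,dc=example": {"objectClass": ["inetOrgPerson"], "uid": ["asmith"]},
    "cn=backupadmins,ou=Groups,dc=corp,dc=example": {
        "objectClass": ["groupOfUniqueNames"], "cn": ["backupadmins"],
        "uniquemember": ["uid=jdoe,ou=People,dc=corp,dc=example"]},
    "cn=operators,ou=Groups,dc=corp,dc=example": {
        "objectClass": ["groupOfUniqueNames"], "cn": ["operators"],
        "uniquemember": ["uid=jdoe,ou=People,dc=corp,dc=example",
                         "uid=asmith,ou=People,dc=corp,dc=example"]},
}
CORP_LDAP = Authority(user_search_path="ou=People,dc=corp,dc=example",
                      group_search_path="ou=Groups,dc=corp,dc=example")
# Same directory, but the authority was configured with the groupOfNames attribute.
CORP_LDAP_WRONG_MEMBER_ATTR = replace(CORP_LDAP, group_member_attribute="member")
# Typical AD values from Table 2; "user" as User Object Class is an assumption.
CORP_AD = Authority(user_search_path="cn=Users,dc=corp,dc=example",
                    group_search_path="cn=Users,dc=corp,dc=example",
                    user_id_attribute="cn", user_object_class="user",
                    group_object_class="group", group_member_attribute="member")
# Constructed External roles of three NetWorker User Groups.
EXTERNAL_ROLES = {
    "Application Administrators": ["backupadmins"],
    "Operators": ["operators"],
    "Security Administrators": ["uid=asmith,ou=People,dc=corp,dc=example"],
}

if __name__ == "__main__":
    dn = find_user_dn(DIRECTORY, CORP_LDAP, "jdoe")
    print(user_filter(CORP_LDAP, "jdoe"), "->", dn)
    print(group_filter(CORP_LDAP, dn), "->", groups_of(DIRECTORY, CORP_LDAP, dn))
    print("User Groups:", networker_user_groups(EXTERNAL_ROLES, dn, groups_of(DIRECTORY, CORP_LDAP, dn)))
    print("wrong member attribute:", groups_of(DIRECTORY, CORP_LDAP_WRONG_MEMBER_ATTR, dn))
    print("escaped injection attempt:", user_filter(CORP_LDAP, "*)(uid=*"))
```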
Logging in to the NMC server after LDAP or AD configuration
The next time you use an NMC client to connect to the NMC server, you must specify the
appropriate LDAP or AD user. If you cannot log in to the NMC server, then you can revert
back to Native NMC authentication mode and reconfigure AD/LDAP authentication.
The NetWorker Installation Guide provides more information.
Consider the following:
• When the wizard distributes the authority file, the process adds each LDAP and AD
authenticated NMC user that has the NMC Console Security Administrator role to the
Security Administrators User Group on each NetWorker server that the NMC server
has the privilege to manage.

Note

Members of the Security Administrators User Group have permissions to modify the
Audit Log server and User Group resources only. "Modifying User Group privileges on
page 46" describes how to add a manually created LDAP or AD user to a User Group
on a NetWorker server.
• When an LDAP or AD user logs in to the NMC server for the first time, the login
process automatically creates an NMC user account for the user and assigns the NMC
user to the same NMC role as the LDAP or AD group.
• LDAP and AD authentication does not support the use of the administrator user
name.
• The NMC server cannot perform LDAP and AD administrative functions. Perform LDAP
and AD administrative functions such as creating new domain users and groups with
the appropriate LDAP and AD tools.
• The External Roles field for the Security Administrator User Group is not populated
until an LDAP or AD user logs in for the first time.
• Troubleshooting login errors on page 35 provides detailed information to
troubleshoot common login error messages.
Example: Configuring an LDAP authority
In this example, a third party LDAP management tool, LDAPAdmin is used to view the
properties of the LDAP configuration.
The following figure provides an example of the values required to specify the following
attributes:
• Provider Server Name
• Distinguished Name
• User ID Attribute
• User Search Path: a combination of the Distinguished Name and User Container
name.
• User Object Class


Figure 1 LDAP User Container

The following figure provides an example of the values associated with the following
LDAP group attributes:
• Group Search Path: a combination of the Distinguished Name and Group Container
name.
• Group Member Attribute
• Group Object Class
Figure 2 LDAP Group Container

The following image provides an example of the Manage Authentication Authorities
screen with configuration details related to an LDAP server installation specified in the
attribute fields.


Figure 3 Manage Authentication Authorities values for an LDAP configuration

Example: Configuring an AD authority


In this example, the Active Directory Services Interfaces Editor (ADSI Edit) program is
used to view the properties of the AD configuration.
The following image provides an example of the values required to specify the following
attribute fields:
• Distinguished Name: a combination of the AD Distinguished name, User container,
and User ID Attribute.
• User Search Path: a combination of the Distinguished name and User Container
name.
• User Object Class
• User ID Attribute
Figure 4 ADSI Edit for User Container


The following figure provides an example of the values associated with following AD
group attributes:
• Provider Server Name
• Group Container
• Group Member Attribute
• Group Object Class
• Group Search Path: a combination of the Distinguished Name and Group Container
name.


Figure 5 ADSI Edit Group Container

The following figure provides an example of the Manage Authentication Authorities
screen with configuration details related to an AD server installation specified in the
attribute fields.


Figure 6 Manage Authentication Authorities values for AD configuration

Troubleshooting authentication configuration error messages


This section provides a list of possible causes and resolutions for authentication
configuration error messages.
Authority definition must specify external authority attribute name
Appears in the Configure Login Authentication wizard when the Authority Name field is
blank.
LDAP bind failed due to invalid credentials
Appears in the Configure Login Authentication wizard when:
• The LDAP or AD user specified in the Distinguished Name field is incorrect.
• The password specified for the LDAP or AD user is incorrect.
Failed to propagate external roles to NetWorker server
Appears when the distribution of the authority file fails for a NetWorker server because
the NMC user used to distribute the file is not a member of the Application Administrators
User Group on the NetWorker server.
To resolve this issue:
1. Close the Configure Login Authentication wizard.
2. Connect to the NetWorker server with a NMC user who is a member of the Security
Administrators User Group.
3. Add the appropriate LDAP or AD group to the Application Administrators User Group.
4. Launch the Configure Login Authentication wizard and configure the new LDAP or AD
authority.
No entry in hierarchy 'ou=orgname, dc=domain_component1, dc=domain_component2, dc=domain_component3 ...'
These error messages appear in the Configure Login Authentication window when the
attribute value referenced in the error message is incorrect or the LDAP or AD authority
cannot validate the attribute value. The following table describes the messages that
appear and the attribute to correct.

Table 3 Hierarchy errors in the Configure Login Authentication wizard

Each message begins with "No entry in hierarchy 'ou=orgname, dc=domain_component1,
dc=domain_component2, dc=domain_component3 ...'" and continues with one of the
following. Each appears in the Configure Login Authentication wizard when the value
defined in the named attribute is not valid.

...belongs to user object class 'user_object_class'
  The value in the User Object Class attribute is not valid for the value defined in the
  User Search Path attribute.
...has a group name attribute 'groupname'
  The value in the Group Name Attribute field is not valid on the LDAP or AD server.
...has a user id attribute 'user_id'
  The value in the User ID Attribute field is not valid on the LDAP or AD server.
...belongs to object class 'group_object_class'
  The value in the Group Object Class field is not valid on the LDAP or AD server.
...has a group member attribute 'group_member_attribute'
  The value in the Group Member Attribute field is not valid on the LDAP or AD server.

User Search Path hierarchy 'ou=orgname,dc=domain_component1,dc=domain_component2,dc=domain_component3' does not exist or is empty
Appears in the Configure Login Authentication wizard when the value defined in the User
Search Path attribute is not valid on the LDAP or AD server.
No ldap search path for usernames
Appears in the Configure Login Authentication wizard when the value defined in the User
Search Path attribute is not valid on the LDAP or AD server.
Group Search Path hierarchy 'ou=orgname,dc=domain_component1,dc=domain_component2,dc=domain_component3' does not exist or is empty
Appears in the Configure Login Authentication wizard when the value defined in the
Group Search Path attribute is not valid on the LDAP or AD server.
Error querying for user groups
Appears in the Configure Login Authentication wizard when the value defined in the
Group Search Path attribute is not valid on the LDAP or AD server.
LDAP bind failed because the server is down
Appears in the Configure Login Authentication wizard when:
• The Port Number defined for the LDAP, LDAPS, or AD server is incorrect.
• The hostname specified in the Provider Server Name field is incorrect or the
hostname is not resolvable.
• The LDAPS server requires a certificate but the Server certificate file or Client
certificate file field is empty.
networker_server (Permission denied, user 'LDAP_user' on 'NMC_server' does not have
'Configure NetWorker' OR 'Change Application Settings' privilege to configure this
resource) - NSR
This error message appears in two scenarios:


• While distributing the authority configuration file to a new NetWorker server, the new
NetWorker server cannot authenticate the LDAP user account.
To resolve this issue, configure the NMC server to use Native NMC-based
authentication and then reconfigure the LDAP or AD authorities and distribute them
to all the required servers.
For example:
1. In the Distribute Authority Configuration File window, click Finish.
2. Start the Configure Login Authentication wizard again.
3. In the Select Authentication Method window, click Next.
4. Record the values in each attribute field for the configured LDAP or AD authorities,
then click Back.
5. In the Select Authentication Method window, select Native NetWorker
Management Console and click Next.
6. Select all servers with a status of Requires Update and click Distribute.
7. Click Finish.
8. Start the Configure Login Authentication wizard again and recreate the LDAP or AD
authority configuration.
• When an LDAP or AD user tries to modify the Server resource (NSR) on a NetWorker
server but the user is not a member of the Application Administrators or the Security
Administrators User Group.
To resolve this issue:
1. Close the NetWorker server and NMC server browser windows.
2. Log in to the NMC server with an LDAP or AD account that is a member of the
Application Administrators or the Security Administrators User Group.
Failed to retrieve authentication control attributes from NetWorker server
[NetWorker_server]
Appears when an LDAP or AD user that is not a member of the Security Administrators
User Group on the NetWorker server attempts to distribute the authority configuration file
to the NetWorker server.
To resolve this issue:
1. In the Distribute Authority Configuration File window, click Finish.
2. Close the NMC server browser window.
3. Log in to the NMC server with an LDAP or AD user that is a member of the Security
Administrators User Group on the NetWorker server. LDAP or AD users that have the
Console Security Administrator role on the NMC server are a member of the Security
Administrators User Group on the NetWorker server by default.

Note

Members of the Security Administrators User Group on a NetWorker server only have
permissions to modify the Security Audit Log server and User Group resources.
Modifying User Group privileges on page 46 describes how to modify the User
Group membership on a NetWorker server.


Could not validate external authority. Failed to get status of file (clientCertificate)
'full_path_to_client_certificate': No such file or directory. Provide valid path or copy the
certificates/key to the specified path
This message appears when the wizard attempts to distribute the authority configuration
file to the NetWorker server, but the paths that you specified to the certificate files are
incorrect.
To resolve this issue:
1. In the Distribute Authority Configuration File window, click Finish.
2. Start the Configure Login Authentication wizard again.
3. In the Select Authentication Method window, click Next.
4. Correct the pathnames in the certificate fields and retry the distribution.

Note

For Windows paths, use a forward slash (/) in the path. For example, c:/
my_ldap_server.

NSR Could not validate external authority LDAP bind failed because the server is down
This message appears when there is an issue with the LDAPS certificate.
To troubleshoot LDAPS certificate issues, use the openssl program. By default, a
Windows host does not include the openssl program. http://www.openssl.org
describes how to obtain an openssl program from a third party provider.
1. Confirm that you can establish an SSL connection to the LDAPS server using the local
copy of the certificate files:

openssl s_client -connect ldaps_server_name:ssl_port -CAfile full_path_to_server_certificate -cert full_path_to_client_certificate -key full_path_to_client_key_file

where:
• full_path_to_server_certificate is the full path to the Server Certificate file on the
local host. If the environment has a hierarchy of CA authorities, then specify the root
CA or the certificate file that contains all CA authority certificates.
• full_path_to_client_certificate is the full path to the Client Certificate file on the
local host. This option is only required when LDAPS requires a client certificate.
• full_path_to_client_key_file is the full path to the Client Key file on the local host.
This option is only required when LDAPS requires a client certificate.
Note that s_client verifies the certificate chain but, unless you add -verify_hostname
ldaps_server_name (OpenSSL 1.1.0 or later), it does not check that the name you
connect to appears in the server certificate; a chain that verifies under a different
name still fails in NetWorker.
For example, the LDAPS server myldaps.emc.com requires a CA certificate only. The
certificate file, ca.cert, resides in the cst directory of an NMC server on Windows. In
this example, type the following command:

openssl s_client -connect myldaps.emc.com:636 -CAfile "C:\Program Files\EMC NetWorker\Management\GST\cst\ca.cert"

Note

When the connection succeeds, the command returns the message:

Verify return code: 0 (ok)


For example, the LDAPS server myldaps.emc.com requires a Client Certificate and a
Client Key. The certificate files and the key file reside in the cst directory of an NMC
server on Windows. In this example, type the following command:

openssl s_client -connect myldaps.emc.com:636 -CAfile "C:\Program Files\EMC NetWorker\Management\GST\cst\ca.cert" -cert "C:\Program Files\EMC NetWorker\Management\GST\cst\client.cert" -key "C:\Program Files\EMC NetWorker\Management\GST\cst\client.key"

As in the previous example, when the connection succeeds the command returns the
message Verify return code: 0 (ok).

2. If the connection does not succeed, contact the LDAPS administrator to request new
copies of the certificate files. To manually copy the CA certificate file from the LDAP
server, perform the following steps:
a. Connect to the LDAPS server to display the Server Certificate (ca.cert) file:

openssl s_client -showcerts -connect ldaps_server_name:ssl_port

Note

The openssl command may display two certificates. The second certificate is
usually the CA certificate.

b. Ensure that the certificate you receive matches the CA certificate on the LDAPS
server.
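The same checks from Python's ssl module, as an added example that is not part of NetWorker or of OpenSSL: probe_ldaps performs the verified handshake that the openssl s_client commands above perform (CA file, optional client certificate and key, hostname check), and provider_server_name_ok tests offline whether the value you intend to enter in Provider Server Name is a name that the server certificate actually carries, which is what the Provider Server Name entry in Table 2 requires. SAMPLE_PEERCERT is a constructed certificate summary in the layout that getpeercert() returns, not a real certificate; the function names are this example's own.

```python
# Added example, not NetWorker or OpenSSL code: the openssl s_client checks
# above done with Python's ssl module, plus an offline test that the intended
# Provider Server Name matches a name in the server certificate.
import socket
import ssl
from typing import Optional


def ldaps_context(cafile: str, certfile: Optional[str] = None,
                  keyfile: Optional[str] = None) -> ssl.SSLContext:
    """Verify the server chain against the local CA certificate (-CAfile) and
    present a client certificate when the LDAPS server requires one (-cert/-key)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True           # name given to wrap_socket must be in the cert
    ctx.verify_mode = ssl.CERT_REQUIRED
    if certfile:
        ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx


def probe_ldaps(host: str, port: int, cafile: str, certfile: Optional[str] = None,
                keyfile: Optional[str] = None, timeout: float = 10.0):
    """Return (True, details) after a verified handshake, (False, reason) otherwise."""
    ctx = ldaps_context(cafile, certfile, keyfile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return True, {"tls_version": tls.version(), "names": cert_names(cert)}
    except ssl.SSLCertVerificationError as exc:   # chain or hostname failure
        return False, exc.verify_message or str(exc)
    except (ssl.SSLError, OSError) as exc:         # handshake, DNS, port, timeout
        return False, str(exc)


def cert_names(cert: dict) -> list[str]:
    """DNS names a certificate is valid for, from the dict layout getpeercert()
    returns: subjectAltName DNS entries first, then the subject commonName."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and value not in names:
                names.append(value)
    return names


def _name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive exact match, or a single-label wildcard (*.example.com)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def provider_server_name_ok(cert: dict, provider_server_name: str) -> bool:
    """True when the value intended for Provider Server Name is a name the
    certificate carries; otherwise hostname verification rejects the connection."""
    return any(_name_matches(n, provider_server_name) for n in cert_names(cert))


# Constructed certificate summary in getpeercert() layout; not a real certificate.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "myldaps.emc.com"),),),
    "subjectAltName": (("DNS", "myldaps.emc.com"), ("DNS", "*.lab.emc.com")),
}

if __name__ == "__main__":
    import sys
    # usage: script.py host port ca.cert [client.cert client.key]
    host, port, cafile = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    ok, detail = probe_ldaps(host, port, cafile, *sys.argv[4:6])
    print("verified" if ok else "FAILED", detail)
```

An IP address in Provider Server Name only passes if the certificate carries a matching IP subjectAltName, which is why the table asks for the name as it appears in the certificate rather than an address.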

Troubleshooting login errors


This section provides a list of possible causes and resolutions for NMC login error
messages.
You do not have privileges to use NetWorker Management Console
Appears when a valid LDAP or AD account tries to log in to the NMC server, but the
account does not exist on the NMC server or is not assigned a Console role.
To resolve this issue, create the LDAP or AD account manually and try to log in again.
Adding LDAP or AD users to the NMC server manually on page 36 describes how to
create LDAP and AD user accounts manually.
Could not authenticate this user name and password, try again
Appears when you attempt to log into the NMC server with:
• An unrecognized username or an incorrect password. To resolve this issue, use the
correct user name and password combination for the configured NMC server
authentication method.
• An AD user that has the option User must change password at next login enabled. To
resolve this issue, change the password before attempting to log in to the NMC
server.
The specified user name is restricted and cannot be used to log into the system
Appears when you use the Administrator username to log in to the NMC server and the
NMC server authentication is LDAP or AD. An NMC server that uses AD or LDAP
authentication does not support the Administrator username.


To resolve this issue, log in to the NMC server with a different LDAP or AD username.

Manage LDAP and AD users in NMC


Use the NMC Console to manually add, delete, and manage LDAP and AD users.

Add LDAP and AD users and groups to the NMC server


You can add new LDAP and AD users and groups to the NMC server manually or by using
the Configure Login Authentication wizard.
Adding LDAP or AD users by using the Configure Login Authentication Wizard
Use this method to add LDAP and AD users that require membership in the Security
Administrators User Group on all of the managed NetWorker servers.
Before you begin
Log in to the NMC server with a user that has the Console Security Administrator role.
The Configure Login Authentication wizard automatically assigns the new LDAP or AD
users and groups to:
• The Console Security Administrators role on the NMC server.
• The Security Administrators User Group on each managed NetWorker server.
Procedure
1. From the Console window, click Setup.
2. From the Setup menu, select Configure Login Authentication.
3. In the Select Authentication Method window, select External Repository.
4. Select the appropriate LDAP or AD Authority Name and click Next.
5. In the External Roles field, specify the new LDAP or AD users and groups and click
Next.
6. In the Distribute Authority Configuration window, select the NetWorker servers that
have the Requires Update status and click Distribute.
7. In the Monitor Distribution Progress window, review the progress of the configuration
file distribution. Ensure that the configuration file distribution succeeds for all
NetWorker servers.
8. Log out of the NMC server and log in with a user account in the new group.
Troubleshooting login errors on page 35 describes how to troubleshoot login errors.

Note

Members of the Security Administrators group have permission to modify the Security
Audit Log server and User Group resources only. Modifying User Group privileges on
page 46 describes how to add a manually created LDAP or AD user to a User Group
on a NetWorker server.

Adding LDAP or AD users to the NMC server manually


Use this method to add LDAP or AD users to manage the NMC server, but restrict
NetWorker server access.
Before you begin
Log into the NMC server with a user that has the Console Security Administrator role.


Procedure
1. On the Console window, click Setup.
2. In the left pane, right-click Users, then select New.
3. In the User Name attribute, enter the LDAP or AD username.
4. Optionally, enter the full name of the LDAP or AD user and a general description in the
remaining attributes.
5. Click OK.
The following image provides an example of the Create User window.

Note

When you manually assign a user or group to the Console Security Administrator role,
the NMC server does not automatically assign the user to the Security Administrators
User Group on the managed NetWorker servers. Modifying User Group privileges on
page 46 describes how to add a manually created LDAP or AD user to a User Group
on a NetWorker server.

Modifying an LDAP or AD NMC user


After you create an LDAP or AD user and assign it to an NMC console role, you can modify
the descriptive information about the user in the NMC console.
Before you begin
Log in to the NMC server as a Console Security Administrator. The administrator account
is a Console Security Administrator.
Procedure
1. From the Console window, click Setup.
2. In the left pane, select Users.
3. Right-click the user and select Properties.
4. On the Identity tab, modify the attributes as required.

5. Click OK.

Deleting an LDAP or AD NMC user


After you create an LDAP or AD user and assign NMC console roles to the user, you can
delete the user in the NMC console.
Before you begin
Log in to the NMC server as a Console Security Administrator. The administrator account
is a Console Security Administrator.
Procedure
1. From the Console window, click Setup.
2. In the left pane, click Users.
3. Right-click a username and select Delete.
4. Click Yes to confirm the deletion.
5. If the user saved customized reports, then a dialog box prompts for the username to
which to reassign those reports. Otherwise, delete the reports.
6. If required, remove the user from the LDAP user role on the LDAP server and any
NetWorker User Groups.

User authorization
User authorization settings control rights or permissions that are granted to a user and
enable access to a resource managed by NetWorker.

NMC server authorization


The user that you use to connect to the NMC server determines the level of access to the
NMC server.
The Console server restricts user privileges based on three authorization roles. You
cannot delete the roles or change the privileges assigned to each role.

Table 4 NMC user roles and associated privileges

Console Security Administrator
  • Add, delete, and modify NMC Users.
  • Configure login authentication, such as configuring the NMC server to:
    ◦ Use LDAP authentication instead of Native NMC authentication.
    ◦ Use Native NMC authentication instead of LDAP authentication.
  • Control user access to managed applications, such as a NetWorker server.

Console Application Administrator
  • Configure Console system options.
  • Set retention policies for reports.
  • View custom reports.
  • Specify the NetWorker server that backs up the NMC database.
  • Specify a NetWorker License Manager server.
  • Run the Console Configuration wizard.
  • All tasks available to a Console User role.

Console User
  All tasks except for those tasks explicitly mentioned for the Console Security
  Administrator and the Console Application Administrator. Tasks include:
  • Add and delete hosts and folders.
  • Add and delete Managed applications for NetWorker, Data Domain, and Avamar.
  • Create and delete their own reports.
  • Set features for Managed Applications.
  • Manage a NetWorker server with the appropriate privilege levels.
  • Dismiss events.

By default, the NMC server adds users who have the Console Security Administrator role
to the preconfigured Security Administrators user group on each NetWorker server that
the Console server manages. Members of the Security Administrators user group have
privileges only to modify the Security Audit Log server and User Groups resources that the
Console server can manage. User Group privileges on page 41 summarizes the privileges
assigned to users in each User Group.

Server authorization
The NetWorker server provides a mechanism to authorize users that perform operations
from a command prompt and from the NMC GUI.

Modifying an admin list by using NMC


The NetWorker server software provides administrator access by default to the root user
on a UNIX NetWorker server and members of the Windows Administrators group on a
Windows NetWorker server. Administrator access gives a user all the NetWorker
privileges required to change the configuration of a NetWorker server. NetWorker stores
the administrator list in the NSR resource on the NetWorker server. Modify the
administrators list by using the NMC console.
Before you begin
Use NMC to connect to the NetWorker server with a user that is a member of the
Application Administrators or Database Administrators user group.
Procedure
1. From the Administration window, select Configuration.
2. From the View menu, select Diagnostic mode.
3. Right-click the NetWorker server name in the left navigation pane and then select
Properties.
4. In the Administrator attribute, specify the user accounts that require administrative
access to the NetWorker server in one of the following formats:
• username@hostname
• group@hostname
• user=username,host=hostname
• group=groupname,host=hostname
5. Click OK.

Restricting managed server view for a user


By default the NMC server adds members of the Console Security Administrators to the
Security Administrators user group on each NetWorker server that the NMC server
manages.
Before you begin
Log in to the NMC server with an account that has the Console Security Administrator
role.
To restrict the NetWorker servers that a user can view and manage, modify the privileges
on the user object.
Procedure
1. From the Console window, click Setup.
2. In the left pane, click Users.
3. Right-click a user, then select Permissions. The Edit User window appears and the
Permissions tab displays.
4. To grant the user privileges to view various hosts, use the arrow keys to select the
allowed hosts.
5. Click OK.
Results
The following implications result when you restrict the view for a user:
• In the Events window: The user sees only events from allowed NetWorker servers.
• In the Enterprise window: The user sees all the hierarchy folders, but only the allowed
NetWorker servers appear in the folders.
• In the Libraries window: The user sees only the devices controlled by allowed
NetWorker servers.
• In the Reports window: The user sees report data only from allowed NetWorker
servers.
• In the Setup window:
  ◦ The user sees properties for all users, in addition to its own properties and
  privileges.
  ◦ The user can modify its own properties, but not privileges. Only the Console
  Security Administrator can view and modify user privileges.
Each user can view and manage different sets of NetWorker servers and, as a result, the
contents of the reports can vary among users. For example, a shared backup summary
report entitled “Building C Backups” displays different data for different users (even if
each user runs the report simultaneously) when the privileges of the users include
different NetWorker servers. This applies to all report types, whether default or
customized, private or shared.
If no data is available for a particular server, that server does not appear in any lists or
reports, regardless of the user privileges.

NetWorker User Groups


User Groups provide you with the ability to assign privileges to a group of Native NMC,
LDAP, and AD users to perform operations on a NetWorker server.
The tasks that a user can perform on a NetWorker server depend on User Group
membership and the privileges assigned to the User Group.
When you use LDAP or AD authentication on the NMC server, use the External Roles
attribute in the User Group resource to define LDAP or AD membership for the User Group.
When you use Native NMC authentication on the NMC server, use the Users attribute to
define Native NMC membership for the User Group.
When you run commands locally on the NetWorker server from a command prompt, use
the Users attribute to define OS user or group membership for the User Group.

User Group privileges


User privileges define the NetWorker operations and tasks that NMC, AD, and LDAP users
can perform on a NetWorker server. With the exception of the Application Administrators
user group and the Security Administrators user group, the privileges associated with a
User Group can be modified. The following table provides a summary of the available
privileges and the operations that each privilege enables for a user.

Table 5 Operations allowed for each NetWorker privilege

Change Security Settings
  The ability to modify:
  • User groups
  • Security Audit log resource
  • Server resource
  Note
  The Change Security Settings privilege requires that you also set the following
  prerequisite privileges: View Security Settings, Create Security Settings, and
  Delete Security Settings.

View Security Settings
  The ability to view:
  • User groups
  • Audit log resource
  • Server resource

Create Security Settings
  The ability to create new user group resources.
  Note
  The Create Security Settings privilege requires that you also set the following
  prerequisite privileges: View Security Settings, Change Security Settings, and
  Delete Security Settings.

Delete Security Settings
  The ability to delete user-created user groups. Preconfigured user groups cannot
  be deleted.
  Note
  The Delete Security Settings privilege requires that you also set the following
  prerequisite privileges: View Security Settings, Change Security Settings, and
  Delete Security Settings.

Remote Access All Clients
  The ability to:
  • Remotely browse and recover data associated with any client.
  • View configurations for all client resources. This privilege is required to
    perform directed recoveries.
  This privilege supersedes the users defined in the Remote Access attribute of a
  client resource.
  Note
  The Remote Access All Clients privilege requires that you also set the following
  prerequisite privileges: Operate NetWorker, Monitor NetWorker, Operate
  Devices and Jukeboxes, Backup Local Data, and Recover Local Data.

Configure NetWorker
  The ability to configure resources associated with the NetWorker server, storage
  nodes, and clients. This includes creating, editing, and deleting resources.
  Users with this privilege cannot configure User Group resources.
  Note
  The Configure NetWorker privilege requires that you also set the following
  prerequisite privileges: Operate NetWorker, Monitor NetWorker, Operate
  Devices and Jukeboxes, Backup Local Data, and Recover Local Data.

Operate NetWorker
  The ability to perform NetWorker operations. For example, members can:
  • Reclaim space in a client file index.
  • Set a volume location or mode.
  • Start or stop a savegroup.
  • Query the media database and client file indexes.
  Note
  The Operate NetWorker privilege requires that you also set the following
  prerequisite privileges: Monitor NetWorker, Operate Devices and Jukeboxes,
  Backup Local Data, and Recover Local Data.

Monitor NetWorker
  The ability to:
  • Monitor NetWorker operations, including device status, save group status,
    and messages.
  • View media database information.
  • View NetWorker configuration information (except the security settings
    described in the Change Security Settings privilege).
  This privilege is not required to back up and recover local data, although it may
  be helpful for users to monitor messages and other information.

Operate Devices and Jukeboxes
  The ability to perform device and autochanger operations, for example,
  mounting, unmounting, and labeling. Users with this privilege can also view
  device status and pending messages, as well as view information in the media
  database.
  The Operate Devices and Jukeboxes privilege requires that you also set the
  Monitor NetWorker privilege.

Recover Local Data
  The ability to:
  • Recover data from the NetWorker server to the local client.
  • View most client configuration attributes.
  • Query client save sets and browse the client file index.
  This privilege does not provide permission to view information about other
  clients and does not override file-based privileges.
  Users can only recover files with the appropriate user privileges for that
  operating system. To perform save set or NDMP recoveries, users with this
  privilege must log in to the local host as root (UNIX) or administrator (Windows).

Backup Local Data
  The ability to:
  • Manually back up data from their local client to the NetWorker server.
  • View most attributes in the client's configuration.
  • Query the client save sets and browse the client file index.
  This privilege does not provide permission to view information about other
  clients and does not override file-based privileges.
  Users can only back up files with the appropriate user privileges for that
  operating system. To run the savegroup command or to perform NDMP
  backups, users with this privilege must log in to the local host as root (UNIX) or
  administrator (Windows). To allow scheduled backups to operate correctly, the
  root user (UNIX) or administrator (Windows) on the client has this privilege
  automatically.

View Application Settings
  The ability to view NetWorker resources including: Archive Requests, Client
  resources, Device resources, Directives, Group, Jukebox, Label, License,
  Notification, Policies, Pool, Schedule, Staging, and Storage Node.
  The View Application Settings privilege:
  • Allows user group members to view the status of operations.
  • Does not allow user group members to view the Server, User groups, or
    Security Audit Log resources.
  Note
  The View Application Settings privilege requires that you also set the following
  prerequisite privileges: Change Application Settings, Create Application
  Settings, and Delete Application Settings.

Change Application Settings
  The ability to change NetWorker resources including: Archive Requests, Client
  resources, Device resources, Directives, Group, Jukebox, Label, License,
  Notification, Policies, Pool, Schedule, Staging, and Storage Node.
  The Change Application Settings privilege:
  • Allows user group members to view the status of operations.
  • Does not allow user group members to change the Server, User groups, or
    Security Audit Log resources.
  Note
  The Change Application Settings privilege requires that you also set the
  following prerequisite privileges: Change Application Settings, Create
  Application Settings, and Delete Application Settings.

Create Application Settings
  The ability to create NetWorker resources including: Archive Requests, Client
  resources, Device resources, Directives, Group, Jukebox, Label, License,
  Notification, Policies, Pool, Schedule, Staging, and Storage Node.
  The Create Application Settings privilege:
  • Allows user group members to view the status of operations.
  • Does not allow user group members to change the Server, User groups, or
    Security Audit Log resources.
  Note
  The Create Application Settings privilege requires that you also set the following
  prerequisite privileges: Change Application Settings, Create Application
  Settings, and Delete Application Settings.

Delete Application Settings
  The ability to delete NetWorker resources including: Archive Requests, Client
  resources, Device resources, Directives, Group, Jukebox, Label, License,
  Notification, Policies, Pool, Schedule, Staging, and Storage Node.
  The Delete Application Settings privilege:
  • Allows user group members to view the status of operations.
  • Does not allow user group members to change the Server, User groups, or
    Security Audit Log resources.
  Note
  The Delete Application Settings privilege requires that you also set the following
  prerequisite privileges: Change Application Settings, Create Application
  Settings, and Delete Application Settings.

Archive Data
  The ability to archive data. The NetWorker application administrator must have
  configured NetWorker for a user with this privilege to execute this operation.
  Only the client resource that pertains to the client that issues the archive
  command is viewable.

Backup Remote Data
  Allows users to remotely back up data.

Recover Remote Data
  Allows users to recover data from a backup performed on another machine.

Preconfigured User Groups


By default, NetWorker provides preconfigured user groups with specific privileges. You
cannot delete preconfigured user groups.
The following table provides a summary of the preconfigured user groups and the default
privileges associated with each user group.

Note

By default, NMC, LDAP and AD users that have the NMC Console Security Administrator
role are automatically added to a preconfigured Security Administrators user group on
each NetWorker server that they have the right to manage.

Table 6 Privileges associated with each NetWorker User Group

Security Administrators
  • View Security Settings
  • Change Security Settings
  • Create Security Settings
  • Delete Security Settings

Application Administrators
  • Remote Access All Clients
  • Configure NetWorker
  • Operate NetWorker
  • Monitor NetWorker
  • Operate Devices and Jukeboxes
  • Recover Local Data
  • Recover Remote Data
  • Backup Local Data
  • Backup Remote Data
  • Create Application Settings
  • View Application Settings
  • Change Application Settings
  • Delete Application Settings
  • Archive Data

Monitors
  • Monitor NetWorker
  • Operate Devices and Jukeboxes
  • Recover Local Data
  • Recover Remote Data
  • Backup Local Data
  • Backup Remote Data
  • Create Application Settings
  • View Application Settings
  • Archive Data

Operators
  • Remote Access All Clients
  • View Application Settings
  • Operate NetWorker
  • Monitor NetWorker
  • Operate Devices and Jukeboxes
  • Recover Local Data
  • Recover Remote Data
  • Backup Local Data
  • Backup Remote Data
  • Archive Data

Auditors
  • View Security Settings

Users
  • Monitor NetWorker
  • Recover Local Data
  • Backup Local Data

Database Operators
  • Remote Access All Clients
  • Operate NetWorker
  • Monitor NetWorker
  • Operate Devices and Jukeboxes
  • Recover Local Data
  • Recover Remote Data
  • Backup Local Data
  • Backup Remote Data
  • Archive Data

Database Administrators
  • Remote Access All Clients
  • Configure NetWorker
  • Operate NetWorker
  • Monitor NetWorker
  • Operate Devices and Jukeboxes
  • Recover Local Data
  • Recover Remote Data
  • Backup Local Data
  • Backup Remote Data
  • Archive Data

User Group management


Users assigned to the Configure NetWorker privilege can manage and modify User
Groups.
The Application Administrators and Database Administrators user groups contain the
Configure NetWorker privilege by default.
Modifying User Group privileges
You can change privileges associated with a user group, with the exception of the
Application Administrators and Security Administrators user groups.
Before you begin
Use NMC to connect to the NetWorker server with a user that is a member of the
Application Administrators or Database Administrators user group.
Procedure
1. From the Administration window, click Configuration.
2. Click User Groups.

3. Right-click the user group to edit, then select Properties.
The Properties dialog box appears.
4. In the Privileges field, select or unselect the privileges as required.
5. Click OK.
If you select a privilege without selecting dependent privileges, then an error message
appears.
Creating User Groups
Use the NMC GUI to create user group resources.
Before you begin
Use NMC to connect to the NetWorker server with a user that is a member of the
Application Administrators or Database Administrators user group.
Procedure
1. From the Administration window, click Configuration.
2. Click User Groups.
3. Right-click User Group, then select Create.
The Create User Group dialog box appears.
4. In the Name attribute, enter a name for the user group.
5. For native Console authentication only, specify the user names in the Users attribute.
6. For LDAP and AD authentication only, specify the users and groups in the External
roles attribute.
7. In the Privileges attribute, select the privileges to assign to the user group.
8. Click OK.
Copying User Groups
Use NMC to copy a User Group.
Before you begin
Use NMC to connect to the NetWorker server with a user that is a member of the
Application Administrators or Database Administrators user group.
Procedure
1. From the Administration window, click Configuration.
2. Click User Groups.
3. Right-click the user group to copy, then select Copy.
The Create User Group dialog box appears, and contains the same information as the
user group that was copied, except for the Name attribute.
4. In the Name attribute, enter a name for the new user group.
5. Edit the other attributes as appropriate, then click OK.
Deleting User Groups
Use the NMC GUI to delete User Groups.
Before you begin
Use NMC to connect to the NetWorker server with a user that is a member of the
Application Administrators or Database Administrators user group.

Procedure
1. From the Administration window, click Configuration.
2. Click User Groups.
3. Right-click the user group to delete, then select Delete.
4. When prompted, click Yes to confirm the deletion.

Note

You cannot delete a preconfigured user group.

Modifying user group membership


Use the External Roles field to manage LDAP/AD user and group membership, or the Users
field to manage OS and NMC user and group membership.

Note

When a user belongs to a large number of groups, the total number of characters for all of
the group names can exceed the buffer size that NetWorker uses to store the group
names. NetWorker excludes characters and group names that exceed the buffer size. If
you add a group to the External roles field or the Users field that is not in the buffer for a
userid, NetWorker does not consider the user to be a member of the User Group.

Modifying user group membership for LDAP/AD users and groups


The authority file distribution process adds LDAP and AD authenticated NMC users with
the Console Security Administrator role on the Console server to the Security
Administrators User Group on all NetWorker servers that the users have the privilege to
manage. These users can modify the Audit Log server and User Group resources only;
they cannot monitor backups or manage other NetWorker resources. Use the External
roles field in the User Group resource to manage LDAP/AD user and group access to the
NetWorker server.
Before you begin
Use NMC to connect to the NetWorker server with a user that is a member of the
Application Administrators or Database Administrators user group.
Procedure
1. From the Administration window, click Configuration.
2. Click User Groups.
3. Right-click the user group, then select Properties.
4. Modify the External roles attribute. When you add a user or group, use one of the
following formats:
• username
• groupname
• Group@LDAP_or_AD_hostname
• username@LDAP_or_AD_hostname
• host=LDAP_or_AD_hostname
• role=role,host=LDAP_or_AD_hostname
If the format of the object is invalid or the object is not found in the LDAP or AD
authority, an error is displayed:

Cannot find group or user object in any configured authority

Note

EMC recommends that you specify usernames when your user accounts are a member
of a large number of groups.

Modifying user group membership for OS users and groups


Use the Users field in the User Group resource to manage NMC and OS user and group
access to the NetWorker server.
Before you begin
Use NMC to connect to the NetWorker server with a user that is a member of the
Application Administrators or Database Administrators user group.
Procedure
1. From the Administration window, click Configuration.
2. Click User Groups.
3. Right-click the user group, then select Properties.
4. In the Users field, specify the NMC user. Specify the username with the following
syntax: name=value[,name=value, ...]
where name can be one of the following:
• user
• group
• host
• domain
• domainsid
• domaintype (either NIS or WINDOMAIN)
For example, to specify a user named patrick on a host named jupiter, enter this line
in the Users attribute:

user=patrick,host=jupiter

Note

The formats user@host, host and user, and similar formats are ambiguous as to
whether host or domain is intended. EMC recommends that you use the name=value
format.

This example shows what to enter to provide NetWorker administrative privileges to
the following:
• The user root from any host.
• The user operator from the hosts mars and jupiter.
• Any users, valid hosts for the users, and valid domains for the users and hosts that
are included in the netgroup netadmins.
In the Users field, type the following information:

user=root
user=operator,host=jupiter
user=operator,host=mars
&netadmins

Consider the following information:
• If the value has spaces, then surround the value in quotation marks, for example:
domain="Domain Admins"
• When you specify a netgroup name, precede the name with an ampersand (&).
• You can use wildcards in place of a value. However, use wildcards with caution
because they can compromise your enterprise security.
• You can specify local and global Windows domain names and groups, for
example, the Administrators group and the Domain Admins group.
• When you log in to the NetWorker server with a domain account, you can only
specify a global group.
• When you log in to the NetWorker server locally, you can only specify local groups.
• When you log in to the NetWorker server with a domain account but the NetWorker
server cannot contact the AD server to verify the username, use multiple names
and values to ensure that NetWorker assigns the appropriate privileges to the
correct users or groups. For example, user=meghan, domain=Engineering or
group=development, domainsid=S-1-5-32-323121-123

Note

EMC recommends that you specify usernames when your user accounts are a member
of a large number of groups.
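The Users attribute syntax described above (name=value pairs, quoted values, &netgroup references, wildcards), as an added parser and membership check; this is example code, not NetWorker's own, and the matching rules it applies and the netgroup contents are assumptions of the model.

```python
"""Parser and membership check for the Users attribute syntax described above.

Added example, not NetWorker code. The name=value form, quoting of values
with spaces, the &netgroup prefix and wildcards follow the text; the matching
rules (every pair in an entry must hold, any one entry grants membership,
'*' matches anything) and the netgroup contents are assumptions of this model.
"""
import fnmatch

VALID_NAMES = {"user", "group", "host", "domain", "domainsid", "domaintype"}
DOMAIN_TYPES = {"NIS", "WINDOMAIN"}
# Constructed netgroup: NIS-style (host, user, domain) triples, None = any.
NETGROUPS = {"netadmins": [("venus", "alice", None), (None, "bob", "corp")]}


def _split_commas(text):
    """Split on commas that are outside double quotes."""
    parts, buf, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if quoted:
        raise ValueError("unbalanced quotes in %r" % text)
    parts.append("".join(buf))
    return parts


def parse_entry(entry):
    """Parse one Users-attribute line into a dict of name -> value.

    '&name' is a netgroup reference and yields {'netgroup': name}. Entries
    without '=' (user@host, a bare host) are rejected as ambiguous.
    """
    entry = entry.strip()
    if entry.startswith("&"):
        return {"netgroup": entry[1:].strip()}
    pairs = {}
    for part in _split_commas(entry):
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError("ambiguous entry %r: use name=value" % part.strip())
        name, value = name.strip().lower(), value.strip()
        if name not in VALID_NAMES:
            raise ValueError("unknown name %r" % name)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # domain="Domain Admins" -> Domain Admins
        if name == "domaintype" and value.upper() not in DOMAIN_TYPES:
            raise ValueError("domaintype must be NIS or WINDOMAIN")
        pairs[name] = value
    return pairs


def _in_netgroup(name, principal):
    """True if one (host, user, domain) triple of the netgroup fits the login."""
    return any(all(want is None or want == principal.get(key)
                   for want, key in zip(triple, ("host", "user", "domain")))
               for triple in NETGROUPS.get(name, []))


def entry_matches(pairs, principal):
    """True if every name=value pair holds; 'group' may be a list of groups."""
    if "netgroup" in pairs:
        return _in_netgroup(pairs["netgroup"], principal)
    for name, pattern in pairs.items():
        actual = principal.get(name)
        values = actual if isinstance(actual, (list, tuple, set)) else [actual]
        if not any(v is not None and fnmatch.fnmatchcase(str(v), pattern)
                   for v in values):
            return False
    return True


def is_member(entries, principal):
    """Membership in the User Group: one matching entry is enough."""
    return any(entry_matches(parse_entry(e), principal) for e in entries)


def audit_entries(entries):
    """Flag entries broader than they may look: wildcard values, and entries
    with no host or domain constraint (they match the user from any host)."""
    findings = []
    for entry in entries:
        pairs = parse_entry(entry)
        if "netgroup" in pairs:
            continue
        if any("*" in v or "?" in v for v in pairs.values()):
            findings.append((entry, "wildcard value"))
        if not {"host", "domain", "domainsid"} & set(pairs):
            findings.append((entry, "no host or domain restriction"))
    return findings


# Constructed Users attribute, following the example in the text.
USERS_ATTRIBUTE = [
    "user=root",
    "user=operator,host=jupiter",
    "user=operator,host=mars",
    "&netadmins",
    'group="Domain Admins",domain=corp',
]
```

Running audit_entries over a real Users attribute is a quick review step before granting a group administrative privileges: it points out which entries match from any host and which rely on wildcards.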

Troubleshooting authorization errors and NetWorker server access issues


This section provides a list of possible causes and resolutions for error messages related
to NetWorker server authorization issues.
Insufficient permissions
This message appears when you attempt to perform NetWorker operations, and the
userid that you used to log in to the NMC server is a member of a large number of
operating system groups.
When a user belongs to a large number of groups, the total number of characters in the
group names can exceed the buffer size that NetWorker uses to store the group names.
NetWorker excludes characters and group names that exceed the buffer size. If you add a
group to the External Roles field in the Configure Login Authentication wizard that is not in
the buffer for a userid, login attempts for that userid fail.
To resolve this issue, edit the User Group resource that the userid is a member of and
perform one of the following steps:
• If you use LDAP/AD authentication, then specify the userid in the External Roles field.
• If you use native NMC authentication, then specify the userid in the Users field.

Note

When you configure LDAP/AD authentication by using the Configure Login Authentication
wizard, specify the userid that is a member of a large number of groups in the External
Roles field.

Component access control


Component access control settings define how to control external and internal system or
component access to the product.

Component authentication
NetWorker hosts and daemons use the nsrauth mechanism to authenticate components
and users, and to prevent user and host impersonation. The nsrauth authentication
mechanism is a strong authentication mechanism based on the Secure Sockets Layer (SSL)
protocol. For Windows and most UNIX hosts, nsrauth uses the SSL protocol provided by
RSA BSAFE SSL. For some UNIX hosts, such as Darwin, HP-UX, Linux ppc64, and Linux390,
nsrauth uses the SSL protocol provided by the OpenSSL library.
The nsrexecd service on each NetWorker host provides the component authentication
services. The first time the nsrexecd process starts on a host, the process creates the
following unique credentials for the host:
• 1024-bit RSA private key
• Self-signed certificate or public key
• NW Instance ID
• my hostname
NetWorker stores these credentials in the NSRLA resource in the local NetWorker
client database, nsrexec. These credentials are known as local host authentication
credentials. NetWorker uses the local host authentication credentials to uniquely identify
the host to other NetWorker hosts in the data zone.
When a NetWorker host communicates with other NetWorker hosts, the nsrauth process
creates an NSR Peer Information resource in the nsrexec database of the target host that
contains the local host authentication credentials of the initiating host. When a NetWorker
host initiates a session connection to another host, the following steps occur:
1. The nsrexecd daemon on the initiating host contacts the nsrexecd daemon on the
target host.
2. The nsrexecd daemon on the initiating host sends the local host authentication
credentials to the target host.
3. The target host compares the local host authentication credentials with the
information stored in the local NSR Peer Information resource.
• If the information provided by the initiating host matches the information stored
in the NSR Peer Information resource on the remote host, then the nsrexecd
daemon creates a session key and establishes an SSL connection between the
two hosts. NetWorker uses AES-128 bit encryption to encrypt the data exchanged
between the two hosts.
• If the information provided by the initiating host does not match the information
stored in the NSR Peer Information resource on the remote host, then the remote
host requests the certificate from the initiating host.
  ◦ If the certificate provided by the initiating host matches the certificate stored
  on the remote host, then the nsrexecd daemon creates a session key and
  establishes an SSL connection between the two hosts. NetWorker uses
  AES-128 bit encryption to encrypt the data exchanged between the two hosts.
  ◦ If the certificate provided by the initiating host does not match the certificate
  stored on the remote host, NetWorker drops the connection between the two
  hosts.
• If the remote host does not contain an NSR Peer Information resource for the
initiating host, the remote host uses the information provided by the initiating
host to create a new NSR Peer Information resource. NetWorker uses the session
key to establish an SSL connection between the two hosts. Component
authentication uses the AES-128 bit encryption method.

Note

For compatibility with earlier NetWorker releases, NetWorker supports oldauth
authentication. EMC recommends that you use nsrauth authentication and only enable
oldauth authentication when two hosts cannot authenticate by using nsrauth.
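The peer-check decision from step 3 above, as an added model that is not NetWorker code: the constructed credentials stand in for the RSA key pair, certificate, NW Instance ID and hostname, no SSL session is opened, and the session key is only a random token. It makes visible that the first contact from an unknown host creates the NSR Peer Information resource from whatever that host presents.

```python
"""Model of the nsrauth peer check described in the steps above.

Added example, not NetWorker code. The constructed credentials stand in for
the host's RSA key pair, self-signed certificate, NW Instance ID and hostname;
no SSL session is opened and the session key is a random token, so only the
accept / request-certificate / drop decision and the NSR Peer Information
bookkeeping are modelled.
"""
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class HostCredentials:
    """Local host authentication credentials, as kept in the NSRLA resource."""
    hostname: str
    nw_instance_id: str
    certificate: str  # stands in for the self-signed certificate / public key


@dataclass(frozen=True)
class Outcome:
    result: str            # "accepted" or "dropped"
    reason: str
    session_key: str = ""  # set only when an SSL connection is established


class TargetHost:
    """The nsrexec database of the target host, holding one NSR Peer
    Information resource per initiating host, keyed by hostname."""

    def __init__(self):
        self.peer_information = {}

    def authenticate(self, presented):
        """Apply step 3 of the text to one connection attempt."""
        stored = self.peer_information.get(presented.hostname)
        if stored is None:
            # No peer resource yet: create it from what the initiator sent.
            self.peer_information[presented.hostname] = presented
            return Outcome("accepted", "new NSR Peer Information resource created",
                           secrets.token_hex(16))
        if stored == presented:
            return Outcome("accepted", "credentials match peer resource",
                           secrets.token_hex(16))
        # Mismatch: the remote host requests the certificate and compares it
        # with the one it stored; the stored resource is left unchanged.
        if presented.certificate == stored.certificate:
            return Outcome("accepted", "certificate matches peer resource",
                           secrets.token_hex(16))
        return Outcome("dropped", "certificate does not match peer resource")


def run_scenario():
    """Four connection attempts from 'clientA' against one target host.

    Returns the list of Outcome.result strings, in order.
    """
    target = TargetHost()
    original = HostCredentials("clientA", "nwid-1111", "cert-A")  # constructed
    attempts = [
        original,                                           # first contact
        original,                                           # unchanged
        HostCredentials("clientA", "nwid-2222", "cert-A"),  # new ID, same cert
        HostCredentials("clientA", "nwid-2222", "cert-B"),  # new ID, new cert
    ]
    return [target.authenticate(a).result for a in attempts]


if __name__ == "__main__":
    for step, result in enumerate(run_scenario(), 1):
        print(step, result)
```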

Configuring access privileges to the NetWorker client database


To modify access to the client database (nsrexec), use the nsradmin program to edit the
administrators list.
Before you begin
Perform the following steps on the target host as the root user on a UNIX host or as an
administrator user on a Windows host.
By default, the administrator attribute grants access to the following users:
l On a UNIX host, any root user on any host can modify the nsrexec database attributes.
l On a Windows host, any user in the administrators group can modify the nsrexec
database attributes.
To modify attributes for a host by using the Local Hosts resource in the NMC GUI, the
administrator attribute of the target host must contain the account that starts the gstd
service on the NMC server.
Procedure
1. Connect to the nsrexec database:

nsradmin -p nsrexec
2. Set the query to the NSRLA resource:

. type: NSRLA
3. Display the NSRLA resource and view the current settings for the administrator
attribute:

print
4. Update the value of the administrator attribute to include the owner of the gstd
process on the NMC server:

append administrator:"user=gstd_owner,host=NMC_host"

where:
l gstd_owner is the user account that starts the gstd daemon on UNIX or the EMC
GST service on Windows. By default, the process owner is the SYSTEM user on
Windows and the root user on UNIX.
l NMC_host is the hostname of the NMC server.


For example, to add the SYSTEM account on a Windows NMC server named
win.emc.com to a UNIX NetWorker client named unix.emc.com, type:

update administrator: root, "user=root,host=unix.emc.com","user=SYSTEM,host=win.emc.com"
5. Type Yes to confirm the change.
6. Type Quit to exit the nsradmin program.

Modifying the authentication methods used by NetWorker hosts


NetWorker enables you to restrict the authentication methods available for
communication between NetWorker hosts and define the priority of authentication
methods used by NetWorker hosts. Use the Configure Local Agent option in NMC or the
nsradmin command to modify the authentication method used by NetWorker hosts.

Using NMC to manage the authentication method


Use the Configure Local Agent option in NMC to manage the authentication method used
by a host.
Before you begin
The gstd process owner must have permission to update the nsrexec database on the
target host. Configuring NetWorker client database access privileges on page 52 provides
more information.
Procedure
1. On the Administration window, select Configuration.
2. In the left navigation pane, expand the NetWorker server, and then expand the Local
Hosts resource.
3. Right-click the target host and select Configure Local Agent.
4. On the Advanced tab, in the Auth Methods attribute, specify the authentication
methods that other NetWorker hosts (peer hosts) can use when initiating a
connection.
Use the following format to specify the Auth Methods value:

IP_Address[mask], authentication_method[/authentication_method]...

where:
l IP_Address[mask] is a single IP address, a single host name, or an IP address and
netmask range. You can specify the number of bits for the mask value or use the
full subnet mask address.
l authentication_method is nsrauth for strong authentication, or oldauth for legacy
authentication.

Note

When you specify more than one authentication method, NetWorker attempts to
communicate with the first method in the list. If the first method fails, then
NetWorker will attempt to communicate by using the second method in the list.
For example:
l To configure host mnd.emc.com to only use nsrauth when communicating with the
host, type:

mnd.emc.com,nsrauth


l To configure all hosts on the 137.69.168.0 subnet to only use nsrauth when
communicating with the host, type:

137.69.160.0/24, nsrauth
l To configure all hosts in the data zone to use nsrauth when communicating with
the host except for a host with the IP address 137.69.160.10, which should try
oldauth first, type the following two lines:

137.69.160.10, oldauth/nsrauth

0.0.0.0, nsrauth

5. Click OK.
6. Restart the NetWorker services or daemons on the target host.

Using nsradmin to manage the authentication method


Use the nsradmin program to manage the authentication method used by a host.
Before you begin
Connect to the target host with an account that has administrator access to the nsrexec
database. Configuring NetWorker client database access privileges on page 52 describes
how to update the administrator list in the NetWorker client database.
Procedure
1. Connect to the nsrexec database:

nsradmin -p nsrexec
2. Set the query type to the NSR Peer Information resource:

. type: nsr peer information


3. Display the current value for the auth methods attribute:

show auth methods

print
4. Update the auth methods attribute, by using the following format:

update auth methods: IP_Address[mask],authentication_method[/authentication_method]

where:
l IP_Address[mask] is a single IP address, a single host name, or an IP address and
netmask range. You can specify the number of bits for the mask value or use the
full subnet mask address.
l authentication_method is nsrauth for strong authentication, or oldauth for legacy
authentication.


Note

When you specify more than one authentication method, NetWorker attempts to
communicate with the first method in the list. If the first method fails, then
NetWorker will attempt to communicate by using the second method in the list.

For example:
l To configure host mnd.emc.com to use only nsrauth when communicating with
the host, type:

update auth methods: mnd.emc.com,nsrauth

l To configure all hosts on the 137.69.168.0 subnet to use only nsrauth when
communicating with the host, type:

update auth methods: 137.69.160.0/24,nsrauth

l To configure all hosts in the data zone to use nsrauth when communicating
with the host, except for a host with the IP address 137.69.160.10, which should try
oldauth first, type the following two lines:

update auth methods: 137.69.160.10,oldauth/nsrauth
0.0.0.0,nsrauth
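An evaluator for the Auth Methods format used both in the NMC step above and in these nsradmin commands, added here as an example and not part of NetWorker. It assumes that entries are matched in the order listed with the first match winning (the page lists the specific 137.69.160.10 entry before 0.0.0.0), that 0.0.0.0 covers every address, and that a host-name entry matches the peer's resolved name case-insensitively; the sample entries are the ones from this page.

```python
"""Auth Methods rule evaluation for the IP_Address[mask], method[/method]... format.

Added example, not NetWorker code. Assumptions: entries are evaluated in the
order listed and the first match wins, "0.0.0.0" means every address, and a
host-name entry matches the peer's resolved name case-insensitively.
"""
import ipaddress
from typing import List, Optional, Tuple, Union

VALID_METHODS = ("nsrauth", "oldauth")
Target = Union[ipaddress.IPv4Network, ipaddress.IPv6Network, str]
Rule = Tuple[Target, List[str]]


def parse_target(text: str) -> Target:
    """IP_Address[mask]: a bare IP, IP/bits, IP/dotted-mask, or a host name."""
    text = text.strip()
    if text == "0.0.0.0":
        return ipaddress.ip_network("0.0.0.0/0")  # catch-all, as in the page's example
    if "/" in text:
        # strict=False accepts both 137.69.160.0/24 and 137.69.160.0/255.255.255.0
        return ipaddress.ip_network(text, strict=False)
    try:
        return ipaddress.ip_network(text)  # single address -> /32 network
    except ValueError:
        return text.lower()  # not an address, so treat it as a host name


def parse_auth_methods(entries: List[str]) -> List[Rule]:
    """Parse lines of the form  IP_Address[mask], method[/method]...  in order."""
    rules: List[Rule] = []
    for raw in entries:
        line = raw.strip()
        if not line:
            continue
        if "," not in line:
            raise ValueError(f"missing ',' between address and methods: {line!r}")
        target, methods = line.split(",", 1)
        order = [m.strip() for m in methods.split("/")]
        bad = [m for m in order if m not in VALID_METHODS]
        if bad:
            raise ValueError(f"unknown authentication method(s) {bad} in {line!r}")
        rules.append((parse_target(target), order))
    return rules


def methods_for_peer(rules: List[Rule], peer_ip: str,
                     peer_hostname: Optional[str] = None) -> List[str]:
    """Return the methods to try, in priority order, for a connecting peer.
    An empty list means no entry covered the peer."""
    addr = ipaddress.ip_address(peer_ip)
    for target, order in rules:
        if isinstance(target, str):
            if peer_hostname and target == peer_hostname.lower():
                return order
        elif addr in target:
            return order
    return []


def entries_allowing_oldauth(rules: List[Rule]) -> List[str]:
    """Audit helper: the entries a reviewer should question, since EMC recommends
    nsrauth and oldauth only as a fallback for hosts that cannot use it."""
    return [f"{target},{'/'.join(order)}" for target, order in rules
            if "oldauth" in order]


if __name__ == "__main__":
    # Entries taken from the examples on this page.
    page_rules = parse_auth_methods([
        "137.69.160.10, oldauth/nsrauth",
        "0.0.0.0, nsrauth",
    ])
    print(methods_for_peer(page_rules, "137.69.160.10"))   # ['oldauth', 'nsrauth']
    print(methods_for_peer(page_rules, "137.69.160.25"))   # ['nsrauth']
    print(entries_allowing_oldauth(page_rules))            # ['137.69.160.10/32,oldauth/nsrauth']
```

Because the first matching entry decides the order, the specific host entry has to precede the 0.0.0.0 entry, exactly as the two-line example above places it; reversing the two lines would make the catch-all swallow the exception.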

Maintaining the NSRLA resource


The NSRLA resource in the nsrexec database contains unique information that identifies a
NetWorker host to other NetWorker hosts.
Use NMC or the nsradmin command to export and import the NSRLA resource. Use the
nwinstcreate program to create a customized private key and certificate.

Exporting the local host credentials


Export the local host credentials for a host to ensure that you have a copy of the unique
credential information. If data loss or corruption of the NSRLA resource occurs, you can
import the local host credentials and restore the original local host credentials to the
NSRLA resource.
Exporting the local host credentials by using NMC
Connect to the NetWorker server with NMC and export the local host credentials.
Before you begin
The gstd process owner must have permission to update the nsrexec database on the
target host. Configuring NetWorker client database access privileges on page 52 provides
more information.
You cannot use NMC to export the local host credentials for a NetWorker host that does
not have an existing client resource configured on the NetWorker server.
Procedure
1. On the Administration window, select Configuration.
2. In the left navigation pane, expand the NetWorker server, and then expand the Local
Hosts resource.
3. Right-click the target host and select Configure Local Agent.
4. On the Advanced tab, in the NW instance info operations attribute, select Export.
5. In the NW instance info file attribute, specify the path and name of the file that will
contain the exported information.


For Windows paths, use a forward slash (/) when you specify the path. For example,
when the mnd_credentials.txt file is in c:\users, specify: c:/users/mnd_credentials.txt.
6. Click OK.
Results
NetWorker exports the local host credential information to the file you specify, on the
target host.

Note

If you do not specify a path to the file, NetWorker creates the export file in the
C:\Windows\system32 directory on a Windows host and in the /nsr/cores/nsrexecd
directory on a UNIX host.

Exporting the local host credentials by using nsradmin


Use the nsradmin program to export the local host credentials.
Before you begin
Connect to the target host with an account that has administrator access to the nsrexec
database. Configuring NetWorker client database access privileges on page 52 describes
how to update the administrator list in the NetWorker client database.
Procedure
1. Connect to the nsrexec database:

nsradmin -p nsrexec
2. Set the query type to NSRLA:

. type: NSRLA
3. Configure the NW instance info operations attribute and the NW instance info file
attribute to export the resource information:

update "NW instance info operations: export", "NW instance info file: pathname_filename"

For example, to export the information to the /home/root/export.txt file on a
UNIX host, type:

update NW instance info operations: export; NW instance info file: /home/root/export.txt

For Windows paths, use a forward slash (/) when you specify the path.
For example, when the mnd_credentials.txt file is in c:\users, specify:
c:/users/mnd_credentials.txt.
Results
NetWorker exports the local host credential information to the file you specify, on the
target host.

Create a custom certificate and private key for a host


NetWorker automatically creates certificate and private keys for each NetWorker host.
However, you can create a certificate and a private key for a host manually.
You might want to do this in special cases, such as when your company policy stipulates
that a host must use a certificate and private key that a trusted random number
generation utility creates. You can import the new certificate and key information to the
NSRLA resource of the host and import the information into the NSR peer information
resource on each host within the enterprise.
Creating a custom certificate and private key
Use the nwinstcreate command to create a custom certificate and private key.
Perform the following steps from a command prompt on the host that will use the custom
certificate and private key. You can import the custom file into the NSRLA resource on the
local host or you can import the custom file into the NSR Peer Information resource for the
host, on other hosts in the data zone.
Procedure
1. Start the nwinstcreate program:

nwinstcreate -ix
2. On the Enter the file name to save NetWorker identify
information into prompt, specify the name of the file to save the custom
certificate and private key or accept the default file name and location.
3. On the Enter a unique NetWorker instance name to identify your
machine prompt, specify an instance name or accept the default value (hostname of
the machine).
NetWorker uses the specified value in the my hostname attribute by default.
4. On the Enter the NetWorker instance id prompt, specify a unique value to
identify the host or accept the default value.
5. On the Enter the file containing the private key prompt, specify the
path and file name of a PEM formatted file that contains the private key for this host. If
your organization does not have a private key, leave the prompt blank and NetWorker
will generate the private key for the host.
6. On Windows hosts only, ensure that the Windows Local System Account (System) has
read, write, and modify privileges for the file that contains the custom certificate and
key.

Importing local host credentials


If you used the nwinstcreate program to export the local host credentials for the host
or you created custom credentials, then you can use NMC or nsradmin to import the
information into the NSRLA resource on a host.
When NSRLA corruption occurs and the nsrexecd program creates new local host
credentials on a host, the nsrauth process will reject all connection attempts between the
host and all other hosts in the data zone that have communicated with the host prior to
the corruption. The nsrauth process rejects the connection because information in NSR
Peer Information resource for the host differs from the new local host credentials that the
host will provide when it attempts to establish a connection. To resolve this issue, import
a copy of the local host credentials for the host into the local NSRLA resource. This
ensures that the local host credentials for the host match the information stored in the
NSR Peer Information resource on all other hosts in the data zone. Resolving NSR Peer
Information conflicts on page 62 describes how to resolve this issue if an exported copy
of the local host credential information is not available.


Importing local host credentials by using NMC


Connect to the NetWorker server with NMC and import the local host credentials.
Before you begin
The gstd process owner must have permission to update the nsrexec database on the
target host. Configuring NetWorker client database access privileges on page 52 provides
more information.
Procedure
1. Copy the file that contains the exported local host credentials to the target host.
2. On UNIX platforms, ensure that the root user has read and write permissions for the
credential file.
For example: chmod 600 export_file_name
3. On the Administration window, select Configuration.
4. In the left navigation pane, expand the NetWorker server, and then expand the Local
Hosts resource.
5. Right-click the target host and select Configure Local Agent.
6. On the Advanced tab, in the NW instance info operations attribute, select Import.
7. In the NW instance info file attribute, specify the path and name of the file that
contains the exported information.
For Windows paths, use a forward slash (/) when you specify the path.
For example, when the mnd_credentials.txt file is in c:\users, specify: c:/
users/mnd_credentials.txt.
8. Click OK.
Results
NetWorker imports the local host credential information to the target host.
Importing local host credentials by using nsradmin
Use the nsradmin program to import local host credentials from a file into the NSRLA
resource of a host.
Before you begin
Connect to the target host with an account that has administrator access to the nsrexec
database. Configuring NetWorker client database access privileges on page 52 describes
how to update the administrator list in the NetWorker client database.
Procedure
1. Copy the file that contains the exported local host credentials to the target host.
2. On UNIX platforms, ensure that the root user has read and write permissions for the
credential file.
For example: chmod 600 export_file_name
3. Connect to the nsrexec database:

nsradmin -p nsrexec
4. Set the query type to NSRLA:

. type: NSRLA


5. Configure the NW instance info operations attribute and the NW instance info file
attribute to import the resource information:

update NW instance info operations: import; NW instance info file: pathname_filename

For example, to import the information from the /home/root/mnd_credentials.txt file
on a UNIX host, type:

update NW instance info operations: import; NW instance info file: /home/root/mnd_credentials.txt

For Windows paths, use a forward slash (/) when you specify the path. For example,
when the mnd_credentials.txt file is in c:\users, specify:
c:/users/mnd_credentials.txt.
6. When prompted to update the resource, type Yes.
7. Exit the nsradmin program:

quit

Maintaining nsrauth authentication credentials


This section describes how to maintain the local host credentials and the NSR Peer
Information resource.

Creating the NSR Peer Information resource manually


When a NetWorker host initiates a connection with another host for the first time,
NetWorker automatically creates an NSR Peer Information resource for the initiating host
in the nsrexec database on the target host. NetWorker uses the information contained in
the NSR Peer Information resource to verify the identity of the initiating host on
subsequent authentication attempts. Manually create the NSR Peer Information resource
on the target client before the two hosts communicate for the first time, to eliminate the
possibility that an attacker could compromise this process.
Creating the NSR Peer Information resource manually by using NMC
Connect to the NetWorker server with NMC to create a new NSR Peer Information resource
for a host.
Before you begin
The gstd process owner must have permission to update the nsrexec database on the
target host. Configuring NetWorker client database access privileges on page 52 provides
more information.
Review the contents of the file that contains the exported local host credentials for the
host and make note of the values in the Name, My hostname, and NW Instance ID
attributes.
Procedure
1. Copy the file that contains the exported local host credentials to the target host.
2. On the View menu, select Diagnostic mode.
3. On the Administration window, select Configuration.
4. Right-click on the target host and then select New.


5. On the Create certificate window, in the Change certificate drop-down menu, select
Load certificate from file.
6. In the Name attribute, enter the Name value from the credential file.
7. In the Instance ID attribute, enter the NW Instance ID value from the credential file.
8. In the Peer Hostname attribute, enter the My Hostname value from the credential file
9. In the Change certificate drop-down, select Load certificate from file.
10.In the Certificate file to load attribute, specify the path and name of the file that
contains the exported local host credentials.
For Windows paths, use a forward slash (/) when you specify the path. For example,
when the mnd_credentials.txt file is in c:\users, specify: c:/users/
mnd_credentials.txt.
11.On UNIX platforms, ensure that the root user has read and write permissions for the
credential file.
For example: chmod 600 export_file_name
12.Click OK.
Creating the NSR Peer Information by using nsradmin
Use the nsradmin program on a host to create an NSR Peer Information resource for
another host.
Before you begin
Connect to the target host with an account that has administrator access to the nsrexec
database. Configuring NetWorker client database access privileges on page 52 describes
how to update the administrator list in the NetWorker client database.
Procedure
1. Copy the file that contains the exported local host credentials to the target host.
2. Connect to the nsrexec database:

nsradmin -p nsrexec
3. Create the NSR Peer Information resource:

create type: NSR Peer Information; name: hostname; NW Instance: nw_instance_id; peer hostname: my_hostname

where:
l hostname is the value that appears in the Name attribute in the credential file.
l nw_instance_id is the value that appears in the NW Instance ID attribute in the
credential file.
l my_hostname is the value that appears in the My hostname attribute in the
credential file.
4. When prompted to create the resource, type Yes.
5. Set the current query to the new NSR Peer Information resource:

. type: NSR Peer Information; name: hostname

6. Update the new NSR Peer Information resource to use the exported certificate:

update: change certificate: load certificate from file; certificate file to load: pathname_filename

For Windows paths, use a forward slash (/) when you specify the path. For example,
when the mnd_credentials.txt file is in c:\users, specify: c:/users/mnd_credentials.txt.
7. When prompted to update the resource, type Yes.
8. Display the hidden properties:

option hidden
9. Display the new NSR Peer Information resource:

print . type: NSR Peer Information;name: hostname
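The export, import and create-peer procedures above are interactive nsradmin sessions. The following Python helper is an added example, not EMC code: it builds the same commands as an input file for nsradmin -i, converts Windows paths to the forward-slash form the procedures require, and applies the chmod 600 that the import procedure asks for. Assumptions: nsradmin executes a command file passed with -i without prompting for confirmation; the instance attribute is spelled NW instance ID, the name the "where" list above gives it; and the certificate update is written as update change certificate: ... without the colon after update, matching the other update commands on this page.

```python
"""Build nsradmin input for the NSRLA export/import and NSR Peer Information
create steps, and keep the credential file private.

Added example, not EMC code. Assumptions: nsradmin accepts a command file via
-i (so the interactive steps can be scripted), attribute names follow the
procedures on this page, and file-mode restriction is meaningful on UNIX only.
"""
import os
import stat
import subprocess
import tempfile
from typing import List


def networker_path(path: str) -> str:
    """NetWorker wants forward slashes even in Windows paths: c:\\users\\f -> c:/users/f."""
    return path.replace("\\", "/")


def export_nsrla_commands(outfile: str) -> List[str]:
    """'Exporting the local host credentials by using nsradmin', steps 2-3."""
    return [
        ". type: NSRLA",
        "update NW instance info operations: export; "
        f"NW instance info file: {networker_path(outfile)}",
    ]


def import_nsrla_commands(infile: str) -> List[str]:
    """'Importing local host credentials by using nsradmin', steps 4-5."""
    return [
        ". type: NSRLA",
        "update NW instance info operations: import; "
        f"NW instance info file: {networker_path(infile)}",
    ]


def create_peer_commands(name: str, instance_id: str, peer_hostname: str,
                         certfile: str) -> List[str]:
    """'Creating the NSR Peer Information by using nsradmin', steps 3-9.
    'NW instance ID' is the attribute name from the procedure's 'where' list
    (assumed to be the exact spelling nsradmin expects)."""
    return [
        f"create type: NSR Peer Information; name: {name}; "
        f"NW instance ID: {instance_id}; peer hostname: {peer_hostname}",
        f". type: NSR Peer Information; name: {name}",
        "update change certificate: load certificate from file; "
        f"certificate file to load: {networker_path(certfile)}",
        "option hidden",
        "print",
    ]


def run_nsradmin(commands: List[str], nsradmin: str = "nsradmin") -> str:
    """Feed the commands to `nsradmin -p nsrexec -i <file>` and return its output.
    Needs a NetWorker host and an account on the nsrexec administrator list;
    it is not exercised by the self-test below."""
    with tempfile.NamedTemporaryFile("w", suffix=".nsradmin", delete=False) as fh:
        fh.write("\n".join(commands) + "\n")
        script = fh.name
    try:
        done = subprocess.run([nsradmin, "-p", "nsrexec", "-i", script],
                              capture_output=True, text=True, check=True)
        return done.stdout
    finally:
        os.unlink(script)


def restrict_credential_file(path: str) -> bool:
    """Apply the chmod 600 the import procedure asks for and confirm it took."""
    os.chmod(path, 0o600)
    return stat.S_IMODE(os.stat(path).st_mode) == 0o600


def demo_restrict() -> bool:
    """Self-contained check of restrict_credential_file on a constructed temp file."""
    with tempfile.NamedTemporaryFile("w", delete=False) as fh:
        fh.write("constructed placeholder, not a real credential export\n")
        path = fh.name
    try:
        os.chmod(path, 0o644)  # start from a world-readable mode
        return restrict_credential_file(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("\n".join(export_nsrla_commands("/home/root/export.txt")))
    print("\n".join(create_peer_commands("mnd.emc.com", "id-0001", "mnd.emc.com",
                                         "c:\\users\\mnd_credentials.txt")))
    print(demo_restrict())  # True
```

Run the generated commands interactively once (with print after each update) before scripting them on many hosts, since the exported file holds the private key and an import into the wrong resource is as disruptive as the credential loss it is meant to repair.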

Deleting the NSR Peer Information resource


When the local host credentials for a NetWorker host change, authentication attempts to
other hosts fail because the credential information stored in the target host does not
match the local host credential information provided by the initiating host.
Use the nsradmin program or the Local Host window in NMC to delete the NSR Peer
Information resource for the initiating host on the target host. The next time the initiating
host attempts to connect to the target host, the nsrauth authentication process will use
the current local host credentials to create a new NSR Peer Information resource for the
initiating host.
Deleting the NSR Peer Information resource by using NMC
Use NMC to connect to the NetWorker server and delete the NSR Peer Information
resource for a NetWorker host.
Before you begin
The gstd process owner must have permission to update the nsrexec database on the
target host. Configuring NetWorker client database access privileges on page 52 provides
more information.

Note

You cannot use NMC to delete the NSR Peer Information resource for a NetWorker host
that does not have an existing client resource configured on the NetWorker server.

Procedure
1. On the Administration window, select Configuration.
2. In the left navigation pane, expand the NetWorker server, and then expand the Local
Hosts resource.
3. Select the NetWorker host with the NSR Peer Information resource that you want to
delete.

Note

The NetWorker host does not appear in the Local Hosts section when a client resource
does not exist on the NetWorker server.

The Certificate window displays a list of NSR Peer Information resources stored in the
nsrexec database on the host.
4. In the Certificate window, right-click the certificate that you want to delete and select
Delete.
5. When prompted to confirm the delete operation, select Yes.
If you receive the error, User username on machine hostname is not on
administrator list, you cannot modify the resource until you configure the
NSRLA access privileges on the target host. Configuring NSRLA access privileges on
page 52 provides more information.
Results
The target host creates a new NSR Peer Information resource for the initiating host the
next time that the initiating host attempts to establish a connection with the target host.
Deleting the NSR Peer Information resource by using nsradmin
Use the nsradmin command on the target host to delete the NSR Peer Information
resource for the initiating host.
Before you begin
Connect to the target host with an account that has administrator access to the nsrexec
database. Configuring NetWorker client database access privileges on page 52 describes
how to update the administrator list in the NetWorker client database.
Procedure
1. Connect to the nsrexec database:

nsradmin -p nsrexec
2. Set the query type to the NSR Peer Information resource of the initiating host:

. type: nsr peer information;name: initiating_host_name

For example, if the hostname of the initiating host is pwd.emc.com, type:

. type: nsr peer information;name: pwd.emc.com


3. Display all attributes for the NSR Peer Information resource:

show
4. Print the attributes for the NSR Peer Information resource and confirm that the name
and peer hostname attributes match the hostname of the initiating host:

print
5. Delete the NSR Peer Information resource:

delete
6. When prompted to confirm the delete operation, type y.
7. Quit the nsradmin program:

quit

Results
The target host creates a new NSR Peer Information resource for the initiating host the
next time that the initiating host attempts to establish a connection with the target host.

Resolving conflicts between the local host credentials and NSR Peer Information resource
After two NetWorker hosts successfully authenticate each other, the target host creates
an NSR Peer Information resource to store the local host credentials of the initiating host.
The target host uses attributes stored in the NSR Peer Information resource to validate
subsequent connection requests from the initiating host. When unexpected data loss or
corruption occurs in the NSRLA resource of the initiating host, the nsrexecd process
creates new local host credentials. When a host with new local host credentials attempts
to connect to another host, the target host rejects the connection request if an NSR Peer
Information resource exists for the initiating host, because the credentials do not match
the contents of the NSR Peer Information resource.
When the local host credentials change for a host, all target hosts that have had a prior
connection with the host will reject a connection attempt. You can resolve this issue in
one of the following ways:
l Manually delete the NSR Peer Information resource for the initiating host in the
NetWorker client database of each target host.

Note

If the NetWorker server is the initiating host, you must delete the NSR Peer
Information resource on each host in the data zone.
l Import a backup copy of the local host credentials on the initiating host.

Importing local host credentials into the NSR Peer Information resource
Use the nsradmin program or the Local Host window in NMC to import the private key
and certificate into the NSR Peer Information resource for the initiating host, on the target
host.
The next time the initiating host attempts to connect to the target host, the nsrauth
authentication process uses the imported local host credentials to create a new NSR Peer
Information resource for the initiating host.
Importing local host credentials by using NMC
Use NMC to connect to the NetWorker server and import the certificate and private key
into the NSR Peer Information resource for a NetWorker host.
Before you begin
The gstd process owner must have permission to update the nsrexec database on the
target host. Configuring NetWorker client database access privileges on page 52 provides
more information.
Procedure
1. On the Administration window, select Configuration.
2. In the left navigation pane, expand the NetWorker server, and then expand the Local
Hosts resource.
3. Right-click the target host and select Configure Local Agent.
4. Select the NetWorker host with the NSR Peer Information resource that you want to
modify.
5. In the Certificate window, right-click the certificate that you want to modify and select
Properties.
6. On the Create certificate window, in the Change certificate drop-down, select Load
certificate from file.
7. In the Certificate file to load attribute, specify the path and name of the file that
contains the exported local host credentials.
If you receive the error, User username on machine hostname is not on
administrator list, you cannot modify the resource until you configure the
NSRLA access privileges on the target host. Configuring NSRLA access privileges on
page 52 provides more information.
8. Click OK.
Importing local host credentials by using nsradmin
Use nsradmin to import the certificate and private key into the NSR Peer Information
resource for a NetWorker host.
Before you begin
Connect to the target host with an account that has administrator access to the nsrexec
database. Configuring NetWorker client database access privileges on page 52 describes
how to update the administrator list in the NetWorker client database.
Procedure
1. Connect to the nsrexec database:

nsradmin -p nsrexec
2. Set the query type to the NSR Peer Information resource of the initiating host:

. type: nsr peer information;name: initiating_host_name


For example, if the hostname of the initiating host is pwd.emc.com, type:

. type: nsr peer information;name: pwd.emc.com


3. Display hidden resources:

option hidden
4. Print the attributes for the NSR Peer Information resource and confirm that the name
and peer hostname attributes match the hostname of the initiating host:

print
5. Update the new NSR Peer Information resource to use the exported certificate:

update: change certificate: load certificate from file;


certificate file to load: pathname_filname

For Windows paths, use a forward slash (/) when you specify the path.For example,
when the mnd_credentials.txt file is in c:\users, specify: c:/users/
mnd_credentials.txt.
6. When prompted to update the resource, type Yes.
7. Display the hidden properties:

option hidden
8. Display the new NSR Peer Information resource:

print . type: NSR Peer Information;name: hostname

Generating a new host certificate key
Use NMC to create a new host certificate key for a NetWorker host.
Before you begin
The gstd process owner must have permission to update the nsrexec database on the target host. Configuring NetWorker client database access privileges on page 52 provides more information.
Procedure
1. On the Administration window, select Configuration.
2. In the left navigation pane, expand the NetWorker server, and then expand the Local Hosts resource.
3. Right-click the target host and select Configure Local Agent.
4. Select the Advanced tab.
5. From the NW Instance Info Operations attribute list, select New Keys.
6. Click OK.
Results
NetWorker generates a new certificate for the NetWorker host. You must delete all existing Peer Information resources for the host on other NetWorker hosts. Deleting the Peer information resource on page 61 describes how to delete the resource.
Component authorization
NetWorker provides you with the ability to restrict remote program executions or client-tasking rights on a NetWorker host.
You can also:
- Define users that can access the data of a NetWorker host and recover the data to a different NetWorker host.
- Restrict client-initiated backups to the NetWorker server.
- Configure the NetWorker server to prevent the start up of new save and recover sessions.

Restricting remote program executions and client-tasking rights
When a NetWorker host requests the right to perform a task on another NetWorker host, the destination host compares the name of the requesting host to the list of host names specified in the servers file on the destination NetWorker host. If the hostname of the requesting host is not in the servers file, then the requesting host does not have client-tasking rights and the destination host rejects the request.
The following table provides a list of tasks that require client-tasking rights.

Operation: Archive request
Entries required in the client servers file: Add the long and short name of the NetWorker server.

Operation: Scheduled backup
Entries required in the client servers file: Add the long and short name of the NetWorker server. For a clustered NetWorker server, add the long and short name of the virtual NetWorker server and all physical nodes.

Operation: Remote directed recovery
Entries required in the client servers file: Add the long and short name of the administering client to the servers file on the destination client.

Operation: NDMP DSA backup
Entries required in the client servers file: Add the long and short name of the NetWorker client that initiates the backup.

The software installation process on Windows and Solaris allows you to specify a list of hosts to add to the servers file. To change the servers file after the installation completes, or to specify hosts on operating systems that do not allow you to configure the file during the installation process, use a text editor to edit the servers file. The servers file resides in the following locations:
- On UNIX and Mac NetWorker hosts: /nsr/res
- On Windows NetWorker hosts: NetWorker_installation_path\res
When you add a NetWorker host to the servers file, ensure that you perform the following tasks:
- Specify both the short name and the FQDN for the host.
- Specify one hostname on each line.
- Restart the nsrexecd service on the host after you save the file.

Note
If the servers file is empty or does not exist, then any NetWorker host has client-tasking rights to the host.

On UNIX computers, you can start the nsrexecd daemon with the -s servername option to assign client-tasking rights to a host. The use of the -s option to start the nsrexecd daemon supersedes the use of the servers file to restrict client-tasking rights.
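As an added example (not EMC code) of the servers file rules this section describes, the following Python models the client-tasking decision made by the destination host and audits a servers file against the hosts that should have rights. The sample file contents, hostnames and function names are constructed for the example.

```python
"""Audit of a NetWorker 'servers' file for client-tasking rights.

Added example, not EMC code. It models the rules this guide states for the
destination host: a requesting host has client-tasking rights only if its
hostname is listed in the servers file (one hostname per line, both the
short name and the FQDN listed); an empty or missing file grants every host
client-tasking rights; on UNIX, nsrexecd -s servername supersedes the file.
"""
from typing import Dict, Iterable, List, Optional, Set


def parse_servers_file(text: Optional[str]) -> Set[str]:
    """Return the hostnames listed in the servers file, lowercased.

    text is None when the file does not exist. Blank lines are ignored.
    Hostnames compare case-insensitively, as DNS names do.
    """
    if text is None:
        return set()
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def has_client_tasking_rights(requesting_host: str,
                              servers_text: Optional[str],
                              nsrexecd_s_options: Iterable[str] = ()) -> bool:
    """Decide whether requesting_host may task this host (the guide's rules)."""
    requester = requesting_host.lower()
    s_hosts = {h.lower() for h in nsrexecd_s_options}
    if s_hosts:
        # nsrexecd was started with -s servername: the option supersedes the file.
        return requester in s_hosts
    allowed = parse_servers_file(servers_text)
    if not allowed:
        # Empty or missing servers file: any NetWorker host has rights.
        return True
    return requester in allowed


def audit_servers_file(servers_text: Optional[str],
                       expected_hosts: Dict[str, str]) -> List[str]:
    """Report deviations from the guidance in this section.

    expected_hosts maps the short name to the FQDN of every host that should
    have client-tasking rights (the NetWorker server, cluster nodes, the
    administering client for directed recoveries, and so on).
    """
    findings: List[str] = []
    allowed = parse_servers_file(servers_text)
    if not allowed:
        findings.append("servers file is empty or missing: every NetWorker "
                        "host has client-tasking rights")
        return findings
    expected_names: Set[str] = set()
    for short, fqdn in expected_hosts.items():
        expected_names.update((short.lower(), fqdn.lower()))
        missing = [n for n in (short, fqdn) if n.lower() not in allowed]
        if missing:
            findings.append(f"{fqdn}: missing {missing} (specify both the "
                            "short name and the FQDN)")
    for name in sorted(allowed):
        if any(c.isspace() for c in name):
            findings.append(f"malformed line {name!r}: specify one hostname "
                            "on each line")
        elif name not in expected_names:
            findings.append(f"{name}: unexpected host has client-tasking rights")
    return findings


# Constructed sample servers file: the short name of the NetWorker server is
# missing, and storage01 was added without the backup team's knowledge.
SAMPLE_SERVERS_FILE = """nwserver.example.com
storage01.example.com
"""
EXPECTED_HOSTS = {"nwserver": "nwserver.example.com"}

if __name__ == "__main__":
    for finding in audit_servers_file(SAMPLE_SERVERS_FILE, EXPECTED_HOSTS):
        print(finding)
```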

Configuring remote recover access rights
You can control client recover access through the Client resource. The Remote Access attribute displays the user accounts that have the ability to recover save sets from the NetWorker host to a different NetWorker host. Add or remove user names depending on the level of security the files require.
Before you begin
Use NMC to connect to the NetWorker server with a user that is a member of the Application Administrators or Database Administrators user group.
Only the users specified in the Remote Access attribute and the following user accounts can perform remote or directed recoveries of the target client data:
- The root user on a target UNIX host.
- Members of the local ‘Administrators’ group on a target Windows host.
- Members of the ‘Application Administrator’ user group on the NetWorker Server.
- Members of a NetWorker Server user group that has the ‘Change Security Settings’ privilege.
The NetWorker Administration Guide describes how to configure and perform remote and directed recoveries.
Procedure
1. From the Administration window, click Configuration.
2. In the left navigation pane, select Clients.
3. Right-click the client and select Properties.
4. On the Globals (2 of 2) tab, in the Remote Access attribute, specify the user accounts that you want to have remote recover access to the client, in one of the following formats:
   - user=username
   - username@hostname
   - hostname
   - host=hostname
   - user=username, host=hostname

   Note
   If you enter a hostname or host=hostname in the Remote Access attribute, then any user on the specified host can recover the files for the client. To enter a username without specifying the host, enter user=username.

5. Click OK.
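As an added example (not EMC code) of the Remote Access entry formats listed in step 4, the following Python parses each format, decides whether a given user on a given host is named by the attribute, and flags entries that grant any user on a host or a user on any host. The sample attribute values are constructed; the always-privileged accounts listed under "Before you begin" are outside this check.

```python
"""Evaluation of the Client resource 'Remote Access' attribute.

Added example, not EMC code. It parses the entry formats this guide lists
(user=username, username@hostname, hostname, host=hostname, and
user=username, host=hostname), decides whether a user on a host is named by
the attribute, and flags entries broader than one user on one host. The
accounts the guide says can always recover (root, local Administrators,
Application Administrators, Change Security Settings) are not modelled.
"""
from typing import List, Optional, Tuple

# (user, host); None means the entry does not constrain that part.
RemoteAccessEntry = Tuple[Optional[str], Optional[str]]


def parse_remote_access_entry(entry: str) -> RemoteAccessEntry:
    """Parse one Remote Access entry into (user, host)."""
    text = entry.strip()
    if not text:
        raise ValueError("empty Remote Access entry")
    if "=" in text:
        # user=username, host=hostname, or either one alone.
        user = host = None
        for part in text.split(","):
            key, sep, value = part.partition("=")
            key, value = key.strip().lower(), value.strip()
            if not sep or not value or key not in ("user", "host"):
                raise ValueError(f"unrecognised Remote Access entry: {entry!r}")
            if key == "user":
                user = value
            else:
                host = value.lower()
        return user, host
    if "@" in text:
        user, _, host = text.partition("@")
        if not user or not host:
            raise ValueError(f"unrecognised Remote Access entry: {entry!r}")
        return user, host.lower()
    # A bare hostname: every user on that host.
    return None, text.lower()


def remote_recover_allowed(remote_access: List[str], user: str, host: str) -> bool:
    """True when some entry in the attribute matches user on host.

    Usernames compare exactly (UNIX usernames are case-sensitive); hostnames
    compare case-insensitively.
    """
    for entry in remote_access:
        entry_user, entry_host = parse_remote_access_entry(entry)
        if (entry_user is None or entry_user == user) and \
           (entry_host is None or entry_host == host.lower()):
            return True
    return False


def audit_remote_access(remote_access: List[str]) -> List[str]:
    """Flag entries that are broader than a single user on a single host."""
    findings: List[str] = []
    for entry in remote_access:
        entry_user, entry_host = parse_remote_access_entry(entry)
        if entry_user is None:
            findings.append(f"{entry.strip()!r}: any user on {entry_host} can "
                            "recover this client's files")
        elif entry_host is None:
            findings.append(f"{entry.strip()!r}: user {entry_user} on any host "
                            "can recover this client's files")
    return findings


# Constructed Remote Access attribute of a Client resource.
SAMPLE_REMOTE_ACCESS = [
    "user=backupadm, host=admin01.example.com",
    "oracle@db01.example.com",
    "restore.example.com",
    "user=dba",
]

if __name__ == "__main__":
    for finding in audit_remote_access(SAMPLE_REMOTE_ACCESS):
        print(finding)
```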
Restrict backup and recover access to the NetWorker server
You can configure the NetWorker server to allow or prevent manual save operations, accept or reject new save sessions, and accept or reject new recovery sessions.

Restricting manual save operations
Use the manual saves attribute in the NSR resource to allow or prevent client-initiated backups to the NetWorker server. This option is enabled by default.
Before you begin
Connect to the NetWorker server with a user that is a member of the Application Administrators or Database Administrators user group.
Procedure
1. From the Administration window, click Configuration.
2. In the left navigation pane, right-click the NetWorker server and select Properties.
3. On the Setup tab, clear Manual saves.
Results
Users cannot use the save command or the NetWorker User application (Windows clients only) to perform backups from any NetWorker host to the NetWorker server.

Rejecting new save sessions
NetWorker 8.0 and later allows you to configure the NetWorker server to reject new save sessions from an in-progress manual or scheduled backup. For example, the NetWorker server can reject new save sessions and allow routine NetWorker Server maintenance, such as a server reboot, to occur without cancelling in-progress backup operations during the shutdown process. By default, the NetWorker server is configured to accept new save sessions. Perform the following steps to prevent the NetWorker server from accepting new save sessions.
Before you begin
Use NMC to connect to the NetWorker server with a user that is a member of the Application Administrators or Database Administrators user group.
Procedure
1. From the Administration window, click Configuration.
2. In the left navigation pane, right-click the NetWorker server and select Properties.
3. On the Miscellaneous tab, clear Accept new sessions.

Rejecting new recover and clone sessions
NetWorker 8.0 and later allows you to configure the NetWorker server to reject new recover and clone sessions. For example, NetWorker can reject recover sessions and allow routine NetWorker Server maintenance, such as a server reboot, to occur without cancelling in-progress recover operations during the shutdown process. By default, the NetWorker server is configured to accept new recover sessions. Perform the following steps to prevent the NetWorker server from accepting new recover sessions.
Before you begin
Use NMC to connect to the NetWorker server with a user that is a member of the Application Administrators or Database Administrators user group.
Procedure
1. From the Administration window, click Configuration.
2. In the left navigation pane, right-click the NetWorker server and select Properties.
3. On the Miscellaneous tab, clear Accept recover sessions.
CHAPTER 3
Log Settings

This chapter describes how to access and manage the log files available in NetWorker.

- NetWorker log files (page 72)
- View log files (page 76)
- Raw log file management (page 79)
- Monitoring changes to the NetWorker server resources (page 82)
- Configuring logging levels (page 83)

NetWorker log files
This section provides a summary of the log files available on NetWorker hosts and log file management.

Table 7 NetWorker log files

Component: NetWorker server and client daemons
File name and default location: UNIX: /nsr/logs/daemon.raw; Windows: C:\Program Files\EMC NetWorker\nsr\logs\daemon.raw
Description: Main NetWorker log file. Use the nsr_render_log program to view the contents of the log file.

Component: NetWorker server generated syslog messages, daemon.notice
File name and default location: UNIX: OS log file defined by the system log configuration file; Windows: C:\Program Files\EMC NetWorker\nsr\logs\messages

Component: NetWorker server generated syslog messages, local0.notice and local0.alert
File name and default location: Log file name and location defined by the system log configuration file.
Description: UNIX only, OS log file. Unlike previous versions of the NetWorker software, NetWorker 8.0 and later does not modify the syslog.conf file to configure local0.notice and local0.alert. Vendor specific documentation describes how to configure local0.notice and local0.alert.

Component: NetWorker server disaster recovery command line wizard, nsrdr program
File name and default location: UNIX: /nsr/logs/nsrdr.log; Windows: C:\Program Files\EMC NetWorker\nsr\logs\nsrdr.log
Description: Contains detailed information about the internal operations performed by the nsrdr program. NetWorker overwrites this file each time you run the nsrdr program.

Component: Cloning
File name and default location: UNIX: /nsr/logs/clone.log; Windows: C:\Program Files\EMC NetWorker\nsr\logs\clone.log
Description: Contains completion information about scheduled clone operations. By default, the Scheduled clone completion and Scheduled clone failure notifications on the NetWorker server send information to the log file.

Component: Index log
File name and default location: UNIX: /nsr/logs/index.log; Windows: C:\Program Files\EMC NetWorker\nsr\logs\index.log
Description: Contains warnings about the size of the client file index and low disk space on the file system that contains the index files. By default, the Index size notification on the NetWorker server sends information to the log file.

Component: Report Home
File name and default location: UNIX: /nsr/logs/report_home/DefaultReportHome_YYMMDDxxxxxx; Windows: C:\Program Files\EMC NetWorker\nsr\logs\DefaultReportHome_YYMMDDxxxxxx
Description: Contains status information about the delivery of the Report Home output file to EMC Support.

Component: Hypervisor
File name and default location: UNIX: /nsr/logs/Hypervisor/; Windows: C:\Program Files\EMC NetWorker\nsr\logs\Hypervisor\

Component: VMware protection policies
File name and default location: UNIX: /nsr/logs/Policy/VMware_protection_policy_name; Windows: C:\Program Files\EMC NetWorker\nsr\logs\Policy\VMware_protection_policy_name
Description: Contains status information about VMware Protection Policy actions. NetWorker creates a separate log file for each action.

Component: Policies
File name and default location: UNIX: /nsr/logs/policy.log; Windows: C:\Program Files\EMC NetWorker\nsr\logs\policy.log
Description: Contains completion information about VMware Protection Policies. By default, the VMware Protection Policy Failure notification on the NetWorker server sends information to the log file.

Component: Snapshot management
File name and default location: UNIX: /nsr/logs/nwsnap.raw; Windows: C:\Program Files\EMC NetWorker\nsr\logs\nwsnap.raw
Description: Contains messages related to snapshot management operations, for example, snapshot creation, mounting, deletion, and rollover operations. Use the nsr_render_log program to view the contents of the log file.

Component: Media management
File name and default location: UNIX: /nsr/logs/media.log; Windows: C:\Program Files\EMC NetWorker\nsr\logs\media.log
Description: Contains device related messages. By default, the device notifications on the NetWorker server send device related messages to the media.log file on the NetWorker server and each storage node.

Component: Windows Bare Metal Recovery (BMR)
File name and default location: The following files in the X:\Program Files\EMC NetWorker\nsr\logs\ directory:
  ossr_director.raw: Contains the recovery workflow of the DISASTER_RECOVERY:\ and any errors related to recovering the save set files or Windows ASR writer errors. Use the nsr_render_log program to view the contents of the log file.
  recover.log: Contains the output generated by the NetWorker recover.exe program and error messages related to critical volume data recovery.
  winPE_wizard.log: Contains work flow information related to the NetWorker BMR wizard user interface.
  winpe_nw_support.raw: Contains output from the winpe_nw_support.dll library. The output provides information about communications between the NetWorker BMR wizard and the NetWorker server. Use the nsr_render_log program to view the contents of the log file.
  winpe_os_support.log: Contains output information related to Microsoft native API calls.

Component: Recovery Wizard
File name and default location: UNIX: /nsr/logs/recovery/recover_config_name_YYYYMMDDHHMMSS; Windows: C:\Program Files\EMC NetWorker\nsr\logs\recovery\recover_config_name_YYYYMMDDHHMMSS
Description: Contains information that can assist you in troubleshooting recovery failures. NetWorker creates a log file on the NetWorker server for each recover job.

Component: NMC server log files
File name and default location: AIX and Linux: /opt/lgtonmc/management/logs/gstd.raw; Solaris: /opt/LGTOnmc/management/logs/gstd.raw; Windows: C:\Program Files\EMC NetWorker\Management\logs\gstd.raw
Description: Contains information related to NMC server operations and management. Use the nsr_render_log program to view the contents of the log file.

Component: NMC server database conversion
File name and default location: Solaris: /opt/LGTOnmc/logs/gstdbupgrade.log; AIX and Linux: /opt/lgtonmc/logs/gstdbupgrade.log; Windows: C:\Program Files\EMC NetWorker\Management\logs\gstdbupgrade.log
Description: Contains the results of the NMC server database conversion performed during an upgrade of a 7.6.x and earlier NMC server.

Component: NMC web server
File name and default location: AIX and Linux: /opt/lgtonmc/management/logs/web_output; Solaris: /opt/LGTOnmc/management/logs/web_output; Windows: C:\Program Files\EMC NetWorker\Management\logs\web_output
Description: Contains messages for the embedded database server on the NMC server.

Component: NMC server database log files
File name and default location: AIX and Linux: /opt/lgtonmc/management/logs/db_output; Solaris: /opt/LGTOnmc/management/logs/web_output; Windows: C:\Program Files\EMC NetWorker\Management\logs\web_output
Description: Contains messages for the embedded Apache httpd web server on the NMC server.

Component: Client push log
File name and default location: UNIX: /nsr/logs/nsrcpd.raw; Windows: C:\Program Files\EMC NetWorker\logs\nsrcpd.raw
Description: Contains information related to the Client Push wizard and the nsrpush command. Use the nsr_render_log program to view the contents of the log file.

Component: Schedule group / savegroup logs
File name and default location: UNIX: /nsr/logs/sg/groupname; Windows: C:\Program Files\EMC NetWorker\logs\sg\groupname
Description: Contains completion information about a server-initiated backup. By default, the Savegroup completion and the Savegroup failure notifications on the NetWorker server send information to the log file.

Component: Rap log
File name and default location: UNIX: /nsr/logs/rap.log; Windows: C:\Program Files\EMC NetWorker\logs\rap.log
Description: Records configuration changes that are made to the NetWorker server resource database.

Component: Security Audit log
File name and default location: UNIX: /nsr/logs/NetWorker_server_sec_audit.raw; Windows: C:\Program Files\EMC NetWorker\logs\Networker_server_sec_audit.raw
Description: Contains security audit related messages.

Component: User log
File name and default location: C:\Program Files\EMC NetWorker\logs\networkr.raw
Description: For Windows only, contains a record of every file that was part of an attempted manual backup or recovery operation initiated by the NetWorker User program. Subsequent manual backup or recover operations overwrite the file. Use the nsr_render_log program to view the contents of the log file.

The EMC NetWorker Administration Guide describes how to configure log file notifications.

View log files
NetWorker sends messages to two types of logs: plain text log files saved with the .log extension, and unrendered log files saved with the .raw extension.
The .log files and the messages that appear in NMC use the locale setting of the service that generates the log message. To view the contents of .log files, use any text editor. Before you can view .raw files in a text editor, render the .raw file into the locale of the local machine. You can render the raw log files manually or configure NetWorker to render the log files at runtime.

Rendering a raw file manually
The nsr_render_log program is non-interactive. When you use the nsr_render_log program to render the contents of the .raw file to the locale of the host where you run the command, nsr_render_log prints the output to stdout. You can redirect this output to a file and view the output in a text editor.
Before you begin
The bin subdirectory in the NetWorker installation directory contains the nsr_render_log program. If the bin directory is not in the search path of the host where you run the command, include the full path when you use the nsr_render_log program. If you do not run the nsr_render_log command from the directory that contains the .raw file, include the path to the .raw file.
The nsr_render_log program supports a number of options that allow you to filter the contents of a .raw file and render the contents into an easy to read format.
Procedure
- To render a raw file into a format similar to a .log file and redirect the output to a text file, type:
  nsr_render_log -c -meapthy raw_filename 1>output_filename 2>&1
  where:
  - raw_filename is the name of the unrendered file. For example, daemon.raw
  - output_filename is the name of the file to direct the output to.
  - -c suppresses the category
  - -m suppresses the message ID
  - -e suppresses the error number
  - -a suppresses the activity ID
  - -p suppresses the process ID
  - -t suppresses the thread ID
  - -h suppresses the hostname
  - -y suppresses the message severity
- To render a .raw file from a remote machine, type:
  nsr_render_log -c -meapthy -R hostname raw_filename 1>output_filename 2>&1
  where:
  - hostname is the name of the host that contains the .raw file.
  - raw_filename is the name of the unrendered file. For example, daemon.raw
  - output_filename is the name of the file to direct the output to.
  - -c suppresses the category
  - -e suppresses the error number
  - -m suppresses the message ID
  - -p suppresses the process ID
  - -a suppresses the activity ID
  - -t suppresses the thread ID
  - -h suppresses the hostname
  - -y suppresses the message severity
- To render a .raw file and only view log file messages for a specific device, type:
  nsr_render_log -c -meapthy -F devicename raw_filename 1>output_filename 2>&1
  where: devicename is the name of the device.
- To render only the most recently logged messages, type:
  nsr_render_log -c -meapthy -B number raw_filename 1>output_filename 2>&1
  where: number is the number of lines that you want to render.

The EMC Command Reference Guide provides detailed information about the nsr_render_log program and the available options.
Rendering raw log files at runtime
You can instruct the NetWorker software to render the daemon.raw and gstd.raw files into the locale of the host at runtime, in addition to creating locale-independent log files. This allows you to view the log file in a text editor without using the nsr_render_log program to render the file first.
Before you begin
Log in to the NetWorker host with the root (UNIX) or administrator (Windows) user account.
To instruct the NetWorker software to render logs in the locale of the machine hosting the file, set the runtime rendered log file attribute in the NSRLA database. For backward compatibility with previous releases of the NetWorker software, runtime rendered log files contain the following attributes:
- Message ID
- Date and time of message
- Rendered message
Procedure
1. From a command prompt, use the nsradmin program to access the NSRLA database:
   nsradmin -p nsrexec
2. Set the resource type to NSR log:
   . type: NSR log
3. Display a list of all log file resources:
   print
   For example, on a Windows NMC server, output similar to the following appears:

   nsradmin> print
   type: NSR log;
   administrator: Administrators,
   "group=Administrators,host=bu-iddnwserver.iddlab.local";
   owner: NMC Log File;
   maximum size MB: 2;
   maximum versions: 10;
   runtime rendered log: ;
   runtime rollover by size: Disabled;
   runtime rollover by time: ;
   name: gstd.raw;
   log path: "C:\\Program Files\\EMC NetWorker\\Management\\GST\\logs\\gstd.raw";

   type: NSR log;
   administrator: Administrators,
   "group=Administrators,host=bu-iddnwserver.iddlab.local";
   owner: NetWorker;
   maximum size MB: 2;
   maximum versions: 10;
   runtime rendered log: ;
   runtime rollover by size: Disabled;
   runtime rollover by time: ;
   name: daemon.raw;
   log path: "C:\\Program Files\\EMC NetWorker\\nsr\\logs\\daemon.raw";
4. Define the log resource that you want to edit:
   . type: NSR log; name: log_file_name
   For example, to select the daemon.raw file, type the following:
   . type: NSR log; name: daemon.raw
5. Use the Runtime rendered log attribute to define the path and filename for the rendered log file.
   For example, to save rendered messages to the file rendered.log in the default NetWorker logs directory on a Windows host, type:
   update runtime rendered log: "C:\\Program Files\\EMC NetWorker\\nsr\\logs\\rendered.log"
6. When prompted to confirm the update, type: y
7. Verify that the attribute value update succeeds:

   nsradmin> print
   type: NSR log;
   administrator: root, "user=administrator,host=bu-iddnwserver.iddlab.local";
   owner: NetWorker;
   maximum size MB: 2;
   maximum versions: 10;
   runtime rendered log: C:\\Program Files\\EMC NetWorker\\nsr\\logs\\daemon.log ;
   runtime rollover by size: Disabled;
   runtime rollover by time: ;
   name: daemon.raw;
   log path: C:\\Program Files\\EMC NetWorker\\Management\\GST\\logs\\daemon.raw;
8. Quit the nsradmin program.

Raw log file management
The NetWorker software manages the size and the rollover of the raw log files.
NetWorker automatically manages the nwsnap.raw and nsrcpd.raw files in the following ways:
- nwsnap.raw: Before a process writes messages to the nwsnap.raw file, the process checks the size of the .raw file. The process invokes the trimming mechanism when the size of the log file is 100 MB or larger. Snapshot management supports up to 10 .raw file versions.
- nsrcpd.raw: When the NetWorker daemons start on the machine, the startup process checks the size of the raw file. The startup process invokes the trimming mechanism when the size of the log file is 2 MB or larger. Client push supports 10 raw file versions.
NetWorker enables you to customize the maximum file size, maximum number of file versions, and the run time rollover of the daemon.raw, gstd.raw, networkr.raw, and Networker_server_sec_audit.raw files. Use the nsradmin program to access the NSRLA database, and modify the attributes that define how large the log file becomes before NetWorker trims or renames the log file.
The following table describes the resource attributes that manage the log file sizes.
Table 8 Raw log file attributes that manage log file size

Attribute: Maximum size MB
Information: Defines the maximum size of the log files.
Default: 2 MB

Attribute: Maximum versions
Information: Defines the maximum number of the saved log files. When the number of copied log files reaches the maximum version value, NetWorker removes the oldest log when a new copy of the log file is created.
Default: 10

Attribute: Runtime rollover by size
Information: When set, this attribute invokes an automatic hourly check of the log file size. When you configure the runtime rendered log attribute, NetWorker trims the runtime rendered log file and the associated .raw file simultaneously.
Default: disabled

Attribute: Runtime rollover by time
Information: When set, this attribute invokes an automatic trimming of the log file at the defined time, regardless of the size. The format of the variable is HH:MM (hour:minute). When you configure the runtime rendered log attribute, NetWorker trims the runtime rendered log file and the associated .raw file simultaneously.
Default: undefined

How the trimming mechanism trims the log files differs depending on how you define the log file size management attributes. The following table summarizes the trimming behavior.

Table 9 Raw log file attributes that manage the log file trimming mechanism

Attribute configuration: When you configure runtime rollover by time or runtime rollover by size
Trimming behavior:
- NetWorker copies the contents of the existing log file to a new file with the naming convention daemondate_time.raw.
- NetWorker truncates the existing daemon.raw to 0 MB.
Note
When this mechanism starts on a NetWorker server that is under a heavy load, this process may take some time to complete.

Attribute configuration: When you do not configure runtime rollover by time or runtime rollover by size
Trimming behavior:
- NetWorker checks the log file size when the nsrexecd process starts on the computer.
- When the log file size exceeds the size defined by the maximum size MB attribute, NetWorker renames the existing log file to log_file_name_date_time.raw, then creates a new empty log file.
Note
When the nsrd daemon or NetWorker Backup and Recover Server service runs for a long time, the size of the log file can become much larger than the value defined by maximum size MB.

Managing raw log file size for the daemon.raw, networkr.raw, and gstd.raw files
To configure the NetWorker software to roll over the .raw file by time, perform the following steps.
Procedure
1. Log in to the NetWorker host with root on UNIX or with administrator on Windows.
2. Use the nsradmin program to access the NSRLA database:
   nsradmin -p nsrexec
3. Set the resource type to NSR log:
   . type: NSR log
4. Display a list of all log file resources:
   print
   For example, on a Windows NMC server, output similar to the following appears:

   nsradmin> print
   type: NSR log;
   administrator: Administrators,
   "group=Administrators,host=bu-iddnwserver.iddlab.local";
   owner: NMC Log File;
   maximum size MB: 2;
   maximum versions: 10;
   runtime rendered log: ;
   runtime rollover by size: Disabled;
   runtime rollover by time: ;
   name: gstd.raw;
   log path: "C:\\Program Files\\EMC NetWorker\\Management\\GST\\logs\\gstd.raw";

   type: NSR log;
   administrator: Administrators,
   "group=Administrators,host=bu-iddnwserver.iddlab.local";
   owner: NetWorker;
   maximum size MB: 2;
   maximum versions: 10;
   runtime rendered log: ;
   runtime rollover by size: Disabled;
   runtime rollover by time: ;
   name: daemon.raw;
   log path: "C:\\Program Files\\EMC NetWorker\\nsr\\logs\\daemon.raw";

5. Define the log resource that you want to edit:
   . type: NSR log; name: log_file_name
   For example, to select the gstd.raw file, type the following:
   . type: NSR log; name: gstd.raw
6. Update the runtime rollover by time attribute with the time at which you want to roll over the log file.
   For example, to configure the gstd.raw file to roll over at 12:34 AM, type:
   update runtime rollover by time: "00:34"
7. When prompted to confirm the update, type: y
8. Verify that the attribute value update succeeds:

   nsradmin> print
   type: NSR log;
   administrator: root, "user=administrator,host=bu-iddnwserver.iddlab.local";
   owner: NMC Log File;
   maximum size MB: 2;
   maximum versions: 10;
   runtime rendered log: ;
   runtime rollover by size: Disabled;
   runtime rollover by time: "00:34";
   name: gstd.raw;
   log path: C:\\Program Files\\EMC NetWorker\\Management\\GST\\logs\\gstd.raw;
9. Quit the nsradmin program.
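As an added example (not EMC code) of the trimming rules in Tables 8 and 9 and of the HH:MM value set in the procedure above, the following Python validates a runtime rollover by time value, decides at a given check whether a .raw file is trimmed, names the copy, and prunes copies beyond maximum versions. Assumed, because the guide does not state them: the date_time stamp format, that the hourly size check runs on the hour, and that it uses the same "exceeds maximum size MB" test as the startup check.

```python
"""Model of the raw log trimming rules in Tables 8 and 9 of this guide.

Added example, not EMC code. Assumptions (the guide does not state them):
the date_time stamp format, that the hourly size check runs on the hour,
and that it uses the same 'exceeds maximum size MB' test as the check at
nsrexecd startup.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple


@dataclass
class NsrLogResource:
    """The NSR log attributes from Table 8, with the guide's defaults."""
    name: str = "daemon.raw"
    maximum_size_mb: int = 2
    maximum_versions: int = 10
    runtime_rollover_by_size: bool = False           # Disabled
    runtime_rollover_by_time: Optional[str] = None   # undefined, else "HH:MM"


def parse_rollover_time(value: str) -> Tuple[int, int]:
    """Validate the HH:MM (hour:minute) format and return (hour, minute)."""
    match = re.fullmatch(r"(\d{2}):(\d{2})", value.strip().strip('"'))
    if not match:
        raise ValueError(f"runtime rollover by time must be HH:MM, got {value!r}")
    hour, minute = int(match.group(1)), int(match.group(2))
    if hour > 23 or minute > 59:
        raise ValueError(f"runtime rollover by time out of range: {value!r}")
    return hour, minute


def should_trim(log: NsrLogResource, size_mb: float, now: datetime,
                nsrexecd_starting: bool = False) -> bool:
    """Apply Table 9 at one check: is the log file trimmed now?"""
    runtime_rollover = False
    if log.runtime_rollover_by_time:
        runtime_rollover = True
        if (now.hour, now.minute) == parse_rollover_time(log.runtime_rollover_by_time):
            return True      # trimmed at the defined time regardless of size
    if log.runtime_rollover_by_size:
        runtime_rollover = True
        if now.minute == 0:  # hourly check of the log file size (assumed on the hour)
            return size_mb > log.maximum_size_mb
    if not runtime_rollover:
        # Neither rollover configured: the size is checked only when nsrexecd starts.
        return nsrexecd_starting and size_mb > log.maximum_size_mb
    return False


def rolled_file_name(log: NsrLogResource, now: datetime, runtime_rollover: bool) -> str:
    """Name of the copy: daemondate_time.raw with runtime rollover configured,
    log_file_name_date_time.raw otherwise (Table 9)."""
    stem = log.name[:-len(".raw")] if log.name.endswith(".raw") else log.name
    stamp = now.strftime("%Y%m%d_%H%M%S")   # assumed date_time format
    return f"{stem}{stamp}.raw" if runtime_rollover else f"{stem}_{stamp}.raw"


def prune_versions(existing_copies: List[str], new_copy: str,
                   maximum_versions: int) -> Tuple[List[str], List[str]]:
    """Keep at most maximum_versions copies after adding new_copy.

    Returns (kept, removed); the stamped names sort chronologically, so the
    oldest copies are removed first, as Table 8 describes.
    """
    copies = sorted(existing_copies + [new_copy])
    excess = max(0, len(copies) - maximum_versions)
    return copies[excess:], copies[:excess]


if __name__ == "__main__":
    gstd = NsrLogResource(name="gstd.raw", runtime_rollover_by_time='"00:34"')
    at_0034 = datetime(2014, 10, 15, 0, 34)
    print(should_trim(gstd, 0.1, at_0034), rolled_file_name(gstd, at_0034, True))
```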

Monitoring changes to the NetWorker server resources
The Monitor RAP (resource allocation protocol) attribute in the NSR resource enables you to track configuration modifications to the NetWorker server resources and attributes. The NetWorker server records these changes in the rap.log file, located in the NetWorker_install_dir\logs directory. Each entry in the rap.log file consists of the user action, the name of the user that performed the action, the name of the source computer, and the time of the change. NetWorker logs sufficient information in the rap.log file to enable an administrator to undo any changes. The Monitor RAP attribute is enabled by default. To disable the attribute setting, perform the following steps.
Before you begin
Use NMC to connect to the NetWorker server with a user that is a member of the Application Administrators or Database Administrators user group.

Note
In NetWorker 8.0 and later, the Security Audit Log feature provides the NetWorker server and the NMC server with the ability to log specific security audit events related to their operations.

Procedure
1. From the Administration window, select Configuration.
2. From the View menu, select Diagnostic mode.
3. Right-click the NetWorker server name in the left navigation pane and select Properties.
4. On the Setup tab, select the Disabled button for the Monitor RAP attribute.

Configuring logging levels


This section describes how to modify the logging levels of the NetWorker and NMC
processes to troubleshoot issues.

Setting the debug level for NetWorker daemons


How you configure the NetWorker daemons to run in debug mode depends on the
daemon.
On a NetWorker server, you can configure the nsrd and nsrexecd daemons to start in debug
mode. The nsrd daemon starts other daemons, as required. To capture debug output for
the daemons that the nsrd daemon starts, use the dbgcommand program.
On an NMC server, you can start the gstd daemon in debug mode.

Starting nsrd and nsrexecd daemons in debug mode on UNIX


The nsrd daemon is the main process for the NetWorker server. To debug problems with
the NetWorker server process, start the nsrd process in debug mode. The nsrexecd
process is the main process for NetWorker client functions. To debug problems related to
NetWorker client functions, start the nsrexecd process in debug mode.
Procedure
1. Log in to the NetWorker host with the root account and stop the NetWorker processes:
nsr_shutdown

2. Start the daemon from a command prompt and specify the debug level.
For example:
l To start the nsrexecd daemon in debug mode, type: nsrexecd -D9 1>filename 2>&1
l To start the nsrd daemon in debug mode, type: nsrd -D9 1>filename 2>&1
where filename is the name of the text file that NetWorker uses to store the debug
messages.
3. After you collect the necessary debug information, perform the following steps:
a. Stop the NetWorker processes by using the nsr_shutdown command.
b. Restart the processes by using the NetWorker startup script:
l On Solaris and Linux, type: /etc/init.d/networker start
l On HP-UX, type: /sbin/init.d/networker start
l On AIX, type: /etc/rc.nsr

Starting the NetWorker daemons in debug mode on Windows


The NetWorker Backup and Recovery service starts the nsrd process, which is the main
process for a NetWorker server. To debug problems with the NetWorker server process,
start the nsrd process in debug mode. The NetWorker Remote Exec service starts the
nsrexecd process, which is the main process for NetWorker client functions. To debug
problems related to NetWorker client functions, start the nsrexecd process in debug
mode.
Procedure
1. Open the Services applet, services.msc.
2. Stop the NetWorker Remote Exec service.
On a NetWorker server this also stops the NetWorker Backup and Recover service.
3. To put a nsrexecd process in debug mode:
a. Right-click the NetWorker Remote Exec service and select Properties.
b. In the Startup Parameters field, type -D x
where x is a number between 1 and 99.
c. Click the Start button.
4. To put the nsrd process in debug mode:
a. Right-click the NetWorker Backup and Recover service and select Properties.
b. In the Startup Parameters field, type -D x
where x is a number between 1 and 99.
c. Click the Start button.
Results
NetWorker stores the debug information in the daemon.raw file.
After you finish
After you capture the debug information, stop the NetWorker services, remove the -D
parameter, and then restart the services.

Starting the NMC server daemon in debug mode


When you can access the NMC GUI, use the Debug Level attribute in the System Options
window to start the gstd daemon in debug mode.
When you cannot access the NMC GUI, use environment variables to start the gstd
daemon in debug mode.

Starting the NMC server daemon in debug mode by using NMC


The gstd daemon is the main NMC server process. To troubleshoot NMC GUI issues, start
the gstd daemon in debug mode.
Before you begin
Log in to the NMC server with an administrator account.
Procedure
1. In the NMC Console, select Setup.
2. On the Setup menu, select System Options.
3. In the Debug Level field, select a number between 1 and 20.
Results
NMC stores the debug information in the gstd.raw file.

After you finish
After you capture the debug information, stop the NetWorker services, set the Debug
Level to 0, and then restart the services.

Starting the NMC server daemon in debug mode by using environment variables

Use an environment variable to put the gstd daemon in debug mode when you cannot
access the NMC GUI.
Setting the GST debug environment variable on Windows
To set the GST debug environment variable on Windows, use the Control Panel system
applet on the NMC server.
Procedure
1. Browse to Control Panel > System and Security > System > Advanced Settings.
2. On the General tab, click Environment Variables.
3. In the System variables section, click New.
4. In the Variable name field, type: GST_DEBUG
5. In the Variable value field, type a number between 1 and 20.
6. Stop and start the EMC gstd service.
Results
NMC stores the debug information in the gstd.raw file.
After you finish
After you capture the debug information, stop the EMC gstd service, remove the
environment variable from the startup file, and then restart the EMC gstd service.
Setting the GST debug environment variable on UNIX
Use a Bourne shell script to put the gstd daemon in debug mode.
Procedure
1. Modify the file permissions for the gst startup file. By default, the file is a read-only
file.
The file location varies depending on the operating system:
l Solaris and Linux: /etc/init.d/gst
l AIX: /etc/rc.gst
2. Edit the file and specify the following at beginning of the file:
GST_DEBUG=x
export GST_DEBUG
where x is a number between 1 and 20.
3. Stop and restart the gstd daemon:
l Solaris and Linux: Type: /etc/init.d/gst stop then /etc/init.d/gst start
l AIX: Type: /etc/rc.gst start then /etc/rc.gst stop
Results
NMC stores the debug information in the gstd.raw file.

After you finish

After you capture the debug information, stop the gstd daemon, remove the environment
variable from the startup file, and then restart the gstd daemon.

Using the dbgcommand program to put a NetWorker process in debug mode


Use the dbgcommand program to generate debug messages for NetWorker daemons and
processes without stopping and starting the NetWorker daemons. You can also use
the dbgcommand program to produce debug information for a process that another
process starts. For example, use the dbgcommand program to put the nsrmmd process in
debug mode.
Procedure
1. From a command prompt on the NetWorker host, determine the process id (PID) of the
daemon or process that you want to debug.
l On Windows: Use the Task Manager to determine the PID.

Note

If you do not see the PID for each process on the Processes tab, navigate to View >
Select Columns, and then select PID (Process Identifier).
l On UNIX, use the ps command. For example, type ps -ef | grep nsr to get a
list of all of the NetWorker processes whose names start with nsr.
2. From a command prompt, type:

dbgcommand -p PID -Debug x

where:
l PID is the process id of the process.
l x is a number between 0 and 9.

Note

0 turns off debugging.

Results
NetWorker logs the process debug information in the daemon.raw file.
After you finish
To turn off debugging, type:

dbgcommand -p PID -Debug=0

Run scheduled backups in debug mode


You can configure NetWorker to log verbose output for all of the client backups in a
scheduled group. You can also configure individual clients in a scheduled group to run in
debug mode.

Running all client backups in a group in verbose mode


Modify the properties of a Group resource to send verbose backup information to the
daemon.raw file, for all clients in a group.
Before you begin
Use NMC to connect to the NetWorker server with a user that is a member of the
Application Administrators or Database Administrators user group.
Procedure
1. On the Administration window, click Configuration.
2. Click Groups in the left navigation pane.
3. Right-click the group and select Properties.
4. On the Advanced tab, in the Options section, select Verbose.
5. Click OK.
Results
At the scheduled time, NetWorker logs debug information for each backup in the
daemon.raw file.
After you finish
When the group backup operations complete, edit the properties of the group and clear
the Verbose option.

Running individual clients in a group in debug mode


Modify the backup command attribute for a Client resource to send verbose backup
information to the daemon.raw file, for individual clients in a group.
Before you begin
Use NMC to connect to the NetWorker server with a user that is a member of the
Application Administrators or Database Administrators user group.
Procedure
1. From the Administration window, click Configuration.
2. Click Clients in the left navigation pane.
3. Right-click the client and select Modify Client Properties.
4. On the Apps & Modules tab, in the Backup command attribute, type:
save -Dx
where x is a number between 1 and 99.
5. Click OK.
Results
At the scheduled time, NetWorker logs debug information for the client backup in the
daemon.raw.

After you finish
When the group backup operations complete, edit the properties of the client and clear
the Backup Command field.

Running group backups manually in debug mode from the command line


Use the savegrp command to manually run group backups from a command line in
debug mode and send the output to a log file.
Procedure
1. From a command prompt on the NetWorker server, type:
savegrp -Dx groupname 1>filename 2>&1
where:
l x is a number between 1 and 99.
l groupname is the name of the backup group.
l filename is the name of the file that stores the debug information.

Running client-initiated backups in debug mode from the command line


Use the save program to perform a client-initiated backup from the command line.
On the host that you want to back up, type the following command:
save -Dx file_system_objects 1>filename 2>&1
where:
l x is a number between 1 and 99.
l file_system_objects is the name of the files or directory to back up.
l filename is the name of the file that stores the debug information.

Note

The NetWorker Command Reference Guide provides detailed information about all of the
available backup options and how to use the save command.

Run Recoveries in debug mode


You can configure NetWorker to log verbose output for recoveries that you run by using
the Recovery Wizard, Windows disaster recoveries, and recoveries that you run by using
the recover command.

Run Recovery Wizard recover jobs in debug mode


You can run recover jobs that you created in the Recovery Wizard by using the Recovery
Wizard or by using the nsrtask program from the command line.

Running a recovery job in debug mode


To send verbose recovery information to the recovery log file, set the debug level of a
recovery job.
Before you begin
Use NMC to connect to the NetWorker server with a user that is a member of the
Application Administrators or Database Administrators user group.

Procedure
1. On the Administration window, click Recover.
2. On the Select the Recovery Options window, select Advanced Options.
l To modify a scheduled recover job, select the job in the Configured Recovers
section and then select Properties.
l To configure a new recover job, select New.

Note

You cannot modify an expired or failed recover job.

3. On the Select Recovery Options window, in the Debug level attribute, select the
debug level.
4. Complete the remaining steps in the Recovery Wizard.
Results
NetWorker logs the debug recovery information to the recover log file.

Running a recovery job in debug mode by using nsrtask


Use the nsrtask command to run a recovery job created by the Recovery Wizard, from a
command prompt.
Procedure
1. On the NetWorker server, type: nsradmin.
2. From the nsradmin prompt:
a. Set the resource attribute to the Recover resource:

. type: nsr recover

b. Display the attributes for the Recover resource that you want to troubleshoot:

print name: recover_resource_name

where recover_resource_name is the name of the Recover resource.


c. Make note of the values in the recover command, recover options, and recover stdin
attributes. For example:

recover command: recover;
recover options: -a -s nw_server.emc.com -c mnd.emc.com -I - -i R;
recover stdin:
"<xml>
<browsetime>
May 30, 2013 4:49:57 PM GMT -0400
</browsetime>
<recoverpath>
C:
</recoverpath>
</xml>";

where:
l nw_server.emc.com is the name of the NetWorker server.
l mnd.emc.com is the name of the source NetWorker client.

3. Confirm that the nsrd process can schedule the recover job:
a. Update the Recover resource to start the recover job:
update: name: recover_resource_name; start time: now
where recover_resource_name is the name of the Recover resource.
b. Quit the nsradmin application.
c. Confirm that the nsrtask process starts.
If the nsrtask process does not start, review the daemon.raw file on the
NetWorker server for errors.
4. To confirm that the NetWorker server can run the recover command on the remote
host, type the following command on the NetWorker server:
nsrtask -D3 -t 'NSR Recover' recover_resource_name
where recover_resource_name is the name of the Recover resource.
5. When the nsrtask command completes, review the nsrtask output for errors.
6. To confirm that the Recovery UI sends the correct recovery arguments to the recover
process:
a. Open a command prompt on the destination client.
b. Run the recover command with the recover options that the Recover resource uses.
For example:

recover -a -s nw_server.emc.com -c mnd.emc.com -I - -i R

c. At the Recover prompt, specify the value in the recover stdin attribute. Do not
include the opening and closing quotation marks (") or the semicolon (;) that appear
with the recover stdin attribute.
If the recover command appears to hang, then review the daemon.raw file for
errors.
d. When the recover command completes, review the recover output for errors. If
the recover command fails, then review the values specified in the Recover
resource for errors.
7. Use the jobquery command to review the details of the Recover job. From a
command prompt on the NetWorker server, type: jobquery
8. From the jobquery prompt, perform one of the following steps:
l Set the query to the Recovery resource and display the results of all recovery jobs
for a Recovery resource:

print name: recover_resource_name

where recover_resource_name is the name of the Recover resource.


l Set the query to a particular jobid and display the results of the job.

print job id: jobid

Where jobid is the jobid of the Recover job that you want to review.

Note

Review the daemon.raw file on the NetWorker server to obtain the jobid for the
recovery operation.

Running Windows BMR recoveries in debug mode


Use the WinPE registry to debug recoveries performed with the BMR Recovery Wizard.
Procedure
1. From a command prompt, type: regedit
2. In the Registry Editor, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Prefs\com\networker\win/P/E/Wizard

3. Change the Data value in the debug_mode attribute from 0 to 1.


4. Start the BMR Recovery Wizard.
Results
The Wizard logs the debug information in the X:\Program
Files\EMC NetWorker\nsr\logs\WinPE_Wizard.log file.
After you collect the debug information, turn off debug mode by changing the Data value
of the debug_mode attribute from 1 back to 0.

Running client-initiated recoveries in debug mode from the command line


Use the recover program with the -D option to perform a client-initiated recovery from
the command line.
For example, on the host that you want to recover the data to, type the following command:

recover -Dx file_system_objects 1>filename 2>&1

where:
l x is a number between 1 and 99.
l file_system_objects is the name of the files or directory to recover.
l filename is the name of the file that stores the debug information.

Note

The NetWorker Command Reference Guide provides detailed information about all of the
available recovery options and how to use the recover command.

CHAPTER 4
Communication Security Settings

This chapter describes how to ensure NetWorker uses secure channels for
communication and how to configure NetWorker in a firewall environment.

l Port usage and firewall support............................................................................. 94
l Special considerations for firewall environments...................................................94
l Determining service port requirements.................................................................. 97
l Configuring service port ranges in NetWorker...................................................... 101
l Configuring the service ports on the firewall........................................................ 104
l Determining service port requirement examples ................................................. 107
l Troubleshooting.................................................................................................. 112

Port usage and firewall support


NetWorker uses a direct socket connection to communicate and move data across the
network to the required service with minimal overhead. While NetWorker opens some
ports for TCP and UDP, NetWorker only requires TCP ports. UDP ports are optional.
NetWorker uses two types of ports, service ports and connection ports.

Service ports
The TCP server processes that run on each NetWorker host use service ports to listen for
inbound connections. Service ports are also known as listener ports or destination ports.
NetWorker uses two types of service ports:
l Fixed ports—NetWorker uses two fixed ports: TCP/7937 and TCP/7938. You must
include these ports in the service port range of each NetWorker host. NetWorker uses
these ports to initiate connections.
l Variable ports—NetWorker dynamically opens ports. A NetWorker host can allocate
any port in the defined service port range and the NetWorker daemons select the
dynamic ports within that range randomly. The default range is 7937-9936 and you
can narrow or expand this range.
To increase security in the environment, reduce the variable ports range to specify only
the minimum number of service ports that the NetWorker software requires. The minimum
value depends on the installation type and the number of hosted NetWorker devices.
NetWorker stores the service port range for a host in the NSR Local Agent (NSRLA)
resource in the NetWorker client database (nsrexec).

Connection ports
NetWorker processes use connection ports to connect to a service. The NetWorker
software requires one connection port for any type of communication between the client,
storage node, and server. Connection ports are also known as communication ports,
source ports, or outbound ports.
NetWorker uses a default range, 0-0, to indicate that the NetWorker software allows the
operating system to select the port for TCP clients. The operating system reserves
connection ports for short-term use and reuses the ports as needed. The operating
system might allow you to configure the dynamic port range, for example, by using the
netsh program on Windows. NetWorker does not require modifications to this range and
EMC recommends that you use the default dynamic port range.
The use of the default port range does not cause security concerns. EMC recommends
that you do not change the range for any NetWorker hosts in the data zone. NetWorker
performance problems or random malfunctions can occur when the range is too narrow.

Special considerations for firewall environments


You can configure some firewall products to close an open connection that is inactive for
a defined period of time. NetWorker uses persistent connections between daemons to
transfer information as efficiently as possible.
Connections open at the start of communication, and close when the communication
finishes. For example, a running backup may have connections open with the following
daemons:
l nsrmmd, to send the backup data.
l nsrindexd, to send the client file index information.
l nsrjobd, to send control and status information.
NetWorker connections between hosts can remain idle for periods of time that exceed the
idle timeout value on the firewall, and as a result, the firewall ends the connection. For
example, the status connection to nsrjobd is frequently idle during a backup. When there
are no error messages to report, the connection will not have traffic until the backup
completes and NetWorker generates the success message.
To prevent the firewall from closing a NetWorker connection prematurely, configure the
firewall to not close idle connections. If you cannot eliminate the firewall timeout, then
configure the data zone to send a keep alive signal between the hosts at an interval that
is shorter than the timeout period defined on the firewall. Configure the keep alive signal
at the operating system level.
When you configure TCP keep alives within NetWorker, NetWorker does not send a keep
alive signal across some connections, for example, between the save and nsrmmd
processes. EMC recommends that you configure TCP keep alive signals at the operating
system level to ensure all connections do not close prematurely. EMC does not
recommend reducing the TIME_WAIT and CLOSE_WAIT intervals on a host to reduce the
demand for connection or service ports. When the intervals are too low, the port for a
process might close while NetWorker is resending data packets to the process. In some
situations, a new instance of a process connects to the port and incorrectly receives the
data packet. This might corrupt the new process.

Configuring TCP keep alives at the operating system level


You can change the TCP KeepAlive parameters temporarily on UNIX or permanently on
UNIX and Windows operating systems. Restart all NetWorker services after you change
the TCP KeepAlive parameters.
Firewall configurations commonly define a one hour idle timeout. EMC recommends that
you set the Wait Time Before Probing and Interval Between Retry Probes
parameters to 57 minutes. The exact value that you use to define these parameters depends
on the unit of measure that the operating system uses.
For example:

57 min = 3420 seconds = 6840 half seconds = 3420000 milliseconds

Note

If the firewall time out is shorter than the common one hour value, further decrease these
values. The network overhead as a result of enabling TCP KeepAlive is minimal.

The following table summarizes the Wait Time Before Probing and Interval
Between Retry Probes parameters for each operating system.

Table 10 Setting TCP parameters for each operating system

AIX
  Temporary setting (the TCP parameter value is defined in half-seconds):
    # no -o tcp_keepidle=6840
    # no -o tcp_keepintvl=6840
  Permanent setting: /etc/rc.net

HP-UX
  Temporary setting (the TCP parameter value is defined in milliseconds):
    # ndd -set /dev/tcp tcp_time_wait_interval 3420000
    # ndd -set /dev/tcp tcp_keepalive_interval 3420000
  Permanent setting: /etc/rc.config.d/nddconf

Linux
  Temporary setting (the TCP parameter value is defined in seconds):
    # sysctl -w net.ipv4.tcp_keepalive_time=3420
    # sysctl -w net.ipv4.tcp_keepalive_intvl=3420
  Permanent setting: Add the net.ipv4.tcp_parameter=tcp_value lines to the
  /etc/sysctl.conf file, then issue the following command:
    RHEL: chkconfig sysctl on
    SLES: chkconfig boot.sysctl on

Solaris
  Temporary setting (the TCP parameter value is defined in milliseconds):
    # ndd -set /dev/tcp tcp_time_wait_interval 3420000
    # ndd -set /dev/tcp tcp_keepalive_interval 3420000
  Permanent setting: Add the ndd commands to the /etc/rc2.d/S69inet file.

Windows
  Temporary setting: n/a
  Permanent setting: Modify the following registry keys:
    HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime
    DWORD=3420000
    HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveInterval
    DWORD=3420000
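The following Bourne shell script is added here as an example; it is not part of the EMC documentation or the NetWorker software. It audits the Linux keep alive values against a firewall idle timeout, the way the guidance above asks you to, and prints the /etc/sysctl.conf lines that correspond to the 57 minute recommendation for a one hour timeout. The sysctl output embedded in the script is constructed, not captured from a real host, and the function names are the example's own.

```shell
#!/bin/sh
# Example (not from EMC or the NetWorker product): audit Linux TCP keep alive
# values against a firewall idle timeout, following the guidance above.

# Constructed sample output of
#   sysctl net.ipv4.tcp_keepalive_time net.ipv4.tcp_keepalive_intvl net.ipv4.tcp_keepalive_probes
# from a host that still runs the kernel defaults (not a capture from a real system).
SAMPLE_SYSCTL='net.ipv4.tcp_keepalive_time = 7200
net.ipv4.tcp_keepalive_intvl = 75
net.ipv4.tcp_keepalive_probes = 9'

# keepalive_value KEY SYSCTL_TEXT
#   Print the value of KEY from "key = value" (sysctl output) or "key=value"
#   (sysctl.conf) lines; prints nothing when the key is absent.
keepalive_value() {
  printf '%s\n' "$2" | awk -F' *= *' -v k="$1" '$1 == k { print $2; exit }'
}

# check_keepalive FIREWALL_IDLE_SECONDS SYSCTL_TEXT
#   Return 0 when both the idle time before the first probe (tcp_keepalive_time)
#   and the interval between probes (tcp_keepalive_intvl) are shorter than the
#   firewall idle timeout; report each offending value and return 1 otherwise.
check_keepalive() {
  fw=$1
  status=0
  for key in net.ipv4.tcp_keepalive_time net.ipv4.tcp_keepalive_intvl; do
    val=$(keepalive_value "$key" "$2")
    if [ -z "$val" ] || [ "$val" -ge "$fw" ]; then
      printf '%s=%s is not below the firewall idle timeout of %s s\n' \
        "$key" "${val:-unset}" "$fw" >&2
      status=1
    fi
  done
  return $status
}

# recommended_sysctl FIREWALL_IDLE_SECONDS
#   Print /etc/sysctl.conf lines that set both parameters to 95% of the firewall
#   timeout: 57 minutes (3420 s) for the common one hour timeout used above.
recommended_sysctl() {
  v=$(( $1 * 95 / 100 ))
  printf 'net.ipv4.tcp_keepalive_time=%s\nnet.ipv4.tcp_keepalive_intvl=%s\n' "$v" "$v"
}

# Usage on a live host: check_keepalive 3600 "$(sysctl -a 2>/dev/null)"
if check_keepalive 3600 "$SAMPLE_SYSCTL"; then
  echo "keep alive settings are shorter than the firewall timeout"
else
  echo "apply the following in /etc/sysctl.conf and restart the NetWorker services:"
  recommended_sysctl 3600
fi
```

The kernel defaults in the sample (7200 s idle, 75 s between probes) fail the check because the idle time exceeds a one hour firewall timeout, which is exactly the situation in which the firewall drops the idle nsrjobd status connection described above. Pass the real firewall timeout as the first argument when it is shorter than one hour.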

Determining service port requirements


Before you modify the service port range on the NetWorker host or on a firewall,
determine the minimum number of required service ports for the NetWorker host.
The number of ports that the NetWorker software daemons and processes require for
communication depends on the NetWorker installation type. This section describes how
to calculate the minimum number of service ports required for each NetWorker
installation type (Client, Storage Node, Server or NMC Server) and how to view or update
the service port range value.
When the data zone uses an external firewall, you must open the service port range in the
firewall for TCP connections. Some operating systems enable personal firewall software
on a host by default. For example, Windows 7 enables Windows Firewall and RedHat
Linux 6 enables iptables. The NetWorker installation process on Windows adds firewall
rules to the Windows firewall for NetWorker. The NetWorker installation process on UNIX
does not add firewall rules to a personal firewall. When you use personal firewall
software on a UNIX host, you must manually create the firewall rules for the NetWorker
software.
When the NetWorker software interacts with other applications in the environment, for
example, a Data Domain appliance, you must define additional service ports on a
firewall.

NetWorker client service port requirements


This section describes the port requirements for standard, NDMP, and Snapshot clients.

Service port requirements for a standard NetWorker client


A standard NetWorker client requires a minimum of 4 TCP service ports to communicate
with the NetWorker server. Snapshot services require two additional ports.
The following table summarizes the TCP service port requirements and the RPC program
number for each program on a NetWorker client.

Table 11 Standard NetWorker Client port requirements to NetWorker server

RPC program number   Port number                                    Daemon/program
TCP/390113           TCP/7937                                       nsrexecd/nsrexec
TCP/390113           TCP/7938                                       nsrexecd/portmap
TCP/390435           Dynamic TCP port from the service port range   nsrexecd/res_minor
TCP/390436           Dynamic TCP port from the service port range   nsrexecd/gss_auth

Service port requirements for an NDMP client


An NDMP client that sends data to an NDMP device requires access to TCP ports through
the firewall only.
The service port range in the NSRLA database on the host does not require modifications.

Service port requirements for Snapshot clients


When you configure a snapshot backup each Snapshot client requires 2 TCP ports for the
PowerSnap service, in addition to the 4 standard client ports.
The following table summarizes the two additional ports that a Snapshot client requires.

Table 12 Additional service port requirements for Snapshot clients

RPC program number                 Port number                                    Daemon/program
TCP/390408 (Snapshot services)     Dynamic TCP port from the service port range   nsrpsd
TCP/390409 (Snapshot services)     Dynamic TCP port from the service port range   nsrpsd/nsrsnapckd

Service port requirements for NetWorker storage nodes


When you calculate the service port requirements for a storage node, only consider the
devices that the storage node manages. To accommodate growth in the environment and
the addition of new devices, EMC recommends that you allocate extra service ports for
the NetWorker storage node. The minimum number of service ports that a storage node
requires is 5. This number includes the four TCP service ports required for a NetWorker
client and one service port for the storage management process, nsrsnmd. NetWorker
requires additional ports and the amount differs for each device type used.
Use the following formulas to calculate storage node port requirements:
l For NDMP-DSA or SnapImage devices: 5 + #backup_streams
l For tape devices: 5 + #devices + #tape_libraries
l For AFTD or Data Domain Boost devices: 5 + #nsrmmds
where:
l #devices is the number of devices connected to the storage node.
l #tape_libraries is the number of jukeboxes that the storage node accesses. The
storage node has one nsrlcpd process for each jukebox.
l #nsrmmds is the sum of the Max nsrmmd count attribute value of each device that the
NetWorker storage node manages.
The following table summarizes the port requirements specific to the storage node
programs.

Table 13 Service port requirements for storage nodes

RPC program number   Port number                                                                      Daemon/program
TCP/390111           Dynamic TCP port from the service port range.                                    nsrsnmd
TCP/390429           Dynamic TCP port from the service port range.                                    nsrlcpd
TCP/390104           Dynamic TCP port from the service port range. Total port number depends on       nsrmmd
                     device type.

Note

In enterprise environments that require the restriction of unattended firewall ports for
security reasons, configure the storage node attributes mmds for disabled devices and
Dynamic nsrmmds unselected (static mode) to prevent a listener from starting on an
inactive nsrmmd port. The NetWorker Administration Guide provides more information.

Service port requirements for the NetWorker server


The NetWorker server requires a minimum of 15 service ports.
Additional ports are required when the NetWorker server manages devices. Additional
port requirements differ for each device type used.
Use the following calculation to determine the service port range:
l For NDMP-DSA or SnapImage devices: 14 + #backup_streams
l For tape devices: 14 + #devices + #tape_libraries
l For AFTD or Data Domain Boost devices: 14 + #nsrmmds
where:
l #devices is the number of devices connected to the NetWorker server.
l #tape_libraries is the number of jukeboxes that the NetWorker server accesses. The
server has one nsrlcpd process for each jukebox.
l #nsrmmds is the sum of the Max nsrmmd count attribute value of each device that the
NetWorker server manages.
To accommodate growth in the environment and the addition of new devices, allocate
extra service ports for the NetWorker server.

Note

The Software Configuration Wizard requires one service port. The port is dynamic and
closes when the wizard closes. If you use the Software Configuration Wizard, add one
additional port to the service port range.
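The following Bourne shell script is added here as an example; it is not part of the EMC documentation or the NetWorker software. It implements the storage node and server formulas above, together with the client and Snapshot client counts from the previous sections, in one function, and checks a proposed service ports value the way the rules in this chapter require: the range must contain the fixed ports 7937 and 7938, stay above port 1024, and be at least as wide as the computed minimum. The function names and the sample device counts are the example's own; the server role uses the printed base of 14 plus device ports, so add one port yourself when you use the Software Configuration Wizard.

```shell
#!/bin/sh
# Example (not from EMC or the NetWorker product): size the service port range
# with the formulas in this chapter and validate a proposed NSRLA range.

# nw_min_service_ports ROLE [DEVTYPE COUNT [LIBRARIES]]
#   ROLE     client | storagenode | server (base of 4, 5 and 14 ports, as printed above)
#   DEVTYPE  snapshot   client running the PowerSnap service: 2 extra ports
#            ndmp       NDMP-DSA or SnapImage: COUNT is the number of backup streams
#            tape       COUNT is the number of devices, LIBRARIES the number of jukeboxes
#            aftd       AFTD or Data Domain Boost: COUNT is the sum of Max nsrmmd count
#            none       no devices hosted (default)
#   Prints the minimum number of TCP service ports.
nw_min_service_ports() {
  role=$1 devtype=${2:-none} count=${3:-0} libs=${4:-0}
  case $role in
    client)      base=4 ;;
    storagenode) base=5 ;;
    server)      base=14 ;;
    *) echo "unknown role: $role" >&2; return 1 ;;
  esac
  case $devtype in
    none)      extra=0 ;;
    snapshot)  extra=2 ;;
    ndmp|aftd) extra=$count ;;
    tape)      extra=$(( count + libs )) ;;
    *) echo "unknown device type: $devtype" >&2; return 1 ;;
  esac
  echo $(( base + extra ))
}

# nw_range_ok RANGE NEEDED
#   RANGE is the service ports value of the NSRLA resource, for example 7937-7960.
#   Returns 0 when the range includes the fixed ports 7937 and 7938, starts above
#   port 1024 and is at least NEEDED ports wide; reports the problem and returns 1
#   otherwise.
nw_range_ok() {
  range=$1 needed=$2
  case $range in
    [0-9]*-[0-9]*) ;;
    *) echo "range must be written as low-high" >&2; return 1 ;;
  esac
  low=${range%-*} high=${range#*-}
  if [ "$low" -le 1024 ]; then
    echo "range $range starts at or below port 1024" >&2; return 1
  fi
  if [ "$low" -gt 7937 ] || [ "$high" -lt 7938 ]; then
    echo "range $range does not include the fixed ports 7937 and 7938" >&2; return 1
  fi
  size=$(( high - low + 1 ))
  if [ "$size" -lt "$needed" ]; then
    echo "range $range has $size ports but $needed are needed" >&2; return 1
  fi
  return 0
}

# Sample sizing (constructed numbers): a storage node with four tape drives in
# one library, and a server whose AFTDs have Max nsrmmd count values that add up
# to 8, plus one port for the Software Configuration Wizard.
sn_ports=$(nw_min_service_ports storagenode tape 4 1)       # 10
srv_ports=$(( $(nw_min_service_ports server aftd 8) + 1 ))  # 23
nw_range_ok 7937-7960 "$srv_ports" && echo "7937-7960 is wide enough for $srv_ports server ports"
```

Run the range check again whenever you add devices or raise a Max nsrmmd count, because the minimum grows with the device count while the range in the NSRLA resource does not change by itself.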

The following table summarizes the port requirements specific to the Server programs.

Table 14 NetWorker server program port requirements

RPC program number   Port number                                    Daemon/program
TCP/390103           Dynamic TCP port from the service port range   nsrd
TCP/390109           User-defined UDP                               nsrd/nsrstat
TCP/390105           Dynamic TCP port from the service port range   nsrindexd
TCP/390107           Dynamic TCP port from the service port range   nsrmmdbd
TCP/390437           Dynamic TCP port from the service port range   nsrcpd
TCP/390433           Dynamic TCP port from the service port range   nsrjobd/jobs
TCP/390439           Dynamic TCP port from the service port range   nsrjobd/rap
TCP/390438           Dynamic TCP port from the service port range   nsrlogd
TCP/390430           Dynamic TCP port from the service port range   nsrmmgd

Note

The UDP port for nsrd/nsrstat is optional. NetWorker uses this port for internal
communications, for example, automatic discovery and initial ping (is alive) checks of
the NetWorker server. Backup and recovery operations do not use this port. NetWorker
does not require this port through an external firewall.

Note

If you restrict unattended firewall ports for security reasons, then use the storage node
attributes mmds for disabled devices and Dynamic nsrmmds unselected (static mode) to
prevent a listener from starting on an inactive nsrmmd port.

Service port requirements for NMC Server


The minimum service port range for the NMC server to communicate with the NetWorker
server is the same as for a standard NetWorker client.
The NMC server also requires two TCP service ports to communicate with each
NetWorker client. The following table summarizes the TCP service port requirements and
the RPC program number for each program on the NMC server.

Table 15 Port requirements from the NMC server to each NetWorker client

RPC program number | Port number | Daemon/program
TCP/390113 | TCP/7937 | nsrexecd/nsrexec
TCP/390113 | TCP/7938 | nsrexecd/portmap

Configuring service port ranges in NetWorker


After you determine the service port requirements for a NetWorker host, you must confirm
which port numbers are available between each host, and then configure the port range
on each NetWorker host and on the firewall.

Determine the available port numbers


Before you define ports in the service ports attribute for a NetWorker host, determine the
current service port allocations for the host by using the netstat -a command.
After you determine which ports are available, you can decide which ports to allocate for
NetWorker host communications. Before you select the ports, consider the following
information:
- The service port range for each NetWorker host must contain ports 7937 and 7938.
The nsrexecd daemon reserves these ports and you cannot change the port
numbers.
- EMC recommends that you select ports within the default range of 7937-9936.
- To avoid conflicts with other daemons or services on the host, do not assign ports
under 1024.
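The check described above, as an added example that is not part of the NetWorker documentation or product: it parses the local port column of `netstat -a` output (the sample lines are constructed, Linux-style; Windows-style lines without the Recv-Q/Send-Q columns are also accepted) and applies the three selection rules to a candidate service port range, reporting any port inside the range that the host already has in use so that you can decide whether it belongs to NetWorker or to another service.

```python
"""Check a candidate NetWorker service port range against a host's netstat output.

Added example, not NetWorker's own code. The netstat sample is constructed.
"""
import re

# Constructed sample of `netstat -a` output; not captured from a real host.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:7937            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:7938            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:7939           10.0.0.9:51422          ESTABLISHED
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp6       0      0 :::9000                 :::*                    LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*
"""

NSREXECD_PORTS = (7937, 7938)   # reserved by nsrexecd; cannot be changed
RECOMMENDED = (7937, 9936)      # window EMC recommends selecting ports from
LOWEST_ALLOWED = 1024           # ports below this are left to other services

# Protocol, optional Recv-Q/Send-Q columns (absent in Windows output), then a
# local address whose port follows the last ':' (Linux/Windows) or '.' (Solaris).
_LOCAL_PORT_RE = re.compile(
    r"^\s*(?:tcp6?|udp6?|TCP|UDP)\s+(?:\d+\s+\d+\s+)?\S*?[:.](\d+)\s")


def allocated_ports(netstat_output):
    """Local port numbers that netstat reports as listening or connected."""
    ports = set()
    for line in netstat_output.splitlines():
        m = _LOCAL_PORT_RE.match(line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def free_ports(netstat_output, start, end):
    """Ports in [start, end] that are not currently allocated on the host."""
    used = allocated_ports(netstat_output)
    return [p for p in range(start, end + 1) if p not in used]


def check_service_port_range(netstat_output, start, end):
    """Problems with a candidate Service ports range; an empty list means the
    range satisfies the selection rules and no foreign process sits inside it."""
    problems = []
    if start < LOWEST_ALLOWED:
        problems.append("range includes ports below %d" % LOWEST_ALLOWED)
    if not (start <= NSREXECD_PORTS[0] and NSREXECD_PORTS[1] <= end):
        problems.append("range does not contain 7937 and 7938")
    if start < RECOMMENDED[0] or end > RECOMMENDED[1]:
        problems.append("range is outside the recommended %d-%d" % RECOMMENDED)
    # 7937/7938 are expected to be bound by nsrexecd, so they are not conflicts.
    busy = sorted(p for p in allocated_ports(netstat_output)
                  if start <= p <= end and p not in NSREXECD_PORTS)
    if busy:
        problems.append("ports already in use on this host: %s" % busy)
    return problems


if __name__ == "__main__":
    print("free 7937-7942:", free_ports(SAMPLE_NETSTAT, 7937, 7942))
    print("problems:", check_service_port_range(SAMPLE_NETSTAT, 1000, 7940))
```

Run it against the real output of `netstat -a` on the host (for example by reading it from a file) instead of the constructed sample; a port reported as busy inside the range is only a conflict if it is not bound by a NetWorker daemon.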

Configuring the port ranges in NetWorker


The service ports attribute in the NSRLA resource defines which TCP ports the
NetWorker processes can listen on and connect to.
Use NMC or the nsrports command to define the service port range on each NetWorker
host in the data zone.

Enabling updates of the NSR system port ranges resource


The nsrexec database on each NetWorker host has its own administrators list. By default,
only users that log in to the NetWorker host locally can update the NSR system port ranges
resource. Perform the following steps to add users to the administrator list of the NSR
system port ranges resource and enable remote updates of the attribute.
Procedure
1. Connect to the target NetWorker host.
2. From a command prompt, use the nsradmin program to connect to the nsrexec
database:
nsradmin -p nsrexec
3. Display the current administrators list:
p NSR system port ranges


In this example, only the local users can update the attributes in the NSR system port
ranges resource:

NetWorker administration program.
Use the "help" command for help, "visual" for full-screen mode.
nsradmin> p NSR system port ranges
type: NSR system port ranges;
service ports: 7937-9936;
connection ports: 0-0;
administrator: *@localhost;
4. Update the administrator attribute to include a remote account:

update administrator: *@localhost, username@system

For example, if you connect to the NMC server with the NMC administrator from the
NMC client mnd.mydomain.com, type:

update administrator: *@localhost, [email protected]

5. When prompted, type y.
6. Exit the nsradmin program:
quit

Configuring the port ranges in NetWorker by using NMC


Use the NMC to view and modify the current port ranges for each NetWorker host.
Before you begin
Use NMC to connect to the NetWorker server with a user that is a member of the
Application Administrators or Database Administrators user group.
Procedure
1. On the Configuration window, select Local Hosts.
2. Right-click the NetWorker host and select Configure Port Ranges.
3. On the General tab, review the value in the Administrators attribute:
- If you see the message:

No privilege to view administrator list

then the account that you used to log in to the NMC server does not have
permission to modify the port ranges. Enabling updates of the NSR system port
ranges resource on page 101 describes how to provide user accounts with the
ability to modify the service port attribute.
- If you see accounts in the Administrators attribute, then update the Service ports
attribute with the calculated service port range. For multiple ranges, type one
range per line.
4. In the Service ports attribute, specify the calculated service port range. For multiple
ranges, type one range per line.

Note

EMC recommends that you do not change the Connection ports attribute from the
default value 0-0.

5. Click Ok.


6. Stop and start the NetWorker services or daemons on the NetWorker host.

Configuring the port ranges in NetWorker by using nsrports


Use the nsrports program to view and modify the current port ranges for each
NetWorker host from a command prompt.

# nsrports -s target_hostname [-S|-C]range

Table 16 nsrports options

Option | Description
-s target_hostname | Optional. Use this option when updating the port range for a remote NetWorker host. Enabling updates of the NSR system port ranges resource on page 101 describes how to enable remote access to the NSR system port ranges resource.
-S range | Sets the service port range to the value specified by range. The default range is 7937-7941. If the range is not a consecutive set of ports, use a space to separate the port values.
-C range | Sets the connection port range to the value specified by range. EMC recommends that you do not change the connection ports attribute from the default value 0-0.

For example, to modify the service port attribute in the NSR system port ranges resource
on myclient.emc.com, perform the following steps:
Procedure
1. Display the current port range:

# nsrports -s myclient.emc.com
Service ports: 7937-7940
Connection ports: 0-0
2. Update the service port range. Separate multiple port ranges with a space. For
example:

nsrports -s myclient.emc.com -S 7937-7938 7978-7979

Note

If you do not have permission to update the NSR system port ranges attribute, an error
message similar to the following appears:

nsrexecd: User 'username' on machine 'hostname' is not on 'administrator' list.

Enabling updates of the NSR system port ranges resource on page 101 describes how to
enable user access to update the NSR system port ranges resource.

3. Confirm the service port attribute updated successfully. For example:

# nsrports -s myclient.emc.com
Service ports: 7937-7938 7978-7979
Connection ports: 0-0

4. Stop and start the NetWorker services or daemons on myclient.emc.com.


Configuring the service ports on the firewall


To enable communication between the NetWorker host and other applications, configure
additional firewall rules.
The NetWorker software may communicate with other applications on ports outside of the
service port range, for example, to communicate with a Data Domain or Avamar Utility
node. The following table summarizes the firewall requirements for each NetWorker
installation type and third-party application.

Table 17 Port requirements for NetWorker communications with third-party applications

Source host | Destination host | Protocol | Ports to open on the firewall
NetWorker client | NetWorker Server | TCP | Port range determined in NetWorker client service port requirements on page 97
NetWorker client | NetWorker Storage Node | TCP | Port range determined in NetWorker client service port requirements on page 97
NetWorker client | NMC server | TCP | Port range determined in NetWorker client service port requirements on page 97
NetWorker client | Data Domain | TCP | 2049, 2052
NetWorker client | Data Domain | TCP/UDP | 111 (Portmapper)
NetWorker client | Avamar - all nodes | TCP | 27000
NetWorker client | Avamar - all nodes | TCP | 29000 (For SSL only)
NetWorker client | Avamar Utility Node | TCP | 28001
NetWorker storage node | NetWorker Client | TCP | Port range determined in NetWorker client service port requirements on page 97
NetWorker storage node | NetWorker Server | TCP | Port range determined in Service port requirements for NetWorker storage nodes on page 98
NetWorker storage node | Data Domain | TCP | 2049, 2052
NetWorker storage node | Data Domain | TCP/UDP | 111 (Portmapper)
NetWorker storage node | ESX Cluster | TCP | 902
NetWorker storage node | vCenter server | TCP | 443
NetWorker storage node (NDMP-DSA or SnapImage) | NetWorker Server | TCP | Port range determined in Service port requirements for NetWorker storage nodes on page 98
NetWorker server | ATMOS server | | 80, 443
NetWorker server | AlphaStor | | 44475
NetWorker server | NDMP filer | TCP | 10000
NetWorker server | NDMP filer | TCP | One user-defined port in the range of 0-1024.
NetWorker server | NetWorker Storage Node (NDMP-DSA or SnapImage) | TCP | 10000. Note: When a NetWorker server uses Windows Firewall, manually create an inbound rule for the nsrdsa_save program to allow communications over TCP port 10000.
NetWorker server | NetWorker Storage Node (NDMP-DSA or SnapImage) | TCP | Port range determined in Service port requirements for NetWorker storage nodes on page 98
NetWorker server | NetWorker Client | TCP | Port range determined in NetWorker client service port requirements on page 97
NetWorker server | NetWorker Storage Node | TCP, UDP | Port range determined in Service port requirements for NetWorker server on page 99. Note: Open the 2 required UDP service ports on the firewall for TCP connections, but there is no need to allow UDP connections through the firewall.
NetWorker server | Data Domain | TCP | 2049, 2052
NetWorker server | Data Domain | TCP/UDP | 111 (portmapper), 161 (Port used by SNMPd to query the Data Domain system)
NetWorker server | Avamar Utility Node | TCP | 7937, 7938, and 2 ports in the range 7939-9936
NetWorker server | DPA | TCP | 3916, 4001
NetWorker server | vCenter server | TCP | 443
NetWorker server | vCenter server | TCP | Port range determined in NetWorker client service port requirements on page 97
NetWorker server | VMware Backup Appliance (EBR/VBA) | TCP | 8543, and the port range determined in NetWorker client service port requirements on page 97
NetWorker server | NMC Server | TCP | Port range determined in Service port requirements for NMC server on page 100
NetWorker server | NetWorker Module for Microsoft Applications | TCP | 6278 (Control port), 6279 (Data port), and the port requirements determined in Service port requirements for Snapshot clients on page 15
NetWorker server | AlphaStor server | TCP | 44475
NetWorker Module for Microsoft | NetWorker Server | TCP | 6278 (Control port), 6279 (Data port), and the port requirements determined in Service port requirements for Snapshot clients on page 15
Avamar Utility Node | NetWorker Client | TCP | 28002
NMC Server | NetWorker server | TCP | Port range determined in Service port requirements for NMC server on page 100
NMC Server | NetWorker client | TCP | Port range determined in Service port requirements for NMC server on page 100
NMC Server | Data Domain | TCP | 161 (Port used by SNMPd to query the Data Domain system)
NMC Server | Data Domain | TCP | 162 (Port used by SNMPtrapd to capture Data Domain SNMP traps)
NMC Client | NMC Server | TCP | 9000 (Port used by HTTPd to download the Console user interface)
NMC Client | NMC Server | TCP | 9001 (Port used to perform RPC calls from the Console Java client to the Console UPD server)
NMC Client | NMC Server | TCP | 2638 (Port used by Tabular Data Stream (TDS) for database queries). You can modify the default port values. How to confirm NMC server service ports on page 107 provides more information.
DPA | NetWorker Server | TCP | 3741
DPA | Data Domain | TCP | 22
DPA | Data Domain | TCP/UDP | 161 (Port used by SNMPd to query the Data Domain system)
DPA | Avamar Utility Node | TCP | 55555
Data Domain | NMC Server | TCP/UDP | 162 (Port used by SNMPtrapd to capture Data Domain SNMP traps)
Data Domain | DPA | TCP/UDP | 162 (Port used by SNMPtrapd to capture Data Domain SNMP traps)
VMware Backup Appliance (VBA/EBR) | NetWorker Server | TCP | 8080, and the port range determined in NetWorker client service port requirements on page 97

How to confirm the NMC server service ports

The NMC server installation process prompts you to define the service ports that the NMC
server will use.
To confirm the defined port numbers, review the gstd.conf file and look for the
following lines:
- http_svc_port = http_service_port
- clnt_svc_port = client_service_port
- int db_svc_port = client_db_port
where http_service_port, client_service_port, and client_db_port are port numbers. By
default, the HTTP service port is 9000 and the client service port used to make RPC calls
is 9001.
If you change the port values in the gstd.conf file, then you must restart the gstd
daemon.

Note

The gstd.conf file is located in NMC_install_dir/GST/etc on UNIX and
NMC_install_dir\GST\etc on Windows.
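A way to turn that check into a comparison against the firewall, as an added example that is not NMC's own code: it assumes gstd.conf uses the `key = value` lines named above (including the `int db_svc_port` form) and may carry `#` comments, falls back to the documented defaults (9000, 9001, 2638) when a line is absent, and reports which configured NMC ports a given inbound rule set does not yet allow. The file content and the rule set are constructed.

```python
"""Read the NMC server service ports from gstd.conf and compare them with the
TCP ports an inbound firewall rule set already opens to the NMC server.

Added example, not NMC's own code; sample file content is constructed."""
import re

SAMPLE_GSTD_CONF = """\
# constructed sample of gstd.conf; not copied from a real installation
http_svc_port = 9000
clnt_svc_port = 9010   # changed from the default 9001
int db_svc_port = 2638
"""

# Defaults documented above; 2638 is the TDS database port from Table 17.
DEFAULT_PORTS = {"http_svc_port": 9000, "clnt_svc_port": 9001, "db_svc_port": 2638}

# Optional 'int' type prefix, key, '=', numeric value, optional trailing comment.
_SETTING_RE = re.compile(r"^\s*(?:int\s+)?(\w+)\s*=\s*(\d+)\s*(?:#.*)?$")


def parse_gstd_conf(text):
    """Port settings from gstd.conf, with the default for any missing line."""
    ports = dict(DEFAULT_PORTS)
    for line in text.splitlines():
        m = _SETTING_RE.match(line)
        if m and m.group(1) in ports:
            ports[m.group(1)] = int(m.group(2))
    return ports


def nmc_client_ports(text):
    """TCP ports an NMC client must be able to reach on the NMC server."""
    p = parse_gstd_conf(text)
    return sorted({p["http_svc_port"], p["clnt_svc_port"], p["db_svc_port"]})


def missing_firewall_ports(text, opened_tcp_ports):
    """Configured NMC ports that the firewall does not yet allow inbound."""
    opened = set(opened_tcp_ports)
    return [port for port in nmc_client_ports(text) if port not in opened]


if __name__ == "__main__":
    # Constructed rule set that still opens the default client service port.
    opened_by_firewall = [9000, 9001, 2638]
    print("configured:", parse_gstd_conf(SAMPLE_GSTD_CONF))
    print("missing on firewall:", missing_firewall_ports(SAMPLE_GSTD_CONF, opened_by_firewall))
```

Point `parse_gstd_conf` at the real file under NMC_install_dir/GST/etc; a non-empty result from `missing_firewall_ports` means the rules were written for the old values and need updating before you restart gstd.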

Determining service port requirement examples


This section provides three examples to determine firewall port requirements. In each
example, the NetWorker Server resides in the secure network.
Each example uses the following IP addresses and host names:

192.167.10.101 client_A
192.167.10.102 client_B
192.167.10.103 client_C
192.167.10.104 client_D
192.167.10.105 client_E
192.167.10.106 client_F
196.167.10.124 storage_node_X
192.167.10.125 storage_node_Y
192.167.10.127 storage_node_Z
192.167.10.126 NW_server

Calculating service port ranges for a bi-directional firewall configuration

Figure 7 Uni-directional firewall with storage nodes

In this example:
- The Service port attribute on each client specifies a minimum of four service ports, for
example: 7937–7940.

Note

To simplify the configuration, configure each client to use the same four service port
numbers.

- The firewall must allow outbound traffic, to the IP address of each NetWorker Client,
on each of the service ports defined in the Service port attribute on the NetWorker
Client. Because each client can specify the same port numbers, the firewall only
needs to allow four ports for each client IP address. These port numbers can be a
subset of the port numbers used by the NetWorker Server, as in this example.
- In pseudo syntax, the firewall rule for the service ports would look like this:

TCP, Service, src 192.167.10.*, dest 192.167.10.101, ports 7937-7940, action accept
TCP, Service, src 192.167.10.*, dest 192.167.10.102, ports 7937-7940, action accept
TCP, Service, src 192.167.10.*, dest 192.167.10.103, ports 7937-7940, action accept
...

In the previous pseudo syntax, the firewall configuration allows:
- Incoming service connections to the IP address of the NetWorker server on ports
7937–7958, from the IP addresses of each storage node, client, and any other host
on the subnet.
- Connections to the IP addresses for each storage node on ports 7937–7948, and to
each client IP address on ports 7937–7940. Ensure that you configure each
NetWorker host with the appropriate port range, then restart the NetWorker services
on each host.
This is the most stringent configuration possible, but difficult to maintain.
To simplify the configuration and administration of the data zone, assign a range of 22
ports, 7937–7958, to each host, and then configure the firewall to allow traffic to these
ports on any host, from any host.
In pseudo syntax, the firewall rule for the service ports would look like this:

TCP, Service, src 192.167.10.*, dest 192.167.10.*, ports 7937-7958, action accept

Calculating service ports for a uni-directional firewall environment with storage nodes

This example describes how to apply the basic rules of service port calculations to a
sample network. In this example there is one NetWorker Storage Node on either side of
the firewall. Clients D, E, and F in the secure network back up data to the storage node in
the secure network. Clients A, B, and C in the insecure network back up data to the
storage node in the insecure network. The firewall protects each host in the secure
network. The firewall does not protect hosts in the insecure network. The firewall blocks
network traffic from insecure to secure.
Figure 8 Uni-directional firewall with storage nodes

This example requires you to only open service ports for the NetWorker Server on the
firewall to allow inbound traffic. Calculate the service port requirements for the NetWorker
Server with this formula:

14 + (num devices) + (num libraries) + 1 (client push) = 14 + 6 + 1 + 1 = 22

In this example:
- The Service ports attribute of the NetWorker Server contains the range: 7937-7958.
- The firewall must allow inbound traffic to the IP address of the NetWorker Server on
each service port with the exception of the UDP port. In this example, 22 ports in the
range of 7937 to 7958 must allow inbound traffic to the NetWorker server.
- In pseudo syntax, the firewall rule for the service ports would look like this:

TCP, Service, src 192.167.10.*, dest 192.167.10.126, ports 7937-7958, action accept

Calculating service ports in a bi-directional firewall environment with Data Domain

This example shows how to apply the basic rules to a sample network with clients A, B
and C, one storage node X, and a Data Domain appliance in an insecure network. The
NetWorker server and NMC server are in a secure network. A single firewall separates the
secure network from the insecure network. The NetWorker server has a tape library and
six drives. The client sends backup data to the Data Domain appliance and each client
acts as an NMC client.
Figure 9 Bi-directional firewall with Data Domain appliance

System port requirements for the NetWorker Server

Calculate the service port requirements for the NetWorker Server with this formula:

14 + (num devices) + (num libraries) = 14 + 6 + 1 = 21 service ports


In this example:
- Configure the Service port attribute on the NetWorker Server to use a minimum of 21
service ports, for example: 7937–7957.
- Configure the firewall to allow inbound traffic, to the IP address of the NetWorker
Server:
  - On the 21 service ports specified in the Service port attribute of the NetWorker
Server. The UDP port is not required.
  - On TCP ports 2049 and 2052 for Data Domain connectivity.
  - On TCP ports 111 and 161 for Data Domain connectivity.
In pseudo syntax, the firewall rules for the service ports would look like this:

TCP, Service, src 192.167.10.*, dest 192.167.10.126, ports 7937-7957, action accept
TCP, Service, src 192.167.10.*, dest 192.167.10.126, ports 2049, action accept
TCP, Service, src 192.167.10.*, dest 192.167.10.126, ports 2052, action accept
TCP, Service, src 192.167.10.*, dest 192.167.10.126, ports 111, action accept
UDP, Service, src 192.167.10.*, dest 192.167.10.126, ports 111, action accept
TCP, Service, src 192.167.10.*, dest 192.167.10.126, ports 161, action accept
UDP, Service, src 192.167.10.*, dest 192.167.10.126, ports 161, action accept

Service port requirements for the NetWorker storage node

The storage node is in the insecure network and uses a Data Domain appliance. There are
two Data Domain devices and each device uses a Max nsrmmd count value of 4. The
Dynamic nsrmmds attribute is enabled on the storage node.
Calculate the service port requirements for the NetWorker storage node with this formula:

5 + 8 = 13 service ports

In this example:
- The Service port attribute on the NetWorker storage node must specify a minimum of
13 service ports, for example: 7937–7949.
- The firewall must allow outbound traffic, from the NetWorker server to the IP address
of the NetWorker storage node:
  - On the 13 service ports specified in the Service port attribute of the NetWorker
storage node.
  - On TCP ports 2049 and 2052 for Data Domain connectivity.
  - On TCP/UDP port 111 for Data Domain connectivity.
In pseudo syntax, the firewall rules for the service ports would look like this:

TCP, Service, src 192.167.10.126, dest 192.167.12.125, ports 7937-7949, action accept
TCP, Service, src 192.167.126.*, dest 192.167.10.125, ports 2049, action accept
TCP, Service, src 192.167.126.*, dest 192.167.10.125, ports 2052, action accept
TCP, Service, src 192.167.126.*, dest 192.167.10.125, ports 111, action accept
UDP, Service, src 192.167.126.*, dest 192.167.10.125, ports 111, action accept


Service port requirements for the NetWorker Client

There are NetWorker clients in the insecure network. Each client requires four service
ports. Two ports must be 7937 and 7938.
In this example:
- The Service port attribute on each client specifies a minimum of four service ports, for
example: 7937–7940.

Note

To simplify the configuration, configure each client to use the same four service port
numbers.

- The firewall must allow outbound traffic, to the IP address of each NetWorker client,
on the four service ports defined in the Service port attribute of the NetWorker client.
These port numbers can be a subset of the port numbers that the NetWorker server
uses.
- In pseudo syntax, the firewall rules for the service ports would look like this:

TCP, Service, src 192.167.10.*, dest 192.167.10.101, ports 7937-7940, action accept
TCP, Service, src 192.167.10.*, dest 192.167.10.102, ports 7937-7940, action accept
TCP, Service, src 192.167.10.*, dest 192.167.10.103, ports 7937-7940, action accept
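The arithmetic behind the uni-directional and the bi-directional Data Domain examples above, carried through in code as an added example that is not part of the NetWorker documentation or product. It applies the formulas the examples state (server: 14 + devices + libraries, plus 1 for client push; storage node: 5 + the Max nsrmmd count of each device; client: 4), turns a count into the contiguous Service ports value that starts at the two reserved nsrexecd ports, and writes the rules in the examples' pseudo syntax. Addresses come from the host list above; as a simplification of the rules printed in the text, the storage node rules use the NetWorker server address as the source and storage_node_Y's address as the destination.

```python
"""Service port counts, Service ports values and pseudo-syntax firewall rules
for the firewall examples.

Added example, not NetWorker's own code. Addresses are those of the examples'
host list; the storage node rules are simplified as described in the lead-in."""

NSREXECD_BASE = 7937      # 7937 and 7938 are reserved by nsrexecd and start every range
CLIENT_SERVICE_PORTS = 4  # a NetWorker client needs four service ports

NW_SERVER = "192.167.10.126"
STORAGE_NODE_Y = "192.167.10.125"
CLIENTS_A_B_C = ("192.167.10.101", "192.167.10.102", "192.167.10.103")
ANY_HOST_ON_SUBNET = "192.167.10.*"


def server_service_ports(num_devices, num_libraries, client_push=False):
    """14 fixed server ports + one per device + one per library (+1 for client push)."""
    return 14 + num_devices + num_libraries + (1 if client_push else 0)


def storage_node_service_ports(max_nsrmmd_counts):
    """5 fixed storage node ports + the Max nsrmmd count of every device."""
    return 5 + sum(max_nsrmmd_counts)


def port_range(count, base=NSREXECD_BASE):
    """Contiguous Service ports value for `count` ports, e.g. 21 -> '7937-7957'."""
    if count < 2:
        raise ValueError("a service port range must contain both 7937 and 7938")
    return "%d-%d" % (base, base + count - 1)


def rule(proto, src, dest, ports, action="accept"):
    """One rule line in the pseudo syntax the examples use."""
    return "%s, Service, src %s, dest %s, ports %s, action %s" % (
        proto, src, dest, ports, action)


def data_domain_rules(src, dest, snmp=False):
    """Data Domain connectivity: TCP 2049 and 2052, TCP/UDP 111 and, where the
    example lists it (NetWorker server only), TCP/UDP 161 for SNMP."""
    rules = [rule("TCP", src, dest, "2049"), rule("TCP", src, dest, "2052"),
             rule("TCP", src, dest, "111"), rule("UDP", src, dest, "111")]
    if snmp:
        rules += [rule("TCP", src, dest, "161"), rule("UDP", src, dest, "161")]
    return rules


def unidirectional_example():
    """Uni-directional firewall with storage nodes: only the server's inbound
    service ports cross the firewall; 6 devices, 1 library, client push."""
    count = server_service_ports(6, 1, client_push=True)  # 22
    return [rule("TCP", ANY_HOST_ON_SUBNET, NW_SERVER, port_range(count))]


def bidirectional_example():
    """Bi-directional firewall with Data Domain: server with 6 drives and 1
    library, storage node with two devices at Max nsrmmd count 4, clients A-C."""
    rules = []
    server_count = server_service_ports(6, 1)                       # 21
    rules.append(rule("TCP", ANY_HOST_ON_SUBNET, NW_SERVER, port_range(server_count)))
    rules += data_domain_rules(ANY_HOST_ON_SUBNET, NW_SERVER, snmp=True)
    sn_count = storage_node_service_ports([4, 4])                   # 13
    rules.append(rule("TCP", NW_SERVER, STORAGE_NODE_Y, port_range(sn_count)))
    rules += data_domain_rules(NW_SERVER, STORAGE_NODE_Y)
    for client in CLIENTS_A_B_C:
        rules.append(rule("TCP", ANY_HOST_ON_SUBNET, client,
                          port_range(CLIENT_SERVICE_PORTS)))
    return rules


if __name__ == "__main__":
    for line in unidirectional_example() + bidirectional_example():
        print(line)
```

Because every count feeds `port_range`, adding a device or a library changes the server value, the rule and the Service ports attribute together, which is the consistency the troubleshooting entries below ("Service is using port ... outside of configured ranges") depend on.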

Troubleshooting

This section contains solutions to some common problems encountered when you
configure NetWorker in a firewalled environment.

Backups appear to stop responding or slow down dramatically

When you configure a firewall to drop packets outside an allowed range, but the firewall
configuration does not allow for proper NetWorker connectivity:
- NetWorker will not get proper notification that a connection is not possible.
- The socket connections might not close correctly and remain in a TCP FIN_WAIT state.
As a result, NetWorker will require more ports for client connectivity.
To avoid these issues, configure the firewall to reject packets outside the allowed range.
When the firewall rejects packets, NetWorker receives an immediate notification of any
connection failures and the remaining operations continue.
If you cannot configure the firewall to reject packets, reduce the TCP timeout values on
the NetWorker server's operating system to reduce the impact of the problem. The
Performance Optimization and Planning Guide describes how to change TCP timeout
values.

Cannot bind socket to connection port range on system hostname

This message appears in the savegroup messages or in stdout during manual operations
when there are insufficient connection ports available and NetWorker cannot establish a
connection.
To resolve this issue, ensure that the Connection port attribute in the NSR System Port
ranges resource is 0-0 on the host specified by hostname.

Failed to bind socket for service_name service: Can't assign requested address

This message appears when a NetWorker daemon cannot register to a port within the
service port range because all ports are in use by other daemons and processes.


To resolve this issue, increase the port range in the Service ports attribute in the NSR
System port ranges resource on the NetWorker host and make a corresponding change in
the firewall rules.

Service is using port port_number which is outside of configured ranges: range

This message appears in the Logs window when a NetWorker daemon attempts to
register to a port that is not within the service port range. This can occur because the port
requirements of the NetWorker host exceed the number of service ports defined in the
range.
To resolve this issue, increase the port range in the Service ports attribute in the NSR
System port ranges resource on the NetWorker host and make a corresponding change in
the firewall rules.

Note

Communications between NetWorker processes on the same host do not follow defined
rules. For example, the NetWorker server daemons communicate internally outside of the
defined port range. Do not configure a firewall to limit the range for TCP traffic inside a
single system.

Connection refused

This message appears when the NetWorker host cannot establish a portmapper
connection on port 7938.
To resolve this issue, ensure that the NetWorker software can register an RPC portmapper
connection on port 7938.

Connection reset by peer

This message appears when the connection between two NetWorker hosts closes
prematurely.
To resolve this issue, configure the data zone to send a keep alive signal between the
hosts at an interval that is shorter than the time out period defined on the firewall.
Special considerations for a firewall environment on page 94 describes how to configure
the TCP keep alive signal.

Unable to obtain a client connection to nsrmmgd (version #) on host hostname

This message appears on a Windows host when the Windows firewall Allow list on the
NetWorker server does not contain the nsrmmgd process.
When this error message appears:
- A library configured on the NetWorker storage node will not enter "ready" state.
- Multiple nsrlcpd processes are started on the storage node.
To resolve this issue, ensure that the firewall is turned on, then add the nsrmmgd process
to the Allow list of the Windows firewall on the NetWorker server host.
nsrndmp_save: data connect:failed to establish connection

This message appears during an NDMP-DSA backup when a Windows NetWorker server
uses Windows firewall, but an inbound rule for port 10000 does not exist.
To resolve this issue, perform the following steps:
1. Log in to the NetWorker server as a Windows administrator.
2. In the Windows Firewall application, on the Advanced properties select Inbound
Rules > New Rule.
3. Select Program and then click Next.
4. Select This Program Path.
5. Click Browse. Select the binary nsrdsa_save.exe, and then click Next.
6. Select Allow the connection, and then click Next.
7. Leave the default Profiles selections enabled, and then click Next.
8. Provide a name for the rule and click Finish.
9. Edit the new rule.
10. On the Protocols and Ports tab, perform the following steps:
a. From the Protocol type drop-down, select TCP.
b. From the Local Port drop-down, select Specific Ports. Specify port number 10000.
c. Click OK.

Unable to execute savefs job on host hostname: Remote system error - No route to host

This message appears during a scheduled backup when the NetWorker server can reach
the client but cannot contact the nsrexecd process to start the savefs process.
To resolve this issue, ensure that you configure the following:
- Any external firewall between the two hosts to allow communication on the required
service ports.
- A personal firewall on the client, for example, iptables on Linux, to allow
communication between the two hosts on the required service ports.



CHAPTER 5
Data Security Settings

This chapter describes the settings available to ensure the protection of the data handled
by NetWorker.

- Encrypting backup data
- Data integrity
- Data erasure
- Security alert system settings


Encrypting backup data

You can encrypt backup and archive data on UNIX and Windows hosts with the AES
Application Specific Module (ASM). The AES ASM provides 256-bit data encryption.
NetWorker encrypts the data based on a user-defined pass phrase, which you can
securely store and retrieve from a lockbox.
The NetWorker software comes with a preconfigured global directive that enables you to
encrypt backup and archive data with the AES ASM. To use AES, modify the default
NetWorker lockbox resource, set the data zone pass phrase for the NetWorker server, and
then apply the AES directive to clients in the data zone. Do not use AES encryption to:
- Back up files that are encrypted by EFS. NetWorker will report the backup successful,
but a recovery will fail with the following message:

recover: Error recovering <filename>. The RPC call completed before all pipes were processed

The NetWorker Administration Guide provides more information about NetWorker
interoperability with EFS.
- Back up a client that sends data to an encryption-enabled cloud device. Backup
speeds decrease because the encryption functions occur twice.

Modifying the lockbox resource


By default, NetWorker creates a lockbox resource for the NetWorker server. The lockbox
allows NetWorker to store pass phrases securely and enables you to specify a list of users
that can store, retrieve, and delete AES pass phrases.
Before you begin
Use NMC to connect to the NetWorker server with a user that is a member of the
Application Administrators or Database Administrators user group.
To edit the Lockbox resource, perform the following steps:
Procedure
1. On the Administration window, click Configuration.
2. Click Lockboxes in the left navigation pane.
3. Right-click the lockbox resource for the NetWorker server and then select Properties.
4. In the Users field, specify the list of users that will have access to the AES pass
phrases in one of the following formats:
- user=username
- username@hostname
- hostname
- host=hostname
- user=username, host=hostname


Note

If you enter a hostname or host=hostname in the Users attribute, then any user on
the specified host can recover the files for the client. To enter a username without
specifying the host, enter user=username.

5. Click OK.
Results
Only users that you specify in the Users field can modify the Datazone pass phrase
attribute in the NSR resource.
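What each Users entry format grants, modelled in code as an added example that is not NetWorker's own access check: it parses the five formats from step 4 into a (user, host) pair where None means "any", matches a requesting user and host against the Users list, and lists the entries that name only a host, which the note above warns admit every user on that host. Case-insensitive hostname comparison and the example.com host names are assumptions.

```python
"""Model the lockbox Users entry formats and what each one grants.

Added example, not NetWorker's own implementation; host names are constructed."""


def parse_entry(entry):
    """Return (user, host) for one Users entry; None means unrestricted."""
    entry = entry.strip()
    if not entry:
        raise ValueError("empty lockbox Users entry")
    user = host = None
    if "=" in entry:
        # key=value form: 'user=...', 'host=...' or 'user=..., host=...'
        for part in entry.split(","):
            key, _, value = part.partition("=")
            key, value = key.strip(), value.strip()
            if key == "user" and value:
                user = value
            elif key == "host" and value:
                host = value
            else:
                raise ValueError("unrecognized lockbox Users entry: %r" % entry)
    elif "@" in entry:
        user, _, host = entry.partition("@")
        if not user or not host:
            raise ValueError("unrecognized lockbox Users entry: %r" % entry)
    else:
        host = entry  # bare hostname: every user on that host qualifies
    return user, host


def entry_matches(entry, req_user, req_host):
    """True when the entry admits req_user connecting from req_host."""
    user, host = parse_entry(entry)
    if user is not None and user != req_user:
        return False
    if host is not None and host.lower() != req_host.lower():  # assumption: hosts compare case-insensitively
        return False
    return True


def is_allowed(users_attribute, req_user, req_host):
    """users_attribute: the list of entries typed into the Users field."""
    return any(entry_matches(e, req_user, req_host) for e in users_attribute)


def host_only_entries(users_attribute):
    """Entries that grant any user on a host (hostname or host=hostname),
    the case the note cautions about."""
    return [e for e in users_attribute if parse_entry(e)[0] is None]


if __name__ == "__main__":
    users = ["user=backupadmin", "alice@nmc.example.com", "host=nwserver.example.com"]
    print("alice from nmc:", is_allowed(users, "alice", "nmc.example.com"))
    print("anyone from nwserver:", is_allowed(users, "anyone", "nwserver.example.com"))
    print("host-only entries to review:", host_only_entries(users))
```

Reviewing the output of `host_only_entries` against the Users field is the quick way to find entries that silently extend pass phrase access to every account on a host.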

Defining the AES pass phrase


NetWorker uses a pass phrase to generate the data zone encryption key that backup and
recovery operations use. Specify the AES pass phrase in the NSR resource to enable
backup data encryption.
Before you begin
Use NMC to connect to the NetWorker server with a user that is a member of the
Application Administrators or Database Administrators user group.
If you do not specify a data zone pass phrase and you configure clients to use the AES
directive to encrypt backups, NetWorker uses a default pass phrase. To define the AES
pass phrase that NetWorker uses to generate the data zone encryption key, perform the
following steps.
Procedure
1. On the Administration window, click Configuration.
2. Right-click the NetWorker server in the left navigation pane and select Properties.
3. On the Configuration tab in the Datazone pass phrase attribute, specify the pass
phrase.
4. Click OK.
Results
NetWorker generates the data zone encryption key based on the pass phrase. To recover
the data, you must know the data zone pass phrase that was in the Datazone pass
phrase attribute at the time of the backup.

Configuring the client resource to use AES encryption


To implement AES data encryption, apply the Encryption global directive to individual
clients by using the Directives attribute in the Client resource.
Before you begin
Use NMC to connect to the NetWorker server with a user that is a member of the
Application Administrators or Database Administrators user group.
Procedure
1. On the Administration window, click Configuration.
2. In the left navigation pane, select Clients.
3. On the General tab, select Encryption Directive from the Directive attribute.
4. Click OK.

Configure encryption for a client-initiated backup


To configure a NetWorker client to use AES encryption, use the NetWorker User program
on Windows, or the save command.

Configuring encryption for client-initiated backups on Windows by using NetWorker User


You can use AES to encrypt data that you back up by using the NetWorker User program.
Procedure
1. On the Windows host, start the NetWorker User program.
2. On the NetWorker User toolbar, select Backup.
3. On the Options menu, select Password.
4. When prompted, specify a password, then click OK.
The NetWorker User program creates the C:\NETWORKR.CFG file, which contains the
password in an encrypted format.
5. On the Backup window, mark the files for backup.
6. On the Backup toolbar, select Encrypt.
An E appears in the Attributes column for each marked file and directory.
7. Start the backup operation.
Results
NetWorker uses AES encryption to back up the data based on the value specified in the Datazone pass phrase attribute of the NSR resource on the NetWorker server at the time of the backup.

Note

To recover the data, NetWorker will prompt you for the password that you defined for the
backup.

Configuring AES encryption by using the save command


To perform an AES encrypted backup from the command line, you must create a local AES
directive file that the save program uses during backup.
Procedure
1. Create a directive file on the host.
On Windows, create a text file named nsr.dir. On UNIX, create a text file named .nsr. You can create the file in any directory on the host.
2. Add the following lines to the directive file:

<< / >>
+aes: *

3. Save the directive file.
4. Perform the backup by using the save command with the -f option:
save -f full_path_to_directive_file backup_object
For example, to back up the directory c:\data on a Windows host where you created the nsr.dir file in the c:\directives folder, type the following command:

save -f c:\directives\nsr.dir c:\data


Results
The backup operation encrypts the backup data based on the value specified in the
Datazone pass phrase in the NSR resource, on the NetWorker server.

Recover encrypted data


You can recover AES encrypted data by using the NMC Recovery Wizard, the NetWorker
User program, or the recover command.

Recovering AES encrypted data by using NetWorker User


You can use the NetWorker User program to recover AES encrypted data on a Windows
host.
To decrypt backup data, the recovery operation must use the Datazone pass phrase value
that was used to encrypt the backup data. By default, a recovery operation will use the
current value of the Datazone pass phrase attribute to recover the data. If the current
Datazone pass phrase value differs from the Datazone pass phrase value that was
specified at the time of the backup, then the recovery operation fails.
To specify the Datazone pass phrase value that was used to encrypt the backup, perform
the following steps.
Procedure
1. Start the NetWorker User program with the following command:
winworkr -p pass_phrase ...
where pass_phrase is the pass phrase specified in the Datazone pass phrase attribute of the NSR resource on the NetWorker server at the time of the backup.
When you recover data that requires different pass phrases, use additional -p pass_phrase options to specify each required pass phrase.
2. Confirm that the recover operation successfully recovers the data.
When you specify an incorrect pass phrase:
l NetWorker creates 0 KB files but does not recover the data into the files.
l The recover output reports a message similar to the following:

Invalid decryption key specified

Recovering AES encrypted data by using the NMC Recovery Wizard


You can use the NMC Recovery Wizard to recover AES encrypted data.
Before you begin
Use NMC to connect to the NetWorker server with a user that is a member of the
Application Administrators or Database Administrators user group.
To decrypt backup data, the recovery operation must use the Datazone pass phrase value
that was used to encrypt the backup data. By default, a recovery operation will use the
current value of the Datazone pass phrase attribute to recover the data. If the current
Datazone pass phrase value differs from the Datazone pass phrase value that was
specified at the time of the backup, then the recovery operation fails.
To specify the Datazone pass phrase value that was used to encrypt the backup, perform
the following additional steps on the Select the Recovery Options window:

Procedure
1. Select Advanced Options.
2. In the Pass phrases attribute, specify the pass phrase(s) used at the time of the backup.

Recovering AES encrypted data by using the recover command


Use the recover command to recover AES encrypted data from a command line.
Before you begin
Perform the following steps with the root account on UNIX or an administrator account on
Windows.
To decrypt backup data, the recovery operation must use the Datazone pass phrase value
that was used to encrypt the backup data. By default, a recovery operation will use the
current value of the Datazone pass phrase attribute to recover the data. If the current
Datazone pass phrase value differs from the Datazone pass phrase value that was
specified at the time of the backup, then the recovery operation fails.
Procedure
1. To specify a pass phrase, use the -p option with the recover command. For example:
recover -a -p pass_phrase ... filesystem_object
where:
l pass_phrase is the pass phrase specified in the Datazone pass phrase attribute of
the NSR resource on the NetWorker server at the time of the backup. When you
recover data that requires different pass phrases, use additional -p pass_phrase
options to specify each required pass phrase.
l filesystem_object is the full path to the data that you want to recover.
2. Confirm that the recover operation successfully recovers the data.
When you specify an incorrect pass phrase:
l NetWorker creates 0 KB files but does not recover the data into the files.
l The recover output reports a message similar to the following:

Invalid decryption key specified

Federal Information Processing Standard Compliance


NetWorker utilizes encryption technologies from RSA BSAFE that are compliant with the
Federal Information Processing Standard (FIPS 140-2). RSA BSAFE is deemed compliant
under certificate 1092.
NetWorker 8.0 SP1 is the minimum NetWorker server version that contains the RSA BSAFE
FIPS compliant encryption technologies. To use FIPS, the NetWorker 8.0 SP1 server
requires NetWorker 7.6 SP4 and later clients. The following table displays the supported
platforms that contain RSA BSAFE FIPS compliant encryption technologies.

Table 18 NetWorker supported platforms that contain RSA BSAFE FIPS compliant encryption technologies

Each entry gives the supported platform, the supported server and storage node OS versions and service packs, and the supported client OS versions and service packs.

Windows x86
Server and storage node: Windows Server 2008 (all editions) SP1, SP2, Storage Node only; Windows Server 2008 R2 (all editions), Storage Node only; Windows Server 2008 without Hyper-V [Standard, Enterprise, and Datacenter Edition], Storage Node only
Client: Windows Server 2008 Core SP1, SP2; Windows Server 2008 (all editions) SP2; Windows Server 2008 R2 (all editions) SP1; Windows Server 2008 without Hyper-V [Standard, Enterprise and Datacenter Edition]; Windows 7 SP1; Windows VISTA [Business, Ultimate Edition] SP1, SP2

Windows x64
Server and storage node: Windows Server 2008 (all editions) SP1, SP2; Windows Server 2008 R2 (all editions) SP1
Client: Windows Server 2008 Core SP1, SP2; Windows Server 2008 (all editions) SP1, SP2; Windows Server 2008 R2 (all editions) SP1; Windows 7 SP1; Windows VISTA [Business, Ultimate edition] SP1, SP2

Linux x86
Server and storage node: Red Hat Enterprise Linux AS, ES, WS 5, 6; SuSE Linux Enterprise Server (SLES) 10, 11; Oracle Linux 5; Novell Open Enterprise Server (OES) OES, OES SP2, OES 2, OES SP3; Redflag Asianux Server 3; CentOS Linux 5
Client: Red Hat Enterprise Linux AS, ES, WS 5, 6; SuSE Linux Enterprise Server (SLES) 10, 11; Oracle Linux 5; Novell Open Enterprise Server (OES) OES, OES SP2, OES 2, OES SP3; Redflag Asianux Server 3; CentOS Linux 5

Linux x64
Server and storage node: Red Hat Enterprise Linux AS, ES, WS 5, 6; SuSE Linux Enterprise Server (SLES) 10, 11; Oracle Linux OES, OES SP2, OES 2, OES SP3
Client: Red Hat Enterprise Linux AS, ES, WS 5, 6; SuSE Linux Enterprise Server (SLES) 10, 11; Oracle Linux OES, OES SP2, OES 2, OES SP3

Linux Itanium
Server and storage node: not listed
Client: Red Hat Enterprise Linux AS, ES, WS 5; SuSE Linux Enterprise Server (SLES) 10, 11

Oracle Sparc (64-bit)
Server and storage node: Oracle Solaris 10; Oracle Solaris Non-global zones 10
Client: Oracle Solaris 10; Oracle Solaris Non-global zones 10

Oracle x64 (AMD64 and Intel EM64T)
Server and storage node: Oracle Solaris 10
Client: Oracle Solaris 10

HP Itanium
Server and storage node: HP-UX 11i v2, storage node only; HP-UX 11i v3, server only
Client: HP-UX 11i v2; HP-UX 11i v3

IBM Power AIX (32-bit)
Server and storage node: IBM AIX 6.1; IBM AIX 7.1
Client: IBM AIX 6.1; IBM AIX 7.1

IBM Power AIX (64-bit)
Server and storage node: IBM AIX 6.1; IBM AIX 7.1
Client: IBM AIX 6.1; IBM AIX 7.1

Data integrity
NetWorker enables you to verify the integrity of the backup data and the integrity of the
NetWorker server databases.

Verifying the integrity of the backup data


Use the Auto media verify attribute for a pool resource or the Verify files option in the
NetWorker User program to automatically verify the data that NetWorker writes to a
volume.

Configuring auto media verify for a pool


Media pools provide you with the ability to direct backups to specific devices. When you
label a volume, you specify the pool for the volume. To configure NetWorker to
automatically verify that the data written to media is valid, enable the Auto media verify
attribute for the Pool resource.
Before you begin
Use NMC to connect to the NetWorker server with a user that is a member of the
Application Administrators or Database Administrators user group.
Procedure
1. On the Administration window, click Media.
2. In the left navigation pane, select Media Pools.
3. On the Media Pools window, right-click the pool and select Properties.
4. On the Configuration tab, select Auto media verify.
5. Click OK.

Configuring verify files in NetWorker User


Use the NetWorker Verify feature to ensure that backup data on the NetWorker server
matches the data on the local disk.
Before you begin
Connect to the NetWorker host as an administrator.
The Verify files feature compares the file types, file modification times, file sizes, and file
contents. The feature does not verify other system attributes, such as read-only, archive,
hidden, system, compressed, and file access control list (ACL). The NetWorker server
alerts you to any changes to your data since the backup. Verification also determines
whether a hardware failure kept the NetWorker server from completing a successful
backup. The Verify files feature provides a way to test the ability to recover data.

Note

The Verify files feature is not available for UNIX.

Procedure
1. In the NetWorker User program, select Verify Files from the Operation menu.
2. Select the data that you want to verify.
3. From the View menu, select Required volumes.
The Required Volumes window appears with the list of volumes that contain the data
that you want to verify. Mount the volumes in devices.
4. Click Start.
Results
The Verify Files status window appears and provides the progress and results of the Data
Verification process.

The following output provides an example where the Verify Files process verifies 3 files and reports that one file, recover_resource.txt, has changed since the backup:

Verify Files
Requesting 4 file(s), this may take a while...
Verify start time: 28/10/2013 3:46:36 PM
Requesting 1 recover session(s) from server.
91651:winworkr: Successfully established AFTD DFA session for
recovering save-set ID '4285011627'.
C:\data\mnd.raw
C:\data\pwd.txt
C:\data\lad.txt
32210:winworkr: DATA MISMATCH FOR C:\data\lad.txt.
C:\data\
Received 4 file(s) from NSR server `bu-iddnwserver'
Verify completion time: 28/10/2013 3:46:48 PM

Verifying the integrity of the NetWorker server media data and client file indexes
NetWorker provides you with the ability to manually check the integrity and consistency
of the media database and client file index by using the nsrim and nsrck commands.

Using nsrim to check media database consistency


Use the nsrim -X command to check the consistency of the data structures of the save
set with the data structures of the volume.

Note

The nsrim -X process will also perform media database maintenance tasks.
NetWorker server media database and index data management on page 125 provides
more information.

Using nsrck to check consistency of the client file index


NetWorker uses the nsrck program to check the consistency of the client file index save
set records.
When the NetWorker server starts, the nsrindexd program starts the nsrck process to
perform consistency checks. You can also manually start the nsrck program to check
the consistency of the client file indexes.
For example: nsrck -L x [-C client_name]
where:
l -C client_name is optional. When you use the -C option, nsrck performs consistency
checks on client file index for the specified client.
l x is the consistency check level. The following table provides more information.

Table 19 Levels available for the nsrck process

Level Description
1 Validates the online file index header, merging a journal of changes with the existing
header.
Moves all save set record files and the corresponding key files to the appropriate folder
under the C:\Program Files\EMC NetWorker\nsr\index\client_name\db6
folder on Windows hosts or the /nsr/index/client_name/db6 directory on UNIX
hosts.

2 Performs a level 1 check and checks the online file index for new and cancelled saves.
Adds new saves to the client file index, and removes cancelled saves.

3 Performs a level 2 check and reconciles the client file index with the media database.
Removes records that have no corresponding media save sets.
Removes all empty subdirectories under db6 directory.

4 Performs a level 3 check and checks the validity of the internal key files for a client file
index. Rebuilds any invalid key files.

5 Performs a level 4 check and verifies the digest of individual save times against the key
files.

6 Performs a level 5 check and extracts each record from each save time, to verify that each
record can be extracted from the database. Re-computes the digest of each save time and
compares the results with the stored digest. Rebuilds internal key files.

The EMC NetWorker Command Reference Guide provides more information about how to
use the nsrck command and the available options.

Data erasure
During a backup operation, NetWorker stores data in save sets on physical or virtual
volumes. NetWorker stores information about the save sets in the media database and
client file indexes.
Based on user-defined policies, NetWorker automatically performs media database and
client file index management, which expires data on volumes and makes the data eligible
for erasure. You can also manually erase data and remove data from the media database
and client file indexes.

NetWorker server media database and index data management


The NetWorker server uses the nsrim program to manage and remove data from the media database and client file indexes.

Two NetWorker processes automatically start the nsrim process:


l The savegrp process, after a scheduled group backup completes.
l The nsrd process, when a user selects the Remove oldest cycle option in the
NetWorker Administration window.
The nsrim process uses policies to determine how to manage information about save sets in the client file index and media database. When the savegrp process starts nsrim, NetWorker checks the timestamp of the nsrim.prv file. If the nsrim.prv file is 23 hours old or older, the nsrim process performs the following operations:
l Removes entries that have been in a client file index longer than the period specified by the browse policy from the client file index.
l Marks save sets that have existed longer than the period specified by the retention
policy for a client as recyclable in the media index.
l Deletes the data associated with recyclable save sets from an advanced file type
device and removes the save set entries from the media database.
l Marks a tape volume as recyclable when all of the save sets on the tape volume are
marked recyclable. NetWorker can select and relabel recyclable volumes when a
backup operation requires a writeable volume. When NetWorker relabels a recyclable
tape volume, NetWorker erases the label header of the volume and you cannot
recover the data.
NetWorker will relabel a volume at the time of a backup or clone when a set of defined
selection criteria is met. In NetWorker 8.0 or later, you can use the Recycle start and
Recycle interval attributes on the Miscellaneous tab of a Pool resource to schedule automatic volume relabeling for eligible volumes in a pool. The NetWorker Administration Guide provides more information.

Manually erasing data on tape and VTL volumes


To erase all data on a tape volume, relabel the volume.
Before you begin
Use NMC to connect to the NetWorker server with a user that is a member of the
Operators user group.
Procedure
1. On the Administration window, click Devices.
2. In the left navigation pane, right-click the appropriate library and select Label.
The Details window and Label Library Media appear.
3. Optionally, in the Target Media Pool field, select a different pool.
4. Click OK.
The Library Operation window appears, which states that the library operation has
started.
5. To track the status of the label operation, on the Operations tab, select Monitoring.
6. If prompted to overwrite the label, right-click the label operation in the Operations Status window to confirm intent to overwrite the existing volume label with a new label, then select Supply Input.
A question window appears displaying this message:

Label <labelname> is a valid NetWorker label. Overwrite it with a new label
7. Click Yes.

Manually erasing data from an AFTD


Relabel an AFTD volume to erase all of the data.
Before you begin
Use NMC to connect to the NetWorker server with a user that is a member of the
Application Administrators or Database Administrators user group.
Procedure
1. On the Administration window, click Devices.
2. In the left navigation pane, select Devices.
3. In the Device window, right-click on the AFTD device and select Label.
4. Optionally, in the Target Media Pool field, select a different pool.
5. Click OK.
6. If prompted to overwrite label, then right-click the label operation in the Operations
Status window to confirm intent to overwrite the existing volume label with a new
label, and then select Supply Input.
A question window appears displaying this message:

Label <labelname> is a valid NetWorker label. Overwrite it with a new label

7. Click Yes.

Security alert system settings


NetWorker provides you with the ability to send security notifications, log and track
NetWorker server configuration changes to file, and provides a centralized logging
mechanism to log security related events that occur in a NetWorker data zone.

Monitoring changes to NetWorker server resources


The Monitor RAP (resource allocation protocol) attribute in the NetWorker Server resource
tracks both before and after information related to additions, deletions, or modifications
to NetWorker server resources and their attributes. NetWorker records these changes in
the NetWorker_install_dir\logs\rap.log file.
Before you begin
Use NMC to connect to the NetWorker server with a user that is a member of the
Application Administrators or Database Administrators user group.
The rap.log file records the name of the user that made the change, the source computer, and the time the user made the change. NetWorker logs sufficient information in the rap.log file to enable an administrator to undo any changes.
Procedure
1. In the left navigation pane, right-click the NetWorker server and select Properties.
2. On the Administration window, select View > Diagnostic mode.
3. On the Setup tab, select Enabled or Disabled for the Monitor RAP attribute.
4. Click OK.

Security audit logging


NetWorker provides a centralized logging mechanism to log security related events that
occur in a NetWorker data zone. This mechanism is called security audit logging.
The security audit log feature monitors and reports critical NetWorker events that relate to
the integrity of the data zone or host. The security audit log feature does not monitor
events that relate to the integrity of a backup.
When you install NetWorker in a data zone, each client is automatically configured to use
security audit logging. Any audit logging configuration changes that you set on the
NetWorker server are automatically communicated to all NetWorker 8.0 and later clients
in the data zone. NetWorker automatically configures existing NetWorker clients to send
security audit messages to the nsrlogd daemon when you:
l Update the NetWorker server software.
l Create new client resources.
Examples of security audit events that generate security audit messages include:
l Authentication attempts: Successful and unsuccessful attempts to log in to an NMC
Server.
l Account management events: Password changes, privilege changes and when users
are added to the list of remote administrators.
l Changes to program authorization: Deleting or adding peer certificates and redefining which binaries a user can execute remotely.
l Changes to the daemon.raw and audit log configurations.
l Events that can lead to the general compromise or failure of the system.

Security audit logging overview


NetWorker 8.0 and later enables security audit logging by default.
The NetWorker 8.0 and later server in each data zone contains a new resource, NSR
auditlog. This resource configures security audit logging. The following actions occur
when security audit logging is enabled in a data zone:
l NetWorker assigns a severity to each security audit message.
l NetWorker server mirrors the NSR auditlog resource to NetWorker 8.0 and later clients
in the data zone. The NetWorker Client database stores the client side security audit
log resource. The auditlog resource provides each client with the hostname of the
machine that hosts the nsrlogd daemon and the types of security audit messages
that the client should send to the nsrlogd daemon. The auditlog severity setting in the
NetWorker server auditlog resource determines how each client receives the
configuration information:
n When the audit severity level is information, warning, or notice, the NetWorker
server broadcasts the auditlog resource to each client when the nsrd daemon
starts.
n When the audit severity level is error, severe, or critical, the NetWorker server will
not broadcast the auditlog resource to each client when the nsrd daemon starts.
Instead the NetWorker clients request auditlog resource configuration updates
from the last NetWorker server that backed up the client data. This passive
method requires that the client has performed at least one backup to the
NetWorker server before the client can receive updates to the auditlog resource.
By default, the audit severity level is error.
l NetWorker records security audit messages in the security audit log when the
message severity level is at least as severe as the level defined in the NSR security
audit log resource.
l NetWorker clients process and send audit messages to the nsrlogd daemon.
l The nsrlogd daemon records the security audit messages to the security audit log
file.

Security audit logging configurations


While any NetWorker 8.0 or later client in the data zone can be configured to run the
nsrlogd daemon, there are certain performance and reliability advantages to using the
NetWorker server for this task.
The following sections provide examples of security audit logging configurations and the
advantages and disadvantages of each configuration.
Single data zone: The NetWorker server hosts the nsrlogd daemon
By default, the nsrlogd daemon runs on the NetWorker 8.0 or later server.
In this configuration, the nsrlogd daemon receives security audit messages from:
l The gstd and nsrexecd processes on the NMC server.
l The nsrexecd process on each NetWorker client in the data zone.
l The daemons that run on the NetWorker server.
Advantages:

128 EMC NetWorker Security 8.2 Configuration Guide


Data Security Settings

l The NetWorker server daemons generate the majority of the security audit messages.
In this configuration, the audit log messages are not sent over the network and will
not increase network traffic.
l Security audit messages from each NetWorker client are sent to the NetWorker server.
Additional network ports and routes to other networks are not required to send
security audit messages.
The following figure provides an example of this configuration.
Figure 10 The audit log server manages a single data zone

Multiple data zones: The NMC server hosts the nsrlogd daemon
In this configuration, the nsrlogd daemon runs on the NMC server and the NMC server
manages multiple NetWorker data zones. The NMC server must be configured as a client,
on each NetWorker server.
Advantages:
l Centralized logging of the security audit messages. The security audit log for each
NetWorker server is stored on the NMC server.
Disadvantages:
l If the nsrlogd daemon is not accessible, either because the daemon fails or because
of a message routing difficulty, security related events are not recorded.
l The NetWorker server daemons generate the majority of the security audit messages.
In this scenario, the security audit log messages are sent over the network and will
increase network traffic.
l Each NetWorker host in each data zone must have a route to the NMC server.
The following figure provides an example of this configuration.

Figure 11 The NMC server is the audit log server for multiple data zones

Multiple datazones: Each NetWorker server hosts the nsrlogd daemon


In this configuration, each NetWorker server runs the nsrlogd daemon and records the messages for a single data zone.
Each NetWorker client in the data zone sends security audit messages to the NetWorker
server.
The NMC server is a client of the NetWorker server in Datazone 1.
Advantages:
l The NetWorker server daemons generate the majority of the security audit messages.
In this configuration, the audit log messages are not sent over the network and will
not increase network traffic.
l Security audit messages from each NetWorker client are sent to the NetWorker server.
Additional routes in other networks are not required to send security audit messages.
Disadvantages:
l You may not be able to access the security audit logs if the NetWorker server is
compromised.
l You must manage multiple security audit logs.
The following figure provides an example of this configuration.

Figure 12 Each NetWorker server in a data zone is the audit log server

Security events
The security audit log feature detects and reports configuration changes that can result in
inappropriate access or damage to a NetWorker host. NetWorker logs successful and
unsuccessful attempts to create and delete security-related resources and modifications
of security-related resource attributes in the audit log file.
Resource database
The following table summarizes which resources and attributes the security audit log
monitors in the resource database (RAP).

NSR resource name/NMC resource name: Attributes

NSR/NSR: Administrator, Authentication method, Datazone pass phrase
NSR Archive request/Archive request: Grooming
NSR auditlog/Security Audit log: Administrator, Auditlog filepath, Auditlog hostname, Auditlog maximum file size MB, Auditlog maximum file version, Auditlog rendered locale, Auditlog rendered service, Auditlog severity
NSR client/Client: Aliases, Archive users, Backup command, Executable path, Password, Remote access, Remote user, server network interface
NSR Device/Devices: Remote user, Password, Encryption
NSR Data Domain/Data Domain devices: Username, Password
NSR De-duplication Node/Avamar deduplication node: Remote user, Password
NSR Hypervisor/Hypervisor: Command, Password, Proxy, Username
NSR Lockbox/Lockbox: Client, Name, Users
Notifications: Action
NSR Operation Status: command
NSR Report Home: Command, Mail Program
NSR restricted data zone/Restricted Data Zone (RDZ): External roles, Privileges, Users
Storage Node: Password, Remote user
Usergroup: External Roles, Name, Privileges, Users, Resource identifier

NetWorker client database


The following table summarizes which resources and attributes the security audit log
monitors in the NetWorker client database (nsrexec).

Resource: Attributes

NSR log: Administrator, Log path, Maximum size MB, Maximum versions, Name, Owner, Runtime rendered log, Runtime rollover by size, Runtime rollover by time
NSR peer information: Administrator, Certificate, Name, NW instance ID, Peer hostname
NSR remote agent: Backup type, Backup type icon, Features, Name, Product version, Remote agent executable, Remote agent protocol version
NSR system port ranges: Administrator, Connection ports, Service ports
NSRLA: Administrator, Auth methods, Certificate, Disable directed recover, Max auth attempts, Max auth thread count, My hostname, Name, NW instance ID, NW instance info operations, NW instance info file, private key, VSS writers

Security audit logging interoperability

The security audit log is a new feature in NetWorker 8.0 and later. NetWorker hosts that
use a previous version of the NetWorker software do not support logging security events
and cannot host the nsrlogd daemon.
The following table summarizes the interoperability matrix for security audit logging.

Table 20 Security audit log interoperability matrix

NetWorker server   NetWorker client   Security audit logging behavior
version            version
8.0 and later      8.0 and later      - Audit messages generated by the NetWorker server are
                                        logged to the nsrlogd daemon.
                                      - Audit messages generated by the NetWorker client are
                                        logged to the nsrlogd daemon.

8.0 and later      7.6.x              - Audit messages generated by the NetWorker server are
                                        logged to the nsrlogd daemon.
                                      - Audit messages are not generated by the NetWorker
                                        client.
                                      - A NetWorker client cannot run the nsrlogd daemon.

7.6.x              8.0 and later      - Audit messages are not generated by the NetWorker
                                        server.
                                      - Audit messages are generated by the client, but without
                                        a NetWorker 8.0 or later server the client cannot be
                                        configured to run the nsrlogd daemon.

Audit message format

The security audit log file contains the timestamp, the category, the program name, and
the unrendered message for each security audit message.
Use the nsr_render_log program to render the audit log file into a readable format.
For example:

    nsr_render_log -pathyem Security_Audit_Log_filename

    03/03/12 14:28:39 0 nsrd Failed to modify Resource type: 'NSR
    usergroup', Resource name: 'Users' for Attribute: 'users' by user:
    'administrator' on host: 'nwserver.emc.com'

- The TimeStamp is: 03/03/12 14:28:39.
- The Category is 0.
- The ProgramName is nsrd.
- The RenderedMessage is: Failed to modify Resource type: 'NSR usergroup', Resource
  name: 'Users' for Attribute: 'users' by user: 'administrator' on host:
  'nwserver.emc.com'.

Security audit log messages

This section provides a list of common messages that appear in the security audit log
file when you set the severity level to Information.

nsrd Permission denied, user 'username' on host: 'hostname' does not have 'privilege1' or
'privilege2' privilege to delete this resource - resource_type
This message appears when a user attempts to delete a security-related resource but
does not have the required privileges on the NetWorker server.
For example:

    15/08/2014 8:56:31 AM 3 nsrd Permission denied, user 'debbie' on 'bu-
    iddnwserver.iddlab.local' does not have 'Delete Application Settings'
    or 'Configure NetWorker' privilege to delete this resource -
    NSR client.

nsrd Permission denied, user 'username' on 'hostname' does not have 'privilege1' or
'privilege2' privilege to create this resource - resource_type
This message appears when a user attempts to create a security-related resource but
does not have the required privileges on the NetWorker server.
For example:

    15/08/2014 9:11:43 AM 3 nsrd Permission denied, user 'debbie' on 'bu-
    iddnwserver.iddlab.local' does not have 'Create Application Settings'
    or 'Configure NetWorker' privilege to create this resource -
    NSR client.

nsrd Failed to create Resource type: 'resource_type', Resource name: 'resource_name' by
user: 'username' on host: 'hostname'
This message appears when a user cannot create a security-related resource. For
example, if a user attempts to create a new client resource but the client host name is not
valid, a message similar to the following appears:

    15/08/2014 8:49:57 AM 3 nsrd Failed to create Resource type: 'NSR
    client', Resource name: 'bu-exch1.lss.emc.com' by user: 'debbie' on
    host: 'bu-iddnwserver.iddlab.local'

nsrd Permission denied, user 'username' on host: 'hostname' does not have 'privilege1' or
'privilege2' privilege to configure this resource - resource_type
This message appears when a user attempts to modify a security-related attribute in a
resource but does not have the required privileges.
For example:

    15/08/2014 9:03:45 AM 3 nsrd Permission denied, user 'debbie' on 'bu-
    iddnwserver.iddlab.local' does not have 'Configure NetWorker' OR
    'Change Application Settings' privilege to configure this resource -
    NSR client.

nsrd Successfully created Resource type: 'resource_type', Resource name:
'resource_name' by user: 'username' on host: 'hostname'
This message appears when a user successfully creates a new security-related resource.
For example:

    15/08/2014 1:57:54 PM 3 nsrd Successfully created Resource type:
    'NSR notification', Resource name: 'new-notification' by user:
    'administrator' on host: 'bu-iddnwserver.iddlab.local'

gstd Console: User 'username' failed to login to Console server on host 'hostname'
This message appears when you specify an incorrect username or password on the NMC
server login window.
For example:

    14/08/2014 4:36:43 PM 0 gstd Console: User 'root' failed to login to
    Console server on host 'bu-iddnwserver.iddlab.local'

gstd Console: User 'username' successfully logged in to Console server on host
'hostname'
This message appears when you successfully log in to the NMC server.
For example:

    14/08/2014 4:36:49 PM 0 gstd Console: User 'administrator'
    successfully logged in to Console server on host 'bu-
    iddnwserver.iddlab.local'

gstd Console: User 'username' logged out of Console server on host 'hostname'
This message appears when a user closes the Console window and the connection to the
Console server.
For example:

    14/08/2014 4:36:21 PM 0 gstd Console: User 'administrator'
    logged out of Console server on host 'bu-
    iddnwserver.iddlab.local'
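
As an added example (not code from the guide or from the NetWorker product), the following Python script parses rendered audit lines in the timestamp/category/program/message layout described under "Audit message format" and counts, per user, the nsrd "Permission denied" and gstd failed Console login messages listed above across a constructed sample. The regular expressions that pull the user and host out of the message text are assumptions based on the message examples on this page.

```python
import re
from collections import Counter

# One rendered security audit log line: <date> <time>[ AM|PM] <category> <program> <message>
# The two timestamp styles follow the rendered examples shown on this page.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2,4} \d{1,2}:\d{2}:\d{2}(?: [AP]M)?) "
    r"(?P<category>\d+) (?P<program>\S+) (?P<message>.*)$"
)
# User and host as they are quoted in the nsrd and gstd messages (assumed from the examples)
USER_RE = re.compile(r"[Uu]ser:? '([^']+)'")
HOST_RE = re.compile(r"on (?:host:? )?'([^']+)'")


def parse_line(line):
    """Split one rendered line into timestamp, category, program, message, user, host.
    Returns None when the line is not a rendered audit message."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["category"] = int(rec["category"])
    user = USER_RE.search(rec["message"])
    host = HOST_RE.search(rec["message"])
    rec["user"] = user.group(1) if user else None
    rec["host"] = host.group(1) if host else None
    return rec


def summarize(lines):
    """Count, per user, the events a reviewer watches for: authorization failures
    (nsrd 'Permission denied') and failed NMC Console logins (gstd)."""
    denied, failed_login, unparsed = Counter(), Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["program"] == "nsrd" and rec["message"].startswith("Permission denied"):
            denied[rec["user"]] += 1
        elif rec["program"] == "gstd" and "failed to login" in rec["message"]:
            failed_login[rec["user"]] += 1
    return {"denied": dict(denied), "failed_login": dict(failed_login), "unparsed": unparsed}


# Constructed sample, one message per line, built from the examples on this page
SAMPLE_LOG = """\
15/08/2014 8:56:31 AM 3 nsrd Permission denied, user 'debbie' on 'bu-iddnwserver.iddlab.local' does not have 'Delete Application Settings' or 'Configure NetWorker' privilege to delete this resource - NSR client.
15/08/2014 9:03:45 AM 3 nsrd Permission denied, user 'debbie' on 'bu-iddnwserver.iddlab.local' does not have 'Configure NetWorker' OR 'Change Application Settings' privilege to configure this resource - NSR client.
14/08/2014 4:36:43 PM 0 gstd Console: User 'root' failed to login to Console server on host 'bu-iddnwserver.iddlab.local'
14/08/2014 4:36:49 PM 0 gstd Console: User 'administrator' successfully logged in to Console server on host 'bu-iddnwserver.iddlab.local'
03/03/12 14:28:39 0 nsrd Failed to modify Resource type: 'NSR usergroup', Resource name: 'Users' for Attribute: 'users' by user: 'administrator' on host: 'nwserver.emc.com'
this line is not a rendered audit message
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```

Lines that do not match the rendered layout are counted under "unparsed" rather than silently dropped, so a change in log format shows up in the summary.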

Modifying the security audit log resource


You can modify the security audit log resource on the audit log server. Changes that you
make in the resource are automatically copied to each client in the data zone that
supports audit logging.
Before you begin
Log in to the NMC server as a Console Security Administrator.
Procedure
1. Connect to the NetWorker server.
2. In the Configuration window, select Security Audit Log in the left pane.
3. Right-click the Security Audit Log resource and select Properties.
4. Optionally, specify a hostname in the auditlog hostname attribute for the NetWorker
   client that will run the security audit log service, nsrlogd.
   Ensure that you specify the hostname of a client that is defined on the NetWorker
   server and supports running the nsrlogd service. NetWorker 8.0 and higher clients
   support the nsrlogd service.
5. Optionally, specify a valid path on the audit log server in the auditlog filepath
   attribute.
   This changes the location of the security audit log file. The default location is
   /nsr/logs on a UNIX audit log server and NetWorker_install_path\nsr\logs on a
   Windows audit log server.
6. Optionally, change the maximum size of the security audit log in the auditlog
   maximum file size (MB) attribute.
   When the log file reaches the maximum size, NetWorker renames the security audit
   log file for archival purposes and creates a new security audit log file.
   The default value for the auditlog maximum file size (MB) attribute is 2 MB.
7. Optionally, change the maximum number of audit log file versions that NetWorker
   maintains in the auditlog maximum file version attribute.
   When the number of log file versions reaches the maximum, NetWorker removes the
   oldest archived version of the security audit log file before creating the new log file.
   The default value for the auditlog maximum file version attribute is 0, which means
   that NetWorker maintains all versions.
8. Optionally, change the audit message severity in the auditlog severity attribute to
   increase or decrease the volume of messages saved in the security audit log.
   The following severity levels are available:
   - Information
   - Notice
   - Warning
   - Error - selected by default
   - Severe
   - Critical
   Changes to the attribute apply to each client that generates security-related events.
   For example, if the security audit log severity attribute is Information, all clients will
   send messages with the Information severity level. The Information and Notice level
   audit messages are very common. If the security audit log records too much or too
   little detail, adjust the severity level accordingly.

Note

This field also controls remote client security audit configuration. At the Information,
Notice and Warning levels, nsrd broadcasts the security configuration to all clients
during startup. At other levels, supported clients request the security configuration
from the NetWorker server as needed; the nsrd daemon does not broadcast the security
configuration during startup.

9. Optionally, use the auditlog rendered service attribute to send security audit log
   messages to a third-party logging service. The following table describes the
   available options.

   Option     Description
   None       - The default value.
              - Writes unrendered security audit log messages to the
                NetWorker_server_sec_audit.raw file only.
              - Use the nsr_render_log program to render the log file into a
                readable format.

   Local      - Writes rendered security audit log messages to the
                NetWorker_server_sec_audit.raw file.
              - Writes unrendered security audit log messages to the
                NetWorker_server_sec_audit.raw file.

   syslog     - Writes rendered security audit log messages to the UNIX syslog.
              - Writes unrendered security audit log messages to the
                NetWorker_server_sec_audit.raw file.

   eventlog   - Writes rendered security audit log messages to the Windows Event
                Log.
              - Writes unrendered security audit log messages to the
                NetWorker_server_sec_audit.raw file.

10. Optionally, specify the locale for the rendered audit log file in the auditlog rendered
    locale attribute. If this attribute is empty, the default locale en_US is used. The
    Multi-locale data zone considerations section in the NetWorker Installation Guide
    describes how to install and configure the NetWorker software on a machine that
    uses a non-English locale.
    The following figure provides an example of the Security Audit Log Properties
    resource.
    Figure 13 Security Audit Log resource

11. Click OK.
12. Review the Monitoring > Log window to ensure that the configuration change
    completes successfully.
    For example:

- If the host specified in the auditlog hostname attribute supports security audit
  logging and the nsrlogd daemon is successfully started, a message similar to the
  following appears:

      The process nsrlogd was successfully configured on host
      'security_audit_log_hostname' for server 'NetWorker_server'.

- If the host specified in the auditlog hostname attribute does not support security
  audit logging or the nsrlogd daemon does not start successfully, a message similar
  to the following appears:

      The security audit log daemon nsrlogd is probably not running.
      'Unable to connect to the nsrexecd process on host
      'client_name'. '355:Program not registered'.'. Ensure that the
      host 'client_name' can be reached. If required, restart the
      host.

- If a service port is not available on the host specified in the auditlog hostname
  attribute, the nsrlogd daemon fails to start and a message similar to the following
  appears:

      Process nsrlogd was spawned on 'security_audit_log_hostname',
      but nsrlogd could not open an RPC channel. 'Unable to connect
      to the nsrlogd process on host 'security_audit_log_hostname'.
      '352:Remote system error'

- If the path specified in the auditlog filepath attribute does not exist, a message
  similar to the following appears:

      Unable to open the output file
      '/proc/NetWorker_server_sec_audit.raw' for the security audit log.
      No such file or directory

Note

Users who belong to the Security Administrators user group but not to the Application
Administrators user group cannot see messages in the Logs window.



INDEX

A
AD users
    Adding 36
    Deleting 38
    Modifying 37
AD, Post configuration 26
Administrator list, modifying 39
AES encryption
    Configuring client resource 117
    Defining pass phrase 117
    Recovering data 119
    Recovering with NetWorker User 119
    Recovering with the NMC Recovery wizard 119
    Recovering with the recover command 120
    Using with NetWorker User 118
    Using with the save command 118
audience 9
Audit log server
    Message format 134
    single data zone 128
    Multiple data zones 129, 130
Audit log server, modifying 136
Authentication configuration issues, troubleshooting 31
Authentication methods
    Modifying 53
    Modifying with NMC 53
    Modifying with nsradmin 54
Auto media verify attribute 122

B
BSAFE 120

C
Centralized security logging 127
Certificate key
    Creating 66
Client initiated backups, restricting 69
comments 9
Component authentication 51
Component authorization 67
conventions for publication 9

D
daemon.raw, size management 81
Data integrity, Verifying 122
dbgcommand 86
Debug levels
    Setting 83
Debug mode
    dbgcommand 86
    nsrtask 89
    Recoveries 88
    Recovery wizard 88
    save command 88
    Scheduled backups 87
    Starting NetWorker daemons on UNIX 83
    Starting NetWorker daemons on Windows 83
    Starting NMC server 84
Debug mode, Using savegrp 88

E
Encrypting data 116
Environment variables, NMC server debug mode 85

F
FIPS (Federal Information Processing Standard Compliance) 120

G
gstd.raw, size management 81

L
LDAP users
    Adding 36
    Deleting 38
    Modifying 37
LDAP, Post configuration 26
Lockbox resource, modifying 116
Log files
    Configuring logging levels 83
    Locations of 72
    rap.log 82
    Rendering at runtime 78
    Rendering manually 76
    Viewing 76
Login errors, troubleshooting 35

M
Manual save operations, restricting 69
Manually erasing data
    AFTD 126
    Tape and VTL 126
Monitor RAP 127

N
NetWorker Server, authorization 39
networkr.raw, size management 81
NMC server service ports, Confirming 107
NMC users
    Adding 18, 19
    Deleting 19
NSR Peer Information resource
    Deleting 61, 63
    Maintaining 59
    Manually creating 59
    Resolving conflicts 62
NSR Peer Information resource, importing 65
nsraddadmin 17
nsrexec database, configuring access 52
nsrim 125
NSRLA database
    Exporting local host credentials 55
NSRLA database, Creating certificate and private key 56
NSRLA resource
    Importing local host credentials 57
    Maintaining 55
nwcpd.raw, size management 79
nwsnap.raw, size management 79

P
preface 9

R
Rejecting new save sessions 69
Rejecting recover and clone sessions 69
related documentation 9
Resetting NMC administrator password
    UNIX 20
    Windows 20
RSA BSAFE 120
RSA BSAFE SSL 51

S
Security audit logging
    Overview 128
    Configurations 128
    Interoperability 134
servers file, configuring 68
servers file, introduction to 67
Service port requirements
    Determining 97
Service port requirements, NetWorker server 99
Service port requirements, NMC server 100
Service port requirements, Snapshot client 98
Service port requirements, Standard client 97
Service port requirements, Storage node 98
Service ports
    Configuring range in NetWorker 101
Service ports, configuring 101
Service ports, Configuring on firewall 104
support information 9

T
TCP keep alives 94
TCP keep alives, Configuring 95
Troubleshooting
    Authorization errors 50
Troubleshooting, Firewall configuration 112
Troubleshooting, login errors 35

U
User group, external roles attribute 48
User Group, users attribute 49
User groups
    Modifying membership 48
User Groups
    Copying 47
    Creating 47
    Deleting 47
    management of 46
    modifying privileges 46
    Preconfigured 45
    privileges 41
User, authorization 38

V
Verify files feature 123
