Veritas NetBackup™ 53xx Appliance Initial Configuration Guide
Performing the initial configuration on a NetBackup 53xx series appliance from the NetBackup Appliance Shell Menu
This topic describes how to configure a NetBackup 53xx series appliance that is new or has been reset to the factory defaults (factory reset).
This method requires that you connect a laptop directly to appliance port NIC1 (eth0). A NetBackup series 53xx appliance can only be configured as a media server.
Starting with NetBackup Appliance release 4.0, the initial configuration process requires that you change the default passwords for the admin, maintenance, and sysadmin (IPMI) user accounts. The default admin password is valid only for the initial appliance login. The prompt to change the default passwords appears when you enter the > command to set the appliance role.
Starting with release 3.2, external certificate authority certificates are supported. This feature provides an alternative to using the NetBackup Certificate Authority for host verification and security. This procedure includes the necessary information to deploy these certificates. For more information about security certificates, see the chapter "External CA support in NetBackup" in the NetBackup Security and Encryption Guide.
For high availability configurations, use this procedure to configure the node that you use for the setup procedure. After this appliance (compute node) is configured, see step 17 for details to continue and complete the high availability configuration.
Before you perform the initial configuration on this media server, verify that you have already performed the following tasks:
Verified that the primary server and this media server have compatible software versions.
Added the host name of this media server to the SERVERS list on the primary server that you plan to use with it. For high availability configurations, added the host name of the node that you use for the setup procedure.
Opened the appropriate ports on the primary server if a firewall exists between the primary server and this media server.
If you plan to use this media server in a NAT network, make sure to enable the DNAT feature on the primary server and to also add this media server name to the NAT servers list on the primary server.
The following link provides specific instructions about how to accomplish the above tasks:
See Configuring a primary server to communicate with an appliance media server.
To perform the initial configuration on a NetBackup 53xx media server appliance from the NetBackup Appliance Shell Menu
- Connect a laptop to appliance port NIC1. Next, navigate to the Local Area Connection Properties dialog box.
On the General tab, select Internet Protocol (TCP/IP) so that it is highlighted, then click Properties.
On the Alternate Configuration tab, perform the following tasks:
Click User Configured.
For the IP address, enter 192.168.229.nnn, where nnn is any number from 2 through 254 except for 233.
For the Subnet mask, enter 255.255.255.0.
Click OK.
- On the laptop that is connected to the appliance, open an SSH session to 192.168.229.233.
- Log on to the appliance with the default credentials as follows:
A welcome message appears in the shell menu and the prompt is at the Main_Menu view.
Note:
To continue with the initial configuration, you are not required to change the default password. However, to increase the security of your environment Veritas recommends that you change the password periodically. Make sure to keep a record of the current password in a secure location. To change the password when logged into the NetBackup Appliance Shell Menu, from the Main_Menu view, enter Settings > Password.
- Before you begin the initial configuration, check and verify the status of the connected hardware components by entering the following command:
Support > Test Hardware
A Warning indicates a problem that can be fixed later and lets you proceed with the initial configuration. However, such problems can prevent access to the affected devices.
An Error indicates a critical problem that requires immediate resolution before you can proceed with the initial configuration.
If the command output identifies any problems, check the following items:
Verify that all cables are connected correctly and secured.
Verify that all disk drives are installed and seated properly.
Verify that all units are turned on and have booted up completely.
Verify that you have checked all of the items on the hardware check list.
After you have verified the previous items, re-run the command. Any warning or error icons that disappear indicate that the problem has been fixed. Veritas recommends that you resolve all problems before you start the initial configuration.
Note:
If you cannot resolve any Error problems after verifying all of the previous items and re-running the command, stop here and contact Veritas Technical Support.
- From the Main_Menu > Network view, enter the following command to configure the IP address of a single network that you want your appliance to connect to.
Configure IPAddress Netmask GatewayIPAddress [InterfaceNames]
Where IPAddress is the new IP address, Netmask is the netmask, and GatewayIPAddress is the default gateway for the interface. The [InterfaceNames] parameter is optional.
The IP Address or the Gateway IP Address can be an IPv4 or IPv6 address. Only global-scope and unique-local IPv6 addresses are allowed.
Remember that you should not use both IPv4 and IPv6 addresses in the same command. For example, you cannot use Configure 9ffe::9 255.255.255.0 1.1.1.1. Instead, use Configure 9ffe::46 64 9ffe::49 eth1.
See About IPv4-IPv6-based network support.
If you want to configure multiple networks you must first configure the IP address of each network that you want to add. Then you configure the Gateway address for each network you added. You must make sure that you add the default Gateway address first. Use the following two commands:
- From the Main_Menu > Network view, use the following command to set the appliance DNS domain name.
Note:
If you do not use DNS, you can proceed to Step 9.
DNS Domain Name
Where Name is the new domain name for the appliance.
- From the Main_Menu > Network view, use the following command to add the DNS name server to your appliance configuration.
DNS Add NameServer IPAddress
Where IPAddress is the IP address of the DNS server.
The address can be either IPv4 or IPv6. Only global-scope and unique-local IPv6 addresses are allowed.
See About IPv4-IPv6-based network support.
To add multiple IP addresses, use a comma to separate each address and no space.
- From the Main_Menu > Network view, use the following command to add a DNS search domain to your appliance configuration so the appliance can resolve the host names that are in different domains:
DNS Add SearchDomain SearchDomain
Where SearchDomain is the target domain to add for searching.
- This step is optional. It lets you add the IP addresses of other hosts in the appliance hosts file.
From the Main_Menu > Network view, use the following command to add host entries to the hosts file on your appliance.
Hosts Add IPAddress FQHN ShortName
Where IPAddress is the IPv4 or IPv6 address, FQHN is the fully qualified host name, and ShortName is the short host name.
- From the Main_Menu > Network view, use the following command to set the host name for your appliance.
Hostname Set Name
Where Name is the short host name or the fully qualified domain name (FQDN) of this appliance.
The host name is applied to the entire appliance configuration with a few exceptions. The short name always appears in the following places:
NetBackup Appliance Shell Menu prompts
Deduplication pool catalog backup policy
Default storage unit and disk pool names
If this appliance has been factory reset and you want to import any of its previous backup images, the appliance host name must meet one of the following rules:
The host name must be exactly the same as the one used before the factory reset.
If you want to change the host name to an FQDN, it must include the short name that was used before the factory reset. For example, if "myhost" was used before the factory reset, use "myhost.domainname.com" as the new FQDN.
If you want to change the host name to a short host name, it must be derived from the FQDN that was used before the factory reset. For example, if "myhost.domainname.com" was used before the factory reset, use "myhost" as the new short host name.
Note:
The Domain Name Suffix is appended to the host name and cannot be changed after the initial configuration is completed. If you need to change the suffix or move the appliance to a different domain at a later time, you must perform a factory reset first, and then perform the initial configuration again.
With this step, NetBackup is re-configured to operate with the new host name. This process may take a while to complete.
For the command Hostname set to work, at least one IPv4 address is required. For example, you may want to set the host name of a specific host to v46. To do that, first ensure that the specific host has at least an IPv4 address and then run the following command.
Main_Menu > Network > Hostname set v46
- In addition to the above network configuration settings, you may also use the Main_Menu > Network view to create a bond and to tag a VLAN during the initial configuration of your appliance.
For detailed information about the LinkAggregation and the VLAN command options, refer to the NetBackup Appliance Command Reference Guide.
- From the Main_Menu > Network view, use the following commands to set the time zone, the date, and the time for this appliance:
Set the time zone by entering the following command:
TimeZone Set
Select the appropriate time zone from the displayed list.
Set the date and the time by entering the following command:
Date Set Month Day HHMMSS Year
Where Month is the name of the month.
Where Day is the day of the month from 0 to 31.
Where HHMMSS is the hour, minute, and seconds in a 24-hour format. The fields are separated by colons (HH:MM:SS).
Where Year is the calendar year from 1970 through 2037.
- From the Main_Menu > Settings view, use the following commands to enter the SMTP server name and the email addresses for appliance failure alerts.
Email SMTP Add smtp [acct] [pass]
Where smtp is the host name of the target SMTP server, acct is the account name for authentication to the SMTP server, and pass is the password for authentication to the SMTP server.
Email Software Add eaddr
Where eaddr is the Email address where you want to receive failure alerts from the appliance.
To enter multiple addresses, separate each address with a semi-colon.
- If you plan to use this media server in a NAT network, perform the following tasks on the associated primary server before you set the appliance role:
Enable the DNAT feature on the primary server.
Add the name of this media server to the NetBackup Servers list on the primary server.
See Configuring a primary server to communicate with an appliance media server.
- Identify the primary server that you want to use with this media server.
Note:
Before you continue, make sure that you have added this media server name to the primary server. See Configuring a primary server to communicate with an appliance media server.
From the Main_Menu > Appliance view, run the following command:
Media PrimaryServer
The following prompt appears to change the default passwords:
[Info] Default password change is required for the following user(s): admin, maintenance, sysadmin
Change each user account password as prompted.
Review the following password policy before setting a new password:
Passwords must contain at least eight characters.
Passwords must contain at least one lowercase letter (a-z) and one number (0-9).
Dictionary words are considered weak passwords and are not accepted.
Passwords for the sysadmin (IPMI) user must contain no more than 20 characters.
The last seven passwords cannot be reused and the new password cannot be similar to previous passwords.
Note:
If you enter five consecutive invalid passwords for any user account, the appliance aborts the initial configuration process automatically. You must start the initial configuration process again.
Note:
If you enable the STIG feature after completing the initial configuration, you may be prompted to change the new passwords you entered here to meet the requirements of the STIG password policy.
Where PrimaryServer is either a standalone primary server, a multihomed primary server, or a clustered primary server. The following defines each of these scenarios:
Standalone primary server
This scenario shows one primary server host name. This name does not need to be a fully qualified name as long as your appliance recognizes the primary server on your network. The following is an example of how the command would appear.
Media PrimaryServerName
Multihomed primary server
In this scenario, the primary server has more than one host name that is associated with it. You must use a comma as a delimiter between the host names. The following is an example of how the command would appear.
Media PrimaryNet1Name,PrimaryNet2Name
Clustered primary server
In this scenario, the primary server is in a cluster. Veritas recommends that you list the cluster name first, followed by the active node, and then the passive nodes in the cluster. This list requires you to separate the node names with a comma. The following is an example of how the command would appear.
Media PrimaryClusterName,ActiveNodeName,PassiveNodeName
Multihomed clustered primary server
In this scenario, the primary server is in a cluster and has more than one host name that is associated with it. Veritas recommends that you list the cluster name first, followed by the active node, and then the passive nodes in the cluster. This list requires you to separate the node names with a comma. The following is an example of how the command would appear.
Media PrimaryClusterName,ActiveNodeName,PassiveNodeName,PrimaryNet1Name,PrimaryNet2Name
To prevent any future issues, when you perform the appliance role configuration, Veritas recommends that you provide all of the associated primary server names.
Certificate provisioning
Certificate revocation list (CRL)
After you have entered the primary server name, the appliance pings the primary server for the Certificate Authority (CA) status and shows the result. Each of the following bullet statements describes the possible status results. Follow the instructions that appear below the applicable status result to complete the certificate configuration.
If the primary server has an enabled External CA-signed certificate, the following appears:
The primary server <primary_server_name> has an enabled External CA-signed certificate. Do you want to import the External CA-signed certificate for this Media server now [yes,no](yes):
Press Enter to continue. The following message appears:
The following shares have been opened on the appliance for you to upload certificate files:
NFS share <media_server_name>:/inst/share
CIFS share \\<media_server_name>\general_share
Enter the following details for external certificate configuration:
Enter the certificate file path:
Enter the trust store file path:
Enter the private key path:
Enter the password for the passphrase file path or skip security configuration (default: NONE):
Enter the following details for CRL usage:
Should a CRL be honored for the external certificate?
1) Use the CRL defined in the certificate.
2) Use the specific CRL directory.
3) Do not use a CRL.
q) Skip security configuration.
CRL option: Enter 1, 2, 3, or q.
Verify the External CA details that you entered:
Certificate file name:
Trust store file name:
Private key file name:
CRL check level: (Shows the selected CRL option.)
Do you want to use the above certificate files? [yes, no](yes):
After verifying that the entered information is correct, press Enter to continue and answer the following prompt:
Is this correct? [yes, no](yes):
If all of the information is correct, press Enter to continue.
The appliance performs an ECA health check and shows the result of each validation check. When the health check has completed successfully, the following messages appear:
ECA health check was successful.
The external certificate has been registered successfully.
The primary server <primary_server_name> currently uses an external CA issued certificate and its own internal certificate. Would you like to proceed with the external CA issued certificate? [yes,no](yes):
If you select no, the following message appears:
This appliance will use a NetBackup issued certificate for secure communication.
If you select yes, enter the following details for external certificate configuration:
Enter the certificate file path:
Enter the trust store file path:
Enter the private key path:
Enter the password for the passphrase file path or skip security configuration (default: NONE):
Enter the following details for CRL usage:
Should a CRL be honored for the external certificate?
1) Use the CRL defined in the certificate.
2) Use the specific CRL directory.
3) Do not use a CRL.
q) Skip security configuration.
CRL option: Enter 1, 2, 3, or q.
Verify the External CA details that you entered:
Certificate file name:
Trust store file name:
Private key file name:
CRL check level: (Shows the selected CRL option.)
Do you want to use the above certificate files? [yes, no](yes):
After verifying that the entered information is correct, press Enter to continue and answer the following prompt:
Is this correct? [yes, no](yes):
If all of the information is correct, press Enter to continue.
The appliance performs an ECA health check and shows the result of each validation check. When the health check has completed successfully, the following messages appear:
ECA health check was successful.
The external certificate has been registered successfully.
This appliance will use an External Certificate for secure communication.
If the primary server has a disabled External CA-signed certificate, the following message appears:
The primary server <server_name> has a disabled External CA-signed certificate. Trust the certificate to continue the role configuration process.
Do you trust the certificate? [yes, no], If you select yes, this appliance will continue to do storage configuration. If you select no, the role configuration will be aborted.
This appliance will use a NetBackup issued certificate for secure communication.
No further certificate configuration is required. Click Next to continue.
For more information about security certificates, refer to the chapter Security certificates in NetBackup in the NetBackup Security and Encryption Guide.
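The certificate, trust store, and private key files that the external certificate prompts above ask for can be checked on a workstation before they are copied to the appliance share. The following is an added example, not part of the Veritas guide and not the appliance's ECA health check; it assumes PEM-encoded files and OpenSSL 1.1.0 or later, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-upload checks for the external certificate files.
# Assumes PEM files and OpenSSL 1.1.0+; all function names are hypothetical.

# 0 if the private key ($2) carries the same public key as the certificate ($1).
# $3 is an optional passphrase file for an encrypted key.
eca_key_matches_cert() {
    passin="pass:"
    if [ -n "${3:-}" ]; then passin="file:$3"; fi
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -passin "$passin" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate ($1) chains to a CA in the trust store ($2). Any extra
# certificates in $1 are offered as untrusted intermediates, and -no-CApath
# keeps the system CA directory out of the decision.
eca_chain_verifies() {
    openssl verify -no-CApath -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# 0 if the certificate ($1) is still valid $2 days from now (default 30).
eca_not_expiring() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# 0 if the certificate ($1) names a CRL distribution point, the extension that
# CRL option 1 ("Use the CRL defined in the certificate") refers to.
eca_has_crl_dp() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CRL Distribution Points'
}

# Run every check and return the number of failed mandatory checks.
# Argument order follows the appliance prompts:
# $1=certificate  $2=trust store  $3=private key  $4=optional passphrase file
eca_preflight() {
    failures=0
    if eca_key_matches_cert "$1" "$3" "${4:-}"; then
        echo "OK    private key matches the certificate"
    else
        echo "FAIL  private key does not match the certificate"
        failures=$((failures + 1))
    fi
    if eca_chain_verifies "$1" "$2"; then
        echo "OK    certificate chains to the trust store"
    else
        echo "FAIL  certificate does not chain to the trust store"
        failures=$((failures + 1))
    fi
    if eca_not_expiring "$1" 30; then
        echo "OK    certificate is valid for at least 30 more days"
    else
        echo "FAIL  certificate is expired or expires within 30 days"
        failures=$((failures + 1))
    fi
    if eca_has_crl_dp "$1"; then
        echo "INFO  certificate names a CRL distribution point"
    else
        echo "INFO  no CRL distribution point in the certificate; review the CRL option"
    fi
    return "$failures"
}

# Stand-alone use: sh eca_preflight.sh cert.pem truststore.pem key.pem [passfile]
if [ "$#" -ge 3 ]; then eca_preflight "$@"; fi
```

A non-zero exit status is the number of mandatory checks that failed; the CRL line is informational because the choice among CRL options 1, 2, and 3 is made at the prompt.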
Note:
If the host name of the primary server is an FQDN, Veritas recommends that you use the FQDN to specify the primary server for the media server.
Note:
After the role configuration completes, the storage initialization process begins. Depending on the number of disk drives in the system, storage initialization can take up to 46 hours to complete. As a result, appliance backup and restore performance is degraded until the storage initialization process has completed.
- When the storage initialization process begins, the disk storage prompts appear for the AdvancedDisk and the Deduplication (MSDP) partitions.
To configure storage partitions, you must do the following:
Enter a storage pool size in GB or TB.
To skip the storage pool size configuration for any partition, enter 0 when prompted to enter a size. To keep the storage pool at its current size, press Enter.
The default names are dp_adv_<hostname> for AdvancedDisk and dp_disk_<hostname> for Deduplication (MSDP). To keep the default names, press Enter.
The default names are stu_adv_<hostname> for AdvancedDisk and stu_disk_<hostname> for Deduplication (MSDP). To keep the default names, press Enter.
The storage prompts appear in the following order:
AdvancedDisk partition size in GB/TB: (1 GB)
AdvancedDisk diskpool name:
AdvancedDisk storage unit name:
MSDP partition size in GB/TB: (5 GB)
MSDP diskpool name:
MSDP storage unit name:
MSDP Catalog partition size in GB/TB:
After you configure the storage partitions, a summary of the storage configuration appears with the following prompt:
Do you want to make changes to the storage configuration shown above? [yes,no]:
Type yes to make any changes, or type no to keep the current configuration.
- For high availability solutions, you must set up a high availability configuration on this configured appliance (compute node) before you perform the initial configuration on the partner node. To continue and complete the high availability configuration, perform the following tasks in the order as shown:
See Configuring a NetBackup 53xx high availability setup.
See Adding the partner node to the NetBackup 53xx high availability configuration.
- After all appliances are configured and operational, you are ready to install client software on the computers that you want to back up.
See Downloading NetBackup client packages to a client from a NetBackup appliance.
See Installing NetBackup client software through an NFS share.
- If you want to configure the appliance for MSDP cloud, log in to the NetBackup web UI as the nbasecadmin user and configure the MSDP cloud storage as follows:
Create a disk pool.
Create a storage unit.
For details, see the NetBackup Web UI Administrator's Guide.