
VEACONFIG (1M)

Maintenance Commands


NAME

veaconfig - used primarily to assign security roles to SF Manager and VEA 3.3 users. It also allows you to view the identity and security settings for Veritas Provider Layer (VxPAL) agents.

SYNOPSIS

veaconfig -h [list_user | add_user | remove_user | agent_info]

veaconfig -c {list_users | add_user | remove_user}{ [-d domain] [-e port] [-u [broker:]user@domain.domain_type] [-p password] [-l SFSMhost] {-o host} {-n [broker:]user@domain.domain_type} {-r security_role} [-g] [-b basedir] }

veaconfig -c agent_info -a agent_name


DESCRIPTION

The veaconfig utility is used primarily to assign security roles to SF Manager and VEA 3.3 users. Using veaconfig, you determine which activities a user or a user group can perform on a particular managed host.

All users in an operating system domain who are authenticated by the Authentication Service are granted Guest privileges by default. You can assign the same user different roles on a host-by-host basis, or you can assign a user one role across all managed hosts in the security domain.

veaconfig uses security parameters defined in csf_resolv.conf by default.

See the section called FILES.


OPTIONS

-h, --help
Provides usage information for veaconfig. For more details about the options of each veaconfig command, type:
veaconfig -h command

list_users
Lists local and private domain users and their permissions on a host. Also lists operating system domain users that have been assigned security roles other than Guest.
add_user
Adds a private domain user and assigns a user role, or security level, to a particular host. In addition to add_user, specify -g if the user you are adding is an operating system user group.
remove_user
Removes a user or deletes user permissions from the object. In addition to remove_user, specify -g if the user you are removing is an operating system user group.
-d, --domain domain
Short name, IP address, or the fully-qualified domain name for the Domain Controller host. -d is optional, provided veaconfig can access csf_resolv.conf. See the section called FILES. It is recommended that you include this option within the csf_resolv.conf file on the managed host, so that you do not need to specify it within the veaconfig command. Any values specified from the veaconfig command override values in csf_resolv.conf.
-e, --port port
Port through which to connect on the Domain Controller host. If not specified, defaults to 1556, the port number for VxPBX. It is strongly recommended that you do not change this port setting.
-u, --user-id [broker:]user@domain.domain_type
Administrator username for the Authentication Broker. -u is optional, provided veaconfig can access csf_resolv.conf. See the section called FILES. It is recommended that you include this option within the csf_resolv.conf file on the managed host, so that you do not need to specify it within the veaconfig command. Any values specified from the veaconfig command override values in csf_resolv.conf. broker is the fully-qualified host name for the Authentication Service broker host. user is a valid administrator account for the broker host. domain is a valid authentication domain for the broker host. domain_type is the type of authentication domain for the broker host, and can be one of the following: vx, nisplus, nis, nt, or unixpwd.
-p, --password password
Password for the specified administrator account. -p is optional, provided veaconfig can access csf_resolv.conf. See the section called FILES. It is recommended that you include this option within the csf_resolv.conf file on the managed host, so that you do not need to specify it within the veaconfig command. Any values specified from the veaconfig command override values in csf_resolv.conf.
[--no-prompt]
If veaconfig does not find a password for the specified user account in its security store, it prompts for one, unless you specify --no-prompt. This option is useful in scripting situations, when user interaction is not sought.
-l, --host SFMShost
host is the short host name, IP address, or the fully-qualified host name for the Management Server host. -l is optional, provided veaconfig can access csf_resolv.conf. See the section called FILES. It is recommended that you include this option within the csf_resolv.conf file on the managed host, so that you do not need to specify it within the veaconfig command. Any values specified from the veaconfig command override values in csf_resolv.conf.
-o, --OID host
The name of the centrally managed or standalone host on which you want to set authorization for a specified user or user group. host can be the IP address or fully-qualified host name for the centrally managed or standalone host. Specifying the virtual object root$ for host causes the action to affect all managed hosts in the security domain.
-n, --ac_name [broker:]user@domain.domain_type
The user or user group name on which you want to perform the specified action. broker is the fully-qualified host name for the Authentication Service broker host. If broker is omitted, veaconfig defaults to the value specified in csf_resolv.conf. user is a user account or user group name. domain is a valid authentication domain for the broker host. domain_type is the type of authentication domain for the broker host, and can be one of the following: vx, nisplus, nis, nt, or unixpwd.
-r, --role security_role
Associates a role with a user. (A role is a collection of access rights or permissions based on one or more product features.) security_role can be one of the following pre-defined roles, whose names are case-sensitive: Administrator, Operator, or Guest. Veritas Storage Foundation Manager does not support additional customization of these roles.
  • Administrator
    • The root user on a host is automatically granted Administrator privileges for that host. These privileges cannot be changed.
    • An Administrator user on a Management Server can assign and administer security roles to all the users listed in the Authentication Broker Private Domain Repository (PDR).
  • Operator: A user assigned to this role can perform some management operations, such as performing backups, administrating the database, and making some limited configuration changes. For detailed information about what duties the Operator user can perform, refer to the specific documentation for your Storage Foundation and Disk Protection product.
  • Guest: A user assigned to this role cannot make any changes to the configuration. A Guest can view the objects in the network and print reports. By default, all authenticated users belong to this role.
-g
Indicates that the account specified is an operating system user group name. This allows you to leverage the operating system access controls that you have already set up. The -g option lets you grant SF Manager access privileges to an existing operating system user group, rather than having to individually grant access privileges per individual username.
-b basedir
(Solaris only) Sets an alternative base output directory for merging object type information. Typically the -b option is used during Solaris Jumpstart installs where the basedir is not equal to root (/).
agent_info
Provides information about the VxPAL agent on the local host.
-a, --agent agent_name
agent_name can be one of the following: StorageAgent, StorageManager, DBEDAgent, actionagent, gridcentral, gridnode, VAILAgent, and so on. Check the latest list of VxPAL agents. See the Veritas Storage Foundation Manager Release Notes.

FILES

csf_resolv.conf is an optional file that contains the default security parameters for a VxPAL agent and the default domains for which an agent can be configured. Any values specified from the veaconfig command override values in csf_resolv.conf.

By default, csf_resolv.conf resides in: /etc/default/csf_resolv.conf

csf_resolv.conf resides on the Management Server host in: /etc/default

It is possible to override the default csf_resolv.conf by specifying the environment variable: CSF_RESOLV_CONF. In this manner you can manage domain settings for multiple users.

CSF_RESOLV_CONF should point to a file that uses the conventions defined in this man page.

See csf_resolv.conf(4).


EXAMPLES

This section provides usage examples for veaconfig.

EXAMPLE 1:

The following command lists all users and their security roles known to the Management Server my_SFMS_host.example.com:

veaconfig -c list_user -o my_SFMS_host.example.com

EXAMPLE 2:

The following command lists users and user groups with access to all managed hosts in the security domain:

veaconfig -c list_user -o root$

EXAMPLE 3:

The following command authorizes the user jane with administrator privileges on the host dbserver.enterprise.com:

veaconfig -c add_user -o dbserver.enterprise.com -n jane@myserver.enterprise.com.unixpwd -r Administrator

EXAMPLE 4:

The following command authorizes the user john as an Administrator on a host whose IP address is 10.180.148.137:

veaconfig -c add_user -o 10.180.148.137 -n john@enterprise.com.nisplus -r Administrator

EXAMPLE 5:

The following command authorizes the user john as an Administrator on all managed hosts in the security domain:

veaconfig -c add_user -o root$ -n john@enterprise.com.nisplus -r Administrator

EXAMPLE 6:

The following command authorizes members of the NT domain user group Backup operator with Operator privileges on a host whose IP address is 10.180.148.137:

veaconfig -c add_user -o 10.180.148.137 -n "Backup operator@enterprise.com.nt" -r Operator -g

EXAMPLE 7:

The following command removes the user jane from the SF Manager authorized user list:

veaconfig -c remove_user -n jane@enterprise.com.unixpwd

EXAMPLE 8:

The following command removes the user john from all managed hosts in the security domain:

veaconfig -c remove_user -o root$ -n john@enterprise.com.nisplus

EXAMPLE 9:

The following command:

veaconfig -c agent_info -a my_agent

fetches and displays configuration information about a VxPAL agent (my_agent), similar to the following:

Configuration information for the agent my_agent
Security Information:
         Security ID:devgiri.example.com:vea_agent/vea_domain.vx
            Protocol:VSSIIOP    PBX_PORT:0 Mode: 2
Membership Information:
habsol9-03.example.com {3014e67c-1dd2-11b2-933d-0003bac6b8f1}
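
A pre-flight check for add_user grants, as an added example that is not part of the Veritas documentation or tooling: it enforces the case-sensitive role names, the user@domain.domain_type form and the root$ scope described under OPTIONS before veaconfig is run. The function name vea_preflight and the ALLOW_DOMAIN_WIDE_ADMIN variable are assumptions made for this example.

```sh
#!/bin/sh
# Added example: pre-flight check for `veaconfig -c add_user` arguments.
# Returns 0 only when no finding is raised. ALLOW_DOMAIN_WIDE_ADMIN is a
# hypothetical opt-in variable made up for this example, not a veaconfig setting.
vea_preflight() {
    cmd='' host='' name='' role='' group=no rc=0
    while [ $# -gt 0 ]; do
        opt=$1; val=${2-}; shift
        case $opt in
            -c) cmd=$val ;;
            -o|--OID) host=$val ;;
            -n|--ac_name) name=$val ;;
            -r|--role) role=$val ;;
            -p|--password)
                echo "FINDING: password given on the command line" >&2; rc=1 ;;
            -d|--domain|-e|--port|-u|--user-id|-l|--host|-b) ;;  # value skipped
            -g) group=yes; continue ;;   # flag, takes no value
            *) continue ;;               # not an option this check knows
        esac
        if [ $# -gt 0 ]; then shift; fi  # consume the option's value
    done
    [ "$cmd" = add_user ] || return "$rc"   # remaining checks apply to grants only
    case $role in
        Administrator|Operator|Guest) ;;    # role names are case-sensitive
        *) echo "FINDING: role '$role' is not Administrator, Operator or Guest" >&2; rc=1 ;;
    esac
    case $name in
        ?*@?*.vx|?*@?*.nisplus|?*@?*.nis|?*@?*.nt|?*@?*.unixpwd) ;;
        *) echo "FINDING: -n '$name' is not [broker:]user@domain.domain_type" >&2; rc=1 ;;
    esac
    if [ "$host" = 'root$' ] && [ "$role" = Administrator ] &&
       [ "${ALLOW_DOMAIN_WIDE_ADMIN-no}" != yes ]; then
        echo "FINDING: Administrator on root\$ covers all managed hosts" >&2; rc=1
    fi
    if [ "$group" = yes ] && [ "$role" != Guest ]; then
        echo "NOTE: -g gives $role to every member of group '$name'" >&2
    fi
    return "$rc"
}

# Demo with the argument lists of EXAMPLE 3 and EXAMPLE 5 on this page.
vea_preflight -c add_user -o dbserver.enterprise.com \
    -n jane@myserver.enterprise.com.unixpwd -r Administrator && echo "example 3: ok"
vea_preflight -c add_user -o 'root$' -n john@enterprise.com.nisplus \
    -r Administrator || echo "example 5: blocked until reviewed"
```

In a provisioning script, run the grant only when the check passes, for example `vea_preflight "$@" && veaconfig "$@"`.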

EXIT STATUS

0: Success

1: Failure

2: Authentication broker is down

3: Authentication failure

4: Access denied

5: Domain Controller (SF Manager host) is down

6: Authentication configuration failed

7: Domain Controller configuration failed


DIAGNOSTICS

For troubleshooting, refer to the veaconfig log file: /var/vx/isis/veaconfig.log


SEE ALSO

csf_resolv.conf(4)

veainfo(1m)


COPYRIGHTS

Copyright (c) 2007 Symantec Corporation. All rights reserved.

Last updated: 05/17/2007
Copyright ©2009 Symantec Corporation
All rights reserved.