NetBackup™ Security and

Encryption Guide

UNIX, Windows, and Linux

Release 10.5
NetBackup™ Security and Encryption Guide
Last updated: 2024-09-23

Legal Notice
Copyright © 2024 Veritas Technologies LLC. All rights reserved.

Veritas, the Veritas Logo, Veritas Alta, and NetBackup are trademarks or registered trademarks
of Veritas Technologies LLC or its affiliates in the U.S. and other countries. Other names may
be trademarks of their respective owners.

This product may contain third-party software for which Veritas is required to provide attribution
to the third party (“Third-party Programs”). Some of the Third-party Programs are available
under open source or free software licenses. The License Agreement accompanying the
Software does not alter any rights or obligations you may have under those open source or
free software licenses. Refer to the Third-party Legal Notices document accompanying this
Veritas product or available at:

https://www.veritas.com/about/legal/license-agreements

The product described in this document is distributed under licenses restricting its use, copying,
distribution, and decompilation/reverse engineering. No part of this document may be
reproduced in any form by any means without prior written authorization of Veritas Technologies
Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED

CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED
WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR
NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH
DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. Veritas Technologies Corporation
SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN
CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS
DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS
SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software
as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19
"Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq.
"Commercial Computer Software and Commercial Computer Software Documentation," as
applicable, and any successor regulations, whether delivered by Veritas as on premises or
hosted services. Any use, modification, reproduction release, performance, display or disclosure
of the Licensed Software and Documentation by the U.S. Government shall be solely in
accordance with the terms of this Agreement.

Veritas Technologies Corporation

2625 Augustine Drive
Santa Clara, CA 95054

http://www.veritas.com
Technical Support
Technical Support maintains support centers globally. All support services will be delivered
in accordance with your support agreement and the then-current enterprise technical support
policies. For information about our support offerings and how to contact Technical Support,
visit our website:

https://www.veritas.com/support

You can manage your Veritas account information at the following URL:

https://my.veritas.com

If you have questions regarding an existing support agreement, please email the support
agreement administration team for your region as follows:

Worldwide (except Japan) [email protected]

Japan [email protected]

Documentation
Make sure that you have the current version of the documentation. Each document displays
the date of the last update on page 2. The latest documentation is available on the Veritas
website:

https://sort.veritas.com/documents

Documentation feedback
Your feedback is important to us. Suggest improvements or report errors or omissions to the
documentation. Include the document title, document version, chapter title, and section title
of the text on which you are reporting. Send feedback to:

[email protected]

You can also see documentation information or ask a question on the Veritas community site:

http://www.veritas.com/community/

Veritas Services and Operations Readiness Tools (SORT)

Veritas Services and Operations Readiness Tools (SORT) is a website that provides information
and tools to automate and simplify certain time-consuming administrative tasks. Depending
on the product, SORT helps you prepare for installations and upgrades, identify risks in your
datacenters, and improve operational efficiency. To see what services and tools SORT provides
for your product, see the data sheet:

https://sort.veritas.com/data/support/SORT_Data_Sheet.pdf
 Contents

Chapter 1 Read this first for secure communications in

NetBackup ..................................................................... 23
About secure communication in NetBackup ....................................... 24
How NetBackup CA-signed certificates (or host ID-based certificates)
are deployed during installation ................................................ 25
How secure communication works with primary server cluster nodes
........................................................................................... 28
About NetBackup clients installed on nodes of a clustered application
........................................................................................... 28
How NetBackup certificates are deployed on hosts during upgrades
........................................................................................... 29
When an authorization token is required during certificate deployment
........................................................................................... 29
Why do you need to map host names (or IP addresses) to host IDs
........................................................................................... 30
How to reset host attributes or host communication status .................... 32
What has changed for catalog recovery ............................................ 32
What has changed with Auto Image Replication .................................. 35
How the hosts with revoked certificates work ...................................... 35
Are NetBackup certificates backed up ............................................... 35
Can you configure external certificates for primary server ..................... 36
How secure communication works with primary server cluster nodes
using external certificates ......................................................... 36
How revocation lists work for external certificates ................................ 36
How communication happens when a host cannot directly connect to
the primary server .................................................................. 36
How NetBackup 8.1 or later hosts communicate with NetBackup 8.0
and earlier hosts .................................................................... 37
How communication with legacy media servers happens in the case
of cloud configuration .............................................................. 37
Communication failure scenarios ..................................................... 38
Failure during communication with 8.0 or earlier hosts ................... 38
Catalog backup failure ............................................................. 38
Secure communication support for other hosts in NetBackup domain
........................................................................................... 38
 Contents 5

Secure communication support for BMR ........................................... 38

Configuration for VMware backups that protect SQL Server and
backups with SQL Servers that use multiple NICs ......................... 39

Chapter 2 Increasing NetBackup security ...................................... 40

About NetBackup security and encryption .......................................... 41
NetBackup security implementation levels ......................................... 41
World-level security ...................................................................... 42
Enterprise-level security ................................................................. 43
Datacenter-level security overview ................................................... 45
NetBackup Access Control (NBAC) .................................................. 45
Combined world, enterprise, and datacenter levels .............................. 50
NetBackup security implementation types .......................................... 51
Operating system security .............................................................. 52
NetBackup security vulnerabilities .................................................... 53
Standard NetBackup security .......................................................... 53
Client side encryption security ......................................................... 54
NBAC on primary, media server, and graphical user interface security
........................................................................................... 56
NBAC complete security ................................................................ 58

Chapter 3 Security deployment models .......................................... 60

Workgroups ................................................................................ 60
Single datacenters ........................................................................ 61
Multi-datacenters .......................................................................... 61
Workgroup with NetBackup ............................................................ 61
Single datacenter with standard NetBackup ....................................... 64
Single datacenter with client side encryption ...................................... 66
Single datacenter with NBAC on primary and media servers ................. 69
Single datacenter with NBAC complete ............................................. 73
Multi-datacenter with standard NetBackup ......................................... 76
Multi-datacenter with client side encryption ........................................ 78
Multi-datacenter with NBAC on primary and media servers ................... 83
Multi-datacenter with NBAC complete ............................................... 87

Chapter 4 Auditing NetBackup operations ..................................... 92

About NetBackup auditing .............................................................. 92
Viewing the current audit settings .................................................... 96
About audit events ........................................................................ 96
Viewing audit events ............................................................... 97
 Contents 6

Troubleshooting auditing issues related to the Access History tab

..................................................................................... 98
Audit retention period and catalog backups of audit records .................. 98
Viewing the detailed NetBackup audit report ...................................... 99
User identity in the audit report ...................................................... 101
Disabling auditing ....................................................................... 102
Audit alert notification for audit failures (NetBackup Administration
Console) ............................................................................. 102
Send audit events to system logs ................................................... 103
SYSLOG_AUDIT_USE_OCSF_FORMAT for NetBackup primary server
.......................................................................................... 104

Section 1 Identity and access management ................ 105

Chapter 5 About identity and access management ................... 106
About access control in NetBackup ................................................ 106

Chapter 6 AD and LDAP domains .................................................. 108

Adding AD or LDAP domains in NetBackup ...................................... 108
Troubleshooting AD or LDAP domain configuration issues ................. 110
Certificate authorities trusted by the NetBackup Authentication Service
.......................................................................................... 119

Chapter 7 Access keys ...................................................................... 120

Access keys .............................................................................. 120

Access codes ............................................................................ 120
Request CLI access through web UI authentication ........................... 121
Approve the CLI access request of another user ............................... 122
Edit the settings for command-line access ....................................... 123

Chapter 8 API keys ............................................................................. 124

About API keys .......................................................................... 124

Creating API keys ....................................................................... 125
Managing an API key .................................................................. 125
Using an API key ........................................................................ 126
Setting an API key environment variable to run NetBackup
commands .................................................................... 126

Chapter 9 Auth.conf file ..................................................................... 128

Authorization file (auth.conf) characteristics ...................................... 128

 Contents 7

Chapter 10 Role-based access control ........................................... 132

RBAC features ........................................................................... 132

RBAC settings ........................................................................... 133
Configuring RBAC ...................................................................... 133
Role permissions ........................................................................ 134
Notes for using NetBackup RBAC .................................................. 135
Add AD or LDAP domains ............................................................ 136
Default RBAC roles ..................................................................... 136
Add a custom RBAC role for a PaaS administrator ...................... 139
Add a custom RBAC role to restore Azure-managed instances
.................................................................................... 140
Add a custom RBAC role .............................................................. 141
Edit or remove a role a custom role ................................................ 143
View users in RBAC .................................................................... 144
Add a user to a role (non-SAML) .................................................... 145
Add a smart card user to a role (non-SAML, without AD/LDAP) ............ 146
Add a user to a role (SAML) .......................................................... 146
Remove a user from a role ........................................................... 147

Chapter 11 NetBackup interface access for OS

Administrators ............................................................. 148
Disable command-line (CLI) access for operating system (OS)
administrators ...................................................................... 148
Disable web UI access for operating system (OS) administrators .......... 149

Chapter 12 Smart card or digital certificate .................................... 150

Configure user authentication with smart cards or digital certificates
.......................................................................................... 150
Configure smart card authentication with a domain ............................ 150
Configure smart card authentication without a domain ........................ 152
Edit the configuration for smart card authentication ............................ 153
Add or delete a CA certificate that is used for smart card authentication
.......................................................................................... 154
Disable or temporarily disable smart card authentication ..................... 155

Chapter 13 Single Sign-On (SSO) .................................................... 156

About single sign-on (SSO) configuration ......................................... 156

Configure NetBackup for single sign-on (SSO) .................................. 157
Configure the SAML KeyStore ................................................. 158
 Contents 8

Configure the SAML keystore and add and enable the IDP
configuration .................................................................. 161
Enroll the NetBackup primary server with the IDP ........................ 163
Manage an IDP configuration .................................................. 164

Chapter 14 NetBackup Access Control Security (NBAC) .......... 167

About using NetBackup Access Control (NBAC) ............................... 168
NetBackup access management administration ................................ 171
About NetBackup Access Control (NBAC) configuration ..................... 171
Configuring NetBackup Access Control (NBAC) ................................ 172
NBAC configuration overview .................................................. 172
Configuring NetBackup Access Control (NBAC) on standalone
primary servers .............................................................. 173
Installing the NetBackup primary server highly available on a
cluster .......................................................................... 174
Configuring NetBackup Access Control (NBAC) on a clustered
primary server ................................................................ 175
Configuring NetBackup Access Control (NBAC) on media servers
.................................................................................... 176
Installing and configuring access control on clients ...................... 178
About including authentication and authorization databases in the
NetBackup hot catalog backups ......................................... 178
NBAC configure commands summary ....................................... 178
Unifying NetBackup Management infrastructures with the
setuptrust command ........................................................ 183
Using the setuptrust command ................................................ 183
Configuring Access Control host properties for the primary and media
server ................................................................................. 184
Authentication Domain tab ...................................................... 184
Authorization Service tab ........................................................ 185
Network Attributes tab ........................................................... 185
Access Control host properties dialog for the client ............................ 185
Authentication Domain tab for the client ..................................... 185
Network Attributes tab for the client .......................................... 186
Using NetBackup Access Control (NBAC) with Auto Image Replication
.......................................................................................... 186
Troubleshooting Access Management ............................................. 187
Troubleshooting NBAC issues ................................................. 187
Configuration and troubleshooting tips for NetBackup
Authentication and Authorization ........................................ 189
Windows verification points ..................................................... 195
UNIX verification points .......................................................... 204
 Contents 9

Verification points in a mixed environment with a UNIX primary

server ........................................................................... 211
Verification points in a mixed environment with a Windows primary
server ........................................................................... 217
About the nbac_cron utility ...................................................... 224
Using the nbac_cron utility ...................................................... 224
Using the Access Management utility .............................................. 226
About determining who can access NetBackup ................................. 227
Individual users .................................................................... 228
User groups ........................................................................ 228
NetBackup default user groups ................................................ 228
Configuring user groups ......................................................... 230
About defining a user group and users ...................................... 232
Viewing specific user permissions for NetBackup user groups .............. 234
Granting permissions ............................................................. 235
Authorization objects ............................................................. 235
Media authorization object permissions ..................................... 235
Policy authorization object permissions ..................................... 236
Drive authorization object permissions ...................................... 237
Report authorization object permissions .................................... 237
NBU_Catalog authorization object permissions ........................... 237
Robot authorization object permissions ..................................... 238
Storage unit authorization object permissions ............................. 239
DiskPool authorization object permissions ................................. 239
BUAndRest authorization object permissions .............................. 240
Job authorization object permissions ........................................ 240
Service authorization object permissions ................................... 241
HostProperties authorization object permissions ......................... 242
License authorization object permissions ................................... 242
Volume group authorization object permissions ........................... 243
VolumePool authorization object permissions ............................. 243
DevHost authorization object permissions .................................. 244
Security authorization object permissions .................................. 244
Fat server authorization object permissions ................................ 245
Fat client authorization object permissions ................................. 245
Vault authorization object permissions ....................................... 246
Server group authorization object permissions ............................ 246
Key management system (kms) group authorization object
permissions ................................................................... 247
Upgrading NetBackup Access Control (NBAC) ................................. 247
Configuration requirements if using Change Server with NBAC ............ 248
 Contents 10

Chapter 15 Minimizing security configuration risk ........................ 250

About security configuration risk .................................................... 250
Security settings to be configured to minimize risk ............................. 251
Set the current posture as security baseline ..................................... 253

Chapter 16 Configuring multifactor authentication ....................... 254

About multifactor authentication ..................................................... 254

Configure multifactor authentication for your user account ................... 255
Disable multifactor authentication for your user account ...................... 256
Enforce multifactor authentication for all users .................................. 256
Configure multifactor authentication for your user account when it is
enforced in the domain .......................................................... 257
Reset multifactor authentication for a user ....................................... 257

Chapter 17 Configuring multi-person authorization ..................... 259

About multi-person authorization .................................................... 259

Workflow to configure multi-person authorization for NetBackup
operations ........................................................................... 261
RBAC roles and permissions for multi-person authorization ................. 262
Multi-person authorization process with respect to roles ...................... 263
NetBackup operations that need multi-person authorization ................. 266
Configure multi-person authorization ............................................... 268
View multi-person authorization tickets ............................................ 269
Manage multi-person authorization tickets ....................................... 269
Add exempted users ................................................................... 269
Schedule expiration and purging of multi-person authorization tickets
.......................................................................................... 270
Disable multi-person authorization .................................................. 271

Section 2 Encryption of data-in-transit ............................. 272

Chapter 18 NetBackup CA and NetBackup certificates ............. 273

Overview of security certificates in NetBackup .................................. 274

About secure communication in NetBackup ...................................... 274
About the Security Management utilities .......................................... 276
About login activity ................................................................ 276
About host management .............................................................. 277
Hosts tab ............................................................................ 278
Adding host ID to host name mappings ..................................... 279
Add or Remove Host Mappings dialog box ................................. 280
 Contents 11

Removing host ID to host name mappings ................................. 281

Mappings for Approval tab ...................................................... 282
Viewing auto-discovered mappings .......................................... 283
Mapping Details dialog box ..................................................... 283
Approving host ID to host name mappings ................................. 284
Rejecting host ID to host name mappings .................................. 285
Adding shared or cluster mappings .......................................... 285
Add Shared or Cluster Mappings dialog box ............................... 287
Resetting NetBackup host attributes ......................................... 288
Allowing or disallowing automatic certificate reissue ..................... 289
Adding or deleting comment for a host ...................................... 291
About global security settings ........................................................ 292
About secure communication settings ....................................... 292
Disabling insecure communication ........................................... 294
About insecure communication with 8.0 and earlier hosts .............. 295
About communication with 8.0 or earlier host in multiple NetBackup
domains ....................................................................... 295
Automatically mapping host ID to host names and IP addresses
.................................................................................... 296
About disaster recovery settings .............................................. 296
Disaster recovery packages .................................................... 298
Setting a passphrase to encrypt disaster recovery packages ......... 298
Validate the disaster recovery package passphrase ..................... 300
About host name-based certificates ................................................ 301
Deploying host name-based certificates .................................... 301
About host ID-based certificates .................................................... 303
Web login requirements for nbcertcmd command options .............. 303
Using the Certificate Management utility to issue and deploy host
ID-based certificates ........................................................ 304
About NetBackup certificate deployment security levels ................ 307
Automatic host ID-based certificate deployment .......................... 310
Managing passphrases and passphrase keys for encryption of
private key of host ID-based certificates .............................. 310
Deploying host ID-based certificates ......................................... 312
Deploying host ID-based certificates in an asynchronous manner
.................................................................................... 313
Implication of clock skew on certificate validity ............................ 314
Setting up trust with the primary server (Certificate Authority)
.................................................................................... 316
Forcing or overwriting certificate deployment .............................. 319
Retaining host ID-based certificates when reinstalling NetBackup
on non-primary hosts ....................................................... 321
 Contents 12

Deploying certificates on a client that has no connectivity with the

primary server ................................................................ 321
About host ID-based certificate expiration and renewal ................. 322
Deleting sensitive certificates and keys from media servers and
clients .......................................................................... 323
Cleaning host ID-based certificate information from a host before
cloning a virtual machine .................................................. 324
About reissuing host ID-based certificates .................................. 325
About Token Management for host ID-based certificates ..................... 329
Creating authorization tokens .................................................. 330
Deleting authorization tokens .................................................. 332
Viewing authorization token details ........................................... 332
About expired authorization tokens and cleanup ......................... 333
About the host ID-based certificate revocation list .............................. 333
Refreshing the CRL on the primary server ................................. 335
Refreshing the CRL on a NetBackup host .................................. 335
About revoking host ID-based certificates ........................................ 336
Removing trust between a host and a primary server ................... 336
Revoking a host ID-based certificate ......................................... 338
Determining a NetBackup host's certificate state ......................... 340
Getting a list of NetBackup hosts that have revoked certificates
.................................................................................... 343
Deleting host ID-based certificates ................................................. 343
Host ID-based certificate deployment in a clustered setup ................... 345
About deployment of a host ID-based certificate on a clustered
NetBackup host .............................................................. 345
Deploying host ID-based certificates on cluster nodes .................. 346
Revoking a host ID-based certificate for a clustered NetBackup
setup ........................................................................... 347
Deploying a host ID-based certificate on a clustered NetBackup
setup using reissue token ................................................. 348
Creating a reissue token for a clustered NetBackup setup ............. 348
Renewing a host ID-based certificate on a clustered NetBackup
setup ........................................................................... 349
Viewing certificate details of a clustered NetBackup setup ............. 350
Removing CA certificates from a clustered NetBackup setup ......... 350
Generating a certificate on a clustered primary server after disaster
recovery installation ........................................................ 351
About the communication between a NetBackup client located in a
demilitarized zone and a primary server through an HTTP tunnel
.......................................................................................... 352
Adding a NetBackup host manually ................................................ 355
Migrating NetBackup CA .............................................................. 355
 Contents 13

Setting the required key strength before installation or upgrade

using the NB_KEYSIZE environment variable ....................... 357
Migrating NetBackup CA when the entire NetBackup domain is
upgraded ...................................................................... 357
Manually migrating NetBackup CA after installation or upgrade
.................................................................................... 359
Establishing communication with clients that do not have new CA
certificates after CA migration ............................................ 360
Viewing a list of NetBackup CAs in the domain ........................... 360
Viewing the CA migration summary .......................................... 361
Decommissioning the inactive NetBackup CA ............................ 361

Chapter 19 Configuring data-in-transit encryption (DTE) ........... 362

About the data channel ................................................................ 362
Data-in-transit encryption support ................................................... 363
Workflow to configure data-in-transit encryption ................................ 364
Configure the global data-in-transit encryption setting ......................... 365
Configure the DTE mode on a client ............................................... 367
DTE_CLIENT_MODE for clients .............................................. 367
View the DTE mode of a NetBackup job .......................................... 368
View the DTE-specific attributes of a NetBackup image and an image
copy .................................................................................. 368
Configure the DTE mode on the media server .................................. 370
Modify the DTE mode on a backup image ........................................ 371
DTE_IGNORE_IMAGE_MODE for NetBackup servers ................. 372
Media device selection (MDS) and resource allocation ....................... 373
How DTE configuration settings work in various NetBackup operations
.......................................................................................... 375
Backup ............................................................................... 375
Restore .............................................................................. 377
MSDP backup, restore, and optimized duplication ....................... 381
Universal-Share policy backup ................................................ 382
Catalog backup and recovery .................................................. 383
Duplication .......................................................................... 387
Synthetic backup .................................................................. 388
Verify ................................................................................. 390
Import ................................................................................ 391
Replication .......................................................................... 394
 Contents 14

Chapter 20 External CA and external certificates ........................ 396

About external CA support in NetBackup ......................................... 397

Command-line options used for external certificate configuration
.................................................................................... 399
Workflow to use external certificates for NetBackup host communication
.......................................................................................... 400
Configuration options for external CA-signed certificates ..................... 402
ECA_CERT_PATH for NetBackup servers and clients .................. 403
ECA_TRUST_STORE_PATH for NetBackup servers and clients
.................................................................................... 406
ECA_PRIVATE_KEY_PATH for NetBackup servers and clients
.................................................................................... 407
ECA_KEY_PASSPHRASEFILE for NetBackup servers and clients
.................................................................................... 408
ECA_CRL_CHECK for NetBackup servers and clients ................. 409
ECA_CRL_PATH for NetBackup servers and clients .................... 410
ECA_CRL_PATH_SYNC_HOURS for NetBackup servers and
clients .......................................................................... 411
ECA_CRL_REFRESH_HOURS for NetBackup servers and clients
.................................................................................... 412
ECA_DISABLE_AUTO_ENROLLMENT for NetBackup servers
and clients ..................................................................... 413
ECA_DR_BKUP_WIN_CERT_STORE for NetBackup servers and
clients .......................................................................... 414
MANAGE_WIN_CERT_STORE_PRIVATE_KEY option for
NetBackup primary servers ............................................... 415
Limitations of Windows Certificate Store support when NetBackup
services are running in Local Service account context .................. 416
About certificate revocation lists for external CA ................................ 417
How CRLs from ECA_CRL_PATH are used ............................... 418
How CRLs from CDP URLs are used ........................................ 419
About certificate enrollment ........................................................... 420
About automatic enrollment of an external certificate ................... 420
About viewing enrollment status of primary servers ............................ 420
Configure an external certificate for the NetBackup web server ............ 421
Update or renew the external certificate for the web server ............ 423
Remove the external certificate configured for the web server
.................................................................................... 423
Configuring the primary server to use an external CA-signed certificate
.......................................................................................... 424
Configuring a NetBackup host (media server, client, or cluster node)
to use an external CA-signed certificate after installation ............... 427
 Contents 15

Enrolling an external certificate for a remote host .............................. 429

Viewing the certificate authorities that your NetBackup domain supports
.......................................................................................... 430
Viewing external CA-signed certificates in the NetBackup web UI ......... 430
Renewing a file-based external certificate ........................................ 430
Removing certificate enrollment ..................................................... 431
Disabling the NetBackup CA in a NetBackup domain ......................... 431
Enabling the NetBackup CA in a NetBackup domain .......................... 433
Disabling an external CA in a NetBackup domain .............................. 433
Changing the subject name of an enrolled external certificate .............. 434
About external certificate configuration for a clustered primary server
.......................................................................................... 434
Workflow to use external certificates for a clustered primary server
.................................................................................... 435
Configuration options for external CA-signed certificates for a
virtual name ................................................................... 436
Configuring an external certificate for a clustered primary server
.................................................................................... 439

Chapter 21 Regenerating keys and certificates ............................ 441

About regenerating keys and certificates ......................................... 441
Regenerating NetBackup authentication broker keys and certificates
.......................................................................................... 442
Regenerating host identity keys and certificates ................................ 442
Regenerating web service keys and certificates ................................ 442
Regenerating nbcertservice keys and certificates .............................. 443
Regenerating tomcat keys and certificates ....................................... 443
Regenerating JWT keys ............................................................... 444
Regenerating NetBackup gateway certificates .................................. 444
Regenerating web trust store certificates ......................................... 444
Regenerating VMware vCenter plug-in certificates ............................. 445
Regenerating NetBackup Administrator Console session certificates
.......................................................................................... 446
Regenerating NetBackup encryption key file .................................... 446

Section 3 Encryption of data at rest ................................... 447

Chapter 22 Data at rest encryption security ................................... 448
Data at rest encryption terminology ................................................ 448
Data at rest encryption considerations ............................................. 449
Destination types for encryption of data at rest .................................. 450
 Contents 16

Encryption security questions to consider ........................................ 451

Comparison of encryption options .................................................. 451
About NetBackup client encryption ................................................. 452
Installation prerequisites for encryption security .......................... 452
About running an encryption backup ......................................... 453
NetBackup standard encryption restore process .......................... 455
NetBackup legacy encryption restore process ............................. 456
Configuring standard encryption on clients ....................................... 457
Managing standard encryption configuration options .................... 457
Managing the NetBackup encryption key file .............................. 458
About configuring standard encryption from the server ................. 460
Restoring an encrypted backup file to another client ..................... 462
About configuring standard encryption directly on clients ............... 463
Setting standard encryption attribute in policies ........................... 463
Changing the client encryption settings from the NetBackup server
.................................................................................... 463
Configuring legacy encryption on clients .......................................... 464
About configuring legacy encryption from the client ...................... 464
About configuring legacy encryption from the server .................... 467
Restoring a legacy encrypted backup created on another client
.................................................................................... 470
About setting legacy encryption attribute in policies ...................... 471
Changing client legacy encryption settings from the server ........... 472
Additional legacy key file security for UNIX clients ....................... 472

Chapter 23 NetBackup key management service ........................ 475

About FIPS enabled KMS ............................................................. 475
About Federal Information Processing Standards (FIPS) ............... 477
Installing KMS ............................................................................ 478
Using KMS with NBAC ........................................................... 481
About installing KMS with HA clustering .................................... 481
Enabling the monitoring of the KMS service ............................... 482
Disabling the monitoring of the KMS service ............................... 482
Configuring KMS ........................................................................ 482
Creating the key database ...................................................... 483
About key groups and key records ........................................... 484
Overview of key record states ................................................. 485
About backing up the KMS database files .................................. 488
About recovering KMS by restoring all data files .......................... 489
Recovering KMS by restoring only the KMS data file .................... 489
Recovering KMS by regenerating the data encryption key ............. 490
Problems backing up the KMS data files .................................... 491
 Contents 17

Solutions for backing up the KMS data files ................................ 491

Creating a key record ............................................................ 492
Listing keys from a key group .................................................. 492
Configuring NetBackup to work with KMS .................................. 493
Configuring NetBackup KMS using the KMS web application ......... 496
About using KMS for encryption ..................................................... 497
About importing KMS encrypted images .................................... 497
Example of running an encrypted tape backup ............................ 497
Example of verifying an encryption backup ................................. 498
KMS database constituents .......................................................... 499
Creating an empty KMS database ............................................ 499
Importance of the KPK ID and HMK ID ...................................... 499
About periodically updating the HMK and KPK ............................ 500
Backing up the KMS keystore and administrator keys ................... 500
KMS operations using command-line interface (CLI) .......................... 500
CLI usage help ..................................................................... 503
Create a new key group ......................................................... 503
Create a new key .................................................................. 504
Modify key group attributes ..................................................... 504
Modify key attributes ............................................................. 505
Get details of key groups ........................................................ 505
Get details of keys ................................................................ 506
Delete a key group ................................................................ 506
Delete a key ........................................................................ 507
Recover a key ...................................................................... 507
About exporting and importing keys from the KMS database .......... 508
Modify host master key (HMK) ................................................. 512
Get host master key (HMK) ID ................................................. 512
Get key protection key (KPK) ID .............................................. 512
Modify key protection key (KPK) .............................................. 512
Get keystore statistics ............................................................ 513
Quiesce KMS database ......................................................... 513
Unquiesce KMS database ...................................................... 513
Key creation options .............................................................. 513
Troubleshooting KMS .................................................................. 514
Solution for backups not encrypting .......................................... 515
Solution for restores that do not decrypt .................................... 515
Troubleshooting example - backup with no active key record ......... 515
Troubleshooting example - restore with an improper key record
state ............................................................................ 518
 Contents 18

Chapter 24 External key management service ............................. 520

About external KMS .................................................................... 521

Certificate configuration and authorization ........................................ 521
Workflow for external KMS configuration ......................................... 521
Validating KMS credentials ........................................................... 522
Configuring KMS credentials ......................................................... 523
Listing KMS credentials .......................................................... 524
Updating KMS credentials ...................................................... 525
Deleting KMS credentials ....................................................... 525
Configuring KMS ........................................................................ 525
Listing KMS configurations ..................................................... 526
Updating KMS configuration .................................................... 526
Deleting KMS configuration ..................................................... 526
Configuring keys in an external KMS for NetBackup consumption
.......................................................................................... 527
Creating keys in an external KMS .................................................. 528
Listing keys ......................................................................... 528
Determining a key group name during storage configuration ................ 528
Working with multiple KMS servers ................................................. 529
Migrating one KMS server to another KMS server ....................... 530
Using a separate KMS server for each storage configuration ......... 530
Working with external KMS during backup and restore ....................... 532
Checking the compatibility of KMS vendor with NetBackup .................. 532
Key rotation .............................................................................. 534
Disaster recovery when catalog backup is encrypted using an external
KMS server ......................................................................... 534
Alerts for expiration of KMS credentials ........................................... 535

Chapter 25 Ciphers used in NetBackup for secure

communication ........................................................... 536

Ciphers used in NetBackup ........................................................... 536

Chapter 26 FIPS compliance in NetBackup ................................... 539

About FIPS ................................................................................ 539
About FIPS support in NetBackup .................................................. 540
Prerequisites ............................................................................. 541
Specify entropy randomness in NetBackup ...................................... 542
Configure FIPS mode in your NetBackup domain .............................. 542
Enable FIPS mode on NetBackup during installation .......................... 543
Enable FIPS mode on a NetBackup host after installation ................... 544
 Contents 19

Enable FIPS mode for the NetBackup Authentication Broker service

.......................................................................................... 545
Enable FIPS mode for the NetBackup Administration Console ............. 546
Disable FIPS mode for NetBackup ................................................. 548
Disable FIPS mode for a NetBackup host .................................. 548
Disable FIPS mode for NetBackup Authentication broker (nbatd)
.................................................................................... 549
Disable FIPS mode for the NetBackup Administration Console
.................................................................................... 551
NB_FIPS_MODE option for NetBackup servers and clients ................. 551
USE_URANDOM for NetBackup servers and clients .......................... 552

Chapter 27 NetBackup web services account ............................... 554

About the NetBackup web services account ..................................... 554
Changing the web service user account .......................................... 555

Chapter 28 Running NetBackup services with non-privileged

user (service user) account .................................... 557
About a NetBackup service user account ......................................... 557
Important considerations for using a service user account ............. 557
Configuring a service user account ................................................. 559
Changing a service user account after installation or upgrade .............. 559
Giving access permissions to service user account on external paths
.......................................................................................... 560
NetBackup services that run with the service user account .................. 561

Chapter 29 Running NetBackup commands with

non-privileged user account ................................... 563
Running NetBackup commands using the nbcmdrun wrapper command
.......................................................................................... 563
How does nbcmdrun function ................................................... 564
Disable the nbcmdrun command .............................................. 565
Reenable the nbcmdrun command ........................................... 565

Chapter 30 Immutability and indelibility of data in NetBackup

.......................................................................................... 567

About immutable and indelible data ................................................ 567

Workflow to configure immutable and indelible data ........................... 569
Deleting an immutable image from storage using the bpexpdate
command ............................................................................ 570
 Contents 20

Removing an immutable image from the catalog using the bpexpdate

command ............................................................................ 571

Chapter 31 Anomaly detection ........................................................... 573

About backup anomaly detection ................................................... 573

How a backup anomaly is detected .......................................... 574
Configure backup anomaly detection settings ............................. 575
Detecting backup anomalies on the primary server ...................... 577
Detecting backup anomalies on the media server ........................ 578
View backup anomalies ......................................................... 579
About system anomaly detection .................................................... 581
Configure system anomaly detection settings ............................. 581
Configure rules-based anomaly detection .................................. 582
Configure risk engine-based anomaly detection .......................... 583
View system anomalies .......................................................... 584
Anomaly configuration to enable automatic scanning ......................... 585
Computation of entropy and file attributes in NetBackup ..................... 587
Support information for computation of entropy and file attributes
.................................................................................... 588
COMPUTE_IMAGE_ENTROPY for NetBackup primary servers
.................................................................................... 589
Disable backup anomaly detection and computation of entropy
and file attributes for a client ............................................. 590

Section 4 Malware scanning ................................................... 592

Chapter 32 Introduction ........................................................................ 593

About malware scanning .............................................................. 593

Workflow for malware scanning ............................................... 595
About dynamic scan .................................................................... 599
Limitations ................................................................................. 600

Chapter 33 How to setup Malware scanning ................................. 601

How to set up malware scanning .................................................... 601

Chapter 34 Instant Access configurations ...................................... 603

About Instant Access configurations ............................................... 603

MSDP build-your-own (BYO) server prerequisites and hardware
requirements to configure Instant Access ................................... 604
Instant Access tuning parameters for malware scanning (BYO) ............ 606
 Contents 21

Configuration for scan instances .................................................... 606

Chapter 35 Malware tools configurations ........................................ 608

Supported malware tools .............................................................. 608
Configuring NetBackup Malware Scanner (Avira) .............................. 609
Configuration of mirror server for Signature update ...................... 609
Configure a proxy server on Windows or Linux ........................... 613
Configure the NetBackup Malware Scanner on scan host ............. 614
Configuring Symantec Protection Engine ......................................... 618
Configuring Microsoft Defender Antivirus ......................................... 619

Chapter 36 Scan host configurations ............................................... 620

NetBackup malware scan host capabilities ....................................... 620

Prerequisites for a scan host ......................................................... 621
Prerequisites for Windows scan host ........................................ 622
Prerequisites for Linux scan host ............................................. 624
Limitations and considerations for scan host using NFS share ............. 626
Configuring scan host .................................................................. 627
Automated scan host configuration ........................................... 628
Manual scan host configuration ............................................... 631
Configuring a scan host pool ......................................................... 636
Prerequisites for scan host pool ............................................... 636
Configure a new scan host pool ............................................... 637
Add a new host in a scan host pool .......................................... 637
Managing a scan host ................................................................. 638
Add an existing scan host ....................................................... 638
Validating the scan host pool configuration ................................. 639
Remove the scan host ........................................................... 639
Deactivate the scan host ........................................................ 640
Managing credentials for malware scanning ............................... 640
Configure resource limits for malware detection ................................ 642

Chapter 37 Performing malware scan ............................................. 644

Performing malware scan before recovery ....................................... 644

Perform a malware scan .............................................................. 646
Backup images .......................................................................... 648
Assets by policy type ................................................................... 650
Assets by workload type ............................................................... 652
 Contents 22

Chapter 38 Managing scan tasks ...................................................... 654

View the malware scan status ....................................................... 654
Actions for malware scanned images .............................................. 655
Recover from malware-affected images (clients protected by protection
plan) .................................................................................. 658
Recover from malware-affected images (clients protected by policies)
.......................................................................................... 659
Clean file recovery for virtual workload (VMware) .............................. 661

Chapter 39 Malware scan configuration parameters ................... 663

MALWARE_SCAN_OPERATION_TIMEOUT .................................... 663
MALWARE_DETECTION_CLEANUP_PERIOD ................................ 664
MALWARE_DETECTION_TIMEOUT_PERIOD option for NetBackup
servers ............................................................................... 665
FAIL_SAFE_SCAN_RETRY_COUNT ............................................. 666

Chapter 40 Troubleshooting ................................................................ 667

Troubleshooting issues with malware scanning ................................. 667
 Chapter 1
Read this first for secure
communications in
NetBackup
This chapter includes the following topics:

■ About secure communication in NetBackup

■ How NetBackup CA-signed certificates (or host ID-based certificates) are

deployed during installation

■ How secure communication works with primary server cluster nodes

■ About NetBackup clients installed on nodes of a clustered application

■ How NetBackup certificates are deployed on hosts during upgrades

■ When an authorization token is required during certificate deployment

■ Why do you need to map host names (or IP addresses) to host IDs

■ How to reset host attributes or host communication status

■ What has changed for catalog recovery

■ What has changed with Auto Image Replication

■ How the hosts with revoked certificates work

■ Are NetBackup certificates backed up

■ Can you configure external certificates for primary server

■ How secure communication works with primary server cluster nodes using
external certificates
 Read this first for secure communications in NetBackup 24
About secure communication in NetBackup

■ How revocation lists work for external certificates

■ How communication happens when a host cannot directly connect to the primary
server

■ How NetBackup 8.1 or later hosts communicate with NetBackup 8.0 and earlier
hosts

■ How communication with legacy media servers happens in the case of cloud
configuration

■ Communication failure scenarios

■ Secure communication support for other hosts in NetBackup domain

■ Secure communication support for BMR

■ Configuration for VMware backups that protect SQL Server and backups with
SQL Servers that use multiple NICs

About secure communication in NetBackup

This chapter provides critical information about secure communication in NetBackup.
It is strongly recommended that you read this information before you upgrade
NetBackup to a version that supports secure communication (8.1 or later).
NetBackup 8.1 and later hosts can communicate with each other only in a secure
mode.
NetBackup uses Transport Layer Security (TLS) protocol for host communication
where each host needs to present its security certificate and validate the peer host's
certificate against the certificate authority (CA) certificate. NetBackup security
certificates that are used to authenticate NetBackup hosts conform to the X.509
Public Key Infrastructure (PKI) standard. NetBackup supports two types of
certificates:
■ NetBackup CA-signed certificates: A NetBackup primary server acts as the
certificate authority (CA) and issues digital certificates to hosts.
See “Overview of security certificates in NetBackup” on page 274.
■ External CA-signed certificates: Starting with NetBackup 8.2, you can also
configure external CA-signed certificates (or external certificates) on the
NetBackup hosts.
See “About external CA support in NetBackup” on page 397.
Depending on the configuration of NetBackup, a host needs one or both types of
certificates for successful communication with other hosts.
 Read this first for secure communications in NetBackup 25
How NetBackup CA-signed certificates (or host ID-based certificates) are deployed during installation

You can choose to deploy a certificate on a host during NetBackup installation. If,
for some reason, a certificate cannot be deployed on a host during installation, the
host cannot communicate with other hosts. In that case, you must manually deploy
a NetBackup certificate on the host using the nbcertcmd command to start host
communication after installation.
Alternatively, you can configure external CA-signed certificates.
The following nodes in the NetBackup Administration Console provide secure
communication settings: Host Management and Global Security Settings.
The following commands provide options to manage certificate deployment and
other security settings: nbhostmgmt, nbhostidentity, nbcertcmd, and nbseccmd.
If you have NetBackup 8.0 or earlier hosts in your environment, you can enable
legacy communication with them.
See “How NetBackup 8.1 or later hosts communicate with NetBackup 8.0 and earlier
hosts” on page 37.

Note: A host name-based certificate is required in the following scenarios:

■ NetBackup Access Control or NBAC-enabled hosts require host name-based

certificates.
■ The NetBackup CloudStore Service Container requires that the host name-based
certificate be installed on the media server.

How NetBackup CA-signed certificates (or host

ID-based certificates) are deployed during
installation
The following diagram illustrates how NetBackup CA-signed certificates are deployed
on hosts during installation:
 Read this first for secure communications in NetBackup 26
How NetBackup CA-signed certificates (or host ID-based certificates) are deployed during installation

Certificate deployment security level is High

Certificate Host ID-based certificate

Authority (CA) on the Master Server

Host ID-based Master Server

Host ID-based
certificate and CA 1 certificate and CA
certificate on Host 1 certificate on Host 2

2 3
Verify the master Verify the master
server fingerprint server fingerprint
during installation Host 1 Host 2 during installation

Host 1 is known – Host 2 is not known –

authorization token is authorization token is
not required required

NetBackup certificate deployment occurs in the following order:

1. A NetBackup certificate is automatically deployed on the NetBackup primary
server during installation. The primary server is the NetBackup CA.
2. A NetBackup certificate is deployed on Host 1 during installation after confirming
the CA fingerprint that is made available by the installation wizard or the script.
An authorization token is not required because the certificate deployment
security level on the primary server is set to High and Host 1 is known to the
primary server.
 Read this first for secure communications in NetBackup 27
How NetBackup CA-signed certificates (or host ID-based certificates) are deployed during installation

Note: A fingerprint is used to authenticate the CA of the primary server before

it is added to the trust store of a host. The primary server administrator
communicates the CA fingerprint to the host administrators by email or file, or
publishes it on a website.

Note: An authorization token is used as a mechanism to authorize a host’s

certificate request that is sent to the NetBackup primary server. An authorization
token is confidential and only the primary server administrator can create it.
The primary server administrator then passes it on to the administrator of the
host where you want to deploy a certificate. A reissue token is a special
authorization token that is used to redeploy a certificate on a host to which a
certificate was previously issued.

If you continued with the NetBackup installation without confirming the primary
server fingerprint, you need to carry out manual steps before backups and
restores can occur.
https://www.veritas.com/support/en_US/article.000127129
3. A NetBackup certificate is deployed on Host 2 during installation after the
primary server fingerprint is confirmed. An authorization token is required,
because the certificate deployment security level on the primary server is set
to High and Host 2 is not known to the primary server.
The host-ID based certificate is generated using the encrypted private key for all
the hosts.
The private key of the NetBackup certificate is stored in an encrypted format using
AES_256_CBC encryption. The password that is used to encrypt the private keys
is stored in file storage and is encrypted using AES_256_GCM encryption.
The form factors of NetBackup such as NetBackup Appliance, NetBackup Flex,
NetBackup Flex Scale, NetBackup Scale Out are fully secured on on-disk using
the host-ID based certificate. ITA Data Collector 11.4.03 enables the consumption
of the encrypted private keys. The ITA Data Collector must be 11.4.03 or later if
the collection method is set to the Data Collector installed on NetBackup Primary
Server option for successful data collections from NetBackup 10.4.1 primary server.
Older versions of ITA Data Collector are able to collect data if the collection method
is SSH or WMI protocol to communicate with NetBackup primary server.
 Read this first for secure communications in NetBackup 28
How secure communication works with primary server cluster nodes

How secure communication works with primary

server cluster nodes
Review the following scenarios about certificate deployment if you have a clustered
primary server:
■ In the case of fresh NetBackup installation, the certificate on an active node is
deployed automatically. You must manually deploy certificates on all inactive
nodes.
The private key of the NetBackup host ID-based certificate is stored in an
encrypted format using AES_256_CBC encryption.
■ In the case of disaster recovery, certificates for active and inactive nodes are
not recovered. After you install NetBackup in a disaster recovery mode after a
disaster, you must manually deploy certificates on all nodes using a reissue
token.
■ In the case of upgrade, active or inactive nodes may already have a certificate.
You can verify whether a cluster node has a certificate or not by viewing the
certificate details with the nbcertcmd -listCertDetails command.
The private key of the host ID-based certificate is stored in an encrypted state,
which can be verified using the nbcertcmd -listCertDetails command. The
'Private Key Encryption State' field in the command output shows the encrypted
status of the private key.

Note: If you have configured NetBackup Access Control (NBAC) on a primary

server cluster node, you also need to manually deploy host name-based certificates
on all nodes.

In a cluster setup, the same virtual name is used across multiple cluster nodes.
Therefore, the virtual name should be mapped with all associated cluster nodes.

About NetBackup clients installed on nodes of a

clustered application
Review the following scenarios about secure communication with NetBackup clients
installed on nodes of a clustered application:
■ For successful communication, you need to simultaneously upgrade all cluster
nodes.
■ Ensure that the virtual name is mapped to all cluster nodes to avoid backup
failures after a failover. Veritas recommends that you monitor the Security
 Read this first for secure communications in NetBackup 29
How NetBackup certificates are deployed on hosts during upgrades

Management > Host Management > Mappings for approval tab for any
conflicts that are detected and approve the required mappings.

How NetBackup certificates are deployed on hosts

during upgrades
During a NetBackup upgrade, NetBackup deploys NetBackup certificates before
the upgrade. If the certificates cannot be deployed, you can terminate the upgrade
process. The upgrade script retains the existing NetBackup setup that you can use.
If you have upgraded NetBackup from 8.0 to 8.1 or later, NetBackup certificates
may already be present on the hosts. In such a case, certificates are not deployed
during the upgrade process.
If you have upgraded NetBackup from 8.x to 10.4, the private keys are in an
unencrypted state. After the upgrade, the new encrypted private keys are created
and certificates are reissued.
Certificates are not deployed during the upgrade process, if the software is upgraded
using a utility (that downloads and installs security updates and software patches).
You need to manually deploy the certificates.

When an authorization token is required during

certificate deployment
The information in this section applies only to NetBackup CA-signed certificates.
External CA-signed certificates do not require authorization tokens.
The security level setting determines whether an authorization token is required to
deploy a certificate. You can set the security level on the primary server to different
levels, depending on your needs. Use the Security Management > Global Security
Settings > Secure Communication tab in the NetBackup Administration
Console.
The following settings are available. The default setting is High.
■ Medium - The primary server fingerprint must be confirmed during certificate
deployment. An authorization token is not required.
■ High - The primary server fingerprint must be confirmed during certificate
deployment. An authorization token is not required if the host is known to the
primary server.
■ Very High - The primary server fingerprint must be confirmed during certificate
deployment. An authorization token is mandatory for every host.
 Read this first for secure communications in NetBackup 30
Why do you need to map host names (or IP addresses) to host IDs

Note: Certificate deployment in certain scenarios always requires a token, such as

in the case of clients in a demilitarized zone or for certificate reissue.

See “About NetBackup certificate deployment security levels” on page 307.

Why do you need to map host names (or IP

addresses) to host IDs
Hosts can be referenced with multiple names.
For example: In the case of multiple network interfaces or if hosts are referenced
by both short names and Fully Qualified Domain Names (FQDN).
For successful secure communication in NetBackup 8.1 or later, you should map
all associated host names to the respective host ID. The NetBackup-configured
client name of a host (or the primary name) is automatically mapped to its host ID
during certificate deployment. Additional host names are discovered during
communication and may be automatically mapped to the respective host ID or may
appear in the Mappings for Approval list. Perform this configuration in the Host
Management properties on the primary server.
See “Adding host ID to host name mappings” on page 279.
Examples of configurations that have multiple host names include:
■ If you have multiple network interfaces, a host has both a public and a private
host name.
■ A host can have a short name and a fully qualified domain name (FQDN).
■ A host can be associated with its IP address.
■ For a file system or database that is clustered, a host is associated with its node
name and the virtual name of the cluster.
Note the following:
■ The Exchange, SharePoint, and SQL Server agents also require that you
configure host information in the Distributed Application Restore Mapping
host properties on the primary server.
■ For highly available environments, the SQL Server agent no longer requires a
second policy that contains the cluster or AG node names. You also do not need
to configure permissions for redirected restores for the cluster or AG nodes. For
successful backups and restores of a SQL Server cluster or AG, you need only
configure the mappings in the Host Management properties and the Distributed
Application Restore Mapping host properties.
 Read this first for secure communications in NetBackup 31
Why do you need to map host names (or IP addresses) to host IDs

The following diagram illustrates the host ID-to-host name mapping process:

4
Perform host ID to host name mapping

Master Server

Host 1 sends host ID Host 2 uses

Host mapping
and host name of FQDN as client
Host 2 to master 3 Short name 1 name
server for validation Host ID of (Hostnames)
Host 2
FQDN

Certificates are exchanged

Host 1 Connection is established if mapping is approved Host 2

Host name-to-host ID mapping occurs in the following order:

1. The FQDN of Host 2 is mapped to its host ID during certificate deployment.
2. Host 1 initiates a secure connection to Host 2 using the short name. Both hosts
exchange their NetBackup certificates as part of the TLS handshake.
3. Host 1 sends the host ID and short name of Host 2 to the primary server for
validation.
4. The primary server looks up the host ID and the short name in its database.
Since the provided short host name is not already mapped to the host ID of
Host 2, one of the following occurs:
■ If the Automatically map host ID to host names option in the NetBackup
web UI is selected and the short name is not already mapped to another
host ID, the discovered short name is automatically mapped to the host ID
of Host 2, and Host 1 is instructed to continue the connection.
■ If the Automatically map host ID to host names option is not selected or
the short name is already mapped to another host ID, the discovered
 Read this first for secure communications in NetBackup 32
How to reset host attributes or host communication status

mapping is added to the pending approval list and Host 1 is instructed to

drop the connection. The mapping should be manually approved before
any connections to Host 2 using the same short name can succeed.

5. Connection is established between the hosts if the mapping is approved. If the

mapping is not approved, the connection is dropped.

How to reset host attributes or host

communication status
The Reset Host Attributes option deletes host properties and host name-to-host
ID mappings information. The primary host name and NetBackup certificate are
not deleted.
Resetting host attributes is useful in the following scenarios:
■ If you have downgraded a host to 8.0 or earlier to enable insecure (or back-level)
communication.
■ If you experience host communication issues and you want to delete the host
information.
See “Resetting NetBackup host attributes” on page 288.

What has changed for catalog recovery

In NetBackup 8.1 or later, the primary server requires you to recover its host identity
when you restore NetBackup after a disaster. The host identity includes certificate
information, security settings, and other information.
With the earlier host identity in place, the primary server can communicate with
media server and clients in the new NetBackup instance. A disaster recovery
package is created during each catalog backup that retains the primary server host
identity. As the disaster recovery package contains sensitive data such as security
certificates and security settings, it is encrypted with a passphrase.
The following diagram shows the workflow for the catalog recovery.
 Read this first for secure communications in NetBackup 33
What has changed for catalog recovery

Catalog Backup Catalog Recovery

Install NetBackup in a DR
5
1 Set DR package passphrase and mode
configure catalog backup policy

When catalog backup job is Import the DR package

2 6 using the passphrase. The
run, a DR package is created
master server host identity
4 is recovered.

After the catalog backup job is

3 completed, DR file and DR package 7 Perform the catalog
are emailed recovery

1. Set a passphrase for the disaster recovery package and then configure a
catalog backup policy. Catalog backups use the passphrase that is configured
at the time of policy execution.
To set a passphrase, in the NetBackup web UI open Settings > Global
security. Then click the Disaster recovery.
You can also set the passphrase constraints using the nbseccmd
-setpassphraseconstraints command option. For more information on the
commands, see the NetBackup Commands Reference Guide.
If you do not set the passphrase constraints using the command, the default
constraints are applicable: Minimum of 8 and a maximum of 1024 characters.
If you change the passphrase at any time, the passphrase of the disaster
recovery packages that were created earlier is not changed. It only changes
the passphrase of the disaster recovery packages that are created
subsequently.
To recover older catalogs, you must use the corresponding passphrase.
 Read this first for secure communications in NetBackup 34
What has changed for catalog recovery

Caution: You must set the passphrase before you configure the catalog backup
policy. If the passphrase is not set, catalog backups fail. If the catalog backup
policy is upgraded from a version earlier than 8.1, catalog backups continue
to fail until the passphrase is set.

2. A disaster recovery package is created during each catalog backup.

To verify that the passphrase after the catalog backup is successful, run the
following command:
nbhostidentity -testpassphrase -infile dr_package_location

3. Disaster recovery packages are stored along with the disaster recovery files
and emailed to the recipient that you have specified during policy configuration.
4. Disaster strikes.
5. After a disaster, install NetBackup on the primary server in a disaster recovery
mode. This process prompts you to specify the disaster recovery package path
and passphrase.
6. If the appropriate passphrase is specified, the primary server host identity is
recovered. You must provide the passphrase that corresponds to the disaster
recovery package that you want to recover.
If you lost the passphrase, you must deploy security certificates on all
NetBackup hosts manually.
For more details, refer to the following article:
http://www.veritas.com/docs/000125933
7. You should perform the catalog recovery immediately after you have recovered
the host identity. This action avoids any information loss specific to the
certificate-related activities that may take place after the host identity restore.
Use the appropriate disaster recovery (DR) file and recover the required catalog.
The passphrase is not recovered during the host identity (or disaster recovery
package) restore or during catalog recovery. You must set it again in the new
NetBackup instance.

Note: If you need to restore the host identity after the normal NetBackup
installation (when the disaster recovery mode is not selected), you can use the
nbhostidentity command.

To restore the host identity of NetBackup Appliance, you must use the
nbhostidentity command after the normal installation.
 Read this first for secure communications in NetBackup 35
What has changed with Auto Image Replication

What has changed with Auto Image Replication

To use NetBackup Auto Image Replication (A.I.R.) with secure communications,
you must establish trust from both the source and the target primary servers.
When you upgrade both the source and the target primary servers to 8.1 or later,
you must update the trust relationship on both primary servers.

Note: After the upgrade, if the trust is not re-established on both the servers, new
storage lifecycle policies (SLP) do not work.

You can configure the trust relationship using the NetBackup web UI or the
nbseccmd -setuptrustedmaster command.

For more information on trusted primary servers for Auto Image Replication, refer
to the NetBackup Deduplication Guide.

How the hosts with revoked certificates work

NetBackup certificates can be revoked by the primary server administrator for
various reasons. A certificate revocation list (CRL) that contains information about
the revoked certificates is created by the primary server and is periodically fetched
by all hosts. The time interval to update the CRLs is determined by the certificate
deployment security level on the primary server.
During communication between hosts, CRLs are verified. The host that uses a
revoked certificate is no longer trusted. Communication with such hosts is terminated.
See “About the host ID-based certificate revocation list” on page 333.

Are NetBackup certificates backed up

For security reasons, NetBackup certificates are not backed up during backups.
Certificates are automatically deleted when NetBackup is uninstalled. If required,
you can manually back them up along with the respective private keys before you
uninstall NetBackup.
See “Retaining host ID-based certificates when reinstalling NetBackup on
non-primary hosts” on page 321.
 Read this first for secure communications in NetBackup 36
Can you configure external certificates for primary server

Can you configure external certificates for primary

server
You can use X.509 certificates that your trusted certificate authority (CA) has issued.
NetBackup supports file-based certificates and Windows certificate store as sources
for external certificates for NetBackup hosts. It supports certificates in PEM, DER,
and P7B formats.
See “Workflow to use external certificates for NetBackup host communication”
on page 400.

How secure communication works with primary

server cluster nodes using external certificates
You can use X.509 certificates that your trusted certificate authority (CA) has issued,
for a clustered primary server.
You should first enable your NetBackup domain to use external CA-signed
certificates by configuring the NetBackup web server. You can then configure the
NetBackup clustered primary server to use external CA-signed certificates for secure
host communication.
See “Workflow to use external certificates for a clustered primary server” on page 435.

How revocation lists work for external certificates

Certificate revocation list (CRL) for an external certificate authority (CA) contains
a list of digital certificates that the external CA has revoked before the scheduled
expiration date and should no longer be trusted.
See “About certificate revocation lists for external CA” on page 417.

How communication happens when a host cannot

directly connect to the primary server
In a demilitarized zone (DMZ), NetBackup clients may not be able to directly send
requests (for certificate deployment and so on) to the primary server. The HTTP
tunnel on the media server is used to accept the web service requests sent by the
client hosts and forward them to the primary server. The configuration of the HTTP
tunneling is automatic and no setup is required. The NetBackup client and the media
server must be 8.1 or later for HTTP tunneling to work.
 Read this first for secure communications in NetBackup 37
How NetBackup 8.1 or later hosts communicate with NetBackup 8.0 and earlier hosts

Irrespective of the certificate deployment security level that is set on the primary
server, you require an authorization token to deploy a NetBackup CA-signed
certificate on a host in a demilitarized zone.
See “About the communication between a NetBackup client located in a demilitarized
zone and a primary server through an HTTP tunnel” on page 352.

How NetBackup 8.1 or later hosts communicate

with NetBackup 8.0 and earlier hosts
NetBackup 8.1 or later hosts can communicate with other 8.1 or later hosts only in
a secure mode. For 8.1 or later host to communicate with hosts at 8.0 or earlier,
you need to allow insecure communication.
By default, the Enable insecure communication with NetBackup 8.0 and earlier
hosts option is enabled. The option is available in the NetBackup Administration
Consoleon the Security Management > Global Security Settings > Secure
Communication tab.
If you disable the option to allow only secure communication, you must restart the
NetBackup services on the primary server to terminate any insecure communications
and allow only secure communications.
During insecure communication, the NetBackup host first connects to the primary
server for host validation. The primary server verifies whether insecure
communication is enabled or not. If the option is enabled, the communication
between the two hosts is established. If the option is disabled, the communication
is dropped.

How communication with legacy media servers

happens in the case of cloud configuration
If the Enable insecure communication with NetBackup 8.0 and earlier hosts
option is disabled, NetBackup cannot communicate with legacy media servers that
you use for cloud storage irrespective of the value of the
CSSC_LEGACY_AUTH_ENABLED cloud configuration option.

The Enable insecure communication with NetBackup 8.0 and earlier hosts
option is available in the NetBackup web UI on the Setting > Global Security >
Secure Communication tab.
 Read this first for secure communications in NetBackup 38
Communication failure scenarios

Communication failure scenarios

Review the following scenarios to resolve host communication issues that you may
face in NetBackup 8.1 or later.

Failure during communication with 8.0 or earlier hosts

If insecure communication is not allowed in NetBackup, communication with 8.0
and earlier hosts fails. For successful communication with 8.0 and earlier NetBackup
hosts, use one of the following methods:
■ In the NetBackup Administration Console on the primary server host, select
the Security Management > Global Security > Hosts > Enable insecure
communication with NetBackup 8.0 and earlier hosts option.
■ On the primary server host, run the following command: nbseccmd
-setsecurityconfig -insecurecommunication on.

Catalog backup failure

If the disaster recovery package passphrase is not set, catalog backups fail with
status code 2524. The following error message is displayed:

Catalog backup failed because the passphrase for the disaster recovery
package is not set.

To set a passphrase, use the Setting > Global Security > Disaster Recovery tab
in NetBackup web UI.

Secure communication support for other hosts

in NetBackup domain
Use this section to learn about how NetBackup 8.1 supports communication with
BMR (Bare Metal Restore) hosts.

Secure communication support for BMR

NetBackup Bare Metal Restore (BMR) 8.1.1 and later versions support NetBackup
secure communication. The Allow Auto Reissue Certificate option enables the
autoreissue parameter of a NetBackup host that in turn allows you to deploy a
certificate on the host without requiring a reissue token.
See “Allowing or disallowing automatic certificate reissue” on page 289.
 Read this first for secure communications in NetBackup 39
Configuration for VMware backups that protect SQL Server and backups with SQL Servers that use multiple
NICs

For more information on BMR, refer to the NetBackup Bare Metal Restore
Administrator's Guide.

Configuration for VMware backups that protect

SQL Server and backups with SQL Servers that
use multiple NICs
Certain environments require that you configure host information in the Distributed
Application Restore Mapping host properties on the primary server. If you have
multiple NICs, you must map the hosts in that host property (or, in the altnames
directory). For VMware backups, if you use a Primary VM identifier other than VM
hostname, then you must map the Primary VM identifier to the client host name.
 Chapter 2
Increasing NetBackup
security
This chapter includes the following topics:

■ About NetBackup security and encryption

■ NetBackup security implementation levels

■ World-level security

■ Enterprise-level security

■ Datacenter-level security overview

■ NetBackup Access Control (NBAC)

■ Combined world, enterprise, and datacenter levels

■ NetBackup security implementation types

■ Operating system security

■ NetBackup security vulnerabilities

■ Standard NetBackup security

■ Client side encryption security

■ NBAC on primary, media server, and graphical user interface security

■ NBAC complete security

 Increasing NetBackup security 41
About NetBackup security and encryption

About NetBackup security and encryption

NetBackup security and encryption provide protection for all parts of NetBackup
operations on NetBackup primary servers, media servers, and attached clients.
Also made secure are the operating systems on which the servers and clients are
running. The backup data is protected through encryption processes and vaulting.
NetBackup data that is sent over the network is protected by dedicated and secure
network ports.
The various level and implementation of NetBackup security and encryption are
included in the following topics.
See “NetBackup security implementation levels” on page 41.
See “NetBackup Access Control (NBAC)” on page 45.
See “Operating system security” on page 52.
See “Standard NetBackup security” on page 53.
See “Client side encryption security” on page 54.
See “NBAC on primary, media server, and graphical user interface security”
on page 56.
See “NBAC complete security” on page 58.

NetBackup security implementation levels

The NetBackup security implementation perspective begins in a very broad sense
at the world level and becomes more detailed at the enterprise level. Security
becomes very specific at the datacenter level.
Table 2-1 shows how NetBackup security levels can be implemented.

Table 2-1 NetBackup security implementation levels

Security level Description

World level Specifies the web server access and the encrypted tapes that are transported and vaulted

Enterprise level Specifies internal users and security administrators

Datacenter level Specifies NetBackup operations

 Increasing NetBackup security 42
World-level security

World-level security
World-level security lets external users access corporate web servers behind
firewalls and allows encrypted tapes to be transported and vaulted off site.
World-level security encompasses the enterprise level and the datacenter level.

Figure 2-1 World-level security scope

World Level

Transport

Vault off-site

External Users
Internet
 Increasing NetBackup security 43
Enterprise-level security

Table 2-2 Types of world-level security

Type Description

World-level external users Specifies that external users can access web servers behind firewalls. External
users cannot access or use NetBackup functionality from the Internet, because the
external firewall prevents NetBackup ports from being accessed.

World-level Internet Specifies a collection of interconnected computer networks that are linked by copper
wires, fiber cables, and wireless connections. Corporate web servers can be
accessed from the Internet by using HTTP ports through firewalls.

World-level WAN The Wide Area Network (WAN) is not shown in the security overview illustration.
The WAN is a dedicated high-speed connection used to link NetBackup data centers
that are geographically distributed.

World-level transport Specifies that a transport truck can move encrypted client tapes off-site to secure
vault facilities.

World-level vault off-site Specifies that encrypted tape can be vaulted at secure storage facilities other than
the current data center.

Enterprise-level security
Enterprise-level security contains more tangible parts of the NetBackup security
implementation. It encompasses internal users, security administrators, and the
datacenter level.
 Increasing NetBackup security 44
Enterprise-level security

Figure 2-2 Enterprise-level security scope

Security Overview

Enterprise Level
Internal Users

Data Center

Security
Administrator
 Increasing NetBackup security 45
Datacenter-level security overview

Table 2-3 Types of enterprise-level security

Type Description

Internal users Specifies the users who have permissions to access and use NetBackup
functionality from within the datacenter. Internal users are typically a
combination of individuals such as database administrators, backup
administrators, operators, and general system users.

Security Specifies a user who has been granted administrator permissions to

administrator access and manage the NetBackup security functionality from within the
data center.

Datacenter-level security overview

Datacenter-level security comprises the core of NetBackup security functionality.
It can consist of a workgroup, a single datacenter, or a multi-datacenter.
Table 2-4 describes the deployment models unique to datacenter-level security.

Table 2-4 Deployment models for datacenter-level security

Type Description

Workgroup A small group of systems (less than 50) used with NetBackup in a wholly internal fashion.

Single datacenter A medium-to-large group of hosts (greater than 50) and can back up hosts within the
demilitarized zone (DMZ).

Multi-datacenter Specifies a medium to large group of hosts (greater than 50) that span two or more
geographic regions. They can connect by WAN. This configuration can also include hosts
in the DMZ that are backed up.

See “NetBackup security implementation levels” on page 41.

NetBackup Access Control (NBAC)

The NetBackup Access Control (NBAC) functionality incorporates the NetBackup
Product Authentication and Authorization into NetBackup, increasing security for
the primary servers, media servers, and clients.
See “About NetBackup security and encryption” on page 41.
Important points about NBAC include:
■ Authentication and Authorization are used together
 Increasing NetBackup security 46
NetBackup Access Control (NBAC)

■ NBAC uses authentication identities from a trusted source to reliably identify

involved parties. Access decisions can then be made for manipulation of
NetBackup based on those identities. Note that NetBackup Security Services
are now embedded.
■ The NetBackup Product Authentication and Authorization consist of the root
broker, authentication broker, authorization engine, and the graphical user
interface.
■ Oracle, Oracle Archiver, DB2, Informix, Sybase, SQL Server, SAP and EV
Migrator are not supported with NBAC.
■ NBAC is not supported on Appliances.
■ The NetBackup catalog backup is supported with NBAC.
The following table describes the NetBackup components that are used in security.

Table 2-5 NetBackup components used in security

Component Description

Root broker The NetBackup primary server is the root broker in a datacenter installation. There
is no provision to use another root broker. The recommendation is to allow trust
between root brokers.

The root broker authenticates the authentication broker. The root broker does not
authenticate clients.

Authentication broker
Authenticates the primary server, media server, graphical user interface, and clients
by establishing credentials with each one of them. The authentication broker also
authenticates a user when operating a command prompt. There can be more than
one authentication broker in a datacenter installation. The authentication broker
can be combined with the root broker.

Authorization engine
Communicates with the primary server and the media server to determine the
permissions of an authenticated user. These permissions determine the functionality
available to a given server. The authorization engine also stores user groups and
permissions. Only one authorization engine is required in a datacenter installation.
The authorization engine also communicates over the WAN to authorize other
media servers in a multi-datacenter environment.

graphical user interface Specifies a Remote Administration Console that receives credentials from the
authentication brokers. The graphical user interface then may use the credentials
to gain access to functionality on the clients, media, and primary servers.

Master server Communicates with the root broker and authentication broker, graphical user
interface, authorization engine, media server, and clients.
 Increasing NetBackup security 47
NetBackup Access Control (NBAC)

Table 2-5 NetBackup components used in security (continued)

Component Description

NetBackup administrator Specifies a user who has been granted administrator permissions to access and
manage the NetBackup functionality from within the data center.

Media server Communicates with the primary server, root broker and authentication broker,
authorization engine, and clients 1 through 6. The media server writes unencrypted
data to tape for client 5 and encrypted data to tape for client 6.

Clients Specifies that clients 1 through 4 are standard NetBackup types. Client 5 is a web
server type located in the DMZ. Client 6 is a client side encrypted type also located
in the DMZ. All client types are managed by the primary server and have their data
backed up to tape through the media server. Clients 5 and 6 communicate to
NetBackup using NetBackup only ports through the internal firewall. Client 5 also
receives connections from the Internet using HTTP only ports through the external
firewall.

Tapes Specifies that the tape security in NetBackup can be increased by adding the
following:

■ Client side encryption

■ Encryption of data at rest

Unencrypted and encrypted data tapes are produced in the datacenter. The
unencrypted tape data is written for clients 1 through 5 and stored on-site at the
datacenter. The encrypted tapes are written for client 6 and are transported off-site
to a vault for disaster recovery protection.

Encryption Specifies that NetBackup encryption can increase security by providing the
following:

■ Greater data confidentiality

■ The loss of physical tape is not as critical if all the data is effectively encrypted
■ The best risk mitigation strategy

For more information about encryption:

See “Encryption security questions to consider” on page 451.

 Increasing NetBackup security 48
NetBackup Access Control (NBAC)

Table 2-5 NetBackup components used in security (continued)

Component Description

Data over the wire security Includes the communication between primary servers, media servers, clients, and
communication using ports through firewalls and over WANs.

For more information about ports, see the NetBackup Network Ports Reference
Guide:

The data over the wire part of NetBackup can help increase security in the following
ways:

■ NetBackup Access Control (NBAC)

■ Classic NetBackup daemons employ authentication when NBAC is enabled
■ CORBA daemons use the fully encrypted channels that support confidentiality,
and provide data integrity
■ Firewalls
■ Disabling the unused ports in NetBackup and in other products:
■ PBX and VNETD dedicated ports provide increased NetBackup security
■ Central set of ports to monitor and open through firewalls

Note: Communication between NetBackup 8.1 and later hosts is secure.

See “About secure communication in NetBackup” on page 274.

Firewall security Specifies that the NetBackup firewall support can help increase security.
Important points about firewall security include the following:

■ It is recommended to use firewall and intrusion detection protection for

NetBackup.
■ Firewall protection relates to general network security from a NetBackup
standpoint. It focuses on reducing the possible "door locks" for a thief to try to
pick. It may be helpful to review the possibility of blocking NFS, telnet, FTP,
email ports. They are not strictly needed for NetBackup use and can provide
an "open door" for unwanted access.
■ Secure the primary server as much as possible
■ Firewalls can include internal firewalls and external firewalls, as follows:
■ Internal firewall - allows NetBackup to access web server client 5 and
encrypted client 6 in the DMZ. Only selected NetBackup ports and possibly
other application ports are enabled for data communication through the
internal firewall and into and out of the DMZ. The HTTP ports are open in
the External Firewall and are not allowed to pass through the internal firewall.
■ External firewall - allows external users to access the web server client 5
located in the DMZ from the Internet over HTTP ports. NetBackup ports are
open for web server client 5 to communicate through the internal firewall to
NetBackup. The NetBackup ports are not allowed to pass through the
external firewall to the Internet. Only the HTTP ports of web server client 5
can pass through the external firewall to the Internet.
 Increasing NetBackup security 49
NetBackup Access Control (NBAC)

Table 2-5 NetBackup components used in security (continued)

Component Description

Demilitarized zone (DMZ) Specifies that the demilitarized zone (DMZ) increases security as follows:

■ The DMZ is a restricted area in which the number of ports that are allowed for
specific hosts is highly controlled
■ The DMZ exists between the external firewall and the internal firewall. The
common area in this example is the web server. The external firewall blocks
all ports except for the HTTP (standard) and HTTPS (secure) web ports. The
internal firewall blocks all ports except for NetBackup and database ports. The
DMZ eliminates the possibility of external Internet access to internal NetBackup
server and database information.

The DMZ provides a "safe" area of operation for the web server client 5 and
encrypted client 6 between the internal firewall and external firewall. The web
server client 5 in the DMZ can communicate to NetBackup through the internal
firewall using designated NetBackup ports. The web server client 5 can also
communicate through the external firewall to the Internet using only HTTP ports.

Figure 2-3 shows an example internal and external firewall with DMZ.

The following figure shows an example of the internal and the external firewall with
DMZ.
 Increasing NetBackup security 50
Combined world, enterprise, and datacenter levels

Figure 2-3 Example firewalls and DMZ

Minimum Firewall Configuration

Back End Corporate

NetBackup
Database
Server

NetBackup Ports Database Ports

Internal Firewall
NetBackup Ports Database Ports
Web Server
Http Ports Https Ports DMZ
External Firewall
Http Ports Https Ports

Internet

Combined world, enterprise, and datacenter levels

The combined world, enterprise, and datacenter levels model is the area where
typical full-functioning NetBackup operations occur. Through the outermost world
level, external users can access corporate web servers behind firewalls and
encrypted tapes are transported and vaulted off-site. At the next level deeper, the
enterprise level, functions related to internal users, security administrators, and the
datacenter level occur. At the deepest level, the datacenter level, the core NetBackup
security functionality occurs through a workgroup, single datacenter, or
multi-datacenter.
The following figure shows the combined world, enterprise, and datacenter levels
model.
 Increasing NetBackup security 51
NetBackup security implementation types

Figure 2-4 Combined world, enterprise, and data level

Enterprise Level
Internal Users
Root Broker & Datacenter Level
Authentication
Broker GUI Authorization
Engine World Level
`

Master
Security Server Media
Administrator Server
NetBackup
Administrator Encrypted
Client Data Transport

` ` ` ` Unencrypted
Client Data
Client 1 Client 2 Client 3 Client 4
Internal Firewall - NetBackup ports allowed
Vault off-site
Demilitarized Zone
`
(DMZ) Client 6
Client 5 Encryption
External Firewall - Http ports allowed

Legend
Credential
External Users Encrypted
Internet Keystore

NetBackup security implementation types

The following table shows the NetBackup security implementation types,
characteristics, complexity, and potential security deployment models.
 Increasing NetBackup security 52
Operating system security

Table 2-6 Security implementation types

Security implementation type Characteristics Complexity Security deployment

models

See “Operating system security” ■ Operating system Variable Workgroup

on page 52. dependent
Single datacenter
■ Varies based on system
components Multi-datacenter

See “Standard NetBackup security” ■ Manage as root or Low Workgroup with NetBackup
on page 53. administrator
Single datacenter with
■ Data is not encrypted standard NetBackup

Multi-datacenter with
standard NetBackup

See “Client side encryption security”
on page 54.
■ Data is encrypted on the Medium Single datacenter with client
client side encryption
■ Encrypted data is sent Multi-datacenter with client
over the wire side encryption
■ Can affect CPU
performance on the client
■ Location of keys

See “NBAC on primary, media server, ■ NBAC gives authorization Medium
and graphical user interface security” to access primary and
on page 56. media servers
■ Authenticates the system
and users to access
primary and media
servers
Single datacenter with NBAC
on primary and media
servers
Multi-datacenter with NBAC
on primary and media
servers

See “NBAC complete security” ■ NBAC gives authorization High Single datacenter with NBAC
on page 58. throughout the system complete
■ NBAC gives Multi-datacenter with NBAC
authentication throughout complete
the entire system
(servers, clients, and
users)

Operating system security

Operating system security can be enhanced for primary servers, media servers,
and clients by doing the following:
 Increasing NetBackup security 53
NetBackup security vulnerabilities

■ Installing operating system patches

Operating system patches include the upgrades applied to the operating system
to keep it running at the highest level of system integrity. Upgrades and patches
should be kept at the level that is specified by the vendor.
■ Following safe firewall procedures
■ Employing least privilege administration
■ Limiting root users
■ Applying the security protocol over IP (IPSEC) hardware
■ Turning off unused ports of the outward facing applications
■ Providing a secure base on which to run NetBackup
■ Adding a first line of intelligence in an investigation to determine if the operating
system has been compromised
■ Making sure that security implementation is the same for all operating systems
■ Adding full interoperability between various systems using NBAC in a
heterogenous environment

NetBackup security vulnerabilities

It is recommended to have protective measures in place to guard against the rare
instance of a possible NetBackup security vulnerability as follows:
■ A full NetBackup update is provided with the next NetBackup maintenance patch
■ The importance of accumulative NetBackup updates
■ Use the following websites for information on possible security vulnerability
issues:
https://www.veritas.com/content/support/en_US/security.html
https://www.veritas.com/security
■ Use email contacts for possible security vulnerability issues:
[email protected]

Standard NetBackup security

The standard NetBackup security only includes the security that is offered by the
operating system and the hardware components of the datacenter. The authorized
NetBackup users administer as root or administrator. Client data is not encrypted.
The primary server, media server, and client are all run within a local enterprise
datacenter. Unencrypted data is usually stored on site, presenting a relatively high
 Increasing NetBackup security 54
Client side encryption security

risk for no disaster recovery plan. Data that is sent off-site could be subject to a
violation of confidentiality if it is intercepted.
The following figure shows an example of the standard NetBackup configuration.

Figure 2-5 Standard NetBackup

Data Center

Master
Server

Media
Server
Enterprise
Internal Firewall

`
Client
Encrypted Data

Legend

Encrypted Tape

Transport Keystore
Vault off-site Clear text
Encrypted

Client side encryption security

Client side encryption security is used to ensure data confidentiality across the wire
as well as on tape. This encryption helps to mitigate the risk of passive wire tapping
within the organization. The risk of data exposure is reduced as the tapes are moved
off site. The encryption key is located on the client. Data communication is encrypted
over the wire between the client and the media server. Data encryption by the client
can be CPU intensive.
 Increasing NetBackup security 55
Client side encryption security

The following backup policy types support the use of the client encryption option.
■ AFS
■ DB2
■ DataStore
■ DataTools-SQL-BackTrack
■ Informix-On-BAR
■ LOTUS_NOTES
■ MS-Exchange
■ MS-SharePoint
■ MS-SQL-Server
■ MS-Windows
■ Oracle
■ PureDisk-Export
■ SAP
■ Split-Mirror
■ Standard
■ Sybase
The following backup policy types do not support the Client Encryption Option. You
cannot select the encryption check box in the policy attributes interface for these
policy types.
■ FlashBackup
■ FlashBackup-Windows
■ NDMP
■ NetWare
■ OS/2
■ Vault
Note that VMS and OpenVMS clients do not support the client encryption option.
These clients use the Standard policy type.
The following figure shows an example of the client side encryption configuration.
 Increasing NetBackup security 56
NBAC on primary, media server, and graphical user interface security

Figure 2-6 Client side encryption

Data center

Master server Media

server

Enterprise Internal Firewall

Encrypted
data
Client Legend

Encrypted
tape

Key store

Clear text

Vault off-site Encrypted

Transport

NBAC on primary, media server, and graphical

user interface security
The NBAC on primary server, media server, and graphical user interface security
method uses the authentication broker. The broker provides credentials to the
primary server, the media server, and the graphical user interface. This datacenter
 Increasing NetBackup security 57
NBAC on primary, media server, and graphical user interface security

example uses the NetBackup Access Control on the primary and the media servers
to limit access to portions of NetBackup. Non-root administration of NetBackup can
also be done using this example. NBAC is configured for use between the servers
and the graphical user interfaces. Non-root users can log on to NetBackup using
the operating system. Use the UNIX password or the Windows local domain to
administer NetBackup. The global user repositories (NIS/NIS+ or Active Directory)
can also be used to administer NetBackup. In addition, NBAC can be used to limit
the level of access to NetBackup for certain individuals. For example, you can
segregate day to day operational control from environmental configuration such as
adding new policies, robots, etc.
The following figure shows an example NBAC on primary and media server
configuration.
 Increasing NetBackup security 58
NBAC complete security

Figure 2-7 NBAC on primary and media server

Data Center
Root Broker &
Authentication Authorization
Broker Engine

Master
Server GUI
Enterprise `

Media
Server

` Client

Legend

Tape

Credential
Authentication
Clear Text
Authorization
Authenticated
Connection

NBAC complete security

The NBAC complete security method uses the authentication broker to provide
credentials to the primary server, media server, and client. This environment is very
similar to the NBAC primary, media server, and graphical user interface model. The
main differences are that all hosts participating in the NetBackup environment are
reliably identified using credentials. And non-root administrators have the ability to
manage the NetBackup clients based on configurable levels of access. Note that
user identities can exist in global repositories such as Active Directory in Windows
 Increasing NetBackup security 59
NBAC complete security

or NIS in UNIX. Identities can also exist in local repositories (UNIX password, local
Windows domain) on those hosts supporting an authentication broker.
The following figure shows an example of the NBAC complete configuration.

Figure 2-8 NBAC complete

Data Center
Root Broker &
Authentication Authorization
Broker Engine

Master
Server GUI
Enterprise `

Media
Server

Client
`

Legend

Tape

Credential
Authentication
Clear Text
Authorization
Authenticated Connection
 Chapter 3
Security deployment
models
This chapter includes the following topics:

■ Workgroups

■ Single datacenters

■ Multi-datacenters

■ Workgroup with NetBackup

■ Single datacenter with standard NetBackup

■ Single datacenter with client side encryption

■ Single datacenter with NBAC on primary and media servers

■ Single datacenter with NBAC complete

■ Multi-datacenter with standard NetBackup

■ Multi-datacenter with client side encryption

■ Multi-datacenter with NBAC on primary and media servers

■ Multi-datacenter with NBAC complete

Workgroups
A workgroup is a small group of systems (less than 50) that is used internally with
NetBackup.
An example workgroup is shown as follows:
 Security deployment models 61
Single datacenters

■ See “Workgroup with NetBackup” on page 61.

Single datacenters
A single datacenter is defined as a medium to large group of hosts (greater than
50).
Example single datacenters are shown in the following list:
■ See “Single datacenter with standard NetBackup” on page 64.
■ See “Single datacenter with client side encryption” on page 66.
■ See “Single datacenter with NBAC on primary and media servers” on page 69.
■ See “Single datacenter with NBAC complete” on page 73.

Multi-datacenters
A multi-datacenter contains a medium to a large group of hosts (greater than 50).
The hosts can span two or more geographic regions that are connected by a Wide
Area Network (WAN).
Example multi-datacenters are shown in the following list:
■ See “Multi-datacenter with standard NetBackup” on page 76.
■ See “Multi-datacenter with client side encryption” on page 78.
■ See “Multi-datacenter with NBAC on primary and media servers” on page 83.
■ See “Multi-datacenter with NBAC complete” on page 87.

Workgroup with NetBackup

A workgroup with NetBackup is classified as a small group of systems (less than
50). The workgroup is used with NetBackup internally. Typically, this configuration
does not have a unified naming service such as NIS or Active Directory. It may not
have an authoritative host naming service such as DNS or WINS. This configuration
is typically found in the test labs of large corporations, or as environments in small
corporations.
The workgroup with NetBackup includes the following highlights:
■ Very few NetBackup servers
■ Small computer environments
■ No externally facing equipment involved
 Security deployment models 62
Workgroup with NetBackup

Figure 3-1 shows an example workgroup with NetBackup.

Figure 3-1 Workgroup with NetBackup

Master
Server

Media
Server

` ` `
Client 1 Client 2 Client 3

Unencrypted
Data for
` Clients
1, 2, 3, 4
Client 4

Internal Firewall – NetBackup Ports allowed

DMZ

External Firewall – Only Http Ports allowed

Internet

The following table describes the NetBackup parts that are used with the workgroup.
 Security deployment models 63
Workgroup with NetBackup

Table 3-1 NetBackup parts used with the workgroup

Part Description

Master server Communicates with the media server and clients 1, 2, 3, and 4.

Media server Communicates with the primary server and clients 1, 2, 3, and 4. The media server manages
the writing of unencrypted data to tape for clients 1, 2, 3 and 4.

Tape Contains unencrypted backup data that is written for clients 1, 2, 3, and 4.

Clients Specifies that clients 1, 2, 3, and 4 are Standard NetBackup clients managed by the primary
server. They have their unencrypted data backed up to tape by the media server.

Internal firewall Allows NetBackup to have access to clients in the DMZ. Only selected NetBackup ports
and possibly other application ports are enabled for data communication into and out of the
DMZ. HTTP ports that are open in the external firewall are not allowed to pass through the
internal firewall from the Internet. The internal firewall is not used with the Workgroup
deployment model. In this example, no clients access the internal firewall so the NetBackup
ports should not be opened through it.
Note: In this example, there are no clients beyond the internal firewall. So the NetBackup
ports should not be open through the internal firewall.

Demilitarized Zone Provides a "safe" area of operation for NetBackup clients existing between the internal
(DMZ) firewall and external firewall. Possible clients operating in the DMZ include Web server
NetBackup clients using either standard NetBackup clients or encrypted NetBackup clients.
Clients in the DMZ can communicate to NetBackup through the internal firewall using
designated NetBackup ports. Web server NetBackup clients can receive connections from
the external firewall to the Internet using typical HTTP ports. The DMZ is not accessible by
clients in the Workgroup deployment model.

External firewall Allows external users to access Web server NetBackup clients that are located in the DMZ
from the Internet typically over HTTP ports. NetBackup ports open for clients to communicate
through the internal firewall are not allowed to pass through the external firewall to the
Internet.

Internet Specifies a collection of interconnected computer networks linked by copper wires, fiber-optic
cables, and wireless connections. Clients do not use the Internet in the Workgroup
deployment model.
Caution: Customers should never put NetBackup clients outside the DMZ and directly in
the Internet. You must use an external firewall to block the outside world from NetBackup
ports at all times.
 Security deployment models 64
Single datacenter with standard NetBackup

Single datacenter with standard NetBackup

A single datacenter with standard NetBackup is defined as a medium to large group
of hosts (greater than 50). It includes the hosts that are both internal only and those
that expand through the DMZ to the Internet. This configuration typically has
centralized naming service for hosts (such as DNS or WINS). It also has a
centralized naming service for users (such as NIS or Active Directory).
The single datacenter with standard NetBackup includes the following highlights:
■ Externally facing hosts
■ Centralized naming services typically exist
■ Greater than 50 hosts in size
■ Simplest to configure requiring only general NetBackup knowledge
■ Typical configuration that is used for NetBackup customers
■ Assumes no fear of passive data interception on the wire as the backup runs
Figure 3-2 shows an example single datacenter with standard NetBackup.
 Security deployment models 65
Single datacenter with standard NetBackup

Figure 3-2 Single datacenter with standard NetBackup

Single data center – standard NetBackup

Master server
Media server
Unencrypted
data for
clients
4 and 5

Client 4
Standard NetBackup

Internal Firewall – NetBackup ports allowed

Client 5
Web Server
External Firewall – Only Https ports allowed

Internet
 Security deployment models 66
Single datacenter with client side encryption

The following table describes the NetBackup parts that are used for a single
datacenter with standard NetBackup.

Table 3-2 NetBackup parts for a single datacenter with standard NetBackup

Part Description

Master server Communicates with the media server, standard NetBackup client 4 and Web server
NetBackup client 5 in the DMZ.

Media server Communicates with the primary server, standard NetBackup client 4 and Web server
NetBackup client 5 in the DMZ. The media server manages the writing of unencrypted data
to tape for clients 4 and 5.

Tape Contains unencrypted backup data that is written for clients 4 and 5.

Clients Specifies that client 4 is a standard NetBackup type and client 5 is a Web server type. The
primary server manages both clients and have their unencrypted data backed up to tape
by the media server. Client 4 exists in the datacenter. Client 5 exists in the DMZ. Client 5
communicates to NetBackup using NetBackup only ports through the internal firewall. Client
5 receives connections from the Internet using HTTP only ports through the external firewall.
Note that all NetBackup traffic for the lookup is sent unencrypted over the wire.

Internal firewall Enables NetBackup to access Web server NetBackup client 5 in the DMZ. Only selected
NetBackup ports and possibly other application ports are enabled for data communication
into and out of the DMZ. HTTP ports that are open in the external firewall cannot pass
through the internal firewall from the Internet.

Demilitarized Zone Provides a "safe" area of operation for NetBackup client 5, Web server , that exists between
(DMZ) the internal firewall and external firewall. Client 5 in the DMZ can communicate to NetBackup
through the internal firewall using designated NetBackup ports. The Web server client 5 can
communicate through the external firewall to the Internet using HTTP ports.

External firewall Allows external users to access the Web server client 5 located in the DMZ from the Internet
over HTTP ports. NetBackup ports are open for client 5 to communicate through the internal
firewall.
Caution: NetBackup ports are not allowed to pass through the external firewall to the
Internet. Only the HTTP ports to client 5 are open in the external firewall to the Internet.

Internet Specifies a collection of interconnected computer networks that are linked by copper wires,
fiber-optic cables and wireless connections. The Web server client 5 can receive connections
over the Internet using HTTP ports through the external firewall.

Single datacenter with client side encryption

This single datacenter with client side encryption example uses the client side
encryption to ensure data confidentiality across the wire as well as on tape. The
 Security deployment models 67
Single datacenter with client side encryption

client side encryption mitigates the risk of passive wire tapping within the
organization. The risk of data exposure is reduced as tapes are moved off site. This
datacenter model assures a medium to large number (greater than 50) of managed
hosts. Clients inside the datacenter as well as the DMZ can use centralized naming
services for hosts and user identities.
The single datacenter with client side encryption includes the following highlights:
■ Useful for protecting off-site data
■ Data from client is encrypted and eliminates passive interception of the data on
the wire
■ Key management is de-centralized on to the clients
■ The original NetBackup encryption option
■ Client CPU is used to perform encryption
■ Must have the key to get data back. A lost key means lost data.
■ Useful when you need to scan tapes off-site and/or you need confidentiality on
the wire
Figure 3-3 shows an example single datacenter with client side encryption.
 Security deployment models 68
Single datacenter with client side encryption

Figure 3-3 Single datacenter with client side encryption

Master
Server Media
Server

En a fo 6
D
at
cr r C
yp li
te en
d t
` ` ` Transport
Encrypted Tape
for
Client 1 Client 2 Client 3
Client 6

Vault off-
site

Internal Firewall – NetBackup Ports allowed

`
Client 5 Client 6
Web Server DMZ Encryption

External Firewall – Only Http Ports allowed

Internet

The following table describes the NetBackup parts that are used for a single
datacenter with client side encryption.
 Security deployment models 69
Single datacenter with NBAC on primary and media servers

Table 3-3 NetBackup parts for a single datacenter with client side encryption

Part Description

Demilitarized Zone (DMZ) Provides a "safe" area of operation for Web server client 5 and encrypted client 6. These
clients exist between the internal firewall and external firewall. The Web server client 5
and encrypted client 6 in the DMZ can communicate to NetBackup through the internal
firewall using designated NetBackup ports. The Web server client 5 and encrypted client
6 can communicate through the external firewall to the Internet using HTTP ports. The
encrypted client 6 in the DMZ can communicate to NetBackup through the internal
firewall using designated NetBackup ports.

External firewall Allows external users to access the Web server client 5 and encrypted client 6. These
clients can be accessed in the DMZ from the Internet over HTTP ports. NetBackup ports
are open for Web server client 5 and encrypted client 6 to communicate through the
internal firewall. However, NetBackup ports are not allowed to pass through the external
firewall to the Internet. Only the HTTP ports of Web server client 5 and encrypted client
6 can pass through the external firewall to the Internet. The external firewall limits client
5 and 6 from bidirectional communication over the Internet.

Internet Specifies a collection of interconnected computer networks that are linked by copper
wires, fiber-optic cables, and wireless connections. The Web server client 5 can
communicate over the Internet using HTTP ports through the external firewall.

Single datacenter with NBAC on primary and

media servers
The single datacenter with NBAC on primary servers and media servers example
uses the NetBackup Access Control on the primary servers and media servers.
This configuration limits access to portions of NetBackup and provides non-root
administration of NetBackup. NBAC is configured for running between the servers
and the GUIs. Non-root users can log in to NetBackup with operating system (UNIX
password or Windows local domain) or global user repositories (NIS/NIS+ or Active
Directory) to administer NetBackup. NBAC can be used to limit the level of access
to NetBackup for certain individuals. For example, you can segregate day to day
operational control from environmental configuration such as adding new policies,
robots, etc.
The single datacenter with NBAC on primary and media servers includes the
following highlights:
■ Administer non-root users
■ Administer UNIX with a Windows User ID
■ Administer Windows with a UNIX account
 Security deployment models 70
Single datacenter with NBAC on primary and media servers

■ Segregate and limit the actions of specific users

■ Root or Administrator or client hosts can still do local client backups and restores
■ Can be combined with other security-related options
■ All servers must have the required NetBackup version
Figure 3-4 shows an example single datacenter with NBAC on primary and media
servers.
 Security deployment models 71
Single datacenter with NBAC on primary and media servers

Figure 3-4 Single datacenter with NBAC on primary and media servers

Root Broker &

Authentication
Broker
GUI Authorization
Engine
`
Master
Server
Media
Server

Unencrypted
Data for
Clients
1, 2, 3, 5

` ` `
Client 1 Client 2 Client 3

Internal Firewall – NetBackup Ports allowed

`
Client 5
Web Server DMZ

External Firewall – Only Http Ports allowed

Internet

The following table describes the NetBackup parts that are used for a single
datacenter with NBAC on the primary and media servers.
 Security deployment models 72
Single datacenter with NBAC on primary and media servers

Table 3-4 NetBackup parts for a single datacenter with NBAC on the primary
and media servers

Part Description

Primary server Communicates with the media server, root, and authentication broker. It also communicates
with the authorization engine, clients 1, 2, 3, and client 5, Web server, in the DMZ. The
primary server also communicates with and receives a credential from the authentication
broker.

When a CLI or GUI accesses a daemon on a primary server, a credential is exchanged to

identify the user. The authorization engine is then contacted to determine accessibility to
the daemons functions.

Media server Communicates with the primary server, clients 1, 2, 3, and client 5, Web server, in the DMZ.
The media server also communicates with the authorization engine and receives a credential
from the authentication broker. The media server enables the writing of unencrypted data
to tape for clients 1, 2, 3, and 5.

When a CLI or GUI accesses a daemon on a media server, a credential is exchanged to

identify the user. The authorization engine is then contacted to determine accessibility to
the daemons functions.

GUI Specifies that this remote administration console GUI receives a credential from the
authentication broker. The GUI then uses this credential to gain access to functionality on
the media servers and primary servers.

Root broker Authenticates the authentication broker but not the clients. In this example, the root broker
and authentication broker are shown as the same component.

Authentication broker Authenticates the primary server, media server, and GUI by establishing credentials with
each. If a command prompt is used, the authentication broker also authenticates a user.

Authorization engine Communicates with the primary server and media server to determine permissions of an
authenticated user. These permissions determine the functionality available to the user. It
also stores user groups and permissions. Only one authorization engine is needed.
Note: The authorization engine resides on the primary server as a daemon process. It is
shown in the figure as a separate image for the example only.

Tape Contains unencrypted backup data that is written for clients 1, 2, 3, and 5.

Clients Specifies that clients 1, 2, and 3 are standard NetBackup types and client 5 is a Web server
type. Both types are managed by the primary server and have their unencrypted data backed
up to tape through the media server. Clients 1, 2, and 3 exist in the datacenter. Client 5
exists in the DMZ. Client 5 communicates to NetBackup using NetBackup only ports through
the internal firewall. Client 5 receives connections from the Internet using HTTP only ports
through the external firewall.
 Security deployment models 73
Single datacenter with NBAC complete

Table 3-4 NetBackup parts for a single datacenter with NBAC on the primary
and media servers (continued)

Part Description

Internal firewall Allows NetBackup to access Web server Client 5 in the DMZ. Only selected NetBackup
ports and possibly other application ports are enabled for data communication into and out
of the DMZ. HTTP ports that are open in the external firewall are not allowed to pass through
the internal firewall.

Demilitarized Zone Provides a "safe" area of operation for Web server client 5 that exists between the internal
(DMZ) firewall and external firewall. The Web server client 5 in the DMZ can communicate to
NetBackup through the internal firewall using designated NetBackup ports. The Web server
client 5 can communicate through the external firewall to the Internet using HTTP ports.

External firewall Allows external users to access the Web server client 5 located in the DMZ from the Internet
over HTTP ports. NetBackup ports are open for client 5 to communicate through the internal
firewall. NetBackup ports are not allowed to pass through the external firewall to the Internet.
Only the HTTP ports of client 5 can pass through the external firewall to the Internet.

Internet Specifies a collection of interconnected computer networks, linked by copper wires, fiber-optic
cables, and wireless connections. Client 5 can communicate over the Internet using HTTP
ports through the external firewall.

Single datacenter with NBAC complete

The single datacenter with NBAC complete environment is very similar to the single
datacenter with NBAC primary and media server. The main differences are that all
of the hosts that participate in the NetBackup environment are reliably identified
using credentials. And non-root administrators can manage the NetBackup clients
based on configurable levels of access. Note that user identities may exist in global
repositories, such as Active Directory in Windows or NIS in UNIX. Identities can
also exist in local repositories (UNIX passwd, local Windows domain) on those
hosts that support an authentication broker.
The single datacenter with NBAC complete includes the following highlights:
■ Similar to highlights for single datacenter with NBAC primary and media server,
except for root or administrator on client
■ On client systems, non-root / administrator users may be configured to do local
backup and restores (setup by default)
■ The environment facilitates trusted identification of all hosts participating in
NetBackup
■ All hosts should have the required NetBackup version
Figure 3-5 shows an example single datacenter with NBAC complete.
 Security deployment models 74
Single datacenter with NBAC complete

Figure 3-5 Single datacenter with NBAC complete

Root Broker &

Authentication
Broker
GUI Authorization
Engine
`
Master
Server
Media
Server

Unencrypted
Data for Clients
1, 2, 3, 5

` ` `
Client 1 Client 2 Client 3

Internal Firewall – NetBackup Ports allowed

`
Client 5
Web Server DMZ
External Firewall – Only Http Ports allowed

Internet
 Security deployment models 75
Single datacenter with NBAC complete

The following table describes the NetBackup parts that are used with a single
datacenter with NBAC complete.

Table 3-5 NetBackup parts for a single datacenter with NBAC complete

Part Description

Primary server Communicates with the media server, root broker, authentication broker. It also communicates
with the authorization engine, clients 1, 2, 3, and client 5, Web server, in the DMZ. The
primary server further communicates with and receives a credential from the authentication
broker.

When a CLI or GUI accesses a daemon on a primary server, a credential is exchanged to

identify the user. The authorization engine is contacted to determine accessibility to the
daemons functions.

Media server Communicates with the primary server, clients 1, 2, 3, and client 5, Web server, in the DMZ.
The media server also communicates with the authorization engine and receives a credential
from the authentication broker. The media server enables the writing of unencrypted data
to tape for clients 1, 2, 3, and 5.

When a CLI or GUI accesses a daemon on a media server, a credential is exchanged to

identify the user. The authorization engine is contacted to determine accessibility to the
daemons functions.

GUI Specifies that the remote administration console, GUI, receives a credential from the
authentication broker. The GUI then uses this credential to gain access to functionality on
the media servers and primary servers.

Root broker Authenticates the authentication broker but not the clients. Figure 3-5, shows the root broker
and the authentication broker as the same component.

Authentication broker Authenticates the primary server, media server, GUI, clients, and users by establishing
credentials with each.

Authorization engine Communicates with the primary server and media server to determine permissions of an
authenticated user. It also stores user groups and permissions. Only one authorization
engine is needed.
Note: The authorization engine resides on the primary server as a daemon process. It is
shown in the figure as a separate image for the example only.

Tape Contains unencrypted backup data that is written for clients 1, 2, 3, and 5.
 Security deployment models 76
Multi-datacenter with standard NetBackup

Table 3-5 NetBackup parts for a single datacenter with NBAC complete
(continued)

Part Description

Clients Specifies that clients 1, 2, and 3 are standard NetBackup types and client 5 is a Web server
type. When receiving credentials from the authentication broker, clients 1, 2, 3, and 5 are
authenticated to the NetBackup Product Authentication Service domain. Both standard
server and Web server types are managed by the primary server and have their unencrypted
data backed up to tape through the media server. Clients 1, 2, and 3 exist in the datacenter.
Client 5 exists in the DMZ. Client 5 communicates to NetBackup using NetBackup only ports
through the internal firewall. Client 5 receives connections from the Internet using HTTP
only ports through the external firewall.

Internal firewall Allows NetBackup to access Web server client 5 in the DMZ. Only selected NetBackup ports
and possibly other application ports are enabled for data communication into and out of the
DMZ. HTTP ports that are open in the external firewall cannot pass through the internal
firewall.

Demilitarized Zone Provides a "safe" area of operation for Web server client 5 that exists between the internal
(DMZ) firewall and external firewall. The Web server client 5 in the DMZ can communicate to
NetBackup through the internal firewall using designated NetBackup ports. The Web server
client 5 can communicate through the external firewall to the Internet using HTTP ports.

External firewall Allows external users to access the Web server client 5 located in the DMZ from the Internet
over HTTP ports. NetBackup ports are open for client 5 to communicate through the internal
firewall. NetBackup ports are not allowed to pass through the external firewall to the Internet.
Only the HTTP ports of client 5 can pass through the external firewall to the Internet.

Internet Specifies a collection of interconnected computer networks, linked by copper wires, fiber-optic
cables, and wireless connections. Client 5 can communicate over the Internet using HTTP
ports through the external firewall.

Multi-datacenter with standard NetBackup

A multi-datacenter with standard NetBackup is defined as a medium to large group
of hosts (greater than 50). These hosts can span two or more geographic regions
and can be connected by a Wide Area Network (WAN). In this example one
datacenter is located in London and the other datacenter is located in Tokyo. Both
datacenters are connected through a dedicated WAN connection.
A multi-datacenter includes the hosts that are both internal only and those that
expand through the DMZ to the Internet. This configuration typically has centralized
naming service for hosts (such as DNS or WINS). It also has a centralized naming
service for users (such as NIS or Active Directory).
The multi-datacenter with standard NetBackup includes the following highlights:
 Security deployment models 77
Multi-datacenter with standard NetBackup

■ NetBackup spans two or more geographic regions through a WAN

■ Centralized naming services typically exist
■ Greater than 50 hosts in size
■ Simplest to configure; requires only general NetBackup knowledge
■ Assumes no fear of passive data interception on the wire as the backup runs
The following table describes the NetBackup parts that are used with a
multi-datacenter that has implemented standard NetBackup.

Table 3-6 NetBackup parts for a multi-datacenter with standard NetBackup

implemented

Part Description

London datacenter Contains the primary server, media server 1, client 4 standard NetBackup, and the
unencrypted data tape for client 4. The London datacenter connects to the Tokyo
datacenter through a dedicated WAN connection.

Tokyo datacenter Contains the media server 2, client 10 standard NetBackup, and the unencrypted data
tape for client 10. The Tokyo datacenter connects to the London datacenter through
a dedicated WAN connection.

Wide Area Network (WAN) Specifies the dedicated WAN link that connects the London datacenter to the Tokyo
datacenter. The WAN provides connectivity between the primary server and media
server 2 and client 10.

Primary server Specifies that it is located in London and communicates with media server 1 in London.
The primary server also communicates over the WAN with the media server 2 in
Tokyo. The primary server communicates with standard NetBackup client 4 in London
and client 10 over the WAN in Tokyo.

Media servers Specifies that the multi-datacenter can have two media servers. One media server is
in London and the other is in Tokyo. The media server 1 in London communicates
with the primary server and standard NetBackup client 4 also in London. Media server
1 manages the writing of unencrypted data to tape for client 4 in London.

The media server 2 in Tokyo communicates with the primary server in London and
standard NetBackup client 10 in Tokyo. Media server 2 manages the writing of
unencrypted data to tape for client 10 in Tokyo.

Tapes Specifies that tapes are produced in both the London and Tokyo datacenters. The
London tape contains unencrypted backup data that is written for client 4. The Tokyo
tape contains unencrypted backup data that is written for client 10.
 Security deployment models 78
Multi-datacenter with client side encryption

Table 3-6 NetBackup parts for a multi-datacenter with standard NetBackup

implemented (continued)

Part Description

Clients Specifies that the clients are located in both the London and Tokyo datacenters. Clients
4 and 10 are standard NetBackup types. Both clients can be managed by the primary
server that is located in London. Their unencrypted data is backed up to tape by the
media server. Unencrypted data is written to both client 4 tape in London and client
10 tape in Tokyo. Note that all NetBackup traffic for client 10 lookup is sent unencrypted
over the wire (WAN) from Tokyo to London.

Internal firewalls Specifies that internal firewalls are not used at the London or Tokyo datacenter with
standard NetBackup.

Demilitarized Zones (DMZs) Specifies that DMZs are not used at the London or Tokyo datacenter with standard
NetBackup.

External firewalls Specifies that external firewalls are not used at the London or Tokyo datacenter with
standard NetBackup.

Internet Specifies that the Internet is not used at the London or Tokyo datacenter with standard
NetBackup.

Multi-datacenter with client side encryption

A multi-datacenter with client side encryption option is defined as a medium to large
group of hosts (greater than 50). These hosts can span two or more geographic
regions and can be connected by a Wide Area Network (WAN). In this example
one datacenter is located in London and the other datacenter is located in Tokyo.
Both datacenters are connected through a dedicated WAN connection.
The example multi-datacenter can use client side encryption to ensure data
confidentiality across the wire as well as on tape. This encryption helps to mitigate
the risk of passive wire tapping within the organization. Risk of data exposure as
the tapes are moved off site. This datacenter model assures a medium to large
number (greater than 50) of managed hosts. Clients inside the datacenter as well
as the DMZ, can have the potential for centralized naming services for hosts and
user identities.
The multi-datacenter with client side encryption includes the following highlights:
■ NetBackup spans two or more geographic regions through a WAN
■ Useful for protecting off-site data
■ Data from client is encrypted and eliminates the passive interception of the data
on the wire
 Security deployment models 79
Multi-datacenter with client side encryption

■ Key management is de-centralized on to the clients

■ The original NetBackup encryption option
■ Client CPU is used to perform encryption
■ Must have the key to get data back. A lost key means lost data.
■ Useful when you need to scan tapes off-site or you need confidentiality on the
wire
The following table describes the NetBackup parts that are used for a
multi-datacenter with client side encryption implemented.

Table 3-7 NetBackup parts for a multi-datacenter with client side encryption
implemented

Part Description

London datacenter Contains the primary server, media server 1 and clients 4, 5, and 6. The London
datacenter also contains the encrypted data tape for clients 6 and 7 and unencrypted
data tape for clients 4 and 5. The London datacenter connects to the Tokyo datacenter
through a dedicated WAN connection.

Tokyo datacenter Contains the media server 2 and clients 7, 10, 11, and 12. The Tokyo datacenter also
contains the encrypted data tape for clients 7 and 12 and unencrypted data tape for
clients 10 and 11. The Tokyo datacenter connects to the London datacenter through a
dedicated WAN connection.

Wide Area Network (WAN) Specifies that the dedicated WAN link connects the London datacenter with the Tokyo
datacenter. The WAN provides connectivity between the primary server in London to
media server 2 with clients 7, 10, 11, and 12 in Tokyo. The WAN also provides
connectivity between media server 1 in London to client 7 in London.

Primary server Specifies that the primary server is located in the London datacenter and communicates
with media server 1 and clients 4, 5, and 6. The primary server also uses the WAN to
communicate with media server 2, and clients 7, 10, 11, and 12 in Tokyo.
 Security deployment models 80
Multi-datacenter with client side encryption

Table 3-7 NetBackup parts for a multi-datacenter with client side encryption
implemented (continued)

Part Description

Media servers Specifies that the multi-datacenter uses two media servers. Media server 1 is located
in the London datacenter and media server 2 is located in the Tokyo datacenter. In
London, media server 1 communicates with the primary server and clients 4, 5, and 6.
Media server 1 also communicates with client 7 in Tokyo. Media server 1 writes
unencrypted data to tape for clients 4 and 5. Media server 1 writes encrypted data to
tape for clients 6 and 7. Note that client 7 is located in Tokyo but its tape backup is
located in London. The encrypted tape for clients 6 and 7 is transported off-site to a
vault in London.

In Tokyo, media server 2 communicates with the primary server in London through the
WAN and clients 7, 10, 11, and 12 in Tokyo. Media server 2 writes unencrypted data to
tape for clients 10 and 11. Media server 2 also writes encrypted data to tape for clients
7and 12. Note that even though client 7 is located in Tokyo and is backed up in London,
client 7 is also backed up in Tokyo. The encrypted tape for clients 7 and 12 is transported
off-site to a vault in Tokyo.

Client side encryption Specifies that the client side encryption (not shown in the figure) ensures data
confidentiality across the wire as well as on tape.

Tapes Specifies that both unencrypted and encrypted data tapes are produced in the London
datacenter and in the Tokyo datacenter. The encrypted tape contains client side encrypted
backup data. In London, the unencrypted tape is written for clients 4 and 5 and stored
on-site at the London datacenter. The encrypted tape is written for clients 6 and 7. The
encrypted tape is transported off-site to a vault in London for disaster recovery protection.

In Tokyo, the unencrypted tape is written for clients 10 and 11 and stored on-site at the
Tokyo datacenter. The encrypted tape is written for clients 7 and 12. Note that even
though client 7 is located in Tokyo and is backed up in Tokyo, client 7 is also backed
up in London. The encrypted tape is transported off-site to a vault in Tokyo for disaster
recovery protection.
Note: To decrypt the data, the key(s) used to encrypt the data must be made available.

Transports Specifies that the multi-datacenter uses two transports. One transport is located in
London and the other is located in Tokyo. The transport truck in London moves the
encrypted tape for clients 6 and 7 off-site to a secure London vault facility. The transport
truck in Tokyo moves the encrypted tape for clients 7 and 12 off-site to a secure Tokyo
vault facility. Note that a backup copy of client 7 is vaulted both in London and in Tokyo.
Note: If in the remote case a tape is lost during transport, the datacenter manager has
potentially reduced the risk of a data breach. The breach is reduced through the use of
client side data encryption.
 Security deployment models 81
Multi-datacenter with client side encryption

Table 3-7 NetBackup parts for a multi-datacenter with client side encryption
implemented (continued)

Part Description

Vaults off-site Specifies that the multi-datacenter uses two vaults off-site. One vault is located in London
and the other is located in Tokyo. Both vaults provide safe encrypted tape storage
facilities off-site at different locations than the datacenters.
Note: Storing the encrypted tapes at locations separate from the datacenters promotes
good disaster recovery protection.

Clients Specifies that the clients are located in both the London and Tokyo datacenters. In
London, client 4 is a standard NetBackup type. Client 5 is a Web server type located in
the DMZ. Client 6 is client side encrypted and is also located in the DMZ. All client types
can be managed by the primary server and have their data backed up to tape through
media server 1. Clients 5 and 6 communicate to NetBackup using NetBackup only ports
through the internal firewall. Client 6 receives connections from the Internet using HTTP
only ports through the external firewall.

In Tokyo, client 7 is a client side encrypted client but outside of the DMZ. Client 10 is a
standard NetBackup type. Client 11 is a Web server type located in the DMZ. Client 12
is client side encrypted also located in the DMZ. All client types can be managed by the
primary server in London. Client 7 data is backed up to tape through media server 1
and 2. Client 10, 11, and 12 data is backed up to tape through media server 2. Clients
11 and 12 communicate to NetBackup using NetBackup only ports through the internal
firewall. Client 12 receives connections from the Internet using HTTP only ports through
the external firewall.

Internal firewalls Specifies that the multi-datacenter uses two internal firewalls. One internal firewall is
located in London and the other is located in Tokyo. In London, the internal firewall
allows NetBackup to access Web server client 5 and client side encrypted client 6 in
the DMZ. In Tokyo, the internal firewall lets NetBackup access Web server client 11 and
client side encrypted client 12 in the DMZ. Only selected NetBackup ports and possibly
other application ports are enabled for data communication into and out of the DMZ.
HTTP ports that are open in the external firewall cannot pass through the internal firewall.
 Security deployment models 82
Multi-datacenter with client side encryption

Table 3-7 NetBackup parts for a multi-datacenter with client side encryption
implemented (continued)

Part Description

Demilitarized Zones (DMZs) Specifies that the multi-datacenter uses two DMZs. One DMZ is located in London and
the other is located in Tokyo. In London, the DMZ provides a "safe" area of operation
for the Web server client 5 and client side encrypted client 6. That client exists between
the internal firewall and the external firewall. The Web server client 5 and client side
encrypted client 6 in the DMZ can communicate to NetBackup. Both clients communicate
through the internal firewall using designated NetBackup ports. The Web server client
5 can also communicate through the external firewall to the Internet using only HTTP
ports.

In Tokyo, the DMZ provides a "safe" area of operation for the Web server client 11 and
client side encrypted client 12. The client 12 exists between the internal firewall and
external firewall. The Web server client 11 in the DMZ can communicate to NetBackup
through the internal firewall using designated NetBackup ports. The Web server client
11 can also communicate through the external firewall to the Internet using only HTTP
ports.

External firewalls Specifies that the multi-datacenter can use two external firewalls. One external firewall
is located in London and the other is located in Tokyo. In London, the external firewall
lets external users access the Web server client 5 located in the DMZ from the Internet
over HTTP ports. The NetBackup ports are open for Web server client 5 to communicate
through the internal firewall to NetBackup. The NetBackup ports are not allowed to pass
through the external firewall to the Internet. Only the HTTP ports of Web server client 5
can pass through the external firewall to the Internet. The client side encrypted client 6
cannot be accessed from the Internet.

In Tokyo, the external firewall external users access the Web server client 11 located
in the DMZ from the Internet over HTTP ports. NetBackup ports are open for Web server
client 11 to communicate through the internal firewall to NetBackup. The NetBackup
ports are not allowed to pass through the external firewall to the Internet. Only the HTTP
ports of Web server client 11 can pass through the external firewall to the Internet. The
client side encrypted client 12 cannot be accessed from the Internet.

Internet Specifies that there is only one Internet but there are two Internet connections in this
multi-datacenter example. One Internet connection is located in London and the other
is located in Tokyo. The Internet is a collection of interconnected computer networks
that are linked by copper wires, fiber-optic cables and wireless connections. In London,
the Web server client 5 can communicate over the Internet using HTTP ports through
the external firewall. In Tokyo, the Web server client 11 can communicate over the
Internet using HTTP ports through the external firewall.
 Security deployment models 83
Multi-datacenter with NBAC on primary and media servers

Multi-datacenter with NBAC on primary and media

servers
A multi-datacenter with NBAC on the primary server and media server example is
defined as a medium to large group of hosts (greater than 50). These hosts span
two or more geographic regions and can be connected by a Wide Area Network
(WAN). In this example one datacenter is located in London and the other datacenter
is located in Tokyo. Both datacenters are connected through a dedicated WAN
connection.
This datacenter example uses NetBackup Access Control on the primary servers
and media servers. The datacenter limits access to portions of NetBackup and can
use non-root administration of NetBackup. Within this environment, NBAC is
configured for use between the servers and the GUIs. Non-root users can log in to
NetBackup using operating system (UNIX password or Windows local domain). Or
global user repositories (NIS/NIS+ or Active Directory) can be used to administer
NetBackup. In addition, NBAC can be used to limit the level of access to NetBackup
for certain individuals. For example, you can segregate day to day operational
control from environmental configuration such as adding new policies, robots, etc.
The multi-datacenter with NBAC on primary and media servers includes the following
highlights:
■ NetBackup spans two or more geographic regions through a WAN
■ Administer as non-root users
■ Administer UNIX with a Windows User ID.
■ Administer Windows with a UNIX account.
■ Segregate and limit the actions of specific users.
■ Root or Administrator or client hosts can still perform local client backups and
restores
■ Can be combined with other security-related options
■ All servers must be NetBackup version 7.7 or later.
The following table describes the NetBackup parts that are used for a
multi-datacenter with NBAC on the primary and media servers.
 Security deployment models 84
Multi-datacenter with NBAC on primary and media servers

Table 3-8 NetBackup parts used for a multi-datacenter with NBAC on the
primary and media servers

Part Description

London datacenter Specifies that the London datacenter contains the root broker, authentication broker 1,
GUI 1, authorization engine, primary server, media server 1, and clients 4 and 5. The
London datacenter also contains the unencrypted data tape for clients 4 and 5. The
London datacenter connects to the Tokyo datacenter through a dedicated WAN
connection.

Tokyo datacenter Specifies that the Tokyo datacenter contains authentication broker 2, GUI 2, media
server 2, and clients 10 and 11. The Tokyo datacenter also contains the unencrypted
data tape for clients 10 and 11. The Tokyo datacenter connects to the London datacenter
through a dedicated WAN connection.

Wide Area Network (WAN) Specifies that the dedicated WAN link connects the London datacenter with the Tokyo
datacenter. The WAN provides connectivity between the root broker and authentication
broker 1 and authentication broker 2. In addition, the WAN provides connectivity between
the root broker and authentication broker 1 and GUI 2 along with media server 2. The
WAN also connects the authorization engine to media server 2. Finally, the WAN connects
the primary server with GUI 2, media server 2, and clients 10 and 11.

Primary server Specifies that the primary server, located in the London datacenter, communicates with
the root broker and authentication broker 1. It also communicates with GUI 1,
authorization engine, and media server 1. The primary server communicates with clients
4 and 5 in London. The primary server also communicates with GUI 2, media server 2,
and clients 10 and 11 in Tokyo.

Media servers Specifies that in this multi-datacenter example, there are two media servers. Media
server 1 is located in the London datacenter and media server 2 is located in the Tokyo
datacenter. In London, media server 1 communicates with the primary server, root broker
and authentication broker 1, authorization engine, and clients 4 and 5. Media server 1
writes unencrypted data to tape for clients 4 and 5.

In Tokyo, media server 2 communicates with the primary server and authorization engine
in London through the WAN. Media server 2 also communicates with GUI 2 and clients
10 and 11 in Tokyo. Media server 2 writes unencrypted data to tape for clients 10 and
11.

GUIs Specifies that in this multi-datacenter example, there are two GUIs. The GUI 1 is in
London and GUI 2 is in Tokyo. These remote administration console GUIs receive
credentials from the authentication brokers. The GUIs then use the credentials to gain
access to functionality on the media servers and primary servers. In London, GUI 1
receives a credential from authentication broker 1. GUI 1 has access to functionality on
the primary server and media servers 1 and 2. In Tokyo, GUI 2 receives a credential
from the authentication broker 2. GUI 2 has access to functionality on the primary server
and media servers 1 and 2.
 Security deployment models 85
Multi-datacenter with NBAC on primary and media servers

Table 3-8 NetBackup parts used for a multi-datacenter with NBAC on the
primary and media servers (continued)

Part Description

Root broker Specifies that in a multi-datacenter installation there is only one root broker required.
Sometimes, the root broker is combined with the authentication broker. In this example,
the root broker and authentication broker are shown as the same component and are
located in the London datacenter. In London, the root broker authenticates the
authentication broker 1 also in London and the authentication broker 2 in Tokyo. The
root broker does not authenticate clients.

Authentication brokers Specifies that there can be more than one authentication broker in a multi-datacenter
installation. Sometimes the authentication broker can be combined with the root broker.
In this datacenter installation, two authentication brokers are used. The authentication
broker authenticates the primary server, media server, and GUI by establishing
credentials with each. The authentication broker also authenticates a user who specifies
a command prompt. In London, authentication broker 1 authenticates a credential with
the primary server, media server 1, and GUI 1. All NetBackup servers and clients in
Tokyo and London authenticate to authentication broker 1 in London. GUI 1 authenticates
to authentication broker 1 in London. GUI 2 authenticates to authentication broker 2 in
Tokyo.

Authorization engine Specifies that in a multi-datacenter installation there is only one authorization engine
required. The authorization engine communicates with the primary server and media
server to determine permissions of an authenticated user. These permissions determine
the functionality available to the user. The authorization engine also stores user groups
and permissions. The authorization engine resides in London and communicates with
the primary server, and media server 1. The authorization engine also communicates
over the WAN to authorize access to media server 2 in Tokyo.
Note: The authorization engine resides on the primary server as a daemon process.
It is shown in the figure as a separate image for example only.

Tapes Specifies that unencrypted data tapes are produced in the London datacenter and in
the Tokyo datacenter. In London, the unencrypted tape is written for clients 4 and 5 and
stored on-site at the London datacenter. In Tokyo, the unencrypted tape is written for
clients 10 and 11 and stored on-site at the Tokyo datacenter.
 Security deployment models 86
Multi-datacenter with NBAC on primary and media servers

Table 3-8 NetBackup parts used for a multi-datacenter with NBAC on the
primary and media servers (continued)

Part Description

Clients Specifies that clients are located in both the London and Tokyo datacenters. In London,
client 4 is a standard NetBackup type. Client 5 is a Web server type located in the DMZ.
All client types can be managed by the primary server and have their data backed up
to tape through media server 1. Client 5 communicates to NetBackup using NetBackup
only ports through the internal firewall. Client 5 also receives connections from the
Internet using HTTP only ports through the external firewall.

In Tokyo, client 10 is a standard NetBackup type. Client 11 is a Web server type located
in the DMZ. All client types can be managed by the primary server and have their data
backed up to tape through media server 2. Client 11 communicates to NetBackup using
NetBackup only ports through the internal firewall. Client 11 also receives connections
from the Internet using HTTP only ports through the external firewall

Internal firewalls Specifies that in this multi-datacenter example there are two internal firewalls. One
internal firewall is located in London and the other is located in Tokyo. In London, the
internal firewall lets NetBackup access Web server client 5 in the DMZ. In Tokyo, the
internal firewall lets NetBackup access Web server client 11 in the DMZ. Only selected
NetBackup ports and possibly other application ports are enabled for data communication
through the internal firewall and into and out of the DMZ. HTTP ports that are open in
the external firewall are not allowed to pass through the internal firewall.

Demilitarized Zones (DMZs) Specifies that in this multi-datacenter example there are two DMZs. One DMZ is located
in London and the other is located in Tokyo. In London, the DMZ provides a "safe" area
of operation for the Web server client 5 that exists between the internal firewall and
external firewall. The Web server client 5 and client side encrypted client 6 in the DMZ
can communicate to NetBackup through the internal firewall using designated NetBackup
ports. The Web server client 5 can also communicate through the external firewall to
the Internet using only HTTP ports.

In Tokyo, the DMZ provides a "safe" area of operation for the Web server client 11 that
exists between the internal firewall and external firewall. The Web server client 11 in
the DMZ can communicate to NetBackup through the internal firewall using designated
NetBackup ports. The Web server client 11 can also communicate through the external
firewall to the Internet using only HTTP ports.
 Security deployment models 87
Multi-datacenter with NBAC complete

Table 3-8 NetBackup parts used for a multi-datacenter with NBAC on the
primary and media servers (continued)

Part Description

External firewalls Specifies that in this multi-datacenter example there are two external firewalls. One
external firewall is located in London and the other is located in Tokyo. In London, the
external firewall lets external users access the Web server client 5 located in the DMZ
from the Internet over HTTP ports. NetBackup ports are open for Web server client 5
to communicate through the internal firewall to NetBackup. The NetBackup ports are
not allowed to pass through the external firewall to the Internet. Only the HTTP ports of
Web server client 5 can pass through the external firewall to the Internet.

In Tokyo, the external firewall lets external users access the Web server client 11 located
in the DMZ from the Internet over HTTP ports. NetBackup ports are open for Web server
client 11 to communicate through the internal firewall to NetBackup. The NetBackup
ports are not allowed to pass through the external firewall to the Internet. Only the HTTP
ports of Web server client 11 can pass through the external firewall to the Internet.

Internet Specifies that there is only one Internet but two Internet connections in this
multi-datacenter example. One Internet connection is located in London and the other
is located in Tokyo. The Internet is a collection of interconnected computer networks,
tha are linked by copper wires, fiber-optic cables and wireless connections. In London,
the Web server client 5 can communicate over the Internet using HTTP ports through
the external firewall. In Tokyo, the Web server client 11 can communicate over the
Internet using HTTP ports through the external firewall.

Multi-datacenter with NBAC complete

The multi-datacenter with NBAC complete example is defined as a medium to large
group of hosts (greater than 50) that span two or more geographic regions and can
be connected by a Wide Area Network (WAN). In this example, one datacenter is
in London and the other datacenter is in Tokyo. Both datacenters are connected
through a dedicated WAN connection.
This environment is very similar to the multi-datacenter with NBAC primary and
media server. The main differences are that all hosts participating in the NetBackup
environment are reliably identified using credentials and non-root administrators
can manage the NetBackup clients based on configurable levels of access. Note
that user identities may exist in global repositories such as Active Directory in
Windows or NIS in UNIX. Identities can also exist in local repositories (UNIX passwd,
local Windows domain) on those hosts supporting an authentication broker.
The multi-datacenter with NBAC complete includes the following highlights:
■ NetBackup spans two or more geographic regions through a WAN
 Security deployment models 88
Multi-datacenter with NBAC complete

■ Similar to highlights for multi-datacenter with NBAC primary and media server
except for root or administrator on client. The non-root administration of clients
and servers is permitted in this configuration.
■ On client systems, non-root / administrator users can be configured to perform
local backup and restores (setup by default)
■ The environment facilitates trusted identification of all hosts participating in
NetBackup
■ Requires all hosts to be at NetBackup version 7.7 or later.
The following table describes the NetBackup parts that are used for a
multi-datacenter with NBAC complete implemented.

Table 3-9 NetBackup parts used for a multi-datacenter with NBAC complete
implemented

Part Description

London datacenter Specifies that the London datacenter contains the root broker, authentication broker 1,
GUI 1, authorization engine, primary server, media server 1, and clients 1 and 5. The
London datacenter also contains the unencrypted data tape for clients 1, 5, and 10. The
London datacenter connects to the Tokyo datacenter through a dedicated WAN connection.

Tokyo datacenter Specifies that the Tokyo datacenter contains the authentication broker 2, GUI 2, media
server 2, and clients 10 and 11. The Tokyo datacenter also contains the unencrypted data
tape for clients 10 and 11. The Tokyo datacenter connects to the London datacenter
through a dedicated WAN connection.

Wide Area Network Specifies that the dedicated WAN link connects the London datacenter with the Tokyo
(WAN) datacenter. The WAN provides connectivity between the root broker and authentication
broker 1 and authentication broker 2. In addition, the WAN provides connectivity between
the root broker and authentication broker 1 and GUI 2 along with media server 2. The WAN
connects the authorization engine to media server 2. The WAN connects the primary server
to GUI 2, media server 2, and clients 10 and 11. Finally the WAN connects media server
1 to client 10.

Primary server Specifies that the primary server, located in the London datacenter, communicates with
the root broker and authentication broker 1. It also communicates with GUI 1, authorization
engine, and media server 1. The primary server further communicates with GUI 2 and
media server 2, and clients 10 and 11 in Tokyo.
 Security deployment models 89
Multi-datacenter with NBAC complete

Table 3-9 NetBackup parts used for a multi-datacenter with NBAC complete
implemented (continued)

Part Description

Media servers Specifies that in this multi-datacenter example there are two media servers. Media server
1 is located in the London datacenter and media server 2 is located in the Tokyo datacenter.
In London, media server 1 communicates with the primary server, root broker and
authentication broker 1, authorization engine, and clients 1, 5, and 10. Media server 1
writes unencrypted data to tape for clients 1, 5, and 10.

In Tokyo, media server 2 communicates with the primary server, root broker, and
authentication broker 1 and authorization engine in London through the WAN. Media server
2 also communicates with GUI 2, and clients 10 and 11 in Tokyo. Media server 2 writes
unencrypted data to tape for clients 10 and 11.

GUIs Specifies that in this multi-datacenter example, there are two GUIs. GUI 1 is in London
and GUI 2 is in Tokyo. These remote administration console GUIs receive credentials from
the authentication brokers. The GUIs then use the credentials to gain access to functionality
on the media servers and primary servers. In London, GUI 1 receives a credential from
authentication broker 1. GUI 1 has access to functionality on the primary server and media
servers 1 and 2. In Tokyo, GUI 2 receives a credential from the authentication broker 2.
GUI 2 has access to functionality on the primary server and media servers 1 and 2.

Root broker Specifies that there is only one root broker required in a multi-datacenter installation.
Sometimes the root broker is combined with the authentication broker. In this example the
root broker and authentication broker are shown as the same component and are located
in the London datacenter. In London, the root broker authenticates the authentication
broker 1, also in London, and authentication broker 2 in Tokyo. The root broker does not
authenticate clients.

Authentication brokers Specifies that there can be more than one authentication broker in a datacenter installation.
Sometimes the authentication broker can be combined with the root broker. In this
datacenter installation, there are two authentication brokers. The authentication broker
authenticates the primary server, media server, GUI, and clients by establishing credentials
with each. The authentication broker also authenticates a user through a command prompt.
In London, authentication broker 1 authenticates a credential with the primary server,
media server 1, GUI 1, and clients 1 and 5. All NetBackup servers and clients in Tokyo
and London authenticate to authentication broker 1 in London. GUI 1 authenticates to
authentication broker 1 in London. GUI 2 authenticates to authentication broker 2 in Tokyo.
 Security deployment models 90
Multi-datacenter with NBAC complete

Table 3-9 NetBackup parts used for a multi-datacenter with NBAC complete
implemented (continued)

Part Description

Authorization engine Specifies that there is only one authorization engine required in a datacenter installation.
The authorization engine communicates with the primary server and media server to
determine permissions of an authenticated user. These permissions determine the
functionality available to the user. The authorization engine also stores user groups and
permissions. The authorization engine resides in London and communicates with the
primary server, and media server 1. The authorization engine also communicates over the
WAN to authorize access to media server 2 in Tokyo.
Note: The authorization engine resides on the primary server as a daemon process. It is
shown in the figure as a separate image for example only.

Tapes Specifies that the unencrypted data tapes are produced in both the London and Tokyo
datacenters. In London, the unencrypted tape is written for clients 1, 5 and 10 and stored
on-site at the London datacenter. In Tokyo, the unencrypted tape is written for clients 10
and 11 and stored on-site at the Tokyo datacenter. Note that even though client 10 is
located in Tokyo and is backed up in Tokyo, client 10 is also backed up in London.

Clients Specifies that the clients are located in both the London and Tokyo datacenters. In London,
client 1 is a standard NetBackup type. Client 5 is a Web server type located in the DMZ.
All client types can be managed by the primary server and have their data backed up to
tape through media server 1. Client 5 communicates to NetBackup using NetBackup only
ports through the internal firewall. Client 5 also receives connections from the Internet
using HTTP only ports through the external firewall.

In Tokyo, client 10 is a standard NetBackup type. Client 11 is a Web server type located
in the DMZ. All client types can be managed by the primary server and have their data
backed up to tape through media server 2. Client 11 communicates to NetBackup using
NetBackup only ports through the internal firewall. Client 11 also receives connections
from the Internet using HTTP only ports through the external firewall

Internal firewalls Specifies that there can be two internal firewalls in this multi-datacenter example. One
internal firewall is located in London and the other is located in Tokyo. In London, the
internal firewall lets NetBackup access Web server client 5 in the DMZ. In Tokyo, the
internal firewall lets NetBackup access Web server client 11 in the DMZ. Only selected
NetBackup ports and possibly other application ports are enabled for data communication
through the internal firewall and into and out of the DMZ. HTTP ports that are open in the
external firewall are not allowed to pass through the internal firewall.
 Security deployment models 91
Multi-datacenter with NBAC complete

Table 3-9 NetBackup parts used for a multi-datacenter with NBAC complete
implemented (continued)

Part Description

Demilitarized Zones Specifies that there can be two DMZs in this multi-datacenter example. One DMZ is located
(DMZs) in London and the other is located in Tokyo. In London, the DMZ provides a "safe" area
of operation for the Web server client 5 that exists between the internal firewall and external
firewall. The Web server client 5 in the DMZ can communicate to NetBackup through the
internal firewall using designated NetBackup ports. The Web server client 5 can also
communicate through the external firewall to the Internet using only HTTP ports.

In Tokyo, the DMZ provides a "safe" area of operation for the Web server client 11 that
exists between the internal firewall and external firewall. The Web server client 11 in the
DMZ can communicate to NetBackup through the internal firewall using designated
NetBackup ports. The Web server client 11 can also communicate through the external
firewall to the Internet using only HTTP ports.

External firewalls Specifies that there can be two external firewalls in this multi-datacenter example. One
external firewall is located in London and the other is located in Tokyo. In London, the
external firewall lets external users access the Web server client 5 located in the DMZ
from the Internet over HTTP ports. NetBackup ports are open for Web server client 5 to
communicate through the internal firewall to NetBackup. The NetBackup ports are not
allowed to pass through the external firewall to the Internet. Only the HTTP ports of Web
server client 5 can pass through the external firewall to the Internet.

In Tokyo, the external firewall lets external users access the Web server client 11 located
in the DMZ from the Internet over HTTP ports. NetBackup ports are open for Web server
client 11 to communicate through the internal firewall to NetBackup. The NetBackup ports
are not allowed to pass through the external firewall to the Internet. Only the HTTP ports
of Web server client 11 can pass through the external firewall to the Internet.

Internet Specifies that there can be only one Internet but there are two Internet connections in this
multi-datacenter example. One Internet connection is located in London and the other is
located in Tokyo. The Internet is a collection of interconnected computer networks that are
linked by copper wires, fiber-optic cables and wireless connections. In London, the Web
server client 5 can communicate over the Internet using HTTP ports through the external
firewall. In Tokyo, the Web server client 11 can communicate over the Internet using HTTP
ports through the external firewall.
 Chapter 4
Auditing NetBackup
operations
This chapter includes the following topics:

■ About NetBackup auditing

■ Viewing the current audit settings

■ About audit events

■ Audit retention period and catalog backups of audit records

■ Viewing the detailed NetBackup audit report

■ User identity in the audit report

■ Disabling auditing

■ Audit alert notification for audit failures (NetBackup Administration Console)

■ Send audit events to system logs

■ SYSLOG_AUDIT_USE_OCSF_FORMAT for NetBackup primary server

About NetBackup auditing

Auditing is enabled by default in new installations. NetBackup auditing can be
configured directly on a NetBackup primary server.
Auditing of NetBackup operations provides the following benefits:
■ Customers can gain insight from audit trails while they investigate unexpected
changes in a NetBackup environment.
■ Regulatory compliance.
 Auditing NetBackup operations 93
About NetBackup auditing

The record complies with guidelines such as those required by the

Sarbanes-Oxley Act (SOX).
■ A method for customers to adhere to internal change management policies.
■ Help for NetBackup Support in troubleshooting problems for customers.

About the NetBackup Audit Manager

The NetBackup Audit Manager (nbaudit) runs on the primary server and audit
records are maintained in the Enterprise Media Manager (EMM) database.
An administrator can search specifically for:
■ When an action occurred
■ Failed actions in certain situations
■ The actions that a specific user performed
■ The actions that were performed in a specific content area
■ Changes to the audit configuration
Note the following:
■ The audit record truncates any entries greater than 4096 characters. (For
example, policy name.)
■ The audit record truncates any restore image IDs greater than 1024 characters.

Actions that NetBackup audits

NetBackup records the following user-initiated actions.

Activity monitor actions Canceling, suspending, resuming, restarting, or deleting any type of job
creates an audit record.

Alerts and email notifications If an alert cannot be generated or an email notification cannot be sent for
NetBackup configuration settings. For example, SMTP server configuration
and the list of excluded status codes for alerts.

Anomalies When a user reports an anomaly as false positive, the action is audited and
logged for that user.

Malware detection When malware scan is triggered, malware scan status and malware scan
configuration actions are audited.

Asset actions Deleting an asset, such as a vCenter server, as part of the asset cleanup
process is audited and logged.

Creating, modifying, or deleting an asset group as well any action on an

asset group for which a user is not authorized is audited and logged.
 Auditing NetBackup operations 94
About NetBackup auditing

Authorization failure Authorization failure is audited when you use the NetBackup web UI, or the
NetBackup APIs.

Catalog information This information includes:

■ Verifying and expiring images.

■ Read the requests that are sent for the front-end usage data.

Certificate management Creating, revoking, renewing, and deploying of NetBackup certificates and
specific NetBackup certificate failures.

Certificate Verification Failures (CVFs) Any failed connection attempts that involve SSL handshake errors, revoked
certificates, or host name validation failures.

For certificate verification failures (CVFs) that involve SSL handshakes and
revoked certificates, the timestamp indicates when the audit record is posted
to the primary server. (Rather than when an individual certificate verification
fails.) A CVF audit record represents a group of CVF events over a time
period. The record details provide the start and the end times of the time
period as well as the total number of CVFs that occurred in that period.

Disk pools and Volume pools actions Adding, deleting, or updating disk or volume pools.

Hold operations Creating, modifying, and deleting hold operations.

Host database NetBackup operations that are related to the host database.

IRE configuration and states Adding, updating, and deleting IRE allowed subnets or schedule. IRE external
network is opened or closed by IRE schedule or by an administrator.

Logon attempts Any successful or any failed logon attempts for the NetBackup web UI or
the NetBackup APIs.

Policies actions Adding, deleting, or updating policy attributes, clients, schedules, and backup
selections lists.

Restore and browse image user actions All the restore and browse image content (bplist) operations that a user
performs are audited with the user identity.

To set an interval to periodically add audit records of the browse image

(bplist) operations from the cache into the NetBackup database, use the
DATAACCESS_AUDIT_INTERVAL_HOURS configuration option. Setting this
configuration option prevents the NetBackup database size from increasing
exponentially because of the bplist audit records.

See the NetBackup Administrator's Guide Volume I.

To add all the bplist audit records from the cache into the NetBackup
database, run the following command on the primary server:

nbcertcmd -postAudit -dataAccess

 Auditing NetBackup operations 95
About NetBackup auditing

Security configuration Information that is related to changes that are made to the security
configuration settings.

Starting a restore job NetBackup does not audit when other types of jobs begin. For example,
NetBackup does not audit when a backup job begins.

Starting and stopping the NetBackup Starting and stopping of the nbaudit manager is always audited, even if
Audit Manager (nbaudit). auditing is disabled.

Storage lifecycle policy actions Attempts to create, modify, or delete a storage lifecycle policy (SLP) are
audited and logged. However, activating and suspending an SLP using the
command nbstlutil are not audited. These operations are audited only
when they are initiated from a NetBackup graphical user interface or API.

Storage servers actions Adding, deleting, or updating storage servers.

Storage units actions Adding, deleting, or updating storage units.

Note: Actions that are related to storage lifecycle policies are not audited.

Token management Creating, deleting, and cleanup of tokens and specific token issuing failures.

User action that fails to create an audit If auditing is enabled but a user action fails to create an audit record, the
record audit failure is captured in the nbaudit log. NetBackup status code 108 is
returned (Action succeeded but auditing failed). The NetBackup
does not return an exit status code 108 when auditing fails.

Actions that NetBackup does not audit

The following actions are not audited and do not display in the audit report:

Any failed actions. NetBackup logs failed actions in NetBackup error logs. Failed actions do not
display in audit reports because a failed attempt does not bring about a
change in the NetBackup system state.

The effect of a configuration change The results of a change to the NetBackup configuration are not audited. For
example, the creation of a policy is audited, but the jobs that result from its
creation are not.

The completion status of a manually While the act of initiating a restore job is audited, the completion status of
initiated restore job the job is not audited. Nor is the completion status of any other job type,
whether initiated manually or not. The completion status is displayed in the
Activity Monitor.

Internally initiated actions NetBackup-initiated internal actions are not audited. For example, the
scheduled deletion of expired images, scheduled backups, or periodic image
database cleanup is not audited.
 Auditing NetBackup operations 96
Viewing the current audit settings

Rollback operations Some operations are carried out as multiple steps. For example, creating
an MSDP-based storage server consists of multiple steps. Every successful
step is audited. Failure in any of the steps results in a rollback, or rather, the
successful steps may need to be undone. The audit record does not contain
details about rollback operations.

Host properties actions Changes made with the bpsetconfig or the nbsetconfig commands,
or the equivalent property in host properties, are not audited. Changes that
are made directly to the bp.conf file or to the registry are not audited.

Viewing the current audit settings

To view the current audit configuration, use the nbseccmd command on the
NetBackup primary server.
Alternatively, sign-in to the NetBackup web UI, go to Global Security settings >
Security Controls > Configure audit retention period, and view the audit retention
period.
To view the current audit settings
1 Log on to the primary server.
2 Open the following directory:
Windows: install_path\NetBackup\bin\admincmd\nbauditreport
Linux: /usr/openv/netbackup/bin/admincmd
3 Run the following command:
nbseccmd -getsecurityconfig -auditretentionperiod

4 The following configuration setting is listed:

Audit Retention Period: 90

About audit events

Events that are specific to the following security parameters are audited:
■ Certificate
■ Connection
■ Host
■ Login
■ Security Configuration
 Auditing NetBackup operations 97
About audit events

■ Token
See “Viewing the detailed NetBackup audit report” on page 99.

Viewing audit events

The Audit Events tab displays NetBackup events according to the audit categories
that you select with the filter. NetBackup records a number of events that occur
while you work with the product. For example, a security certificate is issued to a
host, an authorization token is deleted, connection between hosts is established
and so on.
To view status of audit events
1 Open the NetBackup web UI.
2 On the left, click Security > Security events.
3 Click the Audit events tab.
4 Click the filter icon to select the audit event categories that you want to view.
5 The following information is displayed.

Event A brief description for the audit event that took place.

User The user name and details related to the audit event.

Description Full description of the audit event that took place.

Reason The reason for the audit event, if provided by the user.

6 To see the details for an audit event, click on the name of the event.

Note: If you see audit records in the Connection category, make sure to review
the record details. For certain records in this category, the Date field that is displayed
in the details indicates when the audit record was posted to the primary server. It
does not necessarily indicate when an individual event occurred. This type of audit
record (for example, a certificate verification failure (CVF) record) represents a
group of events that have occurred over a time period. The audit record details
provide the Beginning Event Time and Ending Event Time of the time period as
well as the Event Count (the total number of events that occurred in that time
period).
 Auditing NetBackup operations 98
Audit retention period and catalog backups of audit records

Troubleshooting auditing issues related to the Access History tab

In the NetBackup web UI, open Security > Security events. Click the Access
History tab. NetBackup displays the details about the login activities that the current
user has performed.
If you observe that the required audit records are not being displayed on the Access
History tab, ensure that the bprd service is running on the primary server.

Audit retention period and catalog backups of

audit records
The audit records are kept as part of the NetBackup database, for as long as the
retention period indicates. The records are backed up as part of the NetBackup
catalog backup. The NetBackup Audit Service (nbaudit) deletes expired audit
records once every 24 hours at 12:00 A.M. (local time).
If no audit retention period is indicated, audit records are retained for 90 days, which
is a default value. Set the audit retention period to 0 (zero) if you do not want to
delete the audit records.
To configure the audit retention period
1 Log on to the primary server.
2 Run the following command:
bpnbat -login

3 Open the following directory:

Windows: install_path\NetBackup\bin\admincmd
UNIX: /usr/openv/netbackup/bin/admincmd
 Auditing NetBackup operations 99
Viewing the detailed NetBackup audit report

4 Enter the following command:

nbseccmd -setsecurityconfig -auditretentionperiod number_of_days

The audit report is retained for the value that is specified for the
number_of_days option.
In the following example, the records of user actions are retained for 30 days
and then deleted.
nbseccmd -setsecurityconfig -auditretentionperiod 30

To ensure that audit records are backed up during catalog backups, configure
the catalog backup frequency to be less frequent or equal to the value that you
specify for -auditretentionperiod.
5 To check the current audit retention period, run the following command:
nbseccmd -getsecurityconfig -auditretentionperiod

Viewing the detailed NetBackup audit report

You can view the actions NetBackup audits from a primary server using the
NetBackup web UI. You can see full audit event details with the nbauditreport
command.
To view the full audit report
1 Log on to the primary server.
2 Enter the following command to display the audit report in the summary format.
Windows: install_path\NetBackup\bin\admincmd\nbauditreport
UNIX: /usr/openv/netbackup/bin/admincmd\nbauditreport

Or, run the command with the following options.

-sdate The start date and time of the report data you want
to view.
<"MM/DD/YY
[HH:[MM[:SS]]]">

-edate The end date and time of the report data you want
to view.
<"MM/DD/YY
[HH:[MM[:SS]]]">
 Auditing NetBackup operations 100
Viewing the detailed NetBackup audit report

-ctgy category The category of user action that was performed.

Categories such as POLICY may contain several
sub-categories such as schedules or backup
selections. Any modifications to a sub-category
are listed as a modification to the primary category.

See the NetBackup Commands Guide for -ctgy

options.

-user Use to indicate the name of the user for whom

you'd like to display audit information.
<username[:domainname]>

-fmt DETAIL The -fmt DETAIL option displays a

comprehensive list of audit information. For
example, when a policy is changed, this view lists
the name of the attribute, the old value, and the
new value. This option has the following
sub-options:

■ [-notruncate] . Display the old and new

values of a changed attribute on separate lines
in the details section of the report.
■ [-pagewidth <NNN>] . Set the page width
for the details section of the report.

-fmt PARSABLE The -fmt PARSABLE option displays the same

set of information as the DETAIL report but in a
parsable format. The report uses the pipe character
(|) as the parsing token between the audit report
data. This option has the following sub-options:

■ [-order <DTU|DUT|TDU|TUD|UDT|UTD>].
Indicate the order in which the information
appears.
D (Description)
T (Timestamp)
U (User)
 Auditing NetBackup operations 101
User identity in the audit report

3 The audit report contains the following details:

DESCRIPTION The details of the action that was performed.

USER The identity of the user who performed the action.

See “User identity in the audit report” on page 101.

TIMESTAMP The time that the action was performed.

The following information only displays if you use the -fmt DETAIL or the -fmt
PARSABLE options.

CATEGORY The category of user action that was performed.

ACTION The action that was performed.

REASON The reason that the action was performed. A reason displays if a
reason was specified for the operation that created the change.

DETAILS An account of all of the changes, listing the old values and the
new values.

Example of the audit report:

[root@server1 admincmd]# ./nbauditreport

TIMESTAMP USER
04/20/2018 11:52:43 root@server1
04/20/2018 11:52:42 root@server1
04/20/2018 11:52:41 root@server1
04/20/2018 11:52:08 root@server1
04/20/2018 11:17:00 root@server1
DESCRIPTION
Policy 'test_pol_1'
Schedule 'full' was
Policy 'test_pol_1'
Policy 'test_pol_1'
Audit setting(s) of
was saved but no changes were detected
added to Policy 'test_pol_1'
was saved but no changes were detected
was created
master server 'server1' were modified

Audit records fetched: 5

User identity in the audit report

The audit report indicates the identity of the user who performed a specific action.
The full identity of the user includes the user name and the domain or the host
name that is associated with the authenticated user. A user’s identity appears in
the audit report as follows:
 Auditing NetBackup operations 102
Disabling auditing

■ Audit events always include the full user identity. Root users and administrators
are logged as “root@hostname” or “administrator@hostname”.
■ In NetBackup 8.1.2 and later, image browse and image restore events always
include the user ID in the audit event. NetBackup 8.1.1 and earlier log these
events as “root@hostname” or “administrator@hostname”.
■ The order of the elements for the user principal is
"domain:username:domainType:providerId". The domain value does not
apply for Linux computers. For that platform, the user principal is
:username:domainType:providerId.

■ For any operations that do not require credentials or require the user to sign in,
operations are logged without a user identity.

Disabling auditing
NetBackup auditing is enabled by default. To disable auditing, see the following:
To disable auditing
1 Log on to the primary server.
2 Open the following directory:
Windows: install_path\NetBackup\bin\admincmd
UNIX: /usr/openv/netbackup/bin/admincmd
3 Enter the following command:

nbemmcmd -changesetting -AUDIT DISABLED -machinename primaryserver

In the following example, auditing has been turned off for server1.

nbemmcmd -changesetting -AUDIT DISABLED -machinename server1

Audit alert notification for audit failures

(NetBackup Administration Console)
Use the alert notification option to choose if you want to be notified when an auditable
action fails to create an audit record. This option is located in the status bar of the
NetBackup Administration Console.
 Auditing NetBackup operations 103
Send audit events to system logs

Table 4-1 Audit alert notification options

Turn on A pop-up message appears to alert the administrator about the

failure.

Blink The icon blinks in the event of an auditing failure. Click the icon
to display the failure message.

Turn off An auditing failure does not display a notification. The icon appears
gray.

Send audit events to system logs

You can send NetBackup audit events to system logs. You must have the NetBackup
Security Administrator role or similar RBAC permissions to perform this task.
By default, NetBackup sends the audit events to system logs in native format. You
can now export audit events with the Open Cybersecurity Schema Framework
(OCSF) format to Security Information and Event Management (SIEM) platforms.
See this article for more information.
Use the SYSLOG_AUDIT_USE_OCSF_FORMAT configuration option to send the
NetBackup audit events to system logs in the OCSF format.
See “SYSLOG_AUDIT_USE_OCSF_FORMAT for NetBackup primary server”
on page 104.
To send audit events to system logs
1 Open the NetBackup web UI.
2 On the left, select Security > Security events.
3 On the top right, click Security event settings.
4 Enable the Send the audit events to the system logs option.
 Auditing NetBackup operations 104
SYSLOG_AUDIT_USE_OCSF_FORMAT for NetBackup primary server

5 Select Select audit event categories. Then select the audit categories for
which you want to send the audit events to the system logs.
To send audit events for all audit categories to the system logs, select the
Audit event categories check box.
6 Select Save.
You can view NetBackup audit events in the system logs. For example:
On a Windows system, use Windows Event Viewer to view NetBackup audit
events.
On a Linux system, you can view the system logs on the configured location.

SYSLOG_AUDIT_USE_OCSF_FORMAT for
NetBackup primary server
By default, NetBackup sends the audit events to system logs in native format.
Use the SYSLOG_AUDIT_USE_OCSF_FORMAT option to send the NetBackup audit
events to system logs in the Open Cybersecurity Schema Framework (OCSF)
format.
You can view NetBackup audit events in the system logs. For example, on a
Windows system, use Windows Event Manager to view NetBackup audit events.

Table 4-2 SYSLOG_AUDIT_USE_OCSF_FORMAT

Usage Description

Where to use On NetBackup primary servers.

How to use Use the nbgetconfig and the nbsetconfig commands

to view, add, or change the option.

For information about these commands, see the NetBackup

Commands Reference Guide.

Use the following format:

SYSLOG_AUDIT_USE_OCSF_FORMAT = TRUE

Equivalent NetBackup web No equivalent property on the web UI

UI property
 Section 1
Identity and access
management

■ Chapter 5. About identity and access management

■ Chapter 6. AD and LDAP domains

■ Chapter 7. Access keys

■ Chapter 8. API keys

■ Chapter 9. Auth.conf file

■ Chapter 10. Role-based access control

■ Chapter 11. NetBackup interface access for OS Administrators

■ Chapter 12. Smart card or digital certificate

■ Chapter 13. Single Sign-On (SSO)

■ Chapter 14. NetBackup Access Control Security (NBAC)

 Chapter 5
About identity and access
management
This chapter includes the following topics:

■ About access control in NetBackup

About access control in NetBackup

NetBackup provides the following types of access control:
■ Role Based Access Control (RBAC) in the NetBackup web UI
Beginning with the NetBackup 8.1.2 release, the NetBackup web user interface
provides role-based access control for the settings and workloads in NetBackup.
Refer to the NetBackup Web UI Administrator's Guide for more information.
■ Application access in the NetBackup Administration Console (default)
NetBackup administrators can control who can view the various applications in
NetBackup. Root users and administrators have full access to the NetBackup
Administration Console. A non-root or non-administrator user can access the
Backup, Archive, and Restore application. This user can also access additional
applications, as defined for that user in the auth.conf file.
Access control is view-based, not role-based. The administrator can control the
applications that a user can view and manage, but cannot control which tasks
a user can perform based on their role in the organization. Access control is
limited to the NetBackup Administration Console. (Interfaces like the Backup,
Archive, and Restore client and the NetBackup MS SQL Client are not affected.)
For detailed information about access control with the NetBackup
Administration Console, refer to the NetBackup Administrator's Guide, Volume
I.
■ NetBackup Access Control (NBAC)
 About identity and access management 107
About access control in NetBackup

NBAC is the original role-based access control provided with NetBackup for the
NetBackup Administration Console and the CLIs. It is recommended that
you use one of the other methods of access control to manage your NetBackup
environment.

Access control methods for NetBackup Administration

Console and the CLIs
Refer to the following table for key differences between the access control methods
available for the NetBackup Administration Console and CLIs. (The RBAC feature
in the NetBackup web UI only provides access control for the web UI and for the
NetBackup APIs.) For information on NBAC, refer to the NetBackup documentation
for 8.1.2 and earlier releases.

Table 5-1
Access and auditing NetBackup Admin Console and auth.conf

Who can use the NetBackup Administration
Console?
Root users and administrators have full access to the Admin Console.
Non-root users or non-administrators are limited to the Backup,
Archive, and Restore application by default. Otherwise, these users
can access the applications that are defined for them in the
auth.conf file.

Who can use the CLI? Root users and administrators have full access to the CLI.

How is a user audited? As root or administrator

Refer to the following flowcharts for details about the access control methods for
the NetBackup Administration Console and the CLIs.
 Chapter 6
AD and LDAP domains
This chapter includes the following topics:

■ Adding AD or LDAP domains in NetBackup

■ Troubleshooting AD or LDAP domain configuration issues

■ Certificate authorities trusted by the NetBackup Authentication Service

Adding AD or LDAP domains in NetBackup

NetBackup supports Active Directory (AD) or Lightweight Directory Access Protocol
(LDAP) domain users.
If an AD domain or an LDAP domain is added in NetBackup, the respective domain
users can logon to a NetBackup primary server and Security Administrator can
assign role-based access control (RBAC) roles to these domain users.
See “RBAC features” on page 132.
The following procedure describes how to add an existing AD or LDAP domain in
NetBackup and authenticate the domain users to access NetBackup.
 AD and LDAP domains 109
Adding AD or LDAP domains in NetBackup

To add an AD domain or an LDAP domain in NetBackup

1 Run the following command to add an AD domain or an LDAP domain in the
NetBackup primary server:

vssat addldapdomain -d DomainName -s server_URL -u user_base_DN

-g group_base_DN [-f trusted_CA_file_name] [-tp TLS_protocol_version_to_be_disabled]
[-cs cipher_suite_list] [-t rfc2307 | msad | {-c user_object_class -a user_attribute
-q user_GID_attribute -un user_display_name_attribute -ui user_ID_attribute[:value_type]
-ud user_description_attribute -x group_object_class -y group_attribute
-z group_GID_attribute -gn group_display_name_attribute -gi group_ID_attribute[:value_type]
-gd group_description_attribute [-k DN | UID]]} [-b FLAT | BOB] -m admin_user_DN
[-w admin_user_password] [-p SUB | ONE | BASE] [-F]

Note: Ensure that the user name that is specified in the -m option has the
required rights to query the AD or the LDAP server.
In case of LDAPS, if the Authentication Service (nbatd) does not trust the
certificate authority (CA) that has signed the server's certificate, use the -f
option to add the CA certificate in the nbatd trust store.
See “Certificate authorities trusted by the NetBackup Authentication Service”
on page 119.

For more information about the vssat command, see the NetBackup
Commands Reference Guide.
Contact your AD administrator for the correct values for these command-line
options. The values may vary based on how your AD is setup.
An example to add an AD domain:

vssat addldapdomain -d domain1 -s ldap://domain1.veritas.com -u

"CN=Users,DC=domain1,DC=veritas,DC=com" -g "CN=Users,DC=domain1,DC=veritas,DC=com" -t msad -m
"CN=user1,CN=Users,DC=domain1,DC=veritas,DC=com" -b BOB
 AD and LDAP domains 110
Troubleshooting AD or LDAP domain configuration issues

2 Run the vssat validateprpl command on the primary server to verify whether
the specified AD or LDAP domain is successfully added or not.
validateprpl -p username -d ldap:domain_name -b
localhost:1556:nbatd

An example to validate an AD or LDAP domain:

vssat validateprpl -p user1 -d ldap:domain1 -b localhost:1556:nbatd

The domain name must match the one that is used in the addldapdomain
command option.
For more information about the vssat command, see the NetBackup
Commands Reference Guide.
If the AD or LDAP domain is added and the vssat validateprpl or vssat
validategroup command fails, you need to carry out certain troubleshooting
steps to resolve the issue.
See “Troubleshooting AD or LDAP domain configuration issues ” on page 110.

Reconfigure the AD/LDAP domain for the nbatd

containerized service
This procedure is applicable only for the AD/LDAP domain user. The local OS user
and PAM authentication type are not supported.
Starting with NetBackup 10.5, in Cloud Scale deployment, the nbatd containerized
service runs on a separate Kubernetes Pod cluster server instead of the primary
server Kubernetes Pod. Therefore, the existing AD/LDAP domain configuration on
the primary server Kubernetes Pod does not work. You must reconfigure the
AD/LDAP domain.
To reconfigure the AD/LDAP domain
1 Delete the existing AD/LDAP domain from the nbatd Kubernetes Pod.
2 Add AD/LDAP domains in NetBackup.
See “Adding AD or LDAP domains in NetBackup” on page 108.

Troubleshooting AD or LDAP domain

configuration issues
After you added an AD or LDAP domain configuration, verify the configuration using
the vssat validateprpl and vssat validategroup commands. The commands
validate the existing AD / LDAP user and group respectively.
 AD and LDAP domains 111
Troubleshooting AD or LDAP domain configuration issues

A successful execution of the vssat validateprpl and the vssat validategroup

commands implies that the associated AD or LDAP domain is successfully added.
For information about these commands, see the NetBackup Commands Reference
Guide.
If the commands fail, the following error message is displayed:
The principal or group does not exist.

Validation of AD or LDAP domain can fail because of any of the following reasons:
■ Connection cannot be established with the AD or LDAP server
■ Invalid user credentials
■ Invalid user base DN or group base DN
■ Multiple users or groups exist with the same name under the user base DN or
the group base DN
■ User or group does not exist
 AD and LDAP domains 112
Troubleshooting AD or LDAP domain configuration issues

Connection cannot be established with the AD or LDAP

server
To troubleshoot the issue
1 Check if the nbatd logs contain the following error:
(authldap.cpp) CAuthLDAP::validatePrpl - ldap_simple_bind_s()
failed for user 'CN=Test User,OU=VTRSUsers,DC=VRTS,DC=com', error
= -1, errmsg = Can’t contact LDAP server,9:debugmsgs,1
 AD and LDAP domains 113
Troubleshooting AD or LDAP domain configuration issues

2 Check if any of the following scenarios is true and carry out the steps provided
for that scenario.

The LDAP server URL (-s Run the following command to validate:
option) that is provided with
ldapsearch -H <LDAP_URI> -D "<admin_user_DN>" -w <passwd> -d
the vssat addldapdomain
<debug_level> -o nettimeout=<seconds>
may be wrong
Example:

ldapsearch -H ldaps://example.veritas.com:389 -D "CN=Test

User,OU=VRTSUsers,DC=VRTS,DC=com" -w ******** -d 5 -o
nettimeout=60

TLS: can't connect: TLS error -8179:Peer's Certificate issuer

is not recognized. ldap_sasl_bind(SIMPLE): Can't contact LDAP
server (-1)

The server certificate issuer This is applicable if the ldaps option is used and can be validated using the
is not a trusted CA ldapsearch command:

set env var LDAPTLS_CACERT to cacert.pem

ldapsearch -H <LDAPS_URI> -D "<admin_user_DN>" -w <passwd> -d

<debug_level> -o nettimeout=<seconds>

File path for cacert.pem:

On Windows:

<Install_path>\NetBackup\var\global\vxss\eab\data\systemprofile\certstore\trusted\pluggins\ldap\cacert.pem

On Unix:
/usr/openv/var/global/vxss/eab/data/root/.VRTSat/profile/certstore/trusted/pluggins/ldap/cacert.pem

Example:

ldapsearch -H ldaps://example.veritas.com:389 -D "CN=Test

User,OU=VRTSUsers,DC=VRTS,DC=com" -w ******** -d 5 -o
nettimeout=60

TLS: can't connect: TLS error -8179:Peer's Certificate issuer

is not recognized.. ldap_sasl_bind(SIMPLE): Can't contact LDAP
server (-1)
 AD and LDAP domains 114
Troubleshooting AD or LDAP domain configuration issues

The NetBackup Authentication Use the -f option of the vssat addldapdomain command to add the CA certificate
Service (nbatd) does not in the Authentication Service (nbatd) trust store.
trust the certificate authority
that has signed the LDAP
server’s security certificate

See “Certificate authorities

trusted by the NetBackup
Authentication Service”
on page 119.
 AD and LDAP domains 115
Troubleshooting AD or LDAP domain configuration issues

TLS cipher suite list that is By default, NetBackup authentication service communicates with the LDAP server
provided for the LDAP server using the cipher suite list:
may be wrong
“ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:

ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA”

Run the following command to view the TLS cipher suite list that is provided for the
LDAP server:

On UNIX:

/usr/openv/netbackup/sec/at/bin/vssat listldapdomains

On Windows:

Install_path\NetBackup\sec\at\bin\vssat listldapdomains

Use any utility like sslscan to find out the cipher suites that the LDAP server supports.

Modify the value of TLS cipher suite list as required for the LDAP server by running
the following command:

On UNIX:

/usr/openv/netbackup/sec/at/bin/vssregctl -s -f
/usr/openv/var/global/vxss/eab/data/root/.VRTSat/profile/VRTSatlocal.conf
-b "Security\Authentication\Authentication
Broker\AtPlugins\ldap\ServerInfos\LDAP_server_name" -k
"SSLCipherSuite" -t string -v LDAP_server_supported_cipher_suites

On Windows:

Install_path\NetBackup\sec\at\bin\vssregctl -s -f
Install_path\NetBackup\var\global\vxss\eab\data\systemprofile\VRTSatlocal.conf
-b "Security\Authentication\Authentication
Broker\AtPlugins\ldap\ServerInfos\LDAP_server_name" -k
"SSLCipherSuite" -t string -v LDAP_server_supported_cipher_suites

Example:

/usr/openv/netbackup/sec/at/bin/vssregctl -s -f
/usr/openv/var/global/vxss/eab/data/root/.VRTSat/profile/VRTSatlocal.conf
-b "Security\Authentication\Authentication
Broker\AtPlugins\ldap\ServerInfos\example.veritas.com" -k
"SSLCipherSuite" -t string -v
"DHE-RSA-AES256-SHA:AES256-GCM-SHA384"
 AD and LDAP domains 116
Troubleshooting AD or LDAP domain configuration issues

TLS protocol version that is By default, NetBackup authentication service communicates with the LDAP server
disabled for the LDAP server using the TLS 1.2 or later protocol. TLS protocols with versions earlier than 1.2 are
may be wrong disabled.

Run the following command to view the TLS protocol version that is disabled for the
LDAP server.

On UNIX:

/usr/openv/netbackup/sec/at/bin/vssat listldapdomains

On Windows:

Install_path\NetBackup\sec\at\bin\vssat listldapdomains

Modify the value of TLS protocol version that is disabled for the LDAP server using
the given command. The specified version and all the earlier versions of the TLS
protocol are disabled. Supported values are: "SSLv2", "SSLv3", "TLSv1" and "TLSv1.1".

Run the following command:

On UNIX:

/usr/openv/netbackup/sec/at/bin/vssregctl -s -f
/usr/openv/var/global/vxss/eab/data/root/.VRTSat/profile/VRTSatlocal.conf
-b "Security\Authentication\Authentication
Broker\AtPlugins\ldap\ServerInfos\LDAP_server_name" -k
"DisableTLSProtocol" -t string -v
TLS_protocol_version_to_be_disabled

On Windows:

Install_path\NetBackup\sec\at\bin\vssregctl -s -f
Install_path\NetBackup\var\global\vxss\eab\data\systemprofile\VRTSatlocal.conf
-b "Security\Authentication\Authentication
Broker\AtPlugins\ldap\ServerInfos\LDAP_server_name" -k
"DisableTLSProtocol" -t string -v
TLS_protocol_version_to_be_disabled

Example:

/usr/openv/netbackup/sec/at/bin/vssregctl -s -f
/usr/openv/var/global/vxss/eab/data/root/.VRTSat/profile/VRTSatlocal.conf
-b "Security\Authentication\Authentication
Broker\AtPlugins\ldap\ServerInfos\example.veritas.com" -k
"DisableTLSProtocol" -t string -v “TLSv1”
 AD and LDAP domains 117
Troubleshooting AD or LDAP domain configuration issues

Invalid user credentials

To troubleshoot the issue
1 Check if the nbatd logs contain the following error:
CAuthLDAP::validatePrpl - ldap_simple_bind_s() failed for user
'CN=Test User,OU=VRTSUsers,DC=VRTS,DC=com', error = 49, errmsg =
Invalid credentials,9:debugmsgs,1

2 Check if the following scenario is true and carry out the steps provided for the
scenario.

Invalid admin user DN or Run the following command to validate:

password provided while
ldapsearch -H <LDAP_URI> -D "<admin_user_DN>" -w <passwd> -d
adding an LDAP domain
<debug_level> -o nettimeout=<seconds>
using the vssat
addldapdomain command Example:

ldapsearch -H ldap://example.veritas.com:389 -D "CN=Test

User,OU=VRTSUsers,DC=VRTS,DC=com" -w ******** -d 5 –o
nettimeout=60 ldap_bind: Invalid credentials (49)

Invalid user base DN or group base DN

To troubleshoot the issue
1 Check if the nbatd logs contain the following error:
CAuthLDAP::validatePrpl - ldap_search_s() error = 10, errmsg =
Referral,9:debugmsgs,1 CAuthLDAP::validatePrpl - ldap_search_s()
error = 34, errmsg = Invalid DN syntax,9:debugmsgs,1

2 You may see the errors in the logs if user base DN (the -u option) or group
base DN (the -g option) values are incorrect.
Run the following command to validate:
Example:
ldapsearch -H ldap://example.veritas.com:389 -D "CN=Test
User,OU=VRTSUsers,DC=VRTS,DC=com" -w ****** -b
"OU=VRTSUsers,DC=VRTS,DC=con" "(&(cn=test
user)(objectClass=user))"

ldapsearch -H ldap://example.veritas.com:389 -D "CN=Test

User,OU=VRTSUsers,DC=VRTS,DC=com" -w ****** -b "VRTS" "(&(cn=test
user)(objectClass=user))"
 AD and LDAP domains 118
Troubleshooting AD or LDAP domain configuration issues

Multiple users or groups exist with the same name under

user base DN or group base DN
To troubleshoot the issue
1 Check if the nbatd logs contain the following error:
CAuthLDAP::validateGroup - search returned '2' entries for group
name 'team_noone', even with referrals set to OFF,9:debugmsgs,1

2 This is applicable if user search attribute (-a option) and group search attribute
(-y option) do not have unique values for the existing user base DN and group
base DN respectively.
Validate the number of matching entries for the existing base DN using the
ldapsearch command.

ldapsearch -H <LDAP_URI> -D "<admin_user_DN>" -w <passwd> -d

<debug_level> -o nettimeout=<seconds> -b <BASE_DN> <search_filter>

Example:
ldapsearch -H ldap://example.veritas.com:389 -D "CN=Test
User,OU=VRTSUsers,DC=VRTS,DC=com" -w ****** -b "DC=VRTS,DC=com"
"(&(cn=test user)(objectClass=user))" # LDAPv3 # base <DC=VRTS,DC=com>
with scope subtree # filter: (cn=Test User) # requesting: ALL # Test
User, VRTSUsers, VRTS.com dn: CN=Test User,OU=VRTSUsers,DC=VRTS,DC=com
# Test User, RsvUsers, VRTS.com dn: CN=Test
User,OU=RsvUsers,DC=VRTS,DC=com # numEntries: 2

User or group does not exist

To troubleshoot the issue
1 Check if the nbatd logs contain the following error:
CAuthLDAP::validatePrpl - user ‘test user’ NOT found,9:debugmsgs,4
CAuthLDAP::validateGroup - group 'test group' NOT
found,9:debugmsgs,4

2 If a user or group exists in the LDAP domain, but the vssat validateprpl or
the vssat validategroup command fails with this error, validate if the user
or the group exists in the current base DNs (-u and -g options) using the
following command.
ldapsearch -H <LDAP_URI> -D "<admin_user_DN>" -w <passwd> -d
<debug_level> -o nettimeout=<seconds> -b <BASE_DN> <search_filter>
 AD and LDAP domains 119
Certificate authorities trusted by the NetBackup Authentication Service

Certificate authorities trusted by the NetBackup

Authentication Service
The NetBackup Authentication Service (nbatd) trusts the following certificate
authorities:
■ CyberTrust
■ DigiCert GeoTrust
■ Certification Services Division
■ VeriSign Trust Network
■ RSA Security Inc.
■ GlobalSign
■ Symantec Corporation
 Chapter 7
Access keys
This chapter includes the following topics:

■ Access keys

■ Access codes

■ Request CLI access through web UI authentication

■ Approve the CLI access request of another user

■ Edit the settings for command-line access

Access keys
NetBackup access keys provide access the NetBackup interfaces through API keys
and access codes.
See “About API keys” on page 124.
See “Access codes” on page 120.

Access codes
To run certain NetBackup administrator commands, for example bperror, you need
to authenticate through the web UI. You need to generate an access code through
the command-line interface, get the access request approved from the administrator,
and then access the command.
With the web UI authentication for CLI access, NetBackup administrators can
delegate the associated privileges to other users. By default, only a root administrator
or an administrator can perform NetBackup operations through the command-line
interface. The web UI authentication support allows non-root users to administer
NetBackup who have CLI access that the Security Administrator has granted. You
 Access keys 121
Request CLI access through web UI authentication

can also administer NetBackup with a non-RBAC user role (such as Operating
System Administrator) even though you are not registered as a NetBackup user.
Each time you need to generate a new access code to access CLIs.

Request CLI access through web UI authentication

To run NetBackup commands using the NetBackup CLI, the following requirements
exist for the user:
■ The user must have the RBAC role Default NetBackup Command Line (CLI)
Administrator or a role with similar permissions.
■ The user must submit a request for temporary access to the CLI. By default, a
CLI access session is valid for 24 hours.
The command that the user runs for the request depends on whether or not
they have access to the NetBackup web UI.
See the section called “Request CLI access when you have access to the
NetBackup web UI” on page 121.
See the section called “Request CLI access from the security administrator”
on page 122.

Request CLI access when you have access to the

NetBackup web UI
If you have access to the NetBackup web UI, you can use the web UI to approve
a CLI access request using the access code from the bpnbat command.
To request CLI access
1 Run the following command:
bpnbat -login -logintype webui

An access code is generated.

2 Open the NetBackup web UI.
3 On the top right, select the profile icon.
4 Select Approve access request.
5 Enter the CLI access code that was created when you ran the bpnbat command.
Then select Review.
6 Review the access request details.
7 Select Approve.
8 After you approve the request, you can use the command-line interface to run
the wanted commands.
 Access keys 122
Approve the CLI access request of another user

Request CLI access from the security administrator

If you do not have access to the NetBackup web UI, you must submit a request for
a CLI access to the security administrator. A user with the Default Security
Administrator role or a role with similar permissions must approve the request.
To request CLI access from the security administrator
1 Run the following command:
bpnbat -login -logintype webui -requestApproval

An access code is generated.

2 Contact the security administrator and give them the access code to approve
the CLI access request.
See “Approve the CLI access request of another user” on page 122.
3 After the request is approved, you can use the command-line interface to run
the wanted commands.

Approve the CLI access request of another user

If you have the Default Security Administrator role or a role with similar permissions,
you can approve the request of another user who needs CLI access. Note that to
run commands, that user must also have the RBAC role Default NetBackup
Command Line (CLI) Administrator or a role with similar permissions.
To approve the CLI access request of another user
1 The user that requires CLI access must first run the following command to
request approval:
bpnbat -login -logintype webui -requestApproval

2 Sign in to the NetBackup web UI.

3 On the left, select Security > Access keys. Then select the Access codes
tab.
4 Enter the CLI access code that you have received from the user who requires
CLI access and select Review.
5 Review the access request details.
6 (Optional) Provide any comments.
7 Select Approve.
 Access keys 123
Edit the settings for command-line access

Edit the settings for command-line access

You can configure the default time that is set for a CLI session when a user requests
CLI access.
To edit the settings for command-line access
1 Sign in to the web UI.
2 On the left, select Security > Access keys.
3 On the right, select Access settings.
4 Select Edit.
5 Enter the time in minutes or hours that you want the CLI access session to be
valid. 1 minute is the minimum value and 24 hours is the maximum value.
 Chapter 8
API keys
This chapter includes the following topics:

■ About API keys

■ Creating API keys

■ Managing an API key

■ Using an API key

About API keys

NetBackup supports user authentication through API keys.
A NetBackup API key is a pre-authenticated token that lets a NetBackup user run
NetBackup commands (such as nbcertcmd -createToken or nbcertcmd
-revokeCertificate) or access NetBackup RESTful APIs.

API key operations with multi-person authorization

Note: Starting with NetBackup 10.5, if multi-person authorization is enabled for API
key operations, a ticket is generated. After the multi-person authorization ticket is
approved, the user needs to execute the ticket using the Execute ticket option in
the NetBackup web UI and then the required API key operation is executed.
For NetBackup releases earlier than 10.5, if multi-person authorization is enabled,
you cannot perform API key operations.

Unlike a password, an API key can exist for a long time and you can configure its
expiration. Therefore, operations like automation that need authentication can run
for a long time using API keys.
See “Creating API keys” on page 125.
 API keys 125
Creating API keys

See “Using an API key” on page 126.

See “Managing an API key” on page 125.

Note: It is recommended that you delete an API key that was generated for a
principal user after the user becomes inactive, or is blocked, or removed from the
authentication system (AD or LDAP).

Creating API keys

A user can have only one API key.

Note: The 'View' RBAC permission is required to create an API key.

You can create API keys in one of the following ways:

■ Using the netbackup/security/api-keys POST API
Any user can create an API key using the api-keys API
■ Using the NetBackup web UI
For more details on creating API keys using the web UI or RBAC roles, refer to
the NetBackup Web UI Administrator's Guide.
See “Using an API key” on page 126.
See “Managing an API key” on page 125.

Managing an API key

Each API key is associated with an API key tag. You can update or delete an API
key using its API key tag in one of the following ways:
■ Using the netbackup/security/api-keys API
You can update or delete an API key using its API key tag.
■ Using the NetBackup web UI
For more details on managing API keys using the web UI, refer to the NetBackup
Web UI Administrator's Guide.
See “Creating API keys” on page 125.
See “Using an API key” on page 126.
 API keys 126
Using an API key

Using an API key

Once an API key is created, you can use it while you access RESTful APIs or run
commands:
See “Creating API keys” on page 125.
Using an API key while accessing NetBackup RESTful APIs
◆ Pass the API key in the API request header to access other NetBackup APIs.
Using an API key while you run NetBackup commands
1 Do one of the following:
■ Run the following command:
bpnbat -Login -LoginType APIKEY
You can run NetBackup commands that require authentication for the next
24 hours without requiring to run bpnbat -Login.
■ Set a new environment variable called NETBACKUP_APIKEY for the API key.
See “Setting an API key environment variable to run NetBackup commands”
on page 126.
You can run NetBackup commands that require authentication until the API
key is valid and the environment variable is set.

2 Run a command such as nbcertcmd -createToken.

For more details on NetBackup commands, refer to the NetBackup Commands
Reference Guide.

Setting an API key environment variable to run NetBackup commands

To use an API key while running NetBackup commands that need user
authentication, you need to create an API key and set an environment variable for
the API key. Once the environment variable is set, you can run the commands until
the API key is valid and the environment variable is set.
On Windows platform, set the API key environment variable in the user context.
Example of an environment variable for an API key:
NETBACKUP_APIKEY = MasterServer1:APIKEY1

If you want to set multiple API keys, specify the primary server and API key mappings
in a comma-separated format.
For example:
NETBACKUP_APIKEY =
MasterServer1:APIKEY1,MasterServer2:APIKEY2,MasterServer3:APIKEY3
 API keys 127
Using an API key

You can also specify the mappings in a file and the file should be specified with
prefix '@'.
For example:
NETBACKUP_APIKEY = @file_path/file_name

The contents of the file should be as follows:

MasterServer1:APIKEY1

MasterServer2:APIKEY2

MasterServer3:APIKEY3

See “Creating API keys” on page 125.

 Chapter 9
Auth.conf file
This chapter includes the following topics:

■ Authorization file (auth.conf) characteristics

Authorization file (auth.conf) characteristics

By default, the authorization file or auth.conf file grants access for the following
functions in the NetBackup Administration Console:

On NetBackup Administrator applications and capabilities for the root user. User
servers backup and restore capabilities for all other users.

On NetBackup clients User backup and restore capabilities for all users.

Auth.conf file location

Windows NetBackup auth.conf.win.template in install_path\NetBackup\Java

servers
Use this template file to create an auth.conf file at the same
location. The template file contains an example of giving permissions
to a user.

UNIX NetBackup auth.conf in install_path/NetBackup/Java

servers
Contains the following entries:

root ADMIN=ALL JBP=ALL

* ADMIN=JBP JBP=ENDUSER+BU+ARC

Configuring the auth.conf file

Configure the auth.conf file as follows:
 Auth.conf file 129
Authorization file (auth.conf) characteristics

■ If the auth.conf file exists, it must contain an entry. Provide an entry for each
user or use an asterisk (*) to indicate all users except OS administrators, and
RBAC administrators.
Users without entries in the file cannot access any NetBackup applications.
■ Use an asterisk (*) to indicate any user name except OS administrator, and
RBAC administrator.
■ An asterisk in the first field indicates that any user name except OS administrator,
and RBAC administrator is accepted and the user is allowed to use the
applications as specified.
■ Entries for specific users must be listed first, followed by any entries with an
asterisk (*).
■ Use the first field of each entry to indicate the user name that is granted or
denied access rights. Use an asterisk to indicate any user name.
■ The remaining fields specify the specific access rights for the user or users. You
cannot use an asterisk (*) authorize all users for all applications. Each user (or
all users) must have specific application keywords. To deny all capabilities to a
specific user, do not provide any keywords for the interface. For example:

mydomain\ray ADMIN= JBP=

■ You can specify user groups that need access to certain UI functions.
The <GRP> tag is used to specify a user group in the auth.conf file. For example:

<GRP> domain1\BackupAdmins ADMIN=SUM JBP=BU

In this example, domain1 is a NetBackup domain and BackupAdmins is a user

group. All users in the BackupAdmins user group can access the Storage Unit
Management (SUM) UI node and can carry out backup (BU) tasks.

ADMIN keyword Specifies the applications that the user can access. ADMIN=ALL allows access to all
NetBackup applications and the related administrator-related capabilities.

JBP keyword Specifies what the user can do with the Backup, Archive, and Restore client application
(jbpSA). JBP=ALL allows access to all Backup, Archive, and Restore capabilities, including
those for administration.

Asterisk (*) An asterisk in the first field indicates that any user name is accepted and the user is allowed
to use the applications as specified. The second line of the released version contains an
asterisk in the first field. The asterisk means that NetBackup validates any user name for
access to the Backup, Archive, and Restore client application jbpSA.
JBP=ENDUSER+BU+ARC allows users to back up, archive, and restore files only.
 Auth.conf file 130
Authorization file (auth.conf) characteristics

User authentication
The credentials that are entered in the logon screen must be valid on the computer
that is specified in the host field. The NetBackup application server authenticates
with the specified computer. The user name is the account used to back up, archive,
or restore files. To perform remote administration or user operations with jbpSA, a
user must have valid accounts on the NetBackup UNIX server or client computer.
The Backup, Archive, and Restore application (jbpSA) relies on system file
permissions of when to browse directories and files to back up or restore.
The password must be the same password that was used upon logon at that
computer. For example, assume you log on with the following information:

username = joe
password = access

You must use this same user name and password to log into NetBackup.
You can log on to the NetBackup application server under a different user name
than the name used to log on to the operating system. For example, if you log on
to the operating system with a user name of joe, you can subsequently log on to
jnbSA as root.

Support for user groups

Active Directory (AD) groups are supported in the auth.conf file only for primary
servers.
User groups are defined using the <GRP> tag in the auth.conf file.

Note: Run the vssat validateprpl command to verify the format of the group
names that you have defined in the auth.conf file.
For more information on the command, see the NetBackup Commands Reference
Guide.

■ If a user is part of multiple groups, the access rights for the user are combined.
For example user1 is part of the user groups called BackupAdmins and
StorageUnitAdmins.

<GRP> domain1\BackupAdmins ADMIN=SUM JBP=BU

<GRP> domain1\StorageUnitAdmins ADMIN=CAT JBP=RAWPART

Access rights for user1 are combined as follows: ADMIN=SUM+CAT

JBP=BU+RAWPART
 Auth.conf file 131
Authorization file (auth.conf) characteristics

■ If a user and the user group that the user is part of exist in the auth.conf file,
the combined access rights are assigned to the user. For example: user1 is part
of is part of the user groups called BackupAdmins and StorageUnitAdmins.

domain\user1 ADMIN=JBP JBP=ENDUSER

<GRP> domain\BackupAdmins ADMIN=CAT JBP=BU
<GRP> domain\StorageUnitAdmins ADMIN=SUM JBP=RAWPART

Access rights for user1 are as follows: ADMIN=JBP+SUM+CAT

JBP=BU+RAWPART+ENDUSER

■ If duplicate entries of a user, a user group, or both exist in the auth.conf file -
The first entry of the user, the user group, or both are taken into account and
the combined access rights are assigned to the user. For example: user1 is part
of the BackupAdmins user group and the auth.conf file contains two entries
of the BackupAdmins user group.

<GRP> domain1\BackupAdmins ADMIN=CAT JBP=BU

<GRP> domain1\BackupAdmins ADMIN=SUM JBP=RAWPART

Access rights for user1 are as follows: ADMIN=CAT JBP=BU

Application state information

Upon exit, some application state information is automatically saved in the directory
of joe $HOME/.java/.userPrefs/vrts directory. (For example, table column order.)
The information is restored the next time you log on to the operating system under
account joe and initiate the NetBackup application. This logon method is useful if
there is more than one administrator because it saves the state information for each
administrator.

Note: NetBackup creates a user’s $HOME/.java/.userPrefs/vrts directory the

first time an application is exited. Only NetBackup applications use the
.java/.userPrefs/vrts directory.
 Chapter 10
Role-based access control
This chapter includes the following topics:

■ RBAC features

■ RBAC settings

■ Configuring RBAC

■ Role permissions

■ Notes for using NetBackup RBAC

■ Add AD or LDAP domains

■ Default RBAC roles

■ Add a custom RBAC role

■ Edit or remove a role a custom role

■ View users in RBAC

■ Add a user to a role (non-SAML)

■ Add a smart card user to a role (non-SAML, without AD/LDAP)

■ Add a user to a role (SAML)

■ Remove a user from a role

RBAC features
The NetBackup web user interface provides the ability to apply role-based access
control in your NetBackup environment. Use RBAC to provide access for the users
that do not currently have access to NetBackup. Or, for current NetBackup users
 Role-based access control 133
RBAC settings

with administrator access you can provide limited access and permissions, based
on their role in your organization.
For information on access control and auditing information for root users and
administrators, refer to the NetBackup Security and Encryption Guide.

Table 10-1 RBAC features

Feature Description

Roles allow users to perform Add users to one or more default RBAC roles or create custom roles to fit the role
specific tasks of your users. Add a user to the Administrator role to give full NetBackup
permissions to that user.

See “ Default RBAC roles” on page 136.

Users can access NetBackup RBAC users can perform common tasks for their business role, but are restricted
areas and the features that fit their from accessing other NetBackup areas and features. RBAC also controls the
role assets that users can view or manage.

Auditing of RBAC events NetBackup audits RBAC events.

DR ready RBAC settings are protected with the NetBackup catalog.

RBAC settings
You can configure access control settings based on user roles. The following RBAC
settings can be configured:
■ Web UI access for Operating System Administrator
■ CLI access for Operating System Administrator

Configuring RBAC
To configure role-based access control for the NetBackup web UI, perform the
following steps.

Table 10-2 Steps to configure role-based access control

Step Action Description

1 Configure any Active Before you can add domain users, Active Directory or LDAP domains must
Directory or LDAP domains. be authenticated with NetBackup.

See the NetBackup Security & Encryption Guide.

 Role-based access control 134
Role permissions

Table 10-2 Steps to configure role-based access control (continued)

Step Action Description

2 Determine the permissions
that your users need.
Determine the permissions that your users need to perform their daily tasks.
You can use the default RBAC roles or use a default role as a template to
create a new role. Or, you can create a completely custom role to fit your
needs.

See “Role permissions” on page 134.

See “ Default RBAC roles” on page 136.

See “Add a custom RBAC role” on page 141.

3 Add users to the appropriate See “Add a user to a role (non-SAML)” on page 145.
roles.
See “Add a user to a role (SAML)” on page 146.

See “Add a smart card user to a role (non-SAML, without AD/LDAP)”

on page 146.

4 Determine the permissions See “Disable web UI access for operating system (OS) administrators”
that you want for OS on page 149.
administrators
See “Disable command-line (CLI) access for operating system (OS)
administrators” on page 148.

Role permissions
Role permissions define the operations that roles users have permission to perform.
For details on individual RBAC permissions and dependencies, refer to the
NetBackup API documentation.
http://sort.veritas.com
 Role-based access control 135
Notes for using NetBackup RBAC

Table 10-3 Role permissions for NetBackup RBAC

Category Description

Global Global permissions apply to all assets or objects.

BMR - Configuration and management of BMR.

NetBackup Web Management Console Administration - With guidance

from Veritas Support, create diagnostic files to troubleshoot NetBackup and
perform JVM garbage collection.

These operations are only available from the NetBackup APIs. Refer to the
following guides for information on JVM tuning options: NetBackup Installation
Guide, NetBackup Upgrade Guide.

NetBackup management - Configuration and management of NetBackup.

Protection - NetBackup backup policies and storage lifecycle policies.

Security - NetBackup security settings.

Storage - Manage backup storage settings.

Assets Manage one or types of assets. For example, VMware assets.

Protection plans Manage how backups are performed with protection plans.

Credentials Manage credentials for assets and for other features of NetBackup.

Notes for using NetBackup RBAC

Note the following when you configure the permissions for RBAC roles:
■ RBAC only controls access to the web UI and not the NetBackup Administration
Console.
■ When you create roles, be sure to enable the minimal number of permissions
so the user can sign in to and use the web UI. Some individual permissions do
not have a direct correlation with a screen in the web UI. Users that attempt to
sign in but that only have a permission of this kind receive an “Unauthorized”
message.
■ If a user is added to or removed from a role, the user must sign out and sign in
again before the user’s permissions are updated.
■ Most permissions are not implicit.
In most cases a Create permission does not give a user View permission. A
Recovery permission does not give a user View permission or other recovery
options like Overwrite.
 Role-based access control 136
Add AD or LDAP domains

■ Not all RBAC-controlled operations can be used from the NetBackup web UI.
These types of operations are included in RBAC so a role administrator can
create roles for API users as well as for web UI users.
■ Some tasks require a user to have permissions in multiple RBAC categories.
For example, to establish a trust relationship with a remote primary server, a
user must have permissions for both Remote primary servers and Trusted
primary servers.

Add AD or LDAP domains

NetBackup supports Active Directory (AD) or Lightweight Directory Access Protocol
(LDAP) domain users. Before you can add domain users to RBAC roles, you must
add the AD or the LDAP domain. A domain also must be added before you can
configure that domain for smart card authentication.
You can use the POST /security/domains/vxat API or the vssat command to
configure domains.
For more information on the vssat command and more of its options, see the
NetBackup Command Reference Guide.

Default RBAC roles

The NetBackup web UI provides the following default RBAC roles with preconfigured
permissions and settings.

Table 10-4 Default RBAC roles in the NetBackup web UI

Role name Description

Administrator The Administrator role has full permissions for NetBackup and can manage all aspects
of NetBackup.

Default AHV Administrator This role has all the permissions that are necessary to manage Nutanix Acropolis
Hypervisor and to back up those assets with protection plans.

Default Apache Cassandra This role has all the permissions that are necessary to manage and protect Apache
Administrator Cassandra assets with protection plans.
 Role-based access control 137
Default RBAC roles

Table 10-4 Default RBAC roles in the NetBackup web UI (continued)

Role name Description

Default Cloud Administrator This role has all the permissions that are necessary to manage cloud assets and to
back up those assets with protection plans.

Note that a PaaS administrator requires some additional permissions that you can add
to a custom role.

Cloud administrators also need additional permissions to manage cloud and PaaS
assets using intelligent groups.

See “Add a custom RBAC role for a PaaS administrator” on page 139.

Default Cloud Object Store This role has all the permissions to manage the protection for cloud objects using
Administrator classic policies.

Default DB2 Administrator This role provides the ability to view and restore DB2 backups with the nbdb2adutl
command. The administrator can also view and manage DB2 jobs.

Default IRE SLP Manages IRE (Isolated Recovery Environment) SLP (Storage lifecycle policies)
Administrator functionalities.

Default Kubernetes
Administrator
This role has all the permissions that are necessary to manage Kubernetes and to
back up those assets with protection plans. The permissions for this role give a user
the ability to view and manage jobs for Kubernetes assets. To view all jobs for this
asset type, a user must have the default role for that workload. Or, a similar custom
role must have the following option applied when the role is created: Apply selected
permissions to all existing and future workload assets.

Default Microsoft Sentinel This role has all the permissions necessary to add Microsoft Sentinel credentials in
Administrator NetBackup and to send NetBackup audit events to Microsoft Sentinel.

Default Microsoft SQL Server This role has all the permissions that are necessary to manage SQL Server databases
Administrator and to back up those assets with protection plans. In addition to this role, the NetBackup
user must meet the following requirements:

■ Member of the Windows administrator group.

■ Have the SQL Server “sysadmin” role.

Default MongoDB Ops MongoDB Ops Manager Functionalities.

Manager

Default Multi-Person This role has permissions to manage MPA tickets.

Authorization (MPA) Approver

Default MySQL Administrator This role has all the permissions that are necessary to manage MySQL instances and
databases and to back up those assets with protection plans.
 Role-based access control 138
Default RBAC roles

Table 10-4 Default RBAC roles in the NetBackup web UI (continued)

Role name Description

Default NAS Administrator This role has all the permissions that are necessary to perform the backup and restore
of NAS volumes using a NAS-Data-Protection policy. To view all jobs for the backups
and restores of a NAS volume, a user must have this role. Or, the user must have a
custom role with same permissions applied when the role was created.

Default NetBackup Command This role has all the permissions that are necessary to manage NetBackup using the
Line (CLI) Administrator NetBackup command line (CLI). With this role a user can run most of the NetBackup
commands with a non-root account.

Note: A user that has only this role cannot sign into the web UI.

Default Oracle Administrator This role has all the permissions that are necessary to manage Oracle databases and
to back up those assets with protection plans.

Default PostgreSQL This role has all the permissions that are necessary to manage PostgreSQL instances
Administrator and databases and to back up those assets with protection plans.

Default Resiliency This role has all the permissions to protect the Veritas Resiliency Platform (VRP) for
Administrator VMware assets.

Default RHV Administrator This role has all the permissions that are necessary to manage Red Hat Virtualization
computers and to back up those assets with protection plans. This role gives a user
the ability to view and manage jobs for RHV assets.

To view all jobs for RHV assets, a user must have this role. Or, the user must have a
similar custom role with following option applied when the role was created: Apply
selected permissions to all existing and future RHV assets.

Default SaaS Administrator This role has all the permissions to view and manage SaaS assets.

Default Security Administrator This role has permissions to manage NetBackup security including role-based access
control (RBAC), certificates, hosts, identity providers and domains, global security
settings, and other permissions. This role can also view settings and assets in most
areas of NetBackup: workloads, storage, licensing, and other areas.

Default Storage Administrator This role has permissions to configure disk-based storage and storage lifecycle policies.
SLP settings are managed with the Administrator role.

Default Universal Share This role has the permissions to manage policies and storage servers. It can also
Administrator manage the assets for Windows and Standard client types and for universal shares.

Default Veritas Alta View This role has all the permissions that are necessary to manage Veritas Alta View
Administrator functionalities.
 Role-based access control 139
Default RBAC roles

Table 10-4 Default RBAC roles in the NetBackup web UI (continued)

Role name Description

Default VMware Administrator This role has all the permissions that are necessary to manage VMware virtual machines
and to back up those assets with protection plans. To view all jobs for VMware assets,
a user must have this role. Or, the user must have a similar custom role with following
option applied when the role was created: Apply selected permissions to all existing
and future VMware assets.

NetBackup Read-Only This role provides the read-only permissions to the IT Analytics Operator, Multi-Person
Operator Authorization Approver, and other operators in NetBackup, with no permissions for
security.

Note: Veritas reserves the right to update the RBAC permissions for default roles
in future releases. Any revised permissions are automatically applied to users of
these roles when NetBackup is upgraded. If you have copies of default roles these
roles are not updated automatically. (Or, if you have any custom roles that are
based on default roles.) If you want these custom roles to include changes to default
roles, you must manually apply the changes or recreate the custom roles.

Add a custom RBAC role for a PaaS administrator

A PaaS administrator needs additional storage permissions. You can use the Default
Cloud Administrator role as a template to create a custom role.
To add a custom RBAC role
1 On the left, select Security > RBAC and click Add.
2 Select Default Cloud Administrator.
3 Provide a Role name and a description.
For example, you may want to indicate that the role is for any users that are
PaaS administrators.
4 Under Permissions, click Assign.
5 On the Global tab, expand the Storage section. Select the following
permissions.

Disk pools View

Storage servers View

Storage universal View, Create

shares
 Role-based access control 140
Default RBAC roles

6 On the Assets tab, under desired policy type / workload section select the
following permissions:
■ Instant access
■ Restore from malware-infected images (Required to restore from malware
infected images)

7 Click Assign.
8 Under Users, click Assign. Then add each user that you want to have access
to this custom role.
9 When you are done configuring the role, click Add role.

Add a custom RBAC role to restore Azure-managed instances

To restore Azure-managed instances, users must have the view permission for
these instances. Administrators and similar users can provide other users with a
custom role and this permission.
To assign the view permission for Azure-managed instances
1 To get the access control ID of the managed instance, enter the following
command:

GET /asset-service/workloads/cloud/assets?filter=extendedAttributes/
managedInstanceName eq 'managedInstanceName'

Search for accessControlId field in the response. Note down the value of this
field.
2 To get the role ID, enter the following command:
GET /access-control/roles

Search for the id field in the response. Note down the value of this field.
3 Create an access definition, as follows:
POST /access-control/managed-objects/{objectId}/access-definitions

Request payload

"data": {
"type": "accessDefinition",
"attributes": {
"propagation": "OBJECT_AND_CHILDREN"
},
 Role-based access control 141
Add a custom RBAC role

"relationships": {
"role": {
"data": {
"id": "<roleId>",
"type": "accessControlRole"
}
},
"operations": {
"data": [
{
"id": "|OPERATIONS|VIEW|",
"type": "accessControlOperation"
}
]
},
"managedObject": {
"data": {
"id": "<objectId>",
"type": "managedObject"
}
}
}
}
}

Use the following values:

■ objectId: Use the value of accessControlId obtained from step 1.

■ roleId: Use the value of id obtained from step 2.

Note: For an alternate restore, provide the

|OPERATIONS|ASSETS|CLOUD|RESTORE_DESTINATION| permission in the
operations list.

Add a custom RBAC role

Create a custom RBAC role if you want to manually define the permissions and the
access that users have to workload assets, protection plans, or credentials.
 Role-based access control 142
Add a custom RBAC role

Note: Veritas reserves the right to update the RBAC permissions for default roles
in future releases. Any revised permissions are automatically applied to users of
these roles when NetBackup is upgraded. Any copies of default roles (or any custom
roles that are based on default roles) are not automatically updated.

To add a custom RBAC role

1 Sign in to the NetBackup web UI.
2 On the left, select Security > RBAC.
3 Select the Add button
4 Select the type of role that you want to create.
You can make a copy of a default role that contains all the preconfigured
permissions and settings for that type of role. Or, select Custom role to
manually configure all the permissions for a role.
5 Provide a Role name and a description.
For example, you may want to indicate that the role is for any users that are
backup administrators for a particular department or region.
6 Under Permissions, select the Edit button or the Assign button.
The permissions that you select determine the other settings that you can
configure for the role.
If you select a default role type, certain permissions are enabled only if they
are required for that type of role. (For example, the Default Storage
Administrator does not require permissions for protection plans. The Default
Microsoft SQL Server Administrator requires credentials.)
■ Workloads are enabled when you select Asset permissions.
■ Protection plans are enabled when you select Protection plans
permissions.
■ Credentials are enabled when you select Credentials permissions.

7 Configure the permissions for the role.

See “Role permissions” on page 134.
See “Notes for using NetBackup RBAC” on page 135.
 Role-based access control 143
Edit or remove a role a custom role

8 Under Users, select the Assign button.

9 When you are done configuring the role, select the Save button.
Note: After a role is created, you must edit permissions for assets, protection
plans, or credentials directly from the applicable node in the web UI. For
example, to edit permissions for all VMware assets, go to Workloads > VMware
and then select VMware settings > Manage permissions. Or, select a VM
and select Manage permissions.
Note: After a role is created, you must edit permissions for assets, protection
plans, or credentials directly from the applicable node in the web UI. For
example, to edit permissions for VMware, go to Workloads > VMware and
then select VMware settings > Manage permissions. Or, open the details
for a VM and click on the Permissions tab.

Edit or remove a role a custom role

You can edit or remove a custom role when you want to change or remove
permissions for users with that role. Default roles cannot be edited or removed.
You can only add or remove users from default roles.

Edit a custom role

Note: When you change permissions for a custom role, the changes affect all users
that are assigned to that role.

To edit a custom role

1 Sign in to the NetBackup web UI.
2 On the left, click Security > RBAC.
3 On the Roles tab, locate and click on the custom role that you want to edit.
4 To edit the role description, click Edit name and description.
 Role-based access control 144
View users in RBAC

5 Edit the permissions for the role. You can edit the following details for a role:

Global permissions for the role On the Global permissions tab, click
Edit.

Users for the role Click the Users tab.

Access definitions for the role Click the Access definitions tab.

See “Role permissions” on page 134.

See “Notes for using NetBackup RBAC” on page 135.
6 To add or remove users for the role, click the Users tab.
See “Add a user to a role (non-SAML)” on page 145.
See “Remove a user from a role” on page 147.
7 Permissions for assets, protection plans, and credentials must be edited directly
in the applicable node in the web UI.

Remove a custom role

Note: When you remove a role, any users that are assigned to that role lose the
permissions that the role provided.

To remove a custom role

1 Sign in to the NetBackup web UI.
2 On the left, click Security > RBAC.
3 Click the Roles tab.
4 Locate the custom role that you want to remove and select the check box for
it.
5 Click Remove > Yes.

View users in RBAC

You can view the users that have been added to RBAC and the roles that they are
assigned to. The Users list is view-only. To edit the users that are assigned to a
role, you must edit the role.
 Role-based access control 145
Add a user to a role (non-SAML)

To view the users in RBAC

1 Sign in to the NetBackup web UI.
2 On the left, click Security > RBAC.
3 Click on the Users tab.
4 The Roles column indicates each role to which the user is assigned.

Add a user to a role (non-SAML)

This topic describes how to add a non-SAML user or group to a role.
Non-SAML users use one of the following sign-in methods: Sign in with username
and password or Sign in with smart card.
To add a user to a role (non-SAML)
1 Sign in to the NetBackup web UI.
2 On the left, click Security > RBAC.
3 Click the Roles tab.
4 Click on the role name, then click on the Users tab.
5 (Conditional) From the Sign-in type list, select from the following:
■ Default sign-in. For a user that signs into NetBackup with their username
and password.
■ Smart card user. For a user that uses a smart card to sign into NetBackup.
Note: The Sign-in type list is only available if there is an IDP configuration
available for NetBackup.
6 Enter the user or the group name that you want to add.

For this type of Use this format Example

user

Local user or group username jane_doe

groupname admins

Windows user or group DOMAIN\username WINDOWS\jane_doe

DOMAIN\groupname WINDOWS\Admins

UNIX user or group username@domain john_doe@unix

groupname@domain admins@unix
 Role-based access control 146
Add a smart card user to a role (non-SAML, without AD/LDAP)

7 Click Add to list.

8 The user must sign out and sign in again before the user’s permissions are
updated.

Add a smart card user to a role (non-SAML,

without AD/LDAP)
This topic describes how to add a smart card user to a role. In this case the user
is a non-SAML user and there is no AD or no LDAP domain association or mapping.
User groups are not supported with this type of configuration.
This type of user uses the following sign-in method: Sign in with smart card.
To add a smart card user to a role (non-SAML, without AD/LDAP)
1 Sign in to the NetBackup web UI.
2 On the left, click Security > RBAC.
3 Click the Roles tab.
4 Click on the role name, then click on the Users tab.
5 (Conditional) From the Sign-in type list, select Smart card user.

Note: The Sign-in type list is available only if there is an IDP configuration
available for NetBackup. The smart card user option in the Sign-in type list is
available when the smart card configuration is done without AD or LDAP domain
mapping.

6 Enter the username that you want to add.

Provide the exact common name (CN) or the universal principal name (UPN)
that is available in the certificate.
7 Click Add to list.
8 The user must sign out and sign in again before the user’s permissions are
updated.

Add a user to a role (SAML)

This topic describes how to add a SAML user or group to a role.
SAML users use one of the following sign-in methods: SAML user or SAML group.
 Role-based access control 147
Remove a user from a role

To add a user to a role (SAML)

1 Sign in to the NetBackup web UI.
2 On the left, click Security > RBAC.
3 Click the Roles tab.
4 Click on the role name, then click on the Users tab.
5 From the Sign-in type list, select the sign-in method SAML user or SAML
group.
6 Enter the user or the group name that you want to add.
For example, [email protected].
If your Identity Provider (IDP) returns group information in the format of
(CN=groupname, DC=domainname) or domainname\groupname, you should
add the group using the format groupname@domainname. However, it is also
possible to configure SAML Groups in Role-Based Access Control (RBAC)
without including the domain name. If your IDP returns group names without
domain information, you can add those groups as plain text. Please note that
using the email format is not mandatory for SAML groups.
7 Click Add to list.
8 The user must sign out and sign in again before the user’s permissions are
updated.

Remove a user from a role

You can remove a user from a role when you want to remove permissions for that
user.
If a user is removed from a role, the user must sign out and sign in again before
the user’s permissions are updated.
To remove a user from a role
1 Sign in to the NetBackup web UI.
2 On the left, click Security > RBAC.
3 Click the Roles tab.
4 Click on the role that you want to edit, select the Users tab.
5 Locate the user you want to remove and click Actions > Remove > Remove.
 Chapter 11
NetBackup interface
access for OS
Administrators
This chapter includes the following topics:

■ Disable command-line (CLI) access for operating system (OS) administrators

■ Disable web UI access for operating system (OS) administrators

Disable command-line (CLI) access for operating

system (OS) administrators
By default, an OS administrator (user or group member) has access to the
NetBackup CLI and does not need to be a member of an RBAC role.
This option prevents OS administrators from accidentally running NetBackup CLIs.
A malicious user with the OS administrator access of the primary server can still
bypass this restriction.
After you can disable the option, the OS administrator must log in with bpnbat
-login to access the CLI.

To disable CLI access for OS administrators

1 Sign in to the web UI.
2 On the top right, click Settings > Global security.
3 On the Security controls tab, turn off the CLI access for Operating System
Administrator option.
 NetBackup interface access for OS Administrators 149
Disable web UI access for operating system (OS) administrators

Disable web UI access for operating system (OS)

administrators
By default, an OS administrator (user or group member) has access to the
NetBackup web UI and does not need to be a member of an RBAC role.
If you do not want an OS administrator to automatically have this access, you can
disable it. An OS administrator must then have the RBAC Administrator role to be
able to access the web UI.
To disable web UI access control for the OS administrators
1 Sign in to the web UI.
2 On the top right, click Settings > Global security.
3 On the Security controls tab, turn off the Web UI access for Operating
System Administrator option.
 Chapter 12
Smart card or digital
certificate
This chapter includes the following topics:

■ Configure user authentication with smart cards or digital certificates

■ Configure smart card authentication with a domain

■ Configure smart card authentication without a domain

■ Edit the configuration for smart card authentication

■ Add or delete a CA certificate that is used for smart card authentication

■ Disable or temporarily disable smart card authentication

Configure user authentication with smart cards

or digital certificates
You can map a smart card or certificate with an AD or an LDAP domain for user
validation. Alternatively, you can configure a smart card or certificate without an
AD or an LDAP domain.
See “Configure smart card authentication with a domain” on page 150.
See “Configure smart card authentication without a domain” on page 152.

Configure smart card authentication with a domain

You can configure NetBackup to validate users with smart cards or certificates with
an AD or an LDAP domain.
 Smart card or digital certificate 151
Configure smart card authentication with a domain

Note the following prerequisites:

■ Before you add the authentication method you must add the domain that is
associated with your NetBackup users. See the NetBackup Security & Encryption
Guide.
■ Ensure that you complete the role-based access control (RBAC) configuration
for the NetBackup users before you configure smart card or certificate
authentication.
See “Configuring RBAC” on page 133.
To configure smart card authentication with a domain
1 Sign in to the NetBackup web UI.
2 At the top right, select Settings > Smart card authentication.
3 Turn on Smart card authentication.
4 Select the required AD or LDAP domain from the Select the domain option.
5 Select a Certificate mapping attribute: Common name (CN) or Universal
principal name (UPN).
6 Optionally, enter the OCSP URI.
If you do not provide the OCSP URI, the URI in the user certificate is used.
7 Select Save.
8 To the right of CA certificates, click Add.
9 Browse for or drag and drop the CA certificates and click Add.
Smart card authentication requires a list of trusted root or intermediate CA
certificates. Add the CA certificates that are associated with the user digital
certificates or the user smart cards.
Certificate file types must be .crt, .cer, .der, .pem, or PKCS #7 format and
less than 64KB in size.
10 On the Smart card authentication page, verify the configuration information.
After configuring smart card authentication, you must restart the NetBackup
Web Management Console (nbwmc) service.
 Smart card or digital certificate 152
Configure smart card authentication without a domain

11 Before users can use a digital certificate that is not installed on a smart card,
the certificate must be uploaded to the browser’s certificate manager.
See the browser documentation for instructions or contact your certificate
administrator for more information.
12 When users sign in, they now see an option to Sign in with certificate or
smart card.
If you do not want users to have this sign-in option yet, turn off Smart card
authentication. (For example, if all users do not yet have their certificates
configured on their hosts.). The settings that you configured are retained even
if you turn off smart card authentication.
For such users, the domain name and domain type are smart card.

Configure smart card authentication without a

domain
You can configure NetBackup to validate users with smart cards or certificates
without an associated AD or LDAP domain. Only users are supported for this
configuration. User groups are not supported.
To configure smart card authentication without a domain
1 Sign in to the NetBackup web UI.
2 At the top right, select Settings > Smart card authentication.
3 Turn on Smart card authentication.
4 (Conditional step) If AD or LDAP domain is configured in your environment,
select Continue without the domain option.
5 Select a Certificate mapping attribute: Common name (CN) or Universal
principal name (UPN).
6 Optionally, enter the OCSP URI.
If you do not provide the OCSP URI, the URI in the user certificate is used.
7 Select Save.
8 To the right of CA certificates, click Add.
9 Browse for or drag and drop the CA certificates and click Add.
 Smart card or digital certificate 153
Edit the configuration for smart card authentication

10 Smart card authentication requires a list of trusted root or intermediate CA

certificates. Add the CA certificates that are associated with the user digital
certificates or the user smart cards.
Certificate file types must be .crt, .cer, .der, .pem, or PKCS #7 format and
less than 64KB in size.
11 On the Smart card authentication page, verify the configuration information.
After configuring smart card authentication, you must restart the NetBackup
Web Management Console (nbwmc) service.
Before users can use a digital certificate that is not installed on a smart card,
the certificate must be uploaded to the browser’s certificate manager.
12 When users sign in, they now see an option to Sign in with certificate or
smart card.
If you do not want users to have this sign-in option yet, turn off Smart card
authentication. (For example, if all users do not yet have their certificates
configured on their hosts.). The settings that you configured are retained even
if you turn off smart card authentication.

Edit the configuration for smart card

authentication
If the configuration changes for smart card authentication, you can edit the
configuration details.
To edit user authentication configuration with domain
1 Sign in to the NetBackup web UI.
2 At the top right, select Settings > Smart card authentication.
3 You may want to edit the AD or LDAP domain selection in the following cases:
■ To select a domain that is different than the existing one
■ The existing domain is deleted and you want to select a new domain
■ You want to continue without the domain
Select Edit.
4 Select a domain.
Only the domains that are configured for NetBackup display in this list.
If you do not want to validate the users with domain, you can select Continue
without the domain.
 Smart card or digital certificate 154
Add or delete a CA certificate that is used for smart card authentication

5 Edit the Certificate mapping attribute.

6 Leave the OCSP URI field empty if you want to use the URI value from the
user certificate. Or, provide the URI that you want to use.

Add or delete a CA certificate that is used for

smart card authentication
Add a CA certificate
Smart card authentication requires a list of trusted root or intermediate CA
certificates. Add the CA certificates that are associated with the user digital
certificates or the user smart cards.
To add a CA certificate
1 Sign in to the NetBackup web UI.
2 At the top right, select Settings > Smart card authentication.
3 Locate CA certificates and select the Add button.
4 Browse for or drag and drop the CA certificates. Then select the Add button.
Smart card authentication requires a list of trusted root or intermediate CA
certificates. Add the CA certificates that are associated with the user digital
certificates or the user smart cards.
Certificate file types must be in DER, PEM, or PKCS #7 format and no more than
1 MB in size.

Delete a CA certificate
You can delete a CA certificate if it is no longer used for smart card authentication.
Note that if a user attempts to use the associated digital certificate or smart card
certificate, they are not able to sign in to NetBackup.
To delete a CA certificate
1 Sign in to the NetBackup web UI.
2 At the top right, select Settings > Smart card authentication.
3 Select the CA certificates that you want to delete.
4 Select Delete > Delete.
 Smart card or digital certificate 155
Disable or temporarily disable smart card authentication

Disable or temporarily disable smart card

authentication
You can disable smart card authentication if you no longer want to use that
authentication method for the primary server. Or, if you need to complete other
configuration before users can use smart cards.
To disable smart card authentication
1 Sign in to the NetBackup web UI.
2 At the top right, select Settings > Smart card authentication.
3 Turn off Smart card authentication.
The settings that you configured are retained even if you turn off smart card
authentication.
 Chapter 13
Single Sign-On (SSO)
This chapter includes the following topics:

■ About single sign-on (SSO) configuration

■ Configure NetBackup for single sign-on (SSO)

About single sign-on (SSO) configuration

You can configure single sign-on (SSO) with any identity provider (IDP) that uses
the SAML 2.0 protocol for exchanging authentication and authorization information.
Note that you can configure an IDP with more than one Veritas product. For example,
the same IDP can be configured with NetBackup and with APTARE.
Note the following requirements and limitations:
■ To use SSO, you must have a SAML 2.0 compliant identity provider configured
in your environment.
■ Only identity providers that use AD or LDAP directory services are supported.
■ Configuration of the IDP requires the NetBackup APIs or the NetBackup
command nbidpcmd.
■ SAML users cannot use the APIs. API keys are used to authenticate a user and
therefore cannot be used with a SAML-authenticated user.
■ Global logout is not supported.
 Single Sign-On (SSO) 157
Configure NetBackup for single sign-on (SSO)

Configure NetBackup for single sign-on (SSO)

This section provides steps to set up trust and exchange configuration information
between the IDP and the NetBackup primary server. Before proceeding with the
steps, ensure that the following prerequisites are met in your environment:
■ An IDP is set up and deployed in your environment.
■ The IDP is configured to authenticate domain users of Active Directory (AD) or
Lightweight Directory Access Protocol (LDAP).

Table 13-1 Steps to configure NetBackup for single sign-on

Step Action Description

1. Download the IDP Download and save the IDP metadata XML file from the
metadata XML file IDP.

SAML metadata that is stored in XML files is used to share

configuration information between the IDP and the
NetBackup primary server. The IDP metadata XML file is
used to add the IDP configuration to the NetBackup primary
server.

2. Configure the SAML See “Configure the SAML KeyStore” on page 158.
keystore, and add and
See “Configure the SAML keystore and add and enable
enable the IDP
the IDP configuration” on page 161.
configuration on the
NetBackup primary
server

3. Download the service The NetBackup primary server is the SP in the NetBackup
provider (SP) environment. You can access the SP metadata XML file
metadata XML file from the NetBackup primary server by entering the following
URL in your browser:

https://primaryserver/netbackup/sso/saml2/metadata

Where primaryserver is the IP address or host name of the

NetBackup primary server.

4. Enroll the NetBackup See “Enroll the NetBackup primary server with the IDP”
primary server as a on page 163.
service provider (SP)
with the IDP
 Single Sign-On (SSO) 158
Configure NetBackup for single sign-on (SSO)

Table 13-1 Steps to configure NetBackup for single sign-on (continued)

Step Action Description

5. Add SAML users and SAML users and SAML user groups are available in RBAC
the SAML groups that only if the IDP is configured and enabled on the NetBackup
use SSO to the primary server. For steps on adding RBAC roles, see the
necessary RBAC roles following topic.

See “Add a user to a role (non-SAML)” on page 145.

After the initial setup, you can choose to enable, update, disable, or delete the IDP
configuration.
See “Manage an IDP configuration” on page 164.
After the initial setup, you can choose to update, renew, or delete the NetBackup
CA SAML keystore . You can also configure and manage the ECA SAML keystore.

Configure the SAML KeyStore

To establish a trust between the NetBackup primary server and the IDP server, you
must configure an SAML KeyStore on the NetBackup primary server. Depending
on whether you are using the NetBackup CA or an external certificate authority
(ECA), refer to either of the following sections:

Note: If you are using a combination of an ECA and NetBackup CA in your

environment, by default, the ECA is considered while establishing trust with the IDP
server.

Note: The SAML KeyStore configuration using batch files, such as

configureCerts.bat, configureCerts, configureSAMLECACert.bat,
configureSAMLECACertand their corresponding options is deprecated.

Configure a NetBackup CA KeyStore

If you are using the NetBackup CA, create the NetBackup CA KeyStore on the
NetBackup primary server.
To create a NetBackup CA KeyStore
1 Log on to the NetBackup primary server as root or administrator.
2 Run the following command:
nbidpcmd -cCert -M master_server -f

-f is optional. Use the option for the forceful update.

 Single Sign-On (SSO) 159
Configure NetBackup for single sign-on (SSO)

Once the NetBackup CA KeyStore is created, ensure that you update the NetBackup
CA KeyStore every time the NetBackup CA certificate is renewed.
To renew the NetBackup CA KeyStore
1 Log on to the NetBackup primary server as root or administrator.
2 Run the following command:
nbidpcmd -rCert -M master_server

3 Download the new SP metadata XML file from the NetBackup primary server
by entering the following URL in your browser:
https://primaryserver/netbackup/sso/saml2/metadata
Where primaryserver is the IP address or host name of the NetBackup primary
server.
4 Upload the new SP metadata XML file to the IDP.
See “Enroll the NetBackup primary server with the IDP” on page 163.
To remove the NetBackup CA KeyStore
1 Log on to the NetBackup primary server as root or administrator.
2 Run the following command
nbidpcmd -dCert -M master_server

3 Download the new SP metadata XML file from the NetBackup primary server
by entering the following URL in your browser:
https://primaryserver/netbackup/sso/saml2/metadata
Where primaryserver is the IP address or host name of the NetBackup primary
server.
4 Upload the new SP metadata XML file to the IDP.
5 See “Enroll the NetBackup primary server with the IDP” on page 163.

Configure an ECA KeyStore

If you are using an ECA, import the ECA KeyStore to the NetBackup primary server.

Note: If you are using a combination of an ECA and the NetBackup CA in your
environment, by default, the ECA is considered while establishing trust with the IDP
server. To use the NetBackup CA, you must first remove the ECA KeyStore.
 Single Sign-On (SSO) 160
Configure NetBackup for single sign-on (SSO)

To configure an ECA KeyStore

1 Log on to the primary server as root or administrator.
2 Depending on whether you want to configure SAML ECA keystore using the
configured NetBackup ECA KeyStore or you want to provide the ECA certificate
chain and private key, run the following commands:
■ Run the following command to use NetBackup ECA configured KeyStore:
nbidpcmd -cECACert -uECA existing ECA configuration [-f] [-M
primary_server]

■ Run the following command to use ECA certificate chain and private key
provided by the user:
nbidpcmd -cECACert -certPEM certificate chain file -privKeyPath
private key file [-ksPassPath Keystore Passkey File] [-f] [-M
<master_server>]

■ Certificate chain file specifies the certificate chain file path. The file must
be in PEM format and must be accessible to the primary server on which
the configuration is being performed.
■ Private key file specifies the private key file path. The file must be in PEM
format and must be accessible to the primary server on which the
configuration is being performed.
■ KeyStore passkey file specifies the KeyStore password file path and must
be accessible to the primary server on which the configuration is being
performed.
■ Primary server is the host name or IP address of primary server on which
you want to perform SAML ECA KeyStore configuration. The NetBackup
primary server where you run the command is selected by default.

To remove the ECA KeyStore

1 Log on to the primary server as root or administrator.
2 Download the new SP metadata XML file from the NetBackup primary server
by entering the following URL in your browser:
https://primaryserver/netbackup/sso/saml2/metadata
Where primaryserver is the IP address or host name of the NetBackup primary
server.
3 Upload the new SP metadata XML file to the IDP.
See “Enroll the NetBackup primary server with the IDP” on page 163.
 Single Sign-On (SSO) 161
Configure NetBackup for single sign-on (SSO)

Configure the SAML keystore and add and enable the IDP
configuration
Before proceeding with the following steps, ensure that you have downloaded the
IDP metadata XML file and saved it on the NetBackup primary server.
To configure SAML keystore and add and enable an IDP configuration
1 Log on to the primary server as root or administrator.
2 Run the following command.
For IDP and NetBackup CA SAML KeyStore configuration:
nbidpcmd -ac -n IDP configuration name -mxp IDP XML metadata file
[-t SAML2] [-e true | false] [-u IDP user field] [-g IDP user
group field] [-cCert] [-f] [-M primary server]

Alternatively for IDP and ECA SAML KeyStore configuration:

Depending on whether you want to configure SAML ECA KeyStore using the
configured NetBackup ECA KeyStore or you want to provide the ECA certificate
chain and private key, run the following commands:
■ Use NetBackup ECA configured keystore:
nbidpcmd -ac -n IDP configuration name -mxp IDP XML metadata
file[-t SAML2] [-e true | false] [-u IDP user field] [-g IDP
user group field] -cECACert -uECA existing ECA configuration
[-f] [-M Primary Server]

■ Use ECA certificate chain and private key provided by the user:
nbidpcmd -ac -n IDP configuration name -mxp IDP XML metadata
file[-t SAML2] [-e true | false] [-u IDP user field] [-g IDP
user group field] -cECACert -certPEM certificate chain file
-privKeyPath private key file [-ksPassPath KeyStore passkey
file] [-f] [-M primary server]

Replace the variables as follows:

■ IDP configuration name is a unique name provided to the IDP
configuration.
■ IDP XML metadata file is the path to the XML metadata file, which
contains the configuration details of the IDP in Base64URL-encoded format.
■ -e true | false enables or disables the IDP configuration. An IDP
configuration must be added and enabled, otherwise users cannot sign in
with the single sign-on (SSO) option. Even though you can add multiple
IDP configurations on a NetBackup primary server, only one IDP
configuration can be enabled at a time.
 Single Sign-On (SSO) 162
Configure NetBackup for single sign-on (SSO)

■ The SAML attribute names IDP user field and IDP user group field are used
to map user identity information and group information in the Identity
Provider. These fields are optional, and if not provided, they are mapped
to the userPrincipalName and memberOf SAML attributes by default.
For instance, if you have customized the attribute mapping in the Identity
Provider to use attributes like email and groups, when configuring the SAML
configuration, you need to provide the -u option for email and -g option for
groups.
If you have not provided values for these attributes during configuration,
ensure that the Identity Provider returns the values against the
userPrincipalName and memberOf attributes.
For Example:
If SAML response is as follows:
saml:AttributeStatement <saml:Attribute Name="userPrincipalName">
<saml:AttributeValue>username@domainname</saml:AttributeValue>
</saml:Attribute> <saml:Attribute Name="memberOf">
<saml:AttributeValue>CN=group name,
DC=domainname</saml:AttributeValue> </saml:Attribute>
</saml:AttributeStatement>
It implies that you need to map the -u and -g options against the fields
"saml:Attribute Name".

Note: Ensure that the SAML attribute values are returned in the format of
username@domainname for the field mapped to the -u option that defaults
to userPrincipalName. If you include the domain name when returning
group information, it should follow the format "(CN=group name,
DC=domainname)" or "(domainname\groupname).
However, if you return the group name as plain text without domain
information, it should be mapped without the domain name in the SAML
RBAC group.

■ primary Server is the host name or IP address of primary server to which

you want to add or modify the IDP configuration. The NetBackup primary
server where you run the command is selected by default.
■ Certificate Chain File is the certificate chain file path. The file must
be in PEM format and must be accessible to the primary server on which
the configuration is being performed.
Private Key File is the private key file path. The file must be in PEM
format and must be accessible to the primary server on which the
configuration is being performed.
 Single Sign-On (SSO) 163
Configure NetBackup for single sign-on (SSO)

KeyStore Passkey File is the KeyStore passkey file path and must be
accessible to the primary server on which the configuration is being
performed.
If your Identity Provider is already configured with SAML attribute names as
userPrincipalName and memberOf, you do not have to provide the -u and -g
option while configuration. If you are using any other custom attributes name,
provide those names against -u and -g as follows:
For example:
If the Identity Provider SAML attribute names are mapped as "email"
and"groups", use the following command for configuration:
nbidpcmd -ac -n veritas_configuration -mxp file.xml -t SAML2 -e
true -u email -g groups -cCert -Mprimary_server.abc.com

-u and -g are optional and it depends on the Identity Provider configuration.

Ensure that you specify the same parameter values that you have provided at
the time of configuration.

Enroll the NetBackup primary server with the IDP

The NetBackup primary server must be enrolled with the IDP as a service provider
(SP). For step-by-step procedures that are specific to a particular IDP, see the
following table:

Table 13-2 IDP-specific steps for enrolling the NetBackup primary server

IDP name Link to steps

ADFS https://www.veritas.com/docs/100047744

Okta https://www.veritas.com/docs/100047745

PingFederate https://www.veritas.com/docs/100047746

Azure https://www.veritas.com/docs/100047748

Shibboleth https://www.veritas.com/docs/00047747

Enrolling an SP with an IDP typically involves the following operations:

Uploading the SP metadata XML file to the IDP

The SP metadata XML file contains the SP certificate, the entity ID, the Assertion
Consumer Service URL (ACS URL), and a log out URL (SingleLogoutService). The
SP metadata XML file is required by the IDP to establish trust, and exchange
authentication and authorization information with the SP.
 Single Sign-On (SSO) 164
Configure NetBackup for single sign-on (SSO)

Mapping the SAML attributes to their AD or LDAP attributes

Attribute mappings are used to map SAML attributes in the SSO with its
corresponding attributes in the AD or LDAP directory. The SAML attribute mappings
are used for generating SAML responses, which are sent to the NetBackup primary
server. Ensure that you define SAML attributes that map to the userPrincipalName
and the memberOf attributes in the AD or LDAP directory. The SAML attributes must
adhere to the following formats:

Table 13-3
Corresponding AD SAML attribute format
or LDAP attribute

userPrincipalName username@domainname

memberOf (CN=group name, DC=domainname)

Note: While adding the IDP configuration to the NetBackup primary server, the
values entered for the user (-u) and user group (-g) options must match the SAML
attribute names that are mapped to the userPrincipalName and the memberOf
attributes in the AD or LDAP.
See “Configure the SAML keystore and add and enable the IDP configuration”
on page 161.

Manage an IDP configuration

You can manage the identity provider (IDP) configurations on the NetBackup primary
server by using the enable (-e true), update (-uc), disable (-e false). and delete
(-dc) options of the nbidpcmd command.

Enable an IDP configuration

By default, an IDP configuration is not enabled in the product environment. If you
did not enable the IDP when you added it, you can use the -uc -e true options
to update and enable the IDP configuration.
To enable an IDP configuration
1 Log on to the primary server as root or administrator.
2 Run the following command:
nbidpcmd -uc -n IDP configuration name -e true

Where IDP configuration name is a unique name provided to the IDP

configuration.
 Single Sign-On (SSO) 165
Configure NetBackup for single sign-on (SSO)

Note: Even though you can configure multiple IDPs on a NetBackup primary server,
only one IDP can be enabled at a time.

Update an IDP configuration

You can update the XML metadata file associated with an IDP configuration.
To update the IDP XML metadata file in an IDP configuration
1 Log on to the primary server as root or administrator.
2 Run the following command:
nbidpcmd -uc -n IDP configuration name -mxp IDP XML metadata file

Replace the variables as described below:

■ IDP configuration name is a unique name provided to the IDP
configuration.
■ IDP XML metadata file is the path to the XML metadata file, which
contains the configuration details of the IDP in Base64URL-encoded format.

If you want to update the IDP user or IDP user group values in an IDP configuration,
you must first delete the configuration. The single sign-on (SSO) option is not
available for users until you re-add the configuration with the updated IDP user or
IDP user group values.
To update IDP user or IDP user group in an IDP configuration
1 Log on to the primary server as root or administrator.
2 Delete the IDP configuration.
nbidpcmd -dc -n IDP configuration name

Where IDP configuration name is a unique name provided to the IDP

configuration.
3 To add and enable the configuration again, run the following command:
nbidpcmd -ac -n IDP configuration name -mxp IDP XML metadata file
[-t SAML2] [-e true | false] [-u IDP user] [-g IDP user group
field] [-M Master Server

Replace the variables as described below:

■ IDP configuration name is a unique name provided to the IDP
configuration.
■ IDP XML metadata file is the path to the XML metadata file, which
contains the configuration details of the IDP in Base64URL-encoded format.
 Single Sign-On (SSO) 166
Configure NetBackup for single sign-on (SSO)

■ -e true | false enables or disables the IDP configuration. An IDP must

be available and enabled otherwise users cannot sign in with the single
sign-on (SSO) option. Even though you can add multiple IDP configurations
on a NetBackup primary server, only one IDP configuration can be enabled
at a time.
■ Master Server is the host name or IP address of the primary server to
which you want to add or modify the IDP configuration. The NetBackup
primary server where you run the command is selected by default.

Disable an IDP configuration

If an IDP configuration is disabled in the product environment, the single sign-on
(SSO) option of that IDP is not available for users when they sign in.
To disable an IDP configuration
1 Log on to the primary server as root or administrator.
2 Run the following command:
nbidpcmd -uc -n IDP configuration name -e false

Where IDP configuration name is a unique name provided to the IDP

configuration.

Delete an IDP configuration

If an IDP configuration is deleted, the single sign-on (SSO) option of that IDP is not
available for users when they sign in.
To delete an IDP configuration
1 Log on to the primary server as root or administrator.
2 Run the following command:
nbidpcmd -dc -n IDP configuration name

Where IDP configuration name is a unique name provided to the IDP

configuration.
 Chapter 14
NetBackup Access Control
Security (NBAC)
This chapter includes the following topics:

■ About using NetBackup Access Control (NBAC)

■ NetBackup access management administration

■ About NetBackup Access Control (NBAC) configuration

■ Configuring NetBackup Access Control (NBAC)

■ Configuring Access Control host properties for the primary and media server

■ Access Control host properties dialog for the client

■ Using NetBackup Access Control (NBAC) with Auto Image Replication

■ Troubleshooting Access Management

■ Using the Access Management utility

■ About determining who can access NetBackup

■ Viewing specific user permissions for NetBackup user groups

■ Upgrading NetBackup Access Control (NBAC)

■ Configuration requirements if using Change Server with NBAC

 NetBackup Access Control Security (NBAC) 168
About using NetBackup Access Control (NBAC)

About using NetBackup Access Control (NBAC)

NetBackup Access Control (NBAC) is the legacy access control method for
NetBackup and is no longer being updated. It is recommended that you use
role-based access control (RBAC) with the web UI.
The NetBackup Access Control (NBAC) is the role-based access control that is
used for primary servers, media servers, and clients. NBAC can be used in situations
where you want to:
■ Use a set of permissions for different levels of administrators for an application.
A backup application can have operators (perhaps load and unload tapes). It
can have local administrators (manage the application within one facility). It can
also have overall administrators who may have responsibility for multiple sites
and determine backup policy. Note that this feature is very useful in preventing
user errors. If junior level administrators are restricted from certain operations,
they are prevented from making inadvertent mistakes.
■ Separate administrators so that root permission to the system is not required
to administer the system. You can then separate the administrators for the
systems themselves from the ones who administer the applications.
The following table lists the NBAC considerations.

Table 14-1 NBAC considerations

Consideration or issue Description or resolution

Prerequisites before you configure NBAC This prerequisites list can help you before you start to
configure NBAC. These items ensure an easier installation.
The following list contains the information for this installation:

■ User name or password for primary server (root or

administrator permission).
■ Name of primary server
■ Name of all media servers that are connected to the
primary server
■ Name of all clients to be backed up
■ Host name or IP address
Note: Host names should be resolvable to a valid IP
address.
■ Use the ping or traceroute command as one of the
tools to ensure that you can see the hosts. Using these
commands ensures that you have not configured a firewall
or other obstruction to block access.
 NetBackup Access Control Security (NBAC) 169
About using NetBackup Access Control (NBAC)

Table 14-1 NBAC considerations (continued)

Consideration or issue Description or resolution

Determine if the primary server, media server, or client Determine if the primary server, media server, or client is to
is to be upgraded be upgraded as follows:

■ Some features are provided by upgrading primary servers,

some by media servers, and some from upgrading clients.
■ NetBackup works with a higher revision primary server
and lower revision clients and media servers.
■ Feature content determines what is deployed.
■ Deployment can be step wise if required.

Information about roles Determine the roles in the configuration as follows:

■ Who administers the hosts (root permission on primary

server equals head administrator).
■ Determine roles to start and then add on the roles as
required.

NBAC license requirements No license is required to turn on the access controls.

NBAC and KMS permissions Typically when using NBAC and when the Setupmaster
command is run, the NetBackup related group permissions
(for example, NBU_Admin and KMS_Admin) are created.
The default root and administrator users are also added to
those groups. In some cases the root and administrator users
are not added to the KMS group when NetBackup is
upgraded. The solution is to grant the root and the
administrator users NBU_Admin and KMS_Admin permissions
manually.

Windows Server Failover Clustering (WSFC) error
messages while unhooking shared security services
from PBX
In WSFC environments running the bpnbaz
-UnhookSharedSecSvcsWithPBX <virtualhostname>
command can trigger error messages. However the shared
Authentication and Authorization services are successfully
unhooked from PBX and the errors can be ignored.

Possible cluster node errors In a clustered environment when the command bpnbaz
-setupmaster is run in the context of local Administrator
the AUTHENTICATION_DOMAIN entries may not contain the
other cluster node entries. In such case these entries must
be manually added from Host Properties into the bp.conf
file.
 NetBackup Access Control Security (NBAC) 170
About using NetBackup Access Control (NBAC)

Table 14-1 NBAC considerations (continued)

Consideration or issue Description or resolution

Catalog recovery fails when NBAC is set to REQUIRED NetBackup does not support catalog recovery when NBAC
mode is set to the REQUIRED mode.

To perform catalog recovery, you must first ensure that the

NBAC setting on the primary server and all media servers is
configured to PROHIBITED or AUTOMATIC.

Policy validation fails in NBAC mode (USE_VXSS = Back up, restore, and verification of policy for snapshot can
REQUIRED) fail in NBAC enabled mode if one of the following has been
done.

■ Authenticated Principle is removed from the NBAC group:

NBU_Users group
■ Back up and restore permissions of NBU_User group
have been removed

The bpnbaz -setupmaster command fails with an error If a user other than an Administrator tries to modify NetBackup
"Unable to contact Authorization Service" security, the bpnbaz –setupmaster fails.

Only a user ‘Administrator’ who is a part of the Administrator’s

group has permissions to modify the NetBackup security and
enable NBAC.

Failure of authentication broker configuration during Invalid domain name configuration of the system causes
installation. failure during configuration of authentication broker.

To correct this problem, use the bpnbaz -configureauth

command to configure the authentication broker.

For information about the bpnbaz command, see the

NetBackup Commands Reference Guide:

NetBackup GUI errors may occur if NBAC is enabled When switching the NetBackup server from Enhanced
on a system that previously had Enhanced Auditing Auditing to NBAC, make sure that all directories that are
enabled. named after users are deleted in the following directory:

Windows: install_path\NetBackup\logs\user_ops

UNIX, Linux: /usr/openv/netbackup/logs/user_ops

The following topic contains more details:

See “Troubleshooting NBAC issues” on page 187.

 NetBackup Access Control Security (NBAC) 171
NetBackup access management administration

Table 14-1 NBAC considerations (continued)

Consideration or issue Description or resolution

NBAC requires the Reverse Hostname Lookup option For NBAC to function properly and to allow communication
to be set to Allowed with NBAC-enabled systems, do the following on the primary
server, media servers and all clients:

■ In the NetBackup Administration Console, go to Host

Properties > Network Settings.
In the NetBackup web UI, go to Host Properties > Edit
client > Network settings.
■ Ensure that the Reverse Hostname Lookup option is
set to Allowed.

NetBackup access management administration

The access to NetBackup can be controlled by defining the user groups and granting
explicit permissions to these groups. You can configure the user groups and assign
permissions. Select Access Management in the NetBackup Administration
Console.

Note: In order for the NetBackup Administration Console to function, the user
must have permission to log on to the system remotely.

Note: If some media servers are not configured with access control,
non-root/non-administrator users cannot manage those servers.

About NetBackup Access Control (NBAC)

configuration
Note: NBAC is already installed as part of the NetBackup installation. Only the
NBAC configuration is required for this release.

The NBAC configuration instructions are for an NBAC configuration in non-HA

environments. NetBackup supports a wide variety of HA environments across Linux,
Solaris, and Windows environments. The NBAC configuration is as follows:
■ If required, build a cluster for the primary server. HA information is described in
the NetBackup in Highly Available Environments Administrator's Guide for
 NetBackup Access Control Security (NBAC) 172
Configuring NetBackup Access Control (NBAC)

replication and disaster recovery. Clustering information is described in the

NetBackup Clustered Primary Server Administrator's Guide.
■ Configure NBAC for operation by using the instructions provided.
See “Configuring NetBackup Access Control (NBAC)” on page 172.

Configuring NetBackup Access Control (NBAC)

Note: The manual authentication and authorization client installs need to be done
for older media servers and client hosts. NetBackup has the authentication clients
and authorization clients that are embedded in them. No authentication servers and
authorization servers are needed on media servers and clients.

For information on the NBAC configuration sequence, see the following procedure.
Configuring NetBackup Access Control (NBAC)
1 Configure the primary server for NetBackup Access Control (NBAC).
See “Configuring NetBackup Access Control (NBAC) on standalone primary
servers” on page 173.

Note: The primary server can be installed in a standalone mode or in a highly

available configuration on a cluster.

2 Configure media servers for NBAC.

See “Configuring NetBackup Access Control (NBAC) on media servers”
on page 176.
3 Configure clients for NBAC.
See “Installing and configuring access control on clients” on page 178.

NBAC configuration overview

This topic contains recommendations for configuring NetBackup Access Control
(NBAC) using the bpnbaz command. This command is available under the
install_path/bin/admincmd directory.

The bpnbaz utility is required to configure NBAC on the primary servers, media
servers, and clients. This tool also configures NBAC for all the back revision media's
and client's hosts. Note that the services should be restarted on each of the servers
and clients after configuration. For an example of how to use these commands with
specific details on recommended usage, see the following topic:
 NetBackup Access Control Security (NBAC) 173
Configuring NetBackup Access Control (NBAC)

See “NBAC configure commands summary” on page 178.

Since the configuration is done from the primary server, ensure that operational
communications links exist between the primary server, the media servers, and the
clients. Review the prerequisites to ensure that you have noted all the associated
media servers, clients, and the addresses to communicate with them.
See “About using NetBackup Access Control (NBAC)” on page 168.
A set of OS commands and one NetBackup command is useful for the first level of
troubleshooting. The OS commands are ping, traceroute, and telnet. The
NetBackup command is bpclntcmd. Use these commands to establish that the
hosts can communicate with each other. See the following topic for troubleshooting
information:
See “Configuration and troubleshooting tips for NetBackup Authentication and
Authorization” on page 189.

Configuring NetBackup Access Control (NBAC) on standalone

primary servers
The following procedures describe how to configure NetBackup Access Control
(NBAC) on the primary servers that are installed on a single computer. A primary
server requires an authentication server and authorization server.
The following table describes the host names for the NBAC configuration examples.

Table 14-2 Example host names

Host name Windows UNIX

Primary servers win_primary unix_primary

Media servers win_media unix_media

Clients win_client unix_client

The following procedure describes how to configure NBAC on standalone primary

servers.

Note: Use -setupmaster and set USE_VXSS = AUTOMATIC on the primary server.
If USE_VXSS = REQUIRED is set on the primary server and an attempt is made to
configure NBAC on media server, the following error can occur: NetBackup primary
server is configured in REQUIRED Mode. Please change the mode to AUTOMATIC to
complete configuration of the media server.
 NetBackup Access Control Security (NBAC) 174
Configuring NetBackup Access Control (NBAC)

Configuring NBAC on standalone primary servers

1 Complete all of the NetBackup primary server installations or upgrades.
2 Run the bpnbaz -setupmaster command.
Enter y. The system begins to gather configuration information. Then, the
system begins to set up the authorization information.
3 Restart the NetBackup services on this computer after the bpnbaz
-setupmaster command completes successfully.

4 Proceed to set up the media servers. See “Configuring NetBackup Access

Control (NBAC) on media servers” on page 176.

Installing the NetBackup primary server highly available on a cluster

You can use the following procedure to install the NetBackup primary server highly
available on a cluster.
Installing NetBackup with clustering
1 Configure the cluster system on which the NetBackup primary server is to be
installed.
2 Install the NetBackup primary server on all nodes of the cluster.
3 Cluster the NetBackup primary server.
HA information for replication and disaster recovery is described in the
NetBackup in Highly Available Environments Administrator's Guide
Clustering information is described in the NetBackup Clustered Primary Server
Administrator's Guide.
4 Do a test backup to ensure that it works within the NetBackup domain without
having NBAC enabled.
 NetBackup Access Control Security (NBAC) 175
Configuring NetBackup Access Control (NBAC)

Configuring NetBackup Access Control (NBAC) on a clustered

primary server

Note: In a Windows clustered environment, after setting up primary server, the

AUTHENTICATION_DOMAIN entry in the passive nodes can be the same as the active
node name. This is not acceptable. After a failover on a passive node, when MFC
UI is launched (using <[local machine name] > \[Administrator user]), an
authentication-related pop-up error message is displayed. The workaround for this
issue is to add the local node name as authentication domain into the
AUTHENTICATION_DOMAIN on passive nodes after setting up primary server (before
failover). Before updating the value of AUTHENTICATION_DOMAIN, get the current
value using the bpgetconfig command. Then add the local node name as
authentication domain in the existing domain list using the bpsetconfig command.
To exit and save from the bpsetconfig command prompt press Ctrl + Z and then
press theEnter key.

Note: Reverting the NBAC mode from REQUIRED to PROHIBITED on the active node
of a cluster, can lead the cluster into a faulted state. The workaround for this issue
is to do the following. On an active node run the bpclusterutil -disableSvc
nbazd command followed by the bpclusterutil -disableSvc nbatd command.
Change the bp.conf USE_VXSS=AUTOMATIC or REQUIRED value to PROHIBITED using
the bpsetconfig command. Run the bpclusterutil -enableSvc nbazd command
followed by the bpclusterutil -enableSvc nbatd command on the active node
while turning NBAC to REQUIRED mode to monitor the security services.

You can use the following procedure to configure NetBackup Access Control (NBAC)
on a clustered primary server.
Configuring NetBackup Access Control (NBAC) on a clustered primary server
1 Log on to the primary cluster node.
2 If you use Windows, open a command console.
3 For UNIX, change the directory to /usr/openv/netbackup/bin/admincmd.
For Windows, change the directory to
install_path\NetBackup\bin\admincmd.

4 Run bpnbaz -setupmaster on the active node.

5 Log on to the administration console on the primary server.
6 Restart the NetBackup services to ensure that the NBAC settings take place.
 NetBackup Access Control Security (NBAC) 176
Configuring NetBackup Access Control (NBAC)

Configuring NetBackup Access Control (NBAC) on media servers

The following procedure describes how to configure NetBackup Access Control
(NBAC) on media servers in a NetBackup configuration. These steps are needed
for the media servers that are not co-located with the primary server.

Note: Use -setupmedia set USE_VXSS = AUTOMATIC on the primary server. If

USE_VXSS = REQUIRED is set on the primary server and an attempt is made to
configure NBAC on media server, the following error can occur: NetBackup primary
server is configured in REQUIRED Mode. Please change the mode to AUTOMATIC to
complete configuration of the media server.
 NetBackup Access Control Security (NBAC) 177
Configuring NetBackup Access Control (NBAC)

Configuring access control on media servers

1 Log on to the primary server computer.
2 Run the bpnbat -login command.
Make sure that you run the bpnbat -login command before the bpnbaz
-setupmedia command to avoid a command failure.

The bpnbaz -setupmedia command has a number of options.

This command does not work without an extension for either the individual
host, or the -all option.
See “NBAC configure commands summary” on page 178.
It is recommended to do a dry run of the configuration first, with the -dryrun
option. It can be used with both -all and a single-server configuration. By
default, the discovered host list is written to the file SetupMedia.nbac. You can
also provide your own output file name using the -out <output file> option.
If you use your own output file, then it should be passed for the subsequent
runs with the -file option. The dry-run command would look something like
the following:
bpnbaz -SetupMedia -all -dryrun [-out <outfile>] or

bpnbaz -SetupMedia <media.server.com> -dryrun [-out <outfile>].

If all of the media servers that you want to update are in the log file, use the
-dryrun option. You can proceed with the -all command to do them all at
once. For example, you can use:
bpnbaz -SetupMedia -all or

bpnbaz -SetupMedia -file <progress file>.

Note that the -all option updates all of the media servers seen each time it
runs. If you want to run it for a selected set of media servers, can you do it.
Keep only the media server host names that you wanted to configure in a file,
and pass that file using the -file option. This input file would either be
SetupMedia.nbac or the custom file name you provided with the -out option
in the previous dry run. For example, you may have used: - bpnbaz
-SetupMedia -file SetupMedia.nbac.

To configure a single media server, specify the media server host name as the
option. For example, use:
bpnbaz -SetupMedia <media.server.com>.
 NetBackup Access Control Security (NBAC) 178
Configuring NetBackup Access Control (NBAC)

3 Restart the NetBackup services on the target media servers after the command
completes successfully.
It sets up NBAC on the target hosts. If the configuration of some target hosts
did not complete, you can check the output file.
Proceed to the access control configuration for the client hosts after this step.
See “Installing and configuring access control on clients” on page 178.

Installing and configuring access control on clients

The following steps describe installing and configuring NetBackup Access Control
on clients in a NetBackup configuration. A client requires authentication client
software.
Use the following procedure to install and configure access control on clients.
1 Make sure that no backups are currently running.
2 To set up the client, run the following command on the master server:

bpnbaz -setupClient

About including authentication and authorization databases in the

NetBackup hot catalog backups
If you have a NetBackup environment that uses the online hot catalog backup
method, no additional configuration is needed to include the NetBackup
Authentication and Authorization databases in the catalog backup.

NBAC configure commands summary

The following table summarizes the commands that are used in the NBAC quick
configure sequences.
The following conventions are frequently used in the synopsis of command usage.
Brackets [ ] indicate that the enclosed command-line component is optional.
Vertical bar or pipe (|) -indicate separates optional arguments to choose from. For
example, when a command has the format: command arg1|arg2 you can select
either the arg1 or arg2 variable.
 NetBackup Access Control Security (NBAC) 179
Configuring NetBackup Access Control (NBAC)

Table 14-3 NBAC configure commands summary

Command Description

bpnbaz -GetConfiguredHosts The bpnbaz -GetConfiguredHosts command is used to obtain NBAC

[target.server.com [-out file] status on the host. Either the -all or target.server.com options are
| -all [-outfile] | -file required for this command.
progress.file] The syntax is:

■ target.server.com is the name of a single target host. If for example

you want to find out NBAC status on single host, then use this option.
■ -out option is used to specify a custom output file name. By default,
the output is written to the SetupMedia.nbac file. This option can be
used with -all and the single host configuration options.
■ -all is an option that goes through all the policies and collects all
unique host names. These host names are found in the policies. It also
collects all configured media server(s) and captures the NBAC status
of each host in ConfiguredHosts.nbac file.
■ -file progress.file is an option used to specify host name(s) to
be read from progress_file. This option expects one host name
per line in the progress_file.CLI updates the progress_file with the
host's NBAC status. It appends # after hostname followed by the
NBAC status.
■ When used with target.server.com or -all option, status of the
host(s) is captured in the ConfiguredHosts.nbac file.
 NetBackup Access Control Security (NBAC) 180
Configuring NetBackup Access Control (NBAC)

Table 14-3 NBAC configure commands summary (continued)

Command Description

bpnbaz -SetupMaster [-fsa The bpnbaz -SetupMaster command is run to set up the primary server
[<domain type>:<domain for using NBAC. The authorization server and authentication broker are
name>:]<user name>] expected to be installed and running on the primary server.

Use the bpnbaz -SetupMaster -fsa command with the First Security
Administrator option to provision a particular OS user as NBU Administrator.
The syntax is:

■ -fsa option is used for provisioning a specific OS user as NBU

Administrator. When using this option you are asked for the password
for your current OS user identity.
■ domain type is the type of network domain you are using. For example
the bpnbaz -SetupMaster -fsa nt:ENTERPRISE:jdoe
command provisions the Windows enterprise domain user jdoe as
NBU Administer.
■ domain name is the name of the particular domain you are using. For
example the bpnbaz -SetupMaster -fsa jdoecommand takes
the current logged on user domain type (Windows/UNIXPWD), domain
name, and provisions jdoe user in that domain.
■ user name is the particular OS user name you are designating as an
NBU Administrator.
Note: The user is verified for the existence in the specified domain.
Existing behavior of provisioning the logged-on Administrator or root
as NBU Admin is preserved.
 NetBackup Access Control Security (NBAC) 181
Configuring NetBackup Access Control (NBAC)

Table 14-3 NBAC configure commands summary (continued)

Command Description

bpnbaz -SetupMedia [ The bpnbaz -SetupMedia command is run by an NBU_Administrator

media.server.com [-out file] | group member on the primary server. It should not be run until a bpnbaz
-all [-out file] | -file -SetupMaster has been completed successfully. It expects connectivity
progress.file ] [-dryrun] between the primary server and target media server systems. Either the
[-disable] -all or target.server.com options are required for this command.
The syntax is:

■ media.server.com is the name of a single target host. Use this option

to add a single additional host for use with NBAC.
■ -out option is used to specify a custom output file name. By default,
the output is written to the SetupMedia.nbac file. This option can be
used with -all and the single host configuration options.
■ -all goes through all the storage units and collect all unique host
names that are found in the storage unites. These can be tried in a
sorted order. The results are written to the progress file.
■ -file progress_file option is used to specify an input file with a
specific set of media server host names. After the run, status for each
media server is updated in the progress file. Successfully completed
ones are commented out for the subsequent runs. This command can
be repeated until all the media servers in the input file are successfully
configured.
■ -dryrun can generate the list of media server names and write them
to the log. This option can work with media.server.com but it is intended
to be used with the -all option.
■ -disable option can disable NBAC (USE_VXSS = PROHIBITED )
on targeted hosts.

Table 14-3
Command
bpnbaz -SetupClient [
client.server.com [-out file]
| -all [-images] [-out file] |
-file progress.file ] [-dryrun]
[-disable]
NetBackup Access Control Security (NBAC) 182
Configuring NetBackup Access Control (NBAC)
NBAC configure commands summary (continued)
Description
The bpnbaz -SetupClient command is used for setting up NBAC on
the clients. It should not be run until thebpnbaz -SetupMaster command
has been completed successfully. The bpnbaz -SetupClient needs
to run from the primary server. It expects connectivity between the primary
server and target client systems. Either the -all or target.server.com
options are required for this command.
The syntax is:
■ client.server.com is the name of a single target host. If for example you
wished to add a single additional host for use with NBAC, then this
name is the option for you.
■ -out is an option that is used to specify a custom output file name. By
default, the output is written to the SetupClient.nbac file. This option
can be used with -all and the single host configuration options. The
-out option is used to specify a custom output file name. By default,
the output is written to the SetupClient.nbac file. This option can
be used with -all and the single host configuration options.
■ -all is an option that goes through all the policies and collects all
unique host names that are found within the policies. The policies are
tried in a sorted order. The results are written to the progress file.
■ -images is an option that searches all images for unique host names.
This option cannot be recommended for customers with large catalogs
unless they add the -dryrun option. This option yields all unique clients
that are contained in the image catalog. Older catalogs can contain a
larger number of decommissioned hosts, hosts that are moved to new
primarys, or are renamed. Run time of the command can increase as
attempts are made to contact unreachable hosts.
■ -dryrun is an option that generates the list of client names and writes
them to the log. It does not result in actual configuration of the target
systems.
■ -disable is an option that disables NBAC (USE_VXSS =
PROHIBITED) on targeted hosts.
■ -file progress.file is an option used to specify a different file
name for the progress log. The CLI reads the host names from the
progress_file. The status is appended next to each host name with a
[# separated value]. Successfully completed ones are commented out.
This command can be run multiple times until all the clients in the
progress_file are successfully configured.
 NetBackup Access Control Security (NBAC) 183
Configuring NetBackup Access Control (NBAC)

Unifying NetBackup Management infrastructures with the setuptrust

command
The Veritas products management servers need to communicate so that an
administrator for one product has permission to administer another product. This
communication ensures that application processes in one management server work
with another server. One way of ensuring that communication is to use a common
independent security server called a root broker. If all of the management servers
point to a common root broker, the permission for each server is based on a common
certificate. Another way of ensuring communication is to use the setuptrust
command. This command is used to establish trust between the two management
servers. The command is issued from the management server that needs to trust
another management server. The security information is transferred from that host
to the one requesting the trust establishment. A one-way trust is established. Setting
up two way (mutual) trust is performed by issuing the setuptrust command from
each of the two servers involved.
Details on the setuptrust command are described in the NetBackup Commands
Reference Guide. See “Using the setuptrust command” on page 183.

Using the setuptrust command

You can use the setuptrust command to contact the broker to be trusted, obtain
its certificate or details over the wire, and add to the trust repository if the furnished
details are trustworthy. The security administrator can configure one of the following
levels of security for distributing root certificates:
■ High security (2): If a previously untrusted root is acquired from the peer (that
is, if no certificate with the same signature exists in our trust store), the user is
prompted to verify the hash.
■ Medium security (1): The first authentication broker is trusted without prompting.
Any attempts to trust subsequent authentication brokers causes the user to be
prompted for a hash verification before the certificate is added to the trusted
store.
■ Low security (0): The authentication broker certificate is always trusted without
any prompting. The vssat CLI is located in the authentication service 'bin'
directory.
The setuptrust command uses the following syntax:
vssat setuptrust --broker <host[:port]> --securitylevel high [-F]

The setuptrust command uses the following arguments:

 NetBackup Access Control Security (NBAC) 184
Configuring Access Control host properties for the primary and media server

The broker, host, and port arguments are first. The host and port of the broker
to be trusted. The registered port for Authentication is 2821. If the broker has been
configured with another port number, consult your security administrator for
information.
Use the -F (--enable_fips) option to run the vssat command in the FIPS mode.
By default, the FIPS mode is disabled.

Configuring Access Control host properties for

the primary and media server
To configure the access control host properties for the primary server or media
server, expand NetBackup Management > Host Properties > Master Servers
or Media Servers > server name > Access Control.
Set NetBackup Product Authentication and Authorization to either Required
or Automatic. A setting of Automatic takes into account that there may be hosts
within the configuration that are not yet configured for NBAC. The server attempts
to negotiate the most secure connection possible when it communicates to other
NetBackup systems. The Automatic setting should be used until all of the clients
and servers are configured for NBAC.
When Automatic is selected, you can specify computers or the domains required
to use NetBackup Product Authentication and Authorization. Otherwise, you
can specify the computers that are prohibited from using the NetBackup Product
Authentication and Authorization.

Authentication Domain tab

The Authentication Domain tab is used to define the following:
■ Which authentication servers support which authentication mechanisms
■ What each domain supports.
Add the domain that you want users to authenticate against.
The following examples contain six authentication domains.

Note: When a UNIX authentication domain is used, enter the fully qualified domain
name of the host that performed the authentication.

Note: The authentication types that are supported are NIS, NISPLUS, WINDOWS, vx,
and unixpwd (unixpwd is default).
 NetBackup Access Control Security (NBAC) 185
Access Control host properties dialog for the client

Authorization Service tab

Note: No changes are allowed from this tab. It is read only.

Within the Access Control host properties, on the Authorization Service tab, you
can see the host name. All of this information is grayed out because it is read only.
You cannot make any changes to this screen.

Network Attributes tab

View the Access Control host properties on the Network Attributes tab. Add the
primary server to the Networks list. Then, set the NetBackup Product
Authentication and Authorization to Required.
Each new NetBackup client or media server that is added to the NetBackup primary
needs to have the Access Control properties configured. These properties are
configured on both itself and the primary. This configuration can be done through
the host properties on the primary server.

Access Control host properties dialog for the

client
Select the NetBackup client in the host properties. (On the primary server, in the
NetBackup Administration Console, expand NetBackup Management > Host
Properties > Clients > Selected clients > Access Control.)
Set the NetBackup Product Authentication and Authorization to Required or
Automatic. In this example, Automatic is selected.

Authentication Domain tab for the client

Select the NetBackup client in the host properties. It can be used to control which
systems require or prohibit the use of NetBackup Product Authentication and
Authorization on a per-machine basis. Note that both systems must have matching
settings to communicate.
Within the Access Control host properties, on the Authentication Domain tab,
add the list of domains a client can use to authenticate. You can click Find to get
a list of available authentication domains. Then, click Add to create a list of selected
authentication domains.
 NetBackup Access Control Security (NBAC) 186
Using NetBackup Access Control (NBAC) with Auto Image Replication

Network Attributes tab for the client

Within the Access Control host properties, on the Network Attributes tab, add
the list of networks that the client can use to authenticate.

Using NetBackup Access Control (NBAC) with

Auto Image Replication
If Auto Image Replication is configured for two domains and NetBackup Access
Control (NBAC) is used, it must be used in both the source domain and the target
domain. The configuration for the primary servers must be either USE_VXSS =
REQUIRED or USE_VXSS = AUTOMATIC. (However, the setting may be REQUIRED in
one domain and AUTOMATIC in the other.
Auto Image Replication is not supported between primary server domains where
one primary server is configured to use NBAC and NBAC is disabled on the other
primary server. That is, the configuration for one primary server is USE_VXSS =
AUTOMATIC or USE_VXSS = REQUIRED and on the other primary server it is USE_VXSS
= PROHIBITED (disabled).

The following configuration is necessary if NBAC is used in the primary server

domains:
■ In the source primary server domain:
The administrator should make sure that the target primary server has the
permissions set correctly before configuration for the operation begins.
■ In the target primary server domain:
The security administrator in the target domain must give the administrator in
the source domain the correct set of permissions. The source domain
administrator needs Browse, Read, and Configure permissions on the following
objects: HostProperties, DiskPool, and DevHost.
The source domain administrator can be added as a member to any existing
group which has all three permissions.
Consider the following example:
Two NBAC domains each contain a primary server:
■ Replication source NBAC domain: DomainA contains Master-A
■ Replication target NBAC domain: DomainB contains Master-B
NBAC is enabled in both the domains. (If NBAC is used in one domain, it must be
used in the other domain.)
 NetBackup Access Control Security (NBAC) 187
Troubleshooting Access Management

For UserA to create an Auto Image Replication SLP with Master-B as the target,
UserA needs permission on Master-B to do so.
A security administrator (UserB) in DomainB must create a user group
(NB_InterDomainUsers, for example) and give Browse, Read, and Configure
permissions in the following areas:
■ HostProperties
■ DiskPool
■ DevHost
The security administrator in DomainB (UserB) then assigns NB_InterDomainUsers
to DomainA\UserA using the bpnbaz -AddUser command.

Troubleshooting Access Management

To troubleshoot access management and to determine if certain processes and
functionality are operating correctly:
See “Configuration and troubleshooting tips for NetBackup Authentication and
Authorization” on page 189.
These verification points include:
■ Windows verification points
See “Windows verification points” on page 195.
■ UNIX verification points
See “UNIX verification points” on page 204.
■ Verification points in a mixed environment with a UNIX primary server
See “Verification points in a mixed environment with a UNIX primary server”
on page 211.
■ Verification points in a mixed environment with a Windows primary server
See “Verification points in a mixed environment with a Windows primary server”
on page 217.

Troubleshooting NBAC issues

The following table lists the issues and solutions that are related to NBAC:

Table 14-4 NBAC issues
Issue and Cause
A user directed backup or restore fails
A user-directed backup or restore fails with NBAC in the
automated mode. The Backup, Archive, and Restore
interface shows some errors in the Windows interface
when NBAC is configured.
A backup or restore failure can happen when a NetBackup
setup on a UNIX primary server is configured with NBAC
and you try to use the Windows interface without first
configuring the interface for such a setup. Another reason
may be that there is an expired certificate in the home
directory.
Authentication failure with error 116
The authentication fails with ‘error 116-VxSS
authentication’ when you try to set up NBAC on a
target host.
Error when a non-admin user from the NBU_Operator The users from the NBU_Operator group have limited
group tries to use Access Management permissions.
A non-admin user is added to the NBU_Operator group.
Read, Browse, and Configure permissions are assigned
along with the permission to configure the Host Properties.
However, when the user tries to open the Access
Management utility, an error displays.
The authorization file (auth.conf) functionality does not
work in an NBAC-enabled environment. By default, the
auth.conf file is supported by the Java interface in
non-NBAC environments only.
NetBackup Access Control Security (NBAC) 188
Troubleshooting Access Management
Solution
Configure the Windows interface to support the setup.
There should be at least one Microsoft Windows system
that acts as an Authentication Broker to authenticate users
from the Active Directory domain.
Refer to the TECH199281 for steps to configure the
Windows interface to make use of existing users from
Active Directory to manage or operate or use a NetBackup
environment that is primarily on UNIX/Linux platforms.
After you correctly configure the setup run the bpnbat
-logout command to log out from the setup before you
restart the interface.
Check whether NBAC authentication is configured correctly
and also if you have a valid usable credential for the target
host.
The user would require a different set of permissions to
use the Access Management utility. For the required
permissions, add the user to the NBU_Security_Admin
group.
For more information about user groups:
See “NetBackup default user groups” on page 228.
For the auth.conf file to work in an NBAC-enabled
environment, use the nbgetconfig and nbsetconfig
commands to add the USE_AUTH_CONF_NBAC entry to
the Windows registry or the bp.conf file on UNIX. The entry
must be set to YES, as follows:
USE_AUTH_CONF_NBAC = YES
For more details about the auth.conf file, refer to the
NetBackup Administrators Guide, Volume I.
 NetBackup Access Control Security (NBAC) 189
Troubleshooting Access Management

Table 14-4 NBAC issues (continued)

Issue and Cause Solution

Error when switching NetBackup server from
Enhanced Auditing to NBAC
The NetBackup Administration Console creates user
directories with user name as directory name, in
netbackup/logs/user_ops. For Enhanced Auditing,
these directories are used by NetBackup processes that
run with root privileges. For NBAC, these directories are
used by NetBackup processes that run without root
privileges.
NetBackup GUI errors may occur in the following case:
1 On each NetBackup server that the users log on to
by means of the GUI, delete the user directories in
the following directory:
Windows:
install_path\NetBackup\logs\user_ops
UNIX, Linux:
/usr/openv/netbackup/logs/user_ops
2 When the directories are deleted, restart the
NetBackup GUI.

■ The user directories that were created when Enhanced

Auditing was enabled still exist when NBAC is enabled,
and
■ Any of those users do not have root privileges.
Some examples of errors:

■ In the Backup, Archive, and Restore interface, no jobs

appear on the Task Progress tab.
■ For a VMware VM restore, the pre-recovery check
reports error 12.

Configuration and troubleshooting tips for NetBackup Authentication

and Authorization
The following table lists helpful configuration and troubleshooting tips for NetBackup
Authentication and Authorization. In addition, the table also contains information
about a few known issues and tips to resolve them:
 NetBackup Access Control Security (NBAC) 190
Troubleshooting Access Management

Table 14-5 Configuration and troubleshooting tips for NetBackup

Authentication and Authorization

Topic Configuration tips

Verifying primary server settings Running bpnbat -whoami and specifying the computer credentials, tells in
what domain a host is registered and the name of the computer the certificate
represents.

bpnbat -whoami -cf

"install_path\netbackup\var\vxss\credentials\
primary.company.com
"Name: primary.company.com
Domain: [email protected]
Issued by: /CN=broker/[email protected]/O=vx
Expiry Date: Oct 31 20:17:51 2007 GMT
Authentication method: Veritas Private Security
Operation completed successfully.

If the domain listed is not [email protected], consider

running bpnbat -addmachine for the name in question (primary). The command
is run on the computer that serves the NBU_Machines domain (primary).

Then, on the computer where you want to place the credentials, run: bpnbat
-loginmachine

Establishing root credentials If you have problems setting up either the authentication server or authorization
server, and the application complains about your credentials as root: ensure
that the $HOME environmental variable is correct for root.

Use the following command to detect the current value:

echo $HOME

This value should agree with root’s home directory, which can be typically found
in the /etc/passwd file.

Note that when switching to root, you may need to use:

su -

instead of only su to correctly condition the root environment variables.

Expired credentials message If your credential has expired or is incorrect, you may receive the following
message while running a bpnbaz or bpnbat command:

Supplied credential is expired or incorrect. Please

reauthenticate and try again.

Run bpnbat -Login to update an expired credential.

 NetBackup Access Control Security (NBAC) 191
Troubleshooting Access Management

Table 14-5 Configuration and troubleshooting tips for NetBackup

Authentication and Authorization (continued)

Topic Configuration tips

Useful debug logs The following logs are useful to debug NetBackup Access Control:

On the primary: admin, bpcd, bprd, bpdbm, bpjobd, bpsched

On the client: admin, bpcd

Access control: nbatd, nbazd.

See the NetBackup Troubleshooting Guide for instructions on proper logging.

Where credentials are stored The NetBackup Authentication and Authorization credentials are stored in the
following directories:

UNIX:

User credentials: $HOME/.vxss

Computer credentials: /usr/openv/var/vxss/credentials/

Windows:

<user_home_dir>\Application Data\VERITAS\VSS

How system time affects access Credentials have a birth time and death time. Computers with large discrepancies
control in system clock time view credentials as being created in the future or prematurely
expired. Consider synchronizing system time if you have trouble communicating
between systems.
 NetBackup Access Control Security (NBAC) 192
Troubleshooting Access Management

Table 14-5 Configuration and troubleshooting tips for NetBackup

Authentication and Authorization (continued)

Topic Configuration tips

NetBackup Authentication and The NetBackup Authentication and Authorization daemon services use ports
Authorization ports 13783 and 13722 for back-level media server and clients. The services use PBX
connections.

You can verify that the processes are listening with the following commands:

Authentication:

UNIX

netstat -an | grep 13783

Windows

netstat -a -n | find "13783"

Authorization:

UNIX

netstat -an | grep 13722

Windows

netstat -a -n | find "13722"

 NetBackup Access Control Security (NBAC) 193
Troubleshooting Access Management

Table 14-5 Configuration and troubleshooting tips for NetBackup

Authentication and Authorization (continued)

Topic Configuration tips

Stopping NetBackup Authentication When the NetBackup Authentication and Authorization services are stopped,
and Authorization daemons for stop authorization first, then stop authentication.
Shared Services
UNIX -Use the following commands.

To stop authorization use the term signal as shown in the example:

# ps -fed |grep nbazd

root 17018 1 4 08:47:35 ? 0:01 ./nbazd
root 17019 16011 0 08:47:39 pts/2 0:00 grep nbazd
# kill 17018

To stop authentication use the term signal as shown in the example:

# ps -fed |grep nbatd

root 16018 1 4 08:47:35 ? 0:01 ./nbatd
root 16019 16011 0 08:47:39 pts/2 0:00 grep nbatd
# kill 16018

Windows

Use the Services utility that Windows provides, since these services do not appear
in the NetBackup Activity Monitor.

If you lock yourself out of You can lock yourself out of the NetBackup Administration Console if access
NetBackup control is incorrectly configured.

If this lockout occurs, use vi to read the bp.conf entries (UNIX) or regedit
(Windows) to view the Windows registry in the following location:

HKEY_LOCAL_MACHINE\SOFTWARE\Veritas\NetBackup\
CurrentVersion\config

You can look to see if the following entries are set correctly:
AUTHORIZATION_SERVICE, AUTHENTICATION_DOMAIN, and USE_VXSS.

The administrator may not want to use NetBackup Access Control or does not
have the authorization libraries installed. Make certain that the USE_VXSS entry
is set to Prohibited, or is deleted entirely.

Backups of storage units on media The host name of a system in NetBackup domain (primary server, media server,
servers might not work in an NBAC or client) and host name that is specified in the bp.conf file should be the same.
environment

Table 14-5
Topic
Using the nbac_cron utility
Enabling NBAC after a recovery on Use the following procedure to manually enable NBAC after a recovery on
Windows Windows.
In cluster installations the
setupmaster might fail
Known issue on a cluster if shared
security services (vxatd or vxazd)
are clustered along with the primary
server
Known issue in a clustered primary
server upgrade with NBAC, that all
the AUTHENTICATION_DOMAIN
entries in thebp.conf file are
updated with the primary server
virtual name as the authentication
broker
NetBackup Access Control Security (NBAC) 194
Troubleshooting Access Management
Configuration and troubleshooting tips for NetBackup
Authentication and Authorization (continued)
Configuration tips
Use the nbac_cron.exe utility to create identities under which to run cron or
at jobs.
For more information about the nbac_cron utility:
See “About the nbac_cron utility” on page 224.
nbac_cron.exe is found in the following location:
UNIX -/opt/openv/netbackup/bin/goodies/nbac_cron
Windows -install_path\netbackup\bin\goodies\nbac_cron.exe
For detailed information about using the nbac_cron utility:
See “Using the nbac_cron utility” on page 224.
■ Add AUTHENTICATION_DOMAIN, AUTHORIZATION_SERVICE, and USE_VXSS
entries in Registry.
■ Change the service type of NetBackup Authentication and Authorization
services to AUTOMATIC.
■ Restart the NetBackup services.
■ Verify that the nbatd and nbazd services are running.
Note: On a cluster run the bpclusterutil -enableSvc nbatd and
bpclusterutil -enable nbazd commands.
A known issue exists in the case of cluster installations, where the configuration
file is on a shared disk, the setupmaster might fail.
A known issue exists on a cluster if shared security services (vxatd or vxazd)
are clustered along with the primary server. When executing the bpnbaz
-SetupMaster command and setting up security (NBAC), freeze the shared
security services service groups persistently where applicable or offline the
services (but make sure their shared disk is online), and run the setupmaster
command.
A known issue exists where in a clustered primary server upgrade with NBAC,
all the AUTHENTICATION_DOMAIN entries in thebp.conf file are updated with
the primary server virtual name as the authentication broker. If any domain entry
is present that refers to a different authentication broker other than the primary
server (and the primary server does not service that domain), that entry needs
to be manually removed from the bp.conf file.
 NetBackup Access Control Security (NBAC) 195
Troubleshooting Access Management

Table 14-5 Configuration and troubleshooting tips for NetBackup

Authentication and Authorization (continued)

Topic Configuration tips

Known issue relating to access A known issue exists that includes failures with respect to access control.
control failures and short and long Determine if the short and long host names are properly resolvable and are
host names resolving to the same IP address.

Known issue in a cluster upgrade
with NBAC when the broker profile
has ClusterName set to the virtual
name of AT
A known issue exists in a cluster upgrade with NBAC when the broker profile has
ClusterName set to the virtual name of AT. This is migrated as-is to the
embedded broker. The embedded broker has UseClusterNameAsBrokerName
set to 1 in its profile. When a request is sent for broker domain maps, it uses the
virtual name of the shared AT as the broker name. The bpnbaz
-GetDomainInfosFromAuthBroker returns none. In upgrades, the bp.conf
file is updated to have the NetBackup virtual name.

Known issue of multiple instances
of bpcd causing a possible error
A known issue exists where the bpnbaz -SetupMedia command, bprd uses
the AT_LOGINMACHINE_RQST protocol to talk with bpcd on the destination box.
A new instance of bpcd is spawned. After the command completes it tries to free
a char array as a regular pointer possibly causing bpcd to core dump on the
client side. Functionality should not be lost as this bpcd instance is only created
temporarily and exits normally. The parent bpcd is unaffected.

Known issue with clusters using
shared AT with configuration files
on the shared drive
A known issue exists with clusters that use a shared AT with configuration files
on the shared drive. Unhooking shared services only works on the node where
this shared drive is accessible. Unhook fails on the remaining nodes. The
implication of this is that while doing a bpnbaz -SetupMaster to manage
remote broker parts fail. You will have to manually configure passive nodes. Run
bpnbaz -SetupMedia for each passive node.

Known issue relating to database A known issue exists in which some database utilities support and other database
utilities supporting NBAZDB utilities do not.

The following database utilities support NBAZDB: nbdb_backup, nbdb_move,

nbdb_ping, nbdb_restore, nbdb_unload, and nbdb_admin.

The dbadm utility does not support NBAZDB.

Windows verification points

The following configuration procedures can help you verify that the primary server,
media server, and client are configured correctly for access control.
These Windows verification points include:
■ See “Primary server verification points for Windows” on page 196.
■ See “Media server verification points for Windows” on page 200.
 NetBackup Access Control Security (NBAC) 196
Troubleshooting Access Management

■ See “Client verification points for Windows” on page 202.

Figure 14-1 shows an example configuration containing Windows systems only.

Figure 14-1 Example configuration containing Windows systems only

authentication
server NBU master server (Windows) win_server.min.com

Root Broker
authorization Authentication Broker
server Authorization Service

Private Veritas Product Authentication and Authorization domain called:

NBU_Machines@win_server.min.com
contains the following host accounts:
win_server.min.com
win_media.min.com
win_client.min.com

Media server (Windows) win_media.min.com

authentication client, authorization client

win_media.min.com
Windows User accounts authenticate
via Windows authentication Broker

Client (Windows) win_client.min.com

authentication client

win_client.min.com

Note:
Each machine has a private domain account that is created for it. Using these accounts allows NetBackup to
more reliably identify machines as they communicate with each other.

Primary server verification points for Windows

The following topics describe procedures to:
■ Verify Windows primary server settings.
■ Verify which computers are permitted to perform authorization lookups.
■ Verify that the database is configured correctly.
 NetBackup Access Control Security (NBAC) 197
Troubleshooting Access Management

■ Verify that the nbatd and nbazd processes are running.

■ Verify that the host properties are configured correctly.
The following table describes the primary server verification procedures for Windows.

Table 14-6 Primary server verification procedures for Windows

Procedure Description

Verify Windows primary server
settings
You can determine the domain in which a host is registered (where the primary
authentication broker resides). Or you can determine the name of the computer
the certificate represents. Run bpnbat with -whoami and specify the host
credential file. The server credentials are located in the c:\Program
Files\Veritas\Netbackup\var\vxss\credentials\... directory.

For example:

bpnbat -whoami -cf

"c:\Program
Files\Veritas\Netbackup\var\vxss\credentials\
win_primary"
Name: win_primary.company.com
Domain: NBU_Machines@win_primary.company.com
Issued by: /CN=broker/OU=root@win_primary.company.com/
O=vx
Expiry Date: Oct 31 20:17:51 2007 GMT
Authentication method: Veritas Private Security
Operation completed successfully.

If the domain listed is not NBU_Machines@win_primary.company.com, consider

running bpnbat -addmachine for the name in question (win_primary). This
command is run on the computer with the authentication broker that serves the
NBU_Machines domain (win_primary).

Then, on the computer where we want to place the certificate (win_primary), run:

bpnbat -loginmachine

Note: As you determine when a user’s credentials expire, keep in mind that the
output displays the expiration time in GMT, not local time.

Note: For the remaining procedures in this verification section, assume that the
commands are performed from a console window. And that the user identity in
question has run bpnbat -login from that window. The user is an identity that
is a member of NBU_Security Admin. This identity is usually the first identity with
which the security was set up.
 NetBackup Access Control Security (NBAC) 198
Troubleshooting Access Management

Table 14-6 Primary server verification procedures for Windows (continued)

Procedure Description

Verify which computers are To verify which computers are present in the authentication broker, log on as a
present in the authentication member of the Administrators group and run the following command:
broker
bpnbat -ShowMachines

This command shows the computers for which you have run bpnbat
-AddMachine.
Note: If a host is not on the list, run bpnbat -AddMachine from the primary.
Then run bpnbat -loginMachine from the host in question.

Verify which computers are To verify which computers are permitted to perform authorization lookups, log on
permitted to perform authorization as a member of the Administrators group and run the following command:
lookups
bpnbaz -ShowAuthorizers

This command shows that win_primary and win_media (primary and media servers)
are permitted to perform authorization lookups. Note that both servers are
authenticated against the same Private Domain (domain type vx),
NBU_Machines@win_primary.company.com.
Note: Run this command by local administrator or by root. The local administrator
must be a member of the NBU_Security Admin user group.

bpnbaz -ShowAuthorizers
==========
Type: User
Domain Type: vx
Domain:NBU_Machines@win_primary.company.com
Name: win_primary.company.com
==========
Type: User
Domain Type: vx
Domain:NBU_Machines@win_primary.company.com
Name: win_media.company.com
Operation completed successfully.

If a primary server or media server is not on the list of authorized computers, run
bpnbaz -allowauthorization server_name to add the missing computer.
 NetBackup Access Control Security (NBAC) 199
Troubleshooting Access Management

Table 14-6 Primary server verification procedures for Windows (continued)

Procedure Description

Verify that the database is To make sure that the database is configured correctly, run bpnbaz
configured correctly -listgroups:

bpnbaz -listgroups
NBU_Operator
NBU_Admin
NBU_SAN Admin
NBU_User
NBU_Security Admin
Vault_Operator
Operation completed successfully.

If the groups do not appear, or if bpnbaz -listmainobjects does not return

data, you may need to run bpnbaz -SetupSecurity.

Verify that the nbatd and nbazd Use the Windows Task Manager to make sure that nbatd.exe and nbazd.exe
processes are running are running on the designated host. If necessary, start them.

Verify that the host properties are In the access control host properties, verify that the NetBackup Authentication
configured correctly and Authorization property is set correctly. (The setting should be either Automatic
or Required, depending on whether all computers use NetBackup Authentication
and Authorization or not. If all computers do not use NetBackup Authentication
and Authorization, set it to Automatic.

The host properties can also be verified by looking at USE_VXSS in the registry
at:

HKEY_LOCAL_MACHINE\SOFTWARE\Veritas\NetBackup\
CurrentVersion\config.

Figure 14-2 shows an example of the host properties settings on the

Authentication domain tab.

In the Access Control host properties, verify that the listed authentication domains
are spelled correctly and point to the proper servers (valid authentication brokers).
If all of the domains are Windows-based, they should point to a Windows computer
that runs the authentication broker.

The following figure shows the host properties settings on the Authentication
domain tab.
 NetBackup Access Control Security (NBAC) 200
Troubleshooting Access Management

Figure 14-2 Host properties settings

Media server verification points for Windows

The following topics describe the media server verification procedures for Windows:
■ Verify the media server.
■ Verify that the server has access to the authorization database.
■ Unable to load library message
The following table describes the media server verification procedures for Windows.
 NetBackup Access Control Security (NBAC) 201
Troubleshooting Access Management

Table 14-7 Media server verification procedures for Windows

Procedure Description

Verify the media server To determine which authentication broker the media server is authenticated
against, run bpnbat -whoami with -cf for the media server’s credential file.
The server credentials are located in the c:\Program
Files\Veritas\Netbackup\var\vxss\credentials\... directory.

For example:

bpnbat -whoami -cf "c:\Program

Files\Veritas\Netbackup\var\vxss\credentials\
win_media.company.com"
Name: win_media.company.com
Domain: NBU_Machines@win_primary.company.com
Issued by: /CN=broker/OU=root@win_primary.company.com/
O=vx
Expiry Date: Oct 31 20:11:40 2007 GMT
Authentication method: Veritas Private Security
Operation completed successfully.

If the domain listed is not NBU_Machines@win_primary.company.com, consider

running bpnbat -addmachine for the name in question (win_media). This
command is run on the computer with the authentication broker that serves the
NBU_Machines domain (win_primary).

Then, on the computer where we want to place the certificate (win_media),

run:

bpnbat -loginmachine
 NetBackup Access Control Security (NBAC) 202
Troubleshooting Access Management

Table 14-7 Media server verification procedures for Windows (continued)

Procedure Description

Verify that the server has access to To make sure that the media server is able to access the authorization database
the authorization database as it needs, run bpnbaz -ListGroups -CredFile
"machine_credential_file"

For example:

bpnbaz -ListGroups -CredFile "C:\Program

Files\Veritas\NetBackup\var\vxss\credentials\
win_media.company.com"
NBU_Operator
NBU_Admin
NBU_SAN Admin
NBU_User
NBU_Security Admin
Vault_Operator
Operation completed successfully.

If this command fails, run bpnbaz -AllowAuthorization on the primary

server that is the authorization server (win_primary.company.com).

Unable to load library message
Verify the media server and that it has access to the proper database. This
verification indirectly informs you that the NetBackup Authentication and
Authorization client libraries for both authentication and authorization are
properly installed. If either of these procedures fail with a message "unable to
load libraries": Check to make certain the authentication client libraries and
authorization client libraries are installed.

You may also verify that the authentication domains are correct by viewing the
access control host properties for this media server.

Client verification points for Windows

The following topics describe the client verification procedures for Windows:
■ Verify the credential for the client.
■ Verify that the authentication client libraries are installed.
■ Verify correct authentication domains.
The following table describes the client verification procedures for Windows.
 NetBackup Access Control Security (NBAC) 203
Troubleshooting Access Management

Table 14-8 Client verification procedures for Windows

Procedure Description

Verify the credential for the client Check that the credential for the client is indeed for the correct client and comes
from the correct domain. Run bpnbat -whoami with -cf for the client’s credential
file.

For example:

bpnbat -whoami -cf "install_path

\Netbackup\var\vxss\credentials\
win_client.company.com
"
Name: win_client.company.com
Domain: NBU_Machines@win_primary.company.com
Issued by: /CN=broker/OU=root@win_primary.company.com/
O=vx
Expiry Date: Oct 31 20:11:45 2007 GMT
Authentication method: Veritas Private Security
Operation completed successfully.

If the domain listed is not NBU_Machines@win_primary.company.com, consider

running bpnbat -addmachine for the name in question (win_client). This
command is run on the computer with the authentication broker that serves the
NBU_Machines domain (win_primary).

Then, on the computer where we want to place the certificate (win_client), run:
bpnbat -loginmachine

Verify that the authentication client

Note:
libraries are installed
Run bpnbat -login on the client to verify that the authentication client libraries
are installed.

bpnbat -login
Authentication Broker: win_primary
Authentication port [Enter = default]:
Authentication type (NIS, NIS+, WINDOWS, vx, unixpwd)
: WINDOWS
Domain: ENTERPRISE
Name: Smith
Password:Operation completed successfully.

If the libraries are not installed, a message displays: The NetBackup

Authentication and Authorization libraries are not installed. This verification can
also be done by looking at the Windows Add/Remove Programs.
 NetBackup Access Control Security (NBAC) 204
Troubleshooting Access Management

Table 14-8 Client verification procedures for Windows (continued)

Procedure Description

Verify correct authentication domains Check that any defined authentication domains for the client are correct either
in the Access Control host properties or by using regedit. Ensure that the
domains are spelled correctly. Ensure that the authentication brokers that are
listed for each of the domains is valid for that domain type.

UNIX verification points

Use the following procedures (and the following figure) to verify that the UNIX
primary server, media server, and client are configured correctly for access control:
■ UNIX primary server verification
See “UNIX primary server verification” on page 205.
■ UNIX media server verification
See “UNIX media server verification” on page 208.
■ UNIX client verification
See “UNIX client verification” on page 210.
The following example shows an example configuration that contains UNIX systems
only.
 NetBackup Access Control Security (NBAC) 205
Troubleshooting Access Management

Figure 14-3 Example configuration containing UNIX systems only

authentication
NBU master server (UNIX) unix_master.min.com
server
Root Broker
Authentication Broker
authorization
server Authorization Service

Private Veritas Product Authentication and Authorization domain called:

NBU_Machines@unix_master.min.com
contains the following credentials:
unix_master.min.com
unix_media.min.com
unix_client.min.com

Media server (UNIX) unix_media.min.com

authentication client, authorization client
unix_media.min.com
UNIX User accounts authenticate via
UNIX authentication Broker

Client (UNIX) unix_client.min.com

authentication client
unix_client.min.com
Note:
Each machine has a private domain account that are created for it. Using these accounts
allows NetBackup to more reliably identify machines as they communicate with each other.

UNIX primary server verification

Use the following procedures to verify the UNIX primary server:
■ Verify UNIX primary server settings.
■ Verify which computers are permitted to perform authorization lookups.
■ Verify that the database is configured correctly.
■ Verify that the nbatd and nbazd processes are running.
■ Verify that the host properties are configured correctly.
The following table describes the verification process for the UNIX primary server.
 NetBackup Access Control Security (NBAC) 206
Troubleshooting Access Management

Table 14-9 Verification process for the UNIX primary server

Process Description

Verify UNIX primary Determine in what domain a host is registered (where the primary authentication broker resides),
server settings and determine the name of the computer the certificate represents. Run bpnbat with -whoami
with -cf for the primary server’s credential file. The server credentials are located in the
/usr/openv/var/vxss/credentials/ directory.

For example:

bpnbat -whoami -cf

/usr/openv/var/vxss/credentials/unix_primary.company.com
Name: unix_primary.company.com
Domain: NBU_Machines@unix_primary.company.com
Issued by: /CN=broker/OU=root@unix_primary/O=vx
Expiry Date: Oct 31 15:44:30 2007 GMT
Authentication method: Veritas Private Security
Operation completed successfully.

If the domain listed is not NBU_Machines@unix_primary.company.com, or the file does not

exist, consider running bpnbat -addmachine for the name in question (unix_primary). Run
this command on the computer that serves the NBU_Machines domain (unix_primary).

Then, on the computer where we want to place the certificate (unix_primary), run: bpnbat
-loginmachine
Note: When determining if a credential has expired, remember that the output displays the
expiration time in GMT, not local time.

Note: For the remaining procedures in this verification topic, assume that the commands are
performed from a console window. The window in which the user identity is in question has run
bpnbat -login using an identity that is a member of NBU_Security Admin. This identity is
usually the first identity with which the security was set up.

Verify which To verify which computers are present in the authentication broker, log on as a member of the
computers are Administrators group and run the following command:
present in the
authentication broker bpnbat -ShowMachines

The following command shows which computers you have run:

bpnbat -AddMachine
 NetBackup Access Control Security (NBAC) 207
Troubleshooting Access Management

Table 14-9 Verification process for the UNIX primary server (continued)

Process Description

Verify which To verify which computers can perform authorization lookups, log on as root on the authorization
computers are broker and run the following command:
permitted to perform
authorization lookups bpnbaz -ShowAuthorizers
==========
Type: User
Domain Type: vx
Domain:NBU_Machines@unix_primary.company.com
Name: unix_primary.company.com

==========
Type: User
Domain Type: vx
Domain:NBU_Machines@unix_primary.company.com
Name: unix_media.company.com

Operation completed successfully.

This command shows that unix_primary and unix_media are permitted to perform authorization
lookups. Note that both servers are authenticated against the same vx (Veritas Private Domain)
Domain, NBU_Machines@unix_primary.company.com.

If a primary server or media server is not part of the list of authorized computers, run bpnbaz
-allowauthorization <server_name> to add the missing computer.

Verify that the To make sure that the database is configured correctly, run bpnbaz -listgroups:
database is
configured correctly bpnbaz -listgroups
NBU_Operator
NBU_Admin
NBU_SAN Admin
NBU_User
NBU_Security Admin
Vault_Operator
Operation completed successfully.

If the groups do not appear, or if bpnbaz -listmainobjects does not return data, run
bpnbaz -SetupSecurity.
 NetBackup Access Control Security (NBAC) 208
Troubleshooting Access Management

Table 14-9 Verification process for the UNIX primary server (continued)

Process Description

Verify that the nbatd Run the ps command to ensure that the nbatd and nbazd processes are running on the
and nbazd designated host. If necessary, start them.
processes are
For example:
running
ps -fed |grep vx
root 10716 1 0 Dec 14 ? 0:02 /usr/openv/netbackup/bin/private/nbatd
root 10721 1 0 Dec 14 ? 4:17 /usr/openv/netbackup/bin/private/nbazd

Verify that the host In the Access Control host properties, verify that the NetBackup Authentication and
properties are Authorization property is set correctly. (The setting should be either Automatic or Required,
configured correctly depending on whether all of the computers use NetBackup Authentication and Authorization
or not. If all computers do not use NetBackup Authentication and Authorization, set it to
Automatic.

In the Access Control host properties, verify that the authentication domains on the list are
spelled correctly. Also make sure that they point to the proper servers (valid authentication
brokers). If all domains are UNIX-based, they should point to a UNIX machine that is running
the authentication broker.

This process can also be verified in bp.conf using cat.

cat bp.conf
SERVER = unix_primary
SERVER = unix_media
CLIENT_NAME = unix_primary
AUTHENTICATION_DOMAIN = company.com "default company
NIS namespace"
NIS unix_primary 0
AUTHENTICATION_DOMAIN = unix_primary "unix_primary password file"
PASSWD unix_primary 0
AUTHORIZATION_SERVICE = unix_primary.company.com 0
USE_VXSS = AUTOMATIC
#

UNIX media server verification

Perform the following to verify the UNIX media server:
■ Verify the media server.
■ Verify that the server has access to the authorization database.
■ Understand the unable to load library message.
The following table describes the verification procedures for the UNIX media server.
 NetBackup Access Control Security (NBAC) 209
Troubleshooting Access Management

Table 14-10 Verification process for the UNIX media server

Process Description

Verify the media server To determine which authentication broker the media server is authenticated against,
run bpnbat -whoami with -cf for the media server’s credential file. The server
credentials are located in the /usr/openv/var/vxss/credentials/ directory.

For example:

bpnbat -whoami -cf

/usr/openv/var/vxss/credentials/unix_media.company.com
Name: unix_media.company.com
Domain: NBU_Machines@unix_primary.company.com
Issued by: /CN=broker/OU=root@unix_primary.company.com/
O=vx
Expiry Date: Oct 31 14:48:08 2007 GMT
Authentication method: Veritas Private Security
Operation completed successfully.

If the domain listed is not NBU_Machines@unix_primary.company.com, consider

running bpnbat -addmachine for the name in question (unix_media). This command
is run on the computer with the authentication broker that serves the NBU_Machines
domain (unix_primary).

Then, on the computer where we want to place the certificate, run (unix_primary):
bpnbat -loginmachine

Verify that the server has To make sure that the media server is able to access the authorization database as
access to the authorization it needs, run bpnbaz -ListGroups
database
"machine_credential_file"

For example:

bpnbaz -ListGroups -CredFile

/usr/openv/var/vxss/credentials/unix_media.company.com
NBU_User
NBU_Operator
NBU_Admin
NBU_Security Admin
Vault_Operator
Operation completed successfully.

If this command fails, run bpnbaz -AllowAuthorization on the primary server

that is the authorization server (unix_primary). Note that you need to run as root or
administrator.
 NetBackup Access Control Security (NBAC) 210
Troubleshooting Access Management

Table 14-10 Verification process for the UNIX media server (continued)

Process Description

Unable to load library Verify the media server and that it has access to the proper database. This verification
message indirectly informs us that the NetBackup Authentication and Authorization client libraries
for both authentication and authorization are properly installed. If either of these
procedures fail with the message "unable to load libraries," check to make certain the
Authentication and Authorization client libraries are installed.

You may also verify that the authentication domains are correct. Do this verification
viewing the access control host properties for this media server, or by cat(1)ing
the bp.conf file.

UNIX client verification

The following procedures are used to verify the UNIX client:
■ Verify the credential for the UNIX client.
■ Verify that the authentication client libraries are installed.
■ Verify correct authentication domains.
The following table describes the verification procedures for the UNIX client.

Table 14-11 Verification procedures for the UNIX client

Procedures Description

Verify the credential for Check that the credential for the client is indeed for the correct client and comes from the
the UNIX client correct domain. Run bpnbat -whoami with -cf for the client’s credential file.

For example:

bpnbat -whoami -cf

/usr/openv/var/vxss/credentials/unix_client.company.com
Name: unix_client.company.com
Domain: NBU_Machines@unix_primary.company.com
Issued by: /CN=broker/OU=root@unix_primary.company.com/O=vx
Expiry Date: Oct 31 14:49:00 2007 GMT
Authentication method: Veritas Private Security
Operation completed successfully.

If the domain listed is not NBU_Machines@unix_primary.company.com, consider running

bpnbat -addmachine for the name in question (unix_client). This command is run on
the computer with the authentication broker that serves the NBU_Machines domain
(unix_primary).

Then, on the computer where we want to place the certificate (unix_client), run: bpnbat
-loginmachine
 NetBackup Access Control Security (NBAC) 211
Troubleshooting Access Management

Table 14-11 Verification procedures for the UNIX client (continued)

Procedures Description

Verify that the
authentication client
libraries are installed
Run bpnbat -login on the client to verify that the authentication client libraries are
installed.
bpnbat -login
Authentication Broker: unix_primary.company.com
Authentication port [Enter = default]:
Authentication type (NIS, NIS+, WINDOWS, vx, unixpwd): NIS
Domain: min.com
Name: Smith
Password:
Operation completed successfully.

Verify correct Check that any defined authentication domains for the client are correct in the Access
authentication domains Control host properties or by using cat(1). Ensure that the domains are spelled correctly.
Also ensure that the authentication brokers on the list for each of the domains are valid for
that domain type.

This process can also be verified in bp.conf using cat(1).

cat bp.conf
SERVER = unix_primary
SERVER = unix_media
CLIENT_NAME = unix_primary
AUTHENTICATION_DOMAIN = min.com "default company
NIS namespace"
NIS unix_primary 0
AUTHENTICATION_DOMAIN = unix_primary.company.com "unix_primary
password file" PASSWD unix_primary 0
AUTHORIZATION_SERVICE = unix_primary.company.com 0
USE_VXSS = AUTOMATIC

Verification points in a mixed environment with a UNIX primary server

The following procedures can help you verify that the primary server, media server,
and client are configured correctly. These should be configured for a heterogeneous
NetBackup Access Control environment. The primary server is a UNIX machine.
■ Primary server verification points for mixed UNIX primary
■ Media server verification points for mixed UNIX primary
■ Client verification points for mixed UNIX primary
 NetBackup Access Control Security (NBAC) 212
Troubleshooting Access Management

Figure 14-4 is an example of a mixed configuration that contains a UNIX primary

server.

Figure 14-4 Example mixed configuration containing a UNIX primary server

NBU master server (UNIX) unix_master.min.com
authentication Root Broker
server Authentication Broker
authorization
Authorization Service
server
Private Veritas Product Authentication and Authorization domain
called NBU_Machines@unix_master.min.com Host (Windows)
contains the following credentials: win_server.min.com
unix_master.min.com authentication Authentication Broker
win_media.min.com server
win_client.min.com win_server.min.com
unix_media.min.com
unix_client.min.com
Windows hosts
authenticate via
Windows
Authentication
Broker

Media server (Windows) win_media.min.com

authentication client, authorization client

See note. win_media.min.com

Client (Windows) win_client.min.com

authentication client
win_client.min.com

Media server (UNIX) unix_media.min.com

authentication client, authorization client
unix_media.min.com

UNIX hosts authenticate via

UNIX authentication Broker
Client (UNIX) unix_client.min.com
authentication client
unix_client.min.com
Note:
Each machine has a private domain account. Using these accounts allows NetBackup to more reliably
identify machines as they communicate with each other.
 NetBackup Access Control Security (NBAC) 213
Troubleshooting Access Management

Primary server verification points for a mixed UNIX primary

server
See the following topic for the verification procedure for a UNIX primary server:
See “UNIX primary server verification” on page 205.

Media server verification points for a mixed UNIX primary

server
The following table describes the media server verification procedures for a mixed
UNIX primary server.

Table 14-12 Verification procedures for a mixed UNIX primary server

Procedure Description

Verify the UNIX media server See the following topic for the verification procedure for a UNIX media server:

See “UNIX media server verification” on page 208.

Verify the Windows media server Check that the computer certificate comes from the root authentication broker,
which is found on the UNIX primary server (unix_primary).
If there is a missing certificate, run the following commands to correct the
problem:

■ bpnbat -addmachine on the root authentication broker (in this example,

unix_primary)
■ bpnbat -loginmachine (in this example, win_media)

For example:

bpnbat -whoami -cf "install_path

\Netbackup\var\vxss\credentials\
win_media.company.com"
Name: win_media.company.com
Domain: NBU_Machines@unix_primary.company.com
Issued by: /CN=broker/OU=root@
unix_primary.company.com/O=vx
Expiry Date: Oct 31 20:11:04 2007 GMT
Authentication method: Veritas Private Security
Operation completed successfully.

Table 14-12
Procedure
Verify that a media server is permitted
to perform authorization lookups
Unable to load library message
Verify authentication domains
NetBackup Access Control Security (NBAC) 214
Troubleshooting Access Management
Verification procedures for a mixed UNIX primary server
(continued)
Description
Ensure that the media server is allowed to perform authorization checks by
running bpnbaz -listgroups -CredFile.
For example:
bpnbaz -listgroups -CredFile "install_path
\Netbackup\var\vxss\credentials\
win_media.company.com"
NBU_User
NBU_Operator
NBU_Admin
NBU_Security Admin
Vault_Operator
Operation completed successfully.
If the media server is not allowed to perform authorization checks, run bpnbaz
-allowauthorization on the primary server for the media server name
in question.
Verify the Windows media server and that it can perform authorization checks
indirectly. This verification informs us that the NetBackup Authentication
and Authorization client libraries for both authentication and authorization
are properly installed. If either of these procedures fail with a message "unable
to load libraries," make certain the authentication client libraries and
authorization client libraries are installed.
Verify that the authentication domains are correct by viewing the access
control host properties for this media server.
You can also use regedit (or regedit32) directly on the media server in
the following location:
HKEY_LOCAL_MACHINE\SOFTWARE\Veritas\NetBackup\
CurrentVersion\config\AUTHENTICATION_DOMAIN
 NetBackup Access Control Security (NBAC) 215
Troubleshooting Access Management

Table 14-12 Verification procedures for a mixed UNIX primary server

(continued)

Procedure Description

Cross platform authentication domains Take extra care in mixed environments to ensure that the appropriate domain
types point to the correct authentication brokers.

The example Authentication domain tab shows available authentication

Windows domains that can be added to the Windows broker. In this case, it
is not a mixed environment as both systems are Windows based. If there
were a combination of Windows and UNIX domains it is important to match
the brokers to the most useful authentication domains.

Figure 14-5 for a display on how to match the platform to the most useful
authentication domains.
 NetBackup Access Control Security (NBAC) 216
Troubleshooting Access Management

Figure 14-5 Cross platform authentication domains

Client verification points for a mixed UNIX primary server

See the following topic for procedures to verify the UNIX client computers:
See “UNIX client verification” on page 210.
The following table describes the procedures to verify Windows clients.
 NetBackup Access Control Security (NBAC) 217
Troubleshooting Access Management

Table 14-13 Procedures to verify Windows clients

Procedures Description

Verify the credential for the Windows Check that the credential for the client is indeed for the correct client and
client comes from the correct domain. Run bpnbat -whoami with -cf for the client’s
credential file.

For example:

bpnbat -whoami -cf "c:\Program

Files\Veritas\Netbackup\var\vxss\credentials\
win_client.company.com
Name: win_client.company.com
Domain: NBU_Machines@unix_primary.company.com
Issued by: /CN=broker/OU=root@unix_primary.company.com/
O=vx
Expiry Date: Oct 31 19:50:50 2007 GMT
Authentication method: Veritas Private Security
Operation completed successfully.

Verify that the authentication client Run bpnbat -login on the client to verify that the authentication client
libraries are installed libraries are installed.

For example:

bpnbat -login
Authentication Broker: unix_primary.company.com
Authentication port [Enter = default]:
Authentication type (NIS, NIS+, WINDOWS, vx, unixpwd)
: NIS
Domain: min.com
Name: Smith
Password:
Operation completed successfully.

Verify the Windows authentication Ensure that the Windows authentication broker has mutual trust with the main
broker UNIX authentication broker. Also, make sure that the broker uses the UNIX
broker as its root broker.

Verification points in a mixed environment with a Windows primary

server
The following procedures can help you verify that the primary server, media server,
and client are configured correctly. They should be configured for a heterogeneous
NetBackup Access Control environment. The primary server is a Windows computer.
 NetBackup Access Control Security (NBAC) 218
Troubleshooting Access Management

■ Primary server verification points for mixed Windows primary

See “Primary server verification points for a mixed Windows primary server”
on page 220.
■ Media server verification points for mixed Windows primary
See “Media server verification points for a mixed Windows primary server”
on page 220.
■ Client verification points for mixed Windows primary
See “Client verification points for a mixed Windows primary server” on page 222.
Figure 14-6 is an example configuration that contains a Windows primary server.
 NetBackup Access Control Security (NBAC) 219
Troubleshooting Access Management

Figure 14-6 Example mixed configuration containing a Windows primary

server
authentication NBU master server (Windows) win_master.min.com
server Root Broker
Authentication Broker
authorization
Authorization Service
server
Private Veritas Product Authentication and Authorization
domain called NBU_Machines@win_server.min.com MediaServer (UNIX)
contains the following credentials: unix.media2min.com
win_master.min.com authentication Authentication Broker
unix_media2.min.com server
unix_media.min.com unix_media2.min.com
unix_client.min.com
win_media.min.com
win_client.min.com
UNIX user accounts
authenticate via UNIX
Authentication Broker

Media server (UNIX) unix_media.min.com

authentication client, authorization client

See note. unix_media.min.com

Client (UNIX) unix_client.min.com

authentication client
unix_client.min.com

Media server (Windows) win_media.min.com

authentication client, authorization client

Windows user accounts win_media.min.com

authenticate via Windows
authentication broker
Client (Windows) win_client.min.com
authentication client
win_client.min.com
Note:
Each machine has a private domain account. Using these accounts allows NetBackup to more
reliably identify machines as they communicate with each other.
 NetBackup Access Control Security (NBAC) 220
Troubleshooting Access Management

Primary server verification points for a mixed Windows

primary server
See the following topic for the verification procedures for a mixed Windows primary:
See “Primary server verification points for Windows” on page 196.

Media server verification points for a mixed Windows

primary server
The following table describes the media server verification procedures for a mixed
Windows primary server.

Table 14-14 Media server verification procedures for a mixed Windows primary
server

Procedure Description

Verify the Windows media server for See the following topic for the verification procedures for a Windows media
a mixed Windows primary server server:

See “Media server verification points for Windows” on page 200.

Verify the UNIX media server Check that the computer certificate is issued from the root authentication broker,
found on the Windows primary server (win_primary). To determine which
authentication broker the media server is authenticated against, run bpnbat
-whoami with -cf for the media server’s credential file.

For example:

bpnbat -whoami -cf

/usr/openv/var/vxss/credentials/unix_media.company.com
Name: unix_media.company.comDomain: NBU_Machines@
win_primary.company.com
Issued by: /CN=broker/OU=root@win_primary.company.com/
O=vx
Expiry Date: Oct 31 14:48:08 2007 GMT
Authentication method: Veritas Private Security
Operation completed successfully.

Table 14-14
Procedure
Verify that the server has access to To make sure that the media server is able to access the authorization database
the authorization database
Unable to load library message
NetBackup Access Control Security (NBAC) 221
Troubleshooting Access Management
Media server verification procedures for a mixed Windows primary
server (continued)
Description
it needs to perform authorization checks. Run bpnbaz -ListGroups
-CredFile "/usr/openv/var/vxss/credentials/<hostname>"
For example:
bpnbaz -ListGroups -CredFile\
/usr/openv/var/vxss/credentials/unix_media.company.com
NBU_Operator
NBU_AdminNBU_SAN Admin
NBU_UserNBU_Security Admin
Vault_Operator
Operation completed successfully.
If the media server is not allowed to perform authorization checks, run bpnbaz
-allowauthorization on the primary server for the media server name in
question.
Verify the media server and that it has access to the proper database indirectly.
This verification informs us that the NetBackup Authentication and Authorization
client libraries for both authentication and authorization are properly installed.
If either of these procedures fail with a message "unable to load libraries": Check
to make certain the authentication client libraries and authorization client libraries
are installed.
 NetBackup Access Control Security (NBAC) 222
Troubleshooting Access Management

Table 14-14 Media server verification procedures for a mixed Windows primary
server (continued)

Procedure Description

Cross platform authentication You may also verify that the authentication domains are correct by viewing the
domains access control host properties for this media server. Or, you may also verify by
cat(1)ing the bp.conf file.

Take extra care in mixed environments to ensure that the appropriate domain
types point to the correct authentication brokers.

In the example, note that the PASSWD domains and NIS domains point to
unix_media2.company.com, which, in this example, is the UNIX authentication
broker:

cat bp.conf
SERVER = win_primary.company.com
MEDIA_SERVER = unix_media.company.com
MEDIA_SERVER = unix_media2.company.com
CLIENT_NAME = unix_media
AUTHENTICATION_DOMAIN = win_primary "win_primary domain"
WINDOWS win_primary.company.com
0
AUTHENTICATION_DOMAIN = enterprise "enterprise domain"
WINDOWS win_primary.company.com 0
AUTHENTICATION_DOMAIN = unix_media2.company.com "local
unix_media2 domain" PASSWD unix_media2.company.com 0
AUTHENTICATION_DOMAIN = min.com "NIS domain" NIS
unix_media.company.com 0
AUTHORIZATION_SERVICE = win_primary.company.com 0
USE_VXSS = AUTOMATIC

Client verification points for a mixed Windows primary

server
The following table describes the client verification procedures for a mixed Windows
primary server.

Table 14-15 Verification procedures for a mixed Windows primary server

Procedure Description

Verify the credential for the Windows See the following topic for the verification procedures for Windows clients:
client
See “Client verification points for Windows” on page 202.
 NetBackup Access Control Security (NBAC) 223
Troubleshooting Access Management

Table 14-15 Verification procedures for a mixed Windows primary server

(continued)

Procedure Description

Verify the credential for the UNIX Check that the credential for the client is indeed for the correct client and comes
client from the correct domain. Run bpnbat -whoami with -cf for the client’s credential
file.

For example:

bpnbat -whoami -cf \

"/usr/openv/var/vxss/credentials/
unix_client.company.com"
Name: unix_client.company.com
Domain: NBU_Machines@win_primary.company.com
Issued by: /CN=broker/OU=root@
win_primary.company.com/O=vx
Expiry Date: Oct 31 21:16:01 2007 GMT
Authentication method: Veritas Private Security
Operation completed successfully.

Verify that the authentication client Run bpnbat -login on the client to verify that the authentication client libraries
libraries are installed are installed.

bpnbat -login
Authentication Broker: unix_media2.company.com
Authentication port [Enter = default]:
Authentication type (NIS, NIS+, WINDOWS, vx, unixpwd)
: NIS
Domain: min.com
Name: Smith
Password:
You do not currently trust the server:
unix_media.company.com, do
you wish to tr
ust it? (y/n):
y
Operation completed successfully.

Verify the UNIX authentication broker Ensure that the UNIX authentication broker has mutual trust with the main
windows authentication broker or ensure that it uses the Windows broker as its
root broker.
 NetBackup Access Control Security (NBAC) 224
Troubleshooting Access Management

About the nbac_cron utility

NetBackup operations can be performed as scheduled jobs by using the cron utility.
When NBAC is enabled, these jobs can be run in the context of an OS user who
has the privileges to run the required commands. You can use the nbac_cron.exe
utility to create the credentials that are needed to run cron or AT jobs. These
credentials are valid for a longer period of time as compared to the credentials that
are obtained when a user performs a bpnbat logon. Here the validity is a year.
The utility is found in the following location:
-/opt/openv/netbackup/bin/goodies/nbac_cron

For detailed steps to configure the nbac_cron utility and run a cron job, see the
following topic:
See “Using the nbac_cron utility” on page 224.

Using the nbac_cron utility

The following steps help you to create credentials to execute cron jobs.
Using the nbac_cron utility to run cron jobs
1 Run the command nbac_cron-addCron as root or administrator on the primary
server.
root@amp# /usr/openv/netbackup/bin/goodies/nbac_cron -AddCron

# nbac_cron -AddCron

This application will generate a Veritas private domain identity

that can be used in order to run unattended cron and/or at jobs.

User name to create account for (e.g. root, JSmith etc.): Dan

Password:*****

Password:*****

Access control group to add this account to [NBU_Admin]:

Do you with to register this account locally for root(Y/N) ? N

In order to use the account created please login as the OS

identity that will run the at or cron jobs. Then run nbac_cron
-setupcron or nbac_cron -setupat. When nbac_cron -setupcron or
nbac_cron -setupat is run the user name, password and
authentication broker will need to be supplied. Please make note
of the user name, password, and authentication broker. You may
 NetBackup Access Control Security (NBAC) 225
Troubleshooting Access Management

rerun this command at a later date to change the password for an

account.

Operation completed successfully.

If you do not explicitly specify an access control group (for example,

NBU_Operator or Vault_Operator) to add the user to, the cron user (Dan here),
is added to the NBU_Admin group.
If you respond with a 'Yes' to register the account locally for root, the nbac_cron
–SetupCron command is automatically executed for the cron_user as root. If
you plan to run the cron jobs as a non-root OS user then you should say 'No'
here and manually run the nbac_cron –SetupCron command as that non-root
OS user.
An identity is generated in the Veritas private domain. This identity can be used
to run the cron jobs.
2 Now, run the nbac_cron-SetupCron command as the OS user who wants to
execute the cron jobs to obtain credentials for this identity.
[dan@amp ~]$ /usr/openv/netbackup/bin/goodies/nbac_cron -SetupCron

This application will now create your cron and/or at identity.

Authentication Broker: amp.sec.punin.sen.veritas.com

Name: Dan

Password:*****

You do not currently trust the server:

amp.sec.punin.sen.veritas.com, do you wish to trust it? (Y/N): Y

Created cron and/or at account information. To use this account

in your own cron or at jobs make sure that the environment
variable VXSS_CREDENTIAL_PATH is set to
"/home/dan/.vxss/credentials.crat"

Operation completed successfully.

The 'You do not currently trust' the server message is only shown once if you
have not already trusted the broker.
The credential is created in the user’s home directory
atuser/.vxss/credentials.crat. The credential is valid for a year from the
time when it is generated.
If required, you can check the credential details as shown:
dan@amp~]$ /usr/openv/netbackup/bin/bpnbat -whoami -cf
~dan/.vxss/credentials.crat
 NetBackup Access Control Security (NBAC) 226
Using the Access Management utility

Name: CronAt_dan

Domain: [email protected]

Issued by: /CN=broker/OU=amp.sec.punin.sen.veritas.com

Expiry Date: Feb 4 13:36:08 2016 GMT

Authentication method: Veritas Private Domain

Operation completed successfully.

You must re-run the SetupCron operation (Step 2) to renew the credential
before it expires.
3 You can now create your own cron jobs. Ensure that the
VXSS_CREDENTIAL_PATH path is set to point to the credentials you created
above before you schedule any new job.

Using the Access Management utility

The users that are assigned to the NetBackup Security Administrator user group
have access to the Access Management node in the NetBackup Administration
Console. The users and the NetBackup Administrators who are assigned to any
other user group can see the Access Management node. This node is visible in
the NetBackup Administration Console, but you cannot expand it.
If a user other than a Security Administrator tries to select Access Management,
an error message displays. The toolbar options and menu items that are specific
to Access Management are not displayed.
Upon successful completion, the default NetBackup user groups should display in
the NetBackup Administration Console > Access Management > NBU user
groups window.
To list the groups on the command line, run the bpnbaz -ListGroups command
on the computer where the authorization server software is installed.
UNIX
bpnbaz is located in directory /usr/openv/netbackup/bin/admincmd

Windows
bpnbaz is located in directory Install_path\Veritas\NetBackup\bin\admincmd

(You must be logged on as the Security Administrator by using bpnbat -login)

bpnbaz -ListGroups
NBU_User
NBU_Operator
 NetBackup Access Control Security (NBAC) 227
About determining who can access NetBackup

NBU_Admin
NBU_Security Admin
Vault_Operator
NBU_SAN Admin
NBU_KMS Admin
Operation completed successfully.

The NetBackup user groups are listed. This process verifies that the Security
Administrator can access the user groups.

About determining who can access NetBackup

The Access Management utility allows only one user group. By default, the
NBU_Security Admin user group defines the following aspects of NetBackup Access
Management:
■ The permissions of individual users.
See “Individual users” on page 228.
■ The creation of user groups.
See “User groups” on page 228.
First, determine which NetBackup resources your users need to access. For
resources and associated permissions:
See “Viewing specific user permissions for NetBackup user groups” on page 234.
The Security Administrator may want to first consider what different users have in
common, then create user groups with the permissions that these users require.
User groups generally correspond to a role, such as administrators, operators, or
end users.
Consider basing user groups on one or more of the following criteria:
■ Functional units in your organization (UNIX administration, for example)
■ NetBackup resources (drives, policies, for example)
■ Location (East Coast or West coast, for example)
■ Individual responsibilities (tape operator, for example)
Note that permissions are granted to individuals in user groups, not to individuals
on a per-host basis. They can only operate to the extent that they are authorized
to do so. No restrictions are based on computer names.
 NetBackup Access Control Security (NBAC) 228
About determining who can access NetBackup

Individual users
The NetBackup Access Management utility uses your existing OS-defined users,
groups, and domains. The Access Management utility maintains no list of users
and passwords. When members of groups are defined, the Security Administrator
specifies existing OS users as members of user groups.
Every authenticated user belongs to at least one authorization user group. By
default, every user belongs to the user group NBU_Users, which contains all of the
authenticated users.
All authenticated users are implicit members of the NBU_Users user group. All
other groups must have members defined explicitly. The NetBackup Security
Administrator can delete a manually added member to other groups. However, the
Security Administrator may not delete the predefined implicit members of the
NBU_Security Admin groups. The OS groups and OS users can be added to an
authorization group.

User groups
NetBackup Access Management can be configured by assigning permissions to
user groups and then assigning users to the user groups. Assigning permissions
to groups is done rather than assigning permissions directly to individual users.
Upon successful installation, NetBackup provides default user groups that
complement how sites often manage the duties of NetBackup operation. The user
groups are listed under Access Management > NBU User Groups. The contents
of Access Management are only visible to members of the NBU_Security Admin
group.
The Security Administrator can use the default NetBackup user groups or create
custom user groups.

NetBackup default user groups

The users that are granted permissions in each of the default user groups relate
directly to the group name. Essentially, an authorization object correlates to a node
in the NetBackup Administration Console tree.
The following table describes each NetBackup default user group.

Table 14-16
Default user group
Operator (NBU_Operator)
Administrator (NBU_Admin)
SAN Administrator (NBU_SAN Admin)
User (NBU_User)
Security administrator (NBU_Security
Admin)
NetBackup Access Control Security (NBAC) 229
About determining who can access NetBackup
NetBackup default user groups
Description
The main task of the NBU_Operator user group is to monitor jobs. For
example, members of the NBU_Operator user group might monitor jobs
and notify a NetBackup administrator if there is a problem. Then, the
administrator can address the problem. Using the default permissions, a
member of the NBU_Operator user group would probably not have enough
access to address larger problems.
Members of the NBU_Operator user group have the permissions that allow
them to perform tasks such as moving tapes, operating drives, and
inventorying robots.
Members of the NBU_Admin user group have full permission to access,
configure, and operate any NetBackup authorization object. Some
exceptions exist for SAN Administrators. In other words, members have
all of the capabilities that are currently available to administrators without
Access Management in place. However, as members of this group, you
do not necessary log on as root or administrator in the OS.
Note: Members of the NBU_Admin user group cannot see the contents
of Access Management, and therefore, cannot ascribe permissions to other
user groups.
By default, members of the NBU_SAN Admin user group have full
permissions to browse, read, operate, and configure disk pools and host
properties. These permissions let you configure the SAN environment and
NetBackup’s interaction with it.
The NBU_User user group is the default NetBackup user group with the
fewest permissions. Members of the NBU_User user group can only back
up, restore, and archive files on their local host. NBU_User user group
members have access to the functionality of the NetBackup client interface
(BAR).
Usually very few members exist in the NBU_Security Admin user group.
The only permission that the Security Administrator has, by default, is to
configure access control within Access Management. Configuring access
control includes the following abilities:
■ To see the contents of Access Management in the NetBackup
Administration Console
■ To create, modify, and delete users and user groups
■ To assign users to user groups
■ To assign permissions to user groups
 NetBackup Access Control Security (NBAC) 230
About determining who can access NetBackup

Table 14-16 NetBackup default user groups (continued)

Default user group Description

Vault operator (Vault_Operator) The Vault_Operator user group is the default user group that contains
permissions to perform the operator actions necessary for the Vault
process.

KMS Administrator (NBU_KMS Admin) By default, members of the NBU_KMS Admin user group have full
permissions to browse, read, operate and configure encryption key
management properties. These permissions make sure that you can
configure the KMS environment and NetBackup’s interaction with it.

Additional user groups
The Security Administrator (member of NBU_Security Admin or equivalent)
can create user groups as needed. The default user groups can be
selected, changed, and saved. It is recommended that the groups be
copied, renamed, and then saved to retain the default settings for future
reference.

Configuring user groups

The Security Administrator can create new user groups. Expand Access
Management > Actions > New Group or select an existing user group and expand
Access Management > Actions > Copy to New Group.

Creating a new user group

You can use the following procedure to create a new user group.
To create a new user group
1 As a member of the NBU_Security Admin user group (or equivalent), expand
Access Management > NBU User Groups.
2 Select Actions > New User Group. The Add New user group dialog displays,
opened to the General tab.
3 Type the name of the new group in the Name field, then click the Users tab.
4 Select the defined users that you want to assign to this new user group. Then
click Assign. Or, to include all the defined users in the group, click Assign All.
To remove users from the assigned users list, select the user name, then click
Remove.
5 Click the Permissions tab.
6 Select a resource from the Resources list and an Authorization Object. Then
select the permissions for the object.
7 Click OK to save the user group and the group permissions.
 NetBackup Access Control Security (NBAC) 231
About determining who can access NetBackup

Creating a new user group by copying an existing user

group
You can use the following procedure to create a new user group by copying an
existing user group.
To create a new user group by copying an existing user group
1 As a member of the NBU_Security Admin user group (or equivalent), expand
Access Management > NBU User Groups.
2 Select an existing user group in the Details pane. (The pane on the left side
of the NetBackup Administration Console.)
3 Select Actions > Copy to New User Group. A dialog that is based on the
selected user group displays, opened to the General tab.
4 Type the name of the new group in the Name field, then click the Users tab.
5 Select the defined users that you want to assign to this new user group. Then
click Assign. Or, to include all the defined users in the group, click Assign All.
To remove users from the assigned users list, select the user name, then click
Remove.
6 Click the Permissions tab.
7 Select a resource from the Resources list and Authorization Object, then select
the permissions for the object.
8 Click OK to save the user group and the group permissions. The new name
for the user group appears in the Details pane.

Renaming a user group

Once a NetBackup user group has been created, the user group cannot be renamed.
The alternative to directly renaming a user group is to follow these steps: copy the
user group, give the copy a new name, ensure the same membership as the original,
then delete the original NetBackup user group.

Adding a new user to the user group

Click New User to add a user to the Defined Users list. After you add a user, the
name appears in the Defined Users list and the Security Administrator can assign
the user to the user group.
See “Assigning a user to a user group” on page 233.
 NetBackup Access Control Security (NBAC) 232
About determining who can access NetBackup

About defining a user group and users

NetBackup authenticates existing users of the operating system instead of requiring
that NetBackup users be created with a NetBackup password and profile.
Users can belong to more than one user group and have the combined access of
both groups.
Figure 14-7 shows defining a user group.

Figure 14-7 Defining a user group

User_Group_1

Users

Users can belong in more

than one user group User_Group_2

Users

Users can be members of multiple user groups simultaneously, but NetBackup

does not allow user groups to be nested. For example, members of a user group
can belong to more than one user group, but a user group cannot belong to another
user group.
The following figure shows that nested user groups are not allowed.

Figure 14-8 Nested user groups are not allowed

User_Group_1

Users

Nested user groups are

not allowed User_Group_2

Users

Logging on as a new user

You can use the following procedure to log on as a new user.
 NetBackup Access Control Security (NBAC) 233
About determining who can access NetBackup

To log on as a new user

◆ Expand File > Login as New User (Windows). This option is only available
on computers that are configured for access control. It is useful to employ the
concept of operating with least privileges and an individual needs to switch to
using an account with greater privilege.

Assigning a user to a user group

You can use the following procedure to assign a user to a user group. A user is
assigned from a pre-existing name space (NIS, Windows, etc.) to an NBU user
group. No new user accounts are created in this procedure.
To add a user to a user group
1 As a member of the NBU_Security Admin user group (or equivalent), expand
Access Management > NBU User Groups.
2 Double-click on the user group to which you want to add a user.
3 Select the Users tab and click Add User.
4 Enter the user name and the authentication domain. Select the domain type
of the user: NIS, NIS+, PASSWD, Windows, or Vx.
5 Select the Domain Type of the user:
■ NIS
Network Information Services
■ NIS+
Network Information Services Plus
■ PASSWD
UNIX password file on the authentication server
■ Windows
Primary domain controller or Active Directory
■ Vx
Veritas private database

6 For the User Type, select whether the user is an individual user or an OS
domain.
7 Click OK. The name is added to the Assigned Users list.

About authorization objects and permissions

In general, an authorization object correlates to a node in the NetBackup
Administration Console tree.
 NetBackup Access Control Security (NBAC) 234
Viewing specific user permissions for NetBackup user groups

The Authorization Objects pane contains the NetBackup objects to which

permissions can be granted.
The Permissions for "DevHost" pane indicates the permission sets for which the
selected user group is configured.
An authorization object may be granted one of these permission sets:
■ Browse/Read
■ Operate
■ Configure
A lowercase letter in the Permissions for "DevHost" column indicates some (but
not all) of the permissions in a permission set. Permissions have been granted for
the object.

Viewing specific user permissions for NetBackup

user groups
The permissions that are granted to each of the NBU user groups correlate to the
name of the authorization object. The NBU default user groups include the
NBU_Operator, NBU_Admin, NBU_SAN Admin, NBU_User, NBU_Security Admin,
and Vault_Operator.
Due to the complexities of interdependencies between resources, in some places
it is not possible to map access to a resource or to a single permission. There might
be multiple underlying permissions across resources that need to be evaluated to
make an access check decision. This mix of permissions can cause some
discrepancies between resource permissions and resource access. This possible
discrepancy is mostly limited to read access. For example, a Security_Admin might
not have permissions to list or browse policies. The administrator needs access to
policies as they contain client information that is required to configure security for
clients.

Note: There can be a permissions anomaly. The NBU_User, NBU_KMS_Admin,

NBU_SAN Admin, and Vault_Operator users are not able to access host properties
from the Java GUI. To fetch data for host properties reference is made to the policy
object as well. This anomaly means that to access the host properties the user
requires Read/Browse access on the policy object. Manually giving read access to
the policy object resolves the issue.
 NetBackup Access Control Security (NBAC) 235
Viewing specific user permissions for NetBackup user groups

Note: More information on this subject can be found by referring to the Veritas
Technical Support wesite.

To View specific user permissions

1 In the NetBackup Administration Console, expand Access Management
> NBU User Groups.
2 Double click on the appropriate NBU_Operator, NBU_Admin, NBU_SAN Admin,
NBU_User, NBU_Security Admin, or Vault_Operator in the Security window.
3 In the NBU_Operator window, select the Permissions tab.
4 In the Authorization Objects pane, select the desired authorization object.
The Permissions pane displays the permissions for that authorization object.

Granting permissions
You can use the following procedure to grant a permission to the members of a
user group.
To grant a permission to the members of a user group
1 Select an authorization object.
2 Then place a check in front of a permission that you want to grant the members
of the user group currently selected.
When a user group is copied to create a new user group, the permission settings
are also copied.

Authorization objects
The following tables show the authorization objects in the order that they appear
in the NetBackup Administration Console, NBU_Operator window.
The tables also show the relationships between the authorization objects and default
permissions for each of the NBU user groups as follows:
■ The "X" indicates that the specified user group has permission to perform the
activity.
■ The "---" indicates that the specified user group does not have permission to
perform the activity.

Media authorization object permissions

The following table shows the permissions that are associated with the Media
authorization object.
 NetBackup Access Control Security (NBAC) 236
Viewing specific user permissions for NetBackup user groups

Table 14-17 Media authorization object permissions

Set Activity NBU_ NBU_ NBU_ NBU_ NBU_ Vault_ NBU_KMS

Operator Admin SAN User Security Operator Admin
Admin Admin

Browse Browse X X --- --- --- X ---

Read Read X X --- --- --- X ---

Operate Update X X --- --- --- X ---

barcodes
X X --- --- --- X ---
Eject
X X --- --- --- X ---
Move
X X --- --- --- X ---
Assign
X X --- --- --- X ---
Deassign
X X --- --- --- X ---
Update
Database

Configure New --- X --- --- --- X ---

Delete --- X --- --- --- X ---

Expire --- X --- --- --- X ---

Policy authorization object permissions

The following table shows the permissions that are associated with the Policy
authorization object.

Table 14-18 Policy authorization object permissions

Set Activity NBU_ NBU_ NBU_ NBU_ NBU_ Vault_ NBU_KMS

Operator Admin SAN User Security Operator Admin
Admin Admin

Browse Browse X X --- --- --- --- ---

Read Read X X --- --- --- --- ---

Operate Back up X X --- --- --- --- ---

Configure Activate --- X --- --- --- --- ---

Deactivate --- X --- --- --- --- ---

New --- X --- --- --- --- ---

Delete --- X --- --- --- --- ---

 NetBackup Access Control Security (NBAC) 237
Viewing specific user permissions for NetBackup user groups

Drive authorization object permissions

The following table shows the permissions that are associated with the Drive
authorization object.

Table 14-19 Drive authorization object permissions

Set Activity NBU_ NBU_ NBU_ NBU_ NBU_ Vault_ NBU_KMS

Operator Admin SAN User Security Operator Admin
Admin Admin

Browse Browse X X X --- --- X ---

Read Read X X X --- --- X ---

Operate Up X X --- --- --- --- ---

Down X X --- --- --- --- ---

Reset X X --- --- --- --- ---

Assign X --- --- --- --- --- ---

Deassign X --- --- --- --- --- ---

Configure New --- X --- --- --- --- ---

Delete --- X --- --- --- --- ---

Report authorization object permissions

The following table shows the permissions that are associated with the Report
authorization object. Reports include only the Access permission set, and do not
include a Configure or Operate permission set.

Table 14-20 Report authorization object permissions

Set Activity NBU_ NBU_ NBU_ NBU_ NBU_ Vault_ NBU_KMS

Operator Admin SAN User Security Operator Admin
Admin Admin

Browse Browse --- X --- --- --- X ---

Read Read --- X --- --- --- X ---

NBU_Catalog authorization object permissions

The following table shows the permissions that are associated with the NetBackup
catalog authorization object.
 NetBackup Access Control Security (NBAC) 238
Viewing specific user permissions for NetBackup user groups

Table 14-21 NBU_Catalog authorization object permissions

Set Activity NBU_ NBU_ NBU_ NBU_ NBU_ Vault_ NBU_KMS

Operator Admin SAN User Security Operator Admin
Admin Admin

Browse Browse --- X --- --- --- X ---

Read Read --- X --- --- --- X ---

Operate Back up --- X --- --- --- --- ---

Restore --- X --- --- --- --- ---

Verify --- X --- --- --- --- ---

Duplicate --- X --- --- --- --- ---

Import --- X --- --- --- --- ---

Expire --- X --- --- --- --- ---

Configure New --- X --- --- --- --- ---

Delete --- X --- --- --- --- ---

Read --- X --- --- --- --- ---

Configuration
--- X --- --- --- --- ---
Set
Configuration

Robot authorization object permissions

The following table shows the permissions that are associated with the robot
authorization object.

Table 14-22 Robot authorization object permissions

Set Activity NBU_ NBU_ NBU_ NBU_ NBU_ Vault_ NBU_KMS

Operator Admin SAN User Security Operator Admin
Admin Admin

Browse Browse X X X --- --- X ---

Read Read X X X --- --- X ---

Operate Inventory X X --- --- --- X ---

Configure New --- X --- --- --- X ---

Delete --- X --- --- --- X --

 NetBackup Access Control Security (NBAC) 239
Viewing specific user permissions for NetBackup user groups

Storage unit authorization object permissions

The following table shows the permissions that are associated with the storage unit
authorization object.

Table 14-23 Storage unit authorization object permissions

Set Activity NBU_ NBU_ NBU_ NBU_ NBU_ Vault_ NBU_KMS

Operator Admin SAN User Security Operator Admin
Admin Admin

Browse Browse X X --- --- --- --- ---

Read Read X X --- --- --- --- ---

Configure Assign --- X --- --- --- --- ---

New --- X --- --- --- --- ---

Delete --- X --- --- --- --- ---

DiskPool authorization object permissions

The following table shows the permissions that are associated with the disk pool
authorization object.

Table 14-24 DiskPool authorization object permissions

Set Activity NBU_ NBU_ NBU_ NBU_ NBU_ Vault_ NBU_KMS

Operator Admin SAN User Security Operator Admin
Admin Admin

Browse Browse X X X --- --- --- ---

Read Read X X X --- --- --- ---

Operate New --- X X --- --- --- ---

Delete --- X X --- --- --- ---

Modify --- X X --- --- --- ---

Mount --- X X --- --- --- ---

Unmount --- X X --- --- --- ---

Configure Read --- X X --- --- --- ---

Configuration
--- --- X --- --- --- ---
Set
Configuration
 NetBackup Access Control Security (NBAC) 240
Viewing specific user permissions for NetBackup user groups

BUAndRest authorization object permissions

The following table shows the permissions that are associated with the backup and
restore authorization object.

Table 14-25 BUAndRest authorization object permissions

Set Activity NBU_ NBU_ NBU_ NBU_ NBU_ Vault_ NBU_KMS

Operator Admin SAN User Security Operator Admin
Admin Admin

Browse Browse X X X X --- --- X

Read Read X X X X --- --- X

Operate Back up X X X X --- --- X

Restore X X X X --- --- X

Alternate Client X X --- --- --- --- ---

Alternate X X --- --- --- --- ---

Server
X X --- --- --- --- ---
Admin Access
--- --- --- --- --- --- ---
Database
--- --- X X --- --- X
Agent

List

Job authorization object permissions

The following table shows the permissions that are associated with the Job
authorization object.

Table 14-26 Job authorization object permissions

Set Activity NBU_ NBU_ NBU_ NBU_ NBU_ Vault_ NBU_KMS

Operator Admin SAN User Security Operator Admin
Admin Admin

Browse Browse X X --- --- --- X ---

Read Read X X --- --- --- X ---

 NetBackup Access Control Security (NBAC) 241
Viewing specific user permissions for NetBackup user groups

Table 14-26 Job authorization object permissions (continued)

Set Activity NBU_ NBU_ NBU_ NBU_ NBU_ Vault_ NBU_KMS

Operator Admin SAN User Security Operator Admin
Admin Admin

Operate Suspend X X --- --- --- X ---

Resume X X --- --- --- X ---

Cancel X X --- --- --- X ---

Delete X X --- --- --- X ---

Restart X X --- --- --- X ---

New X X --- --- --- X ---

Service authorization object permissions

The following table shows the permissions that are associated with the Service
authorization object.

Table 14-27 Service authorization object permissions

Set Activity NBU_ NBU_ NBU_ NBU_ NBU_ Vault_ NBU_KMS

Operator Admin SAN User Security Operator Admin
Admin Admin

Browse Browse X X --- --- --- X ---

Read Read X X --- --- --- X ---

Operate Stop X X --- --- --- --- ---

The Read and Browse permissions do not have an effect on the Daemons tab. This
information is harvested from the server using user level calls. The calls are used
to access the process task list and is displayed to all users for informational
purposes.
If a user is not a member of the NBU_Admin user group, but is logged on as an OS
administrator (Administrator or root), then:
■ The user is able to restart a service from within the NetBackup Administration
Console or from the command line.
■ The user is able to stop a service from within the NetBackup Administration
Console but not from the command line.
 NetBackup Access Control Security (NBAC) 242
Viewing specific user permissions for NetBackup user groups

If a user is not a member of the NBU_Admin user group, but is logged on as an OS

administrator (root). That user is able to restart a daemon from the command line
only:

/etc/init.d/netbackup start

If a user is a member of the NBU_Admin user group, but is not logged on as an OS

administrator (Administrator), then:
■ The user is not able to restart a service from within the NetBackup
Administration Console or from the command line.
■ The user is not able to stop a service from within the NetBackup Administration
Console but the user can use the command line.
(For example, bprdreq -terminate, bpdbm -terminate, or stopltid.)
If a user is a member of the NBU_Admin user group, but is not logged on as an OS
administrator (root). That user is not able to restart a daemon from the NetBackup
Administration Console or from the command line.

HostProperties authorization object permissions

The following table shows the permissions that are associated with the host
properties authorization object.

Table 14-28 HostProperties authorization object permissions

Set Activity NBU_ NBU_ NBU_ NBU_ NBU_ Vault_ NBU_KMS

Operator Admin SAN User Security Operator Admin
Admin Admin

Browse Browse X X X X X X X

Read Read X X X X X X X

Configure New --- X --- --- --- --- ---

Delete --- X --- --- --- --- --

License authorization object permissions

The following table shows the permissions that are associated with the License
authorization object.
 NetBackup Access Control Security (NBAC) 243
Viewing specific user permissions for NetBackup user groups

Table 14-29 License authorization object permissions

Set Activity NBU_ NBU_ NBU_ NBU_ NBU_ Vault_ NBU_KMS

Operator Admin SAN User Security Operator Admin
Admin Admin

Browse Browse X X X X X X X

Read Read X X X X X X X

Configure Assign --- X --- --- --- --- ---

New --- X --- --- --- --- ---

Delete --- X --- --- --- --- ---

Volume group authorization object permissions

The following table shows the permissions that are associated with the volume
group authorization object.

Table 14-30 Volume group authorization object permissions

Set Activity NBU_ NBU_ NBU_ NBU_ NBU_ Vault_ NBU_KMS

Operator Admin SAN User Security Operator Admin
Admin Admin

Browse Browse X X --- --- --- X ---

Read Read X X --- --- --- X ---

Configure New --- X --- --- --- --- ---

Delete --- X --- --- --- --- ---

VolumePool authorization object permissions

The following table shows the permissions that are associated with the volume pool
authorization object.

Table 14-31 VolumePool authorization object permissions

Set Activity NBU_ NBU_ NBU_ NBU_ NBU_ Vault_ NBU_KMS

Operator Admin SAN User Security Operator Admin
Admin Admin

Browse Browse X X --- --- --- X ---

Read Read X X --- --- --- X ---

 NetBackup Access Control Security (NBAC) 244
Viewing specific user permissions for NetBackup user groups

Table 14-31 VolumePool authorization object permissions (continued)

Set Activity NBU_ NBU_ NBU_ NBU_ NBU_ Vault_ NBU_KMS

Operator Admin SAN User Security Operator Admin
Admin Admin

Configure Assign --- X --- --- --- --- ---

New --- X --- --- --- --- ---

Delete --- X --- --- --- --- ---

DevHost authorization object permissions

The following table shows the permissions that are associated with the device host
authorization object.

Note: The DevHost object controls access to the Media and Device Management
> Credentials node.

Table 14-32 DevHost authorization object permissions

Set Activity NBU_ NBU_ NBU_ NBU_ NBU_ Vault_ NBU_KMS

Operator Admin SAN User Security Operator Admin
Admin Admin

Browse Browse X X X --- --- X ---

Read Read X X X --- --- X ---

Operate Stop X X --- --- --- --- ---

Synchronize X X --- --- --- --- ---

Configure New --- X --- --- --- --- ---

Delete --- X --- --- --- --- ---

Security authorization object permissions

The following table shows the permissions that are associated with the security
authorization object.
 NetBackup Access Control Security (NBAC) 245
Viewing specific user permissions for NetBackup user groups

Table 14-33 Security authorization object permissions

Set Activity NBU_ NBU_ NBU_ NBU_ NBU_ Vault_ NBU_KMS

Operator Admin SAN User Security Operator Admin
Admin Admin

Browse Browse --- --- --- --- X --- ---

Read Read --- --- --- --- X --- ---

Configure Security --- --- --- --- X --- ---

Fat server authorization object permissions

The following table shows the permissions that are associated with the Fat server
authorization object.

Table 14-34 Fat server authorization object permissions

Set Activity NBU_ NBU_ NBU_ NBU_ NBU_ Vault_ NBU_KMS

Operator Admin SAN User Security Operator Admin
Admin Admin

Browse Browse X X X --- --- --- ---

Read Read X X X --- --- --- ---

Configure Modify --- X X --- --- --- ---

Modify SAN --- --- X --- --- --- ---

Configuration

Fat client authorization object permissions

The following table shows the permissions that are associated with the Fat client
authorization object.

Table 14-35 Fat client authorization object permissions

Set Activity NBU_ NBU_ NBU_ NBU_ NBU_ Vault_ NBU_KMS

Operator Admin SAN User Security Operator Admin
Admin Admin

Browse Browse X X X --- --- --- ---

Read Read X X X --- --- --- --

Operate Discover --- X X --- --- --- ---

 NetBackup Access Control Security (NBAC) 246
Viewing specific user permissions for NetBackup user groups

Table 14-35 Fat client authorization object permissions (continued)

Set Activity NBU_ NBU_ NBU_ NBU_ NBU_ Vault_ NBU_KMS

Operator Admin SAN User Security Operator Admin
Admin Admin

Configure Modify --- X X --- --- --- ---

Vault authorization object permissions

The following table shows the permissions that are associated with the vault
authorization object.

Table 14-36 Vault authorization object permissions

Set Activity NBU_ NBU_ NBU_ NBU_ NBU_ Vault_ NBU_KMS

Operator Admin SAN User Security Operator Admin
Admin Admin

Browse Browse --- X --- --- --- X ---

Read Read --- X --- --- --- X ---

Operate Manage --- X --- --- --- X ---

Containers
--- X --- --- --- X ---
Run Reports

Configure Modify --- X --- --- --- --- ---

Run Sessions --- X --- --- --- --- ---

Server group authorization object permissions

The following table shows the permissions that are associated with the server group
authorization object.

Table 14-37 Server group authorization object permissions

Set Activity NBU_ NBU_ NBU_ NBU_ NBU_ Vault_ NBU_KMS

Operator Admin SAN User Security Operator Admin
Admin Admin

Browse Browse X X --- --- --- X ---

Read Read X X --- --- --- X ---

 NetBackup Access Control Security (NBAC) 247
Upgrading NetBackup Access Control (NBAC)

Table 14-37 Server group authorization object permissions (continued)

Set Activity NBU_ NBU_ NBU_ NBU_ NBU_ Vault_ NBU_KMS

Operator Admin SAN User Security Operator Admin
Admin Admin

Configure New --- X --- --- --- --- ---

Delete --- X --- --- --- --- ---

Modify --- X --- --- --- --- ---

Key management system (kms) group authorization object

permissions
The following table shows the permissions that are associated with the Key
management system group authorization object.

Table 14-38 Key management system group authorization object permissions

Set Activity NBU_ NBU_ NBU_ NBU_ NBU_ Vault_ NBU_KMS

Operator Admin SAN User Security Operator Admin
Admin Admin

Browse Browse --- X --- --- --- --- X

Read Read --- X --- --- --- --- X

Configure New --- --- --- --- --- --- X

Delete --- --- --- --- --- --- X

Modify --- --- --- --- --- --- X

Upgrading NetBackup Access Control (NBAC)

Note: If NBAC is enabled, it is upgraded as part of the NetBackup upgrade. Refer
to the NetBackup Upgrade Guide for instructions about how to upgrade NetBackup.
Make sure that current AT and AZ services are running when the upgrade is
performed. If NetBackup is running in a cluster server, make sure that both services
are running in the active node where NetBackup is running and the upgrade is
performed.

The following procedure describes how to upgrade NetBackup Access Control

(NBAC).
 NetBackup Access Control Security (NBAC) 248
Configuration requirements if using Change Server with NBAC

Upgrading NetBackup Access Control (NBAC)

1 On the primary server, stop NetBackup.
2 Upgrade NetBackup.
On the media servers and client computers, first stop NetBackup and then
upgrade NetBackup. Note that the shared authentication and authorization
packages are no longer used on media servers and client computers. These
products can be removed if no other Veritas product uses them.

Configuration requirements if using Change

Server with NBAC
Additional configuration is required to perform the Change Server operation if
NetBackup Access Control is used.
The following steps assume that NBAC is already configured.

Configuration to support the Change Server operation:

fromServer -> toServer
■ Add fromServer to the host properties Additional Servers list on toServer.
■ If fromServer and toServer are from different NetBackup domains (media servers
of different primary servers):
■ Use the vssat command to set up trust between the primary servers of
fromServer and toServer.
■ Add the primary server of fromServer to the host properties Additional Servers
list on toServer.

■ If fromServer or toServer are media servers:

■ Use the bpnbaz –ProvisionCert command to deploy the security (Machine)
certificate if needed.

Additional configuration steps

To use the auth.conf file:
■ Add the USER entry to the auth.conf file on each server.
■ If NBAC is enabled, run the nbsetconfig on each server to add the entry:
USE_AUTH_CONF_NBAC = YES

To use the Remote Administration Console:

■ Set up trust with each primary server by using either the vssat command or
explicitly log on to each server at least once.
 NetBackup Access Control Security (NBAC) 249
Configuration requirements if using Change Server with NBAC

To troubleshoot the configuration after setup, use nslookup and bptestnetconn

-a -s to check server communications.
 Chapter 15
Minimizing security
configuration risk
This chapter includes the following topics:

■ About security configuration risk

■ Security settings to be configured to minimize risk

■ Set the current posture as security baseline

About security configuration risk

Security configuration risk depends on the status of the security settings in your
NetBackup domain. A higher configuration risk score indicates weaker security
configurations. To minimize the risk, enable all the required security settings. The
security configuration risk score is determined based on these settings.
See “Security settings to be configured to minimize risk” on page 251.
For more information on how to minimize the security configuration risk, see the
article.
The NetBackup web UI dashboard shows the security configuration risk score.
When you change any of the security settings, the risk score is updated on the
dashboard.
The following parameters help you learn the current security scenario in your domain
and how you can minimize the security configuration risk.
Use the NetBackup web UI dashboard to see these parameters.
 Minimizing security configuration risk 251
Security settings to be configured to minimize risk

Current posture
Current posture comprises the current values of NetBackup security settings. It is
recommended that you enable all security settings to minimize the security
configuration risk.
See “Security settings to be configured to minimize risk” on page 251.

Security baseline
Security baseline is a collection of recommended security settings for your
NetBackup domain. For the first time, you configure the security settings as per the
recommendation, and use this current posture as your security baseline.
By default, security baseline is not configured.
See “Security settings to be configured to minimize risk” on page 251.
See “Set the current posture as security baseline” on page 253.
The security baseline is managed by the NetBackup Administrator or the Security
Administrator.
For primary servers that are registered with Veritas Alta View server, the security
baseline is managed by the Veritas Alta View Administrator.

Compliance status
If a NetBackup security setting (current posture) does not comply with the security
baseline, it is shown in the compliance status as 'Not compliant with the baseline'.
You should review the compliance status and modify the security settings to minimize
the risk.

RBAC roles and permissions

To view the Security configuration risk card on the NetBackup web UI dashboard,
you should have the following roles and permissions:
See “Configuring RBAC” on page 133.

RBAC roles Permissions

Custom View, update global security settings

Security settings to be configured to minimize

risk
Configure the following security settings to minimize the security configuration risk.
 Minimizing security configuration risk 252
Security settings to be configured to minimize risk

See “About security configuration risk” on page 250.

Table 15-1
Security settings Description Reference

Secure control This setting enforces secure communication in NetBackup See “About secure
communication domain, which is recommended. communication settings”
on page 292.

Secure certificate This setting is considered enabled if the security level for See “About NetBackup
deployment certificate deployment is set to High or Very High, which is certificate deployment security
recommended. levels” on page 307.

Secure data-in-transit This setting enables all the hosts in the NetBackup domain See “Configure the global
encryption to use data-in-transit encryption, , which is recommended. data-in-transit encryption
setting” on page 365.

Enforce multifactor This setting adds an additional layer of protection beyond See “Enforce multifactor
authentication just passwords that significantly reduces the risk of malicious authentication for all users”
access. on page 256.

Configuring multi-factor authentication for all users is

recommended.

Configure multi-person This setting ensures that critical actions or decisions are See “Configure multi-person
authorization approved by multiple authorized individuals, minimizing the authorization” on page 268.
risk of errors, fraud, or misuse of privileges.

Enabling this setting is recommended.

Malware scan This setting scans backup images and detects malware. See “How to set up malware
configuration scanning” on page 601.
Configuring this setting is recommended.

Anomaly detection This setting detects any unusual deviation in backup job or See “ Configure backup
configuration system attributes and notifies it as an anomaly. anomaly detection settings”
on page 575.
Enabling backup and system anomaly detection is
recommended. See “Configure system
anomaly detection settings”
on page 581.

Service user Having NetBackup services configured to run under service See “Configuring a service
configuration user (non-privileged user) account is highly recommended. user account” on page 559.

Security configuration risk can be reduced if more hosts are

configured to run NetBackup services under service user
account.

Primary server, media server, and client hosts are considered

for service user configuration.
 Minimizing security configuration risk 253
Set the current posture as security baseline

Set the current posture as security baseline

Current posture comprises the current values of NetBackup security settings. It is
recommended that you enable all security settings to minimize the security
configuration risk.
See “About security configuration risk” on page 250.
Security baseline is a collection of recommended security settings for your
NetBackup domain. For the first time, you configure the security settings as per the
recommendation, and use this current posture as your security baseline.
At any point of time, a user with the 'View, update global security settings'
permissions can set the current configuration posture as the security baseline.
Set the current posture as security baseline
1 Enable the security settings to minimize the security configuration risk.
See “Security settings to be configured to minimize risk” on page 251.
2 On the Global security settings > Overview tab, click Use current posture
values as security baseline.
After the security baseline is set, if a NetBackup security setting is modified
and therefore it no longer complies with the security baseline, it is flagged in
the compliance status on the Global security settings > Overview tab.
 Chapter 16
Configuring multifactor
authentication
This chapter includes the following topics:

■ About multifactor authentication

■ Configure multifactor authentication for your user account

■ Disable multifactor authentication for your user account

■ Enforce multifactor authentication for all users

■ Configure multifactor authentication for your user account when it is enforced

in the domain

■ Reset multifactor authentication for a user

About multifactor authentication

Multifactor authentication is a multiple-step account login process that requires you
to enter a 6-digit one-time password along with your password.
It is strongly recommended that you configure multifactor authentication to protect
the security of your environment.

Note: User logins that are based on the following authentication types do not support
multifactor authentication: SAML, smart card, and API keys.

See “Configure multifactor authentication for your user account” on page 255.
 Configuring multifactor authentication 255
Configure multifactor authentication for your user account

If multifactor authentication is configured, you may need to reauthenticate yourself

by entering the one-time password that you see in the authenticator application on
your smart device before you perform the following operations:
■ Manage the global security settings for the primary server
■ Adding an API key

If multifactor authentication is enforced in the NetBackup domain, all users must

configure multifactor authentication for their user accounts for successful sign-in.
See “Configure multifactor authentication for your user account when it is enforced
in the domain” on page 257.

Configure multifactor authentication for your user

account
For enhanced security, you can configure multifactor authentication for your user
account. You must first install and configure authenticator application on your smart
device that provides you with the one-time password.
Configuring multifactor authentication in NetBackup does not require internet
connectivity on your smart device.
If the NetBackup administrator has enforced multifactor authentication in the
NetBackup domain, you must configure it for your user account for successful
sign-in.
See “Disable multifactor authentication for your user account” on page 256.
To configure multifactor authentication for your user account
1 Sign in to the NetBackup web UI.
2 On the top right, click the profile icon and click Configure multifactor
authentication.
3 On the Configure multifactor authentication screen, click Configure.
4 On the next screen, follow the given steps.
Install and configure authenticator application on your smart device. It generates
one-time password and sends it on your smart device.
Supported authenticator applications
5 Scan the QR code with the authenticator application or enter the key manually.
 Configuring multifactor authentication 256
Disable multifactor authentication for your user account

6 Enter the one-time password that you see in the authenticator application on
your smart device.
7 Select Configure.
At the time of next sign-in, you need to enter the one-time password along with
the username and password.

Disable multifactor authentication for your user

account
If multifactor authentication is not enforced, you can disable it for your user account.
However, it is strongly recommended that you configure multifactor authentication
to protect the security of your account.
See “Configure multifactor authentication for your user account” on page 255.
To disable multifactor authentication for your user account
1 Sign in to the NetBackup web UI.
2 On the top right, click the profile icon and select Configure multifactor
authentication.
3 If you have already configured multifactor authentication for your user account,
you can see the Disable option.
4 Select Disable.
5 Enter the one-time password and click Confirm.

Enforce multifactor authentication for all users

Only the NetBackup administrator can enforce multifactor authentication for all
NetBackup users.
To enforce multifactor authentication for all users
1 Sign in to the NetBackup web UI.
2 On the top right, click Settings > Global security.
3 On the Security controls tab, turn on Enforce multifactor authentication.
Select Confirm to enforce multifactor authentication for all NetBackup users.
Notify all users that they must configure multifactor authentication for their user
accounts to be able to successfully sign in.
See “Configure multifactor authentication for your user account” on page 255.
 Configuring multifactor authentication 257
Configure multifactor authentication for your user account when it is enforced in the domain

Configure multifactor authentication for your user

account when it is enforced in the domain
After multifactor authentication is enforced in the domain, you must configure it for
your user account if you have not already configured it. If you do not configure
multifactor authentication for your account after the enforcement, you cannot sign-in.
To configure multifactor authentication after the enforcement
1 Open a web browser and go to the following URL.
https://primaryserver/webui/login
The primaryserver is the host name or IP address of the NetBackup primary
server that you want to sign in to.
2 Go to the NetBackup sign-in screen.
3 Enter the Username and Password.

4 Select Sign in. The Configure multifactor authentication screen is displayed.

5 On the next screen, follow the given steps.
Install and configure an authenticator application on your smart device. It
generates a one-time password and sends it to your smart device.
Supported authenticator applications
6 Scan the QR code with the authenticator application or enter the key manually.
7 Enter the one-time password that you see in the authenticator application on
your smart device.
8 Select Configure.
Successful configuration takes you back to the sign-in screen.
Enter the username, password, and one-time password for successful sign-in.

Reset multifactor authentication for a user

Only the NetBackup administrator can reset multifactor authentication for other
NetBackup users.
To reset multifactor authentication for a NetBackup user
1 Sign in to the NetBackup web UI.
2 On the top right, click Settings > Global security.
3 Go to the Security controls tab.
 Configuring multifactor authentication 258
Reset multifactor authentication for a user

4 Locate the section Reset multifactor authentication for a user. Then select
Reset.
5 Select the user for whom you want to reset multifactor authentication.
6 Select Reset.
7 At the prompt, enter the one-time password and select Confirm.
 Chapter 17
Configuring multi-person
authorization
This chapter includes the following topics:

■ About multi-person authorization

■ Workflow to configure multi-person authorization for NetBackup operations

■ RBAC roles and permissions for multi-person authorization

■ Multi-person authorization process with respect to roles

■ NetBackup operations that need multi-person authorization

■ Configure multi-person authorization

■ View multi-person authorization tickets

■ Manage multi-person authorization tickets

■ Add exempted users

■ Schedule expiration and purging of multi-person authorization tickets

■ Disable multi-person authorization

About multi-person authorization

NetBackup Security Administrator can configure multi-person authorization that
helps protect primary servers from an undesirable or a malicious act, in a proactive
manner. Multi-person authorization ensures that a second authorized user approves
actions before they are performed.
 Configuring multi-person authorization 260
About multi-person authorization

To configure multi-person authorization in NetBackup, you need to have two users:

one is the requester and the other is the approver.
A requester cannot be an approver of their own tickets.

Support information
■ Multi-person authorization is not supported in a domain where NetBackup Access
Control (NBAC) is enabled.
■ Multi-person authorization is not supported for catalog maintenance operations
by certain database agents.
As part of the database catalog synchronization, the database may initiate an
image expiration request through command-line or other interfaces to the
NetBackup catalog, which does not generate multi-person authorization ticket.
To prevent the direct expiration of backup images by database agents see the
'About preventing the direct expiration of backup images' topic in the NetBackup
for Oracle Administrator's Guide.

Terminology
■ Ticket - Ticket is a multi-person authorization request to perform a critical
operation.
■ Requester - A requester is a user who wants to perform a critical operation that
requires multi-person authorization.
■ Approver - An approver is an individual who reviews and allows an operation
that requires multi-person authorization by approving a ticket.
■ Exempted user - An exempted user is not required to go through the multi-person
authorization workflow. This user must only be used to perform critical operations
like image expiration and image hold removal.
For additional security, it is recommended that there are no exempted users.

Command-line options that need multi-person

authorization
The following operations and the associated command-line options need
multi-person authorization:
■ Expiring images expiration:
■ bpexpdate

■ nbdecommission

■ bpimage -deleteCopy

■ Removing image hold:

 Configuring multi-person authorization 261
Workflow to configure multi-person authorization for NetBackup operations

■ nbholdutil -delete

■ Modifying global security settings:

■ nbcertcmd -setsecconfig

■ nbseccmd -setsecurityconfig

Workflow to configure multi-person authorization

for NetBackup operations
Here are the high-level steps to configure multi-person authorization for NetBackup
operations:

Table 17-1
Step Description

Step 1 Identify critical NetBackup operations that require multi-person

authorization.

See “NetBackup operations that need multi-person authorization”

on page 266.

Step 2 Identify the approvers who can approve requests or multi-person

authorization tickets.

Step 3 Assign the Default multi-person authorization approver RBAC

role to the approvers.

See “RBAC roles and permissions for multi-person authorization”

on page 262.

Step 4 Configure multi-person authorization using the NetBackup web

UI.

See “Configure multi-person authorization” on page 268.

Step 5 When a user or a requester tries to perform an operation that

requires multi-person authorization (for example, expiring an
image), a ticket is generated.

Initially, the ticket is in the pending state.

Step 6 The ticket is visible to all multi-person authorization approvers in

the NetBackup web UI where they can review the ticket
information and approve or reject the ticket.
 Configuring multi-person authorization 262
RBAC roles and permissions for multi-person authorization

Table 17-1 (continued)

Step Description

Step 7 When the approver approves or rejects the ticket, the requester
is notified. If the ticket is approved, the associated operation is
executed.
Note: For API key operations, the requester needs to execute
the operation using the web UI after the ticket is approved.

Multi-person authorization configuration begins when the Administrator or the

Security Administrator enables critical operations that require multi-person
authorization and specifies other settings like expiration period and purge period.
A multi-person authorization configuration ticket is generated. After the approver
approves the ticket, multi-person authorization configuration comes into effect.

Initial multi-person authorization configuration

Configuring multi-person authorization for the first time involves adding users to
the Default Multi-Person Authorization Approver role. To start using the multi-person
authorization for additional data security, the Security Administrator must enable
the multi-person authorization for critical pre-defined operations that require an
additional approval from a user with the Default Multi-Person Authorization Approver
role.
Initially, the Security Administrator should configure multi-person authorization that
results into a multi-person authorization ticket. After the approver approves the
ticket, multi-person authorization becomes mandatory for the specified NetBackup
operation (such as image expiry). The Administrator or Security Administrator can
add users to the Default Multi-Person Authorization Approver role at any point in
time.

RBAC roles and permissions for multi-person

authorization
Multi-person authorization configuration requires the users to be assigned to the
following RBAC roles:
■ Administrator
■ Default Security Administrator
■ Default Multi-Person Authorization Approver
Users with these RBAC roles should have the following permissions.
 Configuring multi-person authorization 263
Multi-person authorization process with respect to roles

Table 17-2
RBAC role Permissions

Administrator View, update multi-person authorization configuration,

and delegate the configuration permissions to other
users.

View, update tickets, and delegate ticket permissions to

other users.

Default Security Administrator View, update multi-person authorization configuration,

and delegate the configuration permissions to other
users.

Default Multi-person Authorization View and update tickets.

Approver

Default Operator View all NetBackup entities.

Multi-person authorization process with respect

to roles
Users can be requesters and approvers at the same time, however they cannot
approve their own tickets.
The multi-person authorization process flow with respect to roles is as follows:
 Configuring multi-person authorization 264
Multi-person authorization process with respect to roles

Table 17-3
Component Description

Multi-person When a requester performs a critical NetBackup operation that is

authorization ticket protected by multi-person authorization, a ticket is generated that
requires an approval from the approver before a specific action can be
executed.

This ticket is used within NetBackup to ensure that critical actions

undergo thorough review process by multiple people before they are
executed.

The following sample flow is for the image expiry operation that requires
multi-person authorization:

1 A requester expires an image using the NetBackup web UI.

2 A ticket is created.

3 The ticket is pending for approval.

4 Approvers review the ticket.

5 Approvers either approve or reject the ticket.

6 After the approval, the ticket is scheduled by NetBackup and finally

marked Done after the execution.

7 The ticket activity log, request, and response details can be viewed
by the approver or the requester using the web UI, on the Ticket
details page.

8 A ticket is expired after it ages beyond the expiration period. Such

tickets cannot be approved unless they are renewed by the
Requester.

9 Tickets in the Done, Rejected, Expired, and Canceled states are

purged when no action is performed on them for the specified
purge period in days.
 Configuring multi-person authorization 265
Multi-person authorization process with respect to roles

Table 17-3 (continued)

Component Description

Requester role 1 A requester is a user who initiates an operation that requires

multi-person authorization.

2 A ticket is created for the operation if the user is not in the

exempted users' list.

3 The ticket requires an approval from an approver before the

operation is performed.

4 A requester is not allowed to self approve even if the requester is

also an approver, an Administrator, or a Security Administrator.

5 Once the ticket is created it is in the Pending state.

6 The requester can cancel a ticket only if it is in the Pending state.

7 If the ticket ages beyond the expiry period, the ticket is moved to
the Expired state.

8 Only the requester can renew such tickets. A new expiry period
is calculated for the renewed ticket based on the configuration
settings multi-person authorization.

Approver role 1 An approver is an authorized individual who reviews and provides

approval for tickets.

2 The approver evaluates the details of the ticket and either approves
or rejects the ticket based on the assessment.

3 After the approval, the ticket is scheduled for execution.

4 To be an approver, the user should have RBAC permissions like

Update Ticket, View Ticket or the user should have the Default
Multi-Person Authorization Approver role.

5 When a ticket is in the Pending State, it can be approved or

rejected.
 Configuring multi-person authorization 266
NetBackup operations that need multi-person authorization

Table 17-3 (continued)

Component Description

Exempted users 1 An exempted user is an individual who does not need multi-person
authorization for operations except the following:
■ To modify multi-person authorization configuration
■ To modify security properties

2 User groups cannot be exempted.

3 This eliminates the necessity for any approvals, however it must

be used with caution.

4 If the exempted user account is hacked, the multi-person

authorization process can be of no use as it is bypassed for this
user.

5 For example, if user1 is an exempted user and she attempts to

expire an image (an operation that needs multi-person
authorization), the image expires without ticket generation and
additional approvals.

NetBackup operations that need multi-person

authorization
The following operations require multi-person authorization and therefore a ticket
is generated for these operations:
■ Configuring multi-person authorization
■ Enabling and disabling operations that require multi-person authorization
■ Adding exempted users
■ Changing any multi-person authorization settings
■ Expiring images
■ Updating image expiration time
■ Changing the MSDP WORM configuration
■ Removing the MSDP WORM retention lock
■ Removing hold applied on the images
■ Updating CLI expiration period
■ Adding, updating, and deleting an API key
■ Adding, updating, and deleting KMS configuration, keys, and key groups
 Configuring multi-person authorization 267
NetBackup operations that need multi-person authorization

■ Updating the following global security settings:

■ Enabling and disabling NetBackup host communication with insecure hosts
■ Adding host aliases with or without NetBackup administrator's approval
■ Setting automatic deployment of certificates on a host
■ Enabling and disabling CAC/PIV authentication
■ Setting values for CAC/PIV certificate mapping attribute
■ Setting the value of the CAC/PIV certificate mapping attribute that is used
to perform a search in active directory
■ Setting the value of the CAC/PIV certificate mapping attribute that is used
to perform a search in LDAP directory
■ Enabling and disabling AD/LDAP domain mapping
■ Setting the value of the domain name that is used for user look-ups in active
directory or LDAP
■ Setting the value of the OCSP URI that is used for certificate revocation
checks with respect to CAC/PIV authentication
■ Enabling and disabling the data-in-transit encryption (DTE)
■ Setting unique identifier for external certificates
■ Allowing or disallowing the NetBackup web UI access to Operating System
Administrators
■ Allowing or disallowing the default CLI access to OS administrators
■ Pausing client protection
■ Pausing client image expiration
■ Enabling and disabling TLS session resumption
■ Enabling and disabling rule engine for anomaly detection
■ Changing multifactor authentication configuration settings
■ Setting audit retention period for audit report

Even if multi-person authorization is configured for image expiry, the following

operations do not require multi-person authorization:
■ Changing values for image retention level
■ Modifying retention levels in policy and SLP
■ Canceling incomplete SLPs using the nbstlutil command:
Refer to the NetBackup Commands Reference Guide.
 Configuring multi-person authorization 268
Configure multi-person authorization

Configure multi-person authorization

The configuration of multi-person authorization for NetBackup operations is
supported only from the NetBackup web UI. A user with the Administrator or the
Security Administrator role can configure multi-person authorization for critical
NetBackup operations.
To configure multi-person authorization for NetBackup operations
1 Sign into the NetBackup web UI using the security administrator account.
2 On the left, select Security > Multi-person authorization.
3 At the top right, select the option Configure multi-person authorization.
4 Go to Operations for multi-person authorization. Then select Edit.
5 Select all or any of the following critical operations for which you want to
configure multi-person authorization.
■ Images
■ Image expiry
■ Remove image hold

■ Security
■ Global security settings
■ Encryption key management
■ API keys

Note: Starting with NetBackup 10.5, if multi-person authorization is

enabled for API key operations, a ticket is generated. After the
multi-person authorization ticket is approved, the user needs to execute
the ticket using the Execute ticket option in the NetBackup web UI and
then the required API key operation is executed.
For NetBackup releases earlier than 10.5, if multi-person authorization
is enabled, you cannot perform API key operations.

■ MSDP WORM
■ WORM retention lock removal
■ WORM configuration change

6 Select Save.
7 Configure the users to exempt from multi-person authorization.
 Configuring multi-person authorization 269
View multi-person authorization tickets

8 Go to Schedules. Then select Edit.

9 Specify the settings for when you want to expire and purge the multi-person
authorization tickets.
10 Select Save.
11 Select Configure.

View multi-person authorization tickets

Users can view their own multi-person authorization tickets.
1 Sign into the NetBackup web UI.
2 On the left pane, click Security > Multi-person authorization. The list of
multi-person authorization tickets is displayed.
Select the ticket ID to see more details.

Manage multi-person authorization tickets

Users with the approver role can approve or reject the multi-person authorization
tickets.
To manage multi-person authorization tickets
1 Sign into the NetBackup web UI.
2 On the left pane, click Security > Multi-person authorization. The list of
multi-person authorization tickets is displayed.
3 Select the ticket ID to view the request details.
4 Select Review ticket and enter the respective ticket ID to approve or reject
the ticket.
5 Add comments and click Approve or Reject.

Add exempted users

Your organization may need to exempt certain users from multi-person authorization
so that operations like image expiry and image hold removal can proceed without
second-level approval.
Add such users to the exempted users' list.
 Configuring multi-person authorization 270
Schedule expiration and purging of multi-person authorization tickets

Note: User groups cannot be added to the exempted list. Only individual users can
be exempted.

The exempted users also need to go through the multi-person authorization workflow
for the following operations:
■ Modifying multi-person authorization configuration
■ Modifying global security settings
■ Modifying risk engine-based anomaly detection configuration
An exempted user is generally an automation user or a script that does not require
multi-person authorization. By default, multi-person authorization configuration does
not have exempted users and that is a recommended security setting.
To add exempted users
1 Sign into the NetBackup web UI.
2 On the left pane, select Security > Multi-person authorization.
3 On the top right, select Configure multi-person authorization.
4 In the Exempted users section, select the Add button.
5 Specify the name of the user whom you want to exempt from the multi-person
authorization process.
6 Select Add to list and then Save.
7 Select Save.

Schedule expiration and purging of multi-person

authorization tickets
Expiration period is configurable option defines the duration for which a multi-person
authorization ticket can be in the Pending state. A ticket expires if it is in the Pending
state for more than the configured expiry period.
For multi-person authorization configuration, expiration period can vary from
minimum 24 hours to 168 hours. By default, tickets expire after 72 hours.
Purge period is a configurable option defines the duration for which a ticket resides
in the tickets database. Purging a ticket ensures that the database does not grow
exponentially. Purge period can vary from minimum 3 days to 30 days.
By default, tickets purge after 72 hours. All the Done, Expired, Rejected, and
Canceled tickets are purged after the given purge period.
 Configuring multi-person authorization 271
Disable multi-person authorization

To schedule expiration and purging of tickets

1 Sign into the NetBackup web UI.
2 On the left pane, click Security > Multi-person authorization.
3 On the top right, click Configure multi-person authorization.
4 In the Schedules section, click Edit.
5 Specify the expiration period (in hours) for the Expire ticket after option.
Specify the purge period (in days) for the Purge ticket after option.
6 Select Save.
7 Select Save.

Disable multi-person authorization

In certain cases, you may need to temporarily disable multi-person authorization
for the associated operations.
To disable multi-person authorization for all the associated operations, run the
following command after bpnbat -login -loginType WEB using the root or
Administrator account.
nbseccmd -disableMPA

You can disable multi-person authorization for a specific operation using the
NetBackup web UI
To disable multi-person authorization for a specific operation
1 Sign into the NetBackup web UI.
2 On the left pane, click Security > Multi-person authorization.
3 On the top right, click Configure multi-person authorization.
4 In the Operations for multi-person authorization section, click Edit.
5 Clear the check box for the operation for which you want to disable multi-person
authorization.
6 Select Save.
7 Select Save.
This generates a ticket that is shown on the ticket details page with the operation
name as MPA Configuration.
Multi-person authorization will be disabled for the associated operation only
after the approval of the respective ticket.
 Section 2
Encryption of data-in-transit

■ Chapter 18. NetBackup CA and NetBackup certificates

■ Chapter 19. Configuring data-in-transit encryption (DTE)

■ Chapter 20. External CA and external certificates

■ Chapter 21. Regenerating keys and certificates

 Chapter 18
NetBackup CA and
NetBackup certificates
This chapter includes the following topics:

■ Overview of security certificates in NetBackup

■ About secure communication in NetBackup

■ About the Security Management utilities

■ About host management

■ About global security settings

■ About host name-based certificates

■ About host ID-based certificates

■ About Token Management for host ID-based certificates

■ About the host ID-based certificate revocation list

■ About revoking host ID-based certificates

■ Deleting host ID-based certificates

■ Host ID-based certificate deployment in a clustered setup

■ About the communication between a NetBackup client located in a demilitarized

zone and a primary server through an HTTP tunnel

■ Adding a NetBackup host manually

■ Migrating NetBackup CA
 NetBackup CA and NetBackup certificates 274
Overview of security certificates in NetBackup

Overview of security certificates in NetBackup

NetBackup uses security certificates to authenticate NetBackup hosts. The security
certificates conform to the X.509 Public Key Infrastructure (PKI) standard. A primary
server acts as the Certificate Authority (CA) and issues digital certificates to hosts.
Any security certificates that were generated before NetBackup 8.0 are referred to
as host name-based certificates. NetBackup is in the process of replacing these
older certificates with newer host ID-based certificates. The transition will be
completed in future releases and the use of host name-based certificates will be
eliminated.
However, the transition is on-going and NetBackup continues to require the older
host name-based certificates for some operations. The following table lists various
operations where host name-based certificate is required.

Note: All NetBackup 8.1 hosts must have a host ID-based certificate.

Table 18-1 Host name-based certificate requirements for NetBackup 8.1

hosts

Operation or Type of certificate required

component

NetBackup Access If NBAC is enabled on a NetBackup host, the host requires a host name-based certificate.
Control (NBAC) These are automatically deployed when NBAC is enabled.

Cloud storage This is applicable to NetBackup media server versions 8.0 to 8.1.2 only.

The NetBackup CloudStore Service Container requires that the host name-based certificate
be installed on the media server. If the certificate is not installed, the Service Container cannot
start.

See “Deploying host name-based certificates” on page 301.

About secure communication in NetBackup

NetBackup 8.1 and later hosts can communicate with each other only in a secure
mode. NetBackup 8.1 hosts must have a Certificate Authority (CA) certificate and
a host ID-based certificate for successful communication. NetBackup uses Transport
Layer Security (TLS) protocol for host communication where each host needs to
present its security certificate and validate the peer host's certificate against the
Certificate Authority (CA) certificate.
All control communication (or control channel) between NetBackup hosts are secured
using Transport Layer Security (TLS) protocol version 1.2 and X.509 certificates.
 NetBackup CA and NetBackup certificates 275
About secure communication in NetBackup

The NetBackup software uses Control communication to initiate, control, and monitor
backup, archive, and restore operations.
Data communication consists of the data that is backed up using NetBackup. The
security policies require the Backup Administrators to ensure that the channel on
which NetBackup clients send metadata and data to NetBackup servers be secure.
In NetBackup 10.0 and later, the backup images and metadata are encrypted over
the wire by secure communications. This feature is referred to as Data Channel
Encryption or Data In-Transit Encryption (DTE).
The following channels are classified as data channels:
■ Tar stream (client to media server): This channel is the channel over which the
tar or the data stream flows between the client and the media server. During a
backup operation, the media server receives the data from the client and sends
it to storage (for example, by an OST plug-in). The direction is reversed during
a restore.
■ Tar stream (media server to media server): This channel is used during
duplication.
■ Catalog Info (client to media server): This channel is the channel over which
the catalog information and control commands flow between the client and the
media server. The amount of data that is transmitted over this channel is
proportional to the number of files and directories that are part of the backup.
The media server sends the catalog information that is received from the client
to the primary server.
■ Catalog Info (media server to primary server): This channel is the channel over
which the catalog information flows from the media server to the primary server.
Secure communication settings are available in Settings > Global security.
See “About host management” on page 277.
See “Adding host ID to host name mappings” on page 279.
See “About global security settings” on page 292.
See “About secure communication settings” on page 292.
See “About disaster recovery settings” on page 296.
Two commands, nbhostmgmt and nbhostidentity, along with enhancements to
nbcertcmd and nbseccmd, provide options to manage certificate deployment and
other security settings.
 NetBackup CA and NetBackup certificates 276
About the Security Management utilities

About the Security Management utilities

The NetBackup Administration Console > Security Management node is visible
only to administrators on the NetBackup primary server.
Security Management contains the utilities to view login activity, manage host
ID-based certificates, and configure secure communications in the domain.
■ Use Security Events to view the login details about the current administrator
and the user-initiated changes that are made to certificates, tokens, hosts, and
security configurations. You can also view details about host connections.
■ Use the Host Management node to carry out NetBackup host operations, such
as adding or approving host ID to host name mappings, resetting host, or adding
comments for a host.
See “Hosts tab” on page 278.
■ Use the Certificate Management node to carry out operations specific to
certificates such as viewing, revoking, or reissuing.
See “Using the Certificate Management utility to issue and deploy host ID-based
certificates” on page 304.
■ Use the Global Security Settings node to configure security settings like enable
insecure communication, disaster recovery package passphrase, certificate
deployment level and so on.
See “About global security settings” on page 292.

About login activity

NetBackup captures information about the access history of users and keeps a
track of when a user's password will expire. The information is displayed in the My
Recent Login Activity window at the top right corner of the NetBackup
Administration Console.
 NetBackup CA and NetBackup certificates 277
About host management

The My Recent Login Activity window closes after you begin to use the NetBackup
Administration Console.
The password expiration information is not available in the following scenarios:
■ If you have remotely logged in to the primary server using the single sign-on
(SSO) feature of the NetBackup Administration Console
■ If you have logged in to the UNIX or Linux primary server using the NetBackup
Administration Console

Note: The login and the password expiration details are displayed only after the
first successful login and logout from the NetBackup Administration Console.
The login details are not automatically refreshed. You must log off from the
NetBackup Administration Console and log in again to view the latest information
about the last login details.

This information is also displayed in Security Events on the Access History tab.

About host management

The Security Management > Host Management node lets you map host names
to their respective host IDs. Appropriate mapping between host ID-to-host names
is important for secure host communication.
See “About secure communication in NetBackup” on page 274.
See “Adding host ID to host name mappings” on page 279.
 NetBackup CA and NetBackup certificates 278
About host management

See “Resetting NetBackup host attributes” on page 288.

Hosts tab
The Hosts tab provides the following information:

Host The name of the host.

Note: The Host Management node shows only those hosts that
have a host ID.

Mapped Host Names Host names or IP addresses that are mapped to the host ID of the
/ IP Addresses selected client.

See “Add or Remove Host Mappings dialog box” on page 280.

Version The NetBackup version that is installed on the host.

Allow Auto Reissue The time until which certificate can be reissued on the host without
Certificate Validity requiring a reissue token.

By default, the Allow Auto Reissue Certificate option has a validity

of 48 hours.

See “Allowing or disallowing automatic certificate reissue”

on page 289.

Operating System The operating system version that is installed on the host.

OS Type The type of operating system (Windows or UNIX) that is installed

on the host.

CPU Architecture The architecture of the central processing unit that is used on the
host.

Secure States whether the communication status of the host is secure or

not.

If the host is 8.1, the communication status is secure and it can

communicate securely.

Comment Comment or additional information that you have added for the host.

Hardware Description The hardware that is used on the host.

NetBackup Host ID A unique identifier for the host.

NetBackup EEBs States whether the NetBackup EEBs (Emergency Engineering

Binary) are installed or not.

Servers Additional servers that are associated with the host.

 NetBackup CA and NetBackup certificates 279
About host management

Master Server Primary server host that is associated with the host.

Issued On Date when the host ID-based certificate was issued to the host.

Last Updated On Date when the host ID-based certificate was updated.

VxUpdate Platform Identifies the VxUpdate package that is needed to upgrade the host.

Installed Packages The NetBackup packages that are installed on the host.

Adding host ID to host name mappings

Hosts may have multiple host names or IP addresses associated with them. For
successful communication between hosts, all relevant host names and IP addresses
need to be mapped to the respective host IDs.
During communication, NetBackup may detect new host names or IP addresses
with respect to a host ID. These host names or IP addresses can be automatically
or manually mapped to the respective host ID for successful communication.
The host names or IP addresses that NetBackup detects are automatically mapped
to the respective host ID, if the Automatically map host names to their NetBackup
host ID option is selected in Settings > Global security > Secure communication.
See “Automatically mapping host ID to host names and IP addresses” on page 296.

Important notes
Review the following notes specific to host ID to host name mappings:
■ In the case of DHCP (Dynamic Host Configuration Protocol) hosts, NetBackup
may detect dynamic IP addresses during communication and added as host ID
to host name mappings. You should delete such mappings.
■ In the case of a cluster setup, host name, and FQDN (Fully Qualified Domain
Name) of virtual name are discovered during host communication.
■ You may choose to redeploy a certificate on a host using a host name that is
not mapped with the existing host ID. In this case a new certificate is deployed
and a new host ID is issued to the host. This action occurs because NetBackup
considers it as a different host. To avoid this situation, you should map all
available host names with the existing host ID.
■ When you register NetBackup Snapshot Manager to NetBackup, the certificates
that are generated are exchanged between them. Hence the NetBackup
Snapshot Manager's Host Mapping displays the details of the NetBackup
Snapshot Manager container instead of the NetBackup Snapshot Manager host.
Use the following procedure to manually map a specific host ID to the corresponding
host names or IP addresses.
 NetBackup CA and NetBackup certificates 280
About host management

See “Add or Remove Host Mappings dialog box” on page 280.

See “Removing host ID to host name mappings” on page 281.
To add host ID to host name mappings
1 On the left, select Security > Host mappings.
2 On the Hosts tab, locate the host that you want to modify.
3 Select Actions > Manage mappings.
The host ID of the client host is displayed along with the existing mappings.
4 Select Add.
5 Provide the following details:

Mapping name Specify the host ID-to-host name mapping.

Note: The host ID-to-host name mappings are not
case-sensitive.

Audit reason For auditing purposes, specify the reason or additional

information for why you want to add this mapping.

To add a host ID to host name mapping using the command-line interface

1 Run the following command to authenticate your web services logon:
bpnbat -login -loginType WEB

2 Run the following command to add a host ID to host name mapping:

nbhostmgmt -add -hostid host_ID -mappingname mapping_name

Add or Remove Host Mappings dialog box

Hosts may have multiple host names or IP addresses associated with them. For
successful communication between hosts, all relevant host names and IP addresses
need to be mapped to the respective host IDs.
On the Security Management > Host Management > Hosts tab, right-click the
host that you want to modify, and click the Add or Remove Host Mappings option
to open the dialog box.
Only System Administrator can access the Add or Remove Host Mappings
properties for a NetBackup host.
See “Adding host ID to host name mappings” on page 279.
See “Removing host ID to host name mappings” on page 281.
 NetBackup CA and NetBackup certificates 281
About host management

The Add or Remove Host Mappings dialog box contains the following properties.

NetBackup Host ID Displays the host ID of the selected host.

Mapped Host Names / Lists host names and IP addresses that are mapped to the host
IP Addresses ID of the client host.

Auto-discovered States whether the mapped host name or IP address was

automatically discovered by the system or not.

Created On Date and time when the mapping was created.

Last Updated On Date and time when the mapping was last updated.

Add Click to add new host ID to host name mappings for the client
host.

The Add Mapping dialog box is displayed.

See “Adding host ID to host name mappings” on page 279.

Remove Click to remove the selected host ID to host name mapping for
the client host.

The Remove Mapping dialog box is displayed.

See “Removing host ID to host name mappings” on page 281.

Note: The operations that you carry out on the Add Mapping
and Remove Mapping dialog boxes directly update the NetBackup
database.

Close Click to close the Add or Remove Host Mappings dialog box.

Help Click to see help.

Removing host ID to host name mappings

Use the following procedure to remove host ID to host name mappings.
See “Add or Remove Host Mappings dialog box” on page 280.
See “Adding host ID to host name mappings” on page 279.
To remove host ID to host name mappings
1 In the NetBackup Administration Console, expand Security Management
> Host Management.
2 In the details pane, on the Hosts tab, right-click the client host that you want
to modify.
3 Click the Add or Remove Host Mappings option.
 NetBackup CA and NetBackup certificates 282
About host management

4 On the Add or Remove Host Mappings screen, host ID of the selected client
host is displayed along with the existing mappings.
5 Select the mapping that you want to remove.
6 Click Remove.
7 On the Remove Mapping dialog box, specify the audit reason for removing
the selected mapping for auditing purpose.
8 Click Yes.
To remove host ID to host name mapping using the command-line interface
1 Run the following command to authenticate your web services login:
bpnbat -login -loginType WEB

2 Run the following command to remove a host ID to host name mapping:

nbhostmgmt -delete -hostid host_ID-mappingname mapping_name

Mappings for Approval tab

Use the Security Management > Host Management > Mappings for Approval
tab to view host ID-to-host name mappings that are pending for approval.
The following options are available on the Mappings for Approval tab:

Host Name of the selected host.

Auto-discovered Host ID-to-host name mapping that was discovered with respect
Mapping to the host during communication.

Conflict States if there is any conflict in the mappings. For example, in a

cluster setup, a mapping can be shared across host IDs.

Discovered On Date and time when the mapping was discovered by the system.

NetBackup Host ID Host ID of the host.

See “Viewing auto-discovered mappings” on page 283.

See “Add or Remove Host Mappings dialog box” on page 280.

Note: If the Automatically map host ID to host names option on the Security
Management > Global Security Settings > Secure Communication tab is
selected, the Mappings for Approval tab shows only conflicting mappings.
See “Automatically mapping host ID to host names and IP addresses” on page 296.
 NetBackup CA and NetBackup certificates 283
About host management

Viewing auto-discovered mappings

During communication, NetBackup may detect new host names or IP addresses
with respect to a host ID. You can view the host ID-to-host name mappings that
are automatically discovered.
See “Add or Remove Host Mappings dialog box” on page 280.
To view auto-discovered host ID-to-host name mappings
1 In the NetBackup Administration Console, expand Security Management
> Host Management.
2 In the details pane, click the Mappings for Approval tab.
See “Mappings for Approval tab” on page 282.

Note: If the Automatically map host ID to host names option on the Security
Management > Global Security Settings > Secure Communication tab is
selected, the Mappings for Approval tab shows only conflicting mappings.
See “Automatically mapping host ID to host names and IP addresses”
on page 296.

Mapping Details dialog box

Use the Mapping Details dialog box to approve or reject the pending host ID-to-host
name mappings.
On the Security Management > Host Management > Mappings for Approval
tab, right-click the host ID-to-host name mapping that you want to approve or reject,
and click Mapping Details to open the dialog box.
See “Add or Remove Host Mappings dialog box” on page 280.
See “Approving host ID to host name mappings” on page 284.
See “Rejecting host ID to host name mappings” on page 285.
See “Mappings for Approval tab” on page 282.
The following options are available on the dialog box:

Host Displays name of the host for which you want to approve or reject
the mapping.

Mapped Host Names / IP Lists the existing mappings that are associated with the host.
Addresses
 NetBackup CA and NetBackup certificates 284
About host management

NetBackup Host ID Displays the host ID of the host.

Conflict in mapping -
Note: This information is displayed if the selected mapping is
Shared with hosts
already associated with other hosts.

This table lists information of all hosts across which the selected
mapping is shared.

For example, in a cluster set up, multiple host IDs share the same
virtual name.

If a mapping is added for a host ID and if the same mapping is

discovered against a different host ID, it is listed on the Mappings
for Approval tab. You can either approve this mapping or reject
it using the Mapping Details dialog box.

■ Host - Displays the name of the host with which the selected
mapping is already associated.
■ NetBackup Host ID - Displays host ID of the host with which
the selected mapping is already associated.

See “About shared or cluster mapping scenarios” on page 286.

Reason Provide the reason for approving or rejecting the mapping.

Approve Click to approve the pending mapping.

Reject Click to reject the pending mapping.

Close Click to close the dialog box without saving the changes.

Help Click to see help.

Approving host ID to host name mappings

This section provides a procedure for approving host ID to host name mappings
that are pending for approval.
See “Add or Remove Host Mappings dialog box” on page 280.
See “Rejecting host ID to host name mappings” on page 285.
To approve host ID to host name mapping
1 In the NetBackup Administration Console, expand Security Management
> Host Management.
2 In the details pane, click the Mappings for Approval tab.
 NetBackup CA and NetBackup certificates 285
About host management

3 Select the mapping that you want to approve and right-click.

4 On the right-click options, click Approve. The selected mappings are approved.
Alternatively, click Mapping Details on the right-click options. Use the Mapping
Details dialog box to approve the selected mapping.
See “Mapping Details dialog box” on page 283.

Rejecting host ID to host name mappings

This section provides a procedure for rejecting host ID to host name mappings that
are pending for approval.
See “Add or Remove Host Mappings dialog box” on page 280.
See “Approving host ID to host name mappings” on page 284.
To reject host ID to host name mapping
1 In the NetBackup Administration Console, expand Security Management
> Host Management.
2 In the details pane, click the Mappings for Approval tab.
3 Select the mapping that you want to reject and right-click.
4 On the right-click options, click Reject. The selected mappings are rejected.
Alternatively, click Mapping Details on the right-click options. Use the Mapping
Details dialog box to reject the selected mapping.

Adding shared or cluster mappings

In certain scenarios, host ID to host name mappings are shared across host IDs.
For example, in a cluster setup, virtual name is shared across all nodes. You need
to add these shared mappings using the NetBackup Administration Console so
that the primary server can successfully communicate with the nodes.
See “Add or Remove Host Mappings dialog box” on page 280.
To add shared mappings
1 In the NetBackup Administration Console, expand Security Management
> Host Management.
2 On the Hosts tab, in the details pane, right-click to view the options.
3 On the right-click options, select Add Shared or Cluster Mappings.
4 On the Add Shared or Cluster Mappings dialog box, specify the shared
mapping name.
See “Add Shared or Cluster Mappings dialog box” on page 287.
 NetBackup CA and NetBackup certificates 286
About host management

5 Select host IDs to be mapped with the specified shared mapping name.
6 Click Save.

About shared or cluster mapping scenarios

Host ID to host name mappings can be shared across multiple hosts in the following
scenarios:
■ If multiple hosts from different domains use the same host name
■ In a cluster setup where the same virtual name is used by multiple cluster nodes
However, in a scenario where the associated hosts do not have the same
communication status (some are 8.0 or earlier and can communicate insecurely
and some are 8.1 or later and communicate securely), communication may fail.
See “Add or Remove Host Mappings dialog box” on page 280.

Scenario 1 - If multiple hosts from different domains use

the same host name
Consider the following example:
■ Host1 – abc.secure.domain1.com, version – 8.1, policy – P1
■ Host2 – abc.insecure.domain2.com, version – 7.7.3, policy – P2
■ Host1 and Host 2 use the same name – abc – as their host name. Security
Administrator adds abc as a shared mapping for Host2.
See “Adding shared or cluster mappings” on page 285.
■ Insecure communication with 8.0 and earlier hosts is enabled.
See “About insecure communication with 8.0 and earlier hosts” on page 295.
■ When Host2 initiates communication with another host, the primary server
validates the communication status of host2 (which is insecure), which is different
than Host1 (which is secure). Because both hosts use the same host name, but
their communication status do not match, the communication with Host2 fails.
■ Recommendation – Host2 should be upgraded to 8.1 or later.

Scenario 2 - In a cluster setup where the same virtual name

is used by multiple cluster nodes
Consider the following example:
■ Host1 – abc.secure.domain1.com, active cluster node, version – 8.1
■ Host2 – abc.secure.domain1.com, inactive cluster node, version – 8.0
■ Host1 and Host2 use the same virtual name that is abc. Security Administrator
adds abc as a shared or cluster mapping for Host2.
 NetBackup CA and NetBackup certificates 287
About host management

See “Adding shared or cluster mappings” on page 285.

■ Insecure communication with 8.0 and earlier hosts is enabled.
See “About insecure communication with 8.0 and earlier hosts” on page 295.
■ Host1 fails over to Host2. The primary server validates the communication status
of host2 (that is insecure), which is different than Host1 (that is secure). Because
communication status for both hosts do not match, the communication with
Host2 fails.
■ Recommendation – Host2 should be upgraded to 8.1.
■ Workaround – Delete the host ID-to-host name mapping abc for Host1. In case
of shared mapping, if the associated hosts do not have the same communication
status (secure), communication fails for the host that has insecure communication
status.

Add Shared or Cluster Mappings dialog box

Use this option to add shared or cluster mappings. On the Security Management
> Host Management > Hosts tab, on the right-click options, click Add Shared or
Cluster Mappings to open the dialog box.
The following options are available on the Add Shared or Cluster Mappings dialog
box:

Shared mapping name or Enter the mapping name that needs to be shared by multiple
virtual name of cluster host IDs.

Select Hosts Click the button to list all hosts and select the ones that you
want to map with the specified mapping name.

The Select Hosts pop-up screen lists all available hosts. Select
the required hosts and click Add to list.

The selected hosts appear in the list on the Add Shared or

Cluster Mappings dialog box.

Host Name of the host that you want to map with the specified shared
name.

NetBackup Host ID Host ID of the host that you want to map with the specified
shared name.

Save Click to save the mapping.

Cancel Click to close the dialog box without saving the changes.

Help Click to see help.

 NetBackup CA and NetBackup certificates 288
About host management

See “Adding shared or cluster mappings” on page 285.

See “About shared or cluster mapping scenarios” on page 286.

Resetting NetBackup host attributes

In certain scenarios, you may need to clean up or reset host attributes: For example,
you have downgraded the host.
In such cases, you need to reset host ID to host name mapping information,
communication status and so on for successful communication.

Review the following notes before resetting host attributes

■ You must reset the host attributes of the downgraded host if you want the primary
server to communicate with the host in an insecure mode.
■ Resetting host attributes resets host ID to host name mapping information,
communication status and so on. It does not reset the host ID, host name, or
security certificates of the host.
■ After you reset the host attributes, the connection status (is secure flag) is set
to insecure state. At the time of the next host communication, the connection
status is updated appropriately.
■ If you have inadvertently used the Reset Host Attributes option, you can undo
the changes by restarting the bpcd service. Else the host attributes are
automatically updated with the appropriate values after 24 hours.
See “Add or Remove Host Mappings dialog box” on page 280.

About resetting host attributes

NetBackup 8.1 primary server can communicate securely with all 8.1 hosts. However,
it communicates insecurely with 8.0 and earlier hosts.
In certain scenarios, you may need to downgrade a NetBackup client from 8.1
version to 8.0 or earlier. After the downgrade, the primary server cannot
communicate with the client, because the communication status for the client is still
set to secure mode. The communication status is not automatically updated to
insecure mode after the downgrade.
Use one of the following options to reset a host:
 NetBackup CA and NetBackup certificates 289
About host management

To reset a host using the NetBackup Administration Console

1 Expand Security Management > Host Management.
2 On the Hosts tab, in the details pane, right-click the host that you have
downgraded and which you want to reset, and click Reset Host Attributes.

Note: To resume insecure communication with downgraded hosts, ensure that

the Enable insecure communication with 8.0 and earlier hosts option on
the Security Management > Global Security Settings > Secure
Communication tab is selected.

To reset host attributes using the command-line interface

1 Run the following command to authenticate your web services login:
bpnbat -login -loginType WEB

2 Run the following command to reset the host:

nbemmcmd -resethost

Allowing or disallowing automatic certificate reissue

This section provides the procedures for allowing and disallowing automatic
certificate reissue.
The Allow Auto Reissue Certificate option enables the autoreissue parameter
of a host that in turn allows you to deploy a certificate on the host without requiring
a reissue token.
See “Deploying host ID-based certificates” on page 312.
By default, the autoreissue parameter is enabled for 2880 minutes (or 48 hours
or 2 days). After this duration, the parameter is disabled and the certificate reissue
operation requires a reissue token.
See “Configuring validity of the autoreissue parameter for a host” on page 290.
To manually disable the autoreissue parameter, use the Disallow Auto Reissue
Certificate option.

Note: During the Bare Metal Restore (BMR) process, the autoreissue flag is
automatically set.
For more information about Bare Metal Restore, refer to the NetBackup Bare Metal
Restore Administrator's Guide.
 NetBackup CA and NetBackup certificates 290
About host management

To allow automatic certificate reissue using the NetBackup Administration

Console
1 Expand Security Management > Host Management.
2 In the right pane, select the host for which you want to allow automatic certificate
reissue.
3 Right-click the host and select the Allow Auto Reissue Certificate option.
To allow automatic certificate reissue using the command-line interface
1 Run the following command to authenticate your web services login:
bpnbat -login -loginType WEB

2 Run the following command to enable the autoreissue parameter, which in

turn allows automatic certificate reissue:
nbhostmgmt -allowautoreissuecert -hostid host_ID -autoreissue 1

To disallow automatic certificate reissue using the NetBackup Administration

Console
1 Expand Security Management > Host Management.
2 In the right pane, select the host for which you want to disallow automatic
certificate reissue.
3 Right-click the host and select the Disallow Auto Reissue Certificate option.
To disallow automatic certificate reissue using the command-line interface
1 Run the following command to authenticate your web services login:
bpnbat -login -loginType WEB

2 Run the following command to disable the autoreissue parameter, which in

turn disallows automatic certificate reissue:
nbhostmgmt -allowautoreissuecert -hostid host_ID -autoreissue 0

Configuring validity of the autoreissue parameter for a

host
When you allow automatic reissue of a host ID-based certificate, the autoreissue
parameter is by default enabled for 2880 minutes (or 48 hours or 2 days). After this
duration, the parameter is reset and the certificate reissue operation requires a
reissue token.
You can configure the duration for automatic reissue of certificate or the time-to-live
(TTL) setting for the autoreissue parameter by updating the web.conf file.
 NetBackup CA and NetBackup certificates 291
About host management

To configure validity of the autoreissue parameter or the TTL setting

1 Open the web.conf file. Location for the file is as follows:
On Windows: Install_Path\var\global\wsl\config\web.conf
On Linux: /usr/openv/var/global/wsl/config/web.conf
2 Configure the TTL setting for the autorissue parameter in minutes. For
example:
ttl.autoReissue.minutes = 1440

Note: Valid range for the autoreissue TTL setting is 0 min to 43200 min (or
30 days).
If the TTL value that you have configured is not within the valid range, the
server continues using the last configured TTL value.

3 For the new autoreissue TTL value to take effect, do one of the following:
■ Restart the NetBackup Web Management Console (WMC) service.
■ Run the following command:
On Windows: Install_Path/bin/nbhostdbcmd -reloadconfig -host
On UNIX: NETBACKUP_INSTALL_DIR\bin\nbhostdbcmd -reloadconfig
-host

Adding or deleting comment for a host

You can provide additional information about a NetBackup host using the Add or
Edit Comment dialog box. For example, if a host is decommissioned, you can add
a comment to explain why and when it was decommissioned.
To add or edit a comment for a host
1 Expand Security Management > Host Management.
2 On the Hosts tab, in the details pane, right-click the host for which you want
to provide additional information, and click Add or Edit Comment.
3 On the Add or Edit Comment dialog box, in the Comment pane, enter the
required information or comments.
Click Save.
 NetBackup CA and NetBackup certificates 292
About global security settings

To delete a comment for a host

1 Expand NetBackup Management > Security Management > Host
Management.
2 On the Hosts tab, in the details pane, right-click the host for which you want
to delete comment, and click Delete Comment.

About global security settings

The options in Settings > Global security let you configure the settings that are
crucial for secure communication in NetBackup.
See “About secure communication in NetBackup” on page 274.
See “About disaster recovery settings” on page 296.
See “About secure communication settings” on page 292.

About secure communication settings

NetBackup provides settings that you can configure for secure communication
between hosts.

Table 18-2 Secure communication settings

Setting Description

Certificate Authority Displays the certificate authorities that your NetBackup

domain supports.

The NetBackup web server can be configured to enable

the NetBackup domain to use:

■ NetBackup CA-signed certificates only

■ External CA-signed certificates only
■ NetBackup CA-signed certificates and external
CA-signed certificates

Use the -configureWebServerCerts command for

certificate configuration for the web server.

For more information, refer to the NetBackup Commands

Reference Guide.
 NetBackup CA and NetBackup certificates 293
About global security settings

Table 18-2 Secure communication settings (continued)

Setting Description

Enable communication with 8.0 NetBackup communicates insecurely with 8.0 and earlier
and earlier hosts hosts.

For increased security, upgrade all your hosts to the

current version and disable this setting. This ensures that
only secure communication is possible between
NetBackup hosts.

The option allows NetBackup to communicate with hosts

including 8.0 and earlier hosts that may be present in the
existing NetBackup environment.

This option also allows communication between

NetBackup 8.1 or later primary server.

See “Disabling insecure communication” on page 294.

See “About insecure communication with 8.0 and earlier

hosts” on page 295.

If you have configured Auto Image Replication, ensure

the following before you clear the option:

The trusted primary server that you have specified for

image replication is of the version that is later than
NetBackup 8.0.

For more information, refer to the NetBackup

Administrator's Guide, Volume I.

Automatically map NetBackup Hosts may have multiple host names or IP addresses
host ID to host names associated with them. For successful communication
between hosts, all relevant host names and IP addresses
need to be mapped to the respective host IDs.

During communication, NetBackup may detect new host

names or IP addresses with respect to a host ID.

Select this option to automatically map the host ID to host

names or IP addresses that are detected by the system.

By default, the option is selected.

For increased security, clear this option so that the

NetBackup Administrator can manually verify the mappings
and approve them.

See “Automatically mapping host ID to host names and

IP addresses” on page 296.
 NetBackup CA and NetBackup certificates 294
About global security settings

Table 18-2 Secure communication settings (continued)

Setting Description

Security level for certificate Based on the security level that is configured on the
deployment NetBackup primary server, the certificate deployment
approach is determined.

For example, if the security level is set to Very High, an

authorization token is a must for certificate deployment.
Note: Security levels for certificate deployment are
specific to NetBackup CA-signed certificates. If the
NetBackup web server is not configured to use NetBackup
certificates for secure communication, this option cannot
be accessed.

See “About NetBackup certificate deployment security

levels” on page 307.

See “Configuring the certificate deployment security levels”

on page 309.

Disabling insecure communication

NetBackup communicates with 8.0 and earlier hosts in an insecure manner. For
increased security, you should upgrade all hosts to the current version and disable
NetBackup communication with 8.0 and earlier hosts.
See “About secure communication settings” on page 292.
To disable insecure communication
1 On the right pane, select Setting > Global security.
2 In the Global security settings page, select Secure Communication tab
3 Turn off the Enable insecure communication with 8.0 and earlier hosts
option.
4 Click Save.

Note: If you disable insecure communications, it is recommended that you

restart services to ensure that the insecure connections that are already
established are terminated.
 NetBackup CA and NetBackup certificates 295
About global security settings

About insecure communication with 8.0 and earlier hosts

NetBackup communicates insecurely with 8.0 or earlier hosts.
If you have NetBackup 8.0 or earlier hosts in your environment, you can allow
insecure communication with them using the Enable insecure communication
with 8.0 and earlier hosts option in the NetBackup Administration Console.
The option is available on the Setting > Global Security > Secure communication
tab.
This option also allows communication between NetBackup 8.1 or later primary
server .
For increased security, you should upgrade all hosts to the current version and
disable communication with 8.0 and earlier hosts.
See “Disabling insecure communication” on page 294.
See “About communication with 8.0 or earlier host in multiple NetBackup domains”
on page 295.

Note: If you have configured Auto Image Replication, ensure the following before
you disable insecure communication: The trusted primary server that you have
specified for image replication is of the version that is later than NetBackup 8.0.

See “About secure communication in NetBackup” on page 274.

About communication with 8.0 or earlier host in multiple NetBackup

domains
This section provides information on what is the impact of the Enable insecure
communication with 8.0 and earlier hosts option on the host communication
when one of the NetBackup hosts is in multiple domains.
Consider the following scenario:
■ Host A is of version 8.1, which is present in multiple NetBackup domains called
M1 and M2.
■ Host B is of version 8.0, which is present in a NetBackup domain called M3.
■ The Enable insecure communication with 8.0 and earlier hosts option is
cleared on primary server M1, which means hosts that are associated with M1
cannot communicate with hosts that are 8.0 or earlier.
 NetBackup CA and NetBackup certificates 296
About global security settings

■ The Enable insecure communication with 8.0 and earlier hosts option is
selected on primary server M2, which means hosts that are associated with M2
can communicate with hosts that are 8.0 or earlier.
■ The configuration file (bp.conf file on UNIX or registry keys on Windows) for
Host A contains 'M2' as the first entry in the primary server list.
When Host A initiates communication with Host B, the status of the Enable insecure
communication with 8.0 and earlier hosts option is verified for the first primary
server that appears in the configuration file of Host A, which is M2. As per the option
set for M2, communication with 8.0 or earlier hosts is allowed. Therefore,
communication between Host A and Host B is successful.

Automatically mapping host ID to host names and IP addresses

For successful communication between NetBackup hosts, all relevant host names
and IP addresses need to be mapped to the respective host IDs. You can choose
to automatically map the host ID to the respective host names (and IP addresses)
or allow the NetBackup Administrator to verify the mappings before approving them.
See “Add or Remove Host Mappings dialog box” on page 280.

Note: For increased security, clear this option so that the NetBackup Administrator
can manually verify the mappings and approve them.

To automatically map host ID to host names or IP addresses

1 At the top right, select Settings > Global security.
2 Select the Secure Communication tab.
3 Select the Automatically map NetBackup host ID to host names option.
4 Click Save.
See “About secure communication settings” on page 292.

About disaster recovery settings

For increased security, a disaster recovery package is created during each catalog
backup.
See “Disaster recovery packages” on page 298.
During each catalog backup, a disaster recovery package is created and encrypted
with the passphrase that you set. You need to provide this encryption passphrase
while you install NetBackup on the primary server in a disaster recovery mode after
a disaster.
 NetBackup CA and NetBackup certificates 297
About global security settings

The following options are displayed on the Disaster recovery tab:

Table 18-3 Disaster recovery settings

Setting Description

Enter passphrase Enter the passphrase to encrypt disaster recovery packages.

■ By default, the passphrase must contain a minimum of 8

and a maximum of 1024 characters.
You can set the passphrase constraints using the
nbseccmd -setpassphraseconstraints command
option.
■ The existing passphrase and the new passphrase must
be different.
■ Only the following characters are supported for the
passphrase: White spaces, uppercase characters (A to
Z), lowercase characters (a to z), numbers (0 to 9), and
special characters. Special characters include: ~ ! @ #
$%^&*()_+-=`{}[]|:;',./?<>"

Confirm passphrase Re-enter the passphrase for confirmation.

Caution: Ensure that the passphrase contains only the supported characters. If
you enter a character that is not supported, you may face problems during disaster
recovery package restore. The passphrase may not be validated and you may not
be able to restore the disaster recovery package.

Note the following before you modify the passphrase for

the disaster recovery packages:
■ Subsequent disaster recovery packages are encrypted with the new passphrase
that you set.
■ If you change the passphrase anytime, it is not changed for the previous disaster
recovery packages. Only new disaster recovery packages are associated with
the new passphrase.
■ The passphrase that you provide when you install NetBackup on the primary
server in the disaster recovery mode after a disaster must correspond to the
disaster recovery package from which you want to recover the primary server
host identity.
 NetBackup CA and NetBackup certificates 298
About global security settings

Disaster recovery packages

For increased security, a disaster recovery package is created during each catalog
backup. The disaster recovery package file has .drpkg extension.
The disaster recovery (DR) package stores the identity of the primary server host.
NetBackup requires this package to get the identity of the primary server back after
a disaster. Once you have recovered the host identity, you can perform the catalog
recovery.
The disaster recovery package contains the following information:
■ NetBackup CA-signed certificates and private keys of the primary server
certificate and the NetBackup certificate authority (CA) certificate
■ Information about the hosts in the domain
■ Security settings
■ External CA-signed certificates
External CA-signed certificates from Windows certificate store, if applicable
■ NetBackup configuration options that are specific to external CA-signed
certificates
■ Key management service (KMS) configuration

Note: By default, the KMS configuration is not backed up during catalog backup.
Set the KMS_CONFIG_IN_CATALOG_BKUP configuration option to 1 to include
the KMS configuration as part of the disaster recovery package during catalog
backup.

Note: You must set a passphrase for the disaster recovery package for the catalog
backups to be successful.

Setting a passphrase to encrypt disaster recovery packages

During each catalog backup, a disaster recovery package is created and encrypted
with the passphrase that you set.
See “Disaster recovery packages” on page 298.
 NetBackup CA and NetBackup certificates 299
About global security settings

Workflow to set a passphrase to encrypt disaster recovery

packages and use it after a disaster:
Review the following workflow to learn about disaster recovery package restore:
1. Set an encryption passphrase for disaster recovery packages.
2. Create a catalog policy.
Consider the following scenarios:
■ If you have not set the passphrase earlier, NetBackup prevents you from
configuring a new catalog backup policy.
■ If the catalog backup policy is upgraded from a previous version, catalog
backups continue to fail until the passphrase is set.

Note: Catalog backups may fail with status code 144 even though the
passphrase is set. This issue occurs because the passphrase may be
corrupted. To resolve this issue, you must reset the passphrase.

3. After a disaster, when you install NetBackup on the primary server in a disaster
recovery mode, provide the passphrase that you have set earlier. NetBackup
decrypts the disaster recovery package using this passphrase and gets the
identity of the primary server back during installation.

Caution: Special action is required if you fail to provide the appropriate

passphrase when you install NetBackup on the primary server after a disaster.
You may need to redeploy the security certificates on all NetBackup hosts. For
more details, refer to the following article:
https://www.veritas.com/content/support/en_US/article.100033743

4. Once the primary server identity is back in place, the secure communication
between the primary server and the media server is established and you can
perform catalog recovery.
5. After successful catalog recovery, you must set the disaster recovery package
passphrase again, because the passphrase is not recovered during the catalog
recovery. Catalog backups that you configure in a new NetBackup instance
continue to fail until you set the passphrase.
To set or modify a passphrase
1 Open the NetBackup web UI.
2 At the top right, select Settings > Global security.
 NetBackup CA and NetBackup certificates 300
About global security settings

3 Select Disaster recovery.

See “About disaster recovery settings” on page 296.
4 Enter and confirm a passphrase.
Review the following password rules:
■ The existing passphrase and the new passphrase must be different.
■ By default, the passphrase must contain a minimum of 8 and a maximum
of 1024 characters.
You can set the passphrase constraints using the nbseccmd
-setpassphraseconstraints command option.

■ Only the following characters are supported for the passphrase: White
spaces, uppercase characters (A to Z), lowercase characters (a to z),
numbers (0 to 9), and special characters. Special characters include: ~ !
@#$%^&*()_+-=`{}[]|:;',./?<>"

Caution: If you enter a character that is not supported, you may face
problems during disaster recovery package restore. The passphrase may
not be validated and you may not be able to restore the disaster recovery
package.

5 Select Save. If the passphrase already exists, it is overwritten.

To set or modify a passphrase using the command-line interface
1 The NetBackup administrator must be logged on to the NetBackup Web
Management Service to perform this task. Use the following command to log
on:
bpnbat -login -loginType WEB

2 Run the following command to set a passphrase to encrypt disaster recovery

packages:
nbseccmd -drpkgpassphrase

3 Enter the passphrase.

If a passphrase already exists, it is overwritten.

Validate the disaster recovery package passphrase

Veritas strongly recommends that you validate the disaster recovery (DR) package
passphrase every 30 days. It helps you recall the passphrase when you need to
recover the primary server identity using the DR package.
 NetBackup CA and NetBackup certificates 301
About host name-based certificates

If validation fails, the specified passphrase is set as your DR package passphrase.

To validate the disaster recovery package passphrase
1 At the top right, select Settings > Global security.
2 Go to the Disaster recovery tab.
3 Locate the Passphrase Validation section and select Validate.
4 Enter and confirm the passphrase that you set earlier.
5 Select the check box Notify me to validate passphrase every 30 days. This
option is recommended.
6 Select Validate.

About host name-based certificates

By default, individual NetBackup primary servers are provisioned with a host
name-based certificate during installation. To provision a host name-based certificate
on a media server or client, the NetBackup administrator runs the bpnbaz command
on the primary server to push the certificate to other hosts.
See “Overview of security certificates in NetBackup” on page 274.

Deploying host name-based certificates

Choose one of the following procedures to deploy a host name-based security
certificate on NetBackup hosts. Only a NetBackup administrator can deploy
certificates.

Table 18-4 Deploying host name-based certificates

Procedure Description and link to procedure

Deploying a host name-based Use this procedure to deploy the host name-based security certificates on all of the
security certificate for a primary nodes in a NetBackup primary server cluster.
server in a cluster

Deploying a host name-based
security certificate for media
servers or clients
This procedure uses IP address verification to identify the target NetBackup host and
then deploy the certificate.
With this procedure, you can deploy a host name-based certificate for an individual
host, for all media servers, or for all clients.
 NetBackup CA and NetBackup certificates 302
About host name-based certificates

Note: Deploying a host name-based certificate is a one-time activity for a host. If

a host name-based certificate was deployed for an earlier release or for a hotfix, it
does not need to be done again.

Deploying a host name-based certificate for a primary

server in a cluster
Use this procedure to deploy host name-based certificates on all cluster nodes.
Ensure the following before you deploy a host-name based certificate:
■ All nodes of the cluster have a host ID-based certificate.
■ All Fully Qualified Domain Names (FQHN) and short names for the cluster nodes
are mapped to their respective host IDs.
To deploy a host name-based security certificate for a NetBackup primary
server in a cluster
1 Run the following command on the active node of the primary server cluster:
On Windows: Install_path\NetBackup\bin\admincmd\bpnbaz -setupat
On UNIX: /usr/openv/netbackup/bin/admincmd/bpnbaz -setupat
2 Restart the NetBackup Service Layer (nbsl) service and the NetBackup Vault
Manager (nbvault) service on the active node of the primary server.

Deploying a host name-based certificate on media servers

or clients
This procedure works well when you deploy host name-based security certificates
to many hosts at one time. As with NetBackup deployment in general, this method
assumes that the network is secure.
To deploy a host name-based security certificate for media servers or clients
1 Run the following command on the primary server, depending on your
environment. Either specify a host name, or deploy to all media servers or
clients.
On Windows: Install_path\NetBackup\bin\admincmd\bpnbaz
-ProvisionCert host_name|-AllMediaServers|-AllClients

On UNIX: /usr/openv/netbackup/bin/admincmd/bpnbaz -ProvisionCert

host_name|-AllMediaServers|-AllClients

2 Restart the NetBackup Service Layer (nbsl) service on the media server.
No services need to be restarted if the target host is a NetBackup client.
 NetBackup CA and NetBackup certificates 303
About host ID-based certificates

Note: In you use dynamic IPs on the hosts (DHCP), ensure that the host name and
the IP address are correctly listed on the primary server. To do so, run the following
NetBackup bpclient command on the primary server:
On Windows: Install_path\NetBackup\bin\admincmd\bpclient -L -All
On UNIX: /usr/openv/netbackup/bin/admincmd/bpclient -L -All

About host ID-based certificates

Each host in a NetBackup domain has a unique identity, which is referred to as a
host ID or a Universally Unique Identifier (UUID). The primary server is the Certificate
Authority (CA). It assigns host ID-based certificates to hosts and stores the host
information in the nbdb database. The CA maintains a list of all of the host IDs that
have certificates (or revoked certificates). The host ID is used in many certificate
management operations to identify the host.
Host IDs are randomly generated by the system and are not tied to any property
of the hardware.
NetBackup provides a list of host ID-based certificates that you have revoked.
See “About the host ID-based certificate revocation list” on page 333.
See “Overview of security certificates in NetBackup” on page 274.
Only a NetBackup administrator can control the settings that are related to certificate
deployment and revocation.
The host ID remains the same even when the host name changes.
If a host obtains certificates from multiple NetBackup domains, it has multiple host
IDs that correspond to each NetBackup domain.
When the primary server is configured as part of a cluster, each node in the cluster
receives a unique host ID. An additional host ID is assigned for the virtual name.
For example, if the primary server cluster is comprised of N nodes, the number of
host IDs that are allocated for the primary server cluster is N + 1.

Web login requirements for nbcertcmd command options

The nbcertcmd command can be used to perform all of the operations that are
associated with host-ID based certificates. However, some of the nbcertcmd options
require that the user first logs in to the NetBackup Web Management Service
(nbwmc).
■ To log in to the NetBackup Web Management Service, run the following
command:
 NetBackup CA and NetBackup certificates 304
About host ID-based certificates

bpnbat -login -logintype WEB

The account must have NetBackup administrator privileges.
The following shows an example WEB login:

bpnbat -login -LoginType WEB

Authentication Broker: server.domain.com
Authentication port [0 is default]: 0
Authentication type (NIS, NISPLUS, WINDOWS, vx, unixpwd, ldap): unixpwd
Domain: server.domain.com
Login Name: root
Password: ********
Operation completed successfully.

■ The bpnbat -login -logintype AT command creates a session with the

NetBackup Authentication Broker (nbatd). (The NetBackup Authentication Broker
may not always be the primary server.)

Note: An nbatd session is not necessary to run the nbcertcmd commands.

■ If neither WEB nor AT is indicated, bpnbat -login creates a login session for
both nbatd and nbwmc. (This is true if the Authentication Broker is located on
the primary server.)

Note: The authentication broker for a WEB login is the primary server as the nbwmc
service runs only on the primary server.

The NetBackup Commands Reference Guide lists the privilege details that each
nbcertcmd option requires. This guide also contains detailed information about
running the bpnbat command.

Using the Certificate Management utility to issue and deploy host

ID-based certificates
The process for host ID-based certificate deployment varies based on the certificate
deployment security level configured on the primary server. The levels are Medium,
High, and Very High. By default, the security level is High.
A host ID-based certificate is automatically deployed on the primary server during
upgrade or installation.
Host ID-based certificates are deployed on hosts after confirming the fingerprint.
Whether an authorization token is required or not depends on the security level.
 NetBackup CA and NetBackup certificates 305
About host ID-based certificates

These levels determine the nature of the Certificate Authority (CA) checks that are
performed when the CA receives a certificate request from a NetBackup host. Select
the certificate deployment level according to the security requirements of your
NetBackup environment.
See “About NetBackup certificate deployment security levels” on page 307.
In some scenarios, certificate deployment requires the use of authorization tokens
that are managed by a NetBackup administrator. The NetBackup administrator
creates and shares these tokens with the administrators of individual hosts for
certificate deployment on their local hosts. Certificate deployment can happen
easily, allowing for scalable deployment across multiple NetBackup hosts without
requiring NetBackup administrator intervention.

Table 18-5 Deployment requirements at each certificate deployment level

or scenario

Certificate Is an authorization token required? Deploy host ID-based certificate?

deployment
level or
scenario

Certificate Yes. All certificate requests require an The host administrator of the non-primary server
deployment authorization token. The primary server host must obtain an authorization token from the
level setting at administrator creates a token to be used on the primary server administrator and use it to deploy
Very High non-primary host: the host ID-based certificate.

See “Creating authorization tokens” on page 330. See “Deploying host ID-based certificates”
on page 312.

Certificate Maybe. Certificates are deployed without tokens If a host ID-based certificate is deployed, no further
deployment on hosts that are known to the primary server. action is required.
level setting at
The following topic explains what it means to be If a token is required, the host administrator of the
High (default)
known to the primary server: non-primary server host must to obtain one from
the primary server administrator and use it to
See “About NetBackup certificate deployment
deploy the host ID-based certificate.
security levels” on page 307.
See “Deploying host ID-based certificates”
If the host is not known to the primary server, the
on page 312.
certificate must be deployed using an authorization
token. The primary server administrator creates a
token to be used on the non-primary server host.

See “Creating authorization tokens” on page 330.

 NetBackup CA and NetBackup certificates 306
About host ID-based certificates

Table 18-5 Deployment requirements at each certificate deployment level

or scenario (continued)

Certificate Is an authorization token required? Deploy host ID-based certificate?

deployment
level or
scenario

Certificate No. Certificates may be deployed on all hosts that
deployment request one.
level setting at
See “Automatic host ID-based certificate
Medium
deployment” on page 310.
Note: A certificate may not be deployed if the
primary server cannot verify that the requested
host name matches the IP from which the
certificate request originated.
If a host ID-based certificate is deployed, no further
action is required.
If the primary server cannot verify the host name,
a host ID-based certificate must be deployed using
a token.
See “Deploying host ID-based certificates”
on page 312.

Certificate Yes. A certificate reissue requires a reissue token See “Creating a reissue token” on page 326.
reissue in most cases.

Hosts that Yes. NetBackup can automatically detect whether See “Deploying certificates on a client that has no
cannot a host has connectivity with the primary server or connectivity with the primary server” on page 321.
communicate not. If there is no connectivity, NetBackup attempts
with the to use the built-in HTTP tunnel on a media server
primary server to route the certificate request to the primary
directly (an server.
example of
See “About the communication between a
this is
NetBackup client located in a demilitarized zone
NetBackup
and a primary server through an HTTP tunnel”
hosts in a
on page 352.
demilitarized
zone (DMZ)).

Certificate Yes. During NetBackup certificate deployment on For more information about the support for NAT
deployment a NAT client, you must provide an authorization clients in NetBackup, refer to the NetBackup
and token is must, irrespective of the certificate Administrator's Guide, Volume I.
generation for deployment security level that is set on the primary
NAT clients server. This is because, the primary server cannot
resolve the host name to the IP address from
which the request is sent.

Viewing host ID-based certificate details

Details for each host ID-based certificate can be viewed in the NetBackup web UI
or with the nbcertcmd command or the NetBackup APIs.
 NetBackup CA and NetBackup certificates 307
About host ID-based certificates

To view certificate details in the NetBackup web UI

1 Open the NetBackup web UI.
2 On the left, click Security > Certificates.
The certificate details are displayed in the right pane.
3 Select the host name and click View details.
To view certificate details using the nbcertcmd command
◆ To view all of the host IDs that are assigned to a host from different primary
servers, run the following command on a NetBackup host:
nbcertcmd -listCertDetails

About NetBackup certificate deployment security levels

Security levels for certificate deployment are specific to NetBackup CA-signed
certificates. If the NetBackup web server is not configured to use NetBackup
certificates for secure communication, the security levels cannot be accessed.
The NetBackup certificate deployment level determines the checks that are
performed before the NetBackup CA issues a certificate to a NetBackup host. It
also determines how frequently the NetBackup Certificate Revocation List (CRL)
is refreshed on the host.
NetBackup certificates are deployed on hosts during installation (after the host
administrator confirms the primary server fingerprint) or with the nbcertcmd
command. Choose a deployment level that corresponds to the security requirements
of your NetBackup environment.

Note: During NetBackup certificate deployment on a NAT client, you must provide
an authorization token irrespective of the certificate deployment security level that
is set on the primary server. This is because, the primary server cannot resolve the
host name to the IP address from which the request is sent.
For more information about NAT support in NetBackup, refer to the NetBackup
Administrator's Guide, Volume I.

See “Using the Certificate Management utility to issue and deploy host ID-based
certificates” on page 304.
See “Configuring the certificate deployment security levels” on page 309.
 NetBackup CA and NetBackup certificates 308
About host ID-based certificates

Table 18-6 Description of NetBackup certificate deployment security levels

Security level Description CRL refresh

Very High An authorization token is required for every new NetBackup The CRL that is present on the host
certificate request. is refreshed every hour.

See “Creating authorization tokens” on page 330. See “About the host ID-based
certificate revocation list” on page 333.

High (default) No authorization token is required if the host is known to The CRL that is present on the host
the primary server. A host is considered to be known to the is refreshed every 4 hours.
primary server if the host can be found in the following
entities:

1 The host is listed for any of the following options in

the NetBackup configuration file (Windows registry or
the bp.conf file on UNIX):
■ APP_PROXY_SERVER
■ DISK_CLIENT
■ ENTERPRISE_VAULT_REDIRECT_ALLOWED
■ MEDIA_SERVER
■ NDMP_CLIENT
■ SERVER
■ SPS_REDIRECT_ALLOWED
■ TRUSTED_MASTER
■ VM_PROXY_SERVER
■ MSDP_SERVER

For more details on the NetBackup configuration

options, refer to the NetBackup Administrator's Guide,
Volume I.

2 The host is listed as a client name in the altnames

file (ALTNAMESDB_PATH).

3 The host appears in the EMM database of the primary

server.

4 At least one catalog image of the client exists. The

image must not be older than 6 months.

5 The client is listed in at least one backup policy.

6 The client is a legacy client. This is a client that was

added using the Client Attributes host properties.

See “Creating authorization tokens” on page 330.

 NetBackup CA and NetBackup certificates 309
About host ID-based certificates

Table 18-6 Description of NetBackup certificate deployment security levels

(continued)

Security level Description CRL refresh

Medium The certificates are issued without an authorization token The CRL that is present on the host
if the primary server can resolve the host name to the IP is refreshed every 8 hours.
address from which the request was originated.

Configuring the certificate deployment security levels

Use the NetBackup web UI or the nbcertcmd command to configure the certificate
deployment security level in the NetBackup domain.
These security levels are specific to NetBackup CA-signed certificates.
To configure the certificate deployment level
1 At the top right, click Settings > Global security.
2 Click the Secure communication tab.
3 Under Security level for certificate deployment, select the security level:
Very High, High (default), or Medium.
4 Click Save.
To configure the certificate deployment level using the command line
1 The primary server administrator must be logged in to the NetBackup Web
Management Service to perform this task. Use the following command to log
in:
bpnbat -login -logintype WEB

See “Web login requirements for nbcertcmd command options” on page 303.
2 Run the following command to view the current security level:
nbcertcmd -getSecConfig -certDeployLevel -server
primary_server_name

3 Run the following command to change the security level:

nbcertcmd -setSecConfig -certDeployLevel 0-2 -server
primary_server_name

Where 0 is Very High, 1 is High (default), and 2 is Medium.

For information about nbcertcmd, see the NetBackup Commands Reference Guide.
 NetBackup CA and NetBackup certificates 310
About host ID-based certificates

Automatic host ID-based certificate deployment

A host ID-based certificate is automatically deployed on the NetBackup primary
server as part of NetBackup installation.
These certificates are deployed on other NetBackup hosts (after confirming the
fingerprint) depending on the certificate deployment level.
The Certificate Authority (CA) on the NetBackup primary server can accept or reject
the certificate request depending on the certificate deployment level and the ability
of the primary server to verify the host information.
You can check the list of the deployed certificates on any NetBackup host by using
the following command:
nbcertcmd -listCertDetails

When a certificate request is rejected, the host administrator must request the
NetBackup administrator to generate and share an authorization token to deploy
the certificate manually.
See “Creating authorization tokens” on page 330.
See “About NetBackup certificate deployment security levels” on page 307.

Managing passphrases and passphrase keys for encryption of private

key of host ID-based certificates
Randomly-generated passphrases are used to encrypt and decrypt the private keys
of NetBackup host ID-based certificates. Passphrase keys are used to encrypt and
decrypt these passphrases. There is one passphrase - passphrase key pair that is
used to encrypt and decrypt all the private keys in a keystore. The passphrase that
is used to encrypt the private keys is itself encrypted using another passphrase
key. The passphrase - passphrase key pair is generated when the first key in the
keystore is created and stored.
Using a passphrase key to encrypt passphrases adds an additional layer of security
as only those users who have access to the passphrase key can decrypt and access
the encrypted passphrases. A passphrase key protects a passphrase from
unauthorized access and enables centralized management of passphrases. With
easy rotation of passphrases, organizations can maintain the security in their
NetBackup environment.
Passphrase rotation is the process of updating the existing passphrases. The
process makes the system more secure by ensuring that the compromised private
keys or passphrases are updated. Rotating the passphrase also encrypts the private
keys that are currently in plain text.
 NetBackup CA and NetBackup certificates 311
About host ID-based certificates

Rotating passphrases is essential to reduce the risk of unauthorized access by

limiting the time an attacker can exploit a compromised passphrase. It helps protect
against brute-force attacks and mitigates the impact of insider threats. Additionally,
regular passphrase rotation is often a requirement for compliance with various
security standards and regulatory frameworks that helps organizations maintain a
secure and compliant environment.

Advantages of 2-level encryption

Rotation of a passphrase key: This allows to re-encrypt the passphrase with new
passphrase key at regular intervals without hampering the ongoing NetBackup
operations.
Rotation of passphrase: If the administrators encounter a security threat, they can
rotate the passphrase. This creates a new passphrase - passphrase key pair.
Re-encrypt all private keys with the new passphrase. All NetBackup services must
be stopped before this operation.

Rotating a passphrase
To rotate a passphrase
1 Stop the NetBackup services.
Ensure that all NetBackup services are stopped before you proceed.
2 Run the following command to rotate passphrase:
nbcertcmd -rotatePassphrase

Note: The default passphrase length is 64 characters.

Run the following command to specify the passphrase length:

nbcertcmd -rotatePassphrase -length 1023

The length ranges from 32 to 1023.

3 Start the NetBackup services.

Rotating a passphrase key

To rotate the passphrase key
◆ Run the following command:
nbcertcmd -rotatePassphraseKey
 NetBackup CA and NetBackup certificates 312
About host ID-based certificates

Deploying host ID-based certificates

Depending on the certificate deployment security level, a non-primary host may
require an authorization token before it can obtain a host ID-based certificate from
the Certificate Authority (primary server). When certificates are not deployed
automatically, they must be deployed manually by the administrator on a NetBackup
host using the nbcertcmd command.
The following topic describes the deployment levels and whether the level requires
an authorization token.

Deploying when no token is needed

Use the following procedure when the security level is such that a host administrator
can deploy a certificate on a non-primary host without requiring an authorization
token.
To generate and deploy a host ID-based certificate when no token is needed
1 The host administrator runs the following command on the non-primary host
to establish that the primary server can be trusted:
nbcertcmd -getCACertificate

2 Run the following command on the non-primary host:

nbcertcmd -getCertificate

Note: To communicate with multiple NetBackup domains, the administrator of

the host must request a certificate from each primary server using the -server
option.

Run the following command to get a certificate from a specific primary server:
nbcertcmd -getCertificate -server primary_server_name

3 To verify that the certificate is deployed on the host, run the following command:
nbcertcmd -listCertDetails

Deploying when a token is needed

Use the following procedure when the security level is such that a host requires an
authorization token before it can deploy a host ID-based certificate from the CA.
 NetBackup CA and NetBackup certificates 313
About host ID-based certificates

To generate and deploy a host ID-based certificate when a token is required

1 The host administrator must have obtained the authorization token value from
the CA before proceeding. The token may be conveyed to the administrator
by email, by file, or verbally, depending on the various security guidelines of
the environment.
2 Run the following command on the non-primary host to establish that the
primary server can be trusted:
nbcertcmd -getCACertificate

3 Run the following command on the non-primary host and enter the token when
prompted:
nbcertcmd -getCertificate -token

Note: To communicate with multiple NetBackup domains, the administrator of

the host must request a certificate from each primary server using the -server
option.

If the administrator obtained the token in a file, enter the following:

nbcertcmd -getCertificate -file authorization_token_file

4 To verify that the certificate is deployed on the host, run the following command:
nbcertcmd -listCertDetails

Use the -cluster option to display cluster certificates.

Deploying host ID-based certificates in an asynchronous manner

Host ID-based certificates are automatically deployed on NetBackup hosts during
installation or upgrade. For successful automatic certificate deployment, the host
where the certificate needs to be deployed should be connected to the primary
server.
In certain scenarios, you may want to create, sign, and deploy host ID-based
certificates in an asynchronous manner where the host and the primary server do
not need to be connected at the time of certificate deployment.
 NetBackup CA and NetBackup certificates 314
About host ID-based certificates

To deploy host ID-based certificate in an asynchronous manner

1 This command can be run only by the host administrator.
Create a certificate signing request. Run the following command on the
non-primary server host where you want to deploy the certificate:
nbcertcmd -createCertRequest -requestFile request_file_name
-server primary_server_name

Optionally, copy the Certificate Signing Request (CSR) file to any NetBackup
host.
2 Get a signed certificate from the primary server on the host. An authorization
token is mandatory. If the host already has a certificate, a reissue token is
required.
Run the following command on the host:
nbcertcmd -signCertificate -requestFile request_file_name
-certificateFile certificate_file_name -token

Note: Be sure to use the -signCertificate option on a host with the same
or higher NetBackup version where the certificate signing request (CSR) was
generated.

3 Copy the signed certificate that is generated in step 2 and provide it to the host
administrator.
4 This command can be run only by the host administrator.
To deploy the signed certificate on the host, run the following command on the
client:
nbcertcmd -deployCertificate -certificateFile
certificate_file_name

Implication of clock skew on certificate validity

When a primary server issues a certificate, it determines for how long the certificate
will be valid for the host to use. The primary server sets the validity of the certificate
based on its own time, recording two timestamps: Not before and Not after. The
certificate is valid only between these two timestamps.
The clock on the primary server and the clock on the host that will receive the
certificate should be in sync so that the certificate is valid for as long as is expected,
given the timestamps.
 NetBackup CA and NetBackup certificates 315
About host ID-based certificates

The hosts can reside in different time zones, as long as the clock on each host is
set to the correct time for that host's timezone. As a general practice, it is
recommended using a service such as Network Time Protocol (NTP) to automatically
keep all clocks on all hosts in the NetBackup domain synchronized.
If the clocks are not in sync, the difference can result in the following consequences:
■ If the host clock is ahead of the primary server, the validity period of the certificate
will be less than expected on that particular host. If the difference is extreme
and the clocks vary by more than the certificate's validity period, it is possible
that if the primary server issued a fresh certificate, it could be treated as expired.
■ If the host clock is behind the primary server, a fresh certificate issued by the
primary server could be considered as unusable by the host because the host
considers the certificate as not yet valid.
To determine whether the primary server clock and the host clock are in sync
1 Run the following command on the host to determine whether the host clock
is in sync with the primary server clock:
nbcertcmd -checkClockSkew -server primary_server_name

2 The command returns one of the following results:

■ If both clocks are in sync, the following displays:
The current host clock is in sync with the primary server.

■ If the current host is behind the primary server, the command reports the
difference in seconds:
The current host clock is behind the primary server by 36
seconds(s).

■ If the current host is ahead of the primary server, the command reports the
difference in seconds:
The current host clock is ahead of the primary server by 86363
second(s).

■ If the command is run on the primary server, the command skips the check
and displays the following:
Specified server is same as the current host. Clock skew check
is skipped.

If the clock skew on the host is causing a problem with the certificate validity,
take corrective actions as necessary.
 NetBackup CA and NetBackup certificates 316
About host ID-based certificates

Setting up trust with the primary server (Certificate Authority)

Each NetBackup host must first trust the NetBackup primary server, which acts as
the Certificate Authority (CA). Trust is essential so that the host can request a host
ID-based certificate. The CA certificate can be used to authenticate other hosts in
the domain, and is stored in the trust store of each host. Setting up trust involves
requesting a certificate from the primary server.
See “Automatic host ID-based certificate deployment” on page 310.

Adding a CA certificate to a host's trust store

Run the nbcertcmd -listCACertDetails command to see the list of CA certificates
that are in the host's trust store. The output displays all of the primary servers that
the host already trusts.
To establish trust with the primary server (CA)
1 The host administrator must have the Root Certificate Fingerprint that was
communicated to them through an authentic source. The source was most
likely the primary server administrator, who communicated the fingerprint by
email, by file, or on an internal website. The following topic describes that
process:
See “Finding and communicating the fingerprint of the certificate authority”
on page 318.
2 From the NetBackup host, run the following command:
nbcertcmd -getCACertificate -server master_server_name
 NetBackup CA and NetBackup certificates 317
About host ID-based certificates

3 In the confirmation output, enter y to proceed.

For example:

nbcertcmd -getCACertificate -server master1

Authenticity of root certificate cannot be established.
The SHA1 fingerprint of root certificate is B8:2B:91:E1:4E:78:D2:
25:86:4C:29:C5:92:16:00:8D:E8:2F:33:DD.

Note: The fingerprint that is displayed must match the Root Certificate
Fingerprint that the host administrator has received from the primary server
administrator. Enter y to give consent to add the CA certificate to the trust store
of the host.

Are you sure you want to continue using this certificate ? (y/n): y
The validation of root certificate fingerprint is successful.
CA certificate stored successfully.

4 Next, the administrator performs the following task:

See “Deploying host ID-based certificates” on page 312.
For information about this command, see the NetBackup Commands Reference
Guide.

Adding a CA certificate via message in the NetBackup

Administration Console
The NetBackup Administration Console and the Backup, Archive, and Restore
user interfaces communicate with NetBackup hosts (primary server, media server,
or client) over a secure channel. NetBackup secures this channel using a NetBackup
host ID-based or a host name-based security certificate that the NetBackup
Certificate Authority (CA) issues.
Figure 18-1 displays in the NetBackup Administration Console in the following
situation: A user is running the NetBackup Administration Console on a
NetBackup host. The user tries to connect to another NetBackup host (a target
host) using the NetBackup Administration Console. However, the CA that issued
the security certificate to the target host is not in the trust store of the host where
the user launched the console.
 NetBackup CA and NetBackup certificates 318
About host ID-based certificates

Figure 18-1 Message inquiring whether to add a Certificate Authority (CA) to

the trust store

To verify the CA fingerprint that the dialog displays, see the following topic:
See “Finding and communicating the fingerprint of the certificate authority”
on page 318.
If the user selects Yes in this message, the CA is added to the trust store of the
host where the console is running. This host will then trust all hosts that have a
certificate signed by the CA that is listed in the message.

Finding and communicating the fingerprint of the

certificate authority
The primary server administrator must find the fingerprint of the CA certificate and
communicate it to the administrator of the individual host so that the host can add
the CA certificate to its trust store.
Both SHA-1 or SHA-256 fingerprints are supported.
To find the fingerprint of the CA certificate
1 The primary server administrator can find the fingerprint using the NetBackup
web UI or the command line:
Using the NetBackup web UI:
■ Select Security > Certificates.
■ Select Certificate Authority.
■ The following information is displayed:

Subject name Identifies the certificate for the desired primary server.
 NetBackup CA and NetBackup certificates 319
About host ID-based certificates

Start date The date when the certificate is activated.

Expires The date when the certificate expires.

SHA-1 fingerprint The hash value of the certificate that is calculated using
the SHA-1 algorithm. Click Copy to clipboard to help
the administrator communicate the fingerprint to the host
administrator.

SHA-256 fingerprint The hash value of the certificate that is calculated using
the SHA-256 algorithm. Click Copy to clipboard to help
the administrator communicate the fingerprint to the host
administrator.

Using the command line:

■ Run the following command on the primary server to view the Root
Certificate Fingerprint:
nbcertcmd -listCACertDetails

If multiple CA certificates are displayed, use the Subject name.

2 The primary server administrator communicates the fingerprint to the host
administrator by email, by file, or on an internal web site.
The host administrator uses the fingerprint value to verify the fingerprint that
is displayed when the host runs nbcertcmd -getCACertificate. This verifies
the authenticity of the CA certificate.

Using the vssat command to view the CA certificate

fingerprint
The vssat command can also be used to view the CA certificate fingerprint. Use
vssat with the following options:

vssat showcred -p nbatd

However, note the following differences between using nbcertcmd

-listCACertDetails and vssat:

■ vssat displays the fingerprint as a hash and does not include colon separators.

■ If the host trusts multiple Certificate Authorities, the nbcertcmd command displays
all CA certificates. The Subject Name displays the identity of the CA.

Forcing or overwriting certificate deployment

In some situations it may be necessary to use the -force option with the nbcertcmd
-getCertificate command. For example, to force certificate deployment to a host
 NetBackup CA and NetBackup certificates 320
About host ID-based certificates

or to overwrite the existing host ID-based certificate information and fetch a new
certificate.

Forcing certificate deployment

A host may already have a host ID-based certificate, but needs to overwrite the old
certificate with a new one. This is required, for example, when a primary server is
replaced with a new server. Since the clients have the old certificate to the old
server, when the nbcertcmd -getCertificate command is run on the clients, it
fails with the following error:
Certificate already exists for the server.

Use the following procedure to overwrite the existing host ID-based certificate
information and fetch a new certificate.
To force certificate deployment on a host
◆ The host administrator runs the following command on the non-primary host:
nbcertcmd -getCertificate -server primary_server_name -force

■ Depending on the security setting on the primary server, a token may also
need to be specified.
See “Creating authorization tokens” on page 330.
■ Use the -cluster option to deploy a cluster certificate.

Overwrite the existing host ID-based certificate information

and fetch a new certificate
A host may have been issued a certificate, but over time the certificate has become
corrupted or the certificate file has been deleted.
The administrator of the non-primary host can run the following command to confirm
the condition of the certificate:
nbcertcmd -listCertDetails

■ If the certificate is corrupt, the command fails with the following error:
Certificate could not be read from the local certificate store.

■ If no certificate details display, the certificate is not available.

Use the following procedure to overwrite the existing host ID-based certificate
information and to fetch a new certificate.
To fetch a new host ID-based certificate
◆ The host administrator runs the following command on the non-primary host:
nbcertcmd -getCertificate -force
 NetBackup CA and NetBackup certificates 321
About host ID-based certificates

■ Depending on the security setting on the primary server, a token may also
need to be specified.
See “Creating authorization tokens” on page 330.
■ Use the -cluster option to deploy a cluster certificate.

Retaining host ID-based certificates when reinstalling NetBackup on

non-primary hosts
Administrators may want to uninstall NetBackup from a host, and then perform a
clean installation on the same host. See the following procedure for instructions on
how to retain the identity of a host through the uninstall/reinstall process.
To retain host ID-based certificates when reinstalling NetBackup
1 Stop all NetBackup services on the host.
2 Back up the following directories including the hidden files:
On Windows:
Install_path\NetBackup\var\VxSS

Install_path\NetBackup\var\webtruststore

On UNIX:
/usr/openv/var/vxss

/usr/openv/var/webtruststore

3 Where NetBackup Cluster Server is used, also back up the following directories:
Shared_disk\var\global\vxss

Shared_disk\var\global\webtruststore

4 Reinstall NetBackup on the host.

5 Restore the data that was backed up in step 2 and step 3.

Deploying certificates on a client that has no connectivity with the

primary server
NetBackup can detect whether a host has connectivity with the primary server or
not. If there is no connectivity, NetBackup automatically attempts to use the built-in
HTTP tunnel on a media server to route the connection request to the primary
server.
 NetBackup CA and NetBackup certificates 322
About host ID-based certificates

If NetBackup cannot automatically detect the host connectivity with the primary
server or find an appropriate media server to route the connection request, you
need to manually configure the HTTP tunnel options.
See “About the communication between a NetBackup client located in a demilitarized
zone and a primary server through an HTTP tunnel” on page 352.
To deploy a certificate on a client that has no connectivity with the primary server,
refer to the following topic:
See “Deploying host ID-based certificates” on page 312.

Note: As the request is routed via a different host, the primary server cannot validate
the authenticity of the certificate request, therefore an authorization token is a must.

About host ID-based certificate expiration and renewal

NetBackup host ID-based certificates expire one year after their issue date. They
are automatically renewed 180 days before the expiration date. A certificate renewal
request is sent periodically until a certificate is successfully renewed. Automatic
renewal ensures that the renewal process is transparent to the users.

Note: You can disable automatic renewal of host-ID based certificates using the
DISABLE_CERT_AUTO_RENEW parameter from the NetBackup configuration file (the
Windows registry or the bp.conf file on UNIX).
For more information, see the NetBackup Administrator's Guide, Volume I.

The renewal request is always authenticated using the existing certificate. Hence,
the renewal process does not require the use of an authorization token, regardless
of the certificate deployment security level.
If the existing certificate has not expired, the host administrator can initiate a manual
renewal request, as described in the following procedure.
To renew a host ID-based certificate manually
◆ The host administrator runs the following command on the non-primary host:
nbcertcmd -renewCertificate

■ Certificates corresponding to NetBackup domains other than the primary

domain can be manually renewed by specifying the -server option.
■ Use the -cluster option to renew the cluster certificate of NetBackup
clustered server.
 NetBackup CA and NetBackup certificates 323
About host ID-based certificates

In a scenario where the certificate has expired, the administrator of the host must
manually reissue the certificate.
See “About reissuing host ID-based certificates” on page 325.

Deleting sensitive certificates and keys from media servers and

clients
In the cloning process, use the following command to remove certain sensitive
certificates and keys from NetBackup media servers and clients in the following
scenarios:
■ Run the command on the cloned virtual machine, which is cloned from an active
NetBackup host.
■ Run the command before creating a gold image of a virtual machine for cloning.
nbcertcmd -deleteAllCertificates

Note: This command is allowed only on media servers and clients. The command
is not allowed on primary servers.

This operation deletes or shreds the appropriate sensitive information (certificates

and keys) from the following locations:
On Windows:
■ C:\Program Files\Veritas\NetBackup\var\VxSS\certmapinfo.json

■ C:\Program
Files\Veritas\NetBackup\var\VxSS\credentials\<certificate>
For example:
C:\Program Files\Veritas\NetBackup\var\VxSS\credentials\
6d92d4dd-ed2d-43de-adb1-bf333aa2cc3c

■ C:\Program
Files\Veritas\NetBackup\var\VxSS\credentials\keystore\PrivKeyFile.pem
(shredded)
■ C:\Program
Files\Veritas\NetBackup\var\VxSS\at\systemprofile\certstore\<certificate>
For example:
C:\Program Files\Veritas\NetBackup\var\VxSS\at\systemprofile\
certstore\9345b05e-lilycl2nb!1556!nbatd!1556.0
 NetBackup CA and NetBackup certificates 324
About host ID-based certificates

■ C:\Program
Files\Veritas\NetBackup\var\VxSS\at\systemprofile\certstore\keystore\PrivKeyFile.pem
(shredded)
■ C:\Program
Files\Veritas\NetBackup\var\VxSS\at\systemprofile\certstore\keystore\PubKeyFile.pem

On UNIX:
■ /usr/openv/var/vxss/certmapinfo.json

■ /usr/openv/var/vxss/credentials/<certificate>
For example:
/usr/openv/var/vxss/credentials/
f4f72ef3-2cfc-42a4-ab5a-65fd09e8b63e

■ /usr/openv/var/vxss/credentials/keystore/PrivKeyFile.pem (shredded)

■ /var/vxss/at/root/.VRTSat/profile/certstore/<certificate>

■ /var/vxss/at/root/.VRTSat/profile/certstore/keystore/PubKeyFile.pem

■ /var/vxss/at/root/.VRTSat/profile/certstore/keystore/PrivKeyFile.pem
(shredded)

Cleaning host ID-based certificate information from a host before

cloning a virtual machine
Cloning a virtual machine can present the opportunity for identity theft. Multiple
hosts should not have the same key pair. This procedure ensures that each copy
of the host gets a unique key pair and identity.
Perform the following procedure before cloning a virtual machine (or before creating
a gold image of a machine for cloning) if it is a one-time operation.
 NetBackup CA and NetBackup certificates 325
About host ID-based certificates

To clean the host ID-based certificate information from a host before cloning
1 Stop all NetBackup services on the host.
2 Delete all files and directories from the following locations:
On Windows:
Install_path\NetBackup\var\VxSS\at\*

Install_path\NetBackup\var\VxSS\credentials\*

Install_path\NetBackup\var\webtruststore\*

On UNIX:
/usr/openv/var/vxss/at/*

/usr/openv/var/vxss/credentials/*

/usr/openv/var/webtruststore/*

3 Delete the following file:

On Windows: Install_path\NetBackup\var\VxSS\certmapinfo.json
On UNIX: /usr/openv/var/vxss/certmapinfo.json
4 Where NetBackup Cluster Server is used, perform the following steps in
addition:
5 Delete all files and directories from the following locations:
Shared_disk\var\global\vxss\at\*

Shared_disk\var\global\vxss\credentials\*

Shared_disk\var\global\webtruststore\*

6 Delete the following file:

Shared_disk\var\global\vxss\certmapinfo.json

7 Proceed to clone the virtual machine.

About reissuing host ID-based certificates

A certificate must be reissued in any of the following cases:
■ The certificate was revoked, and you later determine that you can trust that host
again.
■ The certificate expired.
■ NetBackup was reinstalled on the host where a certificate was already issued.
■ The name of the host was changed.
 NetBackup CA and NetBackup certificates 326
About host ID-based certificates

■ The key pair for the host was changed.

Reissuing a certificate is one way to prevent malicious users from assuming the
identity of an existing NetBackup host that is already registered with the NetBackup
primary server. In most cases, a reissue token is required for certificate reissue.
■ Reissuing a host ID-based certificate for a NetBackup host is different from
deploying the certificate for the first time. Use the following procedure to reissue
a certificate.
See “Creating a reissue token” on page 326.
■ Once a reissue token is obtained, the certificate reissue process is similar to
manual certificate deployment with an authorization token.
See “Deploying host ID-based certificates” on page 312.
When the primary server receives a certificate reissue request, it first revokes all
the previously valid certificates for that host and then generates a new certificate
when required.

Creating a reissue token

A host ID-based certificate can be reissued if the non-primary host is already
registered with the primary server but its host ID-based certificate is no longer valid.
For example, a certificate is not valid when it has expired, is revoked, or is lost.
A reissue token is a type of token that can be used to reissue a certificate. It is a
special type of token because it retains the same host ID as the original certificate.
Since a reissue token is bound to a specific host, the token cannot be used to
request certificates for additional hosts.
To create a reissue a token
1 Open the NetBackup web UI.
2 On the left, select Security > Certificates.
3 Select the host that requires a reissue token.
4 Click Generate Reissue Token.
5 Enter the name for the token.
6 Select a date for token validity from the Valid for option.
7 In the Reason field, enter a reason for the reissue token. The reason appears
in the log as an audit event.
8 Click Generate.
 NetBackup CA and NetBackup certificates 327
About host ID-based certificates

9 Click Copy to clipboard to copy the token value.

10 Convey the token value to the administrator of the non-primary host. How the
token is conveyed depends on various security factors in the environment. The
token may be transmitted by email, by file, or verbally.
The administrator of the non-primary host deploys the token to obtain another
host ID-based certificate. See the following topic for instructions:
See “Deploying host ID-based certificates” on page 312.
To create a reissue a token using the nbcertcmd command
1 The primary server administrator must be logged in to the NetBackup Web
Management Service to perform this task. Use the following command to login:
bpnbat -login -logintype WEB

See “Web login requirements for nbcertcmd command options” on page 303.
2 Run one of the following commands on the primary server:
Use the host name for which the certificate needs to be reissued:
nbcertcmd -createToken -name token_name -reissue -host host_name

Note: You must provide the primary name of the host for which you want to
reissue the certificate. If you provide any of the host ID-to-host name mappings
that are added for the host, the certificate cannot be reissued.

Use the host ID for which the certificate needs to be reissued:

nbcertcmd -createToken -name token_name -reissue -hostId host_id

Additional parameters can be used to indicate validity duration and the reason
for creation.
For information about the nbcertcmd command, see the NetBackup Commands
Reference Guide.

Additional steps to request a certificate for a renamed

NetBackup host
In addition to reissuing a token, the following steps are required to request a
certificate for a renamed NetBackup host.
 NetBackup CA and NetBackup certificates 328
About host ID-based certificates

To request a certificate for a host after a host name change

1 The NetBackup administrator of the primary server generates a reissue token
for the renamed NetBackup host.
2 Add the new host name as one of the approved host ID-to-host name mappings
by using NetBackup web UI.
See “Adding host ID to host name mappings” on page 279.
Alternatively, you can use the nbhostmgmt -add command-line interface option.
For more information about the command, see the NetBackup Commands
Reference Guide.
3 The NetBackup administrator must revoke the host ID-based certificate for the
renamed host.
See “Revoking a host ID-based certificate” on page 338.

Note: After the certificate is revoked, the host is unable to communicate with
the NetBackup Web Management Console service (nbwmc). When the host
obtains a new certificate using the reissue token, the host can communicate
with nbwmc again.

4 After the certificate is revoked, the administrator of the non-primary host must
use the reissue token to get a certificate for the renamed host.
See “Deploying host ID-based certificates” on page 312.

Changing the key pair for a host

Consider changing a key pair only if a key is compromised or leaked. Changing a
key pair results in both a new host ID-based certificate and a new host name-based
certificate.
The following procedure describes changing a key pair for a host, and then getting
a new certificate using the new key pair.
Do not perform the procedure for a primary server, only a non-primary server host.
To change a key pair for a host
1 The NetBackup host administrator backs up the following directories:
On Windows: Install_path\NetBackup\var\VxSS\at\systemprofile
On UNIX: /usr/openv/var/vxss/at/root
2 The NetBackup host administrator removes the directory from the host.
 NetBackup CA and NetBackup certificates 329
About Token Management for host ID-based certificates

3 Restart the NetBackup services on the host.

4 The primary server administrator performs the following steps:
■ Log in to the NetBackup Web Management Service:
bpnbat -login -logintype WEB
See “Web login requirements for nbcertcmd command options” on page 303.
■ Revoke the host ID-based certificate:
nbcertcmd -revokeCertificate -host host_name

■ Generate a reissue token for the NetBackup host where the key pair is to
be changed.
See “Creating a reissue token” on page 326.
■ Deploy a new host name-based certificate:
bpnbaz –ProvisionCert host_name

5 The NetBackup host administrator uses the reissue token to deploy a new host
ID-based certificate with an updated key pair.
Use the following command to enter the token directly:
nbcertcmd -getCertificate -force -token

Use the following command if the token is in a file:

nbcertcmd -getCertificate -force -file /directory/token_file

6 If the host has more than one primary server, repeat the process beginning at
step 4 for each primary server.
7 Restart the NetBackup services on the NetBackup host where the key was
changed.

About Token Management for host ID-based

certificates
Master server administrators use the Token Management utility to perform the
following tasks:
■ Create new authorization tokens
Depending on the security level, an authorization token may be required for a
non-primary NetBackup host to obtain a host ID-based certificate. The NetBackup
administrator of the primary server generates the token and shares it with the
administrator of the non-primary host. That administrator can then deploy the
certificate without the presence of the primary server administrator.
See “Creating authorization tokens” on page 330.
 NetBackup CA and NetBackup certificates 330
About Token Management for host ID-based certificates

■ Delete authorization tokens

See “Deleting authorization tokens” on page 332.
■ View authorization token details
See “Viewing authorization token details” on page 332.
■ Clean up invalid or expired authorization tokens
See “About expired authorization tokens and cleanup” on page 333.

Creating authorization tokens

Depending on the certificate deployment security setting, NetBackup hosts may
require an authorization token to obtain a host ID-based certificate from the
Certificate Authority (primary server).
See “Creating a reissue token” on page 326.
■ If the security setting is Very High, all certificate requests require a token.
Perform the procedure that is described in this topic.
■ If the security setting is High, certificates are automatically deployed to hosts
that are known to the primary server. If the host is not known to the primary
server, the certificate must be deployed using an authorization token. In that
case, perform the procedure that is described in this topic.
To understand what it means to be known to the primary server, see the following
topic:
See “About NetBackup certificate deployment security levels” on page 307.
■ If the security setting is Medium, this procedure may be less likely because
certificates are automatically deployed to all hosts that request one. However,
the primary server must be able to cross verify the IP and host name of the host
that is requesting a certificate.

Note: A token is required to request a certificate on behalf of a host that has no

connectivity with the primary server.
See “Deploying certificates on a client that has no connectivity with the primary
server” on page 321.

Note: Do not use this procedure to create an authorization token for a NetBackup
host whose current certificate is not in a valid state because it is lost, corrupt, or
expired. In these cases, a reissue token must be used.
See “About reissuing host ID-based certificates” on page 325.
 NetBackup CA and NetBackup certificates 331
About Token Management for host ID-based certificates

The NetBackup administrator of the primary server can use the NetBackup web UI
or the command line to create the token.
To create a token using the NetBackup web UI
1 On the left, select Security > Tokens.
2 Select Add.
3 Enter a unique and meaningful name for the token. The field cannot be left
blank.
For example, to create a token to request certificates for multiple hosts that
belong to primary_server_1, name the token Token1_MS1. A good practice is
to write a useful description in the Reason field for the token.
4 Enter a number for the Maximum uses allowed option for the number of times
the token can be used. The default is 1, which indicates that one host can use
the token one time.
To use the same token for multiple hosts, enter any value between 1 and
99999. For example, to use the token for 8 hosts, enter 8. The ninth host that
attempts to use the token will not succeed.
5 Use the Valid for option to indicate how long the token can be used before it
is invalid and cannot be used. After the Valid for date, the primary server must
generate another token.
Select a period between 1 and 999 hours or days.
6 Optionally, enter the reason for creating the token. The reason appears in the
audit logs, along with the other entries in the dialog.
7 Select Create.
8 Select the Copy to clipboard button to save the token value to the clipboard.
9 Convey the token value to the administrator of the non-primary host. How the
token is conveyed depends on various security factors in the environment. The
token may be transmitted by email, by file, or verbally.
10 The administrator of the non-primary host uses the token to obtain a host
ID-based certificate from the Certificate Authority. See the following procedure
for instructions:
See “Deploying host ID-based certificates” on page 312.
 NetBackup CA and NetBackup certificates 332
About Token Management for host ID-based certificates

To create a token using the nbcertcmd command

◆ Run the following command on the host:
nbcertcmd -createToken -name token_name

For example:
nbcertcmd -createToken -name testtoken

Token FCBVYUTDUIELUDOE created successfully.

Additional parameters can be used to indicate maximum uses, validity duration,

and the reason for creation.
For information about the nbcertcmd command, see the NetBackup Commands
Reference Guide.

Deleting authorization tokens

Use the NetBackup web UI or the command line to delete specific authorization
tokens. A token can be deleted even though it has not expired and the Maximum
Uses Allowed count has not yet been exhausted.
To delete a token using the NetBackup Administration web UI
1 On the left pane, select Security > Tokens.
2 In the right pane, select the token to be deleted.
3 Click Delete.
4 Click Yes in the confirmation dialog box to delete the token.
To delete a token using the command line
◆ Run the nbcertcmd -deleteToken command (with additional parameters).
For information about the nbcertcmd command, see the NetBackup Commands
Reference Guide.

Viewing authorization token details

Details for each authorization token can be viewed in the NetBackup
Administration Console or from the command line.
To view token details using the NetBackup Administration web UI
1 On the left pane, select Security > Tokens.
2 On the Token Management page, the token details will be displayed.
 NetBackup CA and NetBackup certificates 333
About the host ID-based certificate revocation list

To view token details using the nbcertcmd command

◆ On the primary server, run the nbcertcmd -listToken command (with
additional parameters) to view the token details.
The token details are displayed.

About expired authorization tokens and cleanup

An authorization token expires in either of the following situations (whichever
happens first):
■ When the current date-time combination is later than the token’s Valid for
amount.
■ When the token is used for Maximum Uses Allowed requests.
An expired authorization token remains in the token database, but cannot be used
to authorize certificate deployment requests.
Expired tokens can be deleted one by one, or they can be cleaned up all at once
by using the Cleanup operation. The Cleanup operation deletes all expired tokens
from the token database.
To clean up expired authorization tokens using the NetBackup Administration
web UI
1 On the left pane, select Security > Tokens.
2 On the Token Management page, select Cleanup.
3 Click Yes to clean up all expired tokens and delete them from the token
database.
To clean up tokens using the command line
◆ Use the nbcertcmd -cleanupToken command to delete all the expired tokens.
See “Deleting authorization tokens” on page 332.

About the host ID-based certificate revocation list

The NetBackup certificate revocation list (CRL) is a list of host ID-based digital
security certificates that have been revoked before their expiration date. The hosts
that own revoked certificates should no longer be trusted.
 NetBackup CA and NetBackup certificates 334
About the host ID-based certificate revocation list

The NetBackup certificate revocation list conforms to the Certificate Revocation

List profile that the Internet Engineering Task Force publishes in RFC 5280 at
https://www.ietf.org. The NetBackup certificate authority signs the CRL. The
NetBackup primary server is the certificate authority. The CRL is public and does
not require secure transmission. The CRL endpoint is open, free for anyone to
access.
Every NetBackup host must have a valid security certificate and a valid CRL so
that it can communicate with other NetBackup hosts.

How often NetBackup generates a new CRL

The NetBackup primary server generates a new CRL as follows:
■ On startup.
■ Sixty minutes since the CRL was last generated.
■ NetBackup checks every 5 minutes for a newly revoked certificate. It can take
NetBackup up to 5 minutes to update the web server after a certificate is revoked.
A CRL expires after 7 days.

How often a NetBackup host gets a CRL

A NetBackup host obtains a CRL when NetBackup is installed on the host. A
NetBackup host also obtains a fresh CRL during an upgrade of the NetBackup
software.
After installation or upgrade, each host requests a new CRL on a time interval since
the host was started. (NetBackup uses a pull method to refresh host CRLs.) The
NetBackup primary server certificate deployment security level determines the time
interval, as shown in the following table.

Table 18-7 CRL refresh interval

Security level CRL refresh interval

Very high Hourly

High 4 hours

Medium 8 hours

See “About NetBackup certificate deployment security levels” on page 307.

You can get a new CRL before its scheduled refresh period.
See “Refreshing the CRL on the primary server” on page 335.
See “Refreshing the CRL on a NetBackup host” on page 335.
 NetBackup CA and NetBackup certificates 335
About the host ID-based certificate revocation list

For more information

See “Overview of security certificates in NetBackup” on page 274.
See “About host ID-based certificates” on page 303.
See “About revoking host ID-based certificates” on page 336.

Refreshing the CRL on the primary server

Use the following procedure to refresh the CRL on the primary server. The procedure
gets the current CRL from the NetBackup certificate authority and copies it to the
primary server. If a host in the environment was recently revoked, you must wait
up to 5 minutes before the CRL reflects that the host was revoked.
See “About the host ID-based certificate revocation list” on page 333.
To refresh the CRL on the primary server
1 Log in to the primary server as an administrator.
For a clustered primary server, log in to the active node.
2 For a clustered primary server, run the following command:
nbcertcmd -getCRL -cluster [-server primary_server_name]

To get a CRL from a NetBackup domain other than the default, specify the
-server primary_server_name option and argument.

3 Run the following command:

nbcertcmd -getCRL [-server primary_server_name]

Refreshing the CRL on a NetBackup host

Use the following procedure to refresh the CRL on a NetBackup host. The procedure
gets the current CRL from the NetBackup certificate authority and copies it to the
local host. If a host in the environment was recently revoked, you must wait up to
5 minutes before the CRL reflects that the host was revoked.
See “About the host ID-based certificate revocation list” on page 333.
To refresh the CRL on a NetBackup host
1 Log on as an administrator on the NetBackup host that requires a fresh CRL.
2 Run the following command:
nbcertcmd -getCRL [-server primary_server_name]

To get a CRL from a NetBackup domain other than the default, specify the
-server primary_server_name option and argument.
 NetBackup CA and NetBackup certificates 336
About revoking host ID-based certificates

About revoking host ID-based certificates

When you revoke a NetBackup digital security certificate, NetBackup revokes any
other certificates for that host. NetBackup ceases to trust the host, and it no longer
can communicate with other NetBackup hosts.
If you revoke a certificate, you must select one of the following reasons:

Affiliation Changed The host changes affiliation to a different NetBackup domain.

CA Compromise The certificate authority is compromised.

Cessation of Operation The host ceases to be a NetBackup host. For example, you
decommission a NetBackup media server or client.

Key Compromise The certificate key is compromised.

Superseded A new certificate supersedes the certificate to be revoked.

Unspecified Other, unspecified reasons. Perhaps you want to suspend

privileges temporarily while you investigate a security event.

If you revoke a certificate and later determine that you can trust the host, provision
a new certificate on that host. You do so by using a reissue token.
See “About reissuing host ID-based certificates” on page 325.

Note: Do not revoke a certificate of the primary server. If you do, NetBackup
operations may cease.

After you revoke a host’s certificate, you should consider doing the following actions
in NetBackup:
■ Remove the host from backup policies.
■ For a NetBackup media server, deactivate it.
You should also consider any actions that are not related to NetBackup to ensure
that someone with malicious intent cannot use the certificate and key.
See “About the host ID-based certificate revocation list” on page 333.

Removing trust between a host and a primary server

A NetBackup host can trust multiple Certificate Authorities (primary servers) at any
time. For various reasons, it may be necessary for a NetBackup host to remove
trust from a primary server that previously had been trusted.
 NetBackup CA and NetBackup certificates 337
About revoking host ID-based certificates

For example, if a NetBackup client is moved from one primary server to another, it
is advisable to remove trust from the first primary server. Security best practices
suggest trusting the fewest entities required to function correctly. Also, if a NetBackup
host no longer needs to communicate with hosts from a specific NetBackup domain,
remove the CA certificate for that primary from the trust store of the host.

Note: Removing a CA certificate does not remove the host ID-based or host
name-based certificates that the host may have obtained from that CA. The
nbcertcmd -listCertDetails continues to show the host ID-based certificate.

When the CA certificate is removed from a host, the host ID-based certificate issued
by that CA will not automatically renew because the host no longer trusts the CA.
The host ID-based certificate eventually expires.
 NetBackup CA and NetBackup certificates 338
About revoking host ID-based certificates

Removing trust between a host and a primary server

1 The administrator of the non-primary host runs the following command on the
host to determine the CA certificate fingerprint of the primary server:
nbcertcmd -listCACertDetails

In this example output, the host has certificates from two primary servers:

nbcertcmd -listCACertDetails
Subject Name : /CN=nbatd/[email protected]/O=vx
Start Date : Aug 23 14:16:44 2016 GMT
Expiry Date : Aug 18 15:31:44 2036 GMT
SHA1 Fingerprint : 7B:0C:00:32:96:20:36:52:92:E8:62:F3:56:
74:8B:E3:2E:4F:22:4C

Subject Name : /CN=nbatd/[email protected]/O=vx

Start Date : Aug 25 12:09:55 2016 GMT
Expiry Date : Aug 20 13:24:55 2036 GMT
SHA1 Fingerprint : 7A:C7:6E:68:71:6B:82:FD:7E:80:FC:47:F6:
8D:B2:E1:40:69:9C:8C

2 The administrator wants to remove trust to the second primary server and runs
the following command on the host:

nbcertcmd -removeCACertificate –fingerprint 7A:C7:6E:68:71:

6B:82:FD:7E:80:FC:47:F6:8D:B2:E1:40:69:9C:8C

Include the entire fingerprint, including the colons.

Warning: This command removes the CA certificate from the trust store. The
trust store is referred to by NetBackup services and by the NetBackup Web
Management Console service (nbwebsvc).

3 The NetBackup Administration Console on the primary server displays the

certificate state as Active. However, that certificate does not automatically
renew and eventually expires. The NetBackup administrator should revoke the
certificate of the host if the host is no longer going to be part of the NetBackup
domain.

Revoking a host ID-based certificate

NetBackup administrators may consider revoking a host ID-based certificate under
various conditions. For example, if the administrator detects that client security has
been compromised, if a client is decommissioned, or if NetBackup is uninstalled
 NetBackup CA and NetBackup certificates 339
About revoking host ID-based certificates

from the host. A revoked certificate cannot be used to communicate with primary
server web services.
See “About revoking host ID-based certificates” on page 336.
Security best practices suggest that the administrator explicitly revoke the certificates
for any host that is no longer active, regardless of whether the certificate is still
deployed on the host, or whether it has been successfully removed from the host.

Note: Do not revoke a certificate of the primary server. If you do, NetBackup
operations may cease.

To revoke a host ID-based certificate using the NetBackup Administration

web UI
1 On the left pane, select Security > Certificates.
2 On the NetBackup certificates tab, select the certificate to be revoked.
3 Select Revoke Certificate.
4 Select a reason from the drop-down list and click Yes.
5 After you revoke a host’s certificate, do the following actions in NetBackup:
■ Remove the host from backup policies.
■ For a NetBackup media server, deactivate it.

To revoke a host ID-based certificate using the command line

1 The primary server administrator must be logged in to the NetBackup Web
Management Service to perform this task. Use the following command to log
in:
bpnbat -login -logintype WEB

See “Web login requirements for nbcertcmd command options” on page 303.
2 Run one of the following commands to revoke the certificate using the host
name or the host ID.
Revoke using the host name:
nbcertcmd -revokeCertificate -host host_name

Note: You must provide the primary name of the host for which you want to
revoke the certificate. If you provide any of the host ID-to-host name mappings
that are added for the host, the certificate cannot be revoked.

Revoke using the host ID:

 NetBackup CA and NetBackup certificates 340
About revoking host ID-based certificates

nbcertcmd -revokeCertificate -hostID host_id

Additional parameters can be used to indicate a revocation reason code and

the primary server.
3 After you revoke a host’s certificate, do the following actions in NetBackup:
■ Remove the host from backup policies.
■ For a NetBackup media server, deactivate it.

Note: Revoking a certificate does not delete the certificate from the local store of
the non-primary host.

Determining a NetBackup host's certificate state

If NetBackup CA-signed certificate is used
You can determine the state of a NetBackup certificate: Active or Revoked. Doing
so may help troubleshoot connection and communication problems. Three methods
exist to determine a certificate state, as follows:

Verify a host certificate from The method uses the NetBackup nbcertcmd command.
the host itself
See “To verify the host's certificate state from the host”
on page 341.

Verify a host certificate from The method uses the NetBackup bptestbpcd command.
a NetBackup server
See “To verify from a NetBackup server if a different host’s
certificate is revoked” on page 341.

Verify a host certificate from See “To verify a host’s certificate” on page 342.
the host itself

See “About the host ID-based certificate revocation list” on page 333.
 NetBackup CA and NetBackup certificates 341
About revoking host ID-based certificates

To verify the host's certificate state from the host

1 Optionally, on the NetBackup host run the following command as an
administrator to get the most recent certificate revocation list:
UNIX: /usr/openv/netbackup/bin/nbcertcmd -getCRL [-server
primary_server_name]

Windows: install_path\NetBackup\bin\nbcertcmd -getCRL [-server

primary_server_name]

To get a CRL from a NetBackup domain other than the default, specify the
-server primary_server_name option and argument.

2 On the NetBackup host, run the following command as an administrator:

UNIX: /usr/openv/netbackup/bin/nbcertcmd -hostSelfCheck [-cluster]
[-server primary_server_name]

Windows: install_path\NetBackup\bin\nbcertcmd -hostSelfCheck

[-cluster] [-server primary_server_name]

Use one or both of the following options if necessary:

-cluster Use this option on the active node of a NetBackup primary server cluster
to verify the certificate of the virtual host.

-server Use this option with the primary_server_name argument to verify a

certificate from a primary server other than the default.

3 Examine the command output. The output indicates that either the certificate
is or is not revoked.
To verify from a NetBackup server if a different host’s certificate is revoked
1 As an administrator on the NetBackup primary server or a NetBackup media
server, run the following command:
UNIX: /usr/openv/netbackup/bin/admincmd/bptestbpcd –host hostname
-verbose

Windows: install_path\NetBackup\bin\bptestbpcd –host hostname

-verbose

For –host hostname, specify the host for which you want to verify the certificate.
2 Examine the command output. If the certificate on the specified host is revoked,
the command output includes the string The Peer Certificate is revoked.
If the command output does not include that string, the certificate is valid.
 NetBackup CA and NetBackup certificates 342
About revoking host ID-based certificates

To verify a host’s certificate

1 Open the NetBackup web UI.
2 On the left, click Security > Certificates.
3 Click the certificate name to examine the status of the certificate.

If external CA-signed certificate is used

You can determine the state of an external CA-signed host certificate: Active or
Revoked. Doing so may help troubleshoot connection and communication problems.
Two methods exist to determine a certificate state, as follows:

Verify a host See “To verify a host certificate from the host itself” on page 342.
certificate from
the host itself

Verify a host See “To verify from a NetBackup server if a different host’s certificate is
certificate from revoked” on page 343.
a NetBackup
server

To verify a host certificate from the host itself

1 Refresh the CRLs in the NetBackup CRL cache.

2 On the NetBackup host, run the following command as an administrator:

UNIX: /usr/openv/netbackup/bin/nbcertcmd -hostSelfCheck [-cluster]
Windows: install_path\NetBackup\bin\nbcertcmd -hostSelfCheck
[-cluster]

Use the -cluster option on the active node of a clustered primary server to
verify the certificate of the virtual name.
3 Examine the command output. The output indicates whether the certificate is
revoked or not.
 NetBackup CA and NetBackup certificates 343
Deleting host ID-based certificates

To verify from a NetBackup server if a different host’s certificate is revoked

1 As an administrator on the NetBackup primary server or a NetBackup media
server, run the following command:
UNIX: /usr/openv/netbackup/bin/admincmd/bptestbpcd -host hostname
-verbose

Windows: install_path\NetBackup\bin\bptestbpcd -host hostname

-verbose

For -host hostname, specify the host for which you want to verify the certificate.
2 Examine the command output. If the certificate on the specified host is revoked,
the command output includes the string 'The Peer Certificate is revoked'. If the
command output does not include that string, the certificate is valid.

Getting a list of NetBackup hosts that have revoked certificates

Use the following procedure to obtain a list of NetBackup hosts that have a revoked
certificate.
See “About the host ID-based certificate revocation list” on page 333.
To get a list of NetBackup hosts with revoked certificates
1 In a command window, log on to the NetBackup Web Management Service
on the primary server, as follows (the logon account must have NetBackup
administrator privileges):
UNIX: /usr/openv/netbackup/bin/bpnbat -login -loginType WEB
Windows: install_path\NetBackup\bin\bpnbat -login -loginType WEB
2 Run the following command to extract from the CRL a list of certificates that
are not expired and then filter the results for the word “Revoked”:
UNIX: /usr/openv/netbackup/bin/nbcertcmd -listAllDomainCertificates
| grep Revoked

Windows: install_path\NetBackup\bin\nbcertcmd
-listAllDomainCertificates | findstr Revoked

Deleting host ID-based certificates

Use this topic to manually delete host ID-based certificate of a NetBackup host.
You may need to delete certificates in certain scenarios, for example: A NetBackup
host is moved from one NetBackup domain to another NetBackup domain. In this
scenario, the current host ID-based certificate needs to be deleted and the host
 NetBackup CA and NetBackup certificates 344
Deleting host ID-based certificates

must have a certificate issued by the new Certificate Authority (CA) that is the new
primary server.

Caution: Manually deleting the host ID-based certificates may adversely impact
NetBackup functionality.

Note: During NetBackup software removal, host ID-based certificates are

automatically deleted.

To delete a host ID-based certificate from a NetBackup host

1 Run the following command on the NetBackup host to view the details of all
associated host ID-based certificates.
UNIX: /usr/openv/netbackup/bin/nbcertcmd -listCertDetails
Windows: install_path\NetBackup\bin\nbcertcmd -listCertDetails
2 To delete a certificate, run the following command on the host:
UNIX: /usr/openv/netbackup/bin/nbcertcmd -deleteCertificate -hostid
host_ID

Windows: install_path\NetBackup\bin\nbcertcmd -deleteCertificate

-hostid host_ID

To delete a host ID-based certificate from an active node in a cluster setup

1 Run the following command on the active node to view the details of all
associated host ID-based certificates.
UNIX: /usr/openv/netbackup/bin/nbcertcmd -listCertDetails -cluster
Windows: install_path\NetBackup\bin\nbcertcmd -listCertDetails
-cluster

2 To delete a certificate, run the following command on the active node of the
cluster:
nbcertcmd -deleteCertificate -hostid host_ID -cluster

UNIX: /usr/openv/netbackup/bin/nbcertcmd -hostid host_ID -cluster]

Windows: install_path\NetBackup\bin\nbcertcmd -hostid host_ID
-cluster
 NetBackup CA and NetBackup certificates 345
Host ID-based certificate deployment in a clustered setup

Host ID-based certificate deployment in a

clustered setup
This section provides information on deployment of host name-based and host
ID-based certificates in a NetBackup clustered setup.
For more information about NetBackup clusters, see the NetBackup Clustered
Primary Server Administrator's Guide.

About host ID-based certificate deployment on a

NetBackup cluster
In a clustered NetBackup primary server setup, the host ID-based certificates are
deployed as follows:
■ One certificate for each cluster node: A certificate resides on the local disk of
each node.
■ One certificate for the virtual name: A certificate resides on the shared disk of
the cluster.
Consider the following example:
If a cluster setup consists of 4 nodes, 5 host ID-based certificates are deployed.
One certificate is deployed on each of the 4 nodes and one on the shared disk,
which is used for the virtual name of the primary server.

Note: Only primary servers can be clustered in NetBackup.

About host name-based certificate deployment on a

NetBackup cluster
In a clustered NetBackup primary server setup, the host name-based certificates
are deployed as follows:
■ One certificate for each cluster node: A certificate resides on the local disk of
each node.
■ One certificate for the virtual name on each node: A certificate resides on the
local disk of each node.
See “Deploying host name-based certificates” on page 301.

About deployment of a host ID-based certificate on a clustered

NetBackup host
Review the following scenarios for certificate deployment on cluster nodes:
 NetBackup CA and NetBackup certificates 346
Host ID-based certificate deployment in a clustered setup

■ In case of fresh NetBackup installation, certificate on an active node is deployed

automatically. You must manually deploy certificates on all inactive nodes.
■ In case of disaster recovery, certificates for active and inactive nodes are not
recovered. After you install NetBackup in a disaster recovery mode after a
disaster, you must manually deploy certificates on all nodes.
See “Generating a certificate on a clustered primary server after disaster recovery
installation” on page 351.

Note: In case of upgrade, active or inactive nodes may already have a certificate.
You can verify whether a cluster node has a certificate or not.
See “Viewing certificate details of a clustered NetBackup setup” on page 350.

See “Host ID-based certificate deployment on the active primary server node”
on page 346.
See “Host ID-based certificate deployment on inactive primary server nodes”
on page 346.

Host ID-based certificate deployment on the active primary

server node
During NetBackup installation, host ID-based certificates are deployed on the active
primary server node and the virtual name. The certificate for the active node is
deployed on a local disk. The certificate for the virtual name is deployed on the
shared disk.

Host ID-based certificate deployment on inactive primary

server nodes
Certificates on inactive nodes are not deployed during installation. You must
manually deploy certificates on all inactive nodes after the installation.
See “Deploying host ID-based certificates on cluster nodes” on page 346.

Deploying host ID-based certificates on cluster nodes

You must manually deploy certificates on all inactive nodes.
In certain scenarios, you need to manually deploy host ID-based certificates also
on active nodes.
To manually deploy a host ID-based certificate on a primary server cluster
node
◆ Run the following commands on the primary server cluster node:
 NetBackup CA and NetBackup certificates 347
Host ID-based certificate deployment in a clustered setup

■ nbcertcmd -getCACertificate

■ nbcertcmd -getCertificate [-file authorization_token_file]

See “About Token Management for host ID-based certificates” on page 329.

Revoking a host ID-based certificate for a clustered NetBackup setup

NetBackup administrators may consider revoking a host ID-based certificate under
various conditions. For example, if the administrator detects that client security has
been compromised, if a client is decommissioned, or if NetBackup is uninstalled
from the host. A host with a revoked certificate cannot communicate with other
hosts. Every NetBackup host must have a valid security certificate and a valid
Certificate Revocation List (CRL) for successful communication.
See “About the host ID-based certificate revocation list” on page 333.
The NetBackup administrator can revoke certificates for a cluster node or the virtual
name from any host in a NetBackup domain.
Ensure that you revoke the appropriate certificate.
After the certificate is revoked, you may need to deploy a new host ID-based
certificate. Create a reissue token on the clustered node and deploy a new certificate
using the reissue token.
See “Creating a reissue token for a clustered NetBackup setup” on page 348.
See “Deploying a host ID-based certificate on a clustered NetBackup setup using
reissue token” on page 348.
To revoke a certificate from a cluster node
1 Log in to the NetBackup Web Management Service:
bpnbat -login -logintype WEB

See “Web login requirements for nbcertcmd command options” on page 303.
2 Run the following command to revoke a certificate for a cluster node:
nbcertcmd -revokeCertificate -host host_name

See “Revoking a host ID-based certificate” on page 338.

 NetBackup CA and NetBackup certificates 348
Host ID-based certificate deployment in a clustered setup

To revoke a certificate for the virtual name

1 Log in to the NetBackup Web Management Service:
bpnbat -login -logintype WEB

2 Run the following command to revoke a host ID-based certificate for the virtual
name:
nbcertcmd -revokeCertificate -host virtual_name

See “Revoking a host ID-based certificate” on page 338.

Deploying a host ID-based certificate on a clustered NetBackup setup

using reissue token
After a host ID-based certificate is revoked, you can deploy new certificates on a
clustered NetBackup setup using reissue tokens.
See “Creating a reissue token for a clustered NetBackup setup” on page 348.
To deploy a new host ID-based certificate on a cluster node
◆ Run the following command to deploy a new certificate on the cluster node
using the reissue token:
nbcertcmd -getCertificate -file reissue_token_file -force

To deploy a new host ID-based certificate for the virtual name

◆ Run the following command to deploy a new certificate for the virtual name
using the reissue token:
nbcertcmd -getCertificate -file reissue_token_file_virtual -force
-cluster

Creating a reissue token for a clustered NetBackup setup

You need to reissue a certificate to a host in certain scenarios, for example a
certificate is revoked for a host and you need to reissue a new certificate to the
host.
See “Deploying a host ID-based certificate on a clustered NetBackup setup using
reissue token” on page 348.
You need a reissue token to reissue a new certificate to a host.
See “About Token Management for host ID-based certificates” on page 329.
 NetBackup CA and NetBackup certificates 349
Host ID-based certificate deployment in a clustered setup

To create a reissue token for a cluster node

1 Log in to the NetBackup Web Management Service with the following command:
bpnbat -login -logintype WEB

See “Web login requirements for nbcertcmd command options” on page 303.
2 Run the following command to create a reissue token for the required cluster
node:
nbcertcmd -createToken -name token_name -reissue -host host_name

See “Creating a reissue token” on page 326.

To create a reissue token for the virtual name
1 Log in to the NetBackup Web Management Service with the following command:
bpnbat -login -logintype WEB

See “Web login requirements for nbcertcmd command options” on page 303.
2 Run the following command to create a reissue token for the virtual name.
nbcertcmd -createToken -name token_name_virtual -reissue -host
virtual_name

See “Creating a reissue token” on page 326.

Renewing a host ID-based certificate on a clustered NetBackup setup

Host ID-based certificates for the cluster nodes and the virtual name are
automatically renewed. The certificates are automatically renewed 180 days before
the expiration date.
You can also renew the certificates manually, if required.
See “About host ID-based certificate expiration and renewal” on page 322.
To manually renew certificate for a cluster node
◆ Run the following command from a cluster node to renew the certificate for the
node:
nbcertcmd -renewCertificate

To manually renew certificate for the virtual name

◆ Run the following command on the active node to manually renew the certificate
for the virtual name:
nbcertcmd -renewCertificate -cluster
 NetBackup CA and NetBackup certificates 350
Host ID-based certificate deployment in a clustered setup

Viewing certificate details of a clustered NetBackup setup

Run the following commands to view the certificate details of a cluster node or the
virtual name.
To view certificate details of a cluster node
◆ Run the following command on a cluster node:
nbcertcmd -listCertDetails

See “Viewing host ID-based certificate details” on page 306.

To view certificate details for the virtual name
◆ Run the following command on the active node to view certificate details for
the virtual name:
nbcertcmd -listCertDetails -cluster

See “Viewing host ID-based certificate details” on page 306.

Removing CA certificates from a clustered NetBackup setup

Run the following commands to remove the CA (Certificate Authority) certificates
from a clustered setup.

Caution: Removing the CA certificate from a primary server node can adversely
impact the NetBackup functionality.

To remove the CA certificates from a cluster node

1 Run the following command on a cluster node to view the fingerprints of the
CA certificates:
nbcertcmd -listCACertDetails

2 Run the following command to remove the CA certificate by providing the

appropriate fingerprint:
nbcertcmd -removeCACertificate -fingerprint fingerprint
 NetBackup CA and NetBackup certificates 351
Host ID-based certificate deployment in a clustered setup

To remove the CA certificates for the virtual name

1 Run the following command on the active node to view the fingerprints of the
CA certificates for the virtual name:
nbcertcmd -listCACertDetails -cluster

2 Run the following command on the active node to remove the CA certificate
for the virtual name by providing the appropriate fingerprint:nbcertcmd
-removeCACertificate -fingerprint fingerprint_virtual -cluster

Generating a certificate on a clustered primary server after disaster

recovery installation
After you complete the disaster recovery of a clustered primary server, you must
generate a certificate on the active node as well as all inactive nodes. Additionally,
failover to the secondary node is expected behavior in a cluster environment. This
procedure is required for successful backups and restores of the cluster.
For additional information on deploying certificates on primary server nodes see
the NetBackup Security and Encryption Guide.
Generating the local certificate on each cluster node after disaster recovery
installation
1 Add all inactive nodes to the cluster.
If all the nodes of the cluster are not currently part of the cluster, start by adding
them to the cluster. Consult with your operating system cluster instructions for
assistance with this process.
More information about supported cluster technologies is available. See the
NetBackup Clustered Primary Server Administrator's Guide.
2 Run the nbcertcmd command to store the Certificate Authority certificate.
UNIX: /usr/openv/netbackup/bin/nbcertcmd -getCACertificate
Windows: install_path\Veritas\NetBackup\bin\nbcertcmd
-getCACertificate

3 Use the bpnbat command as shown to authorize the necessary changes.

When you are prompted for the authentication broker, enter the virtual server
name, not the local node name.
bpnbat -login -loginType WEB
 NetBackup CA and NetBackup certificates 352
About the communication between a NetBackup client located in a demilitarized zone and a primary server
through an HTTP tunnel

4 Use the nbcertcmd command to create a reissue token. The hostname is the
local node name. When the command runs, it displays the token string value.
A unique reissue token is needed for each cluster node.
nbcertcmd -createtoken -name token_name -reissue -host hostname

5 Use the reissue token with the nbcertcmd command to store the host certificate.
This command prompts you for the token string value. Enter the token string
from the nbcertcmd -createToken command.
nbcertcmd -getCertificate -token

About the communication between a NetBackup

client located in a demilitarized zone and a primary
server through an HTTP tunnel
In a NetBackup deployment setup, the client computers can be in a demilitarized
zone (DMZ) where the communication takes place only through specific web ports.
All NetBackup clients must be able to communicate with the web management
service on the primary server to deploy security certificates and authorize peers for
secure connections. For example, the NetBackup client sends requests to the
primary server for deploying certificates, which is essential for secure NetBackup
communication. In a DMZ setup, the client might not be able to send web service
requests directly to the primary server. In this scenario, a NetBackup client sends
a connection request and a web service request to the HTTP tunnel on the media
server by the HTTP CONNECT proxy method. The HTTP tunnel accepts the
connection request and forwards the web service request to the primary server.
The HTTP tunneling feature allows the NetBackup clients in a DMZ to send web
service requests to the primary server. The NetBackup media server forms an HTTP
tunnel that forwards the web service request from the NetBackup client to the
primary server. The further web service communication uses Secure Socket Layer
(SSL).

Note: The port number 1556 on the media server must be accessible by the
NetBackup client for sending web service requests.
 NetBackup CA and NetBackup certificates 353
About the communication between a NetBackup client located in a demilitarized zone and a primary server
through an HTTP tunnel

Figure 18-2 NetBackup client and primary server communication in a DMZ

setup

Private Network
Master server

One-way Media server

communication
(HTTP tunnel)

Internal Firewall

Demilitarized zone
NetBackup client Or
Restricted Network

External Firewall

In a single domain or multi-domain environment, when the NetBackup client in a

DMZ tries to send a web service connection request to the primary server, it follows
a particular sequence::

Table 18-8 Sequence to send a connection request

Sequence Description

1. The NetBackup client tries to send the In a DMZ, the web service connection request
connection request directly to the primary might not succeed.
server.
 NetBackup CA and NetBackup certificates 354
About the communication between a NetBackup client located in a demilitarized zone and a primary server
through an HTTP tunnel

Table 18-8 Sequence to send a connection request (continued)

Sequence Description

2. If the direct connection fails, then the client

checks if a media server is specified to use
HTTP tunneling to send the web service
connection request to the primary server.

3. If a media server is not specified, then the
client refers to a list of media servers that is
available in the NetBackup configuration and
uses them for sending web service
connection requests.
NetBackup client maintains an internal cache
file (websvctunnels.cache) that contains
a list of media servers that are automatically
updated based on previous successful
connections. The cache file is available in the
same location as the bp.conf file for both
Windows and UNIX.

Additional information
■ The following additional options are available for configuring the HTTP Tunnel
feature:
■ WEB_SERVER_TUNNEL_USE - You can use this option on the NetBackup
clients to configure the default communication behavior using the HTTP
Tunnel.
■ WEB_SERVER_TUNNEL_ENABLE - By default, HTTP Tunnel is enabled
on the media server. You can use this option on the media servers to disable
the HTTP Tunnel feature.
For more information, refer to the NetBackup Administrator's Guide Volume I.
■ If your NetBackup client configuration does not contain information about the
media servers in the domain, run the nbsetconfig command on the primary
server. The registry on a Windows client or the bp.conf file on a UNIX client
includes the primary and the media servers that the client selects to send
connection and web service requests.
■ If you use the nbcertcmd -getCertificate command on the NetBackup client
in a DMZ, and if you see one of the following errors:
■ EXIT STATUS 5955: The host name is not known to the primary server.
■ EXIT STATUS 5954: The host name could not be resolved to the requesting
host's IP address.
Use a token to deploy the security certificate because the primary server cannot
match the IP address of the HTTP tunnel to the identity of the host that requests
the certificate.
 NetBackup CA and NetBackup certificates 355
Adding a NetBackup host manually

■ NetBackup audit report lists the media server as the user if an HTTP tunnel is
used to send a certificate request to the primary server.

Adding a NetBackup host manually

It is not recommended to manually add a host in the host database except for
specific scenarios. For example, you may need to manually add a host when you
recover a Bare Metal Restore (BMR) client to other NetBackup domain using Auto
Image Replication (AIR).
For more information about Bare Metal Restore, refer to the NetBackup Bare Metal
Restore Administrator's Guide.

Note: Before adding a host, you must ensure that the host entry that you want to
add does not already exist in the host database.
You can add a host using the command-line interface only.

To add a host in the host database using the command-line interface

1 Run the following command to authenticate your web services login on the
primary server:
bpnbat -login -loginType WEB

2 Run the following command to add a host:

nbhostmgmt -addhost -host host name -server primary server

Migrating NetBackup CA
In certain scenarios, you may need to migrate your existing NetBackup certificate
authority (CA) hierarchy to a new one. NetBackup supports migrating the existing
NetBackup CA. This chapter provides information on the NetBackup CA migration
process.
NetBackup security certificates that are used to authenticate NetBackup hosts
conform to the X.509 Public Key Infrastructure (PKI) standard. A NetBackup primary
server acts as the certificate authority (CA) and issues digital certificates to hosts.
NetBackup uses the NetBackup authentication daemon (NBATD) as its PKI provider.
NBATD and its client implementation generate the RSA private key that is used for
authentication.
NetBackup now supports certificate authorities with the following key strengths:
2048 bits, 3072 bits, 4096 bits, 8192 bits, and 16384 bits.
 NetBackup CA and NetBackup certificates 356
Migrating NetBackup CA

Note: After NetBackup primary server installation or upgrade, by default a new root
CA with 2048-bits key strength is deployed. With upgrade, you need to migrate the
existing CA to a new CA.

Table 18-9 NetBackup CA migration procedures for various use cases

Use case Description

When you need a NetBackup CA See “Setting the required key strength before installation
with a key strength other than the or upgrade using the NB_KEYSIZE environment
default one (2048 bits) variable” on page 357.

See “Manually migrating NetBackup CA after installation

or upgrade” on page 359.

When you want to migrate the See “Migrating NetBackup CA when the entire
existing NetBackup CA after the NetBackup domain is upgraded” on page 357.
entire NetBackup domain is
upgraded to 8.3

The NetBackup CA migration process comprises the following phases:

1. Initiating NetBackup CA migration

Note: Run the following command:

vssat setuptrust --broker nb_master_server_name:1556:nbatd
--securitylevel high

For information about commands, see the NetBackup Commands Reference

Guide.
The vssat command resides at the following location:

Windows INSTALL_PATH\NetBackup\sec\at\bin\vssat

UNIX /usr/openv/netbackup/sec/at/bin

2. Activating the new NetBackup CA

3. Completing NetBackup CA migration
4. Decommissioning the old NetBackup CA

Note: Decommissioning the old NetBackup CA is an optional clean-up task.

 NetBackup CA and NetBackup certificates 357
Migrating NetBackup CA

See the video NetBackup CA migration for details.

Setting the required key strength before installation or upgrade using

the NB_KEYSIZE environment variable
After NetBackup installation or upgrade, by default a new root CA with 2048-bits
key strength is deployed. If you want a larger key strength, you can set an
environment variable to a value larger than 2048 bits before installation or upgrade.
To have a NetBackup CA with a key strength larger than 2048 bits
1 Set the NB_KEYSIZE environment variable on the primary server before you
start NetBackup installation or upgrade.
For example: NB_KEYSIZE = 4096
The NB_KEYSIZE environment variable can have the following values: 2048,
3072, 4096, 8192, or 16384.

Note: If the FIPS mode is enabled on the primary server, you can specify only
2048 and 3072 bits as a value for the NB_KEYSIZE environment variable.

Caution: You should carefully choose the key size for your environment.
Choosing a large key size may reduce performance. A key size of 2048 offers
security for most use cases.

2 Install or upgrade NetBackup on hosts.

In case of upgrade, continue with the CA migration.
See “Migrating NetBackup CA when the entire NetBackup domain is upgraded”
on page 357.

Migrating NetBackup CA when the entire NetBackup domain is

upgraded
With NetBackup 8.3 upgrade, by default a new root CA with 2048 bits key strength
is deployed and the CA migration process is automatically initiated. You can also
set the NB_KEYSIZE environment variable to a value larger than 2048 bits before
installation or upgrade.
See “Setting the required key strength before installation or upgrade using the
NB_KEYSIZE environment variable” on page 357.
 NetBackup CA and NetBackup certificates 358
Migrating NetBackup CA

Note: If you have media servers earlier than NetBackup 8.2 that are configured as
cloud storage servers, the CA migration process is not initiated. Ensure that all
NetBackup hosts are upgraded to 8.3 or later for successful host communication.

When all hosts in your NetBackup domain are upgraded to NetBackup 8.3 or later,
use the following procedure to complete the CA migration process:
To migrate NetBackup CA when all hosts are upgraded to NetBackup 8.3
1 Run the following command to ensure that all hosts have the new CA certificates
in their trust stores.
nbseccmd -nbcaMigrate -hostsPendingTrustPropagation

2 Ensure that the command returns zero (0) hosts as the output.
For information about commands, see the NetBackup Commands Reference
Guide.
3 Warning: If one or more NetBackup hosts are at 8.2 or earlier versions, backups
of such hosts fail after activation. Therefore, you must ensure that all NetBackup
hosts in the domain are upgraded to 8.3 before activating the new CA.

Run the following command to activate the new CA that can start issuing
NetBackup certificates going forward:
nbseccmd -nbcaMigrate -activateNewCA

4 Run the following command to ensure that all hosts have certificates that the
new CA has renewed:
nbseccmd -nbcaMigrate -hostsPendingRenewal

Ensure that the command returns zero (0) hosts as the output.
5 Restart the NetBackup Messaging Broker (nbmqbroker) service on this host.
6 Run the following command to complete the CA migration process:
nbseccmd -nbcaMigrate -completeMigration

7 After completing the NetBackup CA migration process and ensuring that the
hosts use certificates that the new CA has issued, you can safely decommission
the old NetBackup CA.
This clean-up task is optional.
See “Decommissioning the inactive NetBackup CA ” on page 361.
 NetBackup CA and NetBackup certificates 359
Migrating NetBackup CA

Manually migrating NetBackup CA after installation or upgrade

With fresh NetBackup installation or upgrade, by default a new root CA with 2048-bits
key strength is deployed. However, if you want to use a CA with a different key size
or move to a new CA after installation or upgrade, you should manually initiate the
CA migration process.
See “Setting the required key strength before installation or upgrade using the
NB_KEYSIZE environment variable” on page 357.
To migrate NetBackup CA after installation or upgrade
1 Run the following command to initiate the CA migration process:
nbseccmd -nbcaMigrate -initiateMigration -keysize key_value

A new NetBackup CA is deployed with this command.

For information about commands, see the NetBackup Commands Reference
Guide.
2 Run the following command to reissue certificates to the host.
nbcertcmd -reissueCertificates

3 Stop the NetBackup Web Management Console (nbwmc) service before

reissuing the certificate to the NetBackup web server.
4 Run the following command to reissue the certificate to the NetBackup web
server:
configureCerts -renew_webserver_keys

5 Start the nbwmc service.

6 Run the following command to ensure that all hosts have the new CA certificates
in their trust stores.
nbseccmd -nbcaMigrate -hostsPendingTrustPropagation

7 Ensure that the command returns zero (0) hosts as the output.
8 Warning: If one or more NetBackup hosts are at 8.2 or earlier versions, backups
of such hosts fail after activation. Therefore, you must ensure that all NetBackup
hosts in the domain are upgraded to 8.3 before activating the new CA.

Run the following command to activate the new CA that can start issuing
NetBackup certificates going forward:
nbseccmd -nbcaMigrate -activateNewCA
 NetBackup CA and NetBackup certificates 360
Migrating NetBackup CA

9 Run the following command to renew host certificates using the new CA.
nbcertcmd -renewCertificate

10 Run the following command to ensure that all hosts have certificates that the
new CA has renewed:
nbseccmd -nbcaMigrate -hostsPendingRenewal

Ensure that the command returns zero (0) hosts as the output.
11 Restart the NetBackup Messaging Broker (nbmqbroker) service on this host.
12 Run the following command to complete the CA migration process:
nbseccmd -nbcaMigrate -completeMigration

13 After completing the NetBackup CA migration process and ensuring that the
hosts use certificates that the new CA has issued, you can safely decommission
the old NetBackup CA.
This clean-up task is optional.
See “Decommissioning the inactive NetBackup CA ” on page 361.

Establishing communication with clients that do not have new CA

certificates after CA migration
In certain scenarios, for example network issue, NetBackup clients may be
unreachable during NetBackup CA migration. Such clients may not have new CA
certificates and communication with such clients may fail.
To successfully communicate with NetBackup clients that were unreachable
during CA migration
1 Run the following command on the client to get certificate:
nbcertcmd -getcacertificate -server master_server_name

2 Run the following command on the client to renew certificates:

nbcertcmd -renewcertificate -server master_server_name

For information about commands, see the NetBackup Commands Reference

Guide.

Viewing a list of NetBackup CAs in the domain

You can view a list of NetBackup CAs that are available in your NetBackup domain.
To view list of NetBackup CAs in the domain
◆ Run the following command:
 NetBackup CA and NetBackup certificates 361
Migrating NetBackup CA

nbseccmd -nbcaList

For information about commands, see the NetBackup Commands Reference Guide.
If you want to view CAs with a specific state - for example, ABANDONED, ACTIVE,
or DECOMMISSIONED - run the following command:
nbseccmd -nbcaList -state CA_state]

Viewing the CA migration summary

You can view the NetBackup CA migration summary at different stages. Information
in the CA migration summary includes the current CA migration status and the
fingerprint of the current certificate-issuing NetBackup CA.
To view the CA migration summary
◆ Run the following command:
nbseccmd -nbcaMigrate -summary

For information about commands, see the NetBackup Commands Reference

Guide.

Decommissioning the inactive NetBackup CA

After completing the NetBackup CA migration process and ensuring that the hosts
use certificates that the new CA has issued, you can safely decommission the old
NetBackup CA.
To decommission the old NetBackup CA
1 Run the following command:
nbseccmd -nbcaMigrate -decommissionCA -fingerprint
certificate_fingerprint

For information about commands, see the NetBackup Commands Reference

Guide.
2 This step is mandatory if your NetBackup domain is enabled for NetBackup
Access Control (NBAC):
Restart the NetBackup services on the primary server.
 Chapter 19
Configuring data-in-transit
encryption (DTE)
This chapter includes the following topics:

■ About the data channel

■ Data-in-transit encryption support

■ Workflow to configure data-in-transit encryption

■ Configure the global data-in-transit encryption setting

■ Configure the DTE mode on a client

■ View the DTE mode of a NetBackup job

■ View the DTE-specific attributes of a NetBackup image and an image copy

■ Configure the DTE mode on the media server

■ Modify the DTE mode on a backup image

■ Media device selection (MDS) and resource allocation

■ How DTE configuration settings work in various NetBackup operations

About the data channel

Data communication consists of the data that is backed up using NetBackup. The
security policies require the Backup Administrators to ensure that the channel on
which NetBackup clients send metadata and data to NetBackup servers be secure.
In NetBackup 10.0 and later, the data and metadata are encrypted over the wire.
This feature is referred to as data channel encryption or data in-transit encryption
(DTE).
 Configuring data-in-transit encryption (DTE) 363
Data-in-transit encryption support

The following channels are classified as data channels:

■ Tar stream - client to media server: Over this channel, the tar / data stream flows
between the client and the media server. During a backup operation, the media
server receives the data from the client and sends it to storage (for example,
an OST plug-in). The direction is reversed during a restore.
■ Tar stream - media server to media server: This channel is used during
duplication.
■ Catalog information - client to media server: Over this channel, the catalog
information and control commands are transferred between the client and the
media server. The amount of data that is transmitted over this channel is
proportional to the number of files and directories that are part of the backup.
The media server sends the catalog information that the client has sent to the
primary server.
■ Catalog information - media server to primary server: Over this channel, the
catalog information is transferred from the media server to the primary server.

Note: In case of fresh NetBackup 10.3 installation, the data in-transit encryption is
set to Preferred On by default. In case of upgrade, the previous setting is retained.
You can configure data in-transit encryption at various levels: global level (primary
server-level) and client level.

Data-in-transit encryption support

Data-in-transit encryption is supported for the following NetBackup data and
metadata operations:
■ Data flow from a client to a media server
■ Data flow from a media server to a client
■ Metadata transfer from a media server to the primary server
■ Data flow from one media server to another during duplication and synthetic
backup
Data-in-transit encryption is not supported for the following NetBackup operations
or communications:
■ Communication between an OST plug-in and the underlying storage provider
is not supported. It includes the following:
■ Communication between NetBackup and cloud storage
 Configuring data-in-transit encryption (DTE) 364
Workflow to configure data-in-transit encryption

■ Communication between NetBackup and the third-party OST providers such

as DataDomain, NetApp, and so on

■ Data-in-transit encryption is not supported for the following MSDP workflows:

■ Optimized Duplication
■ AIR replication
For these two operations, you need to explicitly configure the following option
on both storage servers:
OPTDUP_ENCRYPTION=1
The DTE configuration in NetBackup does not control the data channel between
two storage servers.
■ Communication between NetBackup and workload applications such as VMware,
Hyper-V, Microsoft Exchange, SharePoint, and Nutanix are not supported.
Once the data is transferred from a workload application to NetBackup, it is then
securely transferred over the TLS channel within the NetBackup boundary.
■ NDMP communication
■ SAN client communication
■ Communication with the NBFSD process
The process uses the standard NFS or CIFS protocol.

Workflow to configure data-in-transit encryption

This topic provides the steps to carry out data-in-transit encryption (DTE) in your
NetBackup environment. The DTE configuration comprises the following two primary
options:
■ Global DTE mode
■ Client DTE mode

Table 19-1 Workflow of DTE configuration

Step Step Reference topic

number

Step 1 Review the configuration settings of the See “Configure the global data-in-transit
global DTE mode option and configure encryption setting” on page 365.
the option as per your DTE
requirements
 Configuring data-in-transit encryption (DTE) 365
Configure the global data-in-transit encryption setting

Table 19-1 Workflow of DTE configuration (continued)

Step Step Reference topic

number

Step 2 Review the configuration settings of the See “Configure the DTE mode on a
client DTE mode option and configure client” on page 367.
the option as per your DTE
requirements

Step 3 Review how the decision about data
encryption is made based on the
NetBackup operation that you want to
perform and the DTE configuration
settings.
See “How DTE configuration settings
work in various NetBackup operations”
on page 375.
Note: If you plan to modify any existing
DTE configuration settings, you must
review this topic to understand the
impact on the NetBackup operations.

Apart from the primary DTE configuration settings, the following settings are used
in certain scenarios:
■ Media server DTE mode
See “Configure the DTE mode on the media server” on page 370.
■ Backup image DTE mode
See “Modify the DTE mode on a backup image” on page 371.
See “DTE_IGNORE_IMAGE_MODE for NetBackup servers” on page 372.

Configure the global data-in-transit encryption

setting
To configure the data-in-transit encryption (DTE) in your NetBackup environment,
you need to first set the global DTE configuration setting (or global DTE mode) and
then the client DTE mode.
Data-in-transit encryption decision for various NetBackup operations is carried out
based on the global DTE mode, the client DTE mode, and the image DTE mode.
The supported values for the global DTE mode are as follows:
■ Preferred Off: Specifies that the data-in-transit encryption is disabled in the
NetBackup domain. This setting can be overridden by the NetBackup client
setting.
■ Preferred On: Specifies that the data-in-transit encryption is enabled only for
NetBackup 9.1 and later clients.
 Configuring data-in-transit encryption (DTE) 366
Configure the global data-in-transit encryption setting

In case of fresh NetBackup installation, the global DTE mode is set to Preferred
On by default.
In case of NetBackup upgrade, the previous setting is retained.
This setting can be overridden by the NetBackup client setting.
■ Enforced: Specifies that the data-in-transit encryption is enforced if the
NetBackup client setting is either 'Automatic' or 'On'. With this option selected,
jobs fail for the NetBackup clients that have the data-in-transit encryption set to
'Off' and for the hosts earlier than 9.1.

Note: By default, the DTE mode for 9.1 clients is set to Off and for 10.0 and later
clients, it is set to Automatic.
See “DTE_CLIENT_MODE for clients” on page 367.

RESTful API to be used for the global DTE configuration:

■ GET - /security/properties
■ POST - /security/properties
To set or view the global DTE mode using the NetBackup web UI
1 Sign in to the NetBackup web UI.
2 At the top right, select Security > Global security.
3 On the Secure communication tab, select one of the following global DTE
settings:
■ Preferred Off

■ Preferred On

■ Enforced

To set and view the global DTE mode using the command-line interface
1 Run the following command to set the global DTE mode:
nbseccmd -setsecurityconfig -dteglobalmode 0|1|2

Where the value 0 represents Preferred Off, 1 represents Preferred On,

and 2 represents Enforced.
2 Run the following command to view the value that is set for the global DTE
mode:
nbseccmd -getsecurityconfig -dteglobalmode
 Configuring data-in-transit encryption (DTE) 367
Configure the DTE mode on a client

Configure the DTE mode on a client

The DTE_CLIENT_MODE configuration option specifies the data-in-transit encryption
(DTE) mode that is set on the NetBackup client.
See “DTE_CLIENT_MODE for clients” on page 367.
You can update and view the client DTE mode using the following commands:
bpsetconfig/nbsetconfig and bpgetconfig/nbgetconfig

DTE_CLIENT_MODE for clients

The DTE_CLIENT_MODE option specifies the data-in-transit encryption (DTE) mode
that is set on the NetBackup client.

Table 19-2 DTE_CLIENT_MODE information

Usage Description

Where to use On NetBackup clients.

How to use Use the nbgetconfig and the nbsetconfig commands to view, add,
or change the option.

For information about these commands, see the NetBackup Commands

Reference Guide.

Use the following format:

DTE_CLIENT_MODE = AUTOMATIC | ON | OFF

By default, the DTE mode for 9.1 clients is set to OFF and for 10.0 and later
clients, it is set to AUTOMATIC.

■ If the DTE_CLIENT_MODE option is set to AUTOMATIC, the client follows

the DTE mode that is set at the global level: Enforced, Preferred
On, or Preferred Off.
■ If the option is set to ON, data-in-transit encryption is enabled for the
client.
■ If the option is set to OFF, data-in-transit encryption is disabled for the
client. This setting can be used to exclude a client for encryption if the
global DTE mode is set to Preferred On.
Note: If the global DTE mode is set to Enforced, jobs fail for the
NetBackup clients that have the DTE_CLIENT_MODE option set to 'OFF'
and also for the hosts earlier than 9.1.
 Configuring data-in-transit encryption (DTE) 368
View the DTE mode of a NetBackup job

Table 19-2 DTE_CLIENT_MODE information (continued)

Usage Description

Equivalent No equivalent exists.

NetBackup
Global settings are configured in Settings > Global security > Secure
web UI
communication > Data-in-transit encryption.
property

View the DTE mode of a NetBackup job

Primarily, the global DTE mode and the client DTE mode decide whether the
data-in-transit encryption takes place or not for a NetBackup operation. If the data
is encrypted when a NetBackup job runs, the 'DTE mode' attribute of the job is set
to On.
If the data is not encrypted when a NetBackup job runs, the 'DTE mode' attribute
of the job is set to Off.
RESTful API to view the DTE mode of a job:
■ GET - /admin/jobs
■ GET - /admin/jobs/{jobId}
To view the DTE mode of a job using the NetBackup web UI
1 Sign in to the NetBackup web UI.
2 On the left, select Activity Monitor > Jobs.
You can see the Data-in-transit encryption column that determines the
DTE mode of the job.
To view the DTE mode of a job using the command-line interface
◆ Run the following command:
bpdbjobs -dtemode Off|On

The command lists the jobs according to the DTE mode that is set.

View the DTE-specific attributes of a NetBackup

image and an image copy
Primarily, the global DTE mode and the client DTE mode decide whether the
data-in-transit encryption takes place or not for a backup operation. If the data is
 Configuring data-in-transit encryption (DTE) 369
View the DTE-specific attributes of a NetBackup image and an image copy

encrypted during a backup operation, the DTE mode attribute of the associated
NetBackup image is set to On.
Based on the global DTE mode and the client DTE mode, if the data cannot be
encrypted during a backup operation, the DTE mode attribute of the image is set
to Off.
See “Modify the DTE mode on a backup image” on page 371.
An image copy has two DTE-specific attributes:

Copy DTE mode Specifies whether the data is transferred over a secure
channel when the current image copy is created.

Copy Hierarchical DTE mode Specifies whether the data is transferred over a secure
channel when the current image copy and all its parent
copies in the hierarchy are created.

If the data is transferred over an insecure channel when

one of the parent copies in the hierarchy is created, the
current copy’s hierarchical DTE mode is set to Off.

If the copy hierarchical DTE mode is Off, the copy is

said to be insecure. It indicates that any parent copy in
the hierarchy can be compromised and copying from a
compromised copy is not secure even if the current
copy is generated securely.

Note: The image DTE mode is always shown as Off if the media server that is
involved in the data transfer is earlier than 9.1. Copy DTE and Copy Hierarchical
DTE modes are always shown as Off if the media server that is involved in the
data transfer is earlier than 10.0.

RESTful API to be used to view the image attributes:

■ GET - /catalog/images
■ GET - /catalog/images/{backupId}
 Configuring data-in-transit encryption (DTE) 370
Configure the DTE mode on the media server

To view the DTE attributes of an image and an image copy using the
NetBackup web UI
1 Sign in to the NetBackup web UI.
2 On the left, select Catalog.
When you search for backup images, the image list displays at the bottom of
the screen. The DTE-specific attributes of the image and the image copy -
Image DTE mode, Copy DTE mode, and Copy Hierarchical DTE mode - are
also displayed.
To view the DTE attributes of an image and an image copy using the
command-line interface
◆ Use the following commands: bpimagelist, bpclimagelist and bpimmedia.
For more details on the commands, see the NetBackup Commands Reference
Guide.
To view the DTE attributes of an image using the NetBackup Administration
Console
◆ In the NetBackup Administration Console, see the following reports to verify
the DTE mode (Data-in-transit encryption column) of the image:
■ NetBackup Management > Reports > Images on Media
■ NetBackup Management > Reports > Tape Reports > Images on Tape
■ NetBackup Management > Reports > Disk Reports > Images on Disk

Configure the DTE mode on the media server

The media server setting can be used only to turn off data-in-transit encryption
(DTE) for NetBackup operations.
In a NetBackup configuration where a media server is slow because of the old
hardware, you can turn off the media server DTE mode so that there is no
performance issue. However, it is recommended that you upgrade the old media
server hardware. This setting is available for media servers with NetBackup 10.0
and later.
RESTful API to be used for the global DTE configuration:
■ GET - /config/media-servers/{hostName}
■ PATCH - /config/media-servers/{hostName}
 Configuring data-in-transit encryption (DTE) 371
Modify the DTE mode on a backup image

To set or view the media server DTE mode

1 Ensure that you have an RBAC role with the following permissions on the
media server resource:
■ View
■ Update
■ Manage access
See “ Default RBAC roles” on page 136.
2 Run the following command to set the media server DTE mode:
nbseccmd -setsecurityconfig -dtemediamode off|on -mediaserver
media_server_name

3 Run the following command to view the media server DTE mode:
nbseccmd -getsecurityconfig -dtemediamode -mediaserver
media_server_name

Note: For 9.1 media servers, you can only view the DTE mode as On, but you
cannot set it.

Modify the DTE mode on a backup image

The data-in-transit (DTE) feature of NetBackup introduces an additional image
attribute (DTE mode) when a backup image is created.
Primarily, the global DTE mode and the client DTE mode decide whether the
data-in-transit encryption takes place or not for a NetBackup operation. If the data
is encrypted during backup, the DTE mode attribute of the associated NetBackup
image is set to On.
If based on the global DTE mode and the client DTE mode, the data cannot be
encrypted during backup, the DTE mode attribute of the image is set to Off.
The image DTE mode should be honored and retained for all subsequent operations
on that image. For example, restore and secondary operations like duplication,
replication, import and so on. If the image DTE mode is set to On, subsequent
operations always encrypt the data for DTE supported hosts.
If the host does not support DTE, then the job fails. If the image DTE mode is set
to Off, the DTE for subsequent operations is decided based on the global and client
DTE modes at that point of time. This is the default behavior.
 Configuring data-in-transit encryption (DTE) 372
Modify the DTE mode on a backup image

In certain cases, you may want to modify the image DTE mode that was set at the
time of its creation.
RESTful API to be used to modify the image DTE mode:
■ PATCH - /catalog/images/{backupId}
To modify the image DTE mode
◆ Run the following command:
bpimage -update -image_dtemode Off|On

You can also change the image DTE mode using the NetBackup Web UI >
Catalog node.
See “DTE_IGNORE_IMAGE_MODE for NetBackup servers” on page 372.
See “View the DTE-specific attributes of a NetBackup image and an image copy”
on page 368.

DTE_IGNORE_IMAGE_MODE for NetBackup servers

Use the DTE_IGNORE_IMAGE_MODE option if you do not want the data to be encrypted
even if the data-in-transit encryption (DTE) mode of the backup image is enabled.
The DTE_IGNORE_IMAGE_MODE option is applicable for all backup images.

Table 19-3 DTE_IGNORE_IMAGE_MODE information

Usage Description

Where to use On NetBackup servers.

 Configuring data-in-transit encryption (DTE) 373
Media device selection (MDS) and resource allocation

Table 19-3 DTE_IGNORE_IMAGE_MODE information (continued)

Usage Description

How to use Use the nbgetconfig and the nbsetconfig commands to

view, add, or change the option.

For information about these commands, see the NetBackup

Commands Reference Guide.

Use the following format:

DTE_IGNORE_IMAGE_MODE = NEVER | ALWAYS |

WHERE_UNSUPPORTED

The default value of the DTE_IGNORE_IMAGE_MODE option is

NEVER.

■ NEVER - Use this option to specify that the data-in-transit

encryption takes place based on the DTE mode of the
image.
■ ALWAYS - Use this option to specify that the DTE mode of
the image is always ignored during data-in-transit encryption
irrespective of whether the NetBackup host supports the
encryption or not. Data-in-transit encryption takes place
based on the global DTE mode and client DTE mode.
■ WHERE_UNSUPPORTED - Use this option if you have
NetBackup hosts earlier than 9.1 in your environment and
you do not want the jobs to fail for these hosts when the
DTE mode is enabled for the image. With this configuration,
data-in-transit encryption happens based on the global and
client DTE mode settings. The image DTE mode is ignored.

Equivalent NetBackup web No equivalent exists.

UI property

Media device selection (MDS) and resource

allocation
Based on the global DTE mode, client DTE mode, media server DTE mode, and
image DTE mode, the resources are allocated.
For dynamic storage units, like MSDP or Storage Unit Group, a media server with
the DTE mode On is preferred if that is a requirement for the job.
 Configuring data-in-transit encryption (DTE) 374
Media device selection (MDS) and resource allocation

Note: For Snapshot Manager backup and recovery work flows, if DTE is required
to be On, you need to ensure that DTE is configured to be On for each media server
that is configured for the respective storage unit.

If the job demands a media server with the DTE mode On, but such a media server
is not available, NetBackup falls back on the original resource allocation decisions.
In such cases, it is possible that the job goes ahead and sees a failure later on
during job execution (in nbjm or bprd or other such daemons and CLIs), where
NetBackup the DTE is required by media server.
The following process describes how the media device selection and DTE validations
take place:
1 In case of a backup operation, directly go to step 2. For any other operations
such as restore, duplication, replication, import, verify, the source image DTE
mode is taken into consideration:
■ If the DTE mode of an image is ON, the media server DTE media server is
ON, irrespective of any other DTE configuration.

■ If DTE mode of an image is OFF, check for global, client and media server
DTE modes.

2 If the global DTE setting is ENFORCED, then a DTE enabled media server is
preferred.
3 If the global DTE setting is PREFERRED ON or PREFERRED OFF, a client DTE
mode is taken into consideration.
■ If the client DTE mode is ON – DTE enabled media server is preferred.
■ If the client DTE mode is OFF – any available media server can be selected.
■ If the client DTE mode is Automatic – the decision is made based on the
global DTE setting. It means if the global DTE setting is set to PREFERRED
OFF, select any available media server, else select the DTE enabled media
server.

During resource allocation, many parameters play an important role. Following are
the special conditions:
■ If the client name is blank, it signifies a secondary operation such as duplication,
replication, import, verify and so on. The image DTE mode or global DTE mode
are honored.
■ If the client name is not blank, however it is not present in the host database as
the client is earlier than 8.0, the client does not support DTE. Hence, any media
server can be selected.
 Configuring data-in-transit encryption (DTE) 375
How DTE configuration settings work in various NetBackup operations

■ After the global and client DTE settings, media server's version and its DTE
setting are checked:
■ NetBackup 9.1 and later media servers are by default DTE capable and DTE
enabled.

■ DTE_IGNORE_IMAGE_MODE setting (for any secondary operations based on an

image)
■ If the image DTE mode is ON, and if the DTE_IGNORE_IMAGE_MODE option is
applied, the global, client, and media server settings are used for the media
server selection.

How DTE configuration settings work in various

NetBackup operations
This topic provides information on how you can change the DTE configuration
settings to achieve the required data-in-transit encryption with respect to various
NetBackup operations.
Review the following reference topics before you modify any DTE configuration
settings.
The following tables show how DTE setting (unencrypted or encrypted) is decided
for a certain NetBackup workflow under different NetBackup configurations along
with DTE configuration settings.

Backup
In the backup workflow, data is transferred between a media server and a client as
part of a backup job.
 Configuring data-in-transit encryption (DTE) 376
How DTE configuration settings work in various NetBackup operations

Figure 19-1 Backup workflow

Table 19-4 The media server DTE mode is On (default)

Global DTE DTE mode of NetBackup client 9.1 or later NetBackup host
mode (media server or
On Off Automatic client) earlier
than 9.1

Preferred Off Data is encrypted Data is not encrypted Data is not encrypted Data is not encrypted

Preferred On Data is encrypted Data is not encrypted Data is encrypted Data is not encrypted

Enforced Data is encrypted Operation fails Data is encrypted Operation fails

Table 19-5 The media server DTE mode is Off (default)

Global DTE DTE mode of NetBackup client 9.1 or later NetBackup host
mode (media server or
On Off Automatic client) earlier
than 9.1

Preferred Off Operation fails Data is not encrypted Data is not encrypted Data is not
encrypted
 Configuring data-in-transit encryption (DTE) 377
How DTE configuration settings work in various NetBackup operations

Table 19-5 The media server DTE mode is Off (default) (continued)

Global DTE DTE mode of NetBackup client 9.1 or later NetBackup host
mode (media server or
On Off Automatic client) earlier
than 9.1

Preferred On Operation fails Data is not encrypted Data is not encrypted Data is not
encrypted

Enforced Operation fails Operation fails Operation fails Operation fails

Restore
In the restore workflow, there can be two DTE scenarios:
■ When the image DTE mode is Off
■ When the image DTE mode is On
In either of the scenarios, there can be one or more media servers involved (if
multiple images are selected) while restoring data on a client for single NetBackup
job.

Image DTE mode is Off

Table 19-6 Media server DTE mode is On (default)

Global DTE mode DTE mode of NetBackup client 9.1 or later NetBackup host
(media server or
On Off Automatic client) earlier
than 9.1

Preferred Off Data is encrypted Data is not encrypted Data is not encrypted Data is not encrypted

Preferred On Data is encrypted Data is not encrypted Data is encrypted Data is not encrypted

Enforced Data is encrypted Operation fails Data is encrypted Operation fails

Table 19-7 Media server DTE mode is Off

Global DTE mode DTE mode of NetBackup client 9.1 or later NetBackup host
(media server or
On Off Automatic client) earlier
than 9.1

Preferred Off Operation fails Data is not encrypted Data is not encrypted Data is not encrypted

Preferred On Operation fails Data is not encrypted Data is not encrypted Data is not encrypted
 Configuring data-in-transit encryption (DTE) 378
How DTE configuration settings work in various NetBackup operations

Table 19-7 Media server DTE mode is Off (continued)

Global DTE mode DTE mode of NetBackup client 9.1 or later NetBackup host
(media server or
On Off Automatic client) earlier
than 9.1

Enforced Operation fails Operation fails Operation fails Operation fails

Table 19-8 Mixed media servers (9.1 and 10.0 or later) - Media1: DTE mode
On, Media2: DTE mode Off

Global DTE DTE mode of NetBackup client 9.1 or later NetBackup host
mode (media server or
On Off Automatic client) earlier than
9.1

Preferred Off Media1 - Data is Media1- Data is not Media1- Data is not Media1- Data is not
encrypted encrypted encrypted encrypted

Media2 - Operation fails Media2 - Data is not Media2 - Data is not Media2 - Data is not
encrypted encrypted encrypted
Job state - Partial
Success

Job DTE mode - On

Preferred On Media1- Data is Media1- Data is not Media1 - Data is Media1- Data is not
encrypted encrypted encrypted encrypted

Media2- Operation fails Media2 - Data is not Media2 - Data is not Media2 - Data is not
encrypted encrypted encrypted
Job state - Partial
Success Job DTE mode - Off

Job DTE mode - On

Enforced Media1 - Data is Media1 - Operation fails Media1 - Data is Media1 - Operation
encrypted encrypted fails
Media2 - Operation fails
Media2 - Operation fails Media2 - Operation Media2 - Operation
Job state - Fail
fails fails
Job state - Partial
Success Job state - Partial Job state - Operation
Success fails
Job DTE mode - On
Job DTE mode - On

Image DTE mode is On

If the image DTE mode is On, the default behavior is to restore with data-in-transit
encryption for 9.1 and later hosts and to fail the job if any DTE unsupported host
 Configuring data-in-transit encryption (DTE) 379
How DTE configuration settings work in various NetBackup operations

involves in the workflow . However, you can still restore by ignoring the image DTE
mode.
Use the DTE_IGNORE_IMAGE_MODE configuration option that is to be set on the primary
server. Possible values: NEVER (default) | ALWAYS | WHERE_UNSUPPORTED

Table 19-9 When the image DTE mode is On and the media server DTE
mode is On

Global DTE Host Value of the DTE_IGNORE_IMAGE_MODE configuration

mode option

NEVER (default) WHERE_UNSUPPORTED ALWAYS

Preferred Off NetBackup client 9.1 or later Data is encrypted Data is encrypted Data is encrypted
with DTE mode ON

NetBackup client 9.1 or later Operation fails Operation fails Data is not
with DTE mode OFF encrypted

NetBackup client 9.1 or later Data is encrypted Data is encrypted Data is not
with DTE mode AUTOMATIC encrypted

NetBackup host earlier than Operation fails Data is not encrypted Data is not
9.1 (either media server or encrypted
client)

Preferred On NetBackup client 9.1 or later Data is encrypted Data is encrypted Data is encrypted
with DTE mode ON

NetBackup client 9.1 or later Operation fails Operation fails Data is not
with DTE mode OFF encrypted

NetBackup client 9.1 or later Data is encrypted Data is encrypted Data is encrypted
with DTE mode AUTOMATIC

NetBackup host earlier than Operation fails Data is not encrypted Data is not
9.1 (either media server or encrypted
client)
 Configuring data-in-transit encryption (DTE) 380
How DTE configuration settings work in various NetBackup operations

Table 19-9 When the image DTE mode is On and the media server DTE
mode is On (continued)

Global DTE Host Value of the DTE_IGNORE_IMAGE_MODE configuration

mode option

NEVER (default) WHERE_UNSUPPORTED ALWAYS

Enforced NetBackup client 9.1 or later Data is encrypted Data is encrypted Data is encrypted
with DTE mode ON

NetBackup client 9.1 or later Operation fails Operation fails Operation fails
with DTE mode OFF

NetBackup client 9.1 or later Data is encrypted Data is encrypted Data is encrypted
with DTE mode AUTOMATIC

NetBackup host earlier than Operation fails Operation fails Operation fails
9.1 (either media server or
client)

Table 19-10 When the image DTE mode is On and the DTE setting on 10.0
and later media server is Off

Global DTE Host Value of the DTE_IGNORE_IMAGE_MODE configuration option

mode
NEVER (default) WHERE_UNSUPPORTED ALWAYS

Preferred Off NetBackup Client 9.1 or Operation fails Operation fails Operation fails
later with DTE mode ON

NetBackup Client 9.1 or Operation fails Operation fails Data is not

later with DTE mode OFF encrypted

NetBackup Client 9.1 or Operation fails Operation fails Data is not

later with DTE mode encrypted
AUTOMATIC

NetBackup host earlier Operation fails Data is not encrypted Data is not
than 9.1 (either media encrypted
server or client)
 Configuring data-in-transit encryption (DTE) 381
How DTE configuration settings work in various NetBackup operations

Table 19-10 When the image DTE mode is On and the DTE setting on 10.0
and later media server is Off (continued)

Global DTE Host Value of the DTE_IGNORE_IMAGE_MODE configuration option

mode
NEVER (default) WHERE_UNSUPPORTED ALWAYS

Preferred On NetBackup Client 9.1 or Operation fails Operation fails Operation fails
later with DTE mode ON

NetBackup Client 9.1 or Operation fails Operation fails Data is not

later with DTE mode OFF encrypted

NetBackup Client 9.1 or Operation fails Operation fails Data is not

later with DTE mode encrypted
AUTOMATIC

NetBackup host earlier Operation fails Data is not encrypted Data is not
than 9.1 (either media encrypted
server or client)

Enforced NetBackup Client 9.1 or Operation fails Operation fails Operation fails
later with DTE mode ON

NetBackup Client 9.1 or Operation fails Operation fails Operation fails

later with DTE mode OFF

NetBackup Client 9.1 or Operation fails Operation fails Operation fails

later with DTE mode
AUTOMATIC

NetBackup host earlier Operation fails Operation fails Operation fails

than 9.1 (either media
server or client)

Note: If the DTE_IGNORE_IMAGE_MODE is set to ALWAYS, the DTE decision is as per

the table - Table 19-7.

MSDP backup, restore, and optimized duplication

Data-in-transit encryption (DTE) feature is now integrated with MSDP storage server
for backup and restore workflows.
For backup on MSDP disk pool, the encryption of data path from client to media
server is controlled by the NetBackup DTE settings (global and client DTE modes).
If the MSDP storage server has multiple load balancing media servers attached to
it and if the selected media server is 10.0.0.1 or later, the storage server must be
 Configuring data-in-transit encryption (DTE) 382
How DTE configuration settings work in various NetBackup operations

10.0.0.1 or later. Else, backup job fails. You must upgrade the 10.0 storage server
to 10.0.0.1. If the load balancing media server is 10.0 or earlier, the data may be
transferred in plain text and job is always successful, even if DTE was to be honored.
Ideally, you must have load balancing media servers and storage servers with
10.0.0.1 or later when DTE is enabled.
These given conditions are also valid for the optimized duplication workflow.
In case of mixed environment, where either storage server or one of the load
balancing media servers is earlier than 10.0, the following configuration will be
required in order to honor an end-to-end encryption:
■ DTE should be enabled from NetBackup side based on DTE configurations i.e.
Global/Media Server/Client Settings
■ Encryption should be enabled from MSDP side using ENCRYPTION flag in
pd.conf
See the NetBackup Deduplication Guide for details on enabling the encryption
using MSDP.

Note: If data-in-transit encryption is enabled in NetBackup and the ENCRYPTION

flag in pd.conf is also enabled, MSDP encryption takes the precedence over
NetBackup DTE. It results into data-at-rest encryption and not in data-in-transit
encryption.

Universal-Share policy backup

For Universal-Share policy type, client selection can either be storage server name
where the Universal Share resides or the host name where the Universal Share is
mounted. So the client for this policy type can be a host where the NetBackup client
software is not installed.
Because of this limitation, NetBackup cannot check the client DTE mode. It checks
for the global and media server DTE modes for Universal-Share policy backup and
works as per the following table:

Table 19-11 DTE for Universal-Share policy backup

Global DTE mode DTE mode of media server 9.1 or later Media server earlier
than 9.1
On Off

Preferred Off Data is not encrypted Data is not encrypted Data is not encrypted

Preferred On Data is encrypted Data is not encrypted Data is not encrypted

 Configuring data-in-transit encryption (DTE) 383
How DTE configuration settings work in various NetBackup operations

Table 19-11 DTE for Universal-Share policy backup (continued)

Global DTE mode DTE mode of media server 9.1 or later Media server earlier
than 9.1
On Off

Enforced Data is encrypted Operation fails Operation fails

Catalog backup and recovery

Media server should be of the same NetBackup version as the primary server for
catalog backup and recovery workflow.
Review the following points:
■ DTE mode for catalog backup jobs is similar to the file system workflow and
DTE decision is similar to the backup workflow described above.
■ DTE mode in catalog backup jobs:
■ Parent catalog backup job does not have DTE mode set.
■ Database staging child job does not have DTE mode set.
■ Other two child jobs have DTE mode set as per the configured DTE settings.

■ DTE mode in catalog recovery jobs:

■ First 2 jobs have the DTE mode set as per the following tables depending
on the image DTE mode.
■ The first two jobs replace the global DTE setting and primary server's bp.conf
values, so the 3rd job DTE mode is set as per the recovered global DTE
setting and primary server's bp.conf values.

The image DTE mode is Off

Table 19-12 When the image DTE mode is Off and the media server DTE
setting is On

Global DTE mode NetBackup Primary server 9.1 and later with DTE mode

On Off Automatic

Preferred Off Data is encrypted Data is not encrypted Data is not encrypted

Preferred On Data is encrypted Data is not encrypted Data is encrypted

Enforced Data is encrypted Data is encrypted Data is encrypted

 Configuring data-in-transit encryption (DTE) 384
How DTE configuration settings work in various NetBackup operations

Note: When the global DTE setting is set to ENFORCED and the DTE_CLIENT_MODE
is Off, DTE is preferred over failure in case of catalog recovery.

Table 19-13 When the image DTE mode is Off and the media server DTE
setting is Off

Global DTE mode NetBackup Primary server 9.1 and later with DTE mode

On Off Automatic

Preferred Off Data is encrypted * Data is not encrypted Data is not encrypted

Preferred On Data is encrypted * Data is not encrypted Data is not encrypted

Enforced Data is encrypted * Data is encrypted * Data is encrypted *

* signifies that DTE is preferred over failure during catalog recovery. It ignores the
DTE setting on the media server, that is Off unless the client DTE mode is set to
Automatic.

The image DTE mode is On

Table 19-14 When the image DTE mode is On and the media server DTE
setting is On

Global DTE Host Value of the DTE_IGNORE_IMAGE_MODE configuration

mode option

NEVER (default) WHERE_UNSUPPORTED ALWAYS

Preferred Off Primary server with Data is encrypted Data is encrypted Data is encrypted
DTE_CLIENT_MODE as
ON

Primary server with Data is encrypted Data is encrypted Data is not

DTE_CLIENT_MODE as encrypted
OFF

Primary server with Data is encrypted Data is encrypted Data is not

DTE_CLIENT_MODE as encrypted
AUTOMATIC
 Configuring data-in-transit encryption (DTE) 385
How DTE configuration settings work in various NetBackup operations

Table 19-14 When the image DTE mode is On and the media server DTE
setting is On (continued)

Global DTE Host Value of the DTE_IGNORE_IMAGE_MODE configuration

mode option

NEVER (default) WHERE_UNSUPPORTED ALWAYS

Preferred On Primary server with Data is encrypted Data is encrypted Data is encrypted
DTE_CLIENT_MODE as
ON

Primary server with Data is encrypted Data is encrypted Data is not

DTE_CLIENT_MODE as encrypted
OFF

Primary server with Data is encrypted Data is encrypted Data is encrypted

DTE_CLIENT_MODE as
AUTOMATIC

Enforced Primary server with Data is encrypted Data is encrypted Data is encrypted
DTE_CLIENT_MODE as
ON

Primary server with Data is encrypted Data is encrypted Data is encrypted

DTE_CLIENT_MODE as
OFF

Primary server with Data is encrypted Data is encrypted Data is encrypted

DTE_CLIENT_MODE as
AUTOMATIC

Note: If DTE_IGNORE_IMAGE_MODE is set to ALWAYS, the DTE decision is as per the

table - Table 19-12.
 Configuring data-in-transit encryption (DTE) 386
How DTE configuration settings work in various NetBackup operations

Table 19-15 When the image DTE mode is On and the media server DTE
setting is Off

Global DTE Host Value of the DTE_IGNORE_IMAGE_MODE configuration

mode option

NEVER WHERE_UNSUPPORTED ALWAYS

(default)

Preferred Off Primary server with Data is encrypted Data is encrypted * Data is encrypted
DTE_CLIENT_MODE as ON * *

Primary server with Data is encrypted Data is encrypted * Data is not

DTE_CLIENT_MODE as * encrypted
OFF

Primary server with Data is encrypted Data is encrypted * Data is not

DTE_CLIENT_MODE as * encrypted
AUTOMATIC

Preferred On Primary server with Data is encrypted Data is encrypted * Data is encrypted
DTE_CLIENT_MODE as ON * *

Primary server with Data is encrypted Data is encrypted * Data is not

DTE_CLIENT_MODE as * encrypted
OFF

Primary server with Data is encrypted Data is encrypted * Data is not

DTE_CLIENT_MODE as * encrypted
AUTOMATIC

Enforced Primary server with Data is encrypted Data is encrypted * Data is encrypted
DTE_CLIENT_MODE as ON * *

Primary server with Data is encrypted Data is encrypted * Data is encrypted

DTE_CLIENT_MODE as *
OFF

Primary server with Data is encrypted Data is encrypted * Data is encrypted

DTE_CLIENT_MODE as * *
AUTOMATIC

* signifies that DTE is preferred over failure during catalog recovery. It ignores the
DTE setting on the media server, that is Off unless the client DTE mode is set to
Automatic.
 Configuring data-in-transit encryption (DTE) 387
How DTE configuration settings work in various NetBackup operations

Duplication
In the duplication workflow, a backup copy is copied from one storage unit to another
storage unit, so there is no client that comes into picture. The hosts that participate
are source media server and target media server from the same domain.

Table 19-16 The image DTE mode is Off

Global DTE mode Both media servers are 9.1 or later with DTE One of the media servers
mode is earlier than 9.1

On Off

Preferred Off Data is not encrypted Data is not encrypted Data is not encrypted

Preferred On Data is encrypted Data is not encrypted Data is not encrypted

Enforced Data is encrypted Operation fails Operation fails

Table 19-17 When the image DTE mode is On and the media server DTE
setting is On

Global DTE Host Value of the DTE_IGNORE_IMAGE_MODE configuration

mode option

NEVER (default) WHERE_UNSUPPORTED ALWAYS

Preferred Off Both NetBackup media Data is encrypted Data is encrypted Data is not
servers 9.1 or later encrypted

Any NetBackup media Operation fails Data is not encrypted Data is not
server earlier than 9.1 encrypted

Preferred On Both NetBackup media Data is encrypted Data is encrypted Data is encrypted
server 9.1 or later

Any NetBackup media Operation fails Data is not encrypted Data is not
server earlier than 9.1 encrypted

Enforced Both NetBackup media Data is encrypted Data is encrypted Data is encrypted
server 9.1 or later

Any NetBackup media Operation fails Operation fails Operation fails

server earlier than 9.1

Note: If DTE_IGNORE_IMAGE_MODE is set to ALWAYS, the DTE decision is as per the

table - Table 19-16.
 Configuring data-in-transit encryption (DTE) 388
How DTE configuration settings work in various NetBackup operations

Table 19-18 When the image DTE mode is On and the media server DTE
setting on 10.0 or later is Off

Global DTE mode Value of the DTE_IGNORE_IMAGE_MODE configuration option

NEVER WHERE_UNSUPPORTED ALWAYS

Preferred Off Operation fails Operation fails Data is not encrypted

Preferred On Operation fails Operation fails Data is not encrypted

Enforced Operation fails Operation fails Operation fails

Synthetic backup
A synthetic backup can be a synthetic full or a synthetic cumulative backup. The
images that are used to create the synthetic image are known as component images.
For instance, the component images in a synthetic full backup are the previous full
image and the subsequent incremental images. A typical NetBackup backup process
accesses the client to create a backup. A synthetic backup is a backup image
created without using the client. Instead, a synthetic backup process creates a full
or a cumulative incremental image by using previously created backup images
called component images. In the synthetic backup workflow, images are fetched
from different source storage units, synthesized, and copied to a target storage
unit.
The hosts that come into the picture are source media servers and target media
server from the same domain.

Table 19-19 DTE mode is OFF in the image

Global DTE mode All NetBackup media server 9.1 and later Any NetBackup media server
with DTE mode earlier than 9.1

On Off

Preferred Off Data is not encrypted Data is not encrypted Data is not encrypted

Preferred On Data is encrypted Data is not encrypted Data is not encrypted

Enforced Data is encrypted Operation fails Operation fails

 Configuring data-in-transit encryption (DTE) 389
How DTE configuration settings work in various NetBackup operations

Table 19-20 When DTE mode is On for any one of the images and media
server DTE setting is On

Global DTE Host Value of the DTE_IGNORE_IMAGE_MODE configuration

mode option

NEVER WHERE_UNSUPPORTED ALWAYS

(default)

Preferred Off All NetBackup media Data is encrypted Data is encrypted Data is not
server 9.1 or later encrypted

Any NetBackup media Operation fails Data is not encrypted Data is not
server earlier than 9.1 encrypted

Preferred On All NetBackup media Data is encrypted Data is encrypted Data is encrypted
server 9.1 or later

Any NetBackup media Operation fails Data is not encrypted Data is not
server earlier than 9.1 encrypted

Enforced All NetBackup media Data is encrypted Data is encrypted Data is encrypted
server 9.1 or later

Any NetBackup media Operation fails Operation fails Operation fails

server earlier than 9.1

Note: If DTE_IGNORE_IMAGE_MODE is set to ALWAYS, the DTE decision is as per the

table - Table 19-19.

Table 19-21 When the image DTE mode is On and the media server DTE
setting on 10.0 or later is Off

Global DTE mode Value of the DTE_IGNORE_IMAGE_MODE configuration option

NEVER (default) WHERE_UNSUPPORTED ALWAYS

Preferred Off Operation fails Operation fails Data is not encrypted

Preferred On Operation fails Operation fails Data is not encrypted

Enforced Operation fails Operation fails Operation fails

Note: If DTE_IGNORE_IMAGE_MODE is set to ALWAYS, the DTE decision is as per the

table - Table 19-19.

Note:
 Configuring data-in-transit encryption (DTE) 390
How DTE configuration settings work in various NetBackup operations

Verify
In the verification workflow, backup image header is read, and its integrity is checked
with the catalog. Therefore, a client does not come into picture. The hosts that
participate are media server and primary server from the same domain.

Table 19-22 The image DTE mode is Off

Global DTE mode NetBackup media server 9.1 and later with NetBackup media server
DTE mode earlier than 9.1

On Off

Preferred Off Data is not encrypted Data is not encrypted Data is not encrypted

Preferred On Data is encrypted Data is not encrypted Data is not encrypted

Enforced Data is encrypted Operation fails Operation fails

Table 19-23 When the image DTE mode is On and the media server DTE
setting is On

Global DTE DTE mode of Value of the DTE_IGNORE_IMAGE_MODE configuration option

mode NetBackup client
9.1 or later NEVER (default) WHERE_UNSUPPORTED ALWAYS

Preferred Off Media server 9.1 or Data is encrypted Data is encrypted Data is not
later encrypted

Media server earlier Operation fails Data is not encrypted Data is not
than 9.1 encrypted

Preferred On Media server 9.1 or Data is encrypted Data is encrypted Data is encrypted
later

Media server earlier Operation fails Data is not encrypted Data is not
than 9.1 encrypted

Enforced Media server 9.1 or Data is encrypted Data is encrypted Data is encrypted
later

Media server earlier Operation fails Operation fails Operation fails

than 9.1
 Configuring data-in-transit encryption (DTE) 391
How DTE configuration settings work in various NetBackup operations

Table 19-24 When the image DTE mode is On and the media server DTE
setting on 10.0 or later is Off

Global DTE mode Value of the DTE_IGNORE_IMAGE_MODE configuration option

NEVER (default) WHERE_UNSUPPORTED ALWAYS

Preferred Off Operation fails Operation fails Data is not encrypted

Preferred On Operation fails Operation fails Data is not encrypted

Enforced Operation fails Operation fails Operation fails

Import
In the import workflow, backup image is read from the storage unit and the
NetBackup catalog is created. Therefore, a client does not come into picture. The
hosts that participate are the media server and the primary server from the same
domain.

Note: If you want to retain the DTE controls based on the image, you must upgrade
the media servers that are to be used for the import operations to NetBackup 10.0
before you perform the import operation.

The following table is applicable for all import workflows such as phase-1 import,
phase-2 import and Storage Lifecycle Policy (SLP) import.

Table 19-25 DTE mode is OFF in the image

Global DTE Media server 9.1 or later with DTE mode Media server earlier
mode than 9.1
On Off

Preferred Off Data is not encrypted Data is not encrypted Data is not encrypted

Preferred On Data is encrypted Data is not encrypted Data is not encrypted

Enforced Data is encrypted Operation fails Operation fails

 Configuring data-in-transit encryption (DTE) 392
How DTE configuration settings work in various NetBackup operations

Table 19-26 When the image DTE mode is On and the media server DTE
setting is On

Global DTE Host Value of the DTE_IGNORE_IMAGE_MODE configuration option

mode
NEVER (default) WHERE_UNSUPPORTED ALWAYS

Preferred Off NetBackup media Data is encrypted Data is encrypted Data is not
server 9.1 and later encrypted

NetBackup media Data is not Data is not encrypted Data is not

server earlier than 9.1 encrypted encrypted

Preferred On NetBackup media Data is encrypted Data is encrypted Data is encrypted

server 9.1 and later

NetBackup media Data is not Data is not encrypted Data is not

server earlier than 9.1 encrypted encrypted

Enforced NetBackup media Data is encrypted Data is encrypted Data is encrypted

server 9.1 and later

NetBackup media Operation fails Operation fails Operation fails

server earlier than 9.1

Note: For phase-1 import, you need to set DTE_IGNORE_IMAGE_MODE on the media
server to ignore the DTE mode of the image for 9.1 and later media servers.
For phase-1 import scenario, NetBackup media server earlier than 9.1 is not aware
of the DTE mode in the image. If the image was created with the DTE mode set to
On, for phase-1 import, the job does not fail for media servers with version earlier
than 9.1 and the image DTE mode is set to Off in the catalog.

Note: When DTE_IGNORE_IMAGE_MODE is set to ALWAYS, DTE decision is as per

Table 19-25.

Table 19-27 When the image DTE mode is On and the media server DTE
setting on 10.0 or later is Off

Global DTE mode Value of the DTE_IGNORE_IMAGE_MODE configuration option

NEVER (default) WHERE_UNSUPPORTED ALWAYS

Preferred Off Operation fails Operation fails Data is not encrypted

Preferred On Operation fails Operation fails Data is not encrypted

 Configuring data-in-transit encryption (DTE) 393
How DTE configuration settings work in various NetBackup operations

Table 19-27 When the image DTE mode is On and the media server DTE
setting on 10.0 or later is Off (continued)

Global DTE mode Value of the DTE_IGNORE_IMAGE_MODE configuration option

NEVER (default) WHERE_UNSUPPORTED ALWAYS

Enforced Operation fails Operation fails Operation fails

Note: If DTE_IGNORE_IMAGE_MODE is set to ALWAYS, the DTE decision is as per the

table - Table 19-25.

MSDP SLP import at target domain

In this case, the image is already replicated in the target disk pool and now the
intention is to create a catalog out of that image through SLP import policy. As this
operation happens in the target domain and no cross-domain operation happens,
the target DTE global setting comes into the picture.
If the replicated image has the DTE mode On, then irrespective of other DTE
configurations, the import operation is carried out with DTE mode On.
If the replicated image has the DTE mode Off, the DTE mode is derived based on
the target domain global DTE setting and import is carried out based on the derived
DTE mode.
Review the following MSDP limitations that need to be considered for this workflow:
■ If the MSDP storage server has multiple load balancing media servers attached
to it and if the selected media server is 10.0.0.1 or later, the storage server must
be 10.0.0.1 or later. Else, backup job fails. You must upgrade the 10.0 storage
server to 10.0.0.1.
If the load balancing media server is 10.0 or earlier, the data may be transferred
in plain text and job is always successful, even if DTE was to be honored.
Ideally, you must have load balancing media servers and storage servers with
10.0.0.1 or later when DTE is enabled.
■ In case of mixed environment, where either storage server or even one of the
load balancing media servers is of version earlier than 10.0, the following
configuration is required in order to honor end-to-end encryption:
■ DTE should be enabled from NetBackup side based on the DTE configuration
settings - global / media server / client DTE mode
■ Encryption should be enabled from MSDP side using the ENCRYPTION flag
in pd.conf
 Configuring data-in-transit encryption (DTE) 394
How DTE configuration settings work in various NetBackup operations

Refer to the NetBackup Deduplication Guide for details on enabling encryption

using MSDP.

Note: If you set DTE On for NetBackup, but the ENCRYPTION flag in pd.conf is
not enabled, the data path from the load balancing media server to the storage
server is not encrypted. However, the job DTE mode and the image DTE mode
may be On.
If DTE is enabled at the NetBackup side and encryption is enabled from MSDP
side (ENCRYPTION flag in pd.conf), MSDP encryption takes the precedence over
NetBackup DTE. It results in data-at-rest encryption and not data-in-transit
encryption.

Replication
If the MSDP storage server is used for replication, the following considerations need
to be reviewed:
■ The Data-in-transit (DTE) encryption feature is not integrated with MSDP storage
for replication workflows and it is controlled by the OPTDUP_ENCRYPTION flag in
pd.conf.
■ The job DTE mode depends on the image DTE mode or the global DTE setting
of the source domain.
■ The correct values must be set for the DTE configuration settings and the
OPTDUP_ENCRYPTION flag for the source and target domains.

For details on enabling encryption using MSDP, see the NetBackup Deduplication
Guide.

Table 19-28 The image DTE mode is Off

Global DTE mode Media server 9.1 or later with DTE mode Media server earlier than
9.1
On Off

Preferred Off Data is not encrypted Data is not encrypted Data is not encrypted

Preferred On Data is encrypted Data is not encrypted Data is encrypted

Enforced Data is encrypted Operation fails Data is encrypted

 Configuring data-in-transit encryption (DTE) 395
How DTE configuration settings work in various NetBackup operations

Table 19-29 When the image DTE mode is On and media server DTE setting
is On

Global Host Value of the DTE_IGNORE_IMAGE_MODE configuration option

DTE mode
NEVER (default) WHERE_UNSUPPORTED ALWAYS

Preferred Off NetBackup media server Data is encrypted Data is encrypted Data is not
9.1 or later encrypted

NetBackup media server Data is encrypted Data is encrypted Data is not

earlier than 9.1 encrypted

Preferred On NetBackup media server Data is encrypted Data is encrypted Data is encrypted
9.1 or later

NetBackup media server Data is encrypted Data is encrypted Data is encrypted

earlier than 9.1

Enforced NetBackup media server Data is encrypted Data is encrypted Data is encrypted
9.1 or later

NetBackup media server Data is encrypted Data is encrypted Data is encrypted

earlier than 9.1

Note: If DTE_IGNORE_IMAGE_MODE is set to ALWAYS, the DTE decision is as per the

table - Table 19-28.

Table 19-30 When the image DTE mode is On and the media server DTE
setting on 10.0 or later is Off

Global DTE Value of the DTE_IGNORE_IMAGE_MODE configuration option

mode
NEVER (default) WHERE_UNSUPPORTED ALWAYS

Preferred Off Operation fails Operation fails Data is not encrypted

Preferred On Operation fails Operation fails Data is not encrypted

Enforced Operation fails Operation fails Operation fails

Note: If DTE_IGNORE_IMAGE_MODE is set to ALWAYS, the DTE decision is as per the

table - Table 19-28.
 Chapter 20
External CA and external
certificates
This chapter includes the following topics:

■ About external CA support in NetBackup

■ Workflow to use external certificates for NetBackup host communication

■ Configuration options for external CA-signed certificates

■ Limitations of Windows Certificate Store support when NetBackup services are

running in Local Service account context

■ About certificate revocation lists for external CA

■ About certificate enrollment

■ About viewing enrollment status of primary servers

■ Configure an external certificate for the NetBackup web server

■ Configuring the primary server to use an external CA-signed certificate

■ Configuring a NetBackup host (media server, client, or cluster node) to use an

external CA-signed certificate after installation

■ Enrolling an external certificate for a remote host

■ Viewing the certificate authorities that your NetBackup domain supports

■ Viewing external CA-signed certificates in the NetBackup web UI

■ Renewing a file-based external certificate

■ Removing certificate enrollment

 External CA and external certificates 397
About external CA support in NetBackup

■ Disabling the NetBackup CA in a NetBackup domain

■ Enabling the NetBackup CA in a NetBackup domain

■ Disabling an external CA in a NetBackup domain

■ Changing the subject name of an enrolled external certificate

■ About external certificate configuration for a clustered primary server

About external CA support in NetBackup

You can now use X.509 certificates that your trusted certificate authority (CA) has
issued.
NetBackup supports file-based certificates and Windows certificate store as sources
for external certificates for NetBackup hosts. It supports certificates in PEM, DER,
and P7B formats.

Note: NetBackup does not support Windows certificate store as source for the
NetBackup web server certificate.

About the terminology used for certificates in NetBackup

The following terms that are specific to security certificates are used in NetBackup:
■ A certificate authority (CA) other than the NetBackup CA is referred to as an
external CA.
■ Certificates that are issued by a CA other than the NetBackup CA are referred
to as external CA-signed certificates or external certificates.
■ Certificates that the NetBackup CA has issued are referred to as NetBackup
CA-signed certificates or NetBackup certificates.
■ A NetBackup certificate that is used for secure communications over control
channel is also referred to as host ID-based certificate.

Important notes about host certificates

■ A host ID-based certificate is deployed on the primary server during NetBackup
installation. You need to manually configure an external certificate on the primary
server after installation.
See “Configuring the primary server to use an external CA-signed certificate”
on page 424.
■ You can configure an external certificate on a NetBackup host (media server or
client) either during installation or after installation.
 External CA and external certificates 398
About external CA support in NetBackup

See “Configuring a NetBackup host (media server, client, or cluster node) to

use an external CA-signed certificate after installation” on page 427.
■ Host ID-based certificates are required on all NetBackup 8.1 and higher hosts
for enabling mutually authenticated secure communications. Starting 8.2,
NetBackup CA-signed host ID-based certificates can be replaced by external
CA-signed certificates.
In addition to the host ID-based certificate, a host name-based certificate may
need to be deployed on some hosts in domains that have NetBackup Access
Control (NBAC) enabled. The host name-based certificates are issued by the
NetBackup CA.
See “Overview of security certificates in NetBackup” on page 274.

Requirements for external certificate configuration

■ On Windows platform, if external certificates are used for host communication,
the NT AUTHORITY\SYSTEM user must be able to access the certificates that are
located at ECA_CERT_PATH. The ECA_CERT_PATH configuration option is available
in the Windows registry.
■ On Windows platform, Universal Naming Convention (UNC) paths (or network
paths) are not supported for the following external CA parameters: Certificate
chain, certificate's private key, trust store, passphrase file for certificate's private
key, and CRL cache.
■ The following requirement is applicable for the NetBackup web server certificate:
If the subject alternative name (SAN) is not empty, the certificate should contain
all host names that the primary server is known by (the host names that are
listed in the SERVER configuration option entries of other hosts in the domain) in
the SAN field of the certificate.
■ Requirements for the subject name of the certificate:
■ Subject name should not be empty.
■ Common name of the subject name should not be empty.
■ Subject name should be unique for each host.
■ Subject name should be fewer than 255 characters.

■ Only ASCII 7 characters are supported for the certificate subject and the subject
alternative name (SAN).
■ Requirements for key usage purposes:
If the certificate has a X509v3 Key Usage extension present, it must include the
following key usage purposes:
 External CA and external certificates 399
About external CA support in NetBackup

■ For the web server certificate: At least one of the Digital Signature or Key
Encipherment should be present.
■ For a NetBackup host certificate: Digital Signature purpose should be present.
Key Encipherment may or may not be present.
■ For a certificate that is used for both web server and NetBackup host: Digital
Signature purpose should be present. Key Encipherment may or may not
be present.
■ The certificate may have other key usage purposes listed in addition to the
purposes specified here. These additional purposes are ignored.
■ The X509v3 Key Usage extension may be either critical or non-critical.
■ A certificate without a X509v3 Key Usage extension is also usable with
NetBackup.
If the certificate has a X509v3 Extended Key Usage extension present, it must
include the following key usage purposes:
■ For the web server certificate: TLS Web Server Authentication.
■ For a NetBackup host certificate: TLS Web Server Authentication and TLS
Web Client Authentication.
■ For a certificate that is used for both web server and NetBackup host: TLS
Web Server Authentication and TLS Web Client Authentication.
■ The certificate may have other key usage purposes listed in addition to the
purposes specified here. These additional purposes are ignored.
■ The X509v3 Extended Key Usage extension may be either critical or
non-critical.
■ A certificate without a X509v3 Extended Key Usage extension is also usable
with NetBackup.
■ If the certificate does not meet these requirements, contact your certificate
provider to obtain a new certificate.

Command-line options used for external certificate configuration

Use the following command-line options are specific to external certificate
configuration:
 External CA and external certificates 400
Workflow to use external certificates for NetBackup host communication

nbcertcmd ■ -cleanupCRLCache
■ -createECACertEntry
■ -deleteECACertEntry
■ -ecaHealthCheck
■ -enrollCertificate
■ -getExternalCertDetails
■ -listEnrollmentStatus
■ -removeEnrollment
■ -updateCRLCache

configureWebServerCerts ■ -addExternalCert
■ -removeExternalCert
■ -validateExternalCert

The following command-line options are used for both external and NetBackup
certificate configurations:

nbcertcmd ■ -listCertDetails - This command option is by default

applicable for NetBackup CA-signed certificate. When used with
-ECA option, it is applicable for external CA-signed certificates.
■ -listCACertDetails - This command option is by default
applicable for NetBackup CA-signed certificate. When used with
-ECA option, it is applicable for external CA-signed certificates.

For more information about the commands, refer to the NetBackup Commands
Reference Guide.

Workflow to use external certificates for

NetBackup host communication
To configure NetBackup to use external CA-signed certificates for secure
communication, you should carry out the following steps in the given order:
 External CA and external certificates 401
Workflow to use external certificates for NetBackup host communication

Table 20-1 Workflow to use external certificates for NetBackup host

communication

Step Description

Step 1 Ensure the following:

■ The external certificates for the web server, primary server, and all hosts are
placed at the appropriate locations.
■ In case of file-based certificates, the private key files for the external certificates
are placed at the appropriate locations.
See “ECA_PRIVATE_KEY_PATH for NetBackup servers and clients”
on page 407.
If the private keys are encrypted, passphrase files should be placed at the
appropriate locations.
See “ECA_KEY_PASSPHRASEFILE for NetBackup servers and clients”
on page 408.
■ The CRLs are placed at the required locations on the hosts as per their CRL
configuration options and they are accessible.
See “About certificate revocation lists for external CA” on page 417.

Step 2 Install the NetBackup software on the primary server (or upgrade the primary server).

Step 3 Enable the NetBackup domain to use external certificates by configuring the
NetBackup web server.

See “Configure an external certificate for the NetBackup web server” on page 421.

Step 4 Configure an external certificate for the NetBackup primary server host.
See “Configuring the primary server to use an external CA-signed certificate”
on page 424.

Step 5 Install the NetBackup software on the media server and clients (or upgrade the
media server and clients). If the primary server is configured to use external
certificates, the Installer prompts you to provide external certificate information for
the host.
 External CA and external certificates 402
Configuration options for external CA-signed certificates

Table 20-1 Workflow to use external certificates for NetBackup host

communication (continued)

Step Description

Step 6
Note: This step is required for the hosts (media server and clients) that have the
current NetBackup software, but are not configured to use external certificate.

NetBackup hosts may not have external certificate configuration because of the
following reasons:

■ You did not provide the external certificate information during installation or
upgrade of the host.
■ The NetBackup primary server was not configured to use external certificates
during installation or upgrade of the host.

Configure an external certificate for a NetBackup host (media server or client) after
installation.

See “Configuring a NetBackup host (media server, client, or cluster node) to use
an external CA-signed certificate after installation” on page 427.

Configuration options for external CA-signed

certificates
To configure a NetBackup primary server, media server, or client to use external
CA-signed certificate for host communication, you must define certain configuration
options in the NetBackup configuration file (bp.conf on UNIX platform or Windows
registry).

About the mandatory and optional configuration options

■ For external certificate configuration, for file-based certificates, the following
configuration options are mandatory:
■ ECA_CERT_PATH

■ ECA_TRUST_STORE_PATH

■ ECA_PRIVATE_KEY_PATH
If the private key of the external certificate is encrypted,
ECA_KEY_PASSPHRASEFILE is also mandatory:

■ For Windows certificate store, the following configuration options are mandatory:
■ ECA_CERT_PATH

■ The following options are optional:

 External CA and external certificates 403
Configuration options for external CA-signed certificates

■ ECA_CRL_CHECK
If the option is set to DISABLE (or 0) the ECA_CRL_PATH option is ignored and
revocation status of a peer host's certificate is not verified.
If the option is set to a value other than DISABLE and 0, revocation status of
a peer host's certificate is verified based on ECA_CRL_PATH.
■ ECA_DR_BKUP_WIN_CERT_STORE
For Windows certificate store, specify this option if you want to backup the
external certificates during catalog backup.
■ ECA_CRL_PATH_SYNC_HOURS
This option is used when ECA_CRL_CHECK is enabled and ECA_CRL_PATH is
defined.
■ ECA_CRL_REFRESH_HOURS
This option is used when ECA_CRL_CHECK is enabled, but ECA_CRL_PATH is
not defined (when CDP is used as a CRL source).
See “About certificate revocation lists for external CA” on page 417.

ECA_CERT_PATH for NetBackup servers and clients

The ECA_CERT_PATH option specifies the path to the external CA-signed certificate
of the host. This option is mandatory.
NetBackup supports the following certificate sources for host certificates:
■ Windows certificate store

Note: The Windows certificate store is not supported for clustered primary
servers.

■ File-based certificates

Certificate order in the certificate file

A certificate file must have a certificate chain with certificates in the correct order.
The chain starts with the server certificate (also known as the leaf certificate) and
is followed by zero or more intermediate certificates. The chain must contain all
intermediate certificates up to the Root CA certificate but should not contain the
Root CA certificate itself. The chain is created such that each certificate in the chain
signs the previous certificate in the chain.
The certificate file should be in one of the following formats:
■ PKCS #7 or P7B file that is either DER or PEM encoded that has certificates in
the specified order
 External CA and external certificates 404
Configuration options for external CA-signed certificates

■ A file with the PEM certificates that are concatenated together in the specified
order

Table 20-2 ECA_CERT_PATH information

Usage Description

Where to use On NetBackup servers or clients.

How to use Use the nbgetconfig and the nbsetconfig commands to

view, add, or change the option.

For information about these commands, see the NetBackup

Commands Reference Guide.

For file-based certificates, use the following format:

ECA_CERT_PATH = Path to the external certificate

of the host

For example: c:\server.pem

If you use this option on a Flex Appliance application instance,

the path must be /mnt/nbdata/hostcert/.

For Windows certificate store, use the following format:

ECA_CERT_PATH = Certificate store name\Issuer

name\Subject name

You can specify multiple certificate selection queries in a

comma-separated format.

ECA_CERT_PATH = Store name1\Issuer name1\Subject

name1,Store name2\Issuer name2\Subject name2

See “Specifying Windows certificate store for ECA_CERT_PATH”

on page 404.

Equivalent NetBackup No equivalent exists.

web UI property

Specifying Windows certificate store for ECA_CERT_PATH

NetBackup selects a certificate from any of the local machine certificate stores on
a Windows host.
In case of Windows certificate store, ECA_CERT_PATH is a list of comma-separated
clauses.
Each clause is of the form Store name\Issuer\Subject. Each clause element contains
a query.
 External CA and external certificates 405
Configuration options for external CA-signed certificates

$hostname is a keyword that is replaced with the fully qualified domain name of the
host. Use double quotes when a \ is present in the actual path. For example,
MY\Veritas\"NetBackup\$hostname".

$shorthostname is a keyword that is replaced with the short name of the host. Use
double quotes when a \ is present in the actual path. For example,
MY\Veritas\"NetBackup\$shorthostname".

The 'Store name' should be the exact name of the store where the certificate resides.
For example: 'MY'
The 'Issuer' is optional. If this is provided, NetBackup picks the certificates for which
the Issuer DN contains the provided substring.
The 'Subject' is mandatory. NetBackup picks the certificate for which the Subject
DN contains the provided substring.
You must ensure to:
■ Add the root certificate to Trusted Root Certification Authorities or Third-Party
Root Certification Authorities in the Windows certificate store.
■ If you have any intermediate CAs, add their certificates to the Intermediate
Certification Authorities in the Windows certificate store.

Example - Certificate locations with WHERE CLAUSE:

■ My\Veritas\$hostname, My\ExampleCompany\$hostname
Where (certificate store is MY, Issuer DN contains Veritas, Subject DN contains
$hostname) OR (certificate store name is MY, Issuer DN contains
ExampleCompany, Subject DN contains $hostname)

■ MY\Veritas\"NetBackup\$hostname"
Where certificate store name is MY, Issuer DN contains Veritas, Subject DN
contains NetBackup\$hostname
■ MY\\$hostname
Where certificate store name is MY, any Issuer DN, Subject DN contains
$hostname

■ MY\\$shorthostname
Where certificate store name is MY, any Issuer DN, Subject DN contains
$shorthostname

■ MY\Veritas\NetBackup $hostname
Where certificate store name is MY, Issuer DN contains Veritas, Subject DN
contains NetBackup $hostname
If you provide a space between words, it is considered as a valid character.
 External CA and external certificates 406
Configuration options for external CA-signed certificates

Example - Certificate locations with invalid data:

■ MY\\
The Subject DN should have some value.
■ My\$hostname
The Subject DN should have some value.
■ \\$hostname
The certificate store name should have exact value of the store in which the
certificate resides.
■ MY\CN=Veritas\CN=$hostname
The Subject DN and issuer DN cannot contain =, and also specific tags like
CN=.

ECA_TRUST_STORE_PATH for NetBackup servers and clients

The ECA_TRUST_STORE_PATH option specifies the file path to the certificate bundle
file that contains all trusted root CA certificates.
This certificate file should have one or more certificates in PEM format.
Do not specify the ECA_TRUST_STORE_PATH option if you use the Windows certificate
store.
The trust store supports certificates in the following formats:
■ PKCS #7 or P7B file having certificates of the trusted root certificate authorities
that are bundled together. This file may either be PEM or DER encoded.
■ A file containing the PEM encoded certificates of the trusted root certificate
authorities that are concatenated together.
This option is mandatory for file-based certificates.
The root CA certificate in Cloudera distribution can be obtained from the Cloudera
administrator. It may have a manual TLS configuration or an Auto-TLS enabled for
the Hadoop cluster. For both cases, NetBackup needs a root CA certificate from
the administrator.
The root CA certificate from the Hadoop cluster can validate the certificates for all
nodes and allow NetBackup to run the backup and restore process in case of the
secure (SSL) cluster. This root CA certificate is a bundle of certificates that has
been issued to all such nodes.
Certificate from root CA must be configured under ECA_TRUST_STORE_PATH in case
of self-signed, third party CA or Local/Intermediate CA environments. For example:
In case of AUTO-TLS enabled Cloudera environments, you can typically find the
root CA file named with cm-auto-global_cacerts.pem at path
 External CA and external certificates 407
Configuration options for external CA-signed certificates

/var/lib/cloudera-scm-agent/agent-cert. For more details, refer Cloudera

documentation.

Table 20-3 ECA_TRUST_STORE_PATH information

Usage Description

Where to use On NetBackup servers or clients.

If certificate validation is required for VMware, Red Hat

Virtualization servers, or Nutanix AHV, this option must be set
on the NetBackup primary server and respective access hosts,
irrespective of the certificate authority that NetBackup uses for
host communication (NetBackup CA or external CA).

How to use Use the nbgetconfig and the nbsetconfig commands to

view, add, or change the option.

For information about these commands, see the NetBackup

Commands Reference Guide.

Use the following format:

ECA_TRUST_STORE_PATH = Path to the external CA

certificate

For example: c:\rootCA.pem

If you use this option on a Flex Appliance application instance,

the path must be /mnt/nbdata/hostcert/.

Equivalent UI property No equivalent exists.

ECA_PRIVATE_KEY_PATH for NetBackup servers and clients

The ECA_PRIVATE_KEY_PATH option specifies the file path to the private key for the
external CA-signed certificate of the host.
This option is mandatory for file-based certificates.
If the private key of the certificate is encrypted, you should specify the
ECA_KEY_PASSPHRASEFILE option.

See “ECA_KEY_PASSPHRASEFILE for NetBackup servers and clients” on page 408.

NetBackup supports PKCS #1 and PKCS #8 formatted private keys that are either
plain text or encrypted. These may either be PEM or DER encoded. However, if it
is PKCS #1 encrypted, it must be PEM encoded.
For encrypted private keys, NetBackup supports the following encryption algorithms:
■ DES, 3DES, and AES if the private key is in the PKCS #1 format
 External CA and external certificates 408
Configuration options for external CA-signed certificates

■ DES, 3DES, AES, RC2, and RC4 if the private key is in the PKCS #8 format

Note: You should not specify the ECA_PRIVATE_KEY_PATH option if Windows

certificate store is specified for the ECA_CERT_PATH option.
See “ECA_CERT_PATH for NetBackup servers and clients” on page 403.

Table 20-4 ECA_PRIVATE_KEY_PATH information

Usage Description

Where to use On NetBackup servers or clients.

How to use Use the nbgetconfig and the nbsetconfig commands to view,
add, or change the option.

For information about these commands, see the NetBackup

Commands Reference Guide.

Use the following format:

ECA_PRIVATE_KEY_PATH = Path to the private key

of the external certificate

For example: c:\key.pem

If you use this option on a Flex Appliance application instance, the

path must be /mnt/nbdata/hostcert/.

Equivalent UI property No equivalent exists.

ECA_KEY_PASSPHRASEFILE for NetBackup servers and clients

The ECA_KEY_PASSPHRASEFILE option specifies the path to the text file where the
passphrase for the external certificate’s private key is stored.
You should specify the ECA_KEY_PASSPHRASEFILE option only if the certificate’s
private key is encrypted.
See “ECA_PRIVATE_KEY_PATH for NetBackup servers and clients” on page 407.

Note: You should not specify the ECA_KEY_PASSPHRASEFILE option if you use
Windows certificate store.
See “ECA_CERT_PATH for NetBackup servers and clients” on page 403.
 External CA and external certificates 409
Configuration options for external CA-signed certificates

Note: Do not use the ECA_KEY_PASSPHRASEFILE on the MSDP servers that

are used for MSDP direct cloud tiering as it is not supported with MSDP direct cloud
tiering.

Table 20-5 ECA_KEY_PASSPHRASEFILE information

Usage Description

Where to use On NetBackup servers or clients.

How to use Use the nbgetconfig and the nbsetconfig commands to

view, add, or change the option.

For information about these commands, see the NetBackup

Commands Reference Guide.

Use the following format:

ECA_KEY_PASSPHRASEFILE = Path to the passphrase

file

Equivalent UI property No equivalent exists.

ECA_CRL_CHECK for NetBackup servers and clients

The ECA_CRL_CHECK option lets you specify the revocation check level for external
certificates of the host. It also lets you disable the revocation check for the external
certificates. Based on the check, revocation status of the certificate is validated
against the Certificate Revocation List (CRL) during host communication.
You can choose to use the CRLs from the directory that is specified for the
ECA_CRL_PATH configuration option in the configuration file (bp.conf on UNIX or
Windows registry) or the CRL Distribution Point (CDP).
See “ECA_CRL_PATH for NetBackup servers and clients” on page 410.

Table 20-6 ECA_CRL_CHECK information

Usage Description

Where to use On NetBackup servers or clients.

 External CA and external certificates 410
Configuration options for external CA-signed certificates

Table 20-6 ECA_CRL_CHECK information (continued)

Usage Description

How to use Use the nbgetconfig and the nbsetconfig commands to

view, add, or change the option.

For information about these commands, see the NetBackup

Commands Reference Guide.

Use the following format:

ECA_CRL_CHECK = CRL check

You can specify one of the following:

■ DISABLE (or 0) - Revocation check is disabled. Revocation

status of the certificate is not validated against the CRL during
host communication.
■ LEAF (or 1) - Revocation status of the leaf certificate is
validated against the CRL. This is the default value.
■ CHAIN (or 2) - Revocation status of all certificates from the
certificate chain are validated against the CRL.

Equivalent web UI No equivalent exists.

property

ECA_CRL_PATH for NetBackup servers and clients

The ECA_CRL_PATH option specifies the path to the directory where the Certificate
Revocation Lists (CRL) of the external certificate authority (ECA) are located.
These CRLs are copied to NetBackup CRL cache. Revocation status of the external
certificate is validated against the CRLs from the CRL cache.
CRL in the CRL cache is periodically updated with the CRL on the location that is
specified for ECA_CRL_PATH based on the ECA_CRL_PATH_SYNC_HOURS option.
If the ECA_CRL_CHECK or HADOOP_CRL_CHECK option is not set to DISABLE (or 0) and
the ECA_CRL_PATH option is not specified, NetBackup downloads the CRLs from
the URLs that are specified in the CRL distribution point (CDP) and uses them to
verify revocation status of the peer host's certificate.

Note: For validating the revocation status of a virtualization server certificate, the
VIRTUALIZATION_CRL_CHECK option is used.

For validating the revocation status of a Hadoop server certificate, the

HADOOP_CRL_CHECK option is used.
 External CA and external certificates 411
Configuration options for external CA-signed certificates

Table 20-7 ECA_CRL_PATH information

Usage Description

Where to use On NetBackup servers or clients.

If certificate validation is required for VMware, Red Hat
Virtualization servers, Nutanix AHV, or Hadoop, this option
must be set on the NetBackup primary server and respective
access or backup hosts, irrespective of the certificate authority
that NetBackup uses for host communication (NetBackup CA
or external CA).

If certificate validation is required for VMware, Red Hat

Virtualization servers, or Hadoop, this option must be set on
the NetBackup primary server and respective access or
backup hosts, irrespective of the certificate authority that
NetBackup uses for host communication (NetBackup CA or
external CA).

How to use Use the nbgetconfig and the nbsetconfig commands

to view, add, or change the option.

For information about these commands, see the NetBackup

Commands Reference Guide.

Use the following format to specify a path to the CRL directory:

ECA_CRL_PATH = Path to the CRL directory

For example:

ECA_CRL_PATH = /usr/eca/crl/eca_crl_file.crl

If you use this option on a Flex Appliance application instance,

the path must be /mnt/nbdata/hostcert/crl.

Equivalent UI property No equivalent exists.

ECA_CRL_PATH_SYNC_HOURS for NetBackup servers and clients

The ECA_CRL_PATH_SYNC_HOURS option specifies the time interval in hours to update
the Certificate revocation lists (CRL) in the NetBackup CRL cache with the CRLs
in the directory that is specified for the ECA_CRL_PATH configuration option.
See “ECA_CRL_PATH for NetBackup servers and clients” on page 410.
The ECA_CRL_PATH_SYNC_HOURS option is not applicable if CDP is used for CRLs.
By default, CRLs in the cache are updated every one hour.
During host communication, revocation status of the external certificate is validated
against the CRLs from the CRL cache.
 External CA and external certificates 412
Configuration options for external CA-signed certificates

Table 20-8 ECA_CRL_PATH_SYNC_HOURS information

Usage Description

Where to use On NetBackup servers or clients.

How to use Use the nbgetconfig and the nbsetconfig commands to

view, add, or change the option.

For information about these commands, see the NetBackup

Commands Reference Guide.

Use the following format:

ECA_CRL_PATH_SYNC_HOURS = Number of hours

Minimum number of hours that you can specify - 1 hour

Maximum number of hours that you can specify - 720 hour

The default value is one hour.

Equivalent UI property No equivalent exists.

ECA_CRL_REFRESH_HOURS for NetBackup servers and clients

The ECA_CRL_REFRESH_HOURS option specifies the time interval in hours to download
the CRLs from the URLs that are specified in the peer host certificate's CRL
distribution points (CDP).
The ECA_CRL_REFRESH_HOURS option is applicable when you use CDP for CRLs.
See “ECA_CRL_PATH for NetBackup servers and clients” on page 410.
After the specified time interval, CRLs of the certificate authority are downloaded
from the URLs that are available in CDP.
By default, the CRLs are downloaded from the CDP after every 24 hours.

Table 20-9 ECA_CRL_REFRESH_HOURS information

Usage Description

Where to use On NetBackup servers or clients.

 External CA and external certificates 413
Configuration options for external CA-signed certificates

Table 20-9 ECA_CRL_REFRESH_HOURS information (continued)

Usage Description

How to use Use the nbgetconfig and the nbsetconfig commands to

view, add, or change the option.

For information about these commands, see the NetBackup

Commands Reference Guide.

Use the following format:

ECA_CRL_REFRESH_HOURS = Number of hours

Minimum number of hours that you can specify - 0 hour, which

indicates that CRLs from the CDP are not periodically
downloaded.

Maximum number of hours that you can specify - 4380 hours

The default value for the option is 24 hours.

Note: CRLs are also downloaded from the CDP during host
communication if they are expired or not available in the CRL
cache, irrespective of the time interval set for the
ECA_CRL_REFRESH_HOURS option.

Equivalent UI property No equivalent exists.

ECA_DISABLE_AUTO_ENROLLMENT for NetBackup servers and

clients
When NetBackup is configured to use the certificates that an external CA has
signed, such certificates are automatically enrolled with the primary server during
host communication. If you want to disable automatic enrollment of such certificates,
set the ECA_DISABLE_AUTO_ENROLLMENT to '1'.
When automatic enrollment is disabled, you can enroll the external certificates
manually using the nbcertcmd -enrollCertificate command.
A certificate must be enrolled with the primary server before it can be used for host
communication.
By default, automatic certificate enrollment is enabled.

Table 20-10 ECA_DISABLE_AUTO_ENROLLMENT information

Usage Description

Where to use On NetBackup servers or clients.

 External CA and external certificates 414
Configuration options for external CA-signed certificates

Table 20-10 ECA_DISABLE_AUTO_ENROLLMENT information (continued)

Usage Description

How to use Use the nbgetconfig and the nbsetconfig commands to view,
add, or change the option.

For information about these commands, see the NetBackup

Commands Reference Guide.

Use the following format:

ECA_DISABLE_AUTO_ENROLLMENT = 1

Equivalent UI property No equivalent exists.

ECA_DR_BKUP_WIN_CERT_STORE for NetBackup servers and

clients
The ECA_DR_BKUP_WIN_CERT_STORE option specifies whether you want to take a
backup of the Windows certificate store information during catalog backup or not.
By default, Windows certificate store information is backed up during catalog backup.

Note: If the Windows certificate store information is not exportable, it cannot be

backed up during catalog backup.

Table 20-11 ECA_DR_BKUP_WIN_CERT_STORE information

Usage Description

Where to use On NetBackup servers or clients.

How to use Use the nbgetconfig and the nbsetconfig commands to

view, add, or change the option.

For information about these commands, see the NetBackup

Commands Reference Guide.

If you do not want the catalog backup operation to take a backup

of the Windows certificate store information, use the following
format:
ECA_DR_BKUP_WIN_CERT_STORE = NO

Equivalent UI property No equivalent exists.

 External CA and external certificates 415
Configuration options for external CA-signed certificates

MANAGE_WIN_CERT_STORE_PRIVATE_KEY option for

NetBackup primary servers
The MANAGE_WIN_CERT_STORE_PRIVATE_KEY option lets you disable the automatic
permission management of the private key of the certificate in Windows Certificate
Store.
This option is applicable for Windows Certificate Store and only when the NetBackup
services are running in the Local Service account context.
When NetBackup services are running in the Local Service account context, the
services need to have permissions to read the private key for certificate in Windows
Certificate Store.
When the MANAGE_WIN_CERT_STORE_PRIVATE_KEY option is set to Automatic, the
NetBackup service that is running in the privileged user account context grants
access to all other NetBackup services for reading the private key whenever
required.
By default, permissions for the private key are automatically managed. When the
MANAGE_WIN_CERT_STORE_PRIVATE_KEY option is set to Disabled, the permissions
of the private key need to be managed manually.

Note: It is not recommended to set the MANAGE_WIN_CERT_STORE_PRIVATE_KEY

option to Disabled.

To manually update the permissions when this option is Disabled, run the following
command:
nbcertcmd -setWinCertPrivKeyPermissions -reason audit reason -force

Refer to the NetBackup Commands Reference Guide for more details on the
command-line options.

Table 20-12 MANAGE_WIN_CERT_STORE_PRIVATE_KEY information

Usage Description

Where to use On NetBackup primary server.

How to use Use the nbgetconfig and the nbsetconfig commands

to view, add, or change the option.

For information about these commands, see the NetBackup

Commands Reference Guide.

Use the following format:

MANAGE_WIN_CERT_STORE_PRIVATE_KEY = Automatic
 External CA and external certificates 416
Limitations of Windows Certificate Store support when NetBackup services are running in Local Service
account context

Table 20-12 MANAGE_WIN_CERT_STORE_PRIVATE_KEY information

(continued)

Usage Description

Equivalent NetBackup web No equivalent exists.

UI property

Limitations of Windows Certificate Store support

when NetBackup services are running in Local
Service account context
When NetBackup services are running in Local Service account context, the services
need to have read access to the private key. NetBackup updates permissions of
the private key during certificate enrollment so that NetBackup services have read
access to the private key.
To set the permissions the Cryptographic Service Provider (CSP) or Key Storage
Provider (KSP) of the certificate being used must support security descriptors.
To know if the security descriptors are supported by the provider, run the following
command:
nbcertcmd -ecaHealthCheck -serviceUser LocalService

Refer to the NetBackup Commands Reference Guide for more details on the
command-line options.
If security descriptors are not supported by the provider, you need to use a provider
that supports security descriptors or use an administrator account to run NetBackup
services.
To change your provider, you need to re-deploy your certificate. Provider cannot
be changed once the certificate is deployed. Providers that support security
descriptors: Microsoft Software Key Storage Provider, Microsoft Enhanced
Cryptographic Provider v1.0, Microsoft Enhanced RSA and AES Cryptographic
Provider, Microsoft Strong Cryptographic Provider and so on.
If you have PFX file, you can re-import it to change your provider.
1 Remove certificate and private key from Windows Certificate Store.
2 Import the pfx file using certutil command:
C:\Windows\System32\certutil.exe -importPfx -csp provider name
pfxfile
 External CA and external certificates 417
About certificate revocation lists for external CA

For an ADCS deployed certificate, the provider can be changed from the certificate
template and then deploying the certificate again.
You can also select a provider while requesting a new certificate depending on the
configuration.
To use administrator account to run NetBackup services, run the following command:
nbserviceusercmd.exe -changeUser

Refer to the NetBackup Commands Reference Guide for more details on the
command-line options.

About certificate revocation lists for external CA

Certificate revocation list (CRL) for an external certificate authority (CA) contains
a list of digital certificates that the external CA has revoked before the scheduled
expiration date and should no longer be trusted.
NetBackup supports PEM and DER formats for CRLs for external CA.
CRLs for all CRL issuers or external CAs are stored in the NetBackup CRL cache
that resides on each host.
During secure communication, each NetBackup host verifies the revocation status
of the peer host's external certificate with the CRL that is available in the NetBackup
CRL cache, based on the ECA_CRL_CHECK configuration option.
See “ECA_CRL_CHECK for NetBackup servers and clients” on page 409.
The NetBackup CRL cache is updated with the required CRLs using one of the
following CRL sources:

ECA_CRL_PATH A NetBackup configuration option (from bp.conf file on UNIX or Windows

configuration registry) that specifies the path where the CRL exists.
option
See “ECA_CRL_PATH_SYNC_HOURS for NetBackup servers and
clients” on page 411.

See “How CRLs from ECA_CRL_PATH are used” on page 418.

CRL distribution If you have not specified ECA_CRL_PATH, NetBackup downloads the
point (CDP) CRLs from the URLs that are specified in the peer host certificate's CDP
and caches them in the NetBackup CRL cache.

See “How CRLs from CDP URLs are used” on page 419.

NetBackup supports downloading CRLs from HTTP and HTTPS URLs

that are specified in CDP.
 External CA and external certificates 418
About certificate revocation lists for external CA

The NetBackup CRL cache contains only the latest copy of a CRL for each CA
(including root and intermediate CAs).
The bpclntcmd -crl_download service updates the CRL cache during host
communication in the following scenarios irrespective of the time interval set for
the ECA_CRL_PATH_SYNC_HOURS or ECA_CRL_REFRESH_HOURS options:
■ When CRLs in the CRL cache are expired
■ If CRLs are available in the CRL source (ECA_CRL_PATH or CDP), but they are
missing from the CRL cache

Note: Once the bpclntcmd -crl_download service updates the CRLs in the CRL
cache, it does not download the CRLs for the same CA for the next 15 min even
though a valid download scenario has occurred. If you want to update the CRL
within 15 min, terminate the bpclntcmd -crl_download service.

How CRLs from ECA_CRL_PATH are used

Use this section if you want to use ECA_CRL_PATH as the CRL source for the
NetBackup CRL cache.
To use CRLs from ECA_CRL_PATH
1 Ensure that the CRLs for external CAs are stored in a directory and the directory
path is accessible by the host.
If you have a Flex Appliance application instance, the files must be stored in
the following directory on the instance: /mnt/nbdata/hostcert/crl
You can specify the CRL details that are required for external CA configuration
during NetBackup installation or upgrade on the host.
Select one of the following certificate revocation list (CRL) options during
installation or upgrade:
■ Use the CRL defined in the certificate - No additional information is
required.
■ Use the CRL at the following path - You are prompted to provide a path
to the CRL.
If you choose to use the Do not use a CRL option, peer host's certificate
is not verified with the CRL during host communication.
 External CA and external certificates 419
About certificate revocation lists for external CA

For more information, refer to the NetBackup Installation Guide.

2 Specify the CRL directory path for the ECA_CRL_PATH configuration option.
3 Ensure that the ECA_CRL_CHECK configuration option is set to a value other
than DISABLE.
During host communication, the revocation status of the external certificate is
verified with the CRL in the NetBackup CRL cache that contains the CRLs from
ECA_CRL_PATH.

By default, CRLs from the cache are updated every one hour. To change the
time interval, set the ECA_CRL_PATH_SYNC_HOURS option to a different value.
To manually update the CRL cache with the ECA_CRL_PATH CRLs, run the
nbcertcmd -updateCRLCache command.

To manually delete the CRLs from the CRL cache, run the nbcertcmd
-cleanupCRLCache command.

How CRLs from CDP URLs are used

Use this section if you want to use CRL Distribution Point (CDP) as the CRL source
for the NetBackup CRL cache.
To use CRLs from CDP
1 Ensure that the ECA_CRL_PATH configuration option is not specified.
2 Ensure that the host can access the URLs that are specified in the peer host's
CDP.
3 Ensure that the ECA_CRL_CHECK configuration option is set to a value other
than DISABLE.
During host communication, the revocation status of the external certificate is
verified with the CRL in the NetBackup CRL cache that contains the CRLs from
CDP URLs.
By default, CRLs are downloaded from the CDP after every 24 hours and
updated in the CRL cache. To change the time interval, set the
ECA_CRL_REFRESH_HOURS configuration option to a different value.

To manually delete the CRLs from the CRL cache, run the nbcertcmd
-cleanupCRLCache command.
 External CA and external certificates 420
About certificate enrollment

About certificate enrollment

In case of NetBackup CA, certificates are automatically enrolled with the primary
server during certificate deployment.
In case of external CA, certificates are automatically enrolled with the primary server
during host communication if the ECA_DISABLE_AUTO_ENROLLMENT option is enabled.
You can enroll the certificate manually using the nbcertcmd -enrollCertificate
command.
The enrolled certificates are used for host communication.
See “Removing certificate enrollment” on page 431.

About automatic enrollment of an external certificate

An external certificate of a host is automatically enrolled with a primary server when
communication takes place for the first time. You can disable the automatic certificate
enrollment process and enroll the certificates manually as and when required using
the nbcertcmd -enrollCertificate command.
See “ECA_DISABLE_AUTO_ENROLLMENT for NetBackup servers and clients”
on page 413.
If automatic enrollment is enabled for communicating hosts and both hosts have
external certificates configured, NetBackup tries to enroll the external certificates.
The external certificates are enrolled with the associated primary server. During
any subsequent communications between the hosts associated with this primary
server, the enrolled external certificates are used.
External certificates are not automatically enrolled in the following scenarios:
■ Communication with NAT clients
For more information about NAT client support in NetBackup, refer to the
NetBackup Administrator's Guide Volume I.
■ Communication between media servers as part of media server deduplication
(MSDP) image replication
■ Communication with the NetBackup Administration Console

About viewing enrollment status of primary

servers
To configure a NetBackup host to use an external certificate, you need to define
the required configuration options and then enroll a certificate for the host. The
 External CA and external certificates 421
Configure an external certificate for the NetBackup web server

enrolled certificate is used for communication between the host and the primary
server domain that exists in the SERVER option.
See “Configuring the primary server to use an external CA-signed certificate”
on page 424.
See “Configuring a NetBackup host (media server, client, or cluster node) to use
an external CA-signed certificate after installation” on page 427.
You can view the enrollment status by running the nbcertcmd
-listEnrollmentStatus command. The command lists only those records where
the subject name matches that of the certificate that is configured for the
ECA_CERT_PATH option.

The following enrollment statuses are displayed:

■ Not enrolled - The external certificate is not enrolled with this primary server
domain. The primary server is present in primary server list in the SERVER option.
■ To be updated - The external certificate is required to be enrolled again with
this primary server domain.
■ Enrolled - The external certificate is enrolled with the primary server.
See “Enrolling an external certificate for a remote host” on page 429.

Configure an external certificate for the

NetBackup web server
Note: Before enrolling the certificate for the primary server, ensure that you complete
the prerequisite steps as described in the following topic.
See “Workflow to use external certificates for NetBackup host communication”
on page 400.

By default, NetBackup uses the security certificates that the NetBackup CA has
issued. If you have a certificate that an external CA has issued, you can configure
the NetBackup web server to use it for secure communication.

Note: Windows certificate store is not supported as certificate source for the
NetBackup web server.

The API that you can use to configure the external certificate for the NetBackup
web server: POST security/web-certificates/{certificate_id}.
 External CA and external certificates 422
Configure an external certificate for the NetBackup web server

If external certificate for the web server is configured using the API, the configuration
process is audited.
To configure an external certificate for the web server
1 Ensure that you have valid certificate, private key of the certificate, and trusted
CA bundle.
2 Ensure that the NetBackup Web Management Console service is up and
running.
3 Run the following command:
configureWebServerCerts -addExternalCert -nbHost -certPath
certificate path -privateKeyPath private key path -trustStorePath
CA bundle path [-passphrasePath passphrase file path]

The configureWebServerCerts command does not support use of Windows

certificate store paths.
Refer to the NetBackup Commands Reference Guide for more details on the
command-line options.
■ In a clustered setup, to avoid a failover run the following command on the
active node:
install_path/netbackup/bin/bpclusterutil -freeze

■ If the FIPS mode is enabled on the primary server, you can use only the
PEM-formatted files for the configureWebServerCerts command.

4 Restart the NetBackup Web Management Console service to reflect the

changes.
On UNIX, run the following commands:
■ install_path/netbackup/bin/nbwmc -terminate

■ install_path/netbackup/bin/nbwmc start

On Windows, use the Services application in the Windows Control Panel.

Location of the commands:

Windows install_path\NetBackup\wmc\bin\install\

UNIX install_path/wmc/bin/install

■ In a clustered setup, unfreeze the cluster using the following command on

the active node:
install_path/netbackup/bin/bpclusterutil -unfreeze
 External CA and external certificates 423
Configure an external certificate for the NetBackup web server

5 Restart the NetBackup Messaging Queue Broker (nbmqbroker) service as

follows:
On Windows:
Go to the Services application in the Windows Control Panel and manually
restart the NetBackup Messaging Queue Broker service.
On UNIX:
Run the following command:
nbmqbroker stop; nbmqbroker start

6 Verify that you can access the NetBackup web user interface using a browser,
without a certificate warning message.

Update or renew the external certificate for the web server

You can update or renew the external certificate that you configured for the web
server.
To update or renew the external certificate for the web server
1 Ensure that you have the latest external certificate, the matching private key,
and the CA bundle file.
2 Run the following command (in a clustered setup, run the command on the
active node):
configureWebServerCerts -addExternalCert -nbHost -certPath
certificate path -privateKeyPath private key path -trustStorePath
CA bundle path

Remove the external certificate configured for the web server

You can remove the external certificate that is configured for the NetBackup web
server. NetBackup then uses the NetBackup CA-signed certificate for secure
communication.
The API that you can use to remove the external certificate for the NetBackup web
server: DELETE security/web-certificates/{certificate_id}.
To remove the external certificate configured for the web server
1 Ensure that the NetBackup Web Management Console service is up and
running.
2 Run the following command (in a clustered primary server setup, run this
command on the active node):
 External CA and external certificates 424
Configuring the primary server to use an external CA-signed certificate

configureWebServerCerts -removeExternalCert -nbHost

Refer to the NetBackup Commands Reference Guide for more details on the
command-line options.
■ In a clustered primary server setup, run the following command on the
active node to freeze the cluster to avoid a failover:
install_path/netbackup/bin/bpclusterutil -freeze

3 Restart the NetBackup Web Management Console service.

■ In a clustered primary server setup, run the following command on the
active node to unfreeze the cluster:
install_path/netbackup/bin/bpclusterutil -unfreeze

4 Restart the NetBackup Messaging Queue Broker (nbmqbroker) service as

follows:
On Windows:
Go to the Services application in the Windows Control Panel and manually
restart the NetBackup Messaging Queue Broker service.
On UNIX:
Run the following command:
nbmqbroker stop; nbmqbroker start

Configuring the primary server to use an external

CA-signed certificate
A NetBackup host ID-based certificate is deployed on the primary server during
installation or upgrade. You can configure the primary server to use an external
CA-signed certificate after installation. It includes:
■ Defining the external certificate configuration options
See “Configuration options for external CA-signed certificates” on page 402.
■ Enrolling the external certificate for the primary server host
The enrolled certificate is used for communication between the host and the
primary server domain that is listed in the SERVER configuration option on the
host.
See “Viewing external CA-signed certificates in the NetBackup web UI” on page 430.
See “Configuring an external certificate for a clustered primary server” on page 439.
 External CA and external certificates 425
Configuring the primary server to use an external CA-signed certificate

Important notes
■ Ensure that the NetBackup domain is enabled to use external CA-signed
certificates by configuring the NetBackup web server.
See “Configure an external certificate for the NetBackup web server” on page 421.
■ External certificates for the NetBackup web server and the primary server must
be issued by the same root certificate authority.
If the two certificate authorities do not match, communication between the
NetBackup Administration Console and the NetBackup Web Management
Console service (nbwmc service) fails.
■ Ensure that the certificate revocation lists (CRLs) for the external CA are stored
at the required location.
If CRL distribution point (CDP) is used, ensure that the URLs that are specified
in the CDP are accessible.
See “About certificate revocation lists for external CA” on page 417.
■ When NetBackup primary server is configured to use the service user
(non-privileged user on UNIX and Local Service on Windows) to start most of
the daemons or services, you must ensure that the following ECA paths are
accessible to the service user:
■ ECA_CERT_PATH
■ ECA_PRIVATE_KEY_PATH
■ ECA_TRUST_STORE_PATH
■ ECA_KEY_PASSPHRASEFILE (optional)
■ ECA_CRL_PATH (optional)
See “About a NetBackup service user account” on page 557.
To grant access to the service user, do the following:
On Unix, use the chmod or the chown command.
On Windows run the following command:
install_path\NetBackup\bin\goodies\nbserviceusercmd.exe -addAcl
ECA path -reason reason

To configure the primary server to use an external certificate

1 Update the NetBackup configuration file (bp.conf file on UNIX or Windows
registry) on the primary server with the external certificate-specific parameters.
See “Configuration options for external CA-signed certificates” on page 402.
 External CA and external certificates 426
Configuring the primary server to use an external CA-signed certificate

For Windows Use the nbsetconfig command to configure the following

certificate store parameters:

■ ECA_CERT_PATH
■ ECA_CRL_CHECK (optional)
■ ECA_CRL_PATH (optional)
■ ECA_CRL_PATH_SYNC_HOURS (optional)
■ ECA_CRL_REFRESH_HOURS (optional)
■ ECA_DR_BKUP_WIN_CERT_STORE (optional)

For file-based Use the nbsetconfig command to configure the following

certificates parameters:

■ ECA_CERT_PATH
■ ECA_PRIVATE_KEY_PATH
■ ECA_TRUST_STORE_PATH
■ ECA_KEY_PASSPHRASEFILE (optional)
■ ECA_CRL_CHECK (optional)
■ ECA_CRL_PATH (optional)
■ ECA_CRL_PATH_SYNC_HOURS (optional)
■ ECA_CRL_REFRESH_HOURS (optional)

Note: If you have a Flex Appliance application instance, the

certificate files must be stored in the following directories on the
instance:

ECA_CERT_PATH, ECA_PRIVATE_KEY PATH, and

ECA_TRUST_STORE_PATH: /mnt/nbdata/hostcert/

ECA_CRL_PATH: /mnt/nbdata/hostcert/crl

2 Run the following command on the primary server to enroll an external certificate
with the primary server domain that is defined in the SERVER option:
nbcertcmd -enrollCertificate

For more details on the command, refer to the NetBackup Commands

Reference Guide.
 External CA and external certificates 427
Configuring a NetBackup host (media server, client, or cluster node) to use an external CA-signed certificate
after installation

Configuring a NetBackup host (media server,

client, or cluster node) to use an external
CA-signed certificate after installation
A NetBackup host (media server or client) is configured to use an external certificate
during installation or upgrade. You may choose to do the configuration after
installation.
Use this section to configure a host to use an external certificate.
You can use this section to configure an external certificate for a cluster node.
See “About external certificate configuration for a clustered primary server”
on page 434.
The configuration steps include:
■ Defining the external certificate configuration options
See “Configuration options for external CA-signed certificates” on page 402.
■ Ensuring that automatic enrollment is enabled - ECA_DISABLE_AUTO_ENROLLMENT
is set to TRUE - or enrolling the external certificate manually for the host
See “Enrolling an external certificate for a remote host” on page 429.
The enrolled certificate is used for communication between the host and the
primary server domain that is listed in the SERVER configuration option on the
host.
The enrolled certificate is used for host communication.
See “Viewing external CA-signed certificates in the NetBackup web UI” on page 430.

Important notes
■ Ensure that the NetBackup domain is enabled to use external CA-signed
certificates by configuring the NetBackup web server.
See “Configure an external certificate for the NetBackup web server” on page 421.
■ It is recommended that you enroll an external certificate for the primary server
host before you enroll one for other hosts.
See “Configuring the primary server to use an external CA-signed certificate”
on page 424.
■ Ensure that the certificate revocation lists (CRLs) for the external CA are stored
at the required location.
If CRL distribution point (CDP) is used, ensure that the URLs that are specified
in the CDP are accessible.
See “About certificate revocation lists for external CA” on page 417.
 External CA and external certificates 428
Configuring a NetBackup host (media server, client, or cluster node) to use an external CA-signed certificate
after installation

To configure a host (media server or client) to use an external certificate

1 Update the configuration file (bp.conf file or Windows registry) with the required
external certificate-specific parameters on the host:
See “Configuration options for external CA-signed certificates” on page 402.

For Windows Use the nbsetconfig command to configure the following

certificate store parameters:

■ ECA_CERT_PATH
■ ECA_CRL_CHECK (optional)
■ ECA_CRL_PATH (optional)
■ ECA_CRL_PATH_SYNC_HOURS (optional)
■ ECA_CRL_REFRESH_HOURS (optional)
■ ECA_DR_BKUP_WIN_CERT_STORE (optional)
 External CA and external certificates 429
Enrolling an external certificate for a remote host

For file-based Use the nbsetconfig command to configure the following

certificates parameters:

■ ECA_CERT_PATH
■ ECA_PRIVATE_KEY_PATH
■ ECA_TRUST_STORE_PATH
■ ECA_KEY_PASSPHRASEFILE (optional)
■ ECA_CRL_CHECK_LEVEL (optional)
■ ECA_CRL_PATH (optional)
■ ECA_CRL_PATH_SYNC_HOURS (optional)
■ ECA_CRL_REFRESH_HOURS (optional)

Note: If you have a Flex Appliance application instance, the

certificate files must be stored in the following directories on the
instance:

ECA_CERT_PATH, ECA_PRIVATE_KEY PATH, and

ECA_TRUST_STORE_PATH: /mnt/nbdata/hostcert/

ECA_CRL_PATH: /mnt/nbdata/hostcert/crl

2 Ensure that the ECA_DISABLE_AUTO_ENROLLMENT option is set to TRUE using

the nbgetconfig command. This ensures that automatic enrollment is enabled.
If the option is disabled and you want to manually enroll the certificate, run the
following command on the host to enroll an external certificate with the primary
server domain that is defined in the SERVER configuration option on the host:
nbcertcmd -enrollCertificate

See “About viewing enrollment status of primary servers” on page 420.

For more details on the command, refer to the NetBackup Commands
Reference Guide.

Enrolling an external certificate for a remote host

Use this section to enroll an external certificate for a NetBackup host remotely. This
lets the security administrator to enroll external certificate for multiple remote hosts
from the same host.
To enroll an external certificate for a remote host (or to perform an enrollment sync
operation on a remote host), ensure that the server from which you want to enroll
the certificate is listed in the SERVER configuration option on the remote host.
 External CA and external certificates 430
Viewing the certificate authorities that your NetBackup domain supports

To enroll certificate for a remote host

◆ Run the following command on the local host:
nbcertcmd -enrollCertificate -remoteHost remote_host_name -server
primary_server_name

An external certificate is enrolled for the specified remote host with the primary
server that you provide with the -server option. This primary server must be
available in the remote host’s SERVER configuration option.
See “Configuration options for external CA-signed certificates” on page 402.
For more details on the commands, refer to the NetBackup Commands Reference
Guide.

Viewing the certificate authorities that your

NetBackup domain supports
The Master server certificate configuration option in the NetBackup
Administration Console and on the NetBackup Web UI displays the certificate
authorities - NetBackup CA, external CA, or both - that your NetBackup domain
supports.
■ In the NetBackup Administration Console, expand Security Management
> Global Security Settings and click the Secure Communication tab to view
the supported certificate authorities.
■ On the NetBackup Web UI, click the Global Security Settings option to view
the supported certificate authorities.

Viewing external CA-signed certificates in the

NetBackup web UI
You can view a list of external certificates that are issued to hosts in your domain
using the NetBackup web UI > Security > Certificates screen.
For more information, refer to the NetBackup Web UI Administrator's Guide.

Renewing a file-based external certificate

Use this section to renew a file-based external certificate.
While you replace the certificate, private key, and passphrase files one by one with
all the services up, communication may fail because of mismatch in the certificate
 External CA and external certificates 431
Removing certificate enrollment

- private key pair. To avoid any communication failure, create copies of the files
that NetBackup can use if there is a mismatch in the files.
To renew a file-based external certificate
1 Make a copy of the certificate file and rename it with .old extension.
For example, if the certificate file name is cert.pem, rename it as
cert.pem.old.

2 Make a copy of the private key file and rename it with .old extension.
3 Carry out the following step if the certificate's private key is encrypted.
Make a copy of the passphrase file and rename it with .old extension.
4 Replace the original certificate, private key, and passphrase files with the
renewed certificate, private key, and passphrase files.
5 Restart the NetBackup services.
6 Ensure that the host communication is successful with the renewed certificate
and then delete the old certificate files.

Removing certificate enrollment

You can remove the external certificate enrollment with a certain primary server if
you do not want to use the certificate for host communication.
To remove certificate enrollment
◆ Run the following command:
nbcertcmd -removeEnrollment -server primary_server_name

Disabling the NetBackup CA in a NetBackup

domain
Use this section to disable the existing NetBackup CA support from your domain
when all the hosts in your domain are configured to use external certificates for
host communication.

Note: If you have NAT clients in your environment and the NetBackup Messaging
Broker (nbmqbroker) service is enabled, you may need to restart the service after
you disable the NetBackup CA to use external certificates only.
For more information about NAT support in NetBackup, refer to the NetBackup
Administrator's Guide, Volume I.
 External CA and external certificates 432
Disabling the NetBackup CA in a NetBackup domain

If you have hosts that can communicate securely but cannot be configured to use
external certificates (NetBackup 8.1, 8.1.1, or 8.1.2), you should not disable
NetBackup CA configuration to avoid communication failure.
To disable NetBackup CA support in your domain
1 Ensure that all the hosts in your domain are configured to use external
certificates.
See “Configure an external certificate for the NetBackup web server”
on page 421.
See “Configuring the primary server to use an external CA-signed certificate”
on page 424.
See “Configuring a NetBackup host (media server, client, or cluster node) to
use an external CA-signed certificate after installation” on page 427.
2 After each host in the domain is configured to use external certificates, remove
the NetBackup CA support from each host (media servers and clients) in the
domain.
Run the following commands on each host in the given order:
■ nbcertcmd -removeCACertificate -fingerPrint NetBackup CA
certificate fingerprint

■ nbcertcmd -deleteCertificate -hostid host ID of the host

3 Remove the NetBackup CA support from the primary server.

Run the following commands on the primary server in the given order:
■ nbcertcmd -removeCACertificate -fingerPrint NetBackup CA
certificate fingerprint

■ nbcertcmd -deleteCertificate -hostid host ID of the primary

server

4 Revoke all host ID-based certificates in the domain. This is an optional step.
See “Revoking a host ID-based certificate” on page 338.
5 Remove the NetBackup CA support from the web server. Ensure that you do
not need the NetBackup certificates for host communication.
Run the following command on the web server:
configureWebServerCerts -removeNBCert

For more information about the commands, refer to the NetBackup Commands
Reference Guide.
6 Restart the NetBackup Web Management Console (nbwmc) service.
 External CA and external certificates 433
Enabling the NetBackup CA in a NetBackup domain

Enabling the NetBackup CA in a NetBackup

domain
Use this section to enable a NetBackup domain to use NetBackup CA-signed
certificates (or host ID-based certificates) for host communication.
To enable a NetBackup domain to support NetBackup CA configuration
1 Configure the NetBackup web server to use NetBackup (host ID-based)
certificates.
■ Run the following command:
configureWebServerCerts -addNBCert
See “Configure an external certificate for the NetBackup web server”
on page 421.
■ Restart the NetBackup Web Management Console (nbwmc) service.

2 Deploy a NetBackup host ID-based certificate on the primary server:

See “Deploying host ID-based certificates” on page 312.
3 Deploy a NetBackup host ID-based certificate on each host.
See “Deploying host ID-based certificates” on page 312.

Disabling an external CA in a NetBackup domain

Use this section to disable an external CA in a NetBackup domain.
To disable an external CA
1 Ensure that each host in the domain is configured to use NetBackup host
ID-based certificates.
2 Remove all the external certificate configuration options from the configuration
file (bp.conf on UNIX or Windows registry), which exists on the host.
For example, ECA_CERT_PATH.
See “Configuration options for external CA-signed certificates for a virtual
name” on page 436.
3 Remove the external CA support from the primary server.
■ Remove all the external certificate configuration options from the
configuration file (bp.conf on UNIX or Windows registry), which exists on
the primary server.
For example, ECA_CERT_PATH.
 External CA and external certificates 434
Changing the subject name of an enrolled external certificate

See “Configuration options for external CA-signed certificates for a virtual

name” on page 436.

4 Delete all external certificate entries from the NetBackup database.

Run the following command:
nbcertcmd -deleteECACertEntry -subject subject name of the
certificate

5 Remove the external CA support from the web server.

configureWebServerCerts -removeExternalCert

For more information about the commands, refer to the NetBackup Commands
Reference Guide.
6 Remove the certificate enrollment using the following command:
nbcertcmd -removeEnrollment

Changing the subject name of an enrolled external

certificate
Use this section if you want to change the subject name of an already enrolled
external certificate of a host.
To change the subject name of an enrolled external certificate
1 Change the subject name of the certificate.
2 If the host is part of multiple primary server domains, you need to carry out this
step for all primary servers.
Do one of the following:
■ Run the following command to manually enroll the certificate:
Install_Path/bin/nbcertcmd -enrollCertificate

■ Run following command to remove the existing enrollment:

Install_Path/bin/nbcertcmd -removeEnrollment

About external certificate configuration for a

clustered primary server
You can now use X.509 certificates that your trusted certificate authority (CA) has
issued, for a clustered primary server.
 External CA and external certificates 435
About external certificate configuration for a clustered primary server

You should first enable your NetBackup domain to use external CA-signed
certificates by configuring the NetBackup web server.
You can then configure the NetBackup clustered primary server to use external
CA-signed certificates for secure host communication.
See “Workflow to use external certificates for a clustered primary server” on page 435.

Important notes
Review the following notes before you configure NetBackup to use external
certificates:
■ NetBackup certificate or host ID-based certificate is deployed on the primary
server during NetBackup installation. You need to manually configure an external
certificate on the clustered primary server after installation.
■ In a clustered primary server setup, you require to configure one external
certificate for each cluster node, which resides on the local disk of each node.
Additionally, you need to configure one certificate for the virtual name, which
resides on the shared disk of the cluster.
■ The NetBackup configuration options (for example, CLUSTER_ECA_CERT_PATH)
that are required for external certificate enrollment for the virtual name are stored
in the nbcl.conf file. This file resides on the shared disk and external certificate
configuration options for each cluster node are stored in the bp.conf file or
Windows registry.
■ Windows certificate store is not supported as an external certificate source for
virtual name. It can be used as a source for certificates for cluster nodes.
■ There is no separate CRL configuration option for the virtual name. Based on
the ECA_CRL_CHECK configuration option on the node, certificate revocation lists
(CRLs) - ECA_CRL_PATH or CDP - of the cluster nodes are used to verify the
revocation status of the peer host's certificate during communication. Therefore,
the CRL configuration options should be set before using an external certificate
for the primary server virtual name.
See “About certificate revocation lists for external CA” on page 417.

Workflow to use external certificates for a clustered primary server

To configure NetBackup to use external CA-signed certificates for secure
communication, you should carry out the following steps in the given order:
 External CA and external certificates 436
About external certificate configuration for a clustered primary server

Table 20-13 Workflow to use external certificates in a cluster setup

Step Process

1 Ensure the following:

■ The certificate for the virtual name is placed at the appropriate
location on the shared disk.
■ The external certificates for cluster nodes are placed at the
appropriate locations on the nodes.
■ The CRLs are placed at the required locations on the nodes as
per their CRL configuration options and are accessible.
See “About certificate revocation lists for external CA” on page 417.

2 Install NetBackup software or upgrade the existing software on each

cluster node.

3 Enable the NetBackup domain to use external certificates by

configuring the NetBackup web server.

See “Configure an external certificate for the NetBackup web server”

on page 421.

4 Configure an external certificate for the virtual name and for each
cluster node.

See “Configuring an external certificate for a clustered primary server”

on page 439.

Configuration options for external CA-signed certificates for a virtual

name
To configure a clustered NetBackup primary server to use external CA-signed
certificate for host communication, you must define certain configuration options in
the nbcl.conf file.

CLUSTER_ECA_CERT_PATH for clustered primary server

The CLUSTER_ECA_CERT_PATH option is specific to clustered primary server. It
specifies the path to the external CA-signed certificate of the virtual name.

Table 20-14 CLUSTER_ECA_CERT_PATH information

Usage Description

Where to use On clustered primary server.

 External CA and external certificates 437
About external certificate configuration for a clustered primary server

Table 20-14 CLUSTER_ECA_CERT_PATH information (continued)

Usage Description

How to use Use the nbgetconfig and the nbsetconfig commands to

view, add, or change the option.

For information about these commands, see the NetBackup

Commands Reference Guide.

Use the following format:

CLUSTER_ECA_CERT_PATH = Path to the certificate

of the virtual identity

Equivalent NetBackup No equivalent exists in the host properties.

web UI property

CLUSTER_ECA_TRUST_STORE_PATH for clustered

primary server
The CLUSTER_ECA_TRUST_STORE_PATH option is specific to clustered primary server.
It specifies the path to the certificate bundle file that contains all trusted root CA
certificates in PEM format.

Table 20-15 CLUSTER_ECA_TRUST_STORE_PATH information

Usage Description

Where to use On clustered primary server.

How to use Use the nbgetconfig and the nbsetconfig commands to view,
add, or change the option.

For information about these commands, see the NetBackup

Commands Reference Guide.

Use the following format:

CLUSTER_ECA_TRUST_STORE_PATH = Path to the

external CA certificate

Equivalent NetBackup No equivalent exists in the host properties.

web UI property
 External CA and external certificates 438
About external certificate configuration for a clustered primary server

CLUSTER_ECA_PRIVATE_KEY_PATH for clustered

primary server
The CLUSTER_ECA_PRIVATE_KEY_PATH option is specific to clustered primary server.
It specifies the path to the private key for the external CA-signed certificate of the
virtual name.
If the virtual name certificate's private key is encrypted, you should define the
CLUSTER_ECA_KEY_PASSPHRASEFILE option.

See “CLUSTER_ECA_KEY_PASSPHRASEFILE for clustered primary server”

on page 438.

Table 20-16 CLUSTER_ECA_PRIVATE_KEY_PATH information

Usage Description

Where to use On clustered primary server.

How to use Use the nbgetconfig and the nbsetconfig commands to

view, add, or change the option.

For information about these commands, see the NetBackup

Commands Reference Guide.

Use the following format:

CLUSTER_ECA_PRIVATE_KEY_PATH = Path to the

private key of the external certificate

Equivalent NetBackup No equivalent exists in the host properties.

web UI property

CLUSTER_ECA_KEY_PASSPHRASEFILE for clustered

primary server
The CLUSTER_ECA_KEY_PASSPHRASEFILE option is specific to clustered primary
server. It specifies the path to the text file where the passphrase for the virtual name
certificate's private key is stored.
CLUSTER_ECA_KEY_PASSPHRASEFILE is optional. You should define this option if the
virtual name certificate's private key is encrypted.
See “CLUSTER_ECA_PRIVATE_KEY_PATH for clustered primary server”
on page 438.
 External CA and external certificates 439
About external certificate configuration for a clustered primary server

Table 20-17 CLUSTER_ECA_KEY_PASSPHRASEFILE information

Usage Description

Where to use On clustered primary server.

How to use Use the nbgetconfig and the nbsetconfig commands to

view, add, or change the option.

For information about these commands, see the NetBackup

Commands Reference Guide.

Use the following format:

CLUSTER_ECA_KEY_PASSPHRASE_FILE = Path to the

passphrase file

Equivalent NetBackup No equivalent exists in the host properties.

web UI property

Configuring an external certificate for a clustered primary server

Use this section to configure an external CA-signed certificate for a clustered primary
server. The enrolled certificate is used for host communication.

Requirements
■ Ensure that the NetBackup domain is enabled to use external CA-signed
certificates by configuring the NetBackup web server.
See “Configure an external certificate for the NetBackup web server” on page 421.
■ Ensure that external certificates for the NetBackup web server and the virtual
name are issued by the same certificate authority.
If the two certificate authorities do not match, communication between the
NetBackup Administration Console and the NetBackup Web Management
Console service (nbwmc service) fails.
To enroll an external certificate for a clustered primary server
1 Update the NetBackup configuration file that is present on the shared disk
(nbcl.conf) with the external certificate configuration options.
See “Configuration options for external CA-signed certificates for a virtual
name” on page 436.
Use the nbsetconfig command to configure the following options:
■ CLUSTER_ECA_CERT_PATH

■ CLUSTER_ECA_TRUST_STORE_PATH
 External CA and external certificates 440
About external certificate configuration for a clustered primary server

■ CLUSTER_ECA_PRIVATE_KEY_PATH

■ CLUSTER_ECA_KEY_PASSPHRASEFILE (optional)

You need to configure the certificate revocation list (CRL) configuration options
for each node.
See “About certificate revocation lists for external CA” on page 417.
2 Run the following command on the primary server:
nbcertcmd -enrollCertificate -cluster

The enrolled certificate is used for communication between the active node
and the primary server domain that is listed in the SERVER configuration option
on the host.
For more details on the command, refer to the NetBackup Commands
Reference Guide.
3 Configure an external certificate on each cluster node.
See “Configuring a NetBackup host (media server, client, or cluster node) to
use an external CA-signed certificate after installation” on page 427.
 Chapter 21
Regenerating keys and
certificates
This chapter includes the following topics:

■ About regenerating keys and certificates

■ Regenerating NetBackup authentication broker keys and certificates

■ Regenerating host identity keys and certificates

■ Regenerating web service keys and certificates

■ Regenerating nbcertservice keys and certificates

■ Regenerating tomcat keys and certificates

■ Regenerating JWT keys

■ Regenerating NetBackup gateway certificates

■ Regenerating web trust store certificates

■ Regenerating VMware vCenter plug-in certificates

■ Regenerating NetBackup Administrator Console session certificates

■ Regenerating NetBackup encryption key file

About regenerating keys and certificates

Some of the keys and certificates can be recreated by simply restarting the
NetBackup services. If you encounter any error related to keys or certificates, as a
best practice, restart the NetBackup services and verify if the keys or the certificate
 Regenerating keys and certificates 442
Regenerating NetBackup authentication broker keys and certificates

is recreated. If the key or certificate is not created proceed with the procedures
mentioned in the following sections.

Regenerating NetBackup authentication broker

keys and certificates
Follow the steps to regenerate NetBackup Authentication Brokers:
■ Public and private keys on primary server and media server.
■ Certificates on the media server and clients.
To regenerate NetBackup authentication broker keys and certificates
1 Restart the NetBackup Authentication service. Ensure that the service is up
and running.
2 Run the following command:
bpnbaz -ConfigureAuth

Answer y when prompted.

For information on the command, see NetBackup Commands Reference Guide.
3 Restart all the NetBackup services. Before you restart the services, ensure
that no jobs are running.
For information on how to restart the services, see the NetBackup
Administrator's Guide, Volume I.

Regenerating host identity keys and certificates

To regenerate host identity public keys, private keys, and certificates on the primary
server, media server, and clients:
■ Change the key pair for a host.
Changing a key pair results in both a new host ID-based certificate and a new
host name-based certificate.
See “Changing the key pair for a host” on page 328.

Regenerating web service keys and certificates

Follow the steps to regenerate web service public key and certificate on the primary
server.
 Regenerating keys and certificates 443
Regenerating nbcertservice keys and certificates

To regenerate web service keys and certificates

1 Generate the security certificate. Run the following command:
■ Windows
set WEBSVC_PASSWORD=<Password of User>
nbcertconfig -t -user <User Name>

■ UNIX
export WEBSVC_PASSWORD=<Password of User>
nbcertconfig -t -user <User Name>

2 Configure NetBackup Authentication service for the web service user and web
service. Run the following command:
nbcertconfig -u -user <username>

nbcertconfig -m -user <username>

3 Restart the NetBackup Authentication service.

Regenerating nbcertservice keys and certificates

Follow the steps to regenerate nbcertservice keys and certificates on the primary
server.
To regenerate nbcertservice keys and certificates
1 Remove the old folder with user name.
2 Generate the security certificate. Run the following command:
■ Windows
set WEBSVC_PASSWORD=<Password of User>
nbcertconfig -u -user <User Name>

■ UNIX
export WEBSVC_PASSWORD=<Password of User>
nbcertconfig -u -user <User Name>

Regenerating tomcat keys and certificates

Follow the steps to regenerate tomcat public key, private key, and certificates on
the primary server.

Note: The jkskey is a key to decrypt the keystore used by tomcat and is backed up
as part of the catalog backup. There is no need to regenerate it.
 Regenerating keys and certificates 444
Regenerating JWT keys

To regenerate tomcat keys and certificates

1 Generate the security certificate. Run the following command:
■ Windows
set WEBSVC_PASSWORD=<Password of User>
nbcertconfig -t -user <User Name>

■ UNIX
export WEBSVC_PASSWORD=<Password of User>
nbcertconfig -t -user <User Name>

2 Regenerate other files in tomcatcreds folder apart from the keystore and the
credentials file. Run the following command:

■ Windows
c:\Program
Files\Veritas\NetBackup\wmc\bin\install>configurecerts.bat

■ UNIX
/usr/openv/wmc/bin/install/configurecerts

Regenerating JWT keys

To regenerate JWT public and private keys on the primary server:
■ Close the NetBackup web UI and restart all the NetBackup services.
For information on how to restart the services, see NetBackup Administrator's
Guide, Volume I.

Regenerating NetBackup gateway certificates

To regenerate nbgateway certificates on the primary server:
■ Restart all the NetBackup service.
For information on how to restart the services, see NetBackup Administrator's
Guide, Volume I.

Regenerating web trust store certificates

To regenerate web trust store certificates on the primary and media server, run the
following command:
nbcertcmd -getCACertificate

Answer y when prompted.

 Regenerating keys and certificates 445
Regenerating VMware vCenter plug-in certificates

For information on the nbcertcmd command, see NetBackup Commands Reference

Guide.

Regenerating VMware vCenter plug-in certificates

Follow the steps to regenerate vCenter plug-in certificates on the primary server.
To regenerate VMware vCenter plug-in certificates
1 List the existing certificates and identify the existing entry for invalid certificates.
Run the following command:
■ Windows
C:\Program
Files\Veritas\NetBackup\wmc\bin\install\manageClientCerts.bat
-list

■ UNIX
/usr/openv/wmc/bin/install/manageClientCerts -list

2 Delete the invalid certificate. Run the following command:

■ Windows
C:\Program
Files\Veritas\NetBackup\wmc\bin\install\manageClientCerts.bat
-delete

■ UNIX
/usr/openv/wmc/bin/install/manageClientCerts -delete

3 Generate a new certificate. Run the following command:

■ Windows
C:\Program
Files\Veritas\NetBackup\wmc\bin\install\manageClientCerts.bat
-create <master_server_name>

■ UNIX
/usr/openv/wmc/bin/install/manageClientCerts -create
<master_server_name>

4 Register the newly created certificate with the vCenter plug-in.

For more information, see NetBackup Plugin-in for VMware vCenter Guide.
 Regenerating keys and certificates 446
Regenerating NetBackup Administrator Console session certificates

Regenerating NetBackup Administrator Console

session certificates
To regenerate session certificates on the primary server:
■ Close the NetBackup Administrator Console and restart all the NetBackup
services.
For information on how to restart the services, see NetBackup Administrator's
Guide, Volume I.

Regenerating NetBackup encryption key file

To regenerate NetBackup encryption key file, run the following command:
bpkeyutil –clients client_name1,client_name2,...,client_namen

When you are prompted to enter the passphrase, enter the passphrase you had
saved originally.
For more information about key files, see See “About creating encryption key files
on the clients” on page 460.
To perform this task using the bpkeyutil, see NetBackup Commands Reference
Guide.
 Section 3
Encryption of data at rest

■ Chapter 22. Data at rest encryption security

■ Chapter 23. NetBackup key management service

■ Chapter 24. External key management service

 Chapter 22
Data at rest encryption
security
This chapter includes the following topics:

■ Data at rest encryption terminology

■ Data at rest encryption considerations

■ Destination types for encryption of data at rest

■ Encryption security questions to consider

■ Comparison of encryption options

■ About NetBackup client encryption

■ Configuring standard encryption on clients

■ Configuring legacy encryption on clients

Data at rest encryption terminology

The following table describes the data at rest encryption terminology.

Table 22-1 Data at rest encryption terminology

Term Description

Advanced Encryption Standard Specifies the synchronous encryption algorithm that replaced DES.
(AES)

Asynchronous encryption Includes the encryption algorithms that use both a public key and private key.
 Data at rest encryption security 449
Data at rest encryption considerations

Table 22-1 Data at rest encryption terminology (continued)

Term Description

Data Encryption Standard (DES) Specifies the accepted synchronous data encryption standard from the 1970s
until 1998.

Initialization vector Specifies a seed value that is used to prime an encryption algorithm. Priming is
done to obscure any patterns that would exist when using the same key to encrypt
a number of data files. These files begin with the same pattern.

Public Key Encryption Uses asynchronous encryption.

Synchronous encryption Includes the encryption algorithms that use the same key for both encryption and
decryption. For the same key size, synchronous algorithms are faster and more
secure than their asynchronous counterparts.

Data at rest encryption considerations

The following table describes the data at rest encryption limitations.

Table 22-2 Data at rest encryption limitations

Limitation Description

Computer performance effect of data Encryption algorithms are like data compressions algorithms in that they are
encryption very CPU intensive. Compressing data without the addition of computer
hardware (either dedicated or shared), can affect computer and NetBackup
performance.

Data compression must be performed Data compression algorithms look for data patterns to compress the data.
before data encryption Encryption algorithms scramble the data and remove any patterns. Therefore
if data compression is desired, it must be done before the data encryption
step.

Choice of an encryption algorithm There are many encryption algorithms and associated key sizes. What should
a user choose for data encryption? AES (Advanced Encryption Standard)
is the standard for data encryption and supports 128, 192, or 256 -bit
encryption keys.

Suggested key size Generally, the larger key the more secure, and the longer into the future the
data will stay secure. AES is one of the best choices because it is deemed
secure with all three supported (128, 192, 256 bit) key sizes.
 Data at rest encryption security 450
Destination types for encryption of data at rest

Table 22-2 Data at rest encryption limitations (continued)

Limitation Description

FIPS certification for my encryption While FIPS certification may be required for use by the US government, it
solution should not be the only criteria that is used to evaluate an encryption solution.
Other considerations should be part of any decision-making process as
follows:

■ FIPS certificates only apply to the named version of a product. And then
only when the product is used in conformance with the "FIPS security
policy" the document that is submitted when the product was validated.
Future product versions and non-standard uses would be subject to
questioned validation.
■ The security of algorithms like AES is not in the obscurity of how they
work. Rather the security is in the difficulty to deduce an unknown
encryption key. The years of scrutiny and peer review for AES, have lead
to mature implementations. In fact, tests exist for AES where specific
keys and data sets are input, and verified against the expected output.
■ Data encryption is much like automobile security. Most problems are
related to lost or misplaced keys and not related to malfunctioning locks.
■ Since misuse is more likely to lead to problems, the usability of an
encryption product should be part of the consideration.
Usability considerations include the following:
■ Encryption integration with the product
■ Encryption integration with business processes.
■ Appropriate encryption key granularity
■ Recoverability

Appropriate encryption key granularity
The appropriate encryption key granularity is best explained with the example
of home security. A single house key is convenient. You can enter the garage,
front door, or backdoor all using the same key. This security is good until
the key is compromised (for example, if the key is stolen). Then you need
to change all the locks that used the key. An extreme example is to have a
key for every drawer and cupboard in a house. Then, a lost key would require
the changing of on a single lock.

The correct solution is somewhere in between. You must understand your

tolerance for a compromised or lost key from your business process
perspective. A lost key implies all the data that is encrypted with that key is
destroyed. A compromised key implies all the data that is encrypted with
that key must be decrypted and reencrypted to become secure.

Destination types for encryption of data at rest

The following destination types for encryption of data at rest are available:
 Data at rest encryption security 451
Encryption security questions to consider

■ Client-side encryption
See “About NetBackup client encryption” on page 452.
■ MSDP encryption
See the 'About MSDP encryption' topic from the NetBackup Deduplication Guide.
■ Tape drive encryption - The volume pool name must have ENCR_ as a prefix for
NetBackup to enable encryption for tapes.
■ Cloud encryption
See the 'About data encryption for cloud storage' topic from the NetBackup
Cloud Administrator's Guide.
■ AdvancedDisk

Encryption security questions to consider

Before considering encryption security, the following questions should be asked.
The answers depend upon your particular encryption needs as follows:
■ How do I choose the best encryption?
■ Why would I use encryption security?
■ What protection do I need from possible inside attacks?
■ What protection do I need from possible outside attacks?
■ What are the specific areas of NetBackup that encryption security protects?
■ Do I need to create drawings of NetBackup architecture showing encryption
security at work?
■ What are my deployment use cases for encryption security?

Comparison of encryption options

The following NetBackup options exist for data at rest encryption:
■ NetBackup client encryption, with standard encryption
■ NetBackup client encryption, with legacy encryption
■ Third-party encryption appliances and hardware devices
The following table shows the available encryption options along with their potential
advantages and disadvantages.
 Data at rest encryption security 452
About NetBackup client encryption

Table 22-3 Encryption options comparison

Encryption option Potential advantages Potential disadvantages

Client encryption, standard
encryption
See “Configuring standard
encryption on clients”
on page 457.
■ The encryption key is on the client ■ The encryption key on the client does
computer and not controlled by the not scale well to environments where
NetBackup administrator each client must have a unique
■ Can be deployed without affecting the encryption key and individual
NetBackup primary and media servers encryption key
■ Can be deployed on a per client basis ■ Encryption and compression taking
place on the client can affect client
performance

Client encryption, legacy Same advantages as client encryption with Same disadvantages as client encryption
encryption standard encryption. with standard encryption.

See “Configuring legacy

encryption on clients”
on page 464.

Third-party encryption
appliances and hardware
devices
■ Little or no performance effect due to
added hardware.
■ Generally NIST FIPS 140 certified.
■ The NetBackup Compatibility lab tests
some of these solutions. This testing is
neither an endorsement or rejection or
a particular solution. This effort verifies
that basic functionality was verified
when used with a specific version of
NetBackup.
■ No integration with NetBackup
configuration, operation, or diagnostics.
■ The Disaster recovery scenario is
provided by the appliance or device.

About NetBackup client encryption

The NetBackup client encryption option is best for the following:
■ Clients that can handle the CPU burden for compression / encryption
■ Clients that want to retain control of the data encryption keys
■ Situations where the tightest integration of NetBackup and encryption is desired
■ Situations where encryption is needed in terms of a per client basis

Installation prerequisites for encryption security

Encrypted backups require the NetBackup encryption software, which is included
in NetBackup server and client installations. To use encryption, you must have a
 Data at rest encryption security 453
About NetBackup client encryption

valid license. Refer to the NetBackup Administrator's Guide, Volume I for details
on how to administer NetBackup licenses.
NetBackup Administrator's Guide, Volume I
For a list of the platforms on which you can configure NetBackup Encryption, see
the NetBackup Release Notes.

About running an encryption backup

You can run an encryption backup as follows:
■ Choosing encryption for a backup
See “About choosing encryption for a backup” on page 453.
■ Standard encryption backup process
See “Standard encryption backup process” on page 454.
■ Legacy encryption backup process
See “Legacy encryption backup process” on page 455.

About choosing encryption for a backup

When a backup is started, the server determines from a policy attribute whether
the backup should be encrypted. The server then connects to bpcd on the client to
initiate the backup and passes the Encryption policy attribute on the backup request.
The client compares the Encryption policy attribute to the CRYPT_OPTION in the
configuration on the client as follows:
■ If the policy attribute is yes and CRYPT_OPTION is REQUIRED or ALLOWED,
the client performs an encrypted backup.
■ If the policy attribute is yes and CRYPT_OPTION is DENIED, the client performs
no backup.
■ If the policy attribute is no and CRYPT_OPTION is ALLOWED or DENIED, the
client performs a non-encrypted backup.
■ If the policy attribute is no and CRYPT_OPTION is REQUIRED, the client does
not perform the backup.
The following table shows the type of backup that is performed for each condition:

Table 22-4 Type of backup performed

CRYPT_OPTION Encryption policy attribute with Encryption policy attribute without

CRYPT_OPTION CRYPT_OPTION

REQUIRED Encrypted None

 Data at rest encryption security 454
About NetBackup client encryption

Table 22-4 Type of backup performed (continued)

CRYPT_OPTION Encryption policy attribute with Encryption policy attribute without

CRYPT_OPTION CRYPT_OPTION

ALLOWED Encrypted Non-encrypted

DENIED None Non-encrypted

See “Standard encryption backup process” on page 454.

See “NetBackup standard encryption restore process” on page 455.
See “Legacy encryption backup process” on page 455.
See “NetBackup legacy encryption restore process” on page 456.

Standard encryption backup process

The prerequisites for encrypting a standard backup are as follows:
■ The encryption software is automatically installed with the NetBackup UNIX or
Linux server and client installations.
■ A key file must exist. The key file is created when you run the bpkeyutil
command from the server or from the client.
■ The Encryption attribute must be selected on the NetBackup policy that includes
the client.
If the prerequisites are met, the backup takes place as follows:
■ The client takes the latest key from the key file.
For each file that is backed up, the following occurs:
■ The client creates an encryption tar header. The tar header contains a
checksum of the key and the cipher that NetBackup used for encryption.
■ To write the file data that was encrypted with the key, the client uses the
cipher that the CRYPT_CIPHER configuration entry defines. (The default
cipher is AES-128-CFB.)

Note: Only file data is encrypted. File names and attributes are not encrypted.

■ The backup image on the server includes a flag that indicates whether the
backup was encrypted.
 Data at rest encryption security 455
About NetBackup client encryption

Legacy encryption backup process

The prerequisites for encrypting a legacy backup are as follows:
■ The encryption software must include the appropriate DES library, as follows:
■ For 40-bit DES encryption, libvdes40.suffix; the suffix is so, sl, or dll,
depending on the client platform.
■ For 56-bit DES encryption, libvdes56.suffix; the suffix is so, sl, or dll,
depending on the client platform.

Note: The encryption software is automatically installed with the NetBackup

UNIX server and client installations.

■ A key file must exist as specified with the CRYPT_KEYFILE configuration option.
You create the key file when you specify a NetBackup pass phrase with the
server bpinst command or the client bpkeyfile command.
■ You must select the Encryption attribute on the NetBackup policy that includes
the client.
If the prerequisites are met and the backup is to be encrypted, the following occurs:
■ The client takes the latest data from its key file and merges it with the current
time (the backup time) to generate a DES key. For 40-bit DES, 16 bits of the
key are always set to zero.
For each backed-up file, the following occurs:
■ The client creates an encryption tar header. The tar header contains a
checksum of the DES that NetBackup used for encryption.
■ The client writes the file data that was encrypted with the DES key. Note that
only file data is encrypted. File names and attributes are not encrypted.

■ The server reads the file names, attributes, and data from the client and writes
them to a backup image on the server. The server DOES NOT perform any
encryption or decryption of the data. The backup image on the server includes
the backup time and a flag that indicates whether the backup was encrypted.

NetBackup standard encryption restore process

The prerequisites for restoring a standard encrypted backup are as follows:
■ The encryption software must be loaded onto the client.
 Data at rest encryption security 456
About NetBackup client encryption

Note: The encryption software is automatically installed with the NetBackup

UNIX server and client installations.

■ A key file must exist. The key file is created when you run the bpkeyutil
command from the server or from the client.
When the restore occurs, the server determines from the backup image whether
the backup was encrypted. The server then connects to bpcd on the client to initiate
the restore. The server sends to the client an encryption flag on the restore request.
When a backup takes place properly, the restore occurs as follows:
■ The server sends file names, attributes, and encrypted file data to the client to
be restored.
■ If the client reads an encryption tar header, the client compares the checksum
in the header with the checksums of the keys in the key file. If the one of the
keys’ checksum matches the header’s checksum, NetBackup uses that key to
decrypt the file data. It uses the cipher that is defined in the header.
■ The file is decrypted and restored if a key and cipher are available. If the key or
cipher is not available, the file is not restored and an error message is generated.

NetBackup legacy encryption restore process

The prerequisites for restoring a legacy encrypted backup are as follows:
■ The legacy encryption software must be loaded on the client.

Note: The encryption software is automatically installed with the NetBackup

UNIX server and client installations.

■ The encryption software must include the 40-bit DES library. The name of the
40-bit DES library is libvdes40.suffix; the suffix is so, sl, or dll depending on
the client platform.
■ If the CRYPT_STRENGTH configuration option is set to DES_56, the encryption
software must also include the 56-bit DES library. The name of the 56-bit DES
library is libvdes56.suffix; the suffix is so, sl, or dll depending on the client
platform.
■ A key file must exist as specified with the CRYPT_KEYFILE configuration option.
You create the key file when you specify a NetBackup pass phrase with the
server bpinst command or the client bpkeyfile command.
 Data at rest encryption security 457
Configuring standard encryption on clients

The server determines from the backup image whether the backup was encrypted.
The server then connects to bpcd on the client to initiate the restore. The server
sends to the client an encryption flag and backup time from the backup image on
the restore request.
If the prerequisites are met, the following occurs:
■ The server sends file names, attributes, and encrypted file data to the client to
be restored.
■ The client takes its key file data and merges it with the backup time to generate
one or more 40-bit DES keys. If the 56-bit DES library is available, the client
also generates one or more 56-bit DES keys.
■ If the client reads an encryption tar header, the client compares the checksum
in the header with the checksums of its DES keys. If the checksum of a DES
key matches the checksum in the header, NetBackup uses that DES key to
decrypt the file data.
The file is decrypted and restored if a DES key is available. If the DES key is not
available, the file is not restored and an error message is generated.

Configuring standard encryption on clients

This topic describes how to configure standard NetBackup encryption.
The following configuration options are in the bp.conf file on UNIX clients, and in
the registry on Windows clients.
The configuration options are as follows:
■ CRYPT_OPTION
■ CRYPT_KIND
■ CRYPT_CIPHER
You can also use the NetBackup Administration Console to configure the options
from the server. They are on the Encryption tab in the Client Properties dialog
box.
See the NetBackup Administrator's Guide, Volume I for details.

Managing standard encryption configuration options

The following table describes the three encryption-related configuration options for
the standard encryption that can exist on a NetBackup client.
Ensure that the options are set to the appropriate values for your client.
 Data at rest encryption security 458
Configuring standard encryption on clients

Table 22-5 Three encryption-related configuration options

Option Value Description

CRYPT_OPTION = option Defines the encryption options on NetBackup

clients. The possible values for option follow:

denied|DENIED Specifies that the client does not permit encrypted

backups. If the server requests an encrypted
backup, it is considered an error.

allowed|ALLOWED (the default value) Specifies that the client allows

either encrypted or unencrypted backups.

required|REQUIRED Specifies that the client requires encrypted backups.

If the server requests an unencrypted backup, it is
considered an error.

CRYPT_KIND = kind Defines the encryption kind on NetBackup clients.

The kind option can be set to any of the following
option values.

NONE Neither standard encryption nor legacy encryption

is configured on the client.

STANDARD Specifies that you want to use the cipher-based

128-bit encryption or 256-bit encryption. This option
is the default value if standard encryption is
configured on the client.

LEGACY Specifies that you want to use the legacy-based

encryption, with 40-bit DES or 56-bit DES.

CRYPT_CIPHER = cipher Defines the cipher type to use. It can be set to any
of the following option values.

AES-128-CFB 128-bit Advanced Encryption Standard. This is the

default value.

BF-CFB 128-bit Blowfish

DES-EDE-CFB Two Key Triple DES

AES-256-CFB 256-bit Advanced Encryption Standard

Managing the NetBackup encryption key file

This topic describes how to manage the NetBackup encryption key file.
 Data at rest encryption security 459
Configuring standard encryption on clients

Note: The key file must be the same on all nodes in a cluster.

Use the bpkeyutil command to set up the cipher-based encryption key file and
pass phrase on the NetBackup Encryption client.
■ For a Windows client, the full command path is as follows

install_path\NetBackup\bin\bpkeyutil

■ For a UNIX client, the full command path is as follows

/usr/openv/netbackup/bin/bpkeyutil

You are prompted to add a pass phrase for that client.

NetBackup uses the pass phrase you specify to create the key file, as follows:
■ NetBackup uses a combination of the following two algorithms to create a key
from the pass phrase that is up to 256 bits.
■ Secure hashing algorithm, or SHA1
■ Message digest algorithm, or MD5

■ NetBackup uses the NetBackup private key and 128-bit AES algorithm to encrypt
the key.
■ The key is stored in the key file on the client.
■ At run time, NetBackup uses the key and a random initialization vector to encrypt
the client data. The initialization vector is stored in the header of the backup
image.
Previous pass phrases remain available in the key file to allow restores of the
backups that were encrypted by using those phrases.

Caution: You must remember the pass phrases, including the old pass phrases.
If a client’s key file is damaged or lost, you need all of the previous pass phrases
to recreate the key file. Without the key file, you cannot restore the files that were
encrypted with the pass phrases.

The key file must be accessible only to the administrator of the client machine.
For a UNIX client, you must ensure the following:
■ The owner is root.
■ The mode bits are 600.
■ The file is not on a file system that can be NFS mounted.
 Data at rest encryption security 460
Configuring standard encryption on clients

About configuring standard encryption from the server

You can configure most NetBackup clients for encryption by using the bpkeyutil
command from the server.
Prerequisites include the following:
■ The NetBackup client software must be running on the platforms that support
NetBackup encryption (see the NetBackup Release Notes).
■ The NetBackup clients must be running the required NetBackup version.

About creating encryption key files on the clients

Use the following guidelines to create encryption key files on the clients:
■ If the server is in a cluster and is also an encryption client, all nodes in the cluster
must have the same key file.
■ The bpkeyutil command sets the cipher-based encryption key file and pass
phrase on each NetBackup Encryption client.
■ For a Windows server, the full path to the command is as follows:

install_path\NetBackup\bin\bpkeyutil

■ For a UNIX server, the full path to the command is as follows:

/usr/openv/netbackup/bin/bpkeyutil

Creating the key files

For each encryption client, run the following command:

bpkeyutil -clients client_name

You are prompted for a new pass phrase to add to that client’s key file.
To set up several clients to use the same pass phrase, specify a comma-separated
list of client names, as follows:

bpkeyutil -clients client_name1,client_name2,...,client_namen

To create the key file, NetBackup uses the pass phrase you specify.
NetBackup uses the pass phrase you specify to create the key file, as follows:
■ NetBackup uses a combination of the following two algorithms to create a key
from the pass phrase that is up to 256 bits.
■ Secure hashing algorithm, or SHA1
 Data at rest encryption security 461
Configuring standard encryption on clients

■ Message digest algorithm, or MD5

■ NetBackup uses the NetBackup private key and 128-bit AES algorithm to encrypt
the key.
■ The key is stored in the key file on the client.
■ At run time, NetBackup uses the key and a random initialization vector to encrypt
the client data. The initialization vector is stored in the header of the backup
image.
Previous pass phrases remain available in the file for restores of the backups that
were encrypted with those phrases.

Caution: You must ensure that pass phrases, whether they are new or were in use
previously, are secure and retrievable. If a client’s key file is damaged or lost, you
need all of the previous pass phrases to recreate the key file. Without the key file,
you cannot restore the files that were encrypted with the pass phrases.

The key file must only be accessible to the administrator of the client machine. For
a UNIX client, you must ensure the following:
■ The owner is root.
■ The mode bits are 600.
■ The file is not on a file system that can be NFS mounted.

Best practices for key file restoration

Even when an encrypted backup does not have a key file available, you may be
able to restore the files.

Manual retention to protect key file pass phrases

Manual retention is the most secure method for protecting your key file pass phrases.
When you add a phrase by using the bpkeyutil command, complete manual
retention as follows:
■ Write the phrase on paper.
■ Seal the paper in an envelope
■ Put the envelope into a safe.
If you subsequently need to restore from encrypted backups and you have lost the
key file, do the following:
■ Reinstall NetBackup.
 Data at rest encryption security 462
Configuring standard encryption on clients

■ Use bpkeyutil to create a new key file by using the pass phrases from the
safe.

Automatic backup of the key file

The automatic backup method is less secure, but it ensures that a backup copy of
your key file exists.
This method requires that you create a non-encrypted policy to back up the key
file. If the key file is lost, you can restore it from the non-encrypted backup.
The problem with this method is that a client's key file can be restored on a different
client.
If you want to include the key file in the back up to a client, add the key file's path
name to the client's include list.
Redirected restores require special configuration changes to allow a restore.

Restoring an encrypted backup file to another client

Redirected restores are described in the following procedure.
To restore an encrypted backup to another client
1 The server must allow redirected restores, and you (the user) must be
authorized to perform such restores.
See the NetBackup Administrator's Guide, Volume I for details on redirected
restores.
2 Obtain the pass phrase that was used on the other client when the encrypted
backup was made. Without that pass phrase, you cannot restore the files.
Note if the pass phrase is the same on both clients, skip to step 5.
3 To preserve your own (current) key file, move or rename it.
4 Use the bpkeyutil command to create a key file that matches the other client’s.
When the bpkeyutil process prompts you for the pass phrase, specify the
other client’s pass phrase.
5 Restore the files to the other client.
After you restore the encrypted files from the client, rename or delete the key
file that you created in step 4.
Next, you move or rename the original key file to its original location or name.
If you do not re-establish your key file to its original location and name, you
may not be able to restore your own encrypted backups.
 Data at rest encryption security 463
Configuring standard encryption on clients

About configuring standard encryption directly on clients

You can also configure NetBackup encryption directly on clients as explained in
the following topics:
■ Setting standard encryption attribute in policies
See “Setting standard encryption attribute in policies” on page 463.
■ Changing client encryption settings from the server
See “Changing the client encryption settings from the NetBackup server”
on page 463.

Setting standard encryption attribute in policies

You must set the Encryption attribute on your NetBackup policy as follows:
■ If the attribute is set, the NetBackup server requests that NetBackup clients in
that policy perform encrypted backups.
■ If the attribute is not set, the NetBackup server does not request that NetBackup
clients in that policy perform encrypted backups.
You can use the Attributes tab of the policy in the NetBackup Administration
Consoleto set or clear the Encryption attribute for a policy.
Refer to the NetBackup Administrator's Guide, Volume I for more information on
how to configure policies.

Changing the client encryption settings from the NetBackup server

You can change the encryption settings for a NetBackup client in the Encryption
host properties for the client on the NetBackup server.
To change the client encryption settings from the NetBackup server
1 On the left pane, select Host > Host properties.
2 Select the name of the client you want to change. Click Connect and then Edit
client.
3 Click Encryption.
See the following topic for information about the configuration options that
correspond to the settings in the Encryption pane:
See “Managing standard encryption configuration options” on page 457.
For additional explanations of the settings, see the NetBackup Administrator's
Guide, Volume I.
 Data at rest encryption security 464
Configuring legacy encryption on clients

Configuring legacy encryption on clients

This topic discusses configuring legacy NetBackup encryption.
The configuration options are in the bp.conf file on UNIX clients and in the registry
on Windows clients.
The options are as follows:
■ CRYPT_OPTION
■ CRYPT_STRENGTH
■ CRYPT_LIBPATH
■ CRYPT_KEYFILE
You can also use the NetBackup web UI to configure the options from the server.
They are on the Encryption tab in the Client Properties dialog box.
Refer to the NetBackup Administrator's Guide, Volume I for details.
You can set the CRYPT_OPTION and CRYPT_STRENGTH options on the bpinst
-LEGACY_CRYPT command. The equivalent option settings are -crypt_option,
-crypt_strength, respectively.

About configuring legacy encryption from the client

The following table contains the legacy encryption-related configuration options
that are on a NetBackup client. Ensure that these options are set to the appropriate
values for your client. These are set if you run the bpinst -LEGACY_CRYPT command
from the server to the client name.

Table 22-6 Legacy encryption configuration options

Option Value Description

CRYPT_OPTION = Defines the encryption options on NetBackup clients.

option The possible values for option follow:

denied|DENIED Specifies that the client does not permit encrypted

backups. If the server requests an encrypted backup,
it is considered an error.

allowed|ALLOWED (The default value) Specifies that the client allows either
encrypted or unencrypted backups.

required|REQUIRED Specifies that the client requires encrypted backups.

If the server requests an unencrypted backup, it is
considered an error.
 Data at rest encryption security 465
Configuring legacy encryption on clients

Table 22-6 Legacy encryption configuration options (continued)

Option Value Description

CRYPT_KIND = kind Defines the encryption type on NetBackup clients. The

possible values for kind follow:

NONE Neither standard encryption nor legacy encryption is

configured on the client.

LEGACY Specifies the legacy encryption type, either 40-bit DES

or 56-bit DES. This option is the default if the legacy
encryption type is configured on the client, and the
standard encryption type is not configured.

STANDARD Specifies the cipher encryption type, which can be

either 128-bit encryption or 256-bit encryption.

CRYPT_STRENGTH = Defines the encryption strength on NetBackup clients.

strength The possible values for strength follow:

des_40|DES_40 (The default value) Specifies 40-bit DES encryption.

des_56|DES_56 Specifies the 56-bit DES encryption.

CRYPT_LIBPATH = Defines the directory that contains the encryption

directory_path libraries on NetBackup clients.

The install_path is the directory where NetBackup is

installed and by default is C:\VERITAS.

/usr/openv/lib/ The default value on UNIX systems.

install_path\NetBackup\ The default value on Windows systems

bin\

CRYPT_KEYFILE = Defines the file that contains the encryption keys on

file_path NetBackup clients.

/usr/openv/var/keyfile The default value on UNIX systems.

install_path\NetBackup\var\ The default value on Windows systems.

keyfile.dat

Managing legacy encryption key files

This topic describes managing legacy encryption key files.

Note: The key file must be the same on all nodes in a cluster.
 Data at rest encryption security 466
Configuring legacy encryption on clients

Each NetBackup client that does encrypted backups and restores needs a key file.
The key file contains the data that the client uses to generate DES keys to encrypt
backups.
You can use the bpkeyfile command on the client to manage the key file. Check
the bpkeyfile command description in the NetBackup Commands Reference
Guide for a detailed description.
The first thing that you need to do is to create a key file if it does not already exist.
The key file exists if you set a pass phrase from the bpinst -LEGACY_CRYPT
command from the server to this client name.
The file name should be the same as the file name that you specified with the
CRYPT_KEYFILE configuration option as follows:
■ For Windows clients, the default key file name is as follows

install_path\NetBackup\var\keyfile.dat

■ For UNIX clients, the default key file name is as follows

/usr/openv/var/keyfile

NetBackup uses a key file pass phrase to generate a DES key, and it uses the DES
key to encrypt a key file.
Generally, you use the key file pass phrase that is hard-coded into NetBackup
applications. However, for added security you may want to use your own key file
pass phrase.
See “Additional legacy key file security for UNIX clients” on page 472.

Note: If you do not want to use your own key file pass phrase, do not enter a new
key file pass phrase. Instead, use the standard key file pass phrase and enter a
new NetBackup pass phrase.

You must decide what NetBackup pass phrase to use. The NetBackup pass phrase
is used to generate the data that is placed into the key file. That data is used to
generate DES keys to encrypt backups.
To create the default key file on a UNIX client that is encrypted with the standard
key file pass phrase, enter a command such as the following:

bpkeyfile /usr/openv/var/keyfile
Enter new keyfile pass phrase: (standard keyfile pass phrase)
Re-enter new keyfile pass phrase: (standard keyfile pass phrase)
 Data at rest encryption security 467
Configuring legacy encryption on clients

Enter new NetBackup pass phrase: ***********************

Re-enter new NetBackup pass phrase: ***********************

You may enter new NetBackup pass phrases fairly often. Information about old
pass phrases is kept in the key file. This method lets you restore any data that was
encrypted with DES keys generated from old pass phrases. You can use the
-change_netbackup_pass_phrase (or -cnpp) option on the bpkeyfile command
to enter a new NetBackup pass phrase.
If you want to enter a new NetBackup pass phrase on a Windows client, enter a
command similar to the following example:

bpkeyfile.exe -cnpp install_path\NetBackup\var\keyfile.dat

Enter old keyfile pass phrase: (standard keyfile pass phrase)
Enter new NetBackup pass phrase: **********
Re-enter new NetBackup pass phrase: **********

Caution: You must ensure that pass phrases, whether they are new or were in use
previously, are secure and retrievable. If a client’s key file is damaged or lost, you
need all of the previous pass phrases to recreate the key file. Without the key file,
you cannot restore the files that were encrypted with the pass phrases.

The key file must only be accessible to the administrator of the client machine.
For a UNIX client, you must ensure the following:
■ The owner is root.
■ The mode bits are 600.
■ The file is not on a file system that can be NFS mounted.
You must consider whether to back up your key file. For encrypted backups, such
a backup has little value, because the key file can only be restored if the key file is
already on the client. Instead, you can set up a NetBackup policy that does
non-encrypted backups of the key files of the clients. This policy is useful you require
an emergency restore of the key file. However, this method also means that a
client's key file can be restored on a different client.
If you want to prevent the key file from being backed up, add the key file's path
name to the client's exclude list.

About configuring legacy encryption from the server

You can configure most NetBackup clients for encryption by using the bpinst
command from the server.
Prerequisites for this method include the following:
 Data at rest encryption security 468
Configuring legacy encryption on clients

■ The NetBackup client software must be running on a platform that supports

NetBackup encryption.
Refer to the NetBackup Release Notes for details on supported platforms.
■ The NetBackup clients must be running the required NetBackup version.
■ If a clustered server is a client for NetBackup encryption, ensure that all nodes
in the cluster have the same key file.
The bpinst command is loaded into the NetBackup bin directory on the server as
follows:
■ For a Windows server, the bin directory is as follows

install_path\NetBackup\bin

■ For a UNIX server, the bin directory is as follows

/usr/openv/netbackup/bin

See the bpinst command description in the NetBackup Commands Reference

Guide for details about the options that are available with the bpinst command.
For examples about how to use bpinst:
See “About pushing the legacy encryption configuration to clients” on page 468.
See “About pushing the legacy encryption pass phrases to clients” on page 469.
Normally, you specify client names in the bpinst command. However, if you include
the -policy_names option, you specify policy names instead. The option affects all
clients in the specified policies.

About pushing the legacy encryption configuration to

clients
You can use the -crypt_option and -crypt_strength options on the bpinst command
to set encryption-related configuration on NetBackup clients as follows:
■ The -crypt_option option specifies whether the client should deny encrypted
backups (denied), allow encrypted backups (allowed), or require encrypted
backups (required).
■ The -crypt_strength option specifies the DES key length (40 or 56) that the client
should use for encrypted backups.
To install the encryption client software and require encrypted backups with a 56-bit
DES key, use the following command from the server:
 Data at rest encryption security 469
Configuring legacy encryption on clients

bpinst -LEGACY_CRYPT -crypt_option required -crypt_strength des_56 \

-policy_names policy1 policy2

The example uses a UNIX continuation character (\) because it is long. To allow
either encrypted or non-encrypted backups with a 40-bit DES key, use the following
command:

bpinst -LEGACY_CRYPT -crypt_option allowed -crypt_strength des_40 \

client1 client2

In clustered environments you can do the following:

■ Push the configuration to the client only from the active node.
■ Specify the host names of the individual nodes (not the virtual names) in the list
of clients.

Note: The primary server USE_VXSS setting in bp.conf should be set to AUTOMATIC.
Use this setting when pushing from an NBAC enabled primary to a host that does
not have NetBackup previously installed. Also use this setting when NBAC has not
enabled the primary server'sUSE_VXSS setting in bp.conf.

About pushing the legacy encryption pass phrases to

clients
To send a pass phrase to a NetBackup client, you can use the bpinst options
-passphrase_prompt or -passphrase_stdin. The NetBackup client uses the pass
phrase to create or update data in its key file.
The key file contains the data that the client uses to generate DES keys to encrypt
backups as follows:
■ If you use the -passphrase_prompt option, you are prompted at your terminal
for a zero to 62 character pass phrase. The characters are hidden while you
type the pass phrase. You are prompted again to retype the pass phrase to
make sure that is the one you intended to enter.
■ If you use the -passphrase_stdin option, you must enter the zero to 62 character
pass phrase twice through standard input. Generally, the -passphrase_prompt
option is more secure than the -passphrase_stdin option, but -passphrase_stdin
is more convenient if you use bpinst in a shell script.
To enter a pass phrase for the client named client1 from a NetBackup server through
standard input, you would enter commands like the following:

bpinst -LEGACY_CRYPT -passphrase_stdin client1 <<EOF

This pass phase is not very secure
 Data at rest encryption security 470
Configuring legacy encryption on clients

This pass phase is not very secure

EOF

To enter a pass phrase for the client named client2 from a NetBackup server, you
would enter commands like the following:

bpinst -LEGACY_CRYPT -passphrase_prompt client2

Enter new NetBackup pass phrase: ********************
Re-enter new NetBackup pass phrase: ********************

You may enter new pass phrases fairly often. The NetBackup client keeps
information about old pass phrases in its key file. It can restore the data that was
encrypted with DES keys generated from old pass phrases.

Caution: You must ensure that pass phrases, whether they are new or were in use
previously, are secure and retrievable. If a client’s key file is damaged or lost, you
need all of the previous pass phrases to recreate the key file. Without the key file,
you cannot restore the files that were encrypted with the pass phrases.

You must decide whether to use the same pass phrase for many clients. Using the
same pass phrase is convenient because you can use a single bpinst command
to specify a pass phrase for each client. You can also do redirected restores between
clients when they use the same pass phrase.

Note: If you want to prevent redirected restores, you should specify different pass
phrases by entering a separate bpinst command for each client.

For clustered environments you can do the following:

■ Push the configuration to the client only from the active node.
■ Specify the host names of the individual nodes (not the virtual names) in the list
of clients.

Note: The primary server USE_VXSS setting in bp.conf should be set to AUTOMATIC.
Use this setting when pushing from an NBAC enabled primary server to a host that
does not have NetBackup previously installed. Also use this setting when NBAC
has not enabled the primary server'sUSE_VXSS setting in bp.conf.

Restoring a legacy encrypted backup created on another client

If a server allows redirected restores, you (the user) must be authorized to perform
such restores.
 Data at rest encryption security 471
Configuring legacy encryption on clients

Refer to the NetBackup Administrator's Guide, Volume I for details on redirected

restores.
To restore an encrypted backup that was created on another client:
1 Obtain the pass phrase that was used on the other client when the encrypted
backup was made. Without that pass phrase, you cannot restore the files.
Note if the pass phrase is the same on both clients, skip to step 4.
2 To preserve your own (current) key file, move or rename it.
3 Use the bpkeyfile command to create a key file that matches the other client’s.
When the bpkeyutil process prompts you for the pass phrase, specify the
other client’s pass phrase.

bpkeyfile -change_key_file_pass_phrase key_file_path

The key_file_path is the path for a new key file on your client. This key file
matches the other client’s.
After you enter the command, bpkeyfile prompts you for the client’s pass
phrase (obtained in step 1).
For more information about the bpkeyfile command, refer to the NetBackup
Commands Reference Guide.
4 Restore the files to the other client.
After you restore the encrypted files from the client, rename or delete the key
file that you created in step 3.
Next, you move or rename the original key file to its original location or name.
If you do not re-establish your key file to its original location and name, you
may not be able to restore your own encrypted backups.

About setting legacy encryption attribute in policies

You must set the Encryption attribute in your NetBackup policy according to the
following:
■ If the attribute is set, the NetBackup server requests that NetBackup clients in
that policy perform encrypted backups.
■ If the attribute is not set, the NetBackup server does not request that NetBackup
clients in that policy perform encrypted backups.
You can use the Attributes tab of the policy in the NetBackup Administration
Console to set or clear the Encryption attribute for a policy.
Refer to the NetBackup Administrator's Guide, Volume I for more information on
how to configure policies.
 Data at rest encryption security 472
Configuring legacy encryption on clients

You can also use the bpinst command to set or clear the Encryption attribute for
NetBackup policies. This method is convenient if you want to set or clear the attribute
for several policies.
For example, to set the Encryption attribute for policy1 and policy2 from a
NetBackup server, enter a command like the following:

bpinst -LEGACY_CRYPT -policy_encrypt 1 -policy_names policy1 policy2

The 1 parameter sets the encryption attribute (0 would clear it).

Changing client legacy encryption settings from the server

You can change the encryption settings for a NetBackup client from the Client
Properties dialog on the NetBackup server.
To change the client encryption settings from the NetBackup server
1 On the left pane, select Host > Host properties.
2 Select the name of the client you want to change and click Edit client.
3 In the Properties pane, click Encryption to display the encryption settings for
that client.
For additional explanation of the settings, click the Help option on the dialog,
or refer to the NetBackup Administrator's Guide, Volume I.

Additional legacy key file security for UNIX clients

This topic applies only to UNIX NetBackup clients. The additional security is not
available for Windows clients.

Note: It is not recommended to use the additional key file security feature in a
cluster.

The key file for an encryption client is encrypted using a DES key that is generated
from a key file pass phrase. By default, the key file is encrypted using a DES key
that is generated from the standard pass phrase that is hard-coded into NetBackup.
Using the standard key file pass phrase lets you perform automated encrypted
backups and restores the same way you perform non-encrypted backups and
restores.
This method has potential problems, however, if an unauthorized person gains
access to your client’s key file. That person may be able to figure out what encryption
keys you use for backups or use the key file to restore your client’s encrypted
 Data at rest encryption security 473
Configuring legacy encryption on clients

backups. For this reason, you must ensure that only the administrator of the client
has access to the key file.
For extra protection, you can use your own key file pass phrase to generate the
DES key to encrypt the key file. An unauthorized person may still gain access to
this key file, but the restore is more difficult.
If you use your own key file pass phrase, backup, and restore are no longer as
automated as before. Following is a description of what happens on a UNIX
NetBackup client if you have used your own key file pass phrase.
To start a backup or restore on a client, the NetBackup server connects to the bpcd
daemon on the client and makes a request.
To perform an encrypted backup or restore, bpcd needs to decrypt and read the
key file.
If the standard key file pass phrase is used, bpcd can decrypt the key file
automatically.
If you use your own key file pass phrase, bpcd can no longer decrypt the key file
automatically, and the default bpcd cannot be used. You must initiate bpcd with a
special parameter. See “Running the bpcd -keyfile command” on page 473.

Note: In a clustered environment, if you change the key file on one node, you must
make the same change in the key file on all nodes.

Running the bpcd -keyfile command

This topic describes running the bpcd command as a stand-alone program.
 Data at rest encryption security 474
Configuring legacy encryption on clients

To run bpcd as a stand-alone program

1 Use the -change_key_file_pass_phrase (or -ckfpp) option on the bpkeyfile
command to change the key file pass phrase, as in the following example:

bpkeyfile -ckfpp /usr/openv/var/keyfile

Enter old keyfile pass phrase: (standard keyfile pass phrase)
Enter new keyfile pass phrase: (standard keyfile pass phrase)
******
Re-enter new keyfile pass phrase: (standard keyfile pass
phrase) ******

If you type a carriage return at the prompt, NetBackup uses the standard key
file pass phrase.
2 Stop the existing bpcd by issuing the bpcd -terminate command.
3 Initiate the bpcd command with the -keyfile option. Enter the new key file pass
phrase when prompted.

bpcd -keyfile
Please enter keyfile pass phrase: ******

bpcd now runs in the background, and waits for requests from the NetBackup
server.
You can change the key file pass phrase at any time with the bpkeyfile
command and the -ckfpp option. The new key file pass phrase does not take
effect until the next time you start bpcd.
You can also change the NetBackup pass phrase that is used to generate the
DES keys to encrypt backups. Change this phrase at any time with the
bpkeyfile command and the -cnpp option. Note, however, that the new
NetBackup pass phrase does not take effect until you kill the current bpcd
process and restart bpcd.

Terminating bpcd on UNIX clients

To terminate bpcd on UNIX clients, use the bpcd -terminate command.
 Chapter 23
NetBackup key
management service
This chapter includes the following topics:

■ About FIPS enabled KMS

■ Installing KMS

■ Configuring KMS

■ About using KMS for encryption

■ KMS database constituents

■ KMS operations using command-line interface (CLI)

■ Troubleshooting KMS

About FIPS enabled KMS

NetBackup KMS can now be operated in the FIPS mode, wherein the encryption
keys that you create are always FIPS approved. FIPS configuration is enabled by
default.
See “About Federal Information Processing Standards (FIPS)” on page 477.
When you create a new key, a salt is always generated with the new key. Providing
the salt value is mandatory when you want to recover a key.
Consider the following example; hrs09to12hrs is a key created using an older
version of NetBackup:
Key Group Name : ENCR_Monday

Supported Cipher : AES_256

 NetBackup key management service 476
About FIPS enabled KMS

Number of Keys : 8

Has Active Key : Yes

Creation Time : Wed Feb 25 22:46:32 2015

Last Modification Time: Wed Feb 25 22:46:32 2015

Description : -

Key Tag :
5e16a6ea988fc8ec7cc9bdbc230811b65583cdc0437748db4521278f9c1bbdf9

Key Name : hrs09to12hrs

Current State : ACTIVE

Creation Time : Wed Feb 25 22:50:01 2015

Last Modification Time: Wed Feb 25 23:14:18 2015

Description : active

The key hrs09to12hrs is moved from key group ENCR_Monday to a new key group
ENCR_77.

C:\Program Files\Veritas\NetBackup\bin\admincmd>nbkmsutil -modifykey

-keyname hrs09to12hrs -kgname ENCR_Monday -move_to_kgname ENCR_77

Key details are updated successfully

Now list all the keys of the ENCR_77 key group. Note that the new key Fips77 would
be FIPS approved, but not hrs09to12hrs that was created using an older version
of NetBackup.
C:\Program Files\Veritas\NetBackup\bin\admincmd>nbkmsutil -listkeys
-kgname NCR_77

Key Group Name : ENCR_77 Supported

Cipher : AES_256

Number of Keys : 2

Has Active Key : Yes

Creation Time : Thu Feb 26 04:44:12 2015

Last Modification Time: Thu Feb 26 04:44:12 2015

Description : -

Key Tag :
5e16a6ea988fc8ec7cc9bdbc230811b65583cdc0437748db4521278f9c1bbdf9
 NetBackup key management service 477
About FIPS enabled KMS

Key Name : hrs09to12hrs

Current State : ACTIVE

Creation Time : Wed Feb 25 22:50:01 2015

Last Modification Time: Thu Feb 26 04:48:17 2015

Description : active

FIPS Approved Key : No

Key Tag :
4590e304aa53da036a961cd198de97f24be43b212b2a1091f896e2ce3f4269a6

Key Name : Fips77

Current State : INACTIVE

Creation Time : Thu Feb 26 04:44:58 2015

Last Modification Time: Thu Feb 26 04:48:17 2015

Description : active

FIPS Approved Key : Yes

Salt : 53025d5710ab36ac1099194fb97bad318da596e27fdfe1f2

Number of Keys: 2

The new key Fips77 is FIPS approved and also has a Salt value.
KMS with FIPS compliance is supported on the following platforms:
■ MS Windows Server 2012
■ Linux.2.6.16 x86-64 Suse-10
■ Linux.2.6.18 x86-64 RHEL-5

About Federal Information Processing Standards (FIPS)

The Federal Information Processing Standards (FIPS) define U.S. and Canadian
Government security and interoperability requirements for computer systems. The
FIPS 140-2 standard specifies the security requirements for cryptographic modules.
It describes the approved security functions for symmetric and asymmetric key
encryption, message authentication, and hashing.
For more information about the FIPS 140-2 standard and its validation program,
see the National Institute of Standards and Technology (NIST) and the
Communications Security Establishment Canada (CSEC) Cryptographic Module
Validation Program website at http://csrc.nist.gov/groups/STM/cmvp.
 NetBackup key management service 478
Installing KMS

The NetBackup Cryptographic Module is now FIPS validated. NetBackup KMS

uses the NetBackup Cryptographic Module and can now be operated in FIPS mode.
See “About FIPS enabled KMS” on page 475.

Installing KMS
The following procedure describes how to install KMS.

Note: For more information about configuring KMS in a Cloud storage environment
refer to the NetBackup Cloud Administrator's Guide.

The KMS service is called nbkms.

The service does not run until the data file has been set up, which minimizes the
effect on environments not using KMS.
To install KMS
1 Run the nbkms -createemptydb command.
2 Enter a pass phrase for the host master key (HMK). You can also press Enter
to create a randomly generated key.
3 Enter an ID for the HMK. This ID can be anything descriptive that you want to
use to identify the HMK.
4 Enter a pass phrase for the key protection key (KPK).
5 Enter an ID for the KPK. The ID can be anything descriptive that you want to
use to identify the KPK.
The KMS service starts when after you enter the ID and press Enter.
6 Start the KMS service as follows:
On UNIX, run the following command:
/usr/openv/netbackup/bin/nbkms

On Windows, do the following:

Start > Run > Services.msc > Start the NetBackup Key Management
Service

7 Use the grep command to ensure that the service has started, as follows: ps
-ef | grep nbkms
 NetBackup key management service 479
Installing KMS

8 Run the following command to register the nbkms service with NetBackup web
services:
nbkmscmd -discovernbkms

9 Create the key group. The key group name must be an identical match to the
volume pool name. All key group names must have a prefix ENCR_.

Note: When using key management with Cloud storage and PureDisk, the
ENCR_ prefix is not required for the key group name.

To create a (non-Cloud storage) key group use the following command syntax.
nbkmsutil -createkg -kgname ENCR_volumepoolname

The ENCR_ prefix is essential. When BPTM receives a volume pool request
that includes the ENCR_ prefix, it provides that volume pool name to KMS. KMS
identifies it as an exact match of the volume pool and then picks the active key
record for backups out of that group.
To create a Cloud storage key group use the following command syntax.
nbkmsutil -createkg -kgname storage_server_name:volume_name

10 Create a key record by using the -createkey option.

nbkmsutil -createkey -kgname ENCR_volumepool -keyname keyname
-activate -desc "message"

The key name and message are optional; they can help you identify this key
when you display the key.
The -activate option skips the prelive state and creates this key as active.
11 Provide the pass phrase again when the script prompts you.
In the following example the key group is called ENCR_pool1 and the key name
is Q1_2008_key. The description explains that this key is for the months January,
February, and March.
nbkmsutil -createkey -kgname ENCR_pool1 -keyname Q1_2008_key
-activate -desc "key for Jan, Feb, & Mar"
 NetBackup key management service 480
Installing KMS

12 You can create another key record using the same command; a different key
name and description help you distinguish they key records: nbkmsutil
-createkey -kgname ENCR_pool1 -keyname Q2_2008_key -activate -desc
"key for Apr, May, & Jun"

Note: If you create more than one key record by using the command nbkmsutil
-kgname name -activate, only the last key remains active.

13 To list all of the keys that belong to a key group name, use the following
command:
nbkmsutil -listkeys -kgname keyname

Note: You need the passphrase, salt (if applicable), key group name, and key
tag to recover this key if it is lost. You must store all this information at a secure
place. Salt, key group name, and key tag can be found in the output of the
nbkmsutil -listkeys command execution.

The following command and output use the examples in this procedure.

See “About installing KMS with HA clustering” on page 481.

 NetBackup key management service 481
Installing KMS

See “Using KMS with NBAC” on page 481.

Using KMS with NBAC

The following changes have been made to NBAC to support the introduction of
KMS:
■ Addition of the new authorization object KMS
■ Addition of the new NetBackup user group NBU_KMS Admin
The permissions a user has on the KMS object determines the KMS-related tasks
you are allowed to perform.
Table 23-1 shows the default KMS permissions for each of the NetBackup user
groups.

Table 23-1 Default KMS permissions for NetBackup user groups

Set Activity NBU_ NBU_ NBU_ NBU_ Vault_ NBU_ NBU_

User Operator Admin Security Operator SAN KMS
Admin Admin Admin

Browse Browse --- --- X --- --- --- X

Read Read --- --- X --- --- --- X

Configure New --- --- --- --- --- --- X

Configure Delete --- --- --- --- --- --- X

Configure Modify --- --- --- --- --- --- X

Besides the KMS permissions listed above, the NBU_KMS admin group also has
the following permissions on other authorization objects:
■ BUAndRest has Browse, Read, Backup, Restore, List
■ HostProperties has Browse, Read
■ License has Browse, Read

About installing KMS with HA clustering

In a typical NetBackup environment, it is possible that not all the optional packages
are installed, licensed or configured. In such scenarios, any services that pertain
to these optional products may not be active all the time. These services are hence
not monitored by default and do not cause a NetBackup to failover if they fail. If at
a future time an optional product is installed, licensed and configured, its services
 NetBackup key management service 482
Configuring KMS

can be manually configured then NetBackup can failover. In this section, we

document the manual steps that set up KMS to get cluster monitored.

Enabling the monitoring of the KMS service

You can enable the monitoring of the KMS service and failover NetBackup when
the service fails.
To enable monitoring of the KMS service and failover NetBackup if it fails
1 Open a command prompt on the active node of the cluster.
2 Change the directory, as follows:
On Windows: <NetBackup_install_path>\NetBackup\bin
On UNIX: /usr/openv/netbackup/bin
3 Run the following command.
On Windows: bpclusterutil -enableSvc "NetBackup Key Management
Service"

On UNIX: bpclusterutil -enableSvc nbkms

Disabling the monitoring of the KMS service

You can disable monitoring of the KMS service.
To disable monitoring of the KMS service
1 Open a command prompt on the active node of the cluster.
2 Change the directory, as follows:
On Windows: <NetBackup_install_path>\NetBackup\bin
On UNIX: /usr/openv/netbackup/bin
3 Run the following command:
On Windows: bpclusterutil -disableSvc "NetBackup Key Management
Service"

On UNIX: bpclusterutil -disableSvc nbkms

Configuring KMS
The configuration of KMS is done by creating the key database, key groups, and
key records. Then NetBackup is configured to work with KMS.
 NetBackup key management service 483
Configuring KMS

To configure and initialize KMS

1 Create the key database, the host master key (HMK), and the key protection
key (KPK).
2 Create a key group that matches the volume pool.
3 Create an active key record.

Creating the key database

Use the following procedure to create an empty key database. A key database is
created by invoking the service name with the -createemptydb option. This process
checks and ensures that an existing key database does not already exist, and then
proceeds with the creation. Two protection keys need to be created when the KMS
is initialized. They are the Host Master Key (HMK) and the Key Protection Key
(KPK).
As with all KMS key creation activities, the user is presented with the following
options for creating these keys:
■ Keys are generated by pass phrases
■ Randomly generated pass phrases
You are prompted to provide a logical ID to be associated with each key. At the
end of this operation, the key database and protection keys are established.
On a Windows system they can be found in the following files:

NetBackup_install_path\kms\db\KMS_DATA.dat
NetBackup_install_path\kms\key\KMS_HMKF.dat
NetBackup_install_path\kms\key\KMS_HKPKF.dat

On a UNIX system, they can be found in the following files:

/usr/openv/kms/db/KMS_DATA
/usr/openv/kms/key/KMS_HMKF
/usr/openv/kms/key/KMS_HKPKF

To create the key database

1 Run the following command:

nbkms -createemptydb.

2 Enter a pass phrase for the Host Master Key, or press Enter to use a randomly
generated key. Re-enter the pass phrase at the following prompt.
 NetBackup key management service 484
Configuring KMS

3 Enter an HMK ID. This ID is associated with the HMK; you can use it to find
this particular key in the future.
4 Enter a pass phrase for the Key Protection Key, or press Enter to use a
randomly generated key. Re-enter the pass phrase at the following prompt.
5 Enter a KPK ID. The ID can be anything descriptive that you want to use to
identify the KPK.

About key groups and key records

A key group is a logical collection of key records where no more than one record
is in the active state.
A key group definition consists of the following:
■ Name
Given to a key group. Should be unique within the keystore. Renaming of the
key group is supported if the new name is unique within the keystore.
■ Tag
Unique key group identifier (not mutable).
■ Cipher
Supported cipher. All keys belonging to this key group are created with this
cipher in mind (not mutable).
■ Description
Any description (mutable).
■ Creation Time
Time of creation of this key group (not mutable).
■ Last Modification Time
Time of last modification to any of the mutable attributes (not mutable).

About creating key groups

The first step for setting up encryption is to create a key group.
In the following example, the key group ENCR_mygroup is created:

nbkmsutil -createkg -kgname ENCR_mygroup

Note: For AdvancedDisk and tape storage, it is important that the group name you
create (i.e., mygroup), is prefixed with ENCR_.
 NetBackup key management service 485
Configuring KMS

About creating key records

The next step is to create an active key record. The key record can either be created
in the prelive state and then transferred to the active state. Or the key record can
be created directly in the active state.
A key record consists of the following critical pieces of information:
■ Name
Name that is given to a Key, should be unique within a KG. The renaming of a
Key is supported if the new name is unique within the KG.
■ Key Tag
Unique Key identifier (not mutable).
■ Key Group Tag
Unique KG identifier, to which this Key belongs (not mutable).
■ State
Key's current state (mutable).
■ Encryption key
Key, used to encrypt or decrypt the backup or restore data (not mutable).
■ Description
Any description (mutable).
■ Creation Time
Time of Key creation (not mutable).
■ Last Modification Time
Time of last modification to any of the mutable attributes (not mutable).
The following key record states are available:
■ Prelive, which indicates that the record has been created, but has not been used
■ Active, which indicates that the record and key are used for encryption and
decryption
■ Inactive, which indicates that the record and key cannot be used for encryption.
But they can be used for decryption
■ Deprecated, which indicates that the record cannot be used for encryption or
decryption
■ Terminated, which indicates that the record can be deleted

Overview of key record states

The key record states include the prelive, active, inactive, deprecated, and
terminated. Key record states adhere to a key record life cycle. Once a key has
 NetBackup key management service 486
Configuring KMS

entered the active state (that is set up for encryption), the key must progress in
proper order through the lifestyle. The proper order includes passing from one state
to its adjacent state. A key cannot bypass any of the states.
Between the active state and terminated state, the record can move one state at a
time in either direction. Outside of this state range, the transitions are one directional.
Deleted key records cannot be recovered (unless they were created using a pass
phrase), and active keys cannot be moved back to prelive state.

Note: Keys can be created in either the prelive state or the active state. Active key
records are available for both backup and restore operations. An inactive key is
only available for restore operations. Deprecated keys are not available for use. If
your key record is in the deprecated state and you attempt to do a backup or restore
with that key record, it can fail. A key record that is in the terminated state can be
removed from the system.

The following figure shows the process flow for creating keys in a prelive state or
an active state.

Figure 23-1 States possible for key creation

 NetBackup key management service 487
Configuring KMS

Key record state considerations

The following considerations can be followed for key record states.
■ Key record state transitions are well-defined and you must go through the whole
path of states to delete a key record.
■ Setting a key record to active bumps the active key record to the inactive state
for that group. There can only be one active record in a group.
■ The deprecated state is useful for saving a key and restricting its use. If as an
administrator you think that a key has been compromised, you can manually
put a hold on anyone using that key without that key being deleted from the
system. You can set the key record to the deprecated state and someone
attempting to do a backup or restore with this deprecated key would get an error.
■ The key record deletion involves two steps helping to reduce the possibility of
accidentally deleting a key. You must first set deprecated keys to terminated
and then you can delete the key record. Only terminated key records can be
deleted (other than the keys which are in the prelive state).
■ You can use the prelive state to create a key record before use.

Prelive key record state

A key record that is created in the prelive state can be made active or deleted.
The prelive state can be used in the following way:
■ The KMS administrator wants to test the creation of a key record without affecting
the system. If the record is created correctly it can then be activated. If not
created correctly the record can be deleted.
■ The KMS administrator wants to create a key record, but then only activate it
at some time in the future. The reasons for this issue may include delay setting
the record active until the KMS keystore has been backed up (or the pass phrase
has been recorded). Or delay setting the record active until some future time.
Key records in the prelive state can be made active or deleted from the system.

Active key record state

Active key records can be used to encrypt and decrypt data. If necessary, the active
key record could be made inactive. The active state is one of the three most
important data management states. The inactive state and deprecated state are
the other two important data management states.
Key records can be created directly in the active state bypassing the prelive state.
Key records in the active state can either stay active or be made inactive. Active
records cannot go back to the prelive state.
 NetBackup key management service 488
Configuring KMS

Inactive key record state

Inactive key records can be used to decrypt data. If necessary, the inactive key
record could be made active again or moved to the deprecated state. The inactive
state is one of the three most important data management states. The active state
and deprecated state are the other two important data management states.
Key records in the inactive state can either stay inactive, be made active, or be
made deprecated.

Deprecated key record state

Deprecated key records cannot be used to encrypt or decrypt data. If necessary,
key records in the deprecated state could be made inactive or terminated. The
deprecated state is one of the three most important data management states. The
active state and inactive state are the other two important data management states.
The deprecated state can be used in the following ways:
■ The use of a key needs to be tracked or regulated. Any attempt to use a
deprecated key can fail, until its state is changed to the appropriate state.
■ A key should not be needed any longer, but to be safe is not set to the terminated
state.
Key records in the deprecated state can either stay deprecated, be made inactive,
or terminated.

Terminated key record state

The terminated state adds a second step or safety step for deleting a deprecated
state key record. A terminated key record can be moved to the deprecated state
and ultimately made active again as needed. A terminated key record can also be
deleted from the KMS.

Caution: Before deleting a key, make sure that no valid image exists which was
encrypted with this key

Key records in the terminated state can either stay terminated, be made deprecated,
or physically deleted.

About backing up the KMS database files

Backing up the KMS database involves backing up the KMS files.
The KMS utility has an option for quiescing the database files or temporarily
preventing anyone from modifying the data files. It is important to run the quiesce
 NetBackup key management service 489
Configuring KMS

option if you plan to copy the KMS_DATA, KMS_HMKF, and KMS_KPKF files to another
location for backing up purposes.
During quiesce, NetBackup removes write access from these files; only read access
is allowed.
When you run nbkmsutil -quiescedb, it returns with a quiesce successful
statement and an indication of the number of outstanding calls. The outstanding
calls number is more of a count. A count is placed on the file for the number of
outstanding requests on this file.
After quiesce, you can then back up the files by copying them to another directory
location.
After you have copied the files, you can unquiesce the KMS database files by using
nbkmsutil -unquiescedb.

After the outstanding quiesce calls count goes to zero, the KMS can run the
commands that can modify the KMS_DATA, KMS_HMKF, and KMS_KPKF files. Write
access is once again returned to these files.

About recovering KMS by restoring all data files

If you have made backup copies of the KMS_DATA, KMS_HMKF, and KMS_KPKF files,
it is just a matter of restoring these three files. Then startup the nbkms service and
the KMS system will be up and running again.

Recovering KMS by restoring only the KMS data file

You can restore the backed-up copy of the KMS data file kms/db/KMS_DATA by
regenerating the KMS_HMKF and KMS_KPKF files with pass phrases. So, if you have
written down pass phrases for the host master key and key protection key, you can
run a command to regenerate those files. The system prompts you for the pass
phrase and if the pass phrase you now enter matches the pass phrase originally
entered, you will be able to reset the files.
To recover KMS by restoring only the KMS data file
1 Run the nbkms –resetkpk command.
2 Run the nbkms –resethmk command.
3 Startup the nbkms service.
 NetBackup key management service 490
Configuring KMS

Recovering KMS by regenerating the data encryption key

You can regenerate the complete KMS database by regenerating the data encryption
keys. The goal is to create a brand new empty KMS database and then repopulate
it with all your individual key records.

Note: A randomly-generated key cannot be recovered if it is lost.

To recover KMS by regenerating the data encryption key

1 Create an empty KMS database by running the following command

nbkms -createemptydb

You do not have to use the same host master key and key protection key. You
can choose new keys.
2 Run the nbkmsutil -recoverkey command and specify the key group, key
name, and tag.

nbkmsutil -recoverkey -kgname ENCR_pool1 -keyname Q1_2008_key

-tag
d5a2a3df1a32eb61aff9e269ec777b5b9092839c6a75fa17bc2565f725aafe90

If you did not keep an electronic copy of the output of the nbkmsutil -listkey
command when you created the key, you must enter all 64 characters manually.
3 Enter the passphrase (and salt) at the prompt. It must be an exact match with
the original passphrase you previously provided.
Salt (if applicable) must match the salt corresponding to the key that you want
to recover.

Note: If the tag you enter already exists in the KMS database, you cannot
recreate the key.
 NetBackup key management service 491
Configuring KMS

4 If the recovered key is the key that you want to use for backups, run the
following command to make the key active:

nbkmsutil -modifykey -kgname ENCR_pool1 -keyname Q1_2008_key

-state active

The -recoverkey option places the key record in the inactive state, and it is
brought into the KMS database in the inactive state.
5 If this is a key record that is to be deprecated, run the following command:

nbkmsutil -modifykey -kgname ENCR_pool1 -keyname Q1_2008_key

-state deprecated

Problems backing up the KMS data files

There can be problems backing up the KMS data files with the normal NetBackup
tapes or with the catalog backup.

Caution: The KMS data files are not included in the NetBackup catalog backups.

If the KPK, HMK, and key files were included in a catalog backup, and the catalog
backup tape is lost, the keystore is compromised because the tape contains
everything needed to gain access to the keys.
Significant problems can exist if both the catalog backup and data tapes are lost
together on the same transport truck, for example. If both tapes are lost together
then that situation is not be any better than not ever encrypting the tape in the first
place.
Encrypting the catalog is not a good solution either. If the KPK, HMK, and key file
were included in a catalog backup, and the catalog backup itself is encrypted, you
have done the equivalent of locking the keys in the car. To protect from this problem
is why KMS has been established as a separate service for NetBackup and why
the KMS files are in a separate directory from the NetBackup directories. However,
there are solutions for backing up the KMS data files.

Solutions for backing up the KMS data files

The best solution for backing up KMS data files is to do so outside of the normal
NetBackup process, or rely on pass phrase generated encryption keys to manually
rebuild KMS. All of the keys can be generated by pass phrases. So if you have
recorded all of the pass phrases, then you can recreate the KMS manually from
 NetBackup key management service 492
Configuring KMS

the information you have written down. One way to back up KMS is to place the
KMS information on a separate CD, DVD, or USB drive.

Creating a key record

The following procedure shows how to create a key record using a pass phrase
and bypassing the prelive state and creating an active key.

Note: If an attempt is made to add a key to a group that already has an active key,
the existing key is automatically moved to the inactive state.

To create a key record and create an active key

1 To create a key record enter the following command:

nbkmsutil -createkey -usepphrase -kgname ENCR_mygroup -keyname

my_latest_key -activate -desc "key for Jan, Feb, March data"

2 Enter a pass phrase.

Listing keys from a key group

Use the following procedure to list all or selected keys that you created in a particular
key group.
To list the keys in a key group
◆ To list the keys in a key group enter the following command:

nbkmsutil -listkeys -kgname ENCR_mygroup

The nbkmsutil outputs the list in the verbose format by default. Following is
a non-verbose listing output.

KGR ENCR_mygroup AES_256 1 Yes 134220503860000000

134220503860000000 -
KR my_latest_key Active 134220507320000000 134220507320000000
key for Jan, Feb, March data
Number of keys: 1

The following options helps to list all keys from a specific key group or a specific
key from a particular key group:
nbkmsutil -listkeys -all | -kgname <key_group_name> [ -keyname
<key_name> | -activekey ]
 NetBackup key management service 493
Configuring KMS

[ -noverbose | -export ]

The -all option lists down all the keys from all the key groups. The keys are listed
in a verbose format.
The -kgname option lists the keys from the specified key group.
The -keyname option lists a specific key from the specified key group. It must
however be used with the option -kgname.
The -activekey option lists an active key from the specified key group name. It
must however be used with the -kgname option.

Note: The -activekey and -keyname options are mutually exclusive.

The -noverbose option lists the details of the keys and key groups in a formatted
form (non-readable). The default is a verbose list.
The -export option generates an output that the key_file requires. (The key_file
is used in nbkmsutil -export -path <key_container_path > -key_file file.
You can use the output for another key_file.
Run the following command to list all the keys from a specific key group:
nbkmsutil –listkeys -kgname <key_group_name>

Run the following command to list specific keys from a specific key group:
nbkmsutil –listkeys -kgname <key_group_name> -keyname <key_name>

Run the following command to list all keys from all groups:
nbkmsutil -listkeys -all

Run the following command to list all keys from a specific key group:
nbkmsutil –listkeys -kgname <key_group_name>

Run the following command to list the active keys from a specific key group:
nbkmsutil –listkeys -kgname <key_group_name> -activekey

Configuring NetBackup to work with KMS

Configuring NetBackup to work with KMS involves the following topics:
■ NetBackup getting key records from KMS
See “NetBackup and key records from KMS” on page 494.
■ Setting up NetBackup to use encryption
See “Example of setting up NetBackup to use tape encryption” on page 494.
 NetBackup key management service 494
Configuring KMS

NetBackup and key records from KMS

The first step in configuring NetBackup to work with KMS is to set up a
NetBackup-supported, encryption-capable tape drive and the required tape media.
The second step is to configure NetBackup as you would normally, except that the
encryption-capable media must be placed in a volume pool with the identical name
as the key group you created when you configured KMS.

Note: For AdvancedDisk and tape storage, the Key Management feature requires
the key group name and NetBackup volume pool name match identically and both
be prefixed with ENCR_. For Cloud Storage and PureDisk key group name should
be storage_server_name:volume_name. This method of configuration-enabled
encryption support to be made available without requiring major changes to the
NetBackup system management infrastructure.

Example of setting up NetBackup to use tape encryption

The following example sets up two NetBackup volume pools created for encryption
(with the ENCR_ prefix).
The following figure shows the NetBackup Administration Console with two
volume pools with the correct naming convention to use KMS.
 NetBackup key management service 495
Configuring KMS

Figure 23-2 NetBackup Administration Console with two volume pools set up
to use KMS

Figure 23-3 shows a NetBackup Policy that is configured to use the volume pool
ENCR_testpool, which is the same name as the key group that you configured
earlier.
 NetBackup key management service 496
Configuring KMS

Figure 23-3 NetBackup Change Policy dialog box with KMS volume pool

When a NetBackup image has been encrypted, the key tag is recorded and
associated with the image. You can see this information through the NetBackup
Administration Console reports, or in the output of the bpimmedia and
bpimagelist commands.

Configuring NetBackup KMS using the KMS web application

If you configure NetBackup KMS (NBKMS), NetBackup does not use it for key
operations. To activate the KMS server, run the following command:
 NetBackup key management service 497
About using KMS for encryption

nbkmscmd -configureKMS -type NBKMS

About using KMS for encryption

You can use KMS to run an encrypted tape backup, verify an encrypted tape backup,
and manage keys. The following topics provide examples for each of these
scenarios:
■ Example of running an encrypted tape backup
See “Example of running an encrypted tape backup” on page 497.
■ Example of verifying an encryption backup
See “Example of verifying an encryption backup” on page 498.
■ About importing KMS encrypted images
See “About importing KMS encrypted images” on page 497.

About importing KMS encrypted images

Importing KMS encrypted images is a two-phase operation. In phase one, the media
header and each fragment backup header is read. This data is never encrypted.
However, the backup headers indicate if the fragments file data is encrypted with
KMS or not. In summary, phase one does not require a key.
Phase two rebuilds the catalog .f file, which requires it to read the encrypted data.
The key-tag (KAD in SCSI terms) is stored on the tape by the hardware. The
NBU/BPTM reads the key-tag from the drive, and sends it to KMS for a key lookup.
If KMS has a key, then the phase two processes continues to read the encrypted
data. If KMS has no key, the data is not readable until the KMS has the key
recreated. This is when the pass phrase is important.
If you do not destroy keys, then KMS contains all the keys ever used and you can
import any encrypted tape. Move the keystore to your DR site and you do not need
to recreate it.

Example of running an encrypted tape backup

To run an encrypted tape backup, you must have a policy that is configured to draw
from a volume pool with the same name as your key group.
Figure 23-4 shows a NetBackup Policy that you have configured to use the volume
pool ENCR_pool1.
 NetBackup key management service 498
About using KMS for encryption

Figure 23-4 NetBackup Change Policy dialog box with KMS volume pool
ENCR_pool1

Example of verifying an encryption backup

When NetBackup runs a tape-encrypted backup, and you view the Images on
Media, you see the encryption key tag that is registered with the record. This key
tag is your indication that what was written to tape was encrypted. The encryption
key tag uniquely identifies which key was used to encrypt the data. You can run a
report and read down the policy column to determine whether everything on a
particular tape was encrypted.
 NetBackup key management service 499
KMS database constituents

KMS database constituents

The KMS database consists of three files:
■ The keystore file (KMS_DATA) contains all the key group and key records along
with some metadata.
■ The KPK file (KMS_KPKF) contains the KPK that is used to encrypt the ciphertext
portions of the key records that are stored in the keystore file.
■ The HMK file (KMS_HMKF) contains the HMK that is used to encrypt the entire
contents of the keystore file. The keystore file header is an exception. It contains
some metadata like the KPK ID and HMK ID that is not encrypted).

Creating an empty KMS database

An empty KMS database can be created by executing the command nbkms
-createemptydb.

This command prompts you for the following information:

■ HMK pass phrase (leave empty for a random HMK)
■ HMK ID
■ KPK pass phrase (leave empty for a random KPK)
■ KPK ID
The KMS database backup and disaster recovery procedures vary for random and
pass phrase-generated KPK and HMK as described below.
To recover when the HMK and KPK were generated randomly
1 Restore the keystore file from a backup.
2 Execute the command nbkms -info to find out the KPK ID and HMK ID of the
KPK and HMK needed to decrypt this keystore file. The output should also
inform you that the HMK and KPK for this keystore file were generated
randomly.
3 Restore the HMK file corresponding to the HMK ID from a secure backup.
4 Restore the KPK file corresponding to the KPK ID from a secure backup.

Importance of the KPK ID and HMK ID

To decipher the contents of a keystore file, it is essential to identify the right KPK
and HMK that will do the job. The KPK ID and HMK ID enable you to make this
identification. Since these IDs are stored unencrypted in the keystore file header,
they can be determined even if you only have access to the keystore file. It is
 NetBackup key management service 500
KMS operations using command-line interface (CLI)

important to choose unique IDs and remember the association of IDs to pass phrases
and files to be able to perform a disaster recovery.

About periodically updating the HMK and KPK

The HMK and KPK can be updated periodically using the modifyhmk and modifykpk
options of the KMS CLI. These operations prompt you for a new pass phrase and
ID and then update the KPK/HMK. You can choose either a random or a pass
phrase-based KPK/HKM at each such invocation.

Note: It is a best practice to use the -usepphrase option when modifying the HMK
and KPK so that you are required to use a known pass phrase for future recovery.
With the -nopphrase option, KMS generates a random pass phrase that is unknown
and eliminates the possibility of future recovery if needed.

Backing up the KMS keystore and administrator keys

The important KMS data files can be backed up by making copies of the key
database KMS_DATA, the Host Master Key KMS_HMKF, and the Key Protection
Key KMS_HKPKF.
On Windows these files are as follows:

NetBackup_install_path\kms\kms\db\KMS_DATA.dat
NetBackup_install_path\Veritas\kms\key\KMS_HMKF.dat
NetBackup_install_path\Veritas\kms\key\KMS_KPKF.dat

On UNIX these files are at this location:

/usr/openv/kms/db/KMS_DATA
/usr/openv/kms/key/KMS_HMKF
/usr/openv/kms/key/KMS_KPKF

KMS operations using command-line interface

(CLI)
The following topics describe the KMS operations that can be performed using
command-line interface (CLI):
■ CLI usage help
See “CLI usage help” on page 503.
■ Create a new key group
 NetBackup key management service 501
KMS operations using command-line interface (CLI)

See “Create a new key group” on page 503.

■ Create a new key
See “Create a new key” on page 504.
■ Modify key group attributes
See “Modify key group attributes” on page 504.
■ Modify key attributes
See “Modify key attributes” on page 505.
■ Get details of key groups
See “Get details of key groups” on page 505.
■ Get details of keys
See “Get details of keys” on page 506.
■ Delete a key group
See “Delete a key group” on page 506.
■ Delete a key
See “Delete a key” on page 507.
■ Recover a key
See “Recover a key” on page 507.
■ Modify host master key (HMK)
See “Modify host master key (HMK)” on page 512.
■ Get host master key (HMK) ID
See “Get host master key (HMK) ID” on page 512.
■ Modify key protection key (KPK)
See “Modify key protection key (KPK)” on page 512.
■ Get key protection key (KPK) ID
See “Get key protection key (KPK) ID” on page 512.
■ Get keystore statistics
See “Get keystore statistics” on page 513.
■ Quiesce KMS database
See “Quiesce KMS database” on page 513.
■ Unquiesce KMS database
See “Unquiesce KMS database” on page 513.

KMS operations with multi-person authorization

The following KMS operations support multi-person authorization:
 NetBackup key management service 502
KMS operations using command-line interface (CLI)

Starting with NetBackup 10.5, if multi-person authorization is enabled for a key

management operation, bpnbat -login is required for this operation. A multi-person
authorization ticket is generated and after the ticket is approved, an empty key
database is created. For NetBackup releases earlier than 10.5, if multi-person
authorization is enabled, you cannot perform the -createemptydb operation.
nbkms

■ -createemptydb

Starting with NetBackup 10.5, if multi-person authorization is enabled for a key

management operation, a ticket is generated. After the multi-person authorization
ticket is approved, KMS is configured. For NetBackup releases earlier than 10.5,
if multi-person authorization is enabled, you cannot perform nbkmsutil operations.
nbkmsutil

■ -createkg

■ -createkey

■ -modifykg

■ -modifykey

■ -deletekg

■ -deletekey

■ -modifyhmk

■ -modifykpk

■ -export

■ -import

■ -recoverkey

Starting with NetBackup 10.5, if multi-person authorization is enabled for a key

management operation, bpnbat -login is required for all the nbkmscmd operations.
A multi-person authorization ticket is generated and after the ticket is approved,
the KMS operation is performed. For NetBackup releases earlier than 10.5, if
multi-person authorization is enabled, you cannot perform nbkmscmd operations.
bpnbat -login is required for the nbkmscmd operations that modify or delete the
KMS configuration.
nbkmscmd

■ -configureKMS

■ -deleteKMSConfig
 NetBackup key management service 503
KMS operations using command-line interface (CLI)

■ -updateKMSConfig

■ -deleteCredential

■ -updateCredential

■ -createKey

CLI usage help

To get CLI usage help, use the NetBackup Key Management Service (KMS) utility
command (the nbkmsutil command) with the included arguments.
Use nbkmsutil -help -option for help on an individual option.

# nbkmsutil -help
nbkmsutil [ -createkg ] [ -createkey ]
[ -modifykg ] [ -modifykey ]
[ -listkgs ] [ -listkeys ]
[ -deletekg ] [ -deletekey ]
[ -modifyhmk ] [ -modifykpk ]
[ -gethmkid ] [ -getkpkid ]
[ -quiescedb ] [ -unquiescedb ]
[ -recoverkey]
[ -export ]
[ -import ]
[ -recoverkey ]
[ -ksstats ]
[ -help ]

Create a new key group

To create a new key group, use the NetBackup Key Management Service (KMS)
utility command (the nbkmsutil command) with the included arguments.

# nbkmsutil -help -createkg

nbkmsutil -createkg -kgname <key_group_name>
[ -cipher <type> ]
[ -desc <description> ]

Note: The default Cipher is AES_256.

-kgname Specifies the name of the new key group (it has to be unique within the
keystore).
 NetBackup key management service 504
KMS operations using command-line interface (CLI)

-cipher Specifies the type of cipher that is supported by this key group.

Create a new key

To create a new key, use the NetBackup Key Management Service (KMS) utility
command (the nbkmsutil command) with the included arguments.

# nbkmsutil -help -createkey

nbkmsutil -createkey [ -nopphrase ]
-keyname <key_name>
-kgname <key_group_name>
[ -activate ]
[ -desc <description> ]

Note: The default key state is prelive.

-nopphrase Creates the key without using a pass phrase. If this option is not
specified, the user is prompted for a pass phrase.

-keyname Specifies the name of the new key (it should be unique within the key
group to which it belongs).

-kgname Specifies the name of an existing key group to which the new key should
be added.

-activate Sets the key state to active (default key state is prelive).

Note: A salt is generated when you create a new key using a pass phrase. In the
event where you try to recover a key, the system prompts you for a salt along with
the pass phrase and key tag.

Modify key group attributes

To modify the key group attributes, use the NetBackup Key Management Service
(KMS) utility command (the nbkmsutil command) with the included arguments.

# nbkmsutil -help -modifykg

nbkmsutil -modifykg -kgname <key_group_name>
[ -name <new_name_for_the_key_group> ]
[ -desc <new_description> ]

-kgname Specifies the name of the key group to be modified.

 NetBackup key management service 505
KMS operations using command-line interface (CLI)

-name Specifies the new name of the key group (should be unique within the
keystore).

Modify key attributes

To modify the key attributes use the NetBackup Key Management Service (KMS)
utility command (the nbkmsutil command) with the included arguments.

# nbkmsutil -help -modifykey

nbkmsutil -modifykey -keyname <key_name>
-kgname <key_group_name>
[ -state <new_state> | -activate ]
[ -name <new_name_for_the_key> ]
[ -desc <new_description> ]
[ -move_to_kgname <key_group_name> ]

Note: The -state and -activate options are mutually exclusive.

-keyname Specifies the name of the key to be modified.

-kgname Specifies the name of the key group to which this key belongs.

-name Specifies the new name of the key (it should be unique within the key
group).

-state Specifies the new state of the key (see valid key state transition order).

-activate Sets the key state to active.

-desc Adds the new description to the key.

-move_to_kgname Specifies the name of the key group that the key has to be moved to.

Get details of key groups

To get details of key groups, use the NetBackup Key Management Service (KMS)
utility command (the nbkmsutil command) with the included arguments.

nbkmsutil -help -listkgs

nbkmsutil -listkgs [ -kgname <key_group_name> |
-cipher <type> |
-emptykgs |
-noactive ]
[ -noverbose ]
 NetBackup key management service 506
KMS operations using command-line interface (CLI)

Note: By default all of the key groups are be listed. If no option is specified, the
details of all of the key groups are returned.

-kgname Specifies the name of a key group.

-cipher Gets the details of all the key groups which support specific cipher type.

-emptykgs Gets the details of all the key groups with zero keys in it.

-noactive Gets the details of all the key groups in which there is no active key.

-noverbose Prints the details in formatted form (non-readable) format. The default
is verbose. The output is displayed in a human readable form.

Get details of keys

To get details of the keys, use the NetBackup Key Management Service (KMS)
utility command (the nbkmsutil command) with the included arguments.

#nbkmsutil -help -listkeys

nbkmsutil -listkeys -all | -kgname <key_group_name>
[ -keyname <key_name> | -activekey ]
[ -noverbose | -export ]

-kgname Specifies the key group name. The details of all of the keys belonging
to a key group are returned.

-keyname Gets the details of the specific key which belongs to a specific key
group.

-activekey Gets the details of a specific key group's active key.

-noverbose Prints the details in formatted form (non-readable) format. The default
is verbose. The output is displayed in a human readable form.

-export Generates an output that the key_file requires. The key_file is used in
the nbkmsutil -export -path <key_container_path >
-key_file file. The output can be used for another key_file.

Delete a key group

To delete a key group, use the NetBackup Key Management Service (KMS) utility
command (the nbkmsutil command) with the included arguments.

Note: Only empty key groups can be deleted.

 NetBackup key management service 507
KMS operations using command-line interface (CLI)

# nbkmsutil -help -deletekg

nbkmsutil -deletekg -kgname <key_group_name> -force

-kgname Specifies the name of the key group to be deleted. Only empty key
groups can be deleted.

-force All the keys from the key group are deleted.

Only empty key groups can be deleted with -deletekg option. You can however,
also force delete a key group even if it is not empty. Run the following command
to force delete a key group:
# nbkmsutil -deletekg -kgname <key_group_name> -force

Delete a key
To delete a key, use the NetBackup Key Management Service (KMS) utility
command (the nbkmsutil command) with the included arguments.

# nbkmsutil -help -deletekey

nbkmsutil -deletekey -keyname <key_name>
-kgname <key_group_name>

Note: Keys in either prelive state or terminated state can be deleted.

-keyname Specifies the name of the key to be deleted (to delete, key state has to
be in one of prelive, or terminated).

-kgname Specifies the name of the key group to which this key belongs.

Recover a key
To recover a key, use the NetBackup Key Management Service (KMS) utility
command (the nbkmsutil command) with the included arguments.

# nbkmsutil -help -recoverkey

nbkmsutil -recoverkey -keyname <key_name>
-kgname <key_group_name>
-tag <key_tag>
[ -desc <description> ]

Note: The key state would be set to inactive.

 NetBackup key management service 508
KMS operations using command-line interface (CLI)

The restore could fail if a key that is used in encrypting the backup data is lost (and
no copy of it is available). These keys can be recovered (re-created) with the
knowledge of the original key's attributes (tag, passphrase, and salt).

-keyname Specifies the name of the key to be recovered (re-created).

-kgname Specifies the name of the key group to which this key should belong.

-tag Specifies the tag that identifies the original key (we need to use the
same tag).

Note: The user is prompted to enter the correct pass phrase to get the right key
(the system does not verify the validity of entered pass phrases).

Note: Whenever you recover a key, the system prompts you for a salt. A salt is
generated for pass phrase derived keys in this version of KMS. To recover the keys
that were generated with an older version of KMS, leave the salt field blank.

About exporting and importing keys from the KMS database

The export and import of keys allows the user to quickly sync multiple NetBackup
domains to use the same set of keys or quickly move a set of keys from one domain
to another domain. This feature is especially helpful for a disaster recovery-induced
restore on a different NetBackup domain.

Exporting keys
The -export command helps to export keys and keys groups across domains. The
following list contains important information about exporting keys and key groups:
■ Keys are always exported along with their key group.
■ Keys and key groups are exported in an encrypted key container (file) on the
host where the Key Management Service (KMS) utility (nbkmsutil) is executed.
The key container is pass phrase protected.

Note: The same pass phrase must be provided when you want to import the
keys and key groups.

■ Multiple ways of specifying the export contents are to select specific key groups
or to selectively export keys.
Use the -export command as specified:
 NetBackup key management service 509
KMS operations using command-line interface (CLI)

nbkmsutil -export -path <secure_key_container>

[ -key_groups <key_group_name_1 ...> | -key_file <key_file_name> ]

By default, the entire keystore is exported.

The -path command refers to a fully qualified path where the secure key container
is stored.
The -key_groups command helps to list the key groups names that separated by
spaces.
The -key_file command is the file path that lists the keys to be exported in a
specific format.
The <key_group_name>/<key_name>command helps the user to export keys
selectively. You can use a '*' to export all the keys from a particular group as shown:
<key_group_name>/*

You can use the nbkmsutil –listkeys –export command to generate an output
in a format that this option requires. Refer nbkmsutil –listkeys –export for more
details.
For more details about listing keys:
See “Listing keys from a key group” on page 492.

Note: The -key_groups and -key_file commands are mutually exclusive.

Run the following command to export the entire keystore:

nbkmsutil -export -path <secure_key_container>

Run the following command to export selected key groups:

nbkmsutil -export -path

<secure_key_container> -key_groups

<key_group_name_1 key_group_name_2 ...>

Run the following command to export selectively export keys:

nbkmsutil -export -path

<secure_key_container> -key_file

<key_file_name>
 NetBackup key management service 510
KMS operations using command-line interface (CLI)

Troubleshooting common errors during an export

A set of errors that occur when you export the keys and key groups. This section
helps you to troubleshoot them.
■ The export can fail when the key container that you specify already exists on
the host.
Specify a different key container file and rerun the export operation.
■ Export also fails when you mention incorrect keys or key group names.
You must correct the keys or key group names and export them again.

Importing keys
The -import command helps to import keys and keys groups across domains. The
following list contains important information about importing keys and key groups:
■ When importing keys and key groups, you must have the key container file that
is created during the export operation. You also need the same pass phrase
that is used during the export.
■ Importing keys is an atomic operation. It reverts backs all updates on encounter
of any error during operation.
■ Partial import is not supported.
■ A preview of the import output is available. Run the -preview command to
preview the results of the import.
■ The import operation can have two modes, one that includes the
-preserve_kgname command and another that excludes the -preserve_kgname
command.
By default, the key groups are imported with following name format:
< Original_Kgname_<timestamp> >
You can opt to preserve the key group name by explicitly specifying the
<-preserve_kgname> option.

■ Duplicate keys such as the keys with the same key tag or the same key are not
imported.
■ The import does not support key group merging.
You can however merge the keys, import the key group without using the
<-preserve_kgname> command. Run the nbkmsutil -modifykey -keyname
<key_name> -kgname <key_group_name> command to move key from current
group to the required group.
For more information about moving keys:
See “Modify key attributes” on page 505.
 NetBackup key management service 511
KMS operations using command-line interface (CLI)

If the same key(s) or key(s) that have the same key tags exist in a key group, they
are ignored during import. Run the following commands to import the keys and key
groups:
# nbkmsutil -import -path <secure_key_container>

[-preserve_kgname]

[ -desc <description> ]

[ -preview ]

The -preserve_kgname command preserves the key group names during import.
The -desc <description> command is a description that is associated with the
key groups during import.
The -preview command display a preview of the import results.
Run the import operation with the -preserve_kgname as follows:
nbkmsutil –import -path

<secure_key_container>

[-preserve_kgname]

When you run the -import command with the -preserve_kgname command, the
import operation tries to import the original key groups names from the key container.
If a key group with the same name exists, the import operation fails.
Run the import operation without the -preserve_kgname as follows:
nbkmsutil –import -path

<secure_key_container>

When you run the -import command without the -preserve_kgname it imports the
key groups, but the key group names are renamed using a suffix, for example a
timestamp. Each key group that is renamed always has a unique name.

Troubleshooting common errors during an import

A set of errors that occur when you import the keys and key groups. This section
helps you to troubleshoot them.
■ During an import, when you import key groups with the [-preserve_kgname ]
option, and if that group already exists in KMS, the entire operation fails.
You must either delete or rename the existing key groups or exclude the
[-preserve_kgname ] option and rerun the import operation.

■ NetBackup KMS has a limit of 100 key groups. Each group has a limit of 30
keys. The operation fails if more than 100 key groups are imported.
 NetBackup key management service 512
KMS operations using command-line interface (CLI)

You must delete existing unwanted key groups and rerun the import operation.

Modify host master key (HMK)

To modify the host master key, use the NetBackup Key Management Service (KMS)
utility command (the nbkmsutil command) with the included arguments.
The HMK is used to encrypt the keystore. To modify the current HMK, the user
should provide an optional seed or pass phrase. An ID (HMK ID) should also be
provided that can remind them of the specified pass phrase. Both the pass phrase
and HMK ID are read interactively.

# nbkmsutil -help -modifyhmk

nbkmsutil -modifyhmk [ -nopphrase ]

Get host master key (HMK) ID

To get the HMK ID, use the NetBackup Key Management Service (KMS) utility
command (the nbkmsutil command) with the included arguments. The HMK ID is
then returned.

# nbkmsutil -help -gethmkid

nbkmsutil -gethmkid

Get key protection key (KPK) ID

To get the KPK ID, use the NetBackup Key Management Service (KMS) utility
command (the nbkmsutil command) with the included arguments. The command
returns the current KPK ID.

# nbkmsutil -help -getkpkid

nbkmsutil -getkpkid

Modify key protection key (KPK)

To modify the key protection key, use the NetBackup Key Management Service
(KMS) utility command (the nbkmsutil command) with the included arguments.
The KPK is used to encrypt the KMS keys. Currently, the KPK is per keystore. To
modify the current KPK, the user should provide an optional seed or pass phrase.
Also, provide an ID (KPK ID) that can remind us of the specified pass phrase. Both
the pass phrase and KPK ID are read interactively.

# nbkmsutil -help -modifykpk

nbkmsutil -modifykpk [ -nopphrase ]
 NetBackup key management service 513
KMS operations using command-line interface (CLI)

Get keystore statistics

To get the keystore statistics, use the NetBackup Key Management Service (KMS)
utility command (the nbkmsutil command) with the included arguments.
This command returns the following keystore statistics:
■ Total number of key groups
■ Total number of keys
■ Outstanding quiesce calls

# nbkmsutil -help -ksstats

nbkmsutil -ksstats [ -noverbose ]

Quiesce KMS database

To quiesce the KMS database, use the NetBackup Key Management Service (KMS)
utility command (the nbkmsutil command) with the included arguments.
This command sends the quiesce request to KMS. If the command succeeds, the
current outstanding quiesce count is returned as multiple backup jobs might quiesce
the KMS database.

# nbkmsutil -help -quiescedb

nbkmsutil -quiescedb

Unquiesce KMS database

To unquiesce the KMS database, use the NetBackup Key Management Service
(KMS) utility command (the nbkmsutil command) with the included arguments.
This command sends an unquiesce request to KMS. If the command succeeds,
the current outstanding quiesce count is returned. A count of zero (0) means that
the KMS database is completely unquiesced.

# nbkmsutil -help -unquiescedb

nbkmsutil -unquiescedb

Key creation options

Any use of the NetBackup KMS feature should include creating a backup of the
kms/db and kms/key directories. The protection keys and the key database exist
in two separate subdirectories to facilitate splitting these when creating a backup
copy.
 NetBackup key management service 514
Troubleshooting KMS

Note: Due to the small size of these files, that they change infrequently, and that
they must not be included on any NetBackup tape that itself is encrypted, the files
should be manually copied to backup media.

Note: The recommended approach for creating keys with this version of KMS is to
always create keys from pass phrases. This includes both the protection keys (Host
Master Key and Key Protection Key), and the data encryption keys associated with
the key records). It is recommended that the pass phrases used to create the keys
are recorded and stored for recovery purposes.

While allowing the KMS system to randomly generate the encryption keys provides
a stronger solution, this usage cannot recover from the loss or corruption of all
copies of the keystore and protection keys, and therefore is not encouraged.

Troubleshooting KMS
Use the following procedure to initiate troubleshooting for KMS.
To initiate troubleshooting for KMS
1 Determine what error code and description are encountered.
2 Check to determine if KMS is running and that the following KMS data files
exist:

kms/db/KMS_DATA
kms/key/KMS_HMKF
kms/key/KMS_KPKF

If the files do not exist, then KMS has not been configured, or the configuration
has been removed. Find out what happened to the files if they do not exist. If
KMS has not been configured, the nbkms service is not running. If KMS is not
running or is not configured, it does not affect NetBackup operation. If you have
previously used the ENCR_ prefix for a volume pool name, this name must be
changed as ENCR_ now has special meaning to NetBackup.
3 Get the KMS configuration information:
Get a key group listing by running the command nbkmsutil –listkgs. Get a
listing of all the keys for a key group by running the command nbkmsutil
–listkeys –kgname key_group_name.

4 Get operational log information such as KMS logs by way of VxUL OID 286
and BPTM logs.
 NetBackup key management service 515
Troubleshooting KMS

5 Evaluate the log information. The KMS errors are handed back to BPTM.
6 Evaluate the KMS errors that are recorded in the KMS log.

Solution for backups not encrypting

If tape backups are not encrypted, consider the following solutions:
■ Verify that a backup is not encrypted by checking that the encryption key tag
field is not set in the image record.
■ Verify that the key group and volume pool names are an exact match.
■ Verify that there is a key record in the key group with an active state.
Other non-KMS configuration options to look at include:
■ Verify that everything that is related to traditional media management is
configured properly.
■ Is the NetBackup policy drawing a tape from the correct volume pool.
■ Does the encryption-capable tape drive have encryption capable media available.
For example is LTO4 media installed in the LTO4 tape drive?

Solution for restores that do not decrypt

If the encrypted tape restores are not decrypting, consider the following solutions:
■ Verify that the original backup image was encrypted to begin with by viewing
the encryption key tag field in the image record.
■ Verify that the key record with the same encryption key tag field is in a record
state that supports restores. Those states include active or inactive states.
■ If the key record is not in the correct state change the key back to the inactive
state.
Other non-KMS configuration solution options to consider:
■ Verify that the drive and media support encryption.
■ Is the encrypted media being read in an encryption-capable tape drive?

Troubleshooting example - backup with no active key record

The following example shows what happens when you attempt a backup when
there is no active key record.
Figure 23-5 shows a listing of key records. Three of them have the key group
ENCR_mygroup and the same volume pool name. One key group named Q2_2008_key
 NetBackup key management service 516
Troubleshooting KMS

was active. At the end of the command sequence, the state of the Q2_2008_key
key group is set to inactive.

Figure 23-5 Listing of key records

Figure 23-6 shows the listing of key records that are produced again, and you can
see that the Q2_2008_key state is now listed as inactive.
 NetBackup key management service 517
Troubleshooting KMS

Figure 23-6 Listing of key records with active key group modified

With no active key, what happens to the backup?

Figure 23-7 shows the BPTM log output. It logs the message within the 1227 error
code in the BPTM log.

Figure 23-7 Output from bptm command

 NetBackup key management service 518
Troubleshooting KMS

The Job Details dialog box shows the detailed status. You can see a message
stating what failed and the detailed status. With the information in the previous
diagnostics, you can determine the particular problem or to identify what a given
problem is related to.

Troubleshooting example - restore with an improper key record state

The following example shows a restore with a key record in an improper state.
Figure 23-8 shows that a record you need is set to deprecated. This following shows
the listing. The same command is used to change the state from inactive to
deprecated.

Figure 23-8 Listing of key records with key group deprecated

Figure 23-9 shows the bptm log output with the 1242 error returned.
 NetBackup key management service 519
Troubleshooting KMS

Figure 23-9 bptm log output with error 1242

 Chapter 24
External key management
service
This chapter includes the following topics:

■ About external KMS

■ Certificate configuration and authorization

■ Workflow for external KMS configuration

■ Validating KMS credentials

■ Configuring KMS credentials

■ Configuring KMS

■ Configuring keys in an external KMS for NetBackup consumption

■ Creating keys in an external KMS

■ Determining a key group name during storage configuration

■ Working with multiple KMS servers

■ Working with external KMS during backup and restore

■ Checking the compatibility of KMS vendor with NetBackup

■ Key rotation

■ Disaster recovery when catalog backup is encrypted using an external KMS

server

■ Alerts for expiration of KMS credentials

 External key management service 521
About external KMS

About external KMS

The external KMS support offers an alternative to the NetBackup key management
service (KMS) for data-at-rest encryption keys.
Backup images that are stored on storage configurations like tape, cloud, MSDP,
and AdvancedDisk can be encrypted using the keys that the external KMS server
maintains.
NetBackup supports the communication with external KMS using Key Management
Interoperability Protocol (KMIP).
See the NetBackup Compatibility List for the KMIP versions that NetBackup supports.
NetBackup supports the authentication with external KMS server using security
certificates. During each operation, NetBackup presents the certificate to the external
KMS and requests to perform the required operation. External KMS validates the
certificate and performs that operation if the user has the required permissions.
See the video External KMS support in NetBackup for details.
Video link

Certificate configuration and authorization

Before configuring any certificate to be used with NetBackup, you should do certain
configurations on the external KMS server to ensure that NetBackup has the required
permissions to perform key-specific operations. Configuration steps may vary for
different external KMS solutions.
Ensure the following:
■ An entity (user) is created in the external KMS that represents NetBackup primary
server.
■ The primary server host has a certificate that the external KMS server trusts.
■ The certificate common name (CN) is associated with the entity that represents
the primary server.

Workflow for external KMS configuration

For external KMS integration, centralized configuration on the NetBackup primary
server is used. The primary server should establish an outbound connection with
the KMIP port on the external KMS server. Configure the communication channel
with external KMS on the primary server with certificate credentials. The primary
server then sends all the requests to the external KMS servers on behalf of other
servers such as media servers.
 External key management service 522
Validating KMS credentials

Table 24-1 Workflow to configure a KMS

Step Step Reference topic

number

Step 1 Validate KMS credentials See “Validating KMS credentials” on page 522.

Step 2 Configure KMS credentials See “Configuring KMS credentials”

on page 523.

Step 3 Configure KMS See “Configuring KMS” on page 525.

Step 4 Create keys See “Creating keys in an external KMS”

on page 528.

Step 5 Configure storage Refer to the NetBackup Administrator's Guide,

Volume I.

Step 6 Configure policy Refer to the NetBackup Administrator's Guide,

Volume I.

Validating KMS credentials

If incorrect credentials are configured in NetBackup, communication with external
KMS server may fail. To avoid such failures, you can carry out certain validations
before a credential can be configured for the KMS use. If a validation check is not
passed, the credential cannot be configured.
See “Configuring KMS credentials” on page 523.
See “Checking the compatibility of KMS vendor with NetBackup” on page 532.
The -validate command option is useful when the KMS vendor is listed as a
supported KMS vendor in the NetBackup hardware compatibility list.
The following validations are carried out while you configure a new credential or
update an existing one.
It is not recommended to configure credentials if one or more checks fail:
■ The certificate path is valid
■ The truststore path is valid
■ The private key path is valid
■ The certificates in certificate chain are readable
■ The certificates in a truststore are readable
■ The private key is readable
 External key management service 523
Configuring KMS credentials

■ The Common Name field is not empty

■ The certificate is not expired
■ The certificate is currently valid
■ The private key matches the certificate
■ The certificates are in the appropriate order
■ The following CRL validation checks are performed, if the ECA_CRL_PATH is
configured and the CRL check level is other than DISABLE:
■ The CRL directory consists of CRL files
■ The CRL check level is valid
■ The CRL path is valid
■ The available CRLs are readable

To validate KMS credentials and KMS functionality

1 Run the following command:
nbkmiputil -validate -kmsServer kms_server_name -port port
-certPath cert_path -privateKeyPath private_key_path
-trustStorePath trust_store_path

The nbkmiputil command validates the KMS functionality including connection

to the KMS server.
It also tests operations like list keys, fetch keys, set attributes, and fetch
attributes. For set attributes, you must have the 'write' permission for the KMS
server. The nbkmiputil command also validates CA fingerprint on the server
certificate that is exchanged through TLS handshake. nbkmiputil uses TLS
1.2 or later protocol for secure communication with external KMS server.
2 If the check fails, contact Veritas Technical Support.

Configuring KMS credentials

To configure external KMS in NetBackup, you need to first configure the credentials
that NetBackup uses to authenticate with the external KMS server. As part of this
step, you need to specify the path for public key Infrastructure (PKI) artifacts that
are required for certificate-based authentication. The following information is
required:
■ Certificate file path
■ Keystore file path
 External key management service 524
Configuring KMS credentials

■ Trust store file path

■ Passphrase or passphrase file path

Note: After external KMS configuration or keys are updated, NetBackup may take
several minutes to consume appropriate key in backup or restore workflow. This is
because NetBackup caches the key for 10 minutes (for external KMS). To
immediately consume a key, cache can be cleared by executing the following
command on the respective media server:
bpclntcmd -clear_host_cache

To configure KMS credentials

◆ Run the nbkmscmd -configureCredential command:
This command creates a copy of files that are provided on the command-line
interface and stores them into the credentials database. When the command
is successfully executed, you can delete these files if you do not need them.
NetBackup does not track any updates to these files. If the certificate needs
to be updated, typically in case of renewal, you need to run the nbkmscmd
-updateCredential command again with new certificate files.

nbkmscmd -configureCredential -credName credential_name -certPath

certificate_file_path -privateKeyPath private_key_file_path
-trustStorePath CA_certificate_file_path [-passphrasePath
private_key_passphrase_file_path] [-crlCheckLevel LEAF | CHAIN |
DISABLE] [-server master_server_name] [-description description]

Listing KMS credentials

To list all credential details
◆ Run the following command:
nbkmscmd -listCredential

To list specific credential details

◆ Run the following command:
nbkmscmd -listCredential -credName credential_name
 External key management service 525
Configuring KMS

Updating KMS credentials

To update credential details
◆ Run the following command:
nbkmscmd -updateCredential -credName credential_name -certPath
certificate_file_path -privatekeyPath private_key_file_path
-trustStorePath CA_certificate_file_path -crlCheckLevel DISABLE

Deleting KMS credentials

To delete credential details
◆ Run the following command:
nbkmscmd -deleteCredential -credName credential_name

Configuring KMS
To configure NetBackup KMS (NBKMS)
◆ Run the following command:
nbkmscmd -configureKMS -name configuration_name -type NBKMS -hmkId
host_master_key_ID_to_identify_HMK_passphrase -kpkId
key_protection_key_ID_to_identify_KPK_passphrase
[-useRandomPassphrase 0 | 1] [-enabledForBackup 0 | 1] [-priority
priority_of_KMS_server] [-server master_server_name] [-description
description]

To configure external KMS

◆ Run the following command:
nbkmscmd -configureKMS -name configuration_name -type KMIP -port
port_to_connect_to_external_KMS_server -kmsServerName
network_name_of_external_KMS_server -credId credential_ID |
-credName credential_name [-enabledForBackup 0 | 1] [-priority
priority_of_KMS_server] [-server master_server_name] [-description
description]
 External key management service 526
Configuring KMS

Listing KMS configurations

To list configuration details for all KMS servers
◆ Run the following command:
nbkmscmd -listKMSConfig

To list configuration details for a specific KMS server

◆ Run the following command:
nbkmscmd -listKMSConfig -name configuration_name

Updating KMS configuration

Update priority of a KMS
To update priority of KMS, run the following command: nbkmscmd -updateKMSConfig
-name configuration_name -priority priority

Disable a KMS configuration for backup

To disable keys from specified KMS to be used for backup, run the following
command: nbkmscmd -updateKMSConfig -name configuration_name
-enabledForBackup 0

Disable a KMS configuration temporarily for all operations

To disable a configured KMS for all operations, run the following command:
nbkmscmd -updateKMSConfig -name configuration_name -status 0

Note: After any update in external KMS configuration or keys, NetBackup may take
several minutes to consume appropriate key in backup or restore workflow. This is
because NetBackup caches the key for 10 minutes (for external KMS). To
immediately consume a key, cache can be cleared by executing the following
command on the respective media server:
bpclntcmd -clear_host_cache

Deleting KMS configuration

To delete KMS configuration, run the following command: nbkmscmd
-deleteKMSConfig -name configuration_name
 External key management service 527
Configuring keys in an external KMS for NetBackup consumption

Configuring keys in an external KMS for

NetBackup consumption
NetBackup can use the keys that are already created in an external KMS or you
can create keys in an external KMS using NetBackup, for which the NetBackup
primary server needs to be authorized to create keys.
NetBackup can discover the keys that are created in an external KMS for the
NetBackup use. Specify custom attributes x-application and x-keygroup while
generating keys or associate these attributes to the existing keys, so NetBackup
can determine the keys to be used. NetBackup uses any key that has these attributes
for encryption purpose.
Key group name for tape volume pool must have ENCR_ as a prefix.
Consider the following example: You have configured a tape volume pool with name
ENCR_P1. The volume pool name suggests that the backup images in this volume
pool are encrypted.
x-keygroup is case-sensitive and it should exactly match the volume pool name.

To configure keys
1 Create a key in an external KMS with the custom attribute x-keygroup and its
value as ENCR_P1.
2 Set the custom attribute x-application with its value as NetBackup to indicate
that this key belongs to NetBackup.
3 For the keys that are already created and are to be used for encryption for this
volume pool, you can create the custom attributes.
4 To set these attributes, you can use the user interface that the respective KMS
vendor has specified.
If the user interface of the KMS vendor does not support adding and setting
custom attributes, you can use the nbkmiputil command to set the attributes
for the keys.
nbkmiputil -kmsServer kms_server_name -port 5696 -certPath
cert_path -privateKeyPath private_key_path -trustStorePath
caCertificatePath -setAttribute -attributeName attributeName
-attributeValue attributeVal

See the NetBackup Commands Reference Guide for more information on the
command.
 External key management service 528
Creating keys in an external KMS

Creating keys in an external KMS

You can use NetBackup to create keys in an external KMS. NetBackup must have
the required permissions to create keys in the external KMS.
To create keys in an external KMS
◆ Run the following command:
nbkmscmd -createkey -name configuration_name -keyGroupName
keygroup_name -keyName key_name -comment comments

The createKey command creates a key in active state. For external KMS, you
can have multiple active keys in a key group. NetBackup uses the latest active
key. The command also sets all the required attributes for the key.

Note: After any update in external KMS configuration or key related changes,
NetBackup may take some time to consume appropriate key in backup or
restore workflow. This is because NetBackup caches the key for 10 min (for
external KMS). To consume the key immediately, run the following command
on the respective media server to clear the cache:
bpclntcmd -clear_host_cache.

Listing keys
Use the given procedure to list key IDs from the specified KMS.
To list key IDs
◆ nbkmscmd -listKeys -name configuration_name

Determining a key group name during storage

configuration
NetBackup uses the preconfigured keys from an external KMS during storage
configuration.
Ensure that the keys are created in an external KMS server with an attribute
x-keygroup and are assigned to a key group name.

For every storage configuration, NetBackup determines the key group name as
follows:

MSDP Specify the key group name

 External key management service 529
Working with multiple KMS servers

Cloud The key group name is Name_of_storage_server:Name_of_disk_volume

Tapes The volume pool name is used as a key group name

For tapes, the volume pool should have ENCR as a prefix.

AdvancedDisk For UNIX: Name_of_storage_server:Name_of_disk_volume

For Windows: Name_of_storage_server

Working with multiple KMS servers

NetBackup supports multiple KMS servers. You can use multiple KMS servers and
migrate from one KMS server to another. You can also use a separate KMS server
for each storage configuration like tape, cloud, and MSDP.
See “Migrating one KMS server to another KMS server” on page 530.
See “Using a separate KMS server for each storage configuration” on page 530.
To use multiple KMS servers effectively, you need to define the following KMS
configuration attributes:

enableForBackup Specifies whether keys from this KMS should be used for backup or not.
The default value is 1.

Provide 0 if the keys from this KMS server should not be used for backup.

This attribute does not affect restores. If there is backup image, that was
encrypted using the key from this KMS, during restore NetBackup uses
this KMS server and fetches the keys to restore the data. These KMS
servers can still be used for restoring an image. So, if you want to delete
the KMS configuration, ensure that there are no images that are
encrypted with keys of this KMS server. If the key is lost, the data cannot
be restored from that image and it will be lost. During KMS server
migration, at least one KMS configuration should have this property set
to 1 else all the backups will fail.

priority Specifies the KMS server to be used when NetBackup checks for keys
during encryption or decryption. By default, the KMS server priority is
set to 0. A KMS server with the highest value gets the first priority to be
used during encryption or decryption.

During backup or restore, NetBackup uses the ordered list of KMS

servers, based on their priority to fetch keys. So, KMS with highest priority
is used first to fetch keys. If multiple KMS servers have the same priority,
one of them is used.
 External key management service 530
Working with multiple KMS servers

While configuring a KMS (using CLI or API) in NetBackup you can choose a value
for these attributes. The options to set these attributes are available in the
configureKMS and updateKMSConfig options in the nbkmscmd CLI operation.

See “Configuring KMS” on page 525.

See “Updating KMS configuration” on page 526.

Migrating one KMS server to another KMS server

If you have a KMS server configured in your environment (for example NetBackup
KMS - KMS1) and you want to migrate to another KMS server (for example external
KMS - KMS2), use the following procedure:
To migrate from one KMS server (KMS1) to another KMS server (KMS2)
1 Create required keys in KMS2 to ensure all storage pools in the domain that
are enabled for encryption have keys in KMS2.
2 Run the following command to add the KMS2 configuration in NetBackup:
nbkmscmd -configureKMS -name KMS2 -type KMIP -port
port_to_connect_to_external_KMS_server -kmsServerName
network_name_of_external_KMS_server -credId credential_ID
-credNamecredential_name -enabledForBackup 1 -priority
priority_of_KMS_server -server master_server_name -description
description

3 Run the following command to update the enabledForBackup flag for KMS1:
nbkmscmd -updatekmsconfig -name KMS1 -enabledForBackup 0

So hence forth, none of the backups will be encrypted using keys from KMS1.
If a key is required and is not found in KMS2, NetBackup does not fall back to
KMS1.
4 Ensure that none of the existing backup images are encrypted using KMS1.
5 Delete the KMS1 configuration from NetBackup configuration.
If you have the images that were encrypted using the deleted KMS server
(KMS1), you cannot restore the data from such images. Reconfigure the KMS
server (KMS1) and ensure that the respective keys are available in that KMS
server before restoring the data.

Using a separate KMS server for each storage configuration

You may want to use separate KMS servers for different storage configurations.
For example, you can use one KMS server for tape storage and another for cloud
 External key management service 531
Working with multiple KMS servers

storage. You can also use separate KMS servers for different tape volumes or for
different MSDP storage servers.
NetBackup looks for keys from key groups. Each key group is associated with one
storage. For example, every encryption-enabled tape volume has a corresponding
key group.
To use separate KMS servers for tape and cloud storage
1 Add the first KMS configuration in NetBackup, say KMS1. The default value
of the enableForBackup attribute for KMS1 is 1.
2 Add the second KMS configuration in NetBackup, say KMS2. The default value
of the enableForBackup attribute for KMS2 is 1.
See “Configuring KMS” on page 525.
3 Create all the required key groups and keys for tapes in KMS1. Ensure that
none of the key groups correspond to cloud storage.
4 Create all the required key groups and keys for cloud storage in KMS2. Ensure
that none of the key groups correspond to tape.
See “Configuring keys in an external KMS for NetBackup consumption”
on page 527.
See “Creating keys in an external KMS” on page 528.
5 To verify the configuration, run backups using tape and cloud storage.
Encryption-enabled storage servers of type tape and cloud use different KMS
servers. During backup, NetBackup fetches the ordered KMS list and looks for
the key group in the first KMS server and then the other one.
So, if KMS1 has higher priority than KMS2, KMS1 is first searched for the
required key. Even for backups going on cloud storage, the key request first
goes to KMS1 and then KMS2. Therefore, you need to ensure that KMS1 does
not have any key group that corresponds to cloud storage.
During restores as well, the keys are searched in the available KMS servers
based on the priority.
 External key management service 532
Working with external KMS during backup and restore

Working with external KMS during backup and

restore
Backup
KMS workflow during backup
1 When you run a backup job, the media server sends the key request based
on the key group name or disk pool name to the KMS web service.
2 Keys in an external KMS server are created with an attribute x-keygroup.
Key group names for tape volume pools must have ENCR_ as a prefix.
3 The KMS web service connects with the external KMS server and validates if
an active key with custom attribute x-keyGroup is present. If the key is present,
the key is retrieved and returned to the media server.
4 If the external KMS is not configured or no such key is available in the external
KMS, the web service falls back to nbkms for the key lookup.

Restore
KMS workflow during restore
1 During restore, the media server sends Key ID or KAD (key associated data)
to the KMS web service to retrieve the key.
2 The KMS web service connects to all the KMS servers and retrieves all the
possible keys that match KAD.
3 The media server uses all the keys to find the matching key and uses that key
to decrypt the image.
4 If the KMS is configured and used for backup and restore, you can see the
KMS configuration details in the job details for tape, AdvancedDisk, and cloud
storage types.

Note: The KMS configuration details do not appear in the job details in case
of MSDP.

Checking the compatibility of KMS vendor with

NetBackup
Check the compatibility of the KMS vendor with NetBackup for successful
configuration of KMS in your environment.
 External key management service 533
Checking the compatibility of KMS vendor with NetBackup

See “Configuring KMS credentials” on page 523.

See “Configuring KMS” on page 525.
To check the compatibility of KMS vendor with NetBackup
1 Ensure that you to have the administrative privileges or the permissions from
the KMS administrator to perform KMIP compatibility operations on the KMS.
2 Run the following command:
nbkmiputil -ekmsCheckCompat|-ecc -extended -kmsServer
kms_server_name -port port -certPath cert_path -privateKeyPath
private_key_path -truststorepath trust_store_path

The -ekmsCheckCompat command option is useful when the KMS vendor is

not listed as a supported KMS vendor in the NetBackup hardware compatibility
list and you want to verify the compatibility of the vendor with NetBackup.
The command checks for issues related to execution of the KMIP operation
on the given KMS sever and the supported KMIP protocol versions.
The following validations and tasks are carried out when you run the command:
■ Checking KMIP version compatibility
■ Fetching server details
■ Validating KMIP operation
■ Creating keys
■ Deactivating keys
■ Compromising keys
■ Fetching active keys by key groups
■ Fetching NetBackup keys by key IDs
■ Setting key attributes
■ Fetching NetBackup keys based on attributes
■ Retrieving attributes that are set for a key from the server and verifying
them
■ Destroying keys that were created by this command option

3 If a check fails, contact Veritas Technical Support.

4 If the check passes, contact Veritas Technical Support to add this KMS vendor
in the NetBackup hardware compatibility list.
 External key management service 534
Key rotation

Key rotation
With external KMS, you can have one or more keys in a key group that are in active
state. NetBackup always picks up the most recent key from the active keys for data
encryption. If you want to change key for encryption (rotate key), create a new
active key under a specific key group. The most recently created key is used for
subsequent encryption request for that key group.

Note: After any update in external KMS configuration or keys, NetBackup may take
some time to consume appropriate key in backup or restore workflow. This is
because NetBackup caches the key for 10 minutes (for external KMS).
To immediately consume a key, cache can be cleared by executing the following
command on the respective media server:
bpclntcmd -clear_host_cache

Disaster recovery when catalog backup is

encrypted using an external KMS server
As part of a catalog backup, an email notification is sent that contains the disaster
recovery (DR) package information. If the catalog backup image is encrypted, the
email also contains KMS information. You need to configure the KMS servers that
are listed in the email before the catalog restore.
 External key management service 535
Alerts for expiration of KMS credentials

To restore a catalog when the catalog backup is encrypted using an external

KMS server
1 Install NetBackup using the appropriate DR package.
2 The disaster recovery email contains KMS-specific information as follows:
The primary server ms1.example.veritas.com is configured to use
the following Key Management Servers.

KMS Server Name = kms1.example.veritas.com, KMS Server Type =

KMIP

KMS Server Name = kms2.example.veritas.com, KMS Server Type =

KMIP

KMS Server Name = ms1.example.veritas.com, KMS Server Type = NBKMS

Configure the KMS servers that are listed in the email.

3 Perform catalog restore.
Refer to the NetBackup Troubleshooting Guide.

Alerts for expiration of KMS credentials

NetBackup uses the certificates that are stored in credential manager service to
connect to KMS server. If this certificate is expired, jobs fail. To avoid job failures,
you can configure the notifications that you can receive when the credential
certificate is about to expire.
Refer to the NetBackup Administrator's Guide, Volume I to configure notifications.
 Chapter 25
Ciphers used in
NetBackup for secure
communication
This chapter includes the following topics:

■ Ciphers used in NetBackup

Ciphers used in NetBackup

This section lists the ciphers that NetBackup uses for secure communication.
 Ciphers used in NetBackup for secure communication 537
Ciphers used in NetBackup

Table 25-1 Ciphers used in NetBackup for web access

Product Local account password Web access

encryption
Connections Enabled transmission ciphers

NetBackup NetBackup typically does not use TLSv1.2
10.x local accounts. Instead, accounts
that are defined on the local OS or
an external identity provider
(SAML, AD, or LDAP) are used.
Web Services (ports 443 and 1556):
ECDHE_RSA_WITH_AES_128_GCM_SHA256
DHE_RSA_WITH_AES_128_GCM_SHA256
ECDHE_RSA_WITH_AES_256_GCM_SHA384

DHE_RSA_WITH_AES_256_GCM_SHA384

Secure communications (control and data

channels):

ECDHE-RSA-AES256-GCM-SHA384

RabbitMQ (port 13781):

ECDHE-RSA-AES256-GCM-SHA384

DHE-RSA-AES256-GCM-SHA384

Table 25-2 Ciphers used in NetBackup for authentication

Product Local account Authentication services connections

password
encryption Active Directory LDAP Ciphers
Domain Controllers authentication

NetBackup NetBackup typically If configured, NetBackup Simple ECDHE-RSA-AES256-GCM-SHA384

10.2 does not use local uses Openldap to connect authentication
DHE-RSA-AES256-GCM-SHA384
accounts. Instead, directly to LDAP or AD
accounts that are servers. Both LDAP and ECDHE-RSA-AES256-SHA384
defined on the local LDAPS (LDAP over TLS) ECDHE-RSA-AES256-SHA
OS or an external are supported
identity provider DHE-RSA-AES256-SHA
(SAML, AD, or
LDAP) are used.
 Ciphers used in NetBackup for secure communication 538
Ciphers used in NetBackup

Table 25-3 Ciphers used in NetBackup for data at rest encryption

Product Local account Data at rest encryption

password
encryption Hardware or software-based Ciphers
encryption

NetBackup 10.x NetBackup typically Software based except for tape MSDP: AES-256-CTR
does not use local drive encryption
Legacy cloud connector and
accounts. Instead,
Advanced Disk Crypt:
accounts that are
defined on the local AES-256-CFB
OS or an external Client encryption (selected by
identity provider customer):
(SAML, AD, or LDAP)
are used. AES-128-CFB (default)

BF-CFB

DES-EDE-CFB

AES-256-CFB

Tape drive encryption

(hardware-based):

AES-256
 Chapter 26
FIPS compliance in
NetBackup
This chapter includes the following topics:

■ About FIPS

■ About FIPS support in NetBackup

■ Prerequisites

■ Specify entropy randomness in NetBackup

■ Configure FIPS mode in your NetBackup domain

■ Enable FIPS mode on NetBackup during installation

■ Enable FIPS mode on a NetBackup host after installation

■ Enable FIPS mode for the NetBackup Authentication Broker service

■ Enable FIPS mode for the NetBackup Administration Console

■ Disable FIPS mode for NetBackup

■ NB_FIPS_MODE option for NetBackup servers and clients

■ USE_URANDOM for NetBackup servers and clients

About FIPS
The Federal Information Processing Standards (FIPS) define U.S. and Canadian
Government security and interoperability requirements for computer systems. The
FIPS 140-2 standard specifies the security requirements for cryptographic modules.
It describes the approved security functions for symmetric and asymmetric key
 FIPS compliance in NetBackup 540
About FIPS support in NetBackup

encryption, message authentication, and hashing. For more information about the
FIPS 140-2 standard and its validation program, see the National Institute of
Standards and Technology (NIST) and the Communications Security Establishment
Canada (CSEC) Cryptographic Module Validation Program website at the following
location:
http://csrc.nist.gov/groups/STM/cmvp

About FIPS support in NetBackup

By default, FIPS mode is disabled in NetBackup.
The following workloads are supported in FIPS-compliant mode:
■ Oracle, MS-SQL, SAP HANA, DB2, VMware, Hyper-V, RHV, Nutanix,
DynamicNAS, MongoDB, Hadoop, HBase, MySQL, PostgreSQL, SQLite,
MariaDB, SharePoint
■ Cassandra, Sybase, Informix, MS-Exchange, Enterprise Vault, BMR, Universal
Shares, OpenStack (cloud-based solution)
The following operating system-level support is available in FIPS mode:
■ Once you enable FIPS mode on RHEL 8, the operating system requires that
each RPM package has a SHA-256 digest. RPMs that do not have this digest
will fail to install. The RPMs that are built using the native toolchain present on
RHEL 6 or RHEL 7 platforms do not include a SHA-256 digest and therefore
can fail to install on RHEL 8 when FIPS mode is enabled. This issue affects
NetBackup 9.1 and earlier setups as packages for these versions are built using
the OS native toolchain on RHEL 7 or earlier.
Starting with NetBackup 10.0, the packages are built using a toolchain that adds
the SHA-256 digest and these can be installed on RHEL 8 with FIPS mode
enabled.
The following components, configurations, or operations are not supported in FIPS
mode:
■ Client-side encryption

Note: To perform a backup with client-side encryption, you need to disable FIPS
mode on the client host.

■ NDMP backups
■ Scripts (Perl, batch, shell, python) that are executed within NetBackup
 FIPS compliance in NetBackup 541
Prerequisites

■ Binaries or utilities: restore_spec_utility, nbcallhomeproxyconfig, nbbsdtar,

nbrepo

■ NetBackup domain with NBAC enabled

If NBAC is configured in the NetBackup domain, it is recommended that you do
not enable FIPS mode.
■ The MQBROKER processes do not support NetBackup-level FIPS configuration
on Windows.
■ MIT Kerberos used by Hadoop and HBase does not operate with a FIPS-enabled
OpenSSL. To perform backup with Kerberos authentication, you need to disable
FIPS on the backup host.
■ NetBackup CloudPoint does not support the CloudPoint host that is configured
in FIPS mode.
■ SharePoint internally uses encryption algorithms that do not comply with FIPS
standards. The Windows FIPS policy blocks the MD5 hashing algorithms that
SharePoint uses. Therefore, the OS-level FIPS policy should be disabled for
the SharePoint restores for successful operation.
Note that NetBackup-FIPS is supported for protecting SharePoint.
See the following articles for more details:
FIPS and SharePoint Server
SharePoint 2016 and FIPS

Prerequisites
Review the given prerequisites before you configure FIPS in your NetBackup
environment.
■ Ensure the following before FIPS mode is enabled in the NetBackup domain
and on the NetBackup clients.
■ The NetBackup primary server and media servers are 10.0 or later.
■ NetBackup clients are 8.1 or later.
■ You have reviewed FIPS support information.
See “About FIPS support in NetBackup” on page 540.

Note: If FIPS mode is enabled and the backups are targeted to the media server
deduplication pool (MSDP), the CPU consumption of your system may increase.

■ For seamless SSL communication among the NetBackup processes while FIPS
mode is enabled, ensure the following:
 FIPS compliance in NetBackup 542
Specify entropy randomness in NetBackup

■ The NetBackup CA private key is in a FIPS-compliant encryption format that

is PKCS 8.
■ The private key is generated with a FIPS-compliant algorithm for example,
RSA.
■ The private key strength of the NetBackup CA is set to 2048 or 3072 bits.
If the private key strength does not match the supported value, migrate the
CA.
See “Migrating NetBackup CA” on page 355.
If you have configured external CA, contact the concerned security
administrator.
See “About external CA support in NetBackup” on page 397.
■ The ongoing NetBackup CA migration process is complete.

Warning: If the prerequisites are not met, some of the NetBackup functions
may not work.

Specify entropy randomness in NetBackup

In computing, entropy is the randomness collected by an operating system or
application for use in cryptography or other uses that require random data.
This requirement is only for Linux platforms and with Java programs or processes.
You need to specify which randomness to use with JVM arguments. If not specified,
it uses dev/random by default.
The following is specified as JVM arguments to the Java program:
-DjavaDjava.security.egd=file:/dev/./random

Enable the use_urandom configuration option to make use of dev/urandom and

restart the services or re-launch the NetBackup Administration Console.
See “USE_URANDOM for NetBackup servers and clients” on page 552.

Configure FIPS mode in your NetBackup domain

This section provides steps to enable FIPS mode in your NetBackup domain. Before
proceeding with the steps, ensure that the prerequisites are met in your environment.
See “Prerequisites” on page 541.
See “About FIPS support in NetBackup” on page 540.
 FIPS compliance in NetBackup 543
Enable FIPS mode on NetBackup during installation

Configure FIPS mode on NetBackup during installation

You can configure FIPS mode on NetBackup during installation. Refer to the
following topics:
1. See “Enable FIPS mode on NetBackup during installation” on page 543.
2. See “Enable FIPS mode for the NetBackup Administration Console” on page 546.

Configure FIPS mode on NetBackup after installation

You can configure FIPS mode on NetBackup after installation. Refer to the following
topics:

Note: Ensure that the required configuration steps are carried out on every
NetBackup host as applicable.

1. Enable FIPS mode for each host in the NetBackup domain.

See “Enable FIPS mode on a NetBackup host after installation” on page 544.
■ You must carry out the following step if the host is a primary server:
You must enable FIPS mode for the NetBackup Authentication Broker (AT)
by updating the VRTSatlocal.conf configuration file on the primary server.
See “Enable FIPS mode for the NetBackup Authentication Broker service”
on page 545.

2. Enable FIPS mode for the NetBackup Administration Console.

See “Enable FIPS mode for the NetBackup Administration Console” on page 546.

Enable FIPS mode on NetBackup during

installation
NetBackup lets you enable FIPS mode during installation. For more information,
refer to the NetBackup Installation Guide.
After you enable FIPS mode on NetBackup during installation, enable FIPS mode
for the NetBackup Administration Console.
See “Enable FIPS mode for the NetBackup Administration Console” on page 546.
 FIPS compliance in NetBackup 544
Enable FIPS mode on a NetBackup host after installation

Enable FIPS mode on a NetBackup host after

installation
This section provides steps to enable FIPS mode on a primary server, a media
server, or a client in a NetBackup domain. You should do the following configurations
on each host to enable FIPS.
If the host is a primary server, enable FIPS mode for the NetBackup Authentication
Broker (AT) by updating the VRTSatlocal.conf configuration file on the primary
server.
See “Enable FIPS mode for the NetBackup Authentication Broker service”
on page 545.
To enable FIPS mode on a NetBackup host
1 Enable the NB_FIPS_MODE flag in the NetBackup configuration file.
See “NB_FIPS_MODE option for NetBackup servers and clients” on page 551.
2 Restart the NetBackup services.
To verify if a certain daemon or a command runs in FIPS mode, check the respective
logs. The log lines are available only for the daemons and commands that use
cryptography.
Example 1: To verify if the nbcertcmd command runs in FIPS mode
1 Run the following command:
nbcertcmd -ping

Location of the command:

Windows: install_path\NetBackup\bin\nbcertcmd
UNIX: /usr/openv/netbackup/bin/nbcertcmd
2 Check the nbcertcmd logs.
Location of the log directory:
Windows: install_path\NetBackup\logs\nbcert
UNIX: /usr/openv/netbackup/logs/nbcert
The following log lines should be present:

<2> nbcertcmd: ./nbcertcmd -ping ProcessContext: ProcessName:[nbcertcmd],

FipsMode:[ENABLED], Username:[root], IsServiceAdmin:[0], UserID:[0], GroupID:[0]
 FIPS compliance in NetBackup 545
Enable FIPS mode for the NetBackup Authentication Broker service

Example 2: To verify if the NetBackup Web Management Console runs in FIPS

mode
◆ By default, FIPS mode is disabled when the NetBackup Web Management
Console (nbwmc) service runs. FIPS mode is enabled for the nbwmc service
after you enable it for the NetBackup host.
Check the catalina log file on the NetBackup primary server host to verify if
the nbwmc service runs in FIPS mode.
Location of the log file:
Windows:
install_path\NetBackup\wmc\webserver\logs\catalina-date.log

UNIX: /usr/openv/wmc/webserver/logs/catalina-date.log
The following log lines should be present:

The nbwmc service is running in FIPS approved mode

Enable FIPS mode for the NetBackup

Authentication Broker service
The NetBackup Authentication Broker (nbatd) service runs only on the NetBackup
primary server, therefore you need to enable FIPS mode on the primary server to
enable it for the nbatd service.
FIPS mode is disabled by default.

Note: From version 10.5 and later, for Cloud Scale deployment, the nbatd
containerized service is running in a separate Kubernetes Pod cluster server rather
than the NetBackup primary server Pod. To enable the FIPS mode for the NetBackup
Authentication Broker service, execute the same steps on the nbatd containerized
service mentioned in the section Enable FIPS mode for the NetBackup
Authentication Broker service.
 FIPS compliance in NetBackup 546
Enable FIPS mode for the NetBackup Administration Console

To enable FIPS mode for the nbatd service or the nbatd containerized service
1 Open the following directory on the primary server:
On UNIX: /usr/openv/netbackup/sec/at/bin/
On Windows: install_path\NetBackup\sec\at\bin\
2 Run the following command:
On UNIX: run vssregctl -s -f
/usr/openv/var/global/vxss/eab/data/root/.VRTSat/profile/VRTSatlocal.conf
-b "Security\Authentication\Client" -k FipsMode -t int -v 1

On Windows: run vssregctl -s -f

"install_path\NetBackup\var\global\vxss\eab\data\systemprofile\VRTSatlocal.conf"
-b "Security\Authentication\Client" -k FipsMode -t int -v 1

For example:
If the install_path is "C:\Program Files\VERITAS" location, run the following
command on Windows:
vssregctl -s -f "C:\Program
Files\VERITAS\NetBackup\var\global\vxss\eab\data\systemprofile\VRTSatlocal.conf"
-b "Security\Authentication\Client" -k FipsMode -t int -v 1 3

Check the nbatd logs.

Location of the nbatd logs:
On UNIX:
/usr/openv/logs/nbatd

On Windows:
install_path\NetBackup\logs\nbatd

The following log lines should be present:

*** Trying to start Broker In FIPS mode ***

*** Broker In FIPS mode already ***

3 Restart the NetBackup services.

Enable FIPS mode for the NetBackup

Administration Console
By default, FIPS mode for the NetBackup Administration Console is disabled.
 FIPS compliance in NetBackup 547
Enable FIPS mode for the NetBackup Administration Console

To enable FIPS mode for the NetBackup Administration Console (on local or
remote host)
1 Open the NetBackup Administration Console configuration file.
■ On Windows computers, the file containing configuration options for the
NetBackup Administration Console is: install_path\java\nbj.conf
■ On UNIX computers, the file containing configuration options for the
NetBackup Administration Console is: /usr/openv/java/nbj.conf

2 In the configuration file, enable the NB_FIPS_MODE option. Use the following
format:
NB_FIPS_MODE = true

3 Save the changes.

4 Restart the NetBackup Administration Console.
To verify if the NetBackup Administration Console runs in FIPS mode
◆ Check the NetBackup Administration Console logs.
Log location:
On Windows:
install_path\logs\user_ops\nbjlogs\jbp.root.jnbSA.pid.log

On UNIX: /usr/openv/netbackup/logs/user_ops/nbjlogs/jbp.root.jnbSA.
pid.log

On a standalone console, create a directory structure and check the logs.

If the log file contains the following log lines, it means the console runs in FIPS
mode:

com.safelogic.cryptocomply.fips.approved_only: true

It should have the following log lines:

JavaPresentationLayer- FIPS mode enforced. Reconfiguring SunJSSE.

JavaPresentationLayer- Administration console is running in FIPS approved

Note: This FIPS mode configuration does not affect the NetBackup KMS FIPS
mode. NetBackup KMS continues to run in FIPS mode by default.
 FIPS compliance in NetBackup 548
Disable FIPS mode for NetBackup

Disable FIPS mode for NetBackup

The following configurations are required to disable FIPS mode in your NetBackup
domain:
■ Disable FIPS mode for each NetBackup host.
See “Disable FIPS mode for a NetBackup host” on page 548.
■ Disable FIPS mode for the NetBackup Authentication Broker (nbatd) service.
See “Disable FIPS mode for NetBackup Authentication broker (nbatd) ”
on page 549.
■ Disable FIPS mode for the NetBackup Administration Console.
See “Disable FIPS mode for the NetBackup Administration Console” on page 551.

Disable FIPS mode for a NetBackup host

Carry out the following steps on each NetBackup host to disable FIPS mode.
To disable FIPS mode for a host
1 Disable the NB_FIPS_MODE flag in the NetBackup configuration file.
See “NB_FIPS_MODE option for NetBackup servers and clients” on page 551.
2 Restart the NetBackup services.
To verify if FIPS mode is disabled for a certain daemon or a command, check the
respective logs. The log lines are available only for the daemons and commands
that use cryptography.
Example 1: To verify if FIPS mode is disabled for the nbcertcmd command
1 Go to the following directory:
UNIX: /usr/openv/netbackup/bin
Windows: install_path\NetBackup\bin
2 Run the following command: nbcertcmd -ping
3 Go to the nbcertcmd logs at the following directory:
UNIX: /usr/openv/netbackup/logs/nbcert
Windows: install_path\NetBackup\logs\nbcert
4 Check the logs. The log file should contain the following log lines:

ProcessContext: ProcessName:[nbcertcmd], FipsMode:[DISABLED], Username:[ro

IsServiceAdmin:[0], UserID:[0], GroupID:[0]
 FIPS compliance in NetBackup 549
Disable FIPS mode for NetBackup

Example 2: To verify if FIPS mode is disabled for the NetBackup Web

Management Console (nbwmc) service
1 Disabling FIPS mode for NetBackup services also disable FIPS mode for nbwmc
service running on the primary server host.
Open the following log file on the NetBackup primary server host:
UNIX: /usr/openv/wmc/webserver/logs/catalina-date.log
Windows:
install_path\NetBackup\wmc\webserver\logs/catalina-date.log

2 Check if the log file contains the following log line:

The nbwmc service is running in non-FIPS mode

Disable FIPS mode for NetBackup Authentication broker (nbatd)

Carry out the following steps to disable FIPS mode for nbatd that runs on NetBackup
primary server host.
 FIPS compliance in NetBackup 550
Disable FIPS mode for NetBackup

To disable FIPS mode for nbatd

1 Open the following directory on the primary server.
On UNIX:
/usr/openv/netbackup/sec/at/bin/

On Windows:
install_path\NetBackup\sec\at\bin\

2 Run the following command:

On UNIX:
run vssregctl -s -f
/usr/openv/var/global/vxss/eab/data/root/.VRTSat/profile/VRTSatlocal.conf
-b "Security\Authentication\Client" -k FipsMode -t int -v 0

On Windows
run vssregctl -s -f
"install_path\NetBackup\var\global\vxss\eab\data\systemprofile\VRTSatlocal.conf"
-b "Security\Authentication\Client" -k FipsMode -t int -v 0

Suppose the install_path is "C:\Program Files\VERITAS", run the following

command on Windows:
vssregctl -s -f "C:\Program
Files\VERITAS\NetBackup\var\global\vxss\eab\data\systemprofile\VRTSatlocal.conf"
-b "Security\Authentication\Client" -k FipsMode -t int -v 0

3 Restart the NetBackup services.

To verify if FIPS mode is disabled for the nbatd service
1 Go to the nbatd logs at:
UNIX:
/usr/openv/logs/nbatd/

Windows:
install_path\NetBackup\logs\nbatd\

2 Check if the log file has the following log line:

Broker Not In FIPS mode

 FIPS compliance in NetBackup 551
NB_FIPS_MODE option for NetBackup servers and clients

Disable FIPS mode for the NetBackup Administration Console

Carry out the following steps on each NetBackup host to disable FIPS mode.
To disable FIPS mode for the NetBackup Administration Console (on a local
or a remote host)
1 Open the NetBackup Administration Console configuration file.
On Windows computers, the file containing configuration options for the
NetBackup Administration Console is: install_path\java\nbj.conf
On UNIX computers, the file containing configuration options for the NetBackup
Administration Console is: /usr/openv/java/nbj.conf
2 In the configuration file, disable the NB_FIPS_MODE option. Use the following
format:
NB_FIPS_MODE = false
3 Save the changes.
4 Restart the NetBackup Administration Console.
To verify if FIPS mode is disabled for the NetBackup Administration Console
◆ Check the NetBackup Administration Console logs.
Log location:
On UNIX: /usr/openv/netbackup/logs/user_ops/nbjlogs/jbp.root.jnbSA.
pid.log

On Windows:
install_path\logs\user_ops\nbjlogs\jbp.root.jnbSA.pid.log

On a standalone console, create a directory structure (for example, C:\Program

Files\Veritas\NetBackup\logs\user_ops\nbjlogs) and check the logs.

If the log file contains the following log lines, it means FIPS mode is disabled
for the console:

JavaPresentationLayer- Fips approved mode system property is - false

JavaPresentationLayer- Administration console is running in non-FIPS mode

NB_FIPS_MODE option for NetBackup servers

and clients
Use the NB_FIPS_MODE option to enable the FIPS mode in your NetBackup domain.
 FIPS compliance in NetBackup 552
USE_URANDOM for NetBackup servers and clients

Table 26-1 NB_FIPS_MODE information

Usage Description

Where to use On NetBackup servers or clients.

How to use Use the nbgetconfig and the nbsetconfig commands

to view, add, or change the option.

For information about these commands, see the NetBackup

Commands Reference Guide.

By default, the NB_FIPS_MODE option is disabled.

To enable the option, use the following format:

NB_FIPS_MODE = ENABLE

To disable the option, use the following format:

NB_FIPS_MODE = DISABLE

Equivalent NetBackup web UI No equivalent exists in the host properties.

property

USE_URANDOM for NetBackup servers and

clients
In computing, entropy is the randomness collected by an operating system or
application for use in cryptography or other uses that require random data.
Enable the USE_URANDOM option to specify /dev/urandom as the character device
to provide cryptographically secure random output in your NetBackup environment.

Table 26-2 USE_URANDOM information

Usage Description

Where to use On NetBackup servers or clients.

 FIPS compliance in NetBackup 553
USE_URANDOM for NetBackup servers and clients

Table 26-2 USE_URANDOM information (continued)

Usage Description

How to use Use the nbgetconfig and the nbsetconfig commands

to view, add, or change the option.

For information about these commands, see the NetBackup

Commands Reference Guide.

The default value of the USE_URANDOM option is 0. When

the USE_URANDOM option is set to default, the character
device to be used is based on the value of the
NB_FIPS_MODE option. If NB_FIPS_MODE is enabled,
dev/random is used. If NB_FIPS_MODE is disabled,
dev/urandom is used.

See “NB_FIPS_MODE option for NetBackup servers and

clients” on page 551.

To enable the USE_URANDOM option, use the following

format:

USE_URANDOM = 1

If USE_URANDOM is set to 2 (or is disabled), the dev/random

character device is used to provide cryptographically secure
random output.

Equivalent NetBackup web UI No equivalent exists in the host properties.

property
 Chapter 27
NetBackup web services
account
This chapter includes the following topics:

■ About the NetBackup web services account

■ Changing the web service user account

About the NetBackup web services account

Beginning with NetBackup 8.0, the NetBackup primary server includes a configured
web server to support critical backup operations. This web server operates under
user account elements with limited privileges. These user account elements must
be available on each primary server (or each node of a clustered primary server).
NetBackup requires account information for web services as part of the NetBackup
primary server installation.
More information is available on configuring this account prior to installation and
on how to change the account after installation.
See the NetBackup Installation Guide for information on how to create the web
server user and group.
See “Changing the web service user account” on page 555.

Note: For security purposes, do not allow the web server users or groups to have
administrator or superuser privileges.
 NetBackup web services account 555
Changing the web service user account

Changing the web service user account

To support changing web service user accounts, use the utility script wmcUtils.
This utility script does not validate if a web service user and group exist. Before
you use this utility, you must ensure that the web service user and the group exist
and the user is part of the group. Consider the following when changing the web
service user account:
■ If your environment uses Windows domain users, use the DOMAIN\USER format.
■ If you use a clustered environment on a Windows platform, the NetBackup web
services user account must be a DOMAIN user. (Example: AD user)
■ If you use non-clustered environments, the NetBackup web service user can
be a local or a domain user.
■ If you use a clustered environment on Linux or UNIX platforms, the NetBackup
web service user can be a local user. Additionally, the group can be a local
group. The NetBackup web service user must have the same name and UID
on all nodes of the cluster. Also, the group must have the same name and GID
on all nodes of the cluster. It is recommended to use domain users (Example:
NIS) for clustered environments.

Note: Do not use the logged on user to run the wmcUtils utility script. If you are
logged into an environment as my_domain\my_user, you cannot use this account
to run the NetBackup Web Management Console service. NetBackup does not
support this scenario.

To change the web service user account on Windows

1 Open command prompt.
2 Change the directory to: install_path\wmc\bin\install
3 Run wmcUtils.bat -changeUser to change the web service user.
Example: (nbwebsvc1 is the web service user and nbwebgrp1 is the user group
that nbwebsvc1 is a member of)

wmcUtils.bat -changeUser nbwebsvc1 nbwebgrp1

For more information about the wmcUtils.bat utility script, use the
wmcUtils.bat -help option.

4 (Conditional) If using a clustered environment, run wmcUtils.bat -changeUser

on the active and the inactive nodes.
 NetBackup web services account 556
Changing the web service user account

5 Enter the web service user password (example: nbwebsvc1) when prompted
by the script.
The NetBackup Web Management Console service is restarted when the correct
password is entered. If you enter an incorrect password, a Logon failure error
is displayed before the NetBackup Web Management Console service starts.
6 To verify that the web service user is changed, ensure that
install_path\bin\nbcertcmd.exe -ping works.

Note: The output of wmcUtils.bat utility script is captured in the

nbwmc_support.log. The log is located here:
install_path\wmc\webserver\logs\nbwmc_support.log

To change the web service user account on Linux or UNIX

1 Open a shell.
2 Change the directory to: /usr/openv/wmc/bin/install
3 Run wmcUtils -changeUser to change the web service user.
Example: (nbwebsvc1 is the web service user and nbwebgrp1 is the user group
that nbwebsvc1 is a member of)

usr/openv/wmc/bin/install/wmcUtils -changeUser nbwebsvc1 nbwebgrp1

For more information about the wmcUtils utility script, use the wmcUtils -help
option.
4 (Conditional) If using a clustered environment, run wmcUtils.bat -changeUser
on the active and the inactive nodes.
5 Enter the web service user password (example: nbwebsvc1) when prompted
by the script.
The NetBackup Web Management Console service is restarted when the correct
password is entered. If you enter an incorrect password, a Logon failure error
is displayed before the NetBackup Web Management Console service starts.
6 To verify that the web service user is changed, ensure that
/usr/openv/netbackup/bin/nbcertcmd -ping works.

Note: The output of wmcUtils utility script is captured in the nbwmc_support.log.

The log is located here: /usr/openv/wmc/webserver/logs/nbwmc_support.log
 Chapter 28
Running NetBackup
services with
non-privileged user
(service user) account
This chapter includes the following topics:

■ About a NetBackup service user account

■ Configuring a service user account

■ Changing a service user account after installation or upgrade

■ Giving access permissions to service user account on external paths

■ NetBackup services that run with the service user account

About a NetBackup service user account

Starting with NetBackup 9.1, most of the primary server services can be run with
a non-privileged user, which is highly recommended. The non-privileged user is
referred to as service user and is intended only to run NetBackup services.

Important considerations for using a service user account

Review the following to run NetBackup services with the service user account.
■ Do not use the service user account to perform any NetBackup operations. The
service user account is intended only to run NetBackup services.
 Running NetBackup services with non-privileged user (service user) account 558
About a NetBackup service user account

■ It is recommended that the primary group of the service user must only be for
the service user.
■ It is not recommended to use the root user as the service user.
■ The nbwebsvc user should not be used as the service user.
■ nbwebgrp must be a secondary group of the service user.

■ Number of processes that can be run with the service user must be same as
the processes that run with the root user.
Use ulimit -u to find the maximum number of user processes that can run
with the service user.
■ Number of files that can be opened with the service user must be same as the
files that are opened with the root user.
Use the ulimit -Hn command to view the maximum number of files that can
be open with the service user.
■ Using a service user account other than the root user account involves a one-time
conversion that may significantly increase the upgrade time based on your
catalog size.
■ Other than the installation directory, all external paths must be accessible by
the service user.
See “Giving access permissions to service user account on external paths”
on page 560.
■ Environment variable paths must be accessible by the service user.
■ The service user must have access to the OS temporary directory that is usually
/tmp or /var/tmp. This may be dictated by P_tmpdir macro.

■ Service user account can be a password-less account.

■ If a service user is configured, legacy log files (/user/openv/netbackup/logs
on UNIX or C:\Program Files\Veritas\NetBackup\logs on Windows) have
a prefix as SERVICE_USER.
For example: SERVICE_USER.040921_00001.log
■ The service user name must contain less than 32 characters and must have
English characters only.
■ If the bpcd and vnetd processes run under an application account such as
Oracle Admin, you must not change that account to the service user account.
 Running NetBackup services with non-privileged user (service user) account 559
Configuring a service user account

Configuring a service user account

The service user must be created in advance and must have nbwebgrp as the
secondary group.

Configuring a service user account on UNIX

During installation or upgrade of the primary server on UNIX, you can see a new
prompt to specify a new user - preferably a non-root user - that can be used as a
service user. Most daemons on the primary server now run with the new service
user.
To create the local user account on UNIX, run the following command:
useradd -c 'NetBackup Services account' -d /usr/openv/
service_user_name

To add the service user to the nbwebgrp secondary group, run the following
command:
usermod -a -G nbwebgrp service_user_name

Review the following:

■ In a clustered environment, ensure that local accounts are defined consistently
on all cluster nodes. If you use a clustered environment on Linux or UNIX
platforms, the NetBackup service user can be a local user. The NetBackup
service user must have the same name and UID on all nodes of the cluster.
■ It is recommended to use domain users (for example: NIS) in a clustered
environment. LDAP accounts are supported and can be used on UNIX.
■ The NetBackup service account must use a POSIX compliant shell.

Configuring a service user account on Windows

On Windows, fresh installation uses the Local Service built-in account. There is no
change in the upgrade process.

Changing a service user account after installation

or upgrade
On UNIX, you can change service user account to any other user account using
the nbserviceusercmd command.
On Windows, you can change service user account to Administrator, Local System
or Local Service using nbserviceusercmd command.
Refer to the NetBackup Commands Reference Guide for more details.
 Running NetBackup services with non-privileged user (service user) account 560
Giving access permissions to service user account on external paths

Giving access permissions to service user

account on external paths
NetBackup operations fail if the service user account does not have access
permissions on directory paths that are external to NetBackup and their contents.
Other than the installation directory, all external paths must be accessible by the
service user account, for example:
■ Disaster recovery (DR) path
■ External CA certificate paths
■ External paths that are used as parameters to the following commands:
■ nbdb_admin

■ create_nbdb

■ nbdb_move

■ nbdb_backup

■ nbdb_restore

■ nbdb_unload

■ cat_export

■ cat_import

To give access permissions to service user account on external paths

1 Ensure that the paths that are specific to NetBackup operations are not shared
across multiple users on the host.
■ On UNIX, ensure that the paths are not as follows:
/tmp, /root, or home directory of any other non-root user
■ On Windows, ensure that the paths are not directories of a different user
account that resides in C:\users.

2 Run the following command to give access to the service user account on
external paths and their contents:
■ On UNIX: chown -R service_user_name path
After the chown command is run, verify if the service user can write to the
specified path using the following command:
su service_user_name -c "touch path/test.txt"

■ On Windows:
netbackup_install_path\NetBackup\bin\goodies\nbserviceusercmd.exe
-addacl path -reason reason
 Running NetBackup services with non-privileged user (service user) account 561
NetBackup services that run with the service user account

NetBackup services that run with the service user

account
Windows UNIX

NetBackup Request Daemon bprd

NetBackup Database Manager bpdbm

- bpjobd

NetBackup Compatibility Service bpcompatd

NetBackup Audit Manager nbaudit

NetBackup Event Manager nbevtmgr

NetBackup Enterprise Media Manager nbemm

NetBackup Resource Broker nbrb

NetBackup Job Manager nbjm

NetBackup Policy Execution Manager nbpem

NetBackup Service Layer nbsl

NetBackup Storage Lifecycle Manager nbstserv

NetBackup Proxy Service nbproxy

NetBackup Indexing Manager nbim

NetBackup Agent Request Server nbars

NetBackup Key Management Service nbkms

NetBackup Vault Manager nbvault

Anomaly Detection Management Service nbanomalymgmt

 Running NetBackup services with non-privileged user (service user) account 562
NetBackup services that run with the service user account

Windows UNIX

vnetd-child-proxies vnetd-child-proxies

■ vnetd -proxy inbound_proxy -number 0 ■ vnetd -proxy inbound_proxy

■ vnetd -proxy outbound_proxy -number 0 -number 0
■ vnetd -proxy http_api_tunnel -number 0 ■ vnetd -proxy outbound_proxy
■ vnetd -proxy http_pbx_tunnel -number 0 -number 0
■ vnetd -proxy
Note: If you have selected Administrator account as a privileged service
http_api_tunnel -number 0
account (the user account that the vnetd standalone service uses) then the
■ vnetd -proxy
vnetd child proxies run with the same Administrator account.
http_pbx_tunnel -number 0
 Chapter 29
Running NetBackup
commands with
non-privileged user
account
This chapter includes the following topics:

■ Running NetBackup commands using the nbcmdrun wrapper command

Running NetBackup commands using the

nbcmdrun wrapper command
nbcmdrun is a wrapper command that is used to run other NetBackup commands
on a NetBackup host. The NetBackup host can be a primary server, a media server,
or a client.
Certain NetBackup commands can be run only by the Operating System (OS)
Administrator. A user with the NetBackup administrator role that is defined in
NetBackup role-based access (RBAC) system cannot run these commands.
With the nbcmdrun utility, a non-privileged OS user can run these commands based
on RBAC permissions. With the NetBackup Command-line Administrator role, a
non-privileged OS user can run most of the NetBackup commands.
Use the nbcmdrun -listcommands to list all commands that nbcmdrun supports.
See the NetBackup Commands Reference Guide for more information on the
nbcmdrun command.
 Running NetBackup commands with non-privileged user account 564
Running NetBackup commands using the nbcmdrun wrapper command

How does nbcmdrun function

To run a NetBackup command with nbcmdrun, the nbcmdrun command and service
user must be enabled on the NetBackup host.
By default, the nbcmdrun command is enabled. However, if nbcmdrun is disabled,
you can reenable it.
See “Reenable the nbcmdrun command” on page 565.
You should do a web login in the current NetBackup domain using the bpnbat
-login -loginType web command. The current NetBackup domain is commonly
referred to as the domain of the first server entry in the NetBackup configuration
(bp.conf file on UNIX or Windows registry).
You should run nbcmdrun from a directory on which you have read and write access.
You need to provide the base name of the command, followed by the command
arguments.
For example: nbcmdrun mklogdir -create bpcd.

Workflow of nbcmdrun
Figure 29-1 nbcmdrun workflow diagram

User context (John) Service context (NBPas or vnetd)

nbcmdrun <command> NBPas or vnetd

- User authorization
- Input validation
- Auditing
- Command execution
nbcmdrun nbdb_move Runs in service user
context (vnetd)
nbcmdrun tpconfig Runs in privileged
user context
nbcmdrun bppolicynew (NBPas)

Runs in user context

(John)

1. nbcmdrun validates the input command and retrieves the JSON web token
(JWT) of the user.
 Running NetBackup commands with non-privileged user account 565
Running NetBackup commands using the nbcmdrun wrapper command

2. nbcmdrun connects to NBPas and presents the user JWT to NBPas.

3. NBPas validates the user JWT, input command, and arguments. It invokes the
input command in the service user context or the privileged user context.
The commands that are run by NBpas are audited.

Caution: When a NetBackup command is run using nbcmdrun, the password that
is provided for certain commands may be visible on the screen.

Disable the nbcmdrun command

Use this topic to disable the nbcmdrun command.
See “Reenable the nbcmdrun command” on page 565.
To disable the nbcmdrun command
1 The system administrator should create a touch file called ENABLE_NBCMDRUNwith
content 0.

Note: The ENABLE_NBCMDRUN file should be created without any extension.

2 Run the following command:

On UNIX:
echo 0 > /usr/openv/var/ENABLE_NBCMDRUN

On Windows:
echo 0 > install path\NetBackup\var\ENABLE_NBCMDRUN

Reenable the nbcmdrun command

By default, the nbcmdrun command is enabled.
If you have disabled the nbcmdrun command and you want to reenable it, use the
following procedure.

Note: To use the nbcmdrun command, the command and the NetBackup service
user must be enabled on the NetBackup host.

See “Configuring a service user account” on page 559.

 Running NetBackup commands with non-privileged user account 566
Running NetBackup commands using the nbcmdrun wrapper command

To reenable nbcmdrun
1 The system administrator should update the touch file called ENABLE_NBCMDRUN
with content 1.

Note: The ENABLE_NBCMDRUN file does not have any extension.

2 Run the following command:

On UNIX:
echo 1 > /usr/openv/var/ENABLE_NBCMDRUN

On Windows:
echo 1 > install path\NetBackup\var\ENABLE_NBCMDRUN
 Chapter 30
Immutability and indelibility
of data in NetBackup
This chapter includes the following topics:

■ About immutable and indelible data

■ Workflow to configure immutable and indelible data

■ Deleting an immutable image from storage using the bpexpdate command

■ Removing an immutable image from the catalog using the bpexpdate command

About immutable and indelible data

NetBackup protects your data from being encrypted, modified, and deleted using
WORM properties.
WORM is the acronym for Write Once Read Many.
WORM properties provide two additional levels of security for backup images:
■ Immutability - this protection ensures that the backup image is read-only and
cannot be modified, corrupted, or encrypted after backup.
■ Indelibility - this property protects the backup image from being deleted before
it expires. The data is protected from malicious deletion.
Configuring these WORM properties protects your data from certain malware attacks
to some extent, for example ransomware.
NetBackup provides the ability to write backups to WORM storage devices so their
data cannot be corrupted. Additionally, it lets you take advantage of advanced
options available from your storage vendors to ensure backups are retained
unaltered on storage platforms to meet regulatory and compliance requirements.
 Immutability and indelibility of data in NetBackup 568
About immutable and indelible data

All NetBackup image copies have an Expiration Time. This time is calculated by
using the configured retention level in the schedule and the start time of the backup
job.
When a NetBackup image is written to a WORM-enabled storage unit, the data
cannot be altered or deleted until the WORM Unlock Time for that image has
elapsed. Unlike the Copy Expiration time that is calculated from the start time of
the backup job, the WORM Unlock Time is associated with the WORM storage.
The WORM Unlock Time value is calculated using the configured retention level
and the write completion timestamp for the backup image onto WORM storage.
When you use bpimagelist to view an image that is written to WORM storage, the
timestamp that is associated with the Copy Expiration time precedes the WORM
Unlock Time for that copy of the backup image. For longer-running backups or
duplication jobs, the difference is greater between Copy Expiration Time and WORM
Unlock Time.
As part of normal operations, copies of backup images on WORM storage are not
removed from the catalog and storage until both Copy Expiration Time and Worm
Unlock Time timestamps have elapsed. The WORM Unlock Time of a copy that is
written to WORM storage can only be extended and cannot be shortened. To extend
the expiration date, use the bpexpdate -extend_worm_locks command.
In special circumstances, the bpexpdate -try_expire_worm_copy option can be
used to force an attempted removal of a WORM indelible image from the NetBackup
catalog. This option is only recommended to be used after removing WORM locks
directly on the storage device. Only use this option with assistance from Veritas
technical support.
When duplicating an image onto WORM storage, the WORM Unlock Time can be
configured to match the Copy Expiration Time by running the bpduplicate command
using the -worm_unlock_match_expiration option that was introduced in
NetBackup 10.1.
If older backup images are duplicated to WORM storage without using this command
option, the WORM Unlock Time for the duplicated copy is calculated using the
configured retention level, and the timestamp when the duplication job was complete.
The bpduplicate -worm_unlock_match_expiration command option is not used
for SLP driven duplications. For SLP driven duplications, the retention period is
applied from the end of the duplication job to calculate WORM Unlock Time of the
new copy. The Copy Expiration Time for the new copy is calculated from the
retention period that is applied to the backup time (for copy 1).
For AIR jobs, the retention period is applied from the end of the import job to
calculate the WORM Unlock Time of the imported copy. The Copy Expiration Time
 Immutability and indelibility of data in NetBackup 569
Workflow to configure immutable and indelible data

is calculated as the retention period that is applied from the beginning of the import
job.
For more information about the bpduplicate command and the bpexpdate
command, see the NetBackup Commands Reference Guide.

Note: When you use the bpduplicate -worm_unlock_match_expiration and

bpexpdate -extend_worm_locks command options, they rely on the accuracy of
the NetBackup primary server clock. That is because the WORM Unlock Time
mirrors the Image Expiration timestamp for that copy.
For more information about how to base the WORM Unlock Time on the original
backup time, see the following knowledge base article:
Images duplicated to WORM storage have unlock time calculated from duplication
date not backup date

Workflow to configure immutable and indelible

data
Carry out the following steps in the given order to protect your data by configuring
immutability and indelibility.

Table 30-1 Workflow to configure immutable and indelible data

Step Description

1 Configure the following WORM settings on the storage server. The storage administrator configures
these settings outside of NetBackup.

■ WORM capable - If the storage unit and the associated disk pool are enabled to use the WORM
property at the time of backup image creation, the backup images are set to be immutable and
indelible.
■ Lock Minimum Duration - Specifies the minimum allowed duration for which the data for a backup
image is indelible. The storage administrator sets this duration on the Logical Storage Unit (LSU)
or the Domain Volume (DV), which NetBackup discovers.
■ Lock Maximum Duration - Specifies the maximum allowed duration for which the data for a backup
image is indelible. The storage administrator sets this duration on the Logical Storage Unit (LSU)
or the Domain Volume, which NetBackup discovers.

Refer to the OST vendor plug-in documentation.

2 Configure a disk pool using WORM-capable volumes.

3 Configure a storage unit with the Use WORM option enabled.

 Immutability and indelibility of data in NetBackup 570
Deleting an immutable image from storage using the bpexpdate command

Table 30-1 Workflow to configure immutable and indelible data (continued)

Step Description

4 Configure a backup policy using the WORM-enabled storage unit.

Note: In case of storage changes or third-party OST vendor software upgrades,

you need to manually update the storage servers and the disk pools. See the
'Completing your system update after an upgrade' section from the NetBackup
Upgrade Guide.

Deleting an immutable image from storage using

the bpexpdate command
Deletion of an immutable image can only happen when storage is used that allows
for lock deletion. The lock deletion can be done using the Enterprise mode on Flex
Appliance, Flex Scale Appliance, Access Appliance, or a third-party storage device
that supports lock deletion. When an immutable image is deleted, the storage that
you use is responsible for the lock deletion and NetBackup is responsible for the
image deletion.
When you use Flex Appliance, Flex Scale Appliance, or Access Appliance, you
must use the command line or an SSH session to remove the lock on the image.
If you use a third-party storage device, refer to that vendor’s documentation for
steps on removing locked images.
To delete the immutable image on the appliance
1 Verify that the appliance is in Enterprise mode.
2 From the NetBackup Command Line, use bpimagelist command to find the
image ID.
This procedure uses the following example image ID:

Backup ID: server123.veritas.com_1234567890

3 Delete the image lock on storage using the command line option or the SSH
session option.
■ For Flex Appliance: You must use the default msdpadm user to run the
following options.
■ For Flex Scale Appliance and Access Appliance: You must use an appliance
user with the appliance administrator role.
 Immutability and indelibility of data in NetBackup 571
Removing an immutable image from the catalog using the bpexpdate command

Command line option:

■ Open the /usr/openv/pdde/pdcr/bin/ directory.
■ Use the following command to query and modify the catalog database for
the given backup ID (Example: server123.veritas.com_1234567890).
The -worm disable option disables the retention lock for an image using
the backup ID.
sudo -u msdpsvc /usr/openv/pdde/pdcr/bin/catdbutil -worm
disable -backupid

SSH session option:

■ Open an SSH session to the WORM storage server instance.
■ Use the retention policy disable command to query and modify the
catalog database for the given policy. The policydisable arguments
disable the retention lock for an image using the policy ID used for the
image retention that has a retention lock.
For more information about the command options in this step, see the
NetBackup Deduplication Guide.
4 Add the image ID to bpexpdate with the -try_expire_worm_copy option.

bpexpdate -d 0 backupid server123.veritas.com_1234567890

-try_expire_worm_copy -copy 1

5 Use y or n to confirm deletion.

If the storage lock is not removed, NetBackup returns an error indicating that
there is a WORM lock error.
See “Removing an immutable image from the catalog using the bpexpdate
command” on page 571.
See “ About immutable and indelible data” on page 567.

Removing an immutable image from the catalog

using the bpexpdate command
You can remove an immutable image from the NetBackup catalog and have that
image remain on storage.
 Immutability and indelibility of data in NetBackup 572
Removing an immutable image from the catalog using the bpexpdate command

To remove an immutable image from the catalog

1 Open the NetBackup Command Line Interface (CLI).
2 Delete the image from the catalog using the bpexpdate command with the
-try_expire_worm_copy and the -nodelete options.

bpexpdate -d 0 -backupid server123.veritas.com_1234567890

-copy 1 -try_expire_worm_copy -nodelete

Using the-try_expire-worm_copy and -nodelete options together removes

the image from the catalog only and does not affect storage.
3 Use y or n to confirm deletion.
See “Deleting an immutable image from storage using the bpexpdate command”
on page 570.
See “ About immutable and indelible data” on page 567.
 Chapter 31
Anomaly detection
This chapter includes the following topics:

■ About backup anomaly detection

■ About system anomaly detection

■ Anomaly configuration to enable automatic scanning

■ Computation of entropy and file attributes in NetBackup

About backup anomaly detection

NetBackup can now detect anomalies in backup metadata. It can detect any unusual
job data in the data backup flow. For example, it can detect a file count or a file size
that is different than the usual count or size.

Note: By default, the anomaly detection algorithm runs on the NetBackup primary
server. If you see any impact on the primary server because of the anomaly detection
process, you can configure a media server to detect anomalies.

The following backup job metadata, attributes, or features are verified during backup
anomaly detection:
■ Backup image size
■ Number of backup files
■ Data that is transferred in KB
■ Deduplication rate
■ Backup job completion time
 Anomaly detection 574
About backup anomaly detection

Any unusual deviation in these backup job attributes is considered to be an anomaly

and is notified using the NetBackup web UI.
Starting with 10.4, NetBackup can detect anomalies for Oracle workload only for
the image size attribute. If an Oracle workload job fails multiple times with status
code 5407, NetBackup flags it as an anomaly.

Workflow of backup anomaly detection and notification

The workflow of the backup anomaly detection and notification is as follows:

Table 31-1 Workflow

Step Description

Step 1 Install or upgrade NetBackup software on the primary server and the media
server.

See the NetBackup Installation or Upgrade Guide.

Step 2 Enable the primary server to detect backup anomalies.

See “Detecting backup anomalies on the primary server” on page 577.

By default, the anomaly detection algorithm runs on the NetBackup primary

server. If you see any impact on the primary server because of the anomaly
detection process, you can configure a media server to detect anomalies.

See “Detecting backup anomalies on the media server” on page 578.

Step 3 Configure anomaly detection settings using the NetBackup web UI.

See “ Configure backup anomaly detection settings” on page 575.

Step 4 View the anomalies using the NetBackup web UI.

See “View backup anomalies” on page 579.

How a backup anomaly is detected

Consider the following example:
In an organization, around 1 GB of data is backed up every day for a given client
and backup policy with the schedule type FULL. On a particular day, 10 GB of data
is backed up. This instance is captured as an image size anomaly and notified. The
anomaly is detected because the current image size (10 GB) is much greater than
the usual image size (1 GB).
Significant deviation in the metadata is termed as an anomaly based on its anomaly
score.
 Anomaly detection 575
About backup anomaly detection

An anomaly score is calculated based on how far the current data is from the cluster
of similar observations of the data in the past. In this example, a cluster is of 1 GB
of data backups. You can determine the severity of anomalies based on their scores.
For example:
Anomaly score of Anomaly_A = 7
Anomaly score of Anomaly_B = 2
Conclusion - Anomaly_A is severer than Anomaly_B
NetBackup takes anomaly detection configuration settings (default and advanced
if available) into account during anomaly detection.

Configure backup anomaly detection settings

After you enable anomaly detection, anomaly data gathering, detection service,
and events are enabled. Basic and advanced backup anomaly detection settings
are available to be configured.
See “About backup anomaly detection” on page 573.
See “View backup anomalies” on page 579.
To configure backup anomaly detection settings
1 Sign in to the NetBackup web UI.
2 On the left, click Detection and reporting > Anomaly detection.
3 On the top right, click Anomaly detection settings > Backup anomaly
detection settings.
4 Click Edit on the right to configure the following Anomaly detection > Enable
anomaly detection activities settings:
■ Enable only for unstructured data - Enables anomaly detection for the
following policy types: Standard, MS-Windows, NAS-Data-Protection, and
Universal share.

Note: This is the default configuration for fresh NetBackup 10.4 installation.

■ Enable - Enables anomaly detection for all policy types except for the ones
that are excluded in the Advanced settings > Disable policy type or
specific features for machine learning.
■ Disable - Disables anomaly detection in NetBackup for all workload types.
■ Click Save.
 Anomaly detection 576
About backup anomaly detection

In the case of NetBackup 10.4 upgrade, the value of the Anomaly detection
option is set based on the previous setting.
■ If the option was set to Enable anomaly data collection, detection
service, and events in the previous version, the option is set to Enable
after the upgrade.
■ If the option was set to a value other than Enable anomaly data collection,
detection service, and events in the previous version, the option is set to
Disable after the upgrade.

5 Click Edit on the right to configure the Anomaly detection > Enable automatic
scan for imported copy setting.
■ On the Enable automatic scan for imported copy pop-up screen, select
the Turn on automatic scan for imported copy check box.
This setting modifies the anomaly configuration file to configure the scan
host pool and the clients that need to be scanned.
■ Click Save.

6 Select Edit to modify the following Basic Settings:

■ Anomaly detection sensitivity
Use this setting to increase or decrease the sensitivity with which anomalies
are detected. If the sensitivity is low, anomalies are detected based on less
number of anomalous events.
If the sensitivity is high, anomalies are detected based on a large number
of anomalous events.
■ Data retention settings
Use this setting to specify how long you want to retain the anomaly data
(in months).
■ Data gathering settings
Use this setting to specify the time interval (in minutes) after which the
anomaly data is gathered for analysis.
■ Anomaly proxy server settings
Use this setting to specify the NetBackup media server where the anomalies
are going to be processed. If not specified, the processing takes place on
the primary server.
■ Click Save.

7 Expand the Advanced settings section to configure the following settings:

■ Click Edit on the right to configure the Disable anomaly settings for
clients settings.
 Anomaly detection 577
About backup anomaly detection

See “Disable backup anomaly detection and computation of entropy and

file attributes for a client” on page 590.
Click Save.
■ Click Edit on the right to configure the Disable policy type or specific
features for machine learning settings.
On the pop-up screen, all the policies are listed.
Use the action menus to disable one or all of the following anomaly features
for machine learning for the given policy: Backup files count, Data
transferred, Deduplication ratio, Image size, and Total time.
■ Disable all - Use this option to disable all of the anomaly features for
machine learning for the given policy.
■ Disable specific features - Use this option to select specific anomaly
features that you want to disable for machine learning.
■ Click Save.

■ Click Edit on the right to configure the Suspicious file extension settings.
■ Select the Turn on suspicious file extension detection to enable
NetBackup to detect files with suspicious file extensions.
A malware such as ransomware attacks the data and encrypts it. After
the file encryption, the ransomware renames the files with a specific
extension such as .lockbit. NetBackup detects such known suspicious
file extensions during backups and generates an anomaly.
■ Files with suspicious extensions (in %)
Select the percentage (1 to 50) of files with suspicious extensions from
the Percent drop-down list, which is acceptable in your environment.
When the percentage of the files with suspicious extensions exceeds
this threshold, an anomaly is generated.

■ You can add or remove the suspicious file extensions from the list.
■ Click Save.

Client offline anomaly type

As part of backup anomaly detection, clients that are offline under suspicious
circumstances (with error code 7647) are detected and anomalies are generated.

Detecting backup anomalies on the primary server

This topic provides the procedure to enable the primary server to detect backup
anomalies.
 Anomaly detection 578
About backup anomaly detection

To enable the primary server to detect backup anomalies

1 Install the NetBackup primary server software on your system (or upgrade the
primary server software).
After the installation, the following configurations are automatically done on
the primary server:
■ The NetBackup Anomaly Detection Management service (nbanomalymgmt)
is started on the primary server.
The anomaly detection and alert services do not run by default.

Note: The NetBackup Anomaly Detection Management service stops if

the proxy server takes more than 45 minutes to connect to the primary
server.

2 Configure the backup anomaly settings using the NetBackup web UI. NetBackup
takes these settings into account during anomaly detection.
See “ Configure backup anomaly detection settings” on page 575.
See “How a backup anomaly is detected” on page 574.
If any anomalies are detected, they are notified through the NetBackup web
UI.
See “View backup anomalies” on page 579.

Detecting backup anomalies on the media server

This topic provides the workflow and the procedure that enable the media server
to detect backup anomalies.

Note: By default, the anomaly detection algorithm runs on the NetBackup primary
server. If you see any impact on the primary server because of the anomaly detection
process, you can configure a media server to detect anomalies.

To enable the media server to detect backup anomalies

1 Install the NetBackup media server software on your system (or upgrade the
media server software).
2 On the primary server, add anomaly proxy server details. The proxy server
should be the media server where you want the anomaly algorithms to be run.
See “ Configure backup anomaly detection settings” on page 575.
 Anomaly detection 579
About backup anomaly detection

3 (Optional) If you want to preserve the data that the primary server has gathered
earlier, do the following:
■ Ensure that the nbanomalymgmt service is disabled using the web UI.
■ Ensure that the nbanomalymgmt service on the media server is stopped.
■ Go to the following directory:
On Windows: Install_Path\NetBackup\var\global
On UNIX: /usr/openv/var/global
The directory resides on the shared disk on a clustered primary server.
■ Copy the NB_Anomaly.db, NB_Anomaly.db-shm, and NB_Anomaly-wal files
from the anomaly_detection folder on the primary server to the
anomaly_detection folder on the media server.
You can copy the anomaly_config.conf file to preserve the automatic
malware scan settings.
■ Start the nbanomalymgmt service on the media server.

4 On the media server, start the nbanomalymgmt service manually. Use the
following script:
nbanomalymgmt -start

5 Configure the backup anomaly settings in the NetBackup web UI. NetBackup
takes these settings into account during anomaly detection.
See “ Configure backup anomaly detection settings” on page 575.
See “How a backup anomaly is detected” on page 574.
If any anomalies are detected, they are notified using the NetBackup web UI.
See “View backup anomalies” on page 579.

View backup anomalies

NetBackup can now detect anomalies in backup metadata. It can detect any unusual
job data in the data backup flow. For example, it can detect a file count or a file size
that is different than the usual count or size.
Consider the following example:
An anomaly of the image size type is displayed as 100MB (Usual 350MB, 450MB).
This information implies that the current image size that is reported as anomaly is
100 MB. However, the usual image size range is 350 MB - 450 MB that is derived
from the analysis of past data. Because of the significant difference between the
current image size and usual image size range, NetBackup notifies it as an anomaly.
See “About backup anomaly detection” on page 573.
 Anomaly detection 580
About backup anomaly detection

Note: Anomaly count of 0 indicates that there are no anomalies generated or that
the anomaly detection services are not running.

To view backup anomalies

1 Sign in to the NetBackup web UI.
2 On the left, select Detection and reporting > Anomaly detection > Backup
anomalies.
The following columns are displayed:
■ Job ID - ID of the job for which the anomaly is detected
All child jobs and the associated anomaly details are also shown when you
expand the parent job.
■ Severity - Severity of the anomalies that are notified for this job
■ Asset name - Name of the NetBackup client where the anomaly is detected
■ Summary - For the parent job, details like types of anomalies, number of
anomalies, and increase or decrease in the number of anomalies are shown.
For child jobs, types of anomalies are shown.
■ Anomaly type - Type of the anomaly such as Image entropy, Job metadata,
Suspicious file extension, Client offline
■ Backup selection - The backup selection (client or file to be backed up) that
is specified in the policy
■ Policy name - The policy name of the associated backup job
■ Policy type - The policy type of the associated backup job
■ Schedule type - The schedule type of the associated backup job
■ Impacted number of jobs - The number jobs for which anomalies are
detected
■ Review status - The anomaly status that indicates whether the detected
anomaly is reported as a false positive or an actual anomaly, or it can be
ignored.
■ Last updated - The date and time when the anomaly status is updated

3 Select the job ID to see the job details in the Activity monitor. Expand a parent
job to see the details of each child job.
4 You can perform the following actions on the anomaly record:
■ Select Report as false positive if the anomaly is a false positive. Similar
anomalies are not shown in the future.
 Anomaly detection 581
About system anomaly detection

The Review status of the anomaly record appears as False positive.

■ Select Confirm as anomaly when you want to take some action on the
anomaly condition.
The Review status of the anomaly record appears as Anomaly.
■ Select Mark as ignore when you can ignore the anomaly condition.
The Review status of the anomaly record appears as Ignore.

About system anomaly detection

NetBackup can detect system anomalies during critical operations as follows:
■ Rule-based system anomaly
See “Configure rules-based anomaly detection” on page 582.
■ Risk engine-based system anomaly
See “Configure risk engine-based anomaly detection” on page 583.
See “View system anomalies” on page 584.

Configure system anomaly detection settings

After you enable anomaly detection, anomaly data gathering, detection service,
and events are enabled. You can configure specific settings to detect system
anomalies in your domain.
See “About system anomaly detection” on page 581.
To configure system anomaly detection settings
1 Sign in to the NetBackup web UI.
2 On the left, click Detection and reporting > Anomaly detection.
3 On the top right, click Anomaly detection settings > System anomaly
detection configuration.
4 On the System anomaly detection configuration screen, configure the
following settings:
■ Risk engine-based anomaly detection
See “Configure risk engine-based anomaly detection” on page 583.
■ Rules-based anomaly detection
See “Configure rules-based anomaly detection” on page 582.
 Anomaly detection 582
About system anomaly detection

Configure rules-based anomaly detection

Rules engine-based anomaly detection allows you to define certain rules. If the
threshold values defined in the rule are exceeded, anomalies are generated. For
example, an anomaly is generated if a certain number of failed login attempts occur
in a specified time period.
For each rule, you can configure the following parameters: execution frequency,
query period, and threshold.
To modify the rule parameters, use the /security/anomaly/rules/{ruleId} API.
To configure rules-based anomaly detection
1 Go to the Veritas Download Center and download the rules file (.zip) for which
you want to generate anomalies.
For example: Storage server is set to null STU, Clients removed from the policy,
or Token deleted by user.
Store the rules file on your local computer.

Note: NetBackup does not ship any standard rules by default.

2 Sign in to the NetBackup web UI.

3 On the left, click Detection and reporting > Anomaly detection.
4 On the top right, click Anomaly detection settings > System anomaly
detection configuration.
5 On the System anomaly detection configuration screen, select the Detect
anomalies using NetBackup anomaly detection rules check box to generate
anomalies based on the rules that you select.
The following details for each of the predefined rules are displayed:
■ Rule name
■ Description
■ Severity
■ Version
■ Enabled
 Anomaly detection 583
About system anomaly detection

Select Upload rules to select the rules file that you have downloaded. All the
latest rules are listed in the Rules-based anomaly detection section.
6 Select the rules that you want to enable and for which you want to generate
anomalies.
Select Enable.
NetBackup generates anomalies for the conditions that meet the rule criteria.

Configure risk engine-based anomaly detection

The NetBackup risk engine detects certain system anomalies in a proactive manner
and sends appropriate alerts. It helps you take corrective action before you face
any security threat in your environment.
You can configure the following options that the risk engine uses to detect anomalies
for the given operations:

Detect suspicious image expiration

Use this option to detect when images are expired in an unusual or a suspicious
manner.
By default, a system anomaly is generated when the risk engine detects an unusual
or a suspicious image expiration attempt and allows the operation to proceed.
However, for additional security, you can configure multi-person authorization for
such image expiration attempts, where an MPA approver needs to approve the
operation.
Important notes on the Detect suspicious image expiration option
■ If the audit retention period is set to less than 3 months, this option accumulates
data of 3 months and then becomes active.
■ This option supports full backup schedules. Other types of schedule are not
considered. The retention level of an image is also not considered for this rule.
■ Images are expired by media ID, server name, or by recalculating the retention
period.
Select Edit and select the Generate multi-person authorization ticket if images
are deleted in a suspicious manner option.

Note: To successfully review the multi-person authorization tickets, ensure that

one or more MPA approvers are available in your environment.

See “About multi-person authorization” on page 259.

 Anomaly detection 584
About system anomaly detection

See “RBAC roles and permissions for multi-person authorization” on page 262.

Secure critical operations

Use this option to protect critical operations such as modifying global security
settings and creating API key. When you select this option, you are required to
reautneticate yourself by entering the one-time password that you see in the
authenticator application on your smart device before you perform the given critical
operations.
Ensure that you have configured multifactor authentication for your user account.
If multifactor authentication is not configured, you are not prompted to reauthenticate.

Note: It is strongly recommended that you configure multifactor authentication in

your environment to prevent security threats by malicious sources.

See “Configure multifactor authentication for your user account” on page 255.

Detect possible session hijack

Use this option to detect if there is a possible user session hijack by a malicious
source.
The risk engine detects if the same user session token is used by another IP
address, and sends a maximum of 10 alerts per day.
Select Edit and select the check box to terminate the user session when the risk
engine detects that there is a possible session hijack.

View system anomalies

NetBackup can detect system anomalies. This anomaly detection is enabled by
default for all policy types.
To view system anomalies
1 Sign in to the NetBackup web UI.
2 On the left, select Detection and reporting > Anomaly detection > System
anomalies.
The following columns are displayed:
■ Detected on - The date when the anomaly is detected
■ Review status - Anomaly status that indicates whether the detected anomaly
is reported as a false positive or an actual anomaly, or it can be ignored.
■ Anomaly type - Type of the anomaly
 Anomaly detection 585
Anomaly configuration to enable automatic scanning

■ Severity - Severity of the anomaly

■ Description - Additional information about the anomaly
■ Anomaly ID - ID of the anomaly record

3 Expand a row to see the details of the selected anomaly.

4 You can perform the following actions on the anomaly record:
■ Select Report as false positive if the anomaly is a false positive. Similar
anomaly conditions are not reported in the future.
■ Select Confirm as anomaly when you want to take some action on the
anomaly condition.
■ Select Mark as ignore when you can ignore the anomaly condition.

Anomaly configuration to enable automatic

scanning
In NetBackup prior to 10.1, the anomaly detection process can trigger automatic
malware scan for those anomalies that have high severity. Use the configuration
file on the primary server to do the required settings.
In NetBackup 10.1 and later, the anomaly detection process can trigger automatic
malware scan for all anomalies based on the configuration file settings. Use the
configuration file on the anomaly proxy server to do the required settings.
You need to modify the anomaly configuration file to specify values for the scan
host and trigger parameters.
See “About malware scanning” on page 593.
See “Prerequisites for a scan host” on page 621.
You can enable automatic malware scan on secondary domain for anomalous
imported images using the Enable automatic scan for imported copy option on
the web UI.
See “ Configure backup anomaly detection settings” on page 575.
 Anomaly detection 586
Anomaly configuration to enable automatic scanning

To enable automatic malware scan for the images on which an anomaly was
detected
1 Create the anomaly_config.conf configuration file on the primary server on
the given location:
On Windows : Install_Path\NetBackup\var\global\anomaly_detection
On UNIX : /usr/openv/var/global/anomaly_detection
2 Add the following contents in the anomaly_config.conf configuration file:
#Use this setting to start malware scan on anomaly detected image
automatically.

[AUTOMATED_MALWARE_SCAN_SETTINGS]

TRIGGER_SCAN_FOR_RANSOMWARE_EXT_IMAGES=1

#1 = Enable 0 = Disable

ENABLE_AUTOMATED_SCAN=1

# Enable all clients. In this case pool mentioned

SCAN_HOST_POOL_NAME will be used for clients not mentioned

# under batch

ENABLE_ALL_CLIENTS=1

SCAN_HOST_POOL_NAME=<scan_host_pool_name> # Default pool name

#Use specific pool for mentioned clients

NUM_CLIENTS_BATCH_SPECIFIED=2

ENABLE_SCAN_ON_SPECIFIC_CLIENT_1=client1,client2

SCAN_HOST_POOL_NAME_1=<scan_host_pool_for_batch_1>

ENABLE_SCAN_ON_SPECIFIC_CLIENT_2=client3,client4

SCAN_HOST_POOL_NAME_2=<scan_host_pool_for_batch_2>

3 Note that SCAN_HOST_POOL_NAME is a mandatory field.

For the ENABLE_SCAN_ON_SPECIFIC_CLIENT_n option, you should specify
complete client names.
 Anomaly detection 587
Computation of entropy and file attributes in NetBackup

4 Ensure that all settings are under [AUTOMATED_MALWARE_SCAN_SETTINGS].

Review the following descriptions of the settings:
ENABLE_AUTOMATED_SCAN=1

Starts malware scan on anomalies with high score.

ENABLE_ALL_CLIENTS=1

Enable all clients for scan. If this value is 0, scanning happens only on the
clients that are mentioned for the following option:
ENABLE_SCAN_ON_SPECIFIC_CLIENT_<Batch_Number>

NUM_CLIENTS_BATCH_SPECIFIED=<batches> - This option specifies the number

of batches for different scan host pool. For example, if you want to use a specific
scan host pool for a set of clients, use this setting.
5 Do the following to automatically trigger malware scan for various severity
levels of anomalies:
■ For low severity anomaly, set the TRIGGER_SCAN_FOR_LOW_SEVERITY option
as follows:
TRIGGER_SCAN_FOR_LOW_SEVERITY=1

■ For medium severity anomaly, set the TRIGGER_SCAN_FOR_MEDIUM_SEVERITY

option as follows:
TRIGGER_SCAN_FOR_MEDIUM_SEVERITY=1

■ To automatically trigger malware scan for the anomaly score that is greater
than or equal to the given value, set the
TRIGGER_SCAN_FOR_SCORE_GREATER_THAN option to a positive value.
For example:
TRIGGER_SCAN_FOR_SCORE_GREATER_THAN=2.5
To automatically trigger malware scan to detect suspicious file extensions,
set the TRIGGER_SCAN_FOR_RANSOMWARE_EXT_IMAGES option as follows:
TRIGGER_SCAN_FOR_RANSOMWARE_EXT_IMAGES = 1

Computation of entropy and file attributes in

NetBackup
NetBackup 10.3 and later clients compute an additional risk signal in-line, called
entropy. It improves the quality of detected anomalies. Entropy is a measure of
randomness of file contents. Threat vectors that encrypt files tend to abruptly change
the entropy. The entropy metric is used with the anomaly detection in Veritas Alta
View to help you detect such potential malicious activity. When this indicates
 Anomaly detection 588
Computation of entropy and file attributes in NetBackup

anomaly activities, it is recommended to check the system for potential malicious

actors and not to use those images as a recovery point if suspicious activities are
found.
NetBackup 10.4 and later servers run a real-time, in-line ransomware detection
process (nbinlinerwdetect) that analyzes the entropy and the following file
attributes, and detects anomalies:
■ File size
■ File extension
■ File permission
■ File access time
■ File modified time
■ File change time

Enable computation of entropy and file attributes in

NetBackup
Use the COMPUTE_IMAGE_ENTROPY option in NetBackup to enable computation of
entropy and file attributes in NetBackup that enhances cyber resiliency in the
NetBackup - Veritas Alta™ View environment.
See “COMPUTE_IMAGE_ENTROPY for NetBackup primary servers” on page 589.
See the Veritas Alta View Help to learn more about entropy score and how to view
it in the Veritas Alta View UI. Entropy score helps you identify potential anomalies
in your NetBackup - Veritas Alta View environment.

Disable computation of entropy and file attributes for a

NetBackup client
Computation of entropy and file attributes can be disabled for specific NetBackup
clients.
See “Disable backup anomaly detection and computation of entropy and file
attributes for a client” on page 590.

Support information for computation of entropy and file attributes

To use the computation of entropy and file attributes feature, NetBackup primary
server, and media server must be 10.4 or later, and NetBackup clients must be
10.3 or later.
 Anomaly detection 589
Computation of entropy and file attributes in NetBackup

Job types that the computation of entropy and file

attributes feature supports
■ Backup
■ Backup from Snapshot

Policy types that the computation of entropy and file

attributes feature supports
■ Cloud-Object-Store
■ FlashBackup
■ FlashBackup-Windows
■ MS-Windows
■ Standard
■ VMware (excluding Continuous Data Protection plan)

Protection plans that the computation of entropy and file

attributes feature supports
■ VMware (excluding Continuous Data Protection)

Note: The computation of entropy and file attributes feature does not support Ushare
policy type.

COMPUTE_IMAGE_ENTROPY for NetBackup primary servers

Use the COMPUTE_IMAGE_ENTROPY option to enable computation of entropy and file
attributes in NetBackup that enhances cyber resiliency in NetBackup - Veritas Alta™
View environment.
The entropy metric is used with the anomaly detection in Veritas Alta View to help
you detect potential malicious activity.

Table 31-2 COMPUTE_IMAGE_ENTROPY information

Usage Description

Where to use On NetBackup primary servers.

 Anomaly detection 590
Computation of entropy and file attributes in NetBackup

Table 31-2 COMPUTE_IMAGE_ENTROPY information (continued)

Usage Description

How to use Use the nbgetconfig and the nbsetconfig commands to view, add,
or change the option.

For information about these commands, see the NetBackup Commands

Reference Guide.

Use the following format:

COMPUTE_IMAGE_ENTROPY = Value

You can specify one of the following values for the

COMPUTE_IMAGE_ENTROPY option:

■ ALWAYS - Computation of entropy and file attributes is always enabled.

This is the default value.
■ NEVER - Computation of entropy and file attributes is always disabled.
■ IF_MANAGED_BY_ALTA - Computation of entropy and file attributes
is enabled if Veritas Alta™ View manages the associated NetBackup
primary server. If Veritas Alta™ View does not manage the primary
server, computation is disabled.
Note: After the NetBackup primary server is registered with the Veritas
Alta View server, computation of entropy and file attributes starts within
the next 24 hours with the new backup jobs.

Equivalent No equivalent exists.

NetBackup web
UI property

Disable backup anomaly detection and computation of entropy and

file attributes for a client
You can disable backup anomaly detection and computation of entropy and file
attributes for certain NetBackup clients.
To disable backup anomaly detection and computation of entropy and file
attributes
1 Sign in to the NetBackup web UI.
2 On the left, click Detection and reporting > Anomaly detection.
3 On the top right, click Anomaly detection settings > Backup anomaly
detection settings.
4 Expand the Advanced settings section.
 Anomaly detection 591
Computation of entropy and file attributes in NetBackup

5 Select the respective Edit option to modify Disable anomaly settings for
clients.
6 On the Disable anomaly settings for clients pop-up screen, specify the
NetBackup client for which you do not want to generate anomalies and compute
entropy.
7 In the search results, click the Add to list option next to the required client.
8 Select Save.
The selected clients are added in the excluded clients' list.

Note: After the client is excluded or included again, the computation of entropy
and file attributes stops or starts within the next 24 hours with the new backup
jobs.
 Section 4
Malware scanning

■ Chapter 32. Introduction

■ Chapter 33. How to setup Malware scanning

■ Chapter 34. Instant Access configurations

■ Chapter 35. Malware tools configurations

■ Chapter 36. Scan host configurations

■ Chapter 37. Performing malware scan

■ Chapter 38. Managing scan tasks

■ Chapter 39. Malware scan configuration parameters

■ Chapter 40. Troubleshooting

 Chapter 32
Introduction
This chapter includes the following topics:

■ About malware scanning

■ About dynamic scan

■ Limitations

About malware scanning

NetBackup finds malware in supported backup images and finds the last good-known
image that is malware free. This feature is supported for Standard, MS-Windows,
NAS-Data-Protection, Cloud, Cloud-Object-Store, Universal shares, Kubernetes
and VMware workloads.
Malware scanning provides the following benefits:
■ You can select one or more backup images of the supported policy-types for
an on-demand scan. You can use a predefined list of scan hosts.
■ If malware is detected during the scanning, a notification is generated in the
Web UI.
■ In case files are skipped due to not being accessible to scanner or failure from
malware scanner, then following respective notifications are generated with
information about number and list of skipped files:
■ Critical severity: In case malware is found in the backup image and some of
the files were skipped during scan.
■ Warning severity: In case no malware found in the backup image but some
of the files were skipped during scan.
This information can be obtained by clicking on Actions > Export unscannable
files list.
 Introduction 594
About malware scanning

Note: The malware scan job in Activity monitor takes few minutes to reflect the
final state of the scan operation running for multiple backup images.
For example, if scan operation runs for 5 backup images in a single request, then
the malware scan job in Activity monitor would take 5 minutes to reflect the final
state which is after completing the last (fifth) backup image scan job.

Note: During recovery if user starts recovery from a malware-affected backup

image, a warning message is shown and confirmation is required for proceeding
with recovery. Only users with permission to restore from malware-affected images
can proceed with recovery.

For more information on best practices for malware scanning, refer to Smart use
of Malware Scanning in NetBackup.

Malware scanning before recovery

■ User can trigger malware scan of the selected files/folders for recovery as part
of recovery flow from Web UI and decide the recovery actions based on malware
scan results.
■ Catalog entry for the backup image is not updated after recovery time scan as
only subset of files are scanned in the backup. Notification would be generated
if malware is found as part of recovery time scan.
■ During recovery time scan all the images in the start and end date are scanned
for malware. Malware scanning of backup image may take long time depending
on the number of files selected for recovery. It is recommended to set the Start
/End date to include only images which are intended to be used for recovery.
■ User can trigger multiple recovery time scan for same backup image.
■ Malware scan as part of recovery may take minimum 15-20 minutes for small
size backup based on availability of scan host and number of scan jobs in
progress. User can track the progress using Activity monitor > Jobs. Scan
results would be displayed incrementally in the malware detection page. List of
backup images in start and end date would be picked up for malware scan
incrementally in batches.
■ Supported policy types for recovery time scan: Standard, MS-Windows,
Cloud-Object-Store, Universal Share, and NAS-Data-Protection.

Note: For successful recovery time malware scan operation, the media server
version must be 10.4 or later.
 Introduction 595
About malware scanning

Workflow for malware scanning

This section describes the workflow for malware scanning for the following:
■ MSDP backup images
■ OST and AdvancedDisk

Malware scanning workflow for MSDP backup images

The following figure displays the workflow of malware scanning for MSDP backup
images:

The following steps depict the workflow for malware scanning for MSDP backup
images:
1. After triggering On Demand Scan, primary server will validate backup images
and create scan jobs for each eligible backup image and identify available scan
host for them. Following are few of the criteria's on which the backup images
are validated:
■ Backup image must be supported for malware detection.
■ Backup image must have a valid Instant Access copy.
■ For an on-demand scan, no existing scan must be running for same backup
image. For DNAS the related streams are also considered.
■ Malware detection does not support media server associated with storage.
■ Unable to get information for backup image from catalog.
 Introduction 596
About malware scanning

2. After the backup images are queued for an on-demand scan, the primary server
identifies the storage server. An instant access mount is created on the storage
server of the configured share type that is specified in scan host pool.

Note: Currently the primary server starts 50 scan threads at a time. After the
thread is available it processes the next job in the queue. Until then the queued
jobs are in the pending state.
For NetBackup version 10.3 and later, large backups are scanned in batches
of 500K files. Each batch is scanned by a separate scan thread.
For recovery time scan, scan in batches feature is not supported.

3. Primary server identifies available and supported MSDP media server and
instructs the media server to initiate the malware scan.
4. MSDP media server deploys the thin client on the scan host over SSH.
5. Thin client mounts the instant access mount on the scan host.
6. Scan is initiated using the malware tool that is configured in the scan host pool.
Media server fetches the progress of scan from scan host and update the
primary server.
7. After the scan is completed, the scan host unmounts the instant access mount
from the scan host.
8. Malware scan status is updated to the media server over SSH. Scan logs are
copied to the media server log directory.
9. Media server updates the scan status and the infected file list along with skipped
file list (if any infected files) to the primary server.
10. Primary server updates the scan results and deletes instant access.
11. Malware scan status notification is generated.
12. Malware scan will timeout in case there is no update on scan. Default timeout
period is 48 hours.
Malware detection performs an automated cleanup of eligible scan jobs that are
older than 30 days.

Note: The infected scan jobs would be cleaned automatically.

See “MALWARE_DETECTION_CLEANUP_PERIOD” on page 664.

 Introduction 597
About malware scanning

Note: You can download a malware scanner from the Microsoft Azure Marketplace
and the AWS Marketplace. Follow the instructions on how to install, configure, and
use the malware scanner for AWS and Azure.
Refer to the following for more information:
AWS: AWS Marketplace and NetBackup Marketplace Deployment on AWS Cloud
Microsoft Azure: Microsoft Azure Marketplace and Microsoft Azure Marketplace

Malware scanning workflow for OST and AdvancedDisk

For a complete list of supported OpenStorage servers, see the 'OST Storage
Servers' section in NetBackup Hardware and Cloud Storage Compatibility List
(HCL).
The following figure displays the workflow of malware scanning for OST and
AdvancedDisk.

The following prerequisites exist for malware scanning of OST and AdvancedDisk:
■ MSDP component for example, SPWS, VPFSD are required for an instant
access mount. Hence for OST and AdvancedDisk storage, any one of the media
servers must be configured as MSDP storage server so that it can serve the
instant access API.
■ Primary servers and media servers must be upgraded to NetBackup version
10.4 or later.
■ Media servers must be accessible to the OST or AdvancedDisk storage server.
■ OST plug-in must be deployed on instant access (host with MSDP components)
hosts. No new version of OST plug-ins is required.
■ Compatible instant access host (RHEL).
 Introduction 598
About malware scanning

■ The throttling limit on concurrent instant access from OST and AdvancedDisk
STU is same as instant access from MSDP.

The following steps depict the workflow for malware scanning for OST and
AdvancedDisk.
1. Using the On Demand Scan APIs, the backup image is added to the worklist
table on Primary server.
Primary server identifies the available scan host from the specified scan host
pool.
2. As part of processing the work list:
(2.1) Create media server for instant access:
■ From the backup images, it finds out the storage server.
■ From the storage server it finds out the eligible media server.
Media server with instant access capability.
Media server with NetBackup version 10.3 or later.
■ Sends the instant access API request to the selected media server.
■ If multiple media servers are eligible for an instant access mount request,
it selects the media server with minimum number of ongoing instant access
requests. This way it can distribute the instant access requests and achieve
the load balance.
(2.2) Get IM & TIR
■ On the selected media server, in the context of instant access API, it fetches
the IM and TIR information from the primary server. It stores the information
in the same format that the OS requires for mounting the backup image by
VPFSD.
■ After instant access mount, for IO file, VPFSD uses OST API to read backup
image from storage server.
■ Update worklist with images for which instant access was performed with
mountId, exportPath, storageserver, and status.

3. The primary server identifies the available MSDP media server and instructs
the media server to initiate the malware scan.

Note: The media server that is selected for the instant access mount and the
server that is selected for communication with the scan host can be the same
server or a different server.
 Introduction 599
About dynamic scan

4. When it receives the scan request, the scan manager from the media server
initiates the malware scan on the scan host using thin client (nbmalwareutil)
through remote communication using SSH.

Note: In NetBackup 10.5 or later, the hash values (SHA-256) of infected files
are computed when infected files are found by the NetBackup Malware Scanner.
The values can be viewed when exported through Export infected files list.

5. Depending on the configuration of scan host, from the scan host it mounts the
export using either NFS or SMB from the media server. This media server is
where the backup image is mounted using instant access API.
6. Scan is initiated using the malware tool that is configured in the scan host pool.

Note: VPFSD on the media server, uses STS_XXX APIs to open and read the
backup images from the OST or AdvancedDisk storage server.

7. After the scan is completed, the scan host unmounts the export path from the
media server where backup image is mounted using instant access API.
8. Malware scan status is updated to the media server over SSH. Scan logs are
copied to the media server log directory.
9. Media server updates the scan status and the infected file list (if there are any
infected files) to the primary server.
10. Primary server updates the scan results and deletes instant access request to
the selected media.
11. Malware scan status notification is generated.

About dynamic scan

For malware scanning on Standard, MS-Windows, Cloud-Object-Store and
NAS-Data-Protection workloads, NetBackup 10.3 or later provides support for
dynamic scan feature.
This feature provisions all files in the backup images on demand unless the file is
accessed and read or there is no overhead on the file's provisioning.
In comparison to malware scan using Instant Access mount points in NetBackup
versions prior to 10.3, dynamic scan optimizes instant access and scan performance
for MSDP (for large number of files in the backup). This improves the instant access
time as well as the scan performance.
 Introduction 600
Limitations

NetBackup Media/Storage server 10.3 or later supports Instant Access on OST

target volumes backup for malware scanning, and support malware scanning for
big ADS information.
■ For MSDP storage, dynamic scan feature is applied on platform BYO, NBA,
Flex, Flex-worm, FlexScale, Azure Kubernetes Services Cluster / Amazon Elastic
Kubernetes Cluster.
■ For OST and Advanced Disk storage, dynamic scan feature is applied only on
platform BYO, NBA and Flex appliance.

Limitations
■ Client-side encryption and client-based compressed backups are unavailable
for scanning using Instant Access mount points. MSDP KMS-based encryption
techniques are recommended and can be configured (See the NetBackup
Security and Encryption Guide.)
■ User archive backups and synthetic backups are unavailable for scanning using
Instant Access mount points.
■ For VMware: Incremental backup images without accelerator feature enabled
are not supported for VMware workload.
■ Windows EFS files/folders are unavailable for scanning using Instant Access
mount points.
■ (For OST and AdvancedDisk) Supports malware scan for unstructured data
only. For more information, see the NetBackup Software Compatibility List.
■ NetBackup does not support SMB share type on AKS/EKS Active Directory
platform. For more information, see the NetBackup Deduplication Guide.
■ NetBackup images replicated to different NetBackup domain must be scanned
in the target domain again. Malware scan detailed status (for example, infected
file list, malware scanner used, signature information) of the backup images in
the source domain is not preserved during replication.
■ Back-level compatibility for media servers and old backup images on upgraded
media servers is only supported from NetBackup version 10.3 onwards. This
support is applicable to workload type support provided in NetBackup version
10.4 or later.
■ Clean file recovery is not supported for True image backups type of restore.
■ Starting with NetBackup 10.3, if malware scan is run for a client-side encrypted
backup, all the files are skipped. A notification is generated for the skipped file
and displayed in the NetBackup Web UI.
 Chapter 33
How to setup Malware
scanning
This chapter includes the following topics:

■ How to set up malware scanning

How to set up malware scanning

Table 33-1 describes a high level process for setting up malware scanning.

Table 33-1 Process for setting up malware scanning

Steps Description

Step 1 Install or upgrade NetBackup software on the primary server, the media
server, and MSDP storage server to version 10.0 or later.

NetBackup Installation or Upgrade Guide

Step 2 For BYO setup, Instant access must be configured on MSDP storage server.

See “MSDP build-your-own (BYO) server prerequisites and hardware

requirements to configure Instant Access” on page 604.
 How to setup Malware scanning 602
How to set up malware scanning

Table 33-1 Process for setting up malware scanning (continued)

Steps Description

Step 3 On the scan host (scan host is a separate entity with no NetBackup
footprint), configure any of the following malware tool:

■ NetBackup Malware Scanner (Avira)

Note: (Applicable only for Avira) Avira is configured automatically when
using the automated scripts as described in Step 4 below.
■ Symantec Protection Engine
■ Microsoft Defender Antivirus

Note: Ensure that the host user has required permission to scan with
configured malware tool and is able to access the mount on the storage
server.

See “Supported malware tools” on page 608.

Step 4 Malware scanning feature requires additional configurations on scan host.

The scan host configuration can be performed through automated scripts
or manually.

■ Automated scripts: See “Automated scan host configuration” on page 628.

■ Manual configuration: See “Manual scan host configuration” on page 631.
Scenario based scan host configuration:
■ See “Configure malware scan host for Windows NFS share type and
Microsoft Defender” on page 632.
■ See “Configure malware scan host for Linux NFS share type and
Avira” on page 634.

Step 5 On the NetBackup Web UI, configure the malware detection settings.

See “Configuring a scan host pool” on page 636.

 Chapter 34
Instant Access
configurations
This chapter includes the following topics:

■ About Instant Access configurations

■ MSDP build-your-own (BYO) server prerequisites and hardware requirements

to configure Instant Access

■ Instant Access tuning parameters for malware scanning (BYO)

■ Configuration for scan instances

About Instant Access configurations

Perform the steps provided in the following sections for configuring the Instant
Access for malware scanning:
■ MSDP build-your-own (BYO) server prerequisites and hardware requirements
to configure Instant Access
■ Instant Access tuning parameters for malware scanning (BYO)
■ Configuration for scan instances
The procedures mentioned in the above three sections are also applicable for Media
server of OST storage server which is configured as a MSDP storage (for Instant
Access capability) which is described in the following section:
See “Malware scanning workflow for OST and AdvancedDisk” on page 597.
 Instant Access configurations 604
MSDP build-your-own (BYO) server prerequisites and hardware requirements to configure Instant Access

MSDP build-your-own (BYO) server prerequisites

and hardware requirements to configure Instant
Access
The following are prerequisites for using the Instant Access MSDP build-your-own
(BYO) server feature:
■ The Instant Access feature is supported on an MSDP BYO storage server with
Red Hat Enterprise Linux 7.6 or later.
■ The Instant Access feature is not supported on SUSE Linux.
■ You must set up Active Directory-based user authentication for the Instant
Access.
For more information, see Active Directory-based authentication section in the
Veritas NetBackup™ Deduplication Guide.
■ NFS services must be installed and running if you want to use the instant access
over NFS.
■ Samba services must be installed and running if you want to use instant access
over CIFS/SMB.
You must configure Samba users on the corresponding storage server and enter
the credentials on the client.
For more information, see Active Directory-based authentication section in the
Veritas NetBackup™ Deduplication Guide.
■ (For NFS) Ensure that the nfs-utils is installed using the following command:
yum install nfs-utils -y

■ (For SMB)
■ Ensure that the Linux samba and samba winbind packages are installed
using the following command:
yum install samba samba-common samba-winbind
samba-winbind-clients samba-winbind-modules -y

■ Ensure that the following commands are run to grant permissions to the SMB
shares:
setsebool -P samba_export_all_rw on
setsebool -P samba_export_all_ro on

■ NGINX is installed and running.

■ Installing NGINX from Red Hat Software Collections:
Refer to https://www.softwarecollections.org/en/scls/rhscl/rh-nginx114/ for
instructions.
 Instant Access configurations 605
MSDP build-your-own (BYO) server prerequisites and hardware requirements to configure Instant Access

Because the package name depends on the NGINX version, run yum search
rh-nginx to check if a new version is available. (For NetBackup 8.3, an EEB
is required if NGINX is installed from Red Hat Software Collections.)
■ Installing NGINX from the EPEL repository:
Refer to https://fedoraproject.org/wiki/EPEL for installation instructions of
the repository and further information.
The EPEL repository is a volunteer-based community effort and not
commercially supported by Red Hat.
■ Before you start the storage configuration, ensure that the new BYO NGINX
configuration entry /etc/nginx/conf.d/byo.conf is included as part of the
HTTP section of the original /etc/nginx/nginx.conf file.
■ If SE Linux has been configured, ensure that the policycoreutils and
policycoreutils-python packages are installed from the same RHEL yum
source (RHEL server), and then run the following commands:
semanage port -a -t http_port_t -p tcp 10087
setsebool -P httpd_can_network_connect 1
Enable the logrotate permission in SE Linux using the following command:
semanage permissive -a logrotate_t

■ After NGINX is installed, the HTTP web service at port 80 is enabled by default.
Remove /etc/nginx/conf.d/default.conf or edit the file to disable the HTTP
web service if it is not needed.
■ Ensure that the /mnt folder on the storage server is not directly mounted by any
mount points. Mount points should be mounted to its subfolders.
■ If you configure the Instant Access feature on BYO after storage is configured
or upgraded without the NGINX service installed, run the command:
/usr/openv/pdde/vpfs/bin/vpfs_config.sh --configure_byo

■ Ensure that the required network ports are open.

See "NetBackup media server ports" in the NetBackup Network Ports Reference
Guide.
 Instant Access configurations 606
Instant Access tuning parameters for malware scanning (BYO)

CPU Memory Disk

■ Minimum 2.2-GHz clock ■ 16 GB (For 8 TBs to 32 ■ Disk size depends on the

rate.
■ 64-bit processor.
■ Minimum 4 cores; 8 cores ■
recommended. For 64
TBs of storage, the Intel ■
x86-64 architecture
requires eight cores.
■ Enable the VT-X option in
the CPU configuration.
TBs of storage - 1GB size of your backup. Refer
RAM for 1TB of storage). to the hardware
32 GBs of RAM for more requirements for
than 32 TBs of storage. NetBackup and Media
An additional 500MB of Server Deduplication Pool
RAM for each live mount. (MSDP).
■ If a system has multiple
data partitions, all the
partitions must be the
same size. Example: If a
BYO server has a first
partition at 4TB, all
additional data partitions
must be at 4TB in size.

Instant Access tuning parameters for malware

scanning (BYO)
■ Perform the following to update the Linux kernel vm.max_map_count parameter:
■ Add the following to parameter with value to the /etc/sysctl.conf file:
vm.max_map_count=262144

■ Reload the configuration file using the following command:

root: sysctl -p

■ Verify the updated new value of vm.max_map_count parameter using the

following command:
cat /proc/sys/vm/max_map_count

Configuration for scan instances

The traditional malware scan using Instant Access is based on vpfsd instance.
NetBackup 10.3 and later uses a separate vpfsd instance for malware scanning
which is configurable. This configuration is done using the numOfScanInstance
parameter. By default, malware scan uses one instance. In most cases, scan
instance is adequate but increasing the number of scan instances improves scan
performance, although it also requires more CPU and memory. You can increase
the number of scan instances from 1 to 4 and distribute the malware scan shares
cross all the scan instances.
 Instant Access configurations 607
Configuration for scan instances

To change the number of scan instances

1 Stop NetBackup on the media server using the following command:
systemctl stop netbackup

Or
/usr/openv/netbackup/bin/goodies/netbackup stop

2 Modify the number of scan instances as follows:

Change the value of numOfScanInstance parameter in the
vpfsd_config.json file. The value must be an integer between 1 and 4.

For example:
# grep numOfInstance /msdp/vol1/etc/puredisk/vpfsd_config.json
"numOfScanInstance": 2,

BYO (build-your-own): <storage path>/etc/puredisk/vpfsd_config.json

NetBackup Appliance and NetBackup Flex Scale:
/msdp/data/dp1/pdvol/etc/puredisk/vpfsd_config.json

NetBackup Flex: /mnt/msdp/vol0/etc/puredisk/vpfsd_config.json

3 Modify the number of vpfsd instances (numOfInstance), the value must be
an integer between 2 and 16. Ensure that the value of numOfInstance is
greater than numOfScanInstance.
4 Start NetBackup on the media server using the following command:
systemctl start netbackup

Or
/usr/openv/netbackup/bin/goodies/netbackup start

Note: Malware scan instances are part of vpfsd instances, which are reserved only
for malware scanning.
 Chapter 35
Malware tools
configurations
This chapter includes the following topics:

■ Supported malware tools

■ Configuring NetBackup Malware Scanner (Avira)

■ Configuring Symantec Protection Engine

■ Configuring Microsoft Defender Antivirus

Supported malware tools

Note: Ensure that scan jobs are cancelled before upgrading any malware scanner
tool or restarting the master server.

NetBackup provides support for the following malware detection tools:

■ NetBackup Malware Scanner (Avira)
See “Configure the NetBackup Malware Scanner on scan host” on page 614.

Note: The malware signature gets updated before every scan. If scan host does
not have access to internet, then user must first configure the mirror server. For
more information, refer to the following section:
See “Configuration of mirror server for Signature update” on page 609.

■ Symantec Protection Engine

See “Configuring Symantec Protection Engine” on page 618.
 Malware tools configurations 609
Configuring NetBackup Malware Scanner (Avira)

■ Microsoft Defender Antivirus

See “Configuring Microsoft Defender Antivirus” on page 619.

Note: When using any other malware scanner tool on Windows scan host, user
must disable the Real time protection option of the Windows Defender while
malware scan is in progress.

Configuring NetBackup Malware Scanner (Avira)

This section includes the following:
■ Mirror server configuration for signature update of malware scanner tool (Avira)
when internet connectivity is not there on scan host.
■ Proxy server configuration for malware scanner tool (Avira) when no direct
internet connectivity.
■ NetBackup malware scanner configuration on scan host.
NetBackup Malware Scanner configuration can also be performed using automated
scripts. For more information, refer to the following section:
See “Automated scan host configuration” on page 628.

Note: Automated scripts do not include mirror server and proxy server configuration.
If required, then manually perform the steps in the following:
Configuration of mirror server for Signature update
Configure a proxy server on Windows or Linux

Note: Ensure that you have the latest version of NetBackup Malware Scanner
(Avira) downloaded.

Configuration of mirror server for Signature update

NetBackup Malware Scanner (Avira) mirror server must be configured for signature
update only when scan host does not have access to internet.
 Malware tools configurations 610
Configuring NetBackup Malware Scanner (Avira)

Creating local mirror server

1 A designated host with NetBackup Malware Scanner must be installed.
2 Login with the same user credentials used to install the NetBackup Malware
scanner and run the following command:
cd $NB_MALWARE_SCANNER_PATH

./avupdate.bin --mirror --config=avupdate-savapilib-product.conf

--install-dir=<update_path>

3 Publish the <update_path> over HTTP.

For example, https://<local_mirror_server>/<update_path>.

Note: Periodically run ./avupdate.bin --mirror command to keep the

signature data up-to-date on the mirror server.
 Malware tools configurations 611
Configuring NetBackup Malware Scanner (Avira)

Using local mirror server during signature update

1 The update.sh script refers to avupdate-savapilib-product.conf file which
is at the same location as that of update.sh, that is
$NB_MALWARE_SCANNER_PATH.

2 Update the internet-srvs entry in .conf file to point to the URL served by the
local mirror server mentioned above.

~/savapi-sdk-linux64/bin> cat avupdate-savapilib-product.conf

#This configuration updates the entire SAVAPI Library (binaries,
engine, signatures)
#internet-srvs=https://oem.avira-update.com/update
internet-srvs=https://<local_mirror_server>/<update_path>
master-file=/idx/master.idx
product-file=/idx/savapi4lib-linux64-en.info.gz
install-dir=./
temp-dir=./tmp
check-product
 Malware tools configurations 612
Configuring NetBackup Malware Scanner (Avira)

3 Run the update.sh script to ensure that the update is working correctly.
The avupdate.log file displays the following entries:

~/savapi-sdk-linux64/bin> head avupdate.log

18/09/2022 23:31:47 pndch32bl10-09 avupdate.bin[10929]: UPD: INFO:
Avupdate Version: 2.6.10.36
18/09/2022 23:31:47 pndch32bl10-09 avupdate.bin[10929]: UPD: INFO:
Operating System: LINUX X86_64 5.3.18-22-DEFAULT
18/09/2022 23:31:47 pndch32bl10-09 avupdate.bin[10929]: UPD: INFO:
Installation Directory: .
18/09/2022 23:31:47 pndch32bl10-09 avupdate.bin[10929]: UPD: INFO:
Backup Directory: ./avupdate_backup
18/09/2022 23:31:47 pndch32bl10-09 avupdate.bin[10929]: UPD: INFO:
Temp Directory: ./tmp/avupdate_tmp_njoOb5
18/09/2022 23:31:47 pndch32bl10-09 avupdate.bin[10929]: UPD: INFO:
Cache Modules Directory: ./idx
18/09/2022 23:31:47 pndch32bl10-09 avupdate.bin[10929]: UPD: INFO:
Proxy settings: Direct connection
18/09/2022 23:31:47 pndch32bl10-09 avupdate.bin[10929]: UPD: INFO:

Downloading
https://local_mirror_server/<update_path>/idx/master.idx
to ./tmp/avupdate_tmp_njoOb5/idx/master.idx
18/09/2022 23:31:48 pndch32bl10-09 avupdate.bin[10929]: UPD: INFO:

Downloading
https://<local_mirror_server>/<update_path>/idx/savapi4lib-linux64-en.info.gz

to ./tmp/avupdate_tmp_njoOb5/idx/savapi4lib-linux64-en.info.gz
18/09/2022 23:31:49 pndch32bl10-09 avupdate.bin[10929]: UPD: INFO:

Downloading
https://<local_mirror_server>/<update_path>/idx/xvdf.info.gz
to ./tmp/avupdate_tmp_njoOb5/idx/xvdf.info.gz
 Malware tools configurations 613
Configuring NetBackup Malware Scanner (Avira)

Manually updating local mirror server during no internet connectivity

1 On system with internet connectivity, download the signature database.

Note: The NBAntiMalwareClient must be installed on the system with internet

connectivity.

./avupdate.bin --config=avupdate-savapilib-product.conf --mirror

--install-dir=<mirror_dir>

2 Copy the contents of <mirror_dir> from above to the mirror server:

./avupdate.bin --config=avupdate-savapilib-product.conf
--internet-srvs=<local_copy_of_mirror_dir>

Configure a proxy server on Windows or Linux

To configure a proxy server on Windows
1 Add the proxy server entry in the environment variable with the http_proxy
name and the <proxy_server> value.
For example:
http_proxy=http://<username>:<password>@proxy_server_ip:<port>

2 Add the proxy server details in the avupdate-savapilib-product.conf file

which is available at NetBackup malware scanner installed path.
For example:

proxy-username=<username>
proxy-password=<password_paintext>
proxy-host=<proxy_server_ip>
proxy-port=<proxy_server_port>
update-auth-type=any
receive-timeout=600000
connect-timeout=600000
 Malware tools configurations 614
Configuring NetBackup Malware Scanner (Avira)

To configure a proxy server on Linux

1 Add proxy server entry in the environment variable with http_proxy name.
For example:
http_proxy=http://<username>:<password>@proxy_server_ip:<port>

This variable should be added in the .bashrc file of the scan host.
2 Add the proxy server details in the avupdate-savapilib-product.conf file.
For example:

proxy-username=<username>
proxy-password=<password_paintext>
proxy-host=<proxy_server_ip>
proxy-port=<proxy_server_port>
update-auth-type=any
receive-timeout=600000
connect-timeout=600000

3 In the savapi logs, verify if the correct proxy settings are used for malware
scanning.

Configure the NetBackup Malware Scanner on scan host

Recommendation for Avira
It is recommended not to change the name of the EICAR test file downloaded from
EICAR website.
Avira does not detect files with .txt extension. Avira considers these as simple
text files and skips malware scan of such files.
The description and purpose of the EICAR test file is as follows:
The EICAR Anti-Virus test file, also known as the EICAR test file, is a computer file
developed by the European Institute for Computer Antivirus Research (EICAR) and
the Computer Antivirus Research Organization (CARO). Its purpose is to test the
response of computer antivirus (AV) programs without using real malware that could
cause actual damage. Instead of using harmful viruses, the EICAR test file allows
people to safely evaluate their antivirus software.
 Malware tools configurations 615
Configuring NetBackup Malware Scanner (Avira)

Configure the NetBackup Malware Scanner for Windows

To configure the NetBackup Malware Scanner for Windows
1 Download the NetBackup Malware Scanner from Veritas Download Center.
2 Extract the downloaded zip files. Extracted files must have the following
structure:

NBAntiMalwareClient_version number
Readme.txt

NBAntiMalwareClient_version number_AMD64
savapi-sdk-win64.zip
setup.bat
cleanup.bat

3 Refer to the Readme.txt file for install, upgrade, or uninstall processes.

To install or upgrade the NetBackup Malware scanner on a Windows computer:
■ Navigate to NBAntiMalwareClient_version number_AMD64 folder and run
the setup.bat file.
■ Enter the target location to install the NetBackup Malware scanner.

Note: If NetBackup Malware Scanner is already installed, then

setup.bat/setup.sh overwrites the existing binary files.

To uninstall NetBackup Malware scanner from Windows computer:

■ Run the cleanup.bat file.

4 An optional setting can be used to increase number of threads in scanning.

Update the aviraconf.txt file. Add the following entry:
NumThreads = Number of threads

Where Number of threads is the number of threads for the scanning. The default
value is the number of CPU cores. (Minimum value is 1. Maximum value is
300).

Note: If the number of CPUs on the scan host is less than 16, then number of
threads defaults to the number of CPUs. If greater than 16, then the number
of threads defaults to 16 threads. If NumThreads is configured, that value
determines the number of threads for scanning.
 Malware tools configurations 616
Configuring NetBackup Malware Scanner (Avira)

5 To validate that the scan works with NetBackup Malware Scanner on a Windows
setup, perform the following:
■ Run the ./update.bat command to get the latest signature update.
■ Navigate to the NetBackup Malware Scanner installed path and run the
avira_lib_dir_scan.exe file with the required scan_path and conf_path
parameters.

6 Configuration file must be present in NetBackup Malware Scanner installed

path.
For example:
avira_lib_dir_scan.exe “c:\malwarescample” -log_path
“C:\NBMalwareScanner.log” -conf_path
“C:\NBMalwareScannerInstallPath\savapi-sdk-win64\bin\aviraconf.txt

Ensure that the output of the command is successful. For the existing sample
malware files, the output must be a list of infected files. Else the output must
be empty.
7 (Optional) The MALWARE_LOG environment variable can be used to increase
the logging level.
For example, the setting MALWARE_LOG=2 sets the logging level to WARNING.

0 DEBUG
1 INFO
2 WARNING
3 ALERT
4 ERROR
 Malware tools configurations 617
Configuring NetBackup Malware Scanner (Avira)

Configure a NetBackup Malware Scanner Linux

To configure a NetBackup Malware Scanner for Linux
1 Download NetBackup Malware Scanner from Veritas Download Center.
2 Extract the downloaded zip file. Files must contain the following structure;

NBAntiMalwareClient_version number_LinuxR_x86
savapi-sdk-linux64.zip
setup.sh
cleanup.sh

NBAntiMalwareClient_version number_LinuxS_x86 ->

NBAntiMalwareClient_version number_LinuxR_x86
savapi-sdk-linux64.zip
setup.sh
cleanup.sh

Warning: The setup.sh script modifies the bashrc file on Linux.

3 Refer to the Readme.txt file for install, upgrade, or uninstall processes.

To install or upgrade NetBackup Malware Scanner on Linux RHEL computer.
■ Navigate to NBAntiMalwareClient_ version number_LinuxR_x86 folder
and run the setup.sh script using scanuser.
■ Enter the target location to install the NetBackup Malware Scanner.
To install or upgrade NetBackup Malware Scanner on Linux SUSE computer:
■ Navigate to NBAntiMalwareClient_version number_LinuxS_x86 folder
and run the setup.shscript using scanuser.
■ Enter the target location to install the NetBackup Malware Scanner.

Note: For Linux SUSE computer, if .bashrc file is not present then create an
emtpy .bashrc file in users home directory.

To uninstall NetBackup Malware Scanner from Linux computer:

■ Run the cleanup.sh script.

4 To validate that the scan works with the NetBackup Malware Scanner on a
Linux setup, perform the following:
■ Run the ./update.sh script to get the latest signature update.
 Malware tools configurations 618
Configuring Symantec Protection Engine

■ Navigate to NetBackup Malware Scanner installed path and run the

avira_lib_dir_scan binary with the required scan path and conf_path
parameters.
■ Configuration file must be present in NetBackup Malware Scanner installed
path.
For example,
avira_lib_dir_scan “/root/malwareSample” -log_path
“/root/NBMalwareScanner.log” -conf_path
“/root/NBMalwareScannerInstalledPath/savapi-sdk-linux64/bin/
aviraconf.txt
Ensure that the output of the command is successful. For existing sample
malware files, the output must be a list of infected files. Else the output
must be empty.

Configuring Symantec Protection Engine

Windows
Configuring Symantec Protection Engine for Windows
1 Set Command-line executable path in PATH environment variable.
For example: C:\Program Files\Symantec\Scan Engine\CmdLineScanner\C
2 Run the following command on command prompt and verify the output:
ssecls -mode scan -scantype S C:\

Note: For license error, apply the updated licenses.

3 (Optional) Set the SCAN_FILE_BUCKET_SIZE environment variable.

For example:

SCAN_FILE_BUCKET_SIZE = 40

If SCAN_FILE_BUCKET_SIZE not set then default

SCAN_FILE_BUCKET_SIZE is 20.

Note: The ssecls scanner CLI supports multiple files to be scanned at a time which
are specified on command line. The SCAN_FILE_BUCKET_SIZE environment
variable can be updated to change the default value which is 20.
 Malware tools configurations 619
Configuring Microsoft Defender Antivirus

Linux
Configuring Symantec Protection Engine for Linux
1 Set executable path to LD_LIBRARY_PATH and path in bashrc file.
For example: LD_LIBRARY_PATH=
$LD_LIBRARY_PATH:/opt/SYMCScan/ssecls/C:/root/clientserver-2.10.97.234/bin

2 Run the following command on command prompt and verify the output:
ssecls -mode scan -scantype F /

Note: For license error, apply the updated licenses.

3 (Optional) Set the SCAN_FILE_BUCKET_SIZE environment variable.

For example:

SCAN_FILE_BUCKET_SIZE = 40

If SCAN_FILE_BUCKET_SIZE not set then default

SCAN_FILE_BUCKET_SIZE is 20.

Configuring Microsoft Defender Antivirus

Configuring Microsoft Windows Defender Antivirus
1 Navigate to Control Panel > System and Security > System. Select
Advanced System and set executable path in PATH environment variable.
For example: C:\Program Files\Windows Defender
2 Run the following command in command prompt:
MpCmdRun -Scan -ScanType 3 -DisableRemediation -File <filepath>
check if result is proper

For example:

C:\Program Files\Windows Defender>MpCmdRun -Scan -ScanType 3

-DisableRemediation -File "C:\Program Files\Windows Defender"
Scan starting...
Scan finished.
Scanning C:\Program Files\Windows Defender found no threats.
 Chapter 36
Scan host configurations
This chapter includes the following topics:

■ NetBackup malware scan host capabilities

■ Prerequisites for a scan host

■ Limitations and considerations for scan host using NFS share

■ Configuring scan host

■ Configuring a scan host pool

■ Managing a scan host

■ Configure resource limits for malware detection

NetBackup malware scan host capabilities

The NetBackup malware scan host that is configured on stand-alone Windows vs
Linux operating system will differ slightly in its capabilities and behavior. Windows
and Linux hosts can be used as a stand-alone scan host for on-demand malware
scan. The prerequisites for a scan host, for Windows and Linux operating system
hosts are mentioned in the following section:
See “Prerequisites for a scan host” on page 621.

Note: For faster scans, better resource utilizations (supports multiple scans in
parallel) and consistent scan performance, it is recommended to use the Linux scan
host using the NFS share type and NetBackup Malware Scanner (Avira).
See “Configure malware scan host for Linux NFS share type and Avira” on page 634.
 Scan host configurations 621
Prerequisites for a scan host

Windows and Linux scan host will not be able to scan the following file types (these
will be skipped):
■ Password protected files
■ Encrypted files
■ Compressed and password protected file archives (zip, tar, gzip)
■ Corrupted files
Windows and Linux scan host will skip a file if the scanner is unable to determine
the file type.

Prerequisites for a scan host

A scan host is a host machine that has the required malware tool configured. Once
it is integrated with NetBackup, NetBackup initiates scanning on the scan host.
Ensure that you meet the following prerequisites:
■ The minimum required configuration for the scan host is 8 CPU and 32-GB
RAM.
■ The malware tool must be installed and configured.
■ For the supported operating systems of the scan host, refer to the Software
Compatibility List.
■ The scan host must have a share type configured, that is, an NFS or an SMB
client.
■ NetBackup footprint is not required on the scan host. The existing systems with
the NetBackup client or media server can be used as scan host, too.
■ The scan host must be reachable from the media server over SSH.

Note: SSH connection to scan host from the media server must be successful
and this can be verified by running the following command from media server:
ssh scanuser@scanhost

■ The malware tool extracts the archives to a temporary location for scanning
purposes.
Linux scan host: /tmp
Windows scan host: %TEMP%
For archive scanning purposes, it is recommended to have the free disk space
of 10 GB on the scan host.
 Scan host configurations 622
Prerequisites for a scan host

Note: (Applicable for NetBackup version 10.0 and later) Any other malware
scanner tools that are installed on the scan host with on-access/real time
protection enabled can interfere with backup scanning. Disable or add NFS/SMB
mounts on the scan host to the exclusion list of the scanner.
For example, on a Windows scan host, the user must disable the Real time
protection option of the Windows Defender while the malware scan is in
progress.

■ Depending on the platform, ensure that the following additional prerequisites

are met:
Windows: See “Prerequisites for Windows scan host” on page 622.
Linux: See “Prerequisites for Linux scan host” on page 624.

Note: It is recommended to keep only the required ports open for malware scanning.
Allow NFS/SMB read from NetBackup storage srver. Refer to NetBackup Network
Ports Reference Guide.
Allow SSH From NetBackup media server (used for connecting to scan host).
Allow Malware signature updates. This depends on malware scanner used. For
NetBackup Malware Scanner, update happens over HTTPS
(https://oem.avira-update.com/update).

Prerequisites for Windows scan host

In addition to the prerequisites listed in Prerequisites for a scan host, ensure that
you meet the following requirements for Windows platform:
■ For a non-administrator user on Windows: A non-administrator user of a Windows
scan host must be added to the administrators group.
■ For supporting non-English characters on the Windows scan host, enable
multibyte characters support.
For more information on enabling multibyte characters support in Microsoft
Windows Server 2019, refer to the article Retrieve Data in UTF-8 on Windows.
■ For supporting long paths on the Windows scan host, enable long path support.
For more information on enabling maximum path length support, refer to
Maximum Path Length Limitation.
■ OpenSSH must be configured on windows scan host. Create the firewall rule for
OpenSSH so that scan host is accessible from the media server.

Note the following:

 Scan host configurations 623
Prerequisites for a scan host

■ For Windows 2016, get OpenSSH from the GIT hub repository and for Windows
2019, enable the OpenSSH server feature. For more details, refer to the Microsoft
documentation.
■ Microsoft Visual C/C++ Redistributable is an additional dependency if the media
server is updated to 10.1.1 or later.
The Visual C/C++ run-time library DLL is required to run the nbmalwareutil
utility on a windows scan host. The run-time DLL can be obtained from the
Microsoft Visual C++ Redistributable latest supported downloads.

Prerequisites for Windows scan host for NFS share type

Note: Run the scan host credential validation again from the Web UI if changes
are done to ID mapping.
For VMware and Cloud workload policy scanning, UID and GID mapping must be
set to 0. This requires a separate scan host pool having separate scan host.

Perform the following

1 Enable local passwd file mapping using PowerShell:

C:\Users\Administrator> Set-NfsMappingStore -EnableUNMLookup

$True -UNMServer localhost
C:\Users\Administrator> nfsadmin mapping

The following are the settings on localhost

Mapping Server Lookup : Enabled

Mapping Server : localhost
AD Lookup : Disabled
AD Domain :

2 Install NFS client by running the following command on PowerShell:

Install-WindowsFeature -Name NFS-Client
 Scan host configurations 624
Prerequisites for a scan host

3 The entry must be as follows in the respective files (in file type format):

Note: Ensure that the scanuser and scangroup are created. The scanuser
must be part of the scangroup and Administrators group.

In C:\Windows\System32\drivers\etc\passwd file:

scanuser:x:1001:1001:Description:C:\Users\scanuser

In C:\Windows\System32\drivers\etc\group file:

scangroup:x:1001:1001

4 Restart nfsadmin client as follows:

nfsadmin client stop

nfsadmin client start

5 Verify the ID (UID/GID) mapping for user by running the following command
using PowerShell:

Get-NfsMappedIdentity -AccountName scanuser -AccountType User

UserIdentifier : 1001
GroupIdentifier : 1001
UserName : scanuser
PrimaryGroup :
SupplementaryGroups :

Prerequisites for Linux scan host

In addition to the prerequisites listed in Prerequisites for a scan host, ensure that
you meet the following requirements for Linux platform:
■ For a Linux scan host the default login shell must be bash.
■ For RHEL 9 (and above) scan host, ensure that the SCP Linux command is not
disabled.
■ Install the following:
For NFS share type: nfs-utils
For SMB share type: cifs-utils
■ For NetBackup malware detection utility to run on scan host, install libnsl.so.1
library on scan host. If the latest version of libnsl library file is present (for
 Scan host configurations 625
Prerequisites for a scan host

example, /usr/lib64/libnsl.so.2), then create a soft link file

/usr/lib64/libnsl.so.1 which points to /usr/lib64/libnsl.so.2 file.
Example to create a soft link file:
# cd /usr/lib64 # ln -sf libnsl.so.2 libnsl.so.1

Note: For assistance on installing the libnsl* library file, contact operating
system administrator.

■ (Optional) A new variable entry ($TMPDIR) having a value equal to the desired
location can be added for malware scan temp directory in the scan user's bashrc
file.
For example, $TMPDIR=/mytempdirectory/malware to overwrite the default
/tmp/malware temporary location. If user specifies $TMPDIR=/home/scanuser
as the temporary directory, then /home/scanuser/tmp/malware directory would
be used as the temporary directory for all the malware related files.

Note: Ensure that the scanuser has the required permissions to $TMPDIR folder
for performing the malware scan successfully.

■ For a non-root user on Linux:

■ Allow the ssh connection with a non-root user.
For example: Add the Allow Users root scanuser entry in the
/etc/ssh/sshd_config file.

Note: A scan user is a non-root user that is created in the system.

■ Provide user permission to mount and umount. Add the user permission
entry in sodoers file.
For example: In the /etc/sudoers file add one of the following:
■ scanuser ALL=(ALL) NOPASSWD:ALL
■ scanuser ALL=(ALL) NOPASSWD:/bin/umount, /bin/mount

■ Configure the malware tool with a non-root user on the scan host.

Note: If scanning is done using the root user, then change the permission
of the /tmp/malware folder to provide write permissions to the non-root user.
For example: chmod a+rwx /tmp/malware
 Scan host configurations 626
Limitations and considerations for scan host using NFS share

Note: For VMware and Cloud workload policy scanning, UID and GID mapping
must be set to 0.

(If scan host is created in Azure or AWS from marketplace images) Enable root
access for scan host as follows:
■ Change the root password using the following command:
- sudo -i passwd

■ Change /etc/ssh/sshd_config file to provide the permit for root login as follows:

"PermitRootLogin yes"
"PasswordAuthentication yes"

■ Restart the service with the following command:

- service sshd reload

■ Change /etc/cloud/cloud.cfg file as follows to enable root user:

disable_root 0

Limitations and considerations for scan host

using NFS share
Limitations specific to a Windows scan host using NFS
share
Following is a limitation for Windows operating system and NetBackup Malware
Scanner (Avira) version 2.3:
A Windows scan host with Windows Defender malware tool, file paths having
non-English characters will not get scanned. These are skipped during a scan.
Thus, the number of files scanned reported on Web UI could be less than the total
files in that image.
If the malware scan encountered files could not be scanned for any reason, then
the following message is displayed:

Malware scan encountered <number of files> files which could not be

scanned.

A report of files that were skipped can be obtained by clicking on Actions > Export
unscannable files list.
 Scan host configurations 627
Configuring scan host

Considerations specific to a Windows scan host using

NFS share
■ The built-in administrator account can be used as the scan user and would be
able to scan all types of images. This account would be disabled on production
servers for security consideration.
Hence a non-administrator local user (for example, name: scan-user) must be
created and added to the Administrators group. To enhance the security, map
the account identity to secure the interactions with NFS shares. Active Directory
integration is not required when using the local passwd and group files located
at the following location:

C:\windows\system32\drivers\etc\passwd
C:\windows\system32\drivers\etc\group

■ When scanning images of Standard and MS-Windows policy type, the local
scan-user account must have UserIdentifier (UID) permissions set to non-zero
value.
For example, UID 1001 is added to the passwd and group file:
passwd file: scan-user:x:1001:1001:Description:C:\Users\scan-user
group file: scangroup:x:1001:1001
■ When scanning images of VMware and cloud workloads, the scan-user account
must have UserIdentifier (UID) permissions set to 0 value. Modify the passwd
and group files as follows:
passwd file: scan-user:x:0:0:Description:C:\Users\scan-user
group file: scangroup:x:0:0
■ As the permissions differ for the scan-user account (depending on the type of
image to be scanned), it is required to have 2 separate Windows scan hosts for
provisioning, each with a unique local account and UID permissions.
Prior to initiating an on-demand scan, select specific scanhost pool which has
the desired scan host. To avoid provisioning two separate Windows scan hosts,
use a non-admin user account (nfsnobody), then set the UID mapping to 0 value.

Configuring scan host

NetBackup malware scanning feature requires configuration of an additional host
(scan host). The scan host configuration can be performed through one of the
following methods:
■ Automated scripts: See “Automated scan host configuration” on page 628.
■ Manually: See “Manual scan host configuration” on page 631.
 Scan host configurations 628
Configuring scan host

Automated scan host configuration

Scan host can be configured automatically using one of the following options:
■ PowerShell: PowerShell scripts can be used to configure Windows scan host.
See “Scan host configuration using PowerShell” on page 628.
■ Shell: Shell scripts can be used to configure Linux scan host by copying the
required script to scan host.
See “Scan host configuration using Shell” on page 629.
■ Ansible: Ansible playbook can be used to configure one or more Linux and
Windows scan hosts remotely.
See “Scan host configuration using Ansible” on page 630.

Note: The above automated configuration scripts currently only support installation
of NetBackup Malware Scanner (Avira).

Scan host configuration using PowerShell

This utility installs and configures the prerequisites required to run a malware scan
on the scan host (Windows Server 2016 and above). Additionally, this utility can
be used to install NetBackup Malware Scanner on the scan host.
For more information, refer to the ReadMe.md file located at PowerShell ReadMe.md.
Prerequisites
■ For installing prerequisite software using the package managers, software
repositories must be configured.
■ Windows Server version: 2016 and above
■ Internet connectivity is required.
Steps to configure scan host using PowerShell
1 Clone the repository from GitHub and move it to your scan host as follows:
git clone
https://github.com/VeritasOS/netbackup-scanhost-config.git

2 Provide the scan host details in the inputs.json file. Refer to the Terminologies
section in ReadMe.md file for the complete list of options.
3 Open powershell.exe as Administrator.
4 Navigate to netbackup-scanhost-config\powershell\ folder as follows:
cd netbackup-scanhost-config\powershell\
 Scan host configurations 629
Configuring scan host

5 Run the following command:

.\configure-scanhost.ps1 --install

6 Use the information displayed at the end of script to register the scan host to
NetBackup primary server.

Scan host configuration using Shell

This utility installs and configures the prerequisites required to run a malware scan
on the scan host (RHEL (8.x, 9.x) / SUSE 12 and above). Additionally, this utility
can be used to install NetBackup Malware Scanner on the scan host.
For more information, refer to the ReadMe.md file located at Shell ReadMe.md.
Prerequisites
■ RHEL version: 8.x, 9.x
■ Internet connectivity is required and the subscription manager must be attached.
■ Uses jq for parsing the inputs.json file.
■ the default login shell must be bash.
Steps to configure scan host using Shell
1 Clone the repository from GitHub and move it to your scan host as follows:
git clone
https://github.com/VeritasOS/netbackup-scanhost-config.git

2 Navigate to netbackup-scanhost-config\shell folder as follows:

cd netbackup-scanhost-config\shell

3 Provide the scan host details in the inputs.json file. Refer to the Terminologies
section in ReadMe.md file for the complete list of options.
■ install_avira: Installs NetBackup Malware Scanner if set to true, defaults
to false.
■ avira_package_path: (Required only if install_avira is set to true). Local
absolute path to the NetBackup Malware Scanner zip package
(NBAntimalwareClient) which is available on the Veritas download center.

4 Run the following command:

sh configure-scanhost.sh [--verbose] [--install]

5 Use the information displayed at the end of script to register the scan host to
NetBackup primary server.
 Scan host configurations 630
Configuring scan host

Scan host configuration using Ansible

Using Ansible, single/multiple scan hosts can be configured at once by providing
the host details in inventory/hosts.yml file. NetBackup footprint is not required
on the scan host. This utility installs and configures the prerequisites required to
run a malware scan on the scan host (RHEL 8.x/9.x/ Windows Server 2016 and
above). Additionally, this utility can be used to install NetBackup Malware Scanner
on the scan host.
For more information, refer to the ReadMe.md file located at Ansible ReadMe.md.
Prerequisites
■ The minimum required configuration for the scan host is 8 CPU and 32-GB
RAM.
■ For the supported operating systems of the scan host, refer to the Software
Compatibility List.
■ NetBackup footprint is not required on the scan host. The existing systems with
the NetBackup client or media server can be used as scan host, too.
■ (Linux) The scan host must be reachable from the media server over SSH.

Note: SSH connection to scan host from the media server must be successful.

■ Following are the platform specific requirements:

(For Windows) openssh, nfs-client, vc runtime, non-administrator user and Avira
configured using previously created non-administrator user.
(For Linux) libnsl, cifs-utils, non-root user and Avira configured using previously
created non-administrator user.
Steps to configure scan host using Ansible

Note: Ensure that you perform all the steps in this procedure on Ansible control
host.

1 Clone the repository from GitHub and move it to your Ansible control host as
follows:
git clone
https://github.com/VeritasOS/netbackup-scanhost-config.git

2 Navigate to netbackup-scanhost-config\ansible folder as follows:

cd netbackup-scanhost-config\ansible
 Scan host configurations 631
Configuring scan host

3 By default, the host key checking would happen before configuring the scan
host. To add the fingerprint of the scan host for Linux hosts, manually perform
SSH to the scan host as follows:
ssh-keyscan -H {{HOST}} >> ~/.ssh/known_hosts

4 Provide the scan host details in the inventory/hosts.yml file. Refer to the
Terminologies section in ReadMe.md file for the complete list of options.
■ install_avira: Installs NetBackup Malware Scanner if set to true, defaults
to false.
■ avira_package_path: (Required only if install_avira is set to true). Local
absolute path to the NetBackup Malware Scanner zip package
(NBAntimalwareClient) which is available on the Veritas download center.
■ ansible_user: Scan host username who must be a user with Administrator
or root/sudo privileges. When using the sudo privileges, provide the sudo
password as follows:
ansible_sudo_pass=<password>

■ ansible_ssh_pass: Scan host password.

5 Run the following to run the playbook:

ansible-playbook playbook.yml

6 Use the credentials displayed at the end of script to register the scan host to
NetBackup primary server.

Manual scan host configuration

The scan host must have NetBackup Malware Scanner (Avira) installed and must
be reachable from media server over SSH.
Configure the required share type such as NFS or SMB.
Notes: Perform the following steps on MSDP storage server:
■ Configure NFS and SMB configurations. Also, NFS or SMB client must be on
scan host.
■ For SMB share, ensure that storage server is connected/joined to Active Directory
Domain and obtain an active directory domain details and a valid user credentials.
■ Ensure that user specified in the share type has required permission to mount.
For more information on the additional prerequisites (such as SMB/NFS client
software) and scan host configuration steps, refer to NetBackup Administrator
Guide.
 Scan host configurations 632
Configuring scan host

Scenario based scan host configuration

For NFS share type, depending on the platform and malware scanner tool, refer to
the following examples for configuring the scan host manually:
■ For Windows, NFS share type and Microsoft Defender Antivirus:
See “Configure malware scan host for Windows NFS share type and Microsoft
Defender” on page 632.
■ For Linux, NFS share type:
See “Configure malware scan host for Linux NFS share type and Avira”
on page 634.

Configure malware scan host for Windows NFS share type

and Microsoft Defender
NetBackup malware scanning feature requires configuration of an additional host
(a scan-host).
Before configuring scan host ensure that the following prerequisites are met:
See “Prerequisites for a scan host” on page 621.
Scan host configuration
1 Install OpenSSH:

Note: For Windows 2019, OpenSSH server feature can be enabled.

■ Download OpenSSH package from

https://github.com/PowerShell/Win32-OpenSSH/releases and extract it to
C:\Program Files folder.

■ Add C:\Program Files to environment variable PATH.

■ Open PowerShell and run it as an administrator.
■ Navigate to C:\Program Files and run the following commands to install
sshd and enable port 22:
powershell.exe -ExecutionPolicy Bypass -File install-sshd.ps1
netsh advfirewall firewall add rule name=sshd dir=in
action=allow protocol=TCP localport=22
sc.exe config sshd start= auto
net start sshd

2 Install NFS client by running the following command on PowerShell:

Install-WindowsFeature -Name NFS-Client
 Scan host configurations 633
Configuring scan host

3 Enable UID mapping:

■ Run the following commands on PowerShell to enable NFS user mapping:

PS C:\Users\Administrator> Set-NfsMappingStore -EnableUNMLookup

$True -UNMServer localhost
PS C:\Users\Administrator> nfsadmin mapping

The following are the settings on localhost

Mapping Server Lookup : Enabled

Mapping Server : localhost
AD Lookup : Disabled
AD Domain

■ Create the passwd and group files as follows:

Note: Ensure that the file extension is not created. The entry that is created
must be in the file type format.

■ C:\Windows\System32\drivers\etc\passwd file:
<scanuser>:x:<uid>:<uid>:Description:C:\Users\<scanuser>
For example,

C:\Windows\System32\drivers\etc\passwd -
scanuser:x:1000:1000:Description:C:\Users\scanuser

■ C:\Windows\System32\drivers\etc\group file:
<scanuser>:x:<uid>:<uid>
For example,

C:\Windows\System32\drivers\etc\group - scanuser:x:1000:1000

Note: For scanning VMWare and Cloud images on Windows scan host,
enable nfsadmin mapping to UID/GID 0. Scan user must be an
administrator.
passwd file content -
Administrator:x:0:0:Description:C:\Users\Administrator

group file content - Administrator:x:0:0

 Scan host configurations 634
Configuring scan host

4 Restart NFS client:

After updating passwd/group files, restart NFS client service using the following
commands:
nfsadmin client stop

nfsadmin client start

5 Verify the ID (UID/GID) mapping for user by running the following command
using PowerShell:

Get-NfsMappedIdentity -AccountName scanuser -AccountType User

UserIdentifier : 1001
GroupIdentifier : 1001
UserName : scanuser
PrimaryGroup :
SupplementaryGroups :

6 Install VC runtime:
Download and install VC runtime package from
https://aka.ms/vs/17/release/vc_redist.x64.exe.
7 Configure the Malware scanner tool (Microsoft Defender Antivirus).
See “Configuring Microsoft Defender Antivirus” on page 619.

Configure malware scan host for Linux NFS share type

and Avira
NetBackup malware scanning feature requires configuration of an additional host
(a scan-host).
Before configuring scan host ensure that the prerequisites mentioned in the following
section are met:
See “Prerequisites for a scan host” on page 621.
Scan host configuration

Note: For ease of understanding the following documented procedure, refer to

Video.

1 Install NFS client: $ yum install nfs-utils -y

2 Install libnsl: $ yum install libnsl -y
 Scan host configurations 635
Configuring scan host

3 Create non-root user account for performing a scan: $ useradd scanuser

4 Set password of scan user (username: scanuser): $ passwd scanuser
5 Provide mount and unmount access to scanuser: $ vim /etc/sudoers
Add the following line:

scanuser ALL=(ALL) NOPASSWD: /bin/umount, /bin/mount

Install malware tool using scanuser: $ su scanuser

6 Download the latest available version of NetBackup Malware Scanner tool
(Avira) (NBAntiMalwareClient_2.4.zip) from Veritas Support Downloads:
$ unzip NBAntiMalwareClient_2.4.zip

$ cd NBAntiMalwareClient_2.4_LinuxR_x86/

$ sh setup.sh

Or
If malware scanner is already installed and needs to be upgraded:

$ unzip NBAntiMalwareClient_2.4.zip
$ cd NBAntiMalwareClient_2.4_LinuxR_x86/
$ sh setup.sh
>> NetBackup Malware Scanner is already installed. Do you want
to update it? (y/n): default: y
Note: To replace all binaries at target location, enter option
-ALL

7 Copy RSA key: $ hostname

Copy the hostname to notepad for later use.
$ ssh-keyscan <hostname> 2>/dev/null | grep ssh-rsa | awk '{print
$3}' | base64 -d | sha256sum

Note: Copy the RSA key to notepad for later use.

 Scan host configurations 636
Configuring a scan host pool

8 Create a scan host pool.

For more information on creating the scan host pool, refer to the following
section:
See “Configuring a scan host pool” on page 636.
9 Validate malware scanner configuration through Web UI as follows:
The Validate configuration feature within NetBackup Web UI is available in
NetBackup version 10.4 and higher. If NetBackup version is below 10.4 then
create small size backup image using a policy type Standard or MS Windows
and trigger scan using that image. If the NetBackup or the malware scan job
fails, then the job will have the details needed to troubleshoot.

Configuring a scan host pool

Refer to the following topics to configure a scan host pool.
See “Add an existing scan host” on page 638.
See “Validating the scan host pool configuration” on page 639.
See “Add a new host in a scan host pool” on page 637.

Prerequisites for scan host pool

Scan host pool is a group of scan hosts. Scan host pool configurations must be
performed from NetBackup Web UI before the scan host configuration is competed.
■ All the scan host added in the scan host pool must have same malware tool as
that of the scan host pool.
■ All the scan host added in the pool must have same share type as that of scan
host pool.
■ To add scan host in a scan pool, credentials of scan host and RSA key are
required. To get the RSA key of the scan host, See “Managing credentials for
malware scanning” on page 640.
■ Before performing the scan, ensure that the scan hosts are active and available
in scan host pool.
 Scan host configurations 637
Configuring a scan host pool

Configure a new scan host pool

To configure a new scan host pool
1 On left, click Detection and reporting > Malware detection.
2 On the Malware detection page, select Malware detection settings >
Malware scanner host pools on the top-right corner to go to host pool list
page.
3 On the Malware scanner host pools page, click Add to add a new host pool.
4 On the Add malware scanner host pools page, enter the details such as
Host pool name, Malware scanner, and Type of share.
5 Click Save and add hosts.

Add a new host in a scan host pool

Use this procedure to add a new scan host in the scan host pool that is configured.
See the following topic for prerequisites.
See “Prerequisites for scan host pool” on page 636.
To add a new host in a scan host pool
1 On the left, click Detection and reporting > Malware detection.
2 Click Malware detection page, click Malware detection settings on the
top-right corner.
3 On the Malware scanner host pools page, select the desired scan host pool
and click Manage hosts from the action menu.
4 On the Manage malware scanner hosts page, click Add new.
5 On the Add malware scanner host page, enter Host name.
6 Click on Select existing credential or Add a new credential.
See “Managing credentials for malware scanning” on page 640.
7 Select the media server to validate credentials.
8 Click on Validate credentials. On successful validation, click Save to save
the credentials.
9 Select from the following options:
■ To save the credentials and validate the configuration later, click Save.
See “Validating the scan host pool configuration” on page 639.
■ To save the credentials and immediately validate the configuration, click
Save and validate configuration.
 Scan host configurations 638
Managing a scan host

Note: By default three parallel scans are supported per scan host and this limit is
configurable. Having more scan hosts in the scan pool increases the number of
parallel scans.
See “Configure resource limits for malware detection” on page 642.

Managing a scan host

Refer to the following topics to manage a scan host:
■ See “Add an existing scan host” on page 638.
■ See “Validating the scan host pool configuration” on page 639.
■ See “Remove the scan host” on page 639.
■ See “Deactivate the scan host” on page 640.
■ See “Managing credentials for malware scanning” on page 640.

Add an existing scan host

Use this procedure to add a same scan host in another scan host pool of same
share type.
To configure an existing scan host
1 On left, click Detection and reporting > Malware detection.
2 On the Malware detection page, click Malware detection settings on the
top right corner.
3 On the Malware scanner host pools page, select the desired scan host pool
and click Manage hosts from the action menu.
4 On the Manage malware scanner hosts page, click Add existing to select
pre-existing host.

Note: List includes all scan hosts from all scan host pools.

5 On the Add existing malware scanner host window, select the desired one
or more scan hosts.
6 Click Add.
 Scan host configurations 639
Managing a scan host

Validating the scan host pool configuration

Use this procedure to validate the configuration for a new or an existing scan host
in the scan host pool that is configured.
To validate the scan host pool configuration
1 On the left, click Detection and reporting > Malware detection.
2 Click Malware detection page, click Malware detection settings on the
top-right corner.
3 After adding a new scan host or an existing scan host, on the Manage malware
scanner hosts page, select the desired scan host and click Validate
configuration from the action menu.
To add a new scan host or an existing scan host, see the following topics.
See “Add a new host in a scan host pool” on page 637.
See “Add an existing scan host” on page 638.
4 On the Validate configuration page, enter the details to search and select an
image to validate the configuration.

Note: Validating the configuration is only supported for backup image of

Standard policy type.

5 Select the backups to scan and click on Validate configuration.

Note: It is recommended to use backup image with small number of files. For
large backups, IA creation may delay and test scan might fail.

6 After successful validation, click Finish.

The Malware scanner host pools page is displayed with the list of added
scanner hosts.

Remove the scan host

1 On left, click Detection and reporting > Malware detection.
2 On the Malware detection page, click Malware detection settings on the
top right corner.
 Scan host configurations 640
Managing a scan host

3 On the Malware scanner host pools page, select the desired scan host pool
and click Manage hosts from the action menu.
4 Select the desired host and click Remove, to remove scan host from scan host
pool.

Deactivate the scan host

1 On left, click Detection and reporting > Malware detection.
2 On the Malware detection page, click Malware detection settings on the
top right corner.
3 On the Malware scanner host pools page, select the desired scan host pool
and click Manage hosts from the action menu.
4 Select the desired host and click Deactivate.

Managing credentials for malware scanning

To add new credentials
1 On the left, click Detection and reporting > Malware detection.
2 On the right, click Malware detection settings > Malware scanner host
pools.
3 Select the desired scan host pool. Then click Actions > Manage hosts.
4 Select the desired host. Then click Actions > Manage credentials.
5 Select Add a new credential and click Next.
6 Add the details such as the Credential name, Tag, and Description.
7 On the Host credentials tab, add the Host username, Host password, SSH
port, RSA key, and Share type.
■ To validate the SSH connection between the MSDP media server and the
host, run the following command:
ssh username@remote_host_name

■ To verify the RSA key for a remote scan host, run the following command:
ssh-keyscan scan_host_name 2>/dev/null | grep ssh-rsa

■ To obtain the RSA key for the scan host, use the following command. Use
the command from any Linux host with SSH connectivity to the scan host
(this host can be the scan host itself):
ssh-keyscan scan_host_name 2>/dev/null | grep ssh-rsa | awk
'{print $3}' | base64 -d | sha256sum
 Scan host configurations 641
Managing a scan host

For example, the output is

33f697637ab3f0911c1d462d4bde8be3eec61a33403e8f6a88daecb415a31eef
- where the RSA key is
33f697637ab3f0911c1d462d4bde8be3eec61a33403e8f6a88daecb415a31eef

Note: Ensure that you remove the - character from the RSA key when you
copy.
The following host key algorithms are used to connect to scan host in the
given order:
rsa-sha2-512, rsa-sha2-256, ssh-rsa

8 For SMB share type, enter the following additional details:

■ Active directory domain: A domain to which the storage server is
connected (used to authenticate mounts on scan host).
■ Active directory group: A group name in an Active Directory domain.
■ Active directory user: A user that is added in the selected Active Directory
group.
■ Password

9 Click Save.

To add existing credentials

1 On the left, click Detection and reporting > Malware detection.
2 On the right, click Malware detection settings > Malware scanner host
pools.
3 Select the desired scan host pool. Then click Actions > Manage hosts.
4 Select the desired host and click Actions > Manage credentials.
5 Select Select existing credential.
6 Select the desired credential and click Select.
 Scan host configurations 642
Configure resource limits for malware detection

To validate the scan host credentials

1 After you provide the credentials for the scan host on the Add malware scanner
host page, search for and select the media server.

Note: Only SSH credentials are validated by connecting to scan host from the
selected media server. The media server must be a Linux media server with
NetBackup version 10.3 or later.

2 Click Validate credential.

3 After the credentials are successfully validated, click Save.

Configure resource limits for malware detection

To configure resource limits for malware detection
1 On left, click Detection and reporting > Malware detection.
2 On the top right, click Malware detection settings > Resource limits.
3 Click Edit to edit the resource limit of the resource type.
4 Set the global limit which would be considered when resource limit is not set
for a resource type.
Or, click Add to override the global setting.
5 Enter the new host name and set the limits.

Note: Resource type scan host: Number of scans per scan host. Default: 3,
Minimum: 1, Maximum: 10
Resource type storage server: Number of scans per storage server. Default:
20, Minimum: 1, Maximum: 50

6 Click Save.

Caution: Setting the Instant Access limit to large value would lead to Storage
server resources (memory, CPU, disk) being used for malware scanning
purpose. It is advised to set the value based on the existing load on storage
server due to backup/duplication operations.
 Scan host configurations 643
Configure resource limits for malware detection

Note: For NetBackup version 10.2 and later, global parallel scans limit configured
through MALWARE_DETECTION_JOBS_PER_SCAN_HOST configuration option
is not applicable. Configure the global parallel scans limit using the Web UI.
 Chapter 37
Performing malware scan
This chapter includes the following topics:

■ Performing malware scan before recovery

■ Perform a malware scan

■ Backup images

■ Assets by policy type

■ Assets by workload type

Performing malware scan before recovery

The following table provides the scenarios when the Scan for malware before
recovery option is enabled/disabled:

Scenarios Enabled

If user does not have RBAC permissions to trigger malware scan. No

If primary copy is snapshot (NAS-Data-Protection) in any of the selected No

backup images.
Note: In selected date range, user must select backup image as the
primary copy to trigger recovery time scan.

Images in selected date range must only be in the backup format

(combination of backup and snapshot is not supported).

If scan host pool is not configured. No

 Performing malware scan 645
Performing malware scan before recovery

To perform malware scan before recovery of files/folders

1 On the left, click Recovery.
2 Under Regular recovery, click Start recovery.
3 Select the following properties:

Source client The client that performed the backup.

Destination client The client to which you want to restore the backup.

Policy type The type of policy that is associated with the backup you want to
restore.

Restore type The type of restore that you want to perform. The restore types that
are available depend on the policy type that you choose.

4 Click Next.
The following warning message is displayed when images which are not
scanned are selected for recovery:

One or more images selected for recovery are not scanned.

5 In the Recovery details page:

■ Edit the Date range in the Use date picker option.
Or
Click Use backup history to view and select specific images.

Note: The table displays all the backup image details for selected time
frame. You can filter and sort the images based on the malware scan results,
schedule type, or policy name.

■ Click Apply to apply the date changes or add the selected images for
recovery.

6 To perform the malware scan of files/folders selected for recovery, select the
Scan for malware before recovery option.
User will be able to list Most recent files/folders when Scan for malware
before recovery option is selected.

Note: The Allow the selection of images that are malware-affected option
will be disabled if user selects Scan for malware before recovery option.
 Performing malware scan 646
Perform a malware scan

7 On the left, expand the Source client directory. Select any directories that you
want to restore. Or in the right pane, select any files or directories. Click Next.
8 Select the Restore target and the Recovery options.
9 Select one of the following options under Malware scan and recover option
for files infected with malware:
■ If any files are infected with malware, recover only uninfected files (clean)
■ If any files are infected with malware, recover the latest clean copy of the
files within the selected date range
■ If any files are infected with malware, recover all files, including infected
files
■ If any files are infected with malware, do not perform the recovery job
Select a malware scanner host pool and click Next.
10 In the Review page, view the summary of all the selections that you made, and
click:
■ Start recovery
Or

■ (Applicable when Scan for malware before recovery is selected) Start

scan and recovery

You can see the progress of the restore job in the Activity monitor.

Note: For NAS-Data-Protection policy type multiple recovery jobs can be triggered
for multi-volume restore. A comma separated list of Job IDs one per volume is
displayed. The recovery job column would display only one Job ID NetBackup.

Perform a malware scan

To perform a malware scan
1 On left, click Detection and reporting > Malware detection.
2 On the Malware detection page, click Scan for malware.
3 In the Search by option, select one of the following:
■ Backup images
■ Assets by policy type
■ Assets by workload type
 Performing malware scan 647
Perform a malware scan

Note: NetBackup supports VMware assets for malware scan of backup

images only with MSDP.

For more information on the options for scanning, refer to the following
on-demand scan:
■ See “Backup images” on page 648.
■ See “Assets by policy type” on page 650.
■ See “Assets by workload type” on page 652.
Following steps are applicable for scanning Assets by policy type and Assets
by workload type.
4 From the Client/Asset table, select a Client/Asset to scan.
5 Click Next.

Note: (Applicable only if Search by option is selected as Assets by policy

type) If the selected client in the previous step supports multiple policy types,
then user has an option of selecting a single policy type for scanning.

6 For the Start date/time and End date/time verify the date and the time range
or update it.

Note: According to selection criterion, scan gets initiated to maximum of 100

images.

7 In the Scanner host pool, Select the appropriate host pool name.
8 (Applicable only for the NAS-Data-Protection policy type) In the Volume field,
Select volume backed up for NAS devices.
Volume-level filtering only fetches the top-level directories of the
NAS-Data-Protection volume backup. Volume-level filtering is applicable only
if the top-level directory is a volume. In such a case, you can select individual
backup images with the Backup images option in the Search by option.
9 From the Current status of malware scan, select one of the following:
■ Not scanned
■ Not infected
■ Infected
 Performing malware scan 648
Backup images

■ All

10 Click Scan for malware.

There are more than 100 images in your search. Unable to scan more than
100 images. Adjust the date range and try again.
11 After the scan is initiated, the Malware Scan Progress is displayed. Following
are the status fields:
■ Not scanned
■ Not infected
■ Infected
■ Failed

Note: When we hover on failed status, the tool tip displays the reason for
failed scan.
The backup images which failed in validation, are ignored. Malware scanning
is supported for the backup images that are stored on storage with instant
access capability for the supported policy type only.

■ Pending
■ In progress

Backup images
This section describes the procedure for scanning policy of client backup images
for malware.
To scan policy of client backup images for malware
1 On left, click Detection and reporting > Malware detection.
2 On the Malware detection page, click Scan for malware.
3 In the Search by option, select Backup images.
4 In the search criteria, review and edit the following:
■ Policy name
Only supported policy types are listed.
■ Client name
Displays the clients that have backup images for a supported policy type.
■ Policy type
 Performing malware scan 649
Backup images

■ Type of backup
Any incremental backup images that do not have the NetBackup Accelerator
feature enabled are not supported for the VMware workload.
■ Copies
If the selected copy does not support instant access, then the backup image
is skipped for the malware scan.
(For NAS-Data-Protection policy type) Select the Copies as Copy 2.
■ Disk pool
MSDP (PureDisk), OST (DataDomain) and AdvancedDisk storage type
disk pools are listed.
■ Disk type
MSDP (PureDisk), OST (DataDomain) and AdvancedDisk disk types are
listed.
■ Malware scan status.
■ For the Select the timeframe of backups, verify the date and the time
range or update it.

5 Click Search.
Select the search criteria and ensure that the selected scan host is active and
available.
6 From the Select the backups to scan table select one or more images for
scan.
7 In the Select a malware scanner host pool, Select the appropriate host pool
name.

Note: Scan host from the selected scan host pool must be able to access the
instant access mount created on storage server which is configured with
NFS/SMB share type.

8 Click Scan for malware.

9 After the scan is initiated, the Malware Scan Progress is displayed.
The following are the status fields:
■ Not scanned
■ Not infected
■ Infected
■ Failed
 Performing malware scan 650
Assets by policy type

Hover over the status to view the reason for the failed scan.

Note: Any backup images that fail validation are ignored. Malware scanning
is supported for the backup images that are stored on storage with instant
access capability and for the supported policy types only.

■ In progress
■ Pending

Note: You can cancel the malware scan for one or more in progress and
pending jobs.

Assets by policy type

NetBackup supports MS-Windows, Cloud-Object-Store, NAS-Data-Protection and
Standard policy types for malware scan. The following section describes the
procedure for scanning NAS-Data-Protection backup images for malware.

NAS-Data-Protection
Each NAS volume or share is read over NFS or SMB, and backed up using a
configured number of backup streams. The maximum number of streams per volume
determines the number of backup streams that are created to back up each volume.
For example, consider a policy that contains 10 volumes and the maximum number
of streams is 4. The backup of the policy creates 4 backup streams for each volume,
with a total of 40 child backup streams and 10 parent backup streams.

Note: The number of scans depends on the number of batches that were created
to perform the scan. Only the parent stream backup image is visible on the Malware
detection UI.

For more information on multi stream backups, refer to NetBackup NAS

Administrator's Guide.
To scan the supported assets by policy type, perform the following:
1 On left, click Detection and reporting > Malware detection.
2 On the Malware detection page, click Scan for malware.
3 In the Search by option, select Assets by policy type.
 Performing malware scan 651
Assets by policy type

4 From the Client/Asset table, select a Client/Asset to scan.

5 Click Next.
If the selected client in the previous step supports multiple policy types, you
can select a single policy type for scanning.
6 For the Start date/time and End date/time verify the date and the time range
or update it.
The scan is initiated for a maximum of 100 images.
7 In the Scanner host pool, select the appropriate host pool name.
8 In the Volume field, Select volume backed up for NAS devices.

Note: Volume level filtering only fetches top-level directories of the

NAS-Data-Protection volume backup. Volume level filtering is applicable only
if the top-level directory is a volume. In such case, user has the option to select
individual backup images by using the Backup images option in the Search
by option.

9 From the Current status of malware scan, select one of the following:
■ Not scanned
■ Not infected
■ Infected
■ All

10 Click Scan for malware.

Warning: Scan is limited to only 100 images. Adjust the date range and try
again.

11 After the scan is initiated, the Malware Scan Progress is displayed. The
following are the status fields:
■ Not scanned
■ Not infected
■ Infected
■ Failed
 Performing malware scan 652
Assets by workload type

Note: Hover over the status to view the reason for the failed scan.
Any backup images that fail validation are ignored. Malware scanning is
supported for the backup images that are stored on storage with instant
access capability and for the supported policy types only.

■ Pending
■ In progress

More information is available on the malware scan status.

See “View the malware scan status” on page 654.

Note: For NAS-Data-Protection any backup images that were created on the
previous version of NetBackup 10.4 media server, you must select the Malware
scan status option as All.

Assets by workload type

This section describes the procedure for scanning VMware, Universal shares,
Kubernetes and Cloud VM assets for malware.
Ensure that you meet the following prerequisites:
■ The backups were performed with a storage server at NetBackup 10.1 or later.
■ Backup images are stored on MSDP storage only with instant access capability,
for the supported policy type only.
■ The last backup must be successful.
■ You must have an RBAC role with permissions to perform malware scans.
To scan the supported assets for malware, perform the following:
1 On left, select the supported workload under Workloads.
2 Select the resource which has backups completed (for example, VMware/Cloud
VM, Universal shares, Kubernetes and so on).
3 Select Actions > Scan for malware.
4 On the Malware scan page, perform the following:
■ Select the date range for the scan by selecting Start date/time and End
date/time.
■ Select Scanner host pool
 Performing malware scan 653
Assets by workload type

■ From the Select current status of malware scan list select one of the
following:
■ Not scanned
■ Not infected
■ Infected
■ All

5 Click Scan for malware.

Note: The malware scanner host can initiate a scan of three images at the
same time.

6 After the scan starts, you can see the Malware Scan Progress on Malware
Detection, the following fields are visible:
■ Not scanned
■ Not infected
■ Infected
■ Failed

Note: Any backup images that fail validation are ignored.

■ In progress
■ Pending
 Chapter 38
Managing scan tasks
This chapter includes the following topics:

■ View the malware scan status

■ Actions for malware scanned images

■ Recover from malware-affected images (clients protected by protection plan)

■ Recover from malware-affected images (clients protected by policies)

■ Clean file recovery for virtual workload (VMware)

View the malware scan status

To view the malware scan status
◆ On the left, click Detection and reporting > Malware detection.
The following columns are displayed:
■ Client - Name of the NetBackup client where the malware is detected.
■ Backup time - Time when the backup was performed.
■ Scan status - The scan status of the backup image. The different statuses
are infected, not infected, failed, in progress, pending, canceled, and
cancellation in progress.
■ Files infected - Indicates the number of files that were found infected during
the scan.
■ Scan progress - Indicates the percentage of scan completed.
■ Total files - Indicates the count of files and folders as recorded in the catalog
for the backup image (list of backup images in case of DNAS). For recovery
time scan, the Total files column would only indicate the count of files
selected for recovery.
 Managing scan tasks 655
Actions for malware scanned images

■ % infected - Provides the percentage of infected files as compared to Total

files.

Note: Skipped files during recovery are considered as Not-infected.

■ Elapsed time - Represents the time since scan request was accepted (Date
of scan) till the time of completion of scan (End date of Scan). The elapsed
time would consist of idle time, time spent in pending state. For resume of
failed jobs it would include time spent from failure till the time when the
resume operation was triggered.
■ Scanned files - Indicates the number of files that are scanned.
■ Schedule type - The backup type of the associated backup job
■ Date of scan - Date when the scan was performed.
■ Policy type - Type of the policy that was selected for scanning.
■ Policy name - Name of the policy that was used for scanning.
■ Malware scanner - Name of the malware scanner that was used for
scanning.
■ Scanner host pool - Indicates the host pool used for malware scanning.
■ Malware scanner version - Version of the malware scanner that was used
for scanning.

Note: To view additional columns that are not displayed, use the Show or hide
columns pull down menu.

Actions for malware scanned images

Once you scan the backup images for malware detection, a tabular data is available
on the Malware detection home page.
See “View the malware scan status” on page 654.
For each backup image, the following quick configurations are available.
To expire all the copies
1 On the left, click Detection and reporting > Malware detection.
2 For the desired scan result, click Actions > Expire all copies.
3 Confirm to expire all the copies of the selected backup image.
 Managing scan tasks 656
Actions for malware scanned images

Note: This option is available only for infected scan results.

To view any infected files

1 On the left, click Detection and reporting > Malware detection.
2 For the desired scan result, click Actions > View infected files.

Note: This option is available only for infected scan results and scan type
'Recovery'.

3 In the Infected files table, search or the desired file, if needed.

4 If you want to export the list, click Export list.

Note: A list of infected files from the selected malware scanning result is
exported in .csv format. The file name is of the following format:
backupid_infected_files_timestamp.csv

To export the infected files list

1 On the left, click Detection and reporting > Malware detection.
2 For the desired malware affected, click Actions > Export infected files list.

Note: A .csv file contains backup time, names, hashes of the infected files
and virus information.
For Microsoft Windows Defender, if real time protection is enabled, then hashes
of the infected files are not created as files are not accessible.

To export the unscannable files list

1 On the left, click Detection and reporting > Malware detection.
2 For the desired malware affected, click Actions > Export unscannable files
list.

Note: A .csv file contains the list of files that the malware scanner skips due
to issues such as file input or output errors, encrypted (password protected)
files, etc.
 Managing scan tasks 657
Actions for malware scanned images

To cancel a malware scan

1 On the left, click Detection and reporting > Malware detection.
2 For the wanted scan result, click Actions > Cancel malware scan.
Note: You can only cancel the malware scan from the "in progress" and the
"pending" states.
3 Click Cancel scan to confirm.
The status changes to Cancellation in progress.

Note: The Cancel malware scan is not supported for scan results with scan type
'Recovery'.

To rescan an image
1 On the left, click Detection and reporting > Malware detection.
2 For the wanted scan result, click Actions > Rescan image.
3 Click Rescan to confirm.
4 For a bulk rescan, when you select one or more images with a different or am
empty scanner host pool, you must select a new scanner host pool.
■ Click Rescan image.
■ Select a new scan host pool.
The new scan host pool is applicable for all the selected images for this
rescan.
■ Click Rescan to confirm.
Rescan (and resume) is not supported for scan results with scan type
recovery.

5 For a rescan of failed or canceled jobs, scanning is triggered from the point of
failure (resumed) instead of from a complete scan, under the following
conditions:
■ If the value of Date of scan is more than 48 hours, then the job is not
resumed and the full scan is initiated. This action ensures that the malware
signatures that are used for the scan do not differ significantly.
■ Supported for Standard or MS-Windows policy backup images that have a
large number of files (> 500 KB). For a DNAS policy, it is supported for
more than one stream.
■ Instant Access must have succeeded for the failed job.
 Managing scan tasks 658
Recover from malware-affected images (clients protected by protection plan)

■ Resume identifies the first instant access capable copy to scan, which can
be different from the copy that was selected for the initial scan request.
After the job is resumed the existing scan result is moved from the state "failed"
to "pending" and subsequently to an "in-progress" state. The progress update
can continue from the point of failure. For a complete rescan the new scan
result is displayed. If the user needs to perform a complete scan, then it can
be started using the on-demand scan options.
To delete the scan results
1 On the left, click Detection and reporting > Malware detection.
2 Any scan results that are in a "failed" or "canceled" state can be deleted
manually. Click Actions > Delete scan results.
3 Click Yes to confirm the deletion of the selected scan results.
You can select a maximum of 20 scan results to delete.
To view the details of a scan result
1 On the left, click Detection and reporting > Malware detection.
2 Click Actions > View details to view details for the backup images with
individual batch level.

Note: The View details option is available only for the scan results that are in
"failed" or "in progress" state.

3 On the View details page, you can copy information to the Clipboard. Click
Actions > Copy failure details or Actions > Copy the scan results.
4 Click Close.

Recover from malware-affected images (clients

protected by protection plan)
To restore from malware-affected recovery points, you must have the Administrator
role or equivalent RBAC permissions. To recover a specific recovery point that is
affected by malware, see the following topic:
See “Recover from malware-affected images (clients protected by policies) ”
on page 659.
 Managing scan tasks 659
Recover from malware-affected images (clients protected by policies)

To recover from malware-affected images for clients protected by protection

plan
1 On left pane select the supported Workload.
2 Locate the protected resource and click Actions > Recover.
3 On the Recovery points tab you can see Malware scan status of each
recovery point, as follows:
■ Not scanned
■ Not infected
■ Infected

4 Select the recovery point.

5 Select Allow the selection of recovery points that are malware-affected.
This option only displays if there are recovery points that contain
malware-affected images.

Note: To restore from malware-affected recovery points, you must have the
Administrator role or equivalent RBAC permissions.

6 Click Recover and select the type of recovery. Then follow the prompts.
For more details on recovering a VM, see the NetBackup for VMware
Administrator’s Guide.

Recover from malware-affected images (clients

protected by policies)
To restore from malware-affected images, you must have the Administrator role or
equivalent RBAC permissions. To recover a VMware asset that is affected by
malware, see the following topic.
See “Recover from malware-affected images (clients protected by protection plan)”
on page 658.
To recover from malware-affected images (clients protected by policies)
1 On the left, click Recovery.
2 Under Regular recovery, click Start recovery.
 Managing scan tasks 660
Recover from malware-affected images (clients protected by policies)

3 Select the following properties:

Source client The client that performed the backup.

Destination client The client to which you want to restore the backup.

Policy type The type of policy that is associated with the backup you want to
restore.

Restore type The type of restore that you want to perform. The restore types that
are available depend on the policy type that you choose.

4 Click Next.
5 Select the Start date and End date.
Or, click Backup history to view and select specific images. Click Select to
add the selected images for recovery.

Note: The table displays all the backup image details for selected time frame.
You can filter and sort the images based on the malware scan results, schedule
type, policy type or policy name.

6 To include any malware-infected images in the recovery, select Allow the

selection of images that are malware-affected.

Note: The Allow the selection of images that are malware-affected option
will be disabled if user selects Scan for malware before recovery option.
See “Performing malware scan before recovery” on page 644.

7 On the left, expand the Source client directory. Select any directories that you
want to restore. Or in the right pane, select any files or directories. Click Next.
8 Select the recovery target.
9 To restore any files that are malware-infected, click Allow recovery of files
infected by malware. Otherwise, NetBackup only restores the files that are
scanned and free from malware.
10 Select any other recovery options that you want. Then click Next.
11 Review the recovery settings and then click Start recovery.
 Managing scan tasks 661
Clean file recovery for virtual workload (VMware)

Clean file recovery for virtual workload (VMware)

To restore from malware-affected images, you must have the Administrator role or
equivalent RBAC permissions.
To recover a VMware asset that is affected by malware, refer to the following
procedure:
VMware single file restore from recovery point (with agent and agentless)
1 On left pane select Workload > VMware.
2 Search and click on the virtual machine to be recovered.
3 On the Recovery points tab, select the date for recovery point.
4 Select Allow the selection of recovery points that are malware-affected.
This option only displays if there are recovery points that contain
malware-affected images.

Note: To restore from malware-affected recovery points, you must have the
Administrator role or equivalent RBAC permissions.

5 Click Recover and select the type of recovery as Restore files and folders.
Then follow the prompts.

Note: NetBackup now provides support for VMware single file restore clean
recovery by selecting the Allow recovery of files infected by malware option
in the Recovery options. This option overrides the default behavior.

For more details on recovering a VM, see the NetBackup for VMware
Administrator’s Guide.
To recover a specific recovery point that is affected by malware, refer to the following
procedure:
Single file restore using recovery flow (with agent)
1 On the left, click Recovery.
2 Under Regular recovery, click Start recovery.
 Managing scan tasks 662
Clean file recovery for virtual workload (VMware)

3 Select the following properties:

Policy type The type of policy that is associated with the backup you want to
restore.

Select the policy type as VMware.

Source client The client that performed the backup. Under the Virtual machines
search tab, select the virtual machine and click Apply.

Destination client The client to which you want to restore the backup.

Restore type The type of restore that you want to perform. The restore types that
are available depend on the policy type that you choose.
Note: Clean recovery is supported only for normal backups.

4 Click Next.
5 Edit the Date range.
Or, click Use backup history to view and select specific images. Click Apply
to add the selected images for recovery.

Note: The table displays all the backup image details for selected time frame.
You can filter and sort the images based on the malware scan results, schedule
type, policy type or policy name.

6 To include any malware-infected images in the recovery, select Allow the

selection of images that are malware-affected.
7 On the left, expand the Source client directory. Select any directories that you
want to restore. Or in the right pane, select any files or directories. Click Next.
8 Select the recovery target.
9 To restore any files that are malware-infected, click Allow recovery of files
infected by malware. Otherwise, NetBackup only restores the files that are
scanned and free from malware.
10 Select any other recovery options that you want. Then click Next.
11 Review the recovery settings and then click Start recovery.
 Chapter 39
Malware scan
configuration parameters
This chapter includes the following topics:

■ MALWARE_SCAN_OPERATION_TIMEOUT

■ MALWARE_DETECTION_CLEANUP_PERIOD

■ MALWARE_DETECTION_TIMEOUT_PERIOD option for NetBackup servers

■ FAIL_SAFE_SCAN_RETRY_COUNT

MALWARE_SCAN_OPERATION_TIMEOUT
The MALWARE_SCAN_OPERATION_TIMEOUT parameter is used to configure
the duration of the scan operation that is allowed to run before timeout happens.
Scan operation for backup image can take a long time based upon the factors like
backup size, number of files in the backup. By default, scan operation times out
after 2 days. User can set the timeout value from 1 hour to 30 days.

Table 39-1 MALWARE_SCAN_OPERATION_TIMEOUT option information

Usage Description

Where to use On NetBackup media servers.

 Malware scan configuration parameters 664
MALWARE_DETECTION_CLEANUP_PERIOD

Table 39-1 MALWARE_SCAN_OPERATION_TIMEOUT option information

(continued)

Usage Description

How to use Use nbgetconfig or nbsetconfig commands to view, add,

or change the value of the timeout.

For information about these commands, see the NetBackup

Commands Reference Guide.

Set the configuration key on the MSDP media server where

ScanManager (nbcs) is started. For multiple MSDP media
servers, set the configuration key on each server.

Use the following format:

MALWARE_SCAN_OPERATION_TIMEOUT = 120

By default scan operation timeout value is 2880 minutes (2 days).

The minimum supported value is 60 minutes (1 hour) and the
maximum supported value is 43200 minutes (30 days).

Equivalent NetBackup No equivalent exists in the host properties.

web UI property

MALWARE_DETECTION_CLEANUP_PERIOD
Malware detection performs automated cleanup of scan jobs which are older than
30 days in batches and displays the following state:
■ Clean
■ Failed
■ Cancel
Cleanup runs every 24 hours after NetBackup has started.

Table 39-2 Malware detection clean up option information

Usage Description

Where to use User can modify the configuration parameters in bp.conf file on the primary
server.
 Malware scan configuration parameters 665
MALWARE_DETECTION_TIMEOUT_PERIOD option for NetBackup servers

Table 39-2 Malware detection clean up option information (continued)

Usage Description

How to use Set the following parameters in bp.conf file:

■ To change the cleanup period in days:

MALWARE_DETECTION_CLEANUP_PERIOD = 45
Note: Value should be in number of days only. Although any Integer
value greater then 0 is accepted. NetBackup recommends not to set
more than 6 month i.e. 180 (days). If you sets invalid value, then default
value of 30 days is used.
■ To switch off the cleanup period:
MALWARE_DETECTION_CLEANUP_PERIOD = 0
■ To change the scan job batch size:
MALWARE_DETECTION_CLEANUP_BATCH_SIZE = 600 (setting
batch size 600)
Note: You can set any value between 1 to 5000 for batch size. If you
set invalid value then default value of 500 is used.

MALWARE_DETECTION_TIMEOUT_PERIOD
option for NetBackup servers
The MALWARE_DETECTION_TIMEOUT_PERIOD parameter is used to configure
the duration of the scan operation that is allowed to run before timeout happens.
Scan operation for backup image can take a long time based upon the factors like
backup size, number of files in the backup. By default, scan operation times out
after 2 days. User can set the timeout value in hours.

Table 39-3 MALWARE_DETECTION_TIMEOUT_PERIOD option information

Usage Description

Where to Use On NetBackup primary servers.

How to use Use nbgetconfig or nbsetconfig commands to view, add,

or change the value of the timeout.

For information about these commands, see the NetBackup

Commands Reference Guide.

Use the following format:

MALWARE_DETECTION_TIMEOUT_PERIOD = 72
 Malware scan configuration parameters 666
FAIL_SAFE_SCAN_RETRY_COUNT

Table 39-3 MALWARE_DETECTION_TIMEOUT_PERIOD option information

(continued)

Usage Description

Equivalent NetBackup No equivalent exists in the host properties.

web UI property

FAIL_SAFE_SCAN_RETRY_COUNT
The FAIL_SAFE_SCAN_RETRY_COUNT parameter is used by the primary server
to attempt the scan job on different scan host from the same scan host pool. The
scan job is attempted depending on the value specified in the
FAIL_SAFE_SCAN_RETRY_COUNT parameter when the scan job fails due to an
issue related to scan host environment.
Following are the permissible values for FAIL_SAFE_SCAN_RETRY_COUNT
parameter:

Value Description

0 Disabled

1 Default retry count

3 Maximum retry count value

 Chapter 40
Troubleshooting
This chapter includes the following topics:

■ Troubleshooting issues with malware scanning

Troubleshooting issues with malware scanning

Failed to get response from NetBackup malware utility
(Applicable on scan host RHEL 8.x and NFS version 4.x) When scanning large size
backup (~ 200 million files), following error is displayed on the Web UI for failed
job:

Failed to get response from NetBackup malware utility.

While scan is in progress on scan host, NFS mount points are not accessible from
scan host. Scan job remains in progress and timeout after two days. NFS exports
on storage server are accessible.
Workaround: Ensure that you use NFS version 3 for mounting IA mounts on scan
host over NFS by setting the following configuration in /etc/nfsmount.conf file
on scan host:
# grep Defaultvers /etc/nfsmount.conf Defaultvers=3

Failed to connect to the scan host

SSH connection to scan host from media server failed.
Workaround: Verify the following scan host credentials:
■ RSA (SHA256) key
■ User name
■ Password
 Troubleshooting 668
Troubleshooting issues with malware scanning

Refer to NetBackup Web UI Administrator’s Guide for the scan host configuration.

Failed to determine the scan host OS

Error can be due to unsupported scan host.
Workaround: For a complete list of supported platforms for the scan host, refer to
the Software Compatibility list document.

Failed to copy NetBackup malware utility to the scan host

■ Not enough space is available on the scan host.
■ SSH user does not have access to the required directories on the scan host.
Workaround
■ On a Windows scan host, check for space availability in C:\ folder.
■ On a Linux scan host, check for space availability in /tmp folder.

Failed to get the scan host credentials

Media server is not able to fetch the credentials to access scan host from the
Primary.
Workaround: Check that credentials for scan host are specified.

Time-out has occurred during the scan

Default scan operation time out is two days. Time to scan may vary depending on
the factors sch as workload type, network bandwidth, backup size.
Workaround: Scan time-out is configurable and can be changed by setting the
MALWARE_SCAN_OPERATION_TIMEOUT configuration key.
■ Minimum value: 1 hour
■ Maximum value: 30 days

Failed to get response from NetBackup malware utility

Mismatch between nbmalwareutil binary and the ScanManager
Workaround:
Contact NetBackup support.

Failed to launch the scanner

Malware scanner-specific failure message.
Workaround: Refer to nbmalwarescanner logs on the media server.
 Troubleshooting 669
Troubleshooting issues with malware scanning

Failed to mount the backup image

IA share is not accessible from the scan host.
Workaround: Check IA configuration on storage server. Verify on activity monitor
that IA job is successful.

Failed to unmount the backup image

IA share is busy or not accessible.
Workaround: Refer to nbmalwarescanner logs on the media server.

Failed to run a scan

Generic failure during the scan of a backup image.
Workaround: Refer to nbmalwarescanner logs on the media server.

Instant access mount created but not deleted by malware

scan
Generic failure during the scan of a backup image.
Workaround:
■ Verify if any scan is in progress.
■ If no scan is in progress, then obtain the list of such instant access mounts with
ID's of the instant access mount created using the GET IA API from the following
directory:
/netbackup/recovery/workloads/{workload}/instant-access-mounts

■ Using the DELETE API, delete the instant access mount:

/netbackup/recovery/workloads/{workload}/instant-access-mounts/{mounId}

All mount drives are exhausted

Only five backup images can be mounted at the same time on windows scan host.
Workaround:
■ Ensure that scan host is not part of multiple NetBackup domains.
■ Check if there are any Stale mounts on the scan host by running net use.
■ Following drive letters are used for mounting the IA shares on the windows scan
host. Ensure that they are not in use. L:\ M:\ N:\ O:\ P:\

Either the Windows Defender is not installed or the

environment variable is not set
Microsoft Windows Defender is not installed on the scan host or not configured
properly.
 Troubleshooting 670
Troubleshooting issues with malware scanning

Workaround: Ensure that Microsoft Windows Defender is installed on scan host.

Refer NetBackup Web UI Administrator’s Guide for the scan host configuration.

Either Symantec protection engine is not installed or the

environment variable is not set
Symantec Protection Engine is not installed on the scan host or not configured
properly.
Workaround: Ensure that Symantec Protection Engine is installed on scan host.
Refer NetBackup Web UI Administrator’s Guide for the scan host configuration.

Failed to perform malware scan of the backup image

Generic error for Scan failure.
Workaround: Contact NetBackup support.

Net bios name can be at most 15 chars long

Storage server host name cannot be more than 15 characters for the SMB share
support.
If Windows Server 2016 is used to set up Active Directory domain, then it does not
allow a connection to a storage server with host name of length more than 15
characters.
Workaround: Ensure that the character limit is not more than 15 characters.

Failed to run a scan

Generic failure during scanning backup image.
Workaround: Check for the following errors:
■ Refer to nbmalwarescanner logs on the media server.
■ Check for space on media server storage.
■ Check for NFS service failure on media server.

Too many infected files in the selected time range

Review the nbmalwarescanner to view the infected files list for the backup images
in the selected date range.
Workaround: Update the date range or recovery files and folders selection to
reduce the number of infected files. Retry the operation. You can also perform one
of the following:
■ Select the Allow recovery of files impacted by malware option which can be
used to recover selective clean files.
 Troubleshooting 671
Troubleshooting issues with malware scanning

■ Skip that backup image from recovery.

Large number of infected files

■ There are too many infected files in the selected scan result. If the scan result
has infected files greater than 5000, the following message is displayed:
Large number of infected files. To view the complete list of
infected files, export the list.
Workaround: Export the infected file list in .csv format and download it to view
it.
■ There are many infected files in the selected scan result or the infected file paths
are long to be captured in the database. Following error message is displayed:
Large number of infected files.
Workaround: This result cannot be exported or viewed.
: As the results cannot be exported or viewed, review the scan logs to view a
detailed list of the infected files for the selected scan result.

Scan operation is divided into parts

For large size backup, scan operation is divided into parts. For example, if total
number of files in the backup are 1,000,000, the scan operation will be divided into
two parts of 500,000 files each.
Each part would be created and scanned separately. Each part can be assigned
with different scan host. The Malware detection UI displays only single entry for
backup.
Workaround: Each divided part details can be obtained by using the REST API.

The NB_MALWARE_SCANNER_PATH environment

variable is missing
When performing a malware scan operation with the NetBackup Malware Scanner
installed on the scan host, it fails with the following error message:
Missing environment variable NB_MALWARE_SCANNER_PATH

Workaround: Ensure that NetBackup Malware Scanner is installed. Note the install
location.
Login on the scan host as user using the same user credentials that were provided
during scan host configuration on the primary server. Add the following lines to
~/.bashrc:

export
NB_MALWARE_SCANNER_PATH=<installLocation>/savapi-sdk-linux64/bin

export PATH=$PATH:$NB_MALWARE_SCANNER_PATH
 Troubleshooting 672
Troubleshooting issues with malware scanning

Failed to perform malware scan on Windows scan host

Malware scanning on Windows scan host may fail if there are cygwin mks toolkit
installed.
Workaround: UNIX utilities are installed, however, defined scanuser cannot have
those UNIX utilities in the PATH variable.

Issues related to space and directory access on the scan

host
Error/Issue Description Workaround

■ Failed to open the file. ■ Not enough space is ■ On a Windows scan host,
■ Unable to create a available on the scan check space availability in
directory. host. C:\
■ Failed to generate the ■ SSH user does not have ■ On a Linux scan host
result file. access to the required check space availability in
■ Failed to open the output directories on the scan /tmp
file. host.
■ Unable to create directory
for result file.
■ Failed to open the result
file.
■ Unable to create mount
destination directory.
■ Unable to create directory
for a log file.

Issue related to NAS-Data-Protection

When upgrading NetBackup from previous version to NetBackup version 10.2.1 or
later with the following options selected, the No images match the search
criteria message is displayed:

Options Fields

Search by: Backup images Policy type: NAS-Data-Protection

Copies: Copy2

Malware scan status: Not scanned (Default)

Search by: Assets by policy type Policy type: NAS-Data-Protection

Copies: Copy2

Scanner host pool: Select the required scanner host pool.

Malware scan status: Not scanned (Default)

 Troubleshooting 673
Troubleshooting issues with malware scanning

Workaround
To view the images that are backed up, ensure that you select the Malware scan
status option as All to scan the NAS-Data-Protection backup images created on
earlier version of NetBackup media server.

Issues in scan performance

When using Instant Access mount points for malware scan (traditional malware
scan) in NetBackup versions prior to 10.3, performance issues were observed.
Workaround: Upgrade to NetBackup media and storage server 10.3 or later.
NetBackup 10.3 introduces the dynamic scan feature. This improves the instant
access time as well as the scan performance.
The following table provides the differences between the traditional malware scan
and dynamic scan:

Key scanning procedure Traditional malware Dynamic scan

scan using Instant
Access mount points

Instant access stage.
Analyzes the tar stream and
builds each file's header and
extent map file (LMDB
database), which is time
consuming for large number
of files in the backup.
Restores TIR (catalog
database) and IM (image
metadata) information from
fragment.

Instant access share Accesses it's header file and Query's the directory from
(NFS/SMB) is mounted and reads the attribute from it. catalog database to get all the
user tries to list or access the files and directories which are
file. under this directory. It can
also query each files and
directories attribute to the
output.
 Troubleshooting 674
Troubleshooting issues with malware scanning

Key scanning procedure Traditional malware Dynamic scan

scan using Instant
Access mount points

Scan host opens a file Opens and loads the LMDB Builds the index in memory
database. and reads directly from data
container.

■ To get file's extent by

locating and reading the
tar header and analyze
the content.
■ To get SO list (PureDisk
only) by searching the SO
list from fragment FP map
■ To build mapping table by
inserting the SO list
(PureDisk only)

Scan host reads a file
Searches from LMDB If storage server is 3rd party
database and reads from data storage vendor, it reads data
container. through OST interface
directly. If storage server is
PureDisk, it searches from
mapping table and reads data
from data container.

Details of log file location for errors

The following table provides the details for the respective log files to be viewed
depending on the use case:

Table 40-1 Log file locations

Use case Components on Components Log file path

primary server on media
server

Configurations nbwebservice ncfnbcs For primary server:

Scan process nbwebservice ncfnbcs ■ /usr/openv/logs/nbwebservice

■ /usr/openv/netbackup/logs/
bprd nbmalwarescanner
bprd/
Recovery nbwebservice For media server:
bprd ■ /usr/openv/logs/ncfnbcs
■ /usr/openv/netbackup/
logs/nbmalwarescanner/