NetBackup™ Upgrade Guide

How to plan for an upgrade to NetBackup 10.4

Several factors must be considered when you prepare for an upgrade to NetBackup 10.4.

For Linux environments, the new NetBackup database must have a non-root user for operations. You are prompted for the non-root user if the root user starts the NetBackup daemons. The username must meet the criteria shown:

If the NetBackup daemons already start with a non-root user this same account is used to run the NetBackup database.

The new database has a connection pooler service that by default uses port 13787. Confirm that this port is available for database operation before upgrade. Failure to provide valid port numbers renders NetBackup unusable until the port issues are resolved.

If this port is not available, you can change the value with the answer file during a Linux upgrade. The Linux interactive upgrade does not have a prompt. For a Windows primary server, you can change the port value by selecting the Custom installation path during upgrade. More information about the answer file is available:

See About the NetBackup answer file.

During upgrade, additional disk space is required for the conversion. The space is necessary to create the new PostgreSQL databases as well as to store the temporary .dat files. Veritas expects the new database to be approximately the same as the old database. The temporary .dat files require space equivalent to size of the current ASA .db files.

On Linux primary servers, the database files are in the /usr/openv/db/data directory. On Windows primary servers, the database files are in the install_path\Veritas\NetBackupDB\data directory.

New to NetBackup 9.1, you can start most of the NetBackup daemons and services as a non-root user. Veritas recommends that you start the NetBackup services as a non-root user. If you decide to use a less privileged user, you must plan accordingly. Ensure that the user account has access to the paths of disaster recovery files, external certificate authority (ECA) files, and temporary files.

On UNIX and Linux, you see a new prompt during the primary server upgrade. The new prompt asks you to provide a service user, preferably a non-root user. You must create this user in advance and the user must have nbwebgrp as the secondary group.

The service user is used as the database user if it is a non-root account. In this case, you are not prompted for a separate database user.

On Windows, you can use the Local Service built-in account as the service account. This option is available in the Custom upgrade path for primary servers.

You can use the nbserviceusercmd command to change the service user on media servers and clients after the installation completes. Refer to the NetBackup Commands Reference Guide for more information about the nbserviceusercmd command. For more details about the service user account, refer to https://www.veritas.com/support/en_US/article.100053035.

On Windows, if services such as the NetBackup Legacy Network Service or the NetBackup Client Service run as an administrator account other than Local System, their Log on as value isn't changed.

When a user upgrades from a pre-NetBackup 9.1 environment to a NetBackup 9.1 or later environment, changes are made to Cloud protection plans. If the pre-upgrade environment has one protection plan with multiple cloud assets from different cloud provider types, that plan is split into one protection plan per cloud provider type after upgrade. The assets are distributed among the new protection plans based on the cloud provider type. For example, if there was a WeeklyBackups protection plan that contained Amazon, Azure, and Google assets, it is split as shown:

If your environment includes computers with NetBackup Snapshot Manager, you must upgrade these computers before any other NetBackup computers. The correct upgrade order is: NetBackup Snapshot Manager computers > primary servers > media servers > clients. More information about upgrade order and NetBackup versions is available:

See About compatibility between NetBackup versions.

The NetBackup 8.1 upgrade includes a rolling conversion of the Media Server Deduplication Pool (MSDP).

By default, the rolling conversion is performed when the system is not busy. In other words, the conversion runs when backups, restores, CRQP, CRC checks, compaction, etc. are not active. This conversion is not expected to affect normal system operations. After the rolling conversion is finished, there is no difference between the converted system and a new installation. More information about the rolling conversion is available.

See MSDP upgrade considerations for NetBackup 8.1.

See About MSDP rolling data conversion.

If you plan to use role-based access control (RBAC), you must designate a security administrator. More information is available:

See About the NetBackup web user interface.

See NetBackup Web UI Administrator's Guide.

Beginning with NetBackup 8.0, the NetBackup primary server includes a configured Tomcat web server to support critical backup operations. This web server operates under user account elements with limited privileges. These user account elements must be available on each primary server (or each node of a clustered primary server). More information is available:

See NetBackup primary server web server user and group creation.

Upgrades of NetBackup 8.2 Linux clusters with NAT enabled incorrectly identify the NAT state. As a result, NAT is disabled after the upgrade to 10.4. After you complete the NetBackup 10.4 upgrade, you must turn NAT on again. More information is included in the post-upgrade procedure.

See Post-install procedure for upgrading to NetBackup 10.4.

Veritas does not support the installation or upgrade of the NetBackup database on a btrfs file system. If the NetBackup database resides on a btrfs file system, move the database to a supported file system (such as ext4 or xfs) before you start the upgrade. The database files reside on the primary server in the directories under /usr/openv/db. More information about moving the database before an upgrade is available. See Preinstall procedure for upgrading to NetBackup 10.4.

This information is applicable to NetBackup upgrades of 8.2 and earlier environments.

NetBackup uses security certificates to authenticate NetBackup hosts for secure communication. The security certificates conform to the X.509 Public Key Infrastructure (PKI) standard. A NetBackup primary server acts as the certificate authority (CA) and issues digital certificates to hosts. NetBackup supports the following certificate key sizes: 2048 bits, 3072 bits, 4096 bits, and 8192 bits.

With a NetBackup 9.1 upgrade, new root CA with 2048 bit key strength is deployed. To use a certificate key size larger than 2048 bits, set the NB_KEYSIZE environment variable on the primary server before you start the installation.

For example:

NB_KEYSIZE = 4096

The NB_KEYSIZE can only have the following values: 2048, 3072, 4096, and 8192.

For more information about CA migration and certificate key sizes, see the NetBackup Security and Encryption Guide.

Table: Overview of the upgrade process shows the overview of the upgrade procedure.