Search <book_title>...

NetBackup™ Commands Reference Guide

Last Published: 2022-12-19

Product(s): NetBackup (10.1.1)

Introduction
Appendix A. NetBackup Commands
1. acsd
2. add_media_server_on_clients
3. backupdbtrace
4. backuptrace
5. bmrc
6. bmrconfig
7. bmrepadm
8. bmrprep
9. bmrs
10. bmrsrtadm
11. bp
12. bparchive
13. bpbackup
14. bpbackupdb
15. bpcatarc
16. bpcatlist
17. bpcatres
18. bpcatrm
19. bpcd
20. bpchangeprimary
21. bpcleanrestore
22. bpclient
23. bpclimagelist
24. bpclntcmd
25. bpclusterutil
26. bpcompatd
27. bpconfig
28. bpdbjobs
29. bpdbm
30. bpdgclone
31. bpdown
32. bpduplicate
33. bperror
34. bpexpdate
35. bpfis
36. bpflist
37. bpgetconfig
38. bpgetdebuglog
39. bpimage
40. bpimagelist
41. bpimmedia
42. bpimport
43. bpinst
44. bpkeyfile
45. bpkeyutil
46. bplabel
47. bplist
48. bpmedia
49. bpmedialist
50. bpminlicense
51. bpnbat
52. bpnbaz
53. bppficorr
54. bpplcatdrinfo
55. bpplclients
56. bppldelete
57. bpplinclude
58. bpplinfo
59. bppllist
60. bpplsched
61. bpplschedrep
62. bpplschedwin
63. bppolicynew
64. bpps
65. bprd
66. bprecover
67. bprestore
68. bpretlevel
69. bpschedule
70. bpschedulerep
71. bpsetconfig
72. bpstsinfo
73. bpstuadd
74. bpstudel
75. bpstulist
76. bpsturep
77. bptestbpcd
78. bptestnetconn
79. bptpcinfo
80. bpup
81. bpverify
82. cat_convert
83. cat_export
84. cat_import
85. configureCerts
86. configureMQ
87. configureWebServerCerts
88. create_nbdb
89. csconfig cldinstance
90. csconfig cldprovider
91. csconfig meter
92. csconfig reinitialize
93. csconfig throttle
94. duplicatetrace
95. importtrace
96. jbpSA
97. jnbSA
98. ltid
99. mklogdir
100. msdpcldutil
101. nbauditreport
102. nbcallhomeproxyconfig
103. nbcatsync
104. NBCC
105. NBCCR
106. nbcertcmd
107. nbcertupdater
108. nbcldutil
109. nbcloudrestore
110. nbcomponentupdate
111. nbcplogs
112. nbcredkeyutil
113. nbdb_admin
114. nbdb_backup
115. nbdb_move
116. nbdb_ping
117. nbdb_restore
118. nbdb_unload
119. nbdb2adutl
120. nbdbms_start_server
121. nbdbms_start_stop
122. nbdc
123. nbdecommission
124. nbdelete
125. nbdeployutil
126. nbdevconfig
127. nbdevquery
128. nbdiscover
129. nbdna
130. nbemm
131. nbemmcmd
132. nbfindfile
133. nbfirescan
134. nbfp
135. nbftadm
136. nbftconfig
137. nbgetconfig
138. nbhba
139. nbholdutil
140. nbhostidentity
141. nbhostmgmt
142. nbhypervtool
143. nbidpcmd
144. nbimageshare
145. nbinstallcmd
146. nbjm
147. nbkmiputil
148. nbkmscmd
149. nbkmsutil
150. nboraadm
151. nborair
152. nbpem
153. nbpemreq
154. nbmlb
155. nbperfchk
156. nbplupgrade
157. nbrb
158. nbrbutil
159. nbreplicate
160. nbrepo
161. nbrestorevm
162. nbseccmd
163. nbserviceusercmd
164. nbsetconfig
165. nbsmartdiag
166. nbsnapimport
167. nbsnapreplicate
168. nbsqladm
169. nbstl
170. nbstlutil
171. nbstop
172. nbsu
173. nbsvrgrp
174. netbackup_deployment_insights
175. resilient_clients
176. restoretrace
177. stopltid
178. tldd
179. tldcd
180. tpautoconf
181. tpclean
182. tpconfig
183. tpext
184. tpreq
185. tpunmount
186. verifytrace
187. vltadm
188. vltcontainers
189. vlteject
190. vltinject
191. vltoffsitemedia
192. vltopmenu
193. vltrun
194. vmadd
195. vmchange
196. vmcheckxxx
197. vmd
198. vmdelete
199. vmoprcmd
200. vmphyinv
201. vmpool
202. vmquery
203. vmrule
204. vmupdate
205. vnetd
206. vssat
207. vwcp_manage
208. vxlogcfg
209. vxlogmgr
210. vxlogview
211. W2KOption

Name

nbkmscmd — configures the key management service (KMS) in NetBackup.

SYNOPSIS

nbkmscmd -configureCredential -credName credential_name -certPath certificate_file_path -privateKeyPath private_key_file_path -trustStorePath CA_certificate_file_path [-passphrasePath private_key_passphrase_file_path] [-crlCheckLevel LEAF | CHAIN | DISABLE] [-server master_server_name] [-description description] [-force]

To configure NetBackup KMS (NBKMS):

nbkmscmd -configureKMS -name configuration_name -type NBKMS -hmkId host_master_key_ID_to_identify_HMK_passphrase -kpkId key_protection_key_ID_to_identify_KPK_passphrase [-useRandomPassphrase 0 | 1] [-enabledForBackup 0 | 1] [-priority priority_of_KMS_server] [-server master_server_name] [-description description]

To configure external KMS:

nbkmscmd -configureKMS -name configuration_name -type KMIP -port port_to_connect_to_external_KMS_server -kmsServerName network_name_of_external_KMS_server -credId credential_ID | -credName credential_name [-enabledForBackup 0 | 1] [-priority priority_of_KMS_server] [-server master_server_name] [-description description]

nbkmscmd -createKey -name configuration_name -keyName name_of_the_key_to _be_created -keyGroupName key_group_name [-algorithm key_algorithm] [-comment comment_about_the_key] [-keyPassphraseFilePath file_path_of_the_key_passphrase] [-reason reason][-server master_server_name]

nbkmscmd -deleteCredential -credName credential_name | -credId credential_ID [-force] [-server master_server_name]

nbkmscmd -deleteKMSConfig -name configuration_name [-server master_server_name] [-reason reason_for_deleting] [-force]

nbkmscmd -discoverNBKMS

nbkmscmd -listCredential [-credName credential_name | -credId credential_ID] [-server master_server_name] [-jsonCompact] [-jsonRaw] [-pageLimit number_of_records_to_be_listed after_offset] [-pageOffset record_number]

nbkmscmd -listKeys -name configuration_name [-keyGroupName key_group_name] [-server master_server_name] [-jsonCompact] [-jsonRaw] [-pageLimit number_of_records_to_be_listed_after_offset] [-pageOffset record_number]

nbkmscmd -listKMSConfig [-name configuration_name] [-server master_server_name] [-jsonCompact] [-jsonRaw] [-pageLimit number_of_records_to_be_listed_after_offset] [-pageOffset record_number]

nbkmscmd -precheckKMSConfig -port port_to_connect_to_external_KMS_server -kmsServerName network_name_of_external_KMS_server -certPath certificate_file_path -privateKeyPath private_key_file_path -trustStorePath CA_certificate_file_path [-passphrasePath private_key_passphrase_file_path] [-crlCheckLevel LEAF | CHAIN | DISABLE] [-credId credential_ID | -credName credential_name] [-server master_server_name] [-jsonRaw]

nbkmscmd -updateCredential -credId credential_ID | -credName credential_name -certPath certificate_file_path -privateKeyPath private_key_file_path -trustStorePath CA_certificate_file_path [-passphrasePath private_key_passphrase_file_path] [-crlCheckLevel LEAF | CHAIN | DISABLE] [-server master_server_name] [-description description] [-force]

To update NetBackup KMS (NBKMS) configuration:

nbkmscmd -updateKMSConfig -name configuration_name [-server master_server_name] [-priority priority_of_KMS_server] [-enabledForBackup 0 | 1] [-description description]

To update external KMS configuration:

nbkmscmd -updateKMSConfig -name configuration_name [-server master_server_name] [-priority priority_of_KMS_server] [-port port_to_connect_to_external_KMS_server] [-kmsServerName network_name_of_external_KMS_server] [-credId credential_ID | -credName credential_name] [-enabledForBackup 0 | 1] [-description description]

nbkmscmd -validateKMSConfig -name configuration_name [-server master_server_name] [-jsonRaw]

On UNIX systems, the directory path to this command is /usr/openv/netbackup/bin/

On Windows systems, the directory path to this command is install_path\NetBackup\bin\

DESCRIPTION

The nbkmscmd command is used to configure KMS. You can also create KMS credentials and keys. All of these commands require NetBackup administrator privileges to run. Additionally, these operations require a bpnbat web log-on (bpnbat -login -loginType WEB) using an account that has NetBackup administrator privileges.

The nbkmscmd supports the following operations:

-configureCredential	Adds the KMS configuration credential in the NetBackup database. The credential ID and its credential name are added in the database. These credentials are used to connect to external KMS.
-configureKMS	Adds an entry for the KMS configuration in the NetBackup database.
-createKey	Creates an active NetBackup key in the KMS server that is associated with the provided configuration name. To create key, KMS server should allow NetBackup to create key and to set NetBackup attributes on that key. For NetBackup KMS (NBKMS), If the specified key-group name does not exist then the key-group is created with specified algorithm.
-deleteCredential	Deletes the specified KMS configuration credential from the NetBackup database.
-deleteKMSConfig	Deletes the KMS configuration entry from the NetBackup database.
-discoverNBKMS	Discovers whether the NetBackup KMS (NBKMS) is configured and running and adds it to NetBackup database.
-listCredential	Lists the details of the specified KMS configuration credential in JSON format. If the credential name or ID is not specified, credential details for all KMS configurations are listed.
-listKeys	Lists the NetBackup keys from the specified KMS configuration in JSON format.
-listKMSConfig	Lists the details of the specified KMS configuration in JSON format. If the configuration name is not provided, this operation lists the configuration details of all KMS.
-precheckKMSConfig	Performs a dry run of KMS configuration operations to validate the required connections and setup.
-updateCredential	Updates the specified KMS configuration credential.
-updateKMSConfig	Updates the specified KMS configuration in the NetBackup database.
-validateKMSConfig	Validates the functionality with the specified KMS configuration and ensures that backup and restore functionality works.

OPTIONS

-algorithm algorithm

Specifies the encryption algorithm for the key created.

-certPath certificate_file_path

Specifies the path of the certificate that is used to connect to the remote server.

-comment comment

Specifies a comment about the key.

-credId credential_ID

Specifies the credential ID of the KMS configuration.

-credName credential_name

Specifies the credential name of the KMS configuration.

-crlCheckLevel LEAF | CHAIN | DISABLE

Specifies the revocation check level for certificates of the external KMS server. The default value is LEAF.

Accepted values for CRL check level are:

DISABLE: Revocation check is disabled. The revocation status of the certificate is not validated against the CRL during host communication.

LEAF: The revocation status of the leaf certificate is validated against the CRL.

CHAIN: The revocation status of all the certificates from the certificate chain are validated against the CRL.

-description description

Used to provide further information about the current operation.

-enabledForBackup 0 | 1

Specifies whether keys from this KMS should be used for backup or not. The default value is 1.

Provide 0 if the keys from this KMS should not be used for backup.

-force

Suppresses the confirmation prompts and performs the specified operation.

-hmkId host_master_key_ID_to_identify_HMK_passphrase

Specifies the host master key (HMK) ID to identify HMK passphrase. This option is only applicable if the KMS type is NBKMS.

-jsonCompact

Generates output data in a compacted JSON format.

-jsonRaw

Displays the JSON response of the web server.

-keyGroupName key_group_name

Specifies the name of the key group that is used to retrieve or set keys.

-keyName key_name

Specifies the name of the key.

-keyPassphraseFilePath file_path_of_the_key_passphrase

Specifies the file path that has the passphrase that is used to create the key. Not all KMS types support key passphrase.

-kmsServerName network_name_of_external_KMS_server

Specifies the network name for the KMS server. If there are multiple network names for the KMS server, separate the names with a comma (,). This option is only applicable if the KMS type is KMIP.

-kpkId key_protection_key_ID_to_identify_KPK_passphrase

Specifies the key protection key (KPK) ID to identify KPK passphrase. This option is only applicable if KMS type is NBKMS.

-name configuration_name

Specifies a unique name for the KMS configuration.

-pageLimit number_of_records_to_be_listed after_offset

Specifies the number of records to be listed after the offset. Valid values for -pageLimit are 1 to 100. The default value is 100.

-pageOffset record_number

Specifies the record number from where the records start listing. The default value is 0.

-passphrasePath private_key_passphrase_file_path

Specifies the file path of the passphrase that is used to encrypt the certificate private key.

-port port_to_connect_to_external_KMS_server

Specifies the port number to be used to connect to external KMS server. This option is only applicable if KMS type is KMIP.

-priority priority_of_KMS_server

Specifies the KMS server to be used when NetBackup checks for keys during encryption or decryption. By default, the KMS server priority is set to 0. A KMS server with the highest value gets the first priority to be used during encryption or decryption.

-privateKeyPath private_key_file_path

Specifies the file path for the certificate private key.

-reason reason

Specifies the reason to perform the current operation.

-server master_server_name

Specifies an alternate master server. By default, this command uses the first server entry in the NetBackup configuration file.

-trustStorePath CA_certificate_file_path

Specifies the file path for the CA certificate that is used to verify the remote server.

-type NBKMS | KMIP

Specifies the KMS type. NBKMS and KMIP are the valid KMS types.

-useRandomPassphrase 0|1

Specifies whether random passphrases should be used or not. The default value is 0. Provide 1 if random passphrases should be used for KMS configuration.

EXAMPLES

Example 1: Configure credential for External KMS

nbkmscmd -configureCredential -credName ExtKMS_Credential 
-certPath /EKMS_creds/cert_chain.pem -privateKeyPath 
/EKMS_creds/key.pem -trustStorePath /EKMS_creds/cacerts.pem 
-description "Configuring credential for external KMS"

Example 2: Configure external KMS.

nbkmscmd -configureKMS -name ExtKMS -type KMIP 
-kmsServerName extkms.veritas.com -port 5696 
-credName ExtKMS_Credential -priority 1 -description 
"Configuring external KMS with configutation name ExtKMS"