NetBackup™ Commands Reference Guide
- Introduction
- Appendix A. NetBackup Commands
- acsd
- backupdbtrace
- backuptrace
- bmrc
- bmrconfig
- bmrepadm
- bmrprep
- bmrs
- bmrsrtadm
- bp
- bparchive
- bpbackup
- bpbackupdb
- bpcatarc
- bpcatlist
- bpcatres
- bpcatrm
- bpcd
- bpchangeprimary
- bpcleanrestore
- bpclient
- bpclimagelist
- bpclntcmd
- bpclusterutil
- bpcompatd
- bpconfig
- bpdbjobs
- bpdbm
- bpdgclone
- bpdown
- bpduplicate
- bperror
- bpexpdate
- bpfis
- bpflist
- bpgetconfig
- bpgetdebuglog
- bpimage
- bpimagelist
- bpimmedia
- bpimport
- bpinst
- bpkeyfile
- bpkeyutil
- bplabel
- bplist
- bpmedia
- bpmedialist
- bpminlicense
- bpnbat
- bpnbaz
- bppficorr
- bpplcatdrinfo
- bpplclients
- bppldelete
- bpplinclude
- bpplinfo
- bppllist
- bpplsched
- bpplschedrep
- bpplschedwin
- bppolicynew
- bpps
- bprd
- bprecover
- bprestore
- bpretlevel
- bpschedule
- bpschedulerep
- bpsetconfig
- bpstsinfo
- bpstuadd
- bpstudel
- bpstulist
- bpsturep
- bptestbpcd
- bptestnetconn
- bpup
- bpverify
- cat_convert
- cat_export
- cat_import
- configureCerts
- configureMQ
- configureWebServerCerts
- create_nbdb
- csconfig cldinstance
- csconfig cldprovider
- csconfig meter
- csconfig reinitialize
- csconfig throttle
- duplicatetrace
- importtrace
- jbpSA
- jnbSA
- ltid
- mklogdir
- msdpcldutil
- nbauditreport
- nbcallhomeproxyconfig
- nbcatsync
- NBCC
- NBCCR
- nbcertcmd
- nbcertupdater
- nbcldutil
- nbcmdrun
- nbcomponentupdate
- nbcplogs
- nbcredkeyutil
- nbdb_admin
- nbdb_backup
- nbdb_move
- nbdb_ping
- nbdb_restore
- nbdb_unload
- nbdb2adutl
- nbdbms_start_server
- nbdbms_start_stop
- nbdc
- nbdecommission
- nbdelete
- nbdeployutil
- nbdevconfig
- nbdevquery
- nbdiscover
- nbdna
- nbemm
- nbemmcmd
- nbepicfile
- nbfindfile
- nbfirescan
- nbfp
- nbftadm
- nbftconfig
- nbgetconfig
- nbhba
- nbholdutil
- nbhostidentity
- nbhostmgmt
- nbhypervtool
- nbidpcmd
- nbimageshare
- nbinstallcmd
- nbjm
- nbkmiputil
- nbkmscmd
- nbkmsutil
- nboraadm
- nborair
- nboracmd
- nbpem
- nbpemreq
- nbmariadb
- nbmlb
- nbperfchk
- nbplupgrade
- nbrb
- nbrbutil
- nbreplicate
- nbrepo
- nbrestorevm
- nbseccmd
- nbserviceusercmd
- nbsetconfig
- nbshvault
- nbsmartdiag
- nbsnapimport
- nbsnapreplicate
- nbsqladm
- nbsqlite
- nbstl
- nbstlutil
- nbstop
- nbsu
- nbsvrgrp
- netbackup_deployment_insights
- resilient_clients
- restoretrace
- stopltid
- tldd
- tldcd
- tpautoconf
- tpclean
- tpconfig
- tpext
- tpreq
- tpunmount
- verifytrace
- vltadm
- vltcontainers
- vlteject
- vltinject
- vltoffsitemedia
- vltopmenu
- vltrun
- vmadd
- vmchange
- vmcheckxxx
- vmd
- vmdelete
- vmoprcmd
- vmphyinv
- vmpool
- vmquery
- vmrule
- vmupdate
- vnetd
- vssat
- vwcp_manage
- vxlogcfg
- vxlogmgr
- vxlogview
- W2KOption
Name
nbkmscmd — configures the key management service (KMS) in NetBackup.
SYNOPSIS
-configureCredential -credName credential_name -certPath certificate_file_path -privateKeyPath private_key_file_path -trustStorePath CA_certificate_file_path [-passphrasePath private_key_passphrase_file_path] [-crlCheckLevel LEAF | CHAIN | DISABLE] [-server master_server_name] [-description description] [-force]
To configure NetBackup KMS (NBKMS):
-configureKMS -name configuration_name -type NBKMS -hmkId host_master_key_ID_to_identify_HMK_passphrase -kpkId key_protection_key_ID_to_identify_KPK_passphrase [-useRandomPassphrase 0 | 1] [-enabledForBackup 0 | 1] [-priority priority_of_KMS_server] [-server master_server_name] [-description description]
To configure external KMS:
-configureKMS -name configuration_name -type KMIP -port port_to_connect_to_external_KMS_server -kmsServerName network_name_of_external_KMS_server -credId credential_ID | -credName credential_name [-enabledForBackup 0 | 1] [-priority priority_of_KMS_server] [-server master_server_name] [-description description]
-createKey -name configuration_name -keyName name_of_the_key_to _be_created -keyGroupName key_group_name [-algorithm key_algorithm] [-comment comment_about_the_key] [-keyPassphraseFilePath file_path_of_the_key_passphrase] [-reason reason][-server master_server_name]
-deleteCredential -credName credential_name | -credId credential_ID [-force] [-server master_server_name]
-deleteKMSConfig -name configuration_name [-server master_server_name] [-reason reason_for_deleting] [-force]
-discoverNBKMS
-listCredential [-credName credential_name | -credId credential_ID] [-server master_server_name] [-jsonCompact] [-jsonRaw] [-pageLimit number_of_records_to_be_listed after_offset] [-pageOffset record_number]
-listKeys -name configuration_name [-keyGroupName key_group_name] [-server master_server_name] [-jsonCompact] [-jsonRaw] [-pageLimit number_of_records_to_be_listed_after_offset] [-pageOffset record_number]
-listKMSConfig [-name configuration_name] [-server master_server_name] [-jsonCompact] [-jsonRaw] [-pageLimit number_of_records_to_be_listed_after_offset] [-pageOffset record_number]
-precheckKMSConfig -port port_to_connect_to_external_KMS_server -kmsServerName network_name_of_external_KMS_server -certPath certificate_file_path -privateKeyPath private_key_file_path -trustStorePath CA_certificate_file_path [-passphrasePath private_key_passphrase_file_path] [-crlCheckLevel LEAF | CHAIN | DISABLE] [-credId credential_ID | -credName credential_name] [-server master_server_name] [-jsonRaw]
-updateCredential -credId credential_ID | -credName credential_name -certPath certificate_file_path -privateKeyPath private_key_file_path -trustStorePath CA_certificate_file_path [-passphrasePath private_key_passphrase_file_path] [-crlCheckLevel LEAF | CHAIN | DISABLE] [-server master_server_name] [-description description] [-force]
To update NetBackup KMS (NBKMS) configuration:
-updateKMSConfig -name configuration_name [-server master_server_name] [-priority priority_of_KMS_server] [-enabledForBackup 0 | 1] [-description description]
To update external KMS configuration:
-updateKMSConfig -name configuration_name [-server master_server_name] [-priority priority_of_KMS_server] [-port port_to_connect_to_external_KMS_server] [-kmsServerName network_name_of_external_KMS_server] [-credId credential_ID | -credName credential_name] [-enabledForBackup 0 | 1] [-description description]
-validateKMSConfig -name configuration_name [-server master_server_name] [-jsonRaw]
On UNIX systems, the directory path to this command is /usr/openv/netbackup/bin/
On Windows systems, the directory path to this command is install_path\NetBackup\bin\
DESCRIPTION
The nbkmscmd command is used to configure KMS. You can also create KMS credentials and keys. All of these commands require NetBackup administrator privileges to run. Additionally, these operations require a bpnbat web log-on (bpnbat -login -loginType WEB) using an account that has NetBackup administrator privileges.
The nbkmscmd supports the following operations:
|
-configureCredential |
Adds the KMS configuration credential in the NetBackup database. The credential ID and its credential name are added in the database. These credentials are used to connect to external KMS. |
|
-configureKMS |
Adds an entry for the KMS configuration in the NetBackup database. |
|
-createKey |
Creates an active NetBackup key in the KMS server that is associated with the provided configuration name. To create key, KMS server should allow NetBackup to create key and to set NetBackup attributes on that key. For NetBackup KMS (NBKMS), If the specified key-group name does not exist then the key-group is created with specified algorithm. |
|
-deleteCredential |
Deletes the specified KMS configuration credential from the NetBackup database. |
|
-deleteKMSConfig |
Deletes the KMS configuration entry from the NetBackup database. |
|
-discoverNBKMS |
Discovers whether the NetBackup KMS (NBKMS) is configured and running and adds it to NetBackup database. |
|
-listCredential |
Lists the details of the specified KMS configuration credential in JSON format. If the credential name or ID is not specified, credential details for all KMS configurations are listed. |
|
-listKeys |
Lists the NetBackup keys from the specified KMS configuration in JSON format. |
|
-listKMSConfig |
Lists the details of the specified KMS configuration in JSON format. If the configuration name is not provided, this operation lists the configuration details of all KMS. |
|
-precheckKMSConfig |
Performs a dry run of KMS configuration operations to validate the required connections and setup. |
|
-updateCredential |
Updates the specified KMS configuration credential. |
|
-updateKMSConfig |
Updates the specified KMS configuration in the NetBackup database. |
|
-validateKMSConfig |
Validates the functionality with the specified KMS configuration and ensures that backup and restore functionality works. |
OPTIONS
- -algorithm algorithm
Specifies the encryption algorithm for the key created.
- -certPath certificate_file_path
Specifies the path of the certificate that is used to connect to the remote server.
- -comment comment
Specifies a comment about the key.
- -credId credential_ID
Specifies the credential ID of the KMS configuration.
- -credName credential_name
Specifies the credential name of the KMS configuration.
- -crlCheckLevel LEAF | CHAIN | DISABLE
Specifies the revocation check level for certificates of the external KMS server. The default value is LEAF.
Accepted values for CRL check level are:
DISABLE: Revocation check is disabled. The revocation status of the certificate is not validated against the CRL during host communication.
LEAF: The revocation status of the leaf certificate is validated against the CRL.
CHAIN: The revocation status of all the certificates from the certificate chain are validated against the CRL.
- -description description
Used to provide further information about the current operation.
- -enabledForBackup 0 | 1
Specifies whether keys from this KMS should be used for backup or not. The default value is 1.
Provide 0 if the keys from this KMS should not be used for backup.
- -force
Suppresses the confirmation prompts and performs the specified operation.
- -hmkId host_master_key_ID_to_identify_HMK_passphrase
Specifies the host master key (HMK) ID to identify HMK passphrase. This option is only applicable if the KMS type is NBKMS.
- -jsonCompact
Generates output data in a compacted JSON format.
- -jsonRaw
Displays the JSON response of the web server.
- -keyGroupName key_group_name
Specifies the name of the key group that is used to retrieve or set keys.
- -keyName key_name
Specifies the name of the key.
- -keyPassphraseFilePath file_path_of_the_key_passphrase
Specifies the file path that has the passphrase that is used to create the key. Not all KMS types support key passphrase.
- -kmsServerName network_name_of_external_KMS_server
Specifies the network name for the KMS server. If there are multiple network names for the KMS server, separate the names with a comma (,). This option is only applicable if the KMS type is KMIP.
- -kpkId key_protection_key_ID_to_identify_KPK_passphrase
Specifies the key protection key (KPK) ID to identify KPK passphrase. This option is only applicable if KMS type is NBKMS.
- -name configuration_name
Specifies a unique name for the KMS configuration.
- -pageLimit number_of_records_to_be_listed after_offset
Specifies the number of records to be listed after the offset. Valid values for -pageLimit are 1 to 100. The default value is 100.
- -pageOffset record_number
Specifies the record number from where the records start listing. The default value is 0.
- -passphrasePath private_key_passphrase_file_path
Specifies the file path of the passphrase that is used to encrypt the certificate private key.
- -port port_to_connect_to_external_KMS_server
Specifies the port number to be used to connect to external KMS server. This option is only applicable if KMS type is KMIP.
- -priority priority_of_KMS_server
Specifies the KMS server to be used when NetBackup checks for keys during encryption or decryption. By default, the KMS server priority is set to 0. A KMS server with the highest value gets the first priority to be used during encryption or decryption.
- -privateKeyPath private_key_file_path
Specifies the file path for the certificate private key.
- -reason reason
Specifies the reason to perform the current operation.
- -server master_server_name
Specifies an alternate master server. By default, this command uses the first server entry in the NetBackup configuration file.
- -trustStorePath CA_certificate_file_path
Specifies the file path for the CA certificate that is used to verify the remote server.
- -type NBKMS | KMIP
Specifies the KMS type. NBKMS and KMIP are the valid KMS types.
- -useRandomPassphrase 0|1
Specifies whether random passphrases should be used or not. The default value is 0. Provide 1 if random passphrases should be used for KMS configuration.
EXAMPLES
Example 1: Configure credential for External KMS
nbkmscmd -configureCredential -credName ExtKMS_Credential -certPath /EKMS_creds/cert_chain.pem -privateKeyPath /EKMS_creds/key.pem -trustStorePath /EKMS_creds/cacerts.pem -description "Configuring credential for external KMS"
Example 2: Configure external KMS.
nbkmscmd -configureKMS -name ExtKMS -type KMIP -kmsServerName extkms.veritas.com -port 5696 -credName ExtKMS_Credential -priority 1 -description "Configuring external KMS with configutation name ExtKMS"