NetBackup™ Web UI Cloud Object Store Administrator's Guide

Product(s): NetBackup & Alta Data Protection (10.2)

Adding Cloud object store accounts

Adding a Cloud object store account is the first step in protecting a workload. You can add as many accounts as required. You can create different Cloud object store accounts to fit your business logic, for example, to group buckets from a particular cloud service provider. AWS S3 compatible accounts require separate RBAC access rights for backup and restore. You can create separate accounts for backup and restore to better organize the access rights.

Depending on the bucket or container which you want to protect, you must add at least one Cloud object store account, per cloud service provider, per region.

You may need to create multiple Cloud object store accounts, for the same cloud service provider and region, to better organize settings like SSL, proxy, and the type of credentials to be used for the set of buckets or containers.

The required permissions for backup and recovery are different. Consider whether it is helpful to create separate accounts for backup and recovery. To restore to a different Cloud object store account during recovery, you must use an option other than the original bucket option.

Note:

A Cloud object store account shares the namespace with the Cloud storage server and MSDP-C LSU name.

For Cloud object store accounts, NetBackup supports a variety of cloud providers using AWS S3 compatible APIs (for example, Amazon, Google, and Hitachi), other than Microsoft Azure. For such providers, you need to provide AWS S3 compatible account access details to add the credentials (that is, the Access key ID and Secret access key) of the provider.

To add a Cloud object store account:

  1. On the left, click Cloud object store under Workloads.
  2. In the Cloud object store account tab, click Add.
  3. Enter a name for the account in the Cloud object store name field, select a provider from the Select Cloud object store provider list, and select a backup host from the Backup host for validation list. Credential validation, backup, and recovery of the Cloud object stores are supported by NetBackup 10.1 or later on RHEL media server.
  4. Select a region from the available list of regions. Click Add above the Region table to add a new region.

    See Adding a new region. Region is not available for some Cloud object store providers.

    For GCP, which supports dual region buckets, select the base region during account creation. For example, if a dual region bucket is in the regions US-CENTRAL1 and US-WEST1, select US as the region during account creation to list the bucket.

  5. On the Access settings page, select a type of access method for the account:
    • Access credentials - In this method, NetBackup uses the Access key ID and the secret access key to access and secure the Cloud object store account. If you select this method, perform the subsequent steps 6 to 10 as required to create the account.

    • IAM role (EC2) - NetBackup retrieves the IAM role name and the credentials that are associated with the EC2 instance. The selected backup host must be hosted on the EC2 instance. Make sure that the IAM role associated with the EC2 instance has the required permissions to access the required cloud resources for Cloud object store protection. Make sure that you select the correct region as per the permissions given to the EC2 instance while configuring the Cloud object store account with this option. If you select this option, perform the optional steps 7 and 8 as required, and then perform steps 9 and 10.

    • Assume role - In this method, NetBackup uses the provided key, the secret access key, and the role ARN to retrieve temporary credentials for the same account and cross account. Perform steps 6 to 10 as required to create the account.

      See Creating cross account access in AWS.

    • Credentials broker - NetBackup retrieves the credentials to access the cloud resources required for Cloud object store protection.

  6. You can add existing credentials or create new credentials for the account:
    • To select an existing credential for the account, select the Select existing credentials option, select the required credential from the table, and click Next.

    • To add a new credential for the account, select Add new credentials. Enter a Credential name, Tag, and Description for the new credential.

      For cloud providers supported through AWS S3 compatible APIs, use AWS S3 compatible credentials. Specify the Access key ID and Secret access key.

      For the Microsoft Azure cloud provider, provide Azure Blob credentials: specify the Storage account and Access key.

    • If you use Assume role as the access method, specify the Amazon Resource Name (ARN) of the role to use for the account, in the Role ARN field.

  7. (Optional) Select Use SSL if you want to use the SSL (Secure Sockets Layer) protocol for user authentication or data transfer between NetBackup and the cloud storage provider.
    • Authentication only: Select this option if you want to use SSL only at the time of authenticating users while they access the cloud storage.

    • Authentication and data transfer: Select this option if you want to use SSL both to authenticate users and to transfer the data from NetBackup to the cloud storage.

    • Check certificate revocation (IPv6 not supported for this option): For all the cloud providers, NetBackup provides a capability to verify the SSL certificates against the CRL (Certificate Revocation List). If SSL is enabled and the CRL option is enabled, each non-self-signed SSL certificate is verified against the CRL. If the certificate is revoked, NetBackup does not connect to the cloud provider.

    Note:

    NetBackup supports only Certificate Authority (CA)-signed certificates while it communicates with cloud storage in the SSL mode. Ensure that the cloud server (public or private) has a CA-signed certificate. If it does not have a CA-signed certificate, data transfer between NetBackup and the cloud provider fails in the SSL mode.

    Note:

    The FIPS region of the Amazon GovCloud cloud provider (that is, s3-fips-us-gov-west-1.amazonaws.com) supports only the secured mode of communication. Therefore, if you disable the Use SSL option while you configure Amazon GovCloud cloud storage with the FIPS region, the configuration fails.

  8. (Optional) Select the Use proxy server option to use a proxy server and provide the proxy server settings. Once you select the Use proxy server option, you can specify the following details:
    • Proxy host - Specify the IP address or name of the proxy server.

    • Proxy Port - Specify the port number of the proxy server.

    • Proxy type - You can select one of the following proxy types:

      • HTTP

        Note:

        You need to provide the proxy credentials for HTTP proxy type.

      • SOCKS

      • SOCKS4

      • SOCKS5

      • SOCKS4A

    Select Use proxy tunneling for HTTP proxy type.

    After you enable Use proxy tunneling, HTTP CONNECT requests are sent from the backup or recovery host to the HTTP proxy server. The TCP connection is directly forwarded to the cloud back-end storage. The proxy server passes the data through without reading the headers or data from the connection.

    Select one of the following authentication types if you use the HTTP proxy type.

    • None - Authentication is not enabled. User name and password are not required.

    • Basic - User name and password are required.

    • NTLM - User name and password are required.

    User name is the user name of the proxy server.

    Password can be empty. You can use a maximum of 256 characters.

  9. Click Next.
  10. On the Review page, review the entire configuration of the account, and click Finish to save the account.

NetBackup creates the Cloud object store account only after it validates the associated credentials with the connection information provided. If you face an error, update the settings as per the error details. Also, check that the provided connection information and credentials are correct, and that the backup host that you assign for validation can connect to the cloud provider endpoints using the provided information.
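
What an HTTP proxy sees when Use proxy tunneling is enabled in step 8, as an added example that is not NetBackup code: a toy loopback proxy and a constructed stand-in for the cloud endpoint (all function names here are hypothetical) show that the proxy reads only the CONNECT request and relays everything after it as opaque bytes.

```python
import socket, threading

def _read_head(sock):  # read up to the blank line ending an HTTP header block
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(1024)
        if not chunk:
            raise ConnectionError("peer closed before end of headers")
        buf += chunk
    return buf

def _pump(src, dst):  # copy bytes one way until EOF; never parses them
    try:
        while data := src.recv(4096):
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def _proxy(listener, seen):  # toy proxy: reads the CONNECT header, then relays TCP
    client, _ = listener.accept()
    head = _read_head(client)
    seen.append(head.split(b"\r\n")[0].decode())  # all the proxy can log
    host, port = head.split()[1].decode().rsplit(":", 1)
    upstream = socket.create_connection((host, int(port)))
    client.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)
    back.join()
    client.close(); upstream.close()

def _backend(listener):  # constructed stand-in for the cloud endpoint
    conn, _ = listener.accept()
    conn.sendall(conn.recv(4096)[::-1])  # reply with the bytes reversed
    conn.close()

def tunnel_demo(payload=b"stand-in for TLS records"):  # -> (proxy log, target, reply)
    be, px = (socket.create_server(("127.0.0.1", 0)) for _ in range(2))
    seen = []
    for f, a in ((_backend, (be,)), (_proxy, (px, seen))):
        threading.Thread(target=f, args=a, daemon=True).start()
    target = "127.0.0.1:%d" % be.getsockname()[1]
    with be, px, socket.create_connection(px.getsockname()) as s:
        s.sendall(f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode())
        _read_head(s)  # the proxy's 200 response
        s.sendall(payload)
        reply = b"".join(iter(lambda: s.recv(4096), b""))
    return seen, target, reply
```

For proxy logging and egress policy, this means a tunneling proxy can restrict and record the destination host and port, but it cannot inspect the requests carried inside the tunnel.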