Veritas NetBackup™ Security and Encryption Guide
Resetting NetBackup host attributes
In certain scenarios, you may need to clean up or reset host attributes, for example, after you have downgraded the host.
In such cases, you need to reset host ID to host name mapping information, communication status and so on for successful communication.
You must reset the host attributes of the downgraded host if you want the master server to communicate with the host in an insecure mode.
Resetting host attributes resets host ID to host name mapping information, communication status and so on. It does not reset the host ID, host name, or security certificates of the host.
After you reset the host attributes, the connection status (the is secure flag) is set to the insecure state. At the time of the next host communication, the connection status is updated appropriately.
If you have inadvertently used the Reset Host Attributes option, you can undo the changes by restarting the bpcd service. Otherwise, the host attributes are automatically updated with the appropriate values after 24 hours.
See Add or Remove Host Mappings dialog box.
NetBackup 8.1 master server can communicate securely with all 8.1 hosts. However, it communicates insecurely with 8.0 and earlier hosts.
In certain scenarios, you may need to downgrade a NetBackup client from version 8.1 to 8.0 or earlier. After the downgrade, the master server cannot communicate with the client, because the communication status for the client is still set to secure mode. The communication status is not automatically updated to insecure mode after the downgrade.
Use one of the following options to reset a host:
To reset a host using the NetBackup Administration Console
- Expand Security Management > Host Management.
- On the Hosts tab, in the details pane, right-click the host that you have downgraded and which you want to reset, and click Reset Host Attributes.
Note:
To resume insecure communication with downgraded hosts, ensure that the Enable insecure communication with 8.0 and earlier hosts option on the Security Management > Global Security Settings > Secure Communication tab is selected.
To reset host attributes using the command-line interface
- Run the following command to authenticate your web services login:
bpnbat -login -loginType WEB
- Run the following command to reset the host:
nbemmcmd -resethost