Veritas NetBackup™ Security and Encryption Guide
- Read this first for secure communications in NetBackup
- About secure communication in NetBackup
- How NetBackup CA-signed certificates (or host ID-based certificates) are deployed during installation
- How secure communication works with master server cluster nodes
- About NetBackup clients installed on nodes of a clustered application
- How NetBackup certificates are deployed on hosts during upgrades
- When an authorization token is required during certificate deployment
- Why do you need to map host names (or IP addresses) to host IDs
- How to reset host attributes or host communication status
- What has changed for catalog recovery
- What has changed with Auto Image Replication
- How the hosts with revoked certificates work
- Are NetBackup certificates backed up
- Can you configure external certificates for master server
- How secure communication works with master server cluster nodes using external certificates
- How revocation lists work for external certificates
- How communication happens when a host cannot directly connect to the master server
- How NetBackup 8.1 or later hosts communicate with NetBackup 8.0 and earlier hosts
- How communication with legacy media servers happens in the case of cloud configuration
- Communication failure scenarios
- Secure communication support for other hosts in NetBackup domain
- Communication between NetBackup 8.1 or later master server and OpsCenter server
- Secure communication support for BMR
- Configuration for VMware backups that protect SQL Server and backups with SQL Servers that use multiple NICs
- Increasing NetBackup security
- About NetBackup security and encryption
- NetBackup security implementation levels
- World-level security
- Enterprise-level security
- Datacenter-level security overview
- NetBackup Access Control (NBAC)
- Combined world, enterprise, and data center levels
- NetBackup security implementation types
- Operating system security
- NetBackup security vulnerabilities
- Standard NetBackup security
- Client side encryption security
- NBAC on master, media server, and graphical user interface security
- NBAC complete security
- Security deployment models
- Workgroups
- Single datacenters
- Multi-datacenters
- Workgroup with NetBackup
- Single datacenter with standard NetBackup
- Single datacenter with client side encryption
- Single datacenter with NBAC on master and media servers
- Single datacenter with NBAC complete
- Multi-datacenter with standard NetBackup
- Multi-datacenter with client side encryption
- Multi-datacenter with NBAC on master and media servers
- Multi-datacenter with NBAC complete
- Auditing NetBackup operations
- About NetBackup auditing
- Viewing the current audit settings
- About audit events
- Audit retention period and catalog backups of audit records
- Viewing the detailed NetBackup audit report
- User identity in the audit report
- Disabling auditing
- Audit alert notification for audit failures (NetBackup Administration Console)
- Send audit events to system logs
- Section I. Identity and access management
- About identity and access management
- AD and LDAP domains
- API keys
- Auth.conf file
- Role-based access control (RBAC)
- Smart card or digital certificate
- Single Sign-On (SSO)
- Enhanced Auditing
- NetBackup Access Control Security (NBAC)
- About using NetBackup Access Control (NBAC)
- NetBackup access management administration
- About NetBackup Access Control (NBAC) configuration
- Configuring NetBackup Access Control (NBAC)
- NBAC configuration overview
- Configuring NetBackup Access Control (NBAC) on standalone master servers
- Installing the NetBackup master server highly available on a cluster
- Configuring NetBackup Access Control (NBAC) on a clustered master server
- Configuring NetBackup Access Control (NBAC) on media servers
- Installing and configuring NetBackup Access Control (NBAC) on clients
- About including authentication and authorization databases in the NetBackup hot catalog backups
- NBAC configure commands summary
- Unifying NetBackup Management infrastructures with the setuptrust command
- Using the setuptrust command
- Configuring Access Control host properties for the master and media server
- Access Control host properties dialog for the client
- Using NetBackup Access Control (NBAC) with Auto Image Replication
- Troubleshooting Access Management
- Troubleshooting NBAC issues
- Configuration and troubleshooting tips for NetBackup Authentication and Authorization
- Windows verification points
- UNIX verification points
- Verification points in a mixed environment with a UNIX master server
- Verification points in a mixed environment with a Windows master server
- About the nbac_cron utility
- Using the nbac_cron utility
- Using the Access Management utility
- About determining who can access NetBackup
- Viewing specific user permissions for NetBackup user groups
- Granting permissions
- Authorization objects
- Media authorization object permissions
- Policy authorization object permissions
- Drive authorization object permissions
- Report authorization object permissions
- NBU_Catalog authorization object permissions
- Robot authorization object permissions
- Storage unit authorization object permissions
- DiskPool authorization object permissions
- BUAndRest authorization object permissions
- Job authorization object permissions
- Service authorization object permissions
- HostProperties authorization object permissions
- License authorization object permissions
- Volume group authorization object permissions
- VolumePool authorization object permissions
- DevHost authorization object permissions
- Security authorization object permissions
- Fat server authorization object permissions
- Fat client authorization object permissions
- Vault authorization object permissions
- Server group authorization object permissions
- Key management system (kms) group authorization object permissions
- Upgrading NetBackup Access Control (NBAC)
- Section II. Encryption of data in transit
- NetBackup CA and NetBackup certificates
- Overview of security certificates in NetBackup
- About secure communication in NetBackup
- About the Security Management utilities
- About host management
- Hosts tab
- Adding host ID to host name mappings
- Add or Remove Host Mappings dialog box
- Removing host ID to host name mappings
- Mappings for Approval tab
- Viewing auto-discovered mappings
- Mapping Details dialog box
- Approving host ID to host name mappings
- Rejecting host ID to host name mappings
- Adding shared or cluster mappings
- Add Shared or Cluster Mappings dialog box
- Resetting NetBackup host attributes
- Allowing or disallowing automatic certificate reissue
- Adding or deleting comment for a host
- About global security settings
- About secure communication settings
- Disabling insecure communication
- About insecure communication with 8.0 and earlier hosts
- About communication with 8.0 or earlier host in multiple NetBackup domains
- Automatically mapping host ID to host names and IP addresses
- About disaster recovery settings
- Setting a passphrase to encrypt disaster recovery packages
- Disaster recovery packages
- About host name-based certificates
- About host ID-based certificates
- Web login requirements for nbcertcmd command options
- Using the Certificate Management utility to issue and deploy host ID-based certificates
- About NetBackup certificate deployment security levels
- Automatic host ID-based certificate deployment
- Deploying host ID-based certificates
- Deploying host ID-based certificates in an asynchronous manner
- Implication of clock skew on certificate validity
- Setting up trust with the master server (Certificate Authority)
- Forcing or overwriting certificate deployment
- Retaining host ID-based certificates when reinstalling NetBackup on non-master hosts
- Deploying certificates on a client that has no connectivity with the master server
- About host ID-based certificate expiration and renewal
- Deleting sensitive certificates and keys from media servers and clients
- Cleaning host ID-based certificate information from a host before cloning a virtual machine
- About reissuing host ID-based certificates
- About Token Management for host ID-based certificates
- About the host ID-based certificate revocation list
- About revoking host ID-based certificates
- Deleting host ID-based certificates
- Host ID-based certificate deployment in a clustered setup
- About deployment of a host ID-based certificate on a clustered NetBackup host
- Deploying host ID-based certificates on cluster nodes
- Revoking a host ID-based certificate for a clustered NetBackup setup
- Deploying a host ID-based certificate on a clustered NetBackup setup using reissue token
- Creating a reissue token for a clustered NetBackup setup
- Renewing a host ID-based certificate on a clustered NetBackup setup
- Viewing certificate details of a clustered NetBackup setup
- Removing CA certificates from a clustered NetBackup setup
- Generating a certificate on a clustered master server after disaster recovery installation
- About the communication between a NetBackup client located in a demilitarized zone and a master server through an HTTP tunnel
- Adding a NetBackup host manually
- Migrating NetBackup CA
- Setting the required key strength before installation or upgrade using the NB_KEYSIZE environment variable
- Migrating NetBackup CA when the entire NetBackup domain is upgraded to NetBackup 8.3
- Manually migrating NetBackup CA after installation or upgrade
- Establishing communication with clients that do not have new CA certificates after CA migration
- Viewing a list of NetBackup CAs in the domain
- Viewing the CA migration summary
- Decommissioning the inactive NetBackup CA
- External CA and external certificates
- About external CA support in NetBackup
- Workflow to use external certificates for NetBackup host communication
- Configuration options for external CA-signed certificates
- ECA_CERT_PATH for NetBackup servers and clients
- ECA_TRUST_STORE_PATH for NetBackup servers and clients
- ECA_PRIVATE_KEY_PATH for NetBackup servers and clients
- ECA_KEY_PASSPHRASEFILE for NetBackup servers and clients
- ECA_CRL_CHECK for NetBackup servers and clients
- ECA_CRL_PATH for NetBackup servers and clients
- ECA_CRL_PATH_SYNC_HOURS for NetBackup servers and clients
- ECA_CRL_REFRESH_HOURS for NetBackup servers and clients
- ECA_DISABLE_AUTO_ENROLLMENT for NetBackup servers and clients
- ECA_DR_BKUP_WIN_CERT_STORE for NetBackup servers and clients
- About certificate revocation lists for external CA
- About certificate enrollment
- About viewing enrollment status of master servers
- Configuring an external certificate for the NetBackup web server
- Configuring the master server to use an external CA-signed certificate
- Configuring a NetBackup host (media server, client, or cluster node) to use an external CA-signed certificate after installation
- Enrolling an external certificate for a remote host
- Viewing the certificate authorities that your NetBackup domain supports
- Viewing external CA-signed certificates in the NetBackup web UI
- Renewing a file-based external certificate
- Removing certificate enrollment
- Disabling the NetBackup CA in a NetBackup domain
- Enabling the NetBackup CA in a NetBackup domain
- Disabling an external CA in a NetBackup domain
- Changing the subject name of an enrolled external certificate
- About external certificate configuration for a clustered master server
- Regenerating keys and certificates
- About regenerating keys and certificates
- Regenerating NetBackup authentication broker keys and certificates
- Regenerating host identity keys and certificates
- Regenerating web service keys and certificates
- Regenerating nbcertservice keys and certificates
- Regenerating tomcat keys and certificates
- Regenerating JWT keys
- Regenerating NetBackup gateway certificates
- Regenerating web trust store certificates
- Regenerating VMware vCenter plug-in certificates
- Regenerating NetBackup Administrator Console session certificates
- Regenerating OpsCenter keys and certificates
- Regenerating NetBackup encryption key file
- NetBackup CA and NetBackup certificates
- Section III. Encryption of data at rest
- Data at rest encryption security
- Data at rest encryption terminology
- Data at rest encryption considerations
- Destination types for encryption of data at rest
- Encryption security questions to consider
- Comparison of encryption options
- About NetBackup client encryption
- Configuring standard encryption on clients
- Managing standard encryption configuration options
- Managing the NetBackup encryption key file
- About configuring standard encryption from the server
- Restoring an encrypted backup file to another client
- About configuring standard encryption directly on clients
- Setting standard encryption attribute in policies
- Changing the client encryption settings from the NetBackup server
- Configuring legacy encryption on clients
- About configuring legacy encryption from the client
- About configuring legacy encryption from the server
- Restoring a legacy encrypted backup created on another client
- About setting legacy encryption attribute in policies
- Changing client legacy encryption settings from the server
- Additional legacy key file security for UNIX clients
- NetBackup key management service
- About FIPS enabled KMS
- About the Key Management Service (KMS)
- Installing KMS
- Configuring KMS
- Creating the key database
- About key groups and key records
- Overview of key record states
- About backing up the KMS database files
- About recovering KMS by restoring all data files
- Recovering KMS by restoring only the KMS data file
- Recovering KMS by regenerating the data encryption key
- Problems backing up the KMS data files
- Solutions for backing up the KMS data files
- Creating a key record
- Listing keys from a key group
- Configuring NetBackup to work with KMS
- Configuring NetBackup KMS using the KMS web application
- About using KMS for encryption
- KMS database constituents
- Command line interface (CLI) commands
- CLI usage help
- Create a new key group
- Create a new key
- Modify key group attributes
- Modify key attributes
- Get details of key groups
- Get details of keys
- Delete a key group
- Delete a key
- Recover a key
- About exporting and importing keys from the KMS database
- Modify host master key (HMK)
- Get host master key (HMK) ID
- Get key protection key (KPK) ID
- Modify key protection key (KPK)
- Get keystore statistics
- Quiesce KMS database
- Unquiesce KMS database
- Key creation options
- Troubleshooting KMS
- External key management service
- About external KMS
- Certificate configuration and authorization
- Workflow for external KMS configuration
- Validating KMS credentials
- Configuring KMS credentials
- Configuring KMS
- Configuring keys in an external KMS for NetBackup consumption
- Creating keys in an external KMS
- Determining a key group name during storage configuration
- Working with multiple KMS servers
- Working with external KMS during backup and restore
- Key rotation
- Disaster recovery when catalog backup is encrypted using an external KMS server
- Alerts for expiration of KMS credentials
- Data at rest encryption security
- NetBackup web services account
- Immutability and indelibility of data in NetBackup
Troubleshooting AD or LDAP domain configuration issues
After you added an AD or LDAP domain configuration, verify the configuration using the vssat validateprpl and vssat validategroup commands. The commands validate the existing AD / LDAP user and group respectively.
A successful execution of the vssat validateprpl and the vssat validategroup commands implies that the associated AD or LDAP domain is successfully added.
For information about these commands, see the NetBackup Commands Reference Guide.
If the commands fail, the following error message is displayed:
The principal or group does not exist.
Validation of AD or LDAP domain can fail because of any of the following reasons:
Connection cannot be established with the AD or LDAP server
Invalid user credentials
Invalid user base DN or group base DN
Multiple users or groups exist with the same name under the user base DN or the group base DN
User or group does not exist
To troubleshoot the issue
- Check if the nbatd logs contain the following error:
(authldap.cpp) CAuthLDAP::validatePrpl - ldap_simple_bind_s() failed for user 'CN=Test User,OU=VTRSUsers,DC=VRTS,DC=com', error = -1, errmsg = Can't contact LDAP server,9:debugmsgs,1
- Check if any of the following scenarios is true and carry out the steps provided for that scenario.
The LDAP server URL (-s option) that is provided with the vssat addldapdomain may be wrong
Run the following command to validate:
ldapsearch -H <LDAP_URI> -D "<admin_user_DN>" -w <passwd> -d <debug_level> -o nettimeout=<seconds>
Example:
ldapsearch -H ldaps://example.veritas.com:389 -D "CN=Test User,OU=VRTSUsers,DC=VRTS,DC=com" -w ******** -d 5 -o nettimeout=60
TLS: can't connect: TLS error -8179:Peer's Certificate issuer is not recognized. ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
The server certificate issuer is not a trusted CA
This is applicable if the ldaps option is used and can be validated using the ldapsearch command:
set env var LDAPTLS_CACERT to cacert.pem
ldapsearch -H <LDAPS_URI> -D "<admin_user_DN>" -w <passwd> -d <debug_level> -o nettimeout=<seconds>
File path for
cacert.pem:On Windows:
<Install_path>\NetBackup\var\global\vxss\eab\data\systemprofile\certstore\trusted\pluggins\ldap\cacert.pem
On Unix:
/usr/openv/var/global/vxss/eab/data/root/.VRTSat/profile/certstore/trusted/pluggins/ldap/cacert.pem
Example:
ldapsearch -H ldaps://example.veritas.com:389 -D "CN=Test User,OU=VRTSUsers,DC=VRTS,DC=com" -w ******** -d 5 -o nettimeout=60
TLS: can't connect: TLS error -8179:Peer's Certificate issuer is not recognized.. ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
The NetBackup Authentication Service (nbatd) does not trust the certificate authority that has signed the LDAP server's security certificate
See Certificate authorities trusted by the NetBackup Authentication Service.
Use the -f option of the vssat addldapdomain command to add the CA certificate in the Authentication Service (nbatd) trust store.
To troubleshoot the issue
- Check if the nbatd logs contain the following error:
CAuthLDAP::validatePrpl - ldap_simple_bind_s() failed for user 'CN=Test User,OU=VRTSUsers,DC=VRTS,DC=com', error = 49, errmsg = Invalid credentials,9:debugmsgs,1
- Check if the following scenario is true and carry out the steps provided for the scenario.
Invalid admin user DN or password provided while adding an LDAP domain using the vssat addldapdomain command
Run the following command to validate:
ldapsearch -H <LDAP_URI> -D "<admin_user_DN>" -w <passwd> -d <debug_level> -o nettimeout=<seconds>
Example:
ldapsearch -H ldap://example.veritas.com:389 -D "CN=Test User,OU=VRTSUsers,DC=VRTS,DC=com" -w ******** -d 5 - o nettimeout=60 ldap_bind: Invalid credentials (49)
To troubleshoot the issue
- Check if the nbatd logs contain the following error:
CAuthLDAP::validatePrpl - ldap_search_s() error = 10, errmsg = Referral,9:debugmsgs,1 CAuthLDAP::validatePrpl - ldap_search_s() error = 34, errmsg = Invalid DN syntax,9:debugmsgs,1
- You may see the errors in the logs if user base DN (the -u option) or group base DN (the -g option) values are incorrect.
Run the following command to validate:
Example:
ldapsearch -H ldap://example.veritas.com:389 -D "CN=Test User,OU=VRTSUsers,DC=VRTS,DC=com" -w ****** -b "OU=VRTSUsers,DC=VRTS,DC=con" "(&(cn=test user)(objectClass=user))"
ldapsearch -H ldap://example.veritas.com:389 -D "CN=Test User,OU=VRTSUsers,DC=VRTS,DC=com" -w ****** -b "VRTS" "(&(cn=test user)(objectClass=user))"
To troubleshoot the issue
- Check if the nbatd logs contain the following error:
CAuthLDAP::validateGroup - search returned '2' entries for group name 'team_noone', even with referrals set to OFF,9:debugmsgs,1
- This is applicable if user search attribute (-a option) and group search attribute (-y option) do not have unique values for the existing user base DN and group base DN respectively.
Validate the number of matching entries for the existing base DN using the ldapsearch command.
ldapsearch -H <LDAP_URI> -D "<admin_user_DN>" -w <passwd> -d <debug_level> -o nettimeout=<seconds> -b <BASE_DN> <search_filter>
Example:
ldapsearch -H ldap://example.veritas.com:389 -D "CN=Test User,OU=VRTSUsers,DC=VRTS,DC=com" -w ****** -b "DC=VRTS,DC=com" "(&(cn=test user)(objectClass=user))" # LDAPv3 # base <DC=VRTS,DC=com> with scope subtree # filter: (cn=Test User) # requesting: ALL # Test User, VRTSUsers, VRTS.com dn: CN=Test User,OU=VRTSUsers,DC=VRTS,DC=com # Test User, RsvUsers, VRTS.com dn: CN=Test User,OU=RsvUsers,DC=VRTS,DC=com # numEntries: 2
To troubleshoot the issue
- Check if the nbatd logs contain the following error:
CAuthLDAP::validatePrpl - user 'test user' NOT found,9:debugmsgs,4 CAuthLDAP::validateGroup - group 'test group' NOT found,9:debugmsgs,4
- If a user or group exists in the LDAP domain, but the vssat validateprpl or the vssat validategroup command fails with this error, validate if the user or the group exists in the current base DNs (-u and -g options) using the following command.
ldapsearch -H <LDAP_URI> -D "<admin_user_DN>" -w <passwd> -d <debug_level> -o nettimeout=<seconds> -b <BASE_DN> <search_filter>