Please enter search query.
Search <book_title>...
Veritas NetBackup™ Security and Encryption Guide
Last Published:
2021-01-01
Product(s):
NetBackup (9.0.0.1, 9.0)
- Read this first for secure communications in NetBackup
- About secure communication in NetBackup
- How NetBackup CA-signed certificates (or host ID-based certificates) are deployed during installation
- How secure communication works with master server cluster nodes
- About NetBackup clients installed on nodes of a clustered application
- How NetBackup certificates are deployed on hosts during upgrades
- When an authorization token is required during certificate deployment
- Why do you need to map host names (or IP addresses) to host IDs
- How to reset host attributes or host communication status
- What has changed for catalog recovery
- What has changed with Auto Image Replication
- How the hosts with revoked certificates work
- Are NetBackup certificates backed up
- Can you configure external certificates for master server
- How secure communication works with master server cluster nodes using external certificates
- How revocation lists work for external certificates
- How communication happens when a host cannot directly connect to the master server
- How NetBackup 8.1 or later hosts communicate with NetBackup 8.0 and earlier hosts
- How communication with legacy media servers happens in the case of cloud configuration
- Communication failure scenarios
- Secure communication support for other hosts in NetBackup domain
- Communication between NetBackup 8.1 or later master server and OpsCenter server
- Secure communication support for BMR
- Configuration for VMware backups that protect SQL Server and backups with SQL Servers that use multiple NICs
- Increasing NetBackup security
- About NetBackup security and encryption
- NetBackup security implementation levels
- World-level security
- Enterprise-level security
- Datacenter-level security overview
- NetBackup Access Control (NBAC)
- Combined world, enterprise, and data center levels
- NetBackup security implementation types
- Operating system security
- NetBackup security vulnerabilities
- Standard NetBackup security
- Client side encryption security
- NBAC on master, media server, and graphical user interface security
- NBAC complete security
- Security deployment models
- Workgroups
- Single datacenters
- Multi-datacenters
- Workgroup with NetBackup
- Single datacenter with standard NetBackup
- Single datacenter with client side encryption
- Single datacenter with NBAC on master and media servers
- Single datacenter with NBAC complete
- Multi-datacenter with standard NetBackup
- Multi-datacenter with client side encryption
- Multi-datacenter with NBAC on master and media servers
- Multi-datacenter with NBAC complete
- Auditing NetBackup operations
- About NetBackup auditing
- Viewing the current audit settings
- About audit events
- Audit retention period and catalog backups of audit records
- Viewing the detailed NetBackup audit report
- User identity in the audit report
- Disabling auditing
- Audit alert notification for audit failures (NetBackup Administration Console)
- Send audit events to system logs
- Section I. Identity and access management
- About identity and access management
- AD and LDAP domains
- API keys
- Auth.conf file
- Role-based access control (RBAC)
- Smart card or digital certificate
- Single Sign-On (SSO)
- Enhanced Auditing
- NetBackup Access Control Security (NBAC)
- About using NetBackup Access Control (NBAC)
- NetBackup access management administration
- About NetBackup Access Control (NBAC) configuration
- Configuring NetBackup Access Control (NBAC)
- NBAC configuration overview
- Configuring NetBackup Access Control (NBAC) on standalone master servers
- Installing the NetBackup master server highly available on a cluster
- Configuring NetBackup Access Control (NBAC) on a clustered master server
- Configuring NetBackup Access Control (NBAC) on media servers
- Installing and configuring NetBackup Access Control (NBAC) on clients
- About including authentication and authorization databases in the NetBackup hot catalog backups
- NBAC configure commands summary
- Unifying NetBackup Management infrastructures with the setuptrust command
- Using the setuptrust command
- Configuring Access Control host properties for the master and media server
- Access Control host properties dialog for the client
- Using NetBackup Access Control (NBAC) with Auto Image Replication
- Troubleshooting Access Management
- Troubleshooting NBAC issues
- Configuration and troubleshooting tips for NetBackup Authentication and Authorization
- Windows verification points
- UNIX verification points
- Verification points in a mixed environment with a UNIX master server
- Verification points in a mixed environment with a Windows master server
- About the nbac_cron utility
- Using the nbac_cron utility
- Using the Access Management utility
- About determining who can access NetBackup
- Viewing specific user permissions for NetBackup user groups
- Granting permissions
- Authorization objects
- Media authorization object permissions
- Policy authorization object permissions
- Drive authorization object permissions
- Report authorization object permissions
- NBU_Catalog authorization object permissions
- Robot authorization object permissions
- Storage unit authorization object permissions
- DiskPool authorization object permissions
- BUAndRest authorization object permissions
- Job authorization object permissions
- Service authorization object permissions
- HostProperties authorization object permissions
- License authorization object permissions
- Volume group authorization object permissions
- VolumePool authorization object permissions
- DevHost authorization object permissions
- Security authorization object permissions
- Fat server authorization object permissions
- Fat client authorization object permissions
- Vault authorization object permissions
- Server group authorization object permissions
- Key management system (kms) group authorization object permissions
- Upgrading NetBackup Access Control (NBAC)
- Section II. Encryption of data in transit
- NetBackup CA and NetBackup certificates
- Overview of security certificates in NetBackup
- About secure communication in NetBackup
- About the Security Management utilities
- About host management
- Hosts tab
- Adding host ID to host name mappings
- Add or Remove Host Mappings dialog box
- Removing host ID to host name mappings
- Mappings for Approval tab
- Viewing auto-discovered mappings
- Mapping Details dialog box
- Approving host ID to host name mappings
- Rejecting host ID to host name mappings
- Adding shared or cluster mappings
- Add Shared or Cluster Mappings dialog box
- Resetting NetBackup host attributes
- Allowing or disallowing automatic certificate reissue
- Adding or deleting comment for a host
- About global security settings
- About secure communication settings
- Disabling insecure communication
- About insecure communication with 8.0 and earlier hosts
- About communication with 8.0 or earlier host in multiple NetBackup domains
- Automatically mapping host ID to host names and IP addresses
- About disaster recovery settings
- Setting a passphrase to encrypt disaster recovery packages
- Disaster recovery packages
- About host name-based certificates
- About host ID-based certificates
- Web login requirements for nbcertcmd command options
- Using the Certificate Management utility to issue and deploy host ID-based certificates
- About NetBackup certificate deployment security levels
- Automatic host ID-based certificate deployment
- Deploying host ID-based certificates
- Deploying host ID-based certificates in an asynchronous manner
- Implication of clock skew on certificate validity
- Setting up trust with the master server (Certificate Authority)
- Forcing or overwriting certificate deployment
- Retaining host ID-based certificates when reinstalling NetBackup on non-master hosts
- Deploying certificates on a client that has no connectivity with the master server
- About host ID-based certificate expiration and renewal
- Deleting sensitive certificates and keys from media servers and clients
- Cleaning host ID-based certificate information from a host before cloning a virtual machine
- About reissuing host ID-based certificates
- About Token Management for host ID-based certificates
- About the host ID-based certificate revocation list
- About revoking host ID-based certificates
- Deleting host ID-based certificates
- Host ID-based certificate deployment in a clustered setup
- About deployment of a host ID-based certificate on a clustered NetBackup host
- Deploying host ID-based certificates on cluster nodes
- Revoking a host ID-based certificate for a clustered NetBackup setup
- Deploying a host ID-based certificate on a clustered NetBackup setup using reissue token
- Creating a reissue token for a clustered NetBackup setup
- Renewing a host ID-based certificate on a clustered NetBackup setup
- Viewing certificate details of a clustered NetBackup setup
- Removing CA certificates from a clustered NetBackup setup
- Generating a certificate on a clustered master server after disaster recovery installation
- About the communication between a NetBackup client located in a demilitarized zone and a master server through an HTTP tunnel
- Adding a NetBackup host manually
- Migrating NetBackup CA
- Setting the required key strength before installation or upgrade using the NB_KEYSIZE environment variable
- Migrating NetBackup CA when the entire NetBackup domain is upgraded to NetBackup 8.3
- Manually migrating NetBackup CA after installation or upgrade
- Establishing communication with clients that do not have new CA certificates after CA migration
- Viewing a list of NetBackup CAs in the domain
- Viewing the CA migration summary
- Decommissioning the inactive NetBackup CA
- External CA and external certificates
- About external CA support in NetBackup
- Workflow to use external certificates for NetBackup host communication
- Configuration options for external CA-signed certificates
- ECA_CERT_PATH for NetBackup servers and clients
- ECA_TRUST_STORE_PATH for NetBackup servers and clients
- ECA_PRIVATE_KEY_PATH for NetBackup servers and clients
- ECA_KEY_PASSPHRASEFILE for NetBackup servers and clients
- ECA_CRL_CHECK for NetBackup servers and clients
- ECA_CRL_PATH for NetBackup servers and clients
- ECA_CRL_PATH_SYNC_HOURS for NetBackup servers and clients
- ECA_CRL_REFRESH_HOURS for NetBackup servers and clients
- ECA_DISABLE_AUTO_ENROLLMENT for NetBackup servers and clients
- ECA_DR_BKUP_WIN_CERT_STORE for NetBackup servers and clients
- About certificate revocation lists for external CA
- About certificate enrollment
- About viewing enrollment status of master servers
- Configuring an external certificate for the NetBackup web server
- Configuring the master server to use an external CA-signed certificate
- Configuring a NetBackup host (media server, client, or cluster node) to use an external CA-signed certificate after installation
- Enrolling an external certificate for a remote host
- Viewing the certificate authorities that your NetBackup domain supports
- Viewing external CA-signed certificates in the NetBackup web UI
- Renewing a file-based external certificate
- Removing certificate enrollment
- Disabling the NetBackup CA in a NetBackup domain
- Enabling the NetBackup CA in a NetBackup domain
- Disabling an external CA in a NetBackup domain
- Changing the subject name of an enrolled external certificate
- About external certificate configuration for a clustered master server
- Regenerating keys and certificates
- About regenerating keys and certificates
- Regenerating NetBackup authentication broker keys and certificates
- Regenerating host identity keys and certificates
- Regenerating web service keys and certificates
- Regenerating nbcertservice keys and certificates
- Regenerating tomcat keys and certificates
- Regenerating JWT keys
- Regenerating NetBackup gateway certificates
- Regenerating web trust store certificates
- Regenerating VMware vCenter plug-in certificates
- Regenerating NetBackup Administrator Console session certificates
- Regenerating OpsCenter keys and certificates
- Regenerating NetBackup encryption key file
- NetBackup CA and NetBackup certificates
- Section III. Encryption of data at rest
- Data at rest encryption security
- Data at rest encryption terminology
- Data at rest encryption considerations
- Destination types for encryption of data at rest
- Encryption security questions to consider
- Comparison of encryption options
- About NetBackup client encryption
- Configuring standard encryption on clients
- Managing standard encryption configuration options
- Managing the NetBackup encryption key file
- About configuring standard encryption from the server
- Restoring an encrypted backup file to another client
- About configuring standard encryption directly on clients
- Setting standard encryption attribute in policies
- Changing the client encryption settings from the NetBackup server
- Configuring legacy encryption on clients
- About configuring legacy encryption from the client
- About configuring legacy encryption from the server
- Restoring a legacy encrypted backup created on another client
- About setting legacy encryption attribute in policies
- Changing client legacy encryption settings from the server
- Additional legacy key file security for UNIX clients
- NetBackup key management service
- About FIPS enabled KMS
- About the Key Management Service (KMS)
- Installing KMS
- Configuring KMS
- Creating the key database
- About key groups and key records
- Overview of key record states
- About backing up the KMS database files
- About recovering KMS by restoring all data files
- Recovering KMS by restoring only the KMS data file
- Recovering KMS by regenerating the data encryption key
- Problems backing up the KMS data files
- Solutions for backing up the KMS data files
- Creating a key record
- Listing keys from a key group
- Configuring NetBackup to work with KMS
- Configuring NetBackup KMS using the KMS web application
- About using KMS for encryption
- KMS database constituents
- Command line interface (CLI) commands
- CLI usage help
- Create a new key group
- Create a new key
- Modify key group attributes
- Modify key attributes
- Get details of key groups
- Get details of keys
- Delete a key group
- Delete a key
- Recover a key
- About exporting and importing keys from the KMS database
- Modify host master key (HMK)
- Get host master key (HMK) ID
- Get key protection key (KPK) ID
- Modify key protection key (KPK)
- Get keystore statistics
- Quiesce KMS database
- Unquiesce KMS database
- Key creation options
- Troubleshooting KMS
- External key management service
- About external KMS
- Certificate configuration and authorization
- Workflow for external KMS configuration
- Validating KMS credentials
- Configuring KMS credentials
- Configuring KMS
- Configuring keys in an external KMS for NetBackup consumption
- Creating keys in an external KMS
- Determining a key group name during storage configuration
- Working with multiple KMS servers
- Working with external KMS during backup and restore
- Key rotation
- Disaster recovery when catalog backup is encrypted using an external KMS server
- Alerts for expiration of KMS credentials
- Data at rest encryption security
- NetBackup web services account
- Immutability and indelibility of data in NetBackup
Specifying Windows certificate store for ECA_CERT_PATH
NetBackup selects a certificate from any of the local machine certificate stores on a Windows host.
In case of Windows certificate store, ECA_CERT_PATH is a list of comma-separated clauses.
Each clause is of the form Store name\Issuer\Subject. Each clause element contains a query.
$hostname is a keyword that is replaced with the fully qualified domain name of the host. Use double quotes when a \ is present in the actual path. For example, MY\Veritas\"NetBackup\$hostname".
$shorthostname is a keyword that is replaced with the short name of the host. Use double quotes when a \ is present in the actual path. For example, MY\Veritas\"NetBackup\$shorthostname".
The 'Store name' should be the exact name of the store where the certificate resides. For example: 'MY'
The 'Issuer' is optional. If this is provided, NetBackup picks the certificates for which the Issuer DN contains the provided substring.
The 'Subject' is mandatory. NetBackup picks the certificate for which the Subject DN contains the provided substring.
You must ensure to:
Add the root certificate to Trusted Root Certification Authorities or Third-Party Root Certification Authorities in the Windows certificate store.
If you have any intermediate CAs, add their certificates to the Intermediate Certification Authorities in the Windows certificate store.
Example - Certificate locations with WHERE CLAUSE:
My\Veritas\$hostname, My\ExampleCompany\$hostname
Where (certificate store is MY, Issuer DN contains Veritas, Subject DN contains $hostname) OR (certificate store name is MY, Issuer DN contains ExampleCompany, Subject DN contains $hostname)
MY\Veritas\"NetBackup\$hostname"
Where certificate store name is MY, Issuer DN contains Veritas, Subject DN contains NetBackup\$hostname
MY\\$hostname
Where certificate store name is MY, any Issuer DN, Subject DN contains $hostname
MY\\$shorthostname
Where certificate store name is MY, any Issuer DN, Subject DN contains $shorthostname
MY\Veritas\NetBackup $hostname
Where certificate store name is MY, Issuer DN contains Veritas, Subject DN contains NetBackup $hostname
If you provide a space between words, it is considered as a valid character.
Example - Certificate locations with invalid data:
MY\\
The Subject DN should have some value.
My\$hostname
The Subject DN should have some value.
\\$hostname
The certificate store name should have exact value of the store in which the certificate resides.
MY\CN=Veritas\CN=$hostname
The Subject DN and issuer DN cannot contain =, and also specific tags like CN=.