NetBackup™ Security and Encryption Guide
- Read this first for secure communications in NetBackup
- Communication failure scenarios
- Increasing NetBackup security
- Security deployment models
- Auditing NetBackup operations
- About audit events
- Section I. Identity and access management
- About identity and access management
- AD and LDAP domains
- Access keys
- API keys
- Auth.conf file
- Role-based access control
- Default RBAC roles
- Smart card or digital certificate
- Single Sign-On (SSO)
- Enhanced Auditing
- NetBackup Access Control Security (NBAC)
- Configuring NetBackup Access Control (NBAC)
- Configuring Access Control host properties for the primary and media server
- Access Control host properties dialog for the client
- Troubleshooting Access Management
- Windows verification points
- UNIX verification points
- Verification points in a mixed environment with a UNIX primary server
- Verification points in a mixed environment with a Windows primary server
- About determining who can access NetBackup
- Viewing specific user permissions for NetBackup user groups
- Section II. Encryption of data-in-transit
- NetBackup CA and NetBackup certificates
- About the Security Management utilities
- About host management
- Adding shared or cluster mappings
- Allowing or disallowing automatic certificate reissue
- About global security settings
- About host name-based certificates
- About host ID-based certificates
- Using the Certificate Management utility to issue and deploy host ID-based certificates
- About NetBackup certificate deployment security levels
- Setting up trust with the primary server (Certificate Authority)
- About reissuing host ID-based certificates
- About Token Management for host ID-based certificates
- About the host ID-based certificate revocation list
- About revoking host ID-based certificates
- Host ID-based certificate deployment in a clustered setup
- About deployment of a host ID-based certificate on a clustered NetBackup host
- Migrating NetBackup CA
- Configuring data-in-transit encryption (DTE)
- Configure the DTE mode on a client
- Modify the DTE mode on a backup image
- How DTE configuration settings work in various NetBackup operations
- External CA and external certificates
- About external CA support in NetBackup
- Configuration options for external CA-signed certificates
- ECA_CERT_PATH for NetBackup servers and clients
- About certificate revocation lists for external CA
- About certificate enrollment
- Configuring an external certificate for the NetBackup web server
- About external certificate configuration for a clustered primary server
- Regenerating keys and certificates
- NetBackup CA and NetBackup certificates
- Section III. Encryption of data at rest
- Data at rest encryption security
- About NetBackup client encryption
- Configuring standard encryption on clients
- About configuring standard encryption from the server
- Configuring legacy encryption on clients
- About configuring legacy encryption from the client
- About configuring legacy encryption from the server
- Additional legacy key file security for UNIX clients
- NetBackup key management service
- About FIPS enabled KMS
- Installing KMS
- Configuring KMS
- About key groups and key records
- Overview of key record states
- Configuring NetBackup to work with KMS
- About using KMS for encryption
- KMS database constituents
- Command line interface (CLI) commands
- About exporting and importing keys from the KMS database
- Troubleshooting KMS
- External key management service
- Configuring KMS credentials
- Configuring KMS
- Creating keys in an external KMS
- Working with multiple KMS servers
- Data at rest encryption security
- Ciphers used in NetBackup for secure communication
- FIPS compliance in NetBackup
- Disable FIPS mode for NetBackup
- NetBackup web services account
- Running NetBackup services with non-privileged user (service user) account
- Running NetBackup commands with non-privileged user account
- Immutability and indelibility of data in NetBackup
- Backup anomaly detection
- Section IV. Malware scanning
Detecting backup anomalies on the media server
This topic provides the workflow and the procedure that enable the media server to detect backup anomalies.
Note:
By default, the anomaly detection algorithm runs on the NetBackup primary server. If you see any impact on the primary server because of the anomaly detection process, you can configure a media server to detect anomalies.
To enable the media server to detect backup anomalies
- Install the NetBackup media server software on your system (or upgrade the media server software).
- On the primary server, add anomaly proxy server details. The proxy server should be the media server where you want the anomaly algorithms to be run.
- (Optional) If you want to preserve the data that the primary server has gathered earlier, do the following:
Ensure that the nbanomalymgmt service is disabled using the web UI.
Ensure that the nbanomalymgmt service on the media server is stopped.
Go to the following directory:
On Windows: Install_Path\NetBackup\var\global
On UNIX: /usr/openv/var/global
The directory resides on the shared disk on a clustered primary server.
Copy the NB_Anomaly.db, NB_Anomaly.db-shm, and NB_Anomaly-wal files from the anomaly_detection folder on the primary server to the anomaly_detection folder on the media server.
You can copy the anomaly_config.conf file to preserve the automatic malware scan settings.
Start the nbanomalymgmt service on the media server.
- On the media server, start the nbanomalymgmt service manually. Use the following script:
nbanomalymgmt -start
- Configure the backup anomaly settings in the NetBackup web UI. NetBackup takes these settings into account during anomaly detection.
See Configure anomaly detection settings.
See How a backup anomaly is detected.
If any anomalies are detected, they are notified using the NetBackup web UI.
See View anomalies.