NetBackup™ Security and Encryption Guide

Last Published:
Product(s): NetBackup & Alta Data Protection (10.5.0.1)
  1. Read this first for secure communications in NetBackup
    1.  
      About secure communication in NetBackup
    2.  
      How NetBackup CA-signed certificates (or host ID-based certificates) are deployed during installation
    3.  
      How secure communication works with primary server cluster nodes
    4.  
      About NetBackup clients installed on nodes of a clustered application
    5.  
      How NetBackup certificates are deployed on hosts during upgrades
    6.  
      When an authorization token is required during certificate deployment
    7.  
      Why do you need to map host names (or IP addresses) to host IDs
    8.  
      How to reset host attributes or host communication status
    9.  
      What has changed for catalog recovery
    10.  
      What has changed with Auto Image Replication
    11.  
      How the hosts with revoked certificates work
    12.  
      Are NetBackup certificates backed up
    13.  
      Can you configure external certificates for primary server
    14.  
      How secure communication works with primary server cluster nodes using external certificates
    15.  
      How revocation lists work for external certificates
    16.  
      How communication happens when a host cannot directly connect to the primary server
    17.  
      How NetBackup 8.1 or later hosts communicate with NetBackup 8.0 and earlier hosts
    18.  
      How communication with legacy media servers happens in the case of cloud configuration
    19. Communication failure scenarios
      1.  
        Failure during communication with 8.0 or earlier hosts
      2.  
        Catalog backup failure
    20.  
      Secure communication support for other hosts in NetBackup domain
    21.  
      Secure communication support for BMR
    22.  
      Configuration for VMware backups that protect SQL Server and backups with SQL Servers that use multiple NICs
  2. Increasing NetBackup security
    1.  
      About NetBackup security and encryption
    2.  
      NetBackup security implementation levels
    3.  
      World-level security
    4.  
      Enterprise-level security
    5.  
      Datacenter-level security overview
    6.  
      NetBackup Access Control (NBAC)
    7.  
      Combined world, enterprise, and datacenter levels
    8.  
      NetBackup security implementation types
    9.  
      Operating system security
    10.  
      NetBackup security vulnerabilities
    11.  
      Standard NetBackup security
    12.  
      Client side encryption security
    13.  
      NBAC on primary, media server, and graphical user interface security
    14.  
      NBAC complete security
  3. Security deployment models
    1.  
      Workgroups
    2.  
      Single datacenters
    3.  
      Multi-datacenters
    4.  
      Workgroup with NetBackup
    5.  
      Single datacenter with standard NetBackup
    6.  
      Single datacenter with client side encryption
    7.  
      Single datacenter with NBAC on primary and media servers
    8.  
      Single datacenter with NBAC complete
    9.  
      Multi-datacenter with standard NetBackup
    10.  
      Multi-datacenter with client side encryption
    11.  
      Multi-datacenter with NBAC on primary and media servers
    12.  
      Multi-datacenter with NBAC complete
  4. Auditing NetBackup operations
    1.  
      About NetBackup auditing
    2.  
      Viewing the current audit settings
    3. About audit events
      1.  
        Viewing audit events
      2.  
        Troubleshooting auditing issues related to the Access History tab
    4.  
      Audit retention period and catalog backups of audit records
    5.  
      Viewing the detailed NetBackup audit report
    6.  
      User identity in the audit report
    7.  
      Disabling auditing
    8.  
      Audit alert notification for audit failures (NetBackup Administration Console)
    9.  
      Send audit events to system logs
    10.  
      SYSLOG_AUDIT_USE_OCSF_FORMAT for NetBackup primary server
  5. Section I. Identity and access management
    1. About identity and access management
      1.  
        About access control in NetBackup
    2. AD and LDAP domains
      1.  
        Adding AD or LDAP domains in NetBackup
      2.  
        Troubleshooting AD or LDAP domain configuration issues
      3.  
        Certificate authorities trusted by the NetBackup Authentication Service
    3. Access keys
      1.  
        Access keys
      2.  
        Access codes
      3.  
        Request CLI access through web UI authentication
      4.  
        Approve the CLI access request of another user
      5.  
        Edit the settings for command-line access
    4. API keys
      1.  
        About API keys
      2.  
        Creating API keys
      3.  
        Managing an API key
      4. Using an API key
        1.  
          Setting an API key environment variable to run NetBackup commands
    5. Auth.conf file
      1.  
        Authorization file (auth.conf) characteristics
    6. Role-based access control
      1.  
        RBAC features
      2.  
        RBAC settings
      3.  
        Configuring RBAC
      4.  
        Role permissions
      5.  
        Notes for using NetBackup RBAC
      6.  
        Add AD or LDAP domains
      7. Default RBAC roles
        1.  
          Add a custom RBAC role for a PaaS administrator
        2.  
          Add a custom RBAC role to restore Azure-managed instances
      8.  
        Add a custom RBAC role
      9.  
        Edit or remove a role a custom role
      10.  
        View users in RBAC
      11.  
        Add a user to a role (non-SAML)
      12.  
        Add a smart card user to a role (non-SAML, without AD/LDAP)
      13.  
        Add a user to a role (SAML)
      14.  
        Remove a user from a role
    7. NetBackup interface access for OS Administrators
      1.  
        Disable command-line (CLI) access for operating system (OS) administrators
      2.  
        Disable web UI access for operating system (OS) administrators
    8. Smart card or digital certificate
      1.  
        Configure user authentication with smart cards or digital certificates
      2.  
        Configure smart card authentication with a domain
      3.  
        Configure smart card authentication without a domain
      4.  
        Edit the configuration for smart card authentication
      5.  
        Add or delete a CA certificate that is used for smart card authentication
      6.  
        Disable or temporarily disable smart card authentication
    9. Single Sign-On (SSO)
      1.  
        About single sign-on (SSO) configuration
      2. Configure NetBackup for single sign-on (SSO)
        1.  
          Configure the SAML KeyStore
        2.  
          Configure the SAML keystore and add and enable the IDP configuration
        3.  
          Enroll the NetBackup primary server with the IDP
        4.  
          Manage an IDP configuration
    10. NetBackup Access Control Security (NBAC)
      1.  
        About using NetBackup Access Control (NBAC)
      2.  
        NetBackup access management administration
      3.  
        About NetBackup Access Control (NBAC) configuration
      4. Configuring NetBackup Access Control (NBAC)
        1.  
          NBAC configuration overview
        2.  
          Configuring NetBackup Access Control (NBAC) on standalone primary servers
        3.  
          Installing the NetBackup primary server highly available on a cluster
        4.  
          Configuring NetBackup Access Control (NBAC) on a clustered primary server
        5.  
          Configuring NetBackup Access Control (NBAC) on media servers
        6.  
          Installing and configuring access control on clients
        7.  
          About including authentication and authorization databases in the NetBackup hot catalog backups
        8.  
          NBAC configure commands summary
        9.  
          Unifying NetBackup Management infrastructures with the setuptrust command
        10.  
          Using the setuptrust command
      5. Configuring Access Control host properties for the primary and media server
        1.  
          Authentication Domain tab
        2.  
          Authorization Service tab
        3.  
          Network Attributes tab
      6. Access Control host properties dialog for the client
        1.  
          Authentication Domain tab for the client
        2.  
          Network Attributes tab for the client
      7.  
        Using NetBackup Access Control (NBAC) with Auto Image Replication
      8. Troubleshooting Access Management
        1.  
          Troubleshooting NBAC issues
        2.  
          Configuration and troubleshooting tips for NetBackup Authentication and Authorization
        3. Windows verification points
          1.  
            Primary server verification points for Windows
          2.  
            Media server verification points for Windows
          3.  
            Client verification points for Windows
        4. UNIX verification points
          1.  
            UNIX primary server verification
          2.  
            UNIX media server verification
          3.  
            UNIX client verification
        5. Verification points in a mixed environment with a UNIX primary server
          1.  
            Primary server verification points for a mixed UNIX primary server
          2.  
            Media server verification points for a mixed UNIX primary server
          3.  
            Client verification points for a mixed UNIX primary server
        6. Verification points in a mixed environment with a Windows primary server
          1.  
            Primary server verification points for a mixed Windows primary server
          2.  
            Media server verification points for a mixed Windows primary server
          3.  
            Client verification points for a mixed Windows primary server
        7.  
          About the nbac_cron utility
        8.  
          Using the nbac_cron utility
      9.  
        Using the Access Management utility
      10. About determining who can access NetBackup
        1.  
          Individual users
        2.  
          User groups
        3.  
          NetBackup default user groups
        4. Configuring user groups
          1.  
            Creating a new user group
          2.  
            Creating a new user group by copying an existing user group
          3.  
            Renaming a user group
          4.  
            Adding a new user to the user group
        5. About defining a user group and users
          1.  
            Logging on as a new user
          2.  
            Assigning a user to a user group
          3.  
            About authorization objects and permissions
      11. Viewing specific user permissions for NetBackup user groups
        1.  
          Granting permissions
        2.  
          Authorization objects
        3.  
          Media authorization object permissions
        4.  
          Policy authorization object permissions
        5.  
          Drive authorization object permissions
        6.  
          Report authorization object permissions
        7.  
          NBU_Catalog authorization object permissions
        8.  
          Robot authorization object permissions
        9.  
          Storage unit authorization object permissions
        10.  
          DiskPool authorization object permissions
        11.  
          BUAndRest authorization object permissions
        12.  
          Job authorization object permissions
        13.  
          Service authorization object permissions
        14.  
          HostProperties authorization object permissions
        15.  
          License authorization object permissions
        16.  
          Volume group authorization object permissions
        17.  
          VolumePool authorization object permissions
        18.  
          DevHost authorization object permissions
        19.  
          Security authorization object permissions
        20.  
          Fat server authorization object permissions
        21.  
          Fat client authorization object permissions
        22.  
          Vault authorization object permissions
        23.  
          Server group authorization object permissions
        24.  
          Key management system (kms) group authorization object permissions
      12.  
        Upgrading NetBackup Access Control (NBAC)
      13.  
        Configuration requirements if using Change Server with NBAC
  6. Minimizing security configuration risk
    1.  
      About security configuration risk
    2.  
      Security settings to be configured to minimize risk
    3.  
      Set the current posture as security baseline
  7. Configuring multifactor authentication
    1.  
      About multifactor authentication
    2.  
      Configure multifactor authentication for your user account
    3.  
      Disable multifactor authentication for your user account
    4.  
      Enforce multifactor authentication for all users
    5.  
      Configure multifactor authentication for your user account when it is enforced in the domain
    6.  
      Reset multifactor authentication for a user
  8. Configuring multi-person authorization
    1.  
      About multi-person authorization
    2.  
      Workflow to configure multi-person authorization for NetBackup operations
    3.  
      RBAC roles and permissions for multi-person authorization
    4.  
      Multi-person authorization process with respect to roles
    5.  
      NetBackup operations that need multi-person authorization
    6.  
      Configure multi-person authorization
    7.  
      View multi-person authorization tickets
    8.  
      Manage multi-person authorization tickets
    9.  
      Add exempted users
    10.  
      Schedule expiration and purging of multi-person authorization tickets
    11.  
      Disable multi-person authorization
  9. Section II. Encryption of data-in-transit
    1. NetBackup CA and NetBackup certificates
      1.  
        Overview of security certificates in NetBackup
      2.  
        About secure communication in NetBackup
      3. About the Security Management utilities
        1.  
          About login activity
      4. About host management
        1.  
          Hosts tab
        2.  
          Adding host ID to host name mappings
        3.  
          Add or Remove Host Mappings dialog box
        4.  
          Removing host ID to host name mappings
        5.  
          Mappings for Approval tab
        6.  
          Viewing auto-discovered mappings
        7.  
          Mapping Details dialog box
        8.  
          Approving host ID to host name mappings
        9.  
          Rejecting host ID to host name mappings
        10. Adding shared or cluster mappings
          1.  
            About shared or cluster mapping scenarios
        11.  
          Add Shared or Cluster Mappings dialog box
        12.  
          Resetting NetBackup host attributes
        13. Allowing or disallowing automatic certificate reissue
          1.  
            Configuring validity of the autoreissue parameter for a host
        14.  
          Adding or deleting comment for a host
      5. About global security settings
        1.  
          About secure communication settings
        2.  
          Disabling insecure communication
        3.  
          About insecure communication with 8.0 and earlier hosts
        4.  
          About communication with 8.0 or earlier host in multiple NetBackup domains
        5.  
          Automatically mapping host ID to host names and IP addresses
        6.  
          About disaster recovery settings
        7.  
          Disaster recovery packages
        8.  
          Setting a passphrase to encrypt disaster recovery packages
        9.  
          Validate the disaster recovery package passphrase
      6. About host name-based certificates
        1.  
          Deploying host name-based certificates
      7. About host ID-based certificates
        1.  
          Web login requirements for nbcertcmd command options
        2. Using the Certificate Management utility to issue and deploy host ID-based certificates
          1.  
            Viewing host ID-based certificate details
        3. About NetBackup certificate deployment security levels
          1.  
            Configuring the certificate deployment security levels
        4.  
          Automatic host ID-based certificate deployment
        5.  
          Managing passphrases and passphrase keys for encryption of private key of host ID-based certificates
        6.  
          Deploying host ID-based certificates
        7.  
          Deploying host ID-based certificates in an asynchronous manner
        8.  
          Implication of clock skew on certificate validity
        9. Setting up trust with the primary server (Certificate Authority)
          1.  
            Finding and communicating the fingerprint of the certificate authority
        10.  
          Forcing or overwriting certificate deployment
        11.  
          Retaining host ID-based certificates when reinstalling NetBackup on non-primary hosts
        12.  
          Deploying certificates on a client that has no connectivity with the primary server
        13.  
          About host ID-based certificate expiration and renewal
        14.  
          Deleting sensitive certificates and keys from media servers and clients
        15.  
          Cleaning host ID-based certificate information from a host before cloning a virtual machine
        16. About reissuing host ID-based certificates
          1.  
            Creating a reissue token
          2.  
            Changing the key pair for a host
      8. About Token Management for host ID-based certificates
        1.  
          Creating authorization tokens
        2.  
          Deleting authorization tokens
        3.  
          Viewing authorization token details
        4.  
          About expired authorization tokens and cleanup
      9. About the host ID-based certificate revocation list
        1.  
          Refreshing the CRL on the primary server
        2.  
          Refreshing the CRL on a NetBackup host
      10. About revoking host ID-based certificates
        1.  
          Removing trust between a host and a primary server
        2.  
          Revoking a host ID-based certificate
        3.  
          Determining a NetBackup host's certificate state
        4.  
          Getting a list of NetBackup hosts that have revoked certificates
      11.  
        Deleting host ID-based certificates
      12. Host ID-based certificate deployment in a clustered setup
        1. About deployment of a host ID-based certificate on a clustered NetBackup host
          1.  
            Host ID-based certificate deployment on the active primary server node
          2.  
            Host ID-based certificate deployment on inactive primary server nodes
        2.  
          Deploying host ID-based certificates on cluster nodes
        3.  
          Revoking a host ID-based certificate for a clustered NetBackup setup
        4.  
          Deploying a host ID-based certificate on a clustered NetBackup setup using reissue token
        5.  
          Creating a reissue token for a clustered NetBackup setup
        6.  
          Renewing a host ID-based certificate on a clustered NetBackup setup
        7.  
          Viewing certificate details of a clustered NetBackup setup
        8.  
          Removing CA certificates from a clustered NetBackup setup
        9.  
          Generating a certificate on a clustered primary server after disaster recovery installation
      13.  
        About the communication between a NetBackup client located in a demilitarized zone and a primary server through an HTTP tunnel
      14.  
        Adding a NetBackup host manually
      15. Migrating NetBackup CA
        1.  
          Setting the required key strength before installation or upgrade using the NB_KEYSIZE environment variable
        2.  
          Migrating NetBackup CA when the entire NetBackup domain is upgraded
        3.  
          Manually migrating NetBackup CA after installation or upgrade
        4.  
          Establishing communication with clients that do not have new CA certificates after CA migration
        5.  
          Viewing a list of NetBackup CAs in the domain
        6.  
          Viewing the CA migration summary
        7.  
          Decommissioning the inactive NetBackup CA
    2. Configuring data-in-transit encryption (DTE)
      1.  
        About the data channel
      2.  
        Data-in-transit encryption support
      3.  
        Workflow to configure data-in-transit encryption
      4.  
        Configure the global data-in-transit encryption setting
      5. Configure the DTE mode on a client
        1.  
          DTE_CLIENT_MODE for clients
      6.  
        View the DTE mode of a NetBackup job
      7.  
        View the DTE-specific attributes of a NetBackup image and an image copy
      8.  
        Configure the DTE mode on the media server
      9. Modify the DTE mode on a backup image
        1.  
          DTE_IGNORE_IMAGE_MODE for NetBackup servers
      10.  
        Media device selection (MDS) and resource allocation
      11. How DTE configuration settings work in various NetBackup operations
        1.  
          Backup
        2.  
          Restore
        3.  
          MSDP backup, restore, and optimized duplication
        4.  
          Universal-Share policy backup
        5.  
          Catalog backup and recovery
        6.  
          Duplication
        7.  
          Synthetic backup
        8.  
          Verify
        9.  
          Import
        10.  
          Replication
    3. External CA and external certificates
      1. About external CA support in NetBackup
        1.  
          Command-line options used for external certificate configuration
      2.  
        Workflow to use external certificates for NetBackup host communication
      3. Configuration options for external CA-signed certificates
        1. ECA_CERT_PATH for NetBackup servers and clients
          1.  
            Specifying Windows certificate store for ECA_CERT_PATH
        2.  
          ECA_TRUST_STORE_PATH for NetBackup servers and clients
        3.  
          ECA_PRIVATE_KEY_PATH for NetBackup servers and clients
        4.  
          ECA_KEY_PASSPHRASEFILE for NetBackup servers and clients
        5.  
          ECA_CRL_CHECK for NetBackup servers and clients
        6.  
          ECA_CRL_PATH for NetBackup servers and clients
        7.  
          ECA_CRL_PATH_SYNC_HOURS for NetBackup servers and clients
        8.  
          ECA_CRL_REFRESH_HOURS for NetBackup servers and clients
        9.  
          ECA_DISABLE_AUTO_ENROLLMENT for NetBackup servers and clients
        10.  
          ECA_DR_BKUP_WIN_CERT_STORE for NetBackup servers and clients
        11.  
          MANAGE_WIN_CERT_STORE_PRIVATE_KEY option for NetBackup primary servers
      4.  
        Limitations of Windows Certificate Store support when NetBackup services are running in Local Service account context
      5. About certificate revocation lists for external CA
        1.  
          How CRLs from ECA_CRL_PATH are used
        2.  
          How CRLs from CDP URLs are used
      6. About certificate enrollment
        1.  
          About automatic enrollment of an external certificate
      7.  
        About viewing enrollment status of primary servers
      8. Configure an external certificate for the NetBackup web server
        1.  
          Update or renew the external certificate for the web server
        2.  
          Remove the external certificate configured for the web server
      9.  
        Configuring the primary server to use an external CA-signed certificate
      10.  
        Configuring a NetBackup host (media server, client, or cluster node) to use an external CA-signed certificate after installation
      11.  
        Enrolling an external certificate for a remote host
      12.  
        Viewing the certificate authorities that your NetBackup domain supports
      13.  
        Viewing external CA-signed certificates in the NetBackup web UI
      14.  
        Renewing a file-based external certificate
      15.  
        Removing certificate enrollment
      16.  
        Disabling the NetBackup CA in a NetBackup domain
      17.  
        Enabling the NetBackup CA in a NetBackup domain
      18.  
        Disabling an external CA in a NetBackup domain
      19.  
        Changing the subject name of an enrolled external certificate
      20. About external certificate configuration for a clustered primary server
        1.  
          Workflow to use external certificates for a clustered primary server
        2. Configuration options for external CA-signed certificates for a virtual name
          1.  
            CLUSTER_ECA_CERT_PATH for clustered primary server
          2.  
            CLUSTER_ECA_TRUST_STORE_PATH for clustered primary server
          3.  
            CLUSTER_ECA_PRIVATE_KEY_PATH for clustered primary server
          4.  
            CLUSTER_ECA_KEY_PASSPHRASEFILE for clustered primary server
        3.  
          Configuring an external certificate for a clustered primary server
    4. Regenerating keys and certificates
      1.  
        About regenerating keys and certificates
      2.  
        Regenerating NetBackup authentication broker keys and certificates
      3.  
        Regenerating host identity keys and certificates
      4.  
        Regenerating web service keys and certificates
      5.  
        Regenerating nbcertservice keys and certificates
      6.  
        Regenerating tomcat keys and certificates
      7.  
        Regenerating JWT keys
      8.  
        Regenerating NetBackup gateway certificates
      9.  
        Regenerating web trust store certificates
      10.  
        Regenerating VMware vCenter plug-in certificates
      11.  
        Regenerating NetBackup Administrator Console session certificates
      12.  
        Regenerating NetBackup encryption key file
  10. Section III. Encryption of data at rest
    1. Data at rest encryption security
      1.  
        Data at rest encryption terminology
      2.  
        Data at rest encryption considerations
      3.  
        Destination types for encryption of data at rest
      4.  
        Encryption security questions to consider
      5.  
        Comparison of encryption options
      6. About NetBackup client encryption
        1.  
          Installation prerequisites for encryption security
        2. About running an encryption backup
          1.  
            About choosing encryption for a backup
          2.  
            Standard encryption backup process
          3.  
            Legacy encryption backup process
        3.  
          NetBackup standard encryption restore process
        4.  
          NetBackup legacy encryption restore process
      7. Configuring standard encryption on clients
        1.  
          Managing standard encryption configuration options
        2.  
          Managing the NetBackup encryption key file
        3. About configuring standard encryption from the server
          1.  
            About creating encryption key files on the clients
          2.  
            Creating the key files
          3.  
            Best practices for key file restoration
          4.  
            Manual retention to protect key file pass phrases
          5.  
            Automatic backup of the key file
        4.  
          Restoring an encrypted backup file to another client
        5.  
          About configuring standard encryption directly on clients
        6.  
          Setting standard encryption attribute in policies
        7.  
          Changing the client encryption settings from the NetBackup server
      8. Configuring legacy encryption on clients
        1. About configuring legacy encryption from the client
          1.  
            Managing legacy encryption key files
        2. About configuring legacy encryption from the server
          1.  
            About pushing the legacy encryption configuration to clients
          2.  
            About pushing the legacy encryption pass phrases to clients
        3.  
          Restoring a legacy encrypted backup created on another client
        4.  
          About setting legacy encryption attribute in policies
        5.  
          Changing client legacy encryption settings from the server
        6. Additional legacy key file security for UNIX clients
          1.  
            Running the bpcd -keyfile command
          2.  
            Terminating bpcd on UNIX clients
    2. NetBackup key management service
      1. About FIPS enabled KMS
        1.  
          About Federal Information Processing Standards (FIPS)
      2. Installing KMS
        1.  
          Using KMS with NBAC
        2.  
          About installing KMS with HA clustering
        3.  
          Enabling the monitoring of the KMS service
        4.  
          Disabling the monitoring of the KMS service
      3. Configuring KMS
        1.  
          Creating the key database
        2. About key groups and key records
          1.  
            About creating key groups
          2.  
            About creating key records
        3. Overview of key record states
          1.  
            Key record state considerations
          2.  
            Prelive key record state
          3.  
            Active key record state
          4.  
            Inactive key record state
          5.  
            Deprecated key record state
          6.  
            Terminated key record state
        4.  
          About backing up the KMS database files
        5.  
          About recovering KMS by restoring all data files
        6.  
          Recovering KMS by restoring only the KMS data file
        7.  
          Recovering KMS by regenerating the data encryption key
        8.  
          Problems backing up the KMS data files
        9.  
          Solutions for backing up the KMS data files
        10.  
          Creating a key record
        11.  
          Listing keys from a key group
        12. Configuring NetBackup to work with KMS
          1.  
            NetBackup and key records from KMS
          2.  
            Example of setting up NetBackup to use tape encryption
        13.  
          Configuring NetBackup KMS using the KMS web application
      4. About using KMS for encryption
        1.  
          About importing KMS encrypted images
        2.  
          Example of running an encrypted tape backup
        3.  
          Example of verifying an encryption backup
      5. KMS database constituents
        1.  
          Creating an empty KMS database
        2.  
          Importance of the KPK ID and HMK ID
        3.  
          About periodically updating the HMK and KPK
        4.  
          Backing up the KMS keystore and administrator keys
      6. KMS operations using command-line interface (CLI)
        1.  
          CLI usage help
        2.  
          Create a new key group
        3.  
          Create a new key
        4.  
          Modify key group attributes
        5.  
          Modify key attributes
        6.  
          Get details of key groups
        7.  
          Get details of keys
        8.  
          Delete a key group
        9.  
          Delete a key
        10.  
          Recover a key
        11. About exporting and importing keys from the KMS database
          1. Exporting keys
            1.  
              Troubleshooting common errors during an export
          2. Importing keys
            1.  
              Troubleshooting common errors during an import
        12.  
          Modify host master key (HMK)
        13.  
          Get host master key (HMK) ID
        14.  
          Get key protection key (KPK) ID
        15.  
          Modify key protection key (KPK)
        16.  
          Get keystore statistics
        17.  
          Quiesce KMS database
        18.  
          Unquiesce KMS database
        19.  
          Key creation options
      7. Troubleshooting KMS
        1.  
          Solution for backups not encrypting
        2.  
          Solution for restores that do not decrypt
        3.  
          Troubleshooting example - backup with no active key record
        4.  
          Troubleshooting example - restore with an improper key record state
    3. External key management service
      1.  
        About external KMS
      2.  
        Certificate configuration and authorization
      3.  
        Workflow for external KMS configuration
      4.  
        Validating KMS credentials
      5. Configuring KMS credentials
        1.  
          Listing KMS credentials
        2.  
          Updating KMS credentials
        3.  
          Deleting KMS credentials
      6. Configuring KMS
        1.  
          Listing KMS configurations
        2.  
          Updating KMS configuration
        3.  
          Deleting KMS configuration
      7.  
        Configuring keys in an external KMS for NetBackup consumption
      8. Creating keys in an external KMS
        1.  
          Listing keys
      9.  
        Determining a key group name during storage configuration
      10. Working with multiple KMS servers
        1.  
          Migrating one KMS server to another KMS server
        2.  
          Using a separate KMS server for each storage configuration
      11.  
        Working with external KMS during backup and restore
      12.  
        Checking the compatibility of KMS vendor with NetBackup
      13.  
        Key rotation
      14.  
        Disaster recovery when catalog backup is encrypted using an external KMS server
      15.  
        Alerts for expiration of KMS credentials
  11. Ciphers used in NetBackup for secure communication
    1.  
      Ciphers used in NetBackup
  12. FIPS compliance in NetBackup
    1.  
      About FIPS
    2.  
      About FIPS support in NetBackup
    3.  
      Prerequisites
    4.  
      Specify entropy randomness in NetBackup
    5.  
      Configure FIPS mode in your NetBackup domain
    6.  
      Enable FIPS mode on NetBackup during installation
    7.  
      Enable FIPS mode on a NetBackup host after installation
    8.  
      Enable FIPS mode for the NetBackup Authentication Broker service
    9.  
      Enable FIPS mode for the NetBackup Administration Console
    10. Disable FIPS mode for NetBackup
      1.  
        Disable FIPS mode for a NetBackup host
      2.  
        Disable FIPS mode for NetBackup Authentication broker (nbatd)
      3.  
        Disable FIPS mode for the NetBackup Administration Console
    11.  
      NB_FIPS_MODE option for NetBackup servers and clients
    12.  
      USE_URANDOM for NetBackup servers and clients
  13. NetBackup web services account
    1.  
      About the NetBackup web services account
    2.  
      Changing the web service user account
  14. Running NetBackup services with non-privileged user (service user) account
    1. About a NetBackup service user account
      1.  
        Important considerations for using a service user account
    2.  
      Configuring a service user account
    3.  
      Changing a service user account after installation or upgrade
    4.  
      Giving access permissions to service user account on external paths
    5.  
      NetBackup services that run with the service user account
  15. Running NetBackup commands with non-privileged user account
    1. Running NetBackup commands using the nbcmdrun wrapper command
      1.  
        How does nbcmdrun function
      2.  
        Disable the nbcmdrun command
      3.  
        Reenable the nbcmdrun command
  16. Immutability and indelibility of data in NetBackup
    1.  
      About immutable and indelible data
    2.  
      Workflow to configure immutable and indelible data
    3.  
      Deleting an immutable image from storage using the bpexpdate command
    4.  
      Removing an immutable image from the catalog using the bpexpdate command
  17. Anomaly detection
    1. About backup anomaly detection
      1.  
        How a backup anomaly is detected
      2.  
        Configure backup anomaly detection settings
      3.  
        Detecting backup anomalies on the primary server
      4.  
        Detecting backup anomalies on the media server
      5.  
        View backup anomalies
    2. About system anomaly detection
      1.  
        Configure system anomaly detection settings
      2.  
        Configure rules-based anomaly detection
      3.  
        Configure risk engine-based anomaly detection
      4.  
        View system anomalies
    3.  
      Anomaly configuration to enable automatic scanning
    4. Computation of entropy and file attributes in NetBackup
      1.  
        Support information for computation of entropy and file attributes
      2.  
        COMPUTE_IMAGE_ENTROPY for NetBackup primary servers
      3.  
        Disable backup anomaly detection and computation of entropy and file attributes for a client
  18. Section IV. Malware scanning
    1. Introduction
      1. About malware scanning
        1. Workflow for malware scanning
          1.  
            Malware scanning workflow for MSDP backup images
          2.  
            Malware scanning workflow for OST and AdvancedDisk
      2.  
        About dynamic scan
      3.  
        About file hash search with malware hash
      4.  
        Limitations
    2. How to setup Malware scanning
      1.  
        How to set up malware scanning
    3. Instant Access configurations
      1.  
        About Instant Access configurations
      2.  
        MSDP build-your-own (BYO) server prerequisites and hardware requirements to configure Instant Access
      3.  
        Instant Access tuning parameters for malware scanning (BYO)
      4.  
        Configuration for scan instances
    4. Malware tools configurations
      1.  
        Supported malware tools
      2. Configuring NetBackup Malware Scanner (Avira)
        1.  
          Configuration of mirror server for Signature update
        2.  
          Configure a proxy server on Windows or Linux
        3. Configure the NetBackup Malware Scanner on scan host
          1.  
            Configure the NetBackup Malware Scanner for Windows
          2.  
            Configure a NetBackup Malware Scanner Linux
      3.  
        Configuring Symantec Protection Engine
      4.  
        Configuring Microsoft Defender Antivirus
    5. Scan host configurations
      1.  
        NetBackup malware scan host capabilities
      2. Prerequisites for a scan host
        1.  
          Prerequisites for Windows scan host
        2.  
          Prerequisites for Linux scan host
      3.  
        Limitations and considerations for scan host using NFS share
      4. Configuring scan host
        1. Automated scan host configuration
          1.  
            Scan host configuration using PowerShell
          2.  
            Scan host configuration using Shell
          3.  
            Scan host configuration using Ansible
        2. Manual scan host configuration
          1.  
            Configure malware scan host for Windows NFS share type and Microsoft Defender
          2.  
            Configure malware scan host for Linux NFS share type and Avira
      5. Configuring a scan host pool
        1.  
          Prerequisites for scan host pool
        2.  
          Configure a new scan host pool
        3.  
          Add a new host in a scan host pool
      6. Managing a scan host
        1.  
          Add an existing scan host
        2.  
          Validating the scan host pool configuration
        3.  
          Remove the scan host
        4.  
          Deactivate the scan host
        5.  
          Managing credentials for malware scanning
      7.  
        Configure resource limits for malware detection
    6. Performing malware scan
      1.  
        Performing malware scan before recovery
      2. Perform a malware scan
        1.  
          Scanning backup images
        2.  
          Assets by policy type
        3.  
          Assets by workload type
    7. Managing scan tasks
      1.  
        View the malware scan status
      2.  
        Actions for malware scanned images
      3.  
        Recover from malware-affected images (clients protected by protection plan)
      4.  
        Recover from malware-affected images (clients protected by policies)
      5.  
        Clean file recovery for virtual workload (VMware)
    8. Malware scan configuration parameters
      1.  
        MALWARE_SCAN_OPERATION_TIMEOUT
      2.  
        MALWARE_DETECTION_CLEANUP_PERIOD
      3.  
        MALWARE_DETECTION_TIMEOUT_PERIOD option for NetBackup servers
      4.  
        FAIL_SAFE_SCAN_RETRY_COUNT
      5.  
        Malware hash configuration parameters
    9. Troubleshooting
      1.  
        Troubleshooting issues with malware scanning

Troubleshooting issues with malware scanning

Failed to get response from NetBackup malware utility

(Applicable on scan host RHEL 8.x and NFS version 4.x) When scanning large size backup (~ 200 million files), following error is displayed on the Web UI for failed job:

Failed to get response from NetBackup malware utility.

While scan is in progress on scan host, NFS mount points are not accessible from scan host. Scan job remains in progress and timeout after two days. NFS exports on storage server are accessible.

Workaround: Ensure that you use NFS version 3 for mounting IA mounts on scan host over NFS by setting the following configuration in /etc/nfsmount.conf file on scan host:

# grep Defaultvers /etc/nfsmount.conf Defaultvers=3

Failed to connect to the scan host

SSH connection to scan host from media server failed.

Workaround: Verify the following scan host credentials:

  • RSA (SHA256) key

  • User name

  • Password

Refer to NetBackup Web UI Administrator's Guide for the scan host configuration.

Failed to determine the scan host OS

Error can be due to unsupported scan host.

Workaround: For a complete list of supported platforms for the scan host, refer to the Software Compatibility list document.

Failed to copy NetBackup malware utility to the scan host

  • Not enough space is available on the scan host.

  • SSH user does not have access to the required directories on the scan host.

Workaround

  • On a Windows scan host, check for space availability in C:\ folder.

  • On a Linux scan host, check for space availability in /tmp folder.

Failed to get the scan host credentials

Media server is not able to fetch the credentials to access scan host from the Primary.

Workaround: Check that credentials for scan host are specified.

Time-out has occurred during the scan

Default scan operation time out is two days. Time to scan may vary depending on the factors sch as workload type, network bandwidth, backup size.

Workaround: Scan time-out is configurable and can be changed by setting the MALWARE_SCAN_OPERATION_TIMEOUT configuration key.

  • Minimum value: 1 hour

  • Maximum value: 30 days

Failed to get response from NetBackup malware utility

Mismatch between nbmalwareutil binary and the ScanManager

Workaround:

Contact NetBackup support.

Failed to launch the scanner

Malware scanner-specific failure message.

Workaround: Refer to nbmalwarescanner logs on the media server.

Failed to mount the backup image

IA share is not accessible from the scan host.

Workaround: Check IA configuration on storage server. Verify on activity monitor that IA job is successful.

Failed to unmount the backup image

IA share is busy or not accessible.

Workaround: Refer to nbmalwarescanner logs on the media server.

Failed to run a scan

Generic failure during the scan of a backup image.

Workaround: Refer to nbmalwarescanner logs on the media server.

Instant access mount created but not deleted by malware scan

Generic failure during the scan of a backup image.

Workaround:

  • Verify if any scan is in progress.

  • If no scan is in progress, then obtain the list of such instant access mounts with ID's of the instant access mount created using the GET IA API from the following directory:

    /netbackup/recovery/workloads/{workload}/instant-access-mounts

  • Using the DELETE API, delete the instant access mount:

    /netbackup/recovery/workloads/{workload}/instant-access-mounts/{mounId}

All mount drives are exhausted

Only five backup images can be mounted at the same time on windows scan host.

Workaround:

  • Ensure that scan host is not part of multiple NetBackup domains.

  • Check if there are any Stale mounts on the scan host by running net use.

  • Following drive letters are used for mounting the IA shares on the windows scan host. Ensure that they are not in use. L:\ M:\ N:\ O:\ P:\

Either the Windows Defender is not installed or the environment variable is not set

Microsoft Windows Defender is not installed on the scan host or not configured properly.

Workaround: Ensure that Microsoft Windows Defender is installed on scan host.

Refer NetBackup Web UI Administrator's Guide for the scan host configuration.

Either Symantec protection engine is not installed or the environment variable is not set

Symantec Protection Engine is not installed on the scan host or not configured properly.

Workaround: Ensure that Symantec Protection Engine is installed on scan host.

Refer NetBackup Web UI Administrator's Guide for the scan host configuration.

Failed to perform malware scan of the backup image

Generic error for Scan failure.

Workaround: Contact NetBackup support.

Net bios name can be at most 15 chars long

Storage server host name cannot be more than 15 characters for the SMB share support.

If Windows Server 2016 is used to set up Active Directory domain, then it does not allow a connection to a storage server with host name of length more than 15 characters.

Workaround: Ensure that the character limit is not more than 15 characters.

Failed to run a scan

Generic failure during scanning backup image.

Workaround: Check for the following errors:

  • Refer to nbmalwarescanner logs on the media server.

  • Check for space on media server storage.

  • Check for NFS service failure on media server.

Too many infected files in the selected time range

Review the nbmalwarescanner to view the infected files list for the backup images in the selected date range.

Workaround: Update the date range or recovery files and folders selection to reduce the number of infected files. Retry the operation. You can also perform one of the following:

  • Select the Allow recovery of files impacted by malware option which can be used to recover selective clean files.

  • Skip that backup image from recovery.

Large number of infected files

  • There are too many infected files in the selected scan result. If the scan result has infected files greater than 5000, the following message is displayed:

    Large number of infected files. To view the complete list of infected files, export the list.

    Workaround: Export the infected file list in .csv format and download it to view it.

  • There are many infected files in the selected scan result or the infected file paths are long to be captured in the database. Following error message is displayed:

    Large number of infected files.

    Workaround: This result cannot be exported or viewed.

    : As the results cannot be exported or viewed, review the scan logs to view a detailed list of the infected files for the selected scan result.

Scan operation is divided into parts

For large size backup, scan operation is divided into parts. For example, if total number of files in the backup are 1,000,000, the scan operation will be divided into two parts of 500,000 files each.

Each part would be created and scanned separately. Each part can be assigned with different scan host. The Malware detection UI displays only single entry for backup.

Workaround: Each divided part details can be obtained by using the REST API.

The NB_MALWARE_SCANNER_PATH environment variable is missing

When performing a malware scan operation with the NetBackup Malware Scanner installed on the scan host, it fails with the following error message:

Missing environment variable NB_MALWARE_SCANNER_PATH

Workaround: Ensure that NetBackup Malware Scanner is installed. Note the install location.

Login on the scan host as user using the same user credentials that were provided during scan host configuration on the primary server. Add the following lines to ~/.bashrc:

export NB_MALWARE_SCANNER_PATH=<installLocation>/savapi-sdk-linux64/bin

export PATH=$PATH:$NB_MALWARE_SCANNER_PATH

Failed to perform malware scan on Windows scan host

Malware scanning on Windows scan host may fail if there are cygwin mks toolkit installed.

Workaround: UNIX utilities are installed, however, defined scanuser cannot have those UNIX utilities in the PATH variable.

Issues related to space and directory access on the scan host

Error/Issue

Description

Workaround

  • Failed to open the file.

  • Unable to create a directory.

  • Failed to generate the result file.

  • Failed to open the output file.

  • Unable to create directory for result file.

  • Failed to open the result file.

  • Unable to create mount destination directory.

  • Unable to create directory for a log file.

  • Not enough space is available on the scan host.

  • SSH user does not have access to the required directories on the scan host.

  • On a Windows scan host, check space availability in C:\

  • On a Linux scan host check space availability in /tmp

Issue related to NAS-Data-Protection

When upgrading NetBackup from previous version to NetBackup version 10.2.1 or later with the following options selected, the No images match the search criteria message is displayed:

Options

Fields

Search by: Backup images

Policy type: NAS-Data-Protection

Copies: Copy2

Malware scan status: Not scanned (Default)

Search by: Assets by policy type

Policy type: NAS-Data-Protection

Copies: Copy2

Scanner host pool: Select the required scanner host pool.

Malware scan status: Not scanned (Default)

Workaround

To view the images that are backed up, ensure that you select the Malware scan status option as All to scan the NAS-Data-Protection backup images created on earlier version of NetBackup media server.

Issues in scan performance

When using Instant Access mount points for malware scan (traditional malware scan) in NetBackup versions prior to 10.3, performance issues were observed.

Workaround: Upgrade to NetBackup media and storage server 10.3 or later. NetBackup 10.3 introduces the dynamic scan feature. This improves the instant access time as well as the scan performance.

The following table provides the differences between the traditional malware scan and dynamic scan:

Key scanning procedure

Traditional malware scan using Instant Access mount points

Dynamic scan

Instant access stage.

Analyzes the tar stream and builds each file's header and extent map file (LMDB database), which is time consuming for large number of files in the backup.

Restores TIR (catalog database) and IM (image metadata) information from fragment.

Instant access share (NFS/SMB) is mounted and user tries to list or access the file.

Accesses it's header file and reads the attribute from it.

Query's the directory from catalog database to get all the files and directories which are under this directory. It can also query each files and directories attribute to the output.

Scan host opens a file

Opens and loads the LMDB database.

Builds the index in memory and reads directly from data container.

  • To get file's extent by locating and reading the tar header and analyze the content.

  • To get SO list (PureDisk only) by searching the SO list from fragment FP map

  • To build mapping table by inserting the SO list (PureDisk only)

Scan host reads a file

Searches from LMDB database and reads from data container.

If storage server is 3rd party storage vendor, it reads data through OST interface directly. If storage server is PureDisk, it searches from mapping table and reads data from data container.

Details of log file location for errors

The following table provides the details for the respective log files to be viewed depending on the use case:

Table: Log file locations

Use case

Components on primary server

Components on media server

Log file path

Configurations

nbwebservice

ncfnbcs

For primary server:

  • /usr/openv/logs/nbwebservice

  • /usr/openv/netbackup/logs/bprd/

For media server:

  • /usr/openv/logs/ncfnbcs

  • /usr/openv/netbackup/logs/nbmalwarescanner/

Scan process

nbwebservice

bprd

ncfnbcs

nbmalwarescanner

Recovery

nbwebservice

bprd

SSH login is disabled by default

For VMWare VM backup scan, ensure that you use scan user with uid=0. SSH login is disabled by default and user may not enable it for security reasons.

Workaround

In above scenario, perform the following:

If SSH login is disabled for the root user, then non-root scan user can be added to group 0 (root) to be able to scan all the files.

For example, uid=1001(scanuser) gid=1001(scanuser) groups=1001(scanuser),0(root)