Search <book_title>...

Veritas NetBackup™ Appliance Security Guide

Last Published: 2023-06-08

Product(s): Appliances (5.1.1)

Platform: NetBackup Appliance OS

About implementing external certificates

NetBackup appliance's web service uses the PKCS#12 standard and requires certificate files to be in the X.509 (.pem) format. If the certificate files are in the .der, .DER, or .p7b formats, NetBackup appliance automatically converts the files to an accepted format.

Certificate requirements

To prevent errors while importing certificates, ensure that the external certificate files meet the following requirements.

Certificate files are in the .pem file format and begin with "-----BEGIN CERTIFICATE-----".
Certificate files contain the host name and FQDN in the subject alternative name (SAN) field of the certificate. If the certificate is used in an HA environment, the SAN field must contain VIP, host name, and FQDN.
Subject name and common name fields are not empty.
Subject fields are unique for each host.
Subject fields contain a maximum of 255 characters.
Server and client authentication attributes are set in the certificate.
Only ASCII 7 characters are used in the subject and SAN fields of the certificate.
The private key file is in the PKCS#8 PEM format and begins with -----BEGIN ENCRYPTED PRIVATE KEY----- or -----BEGIN PRIVATE KEY-----.

Certificate Signing Request (CSR)

Although optional, you can use the Settings > Security > Certificate > CertificateSigningRequest > Create command to generate a CSR. Copy the CSR content from the command line to your external certificate portal to obtain the required external certificate files.

Example:
Enter specified value or use the default value.
Common Name (eg, your name or your server's hostname) [Default abc123]:
Organizational Unit Name (eg, section) []:Appliance
Organization Name (eg, company) [Default Company Ltd]:YourCompanyName
Locality Name (eg, city) [Default City]:YourCity
State or Province Name (full name) []:YourStateorProvince
Country Name (2 letter code) [XX]:YourCountryName
Email Address []:email@yourcompany.com
Please enter the following 'extra' attributes
to be sent with your certificate request.
-----
A challenge password []:123456
An optional company name []:ABCD
Subject Alternative Name (DNS Names and/or IP Addresses comma separated):
abc123,def456.yourcompany.com
Subject Alternative Name (email comma separated):
Certificate Signing Request Name [Default abc123.csr]:
Validity period (in days) [Default 365 days]:
Ensure that the Distinguished Name (DN) is specified as a string consisting 
of a sequence of key=value pairs separated by a comma:
Then the generated certificate signing request will be shown on the screen.

Starting from version 4.1, you can register an external certificate on both NetBackup appliance and NetBackup using the Settings > Security > Certificate > Import command.

Perform the following steps to import the host certificate, host private key, and trust store to register the external certificate on NetBackup and NetBackup appliance. Both NetBackup and NetBackup appliance layers use the same host certificate, host private key, and trust store.

Log in to the appliance as an Administrator user.
From the NetBackup Appliance Shell Menu, run the Settings > Security > Certificate > Import command. The following NFS and CFS share locations are now accessible:
- NFS: /inst/share
- CFS: \\<ApplianceName>\general_share
Upload the certificate file, trust store file, and private key file to either of the share locations and enter the paths to the files.
Choose how to access the certificate revocation list (CRL). A CRL comprises a list of external certificates that have been revoked by the external certificate and should not be trusted. Select either of the following options:
- Use the CRL location provided in the certificate file.
- Provide the location of a CRL file (.crl ) in the local network.
- Do not use a CRL.
Confirm the location of the certificate files you want to register on the appliance.

A detailed example of how to import the certificates is provided here.

Identify the certificate which should be imported.

Import the certificate.

Enter the certificate:
Enter the following details for external certificate configuration:
Enter the certificate file path: cert_chain.pem
Enter the trust store file path: cacerts.pem
Enter the private key path: key.pem
Enter the password for the passphrase file path or skip security 
configuration (default: NONE):
Should a CRL be honored for the external certificate?
1) Use the CRL defined in the certificate.
2) Use the specific CRL directory.
3) Do not use a CRL.
q) Skip security configuration.
CRL option (1): 2
Enter the CRL location path: crl
Then confirm input information and answer the subsequent questions.

Adding and removing certificates

You can manage external certificates on NetBackup appliance using the Certificate commands.

You can use the Settings > Security > Certificate > Add CACertificate command to add a server CA, HTTPS proxy CA, or LDAP CA certificate to the certificate authority list. Ensure that you paste the CA certificate content in the PEM or P7B format. The Appliance appends this CA certificate to the certificate authority list. Before appending the CA certificate, the appliance verifies whether the CA certificate is already being used on the appliance. If yes, the appliance quits with a message.

You can use the Settings > Security > Certificate > Remove CACertificate command to remove a server CA certificate from the certificate authority list. The available CA certificates are listed and you can select the certificate that you want to remove.