How to configure an External Certificate Authority (ECA) to be used for just the WebUI (port 443) on a NetBackup 8.2 Build-Your-Own Master server
Description
The steps below configure an External Certificate Authority (ECA) for the WebUI (port 443) only on a NetBackup 8.2+ Build-Your-Own server (Windows/UNIX). They are a minimal set of commands for a simplified procedure; your environment may require more settings than are listed here. For full information on configuring ECAs (for example, supported file types, CRL updates, etc.), see the Veritas NetBackup™ Security and Encryption Guide: UNIX, Windows, and Linux.
If you are looking to implement an ECA on a NetBackup Appliance you will need to follow a different process outlined in our Veritas NetBackup™ Appliance Security Guide (3.2).
If you want to implement an ECA for all communications on a NetBackup 8.2 Build-Your-Own Server Environment, please see Article 100047422
To Setup an ECA for WebUI (port 443) on a NetBackup 8.2 Master server:
Note: Always take a full catalog backup with Disaster Recovery enabled before starting this process.
Note: The certificate, private key, trust store and (if used) passphrase files must be readable by the NetBackup web services user, otherwise the web server cannot load them.
- Update the configuration file (bp.conf file or Windows Registry) with the below entries:
Warning: Incorrect use of the Windows registry editor may prevent the operating system from functioning properly. Great care should be taken when making changes to a Windows registry. Registry modifications should only be carried-out by persons experienced in the use of the registry editor application. It is recommended that a complete backup of the registry and workstation be made prior to making any registry changes.
Windows: HKEY_LOCAL_MACHINE\SOFTWARE\Veritas\NetBackup\CurrentVersion\Config
Unix: /usr/openv/netbackup/bp.conf
ECA_CERT_PATH = host + intermediate cert [certificate-int.pem]
ECA_PRIVATE_KEY_PATH = [Path to Private Key]
ECA_TRUST_STORE_PATH = root CA cert [ca.cert.pem]
ECA_KEY_PASSPHRASEFILE = [Optional. Only used if the "ECA_PRIVATE_KEY_PATH" is encrypted]
Note: To ensure that the full certificate chain is presented, append any intermediate certificates after the leaf (host) certificate so that they are all in one file, leaf first. That file is then used for the ECA_CERT_PATH entry in the registry/bp.conf. For more information on this, please see Article 100046207
Example:
ECA_CERT_PATH = C:\Temp\Complete_Chain.pem (can also be .crt or .cer)
ECA_PRIVATE_KEY_PATH = C:\Temp\Private.key
ECA_TRUST_STORE_PATH = C:\Temp\Root_Cert.pem (can also be a .crt or .cer)
ECA_KEY_PASSPHRASEFILE = C:\Temp\private_key_password.txt
NOTE: You can also use the nbsetconfig command to modify the configuration file or registry. For more information on this, see our "NetBackup™ Commands Reference Guide".
- Run the ECA health check to ensure no issues with Certificates configured:
Windows: <Install_Path>\NetBackup\bin\nbcertcmd.exe -ecahealthcheck
Unix: /usr/openv/netbackup/bin/nbcertcmd -ecahealthcheck
NOTE: Details on any Errors can be found in the Status Codes Reference Guide
- Configure the ECA to be used by the NetBackup Web UI (port 443) by using the below command:
Windows:
<Install_Path>\NetBackup\wmc\bin\install\configureWebServerCerts.bat -addExternalCert -webUI -certpath [ECA_CERT_PATH] -privatekeypath [ECA_PRIVATE_KEY_PATH] -truststorepath [ECA_TRUST_STORE_PATH] -passphrasePath [ECA_KEY_PASSPHRASEFILE]
Example:
<Install_Path>\NetBackup\wmc\bin\install\configureWebServerCerts.bat -addExternalCert -webUI -certpath C:\Temp\Complete_Chain.pem -privatekeypath C:\Temp\Private.key -truststorepath C:\Temp\Root_Cert.pem -passphrasePath C:\Temp\private_key_password.txt
Unix:
/usr/openv/wmc/bin/install/configureWebServerCerts -addExternalCert -webUI -certpath [ECA_CERT_PATH] -privatekeypath [ECA_PRIVATE_KEY_PATH] -truststorepath [ECA_TRUST_STORE_PATH] -passphrasePath [ECA_KEY_PASSPHRASEFILE]
Example:
/usr/openv/wmc/bin/install/configureWebServerCerts -addExternalCert -webUI -certpath /var/tmp/Complete_Chain.pem -privatekeypath /var/tmp/Private.key -truststorepath /var/tmp/Root_Cert.pem -passphrasePath /var/tmp/private_key_password.txt
- Restart the "NetBackup Web Management Console" service.
Windows:
Open Services in Windows and manually restart the NetBackup Web Management Console service
Unix:
# nbwmc stop; nbwmc start
- Optional. Run a security scan and/or use the command below to confirm that your NetBackup server is presenting the ECA-issued certificate (with its full chain) on port 443:
Windows:
<Install_Path>\NetBackup\bin\goodies\vxsslcmd.exe s_client -connect [master_hostname]:443 -showcerts
Unix:
# /usr/openv/netbackup/bin/goodies/vxsslcmd s_client -connect [master_hostname]:443 -showcerts
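The following is an added example, not part of the Veritas article and not a NetBackup tool: a set of openssl pre-flight checks for the three files the ECA_* entries point at, run before nbcertcmd -ecahealthcheck and configureWebServerCerts. It builds a throwaway root -> intermediate -> leaf PKI in a temp directory so it runs offline; the file names (Complete_Chain.pem, Private.key, Root_Cert.pem, private_key_password.txt), the host name master.example.com and the WORK directory are assumptions for the demo. It checks that the private key belongs to the first certificate in the chain file (plain or encrypted with a passphrase file), that the first certificate is the host certificate rather than a CA, and that the chain verifies to the root in the trust store using only the intermediates in the chain file. It also shows why a chain file with the intermediate placed before the leaf passes openssl verify but is still wrong, which is the mistake the note above warns about.

```shell
#!/bin/sh
# Added example (not from the Veritas article): openssl pre-flight checks for
# ECA_CERT_PATH / ECA_PRIVATE_KEY_PATH / ECA_TRUST_STORE_PATH / ECA_KEY_PASSPHRASEFILE.
# The demo PKI, file names, host name and WORK directory are constructed for this example.
set -e
WORK="${WORK:-$(mktemp -d)}"
HOST="master.example.com"   # assumed master server FQDN (placeholder)

# Build a throwaway root -> intermediate -> leaf chain so the checks can run offline.
make_demo_pki() {
  cat > "$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:master.example.com
EOF
  # Root CA: this file plays the role of ECA_TRUST_STORE_PATH
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
    -config "$WORK/ext.cnf" -extensions ca_ext \
    -keyout "$WORK/root.key" -out "$WORK/Root_Cert.pem" 2>/dev/null
  # Intermediate CA signed by the root
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -config "$WORK/ext.cnf" -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$WORK/int.csr" -CA "$WORK/Root_Cert.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/ext.cnf" -extensions ca_ext -out "$WORK/Intermediate.pem" 2>/dev/null
  # Host (leaf) certificate signed by the intermediate; its key is ECA_PRIVATE_KEY_PATH
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -config "$WORK/ext.cnf" -keyout "$WORK/Private.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$WORK/leaf.csr" -CA "$WORK/Intermediate.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -extfile "$WORK/ext.cnf" -extensions leaf_ext -out "$WORK/leaf.pem" 2>/dev/null
  # Correct ECA_CERT_PATH file: leaf first, then the intermediate(s)
  cat "$WORK/leaf.pem" "$WORK/Intermediate.pem" > "$WORK/Complete_Chain.pem"
  # Common mistake: intermediate placed before the leaf
  cat "$WORK/Intermediate.pem" "$WORK/leaf.pem" > "$WORK/Wrong_Order.pem"
  # Encrypted copy of the key plus the matching ECA_KEY_PASSPHRASEFILE
  printf 'demo-passphrase\n' > "$WORK/private_key_password.txt"
  openssl pkey -in "$WORK/Private.key" -aes256 -passout "file:$WORK/private_key_password.txt" \
    -out "$WORK/Private_enc.key" 2>/dev/null
}

# Check 1: the key (plain, or encrypted plus passphrase file) belongs to the FIRST
# certificate in the chain file. "openssl x509" reads only the first PEM block, which is
# the certificate NetBackup will present as the host certificate.
key_matches_cert() { # chain_file key_file [passphrase_file]
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  if [ -n "$3" ]; then
    k=$(openssl pkey -in "$2" -pubout -passin "file:$3" 2>/dev/null </dev/null)
  else
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null </dev/null)   # stdin closed: never prompt
  fi
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Check 2: the first certificate is the host certificate for the master's FQDN, not a CA.
leaf_is_first() { # chain_file host
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q "does match" &&
  ! openssl x509 -in "$1" -noout -ext basicConstraints 2>/dev/null | grep -q "CA:TRUE"
}

# Check 3: the chain builds a path to the root in the trust store using only the
# intermediates carried in the chain file itself (passed as the -untrusted set).
# Note this check alone does NOT catch a mis-ordered file; checks 1 and 2 do.
chain_verifies() { # chain_file root_file
  openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# Check 4 (needs a live server, so not run here): fetch what the WebUI actually presents
# on 443 and apply checks 2 and 3 to it. Same idea as the vxsslcmd s_client step above.
presented_chain_verifies() { # host port root_file
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null |
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$WORK/served.pem"
  [ -s "$WORK/served.pem" ] && chain_verifies "$WORK/served.pem" "$3" && leaf_is_first "$WORK/served.pem" "$1"
}

# Runs the offline checks: the correct chain must pass all of them, and the mis-ordered
# chain must be caught by checks 1 and 2 even though it passes check 3.
demo() {
  make_demo_pki
  key_matches_cert "$WORK/Complete_Chain.pem" "$WORK/Private.key" &&
  key_matches_cert "$WORK/Complete_Chain.pem" "$WORK/Private_enc.key" "$WORK/private_key_password.txt" &&
  leaf_is_first "$WORK/Complete_Chain.pem" "$HOST" &&
  chain_verifies "$WORK/Complete_Chain.pem" "$WORK/Root_Cert.pem" &&
  ! key_matches_cert "$WORK/Wrong_Order.pem" "$WORK/Private.key" &&
  ! leaf_is_first "$WORK/Wrong_Order.pem" "$HOST" &&
  chain_verifies "$WORK/Wrong_Order.pem" "$WORK/Root_Cert.pem"
}

if demo; then
  echo "ECA pre-flight checks passed; mis-ordered chain correctly rejected (files in $WORK)"
else
  echo "ECA pre-flight checks FAILED (files in $WORK)"; exit 1
fi
```

To use the checks against real files, point key_matches_cert, leaf_is_first and chain_verifies at the paths you intend to put in ECA_CERT_PATH, ECA_PRIVATE_KEY_PATH and ECA_TRUST_STORE_PATH (and ECA_KEY_PASSPHRASEFILE if the key is encrypted), and after the web service restart run presented_chain_verifies against the master on port 443. If a check fails before nbcertcmd -ecahealthcheck is run, the problem is in the files themselves, not in the NetBackup configuration.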