How to configure an External Certificate Authority (ECA) for all communications on a NetBackup 8.2+ Build-Your-Own Server Environment
Description
The steps below can be used to configure a file-based External Certificate Authority (ECA) for the NetBackup WebUI (port 443) and the NetBackup Host (port 1556) on a NetBackup 8.2+ Build-Your-Own server (Windows/UNIX). These steps are a set of basic commands for a simplified procedure; your environment may require more settings than those specified below. For information on configuring ECAs (for example, supported file types, CRL updates, etc.), please see our Veritas NetBackup™ Security and Encryption Guide: UNIX, Windows, and Linux.
Please know: Configuring a NetBackup master server to use an External Certificate Authority for all communications is a serious undertaking, because it requires NetBackup administrators to configure an ECA on each master server, media server, and client. NetBackup will then no longer be responsible for managing certificates on the master, media servers and clients. Instead, the NetBackup administrators will be responsible for managing certificates for the entire environment. For example, it will be up to the NetBackup administrators to renew certificates when they expire.
If you only need to configure an ECA for the WebUI (port 443), please see Article 100047283.
If you are looking to implement an ECA on a NetBackup Appliance WebUI (port 443), you will need to follow a different process, outlined in our Veritas NetBackup™ Appliance Security Guide (3.2).
To set up an ECA:
Note: Always take a full catalog backup with Disaster Recovery enabled before starting this process.
- On the Master Server, update the configuration file (bp.conf file or Windows Registry) with the below entries:
Warning: Incorrect use of the Windows registry editor may prevent the operating system from functioning properly. Great care should be taken when making changes to the Windows registry. Registry modifications should only be carried out by persons experienced in the use of the registry editor application. It is recommended that a complete backup of the registry and workstation be made prior to making any registry changes.
Windows: HKEY_LOCAL_MACHINE\SOFTWARE\Veritas\NetBackup\CurrentVersion\Config
Unix: /usr/openv/netbackup/bp.conf
ECA_CERT_PATH = host + intermediate cert [certificate-int.pem]
ECA_PRIVATE_KEY_PATH = [Path to Private Key]
ECA_TRUST_STORE_PATH = root CA cert [ca.cert.pem]
ECA_KEY_PASSPHRASEFILE = [Optional. Only used if the "ECA_PRIVATE_KEY_PATH" is encrypted]
Note: To ensure that the full certificate chain is presented, append any intermediate certificates to the leaf (host) certificate so that they are all in the same file, leaf first. That file is then used for the ECA_CERT_PATH entry in the registry/bp.conf. For more information on this, please see Article 100046207
Example:
ECA_CERT_PATH = C:\Temp\Complete_Chain.pem (can also be a .crt or .cer)
ECA_PRIVATE_KEY_PATH = C:\Temp\Private.key
ECA_TRUST_STORE_PATH = C:\Temp\Root_Cert.pem (can also be a .crt or .cer)
ECA_KEY_PASSPHRASEFILE = C:\Temp\private_key_password.txt
Note: You can also use the nbsetconfig command to modify the configuration file or registry. For more information on this, see our NetBackup™ Commands Reference Guide.
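The following is an added example and is not part of this article or of NetBackup itself. It is a stand-alone Python pre-flight script, written for this page, that reads the four ECA_* entries from bp.conf-style text and checks the structural points made above before nbcertcmd -ecahealthcheck is run: that each referenced file exists, that ECA_CERT_PATH holds PEM certificates (leaf first, then intermediates, built by build_chain_file), that the private key is a PEM key and, if it is an encrypted key, that ECA_KEY_PASSPHRASEFILE is set, that the trust store holds a certificate, and (on UNIX) that the private key file is not readable by group or others. It only inspects PEM block labels and file metadata; it does not validate signatures or the chain order cryptographically, which nbcertcmd does. The demo_run function writes constructed placeholder PEM-shaped blocks (not real certificates or keys) into a temporary directory; all file names there are assumptions chosen to match the example above.

```python
"""Pre-flight check of ECA_* entries (added example; not NetBackup code)."""
import os
import re
import stat
import tempfile

ECA_KEYS = ("ECA_CERT_PATH", "ECA_PRIVATE_KEY_PATH",
            "ECA_TRUST_STORE_PATH", "ECA_KEY_PASSPHRASEFILE")

# Matches one PEM block and captures its label (e.g. CERTIFICATE, ENCRYPTED PRIVATE KEY).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def parse_eca_entries(conf_text):
    """Return {key: value} for the ECA_* lines of bp.conf-style text."""
    entries = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() in ECA_KEYS:
            entries[key.strip()] = value.strip()
    return entries


def pem_block_types(path):
    """List the PEM block labels found in a file, in file order."""
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        return [m.group(1) for m in PEM_BLOCK.finditer(fh.read())]


def build_chain_file(leaf_pem, intermediate_pems, out_path):
    """Write the leaf certificate first, then the intermediates, into one file."""
    with open(out_path, "w", encoding="ascii") as fh:
        fh.write(leaf_pem.strip() + "\n")
        for pem in intermediate_pems:
            fh.write(pem.strip() + "\n")
    return out_path


def preflight_check(conf_text):
    """Return a list of findings; an empty list means the entries look sane."""
    findings = []
    entries = parse_eca_entries(conf_text)
    for key in ("ECA_CERT_PATH", "ECA_PRIVATE_KEY_PATH", "ECA_TRUST_STORE_PATH"):
        if key not in entries:
            findings.append(f"{key} is missing")
        elif not os.path.isfile(entries[key]):
            findings.append(f"{key} points to a missing file: {entries[key]}")
    if findings:
        return findings  # file-level checks below need the files to exist

    n_certs = pem_block_types(entries["ECA_CERT_PATH"]).count("CERTIFICATE")
    if n_certs == 0:
        findings.append("ECA_CERT_PATH contains no PEM certificate")
    elif n_certs == 1:
        findings.append("ECA_CERT_PATH holds only one certificate; append "
                        "intermediates after the leaf if the CA uses any")

    key_types = pem_block_types(entries["ECA_PRIVATE_KEY_PATH"])
    if not any(t.endswith("PRIVATE KEY") for t in key_types):
        findings.append("ECA_PRIVATE_KEY_PATH contains no PEM private key")
    elif "ENCRYPTED PRIVATE KEY" in key_types and "ECA_KEY_PASSPHRASEFILE" not in entries:
        findings.append("private key is encrypted but ECA_KEY_PASSPHRASEFILE is not set")
    if os.name == "posix":  # permission bits are only meaningful on UNIX
        mode = stat.S_IMODE(os.stat(entries["ECA_PRIVATE_KEY_PATH"]).st_mode)
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append("private key file is readable by group/others")

    if "CERTIFICATE" not in pem_block_types(entries["ECA_TRUST_STORE_PATH"]):
        findings.append("ECA_TRUST_STORE_PATH contains no PEM certificate")
    pw = entries.get("ECA_KEY_PASSPHRASEFILE")
    if pw is not None and not os.path.isfile(pw):
        findings.append("ECA_KEY_PASSPHRASEFILE points to a missing file")
    return findings


def _placeholder_pem(label):
    # Constructed placeholder: PEM-shaped text, not a real certificate or key.
    return f"-----BEGIN {label}-----\nTUlJQi4uLg==\n-----END {label}-----\n"


def demo_run():
    """Write constructed sample files to a temp dir; check a good and a bad config."""
    d = tempfile.mkdtemp()
    chain = build_chain_file(_placeholder_pem("CERTIFICATE"), [_placeholder_pem("CERTIFICATE")],
                             os.path.join(d, "Complete_Chain.pem"))
    key_path = os.path.join(d, "Private.key")
    with open(key_path, "w") as fh:
        fh.write(_placeholder_pem("ENCRYPTED PRIVATE KEY"))
    os.chmod(key_path, 0o600)  # owner-only, as a private key file should be
    root = os.path.join(d, "Root_Cert.pem")
    with open(root, "w") as fh:
        fh.write(_placeholder_pem("CERTIFICATE"))
    pw = os.path.join(d, "private_key_password.txt")
    with open(pw, "w") as fh:
        fh.write("placeholder-passphrase\n")
    good = (f"ECA_CERT_PATH = {chain}\nECA_PRIVATE_KEY_PATH = {key_path}\n"
            f"ECA_TRUST_STORE_PATH = {root}\nECA_KEY_PASSPHRASEFILE = {pw}\n")
    # Same files, but the passphrase entry is left out although the key is encrypted.
    bad = good.rsplit("ECA_KEY_PASSPHRASEFILE", 1)[0]
    return preflight_check(good), preflight_check(bad)


if __name__ == "__main__":
    for label, result in zip(("good", "bad"), demo_run()):
        print(label, result or "no findings")
```

Run it as a script to see the two sample results, or call preflight_check with the text of a real bp.conf; on Windows the same checks apply to the values exported from the registry key above, except the permission check, which is skipped.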
- Run the ECA health check to ensure there are no issues with the configured certificates:
# nbcertcmd -ecahealthcheck
Note: Details on any Errors can be found in the Status Codes Reference Guide.
- Configure NetBackup to use the ECA with the command below:
Windows:
<Install_Path>\NetBackup\wmc\bin\install\configureWebServerCerts.bat -addExternalCert -all -certpath [ECA_CERT_PATH] -privatekeypath [ECA_PRIVATE_KEY_PATH] -truststorepath [ECA_TRUST_STORE_PATH] -passphrasePath [ECA_KEY_PASSPHRASEFILE]
Example:
<Install_Path>\NetBackup\wmc\bin\install\configureWebServerCerts.bat -addExternalCert -all -certpath C:\Temp\Complete_Chain.pem -privatekeypath C:\Temp\Private.key -truststorepath C:\Temp\Root_Cert.pem -passphrasePath C:\Temp\private_key_password.txt
Unix:
# /usr/openv/wmc/bin/install/configureWebServerCerts -addExternalCert -all -certpath [ECA_CERT_PATH] -privatekeypath [ECA_PRIVATE_KEY_PATH] -truststorepath [ECA_TRUST_STORE_PATH] -passphrasePath [ECA_KEY_PASSPHRASEFILE]
Example:
# /usr/openv/wmc/bin/install/configureWebServerCerts -addExternalCert -all -certpath /var/tmp/Complete_Chain.pem -privatekeypath /var/tmp/Private.key -truststorepath /var/tmp/Root_Cert.pem -passphrasePath /var/tmp/private_key_password.txt
- Restart the "NetBackup Web Management Console" service.
Windows:
Open Services in Windows and manually restart the NetBackup Web Management Console service
Unix:
# nbwmc stop; nbwmc start
- Restart the "NetBackup Messaging Queue Broker" service.
Windows:
Open Services in Windows and manually restart the NetBackup Messaging Queue Broker service
Unix:
# nbmqbroker stop; nbmqbroker start
- Enroll certificate:
nbcertcmd -enrollCertificate
Note: Your master server will now be configured in Mixed Mode. This means that both the NetBackup CA and the External CA are enabled. You can confirm that the master server has the ECA enabled by running:
nbcertcmd -getSecConfig -caUsage
NBCA:ON
ECA:ON
- Before configuring the ECA on a media server or client that is already registered to the master server, please ensure NBCA is working correctly. This includes checking that the certificate is not expired and that communication from the master server to the media server/client, and vice versa, is working without any issues.
To check master server to client/media server communication you may use the command: bptestbpcd -client <client_name> -verbose
To check client to master server communication you may use the command: bpclntcmd -pn -verbose
- On your Media server and Clients, update the configuration file (bp.conf file or Windows Registry) with the below entries:
Windows: HKEY_LOCAL_MACHINE\SOFTWARE\Veritas\NetBackup\CurrentVersion\Config
Unix: /usr/openv/netbackup/bp.conf
ECA_CERT_PATH = [Path to full Certificate Chain]
ECA_PRIVATE_KEY_PATH = [Path to Private Key]
ECA_TRUST_STORE_PATH = [Path to file containing the Root CA]
ECA_KEY_PASSPHRASEFILE = [Optional. Only used if the "ECA_PRIVATE_KEY_PATH" is encrypted]
Example:
ECA_CERT_PATH = C:\Temp\Complete_Chain.pem (can also be .crt or .cer)
ECA_PRIVATE_KEY_PATH = C:\Temp\Private.key
ECA_TRUST_STORE_PATH = C:\Temp\Root_Cert.pem (can also be a .crt or .cer)
ECA_KEY_PASSPHRASEFILE = C:\Temp\private_key_password.txt
Note: You can also use the nbsetconfig command to modify the configuration file or registry. For more information on this, see our NetBackup™ Commands Reference Guide.
- Run the ECA health check to ensure there are no issues with the configured certificates:
nbcertcmd -ecahealthcheck
Note: Details on any Errors can be found in the Status Codes Reference Guide.
- The NetBackup media server and/or clients will auto-enroll with the External CA during the proxy connection with the master server. Now would be a good time to force that connection by running a test backup. You can also run:
nbcertcmd -enrollcertificate
Note: NetBackup will use the ECA if one is configured on a server, but will not advertise the External Certificate over port 1556. This is Mixed Mode behaviour. If an ECA is not found, it will default to NBCA. To advertise the ECA over port 1556, the NBCA would need to be removed.
- Optional. On the master server, run the below command to remove the default NBCA:
Windows:
<Install_Path>\NetBackup\wmc\bin\install\configureWebServerCerts.bat -removeNBCert [-force]
Unix:
# /usr/openv/wmc/bin/install/configureWebServerCerts -removeNBCert [-force]
- Restart the "NetBackup Web Management Console" service on the master server:
Windows:
Open Services in Windows and manually restart the NetBackup Web Management Console service
Unix:
# nbwmc stop; nbwmc start
- Optional. If you need to back out of your configuration changes, you can undo them by running:
Windows:
<Install_Path>\NetBackup\wmc\bin\install\configureWebServerCerts.bat -addNBCert
<Install_Path>\NetBackup\wmc\bin\install\configureWebServerCerts.bat -removeExternalCert -all
Open Services in Windows and manually restart the NetBackup Web Management Console service
nbcertcmd -removeenrollment
Unix:
# /usr/openv/wmc/bin/install/configureWebServerCerts -addNBCert
# /usr/openv/wmc/bin/install/configureWebServerCerts -removeExternalCert -all
# nbwmc stop; nbwmc start
# /usr/openv/mqbroker/bin/nbmqbroker stop; /usr/openv/mqbroker/bin/nbmqbroker start
# nbcertcmd -removeenrollment