Search <book_title>...

Veritas NetBackup™ Virtual Appliance Documentation

Last Published: 2022-04-25

Product(s): Appliances (5.0)

Platform: NetBackup Virtual Appliance

Getting to know the NetBackup Virtual Appliance
1. NetBackup Virtual Appliance product description
2. NetBackup Virtual Appliance supported features
3. About the NetBackup Virtual Appliance documentation
4. NetBackup Virtual Appliance 5.0 new features, enhancements, and changes
5. Known limitations of the NetBackup Virtual Appliance 5.0 release
6. Operational Notes for the NetBackup Virtual Appliance 5.0 release
Preparing to deploy the appliance
1. NetBackup Virtual Appliance product files (OVF templates)
2. NetBackup Virtual Appliance deployment methods
3. NetBackup Virtual Appliance deployment guidelines
  1. Configuration overview for NetBackup Virtual Appliance MSDP cloud applications
  2. NetBackup Virtual Appliance initial deployment checklist
Deploying and configuring the appliance
1. How to deploy and configure a NetBackup Virtual Appliance combined primary and media server
2. How to deploy and configure a NetBackup Virtual Appliance media server
3. How to deploy and configure a NetBackup Virtual Appliance primary server
Post initial configuration procedures
1. About modifying the NetBackup Virtual Appliance settings
2. Adding a permanent license key if an evaluation license key expires
3. Managing license keys on the NetBackup Virtual Appliance
Appliance common tasks
1. Common tasks in NetBackup Virtual Appliance
Storage management
1. About NetBackup Virtual Appliance storage configuration
2. About OpenStorage plugin installation
  1. Installing the OpenStorage plugin
  2. Uninstalling the OpenStorage plugin
Deduplication pool catalog backup and recovery
1. About the NetBackup Virtual Appliance deduplication pool catalog backup policy
2. Automatic configuration of the NetBackup Virtual Appliance deduplication pool catalog backup policy
3. Manually configuring the NetBackup Virtual Appliance deduplication pool catalog backup policy
4. Manually updating the NetBackup Virtual Appliance deduplication pool catalog backup policy
5. Recovering the NetBackup Virtual Appliance deduplication pool catalog
Network connection management
1. About IPv4-IPv6-based network support
2. Network settings for the NetBackup Virtual Appliance
3. Configuring DNS and host name mapping for the NetBackup Virtual Appliance
4. Setting the date and time on a NetBackup Virtual Appliance
5. Configuring static routes on the NetBackup Virtual Appliance
6. Expanding the bandwidth on the NetBackup Virtual Appliance
Managing users
1. About managing NetBackup Virtual Appliance users
2. About NetBackup Virtual Appliance account types
3. Adding NetBackup Virtual Appliance users
4. Deleting NetBackup Virtual Appliance users
5. Adding NetBackup Virtual Appliance user groups
6. Deleting NetBackup Virtual Appliance user groups
7. Granting roles to NetBackup Virtual Appliance users and user groups
8. Revoking roles from NetBackup Virtual Appliance users and user groups
9. About user name and password specifications
  1. About STIG-compliant password policy rules
10. Changing NetBackup Virtual Appliance user passwords
11. About password management and recovery
12. About authenticating LDAP users
13. About authenticating Active Directory users
  1. Adding an Active Directory server configuration
  2. Unconfiguring Active Directory user authentication on the NetBackup Virtual Appliance
14. About authentication using Smart Cards and digital certificates
15. About authenticating Kerberos-NIS users
  1. Adding a Kerberos-NIS authentication configuration on the NetBackup Virtual Appliance
  2. Unconfiguring Kerberos-NIS user authentication on the NetBackup Virtual Appliance
16. Generic user authentication guidelines
17. About user authorization on the NetBackup Virtual Appliance
18. Creating NetBackup administrator user accounts
19. Deleting NetBackup administrator user accounts
Using the appliance
1. About configuring Host parameters for your appliance on the NetBackup Virtual Appliance
2. About Copilot functionality and Share management
3. About NetBackup Virtual Appliance as a VMware backup host
  1. NetBackup Virtual Appliance as backup host: component overview
  2. Notes on NetBackup Virtual Appliance as a VMware backup host
4. About running NetBackup commands from the appliance
5. About mounting a remote NFS
  1. Mounting a remote NFS drive
  2. Unmounting an NFS drive
6. About Auto Image Replication from a NetBackup Virtual Appliance
7. Generating certificates
Monitoring the appliance
1. About NetBackup Virtual Appliance alerts
2. Setting up email notifications for a NetBackup Virtual Appliance
3. Setting up SNMP notifications for a NetBackup Virtual Appliance
4. Enabling and disabling Call Home from the appliance shell menu
5. Configuring a Call Home proxy server from the NetBackup Virtual Appliance Shell Menu
6. About SNMP
  1. About the Management Information Base (MIB)
7. About Call Home
  1. Understanding the Call Home workflow
  2. About the Product Improvement Program
8. About AutoSupport
9. About storage email alerts
Appliance security
1. About Symantec Data Center Security on the NetBackup Virtual Appliance
2. About data security
3. About data integrity
4. About data classification
5. About data encryption
  1. KMS support
6. About SSL usage
7. About implementing ECA certificates
8. About the NetBackup Virtual Appliance intrusion detection system
9. About the NetBackup Virtual Appliance intrusion prevention system
10. Major components of the NetBackup Virtual Appliance OS
11. OS STIG hardening for NetBackup Virtual Appliance
12. FIPS 140-2 conformance for NetBackup Virtual Appliance
13. Disable user access to the NetBackup appliance operating system
14. Manage support access to the maintenance shell
15. About the appliance login banner
16. Setting the appliance login banner
  1. Creating the appliance login banner
  2. Removing the appliance login banner
17. Log Forwarding feature overview
Upgrading the appliance
1. About upgrading to NetBackup Virtual Appliance software version 5.0
2. Requirements and best practices for upgrading NetBackup appliances
  1. Upgrade time estimation
3. Pre-upgrade tasks for appliance upgrades
4. Methods for downloading appliance software release updates
  1. Downloading software updates directly to a NetBackup appliance
  2. Downloading software updates to a NetBackup appliance using a client share
5. Installing a NetBackup Virtual Appliance software update using the NetBackup Virtual Appliance Shell Menu
6. Troubleshooting upgrade issues
NetBackup client upgrades with VxUpdate
1. About VxUpdate
2. VxUpdate repository management
3. Deployment policy management
4. Manually initiating upgrades from the primary server using VxUpdate
5. Manually initiating upgrades from the client using VxUpdate
6. Deployment job status
Appliance restore
1. About appliance restore
2. Creating an appliance checkpoint from the appliance shell menu
3. Rollback to an appliance checkpoint from the appliance shell menu
4. About NetBackup Virtual Appliance factory reset
5. Factory reset best practices
6. How to factory reset the NetBackup Virtual Appliance
Decommissioning and Reconfiguring
1. About decommissioning a NetBackup Virtual Appliance
2. Decommissioning a NetBackup Virtual Appliance with the media server role
3. Migrating from NetBackup Cloud Catalyst Appliance to MSDP direct cloud tiering
Troubleshooting
1. About troubleshooting the NetBackup Virtual Appliance
2. About contacting Technical Support
3. Determining the NetBackup Virtual Appliance serial number
4. About disaster recovery
  1. Recovering a NetBackup appliance primary server using NetBackup catalog restore
5. About NetBackup support utilities
  1. NetBackup Domain Network Analyzer (NBDNA)
  2. NetBackup Support Utility (NBSU)
6. Troubleshooting NetBackup Virtual Appliance deployment or initial configuration issues
7. Error messages displayed on the NetBackup Virtual Appliance Shell Menu
8. NetBackup status codes applicable for NetBackup Virtual Appliance
9. Installing an EEB
10. Rolling back an EEB using the NetBackup Virtual Appliance Shell Menu
Appliance logging
1. About NetBackup Virtual Appliance log files
2. Viewing log files using the Support command
3. Where to find NetBackup Virtual Appliance log files using the Browse command
4. Enabling and disabling VxMS logging
5. Gathering device logs on a NetBackup virtual appliance
6. Moving the log data
7. About forwarding logs to an external server
Commands overview
1. About the NetBackup Virtual Appliance Shell Menu
2. Logging in to the NetBackup Virtual Appliance Shell Menu
3. Using the NetBackup Virtual Appliance Shell Menu
4. About the NetBackup Virtual Appliance Shell Menu command views
Appendix A. Appliance commands
1. Appliance > Primary
2. Appliance > Media
3. Appliance > ShowDedupPassword
4. Appliance > Status
5. Appliance > Configure
Appendix B. Manage commands
1. Manage > Software > Delete
2. Manage > Software > Download
3. Manage > Software > List
4. Manage > Software > Install
5. Manage > Software > Share
6. Manage > Software > Readme
7. Manage > Software > Rollback
8. Manage > Software > Cancel
9. Manage > Software > DownloadAnalyzer
10. Manage > Software > DownloadProgress
11. Manage > Software > UpgradeStatus
12. Manage > Software > VxUpdate
13. Manage > Storage > Show
14. Manage > Storage > Add
15. Manage > Storage > Create
16. Manage > Storage > Delete
17. Manage > Storage > Edit
18. Manage > Storage > Monitor
19. Manage > Storage > Move
20. Manage > Storage > Remove
21. Manage > Storage > Resize
22. Manage > Storage > Scan
23. Manage > OpenStorage > Install
24. Manage > OpenStorage > List
25. Manage > OpenStorage > Readme
26. Manage > OpenStorage > Share
27. Manage > OpenStorage > Uninstall
28. Manage > MountPoints > List
29. Manage > MountPoints > Mount
30. Manage > MountPoints > Unmount
31. Manage > License > Add
32. Manage > License > List
33. Manage > License > ListInfo
34. Manage > License > Remove
35. Manage > Certificates > Generate
36. Manage > Certificates > Delete
37. Manage > NetBackupCLI > Create
38. Manage > NetBackupCLI > Delete
39. Manage > NetBackupCLI > List
Appendix C. Monitor commands
1. Monitor > Uptime
2. Monitor > Who
3. Monitor > NetworkStatus
4. Monitor > Top
5. Monitor > MemoryStatus
6. Monitor > SDCS
7. Monitor > NetBackup
8. Monitor > Hardware
Appendix D. Network commands
1. Network > Configure
2. Network > Date
3. Network > DNS
4. Network > Gateway
5. Network > Hostname
6. Network > Hosts
7. Network > IPv4
8. Network > IPv6
9. Network > LinkAggregation
10. Network > NetStat
11. Network > NTPServer
12. Network > Ping
13. Network > SetProperty
14. Network > Show
15. Network > TimeZone
16. Network > TraceRoute
17. Network > Unconfigure
18. Network > WANOptimization
Appendix E. Reports commands
1. Reports > Deduplication
2. Reports > Process
Appendix F. Settings commands
1. Settings > Deduplication
2. Settings > LifeCycle
3. Settings > LogForwarding
4. Settings > NetBackup
5. Settings > NetBackup DNAT
6. Settings > NetBackup NATServers
7. Settings > Password
8. Settings > SystemLocale
9. Settings > Share
10. Settings > Sysctl
11. Settings > Notifications > LoginBanner
12. Settings > Security > Authentication > AccountStatus
13. Settings > Security > Authentication > LDAP
14. Settings > Security > Authentication > ActiveDirectory
15. Settings > Security > Authentication > Kerberos
16. Settings > Security > Authentication > LocalUser
17. Main > Settings > Security > Authentication > CIFSShare
18. Settings > Security > Authorization
19. Main > Settings > Security > Certificate
20. Main > Settings > Security > Certificate > CertificateSigningRequest
21. Main > Settings > Security > STIG
22. Main > Settings > Security > FIPS
23. Main > Settings > Security > SecurityLevel
24. Main > Settings > Security > Sessions
25. Settings > Alerts > CallHome
26. Settings > Alerts > SNMP
27. Settings > Alerts > Email
28. Settings > Alerts > Hardware
Appendix G. Support commands
1. Support > Checkpoint
2. Support > Cleanup > CleanMonInvData
3. Support > DataCollect
4. Support > Disk
5. Support > Errors
6. Support > FactoryReset
7. Support > InfraServices
8. Support > InstantAccess
9. Support > iostat
10. Support > LogBrowser
11. Support > Logs
12. Support > Maintenance
13. Support > Messages
14. Support > NBDNA
15. Support > nbperfchk
16. Support > NBSU
17. Support > Processes
18. Support > Reboot
19. Support > Service
20. Support > Shutdown
21. Support > Storage Create LogPartition
22. Support > Storage Create NDMPLogPartition
23. Support > Storage SanityCheck
24. Support > Storage Reset
25. Support > System
26. Support > Test
Appendix H. Available commands for a NetBackupCLI user
1. Command
2. Password

About implementing ECA certificates

NetBackup Virtual Appliance's web service uses the PKCS#12 standard and requires certificate files to be in the X.509 (.pem) format. If the certificate files are in the .der, .DER, or .p7b formats, NetBackup Virtual Appliance automatically converts the files to an accepted format.

Certificate requirements

To prevent errors while importing certificates, ensure that the external certificate files meet the following requirements.

Certificate files are in the .pem file format and begin with "-----BEGIN CERTIFICATE-----".
Certificate files contain the host name and FQDN in the subject alternative name (SAN) field of the certificate. If the certificate is used in an HA environment, the SAN field must contain VIP, host name, and FQDN.
Subject name and common name fields are not empty.
Subject fields are unique for each host.
Subject fields contain a maximum of 255 characters.
Server and client authentication attributes are set in the certificate.
Only ASCII 7 characters are used in the subject and SAN fields of the certificate.
The private key file is in the PKCS#8 PEM format and begins with -----BEGIN ENCRYPTED PRIVATE KEY----- or -----BEGIN PRIVATE KEY-----.

Certificate Signing Request (CSR)

Although optional, you can use the Settings > Security > Certificate > CertificateSigningRequest > Create command to generate a CSR. Copy the CSR content from the command line to your ECA portal to obtain the required external certificate files.

Example:
Enter specified value or use the default value.
Common Name (eg, your name or your server's hostname) [Default nbapp2ao]:
Organizational Unit Name (eg, section) []:Appliance
Organization Name (eg, company) [Default Company Ltd]:Veritas
Locality Name (eg, city) [Default City]:Beijing
State or Province Name (full name) []:Beijing
Country Name (2 letter code) [XX]:CH
Email Address []:support@veritas.com
Please enter the following 'extra' attributes
to be sent with your certificate request.
-----
A challenge password []:123456
An optional company name []:VRTS
Subject Alternative Name (DNS Names and/or IP Addresses comma separated):
nbapp2ao,nbapp2ao.engba.veritas.com
Subject Alternative Name (email comma separated):
Certificate Signing Request Name [Default nbapp2ao.csr]:
Validity period (in days) [Default 365 days]:
Ensure that the Distinguished Name (DN) is specified as a string consisting 
of a sequence of key=value pairs separated by a comma:
Then the generated certificate signing request will be shown on the screen. 
The private key file is /root/privkey.pem.

Starting from version 4.1, you can register an ECA on both NetBackup Virtual Appliance and NetBackup using the Settings > Security > Certificate > Import command.

Perform the following steps to import the host certificate, host private key, and trust store to register the ECA on NetBackup and NetBackup Virtual Appliance. Both NetBackup and NetBackup Virtual Appliance layers use the same host certificate, host private key, and trust store.

Log in to the appliance as an Administrator user.
From the NetBackup Virtual Appliance Shell Menu, run the Settings > Security > Certificate > Import command. The following NFS and CFS share locations are now accessible:
- NFS: /inst/share
- CFS: \\<ApplianceName>\general_share
Upload the certificate file, trust store file, and private key file to either of the share locations and enter the paths to the files.
Choose how to access the certificate revocation list (CRL). A CRL comprises a list of external certificates that have been revoked by the ECA and should not be trusted. Select either of the following options:
- Use the CRL location provided in the certificate file.
- Provide the location of a CRL file (.crl ) in the local network.
- Do not use a CRL.
Confirm the location of the certificate files you want to register on the appliance.

A detailed example of how to import the certificates is provided here.

Identify the certificate which should be imported.

After certificate uploaded, /inst/share/ may look like that:
/inst/share # ls
cacerts.pem  cert_chain.pem  crl  key.pem
/inst/share # ls crl
NBAECA.crl  NBAECA_INTERMEDIATE.crl  NBRootCA.crl

Import the certificate.

Enter the certificate:
Enter the following details for external certificate configuration:
Enter the certificate file path: cert_chain.pem
Enter the trust store file path: cacerts.pem
Enter the private key path: key.pem
Enter the password for the passphrase file path or skip security 
configuration (default: NONE):
Should a CRL be honored for the external certificate?
1) Use the CRL defined in the certificate.
2) Use the specific CRL directory.
3) Do not use a CRL.
q) Skip security configuration.
CRL option (1): 2
Enter the CRL location path: crl
Then confirm input information and answer the subsequent questions.

The certificate files are stored in the /usr/openv/var/hostcert directory after enrollment.

Support for Copilot

Before you use the Copilot feature on an appliance deployed with external certificates, ensure the following:

The appliance's certificate file (in /etc/vxos-ssl/servers/certs/) is same as the primary server's certificate file (in /usr/openv/var/global/appliance_certificates/).
The appliance's certificate file (in /etc/vxos-ssl/servers/certs/) is named in the <FQDN_hostname>-self.cert.pem format.

Run the following commands on each of the associated appliances:

rm /etc/vxos-ssl/servers/certs/<FQDN_hostname>-self.cert.pem

cp /etc/vxos-ssl/servers/certs/server.pem 
/etc/vxos-ssl/servers/certs/<FQDN_hostname>-self.cert.pem

tpconfig -delete -nb_appliance <Short_hostname>

/opt/NBUAppliance/scripts/copilot_users.pl --add

Adding and removing certificates

You can manage external certificates on NetBackup Virtual Appliance using the Certificate commands.

You can use the Settings > Security > Certificate > Add CACertificate command to add a server CA, HTTPS proxy CA, or LDAP CA certificate to the certificate authority list. Ensure that you paste the CA certificate content in the PEM or P7B format. The Appliance appends this CA certificate to the certificate authority list. Before appending the CA certificate, the appliance verifies whether the CA certificate is already being used on the appliance. If yes, the appliance quits with a message. The newly added CA certificate is updated to the System wide trust store, Tomcat key store and NetBackup trust store.

System wide trust store:
The CA certificates is added to the system wide trust store. Copy the CA certificates to /etc/pki/ca-trust/source/anchors/, and add the CA certificates to all the locations under /etc/pki/ca-trust/extracted. This includes the /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt, /etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem, objsign-ca-bundle.pem tls-ca-bundle.pem, and /etc/pki/ca-trust/extracted/java/cacerts.
Tomcat key store:
The CA certificate is added to the Tomcat trust store, /opt/apache-tomcat/security/keystore.
NetBackup trust store:
If ECA is enabled by NetBackup, the CA is appended to the end of the /usr/openv/var/hostcert/trustStorePath/cacerts.pem file. Call configureWebServerCerts to update the NetBackup web service trust store. This includes /usr/openv/var/global/wsl/credentials/externalcacreds/nbwebservice.bcfks and /usr/openv/var/global/wsl/credentials/tpcredentials/nbwebservice.bcfks.

You can use the Settings > Security > Certificate > Remove CACertificate command to remove a server CA certificate from the certificate authority list. The available CA certificates are listed and you can select the certificate that you want to remove. The System wide trust store, Tomcat key store, and NetBackup trust stores are updated to remove the CA certificate.

System wide trust store:
The CA certificate file under /etc/pki/ca-trust/source/anchors is removed and the system wide trust store is updated. This includes /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt, /etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem, objsign-ca-bundle.pem tls-ca-bundle.pem, and /etc/pki/ca-trust/extracted/java/cacerts.
Tomcat key store:
The CA certificate is removed from the Tomcat key store.
NetBackup trust store:
Remove the CA certificate from the NetBackup relevant key store. The CA in the /usr/openv/var/hostcert/trustStorePath/cacerts.pem file is removed and then the CA in NetBackup web service trust store is removed. This includes the /usr/openv/var/global/wsl/credentials/externalcacreds/nbwebservice.bcfks and /usr/openv/var/global/wsl/credentials/tpcredentials/nbwebservice.bcfks.