Search <book_title>...

NetBackup 8.3 CA migration video

Last Published: 2020-10-30

Product(s): NetBackup & Alta Data Protection (8.3)

NetBackup CA migration video
1. Migrating NetBackup CA

Migrating NetBackup CA

In certain scenarios, you may need to migrate your existing NetBackup certificate authority (CA) hierarchy to a new one. NetBackup supports migrating the existing NetBackup CA. This chapter provides information on the NetBackup CA migration process.

NetBackup security certificates that is used to authenticate NetBackup hosts conform to the X.509 Public Key Infrastructure (PKI) standard. A NetBackup master server acts as the certificate authority (CA) and issues digital certificates to hosts. NetBackup uses the NetBackup authentication daemon (NBATD) as its PKI provider. NBATD and its client implementation generate the RSA private key that is used for authentication.

NetBackup now supports certificate authorities with the following key strengths: 2048 bits, 4096 bits, 8192 bits, and 16384 bits.

Note:

After NetBackup 8.3 master server installation or upgrade, by default a new root CA with 2048-bits key strength is deployed. With upgrade, you need to migrate the existing CA to a new CA.

Table: NetBackup CA migration procedures for various use cases

Use case	Description
When you need a NetBackup CA with a key strength other than the default one (2048 bits)
When you want to migrate the existing NetBackup CA after the entire NetBackup domain is upgraded to 8.3

Use case

Description

When you need a NetBackup CA with a key strength other than the default one (2048 bits)

When you want to migrate the existing NetBackup CA after the entire NetBackup domain is upgraded to 8.3

The NetBackup CA migration process comprises the following phases:

Initiating NetBackup CA migration
Note:
If NetBackup Access Control (NBAC) is enabled on the NetBackup master server, OpsCenter needs to re-establish the trust with the master server after the CA migration. Run the following command:
vssat setuptrust --broker nb_master_server_name:1556:nbatd --securitylevel high
For information about commands, see the NetBackup Commands Reference Guide.
The vssat command resides at the following location:
Windows
INSTALL_PATH\NetBackup\sec\at\bin\vssat
UNIX
/usr/openv/netbackup/sec/at/bin
Activating the new NetBackup CA
Completing NetBackup CA migration
Decommissioning the old NetBackup CA
Note:
Decommissioning the old NetBackup CA is an optional clean-up task.

See the video NetBackup CA migration for details.

Windows	INSTALL_PATH\NetBackup\sec\at\bin\vssat
UNIX	/usr/openv/netbackup/sec/at/bin