NetBackup™ Web UI Cloud Object Store Administrator's Guide

Last Published:
Product(s): NetBackup & Alta Data Protection (10.4)
  1. Introduction
    1. Overview of NetBackup protection for Cloud object store
    2. Features of NetBackup Cloud object store workload support
  2. Managing Cloud object store assets
    1. Prerequisites for adding Cloud object store accounts
    2. Permissions required for Amazon S3 cloud provider user
    3. Permissions required for Azure
    4. Limitations and considerations
    5. Adding Cloud object store accounts
      1. Creating cross-account access in AWS
      2. Check certificate for revocation
      3. Managing Certification Authorities (CA) for NetBackup Cloud
      4. Adding a new region
    6. Manage Cloud object store accounts
  3. Protecting Cloud object store assets
    1. About accelerator support
      1. How NetBackup accelerator works with Cloud object store
      2. Accelerator notes and requirements
      3. Accelerator force rescan for Cloud object store (schedule attribute)
      4. Accelerator backup and NetBackup catalog
    2. About incremental backup
    3. About policies for Cloud object store assets
    4. Planning for policies
    5. Prerequisites for Cloud object store policies
    6. Creating a backup policy
    7. Setting up attributes
    8. Creating schedule attributes for policies
    9. Configuring the Start window
    10. Configuring the exclude dates
    11. Configuring the include dates
    12. Configuring the Cloud objects tab
    13. Adding conditions
    14. Adding tag conditions
    15. Examples of conditions and tag conditions
    16. Managing Cloud object store policies
      1. Copy a policy
      2. Deactivating or deleting a policy
      3. Manually backup assets
  4. Recovering Cloud object store assets
    1. Prerequisites for recovering Cloud object store objects
    2. Configuring Cloud object retention properties
    3. Recovering Cloud object store assets
  5. Troubleshooting
    1. Recovery for Cloud object store using web UI for the original bucket recovery option starts, but the job fails with error 3601
    2. Recovery Job does not start
    3. Restore fails: "Error bpbrm (PID=3899) client restore EXIT STATUS 40: network connection broken"
    4. Access tier property not restored after overwriting the existing object in the original location
    5. Reduced accelerator optimization in Azure for OR query with multiple tags
    6. Backup failed and shows a certificate error with Amazon S3 bucket names containing dots (.)
    7. Azure backup jobs fail when space is provided in a tag query for either tag key name or value.
    8. The Cloud object store account has encountered an error
    9. The bucket is list empty during policy selection
    10. Creating a second account on Cloudian fails by selecting an existing region
    11. Restore failed with 2825 incomplete restore operation
    12. Bucket listing of a cloud provider fails when adding a bucket in the Cloud objects tab
    13. A.I.R. import image restore fails on the target domain if the Cloud store account is not added to the target domain
    14. Backup for Azure Data Lake fails when a back-level media server is used with backup host or storage server version 10.3
    15. Backup fails partially in Azure Data Lake: "Error nbpem (pid=16018) backup of client
    16. Recovery for Azure Data Lake fails: "This operation is not permitted as the path is too deep"
    17. Empty directories are not backed up in Azure Data Lake
    18. Recovery error: "Invalid alternate directory location. You must specify a string with length less than 1025 valid characters"
    19. Recovery error: "Invalid parameter specified"
    20. Restore fails: "Cannot perform the COSP operation, skipping the object: [/testdata/FxtZMidEdTK]"
    21. Cloud store account creation fails with incorrect credentials
    22. Discovery failures due to improper permissions
    23. Restore failures due to object lock

Adding Cloud object store accounts

Adding a Cloud object store account is the first step in protecting a workload. You can add as many accounts as required, and you can organize them to fit your business logic, for example by grouping the buckets of a particular cloud service provider under one account. For AWS S3-compatible providers, backup and restore require different access rights; you can create separate accounts for backup and for restore to keep those rights apart.

For each cloud service provider and region that contains a bucket or container you want to protect, you must add at least one Cloud object store account.

You may also need more than one Cloud object store account for the same cloud service provider and region, because settings such as SSL, proxy, and the type of credential apply per account. Create one account for each set of buckets or containers that needs different settings.

The permissions required for backup and for recovery are different, so consider whether separate accounts for backup and recovery are helpful in your environment. To restore to a different Cloud object store account during recovery, you must select a recovery option other than the original bucket option.

Note:

The Cloud object store account name shares a namespace with Cloud storage server names and MSDP-C LSU names, so the name must be unique across all three.

For Cloud object store accounts, NetBackup supports Microsoft Azure and a variety of other cloud providers that use AWS S3-compatible APIs (for example, Amazon, Google, and Hitachi). For S3-compatible providers, you supply the provider's AWS S3-compatible account credentials (that is, the Access key ID and Secret access key) when you add the credentials.

To add a Cloud object store account:

  1. On the left, click Cloud object store under Workloads.
  2. In the Cloud object store account tab, click Add. Enter a name for the account in the Cloud object store name field, and select a provider from the Select Cloud object store provider list.
  3. To select a backup host or scale-out server, click Select host for validation. A backup host must be a RHEL media server running NetBackup 10.1 or later; this host performs credential validation, backup, and recovery for the Cloud object store.
    • To select a backup host, select the Backup host option, and select a host from the list.

    • To use a scale-out server, select the Scale out server option and select a server from the list. NetBackup Snapshot Manager servers of version 10.3 or later serve as scale-out servers.

      If you have a very large number of buckets, use NetBackup Snapshot Manager as the backup host (NetBackup 10.3 or later): select the Scale out server option and select a NetBackup Snapshot Manager from the list.

      Note:

      Your existing NetBackup primary server must be already configured with this instance of NetBackup Snapshot Manager.

  4. Select a region from the available list of regions. To add a new region, click Add above the Region table.

    See Adding a new region. The Region selection is not available for some Cloud object store providers.

    For GCP, which supports dual-region buckets, select the base region during account creation. For example, if a dual-region bucket spans the regions US-CENTRAL1 and US-WEST1, select US as the region during account creation so that the bucket is listed.

  5. In the Access settings page, select an access method for the account:
    • Access credentials - NetBackup uses the Access key ID and the Secret access key to access the Cloud object store account. If you select this method, perform steps 6 to 10 as required to create the account.

    • IAM role (EC2) - NetBackup retrieves the IAM role name and the credentials that are associated with the EC2 instance that hosts the selected backup host or scale-out server. Make sure that the IAM role attached to the EC2 instance has the permissions required to access the cloud resources for Cloud object store protection, and select the region that matches those permissions when you configure the account. If you select this option, perform the optional steps 7 and 8 as required, and then perform steps 9 and 10.

    • Assume role - NetBackup uses the provided Access key ID, Secret access key, and Role ARN to retrieve temporary credentials for a role in the same account or in another account. Perform steps 6 to 10 as required to create the account.

      See Creating cross-account access in AWS.

    • Assume role (EC2) - NetBackup retrieves the AWS IAM role credentials that are associated with the EC2 instance that hosts the selected backup host or scale-out server, and then assumes the role specified in the Role ARN to access the cloud resources required for Cloud object store protection.

    • Credentials broker - NetBackup retrieves the credentials for the required cloud resources from a credentials broker.

    • Service principal - NetBackup uses the Tenant ID, Client ID, and Client secret of the service principal to access the cloud resources required for Cloud object store protection. Supported for Azure.

    • Managed identity - NetBackup obtains Azure AD tokens through the managed identity (system-assigned or user-assigned) that is associated with the selected backup host or scale-out server, and uses those tokens to access the cloud resources required for Cloud object store protection.

  6. You can add existing credentials or create new credentials for the account:
    • To select an existing credential for the account, select the Select existing credentials option, select the required credential from the table, and click Next.

    • To use Managed identity for Azure, select System assigned or User assigned. For User assigned, enter the Client ID of the user-assigned managed identity that is used to access the cloud resources.

    • To add a new credential for the account, select Add new credentials. Enter a Credential name, Tag, and Description for the new credential.

      For cloud providers supported through AWS S3-compatible APIs, use AWS S3-compatible credentials. Specify the Access key ID and Secret access key.

      For Microsoft Azure cloud provider:

      • For the Access key method, specify the Storage account and provide its access key credentials.

      • For the Service principal method, provide Client ID, Tenant ID, and Secret key.

    • If you use Assume role as the access method, specify the Amazon Resource Name (ARN) of the role to use for the account, in the Role ARN field.

  7. (Optional) Select Use SSL to use the SSL (Secure Sockets Layer) protocol for authentication, or for both authentication and data transfer, between NetBackup and the cloud storage provider.
    • Authentication only: SSL is used only while NetBackup authenticates to the cloud storage; object data is then transferred without SSL.

    • Authentication and data transfer: SSL is used both to authenticate and to transfer data between NetBackup and the cloud storage.

    • Check certificate revocation (IPv6 is not supported for this option): For all cloud providers, NetBackup can verify SSL certificates against a CRL (Certificate Revocation List). If SSL is enabled and this option is enabled, each non-self-signed SSL certificate is checked against the CRL, and NetBackup refuses to connect to the cloud provider if the certificate is revoked.

    Note:

    NetBackup supports only Certificate Authority (CA)-signed certificates while it communicates with cloud storage in SSL mode. Ensure that the cloud server (public or private) has a CA-signed certificate. If it does not have the CA-signed certificate, data transfer between NetBackup and the cloud provider fails in SSL mode.

    Note:

    The FIPS region of the Amazon GovCloud cloud provider (that is s3-fips-us-gov-west-1.amazonaws.com) supports only secured mode of communication. Therefore, if you disable the Use SSL option while you configure Amazon GovCloud cloud storage with the FIPS region, the configuration fails.

  8. (Optional) Select the Use proxy server option to route connections through a proxy server. After you select it, specify the following details:
    • Proxy host - The IP address or host name of the proxy server.

    • Proxy Port - The port number of the proxy server.

    • Proxy type - You can select one of the following proxy types:

      • HTTP

        Note:

        Proxy credentials apply only to the HTTP proxy type; see the authentication types below.

      • SOCKS

      • SOCKS4

      • SOCKS5

      • SOCKS4A

    Select Use proxy tunneling for the HTTP proxy type.

    After you enable Use proxy tunneling, the backup or recovery host sends an HTTP CONNECT request to the proxy server, and the proxy forwards the TCP connection directly to the cloud back-end storage. The proxy relays the bytes without reading the headers or the data, so with SSL enabled the session is encrypted end to end between NetBackup and the cloud provider.

    If you use the HTTP proxy type, select one of the following authentication types:

    • None - Authentication is not enabled; no username or password is required.

    • Basic - A username and password are required.

    • NTLM - A username and password are required.

    Username - The username for the proxy server.

    Password - The password for the proxy server. It can be empty and can have at most 256 characters.

  9. Click Next.
  10. In the Review page, review the entire configuration of the account, and click Finish to save the account.

NetBackup creates the Cloud object store account only after it validates the credentials against the connection information that you provide. If validation fails, correct the settings according to the error details, confirm that the connection information and credentials are correct, and verify that the backup host or scale-out server that you selected for validation can reach the cloud provider endpoints with those settings.
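Because account creation fails when the host selected for validation cannot reach the endpoint, it helps to test the transport settings from that host first. The following script is an added example and is not code from this guide or from NetBackup; it reproduces, with the Python standard library, what the Use SSL, Check certificate revocation, and Use proxy server settings (HTTP proxy type with Basic authentication and proxy tunneling) mean on the wire. The endpoint, proxy host, and credentials in it are constructed placeholders, and it does not cover the SOCKS proxy types or NTLM.

```python
"""Preflight check for the transport settings of a Cloud object store account.

Added example (not part of NetBackup or this guide). Values such as the
endpoint, proxy and proxy credentials are constructed placeholders.
"""
import base64
import http.client
import ssl


def make_tls_context(cafile=None, check_crl=False):
    """TLS context matching the guide's SSL requirements: the server must
    present a CA-signed certificate (cafile, or the system trust store) and
    the host name must match. check_crl mirrors "Check certificate
    revocation": the leaf certificate is checked against a CRL, which must be
    present in the PEM bundle (cafile) or the handshake fails with
    'unable to get certificate CRL'."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if check_crl:
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def describe_context(ctx):
    """Security-relevant settings of a context, for logging the preflight."""
    return {
        "verify_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
        "crl_check": bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF),
    }


def proxy_auth_header(username, password=""):
    """Proxy-Authorization header for the Basic authentication type.
    The password may be empty, as the guide allows."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Proxy-Authorization": f"Basic {token}"}


def build_connect_request(host, port, headers=None):
    """Bytes the backup host sends to an HTTP proxy when proxy tunneling is on.
    The proxy only ever parses this request; after replying 200 it relays raw
    bytes, so the TLS handshake runs end to end with the cloud endpoint."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    lines += [f"{k}: {v}" for k, v in (headers or {}).items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_connect_response(status_line):
    """Status code and reason from the proxy's reply to CONNECT:
    200 means the tunnel is up, 407 means the proxy wants credentials."""
    parts = status_line.decode("ascii").strip().split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1]), parts[2] if len(parts) > 2 else ""


def preflight(endpoint, port=443, cafile=None, check_crl=False,
              proxy=None, proxy_auth=None, timeout=10):
    """Open a TLS connection to the cloud endpoint (through the proxy, if any,
    using CONNECT tunneling) and send an unauthenticated HEAD /. Any HTTP
    status back means the transport, certificate chain and proxy settings
    work; credential checks are left to NetBackup's validation. Raises
    ssl.SSLError for an untrusted, mismatched or revoked certificate."""
    ctx = make_tls_context(cafile, check_crl)
    if proxy:
        conn = http.client.HTTPSConnection(proxy[0], proxy[1], context=ctx, timeout=timeout)
        conn.set_tunnel(endpoint, port, headers=proxy_auth or {})
    else:
        conn = http.client.HTTPSConnection(endpoint, port, context=ctx, timeout=timeout)
    conn.request("HEAD", "/")
    status = conn.getresponse().status
    conn.close()
    return status


if __name__ == "__main__":
    # Constructed placeholders; replace with the account's endpoint and proxy.
    hdr = proxy_auth_header("nbuser", "s3cr3t")
    print(build_connect_request("s3.us-east-1.amazonaws.com", 443, hdr).decode())
    print(describe_context(make_tls_context(check_crl=True)))
    # status = preflight("s3.us-east-1.amazonaws.com", check_crl=False,
    #                    proxy=("proxy.example.com", 3128), proxy_auth=hdr)
```

Run preflight from the backup host you intend to select for validation: an `ssl.SSLError` points at the CA bundle or revocation settings, a 407 from the proxy at the proxy credentials, and a timeout at network reachability of either the proxy or the endpoint.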