Veritas Solution Guide for Sheltered Harbor

Product(s): NetBackup & Alta Data Protection (10.5)

Perform data vaulting using interactive mode

The interactive mode of the nbshvault command lets you perform the configure, backup, and restore operations. In this mode you enter the required values manually at each prompt, so it cannot be used for the automated daily data vaulting process.

To understand how the data vaulting operations are performed using the interactive mode, see the following:

Configure operation

The configure operation is the first step in setting up the Sheltered Harbor solution.

Note:

Ensure that the configure and register operations are completed before you perform the backup or restore operations.

Use the following procedure to perform the configure operation:

To configure the Sheltered Harbor solution

  1. Run either of the following commands on the command prompt:
    • nbshvault --configure

    • nbshvault --configure [--config-dir config-dir-path]

    If you provide the --config-dir option during configuration, you must pass the same option to every subsequent nbshvault command as well.

  2. Enter the Institution ID.
  3. Enter the following logging information about the Sheltered Harbor solution:
    • Maximum log file size (default size is 10 MB).

      The Sheltered Harbor solution rotates the log when the log file size exceeds the maximum log file size.

    • Verbose value (default value is 2).

      Specify a verbose value from 2 to 5 to record warning and critical-level messages in the log file. To record debug-level messages, specify a verbose value of 6.

  4. Enter the Sheltered Harbor license file path.

    Note:

    Sheltered Harbor validates licenses of financial institutions every year. The license file needs to be provisioned on the NetBackup client where the Sheltered Harbor solution runs.

    Note:

    Ensure that the user running the nbshvault command has read permission on the license file.

  5. Select the monitoring log type (Live monitor or Stage monitor) to which the attestation message is sent after successful data vaulting.
  6. Select the solution type such as Veritas Alta™ Solution for Sheltered Harbor or Veritas NetBackup™ Solution for Sheltered Harbor.

    Note:

    Veritas Alta™ Solution for Sheltered Harbor is the default option selected.

  7. If you selected Veritas NetBackup™ Solution for Sheltered Harbor as the solution type, enter the path of the NetBackup API key file.

    For more information about NetBackup API keys, see https://www.veritas.com.

    Note:

    Create the NetBackup API key beforehand in the NetBackup web UI, with the required RBAC permissions. Store the key in a text file using the format <primary server name>:<NetBackup API key>.

    Ensure that you have read permission on the API key file.

  8. Enter the primary server backup policy.

    Note:

    The storage unit in the primary server backup policy must point to an immutable cloud storage bucket, or to a storage lifecycle policy that replicates the image to the IRE domain on immutable storage.

  9. Select the key management type, KMIP based KMS or Azure Key Vault (enter KMIP or Azure), and then enter the corresponding details:

    If you enter KMIP based KMS, do the following:

    • Enter the KMS server name:

    • Enter the KMIP port [5696 is default]:

    • Enter the absolute path of certificate file:

    • Enter the absolute path of private key file:

    • Enter the absolute path of CA certificate file:

    • Enter the envelope private encryption key ID:

    • Enter the envelope public encryption key ID:

    • Enter the envelope private sign key ID:

    • Enter the envelope public sign key ID:

    If you enter Azure Key Vault, do the following:

    • Enter Vault URI of Azure Key Vault:

    • Enter an authentication option for Azure Key Vault:

      • 1. Managed Identity

      • 2. Service principal with a Client Secret [1,2] : 2

    • Enter Azure client ID:

    • Enter Azure tenant ID:

    • Enter Azure Client secret path: /root/sharbor/storage/tsp/jsonf.json

    • Do you want to use online certificate status protocol (OCSP) [y,n] [n is default]:

    • Enter Azure envelope private encryption key ID: SH

    • Enter Azure envelope public encryption key ID: SH

    • Enter Azure envelope private sign key ID: SH

    • Enter Azure envelope public sign key ID: SH

  10. If you choose to configure a proxy server for outbound external connections, enter the following information:

    • Enter the proxy server hostname or IP address

    • Enter the proxy port [3128 is default]

    • Enter the proxy type

      • HTTP

      • HTTPS

      • SOCKS5 [1,2,3] [1 is default]

    • Do you want to configure proxy server authentication ? [y,n] (n):

    • Enter the username:

    • Enter the absolute path of the proxy server password file

The following example shows the configuration operation:

[root@sh-lin-5 bin]# nbshvault --configure
This command configures Sheltered Harbor solution in NetBackup. 
Do you want to continue ? [y,n] (y) y
Enter the institution ID: XXXXXXX
===== Logging =====
Enter the maximum log file size in MB [10 MB is default]: 10
Enter the verbose value [2 is default]: 10
===== Solution Type =====
Enter NetBackup Sheltered Harbor solution type
1.Veritas Alta™ Solution for Sheltered Harbor
2.Veritas NetBackup™ Solution for Sheltered Harbor [1,2] [1 is default] : 1
===== License =====
Enter the Sheltered Harbor license file path: ${PATH_TO_LICENSE_FILE}
===== Sheltered Harbor Monitoring Log Type =====
Enter monitoring log type for sending an attestation message after successful data vaulting
1.Live monitor
2.Stage monitor [1,2] [1 is default] : 2
===== NetBackup Artifact Information =====
Enter the primary server policy: ${POLICY_NAME}
===== KMS =====
Do you want to configure KMIP based KMS or Azure Key Vault ? [KMIP, Azure] 
[KMIP is default] : KMIP
Enter the KMS server name: xxxxyyyyyzzzz.com
Enter the KMIP port [5696 is default]:
Enter the absolute path of certificate file: ${path}/cert_chain.pem
Enter the absolute path of private key file: ${path}/key.pem
Enter the absolute path of CA certificate file: /${path}/cacerts.pem
Enter the envelope private encryption key ID: 47776665456789098765fghjklhhg6768900hj
Enter the envelope public encryption key ID: hhyvvgfrrykj68894048746326532thg
Enter the envelope private sign key ID: 47776665456789098765fghjklhhg6768900hj
Enter the envelope public sign key ID: hhyvvgfrrykj68894048746326532thg
===== PROXY SERVER DETAILS =====
Do you want to configure proxy server for outbound external connections ? [y,n] (n) : y
Enter the proxy server hostname or IP address  : ${PROXY_IP_ADD}
Enter the proxy port  [3128 is default] : 3128
Enter the proxy type
1. HTTP
2. HTTPS
3. SOCKS5 [1,2,3] [1 is default] : 3
Do you want to configure proxy server authentication ? [y,n] (n) : y
Enter the username  : admin
Enter the absolute path of proxy server password file : ${PATH_TO_PROXY_FILE}
Configuration is saved successfully.
The requested operation is successfully completed.
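A pre-flight check for the configure inputs listed above, added here as an example and not part of the nbshvault tooling: it verifies read permission on the license and API key files, the documented verbose range, and the <primary server name>:<NetBackup API key> file format before the interactive session is started. The paths and sample values are constructed placeholders.

```shell
#!/bin/sh
# Pre-flight checks for the values that "nbshvault --configure" prompts for.
# Added example, not Veritas code; run it before starting the interactive session.

# The guide requires read permission on the license file, the API key file
# and the proxy password file: each path must be a readable regular file.
is_readable_file() {
    [ -f "$1" ] && [ -r "$1" ]
}

# Verbose value range documented by the guide: 2 to 5 (warning and critical
# messages), 6 (debug messages). Anything else is rejected.
verbose_level_ok() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 2 ] && [ "$1" -le 6 ]
}

# Every non-blank line of the API key file must read
# <primary server name>:<NetBackup API key> with neither part empty.
# Rejecting embedded whitespace is an assumption, not a documented rule.
check_api_key_file() {
    is_readable_file "$1" || return 1
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        case "$line" in
            *[[:space:]]*) bad=$((bad + 1)) ;;   # embedded whitespace
            :*|*:)         bad=$((bad + 1)) ;;   # empty server name or empty key
            *:*)           ;;                    # well formed
            *)             bad=$((bad + 1)) ;;   # missing ':' separator
        esac
    done < "$1"
    [ "$bad" -eq 0 ]
}

# Check the three inputs needed for the NetBackup solution type and report
# every failure; a non-zero return means the configure run should not start.
preflight() {
    license=$1 verbose=$2 apikey=$3 rc=0
    is_readable_file "$license" || { echo "license file not readable: $license"; rc=1; }
    verbose_level_ok "$verbose" || { echo "verbose value outside 2-6: $verbose"; rc=1; }
    check_api_key_file "$apikey" || { echo "API key file unreadable or malformed: $apikey"; rc=1; }
    return "$rc"
}

# Example invocation with constructed placeholder paths:
#   preflight /etc/shvault/license.lic 2 /etc/shvault/nbapikey.txt && nbshvault --configure
```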

Register institution

After configuring the Sheltered Harbor solution, you must register the institution with the Sheltered Harbor monitoring log.

Note:

Ensure that you have configured the Sheltered Harbor solution before you register the institution.

Use the following procedure to register the institution with the Sheltered Harbor monitoring log.

Registration procedure

  1. Run either of the following commands on the command prompt:
    • nbshvault --register

    • nbshvault --register [--config-dir config-dir-path]

    If you provided the --config-dir option during configuration, you must use the same option in this command as well.

  2. Enter the institution ID and the registration ID (the registration key provided by Sheltered Harbor).

    The following example shows the register operation:

    nbshvault --register
    This operation generates private key and sends registration message 
    to the Sheltered Harbor monitoring log. 
    Do you want to continue? [y,n] (y) y 
    Enter the institution ID:
    Enter the registration key provided by Sheltered Harbor:
    Institution ID is already registered.

    On successfully running the command, the following message is displayed on the console:

    Registration successful. Status: 'Institution' is 
    registered successfully. Please use the same public/private key for 
    attestation Message: On Boarding Created

Backup operation

The backup operation backs up the institution's input data in interactive mode. Use the following procedure to perform the operation.

Backup procedure

  1. Run either of the following commands:
    • nbshvault -b | --backup

    • nbshvault -b | --backup [--config-dir config-dir-path]

    If you provided the --config-dir option during configuration, you must use the same option in this command as well.

  2. Enter the Institution ID.
  3. Enter the input storage path and transfer storage path.

    Note:

    When the backup JSON file is provided, use the --force option together with --backup to continue the backup even though the attestation for the previous backup has failed.

    The backup and attest command options cannot run in parallel as they process the same set of files.

    The following example shows the backup operation:

    nbshvault -b
    This command backs up the data as per the Sheltered Harbor 
    compliance specifications. Do you want to continue? [y,n] (y)
    Enter the institution ID:
    Enter the input storage path:
    Enter the transfer storage path:
    
Restore operation

The restore operation of the Sheltered Harbor solution decrypts the restored data files back to their original state. Restoring consists of the following two stages:

  • Archive retrieval

    Archive retrieval restores the specified archive (encrypted volumes and a secure envelope) to the recovery storage using the Backup, Archive, and Restore (BAR) GUI or the NetBackup web UI.

  • Data restoration

    Data restoration decrypts the data and validates the integrity of the restored files. It is performed with the restore operation in interactive mode.

Before you run the restore operation, restore the data to the recovery storage location using the BAR GUI or the web UI. Then run the restore operation in interactive mode.

Use the following procedure to perform the restore operation.

Restore procedure

  1. Run either of the following commands on the command prompt:
    • nbshvault -r | --restore

    • nbshvault -r | --restore [--config-dir config-dir-path]

    If you provided the --config-dir option during configuration, you must use the same option in this command as well.

  2. Enter the institution ID.
  3. Enter the recovery storage path and restored data storage path.

    The following example shows the restore operation:

    nbshvault -r
    This command performs data restoration as per the 
    Sheltered Harbor compliance specifications. Do you want to continue? [y,n] (y)
    Enter the institution ID:
    Enter the recovery storage path: /root/recovery_storage/
    Enter the restored data storage path: /root/d4/
    
Attestation operation

Use the nbshvault --attest command option when data vaulting to Veritas Alta Recovery Vault and IRE has completed but the attestation message to the Sheltered Harbor monitoring log failed to send.

Use the following procedure to perform the attestation operation.

Attestation procedure

  • Run either of the following commands on the command prompt to send the attestation message to complete the backup operation:
    • nbshvault --attest

    • nbshvault --attest [--config-dir config-dir-path]

A non-root RBAC user can run the nbshvault command through the nbcmdrun command. Only non-interactive mode is supported when nbshvault is executed through nbcmdrun.

Refer to the NetBackup Command Reference Guide for more information about the nbcmdrun command.

Note:

Run the nbshvault --report command option to fetch the backup keyword for attestation.

The backup and attest command options cannot run in parallel as they process the same set of files.

The following example shows the attest operation:

nbshvault --attest  
Enter the institution ID: institution ID
Checking for any latest pending image for attestation
Skipping vaulting attestation as vaulting attestation is set to 
false in input configuration JSON file.