NetBackup™ Security and Encryption Guide
- Read this first for secure communications in NetBackup
- Communication failure scenarios
- Increasing NetBackup security
- Security deployment models
- Auditing NetBackup operations
- About audit events
- Section I. Identity and access management
- About identity and access management
- AD and LDAP domains
- Access keys
- API keys
- Auth.conf file
- Role-based access control
- Default RBAC roles
- NetBackup interface access for OS Administrators
- Smart card or digital certificate
- Single Sign-On (SSO)
- NetBackup Access Control Security (NBAC)
- Configuring NetBackup Access Control (NBAC)
- Configuring Access Control host properties for the primary and media server
- Access Control host properties dialog for the client
- Troubleshooting Access Management
- Windows verification points
- UNIX verification points
- Verification points in a mixed environment with a UNIX primary server
- Verification points in a mixed environment with a Windows primary server
- About determining who can access NetBackup
- Viewing specific user permissions for NetBackup user groups
- Minimizing security configuration risk
- Configuring multifactor authentication
- Configuring multi-person authorization
- Section II. Encryption of data-in-transit
- NetBackup CA and NetBackup certificates
- About the Security Management utilities
- About host management
- Adding shared or cluster mappings
- Allowing or disallowing automatic certificate reissue
- About global security settings
- About host name-based certificates
- About host ID-based certificates
- Using the Certificate Management utility to issue and deploy host ID-based certificates
- About NetBackup certificate deployment security levels
- Setting up trust with the primary server (Certificate Authority)
- About reissuing host ID-based certificates
- About Token Management for host ID-based certificates
- About the host ID-based certificate revocation list
- About revoking host ID-based certificates
- Host ID-based certificate deployment in a clustered setup
- About deployment of a host ID-based certificate on a clustered NetBackup host
- Migrating NetBackup CA
- Configuring data-in-transit encryption (DTE)
- Configure the DTE mode on a client
- Modify the DTE mode on a backup image
- How DTE configuration settings work in various NetBackup operations
- External CA and external certificates
- About external CA support in NetBackup
- Configuration options for external CA-signed certificates
- ECA_CERT_PATH for NetBackup servers and clients
- About certificate revocation lists for external CA
- About certificate enrollment
- Configure an external certificate for the NetBackup web server
- About external certificate configuration for a clustered primary server
- Regenerating keys and certificates
- NetBackup CA and NetBackup certificates
- Section III. Encryption of data at rest
- Data at rest encryption security
- About NetBackup client encryption
- Configuring standard encryption on clients
- About configuring standard encryption from the server
- Configuring legacy encryption on clients
- About configuring legacy encryption from the client
- About configuring legacy encryption from the server
- Additional legacy key file security for UNIX clients
- NetBackup key management service
- About FIPS enabled KMS
- Installing KMS
- Configuring KMS
- About key groups and key records
- Overview of key record states
- Configuring NetBackup to work with KMS
- About using KMS for encryption
- KMS database constituents
- KMS operations using command-line interface (CLI)
- About exporting and importing keys from the KMS database
- Troubleshooting KMS
- External key management service
- Configuring KMS credentials
- Configuring KMS
- Creating keys in an external KMS
- Working with multiple KMS servers
- Data at rest encryption security
- Ciphers used in NetBackup for secure communication
- FIPS compliance in NetBackup
- Disable FIPS mode for NetBackup
- NetBackup web services account
- Running NetBackup services with non-privileged user (service user) account
- Running NetBackup commands with non-privileged user account
- Immutability and indelibility of data in NetBackup
- Anomaly detection
- Section IV. Malware scanning
- Introduction
- How to setup Malware scanning
- Instant Access configurations
- Malware tools configurations
- Scan host configurations
- Prerequisites for a scan host
- Configuring scan host
- Configuring a scan host pool
- Managing a scan host
- Performing malware scan
- Managing scan tasks
- Malware scan configuration parameters
- Troubleshooting
Configure the SAML keystore and add and enable the IDP configuration
Before proceeding with the following steps, ensure that you have downloaded the IDP metadata XML file and saved it on the NetBackup primary server.
To configure SAML keystore and add and enable an IDP configuration
- Log on to the primary server as root or administrator.
- Run the following command.
For IDP and NetBackup CA SAML KeyStore configuration:
nbidpcmd -ac -n IDP configuration name -mxp IDP XML metadata file [-t SAML2] [-e true | false] [-u IDP user field] [-g IDP user group field] [-cCert] [-f] [-M primary server]
Alternatively for IDP and ECA SAML KeyStore configuration:
Depending on whether you want to configure SAML ECA KeyStore using the configured NetBackup ECA KeyStore or you want to provide the ECA certificate chain and private key, run the following commands:
Use NetBackup ECA configured keystore:
nbidpcmd -ac -n IDP configuration name -mxp IDP XML metadata file[-t SAML2] [-e true | false] [-u IDP user field] [-g IDP user group field] -cECACert -uECA existing ECA configuration [-f] [-M Primary Server]
Use ECA certificate chain and private key provided by the user:
nbidpcmd -ac -n IDP configuration name -mxp IDP XML metadata file[-t SAML2] [-e true | false] [-u IDP user field] [-g IDP user group field] -cECACert -certPEM certificate chain file -privKeyPath private key file [-ksPassPath KeyStore passkey file] [-f] [-M primary server]
Replace the variables as follows:
IDP configuration name is a unique name provided to the IDP configuration.
IDP XML metadata file is the path to the XML metadata file, which contains the configuration details of the IDP in Base64URL-encoded format.
-e true | false enables or disables the IDP configuration. An IDP configuration must be added and enabled, otherwise users cannot sign in with the single sign-on (SSO) option. Even though you can add multiple IDP configurations on a NetBackup primary server, only one IDP configuration can be enabled at a time.
The SAML attribute names IDP user field and IDP user group field are used to map user identity information and group information in the Identity Provider. These fields are optional, and if not provided, they are mapped to the userPrincipalName and memberOf SAML attributes by default.
For instance, if you have customized the attribute mapping in the Identity Provider to use attributes like email and groups, when configuring the SAML configuration, you need to provide the -u option for email and -g option for groups.
If you have not provided values for these attributes during configuration, ensure that the Identity Provider returns the values against the userPrincipalName and memberOf attributes.
For Example:
If SAML response is as follows:
saml:AttributeStatement <saml:Attribute Name="userPrincipalName"> <saml:AttributeValue>username@domainname</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="memberOf"> <saml:AttributeValue>CN=group name, DC=domainname</saml:AttributeValue> </saml:Attribute> </saml:AttributeStatement>
It implies that you need to map the -u and -g options against the fields "saml:Attribute Name".
Note:
Ensure that the SAML attribute values are returned in the format of username@domainname for the field mapped to the -u option that defaults to userPrincipalName. If you include the domain name when returning group information, it should follow the format "(CN=group name, DC=domainname)" or "(domainname\groupname).
However, if you return the group name as plain text without domain information, it should be mapped without the domain name in the SAML RBAC group.
primary Server is the host name or IP address of primary server to which you want to add or modify the IDP configuration. The NetBackup primary server where you run the command is selected by default.
Certificate Chain File is the certificate chain file path. The file must be in PEM format and must be accessible to the primary server on which the configuration is being performed.
Private Key File is the private key file path. The file must be in PEM format and must be accessible to the primary server on which the configuration is being performed.
KeyStore Passkey File is the KeyStore passkey file path and must be accessible to the primary server on which the configuration is being performed.
If your Identity Provider is already configured with SAML attribute names as userPrincipalName and memberOf, you do not have to provide the -u and -g option while configuration. If you are using any other custom attributes name, provide those names against -u and -g as follows:
For example:
If the Identity Provider SAML attribute names are mapped as "email" and"groups", use the following command for configuration:
nbidpcmd -ac -n veritas_configuration -mxp file.xml -t SAML2 -e true -u email -g groups -cCert -Mprimary_server.abc.com
-u and -g are optional and it depends on the Identity Provider configuration. Ensure that you specify the same parameter values that you have provided at the time of configuration.