Please enter search query.
Search <book_title>...
NetBackup™ Security and Encryption Guide
Last Published:
2025-01-22
Product(s):
NetBackup & Alta Data Protection (10.5.0.1)
- Read this first for secure communications in NetBackup
- About secure communication in NetBackup
- How NetBackup CA-signed certificates (or host ID-based certificates) are deployed during installation
- How secure communication works with primary server cluster nodes
- About NetBackup clients installed on nodes of a clustered application
- How NetBackup certificates are deployed on hosts during upgrades
- When an authorization token is required during certificate deployment
- Why do you need to map host names (or IP addresses) to host IDs
- How to reset host attributes or host communication status
- What has changed for catalog recovery
- What has changed with Auto Image Replication
- How the hosts with revoked certificates work
- Are NetBackup certificates backed up
- Can you configure external certificates for primary server
- How secure communication works with primary server cluster nodes using external certificates
- How revocation lists work for external certificates
- How communication happens when a host cannot directly connect to the primary server
- How NetBackup 8.1 or later hosts communicate with NetBackup 8.0 and earlier hosts
- How communication with legacy media servers happens in the case of cloud configuration
- Communication failure scenarios
- Secure communication support for other hosts in NetBackup domain
- Secure communication support for BMR
- Configuration for VMware backups that protect SQL Server and backups with SQL Servers that use multiple NICs
- Increasing NetBackup security
- About NetBackup security and encryption
- NetBackup security implementation levels
- World-level security
- Enterprise-level security
- Datacenter-level security overview
- NetBackup Access Control (NBAC)
- Combined world, enterprise, and datacenter levels
- NetBackup security implementation types
- Operating system security
- NetBackup security vulnerabilities
- Standard NetBackup security
- Client side encryption security
- NBAC on primary, media server, and graphical user interface security
- NBAC complete security
- Security deployment models
- Workgroups
- Single datacenters
- Multi-datacenters
- Workgroup with NetBackup
- Single datacenter with standard NetBackup
- Single datacenter with client side encryption
- Single datacenter with NBAC on primary and media servers
- Single datacenter with NBAC complete
- Multi-datacenter with standard NetBackup
- Multi-datacenter with client side encryption
- Multi-datacenter with NBAC on primary and media servers
- Multi-datacenter with NBAC complete
- Auditing NetBackup operations
- About NetBackup auditing
- Viewing the current audit settings
- About audit events
- Audit retention period and catalog backups of audit records
- Viewing the detailed NetBackup audit report
- User identity in the audit report
- Disabling auditing
- Audit alert notification for audit failures (NetBackup Administration Console)
- Send audit events to system logs
- SYSLOG_AUDIT_USE_OCSF_FORMAT for NetBackup primary server
- Section I. Identity and access management
- About identity and access management
- AD and LDAP domains
- Access keys
- API keys
- Auth.conf file
- Role-based access control
- RBAC features
- RBAC settings
- Configuring RBAC
- Role permissions
- Notes for using NetBackup RBAC
- Add AD or LDAP domains
- Default RBAC roles
- Add a custom RBAC role
- Edit or remove a role a custom role
- View users in RBAC
- Add a user to a role (non-SAML)
- Add a smart card user to a role (non-SAML, without AD/LDAP)
- Add a user to a role (SAML)
- Remove a user from a role
- NetBackup interface access for OS Administrators
- Smart card or digital certificate
- Configure user authentication with smart cards or digital certificates
- Configure smart card authentication with a domain
- Configure smart card authentication without a domain
- Edit the configuration for smart card authentication
- Add or delete a CA certificate that is used for smart card authentication
- Disable or temporarily disable smart card authentication
- Single Sign-On (SSO)
- NetBackup Access Control Security (NBAC)
- About using NetBackup Access Control (NBAC)
- NetBackup access management administration
- About NetBackup Access Control (NBAC) configuration
- Configuring NetBackup Access Control (NBAC)
- NBAC configuration overview
- Configuring NetBackup Access Control (NBAC) on standalone primary servers
- Installing the NetBackup primary server highly available on a cluster
- Configuring NetBackup Access Control (NBAC) on a clustered primary server
- Configuring NetBackup Access Control (NBAC) on media servers
- Installing and configuring access control on clients
- About including authentication and authorization databases in the NetBackup hot catalog backups
- NBAC configure commands summary
- Unifying NetBackup Management infrastructures with the setuptrust command
- Using the setuptrust command
- Configuring Access Control host properties for the primary and media server
- Access Control host properties dialog for the client
- Using NetBackup Access Control (NBAC) with Auto Image Replication
- Troubleshooting Access Management
- Troubleshooting NBAC issues
- Configuration and troubleshooting tips for NetBackup Authentication and Authorization
- Windows verification points
- UNIX verification points
- Verification points in a mixed environment with a UNIX primary server
- Verification points in a mixed environment with a Windows primary server
- About the nbac_cron utility
- Using the nbac_cron utility
- Using the Access Management utility
- About determining who can access NetBackup
- Viewing specific user permissions for NetBackup user groups
- Granting permissions
- Authorization objects
- Media authorization object permissions
- Policy authorization object permissions
- Drive authorization object permissions
- Report authorization object permissions
- NBU_Catalog authorization object permissions
- Robot authorization object permissions
- Storage unit authorization object permissions
- DiskPool authorization object permissions
- BUAndRest authorization object permissions
- Job authorization object permissions
- Service authorization object permissions
- HostProperties authorization object permissions
- License authorization object permissions
- Volume group authorization object permissions
- VolumePool authorization object permissions
- DevHost authorization object permissions
- Security authorization object permissions
- Fat server authorization object permissions
- Fat client authorization object permissions
- Vault authorization object permissions
- Server group authorization object permissions
- Key management system (kms) group authorization object permissions
- Upgrading NetBackup Access Control (NBAC)
- Configuration requirements if using Change Server with NBAC
- Minimizing security configuration risk
- Configuring multifactor authentication
- About multifactor authentication
- Configure multifactor authentication for your user account
- Disable multifactor authentication for your user account
- Enforce multifactor authentication for all users
- Configure multifactor authentication for your user account when it is enforced in the domain
- Reset multifactor authentication for a user
- Configuring multi-person authorization
- About multi-person authorization
- Workflow to configure multi-person authorization for NetBackup operations
- RBAC roles and permissions for multi-person authorization
- Multi-person authorization process with respect to roles
- NetBackup operations that need multi-person authorization
- Configure multi-person authorization
- View multi-person authorization tickets
- Manage multi-person authorization tickets
- Add exempted users
- Schedule expiration and purging of multi-person authorization tickets
- Disable multi-person authorization
- Section II. Encryption of data-in-transit
- NetBackup CA and NetBackup certificates
- Overview of security certificates in NetBackup
- About secure communication in NetBackup
- About the Security Management utilities
- About host management
- Hosts tab
- Adding host ID to host name mappings
- Add or Remove Host Mappings dialog box
- Removing host ID to host name mappings
- Mappings for Approval tab
- Viewing auto-discovered mappings
- Mapping Details dialog box
- Approving host ID to host name mappings
- Rejecting host ID to host name mappings
- Adding shared or cluster mappings
- Add Shared or Cluster Mappings dialog box
- Resetting NetBackup host attributes
- Allowing or disallowing automatic certificate reissue
- Adding or deleting comment for a host
- About global security settings
- About secure communication settings
- Disabling insecure communication
- About insecure communication with 8.0 and earlier hosts
- About communication with 8.0 or earlier host in multiple NetBackup domains
- Automatically mapping host ID to host names and IP addresses
- About disaster recovery settings
- Disaster recovery packages
- Setting a passphrase to encrypt disaster recovery packages
- Validate the disaster recovery package passphrase
- About host name-based certificates
- About host ID-based certificates
- Web login requirements for nbcertcmd command options
- Using the Certificate Management utility to issue and deploy host ID-based certificates
- About NetBackup certificate deployment security levels
- Automatic host ID-based certificate deployment
- Managing passphrases and passphrase keys for encryption of private key of host ID-based certificates
- Deploying host ID-based certificates
- Deploying host ID-based certificates in an asynchronous manner
- Implication of clock skew on certificate validity
- Setting up trust with the primary server (Certificate Authority)
- Forcing or overwriting certificate deployment
- Retaining host ID-based certificates when reinstalling NetBackup on non-primary hosts
- Deploying certificates on a client that has no connectivity with the primary server
- About host ID-based certificate expiration and renewal
- Deleting sensitive certificates and keys from media servers and clients
- Cleaning host ID-based certificate information from a host before cloning a virtual machine
- About reissuing host ID-based certificates
- About Token Management for host ID-based certificates
- About the host ID-based certificate revocation list
- About revoking host ID-based certificates
- Deleting host ID-based certificates
- Host ID-based certificate deployment in a clustered setup
- About deployment of a host ID-based certificate on a clustered NetBackup host
- Deploying host ID-based certificates on cluster nodes
- Revoking a host ID-based certificate for a clustered NetBackup setup
- Deploying a host ID-based certificate on a clustered NetBackup setup using reissue token
- Creating a reissue token for a clustered NetBackup setup
- Renewing a host ID-based certificate on a clustered NetBackup setup
- Viewing certificate details of a clustered NetBackup setup
- Removing CA certificates from a clustered NetBackup setup
- Generating a certificate on a clustered primary server after disaster recovery installation
- About the communication between a NetBackup client located in a demilitarized zone and a primary server through an HTTP tunnel
- Adding a NetBackup host manually
- Migrating NetBackup CA
- Setting the required key strength before installation or upgrade using the NB_KEYSIZE environment variable
- Migrating NetBackup CA when the entire NetBackup domain is upgraded
- Manually migrating NetBackup CA after installation or upgrade
- Establishing communication with clients that do not have new CA certificates after CA migration
- Viewing a list of NetBackup CAs in the domain
- Viewing the CA migration summary
- Decommissioning the inactive NetBackup CA
- Configuring data-in-transit encryption (DTE)
- About the data channel
- Data-in-transit encryption support
- Workflow to configure data-in-transit encryption
- Configure the global data-in-transit encryption setting
- Configure the DTE mode on a client
- View the DTE mode of a NetBackup job
- View the DTE-specific attributes of a NetBackup image and an image copy
- Configure the DTE mode on the media server
- Modify the DTE mode on a backup image
- Media device selection (MDS) and resource allocation
- How DTE configuration settings work in various NetBackup operations
- External CA and external certificates
- About external CA support in NetBackup
- Workflow to use external certificates for NetBackup host communication
- Configuration options for external CA-signed certificates
- ECA_CERT_PATH for NetBackup servers and clients
- ECA_TRUST_STORE_PATH for NetBackup servers and clients
- ECA_PRIVATE_KEY_PATH for NetBackup servers and clients
- ECA_KEY_PASSPHRASEFILE for NetBackup servers and clients
- ECA_CRL_CHECK for NetBackup servers and clients
- ECA_CRL_PATH for NetBackup servers and clients
- ECA_CRL_PATH_SYNC_HOURS for NetBackup servers and clients
- ECA_CRL_REFRESH_HOURS for NetBackup servers and clients
- ECA_DISABLE_AUTO_ENROLLMENT for NetBackup servers and clients
- ECA_DR_BKUP_WIN_CERT_STORE for NetBackup servers and clients
- MANAGE_WIN_CERT_STORE_PRIVATE_KEY option for NetBackup primary servers
- Limitations of Windows Certificate Store support when NetBackup services are running in Local Service account context
- About certificate revocation lists for external CA
- About certificate enrollment
- About viewing enrollment status of primary servers
- Configure an external certificate for the NetBackup web server
- Configuring the primary server to use an external CA-signed certificate
- Configuring a NetBackup host (media server, client, or cluster node) to use an external CA-signed certificate after installation
- Enrolling an external certificate for a remote host
- Viewing the certificate authorities that your NetBackup domain supports
- Viewing external CA-signed certificates in the NetBackup web UI
- Renewing a file-based external certificate
- Removing certificate enrollment
- Disabling the NetBackup CA in a NetBackup domain
- Enabling the NetBackup CA in a NetBackup domain
- Disabling an external CA in a NetBackup domain
- Changing the subject name of an enrolled external certificate
- About external certificate configuration for a clustered primary server
- Regenerating keys and certificates
- About regenerating keys and certificates
- Regenerating NetBackup authentication broker keys and certificates
- Regenerating host identity keys and certificates
- Regenerating web service keys and certificates
- Regenerating nbcertservice keys and certificates
- Regenerating tomcat keys and certificates
- Regenerating JWT keys
- Regenerating NetBackup gateway certificates
- Regenerating web trust store certificates
- Regenerating VMware vCenter plug-in certificates
- Regenerating NetBackup Administrator Console session certificates
- Regenerating NetBackup encryption key file
- NetBackup CA and NetBackup certificates
- Section III. Encryption of data at rest
- Data at rest encryption security
- Data at rest encryption terminology
- Data at rest encryption considerations
- Destination types for encryption of data at rest
- Encryption security questions to consider
- Comparison of encryption options
- About NetBackup client encryption
- Configuring standard encryption on clients
- Managing standard encryption configuration options
- Managing the NetBackup encryption key file
- About configuring standard encryption from the server
- Restoring an encrypted backup file to another client
- About configuring standard encryption directly on clients
- Setting standard encryption attribute in policies
- Changing the client encryption settings from the NetBackup server
- Configuring legacy encryption on clients
- About configuring legacy encryption from the client
- About configuring legacy encryption from the server
- Restoring a legacy encrypted backup created on another client
- About setting legacy encryption attribute in policies
- Changing client legacy encryption settings from the server
- Additional legacy key file security for UNIX clients
- NetBackup key management service
- About FIPS enabled KMS
- Installing KMS
- Configuring KMS
- Creating the key database
- About key groups and key records
- Overview of key record states
- About backing up the KMS database files
- About recovering KMS by restoring all data files
- Recovering KMS by restoring only the KMS data file
- Recovering KMS by regenerating the data encryption key
- Problems backing up the KMS data files
- Solutions for backing up the KMS data files
- Creating a key record
- Listing keys from a key group
- Configuring NetBackup to work with KMS
- Configuring NetBackup KMS using the KMS web application
- About using KMS for encryption
- KMS database constituents
- KMS operations using command-line interface (CLI)
- CLI usage help
- Create a new key group
- Create a new key
- Modify key group attributes
- Modify key attributes
- Get details of key groups
- Get details of keys
- Delete a key group
- Delete a key
- Recover a key
- About exporting and importing keys from the KMS database
- Modify host master key (HMK)
- Get host master key (HMK) ID
- Get key protection key (KPK) ID
- Modify key protection key (KPK)
- Get keystore statistics
- Quiesce KMS database
- Unquiesce KMS database
- Key creation options
- Troubleshooting KMS
- External key management service
- About external KMS
- Certificate configuration and authorization
- Workflow for external KMS configuration
- Validating KMS credentials
- Configuring KMS credentials
- Configuring KMS
- Configuring keys in an external KMS for NetBackup consumption
- Creating keys in an external KMS
- Determining a key group name during storage configuration
- Working with multiple KMS servers
- Working with external KMS during backup and restore
- Checking the compatibility of KMS vendor with NetBackup
- Key rotation
- Disaster recovery when catalog backup is encrypted using an external KMS server
- Alerts for expiration of KMS credentials
- Data at rest encryption security
- Ciphers used in NetBackup for secure communication
- FIPS compliance in NetBackup
- About FIPS
- About FIPS support in NetBackup
- Prerequisites
- Specify entropy randomness in NetBackup
- Configure FIPS mode in your NetBackup domain
- Enable FIPS mode on NetBackup during installation
- Enable FIPS mode on a NetBackup host after installation
- Enable FIPS mode for the NetBackup Authentication Broker service
- Enable FIPS mode for the NetBackup Administration Console
- Disable FIPS mode for NetBackup
- NB_FIPS_MODE option for NetBackup servers and clients
- USE_URANDOM for NetBackup servers and clients
- NetBackup web services account
- Running NetBackup services with non-privileged user (service user) account
- Running NetBackup commands with non-privileged user account
- Immutability and indelibility of data in NetBackup
- Anomaly detection
- Section IV. Malware scanning
- Introduction
- How to setup Malware scanning
- Instant Access configurations
- Malware tools configurations
- Scan host configurations
- NetBackup malware scan host capabilities
- Prerequisites for a scan host
- Limitations and considerations for scan host using NFS share
- Configuring scan host
- Configuring a scan host pool
- Managing a scan host
- Configure resource limits for malware detection
- Performing malware scan
- Managing scan tasks
- Malware scan configuration parameters
- Troubleshooting
Configuration for scan instances
The traditional malware scan using Instant Access is based on vpfsd instance. NetBackup 10.3 and later uses a separate vpfsd instance for malware scanning which is configurable. This configuration is done using the parameter. By default, malware scan uses one instance. In most cases, scan instance is adequate but increasing the number of scan instances improves scan performance, although it also requires more CPU and memory. You can increase the number of scan instances from 1 to 4 and distribute the malware scan shares cross all the scan instances.
To change the number of scan instances
- Stop NetBackup on the media server using the following command:
systemctl stop netbackup
Or
/usr/openv/netbackup/bin/goodies/netbackup stop
- Modify the number of scan instances as follows:
Change the value of numOfScanInstance parameter in the
vpfsd_config.jsonfile. The value must be an integer between 1 and 4.For example:
# grep numOfInstance /msdp/vol1/etc/puredisk/vpfsd_config.json
BYO (build-your-own): <storage path>/etc/puredisk/vpfsd_config.json
NetBackup Appliance and NetBackup Flex Scale: /msdp/data/dp1/pdvol/etc/puredisk/vpfsd_config.json
NetBackup Flex: /mnt/msdp/vol0/etc/puredisk/vpfsd_config.json
- Modify the number of vpfsd instances (numOfInstance), the value must be an integer between 2 and 16. Ensure that the value of numOfInstance is greater than numOfScanInstance.
- Start NetBackup on the media server using the following command:
systemctl start netbackup
Or
/usr/openv/netbackup/bin/goodies/netbackup start
Note:
Malware scan instances are part of vpfsd instances, which are reserved only for malware scanning.