NetBackup™ Security and Encryption Guide
MSDP build-your-own (BYO) server prerequisites and hardware requirements to configure Instant Access
The following are prerequisites for using the Instant Access MSDP build-your-own (BYO) server feature:
- The Instant Access feature is supported on an MSDP BYO storage server with Red Hat Enterprise Linux 7.6 or later. The Instant Access feature is not supported on SUSE Linux.
- You must set up Active Directory-based user authentication for Instant Access. For more information, see the Active Directory-based authentication section in the Veritas NetBackup™ Deduplication Guide.
- NFS services must be installed and running if you want to use instant access over NFS.
- Samba services must be installed and running if you want to use instant access over CIFS/SMB. You must configure Samba users on the corresponding storage server and enter the credentials on the client. For more information, see the Active Directory-based authentication section in the Veritas NetBackup™ Deduplication Guide.
- (For NFS) Ensure that the nfs-utils package is installed using the following command:
    yum install nfs-utils -y
- (For SMB) Ensure that the Linux samba and samba winbind packages are installed using the following command:
    yum install samba samba-common samba-winbind samba-winbind-clients samba-winbind-modules -y
  Ensure that the following commands are run to grant permissions to the SMB shares:
    setsebool -P samba_export_all_rw on
    setsebool -P samba_export_all_ro on
- NGINX is installed and running.
  Installing NGINX from Red Hat Software Collections: refer to https://www.softwarecollections.org/en/scls/rhscl/rh-nginx114/ for instructions. Because the package name depends on the NGINX version, run yum search rh-nginx to check whether a newer version is available. (For NetBackup 8.3, an EEB is required if NGINX is installed from Red Hat Software Collections.)
  Installing NGINX from the EPEL repository: refer to https://fedoraproject.org/wiki/EPEL for installation instructions for the repository and further information. The EPEL repository is a volunteer-based community effort and is not commercially supported by Red Hat.
- Before you start the storage configuration, ensure that the new BYO NGINX configuration entry /etc/nginx/conf.d/byo.conf is included as part of the HTTP section of the original /etc/nginx/nginx.conf file.
- If SELinux has been configured, ensure that the policycoreutils and policycoreutils-python packages are installed from the same RHEL yum source (RHEL server), and then run the following commands:
    semanage port -a -t http_port_t -p tcp 10087
    setsebool -P httpd_can_network_connect 1
- Enable the logrotate permission in SELinux using the following command:
    semanage permissive -a logrotate_t
- After NGINX is installed, the HTTP web service on port 80 is enabled by default. Remove /etc/nginx/conf.d/default.conf or edit the file to disable the HTTP web service if it is not needed.
- Ensure that the /mnt folder on the storage server is not directly mounted by any mount point. Mount points should be placed on its subfolders instead.
- If you configure the Instant Access feature on BYO after storage is configured or upgraded without the NGINX service installed, run the command:
    /usr/openv/pdde/vpfs/bin/vpfs_config.sh --configure_byo
- Ensure that the required network ports are open. See "NetBackup media server ports" in the NetBackup Network Ports Reference Guide.
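The checklist above is easy to get partly wrong (an include placed outside the http block, a default.conf still listening on port 80, /mnt mounted directly, a boolean left off). The script below is an added example, not Veritas code, that verifies the NGINX, SELinux and mount prerequisites on a BYO host. Every check reads a text file (nginx.conf, the conf.d directory, a /proc/mounts listing, the output of getsebool -a and of semanage port -l) so it can be exercised offline on constructed samples; with --live it reads the real host. It assumes the stock RHEL nginx.conf layout, where the http block is closed by a "}" at column 0, and the file paths and sample contents are constructed for illustration.

```shell
#!/bin/sh
# Preflight checks for the Instant Access MSDP BYO prerequisites (added example).
# Each check takes file paths as arguments so it runs offline; --live reads the host.

# Check 1: byo.conf (or the conf.d/*.conf glob that covers it) is included inside
# the http { } block of nginx.conf. Assumes the block ends with "}" at column 0.
nginx_includes_byo() {
  awk '
    /^[ \t]*http[ \t]*\{/ { inhttp = 1 }
    inhttp && /^[ \t]*include[ \t]+\/etc\/nginx\/conf\.d\/(byo\.conf|\*\.conf)[ \t]*;/ { found = 1 }
    inhttp && /^\}/ { inhttp = 0 }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# Check 2: the default port-80 listener is disabled: default.conf is absent from the
# conf.d directory ($1) or no longer carries an active "listen 80" directive.
default_listener_disabled() {
  f="$1/default.conf"
  [ ! -e "$f" ] || ! grep -Eq '^[[:space:]]*listen[[:space:]]+(80|\[::\]:80)[[:space:];]' "$f"
}

# Check 3: /mnt itself is not a mount point ($1 is a file in /proc/mounts format);
# mounts on subfolders such as /mnt/msdp are fine.
mnt_not_mountpoint() {
  awk '$2 == "/mnt" { found = 1 } END { exit found ? 1 : 0 }' "$1"
}

# Check 4: the three SELinux booleans from the guide are on ($1 is getsebool -a output,
# one "name --> on|off" line per boolean).
sebools_ok() {
  awk '
    ($1 == "samba_export_all_rw" || $1 == "samba_export_all_ro" || $1 == "httpd_can_network_connect") \
      && $3 == "on" && !($1 in on) { on[$1] = 1; n++ }
    END { exit n == 3 ? 0 : 1 }
  ' "$1"
}

# Check 5: tcp/10087 carries the http_port_t label ($1 is semanage port -l output).
port_10087_labelled() {
  awk '
    $1 == "http_port_t" && $2 == "tcp" {
      for (i = 3; i <= NF; i++) { p = $i; sub(/,$/, "", p); if (p == "10087") found = 1 }
    }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# Run one check, print PASS/FAIL with its name, and record failure in rc.
report() { if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; rc=1; fi; }

# Args: nginx.conf, conf.d dir, mounts file, getsebool output, semanage output.
# Returns 1 if any check failed.
preflight() {
  rc=0
  report nginx_includes_byo "$1"
  report default_listener_disabled "$2"
  report mnt_not_mountpoint "$3"
  report sebools_ok "$4"
  report port_10087_labelled "$5"
  return $rc
}

# Real host: snapshot the live inputs into a temp dir and run the checks.
live() {
  t=$(mktemp -d)
  cat /proc/mounts > "$t/mounts"
  getsebool -a > "$t/sebool"
  semanage port -l > "$t/ports"
  preflight /etc/nginx/nginx.conf /etc/nginx/conf.d "$t/mounts" "$t/sebool" "$t/ports"
  rc=$?; rm -rf "$t"; return $rc
}

# Constructed sample inputs that satisfy every prerequisite (not from a real host).
demo() {
  t=$(mktemp -d)
  mkdir "$t/conf.d"
  printf 'http {\n    include /etc/nginx/conf.d/byo.conf;\n}\n' > "$t/nginx.conf"
  printf 'server {\n    # listen 80;  disabled as the guide recommends\n}\n' > "$t/conf.d/default.conf"
  printf '/dev/sda1 / xfs rw 0 0\n/dev/sdb1 /mnt/msdp xfs rw 0 0\n' > "$t/mounts"
  printf 'httpd_can_network_connect --> on\nsamba_export_all_ro --> on\nsamba_export_all_rw --> on\n' > "$t/sebool"
  printf 'http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000, 10087\n' > "$t/ports"
  preflight "$t/nginx.conf" "$t/conf.d" "$t/mounts" "$t/sebool" "$t/ports"
  rc=$?; rm -rf "$t"; return $rc
}

case "${1:-}" in
  --live) live ;;
  *) demo ;;   # default: run against the constructed samples
esac
```

Run it as `sh preflight.sh` to see the checks pass on the constructed samples, or `sh preflight.sh --live` as root on the storage server; a non-zero exit status means at least one prerequisite is not met, and the FAIL line names which one.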
| CPU | Memory | Disk |
|---|---|---|