Veritas NetBackup™ Appliance Security Guide

Last Published:
Product(s): Appliances (4.1)
Platform: NetBackup Appliance OS
  1. About the NetBackup appliance Security Guide
    1.  
      About the NetBackup appliance Security Guide
  2. User authentication
    1. About user authentication on the NetBackup appliance
      1.  
        User types that can authenticate on the NetBackup appliance
    2. About configuring user authentication
      1.  
        Generic user authentication guidelines
    3.  
      About authenticating LDAP users
    4.  
      About authenticating Active Directory users
    5.  
      About authentication using smart cards and digital certificates
    6.  
      About authenticating Kerberos-NIS users
    7.  
      About the appliance login banner
    8. About user name and password specifications
      1.  
        About STIG-compliant password policy rules
  3. User authorization
    1.  
      About user authorization on the NetBackup appliance
    2. About authorizing NetBackup appliance users
      1.  
        NetBackup appliance user role privileges
    3.  
      About the Administrator user role
    4.  
      About the NetBackupCLI user role
    5.  
      About user authorization in NetBackup
  4. Intrusion prevention and intrusion detection systems
    1.  
      About Symantec Data Center Security on the NetBackup appliance
    2.  
      About the NetBackup appliance intrusion prevention system
    3.  
      About the NetBackup appliance intrusion detection system
    4.  
      Reviewing SDCS events on the NetBackup appliance
    5.  
      Running SDCS in unmanaged mode on the NetBackup appliance
    6.  
      Running SDCS in managed mode on the NetBackup appliance
  5. Log files
    1.  
      About NetBackup appliance log files
    2.  
      Viewing log files using the Support command
    3.  
      Where to find NetBackup appliance log files using the Browse command
    4.  
      Gathering device logs on a NetBackup appliance
    5.  
      Log Forwarding feature overview
  6. Operating system security
    1.  
      About NetBackup appliance operating system security
    2.  
      Major components of the NetBackup appliance OS
    3.  
      Disable user access to the NetBackup appliance operating system
    4.  
      Manage support access to the maintenance shell
  7. Data security
    1.  
      About data security
    2.  
      About data integrity
    3.  
      About data classification
    4. About data encryption
      1.  
        KMS support
  8. Web security
    1.  
      About SSL usage
    2.  
      About implementing ECA certificates
  9. Network security
    1.  
      About IPsec Channel Configuration
    2.  
      About NetBackup appliance ports
    3.  
      About the NetBackup Appliance firewall
  10. Call Home security
    1. About AutoSupport
      1.  
        Data security standards
    2. About Call Home
      1.  
        Configuring Call Home from the NetBackup Appliance Shell Menu
      2.  
        Enabling and disabling Call Home from the appliance shell menu
      3.  
        Configuring a Call Home proxy server from the NetBackup Appliance Shell Menu
      4.  
        Understanding the Call Home workflow
    3. About SNMP
      1.  
        About the Management Information Base (MIB)
  11. Remote Management Module (RMM) security
    1.  
      Introduction to IPMI configuration
    2.  
      Recommended IPMI settings
    3.  
      RMM ports
    4.  
      Enabling SSH on the Remote Management Module
    5.  
      Replacing the default IPMI SSL certificate
  12. STIG and FIPS conformance
    1.  
      OS STIG hardening for NetBackup appliance
    2.  
      FIPS 140-2 conformance for NetBackup appliance
  13. Appendix A. Security release content
    1.  
      \NetBackup Appliance security release content
  14.  
    Index

About implementing ECA certificates

NetBackup appliance's web service uses the PKCS#12 standard and requires certificate files to be in the X.509 (.pem or .cer) format. If the certificate files are in the .der, .DER, or .p7b formats, NetBackup appliance automatically converts the files to an accepted format.

Certificate requirements

To prevent errors while importing certificates, ensure that the external certificate files meet the following requirements.

  • Certificate files are in the .pem file format and begin with "-----BEGIN CERTIFICATE-----".

  • Certificate files contain the host name and FQDN in the subject alternative name (SAN) field of the certificate. If the certificate is used in an HA environment, the SAN field must contain VIP, host name, and FQDN.

  • Subject name and common name fields are not empty.

  • Subject fields are unique for each host.

  • Subject fields contain a maximum of 255 characters.

  • Server and client authentication attributes are set in the certificate.

  • Only ASCII 7 characters are used in the subject and SAN fields of the certificate.

  • The private key file is in the PKCS#8 PEM format and begins with -----BEGIN ENCRYPTED PRIVATE KEY----- or -----BEGIN PRIVATE KEY-----.

Certificate Signing Request (CSR)

Although optional, you can use the Settings > Security > Certificate > CertificateSigningRequest > Create command to generate a CSR. Copy the CSR content from the command line to your ECA portal to obtain the required external certificate files.

Register the ECA

Starting from version 4.1, you can register an ECA on both NetBackup appliance and NetBackup using the Settings > Security > Certificate > Import command.

Perform the following steps to import the host certificate, host private key, and trust store to register the ECA on NetBackup and NetBackup appliance. Both NetBackup and NetBackup appliance layers use the same host certificate, host private key, and trust store.

  1. Log in to the appliance as an Administrator user.
  2. From the NetBackup Appliance Shell Menu, run the Settings > Security > Certificate > Import command. The following NFS and CFS share locations are now accessible:

    • NFS: /inst/share

    • CFS: \\<ApplianceName>\general_share

  3. Upload the certificate file, trust store file, and private key file to either of the share locations and enter the paths to the files.
  4. Choose how to access the certificate revocation list (CRL). A CRL comprises a list of external certificates that have been revoked by the ECA and should not be trusted. Select either of the following options:

    • Use the CRL location provided in the certificate file.

    • Provide the location of a CRL file (.crl ) in the local network.

    • Do not use a CRL.

  5. Confirm the location of the certificate files you want to register on the appliance.
Support for Copilot

Before you use the Copilot feature on an appliance deployed with external certificates, ensure the following:

  • The appliance's certificate file (in /etc/vxos-ssl/servers/certs/) is same as the primary server's certificate file (in /usr/openv/var/global/appliance_certificates/).

  • The appliance's certificate file (in /etc/vxos-ssl/servers/certs/) is named in the <FQDN_hostname>-self.cert.pem format.

Run the following commands on each of the associated appliances: 

rm /etc/vxos-ssl/servers/certs/<FQDN_hostname>-self.cert.pem

cp /etc/vxos-ssl/servers/certs/server.pem 
/etc/vxos-ssl/servers/certs/<FQDN_hostname>-self.cert.pem

tpconfig -delete -nb_appliance <Short_hostname>

/opt/NBUAppliance/scripts/copilot_users.pl --add