Veritas NetBackup™ Appliance Security Guide

Last Published:
Product(s): Appliances (5.1.1)
Platform: NetBackup Appliance OS
  1. About the NetBackup appliance Security Guide
    1.  
      About the NetBackup appliance Security Guide
  2. User authentication
    1. About user authentication on the NetBackup appliance
      1.  
        User types that can authenticate on the NetBackup appliance
    2. About configuring user authentication
      1.  
        Generic user authentication guidelines
    3.  
      About authenticating LDAP users
    4.  
      About authenticating Active Directory users
    5. About authentication using smart cards and digital certificates
      1.  
        2FA
      2.  
        Smart card Authentication for NetBackup Web UI
      3.  
        Smart card authentication for NetBackup Appliance Web UI
      4.  
        Smart card authentication for NetBackup Appliance Shell Menu
      5.  
        Configure role-based access control
      6.  
        Configure authentication for a smart card or digital certificate for the NetBackup Web UI
    6. About single sign-on (SSO) authentication and authorization
      1.  
        Configure single sign-on (SSO) for a NetBackup Appliance
    7.  
      About the appliance login banner
    8. About user name and password specifications
      1.  
        About STIG-compliant password policy rules
  3. User authorization
    1.  
      About user authorization on the NetBackup appliance
    2. About authorizing NetBackup appliance users
      1.  
        NetBackup appliance user role privileges
    3.  
      About the Administrator user role
    4.  
      About the NetBackupCLI user role
    5.  
      About user authorization in NetBackup
  4. Intrusion prevention and intrusion detection systems
    1.  
      About Symantec Data Center Security on the NetBackup appliance
    2.  
      About the NetBackup appliance intrusion prevention system
    3.  
      About the NetBackup appliance intrusion detection system
    4.  
      Reviewing SDCS events on the NetBackup appliance
    5.  
      Running SDCS in unmanaged mode on the NetBackup appliance
    6.  
      Running SDCS in managed mode on the NetBackup appliance
  5. Log files
    1.  
      About NetBackup appliance log files
    2.  
      Viewing log files using the Support command
    3.  
      Where to find NetBackup appliance log files using the Browse command
    4.  
      Gathering device logs on a NetBackup appliance
    5.  
      Log Forwarding feature overview
  6. Operating system security
    1.  
      About NetBackup appliance operating system security
    2.  
      Major components of the NetBackup appliance OS
    3.  
      Disable user access to the NetBackup appliance operating system
    4.  
      Manage support access to the maintenance shell
  7. Data security
    1.  
      About data security
    2.  
      About data integrity
    3.  
      About data classification
    4. About data encryption
      1.  
        KMS support
  8. Web security
    1.  
      About SSL usage
    2.  
      About implementing external certificates
  9. Network security
    1.  
      About Network Access Control
    2.  
      About IPsec Channel Configuration
    3.  
      About NetBackup appliance ports
    4.  
      About the NetBackup Appliance firewall
  10. Call Home security
    1. About AutoSupport
      1.  
        Data security standards
    2. About Call Home
      1.  
        Configuring Call Home from the NetBackup Appliance Shell Menu
      2.  
        Enabling and disabling Call Home from the appliance shell menu
      3.  
        Configuring a Call Home proxy server from the NetBackup Appliance Shell Menu
      4.  
        Understanding the Call Home workflow
    3. About SNMP
      1.  
        About the Management Information Base (MIB)
  11. Remote Management Module (RMM) security
    1.  
      Introduction to IPMI configuration
    2.  
      Recommended IPMI settings
    3.  
      RMM ports
    4.  
      Enabling SSH on the Remote Management Module
    5.  
      Replacing the default IPMI SSL certificate
    6.  
      Implementing an external IPMI SSL certificate
  12. STIG and FIPS conformance
    1.  
      OS STIG hardening for NetBackup appliance
    2.  
      FIPS 140-2 conformance for NetBackup appliance
    3.  
      About FIPS compliant ciphers
  13.  
    Index

Implementing an external IPMI SSL certificate

Use the following procedure to implement an external IPMI SSL certificate and import it into the IPMI web interface.

This procedure uses the following pass phrase and file names as examples. You can substitute this information as needed for your application.

  • Pass phrase: 1234

  • Private key file name: privkey5250.pem

  • CSR file name: ipmi5250.req

  • Certificate file name: ipmi5250.cer

To create and implement an external IPMI SSL certificate

  1. Generate the private key.

    Note:

    A pass phrase is required to generate the key. This example procedure uses "1234". The pass phrase can be removed later.

    Perform the following tasks to generate the private key:

    • Log in to the NetBackup Appliance Shell Menu (shell menu) and enter the maintenance mode with the following command:

      Support > Maintenance

    • Enter the name of the private key file with the following command, followed by the pass phrase when prompted:

      openssl genrsa -aes256 -out privkey5250.pem 2048

    • Display the private key file content with the following command:

      cat privkey5250.pem

    • Check the private key file with the following command, followed by the pass phrase when prompted:

      openssl rsa -in privkey5250.pem -check - noout

  2. Generate the CSR for the IPMI.

    The CSR file is created as a .req file and is uploaded to the CMP request.

    • Enter the name of the CSR with the following command, followed by the pass phrase when prompted:

      openssl req -new -key privkey5250.pem - sha256 -out csr_ipmi.req -subj/CN=<HostFQDN>/OU=<>/O=<>/C=<>/L=<>/ST=<>

      Where CN is the server IPMI FQDN name, OU is the organizational unit, O is the organization, C is the country, L is the location, and ST is the state. The output file name result is ipmi5250.req.

    • Verify the CSR with the following command:

      openssl req -in ipmi5250.req -subject -verify - noout

    • Display the CSR file content with the following:

      cat ipmi5250.req

      These contents are used in the CSR request on the CMP website.

    • You will receive the new certificate in an email. Save the certificates for IPMI and name the file as ipmi5250.cer.

    • Display and view the certificate details with the following command:

      openssl x509 -text -in certificate.cer

  3. Implement the IPMI certificate as follows:

    • Remove the pass phrase from the private key with the following command, followed by the pass phrase when prompted:

      openssl rsa -in privkey5250.pem -out privkey.pem

    • If the Remote Management Console (RMM) uses version BMC 2.86 or later, concatenate the CA root certificate, the CA intermediate certificate, and the server certificate into a single .pem file. For example:

      cat ipmi5250.cer root-cacert.pem root-intermediatecert.pem > ipmi5250certificate.pem

      If the RMM uses a BMC version earlier than 2.86, you must only use the server certificate that you received from the third-party certificate authority to upload.

    • Copy the ipmi5250certificate.pem file to a Windows server where you can connect to the RMM console from the web browser.

    • Log in to the RMM console and click Configuration > SSL Certification on the left screen menu.

    • Click Choose file. When prompted for a new SSL certificate, select ipmi5250certificate.pem for New SSL certificate and privkey.pem for New Private Key.

    • Click Upload. When a prompt appears to indicate that the certificate already exists, click OK. A message appears to indicate that the certificate was uploaded successfully.

    • The RMM console reboots automatically. Wait a few minutes, then log in and reload the webpage to confirm that the certificate has been applied successfully.