Important Update: Cohesity Products Documentation
All Cohesity product documentation are now managed via the Cohesity Docs Portal: https://docs.cohesity.com/HomePage/Content/home.htm. Some documentation available here may not reflect the latest information or may no longer be accessible.
NetBackup™ Commands Reference Guide
- Introduction
- Appendix A. NetBackup Commands
- acsd
- backupdbtrace
- backuptrace
- bmrc
- bmrconfig
- bmrepadm
- bmrprep
- bmrs
- bmrsrtadm
- bp
- bparchive
- bpbackup
- bpbackupdb
- bpcatarc
- bpcatlist
- bpcatres
- bpcatrm
- bpcd
- bpchangeprimary
- bpcleanrestore
- bpclient
- bpclimagelist
- bpclntcmd
- bpclusterutil
- bpcompatd
- bpconfig
- bpdbjobs
- bpdbm
- bpdgclone
- bpdown
- bpduplicate
- bperror
- bpexpdate
- bpfis
- bpflist
- bpgetconfig
- bpgetdebuglog
- bpimage
- bpimagelist
- bpimmedia
- bpimport
- bpinst
- bpkeyfile
- bpkeyutil
- bplabel
- bplist
- bpmedia
- bpmedialist
- bpminlicense
- bpnbat
- bpnbaz
- bppficorr
- bpplcatdrinfo
- bpplclients
- bppldelete
- bpplinclude
- bpplinfo
- bppllist
- bpplsched
- bpplschedrep
- bpplschedwin
- bppolicynew
- bpps
- bprd
- bprecover
- bprestore
- bpretlevel
- bpschedule
- bpschedulerep
- bpsetconfig
- bpstsinfo
- bpstuadd
- bpstudel
- bpstulist
- bpsturep
- bptestbpcd
- bptestnetconn
- bpup
- bpverify
- cat_convert
- cat_export
- cat_import
- configureCerts
- configureMQ
- configureWebServerCerts
- create_nbdb
- csconfig cldinstance
- csconfig cldprovider
- csconfig meter
- csconfig reinitialize
- csconfig throttle
- duplicatetrace
- importtrace
- jbpSA
- jnbSA
- ltid
- mklogdir
- msdpcldutil
- msdpimgutil
- nbauditreport
- nbcallhomeproxyconfig
- nbcatsync
- NBCC
- NBCCR
- nbcertcmd
- nbcertupdater
- nbcldutil
- nbcmdrun
- nbcomponentupdate
- nbcplogs
- nbcredkeyutil
- nbdb_admin
- nbdb_backup
- nbdb_move
- nbdb_ping
- nbdb_restore
- nbdb_unload
- nbdb2adutl
- nbdbms_start_server
- nbdbms_start_stop
- nbdc
- nbdecommission
- nbdelete
- nbdeployutil
- nbdevconfig
- nbdevquery
- nbdiscover
- nbdna
- nbemm
- nbemmcmd
- nbepicfile
- nbfindfile
- nbfirescan
- nbfp
- nbftadm
- nbftconfig
- nbgetconfig
- nbhba
- nbholdutil
- nbhostidentity
- nbhostmgmt
- nbhsmcmd
- nbhypervtool
- nbidpcmd
- nbimageshare
- nbinstallcmd
- nbjm
- nbkmiputil
- nbkmscmd
- nbkmsutil
- nblogparser
- nbmariadb
- nbmysql
- nbmlb
- nborair
- nboracmd
- nbpem
- nbpemreq
- nbmariadb
- nbmlb
- nbperfchk
- nbpgsql
- nbplupgrade
- nbrb
- nbrbutil
- nbreplicate
- nbrepo
- nbrestorevm
- nbseccmd
- nbserviceusercmd
- nbsetconfig
- nbshvault
- nbsmartdiag
- nbsnapimport
- nbsnapreplicate
- nbsqlcmd
- nbsqlite
- nbstl
- nbstlutil
- nbstop
- nbsu
- nbsvrgrp
- netbackup_deployment_insights
- resilient_clients
- restoretrace
- stopltid
- tiermover
- tldd
- tldcd
- tpautoconf
- tpclean
- tpconfig
- tpext
- tpreq
- tpunmount
- verifytrace
- vltadm
- vltcontainers
- vlteject
- vltinject
- vltoffsitemedia
- vltopmenu
- vltrun
- vmadd
- vmchange
- vmcheckxxx
- vmd
- vmdelete
- vmoprcmd
- vmphyinv
- vmpool
- vmquery
- vmrule
- vmupdate
- vnetd
- vssat
- vwcp_manage
- vxlogcfg
- vxlogmgr
- vxlogview
- W2KOption
Name
nbkmscmd — configures the key management service (KMS) in NetBackup.
SYNOPSIS
-configureCredential -credName credential_name -type CKMS -ckmsType AWS -ckmsCredType ACCESS_KEY | IAM [-accessKeyId access_key_id] [-secretAccessKeyPath secret_access_key_file_path] [ -description description]
-configureCredential -credName credential_name -type CKMS -ckmsType Azure -ckmsCredType SERVICE_PRINCIPAL | MANAGED_IDENTITY -clientId client_id [-tenantId tenant_id] [-secretKeyPath secret_key_file_path] [ -description description]
-configureCredential -credName credential_name -type CKMS -ckmsType GCP -ckmsCredType SERVICE_ACCOUNT | IAM [-clientMailId client_mail_id] [-privateKeyPath private_key_file_path] [-privateKeyId private_key_id] [-clientId cliend_id] [-projectId project_id] [ -description description]
-configureCredential -credName credential_name -type PROXY_SERVER -proxyServer proxy_server -proxyPort proxy_port [-proxyServerType AUTHENTICATED | UNAUTHENTICATED ] [ -credFilePath cred_file_path] [-trustStorePath trust_store_file_path] [-description description]
-configureCredential -credName credential_name -certPath certificate_file_path -privateKeyPath private_key_file_path -trustStorePath CA_certificate_file_path [-passphrasePath private_key_passphrase_file_path] [-crlCheckLevel LEAF | CHAIN | DISABLE] [-server master_server_name] [-description description] [-force]
To configure NetBackup KMS (NBKMS):
-configureKMS -name configuration_name -type NBKMS -hmkId host_master_key_ID_to_identify_HMK_passphrase -kpkId key_protection_key_ID_to_identify_KPK_passphrase [-useRandomPassphrase 0 | 1] [-enabledForBackup 0 | 1] [-priority priority_of_KMS_server] [-server master_server_name] [-description description]
To configure external KMS:
-configureKMS -name configuration_name -type KMIP -port port_to_connect_to_external_KMS_server -kmsServerName network_name_of_external_KMS_server -credId credential_ID | -credName credential_name [-enabledForBackup 0 | 1] [-priority priority_of_KMS_server] [-server master_server_name] [-description description]
-configureKMS -name configuration_name -type CKMS -credId credentialID | -credName credential_name [-ckmsProxyServerCredId proxy_server_cred_id | -ckmsProxyServerCredName proxy_server_cred_name] [-description description]
-createKey -name configuration_name -keyName name_of_the_key_to _be_created -keyGroupName key_group_name [-algorithm key_algorithm] [-comment comment_about_the_key] [-keyPassphraseFilePath file_path_of_the_key_passphrase] [-reason reason][-server master_server_name]
-deleteCredential -credName credential_name | -credId credential_ID [-force] [-server master_server_name]
-deleteKMSConfig -name configuration_name [-server master_server_name] [-reason reason_for_deleting] [-force]
-discoverNBKMS
-listCredential [-credName credential_name | -credId credential_ID] [-server master_server_name] [-jsonCompact] [-jsonRaw] [-pageLimit number_of_records_to_be_listed after_offset] [-pageOffset record_number]
-listKeys -name configuration_name [-keyGroupName key_group_name] [-server master_server_name] [-jsonCompact] [-jsonRaw] [-pageLimit number_of_records_to_be_listed_after_offset] [-pageOffset record_number]
-listKMSConfig [-name configuration_name] [-server master_server_name] [-jsonCompact] [-jsonRaw] [-pageLimit number_of_records_to_be_listed_after_offset] [-pageOffset record_number]
-precheckKMSConfig -port port_to_connect_to_external_KMS_server -kmsServerName network_name_of_external_KMS_server -certPath certificate_file_path -privateKeyPath private_key_file_path -trustStorePath CA_certificate_file_path [-passphrasePath private_key_passphrase_file_path] [-crlCheckLevel LEAF | CHAIN | DISABLE] [-credId credential_ID | -credName credential_name] [-server master_server_name] [-jsonRaw]
-updateCredential -credId credential_ID | -credName credential_name -certPath certificate_file_path -privateKeyPath private_key_file_path -trustStorePath CA_certificate_file_path [-passphrasePath private_key_passphrase_file_path] [-crlCheckLevel LEAF | CHAIN | DISABLE] [-server master_server_name] [-description description] [-force]
-updateCredential -credName credential_name -type CKMS -ckmsType AWS -ckmsCredType ACCESS_KEY | IAM [-accessKeyId access_key_id] [-secretAccessKeyPath -secret_access_key_file_path] [ -description description]
-updateCredential -credName credential_name -type CKMS -ckmsType Azure -ckmsCredType SERVICE_PRINCIPAL | MANAGED_IDENTITY -clientId client_id [-tenantId tenant_id] [-secretKeyPath secret_key_file_path] [ -description description]
-updateCredential -credName credential_name -type CKMS -ckmsType GCP -ckmsCredType SERVICE_ACCOUNT | IAM [-clientMailId client_mail_id] [-privateKeyPath private_key_file_path] [-privateKeyId private_key_id] [-clientId cliend_id] [-projectId project_id] [-description description]
-updateCredential -credName credential_name -type PROXY_SERVER -proxyServer proxy_server -proxyPort proxy_port[-proxyServerType AUTHENTICATED | UNAUTHENTICATED ] [ -credFilePathcred_file_path] [-trustStorePath trust_store_file_path] [-descriptiondescription]
To update NetBackup KMS (NBKMS) configuration:
-updateKMSConfig -name configuration_name [-server master_server_name] [-priority priority_of_KMS_server] [-enabledForBackup 0 | 1] [-status 0|1] [-description description]
To update external KMS configuration:
-updateKMSConfig -name configuration_name [-server master_server_name] [-priority priority_of_KMS_server] [-port port_to_connect_to_external_KMS_server] [-kmsServerName network_name_of_external_KMS_server] [-credId credential_ID | -credName credential_name] [-enabledForBackup 0 | 1] [-description description]
-updateKMSConfig -name configuration_name [-credId credentialID | -credName credential_name] [-ckmsProxyServerCredId ckmsProxyServerCredId | -ckmsProxyServerCredName ckmsProxyServerCredName] [-description description]
-validateKMSConfig -name configuration_name [-server master_server_name] [-jsonRaw]
On UNIX systems, the directory path to this command is /usr/openv/netbackup/bin/
On Windows systems, the directory path to this command is install_path\NetBackup\bin\
DESCRIPTION
The nbkmscmd command is used to configure Key Management Service (KMS). You can also create KMS credentials and KMS keys. All of these commands require NetBackup administrator privileges to run. Additionally, these operations require a bpnbat web log-on (bpnbat -login -loginType WEB) using an account that has NetBackup administrator privileges.
The nbkmscmd supports the following operations:
|
-configureCredential |
Adds the KMS configuration credentials to the NetBackup database. The credentials include the ID and name. These credentials are used to connect to external KMS, cloud KMS, or a proxy server. |
|
-configureKMS |
Adds an entry for the KMS configuration in the NetBackup database. When multiperson authorization is enabled for the key management operation, when the generated ticket is approved, KMS is configured. When multiperson authorization is enabled, you cannot perform this operation with this command in versions of NetBackup earlier than 10.5. |
|
-createKey |
Creates an active NetBackup key in the KMS server that is associated with the provided configuration name. To create a key, the KMS server should allow NetBackup to create the key and to set NetBackup attributes on that key. For NetBackup KMS (NBKMS), If the specified key-group name does not exist then the key-group is created with specified algorithm. When multiperson authorization is enabled for the key management operation, when the generated ticket is approved, the key is created. When multiperson authorization is enabled, you cannot perform this operation with this command in versions of NetBackup earlier than 10.5. |
|
-deleteCredential |
Deletes the specified KMS configuration credential from the NetBackup database. When multiperson authorization is enabled for the key management operation, when the generated ticket is approved, the specified credential is deleted. When multiperson authorization is enabled, you cannot perform this operation with this command in versions of NetBackup earlier than 10.5. |
|
-deleteKMSConfig |
Deletes the KMS configuration entry from the NetBackup database. When multiperson authorization is enabled for the key management operation, when the generated ticket is approved, the KMS configuration is deleted. When multiperson authorization is enabled, you cannot perform this operation with this command in versions of NetBackup earlier than 10.5. |
|
-discoverNBKMS |
Discovers whether the NetBackup KMS (NBKMS) is configured and running and adds it to NetBackup database. |
|
-listCredential |
Lists the details of the specified KMS configuration credential in JSON format. If the credential name or ID is not specified, credential details for all KMS configurations are listed. |
|
-listKeys |
Lists the NetBackup keys from the specified KMS configuration in JSON format. |
|
-listKMSConfig |
Lists the details of the specified KMS configuration in JSON format. If the configuration name is not provided, this operation lists the configuration details of all KMS. |
|
-precheckKMSConfig |
Performs a dry run of KMS configuration operations to validate the required connections and setup. |
|
-updateCredential |
Updates the specified KMS configuration credential. When multiperson authorization is enabled for the key management operation, a ticket is generated which, when approved, the specified credential is updated. When multiperson authorization is enabled, you cannot perform this operation with this command in versions of NetBackup earlier than 10.5. |
|
-updateKMSConfig |
Updates the specified KMS configuration in the NetBackup database. When multiperson authorization is enabled for the key management operation, a ticket is generated which, when approved, the KMS configuration is updated. When multiperson authorization is enabled, you cannot perform this operation with this command in versions of NetBackup earlier than 11.111.1. |
|
-validateKMSConfig |
Validates the functionality with the specified KMS configuration and ensures that backup and restore functionality works. |
OPTIONS
- -accessKeyId
Specifies the access key ID for AWS cloud KMS.
- -algorithm algorithm
Specifies the encryption algorithm for the key created. This option is required for Cloud KMS.
- -certPath certificate_file_path
Specifies the path of the certificate that is used to connect to the remote server. Make sure that the certificate file contains a complete certificate chain with leaf certificate on the top, followed by intermediate CAs.
- -ckmsCredType
Specifies the cloud KMS credential type. Valid values depend on the cloud KMS type:
For AWS: ACCESS_KEY and IAM.
For GCP: SERVICE_ACCOUNT and IAM.
For Azure: SERVICE_PRINCIPAL and MANAGED_IDENTITY.
- -ckmsProxyServerCredId
Specifies the credential ID of the proxy server that is used to connect to this KMS.
- -ckmsProxyServerCredName
Specifies the credential name of the proxy server that is used to connect to this KMS.
- -ckmsType
Specifies the cloud KMS type. AWS, GCP, and AZURE are the valid cloud KMS types.
- -clientId
Specifies the client ID for GCP or Azure cloud KMS.
- -clientMailId
Specifies the client email ID for GCP service account.
- -comment comment
Specifies a comment about the key.
- -credFilePath
Specifies the path of the file that has the credentials of the proxy server. This option is valid only for AUTHENTICATED proxy server type. The first line in the file must contain the username and the second line must contain the password.
- -credId credential_ID
Specifies the credential ID of the KMS configuration.
- -credName credential_name
Specifies the credential name of the KMS configuration.
- -crlCheckLevel LEAF | CHAIN | DISABLE
Specifies the revocation check level for certificates of the external KMS server. The default value is LEAF.
Accepted values for CRL check level are:
DISABLE: Revocation check is disabled. The revocation status of the certificate is not validated against the CRL during host communication.
LEAF: The revocation status of the leaf certificate is validated against the CRL.
CHAIN: The revocation status of all the certificates from the certificate chain are validated against the CRL.
- -description description
Used to provide further information about the current operation.
- -enabledForBackup 0 | 1
Specifies whether keys from this KMS should be used for backup or not. The default value is 1.
Provide 0 if the keys from this KMS should not be used for backup.
- -force
Suppresses the confirmation prompts and performs the specified operation.
- -hmkId host_master_key_ID_to_identify_HMK_passphrase
Specifies the host master key (HMK) ID to identify HMK passphrase. This option is only applicable if the KMS type is NBKMS.
- -jsonCompact
Generates output data in a compacted JSON format.
- -jsonRaw
Displays the JSON response of the web server.
- -keyGroupName key_group_name
Specifies the name of the key group that is used to retrieve or set keys.
- -keyName key_name
Specifies the name of the key. For cloud KMS, it specifies the unique identifier of the key.
For AWS: KMS Key ARN
Example: arn:aws:kms:us-east-1:123456789012:key/abcd1234-12ab-34cd-56ef-1234567890ab
For Azure: Key URI
Example: https://myvault.vault.azure.net/keys/mykey/1234567890abcdef1234567890abcdef
For GCP: Resource Name
Example: projects/my-project/locations/global/keyRings/my-keyring/cryptoKeys/my-key
- -keyPassphraseFilePath file_path_of_the_key_passphrase
Specifies the file path that has the passphrase that is used to create the key. Not all KMS types support a key passphrase.
- -kmsServerName network_name_of_external_KMS_server
Specifies the network name for the KMS server. If there are multiple network names for the KMS server, separate the names with a comma (,). This option is only applicable if the KMS type is KMIP.
- -kpkId key_protection_key_ID_to_identify_KPK_passphrase
Specifies the key protection key (KPK) ID to identify KPK passphrase. This option is only applicable if KMS type is NBKMS.
- -name configuration_name
Specifies a unique name for the KMS configuration.
- -pageLimit number_of_records_to_be_listed after_offset
Specifies the number of records to be listed after the offset. Valid values for -pageLimit are 1 to 100. The default value is 100.
- -pageOffset record_number
Specifies the record number from where the records start listing. The default value is 0.
- -passphrasePath private_key_passphrase_file_path
Specifies the file path of the passphrase that is used to encrypt the certificate private key.
- -port port_to_connect_to_external_KMS_server
Specifies the port number to be used to connect to external KMS server. This option is only applicable if KMS type is KMIP.
- -priority priority_of_KMS_server
Specifies the KMS server to be used when NetBackup checks for keys during encryption or decryption. By default, the KMS server priority is set to 0. A KMS server with the highest value gets the first priority to be used during encryption or decryption.
- -privateKeyId
Specifies the private key ID for GCP service account.
- -privateKeyPath private_key_file_path
Specifies the file path for the certificate private key or the private key file path for GCP service account credentials.
- -projectId
Specifies the project ID for GCP service account.
- -proxyPort
Specifies the proxy server port.
- -proxyServer
Specifies the proxy server address.
- -proxyServerType
Specifies the proxy server type. The valid proxy server types are AUTHENTICATED and UNAUTHENTICATED. The default value is AUTHENTICATED.
- -reason reason
Specifies the reason to perform the current operation.
- -secretAccessKeyPath
Specifies the secret access key file path for AWS cloud KMS.
- -secretKeyPath
Specifies the secret key file path for Azure service principal.
- -server master_server_name
Specifies an alternate master server. By default, this command uses the first server entry in the NetBackup configuration file.
- -status 0|1
Specifies if NetBackup operations should use the specified KMS server. The value 1 indicates to use the KMS server for NetBackup operations. Use 0 if you do not want to use the KMS server for NetBackup operations. The default value is 1.
- -tenantId
Specifies the tenant ID for Azure service principal.
- -trustStorePath CA_certificate_file_path
Specifies the file path for the CA certificate that is used to verify the remote server. Make sure that the CA certificate file only contains all the CA certificates including intermediate CAs. The use of -trustStorePath is optional for PROXY_SERVER type credentials.
- -type NBKMS | KMIP | CKMS | PROXY_SERVER
Specifies the KMS type. NBKMS, KMIP, CKMS, and PROXY_SERVER are the valid KMS types.
- -useRandomPassphrase 0|1
Specifies whether random passphrases should be used or not. The default value is 0. Provide 1 if random passphrases should be used for KMS configuration.
EXAMPLES
Example 1: Configure credential for External KMS.
nbkmscmd -configureCredential -credName ExtKMS_Credential -certPath /EKMS_creds/cert_chain.pem -privateKeyPath /EKMS_creds/key.pem -trustStorePath /EKMS_creds/cacerts.pem -description "Configuring credential for external KMS"
Example 2: Configure external KMS.
nbkmscmd -configureKMS -name ExtKMS -type KMIP -kmsServerName extkms.com -port 5696 -credName ExtKMS_Credential -priority 1 -description "Configuring external KMS with configutation name ExtKMS"