NetBackup and Veritas Appliances Hardening Guide
- Top recommendations to improve your NetBackup and Veritas appliances security posture
- Introduction
- Keeping all systems and software updated
- Enabling multifactor authentication
- Increasing the appliance security level
- Implementing an immutable data vault
- Securing credentials
- Reducing network exposure
- Enabling encryption
- Enabling catalog protection
- Enabling malware scanning and anomaly detection
- Enabling security observability
- Restricting user access
- Configuring a sign-in banner
- Steps to protect Flex Appliance
- About Flex Appliance hardening
- Managing single sign-on (SSO)
- Managing user authentication with smart cards or digital certificates
- About lockdown mode
- Using network access control
- Using an external certificate
- Forwarding logs
- Creating a NetBackup WORM storage server instance
- Configuring an isolated recovery environment on a WORM storage server
- Protecting the NetBackup catalog on a WORM storage server
- Using a sign-in banner
- Steps to protect NetBackup Appliance
- About NetBackup Appliance hardening
- About single sign-on (SSO) authentication and authorization
- About authentication using smart cards and digital certificates
- Disable user access to the NetBackup appliance operating system
- About Network Access Control
- About data encryption
- FIPS 140-2 conformance for NetBackup Appliance
- About implementing external certificates
- About forwarding logs to an external server
- Creating the appliance login banner
- Steps to protect NetBackup
- About NetBackup hardening
- Configure NetBackup for single sign-on (SSO)
- Configure user authentication with smart cards or digital certificates
- Access codes
- Workflow to configure immutable and indelible data
- Add a configuration for an external CMS server
- Configuring an isolated recovery environment on a NetBackup BYO media server
- About FIPS support in NetBackup
- Installing KMS
- Workflow for external KMS configuration
- Validating KMS credentials
- Configuring KMS credentials
- Configuring KMS
- Creating keys in an external KMS
- Workflow to configure data-in-transit encryption
- Workflow to use external certificates for NetBackup host communication
- About certificate revocation lists for external CA
- Configuring an external certificate for the NetBackup web server
- Configuring the primary server to use an external CA-signed certificate
- Configuring an external certificate for a clustered primary server
- Configuring a NetBackup host (media server, client, or cluster node) to use an external CA-signed certificate after installation
- Configuration options for external CA-signed certificates
- ECA_CERT_PATH for NetBackup servers and clients
- ECA_TRUST_STORE_PATH for NetBackup servers and clients
- ECA_PRIVATE_KEY_PATH for NetBackup servers and clients
- ECA_KEY_PASSPHRASEFILE for NetBackup servers and clients
- ECA_CRL_CHECK for NetBackup servers and clients
- ECA_CRL_PATH for NetBackup servers and clients
- ECA_CRL_PATH_SYNC_HOURS for NetBackup servers and clients
- ECA_CRL_REFRESH_HOURS for NetBackup servers and clients
- ECA_DISABLE_AUTO_ENROLLMENT for NetBackup servers and clients
- ECA_DR_BKUP_WIN_CERT_STORE for NetBackup servers and clients
- MANAGE_WIN_CERT_STORE_PRIVATE_KEY option for NetBackup primary servers
- Guidelines for managing the primary server NetBackup catalog
- About protecting the MSDP catalog
- How to set up malware scanning
- About backup anomaly detection
- Send audit events to system logs
- Send audit events to log forwarding endpoints
- Display a banner to users when they sign in
About implementing external certificates
NetBackup Appliance's web service uses the PKCS#12 standard and requires certificate files to be in the X.509 (.pem) format. If the certificate files are in the .der, .DER, or .p7b formats, NetBackup Appliance automatically converts the files to an accepted format.
To prevent errors while importing certificates, ensure that the external certificate files meet the following requirements.
Certificate files are in the
.pemfile format and begin with "-----BEGIN CERTIFICATE-----".Certificate files contain the host name and FQDN in the subject alternative name (SAN) field of the certificate. If the certificate is used in an HA environment, the SAN field must contain VIP, host name, and FQDN.
Subject name and common name fields are not empty.
Subject fields are unique for each host.
Subject fields contain a maximum of 255 characters.
Server and client authentication attributes are set in the certificate.
Only ASCII 7 characters are used in the subject and SAN fields of the certificate.
The private key file is in the PKCS#8 PEM format and begins with -----BEGIN ENCRYPTED PRIVATE KEY----- or -----BEGIN PRIVATE KEY-----.
Although optional, you can use the Settings > Security > Certificate > CertificateSigningRequest > Create command to generate a CSR. Copy the CSR content from the command line to your external certificate portal to obtain the required external certificate files.
Example: Enter specified value or use the default value. Common Name (eg, your name or your server's hostname) [Default abc123]: Organizational Unit Name (eg, section) []:Appliance Organization Name (eg, company) [Default Company Ltd]:YourCompanyName Locality Name (eg, city) [Default City]:YourCity State or Province Name (full name) []:YourStateorProvince Country Name (2 letter code) [XX]:YourCountryName Email Address []:email@yourcompany.com Please enter the following 'extra' attributes to be sent with your certificate request. ----- A challenge password []:123456 An optional company name []:ABCD Subject Alternative Name (DNS Names and/or IP Addresses comma separated): abc123,def456.yourcompany.com Subject Alternative Name (email comma separated): Certificate Signing Request Name [Default abc123.csr]: Validity period (in days) [Default 365 days]: Ensure that the Distinguished Name (DN) is specified as a string consisting of a sequence of key=value pairs separated by a comma: Then the generated certificate signing request will be shown on the screen.
Starting from version 4.1, you can register an external certificate on both NetBackup Appliance and NetBackup using the Settings > Security > Certificate > Import command.
Perform the following steps to import the host certificate, host private key, and trust store to register the external certificate on NetBackup and NetBackup Appliance. Both NetBackup and NetBackup Appliance layers use the same host certificate, host private key, and trust store.
- Log in to the appliance as an Administrator user.
- From the NetBackup Appliance Shell Menu, run the Settings > Security > Certificate > Import command. The following NFS and CFS share locations are now accessible:
NFS:
/inst/shareCFS:
\\<ApplianceName>\general_share
- Upload the certificate file, trust store file, and private key file to either of the share locations and enter the paths to the files.
- Choose how to access the certificate revocation list (CRL). A CRL comprises a list of external certificates that have been revoked by the external certificate and should not be trusted. Select either of the following options:
Use the CRL location provided in the certificate file.
Provide the location of a CRL file (
.crl) in the local network.Do not use a CRL.
- Confirm the location of the certificate files you want to register on the appliance.
A detailed example of how to import the certificates is provided here.
Identify the certificate which should be imported.
Import the certificate.
Enter the certificate: Enter the following details for external certificate configuration: Enter the certificate file path: cert_chain.pem Enter the trust store file path: cacerts.pem Enter the private key path: key.pem Enter the password for the passphrase file path or skip security configuration (default: NONE): Should a CRL be honored for the external certificate? 1) Use the CRL defined in the certificate. 2) Use the specific CRL directory. 3) Do not use a CRL. q) Skip security configuration. CRL option (1): 2 Enter the CRL location path: crl Then confirm input information and answer the subsequent questions.
You can manage external certificates on NetBackup Appliance using the commands.
You can use the Settings > > > command to add a server CA, HTTPS proxy CA, or LDAP CA certificate to the certificate authority list. Ensure that you paste the CA certificate content in the PEM or P7B format. The Appliance appends this CA certificate to the certificate authority list. Before appending the CA certificate, the appliance verifies whether the CA certificate is already being used on the appliance. If yes, the appliance quits with a message.
You can use the Settings > > > command to remove a server CA certificate from the certificate authority list. The available CA certificates are listed and you can select the certificate that you want to remove.