NetBackup and Veritas Appliances Hardening Guide
Validating KMS credentials
If incorrect credentials are configured in NetBackup, communication with the external KMS server may fail. To avoid such failures, NetBackup carries out certain validations before a credential can be configured for KMS use. If a validation check is not passed, the credential cannot be configured.
The following validations are carried out while you configure a new credential or update an existing one. It is not recommended to configure a credential if any of these checks fail:
- The certificate path is valid
- The trust store path is valid
- The private key path is valid
- The certificate(s) in the certificate chain are readable
- The certificate(s) in the trust store are readable
- The private key is readable
- The Common Name field is not empty
- The certificate is not expired
- The certificate is currently valid
- The private key matches the certificate
- The certificates are in the appropriate order
The following CRL validation checks are performed if ECA_CRL_PATH is configured and the CRL check level is other than DISABLE:
- The CRL directory contains CRL files
- The CRL check level is valid
- The CRL path is valid
- The available CRLs are readable
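The checks listed above can be scripted as a pre-flight test and run before a credential is handed to NetBackup, so that a bad path, an expired certificate, or a key that does not belong to the certificate is caught before the configuration step. The script below is an added example and is not Veritas or NetBackup code. It assumes that the openssl command-line tool is installed, that the private key is an unencrypted PEM file, that the certificate file is a PEM chain with the leaf certificate first, and that the CRL check levels are DISABLE, LEAF and CHAIN (the values of NetBackup's ECA_CRL_CHECK option; confirm the set for your version). All function names are the example's own.

```python
"""Pre-flight checks for a KMS credential before it is configured in NetBackup.
Added example, not Veritas code: it reproduces the path, readability, Common Name,
validity, key/certificate match, chain-order and CRL-directory checks listed above.
Certificate fields are read through the system 'openssl' binary (assumed present)."""
import os
import subprocess
from datetime import datetime, timezone

CRL_LEVELS = {"DISABLE", "LEAF", "CHAIN"}  # assumed ECA_CRL_CHECK values; confirm for your version


def readable(path):
    """Path exists, is a regular file and is readable by the current user."""
    return os.path.isfile(path) and os.access(path, os.R_OK)


def openssl(*args, stdin=None):
    """Run an openssl subcommand; returns (returncode, stdout)."""
    proc = subprocess.run(["openssl", *args], input=stdin, capture_output=True, text=True)
    return proc.returncode, proc.stdout


def split_pem_chain(text):
    """Split a PEM bundle into single-certificate blocks, keeping file order."""
    blocks, current = [], []
    for line in text.splitlines():
        current.append(line)
        if line.startswith("-----END CERTIFICATE-----"):
            blocks.append("\n".join(current) + "\n")
            current = []
    return blocks


def name_field(pem, which):
    """Subject or issuer of one certificate in RFC 2253 form, e.g. 'CN=kms,O=Acme'."""
    _, out = openssl("x509", "-noout", f"-{which}", "-nameopt", "RFC2253", stdin=pem)
    return out.partition("=")[2].strip()


def cn_present(rfc2253_name):
    """True when the name carries a non-empty CN attribute."""
    return any(p.startswith("CN=") and len(p) > 3 for p in rfc2253_name.split(","))


def chain_in_order(names):
    """names: (subject, issuer) pairs, leaf first; each issuer must be the next subject."""
    return all(names[i][1] == names[i + 1][0] for i in range(len(names) - 1))


def validity_window(pem, now=None):
    """(currently_valid, not_expired) derived from the certificate's notBefore/notAfter."""
    _, out = openssl("x509", "-noout", "-dates", stdin=pem)
    stamps = {}
    for line in out.splitlines():
        key, _, value = line.partition("=")
        stamps[key] = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return stamps["notBefore"] <= now, now <= stamps["notAfter"]


def key_matches_cert(cert_pem, key_path):
    """Public key embedded in the certificate must equal the one derived from the private key."""
    _, cert_pub = openssl("x509", "-noout", "-pubkey", stdin=cert_pem)
    _, key_pub = openssl("pkey", "-pubout", "-in", key_path)
    return bool(cert_pub) and cert_pub == key_pub


def check_crl_dir(crl_path, level):
    """CRL checks that apply when ECA_CRL_PATH is set and the level is not DISABLE."""
    results = [("crl check level valid", level in CRL_LEVELS)]
    if level == "DISABLE":
        return results
    is_dir = os.path.isdir(crl_path)
    files = [os.path.join(crl_path, f) for f in os.listdir(crl_path)] if is_dir else []
    return results + [("crl path valid", is_dir), ("crl directory has files", bool(files)),
                      ("crls readable", bool(files) and all(readable(f) for f in files))]


def validate_credential(cert_path, key_path, trust_path, crl_path=None, level="DISABLE"):
    """Run every check; returns [(check, passed), ...]. Configure the credential only if all pass."""
    results = [("cert path valid and readable", readable(cert_path)),
               ("key path valid and readable", readable(key_path)),
               ("trust store path valid and readable", readable(trust_path))]
    if not all(ok for _, ok in results):
        return results  # the remaining checks need the files
    chain = split_pem_chain(open(cert_path).read())
    trust = split_pem_chain(open(trust_path).read())
    parses = lambda pem: openssl("x509", "-noout", stdin=pem)[0] == 0
    results += [("chain certs readable", bool(chain) and all(map(parses, chain))),
                ("trust store certs readable", bool(trust) and all(map(parses, trust))),
                ("private key readable", openssl("pkey", "-noout", "-in", key_path)[0] == 0)]
    if not all(ok for _, ok in results):
        return results
    currently_valid, not_expired = validity_window(chain[0])
    results += [("common name present", cn_present(name_field(chain[0], "subject"))),
                ("not expired", not_expired), ("currently valid", currently_valid),
                ("key matches cert", key_matches_cert(chain[0], key_path)),
                ("chain order", chain_in_order(
                    [(name_field(c, "subject"), name_field(c, "issuer")) for c in chain]))]
    if crl_path is not None:
        results += check_crl_dir(crl_path, level)
    return results
```

Call validate_credential(cert_path, key_path, trust_store_path, crl_path, level) and proceed with the NetBackup configuration only when every returned check is True. The checks are gated in the same spirit as the list above: if a file is missing or unreadable, the later checks are not attempted, because their results would be meaningless. The chain-order check compares each certificate's issuer name with the subject name of the certificate that follows it, which is the property a leaf-first PEM chain must satisfy.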
To validate KMS credentials and KMS compatibility
- Run the following command:
nbkmiputil -kmsServer kms_server_name -port port -certPath cert_path -privateKeyPath private_key_path -trustStorePath trust_store_path -validate
The nbkmiputil command validates the KMS functionality, including the connection to the KMS server.
It also tests operations such as list keys, fetch keys, set attributes, and fetch attributes. For set attributes, you must have 'write' permission on the KMS server. The nbkmiputil command also validates the CA fingerprint on the server certificate that is exchanged during the TLS handshake. nbkmiputil uses TLS 1.2 or later for secure communication with the external KMS server.
- (This step is conditional.) If the KMS vendor is not listed as a supported KMS vendor in the NetBackup hardware compatibility list and you want to verify the compatibility of the vendor with NetBackup, use the following command.
The command requires you to have 'write' privileges on the external KMS server. It creates eight symmetric keys on the external KMS server and performs various KMIP operations to check compatibility. After the compatibility check, you must explicitly delete the keys that were created.
- Check that the NetBackup primary server is compatible with the KMS vendor and can communicate with it using the KMIP protocol. Run the following command:
nbkmiputil -kmsServer kms_server_name -port port -certPath cert_path -privateKeyPath private_key_path -trustStorePath trust_store_path -ekmsCheckCompat
It is recommended that you run the -ekmsCheckCompat option to check whether you can successfully configure KMS in your environment.
This option creates eight test keys on the specified KMS server, which you must delete manually afterwards.
- If a check fails, contact Veritas Technical Support.