NetBackup™ Security and Encryption Guide
- Read this first for secure communications in NetBackup- About secure communication in NetBackup
- How NetBackup CA-signed certificates (or host ID-based certificates) are deployed during installation
- How secure communication works with master server cluster nodes
- About NetBackup clients installed on nodes of a clustered application
- How NetBackup certificates are deployed on hosts during upgrades
- When an authorization token is required during certificate deployment
- Why do you need to map host names (or IP addresses) to host IDs
- How to reset host attributes or host communication status
- What has changed for catalog recovery
- What has changed with Auto Image Replication
- How the hosts with revoked certificates work
- Are NetBackup certificates backed up
- Can you configure external certificates for master server
- How secure communication works with master server cluster nodes using external certificates
- How revocation lists work for external certificates
- How communication happens when a host cannot directly connect to the master server
- How NetBackup 8.1 or later hosts communicate with NetBackup 8.0 and earlier hosts
- How communication with legacy media servers happens in the case of cloud configuration
- Communication failure scenarios
- Secure communication support for other hosts in NetBackup domain
- Communication between NetBackup 8.1 or later master server
- Secure communication support for BMR
- Configuration for VMware backups that protect SQL Server and backups with SQL Servers that use multiple NICs
 
- Increasing NetBackup security- About NetBackup security and encryption
- NetBackup security implementation levels
- World-level security
- Enterprise-level security
- Datacenter-level security overview
- NetBackup Access Control (NBAC)
- Combined world, enterprise, and datacenter levels
- NetBackup security implementation types
- Operating system security
- NetBackup security vulnerabilities
- Standard NetBackup security
- Client side encryption security
- NBAC on primary, media server, and graphical user interface security
- NBAC complete security
 
- Security deployment models- Workgroups
- Single datacenters
- Multi-datacenters
- Workgroup with NetBackup
- Single datacenter with standard NetBackup
- Single datacenter with client side encryption
- Single datacenter with NBAC on primary and media servers
- Single datacenter with NBAC complete
- Multi-datacenter with standard NetBackup
- Multi-datacenter with client side encryption
- Multi-datacenter with NBAC on primary and media servers
- Multi-datacenter with NBAC complete
 
- Auditing NetBackup operations- About NetBackup auditing
- Viewing the current audit settings
- About audit events
- Audit retention period and catalog backups of audit records
- Viewing the detailed NetBackup audit report
- User identity in the audit report
- Disabling auditing
- Audit alert notification for audit failures (NetBackup Administration Console)
- Send audit events to system logs
 
- Section I. Identity and access management- About identity and access management
- AD and LDAP domains
- Access keys
- API keys
- Auth.conf file
- Role-based access control- RBAC features
- RBAC settings
- Disable web UI access for operating system (OS) administrators
- Disable command-line (CLI) access for operating system (OS) administrators
- Configuring RBAC
- Add AD or LDAP domains
- Default RBAC roles
- Administrator
- Default Cloud Administrator
- Default NetBackup Command Line (CLI) Administrator
- Default Kubernetes Administrator
- Default NetBackup Kubernetes Operator Service
- Default Oracle Administrator
- Default Microsoft SQL Server Administrator
- Default Resiliency Administrator
- Default RHV Administrator
- Default SaaS Administrator
- Default AHV Administrator
- Default Security Administrator
- Default Storage Administrator
- Default Universal Share Administrator
- Default VMware Administrator
- Add a custom RBAC role
- Edit or remove a role a custom role
- View users in RBAC
- Add a user to a role (non-SAML)
- Add a smart card user to a role (non-SAML, without AD/LDAP)
- Add a user to a role (SAML)
- Remove a user from a role
 
- Smart card or digital certificate- Configure user authentication with smart cards or digital certificates
- Configure smart card authentication with domain
- Configure smart card authentication without domain
- Edit the configuration for smart card authentication
- Add or delete a CA certificate that is used for smart card authentication
- Disable or temporarily disable smart card authentication
 
- Single Sign-On (SSO)
- Enhanced Auditing
- NetBackup Access Control Security (NBAC)- About using NetBackup Access Control (NBAC)
- NetBackup access management administration
- About NetBackup Access Control (NBAC) configuration
- Configuring NetBackup Access Control (NBAC)- NBAC configuration overview
- Configuring NetBackup Access Control (NBAC) on standalone primary servers
- Installing the NetBackup primary server highly available on a cluster
- Configuring NetBackup Access Control (NBAC) on a clustered primary server
- Configuring NetBackup Access Control (NBAC) on media servers
- Installing and configuring access control on clients
- About including authentication and authorization databases in the NetBackup hot catalog backups
- NBAC configure commands summary
- Unifying NetBackup Management infrastructures with the setuptrust command
- Using the setuptrust command
 
- Configuring Access Control host properties for the primary and media server
- Access Control host properties dialog for the client
- Using NetBackup Access Control (NBAC) with Auto Image Replication
- Troubleshooting Access Management- Troubleshooting NBAC issues
- Configuration and troubleshooting tips for NetBackup Authentication and Authorization
- Windows verification points
- UNIX verification points
- Verification points in a mixed environment with a UNIX primary server
- Verification points in a mixed environment with a Windows primary server
- About the nbac_cron utility
- Using the nbac_cron utility
 
- Using the Access Management utility
- About determining who can access NetBackup
- Viewing specific user permissions for NetBackup user groups- Granting permissions
- Authorization objects
- Media authorization object permissions
- Policy authorization object permissions
- Drive authorization object permissions
- Report authorization object permissions
- NBU_Catalog authorization object permissions
- Robot authorization object permissions
- Storage unit authorization object permissions
- DiskPool authorization object permissions
- BUAndRest authorization object permissions
- Job authorization object permissions
- Service authorization object permissions
- HostProperties authorization object permissions
- License authorization object permissions
- Volume group authorization object permissions
- VolumePool authorization object permissions
- DevHost authorization object permissions
- Security authorization object permissions
- Fat server authorization object permissions
- Fat client authorization object permissions
- Vault authorization object permissions
- Server group authorization object permissions
- Key management system (kms) group authorization object permissions
 
- Upgrading NetBackup Access Control (NBAC)
 
 
- Section II. Encryption of data-in-transit- NetBackup CA and NetBackup certificates- Overview of security certificates in NetBackup
- About secure communication in NetBackup
- About the Security Management utilities
- About host management- Hosts tab
- Adding host ID to host name mappings
- Add or Remove Host Mappings dialog box
- Removing host ID to host name mappings
- Mappings for Approval tab
- Viewing auto-discovered mappings
- Mapping Details dialog box
- Approving host ID to host name mappings
- Rejecting host ID to host name mappings
- Adding shared or cluster mappings
- Add Shared or Cluster Mappings dialog box
- Resetting NetBackup host attributes
- Allowing or disallowing automatic certificate reissue
- Adding or deleting comment for a host
 
- About global security settings- About secure communication settings
- Disabling insecure communication
- About insecure communication with 8.0 and earlier hosts
- About communication with 8.0 or earlier host in multiple NetBackup domains
- Automatically mapping host ID to host names and IP addresses
- About disaster recovery settings
- Setting a passphrase to encrypt disaster recovery packages
- Disaster recovery packages
 
- About host name-based certificates
- About host ID-based certificates- Web login requirements for nbcertcmd command options
- Using the Certificate Management utility to issue and deploy host ID-based certificates
- About NetBackup certificate deployment security levels
- Automatic host ID-based certificate deployment
- Deploying host ID-based certificates
- Deploying host ID-based certificates in an asynchronous manner
- Implication of clock skew on certificate validity
- Setting up trust with the master server (Certificate Authority)
- Forcing or overwriting certificate deployment
- Retaining host ID-based certificates when reinstalling NetBackup on non-primary hosts
- Deploying certificates on a client that has no connectivity with the primary server
- About host ID-based certificate expiration and renewal
- Deleting sensitive certificates and keys from media servers and clients
- Cleaning host ID-based certificate information from a host before cloning a virtual machine
- About reissuing host ID-based certificates
 
- About Token Management for host ID-based certificates
- About the host ID-based certificate revocation list
- About revoking host ID-based certificates
- Deleting host ID-based certificates
- Host ID-based certificate deployment in a clustered setup- About deployment of a host ID-based certificate on a clustered NetBackup host
- Deploying host ID-based certificates on cluster nodes
- Revoking a host ID-based certificate for a clustered NetBackup setup
- Deploying a host ID-based certificate on a clustered NetBackup setup using reissue token
- Creating a reissue token for a clustered NetBackup setup
- Renewing a host ID-based certificate on a clustered NetBackup setup
- Viewing certificate details of a clustered NetBackup setup
- Removing CA certificates from a clustered NetBackup setup
- Generating a certificate on a clustered master server after disaster recovery installation
 
- About the communication between a NetBackup client located in a demilitarized zone and a primary server through an HTTP tunnel
- Adding a NetBackup host manually
- Migrating NetBackup CA- Setting the required key strength before installation or upgrade using the NB_KEYSIZE environment variable
- Migrating NetBackup CA when the entire NetBackup domain is upgraded
- Manually migrating NetBackup CA after installation or upgrade
- Establishing communication with clients that do not have new CA certificates after CA migration
- Viewing a list of NetBackup CAs in the domain
- Viewing the CA migration summary
- Decommissioning the inactive NetBackup CA
 
 
- Configuring data-in-transit encryption (DTE)- About the data channel
- Data-in-transit encryption support
- Workflow to configure data-in-transit encryption
- Configure the global data-in-transit encryption setting
- Configure the DTE mode on a client
- View the DTE mode of a NetBackup job
- View the DTE-specific attributes of a NetBackup image and an image copy
- Configure the DTE mode on the media server
- Modify the DTE mode on a backup image
- Media device selection (MDS) and resource allocation
- How DTE configuration settings work in various NetBackup operations
 
- External CA and external certificates- About external CA support in NetBackup
- Workflow to use external certificates for NetBackup host communication
- Configuration options for external CA-signed certificates- ECA_CERT_PATH for NetBackup servers and clients
- ECA_TRUST_STORE_PATH for NetBackup servers and clients
- ECA_PRIVATE_KEY_PATH for NetBackup servers and clients
- ECA_KEY_PASSPHRASEFILE for NetBackup servers and clients
- ECA_CRL_CHECK for NetBackup servers and clients
- ECA_CRL_PATH for NetBackup servers and clients
- ECA_CRL_PATH_SYNC_HOURS for NetBackup servers and clients
- ECA_CRL_REFRESH_HOURS for NetBackup servers and clients
- ECA_DISABLE_AUTO_ENROLLMENT for NetBackup servers and clients
- ECA_DR_BKUP_WIN_CERT_STORE for NetBackup servers and clients
- MANAGE_WIN_CERT_STORE_PRIVATE_KEY option for NetBackup primary servers
 
- Limitations of Windows Certificate Store support when NetBackup services are running in Local Service account context
- About certificate revocation lists for external CA
- About certificate enrollment
- About viewing enrollment status of primary servers
- Configuring an external certificate for the NetBackup web server
- Configuring the primary server to use an external CA-signed certificate
- Configuring a NetBackup host (media server, client, or cluster node) to use an external CA-signed certificate after installation
- Enrolling an external certificate for a remote host
- Viewing the certificate authorities that your NetBackup domain supports
- Viewing external CA-signed certificates in the NetBackup web UI
- Renewing a file-based external certificate
- Removing certificate enrollment
- Disabling the NetBackup CA in a NetBackup domain
- Enabling the NetBackup CA in a NetBackup domain
- Disabling an external CA in a NetBackup domain
- Changing the subject name of an enrolled external certificate
- About external certificate configuration for a clustered primary server
 
- Regenerating keys and certificates- About regenerating keys and certificates
- Regenerating NetBackup authentication broker keys and certificates
- Regenerating host identity keys and certificates
- Regenerating web service keys and certificates
- Regenerating nbcertservice keys and certificates
- Regenerating tomcat keys and certificates
- Regenerating JWT keys
- Regenerating NetBackup gateway certificates
- Regenerating web trust store certificates
- Regenerating VMware vCenter plug-in certificates
- Regenerating NetBackup Administrator Console session certificates
- Regenerating NetBackup encryption key file
 
 
- NetBackup CA and NetBackup certificates
- Section III. Encryption of data at rest- Data at rest encryption security- Data at rest encryption terminology
- Data at rest encryption considerations
- Destination types for encryption of data at rest
- Encryption security questions to consider
- Comparison of encryption options
- About NetBackup client encryption
- Configuring standard encryption on clients- Managing standard encryption configuration options
- Managing the NetBackup encryption key file
- About configuring standard encryption from the server
- Restoring an encrypted backup file to another client
- About configuring standard encryption directly on clients
- Setting standard encryption attribute in policies
- Changing the client encryption settings from the NetBackup server
 
- Configuring legacy encryption on clients- About configuring legacy encryption from the client
- About configuring legacy encryption from the server
- Restoring a legacy encrypted backup created on another client
- About setting legacy encryption attribute in policies
- Changing client legacy encryption settings from the server
- Additional legacy key file security for UNIX clients
 
 
- NetBackup key management service- About FIPS enabled KMS
- Installing KMS
- Configuring KMS- Creating the key database
- About key groups and key records
- Overview of key record states
- About backing up the KMS database files
- About recovering KMS by restoring all data files
- Recovering KMS by restoring only the KMS data file
- Recovering KMS by regenerating the data encryption key
- Problems backing up the KMS data files
- Solutions for backing up the KMS data files
- Creating a key record
- Listing keys from a key group
- Configuring NetBackup to work with KMS
- Configuring NetBackup KMS using the KMS web application
 
- About using KMS for encryption
- KMS database constituents
- Command line interface (CLI) commands- CLI usage help
- Create a new key group
- Create a new key
- Modify key group attributes
- Modify key attributes
- Get details of key groups
- Get details of keys
- Delete a key group
- Delete a key
- Recover a key
- About exporting and importing keys from the KMS database
- Modify host master key (HMK)
- Get host master key (HMK) ID
- Get key protection key (KPK) ID
- Modify key protection key (KPK)
- Get keystore statistics
- Quiesce KMS database
- Unquiesce KMS database
- Key creation options
 
- Troubleshooting KMS
 
- External key management service- About external KMS
- Certificate configuration and authorization
- Workflow for external KMS configuration
- Validating KMS credentials
- Configuring KMS credentials
- Configuring KMS
- Configuring keys in an external KMS for NetBackup consumption
- Creating keys in an external KMS
- Determining a key group name during storage configuration
- Working with multiple KMS servers
- Working with external KMS during backup and restore
- Key rotation
- Disaster recovery when catalog backup is encrypted using an external KMS server
- Alerts for expiration of KMS credentials
 
 
- Data at rest encryption security
- FIPS compliance in NetBackup- About FIPS
- About FIPS support in NetBackup
- Prerequisites
- Specify entropy randomness in NetBackup
- Configure FIPS mode in your NetBackup domain
- Enable FIPS mode on NetBackup during installation
- Enable FIPS mode on a NetBackup host after installation
- Enable FIPS mode for the NetBackup Authentication Broker service
- Enable FIPS mode for the NetBackup Administration Console
- Disable FIPS mode for NetBackup
- NB_FIPS_MODE option for NetBackup servers and clients
- USE_URANDOM for NetBackup servers and clients
 
- NetBackup web services account
- Running NetBackup services with non-privileged user (service user) account
- Immutability and indelibility of data in NetBackup
- Backup anomaly detection
- Malware detection- About malware detection
- Configuration steps for malware detection
- Prerequisites for a scan host
- Prerequisites for scan host pool
- Supported Malware tools and their configurations
- Configure a new scan host pool
- Add a new host in a scan host pool
- Add an existing scan host
- Manage credentials
- Remove the scan host
- Deactivate the scan host
- Scan a policy client backup images for malware
- Perform malware scanning
- Scan a VMware asset for malware
- View the malware scan status
- Actions for malware scanned images
- Recover from malware-affected images (clients protected by policies)
- Recover a VMware asset affected by malware
- Malware scan timeout configuration for NetBackup server
- MALWARE_DETECTION_JOBS_PER_SCAN_HOST configurations
- Malware scan automated cleanup configuration for NetBackup server
 
Important considerations for using a service user account
Review the following to run NetBackup services with the service user account.
- Do not use the service user account to perform any NetBackup operations. The service user account is intended only to run NetBackup services. 
- It is recommended that the primary group of the service user must only be for the service user. 
- It is not recommended to use the root user as the service user. 
- The nbwebsvc user should not be used as the service user. 
- nbwebgrp must be a secondary group of the service user. 
- Number of processes that can be run with the service user must be same as the processes that run with the root user. - Use ulimit -u to find the maximum number of user processes that can run with the service user. 
- Number of files that can be opened with the service user must be same as the files that are opened with the root user. - Use the ulimit -Hn command to view the maximum number of files that can be open with the service user. 
- Using a service user account other than the root user account involves a one-time conversion that may significantly increase the upgrade time based on your catalog size. 
- Other than the installation directory, all external paths must be accessible by the service user. - See Giving access permissions to service user account on external paths. 
- Environment variable paths must be accessible by the service user. 
- The service user must have access to the OS temporary directory that is usually /tmp or /var/tmp. This may be dictated by P_tmpdir macro. 
- Service user account can be a password-less account. 
- If a service user is configured, legacy log files (/user/openv/netbackup/logs on UNIX or C:\Program Files\Veritas\NetBackup\logs on Windows) have a prefix as SERVICE_USER. - For example: SERVICE_USER.040921_00001.log 
- The service user name must contain less than 32 characters and must have English characters only. 
- If the bpcd and vnetd processes run under an application account such as Oracle Admin, you must not change that account to the service user account.