Veritas NetBackup™ Appliance Security Guide

Product(s): Appliances (4.0)
Platform: NetBackup Appliance OS

Implementing third-party SSL certificates

Use the steps in this section to manually deploy and configure external (third-party) certificates for the NetBackup Appliance layer. The following table lists the different types of certificates that the NetBackup Appliance uses.

Table: Types of third-party certificates

Certificate type: Description

Appliance host certificate

    The Appliance host certificate is based on the X.509 or PKCS#7 standard. The certificate is encoded in either DER (binary) or PEM (text) format. Veritas recommends that you use RSA public and private keys of length 2048 bits or higher.

    Note:

    Ensure that the CN part of the certificate Subject field specifies the fully qualified hostname of the appliance.

    The SubjectAlternativeName certificate extension must contain all the appliance hostnames and IP addresses by which the appliance can be reached. You must include both the fully qualified hostnames and the short names.

Appliance host private key (corresponding to the host certificate)

    The Appliance host private key must be in PKCS#8 standard and encoded in PEM format. Veritas recommends using appliance as the passphrase for encryption. Using any other passphrase can cause issues while connecting to MongoDB after the certificates are replaced during an upgrade. The passphrase only protects the key file at rest; the file permissions set in Step 4 are what restrict access to it on the appliance.

(Optional) Intermediary CA certificates

    Intermediary CA certificates form a certificate chain from the appliance host certificate to the root CA certificate. These certificates are only required if the host certificate is issued by a CA other than the root CA.

Root CA certificates

    These include the root CA certificates of the Appliance certificate chain and of its peers. If the appliance needs to interact with hosts that have certificates from different Certificate Authorities, you must have all of those intermediary and root CA certificates ready in a single file called cacerts.pem.

Note:

The Appliance host certificate, private key, and its intermediary CA certificates can all be in a single PEM file.

Prerequisites

Ensure that you have read the prerequisites and performed the necessary steps before installing the third-party certificates.

  • To implement third-party certificates on a NetBackup appliance you must log in with the root account. Ensure that you can access the maintenance account, override Symantec Data Center Security protection, and then log in as root.

  • To prevent errors, ensure that the certificate files meet the following criteria:

    • All certificate files must have a suffix of .pem or .cer and must begin with the line -----BEGIN CERTIFICATE-----.

    • All certificate files must contain the host name and the FQDN in the subject alternative name (SAN) field of the certificate. If the certificate is used in an HA environment, the SAN field must contain the VIP, the host name, and the FQDN.

    • The Subject and Common Name fields must not be left empty.

    • The Subject field must be unique for each host.

    • The Subject field can contain a maximum of 255 characters.

    • The certificate must be marked for both server authentication and client authentication, that is, its Extended Key Usage extension must include TLS Web Server Authentication (serverAuth) and TLS Web Client Authentication (clientAuth).

    • Only 7-bit ASCII characters can be used in the Subject and SAN fields of the certificate.

  • The private key must be in PKCS#8 PEM format and must begin with the header line -----BEGIN ENCRYPTED PRIVATE KEY----- or -----BEGIN PRIVATE KEY-----.

  • The NetBackup Appliance web service uses the PKCS#12 standard and requires certificate files in X.509 PEM (.pem) format. If you obtained the certificate and private key in any other format, you must first convert them to PEM. See the table below for steps to convert your certificate files to the required format with OpenSSL. You can download OpenSSL from http://www.openssl.org.

Table: Procedure to convert certificate files to the required format

Certificate file format: DER
Certificate file suffix: .DER or .der
Procedure: Convert the DER-encoded certificate to X.509 PEM format:

openssl x509 -inform der -in cert.der -outform pem -out cert.pem

Certificate file format: PKCS#7, DER-encoded
Certificate file suffix: .p7b
Procedure: If the file does not contain the string -----BEGIN PKCS7-----, it is binary DER. First convert it to PEM, then extract the certificates it carries:

openssl pkcs7 -inform der -in cacerts.der.p7b -out cacerts.p7b

openssl pkcs7 -print_certs -in cacerts.p7b -out cacerts.pem

Certificate file format: PKCS#7, PEM-encoded
Certificate file suffix: .p7b
Procedure: If the file contains the string -----BEGIN PKCS7-----, extract the certificates it carries:

openssl pkcs7 -print_certs -in cacerts.p7b -out cacerts.pem
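The following script is an added example and is not part of the Veritas guide: it checks a certificate and key pair against the prerequisites listed above with the openssl CLI, before anything is copied to the appliance. The host name nbapp01.example.com, the short name nbapp01 and the address 192.0.2.10 are assumed values, and the self-signed demo pair it generates stands in for a CA-issued certificate; point check_appliance_cert at your real server.pem and serverkey.pem instead.

```shell
#!/bin/sh
# Added example, not part of the Veritas guide: pre-flight check of a
# third-party appliance certificate and key against the prerequisites above.
# Needs only the openssl CLI (the demo pair uses "req -addext", OpenSSL 1.1.1+).
set -u

# check_appliance_cert CERT KEY FQDN SHORTNAME [IP ...]
# Prints one FAIL line per violated rule; returns 0 only when every rule passes.
check_appliance_cert() {
    cert=$1; key=$2; fqdn=$3; short=$4; shift 4
    rc=0
    fail() { echo "FAIL: $1"; rc=1; }

    # File format: PEM certificate, PKCS#8 PEM key (encrypted or not).
    head -n 1 "$cert" | grep -q -- '-----BEGIN CERTIFICATE-----' \
        || fail "$cert does not start with -----BEGIN CERTIFICATE-----"
    grep -q -E -- '^-----BEGIN (ENCRYPTED )?PRIVATE KEY-----' "$key" \
        || fail "$key is not a PKCS#8 PEM private key"

    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) \
        || { echo "FAIL: openssl cannot parse $cert"; return 1; }

    # Subject: non-empty, CN = FQDN, at most 255 characters, 7-bit ASCII only.
    subj=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    [ -n "$subj" ] || fail "subject is empty"
    [ "${#subj}" -le 255 ] || fail "subject is longer than 255 characters"
    printf '%s' "$subj" | LC_ALL=C grep -q '[^ -~]' && fail "subject contains non-ASCII characters"
    printf '%s\n' "$subj" | grep -qE "(^|,)CN=$fqdn(,|$)" || fail "subject CN is not $fqdn"

    # SAN: FQDN, short name and every address the appliance answers on, as exact entries.
    san=$(printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | tail -n 1 \
          | tr ',' '\n' | sed 's/^ *//')
    printf '%s\n' "$san" | grep -qx "DNS:$fqdn"  || fail "SAN lacks DNS:$fqdn"
    printf '%s\n' "$san" | grep -qx "DNS:$short" || fail "SAN lacks DNS:$short"
    for ip in "$@"; do
        printf '%s\n' "$san" | grep -qx "IP Address:$ip" || fail "SAN lacks IP Address:$ip"
    done
    printf '%s' "$san" | LC_ALL=C grep -q '[^ -~]' && fail "SAN contains non-ASCII characters"

    # Extended Key Usage must carry both serverAuth and clientAuth.
    eku=$(printf '%s\n' "$text" | grep -A1 'Extended Key Usage' | tail -n 1)
    printf '%s' "$eku" | grep -q 'TLS Web Server Authentication' || fail "EKU lacks serverAuth"
    printf '%s' "$eku" | grep -q 'TLS Web Client Authentication' || fail "EKU lacks clientAuth"

    # Key size: Veritas recommends RSA 2048 bits or more.
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    [ "${bits:-0}" -ge 2048 ] || fail "public key is only ${bits:-?} bits"

    return "$rc"
}

# make_demo_pair DIR SAN: constructed self-signed demo pair (stand-in for a CA-issued one).
make_demo_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -sha256 \
        -subj "/CN=nbapp01.example.com" -addext "subjectAltName=$2" \
        -addext "extendedKeyUsage=serverAuth,clientAuth" \
        -keyout "$1/serverkey.pem" -out "$1/server.pem" 2>/dev/null
}

# Demo: the names and address below are assumed values, not real appliance data.
demo_dir=$(mktemp -d)
make_demo_pair "$demo_dir" "DNS:nbapp01.example.com,DNS:nbapp01,IP:192.0.2.10"
if check_appliance_cert "$demo_dir/server.pem" "$demo_dir/serverkey.pem" \
        nbapp01.example.com nbapp01 192.0.2.10; then
    echo "OK: certificate meets the appliance prerequisites"
fi
rm -rf "$demo_dir"
```

A certificate that passes here can still be rejected later if the SAN omits a name the appliance is actually reached by (for an HA pair, the VIP), so list every such name and address as an argument.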

Assuming that your appliance host certificate, appliance host private key, and root CA certificate files are named as server.pem, serverkey.pem, and cacerts.pem respectively, perform the following steps to configure third-party certificates in NetBackup Appliance.

Step 1: Install the certificate files to the existing Java KeyStore and TrustStore

Third-party certificates are stored in a Java KeyStore (JKS). A Java KeyStore (JKS) is a repository of security certificates that is used by Java-based services such as the Tomcat web server.

The root CA SSL certificate is loaded into a Java TrustStore that is used by the NetBackup Web Management Console. This TrustStore is part of the NetBackup catalog backup.

To install certificate files to the existing Java KeyStore and TrustStore in NetBackup Appliance, perform the following steps:

  1. Log on to the maintenance account using SSH and override the Symantec Data Center Security protection.
  2. Log on to the appliance using the root account.
  3. Copy the appliance host certificate, private key, and CA certificate files to a temporary directory such as /tmp.
  4. Ensure that all certificate files are in X.509 PEM format. These files typically have a suffix of .pem or .cer and contain the header line -----BEGIN CERTIFICATE----- at the beginning of the certificate. For the procedure to convert certificate files to the required format, see the Prerequisites section.
  5. Convert the PEM-formatted X.509 certificate (server.pem) and private key (serverkey.pem) to the PKCS#12 format using the CA certificate file cacerts.pem. Type the following command:

    openssl pkcs12 -export -in server.pem -inkey serverkey.pem -out server.p12 -name tomcat -CAfile cacerts.pem -caname root

    Note:

    When the OpenSSL command prompts for the import password, type the private key's passphrase. When it prompts for the export password, type appliance.

  6. Copy the NetBackup Appliance's webservice KeyStore file to your working directory, as follows:

    cp /opt/apache-tomcat/security/keystore ./keystore

  7. Import the PKCS#12 file (server.p12) to the Java KeyStore. Type the following command:

    keytool -importkeystore -deststorepass appliance -destkeypass appliance -destkeystore keystore -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass appliance -alias tomcat

    To prevent any exceptions from occurring, ensure the following:

    • Specify appliance as the password for the -deststorepass and -destkeypass options. Note that only alphanumeric characters are supported for the password.

    • Specify tomcat for the -alias option.

  8. Run the following command to ensure that all the DNS values are correctly applied to the entry in the Java KeyStore.

    keytool -list -v -alias tomcat -keystore keystore -storepass appliance

  9. At the bottom of the cacerts.pem certificate authority (CA) certificate file, ensure that you have included the chain of intermediary CA certificates (if any) up to the root CA certificate.
  10. Import the CA certificate file cacerts.pem to the Java TrustStore. The Java TrustStore is used by the NetBackup Web Management Console. Type the following commands:

    keytool -import -noprompt -trustcacerts -file cacerts.pem -alias vxosrootcachain -keystore keystore -storepass appliance

    If the cacerts.pem file contains multiple CA certificates, split them into separate files at the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags and run the command once for each CA certificate file, giving each its own alias:

    keytool -import -noprompt -trustcacerts -file cacertn.pem -alias vxosrootcachain[n] -keystore keystore -storepass appliance

    Where cacertn.pem represents each of the individual certificate files (for example, cacert1.pem, cacert2.pem, ..., cacertn.pem) and vxosrootcachain[n] the matching alias (vxosrootcachain1, vxosrootcachain2, and so on). keytool refuses to import a second certificate under an alias that already exists, so the aliases must differ.
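The following helpers are an added example, not code from the Veritas guide or the appliance. They split cacerts.pem into one file per CA certificate (the manual step described above for multiple intermediary certificates), show the resulting chain order, and run the openssl and keytool sequence from this step with the fixed password and alias the guide requires. The demo chain (Example Root CA, Example Issuing CA, nbapp01.example.com) is constructed on the fly. One deviation from the guide's openssl pkcs12 command is flagged in the comments: -certfile puts the CA chain into the PKCS#12, so the tomcat entry carries its chain.

```shell
#!/bin/sh
# Added example, not part of the Veritas guide: helpers for Step 1.
# split_ca_bundle writes cacerts.pem out as cacert1.pem ... cacertN.pem in file
# order so each CA certificate gets its own vxosrootcachain[n] alias, and
# import_into_keystore runs the openssl/keytool sequence from Step 1 with the
# fixed values the guide requires (password "appliance", alias "tomcat").
# Needs openssl; keytool is only needed for the import itself.
set -u

# split_ca_bundle BUNDLE OUTDIR -> prints the number of certificates written
split_ca_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cacert" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/   { close(out); inside = 0 }
        END { print n + 0 }' "$1"
}

# show_chain OUTDIR N: subject and issuer of each split file, to eyeball the order
# (intermediates first, root CA last, as step 9 of Step 1 requires).
show_chain() {
    i=1
    while [ "$i" -le "$2" ]; do
        printf 'cacert%s.pem: ' "$i"
        openssl x509 -in "$1/cacert$i.pem" -noout -subject -issuer -nameopt RFC2253 | tr '\n' ' '
        echo
        i=$((i + 1))
    done
}

# import_into_keystore CERT KEY KEYPASS BUNDLE WORKDIR
# WORKDIR/keystore should be the copy of /opt/apache-tomcat/security/keystore (step 6).
# Deviation from the guide's command: -certfile puts the CA chain into the PKCS#12,
# so the tomcat entry carries its full chain and Tomcat can send the intermediates.
import_into_keystore() {
    cert=$1; key=$2; keypass=$3; bundle=$4; work=$5
    openssl pkcs12 -export -in "$cert" -inkey "$key" -passin "pass:$keypass" \
        -certfile "$bundle" -name tomcat -passout pass:appliance -out "$work/server.p12" || return 1
    if ! command -v keytool >/dev/null 2>&1; then
        echo "keytool not installed here; PKCS#12 written to $work/server.p12"
        return 0
    fi
    keytool -importkeystore -noprompt -srckeystore "$work/server.p12" -srcstoretype PKCS12 \
        -srcstorepass appliance -alias tomcat -destkeystore "$work/keystore" \
        -deststorepass appliance -destkeypass appliance || return 1
    n=$(split_ca_bundle "$bundle" "$work")
    i=1
    while [ "$i" -le "$n" ]; do
        keytool -import -noprompt -trustcacerts -file "$work/cacert$i.pem" \
            -alias "vxosrootcachain$i" -keystore "$work/keystore" -storepass appliance || return 1
        i=$((i + 1))
    done
    # Step 1.8: confirm the SAN entries landed on the tomcat entry.
    keytool -list -v -alias tomcat -keystore "$work/keystore" -storepass appliance | grep -E 'DNSName|IPAddress'
}

# make_demo_chain DIR: constructed root CA -> issuing CA -> appliance cert (demo data only).
make_demo_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'subjectAltName=DNS:nbapp01.example.com,DNS:nbapp01\nextendedKeyUsage=serverAuth,clientAuth\n' > "$d/srv.ext"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/root.csr" -signkey "$d/root.key" -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Issuing CA" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=nbapp01.example.com" -keyout "$d/serverkey.pem" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/server.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
        -extfile "$d/srv.ext" -out "$d/server.pem" 2>/dev/null
    cat "$d/int.pem" "$d/root.pem" > "$d/cacerts.pem"   # intermediates first, root last
}

demo=$(mktemp -d)
make_demo_chain "$demo"
count=$(split_ca_bundle "$demo/cacerts.pem" "$demo")
echo "cacerts.pem contains $count CA certificate(s):"
show_chain "$demo" "$count"
import_into_keystore "$demo/server.pem" "$demo/serverkey.pem" "" "$demo/cacerts.pem" "$demo"
rm -rf "$demo"
```

On the appliance, copy the existing keystore into the working directory first (step 6 above) so that the import adds the tomcat entry to it rather than creating an empty keystore; the split files can be deleted once keytool -list shows each vxosrootcachain alias.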

Step 2: Shut down the database and relevant web services

To shut down the database and the relevant web services, type the following commands:

systemctl stop nginx
service as-alertmanager stop
service as-analyzer stop
service as-transmission stop
/opt/IMAppliance/scripts/infraservices.sh webserver stop
/opt/IMAppliance/scripts/infraservices.sh database stop

Step 3: Install the new Java KeyStore in the Tomcat web server

To install the new KeyStore in the Tomcat web server, perform the following steps:

  1. Back up the existing web server KeyStore file using the following command:

    cp /opt/apache-tomcat/security/keystore /opt/apache-tomcat/security/keystore.orig

  2. Replace the existing KeyStore file with the new KeyStore file:

    cp ./keystore /opt/apache-tomcat/security/keystore

  3. Set the permissions for the new KeyStore file using the following command:
    chmod 700 /opt/apache-tomcat/security
    chmod 600 /opt/apache-tomcat/security/keystore 
    chown -R tomcat:tomcat /opt/apache-tomcat/security 
    
Step 4: Copy the certificate files to the default location

Perform the following steps:

  1. Copy the certificate files to /etc/vxos-ssl/servers/certs.
    cp serverkey.pem /etc/vxos-ssl/servers/certs
    cp server.pem /etc/vxos-ssl/servers/certs
    cp cacerts.pem /etc/vxos-ssl/servers/certs
    
  2. Append the certificate (server.pem) to the private key file (serverkey.pem), so that serverkey.pem contains the key followed by the certificate:
    cat /etc/vxos-ssl/servers/certs/server.pem >> /etc/vxos-ssl/servers/certs/serverkey.pem
  3. Set the required file permissions for the certificate files, as follows:
    chown root:infra /etc/vxos-ssl/servers/certs/serverkey.pem
    chown root:infra /etc/vxos-ssl/servers/certs/server.pem
    chown root:infra /etc/vxos-ssl/servers/certs/cacerts.pem
    
    chmod 440 /etc/vxos-ssl/servers/certs/serverkey.pem
    chmod 440 /etc/vxos-ssl/servers/certs/server.pem
    chmod 440 /etc/vxos-ssl/servers/certs/cacerts.pem
    
  4. To ensure that the correct certificate files are used, check the names of the certificate files in /etc/vxos-ssl/servers/certs/. If they use the short host name, rename them to the fully qualified domain name (FQDN) format; for example, change <ServerName>-self.cert.pem to <ServerName>.<DomainName>.com-self.cert.pem. Use the following commands:
    rm /etc/vxos-ssl/servers/certs/<FQDN_hostname>-self.cert.pem

    cp /etc/vxos-ssl/servers/certs/<short_hostname>.cert.pem /etc/vxos-ssl/servers/certs/<FQDN_hostname>-self.cert.pem

    tpconfig -delete -nb_appliance <short_hostname>

    Then check that the certificate files in /etc/vxos-ssl/servers/certs/ are the same as those in /usr/openv/var/global/appliance_certificates/.
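The following check is an added example, not part of the Veritas guide. Run against a directory laid out as Step 4 leaves it, it confirms that serverkey.pem contains the key followed by the certificate, that the key matches server.pem, that server.pem verifies against cacerts.pem, that the <FQDN_hostname>-self.cert.pem copy is identical to server.pem, and that the three files have mode 440. Its demo builds a constructed self-signed pair under a temporary directory; nbapp01.example.com is an assumed host name. Pass the key passphrase as the third argument when the key is encrypted.

```shell
#!/bin/sh
# Added example, not part of the Veritas guide: consistency check of the files
# placed in /etc/vxos-ssl/servers/certs by Step 4, to run before the services
# are restarted with them in Steps 5 and 6. The demo at the bottom builds a
# constructed self-signed pair in a temporary directory instead of touching
# the appliance paths; the host name nbapp01.example.com is an assumed value.
set -u

# check_cert_dir CERTDIR FQDN [KEYPASS] -> 0 when every check passes
check_cert_dir() {
    dir=$1; fqdn=$2; keypass=${3:-}
    key=$dir/serverkey.pem; cert=$dir/server.pem; ca=$dir/cacerts.pem
    self=$dir/$fqdn-self.cert.pem
    rc=0
    fail() { echo "FAIL: $1"; rc=1; }

    # 1. serverkey.pem must hold the PKCS#8 key followed by the certificate;
    #    MongoDB's certificateKeyFile (Step 5) expects both in one PEM file.
    grep -q -E -- '^-----BEGIN (ENCRYPTED )?PRIVATE KEY-----' "$key" || fail "$key has no PKCS#8 key"
    grep -q -- '-----BEGIN CERTIFICATE-----' "$key" || fail "$key lacks the certificate (Step 4.2 not applied)"

    # 2. the key must belong to server.pem (compare the public keys).
    kpub=$(openssl pkey -in "$key" -passin "pass:$keypass" -pubout 2>/dev/null)
    cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ] || fail "serverkey.pem does not match server.pem"

    # 3. server.pem must chain to the CAs in cacerts.pem.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || fail "server.pem does not verify against cacerts.pem"

    # 4. the FQDN-named copy that NetBackup uses must be identical to server.pem.
    [ -f "$self" ] && cmp -s "$cert" "$self" || fail "$self missing or differs from server.pem"

    # 5. mode 440 as set in Step 4.3 (ownership root:infra is not checked here).
    for f in "$key" "$cert" "$ca"; do
        mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
        [ "$mode" = 440 ] || fail "$f has mode $mode, expected 440"
    done
    return "$rc"
}

# make_demo_certdir DIR: constructed files laid out the way Step 4 leaves them.
# The self-signed demo certificate is marked CA:TRUE so it can act as its own root.
make_demo_certdir() {
    printf 'basicConstraints=critical,CA:TRUE\nsubjectAltName=DNS:nbapp01.example.com,DNS:nbapp01\n' > "$1/demo.ext"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=nbapp01.example.com" \
        -keyout "$1/serverkey.pem" -out "$1/demo.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$1/demo.csr" -signkey "$1/serverkey.pem" \
        -extfile "$1/demo.ext" -out "$1/server.pem" 2>/dev/null
    cp "$1/server.pem" "$1/cacerts.pem"                         # self-signed: it is its own root
    cat "$1/server.pem" >> "$1/serverkey.pem"                   # Step 4.2
    cp "$1/server.pem" "$1/nbapp01.example.com-self.cert.pem"   # Step 4.4
    chmod 440 "$1/serverkey.pem" "$1/server.pem" "$1/cacerts.pem"   # Step 4.3
}

demo=$(mktemp -d)
make_demo_certdir "$demo"
check_cert_dir "$demo" nbapp01.example.com && echo "OK: $demo is consistent"
rm -rf "$demo"
```

On the appliance, run it as root with CERTDIR set to /etc/vxos-ssl/servers/certs; every FAIL line points at the Step 4 sub-step that was skipped or applied to the wrong file.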

Step 5: Configure MongoDB to use the new certificate files

To configure the third-party SSL certificates in MongoDB, perform the following steps:

  1. Edit the line containing certificateKeyFile in /etc/mongod.conf and set it to /etc/vxos-ssl/servers/certs/serverkey.pem. MongoDB expects this file to contain both the private key and the certificate, which is why the two were concatenated in Step 4.
  2. Edit the line containing certificateKeyFilePassword in /etc/mongod.conf and set it to the passphrase of the private key.
  3. Edit /etc/vxos-ssl/cert.conf, and add the following:
    server_cert=/etc/vxos-ssl/servers/certs/serverkey.pem
    client_cert=/etc/vxos-ssl/servers/certs/cacerts.pem
    pem_password=<passphrase of the private key>
    
  4. Type the following commands to start MongoDB and the web service:
    /opt/IMAppliance/scripts/infraservices.sh database start
    /opt/IMAppliance/scripts/infraservices.sh webserver start

Step 6: Configure the NGINX gateway server to use the new certificate files

To configure the third-party SSL certificates in NGINX gateway, perform the following:

  1. Ensure that /etc/nginx/conf.d/appsol.conf is writable.

    Edit the lines containing ssl_certificate and ssl_certificate_key to point to the certificates and private key (concatenated with the certificate):

    ssl_certificate /etc/vxos-ssl/servers/certs/server.pem;
    ssl_certificate_key /etc/vxos-ssl/servers/certs/serverkey.pem;
    
  2. Ensure that /etc/nginx/locations/appsol.conf is writable.

    Edit the lines containing proxy_ssl_certificate and proxy_ssl_certificate_key to point to the certificates and private key (concatenated with the certificate):

    proxy_ssl_certificate /etc/vxos-ssl/servers/certs/server.pem;
    proxy_ssl_certificate_key /etc/vxos-ssl/servers/certs/serverkey.pem;
    
  3. Type the following command to start the NGINX server:

    systemctl start nginx

Step 7: Start the AutoSupport services

Type the following commands to start the AutoSupport services:

service as-alertmanager start
service as-analyzer start
service as-transmission start

Step 8: Deploy the third-party certificates on primary servers

For each primary server that is associated with a NetBackup Appliance media server (version 3.1.2 or later): if the media server uses a third-party certificate signed by a different CA, run the following command on that primary server once for each third-party root CA certificate that you need to deploy.

  • For an appliance primary server or a UNIX-based (non-appliance) primary server, run the following commands:

    /usr/openv/java/jre/bin/keytool -importcert \
        -storepass `cat /usr/openv/var/global/jkskey` \
        -keystore /usr/openv/var/global/wsl/credentials/truststoreMSDP \
        -file <path to root CA certificate file> \
        -alias <descriptive label for root CA certificate>
  • For a Windows-based (non-appliance) primary server, use a text editor or a command such as type to read the KeyStore password from the jkskey file stored at \Program Files\Veritas\NetBackup\var\global\jkskey. Then run the following command, substituting that password for <keystore password>:

    "C:\Program Files\Veritas\NetBackup\jre\bin\keytool" -importcert -keystore "C:\Program Files\Veritas\NetBackup\var\global\wsl\credentials\truststoreMSDP" -storepass <keystore password> -file "<path to root CA certificate file>" -alias <descriptive label for root CA certificate>

    Note:

    The jkskey file contains the NetBackup password for the Java KeyStore files that are used by the NetBackup Web Management Console. Any change made to the jkskey file can cause a system failure.

Before you use the Copilot feature on an appliance deployed with third-party certificates, ensure the following:

  • The appliance's certificate file (in /etc/vxos-ssl/servers/certs/) is same as the primary server's certificate file (in /usr/openv/var/global/appliance_certificates/).

  • The appliance's certificate file (in /etc/vxos-ssl/servers/certs/) is named in the <FQDN_hostname>-self.cert.pem format.

Run the following commands on each of the associated appliances:

rm /etc/vxos-ssl/servers/certs/<FQDN_hostname>-self.cert.pem

cp /etc/vxos-ssl/servers/certs/server.pem /etc/vxos-ssl/servers/certs/<FQDN_hostname>-self.cert.pem

tpconfig -delete -nb_appliance <Short_hostname>

/opt/NBUAppliance/scripts/copilot_users.pl --add