Veritas NetBackup™ Deduplication Guide

Product(s): NetBackup (8.3.0.1)

About image sharing in cloud using Cloud Catalyst

Image sharing, which was earlier known as Automated disaster recovery (DR), provides a self-describing storage solution over Cloud Catalyst. Cloud Catalyst with Image sharing in cloud is a self-describing storage server. Cloud Catalyst without Image sharing in cloud is not a self-describing storage server.

Image sharing gives users an easy, visual way to manage and provision images in cloud object storage and, in certain scenarios, the ability to convert backed-up VMs to AWS instances.

Important features of image sharing
  • When Cloud Catalyst backs up the deduplicated data to the cloud but the NetBackup catalog is available only on the on-premises NetBackup server, the data cannot be restored from the cloud without the on-premises NetBackup server.

    Image sharing in cloud uploads the NetBackup catalog along with the backup images and lets you restore data from the cloud without the on-premises NetBackup server.

  • You can launch an all-in-one NetBackup in the cloud on demand called the cloud recovery host, and recover the backup images from cloud.

  • Image sharing discovers the backup images that are stored in AWS S3 through the REST APIs, recovers the NetBackup catalog, and restores the images.

  • You can use the command line options or the NetBackup Web UI, which provide the same functions as the REST APIs.

Things to consider before you use image sharing
  • Before you install NetBackup, create an instance based on RHEL 7.3 or later (up to RHEL 8.0) in AWS. You can also set up a computer based on RHEL 7.3 or later (up to RHEL 8.0). The recommendation is that the instance has more than 64 GB of memory and 8 CPUs.

  • The HTTPS port 443 is enabled.

  • Change the host name to the server's FQDN.

  • Add the following items in the /etc/hosts file:

    "External IP" "Server's FQDN"

    "Internal IP" "Server's FQDN"

    For a computer, add the following items in the /etc/hosts file:

    "IP address" "Server's FQDN"

  • For an instance in AWS, change the search domain order in the /etc/resolv.conf file to search external domains before internal domains.

  • NetBackup should be an all-in-one setup.

    Refer to the NetBackup Installation Guide for more information.

Configure image sharing

After installing NetBackup, you can run the ims_system_config.py script to configure image sharing.

The path to access the command is: /usr/openv/pdde/pdag/scripts/.

Use the following command to run the ims_system_config.py script:

Amazon Web Service cloud provider:

ims_system_config.py -k <AWS_access_key> -s <AWS_secret_access_key> -b <name_S3_bucket>

If you have configured an IAM role in the EC2 instance, use the following command:

python /usr/openv/pdde/pdag/scripts/ims_system_config.py -k dummy -s dummy -b <name_S3_bucket>

Microsoft Azure cloud provider:

ims_system_config.py -cp 2 -k <key_id> -s <secret_key> -b <container_name>

Other S3 compatible cloud provider (For example, Hitachi HCP):

If the cloud instance already exists in NetBackup, use the following command:

ims_system_config.py -cp 3 -t PureDisk -k <key_id> -s <secret_key> -b <bucket_name> -bs <bucket_sub_name> -c <Cloud_instance_name> [-p <mount_point>]

Or use the following command:

ims_system_config.py -cp 3 -t PureDisk -k <key_id> -s <secret_key> -b <bucket_name> -pt <cloud_provider_type> -sh <s3_hostname> -sp <s3_http_port> -sps <s3_https_port> -ssl <ssl_usage> [-p <mount_point>]

Example for HCP provider:

ims_system_config.py -cp 3 -t PureDisk -k xxx -s xxx -b emma -bs subtest -pt hitachicp  -sh yyy.veritas.com -sp 80 -sps 443 -ssl 0

Description: (Specify the following options to use HCP cloud)

-cp 3: Specify third-party S3 cloud provider that is used.

-pt hitachicp: Specify cloud provider type as hitachicp (HCP LAN)

-t PureDisk_hitachicp_rawd: Specify storage server type as PureDisk_hitachicp_rawd

-sh <s3_hostname>: Specify HCP storage server host name

-sp <s3_http_port>: Specify HCP storage server HTTP port (Default is 80)

-sps <s3_https_port>: Specify HCP storage server HTTPS port (Default is 443)

-ssl <ssl_usage>: Specify whether to use SSL. (0- Disable SSL. 1- Enable SSL. Default is 1.) If SSL is disabled, it uses <s3_http_port> to make connection to <s3_hostname>. Otherwise, it uses <s3_https_port>.

Using image sharing with the NetBackup Web UI

You can access NetBackup Web UI to use image sharing. For more information, refer to the Using image sharing from the NetBackup Web UI topic in the NetBackup Web UI Administrator's Guide.

Using image sharing with the nbimageshare command

You can use the nbimageshare command to use image sharing.

Run the nbimageshare command to list and import the virtual machine and standard images and then recover the virtual machines.

The path to access the command is: /usr/openv/netbackup/bin/admincmd/

For more information about the nbimageshare command, refer to the NetBackup Commands Reference Guide.

The following table lists the steps for image sharing and the command options:

Table: Steps for image sharing and the command options

Step: Log on to NetBackup

Command:

nbimageshare --login <username> <password>
nbimageshare --login -interact

Step: List all the backup images that are in the cloud

Command:

nbimageshare --listimage

Note:

In the list of images, the increment schedule type might be differential incremental or cumulative incremental.

Step: Import the backup images to NetBackup

Command:

Import a single image:

nbimageshare --singleimport <client> <policy> <backupID>

Import multiple images:

nbimageshare --batchimport <image_list_file_path>

Note:

The format of the image_list_file_path is the same as the output of "list images".

The number of images must be equal to or less than 64.

You can import an already imported image. This action does not affect the NetBackup image catalog.

Step: Recover the VM as an AWS EC2 instance

Command:

nbimageshare --recovervm <client> <policy> <backupID>

  • Only VM images are supported.

  • The AWS account must have the following read and write permissions to S3:

    "ec2:CreateTags"
    "ec2:DescribeImportImageTasks"
    "ec2:ImportImage"
    "iam:ListRolePolicies"
    "iam:ListRoles"
    "iam:GetRole"
    "iam:GetRolePolicy"
    "iam:CreateRole"
    "iam:PutRolePolicy"

Manual KMS key transfer in Image sharing in case of NetBackup KMS

When KMS encryption is enabled, you can share the images in the S3 bucket to the cloud recovery host with manual KMS key transfer.

On-premises side:

  1. Storage server: Find the key group name for the given storage server.

    Find the location of contentrouter.cfg in /etc/pdregistry.cfg.

    Find the key group name in contentrouter.cfg under [KMSOptions].

    (Example: KMSKeyGroupName=amazon.com:test1)

  2. NetBackup master server: Export the key group with a passphrase to a file:

    /usr/openv/netbackup/bin/admincmd/nbkmsutil -export -key_groups <key-group-name> -path <key file path>

Cloud recovery host (cloud side):

  1. Copy the exported key to the cloud recovery host

  2. Configure the KMS server.

    /usr/openv/netbackup/bin/nbkms -createemptydb
    /usr/openv/netbackup/bin/nbkms
    /usr/openv/netbackup/bin/nbkmscmd -discovernbkms -autodiscover
  3. Import keys to KMS service.

    /usr/openv/netbackup/bin/admincmd/nbkmsutil -import -path <key file path> -preserve_kgname

  4. Configure the cloud recovery host with ims_system_config.py
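
The lookup in on-premises step 1 and a check on the exported key file, as an added example (not Veritas code): it reads KMSKeyGroupName from the [KMSOptions] section of a contentrouter.cfg file and confirms that the export file is accessible only to its owner before it is copied to the cloud recovery host. The function names, the sample file (apart from the example value shown above) and the owner-only permission check are assumptions of this example.

```sh
#!/bin/sh
# Added example, not part of the NetBackup documentation or tooling.
# Function names and the sample file below are constructed for illustration.

# kms_key_group FILE
# Print the KMSKeyGroupName value found under [KMSOptions] in FILE.
# Exit status is 1 when the section or the key is missing.
kms_key_group() {
    awk '
        /^[ \t]*\[/ {                       # any section header
            gsub(/[ \t]/, "")
            in_kms = ($0 == "[KMSOptions]")
            next
        }
        in_kms && /^[ \t]*KMSKeyGroupName[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")        # drop the key name and "="
            sub(/[ \t]+$/, "")              # drop trailing blanks
            print
            found = 1
            exit
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# key_file_is_private FILE
# Succeed only when FILE is a regular file with no group or other
# permission bits set (for example mode 600).
key_file_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# --- Demonstration on a constructed contentrouter.cfg ----------------------
demo_dir=$(mktemp -d)
cat > "$demo_dir/contentrouter.cfg" <<'EOF'
[ExampleSection]
KMSKeyGroupName=ignored-because-wrong-section
[KMSOptions]
ExampleKey=example
KMSKeyGroupName=amazon.com:test1
EOF

kg=$(kms_key_group "$demo_dir/contentrouter.cfg")
echo "key group: $kg"

# Print the export command from step 2 instead of running it here.
echo "/usr/openv/netbackup/bin/admincmd/nbkmsutil -export -key_groups $kg -path <key file path>"

# Stand-in for the exported key file (constructed, empty).
export_file="$demo_dir/keygroup.export"
: > "$export_file"
chmod 600 "$export_file"
if key_file_is_private "$export_file"; then
    echo "export file is owner-only"
else
    echo "export file is readable by group or others; tighten its mode before copying"
fi
rm -rf "$demo_dir"
```
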

On-premises KMS key changes

If the KMS key changes for the given group on the on-premises storage server after the cloud recovery host is set up, you must export the key file from the on-premises KMS server and import that key file on the cloud recovery host.

  1. On-premises NetBackup master server: Export the key group with a passphrase to a file

    /usr/openv/netbackup/bin/admincmd/nbkmsutil -export -key_groups <key-group-name> -path <key file path>

  2. Cloud recovery host:

    /usr/openv/netbackup/bin/admincmd/nbkmsutil -deletekg -kgname <key-group-name> -force

    /usr/openv/netbackup/bin/admincmd/nbkmsutil -import -path <key file path> -preserve_kgname

Manual steps in image sharing in case of external KMS

If an on-premises storage server is configured to use keys from an external KMS server, make sure that the same KMS server is configured on the cloud recovery host before you run ims_system_config.py. For more information about configuring an external KMS server in NetBackup, refer to the NetBackup Security and Encryption Guide.

Make sure that the external KMS server is reachable from the cloud recovery host on a specific port.

Additional information about image sharing
  • Before you run ims_system_config.py to configure the cloud recovery host on RHEL 8, install Python 2, and create a soft link from Python 2 to Python. The ims_system_config.py script uses Python 2.

  • After the image is imported to cloud, the image catalog still exists on the cloud. If the image is expired on the on-premises storage, then restoring the image on the cloud fails even though the image catalog exists on the cloud.

  • If the image expires on the cloud storage, the image catalog in the cloud is removed but the image data in the bucket is not removed.

  • You can restore any image that you import. For the "Recover the VM as an AWS EC2 instance" option, you can recover only the VM images that are full backup images or accelerator-enabled incremental backup images to cloud.

  • Image sharing supports many policy types from NetBackup 8.2 or later. In these scenarios, the Cloud Catalyst whose images are shared must have a new installation of NetBackup 8.2 or later.

    See the NetBackup compatibility lists for the latest information on the supported policy types.

  • After the image sharing is configured, the storage server is in a read-only mode.

  • For information on the VM recovery limitations, refer to the AWS VM import information in AWS help.

  • You can configure the maximum active jobs when the images are imported to cloud storage.

    Modify the file /usr/openv/var/global/wsl/config/web.conf to add the configuration item imageshare.maxActiveJobLimit.

    For example, imageshare.maxActiveJobLimit=16.

    The default value is 16 and the configurable range is 1 to 100.

    If the import request is made and the active job count exceeds the configured limit, the following message is displayed:

    "Current active job count exceeded active job count limitation".

  • The images that are direct to cloud storage can be shared.

    In optimized deduplication or AIR cascading scenarios, only the images in Cloud Catalyst that has optimized deduplication or has an AIR target can be shared.

    If Cloud Catalyst is not set for optimized deduplication or is not an AIR target, you cannot use image sharing. If Amazon Glacier is enabled in Cloud Catalyst, you cannot use image sharing.

    To disable image sharing in these scenarios:

    Modify the <install_directory>/etc/puredisk/spa.cfg file and add the following configuration item:

    EnableIMandTIR=false

  • Regarding the errors about role policy size limitation:

    Errors that occur when the role policy size exceeds the maximum size are an AWS limitation. You can find the following error in a failed restore job:

    "error occurred (LimitExceeded) when calling the PutRolePolicy operation:
    Maximum policy size of 10240 bytes exceeded for role vmimport"

    Workaround:

    • You can change the maximum policy size limit for the vmimport role.

    • You can list and delete the existing policies using the following commands:

      aws iam list-role-policies --role-name vmimport
      aws iam delete-role-policy --role-name vmimport --policy-name <bucketname> -vmimport

  • The recover operation includes the AWS import process. Therefore, a vmdk image cannot be recovered in two restore jobs at the same time.

  • The image sharing feature can recover the virtual machines that satisfy the Amazon Web Services VM import prerequisites.

    For more information about the prerequisites, refer to the following article:

    https://docs.aws.amazon.com/vm-import/latest/userguide/vmie_prereqs.html

  • If you cannot obtain the administrator password to use an AWS EC2 instance that has a Windows OS, the following error is displayed:

    Password is not available. This instance was launched from a custom AMI, or the default password has changed. A password cannot be retrieved for this instance. If you have forgotten your password, you can reset it using the Amazon EC2 configuration service. For more information, see Passwords for a Windows Server Instance.

    This error occurs after the instance is launched from an AMI that is converted using image sharing.

  • You cannot cancel an import job on the cloud recovery host.

  • If there is data optimization done on the on-premises image, you might not be able to restore the image that you have imported on the cloud recovery host. You can expire this image, import it again on the image-sharing server, and then restore the image.

  • After the backup job, duplication job, or AIR import job completes, you can import the images on a cloud recovery host.
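
For the role policy size error described above, a check that can be run before a restore, added here as an example (not NetBackup or AWS tooling): it totals the inline policy documents saved from the vmimport role and reports whether one more policy would pass the 10240 limit quoted in the error. It assumes each document was saved as a .json file in one directory, and it approximates the way IAM counts size by ignoring whitespace; the function names and sample documents are constructed.

```sh
#!/bin/sh
# Added example, not part of the NetBackup or AWS tooling.
# Save each inline policy of the role into one directory first, for example:
#   aws iam list-role-policies --role-name vmimport
#   aws iam get-role-policy --role-name vmimport --policy-name NAME \
#       --query PolicyDocument --output json > DIR/NAME.json

ROLE_POLICY_LIMIT=10240   # limit quoted in the error message on this page

# policy_chars FILE: size of one policy document with whitespace removed.
policy_chars() {
    tr -d ' \t\r\n' < "$1" | wc -c | tr -d ' '
}

# role_policy_total DIR: combined size of every *.json document in DIR.
role_policy_total() {
    total=0
    for f in "$1"/*.json; do
        [ -f "$f" ] || continue
        total=$((total + $(policy_chars "$f")))
    done
    echo "$total"
}

# new_policy_fits DIR NEW_FILE: succeed when adding NEW_FILE keeps the
# combined size at or below the limit.
new_policy_fits() {
    [ $(( $(role_policy_total "$1") + $(policy_chars "$2") )) -le "$ROLE_POLICY_LIMIT" ]
}

# largest_policies DIR: "size name" lines, largest first, to help decide
# which existing policies to review.
largest_policies() {
    for f in "$1"/*.json; do
        [ -f "$f" ] || continue
        echo "$(policy_chars "$f") $(basename "$f" .json)"
    done | sort -rn
}

# --- Demonstration on constructed policy documents -------------------------
demo_dir=$(mktemp -d)
i=1
while [ "$i" -le 85 ]; do
    # Constructed document; the real inline policies on vmimport will differ.
    printf '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket-%s/*"}]}\n' "$i" \
        > "$demo_dir/example-bucket-$i.json"
    i=$((i + 1))
done
cp "$demo_dir/example-bucket-1.json" "$demo_dir/next.policy"

echo "inline policies total: $(role_policy_total "$demo_dir") of $ROLE_POLICY_LIMIT"
if new_policy_fits "$demo_dir" "$demo_dir/next.policy"; then
    echo "one more policy of this size still fits"
else
    echo "one more policy of this size would exceed the limit; largest existing:"
    largest_policies "$demo_dir" | head -n 3
fi
rm -rf "$demo_dir"
```
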