Veritas NetBackup™ Cloud Administrator's Guide

Last Published:
Product(s): NetBackup (9.1)
  1. About NetBackup cloud storage
    1.  
      About cloud storage features and functionality
    2.  
      About the catalog backup of cloud configuration files
    3.  
      About support limitations for NetBackup cloud storage
  2. About the cloud storage
    1.  
      About the cloud storage vendors for NetBackup
    2. About the Amazon S3 cloud storage API type
      1.  
        Amazon S3 cloud storage vendors certified for NetBackup
      2.  
        Amazon S3 storage type requirements
      3.  
        Permissions required for Amazon S3 cloud provider user
      4.  
        Amazon S3 cloud storage provider options
      5.  
        Amazon S3 cloud storage options
      6.  
        Amazon S3 advanced server configuration options
      7.  
        Amazon S3 credentials broker details
      8.  
        About private clouds from Amazon S3-compatible cloud providers
      9.  
        About Amazon S3 storage classes
      10.  
        Amazon virtual private cloud support with NetBackup
      11. About protecting data in Amazon for long-term retention
        1. About protecting data in Amazon Glacier
          1.  
            About restoring data from Amazon Glacier
        2. About protecting data in Amazon Glacier vault
          1.  
            About backing up data to Amazon Glacier vault
          2.  
            About restoring data from Amazon Glacier vault
      12. Protecting data using Amazon's cloud tiering
        1.  
          About backing up data using LIFECYCLE storage class
        2.  
          About restoring data from LIFECYCLE storage class
      13. About using Amazon IAM roles with NetBackup
        1.  
          Configuring AWS IAM Role with NetBackup
      14.  
        About NetBackup character restrictions for Amazon S3 cloud connector
      15. Protecting data with Amazon Snowball and Amazon Snowball Edge
        1.  
          Configuring NetBackup for Amazon Snowball with Amazon Snowball client
        2.  
          Configuring NetBackup for Amazon Snowball with Amazon S3 API interface
        3.  
          Using multiple Amazon S3 adapters
        4.  
          Configuring NetBackup with Amazon Snowball Edge with file interface
        5.  
          Configuring NetBackup for Amazon Snowball Edge with S3 API interface
        6.  
          Configuring SSL for Amazon Snowball and Amazon Snowball Edge
        7.  
          Post backup procedures if you have used S3 API interface
    3. About Microsoft Azure cloud storage API type
      1.  
        Microsoft Azure cloud storage vendors certified for NetBackup
      2.  
        Microsoft Azure storage type requirements
      3.  
        Microsoft Azure cloud storage provider options
      4.  
        Microsoft Azure advanced server configuration options
      5.  
        Protecting data in Microsoft Azure Archive for long-term retention
    4. About OpenStack Swift cloud storage API type
      1.  
        OpenStack Swift cloud storage vendors certified for NetBackup
      2.  
        OpenStack Swift storage type requirements
      3.  
        OpenStack Swift cloud storage provider options
      4.  
        OpenStack Swift storage region options
      5.  
        OpenStack Swift add cloud storage configuration options
      6.  
        OpenStack Swift proxy settings
  3. Configuring cloud storage in NetBackup
    1.  
      Before you begin to configure cloud storage in NetBackup
    2.  
      Configuring cloud storage in NetBackup
    3.  
      Cloud installation requirements
    4. Scalable Storage properties
      1.  
        Configuring advanced bandwidth throttling settings
      2.  
        Advanced bandwidth throttling settings
    5. Cloud Storage properties
      1.  
        Adding a cloud storage instance
      2.  
        Changing cloud storage host properties
      3.  
        Deleting a cloud storage host instance
    6. About the NetBackup CloudStore Service Container
      1.  
        NetBackup CloudStore Service Container security certificates
      2.  
        NetBackup CloudStore Service Container security modes
      3.  
        NetBackup cloudstore.conf configuration file
    7.  
      Deploying host name-based certificates
    8.  
      Deploying host ID-based certificates
    9.  
      About data compression for cloud backups
    10.  
      About data encryption for cloud storage
    11.  
      About NetBackup KMS for encryption of NetBackup cloud storage
    12.  
      About external KMS for encryption of NetBackup cloud storage
    13.  
      About cloud storage servers
    14.  
      About object size for cloud storage
    15. About the NetBackup media servers for cloud storage
      1.  
        Using media server as NetBackup Cloud master host
    16. Configuring a storage server for cloud storage
      1.  
        KMS database encryption settings
      2.  
        Assigning a storage class to Amazon cloud storage
    17.  
      Changing cloud storage server properties
    18. NetBackup cloud storage server properties
      1.  
        NetBackup cloud storage server bandwidth throttling properties
      2.  
        NetBackup cloud storage server connection properties
      3.  
        NetBackup cloud storage server encryption properties
    19.  
      About cloud storage disk pools
    20.  
      Configuring a disk pool for cloud storage
    21.  
      Saving a record of the KMS key names for NetBackup cloud storage encryption
    22.  
      Adding backup media servers to your cloud environment
    23. Configuring a storage unit for cloud storage
      1.  
        Cloud storage unit properties
      2.  
        Configure a favorable client-to-server ratio
      3.  
        Control backup traffic to the media servers
    24.  
      About NetBackup Accelerator and NetBackup Optimized Synthetic backups
    25.  
      Enabling NetBackup Accelerator with cloud storage
    26.  
      Enabling optimized synthetic backups with cloud storage
    27.  
      Creating a backup policy
    28. Changing cloud storage disk pool properties
      1.  
        Cloud storage disk pool properties
    29.  
      Certificate validation against Certificate Revocation List (CRL)
    30.  
      Managing Certification Authorities (CA) for NetBackup Cloud
  4. Monitoring and Reporting
    1.  
      About monitoring and reporting for cloud backups
    2.  
      Viewing cloud storage job details
    3.  
      Viewing the compression ratio
    4.  
      Viewing NetBackup cloud storage disk reports
    5.  
      Displaying KMS key information for cloud storage encryption
  5. Operational notes
    1.  
      NetBackup bpstsinfo command operational notes
    2.  
      Unable to configure additional media servers
    3.  
      Cloud configuration may fail if NetBackup Access Control is enabled
    4.  
      Deleting cloud storage server artifacts
    5.  
      Using csconfig reinitialize to load updated cloud configuration settings
    6.  
      Enabling or disabling communication between master server and legacy cloud storage media servers
  6. Troubleshooting
    1. About unified logging
      1.  
        About using the vxlogview command to view unified logs
      2.  
        Examples of using vxlogview to view unified logs
    2. About legacy logging
      1.  
        Creating NetBackup log file directories for cloud storage
    3.  
      NetBackup cloud storage log files
    4.  
      Enable libcurl logging
    5.  
      NetBackup Administration Console fails to open
    6. Troubleshooting cloud storage configuration issues
      1.  
        NetBackup Scalable Storage host properties unavailable
      2.  
        Connection to the NetBackup CloudStore Service Container fails
      3.  
        Cannot create a cloud storage disk pool
      4.  
        Cannot create a cloud storage
      5.  
        Data transfer to cloud storage server fails in the SSL mode
      6.  
        Amazon GovCloud cloud storage configuration fails in non-SSL mode
      7.  
        Data restore from the Google Nearline storage class may fail
      8.  
        Backups may fail for cloud storage configurations with Frankfurt region
      9.  
        Backups may fail for cloud storage configurations with the cloud compression option
      10.  
        Fetching storage regions fails with authentication version V2
    7. Troubleshooting cloud storage operational issues
      1.  
        Cloud storage backups fail
      2.  
        Stopping and starting the NetBackup CloudStore Service Container
      3.  
        A restart of the nbcssc (on legacy media servers), nbwmc, and nbsl processes reverts all cloudstore.conf settings
      4.  
        NetBackup CloudStore Service Container startup and shutdown troubleshooting
      5.  
        bptm process takes time to terminate after cancelling GLACIER restore job
      6.  
        Handling image cleanup failures for Amazon Glacier vault
      7.  
        Cleaning up orphaned archives manually
      8.  
        Restoring from Amazon Glacier vault spans more than 24 hours for single fragment
      9.  
        Restoring from GLACIER_VAULT takes more than 24 hours for Oracle databases
      10.  
        Troubleshooting failures due to missing Amazon IAM permissions
      11.  
        Restore job fails if the restore job start time overlaps with the backup job end time
      12.  
        Post processing fails for restore from Azure archive
    8.  
      Troubleshooting Amazon Snowball and Amazon Snowball Edge issues
  7.  
    Index

About using Amazon IAM roles with NetBackup

An AWS IAM role is an Amazon Web Services (AWS) identity with the permission policy that determines what tasks an identity is authorized to perform. You can use roles to delegate access to users, applications, or the services that normally don't have access to AWS resources. A role is intended to be assumable by anyone who needs it. If a user assumes a role, temporary security credentials are created dynamically and provided to the user.

For example, an application running on the AWS Elastic Compute Cloud (EC2) instances requires the credentials to access the other AWS services like S3 service. With the traditional approach, you provide the fixed credentials access key and secret access key. With IAM roles, temporary credentials are used to connect to the other AWS services.

Considerations

NetBackup supports the AWS IAM Roles for stream-based backup operations, wherein:

  1. NetBackup uses AWS IAM Role that is attached to the AWS EC2 instances on which media server is configured for all S3 storage communications.

  2. NetBackup fetches the role name and temporary credentials by connecting to the AWS EC2 metadata.

  3. NetBackup master server can be deployed on AWS EC2 instance or on-premises. You must do the required network settings for communication between the master and the media servers.

  4. The NetBackup media server that uses the IAM role to backup data to cloud must be deployed on the AWS EC2 instance.

  5. AWS IAM Role with required permissions must be attached to the NetBackup media server running on the AWS EC2 instance. See Permissions required for Amazon S3 cloud provider user.

  6. Backup data is stored in S3 storage of the same AWS account where the AWS IAM role is created.

  7. NetBackup supports the AWS IAM Role-based authentication for both Amazon and Amazon Gov cloud providers.

  8. You can modify existing cloud storage server (alias) to use AWS IAM role for authentication only using the csconfig command.

  9. Use the AWS Management Console to perform IAM Role allocation, modification, and revocation operations. NetBackup does not store any role-specific information.

  10. Ensure that the AWS EC2 instance metadata service is accessible to NetBackup media server. You verify using AWS commands. For example,

    To get the role name, run:

    curl http://169.254.169.254/latest/meta-data/iam/security-credentials/

    To get the credentials, run:

    curl http://169.254.169.254/latest/meta-data/iam/security-credentials/role-name

  11. For IPv6 only deployments, AWS IAM Role cannot be used because AWS EC2 instance metadata service is supported only for IPv4.

  12. AWS IAM Role is also supported with the MSDP direct cloud tiering storage server.

AWS IAM Role deployment

The following diagram illustrates the deployment:

As the diagram illustrates, to use AWS IAM role with NetBackup:

  • NetBackup master server can be deployed on-premises or in the cloud.

  • Backup data is stored in S3 storage of the same AWS account where the AWS IAM role is created.

  • AWS IAM role is attached to AWS EC2 instance on which the media server is running.

Note:

When role is attached to AWS EC2 instance that has access to S3 storage, NetBackup user doesn't need to provide any credentials.

Tip: You get better performance, if the NetBackup clients are deployed in cloud.