How to disable specific versions of the TLS protocol in NetBackup using the DisableTLSProtocol configuration parameter
Description
By default, the NetBackup Authentication service (nbatd) communicates using the TLS 1.0, 1.1, or 1.2 protocol. In NetBackup 8.1 and later, you can disable specific versions of the TLS protocol with the DisableTLSProtocol configuration parameter; this matters because most security scanners flag TLSv1 and TLSv1.1 as insecure.
The valid values for the DisableTLSProtocol configuration parameter are:
- "TLSv1"
- "TLSv1.1"
You might get alerts like below depending on your scanner:
The PCI (Payment Card Industry) Data Security Standard requires a minimum of TLS v1.1 and recommends TLS v1.2. In addition, FIPS 140-2 standard requires a minimum of TLS v1.1 and recommends TLS v1.2.
Your security team may then ask you to disable these versions.
To disable the TLS protocol, complete the following steps:
1. Open the VRTSatlocal.conf file from either of the following locations:
- On Unix platform: nb_install_path/var/global/vxss/eab/data/root/.VRTSat/profile/VRTSatlocal.conf
- On Windows platform: nb_install_path\NetBackup\var\global\vxss\eab\data\systemprofile\VRTSatlocal.conf
2. In the VRTSatlocal.conf file, under the [Security\Authentication\Authentication Broker] section, add the following parameter: "DisableTLSProtocol"="TLSv<version_number>"
The <version_number> is the TLS version number that you want to disable. For example, to disable TLS 1.1, add the following parameter:
"DisableTLSProtocol"="TLSv1.1"
Note: Adding TLS 1.1 also disables the TLS 1 protocol and the NetBackup Authentication service communicates via the TLS 1.2 protocol.
3. Save the VRTSatlocal.conf file and restart the NetBackup Authentication service.
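As an added example (not Veritas code and not part of the original article), a small Python helper that applies step 2 to the text of VRTSatlocal.conf: it places exactly one DisableTLSProtocol entry under the [Security\Authentication\Authentication Broker] section, rejects values other than the two valid ones, replaces any existing entry because the parameter accepts only one value at a time, and matches the section header exactly so the similarly named "Authentication Brokers" section is left alone. The sample file content and its other keys are constructed placeholders; reading and writing the real file, and restarting the service, are still done as described in the steps above.

```python
# Only these two values are valid; anything else makes nbatd fall back to TLS 1.2 only.
VALID_VALUES = {"TLSv1", "TLSv1.1"}
# Exact header text; the similarly named "...Authentication Brokers]" must not match.
TARGET_SECTION = r"[Security\Authentication\Authentication Broker]"
KEY = '"DisableTLSProtocol"'

# Constructed sample file; the other keys are placeholders, not real NetBackup settings.
SAMPLE_CONF = r"""[Security\Authentication\Authentication Broker]
"ExampleKey"="constructed"
"DisableTLSProtocol"="TLSv1"
[Security\Authentication\Authentication Brokers]
"AnotherKey"="constructed"
"""

def _is_header(s):
    return s.startswith("[") and s.endswith("]")

def current_disable_tls_protocol(conf_text):
    """Return the value set under the Broker section, or None if absent."""
    in_target = False
    for line in conf_text.splitlines():
        s = line.strip()
        if _is_header(s):
            in_target = s == TARGET_SECTION
        elif in_target and s.startswith(KEY + "="):
            return s.split("=", 1)[1].strip().strip('"')
    return None

def set_disable_tls_protocol(conf_text, value):
    """Return conf_text with exactly one DisableTLSProtocol entry under the Broker section."""
    if value not in VALID_VALUES:
        raise ValueError(f"{value!r} is not one of {sorted(VALID_VALUES)}")
    out, in_target, found = [], False, False
    for line in conf_text.splitlines():
        s = line.strip()
        if _is_header(s):
            in_target = s == TARGET_SECTION  # exact match, so the "Brokers" section is skipped
            out.append(line)
            if in_target:
                found = True
                out.append(f'{KEY}="{value}"')  # entry goes directly under the header
            continue
        if in_target and s.startswith(KEY):
            continue  # drop any existing entry: the parameter accepts one value at a time
        out.append(line)
    if not found:
        raise ValueError(f"section {TARGET_SECTION} not found")
    return "\n".join(out) + "\n"
```

Calling set_disable_tls_protocol(SAMPLE_CONF, "TLSv1.1") returns the file text with the TLSv1 entry replaced by a single TLSv1.1 entry under the Broker section.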
Important information
- The DisableTLSProtocol configuration parameter disables the version of the TLS protocol that you enter as well as the lower version of the protocol.
- For NetBackup 8.1 or later, the NetBackup authentication service can communicate only using the TLS 1.2 protocol.
- If you have media servers or clients running NetBackup 8.0 or earlier, you must leave the TLS 1 protocol enabled (the NetBackup authentication service requires it for those hosts), but only if NBAC, Enhanced Auditing, or Cloud storage is configured.
- The DisableTLSProtocol configuration parameter can only accept one value at a time.
- If you enter values other than the valid values for the DisableTLSProtocol configuration parameter, the NetBackup authentication service communicates using the TLS 1.2 protocol and all the other versions of the TLS protocol are disabled.
- NetBackup is not affected by any changes made at the OS level to disable TLS versions as NetBackup has its own embedded TLS library. Veritas encourages Administrators to update the OS TLS configuration as required by their security standards.
Note: Applies to Windows
If an "Access Denied" error occurs while editing the VRTSatlocal.conf file:
1. First, try opening Notepad.exe as administrator (for example, right-click and select Run As Administrator).
If the error continues, perform the following:
- Copy the VRTSatlocal.conf file to the Desktop, leaving the original file in place.
- Make a backup copy of the file on the Desktop called VRTSatlocal.conf2.
- This backup is for safety only and is not required for the solution.
- Edit the VRTSatlocal.conf file on the Desktop.
- From Notepad.exe, save the edited file over the original in its original location.
This type of issue has been seen on other Windows servers, even with files not related to NetBackup: attempting to save files that do not have a .txt extension results in "Access Denied" messages.
While editing VRTSatlocal.conf, you might also encounter two similarly named entries:
- [Security\Authentication\Authentication Broker]
- [Security\Authentication\Authentication Brokers]
Add the entry under "[Security\Authentication\Authentication Broker]" and not under "Brokers" with the extra 's'.