About NetBackup 8.1 catalog passphrases.


Article: 100040029
Last Published: 2017-09-20
Product(s): NetBackup


The NetBackup 8.1 release has a number of security enhancements, one of which is the requirement for certificates to reside on each host and for the master server to act as a certificate authority (CA). With those changes, a method had to be established to allow the master server identity to be recovered before the databases are restored. This new method is the generation of a DR package file, which occurs as part of the catalog backup.

The DR package contains the certificate information needed to reestablish the identity; without it, certificates would have to be redeployed to all media servers and clients. To protect the certificate information, the DR package is encrypted, and a passphrase must be configured to allow the file to be decrypted. The result is the new 8.1 requirement for the catalog passphrase.

The disaster recovery package contains the following information:

  • Security certificates and private keys of the master server and the NetBackup CA (Certificate Authority)
  • Information about the hosts in the domain
  • Security settings

The DR package file is located in the same directory as the DR file as established in the NBU-Catalog policy > Disaster Recovery tab.

After new installations of a NetBackup master server, the passphrase must be set before creating any NetBackup catalog policy.
After an upgrade of a NetBackup master server, any existing NetBackup catalog policies will fail until the disaster recovery passphrase is set.

Once set, the passphrase is valid until a new passphrase is set.

To set or modify a passphrase from the NetBackup Administration Console:
  1. In the NetBackup Administration Console, expand Security Management > Global Security Settings.
  2. In the details pane, click the Disaster Recovery tab.
  3. Provide Passphrase and Confirm Passphrase.
     Review the following password rules:
    • The existing passphrase and the new passphrase must be different.
    • The passphrase must contain a minimum of 8 and a maximum of 20 characters.
    • Only the following characters are supported for the passphrase: White spaces, uppercase characters (A to Z), lowercase characters (a to z), numbers (0 to 9), and special characters.
      Special characters include: ~ ! @ # $ % ^ & * ( ) _ + - = ` { } [ ] | : ; ' , . / ? < > "
    • Caution: If you enter a character that is not supported, you may face problems during disaster recovery package restore. The passphrase may not be validated and you may not be able to restore the disaster recovery package. See article 000125933 for details.
  4. Click Save. If the passphrase already exists, it is overwritten.
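
An added example (not Veritas code) that checks a candidate passphrase against the rules listed above before it is entered in the console or with nbseccmd -drpkgpassphrase. It assumes that "white spaces" means the ASCII space only; check_passphrase is a hypothetical helper name.

```python
import string

# Special characters copied from the rule list in this article (no backslash).
SPECIAL = "~!@#$%^&*()_+-=`{}[]|:;',./?<>\""
# Assumption: "white spaces" is read conservatively as the ASCII space only.
ALLOWED = set(string.ascii_letters + string.digits + SPECIAL + " ")
MIN_LEN, MAX_LEN = 8, 20


def check_passphrase(new, existing=None):
    """Return a list of rule violations; an empty list means the candidate passes."""
    problems = []
    if not MIN_LEN <= len(new) <= MAX_LEN:
        problems.append(f"length {len(new)} is outside {MIN_LEN}-{MAX_LEN}")
    # Report each unsupported character once, by code point, so invisible
    # characters (tabs, non-breaking spaces, pasted smart quotes) are visible.
    bad = sorted({c for c in new if c not in ALLOWED})
    if bad:
        codes = ", ".join(f"U+{ord(c):04X}" for c in bad)
        problems.append("unsupported characters: " + codes)
    if existing is not None and new == existing:
        problems.append("new passphrase is the same as the existing one")
    return problems


if __name__ == "__main__":
    import getpass

    # getpass keeps the candidate off the screen and out of shell history.
    candidate = getpass.getpass("Candidate passphrase: ")
    issues = check_passphrase(candidate)
    for issue in issues:
        print("FAIL:", issue)
    if not issues:
        print("OK: passes the documented rules")
```

A passing result only means the candidate matches the documented rules; the nbhostidentity -testpassphrase check after a catalog backup remains the confirmation that the DR package can be decrypted.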
To set or modify a passphrase using the command-line interface:
  1. The NetBackup administrator must be logged on to the NetBackup Web Management Service to perform this task.
    • Use the following command to log on: bpnbat -login -loginType WEB
  2. Run the following command to set a passphrase to encrypt disaster recovery packages:
    • nbseccmd -drpkgpassphrase
  3. Enter the passphrase.
    • If a passphrase already exists, it is overwritten.

After a successful hot catalog backup, the passphrase can be validated by using the nbhostidentity command, while specifying the DR package file name. 


Look in the path to the DR file location specified in the policy to find the DR package file.

In this case, the DR package file name is: catalog_1505917889_FULL.drpkg

Run the nbhostidentity command to verify the passphrase:
  nbhostidentity -testpassphrase -infile <DR_package_location>

Example command and output using the above information:
  nbhostidentity -testpassphrase -infile S:\DR-files\catalog_1505917889_FULL.drpkg
Specify the passphrase that is associated with the disaster recovery package.
Passphrase: *************
The specified passphrase is valid for the disaster recovery package - S:\DR-files\catalog_1505917889_FULL.drpkg.
Command is successfully carried out.

Note that the passphrase is not echoed to the screen.
