Description
To use an External KMS server with NetBackup 8.3 or above, the configuration needs to be performed in two phases.
Phase 1: Setting up trust between the External KMS server and NetBackup.
NetBackup only supports certificate-based trust setup, so there are two possible scenarios: the certificates are issued either by an external CA or by the KMS server's local CA.
Scenario 1: External KMS is using external CA certificates.
Perform the following steps if external CA certificates are being used in the environment:
1. Get a certificate from the external CA and save the private key, certificate and trust store for later use.
2. Open the Gemalto web UI and log in with Administrative credentials.
3. Go to the Users page and create a new user that matches the common name in the certificate that was created in Step 1.
4. Click on the user that was created and assign the required permissions. In this example, the Key Users permissions are being granted. Make sure the user has, at a minimum, sufficient permission to read keys. If you also want NetBackup to be able to create keys, note that a user with the Key Users permission can generally both list and create keys.
5. Once the user is created, the credentials (the private key, certificate and trust store/CA certificate saved in Step 1) can be used to pre-check communication with the external KMS. Go to the NetBackup master server and execute the following command:
nbkmscmd -precheckKMSConfig -kmsServerName <server name> -port <port number> -certPath <path to certificate> -privateKeyPath <path to private key> -trustStorePath <path to trust store or CA>
Note that the following parameters are not references to NetBackup entities but, rather, are ECA entities which would be provided to the NetBackup administrators by whoever administers their ECA:
- certificate
- private key
- trust store or CA
So, for example, if the ECA administrator provided the NetBackup administrator with the following:
1 -> A certificate file named "/kms_cert/eca/cert_chain.pem"
2 -> A private key file named "/kms_cert/eca/private/key.pem"
3 -> A CA file named "/kms_cert/eca/trusted/cacerts.pem"
Then the command syntax would look something like:
nbkmscmd -precheckKMSConfig -kmsServerName my_ekms_server.test.lab -port 5696 -certPath /kms_cert/eca/cert_chain.pem -privateKeyPath /kms_cert/eca/private/key.pem -trustStorePath /kms_cert/eca/trusted/cacerts.pem
Note further that the above *.pem files are not required to be placed in a directory called "/kms_cert/eca"; that is just the path (on the master server) that the NetBackup administrator chose in this particular example.
For more information or assistance with the nbkmscmd command, please reference the Veritas NetBackup Commands Reference Guide.
6. Once the communication with the external server is validated, the KMS server can be registered with NetBackup using the nbkmscmd command.
Scenario 2: The external KMS has its own local CA configured for certificates.
Perform these steps if the KMS server is using a local CA:
1. Open the Gemalto web UI and log in with Administrative credentials.
2. Select CA from the menu on the left side of the Web UI.
3. Select Create CSR. Fill in the information about the NetBackup master server and then select Create.
Note: Make sure to use RSA as the algorithm; otherwise the certificate will not work with NetBackup.
4. Select Save CSR and Save Private Key. Save the private key as key.pem.
5. Select the Local Certificate Authority that will be used to sign the CSR.
6. Select Upload and Sign CSR.
7. Paste in the CSR that was downloaded and select Issue Certificate. A certificate appears at the top of the list of certificates.
8. Download this certificate by left-clicking on the 'three dots' shown in the Action column, and then selecting Download. Save the certificate as cert.pem. To connect to the NextGen KeySecure, this signed certificate will be used by the NetBackup Master server, along with the private key that was downloaded.
9. Click the 'three dots' next to the certificate authority name and download the CA certificate as CA.pem.
10. Go to the Users page and create a new user that matches the common name on the certificate that was generated in previous steps.
11. Click on the created user and assign the required permissions. In this example, Key Users permissions are being granted. Make sure the user has, at a minimum, sufficient permission to read keys. If you also want NetBackup to be able to create keys, note that a user with the Key Users permission can generally both list and create keys.
12. Once the user is created, the credentials (the private key, certificate and trust store/CA certificate saved in the previous steps) can be used to pre-check communication with the external KMS server. Go to the NetBackup master server and execute the following command:
nbkmscmd -precheckKMSConfig -kmsServerName <server name> -port <port number> -certPath <path to certificate> -privateKeyPath <path to private key> -trustStorePath <path to trust store or CA>
For more information or assistance with the nbkmscmd command, please reference the Veritas NetBackup Commands Reference Guide.
13. Once the communication with the external server is validated, the KMS server can be registered with NetBackup using the nbkmscmd command.
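The precheck step in both scenarios (Scenario 1 step 5 and Scenario 2 step 12) depends on the certificate, private key and trust store being mutually consistent, RSA-based, and issued to the common name of the KeySecure user. The following pre-flight check is an added example and is not part of the NetBackup or Gemalto documentation; it assumes the openssl CLI is available on the master server, and the file names cert.pem, key.pem and CA.pem and the user name nbu_kms_user are constructed lab values, not values from this article.

```shell
#!/bin/sh
# Added pre-flight check (not part of the NetBackup or Gemalto documentation).
# Run it on the master server against the certificate, private key and trust store
# before nbkmscmd -precheckKMSConfig so a failed precheck can be traced to the
# certificate material rather than the KMS server or network. Needs the openssl CLI.

# kms_preflight CERT KEY TRUST_STORE EXPECTED_CN checks that:
#   1. the certificate chains to the trust store / CA file
#   2. the private key belongs to the certificate
#   3. the key algorithm is RSA (required by NetBackup, see the CSR note)
#   4. the certificate CN equals the KeySecure user created for NetBackup
kms_preflight() {
  cert=$1; key=$2; ca=$3; expected_cn=$4
  # 1. chain validation; -untrusted lets a cert_chain.pem supply intermediates
  openssl verify -CAfile "$ca" -untrusted "$cert" "$cert" >/dev/null 2>&1 ||
    { echo "FAIL: $cert does not chain to $ca"; return 1; }
  # 2. compare the cert's public key with the one derived from the private key
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
    { echo "FAIL: $key does not match $cert"; return 1; }
  # 3. algorithm check on the certificate's SubjectPublicKeyInfo
  openssl x509 -in "$cert" -noout -text | grep -q 'Public Key Algorithm: rsaEncryption' ||
    { echo "FAIL: $cert is not an RSA certificate"; return 1; }
  # 4. CN must be the KeySecure user name
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$expected_cn" ] ||
    { echo "FAIL: certificate CN '$cn' does not match KeySecure user '$expected_cn'"; return 1; }
  echo "OK: $cert, $key and $ca are consistent; CN=$cn"
}

# make_lab_material DIR CN: constructs a throwaway CA and an RSA user certificate
# in DIR so the check can be exercised offline. Real deployments use the material
# issued by the ECA or by the KeySecure local CA instead.
make_lab_material() {
  dir=$1; cn=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Lab CA" \
    -keyout "$dir/ca.key" -out "$dir/CA.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$dir/key.pem" -out "$dir/user.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$dir/user.csr" -CA "$dir/CA.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -out "$dir/cert.pem" >/dev/null 2>&1
}

# Stand-alone demonstration: the expected user first, then a mismatching name.
lab=$(mktemp -d)
make_lab_material "$lab" nbu_kms_user
kms_preflight "$lab/cert.pem" "$lab/key.pem" "$lab/CA.pem" nbu_kms_user
kms_preflight "$lab/cert.pem" "$lab/key.pem" "$lab/CA.pem" other_user || true
rm -rf "$lab"
```

Run it with the real cert, key and trust store paths and the user name created on the KeySecure before issuing nbkmscmd -precheckKMSConfig; any FAIL line names the item to correct first.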
Phase 2: Accessing Keys from the External KMS server.
To access keys through NetBackup, the keys must carry certain attributes so that NetBackup's KMIP client can query them. If the user configured in NetBackup has permission to create keys, use that user to create new keys, because keys created by that user automatically have the required attributes set. To use existing keys, the following steps must be performed:
1. Open the Gemalto web UI and log in with credentials whose certificate is registered with the NetBackup master server in Phase 1.
2. Select any existing key to configure it for use with NetBackup.
3. Select Edit (by left clicking on the 'three dots' shown in the last column). In the Edit interface a list will appear of different attributes of the key that can be modified.
4. Select Raw in the Key Metadata section.
5. Enter the KMIP custom attributes required for NetBackup in JSON format.
- x-application: Must always be "NetBackup"
- x-keygroup: This must be equal to the key group name that you want to use. For more information on key group naming, please reference the Veritas NetBackup Security and Encryption Guide.
6. Once this is completed, click Update at the bottom of the page.
7. Post update, the nbkmscmd command can be used to list the keys.
nbkmscmd -listKeys -name <kms configuration name>
Note: The screenshots were captured from a Gemalto SafeNet KeySecure k170v in a lab environment and might differ for other versions or implementations. This is a third-party product and as such is not under the control of Veritas. The material was correct at the time of the original publication date of this technical article.
For more details on the commands in this article, refer to the Veritas NetBackup Security and Encryption Guide and the Veritas NetBackup Commands Reference Guide.