How to configure NetBackup Secure Communications Administration

Article: 100048333
Last Published: 2020-09-01
Product(s): NetBackup & Alta Data Protection

Description

This guide can be used as a reference for getting started with the administration and management of some of the newer security features of NetBackup.

Veritas Support has produced this video to help you navigate through the administration process. 

We have also captured the step-by-step instructions below.

 


  1. The following steps start from the NBU Admin Console on the Master Server.

 

  1. You’ll notice that if you click the getting started item in the right-hand pane, the first thing you are prompted to do is set a passphrase for the DR package so that the catalog backup can be successful.  

 

  1. So, let’s go to the global security settings and set the passphrase now. 
    • The passphrase is used to secure the Disaster Recovery Package which contains Master Server identity information. This will be important should you need to recover the master server without redeploying certificates to your entire environment again.  

 

  1. Along the bottom of the console in the right-hand pane are two tabs. The second tab, “Disaster recovery”, is where we set the passphrase for the Disaster Recovery package.  

Note: Take note of the rules for a valid passphrase. You should also record this passphrase somewhere safe and test it occasionally using the command: nbhostidentity -testpassphrase -infile <DR_file_path>

  1. Next, we should look at the Secure Communications settings on the first tab.

 

Note: This section lets you know if NetBackup is using self-generated Certificates for identity information or if it’s using your own certificate chains from your corporate PKI infrastructure. You can run NetBackup in mixed mode or dedicated mode. 

  1. The ‘Enable insecure communication’ setting is enabled by default and allows clients and media servers below 8.1 to communicate insecurely until they are upgraded. Disabling this setting will prevent pre-8.1 clients and media servers from communicating with NetBackup master and media servers running 8.1 and above, which will lead to backup failures. (In addition to pre-8.0 clients, this applies to pre-8.0 media servers and also to all 8.0 hosts, both clients and media servers. No pre-8.1 hosts are Secure Comms capable, and they will be denied connectivity by the 8.1+ hosts unless this setting is left enabled.)

  1. The ‘automatically map host names’ setting allows NetBackup to automatically map cross referenced aliases and hostname discoveries. The default is “On” but as per the notes on the settings, this may not be favourable in high security environments. 

 

  1. Next, let's talk about the ‘Security level for Certificate Deployment’ setting.
    • For most environments the default setting of high should be suitable. The criteria when a client can get a certificate is defined to the right of the slider. The ‘medium’ setting will allow unknown hosts to obtain certificates if the hostname can be resolved to an IP and the ‘very high’ setting results in all hosts requiring a token to get a certificate. 

  1. Let's assume the first thing we might want to do is deploy some new clients that are unknown to the master running with the default ‘High’ security setting. We will need an authorization token.  
    • Click on token management 

  1. In the right-hand pane, you can create and clean up tokens by right clicking  

      

 

  1. Right clicking an existing token presents the additional options to show or delete a token.

  1. Let's say we want to install 10 new clients; we can create an Authorization token that only allows 10 uses within a specified time frame.

  1. Click create  

Note: You can now use this token on the clients.  

  1. We can view information and manage deployed certificates under the certificate management section of the security 

  1. Here you can see the state of existing certificates, revoke certificates, generate reissue tokens for known clients and view the Certificate authority (CA) fingerprint. 

  1. Certificates can be mapped to more than one host name. This may be needed if your clients are multihomed or resolve to different names on different segments of your network.
    • To manage certificate-to-hostname mappings, go to the Host Management section  

  1. Here you can see the status of clients, their mappings and host IDs (a unique identifier for each client UUID). The green padlock indicates the client is NetBackup 8.1+ and has securely communicated with the master. The red padlock indicates the client is down level or has not securely communicated yet.

  1. At the bottom of the right-hand pane you will notice the ‘Mappings for Approval’ tab. You should frequently check this for any mapping conflicts that require approval.

  1. Finally, you should look at the ‘Security Events’ section. Here you can view audit trails of security operations.
    • This is split between 2 tabs, accessible at the bottom of the right-hand pane.

  1. The first tab can be used to monitor and review access history.  

 

  1. The second tab can be used to monitor certificate authority. Both these areas can be useful when troubleshooting certificate and logon issues.  
     
  2. This completes our tour of the new Secure Communication and Certificate management features of NetBackup. 
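
As an added example (not part of the original article and not Veritas code), the following pre-change check relates to the ‘Enable insecure communication’ step above: it lists which hosts would lose connectivity if the setting were disabled, using the 8.1 threshold the article states. The CSV inventory format, hostnames and function names are assumptions, and the sample data is constructed.

```python
# Pre-change check for the 'Enable insecure communication' setting (added example).
# The inventory below is constructed sample data, not output from NetBackup.
import csv
import io

# Per the article: hosts below 8.1 (including all 8.0 hosts) are not Secure Comms capable.
SECURE_COMMS_MIN = (8, 1)

SAMPLE_INVENTORY = """\
host,role,version
client-a.example.com,client,8.1.2
client-b.example.com,client,8.0
media-1.example.com,media,7.7.3
media-2.example.com,media,8.2
client-c.example.com,client,
"""

def parse_version(text):
    """Turn '8.1.2' into (8, 1, 2); return None if the version is missing or malformed."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def audit(inventory_csv):
    """Sort hosts into 'ok', 'blocked' (below 8.1) and 'unknown' (needs manual review)."""
    result = {"ok": [], "blocked": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = parse_version(row["version"] or "")
        if version is None:
            bucket = "unknown"
        elif version[:2] < SECURE_COMMS_MIN:  # 7.x and 8.0 both compare below 8.1
            bucket = "blocked"
        else:
            bucket = "ok"
        result[bucket].append((row["host"], row["role"]))
    return result

def safe_to_disable(result):
    """Only treat the change as safe when no host is blocked or of unknown version."""
    return not result["blocked"] and not result["unknown"]

if __name__ == "__main__":
    report = audit(SAMPLE_INVENTORY)
    for host, role in report["blocked"]:
        print(f"would lose connectivity: {host} ({role})")
    for host, role in report["unknown"]:
        print(f"version unknown, review manually: {host} ({role})")
    print("safe to disable insecure communication:", safe_to_disable(report))
```

Hosts with a missing or unparseable version are reported separately rather than assumed compliant, since an unnoticed pre-8.1 media server or client would start failing backups after the change.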
