NetBackup™ Web UI Security Administrator's Guide
- Introducing the NetBackup web user interface
- Managing role-based access control
- Steps to create an object group
- Adding AD or LDAP domains
- Security events and audit logs
- Managing hosts
- Managing security certificates
- Managing NetBackup security certificates
- Using external security certificates with NetBackup
- Managing user sessions
- Managing master server security settings
- Creating and using API keys
- Configuring smart card authentication
- Troubleshooting access to the web UI
- Unable to add AD or LDAP domains with the vssat command
About NetBackup certificate deployment security levels
Security levels for certificate deployment are specific to NetBackup CA-signed certificates. If the NetBackup web server is not configured to use NetBackup certificates for secure communication, the security levels cannot be accessed.
The NetBackup certificate deployment level determines the checks that are performed before the NetBackup CA issues a certificate to a NetBackup host. It also determines how frequently the NetBackup Certificate Revocation List (CRL) is refreshed on the host.
NetBackup certificates are deployed on hosts during installation (after the host administrator confirms the master server fingerprint) or with the nbcertcmd command. Choose a deployment level that corresponds to the security requirements of your NetBackup environment.
During NetBackup certificate deployment on a NAT client, you must provide an authorization token irrespective of the certificate deployment security level that is set on the master server. This is because, the master server cannot resolve the host name to the IP address from which the request is sent.
For more information on NAT support in NetBackup, refer to the NetBackup Administrator's Guide, Volume I.
Table: Description of NetBackup certificate deployment security levels
An authorization token is required for every new NetBackup certificate request.
The CRL that is present on the host is refreshed every hour.
No authorization token is required if the host is known to the master server. A host is considered to be known to the master server if the host can be found in the following entities:
The CRL that is present on the host is refreshed every 4 hours.
The certificates are issued without an authorization token if the master server can resolve the host name to the IP address from which the request was originated.
The CRL that is present on the host is refreshed every 8 hours.