Search <book_title>...

NetBackup™ Commands Reference Guide

Last Published: 2025-03-18

Product(s): NetBackup (11.0)

Introduction
Appendix A. NetBackup Commands
1. acsd
2. backupdbtrace
3. backuptrace
4. bmrc
5. bmrconfig
6. bmrepadm
7. bmrprep
8. bmrs
9. bmrsrtadm
10. bp
11. bparchive
12. bpbackup
13. bpbackupdb
14. bpcatarc
15. bpcatlist
16. bpcatres
17. bpcatrm
18. bpcd
19. bpchangeprimary
20. bpcleanrestore
21. bpclient
22. bpclimagelist
23. bpclntcmd
24. bpclusterutil
25. bpcompatd
26. bpconfig
27. bpdbjobs
28. bpdbm
29. bpdgclone
30. bpdown
31. bpduplicate
32. bperror
33. bpexpdate
34. bpfis
35. bpflist
36. bpgetconfig
37. bpgetdebuglog
38. bpimage
39. bpimagelist
40. bpimmedia
41. bpimport
42. bpinst
43. bpkeyfile
44. bpkeyutil
45. bplabel
46. bplist
47. bpmedia
48. bpmedialist
49. bpminlicense
50. bpnbat
51. bpnbaz
52. bppficorr
53. bpplcatdrinfo
54. bpplclients
55. bppldelete
56. bpplinclude
57. bpplinfo
58. bppllist
59. bpplsched
60. bpplschedrep
61. bpplschedwin
62. bppolicynew
63. bpps
64. bprd
65. bprecover
66. bprestore
67. bpretlevel
68. bpschedule
69. bpschedulerep
70. bpsetconfig
71. bpstsinfo
72. bpstuadd
73. bpstudel
74. bpstulist
75. bpsturep
76. bptestbpcd
77. bptestnetconn
78. bpup
79. bpverify
80. cat_convert
81. cat_export
82. cat_import
83. configureCerts
84. configureMQ
85. configureWebServerCerts
86. create_nbdb
87. csconfig cldinstance
88. csconfig cldprovider
89. csconfig meter
90. csconfig reinitialize
91. csconfig throttle
92. duplicatetrace
93. importtrace
94. jbpSA
95. jnbSA
96. ltid
97. mklogdir
98. msdpcldutil
99. nbauditreport
100. nbcallhomeproxyconfig
101. nbcatsync
102. NBCC
103. NBCCR
104. nbcertcmd
105. nbcertupdater
106. nbcldutil
107. nbcmdrun
108. nbcomponentupdate
109. nbcplogs
110. nbcredkeyutil
111. nbdb_admin
112. nbdb_backup
113. nbdb_move
114. nbdb_ping
115. nbdb_restore
116. nbdb_unload
117. nbdb2adutl
118. nbdbms_start_server
119. nbdbms_start_stop
120. nbdc
121. nbdecommission
122. nbdelete
123. nbdeployutil
124. nbdevconfig
125. nbdevquery
126. nbdiscover
127. nbdna
128. nbemm
129. nbemmcmd
130. nbepicfile
131. nbfindfile
132. nbfirescan
133. nbfp
134. nbftadm
135. nbftconfig
136. nbgetconfig
137. nbhba
138. nbholdutil
139. nbhostidentity
140. nbhostmgmt
141. nbhsmcmd
142. nbhypervtool
143. nbidpcmd
144. nbimageshare
145. nbinstallcmd
146. nbjm
147. nbkmiputil
148. nbkmscmd
149. nbkmsutil
150. nblogparser
151. nbmariadb
152. nbmysql
153. nbmlb
154. nborair
155. nboracmd
156. nbpem
157. nbpemreq
158. nbmariadb
159. nbmlb
160. nbperfchk
161. nbpgsql
162. nbplupgrade
163. nbrb
164. nbrbutil
165. nbreplicate
166. nbrepo
167. nbrestorevm
168. nbseccmd
169. nbserviceusercmd
170. nbsetconfig
171. nbshvault
172. nbsmartdiag
173. nbsnapimport
174. nbsnapreplicate
175. nbsqlcmd
176. nbsqlite
177. nbstl
178. nbstlutil
179. nbstop
180. nbsu
181. nbsvrgrp
182. netbackup_deployment_insights
183. resilient_clients
184. restoretrace
185. stopltid
186. tiermover
187. tldd
188. tldcd
189. tpautoconf
190. tpclean
191. tpconfig
192. tpext
193. tpreq
194. tpunmount
195. verifytrace
196. vltadm
197. vltcontainers
198. vlteject
199. vltinject
200. vltoffsitemedia
201. vltopmenu
202. vltrun
203. vmadd
204. vmchange
205. vmcheckxxx
206. vmd
207. vmdelete
208. vmoprcmd
209. vmphyinv
210. vmpool
211. vmquery
212. vmrule
213. vmupdate
214. vnetd
215. vssat
216. vwcp_manage
217. vxlogcfg
218. vxlogmgr
219. vxlogview
220. W2KOption

Name

nbkmiputil — executes the various external KMS server operations.

SYNOPSIS

nbkmiputil -getKey -kmsServer kms_server_name -port kms_server_port -trustStorePath CA_certificate_file_path -certPath certificate_file_path -privateKeyPath private_key_file_path -keyId key_ID [-kadLength KAD_length] | -nbKeyGroup key_group_name [-kadLength KAD_length] | -kad key_associated_data [-passphrasePath private_key_passphrase_file_path] [-crlCheckLevel LEAF | CHAIN | DISABLE] [-getDetails] [-connectTimeout time_in_seconds] [-requestTimeout time_in_seconds] [-kmipVersion version] [-jsonCompact]

nbkmiputil -listKeyIDs -kmsServer kms_server_name -port kms_server_port -trustStorePath CA_certificate_file_path -certPath certificate_file_path -privateKeyPath private_key_file_path [-nbKeyGroup key_group_name] [-activeKey] [-passphrasePath private_key_passphrase_file_path] [-crlCheckLevel LEAF | CHAIN | DISABLE] [-getDetails] [-connectTimeout time_in_seconds] [-requestTimeout time_in_seconds] [-kmipVersion version] [-maxItems number] [-offset number] [-jsonCompact]

nbkmiputil -setAttribute -kmsServer kms_server_name -port kms_server_port -trustStorePath CA_certificate_file_path -certPath certificate_file_path -privateKeyPath private_key_file_path -keyId key_ID -attributeName attribute_name -attributeValue attribute_value [-passphrasePath private_key_passphrase_file_path] [-crlCheckLevel LEAF | CHAIN | DISABLE] [-connectTimeout time_in_seconds] [-requestTimeout time_in_seconds] [-kmipVersion version] [-jsonCompact]

nbkmiputil -validate -kmsServer kms_server_name -port kms_server_port -trustStorePath CA_certificate_file_path -certPath certificate_file_path -privateKeyPath private_key_file_path [-passphrasePath private_key_passphrase_file_path] [-crlCheckLevel LEAF | CHAIN | DISABLE] [-connectTimeout time_in_seconds] [-requestTimeout time_in_seconds] [-kmipVersion version] [-jsonCompact]

nbkmiputil -ekmsCheckCompat | -ecc -kmsServer kms_server_name -port kms_server_port -trustStorePath CA_certificate_file_path -certPath certificate_file_path -privateKeyPath private_key_file_path [-passphrasePath private_key_passphrase_file_path] [-crlCheckLevel LEAF | CHAIN | DISABLE] [-kmipVersion version] [-jsonCompact] [-extended] [-verbose]

nbkmiputil -setState -kmsServer kms_server_name -port kms_server_port -trustStorePath CA_certificate_file_path -certPath certificate_file_path -privateKeyPath private_key_file_path -keyId key_ID -stateType 1 | 2 | 3 | 4 [-revocationReason 1 | 2 | 3 | 4 | 5 | 6 | 7] [-passphrasePath private_key_passphrase_file_path] [-crlCheckLevel LEAF | CHAIN | DISABLE] [-connectTimeout time_in_seconds] [-requestTimeout seconds] [-kmipVersion version] [-jsonCompact]

On UNIX systems, the directory path to this command is /usr/openv/netbackup/bin/goodies/

On Windows systems, the directory path to this command is install_path\NetBackup\bin\goodies\

DESCRIPTION

The nbkmiputil runs the various external KMS server operations like retrieving keys, listing key IDs, setting key attributes, setting key states, and validating KMS servers.

The command supports the following operations:

-ekmsCheckCompat or -ecc	Use -ekmsCheckCompat or -ecc to determine if NetBackup is compatible with the specified external KMS server. You can also use this option to determine if the following KMIP operations are supported on the external KMS server: Create keys and retrieve keys by key group and key ID.
-getKey	Fetches the NetBackup keys from the external KMS server.
-listKeyIDs	Lists NetBackup key IDs that are present in the external KMS server as per the specified options.
-setAttribute	Sets the custom attribute for the given key in the external KMS server. Supported attribute names are x-application, x-keygroup, and x-comment.
-setState	Sets the state for the given key in the external KMS server.
-validate	Validates the related functionality with the external KMS server. The functionality that is validated includes: Connecting to the external KMS server. Listing NetBackup key IDs present in the external KMS server. Fetch the key for any active NetBackup key ID. Fetch and set the attributes on any NetBackup key ID.

OPTIONS

-activeKey

Specifies whether to list only active NetBackup keys.

-attributeName

Specifies the custom attribute name to be set. Supported attribute names are x-application, x-keygroup, and x-comment.

-attributeValue

Specifies the custom attribute value to be set. Supported attribute value for attribute x-application : NetBackup.

-certPath

Specifies the path of the PEM-encoded certificate that is to be used for authentication with the external KMS server.

-connectTimeout

Specifies the time-out value to connect to the external KMS server in seconds. The default value is 120 seconds.

-crlCheckLevel

Specifies the CRL check level. The possible values are: LEAF, CHAIN, and DISABLE. The default value is LEAF.

LEAF - Revocation status of peer's leaf certificate is checked.
CHAIN - Revocation status of full chain of peer certificate is checked.
DISABLE - Revocation status of peer certificate is not checked.

-extended

Performs operations such as locate keys, get attributes, and set attributes in addition to creating and retrieving keys by key group and key ID.

-getDetails

Displays the additional key attributes details for the NetBackup keys.

-jsonCompact

Specifies whether to display the output in JSON compact form.

-kad

Specifies the key associated data (KAD) of the NetBackup key to be fetched from the external KMS server.

-kadLength

Specifies the length up to which KAD of a NetBackup key is to be generated.

-keyId

If -keyId is used with the -getKey option, it specifies the key ID of the NetBackup key to be fetched from the external KMS server. If it is used with the -setAttribute option, it specifies the key ID of the key for which a custom attribute is to be set.

-kmsServer

Specifies the external KMS server name with which you want to connect.

-kmipVersion version

Specifies the KMIP version to be used. Supported KMIP versions: 1.0, 1.1, 1.2, 1.3, 1.4, and 2.0.

-maxItems

Specifies the maximum number of key IDs to be listed.

-nbKeyGroup

If it is used with the -getKey option, it specifies the key group name whose active and latest key is to be fetched from the external KMS server. If it is used with the -listKeyIDs option, it specifies the key group name for which keys are to be listed.

-offset

Specifies the offset number of the key ID from where the list of key IDs starts. The default value is 0.

-passphrasePath

Specifies the path of the file containing the passphrase that is required to access the keystore for authentication with the external KMS server.

-port

The port number in use by the external KMS server.

-privateKeyPath

Specifies the path of the private key that is to be used for authentication with the external KMS server.

-requestTimeout

Specifies the time-out value for the given request to external KMS server in seconds. Default value is 300 seconds.

-revocationReason 1 | 2 | 3| 4 | 5 | 6 | 7

Supported key revocation reasons:

For -stateType DEACTIVATED:

1 | UNSPECIFIED: The reason for key revocation is not specified.
2 | AFFILIATION_CHANGED: The key owner's affiliation with the organization has changed.
3 | SUPERSEDED: The current key needs to be replaced with the newly issued key.
4 | CESSATION_OF_OPERATION: The key is no longer required because the associated operation or the service is discontinued.
5 | PRIVILEGE_WITHDRAWN: The privileges with the given key are withdrawn.

For -stateType COMPROMISED:

6 | KEY_COMPROMISE: The key is compromised.
7 | CA_COMPROMISE: The certificate authority (CA) that issued the certificate to the external KMS server is compromised.

-stateType 1 | 2 | 3 | 4

Supported state types:

1 | ACTIVE: You can use this key for cryptographic purpose.
2 | DEACTIVATED: You should only use this key to process cryptographic information.
3 | COMPROMISED: You should only use this key to process cryptographic information in a trusted client using managed keys that are compromised.
4 | DESTROYED: You should not use this key to process cryptographic information.

-trustStorePath

Specifies the path of the PEM-encoded CA certificate that is to be used for authentication with the external KMS server.

-verbose

Specifies whether to display a detailed output in a JSON form.

EXAMPLES

Example 1: Set custom attributes for the external KMS.

nbkmiputil -setAttribute -kmsServer example.veritas.com -port 5696 
-certPath /usr/cert.pem -privateKeyPath /usr/key.pem -trustStorePath 
/usr/ca.pem -keyId EFF18E49-DBBF-4F84-BF94-13F4A6B6E32B 
-attributeName x-keygroup -attributeValue msdp