NetBackup™ Web UI Cloud Object Store Administrator's Guide
- Introduction
- Managing Cloud object store assets
- Protecting Cloud object store assets
- About accelerator support
- About incremental backup
- About policies for Cloud object store assets
- Planning for policies
- Prerequisites for Cloud object store policies
- Creating a backup policy
- Setting up attributes
- Creating schedule attributes for policies
- Configuring the Start window
- Configuring exclude dates
- Configuring include dates
- Configuring the Cloud objects tab
- Adding conditions
- Adding tag conditions
- Example of conditions and tag conditions
- Managing Cloud object store policies
- Recovering Cloud object store assets
- Troubleshooting
- Recovery for Cloud object store using web UI for original bucket recovery option starts but job fails with error 3601
- Recovery Job does not start
- Restore fails: "Error bpbrm (PID=3899) client restore EXIT STATUS 40: network connection broken"
- Access tier property not restored after overwrite existing to original location
- Reduced accelerator optimization in Azure for OR query with multiple tags
- Backup is failed and shows a certificate error with Amazon S3 bucket names containing dots (.)
- Azure backup job fails when space is provided in tag query for either tag key name or value.
- The Cloud object store account has encountered an error
- Bucket list empty when selecting it in policy selection
- Creating second account on Cloudian fails by selecting existing region
- Restore failed with 2825 incomplete restore operation
- Bucket listing of cloud provider fails when adding bucket in Cloud objects tab
Check certificate for revocation
For all the cloud providers, NetBackup provides a capability to verify the revocation status of SSL certificates using Online Certificate Status Protocol (OCSP). If SSL and the option, both are enabled, NetBackup verifies each SSL certificate. To verify, NetBackup makes an OCSP request to the CA to check revocation status of certificate presented during SSL handshake. NetBackup does not connect to the cloud provider, if the status is returned as revoked, or it failed to connect to the OCSP endpoint present in the SSL certificate.
To enable validation, update the USE_CRL property from the Cloud object store account dialog.
OCSP endpoints are HTTP thus, turn off any firewall rule that block HTTP (port 80) connection to external network. For example, http://ocsp.sca1b.amazontrust.com
OCSP URL is dynamically retrieved from the certificate thus, disable any firewall rule that blocks unknown URLs.
Typically, OCSP URLs endpoint support IPV4. For IPV6 environments disable the 'Check certificate revocation' option.
Private Clouds typically have a self-signed certificate. Thus, for private clouds, Check certificate revocation is not required. Disable this check while configuring the account, otherwise, account creation fails.
OSCP URL of CA should be present in certificate's 'Authority Information Access' extension.