NetBackup and Veritas Appliances Hardening Guide
- Top recommendations to improve your NetBackup and Veritas appliances security posture
- Steps to protect Flex Appliance
- Managing single sign-on (SSO)
- About lockdown mode
- Configuring an isolated recovery environment on a WORM storage server
- Steps to protect NetBackup Appliance
- About single sign-on (SSO) authentication and authorization
- About authentication using smart cards and digital certificates
- About data encryption
- About forwarding logs to an external server
- Steps to protect NetBackup
- Configure NetBackup for single sign-on (SSO)
- Configure user authentication with smart cards or digital certificates
- Access codes
- Workflow to configure immutable and indelible data
- Add a configuration for an external CMS server
- Configuring an isolated recovery environment on a NetBackup BYO media server
- About FIPS support in NetBackup
- Workflow for external KMS configuration
- Workflow to configure data-in-transit encryption
- Configure the DTE mode on a client
- How DTE configuration settings work in various NetBackup operations
- Modify the DTE mode on a backup image
- Workflow to use external certificates for NetBackup host communication
- About certificate revocation lists for external CA
- Configuring an external certificate for a clustered primary server
- Configuration options for external CA-signed certificates for a virtual name
- Configuring a NetBackup host (media server, client, or cluster node) to use an external CA-signed certificate after installation
- Configuration options for external CA-signed certificates
- ECA_CERT_PATH for NetBackup servers and clients
- About protecting the MSDP catalog
- How to set up malware scanning
- About backup anomaly detection
About certificate revocation lists for external CA
Certificate revocation list (CRL) for an external certificate authority (CA) contains a list of digital certificates that the external CA has revoked before the scheduled expiration date and should no longer be trusted.
NetBackup supports PEM and DER formats for CRLs for external CA.
CRLs for all CRL issuers or external CAs are stored in the NetBackup CRL cache that resides on each host.
During secure communication, each NetBackup host verifies the revocation status of the peer host's external certificate with the CRL that is available in the NetBackup CRL cache, based on the ECA_CRL_CHECK configuration option.
The NetBackup CRL cache is updated with the required CRLs using one of the following CRL sources:
ECA_CRL_PATH configuration option
A NetBackup configuration option (from
CRL distribution point (CDP)
If you have not specified ECA_CRL_PATH, NetBackup downloads the CRLs from the URLs that are specified in the peer host certificate's CDP and caches them in the NetBackup CRL cache.
NetBackup supports downloading CRLs from HTTP and HTTPS URLs that are specified in CDP.
The NetBackup CRL cache contains only the latest copy of a CRL for each CA (including root and intermediate CAs).
The bpclntcmd -crl_download service updates the CRL cache during host communication in the following scenarios irrespective of the time interval set for the ECA_CRL_PATH_SYNC_HOURS or ECA_CRL_REFRESH_HOURS options:
When CRLs in the CRL cache are expired
If CRLs are available in the CRL source (ECA_CRL_PATH or CDP), but they are missing from the CRL cache
Once the bpclntcmd -crl_download service updates the CRLs in the CRL cache, it does not download the CRLs for the same CA for the next 15 min even though a valid download scenario has occurred. If you want to update the CRL within 15 min, terminate the bpclntcmd -crl_download service.