NetBackup and Veritas Appliances Hardening Guide
- Top recommendations to improve your NetBackup and Veritas appliances security posture
- Steps to protect Flex Appliance
- Managing single sign-on (SSO)
- About lockdown mode
- Configuring an isolated recovery environment on a WORM storage server
- Steps to protect NetBackup Appliance
- About single sign-on (SSO) authentication and authorization
- About authentication using smart cards and digital certificates
- About data encryption
- About forwarding logs to an external server
- Steps to protect NetBackup
- Configure NetBackup for single sign-on (SSO)
- Configure user authentication with smart cards or digital certificates
- Access codes
- Workflow to configure immutable and indelible data
- Add a configuration for an external CMS server
- Configuring an isolated recovery environment on a NetBackup BYO media server
- About FIPS support in NetBackup
- Workflow for external KMS configuration
- Workflow to configure data-in-transit encryption
- Workflow to use external certificates for NetBackup host communication
- About certificate revocation lists for external CA
- Configuring an external certificate for a clustered primary server
- Configuring a NetBackup host (media server, client, or cluster node) to use an external CA-signed certificate after installation
- Configuration options for external CA-signed certificates
- ECA_CERT_PATH for NetBackup servers and clients
- About protecting the MSDP catalog
- How to set up malware scanning
- About backup anomaly detection
How CRLs from ECA_CRL_PATH are used
Use this section if you want to use ECA_CRL_PATH as the CRL source for the NetBackup CRL cache.
To use CRLs from ECA_CRL_PATH
- Ensure that the CRLs for external CAs are stored in a directory and the directory path is accessible by the host.
If you have a Flex Appliance application instance, the files must be stored in the following directory on the instance:
/mnt/nbdata/hostcert/crl
You can specify the CRL details that are required for external CA configuration during NetBackup installation or upgrade on the host.
Select one of the following certificate revocation list (CRL) options during installation or upgrade:
Use the CRL defined in the certificate - No additional information is required.
Use the CRL at the following path - You are prompted to provide a path to the CRL.
If you choose to use the Do not use a CRL option, peer host's certificate is not verified with the CRL during host communication.
For more information, refer to the NetBackup Installation Guide.
- Specify the CRL directory path for the ECA_CRL_PATH configuration option.
- Ensure that the ECA_CRL_CHECK configuration option is set to a value other than DISABLE.
During host communication, the revocation status of the external certificate is verified with the CRL in the NetBackup CRL cache that contains the CRLs from ECA_CRL_PATH.
By default, CRLs from the cache are updated every one hour. To change the time interval, set the ECA_CRL_PATH_SYNC_HOURS option to a different value.
To manually update the CRL cache with the ECA_CRL_PATH CRLs, run the nbcertcmd -updateCRLCache command.
To manually delete the CRLs from the CRL cache, run the nbcertcmd -cleanupCRLCache command.