NetBackup and Veritas Appliances Hardening Guide
- Top recommendations to improve your NetBackup and Veritas appliances security posture
- Steps to protect Flex Appliance
- Managing single sign-on (SSO)
- About lockdown mode
- Configuring an isolated recovery environment on a WORM storage server
- Steps to protect NetBackup Appliance
- About single sign-on (SSO) authentication and authorization
- About authentication using smart cards and digital certificates
- About data encryption
- About forwarding logs to an external server
- Steps to protect NetBackup
- Configure NetBackup for single sign-on (SSO)
- Configure user authentication with smart cards or digital certificates
- Access codes
- Workflow to configure immutable and indelible data
- Add a configuration for an external CMS server
- Configuring an isolated recovery environment on a NetBackup BYO media server
- About FIPS support in NetBackup
- Workflow for external KMS configuration
- Workflow to configure data-in-transit encryption
- Configure the DTE mode on a client
- How DTE configuration settings work in various NetBackup operations
- Modify the DTE mode on a backup image
- Workflow to use external certificates for NetBackup host communication
- About certificate revocation lists for external CA
- Configuring an external certificate for a clustered primary server
- Configuration options for external CA-signed certificates for a virtual name
- Configuring a NetBackup host (media server, client, or cluster node) to use an external CA-signed certificate after installation
- Configuration options for external CA-signed certificates
- ECA_CERT_PATH for NetBackup servers and clients
- About protecting the MSDP catalog
- How to set up malware scanning
- About backup anomaly detection
About implementing external certificates
NetBackup Appliance's web service uses the PKCS#12 standard and requires certificate files to be in the X.509 (
.pem) format. If the certificate files are in the
.p7b formats, NetBackup Appliance automatically converts the files to an accepted format.
To prevent errors while importing certificates, ensure that the external certificate files meet the following requirements.
Certificate files are in the
.pemfile format and begin with "-----BEGIN CERTIFICATE-----".
Certificate files contain the host name and FQDN in the subject alternative name (SAN) field of the certificate. If the certificate is used in an HA environment, the SAN field must contain VIP, host name, and FQDN.
Subject name and common name fields are not empty.
Subject fields are unique for each host.
Subject fields contain a maximum of 255 characters.
Server and client authentication attributes are set in the certificate.
Only ASCII 7 characters are used in the subject and SAN fields of the certificate.
The private key file is in the PKCS#8 PEM format and begins with -----BEGIN ENCRYPTED PRIVATE KEY----- or -----BEGIN PRIVATE KEY-----.
Although optional, you can use the Settings > Security > Certificate > CertificateSigningRequest > Create command to generate a CSR. Copy the CSR content from the command line to your external certificate portal to obtain the required external certificate files.
Example: Enter specified value or use the default value. Common Name (eg, your name or your server's hostname) [Default abc123]: Organizational Unit Name (eg, section) :Appliance Organization Name (eg, company) [Default Company Ltd]:YourCompanyName Locality Name (eg, city) [Default City]:YourCity State or Province Name (full name) :YourStateorProvince Country Name (2 letter code) [XX]:YourCountryName Email Address :email@example.com Please enter the following 'extra' attributes to be sent with your certificate request. ----- A challenge password :123456 An optional company name :ABCD Subject Alternative Name (DNS Names and/or IP Addresses comma separated): abc123,def456.yourcompany.com Subject Alternative Name (email comma separated): Certificate Signing Request Name [Default abc123.csr]: Validity period (in days) [Default 365 days]: Ensure that the Distinguished Name (DN) is specified as a string consisting of a sequence of key=value pairs separated by a comma: Then the generated certificate signing request will be shown on the screen.
Starting from version 4.1, you can register an external certificate on both NetBackup Appliance and NetBackup using the Settings > Security > Certificate > Import command.
Perform the following steps to import the host certificate, host private key, and trust store to register the external certificate on NetBackup and NetBackup Appliance. Both NetBackup and NetBackup Appliance layers use the same host certificate, host private key, and trust store.
- Log in to the appliance as an Administrator user.
- From the NetBackup Appliance Shell Menu, run the Settings > Security > Certificate > Import command. The following NFS and CFS share locations are now accessible:
- Upload the certificate file, trust store file, and private key file to either of the share locations and enter the paths to the files.
- Choose how to access the certificate revocation list (CRL). A CRL comprises a list of external certificates that have been revoked by the external certificate and should not be trusted. Select either of the following options:
Use the CRL location provided in the certificate file.
Provide the location of a CRL file (
.crl) in the local network.
Do not use a CRL.
- Confirm the location of the certificate files you want to register on the appliance.
A detailed example of how to import the certificates is provided here.
Identify the certificate which should be imported.
Import the certificate.
Enter the certificate: Enter the following details for external certificate configuration: Enter the certificate file path: cert_chain.pem Enter the trust store file path: cacerts.pem Enter the private key path: key.pem Enter the password for the passphrase file path or skip security configuration (default: NONE): Should a CRL be honored for the external certificate? 1) Use the CRL defined in the certificate. 2) Use the specific CRL directory. 3) Do not use a CRL. q) Skip security configuration. CRL option (1): 2 Enter the CRL location path: crl Then confirm input information and answer the subsequent questions.
You can manage external certificates on NetBackup Appliance using thecommands.
You can use the Settings > > > command to add a server CA, HTTPS proxy CA, or LDAP CA certificate to the certificate authority list. Ensure that you paste the CA certificate content in the PEM or P7B format. The Appliance appends this CA certificate to the certificate authority list. Before appending the CA certificate, the appliance verifies whether the CA certificate is already being used on the appliance. If yes, the appliance quits with a message.
You can use the Settings > > > command to remove a server CA certificate from the certificate authority list. The available CA certificates are listed and you can select the certificate that you want to remove.