NetBackup and Veritas Appliances Hardening Guide
- Top recommendations to improve your NetBackup and Veritas appliances security posture
- Steps to protect Flex Appliance
- Managing single sign-on (SSO)
- About lockdown mode
- Configuring an isolated recovery environment on a WORM storage server
- Steps to protect NetBackup Appliance
- About single sign-on (SSO) authentication and authorization
- About authentication using smart cards and digital certificates
- About data encryption
- About forwarding logs to an external server
- Steps to protect NetBackup
- Configure NetBackup for single sign-on (SSO)
- Configure user authentication with smart cards or digital certificates
- Access codes
- Workflow to configure immutable and indelible data
- Add a configuration for an external CMS server
- Configuring an isolated recovery environment on a NetBackup BYO media server
- About FIPS support in NetBackup
- Workflow for external KMS configuration
- Workflow to configure data-in-transit encryption
- Configure the DTE mode on a client
- How DTE configuration settings work in various NetBackup operations
- Modify the DTE mode on a backup image
- Workflow to use external certificates for NetBackup host communication
- About certificate revocation lists for external CA
- Configuring an external certificate for a clustered primary server
- Configuration options for external CA-signed certificates for a virtual name
- Configuring a NetBackup host (media server, client, or cluster node) to use an external CA-signed certificate after installation
- Configuration options for external CA-signed certificates
- ECA_CERT_PATH for NetBackup servers and clients
- About protecting the MSDP catalog
- How to set up malware scanning
- About backup anomaly detection
Configure smart card authentication without a domain
You can configure NetBackup to validate users with smart cards or certificates without an associated AD or LDAP domain. Only users are supported for this configuration. User groups are not supported.
To configure smart card authentication without a domain
- At the top right, select Settings > Smart card authentication.
- Turn on Smart card authentication.
- (Conditional step) If AD or LDAP domain is configured in your environment, select Continue without the domain option.
- Select a Certificate mapping attribute: Common name (CN) or Universal principal name (UPN).
- Optionally, enter the OCSP URI.
If you do not provide the OCSP URI, the URI in the user certificate is used.
- Click Save.
- To the right of CA certificates, click Add.
- Browse for or drag and drop the CA certificates and click Add.
- Smart card authentication requires a list of trusted root or intermediate CA certificates. Add the CA certificates that are associated with the user digital certificates or the user smart cards.
Certificate file types must be
PKCS #7format and less than 64KB in size.
- On the Smart card authentication page, verify the configuration information.
Before users can use a digital certificate that is not installed on a smart card, the certificate must be uploaded to the browser's certificate manager.
- When users sign in, they now see an option to Sign in with certificate or smart card.
If you do not want users to have this sign-in option yet, turn off Smart card authentication. (For example, if all users do not yet have their certificates configured on their hosts.). The settings that you configured are retained even if you turn off smart card authentication.