Veritas NetBackup™ Security and Encryption Guide
Changing a server across NetBackup domains
For Enhanced Auditing, when you perform a Change Server operation from a master or media server in one NetBackup domain to a host (master or media server or client) in another NetBackup domain, you must execute additional steps on each NetBackup server. You must also set up a trust on both master servers.
Executing these steps is a one-time activity.
The following steps help you to change the server and set up the trust on both master servers.
To change the server from one master server to another master server
- We have two NetBackup domains, NetBackup Domain 1 and NetBackup Domain 2.
Consider two master servers, Master_nbu_dom1 and Master_nbu_dom2. Master_nbu_dom1 has media servers Media1_nbu_dom1, Media2_nbu_dom1, MediaN_nbu_dom1, and a set of clients. Similarly, Master_nbu_dom2 has media servers Media1_nbu_dom2, Media2_nbu_dom2, MediaM_nbu_dom2, and a set of clients as shown in the image:
The user is connected to one of the servers in NetBackup Domain 1 (either master or media), for example, Master_server_nbu_dom1, and wants to do a change server to one of the hosts on NetBackup Domain 2, for example Host_nbu_dom2. It is mandatory that both the master servers (Master_nbu_dom1 and Master_nbu_dom2 here) establish a trust. Host_nbu_dom2 must set up a trust with Master_server_nbu_dom1.
- To set up the trust, you must invoke a set of commands on UNIX and Windows:
On UNIX and Linux, run the following command on Host_nbu_dom2:
/usr/openv/netbackup/sec/at/bin/vssat setuptrust -b Master_server_nbu_dom1:1556:nbatd -s high
- You must add an additional server entry for Master_server_nbu_dom1 in the bp.conf file on Host_nbu_dom2. Add the following entry, which must not be the first SERVER entry:
SERVER = Master_server_nbu_dom1
You can also add the additional server entry by connecting to the target master server through the NetBackup Administration Console.
- The host that has the NetBackup Administration Console or the remote Java Administration console is also required to trust the X.509 NBATD certificate on the Master_server_nbu_dom2.
The trust can be set up by directly connecting to the Master_server_nbu_dom2 master server through the GUI.
You can also run the following command on the NetBackup Administration Console host:
/usr/openv/java/sec/at/bin/vssat setuptrust -b Master_server_nbu_dom2:1556:nbatd -s high
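One way to verify the bp.conf step above on Host_nbu_dom2, as an added example that is not part of the original guide or Veritas code. The function name, return codes, and sample file contents are constructed for illustration; on a UNIX host the real file is /usr/openv/netbackup/bp.conf.

```shell
# check_cross_domain_server BP_CONF REMOTE_MASTER   (hypothetical helper)
#   returns 0  REMOTE_MASTER has a SERVER entry and it is not the first one
#   returns 1  REMOTE_MASTER has no SERVER entry
#   returns 2  REMOTE_MASTER is the first SERVER entry, which the procedure forbids
check_cross_domain_server() {
    awk -v want="$2" '
        BEGIN { n = 0; pos = 0 }
        # Only "SERVER = host" lines count; MEDIA_SERVER and other keys are skipped.
        /^[ \t]*SERVER[ \t]*=/ {
            host = $0
            sub(/^[ \t]*SERVER[ \t]*=[ \t]*/, "", host)
            sub(/[ \t\r]+$/, "", host)
            n++
            # Host names are compared case-insensitively; keep the first match.
            if (pos == 0 && tolower(host) == tolower(want)) pos = n
        }
        END {
            if (pos == 0) exit 1
            if (pos == 1) exit 2
            exit 0
        }
    ' "$1"
}

# Constructed sample bp.conf files (not taken from a real host).
demo_dir=$(mktemp -d)
printf '%s\n' 'SERVER = Master_nbu_dom2' 'SERVER = Media1_nbu_dom2' \
    'SERVER = Master_server_nbu_dom1' 'CLIENT_NAME = Host_nbu_dom2' \
    > "$demo_dir/good.conf"
printf '%s\n' 'SERVER = Master_server_nbu_dom1' 'SERVER = Master_nbu_dom2' \
    'CLIENT_NAME = Host_nbu_dom2' > "$demo_dir/first.conf"
printf '%s\n' 'SERVER = Master_nbu_dom2' \
    'MEDIA_SERVER = Master_server_nbu_dom1' 'CLIENT_NAME = Host_nbu_dom2' \
    > "$demo_dir/missing.conf"

for name in good first missing; do
    rc=0
    check_cross_domain_server "$demo_dir/$name.conf" Master_server_nbu_dom1 || rc=$?
    case $rc in
        0) echo "$name.conf: OK, entry present and not first" ;;
        1) echo "$name.conf: no SERVER entry for Master_server_nbu_dom1" ;;
        2) echo "$name.conf: Master_server_nbu_dom1 is the first SERVER entry" ;;
    esac
done
```
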