Veritas NetBackup™ Security and Encryption Guide

Last Published:
Product(s): NetBackup (8.1.2)
  1. Increasing NetBackup security
    1.  
      About NetBackup security and encryption
    2.  
      NetBackup security implementation levels
    3.  
      World-level security
    4.  
      Enterprise-level security
    5.  
      Datacenter-level security overview
    6.  
      NetBackup Access Control (NBAC)
    7.  
      Combined world, enterprise, and data center levels
    8.  
      NetBackup security implementation types
    9.  
      Operating system security
    10.  
      NetBackup security vulnerabilities
    11.  
      Standard NetBackup security
    12.  
      Client side encryption security
    13.  
      NBAC on master, media server, and graphical user interface security
    14.  
      NBAC complete security
  2. Security deployment models
    1.  
      Workgroups
    2.  
      Single datacenters
    3.  
      Multi-datacenters
    4.  
      Workgroup with NetBackup
    5.  
      Single datacenter with standard NetBackup
    6.  
      Single datacenter with client side encryption
    7.  
      Single datacenter with NBAC on master and media servers
    8.  
      Single datacenter with NBAC complete
    9.  
      Multi-datacenter with standard NetBackup
    10.  
      Multi-datacenter with client side encryption
    11.  
      Multi-datacenter with NBAC on master and media servers
    12.  
      Multi-datacenter with NBAC complete
  3. Port security
    1.  
      About NetBackup TCP/IP ports
    2. About NetBackup daemons, ports, and communication
      1.  
        Standard NetBackup ports
      2.  
        NetBackup master server outgoing ports
      3.  
        NetBackup media server outgoing ports
      4.  
        NetBackup enterprise media management (EMM) server outgoing ports
      5.  
        Client outgoing ports
      6.  
        Java server outgoing ports
      7.  
        Java console outgoing ports
      8.  
        About MSDP port usage
      9.  
        About Cloud port usage
      10. Additional port information for products that interoperate with NetBackup
        1.  
          About communication ports and firewall considerations in OpsCenter
        2.  
          Ports required to communicate with backup products
        3.  
          Web browser to launch OpsCenter user interface
        4.  
          About OpsCenter user interface and OpsCenter server software communication
        5.  
          About OpsCenter server to NetBackup master server (NBSL) communication
        6.  
          About SNMP traps
        7.  
          About communication between OpsCenter and Sybase database
        8.  
          About email communication in OpsCenter
    3. About configuring ports
      1.  
        Enabling or disabling random port assignments
      2.  
        Editing port information in configuration files
      3.  
        Updating client connection options
      4.  
        Updating port settings for the Media Manager in the vm.conf file
    4.  
      Port requirements for NDMP backups
    5.  
      Known firewall problems encountered when using NetBackup with third-party robotic products
  4. Auditing NetBackup operations
    1.  
      About NetBackup auditing
    2.  
      Viewing the current audit settings
    3.  
      Configuring auditing on a NetBackup master server
    4.  
      User identity in the audit report
    5.  
      About Enhanced Auditing
    6.  
      Enabling Enhanced Auditing
    7. Configuring Enhanced Auditing
      1.  
        Connecting to a media server with Enhanced Auditing
      2.  
        Changing a server across NetBackup domains
      3.  
        Configuration requirements if using Change Server with NBAC or Enhanced Auditing
    8.  
      Disabling Enhanced Auditing
    9.  
      Auditing host property changes
    10.  
      Retaining and backing up audit trail records
    11.  
      Viewing the audit report
    12.  
      Using the command line -reason or -r option
    13.  
      When a user action fails to create an audit record
    14.  
      Audit alert notification for audit failures
    15.  
      About auditing events for alerts and email notifications in the NetBackup web UI
  5. Access control security
    1.  
      About access control in NetBackup
    2.  
      User management
    3.  
      User authentication
    4.  
      Impact of Enhanced Auditing on NetBackup Administration Console authorization
  6. About AD and LDAP domains
    1.  
      Adding AD or LDAP domains in NetBackup
    2.  
      Troubleshooting AD or LDAP domain configuration issues
  7. Security management in NetBackup
    1.  
      Overview of security certificates in NetBackup
    2. About configuring a third-party certificate for the NetBackup web server
      1.  
        Configuring a third-party certificate for the web server on the NetBackup master server
      2.  
        Updating or renewing a third-party certificate for the web server
      3.  
        Removing a third-party certificate configuration for the web server
    3.  
      About secure communication in NetBackup
    4. About the Security Management utilities
      1.  
        About login activity
    5. About audit events
      1.  
        Viewing audit events
      2.  
        Audit Events tab
      3.  
        Viewing audit event details
      4.  
        Audit Events Details dialog box
      5.  
        Viewing audit event status
      6.  
        Troubleshooting auditing issues related to the Access History tab
    6. About host management
      1.  
        Hosts tab
      2.  
        Adding host ID to host name mappings
      3.  
        Add or Remove Host Mappings dialog box
      4.  
        Removing host ID to host name mappings
      5.  
        Mappings for Approval tab
      6.  
        Viewing auto-discovered mappings
      7.  
        Mapping Details dialog box
      8.  
        Approving host ID to host name mappings
      9.  
        Rejecting host ID to host name mappings
      10. Adding shared or cluster mappings
        1.  
          About shared or cluster mapping scenarios
      11.  
        Add Shared or Cluster Mappings dialog box
      12.  
        Resetting NetBackup host attributes
      13. Allowing or disallowing automatic certificate reissue
        1.  
          Configuring validity of the autoreissue parameter for a host
      14.  
        Adding or deleting comment for a host
    7. About global security settings
      1.  
        About secure communication settings
      2.  
        Disabling insecure communication
      3.  
        About insecure communication with 8.0 and earlier hosts
      4.  
        About communication with 8.0 or earlier host in multiple NetBackup domains
      5.  
        Automatically mapping host ID to host names and IP addresses
      6.  
        About disaster recovery settings
      7.  
        Setting a passphrase to encrypt disaster recovery packages
      8.  
        Disaster recovery packages
    8. About host name-based certificates
      1.  
        Deploying host name-based certificates
    9. About host ID-based certificates
      1.  
        Web login requirements for nbcertcmd command options
      2. Using the Certificate Management utility to issue and deploy host ID-based certificates
        1.  
          Viewing host ID-based certificate details
      3. About NetBackup certificate deployment security levels
        1.  
          Configuring the certificate deployment security levels
      4.  
        Automatic host ID-based certificate deployment
      5.  
        Deploying host ID-based certificates
      6.  
        Deploying host ID-based certificates in an asynchronous manner
      7.  
        Implication of clock skew on certificate validity
      8. Setting up trust with the master server (Certificate Authority)
        1.  
          Finding and communicating the fingerprint of the certificate authority
      9.  
        Forcing or overwriting certificate deployment
      10.  
        Retaining host ID-based certificates when reinstalling NetBackup on non-master hosts
      11.  
        Deploying certificates on a client that has no connectivity with the master server
      12.  
        About host ID-based certificate expiration and renewal
      13.  
        Deleting sensitive certificates and keys from media servers and clients
      14.  
        Cleaning host ID-based certificate information from a host before cloning a virtual machine
      15. About reissuing host ID-based certificates
        1.  
          Creating a reissue token
        2.  
          Changing the key pair for a host
    10. About Token Management for host ID-based certificates
      1.  
        Creating authorization tokens
      2.  
        Deleting authorization tokens
      3.  
        Viewing authorization token details
      4.  
        About expired authorization tokens and cleanup
    11. About the host ID-based certificate revocation list
      1.  
        Refreshing the CRL on the master server
      2.  
        Refreshing the CRL on a NetBackup host
    12. About revoking host ID-based certificates
      1.  
        Removing trust between a host and a master server
      2.  
        Revoking a host ID-based certificate
      3.  
        Determining a NetBackup host's certificate state
      4.  
        Getting a list of NetBackup hosts that have revoked certificates
    13.  
      Deleting host ID-based certificates
    14. Security certificate deployment in a clustered NetBackup setup
      1. About deployment of a host ID-based certificate on a clustered NetBackup host
        1.  
          Host ID-based certificate deployment on the active master server node
        2.  
          Host ID-based certificate deployment on inactive master server nodes
      2.  
        Deploying host ID-based certificates on cluster nodes
      3.  
        Revoking a host ID-based certificate for a clustered NetBackup setup
      4.  
        Deploying a host ID-based certificate on a clustered NetBackup setup using reissue token
      5.  
        Creating a reissue token for a clustered NetBackup setup
      6.  
        Renewing a host ID-based certificate on a clustered NetBackup setup
      7.  
        Viewing certificate details of a clustered NetBackup setup
      8.  
        Removing CA certificates from a clustered NetBackup setup
      9.  
        Generating a certificate on a clustered master server after disaster recovery installation
    15.  
      About the communication between a NetBackup client located in a demilitarized zone and a master server through an HTTP tunnel
    16.  
      Adding a NetBackup host manually
  8. Data at rest encryption security
    1.  
      Data at rest encryption terminology
    2.  
      Data at rest encryption considerations
    3.  
      Encryption security questions to consider
    4.  
      Comparison of encryption options
    5. About NetBackup client encryption
      1.  
        Installation prerequisites for encryption security
      2. About running an encryption backup
        1.  
          About choosing encryption for a backup
        2.  
          Standard encryption backup process
        3.  
          Legacy encryption backup process
      3.  
        NetBackup standard encryption restore process
      4.  
        NetBackup legacy encryption restore process
    6. Configuring standard encryption on clients
      1.  
        Managing standard encryption configuration options
      2.  
        Managing the NetBackup encryption key file
      3. About configuring standard encryption from the server
        1.  
          About creating encryption key files on the clients
        2.  
          Creating the key files
        3.  
          Best practices for key file restoration
        4.  
          Manual retention to protect key file pass phrases
        5.  
          Automatic backup of the key file
      4.  
        Restoring an encrypted backup file to another client
      5.  
        About configuring standard encryption directly on clients
      6.  
        Setting standard encryption attribute in policies
      7.  
        Changing the client encryption settings from the NetBackup server
    7. Configuring legacy encryption on clients
      1. About configuring legacy encryption from the client
        1.  
          Managing legacy encryption key files
      2. About configuring legacy encryption from the server
        1.  
          About pushing the legacy encryption configuration to clients
        2.  
          About pushing the legacy encryption pass phrases to clients
      3.  
        Restoring a legacy encrypted backup created on another client
      4.  
        About setting legacy encryption attribute in policies
      5.  
        Changing client legacy encryption settings from the server
      6. Additional legacy key file security for UNIX clients
        1.  
          Running the bpcd -keyfile command
        2.  
          Terminating bpcd on UNIX clients
  9. Data at rest key management
    1.  
      Federal Information Processing Standards (FIPS)
    2.  
      About FIPS enabled KMS
    3. About the Key Management Service (KMS)
      1.  
        KMS considerations
      2.  
        KMS principles of operation
      3.  
        About writing an encrypted tape
      4.  
        About reading an encrypted tape
      5.  
        KMS terminology
    4. Installing KMS
      1.  
        Using KMS with NBAC
      2.  
        About installing KMS with HA clustering
      3.  
        Enabling cluster use with the KMS service
      4.  
        Enabling the monitoring of the KMS service
      5.  
        Disabling the monitoring of the KMS service
      6.  
        Removing the KMS service from monitored list
    5. Configuring KMS
      1.  
        Creating the key database
      2. About key groups and key records
        1.  
          About creating key groups
        2.  
          About creating key records
      3. Overview of key record states
        1.  
          Key record state considerations
        2.  
          Prelive key record state
        3.  
          Active key record state
        4.  
          Inactive key record state
        5.  
          Deprecated key record state
        6.  
          Terminated key record state
      4.  
        About backing up the KMS database files
      5.  
        About recovering KMS by restoring all data files
      6.  
        Recovering KMS by restoring only the KMS data file
      7.  
        Recovering KMS by regenerating the data encryption key
      8.  
        Problems backing up the KMS data files
      9.  
        Solutions for backing up the KMS data files
      10.  
        Creating a key record
      11.  
        Listing keys from a key group
      12. Configuring NetBackup to work with KMS
        1.  
          NetBackup and key records from KMS
        2.  
          Example of setting up NetBackup to use tape encryption
    6. About using KMS for encryption
      1.  
        About importing KMS encrypted images
      2.  
        Example of running an encrypted tape backup
      3.  
        Example of verifying an encryption backup
    7. KMS database constituents
      1.  
        Creating an empty KMS database
      2.  
        Importance of the KPK ID and HMK ID
      3.  
        About periodically updating the HMK and KPK
      4.  
        Backing up the KMS keystore and administrator keys
    8. Command line interface (CLI) commands
      1.  
        CLI usage help
      2.  
        Create a new key group
      3.  
        Create a new key
      4.  
        Modify key group attributes
      5.  
        Modify key attributes
      6.  
        Get details of key groups
      7.  
        Get details of keys
      8.  
        Delete a key group
      9.  
        Delete a key
      10.  
        Recover a key
      11. About exporting and importing keys from the KMS database
        1. Exporting keys
          1.  
            Troubleshooting common errors during an export
        2. Importing keys
          1.  
            Troubleshooting common errors during an import
      12.  
        Modify host master key (HMK)
      13.  
        Get host master key (HMK) ID
      14.  
        Get key protection key (KPK) ID
      15.  
        Modify key protection key (KPK)
      16.  
        Get keystore statistics
      17.  
        Quiesce KMS database
      18.  
        Unquiesce KMS database
      19.  
        Key creation options
    9. Troubleshooting KMS
      1.  
        Solution for backups not encrypting
      2.  
        Solution for restores that do not decrypt
      3.  
        Troubleshooting example - backup with no active key record
      4.  
        Troubleshooting example - restore with an improper key record state
  10. Regenerating keys and certificates
    1.  
      About regenerating keys and certificates
    2.  
      Regenerating NetBackup authentication broker keys and certificates
    3.  
      Regenerating host identity keys and certificates
    4.  
      Regenerating web service keys and certificates
    5.  
      Regenerating nbcertservice keys and certificates
    6.  
      Regenerating tomcat keys and certificates
    7.  
      Regenerating JWT keys
    8.  
      Regenerating NetBackup gateway certificates
    9.  
      Regenerating web trust store certificates
    10.  
      Regenerating VMware vCenter plug-in certificates
    11.  
      Regenerating OpsCenter Administrator Console session certificates
    12.  
      Regenerating OpsCenter keys and certificates
    13.  
      Regenerating NetBackup encryption key file
  11. NetBackup web services account
    1.  
      About the NetBackup web services account
    2.  
      Changing the web service user account
  12. Appendix A. NetBackup Access Control Security (NBAC)
    1.  
      About using NetBackup Access Control (NBAC)
    2.  
      NetBackup access management administration
    3.  
      About NetBackup Access Control (NBAC) configuration
    4. Configuring NetBackup Access Control (NBAC)
      1.  
        NBAC configuration overview
      2.  
        Configuring NetBackup Access Control (NBAC) on standalone master servers
      3.  
        Installing the NetBackup master server highly available on a cluster
      4.  
        Configuring NetBackup Access Control (NBAC) on a clustered master server
      5.  
        Configuring NetBackup Access Control (NBAC) on media servers
      6.  
        Installing and configuring NetBackup Access Control (NBAC) on clients
      7.  
        About including authentication and authorization databases in the NetBackup hot catalog backups
      8.  
        NBAC configure commands summary
      9.  
        Unifying NetBackup Management infrastructures with the setuptrust command
      10.  
        Using the setuptrust command
    5. Configuring Access Control host properties for the master and media server
      1.  
        Authentication Domain tab
      2.  
        Authorization Service tab
      3.  
        Network Attributes tab
    6. Access Control host properties dialog for the client
      1.  
        Authentication Domain tab for the client
      2.  
        Network Attributes tab for the client
    7.  
      Using NetBackup Access Control (NBAC) with Auto Image Replication
    8. Troubleshooting Access Management
      1.  
        Troubleshooting NBAC issues
      2.  
        Configuration and troubleshooting topics for NetBackup Authentication and Authorization
      3. Windows verification points
        1.  
          Master server verification points for Windows
        2.  
          Media server verification points for Windows
        3.  
          Client verification points for Windows
      4. UNIX verification points
        1.  
          UNIX master server verification
        2.  
          UNIX media server verification
        3.  
          UNIX client verification
      5. Verification points in a mixed environment with a UNIX master server
        1.  
          Master server verification points for a mixed UNIX master server
        2.  
          Media server verification points for a mixed UNIX master server
        3.  
          Client verification points for a mixed UNIX master server
      6. Verification points in a mixed environment with a Windows master server
        1.  
          Master server verification points for a mixed Windows master server
        2.  
          Media server verification points for a mixed Windows master server
        3.  
          Client verification points for a mixed Windows master server
      7.  
        About the nbac_cron utility
      8.  
        Using the nbac_cron utility
    9.  
      Using the Access Management utility
    10. About determining who can access NetBackup
      1.  
        Individual users
      2.  
        User groups
      3.  
        NetBackup default user groups
      4. Configuring user groups
        1.  
          Creating a new user group
        2.  
          Creating a new user group by copying an existing user group
        3.  
          Renaming a user group
        4.  
          Adding a new user to the user group
      5. About defining a user group and users
        1.  
          Logging on as a new user
        2.  
          Assigning a user to a user group
        3.  
          About authorization objects and permissions
    11. Viewing specific user permissions for NetBackup user groups
      1.  
        Granting permissions
      2.  
        Authorization objects
      3.  
        Media authorization object permissions
      4.  
        Policy authorization object permissions
      5.  
        Drive authorization object permissions
      6.  
        Report authorization object permissions
      7.  
        NBU_Catalog authorization object permissions
      8.  
        Robot authorization object permissions
      9.  
        Storage unit authorization object permissions
      10.  
        DiskPool authorization object permissions
      11.  
        BUAndRest authorization object permissions
      12.  
        Job authorization object permissions
      13.  
        Service authorization object permissions
      14.  
        HostProperties authorization object permissions
      15.  
        License authorization object permissions
      16.  
        Volume group authorization object permissions
      17.  
        VolumePool authorization object permissions
      18.  
        DevHost authorization object permissions
      19.  
        Security authorization object permissions
      20.  
        Fat server authorization object permissions
      21.  
        Fat client authorization object permissions
      22.  
        Vault authorization object permissions
      23.  
        Server group authorization object permissions
      24.  
        Key management system (kms) group authorization object permissions
    12.  
      Upgrading NetBackup Access Control (NBAC)
    13.  
      Upgrading NetBackup when an older version of NetBackup is using a root broker installed on a remote machine

KMS considerations

The following table describes the considerations that relate to the functionality and use of KMS.

Table: Considerations that relate to the functionality and use of KMS

Consideration

Description

New NBKMS service

The nbkms service is a master-server-based service that provides encryption keys to the media server BPTM processes.

New nbkmsutil KMS configuration utility

For security reasons, the KMS configuration utility can only be run from the master server as root or administrator.

NetBackup wide changes

Changes were necessary throughout NetBackup for the following:

  • To allow for the ENCR_ prefix on the volume pool names.

  • To communicate with the key Management Service.

  • To provide support for the T10 / SCSI standard tape drives with embedded encryption.

  • NetBackup GUI and CLI changes to report the encryption key tag addition to the NetBackup image information

    The bpimmedia and bpimagelist were modified.

  • An emphasis on recoverability and ease of use for this NetBackup release

    The recommended option is that all encryption keys are generated with pass phrases. You type in a pass phrase and the key management system creates a reproducible encryption key from that pass phrase.

KMS installation and deployment decisions

Following are decisions you must make for KMS deployment:

  • Whether to choose KMS random generated keys or pass phrase generated keys

  • Whether to include NBAC deployment

KMS security

No burden is placed on existing NetBackup services with additional security concerns.

Cipher types

The following cipher types are supported in KMS:

  • AES_128

  • AES_192

  • AES_256 (default cipher)

KMS recoverability

You can use KMS in such a way where all of the encryption keys are generated from pass phrases. You can record these pass phrases and then use them at a later time to recreate the entire KMS for NetBackup.

KMS files

KMS files associated with it where information on the keys is kept, as follows:

  • Key file or key database

    Contains the data encryption keys. The key file is located at /opt/openv/kms/db/KMS_DATA.dat.

  • Host master key

    Contains the encryption key that encrypts and protects the KMS_DATA.dat key file using AES 256. The host master key is located at /opt/openv/kms/key/KMS_HMKF.dat

  • Key protection key

    Encryption key that encrypts and protects individual records in the KMS_DATA.dat key file using AES 256. The key protection key is located at /opt/openv/kms/key/KMS_KPKF.dat. Currently the same key protection key is used to encrypt all of the records.

    • Back up KMS files

      If you want to back up the KMS files, the best practices should be followed. Put the KMS database file on one tape and the HMK files and KPK files on another tape. To gain access to encrypted tapes, someone would then need to obtain both tapes.

      Another alternative is to back up the KMS data files outside of the normal NetBackup process. You can copy these files to a separate CD, DVD, or USB drive.

      You can also rely on pass phrase generated encryption keys to manually rebuild KMS. All of the keys can be generated by pass phrases. If you have recorded all of the encryption key pass phrases you can manually recreate KMS from information you have written down. If you only have a few encryption keys you generate this process could be short.

Key records

Key records contain many fields but the primary records are the encryption key, the encryption key tag, and the record state. Key records also contain some metadata.

These key records are defined as follows:

  • Encryption key

    This key is given to the tape drive.

  • Encryption key Tag

    This tag is the identifier for the encryption key.

  • Record state

    Each of the key records has a state. The states are prelive, active, inactive, deprecated, and terminated.

  • Metadata

    Metadata includes logical name, creation date, modification date, and description.

Key groups

Key groups are a logical name and grouping of key records. All key records that are created must belong to a group. A key group can only have one active state key record at any time. NetBackup supports 100 key groups. Only 10 encryption keys are allowed per key group.

Tape drives and media capabilities

Drive, tape, and NetBackup capabilities must all match for drive encryption to be successful. A number of drives adhere to the T10 standard. Some well-known tape drives we support (that adhere to the T10 standard) are LT0-4, LT0-5, LT0-6, IBM TS1120/30/40, Oracle T10000B/C, and so on.

You can still run earlier LTO versions for reading and writing but you cannot encrypt the data. For example, if you use LT02 media, that data can be read in LT04 drives but they cannot be written in either unencrypted or encrypted format.

You must keep track of these drive issues and media issues as you run setup encryption. Not only do you need the drives that are capable of encryption but the media needs to be grouped and capable of encryption. For later decryption the tape must be placed in a drive that is capable of decryption.

Refer to Table: Media support for encryption for brief information about interoperability between media and tape drives. Veritas recommends that you refer to vendor-specific user guides for detailed information.

Refer to the article HOWTO56305 for more details.

KMS with NBAC

Information on using KMS with NBAC is included where applicable in various sections of this document. For further information, refer to the NetBackup NBAC documentation.

KMS with HA clustering

Information on using KMS with HA clustering is included where applicable in various sections of this document. For further information, refer to the NetBackup HA documentation

KMS logging

The service uses the new unified logging and has been assigned OID 286. The nbkmsutil command uses traditional logging and its logs can be found in the file /usr/openv/netbackup/logs/admin/*.log.

KMS with Cloud

Information on using KMS with Cloud providers is included where applicable in various sections of this document. For further information, refer to the NetBackup Cloud Administrator's Guide.

KMS with AdvancedDisk

Information on using KMS with AdvancedDisk storage is included where applicable in various sections of this document. For further information, refer to the NetBackup AdvancedDisk Storage Solutions Guide.

NBAC and KMS permissions

Typically when using NBAC and the Setupmaster command is run, the NetBackup related group permissions (for example, NBU_Admin and KMS_Admin) are created. The default root and administrator users are also added to those groups. In some cases the root and administrator users are not added to the KMS group when NetBackup is upgraded. The solution is to grant the root and administrator users NBU_Admin and KMS_Admin permissions manually.

Table: Media support for encryption

Media

LTO4 tape drives

LTO5 tape drives

LTO6 tape drives

LTO-2 media

Read only no encryption support

Not supported

Not supported

LTO-3 media

Read and Write no encryption support

Read only no encryption support

Not supported

LTO-4 media

Read and Write encryption enabled

Read and Write encryption enabled

read-only encryption enabled

LTO-5 media

Not supported

Read and Write encryption enabled

Read and Write encryption enabled

LTO-6 media

Not supported

Not supported

Read and Write encryption enabled