How to prevent NetBackup from using SHA/SHA1 ciphers

Article: 100044289
Last Published: 2022-09-15
Product(s): NetBackup & Alta Data Protection

Description

Newer versions of Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL), provide cipher suites that use SHA-256/SHA-384 or an AEAD mode for message integrity instead of HMAC-SHA-1. The suites this article refers to as SHA/SHA1 ciphers are the legacy ones whose names end in _SHA (or -SHA in OpenSSL notation). The following configuration changes prevent NetBackup and OpsCenter from negotiating them.

Note: Custom modifications to these files are not preserved across NetBackup upgrades. Reapply these manual changes after each upgrade.

 

1. nbatd authentication broker service: (on primary servers)

Note: Not present, and not applicable, on NetBackup versions prior to 7.6.

Update the VRTSatlocal.conf file in the following directory:

UNIX/Linux: /usr/openv/var/global/vxss/eab/data/root/.VRTSat/profile/
Windows: <install_path>\NetBackup\var\global\vxss\eab\data\systemprofile\

Add :!SHA to the left of :@STRENGTH in the cipher list of the SSLCipherSuite keyword. In OpenSSL cipher-list syntax, SHA (alias SHA1) matches the suites that use SHA-1 as their MAC, and the ! prefix removes them permanently from the list; suites using SHA256 or SHA384 are not affected.

Example:

[Security\Authentication\Authentication Broker]
"SSLCipherSuite"="AES:!aNULL:!SHA:@STRENGTH"

...snip...
[Security\Authentication\Client\SSL]
"SSLCipherSuite"="AES:!aNULL:!SHA:@STRENGTH"

Note: Insertion should be to the left of :@STRENGTH if it exists, no matter the version of NetBackup. If it doesn't exist, place :!SHA at the end.

Example:

[Security\Authentication\Authentication Broker]
"SSLCipherSuite"="AES:!aNULL:!SHA"

...snip...
[Security\Authentication\Client\SSL]
"SSLCipherSuite"="AES:!aNULL:!SHA"

 

2. nbwmc web services: (on primary servers and OpsCenter servers)

Note: Not applicable to NetBackup versions prior to 8.1, as they only support *_SHA ciphers.

Update the server.xml file in this directory for NetBackup versions 8.1 - 8.1.2:

UNIX/Linux: /usr/openv/wmc/webserver/conf/
Windows: <install_path>\NetBackup\wmc\webserver\conf\

Update the server.xml file in this directory for NetBackup versions 8.2 and higher:

UNIX/Linux: /usr/openv/var/global/wsl/webserver/conf/
Windows: <install_path>\NetBackup\var\global\wsl\webserver\conf\

Locate the 'Connector' tags with 'SSLEnabled'.

Remove the *_SHA or *_SHA1 entries from the comma-separated ciphers= lists. Entries ending in _SHA256 or _SHA384 are not SHA-1 suites and must stay, otherwise the connector may be left with no usable cipher suite.

Example:

<Connector SSLEnabled="True" ... ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA" ... >

becomes...

<Connector SSLEnabled="True" ... ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" ... >

Note: Be sure to remove any comma and space (, ) that precedes a removed cipher name.
Note: Be sure to remove the trailing comma and space (, ) if removing the first cipher in the list.

For OpsCenter, edit the cipher list at:

C:\Program Files\Symantec\OpsCenter\gui\webserver\conf\server.xml

 

3. vnetd proxy services (on primary servers, media servers, and clients)

Note: Not applicable before NetBackup 8.1.
Note: The process restart will cause connections to drop, affecting current jobs.

Add the following to the NetBackup configuration.

SECURE_PROXY_CIPHER_LIST = AES:!aNULL:!SHA:@STRENGTH

Note that white space in these commands is significant: the only spaces are the single ones after 'cd' and 'echo'. There are no spaces around the '=' or the '|'.

UNIX/Linux:
cd /usr/openv/netbackup/bin
echo 'SECURE_PROXY_CIPHER_LIST=AES:!aNULL:!SHA:@STRENGTH'|./nbsetconfig

Windows:
cd <install_path>\NetBackup\bin
echo SECURE_PROXY_CIPHER_LIST=AES:!aNULL:!SHA:@STRENGTH|nbsetconfig

Confirm the change.

UNIX/Linux: ./nbgetconfig SECURE_PROXY_CIPHER_LIST
Windows: nbgetconfig SECURE_PROXY_CIPHER_LIST

Expected output:

SECURE_PROXY_CIPHER_LIST = AES:!aNULL:!SHA:@STRENGTH

Stop the vnetd proxy processes, confirm down, and restart.

UNIX/Linux:
  ./vnetd -terminate
  ./bpps vnetd
  ./vnetd -standalone

Windows:
  bpdown
  bpps
  bpup
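The value used in sections 1 and 3 is an OpenSSL cipher string, so the local openssl binary can show which suites it actually permits. As an added example, not part of the Veritas article or of NetBackup itself, the script below checks the placement rule from section 1 (!SHA present, @STRENGTH last if present), expands the string with `openssl ciphers -v` when an openssl binary is on PATH (assumption: it shares the cipher tables of the OpenSSL build NetBackup links against, which is not guaranteed), and parses the verbose listing to flag any suite whose MAC column is SHA1. The listing embedded in the block is constructed, not captured from a NetBackup host.

```python
"""Added example, not from the Veritas article: check an OpenSSL cipher string
such as the SSLCipherSuite / SECURE_PROXY_CIPHER_LIST value from sections 1 and 3."""
from __future__ import annotations

import re
import shutil
import subprocess

# One line of `openssl ciphers -v` looks like:
#   AES128-SHA   SSLv3 Kx=RSA   Au=RSA   Enc=AES(128)   Mac=SHA1
_VERBOSE_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=\S+\s+Au=\S+\s+Enc=\S+\s+Mac=(?P<mac>\S+)"
)


def spec_is_well_formed(spec: str) -> bool:
    """Placement rule from the article: '!SHA' must be present, and '@STRENGTH',
    if present, must be the last element of the colon-separated list."""
    parts = spec.split(":")
    if "!SHA" not in parts:
        return False
    return "@STRENGTH" not in parts or parts[-1] == "@STRENGTH"


def sha1_mac_suites(verbose_output: str) -> list[str]:
    """Names of suites in `openssl ciphers -v` output whose MAC is SHA1.
    Suites with Mac=SHA256, Mac=SHA384 or Mac=AEAD are not SHA-1 suites."""
    hits = []
    for line in verbose_output.splitlines():
        m = _VERBOSE_LINE.match(line.strip())
        if m and m.group("mac") == "SHA1":
            hits.append(m.group("name"))
    return hits


def expand_spec(spec: str, openssl: str = "openssl") -> str | None:
    """Expand `spec` with the local openssl binary (assumption: it is on PATH and
    uses the same cipher tables as the OpenSSL build NetBackup links against).
    Returns the verbose listing, or None if openssl is missing or rejects the spec."""
    if shutil.which(openssl) is None:
        return None
    result = subprocess.run([openssl, "ciphers", "-v", spec],
                            capture_output=True, text=True)
    return result.stdout if result.returncode == 0 else None


# Constructed sample of `openssl ciphers -v` output, not captured from a NetBackup
# host. It represents a list BEFORE !SHA is added, so the check flags two suites.
SAMPLE_OUTPUT = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
"""

if __name__ == "__main__":
    spec = "AES:!aNULL:!SHA:@STRENGTH"
    print("well-formed:", spec_is_well_formed(spec))
    listing = expand_spec(spec)
    if listing is None:
        print("openssl not available; checking the constructed sample instead")
        listing = SAMPLE_OUTPUT
    bad = sha1_mac_suites(listing)
    print("SHA-1 MAC suites still allowed:", bad or "none")
```

Run it on the primary server after editing VRTSatlocal.conf or setting SECURE_PROXY_CIPHER_LIST; with a working openssl on PATH and the article's string, the last line should report none. A non-empty result means either the string was mistyped (for example @STRENGTH placed before !SHA) or the local openssl differs from the one NetBackup uses.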

 

4. nbmqbroker service (on primary servers)

Note: Not applicable before NetBackup 8.2.  Applicable in NetBackup 8.2 only if the dynamic NAT feature is enabled.
Note: The process restart will cause connections to drop, affecting current jobs and administration.

Remove unwanted ciphers from the two {ciphers, ["name1", "name2", ... "nameN"]} lists in these files.

Preserve the double quotes (") around each cipher name and the comma (,) after each name in each list, except that the last name in a list has no trailing comma.

UNIX/Linux:
/usr/openv/var/global/mqbroker/mqbroker.config
/usr/openv/mqbroker/templates/mqbroker.config_template

Windows:
<install_path>\NetBackup\var\global\mqbroker\mqbroker.config
<install_path>\NetBackup\mqbroker\templates\mqbroker.config_template

Update both files. The template file overwrites the config file whenever nbmqbroker is reconfigured, and the template file itself is overwritten by the version from the distribution at each upgrade, so it must be updated manually again after every upgrade.

Stop NetBackup, confirm down, and restart.
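The edits in sections 2 and 4 are the same operation on two file formats: drop every suite whose name ends in _SHA or _SHA1 (OpenSSL-style names end in -SHA), keep the SHA256/SHA384 suites, and repair the separators. As an added example, not from the Veritas article or the product, the script below does that for a Tomcat ciphers="..." attribute and for a {ciphers, [...]} list in the shape the article describes, and refuses to write back an empty list, which would leave the connector or broker with no usable suite. Both samples are constructed: the server.xml fragment mirrors the article's example, and the mqbroker fragment follows the article's description of the list shape with illustrative suite names rather than a real mqbroker.config.

```python
"""Added example, not from the Veritas article: strip SHA-1 cipher suites from a
Tomcat ciphers="..." attribute (nbwmc / OpsCenter server.xml, section 2) and from
an Erlang-style {ciphers, ["..."]} list (mqbroker.config, section 4)."""
import re

# A suite name whose last token is SHA or SHA1 uses HMAC-SHA1. This matches both
# IANA names (TLS_..._CBC_SHA) and OpenSSL names (AES256-SHA); SHA256 / SHA384
# suffixes do not match and those suites are kept.
_SHA1_SUFFIX = re.compile(r"[-_]SHA1?$")


def is_sha1_suite(name: str) -> bool:
    return _SHA1_SUFFIX.search(name) is not None


def keep_non_sha1(names: list[str]) -> list[str]:
    kept = [n for n in names if not is_sha1_suite(n)]
    if not kept:
        # Writing an empty list would leave the service with no usable suite.
        raise ValueError(f"every suite in {names} uses SHA-1; nothing would remain")
    return kept


_CIPHERS_ATTR = re.compile(r'(ciphers\s*=\s*")([^"]*)(")')


def strip_server_xml(text: str) -> str:
    """Rewrite every ciphers="..." attribute, joining survivors with ', ' so no
    leading or trailing comma is left behind (the two notes in section 2)."""
    def repl(m: re.Match) -> str:
        names = [n.strip() for n in m.group(2).split(",") if n.strip()]
        return m.group(1) + ", ".join(keep_non_sha1(names)) + m.group(3)
    return _CIPHERS_ATTR.sub(repl, text)


_MQ_LIST = re.compile(r"(\{\s*ciphers\s*,\s*\[)([^\]]*)(\]\s*\})")


def strip_mqbroker_config(text: str) -> str:
    """Rewrite each {ciphers, ["a", "b"]} list, keeping the double quotes around
    every name and a comma after every name but the last (section 4)."""
    def repl(m: re.Match) -> str:
        names = re.findall(r'"([^"]*)"', m.group(2))
        body = ", ".join(f'"{n}"' for n in keep_non_sha1(names))
        return m.group(1) + body + m.group(3)
    return _MQ_LIST.sub(repl, text)


# Constructed samples; the mqbroker suite names are illustrative only.
SAMPLE_SERVER_XML = (
    '<Connector SSLEnabled="True" ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, '
    'TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA" />'
)
SAMPLE_MQBROKER = (
    '{ssl_options, [{ciphers, ["ECDHE-RSA-AES256-GCM-SHA384", "AES256-SHA", '
    '"ECDHE-RSA-AES128-SHA256"]}]}'
)

if __name__ == "__main__":
    print(strip_server_xml(SAMPLE_SERVER_XML))
    print(strip_mqbroker_config(SAMPLE_MQBROKER))
```

Apply it to a copy of the file, diff against the original, and only then replace the live file; for section 4 run it over both mqbroker.config and mqbroker.config_template so the next reconfiguration does not reintroduce the SHA-1 suites.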

 
