Import and restore jobs in AutoDR server fail. Enable AutoDR with manual KMS key transfer.

Article: 100046030
Last Published: 2020-09-18
Product(s): NetBackup

Problem

When KMS encryption is enabled in CloudCatalyst, the user cannot share the images in the S3 bucket in the Automated Disaster Recovery (AutoDR) server.

Error Message

Import and restore jobs on the AutoDR server fail. The import job description shows this error:
Error bpdm (pid=xxx) cannot restore-TIR backup id xxxx, error = no entity was found

Cause

The KMS key information does not exist on the AutoDR server.

Solution

An update to MSDP for NetBackup version 8.2 is needed to resolve the issue. The EEB for Etrack 3981133 (version 7 or later) is required to configure AutoDR, including when KMS encryption is used with CloudCatalyst.

Here are the steps:

  1. Install EEB_3981133 on both the on-premise CloudCatalyst server and the AutoDR server in the cloud.
  2. Transfer the KMS key manually.

On the on-premise side:

  1. CloudCatalyst server: Find the key group name for the given CloudCatalyst server.

Find the path to contentrouter.cfg in /etc/pdregistry.cfg.
The key group name is in contentrouter.cfg under [KMSOptions]
(example: KMSKeyGroupName=amazon.com:test1).

  2. NetBackup master server: Export the key group with a passphrase to a file:

/usr/openv/netbackup/bin/admincmd/nbkmsutil -export -key_groups <CloudCatalyst-key-group-name> -path <key file path>
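
The two on-premise steps above, scripted as an added example (not Veritas code): it reads KMSKeyGroupName from the [KMSOptions] section only and prints the export command to run on the master server. The function names and the sample file contents are constructed for this example, and it assumes /etc/pdregistry.cfg contains the full path to contentrouter.cfg.

```shell
# Added example: resolve the CloudCatalyst key group name and print the
# nbkmsutil export command for it. Nothing here calls NetBackup binaries.

# Print every path ending in contentrouter.cfg found in the registry file.
find_contentrouter_cfg() {
    # $1: registry file (/etc/pdregistry.cfg on the CloudCatalyst server)
    grep -o '/[^=[:space:]]*contentrouter\.cfg' "$1" | sort -u
}

# Print KMSKeyGroupName from [KMSOptions]; return 1 if it is not set there.
kms_key_group() {
    # $1: path to contentrouter.cfg
    awk '
        { sub(/\r$/, "") }    # tolerate CRLF line endings
        /^[[:space:]]*\[/ { in_kms = ($0 ~ /^[[:space:]]*\[KMSOptions\]/); next }
        in_kms && /^[[:space:]]*KMSKeyGroupName[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, "")
            print; found = 1; exit
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Print the export command for the key group configured in contentrouter.cfg.
export_command() {
    # $1: path to contentrouter.cfg, $2: key file path on the master server
    group=$(kms_key_group "$1") || {
        echo "no KMSKeyGroupName under [KMSOptions] in $1" >&2
        return 1
    }
    printf '%s -export -key_groups %s -path %s\n' \
        /usr/openv/netbackup/bin/admincmd/nbkmsutil "$group" "$2"
}

# Constructed sample files (not copied from a real server) for a dry run.
# A same-named key in another section must be ignored by kms_key_group.
write_samples() {
    # $1: directory to write the samples into
    printf '[ExampleSection]\nexamplekey=%s/contentrouter.cfg\n' "$1" > "$1/pdregistry.cfg"
    printf '[OtherSection]\r\nKMSKeyGroupName=wrong\r\n[KMSOptions]\r\nSomeOption=1\r\nKMSKeyGroupName = amazon.com:test1 \r\n' \
        > "$1/contentrouter.cfg"
}

tmp=$(mktemp -d) && write_samples "$tmp"
cfg=$(find_contentrouter_cfg "$tmp/pdregistry.cfg")
export_command "$cfg" '<key file path>'
rm -rf "$tmp"
```

On a real CloudCatalyst server, pass /etc/pdregistry.cfg to find_contentrouter_cfg instead of the sample file.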

On the AutoDR server (cloud side):

  1. Install NetBackup as an all-in-one system and install EEB_3981133.
  2. Copy the exported key to the AutoDR server.
  3. Configure the KMS server:

/usr/openv/netbackup/bin/nbkms -createemptydb
/usr/openv/netbackup/bin/nbkms

  4. Import the keys to the KMS service:

/usr/openv/netbackup/bin/admincmd/nbkmsutil -import -path <key file path> -preserve_kgname

  5. Configure the AutoDR server with this script:

/usr/openv/pdde/pdag/scripts/ims_system_config.py

Please make sure to include the switch "--kms_enabled" so that the storage server is created with encryption enabled.

Handle On-Prem KMS key changes

If the KMS keys for the given group change on the on-premise CloudCatalyst server after the AutoDR server is set up, the user needs to export the key file from the on-premise KMS server and import the key file on the AutoDR server.

  1. On-premise NetBackup master server: Export the key group with a passphrase to a file:

/usr/openv/netbackup/bin/admincmd/nbkmsutil -export -key_groups <CloudCatalyst-key-group-name> -path <key file path>

  2. AutoDR server:

/usr/openv/netbackup/bin/admincmd/nbkmsutil -deletekg -kgname <CloudCatalyst-key-group-name> -force
/usr/openv/netbackup/bin/admincmd/nbkmsutil -import -path <key file path> -preserve_kgname

Applies to

NetBackup 8.2

Bundle EEB 3981133

References

Etrack : 3980925 SW_DOWNLOAD : 3981133
