Problem
When KMS encryption is enabled in CloudCatalyst, the images in the S3 bucket cannot be shared with the Automated Disaster Recovery (AutoDR) server.
Error Message
Import and restore jobs on the AutoDR server fail. The import job description shows the error:
Error bpdm (pid=xxx) cannot restore-TIR backup id xxxx, error = no entity was found
Cause
The KMS key information does not exist on the AutoDR server.
Solution
An update to MSDP for NetBackup version 8.2 is needed to resolve the issue. The EEB for Etrack 3981133 (version 7 or later) is required for configuring AutoDR, including when KMS encryption is used with CloudCatalyst.
Here are the steps:
- Install EEB_3981133 on both the on-premise CloudCatalyst server and the AutoDR server in the cloud.
- Transfer the KMS key manually, as follows.
On the on-prem side:
- CloudCatalyst server: Find the key group name for the given CloudCatalyst server.
The location of contentrouter.cfg is listed in /etc/pdregistry.cfg.
The key group name is in contentrouter.cfg under [KMSOptions].
(Example: KMSKeyGroupName=amazon.com:test1)
- NetBackup master server: Export the key group with a passphrase to a file:
/usr/openv/netbackup/bin/admincmd/nbkmsutil -export -key_groups <CloudCatalyst-key-group-name> -path <key file path>
On the AutoDR server (cloud side):
- Install NetBackup as an all-in-one system and install EEB_3981133.
- Copy the exported key file to the AutoDR server.
- Configure the KMS server:
/usr/openv/netbackup/bin/nbkms -createemptydb
/usr/openv/netbackup/bin/nbkms
- Import the keys into the KMS service:
/usr/openv/netbackup/bin/admincmd/nbkmsutil -import -path <key file path> -preserve_kgname
- Configure the AutoDR server with this script:
/usr/openv/pdde/pdag/scripts/ims_system_config.py
Be sure to include the "--kms_enabled" switch so that the storage server is created with encryption enabled.
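The on-prem key-export step (find the key group name in contentrouter.cfg, then run nbkmsutil -export) as an added shell helper that is not part of this article: it reads the contentrouter.cfg path from /etc/pdregistry.cfg, takes KMSKeyGroupName only from the [KMSOptions] section so a same-named key in another section is not picked up, and refuses to export an empty group name. The pdregistry.cfg key name and the NBKMSUTIL override variable are assumptions; any passphrase handling is left to nbkmsutil itself.

```shell
#!/bin/sh
# Added example, not Veritas code. Locates contentrouter.cfg through
# /etc/pdregistry.cfg, extracts KMSKeyGroupName from [KMSOptions] only,
# and passes the group name to nbkmsutil -export.

# Print the contentrouter.cfg path recorded in pdregistry.cfg.
# Assumption: the registry holds a "<key>=<path>/contentrouter.cfg" line;
# the match is on the file name, so the key name does not matter.
find_contentrouter_cfg() {
    registry="${1:-/etc/pdregistry.cfg}"
    grep -o '[^=[:space:]]*contentrouter\.cfg' "$registry" | head -n 1
}

# Print KMSKeyGroupName from the [KMSOptions] section of contentrouter.cfg.
# Values outside that section are ignored. Prints nothing and returns 1
# when the key is absent, so callers cannot silently export "".
kms_key_group_name() {
    cfg="$1"
    name=$(awk '
        /^[[:space:]]*\[/ { in_kms = ($0 ~ /^[[:space:]]*\[KMSOptions\]/); next }
        in_kms && /^[[:space:]]*KMSKeyGroupName[[:space:]]*=/ {
            v = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            print v; exit
        }' "$cfg")
    [ -n "$name" ] || return 1
    printf '%s\n' "$name"
}

# Export the CloudCatalyst key group to a file on the NetBackup master server.
# NBKMSUTIL (assumed override) lets the wrapper be exercised where NetBackup
# is not installed; by default it is the path given in the article.
export_key_group() {
    group="$1"
    out="$2"
    nbkmsutil="${NBKMSUTIL:-/usr/openv/netbackup/bin/admincmd/nbkmsutil}"
    if [ -z "$group" ]; then
        echo "refusing to export: empty key group name" >&2
        return 1
    fi
    "$nbkmsutil" -export -key_groups "$group" -path "$out"
}

# Typical use on the on-prem master server:
#   cfg=$(find_contentrouter_cfg) && grp=$(kms_key_group_name "$cfg") \
#     && export_key_group "$grp" /root/cloudcatalyst-keys.export
```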
Handle On-Prem KMS key changes
If the KMS key for the given group changes on the on-premise CloudCatalyst server after the AutoDR server is set up, export the key file from the on-premise KMS server and import it on the AutoDR server.
- On-premise NetBackup master server: Export the key group with a passphrase to a file:
/usr/openv/netbackup/bin/admincmd/nbkmsutil -export -key_groups <CloudCatalyst-key-group-name> -path <key file path>
- AutoDR server: Delete the existing key group, then import the new key file:
/usr/openv/netbackup/bin/admincmd/nbkmsutil -deletekg -kgname <CloudCatalyst-key-group-name> -force
/usr/openv/netbackup/bin/admincmd/nbkmsutil -import -path <key file path> -preserve_kgname
Applies to
NetBackup 8.2
Bundle EEB 3981133