Important Update: Cohesity Products Knowledge Base Articles
All Cohesity Knowledge Base Articles are now managed via the Cohesity Support Portal: https://support.cohesity.com/s/searchunify. The Knowledge Base articles available here will not reflect the latest information or may no longer be accessible.
Description
The Federal Information Processing Standards (FIPS) define U.S. and Canadian Government security and interoperability requirements for computer systems. The FIPS 140-2 standard specifies the security requirements for cryptographic modules. It describes the approved security functions for symmetric and asymmetric key encryption, message authentication, and hashing.
For more information about the FIPS 140-2 standard and its validation program, see the National Institute of Standards and Technology (NIST) and the Communications Security Establishment Canada (CSEC) Cryptographic Module Validation Program website at https://csrc.nist.gov/projects/cryptographic-module-validation-program.
The Backup Exec 21.1 Deduplication Storage Folder is now FIPS validated and can be operated in FIPS mode.
Solution
1. Ensure that Backup Exec is upgraded to version 21.1.
2. To comply with FIPS encryption standards, enable encryption on the Deduplication Storage Folder by changing the following setting:

3. Disable Lockdown settings.
To disable the Lockdown, click Backup Exec Settings > Network And Security > Disk storage lockdown settings > Disable and enter the System Logon Account credentials.
NOTE: Disable the Lockdown setting only temporarily to run the script. Do not leave it disabled permanently.

4. Stop all BE and Deduplication services.
5. Enable FIPS mode for the Deduplication Storage Folder by running the following command:
X:\Program Files\Veritas\Backup Exec>set_fips_mode.bat 1
(Where X: is the install drive)


Warning: It is recommended that you do not disable the Backup Exec Deduplication FIPS mode once you enable it, for security reasons.
6. Start all BE and Deduplication services.
7. Enable Lockdown Settings.
To enable the Lockdown, click Backup Exec Settings > Network And Security > Disk storage lockdown settings > Enable.
8. To get the status of the Deduplication Storage Folder FIPS mode, enter the following command:
X:\Program Files\Veritas\Backup Exec>crcontrol.exe --getmode
(Where X: is the install drive)

NOTE:
- In a CAS-MBES setup, it is recommended to enable FIPS mode for the Deduplication Storage Folder on all the servers.
- Enable FIPS mode on remote servers for client-side Deduplication.
Command to enable FIPS mode on AWS: C:\Program Files\Veritas\Backup Exec\RAWS>set_fips_mode.bat 1

- FIPS mode can also be enabled for a Deduplication Storage Folder that does not have encryption enabled, but encryption needs to be enabled manually as discussed in step 2.
Linux client-side deduplication works when FIPS is enabled with Backup Exec 22.2:
1. Update RALUS on the Linux server to 22.2. Confirm that set_fips_mode.sh is installed.
2. On the Backup Exec server, add the Linux server and set the job to use client-side deduplication.
3. On the Linux machine, stop beremote, then run set_fips_mode.sh as "./set_fips_mode.sh 1".
Restart beremote on the Linux server and confirm that /etc/VRTSralus/fips.conf is created.
4. Restart all BE services on the Backup Exec server.
5. Run the Linux server backup with client-side deduplication enabled. It should complete successfully, which was not the case with RALUS agent versions earlier than BE 22.2.