How to configure FIPS mode during NetBackup installation.

Article: 100052834
Last Published: 2024-09-23
Product(s): NetBackup & Alta Data Protection

Description:

About FIPS support in NetBackup:

The Federal Information Processing Standards (FIPS) define U.S. and Canadian Government security and interoperability requirements for computer systems. The FIPS 140-2 standard specifies the security requirements for cryptographic modules. It describes the approved security functions for symmetric and asymmetric key encryption, message authentication, and hashing.
By default, the FIPS mode is disabled in NetBackup.

The following workloads are supported in FIPS-compliant mode:

  • Oracle, MS-SQL, SAP HANA, DB2, VMware, Hyper-V, RHV, Nutanix, DynamicNAS, MongoDB, Hadoop, HBase, MySQL, PostgreSQL, SQLite, MariaDB, SharePoint

The following operating system-level support is available in the FIPS mode:

  • Once you enable the FIPS mode on RHEL 8, the operating system requires that each RPM package has a SHA-256 digest. RPMs that do not have this digest will fail to install. The RPMs that are built using the native toolchain present on RHEL 6 or RHEL 7 platforms do not include a SHA-256 digest and therefore can fail to install on RHEL 8 when the FIPS mode is enabled. This issue affects NetBackup 9.1 and earlier setups as packages for these versions are built using the OS native toolchain on RHEL 7 or earlier. Starting with NetBackup 10.0, the packages are built using a toolchain that adds the SHA-256 digest and these can be installed on RHEL 8 with the FIPS mode enabled.
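
The RHEL 8 digest requirement described above can be checked on staged packages before FIPS mode is enabled. The following is an added example, not part of the original article and not NetBackup tooling: it reads the verbose output of `rpm -Kv` and lists every package that has no verified SHA-256 digest. The function names, package paths and sample output are constructed, and the output layout is assumed from rpm 4.14 and later.

```shell
#!/bin/sh
# Added example (not NetBackup tooling): list staged RPMs that have no
# verified SHA-256 digest and would be rejected by RHEL 8 in FIPS mode.

# Reads `rpm -Kv` output on stdin; prints the path of every package whose
# section has no "SHA256 digest: OK" line (header or payload).
# Assumption: rpm 4.14+ layout, an unindented "path:" line per package
# followed by indented result lines.
rpms_without_sha256() {
    awk '
        /^[^ \t].*:$/ {                       # start of a package section
            if (pkg != "" && !sha256) print pkg
            pkg = substr($0, 1, length($0) - 1)
            sha256 = 0
            next
        }
        /SHA256 digest: OK$/ { sha256 = 1 }   # header or payload digest
        END { if (pkg != "" && !sha256) print pkg }
    '
}

# Hypothetical wrapper for real files: audit_rpms /path/to/*.rpm
audit_rpms() {
    rpm -Kv "$@" 2>&1 | rpms_without_sha256
}

# Constructed sample output: one package built with a SHA-256-aware
# toolchain, one built with an older native toolchain.
sample_rpm_kv_output() {
    cat <<'EOF'
/stage/example-new.x86_64.rpm:
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    MD5 digest: OK
/stage/example-old.x86_64.rpm:
    Header SHA1 digest: OK
    MD5 digest: OK
EOF
}

# With arguments, audit those files; otherwise run on the sample.
if [ "$#" -gt 0 ]; then
    audit_rpms "$@"
else
    sample_rpm_kv_output | rpms_without_sha256
fi
```

Any path the script prints is a package that needs a rebuilt version (for NetBackup, 10.0 or later per the note above) before it can be installed with FIPS mode enabled.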

The following components, configurations, or operations are not supported in the FIPS mode:

  • Client-side encryption.

Note: To perform a backup with client-side encryption, you need to disable the FIPS mode on the client host.

  • NDMP backups, Sybase database used by NetBackup
  • Scripts (Perl, batch, shell, python) that are executed within NetBackup

  • OpsCenter

  • Binaries or utilities: restore_spec_utility, nbcloudrestore, nbcallhomeproxyconfig, nbbsdtar, nbrepo

  • NetBackup domain with NBAC enabled

If NBAC is configured in the NetBackup domain, it is recommended that you do not enable the FIPS mode.

  • The MQBROKER processes do not support NetBackup-level FIPS configuration on Windows.

  • MIT Kerberos used by Hadoop and HBase does not operate with a FIPS-enabled OpenSSL. To perform backup with Kerberos authentication, you need to disable FIPS on the backup host.

  • NetBackup CloudPoint does not support the CloudPoint host that is configured in the FIPS mode.

  • SharePoint internally uses encryption algorithms that do not comply with FIPS standards. The Windows FIPS policy blocks the MD5 hashing algorithms that SharePoint uses. Therefore, the OS-level FIPS policy should be disabled for the SharePoint restores for successful operation.

Note that NetBackup-FIPS is supported for protecting SharePoint.

See the following articles for more details:

FIPS and SharePoint Server - https://docs.microsoft.com/en-us/sharepoint/security-for-sharepoint-server/federal-information-processing-standard-security-standards

SharePoint 2016 and FIPS - https://social.technet.microsoft.com/Forums/en-US/3c748d4e-eecd-443f-a7c4-6a36da6b16bc/sharepoint-2016-and-fips?forum=SP2016

Prerequisites:

Review the given prerequisites before you configure FIPS in your NetBackup environment.

Note: If you are configuring FIPS mode during installation, then make sure the NetBackup version is 10.1 or later.

  • Ensure the following before the FIPS mode is enabled in the NetBackup domain and on the NetBackup clients:
    • The NetBackup master server and media servers are 10.0 or later.
    • NetBackup clients are 8.1 or later.

Note: If the FIPS mode is enabled and the backups are targeted to the media server deduplication pool (MSDP), the CPU consumption of your system may increase.

  • For seamless SSL communication among the NetBackup processes while the FIPS mode is enabled, ensure the following:
    • The NetBackup CA private key is in a FIPS-compliant encryption format, that is, PKCS 8.

    • The private key is generated with a FIPS-compliant algorithm, for example, RSA.

    • The private key strength of the NetBackup CA is set to 2048 or 3072 bits. If the private key strength does not match the supported value, migrate the CA.

For more information about “Migrating NetBackup CA”, see the NetBackup™ Security and Encryption Guide.

If you have configured an external CA, contact the concerned security administrator.

For more information about external CA support in NetBackup, see the NetBackup™ Security and Encryption Guide.

  • The ongoing NetBackup CA migration process is complete.

Warning: If the prerequisites are not met, some of the NetBackup functions may not work.

Configuring FIPS mode during NetBackup installation:

Windows:

The Windows installer provides the ‘FIPS compliance in NetBackup’ screen to configure FIPS mode during installation. The different types of Windows installation and their FIPS configuration options are listed below.

  • Local primary, media, and client installation.

Select the ‘Enable FIPS mode’ checkbox to enable FIPS mode during local installation. By default, FIPS mode is disabled.

  • Remote primary, media, and client installation.

If FIPS mode is enabled during remote installation, the NetBackup installation and further options on all remote hosts run in FIPS mode.

  • Clustered server installation.

Enabling FIPS mode during clustered server installation enables FIPS mode on the nodes that are added on the NetBackup Remote Host screen. If you add a new node to an existing cluster group by running the Windows installer on that node, make sure that its FIPS mode configuration value matches the rest of the nodes in the cluster group.

Unix:

FIPS mode can be configured during Unix installation using the NetBackup answer file. Use the NB_FIPS_MODE property with the Enable or Disable value to configure FIPS during Unix installation.

For more information about configuring FIPS mode during NetBackup installation, refer to the NetBackup Installation Guide.

Configuring FIPS mode during NetBackup Upgrade:

NetBackup does not support enabling or disabling FIPS mode during upgrade. Enable FIPS mode before the upgrade if the existing NetBackup version supports FIPS, otherwise, enable it after the upgrade.

Enabling or disabling FIPS mode during a Windows remote upgrade does not change the FIPS mode value in the NetBackup configuration on remote hosts.

 
