Description
Overview
NetBackup version 10.3.0.1 and later provides an option to verify the storage array certificate for any communication that happens between NetBackup Snapshot Manager and the storage array. For the verification to succeed, the root certificate of the storage array must be maintained in the trust store of NetBackup Snapshot Manager.
You must manually download the storage array certificate and add it to the NBSM trust store. Once the certificate is added to the trust store, during the plugin configuration or plugin update operations, select the Verify Certificate option to enable certificate verification.
Follow the steps to add and list certificates into NBSM trust store.
- Sign in to the NBSM host.
- Using the mechanism provided by the storage array, download the root certificate of the storage array.
- Run the following command to add a certificate to NBSM.
"
flexsnap_configure truststore --ca"
- Run the following command to list certificates added in truststore. "flexsnap_configure truststore"
Example usage of flexsnap_configure
#
flexsnap_configure truststore --ca dspure09.pemCN=dspure09,O=Pure Storage,L=Default City,ST=MN,C=US ... done
#
flexsnap_configure truststoreCN=VeritasStorageArrayRootCA,O=Veritas,OU=saurabh.joshi1 ... ok
CN=r7515-088v01.vxindia.veritas.com,O=Isilon,ST=Some-State,C=AU ... ok
CN=StorageArrayRootCA,O=Veritas,OU=saurabh.joshi1 ... ok
CN=dspure09,O=Pure Storage,L=Default City,ST=MN,C=US ... ok
Plugin configuration screen
Update credentials screen shows the Verify Certificate option.
The following are the considerations and limitations while using the Verify Certificate option:
- By default, the Verify Certificate option is inactive for existing plugins after the NBSM upgrade.
- To enable this option for existing plugins, you must add the root certificate to NBSM trust store after the NBSM upgrade.
- At present, the Verify Certificate option is not supported for Qumulo storage array and NetApp Storage Array if configured via ZAPI.
This is also now updated in JAVA GUI and the tpconfig command line tool:
Please find the screens attached below for JAVA GUI Add and Change PlugIn options
For tpconfig utility, the screenshots are attached below:
In the tpconfig utility, true or false needs to be entered manually for the option "Enter Verify Certificate" depending on whether certificate needs to be verified or not.
The process for certificate addition as well as considerations and limitations given above remain the same across WebUI, JAVA GUI and the tpconfig utility.