Description
Starting with NetBackup 10.5, the TLS 1.3 protocol is supported. NetBackup 10.5 and later versions will use the TLS 1.3 protocol by default in secure communication workflows as follows:
- secure proxy
- data-in-transit encryption (DTE)
- external KMS server
- AD/LDAP server
- MSDP
- HTTPS communication using cURL.
Earlier versions of NetBackup use the TLS 1.2 protocol for secure communication.
Configuration settings related to TLS protocol version
1. TLS_MAX_VERSION
NetBackup uses TLS 1.3 protocol for secure communication between hosts with NetBackup version 10.5 or later. The TLS_MAX_VERSION setting can be used to configure the maximum TLS protocol version for secure communication. With this setting, you can enforce the TLS 1.2 protocol.
The supported values for the TLS_MAX_VERSION setting are:
- TLSv1.2
- TLSv1.3
| Usage | Description |
| --- | --- |
| Where to use | On NetBackup primary servers, media servers, or clients. |
| How to use | Use the nbgetconfig and the nbsetconfig commands to view, add, or change the option. For information about these commands, see the NetBackup Commands Reference Guide. Use the following format: TLS_MAX_VERSION = <version> |
NetBackup also provides the following settings to configure the maximum TLS protocol version for a specific secure communication workflow. These settings override the TLS_MAX_VERSION setting.
- SECURE_PROXY_TLS_MAX_VERSION:
This setting can be used to configure a maximum TLS protocol version for the secure communication between vnetd proxies on different NetBackup hosts.
- DTE_TLS_MAX_VERSION:
This setting can be used to configure a maximum TLS protocol version for data-in-transit encryption (DTE) workflows.
- EKMS_TLS_MAX_VERSION:
This setting can be used to configure a maximum TLS protocol version for the secure communication between NetBackup primary server and an external KMS server.
2. TLS_MIN_VERSION
NetBackup uses TLS 1.3 protocol for secure communication between hosts with NetBackup version 10.5 or later. The TLS_MIN_VERSION setting can be used to configure the minimum TLS protocol version for secure communication. With this setting, you can enforce the TLS 1.3 protocol.
The supported values for the TLS_MIN_VERSION setting are:
- TLSv1.2
- TLSv1.3
| Usage | Description |
| --- | --- |
| Where to use | On NetBackup primary servers, media servers, or clients. |
| How to use | Use the nbgetconfig and the nbsetconfig commands to view, add, or change the option. For information about these commands, see the NetBackup Commands Reference Guide. Use the following format: TLS_MIN_VERSION = <version> |
Note: There is no setting to configure the minimum TLS protocol version for specific secure communication.
Warning:
While configuring the TLS_MAX_VERSION or TLS_MIN_VERSION settings, ensure that the TLS protocol versions of the communicating hosts are compatible with each other.
Configuration settings related to TLS 1.3 protocol
NetBackup provides several configuration settings that you can use to override the default behavior with respect to the TLS 1.3 protocol.
1. TLS_CIPHER_SUITES
The TLS_CIPHER_SUITES setting configures the cipher suites that NetBackup uses for TLS 1.3 communication. The value must be a colon-separated list of permitted OpenSSL TLS 1.3 cipher suites.
For the permitted cipher suites, requirements, and limitations, see the OpenSSL TLS 1.3 cipher suites documentation.
You can use this setting to change the TLS 1.3 cipher suites that NetBackup uses for secure proxy, data-in-transit encryption and external KMS server.
Warning:
Note that when you configure the TLS_CIPHER_SUITES setting, hosts that do not have a common cipher suite will fail to communicate with each other.
| Usage | Description |
| --- | --- |
| Where to use | On NetBackup primary servers, media servers, or clients. |
| How to use | Use the nbgetconfig and the nbsetconfig commands to view, add, or change the option. For information about these commands, see the NetBackup Commands Reference Guide. Use the following format: TLS_CIPHER_SUITES = cipher_suite[:cipher_suite:cipher_suite:...] For example: TLS_CIPHER_SUITES = TLS_AES_256_GCM_SHA384 or TLS_CIPHER_SUITES = TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256 |
Note: NetBackup also provides the following settings to configure TLS 1.3 cipher suites for a specific secure communication workflow. These settings override the TLS_CIPHER_SUITES setting.
- SECURE_PROXY_TLS_CIPHER_SUITES:
This setting can be used to set TLS 1.3 cipher suites for the secure communication between vnetd proxies on different NetBackup hosts.
- DTE_TLS_CIPHER_SUITES:
This setting can be used to set TLS 1.3 cipher suites for data-in-transit encryption (DTE) workflows.
- EKMS_TLS_CIPHER_SUITES:
This setting can be used to set TLS 1.3 cipher suites for the secure communication between the NetBackup primary server and the external KMS server.
2. TLS_GROUPS_LIST
The TLS_GROUPS_LIST setting configures the TLS groups that NetBackup uses for TLS 1.3 communication. The value must be a colon-separated list of permitted OpenSSL TLS 1.3 groups.
TLS_GROUPS_LIST = <group1>[:<group2>:<group3>: ... :<groupN>]
<group1> to <groupN>: Specify the desired TLS groups in order of preference.
When TLS_GROUPS_LIST is set, it takes precedence over any TLS groups specified in OpenSSL configuration files.
Note: This setting is supported on NetBackup 11.0 and above hosts.
Caution:
Note that when you configure the TLS_GROUPS_LIST setting, hosts or services that do not have a common TLS group will fail to communicate with each other.
When configuring TLS_GROUPS_LIST, consider the following:
- Impact on Communication: Be cautious about the groups you specify. Misconfiguring this setting can disrupt communication with services or backlevel hosts that do not support the specified groups.
- Compatibility with Non-PQC Services: If PQC mode is enabled, ensure that the list includes at least one non-PQC TLS group. This ensures successful communication with services that do not support PQC.
- FIPS Compliance: If any communicating host or service operates in FIPS mode, ensure that the list contains at least one FIPS-compliant group to maintain compatibility.
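The compatibility warnings on this page (a TLS protocol version both hosts accept, a common TLS 1.3 cipher suite, a common TLS group, and a non-PQC or FIPS-compliant group where those modes apply) can be checked before values are applied with nbsetconfig. The following Python script is an added example, not NetBackup code: it models the override precedence described above (SECURE_PROXY_, DTE_ and EKMS_ keys winning over the global TLS_* keys) and flags mismatches between two hosts' configurations. The OpenSSL default suite and group lists, the FIPS-approved group set, the PQC name heuristic and the two sample configurations are assumptions, not values from the page.

```python
# Assumed defaults when a setting is absent (OpenSSL's own defaults; the NetBackup page does not state them).
DEFAULT_SUITES = "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
DEFAULT_GROUPS = "x25519:secp256r1:x448:secp521r1:secp384r1"
FIPS_GROUPS = {"secp256r1", "secp384r1", "secp521r1"}  # assumed FIPS-approved curves
PQC_MARKERS = ("kyber", "mlkem")  # assumed: hybrid/PQC group names carry the KEM name
VERSION_RANK = {"TLSv1.2": 2, "TLSv1.3": 3}
OVERRIDE_PREFIX = {"secure_proxy": "SECURE_PROXY_", "dte": "DTE_", "ekms": "EKMS_"}

def parse_config(text):
    """Parse 'KEY = value' lines in the format nbgetconfig prints."""
    cfg = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def host_params(cfg, workflow):
    """Version range, cipher suites and groups a host offers for one workflow."""
    def eff(key, default):  # a workflow-specific key (e.g. DTE_TLS_MAX_VERSION) wins over the global one
        return cfg.get(OVERRIDE_PREFIX[workflow] + key, cfg.get(key, default))
    lo = VERSION_RANK[cfg.get("TLS_MIN_VERSION", "TLSv1.2")]  # no per-workflow override exists
    hi = VERSION_RANK[eff("TLS_MAX_VERSION", "TLSv1.3")]
    suites = eff("TLS_CIPHER_SUITES", DEFAULT_SUITES).split(":")
    groups = cfg.get("TLS_GROUPS_LIST", DEFAULT_GROUPS).split(":")  # no per-workflow override exists
    return lo, hi, suites, groups

def check_pair(cfg_a, cfg_b, workflow, pqc_mode=False, fips_mode=False):
    """List the reasons hosts A and B would fail to negotiate a session for this workflow."""
    problems, a, b = [], host_params(cfg_a, workflow), host_params(cfg_b, workflow)
    for name, (_, _, _, groups) in (("A", a), ("B", b)):
        if pqc_mode and all(any(m in g.lower() for m in PQC_MARKERS) for g in groups):
            problems.append(f"host {name}: TLS_GROUPS_LIST contains no non-PQC group")
        if fips_mode and not FIPS_GROUPS & set(groups):
            problems.append(f"host {name}: TLS_GROUPS_LIST contains no FIPS-compliant group")
    if max(a[0], b[0]) > min(a[1], b[1]):  # also catches a host whose own min is above its max
        problems.append("no TLS protocol version is acceptable to both hosts")
    elif min(a[1], b[1]) == 3:  # TLS 1.3 will be negotiated, so suites and groups must overlap
        if not set(a[2]) & set(b[2]):
            problems.append("hosts share no TLS 1.3 cipher suite")
        if not set(a[3]) & set(b[3]):
            problems.append("hosts share no TLS group")
    return problems

# Constructed sample: a primary server that pins DTE to TLS 1.2 and a client that requires TLS 1.3.
PRIMARY_CFG = parse_config("TLS_MAX_VERSION = TLSv1.3\nDTE_TLS_MAX_VERSION = TLSv1.2\n"
                           "TLS_CIPHER_SUITES = TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256\n"
                           "TLS_GROUPS_LIST = x25519_kyber768:x25519:secp256r1\n")
CLIENT_CFG = parse_config("TLS_MIN_VERSION = TLSv1.3\nTLS_CIPHER_SUITES = TLS_AES_256_GCM_SHA384\n"
                          "TLS_GROUPS_LIST = x25519_kyber768:x25519\n")
```

With the sample pair, secure proxy and external KMS traffic negotiates TLS 1.3 cleanly, while DTE fails because the DTE_TLS_MAX_VERSION override on the primary server caps it below the client's TLS_MIN_VERSION.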
| Usage | Description |
| --- | --- |
| Where to use | On NetBackup primary servers, media servers, or clients. |
| How to use | Use the nbgetconfig and the nbsetconfig commands to view, add, or change the option. For information about these commands, see the NetBackup Commands Reference Guide. Use the following format: TLS_GROUPS_LIST = <group1>[:<group2>:<group3>: ... :<groupN>] For example: TLS_GROUPS_LIST = x25519_kyber768:x25519:secp256r1 This configuration will: |