Symantec NetBackup™ Appliance Security Guide

Last Published:
Product(s): Appliances (3.1.1 (5340), 3.1.1 (5330), 3.1.1 (5240), 3.1.1 (5230), 3.1.1 (5220))
  1. About the NetBackup Appliance Security Guide
    1.  
      About the NetBackup Appliance Security Guide
  2. User authentication
    1. About user authentication on the NetBackup appliance
      1.  
        User types that can authenticate on the NetBackup appliance
    2. About configuring user authentication
      1.  
        Generic user authentication guidelines
    3.  
      About authenticating LDAP users
    4.  
      About authenticating Active Directory users
    5.  
      About authenticating Kerberos-NIS users
    6.  
      About the appliance login banner
    7. About user name and password specifications
      1.  
        About STIG compliant password policy rules
  3. User authorization
    1.  
      About user authorization on the NetBackup Appliance
    2. About authorizing NetBackup appliance users
      1.  
        NetBackup Appliance user role privileges
    3.  
      About the Administrator user role
    4.  
      About the NetBackupCLI user role
  4. Intrusion prevention and intrusion detection systems
    1.  
      About Symantec Data Center Security on the NetBackup Appliance
    2.  
      About the NetBackup Appliance intrusion prevention system
    3.  
      About the NetBackup Appliance intrusion detection system
    4.  
      Reviewing SDCS events on the NetBackup appliance
    5.  
      Running SDCS in unmanaged mode on the NetBackup appliance
    6.  
      Running SDCS in managed mode on the NetBackup appliance
    7.  
      Overriding the NetBackup Appliance intrusion prevention system policy
    8.  
      Re-enabling the NetBackup Appliance intrusion prevention system policy
  5. Log files
    1.  
      About NetBackup Appliance log files
    2.  
      Viewing log files using the Support command
    3.  
      Where to find NetBackup Appliance log files using the Browse command
    4.  
      Gathering device logs with the DataCollect command
    5.  
      Log Forwarding feature overview
  6. Operating system security
    1.  
      About NetBackup appliance operating system security
    2.  
      Major components of the NetBackup Appliance OS
    3.  
      Disabled service accounts on the NetBackup Appliance
    4.  
      Vulnerability scanning of the NetBackup Appliance
  7. Data security
    1.  
      About data security
    2.  
      About data integrity
    3.  
      About data classification
    4. About data encryption
      1.  
        KMS support
  8. Web security
    1.  
      About SSL usage
    2.  
      Implementing third-party SSL certificates
  9. Network security
    1.  
      About IPsec Channel Configuration
    2.  
      About NetBackup Appliance ports
  10. Call Home security
    1.  
      About AutoSupport
    2. About Call Home
      1.  
        Configuring Call Home from the NetBackup Appliance Shell Menu
      2.  
        Enabling and disabling Call Home from the NetBackup Appliance Shell Menu
      3.  
        Configuring a Call Home proxy server from the NetBackup Appliance Shell Menu
      4.  
        Understanding the Call Home workflow
    3. About SNMP
      1.  
        About the Management Information Base (MIB)
  11. IPMI security
    1.  
      Introduction to IPMI configuration
    2.  
      Recommended IPMI settings
    3.  
      Replacing the default IPMI SSL certificate
  12. STIG and FIPS conformance
    1.  
      OS STIG hardening for NetBackup appliances
    2.  
      Unenforced STIG hardening rules
    3.  
      FIPS 140-2 conformance for NetBackup appliances
  13. Appendix A. Security release content
    1.  
      NetBackup Appliance security release content

Replacing the default IPMI SSL certificate

Veritas recommends that the default IPMI SSL certificate used to access the IPMI web interface be replaced with either a certificate signed by a trusted internal or external Certificate Authority (in PEM format), or by a self-signed certificate. You can use the following procedure to create a minimal self-signed certificate on a Linux computer and import it into the IPMI web interface:

To create a minimal self-signed certificate on a Linux computer and import it into the IPMI web interface:

  1. Run the following command to generate the private key called ipmi.key:
    $ openssl genrsa -out ipmi.key 2048
	
Generating RSA private key, 2048 bit long modulus
	
.....+++

	.+++

	e is 65537 (0x10001)
  2. Generate a certificate signing request called ipmi.csr using ipmi.key, filling in each field with their appropriate values:

    Note:

    To avoid extra warnings in your browser, set the CN to the fully qualified domain name of the IPMI interface. You are about to enter is what is called a Distinguished Name or a DN.

    $ openssl req -new -key ipmi.key -out ipmi.csr

    Refer to the following guidelines to enter information to be incorporated into your certificate request:

    Country Name (2 letter code) [AU]:

    Enter your Country's name. For example, US.

    State or Province Name (full name) [Some-State]:

    Enter your State's or Province's name. For example, OR.

    Locality Name (eg, city) []:

    Enter your Locality name. For example, Springfield.

    Organization Name (eg, company) [Internet Widgits Pty Ltd]:

    Enter your Organization's name. For example, Veritas.

    Organizational Unit Name (eg, section) []:

    Enter your Organization Unit's name.

    Common Name (eg, YOUR name) []:

    Enter hostname.your.company.

    Email Address []:

    Enter your email address. For example, email@your.company .

    A challenge password []:

    Enter the appropriate challenge password, which is the extra attribute to be sent with your certificate request.

    An optional company name []:

    Enter the appropriate optional company name, which is the extra attribute to be sent with your certificate request.

    Note:

    Enter '.', to leave any field blank.

  3. Sign ipmi.csr with ipmi.key and create a certificate called ipmi.crt that is valid for 1 year:
    $ openssl x509 -req -in ipmi.csr 

-out ipmi.crt -signkey ipmi.key 

-days 365

	Signature ok

	subject=/C=US/ST=OR/L=Springfield

/O=Veritas/OU=Your OU/

CN=hostname.your.company/

emailAddress=email@your.company
	

Getting Private key
  4. Concatenate ipmi.crt and ipmi.key to create a certificate in PEM format called ipmi.pem.
    $ cat ipmi.crt ipmi.key > ipmi.pem
  5. Copy ipmi.pem to a host that has access to the appliance's IPMI web interface.
  6. Login to your Veritas Remote Management (IPMI web interface).
  7. Click Configuration > SSL.

    The appliance displays the SSL Upload page.

  8. From the SSL Upload page, click Choose File to import the certificate.
  9. Select the ipmi.pem and click Upload.
  10. A warning may appear that says an SSL certificate already exists, press OK to continue.
  11. To import the key, click Choose File again (notice it says New Privacy Key next to the button).
  12. Select the ipmi.pem and click Upload.
  13. A confirmation appears stating that the certificate and key were uploaded successfully, press OK to restart the Web service.
  14. Close and reopen the Veritas Remote Management (IPMI web interface) interface to verify that the new certificate is being presented.