Veritas NetBackup™ 8.0 Security and Encryption Guide
Overview of security certificates in NetBackup
NetBackup uses security certificates to authenticate NetBackup hosts. The security certificates conform to the X.509 Public Key Infrastructure (PKI) standard. A master server acts as the Certificate Authority (CA) and issues digital certificates to hosts.
Any security certificates that were generated before NetBackup 8.0 are now referred to as host name-based certificates. NetBackup is in the process of replacing these older certificates with newer host ID-based certificates. The transition will be completed in future releases and the use of host name-based certificates will be eliminated.
However, the transition is ongoing and NetBackup 8.0 continues to require the older host name-based certificates for some operations. The following table lists which type of certificate is required for various operations.
Table: Security certificate requirements
Operation or situation | Type of certificate required |
---|---|
NetBackup master server cluster installation | For a NetBackup master server in a cluster solution other than WSFC and VCS on Windows, you must deploy a host name-based certificate to all of the nodes in the cluster. |
To use the NetBackup Java consoles to connect to media servers and clients | To connect to a media server with the NetBackup Administration Console, the media server must have host name-based and host ID-based certificates installed. To connect to a Windows or UNIX client with the Backup, Archive, and Restore user interface, the client must have a host ID-based certificate installed. |
NetBackup Access Control (NBAC) | If NBAC is enabled on a NetBackup host, the hosts require host name-based certificates. These are automatically deployed when NBAC is enabled. |
Enhanced Auditing operations | Enhanced Auditing operations require that the hosts have host name-based certificates. |
Targeted Auto Image Replication operations | Targeted Auto Image Replication operations require that the hosts have host name-based certificates. |
Cloud storage | The NetBackup CloudStore Service Container requires that the host name-based certificate be installed on the media server. If one is not installed, the Service Container cannot start. For more information, see the NetBackup Cloud Administrator's Guide. |