Veritas NetBackup™ 8.0 Security and Encryption Guide
Changing the key pair for a host
Consider changing a key pair only if a key is compromised or leaked. Changing a key pair results in both a new host ID-based certificate and a new host name-based certificate.
The following procedure describes changing a key pair for a host, and then getting a new certificate using the new key pair. Perform the procedure only on a non-master host, not on a master server.
To change a key pair for a non-cluster host
1. The NetBackup host administrator backs up the following directories:
   On Windows: Install_path\NetBackup\var\VxSS\at\systemprofile
   On UNIX: /usr/openv/var/vxss/at/root
2. The NetBackup host administrator removes the directory from the host.
3. Restart the NetBackup services on the host.
4. The master server administrator performs the following steps:
   - Log in to the NetBackup Web Management Service:
     bpnbat -login -logintype WEB
   - Revoke the host ID-based certificate:
     nbcertcmd -revokeCertificate -host host_name
   - Generate a reissue token for the NetBackup host where the key pair is to be changed.
   - Deploy a new host name-based certificate:
     bpnbaz -ProvisionCert host_name
5. The NetBackup host administrator uses the reissue token to deploy a new host ID-based certificate with an updated key pair.
   Use the following command to enter the token directly:
     nbcertcmd -getCertificate -force -token token
   Use the following command if the token is in a file:
     nbcertcmd -getCertificate -force -file /directory/token_file
6. If the host has more than one master server, repeat the process beginning at step 4 for each master server.
7. Restart the NetBackup services on the NetBackup host where the key was changed.
To change a key pair for a host in a cluster
1. The NetBackup resource is typically clustered on the master or the media server.
   The NetBackup host administrator backs up the following directories:
   On Windows: Cluster_shared_disk\Veritas\NetBackup\var\VxSS\at\systemprofile
   On UNIX: /usr/openv/var/vxss/at/root
2. The NetBackup host administrator removes the directory from the host.
3. Restart the NetBackup services on the host.
4. The master server administrator performs the following steps:
   - Log in to the NetBackup Web Management Service:
     bpnbat -login -logintype WEB
   - Revoke the host ID-based certificate:
     nbcertcmd -revokeCertificate -host host_name
   - Generate a reissue token for the NetBackup host where the key pair is to be changed.
   - Deploy a new host name-based certificate:
     bpnbaz -ProvisionCert cluster_name
5. The NetBackup host administrator uses the reissue token to deploy a new host ID-based certificate with an updated key pair. Use the following command:
     nbcertcmd -getCertificate -force -file /directory/token_file -cluster
6. If the host has more than one master server, repeat the process beginning at step 4 for each master server.
7. Restart the NetBackup services on the active node where the key was changed.
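The following is an added example, not part of the Veritas guide, covering the first two steps of either procedure on a UNIX host: it archives the directory, checks that the archive lists every entry found on disk, and only then removes the directory. The function name rotate_prepare and the backup location /var/tmp/nbu-keypair-backup are assumptions; the service restart and the certificate commands remain as given in the procedures.

```shell
#!/bin/sh
# Added example: verified backup, then removal, of the directory named in the
# first two steps. rotate_prepare is a hypothetical helper, not a NetBackup tool.
#
# rotate_prepare [DIRECTORY] [BACKUP_DIR]
# Prints the archive path on success. On any failure it returns non-zero
# and leaves DIRECTORY in place.
rotate_prepare() {
    src=${1:-/usr/openv/var/vxss/at/root}    # UNIX path from the procedure
    dest=${2:-/var/tmp/nbu-keypair-backup}   # assumed backup location
    [ -d "$src" ] || { echo "not a directory: $src" >&2; return 2; }
    parent=$(dirname "$src"); name=$(basename "$src")
    archive="$dest/$name-$(date +%Y%m%d%H%M%S).tar"

    # Write the archive with owner-only permissions (umask scoped to a subshell).
    ( umask 077; mkdir -p "$dest" && tar -cf "$archive" -C "$parent" "$name" ) ||
        { echo "backup failed, $src left in place" >&2; return 3; }

    # Verify before deleting: the archive must list as many entries as exist on disk.
    want=$(( $(cd "$parent" && find "$name" | wc -l) ))
    have=$(( $(tar -tf "$archive" | wc -l) ))
    [ "$want" -eq "$have" ] ||
        { echo "archive has $have of $want entries, $src left in place" >&2; return 4; }

    rm -rf -- "$src" || return 5
    echo "$archive"
}
```

Run it as root on the host whose key pair is being changed, then continue with the service restart in step 3.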