Veritas NetBackup™ 8.0 Security and Encryption Guide

Last Published:
Product(s): NetBackup (8.0)
  1. Increasing NetBackup security
    1.  
      About NetBackup security and encryption
    2.  
      NetBackup security implementation levels
    3.  
      World-level security
    4.  
      Enterprise-level security
    5.  
      Datacenter-level security overview
    6.  
      NetBackup Access Control (NBAC)
    7.  
      Combined world, enterprise, and data center levels
    8.  
      NetBackup security implementation types
    9.  
      Operating system security
    10.  
      NetBackup security vulnerabilities
    11.  
      Standard NetBackup security
    12.  
      Media Server Encryption Option (MSEO) security
    13.  
      Client side encryption security
    14.  
      NBAC on master, media server, and graphical user interface security
    15.  
      NBAC complete security
    16.  
      All NetBackup security
  2. Security deployment models
    1.  
      Workgroups
    2.  
      Single datacenters
    3.  
      Multi-datacenters
    4.  
      Workgroup with NetBackup
    5.  
      Single datacenter with standard NetBackup
    6.  
      Single datacenter with Media Server Encryption Option (MSEO)
    7.  
      Single datacenter with client side encryption
    8.  
      Single datacenter with NBAC on master and media servers
    9.  
      Single datacenter with NBAC complete
    10.  
      Single datacenter with all security implemented
    11.  
      Multi-datacenter with standard NetBackup
    12.  
      Multi-datacenter with Media Server Encryption Option (MSEO)
    13.  
      Multi-datacenter with client side encryption
    14.  
      Multi-datacenter with NBAC on master and media servers
    15.  
      Multi-datacenter with NBAC complete
    16.  
      Multi-datacenter with all NetBackup security
  3. Port security
    1.  
      About NetBackup TCP/IP ports
    2. About NetBackup daemons, ports, and communication
      1.  
        Standard NetBackup ports
      2.  
        NetBackup master server outgoing ports
      3.  
        NetBackup media server outgoing ports
      4.  
        NetBackup enterprise media management (EMM) server outgoing ports
      5.  
        Client outgoing ports
      6.  
        Windows administration console and Java server outgoing ports
      7.  
        Java console outgoing ports
      8.  
        About MSDP port usage
      9.  
        About Cloud port usage
      10. Additional port information for products that interoperate with NetBackup
        1.  
          About communication and firewall considerations
        2.  
          Ports required to communicate with backup products
        3.  
          Web browser to NetBackup Web GUI connection
        4.  
          About NetBackup user interface and NetBackup server software communication
        5.  
          About NetBackup server to NetBackup master server (NBSL) communication
        6.  
          About SNMP traps
        7.  
          About communication between NetBackup and Sybase database communication
        8.  
          About email communication in NetBackup
    3. About configuring ports
      1.  
        Enabling or disabling random port assignments
      2.  
        Specifying firewall connection options on a NetBackup server or client
      3.  
        Specifying firewall connection options for destination computers from a source computer
      4.  
        Editing port information in configuration files
      5.  
        Updating client connection options
      6.  
        Updating port settings for the Media Manager in the vm.conf file
    4.  
      Port requirements for NDMP backups
    5.  
      Known firewall problems encountered when using NetBackup with third-party robotic products
  4. Auditing NetBackup operations
    1.  
      About NetBackup auditing
    2.  
      Viewing the current audit settings
    3.  
      Configuring auditing on a NetBackup master server
    4.  
      User identity in the audit report
    5.  
      About Enhanced Auditing
    6.  
      Enabling Enhanced Auditing
    7. Configuring Enhanced Auditing
      1.  
        Connecting to a media server with Enhanced Auditing
      2.  
        Changing a server across NetBackup domains
      3.  
        Configuration requirements if using Change Server with NBAC or Enhanced Auditing
    8.  
      Disabling Enhanced Auditing
    9.  
      Auditing host property changes
    10.  
      Retaining and backing up audit trail records
    11.  
      Viewing the audit report
    12.  
      Using the command line -reason or -r option
    13.  
      nbaudit log behavior
    14.  
      Audit alert notification for audit failures
  5. Access control security
    1.  
      About access control in NetBackup
    2.  
      User management
    3.  
      User authentication
    4.  
      Impact of Access Control via Enhanced Auditing on Java interface authorization
  6. NetBackup Access Control Security (NBAC)
    1.  
      About using NetBackup Access Control (NBAC)
    2.  
      NetBackup access management administration
    3.  
      About NetBackup Access Control (NBAC) configuration
    4. Configuring NetBackup Access Control (NBAC)
      1.  
        NBAC configuration overview
      2.  
        Configuring NetBackup Access Control (NBAC) on standalone master servers
      3.  
        Installing the NetBackup master server highly available on a cluster
      4.  
        Configuring NetBackup Access Control (NBAC) on a clustered master server
      5.  
        Configuring NetBackup Access Control (NBAC) on media servers
      6.  
        Installing and configuring NetBackup Access Control (NBAC) on clients
      7.  
        Establishing a trust relationship between the broker and the Windows remote console
      8.  
        About including authentication and authorization databases in the NetBackup hot catalog backups
      9.  
        NBAC configure commands summary
      10.  
        Unifying NetBackup Management infrastructures with the setuptrust command
      11.  
        Using the setuptrust command
    5. Configuring Access Control host properties for the master and media server
      1.  
        Authentication Domain tab
      2.  
        Authorization Service tab
      3.  
        Network Attributes tab
    6. Access Control host properties dialog for the client
      1.  
        Authentication Domain tab for the client
      2.  
        Network Attributes tab for the client
    7. Troubleshooting Access Management
      1.  
        Troubleshooting NBAC issues
      2.  
        Configuration and troubleshooting topics for NetBackup Authentication and Authorization
      3. Windows verification points
        1.  
          Master server verification points for Windows
        2.  
          Media server verification points for Windows
        3.  
          Client verification points for Windows
      4. UNIX verification points
        1.  
          UNIX master server verification
        2.  
          UNIX media server verification
        3.  
          UNIX client verification
      5. Verification points in a mixed environment with a UNIX master server
        1.  
          Master server verification points for a mixed UNIX master server
        2.  
          Media server verification points for a mixed UNIX master server
        3.  
          Client verification points for a mixed UNIX master server
      6. Verification points in a mixed environment with a Windows master server
        1.  
          Master server verification points for a mixed Windows master server
        2.  
          Media server verification points for a mixed Windows master server
        3.  
          Client verification points for a mixed Windows master server
      7.  
        About the nbac_cron utility
      8.  
        Using the nbac_cron utility
    8.  
      Using the Access Management utility
    9. About determining who can access NetBackup
      1.  
        Individual users
      2.  
        User groups
      3.  
        NetBackup default user groups
      4. Configuring user groups
        1.  
          Creating a new user group
        2.  
          Creating a new user group by copying an existing user group
        3.  
          Renaming a user group
        4.  
          Adding a new user to the user group
      5. About defining a user group and users
        1.  
          Logging on as a new user
        2.  
          Assigning a user to a user group
        3.  
          About authorization objects and permissions
    10. Viewing specific user permissions for NetBackup user groups
      1.  
        Granting permissions
      2.  
        Authorization objects
      3.  
        Media authorization object permissions
      4.  
        Policy authorization object permissions
      5.  
        Drive authorization object permissions
      6.  
        Report authorization object permissions
      7.  
        NBU_Catalog authorization object permissions
      8.  
        Robot authorization object permissions
      9.  
        Storage unit authorization object permissions
      10.  
        DiskPool authorization object permissions
      11.  
        BUAndRest authorization object permissions
      12.  
        Job authorization object permissions
      13.  
        Service authorization object permissions
      14.  
        HostProperties authorization object permissions
      15.  
        License authorization object permissions
      16.  
        Volume group authorization object permissions
      17.  
        VolumePool authorization object permissions
      18.  
        DevHost authorization object permissions
      19.  
        Security authorization object permissions
      20.  
        Fat server authorization object permissions
      21.  
        Fat client authorization object permissions
      22.  
        Vault authorization object permissions
      23.  
        Server group authorization object permissions
      24.  
        Key management system (kms) group authorization object permissions
    11.  
      Upgrading NetBackup Access Control (NBAC)
    12.  
      Upgrading NetBackup when an older version of NetBackup is using a root broker installed on a remote machine
  7. Security certificates in NetBackup
    1. Overview of security certificates in NetBackup
      1.  
        Deploying security certificates on NetBackup hosts
    2. About the Security Management utilities
      1.  
        About login activity
      2.  
        Troubleshooting auditing issues related to the Access History tab
    3. About host name-based certificates
      1.  
        Deploying host name-based certificates
    4. About host ID-based certificates
      1.  
        Web login requirements for nbcertcmd command options
      2. Using the Certificate Management utility to issue and deploy host ID-based certificates
        1.  
          Viewing host ID-based certificate details
      3. About certificate deployment security levels
        1.  
          Configuring the certificate deployment security levels
      4.  
        Automatic host ID-based certificate deployment
      5.  
        Deploying host ID-based certificates
      6.  
        Implication of clock skew on certificate validity
      7. Setting up trust with the master server (Certificate Authority)
        1.  
          Finding and communicating the fingerprint of a CA certificate
      8.  
        Deploying certificates from multiple masters
      9.  
        Forcing or overwriting certificate deployment
      10.  
        Retaining host ID-based certificates when reinstalling NetBackup on non-master hosts
      11.  
        Deploying certificates on a client that has no connectivity with the master server
      12.  
        About host ID-based certificate expiration and renewal
      13.  
        Cleaning host ID-based certificate information from a host before cloning a virtual machine
      14. About reissuing host ID-based certificates
        1.  
          Creating a reissue token
        2.  
          Changing the key pair for a host
    5. About Token Management for host ID-based certificates
      1.  
        Creating authorization tokens
      2.  
        Deleting authorization tokens
      3.  
        Viewing authorization token details
      4.  
        About expired authorization tokens and cleanup
    6. About revoking host ID-based certificates
      1.  
        Removing trust between a host and a master server
      2.  
        Revoking a host ID-based certificate
    7. Security certificate deployment in a clustered NetBackup setup
      1. About deployment of a host ID-based certificate on a clustered NetBackup host
        1.  
          Host ID-based certificate deployment on the active master server node
        2.  
          Host ID-based certificate deployment on inactive master server nodes
        3.  
          Host ID-based certificate deployment on active or inactive media server nodes (upgrade only)
      2.  
        Deploying a host ID-based certificates on inactive master server nodes
      3.  
        Deploying a host ID-based certificate on a clustered NetBackup media server (upgrade only)
      4.  
        Renewing a host ID-based certificate on a clustered NetBackup host
      5. About deploying a new host ID-based certificate
        1.  
          Revoking a host ID-based certificate from a clustered NetBackup host
        2.  
          Creating a reissue token for a clustered NetBackup setup
        3.  
          Deploying a new host ID-based certificate on a clustered NetBackup setup
      6.  
        Viewing certificate details for a clustered NetBackup setup
      7.  
        Removing CA certificates from a clustered NetBackup setup
  8. Data at rest encryption security
    1.  
      Data at rest encryption terminology
    2.  
      Data at rest encryption considerations
    3.  
      Encryption security questions to consider
    4.  
      Comparison of encryption options
    5. About NetBackup client encryption
      1.  
        Installation prerequisites for encryption security
      2. About running an encryption backup
        1.  
          About choosing encryption for a backup
        2.  
          Standard encryption backup process
        3.  
          Legacy encryption backup process
      3.  
        NetBackup standard encryption restore process
      4.  
        NetBackup legacy encryption restore process
    6. Configuring standard encryption on clients
      1.  
        Managing standard encryption configuration options
      2.  
        Managing the NetBackup encryption key file
      3. About configuring standard encryption from the server
        1.  
          About creating encryption key files on the clients
        2.  
          Creating the key files
        3.  
          Best practices for key file restoration
        4.  
          Manual retention to protect key file pass phrases
        5.  
          Automatic backup of the key file
      4.  
        Restoring an encrypted backup file to another client
      5.  
        About configuring standard encryption directly on clients
      6.  
        Setting standard encryption attribute in policies
      7.  
        Changing the client encryption settings from the NetBackup server
    7. Configuring legacy encryption on clients
      1. About configuring legacy encryption from the client
        1.  
          Managing legacy encryption key files
      2. About configuring legacy encryption from the server
        1.  
          About pushing the legacy encryption configuration to clients
        2.  
          About pushing the legacy encryption pass phrases to clients
      3.  
        Restoring a legacy encrypted backup created on another client
      4.  
        About setting legacy encryption attribute in policies
      5.  
        Changing client legacy encryption settings from the server
      6. Additional legacy key file security for UNIX clients
        1.  
          Running the bpcd -keyfile command
        2.  
          Terminating bpcd on UNIX clients
    8.  
      Media server encryption
  9. Data at rest key management
    1.  
      Federal Information Processing Standards (FIPS)
    2.  
      About FIPS enabled KMS
    3. About the Key Management Service (KMS)
      1.  
        KMS considerations
      2.  
        KMS principles of operation
      3.  
        About writing an encrypted tape
      4.  
        About reading an encrypted tape
      5.  
        KMS terminology
    4. Installing KMS
      1.  
        Using KMS with NBAC
      2.  
        About installing KMS with HA clustering
      3.  
        Enabling cluster use with the KMS service
      4.  
        Enabling the monitoring of the KMS service
      5.  
        Disabling the monitoring of the KMS service
      6.  
        Removing the KMS service from monitored list
    5. Configuring KMS
      1.  
        Creating the key database
      2. About key groups and key records
        1.  
          About creating key groups
        2.  
          About creating key records
      3. Overview of key record states
        1.  
          Key record state considerations
        2.  
          Prelive key record state
        3.  
          Active key record state
        4.  
          Inactive key record state
        5.  
          Deprecated key record state
        6.  
          Terminated key record state
      4.  
        About backing up the KMS database files
      5.  
        About recovering KMS by restoring all data files
      6.  
        Recovering KMS by restoring only the KMS data file
      7.  
        Recovering KMS by regenerating the data encryption key
      8.  
        Problems backing up the KMS data files
      9.  
        Solutions for backing up the KMS data files
      10.  
        Creating a key record
      11.  
        Listing keys from a key group
      12. Configuring NetBackup to work with KMS
        1.  
          NetBackup and key records from KMS
        2.  
          Example of setting up NetBackup to use tape encryption
    6. About using KMS for encryption
      1.  
        Example of running an encrypted tape backup
      2.  
        Example of verifying an encryption backup
      3.  
        About importing KMS encrypted images
    7. KMS database constituents
      1.  
        Creating an empty KMS database
      2.  
        Importance of the KPK ID and HMK ID
      3.  
        About periodically updating the HMK and KPK
      4.  
        Backing up the KMS keystore and administrator keys
    8. Command line interface (CLI) commands
      1.  
        CLI usage help
      2.  
        Create a new key group
      3.  
        Create a new key
      4.  
        Modify key group attributes
      5.  
        Modify key attributes
      6.  
        Get details of key groups
      7.  
        Get details of keys
      8.  
        Delete a key group
      9.  
        Delete a key
      10.  
        Recover a key
      11. About exporting and importing keys from the KMS database
        1. Exporting keys
          1.  
            Troubleshooting common errors during an export
        2. Importing keys
          1.  
            Troubleshooting common errors during an import
      12.  
        Modify host master key (HMK)
      13.  
        Get host master key (HMK) ID
      14.  
        Get key protection key (KPK) ID
      15.  
        Modify key protection key (KPK)
      16.  
        Get keystore statistics
      17.  
        Quiesce KMS database
      18.  
        Unquiesce KMS database
      19.  
        Key creation options
    9. Troubleshooting KMS
      1.  
        Solution for backups not encrypting
      2.  
        Solution for restores that do not decrypt
      3.  
        Troubleshooting example - backup with no active key record
      4.  
        Troubleshooting example - restore with an improper key record state

UNIX master server verification

Use the following procedures to verify the UNIX master server:

  • Verify UNIX master server settings.

  • Verify which computers are permitted to perform authorization lookups.

  • Verify that the database is configured correctly.

  • Verify that the nbatd and nbazd processes are running.

  • Verify that the host properties are configured correctly.

The following table describes the verification process for the UNIX master server.

Table: Verification process for the UNIX master server

Process

Description

Verify UNIX master server settings

Determine in what domain a host is registered (where the primary authentication broker resides), and determine the name of the computer the certificate represents. Run bpnbat with -whoami with -cf for the master server's credential file. The server credentials are located in the /usr/openv/var/vxss/credentials/ directory.

For example:

    bpnbat -whoami -cf 
    /usr/openv/var/vxss/credentials/unix_master.company.com
    Name: unix_master.company.com
    Domain: NBU_Machines@unix_master.company.com
    Issued by: /CN=broker/OU=root@unix_master/O=vx
    Expiry Date: Oct 31 15:44:30 2007 GMT
    Authentication method: Veritas Private Security
    Operation completed successfully.

If the domain listed is not NBU_Machines@unix_master.company.com, or the file does not exist, consider running bpnbat -addmachine for the name in question (unix_master). Run this command on the computer that serves the NBU_Machines domain (unix_master).

Then, on the computer where we want to place the certificate (unix_master), run: bpnbat -loginmachine

Note:

When determining if a credential has expired, remember that the output displays the expiration time in GMT, not local time.

Note:

For the remaining procedures in this verification topic, assume that the commands are performed from a console window. The window in which the user identity is in question has run bpnbat -login using an identity that is a member of NBU_Security Admin. This identity is usually the first identity with which the security was set up.

Verify which computers are present in the authentication broker

To verify which computers are present in the authentication broker, log on as a member of the Administrators group and run the following command:

bpnbat -ShowMachines

The following command shows which computers you have run:

bpnbat -AddMachine

Verify which computers are permitted to perform authorization lookups

To verify which computers can perform authorization lookups, log on as root on the authorization broker and run the following command:

    bpnbaz -ShowAuthorizers
    ==========
    Type: User
    Domain Type: vx
    Domain:NBU_Machines@unix_master.company.com
    Name: unix_master.company.com

    ==========
    Type: User
    Domain Type: vx
    Domain:NBU_Machines@unix_master.company.com
    Name: unix_media.company.com

    Operation completed successfully.

This command shows that unix_master and unix_media are permitted to perform authorization lookups. Note that both servers are authenticated against the same vx (Veritas Private Domain) Domain, NBU_Machines@unix_master.company.com.

If a master server or media server is not part of the list of authorized computers, run bpnbaz -allowauthorization <server_name> to add the missing computer.

Verify that the database is configured correctly

To make sure that the database is configured correctly, run bpnbaz -listgroups:

    bpnbaz -listgroups
    NBU_Operator
    NBU_Admin
    NBU_SAN Admin
    NBU_User
    NBU_Security Admin
    Vault_Operator
    Operation completed successfully.

If the groups do not appear, or if bpnbaz -listmainobjects does not return data, run bpnbaz -SetupSecurity.

Verify that the nbatd and nbazd processes are running

Run the ps command to ensure that the nbatd and nbazd processes are running on the designated host. If necessary, start them.

For example:

    ps -fed |grep vx
    root 10716  1  0   Dec 14 ?  0:02 /usr/openv/netbackup/bin/private/nbatd
    root 10721  1  0   Dec 14 ?  4:17 /usr/openv/netbackup/bin/private/nbazd

Verify that the host properties are configured correctly

In the Access Control host properties, verify that the NetBackup Authentication and Authorization property is set correctly. (The setting should be either Automatic or Required, depending on whether all of the computers use NetBackup Authentication and Authorization or not. If all computers do not use NetBackup Authentication and Authorization, set it to Automatic.

In the Access Control host properties, verify that the authentication domains on the list are spelled correctly. Also make sure that they point to the proper servers (valid authentication brokers). If all domains are UNIX-based, they should point to a UNIX machine that is running the authentication broker.

This process can also be verified in bp.conf using cat.

    cat bp.conf
    SERVER = unix_master
    SERVER = unix_media
    CLIENT_NAME = unix_master
    AUTHENTICATION_DOMAIN = company.com "default company 
     NIS namespace" 
    NIS unix_master 0
    AUTHENTICATION_DOMAIN = unix_master "unix_master password file" 
    PASSWD unix_master 0
    AUTHORIZATION_SERVICE = unix_master.company.com 0
    USE_VXSS = AUTOMATIC
    #