Veritas NetBackup™ Flex Scale Administrator's Guide
- Product overview
- Viewing information about the NetBackup Flex Scale cluster environment
- NetBackup Flex Scale infrastructure management
- User management
- About Universal Shares
- Node and disk management
- License management
- User management
- NetBackup Flex Scale network management
- Bonding operations
- Data network configurations
- NetBackup Flex Scale infrastructure monitoring
- Resiliency in NetBackup Flex Scale
- EMS server configuration
- Site-based disaster recovery in NetBackup Flex Scale
- Performing disaster recovery using RESTful APIs
- NetBackup Flex Scale security
- Troubleshooting
- Collecting logs for cluster nodes
- Troubleshooting NetBackup Flex Scale issues
- Appendix A. Configuring NetBackup optimized duplication
- Appendix B. Disaster recovery terminologies
- Appendix C. Configuring Auto Image Replication
Deploying external certificates on NetBackup Flex Scale
Starting from this release, you can generate and use external certificates instead of internal certificates. External Certificate Authority (ECA) certificates are the digital credentials that attest to the certificate owner's identity and affiliation. Once you deploy the external certificates, all the NetBackup Flex Scale components use them. These include the NetBackup primary server, media server, storage engine, management gateway, and the NetBackup Flex Scale web services. One certificate is deployed for all the components. The external certificates also deploy a certificate bundle and (optionally) certificate revocation list. To generate an external certificate, you have to create a certificate request with proper 'Subject Distinguished Name' and 'Subject Alternative Names.' You can generate a certificate request using the GUI. The necessary FQDNs are auto-populated to generate the correct request. You can add additional information as needed. Based on the certificate request, you can create an external certificate. When deploying external certificate for the first time, you have to provide a CA certificate bundle. This is used to validate the incoming and deployed external certificate. You can also optionally provide a certification revocation list. NetBackup components use the CRL.
Some important terminologies:
A certificate authority, also known as a certification authority, is a trusted organization that verifies websites (and other entities) so that you know who you are communicating with online. Their objective is to make the internet a more secure place for both organizations and users. Becoming a Certificate Authority (CA) means that you (or your customers) oversee the issuing process of cryptographic pairs of private keys and public certificates.
Certificate bundle (CA bundle) is a file that contains root and intermediate certificates. The end-entity certificate along with a CA bundle constitutes the certificate chain.
Certificate Revocation List (CRL) is a list of digital certificates that have been revoked by the issuing Certificate Authority (CA) before their scheduled expiration date and should no longer be trusted. CRL is optional. It may be provided as a file or embedded in certificate as a URL.
Subject Alternative Name: This field lets you specify additional host names (such as sites, IP addresses, common names) to be protected by a single SSL certificate. They are added to generate certificates for new nodes or additional VLAN IPs to be added in the future.
Considerations while deploying ECA:
All certificates for communication should be obtained from a common trusted CA. Auto Image Replication (AIR) between MDSPs that uses different external CAs is not supported but you can concatenate the individual root CA certificates into one file and upload them as a CA bundle.
After ECA is deployed on the cluster, you can renew or update the ECA.
It is recommended to pause backup/restore operations before starting ECA deployment/renewal.
The CA bundle and CRL file independent of other security artifacts.
When you deploy security artifacts, they are validated and if inconsistencies are found, you are notified, and deployment does not proceed. If you provide an external certificate and CA certificate bundle, the EC certificate is validated against the user provided CA certificate bundle. If only one of the items is provided, it is validated against deployed artifacts.
Only NetBackup Certificate Authority (NBCA) + ECA deployment is supported in this release.
You cannot revert to NBCA deployment once NBCA + ECA deployment is done.
NBCA renewal has to be run manually from the management node after NBCA is revoked.
NBCA is auto renewed 60 days before expiration. You are notified 60 days before the expiration of the ECA certificates. An alert appears on the appliance GUI and an email is also sent. If NBCA renewal fails, user is notified and AutoSupport alert is raised.
You can deploy external certificate only if all NetBackup Flex Scale components are up and running. These include NetBackup primary and media services, storage engines, management gateway, and NetBackup Flex Scale management web services.
You cannot deploy security artifacts, if upgrade, add node or VLAN operation is in progress and vice versa.
If the ECA's subject alternative names have information on new nodes (FQDNs) to be added, add node operation succeeds seamlessly and all services come up after the add node operation. If subject alternative names are not updated, add node operation fails.
For Nutanix, HBase workloads using SSL certificates, append the respective SSL certificates to the CA bundle after ECA certificates are renewed. If you do not append the SSL certificates to the CA bundle during ECA renewal, backup and restore operations for the workloads may fail.