NetBackup™ Commands Reference Guide
 
Name
nbkmsutil — run the NetBackup Key Management Service utility
SYNOPSIS
nbkmsutil [-createkey] [-createkg] [-deletekey] [-deletekg] [-export] [-gethmkid] [-getkpkid] [-import] [-ksstats] [-listkeys] [-listkgs] [-modifyhmk] [-modifykey] [-modifykg] [-modifykpk] [-quiescedb] [-recoverkey] [-unquiescedb]
nbkmsutil -createkey [ -nopphrase ] -kgname key_group_name -keyname key_name [ -activate ] [ -desc description ]
nbkmsutil -createkg -kgname key_group_name [ -cipher type ] [ -desc description ]
nbkmsutil -deletekey -keyname key_name -kgname key_group_name
nbkmsutil -deletekg -kgname key_group_name
nbkmsutil -export -path secure_key_container [-key_groups key_group_name_1 ... | -key_file key_file_name]
nbkmsutil -gethmkid
nbkmsutil -getkpkid
nbkmsutil -import -path secure_key_container [-preserve_kgname] [-desc description] [-preview]
nbkmsutil -ksstats [-noverbose]
nbkmsutil -listkeys -kgname key_group_name [ -keyname key_name | -activekey ] [ -verbose ]
nbkmsutil -listkgs [ -kgname key_group_name | -cipher type | -emptykgs | -noactive ] [ -verbose ]
nbkmsutil -modifyhmk [ -nopphrase ]
nbkmsutil -modifykey -keyname key_name -kgname key_group_name [ -state new_state | -activate ] [ -name new_keyname ] [ -desc new_description ]
nbkmsutil -modifykg -kgname key_group_name [ -name new_key_group_name ] [ -desc new_description ]
nbkmsutil -modifykpk [ -nopphrase ]
nbkmsutil -quiescedb
nbkmsutil -recoverkey -keyname key_name -kgname key_group_name -tag key_tag [-desc description]
nbkmsutil -unquiescedb
  
On UNIX systems, the directory path to this command is /usr/openv/netbackup/bin/admincmd/ 
On Windows systems, the directory path to this command is install_path\NetBackup\bin\admincmd\ 
DESCRIPTION
The nbkmsutil command performs the following operations:
| Operation | Description |
| --- | --- |
| -createkey | Create a new key. The default state of the new key is Prelive. This command requires a bpnbat -login -loginType WEB logon. When multiperson authorization is enabled for the key management operation, a ticket is generated; when the ticket is approved, the key is created. For versions of NetBackup earlier than 10.5, when multiperson authorization is enabled, you cannot perform this operation with this command. |
| -createkg | Create a new key group. The default cipher of the new key group is AES_256. This command requires a bpnbat -login -loginType WEB logon. When multiperson authorization is enabled for the key management operation, a ticket is generated; when the ticket is approved, the key group is created. For versions of NetBackup earlier than 10.5, when multiperson authorization is enabled, you cannot perform this operation with this command. |
| -deletekey | Delete a key. Only keys in Prelive and Terminated states can be deleted. This command requires a bpnbat -login -loginType WEB logon. When multiperson authorization is enabled for the key management operation, a ticket is generated; when the ticket is approved, the key is deleted. For versions of NetBackup earlier than 11.0, when multiperson authorization is enabled, you cannot perform this operation with this command. |
| -deletekg | Delete an empty key group. This command requires a bpnbat -login -loginType WEB logon. When multiperson authorization is enabled for the key management operation, a ticket is generated; when the ticket is approved, the key group is deleted. For versions of NetBackup earlier than 10.5, when multiperson authorization is enabled, you cannot perform this operation with this command. To force the deletion of a key group that is not empty, use the -force option: # nbkmsutil -deletekg -kgname key_group_name -force |
| -export | Exports keys and key groups across domains. This command requires a bpnbat -login -loginType WEB logon. When multiperson authorization is enabled for the key management operation, a ticket is generated; when the ticket is approved, the keys are exported. The -path option is not supported with multiperson authorization. You must go to the ticket details and copy and save the response to import the keys. For versions of NetBackup earlier than 10.5, when multiperson authorization is enabled, you cannot perform this operation with this command. |
| -gethmkid | Return the current HMK ID. | 
| -getkpkid | Returns the current KPK ID. | 
| -import | Imports keys and key groups across domains. This command requires a bpnbat -login -loginType WEB logon. When multiperson authorization is enabled for the key management operation, a ticket is generated; when the ticket is approved, the keys are imported. For versions of NetBackup earlier than 10.5, when multiperson authorization is enabled, you cannot perform this operation with this command. To preview the results of the import option, use -preview: # nbkmsutil -import -path secure_key_container -preview |
| -ksstats | Returns the keystore statistics. The statistics consist of the number of key groups, the total number of keys, and the outstanding quiesce calls. | 
| -listkeys | Get the details of keys. | 
| -listkgs | Get the details of the key groups. If no option is specified, retrieve the details of all the key groups. | 
| -modifyhmk | Modify the host master key (HMK). The HMK is used to encrypt the keystore. To modify the HMK, provide an optional seed (passphrase) and an HMK ID which can remind the user of the specified passphrase. The passphrase and the HMK ID are both read interactively. This command requires a bpnbat -login -loginType WEB logon. When multiperson authorization is enabled for the key management operation, a ticket is generated; when the ticket is approved, the HMK passphrase is updated. For versions of NetBackup earlier than 10.5, when multiperson authorization is enabled, you cannot perform this operation with this command. |
| -modifykey | Modify key attributes. This command requires a bpnbat -login -loginType WEB logon. When multiperson authorization is enabled for the key management operation, a ticket is generated; when the ticket is approved, the key is updated. For versions of NetBackup earlier than 10.5, when multiperson authorization is enabled, you cannot perform this operation with this command. |
| -modifykg | Modify key group attributes. This command requires a bpnbat -login -loginType WEB logon. When multiperson authorization is enabled for the key management operation, a ticket is generated; when the ticket is approved, the key group is updated. For versions of NetBackup earlier than 10.5, when multiperson authorization is enabled, you cannot perform this operation with this command. |
| -modifykpk | Modify the key protection key (KPK). The KPK is used to encrypt KMS keys. There is one KPK per keystore. To modify the KPK, provide an optional seed (passphrase) and a KPK ID which can remind the user of the specified passphrase. The passphrase and the KPK ID are both read interactively. This command requires a bpnbat -login -loginType WEB logon. When multiperson authorization is enabled for the key management operation, a ticket is generated; when the ticket is approved, the KPK passphrase is updated. For versions of NetBackup earlier than 10.5, when multiperson authorization is enabled, you cannot perform this operation with this command. |
| -quiescedb | Sends a quiesce request to KMS. If the command succeeds, the current outstanding quiesce count is returned (multiple backup jobs might quiesce the KMS DB to back it up). |
| -recoverkey | A restore could fail if a key used in encrypting the backup data is lost. Such keys can be recovered (re-created) with knowledge of the original key's attributes (tag and passphrase). This command requires a bpnbat -login -loginType WEB logon. When multiperson authorization is enabled for the key management operation, a ticket is generated; when the ticket is approved, the key is recovered. For versions of NetBackup earlier than 10.5, when multiperson authorization is enabled, you cannot perform this operation with this command. |
| -unquiescedb | Sends an unquiesce request to KMS. If the command succeeds, the current outstanding quiesce count is returned. A count of zero (0) means that the KMS database is completely unquiesced. | 
OPTIONS
- -activate
- Sets the state of the specified key to active. The default state is prelive. 
- -activekey
- Retrieves the details of a specific key group's active key. 
- -cipher
- The type of cipher that the key group supports. All keys that belong to a key group support the same cipher type. Supported cipher types are BLOW, AES_128, AES_192, and AES_256 (default cipher). 
- -emptykgs
- Retrieves the details of all the key groups with zero keys in them. 
- -keyname
- key_name specifies the name of a key. This name should be unique within a key group. The key group name and key name uniquely identify a key in the keystore. 
- -kgname
- key_group_name specifies the name of a key group. Within a keystore, the key group name uniquely identifies the key group. 
- -name
- Specifies the new name of the key group when used with -modifykg or the new name of the key when used with -modifykey. The new key group name must not conflict with other names in the keystore. 
- -noactive
- Retrieves the details of all the key groups in which there are no active keys. 
- -nopphrase
- Disables the utility function that prompts you for a pass phrase. Instead, the utility creates the key. The default condition is the use of the pass phrase to create a key with a seed. A lengthy seed and a strong seed result in a strong key. 
- -noverbose
- Disables verbosity. The default condition is verbosity, which prints the details in readable format. 
- -state
- new_state specifies the new state of the key. Possible states are Prelive, Active, Inactive, Deprecated, and Terminated. Key states can be changed only in the following ways:
  - Prelive to Active
  - Transition between Active and Inactive
  - Transition between Inactive and Deprecated
  - Transition between Deprecated and Terminated
- -tag
- key_tag specifies a random unique identifier that is created for the key record that the utility creates. The -listkeys option can display this tag. If you need to recover (re-create) the key record, you must use the original tag value, hence the -tag option for the -recoverkey operation.
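
The -state transition rules and the -deletekey restriction (only Prelive and Terminated keys can be deleted) together determine how many -modifykey steps a key needs before it can be removed. The following planner is an added example, not part of the NetBackup documentation or product; it reads "transition between" as allowed in both directions (an assumption), and the key and key group names are constructed.

```python
from collections import deque

# Transitions from this page's -state option. "Transition between X and Y" is
# read here as allowed in both directions (assumption); Prelive to Active is one-way.
ALLOWED = {
    "Prelive": ["Active"],
    "Active": ["Inactive"],
    "Inactive": ["Active", "Deprecated"],
    "Deprecated": ["Inactive", "Terminated"],
    "Terminated": ["Deprecated"],
}
# -deletekey: only keys in Prelive and Terminated states can be deleted.
DELETABLE = {"Prelive", "Terminated"}


def plan_states(current, target):
    """Return the shortest list of states to step through from current to target."""
    if current not in ALLOWED or target not in ALLOWED:
        raise ValueError(f"unknown key state: {current!r} -> {target!r}")
    queue, seen = deque([(current, [])]), {current}
    while queue:
        state, path = queue.popleft()
        if state == target:
            return path
        for nxt in ALLOWED[state]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [nxt]))
    raise ValueError(f"no allowed transition path from {current} to {target}")


def retire_commands(kgname, keyname, current):
    """Build the nbkmsutil argv lists that take a key to a deletable state and delete it."""
    steps = [] if current in DELETABLE else plan_states(current, "Terminated")
    ident = ["-keyname", keyname, "-kgname", kgname]
    cmds = [["nbkmsutil", "-modifykey", *ident, "-state", s] for s in steps]
    cmds.append(["nbkmsutil", "-deletekey", *ident])
    return cmds


if __name__ == "__main__":
    # Constructed sample: key "key_2019" in key group "kg_tape" is currently Active.
    for argv in retire_commands("kg_tape", "key_2019", "Active"):
        print(" ".join(argv))
```

A deleted key can be re-created only with -recoverkey from its original tag and passphrase, so record the tag that -listkeys displays before running the final command.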