NetBackup and Veritas Appliances Hardening Guide
- Top recommendations to improve your NetBackup and Veritas appliances security posture
- Steps to protect Flex Appliance
- Managing single sign-on (SSO)
- About lockdown mode
- Configuring an isolated recovery environment on a WORM storage server
- Steps to protect NetBackup Appliance
- About single sign-on (SSO) authentication and authorization
- About authentication using smart cards and digital certificates
- About data encryption
- About forwarding logs to an external server
- Steps to protect NetBackup
- Configure NetBackup for single sign-on (SSO)
- Configure user authentication with smart cards or digital certificates
- Access codes
- Workflow to configure immutable and indelible data
- Add a configuration for an external CMS server
- Configuring an isolated recovery environment on a NetBackup BYO media server
- About FIPS support in NetBackup
- Workflow for external KMS configuration
- Workflow to configure data-in-transit encryption
- Workflow to use external certificates for NetBackup host communication
- About certificate revocation lists for external CA
- Configuring an external certificate for a clustered primary server
- Configuring a NetBackup host (media server, client, or cluster node) to use an external CA-signed certificate after installation
- Configuration options for external CA-signed certificates
- ECA_CERT_PATH for NetBackup servers and clients
- About protecting the MSDP catalog
- How to set up malware scanning
- About backup anomaly detection
Specifying Windows certificate store for ECA_CERT_PATH
NetBackup selects a certificate from any of the local machine certificate stores on a Windows host.
In case of Windows certificate store, ECA_CERT_PATH is a list of comma-separated clauses.
Each clause is of the form Store name\Issuer\Subject. Each clause element contains a query.
$hostname is a keyword that is replaced with the fully qualified domain name of the host. Use double quotes when a \ is present in the actual path. For example, MY\Veritas\"NetBackup\$hostname".
$shorthostname is a keyword that is replaced with the short name of the host. Use double quotes when a \ is present in the actual path. For example, MY\Veritas\"NetBackup\$shorthostname".
The 'Store name' should be the exact name of the store where the certificate resides. For example: 'MY'
The 'Issuer' is optional. If this is provided, NetBackup picks the certificates for which the Issuer DN contains the provided substring.
The 'Subject' is mandatory. NetBackup picks the certificate for which the Subject DN contains the provided substring.
You must ensure to:
Add the root certificate to Trusted Root Certification Authorities or Third-Party Root Certification Authorities in the Windows certificate store.
If you have any intermediate CAs, add their certificates to the Intermediate Certification Authorities in the Windows certificate store.
My\Veritas\$hostname, My\ExampleCompany\$hostname
Where (certificate store is MY, Issuer DN contains Veritas, Subject DN contains $hostname) OR (certificate store name is MY, Issuer DN contains ExampleCompany, Subject DN contains $hostname)
MY\Veritas\"NetBackup\$hostname"
Where certificate store name is MY, Issuer DN contains Veritas, Subject DN contains NetBackup\$hostname
MY\\$hostname
Where certificate store name is MY, any Issuer DN, Subject DN contains $hostname
MY\\$shorthostname
Where certificate store name is MY, any Issuer DN, Subject DN contains $shorthostname
MY\Veritas\NetBackup $hostname
Where certificate store name is MY, Issuer DN contains Veritas, Subject DN contains NetBackup $hostname
If you provide a space between words, it is considered as a valid character.
MY\\
The Subject DN should have some value.
My\$hostname
The Subject DN should have some value.
\\$hostname
The certificate store name should have exact value of the store in which the certificate resides.
MY\CN=Veritas\CN=$hostname
The Subject DN and issuer DN cannot contain =, and also specific tags like CN=.