NetBackup and Veritas Appliances Hardening Guide
- Top recommendations to improve your NetBackup and Veritas appliances security posture
- Steps to protect Flex Appliance
- Managing single sign-on (SSO)
- About lockdown mode
- Configuring an isolated recovery environment on a WORM storage server
- Steps to protect NetBackup Appliance
- About single sign-on (SSO) authentication and authorization
- About authentication using smart cards and digital certificates
- About data encryption
- About forwarding logs to an external server
- Steps to protect NetBackup
- Configure NetBackup for single sign-on (SSO)
- Configure user authentication with smart cards or digital certificates
- Access codes
- Workflow to configure immutable and indelible data
- Add a configuration for an external CMS server
- Configuring an isolated recovery environment on a NetBackup BYO media server
- About FIPS support in NetBackup
- Workflow for external KMS configuration
- Workflow to configure data-in-transit encryption
- Workflow to use external certificates for NetBackup host communication
- About certificate revocation lists for external CA
- Configuring an external certificate for a clustered primary server
- Configuring a NetBackup host (media server, client, or cluster node) to use an external CA-signed certificate after installation
- Configuration options for external CA-signed certificates
- ECA_CERT_PATH for NetBackup servers and clients
- About protecting the MSDP catalog
- How to set up malware scanning
- About backup anomaly detection
Configure the SAML KeyStore
To establish a trust between the NetBackup primary server and the IDP server, you must configure an SAML KeyStore on the NetBackup primary server. Depending on whether you are using the NetBackup CA or an external certificate authority (ECA), refer to either of the following sections:
Note:
If you are using a combination of an ECA and NetBackup CA in your environment, by default, the ECA is considered while establishing trust with the IDP server.
Note:
The SAML KeyStore configuration using batch files, such as configureCerts.bat, configureCerts, configureSAMLECACert.bat, configureSAMLECACertand their corresponding options is deprecated.
If you are using the NetBackup CA, create the NetBackup CA KeyStore on the NetBackup primary server.
To create a NetBackup CA KeyStore
- Log on to the NetBackup primary server as root or administrator.
- Run the following command:
nbidpcmd -cCert -M master_server -f
-f is optional. Use the option for the forceful update.
Once the NetBackup CA KeyStore is created, ensure that you update the NetBackup CA KeyStore every time the NetBackup CA certificate is renewed.
To renew the NetBackup CA KeyStore
- Log on to the NetBackup primary server as root or administrator.
- Run the following command:
nbidpcmd -rCert -M master_server
- Download the new SP metadata XML file from the NetBackup primary server by entering the following URL in your browser:
https://primaryserver/netbackup/sso/saml2/metadata
Where primaryserver is the IP address or host name of the NetBackup primary server.
- Upload the new SP metadata XML file to the IDP.
To remove the NetBackup CA KeyStore
- Log on to the NetBackup primary server as root or administrator.
- Run the following command
nbidpcmd -dCert -M master_server
- Download the new SP metadata XML file from the NetBackup primary server by entering the following URL in your browser:
https://primaryserver/netbackup/sso/saml2/metadata
Where primaryserver is the IP address or host name of the NetBackup primary server.
- Upload the new SP metadata XML file to the IDP.
- See Enroll the NetBackup primary server with the IDP.
If you are using an ECA, import the ECA KeyStore to the NetBackup primary server.
Note:
If you are using a combination of an ECA and the NetBackup CA in your environment, by default, the ECA is considered while establishing trust with the IDP server. To use the NetBackup CA, you must first remove the ECA KeyStore.
To configure an ECA KeyStore
- Log on to the primary server as root or administrator.
- Depending on whether you want to configure SAML ECA keystore using the configured NetBackup ECA KeyStore or you want to provide the ECA certificate chain and private key, run the following commands:
Run the following command to use NetBackup ECA configured KeyStore:
nbidpcmd -cECACert -uECA existing ECA configuration [-f] [-M primary_server]
Run the following command to use ECA certificate chain and private key provided by the user:
nbidpcmd -cECACert -certPEM certificate chain file -privKeyPath private key file [-ksPassPath Keystore Passkey File] [-f] [-M <master_server>]
Certificate chain file specifies the certificate chain file path. The file must be in PEM format and must be accessible to the primary server on which the configuration is being performed.
Private key file specifies the private key file path. The file must be in PEM format and must be accessible to the primary server on which the configuration is being performed.
KeyStore passkey file specifies the KeyStore password file path and must be accessible to the primary server on which the configuration is being performed.
Primary server is the host name or IP address of primary server on which you want to perform SAML ECA KeyStore configuration. The NetBackup primary server where you run the command is selected by default.
To remove the ECA KeyStore
- Log on to the primary server as root or administrator.
- Download the new SP metadata XML file from the NetBackup primary server by entering the following URL in your browser:
https://primaryserver/netbackup/sso/saml2/metadata
Where primaryserver is the IP address or host name of the NetBackup primary server.
- Upload the new SP metadata XML file to the IDP.