NetBackup and Veritas Appliances Hardening Guide
- Top recommendations to improve your NetBackup and Veritas appliances security posture
- Steps to protect Flex Appliance
- Managing single sign-on (SSO)
- About lockdown mode
- Configuring an isolated recovery environment on a WORM storage server
- Steps to protect NetBackup Appliance
- About single sign-on (SSO) authentication and authorization
- About authentication using smart cards and digital certificates
- About data encryption
- About forwarding logs to an external server
- Steps to protect NetBackup
- Configure NetBackup for single sign-on (SSO)
- Configure user authentication with smart cards or digital certificates
- Access codes
- Workflow to configure immutable and indelible data
- Add a configuration for an external CMS server
- Configuring an isolated recovery environment on a NetBackup BYO media server
- About FIPS support in NetBackup
- Workflow for external KMS configuration
- Workflow to configure data-in-transit encryption
- Workflow to use external certificates for NetBackup host communication
- About certificate revocation lists for external CA
- Configuring an external certificate for a clustered primary server
- Configuring a NetBackup host (media server, client, or cluster node) to use an external CA-signed certificate after installation
- Configuration options for external CA-signed certificates
- ECA_CERT_PATH for NetBackup servers and clients
- About protecting the MSDP catalog
- How to set up malware scanning
- About backup anomaly detection
Import
In the import workflow, backup image is read from the storage unit and the NetBackup catalog is created. Therefore, a client does not come into picture. The hosts that participate are the media server and the primary server from the same domain.
Note:
If you want to retain the DTE controls based on the image, you must upgrade the media servers that are to be used for the import operations to NetBackup 10.0 before you perform the import operation.
The following table is applicable for all import workflows such as phase-1 import, phase-2 import and Storage Lifecycle Policy (SLP) import.
Table: DTE mode is OFF in the image
Global DTE mode | Media server 9.1 or later with DTE mode | Media server earlier than 9.1 | |
---|---|---|---|
On | Off | ||
Preferred Off | Data is not encrypted | Data is not encrypted | Data is not encrypted |
Preferred On | Data is encrypted | Data is not encrypted | Data is not encrypted |
Enforced | Data is encrypted | Operation fails | Operation fails |
Table: When the image DTE mode is On and the media server DTE setting is On
Global DTE mode | Host | Value of the DTE_IGNORE_IMAGE_MODE configuration option | ||
---|---|---|---|---|
NEVER (default) | WHERE_UNSUPPORTED | ALWAYS | ||
Preferred Off | NetBackup media server 9.1 and later | Data is encrypted | Data is encrypted | Data is not encrypted |
NetBackup media server earlier than 9.1 | Data is not encrypted | Data is not encrypted | Data is not encrypted | |
Preferred On | NetBackup media server 9.1 and later | Data is encrypted | Data is encrypted | Data is encrypted |
NetBackup media server earlier than 9.1 | Data is not encrypted | Data is not encrypted | Data is not encrypted | |
Enforced | NetBackup media server 9.1 and later | Data is encrypted | Data is encrypted | Data is encrypted |
NetBackup media server earlier than 9.1 | Operation fails | Operation fails | Operation fails |
Note:
For phase-1 import, you need to set DTE_IGNORE_IMAGE_MODE on the media server to ignore the DTE mode of the image for 9.1 and later media servers.
For phase-1 import scenario, NetBackup media server earlier than 9.1 is not aware of the DTE mode in the image. If the image was created with the DTE mode set to On, for phase-1 import, the job does not fail for media servers with version earlier than 9.1 and the image DTE mode is set to Off in the catalog.
Note:
When DTE_IGNORE_IMAGE_MODE is set to ALWAYS, DTE decision is as per Table: DTE mode is OFF in the image.
Table: When the image DTE mode is On and the media server DTE setting on 10.0 or later is Off
Global DTE mode | Value of the DTE_IGNORE_IMAGE_MODE configuration option | ||
---|---|---|---|
NEVER (default) | WHERE_UNSUPPORTED | ALWAYS | |
Preferred Off | Operation fails | Operation fails | Data is not encrypted |
Preferred On | Operation fails | Operation fails | Data is not encrypted |
Enforced | Operation fails | Operation fails | Operation fails |
Note:
If DTE_IGNORE_IMAGE_MODE is set to ALWAYS, the DTE decision is as per the table - Table: DTE mode is OFF in the image.
In this case, the image is already replicated in the target disk pool and now the intention is to create a catalog out of that image through SLP import policy. As this operation happens in the target domain and no cross-domain operation happens, the target DTE global setting comes into the picture.
If the replicated image has the DTE mode On, then irrespective of other DTE configurations, the import operation is carried out with DTE mode On.
If the replicated image has the DTE mode Off, the DTE mode is derived based on the target domain global DTE setting and import is carried out based on the derived DTE mode.
Review the following MSDP limitations that need to be considered for this workflow:
If the MSDP storage server has multiple load balancing media servers attached to it and if the selected media server is 10.0.0.1 or later, the storage server must be 10.0.0.1 or later. Else, backup job fails. You must upgrade the 10.0 storage server to 10.0.0.1.
If the load balancing media server is 10.0 or earlier, the data may be transferred in plain text and job is always successful, even if DTE was to be honored.
Ideally, you must have load balancing media servers and storage servers with 10.0.0.1 or later when DTE is enabled.
In case of mixed environment, where either storage server or even one of the load balancing media servers is of version earlier than 10.0, the following configuration is required in order to honor end-to-end encryption:
DTE should be enabled from NetBackup side based on the DTE configuration settings - global / media server / client DTE mode
Encryption should be enabled from MSDP side using the ENCRYPTION flag in pd.conf
Refer to the NetBackup Deduplication Guide for details on enabling encryption using MSDP.
Note:
If you set DTE On for NetBackup, but the ENCRYPTION flag in pd.conf is not enabled, the data path from the load balancing media server to the storage server is not encrypted. However, the job DTE mode and the image DTE mode may be On.
If DTE is enabled at the NetBackup side and encryption is enabled from MSDP side (ENCRYPTION flag in pd.conf), MSDP encryption takes the precedence over NetBackup DTE. It results in data-at-rest encryption and not data-in-transit encryption.