NetBackup and Veritas Appliances Hardening Guide
- Top recommendations to improve your NetBackup and Veritas appliances security posture
- Steps to protect Flex Appliance
- Managing single sign-on (SSO)
- About lockdown mode
- Configuring an isolated recovery environment on a WORM storage server
- Steps to protect NetBackup Appliance
- About single sign-on (SSO) authentication and authorization
- About authentication using smart cards and digital certificates
- About data encryption
- About forwarding logs to an external server
- Steps to protect NetBackup
- Configure NetBackup for single sign-on (SSO)
- Configure user authentication with smart cards or digital certificates
- Access codes
- Workflow to configure immutable and indelible data
- Add a configuration for an external CMS server
- Configuring an isolated recovery environment on a NetBackup BYO media server
- About FIPS support in NetBackup
- Workflow for external KMS configuration
- Workflow to configure data-in-transit encryption
- Workflow to use external certificates for NetBackup host communication
- About certificate revocation lists for external CA
- Configuring an external certificate for a clustered primary server
- Configuring a NetBackup host (media server, client, or cluster node) to use an external CA-signed certificate after installation
- Configuration options for external CA-signed certificates
- ECA_CERT_PATH for NetBackup servers and clients
- About protecting the MSDP catalog
- How to set up malware scanning
- About backup anomaly detection
Installing KMS
The following procedure describes how to install KMS.
Note:
For more information about configuring KMS in a Cloud storage environment refer to the NetBackup Cloud Administrator's Guide.
The KMS service is called nbkms.
The service does not run until the data file has been set up, which minimizes the effect on environments not using KMS.
To install KMS
- Run the nbkms -createemptydb command.
- Enter a pass phrase for the host master key (HMK). You can also press Enter to create a randomly generated key.
- Enter an ID for the HMK. This ID can be anything descriptive that you want to use to identify the HMK.
- Enter a pass phrase for the key protection key (KPK).
- Enter an ID for the KPK. The ID can be anything descriptive that you want to use to identify the KPK.
The KMS service starts when after you enter the ID and press Enter.
- Start the KMS service as follows:
On UNIX, run the following command:
/usr/openv/netbackup/bin/nbkms
On Windows, do the following:
Start > Run > Services.msc > Start the NetBackup Key Management Service
- Use the grep command to ensure that the service has started, as follows: ps -ef | grep nbkms
- Run the following command to register the nbkms service with NetBackup web services:
nbkmscmd -discovernbkms
- Create the key group. The key group name must be an identical match to the volume pool name. All key group names must have a prefix ENCR_.
Note:
When using key management with Cloud storage and PureDisk, the ENCR_ prefix is not required for the key group name.
To create a (non-Cloud storage) key group use the following command syntax. nbkmsutil -createkg -kgname ENCR_volumepoolname
The ENCR_ prefix is essential. When BPTM receives a volume pool request that includes the ENCR_ prefix, it provides that volume pool name to KMS. KMS identifies it as an exact match of the volume pool and then picks the active key record for backups out of that group.
To create a Cloud storage key group use the following command syntax.
nbkmsutil -createkg -kgname storage_server_name:volume_name
- Create a key record by using the -createkey option.
nbkmsutil -createkey -kgname ENCR_volumepool -keyname keyname -activate -desc "message"
The key name and message are optional; they can help you identify this key when you display the key.
The -activate option skips the prelive state and creates this key as active.
- Provide the pass phrase again when the script prompts you.
In the following example the key group is called ENCR_pool1 and the key name is Q1_2008_key. The description explains that this key is for the months January, February, and March.
nbkmsutil -createkey -kgname ENCR_pool1 -keyname Q1_2008_key -activate -desc "key for Jan, Feb, & Mar"
- You can create another key record using the same command; a different key name and description help you distinguish they key records: nbkmsutil -createkey -kgname ENCR_pool1 -keyname Q2_2008_key -activate -desc "key for Apr, May, & Jun"
Note:
If you create more than one key record by using the command nbkmsutil -kgname name -activate, only the last key remains active.
- To list all of the keys that belong to a key group name, use the following command:
nbkmsutil -listkeys -kgname keyname
Note:
You need the passphrase, salt (if applicable), key group name, and key tag to recover this key if it is lost. You must store all this information at a secure place. Salt, key group name, and key tag can be found in the output of the nbkmsutil -listkeys command execution.
The following command and output use the examples in this procedure.