Veritas NetBackup™ Security and Encryption Guide
Forcing or overwriting certificate deployment
In some situations it may be necessary to use the -force option with the nbcertcmd -getCertificate command, for example to force certificate deployment to a host, or to overwrite the existing host ID-based certificate information and fetch a new certificate.
A host may already have a host ID-based certificate but need to overwrite it with a new one. This is required, for example, when a master server is replaced with a new server. Because the clients still hold the old certificate for the old server, running the nbcertcmd -getCertificate command on the clients fails with the following error:
Certificate already exists for the server.
Use the following procedure to overwrite the existing host ID-based certificate information and fetch a new certificate.
To force certificate deployment on a host
- The host administrator runs the following command on the non-master host:
nbcertcmd -getCertificate -server master_server_name -force
Depending on the security setting on the master server, a token may also need to be specified.
Use the -cluster option to deploy a cluster certificate.
A host may have been issued a certificate, but over time the certificate has become corrupted or the certificate file has been deleted.
The administrator of the non-master host can run the following command to confirm the condition of the certificate:
nbcertcmd -listCertDetails
If the certificate is corrupt, the command fails with the following error:
Certificate could not be read from the local certificate store.
If no certificate details display, the certificate is not available.
Use the following procedure to overwrite the existing host ID-based certificate information and to fetch a new certificate.
To fetch a new host ID-based certificate
- The host administrator runs the following command on the non-master host:
nbcertcmd -getCertificate -force
Depending on the security setting on the master server, a token may also need to be specified.
Use the -cluster option to deploy a cluster certificate.
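The two procedures above can be combined into one triage step that matches the error strings quoted on this page and prints the matching -force command without running it. This is an added example, not Veritas code. The function names and the MASTER and GETCERT_ERR environment variables are hypothetical, and it assumes that "no certificate details display" means empty output.

```shell
#!/bin/sh
# Added example: maps the two failure modes on this page to the matching
# nbcertcmd -getCertificate ... -force command. It only prints the command.

# Error strings quoted on this page.
ERR_CORRUPT='Certificate could not be read from the local certificate store'
ERR_EXISTS='Certificate already exists for the server'

# classify_cert_state TEXT
# TEXT: captured output of `nbcertcmd -listCertDetails`.
# Prints corrupt, missing or present.
# Assumption: "no certificate details display" means empty/whitespace output.
classify_cert_state() {
    case "$1" in
        *"$ERR_CORRUPT"*) echo corrupt; return ;;
    esac
    if [ -z "$(printf '%s' "$1" | tr -d '[:space:]')" ]; then
        echo missing
    else
        echo present
    fi
}

# recommend_action STATE GETCERT_OUTPUT MASTER
# GETCERT_OUTPUT: text of an earlier, failed `nbcertcmd -getCertificate` (may be empty).
# Prints the command the page's procedures call for, or "none".
recommend_action() {
    case "$1" in
        corrupt|missing)
            echo "nbcertcmd -getCertificate -force" ;;
        present)
            case "$2" in
                *"$ERR_EXISTS"*) echo "nbcertcmd -getCertificate -server $3 -force" ;;
                *) echo none ;;
            esac ;;
    esac
}

# Live use on a NetBackup host; skipped where nbcertcmd is not on PATH.
# MASTER and GETCERT_ERR are hypothetical environment variables for this example.
if command -v nbcertcmd >/dev/null 2>&1; then
    state=$(classify_cert_state "$(nbcertcmd -listCertDetails 2>&1)")
    echo "state: $state"
    echo "next:  $(recommend_action "$state" "${GETCERT_ERR:-}" "${MASTER:-master_server_name}")"
fi
```

Because the script only prints the suggested command, the host administrator still decides whether to overwrite the existing certificate and whether a token or the -cluster option is needed.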