Veritas NetBackup™ Security and Encryption Guide
- Increasing NetBackup security
- Security deployment models
- Port security
- About NetBackup daemons, ports, and communication
- Additional port information for products that interoperate with NetBackup
- About configuring ports
- Auditing NetBackup operations
- Configuring Enhanced Auditing
- Access control security
- NetBackup Access Control Security (NBAC)
- Configuring NetBackup Access Control (NBAC)
- Configuring Access Control host properties for the master and media server
- Access Control host properties dialog for the client
- Troubleshooting Access Management
- Windows verification points
- UNIX verification points
- Verification points in a mixed environment with a UNIX master server
- Verification points in a mixed environment with a Windows master server
- About determining who can access NetBackup
- Configuring user groups
- About defining a user group and users
- Viewing specific user permissions for NetBackup user groups
- Security management in NetBackup
- About the Security Management utilities
- About audit events
- About host management
- Adding shared or cluster mappings
- Allowing or disallowing automatic certificate reissue
- About global security settings
- About host name-based certificates
- About host ID-based certificates
- Using the Certificate Management utility to issue and deploy host ID-based certificates
- About certificate deployment security levels
- Setting up trust with the master server (Certificate Authority)
- About reissuing host ID-based certificates
- About Token Management for host ID-based certificates
- About the host ID-based certificate revocation list
- About revoking host ID-based certificates
- Security certificate deployment in a clustered NetBackup setup
- About deployment of a host ID-based certificate on a clustered NetBackup host
- Data at rest encryption security
- About NetBackup client encryption
- Configuring standard encryption on clients
- About configuring standard encryption from the server
- Configuring legacy encryption on clients
- About configuring legacy encryption from the client
- About configuring legacy encryption from the server
- Additional legacy key file security for UNIX clients
- Data at rest key management
- About the Key Management Service (KMS)
- Installing KMS
- Configuring KMS
- About key groups and key records
- Overview of key record states
- Configuring NetBackup to work with KMS
- About using KMS for encryption
- KMS database constituents
- Command line interface (CLI) commands
- About exporting and importing keys from the KMS database
- Troubleshooting KMS
- Regenerating keys and certificates
- NetBackup web services account
About the communication between a NetBackup client located in a demilitarized zone and a master server through an HTTP tunnel
In a NetBackup deployment setup, the client computers can be in a demilitarized zone (DMZ) where the communication takes place only through specific web ports.
All NetBackup clients must be able to communicate with the web management service on the master server to deploy security certificates and authorize peers for secure connections. For example, the NetBackup client sends requests to the master server for deploying certificates, which is essential for secure NetBackup communication. In a DMZ setup, the client might not be able to send web service requests directly to the master server. In this scenario, a NetBackup client sends a connection request and a web service request to the HTTP tunnel on the media server by the HTTP CONNECT proxy method. The HTTP tunnel accepts the connection request and forwards the web service request to the master server.
The HTTP tunneling feature allows the NetBackup clients in a DMZ to send web service requests to the master server. The NetBackup media server forms an HTTP tunnel that forwards the web service request from the NetBackup client to the master server. The further web service communication uses Secure Socket Layer (SSL).
The port number 1556 on the media server must be accessible by the NetBackup client for sending web service requests.
In a single domain or multi-domain environment, when the NetBackup client in a DMZ tries to send a web service connection request to the master server, it follows a particular sequence::
Table: Sequence to send a connection request
1. The NetBackup client tries to send the connection request directly to the master server.
In a DMZ, the web service connection request might not succeed.
2. If the direct connection fails, then the client checks if a media server is specified to use HTTP tunneling to send the web service connection request to the master server.
You can define a preferred media server that the NetBackup client can use for sending the web service connection.
Add the WEB_SERVER_TUNNEL option in the registry on Windows client or in the
For more information, refer to the WEB_SERVER_TUNNEL option for NetBackup clients section in the NetBackup Administrator's Guide Volume I.
3. If a media server is not specified, then the client refers to a list of media servers that is available in the NetBackup configuration and uses them for sending web service connection requests.
NetBackup client maintains an internal cache file (
The following additional options are available for configuring the HTTP Tunnel feature:
WEB_SERVER_TUNNEL_USE - You can use this option on the NetBackup clients to configure the default communication behavior using the HTTP Tunnel.
WEB_SERVER_TUNNEL_ENABLE - By default, HTTP Tunnel is enabled on the media server. You can use this option on the media servers to disable the HTTP Tunnel feature.
For more information, refer to the NetBackup Administrator's Guide Volume I.
If your NetBackup client configuration does not contain information about the media servers in the domain, run the nbsetconfig command on the master server. The registry on a Windows client or the
bp.conffile on a UNIX client includes the master and the media servers that the client selects to send connection and web service requests.
If you use the nbcertcmd -getCertificate command on the NetBackup client in a DMZ, and if you see one of the following errors:
EXIT STATUS 5955: The host name is not known to the master server.
EXIT STATUS 5954: The host name could not be resolved to the requesting host's IP address.
Use a token to deploy the security certificate because the master server cannot match the IP address of the HTTP tunnel to the identity of the host that requests the certificate.
NetBackup audit report lists the media server as the user if an HTTP tunnel is used to send a certificate request to the master server.