Veritas NetBackup™ Cloud Administrator's Guide
Certificate validation against Certificate Revocation List (CRL)
For all the cloud providers, NetBackup provides a capability to verify the SSL certificates against the CRL (Certificate Revocation List). If SSL is enabled and the CRL option is enabled, each non-self-signed SSL certificate is verified against the CRL. If the certificate is revoked, NetBackup does not connect to the cloud provider.
You can enable validation against the CRL in one of the following ways:
csconfig CLI: The crl parameter is added with the SSL parameters. The option is available when you add or update the storage server. The CRL value can be changed only through the csconfig CLI before creating an alias.
Storage server properties dialog: Update the USE_CRL property from the storage server properties dialog. After configuration, you can only disable the CRL option from the GUI.
You can also use the nbdevconfig CLI with the getconfig and setconfig options to enable or disable verification against the CRL.
Post upgrade, for the cloud and cloud catalyst storage servers with SSL enabled, the CRL validation is enabled by default.
CRL distribution endpoints use HTTP, so turn off any firewall rule that blocks HTTP (port 80) connections to the external network. For example, http://crl3.provider.com/server-g2.crl
The CRL download URL is fetched dynamically from the certificate, so disable any firewall rule that blocks unknown URLs.
Typically, CRL URLs (distribution endpoints) support IPv4. For IPv6 environments, disable the CRL option.
Private clouds typically have a self-signed certificate. Thus, for private clouds, the CRL check is not required. The check is skipped even if the CRL option is enabled.
A CRL distribution point must be present in the X.509 certificate. The type of the distribution point must be HTTP.
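The following preflight check is an added example, not NetBackup code: it applies the prerequisites above to a certificate and lists the HTTP CRL endpoints that the firewall must let through. The function names and the sample certificate are illustrative assumptions, and only the leaf certificate is inspected, whereas NetBackup verifies each non-self-signed certificate.

```python
import socket
import ssl
import sys
from urllib.parse import urlsplit

def fetch_leaf_cert(host, port=443, timeout=10):
    """Return the server's validated leaf certificate as a getpeercert() dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

def crl_preflight(cert):
    """Check one certificate dict against the CRL prerequisites listed above.

    Returns (status, items). status is "skipped", "ok" or "problem"; for "ok",
    items are the (host, port) pairs that outbound HTTP must be able to reach.
    """
    subject = cert.get("subject")
    # Assumption: subject == issuer is treated as self-signed (signature not verified).
    if subject and subject == cert.get("issuer"):
        return "skipped", ["self-signed certificate, CRL check does not apply"]
    uris = cert.get("crlDistributionPoints", ())
    if not uris:
        return "problem", ["certificate has no CRL distribution point"]
    endpoints = []
    for uri in uris:
        parts = urlsplit(uri)
        if parts.scheme.lower() == "http" and parts.hostname:
            endpoint = (parts.hostname, parts.port or 80)
            if endpoint not in endpoints:
                endpoints.append(endpoint)
    if not endpoints:
        return "problem", ["no distribution point of type http: " + ", ".join(uris)]
    return "ok", endpoints

# Constructed sample in getpeercert() format; the URL is the example from the text.
SAMPLE_CERT = {
    "subject": ((("commonName", "storage.example.com"),),),
    "issuer": ((("commonName", "Example Issuing CA"),),),
    "crlDistributionPoints": ("http://crl3.provider.com/server-g2.crl",
                              "ldap://dir.example.com/cn=crl"),
}

if __name__ == "__main__":
    # With a host name argument, inspect that endpoint's certificate instead.
    cert = fetch_leaf_cert(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CERT
    print(crl_preflight(cert))
```

fetch_leaf_cert uses the system trust store, so a private cloud endpoint with a self-signed certificate fails the handshake there unless that certificate is trusted locally.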